zoukankan      html  css  js  c++  java
  • Kali linux 2016.2 的 plyload模块之meterpreter plyload详解

      不多说,直接上干货!

    前期博客

    Kali linux 2016.2(Rolling)中的payloads模块详解

      当利用成功后尝试运行一个进程,它将在系统进程列表里显示,即使在木马中尝试执行系统命令,还是会为有经验的法庭调查者留下足够的痕迹,如果命令提示符在系统上执行,HIDS也会发出警告,除了危险警告之外还将启动一个cmd shell,这个shell本身可能有限制。

      举个例子:如果进程运行在chroot环境,在访问库和命令可能会有严重限制或者如果某些二进制文件已经从系统中删除,这样可能我们做其他工作会非常困难。经常在启动利用程序之前,payload和特定动作会被明确指定,从而,你必须明确一旦成功,你要去反弹shell到你的系统,或者在远程系统添加一个用户,或是简单运行任意特定命令。但是这样不够灵活。

       然而,meterpreter payload克服了这些限制并且提供API使攻击者在meterpreter shell中代码后续攻击,此外meterpreter还允许开发者以dll形式写自己的扩展,它们可以上传到远程系统并执行,meterpreter真正的妙处在于它可以把自身投入到远程系统的漏洞进程,而且允许的所有命令也是在这个进程,这样可以避免AntiVirus检查和取证。

      Meterpreter的命令

    metasploit.meterpreter学习笔记(博主推荐)

    MetaSploit攻击实例讲解------工具Meterpreter常用功能介绍(kali linux 2016.2(rolling))(详细)

      我这里,

    以下是meterpreter 命令的总浏览:
    meterpreter > help
    
    Core Commands          核心命令
    ================
    
        Command                   Description
        -------                   -----------
        ?                         Help menu                帮助菜单
        background                Backgrounds the current session          将当前会话抛到后台
        bgkill                    Kills a background meterpreter script        杀死一个背景 meterpreter 脚本
        bglist                    Lists running background scripts              提供所有正在运行的后台脚本的列表
        bgrun                     Executes a meterpreter script as a background thread      作为一个后台线程运行脚本
        channel                   Displays information or control active channels        显示动态频道的信息
        close                     Closes a channel                      关闭一个频道
        disable_unicode_encoding  Disables encoding of unicode strings
        enable_unicode_encoding   Enables encoding of unicode strings
        exit                      Terminate the meterpreter session            终止 meterpreter 会话
        get_timeouts              Get the current session timeout values
        help                      Help menu                              帮助菜单
        info                      Displays information about a Post module
        irb                       Drop into irb scripting mode                进入 Ruby 脚本模式
        load                      Load one or more meterpreter extensions
        machine_id                Get the MSF ID of the machine attached to the session
        migrate                   Migrate the server to another process              移动meterpreter到一个指定的 PID 的活动进程
        quit                      Terminate the meterpreter session            终止 meterpreter 会话
        read                      Reads data from a channel                  从通道读取数据
        resource                  Run the commands stored in a file
        run                       Executes a meterpreter script or Post module        从频道读数据
        sessions                  Quickly switch to another session
        set_timeouts              Set the current session timeout values
        sleep                     Force Meterpreter to go quiet, then re-establish session.
        transport                 Change the current transport mechanism
        use                       Deprecated alias for 'load'                    加载一个或多个meterpreter 的扩展
        uuid                      Get the UUID for the current session
        write                     Writes data to a channel                    将数据写入到一个频道
    
    
        
    
        
    Stdapi: File system Commands            文件系统命令
    =====================================    
    
        Command       Description
        -------       -----------
        cat           Read the contents of a file to the screen        读取并输出到标准输出文件的内容
        cd            Change directory                      对受害人更改目录
        checksum      Retrieve the checksum of a file
        cp            Copy source to destination
        dir           List files (alias for ls)
        download      Download a file or directory            从受害者系统文件下载
        edit          Edit a file                    用 vim编辑文件
        getlwd        Print local working directory            打印本地目录
        getwd         Print working directory              打印工作目录
        lcd           Change local working directory            更改本地目录
        lpwd          Print local working directory          打印本地目录
        ls            List files                    列出在当前目录中的文件列表
        mkdir         Make directory                  在受害者系统上的创建目录
        mv            Move source to destination
        pwd           Print working directory              输出工作目录
        rm            Delete the specified file            删除文件
        rmdir         Remove directory                  受害者系统上删除目录
        search        Search for files
        show_mount    List all mount points/logical drives
        upload        Upload a file or directory            从攻击者的系统往受害者系统上传文件
    
    
    
    Stdapi: Networking Commands                网络命令
    =====================================    
    
        Command       Description
        -------       -----------
        arp           Display the host ARP cache
        getproxy      Display the current proxy configuration
        ifconfig      Display interfaces
        ipconfig      Display interfaces                  显示网络接口的关键信息,包括 IP 地址、 等。
        netstat       Display the network connections
        portfwd       Forward a local port to a remote service              端口转发
        resolve       Resolve a set of host names on the target
        route         View and modify the routing table            查看或修改受害者路由表
    
    
    
    
    Stdapi: System Commands                    系统命令
    =====================================    
    
        Command       Description
        -------       -----------
        clearev       Clear the event log                  清除了受害者的计算机上的事件日志
        drop_token    Relinquishes any active impersonation token.        被盗的令牌
        execute       Execute a command                          执行命令
        getenv        Get one or more environment variable values
        getpid        Get the current process identifier                  获取当前进程 ID (PID)
        getprivs      Attempt to enable all privileges available to the current process      尽可能获取尽可能多的特权
        getsid        Get the SID of the user that the server is running as
        getuid        Get the user that the server is running as              获取作为运行服务器的用户
        kill          Terminate a process                      终止指定 PID 的进程
        localtime     Displays the target system's local date and time
        ps            List running processes                      列出正在运行的进程
        reboot        Reboots the remote computer                  重新启动受害人的计算机
        reg           Modify and interact with the remote registry            与受害人的注册表进行交互,即可以修改受害人的注册表
        rev2self      Calls RevertToSelf() on the remote machine          在受害者机器上调用 RevertToSelf()
        shell         Drop into a system command shell              在受害者计算机上打开一个shell
        shutdown      Shuts down the remote computer                  关闭了受害者的计算机
        steal_token   Attempts to steal an impersonation token from the target process      试图窃取指定的 (PID) 进程的令牌
        suspend       Suspends or resumes a list of processes
        sysinfo       Gets information about the remote system, such as OS      获取有关受害者计算机操作系统和名称等的详细信息
    
    
    
    
    Stdapi: User interface Commands
    =====================================    
    
        Command        Description
        -------        -----------
        enumdesktops   List all accessible desktops and window stations            列出所有可访问桌面和windows工作站
        getdesktop     Get the current meterpreter desktop                  获取当前的 meterpreter 桌面
        idletime       Returns the number of seconds the remote user has been idle        检查长时间以来,受害者系统空闲进程。或者说远程用户闲置时间
        keyscan_dump   Dump the keystroke buffer                键盘记录软件的内容转储
        keyscan_start  Start capturing keystrokes              启动时与如 Word 或浏览器的进程相关联的键盘记录软件
        keyscan_stop   Stop capturing keystrokes                      停止键盘记录软件
        screenshot     Grab a screenshot of the interactive desktop            抓去 meterpreter 桌面的屏幕截图
        setdesktop     Change the meterpreters current desktop            更改 meterpreter 桌面
        uictl          Control some of the user interface components          启用用户界面组件的一些控件或者说用户接口控制
    
    
    
    
    Stdapi: Webcam Commands
    =====================================    
    
        Command        Description
        -------        -----------
        record_mic     Record audio from the default microphone for X seconds
        webcam_chat    Start a video chat
        webcam_list    List webcams
        webcam_snap    Take a snapshot from the specified webcam
        webcam_stream  Play a video stream from the specified webcam
    
    
    
    Priv: Elevate Commands                  特权升级命令
    =====================================    
    
        Command       Description
        -------       -----------
        getsystem     Attempt to elevate your privilege to that of local system.        获得系统管理员权限
    
    
        
        
    Priv: Password database Commands          密码数据库的命令
    =====================================    
    
        Command       Description
        -------       -----------
        hashdump      Dumps the contents of the SAM database        抓去哈希密码 (SAM) 文件中的值  或者说 SAM存储,即说白了就是提取远程系统的hash密码
                  得到之后,然后可以结合 windows/smb/psesec,来通过smb登录远程系统
    
    
    
    Priv: Timestomp Commands                时间戳命令
    =====================================    
    
        Command       Description
        -------       -----------
        timestomp     Manipulate file MACE attributes        操作修改,访问,并创建一个文件的属性
        
        
    
    
    
    Incognito Commands
    =====================================    
    
        Command              Description
        -------              -----------
        add_group_user       Attempt to add a user to a global group with all tokens
        add_localgroup_user  Attempt to add a user to a local group with all tokens
        add_user             Attempt to add a user with all tokens
        impersonate_token    Impersonate specified token
        list_tokens          List tokens available under current user context
        snarf_hashes         Snarf challenge/response hashes for every token

     

     

     

  • 相关阅读:
    8. Django系列之上传文件与下载-djang为服务端,requests为客户端
    机器学习入门15
    机器学习入门14
    机器学习入门13
    机器学习入门12
    ML
    AI
    机器学习入门11
    机器学习入门10
    机器学习入门09
  • 原文地址:https://www.cnblogs.com/zlslch/p/6891732.html
Copyright © 2011-2022 走看看