Msfvenom Study Notes and Summary

Published 2019-09-26, author 风铃, 69 views, board: Front-end

Platform: Android. Available payloads:


android/meterpreter/reverse_http     Run a meterpreter server on Android. Tunnel communication over HTTP
android/meterpreter/reverse_https    Run a meterpreter server on Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp      Run a meterpreter server on Android. Connect back stager
android/shell/reverse_http           Spawn a piped command shell (sh). Tunnel communication over HTTP
android/shell/reverse_https          Spawn a piped command shell (sh). Tunnel communication over HTTPS
android/shell/reverse_tcp            Spawn a piped command shell (sh). Connect back stager


The last three (android/shell/*) are the less common ones: they only give you a plain sh shell, without the post-exploitation modules a meterpreter session provides. The trade-off is that a plain shell payload is far smaller and has fewer runtime dependencies, so it still has its place when all you need is a command shell.


Runtime platform: Java. Available payloads:



java/jsp_shell_bind_tcp         Listen for a connection and spawn a command shell
java/jsp_shell_reverse_tcp      Connect back to attacker and spawn a command shell
java/meterpreter/bind_tcp       Run a meterpreter server in Java. Listen for a connection
java/meterpreter/reverse_http   Run a meterpreter server in Java. Tunnel communication over HTTP
java/meterpreter/reverse_https  Run a meterpreter server in Java. Tunnel communication over HTTPS
java/meterpreter/reverse_tcp    Run a meterpreter server in Java. Connect back stager
java/shell/bind_tcp             Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
java/shell/reverse_tcp          Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
java/shell_reverse_tcp          Connect back to attacker and spawn a command shell


I roughly understand what is going on but can't put it into words; it is still not fully clear to me, so I am skipping this for now.
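The structure behind every name in these listings is regular: platform, an optional architecture segment, then either a stage and stager separated by `/` (staged, e.g. `java/meterpreter/reverse_tcp`, where a small stager connects and pulls the real payload over the wire) or a single stageless payload written with `_` (e.g. `java/shell_reverse_tcp`, which carries everything in one blob). The stager part also says who connects to whom (`reverse` calls back to the attacker, `bind` listens on the target, `find_*` reuses the exploit's existing socket) and over what transport. Getting this wrong is the usual reason a session never arrives, because the `multi/handler` PAYLOAD must match the generated payload exactly; a staged handler cannot talk to a stageless client. The script below is an added example written for these notes, not code from Metasploit: it parses lines shaped like the `msfvenom -l payloads` output above (the sample input is constructed from entries on this page), splits each name into its parts, and writes out the handler resource script that matches it. The regular expression, the option names and the default addresses are this example's own assumptions.

```python
"""Classify msfvenom payload names and derive the matching multi/handler settings.

Added example for these notes (not Metasploit code). It parses lines in the
shape of `msfvenom -l payloads` output and splits each payload name into
platform / arch / stage / stager, which is what decides how the handler
must be configured.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the listing above (name, whitespace, description).
SAMPLE_LISTING = """\
    android/meterpreter/reverse_tcp         Run a meterpreter server on Android. Connect back stager
    java/shell_reverse_tcp                  Connect back to attacker and spawn a command shell
    linux/x64/shell/bind_tcp                Spawn a command shell (staged). Listen for a connection
    linux/x86/shell_bind_tcp_random_port    Listen for a connection in a random port and spawn a command shell.
    windows/meterpreter_reverse_https       Connect back to attacker and spawn a Meterpreter shell
    windows/exec                            Execute an arbitrary command
    php/bind_perl                           Listen for a connection and spawn a command shell via perl (persistent)
"""

ARCHES = {"x86", "x64", "armle", "aarch64", "mipsbe", "mipsle", "ppc", "ppc64"}
TRANSPORTS = {"tcp", "http", "https", "winhttp", "winhttps", "udp"}
# Assumed shape of a stager: [<stage>_]<reverse|bind|find>[_<transport and options>]
STAGER_RE = re.compile(r"^(?:(?P<stage>.+?)_)?(?P<conn>reverse|bind|find)(?:_?(?P<rest>.*))?$")


@dataclass(frozen=True)
class PayloadInfo:
    name: str
    platform: str
    arch: Optional[str]
    stage: Optional[str]
    staged: bool            # True for stage/stager pairs written with a '/'
    connection: str         # "reverse", "bind", "find" or "none"
    transport: Optional[str]
    options: tuple          # remaining name tokens: ipv6, uuid, rc4, random, port, ...
    description: str = ""


def classify(name: str, description: str = "") -> PayloadInfo:
    """Split a payload name such as linux/x86/shell/reverse_tcp into its parts."""
    parts = name.split("/")
    platform, rest = parts[0], parts[1:]
    arch = None
    if rest and rest[0] in ARCHES:
        arch = rest.pop(0)
    elif platform == "windows":
        arch = "x86"        # the listing marks arch-less windows/ payloads as "(Windows x86)"
    if not rest:
        raise ValueError(f"not a payload name: {name}")
    staged = len(rest) == 2
    stage = rest[0] if staged else None
    stager = rest[-1]
    m = STAGER_RE.match(stager)
    if m is None:           # exec, adduser, messagebox, ...: no connection at all
        return PayloadInfo(name, platform, arch, stager, False, "none", None, (), description)
    if not staged:
        stage = m.group("stage")
    tokens = [t for t in (m.group("rest") or "").split("_") if t]
    transport = next((t for t in tokens if t in TRANSPORTS), None)
    options = tuple(t for t in tokens if t not in TRANSPORTS)
    return PayloadInfo(name, platform, arch, stage, staged, m.group("conn"), transport, options, description)


def parse_listing(text: str) -> list:
    """Parse `msfvenom -l payloads`-style lines; header/separator lines carry no '/' and are skipped."""
    infos = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, desc = line.partition(" ")
        if "/" not in name:
            continue
        infos.append(classify(name, desc.strip()))
    return infos


def handler_rc(info: PayloadInfo, host: str = "10.0.0.5", port: int = 4444) -> Optional[str]:
    """msfconsole resource script for the handler matching `info`, or None when the payload
    never calls home (exec, adduser) or reuses the exploit's own socket (find_*).
    `host` is the listener address for reverse payloads and the target address for bind payloads."""
    if info.connection not in ("reverse", "bind"):
        return None
    lines = ["use exploit/multi/handler", f"set PAYLOAD {info.name}"]
    if info.connection == "reverse":
        lines += [f"set LHOST {host}", f"set LPORT {port}"]
    else:   # bind payloads listen on the target; the handler connects out to RHOST:LPORT
        lines += [f"set RHOST {host}", f"set LPORT {port}"]
    lines.append("exploit -j")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for info in parse_listing(SAMPLE_LISTING):
        kind = "staged" if info.staged else "stageless"
        print(f"{info.name:40} {info.platform}/{info.arch} {kind} {info.connection} {info.transport} {info.options}")
        rc = handler_rc(info)
        print(rc if rc else "    (no handler needed)\n")
```

Feed it the real output of `msfvenom -l payloads` and it will tell you, for each name, whether you need a listener at all and whether it must be configured with LHOST (reverse) or RHOST (bind). The `_uuid`, `_rc4` and `hidden`/`ipknock` variants need extra handler options beyond what this example sets; they surface in `options` so you can spot them.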


 


Platform: Linux. Available payloads:



linux/armle/adduser                          Create a new user with UID 0
linux/armle/exec                             Execute an arbitrary command
linux/armle/shell/bind_tcp                   dup2 socket in r12, then execve. Listen for a connection
linux/armle/shell/reverse_tcp                dup2 socket in r12, then execve. Connect back to the attacker
linux/armle/shell_bind_tcp                   Connect to target and spawn a command shell
linux/armle/shell_reverse_tcp                Connect back to attacker and spawn a command shell
linux/mipsbe/exec                            A very small shellcode for executing commands. This module is sometimes helpful for testing purposes.
linux/mipsbe/reboot                          A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures.
linux/mipsbe/shell/reverse_tcp               Spawn a command shell (staged). Connect back to the attacker
linux/mipsbe/shell_bind_tcp                  Listen for a connection and spawn a command shell
linux/mipsbe/shell_reverse_tcp               Connect back to attacker and spawn a command shell
linux/mipsle/exec                            A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space.
linux/mipsle/reboot                          A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes.
linux/mipsle/shell/reverse_tcp               Spawn a command shell (staged). Connect back to the attacker
linux/mipsle/shell_bind_tcp                  Listen for a connection and spawn a command shell
linux/mipsle/shell_reverse_tcp               Connect back to attacker and spawn a command shell
linux/ppc/shell_bind_tcp                     Listen for a connection and spawn a command shell
linux/ppc/shell_find_port                    Spawn a shell on an established connection
linux/ppc/shell_reverse_tcp                  Connect back to attacker and spawn a command shell
linux/ppc64/shell_bind_tcp                   Listen for a connection and spawn a command shell
linux/ppc64/shell_find_port                  Spawn a shell on an established connection
linux/ppc64/shell_reverse_tcp                Connect back to attacker and spawn a command shell
linux/x64/exec                               Execute an arbitrary command
linux/x64/shell/bind_tcp                     Spawn a command shell (staged). Listen for a connection
linux/x64/shell/reverse_tcp                  Spawn a command shell (staged). Connect back to the attacker
linux/x64/shell_bind_tcp                     Listen for a connection and spawn a command shell
linux/x64/shell_bind_tcp_random_port         Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
linux/x64/shell_find_port                    Spawn a shell on an established connection
linux/x64/shell_reverse_tcp                  Connect back to attacker and spawn a command shell
linux/x86/adduser                            Create a new user with UID 0
linux/x86/chmod                              Runs chmod on specified file with specified mode
linux/x86/exec                               Execute an arbitrary command
linux/x86/meterpreter/bind_ipv6_tcp          Inject the meterpreter server payload (staged). Listen for an IPv6 connection (Linux x86)
linux/x86/meterpreter/bind_ipv6_tcp_uuid     Inject the meterpreter server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
linux/x86/meterpreter/bind_nonx_tcp          Inject the meterpreter server payload (staged). Listen for a connection
linux/x86/meterpreter/bind_tcp               Inject the meterpreter server payload (staged). Listen for a connection (Linux x86)
linux/x86/meterpreter/bind_tcp_uuid          Inject the meterpreter server payload (staged). Listen for a connection with UUID Support (Linux x86)
linux/x86/meterpreter/find_tag               Inject the meterpreter server payload (staged). Use an established connection
linux/x86/meterpreter/reverse_ipv6_tcp       Inject the meterpreter server payload (staged). Connect back to attacker over IPv6
linux/x86/meterpreter/reverse_nonx_tcp       Inject the meterpreter server payload (staged). Connect back to the attacker
linux/x86/meterpreter/reverse_tcp            Inject the meterpreter server payload (staged). Connect back to the attacker
linux/x86/meterpreter/reverse_tcp_uuid       Inject the meterpreter server payload (staged). Connect back to the attacker
linux/x86/metsvc_bind_tcp                    Stub payload for interacting with a Meterpreter Service
linux/x86/metsvc_reverse_tcp                 Stub payload for interacting with a Meterpreter Service
linux/x86/read_file                          Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
linux/x86/shell/bind_ipv6_tcp                Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)
linux/x86/shell/bind_ipv6_tcp_uuid           Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
linux/x86/shell/bind_nonx_tcp                Spawn a command shell (staged). Listen for a connection
linux/x86/shell/bind_tcp                     Spawn a command shell (staged). Listen for a connection (Linux x86)
linux/x86/shell/bind_tcp_uuid                Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)
linux/x86/shell/find_tag                     Spawn a command shell (staged). Use an established connection
linux/x86/shell/reverse_ipv6_tcp             Spawn a command shell (staged). Connect back to attacker over IPv6
linux/x86/shell/reverse_nonx_tcp             Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp                  Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp_uuid             Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell_bind_ipv6_tcp                Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp                     Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port         Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
linux/x86/shell_find_port                    Spawn a shell on an established connection
linux/x86/shell_find_tag                     Spawn a shell on an established connection (proxy/nat safe)
linux/x86/shell_reverse_tcp                  Connect back to attacker and spawn a command shell
linux/x86/shell_reverse_tcp2                 Connect back to attacker and spawn a command shell


A hell of a lot of them.


 


Platform: osx (that is the Mac operating system, right? :) ). Available payloads:



osx/armle/execute/bind_tcp           Spawn a command shell (staged). Listen for a connection
osx/armle/execute/reverse_tcp        Spawn a command shell (staged). Connect back to the attacker
osx/armle/shell/bind_tcp             Spawn a command shell (staged). Listen for a connection
osx/armle/shell/reverse_tcp          Spawn a command shell (staged). Connect back to the attacker
osx/armle/shell_bind_tcp             Listen for a connection and spawn a command shell
osx/armle/shell_reverse_tcp          Connect back to attacker and spawn a command shell
osx/armle/vibrate                    Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller <cmiller[at]securityevaluators.com>.
osx/ppc/shell/bind_tcp               Spawn a command shell (staged). Listen for a connection
osx/ppc/shell/find_tag               Spawn a command shell (staged). Use an established connection
osx/ppc/shell/reverse_tcp            Spawn a command shell (staged). Connect back to the attacker
osx/ppc/shell_bind_tcp               Listen for a connection and spawn a command shell
osx/ppc/shell_reverse_tcp            Connect back to attacker and spawn a command shell
osx/x64/dupandexecve/bind_tcp        dup2 socket in edi, then execve. Listen, read length, read buffer, execute
osx/x64/dupandexecve/reverse_tcp     dup2 socket in edi, then execve. Connect, read length, read buffer, execute
osx/x64/exec                         Execute an arbitrary command
osx/x64/say                          Say an arbitrary string outloud using Mac OS X text2speech
osx/x64/shell_bind_tcp               Bind an arbitrary command to an arbitrary port
osx/x64/shell_find_tag               Spawn a shell on an established connection (proxy/nat safe)
osx/x64/shell_reverse_tcp            Connect back to attacker and spawn a command shell
osx/x86/bundleinject/bind_tcp        Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, execute
osx/x86/bundleinject/reverse_tcp     Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute
osx/x86/exec                         Execute an arbitrary command
osx/x86/isight/bind_tcp              Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, execute
osx/x86/isight/reverse_tcp           Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute
osx/x86/shell_bind_tcp               Listen for a connection and spawn a command shell
osx/x86/shell_find_port              Spawn a shell on an established connection
osx/x86/shell_reverse_tcp            Connect back to attacker and spawn a command shell
osx/x86/vforkshell/bind_tcp          Call vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, execute
osx/x86/vforkshell/reverse_tcp       Call vfork() if necessary and spawn a command shell (staged). Connect, read length, read buffer, execute
osx/x86/vforkshell_bind_tcp          Listen for a connection, vfork if necessary, and spawn a command shell
osx/x86/vforkshell_reverse_tcp       Connect back to attacker, vfork if necessary, and spawn a command shell


I would really like to experiment with these payloads, but I can't find a Mac to test on~~~


 


Runtime environments: python, php, ruby. Available payloads:



php/bind_perl                        Listen for a connection and spawn a command shell via perl (persistent)
php/bind_perl_ipv6                   Listen for a connection and spawn a command shell via perl (persistent) over IPv6
php/bind_php                         Listen for a connection and spawn a command shell via php
php/bind_php_ipv6                    Listen for a connection and spawn a command shell via php (IPv6)
php/download_exec                    Download an EXE from an HTTP URL and execute it
php/exec                             Execute a single system command
php/meterpreter/bind_tcp             Run a meterpreter server in PHP. Listen for a connection
php/meterpreter/bind_tcp_ipv6        Run a meterpreter server in PHP. Listen for a connection over IPv6
php/meterpreter/bind_tcp_ipv6_uuid   Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support
php/meterpreter/bind_tcp_uuid        Run a meterpreter server in PHP. Listen for a connection with UUID Support
php/meterpreter/reverse_tcp          Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
php/meterpreter/reverse_tcp_uuid     Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
php/meterpreter_reverse_tcp          Connect back to attacker and spawn a Meterpreter server (PHP)
php/reverse_perl                     Creates an interactive shell via perl
php/reverse_php                      Reverse PHP connect back shell with checks for disabled functions
php/shell_findsock                   Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.
python/meterpreter/bind_tcp          Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection
python/meterpreter/bind_tcp_uuid     Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection with UUID Support
python/meterpreter/reverse_http      Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP
python/meterpreter/reverse_https     Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP using SSL
python/meterpreter/reverse_tcp       Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker
python/meterpreter/reverse_tcp_uuid  Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker with UUID Support
python/meterpreter_bind_tcp          Connect to the victim and spawn a Meterpreter shell
python/meterpreter_reverse_http      Connect back to the attacker and spawn a Meterpreter shell
python/meterpreter_reverse_https     Connect back to the attacker and spawn a Meterpreter shell
python/meterpreter_reverse_tcp       Connect back to the attacker and spawn a Meterpreter shell
python/shell_reverse_tcp             Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3
python/shell_reverse_tcp_ssl         Creates an interactive shell via python, uses SSL, encodes with base64 by design.
ruby/shell_bind_tcp                  Continually listen for a connection and spawn a command shell via Ruby
ruby/shell_bind_tcp_ipv6             Continually listen for a connection and spawn a command shell via Ruby
ruby/shell_reverse_tcp               Connect back and create a command shell via Ruby
ruby/shell_reverse_tcp_ssl           Connect back and create a command shell via Ruby, uses SSL


 


Now the important one, Windows:



windows/adduser                                      Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
windows/dllinject/bind_hidden_ipknock_tcp            Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
windows/dllinject/bind_hidden_tcp                    Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/dllinject/bind_ipv6_tcp                      Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86)
windows/dllinject/bind_ipv6_tcp_uuid                 Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)
windows/dllinject/bind_nonx_tcp                      Inject a DLL via a reflective loader. Listen for a connection (No NX)
windows/dllinject/bind_tcp                           Inject a DLL via a reflective loader. Listen for a connection (Windows x86)
windows/dllinject/bind_tcp_rc4                       Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/bind_tcp_uuid                      Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86)
windows/dllinject/find_tag                           Inject a DLL via a reflective loader. Use an established connection
windows/dllinject/reverse_hop_http                   Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/dllinject/reverse_http                       Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)
windows/dllinject/reverse_http_proxy_pstore          Inject a DLL via a reflective loader. Tunnel communication over HTTP
windows/dllinject/reverse_ipv6_tcp                   Inject a DLL via a reflective loader. Connect back to the attacker over IPv6
windows/dllinject/reverse_nonx_tcp                   Inject a DLL via a reflective loader. Connect back to the attacker (No NX)
windows/dllinject/reverse_ord_tcp                    Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp                        Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_allports               Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/dllinject/reverse_tcp_dns                    Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_rc4                    Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_rc4_dns                Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_uuid                   Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support
windows/dllinject/reverse_winhttp                    Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)
windows/dns_txt_query_exec                           Performs a TXT query against a series of DNS record(s) and executes the returned payload
windows/download_exec                                Download an EXE from an HTTP(S)/FTP URL and execute it
windows/exec                                         Execute an arbitrary command
windows/format_all_drives                            This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume.
windows/loadlibrary                                  Load an arbitrary library path
windows/messagebox                                   Spawns a dialog via MessageBox using a customizable title, text & icon
windows/meterpreter/bind_hidden_ipknock_tcp          Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
windows/meterpreter/bind_hidden_tcp                  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/meterpreter/bind_ipv6_tcp                    Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86)
windows/meterpreter/bind_ipv6_tcp_uuid               Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/meterpreter/bind_nonx_tcp                    Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (No NX)
windows/meterpreter/bind_tcp                         Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86)
windows/meterpreter/bind_tcp_rc4                     Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection
windows/meterpreter/bind_tcp_uuid                    Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86)
windows/meterpreter/find_tag                         Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Use an established connection
windows/meterpreter/reverse_hop_http                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/meterpreter/reverse_http                     Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows wininet)
windows/meterpreter/reverse_http_proxy_pstore        Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP
windows/meterpreter/reverse_https                    Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows wininet)
windows/meterpreter/reverse_https_proxy              Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy support
windows/meterpreter/reverse_ipv6_tcp                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker over IPv6
windows/meterpreter/reverse_nonx_tcp                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker (No NX)
windows/meterpreter/reverse_ord_tcp                  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp                      Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_allports             Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/meterpreter/reverse_tcp_dns                  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_rc4                  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_rc4_dns              Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_uuid                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support
windows/meterpreter/reverse_winhttp                  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp)
windows/meterpreter/reverse_winhttps                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows winhttp)
windows/meterpreter_bind_tcp                         Connect to victim and spawn a Meterpreter shell
windows/meterpreter_reverse_http                     Connect back to attacker and spawn a Meterpreter shell
windows/meterpreter_reverse_https                    Connect back to attacker and spawn a Meterpreter shell
windows/meterpreter_reverse_ipv6_tcp                 Connect back to attacker and spawn a Meterpreter shell
windows/meterpreter_reverse_tcp                      Connect back to attacker and spawn a Meterpreter shell
windows/metsvc_bind_tcp                              Stub payload for interacting with a Meterpreter Service
windows/metsvc_reverse_tcp                           Stub payload for interacting with a Meterpreter Service
windows/patchupdllinject/bind_hidden_ipknock_tcp     Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
windows/patchupdllinject/bind_hidden_tcp             Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/patchupdllinject/bind_ipv6_tcp               Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86)
windows/patchupdllinject/bind_ipv6_tcp_uuid          Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)
windows/patchupdllinject/bind_nonx_tcp               Inject a custom DLL into the exploited process. Listen for a connection (No NX)
windows/patchupdllinject/bind_tcp                    Inject a custom DLL into the exploited process. Listen for a connection (Windows x86)
windows/patchupdllinject/bind_tcp_rc4                Inject a custom DLL into the exploited process. Listen for a connection
windows/patchupdllinject/bind_tcp_uuid               Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86)
windows/patchupdllinject/find_tag                    Inject a custom DLL into the exploited process. Use an established connection
windows/patchupdllinject/reverse_ipv6_tcp            Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6
windows/patchupdllinject/reverse_nonx_tcp            Inject a custom DLL into the exploited process. Connect back to the attacker (No NX)
windows/patchupdllinject/reverse_ord_tcp             Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp                 Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp_allports        Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/patchupdllinject/reverse_tcp_dns             Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp_rc4             Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp_rc4_dns         Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp_uuid            Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support
windows/patchupmeterpreter/bind_hidden_ipknock_tcp   Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
windows/patchupmeterpreter/bind_hidden_tcp           Inject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/patchupmeterpreter/bind_ipv6_tcp             Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86)
windows/patchupmeterpreter/bind_ipv6_tcp_uuid        Inject the meterpreter server DLL (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/patchupmeterpreter/bind_nonx_tcp             Inject the meterpreter server DLL (staged). Listen for a connection (No NX)
windows/patchupmeterpreter/bind_tcp                  Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86)
windows/patchupmeterpreter/bind_tcp_rc4              Inject the meterpreter server DLL (staged). Listen for a connection
windows/patchupmeterpreter/bind_tcp_uuid             Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86)
windows/patchupmeterpreter/find_tag                  Inject the meterpreter server DLL (staged). Use an established connection
windows/patchupmeterpreter/reverse_ipv6_tcp          Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6
windows/patchupmeterpreter/reverse_nonx_tcp          Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX)
windows/patchupmeterpreter/reverse_ord_tcp           Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp               Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_allports      Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/patchupmeterpreter/reverse_tcp_dns           Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_rc4           Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_rc4_dns       Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_uuid          Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support
windows/powershell_bind_tcp                          Listen for a connection and spawn an interactive powershell session
windows/powershell_reverse_tcp                       Listen for a connection and spawn an interactive powershell session
windows/shell/bind_hidden_ipknock_tcp                Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
windows/shell/bind_hidden_tcp                        Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/shell/bind_ipv6_tcp                          Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86)
windows/shell/bind_ipv6_tcp_uuid                     Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/shell/bind_nonx_tcp                          Spawn a piped command shell (staged). Listen for a connection (No NX)
windows/shell/bind_tcp                               Spawn a piped command shell (staged). Listen for a connection (Windows x86)
windows/shell/bind_tcp_rc4                           Spawn a piped command shell (staged). Listen for a connection
windows/shell/bind_tcp_uuid                          Spawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86)
windows/shell/find_tag                               Spawn a piped command shell (staged). Use an established connection
windows/shell/reverse_ipv6_tcp                       Spawn a piped command shell (staged). Connect back to the attacker over IPv6
windows/shell/reverse_nonx_tcp                       Spawn a piped command shell (staged). Connect back to the attacker (No NX)
windows/shell/reverse_ord_tcp                        Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp                            Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp_allports                   Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/shell/reverse_tcp_dns                        Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp_rc4                        Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp_rc4_dns                    Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp_uuid                       Spawn a piped command shell (staged). Connect back to the attacker with UUID Support
windows/shell_bind_tcp                               Listen for a connection and spawn a command shell
windows/shell_bind_tcp_xpfw                          Disable the Windows ICF, then listen for a connection and spawn a command shell
windows/shell_hidden_bind_tcp                        Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not comming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the shellcode.
windows/shell_reverse_tcp                            Connect back to attacker and spawn a command shell
windows/speak_pwned                                  Causes the target to say "You Got Pwned" via the Windows Speech API
windows/upexec/bind_hidden_ipknock_tcp               Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
windows/upexec/bind_hidden_tcp                       Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/upexec/bind_ipv6_tcp                         Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86)
windows/upexec/bind_ipv6_tcp_uuid                    Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/upexec/bind_nonx_tcp                         Uploads an executable and runs it (staged). Listen for a connection (No NX)
windows/upexec/bind_tcp                              Uploads an executable and runs it (staged). Listen for a connection (Windows x86)
windows/upexec/bind_tcp_rc4                          Uploads an executable and runs it (staged). Listen for a connection
windows/upexec/bind_tcp_uuid                         Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86)
windows/upexec/find_tag                              Uploads an executable and runs it (staged). Use an established connection
windows/upexec/reverse_ipv6_tcp                      Uploads an executable and runs it (staged). Connect back to the attacker over IPv6
windows/upexec/reverse_nonx_tcp                      Uploads an executable and runs it (staged). Connect back to the attacker (No NX)
windows/upexec/reverse_ord_tcp                       Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp                           Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_allports                  Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/upexec/reverse_tcp_dns                       Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_rc4                       Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_rc4_dns                   Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_uuid                      Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support
windows/vncinject/bind_hidden_ipknock_tcp            Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
windows/vncinject/bind_hidden_tcp                    Inject a VNC Dll via a reflective loader (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/vncinject/bind_ipv6_tcp                      Inject a VNC Dll via a reflective loader (staged). Listen for an
