平台:Android,可用Payload:
1 android/meterpreter/reverse_http Run a meterpreter server on Android. Tunnel communication over HTTP 2 android/meterpreter/reverse_https Run a meterpreter server on Android. Tunnel communication over HTTPS 3 android/meterpreter/reverse_tcp Run a meterpreter server on Android. Connect back stager 4 android/shell/reverse_http Spawn a piped command shell (sh). Tunnel communication over HTTP 5 android/shell/reverse_https Spawn a piped command shell (sh). Tunnel communication over HTTPS 6 android/shell/reverse_tcp Spawn a piped command shell (sh). Connect back stager
不常用的是最后三行的Payload ,用它只能得到一个sh的shell,不如meterpreter提供的后渗透模块强大,可能是有其他的用处吧..不解..
运行平台:Java,可用Payload:
1 java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell 2 java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell 3 java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection 4 java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP 5 java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS 6 java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager 7 java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection 8 java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager 9 java/shell_reverse_tcp Connect back to attacker and spawn a command shell
明白怎么回事,说不出来,还是没明白透,先略过了
平台:Linux ,可用Payload:
1 linux/armle/adduser Create a new user with UID 0 2 linux/armle/exec Execute an arbitrary command 3 linux/armle/shell/bind_tcp dup2 socket in r12, then execve. Listen for a connection 4 linux/armle/shell/reverse_tcp dup2 socket in r12, then execve. Connect back to the attacker 5 linux/armle/shell_bind_tcp Connect to target and spawn a command shell 6 linux/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell 7 linux/mipsbe/exec A very small shellcode for executing commands. This module is sometimes helpful for testing purposes. 8 linux/mipsbe/reboot A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures. 9 linux/mipsbe/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker 10 linux/mipsbe/shell_bind_tcp Listen for a connection and spawn a command shell 11 linux/mipsbe/shell_reverse_tcp Connect back to attacker and spawn a command shell 12 linux/mipsle/exec A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space. 13 linux/mipsle/reboot A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes. 14 linux/mipsle/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker 15 linux/mipsle/shell_bind_tcp Listen for a connection and spawn a command shell 16 linux/mipsle/shell_reverse_tcp Connect back to attacker and spawn a command shell 17 linux/ppc/shell_bind_tcp Listen for a connection and spawn a command shell 18 linux/ppc/shell_find_port Spawn a shell on an established connection 19 linux/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell 20 linux/ppc64/shell_bind_tcp Listen for a connection and spawn a command shell 21 linux/ppc64/shell_find_port Spawn a shell on an established connection 22 linux/ppc64/shell_reverse_tcp Connect back to attacker and spawn a command shell 23 linux/x64/exec Execute an arbitrary command 24 linux/x64/shell/bind_tcp Spawn a command shell (staged). Listen for a connection 25 linux/x64/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker 26 linux/x64/shell_bind_tcp Listen for a connection and spawn a command shell 27 linux/x64/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'. 28 linux/x64/shell_find_port Spawn a shell on an established connection 29 linux/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell 30 linux/x86/adduser Create a new user with UID 0 31 linux/x86/chmod Runs chmod on specified file with specified mode 32 linux/x86/exec Execute an arbitrary command 33 linux/x86/meterpreter/bind_ipv6_tcp Inject the meterpreter server payload (staged). Listen for an IPv6 connection (Linux x86) 34 linux/x86/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86) 35 linux/x86/meterpreter/bind_nonx_tcp Inject the meterpreter server payload (staged). Listen for a connection 36 linux/x86/meterpreter/bind_tcp Inject the meterpreter server payload (staged). Listen for a connection (Linux x86) 37 linux/x86/meterpreter/bind_tcp_uuid Inject the meterpreter server payload (staged). Listen for a connection with UUID Support (Linux x86) 38 linux/x86/meterpreter/find_tag Inject the meterpreter server payload (staged). Use an established connection 39 linux/x86/meterpreter/reverse_ipv6_tcp Inject the meterpreter server payload (staged). Connect back to attacker over IPv6 40 linux/x86/meterpreter/reverse_nonx_tcp Inject the meterpreter server payload (staged). Connect back to the attacker 41 linux/x86/meterpreter/reverse_tcp Inject the meterpreter server payload (staged). Connect back to the attacker 42 linux/x86/meterpreter/reverse_tcp_uuid Inject the meterpreter server payload (staged). Connect back to the attacker 43 linux/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service 44 linux/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service 45 linux/x86/read_file Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor 46 linux/x86/shell/bind_ipv6_tcp Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86) 47 linux/x86/shell/bind_ipv6_tcp_uuid Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86) 48 linux/x86/shell/bind_nonx_tcp Spawn a command shell (staged). Listen for a connection 49 linux/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connection (Linux x86) 50 linux/x86/shell/bind_tcp_uuid Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86) 51 linux/x86/shell/find_tag Spawn a command shell (staged). Use an established connection 52 linux/x86/shell/reverse_ipv6_tcp Spawn a command shell (staged). Connect back to attacker over IPv6 53 linux/x86/shell/reverse_nonx_tcp Spawn a command shell (staged). Connect back to the attacker 54 linux/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker 55 linux/x86/shell/reverse_tcp_uuid Spawn a command shell (staged). Connect back to the attacker 56 linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shell 57 linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell 58 linux/x86/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'. 59 linux/x86/shell_find_port Spawn a shell on an established connection 60 linux/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe) 61 linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell 62 linux/x86/shell_reverse_tcp2 Connect back to attacker and spawn a command shell
真他妈的多
平台:osx(mac电脑的系统吗:) ) ,可用payload:
1 osx/armle/execute/bind_tcp Spawn a command shell (staged). Listen for a connection 2 osx/armle/execute/reverse_tcp Spawn a command shell (staged). Connect back to the attacker 3 osx/armle/shell/bind_tcp Spawn a command shell (staged). Listen for a connection 4 osx/armle/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker 5 osx/armle/shell_bind_tcp Listen for a connection and spawn a command shell 6 osx/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell 7 osx/armle/vibrate Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller <cmiller[at]securityevaluators.com>. 8 osx/ppc/shell/bind_tcp Spawn a command shell (staged). Listen for a connection 9 osx/ppc/shell/find_tag Spawn a command shell (staged). Use an established connection 10 osx/ppc/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker 11 osx/ppc/shell_bind_tcp Listen for a connection and spawn a command shell 12 osx/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell 13 osx/x64/dupandexecve/bind_tcp dup2 socket in edi, then execve. Listen, read length, read buffer, execute 14 osx/x64/dupandexecve/reverse_tcp dup2 socket in edi, then execve. Connect, read length, read buffer, execute 15 osx/x64/exec Execute an arbitrary command 16 osx/x64/say Say an arbitrary string outloud using Mac OS X text2speech 17 osx/x64/shell_bind_tcp Bind an arbitrary command to an arbitrary port 18 osx/x64/shell_find_tag Spawn a shell on an established connection (proxy/nat safe) 19 osx/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell 20 osx/x86/bundleinject/bind_tcp Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, execute 21 osx/x86/bundleinject/reverse_tcp Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute 22 osx/x86/exec Execute an arbitrary command 23 osx/x86/isight/bind_tcp Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, execute 24 osx/x86/isight/reverse_tcp Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute 25 osx/x86/shell_bind_tcp Listen for a connection and spawn a command shell 26 osx/x86/shell_find_port Spawn a shell on an established connection 27 osx/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell 28 osx/x86/vforkshell/bind_tcp Call vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, execute 29 osx/x86/vforkshell/reverse_tcp Call vfork() if necessary and spawn a command shell (staged). Connect, read length, read buffer, execute 30 osx/x86/vforkshell_bind_tcp Listen for a connection, vfork if necessary, and spawn a command shell 31 osx/x86/vforkshell_reverse_tcp Connect back to attacker, vfork if necessary, and spawn a command shell
挺想用用这个payload做实验呢,就是找不到mac电脑~~~
运行环境:python,php,ruby, 可用Payload:
1 php/bind_perl Listen for a connection and spawn a command shell via perl (persistent) 2 php/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent) over IPv6 3 php/bind_php Listen for a connection and spawn a command shell via php 4 php/bind_php_ipv6 Listen for a connection and spawn a command shell via php (IPv6) 5 php/download_exec Download an EXE from an HTTP URL and execute it 6 php/exec Execute a single system command 7 php/meterpreter/bind_tcp Run a meterpreter server in PHP. Listen for a connection 8 php/meterpreter/bind_tcp_ipv6 Run a meterpreter server in PHP. Listen for a connection over IPv6 9 php/meterpreter/bind_tcp_ipv6_uuid Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support 10 php/meterpreter/bind_tcp_uuid Run a meterpreter server in PHP. Listen for a connection with UUID Support 11 php/meterpreter/reverse_tcp Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions 12 php/meterpreter/reverse_tcp_uuid Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions 13 php/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter server (PHP) 14 php/reverse_perl Creates an interactive shell via perl 15 php/reverse_php Reverse PHP connect back shell with checks for disabled functions 16 php/shell_findsock Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes. 17 python/meterpreter/bind_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection 18 python/meterpreter/bind_tcp_uuid Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection with UUID Support 19 python/meterpreter/reverse_http Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP 20 python/meterpreter/reverse_https Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP using SSL 21 python/meterpreter/reverse_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker 22 python/meterpreter/reverse_tcp_uuid Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker with UUID Support 23 python/meterpreter_bind_tcp Connect to the victim and spawn a Meterpreter shell 24 python/meterpreter_reverse_http Connect back to the attacker and spawn a Meterpreter shell 25 python/meterpreter_reverse_https Connect back to the attacker and spawn a Meterpreter shell 26 python/meterpreter_reverse_tcp Connect back to the attacker and spawn a Meterpreter shell 27 python/shell_reverse_tcp Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3 28 python/shell_reverse_tcp_ssl Creates an interactive shell via python, uses SSL, encodes with base64 by design. 29 ruby/shell_bind_tcp Continually listen for a connection and spawn a command shell via Ruby 30 ruby/shell_bind_tcp_ipv6 Continually listen for a connection and spawn a command shell via Ruby 31 ruby/shell_reverse_tcp Connect back and create a command shell via Ruby 32 ruby/shell_reverse_tcp_ssl Connect back and create a command shell via Ruby, uses SSL
重点来了 Windows:
1 windows/adduser Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special) 2 windows/dllinject/bind_hidden_ipknock_tcp Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 3 windows/dllinject/bind_hidden_tcp Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host. 4 windows/dllinject/bind_ipv6_tcp Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86) 5 windows/dllinject/bind_ipv6_tcp_uuid Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86) 6 windows/dllinject/bind_nonx_tcp Inject a DLL via a reflective loader. Listen for a connection (No NX) 7 windows/dllinject/bind_tcp Inject a DLL via a reflective loader. Listen for a connection (Windows x86) 8 windows/dllinject/bind_tcp_rc4 Inject a DLL via a reflective loader. Listen for a connection 9 windows/dllinject/bind_tcp_uuid Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86) 10 windows/dllinject/find_tag Inject a DLL via a reflective loader. Use an established connection 11 windows/dllinject/reverse_hop_http Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. 12 windows/dllinject/reverse_http Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet) 13 windows/dllinject/reverse_http_proxy_pstore Inject a DLL via a reflective loader. Tunnel communication over HTTP 14 windows/dllinject/reverse_ipv6_tcp Inject a DLL via a reflective loader. Connect back to the attacker over IPv6 15 windows/dllinject/reverse_nonx_tcp Inject a DLL via a reflective loader. Connect back to the attacker (No NX) 16 windows/dllinject/reverse_ord_tcp Inject a DLL via a reflective loader. Connect back to the attacker 17 windows/dllinject/reverse_tcp Inject a DLL via a reflective loader. Connect back to the attacker 18 windows/dllinject/reverse_tcp_allports Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly) 19 windows/dllinject/reverse_tcp_dns Inject a DLL via a reflective loader. Connect back to the attacker 20 windows/dllinject/reverse_tcp_rc4 Inject a DLL via a reflective loader. Connect back to the attacker 21 windows/dllinject/reverse_tcp_rc4_dns Inject a DLL via a reflective loader. Connect back to the attacker 22 windows/dllinject/reverse_tcp_uuid Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support 23 windows/dllinject/reverse_winhttp Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp) 24 windows/dns_txt_query_exec Performs a TXT query against a series of DNS record(s) and executes the returned payload 25 windows/download_exec Download an EXE from an HTTP(S)/FTP URL and execute it 26 windows/exec Execute an arbitrary command 27 windows/format_all_drives This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume. 28 windows/loadlibrary Load an arbitrary library path 29 windows/messagebox Spawns a dialog via MessageBox using a customizable title, text & icon 30 windows/meterpreter/bind_hidden_ipknock_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 31 windows/meterpreter/bind_hidden_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. 32 windows/meterpreter/bind_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86) 33 windows/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection with UUID Support (Windows x86) 34 windows/meterpreter/bind_nonx_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (No NX) 35 windows/meterpreter/bind_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86) 36 windows/meterpreter/bind_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection 37 windows/meterpreter/bind_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86) 38 windows/meterpreter/find_tag Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Use an established connection 39 windows/meterpreter/reverse_hop_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. 40 windows/meterpreter/reverse_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows wininet) 41 windows/meterpreter/reverse_http_proxy_pstore Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP 42 windows/meterpreter/reverse_https Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows wininet) 43 windows/meterpreter/reverse_https_proxy Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy support 44 windows/meterpreter/reverse_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker over IPv6 45 windows/meterpreter/reverse_nonx_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker (No NX) 46 windows/meterpreter/reverse_ord_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 47 windows/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 48 windows/meterpreter/reverse_tcp_allports Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) 49 windows/meterpreter/reverse_tcp_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 50 windows/meterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 51 windows/meterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 52 windows/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support 53 windows/meterpreter/reverse_winhttp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp) 54 windows/meterpreter/reverse_winhttps Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows winhttp) 55 windows/meterpreter_bind_tcp Connect to victim and spawn a Meterpreter shell 56 windows/meterpreter_reverse_http Connect back to attacker and spawn a Meterpreter shell 57 windows/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter shell 58 windows/meterpreter_reverse_ipv6_tcp Connect back to attacker and spawn a Meterpreter shell 59 windows/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shell 60 windows/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service 61 windows/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service 62 windows/patchupdllinject/bind_hidden_ipknock_tcp Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 63 windows/patchupdllinject/bind_hidden_tcp Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host. 64 windows/patchupdllinject/bind_ipv6_tcp Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86) 65 windows/patchupdllinject/bind_ipv6_tcp_uuid Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86) 66 windows/patchupdllinject/bind_nonx_tcp Inject a custom DLL into the exploited process. Listen for a connection (No NX) 67 windows/patchupdllinject/bind_tcp Inject a custom DLL into the exploited process. Listen for a connection (Windows x86) 68 windows/patchupdllinject/bind_tcp_rc4 Inject a custom DLL into the exploited process. Listen for a connection 69 windows/patchupdllinject/bind_tcp_uuid Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86) 70 windows/patchupdllinject/find_tag Inject a custom DLL into the exploited process. Use an established connection 71 windows/patchupdllinject/reverse_ipv6_tcp Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6 72 windows/patchupdllinject/reverse_nonx_tcp Inject a custom DLL into the exploited process. Connect back to the attacker (No NX) 73 windows/patchupdllinject/reverse_ord_tcp Inject a custom DLL into the exploited process. Connect back to the attacker 74 windows/patchupdllinject/reverse_tcp Inject a custom DLL into the exploited process. Connect back to the attacker 75 windows/patchupdllinject/reverse_tcp_allports Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly) 76 windows/patchupdllinject/reverse_tcp_dns Inject a custom DLL into the exploited process. Connect back to the attacker 77 windows/patchupdllinject/reverse_tcp_rc4 Inject a custom DLL into the exploited process. Connect back to the attacker 78 windows/patchupdllinject/reverse_tcp_rc4_dns Inject a custom DLL into the exploited process. Connect back to the attacker 79 windows/patchupdllinject/reverse_tcp_uuid Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support 80 windows/patchupmeterpreter/bind_hidden_ipknock_tcp Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 81 windows/patchupmeterpreter/bind_hidden_tcp Inject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. 82 windows/patchupmeterpreter/bind_ipv6_tcp Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86) 83 windows/patchupmeterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL (staged). Listen for an IPv6 connection with UUID Support (Windows x86) 84 windows/patchupmeterpreter/bind_nonx_tcp Inject the meterpreter server DLL (staged). Listen for a connection (No NX) 85 windows/patchupmeterpreter/bind_tcp Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86) 86 windows/patchupmeterpreter/bind_tcp_rc4 Inject the meterpreter server DLL (staged). Listen for a connection 87 windows/patchupmeterpreter/bind_tcp_uuid Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86) 88 windows/patchupmeterpreter/find_tag Inject the meterpreter server DLL (staged). Use an established connection 89 windows/patchupmeterpreter/reverse_ipv6_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6 90 windows/patchupmeterpreter/reverse_nonx_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX) 91 windows/patchupmeterpreter/reverse_ord_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker 92 windows/patchupmeterpreter/reverse_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker 93 windows/patchupmeterpreter/reverse_tcp_allports Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) 94 windows/patchupmeterpreter/reverse_tcp_dns Inject the meterpreter server DLL (staged). Connect back to the attacker 95 windows/patchupmeterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL (staged). Connect back to the attacker 96 windows/patchupmeterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL (staged). Connect back to the attacker 97 windows/patchupmeterpreter/reverse_tcp_uuid Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support 98 windows/powershell_bind_tcp Listen for a connection and spawn an interactive powershell session 99 windows/powershell_reverse_tcp Listen for a connection and spawn an interactive powershell session 100 windows/shell/bind_hidden_ipknock_tcp Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 101 windows/shell/bind_hidden_tcp Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. 102 windows/shell/bind_ipv6_tcp Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86) 103 windows/shell/bind_ipv6_tcp_uuid Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86) 104 windows/shell/bind_nonx_tcp Spawn a piped command shell (staged). Listen for a connection (No NX) 105 windows/shell/bind_tcp Spawn a piped command shell (staged). Listen for a connection (Windows x86) 106 windows/shell/bind_tcp_rc4 Spawn a piped command shell (staged). Listen for a connection 107 windows/shell/bind_tcp_uuid Spawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86) 108 windows/shell/find_tag Spawn a piped command shell (staged). Use an established connection 109 windows/shell/reverse_ipv6_tcp Spawn a piped command shell (staged). Connect back to the attacker over IPv6 110 windows/shell/reverse_nonx_tcp Spawn a piped command shell (staged). Connect back to the attacker (No NX) 111 windows/shell/reverse_ord_tcp Spawn a piped command shell (staged). Connect back to the attacker 112 windows/shell/reverse_tcp Spawn a piped command shell (staged). Connect back to the attacker 113 windows/shell/reverse_tcp_allports Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) 114 windows/shell/reverse_tcp_dns Spawn a piped command shell (staged). Connect back to the attacker 115 windows/shell/reverse_tcp_rc4 Spawn a piped command shell (staged). Connect back to the attacker 116 windows/shell/reverse_tcp_rc4_dns Spawn a piped command shell (staged). Connect back to the attacker 117 windows/shell/reverse_tcp_uuid Spawn a piped command shell (staged). Connect back to the attacker with UUID Support 118 windows/shell_bind_tcp Listen for a connection and spawn a command shell 119 windows/shell_bind_tcp_xpfw Disable the Windows ICF, then listen for a connection and spawn a command shell 120 windows/shell_hidden_bind_tcp Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not comming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the shellcode. 121 windows/shell_reverse_tcp Connect back to attacker and spawn a command shell 122 windows/speak_pwned Causes the target to say "You Got Pwned" via the Windows Speech API 123 windows/upexec/bind_hidden_ipknock_tcp Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 124 windows/upexec/bind_hidden_tcp Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. 125 windows/upexec/bind_ipv6_tcp Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86) 126 windows/upexec/bind_ipv6_tcp_uuid Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86) 127 windows/upexec/bind_nonx_tcp Uploads an executable and runs it (staged). Listen for a connection (No NX) 128 windows/upexec/bind_tcp Uploads an executable and runs it (staged). Listen for a connection (Windows x86) 129 windows/upexec/bind_tcp_rc4 Uploads an executable and runs it (staged). Listen for a connection 130 windows/upexec/bind_tcp_uuid Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86) 131 windows/upexec/find_tag Uploads an executable and runs it (staged). Use an established connection 132 windows/upexec/reverse_ipv6_tcp Uploads an executable and runs it (staged). Connect back to the attacker over IPv6 133 windows/upexec/reverse_nonx_tcp Uploads an executable and runs it (staged). Connect back to the attacker (No NX) 134 windows/upexec/reverse_ord_tcp Uploads an executable and runs it (staged). Connect back to the attacker 135 windows/upexec/reverse_tcp Uploads an executable and runs it (staged). Connect back to the attacker 136 windows/upexec/reverse_tcp_allports Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) 137 windows/upexec/reverse_tcp_dns Uploads an executable and runs it (staged). Connect back to the attacker 138 windows/upexec/reverse_tcp_rc4 Uploads an executable and runs it (staged). Connect back to the attacker 139 windows/upexec/reverse_tcp_rc4_dns Uploads an executable and runs it (staged). Connect back to the attacker 140 windows/upexec/reverse_tcp_uuid Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support 141 windows/vncinject/bind_hidden_ipknock_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 142 windows/vncinject/bind_hidden_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. 143 windows/vncinject/bind_ipv6_tcp Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection (Windows x86) 144 windows/vncinject/bind_ipv6_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection with UUID Support (Windows x86) 145 windows/vncinject/bind_nonx_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection (No NX) 146 windows/vncinject/bind_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86) 147 windows/vncinject/bind_tcp_rc4 Inject a VNC Dll via a reflective loader (staged). Listen for a connection 148 windows/vncinject/bind_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Listen for a connection with UUID Support (Windows x86) 149 windows/vncinject/find_tag Inject a VNC Dll via a reflective loader (staged). Use an established connection 150 windows/vncinject/reverse_hop_http Inject a VNC Dll via a reflective loader (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. 151 windows/vncinject/reverse_http Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows wininet) 152 windows/vncinject/reverse_http_proxy_pstore Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP 153 windows/vncinject/reverse_ipv6_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker over IPv6 154 windows/vncinject/reverse_nonx_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker (No NX) 155 windows/vncinject/reverse_ord_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker 156 windows/vncinject/reverse_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker 157 windows/vncinject/reverse_tcp_allports Inject a VNC Dll via a reflective loader (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) 158 windows/vncinject/reverse_tcp_dns Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker 159 windows/vncinject/reverse_tcp_rc4 Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker 160 windows/vncinject/reverse_tcp_rc4_dns Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker 161 windows/vncinject/reverse_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support 162 windows/vncinject/reverse_winhttp Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows winhttp) 163 windows/x64/exec Execute an arbitrary command (Windows x64) 164 windows/x64/loadlibrary Load an arbitrary x64 library path 165 windows/x64/meterpreter/bind_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection (Windows x64) 166 windows/x64/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection with UUID Support (Windows x64) 167 windows/x64/meterpreter/bind_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection (Windows x64) 168 windows/x64/meterpreter/bind_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection with UUID Support (Windows x64) 169 windows/x64/meterpreter/reverse_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet) 170 windows/x64/meterpreter/reverse_https Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet) 171 windows/x64/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64) 172 windows/x64/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker with UUID Support (Windows x64) 173 windows/x64/meterpreter/reverse_winhttp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 winhttp) 174 windows/x64/meterpreter/reverse_winhttps Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTPS (Windows x64 winhttp) 175 windows/x64/meterpreter_bind_tcp Connect to victim and spawn a Meterpreter shell 176 windows/x64/meterpreter_reverse_http Connect back to attacker and spawn a Meterpreter shell 177 windows/x64/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter shell 178 windows/x64/meterpreter_reverse_ipv6_tcp Connect back to attacker and spawn a Meterpreter shell 179 windows/x64/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shell 180 windows/x64/powershell_bind_tcp Listen for a connection and spawn an interactive powershell session 181 windows/x64/powershell_reverse_tcp Listen for a connection and spawn an interactive powershell session 182 windows/x64/shell/bind_ipv6_tcp Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64) 183 windows/x64/shell/bind_ipv6_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64) 184 windows/x64/shell/bind_tcp Spawn a piped command shell (Windows x64) (staged). Listen for a connection (Windows x64) 185 windows/x64/shell/bind_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64) 186 windows/x64/shell/reverse_tcp Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64) 187 windows/x64/shell/reverse_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64) 188 windows/x64/shell_bind_tcp Listen for a connection and spawn a command shell (Windows x64) 189 windows/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell (Windows x64) 190 windows/x64/vncinject/bind_ipv6_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection (Windows x64) 191 windows/x64/vncinject/bind_ipv6_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64) 192 windows/x64/vncinject/bind_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64) 193 windows/x64/vncinject/bind_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64) 194 windows/x64/vncinject/reverse_http Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet) 195 windows/x64/vncinject/reverse_https Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet) 196 windows/x64/vncinject/reverse_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64) 197 windows/x64/vncinject/reverse_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64) 198 windows/x64/vncinject/reverse_winhttp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 winhttp) 199 windows/x64/vncinject/reverse_winhttps Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp)
