MSF 后渗透 流量分析

MSF_Meterpreter_Traffic_Parser

MSF_Meterpreter_Traffic_Parser

Posted by taomujian on October 8, 2023

前言

最近在攻防世界刷以往的CTF题目时,有道Misc题目叫做抓住了个黑客,是要分析MSF流量的,解密获得flag,题目给出了RSA私钥,又恰逢最近又在研究Cobalt Strike魔改以及免杀,参考网上公开的已有信息进行整理总结本文章.

首先官方地址已经给出了Meterpreter的默认通信协议的流程与大概的组成结构.

组成部分

1
2

Values: [XOR KEY][session guid][encryption flags][packet length][packet type][ .... TLV packets go here .... ]
Size:   [   4   ][    16      ][      4       ][       4     ][     4     ][ ....          N          .... ]

XOR KEY

前4个字节是异或用到的密钥,用开始的4字节异或密钥对后续报文进行异或解密,得到32字节的报文头

session guid

会话id,占用16个字节,用来区分会话.在无有效负载的情况下,session guid的值为null,当会话建立时,会生成一个session guid并将其传递给Meterpreter实例.

encryption flags

加密标志位,占用4个字节,用来区分此数据包是否已被加密以及用什么加密.然后如果无加密,包类型之后的数据是TLV报文,否则包类型之后的数据前16位是AES加解密用到的IV,然后才是是TLV报文,这个报文需要用AES(CBC模式,key、iv)解密后才能得到数据.例如,如果加密标志是AES256即值为1,它看起来像这样:

1
2

Values: ... [packet length][packet type][AES IV][ .... encrypted TLV .... ]
Size:   ... [       4     ][     4     ][  16  ][ ....        N      .... ]

加密标志位的值共有3种,如下

类型 含义
ENC_FLAG_NONE 0 不加密
ENC_FLAG_AES256 1 AES-256加密
ENC_FLAG_AES128 2 AES-128加密

packet length

标志着这个数据包的长度为多少,占用4个字节.

packet type

标志着这个数据包的类型是什么,占用4个字节.

数据包的类型如下:

类型 含义
PACKET_TYPE_REQUEST 0 请求报文
PACKET_TYPE_RESPONSE 1 响应保文
PACKET_TYPE_PLAIN_REQUEST 10 明文请求包
PACKET_TYPE_PLAIN_RESPONSE 11 明文响应包

TLV

是一个数据结构,一个报文中有多个这样的数据结构,用于传递具体的信息.每个TLV中包含type、length、payload等信息.

TLV具体的类型的值在源码中并不是直接给出的,而是要和一些常量进行或运算得到,用到的常量如下:

类型 含义
TLV_META_TYPE_NONE 0 | 空  
TLV_META_TYPE_STRING 1 « 16 | 字符串  
TLV_META_TYPE_UINT 1 « 17 | 单元  
TLV_META_TYPE_RAW 1 « 18 | 原始  
TLV_META_TYPE_BOOL 1 « 19 | 布尔  
TLV_META_TYPE_QWORD 1 « 20 | 四字  
TTLV_META_TYPE_COMPRESSED 1 « 29 | 压缩  
TLV_META_TYPE_GROUP 1 « 30 | 组  
TLV_META_TYPE_COMPLEX 1 « 31 | 复杂  

TLV具体的类型如下:

类型 计算公式 含义
TLV_TYPE_ANY TLV_META_TYPE_NONE | 0 0 任意值
TLV_TYPE_COMMAND_ID TLV_META_TYPE_UINT | 1 1 命令id
TLV_TYPE_REQUEST_ID TLV_META_TYPE_STRING | 2 2 请求id
TLV_TYPE_EXCEPTION TLV_META_TYPE_GROUP | 3 3 异常的值
TLV_TYPE_RESULT TLV_META_TYPE_UINT | 4 4 结果的值
TLV_TYPE_STRING TLV_META_TYPE_STRING | 10 10 字符串
TLV_TYPE_UINT TLV_META_TYPE_UINT | 11 11 单元
TLV_TYPE_BOOL TLV_META_TYPE_BOOL | 12 12 布尔
TLV_TYPE_LENGTH TLV_META_TYPE_UINT | 25 25 长度
TLV_TYPE_DATA TLV_META_TYPE_RAW | 26 26 任意数据
TLV_TYPE_FLAGS TLV_META_TYPE_UINT | 27 27 标志
TLV_TYPE_CHANNEL_ID TLV_META_TYPE_UINT | 50 50 渠道id
TLV_TYPE_CHANNEL_TYPE TLV_META_TYPE_STRING | 51 51 渠道类型
TLV_TYPE_CHANNEL_DATA TLV_META_TYPE_RAW | 52 52 渠道数据
TLV_TYPE_CHANNEL_DATA_GROUP TLV_META_TYPE_GROUP | 53 53 渠道数据组
TLV_TYPE_CHANNEL_CLASS TLV_META_TYPE_UINT | 54 54 渠道类
TLV_TYPE_CHANNEL_PARENTID TLV_META_TYPE_UINT | 55 55 渠道类型
TLV_TYPE_SEEK_WHENCE TLV_META_TYPE_UINT | 70 70 寻找的开始时间
TLV_TYPE_SEEK_OFFSET TLV_META_TYPE_UINT | 71 71 寻找偏移量
TLV_TYPE_SEEK_POS TLV_META_TYPE_UINT | 72 72 寻找位置
TLV_TYPE_EXCEPTION_CODE TLV_META_TYPE_UINT | 300 300 异常代码
TLV_TYPE_EXCEPTION_STRING TLV_META_TYPE_STRING | 301 301 异常的值
TLV_TYPE_LIBRARY_PATH TLV_META_TYPE_STRING | 400 400 加载包的路径
TLV_TYPE_TARGET_PATH TLV_META_TYPE_STRING | 401 401 目标路径
TLV_TYPE_MIGRATE_PID TLV_META_TYPE_UINT | 402 402 迁移目标的进程号
TLV_TYPE_MIGRATE_PAYLOAD TLV_META_TYPE_RAW | 404 404 迁移的payload
TLV_TYPE_MIGRATE_ARCH TLV_META_TYPE_UINT | 405 405 迁移目标的架构
TLV_TYPE_MIGRATE_BASE_ADDR TLV_META_TYPE_UINT | 407 407 迁移目标的基址
TLV_TYPE_MIGRATE_ENTRY_POINT TLV_META_TYPE_UINT | 408 408 迁移目标的入口点
TLV_TYPE_MIGRATE_SOCKET_PATH TLV_META_TYPE_STRING | 409 409 domain套接字路径,在linux上迁移目标中使用
TLV_TYPE_MIGRATE_STUB TLV_META_TYPE_RAW | 411 411 迁移存根
TLV_TYPE_LIB_LOADER_NAME TLV_META_TYPE_STRING | 412 412 反射加载函数路径
TLV_TYPE_LIB_LOADER_ORDINAL TLV_META_TYPE_UINT | 413 413 反射加载函数序数
TLV_TYPE_TRANS_TYPE TLV_META_TYPE_UINT | 430 430 变换的通信类型
TLV_TYPE_TRANS_URL TLV_META_TYPE_STRING | 431 431 传输使用的新URL
TLV_TYPE_TRANS_UA TLV_META_TYPE_STRING | 432 432 传输使用的 user agent
TLV_TYPE_TRANS_COMM_TIMEOUT TLV_META_TYPE_UINT | 433 433 通信超时时间
TLV_TYPE_TRANS_SESSION_EXP TLV_META_TYPE_UINT | 434 434 回话是否过期
TLV_TYPE_TRANS_CERT_HASH TLV_META_TYPE_RAW | 435 435 证书hash
TLV_TYPE_TRANS_PROXY_HOST TLV_META_TYPE_STRING | 436 436 代理服务器host
TLV_TYPE_TRANS_PROXY_USER TLV_META_TYPE_STRING | 437 437 代理服务器用户
TLV_TYPE_TRANS_PROXY_PASS TLV_META_TYPE_STRING | 438 438 代理服务器密码
TLV_TYPE_TRANS_RETRY_TOTAL TLV_META_TYPE_UINT | 439 439 重连尝试次数
TLV_TYPE_TRANS_RETRY_WAIT TLV_META_TYPE_UINT | 440 440 重连间隔
TLV_TYPE_TRANS_HEADERS TLV_META_TYPE_STRING | 441 441 请求的自定义头
TLV_TYPE_TRANS_GROUP TLV_META_TYPE_GROUP | 442 442 传输组
TLV_TYPE_MACHINE_ID TLV_META_TYPE_STRING | 460 460 机器id
TLV_TYPE_UUID TLV_META_TYPE_RAW | 461 461 uuid
TLV_TYPE_SESSION_GUID TLV_META_TYPE_RAW | 462 462 会话id
TLV_TYPE_RSA_PUB_KEY TLV_META_TYPE_RAW | 550 550 RSA公钥
TLV_TYPE_SYM_KEY_TYPE TLV_META_TYPE_UINT | 551 551 对称密钥类型
TLV_TYPE_SYM_KEY TLV_META_TYPE_RAW | 552 552 对称密钥
TLV_TYPE_ENC_SYM_KEY TLV_META_TYPE_RAW | 553 553 RSA公钥加密对称密钥后的值
TLV_TYPE_PIVOT_ID TLV_META_TYPE_RAW | 650 650 pivot监听器id
TLV_TYPE_PIVOT_STAGE_DATA TLV_META_TYPE_RAW | 651 651 staged在新连接上的数据
TLV_TYPE_PIVOT_NAMED_PIPE_NAME TLV_META_TYPE_STRING | 653 653 pipe名

交换密钥流程

1.用漏洞或者其他方式如钓鱼执行stager

2.stager连接到MSF

3.MSF将一个(比stager小得多的)metsrv DLL发到stager

4.stager下载这个stage(即metsrv DLL),将其复制到RWX内存并调用它

5.metsrv开始执行并接管stager的通信

6.然后,MSF开始AES密钥协商阶段:

  i.MSF生成一个2048位RSA密钥对(公钥和私钥)

  ii.公钥以pem格式添加到数据包中,然后使用命令core_negotiate_aes将数据包发送到Meterpreter.

  iii.Meterpreter接收数据包.如果AES协商功能不存在,则会像往常一样发生”未找到方法”错误.

  iv. 如果支持该命令并且支持公钥处理(此时支持Windows Meterpreter),则:

    a.提取并解析公钥.

    b.使用加密安全随机数生成器生成256位AES密钥.

    c.AES密钥与会话数据存储在Meterpreter的存储器中.

    d.用给出的公钥对AES密钥进行加密,这个加密信息作为初始消息的一部分.

    e.Meterpreter用包含加密后的AES-256密钥的数据包响应MSF.

  v.如果支持该命令但不支持公钥处理(可能不是这种情况,但可能是其他Meterpreter):

    a.生成AES密钥并与Meterpreter会话数据一起存储.

    b.AES密钥可以以明文形式返回.

  vi.MSF接收命令的结果:

    a.如果消息不受支持,则没有AES密钥与会话相关联

    b.如果消息完全受支持,则MSF使用与公钥一起生成的私钥解密AES密钥,并且AES密钥与会话处理程序一起存储.

    c.如果消息部分受支持,则MSF复制明文的AES密钥并将其与会话处理程序一起存储.

    d.在所有情况下,生成的RSA密钥对都会被销毁.

7.如果密钥协商成功,则使用共享的AES密钥加密后面所有的数据包,并且在数据包上设置加密标志.

8.如果密钥协商不成功,后面的的数据包将以纯文本发送,就像平常一样(与此同时仍然会XOR).

解析代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

import zlib
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
from Crypto.Util.number import long_to_bytes

def xor_decrypt(xor_key, data):
    
    """
    进行异或解密
    
    :param str xor_key: 异或用到的key
    :param str data: 要解密的数据
    
    :return str result: 解密后的数据
    
    """
    
    result = b''
    for i in range(0, len(data)):
        result += (data[i] ^ xor_key[i % 4]).to_bytes(1, 'big')

    return result

def get_aes_key(private_key, payload):
    
    """
    利用RSA私钥获得AES KEY
    
    :param str private_key: RSA私钥
    :param str payload: AES被加密后的数据
    
    :return str aes_key: 获取到的AES KEY
    
    """
    
    rsa_key = RSA.import_key(private_key)
    cipher = PKCS1_v1_5.new(rsa_key)
    aes_key = cipher.decrypt(payload, None)
    return aes_key

def parse_packet_header(data):
    
    """
    解析数据包头部信息
    
    :param str data: 数据包头部数据
   
    :return dict packet_header: 解析后的数据
    
    """
    
    packet_header = {}
    packet_header['xor_key'] = data[0:4]
    data = xor_decrypt(packet_header['xor_key'], data[4:32])
    packet_header['session_guid'] = data[0:16].hex()
    packet_header['enc_flags'] = int.from_bytes(data[16:20], 'big')
    packet_header['pkt_length'] = int.from_bytes(data[20:24], 'big')
    packet_header['pkt_type'] = int.from_bytes(data[24:28], 'big')
    return packet_header

def parse_tlv_unit(data):
    
    """
    解析TLV数据结构
    
    :param str data: TLV数据
   
    :return dict tlv_unit: 解析后的数据
    
    """
    
    tlv_unit = {}
    data_header = data[0:8]
    tlv_unit['type'] = int.from_bytes(data_header[4:8], 'big')
    tlv_unit['length'] = int.from_bytes(data_header[0:4], 'big')
    tlv_unit['payload'] = data[8:tlv_unit['length']]
    if tlv_unit['type'] & (1 << 29) == (1 << 29):
        tlv_unit['payload'] = zlib.decompress(tlv_unit['payload'])
        tlv_unit['type'] = tlv_unit['type'] ^ (1 << 29)
    
    return tlv_unit

def run(data, aes_key = b""):
    
    """
    函数主入口
    
    :param int data: 数据包信息
    :param bytes aes_key: aes key
   
    :return dict result: 解析后的数据
    
    """
    
    packet_header = parse_packet_header(data[0:32])
    data_raw = xor_decrypt(packet_header['xor_key'], data[32:])
    # Decrypt packet if enc_flags are set
    if packet_header['enc_flags'] != 0:
        if len(aes_key) != 32:
            raise "Invalid AES Key or AES Key was not set"
        iv = data_raw[0:16]
        cipher = AES.new(aes_key, AES.MODE_CBC, iv)
        data_raw = cipher.decrypt(data_raw[16:])
        
    raw = data_raw
    tlv_units = []
    while len(raw) != 0:
        tlv_unit = parse_tlv_unit(raw)
        raw = raw[tlv_unit['length']:]
        tlv_units.append(tlv_unit)

    result = {
        'xor_key': packet_header['xor_key'], 
        'session_guid': packet_header['session_guid'], 
        'enc_flags': packet_header['enc_flags'], 
        'pkt_length': packet_header['pkt_length'], 
        'pkt_type': packet_header['pkt_type'],
        'tlv_units': tlv_units
    }
    
    return result

if __name__ == '__main__':

    data = 0x2926993adf8c06b90319d8059f51ec99b401f9b42926993a292698b52926993b2926991c2927993b4a49eb5f7648fc5d4652f05b5d43c64e4550c65f4745eb435952f0554726993a290f993b2924ac0e181fac0f1110a90d1f10ab031e13ac081b16aa0f1a16a0031813af0a1f15993a2926953a2b24be3a2926983a2927913a2d24b039ec75e27c93f3e0167fb28dd2c98ea0fd2ff42887d961f4e205a619311cf4b8dd93f189d24b8eb45af277bc76cc0ea8d5a0b3332812e6c8f73cced9f1d32189311dc13c30b80ebf944228979fd974a6ce23aacf386ebb5dbc1ac414a49678e6425944edf4a56f263a9c9e2a80e4d1884b35fc8da6e68bff64d33265350bf3e2b72dc5b0f0580cc12925074fc5505c9cd250b279150b9701cf5b2666ae9d0a0722f8b72aed8ffaa51f43594ebebe13b5bcb75e8a33c8cd396445c0c9da3d5a5b862bde38f62d13afd5387a62abce70e3d4192e3e96996ceaa0d1b0c7796028bdeabfbd8eddd13576f23135e1e7b06a0057a4b07bc786394ba1cd691547fad5db3a2926953a2b269d3a2926993a2926813a2d27542832d93a2fb12d08349729256baeb187
    p = run(long_to_bytes(data))

    for i in p['tlv_units']:
        if i['type'] & 551 == 551:
            # 0x01 => AES256
            sym_key_type = int.from_bytes(i['payload'], 'big')
        if i['type'] & 552 == 552:
            sym_key_value_encrypted = i['payload']

    with open('key.pem', "r") as key_file:
        rsa_private_key = key_file.read()
        
    aes_key = get_aes_key(rsa_private_key, sym_key_value_encrypted)
    print(aes_key)

    print(run(long_to_bytes(0x7e30af14889a3097540fee2bc847dab7e317cf9a7e30af157e30af7c7e30af144a1999b733e68b894ee6b64581a31e4f800f1e2413c6ffabc4690df0ffdf5ad592f3d3de710b43f85611c113dff2d03a4a91fc6cf046cafc37d823f986dee137e05368e717be6acbd31e87435f8bc7601dae969be7b5888050246f2f01b9cab8), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4effd2ab4ef54b835d361e2e784b4e2e9168aa4cd074c5b434009388fb2550a98ee6d49ea108c50b1f1b6c4c17a6fa0b01cd5e04f5fe5ba536da008841f20cef4324fe752f92923ea05e1d683bf991306b6878e301a68c933579c58c47482afc576545cc3cc2610d3f2ee70a3a36404996ff877b3a7756efe57bd043ad32f04ca9a137846cfeb6f53c817f32986117c0f26fc30b60b70a1f072987c80eda747fcc5ae85da2ed3), aes_key))
    print(run(long_to_bytes(0x2926993adf8c06b90319d8059f51ec99b401f9b42926993b292699b22926993b0438eb2dc77a917a03839c6bb9f6afb8192bbf8baf251e45d7f08cb799975ab8c4661cee35f7d4c9c63b7d1607fabdd602313a66d04c4fe8570ddd650eb2e9595358f04c0e781a347ddb62027dea0a0e899709fa3eeaa238600e4abb48d28fce74817d9ce4a627d36b5ee9e9d59719e4ae246ef1d39f8468dbe5ca236dbee597), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4eddd2ab4ef54a64307198e637c0fd0dfc74aad3b1fbcd26e62d8113e05e6af14d5cf78b82c11a0761ba6e95a984da59db055e44b9d5830cf6ec34a0e7ff0686fef9472546c93cd169eebf86e933f424f8a6f116bfa447a286bed01168019eb59eb83f5d455be5bf7fe55c49db5e7752b9b3135d1a4ccb6da5ca2c37af0c9311e6e335bc57642debf54952abd91b589527436429128a062f587edf20a215bf4161253898cc89a146c92c77cc6b34dd782f97007444f674dba89901758b8a7e55f1c82c7f0f0af78b41bae90d0d008518668d7fadf570da991365e09048b70d162b0e0b281cc28df2b64e759e480fa3dab1bb8635f85237205c66d6926fd85c829921956403b454598d57a7185ec80ea7ca1a8494d3c6ed7b7580dfbaaa585f018ca8c8efd5dd15b38e9281c3fc0385312544d7f24cb0fd3e8392fce9f07501028be0b6fa656dccb9247ab9b99fd3ff8cc04199d26398ea7fb4fac7be96769c8fa5f7e0d63cc524f0699104e89c91411d5a2168bbd7b59237b65143f81107667fddc2ba0e5c5382cf4dd672950da2ee088ba8e74039e872d89e69aeca904dac87463bb691075cd888a93d07c9ca792ffc53bd25a8487389a1776ffdfc4232028ea08d5f555d7738574ddd942d95d7cc5d0b086798c991ed140c72257b039a7aa8b61727976c6cd939b3815a4e04e94bafe8d5cb69f9dc11930431207ddc03517ccfd5e4499609b87914c40be1481a5ef174a45ce0fa70e8f6a683a2975a1b6b1905613444dac3ba12e8902d41f6ba2e7c940e347a6fdade78c6560e79f2f2313a90b74af7c1137e0bb3cd9f721af2a13deade2551a4be241b095992a608fb0e5aa063a10207414c2f2c18f7272bcffe0ecac0cfa8b4c2bf2bb3232044cccecaf91ed310d07ca1c), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4ef9d2ab4ef5415d984862f64b0e891b131ecc5d2a06c8ec29332954025fa1b2807cb007edcb73bba65e5c12cb31a40db6b26a4fa05a8d3e5a67d3871228a8cd6b6f6ce75a263823fecc17be818e1bd27a4cc9d512372e5f2f58f0aea4a11bfb631ceee791e0f5682f4dd94fc8b1aa59514037a8d76ff8b8d72ca32c2a299049f9089f430e403b9c64419d1eb8b6577c440bec9a16a5c51081ad4040fa32759ef37740c20a1a3893f511b08d37926ae67abedfa4084d1c3cb97f47a130dea915cd000fb51873c), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4effd2ab4ef549568c9bca4f5201e93dbdb4852d51967a2e9b23cc1a88ce4b2a37950450a8586cde6043906b7803994a8ce6db44ede0258b2b5d29318145c26075ddb963991ad85007119e0ad4de637818aa78e8fbe14631c113894ff87aefc336a427eb6c90cfc4e8b2efb088d63c1a301381cf90270e2b7c96371530800724ed4762f963d17b9ce23ab12cc4d656fbfc999d144f5f7cedee8eb9cc56200d51bede00a242bea), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4eddd2ab4ef54e1a628a81569018cd0f5bf315d7b320e5b77b0f8b8345c79e0fc4594a74a390315f368d3c474883c2aa91a6e0573ff936f5bb5aba31790051bb71dc50bba249affef1b06d4fa9d297abbc5142c40a90d031af7e4cf885d6ad3e09bc0338a8d0e8675b7f332797ec9d87c48b37e8a2e3a75c8f80d78c3de96029eb298203090029a32a858b55714fb5a805dcd52c02734d04d04285f729285ba731207c73ee0c7c2ef52ecb3e973e787cce4fd720c83a3a221f8a98de6180c939785c52fec692acb34f3cf2a36de23a850928dd405afd0abd376c4dac3582153ea8de6e3cdf19fd4706688782e9a48b8b05c591abcc892555e2a061601f73a3498bdcbd1f1baf142a6471065d42312b48ded576689a1bb5bcdb877e8160995be495603a4405e2a2892f2b650760640286b1ad93461909518fd8392929e251157b0c5461825badfa065a42bb12b60bb7bc0fdbd62bc376b188f705e76820e832c0226f536b0c2620ab917dbebb346c9bf01c2a0c81832fed64e6f64407d3d7f051c6c8460900c50d2d8c361f57afb5958888c1bf983bd314ea54697d87ce70b9230837a98398b4d1cba073b86615712078079362f6fb1b0c80e2b25af230ce8016a0b0115607f730195f0811d21db64cc422e5b0f73d6fbcc88a0843fbdbed51db87851c940c99e4a0d72d3fa7604caf585b40b962f93cbd252373b78bbecf891975d8e152358534d999fe0008453b9f6952acccdce89d2f31021f67b5d4ae2099ff7b38d92a9f2f7541e9fcf9a89d9b8146dfbee579bfbd933ca07bb7ba04efda4c24cf5e9ca43afdd5bdaea05677fd293bcd74c31b37b24196f8e0d0be9e79831f7794ea91a52db03e8f35230ed75adbb5a0974380905b510883af3be066a03b984af5effc060), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4ef9d2ab4ef54a74abf08695adaad8be818da14b4dadc981f6157553f5d955e82e35ff422847f969300e94f38c7ec84dcc4fef465f3e62b0fbc142e3761c036cdfe4c5e7a880445ad31a51ee1112a89fec6e8693852d739fbd91d05327c0d6cda8cb26a17c3ae9b43f28774f991afb2545a69210f47d82339c219d7f7bfbd5d76c2a4a82e376ef1d2ff1142a0713b1e055bd6c6c78866e4da63c65cb6d161da9d55222c90984a6295e5b68bf4dce2ce684b9d067c02352b8f3fa457783c911a340f2b9c552fa6), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4effd2ab4ef545042629ac50792c2d9f387304e12245dcb7bc137fcf865d9548f52c1f4b4d7662a2e5b4a04ce32d51bdb99b725807534a9b288fdcce5512a4801b71d7a97de1624de6175b884a4ef080e2b8b39683a98d86cb9ff8ce0e1c1c7300fc582f2ed5d8f8a2b23b77ddb01e65e059738478f9aab61ec7e93f8f17eb1903786ae1c654edaf7ca60cd5c4d7012bffea32c54f5091952d4ddf7573efe77bda7d974bc4bb3), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4eddd2ab4ef54a0c32aa9adca2454808fa09531321b03dade8023acab14d49f4bd36589277683be8ad1f5483cff7411c3db741baca849b7647a94650614d5ca05acadffd7ead06a172d74f279bbcf94a7c1365a1f6c624ae42f39644511bcecdddd516ba7e64280b6ee9300837628b207057b3c1d67abace40bb66ea250c438daac90110725da12c7b4fdca846a84ff3c842355eb5ae9c5814a83f0266e8e304b7c18c99ee2e6dddba999ef6c16bd459f7e5e0133a89f93c139887816477b133e70e333fd2c8187c39b504d983dded4b8d2ed57124dd564ecf36212a8208864dbaa756317d084d85a54066fb1179efb7e1d2ae41d49e5f79691f83676cd6d9d9f7e69ef5be859398c00bbed2dae001f80f7e784ed3ecd37e860a1a0b7eada9cae6cd34a78fd383ffb006597de7a427cf3fe2109edbbc9bbd8a4e58b7e9137c836b0ee899e8228c536e78664cf6f1626a298b635250d1e3c8b67dc33ce96ad33d8562e7bbc2eac3b0268aaec137377fa29542af2ffb940ad168fa6bc28a24d671c71432ac557026f7bd6cb5c4a3d6295ba03f9732138b74c6c0190c6d03cc65ec7ff90dbbd6a033d3d8f464af5523ddc1eec87f4a8920204bea066b62463f7055fc3a3443eb6831e068ff7c7884534c8c961b59ab638cc2c68f996c1e04938e6b36982940470775a8d67842d62db2a8fa297057816e3c1a8494ab8d8605cd363e7b02398f9462b29d4c6ae6d054e34df2de2960da4d2ecdc03da04a8b8c0f0429f5b6d69f654f895d39d538d772a54aa99e6ff4c9f2553a8d562e67de80bb6ce6f7b64f4a15006a97f3e356201b0ec1f35cb01d8e3121658f2f07db46174c1332dcda43e11ea9aab1d6da405ddeea61ebaca8db07aab89dbc971a107144f77d1e34fa5d162da5a), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4ef9d2ab4ef547eeb277e493e9d2dad9be2f9bb47f0b6355a47223f26e74ea01c55dbd02f3a256bebb806798caae2813f140c39b000a2b8d366c28b88bf92e71ba5760993884f3661f258cac484858353a5e430f20ab1ea10e2b9d58a92d395804ac305c8620cc25a0e41c33543723871e32dd2551b740e083d9524d8ab912d7d33ebc574ac103aa3b6d960d6812a40eb371be855151846d027dac6694e01d3ce26bcb648309c721316d0baf1c167a1ff4f21181a4f45fd1bb8b4219047d7cdcbbc0befff021c), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4effd2ab4ef5416d7e52b7aafb3d98d01695ad4dad9c844c16f1f5ab9c6524bd888fa10316d0f8cc027e58ca6abac24105f2b006c5c1687ee80da56344e9915c81c88195897056dbe672a7d5ed6060ca3b079edb8bd7c7137ba8f78160c16fec5ce685439cebd31761f47527f04cf840da0cdb430e5f71f13c6bd45ee04e8aa6670c2f3265b8663c1c9b600f68afd7b943ae566f9e9bf8eab2ea9714bf1fdce89e89e522af060), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4eddd2ab4ef549ed176f02b7f872de8b1a1c09035e4c445e4eefd55f8b21766398cebdbbbac51638200564e211698faade01639890646b5a7df93dbfe2ab6fed342d53fe139f6d698075298003c873a3b394d52d5fa2db04ca3ced01e26f505a9dae196e528cf229390e572fd3c4f49712d4552f182e903e4cab21880065813920d8eb27d40a57b691a8cef7e83abaaec5b6d27b653942481771236a9e1fa96de9fa7013539f4f51a632c7d5377087c1e5ff04ece37e31be0201d8acb15f3ffea099ba7161a8b099fe436babe9ec972f5acd7b1b13c8fc63531a0e48613fe0828f70263c21af801c1cdbae91dc7f05dfd348e9120230dbbe52dfbc7d6f4ff4281a26e04d64ac17be5ffdd46c38bfd4d5f23e536bb976210e764922a9fa1a4a0d32676c2a3ae77376b0fdee2e484877cca94e36d38b7fe4370ab2cd24dd1c1daf37a3025b82c4cdd43808997fbab7ae1bbfb38039f225f238a05c7a43d75d325964cc8709d06e4a0201760bd978ae7719af4f44bde5e55bcfd4cb5e20f71fb9c2ac3bf71eb7b4552f1ea466e11218b291d2311344e72232c71286fc1b41464aff44975bda745c78ae7309c1c6cafdc22833de0585e879d8fa1257421c6372cf5d6159eb927a64b32b4a26f93e119983e1b75dcb51588d666ce3f66078a9f9ed1b843bd82a0d8ba2020869fd49ef9434610961c7d95ce2e43cdf3b4d8cf1a1eaeadcfc0deb5651a6af86cecce1ab15172160eb25c17421e65d34e4efbdd6917860610360b662aa4d7e3fa62157ab07d1e2a2af88f1387fd82df72155f0602ece0ce617215c5bef59a393e0d7cd2572d848510c5c09c78916d6240778f2d2efead1dd1795096554a8100d61bcf1a7d51e5fd22e9633d0673268745990827da0027c7812fbdefb0d1), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4ef9d2ab4ef54f6cf111c29995e8ddf9cfc68568b392a827cbd823b57a5b72e8a5befc5581afc9a3d62dc240ec020910740d3d782ec0d25232da13f1f1634569d749562e8e9c65de0016af28faa98409554e21b7932eb5587670935ddc66138139828832adb339b6e390090432eb4ea1f292ad9918345903aae300c1ece3e8e04b19d3a95856d908975f370b4e4dbb054f7d2b62325e95578df134e23e15478855f5015318f78d6e5cf9ea0808207153432f12f6c916dba4d73a5b603abd5944ff81873278e0c), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4effd2ab4ef548a457a00a50fdd743b833ace6e884f5e1ee7d93e1d5465013006b47661b78a31cb121fddc9cad7539a91d2f876775063efb3517bcadb658160ec961b4482cd1ef4ac797936a9061a48318c67ff7e5d2055f8d2b0e7e5fbca0fef43935e23afe3daaee2c0400d950f96c2a41e3a36dc82b6f02f8ce2031d95fee1c4129e3b11e352afa470bc219fd9ebc0f70cec328071cd9ee9c423559debc72a4b82997bcf72), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4eddd2ab4ef5417935c499443c593861b309077d9bde14d10e835529bf1ae2d48cf5eb8732fe500780aef921e1e4c9d42400ef3aa0d8642e9a53a17cc4115093bdfe64b15af6ddb9ba8a928e8aee3c693712a25cc9776956dd2bd88e2eb1b340e49c7c06004025d4018b5cb963edb72d36335c0e46599684bbacba9be975919d374cf36f8036bc85dc7b6eb28f2db271d89f2a6884850fba6a4223a607cfc6ea27ad5967fbf111193c80dc5651e5875bdde2590d3759c6229012c82f571bac7e9c34278a2c6510c5440a563282078f75437a6b83a2795628747c8a42cd1962d5892a301f240fa0ab2ff2ffdc37fd9c31681c7be58bb211fa2a65656612936aee9610785fba11a8fb5eeffecffd28da7257a06147b8b3f7b4840b9e14ff58a62de5d895a72192db8da9bc8eab0018dba287c2259a2424ef2c07320ecf8333bad402ed073fdfec3a9074e4ac483adffaae6827363292969b0a8b667ce87608c280eea0d588636862e7c685a1098c4cfe5be6ced796dcb68a13dc8d627c0a1507f29118c873538eca45775ff552df3caeeffd83dda2b690c577a4ac2a6b2ee1fb6292f30b92f653817b1347a2511f4ce6b16b8b326561788207153b8e34abe2c01f18084c39d8d112f30abba79c18fd41364dc6569700ba8e50bfd3698c364c980185e41983b5b8a2123e05c8d2d20e8ff344d45eba3a696c168a41828e89dfd52b933ae2fda939115e33388f8d001f222968cdff85014df2a13012e8ed2de7b7e344016a31fe040c4f499b11405331825d792889f6ff88de901bb22c63b3b2ed03230f466dcfd266b9de98a9555e55612be2488cd4725d8dbc082821d5de0579c71755d2f1546e88eb20a0f4bfd15d6ee97a560e73fd9a428af958e2d8f4359ddb89de5d02e387a), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4ef9d2ab4ef54673f20ea63ed7dcee5ad41191624f11654116ea6e529188198f3d8c99fb8c7a4cd02d95c775fcd228293c4e07f457fff20f4dd86beecd707729f7e320557c541568e499880bd3d60edd8d517ef847314fa92add61d1ebad74bb38fe874defc674d5c0a185089963ec494879a56af9fd814a476e41e057c4c1a00a9d1f69e1b7c45bbb769791636ae9a42514c366eee52f9f5346c92c6fa9138845f0c3eaf3a30f3f71c048ee4f9fd3e5dec452cde0bf13794ad43c7c7334c1b841294ed61d3bc), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4effd2ab4ef54bf7b08dd116835468ca87c273505a310dab1059bfd1ba816574d1e3f35f8429788dccf3848b0872bfc5b5d149ca192532ee30b2291bb57fca70ed1fb4f7653445f1c373a74f0e324ea23efdf3c3be17aa51821c4fac4a2b26f73f7ac306ad49b7cbaf5edbdd2e9962a1ee0d3127ae049a5823e8f2ab88879dbb679f37323e1497fdea2d807af51c94a7f8a9a27dbffcc65ee8778848a5315a994b9a7c71c914d), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4efcd2ab4ef543db8b8d5acda5a1235b3ad7d07db722102cd9e53750cef7e31131b2d59afa2206d5adc9c877d8ea88bef37dfdff1ffe46e42443d29429793ab306042ee0b2173de2b24e750a0ec61eae0fb8dc5ba0c9961330cfc253aa550022cbf03120d8561e96d54ff94e08ca352d1c069065caceb101e16845fe69db34893f8cb9f3c1e7749b573c1e3f4f2caf2486620cab399fd), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4efdd2ab4ef54e28b751ce10cff077f8445dfe8ddc32363ccef83833a6e9c72f75026116d0253b77e884b483db4b28ab58a9397911ed8afd892a938b4eaee9806d96c070f1f1e587bca16e8e8e16e2b2af5a530e84cc95221f13ce3c66b391318c11f6740bb16d7216dbf70004cbdf4e451b13cb70223235f7e63a33d32c631f512bd5ca7511b), aes_key))
    print(run(long_to_bytes(0x2ab4ef55dc1e70d6008bae6a9cc39af6b7938fdb2ab4ef542ab4ef8d2ab4ef549df15c8d63e084ea41796e1080c422c10c4af26c0b5563cb3058bd6e4aa3f2cc22de1c6edf7e6468ad7e1ff8fa11bd0d2955218906c89bc9c1aca68485ba41d6c1363d26e1ca77e379eede5843a78cf2890a4a4d48d532564d081638df298d10b5b8e57b4714d29993407e26b857a054f18cbba0769a9d7a3ab9b2fc503b9b4e0f13e3e0e4086d9def861eb75b54df80426839c540b6836702d3585c1d11b1fcc1f56d6a2a58bee99fa22ea3792bd764075cdd0bfe11d2a7953c9174210b35afc3a38ab0ff13abebf06b74046bc902df), aes_key))

总结

以上就是MSF与Meterpreter通信的全流程,以及通信的数据包组成结构.总结看下来,并没有多复杂,加密数据是用RSA+AES结合的方式来进行加密的,关键是二者之间交换AES密钥,同时又为了防止MITM,采用了RSA来交换AES KEY.

参考

https://blog.sparta-en.org/2021/10/10/Meterpreter%E9%80%9A%E8%AE%AF%E5%88%86%E6%9E%90/

https://github.com/rapid7/metasploit-framework/pull/8625

CATALOG
    FEATURED TAGS
    leetcode Struts2 漏洞分析 后渗透 渗透测试 C2 CTF Go Sliver
    FRIENDS