MSFconsole核心命令教程
MSFconsole有许多不同的命令选项可供选择。以下是Metasploit命令的核心组合,并参考其格式。
back 从当前上下文返回banner 显示一个很棒的metasploit横幅
cd 更改当前的工作目录color 切换颜色connect 与主机通信edit 使用或 EDITOR编辑当前模块exit 退出控制台
get 特定于上下文的变量的值
getg 获取全局变量的值
go_pro 启动Metasploit Web GUIgrep Grep另一个命令的输出help 菜单info 显示有关一个或多个模块的信息irb 进入irb脚本模式jobs 显示和管理工作kill 杀死一份工作load 加载一个框架插件
loadpath 搜索并加载路径中的模块
makerc 保存从开始到文件输入的命令
popm 将最新的模块从堆栈弹出并使其处于活动状态
previous 将之前加载的模块设置为当前模块
pushm 将活动或模块列表推入模块堆栈
quit 退出控制台
reload_all 重新加载所有定义的模块路径中的所有模块
rename_job 重命名作业
resource 运行存储在文件中的命令route 通过会话路由流量
save 保存活动的数据存储search 搜索模块名称和说明sessions 转储会话列表并显示有关会话的信息set 将特定于上下文的变量设置为一个值setg 将全局变量设置为一个值show 显示给定类型的模块或所有模块
sleep 在指定的秒数内不执行任何操作
spool 将控制台输出写入文件以及屏幕
threads 查看和操作后台线程unload 卸载框架插件unset 取消设置一个或多个特定于上下文的变量
unsetg 取消设置一个或多个全局变量use 按名称选择模块
version 显示框架和控制台库版本号
back
一旦你完成了一个特定的模块的工作,或者你无意中选择了错误的模块,你可以发出back命令移出当前的上下文。但是,这不是必需的。就像在商用路由器中一样,您可以从其他模块中切换模块。提醒一下,变量只有在全球范围内设定后才能继续。
msf auxiliary(ms09_001_write) > back msf >banner
只需显示随机选择的横幅
msf > banner ______________________________________________________________________________ | | | 3Kom SuperHack II Logon | |______________________________________________________________________________| | | | | | | | User Name: [ security ] | | | | Password: [ ] | | | | | | | | [ OK ] | |______________________________________________________________________________| | | | https://metasploit.com | |______________________________________________________________________________| =[ metasploit v4.16.8-dev ] + -- --=[ 1684 exploits - 964 auxiliary - 299 post ] + -- --=[ 498 payloads - 40 encoders - 10 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]check
支持它的漏洞并不多,但也有一个check选项,用于检查目标是否容易受到特定漏洞攻击,而不是实际利用漏洞。
msf exploit(ms08_067_netapi) > show options Module options (exploit/windows/smb/ms08_067_netapi): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 172.16.194.134 yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(ms08_067_netapi) > check [*] Verifying vulnerable status... (path: 0x0000005a) [*] System is not vulnerable (status: 0x00000000) [*] The target is not exploitable. msf exploit(ms08_067_netapi) >color
如果通过msfconsole获得的输出将包含颜色,则可以启用或禁用颜色输出。
msf > color Usage: color Enable or disable color output. msf > color falseconnect
msfconsole内置了一个微型Netcat克隆,它支持SSL,代理服务器,枢纽和文件传输。
通过使用IP地址和端口号发出connect命令,您可以像使用Netcat或Telnet一样,从msfconsole连接到远程主机。
msf > connect 192.168.1.1 23 [*] Connected to 192.168.1.1:23 DD-WRT v24 std (c) 2018 NewMedia-NET GmbH Release: 04/17/18 (SVN revision: 10011) DD-WRT login:您可以通过发出“-h”参数来查看所有附加选项。
msf > connect -h用法
connect [选项]描述:
与主机通信,类似于通过netcat进行交互,利用任何配置的会话透视。选项:
-C 尝试将CRLF用于EOL序列。
-P 指定源端口。
-S 指定源地址。
-c 指定使用哪个Comm。
-h 帮助横幅。
-i 发送文件的内容。
-p 使用的代理列表。
-s 使用SSL连接。
-u 切换到UDP套接字。
-w 定连接超时。
-z 试着连接,然后返回。
edit
该edit命令将edit与或 EDITOR当前模块。默认情况下,这将在Vim中打开当前模块。
msf > use exploit/windows/smb/ms10_061_spoolss msf exploit(ms10_061_spoolss) > edit [*] Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/windows_error' class Metasploit3 > Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB include Msf::Exploit::EXE include Msf::Exploit::WbemExec def initialize(info = {})exit
在exit命令会退出msfconsole。
msf exploit(ms10_061_spoolss) > exit root@kali:~#grep
该grep的命令类似的Linux的grep。它匹配来自另一个msfconsole命令输出的给定模式。
以下是使用grep从包含字符串“oracle”的模块搜索中匹配包含字符串“http”的输出的示例。
msf > grep用法:
grep [options] pattern cmd
grep [选项] 匹配词 命令描述:
grep控制台命令的结果(类似于Linux grep命令)选项:
-A 显示输出的参数行匹配后。
-B 在匹配前显示输出的参数行。
-c 仅打印匹配行数。
-h 帮助横幅。
-i 忽略大小写。
-k 在输出开始处保持(包含)arg行。
-m 在arg匹配后停止。
-s 在尝试匹配之前跳过输出的arg行。
-v 反转匹配。
msf > grep http search oracle auxiliary/scanner/http/oracle_demantra_database_credentials_leak 2014-02-28 normal Oracle Demantra Database Credentials Leak auxiliary/scanner/http/oracle_demantra_file_retrieval 2014-02-28 normal Oracle Demantra Arbitrary File Retrieval with Authentication Bypass auxiliary/scanner/http/oracle_ilom_login normal Oracle ILO Manager Login Brute Force Utility exploit/multi/http/glassfish_deployer 2011-08-04 excellent Sun/Oracle GlassFish Server Authenticated Code Execution exploit/multi/http/oracle_ats_file_upload 2016-01-20 excellent Oracle ATS Arbitrary File Upload exploit/multi/http/oracle_reports_rce 2014-01-15 great Oracle Forms and Reports Remote Code Execution exploit/windows/http/apache_chunked 2002-06-19 good Apache Win32 Chunked Encoding exploit/windows/http/bea_weblogic_post_bof 2008-07-17 great Oracle Weblogic Apache Connector POST Request Buffer Overflow exploit/windows/http/oracle9i_xdb_pass 2003-08-18 great Oracle 9i XDB HTTP PASS Overflow (win32) exploit/windows/http/oracle_beehive_evaluation 2010-06-09 excellent Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability exploit/windows/http/oracle_beehive_prepareaudiotoplay 2015-11-10 excellent Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload exploit/windows/http/oracle_btm_writetofile 2012-08-07 excellent Oracle Business Transaction Management FlashTunnelService Remote Code Execution exploit/windows/http/oracle_endeca_exec 2013-07-16 excellent Oracle Endeca Server Remote Command Execution exploit/windows/http/oracle_event_processing_upload 2014-04-21 excellent Oracle Event Processing FileUploadServlet Arbitrary File Upload exploit/windows/http/osb_uname_jlist 2010-07-13 excellent Oracle Secure Backup Authentication Bypass/Command Injection Vulnerabilityhelp
该help命令会给你所有可用命令的列表和小描述。
msf > help 核心命令
命令说明
? 帮助菜单
banner 显示一个很棒的metasploit横幅
cd 更改当前的工作目录
color 切换颜色
connect 与主机通信
...略...
数据库后端命令
命令说明
db_connect 连接到现有的数据库
db_disconnect 断开与当前数据库实例的连接
db_export 导出包含数据库内容的文件
db_import 导入扫描结果文件(文件类型将被自动检测)
...略...
info
该info命令将提供包括所有选项,目标和其它信息的特定模块的详细信息。请务必在使用之前始终阅读模块说明,因为有些可能会产生不希望的效果。
info命令还提供了以下信息:
- 作者和许可信息
- 漏洞引用(即:CVE,BID等)
- 模块可能具有的任何有效负载限制
msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index msf exploit(ms09_050_smb2_negotiate_func_index) > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index [-] Invalid module: info Name: MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index Platform: Windows Privileged: Yes License: Metasploit Framework License (BSD) Rank: Good Disclosed: 2009-09-07 Provided by: Laurent Gaffie hdm sf Available targets: Id Name -- ---- 0 Windows Vista SP1/SP2 and Server 2008 (x86) Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes The target port (TCP) WAIT 180 yes The number of seconds to wait for the attack to complete. Payload information: Space: 1024 Description: This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw. References: https://technet.microsoft.com/en-us/library/security/MS09-050 https://cvedetails.com/cve/CVE-2009-3103/ http://www.securityfocus.com/bid/36299 OSVDB (57799) http://seclists.org/fulldisclosure/2009/Sep/0039.html http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx msf exploit(ms09_050_smb2_negotiate_func_index) >irb
运行irb命令将会让你进入一个真实的Ruby解释器shell,你可以在其中发布命令并创建Metasploit脚本。这个特性对于理解框架的内部也很有用。
msf > irb [*] Starting IRB shell... >> puts "Hello, metasploit!" Hello, metasploit! => nil >> Framework::Version => "4.16.8-dev"jobs
jobs是在后台运行的模块。该jobs命令提供列出和终止这些jobs的能力。
msf > jobs -h用法:
jobs [选项]描述:
积极的jobs操作和交互。选项:
-K 终止所有正在运行的作业。
-S 行搜索过滤器。
-h 帮助横幅。
-i 列出有关正在运行的作业的详细信息。
-k 按作业ID和/或范围终止作业。
-l 列出所有正在运行的作业。
-v 打印更多详细信息。与-i和-l一起使用
kill
使用jobs ID提供的kill命令将会终止任何正在运行的jobs。和linux中的kill相似;
msf exploit(ms10_002_aurora) > kill 0 Stopping job: 0... [*] Server stopped.load
该load命令加载从Metasploit工具的插件 插件目录。参数在shell上以key = val的形式传递。
msf > load用法:
load [var=val var=val ...]描述:
从提供的路径加载插件。选项:
有关内置插件的列表,请执行以下操作:load -l
可选的var = val选项是可以传递给插件的自定义参数。
msf > load pcap_log [*] PcapLog plugin loaded. [*] Successfully loaded plugin: pcap_log msf >loadpath
该loadpath命令将加载第三部分模块树的路径,这样你可以在你的0-day,encoders(编码器),payloads(有效载荷)等成为一个Metasploit拥有更多漏洞工具集合;
msf > loadpath /home/secret/modules Loaded 0 modules.unload
相反,unload命令会卸载先前加载的插件并删除所有扩展的命令。
msf > unload pcap_log Unloading plugin pcap_log...unloaded.resource
该resource命令运行资源(批)可以通过msfconsole载入的文件。
msf > resource用法:
resource path1 [path2 ...]描述:
运行存储在提供的文件中的命令。资源文件也可能包含代码之间的ruby代码。
另见:makerc
一些攻击,如Karmetasploit,使用资源文件在运行一组命令karma.rc文件中创建的攻击。稍后,我们将讨论在Karmetasploit之外,这可能非常有用。
msf > resource karma.rc [*] Processing karma.rc for ERB directives. resource (karma.rc_.txt)> db_connect postgres:[[email protected]](/cdn-cgi/l/email-protection)/msfbook resource (karma.rc_.txt)> use auxiliary/server/browser_autopwn ...略...批处理文件可以大大加快测试和开发时间,并允许用户自动完成许多任务。除了从msfconsole加载批处理文件外,还可以使用-r标志在启动时传递它们。
下面的简单示例创建一个批处理文件,以在启动时显示Metasploit版本号。
root@kali:~# echo version > version.rc root@kali:~# msfconsole -r version.rc IIIIII dTb.dTb _.---._ II 4' v 'B .'"".'/|\`.""'. II 6. .P : .' / | \ `. : II 'T;. .;P' '.' / | \ `.' II 'T; ;P' `. / | \ .' IIIIII 'YvP' `-.__|__.-' I love shells --egypt =[ metasploit v4.16.8-dev ] + -- --=[ 1684 exploits - 964 auxiliary - 299 post ] + -- --=[ 498 payloads - 40 encoders - 10 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] [*] Processing version.rc for ERB directives. resource (version.rc)> version Framework: 4.16.8-dev Console : 4.16.8-devroute
Metasploit中的“route”命令允许您通过session或'comm'路由套接字,从而提供基本的旋转功能。要添加路由,请传递目标子网和网络掩码,然后传递session (comm) 号码。
msf > route -h 通过提供的会话将流量发往指定的子网。用法:
route [add/remove] subnet netmask [comm/sid]
route [add/remove] cidr [comm/sid]
route [get]
route [flush]
route [print]子命令:
add - 制作新路线
remove - 删除路线; 'del'是一个别名
flush - 删除所有路线
get - 显示给定目标的路线
print - 显示所有活动路线例子:
通过session 1为从192.168.0.0到192.168.0.0的所有主机添加路由
route add 192.168.0.0 255.255.255.0 1
route add 192.168.0.0/24 1
删除上述路线
route remove 192.168.0.0/24 1
route del 192.168.0.0 255.255.255.0 1
显示将用于给定主机或网络的路线
route get 192.168.0.11
meterpreter > route Network routes ============== Subnet Netmask Gateway ------ ------- ------- 0.0.0.0 0.0.0.0 172.16.1.254 127.0.0.0 255.0.0.0 127.0.0.1 172.16.1.0 255.255.255.0 172.16.1.100 172.16.1.100 255.255.255.255 127.0.0.1 172.16.255.255 255.255.255.255 172.16.1.100 224.0.0.0 240.0.0.0 172.16.1.100 255.255.255.255 255.255.255.255 172.16.1.100search
msfconsole包含广泛的基于正则表达式的搜索功能。如果您对所查找内容有一个大致的了解,则可以通过搜索进行搜索。在下面的输出中,正在搜索MS Bulletin MS09-011。搜索功能将在模块名称,描述,引用等内找到该字符串。
请注意,Metasploit模块的命名约定使用下划线和连字符。
msf > search usermap_script Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Executionhelp
您可以使用内置的关键字系统进一步优化您的搜索。
msf > help search用法:
search [关键字]关键词:
app:客户端或服务器攻击的模块
author:这个作者写的模块
bid:具有匹配的Bugtraq ID的模块
cve:具有匹配CVE ID的模块
edb:具有匹配的Exploit-DB ID的模块
name:具有匹配描述性名称的模块
platform:影响这个平台的模块
ref:具有匹配参考的模块
type:特定类型的模块(exploit,auxiliary或post)例子:
search cve:2009 type:exploit app:client
name
要使用描述性名称进行搜索,请使用name关键字。
msf > search name:mysql Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/admin/mysql/mysql_enum normal MySQL Enumeration Module auxiliary/admin/mysql/mysql_sql normal MySQL SQL Generic Query auxiliary/analyze/jtr_mysql_fast normal John the Ripper MySQL Password Cracker (Fast Mode) auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal MySQL Authentication Bypass Password Dump auxiliary/scanner/mysql/mysql_file_enum normal MYSQL File/Directory Enumerator auxiliary/scanner/mysql/mysql_hashdump normal MYSQL Password Hashdump auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility auxiliary/scanner/mysql/mysql_schemadump normal MYSQL Schema Dump auxiliary/scanner/mysql/mysql_version normal MySQL Server Version Enumeration auxiliary/scanner/mysql/mysql_writable_dirs normal MYSQL Directory Write Test auxiliary/server/capture/mysql normal Authentication Capture: MySQL exploit/linux/mysql/mysql_yassl_getname 2010-01-25 good MySQL yaSSL CertDecoder::GetName Buffer Overflow exploit/linux/mysql/mysql_yassl_hello 2008-01-04 good MySQL yaSSL SSL Hello Message Buffer Overflow exploit/windows/mysql/mysql_mof 2012-12-01 excellent Oracle MySQL for Microsoft Windows MOF Execution exploit/windows/mysql/mysql_payload 2009-01-16 excellent Oracle MySQL for Microsoft Windows Payload Execution exploit/windows/mysql/mysql_start_up 2012-12-01 excellent Oracle MySQL for Microsoft Windows FILE Privilege Abuse exploit/windows/mysql/mysql_yassl_hello 2008-01-04 average MySQL yaSSL SSL Hello Message Buffer Overflow exploit/windows/mysql/scrutinizer_upload_exec 2012-07-27 excellent Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credentialplatform
您可以使用platform将搜索范围缩小到影响特定platform(平台)的模块。
msf > search platform:aix Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/aix/local/ibstat_path 2013-09-24 excellent ibstat $PATH Privilege Escalation exploit/aix/rpc_cmsd_opcode21 2009-10-07 great AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow exploit/aix/rpc_ttdbserverd_realpath 2009-06-17 great ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX) payload/aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline payload/aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline payload/aix/ppc/shell_interact normal AIX execve Shell for inetd payload/aix/ppc/shell_reverse_tcp normal AIX Command Shell, Reverse TCP Inline post/aix/hashdump normal AIX Gather Dump Password Hashes post/multi/manage/sudo normal Multiple Linux / Unix Post Sudo Upgrade Shell post/multi/recon/local_exploit_suggester normal Multi Recon Local Exploit Suggestertype
使用该type可以按模块类型进行过滤,如auxiliary(辅助),post(提交),exploit(利用)等。
msf > search type:post Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- post/linux/gather/checkvm normal Linux Gather Virtual Environment Detection post/linux/gather/enum_cron normal Linux Cron Job Enumeration post/linux/gather/enum_linux normal Linux Gather System Information ...略...author
使用author关键字搜索可让您搜索您最喜爱的作者的模块。
msf > search author:dookie Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/osx/http/evocam_webserver 2010-06-01 average MacOS X EvoCam HTTP GET Buffer Overflow exploit/osx/misc/ufo_ai 2009-10-28 average UFO: Alien Invasion IRC Client Buffer Overflow exploit/windows/browser/amaya_bdo 2009-01-28 normal Amaya Browser v11.0 'bdo' Tag Overflow exploit/windows/browser/communicrypt_mail_activex 2010-05-19 great CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow exploit/windows/browser/mozilla_reduceright 2011-06-21 normal Mozilla Firefox Array.reduceRight() Integer Overflow exploit/windows/browser/nctaudiofile2_setformatlikesample 2007-01-24 normal NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow exploit/windows/fileformat/a_pdf_wav_to_mp3 2010-08-17 normal A-PDF WAV to MP3 v1.0.0 Buffer Overflow exploit/windows/fileformat/adobe_illustrator_v14_eps 2009-12-03 great Adobe Illustrator CS4 v14.0.0 exploit/windows/fileformat/audio_wkstn_pls 2009-12-08 good Audio Workstation 6.4.2.4.3 pls Buffer Overflow exploit/windows/fileformat/audiotran_pls 2010-01-09 good Audiotran 1.4.1 (PLS File) Stack Buffer Overflow exploit/windows/fileformat/fatplayer_wav 2010-10-18 normal Fat Player Media Player 0.6b0 Buffer Overflow exploit/windows/fileformat/feeddemon_opml 2009-02-09 great FeedDemon Stack Buffer Overflow exploit/windows/fileformat/foxit_title_bof 2010-11-13 great Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow exploit/windows/fileformat/ideal_migration_ipj 2009-12-05 great PointDev IDEAL Migration Buffer Overflow exploit/windows/fileformat/millenium_mp3_pls 2009-07-30 great Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow exploit/windows/fileformat/somplplayer_m3u 2010-01-22 great S.O.M.P.L 1.0 Player Buffer Overflow exploit/windows/fileformat/varicad_dwb 2010-03-17 great VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow exploit/windows/fileformat/wm_downloader_m3u 2010-07-28 normal WM Downloader 3.1.2.2 Buffer Overflow exploit/windows/ftp/trellian_client_pasv 2010-04-11 normal Trellian FTP Client 3.01 PASV Remote Buffer Overflow exploit/windows/ftp/xftp_client_pwd 2010-04-22 normal Xftp FTP Client 3.0 PWD Remote Buffer Overflow exploit/windows/misc/eureka_mail_err 2009-10-22 normal Eureka Email 2.2q ERR Remote Buffer Overflow exploit/windows/misc/hp_omniinet_4 2011-06-29 good HP OmniInet.exe Opcode 20 Buffer Overflow exploit/windows/misc/nettransport 2010-01-02 normal NetTransport Download Manager 2.90.510 Buffer Overflow exploit/windows/misc/ufo_ai 2009-10-28 average UFO: Alien Invasion IRC Client Buffer Overflowmultiple
您还可以将multiple关键字组合在一起以进一步缩小返回的结果。
msf > search cve:2011 author:jduck platform:linux Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/linux/misc/netsupport_manager_agent 2011-01-08 average NetSupport Manager Agent Remote Buffer Overflowsessions
该sessions命令可以列出,互动,并杀死催生了sessions。sessions可以是shell,Meterpreter会话,VNC等。
msf > sessions -h用法:
sessions [选项] 或 sessions [ID]描述:
活动的会话操作和交互。选项:
-C 对使用-i或全部给定的会话运行Meterpreter命令
-K 终止所有会话
-c 在由-i或全部给定的会话上运行命令
-h 帮助横幅
-i 与提供的会话ID进行交互
-k 按会话ID和/或范围终止会话
-l 列出所有活动会话
-q 安静模式
-r 重置用-i或全部给定的会话的环形缓冲区
-s 在与-i或全部给定的会话上运行脚本
-t 设置响应超时(默认值:15)
-u 在许多平台上将shell升级到meterpreter会话
-v 以详细模式列出会话
-x 在会话表中显示扩展信息
许多选项允许使用逗号和破折号指定会话范围。例如:
sessions -s checkvm -i 1,3-5 或者 sessions -k 1-2,5,6
要列出任何活动会话,请将 **-l **选项传递给sessions。
msf exploit(3proxy) > sessions -l Active sessions =============== Id Description Tunnel -- ----------- ------ 1 Command shell 192.168.1.101:33191 -> 192.168.1.104:4444要与给定的会话进行交互,只需使用' **-i **'开关,然后使用sessions的Id号码。
msf exploit(3proxy) > sessions -i 1 [*] Starting interaction with 1... C:WINDOWSsystem32>set
该set命令允许您配置框架选项和参数为你正在使用的当前模块。
msf auxiliary(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.194.134 RHOST => 172.16.194.134 msf auxiliary(ms09_050_smb2_negotiate_func_index) > show options Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 172.16.194.134 yes The target address RPORT 445 yes The target port WAIT 180 yes The number of seconds to wait for the attack to complete. Exploit target: Id Name -- ---- 0 Windows Vista SP1/SP2 and Server 2008 (x86)Metasploit还允许您设置“encoder(编码器)”以在运行时使用。如果您不确定哪种“payload(有效负载”)编码方法适用于给定的漏洞攻击,那么这对于攻击开发尤其有用。
msf exploit(ms09_050_smb2_negotiate_func_index) > show encoders Compatible Encoders =================== Name Disclosure Date Rank Description ---- --------------- ---- ----------- generic/eicar manual The EICAR Encoder generic/none normal The "none" Encoder x86/add_sub manual Add/Sub Encoder x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder x86/avoid_underscore_tolower manual Avoid underscore/tolower x86/avoid_utf8_tolower manual Avoid UTF8/tolower x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder x86/bmp_polyglot manual BMP Polyglot x86/call4_dword_xor normal Call+4 Dword XOR Encoder x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder x86/context_stat manual stat(2)-based Context Keyed Payload Encoder x86/context_time manual time(2)-based Context Keyed Payload Encoder x86/countdown normal Single-byte XOR Countdown Encoder x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder x86/nonalpha low Non-Alpha Encoder x86/nonupper low Non-Upper Encoder x86/opt_sub manual Sub Encoder (optimised) x86/service manual Register Service x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder x86/single_static_bit manual Single Static Bit x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoderunset
当然,set命令的相反部分是unset的。unset会删除以前使用set进行配置的参数。您可以全部取消全部删除所有分配的变量。
msf > set RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24 msf > set THREADS 50 THREADS => 50 msf > set Global ====== Name Value ---- ----- RHOSTS 192.168.1.0/24 THREADS 50 msf > unset THREADS Unsetting THREADS... msf > unset all Flushing datastore... msf > set Global ====== No entries in data store.setg
为了在pentest中节省大量输入,可以在msfconsole中设置全局变量。你可以用setg命令来做到这一点。一旦这些设置完成,您就可以在任意多个漏洞利用和辅助模块中使用它们。您也可以将它们保存下次启动msfconsole时使用。然而,陷阱是忘记了你已经保存了全局变量,所以在运行或利用之前总是检查你的选项。相反,您可以使用unsetg命令取消设置全局变量。在下面的例子中,变量以全部大写形式输入(即:LHOST),但Metasploit不区分大小写,因此没有必要这样做。
msf> setg LHOST 192.168.1.101 LHOST => 192.168.1.101 msf> setg RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24 msf> setg RHOST 192.168.1.136 RHOST => 192.168.1.136设置完不同的变量后,您可以运行save命令来保存当前的环境和设置。保存设置后,它们将在启动时自动加载,这样就不必再次设置所有内容。
msf > save Saved configuration to: /root/.msf4/config msf >show
在msfconsole提示符下输入show会显示Metasploit中的每个模块。
msf > show Encoders ======== Name Disclosure Date Rank Description ---- --------------- ---- ----------- cmd/generic_sh good Generic Shell Variable Substitution Command Encoder cmd/ifs low Generic ${IFS} Substitution Command Encoder cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder ...略...您可以使用许多show命令,但您最常使用的命令是:show auxiliary, show exploits, show payloads, show encoders 和 **show nops **.
auxiliary
执行show exploits将显示Metasploit中所有可用辅助模块的列表。如前所述,辅助模块包括扫描器,拒绝服务模块,模糊器等。
msf > show auxiliary Auxiliary ========= Name Disclosure Date Rank Description ---- --------------- ---- ----------- admin/2wire/xslt_password_reset 2007-08-15 normal 2Wire Cross-Site Request Forgery Password Reset Vulnerability admin/backupexec/dump normal Veritas Backup Exec Windows Remote File Access admin/backupexec/registry normal Veritas Backup Exec Server Registry Access ...略...exploits
自然,显示“exploits(漏洞利用)”将是你最感兴趣的命令,因为Metasploit的核心是关于漏洞。运行显示漏洞获取框架中包含的所有漏洞列表。
msf > show exploits Exploits ======== Name Disclosure Date Rank Description ---- --------------- ---- ----------- aix/rpc_cmsd_opcode21 2009-10-07 great AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow aix/rpc_ttdbserverd_realpath 2009-06-17 great ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX) bsdi/softcart/mercantec_softcart 2004-08-19 great Mercantec SoftCart CGI Overflow ...略...MSFconsole Payloads
运行显示Payloads将显示Metasploit中所有可用平台的所有不同Payloads。
msf > show payloads Payloads ======== Name Disclosure Date Rank Description ---- --------------- ---- ----------- aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline aix/ppc/shell_interact normal AIX execve shell for inetd ...略...payloads
正如你所看到的,有很多可用的payloads。幸运的是,当您处于特定漏洞利用的模块时,运行的show payload将仅显示与该漏洞兼容的payloads。
例如,如果它是Windows漏洞利用,则不会显示Linux的“payloads(有效负载)”。
msf exploit(ms08_067_netapi) > show payloads Compatible Payloads =================== Name Disclosure Date Rank Description ---- --------------- ---- ----------- generic/custom normal Custom Payload generic/debug_trap normal Generic x86 Debug Trap generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline ...略...options
如果您选择了特定模块,则可以发出show options命令来显示该特定模块可用和/或必需的设置。
msf exploit(ms08_067_netapi) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Exploit target: Id Name -- ---- 0 Automatic Targetingtargets
如果您不确定操作系统是否容易受到特定漏洞攻击,请在漏洞利用模块的上下文中运行show targets命令以查看哪些目标受支持。
msf exploit(ms08_067_netapi) > show targets Exploit targets: Id Name -- ---- 0 Automatic Targeting 1 Windows 2000 Universal 10 Windows 2003 SP1 Japanese (NO NX) 11 Windows 2003 SP2 English (NO NX) 12 Windows 2003 SP2 English (NX) ...略...advanced
如果您希望进一步微调漏洞,可以通过运行show advanced来查看更多高级选项。
msf exploit(ms08_067_netapi) > show advanced Module advanced options (exploit/windows/smb/ms08_067_netapi): Name Current Setting Required Description ---- --------------- -------- ----------- CHOST no The local client address CPORT no The local client port ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection ContextInformationFile no The information file that contains context information DCERPC::ReadTimeout 10 yes The number of seconds to wait for DCERPC responses DisablePayloadHandler false no Disable the handler code for the selected payload EnableContextEncoding false no Use transient context when encoding payloads NTLM::SendLM true yes Always send the LANMAN response (except when NTLMv2_session is specified) NTLM::SendNTLM true yes Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses NTLM::SendSPN true yes Send an avp of type SPN in the ntlmv2 client blob, this allows authentication on Windows 7+/Server 2008 R2+ when SPN is required NTLM::UseLMKey false yes Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent NTLM::UseNTLM2_session true yes Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session NTLM::UseNTLMv2 true yes Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true Proxies no A proxy chain of format type:host:port[,type:host:port][...] SMB::ChunkSize 500 yes The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing SMB::Native_LM Windows 2000 5.0 yes The Native LM to send during authentication SMB::Native_OS Windows 2000 2195 yes The Native OS to send during authentication SMB::VerifySignature false yes Enforces client-side verification of server response signatures SMBDirect true no The target port is a raw SMB service (not NetBIOS) SMBDomain . no The Windows domain to use for authentication SMBName *SMBSERVER yes The NetBIOS hostname (required for port 139 connections) SMBPass no The password for the specified username SMBUser no The username to authenticate as SSL false no Negotiate SSL/TLS for outgoing connections SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH" SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER) SSLVersion Auto no Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, SSL2, SSL3, SSL23, TLS, TLS1, TLS1.1, TLS1.2) VERBOSE false no Enable detailed status messages WORKSPACE no Specify the workspace for this module WfsDelay 0 no Additional delay when waiting for a sessionencoders
正在运行show encoders将显示MSF中可用“encoders(编码器)”的列表。
msf > show encoders Encoders ======== Name Disclosure Date Rank Description ---- --------------- ---- ----------- cmd/echo good Echo Command Encoder cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder cmd/ifs low Generic ${IFS} Substitution Command Encoder cmd/perl normal Perl Command Encoder cmd/powershell_base64 excellent Powershell Base64 Command Encoder cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder generic/eicar manual The EICAR Encoder generic/none normal The "none" Encoder mipsbe/byte_xori normal Byte XORi Encoder mipsbe/longxor normal XOR Encoder mipsle/byte_xori normal Byte XORi Encoder mipsle/longxor normal XOR Encoder php/base64 great PHP Base64 Encoder ppc/longxor normal PPC LongXOR Encoder ppc/longxor_tag normal PPC LongXOR Encoder sparc/longxor_tag normal SPARC DWORD XOR Encoder x64/xor normal XOR Encoder x64/zutto_dekiru manual Zutto Dekiru x86/add_sub manual Add/Sub Encoder x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder x86/avoid_underscore_tolower manual Avoid underscore/tolower x86/avoid_utf8_tolower manual Avoid UTF8/tolower x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder x86/bmp_polyglot manual BMP Polyglot x86/call4_dword_xor normal Call+4 Dword XOR Encoder x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder x86/context_stat manual stat(2)-based Context Keyed Payload Encoder x86/context_time manual time(2)-based Context Keyed Payload Encoder x86/countdown normal Single-byte XOR Countdown Encoder x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder x86/nonalpha low Non-Alpha Encoder x86/nonupper low Non-Upper Encoder x86/opt_sub manual Sub Encoder (optimised) x86/service manual Register Service x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder x86/single_static_bit manual Single Static Bit x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encodernops
最后,运行 **show nops **命令将显示Metasploit必须提供的“NOP(空指令)”生成器。
msf > show nops NOP Generators ============== Name Disclosure Date Rank Description ---- --------------- ---- ----------- aarch64/simple normal Simple armle/simple normal Simple mipsbe/better normal Better php/generic normal PHP Nop Generator ppc/simple normal Simple sparc/random normal SPARC NOP Generator tty/generic normal TTY Nop Generator x64/simple normal Simple x86/opty2 normal Opty2 x86/single_byte normal Single Byteuse
当您决定使用某个特定模块时,请发出use命令来选择它。在使用命令改变你的需要选择的模块,露出特定类型的命令。在下面的输出中注意,之前设置的全局变量已经被配置。
msf > use dos/windows/smb/ms09_001_write msf auxiliary(ms09_001_write) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port msf auxiliary(ms09_001_write) >
为你铺好的HACKWAY
长按扫码上车
你点的每个在看,我都认真当成了喜欢
6068
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
