翻译者说明1:本文为Metasploit Unleashed中文版翻译。原文链接:https://www.offensive-security.com/metasploit-unleashed/
翻译者说明2:为减轻翻译负担采用了机器翻译,翻译者从中人工剔除了机翻错误或歧义的问题,但难免会存在小问题,请读者见谅。如发现文章翻译存在问题,可在文章下方评论留言。
翻译者说明3:如果你喜欢这篇翻译,请给关注一下我并给文章点个赞,你的支持是给我工作的最大鼓励。
翻译者说明4:其他章节一并整合在专栏中,如有兴趣可关注专栏了解更多内容。
四、METASPLOIT 基础
2. MSFconsole
a)什么是 MSFconsole?
MSFconsole可能是Metasploit Framework(MSF)最流行的接口。它提供了一个"一体式"集中式控制台,并允许你高效访问 MSF 中几乎所有可用的选项。MSFconsole 乍一看似乎令人生畏,但是一旦你学会了命令的语法,你就会学会欣赏利用这个接口的强大功能。
b)使用 MSFconsole 的好处
- 这是访问Metasploit中大多数功能的唯一受支持方式。
- 为框架提供基于控制台的接口
- 包含最多的功能,是最稳定的 MSF 接口
- 完整的读行支持、选项卡和命令完成
- 可以在 MSFconsole 中执行外部命令:
msf > ping -c 1 192.168.1.100
[*] exec: ping -c 1 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=128 time=10.3 ms
--- 192.168.1.100 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.308/10.308/10.308/0.000 ms
msf >
c)启动 MSFconsole
MSFconsole 是通过从命令行运行 msfconsole 来启动的。MSFconsole 位于 /usr/share/metasploit-framework/msfconsole 目录中。
-q 选项通过以安静模式启动 msfconsole 来删除启动横幅。
root@kali:# msfconsole -q
msf >
d)如何使用命令提示符
可以将 -h 传递给 msfconsole 以查看可用的其他用法选项。
root@kali:~# msfconsole -h
Usage: msfconsole [options]
Common options
-E, --environment ENVIRONMENT The Rails environment. Will use RAIL_ENV environment variable if that is set. Defaults to production if neither option not RAILS_ENV environment variable is set.
Database options
-M, --migration-path DIRECTORY Specify a directory containing additional DB migrations
-n, --no-database Disable database support
-y, --yaml PATH Specify a YAML file containing database settings
Framework options
-c FILE Load the specified configuration file
-v, --version Show version
Module options
--defer-module-loads Defer module loading unless explicitly asked.
-m, --module-path DIRECTORY An additional module path
Console options:
-a, --ask Ask before exiting Metasploit or accept 'exit -y'
-d, --defanged Execute the console as defanged
-L, --real-readline Use the system Readline library instead of RbReadline
-o, --output FILE Output to the specified file
-p, --plugin PLUGIN Load a plugin on startup
-q, --quiet Do not print the banner on startup
-r, --resource FILE Execute the specified resource file (- for stdin)
-x, --execute-command COMMAND Execute the specified string as console commands (use ; for multiples)
-h, --help Show this message
在 msf 命令提示符下输入help或 ? 后,将显示可用命令的列表以及这些命令的用途说明。
msf > help
Core Commands
=============
Command Description
------- -----------
? Help menu
advanced Displays advanced options for one or more modules
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
info Displays information about one or more modules
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
rename_job Rename a job
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers
Database Backend Commands
=========================
Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
e)Tab键完成
MSFconsole 旨在快速使用,帮助实现此目标的功能之一是 Tab 键完成。由于可用的模块种类繁多,因此很难记住要使用的特定模块的确切名称和路径。与大多数其他shell一样,输入您知道的内容并按"Tab"将显示可用的选项列表,或者如果只有一个选项,则自动完成字符串。Tab 完成取决于 ruby readline 扩展,控制台中的几乎每个命令都支持 Tab 完成。
- use exploit/windows/dce
- 使用 .netapi.
- 设置主机
- 显示
- 设置目标
- 设置有效载荷窗口/外壳/
- exp
msf > use exploit/windows/smb/ms
use exploit/windows/smb/ms03_049_netapi
use exploit/windows/smb/ms04_007_killbill
use exploit/windows/smb/ms04_011_lsass
use exploit/windows/smb/ms04_031_netdde
use exploit/windows/smb/ms05_039_pnp
use exploit/windows/smb/ms06_025_rasmans_reg
use exploit/windows/smb/ms06_025_rras
use exploit/windows/smb/ms06_040_netapi
use exploit/windows/smb/ms06_066_nwapi
use exploit/windows/smb/ms06_066_nwwks
use exploit/windows/smb/ms06_070_wkssvc
use exploit/windows/smb/ms07_029_msdns_zonename
use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
use exploit/windows/smb/ms10_046_shortcut_icon_dllloader
use exploit/windows/smb/ms10_061_spoolss
use exploit/windows/smb/ms15_020_shortcut_icon_dllloader
msf > use exploit/windows/smb/ms08_067_netapi
MSFconsole是Metasploit最常用的接口。让自己熟悉这些msfconsole 命令将在整个课程中为您提供帮助,并为您提供使用Metasploit的坚实基础。
f)MSFconsole 命令
MSFconsole 有许多不同的命令选项可供选择。以下是一组核心的 Metasploit 命令及其输出。
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
go_pro Launch Metasploit web GUI
grep Grep the output of another command
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
rename_job Rename a job
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers
back 命令
使用完特定模块后,或者无意中选择错误的模块后,可以发出 back 命令以移出当前上下文。但是,这不是必需的。就像在商用路由器中一样,您可以从其他模块中切换模块。提醒一下,变量只有在全局设置时才会结转。
msf auxiliary(ms09_001_write) > back
msf >
banner 命令
仅显示随机选择的banner。
msf > banner
_ _
/ / __ _ __ /_/ __
| | / | _____ ___ _____ | | / _
| | /| | | ___ |- -| / / __ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / - __ | | | | __/| | | |_
|/ |____/ ___/ / \___/ / __| |_ ___
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.
=[ metasploit v4.11.4-2015071402 ]
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops ]
check 命令
支持它的漏洞并不多,但还有一个检查选项,可以检查目标是否容易受到特定漏洞的攻击,而不是实际利用它。
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.194.134 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > check
[*] Verifying vulnerable status... (path: 0x0000005a)
[*] System is not vulnerable (status: 0x00000000)
[*] The target is not exploitable.
msf exploit(ms08_067_netapi) >
color 命令
如果通过 msfconsole 获得的输出将包含颜色,则可以启用或禁用。
msf > color
Usage: color >'true'|'false'|'auto'>
Enable or disable color output.
connect 命令
msfconsole 中内置了一个微型 Netcat 克隆,支持 SSL、代理、透视和文件传输。通过发出带有 IP 地址和端口号的连接命令,您可以从 msfconsole 中连接到远程主机,就像使用 Netcat 或 Telnet 一样。
msf > connect 192.168.1.1 23
[*] Connected to 192.168.1.1:23
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
DD-WRT login:
您可以通过发出 -h 参数来查看所有其他选项。
msf > connect -h
Usage: connect [options]
Communicate with a host, similar to interacting via netcat, taking advantage of
any configured session pivoting.
OPTIONS:
-C Try to use CRLF for EOL sequence.
-P <opt> Specify source port.
-S <opt> Specify source address.
-c <opt> Specify which Comm to use.
-h Help banner.
-i <opt> Send the contents of a file.
-p <opt> List of proxies to use.
-s Connect with SSL.
-u Switch to a UDP socket.
-w <opt> Specify connect timeout.
-z Just try to connect, then return.
msf >
edit 命令
edit命令将使用$ VISUAL或$ EDITOR编辑当前模块。默认情况下,这将在 Vim 中打开当前模块。
msf exploit(ms10_061_spoolss) > edit
[*] Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/windows_error'
class Metasploit3 > Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info = {})
exit 命令
exit命令将仅退出 msfconsole。
msf exploit(ms10_061_spoolss) > exit
root@kali:~#
grep 命令
grep 命令类似于 Linux grep。它与来自另一个 msfconsole 命令输出的给定模式匹配。以下是使用 grep 匹配包含字符串"http"的输出的示例,该输出来自搜索包含字符串"oracle"的模块。
msf > grep
Usage: grep [options] pattern cmd
Grep the results of a console command (similar to Linux grep command)
OPTIONS:
-A <opt&> Show arg lines of output After a match.
-B Show arg lines of output Before a match.
-c Only print a count of matching lines.
-h Help banner.
-i Ignore case.
-k Keep (include) arg lines at start of output.
-m Stop after arg matches.
-s Skip arg lines of output before attempting match.
-v Invert match.
msf >
msf > grep http search oracle
auxiliary/scanner/http/oracle_demantra_database_credentials_leak 2014-02-28 normal Oracle Demantra Database Credentials Leak
auxiliary/scanner/http/oracle_demantra_file_retrieval 2014-02-28 normal Oracle Demantra Arbitrary File Retrieval with Authentication Bypass
auxiliary/scanner/http/oracle_ilom_login normal Oracle ILO Manager Login Brute Force Utility
exploit/multi/http/glassfish_deployer 2011-08-04 excellent Sun/Oracle GlassFish Server Authenticated Code Execution
exploit/multi/http/oracle_ats_file_upload 2016-01-20 excellent Oracle ATS Arbitrary File Upload
exploit/multi/http/oracle_reports_rce 2014-01-15 great Oracle Forms and Reports Remote Code Execution
exploit/windows/http/apache_chunked 2002-06-19 good Apache Win32 Chunked Encoding
exploit/windows/http/bea_weblogic_post_bof 2008-07-17 great Oracle Weblogic Apache Connector POST Request Buffer Overflow
exploit/windows/http/oracle9i_xdb_pass 2003-08-18 great Oracle 9i XDB HTTP PASS Overflow (win32)
exploit/windows/http/oracle_beehive_evaluation 2010-06-09 excellent Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability
exploit/windows/http/oracle_beehive_prepareaudiotoplay 2015-11-10 excellent Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload
exploit/windows/http/oracle_btm_writetofile 2012-08-07 excellent Oracle Business Transaction Management FlashTunnelService Remote Code Execution
exploit/windows/http/oracle_endeca_exec 2013-07-16 excellent Oracle Endeca Server Remote Command Execution
exploit/windows/http/oracle_event_processing_upload 2014-04-21 excellent Oracle Event Processing FileUploadServlet Arbitrary File Upload
exploit/windows/http/osb_uname_jlist 2010-07-13 excellent Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
help 命令
help 命令将为您提供所有可用命令的列表和小描述。
msf > help
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
...snip...
Database Backend Commands
=========================
Command Description
------- -----------
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
...snip...
info 命令
info 命令将提供有关特定模块的详细信息,包括所有选项、目标和其他信息。在使用之前,请务必始终阅读模块说明,因为有些可能会产生不良效果。
info 命令还提供以下信息:
- 作者和许可信息
- 漏洞引用(即:CVE、BID 等)
- 模块可能具有的任何有效负载限制
msf exploit(ms09_050_smb2_negotiate_func_index) > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Version: 14774
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Good
Provided by:
Laurent Gaffie <laurent.gaffie@gmail.com>
hdm <hdm@metasploit.com>
sf <stephen_fewer@harmonysecurity.com>
Available targets:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait for the attack to complete.
Payload information:
Space: 1024
Description:
This module exploits an out of bounds function table dereference in
the SMB request validation code of the SRV2.SYS driver included with
Windows Vista, Windows 7 release candidates (not RTM), and Windows
2008 Server prior to R2. Windows Vista without SP1 does not seem
affected by this flaw.
References:
http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
http://www.securityfocus.com/bid/36299
http://www.osvdb.org/57799
http://seclists.org/fulldisclosure/2009/Sep/0039.html
http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx
msf exploit(ms09_050_smb2_negotiate_func_index) >
irb 命令
运行 irb 命令会将您放入一个实时 Ruby 解释器 shell 中,您可以在其中发出命令并动态创建 Metasploit 脚本。此功能对于了解框架的内部结构也非常有用。
msf > irb
[*] Starting IRB shell...
>> puts "Hello, metasploit!"
Hello, metasploit!
=> nil
>> Framework::Version
=> "4.8.2-2014022601"
jobs 命令
jobs是在后台运行的模块。jobs命令提供了列出和终止这些jobs的功能。
msf > jobs -h
Usage: jobs [options]
Active job manipulation and interaction.
OPTIONS:
-K Terminate all running jobs.
-h Help banner.
-i Lists detailed information about a running job.
-k Terminate the specified job name.
-l List all running jobs.
-v Print more detailed info. Use with -i and -l
msf >
kill 命令
当提供作业 ID 时,kill 命令将终止任何正在运行的作业。
msf exploit(ms10_002_aurora) > kill 0
Stopping job: 0...
[*] Server stopped.
load 命令
load 命令从 Metasploit 的插件目录中加载一个插件。参数在 shell 上作为 key=val 传递。
msf > load
Usage: load [var=val var=val ...]
Loads a plugin from the supplied path. If path is not absolute, first looks
in the user's plugin directory (/root/.msf4/plugins) then
in the framework root plugin directory (/usr/share/metasploit-framework/plugins).
The optional var=val options are custom parameters that can be passed to plugins.
msf > load pcap_log
[*] PcapLog plugin loaded.
[*] Successfully loaded plugin: pcap_log
loadpath 命令
loadpath 命令将为该路径加载一个由第三部分组成的模块树,以便您可以将 Metasploit 指向您的 0 day漏洞利用、编码器、有效负载等。
msf > loadpath /home/secret/modules
Loaded 0 modules.
unload 命令
相反,unload命令卸载以前加载的插件并删除所有扩展命令。
msf > unload pcap_log
Unloading plugin pcap_log...unloaded.
resource 命令
resource命令运行可通过 msfconsole 加载的资源(批处理)文件。
msf > resource
Usage: resource path1 [path2 ...]
Run the commands stored in the supplied files. Resource files may also contain
ruby code between tags.
See also: makerc
某些攻击(如 Karmetasploit)使用资源文件在 karma.rc 文件中运行一组命令来创建攻击。稍后,我们将讨论在Karmetasploit之外,这如何非常有用。
msf > resource karma.rc
[*] Processing karma.rc for ERB directives.
resource (karma.rc_.txt)> db_connect postgres:toor@127.0.0.1/msfbook
resource (karma.rc_.txt)> use auxiliary/server/browser_autopwn
...snip...
批处理文件可以大大加快测试和开发时间,并允许用户自动执行许多任务。除了从 msfconsole 中加载批处理文件之外,还可以在启动时使用 -r 标志传递批处理文件。下面的简单示例创建一个批处理文件,以在启动时显示 Metasploit 版本号。
root@kali:~# echo version > version.rc
root@kali:~# msfconsole -r version.rc
_ _
/ / __ _ __ /_/ __
| | / | _____ ___ _____ | | / _
| | /| | | ___ |- -| / / __ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / - __ | | | | __/| | | |_
|/ |____/ ___/ / \___/ / __| |_ ___
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.
=[ metasploit v4.8.2-2014021901 [core:4.8 api:1.0] ]
+ -- --=[ 1265 exploits - 695 auxiliary - 202 post ]
+ -- --=[ 330 payloads - 32 encoders - 8 nops ]
[*] Processing version.rc for ERB directives.
resource (version.rc)> version
Framework: 4.8.2-2014022601
Console : 4.8.2-2014022601.15168
msf >
route 命令
Metasploit中的route命令允许您通过会话或"通信"路由套接字,从而提供基本的透视功能。若要添加路由,请传递目标子网和网络掩码,后跟会话 (comm) 编号。
meterpreter > route -h
Route traffic destined to a given subnet through a supplied session.
Usage:
route [add/remove] subnet netmask [comm/sid]
route [add/remove] cidr [comm/sid]
route [get]
route [flush]
route [print]
Subcommands:
add - make a new route
remove - delete a route; 'del' is an alias
flush - remove all routes
get - display the route for a given target
print - show all active routes
Examples:
Add a route for all hosts from 192.168.0.0 to 192.168.0.0 through session 1
route add 192.168.0.0 255.255.255.0 1
route add 192.168.0.0/24 1
Delete the above route
route remove 192.168.0.0/24 1
route del 192.168.0.0 255.255.255.0 1
Display the route that would be used for the given host or network
route get 192.168.0.11
meterpreter >
meterpreter > route
Network routes
==============
Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 172.16.1.254
127.0.0.0 255.0.0.0 127.0.0.1
172.16.1.0 255.255.255.0 172.16.1.100
172.16.1.100 255.255.255.255 127.0.0.1
172.16.255.255 255.255.255.255 172.16.1.100
224.0.0.0 240.0.0.0 172.16.1.100
255.255.255.255 255.255.255.255 172.16.1.100
search 命令
msfconsole 包括一个广泛的基于正则表达式的搜索功能。如果您对要查找的内容有大致了解,则可以通过search进行搜索。在下面的输出中,正在搜索 MS 公告 MS09-011。搜索函数将在模块名称、描述、引用等中找到此字符串。
请注意,Metasploit 模块的命名约定使用下划线而不是连字符。
msf > search usermap_script
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
msf >
help 命令
您可以使用内置的关键字系统进一步优化搜索。
msf > help search
Usage: search [keywords]
Keywords:
app : Modules that are client or server attacks
author : Modules written by this author
bid : Modules with a matching Bugtraq ID
cve : Modules with a matching CVE ID
edb : Modules with a matching Exploit-DB ID
name : Modules with a matching descriptive name
platform : Modules affecting this platform
ref : Modules with a matching ref
type : Modules of a specific type (exploit, auxiliary, or post)
Examples:
search cve:2009 type:exploit app:client
msf >
name 关键字
若要使用描述性名称进行搜索,请使用 name 关键字。
msf > search name:mysql
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/mysql/mysql_enum normal MySQL Enumeration Module
auxiliary/admin/mysql/mysql_sql normal MySQL SQL Generic Query
auxiliary/analyze/jtr_mysql_fast normal John the Ripper MySQL Password Cracker (Fast Mode)
auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal MySQL Authentication Bypass Password Dump
auxiliary/scanner/mysql/mysql_hashdump normal MYSQL Password Hashdump
auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility
auxiliary/scanner/mysql/mysql_schemadump normal MYSQL Schema Dump
auxiliary/scanner/mysql/mysql_version normal MySQL Server Version Enumeration
exploit/linux/mysql/mysql_yassl_getname 2010-01-25 good MySQL yaSSL CertDecoder::GetName Buffer Overflow
exploit/linux/mysql/mysql_yassl_hello 2008-01-04 good MySQL yaSSL SSL Hello Message Buffer Overflow
exploit/windows/mysql/mysql_payload 2009-01-16 excellent Oracle MySQL for Microsoft Windows Payload Execution
exploit/windows/mysql/mysql_yassl_hello 2008-01-04 average MySQL yaSSL SSL Hello Message Buffer Overflow
msf >
platform 关键字
您可以使用platform将搜索范围缩小到影响特定平台的模块。
msf > search platform:aix
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
payload/aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline
payload/aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline
payload/aix/ppc/shell_interact normal AIX execve shell for inetd
...snip...
type 关键字
使用type可以按模块类型(如auxiliary<辅助模块>、post、exploit<漏洞利用模块>等)进行筛选。
msf > search type:post
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
post/linux/gather/checkvm normal Linux Gather Virtual Environment Detection
post/linux/gather/enum_cron normal Linux Cron Job Enumeration
post/linux/gather/enum_linux normal Linux Gather System Information
...snip...
author 关键字
使用author关键字进行搜索可让您按自己喜欢的作者搜索模块。
msf > search author:dookie
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/osx/http/evocam_webserver 2010-06-01 average MacOS X EvoCam HTTP GET Buffer Overflow
exploit/osx/misc/ufo_ai 2009-10-28 average UFO: Alien Invasion IRC Client Buffer Overflow Exploit
exploit/windows/browser/amaya_bdo 2009-01-28 normal Amaya Browser v11.0 bdo tag overflow
...snip...
多个关键字组合
您还可以将多个关键字组合在一起,以进一步缩小返回结果的范围。
msf > search cve:2011 author:jduck platform:linux
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/linux/misc/netsupport_manager_agent 2011-01-08 average NetSupport Manager Agent Remote Buffer Overflow
sessions 命令
sessions命令允许您列出生成的会话、与之交互和终止生成的会话。这些会话可以是 shell、Meterpreter 会话、VNC 等。
msf > sessions -h
Usage: sessions [options] or sessions [id]
Active session manipulation and interaction.
OPTIONS:
-C Run a Meterpreter Command on the session given with -i, or all
-K Terminate all sessions
-c Run a command on the session given with -i, or all
-h Help banner
-i Interact with the supplied session ID
-k Terminate sessions by session ID and/or range
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s Run a script on the session given with -i, or all
-t Set a response timeout (default: 15)
-u Upgrade a shell to a meterpreter session on many platforms
-v List sessions in verbose mode
-x Show extended information in the session table
Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
要列出任何活动会话,请将 -l 选项传递给sessions。
msf exploit(3proxy) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.1.101:33191 -> 192.168.1.104:4444
要与给定会话交互,您只需使用 -i 开关,后跟会话的 ID 号。
msf exploit(3proxy) > sessions -i 1
[*] Starting interaction with 1...
C:WINDOWSsystem32>
set 命令
set 命令允许您为正在使用的当前模块配置框架选项和参数。
msf auxiliary(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.194.134
RHOST => 172.16.194.134
msf auxiliary(ms09_050_smb2_negotiate_func_index) > show options
Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.194.134 yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait for the attack to complete.
Exploit target:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)
Metasploit还允许您设置在运行时使用的编码器。当您不太确定哪些有效负载编码方法适用于给定的漏洞利用时,这在漏洞利用开发中特别有用。
msf exploit(ms09_050_smb2_negotiate_func_index) > show encoders
Compatible Encoders
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/none normal The "none" Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
unset 命令
当然,与 set 命令相反的是unset。unset 将删除以前使用 set 配置的参数。您可以使用unset all删除所有分配的变量。
msf > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > set THREADS 50
THREADS => 50
msf > set
Global
======
Name Value
---- -----
RHOSTS 192.168.1.0/24
THREADS 50
msf > unset THREADS
Unsetting THREADS...
msf > unset all
Flushing datastore...
msf > set
Global
======
No entries in data store.
msf >
setg 命令
为了在渗透测试期间节省大量键入,可以在 msfconsole 中设置全局变量。您可以使用 setg 命令执行此操作。设置完这些内容后,您可以根据需要在任意数量的exploits和auxiliary模块中使用它们。您还可以保存它们,以便在下次启动 msfconsole 时使用。但是,问题是忘记了您已经保存了全局变量,因此在运行或利用之前,请始终检查您的选项。相反,可以使用 unsetg 命令取消设置全局变量。在下面的示例中,变量以全大写字母输入(即:LHOST),但Metasploit不区分大小写,因此没有必要这样做。
msf > setg LHOST 192.168.1.101
LHOST => 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > setg RHOST 192.168.1.136
RHOST => 192.168.1.136
设置不同的变量后,可以运行 save 命令来保存当前环境和设置。保存设置后,它们将在启动时自动加载,这使您不必再次设置所有内容。
msf > save
Saved configuration to: /root/.msf4/config
msf >
show 命令
在 msfconsole 提示符处输入 show 将显示 Metasploit 中的每个模块。
msf > show
Encoders
========
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
...snip...
您可以使用许多 show 命令,但最常用的命令是 show auxiliary、show exploits、show payloads、show encoders和 show nops。
auxiliary 模块
执行show auxiliary模块将显示 Metasploit 中所有可用辅助模块的列表。如前所述,辅助模块包括scanners扫描仪、denial of service modules拒绝服务模块、fuzzers模糊测试器等。
msf > show auxiliary
Auxiliary
=========
Name Disclosure Date Rank Description
---- --------------- ---- -----------
admin/2wire/xslt_password_reset 2007-08-15 normal 2Wire Cross-Site Request Forgery Password Reset Vulnerability
admin/backupexec/dump normal Veritas Backup Exec Windows Remote File Access
admin/backupexec/registry normal Veritas Backup Exec Server Registry Access
...snip...
exploits 模块
当然,show exploits将是您最感兴趣的命令,因为从本质上讲,Metasploit都是关于利用的。运行 show exploits 以获取框架中包含的所有漏洞利用的列表。
msf > show exploits
Exploits
========
Name Disclosure Date Rank Description
---- --------------- ---- -----------
aix/rpc_cmsd_opcode21 2009-10-07 great AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
aix/rpc_ttdbserverd_realpath 2009-06-17 great ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
bsdi/softcart/mercantec_softcart 2004-08-19 great Mercantec SoftCart CGI Overflow
...snip...
使用 MSFconsole Payloads
正在运行的show payloads将显示 Metasploit 中所有可用平台的所有不同有效负载。
msf > show payloads
Payloads
========
Name Disclosure Date Rank Description
---- --------------- ---- -----------
aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline
aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline
aix/ppc/shell_interact normal AIX execve shell for inetd
...snip...
payloads 模块
如您所见,有很多有效负载可用。幸运的是,当您处于特定漏洞的上下文中时,运行 show payloads将仅显示与该特定漏洞兼容的有效负载。例如,如果这是Windows漏洞,则不会向您显示Linux有效负载。
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
...snip...
options
如果选择了特定模块,则可以发出 show options 命令以显示该特定模块可用和/或需要的设置。
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
targets
如果您不确定操作系统是否容易受到特定攻击,请从exploits模块的上下文中运行 show targets 命令,以查看支持哪些目标。
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
10 Windows 2003 SP1 Japanese (NO NX)
11 Windows 2003 SP2 English (NO NX)
12 Windows 2003 SP2 English (NX)
...snip...
advanced
如果您希望进一步微调漏洞,可以通过运行 show advanced 来查看更高级的选项。
msf exploit(ms08_067_netapi) > show advanced
Module advanced options:
Name : CHOST
Current Setting:
Description : The local client address
Name : CPORT
Current Setting:
Description : The local client port
...snip...
encoders
正在运行的 show encoders将显示 MSF 中可用的编码器的列表。
msf > show encoders
Compatible Encoders
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/none normal The "none" Encoder
mipsbe/longxor normal XOR Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
nops
最后,发出 show nops 命令将显示 Metasploit 必须提供的 NOP 生成器。
msf > show nops
NOP Generators
==============
Name Disclosure Date Rank Description
---- --------------- ---- -----------
armle/simple normal Simple
mipsbe/better normal Better
php/generic normal PHP Nop Generator
ppc/simple normal Simple
sparc/random normal SPARC NOP Generator
tty/generic normal TTY Nop Generator
x64/simple normal Simple
x86/opty2 normal Opty2
x86/single_byte normal Single Byte
use 命令
当您决定使用特定模块时,发出 use 命令以选择它。use 命令会将您的上下文更改为特定模块,从而公开特定于类型的命令。请注意,在下面的输出中,之前设置的任何全局变量都已配置。
msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
msf auxiliary(ms09_001_write) >
在需要帮助的任何时候,都可以使用 msfconsole help命令来显示可用选项。
6914
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
