Part 4: Metasploit Fundamentals (2) MSFconsole (Metasploit Unleashed, Simplified Chinese edition: a Chinese translation of the official Metasploit documentation)
Translator's note 1: This article is a Chinese translation of Metasploit Unleashed. Original: https://www.offensive-security.com/metasploit-unleashed/
Translator's note 2: To reduce the translation workload, machine translation was used; the translator manually removed machine-translation errors and ambiguities, but small problems may remain, for which I ask the reader's understanding. If you find a problem with the translation, leave a comment below the article.
Translator's note 3: If you like this translation, please follow me and like the article; your support is the greatest encouragement for my work.
Translator's note 4: The other chapters are collected in the column; follow the column if you are interested in more.
IV. METASPLOIT FUNDAMENTALS
2. MSFconsole
a) What is MSFconsole?
MSFconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides an "all-in-one" centralized console and gives you efficient access to virtually every option available in MSF. MSFconsole may seem intimidating at first, but once you learn the syntax of the commands you will come to appreciate the power of this interface.
b) Benefits of Using MSFconsole
- It is the only supported way to access most of the features within Metasploit.
- Provides a console-based interface to the framework.
- Contains the most features and is the most stable MSF interface.
- Full readline support, tabbing, and command completion.
- External commands can be executed from within MSFconsole:
msf > ping -c 1 192.168.1.100
[*] exec: ping -c 1 192.168.1.100

PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=128 time=10.3 ms

--- 192.168.1.100 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.308/10.308/10.308/0.000 ms
msf >
c) Launching MSFconsole
MSFconsole is launched by running msfconsole from the command line. On Kali the executable is /usr/share/metasploit-framework/msfconsole.
The -q option starts msfconsole in quiet mode, which suppresses the startup banner.
root@kali:# msfconsole -q
msf >
d) How to Use the Command Prompt
You can pass -h to msfconsole to see the other usage options available to you.
root@kali:~# msfconsole -h
Usage: msfconsole [options]

Common options
    -E, --environment ENVIRONMENT    The Rails environment. Will use RAIL_ENV environment variable if that is set. Defaults to production if neither option not RAILS_ENV environment variable is set.

Database options
    -M, --migration-path DIRECTORY   Specify a directory containing additional DB migrations
    -n, --no-database                Disable database support
    -y, --yaml PATH                  Specify a YAML file containing database settings

Framework options
    -c FILE                          Load the specified configuration file
    -v, --version                    Show version

Module options
        --defer-module-loads         Defer module loading unless explicitly asked.
    -m, --module-path DIRECTORY      An additional module path

Console options:
    -a, --ask                        Ask before exiting Metasploit or accept 'exit -y'
    -d, --defanged                   Execute the console as defanged
    -L, --real-readline              Use the system Readline library instead of RbReadline
    -o, --output FILE                Output to the specified file
    -p, --plugin PLUGIN              Load a plugin on startup
    -q, --quiet                      Do not print the banner on startup
    -r, --resource FILE              Execute the specified resource file (- for stdin)
    -x, --execute-command COMMAND    Execute the specified string as console commands (use ; for multiples)
    -h, --help                       Show this message
Entering help or ? at the msf command prompt displays a list of the available commands along with a description of what each one is used for.
msf > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    edit          Edit the current module with $VISUAL or $EDITOR
    exit          Exit the console
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    info          Displays information about one or more modules
    irb           Drop into irb scripting mode
    jobs          Displays and manages jobs
    kill          Kill a job
    load          Load a framework plugin
    loadpath      Searches for and loads modules from a path
    makerc        Save commands entered since start to a file
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    quit          Exit the console
    reload_all    Reloads all modules from all defined module paths
    rename_job    Rename a job
    resource      Run the commands stored in a file
    route         Route traffic through a session
    save          Saves the active datastores
    search        Searches module names and descriptions
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    show          Displays modules of a given type, or all modules
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    use           Selects a module by name
    version       Show the framework and console library version numbers


Database Backend Commands
=========================

    Command           Description
    -------           -----------
    creds             List all credentials in the database
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache
    db_status         Show the current database status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces
e) Tab Completion
MSFconsole is designed to be fast to use, and one of the features that helps toward this goal is tab completion. With the wide array of modules available, it can be difficult to remember the exact name and path of the particular module you want to use. As with most other shells, typing what you know and pressing Tab presents a list of the available options, or auto-completes the string if there is only one option. Tab completion depends on the Ruby readline extension, and nearly every command in the console supports it. Examples of partial input that Tab will complete:
- use exploit/windows/dce
- use .netapi.
- set RHOST
- show
- set TARGET
- set PAYLOAD windows/shell/
- exp
msf > use exploit/windows/smb/ms
use exploit/windows/smb/ms03_049_netapi
use exploit/windows/smb/ms04_007_killbill
use exploit/windows/smb/ms04_011_lsass
use exploit/windows/smb/ms04_031_netdde
use exploit/windows/smb/ms05_039_pnp
use exploit/windows/smb/ms06_025_rasmans_reg
use exploit/windows/smb/ms06_025_rras
use exploit/windows/smb/ms06_040_netapi
use exploit/windows/smb/ms06_066_nwapi
use exploit/windows/smb/ms06_066_nwwks
use exploit/windows/smb/ms06_070_wkssvc
use exploit/windows/smb/ms07_029_msdns_zonename
use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
use exploit/windows/smb/ms10_046_shortcut_icon_dllloader
use exploit/windows/smb/ms10_061_spoolss
use exploit/windows/smb/ms15_020_shortcut_icon_dllloader
msf > use exploit/windows/smb/ms08_067_netapi
MSFconsole is the most commonly used interface to Metasploit. Familiarizing yourself with these msfconsole commands will help you throughout this course and give you a strong foundation for working with Metasploit.
f) MSFconsole Commands
MSFconsole has many different command options to choose from. The following is a core set of Metasploit commands with their output.
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
go_pro Launch Metasploit web GUI
grep Grep the output of another command
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
rename_job Rename a job
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers
The back Command
Once you have finished working with a particular module, or if you have inadvertently selected the wrong module, you can issue the back command to move out of the current context. This is not required, however: just as in commercial routers, you can switch directly from one module to another. As a reminder, variables only carry over between modules if they were set globally.
msf auxiliary(ms09_001_write) > back
msf >
The banner Command
Simply displays a randomly selected banner.
msf > banner

    [ASCII-art banner]

Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.11.4-2015071402                   ]
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]
The check Command
Not many exploits support it, but there is also a check option that tests whether a target is vulnerable to a particular exploit instead of actually exploiting it. Note that check still sends traffic to the target service; it is non-exploiting, not invisible.
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    172.16.194.134   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) > check

[*] Verifying vulnerable status... (path: 0x0000005a)
[*] System is not vulnerable (status: 0x00000000)
[*] The target is not exploitable.
msf exploit(ms08_067_netapi) >
The color Command
You can enable or disable colored output in msfconsole.
msf > color
Usage: color <'true'|'false'|'auto'>

Enable or disable color output.
The connect Command
There is a miniature Netcat clone built into msfconsole that supports SSL, proxies, pivoting, and file transfers. By issuing the connect command with an IP address and port number, you can connect to a remote host from within msfconsole just as you would with Netcat or Telnet.
msf > connect 192.168.1.1 23
[*] Connected to 192.168.1.1:23
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
DD-WRT login:
You can see all the additional options by passing the -h parameter.
msf > connect -h
Usage: connect [options] <host> <port>

Communicate with a host, similar to interacting via netcat, taking advantage of
any configured session pivoting.

OPTIONS:

    -C        Try to use CRLF for EOL sequence.
    -P <opt>  Specify source port.
    -S <opt>  Specify source address.
    -c <opt>  Specify which Comm to use.
    -h        Help banner.
    -i <opt>  Send the contents of a file.
    -p <opt>  List of proxies to use.
    -s        Connect with SSL.
    -u        Switch to a UDP socket.
    -w <opt>  Specify connect timeout.
    -z        Just try to connect, then return.

msf >
The edit Command
The edit command opens the current module with $VISUAL or $EDITOR. By default this opens the module in Vim.
msf exploit(ms10_061_spoolss) > edit
[*] Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/windows_error'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  def initialize(info = {})
The exit Command
The exit command simply exits msfconsole.
msf exploit(ms10_061_spoolss) > exit
root@kali:~#
The grep Command
The grep command is similar to Linux grep. It matches a given pattern against the output of another msfconsole command. The following is an example of using grep to match output containing the string "http" from a search for modules containing the string "oracle".
msf > grep
Usage: grep [options] pattern cmd

Grep the results of a console command (similar to Linux grep command)

OPTIONS:

    -A <opt>  Show arg lines of output After a match.
    -B <opt>  Show arg lines of output Before a match.
    -c        Only print a count of matching lines.
    -h        Help banner.
    -i        Ignore case.
    -k <opt>  Keep (include) arg lines at start of output.
    -m <opt>  Stop after arg matches.
    -s <opt>  Skip arg lines of output before attempting match.
    -v        Invert match.

msf >
msf > grep http search oracle
   auxiliary/scanner/http/oracle_demantra_database_credentials_leak  2014-02-28  normal     Oracle Demantra Database Credentials Leak
   auxiliary/scanner/http/oracle_demantra_file_retrieval             2014-02-28  normal     Oracle Demantra Arbitrary File Retrieval with Authentication Bypass
   auxiliary/scanner/http/oracle_ilom_login                                      normal     Oracle ILO Manager Login Brute Force Utility
   exploit/multi/http/glassfish_deployer                             2011-08-04  excellent  Sun/Oracle GlassFish Server Authenticated Code Execution
   exploit/multi/http/oracle_ats_file_upload                         2016-01-20  excellent  Oracle ATS Arbitrary File Upload
   exploit/multi/http/oracle_reports_rce                             2014-01-15  great      Oracle Forms and Reports Remote Code Execution
   exploit/windows/http/apache_chunked                               2002-06-19  good       Apache Win32 Chunked Encoding
   exploit/windows/http/bea_weblogic_post_bof                        2008-07-17  great      Oracle Weblogic Apache Connector POST Request Buffer Overflow
   exploit/windows/http/oracle9i_xdb_pass                            2003-08-18  great      Oracle 9i XDB HTTP PASS Overflow (win32)
   exploit/windows/http/oracle_beehive_evaluation                    2010-06-09  excellent  Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability
   exploit/windows/http/oracle_beehive_prepareaudiotoplay            2015-11-10  excellent  Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload
   exploit/windows/http/oracle_btm_writetofile                       2012-08-07  excellent  Oracle Business Transaction Management FlashTunnelService Remote Code Execution
   exploit/windows/http/oracle_endeca_exec                           2013-07-16  excellent  Oracle Endeca Server Remote Command Execution
   exploit/windows/http/oracle_event_processing_upload               2014-04-21  excellent  Oracle Event Processing FileUploadServlet Arbitrary File Upload
   exploit/windows/http/osb_uname_jlist                              2010-07-13  excellent  Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
The help Command
The help command gives you a list of all available commands with a short description of each.
msf > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
...snip...

Database Backend Commands
=========================

    Command        Description
    -------        -----------
    db_connect     Connect to an existing database
    db_disconnect  Disconnect from the current database instance
    db_export      Export a file containing the contents of the database
    db_import      Import a scan result file (filetype will be auto-detected)
...snip...
The info Command
The info command provides detailed information about a particular module, including all of its options, targets, and other details. Be sure to always read a module's description before using it, as some modules can have undesirable effects.
The info command also provides the following information:
- Author and licensing information
- Vulnerability references (i.e. CVE, BID, etc.)
- Any payload restrictions the module may have
msf exploit(ms09_050_smb2_negotiate_func_index) > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index

       Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
     Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
    Version: 14774
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good

Provided by:
  Laurent Gaffie <laurent.gaffie@gmail.com>
  hdm <hdm@metasploit.com>
  sf <stephen_fewer@harmonysecurity.com>

Available targets:
  Id  Name
  --  ----
  0   Windows Vista SP1/SP2 and Server 2008 (x86)

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  445              yes       The target port
  WAIT   180              yes       The number of seconds to wait for the attack to complete.

Payload information:
  Space: 1024

Description:
  This module exploits an out of bounds function table dereference in
  the SMB request validation code of the SRV2.SYS driver included with
  Windows Vista, Windows 7 release candidates (not RTM), and Windows
  2008 Server prior to R2. Windows Vista without SP1 does not seem
  affected by this flaw.

References:
  http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
  http://www.securityfocus.com/bid/36299
  http://www.osvdb.org/57799
  http://seclists.org/fulldisclosure/2009/Sep/0039.html
  http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx

msf exploit(ms09_050_smb2_negotiate_func_index) >
The irb Command
Running the irb command drops you into a live Ruby interpreter shell where you can issue commands and create Metasploit scripts on the fly. This feature is also very useful for understanding the internals of the framework.
msf > irb
[*] Starting IRB shell...

>> puts "Hello, metasploit!"
Hello, metasploit!
=> nil
>> Framework::Version
=> "4.8.2-2014022601"
The jobs Command
Jobs are modules that are running in the background. The jobs command lets you list and terminate these jobs.
msf > jobs -h
Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:

    -K        Terminate all running jobs.
    -h        Help banner.
    -i <opt>  Lists detailed information about a running job.
    -k <opt>  Terminate the specified job name.
    -l        List all running jobs.
    -v        Print more detailed info.  Use with -i and -l

msf >
The kill Command
The kill command terminates any running job when given the job ID.
msf exploit(ms10_002_aurora) > kill 0
Stopping job: 0...

[*] Server stopped.
The load Command
The load command loads a plugin from Metasploit's plugin directory. Arguments are passed on the command line as key=val pairs.
msf > load
Usage: load <path> [var=val var=val ...]

Loads a plugin from the supplied path.  If path is not absolute, first looks
in the user's plugin directory (/root/.msf4/plugins) then
in the framework root plugin directory (/usr/share/metasploit-framework/plugins).

The optional var=val options are custom parameters that can be passed to plugins.

msf > load pcap_log
[*] PcapLog plugin loaded.
[*] Successfully loaded plugin: pcap_log
The loadpath Command
The loadpath command loads a third-party module tree from the given path, so you can point Metasploit at your own 0-day exploits, encoders, payloads, etc.
msf > loadpath /home/secret/modules

Loaded 0 modules.
The unload Command
Conversely, the unload command unloads a previously loaded plugin and removes any extended commands it added.
msf > unload pcap_log
Unloading plugin pcap_log...unloaded.
The resource Command
The resource command runs resource (batch) files that can be loaded through msfconsole.
msf > resource
Usage: resource path1 [path2 ...]

Run the commands stored in the supplied files.  Resource files may also contain
ruby code between <ruby></ruby> tags.

See also: makerc
Some attacks, such as Karmetasploit, use resource files to run a set of commands from a karma.rc file to set up the attack. Later we will discuss how this can be very useful outside of Karmetasploit as well.
msf > resource karma.rc
[*] Processing karma.rc for ERB directives.
resource (karma.rc_.txt)> db_connect postgres:toor@127.0.0.1/msfbook
resource (karma.rc_.txt)> use auxiliary/server/browser_autopwn
...snip...
Batch files can greatly speed up testing and development and let users automate many tasks. Besides loading a batch file from within msfconsole, you can also pass one at startup with the -r flag. The simple example below creates a batch file that displays the Metasploit version number at startup.
root@kali:~# echo version > version.rc
root@kali:~# msfconsole -r version.rc

    [ASCII-art banner]

Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.8.2-2014021901 [core:4.8 api:1.0] ]
+ -- --=[ 1265 exploits - 695 auxiliary - 202 post ]
+ -- --=[ 330 payloads - 32 encoders - 8 nops ]

[*] Processing version.rc for ERB directives.
resource (version.rc)> version
Framework: 4.8.2-2014022601
Console  : 4.8.2-2014022601.15168
msf >
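Resource files are plain lists of console commands, and as the "Processing version.rc for ERB directives" line above shows, msfconsole runs them through ERB first. The following Ruby script is an added example, not code from Metasploit Unleashed or from the framework: it renders a scan resource file from a few engagement parameters so the commands can be reviewed before they are handed to msfconsole -q -r. The console commands it emits (spool, route add, setg, use, set, run) and the module auxiliary/scanner/mysql/mysql_version all appear on this page; the subnet, session id, thread count and log path are constructed inputs.

```ruby
#!/usr/bin/env ruby
# Added example, not part of Metasploit Unleashed: generate a resource file for
# `msfconsole -q -r scan.rc` from a few engagement parameters.
# The console commands emitted (spool, route add, setg, use, set, run) and the
# module auxiliary/scanner/mysql/mysql_version are the ones shown on this page;
# the subnet, session id, thread count and log path are constructed inputs.
require 'erb'

# ERB template for the resource file. Tags ending in -%> swallow their
# trailing newline (trim mode), so the optional route line leaves no blank
# line behind when no pivot session is given. msfconsole evaluates ERB in
# resource files itself, but rendering here lets us inspect the commands
# before anything runs against a target.
TEMPLATE = <<~'ERB'
  # generated resource file - review before running
  spool <%= log %>
  <% if pivot_sid -%>
  route add <%= rhosts %> <%= pivot_sid %>
  <% end -%>
  setg RHOSTS <%= rhosts %>
  use auxiliary/scanner/mysql/mysql_version
  set THREADS <%= threads %>
  run
  spool off
ERB

# Render the template and return the resource file as a string.
#   rhosts:    target range (CIDR) written into RHOSTS and the route
#   threads:   scanner concurrency (THREADS)
#   pivot_sid: session id to route the range through, or nil for a direct scan
#   log:       path passed to `spool`
def render_rc(rhosts:, threads:, pivot_sid: nil, log: '/root/.msf4/logs/scan.log')
  ERB.new(TEMPLATE, trim_mode: '-').result(binding)
end

# Write the rendered file with owner-only permissions: it names targets.
def write_rc(path, **opts)
  File.open(path, 'w', 0o600) { |f| f.write(render_rc(**opts)) }
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed engagement: scan 192.168.1.0/24 through session 1.
  puts render_rc(rhosts: '192.168.1.0/24', threads: 10, pivot_sid: 1)
end
```

Feed the result to msfconsole with -r, or with -x for a one-off, and keep the spool log with the engagement notes; the route line is only meaningful once a session with that id exists, so generate the file after the pivot session is established.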
The route Command
The route command in Metasploit lets you route sockets through sessions or "comms", providing basic pivoting capability. To add a route, pass the target subnet and network mask followed by the session (comm) number.
meterpreter > route -h
Route traffic destined to a given subnet through a supplied session.

Usage:
  route [add/remove] subnet netmask [comm/sid]
  route [add/remove] cidr [comm/sid]
  route [get]
  route [flush]
  route [print]

Subcommands:
  add - make a new route
  remove - delete a route; 'del' is an alias
  flush - remove all routes
  get - display the route for a given target
  print - show all active routes

Examples:
  Add a route for all hosts from 192.168.0.0 to 192.168.0.0 through session 1
    route add 192.168.0.0 255.255.255.0 1
    route add 192.168.0.0/24 1

  Delete the above route
    route remove 192.168.0.0/24 1
    route del 192.168.0.0 255.255.255.0 1

  Display the route that would be used for the given host or network
    route get 192.168.0.11

meterpreter >
meterpreter > route

Network routes
==============

    Subnet           Netmask          Gateway
    ------           -------          -------
    0.0.0.0          0.0.0.0          172.16.1.254
    127.0.0.0        255.0.0.0        127.0.0.1
    172.16.1.0       255.255.255.0    172.16.1.100
    172.16.1.100     255.255.255.255  127.0.0.1
    172.16.255.255   255.255.255.255  172.16.1.100
    224.0.0.0        240.0.0.0        172.16.1.100
    255.255.255.255  255.255.255.255  172.16.1.100
search 命令
msfconsole 包括一个广泛的基于正则表达式的搜索功能。如果您对要查找的内容有大致了解,则可以通过search
进行搜索。在下面的输出中,正在搜索 MS 公告 MS09-011。搜索函数将在模块名称、描述、引用等中找到此字符串。
请注意,Metasploit 模块的命名约定使用下划线而不是连字符。
msf > search usermap_script

Matching Modules
================

   Name                                Disclosure Date  Rank       Description
   ----                                ---------------  ----       -----------
   exploit/multi/samba/usermap_script  2007-05-14       excellent  Samba "username map script" Command Execution

msf >
help search
You can further refine your searches by using the built-in keyword system.
msf > help search
Usage: search [keywords]

Keywords:
  app      :  Modules that are client or server attacks
  author   :  Modules written by this author
  bid      :  Modules with a matching Bugtraq ID
  cve      :  Modules with a matching CVE ID
  edb      :  Modules with a matching Exploit-DB ID
  name     :  Modules with a matching descriptive name
  platform :  Modules affecting this platform
  ref      :  Modules with a matching ref
  type     :  Modules of a specific type (exploit, auxiliary, or post)

Examples:
  search cve:2009 type:exploit app:client

msf >
The name keyword
To search by descriptive name, use the name keyword.
msf > search name:mysql

Matching Modules
================

   Name                                               Disclosure Date  Rank       Description
   ----                                               ---------------  ----       -----------
   auxiliary/admin/mysql/mysql_enum                                    normal     MySQL Enumeration Module
   auxiliary/admin/mysql/mysql_sql                                     normal     MySQL SQL Generic Query
   auxiliary/analyze/jtr_mysql_fast                                    normal     John the Ripper MySQL Password Cracker (Fast Mode)
   auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal     MySQL Authentication Bypass Password Dump
   auxiliary/scanner/mysql/mysql_hashdump                              normal     MYSQL Password Hashdump
   auxiliary/scanner/mysql/mysql_login                                 normal     MySQL Login Utility
   auxiliary/scanner/mysql/mysql_schemadump                            normal     MYSQL Schema Dump
   auxiliary/scanner/mysql/mysql_version                               normal     MySQL Server Version Enumeration
   exploit/linux/mysql/mysql_yassl_getname            2010-01-25       good       MySQL yaSSL CertDecoder::GetName Buffer Overflow
   exploit/linux/mysql/mysql_yassl_hello              2008-01-04       good       MySQL yaSSL SSL Hello Message Buffer Overflow
   exploit/windows/mysql/mysql_payload                2009-01-16       excellent  Oracle MySQL for Microsoft Windows Payload Execution
   exploit/windows/mysql/mysql_yassl_hello            2008-01-04       average    MySQL yaSSL SSL Hello Message Buffer Overflow

msf >
The platform keyword
You can use platform to narrow your search to modules that affect a specific platform.
msf > search platform:aix

Matching Modules
================

   Name                              Disclosure Date  Rank    Description
   ----                              ---------------  ----    -----------
   payload/aix/ppc/shell_bind_tcp                     normal  AIX Command Shell, Bind TCP Inline
   payload/aix/ppc/shell_find_port                    normal  AIX Command Shell, Find Port Inline
   payload/aix/ppc/shell_interact                     normal  AIX execve shell for inetd
...snip...
The type keyword
Using type lets you filter by module type (auxiliary, post, exploit, etc.).
msf > search type:post

Matching Modules
================

   Name                      Disclosure Date  Rank    Description
   ----                      ---------------  ----    -----------
   post/linux/gather/checkvm                  normal  Linux Gather Virtual Environment Detection
   post/linux/gather/enum_cron                normal  Linux Cron Job Enumeration
   post/linux/gather/enum_linux               normal  Linux Gather System Information
...snip...
The author keyword
Searching with the author keyword lets you look up modules by your favourite author.
msf > search author:dookie

Matching Modules
================

   Name                               Disclosure Date  Rank     Description
   ----                               ---------------  ----     -----------
   exploit/osx/http/evocam_webserver  2010-06-01       average  MacOS X EvoCam HTTP GET Buffer Overflow
   exploit/osx/misc/ufo_ai            2009-10-28       average  UFO: Alien Invasion IRC Client Buffer Overflow Exploit
   exploit/windows/browser/amaya_bdo  2009-01-28       normal   Amaya Browser v11.0 bdo tag overflow
...snip...
Combining multiple keywords
You can also combine several keywords to narrow the returned results further.
msf > search cve:2011 author:jduck platform:linux

Matching Modules
================

   Name                                         Disclosure Date  Rank     Description
   ----                                         ---------------  ----     -----------
   exploit/linux/misc/netsupport_manager_agent  2011-01-08       average  NetSupport Manager Agent Remote Buffer Overflow
The sessions Command
The sessions command lets you list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNC, etc.
msf > sessions -h
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:

    -C <opt>  Run a Meterpreter Command on the session given with -i, or all
    -K        Terminate all sessions
    -c <opt>  Run a command on the session given with -i, or all
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List sessions in verbose mode
    -x        Show extended information in the session table

Many options allow specifying session ranges using commas and dashes.
For example:
  sessions -s checkvm -i 1,3-5
  sessions -k 1-2,5,6
To list any active sessions, pass the -l option to sessions.
msf exploit(3proxy) > sessions -l

Active sessions
===============

  Id  Description    Tunnel
  --  -----------    ------
  1   Command shell  192.168.1.101:33191 -> 192.168.1.104:4444
To interact with a given session, use the -i switch followed by the session's ID number.
msf exploit(3proxy) > sessions -i 1
[*] Starting interaction with 1...

C:\WINDOWS\system32>
The set Command
The set command lets you configure framework options and parameters for the module you are currently working with.
msf auxiliary(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.194.134
RHOST => 172.16.194.134
msf auxiliary(ms09_050_smb2_negotiate_func_index) > show options

Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  172.16.194.134   yes       The target address
   RPORT  445              yes       The target port
   WAIT   180              yes       The number of seconds to wait for the attack to complete.


Exploit target:

   Id  Name
   --  ----
   0   Windows Vista SP1/SP2 and Server 2008 (x86)
Metasploit also lets you set an encoder to use at run time. This is particularly useful in exploit development when you are not yet certain which payload encoding methods will work with a given exploit.
msf exploit(ms09_050_smb2_negotiate_func_index) > show encoders

Compatible Encoders
===================

   Name                    Disclosure Date  Rank       Description
   ----                    ---------------  ----       -----------
   generic/none                             normal     The "none" Encoder
   x86/alpha_mixed                          low        Alpha2 Alphanumeric Mixedcase Encoder
   x86/alpha_upper                          low        Alpha2 Alphanumeric Uppercase Encoder
   x86/avoid_utf8_tolower                   manual     Avoid UTF8/tolower
   x86/call4_dword_xor                      normal     Call+4 Dword XOR Encoder
   x86/context_cpuid                        manual     CPUID-based Context Keyed Payload Encoder
   x86/context_stat                         manual     stat(2)-based Context Keyed Payload Encoder
   x86/context_time                         manual     time(2)-based Context Keyed Payload Encoder
   x86/countdown                            normal     Single-byte XOR Countdown Encoder
   x86/fnstenv_mov                          normal     Variable-length Fnstenv/mov Dword XOR Encoder
   x86/jmp_call_additive                    normal     Jump/Call XOR Additive Feedback Encoder
   x86/nonalpha                             low        Non-Alpha Encoder
   x86/nonupper                             low        Non-Upper Encoder
   x86/shikata_ga_nai                       excellent  Polymorphic XOR Additive Feedback Encoder
   x86/single_static_bit                    manual     Single Static Bit
   x86/unicode_mixed                        manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
   x86/unicode_upper                        manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
The unset Command
The opposite of the set command is, of course, unset. unset removes a parameter previously configured with set. You can remove all assigned variables with unset all.
msf > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > set THREADS 50
THREADS => 50
msf > set

Global
======

  Name     Value
  ----     -----
  RHOSTS   192.168.1.0/24
  THREADS  50

msf > unset THREADS
Unsetting THREADS...
msf > unset all
Flushing datastore...
msf > set

Global
======

No entries in data store.

msf >
The setg Command
To save a lot of typing during a pentest, you can set global variables within msfconsole with the setg command. Once set, you can use them in as many exploits and auxiliary modules as you like. You can also save them for use the next time you start msfconsole. The pitfall is forgetting that you saved global variables, so always check your options before you run or exploit: a stale RHOSTS or LHOST that silently reloads at startup can aim a module at a host from a previous engagement, outside the current scope. Conversely, the unsetg command unsets a global variable. In the examples below, variables are entered in all-caps (i.e. LHOST), but Metasploit is case-insensitive so this is not necessary.
msf > setg LHOST 192.168.1.101
LHOST => 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > setg RHOST 192.168.1.136
RHOST => 192.168.1.136
After setting your various variables, you can run the save command to save your current environment and settings. Saved settings are loaded automatically at startup, which spares you from setting everything again.
msf > save
Saved configuration to: /root/.msf4/config
msf >
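Since saved globals reload silently, it is worth knowing what is in /root/.msf4/config before the next engagement. The following Ruby script is an added example, not code from Metasploit Unleashed or from the framework: it parses the config file and reports the saved globals that point at hosts or ports. It assumes the file is INI-style with the global datastore under a [framework/core] section as KEY=value lines (that layout is an assumption, not something this page documents), and SAMPLE_CONFIG is a constructed example mirroring the setg/save sequence above.

```ruby
#!/usr/bin/env ruby
# Added example, not from the original page: audit the globals that `save`
# wrote to ~/.msf4/config before a new engagement, so a stale RHOSTS/LHOST
# from last time does not reload silently.
# Assumption: the file is INI-style and the global datastore lives in a
# [framework/core] section as KEY=value lines (layout assumed, not taken
# from this page). SAMPLE_CONFIG is a constructed example of that layout.

# Constructed sample mirroring the setg / save sequence shown above.
SAMPLE_CONFIG = <<~INI
  [framework/core]
  LHOST=192.168.1.101
  RHOSTS=192.168.1.0/24
  RHOST=192.168.1.136

  [framework/ui/console]
  ActiveModule=exploit/windows/smb/ms08_067_netapi
INI

# Keys whose stale values aim traffic at a host or port: these are the ones
# worth flagging before any module is run.
TARGET_KEYS = %w[RHOST RHOSTS LHOST LPORT].freeze

# Minimal INI parser: returns { section => { key => value } }.
# Blank lines and #/; comments are skipped; keys outside any section are ignored.
def parse_ini(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

# All saved globals (empty hash when nothing was saved).
def saved_globals(text)
  parse_ini(text).fetch('framework/core', {})
end

# The subset of saved globals that point at hosts or ports (case-insensitive,
# since msfconsole itself does not distinguish LHOST from lhost).
def stale_target_globals(text)
  saved_globals(text).select { |k, _| TARGET_KEYS.include?(k.upcase) }
end

if __FILE__ == $PROGRAM_NAME
  path = File.expand_path('~/.msf4/config')
  text = File.exist?(path) ? File.read(path) : SAMPLE_CONFIG
  stale = stale_target_globals(text)
  if stale.empty?
    puts 'no saved target globals'
  else
    puts 'saved globals that will reload at next start (unsetg or edit before use):'
    stale.each { |k, v| puts "  #{k} = #{v}" }
  end
end
```

Run it from the shell before launching msfconsole, or compare its output with what `setg` prints after startup; anything it lists that does not belong to the current scope should be cleared with unsetg and the config saved again.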
The show Command
Entering show at the msfconsole prompt displays every module in Metasploit.
msf > show

Encoders
========

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/generic_sh                      good    Generic Shell Variable Substitution Command Encoder
   cmd/ifs                             low     Generic ${IFS} Substitution Command Encoder
   cmd/printf_php_mq                   manual  printf(1) via PHP magic_quotes Utility Command Encoder
...snip...
There are a number of show commands you can use, but the ones you will use most often are show auxiliary, show exploits, show payloads, show encoders, and show nops.
auxiliary
Executing show auxiliary displays a list of all the auxiliary modules available in Metasploit. As mentioned earlier, auxiliary modules include scanners, denial of service modules, fuzzers, and more.
msf > show auxiliary

Auxiliary
=========

   Name                             Disclosure Date  Rank    Description
   ----                             ---------------  ----    -----------
   admin/2wire/xslt_password_reset  2007-08-15       normal  2Wire Cross-Site Request Forgery Password Reset Vulnerability
   admin/backupexec/dump                             normal  Veritas Backup Exec Windows Remote File Access
   admin/backupexec/registry                         normal  Veritas Backup Exec Server Registry Access
...snip...
exploits
Naturally, show exploits is the command you will be most interested in, since at its core Metasploit is all about exploitation. Run show exploits to get a list of all the exploits contained in the framework.
msf > show exploits

Exploits
========

   Name                              Disclosure Date  Rank   Description
   ----                              ---------------  ----   -----------
   aix/rpc_cmsd_opcode21             2009-10-07       great  AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
   aix/rpc_ttdbserverd_realpath      2009-06-17       great  ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
   bsdi/softcart/mercantec_softcart  2004-08-19       great  Mercantec SoftCart CGI Overflow
...snip...
payloads
Running show payloads displays all the different payloads for all platforms available in Metasploit.
msf > show payloads

Payloads
========

   Name                      Disclosure Date  Rank    Description
   ----                      ---------------  ----    -----------
   aix/ppc/shell_bind_tcp                     normal  AIX Command Shell, Bind TCP Inline
   aix/ppc/shell_find_port                    normal  AIX Command Shell, Find Port Inline
   aix/ppc/shell_interact                     normal  AIX execve shell for inetd
...snip...
payloads (within a module context)
As you can see, there are a lot of payloads available. Fortunately, when you are in the context of a particular exploit, running show payloads only displays the payloads that are compatible with that exploit. For instance, if it is a Windows exploit, you will not be shown the Linux payloads.
msf exploit(ms08_067_netapi) > show payloads

Compatible Payloads
===================

   Name                    Disclosure Date  Rank    Description
   ----                    ---------------  ----    -----------
   generic/custom                           normal  Custom Payload
   generic/debug_trap                       normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                   normal  Generic Command Shell, Bind TCP Inline
...snip...
options
If you have selected a specific module, you can issue the show options command to display which settings are available and/or required for that module.
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
targets
If you are not sure whether an operating system is vulnerable to a particular exploit, run the show targets command from within the context of an exploit module to see which targets are supported.
msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   10  Windows 2003 SP1 Japanese (NO NX)
   11  Windows 2003 SP2 English (NO NX)
   12  Windows 2003 SP2 English (NX)
...snip...
advanced
If you wish to fine-tune an exploit further, you can see more advanced options by running show advanced.
msf exploit(ms08_067_netapi) > show advanced

Module advanced options:

   Name           : CHOST
   Current Setting:
   Description    : The local client address

   Name           : CPORT
   Current Setting:
   Description    : The local client port
...snip...
encoders
Running show encoders displays a list of the encoders available in MSF.
msf > show encoders

Compatible Encoders
===================

   Name                    Disclosure Date  Rank       Description
   ----                    ---------------  ----       -----------
   cmd/generic_sh                           good       Generic Shell Variable Substitution Command Encoder
   cmd/ifs                                  low        Generic ${IFS} Substitution Command Encoder
   cmd/printf_php_mq                        manual     printf(1) via PHP magic_quotes Utility Command Encoder
   generic/none                             normal     The "none" Encoder
   mipsbe/longxor                           normal     XOR Encoder
   mipsle/longxor                           normal     XOR Encoder
   php/base64                               great      PHP Base64 encoder
   ppc/longxor                              normal     PPC LongXOR Encoder
   ppc/longxor_tag                          normal     PPC LongXOR Encoder
   sparc/longxor_tag                        normal     SPARC DWORD XOR Encoder
   x64/xor                                  normal     XOR Encoder
   x86/alpha_mixed                          low        Alpha2 Alphanumeric Mixedcase Encoder
   x86/alpha_upper                          low        Alpha2 Alphanumeric Uppercase Encoder
   x86/avoid_utf8_tolower                   manual     Avoid UTF8/tolower
   x86/call4_dword_xor                      normal     Call+4 Dword XOR Encoder
   x86/context_cpuid                        manual     CPUID-based Context Keyed Payload Encoder
   x86/context_stat                         manual     stat(2)-based Context Keyed Payload Encoder
   x86/context_time                         manual     time(2)-based Context Keyed Payload Encoder
   x86/countdown                            normal     Single-byte XOR Countdown Encoder
   x86/fnstenv_mov                          normal     Variable-length Fnstenv/mov Dword XOR Encoder
   x86/jmp_call_additive                    normal     Jump/Call XOR Additive Feedback Encoder
   x86/nonalpha                             low        Non-Alpha Encoder
   x86/nonupper                             low        Non-Upper Encoder
   x86/shikata_ga_nai                       excellent  Polymorphic XOR Additive Feedback Encoder
   x86/single_static_bit                    manual     Single Static Bit
   x86/unicode_mixed                        manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
   x86/unicode_upper                        manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
nops
Finally, issuing the show nops command displays the NOP generators that Metasploit has to offer.
msf > show nops

NOP Generators
==============

   Name             Disclosure Date  Rank    Description
   ----             ---------------  ----    -----------
   armle/simple                      normal  Simple
   mipsbe/better                     normal  Better
   php/generic                       normal  PHP Nop Generator
   ppc/simple                        normal  Simple
   sparc/random                      normal  SPARC NOP Generator
   tty/generic                       normal  TTY Nop Generator
   x64/simple                        normal  Simple
   x86/opty2                         normal  Opty2
   x86/single_byte                   normal  Single Byte
The use Command
When you have decided on a particular module to use, issue the use command to select it. The use command changes your context to that module, exposing type-specific commands. If a global variable such as RHOST had been set earlier with setg, it would already be populated in the options shown below.
msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port

msf auxiliary(ms09_001_write) >
Whenever you need help, use the msfconsole help command to display the available options.