Metasploit Basics

Msfconsole

Msfconsole Commands

The MSFconsole has many different command options to choose from. Based on their help output, the following is the core set of Metasploit commands.

back          Move back from the current context
banner        Display an awesome metasploit banner
cd            Change the current working directory
color         Toggle color
connect       Communicate with a host
edit          Edit the current module with $VISUAL or $EDITOR
exit          Exit the console
get           Gets the value of a context-specific variable
getg          Gets the value of a global variable
go_pro        Launch Metasploit web GUI
grep          Grep the output of another command
help          Help menu
info          Displays information about one or more module
irb           Drop into irb scripting mode
jobs          Displays and manages jobs
kill          Kill a job
load          Load a framework plugin
loadpath      Searches for and loads modules from a path
makerc        Save commands entered since start to a file
popm          Pops the latest module off the stack and makes it active
previous      Sets the previously loaded module as the current module
pushm         Pushes the active or list of modules onto the module stack
quit          Exit the console
reload_all    Reloads all modules from all defined module paths
rename_job    Rename a job
resource      Run the commands stored in a file
route         Route traffic through a session
save          Saves the active datastores
search        Searches module names and descriptions
sessions      Dump session listings and display information about sessions
set           Sets a context-specific variable to a value
setg          Sets a global variable to a value
show          Displays modules of a given type, or all modules
sleep         Do nothing for the specified number of seconds
spool         Write console output into a file as well the screen
threads       View and manipulate background threads
unload        Unload a framework plugin
unset         Unsets one or more context-specific variables
unsetg        Unsets one or more global variables
use           Selects a module by name
version       Show the framework and console library version numbers

back

Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the back command to move out of the current context. This, however, is not required. Just as you can in commercial routers, you can switch modules from within other modules. Note that variables will only carry over if they are set globally.

msf auxiliary(ms09_001_write) > back
msf >

banner

Simply displays a randomly selected banner.

msf > banner

[banner ASCII art]

Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.11.4-2015071402                  ]
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]

check

There aren't many exploits that support it, but there is also a check option that will check whether a target is vulnerable to a particular exploit instead of actually exploiting it.

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    172.16.194.134   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > check
[*] Verifying vulnerable status... (path: 0x0000005a)
[*] System is not vulnerable (status: 0x00000000)
[*] The target is not exploitable.
msf  exploit(ms08_067_netapi) >

color

You can enable or disable whether the output you get through msfconsole contains colors.

msf > color
Usage: color <'true'|'false'|'auto'>

Enable or disable color output.

connect

There is a miniature Netcat clone built into msfconsole that supports SSL, proxies, pivoting, and file transfers. By issuing the connect command with an IP address and port number, you can connect to a remote host from within msfconsole the same as you would with Netcat or Telnet.

msf > connect 192.168.1.1 23
[*] Connected to 192.168.1.1:23
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
DD-WRT login:

You can see all the additional options by issuing the -h parameter.

msf > connect -h
Usage: connect [options] <host> <port>

Communicate with a host, similar to interacting via netcat, taking advantage of
any configured session pivoting.

OPTIONS:

    -C        Try to use CRLF for EOL sequence.
    -P <opt>  Specify source port.
    -S <opt>  Specify source address.
    -c <opt>  Specify which Comm to use.
    -h        Help banner.
    -i <opt>  Send the contents of a file.
    -p <opt>  List of proxies to use.
    -s        Connect with SSL.
    -u        Switch to a UDP socket.
    -w <opt>  Specify connect timeout.
    -z        Just try to connect, then return.

msf >

edit

The edit command will edit the current module with $VISUAL or $EDITOR. By default, this will open the current module in Vim.

msf exploit(ms10_061_spoolss) > edit
[*] Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/windows_error'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  def initialize(info = {})

exit
exit will simply exit msfconsole.

grep
The grep command is similar to Linux grep. It matches a given pattern from the output of another msfconsole command. The following is an example of using grep to match output containing the string "http" from a search for modules containing the string "oracle".

msf > grep
Usage: grep [options] pattern cmd

Grep the results of a console command (similar to Linux grep command)

OPTIONS:

    -A <opt>  Show arg lines of output After a match.
    -B <opt>  Show arg lines of output Before a match.
    -c        Only print a count of matching lines.
    -h        Help banner.
    -i        Ignore case.
    -k <opt>  Keep (include) arg lines at start of output.
    -m <opt>  Stop after arg matches.
    -s <opt>  Skip arg lines of output before attempting match.
    -v        Invert match.

msf >
msf > grep http search oracle
   auxiliary/scanner/http/oracle_demantra_database_credentials_leak      2014-02-28       normal     Oracle Demantra Database Credentials Leak
   auxiliary/scanner/http/oracle_demantra_file_retrieval                 2014-02-28       normal     Oracle Demantra Arbitrary File Retrieval with Authentication Bypass
   auxiliary/scanner/http/oracle_ilom_login                                               normal     Oracle ILO Manager Login Brute Force Utility
   exploit/multi/http/glassfish_deployer                                 2011-08-04       excellent  Sun/Oracle GlassFish Server Authenticated Code Execution
   exploit/multi/http/oracle_ats_file_upload                             2016-01-20       excellent  Oracle ATS Arbitrary File Upload
   exploit/multi/http/oracle_reports_rce                                 2014-01-15       great      Oracle Forms and Reports Remote Code Execution
   exploit/windows/http/apache_chunked                                   2002-06-19       good       Apache Win32 Chunked Encoding
   exploit/windows/http/bea_weblogic_post_bof                            2008-07-17       great      Oracle Weblogic Apache Connector POST Request Buffer Overflow
   exploit/windows/http/oracle9i_xdb_pass                                2003-08-18       great      Oracle 9i XDB HTTP PASS Overflow (win32)
   exploit/windows/http/oracle_beehive_evaluation                        2010-06-09       excellent  Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability
   exploit/windows/http/oracle_beehive_prepareaudiotoplay                2015-11-10       excellent  Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload
   exploit/windows/http/oracle_btm_writetofile                           2012-08-07       excellent  Oracle Business Transaction Management FlashTunnelService Remote Code Execution
   exploit/windows/http/oracle_endeca_exec                               2013-07-16       excellent  Oracle Endeca Server Remote Command Execution
   exploit/windows/http/oracle_event_processing_upload                   2014-04-21       excellent  Oracle Event Processing FileUploadServlet Arbitrary File Upload
   exploit/windows/http/osb_uname_jlist                                  2010-07-13       excellent  Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
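As an added example (this is not code from the page or from Metasploit itself), the following Ruby re-implements the option semantics of the grep command listed above and runs them over a constructed excerpt shaped like `search oracle` output, so the effect of -A, -B, -c, -i, -k, -m, -s and -v can be checked offline. The function name msf_grep and its keyword arguments are my own; the sample module lines are copied in the shape of the page's output.

```ruby
# Added example: illustrative re-implementation of msfconsole `grep` option
# handling, not Metasploit's own code. It filters the captured text that
# another console command printed.

# Constructed excerpt in the shape of `search oracle` output (the real
# command prints more columns and many more modules).
SEARCH_OUTPUT = <<~OUT
  Matching Modules
  ================
  auxiliary/admin/oracle/oracle_login            normal     Oracle RDBMS Login Utility
  auxiliary/scanner/http/oracle_ilom_login       normal     Oracle ILO Manager Login Brute Force Utility
  exploit/multi/http/glassfish_deployer          excellent  Sun/Oracle GlassFish Server Authenticated Code Execution
  exploit/windows/http/oracle9i_xdb_pass         great      Oracle 9i XDB HTTP PASS Overflow (win32)
  exploit/windows/oracle/tns_arguments           good       Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow
OUT

# Filter `output` by `pattern`. Options mirror the help text:
# after/before (-A/-B), count (-c), ignore_case (-i), keep (-k),
# max (-m), skip (-s), invert (-v).
def msf_grep(output, pattern, after: 0, before: 0, count: false, ignore_case: false,
             keep: 0, max: nil, skip: 0, invert: false)
  lines = output.lines.map(&:chomp)
  re    = Regexp.new(pattern, ignore_case ? Regexp::IGNORECASE : 0)

  # -k: the first `keep` lines (typically table headers) are emitted verbatim
  # and are not themselves matched; -s: skip `skip` further lines first.
  head = lines.first(keep)
  body = lines.drop(keep + skip)

  selected = []
  matches  = 0
  body.each_with_index do |line, i|
    hit = !(line =~ re).nil?
    hit = !hit if invert
    next unless hit
    matches += 1
    from = [i - before, 0].max                # -B context
    to   = [i + after, body.size - 1].min     # -A context
    selected.concat((from..to).to_a)
    break if max && matches >= max            # -m: stop after `max` matches
  end

  return matches if count                     # -c: only the count
  head + selected.uniq.sort.map { |i| body[i] }
end
```

Because msfconsole's grep is applied to the text another command printed, the same pattern also filters the output of `show options`, `sessions -l` or `jobs -l`; -k is what keeps the column headers of those tables readable.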

help
The help command will give you a list and a short description of all available commands.

msf > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
...snip...

Database Backend Commands
=========================

    Command           Description
    -------           -----------
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
...snip...

info

The info command will provide detailed information about a particular module, including all options, targets, and other information. Be sure to always read the module description before using it, as some modules may have undesired effects.

The info command also provides the following information:
- Author and licensing information
- Vulnerability references (CVE, BID, etc.)
- Any payload restrictions the module may have

msf  exploit(ms09_050_smb2_negotiate_func_index) > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index

       Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
     Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
    Version: 14774
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good

Provided by:
  Laurent Gaffie
  hdm
  sf

Available targets:
  Id  Name
  --  ----
  0   Windows Vista SP1/SP2 and Server 2008 (x86)

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  445              yes       The target port
  WAIT   180              yes       The number of seconds to wait for the attack to complete.

Payload information:
  Space: 1024

Description:
  This module exploits an out of bounds function table dereference in
  the SMB request validation code of the SRV2.SYS driver included with
  Windows Vista, Windows 7 release candidates (not RTM), and Windows
  2008 Server prior to R2. Windows Vista without SP1 does not seem
  affected by this flaw.

References:
  http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
  http://www.securityfocus.com/bid/36299
  http://www.osvdb.org/57799
  http://seclists.org/fulldisclosure/2009/Sep/0039.html
  http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx

msf  exploit(ms09_050_smb2_negotiate_func_index) >

irb
Running the irb command will drop you into a live Ruby interpreter shell where you can issue commands and create Metasploit scripts on the fly. This feature is also very useful for understanding the internals of the Framework.

jobs
Jobs are modules that are running in the background. The jobs command provides the ability to list and terminate these jobs.

msf > jobs -h
Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:

    -K        Terminate all running jobs.
    -h        Help banner.
    -i <opt>  Lists detailed information about a running job.
    -k <opt>  Terminate the specified job name.
    -l        List all running jobs.
    -v        Print more detailed info.  Use with -i and -l

msf >

kill
The kill command will kill any running job whose job id matches the one supplied.

msf exploit(ms10_002_aurora) > kill 0
Stopping job: 0...

[*] Server stopped.

load

The load command loads a plugin from Metasploit's plugin directory. Arguments are passed as key=val on the shell.

msf > load
Usage: load <path> [var=val var=val ...]

Loads a plugin from the supplied path.  If path is not absolute, first looks
in the user's plugin directory (/root/.msf4/plugins) then
in the framework root plugin directory (/usr/share/metasploit-framework/plugins).
The optional var=val options are custom parameters that can be passed to plugins.

msf > load pcap_log
[*] PcapLog plugin loaded.
[*] Successfully loaded plugin: pcap_log

loadpath

The loadpath command will load a third-party module tree so that you can point Metasploit at your own 0-day exploits, encoders, payloads, etc.

msf > loadpath /home/secret/modules

Loaded 0 modules.

unload
Conversely, the unload command unloads a previously loaded plugin and removes any extended commands.

msf > unload pcap_log
Unloading plugin pcap_log...unloaded.

resource

The resource command runs resource (batch) files that can be loaded through msfconsole.

msf > resource
Usage: resource path1 [path2 ...]

Run the commands stored in the supplied files.  Resource files may also contain
ruby code between <ruby></ruby> tags.

See also: makerc

Some attacks, such as Karmetasploit, use resource files to run a set of commands in a karma.rc file to create an attack. Later, we will discuss how this can be used effectively outside of Karmetasploit.

msf > resource karma.rc
[*] Processing karma.rc for ERB directives.
resource (karma.rc_.txt)> db_connect postgres:toor@127.0.0.1/msfbook
resource (karma.rc_.txt)> use auxiliary/server/browser_autopwn
...snip...

Batch files can greatly speed up testing and development times as well as allow the user to automate many tasks. Besides loading a batch file from within msfconsole, they can also be passed at startup using the -r flag. The simple example below creates a batch file to display the Metasploit version number at startup.

root@kali:~# echo version > version.rc
root@kali:~# msfconsole -r version.rc

[banner ASCII art]

Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.8.2-2014021901 [core:4.8 api:1.0] ]
+ -- --=[ 1265 exploits - 695 auxiliary - 202 post ]
+ -- --=[ 330 payloads - 32 encoders - 8 nops      ]

[*] Processing version.rc for ERB directives.
resource (version.rc)> version
Framework: 4.8.2-2014022601
Console  : 4.8.2-2014022601.15168
msf >
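The two stages visible in the output above ("Processing ... for ERB directives", then each line echoed as "resource (file)> command") can be modelled in a few lines of Ruby. The following is an added example and not Metasploit's own driver code: the RcProcessor class is mine, the resource file is constructed, and the run_single call inside the ruby block stands in for the console method of that name (here it only records the command instead of executing it).

```ruby
require 'erb'

# Added example, not Metasploit's own code: a minimal model of how msfconsole
# consumes a resource file. Pass 1 expands ERB directives; pass 2 dispatches
# each remaining line as a console command, except that everything between
# <ruby> and </ruby> is collected and evaluated as Ruby instead.

# Constructed resource file. The ERB directive reads a range from the
# environment with a fallback; the <ruby> block calls back into the console.
SAMPLE_RC = <<~RC
  # lines starting with '#' are comments and are ignored
  setg RHOSTS <%= ENV.fetch('LAB_RANGE', '10.0.0.0/24') %>
  use auxiliary/scanner/portscan/tcp
  <ruby>
    run_single("set PORTS 22,80,443")
  </ruby>
  run
RC

class RcProcessor
  attr_reader :commands, :ruby_blocks

  def initialize
    @commands    = []   # console commands in dispatch order
    @ruby_blocks = []   # raw source of every <ruby> block seen
  end

  # Stand-in for the console's run_single: records instead of executing.
  def run_single(cmd)
    @commands << cmd
  end

  def process(text)
    expanded = ERB.new(text).result(binding)   # pass 1: ERB directives
    in_ruby  = false
    buf      = +""
    expanded.each_line do |raw|                # pass 2: line dispatch
      line = raw.strip
      if in_ruby
        if line == "</ruby>"
          @ruby_blocks << buf.dup
          instance_eval(buf)                   # block code may call run_single
          buf.clear
          in_ruby = false
        else
          buf << raw
        end
      elsif line == "<ruby>"
        in_ruby = true
      elsif line.empty? || line.start_with?("#")
        next
      else
        run_single(line)
      end
    end
    @commands
  end
end

# Convenience wrapper: returns the dispatched command list for a file body.
def process_rc(text)
  RcProcessor.new.process(text)
end
```

Two practical consequences follow from the model: ERB runs before any command is seen, so a resource file can adapt to its environment, and a `<ruby>` block runs with the full privileges of the console process, so a `.rc` file obtained from elsewhere should be read as code before it is passed to `resource` or `msfconsole -r`. `makerc` produces a file in exactly this format from the commands typed in the current session.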

route

The route command in Metasploit allows you to route sockets through a session or "comm", providing basic pivoting capabilities. To add a route, you pass the target subnet and network mask followed by the session (comm) number.

meterpreter > route -h
Route traffic destined to a given subnet through a supplied session.

Usage:
  route [add/remove] subnet netmask [comm/sid]
  route [add/remove] cidr [comm/sid]
  route [get] <address>
  route [flush]
  route [print]

Subcommands:
  add - make a new route
  remove - delete a route; 'del' is an alias
  flush - remove all routes
  get - display the route for a given target
  print - show all active routes

Examples:
  Add a route for all hosts from 192.168.0.0 to 192.168.0.0 through session 1
    route add 192.168.0.0 255.255.255.0 1
    route add 192.168.0.0/24 1

  Delete the above route
    route remove 192.168.0.0/24 1
    route del 192.168.0.0 255.255.255.0 1

  Display the route that would be used for the given host or network
    route get 192.168.0.11

meterpreter >
meterpreter > route

Network routes
==============

    Subnet           Netmask          Gateway
    ------           -------          -------
    0.0.0.0          0.0.0.0          172.16.1.254
    127.0.0.0        255.0.0.0        127.0.0.1
    172.16.1.0       255.255.255.0    172.16.1.100
    172.16.1.100     255.255.255.255  127.0.0.1
    172.16.255.255   255.255.255.255  172.16.1.100
    224.0.0.0        240.0.0.0        172.16.1.100
    255.255.255.255  255.255.255.255  172.16.1.100
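To make the add/remove/get/flush/print subcommands concrete, here is an added Ruby model of the route table (my own code, not Metasploit's Rex switchboard). It accepts both argument forms from the help text (subnet netmask session, or cidr session) and answers `route get` with the most specific matching route; that longest-prefix rule is my modelling assumption for how a pivoted socket is steered when several routes overlap.

```ruby
require 'ipaddr'

# Added example, not Metasploit's own code: a small model of the msfconsole
# route table behind `route add/remove/get/flush/print`.
Route = Struct.new(:network, :session) do
  def prefix_len
    network.prefix              # IPAddr#prefix: mask length in bits
  end

  # Dotted netmask for `print`, derived from the prefix length.
  def netmask
    bits = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    IPAddr.new(bits, Socket::AF_INET).to_s
  end
end

class RouteTable
  attr_reader :routes

  def initialize
    @routes = []
  end

  # route add 192.168.0.0 255.255.255.0 1   or   route add 192.168.0.0/24 1
  def add(*args)
    network, session = parse(args)
    @routes << Route.new(network, session) unless find(network, session)
    self
  end

  # route remove ...  ('del' is an alias, as in the console)
  def remove(*args)
    network, session = parse(args)
    @routes.delete_if { |r| same?(r.network, network) && r.session == session }
    self
  end
  alias del remove

  def flush
    @routes.clear
    self
  end

  # route get <address>: the most specific route covering the host, or nil
  # when no route applies (the socket would then go out directly).
  def get(host)
    ip = IPAddr.new(host)
    @routes.select { |r| r.network.include?(ip) }.max_by(&:prefix_len)
  end

  # route print: rows in the Subnet / Netmask / Gateway layout shown above.
  def print
    @routes.map { |r| format("%-16s %-16s %s", r.network.to_s, r.netmask, r.session) }
  end

  private

  def find(network, session)
    @routes.find { |r| same?(r.network, network) && r.session == session }
  end

  # IPAddr#== compares only the (masked) address, so compare the mask too.
  def same?(a, b)
    a.to_s == b.to_s && a.prefix == b.prefix
  end

  def parse(args)
    case args.size
    when 2
      cidr, session = args
      [IPAddr.new(cidr), Integer(session)]
    when 3
      subnet, netmask, session = args
      [IPAddr.new("#{subnet}/#{netmask}"), Integer(session)]
    else
      raise ArgumentError, "usage: subnet netmask session | cidr session"
    end
  end
end
```

The deduplication in `add` is why adding the same network in both syntaxes leaves one entry, and the `same?` helper exists because IPAddr's own equality ignores the mask, which would otherwise make a /16 and a /24 on the same base address collide.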
search

msfconsole includes an extensive regular-expression based search functionality. If you have a general idea of what you are looking for, you can search for it via search. In the output below, a search is being made for MS Bulletin MS09-011. The search function will locate this string within the module names, descriptions, references, etc. Note that the naming convention for Metasploit modules uses underscores rather than hyphens.
msf > search usermap_script

Matching Modules
================

   Name                                Disclosure Date  Rank       Description
   ----                                ---------------  ----       -----------
   exploit/multi/samba/usermap_script  2007-05-14       excellent  Samba "username map script" Command Execution

msf >

help
You can further refine your searches by using the built-in keyword system.

msf > help search
Usage: search [keywords]

Keywords:
  app       :  Modules that are client or server attacks
  author    :  Modules written by this author
  bid       :  Modules with a matching Bugtraq ID
  cve       :  Modules with a matching CVE ID
  edb       :  Modules with a matching Exploit-DB ID
  name      :  Modules with a matching descriptive name
  platform  :  Modules affecting this platform
  ref       :  Modules with a matching ref
  type      :  Modules of a specific type (exploit, auxiliary, or post)

Examples:
  search cve:2009 type:exploit app:client

msf >

name
To search using a descriptive name, use the name keyword.

msf > search name:mysql

Matching Modules
================

   Name                                               Disclosure Date  Rank       Description
   ----                                               ---------------  ----       -----------
   auxiliary/admin/mysql/mysql_enum                                    normal     MySQL Enumeration Module
   auxiliary/admin/mysql/mysql_sql                                     normal     MySQL SQL Generic Query
   auxiliary/analyze/jtr_mysql_fast                                    normal     John the Ripper MySQL Password Cracker (Fast Mode)
   auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal     MySQL Authentication Bypass Password Dump
   auxiliary/scanner/mysql/mysql_hashdump                              normal     MYSQL Password Hashdump
   auxiliary/scanner/mysql/mysql_login                                 normal     MySQL Login Utility
   auxiliary/scanner/mysql/mysql_schemadump                            normal     MYSQL Schema Dump
   auxiliary/scanner/mysql/mysql_version                               normal     MySQL Server Version Enumeration
   exploit/linux/mysql/mysql_yassl_getname            2010-01-25       good       MySQL yaSSL CertDecoder::GetName Buffer Overflow
   exploit/linux/mysql/mysql_yassl_hello              2008-01-04       good       MySQL yaSSL SSL Hello Message Buffer Overflow
   exploit/windows/mysql/mysql_payload                2009-01-16       excellent  Oracle MySQL for Microsoft Windows Payload Execution
   exploit/windows/mysql/mysql_yassl_hello            2008-01-04       average    MySQL yaSSL SSL Hello Message Buffer Overflow
msf >

platform

You can use platform to narrow down your search to modules that affect a specific platform.

type

Using type lets you filter by module type such as auxiliary, post, exploit, etc.

msf > search type:post

Matching Modules
================

   Name                                                Disclosure Date  Rank    Description
   ----                                                ---------------  ----    -----------
   post/linux/gather/checkvm                                            normal  Linux Gather Virtual Environment Detection
   post/linux/gather/enum_cron                                          normal  Linux Cron Job Enumeration
   post/linux/gather/enum_linux                                         normal  Linux Gather System Information
...snip...

author

Searching with the author keyword lets you search for modules written by one of your favorite authors.

msf > search author:dookie

Matching Modules
================

   Name                                                       Disclosure Date  Rank     Description
   ----                                                       ---------------  ----     -----------
   exploit/osx/http/evocam_webserver                          2010-06-01       average  MacOS X EvoCam HTTP GET Buffer Overflow
   exploit/osx/misc/ufo_ai                                    2009-10-28       average  UFO: Alien Invasion IRC Client Buffer Overflow Exploit
   exploit/windows/browser/amaya_bdo                          2009-01-28       normal   Amaya Browser v11.0 bdo tag overflow
...snip...

To be continued...
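The keyword system described in the search section (name, type, platform, author, cve and the rest) can be illustrated with an added Ruby example; this is my own code, not Metasploit's search implementation. It runs `search`-style queries such as `type:post`, `name:mysql` or `cve:2009 type:exploit` over a small constructed catalogue whose names and descriptions come from the output on this page, while the author, platform and reference fields are filled in for illustration only. Free-text terms (no colon) are matched against name, description and references, as the page describes; each keyword term restricts a single field.

```ruby
# Added example, not Metasploit's own search code: a keyword filter in the
# style of `search type:post name:mysql`, run over a constructed catalogue.

# Constructed catalogue. Names/descriptions are copied from the page's search
# output; author/platform/cve/bid values are illustrative, not authoritative.
MODULES = [
  { name: "exploit/multi/samba/usermap_script", type: "exploit", platform: "unix",
    author: ["jduck"], cve: ["2007-2447"],
    description: 'Samba "username map script" Command Execution' },
  { name: "exploit/windows/smb/ms09_050_smb2_negotiate_func_index", type: "exploit",
    platform: "windows", author: ["Laurent Gaffie", "hdm", "sf"], cve: ["2009-3103"],
    bid: ["36299"], description: "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference" },
  { name: "exploit/osx/http/evocam_webserver", type: "exploit", platform: "osx",
    author: ["dookie"], description: "MacOS X EvoCam HTTP GET Buffer Overflow" },
  { name: "auxiliary/scanner/mysql/mysql_login", type: "auxiliary", platform: "multi",
    author: ["example_author"], description: "MySQL Login Utility" },
  { name: "auxiliary/scanner/mysql/mysql_version", type: "auxiliary", platform: "multi",
    author: ["example_author"], description: "MySQL Server Version Enumeration" },
  { name: "post/linux/gather/enum_cron", type: "post", platform: "linux",
    author: ["example_author"], description: "Linux Cron Job Enumeration" },
].freeze

# Keywords listed by `help search` on the page.
KEYWORDS = %w[app author bid cve edb name platform ref type].freeze

# Split a query into keyword terms ([key, value] pairs) and free-text words.
# A token with an unknown key, or an empty value, is treated as free text.
def parse_search(query)
  terms = { kw: [], text: [] }
  query.split.each do |tok|
    key, val = tok.split(":", 2)
    if val && !val.empty? && KEYWORDS.include?(key)
      terms[:kw] << [key.to_sym, val]
    else
      terms[:text] << tok
    end
  end
  terms
end

# A keyword term matches when any value of that field contains the search
# value, case-insensitively (so cve:2009 matches 2009-3103).
def keyword_match?(mod, key, val)
  Array(mod[key]).any? { |v| v.to_s.downcase.include?(val.downcase) }
end

# Free text is matched against name, description and the reference fields.
def text_match?(mod, word)
  haystack = [mod[:name], mod[:description], *Array(mod[:cve]),
              *Array(mod[:bid]), *Array(mod[:ref])].join(" ").downcase
  haystack.include?(word.downcase)
end

# Names of catalogue entries matching every term in the query (AND semantics).
def search_modules(catalogue, query)
  t = parse_search(query)
  catalogue
    .select { |mod| t[:kw].all? { |key, val| keyword_match?(mod, key, val) } &&
                    t[:text].all? { |word| text_match?(mod, word) } }
    .map { |mod| mod[:name] }
end
```

Every term narrows the result set, which is why `search cve:2009 type:exploit` in the page's example returns fewer modules than either keyword alone; a bare word such as `usermap_script` still works because it is matched as free text against the module name.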
