Metasploit operation and intranet Pivot graphic tutorial

Table of contents

1. Introduction to metasploit

2. Basic use

3. Use encoders

4. Pivot technology


1. Introduction to metasploit

Metasploit is an open-source vulnerability detection framework that integrates a wealth of penetration testing tools and is popular among security professionals. Official website: www.metasploit.com
This tutorial describes the basic usage of Metasploit and specific application techniques in the form of illustrations.

2. Basic use

1. Startup interface

2. Find specific modules: within Metasploit, you can use the search command to search for specific modules

3. Use a specific module:

4. View available payloads: you can view the available payloads, encoders, and more detailed setting parameters through the show command

5. Choose to use a specific payload:

6. To sum up, the basic method of using Metasploit is:
use exploit_path_name
set the required parameters
set payload payload_name and its parameters
exploit

3. Use encoders

In an environment with protective equipment such as an IDS, common overflow code is easily detected, which exposes the attack. Fortunately, Metasploit provides a series of encoders: the payload in use can be dynamically encoded in real time in order to evade detection.
1. View available encoders:

2. Use the encoder in conjunction with the attack module:

4. Take msfpayload as an example: generate an executable file in PE format from the meterpreter payload:

5. From the help information we can see that msfpayload can generate RAW output, so we can pipe the generated code into msfencode to encode it and evade AV detection. First look at the help information of msfencode:

6. Example of generating an encoded executable file by combining msfpayload with msfencode:

4. Pivot technology

We often run into the following situation: after a lot of hard work we gain control of a host, but our target host sits in another intranet segment, and it happens that the controlled host straddles the two segments. What should we do? Everyone will think of using this host as a stepping stone to continue the penetration test. If we do not want to install extra software on that host, Metasploit becomes the preferred choice. Metasploit has the portfwd and route commands built in, and together with the socks4a module it makes intranet penetration straightforward. Let's take a look at these modules dedicated to pivoting. Assume you have already obtained a meterpreter shell.
1. First, the demo environment:
Attacker[10.10.100.18] ---> compromised server[10.10.100.8] ---> target server[192.168.3.129]
The attacker cannot directly access the target server, but the controlled host 10.10.100.8 can.
Portfwd: through portfwd, you can listen on a port of the local machine and forward its data to a specific port of a target IP in the intranet. In this example, we forward local port 808 to port 80 of the target host.

2. Then access port 808 of the local machine to reach port 80 of the target host:

3. Route: route the traffic for a specific subnet through the specified session.

4. meterpreter > route add 192.168.3.0 255.255.255.0 session_ID
After this, we can use regular commands inside msfconsole to access the intranet 192.168.3.0/24.
Socks4a: socks4a lets us provide the SOCKS function without uploading any file to the target host (the code runs in the target's memory), thereby realizing a proxy.
5. Under Linux it is generally used together with proxychains. Just add a socks4 proxy entry to the proxychains configuration file and set its port to the value of SRVPORT. Once everything is configured, proxychains can proxy arbitrary programs (nmap, Nessus, ssh, telnet, vncviewer, ...).
6. Use Nessus to scan intranet hosts:
After setting up the route and starting socks4a, scanning the intranet becomes very simple. First start the Nessus background service through proxychains: #proxychains Nessus-service -D
Loading the plugins when the service starts may be a little slow, so wait patiently. Once the service is up, open https://127.0.0.1:8834 on the local machine in a browser to start the scanning routine. I won't go into the details here; please refer to the basic scanning teaching plan.
With Wireshark we can see that all scan data for 192.168.3.139 is forwarded through 10.10.100.8. Work done. The only drawback is that a Nessus scan started through the proxy is very slow, so a carefully streamlined scan policy is required to reduce the amount of scanned data.
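The Wireshark observation above is also what a defender can key on: every scan flow into the 192.168.3.0/24 segment originates from the single pivot host 10.10.100.8, which fans out to many internal hosts and ports. The following is an added example (not part of the original post) that applies that fan-out check to constructed flow records; the addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src, dst, dst_port) imitating what the capture in
# the walkthrough shows: one host relaying a scan into 192.168.3.0/24.
FLOWS = [
    ("10.10.100.18", "10.10.100.8", 4444),   # attacker -> compromised host
    ("10.10.100.8", "192.168.3.139", 80),
    ("10.10.100.8", "192.168.3.139", 22),
    ("10.10.100.8", "192.168.3.139", 445),
    ("10.10.100.8", "192.168.3.140", 80),
    ("10.10.100.8", "192.168.3.141", 80),
    ("10.10.100.8", "192.168.3.142", 3389),
    ("10.10.100.9", "192.168.3.139", 80),    # ordinary user reaching one host
]

# Segment whose only legitimate clients are expected to be few and predictable.
INTERNAL = ip_network("192.168.3.0/24")


def pivot_candidates(flows, net=INTERNAL, min_hosts=3, min_ports=3):
    """Return sources whose fan-out into `net` looks like a relayed scan.

    Flows are grouped by source; distinct destinations and destination ports
    inside `net` are counted, and a source is flagged when either count meets
    its threshold. Result: {src: (distinct_hosts, distinct_ports)}.
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport in flows:
        if ip_address(dst) in net:
            hosts[src].add(dst)
            ports[src].add(dport)
    return {
        src: (len(hosts[src]), len(ports[src]))
        for src in hosts
        if len(hosts[src]) >= min_hosts or len(ports[src]) >= min_ports
    }


if __name__ == "__main__":
    for src, (h, p) in pivot_candidates(FLOWS).items():
        print(f"{src}: {h} internal hosts, {p} distinct ports (possible pivot)")
```

On real data the same grouping runs over NetFlow or firewall logs from the boundary between the two segments; a host outside the segment that suddenly touches many internal addresses is the pivot signature to investigate.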


Origin blog.csdn.net/xiongIT/article/details/128173432