Architecture
- Rex:
  - The basic library of routines used for everyday tasks, so that modules do not have to re-implement them by hand.
  - Handles socket connections and access, protocol responses, and encoding/transformation.
- Msf::Core
  - Provides the core Metasploit API; this is the library in which the framework's core capabilities are implemented.
- Msf::Base
  - Builds on Msf::Core and provides simplified wrapper routines and utility classes for working with the core library.
- Plugins
  - Extend the framework with functionality that is not a module (loaded into the console with the load command).
Module directory
root@lqh:/opt/metasploit-framework/embedded/framework/modules# ls
auxiliary encoders evasion exploits nops payloads post
- auxiliary: auxiliary modules (scanning, enumeration, fuzzing, and similar supporting tasks)
- encoders: payload encoders
- evasion: evasion modules, intended to evade IPS/IDS and antivirus detection
- exploits: exploit modules
- nops: NOP generators, used to pad payloads with NOP sleds and make exploitation more reliable
- payloads: the programs or code that run on the target after a successful exploit
- post: post-exploitation modules
Modules
- Exploits: the action of attacking a system through a vulnerability; each module corresponds to the attack method for one specific vulnerability (active or passive).
- Payload: the code or instructions that actually run on the target system once the exploit succeeds.
  - shellcode: one kind of payload, raw machine code that, for example, spawns a bind (forward) or reverse shell to execute commands.
  - singles: all-in-one, self-contained payloads that need no further stage.
  - stagers: small payloads used when the space available to the exploit is limited; they establish a connection back to the handler and fetch the rest.
  - stages: the larger payload components downloaded over the connection the stager established.
- Auxiliary: modules that perform information gathering, enumeration, fingerprinting, scanning, and other supporting tasks.
- Encoders: transform the payload, mainly to avoid bad characters (null bytes, for example) that would break the exploit; historically also used to try to evade antivirus signatures, although modern AV engines mostly see through this.
- Nops: NOP generators; produce NOP sleds that pad the payload and make exploitation more reliable.
- Evasion: modules for evading IPS/IDS and antivirus detection.
- Post: post-exploitation modules, run on an already compromised host through an existing session.
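To make the stager/stage split concrete, here is an added Ruby illustration written for this page (not code from the Metasploit project) of the handshake a reverse TCP stager performs: the stager connects back to the handler, reads a 4-byte little-endian length, then reads exactly that many bytes of stage. It is a simplified model of the length-prefixed scheme the classic reverse_tcp stagers use; the stage bytes, addresses and port are constructed for the demo, a real stage would be machine code such as Meterpreter, and a real stager is a few hundred bytes of assembly rather than Ruby. A single payload, by contrast, is the whole thing in one buffer: no second transfer, but a larger footprint inside the exploit.

```ruby
require 'socket'

# Constructed stand-in for a stage. A real stage would be position-independent
# machine code (Meterpreter, a shell, ...); this one is inert bytes.
DEMO_STAGE = ("DEMO-STAGE:" + "\x90" * 64).b

# Handler side (the listener the framework starts before the exploit fires):
# accept the stager's connect-back, then send the stage prefixed with its
# length as a 4-byte little-endian integer ('V' in pack terms).
def serve_stage(server, stage)
  conn = server.accept
  conn.write([stage.bytesize].pack('V'))
  conn.write(stage)
  conn.close
end

# Stager side: the only logic a stager needs. Connect back, read the length,
# then read exactly that many bytes before handing control to the stage.
# Looping until the count is reached matters: TCP may deliver the stage in
# several segments, and a truncated stage would crash the target process.
def run_stager(host, port)
  sock = TCPSocket.new(host, port)
  header = sock.read(4)
  raise 'no length header from handler' unless header && header.bytesize == 4
  len = header.unpack1('V')
  stage = ''.b
  while stage.bytesize < len
    chunk = sock.read(len - stage.bytesize)
    break if chunk.nil? || chunk.empty?
    stage << chunk
  end
  sock.close
  raise "short stage: got #{stage.bytesize} of #{len} bytes" unless stage.bytesize == len
  stage # a real stager would jump into this buffer here
end

# Wire both halves together over loopback; returns what the stager received.
def staged_delivery(stage = DEMO_STAGE)
  server = TCPServer.new('127.0.0.1', 0) # port 0: let the OS pick a free port
  port = server.addr[1]
  handler = Thread.new { serve_stage(server, stage) }
  received = run_stager('127.0.0.1', port)
  handler.join
  server.close
  received
end

if __FILE__ == $0
  got = staged_delivery
  puts "stager pulled a #{got.bytesize}-byte stage (intact: #{got == DEMO_STAGE})"
end
```

The second call in the test pushes a stage much larger than a single TCP segment through the same loop, which is the case the read loop exists for.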
Basic usage
Start the msf console with msfconsole
root@lqh:/home/lqh# msfconsole
[-] *** Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
| // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ |
| // \\ | ********************* |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l___ | / _||__ \ |
| | PAYLOAD |""\___, | / (_||_ \ |
| |________________|__|)__| | | __||_) | |
| |(@)(@)"""**|(@)(@)**|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+
=[ metasploit v5.0.74-dev- ]
+ -- --=[ 1967 exploits - 1088 auxiliary - 338 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 >
External system commands can also be run from inside the msf console. Use help or ? to get the help menu, and help <command> to get help for a specific command:
msf5 > help advanced
Usage: advanced [mod1 mod2 ...]
Queries the supplied module or modules for advanced options. If no module is given,
show advanced options for the currently active module.
Core commands
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
history Show command history
load Load a framework plugin
quit Exit the console
repeat Repeat a list of commands
route Route traffic through a session
save Saves the active datastores
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
version Show the framework and console library version numbers
Module commands
Command Description
------- -----------
advanced Displays advanced options for one or more modules
back Move back from the current context
clearm Clear the module stack
info Displays information about one or more modules
listm List the module stack
loadpath Searches for and loads modules from a path
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
reload_all Reloads all modules from all defined module paths
search Searches module names and descriptions
show Displays modules of a given type, or all modules
use Interact with a module by name or search term/index
msf5 > search -h
Usage: search [<options>] [<keywords>]
If no options or keywords are provided, cached results are displayed.
OPTIONS:
-h Show this help information
-o <file> Send output to a file in csv format
-S <string> Search string for row filter
-u Use module if there is one result
Keywords:
aka : Modules with a matching AKA (also-known-as) name
author : Modules written by this author
arch : Modules affecting this architecture
bid : Modules with a matching Bugtraq ID
cve : Modules with a matching CVE ID
edb : Modules with a matching Exploit-DB ID
check : Modules that support the 'check' method
date : Modules with a matching disclosure date
description : Modules with a matching description
fullname : Modules with a matching full name
mod_time : Modules with a matching modification date
name : Modules with a matching descriptive name
path : Modules with a matching path
platform : Modules affecting this platform
port : Modules with a matching port
rank : Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))
ref : Modules with a matching ref
reference : Modules with a matching reference
target : Modules affecting this target
type : Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)
Examples:
search cve:2009 type:exploit
As the help shows, search takes options followed by keywords.
- Options:
  1. -h: show this help.
  2. -o <file>: write the results to the given file in CSV format.
  3. -S <string>: filter the result rows by a string (applied to the whole row).
  4. -u: if the search returns exactly one result, use that module immediately.
- Keywords:
  1. aka: match a module's also-known-as name.
  2. author: match the module author.
  3. bid: match a Bugtraq ID.
  4. The rest are listed in the help above; the ones used most often are name, path, type, cve, port, edb and bid.
  5. The help ends with Examples, e.g. search cve:2009 type:exploit.
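The keyword grammar above (key:value pairs, bare words matched against module names, rank accepting either a name or a comparison such as gte400) is easy to misremember, so here is an added Ruby sketch of it written for this page, not taken from the framework. It runs the same kind of queries over a small constructed index and also models -S, -o and -u. The semantics are simplified (every term must match, free text is matched only against the module path and descriptive name), the module names are real but their attributes in the index are illustrative, and the rank scale is the framework's numeric one.

```ruby
# Numeric rank scale used by the framework (ManualRanking .. ExcellentRanking).
RANKS = { 'manual' => 0, 'low' => 100, 'average' => 200, 'normal' => 300,
          'good' => 400, 'great' => 500, 'excellent' => 600 }.freeze

# Constructed index of six well-known modules. Real module names, but the
# attribute values here are illustrative and this array, not the msf module
# cache, is what the functions below search.
MODULES = [
  { fullname: 'exploit/windows/smb/ms08_067_netapi', type: 'exploit', rank: 500,
    cve: ['2008-4250'], port: 445, platform: 'windows',
    name: 'MS08-067 Microsoft Server Service Relative Path Stack Corruption' },
  { fullname: 'exploit/windows/smb/ms17_010_eternalblue', type: 'exploit', rank: 200,
    cve: ['2017-0143', '2017-0144'], port: 445, platform: 'windows',
    name: 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption' },
  { fullname: 'auxiliary/scanner/smb/smb_version', type: 'auxiliary', rank: 300,
    cve: [], port: 445, platform: '', name: 'SMB Version Detection' },
  { fullname: 'exploit/multi/http/tomcat_mgr_upload', type: 'exploit', rank: 600,
    cve: ['2009-3843'], port: 8080, platform: 'java',
    name: 'Apache Tomcat Manager Authenticated Upload Code Execution' },
  { fullname: 'exploit/unix/irc/unreal_ircd_3281_backdoor', type: 'exploit', rank: 600,
    cve: ['2010-2075'], port: 6667, platform: 'unix',
    name: 'UnrealIRCD 3.2.8.1 Backdoor Command Execution' },
  { fullname: 'post/windows/gather/hashdump', type: 'post', rank: 300,
    cve: [], port: nil, platform: 'windows',
    name: 'Windows Gather Local User Account Password Hashes (Registry)' }
].freeze

# Split "cve:2009 type:exploit smb" into {"cve"=>["2009"], "type"=>["exploit"]}
# plus the free-text terms ["smb"].
def parse_query(query)
  keywords = Hash.new { |h, k| h[k] = [] }
  free = []
  query.split.each do |tok|
    if (m = tok.match(/\A([a-z_]+):(.+)\z/))
      keywords[m[1]] << m[2]
    else
      free << tok
    end
  end
  [keywords, free]
end

# rank: accepts a name ("good") or a number with an optional comparison
# prefix ("gte400", "lt300"); a bare number means equality.
def rank_match?(mod_rank, value)
  if (m = value.match(/\A(gte|lte|gt|lt|eq)?(\d+)\z/))
    op = m[1] || 'eq'
    n = m[2].to_i
    case op
    when 'gt'  then mod_rank > n
    when 'gte' then mod_rank >= n
    when 'lt'  then mod_rank < n
    when 'lte' then mod_rank <= n
    else mod_rank == n
    end
  else
    RANKS.key?(value) && mod_rank == RANKS[value]
  end
end

def keyword_match?(mod, key, value)
  v = value.downcase
  case key
  when 'type'     then mod[:type] == v
  when 'cve'      then mod[:cve].any? { |c| c.downcase.include?(v) }
  when 'port'     then mod[:port].to_s == v
  when 'rank'     then rank_match?(mod[:rank], v)
  when 'platform' then mod[:platform].downcase.include?(v)
  when 'path', 'fullname' then mod[:fullname].downcase.include?(v)
  when 'name', 'description' then mod[:name].downcase.include?(v) # simplification
  else false # unknown keyword: matches nothing
  end
end

# Every keyword and every free-text term must match (AND). row_filter models
# -S: a plain substring test against the rendered row.
def search(query, modules = MODULES, row_filter: nil)
  keywords, free = parse_query(query)
  hits = modules.select do |mod|
    keywords.all? { |key, vals| vals.all? { |val| keyword_match?(mod, key, val) } } &&
      free.all? { |t| "#{mod[:fullname]} #{mod[:name]}".downcase.include?(t.downcase) }
  end
  hits = hits.select { |mod| mod.values.join(' ').downcase.include?(row_filter.downcase) } if row_filter
  hits
end

# -u: hand back the module to `use` only when the search is unambiguous.
def use_if_single(hits)
  hits.size == 1 ? hits.first[:fullname] : nil
end

# -o: CSV of the result table (fields chosen so no quoting is needed).
def to_csv(hits)
  rows = hits.map { |m| [m[:fullname], m[:type], m[:rank], m[:cve].join(';'), m[:port]].join(',') }
  (['fullname,type,rank,cve,port'] + rows).join("\n")
end

if __FILE__ == $0
  puts to_csv(search('cve:2009 type:exploit'))
  puts "use -> #{use_if_single(search('cve:2010')).inspect}"
end
```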
db_nmap scan
- Usage is the same as nmap, and it serves the same information-gathering and host-discovery purpose; the difference is that db_nmap stores the scan results in the database, where they can be queried and managed with hosts and services. This needs a connected database: check with db_status (on Kali, msfdb init creates and configures one).
- Use hosts to filter and display the discovered results. Usage: hosts [options] [IP ...]
hosts
- Shows the hosts found by scans and manages the stored results.
- Commonly used options: -d, -u, -S
msf5 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.1.2 Unknown device
192.168.1.126 Linux server
192.168.1.254 lqh Unknown device
msf5 > hosts -h
Usage: hosts [ options ] [addr1 addr2 ...]
OPTIONS:
-a,--add Add the hosts instead of searching
-d,--delete Delete the hosts instead of searching
-c <col1,col2> Only show the given columns (see list below)
-C <col1,col2> Only show the given columns until the next restart (see list below)
-h,--help Show this help information
-u,--up Only show hosts which are up
-o <file> Send output to a file in csv format
-O <column> Order rows by specified column number
-R,--rhosts Set RHOSTS from the results of the search
-S,--search Search string to filter by
-i,--info Change the info of a host
-n,--name Change the name of a host
-m,--comment Change the comment of a host
-t,--tag Add or specify a tag to a range of hosts
Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags
| Option | Description |
|---|---|
| -a, --add | Add the given hosts instead of searching |
| -d, --delete | Delete the given hosts instead of searching |
| -c <col1,col2> | Only show the given columns |
| -C <col1,col2> | Only show the given columns until the next restart |
| -h | Show help |
| -u | Only show hosts that are up |
| -o <file> | Write the results to a CSV file |
| -O <column> | Order rows by the given column number |
| -R | Set RHOSTS from the results of the search |
| -S | Filter the results by a search string |
| -i | Change a host's info field |
| -n | Change a host's name |
| -m | Change a host's comment |
| -t | Add a tag to a range of hosts |
services
- The command for viewing and managing the port and service information recorded for each host.
- Usage: services [options] [IP ...], essentially the same as hosts
- Commonly used options: -p, -c
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.2 135 tcp msrpc open Microsoft Windows RPC
192.168.1.2 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
192.168.1.2 445 tcp microsoft-ds open Windows Server 2008 R2 Enterprise 7601 Service Pack 1 microsoft-ds
192.168.1.2 3389 tcp ssl open Microsoft SChannel TLS
192.168.1.2 49152 tcp msrpc open Microsoft Windows RPC
192.168.1.2 49153 tcp msrpc open Microsoft Windows RPC
192.168.1.2 49154 tcp msrpc open Microsoft Windows RPC
192.168.1.2 49161 tcp msrpc open Microsoft Windows RPC
192.168.1.126 22 tcp ssh open OpenSSH 5.3p1 Debian 3ubuntu4 Ubuntu Linux; protocol 2.0
192.168.1.126 80 tcp http open Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
192.168.1.126 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.1.126 143 tcp imap open Courier Imapd released 2008
192.168.1.126 443 tcp ssl/http open Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
192.168.1.126 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.1.126 5001 tcp java-rmi open Java RMI
192.168.1.126 8080 tcp http open Apache Tomcat/Coyote JSP engine 1.1
192.168.1.126 8081 tcp http open Jetty 6.1.25
msf5 > services -h
Usage: services [-h] [-u] [-a] [-r <proto>] [-p <port1,port2>] [-s <name1,name2>] [-o <filename>] [addr1 addr2 ...]
-a,--add Add the services instead of searching
-d,--delete Delete the services instead of searching
-c <col1,col2> Only show the given columns
-h,--help Show this help information
-s <name> Name of the service to add
-p <port> Search for a list of ports
-r <protocol> Protocol type of the service being added [tcp|udp]
-u,--up Only show services which are up
-o <file> Send output to a file in csv format
-O <column> Order rows by specified column number
-R,--rhosts Set RHOSTS from the results of the search
-S,--search Search string to filter by
-U,--update Update data for existing service
Available columns: created_at, info, name, port, proto, state, updated_at
| Option | Description |
|---|---|
| -a | Add services to the database instead of searching |
| -d | Delete the matching services from the database |
| -c | Only show the given columns (see hosts) |
| -h | Help |
| -s | Name of the service to add |
| -p | Search for a list of ports |
| -r | Protocol of the service being added: tcp or udp |
| -u | Only show services that are up (state open) |
| -o | Same as hosts (CSV output) |
| -O | Same as hosts |
| -R | Same as hosts |
| -S | Filter the results by a search string |
| -U | Update the data of an existing service |
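To show what db_nmap actually stores and how hosts and services slice it, here is an added Ruby example written for this page (not the framework's importer or console code) that parses a small constructed nmap -sV XML report into host and service rows and implements the filters behind -u, -p, -S, -c/-o and -R. The XML, addresses, hostnames and service banners are made up for the demo.

```ruby
require 'rexml/document'

# Constructed nmap -sV XML (not a real scan); the shape is what db_nmap hands
# to the importer. Three hosts: a Windows box, a Linux box, and one that is down.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV 192.168.1.0/24">
    <host><status state="up"/><address addr="192.168.1.2" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="445"><state state="open"/>
          <service name="microsoft-ds" product="Windows Server 2008 R2" version="7601 SP1"/></port>
        <port protocol="tcp" portid="3389"><state state="open"/>
          <service name="ssl" product="Microsoft SChannel TLS"/></port>
      </ports></host>
    <host><status state="up"/><address addr="192.168.1.126" addrtype="ipv4"/>
      <hostnames><hostname name="metasploitable"/></hostnames>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/>
          <service name="ssh" product="OpenSSH" version="5.3p1"/></port>
        <port protocol="tcp" portid="445"><state state="open"/>
          <service name="netbios-ssn" product="Samba smbd"/></port>
        <port protocol="tcp" portid="8080"><state state="filtered"/>
          <service name="http"/></port>
      </ports></host>
    <host><status state="down"/><address addr="192.168.1.254" addrtype="ipv4"/></host>
  </nmaprun>
XML

# Turn the report into the two tables the console shows: hosts and services.
def import_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  services = []
  doc.elements.each('nmaprun/host') do |h|
    addr  = h.elements['address'].attributes['addr']
    state = h.elements['status'].attributes['state']
    hn    = h.elements['hostnames/hostname']
    hosts << { address: addr, name: hn ? hn.attributes['name'] : nil, state: state }
    h.elements.each('ports/port') do |p|
      svc = p.elements['service']
      services << {
        host: addr,
        port: p.attributes['portid'].to_i,
        proto: p.attributes['protocol'],
        name: svc ? svc.attributes['name'] : nil,
        state: p.elements['state'].attributes['state'],
        # the "info" column is product + version, as in the services listing
        info: svc ? [svc.attributes['product'], svc.attributes['version']].compact.join(' ') : ''
      }
    end
  end
  { hosts: hosts, services: services }
end

# hosts [-u] [-S str] [addr ...]
def hosts(db, up: false, search: nil, addrs: [])
  rows = db[:hosts]
  rows = rows.select { |h| h[:state] == 'up' } if up
  rows = rows.select { |h| addrs.include?(h[:address]) } unless addrs.empty?
  rows = rows.select { |h| h.values.join(' ').downcase.include?(search.downcase) } if search
  rows
end

# services [-u] [-p p1,p2] [-S str] [addr ...]; -u means state open
def services(db, up: false, ports: nil, search: nil, addrs: [])
  rows = db[:services]
  rows = rows.select { |s| s[:state] == 'open' } if up
  rows = rows.select { |s| ports.include?(s[:port]) } if ports
  rows = rows.select { |s| addrs.include?(s[:host]) } unless addrs.empty?
  rows = rows.select { |s| s.values.join(' ').downcase.include?(search.downcase) } if search
  rows
end

# -R: collapse the matching rows into one space-separated RHOSTS value.
def rhosts_from(rows)
  rows.map { |r| r[:address] || r[:host] }.uniq.join(' ')
end

# -c plus -o: CSV of the chosen columns only.
def to_csv(rows, columns)
  ([columns.join(',')] + rows.map { |r| columns.map { |c| r[c].to_s }.join(',') }).join("\n")
end

if __FILE__ == $0
  db = import_nmap_xml(SAMPLE_NMAP_XML)
  puts to_csv(services(db, ports: [445]), %i[host port name info])
  puts "RHOSTS => #{rhosts_from(services(db, ports: [445]))}"
end
```

Typed into the console, the same selection is services -p 445 -R, which is the usual way to go from a scan straight to a target list for an SMB module.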