Study notes
https://blog.csdn.net/kevinhanser/article/details/79940686
1, Perplexity of penetration testers
- You need to master hundreds of tools and software and thousands of command parameters. You really can't remember them
- The vulnerabilities PoC/EXP have different operating environment requirements, and the preparation work is cumbersome
- I spent most of my time learning the user environment of different tools. If only it could be unified
- Can Metasploit solve the above problems (to some extent)
2, Introduction to Metasploit
-
At present, the most popular, powerful and extensible penetration test platform software
-
Process and method of penetration testing and vulnerability analysis based on Metasploit
-
The first edition was released by HD More in 2003 and written in ruby language in 2007
-
The framework inherits the penetration test standard (PETS)
-
It unifies the working environment of penetration test research to a certain extent
-
New attack code can be easily added to the framework
-
Active development and frequent version updates
-
The early version was based on community power maintenance. After being acquired by Rapid 7, Dazhao released its commercial version
-
At present, it is divided into four versions, and the community version is still very active
-
HD More said: writing a book for Metasploit is self abuse
-
Metasploit is integrated in kali linux by default
-
Using postgresql database to store data
-
Earlier versions required starting the database before starting msf
3, Metasploit architecture
Rex
- The basic function library is used to complete daily basic tasks without manual coding
- Handle socket connection access and protocol response (http/SSL/SMB, etc.)
- Encoding conversion (XOR, Base64, Unicode)
Msf::Core
- It provides the core basic API of Metasploit, which is the core capability implementation library of the framework
Msf::Base
- Provide a friendly API interface to facilitate the module to call the library
Plugin plug in
- Connecting and invoking external extension functions and systems
modular
/usr/share/metasploit-framework/modules/
Technical function module (not process module)
Exploits:
- The action of using system vulnerabilities to attack. This module corresponds to the attack method (active and passive) of each specific vulnerability
Payload:
After successful exploit, the code or instruction that is actually executed on the target system
- shellcode or system command
- Three payload s: / usr/share/metasploit-
framework/modules/payloads/
Single: all-in-one
Stager: when the memory of the target computer is limited, first transfer a smaller payload to establish a connection
stages: subsequent payload s downloaded through the connection established by stager
There are many types of Stagers and stages, which are suitable for different scenarios
shellcode is a kind of payload, named for the forward / reverse shell during the period
Technical function module (not process module)
Auxiliary:
Auxiliary module for information collection, enumeration, fingerprint detection, scanning and other functions (without payload's exploit module)
Encoders:
The module that encrypts the payload to avoid AV inspection
Nops:
Improve the stability and maintain the size of paylaod
4, Basic use
1. Upgrade before use: msfupdate
- msfcli uses the interface. Now msfconsole -x has been updated
- Interface used by msfconsole
The most popular user interface
Almost all msf functions can be used
The console command supports TAB auto completion
Support the execution of external commands (system commands, etc.)
[sudo] password for kali-2:
┌──(root💀kali)-[/home/kali-2]
└─# msfconsole
######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
## ### #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # ### # # ##
########################
## ## ## ##
https://metasploit.com
=[ metasploit v6.0.45-dev ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: View advanced module options with
advanced
msf6 >
2. Click the mouse to start
General options:
-E, --environment ENVIRONMENT set up Rails Environment, default to RAIL_ENV Environment variable or'production'
Database options:
-M, --migration-path DIRECTORY Specify the directory that contains other database migrations
-n, --no-database Disable database support
-y, --yaml PATH Specify a that contains database settings YAML file
Frame options:
-c FILE Loads the specified configuration file
-v, -V, --version Display version
Module options:
--defer-module-loads Delay module loading unless explicitly asked
-m, --module-path DIRECTORY Load an additional module path
Console options:
-a, --ask Exiting Metasploit Ask or accept before'sign out-y'
-H, --history-file FILE Saves the command history to the specified file
-L, --real-readline Use system Readline Library instead of RbReadline
-o, --output FILE Output to the specified file
-p, --plugin PLUGIN Load plug-ins at startup
-q, --quiet Do not display at startup banner information
-r, --resource FILE Executes the specified resource file( - be used for stdin)
-x, --execute-command COMMAND Execute the specified console command (using;(for multiples)
-h, --help Show this message
3. help
root@kali:~# msfconsole
msf > help
Core command
=============
command describe
------- -----------
? Help menu
banner Show a great metasploit banner
cd Change the current working directory
color Toggle highlight color
connect Connect and communicate with the host msf Lower nc
exit Exit exit console
get Gets the value of a context specific variable
getg Gets the value of the global variable
grep Grep Output of another command
help Help menu
history History displays command history
irb get into irb Script mode
load Load a framework plug-in
quit Exit console
route Routing routing traffic through sessions
save Save active data store
sessions Session dumps the session list and displays information about the session
set Set context specific variables to a value
setg Set the global variable to a value
sleep Sleep does nothing for the specified number of seconds
spool Write console output to file and screen
threads Thread viewing and manipulating background threads
unload Uninstall the framework plug-in
unset Unset unsets one or more context specific variables
unsetg Unset unsets one or more global variables
version Version displays the frame and console library version numbers
Module command
===============
command describe
------- -----------
advanced Advanced displays advanced options for one or more modules
back Return returns from the current context
edit Edit use the preferred editor to edit the current module or file
info Displays information about one or more modules
loadpath Load path search and load modules in the path
options Options displays global options or one or more modules
popm Pop the latest module from the stack and make it active
previous Set the previously loaded module as the current module
pushm Push the list of activities or modules into the module stack
reload_all Reload all modules in all defined module paths
reload_lib Loads the library file from the specified path
search Search module name and description
show Displays modules of a given type or all modules
use Using select module by name
Work order
============
command describe
------- -----------
handler The handler starts the load handler as a job
jobs Job display and management
kill Kill a job
rename_job Rename job
Resource script command
========================
command describe
------- -----------
makerc Save commands entered from start to file
resource Run the command stored in the file
Database backend command
=========================
command describe
------- -----------
db_connect Connect to an existing database
db_disconnect Disconnect the current database instance
db_export Export a file that contains the contents of the database
db_import Import scan result file (file type will be automatically detected)
db_nmap implement nmap And automatically record the output
db_rebuild_cache Rebuild database enclosure cache
db_status Displays the current database status
hosts Lists all hosts in the database
loot List all spoils in the database
notes Lists all comments in the database
services Lists all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
Voucher backend command
============================
command describe
------- -----------
creds Lists all credentials in the database(password)
3.1 ms>help show
[*]"show" Valid parameters for the command are: all, encoders, nops, exploits, payloads, auxiliary, plugins, info, options [*]Other module specific parameters are: missing, advanced, evasion, targets, actions
3.2 msf>help search
usage: search [keywords] Keywords: app : Client or server attack module author : Module written by the author bid : With matching Bugtraq ID Module of cve : With matching CVE ID Module of edb : With matching Exploit-DB ID Module of name : Modules with matching descriptive names platform : Modules that affect this platform ref : Module with matching reference type : Specific types of modules( exploit,auxiliary or post) msf > search ms08-067 msf > search name:mysql / type:aux /author:aaron # Multiple conditions can be searched at the same time
4. Commands in the module
msf > search ms09_001_write
msf > use auxiliary/dos/windows/smb/ms09_001_write
msf auxiliary(dos/windows/smb/ms09_001_write) > info
[*]Other module specific parameters are: missing, advanced, evasion, targets, actions
msf auxiliary(dos/windows/smb/ms09_001_write) > show missing
msf auxiliary(dos/windows/smb/ms09_001_write) > show advanced
msf auxiliary(dos/windows/smb/ms09_001_write) > show targets
msf auxiliary(dos/windows/smb/ms09_001_write) > help edit
Usage: Edit[file / to / edit.rb]
Use to edit the currently active module or local file.
If a file path is specified, it will automatically reload after editing.
Otherwise, you can use reload or rerun to reload the active module.
msf auxiliary(dos/windows/smb/ms09_001_write) > edit
5. Database operation
msf > help db_connect
[*] Usage: db_connect <user:pass>@<host:port>/<database>
[*] OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*] db_connect user@metasploit3
[*] db_connect user:pass@192.168.0.2/metasploit3
[*] db_connect user:pass@192.168.0.2:1500/metasploit3
msf > help db_import
Usage: db_import <filename> [file2...]
Filenames can be globs like *.xml, or **/*.xml which will search recursively
msf > help db_export
Usage:
db_export -f <format> [filename]
Format can be one of: xml, pwdump
Start database
Very confused, the solution is invalid - init
msfdb init # initialize the database
5, Exploit module
1. Active exploit
Attacker actively connects victim:
2. Passive Exploits
The attacker waits for the victim to trigger the connection and bounce back to the attacker