Study notes
https://blog.csdn.net/kevinhanser/article/details/79940686
1, Pain points of the penetration tester
- You have to master hundreds of tools and thousands of command-line options; nobody can remember them all
- Every vulnerability PoC/exploit has its own runtime requirements, so the preparation work is tedious
- Most of the time goes into learning the usage conventions of yet another tool; it would help if they were unified
- Metasploit solves the above problems (to a certain extent)
2, Introduction to Metasploit
- Currently the most popular, most powerful and most extensible penetration testing platform
- Penetration testing and vulnerability analysis processes and methods are built around Metasploit
- The first edition was released by HD Moore in 2003; the framework was rewritten in Ruby in 2007 (version 3.0)
- The framework follows the Penetration Testing Execution Standard (PTES)
- It unifies the working environment of penetration testing research to a considerable extent
- New attack code (modules) can be added to the framework easily
- Actively developed, with frequent version updates
- Early versions were maintained by the community; after Rapid7 acquired the project in 2009, commercial editions were released
- At the time of writing it comes in four editions (Framework, Community, Express, Pro), and the community edition is still very active
- HD Moore said: writing a book about Metasploit is self-abuse
- Metasploit is integrated into Kali Linux by default
- It uses a PostgreSQL database to store data
- Earlier versions required starting the database before starting msf
3, Metasploit architecture
Rex
- The basic function library: routine low-level tasks are done here so that modules don't have to reimplement them
- Handles socket connections and protocol handling (HTTP/SSL/SMB, etc.)
- Encoding and conversion (XOR, Base64, Unicode)
Msf::Core
- Provides Metasploit's core API; the library that implements the framework's core capabilities
Msf::Base
- Provides a friendlier API on top of Msf::Core so that modules can call the library conveniently
Plugins
- Connect to and invoke external extension functions and systems
Modules
/usr/share/metasploit-framework/modules/
Technical function modules (not process modules)
Exploits:
- The act of using a system vulnerability to attack. Each exploit module corresponds to the attack method (active or passive) for one specific vulnerability
Payloads:
- The code or instructions that actually run on the target system after a successful exploit
- shellcode or system commands
- Three payload types under /usr/share/metasploit-framework/modules/payloads/:
  Singles: all-in-one, self-contained payloads
  Stagers: when the space available in the exploit buffer is limited, a small payload is sent first whose only job is to establish the connection
  Stages: the larger follow-on payload that is downloaded over the connection the stager established
  There are many kinds of stagers and stages, suited to different scenarios
- shellcode is one kind of payload; the name comes from the early days when it did nothing but spawn a (bind or reverse) shell
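To make the stager/stage split concrete, here is an added Ruby example (not code from these notes or from Metasploit itself) that simulates the length-prefixed handshake a reverse_tcp stager performs: the handler sends the stage size as a 4-byte little-endian integer followed by the stage bytes, and the small stager reads exactly that many bytes, coping with partial reads and refusing truncated or absurdly large stages, before it would hand control to the stage. The function names, the socket pair standing in for a TCP connection, and the sample stage bytes are assumptions made for the demo; a real stager is architecture-specific machine code and the real stage is encoded before it is sent.

```ruby
require 'socket'

# Frame a stage the way a reverse_tcp handler sends it: 4-byte little-endian length,
# then the stage bytes (illustrative, not Metasploit's own code).
def frame_stage(stage)
  [stage.bytesize].pack('V') + stage.b
end

# Handler side: push the framed stage down the connection. Returns bytes written.
def send_stage(io, stage)
  frame = frame_stage(stage)
  io.write(frame)
  io.flush
  frame.bytesize
end

# Read exactly n bytes, looping over partial reads. readpartial raises EOFError if
# the peer closes early, so a truncated stage is never mistaken for a complete one.
def read_exact(io, n)
  buf = String.new(capacity: n)
  buf << io.readpartial(n - buf.bytesize) while buf.bytesize < n
  buf
end

# Stager side: learn the stage size first, then pull exactly that many bytes.
# A real stager would allocate executable memory of this size and jump to it.
def receive_stage(io, max_size: 16 * 1024 * 1024)
  len = read_exact(io, 4).unpack1('V')
  raise "declared stage size #{len} exceeds #{max_size} bytes" if len > max_size
  read_exact(io, len)
end

# Demo over a connected socket pair (a TCP connection in practice). The handler
# deliberately sends the frame in two pieces so the stager must handle a partial read.
# The stage bytes are a constructed sample, not real shellcode.
def demo_staged_delivery
  stage = ("\x90" * 16 + "STAGE PAYLOAD BODY").b
  handler_io, stager_io = Socket.pair(:UNIX, :STREAM, 0)
  handler = Thread.new do
    frame = frame_stage(stage)
    handler_io.write(frame[0, 11])     # length header + first 7 stage bytes
    sleep 0.05
    handler_io.write(frame[11..-1])    # remainder of the stage
    handler_io.close
  end
  got = receive_stage(stager_io)
  handler.join
  stager_io.close
  got == stage
end

puts(demo_staged_delivery ? "stage received intact" : "stage mismatch") if __FILE__ == $0
```

The size check matters on the stager side for the same reason it matters in any length-prefixed protocol: the stager trusts whatever is on the other end of the socket, and a handler that lies about the length would otherwise make it allocate and wait forever.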
Auxiliary:
- Modules for information gathering, enumeration, fingerprinting, scanning and similar tasks (exploit-like modules that carry no payload)
Encoders:
- Modules that encode the payload, originally to keep bad characters out of the exploit buffer and to evade AV signatures (encoding is not encryption, and current AV engines are not fooled by the stock encoders)
Nops:
- Generate no-operation sleds to improve exploit reliability and keep the payload size consistent
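As an added example of what an encoder module actually does (not code from these notes or from Metasploit), here is a single-byte XOR encoder in Ruby. Given a payload and a set of bad characters that the target's input handling would corrupt (the classic case is a NUL byte terminating a C string), it searches for a key such that neither the key nor any encoded byte is a bad character, and decoding is the same XOR applied again. Real msf encoders (x86/xor_dynamic, x86/shikata_ga_nai) prepend an architecture-specific decoder stub in machine code and use multi-byte or rolling keys; the stub is omitted here, the function names are my own, and the sample payload bytes are constructed for the demo.

```ruby
# Single-byte XOR encoder with bad-character avoidance (illustrative, not msf's encoder).

# XOR every byte of data with key (0..255). Applying it twice restores the data.
def xor_bytes(data, key)
  data.b.bytes.map { |b| b ^ key }.pack('C*')
end

# Find a key such that neither the key byte itself nor any encoded byte is a bad
# character (the key would travel inside the decoder stub, so it must be clean too).
# Returns nil if no single-byte key works.
def find_key(payload, badchars)
  bad = badchars.b.bytes
  (1..255).each do |key|            # key 0 would be an identity encoding
    next if bad.include?(key)
    encoded = xor_bytes(payload, key)
    return key if (encoded.bytes & bad).empty?
  end
  nil
end

# Encode: returns [key, encoded]; raises when no key avoids the bad characters.
def encode_payload(payload, badchars)
  key = find_key(payload, badchars)
  raise ArgumentError, "no single-byte XOR key avoids badchars #{badchars.b.unpack1('H*')}" unless key
  [key, xor_bytes(payload, key)]
end

def decode_payload(encoded, key)
  xor_bytes(encoded, key)
end

# Demo with a constructed payload containing bytes the target would mangle:
# NUL (string terminator) and 0x0a (a newline ends the input line).
if __FILE__ == $0
  payload = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x0a\x00".b
  key, encoded = encode_payload(payload, "\x00\x0a".b)
  puts "key=0x%02x" % key
  puts "raw:     " + payload.unpack1('H*')
  puts "encoded: " + encoded.unpack1('H*')
  puts "roundtrip ok" if decode_payload(encoded, key) == payload
end
```

The failure mode is worth seeing as well: a payload that already contains every byte value cannot be fixed by any single-byte key, which is exactly why real encoders move to multi-byte keys or polymorphic schemes when the bad-character list is long.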
4, Basic use
1. Update before use: msfupdate
   (on current Kali, msfupdate is deprecated; update with apt update && apt install metasploit-framework)
- msfcli (the command-line interface) has been removed; msfconsole -x now covers that use
- msfconsole interface
  The most popular user interface
  Almost all msf functionality is available from it
  Console commands support TAB auto-completion
  Supports running external commands (system commands, etc.)
[sudo] password for kali-2:
┌──(root💀kali)-[/home/kali-2]
└─# msfconsole

       =[ metasploit v6.0.45-dev                          ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: View advanced module options with advanced
msf6 >
2. Startup options (msfconsole -h)
Common options:
    -E, --environment ENVIRONMENT    Set Rails environment, defaults to RAIL_ENV environment variable or 'production'
Database options:
    -M, --migration-path DIRECTORY   Specify a directory containing additional DB migrations
    -n, --no-database                Disable database support
    -y, --yaml PATH                  Specify a YAML file containing database settings
Framework options:
    -c FILE                          Load the specified configuration file
    -v, -V, --version                Show version
Module options:
        --defer-module-loads         Defer module loading unless explicitly asked
    -m, --module-path DIRECTORY      Load an additional module path
Console options:
    -a, --ask                        Ask before exiting Metasploit or accept 'exit -y'
    -H, --history-file FILE          Save command history to the specified file
    -L, --real-readline              Use the system Readline library instead of RbReadline
    -o, --output FILE                Output to the specified file
    -p, --plugin PLUGIN              Load a plugin on startup
    -q, --quiet                      Do not print the banner on startup
    -r, --resource FILE              Execute the specified resource file (- for stdin)
    -x, --execute-command COMMAND    Execute the specified console commands (use ; for multiples)
    -h, --help                       Show this message
-q together with -x or -r is how msfconsole is driven non-interactively, e.g. msfconsole -q -x "db_status; exit"
3. help
root@kali:~# msfconsole
msf > help

Core Commands
=============
    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host (a netcat-like client inside msf)
    exit          Exit the console
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    irb           Drop into irb scripting mode
    load          Load a framework plugin
    quit          Exit the console
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well as the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers

Module Commands
===============
    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    edit          Edit the current module or a file with the preferred editor
    info          Displays information about one or more modules
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    reload_lib    Reload one or more library files from specified paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Selects a module by name

Job Commands
============
    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job

Resource Script Commands
========================
    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file

Database Backend Commands
=========================
    Command           Description
    -------           -----------
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache
    db_status         Show the current database status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

Credentials Backend Commands
============================
    Command           Description
    -------           -----------
    creds             List all credentials in the database
3.1 msf > help show
[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, plugins, info, options
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions
3.2 msf > help search
Usage: search [keywords]
Keywords:
  app      : Modules that are client or server attacks
  author   : Modules written by this author
  bid      : Modules with a matching Bugtraq ID
  cve      : Modules with a matching CVE ID
  edb      : Modules with a matching Exploit-DB ID
  name     : Modules with a matching descriptive name
  platform : Modules affecting this platform
  ref      : Modules with a matching ref
  type     : Modules of a specific type (exploit, auxiliary, or post)
Examples:
  msf > search ms08-067
  msf > search name:mysql type:aux author:aaron   # several keywords can be combined in one search
4. Commands inside a module
msf > search ms09_001_write
msf > use auxiliary/dos/windows/smb/ms09_001_write
msf auxiliary(dos/windows/smb/ms09_001_write) > info
msf auxiliary(dos/windows/smb/ms09_001_write) > show missing
msf auxiliary(dos/windows/smb/ms09_001_write) > show advanced
msf auxiliary(dos/windows/smb/ms09_001_write) > show targets
msf auxiliary(dos/windows/smb/ms09_001_write) > help edit
Usage: edit [file/to/edit.rb]
Edit the currently active module or a local file with the preferred editor. If a file path is given, it is reloaded automatically after editing; otherwise use reload or rerun to reload the active module.
msf auxiliary(dos/windows/smb/ms09_001_write) > edit
5. Database operations
msf > help db_connect
[*]    Usage: db_connect <user:pass>@<host:port>/<database>
[*]       OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*]    db_connect user@metasploit3
[*]    db_connect user:pass@192.168.0.2/metasploit3
[*]    db_connect user:pass@192.168.0.2:1500/metasploit3
msf > help db_import
Usage: db_import <filename> [file2...]
Filenames can be globs like *.xml, or **/*.xml which will search recursively
msf > help db_export
Usage: db_export -f <format> [filename]
Format can be one of: xml, pwdump
Starting the database
(Author's note: confusing; the suggested fix, init, did not work)
msfdb init      # initialize the database: creates the PostgreSQL role, database and the config file msfconsole connects with
msfdb start     # start the database service on later boots
Then verify from inside the console with db_status, which should report that it is connected to the msf database
5, Exploit modules
1. Active exploits
The attacker's exploit module connects to a vulnerable network service on the victim and delivers the payload directly (e.g. the SMB exploit for ms08-067 searched for above):
2. Passive exploits
The exploit sets up something the victim must touch (a malicious server or file) and waits; once the victim triggers it, the payload connects back to the attacker