[kali] Metasploit - basic use

Study notes
https://blog.csdn.net/kevinhanser/article/details/79940686

1, Pain points of penetration testers

  • You need to master hundreds of tools and thousands of command-line parameters; nobody can remember them all
  • Vulnerability PoCs/exploits each have their own runtime environment requirements, and the preparation work is tedious
  • I spent most of my time learning the usage environment of different tools. If only it could be unified
  • Can Metasploit solve these problems (to some extent)?

2, Introduction to Metasploit

  • Currently the most popular, powerful and extensible penetration testing platform

  • A Metasploit-based process and methodology for penetration testing and vulnerability analysis

  • The first edition was released by HD Moore in 2003; it was rewritten in Ruby in 2007

  • The framework follows the Penetration Testing Execution Standard (PTES)

  • It unifies the working environment for penetration testing research to a certain extent

  • New attack code can easily be added to the framework

  • Actively developed, with frequent version updates

  • Early versions were maintained by the community; after the acquisition by Rapid7, a commercial version was released

  • Currently available in four editions; the community edition is still very active

  • HD Moore said: writing a book about Metasploit is self-torture

  • Metasploit is integrated into Kali Linux by default

  • It uses a PostgreSQL database to store data

  • Earlier versions required starting the database before starting msf

3, Metasploit architecture

Rex

  • Basic function library used for day-to-day basic tasks, so they need not be hand-coded
  • Handles socket connections and protocol responses (HTTP/SSL/SMB, etc.)
  • Encoding conversion (XOR, Base64, Unicode)

Msf::Core

  • Provides Metasploit's core basic API; the library that implements the framework's core capabilities

Msf::Base

  • Provides a friendly API layer that makes it easy for modules to call the library

Plugins

  • Connect to and invoke external extension functions and systems

Modules

/usr/share/metasploit-framework/modules/

Technical function modules (not process modules)

Exploits:

  • Attack actions that use system vulnerabilities. This module type corresponds to the attack method (active or passive) for each specific vulnerability

Payload:

The code or instructions actually executed on the target system after a successful exploit

  • shellcode or system commands
  • Three kinds of payload: /usr/share/metasploit-framework/modules/payloads/

Single: all-in-one
Stager: used when the target's memory is limited; a smaller payload is transferred first to establish the connection
Stages: the subsequent payload downloaded over the connection established by the stager
There are many types of stagers and stages, suited to different scenarios
shellcode is one kind of payload, named after the forward/reverse shell that early payloads spawned

Auxiliary:

Auxiliary modules for information gathering, enumeration, fingerprinting, scanning and similar functions (exploit-style modules that carry no payload)

Encoders:

Modules that encode the payload to evade AV inspection

Nops:

Improve exploit stability and keep the payload size consistent

4, Basic use

1. Update before use: msfupdate

  • msfcli interface: removed; replaced by msfconsole -x
  • msfconsole interface

The most popular user interface
Almost all msf functions are available from it
Console commands support TAB auto-completion
Supports running external commands (system commands, etc.)

[sudo] password for kali-2: 
┌──(root💀kali)-[/home/kali-2]
└─# msfconsole
                                                  
                          ########                  #
                      #################            #
                   ######################         #
                  #########################      #
                ############################
               ##############################
               ###############################
              ###############################
              ##############################
                              #    ########   #
                 ##        ###        ####   ##
                                      ###   ###
                                    ####   ###
               ####          ##########   ####
               #######################   ####
                 ####################   ####
                  ##################  ####
                    ############      ##
                       ########        ###
                      #########        #####
                    ############      ######
                   ########      #########
                     #####       ########
                       ###       #########
                      ######    ############
                     #######################
                     #   #   ###  #   #   ##
                     ########################
                      ##     ##   ##     ##
                            https://metasploit.com


       =[ metasploit v6.0.45-dev                          ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: View advanced module options with advanced

msf6 > 

2. Startup parameters (msfconsole -h)

General options:
    -E, --environment ENVIRONMENT    Set Rails environment (default is RAILS_ENV or 'production')

Database options:
    -M, --migration-path DIRECTORY   Specify a directory containing additional DB migrations
    -n, --no-database                Disable database support
    -y, --yaml PATH                  Specify a YAML file containing database settings

Framework options:
    -c FILE                          Load the specified configuration file
    -v, -V, --version                Show version

Module options:
        --defer-module-loads         Defer module loading unless explicitly asked
    -m, --module-path DIRECTORY      Load an additional module path

Console options:
    -a, --ask                        Ask before exiting Metasploit or accept 'exit -y'
    -H, --history-file FILE          Save command history to the specified file
    -L, --real-readline              Use the system Readline library instead of RbReadline
    -o, --output FILE                Output to the specified file
    -p, --plugin PLUGIN              Load a plugin on startup
    -q, --quiet                      Do not print the banner on startup
    -r, --resource FILE              Execute the specified resource file (- for stdin)
    -x, --execute-command COMMAND    Execute the specified console commands (use ; for multiples)
    -h, --help                       Show this message

3. help

root@kali:~# msfconsole
msf > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host (an nc-like tool inside msf)
    exit          Exit the console
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    irb           Drop into irb scripting mode
    load          Load a framework plugin
    quit          Exit the console
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well as the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers


Module Commands
===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    edit          Edit the current module or a file with the preferred editor
    info          Displays information about one or more modules
    loadpath      Searches for and loads modules from a path
    options       Displays global options or options for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active module or a list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    reload_lib    Reloads one or more library files from the specified paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Selects a module by name


Job Commands
============

    Command       Description
    -------       -----------
    handler       Start a payload handler as a job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job


Resource Script Commands
========================

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file


Database Backend Commands
=========================

    Command           Description
    -------           -----------
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (file type will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache
    db_status         Show the current database status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces


Credentials Backend Commands
============================

    Command       Description
    -------       -----------
    creds         List all credentials in the database

3.1 msf > help show

[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, plugins, info, options
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions

3.2 msf > help search

usage: search [keywords]

Keywords:
  app       :  Modules that are client or server attacks
  author    :  Modules written by this author
  bid       :  Modules with a matching Bugtraq ID
  cve       :  Modules with a matching CVE ID
  edb       :  Modules with a matching Exploit-DB ID
  name      :  Modules with a matching descriptive name
  platform  :  Modules affecting this platform
  ref       :  Modules with a matching reference
  type      :  Modules of a specific type (exploit, auxiliary or post)

msf > search ms08-067
msf > search name:mysql type:aux author:aaron    # several keywords can be combined in one search
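As an added example (not code from the original notes or from Metasploit itself), here is a miniature Ruby version of how the search keywords above filter a module list: bare words match name, description and references, `type:aux` is accepted as an alias for `auxiliary`, and several keywords are ANDed. The module records are constructed sample metadata (module names taken from this page; authors and the CVE id are placeholders).

```ruby
# Added example, not Metasploit's own code: a miniature of the msfconsole
# "search" keyword filter. The module records below are constructed sample
# metadata; authors and the CVE reference are placeholders, not real data.
MODULES = [
  { type: 'auxiliary', name: 'scanner/mysql/mysql_version', platform: %w[linux windows],
    desc: 'MySQL Server Version Enumeration', author: ['aaron'], refs: [] },
  { type: 'auxiliary', name: 'admin/mysql/mysql_enum', platform: [],
    desc: 'MySQL Enumeration Module', author: ['carlos'], refs: [] },
  { type: 'exploit', name: 'windows/smb/ms08_067_netapi', platform: ['windows'],
    desc: 'MS08-067 Server Service Relative Path Stack Corruption',
    author: ['hdm'], refs: ['MSB-MS08-067', 'CVE-1999-0001'] },   # placeholder CVE id
  { type: 'auxiliary', name: 'dos/windows/smb/ms09_001_write', platform: ['windows'],
    desc: 'SRV.SYS WriteAndX Invalid DataOffset', author: ['j.v.'], refs: ['MSB-MS09-001'] },
].freeze

# msfconsole accepts the short form "aux" for the auxiliary module type.
TYPE_ALIASES = { 'aux' => 'auxiliary' }.freeze

# "name:mysql type:aux ms08" -> [["name","mysql"], ["type","aux"], [nil,"ms08"]]
# A bare word (key nil) is matched against name, description and references.
def parse_search(query)
  query.split.map do |tok|
    key, value = tok.split(':', 2)
    value ? [key, value.downcase] : [nil, key.downcase]
  end
end

def match_term?(mod, key, value)
  case key
  when nil        then [mod[:name], mod[:desc], *mod[:refs]].any? { |s| s.downcase.include?(value) }
  when 'name'     then mod[:name].downcase.include?(value)
  when 'type'     then mod[:type] == (TYPE_ALIASES[value] || value)
  when 'author'   then mod[:author].any? { |a| a.downcase.include?(value) }
  when 'platform' then mod[:platform].any? { |p| p.downcase.include?(value) }
  when 'cve', 'bid', 'edb' then mod[:refs].any? { |r| r.downcase.include?("#{key}-#{value}") }
  when 'ref'      then mod[:refs].any? { |r| r.downcase.include?(value) }
  else false   # in this miniature an unknown keyword matches nothing, so a typo yields an empty result
  end
end

# Every keyword must match (conditions are ANDed), as in msfconsole.
def search(query, modules = MODULES)
  terms = parse_search(query)
  modules.select { |m| terms.all? { |k, v| match_term?(m, k, v) } }
         .map { |m| "#{m[:type]}/#{m[:name]}" }
end

puts search('name:mysql type:aux author:aaron')
```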



4. Commands inside a module

msf > search ms09_001_write
msf > use auxiliary/dos/windows/smb/ms09_001_write
msf auxiliary(dos/windows/smb/ms09_001_write) > info

[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions
msf auxiliary(dos/windows/smb/ms09_001_write) > show missing
msf auxiliary(dos/windows/smb/ms09_001_write) > show advanced
msf auxiliary(dos/windows/smb/ms09_001_write) > show targets



msf auxiliary(dos/windows/smb/ms09_001_write) > help edit
    Usage: edit [file/to/edit.rb]
    Edit the currently active module or a local file.
    If a file path is specified, it will be reloaded automatically after editing.
    Otherwise, use reload or rerun to reload the active module.
msf auxiliary(dos/windows/smb/ms09_001_write) > edit

5. Database operations

msf > help db_connect 
    [*] Usage: db_connect <user:pass>@<host:port>/<database>
    [*]    OR: db_connect -y [path/to/database.yml]
    [*] Examples:
    [*]        db_connect user@metasploit3
    [*]        db_connect user:pass@192.168.0.2/metasploit3
    [*]        db_connect user:pass@192.168.0.2:1500/metasploit3

msf > help db_import
    Usage: db_import <filename> [file2...]
    Filenames can be globs like *.xml, or **/*.xml, which will search recursively

msf > help db_export
    Usage:
    db_export -f <format> [filename]
    Format can be one of: xml, pwdump

Starting the database

Confusing at first; the fix is to initialize the database:

msfdb init    # initialize the database


5, Exploit modules

1. Active exploits

The attacker actively connects to the victim:

2. Passive exploits

The attacker waits for the victim to trigger the connection, which calls back to the attacker

Tags: msf

Posted on Sat, 23 Oct 2021 06:07:22 -0400 by Htmlwiz