Table of Contents
- Preface
- 1. msfconsole
- Starting msfconsole
- Command categories
- Core commands
- Module commands
- Job commands
- Resource script commands
- Database backend commands
- 2. Usage examples
- Changing the prompt and prompt character
- Running shell commands
- Information gathering: HTTP header detection
Preface
Once you understand the architecture and working principles of the Metasploit Framework, its usage logic follows naturally:
- find relevant exploits ----> find the relevant exploits
- set parameters ----> set parameters (payload, target options, etc.)
- exploit vulnerable services ----> attack/exploit the vulnerable service
MSF is called a penetration testing framework rather than merely an exploitation framework, which means we can also use MSF for information gathering, post-exploitation and much more. So the general usage logic of MSF is:
- find relevant modules ----> find the relevant modules
- set parameters ----> set parameters (payload, target options, etc.)
- run ----> run (send the packets, print the returned output)
1. msfconsole
msfconsole is one of MSF's user interfaces; it provides a centralized console that gives you efficient access to every option available in MSF. When you first use msfconsole you may be puzzled: what exactly is this, and how does it work? We already understand the framework's underlying logic, so the first question is answered. As for the second: think of msfconsole as a "console interface", like a Linux shell: it accepts input and displays output. Since msfconsole is a command line, it has its own supported commands and options, and those are what we study next.
Starting msfconsole
Type msfconsole at the command line to start it in normal mode. A pile of welcome text appears, the software's banner; the banner is chosen at random and differs every time.
Typing msfconsole -q starts it in quiet mode. According to msfconsole --help, -q (--quiet) only suppresses the banner on startup; errors and warnings (for example from module loading) are still printed, and the console otherwise behaves identically.
Once inside the MSF console, what do you do? Without knowing the commands msfconsole supports, you will be left staring blankly and feeling intimidated.
Command categories
Inside msfconsole, type help or ? to see the command categories the development team has organized for us.
Core commands
The most common and general-purpose commands
Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    debug         Display information useful for debugging
    exit          Exit the console
    features      Display the list of not yet released features that can be opted in to
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    load          Load a framework plugin
    quit          Exit the console
    repeat        Repeat a list of commands
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    tips          Show a list of useful productivity tips
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers
Module commands
Edit, load and use MSF modules

Module Commands
===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    clearm        Clear the module stack
    favorite      Add module(s) to the list of favorite modules
    info          Displays information about one or more modules
    listm         List the module stack
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index
Job commands
Handle job operations for MSF modules, for example creating jobs, listing the jobs running in the background, killing and renaming jobs

Job Commands
============

    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job
Resource script commands

Resource Script Commands
========================

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file
Database backend commands

Database Backend Commands
=========================

    Command             Description
    -------             -----------
    analyze             Analyze database information about a specific address or address range
    db_connect          Connect to an existing data service
    db_disconnect       Disconnect from the current data service
    db_export           Export a file containing the contents of the database
    db_import           Import a scan result file (filetype will be auto-detected)
    db_nmap             Executes nmap and records the output automatically
    db_rebuild_cache    Rebuilds the database-stored module cache (deprecated)
    db_remove           Remove the saved data service entry
    db_save             Save the current data service connection as the default to reconnect on startup
    db_status           Show the current data service status
    hosts               List all hosts in the database
    loot                List all loot in the database
    notes               List all notes in the database
    services            List all services in the database
    vulns               List all vulnerabilities in the database
    workspace           Switch between database workspaces
2. Usage examples
Changing the prompt and prompt character
After entering msfconsole we may not know what to do, or rather which options are currently available to us. Typing show options or options in the global context (with no module selected) displays the following:

Global Options:
===============

    Option             Current Setting    Description
    ------             ---------------    -----------
    ConsoleLogging     false              Log all console input and output
    LogLevel           0                  Verbosity of logs (default 0, max 3)
    MeterpreterPrompt  meterpreter        The meterpreter prompt string
    MinimumRank        0                  The minimum rank of exploits that will run without explicit confirmation
    Prompt             msf6               The prompt string
    PromptChar         >                  The prompt character
    PromptTimeFormat   %Y-%m-%d %H:%M:%S  Format for timestamp escapes in prompts
    SessionLogging     false              Log all input and output for sessions
    SessionTlvLogging  false              Log all incoming and outgoing TLV packets
    TimestampOutput    false              Prefix all console output with a timestamp
We can change these options with set; for example, to change the prompt string and the prompt character:
msf6 > set Prompt 辣鸡
Prompt => ▒辣鸡
▒辣鸡 > set PromptChar >>>
PromptChar => >>>
▒辣鸡 >>>
▒辣鸡 >>>
msf6 > has become ▒辣鸡 >>>
Running shell commands
Shell commands can be run inside msfconsole, because Metasploit passes command lines it does not recognize through to the operating system:
▒辣鸡 >>> whoami
[*] exec: whoami
kali
▒辣鸡 >>> ls | grep burp
[*] exec: ls | grep burp
burpsuiteP
From the [*] exec: line one might guess that Ruby's exec() is used to run the string, but exec() replaces the calling process and would terminate msfconsole. What actually happens is command passthrough: when the first word of a line is not a console command but resolves to an executable on PATH, msfconsole prints [*] exec: <line> and hands the whole line to Ruby's Kernel#system, which runs it via /bin/sh when the line contains shell metacharacters such as |, so pipes and redirects work as in a normal shell. If the first word is not found on PATH, msfconsole reports an unknown command instead. The security-relevant consequence: any unrecognized line whose first word names an executable on PATH is executed as a shell command with msfconsole's privileges, so be careful about what you paste into the console or put into a resource script.
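To make the passthrough mechanism concrete, here is an added Ruby example (not Metasploit's own code) that re-creates the dispatch logic described above: look up the first word of the line on PATH, and only if it is found print the exec banner and hand the full line to Kernel#system. The function names find_full_path and dispatch_unknown are this example's own, loosely modelled on the real driver, and the command lines in the usage section are constructed input.

```ruby
#!/usr/bin/env ruby
# Added example, not Metasploit's code: a minimal re-creation of how
# msfconsole hands an unrecognized command line to the operating system.
# The real driver checks whether the first word resolves to an executable
# on PATH; only then does it print "[*] exec: ..." and call Kernel#system
# with the whole line.  Function names here are this example's own.

# Return the full path of +cmd+ if it is an executable on PATH, else nil.
# Stands in for Metasploit's Rex::FileUtils.find_full_path.
def find_full_path(cmd)
  return cmd if cmd.include?(File::SEPARATOR) && File.executable?(cmd)

  ENV.fetch('PATH', '/usr/local/bin:/usr/bin:/bin')
     .split(File::PATH_SEPARATOR).each do |dir|
    candidate = File.join(dir, cmd)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# Dispatch one console line that matched no built-in command.
# Returns :passthru_ok, :passthru_failed (non-zero exit) or :unknown.
def dispatch_unknown(line, passthru: true)
  method = line.split.first.to_s
  if passthru && find_full_path(method)
    puts "[*] exec: #{line}"
    # Kernel#system with a single string: Ruby spawns "/bin/sh -c <line>"
    # when the string contains shell metacharacters (| > ; & quotes...),
    # which is why `ls | grep burp` works inside msfconsole.  exec() would
    # replace this process instead and never return to the console.
    ok = system(line)
    return ok ? :passthru_ok : :passthru_failed
  end
  puts "[-] Unknown command: #{method}"
  :unknown
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the session in the text.
  dispatch_unknown('whoami')
  dispatch_unknown('ls | grep burp')      # "ls" is on PATH, so the pipe goes to sh
  dispatch_unknown('notarealcommand123')  # nothing on PATH: reported as unknown
end
```

Note that the PATH lookup is performed only on the first word; everything after it, including pipes, redirects and further commands, is interpreted by the shell, which is exactly why the pasted-line caveat above matters.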