I. Introduction of Metasploit
Metasploit is an open source security vulnerability detection Tool, and Metasploit is a free tool, so security workers often use Metasploit tools to detect system security. The Metasploit Framework (MSF) was released as an open source in 2003 and is a freely available development framework. It is a powerful open-source platform for developing, testing, and using malicious code, an environment that provides a reliable platform for penetration testing, shellcode authoring, and vulnerability research.
This extensible model integrates load control (payload), encoders (encode), no-action generators (Nops), and vulnerabilities to make the Metasploit Framework a way to study high-risk vulnerabilities. It integrates common overflow vulnerabilities and popular shellcode on various platforms, and is constantly updated.
The current version collects hundreds of useful overflow attack programs and some assistive tools that let people use simple methods to complete security vulnerability detection, even if a person who does not understand security can easily use it. Of course, it's not just a simple collection tool that provides all the classes and methods that developers use to quickly and easily develop two of times.
A small part of its core is implemented by the Assembly and C language, while the rest is implemented by Ruby. Modifications to the Assembly and the C language section are not recommended. Second, build Metasploit environment
Installed in the Windows environment.
Download the installation version of Windows from the official website http://www.metasploit.com/, and install it directly. The installed version is 3.5.1. Installation should pay attention to the following two points: when the installation to turn off the antivirus software. Otherwise, it will cause anti-virus software and Metasploit conflict, causing the installation to fail. Select English (United States) in the Control Panel-Regional and Language Options-select English (United States)-Advanced tab. Because it will be detected at the time of installation, the installation will fail if it belongs to a non-English locale.
If you have antivirus software installed, you will often be prompted to detect a virus or Trojan in the Metasploit installation directory.
Installed under the Linux environment.
The official website provides two types of Linux installation, one is packaged Metasploit installation package, such as Framework-3.5.1-linux-i686.run, which contains the various packages required for installation, download and install directly on the computer. Root privileges are required for installation. If you have anti-virus software installed, you need to shut down the anti-virus software.
The other is the source package, downloaded to the machine after the installation itself. Need to install a variety of trusted packages in advance, after installation requires a certain configuration, more cumbersome. This example uses the source package installation method, because previously installed Postsql, in the use of Framework-3.5.1-linux-i686.run installation will report an error has been installed Postsql database and so on. When using Metasploit in Windows, after learning a certain stage, I feel some things do not understand, installed the Linux version of the Metasploit to learn.
third, the use of Metasploit
Metasploit currently provides three user interfaces, one GUI mode, the other is the console mode, and the third is the CLI (command line) mode. It also provides a web schema that is no longer supported. There are pros and cons to these three models and are recommended for use in the MSF console model. You can use almost all of the functionality provided by MSF in the console, and you can perform some other external commands, such as Ping, in the console.
Windows under the GUI startup mode. From the Start menu--metasploit framework--metaspliit GUI. , as shown in the following illustration:
Figure 1:metasploit GUI startup mode
Its GUI mode starts after the interface as shown in Figure 2:
Figure 2:metasploit GUI start-up interface
The Windows Console mode starts in a similar way to the GUI, with the boot-up interface shown in Figure 3:
Figure 3:metasploit Console post-boot interface
The use of Metasploit is simple and the basic commands can be understood. Here's how to use the console as an example:
Enter Help or. To view help information. As shown in Figure 4
Figure 4:help
The following is an example of ms04_045_wins in exploit.
1 show exploits as shown in Figure 5:
Figure 5:show Exploits
2 Info exploit/windows/wins/ms04_045_wins View its description information. As shown in Figure 6:
Figure 6:info
3 Use Exploit/windows/wins/ms04_045_wins uses this exploit. As shown in Figure 7:
Figure 7:use
4 Show Options View the appropriate option, as shown in Figure 8
Figure 8:show Options
5 Set RHOST 192.168.1.200 setting targets
6 Set Rport 7777 Setup Port
7 Set PAYLOAD generic/shell_bind_tcp settings used by shellcode
8 Exploit execution attack
For the above steps, some are not necessary, such as the 2nd step. The GUI interface is used in a similar way and is simpler, but some features may not be available.
When used on Linux, you can start terminal mode by entering Msfconsole on the terminal. Enter Msfgui to start GUI mode. It works like on Windows. Iv. Classification of Metasploit attack methods
There are 635 types of overflow (exploit) modules, 314 auxiliary (auxiliary) modules, 215 loading (payload) modules, 27 coding (Encoder), and 8 kinds of nops.
Exploits is generally divided into two types of overflow (exploit) attack methods, namely, active overflow and passive overflow. Active overflow is targeted at the target host of the vulnerability of the active attack to gain control, passive overflow is the target host passive monitoring and then get the appropriate operation. In all exploit, the most for Windows platforms is more than the sum of all the other platforms.
A buffer overflow is when the computer fills the buffer with data bits that exceed the buffer itself's capacity overflow data coverage on legitimate data, ideally the program to check the length of the data does not allow the input of characters beyond the length of the buffer, but most of the program will assume that the data length always match the allocated storage space, This is the hidden danger of buffer overflow. The buffer used by the operating system is also known as a "stack". Between the various operations, instructions are temporarily stored in the "stack" and a buffer overflow occurs on the stack.
Buffer overflow is a very common, very dangerous vulnerability that exists widely in various operating systems and applications. The use of buffer overflow can cause program failure, System panic, restart, etc., can also be used to obtain non-authorized instructions, and even system privileges, and then carry out various illegal operations.
In the current network and distributed system security, more than 50% of the widely used is buffer overflow. Buffer overflow, the most dangerous is the stack overflow, because the intruder can take advantage of the stack overflow, the function returned when the return of the address of the program, let it jump to any address, the harm one is a program crashes caused by a denial of service, the other is to jump and execute a piece of malicious code, such as Get shell, Then do whatever you have.
By writing content that exceeds its length to the program's buffer, the buffer overflows, thereby destroying the program's stack, causing the program to crash or allowing the program to execute other instructions in order to achieve the purpose of the attack. The cause of the buffer overflow is that the user input parameters are not carefully checked in the program.
Simply filling in the buffer and causing it to overflow will generally only "Fragment error" (segmentation fault), but not the purpose of the attack. The most common approach is to make the program run a user shell by making a buffer overflow, and then execute other commands through the shell. If the program is rooted and has suid permissions, the attacker obtains a root-privileged shell that can perform arbitrary operations on the system.
Buffer overflow attacks are a common security attack means because buffer overflow vulnerabilities are too common and easy to implement. Also, a buffer overflow is the primary means of a remote attack because the buffer overflow vulnerability gives the attacker everything he wants: implant and execute the attack code. The injected attack code runs a program with a buffer overflow vulnerability with certain privileges to gain control of the attacked host.
The purpose of a buffer overflow attack is to disrupt the functionality of a program that has certain privileges to run, which allows an attacker to take control of the program, and if the program has sufficient permissions, the entire host is controlled. In general, an attacker attacks the root program and executes a shell similar to "exec (SH)" execution code to gain root privileges. To achieve this goal, the attacker must achieve the following two goals:
1. Arrange the appropriate code in the program's address space.
2. Through the appropriate initialization register and memory, let the program jump to the address space assigned by the intruder to execute.
Whenever a function call occurs, the caller leaves an activity record in the stack that contains the address returned at the end of the function. The attacker points the return address to the attack code by spilling an automatic variable in the stack. By changing the return address of the program, when the function call ends, the program jumps to the address set by the attacker, not the original address. This type of buffer overflow is called a stack overflow attack (smashing Attack), which is the most commonly used buffer overflow attack mode.
function pointers can be used to locate any address space. For example: "Void (* foo) ()" Declares a function pointer variable foo with a return value of void. So an attacker could simply find an overflow buffer near the function pointer in any space and then overflow the buffer to change the function pointer. At some point, when a program invokes a function through a function pointer, the program's process is implemented according to the attacker's intent. One of its attack paradigms is the Superprobe program under the Linux system.
A simple inspection/recovery system, called SETJMP/LONGJMP, is included in the C language. It means to set "setjmp" at the checkpoint and use "longjmp" to restore the checkpoint. However, if an attacker is able to enter the buffer space, then "longjmp" is actually the code that jumps to the attacker. Like a function pointer, the LONGJMP buffer can point to anywhere, so what an attacker has to do is find a buffer that can overflow.
The overflow module (Exploit) in Metasploit is divided into 13 types: AIS, BSDI, dialup, FreeBSD, Hpux, IRIX, Linux, Multi, NetWare, OSX, Solaris, UNIX, Windows. One of the most under Windows.
Aided