msfconsole

Before starting msfconsole, enable postgresql at boot so that later the database comes up on its own and you never have to start it by hand:

    systemctl enable postgresql

Start postgresql now:

    systemctl start postgresql

If you forgot to start postgresql, this one command brings up the database first and then msfconsole:

    msfdb run

Every start draws a different banner; there are several pieces of ASCII art. Mine came up like this:

     IIIII    dTb.dTb        _.---._
      II     4'  v  'B   .'"".'/|\`.""'.
      II     6.     .P  :  .' / | \ `.  :
      II     'T;. .;P'  '.'  /  |  \  `.'
      II      'T; ;P'    `. /   |   \ .'
     IIIII     'YvP'       `-.__|__.-'

    I love shells --egypt

           =[ metasploit v5.0.101-dev                          ]
    + -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
    + -- --=[ 562 payloads - 45 encoders - 10 nops            ]
    + -- --=[ 7 evasion                                       ]

    Metasploit tip: After running db_nmap, be sure to check out the result of hosts and services

Explanation of the banner lines:

    =[ metasploit v5.0.101-dev ]                           framework version
    + -- --=[ 2049 exploits - 1108 auxiliary - 344 post ]  2049 exploit modules, 1108 auxiliary modules, 344 post-exploitation modules
    + -- --=[ 562 payloads - 45 encoders - 10 nops ]       562 payloads, 45 encoders, 10 NOP generators
    + -- --=[ 7 evasion ]                                  7 evasion modules

Note that "post" counts post-exploitation modules, not ports, and "evasion" is its own module type, not a kind of auxiliary module.

Type help for the command reference:

    help

Returned:

    Core Commands
    =============

        Command       Description
        -------       -----------
        ?             Help menu
        banner        Display an awesome metasploit banner
        cd            Change the current working directory
        color         Toggle color
        connect       Communicate with a host
        debug         Display information useful for debugging
        exit          Exit the console
        get           Gets the value of a context-specific variable
        getg          Gets the value of a global variable
        grep          Grep the output of another command
        help          Help menu
        history       Show command history
        load          Load a framework plugin
        quit          Exit the console
        repeat        Repeat a list of commands
        route         Route traffic through a session
        save          Saves the active datastores
        sessions      Dump session listings and display information about sessions
        set           Sets a context-specific variable to a value
        setg          Sets a global variable to a value
        sleep         Do nothing for the specified number of seconds
        spool         Write console output into a file as well the screen
        threads       View and manipulate background threads
        tips          Show a list of useful productivity tips
        unload        Unload a framework plugin
        unset         Unsets one or more context-specific variables
        unsetg        Unsets one or more global variables
        version       Show the framework and console library version numbers

    Module Commands
    ===============

        Command       Description
        -------       -----------
        advanced      Displays advanced options for one or more modules
        back          Move back from the current context
        clearm        Clear the module stack
        info          Displays information about one or more modules
        listm         List the module stack
        loadpath      Searches for and loads modules from a path
        options       Displays global options or for one or more modules
        popm          Pops the latest module off the stack and makes it active
        previous      Sets the previously loaded module as the current module
        pushm         Pushes the active or list of modules onto the module stack
        reload_all    Reloads all modules from all defined module paths
        search        Searches module names and descriptions
        show          Displays modules of a given type, or all modules
        use           Interact with a module by name or search term/index

    Job Commands
    ============

        Command       Description
        -------       -----------
        handler       Start a payload handler as job
        jobs          Displays and manages jobs
        kill          Kill a job
        rename_job    Rename a job

    Resource Script Commands
    ========================

        Command       Description
        -------       -----------
        makerc        Save commands entered since start to a file
        resource      Run the commands stored in a file

    Database Backend Commands
    =========================

        Command           Description
        -------           -----------
        analyze           Analyze database information about a specific address or address range
        db_connect        Connect to an existing data service
        db_disconnect     Disconnect from the current data service
        db_export         Export a file containing the contents of the database
        db_import         Import a scan result file (filetype will be auto-detected)
        db_nmap           Executes nmap and records the output automatically
        db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
        db_remove         Remove the saved data service entry
        db_save           Save the current data service connection as the default to reconnect on startup
        db_status         Show the current data service status
        hosts             List all hosts in the database
        loot              List all loot in the database
        notes             List all notes in the database
        services          List all services in the database
        vulns             List all vulnerabilities in the database
        workspace         Switch between database workspaces

    Credentials Backend Commands
    ============================

        Command       Description
        -------       -----------
        creds         List all credentials in the database

    Developer Commands
    ==================

        Command       Description
        -------       -----------
        edit          Edit the current module or a file with the preferred editor
        irb           Open an interactive Ruby shell in the current context
        log           Display framework.log paged to the end if possible
        pry           Open the Pry debugger on the current module or Framework
        reload_lib    Reload Ruby library files from specified paths

msfconsole
==========

`msfconsole` is the primary interface to Metasploit Framework. There is quite a lot that needs to go here, please be patient and keep an eye on this space!
Building ranges and lists
-------------------------

Many commands and options that take a list of things can use ranges to avoid having to manually list each desired thing. All ranges are inclusive.

### Ranges of IDs

Commands that take a list of IDs can use ranges to help. Individual IDs must be separated by a `,` (no space allowed) and ranges can be expressed with either `-` or `..`.

### Ranges of IPs

There are several ways to specify ranges of IP addresses that can be mixed together. The first way is a list of IPs separated by just a ` ` (ASCII space), with an optional `,`. The next way is two complete IP addresses in the form of `BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR specifications may also be used, however the whole address must be given to Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC. Additionally, a netmask can be used in conjunction with a domain name to dynamically resolve which block to target. All these methods work for both IPv4 and IPv6 addresses.
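As an added example (not code from this page or from Metasploit, whose own parser is Rex::Socket::RangeWalker), here is a stand-alone Ruby re-implementation of the ID-list and IP-range grammar just described, plus the NMAP-style per-octet ranges that msfconsole also accepts for IPv4. The function names are mine, and the only rule it enforces beyond the text is that an octet range may not exceed 255. It shows what `jobs -k 2-6,7,8,11..15` or an `RHOSTS` value actually expands to, and why `127/8` is rejected while `127.0.0.0/8` is accepted.

```ruby
require "ipaddr"
require "socket"

# Added example, not Metasploit code: an independent re-implementation of
# the ID-list and IP-range syntax documented for msfconsole. All ranges are
# inclusive, as in the framework.

# "2-6,7,8,11..15" -> [2, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15]
# Entries are separated by "," with no spaces; a range uses "-" or "..".
def expand_ids(spec)
  spec.split(",").flat_map do |entry|
    m = entry.match(/\A(\d+)(?:(?:-|\.\.)(\d+))?\z/)
    raise ArgumentError, "bad ID entry: #{entry.inspect}" unless m
    lo = m[1].to_i
    hi = (m[2] || m[1]).to_i
    raise ArgumentError, "reversed range: #{entry}" if hi < lo
    (lo..hi).to_a
  end.uniq.sort
end

# NMAP-style octet ranges: "127.0.0-2.1-4,15" expands every octet
# independently, so this one yields 1 * 1 * 3 * 5 = 15 addresses.
def expand_octets(spec)
  octets = spec.split(".", -1)
  raise ArgumentError, "need four octets: #{spec}" unless octets.size == 4
  choices = octets.map do |octet|
    octet.split(",").flat_map do |part|
      m = part.match(/\A(\d+)(?:-(\d+))?\z/)
      raise ArgumentError, "bad octet: #{part.inspect}" unless m
      lo = m[1].to_i
      hi = (m[2] || m[1]).to_i
      raise ArgumentError, "octet out of range: #{part}" unless lo <= hi && hi <= 255
      (lo..hi).to_a
    end.uniq.sort
  end
  first, *rest = choices
  first.product(*rest).map { |addr| addr.join(".") }
end

# BEGIN-END ranges ("127.0.1.44-127.0.2.33", "::1-::f0f0") and CIDR blocks.
# IPAddr insists on a complete address, so "127/8" raises, matching msfconsole.
def expand_range(spec)
  return IPAddr.new(spec).to_range.map(&:to_s) if spec.include?("/")
  lo, hi = spec.split("-", 2).map { |s| IPAddr.new(s) }
  raise ArgumentError, "mixed address families: #{spec}" unless lo.family == hi.family
  raise ArgumentError, "reversed range: #{spec}" if hi < lo
  (lo.to_i..hi.to_i).map { |i| IPAddr.new(i, lo.family).to_s }
end

# Dispatch one target token to the right expander.
def expand_target(spec)
  return expand_range(spec) if spec.include?("/")
  halves = spec.split("-", 2)
  full_addresses = halves.size == 2 && halves.all? { |h| (IPAddr.new(h) rescue nil) }
  return expand_range(spec) if full_addresses
  return expand_octets(spec) if spec.match?(/\A[\d.,-]+\z/)
  [IPAddr.new(spec).to_s]
end

# A whole RHOSTS / check line: targets separated by spaces, each with an
# optional trailing ",", e.g. "127.168.0.0/30, 127.0.0-2.1-4,15 127.0.0.255".
def expand_targets(line)
  line.split(/\s+/)
      .map { |tok| tok.sub(/,\z/, "") }
      .reject(&:empty?)
      .flat_map { |tok| expand_target(tok) }
      .uniq
end

if $PROGRAM_NAME == __FILE__
  p expand_ids("2-6,7,8,11..15")
  p expand_targets("127.168.0.0/30, 127.0.0-2.1-4,15 127.0.0.255").size
end
```

A note on the design: the dispatcher tries the BEGIN-END form only when both halves parse as complete addresses, which is what keeps `127.0.0-2.1-4,15` (a per-octet range) apart from `127.0.1.44-127.0.2.33` (an address range), and the `/16` in the `check` example above expands to 65536 hosts, so a quick `.size` check before firing a module at a typo is worthwhile.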
IPv4 addresses can also be specified with special octet ranges from the [NMAP target specification](https://nmap.org/book/man-target-specification.html).

### Examples

Terminate the first session:

    sessions -k 1

Stop some extra running jobs:

    jobs -k 2-6,7,8,11..15

Check a set of IP addresses:

    check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255

Target a set of IPv6 hosts:

    set RHOSTS fe80::3990:0000/110, ::1-::f0f0

Target a block from a resolved domain name:

    set RHOSTS www.example.test/24

The help output is grouped into Core Commands, Module Commands, Job Commands, Resource Script Commands, Database Backend Commands, Credentials Backend Commands and Developer Commands.

The connect command talks to a remote host, much like netcat, and is mostly used during internal-network pentests. Its form is `connect <ip> <port>`, for example `connect 192.168.1.1 80`. Running it without arguments prints its help:

    msf5 > connect

Returned:

    Usage: connect [options] <host> <port>

    Communicate with a host, similar to interacting via netcat, taking advantage of
    any configured session pivoting.

    OPTIONS:

        -C        Try to use CRLF for EOL sequence.
        -P <opt>  Specify source port.
        -S <opt>  Specify source address.
        -c <opt>  Specify which Comm to use.
        -h        Help banner.
        -i <opt>  Send the contents of a file.
        -p <opt>  List of proxies to use.
        -s        Connect with SSL.
        -u        Switch to a UDP socket.
        -w <opt>  Specify connect timeout.
        -z        Just try to connect, then return.

Module-related commands. `show` lists modules, and because it walks the whole module tree it is slow. Its valid arguments are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options.

List every module:

    show all

List all exploit modules in the framework:

    show exploits

List all payloads:

    show payloads

List all auxiliary modules:

    show auxiliary

The search command is the fast and convenient way to find a module. View its help:

    search -h

Returned:

    Usage: search [<options>] [<keywords>:<value>]

    Prepending a value with '-' will exclude any matching results.
    If no options or keywords are provided, cached results are displayed.
    OPTIONS:
      -h                Show this help information
      -o <file>         Send output to a file in csv format
      -S <string>       Regex pattern used to filter search results
      -u                Use module if there is one result

    Keywords:
      aka         :  Modules with a matching AKA (also-known-as) name
      author      :  Modules written by this author
      arch        :  Modules affecting this architecture
      bid         :  Modules with a matching Bugtraq ID
      cve         :  Modules with a matching CVE ID
      edb         :  Modules with a matching Exploit-DB ID
      check       :  Modules that support the 'check' method
      date        :  Modules with a matching disclosure date
      description :  Modules with a matching description
      fullname    :  Modules with a matching full name
      mod_time    :  Modules with a matching modification date
      name        :  Modules with a matching descriptive name
      path        :  Modules with a matching path
      platform    :  Modules affecting this platform
      port        :  Modules with a matching port
      rank        :  Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))
      ref         :  Modules with a matching ref
      reference   :  Modules with a matching reference
      target      :  Modules affecting this target
      type        :  Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)

    Examples:
      search cve:2009 type:exploit
      search cve:2009 type:exploit platform:-linux

Searching by a bare term. Format: `search <term>`. A term with no keyword prefix is matched very broadly, so use this form only when you already know clearly what the vulnerability is called. Example, looking for ms08_067:

    msf5 > search ms08_067

Returned:

    Matching Modules
    ================

       #  Name                                 Disclosure Date  Rank   Check  Description
       -  ----                                 ---------------  ----   -----  -----------
       0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruptio

The columns are the module name, disclosure date, rank, whether the module implements a check method, and description.

Every exploit module is given a Rank that reflects its reliability and its potential impact on the target system. You can search, sort and filter modules by rank. In descending order of reliability:

excellent: the exploit will never crash the target service. This is the case for SQL injection, command injection, remote file inclusion, local file inclusion and the like. Typical memory-corruption exploits should not get this rank except under special circumstances.

great: the exploit has a default target and either auto-detects the appropriate target or uses an application-specific return address after a version check of the target service.

good: the exploit has a default target and that target is the "common case" for this kind of software (Windows 7 for a desktop application, Server 2012 for a server, and so on).

normal: the exploit is otherwise reliable, but depends on a specific version and cannot (or does not) reliably auto-detect it.

average: the exploit is generally unreliable or difficult to exploit.

low: the exploit is nearly impossible to use against common platforms (under a 50% success rate).

manual: the exploit is unstable or hard to exploit and is essentially a denial of service (DoS). A module that is of no use unless the user configures it specifically also gets this rank.

Search by name. To find the MySQL-related modules:

    search name:mysql

Search by path. Sometimes you only remember where a module lives, not what it is called; `path:` lists every module under that path. For all modules under a mysql directory:

    msf5 > search path:mysql

Returned:

    Matching Modules
    ================

       #   Name                                               Disclosure Date  Rank       Check  Description
       -   ----                                               ---------------  ----       -----  -----------
       0   auxiliary/admin/mysql/mysql_enum                                    normal     No     MySQL Enumeration Module
       1   auxiliary/admin/mysql/mysql_sql                                     normal     No     MySQL SQL Generic Query
       2   auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal     No     MySQL Authentication Bypass Password Dump
       3   auxiliary/scanner/mysql/mysql_file_enum                             normal     No     MYSQL File/Directory Enumerator
       4   auxiliary/scanner/mysql/mysql_hashdump                              normal     No     MYSQL Password Hashdump
       5   auxiliary/scanner/mysql/mysql_login                                 normal     No     MySQL Login Utility
       6   auxiliary/scanner/mysql/mysql_schemadump                            normal     No     MYSQL Schema Dump
       7   auxiliary/scanner/mysql/mysql_version                               normal     No     MySQL Server Version Enumeration
       8   auxiliary/scanner/mysql/mysql_writable_dirs                         normal     No     MYSQL Directory Write Test
       9   auxiliary/server/capture/mysql                                      normal     No     Authentication Capture: MySQL
       10  exploit/linux/mysql/mysql_yassl_getname            2010-01-25       good       No     MySQL yaSSL CertDecoder::GetName Buffer Overflow
       11  exploit/linux/mysql/mysql_yassl_hello              2008-01-04       good       No     MySQL yaSSL SSL Hello Message Buffer Overflow
       12  exploit/multi/mysql/mysql_udf_payload              2009-01-16       excellent  No     Oracle MySQL UDF Payload Execution
       13  exploit/windows/mysql/mysql_mof                    2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows MOF Execution
       14  exploit/windows/mysql/mysql_start_up               2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows FILE Privilege Abuse
       15  exploit/windows/mysql/mysql_yassl_hello            2008-01-04       average    No     MySQL yaSSL SSL Hello Message Buffer Overflow
       16  exploit/windows/mysql/scrutinizer_upload_exec      2012-07-27       excellent  Yes    Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential

    Interact with a module by name or index, for example use 16 or use exploit/windows/mysql/scrutinizer_upload_exec

Search by platform. The output is long, so it is not reproduced here. Usage:

    msf5 > search platform:<os>

Linux-related modules:

    msf5 > search platform:linux

Windows-related modules:

    msf5 > search platform:windows

A search often returns far too many modules, and keywords are the way to narrow it. Searching for mysql with the platform keyword:

    msf5 > search platform:mysql

Returned:

    Matching Modules
    ================

       #  Name                                             Disclosure Date  Rank       Check  Description
       -  ----                                             ---------------  ----       -----  -----------
       0  exploit/linux/mysql/mysql_yassl_getname          2010-01-25       good       No     MySQL yaSSL CertDecoder::GetName Buffer Overflow
       1  exploit/linux/mysql/mysql_yassl_hello            2008-01-04       good       No     MySQL yaSSL SSL Hello Message Buffer Overflow
       2  exploit/multi/http/manage_engine_dc_pmp_sqli     2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
       3  exploit/windows/mysql/mysql_mof                  2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows MOF Execution
       4  exploit/windows/mysql/mysql_start_up             2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows FILE Privilege Abuse
       5  exploit/windows/mysql/mysql_yassl_hello          2008-01-04       average    No     MySQL yaSSL SSL Hello Message Buffer Overflow

    Interact with a module by name or index, for example use 5 or use exploit/windows/mysql/mysql_yassl_hello

Compare this with the path:mysql output: every normal-ranked auxiliary module is gone and only exploits remain. That is not because `platform:` filters on rank. The keyword matches the platform and target names a module declares, not its rank; the auxiliary scanner modules declare no platform, so they disappear, and a module that has nothing to do with MySQL can turn up, like the ManageEngine SQL injection above, while `exploit/multi/mysql/mysql_udf_payload` is missing. To filter on rank, use the `rank:` keyword from the help above, for example `search path:mysql rank:gte400` for modules ranked good or better.

Search by type. This uses the `type:` keyword with one of exploit, payload, auxiliary, encoder, evasion, post or nop. All exploit modules:

    msf5 > search type:exploit

All auxiliary modules:

    msf5 > search type:auxiliary

Keywords can be combined. Exploit modules with mysql in the name, using name:mysql together with type:exploit:

    msf5 > search name:mysql type:exploit

Returned:

    Matching Modules
    ================

       #  Name                                             Disclosure Date  Rank       Check  Description
       -  ----                                             ---------------  ----       -----  -----------
       0  exploit/linux/mysql/mysql_yassl_getname          2010-01-25       good       No     MySQL yaSSL CertDecoder::GetName Buffer Overflow
       1  exploit/linux/mysql/mysql_yassl_hello            2008-01-04       good       No     MySQL yaSSL SSL Hello Message Buffer Overflow
       2  exploit/multi/mysql/mysql_udf_payload            2009-01-16       excellent  No     Oracle MySQL UDF Payload Execution
       3  exploit/windows/mysql/mysql_mof                  2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows MOF Execution
       4  exploit/windows/mysql/mysql_start_up             2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows FILE Privilege Abuse
       5  exploit/windows/mysql/mysql_yassl_hello          2008-01-04       average    No     MySQL yaSSL SSL Hello Message Buffer Overflow
       6  exploit/windows/mysql/scrutinizer_upload_exec    2012-07-27       excellent  Yes    Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential

    Interact with a module by name or index, for example use 6 or use exploit/windows/mysql/scrutinizer_upload_exec