Chapter 1: Metasploit Quick Start
In this chapter we will cover:
1. Installing Metasploit on Windows
2. Installing Metasploit on Linux and macOS
3. Using Metasploit in Kali Linux
4. Building a penetration testing lab with virtualization software
5. Setting up SSH connectivity
6. Connecting to Kali with SSH
7. Configuring PostgreSQL for Metasploit
8. Creating workspaces
9. Using the database
10. Using the hosts command
11. Understanding the services command

Introduction
Metasploit is currently the world's leading penetration testing tool and one of the largest open-source projects in information security and penetration testing. It has fundamentally changed the way we perform security testing. Metasploit is popular because it can perform a wide range of security testing tasks, which simplifies the work of penetration testing. Metasploit runs on all popular operating systems; in this book we mainly use Kali Linux, because Kali Linux ships with the Metasploit Framework and the other third-party tools that run on top of it preinstalled.

The framework and related terminology:

Metasploit Framework: a free, open-source penetration testing framework released by H.D. Moore in 2003 and later acquired by Rapid7. The current stable version is written in Ruby. It has the world's largest database of penetration testing exploits, with over one million downloads per year, and it is one of the most complex projects built in Ruby to date.

Vulnerability: a weakness that allows an attacker to break into or compromise the security of a system. Vulnerabilities can exist in operating systems, application software, and even network protocols.

Exploit: code or a program that allows an attacker to take advantage of a vulnerable system and compromise its security. Every vulnerability has a corresponding exploit. Metasploit has over 1,700 exploits.

Payload: the attack payload. It is mainly used to establish a connection between the attacker's machine and the victim's machine. Metasploit has over 500 payloads.

Module: a module is a complete building block; each module performs a specific task, and several modules are combined to run as a unit. The advantage of this architecture is that it is easy to integrate your own exploits and tools into the framework.

The Metasploit Framework has a modular architecture; exploits, payloads and encoders are all independent modules.

Metasploit provides two different UIs, msfconsole and the WebUI. This book mainly uses the msfconsole interface, because msfconsole has the best support for Metasploit and gives access to all of its features.

1. Installing Metasploit on Windows
Installing Metasploit on Windows is very simple: download the installer from the official site (http://www.metasploit.com/download) and run it.

Getting ready
The four editions of Metasploit:
Pro: for penetration testers and IT security teams
Express: for general IT staff
Community: for small companies and students
Framework: for developers and security researchers

Download the latest Metasploit Framework from the official site (https://windows.metasploit.com/metasploitframework-latest.msi); it contains the console program and the other dependencies.

How to do it
After the download finishes, run the installer; it installs all required components automatically.

Tip: when installing Metasploit on Windows, disable your antivirus software, because it may flag some installation files as malware and block the installation. After the installation, add Metasploit to the antivirus whitelist.

2. Installing Metasploit on Linux and macOS
The following quick-install script imports the Rapid7 signing key and sets up the package for supported Linux and macOS systems:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall

The package integrates with the system's package manager and can be updated with the msfupdate command or with the package manager.

The installation process looks roughly like this:
bcook@localhost:~$ uname -a
Linux localhost 3.14.0 #1 SMP PREEMPT Mon Feb 6 21:59:30 PST 2017 armv7l armv7l armv7l GNU/Linux
bcook@localhost:~$ curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
> chmod 755 msfinstall && \
> ./msfinstall
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5394 100 5394 0 0 5609 0 --:--:-- --:--:-- --:--:-- 5607
Switching to root user to update the package
[sudo] password for bcook:
Adding metasploit-framework to your repository list..OK
Updating package cache..OK
Checking for and installing update..
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
metasploit-framework
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 148 MB of archives.
After this operation, 358 MB of additional disk space will be used.
Get:1 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main armhf metasploit-framework armhf 4.13.23+20170217143300.git.1.85dca6a~1rapid7-1 [148 MB]
Fetched 148 MB in 19s (7743 kB/s)
Selecting previously unselected package metasploit-framework.
(Reading database ... 28449 files and directories currently installed.)
Preparing to unpack .../metasploit-framework_4.13.23+20170217143300.git.1.85dca6a~1rapid7-1_armhf.deb ...
Unpacking metasploit-framework (4.13.23+20170217143300.git.1.85dca6a~1rapid7-1) ...
Setting up metasploit-framework (4.13.23+20170217143300.git.1.85dca6a~1rapid7-1) ...
update-alternatives: using /opt/metasploit-framework/bin/msfbinscan to provide /usr/bin/msfbinscan (msfbinscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfconsole to provide /usr/bin/msfconsole (msfconsole) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfd to provide /usr/bin/msfd (msfd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfdb to provide /usr/bin/msfdb (msfdb) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfelfscan to provide /usr/bin/msfelfscan (msfelfscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfmachscan to provide /usr/bin/msfmachscan (msfmachscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfpescan to provide /usr/bin/msfpescan (msfpescan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrop to provide /usr/bin/msfrop (msfrop) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpc to provide /usr/bin/msfrpc (msfrpc) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpcd to provide /usr/bin/msfrpcd (msfrpcd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfupdate to provide /usr/bin/msfupdate (msfupdate) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfvenom to provide /usr/bin/msfvenom (msfvenom) in auto mode
Run msfconsole to get started
W: --force-yes is deprecated, use one of the options starting with --allow instead.
bcook@localhost:~$ msfconsole   // start msfconsole
** Welcome to Metasploit Framework Initial Setup **
Please answer a few questions to get started.
Would you like to use and setup a new database (recommended)? y   // set up the database?
Creating database at /home/bcook/.msf4/db
Starting database at /home/bcook/.msf4/db...success
Creating database users
Creating initial database schema
** Metasploit Framework Initial Setup Complete **
=[ metasploit v4.13.23-dev-584850f1f8a1a74b69b5cea16c700c9fd1b8e4c6]
+ -- --=[ 1622 exploits - 924 auxiliary - 282 post ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
Installing Metasploit manually on macOS
The latest OS X installer package can also be downloaded directly from https://osx.metasploit.com/metasploitframework-latest.pkg
Install it after downloading; once installed, start msfconsole with /opt/metasploit-framework/bin/msfconsole.

3. Using Metasploit in Kali Linux
Kali Linux is the operating system most popular with security practitioners. First, it comes with almost every popular penetration testing tool preinstalled, which lowers the cost of getting started; second, it is a Linux-based operating system with reliable stability and security.

Getting ready
You can install Kali Linux on a physical machine or in a virtual machine; the installation is very simple.
To set up a Metasploit development environment in Kali Linux, use the following commands:
sudo apt update
sudo apt -y install autoconf bison build-essential curl git-core libapr1 \
  libaprutil1 libcurl4-openssl-dev libgmp3-dev libpcap-dev libpq-dev \
  libreadline6-dev libsqlite3-dev libssl-dev libsvn1 libtool libxml2 libxml2-dev \
  libxslt-dev libyaml-dev locate ncurses-dev openssl postgresql \
  postgresql-contrib wget xsel zlib1g zlib1g-dev
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -L https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
cd /opt
sudo git clone https://github.com/rapid7/metasploit-framework.git
sudo chown -R `whoami` /opt/metasploit-framework
cd metasploit-framework
rvm --install $(cat .ruby-version)
gem install bundler
bundle install
How to do it
You can download the Kali Linux ISO image from the Kali website (https://www.kali.org) to create a bootable USB stick or burn a DVD-ROM. You can install Kali Linux to a hard disk or run it directly in Live CD mode. You can also install Kali Linux in a virtual machine.
In this book we use a Kali Linux virtual machine.
1. Download the Kali VMware virtual machine image from the official site and import it into VMware Workstation. Start the system and enter the username and password to log in to Kali; the default root password is toor.
2. After logging in, start Metasploit directly from the Applications menu.
Tip: when Metasploit is started from the Applications menu, it automatically sets up the PostgreSQL database: it creates the database user, creates the msf and msf_test databases, configures Metasploit to use the database, and starts msfconsole with the following commands (this happens automatically; you do not need to run them by hand):
service postgresql start && msfdb init && msfconsole
[Screenshot of the startup process not reproduced.]
Alternatively
You can also start Metasploit by running msfconsole directly in a terminal.

4. Upgrading Kali Linux
Upgrading Kali Linux is very simple, and regular upgrades are recommended to get the latest security updates. To upgrade, run apt update and then apt upgrade; this upgrades the installed packages without removing any package. For major version upgrades and important updates, use apt full-upgrade for a full upgrade; this removes obsolete packages and installs new dependencies.

5. Building a penetration testing lab
Building a penetration testing lab is essential. It lets you practise and test in a safe environment, since testing attacks directly against real systems is illegal. Building the lab with virtual machines gives portability, flexibility and low maintenance cost, and lets you run several operating systems, set up complex network scenarios and perform penetration tests against multiple targets.

Getting ready
Choose the virtualization software you prefer, such as VMware Workstation, VirtualBox or Hyper-V.
The topology of the lab we need to build is as follows: it contains Kali Linux, a Linux server, a Windows server and a Windows 10 client. Of course, you can build it according to your own preference.

How to do it
Kali Linux: download and install it from the Kali website.
Linux server: download Metasploitable2 from SourceForge: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Windows 10 client: download the 90-day evaluation version from the Microsoft developer site: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
Windows Server: we build it with Metasploitable 3, by running build_win2008.sh on Windows.
The Metasploitable 3 installation and build process are not described in detail here.

6. Setting up SSH connectivity
Getting ready
To set up remote login to Kali Linux, we first need to change the default root password and generate new SSH host keys.

How to do it
Change the root password with the passwd command:
root@osboxes:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@osboxes:~#
Regenerating the SSH host keys is simple: first delete the current SSH host keys, then regenerate them with the dpkg-reconfigure openssh-server command.
root@osboxes:~# rm /etc/ssh/ssh_host_*
root@osboxes:~# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
2048 SHA256:1FN10l0k50Ng/dpeLIXTPmFGyupZB22hk4JNQC1aKcI root@osboxes (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:37c9q4AwOW4wEwUoEpQ1Jz/KXIYJfV53ORWeGBzONdI root@osboxes (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:ky1bOQlbMFIMB0si0w7Msv32fpSeza6lZeHn8OevGdU root@osboxes (ED25519)
rescue-ssh.target is a disabled or a static unit, not starting it.
We also need to edit the OpenSSH server configuration file /etc/ssh/sshd_config and change #PermitRootLogin without-password to PermitRootLogin yes, so that root is allowed to log in remotely.
To make the SSH service start at boot, run systemctl enable ssh:
root@osboxes:~# systemctl enable ssh
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Tip: it is best to configure remote login with keys rather than passwords.
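The edit above opens root password login on a host that will be reachable from the lab network, and the tip recommends key-based login instead. As an added example (not code from the book or from Metasploit), the Ruby script below reads an sshd_config and reports the settings a defender would want changed. It follows sshd's rule that the first value set for a keyword wins, stops at the first Match block (conditional overrides are out of scope), and the list of risky settings, their sshd defaults and the suggested fixes are this example's own assumptions, not something the chapter states.

```ruby
# Added example, not from the book: audit sshd_config for the settings this recipe touches.
# Keyword defaults below follow sshd_config(5) for unset keywords; the list of what counts
# as risky and the suggested replacement values are assumptions made for this example.
RISKY_SETTINGS = {
  'PermitRootLogin'        => { bad: %w[yes], default: 'prohibit-password', fix: 'prohibit-password' },
  'PasswordAuthentication' => { bad: %w[yes], default: 'yes',               fix: 'no' },
  'PubkeyAuthentication'   => { bad: %w[no],  default: 'yes',               fix: 'yes' },
  'PermitEmptyPasswords'   => { bad: %w[yes], default: 'no',                fix: 'no' },
}.freeze

# Parse sshd_config text into { lowercase keyword => first value seen }.
def parse_sshd_config(text)
  effective = {}
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip             # drop comments and blank lines
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2)    # "Key value" or "Key=value"
    key = key.downcase
    break if key == 'match'                      # conditional blocks: not handled here
    effective[key] ||= value.to_s.strip          # first occurrence wins, as in sshd
  end
  effective
end

# Return findings as strings; an empty array means nothing was flagged.
def sshd_findings(text)
  effective = parse_sshd_config(text)
  RISKY_SETTINGS.each_with_object([]) do |(name, rule), findings|
    set = effective.key?(name.downcase)
    value = set ? effective[name.downcase] : rule[:default]
    next unless rule[:bad].include?(value.downcase)
    findings << "#{name}=#{value} (#{set ? 'set' : 'default'}); set to #{rule[:fix]}"
  end
end

# Constructed sample: the file as it looks after the change made in this recipe.
# PasswordAuthentication is left commented out, so sshd's default (yes) applies.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample sshd_config
  PermitRootLogin yes
  #PasswordAuthentication yes
  ChallengeResponseAuthentication no
  UsePAM yes
CONF

if __FILE__ == $PROGRAM_NAME
  puts sshd_findings(SAMPLE_SSHD_CONFIG)
  # On a real host: puts sshd_findings(File.read('/etc/ssh/sshd_config'))
end
```

Run against the sample it reports PermitRootLogin=yes as explicitly set and PasswordAuthentication=yes as the effective default; on a real host pass the contents of /etc/ssh/sshd_config instead. The old spelling without-password is the same as prohibit-password and is deliberately not flagged.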
7薯嗤、使用SSH連接到Kali
要連接到Kali Linux
,我們只需要使用SSH客戶端即可纤泵,大多數(shù)Unix骆姐,Linux和MacOS都已經(jīng)安裝了SSH客戶端。如果使用的是Windows捏题,可以安裝PuTTY
等SSH客戶端軟件玻褪。
怎么做
查看Kali
的IP
地址
root@osboxes:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:9f:99:bf brd ff:ff:ff:ff:ff:ff
inet 192.168.177.138/24 brd 192.168.177.255 scope global dynamic noprefixroute eth0
valid_lft 1784sec preferred_lft 1784sec
inet6 fe80::28ff:605:ed51:4ab7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Connect to Kali with an SSH client:
λ ssh root@192.168.177.138
The authenticity of host '192.168.177.138 (192.168.177.138)' can't be established.
ECDSA key fingerprint is SHA256:37c9q4AwOW4wEwUoEpQ1Jz/KXIYJfV53ORWeGBzONdI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.177.138' (ECDSA) to the list of known hosts.
root@192.168.177.138's password:
Linux osboxes 4.14.0-kali3-amd64 #1 SMP Debian 4.14.12-2kali1 (2018-01-08) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@osboxes:~#
8. Configuring the PostgreSQL database
An important feature of Metasploit is its support for the PostgreSQL database, which it uses to store penetration testing results and vulnerability information.

Getting ready
Start the service, then initialize the database with Metasploit's msfdb tool.

How to do it
1. Start the database:
root@osboxes:~# systemctl start postgresql
2窟社、初始化數(shù)據(jù)庫
~# msfdb init
Creating database user 'msf'
Enter password for new role:
Enter it again:
Creating databases 'msf' and 'msf_test'
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
msfdb can also be used to manage the Metasploit Framework database:
root@osboxes:~# msfdb
Manage the metasploit framework database
msfdb init # start and initialize the database
msfdb reinit # delete and reinitialize the database
msfdb delete # delete database and stop using it
msfdb start # start the database
msfdb stop # stop the database
msfdb status # check service status
msfdb run # start the database and run msfconsole
3券勺、修改數(shù)據(jù)庫配置文件
我們可以直接編輯 database.yml
文件,文件位于/usr/share/metasploit-framework/config/database.yml
root@osboxes:~# cat /usr/share/metasploit-framework/config/database.yml
development:
adapter: postgresql
database: msf
username: msf
password: 9JHbuu/CdoGT0kvBiSXf+VLDRQ9dKKpMYyWKY6Ui2jc=
host: localhost
port: 5432
pool: 5
timeout: 5
production:
adapter: postgresql
database: msf
username: msf
password: 9JHbuu/CdoGT0kvBiSXf+VLDRQ9dKKpMYyWKY6Ui2jc=
host: localhost
port: 5432
pool: 5
timeout: 5
test:
adapter: postgresql
database: msf_test
username: msf
password: 9JHbuu/CdoGT0kvBiSXf+VLDRQ9dKKpMYyWKY6Ui2jc=
host: localhost
port: 5432
pool: 5
timeout: 5
The username and password in this file are the defaults generated at initialization; you can change them as you like.
4. Check whether you are connected to the database
Start msfconsole and run db_status to check the database connection:
msf > db_status
[*] postgresql connected to msf
msf >
There's more
To connect to the database manually, use the following command:
db_connect <user:pass>@<host:port>/<database>
We can test the db_connect command with the database.yml file:
msf > db_disconnect   // disconnect
msf > db_status   // check the connection status
[*] postgresql selected, no connection
msf > db_connect
[*] Usage: db_connect <user:pass>@<host:port>/<database>
[*] OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*] db_connect user@metasploit3
[*] db_connect user:pass@192.168.0.2/metasploit3
[*] db_connect user:pass@192.168.0.2:1500/metasploit3
msf > db_connect -y /usr/share/metasploit-framework/config/database.yml   // connect to the database
[*] Rebuilding the module cache in the background...
msf > db_status   // check the connection status
[*] postgresql connected to msf
msf >
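database.yml holds the database password in clear text, and db_connect accepts either that file (-y) or a user:pass@host:port/database string built from it. As an added example (not Metasploit's own code), the Ruby script below loads a database.yml with the layout printed above, builds the db_connect string for one environment, and reports two storage problems: a file mode that lets group or other users read the password, and an empty password. The sample file is constructed here with a placeholder password, and the helper that writes it is this example's own.

```ruby
# Added example, not from the book or Metasploit: read a Metasploit database.yml,
# build the db_connect connection string, and check how the file is stored.
require 'yaml'
require 'tempfile'

# Build "user:pass@host:port/database", the form db_connect accepts.
def db_connect_string(config_path, env = 'production')
  config = YAML.safe_load(File.read(config_path))
  section = config.fetch(env) { raise ArgumentError, "no '#{env}' section in #{config_path}" }
  %w[username password host port database].each do |key|
    raise ArgumentError, "#{env}.#{key} missing" if section[key].to_s.empty?
  end
  "#{section['username']}:#{section['password']}@#{section['host']}:#{section['port']}/#{section['database']}"
end

# Problems with how the file is stored; an empty array means none were found.
def database_yml_findings(config_path)
  findings = []
  mode = File.stat(config_path).mode & 0o777
  findings << format('mode %04o allows group/other access; chmod 600', mode) if mode & 0o077 != 0
  YAML.safe_load(File.read(config_path)).each do |env, section|
    next unless section.is_a?(Hash)
    findings << "#{env}: empty password" if section['password'].to_s.empty?
  end
  findings
end

# Constructed sample with the layout shown in this recipe; the password is a
# placeholder, not a real credential.
SAMPLE_DATABASE_YML = <<~YML
  development:
    adapter: postgresql
    database: msf
    username: msf
    password: EXAMPLE-PLACEHOLDER-PASSWORD
    host: localhost
    port: 5432
    pool: 5
    timeout: 5
  production:
    adapter: postgresql
    database: msf
    username: msf
    password: EXAMPLE-PLACEHOLDER-PASSWORD
    host: localhost
    port: 5432
    pool: 5
    timeout: 5
YML

# Write the sample to a temporary file with the given mode (0600 is what the real
# file should have). The caller keeps the Tempfile object alive while using .path.
def write_sample_database_yml(mode = 0o600)
  file = Tempfile.new(['database', '.yml'])
  file.write(SAMPLE_DATABASE_YML)
  file.close
  File.chmod(mode, file.path)
  file
end

if __FILE__ == $PROGRAM_NAME
  sample = write_sample_database_yml
  puts db_connect_string(sample.path)          # msf:EXAMPLE-PLACEHOLDER-PASSWORD@localhost:5432/msf
  p database_yml_findings(sample.path)         # []
  # On Kali: db_connect_string('/usr/share/metasploit-framework/config/database.yml')
end
```

The file printed in this recipe has no ERB tags, so YAML.safe_load is enough; a database.yml that embeds <%= %> expressions would need ERB rendering first.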
9色鸳、創(chuàng)建工作區(qū)
Metasploit
中有工作區(qū)的概念社痛,可以用來隔離不同的滲透測試任務,從而避免混淆不同的測試任務命雀。
怎么做
1蒜哀、默認工作區(qū)
默認工作區(qū)是default
,輸入workspace
查看
msf > workspace
* default
msf >
Type workspace -h to see the command help:
msf > workspace -h
Usage:
workspace List workspaces
workspace -v List workspaces verbosely
workspace [name] Switch workspace
workspace -a [name] ... Add workspace(s)
workspace -d [name] ... Delete workspace(s)
workspace -D Delete all workspaces
workspace -r <old> <new> Rename workspace
workspace -h Show this help information
msf >
2吏砂、新建工作區(qū)
使用workspace -a <workspacename>
命令添加新的工作區(qū)
msf > workspace -a book
[*] Added workspace: book
msf > workspace
default
* book
msf >
3凡怎、刪除工作區(qū)
使用workspace -d <workspacename>
命令刪除工作區(qū)
msf > workspace -d book
[*] Deleted workspace: book
[*] Switched workspace: default
4. Switching workspaces
Switch to a workspace with workspace <workspacename>:
msf > workspace book
[*] Workspace: book
5赊抖、重命名工作區(qū)
使用workspace -r <workspacename> <workspacenewname>
重命名工作區(qū)
msf > workspace -r book msf
[*] Switched workspace: msf
msf >
10. Using the database
Once the database is configured we can use it. First we look at how to import data from external tools with db_import.

Getting ready
Run the db_import command in msfconsole without arguments to see the supported file types:
msf > db_import
Usage: db_import <filename> [file2...]
Filenames can be globs like *.xml, or **/*.xml which will search recursively
Currently supported file types include:
Acunetix
Amap Log
Amap Log -m
Appscan
Burp Session XML
Burp Issue XML
CI
Foundstone
FusionVM XML
...
Wapiti XML
msf >
How to do it
1. Import Nmap scan results
First run the scan and save the results as an XML file:
root@osboxes:~# nmap -Pn -A -oX report 192.168.177.139
2井氢、然后執(zhí)行 db_import PATH
進行導入
msf > db_import /root/report
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.8.5'
[*] Importing host 192.168.177.139
[*] Successfully imported /root/report
msf >
3弦追、當然也可以直接在msfconsole
中運行db_nmap
進行掃描,這樣結果就直接保存到當前數(shù)據(jù)庫中了花竞,db_nmap
命令的參數(shù)與nmap
命令相同劲件。
11. Using the hosts command
Now that there is data in the database, the hosts command shows all hosts stored in the current workspace:
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.177.139 00:0c:29:c6:a9:e5 Unknown device
msf >
How to do it
1. View the command help with hosts -h:
msf > hosts -h
Usage: hosts [ options ] [addr1 addr2 ...]
OPTIONS:
-a,--add Add the hosts instead of searching
-d,--delete Delete the hosts instead of searching
-c <col1,col2> Only show the given columns (see list below)
-C <col1,col2> Only show the given columns until the next restart (see list below)
-h,--help Show this help information
-u,--up Only show hosts which are up
-o <file> Send output to a file in csv format
-O <column> Order rows by specified column number
-R,--rhosts Set RHOSTS from the results of the search
-S,--search Search string to filter by
-i,--info Change the info of a host
-n,--name Change the name of a host
-m,--comment Change the comment of a host
-t,--tag Add or specify a tag to a range of hosts
Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags
msf >
12厌蔽、理解 services 命令
services
命令作用是顯示目標主機上可用的服務
查看命令幫助:
msf > services -h
Usage: services [-h] [-u] [-a] [-r <proto>] [-p <port1,port2>] [-s <name1,name2>] [-o <filename>] [addr1 addr2 ...]
-a,--add Add the services instead of searching
-d,--delete Delete the services instead of searching
-c <col1,col2> Only show the given columns
-h,--help Show this help information
-s <name1,name2> Search for a list of service names
-p <port1,port2> Search for a list of ports
-r <protocol> Only show [tcp|udp] services
-u,--up Only show services which are up
-o <file> Send output to a file in csv format
-O <column> Order rows by specified column number
-R,--rhosts Set RHOSTS from the results of the search
-S,--search Search string to filter by
Available columns: created_at, info, name, port, proto, state, updated_at
How to do it
1. Show all available services:
msf > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.177.142 22 tcp ssh open OpenSSH 5.3p1 Debian 3ubuntu4 Ubuntu Linux; protocol 2.0
192.168.177.142 80 tcp http open Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
192.168.177.142 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.177.142 143 tcp imap open Courier Imapd released 2008
192.168.177.142 443 tcp ssl/https open
192.168.177.142 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.177.142 5001 tcp java-rmi open Java RMI
192.168.177.142 8080 tcp http open Apache Tomcat/Coyote JSP engine 1.1
192.168.177.142 8081 tcp http open Jetty 6.1.25
msf >
2. Filter by service name:
msf > services -s http
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.177.142 80 tcp http open Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
192.168.177.142 8080 tcp http open Apache Tomcat/Coyote JSP engine 1.1
192.168.177.142 8081 tcp http open Jetty 6.1.25
3奴饮、過濾端口
msf > services -p 22
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.177.142 22 tcp ssh open OpenSSH 5.3p1 Debian 3ubuntu4 Ubuntu Linux; protocol 2.0
msf >
4纬向、搜索特定字符
msf > services -S Apache
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.177.142 80 tcp http open Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
192.168.177.142 8080 tcp http open Apache Tomcat/Coyote JSP engine 1.1
5择浊、多條件過濾
msf > services -c name,port,info -S Apache 192.168.177.142
Services
========
host name port info
---- ---- ---- ----
192.168.177.142 http 80 Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
192.168.177.142 http 8080 Apache Tomcat/Coyote JSP engine 1.1
Tip: in later chapters we will learn more database commands, such as loot, creds, vulns and notes.
End of chapter

Related lab exercise
Metasploit: PostgreSQL and Scanner practice

Notes
Original book: Metasploit Penetration Testing Cookbook - Third Edition
This article was translated by Hetian Cyber Security Lab; please credit the source when reposting.

About Hetian Cyber Security Lab
Hetian Cyber Security Lab (www.hetianlab.com) is a leading hands-on online cyber-security education platform in China: real environments and hands-on online learning of network security. Lab content covers system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing and security awareness education.