Msfconsole
@ Zhang zhiyang · Monday, Jan 1, 0001 · 3 minute read · Update at Monday, Jan 1, 0001

0x00 Introduction

location

  • /usr/share/metasploit-framework/

interface

  • msfconsole: the terminal interface; used most of the time and can handle almost everything
  • msfvenom: the payload generation interface; used to generate trojans and reverse shells
  • msfcli: the command-line interface; removed, its function is now reached through msfconsole -x
  • armitage: the graphical interface; the database must be started before use (systemctl start postgresql)

module

Module     Purpose                                                                          Path
auxiliary  helper modules; mainly information gathering and brute forcing                   modules/auxiliary
exploits   exploit modules; find a security vulnerability and attack it with a payload      modules/exploits
payloads   payload modules; the shellcode planted after a successful exploit to get a shell  modules/payloads
encoders   encoder modules; remove bad characters, evade AV                                  modules/encoders
post       post-exploitation modules                                                         modules/post
nops       NOP (no-operation) modules                                                        modules/nops
evasion    AV evasion modules                                                                modules/evasion

0x01 Database

postgresql

PostgreSQL (psql) is the default database of the msf framework; the default database name is msf (config file: /etc/postgresql/11/main/postgresql).

root@kali:~# service postgresql start    // start PostgreSQL
root@kali:~# service postgresql status   // check its status
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor pres
   Active: active (exited) since Thu 2020-03-19 11:40:37 CST; 1h 31min ago
  Process: 1546 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 1546 (code=exited, status=0/SUCCESS)

3月 19 11:40:37 kali systemd[1]: Starting PostgreSQL RDBMS...
3月 19 11:40:37 kali systemd[1]: Started PostgreSQL RDBMS.
root@kali:~# 
root@kali:~# sudo -u postgres psql      // run psql as the postgres user
psql (11.5 (Debian 11.5-1))             // now inside the database
输入 "help" 来获取帮助信息.

postgres=# alter user postgres password '123456';  // change the password to 123456 (the ';' is required, otherwise psql only shows the continuation prompt)
postgres=# \q                           // quit

msfdb

Command        Effect
msfdb init     start and initialise the database
msfdb reinit   delete and re-initialise the database
msfdb delete   delete the database and stop it
msfdb start    start the database
msfdb stop     stop the database
msfdb status   show whether the database is running
msfdb run      start the database and launch msfconsole
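The postgresql and msfdb steps above as one POSIX shell script. This is an added example, not code from the original post; it assumes the Kali layout the post uses (service, sudo -u postgres psql and msfdb on PATH), generates a random password instead of the fixed '123456', and checks the service state before changing anything.

```shell
#!/bin/sh
# Added example, not part of the original post: the database setup of
# section 0x01 as a script. Instead of the fixed password '123456' it
# generates a random one, checks that PostgreSQL is really active before
# touching it, and ends the ALTER statement with ';' (without it psql only
# shows the continuation prompt 'postgres-#' and runs nothing).
set -eu

# 24 URL-safe characters from the kernel RNG; never hard-code the password.
gen_password() {
    head -c 18 /dev/urandom | base64 | tr '+/' '-_'
}

# Takes the text of 'service postgresql status' and returns 0 when the
# unit reports 'Active: active', 1 otherwise.
pg_is_active() {
    printf '%s\n' "$1" | grep -q '^ *Active: active'
}

# Builds the SQL from the post, with the semicolon the post forgot.
# The generated password contains only [A-Za-z0-9_-], so quoting is safe.
alter_user_sql() {
    printf "ALTER USER postgres PASSWORD '%s';" "$1"
}

# Full procedure: start the service, verify it, rotate the password,
# then initialise the msf database and report its status.
setup_msf_db() {
    service postgresql start
    pg_is_active "$(service postgresql status)" || {
        echo "postgresql is not active, aborting" >&2
        return 1
    }
    pw=$(gen_password)
    # -v ON_ERROR_STOP=1 makes psql exit non-zero on an SQL error
    sudo -u postgres psql -v ON_ERROR_STOP=1 -c "$(alter_user_sql "$pw")"
    msfdb init
    msfdb status
}

# Only run the procedure when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    setup_msf_db
fi
```

Run it as root with `--run`; the generated password is only needed by msfdb init, which writes its own msf role, so it does not need to be recorded.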

0x02 msfconsole

elementary command

  • help/?: show the commands msfconsole accepts and how to use them
  • connect: msf's equivalent of the nc command
  • set|unset: set | unset a parameter
  • save: save the configured parameters
  • check: check whether the target is vulnerable
  • run/exploit (-j): run the module (-j runs it as a background job)
  • sessions (-i id): list the sessions (shells) established so far (-i id interacts with one)
  • load|unload: load | unload a plugin, e.g. an external scanner
  • back|exit: leave the current module | exit msfconsole
  • info: show information about a module
msf5 > info exploit/windows/smb/ms08_067_netapi
  • use: select a module
msf5 > use exploit/windows/smb/ms08_067_netapi
  • search: find where a module lives; a keyword can be given (name, path, author, …)
msf5 > search name:mysql

Matching Modules
================

   #   Name                                               Disclosure Date  Rank       Check  Description
   -   ----                                               ---------------  ----       -----  -----------
   0   auxiliary/admin/mysql/mysql_enum                                    normal     No     MySQL Enumeration Module
   1   auxiliary/admin/mysql/mysql_sql                                     normal     No     MySQL SQL Generic Query
   2   auxiliary/analyze/jtr_mysql_fast                                    normal     No     John the Ripper MySQL Password Cracker (Fast Mode)
   3   auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal     Yes    MySQL Authentication Bypass Password Dump
   4   auxiliary/scanner/mysql/mysql_file_enum                             normal     Yes    MYSQL File/Directory Enumerator
   5   auxiliary/scanner/mysql/mysql_hashdump                              normal     Yes    MYSQL Password Hashdump
   6   auxiliary/scanner/mysql/mysql_login                                 normal     Yes    MySQL Login Utility
   7   auxiliary/scanner/mysql/mysql_schemadump                            normal     Yes    MYSQL Schema Dump
   8   auxiliary/scanner/mysql/mysql_version                               normal     Yes    MySQL Server Version Enumeration
   9   auxiliary/scanner/mysql/mysql_writable_dirs                         normal     Yes    MYSQL Directory Write Test
   10  auxiliary/server/capture/mysql                                      normal     No     Authentication Capture: MySQL
   11  exploit/linux/mysql/mysql_yassl_getname            2010-01-25       good       No     MySQL yaSSL CertDecoder::GetName Buffer Overflow
   12  exploit/linux/mysql/mysql_yassl_hello              2008-01-04       good       No     MySQL yaSSL SSL Hello Message Buffer Overflow
   13  exploit/multi/mysql/mysql_udf_payload              2009-01-16       excellent  No     Oracle MySQL UDF Payload Execution
   14  exploit/windows/mysql/mysql_mof                    2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows MOF Execution
   15  exploit/windows/mysql/mysql_start_up               2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows FILE Privilege Abuse
   16  exploit/windows/mysql/mysql_yassl_hello            2008-01-04       average    No     MySQL yaSSL SSL Hello Message Buffer Overflow
   17  exploit/windows/mysql/scrutinizer_upload_exec      2012-07-27       excellent  Yes    Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential

database command

Command           Effect
db_connect        connect to a database
db_disconnect     disconnect from the database
db_status         check whether msf is connected to a database
db_rebuild_cache  write module information into the database for faster searching
db_nmap           run nmap and store the results in the database
db_import         import data into the database
db_export         export data from the database
db_remove         remove a saved database connection
db_save           save the current database connection

show command

Command        Effect
show           list all modules of the given type
show options   show the module's options
show all       show everything
show targets   show the targets the module supports
show advanced  show the module's advanced options
show missing   show required options that have not been set yet
show plugins   show the plugins
show info      show the module's information
show actions   show the module's actions

0x03 Msfvenom


© 2016 - 2022 Zhangzhiyang's blog
