Learn to walk before you run
Learn first, then learn to run
Today I worked on an intranet penetration test, which mainly relied on metasploit, the go-to tool for intranet penetration. Metasploit is no stranger to me; I have used it since long ago, but every time I come back to it I forget some usages, so to make lookup easier I am recording some common metasploit commands here, along with how to use it for intranet penetration.
Installing metasploit on a Mac is relatively simple: download the pkg installer from the official website and install it directly. Take note of the installation path once the installation completes.
There are several other commonly used tools in this directory:
Msf plugin path:
Role: generates Trojan (payload) files, replacing msfpayload and msfencode from earlier versions.
The msfvenom command line options are as follows:
View the list of supported payloads:
View supported output file types:
View the supported encoders (used for antivirus evasion):
View the supported NOP modules (also used for antivirus evasion):
Linux Based Shellcode
Windows Based Shellcode
Mac Based Shellcode
Under normal circumstances, the Trojan file generated by msfvenom can be uploaded directly to the target server and run (after adding execute permissions). But I have run into a pit myself: some of the generated file's content was junk, which caused an error, as shown in the following figure.
The solution is to open the file in vim and delete the invalid content from the first two lines of the file.
Role: used to start metasploit from the command line.
After startup, you can see the current metasploit version and the number of modules in each category.
- auxiliary: auxiliary (scanning) modules
- exploits: exploit modules
- encoders: encoder modules
- nops: NOP (no-op) modules
For example, search for the exploit module for the ms15_034 vulnerability.
Earlier I introduced how to use msfvenom to generate Trojan files. Here I will show how to use msf to catch the connection from a Trojan file once it is executed on the target server.
First, let's review the command for generating a Trojan file. It has a payload option; a few commonly used payloads follow.
Linux related payload:
Windows related payload:
Note: x64 payloads only work on 64-bit target operating systems; payloads marked x86 or with no x64 marker are for 32-bit operating systems only. Payloads containing meterpreter return a meterpreter_shell, while plain shell payloads return only an ordinary shell (the result is similar to nc). reverse_tcp means the Trojan actively initiates the outbound connection; bind_tcp means the Trojan listens on a local port and waits for the attacker to connect. The Trojan file to generate therefore has to be decided case by case.
Having introduced the commonly used payloads, the three key factors in choosing a payload are:
- The direction of the Trojan's connection
- The target operating system and version
- The type of shell to be returned
Trojan connection direction:
msf Trojans are divided into forward (bind) connections and reverse connections. A forward connection suits the case where the attack machine can connect to the target machine; a reverse connection has the target machine connect back to the attack machine. The connection here generally refers to a TCP port. Therefore, before generating a Trojan, you need to determine whether the current environment suits a forward-connecting or a reverse-connecting Trojan. (You can test this with the nc tool; for details see [[Infiltration Artifact Series] nc](https://thief.one/SecWeb/%2F2017%2F04%2F10%2F1%2F))
Viewing the target operating system type: nothing to say here!
Viewing the operating system bitness (32-bit or 64-bit):
Returned shell type:
This mainly depends on what the returned shell is for. Generally, for executing system commands, an ordinary operating-system shell is enough. If you want advanced features such as keylogging, turning on the camera, adding routes, and so on, use meterpreter_shell.
Start msf and load the exploit/multi/handler module.
Note: the payload set here must be the same as the payload used to generate the Trojan. The remaining parameters are filled in according to the selected payload.
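The bind/reverse distinction above also tells a defender what to look for in a host's connection table. The following Python is an added example, not code from the original post: it classifies constructed connection lines, flagging an internal host with an established connection out to an unexpected external port (reverse-shell-like) and an external host connected to an unexpected local listener (bind-shell-like). The internal address ranges, the allow-listed ports and the log line format are all assumptions.

```python
import ipaddress

# Assumed address ranges of the defended network (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed allow-lists: ports internal hosts normally reach outbound,
# and services internal hosts are expected to expose.
EXPECTED_OUTBOUND_PORTS = {53, 80, 443}
EXPECTED_LISTEN_PORTS = {22, 80, 443, 3306}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn(line):
    # Constructed IPv4-only format: "src:sport -> dst:dport STATE"
    left, right = line.split("->")
    src, sport = left.strip().rsplit(":", 1)
    dst_part, state = right.strip().split()
    dst, dport = dst_part.rsplit(":", 1)
    return src, int(sport), dst, int(dport), state


def classify(line):
    """Return a label for a suspicious established connection, else None."""
    src, _sport, dst, dport, state = parse_conn(line)
    if state != "ESTABLISHED":
        return None
    # reverse_tcp pattern: the internal host dialed out to an unusual port
    if is_internal(src) and not is_internal(dst) and dport not in EXPECTED_OUTBOUND_PORTS:
        return "reverse-shell-like: internal host connected out to unexpected port"
    # bind_tcp pattern: an outside host reached a listener we do not expect
    if not is_internal(src) and is_internal(dst) and dport not in EXPECTED_LISTEN_PORTS:
        return "bind-shell-like: external host connected to unexpected listener"
    return None


def find_suspicious(lines):
    return [(line, classify(line)) for line in lines if classify(line)]


# Constructed sample connection-table lines; addresses are documentation ranges.
SAMPLE_CONNS = [
    "10.0.0.8:51234 -> 203.0.113.5:4444 ESTABLISHED",
    "10.0.0.8:51235 -> 203.0.113.9:443 ESTABLISHED",
    "198.51.100.7:40001 -> 10.0.0.8:4444 ESTABLISHED",
    "198.51.100.7:40002 -> 10.0.0.8:22 ESTABLISHED",
]

if __name__ == "__main__":
    for line, label in find_suspicious(SAMPLE_CONNS):
        print(label, "|", line)
```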
Once we have the target server's meterpreter_shell, we can do a lot of things.
File management commands:
Network and system operations:
User operations and other features:
Most of the time the meterpreter shell we get is on an intranet, and we need to proxy into the target's intranet to scan its internal servers. At this point you can use the route function to add a route to the target server's intranet.
View the shell's network environment:
Add a route to the target server's intranet:
View routing settings:
If no routing information is shown, the route set from the meterpreter shell did not take effect. We can instead add the route in msf.
Explanation: 1 indicates session 1. If the attacker wants to reach resources on the 10.0.0.8/8 network segment, the next hop is session 1. What happens after that is not discussed here; in any case, the attacker can then reach intranet resources.
Suppose that, scanning a certain IP on the 10.x network segment, we found a MySQL weak account password. Then we can log in to the target server's MySQL from the compromised (broiler) server. Of course, if I want to log in to MySQL from the attack machine, I can use port forwarding. (In some cases the machines on the intranet cannot ssh to each other and must log in through the bastion host.)
In the meterpreter shell, type:
- There is a lot of information about metasploit usage on the web. Here I have only recorded some common usages and some pits from personal use.
[[Infiltration Artifact Series] DNS Information Query](http://thief.one/2017/07/12/1/)
[[Infiltration Artifact Series] nc](http://thief.one/2017/04/10/1/)
[Infiltration artifact series] nmap
[[Infiltration Artifact Series] Fiddler](http://thief.one/2017/04/27/1)
[Infiltration Artifact Series] Search Engine
[[Infiltration Artifact Series] WireShark](http://thief.one/2017/02/09/WireShark%E8%BF%87%E6%BB%A4%E8%A7%84%E5%88%99/)