• 纯粹的翻译工作，确实没有必要，博主以后再也不作死去翻译了，大家都是成年人了，时间很宝贵的，科科。这篇文章很容易看懂的部分，就没翻译。不太容易理解，博主就用中文描述了一下。

关于Metasploit

Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. The platform includes the Metasploit Framework and its commercial counterparts: Metasploit Pro, Express, Community, and Nexpose Ultimate.

Metasploit框架

• 开源项目地址：https://github.com/rapid7/metasploit-framework/
• 项目wiki页面：https://github.com/rapid7/metasploit-framework/wiki

Metasploit Pro 和 其他商业版本

Most of the additional features are targeted towards automating and streamlining common pentest tasks, such as vulnerability validation, social engineering, custom payload generation, and bruteforce attacks.

• 每个版本的功能对比：https://help.rapid7.com/metasploit/Content/getting-started/product-editions.html#top

Metasploit 组件

Modules 模块

Modules类型包括：exploit, auxiliary, payload, no operation payload (NOP), or post-exploitation

Services 服务

• PostgreSQL运行的数据库服务，用于存储MSF的项目数据
• Ruby on Rails运行web版的MSF接口
• Pro service, or the Metasploit service bootstraps Rails, the Metasploit Framework, and the Metasploit RPC server.

Web Interface

A web interface is available for you to work with Metasploit Pro. To launch the web interface, open a web browser and go to https://localhost:3790.

组件介绍

• Auxiliary module: 这个模块不执行payload(带有一定利用为目的的代码，攻击载体)。辅助模块包括扫描，模糊测试，拒绝服务攻击等功能（scanners, fuzzers, and denial of service attacks）
• Bind shell payload：A shell that attaches a listener on the exploited system and waits for a connection to the listener.
• Discovery scan: A discovery scan is a Metasploit scan that combines Nmap and several Metasploit modules to enumerate and fingerprint targets.
• Exploit:利用特定的漏洞，使攻击者进入目标系统的程序。For example, one of the most common exploits is MS08-067, which targets a Windows Server Service vulnerability that could allow remote code execution.
• Exploit module: an exploit creates a session. Exploit modules include buffer overflow, code injection, and web application exploits.
• Meterpreter:这个一个高级的多功能的payload，他提供给你一个shell接口。你可以利用这个Meterpreter shell接口，做很多事情，像是下载文件、获取账号的密码hash、跳向其他网络（跳板，pivot into other networks）。Meterpreter运行在内存中，所以他无法被大多数的入侵检测系统发觉。
• Payload:在成功得到目标机的权限后，一段执行在目标系统中的代码。这个payload中你可以定义怎么连接shell，你控制了目标机后想做哪些操作。payload可以是反弹shell或绑定shell的功能。这两个payload功能(反弹shell和绑定shell)的不同点是连接方向的不同，反弹shell是目标机主动连攻击者机器，绑定shell是攻击者机器去连接目标机。
• Post-exploitation module: 这个模块能够搜集更多信息，或是为得到系统更进一步的访问权限而获取信息。例如hash dumps、应用和服务的统计。
• shellcode：The set of instructions that an exploit uses as the payload. payload中的指令集。

MSF文件结构

root@kali:/usr/share/metasploit-framework# tree -L 2 --sort=version -r -d
.
├── vendor
│   └── bundle
├── tools                           #额外的小工具和第三方脚本工具
│   ├── recon
│   ├── password
│   ├── modules
│   ├── memdump
│   ├── hardware
│   ├── exploit
│   ├── dev
│   └── context
├── scripts                     #metasplit的常用后渗透模块，区别于data里的后渗透模块，不需要加post参数和绝对路径，可以直接运行
│   ├── shell
│   ├── resource
│   ├── ps
│   └── meterpreter
├── plugins                 #metasploit的第三方插件接口
├── modules                 #metasploit系统工具模块
│   ├── post                #后渗透模块
│   ├── payloads        #攻击荷载模块
│   ├── nops                #空字段模块
│   ├── exploits            #渗透模块
│   ├── encoders            #编码模块
│   └── auxiliary              #辅助模块
├── lib                                 #metasploit的一些基础类和第三方模块类
│   ├── telephony
│   ├── tasks
│   ├── sqlmap
│   ├── snmp
│   ├── rex
│   ├── rbmysql
│   ├── rabal
│   ├── postgres
│   ├── net
│   ├── msf
│   ├── metasploit
│   ├── metasm
│   └── anemone
├── documentation -> ../doc/metasploit-framework
├── db                              #rails编译生成msf的web框架时的数据库信息
│   └── migrate
├── data                            #后渗透模块的一些工具及payload，第三方小工具集合，用户字典等数据信息
│   ├── wordlists
│   ├── wmap
│   ├── webcam
│   ├── templates
│   ├── sounds
│   ├── snmp
│   ├── post
│   ├── php
│   ├── passivex
│   ├── msfcrawler
│   ├── meterpreter
│   ├── markdown_doc
│   ├── logos
│   ├── lab
│   ├── ipwn
│   ├── flash_detector
│   ├── exploits
│   ├── cpuinfo
│   └── SqlClrPayload
├── config                              #metasploit的环境配置信息，数据库配置信息
│   └── environments
└── app
    ├── validators
    └── concerns

66 directories

root@kali:/usr/share/metasploit-framework# tree -L 1 --sort=version -r -p | grep '\[-'
├── [-rwxr-xr-x]  ruby
├── [-rwxr-xr-x]  msfvenom          #集成了msfpayload和msfencode的功能，效率更高，即将替代msf payload和msfencode
├── [-rwxr-xr-x]  msfupdate         #metasploit更新模块，可以用来更新metasploit模块
├── [-rwxr-xr-x]  msfrpcd           #持久性的metasploit本地服务，可以给远程用户提供rpc服务以及其他的http服务，可以通过xml进行数据传输。
├── [-rwxr-xr-x]  msfrpc            #metasploit的服务端，非持久性的rpc服务
├── [-rwxr-xr-x]  msfdb
├── [-rwxr-xr-x]  msfd              #metasploit服务，非持久性服务
├── [-rwxr-xr-x]  msfconsole        #metasploit的基本命令行，集成了各种功能。
├── [-rw-r--r--]  metasploit-framework.gemspec
├── [-rwxr-xr-x]  Rakefile
├── [-rw-r--r--]  Gemfile.lock
└── [-rwxr-xr-x]  Gemfile

• 引用：http://bobao.360.cn/learning/detail/201.html

• 图片来源：https://www.offensive-security.com/metasploit-unleashed/metasploit-architecture/

相关阅读

• CVE Details
• Common Weakness Enumeration List
• MSF - Vulnerability & Exploit Database
• Github Metasploit-framework
• Exploit Database
• CVSS评分计算器：http://www.security-database.com/cvss.php