Introduction
msfconsole is one of the interfaces to MSF; put simply, it is the command that starts MSF. There are other interfaces that can start MSF as well, such as the msfcli command mentioned at the end of the previous section.
Official description:
msfconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available in MSF. msfconsole may seem intimidating at first, but once you learn the syntax of the commands you will learn to appreciate the power of using this interface.

Details
Starting msfconsole
The -q option starts msfconsole in quiet mode, which suppresses the startup banner.

Entering help or ? displays a list of the available commands together with a description of what each one does.
msf > help
Core Commands
Command       Description
-------       -----------
?             Help menu
advanced      Displays advanced options for one or more modules
back          Move back from the current context
banner        Display an awesome metasploit banner
cd            Change the current working directory
color         Toggle color
connect       Communicate with a host
edit          Edit the current module with $VISUAL or $EDITOR
exit          Exit the console
get           Gets the value of a context-specific variable
getg          Gets the value of a global variable
grep          Grep the output of another command
help          Help menu
info          Displays information about one or more modules
irb           Drop into irb scripting mode
jobs          Displays and manages jobs
kill          Kill a job
load          Load a framework plugin
loadpath      Searches for and loads modules from a path
makerc        Save commands entered since start to a file
options       Displays global options or for one or more modules
popm          Pops the latest module off the stack and makes it active
previous      Sets the previously loaded module as the current module
pushm         Pushes the active or list of modules onto the module stack
quit          Exit the console
reload_all    Reloads all modules from all defined module paths
rename_job    Rename a job
resource      Run the commands stored in a file
route         Route traffic through a session
save          Saves the active datastores
search        Searches module names and descriptions
sessions      Dump session listings and display information about sessions
set           Sets a context-specific variable to a value
setg          Sets a global variable to a value
show          Displays modules of a given type, or all modules
sleep         Do nothing for the specified number of seconds
spool         Write console output into a file as well the screen
threads       View and manipulate background threads
unload        Unload a framework plugin
unset         Unsets one or more context-specific variables
unsetg        Unsets one or more global variables
use           Selects a module by name
version       Show the framework and console library version numbers
Database Backend Commands
Command           Description
-------           -----------
creds             List all credentials in the database
db_connect        Connect to an existing database
db_disconnect     Disconnect from the current database instance
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache
db_status         Show the current database status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces

When you type a command, the Tab key completes it, just as in a shell.

Command details

back
Once you have finished working with a particular module, or if you have inadvertently selected the wrong module, you can issue the back command to move out of the current context.
msf auxiliary(ms09_001_write) > back
msf >
check
The check command tests whether the target is vulnerable to a particular exploit.
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   RHOST    172.16.194.134   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > check
[*] Verifying vulnerable status... (path: 0x0000005a)
[*] System is not vulnerable (status: 0x00000000)
[*] The target is not exploitable.
msf exploit(ms08_067_netapi) >
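Every option that show options marks as Required must have a value before check (or exploit) will proceed. The Ruby below, added here as an example and not code from the post or from Metasploit, parses that table and lists the required options that are still unset; the sample table is constructed from the ms08_067_netapi output above with RHOST left blank.

```ruby
# Added example (not from the original post or from Metasploit): parse the
# table printed by `show options` and report which options a module still
# needs. msfconsole refuses to run `check` or `exploit` while an option marked
# Required=yes has no Current Setting, so this is the pre-flight a practitioner
# otherwise does by eye.

# Constructed sample: the ms08_067_netapi table shown above, with RHOST cleared.
SAMPLE_OPTIONS = <<~TABLE
  Module options (exploit/windows/smb/ms08_067_netapi):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     RHOST                     yes       The target address
     RPORT    445              yes       Set the SMB service port
     SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

  Exploit target:

     Id  Name
     0   Automatic Targeting
TABLE

HEADINGS = ['Name', 'Current Setting', 'Required', 'Description'].freeze

# Returns { option name => { value: String, required: true/false } } in table order.
def parse_show_options(text)
  lines = text.lines.map(&:chomp)
  header_idx = lines.index { |l| l =~ /^\s*Name\s+Current Setting\s+Required\s+Description/ }
  raise ArgumentError, 'no options table found' unless header_idx

  # The table is fixed-width: each column starts where its heading starts.
  header = lines[header_idx]
  cols = HEADINGS.map { |h| header.index(h) }

  rows = lines.drop(header_idx + 1)
  rows.shift if rows.first.to_s.match?(/\A[\s-]*\z/) # skip the ---- underline if present

  options = {}
  rows.each do |line|
    break if line.strip.empty? # the table ends at the first blank line
    name     = line[cols[0]...cols[1]].to_s.strip
    value    = line[cols[1]...cols[2]].to_s.strip
    required = line[cols[2]...cols[3]].to_s.strip.casecmp?('yes')
    options[name] = { value: value, required: required }
  end
  options
end

# Names of the options marked Required that have no value yet.
def missing_required(options)
  options.select { |_, opt| opt[:required] && opt[:value].empty? }.keys
end

# One-line verdict a resource script or wrapper could print before `check`.
def preflight(text)
  missing = missing_required(parse_show_options(text))
  missing.empty? ? 'all required options set' : "unset required options: #{missing.join(', ')}"
end

puts preflight(SAMPLE_OPTIONS) # => unset required options: RHOST
```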
color
Color in msfconsole output can be enabled or disabled.
msf > color
Usage: color <'true'|'false'|'auto'>
Enable or disable color output.
connect
msfconsole has a small Netcat clone built in that supports SSL, proxies, pivoting and file transfers. By issuing the connect command with an IP address and port number, you can connect to a remote host from within msfconsole just as you would with Netcat or Telnet.
msf > connect 192.168.1.1 23
[*] Connected to 192.168.1.1:23
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
DD-WRT login:
All the other options can be seen by passing the -h argument.
msf > connect -h
Usage: connect [options]

Communicate with a host, similar to interacting via netcat, taking advantage of
any configured session pivoting.

OPTIONS:

    -C        Try to use CRLF for EOL sequence.
    -P <opt>  Specify source port.
    -S <opt>  Specify source address.
    -c <opt>  Specify which Comm to use.
    -h        Help banner.
    -i <opt>  Send the contents of a file.
    -p <opt>  List of proxies to use.
    -s        Connect with SSL.
    -u        Switch to a UDP socket.
    -w <opt>  Specify connect timeout.
    -z        Just try to connect, then return.

msf >
edit
The edit command opens the current module with $VISUAL or $EDITOR. By default, the current module is opened in Vim.
msf exploit(ms10_061_spoolss) > edit
[*] Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb

# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'
require 'msf/windows_error'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  def initialize(info = {})
exit
The exit command simply exits msfconsole.
msf exploit(ms10_061_spoolss) > exit
root@kali:~#
grep
This command works like the shell's grep: it filters the output of another console command, which lets you quickly pick out module names containing a particular string.
msf > grep
Usage: grep [options] pattern cmd

Grep the results of a console command (similar to Linux grep command)

OPTIONS:

    -A <opt>  Show arg lines of output After a match.
    -B        Show arg lines of output Before a match.
    -c        Only print a count of matching lines.
    -h        Help banner.
    -i        Ignore case.
    -k        Keep (include) arg lines at start of output.
    -m        Stop after arg matches.
    -s        Skip arg lines of output before attempting match.
    -v        Invert match.

msf >
msf > grep http search oracle
auxiliary/scanner/http/oracle_demantra_database_credentials_leak 2014-02-28 normal Oracle Demantra Database Credentials Leak
auxiliary/scanner/http/oracle_demantra_file_retrieval 2014-02-28 normal Oracle Demantra Arbitrary File Retrieval with Authentication Bypass
auxiliary/scanner/http/oracle_ilom_login normal Oracle ILO Manager Login Brute Force Utility
exploit/multi/http/glassfish_deployer 2011-08-04 excellent Sun/Oracle GlassFish Server Authenticated Code Execution
exploit/multi/http/oracle_ats_file_upload 2016-01-20 excellent Oracle ATS Arbitrary File Upload
exploit/multi/http/oracle_reports_rce 2014-01-15 great Oracle Forms and Reports Remote Code Execution
exploit/windows/http/apache_chunked 2002-06-19 good Apache Win32 Chunked Encoding
exploit/windows/http/bea_weblogic_post_bof 2008-07-17 great Oracle Weblogic Apache Connector POST Request Buffer Overflow
exploit/windows/http/oracle9i_xdb_pass 2003-08-18 great Oracle 9i XDB HTTP PASS Overflow (win32)
exploit/windows/http/oracle_beehive_evaluation 2010-06-09 excellent Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability
exploit/windows/http/oracle_beehive_prepareaudiotoplay 2015-11-10 excellent Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload
exploit/windows/http/oracle_btm_writetofile 2012-08-07 excellent Oracle Business Transaction Management FlashTunnelService Remote Code Execution
exploit/windows/http/oracle_endeca_exec 2013-07-16 excellent Oracle Endeca Server Remote Command Execution
exploit/windows/http/oracle_event_processing_upload 2014-04-21 excellent Oracle Event Processing FileUploadServlet Arbitrary File Upload
exploit/windows/http/osb_uname_jlist 2010-07-13 excellent Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
help
As described above, help displays the list of all available commands with a short description of each.
info
As its name suggests, the info command provides detailed information about a specific module, including all of its options, targets and other details. Be sure to read the module description before using it, because some modules can have undesired effects. The info command also provides the following information:
- Author and licensing information
- Vulnerability references (e.g. CVE, BID, etc.)
- Which payloads are valid for this module
msf exploit(ms09_050_smb2_negotiate_func_index) > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index

       Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
     Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
    Version: 14774
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good

Provided by:
  Laurent Gaffie <laurent.gaffie@gmail.com>
  hdm <hdm@metasploit.com>
  sf <stephen_fewer@harmonysecurity.com>

Available targets:
  Id  Name
  0   Windows Vista SP1/SP2 and Server 2008 (x86)

Basic options:
  Name   Current Setting  Required  Description
  RHOST                   yes       The target address
  RPORT  445              yes       The target port
  WAIT   180              yes       The number of seconds to wait for the attack to complete.

Payload information:
  Space: 1024

Description:
  This module exploits an out of bounds function table dereference in
  the SMB request validation code of the SRV2.SYS driver included with
  Windows Vista, Windows 7 release candidates (not RTM), and Windows
  2008 Server prior to R2. Windows Vista without SP1 does not seem
  affected by this flaw.

References:
  http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
  http://www.securityfocus.com/bid/36299
  http://www.osvdb.org/57799
  http://seclists.org/fulldisclosure/2009/Sep/0039.html
  http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx

msf exploit(ms09_050_smb2_negotiate_func_index) >
irb
Running the irb command drops you into a live Ruby interpreter shell, where you can issue commands and create Metasploit scripts on the fly.
msf > irb
[*] Starting IRB shell...
>> puts "Hello, metasploit!"
Hello, metasploit!
=> nil
>> Framework::Version
=> "4.8.2-2014022601"
jobs
Jobs are modules that are running in the background. The jobs command lets you list and terminate them.
msf > jobs -h
Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:

    -K        Terminate all running jobs.
    -h        Help banner.
    -i        Lists detailed information about a running job.
    -k        Terminate the specified job name.
    -l        List all running jobs.
    -v        Print more detailed info.  Use with -i and -l

msf >
kill
Given a job id (as displayed by the jobs command), the kill command terminates that running job.
msf exploit(ms10_002_aurora) > kill 0
Stopping job: 0...
[*] Server stopped.
load
The load command loads a plugin from Metasploit's plugin directory. Arguments are passed to the plugin as key=val pairs on the command line.
msf > load
Usage: load [var=val var=val ...]

Loads a plugin from the supplied path. If path is not absolute, first looks
in the user's plugin directory (/root/.msf4/plugins) then
in the framework root plugin directory (/usr/share/metasploit-framework/plugins).
The optional var=val options are custom parameters that can be passed to plugins.

msf > load pcap_log
[*] PcapLog plugin loaded.
[*] Successfully loaded plugin: pcap_log
loadpath
The loadpath command loads a third-party module tree from the given path, so you can point Metasploit at your own 0-day exploits, encoders, payloads and so on.
msf > loadpath /home/secret/modules
Loaded 0 modules.
unload
The unload command unloads a previously loaded plugin and removes any commands it added.
msf > unload pcap_log
Unloading plugin pcap_log...unloaded.
resource
The resource command runs the commands stored in an external file, such as a script.
msf > resource
Usage: resource path1 [path2 ...]

Run the commands stored in the supplied files. Resource files may also contain
ruby code between tags.
See also: makerc
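To make the resource-file format concrete, here is a simplified re-implementation of how msfconsole reads such a file, added as an example and not taken from the post or from Metasploit's own code. Metasploit resource files embed Ruby between <ruby> and </ruby> tags, and that Ruby can issue console commands via run_single; the script below is constructed, and FakeConsole stands in for the real console.

```ruby
# Added example (not from the original post or from Metasploit's own code): a
# simplified re-implementation of how msfconsole reads a resource (.rc) file.
# Every non-blank, non-comment line is a console command, and anything between
# <ruby> and </ruby> tags is evaluated as Ruby that can itself issue commands
# through run_single, which is how Metasploit resource files behave.

# Constructed resource script of the kind `makerc` writes. The heredoc is
# single-quoted so the #{} inside the ruby block is not interpolated here.
SAMPLE_RC = <<~'RC'
  # global options shared by every module in this session
  setg LHOST 192.168.1.101
  setg RHOSTS 192.168.1.0/24

  <ruby>
    # Ruby blocks can loop, branch and call run_single themselves
    %w[ms08_067_netapi ms09_050_smb2_negotiate_func_index].each do |mod|
      run_single("info exploit/windows/smb/#{mod}")
    end
  </ruby>
  save
RC

# Stand-in for the console: records each command instead of executing it.
class FakeConsole
  attr_reader :history

  def initialize
    @history = []
  end

  def run_single(cmd)
    @history << cmd
  end
end

# Split a resource script into [:cmd, line] and [:ruby, source] entries.
def parse_resource(text)
  entries, buf, in_ruby = [], [], false
  text.each_line do |raw|
    line = raw.chomp
    if in_ruby
      if line.strip == '</ruby>'
        entries << [:ruby, buf.join("\n")]
        buf, in_ruby = [], false
      else
        buf << line
      end
    elsif line.strip == '<ruby>'
      in_ruby = true
    elsif line.strip.empty? || line.strip.start_with?('#')
      next # blank lines and comments are ignored
    else
      entries << [:cmd, line.strip]
    end
  end
  raise ArgumentError, 'unterminated <ruby> block' if in_ruby
  entries
end

# Feed the script to a console; Ruby blocks run with the console as self,
# so run_single inside them reaches the same object.
def run_resource(text, console)
  parse_resource(text).each do |kind, body|
    kind == :cmd ? console.run_single(body) : console.instance_eval(body)
  end
  console.history
end

puts run_resource(SAMPLE_RC, FakeConsole.new)
```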
route
The route command lets you view or add network routes.
meterpreter > route -h
Route traffic destined to a given subnet through a supplied session.

Usage:
  route [add/remove] subnet netmask [comm/sid]
  route [add/remove] cidr [comm/sid]
  route [get]
  route [flush]
  route [print]

Subcommands:
  add - make a new route
  remove - delete a route; 'del' is an alias
  flush - remove all routes
  get - display the route for a given target
  print - show all active routes

Examples:
  Add a route for all hosts from 192.168.0.0 to 192.168.0.0 through session 1
    route add 192.168.0.0 255.255.255.0 1
    route add 192.168.0.0/24 1

  Delete the above route
    route remove 192.168.0.0/24 1
    route del 192.168.0.0 255.255.255.0 1

  Display the route that would be used for the given host or network
    route get 192.168.0.11

meterpreter >
meterpreter > route

Network routes

   Subnet           Netmask          Gateway
   ------           -------          -------
   0.0.0.0          0.0.0.0          172.16.1.254
   127.0.0.0        255.0.0.0        127.0.0.1
   172.16.1.0       255.255.255.0    172.16.1.100
   172.16.1.100     255.255.255.255  127.0.0.1
   172.16.255.255   255.255.255.255  172.16.1.100
   224.0.0.0        240.0.0.0        172.16.1.100
   255.255.255.255  255.255.255.255  172.16.1.100

search
Similar to the grep command above, search looks for the given string in module names, descriptions, references and elsewhere.
msf > search usermap_script
Matching Modules
Name Disclosure Date Rank Description
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
msf >
To search by descriptive name, use the name keyword.
msf > search name:mysql
Matching Modules
Name Disclosure Date Rank Description
auxiliary/admin/mysql/mysql_enum normal MySQL Enumeration Module
auxiliary/admin/mysql/mysql_sql normal MySQL SQL Generic Query
auxiliary/analyze/jtr_mysql_fast normal John the Ripper MySQL Password Cracker (Fast Mode)
auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal MySQL Authentication Bypass Password Dump
auxiliary/scanner/mysql/mysql_hashdump normal MYSQL Password Hashdump
auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility
auxiliary/scanner/mysql/mysql_schemadump normal MYSQL Schema Dump
auxiliary/scanner/mysql/mysql_version normal MySQL Server Version Enumeration
exploit/linux/mysql/mysql_yassl_getname 2010-01-25 good MySQL yaSSL CertDecoder::GetName Buffer Overflow
exploit/linux/mysql/mysql_yassl_hello 2008-01-04 good MySQL yaSSL SSL Hello Message Buffer Overflow
exploit/windows/mysql/mysql_payload 2009-01-16 excellent Oracle MySQL for Microsoft Windows Payload Execution
exploit/windows/mysql/mysql_yassl_hello 2008-01-04 average MySQL yaSSL SSL Hello Message Buffer Overflow
msf >
Use platform to narrow the search to modules that affect a specific platform.
msf > search platform:aix
Matching Modules
Name Disclosure Date Rank Description
payload/aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline
payload/aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline
payload/aix/ppc/shell_interact normal AIX execve shell for inetd
...snip...
Use type to filter by module type, such as auxiliary, post, exploit and so on.
msf > search type:post
Matching Modules
Name Disclosure Date Rank Description
post/linux/gather/checkvm normal Linux Gather Virtual Environment Detection
post/linux/gather/enum_cron normal Linux Cron Job Enumeration
post/linux/gather/enum_linux normal Linux Gather System Information
...snip...
Searching with the author keyword lets you find modules by your favorite author.
msf > search author:dookie
Matching Modules
Name Disclosure Date Rank Description
exploit/osx/http/evocam_webserver 2010-06-01 average MacOS X EvoCam HTTP GET Buffer Overflow
exploit/osx/misc/ufo_ai 2009-10-28 average UFO: Alien Invasion IRC Client Buffer Overflow Exploit
exploit/windows/browser/amaya_bdo 2009-01-28 normal Amaya Browser v11.0 bdo tag overflow
...snip...
Multiple keywords can also be combined to narrow the results further.
msf > search cve:2011 author:jduck platform:linux
Matching Modules
Name Disclosure Date Rank Description
exploit/linux/misc/netsupport_manager_agent 2011-01-08 average NetSupport Manager Agent Remote Buffer Overflow
sessions
The sessions command lets you list, interact with and kill spawned sessions. Sessions can be shells, Meterpreter sessions, VNC and so on.
msf > sessions -h
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:

    -C  Run a Meterpreter Command on the session given with -i, or all
    -K  Terminate all sessions
    -c  Run a command on the session given with -i, or all
    -h  Help banner
    -i  Interact with the supplied session ID
    -k  Terminate sessions by session ID and/or range
    -l  List all active sessions
    -q  Quiet mode
    -r  Reset the ring buffer for the session given with -i, or all
    -s  Run a script on the session given with -i, or all
    -t  Set a response timeout (default: 15)
    -u  Upgrade a shell to a meterpreter session on many platforms
    -v  List sessions in verbose mode
    -x  Show extended information in the session table

Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
To list any active sessions, pass the -l option to sessions.
msf exploit(3proxy) > sessions -l

Active sessions

  Id  Description    Tunnel
  1   Command shell  192.168.1.101:33191 -> 192.168.1.104:4444

To interact with a given session, just use the -i switch followed by the Id number of the session.
msf exploit(3proxy) > sessions -i 1
[*] Starting interaction with 1...

C:\WINDOWS\system32>
set
The set command lets you configure framework options and parameters for the module you currently have selected.
msf auxiliary(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.194.134
RHOST => 172.16.194.134
msf auxiliary(ms09_050_smb2_negotiate_func_index) > show options

Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):

   Name   Current Setting  Required  Description
   RHOST  172.16.194.134   yes       The target address
   RPORT  445              yes       The target port
   WAIT   180              yes       The number of seconds to wait for the attack to complete.

Exploit target:

   Id  Name
   0   Windows Vista SP1/SP2 and Server 2008 (x86)

Metasploit also lets you set the encoder to be used at run time.
msf exploit(ms09_050_smb2_negotiate_func_index) > show encoders
Compatible Encoders
Name Disclosure Date Rank Description
generic/none normal The "none" Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
unset
The opposite of set is unset. unset removes a parameter previously configured with set. You can remove all assigned variables with unset all.
msf > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > set THREADS 50
THREADS => 50
msf > set

Global
  Name     Value
  RHOSTS   192.168.1.0/24
  THREADS  50

msf > unset THREADS
Unsetting THREADS...
msf > unset all
Flushing datastore...
msf > set

Global
  No entries in data store.

msf >
setg
Similar to set, but this command sets the variable globally (the g stands for global).
msf > setg LHOST 192.168.1.101
LHOST => 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > setg RHOST 192.168.1.136
RHOST => 192.168.1.136
After setting them, you can use save to persist them, so the global settings survive a restart.
msf > save
Saved configuration to: /root/.msf4/config
msf >
show
Entering show on its own displays every module in Metasploit; followed by a name, it displays the corresponding modules.
msf > show
Encoders
Name Disclosure Date Rank Description
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic $ Substitution Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
...snip...
There are many show commands you can use, but the most common are show auxiliary, show exploits, show payloads, show encoders and show nops.
msf > show auxiliary
Auxiliary

Name Disclosure Date Rank Description
admin/2wire/xslt_password_reset 2007-08-15 normal 2Wire Cross-Site Request Forgery Password Reset Vulnerability
admin/backupexec/dump normal Veritas Backup Exec Windows Remote File Access
admin/backupexec/registry normal Veritas Backup Exec Server Registry Access
...snip...
msf > show exploits
Exploits
Name Disclosure Date Rank Description
aix/rpc_cmsd_opcode21 2009-10-07 great AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
aix/rpc_ttdbserverd_realpath 2009-06-17 great ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
bsdi/softcart/mercantec_softcart 2004-08-19 great Mercantec SoftCart CGI Overflow
...snip...
msf > show payloads
Payloads
Name Disclosure Date Rank Description
aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline
aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline
aix/ppc/shell_interact normal AIX execve shell for inetd
...snip...
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
Name Disclosure Date Rank Description
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
...snip...
When a specific module is selected, you can issue the show options command to display the settings that are required for, or specific to, that module.
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   0   Automatic Targeting
If you are not sure whether an operating system is vulnerable to a particular exploit, run show targets within the context of the exploit module to see which targets are supported.
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
Id Name
0 Automatic Targeting
1 Windows 2000 Universal
10 Windows 2003 SP1 Japanese (NO NX)
11 Windows 2003 SP2 English (NO NX)
12 Windows 2003 SP2 English (NX)
...snip...
If you wish to fine-tune an exploit further, you can see more advanced options by running show advanced.
msf exploit(ms08_067_netapi) > show advanced

Module advanced options:

   Name           : CHOST
   Current Setting:
   Description    : The local client address

   Name           : CPORT
   Current Setting:
   Description    : The local client port
...snip...
Running show encoders displays the list of encoders available in MSF.
msf > show encoders

Compatible Encoders

Name Disclosure Date Rank Description
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic $ Substitution Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/none normal The "none" Encoder
mipsbe/longxor normal XOR Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
The show nops command displays the NOP generators that Metasploit has to offer.
msf > show nops

NOP Generators

Name Disclosure Date Rank Description
armle/simple normal Simple
mipsbe/better normal Better
php/generic normal PHP Nop Generator
ppc/simple normal Simple
sparc/random normal SPARC NOP Generator
tty/generic normal TTY Nop Generator
x64/simple normal Simple
x86/opty2 normal Opty2
x86/single_byte normal Single Byte
use
Use the use command to select the module you want to work with.
msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options

Module options:

   Name   Current Setting  Required  Description
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port

msf auxiliary(ms09_001_write) >