First steps #
Step one: update #
- Important so that you have the latest exploits
- You can use the msfupdate command, or
apt update; apt install metasploit-framework
Start #
- Applications > Exploiting tools > Metasploit
- or msfconsole (if the database is already running; otherwise run msfdb first)
msfconsole
Help #
- help shows the available commands
msf > help
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
history Show command history
...
Searches #
- search lets you run searches
- For example, to search for exploits related to Fedora:
msf > search fedora
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
exploit/linux/local/abrt_raceabrt_priv_esc 2015-04-14 excellent Yes ABRT raceabrt Privilege Escalation
exploit/linux/local/apport_abrt_chroot_priv_esc 2015-03-31 excellent Yes Apport / ABRT chroot Privilege Escalation
exploit/linux/local/bpf_sign_extension_priv_esc 2017-11-12 great Yes Linux BPF Sign Extension Local Privilege Escalation
exploit/linux/local/glibc_origin_expansion_priv_esc 2010-10-18 excellent Yes glibc '$ORIGIN' Expansion Privilege Escalation
exploit/linux/local/libuser_roothelper_priv_esc 2015-07-24 great Yes Libuser roothelper Privilege Escalation
exploit/linux/local/nested_namespace_idmap_limit_priv_esc 2018-11-15 great Yes Linux Nested User Namespace idmap Limit Local Privilege Escalation
exploit/linux/local/netfilter_priv_esc_ipv4 2016-06-03 good Yes Linux Kernel 4.6.3 Netfilter Privilege Escalation
exploit/linux/local/overlayfs_priv_esc 2015-06-16 good Yes Overlayfs Privilege Escalation
exploit/linux/local/rds_priv_esc 2010-10-20 great Yes Reliable Datagram Sockets (RDS) Privilege Escalation
exploit/linux/local/service_persistence 1983-01-01 excellent No Service Persistence
exploit/linux/misc/hplip_hpssd_exec 2007-10-04 excellent No HPLIP hpssd.py From Address Arbitrary Command Execution
exploit/linux/pop3/cyrus_pop3d_popsubfolders 2006-05-21 normal No Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc 2016-09-23 excellent Yes MagniComp SysInfo mcsiwrapper Privilege Escalation
exploit/multi/vpn/tincd_bof 2013-04-22 average No Tincd Post-Authentication Remote TCP Stack Buffer Overflow
exploit/unix/dhcp/rhel_dhcp_client_command_injection 2018-05-15 excellent No DHCP Client Command Injection (DynoRoot)
exploit/unix/webapp/spip_connect_exec 2012-07-04 excellent Yes SPIP connect Parameter PHP Injection
- If you only type search with no arguments, it shows the parameters available for refining the search
- Now, if for example we are facing SSH on a Linux host and want exploits for it, we can run a search like this:
msf > search type:exploit port:22 linux
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
exploit/linux/misc/hplip_hpssd_exec 2007-10-04 excellent No HPLIP hpssd.py From Address Arbitrary Command Execution
exploit/linux/ssh/ceragon_fibeair_known_privkey 2015-04-01 excellent No Ceragon FibeAir IP-10 SSH Private Key Exposure
exploit/linux/ssh/exagrid_known_privkey 2016-04-07 excellent No ExaGrid Known SSH Key and Default Password
exploit/linux/ssh/f5_bigip_known_privkey 2012-06-11 excellent No F5 BIG-IP SSH Private Key Exposure
exploit/linux/ssh/loadbalancerorg_enterprise_known_privkey 2014-03-17 excellent No Loadbalancer.org Enterprise VA SSH Private Key Exposure
exploit/linux/ssh/mercurial_ssh_exec 2017-04-18 excellent No Mercurial Custom hg-ssh Wrapper Remote Code Exec
exploit/linux/ssh/quantum_dxi_known_privkey 2014-03-17 excellent No Quantum DXi V1000 SSH Private Key Exposure
exploit/linux/ssh/quantum_vmpro_backdoor 2014-03-17 excellent No Quantum vmPRO Backdoor Command
exploit/linux/ssh/solarwinds_lem_exec 2017-03-17 excellent No SolarWind LEM Default SSH Password Remote Code Execution
exploit/linux/ssh/symantec_smg_ssh 2012-08-27 excellent No Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability
exploit/linux/ssh/vmware_vdp_known_privkey 2016-12-20 excellent No VMware VDP Known SSH Key
exploit/multi/ssh/sshexec 1999-01-01 manual No SSH User Code Execution
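The "Matching Modules" tables above are easiest to work with once they are turned into records, for instance to pick out the modules whose Check column is Yes (those can confirm a vulnerability without running the exploit, which is what you want in the verification phase of an audit). The parser below is an added example, not code from these notes or from the Metasploit project; the sample text is constructed from rows shown on this page, formatted with the wide column spacing and leading index column that current msfconsole versions print, and the parser also accepts rows without the index or without a disclosure date.

```python
"""Parse msfconsole 'Matching Modules' search output into records.

Added example (not part of the original notes or of Metasploit itself).
SAMPLE is constructed from rows shown earlier on the page.
"""
import re
from collections import Counter

# Metasploit module ranks, from lowest to highest.
RANKS = ["manual", "low", "average", "normal", "good", "great", "excellent"]

# One result row: optional leading index (newer versions number the rows),
# module path, optional disclosure date, rank, Check column, description.
ROW_RE = re.compile(
    r"^\s*(?:(?P<idx>\d+)\s+)?"
    r"(?P<name>(?:exploit|auxiliary|post|payload|encoder|nop|evasion)/\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})?\s*"
    r"(?P<rank>" + "|".join(RANKS) + r")\s+"
    r"(?P<check>Yes|No)\s+"
    r"(?P<desc>.*\S)\s*$"
)

# Constructed sample: a subset of the rows shown on this page, with the
# wide column spacing that msfconsole actually prints.
SAMPLE = """\
Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/linux/misc/hplip_hpssd_exec           2007-10-04       excellent  No     HPLIP hpssd.py From Address Arbitrary Command Execution
   1  exploit/linux/ssh/f5_bigip_known_privkey      2012-06-11       excellent  No     F5 BIG-IP SSH Private Key Exposure
   2  exploit/linux/local/abrt_raceabrt_priv_esc    2015-04-14       excellent  Yes    ABRT raceabrt Privilege Escalation
   3  exploit/linux/local/netfilter_priv_esc_ipv4   2016-06-03       good       Yes    Linux Kernel 4.6.3 Netfilter Privilege Escalation
   4  exploit/multi/ssh/sshexec                     1999-01-01       manual     No     SSH User Code Execution
"""


def parse_modules(text):
    """Return one dict per result row; banner, header and separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rank_level"] = RANKS.index(rec["rank"])
        records.append(rec)
    return records


def with_check(records):
    """Modules whose Check column is Yes: they can verify the vulnerability
    without running the exploit, which is what you want during verification."""
    return [r for r in records if r["check"] == "Yes"]


def rank_histogram(records):
    """How many modules of each rank the search returned."""
    return Counter(r["rank"] for r in records)


def module_names(records, min_rank="good"):
    """Module paths with at least the given rank, in output order."""
    level = RANKS.index(min_rank)
    return [r["name"] for r in records if r["rank_level"] >= level]


if __name__ == "__main__":
    mods = parse_modules(SAMPLE)
    print(f"{len(mods)} modules parsed, {len(with_check(mods))} support check")
    for name in module_names(mods, "good"):
        print(name)
```

To use it on a real search, run the search with spool enabled (or copy the console output) and feed the text to parse_modules; the same regex works on older output that has no index column, because the index group is optional.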
- Once found, we can look up information about the exploit with the info command followed by the exploit's path
- This information is useful for running the exploit (which parameters we need to set), for the description, and for the CVE references, which are useful when writing the audit report.
msf > info exploit/linux/ssh/vmware_vdp_known_privkey
Name: VMware VDP Known SSH Key
Module: exploit/linux/ssh/vmware_vdp_known_privkey
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2016-12-20
Provided by:
phroxvs
Available targets:
Id Name
-- ----
0 Universal
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 22 yes The target port
Payload information:
Description:
VMware vSphere Data Protection appliances 5.5.x through 6.1.x
contain a known ssh private key for the local user admin who is a
sudoer without password.
References:
https://cvedetails.com/cve/CVE-2016-7456/
https://www.vmware.com/security/advisories/VMSA-2016-0024.html
show #
- Used to list the available modules (for example show exploits or show payloads; with a module selected, show options lists its settings). The listing is numbered; the tail of an exploit listing looks like this:
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
...
2129 exploit/windows/ssh/putty_msg_debug 2002-12-16 normal No PuTTY Buffer Overflow
2130 exploit/windows/ssh/securecrt_ssh1 2002-07-23 average No SecureCRT SSH1 Buffer Overflow
2131 exploit/windows/ssh/sysax_ssh_username 2012-02-27 normal Yes Sysax 5.53 SSH Username Buffer Overflow
2132 exploit/windows/ssl/ms04_011_pct 2004-04-13 average No MS04-011 Microsoft Private Communications Transport Overflow
2133 exploit/windows/telnet/gamsoft_telsrv_username 2000-07-17 average Yes GAMSoft TelSrv 1.5 Username Buffer Overflow
2134 exploit/windows/telnet/goodtech_telnet 2005-03-15 average No GoodTech Telnet Server Buffer Overflow
2135 exploit/windows/tftp/attftp_long_filename 2006-11-27 average No Allied Telesyn TFTP Server 1.9 Long Filename Overflow
2136 exploit/windows/tftp/distinct_tftp_traversal 2012-04-08 excellent No Distinct TFTP 3.10 Writable Directory Traversal Execution
2137 exploit/windows/tftp/dlink_long_filename 2007-03-12 good No D-Link TFTP 1.0 Long Filename Buffer Overflow
2138 exploit/windows/tftp/futuresoft_transfermode 2005-05-31 average No FutureSoft TFTP Server 2000 Transfer-Mode Overflow
2139 exploit/windows/tftp/netdecision_tftp_traversal 2009-05-16 excellent No NetDecision 4.2 TFTP Writable Directory Traversal Execution
2140 exploit/windows/tftp/opentftp_error_code 2008-07-05 average No OpenTFTP SP 1.4 Error Packet Overflow
2141 exploit/windows/tftp/quick_tftp_pro_mode 2008-03-27 good No Quick FTP Pro 2.1 Transfer-Mode Overflow
2142 exploit/windows/tftp/tftpd32_long_filename 2002-11-19 average No TFTPD32 Long Filename Buffer Overflow
2143 exploit/windows/tftp/tftpdwin_long_filename 2006-09-21 great No TFTPDWIN v0.4.2 Long Filename Buffer Overflow
2144 exploit/windows/tftp/tftpserver_wrq_bof 2008-03-26 normal No TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
2145 exploit/windows/tftp/threectftpsvc_long_mode 2006-11-27 great No 3CTftpSvc TFTP Long Mode Buffer Overflow
2146 exploit/windows/unicenter/cam_log_security 2005-08-22 great Yes CA CAM log_security() Stack Buffer Overflow (Win32)
2147 exploit/windows/vnc/realvnc_client 2001-01-29 normal No RealVNC 3.3.7 Client Buffer Overflow
2148 exploit/windows/vnc/ultravnc_client 2006-04-04 normal No UltraVNC 1.0.1 Client Buffer Overflow
2149 exploit/windows/vnc/ultravnc_viewer_bof 2008-02-06 normal No UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
2150 exploit/windows/vnc/winvnc_http_get 2001-01-29 average No WinVNC Web Server GET Overflow
2151 exploit/windows/vpn/safenet_ike_11 2009-06-01 average No SafeNet SoftRemote IKE Service Buffer Overflow
2152 exploit/windows/winrm/winrm_script_exec 2012-11-01 manual No WinRM Script Exec Remote Code Execution
2153 exploit/windows/wins/ms04_045_wins 2004-12-14 great Yes MS04-045 Microsoft WINS Service Memory Overwrite
info #
- Used to show the details of a particular module (see the info example above)
Interaction commands #
use #
- Command to select the module
use exploit/linux/ssh/vmware_vdp_known_privkey
set, unset, get #
- The module asks you to configure variables (in the example, RHOST and RPORT)
set RHOST <target IP>
set RPORT 22
- setg sets a global variable
- get retrieves the value of a variable
- getg retrieves the value of a global variable
- unset and unsetg clear the value of a variable (local and global respectively)
Variables #
- LHOST : Local Host (our own address)
- RHOST : Remote Host
- RHOSTS : Remote Hosts (several) (ip/mask, or the path of a file containing the IPs)
- LPORT : Local Port
- RPORT : Remote Port
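RHOSTS is the one variable in this list with a grammar of its own, so it is worth seeing how a specification expands into the individual addresses a module will touch (useful when scoping an audit, since an accidentally wide mask or a stray file entry shows up immediately). The expander below is an added example, not code from these notes or from Metasploit itself. It covers the two forms the notes mention, an address with a mask and a file of addresses (Metasploit's file:<path> syntax), and goes beyond them by also accepting the range form first-last; it assumes that entries inside the file use the same syntax, one per line, and it does not resolve hostnames. The hosts file it reads is constructed on the fly in a temporary file.

```python
"""Expand an RHOSTS-style target specification into individual addresses.

Added example (not part of the original notes or of Metasploit's own code).
Forms accepted: single address, address/mask, first-last range (full or
last-octet short form) and file:<path>; entries in the file are assumed to
follow the same rules, one per line, with '#' comment lines ignored.
"""
import ipaddress
import os
import tempfile


def _expand_token(token, _depth=0):
    token = token.strip()
    if not token or token.startswith("#"):
        return []
    if token.startswith("file:"):
        # Assumption: each line of the file is a spec in the same syntax.
        if _depth > 0:
            raise ValueError("nested file: references are not supported")
        with open(token[len("file:"):], encoding="utf-8") as fh:
            return [a for line in fh for a in _expand_token(line, _depth + 1)]
    if "/" in token:
        # ip/mask: include every address in the block, network and broadcast too.
        net = ipaddress.ip_network(token, strict=False)
        return [str(a) for a in net]
    if "-" in token:
        first_s, last_s = token.split("-", 1)
        first = ipaddress.ip_address(first_s)
        if "." in last_s or ":" in last_s:
            last = ipaddress.ip_address(last_s)
        else:  # short form: only the last octet of the end address is given
            last = ipaddress.ip_address(first_s.rsplit(".", 1)[0] + "." + last_s)
        if last < first:
            raise ValueError(f"reversed range: {token}")
        return [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)]
    return [str(ipaddress.ip_address(token))]


def expand_rhosts(spec):
    """Expand a whitespace-separated RHOSTS spec; duplicates are dropped, order kept."""
    seen = {}
    for token in spec.split():
        for addr in _expand_token(token):
            seen.setdefault(addr, None)
    return list(seen)


def demo():
    """Run the expansion on a constructed spec that uses every supported form."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("10.0.0.5\n# constructed comment line\n10.0.0.8/30\n")
        path = fh.name
    try:
        return expand_rhosts(f"192.168.1.33 192.168.1.0/30 file:{path} 10.0.0.1-3")
    finally:
        os.remove(path)


if __name__ == "__main__":
    targets = demo()
    print(f"{len(targets)} addresses in scope:")
    for addr in targets:
        print(" ", addr)
```

Running it prints the 13 addresses the constructed spec covers; swapping the mask in the spec for /24 makes the jump from 4 to 256 addresses obvious before any module is run against them.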
check, exploit, sessions #
- check lets you verify the vulnerability before running the exploit
- exploit runs the exploit and returns remote control through a meterpreter session
- sessions lists the open sessions with vulnerable machines
- -l list them
- -s run a script on all of them
- -u upgrade a win32 shell to meterpreter
save #
- save stores the environment configuration
route #
- routing configuration
logs / spool #
- spool lets you configure the logs
Workspace #
- Add a workspace
workspace -a test
[*] Added workspace: test
- Switch to a workspace: workspace name
Machines #
- Add machines to the workspace
msf > hosts -a 192.168.1.33
[*] Time: 2019-01-07 17:12:46 UTC Host: host=192.168.1.33
List hosts (hosts / db_hosts) #
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.1.33
Backup #
db_export -f [format] [path]