Berikut ini adalah satu set inti dari Perintah Metasploit.
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
go_pro Launch Metasploit web GUI
grep Grep the output of another command
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
rename_job Rename a job
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers
back
Dimulai dari perintah back, mungkin setelah Anda selesai bekerja dengan modul-modul tertentu, atau jika Anda secara tidak sengaja memilih modul yang salah, nah... tu.. bingung kan, jangan bingung anda dapat keluar dari konteks saat ini dengan menggunakan perintah back . dengan perintah tersebut anda dapat beralih ke modul lain.
msf auxiliary(ms09_001_write) > back
msf >
banner
Hanya menampilkan banner yang dipilih secara acak atau bisa juga dibilang semacam hiasan :D
msf > banner
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.
=[ metasploit v4.11.4-2015071402 ]
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops ]
check
Tidak banyak eksploitasi yang mendukungnya, akan tetapi ada juga yang mememakainya ketika akan memeriksa apakah target rentan terhadap eksploitasi.
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.194.134 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > check
[*] Verifying vulnerable status... (path: 0x0000005a)
[*] System is not vulnerable (status: 0x00000000)
[*] The target is not exploitable.
msf exploit(ms08_067_netapi) >
color
Anda dapat mengaktifkan atau menonaktifkan jika output Anda melalui msfconsole akan berisi warna.
msf > banner
Usage: color <'true'|'false'|'auto'>
Enable or disable color output.
connect
Ada tiruan miniatur netcat yang dibangun ke dalam msfconsole yang mendukung SSL, proxy, berputar, dan file yang mengirimkan. Dengan mengeluarkan perintah connect dengan alamat ip dan nomor port, Anda dapat terhubung ke remote host dari dalam msfconsole sama seperti yang Anda lakukan dengan netcat atau telnet.
msf > connect 192.168.1.1 23
[*] Connected to 192.168.1.1:23
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
DD-WRT login:
Anda dapat melihat semua opsi tambahan dengan mengeluarkan "-h" parameter.
msf > connect -h
Usage: connect [options]
Communicate with a host, similar to interacting via netcat, taking advantage of
any configured session pivoting.
OPTIONS:
-C Try to use CRLF for EOL sequence.
-P <opt> Specify source port.
-S <opt> Specify source address.
-c <opt> Specify which Comm to use.
-h Help banner.
-i <opt> Send the contents of a file.
-p <opt> List of proxies to use.
-s Connect with SSL.
-u Switch to a UDP socket.
-w <opt> Specify connect timeout.
-z Just try to connect, then return.
msf >
edit
Perintah ini berguna untuk mengedit modul saat ini dengan VISUAL atau $ EDITOR $. Secara default ini akan membuka modul saat ini di Vim.
msf exploit(ms10_061_spoolss) > edit
[*] Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/windows_error'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info = {})
exit
Perintah jika akan keluar dari msfconsole.
msf exploit(ms10_061_spoolss) > exit
root@kali:~#
help
Perintah help akan berguna ketika anda ingin memberikan daftar dan deskripsi kecil dari semua perintah yang tersedia.
msf > help
Core Commands
=============
Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
...snip...
Database Backend Commands
=========================
Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
...snip...
info
Perintah info akan memberikan informasi rinci tentang modul tertentu termasuk semua pilihan, target, dan informasi lainnya. Pastikan untuk selalu membaca deskripsi modul sebelum menggunakannya karena beberapa diantaranya mungkin memiliki efek un-diinginkan.
Perintah info juga menyediakan informasi berikut:
- Penulis dan perizinan informasi
- Referensi kerentanan (yaitu: CVE, BID, dll)
- Pembatasan muatan modul mungkin memiliki
msf exploit(ms09_050_smb2_negotiate_func_index) > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Version: 14774
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Good
Provided by:
Laurent Gaffie <laurent.gaffie@gmail.com>
hdm <hdm@metasploit.com>
sf <stephen_fewer@harmonysecurity.com>
Available targets:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait for the attack to complete.
Payload information:
Space: 1024
Description:
This module exploits an out of bounds function table dereference in
the SMB request validation code of the SRV2.SYS driver included with
Windows Vista, Windows 7 release candidates (not RTM), and Windows
2008 Server prior to R2. Windows Vista without SP1 does not seem
affected by this flaw.
References:
http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
http://www.securityfocus.com/bid/36299
http://www.osvdb.org/57799
http://seclists.org/fulldisclosure/2009/Sep/0039.html
http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx
msf exploit(ms09_050_smb2_negotiate_func_index) >
irb
Perintah irb akan berguna ketika anda ingin membuat skrip Metasploit dengan cepat. Fitur ini juga sangat berguna untuk memahami internal Framework.
msf > irb
[*] Starting IRB shell...
>> puts "Hello, metasploit!"
Hello, metasploit!
=> nil
>> Framework::Version
=> "4.8.2-2014022601"
jobs
Jobs adalah modul yang berjalan di latar belakang. Perintah jobs juga menyediakan kemampuan untuk daftar dan mengakhiri pekerjaan ini.
msf > jobs -h
Usage: jobs [options]
Active job manipulation and interaction.
OPTIONS:
-K Terminate all running jobs.
-h Help banner.
-i <opt> Lists detailed information about a running job.
-k <opt> Terminate the specified job name.
-l List all running jobs.
-v Print more detailed info. Use with -i and -l
msf >
kill
Perintah kill akan berguna ketika anda akan mematikan setiap pekerjaan yang sedang berjalan ketika disertakan dengan id pekerjaan.
msf exploit(ms10_002_aurora) > kill 0
Stopping job: 0...
[*] Server stopped.
load
Perintah load beban plugin dari direktori Plugin Metasploit ini. Argumen yang lulus sebagai kunci = val di shell.
msf > load
Usage: load <path> [var=val var=val ...]
Loads a plugin from the supplied path. If path is not absolute, first looks
in the user's plugin directory (/root/.msf4/plugins) then
in the framework root plugin directory (/usr/share/metasploit-framework/plugins).
The optional var=val options are custom parameters that can be passed to plugins.
msf > load pcap_log
[*] PcapLog plugin loaded.
[*] Successfully loaded plugin: pcap_log
loadpath
Perintah loadpath akan memuat pohon modul-bagian ketiga untuk jalan sehingga Anda bisa mengarahkan Metasploit pada 0-hari eksploitasi Anda, encoders, muatan, dll
msf > loadpath /home/secret/modules
Loaded 0 modules.
unload
Sebaliknya, perintah unload plugin dimuat sebelumnya dan menghapus semua perintah diperpanjang.
msf > unload pcap_log
Unloading plugin pcap_log...unloaded.
resource
Perintah resource berjalan sebagai sumber daya (batch) file yang dapat dimuat melalui msfconsole.
msf > resource
Usage: resource path1 [path2 ...]
Run the commands stored in the supplied files. Resource files may also contain
ruby code between tags.
See also: makerc
Beberapa serangan seperti Karmetasploit menggunakan file sumber daya untuk menjalankan sekumpulan perintah dalam file karma.rc untuk membuat serangan. Kemudian kita akan membahas bagaimana, di luar Karmetasploit, yang bisa sangat berguna.
msf > resource karma.rc
[*] Processing karma.rc for ERB directives.
resource (karma.rc)> db_connect msf3:PASSWORD@127.0.0.1:7175/msf3
resource (karma.rc)> use auxiliary/server/browser_autopwn
...snip...
Batch file dapat sangat mempercepat pengujian dan pengembangan kali serta memungkinkan pengguna untuk mengotomatisasi banyak tugas. Selain memuat file batch dari dalam msfconsole, mereka juga dapat lulus pada saat startup menggunakan 'r' bendera. Contoh sederhana di bawah ini menciptakan sebuah file batch untuk menampilkan nomor versi Metasploit saat startup.
root@kali:~# echo version > version.rc
root@kali:~# msfconsole -r version.rc
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.
=[ metasploit v4.8.2-2014021901 [core:4.8 api:1.0] ]
+ -- --=[ 1265 exploits - 695 auxiliary - 202 post ]
+ -- --=[ 330 payloads - 32 encoders - 8 nops ]
[*] Processing version.rc for ERB directives.
resource (version.rc)> version
Framework: 4.8.2-2014022601
Console : 4.8.2-2014022601.15168
msf >
route
"rute" perintah dalam Metasploit memungkinkan Anda untuk soket rute melalui sesi atau 'comm', menyediakan kemampuan berputar dasar. Untuk menambahkan rute, Anda lulus target subnet mask dan jaringan diikuti dengan sesi (comm) nomor.
meterpreter > route -h
Usage: route [-h] command [args]
Display or modify the routing table on the remote machine.
Supported commands:
add [subnet] [netmask] [gateway]
delete [subnet] [netmask] [gateway]
list
meterpreter >
meterpreter > route
Network routes
==============
Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 172.16.1.254
127.0.0.0 255.0.0.0 127.0.0.1
172.16.1.0 255.255.255.0 172.16.1.100
172.16.1.100 255.255.255.255 127.0.0.1
172.16.255.255 255.255.255.255 172.16.1.100
224.0.0.0 240.0.0.0 172.16.1.100
255.255.255.255 255.255.255.255 172.16.1.100
search
Msfconsole mencakup regular-expression berdasarkan fungsi pencarian ekstensif.
Jika Anda memiliki gambaran umum tentang apa yang Anda cari Anda dapat mencari melalui
'search'. Dalam output bawah, pencarian sedang dibuat untuk MS Bulletin MS09-011.
Fungsi pencarian akan menemukan string ini dalam modul nama, deskripsi, referensi, dll
Perhatikan konvensi penamaan untuk modul Metasploit menggunakan garis bawah dibandingkan tanda hubung.
msf > search usermap_script
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
msf >
help
Anda dapat lebih menyempurnakan pencarian Anda dengan menggunakan sistem kata kunci built-in.
msf > help search
Usage: search [keywords]
Keywords:
name : Modules with a matching descriptive name
path : Modules with a matching path or reference name
platform : Modules affecting this platform
type : Modules of a specific type (exploit, auxiliary, or post)
app : Modules that are client or server attacks
author : Modules written by this author
cve : Modules with a matching CVE ID
bid : Modules with a matching Bugtraq ID
osvdb : Modules with a matching OSVDB ID
Examples:
search cve:2009 type:exploit app:client
msf >
name
Untuk pencarian menggunakan nama deskriptif, menggunakan kata kunci"name".
msf > search name:mysql
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/mysql/mysql_enum normal MySQL Enumeration Module
auxiliary/admin/mysql/mysql_sql normal MySQL SQL Generic Query
auxiliary/analyze/jtr_mysql_fast normal John the Ripper MySQL Password Cracker (Fast Mode)
auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal MySQL Authentication Bypass Password Dump
auxiliary/scanner/mysql/mysql_hashdump normal MYSQL Password Hashdump
auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility
auxiliary/scanner/mysql/mysql_schemadump normal MYSQL Schema Dump
auxiliary/scanner/mysql/mysql_version normal MySQL Server Version Enumeration
exploit/linux/mysql/mysql_yassl_getname 2010-01-25 good MySQL yaSSL CertDecoder::GetName Buffer Overflow
exploit/linux/mysql/mysql_yassl_hello 2008-01-04 good MySQL yaSSL SSL Hello Message Buffer Overflow
exploit/windows/mysql/mysql_payload 2009-01-16 excellent Oracle MySQL for Microsoft Windows Payload Execution
exploit/windows/mysql/mysql_yassl_hello 2008-01-04 average MySQL yaSSL SSL Hello Message Buffer Overflow
msf >
Follow Us
Were this world an endless plain, and by sailing eastward we could for ever reach new distances