2017-2018-2 20155225 "Network Countermeasure Technology" Experiment 5 Basic Application of MSF


ms08_067

  1. Use the search command to search for modules related to ms08_067, as shown in the figure:

image

I found the corresponding attack module exploit/windows/smb/ms08_067_netapi, which shows that this is an attack module for the SMB service under Windows.

Server Message Block (SMB) is a network file sharing protocol that allows applications and end users to access file resources from remote file servers.

The description says that this is a relative path stack corruption vulnerability in the Microsoft Server service.

The specific principle is not clear to me; anyway, it is a vulnerability related to the Server service.

  2. Use the info command to view information about exploit/windows/smb/ms08_067_netapi. You can see the types of target host affected by this vulnerability. The selected target is Windows XP SP3 English, as shown in the figure.

image

It mentions NX.

NX (No-eXecute) is a CPU feature that marks memory pages as either code or data-only. A page marked NX is meant for data only, so the processor refuses to execute instructions fetched from it.

NX blocks most classic buffer overflow attacks, which rely on executing code that was injected as data.

  3. Use the show payloads command to view the available payloads. Select a generic-class payload with a TCP reverse connection.

image

  4. When setting the parameters I ran into a problem: a session could not be established.

First I checked the network connection and found that the virtual machine was in bridged mode. After changing it to NAT mode, the two hosts could reach each other and the attack succeeded, as shown in the figure:

image

ms11_050

  1. Use the search command to search for modules related to ms11_050.

image

According to the description, ms11_050 is a vulnerability related to CObjectElement in mshtml.

mshtml is the name of the rendering (layout) engine of the IE browser. It is a Microsoft COM component that encapsulates all HTML elements and their attributes; through the standard interfaces it provides, you can access every element of a given web page.

Anyway, it is about the IE browser. This is the description of ms11_050 in the exploit database:

  2. Use the info command to view detailed information.

image

As shown in the figure, you can see the IE versions and corresponding operating systems that can be attacked, as well as the basic options, such as the server-side address and port.

  3. Use the use command to enter the module.

  4. Set the payload to windows/meterpreter/reverse_http and view the options with show options.

image

After many attempts and analysis, I found that SRVHOST and SRVPORT in the Module options are the same as LHOST and LPORT in the Payload options.

When I used the address, port and URI from SRVHOST and SRVPORT, the connection was not successful, but the reply was as follows:

image

When I used the address and port from LHOST and LPORT there was also no success, but the URI could not be found under this port and only the host could be located. The reply obtained was as follows:

image

It can be seen that in fact you only need to specify SRVHOST and SRVPORT; the attack can be run without specifying LHOST and LPORT, since SRVHOST and SRVPORT are automatically passed on to LHOST and LPORT.

Finally, I don't know why it kept reporting Unknown request to with UA 'Mozilla/4.0'. I searched online for solutions to no avail. Although this exploit was unsuccessful, I learned how to set parameters, try out what each parameter does, and analyze and work through problems from msf's feedback.

Attack on Adobe Reader

  1. Use the windows/fileformat/adobe_cooltype_sing module. Run show options to view the parameters and set this machine as the listening host; the default port is 4444 and the default pdf file name is msf. The msf.pdf file is generated successfully, as shown in the figure:

image

  2. Copy msf.pdf to the target machine, then start the local listener module. As soon as the pdf is opened on the target, it is compromised, as shown in the figure:

image

Auxiliary module

CVE: vulnerability database
NVD: US National Vulnerability Database

The Metasploit framework directory in Kali is /usr/share/metasploit-framework

Then enter modules/ and then auxiliary/, where you can see the source code of the auxiliary modules, as shown in the figure.

image

Enter msfconsole and run show auxiliary to view the available auxiliary modules. From the naming you can tell the operating system/type/module name of each module, and info shows the detailed information of a module.

First I selected the admin/vmware/poweroff_vm module; the description says that this module logs into VMware's Web API and attempts to power off the specified virtual machine.

image

I could not find how to configure this module on Baidu, and nobody else had reproduced it.

Based on the description of each option and my own understanding:

PASSWORD and USERNAME are the username and password for logging in to the target machine.

RHOST and RPORT are the target machine's IP and open TCP port.

The VM option specifies which target machine is powered off.

Then configure it as shown in the figure:

image

Then came the expected failure; after all, how could it have succeeded, right?

Analyzing the feedback message from the failed exploit, the connection was refused.

Suddenly it occurred to me that the target machine's port is set to 443 by default. What if 443 is not open? So I scanned it with nmap, and found that the only open ports on the target machine were 22 and 111. So I changed the target port setting to 22.

image

It still failed, but this time the feedback showed that the connection had succeeded; however, the target machine does not support the SSL protocol, so the SSL connection could not be established. The teacher said not to worry about environmental issues, and also said that the purpose of learning is not success but experience, so I gave up. Still, I tried using the admin/vmware/poweroff_vm module, and the analysis solved a connection problem.

image
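Added example, not part of the lab report: a small Python probe that tells apart the two failure modes seen above (connection refused on the default port 443, then a TCP connection on port 22 that cannot complete an SSL/TLS handshake). The plaintext listener and its banner are constructed stand-ins for the lab's sshd; the 'tls' outcome is what the poweroff_vm module would need.

```python
import socket
import ssl
import threading


def classify_endpoint(host, port, timeout=2.0):
    """'refused': nothing listens (the lab's default port 443);
    'no_tls': TCP connects but the service is not TLS (port 22);
    'tls': a TLS handshake completes, which the module needs."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"  # host down, filtered, or timed out
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we only ask whether TLS is spoken,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the cert is trusted
    try:
        # wrap_socket handshakes at once; a plaintext banner in reply raises SSLError
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:  # SSLError, connection reset or timeout mid-handshake
        return "no_tls"


def start_plain_listener(banner=b"SSH-2.0-constructed-test\r\n"):
    """Constructed stand-in for the lab's port 22: greets with a plaintext
    banner and never speaks TLS. Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(2.0)
        try:
            conn.sendall(banner)
            conn.recv(4096)  # consume the ClientHello, as sshd reads the client banner
        except OSError:
            pass
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():  # reserve then release a port so nothing listens on it
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run against your own hosts, `classify_endpoint(host, 443)` returning "no_tls" is the same situation msf reported here: the port answers, but not with SSL.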

Basic question answers

  1. Explain in your own words what exploit, payload and encode are.

Obviously, these three are in a hierarchical relationship from large to small. The exploit is the code for how to use this vulnerability, the payload is the functional code that runs after the vulnerability is successfully attacked, and the encode is the core code in the payload.

  2. Practice summary and experience

The biggest impression this experiment gave me is that failure is the norm, and success is the result of many failures. Since failure is almost inevitable, what we need most is the ability to analyze and solve problems in order to succeed after several failures.

  3. What technologies or steps are still missing compared to actual combat?

In the end I chose the admin/vmware/poweroff_vm module. There is no information about it on Baidu, and based on a few descriptions it is difficult to guess how to use it; in actual combat you also don't know what your target machine is. For example, I wanted to use the admin/vmware/poweroff_vm module here, but the target machine does not support SSL. This further reflects the importance of information collection and scanning: having accurate information is the key factor for success.
