20155322 Exp 5 MSF Basic Application




1-Practice goals

1.1-MSF basic application

Master the basic application of metasploit.


1.2 - Practical content

  • An active attack practice, such as ms08_067; (1 point)

  • An attack against the browser, such as ms11_050; (1 point)

  • A client-side attack, such as Adobe; (1 point)

  • Successful use of any auxiliary module (0.5 points).


1.3 - Practical requirements

  • Answers to basic questions
    • Explain in your own words what exploit, payload and encode are.
  • Experiment summary and experience
  • Record of the practice process
  • Report score: 1.5 points
    • Overall impression of the report: 0.5 points
    • Report format: add 0.5 points for a neat layout.
    • Add 0 points if the report's typesetting is confusing.
  • Writing: 1 point
    • Add 1 point if the text of the report is very comprehensive and the presentation is clear and accurate.
    • Add 0.5 points if the logic of the report is clear and it briefly introduces its own goals and process.
    • Add 0 points if the logic of the report is confusing, the expression is unclear, or the text shows obvious plagiarism.


2-Practice process

2.1 Intelligence gathering

Use the MSF auxiliary modules plus nmap to gather intelligence on the target machine.
At the beginning I was confused by the teacher's request: active attack? Browser attack? What on earth? Who are we attacking? So I decided to just pretend to be Shi Lezhi.

First open Kali and start msfconsole, and a cute little buffalo comes out. He says: I don't have it! Ahem, off topic. Then I started to collect information:
First of all, for convenience (laziness), the target machine has to be on the local area network, so of course I have to scan my LAN segment to see whether there are any active machines on it. So, hmm, which module are we going to use (I didn't listen carefully in class)? Quickly search for it:

Well, after searching I found the location of the exploit modules, so of course it was no problem to find auxiliary (in fact I had forgotten how to spell it).
Then you need to... scan. There are two possible ways to scan: one is to use an auxiliary module, the other is to use nmap directly:

  • auxiliary arp_sweep

    Damn, I was shocked. As shown in the figure, I found the friend 192.168.196.147.
  • nmap

    As shown in the figure, I also found the friend 192.168.196.147. Having determined the IP, I will now dig into the details. Following the routine, port scanning (portscan) starts:
  • auxiliary portscan/syn

    After I had played a round of Honor of Kings, it had swept out three TCP ports (and I deliberately raised the thread count to 20).
  • nmap

    is indeed a veteran scanning tool, very efficient; it is done in a few seconds.
    In fact, I originally wanted to write about OpenVAS, but something went wrong during installation:

    (The actual test on Kali on 2016.08.21 seems to be very different from the current situation...)
    Considering the tragedy of installing Veil in the last experiment, I decided to give up...
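As an added example from the defender's side (not part of the original report): a small Python detector for the two reconnaissance steps above, the arp_sweep across the LAN segment and the threaded portscan/syn against 192.168.196.147. The flow records are constructed here, and the scanner address 192.168.196.130 is an assumption; the report names only the target.

```python
from collections import defaultdict
# Constructed records: (seconds, protocol, src, dst, dst_port, tcp_flags); tcp_flags is
# "S" (bare SYN), "SA" (SYN-ACK) or "A" (ACK), and "" for ARP requests.
SCANNER = "192.168.196.130"   # assumed attacker address; the report names only the target
TARGET = "192.168.196.147"    # the machine the report found with arp_sweep

def arp_sweep_records():
    # arp_sweep: one ARP who-has per address of the segment, milliseconds apart
    return [(0.01 * i, "arp", SCANNER, f"192.168.196.{i}", 0, "") for i in range(1, 41)]

def syn_scan_records():
    # portscan/syn with THREADS raised: bare SYNs to many ports, SYN-ACK back from the open ones
    probes = [(10.0 + 0.02 * i, "tcp", SCANNER, TARGET, p, "S") for i, p in enumerate(range(130, 160))]
    return probes + [(10.3, "tcp", TARGET, SCANNER, 139, "SA"), (10.31, "tcp", TARGET, SCANNER, 445, "SA")]

def normal_traffic():
    # an ordinary three-way handshake to one port: must not raise an alert
    client = "192.168.196.150"
    return [(20.0, "tcp", client, TARGET, 445, "S"), (20.01, "tcp", TARGET, client, 445, "SA"),
            (20.02, "tcp", client, TARGET, 445, "A")]

def max_distinct_in_window(events, window):
    """Largest number of distinct keys in any `window`-second span of (time, key) events."""
    events = sorted(events)
    seen, lo, best = defaultdict(int), 0, 0
    for t, key in events:
        seen[key] += 1
        while t - events[lo][0] > window:      # drop events that fell out of the window
            old = events[lo][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            lo += 1
        best = max(best, len(seen))
    return best

def detect_arp_sweep(records, min_hosts=16, window=5.0):
    """Sources that ARP-probe at least min_hosts distinct addresses within the window."""
    per_src = defaultdict(list)
    for t, proto, src, dst, _, _ in records:
        if proto == "arp":
            per_src[src].append((t, dst))
    return {s for s, ev in per_src.items() if max_distinct_in_window(ev, window) >= min_hosts}

def detect_syn_scan(records, min_ports=10, window=5.0):
    """(src, dst) pairs where src sent bare SYNs to at least min_ports distinct ports."""
    per_pair = defaultdict(list)
    for t, proto, src, dst, dport, flags in records:
        if proto == "tcp" and flags == "S":
            per_pair[(src, dst)].append((t, dport))
    return {p for p, ev in per_pair.items() if max_distinct_in_window(ev, window) >= min_ports}
```

The thresholds (16 hosts, 10 ports, 5 seconds) are only a starting point; the sliding window is what keeps a single normal handshake from tripping the port-scan rule.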


2.2 Active Attack Practice-ms08_067

After determining the OS of the machine (Windows XP), we can find a suitable exploit module to do the work.
This part is about the ms08_067 vulnerability, the Windows Server service RPC request buffer overflow; because there are tutorials on the teacher's code cloud (Gitee), there is no need to worry about it.

Search for ms08_067:

After finding it, take a look at the targets it supports:

They are very complete. Set the parameters:

Come on! exploit!

What? Thinking hard:

I forgot to turn off the firewall. exploit again!

Got it!


2.3 Browser Attack Practice - three attempts

I was too lazy to download other browsers, so I chose IE, and found that the IE version was relatively old, so I downloaded IE8. I tried about seven or eight vulnerabilities, none of them successfully. Here I pick three and write up the process:

  1. ms10_002_ie_object vulnerability attack:
    Following the process use -> targets -> payload -> options -> exploit, msf reports an error:

  2. ms11_050_mshtml_cobjectelement vulnerability attack:
    Following the process use -> targets -> payload -> options -> exploit, msf reports an error:

  3. ms11_081_option vulnerability attack:
    Following the process use -> targets -> payload -> options -> exploit, msf reports an error:

SESSION may not be compatible with this module!!!
Speechless... I checked and found... it is not a problem with my IE8.

I thought this was SP3, but it isn't! Because when I worked on the ms08_067 vulnerability earlier, I did not see the target en_winxp_sp3 in the targets list, yet it could still attack successfully? (I chose automatic targeting, and I don't know which one it picked...) This is not scientific.


2.4 Client-side attack practice - Cool PDF

Looking for a client-side attack, I found from the lessons above that the environment (or rather the version) is a very important issue.

Witty as I am, I learned the lesson: when looking for client-side vulnerabilities, don't forget to find the Vulnerable App corresponding to the vulnerability!
Here I recommend a routine I worked out myself. Any similarity is purely coincidental~

  1. First go to the CVE list to check;
  2. Then search exploit-database for a Metasploit module;
  3. Search the msf framework in Kali for this exploit, and download it if it is not there. If there is an application, you can also download the Vulnerable App at the same time, so you don't have to look for it everywhere yourself, which is beautiful.
    Here I picked, straight from the framework, a Cool PDF vulnerability that looks cool: Cool PDF Image Stream (CVE-2012-4914)
    Download the software (Cool PDF 3.0.2.256):

    msf, don't sit idle; generate a PDF:

    Transfer it to XP, have msf listen, and open the msf.pdf file with Cool PDF (I opened it several times...):

    What? Again!? After researching it, I found that Kali received the message from the exploit, but XP refused to receive the message from Kali, which is very embarrassing, because I had closed everything that could be closed, so... the problem should lie in... this self-proclaimed SP3 on XP?! Delete, delete, delete!!!

    Unexpectedly, I did not want to change the environment, and in the end I changed the environment anyway...


2.5 Answers to basic questions

  • Explain in your own words what exploit, payload and encode are
    • exploit: a tool for exploiting a vulnerability
    • payload: the code block (the load) generated by the tool
    • encode: an encoding method that reshapes and changes the form of the payload to evade firewalls and intrusion detection


3 - Reference materials & practical experience

Practical experience

Every time I finish writing a blog post, I find that my understanding of cyber confrontation has become a little more comprehensive. I feel that the learning process the teacher set up is very good, but it is a bit regrettable, because I feel that every piece could be dug into deeply, yet digging deeply is a bottomless pit that requires a lot of time and energy, and one can only do what is within one's capacity (I finally know how complicated a subject information security is...)
