Lab name: penetration testing example, xampp target machine lab
Lab goal: perform a penetration test against the xampp target machine
Lab environment: one Kali virtual machine (4 GB RAM); one xampp target machine, IP 192.168.22.128
Lab steps:
1. Scan the target machine with Nessus.
2. Start the Metasploit framework and scan from there:
msf6 > db_nmap -A -T4 192.168.22.128    run nmap through msfconsole; the results are stored in the msf database (-A: OS/version/script scan, -T4: faster timing)
(1) Penetration test
Fingerprint the SMB service version:
msf6 > search smb_version    check whether an SMB version scanning module exists
Matching Modules
#  Name  Disclosure Date  Rank  Check  Description
0  auxiliary/scanner/smb/smb_version  -  normal  No  SMB Version Detection
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_version
msf6 > use auxiliary/scanner/smb/smb_version    load the module
msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.22.128    set the target IP address
rhosts => 192.168.22.128
msf6 auxiliary(scanner/smb/smb_version) > run    execute the module
[*] 192.168.22.128:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:2w 3d 1h 19m 15s) (guid:{079eddaa-883e-448c-9c75-df3fb0d2aa5c}) (authentication domain:W2K8)
[+] 192.168.22.128:445 - Host is running Windows 2008 R2 Datacenter SP1 (build:7601) (name:W2K8) (workgroup:WORKGROUP)
[*] 192.168.22.128: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
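The smb_version output above already contains the facts that should drive the next step: SMB1 is still offered, message signing is only optional (so NTLM relay against this host is possible), and build 7601 is Windows 7 SP1 / Server 2008 R2 SP1, which has been out of support since January 2020. The following Python script is an added example written for this lab report, not part of the original or of Metasploit; it parses the two result lines (copied here as constructed input) into a fingerprint and turns them into triage findings. The EOL_BUILDS table is an assumed lookup maintained for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed input for this example: the smb_version result lines from the
# run above, copied as msfconsole printed them (not captured live here).
SAMPLE_OUTPUT = """\
[*] 192.168.22.128:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:2w 3d 1h 19m 15s) (guid:{079eddaa-883e-448c-9c75-df3fb0d2aa5c}) (authentication domain:W2K8)
[+] 192.168.22.128:445 - Host is running Windows 2008 R2 Datacenter SP1 (build:7601) (name:W2K8) (workgroup:WORKGROUP)
[*] 192.168.22.128: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# Assumed lookup table for this example: NT build numbers of Windows releases
# that are out of support. Extend it for other targets.
EOL_BUILDS = {
    7601: "Windows 7 SP1 / Server 2008 R2 SP1 (extended support ended January 2020)",
    3790: "Windows Server 2003 (extended support ended July 2015)",
}


@dataclass
class SmbHost:
    host: str
    versions: list = field(default_factory=list)  # SMB major versions offered
    dialect: str = ""                             # preferred dialect
    signing: str = ""                             # "optional", "required", ...
    os: str = ""
    build: int = 0
    name: str = ""


# "[*] host:445 - ..." and "[+] host:445 - ..." are the only lines with data.
RESULT_RE = re.compile(r"^\[[*+]\] (?P<host>[\d.]+):445 - (?P<body>.+)$")
# "(key:value)" groups; keys may contain spaces ("preferred dialect").
ATTR_RE = re.compile(r"\(([^:()]+):([^)]*)\)")
OS_RE = re.compile(r"^Host is running (?P<os>.+?) \(build:")


def parse_smb_version(text):
    """Parse smb_version module output into one SmbHost per target."""
    hosts = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue  # progress and completion lines carry no host data
        host = hosts.setdefault(m["host"], SmbHost(m["host"]))
        body = m["body"]
        attrs = {k.strip(): v.strip() for k, v in ATTR_RE.findall(body)}
        if body.startswith("SMB Detected"):
            host.versions = [int(v) for v in attrs.get("versions", "").split(",") if v.strip()]
            host.dialect = attrs.get("preferred dialect", "")
            host.signing = attrs.get("signatures", "")
        elif (om := OS_RE.match(body)):
            host.os = om["os"]
            host.build = int(attrs.get("build", "0"))
            host.name = attrs.get("name", "")
    return hosts


def triage(h):
    """Turn the parsed fingerprint into findings a tester acts on next."""
    findings = []
    if 1 in h.versions:
        findings.append("SMB1 is enabled: legacy dialect without modern protections")
    if h.signing != "required":
        findings.append(f"SMB signing is {h.signing or 'unknown'}, not required: "
                        "NTLM relay to this host is possible")
    if h.build in EOL_BUILDS:
        findings.append(f"build {h.build} is {EOL_BUILDS[h.build]}")
    return findings


if __name__ == "__main__":
    for h in parse_smb_version(SAMPLE_OUTPUT).values():
        print(f"{h.host} ({h.name}): {h.os}, dialect {h.dialect}, signing {h.signing}")
        for f in triage(h):
            print("  -", f)
```

Feeding the script real output (for example `spool`ed msfconsole text) works the same way, since it only reads the `[*]`/`[+]` result lines and ignores everything else.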
(2) Look for the first weak point the scan exposed
msf6 auxiliary(scanner/smb/smb_version) > search smb description:2    look for a matching module
Note that this search matches any module with "smb" in its name or description whose description also contains a "2", which is why unrelated modules (Struts, Snort, Citrix, file-format exploits) appear below. The fingerprint from smb_version (Windows 2008 R2 SP1, SMB1 and SMB2 offered, signing optional) is the better filter; narrowing with keywords such as `search type:auxiliary name:smb` or `search platform:windows smb` gives a shorter list.
Matching Modules
#  Name  Disclosure Date  Rank  Check  Description
0  auxiliary/admin/mssql/mssql_ntlm_stealer  -  normal  No  Microsoft SQL Server NTLM Stealer
1  auxiliary/docx/word_unc_injector  -  normal  No  Microsoft Word UNC Path Injector
2  auxiliary/dos/samba/read_nttrans_ea_list  -  normal  No  Samba read_nttrans_ea_list Integer Overflow
3  auxiliary/dos/windows/smb/ms05_047_pnp  -  normal  No  Microsoft Plug and Play Service Registry Overflow
4  auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh  -  normal  No  Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
5  auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff  -  normal  No  Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
6  auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop  -  normal  No  Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
7  auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow  -  normal  No  Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS
8  auxiliary/dos/windows/smb/ms11_019_electbowser  -  normal  No  Microsoft Windows Browser Pool DoS
9  auxiliary/fuzzers/smb/smb2_negotiate_corrupt  -  normal  No  SMB Negotiate SMB2 Dialect Corruption
10  auxiliary/gather/konica_minolta_pwd_extract  -  normal  No  Konica Minolta Password Extractor
11  auxiliary/scanner/http/citrix_dir_traversal  2019-12-17  normal  No  Citrix ADC (NetScaler) Directory Traversal Scanner
12  auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir  -  normal  No  SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing
13  auxiliary/scanner/smb/smb_enum_gpp  -  normal  No  SMB Group Policy Preference Saved Passwords Enumeration
14  auxiliary/server/capture/smb  -  normal  No  Authentication Capture: SMB
15  auxiliary/server/teamviewer_uri_smb_redirect  -  normal  No  TeamViewer Unquoted URI Handler SMB Redirect
16  exploit/linux/samba/chain_reply  2010-06-16  good  No  Samba chain_reply Memory Corruption (Linux x86)
17  exploit/multi/http/struts_code_exec_classloader  2014-03-06  manual  No  Apache Struts ClassLoader Manipulation Remote Code Execution
18  exploit/multi/ids/snort_dce_rpc  2007-02-19  good  No  Snort 2 DCE/RPC Preprocessor Buffer Overflow
19  exploit/windows/browser/java_ws_double_quote  2012-10-16  excellent  No  Sun Java Web Start Double Quote Injection
20  exploit/windows/fileformat/ms13_071_theme  2013-09-10  excellent  No  MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution
21  exploit/windows/fileformat/ms14_060_sandworm  2014-10-14  excellent  No  MS14-060 Microsoft Windows OLE Package Manager Code Execution
22  exploit/windows/fileformat/ursoft_w32dasm  2005-01-24  good  No  URSoft W32Dasm Disassembler Function Buffer Overflow
23  exploit/windows/fileformat/vlc_smb_uri  2009-06-24  great  No  VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
24  exploit/windows/misc/hp_dataprotector_c