A penetration test on Red Hat Enterprise Linux 5.4 in BT5

The best way to learn is to link theory with practice. When we know how to penetrate an attack, someone will try to simulate a real attack. During Penetration, when we find that some ports are opened on a machine, you can think about how to use the relevant service vulnerabilities to launch attacks without thinking about them. The success of each attack depends on the operating system of the target host. The version and language type of the installed Service Pack. It also depends on whether the Data Execution Protection DEP: Data Execution Prevention is successfully bypassed ). DEP is designed to defend against buffer overflow. It renders the program stack as read-only to prevent shellcode from being maliciously placed on the stack and executed. However, we can bypass DEP protection through some complex stack operations. The essence of attack penetration is to fully identify the security vulnerabilities in the target system, find the corresponding attacks against the vulnerabilities, and obtain system access permissions. 1. The penetration of the operating system has been described in the previous experiment. If you do not know it, you can view it. 2. penetration of installed service packages

Use nmap to detect the target machine quota and scan the port number and service version number.

650) this. width = 650; "title =" 1.png" src = "http://www.bkjia.com/uploads/allimg/131228/14332V091-0.png" style = "padding: 0px; margin: 0px; vertical-align: top; border: none; float: none; "alt =" 140054995.png"/>

650) this. width = 650; "title =" 2.png" src = "http://www.bkjia.com/uploads/allimg/131228/14332Tc6-1.png" width = "650" style = "padding: 0px; margin: 0px; vertical-align: top; border: none; float: none; "alt =" 140102370.png"/>

Open the metasploitmsfconsole that comes with BT5 to search For vsftpd-related vulnerability modules in the msfconsole. A vsftpd2.3.4 vulnerability module is just found, and we use it.

650) this. width = 650; "title =" 3.png" src = "http://www.bkjia.com/uploads/allimg/131228/14332U234-2.png" width = "650" style = "padding: 0px; margin: 0px; vertical-align: top; border: none; float: none; "alt =" 1400000463.png"/>

Set RHOST as the IP address of the target host and execute overflow directly. We will get a linux shell

650) this. width = 650; "title =" 4.png" src = "http://www.bkjia.com/uploads/allimg/131228/14332T0Q-3.png" width = "650" style = "padding: 0px; margin: 0px; vertical-align: top; border: none; float: none; "alt =" 140117655.png"/>

Queries and various operations in shell

650) this. width = 650; "title =" 5.png" src = "http://www.bkjia.com/uploads/allimg/131228/14332T0b-4.png" style = "padding: 0px; margin: 0px; vertical-align: top; border: none; float: none; "alt =" 140125203.png"/>

Add an account with uid = 0 to the shell to raise the permission. In this way, we have full control over the target machine and can perform any operation without knowing the root password!

650) this. width = 650; "title =" 6.png" src = "http://www.bkjia.com/uploads/allimg/131228/14332Tb5-5.png" style = "padding: 0px; margin: 0px; vertical-align: top; border: none; float: none; "alt =" 140128168.png"/>

650) this. width = 650; "title =" 7.png" src = "http://www.bkjia.com/uploads/allimg/131228/14332RA8-6.png" style = "padding: 0px; margin: 0px; vertical-align: top; border: none; float: none; "alt =" 140131898.png"/>

If port 3389 or port 22 is enabled for the peer, we can directly log on to linux. After detecting a vulnerability in the installed service package, we need to promptly patch the vulnerability or download and use a new version to avoid host failure because the vulnerability is not fixed in time!
E n d !!!

This article from the "xy low-key development" blog, please be sure to keep this source http://qq7887174.blog.51cto.com/7898352/1301754