A penetration test on Red Hat Enterprise Linux 5.4 in BT5



The best way to learn is to link theory with practice. Once we know how an attack works, we simulate a real one. During a penetration test, when we find that some ports are open on a machine, we can think about how to use vulnerabilities in the corresponding services to launch an attack. The success of each attack depends on the operating system of the target host, on the version and language type of the installed service package, and on whether Data Execution Prevention (DEP) can be bypassed. DEP is designed to defend against buffer overflows: it renders the program stack as read-only to prevent shellcode from being maliciously placed on the stack and executed. However, DEP protection can be bypassed through some complex stack operations. The essence of penetration is to fully identify the security vulnerabilities in the target system, find the attacks that correspond to those vulnerabilities, and obtain access permissions on the system.

1. Penetration of the operating system was described in the previous experiment; refer to it if you are not familiar with it.
2. Penetration of installed service packages

Use nmap to probe the target machine and scan its open port numbers and service version numbers.







Open the Metasploit msfconsole that comes with BT5 and search for vsftpd-related vulnerability modules in the msfconsole. A vsftpd 2.3.4 vulnerability module is found, and we use it.





Set RHOST to the IP address of the target host and run the exploit directly. We get a Linux shell.




Queries and various operations in the shell.




Add an account with uid = 0 from the shell to raise privileges. In this way, we have full control over the target machine and can perform any operation without knowing the root password!







If port 3389 or port 22 is open on the target, we can log on to Linux directly. After detecting a vulnerability in an installed service package, patch the vulnerability promptly or download and use a new version, to avoid the host being compromised because the vulnerability was not fixed in time!
End!!!
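A defender-side check for the two things this post turns on, the vsftpd 2.3.4 version string in the FTP banner and the extra uid 0 account added to /etc/passwd, as an added example that is not part of the original post. The sample passwd content and banner strings are constructed.

```python
import re

# Constructed sample /etc/passwd content: a "hack" account with uid 0 has been
# appended, which is the privilege-escalation step the post describes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
hack:x:0:0::/home/hack:/bin/bash
"""


def find_extra_uid0(passwd_text):
    """Return usernames other than root whose uid field is 0.

    Any such account is a second root-equivalent login and should be
    investigated; on a clean system this list is empty.
    """
    extra = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, not a valid passwd entry
        name, uid = fields[0], fields[2]
        try:
            if int(uid) == 0 and name != "root":
                extra.append(name)
        except ValueError:
            continue  # non-numeric uid field, skip
    return extra


def vsftpd_version(banner):
    """Extract the version from a vsftpd greeting such as '220 (vsFTPd 2.3.4)'."""
    m = re.search(r"vsFTPd\s+([\d.]+)", banner, re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable_vsftpd(banner):
    """True when the banner reports 2.3.4, the release the post's module targets.

    The version string alone only flags a candidate; confirm against the
    installed package and its patch state before acting on it.
    """
    return vsftpd_version(banner) == "2.3.4"


if __name__ == "__main__":
    print("extra uid 0 accounts:", find_extra_uid0(SAMPLE_PASSWD))
    print("vsftpd 2.3.4 banner:", is_vulnerable_vsftpd("220 (vsFTPd 2.3.4)"))
```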


This article is from the "xy low-key development" blog; please keep this source: http://qq7887174.blog.51cto.com/7898352/1301754
