>> It's time to enter the world of MSF, Metasploit Framework. I fired up my Kali VM once again and opened up a terminal. First I started the PostgreSQL database service. PostgreSQL is an open source relational DBMS, database management system, used by Metasploit. After that, I created and initialized the Metasploit Framework database with the command msfdb init. You'll only enter this command the first time you go through these steps. Subsequently, it will be msfdb start instead of msfdb init. Finally, it's time to run msfconsole, the most popular interface to the Metasploit Framework. It's an all-in-one centralized console that allows you to efficiently access the MSF options. I'm going to run this in a second terminal. MSF runs in its own environment, and I like having a bash shell prompt handy just in case I need it. [Silence] After a little bit, you'll see the MSF prompt. Each time you load MSF, you'll see a different cute and funny text display.
>> I've opened up a second instance of VMware Workstation Player with good ol' Windows XP as the VM. Like my Kali box, my Windows XP box is in bridged mode. Therefore, my Windows host machine, my Kali VM and my Windows XP VM are all on the same subnet. I brought Nmap right into the mix. Dash upper case A performs tons of tests on the target IP address, including OS detection, version detection, script scanning and traceroute. Dash lower case v specifies that we want verbose output. [Silence] Notice, towards the bottom of the output, there are lines regarding SMB, Server Message Block, security on the XP machine. SMB allows for sharing of files and printers. Furthermore, port 445, used for directly hosted SMB over TCP/IP, is open. Let's see all exploits associated with SMB vulnerabilities. [Silence] Let's zone in on one of the most famous exploits of all time. [Silence] Great. Let's use it. You'll notice that the prompt changes to a specific exploit prompt. Let's understand where we are. We've identified a vulnerability of SMB on the target machine. We've selected the MS08-067 NetAPI exploit. Now, we need a payload. [Silence] Let's zone in on my favorite one. [Silence] Let's use it. Using this payload, we're going to get the victim machine to initiate a TCP connection back to us. That's much better than an unsolicited connection coming into the victim machine from an unknown IP address, which would be flagged by a firewall, IDS or IPS. Now, we need to configure the exploit. [Silence] Show targets will give you a list of all the targets that this exploit works for. [Silence] Based on the output from Nmap earlier, I'll type set target 2. Keeping the default of target 0, automatic targeting, is fine as well. Let's see the options again. [Silence] Let's set the remote host with the IP address of my Windows XP box. [Silence] Let's set the local host using the IP address of this Kali box. Show options, again, verifies our settings. We could change the local port from 4444 to avoid detection, since IDSs most likely know about Metasploit's use of port 4444. But we'll just leave it for now. Ready to exploit? Bam. We're in. We now own the XP box. What could we do here? Let's take a look. [Silence]
>> Let's take a look at some cool Meterpreter commands. Sysinfo. Now we've got some information about the compromised system. Hashdump. Ahh! Now you can use these hashes in a brute force attack, a dictionary attack, or a rainbow table attack. Idletime. It's been this long since there were hands on a keyboard of the compromised system. This information could be helpful in determining if an attacker should be daring now or wait a little bit. Ps, a list of every running process on the compromised system. Kill, in this case with a process ID of 1364. Do you see the Windows command line interface on the Windows XP system? No, you don't. Poof. It's gone. [Silence] Migrate. Meterpreter's migrate command allows us to move our running code into a process that has interactive access to the compromised system. The running payload will be migrated into the explorer.exe process when I specify 1608. This explorer.exe process is owned by the active user. Now we can use keyscan_start to log every single one of the user's keystrokes, including the arrow keys, the backspace key, the delete key, and more. If we wanted to capture system login information, we'd migrate to the winlogon process, which will capture the credentials of all users logging into the system. This is dependent, of course, on the machine being in a running state. Rebooting or shutting down the compromised system would end our Meterpreter session. [Silence] Keyscan_dump. There it is. [Silence] Let's sign in to edX. [Silence] Let's sign in to my courses. [Silence] Let's check our Gmail. [Silence] It's all there. [Silence] Keyscan_stop. Shell pops up a Windows command line interface within Meterpreter. We can execute networking commands. [Silence] Yes! I'm actually sending pings from the compromised Windows XP system. We can execute file system commands. We just made a directory. [Silence] We just made a file. [Silence] We just deleted a file. We just removed a directory.
Reposted from: https://www.cnblogs.com/sec875/articles/10028516.html