蜜罐攻击检测实验

实验内容

  1. 使用honeyd软件实现低交互蜜罐,要求能够模拟主机、服务、漏洞和网络拓扑。
  2. 在虚拟机上部署具有可利用漏洞的系统、软件或网站。
  3. 使用扫描器、metasploit等攻击工具对网络靶场进行攻击,达到扫描探测、信息获取、获取管理员权限、窃取管理员密码、拒绝服务、文件篡改、进程操作等攻击效果。
  4. 物理蜜罐上使用入侵检测工具snort,或编写信息采集、日志分析代码,检测并记录受到的攻击。记录形式如:日志文件、告警文件、实时显示等方式。

安装配置Honeyd

Honeyd及其依赖项简介

Honeyd是一个可以在网络上创建虚拟主机的小型daemon。可以对此虚拟主机的服务和TCP进行配置,使其在网络中看起来是在运行某种操作系统。Honeyd可以使一台主机在局域网中模拟出多个地址以满足网络实验环境的要求。通过对配置文件进行设置可以使虚拟计算机模拟运行任何服务。也可以使用服务代理替代服务模拟。

  1. libevent,一个非同步事件通知的函数库。通过使用libevent,开发者能够设定某些事件发生时所运行的函数,能够取代以往程序所使用的循环检查。
  2. libdnet,为若干个低层的网络例程提供了一个简单的可移植的接口,包括网络地址处理,内核 arp 缓冲和路由表查找和管理,网络防火墙(IP filter, ipfw, ipchains, pf, PktFilter, …),网络接口查找和管理,IP 隧道(BSD/Linux tun, Universal TUN/TAP device),未加工的 IP 包和以太网帧的传输。
  3. libpcapunix/linux平台下的网络数据包捕获函数包,大多数网络监控软件都以它为基础。Libpcap 可以在绝大多数类 unix平台下工作。
  4. arpd,执行在与honeyd同样的系统上。是honeyd众多协作工具中最重要的一个。Arpd工作时监视局域网内的流量。并通过查看honeyd系统的ARP表推断其他系统的活动与否。arpd将对指定的 IP 地址范围内未使用的 IP 用 honeyd主机的 MAC 地址做出arp应答
  5. zlibLinux核心使用zlib以实作网络协定的压缩、档案系统的压缩以及开机时解压缩自身的核心。

安装Honeyd及其依赖项

  1. 从官网下载安装honeyd-1.5c

    下载地址http://www.honeyd.org/release.php

  2. 下载解压编译安装honeyd的依赖库:libeventlibdumbnetlibpcaplibedit,参考https://www.cnblogs.com/yjbjingcha/p/6791631.html

  3. 安装arpd-0.2

  4. 成功安装honeyd

    1565763010078

网络拓扑结构

1565767984997

日志及配置文件

  1. 日志文件及位置为/var/log/honeyd/honeyd.log/var/log/honeyd/service.log

  2. honeyd配置文件及位置为/root/桌面/honeyd.conf

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    route entry 192.168.43.153 network 192.168.43.144/28   
    route 192.168.43.153 link 192.168.43.152/29

    route 192.168.43.153 add net 192.168.43.156/30 192.168.43.157
    route 192.168.43.157 link 192.168.43.165/30

    create windows
    set windows personality "Microsoft Windows 2000 SP2"
    set windows default tcp action reset
    set windows default udp action reset
    set windows default icmp action open
    add windows tcp port 110 "/usr/share/honeyd-1.5c/scripts/pop3.pl"
    add windows tcp port 80 "/usr/share/honeyd-1.5c/scripts/web.sh"
    add windows tcp port 25 "/usr/share/honeyd-1.5c/scripts/smtp.pl"
    add windows tcp port 23 "/usr/share/honeyd-1.5c/scripts/router-telnet.pl"
    add windows tcp port 21 proxy 192.168.43.1:21

    create linux
    set linux personality "Linux 2.4.20"
    set linux default tcp action reset
    set linux default udp action reset
    set linux default icmp action open
    add linux tcp port 80 "/usr/share/honeyd-1.5c/scripts/web.sh"
    add linux tcp port 23 "/usr/share/honeyd-1.5c/scripts/router-telnet.pl"
    add linux tcp port 22 "/usr/share/honeyd-1.5c/scripts/ssh.sh"
    add linux tcp port 21 proxy 192.168.43.1:21
    add linux tcp port 20 open

    create router
    set router personality "Cisco 7206 running IOS 11.1(24)"
    set router default tcp action reset
    add router tcp port 23 "/usr/share/honeyd-1.5c/scripts/router-telnet.pl"

    bind 192.168.43.153 router
    bind 192.168.43.156 router

    bind 192.168.43.154 windows
    bind 192.168.43.155 linux
    bind 192.168.43.157 windows
    bind 192.168.43.158 linux
  3. 各种端口配置文件位于/honeyd/honeyd-1.5c/script位置,包括

    ssh.sh

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    #!/bin/bash
    #
    # $1: srcip, $2: srcport, $3: dstip, $4: dstport, $5: config
    #
    # modified by Fabian Bieker <fabian.bieker@web.de>
    # modified by DataSoft Corporation
    #. scripts/misc/base.sh
    SRCIP=$1
    SRCPORT=$2
    DSTIP=$3
    DSTPORT=$4

    STRINGSFILE=$5
    VERSION=`perl -nle '/SSH_VERSION (.*)/ and print $1' < $STRINGSFILE`

    SERVICE="ssh"
    HOST="serv"


    my_start

    echo -e "$VERSION"

    while read name; do
    echo "$name" >> $LOG
    LINE=`echo "$name" | egrep -i "[\n ]"`
    if [ -z "$LINE" ]; then
    echo "Protocol mismatch."
    my_stop
    else
    echo "$name"
    fi
    done
    my_stop

    web.sh

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    #!/bin/sh
    REQUEST=""
    while read name
    do
    LINE=`echo "$name" | egrep -i "[a-z:]"`
    if [ -z "$LINE" ]
    then
    break
    fi
    echo "$name" >> /tmp/log
    NEWREQUEST=`echo "$name" | grep "GET .scripts.*cmd.exe.*dir.* HTTP/1.0"`
    if [ ! -z "$NEWREQUEST" ] ; then
    REQUEST=$NEWREQUEST
    fi
    done

    if [ -z "$REQUEST" ] ; then
    cat << _eof_
    HTTP/1.1 404 NOT FOUND
    Server: Microsoft-IIS/5.0
    P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
    Content-Location: http://cpmsftwbw27/default.htm
    Date: Thu, 04 Apr 2002 06:42:18 GMT
    Content-Type: text/html
    Accept-Ranges: bytes

    <html><title>You are in Error</title>
    <body>
    <h1>You are in Error</h1>
    O strange and inconceivable thing! We did not really die, we were not really buried, we were not really crucified and raised again, but our imitation was but a figure, while our salvation is in reality. Christ was actually crucified, and actually buried, and truly rose again; and all these things have been vouchsafed to us, that we, by imitation communicating in His sufferings, might gain salvation in reality. O surpassing loving-kindness! Christ received the nails in His undefiled hands and feet, and endured anguish; while to me without suffering or toil, by the fellowship of His pain He vouchsafed salvation.
    <p>
    St. Cyril of Jerusalem, On the Christian Sacraments.
    </body>
    </html>
    _eof_
    exit 0
    fi

    DATE=`date`
    cat << _eof_
    HTTP/1.0 200 OK
    Date: $DATE
    Server: Microsoft-IIS/5.0
    Connection: close
    Content-Type: text/plain


    Volume in drive C is Webserver
    Volume Serial Number is 3421-07F5
    Directory of C:\inetpub

    01-20-02 3:58a <DIR> .
    08-21-01 9:12a <DIR> ..
    08-21-01 11:28a <DIR> AdminScripts
    08-21-01 6:43p <DIR> ftproot
    07-09-00 12:04a <DIR> iissamples
    07-03-00 2:09a <DIR> mailroot
    07-16-00 3:49p <DIR> Scripts
    07-09-00 3:10p <DIR> webpub
    07-16-00 4:43p <DIR> wwwroot
    0 file(s) 0 bytes
    20 dir(s) 290,897,920 bytes free
    _eof_

    router.pl

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    #!/usr/bin/perl
    # Copyright 2002 Niels Provos <provos@citi.umich.edu>
    # All rights reserved.
    #
    # For the license refer to the main source code of Honeyd.
    #
    # Don't echo Will Echo Will Surpress Go Ahead
    $return = pack('ccccccccc', 255, 254, 1, 255, 251, 1, 255, 251, 3);
    syswrite STDOUT, $return,9;

    $count = 0;
    while ($count < 3) {
    do {
    $count++;
    syswrite STDOUT, "\r\n";
    $word = read_word("Username: ", 1);
    } while (!$word && $count < 3);
    if ($count >= 3 && !$word) {
    exit;
    }
    $password = read_word("Password: ", 0);
    if (!$password) {
    syswrite STDOUT, "% Login invalid\r\n";
    } else {
    syswrite STDERR, "Attempted login: $word/$password";
    syswrite STDOUT, "% Access denied\r\n";
    }
    }

    exit;

    sub read_word {
    local $prompt = shift;
    local $echo = shift;
    local $word;

    syswrite STDOUT, "$prompt";

    $word = "";
    $alarmed = 0;
    eval {
    local $SIG{ALRM} = sub { $alarmed = 1; die; };
    alarm 30;
    $finished = 0;
    do {
    $nread = sysread STDIN, $buffer, 1;
    die unless $nread;
    if (ord($buffer) == 0) {
    ; #ignore
    } elsif (ord($buffer) == 255) {
    sysread STDIN, $buffer, 2;
    } elsif (ord($buffer) == 13 || ord($buffer) == 10) {
    syswrite STDOUT, "\r\n" if $echo;
    $finished = 1;
    } else {
    syswrite STDOUT, $buffer, 1 if $echo;
    $word = $word.$buffer;
    }
    } while (!$finished);
    alarm 0;
    };
    #syswrite STDOUT, "\r\n" if $alarmed || ! $echo;
    #if ($alarmed) {
    # syswrite STDOUT, "% $prompt timeout expired!\r\n";
    #return (0);
    #}

    return ($word);
    }

启动Honeyd

命令行输入命令

1
2
arpd 192.168.43.152/29
honeyd -f honeyd.conf -d -l /var/log/honeyd/honeyd.log -s /var/log/honeyd/service.log --fix-webserver-permissions 192.168.43.152/29

1565764175954

1565764181622

检查honeyd搭建情况

  1. telnet连接

    kali使用telnet命令,连接192.168.43.157,观察日志文件和连接结果。

    输入命令

    1
    telnet 192.168.43.157

    检测与IP地址为192.168.43.157telnet连接是否成功。结果如下图所示,连接成功,但因为不知道用户名和密码,输入三次用户名和密码后直接退出。

    1565764325222

    日志文件如下,可以查看输入的用户名和密码

    1565764345368

    1565764350258

  2. ssh连接

    使用ssh命令,连接192.168.43.155观察日志文件和连接结果。

    输入命令

    1
    ssh 192.168.43.155

    检测ssh连接是否有效,结果如下,与ssh.sh配置文件符合

  3. web运行

    在浏览器输入URL:192.168.43.155,检测web是否运行

    1565764466896

    在网页中输入用户名和密码后点击登录跳转到网页如下,与web.sh配置文件相符合

    1565764498045

    查看honeyd日志文件,成功运行web.sh的脚本

    1565764543952

    如下所示,从192.168.43.19552304端口访问了192.168.43.15580端口

    1565764549209

部署漏洞虚拟机

  1. 永恒之蓝漏洞,操作系统为win7家庭版虚拟机,ip地址为192.168.43.59
  2. CVE-2012-5613,部署在win xp上的mysql5.5.19版本的权限提升漏洞,ip地址为192.168.43.213
  3. metasploitable2虚拟机,一个特别制作的ubuntu操作系统,本身设计作为安全工具测试和演示常见漏洞攻击。默认只开启一个网络适配器并且开启NATHost-only,该虚拟机的ip为192.168.43.120

Honeyd虚拟机中安装配置Snort

Snor简介

Snort是1998年用C语言开发的开源的入侵检测系统。直至今天,Snort已发展成为一个具有多平台(Multi-Platform)、实时(Real-Time)流量分析、网络IP数据包(Pocket)记录等特性的强大的网络入侵检测/防御系统(Network Intrusion Detection/Prevention System),即NIDS/NIPSSnort符合通用公共许可(GPL——GNU General Pubic License),在网上可以通过免费下载获得Snort

​ 由于Snort混杂模式可以抓取网段中的所有数据包,snort部署在同一子网下的win7虚拟机上。

local.rules配置

对尝试对密网中每个主机的访问写入类似如下告警规则:

1
alert tcp any any -> 192.168.43.153 any (msg:"TCP detected"; sid:1000004; rev:12;)

检测对所有蜜罐虚拟主机和漏洞虚拟机的访问,并产生告警:TCP detected

Sqlmap, WebInspect, Netsparker, Appscan, Nmap, Awvscan的扫描写入告警规则。

1565765754290

经过反复实验后,又修改了NMAP检测规则:

1
alert icmp any any -> 192.168.43.0/24 any (msg: "NMAP ping sweep Scan"; dsize:0;sid:10000004; rev: 1;)

mysql.rules配置

3306sql攻击写入如下告警规则

1
2
3
4
5
6
7
8
9
10
11
12
13
14
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; metadata:service mysql; classtype:protocol-command-decode; sid:1775; rev:3;)
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; metadata:service mysql; classtype:protocol-command-decode; sid:1776; rev:3;)
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:3; content:"root|00|"; within:5; distance:5; nocase; metadata:service mysql; classtype:protocol-command-decode; sid:3456; rev:4;)
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL CREATE FUNCTION attempt"; flow:to_server,established; content:"|03|create"; offset:4; nocase; pcre:"/\x03create\s+(aggregate\s+)*function/smi"; metadata:service mysql; reference:bugtraq,12781; reference:cve,2005-0709; classtype:misc-activity; sid:3528; rev:3;)
alert tcp any 3306 -> 192.168.43.128/25 any (msg:"MYSQL server greeting"; flow:from_server,established; content:"|00|"; depth:1; offset:3; flowbits:set,mysql.server_greeting; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:attempted-user; sid:3665; rev:6;)
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL protocol 41 secure client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,&,0x02,4; content:"|00 14|"; offset:36; isdataat:74,relative; content:!"|00|"; within:74; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3669; rev:6;)
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL client authentication bypass attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14 00|"; offset:9; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3668; rev:8;)
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,!&,0x80,4; byte_test:1,!&,0x02,4; content:"|00|"; offset:9; isdataat:74,relative; content:!"|00|"; within:74; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3672; rev:6;)
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL secure client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14|"; offset:9; isdataat:74,relative; content:!"|00|"; within:74; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3670; rev:6;)
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL protocol 41 client authentication bypass attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,&,0x02,4; content:"|00 14 00|"; offset:36; metadata:policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3667; rev:6;)
alert tcp any any -> 192.168.43.128/25 3306 (msg:"MYSQL protocol 41 client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,!&,0x80,4; byte_test:1,&,0x02,4; content:"|00|"; offset:36; isdataat:74,relative; content:!"|00|"; within:74; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3671; rev:6;)
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"MYSQL server greeting finished"; flow:from_server,established; byte_test:1,>,0,3; flowbits:isset,mysql.server_greeting; flowbits:unset,mysql.server_greeting; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:attempted-user; sid:3666; rev:8;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL CREATE FUNCTION buffer overflow attempt"; flow:to_server,established; content:"|03|create"; offset:4; nocase; pcre:"/\x03create\s+(aggregate\s+)*function\s+\S{50}/smi"; metadata:service mysql; reference:bugtraq,14509; reference:cve,2005-2558; classtype:misc-activity; sid:4649; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL Date_Format denial of service attempt"; flow:to_server,established; content:"DATE_FORMAT"; pcre:"/DATE_FORMAT\x28\s*(\x22[^\x22]+\x25[^\x22]*\x22|\x27[^\x27]+\x25[^\x27]*\x27)/smi"; metadata:service mysql; reference:bugtraq,19032; reference:cve,2006-3469; reference:url,dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html; classtype:attempted-dos; sid:8057; rev:2;)

1565765815890

检测root login, show databases, create function, secure client overflow等等攻击尝试,并产生对应的告警信息。

snort.conf配置

设置output database,记录所有alertlog文件到数据库

1565766059427

并记录日志文件到数据库,可以从网站打开查看日志。

snort其他组件

安装adobdjgraphacid(网页文件)组件。

配置Acid网页配置文件acid_conf.php,使其与mysql数据库匹配,并能输出日志和告警到网页端。

浏览器输入http://localhost/acid/acid_db_setup.php,初始化数据库。

1565766150653

网络靶场攻击与检测

靶场扫描检测

局域网设置

攻击机靶机snort在同一局域网下。攻击机kali的ip地址为192.168.43.257

1565766422794

据此可知子网为192.168.43.0/24

攻击机nmap扫描局域网

攻击机nmap扫描192.168.43.0/24网段,发现该网段下共19台主机,其中图中MAC地址相同的主机为honeyd搭建的拓扑结构里面的虚拟主机,而不是此MAC地址的机器为具有漏洞的真实虚拟机。可见honeyd的MAC地址为62:44:42:89:7D:46

1565766497207

第一次扫描后honeyd的日志

1565766512229

攻击漏洞虚拟机

metasploitable2漏洞虚拟机攻击

metasploitable2的ip地址为192.168.32.120,首先对6667端口使用unreal_ircd_3281_backdoor模块,即irc_3281_backdoor漏洞。

1565766748326

成功植入后门,getshell:

1565766767823

攻击机端控制漏洞机192.168.43.120后,在根目录下执行命令:

1
mkdir 77777777777777777

创建了新目录

1565766807924

在漏洞机可以看到已经被写入:

1565766822946

win xp 漏洞机攻击

  1. 对局域网中第二个主机192.168.43.59检测端口,发现3306端口打开,由此推测存在mysql服务漏洞,随后检测mysql版本

    1565766888821

  2. 扫描到3306端口开放后,使用mysql_version模块检测mysql版本,检测到是5.5.19版本,存在提权漏洞CVE-2012-5613

    1565766949919

  3. Metasploit拥有如下模块,使用mysql中的mysql_mof对目标主机进行本地提权

    1565766975491

    设置用户名root, 密码rootRHOSTS为目标机192.168.43.213LHOST监听主机为攻击机192.168.43.247LHOST监听端口为5012,攻击漏洞虚拟机192.168.43.213,成功getshell

    1565767036734

    命令行如下,打开了Meterpreter session:

    1565767058474

    getshell之后,写入文件夹到C盘。在winXP漏洞机上发现了新文件夹

    1565767090009

    最后让被getshell的漏洞机关机:

    1565767122319

    windows被迫关机

    1565767134174

win 7漏洞机攻击

  1. 选择局域网中的第一台真机192.168.43.59,扫描该IP端口,如下图所示,可以发现135139445等端口开放。

    1565767256750

    nmap扫描到该主机的445端口开放,用永恒之蓝模块检测

  2. 使用smb_ms17_010对漏洞机进行检测,设置目标主机为192.168.43.59,检测到Host is likely VULNERABLE to MS17-010

    1
    2
    3
    4
    5
    6
    7
    8
    msf5 > use auxiliary/scanner/smb/smb_ms17_010
    msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.43.59
    rhosts => 192.168.43.59
    msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

    [+] 192.168.43.59:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
    [*] 192.168.43.59:445 - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    1565767344496

    扫描确认存在永恒之蓝漏洞

  3. 获取控制权,使用ms17_010_eternalblue模块getshell

    1565767393800

    添加文件

    1565767407235

    在漏洞主机上发现了新建的文件夹

    1565767425902

  4. 图形界面渗透成功图示

    192.168.43.59为部署永恒之蓝漏洞的win7虚拟机,192.168.43.213为部署mysql漏洞的winXP虚拟机

    1565767471994

    mysql提权漏洞获得shell之后,可以取得screenshot屏幕截图

    1565767498529

snort检测

AWVS扫描检测

攻击机kali使用AWVS扫描蜜罐虚拟机192.168.43.15480端口

1565767586483

浏览器URL输入http://localhost/acid/acid_db_setup.php,即snort网页报告,可以看到检测到扫描

1565767619513

NMAP扫描检测

在扫描局域网时,snort检测到nmap扫描,攻击机为192.168.43.247

1565767660232

Metasploit渗透攻击检测

445端口检测到攻击NETBIOS SMB-DS Trans Max Param DOS attempt

1565767691050

对主机进行端口扫描,其实是使用了nmap工具,检测到nmap ping sweep scan

1565767716793

利用SQL提权漏洞进行渗透攻击,Snort检测到MYSQL attack

1565767738851

尝试建立Meteroreter会话时,Snort检测到NMAP扫描

1565767760977

本文标题: 蜜罐攻击检测实验

文章作者: 李钰璕

发布时间: 2019年08月14日 - 13:36

最后更新: 2020年04月02日 - 14:29

原始链接: https://www.leeyuxun.icu/蜜罐攻击检测实验.html

许可协议: 本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议,转载请注明出处!