Comprehensive penetration test -WAR Back door deployment

First step , Open the network topology , Start the experimental virtual machine , View the virtual machines separately IP Address ：

Kali Linux

Windows 7

Windows 7-1：

The second step , stay Windows 7-1 Running in the target Tomcat：

desktop -apache-tomcat-9.0.29-bin- double-click startup.bat

The third step , Switch to the infiltration machine Kali Linux, Use the browser to access the target Tomcat service ：

http://172.16.1.200:8080（ Drone aircraft IP Address ）

Step four , Click on the “Manager App”, Asked to enter a user name and password ：

Step five , Open the terminal , function msfconsole. Use Tomcat Password cracking module cracking Tomcat Password ：

We set the user name to Tomcat default “tomcat”, Use a password dictionary “/root/dict.txt”.

After running the command , obtain Tomcat Background administrator user name ：tomcat, password ：s3cret.

Step six , Switch to Windows 7 Infiltration machine , Visit the target's Tomcat service ：

http://172.16.1.200:8080

Step seven , Click on “Manager App” Button , enter one user name tomcat, password s3cret, Log in to the administration page

Step eight , Put the JSP In a word, the Trojan horse packs . Right click torjan.jsp- Add to “torjan.zip”：

Step nine , take torjan.zip Rename it to torjan.war

Step 10 , go back to Tomcat Manage Pages , stay “ To deploy WAR file ” It's about , Upload just compressed torjan.war

Step 11 , Click deploy , Access the deployed jsp File location ：

http://172.16.1.200:8080/torjan/torjan.jsp

The twelfth step , Open the desktop 2011caidao Folder , double-click chopper.exe Start the Chinese kitchen knife

Thirteenth Step , Right click the blank space of the kitchen knife - add to - Set the address to torjan.jsp The address of , The password for pass, Click Add ：

The fourteenth step , Double click the added address , Access the file manager of the target ：

Successfully read the file in the target .

The fifteenth step , Back to home , Right click the address - Virtual terminal

The sixteenth step , Add users to the terminal hacker, password 123456, And set the user as the administrator ：

net user hacker 123456 /add

net localgroup administrators hacker /add

The seventeenth step , Turn on the remote desktop function of the target ：

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

The eighteenth step , stay Windows 7 Penetration machine press Win+R Key or click Start Menu - function , Input mstsc

The nineteenth step , enter server IP Click Connect after the address

The twentieth step , Sign in hacker/123456

Step 21 , Go to remote desktop , open cmd, Input net user hacker

So far, the right has been raised successfully .