This post briefly describes how to have Metasploit read target addresses from a file when running a check.
Take the MS17-010 check as an example. When setting the RHOSTS option you can give a target address range or a CIDR block; a single IP as the target also works.
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   CHECK_DOPU  true             yes       Check for DOUBLEPULSAR on vulnerable hosts
   RHOSTS                       yes       The target address range or CIDR identifier
   RPORT       445              yes       The SMB service port (TCP)
   SMBDomain   .                no        The Windows domain to use for authentication
   SMBPass                      no        The password for the specified username
   SMBUser                      no        The username to authenticate as
   THREADS     1                yes       The number of concurrent threads
But how do you make it read the target addresses from a file?
You can use the file: prefix to point RHOSTS at the file to read, like so:
msf auxiliary(smb_ms17_010) > set rhosts file:/root/pentest/10-all.txt   # set the file to read targets from
rhosts => file:/root/pentest/10-all.txt
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name        Current Setting                Required  Description
   ----        ---------------                --------  -----------
   CHECK_DOPU  true                           yes       Check for DOUBLEPULSAR on vulnerable hosts
   RHOSTS      file:/root/pentest/10-all.txt  yes       The target address range or CIDR identifier
   RPORT       445                            yes       The SMB service port (TCP)
   SMBDomain   .                              no        The Windows domain to use for authentication
   SMBPass                                    no        The password for the specified username
   SMBUser                                    no        The username to authenticate as
   THREADS     1                              yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > set threads 10
threads => 10
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name        Current Setting                Required  Description
   ----        ---------------                --------  -----------
   CHECK_DOPU  true                           yes       Check for DOUBLEPULSAR on vulnerable hosts
   RHOSTS      file:/root/pentest/10-all.txt  yes       The target address range or CIDR identifier
   RPORT       445                            yes       The SMB service port (TCP)
   SMBDomain   .                              no        The Windows domain to use for authentication
   SMBPass                                    no        The password for the specified username
   SMBUser                                    no        The username to authenticate as
   THREADS     10                             yes       The number of concurrent threads
Once the options are set, you can run the scan.
msf auxiliary(smb_ms17_010) > spool ms17-010.txt   # write the console output to a file
[*] Spooling to file ms17-010.txt...
msf auxiliary(smb_ms17_010) > exploit   # run the check
[-] 10.0.0.17:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.0.0.13:445 - Host does NOT appear vulnerable.
[-] 10.0.0.14:445 - Host does NOT appear vulnerable.
[-] 10.0.0.2:445 - Host does NOT appear vulnerable.
[-] 10.0.0.11:445 - Host does NOT appear vulnerable.
[-] 10.2.2.25:445 - Host does NOT appear vulnerable.
[-] 10.2.3.160:445 - Host does NOT appear vulnerable.
[-] 10.2.3.162:445 - Host does NOT appear vulnerable.
[-] 10.5.0.2:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.5.0.11:445 - Host does NOT appear vulnerable.
[-] 10.5.0.13:445 - Host does NOT appear vulnerable.
[-] 10.5.0.24:445 - Host does NOT appear vulnerable.
[+] 10.5.0.25:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2012 R2 Standard 9600)
After the scan finishes, run spool off to stop recording.
The file ms17-010.txt will then contain every result line from the check.
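Once the spool file exists, the next job for a defender is to triage it: which hosts are flagged as likely vulnerable and need patching, which were confirmed not vulnerable, and which produced an SMB login error and therefore were never actually checked. The following Python script is an added example, not part of the post or of Metasploit; it parses the `[+]` / `[-]` result lines in the format shown above (the line shape is assumed from the post's output) and the sample spool text is constructed from those same lines.

```python
import re
from collections import defaultdict

# Constructed sample of a spool file, built from the result lines shown in the
# post. The first two lines are console chatter and must be ignored.
SAMPLE_SPOOL = """\
[*] Spooling to file ms17-010.txt...
msf auxiliary(smb_ms17_010) > exploit
[-] 10.0.0.17:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.0.0.13:445 - Host does NOT appear vulnerable.
[-] 10.0.0.14:445 - Host does NOT appear vulnerable.
[-] 10.5.0.2:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[+] 10.5.0.25:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2012 R2 Standard 9600)
"""

# One result line: "[tag] host:port - message" (format assumed from the post).
RESULT_RE = re.compile(r'^\[([+\-*!])\]\s+(\S+?):(\d+)\s+-\s+(.*)$')


def classify(message):
    """Map a result message to a triage category."""
    if "likely VULNERABLE" in message:
        return "vulnerable"
    if "does NOT appear vulnerable" in message:
        return "not_vulnerable"
    # Anything else (login errors, timeouts) means the host was not checked.
    return "unchecked"


def os_banner(message):
    """Return the OS string the module prints in trailing parentheses, if any."""
    m = re.search(r'\(([^)]*)\)\s*$', message)
    return m.group(1) if m else None


def parse_spool(text):
    """Return {category: [(host, port, message), ...]} for every result line."""
    results = defaultdict(list)
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue  # console prompts, spool notices, banners
        _tag, host, port, msg = m.groups()
        results[classify(msg)].append((host, int(port), msg))
    return dict(results)


def triage(text):
    """Produce a compact report: hosts to patch, hosts to re-run, totals."""
    results = parse_spool(text)
    return {
        "patch": [(h, os_banner(m)) for h, _p, m in results.get("vulnerable", [])],
        "recheck": [h for h, _p, _m in results.get("unchecked", [])],
        "counts": {k: len(v) for k, v in results.items()},
    }


def load_spool(path):
    """Read a real spool file written by msfconsole and triage it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    report = triage(SAMPLE_SPOOL)
    print("Hosts to patch (MS17-010):")
    for host, banner in report["patch"]:
        print(f"  {host}  {banner or ''}")
    print("Hosts that were not actually checked (re-run with credentials or fix access):")
    for host in report["recheck"]:
        print(f"  {host}")
    print("Totals:", report["counts"])
```

Run it against a real file with `load_spool("ms17-010.txt")`. The "unchecked" bucket matters: an SMB login error line is printed with the same `[-]` tag as a clean host, so a naive grep for `[+]` would silently treat those hosts as safe.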