#############
## metasplot
#############
Attacker ~# msfconsole
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/
=[ metasploit v6.1.14-dev ]
+ -- --=[ 2180 exploits - 1155 auxiliary - 399 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Adapter names can be used for IP params
set LHOST eth0
msf6 > exit
Attacker ~# msfconsole --help
| Usage: msfconsole [options] Common options: -E, --environment ENVIRONMENT Set Rails environment, defaults to RAIL_ENV environment variable or 'production' Database options: -M, --migration-path DIRECTORY Specify a directory containing additional DB migrations -n, --no-database Disable database support -y, --yaml PATH Specify a YAML file containing database settings Framework options: -c FILE Load the specified configuration file -v, -V, --version Show version Module options: --defer-module-loads Defer module loading unless explicitly asked -m, --module-path DIRECTORY Load an additional module path Console options: -a, --ask Ask before exiting Metasploit or accept 'exit -y' -H, --history-file FILE Save command history to the specified file -l, --logger STRING Specify a logger to use (TimestampColorlessFlatfile, Flatfile, StdoutWithoutTimestamps, Stderr, Stdout) -L, --real-readline Use the system Readline library instead of RbReadline -o, --output FILE Output to the specified file -p, --plugin PLUGIN Load a plugin on startup -q, --quiet Do not print the banner on startup -r, --resource FILE Execute the specified resource file (- for stdin) -x, --execute-command COMMAND Execute the specified console commands (use ; for multiples) -h, --help Show this message |
msf6 > help
:
:(생략)
msf6 > show exploitsmsf6 > show exploits
msf6 > show payloads
msf6 > help search
msf6 > search ms08_067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
msf6 > help info
:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
https://docs.microsoft.com/ko-kr/security-updates/SecurityBulletins/2008/MS08-067
msf6 > info exploit/windows/smb/ms08_067_netapi
Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption <-- 모듈을 설명하는 이름
Module: exploit/windows/smb/ms08_067_netapi <-- 모듈명
Platform: Windows <-- 플랫폼은 이 공격이 윈도우 시스템에 해당되는 것을 의미한다.
Arch:
Privileged: Yes <-- 이 공격을 성공했을 때 목표 시스템에 대한 권한을 얻게 되는지 알려준다.
License: Metasploit Framework License (BSD)
Rank: Great <-- 순위는 이 공격으로 인하여 목표 시스템이 받게 되는 잠재적인 영향을 목록화한다.
Disclosed: 2008-10-28 <-- 공개된 날짜
Provided by: <-- 제공된 사람들
hdm <x@hdm.io>
Brett Moore <brett.moore@insomniasec.com>
frank2 <frank2@dc949.org>
jduck <jduck@metasploit.com>
Available targets: <-- 가용 목표는 해당 모듈이 공략할 수 있는 OS버전과 패치 레벨을 목록화한다. 총 72개의 공격 가능한 목표를 갖고 있다.
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
4 Windows XP SP2 English (AlwaysOn NX)
5 Windows XP SP2 English (NX)
6 Windows XP SP3 English (AlwaysOn NX)
7 Windows XP SP3 English (NX)
8 Windows XP SP2 Arabic (NX)
9 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
10 Windows XP SP2 Chinese - Simplified (NX)
11 Windows XP SP2 Chinese - Traditional (NX)
12 Windows XP SP2 Czech (NX)
13 Windows XP SP2 Danish (NX)
14 Windows XP SP2 German (NX)
15 Windows XP SP2 Greek (NX)
16 Windows XP SP2 Spanish (NX)
17 Windows XP SP2 Finnish (NX)
18 Windows XP SP2 French (NX)
19 Windows XP SP2 Hebrew (NX)
20 Windows XP SP2 Hungarian (NX)
21 Windows XP SP2 Italian (NX)
22 Windows XP SP2 Japanese (NX)
23 Windows XP SP2 Korean (NX)
24 Windows XP SP2 Dutch (NX)
25 Windows XP SP2 Norwegian (NX)
26 Windows XP SP2 Polish (NX)
27 Windows XP SP2 Portuguese - Brazilian (NX)
28 Windows XP SP2 Portuguese (NX)
29 Windows XP SP2 Russian (NX)
30 Windows XP SP2 Swedish (NX)
31 Windows XP SP2 Turkish (NX)
32 Windows XP SP3 Arabic (NX)
33 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
34 Windows XP SP3 Chinese - Simplified (NX)
35 Windows XP SP3 Chinese - Traditional (NX)
36 Windows XP SP3 Czech (NX)
37 Windows XP SP3 Danish (NX)
38 Windows XP SP3 German (NX)
39 Windows XP SP3 Greek (NX)
40 Windows XP SP3 Spanish (NX)
41 Windows XP SP3 Finnish (NX)
42 Windows XP SP3 French (NX)
43 Windows XP SP3 Hebrew (NX)
44 Windows XP SP3 Hungarian (NX)
45 Windows XP SP3 Italian (NX)
46 Windows XP SP3 Japanese (NX)
47 Windows XP SP3 Korean (NX)
48 Windows XP SP3 Dutch (NX)
49 Windows XP SP3 Norwegian (NX)
50 Windows XP SP3 Polish (NX)
51 Windows XP SP3 Portuguese - Brazilian (NX)
52 Windows XP SP3 Portuguese (NX)
53 Windows XP SP3 Russian (NX)
54 Windows XP SP3 Swedish (NX)
55 Windows XP SP3 Turkish (NX)
56 Windows 2003 SP1 English (NO NX)
57 Windows 2003 SP1 English (NX)
58 Windows 2003 SP1 Japanese (NO NX)
59 Windows 2003 SP1 Spanish (NO NX)
60 Windows 2003 SP1 Spanish (NX)
61 Windows 2003 SP1 French (NO NX)
62 Windows 2003 SP1 French (NX)
63 Windows 2003 SP2 English (NO NX)
64 Windows 2003 SP2 English (NX)
65 Windows 2003 SP2 German (NO NX)
66 Windows 2003 SP2 German (NX)
67 Windows 2003 SP2 Portuguese - Brazilian (NX)
68 Windows 2003 SP2 Spanish (NO NX)
69 Windows 2003 SP2 Spanish (NX)
70 Windows 2003 SP2 Japanese (NO NX)
71 Windows 2003 SP2 French (NO NX)
72 Windows 2003 SP2 French (NX)
Check supported:
Yes
Basic options: <-- 기본 옵션은 다양한 옵션들이 존재한다.
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syn
tax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload information: <-- 페이로드 정보는 공격 코드에 사용할 수 있는 페이로드 정보를 담고 있다.
Space: 408
Avoid: 8 characters
Description: <-- 설명은 해당 모듈이 공격하는 특정 취약점에 관한 더 많은 정보를 포함하고 있다.
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.
References: <-- 참고는 온라인 취약점 데이터베이스 항목에 관한 링크다.
https://nvd.nist.gov/vuln/detail/CVE-2008-4250
OSVDB (49243)
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos
Vulnerability & Exploit Database
A curated repository of vetted computer software exploits and exploitable vulnerabilities. Technical details for over 140,000 vulnerabilities and 3,000 exploits are available for security professionals and researchers to review.
www.rapid7.com
'Linux > 모의해킹' 카테고리의 다른 글
| Windows XP 에서 Bind Shell 이해하기 (0) | 2022.01.03 |
|---|---|
| msfconsole 공격 기법 (0) | 2022.01.03 |
| hping3 로 IDLE 스캐닝 (0) | 2022.01.03 |
| TCP FIN 스캔 (-sF) (0) | 2021.12.31 |
| TCP SYN stealth 스캔 (Half open scan) (0) | 2021.12.31 |