Reading target addresses from a file in Metasploit


  This post briefly shows how to have Metasploit read its target addresses from a file when running a check.

  Take the MS17-010 check as an example: when setting the RHOSTS parameter you can give a target address range or a CIDR block, and a single IP works as well.

  Reference: Metasploit set rhosts file

msf > use auxiliary/scanner/smb/smb_ms17_010 
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   CHECK_DOPU  true             yes       Check for DOUBLEPULSAR on vulnerable hosts
   RHOSTS                       yes       The target address range or CIDR identifier
   RPORT       445              yes       The SMB service port (TCP)
   SMBDomain   .                no        The Windows domain to use for authentication
   SMBPass                      no        The password for the specified username
   SMBUser                      no        The username to authenticate as
   THREADS     1                yes       The number of concurrent threads

  But how do you tell it to read the target addresses from a file?

  You can point RHOSTS at a file with the file: prefix, as follows:

msf auxiliary(smb_ms17_010) > set rhosts file:/root/pentest/10-all.txt # set the file to read targets from
rhosts => file:/root/pentest/10-all.txt
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name        Current Setting                Required  Description
   ----        ---------------                --------  -----------
   CHECK_DOPU  true                           yes       Check for DOUBLEPULSAR on vulnerable hosts
   RHOSTS      file:/root/pentest/10-all.txt  yes       The target address range or CIDR identifier
   RPORT       445                            yes       The SMB service port (TCP)
   SMBDomain   .                              no        The Windows domain to use for authentication
   SMBPass                                    no        The password for the specified username
   SMBUser                                    no        The username to authenticate as
   THREADS     1                              yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > set threads 10
threads => 10
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name        Current Setting                Required  Description
   ----        ---------------                --------  -----------
   CHECK_DOPU  true                           yes       Check for DOUBLEPULSAR on vulnerable hosts
   RHOSTS      file:/root/pentest/10-all.txt  yes       The target address range or CIDR identifier
   RPORT       445                            yes       The SMB service port (TCP)
   SMBDomain   .                              no        The Windows domain to use for authentication
   SMBPass                                    no        The password for the specified username
   SMBUser                                    no        The username to authenticate as
   THREADS     10                             yes       The number of concurrent threads

  Once the options are set, the scan can be run.

msf auxiliary(smb_ms17_010) > spool ms17-010.txt # write console output to a file
[*] Spooling to file ms17-010.txt...
msf auxiliary(smb_ms17_010) > exploit # run the check

[-] 10.0.0.17:445         - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.0.0.13:445         - Host does NOT appear vulnerable.
[-] 10.0.0.14:445         - Host does NOT appear vulnerable.
[-] 10.0.0.2:445          - Host does NOT appear vulnerable.
[-] 10.0.0.11:445         - Host does NOT appear vulnerable.

[-] 10.2.2.25:445         - Host does NOT appear vulnerable.
[-] 10.2.3.160:445        - Host does NOT appear vulnerable.
[-] 10.2.3.162:445        - Host does NOT appear vulnerable.
[-] 10.5.0.2:445          - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.5.0.11:445         - Host does NOT appear vulnerable.
[-] 10.5.0.13:445         - Host does NOT appear vulnerable.
[-] 10.5.0.24:445         - Host does NOT appear vulnerable.
[+] 10.5.0.25:445         - Host is likely VULNERABLE to MS17-010!  (Windows Server 2012 R2 Standard 9600)

  When the scan finishes, use spool off to stop recording.

  The file ms17-010.txt will then hold every record from the check.
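  As an added example (not part of the original post), here is a small Python parser for the spool file produced above. It separates hosts the module flagged as vulnerable from hosts it reported as not vulnerable and from hosts where the check never completed (the SMB login errors seen in the output), since those last ones are unknown rather than clean. The spool text embedded in it is constructed for the demo, with made-up addresses.

```python
import re
from collections import defaultdict

# Constructed sample spool file, modelled on the smb_ms17_010 output
# shown in this post (addresses and OS string are made up for the demo).
SAMPLE_SPOOL = """\
[*] Spooling to file ms17-010.txt...
msf auxiliary(smb_ms17_010) > exploit
[-] 10.0.0.17:445         - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.0.0.13:445         - Host does NOT appear vulnerable.
[-] 10.0.0.14:445         - Host does NOT appear vulnerable.
[+] 10.5.0.25:445         - Host is likely VULNERABLE to MS17-010!  (Windows Server 2012 R2 Standard 9600)
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# One per-host result line: "[tag] host:port - message"
RESULT_RE = re.compile(r"^\[([+\-*])\]\s+([^\s:]+):(\d+)\s+-\s+(.*?)\s*$")
# Trailing "(OS string)" that the module appends to VULNERABLE lines
OS_RE = re.compile(r"\(([^()]*)\)\s*$")

def parse_spool(text):
    """Group per-host lines into 'vulnerable', 'not_vulnerable' and 'error'.

    Each entry is (host, port, detail); detail is the OS string for
    vulnerable hosts and the module's message otherwise.
    """
    results = defaultdict(list)
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue  # prompt echoes and [*] progress lines carry no host result
        tag, host, port, msg = m.groups()
        if tag == "+" and "VULNERABLE" in msg:
            os_match = OS_RE.search(msg)
            results["vulnerable"].append((host, int(port), os_match.group(1) if os_match else ""))
        elif "does NOT appear vulnerable" in msg:
            results["not_vulnerable"].append((host, int(port), msg))
        else:
            # Login/connection errors mean the check never ran: unknown, not clean
            results["error"].append((host, int(port), msg))
    return results

def hosts_needing_followup(results):
    """Hosts to patch or re-check: confirmed vulnerable plus every host the check could not complete."""
    return sorted({h for h, _, _ in results["vulnerable"]} | {h for h, _, _ in results["error"]})

if __name__ == "__main__":
    r = parse_spool(SAMPLE_SPOOL)
    for bucket in ("vulnerable", "error", "not_vulnerable"):
        print(f"{bucket}: {len(r[bucket])}")
    print("follow up:", hosts_needing_followup(r))
```

Run it against the real ms17-010.txt by reading the file into parse_spool instead of SAMPLE_SPOOL.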

