Record of a Windows 7 operating system penetration test

# This document is for experimentation only; please do not use it for malicious attacks!

The "Network Security Law of the People's Republic of China" addresses the offence of maliciously damaging computer information systems in Article 27, which provides:

Article 27 No unit or individual may, for the purpose of undermining the security of computer information systems, produce, sell, or disseminate destructive programs such as computer viruses, or provide tools specially used for producing or disseminating destructive programs; whoever destroys the functions of a computer information system by using other destructive programs, or otherwise destroys the functions of a computer information system, causing it to fail to operate normally or to be unusable, thereby endangering the security of the computer information system, shall be investigated for criminal responsibility in accordance with the provisions of this Law.

Lab environment:

1. Kali Linux IP address: 192.168.94.139

2. Windows Server 2008 IP address: 192.168.94.145

Scanning the target with nmap -sV shows that it is running Windows Server 2008 and that port 445 (SMB) is open.
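As an added illustration from the defender's side (this is not code from the original post), the following Python script parses nmap's grepable (-oG) output and reports which of the services this walkthrough relies on are exposed. The scan line is constructed to mirror the result described above; the list of risky services and the remediation hints are assumptions to tune for your own network.

```python
"""Exposure check over nmap grepable (-oG) output.

nmap's -oG port entries have the form
port/state/proto/owner/service/rpcinfo/version/ and are separated by ", ".
The sample below is constructed to resemble the scan in the write-up; it is
not the author's real output.
"""
import re

# Constructed sample of `nmap -sV -oG - 192.168.94.145` output.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG - 192.168.94.145
Host: 192.168.94.145 ()\tStatus: Up
Host: 192.168.94.145 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 R2 - 2012 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# port / state / proto / owner / service / rpcinfo / version /
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

# Services whose exposure the write-up exploits, with the control a defender
# would check first (assumption: treat any open instance as a finding).
RISKY_SERVICES = {
    139: "NetBIOS session service reachable: usually unneeded alongside SMB on 445",
    445: "SMB reachable: verify the MS17-010 patch is installed and disable SMBv1",
    3389: "RDP reachable: require NLA/MFA and restrict the source networks",
}


def parse_gnmap(text):
    """Return {ip: [{"port", "proto", "service", "version"}, ...]} for open ports."""
    hosts = {}
    for line in text.splitlines():
        # Only "Host:" lines that carry a "Ports:" field list services.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            if state == "open":
                hosts.setdefault(ip, []).append({
                    "port": int(port),
                    "proto": proto,
                    "service": service,
                    "version": version.strip(),
                })
    return hosts


def exposure_findings(hosts):
    """List (ip, port, advice) for every open port in RISKY_SERVICES."""
    findings = []
    for ip, ports in hosts.items():
        for p in ports:
            if p["port"] in RISKY_SERVICES:
                findings.append((ip, p["port"], RISKY_SERVICES[p["port"]]))
    return findings


if __name__ == "__main__":
    for ip, port, advice in exposure_findings(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}:{port}  {advice}")
```

Feed it real output with `nmap -sV -oG scan.gnmap <range>` and `parse_gnmap(open("scan.gnmap").read())`; the version column from -sV is what tells you whether a host is still on a product line that needed the MS17-010 fix.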

Port 445 is associated with the MS17-010 (EternalBlue) vulnerability, so we try to exploit it first.

After setting the module's parameters, run exploit.

This drops us into a Meterpreter session.

Meterpreter is a powerful component of the Metasploit framework. It is used as the payload once the vulnerability has been triggered: when the payload runs, it hands back a channel under our control through which commands can be executed remotely.

Metasploit provides Meterpreter builds for the major platforms, including Windows and Linux, on both x86 and x64, and there are also PHP- and Java-based implementations. Meterpreter runs entirely in memory: it starts without touching the target host's disk, which makes it hard for anti-virus software to detect and leaves no intrusion traces on disk. Meterpreter can also be extended with Ruby scripts, so some familiarity with Ruby is useful.

getuid shows that the current session already runs with SYSTEM privileges.

Next, we use load kiwi (the kiwi module requires SYSTEM privileges) to recover the administrator user's password.

The kiwi_cmd command exposes all of mimikatz's functionality; mimikatz commands can be passed to kiwi_cmd directly.

load kiwi must be entered in the Meterpreter session once before the kiwi commands become available.

Run creds_all // get all passwords

Now we have the password. Recall that the earlier nmap scan found port 3389 (Remote Desktop) open on the target, so we can use the password to log in to the system remotely.

Connect to the system over Remote Desktop, and the experiment is over!
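As an added detection-side example (not part of the original write-up), the following Python script shows how the two post-exploitation steps above, credential extraction from LSASS by kiwi/mimikatz and a remote-desktop logon with the recovered password, can be correlated in endpoint telemetry. The records are constructed; their field names follow Sysmon Event ID 10 (ProcessAccess) and Windows Security Event 4624 (Logon), but the simplified JSON layout, the timing window and the process allowlist are assumptions.

```python
"""Correlate LSASS credential access with a following remote-interactive logon.

The telemetry below is constructed for this example. Field names mirror
Sysmon Event ID 10 (SourceImage/TargetImage/GrantedAccess) and Security
Event 4624 (LogonType/TargetUserName/IpAddress), flattened into one JSON
record per line rather than the native EVTX/XML layout.
"""
import json
from datetime import datetime, timedelta

# Process access right that allows reading another process's memory;
# credential dumpers need it against lsass.exe.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS on a typical host
# (assumption: tune this allowlist to your environment).
LSASS_ALLOWLIST = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Windows\System32\services.exe",
}

# Constructed sample telemetry: a benign LSASS open, a suspicious one from a
# process that has no business reading LSASS, an RDP logon (type 10) to the
# Administrator account a few minutes later, and an unrelated RDP logon on
# another host with no preceding LSASS access.
SAMPLE_LOG = r"""
{"ts": "2023-05-11T10:00:00", "host": "WIN2008-01", "event_id": 10, "source_image": "C:\\Windows\\System32\\csrss.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"}
{"ts": "2023-05-11T10:02:13", "host": "WIN2008-01", "event_id": 10, "source_image": "C:\\Windows\\System32\\spoolsv.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"}
{"ts": "2023-05-11T10:05:40", "host": "WIN2008-01", "event_id": 4624, "logon_type": 10, "target_user": "Administrator", "ip_address": "192.168.94.139"}
{"ts": "2023-05-11T09:00:00", "host": "WIN2008-02", "event_id": 4624, "logon_type": 10, "target_user": "helpdesk", "ip_address": "10.0.5.7"}
"""


def parse_records(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def lsass_access_alerts(records):
    """Sysmon 10 events where a non-allowlisted process got read access to lsass.exe."""
    alerts = []
    for r in records:
        if r.get("event_id") != 10:
            continue
        if not r["target_image"].lower().endswith("\\lsass.exe"):
            continue
        rights = int(r["granted_access"], 16)
        if rights & PROCESS_VM_READ and r["source_image"] not in LSASS_ALLOWLIST:
            alerts.append(r)
    return alerts


def remote_logons(records, logon_type=10):
    """Security 4624 events of the given logon type (10 = RemoteInteractive/RDP)."""
    return [r for r in records if r.get("event_id") == 4624 and r.get("logon_type") == logon_type]


def correlate(records, window=timedelta(minutes=30)):
    """Pair each LSASS-access alert with RDP logons on the same host inside `window`."""
    findings = []
    for a in lsass_access_alerts(records):
        t0 = datetime.fromisoformat(a["ts"])
        for l in remote_logons(records):
            if l["host"] != a["host"]:
                continue
            t1 = datetime.fromisoformat(l["ts"])
            if t0 <= t1 <= t0 + window:
                findings.append({
                    "host": a["host"],
                    "dumper": a["source_image"],
                    "logon_user": l["target_user"],
                    "logon_from": l["ip_address"],
                    "seconds_after": int((t1 - t0).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_records(SAMPLE_LOG)):
        print(f"{f['host']}: {f['dumper']} read LSASS, then RDP logon as "
              f"{f['logon_user']} from {f['logon_from']} {f['seconds_after']}s later")
```

The LSASS-access rule alone already fires on the second record; the correlation adds the context that makes it actionable (which account was used afterwards and from where), which is exactly the sequence this walkthrough performs.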


Origin blog.csdn.net/qq_50377269/article/details/130642061