AnYun.ORG (安云网) | Network information gathering, data sharing, network security research and assorted net curiosities.

Detecting the MS17-010 vulnerability, and checking whether a backdoor has been implanted

Date: 2017-05-16  Source: milsec  Author: milsec
Source: http://mp.weixin.qq.com/s/SOhGCP9woHBkDdSqRLQmdg

I am not trying to ride the news cycle or to show off. Many friends have asked me for a way to detect and tally the exposure inside their internal network. What circulates most on Weibo right now is how to close the port, stop the service, recover files and install the patch; nobody has explained how to detect the vulnerability across an internal network, or how to tell whether a machine has already been broken into and had a backdoor planted. Almost all the published statistics cover the public Internet, padded with blanket accusations, and that is of little use to whoever manages an enterprise network. This post gives an in-house self-assessment method: no dedicated detection tool is needed, just msf (Metasploit), which we use to run a series of checks that cover both vulnerability detection and backdoor detection on the internal network.


The only tool needed is Metasploit; no so-called third-party dedicated scanner is involved. I will show a fairly convenient way to run the vulnerability check and the backdoor check, and the results make it immediately obvious which machines on the internal network are vulnerable, which have already had a backdoor implanted, and which need the patch.


There are several ways to enumerate SMB hosts and their versions. Most people reach for nmap, and it is not the best fit here. The reason is not that nmap cannot identify the operating system (its smb-os-discovery NSE script reports the OS and build), but that the Metasploit smb_version module writes its findings straight into the Metasploit database, which is what lets us hand the host list to the next module without any copy-and-paste. Two modules are all we need; the steps follow.


First, scan for SMB version information; in practice this is a sweep for machines with SMB exposed.


msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > info

       Name: SMB Version Detection
     Module: auxiliary/scanner/smb/smb_version
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <[email protected]>

Basic options:
  Name       Current Setting               Required  Description
  ----       ---------------               --------  -----------
  RHOSTS     192.168.1.0/24 172.16.0.0/24  yes       The target address range or CIDR identifier
  SMBDomain  .                             no        The Windows domain to use for authentication
  SMBPass                                  no        The password for the specified username
  SMBUser                                  no        The username to authenticate as
  THREADS    100                           yes       The number of concurrent threads

Description:
  Display version information about each system

msf auxiliary(smb_version) > set RHOSTS 192.168.1.0/24 172.16.10.0/24 10.10.0.0/24
RHOSTS => 192.168.1.0/24 172.16.10.0/24 10.10.0.0/24
msf auxiliary(smb_version) > set THREADS 100
THREADS => 100
msf auxiliary(smb_version) > run


Wait for the scan to complete. Every result is saved in the Metasploit database, so we can pull the IPs of the SMB hosts found so far and pass them to the next detection module:


msf auxiliary(smb_version) > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > info

       Name: MS17-010 SMB RCE Detection
     Module: auxiliary/scanner/smb/smb_ms17_010
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Sean Dillon <[email protected]>
  Luke Jennings

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      445              yes       The SMB service port (TCP)
  SMBDomain  .                no        The Windows domain to use for authentication
  SMBPass                     no        The password for the specified username
  SMBUser                     no        The username to authenticate as
  THREADS    1                yes       The number of concurrent threads

Description:
  Uses information disclosure to determine if MS17-010 has been
  patched or not. Specifically, it connects to the IPC$ tree and
  attempts a transaction on FID 0. If the status returned is
  "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the
  MS17-010 patch. If the machine is missing the MS17-010 patch, the
  module will check for an existing DoublePulsar (ring 0
  shellcode/malware) infection. This module does not require valid SMB
  credentials in default server configurations. It can log on as the
  user "\" and connect to IPC$.

References:
  https://cvedetails.com/cve/CVE-2017-0143/
  https://cvedetails.com/cve/CVE-2017-0144/
  https://cvedetails.com/cve/CVE-2017-0145/
  https://cvedetails.com/cve/CVE-2017-0146/
  https://cvedetails.com/cve/CVE-2017-0147/
  https://cvedetails.com/cve/CVE-2017-0148/
  https://technet.microsoft.com/en-us/library/security/MS17-010
  https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
  https://github.com/countercept/doublepulsar-detection-script
  https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

msf auxiliary(smb_ms17_010) > services -r tcp -p 445 -R

Services
========

host            port  proto  name  state  info
----            ----  -----  ----  -----  ----
192.168.63.36   445   tcp    smb   open   Windows 7 Ultimate SP1 (build:7601) (name:ZGC-20160503MHI) (workgroup:WORKGROUP )
192.168.63.58   445   tcp    smb   open   Windows 7 Professional SP1 (build:7601) (name:LENOVO-PC)
192.168.63.121  445   tcp    smb   open   Windows 7 Professional SP1 (build:7601) (name:LENOVO-PC) (workgroup:WORKGROUP )
192.168.63.233  445   tcp    smb   open   ()
192.168.63.245  445   tcp    smb   open   Windows 7 Ultimate (build:7600) (name:WIN-HQ8SS0G00MR) (workgroup:WORKGROUP )
192.168.63.254  445   tcp    smb   open   Windows 2012 R2 Standard (build:9600) (name:83NS-CDUQDUDATB)

RHOSTS => file:/tmp/msf-db-rhosts-20170514-1802-ksv006

msf auxiliary(smb_ms17_010) > set THREADS 100
THREADS => 100
msf auxiliary(smb_ms17_010) > run

[*] Scanned  98 of 256 hosts (38% complete)
[*] Scanned 100 of 256 hosts (39% complete)
[*] Scanned 102 of 256 hosts (39% complete)
[+] 192.168.63.121:445   - Host is likely VULNERABLE to MS17-010!  (Windows Server 2003 3790 Service Pack 2)
[*] Scanned 127 of 256 hosts (49% complete)
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 194 of 256 hosts (75% complete)
[*] Scanned 198 of 256 hosts (77% complete)
[*] Scanned 228 of 256 hosts (89% complete)
[*] Scanned 241 of 256 hosts (94% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


These results are stored in the database as well, so all we need to run is


msf auxiliary(smb_ms17_010) > vulns -R

………………………………
………………………………
RHOSTS => file:/var/folders/09/0k_s4_wx3vz6kyvblzrz9fsh0000gn/T/msf-db-rhosts-20170515-40366-ksyx9u

Now cat /var/folders/09/0k_s4_wx3vz6kyvblzrz9fsh0000gn/T/msf-db-rhosts-20170515-40366-ksyx9u lists every host that has the MS17-010 vulnerability; what remains is to patch them.

Three points to keep in mind when reading the results. First, vulns -R writes every host that has any vulnerability recorded in the current workspace into that file, not only MS17-010 findings, so run the sweep in a fresh workspace (workspace -a) if the database already holds results from other scans. Second, the module only flags a host when the anonymous IPC$ probe comes back with STATUS_INSUFF_SERVER_RESOURCES. A host with SMBv1 disabled cannot be probed this way, which is fine because it is also not exploitable over this path, but a host that refuses anonymous IPC$ connections (a hardened, non-default configuration, as the module description notes) is skipped as well; set SMBUser and SMBPass for those ranges rather than assuming they are clean. Third, the DoublePulsar check runs only on hosts found unpatched, and an infected host is reported on its own warning line that names DoublePulsar, so search the console output for that name rather than relying on the RHOSTS file alone. A host that shows up as infected has already been compromised at ring 0: it needs to be isolated and rebuilt, not merely patched.
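To make the module description above concrete (what "a transaction on FID 0" and the DoublePulsar check actually put on the wire), here is an added example, my own code rather than anything from the original post or from Metasploit: a dependency-free Ruby probe that builds the SMBv1 packets itself, classifies the NT status of the PeekNamedPipe response, and then sends the Trans2 SESSION_SETUP ping that a DoublePulsar-hooked server answers with a shifted multiplex ID. The structure layouts follow MS-CIFS; the particular flags, capabilities, buffer sizes and "Unix"/"Samba" native strings, the opcode-by-byte-sum rule for the ping (taken from the zerosum0x0 write-up in the module's references), the 0x41/0x51 MID convention (from the countercept script, also referenced), and the file name in the usage note are assumptions of this example, not facts the post states. smb_header takes a status: argument so that a server response can be constructed offline for testing.

```ruby
# Added example (not the post's or Metasploit's code): a dependency-free
# re-implementation of the two probes the smb_ms17_010 description lists:
#  1. null SMBv1 session -> IPC$ -> TRANS PeekNamedPipe on FID 0; status
#     STATUS_INSUFF_SERVER_RESOURCES = unpatched, ACCESS_DENIED/INVALID_HANDLE = patched
#  2. TRANS2 SESSION_SETUP ping sent with MID 0x41; DoublePulsar answers with MID 0x51.
# Layouts follow MS-CIFS; flag, capability and buffer values are assumptions.
require 'socket'
SMB_MAGIC = "\xffSMB".b
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_ACCESS_DENIED           = 0xC0000022
STATUS_INVALID_HANDLE          = 0xC0000008

# 32-byte SMBv1 header; flags2 0x4001 = 32-bit NT status codes + long names (ASCII).
def smb_header(cmd, status: 0, tid: 0, uid: 0, mid: 0, pid: 0xfeff)
  [SMB_MAGIC, cmd, status, 0x18, 0x4001, 0, "\x00" * 8, 0, tid, pid, uid, mid].pack('a4CVCvva8vvvvv')
end

# NetBIOS session service framing: message type 0 + 3-byte big-endian length.
def nb_frame(smb)
  [0, smb.bytesize >> 16, smb.bytesize & 0xffff].pack('CCn') + smb
end

# SMB_COM_NEGOTIATE (0x72), offering only the NT LM 0.12 dialect.
def negotiate_request
  dialects = "\x02NT LM 0.12\x00"
  smb_header(0x72) + [0, dialects.bytesize].pack('Cv') + dialects
end

# SMB_COM_SESSION_SETUP_ANDX (0x73), NT LM 0.12 layout: user "", domain "",
# zero-length OEM/Unicode passwords, i.e. the null session the module uses.
def session_setup_request
  words = [0xff, 0, 0, 0xffff, 2, 1, 0, 0, 0, 0, 0x50].pack('CCvvvvVvvVV')
  data  = "\x00\x00Unix\x00Samba\x00" # AccountName, PrimaryDomain, NativeOS, NativeLanMan
  smb_header(0x73) + [13].pack('C') + words + [data.bytesize].pack('v') + data
end

# SMB_COM_TREE_CONNECT_ANDX (0x75) to \\host\IPC$ with an empty password.
def tree_connect_request(host, uid)
  data = "\x00\\\\#{host}\\IPC$\x00?????\x00"
  smb_header(0x75, uid: uid, mid: 1) + [4, 0xff, 0, 0, 0, 1].pack('CCCvvv') +
    [data.bytesize].pack('v') + data
end

# SMB_COM_TRANSACTION (0x25), setup [TRANS_PEEK_NMPIPE 0x23, FID 0] on \PIPE\:
# the "transaction on FID 0" from the module description.
def peek_named_pipe_request(tid, uid)
  name = "\\PIPE\\\x00"
  off  = 32 + 1 + 32 + 2 + name.bytesize # 74, first byte after the name
  words = [0, 0, 0xffff, 0xffff, 0, 0, 0, 0, 0, 0, off, 0, off, 2, 0, 0x23, 0]
  smb_header(0x25, tid: tid, uid: uid, mid: 2) + [16].pack('C') +
    words.pack('vvvvCCvVvvvvvCCvv') + [name.bytesize].pack('v') + name
end

# SMB_COM_TRANSACTION2 (0x32), subcommand SESSION_SETUP (0x000e), MID 0x41.
# DoublePulsar reads its opcode from the byte sum of Timeout (0x23 = ping,
# per the zerosum0x0 write-up); a pad byte and 12 zero parameter bytes follow.
def doublepulsar_ping_request(tid, uid)
  words = [12, 0, 1, 0, 0, 0, 0, 0x23, 0, 12, 66, 0, 78, 1, 0, 0x000e]
  smb_header(0x32, tid: tid, uid: uid, mid: 0x41) + [15].pack('C') +
    words.pack('vvvvCCvVvvvvvCCv') + [13].pack('v') + "\x00" * 13
end

def parse_smb_header(raw)
  raise 'not an SMBv1 response' unless raw && raw.bytesize >= 32 && raw.byteslice(0, 4) == SMB_MAGIC
  f = raw.unpack('a4CVCvva8vvvvv')
  { cmd: f[1], status: f[2], tid: f[8], uid: f[10], mid: f[11] }
end

def ms17_010_verdict(status)
  case status
  when STATUS_INSUFF_SERVER_RESOURCES then :unpatched
  when STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE then :patched
  else :unknown
  end
end

def doublepulsar_present?(response_mid, request_mid = 0x41)
  response_mid == request_mid + 0x10
end

def exchange(sock, request, expect_ok: false)
  sock.write(nb_frame(request))
  len = (sock.read(4) or raise 'connection closed').unpack1('N') & 0x00ffffff
  rsp = parse_smb_header(sock.read(len))
  raise format('cmd 0x%02x failed with 0x%08x', rsp[:cmd], rsp[:status]) if expect_ok && rsp[:status] != 0
  rsp
end

# Full probe of one host: the same two facts the Metasploit module reports.
def probe(host, port = 445, timeout = 5)
  Socket.tcp(host, port, connect_timeout: timeout) do |s|
    exchange(s, negotiate_request, expect_ok: true)
    uid = exchange(s, session_setup_request, expect_ok: true)[:uid]
    tid = exchange(s, tree_connect_request(host, uid), expect_ok: true)[:tid]
    verdict  = ms17_010_verdict(exchange(s, peek_named_pipe_request(tid, uid))[:status])
    infected = verdict == :unpatched &&
               doublepulsar_present?(exchange(s, doublepulsar_ping_request(tid, uid))[:mid])
    { host: host, ms17_010: verdict, doublepulsar: infected }
  end
end

ARGV.each { |h| puts probe(h).inspect } if __FILE__ == $PROGRAM_NAME
```

Run it as ruby ms17_010_probe.rb 192.168.63.121 (file name assumed) against a host from the smb_version sweep; it prints one hash per host. A host with SMBv1 disabled answers the negotiate with something other than an SMBv1 header and the probe raises, and a host that refuses the null session fails at session setup: both are the blind spots noted above, and both are why the Metasploit module remains the better tool for a whole range, since it also records every result in the database for vulns -R.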
