Source: http://mp.weixin.qq.com/s/SOhGCP9woHBkDdSqRLQmdg
I don't want to ride the hype or show off, but a lot of friends have asked me about a detection and inventory approach for the intranet. What gets posted most on Weibo right now is how to close the port, how to stop the service, how to recover files and how to patch; nobody has raised how to detect the vulnerability on the intranet, or how to detect whether a host has already been broken into and backdoored. Almost everything is external-network statistics and all sorts of scattershot "maps", which is not much use for managing an enterprise's internal network. Here is a method enterprises can use to check themselves: no dedicated detection tool is needed, msf alone carries out the whole series of checks, giving both vulnerability detection and backdoor detection across the intranet.
The only tool required is Metasploit; we do not need any so-called third-party dedicated detection tool. I'll show a fairly convenient way to detect the vulnerability and the backdoor, and the results show directly which machines on the intranet are vulnerable, which already have a backdoor implanted, and which need patching.
There are various ways to collect SMB information and versions. Most people reach for nmap, but it is not what I recommend here: nmap's -O fingerprint is often imprecise about the exact Windows edition and service pack, whereas msf's smb_version module reads the OS and LAN Manager strings the server itself reports during the SMB session setup and records them in the msf database, where the next module can consume them directly. Without further ado, all we need are two modules:
First, scan for SMB version information; in practice this is how we discover which hosts have SMB open.
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > info

       Name: SMB Version Detection
     Module: auxiliary/scanner/smb/smb_version
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <[email protected]>

Basic options:
  Name       Current Setting                Required  Description
  ----       ---------------                --------  -----------
  RHOSTS     192.168.1.0/24 172.16.0.0/24   yes       The target address range or CIDR identifier
  SMBDomain  .                              no        The Windows domain to use for authentication
  SMBPass                                   no        The password for the specified username
  SMBUser                                   no        The username to authenticate as
  THREADS    100                            yes       The number of concurrent threads

Description:
  Display version information about each system

msf auxiliary(smb_version) > set RHOSTS 192.168.1.0/24 172.16.10.0/24 10.10.0.0/24
RHOSTS => 192.168.1.0/24 172.16.10.0/24 10.10.0.0/24
msf auxiliary(smb_version) > set THREADS 100
THREADS => 100
msf auxiliary(smb_version) > run
Wait for the scan to finish. Every result is stored in the Metasploit database (msfconsole must be connected to its PostgreSQL backend for this; check with db_status before scanning), so we can pull the IPs of the hosts found with SMB open straight out of the database and hand them to the next detection module:
msf auxiliary(smb_version) > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > info

       Name: MS17-010 SMB RCE Detection
     Module: auxiliary/scanner/smb/smb_ms17_010
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Sean Dillon <[email protected]>
  Luke Jennings

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      445              yes       The SMB service port (TCP)
  SMBDomain  .                no        The Windows domain to use for authentication
  SMBPass                     no        The password for the specified username
  SMBUser                     no        The username to authenticate as
  THREADS    1                yes       The number of concurrent threads

Description:
  Uses information disclosure to determine if MS17-010 has been
  patched or not. Specifically, it connects to the IPC$ tree and
  attempts a transaction on FID 0. If the status returned is
  "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the
  MS17-010 patch. If the machine is missing the MS17-010 patch, the
  module will check for an existing DoublePulsar (ring 0
  shellcode/malware) infection. This module does not require valid SMB
  credentials in default server configurations. It can log on as the
  user "\" and connect to IPC$.

References:
  https://cvedetails.com/cve/CVE-2017-0143/
  https://cvedetails.com/cve/CVE-2017-0144/
  https://cvedetails.com/cve/CVE-2017-0145/
  https://cvedetails.com/cve/CVE-2017-0146/
  https://cvedetails.com/cve/CVE-2017-0147/
  https://cvedetails.com/cve/CVE-2017-0148/
  https://technet.microsoft.com/en-us/library/security/MS17-010
  https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
  https://github.com/countercept/doublepulsar-detection-script
  https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
msf auxiliary(smb_ms17_010) > services -r tcp -p 445 -R

Services
========

host            port  proto  name  state  info
----            ----  -----  ----  -----  ----
192.168.63.36   445   tcp    smb   open   Windows 7 Ultimate SP1 (build:7601) (name:ZGC-20160503MHI) (workgroup:WORKGROUP )
192.168.63.58   445   tcp    smb   open   Windows 7 Professional SP1 (build:7601) (name:LENOVO-PC)
192.168.63.121  445   tcp    smb   open   Windows 7 Professional SP1 (build:7601) (name:LENOVO-PC) (workgroup:WORKGROUP )
192.168.63.233  445   tcp    smb   open   ()
192.168.63.245  445   tcp    smb   open   Windows 7 Ultimate (build:7600) (name:WIN-HQ8SS0G00MR) (workgroup:WORKGROUP )
192.168.63.254  445   tcp    smb   open   Windows 2012 R2 Standard (build:9600) (name:83NS-CDUQDUDATB)

RHOSTS => file:/tmp/msf-db-rhosts-20170514-1802-ksv006
msf auxiliary(smb_ms17_010) > set THREADS 100
THREADS => 100
msf auxiliary(smb_ms17_010) > run
[*] Scanned  98 of 256 hosts (38% complete)
[*] Scanned 100 of 256 hosts (39% complete)
[*] Scanned 102 of 256 hosts (39% complete)
[+] 192.168.63.121:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2003 3790 Service Pack 2)
[*] Scanned 127 of 256 hosts (49% complete)
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 194 of 256 hosts (75% complete)
[*] Scanned 198 of 256 hosts (77% complete)
[*] Scanned 228 of 256 hosts (89% complete)
[*] Scanned 241 of 256 hosts (94% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Everything the scan found is written to the database. A host that is unpatched and also answers the module's DoublePulsar check is reported on a separate line as infected; none showed up in this run. To collect the vulnerable hosts we only need to run
msf auxiliary(smb_ms17_010) > vulns -R
………………………………
………………………………
RHOSTS => file:/var/folders/09/0k_s4_wx3vz6kyvblzrz9fsh0000gn/T/msf-db-rhosts-20170515-40366-ksyx9u
Now just cat /var/folders/09/0k_s4_wx3vz6kyvblzrz9fsh0000gn/T/msf-db-rhosts-20170515-40366-ksyx9u to see every host with MS17-010; what remains is patching them. Two caveats: vulns -R gathers every host that has any vulnerability record in the current workspace, so run the whole procedure in a dedicated workspace (workspace -a ms17-010) if the database already holds other scan results; and a host missing from the list is not necessarily patched, since hosts that block port 445 from the scanner or refuse the anonymous IPC$ session the module relies on are never assessed (set SMBUser and SMBPass and rerun for those).
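The two checks this article relies on, as one stand-alone script so you can see exactly what goes over the wire: it reads the NativeOS banner that smb_version reports, sends the transaction on FID 0 that the smb_ms17_010 description explains and classifies the NT status it gets back, and, only on a host judged unpatched, sends the Trans2 SESSION_SETUP "ping" that the DoublePulsar detection script referenced above uses, treating a reply whose multiplex ID is 0x10 above ours as the implant answering. This is an added example, not code from the original post or from Metasploit, and it is my reimplementation rather than the module's source. It assumes (my assumptions, not the page's) that SMB1 is enabled on TCP 445 and that the target accepts an anonymous session to IPC$, the precondition the module description also states; STATUS_INVALID_HANDLE and STATUS_ACCESS_DENIED are treated here as "patched". The two sample response frames at the bottom are constructed, not captured from a real host, so the parsers can be exercised offline.

```python
# Stand-alone SMB1 probe (added example; not the article's code and not Metasploit's): NativeOS banner,
# the FID 0 MS17-010 check, and the DoublePulsar knock. Assumes SMB1 on 445 and a permitted null session.
import socket
import struct
import sys

SMB_HDR = struct.Struct("<4sBIBHH8sHHHHH")    # 32-byte SMB1 header, little-endian, unpadded
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # what an unpatched host returns for the FID 0 transaction
STATUS_INVALID_HANDLE = 0xC0000008            # a patched host rejects the bogus FID
STATUS_ACCESS_DENIED = 0xC0000022             # patched or hardened host
KNOCK_MID = 0x41                              # DoublePulsar answers the knock with MID 0x51 (ours + 0x10)

def smb_header(cmd, status=0, tid=0, uid=0, mid=0):
    # Flags 0x18 (case-insensitive, canonical paths); Flags2 0x4001 (NT status codes, long names): no
    # UNICODE and no EXTENDED_SECURITY bit, so replies are ASCII and no SPNEGO round trip is needed.
    return SMB_HDR.pack(b"\xffSMB", cmd, status, 0x18, 0x4001, 0, b"\0" * 8, 0, tid, 0, uid, mid)

def nb_frame(smb):
    return b"\0" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session framing: type 0x00 + 3-byte length

def negotiate():
    dialects = b"\x02NT LM 0.12\0"            # offer one dialect, so the server must pick index 0
    return nb_frame(smb_header(0x72) + b"\0" + struct.pack("<H", len(dialects)) + dialects)

def session_setup():
    # SESSION_SETUP_ANDX, WordCount 13, null session: 1-byte OEM password, empty account and domain,
    # Capabilities CAP_NT_SMBS|CAP_NT_STATUS; data = password, account, domain, NativeOS, NativeLanMan.
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFFF, 2, 0, 0, 1, 0, 0, 0x50)
    data = b"\0" + b"\0" + b"\0" + b"Unix\0" + b"Samba\0"
    return nb_frame(smb_header(0x73) + b"\x0d" + words + struct.pack("<H", len(data)) + data)

def tree_connect(uid, host):
    data = b"\0" + b"\\\\" + host.encode() + b"\\IPC$\0" + b"?????\0"   # null password, path, service
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)                       # TREE_CONNECT_ANDX, WordCount 4
    return nb_frame(smb_header(0x75, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data)

def trans_peek_fid0(tid, uid):
    # SMB_COM_TRANSACTION with Setup = [PeekNamedPipe 0x23, FID 0]: the MS17-010 probe itself.
    name = b"\\PIPE\\\0"
    off = 32 + 1 + 32 + 2 + len(name)            # parameter/data offset, counted from the SMB header
    words = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, off, 0, off, 2, 0, 0x23, 0)
    return nb_frame(smb_header(0x25, tid=tid, uid=uid) + b"\x10" + words
                    + struct.pack("<H", len(name)) + name)

def trans2_knock(tid, uid):
    # TRANSACTION2 SESSION_SETUP (0x000E) with Timeout 0x00A4D9A6: the byte sum 0xA4+0xD9+0xA6 ends
    # in 0x23, the implant's "ping" opcode. A clean host answers STATUS_NOT_IMPLEMENTED with our MID.
    params = b"\0" * 12
    off = 32 + 1 + 30 + 2
    words = struct.pack("<HHHHBBHIHHHHHBBH", 12, 0, 1, 0, 0, 0, 0, 0x00A4D9A6, 0,
                        12, off, 0, off + 12, 1, 0, 0x000E)
    return nb_frame(smb_header(0x32, tid=tid, uid=uid, mid=KNOCK_MID) + b"\x0f" + words
                    + struct.pack("<H", len(params)) + params)

def parse_header(frame):
    """(command, nt_status, tid, uid, mid) of a NetBIOS-framed SMB1 message."""
    _, cmd, status, _, _, _, _, _, tid, _, uid, mid = SMB_HDR.unpack_from(frame, 4)
    return cmd, status, tid, uid, mid

def native_os(frame):
    """NativeOS and NativeLanMan from a SESSION_SETUP_ANDX response (WordCount 3, ASCII strings)."""
    parts = frame[4 + 32 + 1 + 6 + 2:].split(b"\0")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1")

def classify_ms17_010(status):
    # Only the unpatched code path returns INSUFF_SERVER_RESOURCES for a transaction on FID 0.
    return {STATUS_INSUFF_SERVER_RESOURCES: "VULNERABLE", STATUS_INVALID_HANDLE: "PATCHED",
            STATUS_ACCESS_DENIED: "PATCHED"}.get(status, "UNKNOWN")

def exchange(sock, frame):
    sock.sendall(frame)
    buf, want = b"", 4
    while len(buf) < want:                       # 4-byte NetBIOS header first, then exactly its body
        chunk = sock.recv(want - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the SMB session")
        buf += chunk
        want = 4 + int.from_bytes(buf[1:4], "big") if len(buf) >= 4 else 4
    return buf

def probe(host, port=445, timeout=5):
    with socket.create_connection((host, port), timeout=timeout) as s:
        exchange(s, negotiate())
        resp = exchange(s, session_setup())
        _, status, _, uid, _ = parse_header(resp)
        if status:                               # null session refused: unassessed, NOT "patched"
            return {"host": host, "error": "session setup failed 0x%08X" % status}
        result = {"host": host, "os": native_os(resp)[0]}
        _, status, tid, _, _ = parse_header(exchange(s, tree_connect(uid, host)))
        if status:
            return dict(result, error="IPC$ tree connect failed 0x%08X" % status)
        _, status, _, _, _ = parse_header(exchange(s, trans_peek_fid0(tid, uid)))
        result["ms17_010"] = classify_ms17_010(status)
        if result["ms17_010"] == "VULNERABLE":   # knock only unpatched hosts, as the msf module does
            _, _, _, _, mid = parse_header(exchange(s, trans2_knock(tid, uid)))
            result["doublepulsar"] = mid == KNOCK_MID + 0x10
        return result

# Constructed sample responses (not captured from a real host) so the parsers can be exercised offline.
_OS = b"Windows 7 Professional 7601 Service Pack 1\0Windows 7 Professional 6.1\0WORKGROUP\0"
SAMPLE_SESSION_SETUP_RESPONSE = nb_frame(smb_header(0x73, uid=0x801) + b"\x03" + bytes(6)
                                         + struct.pack("<H", len(_OS)) + _OS)
SAMPLE_VULNERABLE_TRANS_RESPONSE = nb_frame(smb_header(0x25, STATUS_INSUFF_SERVER_RESOURCES, 0x800, 0x801) + bytes(3))

if __name__ == "__main__":
    print(*(probe(t) for t in sys.argv[1:]), sep="\n")
```

Run it with target IPs as arguments; each host yields a dict with its NativeOS string, the MS17-010 verdict and, for unpatched hosts, whether the knock was answered. As with the module, a session setup failure means the host was not assessed, which is deliberately reported as an error rather than as "PATCHED".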